@eudi-verify/server 0.1.0

package/dist/index.d.ts

@@ -0,0 +1,835 @@
+/**
+ * @eudi-verify/server - Shared Types
+ *
+ * These types are derived from the OpenAPI spec and used across all packages.
+ * They define the contract between client, server, and widget.
+ */
+/**
+ * Claims that can be requested from an EUDI Wallet.
+ * Each property set to `true` requests that specific claim.
+ * Uses selective disclosure — only requested claims are shared.
+ *
+ * @example
+ * ```ts
+ * const request: VerificationRequest = {
+ *   age_over_18: true,
+ *   nationality: true,
+ * };
+ * ```
+ */
+interface VerificationRequest {
+    /** Request age verification (over 18) */
+    age_over_18?: true;
+    /** Request age verification (over 21) */
+    age_over_21?: true;
+    /** Request nationality claim (ISO 3166-1 alpha-2) */
+    nationality?: true;
+    /** Request given name */
+    given_name?: true;
+    /** Request family name */
+    family_name?: true;
+    /** Request birth date */
+    birth_date?: true;
+    /** Additional claims (extensible) */
+    [key: string]: true | undefined;
+}
+/**
+ * Session lifecycle states.
+ *
+ * Flow: pending → waiting_for_wallet → verified|rejected|expired|error
+ *       ↳ cancelled (from any non-terminal state)
+ */
+type SessionStatus = 'pending' | 'waiting_for_wallet' | 'verified' | 'rejected' | 'expired' | 'cancelled' | 'error';
+/**
+ * Terminal states that cannot transition further.
+ */
+declare const TERMINAL_STATUSES: readonly SessionStatus[];
+/**
+ * Check if a status is terminal (cannot transition).
+ */
+declare function isTerminalStatus(status: SessionStatus): boolean;
+/**
+ * Claims extracted from a verified presentation.
+ * Only includes claims that were requested and disclosed.
+ *
+ * WARNING: In demo mode, these are simulated values.
+ */
+interface VerifiedClaims {
+    age_over_18?: boolean;
+    age_over_21?: boolean;
+    nationality?: string;
+    given_name?: string;
+    family_name?: string;
+    birth_date?: string;
+    [key: string]: unknown;
+}
+/**
+ * Verification session representing the full lifecycle of a verification request.
+ */
+interface Session {
+    /** Unique session identifier (UUID) */
+    id: string;
+    /** Current session status */
+    status: SessionStatus;
+    /** Original verification request */
+    request: VerificationRequest;
+    /** URL to encode in QR code (present when status is 'pending') */
+    qrUrl?: string;
+    /** Opaque verification token (present when status is 'verified') */
+    token?: string;
+    /** Verified claims (present when status is 'verified') */
+    claims?: VerifiedClaims;
+    /** Error message (present when status is 'error') */
+    error?: string;
+    /** Session creation timestamp */
+    createdAt: Date;
+    /** Session expiration timestamp */
+    expiresAt: Date;
+    /** Internal: engine-specific session data */
+    _engineData?: unknown;
+}
+/**
+ * Session as returned by the API (dates as ISO strings).
+ */
+interface SessionDTO {
+    id: string;
+    status: SessionStatus;
+    qrUrl?: string;
+    token?: string;
+    claims?: VerifiedClaims;
+    error?: string;
+    createdAt: string;
+    expiresAt: string;
+}
+/**
+ * Convert internal Session to API response DTO.
+ */
+declare function sessionToDTO(session: Session): SessionDTO;
+/**
+ * Verification token payload.
+ * Format: `eudi_v1.<base64url-payload>.<hmac>`
+ *
+ * Properties:
+ * - Single-use (consumed on successful verify)
+ * - Short TTL (default 5 minutes)
+ * - HMAC-signed with server secret
+ */
+interface VerificationTokenPayload {
+    /** Session ID this token is bound to */
+    sid: string;
+    /** Key ID for secret rotation */
+    kid: string;
+    /** Expiration timestamp (Unix seconds) */
+    exp: number;
+    /** Hash of the verified claims */
+    hash: string;
+}
+/**
+ * Token version prefix for format identification and future compatibility.
+ */
+declare const TOKEN_VERSION: "eudi_v1";
+/**
+ * Default session TTL in milliseconds (5 minutes).
+ */
+declare const DEFAULT_SESSION_TTL_MS: number;
+/**
+ * Default token TTL in milliseconds (5 minutes).
+ */
+declare const DEFAULT_TOKEN_TTL_MS: number;
+/**
+ * Request body for POST /sessions.
+ */
+interface CreateSessionInput {
+    request: VerificationRequest;
+    callbackUrl?: string;
+}
+/**
+ * Request body for POST /tokens/verify.
+ */
+interface VerifyTokenInput {
+    token: string;
+}
+/**
+ * Response from POST /tokens/verify.
+ */
+interface VerifyTokenResult {
+    valid: boolean;
+    claims?: VerifiedClaims;
+    error?: 'invalid_token' | 'expired' | 'already_consumed' | 'invalid_signature';
+}
+/**
+ * API error response.
+ */
+interface ApiError {
+    error: string;
+    message: string;
+    details?: Record<string, unknown>;
+}
+/**
+ * Operation mode for the verifier.
+ */
+type VerifierMode = 'demo' | 'production';
+
+/**
+ * @eudi-verify/server - Key-Value Store Interface
+ *
+ * Abstraction for session and token storage. Implementations:
+ * - MemoryKVStore: In-memory (default, for demo/testing)
+ * - RedisKVStore: Redis (production, horizontal scaling)
+ * - PostgresKVStore: Postgres (production, when Redis unavailable)
+ */
+/**
+ * Generic key-value store interface for session and token storage.
+ *
+ * All implementations must support:
+ * - TTL-based expiration
+ * - Atomic get-and-delete for single-use tokens
+ *
+ * @example
+ * ```ts
+ * const store = new MemoryKVStore();
+ * await store.set('session:123', session, 300_000); // 5 min TTL
+ * const data = await store.get('session:123');
+ * ```
+ */
+interface IKVStore {
+    /**
+     * Get a value by key.
+     * @returns The value, or undefined if not found or expired
+     */
+    get<T>(key: string): Promise<T | undefined>;
+    /**
+     * Set a value with optional TTL.
+     * @param key - Storage key
+     * @param value - Value to store (will be serialized)
+     * @param ttlMs - Time-to-live in milliseconds (optional)
+     */
+    set<T>(key: string, value: T, ttlMs?: number): Promise<void>;
+    /**
+     * Delete a key.
+     * @returns true if the key existed, false otherwise
+     */
+    delete(key: string): Promise<boolean>;
+    /**
+     * Check if a key exists (and is not expired).
+     */
+    has(key: string): Promise<boolean>;
+    /**
+     * Atomically get and delete a value.
+     * Essential for single-use token consumption.
+     * @returns The value if it existed, undefined otherwise
+     */
+    getAndDelete<T>(key: string): Promise<T | undefined>;
+    /**
+     * Clear all keys (useful for testing).
+     */
+    clear(): Promise<void>;
+}
+/**
+ * In-memory implementation of IKVStore.
+ *
+ * Suitable for:
+ * - Demo mode
+ * - Development
+ * - Testing
+ * - Single-instance deployments
+ *
+ * NOT suitable for:
+ * - Production with multiple instances (no shared state)
+ * - High-volume traffic (memory limits)
+ *
+ * @example
+ * ```ts
+ * const store = new MemoryKVStore();
+ *
+ * // Store session with 5 minute TTL
+ * await store.set('session:abc', { status: 'pending' }, 300_000);
+ *
+ * // Retrieve session
+ * const session = await store.get<Session>('session:abc');
+ *
+ * // Consume single-use token (atomic get + delete)
+ * const tokenData = await store.getAndDelete('token:xyz');
+ * ```
+ */
+declare class MemoryKVStore implements IKVStore {
+    private store;
+    private cleanupInterval;
+    /**
+     * Create a new in-memory store.
+     * @param cleanupIntervalMs - How often to run expired key cleanup (default: 60s)
+     */
+    constructor(cleanupIntervalMs?: number);
+    get<T>(key: string): Promise<T | undefined>;
+    set<T>(key: string, value: T, ttlMs?: number): Promise<void>;
+    delete(key: string): Promise<boolean>;
+    has(key: string): Promise<boolean>;
+    getAndDelete<T>(key: string): Promise<T | undefined>;
+    clear(): Promise<void>;
+    /**
+     * Remove expired entries. Called automatically on interval.
+     */
+    private cleanup;
+    /**
+     * Stop the cleanup interval. Call when disposing the store.
+     */
+    dispose(): void;
+    /**
+     * Get the current number of entries (for testing/monitoring).
+     */
+    get size(): number;
+}
+/**
+ * Key prefixes for namespacing different data types.
+ */
+declare const KEY_PREFIX: {
+    readonly SESSION: "session:";
+    readonly TOKEN: "token:";
+    readonly RATE_LIMIT: "rate:";
+};
+/**
+ * Build a session storage key.
+ */
+declare function sessionKey(sessionId: string): string;
+/**
+ * Build a token storage key.
+ */
+declare function tokenKey(tokenId: string): string;
+/**
+ * Build a rate limit key for an IP address.
+ */
+declare function rateLimitKey(ip: string): string;
+
+/**
+ * @eudi-verify/server - Verifier Engine Interface
+ *
+ * Abstraction over the underlying EUDI verification protocol implementation.
+ * Enables swapping between:
+ * - OpenEUDI (primary, Luxembourg-based Apache-2.0 library)
+ * - Sphereon OID4VC (fallback, mitigates OpenEUDI single-contributor risk)
+ * - MockEngine (testing and demo without external dependencies)
+ *
+ * The engine handles OpenID4VP protocol details; the server handles:
+ * - HTTP routing and validation
+ * - Token minting and verification
+ * - Session storage
+ * - Rate limiting
+ */
+
+/**
+ * Configuration for creating a verification session.
+ */
+interface CreateSessionConfig {
+    /** Unique session ID (generated by server) */
+    sessionId: string;
+    /** Claims to request from the wallet */
+    request: VerificationRequest;
+    /** Base URL for callback endpoints (e.g., https://example.com/api/eudi) */
+    baseUrl: string;
+    /** Session TTL in milliseconds */
+    ttlMs: number;
+}
+/**
+ * Result of session creation from the engine.
+ */
+interface CreateSessionResult {
+    /** URL for the QR code (OpenID4VP authorization request) */
+    qrUrl: string;
+    /** Engine-specific data to store with session (e.g., nonce, keys) */
+    engineData?: unknown;
+}
+/**
+ * Callback data received from the wallet.
+ */
+interface CallbackData {
+    /** Session ID extracted from the callback */
+    sessionId: string;
+    /** Raw response from wallet (VP token or encrypted JWE) */
+    response: string;
+}
+/**
+ * Result of processing a wallet callback.
+ */
+interface CallbackResult {
+    /** Whether verification succeeded */
+    success: boolean;
+    /** Verified claims (if success) */
+    claims?: VerifiedClaims;
+    /** Error message (if !success) */
+    error?: string;
+    /** New status for the session */
+    status: SessionStatus;
+}
+/**
+ * Verifier engine interface — the protocol abstraction layer.
+ *
+ * Implementations handle OpenID4VP specifics:
+ * - Generating authorization requests (QR URLs)
+ * - Verifying VP responses (signatures, trust lists, disclosure)
+ * - Managing cryptographic material (nonces, keys)
+ *
+ * The server layer handles everything else:
+ * - Session lifecycle and storage
+ * - Token minting (captcha pattern)
+ * - HTTP request/response handling
+ * - Rate limiting and security checks
+ *
+ * @example
+ * ```ts
+ * // Using OpenEUDI engine (production)
+ * import { OpenEudiEngine } from './engines/openeudi.js';
+ * const engine = new OpenEudiEngine({ mode: 'demo' });
+ *
+ * // Using mock engine (testing)
+ * import { MockEngine } from './engines/mock.js';
+ * const engine = new MockEngine();
+ * ```
+ */
+interface VerifierEngine {
+    /**
+     * Engine identifier for logging and debugging.
+     */
+    readonly name: string;
+    /**
+     * Operating mode (demo returns simulated credentials).
+     */
+    readonly mode: VerifierMode;
+    /**
+     * Create a new verification session.
+     *
+     * Generates the OpenID4VP authorization request URL that will be
+     * encoded in the QR code for wallet scanning.
+     *
+     * @param config - Session configuration
+     * @returns QR URL and optional engine-specific data to persist
+     * @throws If session creation fails
+     */
+    createSession(config: CreateSessionConfig): Promise<CreateSessionResult>;
+    /**
+     * Parse and validate a wallet callback.
+     *
+     * Called when the wallet POSTs to the callback endpoint.
+     * Extracts session ID and validates the response format.
+     *
+     * @param rawBody - Raw request body (form-encoded or JSON)
+     * @returns Parsed callback data
+     * @throws If callback is malformed
+     */
+    parseCallback(rawBody: string): Promise<CallbackData>;
+    /**
+     * Process a wallet callback and verify the presentation.
+     *
+     * Performs cryptographic verification:
+     * - VP signature validation
+     * - Trust list verification (production)
+     * - Selective disclosure validation
+     * - Nonce/state binding checks
+     *
+     * @param data - Parsed callback data
+     * @param session - Current session (with engineData)
+     * @returns Verification result with claims or error
+     */
+    handleCallback(data: CallbackData, session: Session): Promise<CallbackResult>;
+    /**
+     * Generate the authorization request object for PAR.
+     *
+     * Called when wallet fetches the request_uri.
+     * Returns a signed JWT containing the OpenID4VP request.
+     *
+     * @param session - Session to generate request for
+     * @returns Signed authorization request JWT
+     */
+    getAuthorizationRequest?(session: Session): Promise<string>;
+    /**
+     * Clean up any resources associated with a cancelled session.
+     *
+     * Optional — implement if the engine maintains state that needs cleanup.
+     *
+     * @param session - Session being cancelled
+     */
+    cancelSession?(session: Session): Promise<void>;
+    /**
+     * Initialize the engine (load keys, connect to services, etc.).
+     *
+     * Called once during server startup.
+     */
+    initialize?(): Promise<void>;
+    /**
+     * Shutdown the engine gracefully.
+     *
+     * Called during server shutdown.
+     */
+    shutdown?(): Promise<void>;
+}
+/**
+ * Configuration for MockEngine.
+ */
+interface MockEngineConfig {
+    /**
+     * Simulated delay before verification completes (ms).
+     * @default 1000
+     */
+    verificationDelayMs?: number;
+    /**
+     * Probability that verification succeeds (0-1).
+     * @default 1.0
+     */
+    successRate?: number;
+    /**
+     * Default claims to return for all verifications.
+     */
+    defaultClaims?: VerifiedClaims;
+}
+/**
+ * Mock engine for testing and demos without external dependencies.
+ *
+ * Simulates the verification flow with configurable behavior:
+ * - Immediate or delayed verification
+ * - Configurable success/failure rates
+ * - Custom claim responses
+ *
+ * WARNING: This engine does NOT perform real verification.
+ * Never use in production — it accepts any input as valid.
+ *
+ * @example
+ * ```ts
+ * const engine = new MockEngine({
+ *   verificationDelayMs: 2000, // Simulate wallet interaction time
+ *   successRate: 0.9, // 90% success rate
+ *   defaultClaims: { age_over_18: true },
+ * });
+ * ```
+ */
+declare class MockEngine implements VerifierEngine {
+    readonly name = "mock";
+    readonly mode: VerifierMode;
+    private config;
+    constructor(config?: MockEngineConfig);
+    createSession(config: CreateSessionConfig): Promise<CreateSessionResult>;
+    parseCallback(rawBody: string): Promise<CallbackData>;
+    handleCallback(data: CallbackData, session: Session): Promise<CallbackResult>;
+    getAuthorizationRequest(session: Session): Promise<string>;
+    cancelSession(_session: Session): Promise<void>;
+    private buildMockQrUrl;
+    private generateMockClaims;
+    private delay;
+}
+/**
+ * Placeholder for OpenEUDI engine implementation.
+ *
+ * Will wrap @openeudi/core and @openeudi/openid4vp to provide:
+ * - Real OpenID4VP authorization requests
+ * - Demo mode with simulated wallet responses
+ * - Production mode with full crypto verification
+ *
+ * Implementation deferred to WP2.
+ */
+interface OpenEudiEngineConfig {
+    /** Operating mode */
+    mode: VerifierMode;
+    /** Base URL for callback endpoints */
+    baseUrl: string;
+    /** Custom session TTL (ms) */
+    sessionTtlMs?: number;
+}
+/**
+ * Placeholder for Sphereon OID4VC engine implementation.
+ *
+ * Fallback engine using Sphereon's OID4VC libraries.
+ * Mitigates OpenEUDI's single-contributor bus factor risk.
+ *
+ * Implementation deferred until OpenEUDI proves unstable.
+ */
+interface SphereonEngineConfig {
+    mode: VerifierMode;
+    baseUrl: string;
+}
+
+/**
+ * @eudi-verify/server - OpenEUDI Engine
+ *
+ * Verifier engine implementation wrapping @openeudi/core.
+ * Provides both demo mode (simulated credentials) and production mode.
+ *
+ * Demo mode:
+ * - Generates mock OpenID4VP authorization requests
+ * - Simulates wallet responses with configurable claims
+ * - No real cryptographic verification
+ *
+ * Production mode (future):
+ * - Real OpenID4VP protocol implementation
+ * - Cryptographic verification of VPs
+ * - Trust list validation
+ */
+
+/**
+ * Demo claims configuration.
+ */
+interface DemoClaimsConfig {
+    age_over_18?: boolean;
+    age_over_21?: boolean;
+    nationality?: string;
+    given_name?: string;
+    family_name?: string;
+    birth_date?: string;
+}
+/**
+ * Extended OpenEUDI engine configuration.
+ */
+interface OpenEudiEngineOptions extends OpenEudiEngineConfig {
+    /** Default claims to return in demo mode */
+    demoClaims?: DemoClaimsConfig;
+    /** Simulated verification delay in ms (demo mode) */
+    demoDelayMs?: number;
+}
+/**
+ * OpenEUDI engine implementation.
+ *
+ * In demo mode, simulates the OpenID4VP flow:
+ * 1. createSession generates a mock authorization request URL
+ * 2. handleCallback returns simulated claims
+ *
+ * In production mode (future), will use @openeudi/core for:
+ * - Real authorization request generation
+ * - VP signature verification
+ * - Trust list validation
+ */
+declare class OpenEudiEngine implements VerifierEngine {
+    readonly name = "openeudi";
+    readonly mode: VerifierMode;
+    private config;
+    constructor(options: OpenEudiEngineOptions);
+    initialize(): Promise<void>;
+    createSession(config: CreateSessionConfig): Promise<CreateSessionResult>;
+    parseCallback(rawBody: string): Promise<CallbackData>;
+    handleCallback(data: CallbackData, session: Session): Promise<CallbackResult>;
+    getAuthorizationRequest(session: Session): Promise<string>;
+    cancelSession(_session: Session): Promise<void>;
+    shutdown(): Promise<void>;
+    private handleDemoCallback;
+    private handleProductionCallback;
+    private buildAuthorizationRequestUrl;
+    private buildPresentationDefinition;
+    private getClaimDisplayName;
+    private generateDemoClaims;
+    private generateNonce;
+    private delay;
+}
+
+/**
+ * @eudi-verify/server - Token Service
+ *
+ * Implements captcha-style token minting and verification.
+ * Tokens prove successful verification and are:
+ * - Single-use (consumed on successful verify)
+ * - Short-lived (5 minute TTL)
+ * - HMAC-signed with server secret
+ *
+ * Format: eudi_v1.<base64url-payload>.<hmac>
+ */
+
+/**
+ * Configuration for the token service.
+ */
+interface TokenServiceConfig {
+    /** Secret key for HMAC signing. Must be at least 32 characters. */
+    secret: string;
+    /** Key ID for secret rotation (allows multiple active keys) */
+    keyId?: string;
+    /** Token TTL in milliseconds (default: 5 minutes) */
+    ttlMs?: number;
+    /** KV store for single-use token tracking */
+    store: IKVStore;
+}
+/**
+ * Token service for minting and verifying verification tokens.
+ */
+interface TokenService {
+    /**
+     * Mint a new verification token.
+     * @param sessionId - Session this token is bound to
+     * @param claims - Verified claims to include in the token
+     * @returns Opaque token string
+     */
+    mint(sessionId: string, claims: VerifiedClaims): Promise<string>;
+    /**
+     * Verify a token and consume it (single-use).
+     * @param token - Token to verify
+     * @returns Verification result with claims if valid
+     */
+    verify(token: string): Promise<VerifyTokenResult>;
+}
+/**
+ * Create a token service instance.
+ */
+declare function createTokenService(config: TokenServiceConfig): TokenService;
+
+/**
+ * @eudi-verify/server - Rate Limiter
+ *
+ * Per-IP rate limiting for session creation to prevent abuse.
+ * Uses sliding window counter stored in IKVStore.
+ */
+
+/**
+ * Rate limit configuration.
+ */
+interface RateLimitConfig {
+    /** Maximum requests allowed in the window (default: 10) */
+    maxRequests?: number;
+    /** Time window in milliseconds (default: 60000 = 1 minute) */
+    windowMs?: number;
+    /** KV store for rate limit counters */
+    store: IKVStore;
+}
+/**
+ * Result of a rate limit check.
+ */
+interface RateLimitResult {
+    /** Whether the request is allowed */
+    allowed: boolean;
+    /** Remaining requests in the current window */
+    remaining: number;
+    /** Seconds until the rate limit resets (present if not allowed) */
+    retryAfter?: number;
+    /** Total limit */
+    limit: number;
+}
+/**
+ * Rate limiter interface.
+ */
+interface RateLimiter {
+    /**
+     * Check if a request from the given IP is allowed.
+     * Does NOT consume a request slot.
+     */
+    check(ip: string): Promise<RateLimitResult>;
+    /**
+     * Consume a request slot for the given IP.
+     * Call this after check() returns allowed=true.
+     */
+    consume(ip: string): Promise<void>;
+    /**
+     * Check and consume in one operation.
+     * Returns the result and consumes a slot if allowed.
+     */
+    checkAndConsume(ip: string): Promise<RateLimitResult>;
+}
+/**
+ * Create a rate limiter instance.
+ */
+declare function createRateLimiter(config: RateLimitConfig): RateLimiter;
+
+/**
+ * @eudi-verify/server - Handler Factory
+ *
+ * Framework-agnostic HTTP handlers implementing the OpenAPI spec.
+ * Each handler receives a parsed request and returns a response object.
+ * The adapter layer (Node http, Hono, Express, etc.) maps these to actual HTTP.
+ */
+
+/**
+ * Configuration for the verifier handlers.
+ */
+interface VerifierConfig {
+    /** Verification engine (OpenEUDI, Sphereon, or Mock) */
+    engine: VerifierEngine;
+    /** Key-value store for sessions and tokens */
+    store: IKVStore;
+    /** Base URL for callback endpoints (e.g., https://example.com/api/eudi) */
+    baseUrl: string;
+    /** Operating mode (demo returns simulated credentials) */
+    mode: VerifierMode;
+    /** Session TTL in milliseconds (default: 5 minutes) */
+    sessionTtlMs?: number;
+    /** Secret for token signing (required, min 32 chars) */
+    tokenSecret: string;
+    /** Token key ID for rotation */
+    tokenKeyId?: string;
+    /** Rate limit config (optional) */
+    rateLimit?: {
+        maxRequests: number;
+        windowMs: number;
+    };
+    /** Allowed origins for CORS/Origin check (empty = allow all) */
+    allowedOrigins?: string[];
+}
+/**
+ * Generic request context provided by the adapter.
+ */
+interface RequestContext {
+    /** Client IP address */
+    ip: string;
+    /** Origin header (for CORS check) */
+    origin?: string;
+    /** Request path parameters */
+    params: Record<string, string>;
+    /** Parsed JSON body (for POST requests) */
+    body?: unknown;
+    /** Raw body string (for form-encoded callbacks) */
+    rawBody?: string;
+}
+/**
+ * Generic response returned by handlers.
+ */
+interface HandlerResponse<T = unknown> {
+    /** HTTP status code */
+    status: number;
+    /** Response headers */
+    headers: Record<string, string>;
+    /** Response body (will be JSON-serialized) */
+    body: T;
+}
+/**
+ * Handler function signature.
+ */
+type RequestHandler<T = unknown> = (ctx: RequestContext) => Promise<HandlerResponse<T>>;
+/**
+ * All handlers returned by createVerifierHandlers.
+ */
+interface VerifierHandlers {
+    createSession: RequestHandler<SessionDTO | ApiError>;
+    getSession: RequestHandler<SessionDTO | ApiError>;
+    cancelSession: RequestHandler<SessionDTO | ApiError>;
+    verifyToken: RequestHandler<VerifyTokenResult | ApiError>;
+    handleCallback: RequestHandler<{
+        status: string;
+    } | ApiError>;
+    getRequest: RequestHandler<string | ApiError>;
+}
+/**
+ * Create the verifier handlers.
+ */
+declare function createVerifierHandlers(config: VerifierConfig): VerifierHandlers;
+
+/**
+ * @eudi-verify/server
+ *
+ * Framework-agnostic EUDI Wallet verifier server.
+ * Implements the OpenAPI spec for session management and token verification.
+ *
+ * @example
+ * ```ts
+ * import {
+ *   createVerifierHandlers,
+ *   OpenEudiEngine,
+ *   MemoryKVStore,
+ *   type VerifierConfig,
+ * } from '@eudi-verify/server';
+ *
+ * const engine = new OpenEudiEngine({ mode: 'demo', baseUrl: '/api/eudi' });
+ * const store = new MemoryKVStore();
+ * const handlers = createVerifierHandlers({
+ *   engine,
+ *   store,
+ *   baseUrl: '/api/eudi',
+ *   mode: 'demo',
+ *   tokenSecret: process.env.TOKEN_SECRET!,
+ * });
+ * ```
+ *
+ * @packageDocumentation
+ */
+declare const VERSION = "0.1.0";
+
+export { type ApiError, type CallbackData, type CallbackResult, type CreateSessionConfig, type CreateSessionInput, type CreateSessionResult, DEFAULT_SESSION_TTL_MS, DEFAULT_TOKEN_TTL_MS, type DemoClaimsConfig, type HandlerResponse, type IKVStore, KEY_PREFIX, MemoryKVStore, MockEngine, type MockEngineConfig, OpenEudiEngine, type OpenEudiEngineConfig, type OpenEudiEngineOptions, type RateLimitConfig, type RateLimitResult, type RateLimiter, type RequestContext, type RequestHandler, type Session, type SessionDTO, type SessionStatus, type SphereonEngineConfig, TERMINAL_STATUSES, TOKEN_VERSION, type TokenService, type TokenServiceConfig, VERSION, type VerificationRequest, type VerificationTokenPayload, type VerifiedClaims, type VerifierConfig, type VerifierEngine, type VerifierHandlers, type VerifierMode, type VerifyTokenInput, type VerifyTokenResult, createRateLimiter, createTokenService, createVerifierHandlers, isTerminalStatus, rateLimitKey, sessionKey, sessionToDTO, tokenKey };