@frontmcp/utils 0.7.2 → 0.8.1

package/crypto/hmac-signing.d.ts

@@ -0,0 +1,96 @@
+/**
+ * Generic HMAC Signing Utilities
+ *
+ * Provides HMAC-SHA256 signing and verification for any JSON-serializable data.
+ * Protects against data tampering when stored in external systems.
+ *
+ * @example
+ * ```typescript
+ * import { signData, verifyData } from '@frontmcp/utils';
+ *
+ * // Sign any data
+ * const signed = signData({ userId: '123', role: 'admin' }, { secret: 'my-secret' });
+ *
+ * // Verify and extract
+ * const data = verifyData(signed, { secret: 'my-secret' });
+ * if (data) {
+ *   console.log(data.userId); // '123'
+ * }
+ * ```
+ */
+/**
+ * Signed data wrapper structure.
+ * Contains the data and its HMAC signature.
+ */
+export interface SignedData<T> {
+    /** The signed data */
+    data: T;
+    /** HMAC-SHA256 signature in base64url format */
+    sig: string;
+    /** Signature version for future algorithm changes */
+    v: 1;
+}
+/**
+ * Configuration for HMAC signing operations.
+ */
+export interface HmacSigningConfig {
+    /**
+     * The secret key used for HMAC signing.
+     * Should be at least 32 bytes for security.
+     */
+    secret: string;
+}
+/**
+ * Sign data with HMAC-SHA256.
+ *
+ * Creates a tamper-evident wrapper around the data.
+ * Any modification to the data will invalidate the signature.
+ *
+ * @param data - The data to sign (must be JSON-serializable)
+ * @param config - Signing configuration with secret
+ * @returns JSON string containing signed data
+ *
+ * @example
+ * ```typescript
+ * const signed = signData({ key: 'value' }, { secret: 'my-secret' });
+ * await redis.set('mykey', signed);
+ * ```
+ */
+export declare function signData<T>(data: T, config: HmacSigningConfig): string;
+/**
+ * Verify and extract signed data.
+ *
+ * Validates the HMAC signature and returns the data if valid.
+ * Returns null if the signature is invalid or the data is corrupted.
+ *
+ * @param signedJson - JSON string from signData()
+ * @param config - Signing configuration with secret
+ * @returns The verified data or null if invalid
+ *
+ * @example
+ * ```typescript
+ * const raw = await redis.get('mykey');
+ * const data = verifyData<MyType>(raw, { secret: 'my-secret' });
+ * if (!data) {
+ *   // Data was tampered with or corrupted
+ * }
+ * ```
+ */
+export declare function verifyData<T>(signedJson: string, config: HmacSigningConfig): T | null;
+/**
+ * Check if a stored value is signed data.
+ * Useful for migrating from unsigned to signed data.
+ *
+ * @param json - Raw JSON string from storage
+ * @returns true if the data appears to be signed
+ */
+export declare function isSignedData(json: string): boolean;
+/**
+ * Verify or parse data, supporting both signed and unsigned formats.
+ * Useful for backwards compatibility during migration.
+ *
+ * @param json - Raw JSON string from storage
+ * @param config - Signing configuration with secret
+ * @returns The data (verified if signed, parsed if unsigned) or null
+ */
+export declare function verifyOrParseData<T>(json: string, config: HmacSigningConfig): T | null;

package/crypto/index.d.ts

@@ -86,6 +86,15 @@ export declare function base64urlEncode(data: Uint8Array): string;
  * Decode a base64url string to Uint8Array.
  */
 export declare function base64urlDecode(data: string): Uint8Array;
+/**
+ * Encode a Uint8Array to standard base64 string.
+ * RFC 4648 Section 4: Uses +/= characters, suitable for HTTP Basic auth.
+ */
+export declare function base64Encode(data: Uint8Array): string;
+/**
+ * Decode a standard base64 string to Uint8Array.
+ */
+export declare function base64Decode(data: string): Uint8Array;
 /**
  * Compute SHA-256 hash and return as base64url string.
  * Commonly used for PKCE code_challenge (S256 method).
@@ -96,3 +105,5 @@ export { isNode, isBrowser, assertNode } from './runtime';
 export { type EncryptedBlob, EncryptedBlobError, encryptValue, decryptValue, tryDecryptValue, serializeBlob, deserializeBlob, tryDeserializeBlob, isValidEncryptedBlob, encryptAndSerialize, deserializeAndDecrypt, tryDeserializeAndDecrypt, } from './encrypted-blob';
 export { MIN_CODE_VERIFIER_LENGTH, MAX_CODE_VERIFIER_LENGTH, DEFAULT_CODE_VERIFIER_LENGTH, PkceError, generateCodeVerifier, generateCodeChallenge, verifyCodeChallenge, generatePkcePair, isValidCodeVerifier, isValidCodeChallenge, type PkcePair, } from './pkce';
 export { type SecretData, type SecretPersistenceOptions, type SecretValidationResult, secretDataSchema, validateSecretData, parseSecretData, isSecretPersistenceEnabled, resolveSecretPath, loadSecret, saveSecret, deleteSecret, generateSecret, createSecretData, getOrCreateSecret, clearCachedSecret, isSecretCached, } from './secret-persistence';
+export { type SignedData, type HmacSigningConfig, signData, verifyData, isSignedData, verifyOrParseData, } from './hmac-signing';
+export { type BaseKeyData, type SecretKeyData, type AsymmetricKeyData, type AnyKeyData, type KeyPersistenceOptions, type CreateKeyPersistenceOptions, type CreateSecretOptions, type CreateAsymmetricOptions, type KeyValidationResult, asymmetricAlgSchema, secretKeyDataSchema, asymmetricKeyDataSchema, anyKeyDataSchema, validateKeyData, parseKeyData, isSecretKeyData, isAsymmetricKeyData, KeyPersistence, createKeyPersistence, createKeyPersistenceWithStorage, } from './key-persistence';

package/crypto/key-persistence/factory.d.ts

@@ -0,0 +1,58 @@
+/**
+ * Factory functions for KeyPersistence.
+ *
+ * Provides convenient ways to create KeyPersistence instances
+ * with auto-detection of storage backend.
+ *
+ * @module @frontmcp/utils/key-persistence
+ */
+import type { StorageAdapter } from '../../storage/types';
+import { KeyPersistence } from './key-persistence';
+import type { CreateKeyPersistenceOptions } from './types';
+/**
+ * Create a KeyPersistence instance with auto-detected storage.
+ *
+ * In Node.js: Uses filesystem storage at `.frontmcp/keys/` by default
+ * In browser: Uses memory storage (keys lost on refresh)
+ *
+ * @param options - Configuration options
+ * @returns KeyPersistence instance (storage already connected)
+ *
+ * @example
+ * ```typescript
+ * // Auto-detect storage
+ * const keys = await createKeyPersistence();
+ *
+ * // Force memory storage
+ * const memKeys = await createKeyPersistence({ type: 'memory' });
+ *
+ * // Custom directory for filesystem
+ * const fsKeys = await createKeyPersistence({
+ *   type: 'filesystem',
+ *   baseDir: '.my-app/keys',
+ * });
+ * ```
+ */
+export declare function createKeyPersistence(options?: CreateKeyPersistenceOptions): Promise<KeyPersistence>;
+/**
+ * Create a KeyPersistence instance with an explicit storage adapter.
+ *
+ * Use this when you want to provide your own storage backend
+ * (e.g., Redis, custom adapter).
+ *
+ * Note: The storage adapter must already be connected.
+ *
+ * @param storage - Connected storage adapter
+ * @param options - Additional options
+ * @returns KeyPersistence instance
+ *
+ * @example
+ * ```typescript
+ * import { createStorage } from '@frontmcp/utils';
+ *
+ * // Use Redis for distributed key storage
+ * const redis = await createStorage({ type: 'redis' });
+ * const keys = createKeyPersistenceWithStorage(redis);
+ * ```
+ */
+export declare function createKeyPersistenceWithStorage(storage: StorageAdapter, options?: Pick<CreateKeyPersistenceOptions, 'throwOnInvalid' | 'enableCache'>): KeyPersistence;

package/crypto/key-persistence/index.d.ts

@@ -0,0 +1,35 @@
+/**
+ * KeyPersistence Module
+ *
+ * Unified key persistence for browser and Node.js environments.
+ * Uses StorageAdapter abstraction to support both memory (browser)
+ * and filesystem (Node.js) backends.
+ *
+ * @example
+ * ```typescript
+ * import { createKeyPersistence } from '@frontmcp/utils';
+ *
+ * // Auto-detect storage (filesystem in Node.js, memory in browser)
+ * const keys = await createKeyPersistence();
+ *
+ * // Get or create a secret
+ * const secret = await keys.getOrCreateSecret('encryption-key');
+ * console.log(secret.secret); // base64url-encoded secret
+ *
+ * // Store a custom key
+ * await keys.set({
+ *   type: 'secret',
+ *   kid: 'my-key',
+ *   secret: 'abc...',
+ *   bytes: 32,
+ *   createdAt: Date.now(),
+ *   version: 1,
+ * });
+ * ```
+ *
+ * @module @frontmcp/utils/key-persistence
+ */
+export type { BaseKeyData, SecretKeyData, AsymmetricKeyData, AnyKeyData, KeyPersistenceOptions, CreateKeyPersistenceOptions, CreateSecretOptions, CreateAsymmetricOptions, } from './types';
+export { asymmetricAlgSchema, secretKeyDataSchema, asymmetricKeyDataSchema, anyKeyDataSchema, validateKeyData, parseKeyData, isSecretKeyData, isAsymmetricKeyData, type KeyValidationResult, } from './schemas';
+export { KeyPersistence } from './key-persistence';
+export { createKeyPersistence, createKeyPersistenceWithStorage } from './factory';

package/crypto/key-persistence/key-persistence.d.ts

@@ -0,0 +1,143 @@
+/**
+ * KeyPersistence - Unified key management with storage abstraction.
+ *
+ * Provides a high-level API for storing and retrieving cryptographic keys
+ * with any storage backend (memory, filesystem, Redis, etc.).
+ *
+ * @module @frontmcp/utils/key-persistence
+ */
+import type { StorageAdapter } from '../../storage/types';
+import type { AnyKeyData, SecretKeyData, AsymmetricKeyData, KeyPersistenceOptions, CreateSecretOptions } from './types';
+/**
+ * KeyPersistence provides a unified API for storing and retrieving
+ * cryptographic keys with any storage backend.
+ *
+ * Features:
+ * - Type-safe key storage with Zod validation
+ * - In-memory caching for fast reads
+ * - Support for symmetric secrets and asymmetric key pairs
+ * - Works with any StorageAdapter (Memory, FileSystem, Redis, etc.)
+ *
+ * @example
+ * ```typescript
+ * import { KeyPersistence, MemoryStorageAdapter } from '@frontmcp/utils';
+ *
+ * const storage = new MemoryStorageAdapter();
+ * await storage.connect();
+ *
+ * const keys = new KeyPersistence({ storage });
+ *
+ * // Get or create a secret
+ * const secret = await keys.getOrCreateSecret('encryption-key');
+ * console.log(secret.secret); // base64url string
+ *
+ * // Store a custom key
+ * await keys.set({
+ *   type: 'secret',
+ *   kid: 'my-key',
+ *   secret: 'abc...',
+ *   bytes: 32,
+ *   createdAt: Date.now(),
+ *   version: 1,
+ * });
+ *
+ * // List all keys
+ * const kids = await keys.list();
+ * ```
+ */
+export declare class KeyPersistence {
+    private readonly storage;
+    private readonly cache;
+    private readonly enableCache;
+    private readonly throwOnInvalid;
+    constructor(options: KeyPersistenceOptions);
+    /**
+     * Get a key by ID.
+     *
+     * @param kid - Key identifier
+     * @returns Key data or null if not found
+     */
+    get<T extends AnyKeyData = AnyKeyData>(kid: string): Promise<T | null>;
+    /**
+     * Get a secret key by ID.
+     *
+     * @param kid - Key identifier
+     * @returns Secret key data or null if not found or wrong type
+     */
+    getSecret(kid: string): Promise<SecretKeyData | null>;
+    /**
+     * Get an asymmetric key by ID.
+     *
+     * @param kid - Key identifier
+     * @returns Asymmetric key data or null if not found or wrong type
+     */
+    getAsymmetric(kid: string): Promise<AsymmetricKeyData | null>;
+    /**
+     * Store a key.
+     *
+     * @param key - Key data to store
+     */
+    set(key: AnyKeyData): Promise<void>;
+    /**
+     * Delete a key.
+     *
+     * @param kid - Key identifier
+     * @returns true if key existed and was deleted
+     */
+    delete(kid: string): Promise<boolean>;
+    /**
+     * Check if a key exists.
+     *
+     * @param kid - Key identifier
+     * @returns true if key exists
+     */
+    has(kid: string): Promise<boolean>;
+    /**
+     * List all key IDs.
+     *
+     * @returns Array of key identifiers
+     */
+    list(): Promise<string[]>;
+    /**
+     * Get or create a secret key.
+     *
+     * If a key with the given ID exists and is a valid secret key,
+     * it is returned. Otherwise, a new secret key is generated.
+     *
+     * @param kid - Key identifier
+     * @param options - Options for key creation
+     * @returns Secret key data
+     *
+     * @example
+     * ```typescript
+     * const secret = await keys.getOrCreateSecret('encryption-key');
+     * const bytes = base64urlDecode(secret.secret);
+     * ```
+     */
+    getOrCreateSecret(kid: string, options?: CreateSecretOptions): Promise<SecretKeyData>;
+    /**
+     * Clear the in-memory cache.
+     *
+     * Useful when you want to force a reload from storage.
+     */
+    clearCache(): void;
+    /**
+     * Clear cache for a specific key.
+     *
+     * @param kid - Key identifier
+     */
+    clearCacheFor(kid: string): void;
+    /**
+     * Check if a key is in the cache.
+     *
+     * @param kid - Key identifier
+     * @returns true if key is cached
+     */
+    isCached(kid: string): boolean;
+    /**
+     * Get the underlying storage adapter.
+     *
+     * Use with caution - direct storage access bypasses validation.
+     */
+    getAdapter(): StorageAdapter;
+}

package/crypto/key-persistence/schemas.d.ts

@@ -0,0 +1,180 @@
+/**
+ * Zod schemas for key persistence validation.
+ *
+ * @module @frontmcp/utils/key-persistence
+ */
+import { z } from 'zod';
+import type { AnyKeyData, SecretKeyData, AsymmetricKeyData } from './types';
+/**
+ * Supported asymmetric algorithms.
+ */
+export declare const asymmetricAlgSchema: z.ZodEnum<{
+    RS256: "RS256";
+    RS384: "RS384";
+    RS512: "RS512";
+    ES256: "ES256";
+    ES384: "ES384";
+    ES512: "ES512";
+}>;
+/**
+ * Zod schema for SecretKeyData.
+ */
+export declare const secretKeyDataSchema: z.ZodObject<{
+    kid: z.ZodString;
+    createdAt: z.ZodNumber;
+    version: z.ZodNumber;
+    type: z.ZodLiteral<"secret">;
+    secret: z.ZodString;
+    bytes: z.ZodNumber;
+}, z.core.$strip>;
+/**
+ * Zod schema for AsymmetricKeyData.
+ */
+export declare const asymmetricKeyDataSchema: z.ZodObject<{
+    kid: z.ZodString;
+    createdAt: z.ZodNumber;
+    version: z.ZodNumber;
+    type: z.ZodLiteral<"asymmetric">;
+    alg: z.ZodEnum<{
+        RS256: "RS256";
+        RS384: "RS384";
+        RS512: "RS512";
+        ES256: "ES256";
+        ES384: "ES384";
+        ES512: "ES512";
+    }>;
+    privateKey: z.ZodObject<{
+        kty: z.ZodOptional<z.ZodString>;
+        use: z.ZodOptional<z.ZodString>;
+        alg: z.ZodOptional<z.ZodString>;
+        kid: z.ZodOptional<z.ZodString>;
+        n: z.ZodOptional<z.ZodString>;
+        e: z.ZodOptional<z.ZodString>;
+        d: z.ZodOptional<z.ZodString>;
+        p: z.ZodOptional<z.ZodString>;
+        q: z.ZodOptional<z.ZodString>;
+        dp: z.ZodOptional<z.ZodString>;
+        dq: z.ZodOptional<z.ZodString>;
+        qi: z.ZodOptional<z.ZodString>;
+        x: z.ZodOptional<z.ZodString>;
+        y: z.ZodOptional<z.ZodString>;
+        crv: z.ZodOptional<z.ZodString>;
+    }, z.core.$loose>;
+    publicJwk: z.ZodObject<{
+        keys: z.ZodArray<z.ZodObject<{
+            kty: z.ZodOptional<z.ZodString>;
+            use: z.ZodOptional<z.ZodString>;
+            alg: z.ZodOptional<z.ZodString>;
+            kid: z.ZodOptional<z.ZodString>;
+            n: z.ZodOptional<z.ZodString>;
+            e: z.ZodOptional<z.ZodString>;
+            d: z.ZodOptional<z.ZodString>;
+            p: z.ZodOptional<z.ZodString>;
+            q: z.ZodOptional<z.ZodString>;
+            dp: z.ZodOptional<z.ZodString>;
+            dq: z.ZodOptional<z.ZodString>;
+            qi: z.ZodOptional<z.ZodString>;
+            x: z.ZodOptional<z.ZodString>;
+            y: z.ZodOptional<z.ZodString>;
+            crv: z.ZodOptional<z.ZodString>;
+        }, z.core.$loose>>;
+    }, z.core.$strip>;
+}, z.core.$strip>;
+/**
+ * Zod schema for AnyKeyData (discriminated union).
+ */
+export declare const anyKeyDataSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
+    kid: z.ZodString;
+    createdAt: z.ZodNumber;
+    version: z.ZodNumber;
+    type: z.ZodLiteral<"secret">;
+    secret: z.ZodString;
+    bytes: z.ZodNumber;
+}, z.core.$strip>, z.ZodObject<{
+    kid: z.ZodString;
+    createdAt: z.ZodNumber;
+    version: z.ZodNumber;
+    type: z.ZodLiteral<"asymmetric">;
+    alg: z.ZodEnum<{
+        RS256: "RS256";
+        RS384: "RS384";
+        RS512: "RS512";
+        ES256: "ES256";
+        ES384: "ES384";
+        ES512: "ES512";
+    }>;
+    privateKey: z.ZodObject<{
+        kty: z.ZodOptional<z.ZodString>;
+        use: z.ZodOptional<z.ZodString>;
+        alg: z.ZodOptional<z.ZodString>;
+        kid: z.ZodOptional<z.ZodString>;
+        n: z.ZodOptional<z.ZodString>;
+        e: z.ZodOptional<z.ZodString>;
+        d: z.ZodOptional<z.ZodString>;
+        p: z.ZodOptional<z.ZodString>;
+        q: z.ZodOptional<z.ZodString>;
+        dp: z.ZodOptional<z.ZodString>;
+        dq: z.ZodOptional<z.ZodString>;
+        qi: z.ZodOptional<z.ZodString>;
+        x: z.ZodOptional<z.ZodString>;
+        y: z.ZodOptional<z.ZodString>;
+        crv: z.ZodOptional<z.ZodString>;
+    }, z.core.$loose>;
+    publicJwk: z.ZodObject<{
+        keys: z.ZodArray<z.ZodObject<{
+            kty: z.ZodOptional<z.ZodString>;
+            use: z.ZodOptional<z.ZodString>;
+            alg: z.ZodOptional<z.ZodString>;
+            kid: z.ZodOptional<z.ZodString>;
+            n: z.ZodOptional<z.ZodString>;
+            e: z.ZodOptional<z.ZodString>;
+            d: z.ZodOptional<z.ZodString>;
+            p: z.ZodOptional<z.ZodString>;
+            q: z.ZodOptional<z.ZodString>;
+            dp: z.ZodOptional<z.ZodString>;
+            dq: z.ZodOptional<z.ZodString>;
+            qi: z.ZodOptional<z.ZodString>;
+            x: z.ZodOptional<z.ZodString>;
+            y: z.ZodOptional<z.ZodString>;
+            crv: z.ZodOptional<z.ZodString>;
+        }, z.core.$loose>>;
+    }, z.core.$strip>;
+}, z.core.$strip>], "type">;
+/**
+ * Result of validating key data.
+ */
+export interface KeyValidationResult {
+    /** Whether the key data is valid */
+    valid: boolean;
+    /** Parsed key data if valid */
+    data?: AnyKeyData;
+    /** Error message if invalid */
+    error?: string;
+}
+/**
+ * Validate key data structure and timestamps.
+ *
+ * Checks:
+ * - Schema validation
+ * - createdAt is not in the future (with 1 minute drift allowance)
+ * - createdAt is not too old (100 years)
+ *
+ * @param data - Data to validate
+ * @returns Validation result
+ */
+export declare function validateKeyData(data: unknown): KeyValidationResult;
+/**
+ * Parse and validate key data.
+ *
+ * @param data - Raw data to parse
+ * @returns Parsed key data or null if invalid
+ */
+export declare function parseKeyData(data: unknown): AnyKeyData | null;
+/**
+ * Check if key data is a secret key.
+ */
+export declare function isSecretKeyData(data: AnyKeyData): data is SecretKeyData;
+/**
+ * Check if key data is an asymmetric key.
+ */
+export declare function isAsymmetricKeyData(data: AnyKeyData): data is AsymmetricKeyData;

package/crypto/key-persistence/types.d.ts

@@ -0,0 +1,120 @@
+/**
+ * Types for unified key persistence.
+ *
+ * Supports both symmetric secrets and asymmetric key pairs
+ * with a unified storage interface.
+ *
+ * @module @frontmcp/utils/key-persistence
+ */
+import type { StorageAdapter } from '../../storage/types';
+/**
+ * Base interface for all key data types.
+ */
+export interface BaseKeyData {
+    /** Unique key identifier */
+    kid: string;
+    /** Creation timestamp (ms since epoch) */
+    createdAt: number;
+    /** Schema version for migrations */
+    version: number;
+}
+/**
+ * Symmetric secret key data.
+ * Used for encryption, HMAC, and other symmetric operations.
+ */
+export interface SecretKeyData extends BaseKeyData {
+    type: 'secret';
+    /** Base64url-encoded secret bytes */
+    secret: string;
+    /** Number of bytes in the secret */
+    bytes: number;
+}
+/**
+ * Asymmetric key pair data (RSA or EC).
+ * Used for JWT signing and verification.
+ */
+export interface AsymmetricKeyData extends BaseKeyData {
+    type: 'asymmetric';
+    /** Algorithm identifier (RS256, RS384, RS512, ES256, ES384, ES512) */
+    alg: 'RS256' | 'RS384' | 'RS512' | 'ES256' | 'ES384' | 'ES512';
+    /** Private key in JWK format */
+    privateKey: JsonWebKey;
+    /** Public JWKS for verification (contains keys array) */
+    publicJwk: {
+        keys: JsonWebKey[];
+    };
+}
+/**
+ * Union of all key types.
+ */
+export type AnyKeyData = SecretKeyData | AsymmetricKeyData;
+/**
+ * Options for KeyPersistence constructor.
+ */
+export interface KeyPersistenceOptions {
+    /**
+     * Storage adapter for key data.
+     * Can be MemoryStorageAdapter, FileSystemStorageAdapter, or any StorageAdapter.
+     */
+    storage: StorageAdapter;
+    /**
+     * Whether to throw an error on invalid key data.
+     * If false, invalid data is silently ignored (returns null).
+     * @default false
+     */
+    throwOnInvalid?: boolean;
+    /**
+     * Enable in-memory caching for faster reads.
+     * @default true
+     */
+    enableCache?: boolean;
+}
+/**
+ * Options for creating a KeyPersistence instance.
+ */
+export interface CreateKeyPersistenceOptions {
+    /**
+     * Storage type.
+     * - 'auto': Auto-detect based on environment (filesystem in Node.js, memory in browser)
+     * - 'memory': Always use memory (keys lost on restart)
+     * - 'filesystem': Always use filesystem (Node.js only)
+     * @default 'auto'
+     */
+    type?: 'auto' | 'memory' | 'filesystem';
+    /**
+     * Base directory for filesystem storage.
+     * Only used when type is 'filesystem' or 'auto' in Node.js.
+     * @default '.frontmcp/keys'
+     */
+    baseDir?: string;
+    /**
+     * Whether to throw on invalid key data.
+     * @default false
+     */
+    throwOnInvalid?: boolean;
+    /**
+     * Enable in-memory caching.
+     * @default true
+     */
+    enableCache?: boolean;
+}
+/**
+ * Options for creating a secret key.
+ */
+export interface CreateSecretOptions {
+    /**
+     * Number of bytes to generate.
+     * @default 32 (256 bits)
+     */
+    bytes?: number;
+}
+/**
+ * Options for creating an asymmetric key.
+ */
+export interface CreateAsymmetricOptions {
+    /**
+     * Algorithm to use.
+     * @default 'RS256'
+     */
+    alg?: AsymmetricKeyData['alg'];
+}