npm - @hammadj/better-auth-oauth-provider - Versions diffs - 1.5.0-beta.9 - Mend

@hammadj/better-auth-oauth-provider 1.5.0-beta.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/LICENSE.md +20 -0
package/dist/client-resource.d.mts +21 -0
package/dist/client-resource.mjs +89 -0
package/dist/client-resource.mjs.map +1 -0
package/dist/client.d.mts +5 -0
package/dist/client.mjs +39 -0
package/dist/client.mjs.map +1 -0
package/dist/index.d.mts +1268 -0
package/dist/index.mjs +3724 -0
package/dist/index.mjs.map +1 -0
package/dist/utils-BSruxDcm.mjs +298 -0
package/dist/utils-BSruxDcm.mjs.map +1 -0
package/package.json +83 -0

package/dist/index.mjs ADDED Viewed

@@ -0,0 +1,3724 @@
+import { a as getJwtPlugin, c as parseClientMetadata, d as storeToken, f as validateClientCredentials, i as getClient, l as parsePrompt, m as mcpHandler, n as decryptStoredClientSecret, r as deleteFromPrompt, s as getStoredToken, t as basicToClientCredentials, u as storeClientSecret } from "./utils-BSruxDcm.mjs";
+import { APIError, createAuthEndpoint, createAuthMiddleware, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
+import { generateCodeChallenge, getJwks, verifyJwsAccessToken } from "better-auth/oauth2";
+import { APIError as APIError$1 } from "better-call";
+import { BetterAuthError } from "@better-auth/core/error";
+import { constantTimeEqual, generateRandomString, makeSignature } from "better-auth/crypto";
+import { defineRequestState } from "@better-auth/core/context";
+import { logger } from "@better-auth/core/env";
+import { parseSetCookieHeader } from "better-auth/cookies";
+import { mergeSchema } from "better-auth/db";
+import * as z from "zod";
+import { signJWT, toExpJWT } from "better-auth/plugins";
+import { SignJWT, compactVerify, createLocalJWKSet, decodeJwt } from "jose";
+//#region src/metadata.ts
+function authServerMetadata(ctx, opts, overrides) {
+	const baseURL = ctx.context.baseURL;
+	return {
+		scopes_supported: overrides?.scopes_supported,
+		issuer: opts?.jwt?.issuer ?? baseURL,
+		authorization_endpoint: `${baseURL}/oauth2/authorize`,
+		token_endpoint: `${baseURL}/oauth2/token`,
+		jwks_uri: overrides?.jwt_disabled ? void 0 : opts?.jwks?.remoteUrl ?? `${baseURL}${opts?.jwks?.jwksPath ?? "/jwks"}`,
+		registration_endpoint: `${baseURL}/oauth2/register`,
+		introspection_endpoint: `${baseURL}/oauth2/introspect`,
+		revocation_endpoint: `${baseURL}/oauth2/revoke`,
+		response_types_supported: overrides?.grant_types_supported && !overrides.grant_types_supported.includes("authorization_code") ? [] : ["code"],
+		response_modes_supported: ["query"],
+		grant_types_supported: overrides?.grant_types_supported ?? [
+			"authorization_code",
+			"client_credentials",
+			"refresh_token"
+		],
+		token_endpoint_auth_methods_supported: [
+			...overrides?.public_client_supported ? ["none"] : [],
+			"client_secret_basic",
+			"client_secret_post"
+		],
+		introspection_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post"],
+		revocation_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post"],
+		code_challenge_methods_supported: ["S256"]
+	};
+}
+function oidcServerMetadata(ctx, opts) {
+	const baseURL = ctx.context.baseURL;
+	const jwtPluginOptions = opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context).options;
+	return {
+		...authServerMetadata(ctx, jwtPluginOptions, {
+			scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
+			public_client_supported: opts.allowUnauthenticatedClientRegistration,
+			grant_types_supported: opts.grantTypes,
+			jwt_disabled: opts.disableJwtPlugin
+		}),
+		claims_supported: opts?.advertisedMetadata?.claims_supported ?? opts?.claims ?? [],
+		userinfo_endpoint: `${baseURL}/oauth2/userinfo`,
+		subject_types_supported: ["public"],
+		id_token_signing_alg_values_supported: jwtPluginOptions?.jwks?.keyPairConfig?.alg ? [jwtPluginOptions?.jwks?.keyPairConfig?.alg] : opts.disableJwtPlugin ? ["HS256"] : ["EdDSA"],
+		end_session_endpoint: `${baseURL}/oauth2/end-session`,
+		acr_values_supported: ["urn:mace:incommon:iap:bronze"],
+		prompt_values_supported: [
+			"login",
+			"consent",
+			"create",
+			"select_account"
+		]
+	};
+}
+/**
+* Provides an exportable `/.well-known/oauth-authorization-server`.
+*
+* Useful when basePath prevents the endpoint from being located at the root
+* and must be provided manually.
+*
+* @external
+*/
+const oauthProviderAuthServerMetadata = (auth, opts) => {
+	return async (_request) => {
+		const res = await auth.api.getOAuthServerConfig();
+		return new Response(JSON.stringify(res), {
+			status: 200,
+			headers: {
+				"Cache-Control": "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400",
+				...opts?.headers,
+				"Content-Type": "application/json"
+			}
+		});
+	};
+};
+/**
+* Provides an exportable `/.well-known/openid-configuration`.
+*
+* Useful when basePath prevents the endpoint from being located at the root
+* and must be provided manually.
+*
+* @external
+*/
+const oauthProviderOpenIdConfigMetadata = (auth, opts) => {
+	return async (_request) => {
+		const res = await auth.api.getOpenIdConfig();
+		return new Response(JSON.stringify(res), {
+			status: 200,
+			headers: {
+				"Cache-Control": "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400",
+				...opts?.headers,
+				"Content-Type": "application/json"
+			}
+		});
+	};
+};
+//#endregion
+//#region src/authorize.ts
+/**
+* Formats an error url
+*/
+function formatErrorURL(url, error, description, state) {
+	const searchParams = new URLSearchParams({
+		error,
+		error_description: description
+	});
+	state && searchParams.append("state", state);
+	return `${url}${url.includes("?") ? "&" : "?"}${searchParams.toString()}`;
+}
+const handleRedirect = (ctx, uri) => {
+	if (ctx.headers?.get("accept")?.includes("application/json")) return {
+		redirect: true,
+		url: uri.toString()
+	};
+	else throw ctx.redirect(uri);
+};
+/**
+* Error page url if redirect_uri has not been verified yet
+* Generates Url for custom error page
+*/
+function getErrorURL(ctx, error, description) {
+	return formatErrorURL(ctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`, error, description);
+}
+async function authorizeEndpoint(ctx, opts, settings) {
+	if (opts.grantTypes && !opts.grantTypes.includes("authorization_code")) throw new APIError$1("NOT_FOUND");
+	if (!ctx.request) throw new APIError$1("UNAUTHORIZED", {
+		error_description: "request not found",
+		error: "invalid_request"
+	});
+	const query = ctx.query;
+	if (!query.client_id) throw ctx.redirect(getErrorURL(ctx, "invalid_client", "client_id is required"));
+	if (!query.response_type) throw ctx.redirect(getErrorURL(ctx, "invalid_request", "response_type is required"));
+	const promptSet = ctx.query?.prompt ? parsePrompt(ctx.query?.prompt) : void 0;
+	if (promptSet?.has("select_account") && !opts.selectAccount?.page) throw ctx.redirect(getErrorURL(ctx, `unsupported_prompt_select_account`, "unsupported prompt type"));
+	if (!(query.response_type === "code")) throw ctx.redirect(getErrorURL(ctx, "unsupported_response_type", "unsupported response type"));
+	const client = await getClient(ctx, opts, query.client_id);
+	if (!client) throw ctx.redirect(getErrorURL(ctx, "invalid_client", "client_id is required"));
+	if (client.disabled) throw ctx.redirect(getErrorURL(ctx, "client_disabled", "client is disabled"));
+	if (!client.redirectUris?.find((url) => url === query.redirect_uri) || !query.redirect_uri) throw ctx.redirect(getErrorURL(ctx, "invalid_redirect", "invalid redirect uri"));
+	let requestedScopes = query.scope?.split(" ").filter((s) => s);
+	if (requestedScopes) {
+		const validScopes = new Set(client.scopes ?? opts.scopes);
+		const invalidScopes = requestedScopes.filter((scope) => {
+			return !validScopes?.has(scope) || scope === "offline_access" && (query.code_challenge_method !== "S256" || !query.code_challenge);
+		});
+		if (invalidScopes.length) throw ctx.redirect(formatErrorURL(query.redirect_uri, "invalid_scope", `The following scopes are invalid: ${invalidScopes.join(", ")}`, query.state));
+	}
+	if (!requestedScopes) {
+		requestedScopes = client.scopes ?? opts.scopes ?? [];
+		query.scope = requestedScopes.join(" ");
+	}
+	if (!query.code_challenge || !query.code_challenge_method) throw ctx.redirect(formatErrorURL(query.redirect_uri, "invalid_request", "pkce is required", query.state));
+	if (!["S256"].includes(query.code_challenge_method)) throw ctx.redirect(formatErrorURL(query.redirect_uri, "invalid_request", "invalid code_challenge method", query.state));
+	const session = await getSessionFromCtx(ctx);
+	if (!session || promptSet?.has("login") || promptSet?.has("create")) return redirectWithPromptCode(ctx, opts, promptSet?.has("create") ? "create" : "login");
+	if (settings?.isAuthorize && promptSet?.has("select_account")) return redirectWithPromptCode(ctx, opts, "select_account");
+	if (settings?.isAuthorize && opts.selectAccount) {
+		if (await opts.selectAccount.shouldRedirect({
+			headers: ctx.request.headers,
+			user: session.user,
+			session: session.session,
+			scopes: requestedScopes
+		})) return redirectWithPromptCode(ctx, opts, "select_account");
+	}
+	if (opts.signup?.shouldRedirect) {
+		const signupRedirect = await opts.signup.shouldRedirect({
+			headers: ctx.request.headers,
+			user: session.user,
+			session: session.session,
+			scopes: requestedScopes
+		});
+		if (signupRedirect) return redirectWithPromptCode(ctx, opts, "create", typeof signupRedirect === "string" ? signupRedirect : void 0);
+	}
+	if (!settings?.postLogin && opts.postLogin) {
+		if (await opts.postLogin.shouldRedirect({
+			headers: ctx.request.headers,
+			user: session.user,
+			session: session.session,
+			scopes: requestedScopes
+		})) return redirectWithPromptCode(ctx, opts, "post_login");
+	}
+	if (promptSet?.has("consent")) return redirectWithPromptCode(ctx, opts, "consent");
+	const referenceId = await opts.postLogin?.consentReferenceId?.({
+		user: session.user,
+		session: session.session,
+		scopes: requestedScopes
+	});
+	if (client.skipConsent) return redirectWithAuthorizationCode(ctx, opts, {
+		query,
+		clientId: client.clientId,
+		userId: session.user.id,
+		sessionId: session.session.id,
+		referenceId
+	});
+	const consent = await ctx.context.adapter.findOne({
+		model: "oauthConsent",
+		where: [
+			{
+				field: "clientId",
+				value: client.clientId
+			},
+			{
+				field: "userId",
+				value: session.user.id
+			},
+			...referenceId ? [{
+				field: "referenceId",
+				value: referenceId
+			}] : []
+		]
+	});
+	if (!consent || !requestedScopes.every((val) => consent.scopes.includes(val))) return redirectWithPromptCode(ctx, opts, "consent");
+	return redirectWithAuthorizationCode(ctx, opts, {
+		query,
+		clientId: client.clientId,
+		userId: session.user.id,
+		sessionId: session.session.id,
+		referenceId
+	});
+}
+async function redirectWithAuthorizationCode(ctx, opts, verificationValue) {
+	const code = generateRandomString(32, "a-z", "A-Z", "0-9");
+	const iat = Math.floor(Date.now() / 1e3);
+	const exp = iat + (opts.codeExpiresIn ?? 600);
+	const data = {
+		identifier: await storeToken(opts.storeTokens, code, "authorization_code"),
+		updatedAt: /* @__PURE__ */ new Date(iat * 1e3),
+		expiresAt: /* @__PURE__ */ new Date(exp * 1e3),
+		value: JSON.stringify({
+			type: "authorization_code",
+			query: ctx.query,
+			userId: verificationValue.userId,
+			sessionId: verificationValue?.sessionId,
+			referenceId: verificationValue.referenceId
+		})
+	};
+	ctx.context.verification_id ? await ctx.context.internalAdapter.updateVerificationValue(ctx.context.verification_id, data) : await ctx.context.internalAdapter.createVerificationValue({
+		...data,
+		createdAt: /* @__PURE__ */ new Date(iat * 1e3)
+	});
+	const redirectUriWithCode = new URL(verificationValue.query.redirect_uri);
+	redirectUriWithCode.searchParams.set("code", code);
+	if (verificationValue.query.state) redirectUriWithCode.searchParams.set("state", verificationValue.query.state);
+	return handleRedirect(ctx, redirectUriWithCode.toString());
+}
+async function redirectWithPromptCode(ctx, opts, type, page) {
+	const queryParams = await signParams(ctx, opts);
+	let path = opts.loginPage;
+	if (type === "select_account") path = opts.selectAccount?.page ?? opts.loginPage;
+	else if (type === "post_login") {
+		if (!opts.postLogin?.page) throw new APIError$1("INTERNAL_SERVER_ERROR", { error_description: "postLogin should have been defined" });
+		path = opts.postLogin?.page;
+	} else if (type === "consent") path = opts.consentPage;
+	else if (type === "create") path = opts.signup?.page ?? opts.loginPage;
+	return handleRedirect(ctx, `${page ?? path}?${queryParams}`);
+}
+async function signParams(ctx, opts) {
+	const exp = Math.floor(Date.now() / 1e3) + (opts.codeExpiresIn ?? 600);
+	const params = new URLSearchParams(ctx.query);
+	params.set("exp", String(exp));
+	const signature = await makeSignature(params.toString(), ctx.context.secret);
+	params.append("sig", signature);
+	return params.toString();
+}
+//#endregion
+//#region src/consent.ts
+async function consentEndpoint(ctx, opts) {
+	const _query = (await oAuthState.get())?.query;
+	if (!_query) throw new APIError("BAD_REQUEST", {
+		error_description: "missing oauth query",
+		error: "invalid_request"
+	});
+	const query = new URLSearchParams(_query);
+	const originalRequestedScopes = query.get("scope")?.split(" ") ?? [];
+	const clientId = query.get("client_id");
+	if (!clientId) throw new APIError("BAD_REQUEST", {
+		error_description: "client_id is required",
+		error: "invalid_client"
+	});
+	const requestedScopes = ctx.body.scope?.split(" ");
+	if (requestedScopes) {
+		if (!requestedScopes.every((sc) => originalRequestedScopes?.includes(sc))) throw new APIError("BAD_REQUEST", {
+			error_description: "Scope not originally requested",
+			error: "invalid_request"
+		});
+	}
+	if (!(ctx.body.accept === true)) return {
+		redirect: true,
+		uri: formatErrorURL(query.get("redirect_uri") ?? "", "access_denied", "User denied access", query.get("state") ?? void 0)
+	};
+	const session = await getSessionFromCtx(ctx);
+	const referenceId = await opts.postLogin?.consentReferenceId?.({
+		user: session?.user,
+		session: session?.session,
+		scopes: requestedScopes ?? originalRequestedScopes
+	});
+	const foundConsent = await ctx.context.adapter.findOne({
+		model: "oauthConsent",
+		where: [
+			{
+				field: "clientId",
+				value: clientId
+			},
+			{
+				field: "userId",
+				value: session?.user.id
+			},
+			...referenceId ? [{
+				field: "referenceId",
+				value: referenceId
+			}] : []
+		]
+	});
+	const iat = Math.floor(Date.now() / 1e3);
+	const consent = {
+		clientId,
+		userId: session?.user.id,
+		scopes: requestedScopes ?? originalRequestedScopes,
+		createdAt: /* @__PURE__ */ new Date(iat * 1e3),
+		updatedAt: /* @__PURE__ */ new Date(iat * 1e3),
+		referenceId
+	};
+	foundConsent?.id ? await ctx.context.adapter.update({
+		model: "oauthConsent",
+		where: [{
+			field: "id",
+			value: foundConsent.id
+		}],
+		update: {
+			scopes: consent.scopes,
+			updatedAt: /* @__PURE__ */ new Date(iat * 1e3)
+		}
+	}) : await ctx.context.adapter.create({
+		model: "oauthConsent",
+		data: {
+			...consent,
+			scopes: consent.scopes
+		}
+	});
+	ctx?.headers?.set("accept", "application/json");
+	ctx.query = deleteFromPrompt(query, "consent");
+	ctx.context.postLogin = true;
+	const { url } = await authorizeEndpoint(ctx, opts);
+	return {
+		redirect: true,
+		uri: url
+	};
+}
+//#endregion
+//#region src/continue.ts
+async function continueEndpoint(ctx, opts) {
+	if (ctx.body.selected === true) return await selected(ctx, opts);
+	else if (ctx.body.created === true) return await created(ctx, opts);
+	else if (ctx.body.postLogin === true) return await postLogin(ctx, opts);
+	else throw new APIError("BAD_REQUEST", {
+		error_description: "Missing parameters",
+		error: "invalid_request"
+	});
+}
+async function selected(ctx, opts) {
+	const _query = (await oAuthState.get())?.query;
+	if (!_query) throw new APIError("BAD_REQUEST", {
+		error_description: "missing oauth query",
+		error: "invalid_request"
+	});
+	ctx.headers?.set("accept", "application/json");
+	ctx.query = deleteFromPrompt(new URLSearchParams(_query), "select_account");
+	const { url } = await authorizeEndpoint(ctx, opts);
+	return {
+		redirect: true,
+		uri: url
+	};
+}
+async function created(ctx, opts) {
+	const _query = (await oAuthState.get())?.query;
+	if (!_query) throw new APIError("BAD_REQUEST", {
+		error_description: "missing oauth query",
+		error: "invalid_request"
+	});
+	ctx.query = deleteFromPrompt(new URLSearchParams(_query), "create");
+	const { url } = await authorizeEndpoint(ctx, opts);
+	return {
+		redirect: true,
+		uri: url
+	};
+}
+async function postLogin(ctx, opts) {
+	const _query = (await oAuthState.get())?.query;
+	if (!_query) throw new APIError("BAD_REQUEST", {
+		error_description: "missing oauth query",
+		error: "invalid_request"
+	});
+	const query = new URLSearchParams(_query);
+	ctx.headers?.set("accept", "application/json");
+	ctx.query = Object.fromEntries(query);
+	const { url } = await authorizeEndpoint(ctx, opts, { postLogin: true });
+	return {
+		redirect: true,
+		uri: url
+	};
+}
+//#endregion
+//#region src/userinfo.ts
+/**
+* Provides shared /userinfo and id_token claims functionality
+*
+* @see https://openid.net/specs/openid-connect-core-1_0.html#NormalClaims
+*/
+function userNormalClaims(user, scopes) {
+	const name = user.name.split(" ").filter((v) => v !== "");
+	const profile = {
+		name: user.name ?? void 0,
+		picture: user.image ?? void 0,
+		given_name: name.length > 1 ? name.slice(0, -1).join(" ") : void 0,
+		family_name: name.length > 1 ? name.at(-1) : void 0
+	};
+	const email = {
+		email: user.email ?? void 0,
+		email_verified: user.emailVerified ?? false
+	};
+	return {
+		sub: user.id ?? void 0,
+		...scopes.includes("profile") ? profile : {},
+		...scopes.includes("email") ? email : {}
+	};
+}
+/**
+* Handles the /oauth2/userinfo endpoint
+*/
+async function userInfoEndpoint(ctx, opts) {
+	if (!ctx.request) throw new APIError("UNAUTHORIZED", {
+		error_description: "request not found",
+		error: "invalid_request"
+	});
+	const authorization = ctx.request.headers.get("authorization");
+	const token = typeof authorization === "string" && authorization?.startsWith("Bearer ") ? authorization?.replace("Bearer ", "") : authorization;
+	if (!token?.length) throw new APIError("UNAUTHORIZED", {
+		error_description: "authorization header not found",
+		error: "invalid_request"
+	});
+	const jwt = await validateAccessToken(ctx, opts, token);
+	const scopes = jwt.scope?.split(" ");
+	if (!scopes?.includes("openid")) throw new APIError("BAD_REQUEST", {
+		error_description: "Missing required scope",
+		error: "invalid_scope"
+	});
+	if (!jwt.sub) throw new APIError("BAD_REQUEST", {
+		error_description: "user not found",
+		error: "invalid_request"
+	});
+	const user = await ctx.context.internalAdapter.findUserById(jwt.sub);
+	if (!user) throw new APIError("BAD_REQUEST", {
+		error_description: "user not found",
+		error: "invalid_request"
+	});
+	const baseUserClaims = userNormalClaims(user, scopes ?? []);
+	const additionalInfoUserClaims = opts.customUserInfoClaims && scopes?.length ? await opts.customUserInfoClaims({
+		user,
+		scopes,
+		jwt
+	}) : {};
+	return {
+		...baseUserClaims,
+		...additionalInfoUserClaims
+	};
+}
+//#endregion
+//#region src/token.ts
+/**
+* Handles the /oauth2/token endpoint by delegating
+* the grant types
+*/
+async function tokenEndpoint(ctx, opts) {
+	const grantType = ctx.body?.grant_type;
+	if (opts.grantTypes && grantType && !opts.grantTypes.includes(grantType)) throw new APIError("BAD_REQUEST", {
+		error_description: `unsupported grant_type ${grantType}`,
+		error: "unsupported_grant_type"
+	});
+	switch (grantType) {
+		case "authorization_code": return handleAuthorizationCodeGrant(ctx, opts);
+		case "client_credentials": return handleClientCredentialsGrant(ctx, opts);
+		case "refresh_token": return handleRefreshTokenGrant(ctx, opts);
+		case void 0: throw new APIError("BAD_REQUEST", {
+			error_description: "missing required grant_type",
+			error: "unsupported_grant_type"
+		});
+		default: throw new APIError("BAD_REQUEST", {
+			error_description: `unsupported grant_type ${grantType}`,
+			error: "unsupported_grant_type"
+		});
+	}
+}
+async function createJwtAccessToken(ctx, opts, user, client, audience, scopes, referenceId, overrides) {
+	const iat = overrides?.iat ?? Math.floor(Date.now() / 1e3);
+	const exp = overrides?.exp ?? iat + (opts.accessTokenExpiresIn ?? 3600);
+	const customClaims = opts.customAccessTokenClaims ? await opts.customAccessTokenClaims({
+		user,
+		scopes,
+		resource: ctx.body.resource,
+		referenceId,
+		metadata: parseClientMetadata(client.metadata)
+	}) : {};
+	const jwtPluginOptions = getJwtPlugin(ctx.context).options;
+	return signJWT(ctx, {
+		options: jwtPluginOptions,
+		payload: {
+			...customClaims,
+			sub: user.id,
+			aud: typeof audience === "string" ? audience : audience?.length === 1 ? audience.at(0) : audience,
+			azp: client.clientId,
+			scope: scopes.join(" "),
+			sid: overrides?.sid,
+			iss: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL,
+			iat,
+			exp
+		}
+	});
+}
+/**
+* Creates a user id token in code_authorization with scope of 'openid'
+* and hybrid/implicit (not yet implemented) flows
+*/
+async function createIdToken(ctx, opts, user, client, scopes, nonce, sessionId) {
+	const iat = Math.floor(Date.now() / 1e3);
+	const exp = iat + (opts.idTokenExpiresIn ?? 36e3);
+	const userClaims = userNormalClaims(user, scopes);
+	const authTime = Math.floor((ctx.context.session?.session.createdAt ?? /* @__PURE__ */ new Date(iat * 1e3)).getTime() / 1e3);
+	const acr = "urn:mace:incommon:iap:bronze";
+	const customClaims = opts.customIdTokenClaims ? await opts.customIdTokenClaims({
+		user,
+		scopes,
+		metadata: parseClientMetadata(client.metadata)
+	}) : {};
+	const jwtPluginOptions = opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context).options;
+	const payload = {
+		...customClaims,
+		...userClaims,
+		auth_time: authTime,
+		acr,
+		iss: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL,
+		sub: user.id,
+		aud: client.clientId,
+		nonce,
+		iat,
+		exp,
+		sid: client.enableEndSession ? sessionId : void 0
+	};
+	if (opts.disableJwtPlugin && !client.clientSecret) return;
+	return opts.disableJwtPlugin ? new SignJWT(payload).setProtectedHeader({ alg: "HS256" }).sign(new TextEncoder().encode(await decryptStoredClientSecret(ctx, opts.storeClientSecret, client.clientSecret))) : signJWT(ctx, {
+		options: jwtPluginOptions,
+		payload
+	});
+}
+/**
+* Encodes a refresh token for a client
+*/
+async function encodeRefreshToken(opts, token, sessionId) {
+	return (opts.prefix?.refreshToken ?? "") + (opts.formatRefreshToken?.encrypt ? opts.formatRefreshToken.encrypt(token, sessionId) : token);
+}
+/**
+* Decodes a refresh token for a client
+*
+* @internal
+*/
+async function decodeRefreshToken(opts, token) {
+	if (opts.prefix?.refreshToken) if (token.startsWith(opts.prefix.refreshToken)) token = token.replace(opts.prefix.refreshToken, "");
+	else throw new APIError("BAD_REQUEST", {
+		error_description: "refresh token not found",
+		error: "invalid_token"
+	});
+	return opts.formatRefreshToken?.decrypt ? opts.formatRefreshToken?.decrypt(token) : { token };
+}
+async function createOpaqueAccessToken(ctx, opts, user, client, scopes, payload, referenceId, refreshId) {
+	const iat = payload.iat ?? Math.floor(Date.now() / 1e3);
+	const exp = payload?.exp ?? iat + (opts.accessTokenExpiresIn ?? 3600);
+	const token = opts.generateOpaqueAccessToken ? await opts.generateOpaqueAccessToken() : generateRandomString(32, "A-Z", "a-z");
+	await ctx.context.adapter.create({
+		model: "oauthAccessToken",
+		data: {
+			token: await storeToken(opts.storeTokens, token, "access_token"),
+			clientId: client.clientId,
+			sessionId: payload?.sid,
+			userId: user?.id,
+			referenceId,
+			refreshId,
+			scopes,
+			createdAt: /* @__PURE__ */ new Date(iat * 1e3),
+			expiresAt: /* @__PURE__ */ new Date(exp * 1e3)
+		}
+	});
+	return (opts.prefix?.opaqueAccessToken ?? "") + token;
+}
+async function createRefreshToken(ctx, opts, user, referenceId, client, scopes, payload, originalRefresh) {
+	const iat = payload.iat ?? Math.floor(Date.now() / 1e3);
+	const exp = payload?.exp ?? iat + (opts.refreshTokenExpiresIn ?? 2592e3);
+	const token = opts.generateRefreshToken ? await opts.generateRefreshToken() : generateRandomString(32, "A-Z", "a-z");
+	const sessionId = payload?.sid;
+	if (originalRefresh?.id) await ctx.context.adapter.update({
+		model: "oauthRefreshToken",
+		where: [{
+			field: "id",
+			value: originalRefresh.id
+		}],
+		update: { revoked: /* @__PURE__ */ new Date(iat * 1e3) }
+	});
+	return {
+		id: (await ctx.context.adapter.create({
+			model: "oauthRefreshToken",
+			data: {
+				token: await storeToken(opts.storeTokens, token, "refresh_token"),
+				clientId: client.clientId,
+				sessionId,
+				userId: user.id,
+				referenceId,
+				scopes,
+				createdAt: /* @__PURE__ */ new Date(iat * 1e3),
+				expiresAt: /* @__PURE__ */ new Date(exp * 1e3)
+			}
+		})).id,
+		token: await encodeRefreshToken(opts, token, sessionId)
+	};
+}
+/**
+* Checks the resource parameter, if provided,
+* and returns a valid audience based on the request
+*/
+async function checkResource(ctx, opts, scopes) {
+	const resource = ctx.body.resource;
+	const audience = typeof resource === "string" ? [resource] : resource ? [...resource] : void 0;
+	if (audience) {
+		if (scopes.includes("openid")) audience.push(`${ctx.context.baseURL}/oauth2/userinfo`);
+		const validAudiences = new Set([...opts.validAudiences ?? [ctx.context.baseURL], scopes?.includes("openid") ? `${ctx.context.baseURL}/oauth2/userinfo` : void 0].flat().filter((v) => v?.length));
+		for (const aud of audience) if (!validAudiences.has(aud)) throw new APIError("BAD_REQUEST", {
+			error_description: "requested resource invalid",
+			error: "invalid_request"
+		});
+	}
+	return audience?.length === 1 ? audience.at(0) : audience;
+}
+async function createUserTokens(ctx, opts, client, scopes, user, referenceId, sessionId, nonce, additional) {
+	const iat = Math.floor(Date.now() / 1e3);
+	const defaultExp = iat + (opts.accessTokenExpiresIn ?? 3600);
+	const exp = opts.scopeExpirations ? scopes.map((sc) => opts.scopeExpirations?.[sc] ? toExpJWT(opts.scopeExpirations[sc], iat) : defaultExp).reduce((prev, curr) => {
+		return prev < curr ? prev : curr;
+	}, defaultExp) : defaultExp;
+	const audience = await checkResource(ctx, opts, scopes);
+	const isRefreshToken = additional?.refreshToken?.scopes?.includes("offline_access") || scopes.includes("offline_access");
+	const isJwtAccessToken = audience && !opts.disableJwtPlugin;
+	const isIdToken = scopes.includes("openid");
+	const earlyRefreshToken = isRefreshToken && !isJwtAccessToken ? await createRefreshToken(ctx, opts, user, referenceId, client, scopes, {
+		iat,
+		exp: iat + (opts.refreshTokenExpiresIn ?? 2592e3),
+		sid: sessionId
+	}, additional?.refreshToken) : void 0;
+	const [accessToken, refreshToken, idToken] = await Promise.all([
+		isJwtAccessToken ? createJwtAccessToken(ctx, opts, user, client, audience, scopes, referenceId, {
+			iat,
+			exp,
+			sid: sessionId
+		}) : createOpaqueAccessToken(ctx, opts, user, client, scopes, {
+			iat,
+			exp,
+			sid: sessionId
+		}, referenceId, earlyRefreshToken?.id),
+		earlyRefreshToken ? earlyRefreshToken : isRefreshToken ? createRefreshToken(ctx, opts, user, referenceId, client, scopes, {
+			iat,
+			exp: iat + (opts.refreshTokenExpiresIn ?? 2592e3),
+			sid: sessionId
+		}, additional?.refreshToken) : void 0,
+		isIdToken ? createIdToken(ctx, opts, user, client, scopes, nonce, sessionId) : void 0
+	]);
+	return ctx.json({
+		access_token: accessToken,
+		expires_in: exp - iat,
+		expires_at: exp,
+		token_type: "Bearer",
+		refresh_token: refreshToken?.token,
+		scope: scopes.join(" "),
+		id_token: idToken
+	}, { headers: {
+		"Cache-Control": "no-store",
+		Pragma: "no-cache"
+	} });
+}
+/** Checks verification value */
+async function checkVerificationValue(ctx, opts, code, client_id, redirect_uri) {
+	const verification = await ctx.context.internalAdapter.findVerificationValue(await storeToken(opts.storeTokens, code, "authorization_code"));
+	const verificationValue = verification ? JSON.parse(verification?.value) : void 0;
+	if (!verification) throw new APIError("UNAUTHORIZED", {
+		error_description: "Invalid code",
+		error: "invalid_verification"
+	});
+	if (verification?.id) await ctx.context.internalAdapter.deleteVerificationValue(verification.id);
+	if (!verification.expiresAt || verification.expiresAt < /* @__PURE__ */ new Date()) throw new APIError("UNAUTHORIZED", {
+		error_description: "code expired",
+		error: "invalid_verification"
+	});
+	if (!verificationValue) throw new APIError("UNAUTHORIZED", {
+		error_description: "missing verification value content",
+		error: "invalid_verification"
+	});
+	if (verificationValue.type !== "authorization_code") throw new APIError("UNAUTHORIZED", {
+		error_description: "incorrect verification type",
+		error: "invalid_verification"
+	});
+	if (verificationValue.query.client_id !== client_id) throw new APIError("UNAUTHORIZED", {
+		error_description: "invalid client_id",
+		error: "invalid_client"
+	});
+	if (!verificationValue.userId) throw new APIError("BAD_REQUEST", {
+		error_description: "missing user_id on challenge",
+		error: "invalid_user"
+	});
+	if (verificationValue.query?.redirect_uri && verificationValue.query?.redirect_uri !== redirect_uri) throw new APIError("BAD_REQUEST", {
+		error_description: "missing verification redirect_uri",
+		error: "invalid_request"
+	});
+	return verificationValue;
+}
+/**
+* Obtains new Session Jwt and Refresh Tokens using a code
+*/
+async function handleAuthorizationCodeGrant(ctx, opts) {
+	let { client_id, client_secret, code, code_verifier, redirect_uri } = ctx.body;
+	const authorization = ctx.request?.headers.get("authorization") || null;
+	if (authorization?.startsWith("Basic ")) {
+		const res = basicToClientCredentials(authorization);
+		client_id = res?.client_id;
+		client_secret = res?.client_secret;
+	}
+	if (!client_id) throw new APIError("BAD_REQUEST", {
+		error_description: "client_id is required",
+		error: "invalid_request"
+	});
+	if (!code) throw new APIError("BAD_REQUEST", {
+		error_description: "code is required",
+		error: "invalid_request"
+	});
+	if (!redirect_uri) throw new APIError("BAD_REQUEST", {
+		error_description: "redirect_uri is required",
+		error: "invalid_request"
+	});
+	const isAuthCodeWithSecret = client_id && client_secret;
+	const isAuthCodeWithPkce = client_id && code && code_verifier;
+	if (!(isAuthCodeWithPkce || isAuthCodeWithSecret)) throw new APIError("BAD_REQUEST", {
+		error_description: "Missing a required credential value for authorization_code grant",
+		error: "invalid_request"
+	});
+	/** Get and check Verification Value */
+	const verificationValue = await checkVerificationValue(ctx, opts, code, client_id, redirect_uri);
+	const scopes = verificationValue.query.scope?.split(" ");
+	if (!scopes) throw new APIError("INTERNAL_SERVER_ERROR", {
+		error_description: "verification scope unset",
+		error: "invalid_scope"
+	});
+	/** Verify Client */
+	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, scopes);
+	/** Check challenge */
+	const challenge = code_verifier && verificationValue.query?.code_challenge_method === "S256" ? await generateCodeChallenge(code_verifier) : void 0;
+	if (isAuthCodeWithSecret && (challenge || verificationValue?.query?.code_challenge) && challenge !== verificationValue.query?.code_challenge) throw new APIError("UNAUTHORIZED", {
+		error_description: "code verification failed",
+		error: "invalid_request"
+	});
+	if (isAuthCodeWithPkce && challenge !== verificationValue.query?.code_challenge) throw new APIError("UNAUTHORIZED", {
+		error_description: "code verification failed",
+		error: "invalid_request"
+	});
+	/** Get user */
+	if (!verificationValue.userId) throw new APIError("BAD_REQUEST", {
+		error_description: "missing user, user may have been deleted",
+		error: "invalid_user"
+	});
+	const user = await ctx.context.internalAdapter.findUserById(verificationValue.userId);
+	if (!user) throw new APIError("BAD_REQUEST", {
+		error_description: "missing user, user may have been deleted",
+		error: "invalid_user"
+	});
+	const session = await ctx.context.adapter.findOne({
+		model: "session",
+		where: [{
+			field: "id",
+			value: verificationValue.sessionId
+		}]
+	});
+	if (!session || session.expiresAt < /* @__PURE__ */ new Date()) throw new APIError("BAD_REQUEST", {
+		error_description: "session no longer exists",
+		error: "invalid_request"
+	});
+	return createUserTokens(ctx, opts, client, verificationValue.query.scope?.split(" ") ?? [], user, verificationValue.referenceId, session.id, verificationValue.query?.nonce);
+}
+/**
+* Grant that allows direct access to an API using the application's credentials
+* This grant is for M2M so the concept of a user id does not exist on the token.
+*
+* MUST follow https://datatracker.ietf.org/doc/html/rfc6749#section-4.4
+*/
+async function handleClientCredentialsGrant(ctx, opts) {
+	let { client_id, client_secret, scope } = ctx.body;
+	const authorization = ctx.request?.headers.get("authorization") || null;
+	if (authorization?.startsWith("Basic ")) {
+		const res = basicToClientCredentials(authorization);
+		client_id = res?.client_id;
+		client_secret = res?.client_secret;
+	}
+	if (!client_id) throw new APIError("BAD_REQUEST", {
+		error_description: "Missing required client_id",
+		error: "invalid_grant"
+	});
+	if (!client_secret) throw new APIError("BAD_REQUEST", {
+		error_description: "Missing a required client_secret",
+		error: "invalid_grant"
+	});
+	const client = await validateClientCredentials(ctx, opts, client_id, client_secret);
+	let requestedScopes = scope?.split(" ");
+	if (requestedScopes) {
+		const validScopes = new Set(client.scopes ?? opts.scopes);
+		const oidcScopes = new Set([
+			"openid",
+			"profile",
+			"email",
+			"offline_access"
+		]);
+		const invalidScopes = requestedScopes.filter((scope) => {
+			return !validScopes?.has(scope) || oidcScopes.has(scope);
+		});
+		if (invalidScopes.length) throw new APIError("BAD_REQUEST", {
+			error_description: `The following scopes are invalid: ${invalidScopes.join(", ")}`,
+			error: "invalid_scope"
+		});
+	}
+	if (!requestedScopes) requestedScopes = client.scopes ?? opts.clientCredentialGrantDefaultScopes ?? opts.scopes ?? [];
+	const jwtPluginOptions = opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context).options;
+	const audience = await checkResource(ctx, opts, requestedScopes);
+	const iat = Math.floor(Date.now() / 1e3);
+	const defaultExp = iat + (opts.m2mAccessTokenExpiresIn ?? 3600);
+	const exp = opts.scopeExpirations && requestedScopes ? requestedScopes.map((sc) => opts.scopeExpirations?.[sc] ? toExpJWT(opts.scopeExpirations[sc], iat) : defaultExp).reduce((prev, curr) => {
+		return prev < curr ? prev : curr;
+	}, defaultExp) : defaultExp;
+	const customClaims = opts.customAccessTokenClaims ? await opts.customAccessTokenClaims({
+		scopes: requestedScopes,
+		resource: ctx.body.resource,
+		metadata: parseClientMetadata(client.metadata)
+	}) : {};
+	const accessToken = audience && !opts.disableJwtPlugin ? await signJWT(ctx, {
+		options: jwtPluginOptions,
+		payload: {
+			...customClaims,
+			aud: audience,
+			azp: client.clientId,
+			scope: requestedScopes.join(" "),
+			iss: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL,
+			iat,
+			exp
+		}
+	}) : await createOpaqueAccessToken(ctx, opts, void 0, client, requestedScopes, {
+		iat,
+		exp
+	});
+	return ctx.json({
+		access_token: accessToken,
+		expires_in: exp - iat,
+		expires_at: exp,
+		token_type: "Bearer",
+		scope: requestedScopes.join(" ")
+	}, { headers: {
+		"Cache-Control": "no-store",
+		Pragma: "no-cache"
+	} });
+}
+/**
+* Obtains new Session Jwt and Refresh Tokens using a refresh token
+*
+* Refresh tokens will only allow the same or lesser scopes as the initial authorize request.
+* To add scopes, you must restart the authorize process again.
+*/
+async function handleRefreshTokenGrant(ctx, opts) {
+	let { client_id, client_secret, refresh_token, scope } = ctx.body;
+	const authorization = ctx.request?.headers.get("authorization") || null;
+	if (authorization?.startsWith("Basic ")) {
+		const res = basicToClientCredentials(authorization);
+		client_id = res?.client_id;
+		client_secret = res?.client_secret;
+	}
+	if (!client_id) throw new APIError("BAD_REQUEST", {
+		error_description: "Missing required client_id",
+		error: "invalid_grant"
+	});
+	if (!refresh_token) throw new APIError("BAD_REQUEST", {
+		error_description: "Missing a required refresh_token for refresh_token grant",
+		error: "invalid_grant"
+	});
+	const decodedRefresh = await decodeRefreshToken(opts, refresh_token);
+	const refreshToken = await ctx.context.adapter.findOne({
+		model: "oauthRefreshToken",
+		where: [{
+			field: "token",
+			value: await getStoredToken(opts.storeTokens, decodedRefresh.token, "refresh_token")
+		}]
+	});
+	if (!refreshToken) throw new APIError("BAD_REQUEST", {
+		error_description: "session not found",
+		error: "invalid_request"
+	});
+	if (refreshToken.clientId !== client_id) throw new APIError("BAD_REQUEST", {
+		error_description: "invalid client_id",
+		error: "invalid_client"
+	});
+	if (refreshToken.expiresAt < /* @__PURE__ */ new Date()) throw new APIError("BAD_REQUEST", {
+		error_description: "invalid refresh token",
+		error: "invalid_request"
+	});
+	if (refreshToken.revoked) {
+		await ctx.context.adapter.deleteMany({
+			model: "oauthRefreshToken",
+			where: [{
+				field: "clientId",
+				value: client_id
+			}, {
+				field: "userId",
+				value: refreshToken.userId
+			}]
+		});
+		throw new APIError("BAD_REQUEST", {
+			error_description: "invalid refresh token",
+			error: "invalid_request"
+		});
+	}
+	const scopes = refreshToken?.scopes;
+	const requestedScopes = scope?.split(" ");
+	if (requestedScopes) {
+		const validScopes = new Set(scopes);
+		for (const requestedScope of requestedScopes) if (!validScopes.has(requestedScope)) throw new APIError("BAD_REQUEST", {
+			error_description: `unable to issue scope ${requestedScope}`,
+			error: "invalid_scope"
+		});
+	}
+	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, requestedScopes ?? scopes);
+	const user = await ctx.context.internalAdapter.findUserById(refreshToken.userId);
+	if (!user) throw new APIError("BAD_REQUEST", {
+		error_description: "user not found",
+		error: "invalid_request"
+	});
+	return createUserTokens(ctx, opts, client, requestedScopes ?? scopes, user, refreshToken.referenceId, refreshToken.sessionId, void 0, { refreshToken });
+}
+//#endregion
+//#region src/introspect.ts
+/**
+* IMPORTANT NOTES:
+* Introspection follows RFC7662
+* https://datatracker.ietf.org/doc/html/rfc7662
+* - APIError: Continue catches (returnable to client)
+* - Error: Should immediately stop catches (internal error)
+*/
+/**
+* Validates a JWT access token against the configured JWKs.
+*
+* @returns RFC7662 introspection format
+*/
+async function validateJwtAccessToken(ctx, opts, token, clientId) {
+	const jwtPlugin = opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context);
+	const jwtPluginOptions = jwtPlugin?.options;
+	let jwtPayload;
+	try {
+		jwtPayload = await verifyJwsAccessToken(token, {
+			jwksFetch: jwtPluginOptions?.jwks?.remoteUrl ? jwtPluginOptions.jwks.remoteUrl : async () => {
+				return (await jwtPlugin?.endpoints.getJwks(ctx))?.response;
+			},
+			verifyOptions: {
+				audience: opts.validAudiences ?? ctx.context.baseURL,
+				issuer: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL
+			}
+		});
+	} catch (error) {
+		if (error instanceof Error) {
+			if (error.name === "TypeError" || error.name === "JWSInvalid") throw new APIError$1("BAD_REQUEST", {
+				error_description: "invalid JWT signature",
+				error: "invalid_request"
+			});
+			else if (error.name === "JWTExpired") return { active: false };
+			else if (error.name === "JWTInvalid") return { active: false };
+			throw error;
+		}
+		throw new Error(error);
+	}
+	let client;
+	if (jwtPayload.azp) {
+		client = await getClient(ctx, opts, jwtPayload.azp);
+		if (!client || client?.disabled) return { active: false };
+		if (clientId && jwtPayload.azp !== clientId) return { active: false };
+	}
+	const sessionId = jwtPayload.sid;
+	if (sessionId) {
+		const session = await ctx.context.adapter.findOne({
+			model: "session",
+			where: [{
+				field: "id",
+				value: sessionId
+			}]
+		});
+		if (!session || session.expiresAt < /* @__PURE__ */ new Date()) jwtPayload.sid = void 0;
+	}
+	if (jwtPayload.azp) jwtPayload.client_id = jwtPayload.azp;
+	jwtPayload.active = true;
+	return jwtPayload;
+}
+/**
+* Searches for an opaque access token in the database and validates it
+*
+* @returns RFC7662 introspection format
+*/
+async function validateOpaqueAccessToken(ctx, opts, token, clientId) {
+	let tokenValue = token;
+	if (opts.prefix?.opaqueAccessToken) if (tokenValue.startsWith(opts.prefix.opaqueAccessToken)) tokenValue = tokenValue.replace(opts.prefix.opaqueAccessToken, "");
+	else throw new APIError$1("BAD_REQUEST", {
+		error_description: "opaque access token not found",
+		error: "invalid_request"
+	});
+	const accessToken = await ctx.context.adapter.findOne({
+		model: "oauthAccessToken",
+		where: [{
+			field: "token",
+			value: await getStoredToken(opts.storeTokens, tokenValue, "access_token")
+		}]
+	});
+	if (!accessToken) throw new APIError$1("BAD_REQUEST", {
+		error_description: "opaque access token not found",
+		error: "invalid_token"
+	});
+	if (!accessToken.expiresAt || accessToken.expiresAt < /* @__PURE__ */ new Date()) return { active: false };
+	let client;
+	if (accessToken.clientId) {
+		client = await getClient(ctx, opts, accessToken.clientId);
+		if (!client || client?.disabled) return { active: false };
+		if (clientId && accessToken.clientId !== clientId) return { active: false };
+	}
+	let sessionId = accessToken.sessionId ?? void 0;
+	if (sessionId) {
+		const session = await ctx.context.adapter.findOne({
+			model: "session",
+			where: [{
+				field: "id",
+				value: sessionId
+			}]
+		});
+		if (!session || session.expiresAt < /* @__PURE__ */ new Date()) sessionId = void 0;
+	}
+	let user;
+	if (accessToken.userId) user = await ctx.context.internalAdapter.findUserById(accessToken?.userId);
+	const customClaims = opts.customAccessTokenClaims ? await opts.customAccessTokenClaims({
+		user,
+		scopes: accessToken.scopes,
+		referenceId: accessToken?.referenceId,
+		metadata: parseClientMetadata(client?.metadata)
+	}) : {};
+	const jwtPluginOptions = (opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context))?.options;
+	return {
+		...customClaims,
+		active: true,
+		iss: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL,
+		client_id: accessToken.clientId,
+		sub: user?.id,
+		sid: sessionId,
+		exp: Math.floor(accessToken.expiresAt.getTime() / 1e3),
+		iat: Math.floor(accessToken.createdAt.getTime() / 1e3),
+		scope: accessToken.scopes?.join(" ")
+	};
+}
+/**
+* Validates a refresh token in the session store.
+*
+* @returns payload in RFC7662 introspection format
+*/
+async function validateRefreshToken(ctx, opts, token, clientId) {
+	const refreshToken = await ctx.context.adapter.findOne({
+		model: "oauthRefreshToken",
+		where: [{
+			field: "token",
+			value: await getStoredToken(opts.storeTokens, token, "refresh_token")
+		}]
+	});
+	if (!refreshToken) throw new APIError$1("BAD_REQUEST", {
+		error_description: "token not found",
+		error: "invalid_token"
+	});
+	if (!refreshToken.clientId || refreshToken.clientId !== clientId) return { active: false };
+	if (!refreshToken.expiresAt || refreshToken.expiresAt < /* @__PURE__ */ new Date()) return { active: false };
+	if (refreshToken.revoked) return { active: false };
+	let sessionId = refreshToken.sessionId ?? void 0;
+	if (sessionId) {
+		const session = await ctx.context.adapter.findOne({
+			model: "session",
+			where: [{
+				field: "id",
+				value: refreshToken.sessionId
+			}]
+		});
+		if (!session || session.expiresAt < /* @__PURE__ */ new Date()) sessionId = void 0;
+	}
+	let user = void 0;
+	if (refreshToken.userId) user = await ctx.context.internalAdapter.findUserById(refreshToken?.userId) ?? void 0;
+	return {
+		active: true,
+		client_id: clientId,
+		iss: ((opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context))?.options)?.jwt?.issuer ?? ctx.context.baseURL,
+		sub: user?.id,
+		sid: sessionId,
+		exp: Math.floor(refreshToken.expiresAt.getTime() / 1e3),
+		iat: Math.floor(refreshToken.createdAt.getTime() / 1e3),
+		scope: refreshToken.scopes?.join(" ")
+	};
+}
+/**
+* We don't know the access token format so we try to validate it
+* as a JWT first, then as an opaque token.
+*
+* @returns RFC7662 introspection format
+*
+* @internal
+*/
+async function validateAccessToken(ctx, opts, token, clientId) {
+	try {
+		return await validateJwtAccessToken(ctx, opts, token, clientId);
+	} catch (err) {
+		if (err instanceof APIError$1) {} else if (err instanceof Error) throw err;
+		else throw new Error(err);
+	}
+	try {
+		return await validateOpaqueAccessToken(ctx, opts, token, clientId);
+	} catch (err) {
+		if (err instanceof APIError$1) {} else if (err instanceof Error) throw err;
+		else throw new Error("Unknown error validating access token");
+	}
+	throw new APIError$1("BAD_REQUEST", {
+		error_description: "Invalid access token",
+		error: "invalid_request"
+	});
+}
+async function introspectEndpoint(ctx, opts) {
+	let { client_id, client_secret, token, token_type_hint } = ctx.body;
+	const authorization = ctx.request?.headers.get("authorization") || null;
+	if (authorization?.startsWith("Basic ")) {
+		const res = basicToClientCredentials(authorization);
+		client_id = res?.client_id;
+		client_secret = res?.client_secret;
+	}
+	if (!client_id || !client_secret) throw new APIError$1("UNAUTHORIZED", {
+		error_description: "missing required credentials",
+		error: "invalid_client"
+	});
+	if (token && typeof token === "string" && token.startsWith("Bearer ")) token = token.replace("Bearer ", "");
+	if (!token?.length) throw new APIError$1("BAD_REQUEST", {
+		error_description: "missing a required token for introspection",
+		error: "invalid_request"
+	});
+	const client = await validateClientCredentials(ctx, opts, client_id, client_secret);
+	try {
+		if (token_type_hint === void 0 || token_type_hint === "access_token") try {
+			return await validateAccessToken(ctx, opts, token, client.clientId);
+		} catch (error) {
+			if (error instanceof APIError$1) {
+				if (token_type_hint === "access_token") throw error;
+			} else if (error instanceof Error) throw error;
+			else throw new Error(error);
+		}
+		if (token_type_hint === void 0 || token_type_hint === "refresh_token") try {
+			return await validateRefreshToken(ctx, opts, (await decodeRefreshToken(opts, token)).token, client.clientId);
+		} catch (error) {
+			if (error instanceof APIError$1) {
+				if (token_type_hint === "refresh_token") throw error;
+			} else if (error instanceof Error) throw error;
+			else throw new Error(error);
+		}
+		throw new APIError$1("BAD_REQUEST", {
+			error_description: "token not found",
+			error: "invalid_request"
+		});
+	} catch (error) {
+		if (error instanceof APIError$1) {
+			if (error.name === "BAD_REQUEST") return { active: false };
+			throw error;
+		} else if (error instanceof Error) {
+			logger.error("Introspection error:", error.message, error.stack);
+			throw new APIError$1("INTERNAL_SERVER_ERROR");
+		} else {
+			logger.error("Introspection error:", error);
+			throw new APIError$1("INTERNAL_SERVER_ERROR");
+		}
+	}
+}
+//#endregion
+//#region src/logout.ts
+/**
+* IMPORTANT NOTES:
+* Follows OIDC RP-Initiated Logout
+*
+* @see https://openid.net/specs/openid-connect-rpinitiated-1_0.html
+*/
+async function rpInitiatedLogoutEndpoint(ctx, opts) {
+	const { id_token_hint, client_id, post_logout_redirect_uri, state } = ctx.query;
+	const baseURL = ctx.context.baseURL;
+	const jwtPluginOptions = (opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context))?.options;
+	const jwksUrl = jwtPluginOptions?.jwks?.remoteUrl ?? `${baseURL}${jwtPluginOptions?.jwks?.jwksPath ?? "/jwks"}`;
+	let clientId = client_id;
+	if (!clientId) {
+		let decoded;
+		try {
+			decoded = decodeJwt(id_token_hint);
+		} catch (_e) {
+			throw new APIError$1("UNAUTHORIZED", {
+				error_description: "invalid id token",
+				error: "invalid_token"
+			});
+		}
+		clientId = decoded?.aud;
+		if (!clientId) throw new APIError$1("INTERNAL_SERVER_ERROR", {
+			error_description: "id token missing audience",
+			error: "invalid_request"
+		});
+	}
+	const client = await getClient(ctx, opts, clientId);
+	if (!client) throw new APIError$1("BAD_REQUEST", {
+		error_description: "client doesn't exist",
+		error: "invalid_client"
+	});
+	if (client.disabled) throw new APIError$1("BAD_REQUEST", {
+		error_description: "client is disabled",
+		error: "invalid_client"
+	});
+	if (!client.enableEndSession) throw new APIError$1("UNAUTHORIZED", {
+		error_description: "client unable to logout",
+		error: "invalid_client"
+	});
+	let idTokenPayload;
+	if (opts.disableJwtPlugin) {
+		const clientSecret = client.clientSecret;
+		if (!clientSecret) throw new APIError$1("UNAUTHORIZED", {
+			error_description: "missing required credentials",
+			error: "invalid_client"
+		});
+		const secret = await decryptStoredClientSecret(ctx, opts.storeClientSecret, clientSecret);
+		const { payload } = await compactVerify(id_token_hint, new TextEncoder().encode(secret));
+		const idToken = new TextDecoder().decode(payload);
+		idTokenPayload = JSON.parse(idToken);
+	} else {
+		const { payload } = await compactVerify(id_token_hint, createLocalJWKSet(await getJwks(id_token_hint, { jwksFetch: jwksUrl })));
+		const idToken = new TextDecoder().decode(payload);
+		idTokenPayload = JSON.parse(idToken);
+	}
+	if (!idTokenPayload) throw new APIError$1("INTERNAL_SERVER_ERROR", {
+		error_description: "missing payload",
+		error: "invalid_request"
+	});
+	if ((jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL) !== idTokenPayload.iss) throw new APIError$1("INTERNAL_SERVER_ERROR", {
+		error_description: "invalid issuer",
+		error: "invalid_request"
+	});
+	const idTokenAudience = typeof idTokenPayload.aud === "string" ? [idTokenPayload.aud] : idTokenPayload.aud;
+	if (!idTokenAudience) throw new APIError$1("INTERNAL_SERVER_ERROR", {
+		error_description: "id token missing audience",
+		error: "invalid_request"
+	});
+	if (client_id && !idTokenAudience.includes(client_id)) throw new APIError$1("BAD_REQUEST", {
+		error_description: "audience mismatch",
+		error: "invalid_request"
+	});
+	const sessionId = idTokenPayload.sid;
+	if (!sessionId) throw new APIError$1("INTERNAL_SERVER_ERROR", {
+		error_description: "id token missing session",
+		error: "invalid_request"
+	});
+	try {
+		const session = await ctx.context.adapter.findOne({
+			model: "session",
+			where: [{
+				field: "id",
+				value: sessionId
+			}]
+		});
+		session?.token ? await ctx.context.internalAdapter.deleteSession(session?.token) : session?.id ? await ctx.context.adapter.delete({
+			model: "session",
+			where: [{
+				field: "id",
+				value: session.id
+			}]
+		}) : await ctx.context.adapter.delete({
+			model: "session",
+			where: [{
+				field: "id",
+				value: sessionId
+			}]
+		});
+	} catch {}
+	if (post_logout_redirect_uri) {
+		if (client.postLogoutRedirectUris?.includes(post_logout_redirect_uri)) {
+			const redirectUri = new URL(post_logout_redirect_uri);
+			if (state) redirectUri.searchParams.set("state", state);
+			return handleRedirect(ctx, redirectUri.toString());
+		}
+	}
+}
+//#endregion
+//#region src/register.ts
+async function registerEndpoint(ctx, opts) {
+	if (!opts.allowDynamicClientRegistration) throw new APIError("FORBIDDEN", {
+		error: "access_denied",
+		error_description: "Client registration is disabled"
+	});
+	const body = ctx.body;
+	const session = await getSessionFromCtx(ctx);
+	if (!(session || opts.allowUnauthenticatedClientRegistration)) throw new APIError("UNAUTHORIZED", {
+		error: "invalid_token",
+		error_description: "Authentication required for client registration"
+	});
+	const isPublic = body.token_endpoint_auth_method === "none";
+	if (!session && !isPublic) throw new APIError("UNAUTHORIZED", {
+		error: "invalid_request",
+		error_description: "Authentication required for confidential client registration"
+	});
+	if (!ctx.body.scope) ctx.body.scope = (opts.clientRegistrationDefaultScopes ?? opts.scopes)?.join(" ");
+	return createOAuthClientEndpoint(ctx, opts, { isRegister: true });
+}
+async function checkOAuthClient(client, opts, settings) {
+	const isPublic = client.token_endpoint_auth_method === "none";
+	if (client.type) {
+		if (isPublic && !(client.type === "native" || client.type === "user-agent-based")) throw new APIError("BAD_REQUEST", {
+			error: "invalid_client_metadata",
+			error_description: `Type must be 'native' or 'user-agent-based' for public applications`
+		});
+		else if (!isPublic && !(client.type === "web")) throw new APIError("BAD_REQUEST", {
+			error: "invalid_client_metadata",
+			error_description: `Type must be 'web' for confidential applications`
+		});
+	}
+	if ((!client.grant_types || client.grant_types.includes("authorization_code")) && (!client.redirect_uris || client.redirect_uris.length === 0)) throw new APIError("BAD_REQUEST", {
+		error: "invalid_redirect_uri",
+		error_description: "Redirect URIs are required for authorization_code and implicit grant types"
+	});
+	const grantTypes = client.grant_types ?? ["authorization_code"];
+	const responseTypes = client.response_types ?? ["code"];
+	if (grantTypes.includes("authorization_code") && !responseTypes.includes("code")) throw new APIError("BAD_REQUEST", {
+		error: "invalid_client_metadata",
+		error_description: "When 'authorization_code' grant type is used, 'code' response type must be included"
+	});
+	const requestedScopes = (client?.scope)?.split(" ").filter((v) => v.length);
+	const allowedScopes = settings?.isRegister ? opts.clientRegistrationAllowedScopes ?? opts.scopes : opts.scopes;
+	if (allowedScopes) {
+		const validScopes = new Set(allowedScopes);
+		for (const requestedScope of requestedScopes ?? []) if (!validScopes?.has(requestedScope)) throw new APIError("BAD_REQUEST", {
+			error: "invalid_scope",
+			error_description: `cannot request scope ${requestedScope}`
+		});
+	}
+}
+async function createOAuthClientEndpoint(ctx, opts, settings) {
+	const body = ctx.body;
+	const session = await getSessionFromCtx(ctx);
+	const isPublic = body.token_endpoint_auth_method === "none";
+	await checkOAuthClient(ctx.body, opts, settings);
+	const clientId = opts.generateClientId?.() || generateRandomString(32, "a-z", "A-Z");
+	const clientSecret = isPublic ? void 0 : opts.generateClientSecret?.() || generateRandomString(32, "a-z", "A-Z");
+	const storedClientSecret = clientSecret ? await storeClientSecret(ctx, opts, clientSecret) : void 0;
+	const iat = Math.floor(Date.now() / 1e3);
+	const referenceId = opts.clientReference ? await opts.clientReference({
+		user: session?.user,
+		session: session?.session
+	}) : void 0;
+	const schema = oauthToSchema({
+		...body ?? {},
+		disabled: void 0,
+		jwks: void 0,
+		jwks_uri: void 0,
+		client_secret_expires_at: storedClientSecret ? settings.isRegister && opts?.clientRegistrationClientSecretExpiration ? toExpJWT(opts.clientRegistrationClientSecretExpiration, iat) : 0 : void 0,
+		client_id: clientId,
+		client_secret: storedClientSecret,
+		client_id_issued_at: iat,
+		public: isPublic,
+		user_id: referenceId ? void 0 : session?.session.userId,
+		reference_id: referenceId
+	});
+	const client = await ctx.context.adapter.create({
+		model: "oauthClient",
+		data: schema
+	});
+	return ctx.json(schemaToOAuth({
+		...client,
+		clientSecret: clientSecret ? (opts.prefix?.clientSecret ?? "") + clientSecret : void 0
+	}), {
+		status: 201,
+		headers: {
+			"Cache-Control": "no-store",
+			Pragma: "no-cache"
+		}
+	});
+}
+/**
+* Converts an OAuth 2.0 Dynamic Client Schema to a Database Schema
+*
+* @param input
+* @returns
+*/
+function oauthToSchema(input) {
+	const { client_id: clientId, client_secret: clientSecret, client_secret_expires_at: _expiresAt, scope: _scope, user_id: userId, client_id_issued_at: _createdAt, client_name: name, client_uri: uri, logo_uri: icon, contacts, tos_uri: tos, policy_uri: policy, jwks: _jwks, jwks_uri: _jwksUri, software_id: softwareId, software_version: softwareVersion, software_statement: softwareStatement, redirect_uris: redirectUris, post_logout_redirect_uris: postLogoutRedirectUris, token_endpoint_auth_method: tokenEndpointAuthMethod, grant_types: grantTypes, response_types: responseTypes, public: _public, type, disabled, skip_consent: skipConsent, enable_end_session: enableEndSession, reference_id: referenceId, metadata: inputMetadata, ...rest } = input;
+	const expiresAt = _expiresAt ? /* @__PURE__ */ new Date(_expiresAt * 1e3) : void 0;
+	const createdAt = _createdAt ? /* @__PURE__ */ new Date(_createdAt * 1e3) : void 0;
+	const scopes = _scope?.split(" ");
+	const metadataObj = {
+		...rest && Object.keys(rest).length ? rest : {},
+		...inputMetadata && typeof inputMetadata === "object" ? inputMetadata : {}
+	};
+	return {
+		clientId,
+		clientSecret,
+		disabled,
+		scopes,
+		userId,
+		createdAt,
+		expiresAt,
+		name,
+		uri,
+		icon,
+		contacts,
+		tos,
+		policy,
+		softwareId,
+		softwareVersion,
+		softwareStatement,
+		redirectUris,
+		postLogoutRedirectUris,
+		tokenEndpointAuthMethod,
+		grantTypes,
+		responseTypes,
+		public: _public,
+		type,
+		skipConsent,
+		enableEndSession,
+		referenceId,
+		metadata: Object.keys(metadataObj).length ? JSON.stringify(metadataObj) : void 0
+	};
+}
+/**
+* Converts a Database Schema to an OAuth 2.0 Dynamic Client Schema
+* @param input
+* @param cleaned - default true, determines if the output has only Oauth 2.0 compatible data
+* @returns
+*/
+function schemaToOAuth(input) {
+	const { clientId, clientSecret, disabled, scopes, userId, createdAt, updatedAt: _updatedAt, expiresAt, name, uri, icon, contacts, tos, policy, softwareId, softwareVersion, softwareStatement, redirectUris, postLogoutRedirectUris, tokenEndpointAuthMethod, grantTypes, responseTypes, public: _public, type, skipConsent, enableEndSession, referenceId, metadata } = input;
+	const _expiresAt = expiresAt ? Math.round(expiresAt.getTime() / 1e3) : void 0;
+	const _createdAt = createdAt ? Math.round(createdAt.getTime() / 1e3) : void 0;
+	const _scopes = scopes?.join(" ");
+	return {
+		...parseClientMetadata(metadata),
+		client_id: clientId,
+		client_secret: clientSecret ?? void 0,
+		client_secret_expires_at: clientSecret ? _expiresAt ?? 0 : void 0,
+		scope: _scopes ?? void 0,
+		user_id: userId ?? void 0,
+		client_id_issued_at: _createdAt ?? void 0,
+		client_name: name ?? void 0,
+		client_uri: uri ?? void 0,
+		logo_uri: icon ?? void 0,
+		contacts: contacts ?? void 0,
+		tos_uri: tos ?? void 0,
+		policy_uri: policy ?? void 0,
+		software_id: softwareId ?? void 0,
+		software_version: softwareVersion ?? void 0,
+		software_statement: softwareStatement ?? void 0,
+		redirect_uris: redirectUris ?? void 0,
+		post_logout_redirect_uris: postLogoutRedirectUris ?? void 0,
+		token_endpoint_auth_method: tokenEndpointAuthMethod ?? void 0,
+		grant_types: grantTypes ?? void 0,
+		response_types: responseTypes ?? void 0,
+		public: _public ?? void 0,
+		type: type ?? void 0,
+		disabled: disabled ?? void 0,
+		skip_consent: skipConsent ?? void 0,
+		enable_end_session: enableEndSession ?? void 0,
+		reference_id: referenceId ?? void 0
+	};
+}
+//#endregion
+//#region src/types/zod.ts
+/**
+* Reusable URL validation that disallows javascript: scheme
+*/
+const SafeUrlSchema = z.url().superRefine((val, ctx) => {
+	if (!URL.canParse(val)) {
+		ctx.addIssue({
+			code: "custom",
+			message: "URL must be parseable",
+			fatal: true
+		});
+		return z.NEVER;
+	}
+}).refine((url) => {
+	const u = new URL(url);
+	return u.protocol !== "javascript:" && u.protocol !== "data:" && u.protocol !== "vbscript:";
+}, { message: "URL cannot use javascript:, data:, or vbscript: scheme" });
+//#endregion
+//#region src/oauthClient/endpoints.ts
+async function getClientEndpoint(ctx, opts) {
+	const session = await getSessionFromCtx(ctx);
+	if (!session) throw new APIError("UNAUTHORIZED");
+	if (!ctx.headers) throw new APIError("BAD_REQUEST");
+	if (opts.clientPrivileges && !await opts.clientPrivileges({
+		headers: ctx.headers,
+		action: "read",
+		session: session.session,
+		user: session.user
+	})) throw new APIError("UNAUTHORIZED");
+	const client = await getClient(ctx, opts, ctx.query.client_id);
+	if (!client) throw new APIError("NOT_FOUND", {
+		error_description: "client not found",
+		error: "not_found"
+	});
+	if (client.userId) {
+		if (client.userId !== session.user.id) throw new APIError("UNAUTHORIZED");
+	} else if (client.referenceId && opts.clientReference) {
+		if (client.referenceId !== await opts.clientReference(session)) throw new APIError("UNAUTHORIZED");
+	} else throw new APIError("UNAUTHORIZED");
+	const res = schemaToOAuth(client);
+	res.client_secret = void 0;
+	return res;
+}
+/**
+* Provides public client fields for any logged-in user.
+* This is commonly used to display information on login flow pages.
+*/
+async function getClientPublicEndpoint(ctx, opts) {
+	const client = await getClient(ctx, opts, ctx.query.client_id);
+	if (!client) throw new APIError("NOT_FOUND", {
+		error_description: "client not found",
+		error: "not_found"
+	});
+	if (client.disabled) throw new APIError("NOT_FOUND", {
+		error_description: "client not found",
+		error: "not_found"
+	});
+	return schemaToOAuth({
+		clientId: client.clientId,
+		name: client.name,
+		uri: client.uri,
+		contacts: client.contacts,
+		icon: client.icon,
+		tos: client.tos,
+		policy: client.policy
+	});
+}
+async function getClientsEndpoint(ctx, opts) {
+	const session = await getSessionFromCtx(ctx);
+	if (!session) throw new APIError("UNAUTHORIZED");
+	if (!ctx.headers) throw new APIError("BAD_REQUEST");
+	if (opts.clientPrivileges && !await opts.clientPrivileges({
+		headers: ctx.headers,
+		action: "list",
+		session: session.session,
+		user: session.user
+	})) throw new APIError("UNAUTHORIZED");
+	const referenceId = await opts.clientReference?.(session);
+	if (referenceId) return await ctx.context.adapter.findMany({
+		model: "oauthClient",
+		where: [{
+			field: "referenceId",
+			value: referenceId
+		}]
+	}).then((res) => {
+		if (!res) return null;
+		return res.map((v) => {
+			const res = schemaToOAuth(v);
+			res.client_secret = void 0;
+			return res;
+		});
+	});
+	else if (session.user.id) return await ctx.context.adapter.findMany({
+		model: "oauthClient",
+		where: [{
+			field: "userId",
+			value: session.user.id
+		}]
+	}).then((res) => {
+		if (!res) return null;
+		return res.map((v) => {
+			const res = schemaToOAuth(v);
+			res.client_secret = void 0;
+			return res;
+		});
+	});
+	else throw new APIError("BAD_REQUEST", { message: "either user_id or reference_id must be provided" });
+}
+async function deleteClientEndpoint(ctx, opts) {
+	const session = await getSessionFromCtx(ctx);
+	if (!session) throw new APIError("UNAUTHORIZED");
+	if (!ctx.headers) throw new APIError("BAD_REQUEST");
+	if (opts.clientPrivileges && !await opts.clientPrivileges({
+		headers: ctx.headers,
+		action: "delete",
+		session: session.session,
+		user: session.user
+	})) throw new APIError("UNAUTHORIZED");
+	const clientId = ctx.body.client_id;
+	if (opts.cachedTrustedClients?.has(clientId)) throw new APIError("INTERNAL_SERVER_ERROR", {
+		error_description: "trusted clients must be updated manually",
+		error: "invalid_client"
+	});
+	const client = await getClient(ctx, opts, clientId);
+	if (!client) throw new APIError("NOT_FOUND", {
+		error_description: "client not found",
+		error: "not_found"
+	});
+	if (client.userId) {
+		if (client.userId !== session.user.id) throw new APIError("UNAUTHORIZED");
+	} else if (client.referenceId && opts.clientReference) {
+		if (client.referenceId !== await opts.clientReference(session)) throw new APIError("UNAUTHORIZED");
+	} else throw new APIError("UNAUTHORIZED");
+	await ctx.context.adapter.delete({
+		model: "oauthClient",
+		where: [{
+			field: "clientId",
+			value: clientId
+		}]
+	});
+}
+async function updateClientEndpoint(ctx, opts) {
+	const session = await getSessionFromCtx(ctx);
+	if (!session) throw new APIError("UNAUTHORIZED");
+	if (!ctx.headers) throw new APIError("BAD_REQUEST");
+	if (opts.clientPrivileges && !await opts.clientPrivileges({
+		headers: ctx.headers,
+		action: "update",
+		session: session.session,
+		user: session.user
+	})) throw new APIError("UNAUTHORIZED");
+	const clientId = ctx.body.client_id;
+	if (opts.cachedTrustedClients?.has(clientId)) throw new APIError("INTERNAL_SERVER_ERROR", {
+		error_description: "trusted clients must be updated manually",
+		error: "invalid_client"
+	});
+	const client = await getClient(ctx, opts, clientId);
+	if (!client) throw new APIError("NOT_FOUND", {
+		error_description: "client not found",
+		error: "not_found"
+	});
+	if (client.userId) {
+		if (client.userId !== session.user.id) throw new APIError("UNAUTHORIZED");
+	} else if (client.referenceId && opts.clientReference) {
+		if (client.referenceId !== await opts.clientReference(session)) throw new APIError("UNAUTHORIZED");
+	} else throw new APIError("UNAUTHORIZED");
+	const updates = ctx.body.update;
+	if (Object.keys(updates).length === 0) {
+		const res = schemaToOAuth(client);
+		res.client_secret = void 0;
+		return res;
+	}
+	await checkOAuthClient({
+		...schemaToOAuth(client),
+		...updates
+	}, opts);
+	const updatedClient = await ctx.context.adapter.update({
+		model: "oauthClient",
+		where: [{
+			field: "clientId",
+			value: clientId
+		}],
+		update: oauthToSchema(updates)
+	});
+	if (!updatedClient) throw new APIError("INTERNAL_SERVER_ERROR", {
+		error_description: "unable to update client",
+		error: "invalid_client"
+	});
+	const res = schemaToOAuth(updatedClient);
+	res.client_secret = void 0;
+	return res;
+}
+async function rotateClientSecretEndpoint(ctx, opts) {
+	const session = await getSessionFromCtx(ctx);
+	if (!session) throw new APIError("UNAUTHORIZED");
+	if (!ctx.headers) throw new APIError("BAD_REQUEST");
+	if (opts.clientPrivileges && !await opts.clientPrivileges({
+		headers: ctx.headers,
+		action: "rotate",
+		session: session.session,
+		user: session.user
+	})) throw new APIError("UNAUTHORIZED");
+	const clientId = ctx.body.client_id;
+	if (opts.cachedTrustedClients?.has(clientId)) throw new APIError("INTERNAL_SERVER_ERROR", {
+		error_description: "trusted clients must be updated manually",
+		error: "invalid_client"
+	});
+	const client = await getClient(ctx, opts, clientId);
+	if (!client) throw new APIError("NOT_FOUND", {
+		error_description: "client not found",
+		error: "not_found"
+	});
+	if (client.userId) {
+		if (client.userId !== session.user.id) throw new APIError("UNAUTHORIZED");
+	} else if (client.referenceId && opts.clientReference) {
+		if (client.referenceId !== await opts.clientReference(session)) throw new APIError("UNAUTHORIZED");
+	} else throw new APIError("UNAUTHORIZED");
+	if (client.public || !client.clientSecret) throw new APIError("BAD_REQUEST", {
+		error_description: "public clients cannot be updated",
+		error: "invalid_client"
+	});
+	const clientSecret = opts.generateClientSecret?.() || generateRandomString(32, "a-z", "A-Z");
+	const storedClientSecret = clientSecret ? await storeClientSecret(ctx, opts, clientSecret) : void 0;
+	const updatedClient = await ctx.context.adapter.update({
+		model: "oauthClient",
+		where: [{
+			field: "clientId",
+			value: clientId
+		}],
+		update: {
+			...schemaToOAuth(client),
+			clientSecret: storedClientSecret
+		}
+	});
+	if (!updatedClient) throw new APIError("INTERNAL_SERVER_ERROR", {
+		error_description: "unable to update client",
+		error: "invalid_client"
+	});
+	return schemaToOAuth({
+		...updatedClient,
+		clientSecret: (opts.prefix?.clientSecret ?? "") + clientSecret
+	});
+}
+//#endregion
+//#region src/oauthClient/index.ts
+const adminCreateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/create-client", {
+	method: "POST",
+	body: z.object({
+		redirect_uris: z.array(SafeUrlSchema).min(1),
+		scope: z.string().optional(),
+		client_name: z.string().optional(),
+		client_uri: z.string().optional(),
+		logo_uri: z.string().optional(),
+		contacts: z.array(z.string().min(1)).min(1).optional(),
+		tos_uri: z.string().optional(),
+		policy_uri: z.string().optional(),
+		software_id: z.string().optional(),
+		software_version: z.string().optional(),
+		software_statement: z.string().optional(),
+		post_logout_redirect_uris: z.array(SafeUrlSchema).min(1).optional(),
+		token_endpoint_auth_method: z.enum([
+			"none",
+			"client_secret_basic",
+			"client_secret_post"
+		]).default("client_secret_basic").optional(),
+		grant_types: z.array(z.enum([
+			"authorization_code",
+			"client_credentials",
+			"refresh_token"
+		])).default(["authorization_code"]).optional(),
+		response_types: z.array(z.enum(["code"])).default(["code"]).optional(),
+		type: z.enum([
+			"web",
+			"native",
+			"user-agent-based"
+		]).optional(),
+		client_secret_expires_at: z.union([z.string(), z.number()]).optional().default(0),
+		skip_consent: z.boolean().optional(),
+		enable_end_session: z.boolean().optional(),
+		metadata: z.record(z.string(), z.unknown()).optional()
+	}),
+	metadata: {
+		SERVER_ONLY: true,
+		openapi: {
+			description: "Register an OAuth2 application",
+			responses: { "200": {
+				description: "OAuth2 application registered successfully",
+				content: { "application/json": { schema: {
+					type: "object",
+					properties: {
+						client_id: {
+							type: "string",
+							description: "Unique identifier for the client"
+						},
+						client_secret: {
+							type: "string",
+							description: "Secret key for the client"
+						},
+						client_secret_expires_at: {
+							type: "number",
+							description: "Time the client secret will expire. If 0, the client secret will never expire."
+						},
+						scope: {
+							type: "string",
+							description: "Space-separated scopes allowed by the client"
+						},
+						user_id: {
+							type: "string",
+							description: "ID of the user who registered the client, null if registered anonymously"
+						},
+						client_id_issued_at: {
+							type: "number",
+							description: "Creation timestamp of this client"
+						},
+						client_name: {
+							type: "string",
+							description: "Name of the OAuth2 application"
+						},
+						client_uri: {
+							type: "string",
+							description: "URI of the OAuth2 application"
+						},
+						logo_uri: {
+							type: "string",
+							description: "Icon URI for the application"
+						},
+						contacts: {
+							type: "array",
+							items: { type: "string" },
+							description: "List representing ways to contact people responsible for this client, typically email addresses"
+						},
+						tos_uri: {
+							type: "string",
+							description: "Client's terms of service uri"
+						},
+						policy_uri: {
+							type: "string",
+							description: "Client's policy uri"
+						},
+						software_id: {
+							type: "string",
+							description: "Unique identifier assigned by the developer to help in the dynamic registration process"
+						},
+						software_version: {
+							type: "string",
+							description: "Version identifier for the software_id"
+						},
+						software_statement: {
+							type: "string",
+							description: "JWT containing metadata values about the client software as claims"
+						},
+						redirect_uris: {
+							type: "array",
+							items: {
+								type: "string",
+								format: "uri"
+							},
+							description: "List of allowed redirect uris"
+						},
+						token_endpoint_auth_method: {
+							type: "string",
+							description: "Requested authentication method for the token endpoint",
+							enum: [
+								"none",
+								"client_secret_basic",
+								"client_secret_post"
+							]
+						},
+						grant_types: {
+							type: "array",
+							items: {
+								type: "string",
+								enum: [
+									"authorization_code",
+									"client_credentials",
+									"refresh_token"
+								]
+							},
+							description: "Requested authentication method for the token endpoint"
+						},
+						response_types: {
+							type: "array",
+							items: {
+								type: "string",
+								enum: ["code"]
+							},
+							description: "Requested authentication method for the token endpoint"
+						},
+						public: {
+							type: "boolean",
+							description: "Whether the client is public as determined by the type"
+						},
+						type: {
+							type: "string",
+							description: "Type of the client",
+							enum: [
+								"web",
+								"native",
+								"user-agent-based"
+							]
+						},
+						disabled: {
+							type: "boolean",
+							description: "Whether the client is disabled"
+						},
+						metadata: {
+							type: "object",
+							additionalProperties: true,
+							nullable: true,
+							description: "Additional metadata for the application"
+						}
+					},
+					required: ["client_id"]
+				} } }
+			} }
+		}
+	}
+}, async (ctx) => {
+	return createOAuthClientEndpoint(ctx, opts, { isRegister: false });
+});
+const createOAuthClient = (opts) => createAuthEndpoint("/oauth2/create-client", {
+	method: "POST",
+	use: [sessionMiddleware],
+	body: z.object({
+		redirect_uris: z.array(SafeUrlSchema).min(1),
+		scope: z.string().optional(),
+		client_name: z.string().optional(),
+		client_uri: z.string().optional(),
+		logo_uri: z.string().optional(),
+		contacts: z.array(z.string().min(1)).min(1).optional(),
+		tos_uri: z.string().optional(),
+		policy_uri: z.string().optional(),
+		software_id: z.string().optional(),
+		software_version: z.string().optional(),
+		software_statement: z.string().optional(),
+		post_logout_redirect_uris: z.array(SafeUrlSchema).min(1).optional(),
+		token_endpoint_auth_method: z.enum([
+			"none",
+			"client_secret_basic",
+			"client_secret_post"
+		]).default("client_secret_basic").optional(),
+		grant_types: z.array(z.enum([
+			"authorization_code",
+			"client_credentials",
+			"refresh_token"
+		])).default(["authorization_code"]).optional(),
+		response_types: z.array(z.enum(["code"])).default(["code"]).optional(),
+		type: z.enum([
+			"web",
+			"native",
+			"user-agent-based"
+		]).optional()
+	}),
+	metadata: { openapi: {
+		description: "Register an OAuth2 application",
+		responses: { "200": {
+			description: "OAuth2 application registered successfully",
+			content: { "application/json": { schema: {
+				type: "object",
+				properties: {
+					client_id: {
+						type: "string",
+						description: "Unique identifier for the client"
+					},
+					client_secret: {
+						type: "string",
+						description: "Secret key for the client"
+					},
+					client_secret_expires_at: {
+						type: "number",
+						description: "Time the client secret will expire. If 0, the client secret will never expire."
+					},
+					scope: {
+						type: "string",
+						description: "Space-separated scopes allowed by the client"
+					},
+					user_id: {
+						type: "string",
+						description: "ID of the user who registered the client, null if registered anonymously"
+					},
+					client_id_issued_at: {
+						type: "number",
+						description: "Creation timestamp of this client"
+					},
+					client_name: {
+						type: "string",
+						description: "Name of the OAuth2 application"
+					},
+					client_uri: {
+						type: "string",
+						description: "URI of the OAuth2 application"
+					},
+					logo_uri: {
+						type: "string",
+						description: "Icon URI for the application"
+					},
+					contacts: {
+						type: "array",
+						items: { type: "string" },
+						description: "List representing ways to contact people responsible for this client, typically email addresses"
+					},
+					tos_uri: {
+						type: "string",
+						description: "Client's terms of service uri"
+					},
+					policy_uri: {
+						type: "string",
+						description: "Client's policy uri"
+					},
+					software_id: {
+						type: "string",
+						description: "Unique identifier assigned by the developer to help in the dynamic registration process"
+					},
+					software_version: {
+						type: "string",
+						description: "Version identifier for the software_id"
+					},
+					software_statement: {
+						type: "string",
+						description: "JWT containing metadata values about the client software as claims"
+					},
+					redirect_uris: {
+						type: "array",
+						items: {
+							type: "string",
+							format: "uri"
+						},
+						description: "List of allowed redirect uris"
+					},
+					token_endpoint_auth_method: {
+						type: "string",
+						description: "Response types the client may use",
+						enum: [
+							"none",
+							"client_secret_basic",
+							"client_secret_post"
+						]
+					},
+					grant_types: {
+						type: "array",
+						items: {
+							type: "string",
+							enum: [
+								"authorization_code",
+								"client_credentials",
+								"refresh_token"
+							]
+						},
+						description: "Requested authentication method for the token endpoint"
+					},
+					response_types: {
+						type: "array",
+						items: {
+							type: "string",
+							enum: ["code"]
+						},
+						description: "Requested authentication method for the token endpoint"
+					},
+					public: {
+						type: "boolean",
+						description: "Whether the client is public as determined by the type"
+					},
+					type: {
+						type: "string",
+						description: "Type of the client",
+						enum: [
+							"web",
+							"native",
+							"user-agent-based"
+						]
+					},
+					disabled: {
+						type: "boolean",
+						description: "Whether the client is disabled"
+					},
+					metadata: {
+						type: "object",
+						additionalProperties: true,
+						nullable: true,
+						description: "Additional metadata for the application"
+					}
+				},
+				required: ["client_id"]
+			} } }
+		} }
+	} }
+}, async (ctx) => {
+	return createOAuthClientEndpoint(ctx, opts, { isRegister: false });
+});
+const getOAuthClient = (opts) => createAuthEndpoint("/oauth2/get-client", {
+	method: "GET",
+	use: [sessionMiddleware],
+	query: z.object({ client_id: z.string() }),
+	metadata: { openapi: { description: "Get OAuth2 formatted client details" } }
+}, async (ctx) => {
+	return getClientEndpoint(ctx, opts);
+});
+const getOAuthClientPublic = (opts) => createAuthEndpoint("/oauth2/public-client", {
+	method: "GET",
+	use: [sessionMiddleware],
+	query: z.object({ client_id: z.string() }),
+	metadata: { openapi: { description: "Gets publically available client fields" } }
+}, async (ctx) => {
+	return getClientPublicEndpoint(ctx, opts);
+});
+const getOAuthClients = (opts) => createAuthEndpoint("/oauth2/get-clients", {
+	method: "GET",
+	use: [sessionMiddleware],
+	metadata: { openapi: { description: "Get OAuth2 formatted client details for a user or organization" } }
+}, async (ctx) => {
+	return getClientsEndpoint(ctx, opts);
+});
+const adminUpdateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/update-client", {
+	method: "PATCH",
+	body: z.object({
+		client_id: z.string(),
+		update: z.object({
+			redirect_uris: z.array(SafeUrlSchema).min(1).optional(),
+			scope: z.string().optional(),
+			client_name: z.string().optional(),
+			client_uri: z.string().optional(),
+			logo_uri: z.string().optional(),
+			contacts: z.array(z.string().min(1)).min(1).optional(),
+			tos_uri: z.string().optional(),
+			policy_uri: z.string().optional(),
+			software_id: z.string().optional(),
+			software_version: z.string().optional(),
+			software_statement: z.string().optional(),
+			post_logout_redirect_uris: z.array(SafeUrlSchema).min(1).optional(),
+			grant_types: z.array(z.enum([
+				"authorization_code",
+				"client_credentials",
+				"refresh_token"
+			])).optional(),
+			response_types: z.array(z.enum(["code"])).optional(),
+			type: z.enum([
+				"web",
+				"native",
+				"user-agent-based"
+			]).optional(),
+			client_secret_expires_at: z.union([z.string(), z.number()]).optional(),
+			skip_consent: z.boolean().optional(),
+			enable_end_session: z.boolean().optional(),
+			metadata: z.record(z.string(), z.unknown()).optional()
+		})
+	}),
+	metadata: {
+		SERVER_ONLY: true,
+		openapi: { description: "Updates OAuth2 formatted client details." }
+	}
+}, async (ctx) => {
+	return updateClientEndpoint(ctx, opts);
+});
+const updateOAuthClient = (opts) => createAuthEndpoint("/oauth2/update-client", {
+	method: "POST",
+	use: [sessionMiddleware],
+	body: z.object({
+		client_id: z.string(),
+		update: z.object({
+			redirect_uris: z.array(SafeUrlSchema).min(1).optional(),
+			scope: z.string().optional(),
+			client_name: z.string().optional(),
+			client_uri: z.string().optional(),
+			logo_uri: z.string().optional(),
+			contacts: z.array(z.string().min(1)).min(1).optional(),
+			tos_uri: z.string().optional(),
+			policy_uri: z.string().optional(),
+			software_id: z.string().optional(),
+			software_version: z.string().optional(),
+			software_statement: z.string().optional(),
+			post_logout_redirect_uris: z.array(SafeUrlSchema).min(1).optional(),
+			grant_types: z.array(z.enum([
+				"authorization_code",
+				"client_credentials",
+				"refresh_token"
+			])).optional(),
+			response_types: z.array(z.enum(["code"])).optional(),
+			type: z.enum([
+				"web",
+				"native",
+				"user-agent-based"
+			]).optional()
+		})
+	}),
+	metadata: { openapi: { description: "Updates OAuth2 formatted client details." } }
+}, async (ctx) => {
+	return updateClientEndpoint(ctx, opts);
+});
+const rotateClientSecret = (opts) => createAuthEndpoint("/oauth2/client/rotate-secret", {
+	method: "POST",
+	use: [sessionMiddleware],
+	body: z.object({ client_id: z.string() }),
+	metadata: { openapi: { description: "Rotates a confidential client's secret" } }
+}, async (ctx) => {
+	return rotateClientSecretEndpoint(ctx, opts);
+});
+const deleteOAuthClient = (opts) => createAuthEndpoint("/oauth2/delete-client", {
+	method: "POST",
+	use: [sessionMiddleware],
+	body: z.object({ client_id: z.string() }),
+	metadata: { openapi: { description: "Deletes an oauth client" } }
+}, async (ctx) => {
+	return deleteClientEndpoint(ctx, opts);
+});
+//#endregion
+//#region src/oauthConsent/endpoints.ts
+async function getConsent(ctx, opts, id) {
+	return await ctx.context.adapter.findOne({
+		model: "oauthConsent",
+		where: [{
+			field: "id",
+			value: id
+		}]
+	});
+}
+async function getConsentEndpoint(ctx, opts) {
+	const session = await getSessionFromCtx(ctx);
+	if (!session) throw new APIError("UNAUTHORIZED");
+	const { id } = ctx.query;
+	if (!id) throw new APIError("NOT_FOUND", {
+		error_description: "missing id parameter",
+		error: "not_found"
+	});
+	const consent = await getConsent(ctx, opts, id);
+	if (!consent) throw new APIError("NOT_FOUND", {
+		error_description: "no consent",
+		error: "not_found"
+	});
+	if (consent.userId !== session.user.id) throw new APIError("UNAUTHORIZED");
+	return consent;
+}
+async function getConsentsEndpoint(ctx, opts) {
+	const session = await getSessionFromCtx(ctx);
+	if (!session) throw new APIError("UNAUTHORIZED");
+	return await ctx.context.adapter.findMany({
+		model: "oauthConsent",
+		where: [{
+			field: "userId",
+			value: session.user.id
+		}]
+	});
+}
+async function deleteConsentEndpoint(ctx, opts) {
+	const session = await getSessionFromCtx(ctx);
+	if (!session) throw new APIError("UNAUTHORIZED");
+	const { id } = ctx.body;
+	if (!id) throw new APIError("NOT_FOUND", {
+		error_description: "missing id parameter",
+		error: "not_found"
+	});
+	const consent = await getConsent(ctx, opts, id);
+	if (!consent) throw new APIError("NOT_FOUND", {
+		error_description: "no consent",
+		error: "not_found"
+	});
+	if (consent.userId !== session.user.id) throw new APIError("UNAUTHORIZED");
+	await ctx.context.adapter.delete({
+		model: "oauthConsent",
+		where: [{
+			field: "id",
+			value: id
+		}]
+	});
+}
+async function updateConsentEndpoint(ctx, opts) {
+	const session = await getSessionFromCtx(ctx);
+	if (!session) throw new APIError("UNAUTHORIZED");
+	const { id } = ctx.body;
+	if (!id) throw new APIError("NOT_FOUND", {
+		error_description: "missing id parameter",
+		error: "not_found"
+	});
+	const consent = await getConsent(ctx, opts, id);
+	if (!consent) throw new APIError("NOT_FOUND", {
+		error_description: "no consent",
+		error: "not_found"
+	});
+	const client = await getClient(ctx, opts, consent.clientId);
+	if (!consent) throw new APIError("NOT_FOUND", {
+		error_description: "no consent",
+		error: "not_found"
+	});
+	if (consent.userId !== session.user.id) throw new APIError("UNAUTHORIZED");
+	const allowedScopes = client?.scopes ?? opts.scopes ?? [];
+	const updates = ctx.body.update;
+	const scopes = updates.scopes;
+	if (scopes && !scopes.every((val) => allowedScopes?.includes(val))) throw new APIError("BAD_REQUEST", {
+		error_description: `unable to provide scopes to ${client?.referenceId ?? client?.userId}`,
+		error: "invalid_request"
+	});
+	const iat = Math.floor(Date.now() / 1e3);
+	return await ctx.context.adapter.update({
+		model: "oauthConsent",
+		where: [{
+			field: "id",
+			value: id
+		}],
+		update: {
+			...updates,
+			updatedAt: /* @__PURE__ */ new Date(iat * 1e3)
+		}
+	});
+}
+//#endregion
+//#region src/oauthConsent/index.ts
+const getOAuthConsent = (opts) => createAuthEndpoint("/oauth2/get-consent", {
+	method: "GET",
+	query: z.object({ id: z.string() }),
+	use: [sessionMiddleware],
+	metadata: { openapi: { description: "Gets details of a specific OAuth2 consent for a user" } }
+}, async (ctx) => {
+	return getConsentEndpoint(ctx, opts);
+});
+const getOAuthConsents = (opts) => createAuthEndpoint("/oauth2/get-consents", {
+	method: "GET",
+	use: [sessionMiddleware],
+	metadata: { openapi: { description: "Gets all available OAuth2 consents for a user" } }
+}, async (ctx) => {
+	return getConsentsEndpoint(ctx, opts);
+});
+const updateOAuthConsent = (opts) => createAuthEndpoint("/oauth2/update-consent", {
+	method: "POST",
+	use: [sessionMiddleware],
+	body: z.object({
+		id: z.string(),
+		update: z.object({ scopes: z.array(z.string()) })
+	}),
+	metadata: { openapi: { description: "Updates consent granted to a client." } }
+}, async (ctx) => {
+	return updateConsentEndpoint(ctx, opts);
+});
+const deleteOAuthConsent = (opts) => createAuthEndpoint("/oauth2/delete-consent", {
+	method: "POST",
+	use: [sessionMiddleware],
+	body: z.object({ id: z.string() }),
+	metadata: { openapi: { description: "Deletes consent granted to a client" } }
+}, async (ctx) => {
+	return deleteConsentEndpoint(ctx, opts);
+});
+//#endregion
+//#region src/revoke.ts
+/**
+* IMPORTANT NOTES:
+* Revocation follows RFC7009
+* https://datatracker.ietf.org/doc/html/rfc7009
+* - APIError: Continue catches (returnable to client)
+* - Error: Should immediately stop catches (internal error)
+*/
+/**
+* Revokes a JWT access token against the configured JWKs.
+* (does nothing if successful since a JWT is not stored on the server)
+*/
+async function revokeJwtAccessToken(ctx, opts, token) {
+	const jwtPlugin = opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context);
+	const jwtPluginOptions = jwtPlugin?.options;
+	try {
+		await verifyJwsAccessToken(token, {
+			jwksFetch: jwtPluginOptions?.jwks?.remoteUrl ? jwtPluginOptions.jwks.remoteUrl : async () => {
+				return (await jwtPlugin?.endpoints.getJwks(ctx))?.response;
+			},
+			verifyOptions: {
+				audience: opts.validAudiences ?? ctx.context.baseURL,
+				issuer: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL
+			}
+		});
+	} catch (error) {
+		if (error instanceof Error) {
+			if (error.name === "TypeError" || error.name === "JWSInvalid") throw new APIError$1("BAD_REQUEST", {
+				error_description: "invalid JWT signature",
+				error: "invalid_request"
+			});
+			else if (error.name === "JWTExpired") return null;
+			else if (error.name === "JWTInvalid") return null;
+			throw error;
+		}
+		throw new Error(error);
+	}
+}
+/**
+* Searches for an opaque access token in the database and validates it
+*/
+async function revokeOpaqueAccessToken(ctx, opts, token, clientId) {
+	let tokenValue = token;
+	if (opts.prefix?.opaqueAccessToken) if (tokenValue.startsWith(opts.prefix.opaqueAccessToken)) tokenValue = tokenValue.replace(opts.prefix.opaqueAccessToken, "");
+	else throw new APIError$1("BAD_REQUEST", {
+		error_description: "opaque access token not found",
+		error: "invalid_request"
+	});
+	const accessToken = await ctx.context.adapter.findOne({
+		model: "oauthAccessToken",
+		where: [{
+			field: "token",
+			value: await getStoredToken(opts.storeTokens, tokenValue, "access_token")
+		}]
+	});
+	if (!accessToken) throw new APIError$1("BAD_REQUEST", {
+		error_description: "opaque access token not found",
+		error: "invalid_request"
+	});
+	if (!accessToken.clientId || accessToken.clientId !== clientId) return null;
+	accessToken.id ? await ctx.context.adapter.delete({
+		model: "oauthAccessToken",
+		where: [{
+			field: "id",
+			value: accessToken.id
+		}]
+	}) : await ctx.context.adapter.delete({
+		model: "oauthAccessToken",
+		where: [{
+			field: "token",
+			value: accessToken.token
+		}]
+	});
+}
+/**
+* Validates a refresh token in the session store.
+*/
+async function revokeRefreshToken(ctx, opts, token, clientId) {
+	const refreshToken = await ctx.context.adapter.findOne({
+		model: "oauthRefreshToken",
+		where: [{
+			field: "token",
+			value: await getStoredToken(opts.storeTokens, token, "refresh_token")
+		}]
+	});
+	if (!refreshToken) throw new APIError$1("BAD_REQUEST", {
+		error_description: "token not found",
+		error: "invalid_request"
+	});
+	if (refreshToken.revoked) {
+		await ctx.context.adapter.deleteMany({
+			model: "oauthRefreshToken",
+			where: [{
+				field: "clientId",
+				value: clientId
+			}, {
+				field: "userId",
+				value: refreshToken.userId
+			}]
+		});
+		throw new APIError$1("BAD_REQUEST", {
+			error_description: "refresh token revoked",
+			error: "invalid_request"
+		});
+	}
+	if (!refreshToken.clientId || refreshToken.clientId !== clientId) return null;
+	const iat = Math.floor(Date.now() / 1e3);
+	await Promise.allSettled([ctx.context.adapter.deleteMany({
+		model: "oauthAccessToken",
+		where: [{
+			field: "refreshId",
+			value: refreshToken.id
+		}]
+	}), ctx.context.adapter.update({
+		model: "oauthRefreshToken",
+		where: [{
+			field: "id",
+			value: refreshToken.id
+		}],
+		update: { revoked: /* @__PURE__ */ new Date(iat * 1e3) }
+	})]);
+}
+/**
+* We don't know the access token format so we try to validate it
+* as a JWT first, then as an opaque token.
+*/
+async function revokeAccessToken(ctx, opts, clientId, token) {
+	try {
+		return await revokeJwtAccessToken(ctx, opts, token);
+	} catch (err) {
+		if (err instanceof APIError$1) {} else if (err instanceof Error) throw err;
+		else throw new Error(err);
+	}
+	try {
+		return await revokeOpaqueAccessToken(ctx, opts, token, clientId);
+	} catch (err) {
+		if (err instanceof APIError$1) {} else if (err instanceof Error) throw err;
+		else throw new Error("Unknown error validating access token");
+	}
+	throw new APIError$1("BAD_REQUEST", {
+		error_description: "Invalid access token",
+		error: "invalid_request"
+	});
+}
+async function revokeEndpoint(ctx, opts) {
+	let { client_id, client_secret, token, token_type_hint } = ctx.body;
+	const authorization = ctx.request?.headers.get("authorization") || null;
+	if (authorization?.startsWith("Basic ")) {
+		const res = basicToClientCredentials(authorization);
+		client_id = res?.client_id;
+		client_secret = res?.client_secret;
+	}
+	if (!client_id) throw new APIError$1("UNAUTHORIZED", {
+		error_description: "missing required credentials",
+		error: "invalid_client"
+	});
+	if (typeof token === "string" && token.startsWith("Bearer ")) token = token.replace("Bearer ", "");
+	if (!token?.length) throw new APIError$1("BAD_REQUEST", {
+		error_description: "missing a required token for introspection",
+		error: "invalid_request"
+	});
+	const client = await validateClientCredentials(ctx, opts, client_id, client_secret);
+	try {
+		if (token_type_hint === void 0 || token_type_hint === "access_token") try {
+			return await revokeAccessToken(ctx, opts, client.clientId, token);
+		} catch (error) {
+			if (error instanceof APIError$1) {
+				if (token_type_hint === "access_token") throw error;
+			} else if (error instanceof Error) throw error;
+			else throw new Error(error);
+		}
+		if (token_type_hint === void 0 || token_type_hint === "refresh_token") try {
+			return await revokeRefreshToken(ctx, opts, (await decodeRefreshToken(opts, token)).token, client.clientId);
+		} catch (error) {
+			if (error instanceof APIError$1) {
+				if (token_type_hint === "refresh_token") throw error;
+			} else if (error instanceof Error) throw error;
+			else throw new Error(error);
+		}
+		throw new APIError$1("BAD_REQUEST", {
+			error_description: "token not found",
+			error: "invalid_request"
+		});
+	} catch (error) {
+		if (error instanceof APIError$1) {
+			if (error.name === "BAD_REQUEST") return null;
+			throw error;
+		} else if (error instanceof Error) {
+			logger.error("Introspection error:", error.message, error.stack);
+			throw new APIError$1("INTERNAL_SERVER_ERROR");
+		} else {
+			logger.error("Introspection error:", error);
+			throw new APIError$1("INTERNAL_SERVER_ERROR");
+		}
+	}
+}
+//#endregion
+//#region src/schema.ts
+const schema = {
+	oauthClient: {
+		modelName: "oauthClient",
+		fields: {
+			clientId: {
+				type: "string",
+				unique: true,
+				required: true
+			},
+			clientSecret: {
+				type: "string",
+				required: false
+			},
+			disabled: {
+				type: "boolean",
+				defaultValue: false,
+				required: false
+			},
+			skipConsent: {
+				type: "boolean",
+				required: false
+			},
+			enableEndSession: {
+				type: "boolean",
+				required: false
+			},
+			scopes: {
+				type: "string[]",
+				required: false
+			},
+			userId: {
+				type: "string",
+				required: false,
+				references: {
+					model: "user",
+					field: "id"
+				}
+			},
+			createdAt: {
+				type: "date",
+				required: false
+			},
+			updatedAt: {
+				type: "date",
+				required: false
+			},
+			name: {
+				type: "string",
+				required: false
+			},
+			uri: {
+				type: "string",
+				required: false
+			},
+			icon: {
+				type: "string",
+				required: false
+			},
+			contacts: {
+				type: "string[]",
+				required: false
+			},
+			tos: {
+				type: "string",
+				required: false
+			},
+			policy: {
+				type: "string",
+				required: false
+			},
+			softwareId: {
+				type: "string",
+				required: false
+			},
+			softwareVersion: {
+				type: "string",
+				required: false
+			},
+			softwareStatement: {
+				type: "string",
+				required: false
+			},
+			redirectUris: {
+				type: "string[]",
+				required: true
+			},
+			postLogoutRedirectUris: {
+				type: "string[]",
+				required: false
+			},
+			tokenEndpointAuthMethod: {
+				type: "string",
+				required: false
+			},
+			grantTypes: {
+				type: "string[]",
+				required: false
+			},
+			responseTypes: {
+				type: "string[]",
+				required: false
+			},
+			public: {
+				type: "boolean",
+				required: false
+			},
+			type: {
+				type: "string",
+				required: false
+			},
+			referenceId: {
+				type: "string",
+				required: false
+			},
+			metadata: {
+				type: "json",
+				required: false
+			}
+		}
+	},
+	oauthRefreshToken: { fields: {
+		token: {
+			type: "string",
+			required: true
+		},
+		clientId: {
+			type: "string",
+			required: true,
+			references: {
+				model: "oauthClient",
+				field: "clientId"
+			}
+		},
+		sessionId: {
+			type: "string",
+			required: false,
+			references: {
+				model: "session",
+				field: "id",
+				onDelete: "set null"
+			}
+		},
+		userId: {
+			type: "string",
+			required: true,
+			references: {
+				model: "user",
+				field: "id"
+			}
+		},
+		referenceId: {
+			type: "string",
+			required: false
+		},
+		expiresAt: { type: "date" },
+		createdAt: { type: "date" },
+		revoked: {
+			type: "date",
+			required: false
+		},
+		scopes: {
+			type: "string[]",
+			required: true
+		}
+	} },
+	oauthAccessToken: {
+		modelName: "oauthAccessToken",
+		fields: {
+			token: {
+				type: "string",
+				unique: true
+			},
+			clientId: {
+				type: "string",
+				required: true,
+				references: {
+					model: "oauthClient",
+					field: "clientId"
+				}
+			},
+			sessionId: {
+				type: "string",
+				required: false,
+				references: {
+					model: "session",
+					field: "id",
+					onDelete: "set null"
+				}
+			},
+			userId: {
+				type: "string",
+				required: false,
+				references: {
+					model: "user",
+					field: "id"
+				}
+			},
+			referenceId: {
+				type: "string",
+				required: false
+			},
+			refreshId: {
+				type: "string",
+				required: false,
+				references: {
+					model: "oauthRefreshToken",
+					field: "id"
+				}
+			},
+			expiresAt: { type: "date" },
+			createdAt: { type: "date" },
+			scopes: {
+				type: "string[]",
+				required: true
+			}
+		}
+	},
+	oauthConsent: {
+		modelName: "oauthConsent",
+		fields: {
+			clientId: {
+				type: "string",
+				required: true,
+				references: {
+					model: "oauthClient",
+					field: "clientId"
+				}
+			},
+			userId: {
+				type: "string",
+				required: false,
+				references: {
+					model: "user",
+					field: "id"
+				}
+			},
+			referenceId: {
+				type: "string",
+				required: false
+			},
+			scopes: {
+				type: "string[]",
+				required: true
+			},
+			createdAt: { type: "date" },
+			updatedAt: { type: "date" }
+		}
+	}
+};
+//#endregion
+//#region src/oauth.ts
+const oAuthState = defineRequestState(() => null);
+/**
+* oAuth 2.1 provider plugin for Better Auth.
+*
+* @see https://better-auth.com/docs/plugins/oauth-provider
+* @param options - The options for the oAuth Provider plugin.
+* @returns A Better Auth plugin.
+*/
+const oauthProvider = (options) => {
+	let clientRegistrationAllowedScopes = options.clientRegistrationAllowedScopes;
+	if (options.clientRegistrationDefaultScopes) {
+		const _allowedScopes = clientRegistrationAllowedScopes ? new Set([...clientRegistrationAllowedScopes, ...options.clientRegistrationDefaultScopes]) : new Set([...options.clientRegistrationDefaultScopes]);
+		clientRegistrationAllowedScopes = Array.from(_allowedScopes);
+	}
+	const scopes = new Set((options.scopes ?? [
+		"openid",
+		"profile",
+		"email",
+		"offline_access"
+	]).filter((val) => val.length));
+	if (clientRegistrationAllowedScopes) {
+		for (const sc of clientRegistrationAllowedScopes) if (!scopes.has(sc)) throw new BetterAuthError(`clientRegistrationAllowedScope ${sc} not found in scopes`);
+	}
+	for (const sc of options.advertisedMetadata?.scopes_supported ?? []) if (!scopes?.has(sc)) throw new BetterAuthError(`advertisedMetadata.scopes_supported ${sc} not found in scopes`);
+	const claims = new Set([
+		"sub",
+		"iss",
+		"aud",
+		"exp",
+		"iat",
+		"sid",
+		"scope",
+		"azp",
+		...scopes.has("email") ? ["email", "email_verified"] : [],
+		...scopes.has("profile") ? [
+			"name",
+			"picture",
+			"family_name",
+			"given_name"
+		] : []
+	]);
+	const opts = {
+		codeExpiresIn: 600,
+		accessTokenExpiresIn: 3600,
+		m2mAccessTokenExpiresIn: 3600,
+		refreshTokenExpiresIn: 2592e3,
+		allowUnauthenticatedClientRegistration: false,
+		allowDynamicClientRegistration: false,
+		disableJwtPlugin: false,
+		storeClientSecret: options.disableJwtPlugin ? "encrypted" : "hashed",
+		storeTokens: "hashed",
+		grantTypes: [
+			"authorization_code",
+			"client_credentials",
+			"refresh_token"
+		],
+		...options,
+		scopes: Array.from(scopes),
+		claims: Array.from(claims),
+		clientRegistrationAllowedScopes
+	};
+	if (opts.grantTypes && opts.grantTypes.includes("refresh_token") && !opts.grantTypes.includes("authorization_code")) throw new BetterAuthError("refresh_token grant requires authorization_code grant");
+	if (opts.disableJwtPlugin && (opts.storeClientSecret === "hashed" || typeof opts.storeClientSecret === "object" && "hash" in opts.storeClientSecret)) throw new BetterAuthError("unable to store hashed secrets because id tokens will be signed with secret");
+	if (!opts.disableJwtPlugin && (opts.storeClientSecret === "encrypted" || typeof opts.storeClientSecret === "object" && ("encrypt" in opts.storeClientSecret || "decrypt" in opts.storeClientSecret))) throw new BetterAuthError("encryption method not recommended, please use 'hashed' or the 'hash' function");
+	return {
+		id: "oauth-provider",
+		options: opts,
+		init: (ctx) => {
+			if (ctx.options.session && !ctx.options.session.storeSessionInDatabase) throw new BetterAuthError("OAuth Provider requires `session.storeSessionInDatabase: true` when using secondaryStorage");
+			if (!opts.disableJwtPlugin) {
+				const issuer = (getJwtPlugin(ctx)?.options)?.jwt?.issuer ?? ctx.baseURL;
+				const issuerPath = new URL(issuer).pathname;
+				if (!opts.silenceWarnings?.oauthAuthServerConfig && !(ctx.options.basePath === "/" && issuerPath === "/")) logger.warn(`Please ensure '/.well-known/oauth-authorization-server${issuerPath === "/" ? "" : issuerPath}' exists. Upon completion, clear with silenceWarnings.oauthAuthServerConfig.`);
+				if (!opts.silenceWarnings?.openidConfig && ctx.options.basePath !== issuerPath && opts.scopes?.includes("openid")) logger.warn(`Please ensure '${issuerPath}${issuerPath.endsWith("/") ? "" : "/"}.well-known/openid-configuration' exists. Upon completion, clear with silenceWarnings.openidConfig.`);
+			}
+		},
+		hooks: {
+			before: [{
+				matcher(ctx) {
+					return ctx.body?.oauth_query;
+				},
+				handler: createAuthMiddleware(async (ctx) => {
+					const query = ctx.body.oauth_query;
+					let queryParams = new URLSearchParams(query);
+					const sig = queryParams.get("sig");
+					const exp = Number(queryParams.get("exp"));
+					queryParams.delete("sig");
+					queryParams = new URLSearchParams(queryParams);
+					const verifySig = await makeSignature(queryParams.toString(), ctx.context.secret);
+					if (!sig || !constantTimeEqual(sig, verifySig) || /* @__PURE__ */ new Date(exp * 1e3) < /* @__PURE__ */ new Date()) throw new APIError("BAD_REQUEST", { error: "invalid_signature" });
+					queryParams.delete("exp");
+					await oAuthState.set({ query: new URLSearchParams(queryParams).toString() });
+					if (ctx.path === "/sign-in/social" || ctx.path === "/sign-in/oauth2") {
+						if (ctx.body.additionalData?.query) return;
+						if (!ctx.body.additionalData) ctx.body.additionalData = {};
+						ctx.body.additionalData.query = queryParams.toString();
+					}
+				})
+			}],
+			after: [{
+				matcher(ctx) {
+					return parseSetCookieHeader(ctx.context.responseHeaders?.get("set-cookie") || "").has(ctx.context.authCookies.sessionToken.name);
+				},
+				handler: createAuthMiddleware(async (ctx) => {
+					const sessionToken = parseSetCookieHeader(ctx.context.responseHeaders?.get("set-cookie") || "").get(ctx.context.authCookies.sessionToken.name)?.value.split(".")[0];
+					if (!sessionToken) return;
+					const _query = (await oAuthState.get())?.query ?? (await getOAuthState())?.query;
+					if (!_query) return;
+					const query = new URLSearchParams(_query);
+					const session = await ctx.context.internalAdapter.findSession(sessionToken);
+					if (!session) return;
+					ctx.context.session = session;
+					ctx.query = deleteFromPrompt(query, "login");
+					return await authorizeEndpoint(ctx, opts);
+				})
+			}]
+		},
+		endpoints: {
+			getOAuthServerConfig: createAuthEndpoint("/.well-known/oauth-authorization-server", {
+				method: "GET",
+				metadata: { SERVER_ONLY: true }
+			}, async (ctx) => {
+				if (opts.scopes && opts.scopes.includes("openid")) return oidcServerMetadata(ctx, opts);
+				else return authServerMetadata(ctx, opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context)?.options, { scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes });
+			}),
+			getOpenIdConfig: createAuthEndpoint("/.well-known/openid-configuration", {
+				method: "GET",
+				metadata: { SERVER_ONLY: true }
+			}, async (ctx) => {
+				if (opts.scopes && !opts.scopes.includes("openid")) throw new APIError("NOT_FOUND");
+				return oidcServerMetadata(ctx, opts);
+			}),
+			oauth2Authorize: createAuthEndpoint("/oauth2/authorize", {
+				method: "GET",
+				query: z.object({
+					response_type: z.enum(["code"]),
+					client_id: z.string(),
+					redirect_uri: SafeUrlSchema.optional(),
+					scope: z.string().optional(),
+					state: z.string().optional(),
+					code_challenge: z.string().optional(),
+					code_challenge_method: z.enum(["S256"]).optional(),
+					nonce: z.string().optional(),
+					prompt: z.enum([
+						"consent",
+						"login",
+						"create",
+						"select_account",
+						"login consent",
+						"select_account consent"
+					]).optional()
+				}),
+				metadata: { openapi: {
+					description: "Authorize an OAuth2 request",
+					parameters: [
+						{
+							name: "response_type",
+							in: "query",
+							required: true,
+							schema: { type: "string" },
+							description: "OAuth2 response type (e.g., 'code')"
+						},
+						{
+							name: "client_id",
+							in: "query",
+							required: true,
+							schema: { type: "string" },
+							description: "OAuth2 client ID"
+						},
+						{
+							name: "redirect_uri",
+							in: "query",
+							required: false,
+							schema: {
+								type: "string",
+								format: "uri"
+							},
+							description: "OAuth2 redirect URI"
+						},
+						{
+							name: "scope",
+							in: "query",
+							required: false,
+							schema: { type: "string" },
+							description: "OAuth2 scopes (space-separated)"
+						},
+						{
+							name: "state",
+							in: "query",
+							required: false,
+							schema: { type: "string" },
+							description: "OAuth2 state parameter"
+						},
+						{
+							name: "code_challenge",
+							in: "query",
+							required: false,
+							schema: { type: "string" },
+							description: "PKCE code challenge"
+						},
+						{
+							name: "code_challenge_method",
+							in: "query",
+							required: false,
+							schema: { type: "string" },
+							description: "PKCE code challenge method"
+						},
+						{
+							name: "nonce",
+							in: "query",
+							required: false,
+							schema: { type: "string" },
+							description: "OpenID Connect nonce"
+						},
+						{
+							name: "prompt",
+							in: "query",
+							required: false,
+							schema: { type: "string" },
+							description: "OAuth2 prompt parameter"
+						}
+					],
+					responses: {
+						"302": {
+							description: "Redirect to client with code or error",
+							headers: { Location: {
+								description: "Redirect URI with code or error",
+								schema: {
+									type: "string",
+									format: "uri"
+								}
+							} }
+						},
+						"400": {
+							description: "Invalid request",
+							content: { "application/json": { schema: {
+								type: "object",
+								properties: {
+									error: { type: "string" },
+									error_description: { type: "string" },
+									state: { type: "string" }
+								},
+								required: ["error"]
+							} } }
+						}
+					}
+				} }
+			}, async (ctx) => {
+				return authorizeEndpoint(ctx, opts, { isAuthorize: true });
+			}),
+			oauth2Consent: createAuthEndpoint("/oauth2/consent", {
+				method: "POST",
+				body: z.object({
+					accept: z.boolean().meta({ description: "Accept or deny user consent for a set of scopes" }),
+					scope: z.string().optional().meta({ description: "List of accept of accepted space-separated scopes. If none is provided, then all originally requested scopes are accepted." }),
+					oauth_query: z.string().optional().meta({ description: "The redirected page's query parameters" })
+				}),
+				use: [sessionMiddleware],
+				metadata: { openapi: {
+					description: "Handle OAuth2 consent",
+					responses: { "200": {
+						description: "Consent processed successfully",
+						content: { "application/json": { schema: {
+							type: "object",
+							properties: { redirect_uri: {
+								type: "string",
+								format: "uri",
+								description: "The URI to redirect to, either with an authorization code or an error"
+							} },
+							required: ["redirect_uri"]
+						} } }
+					} }
+				} }
+			}, async (ctx) => {
+				return consentEndpoint(ctx, opts);
+			}),
+			oauth2Continue: createAuthEndpoint("/oauth2/continue", {
+				method: "POST",
+				body: z.object({
+					selected: z.boolean().optional().meta({ description: "Confirms an account has been selected and authorization can proceed." }),
+					created: z.boolean().optional().meta({ description: "Confirms an account was registered" }),
+					postLogin: z.boolean().optional().meta({ description: "Confirms organization and/or team selection." }),
+					oauth_query: z.string().optional().meta({ description: "The redirected page's query parameters" })
+				}),
+				use: [sessionMiddleware],
+				metadata: { openapi: {
+					description: "Continues OAuth2 authorization flow",
+					responses: { "200": {
+						description: "Consent processed successfully",
+						content: { "application/json": { schema: {
+							type: "object",
+							properties: { redirect_uri: {
+								type: "string",
+								format: "uri",
+								description: "The URI to redirect to, either with an authorization code or an error"
+							} },
+							required: ["redirect_uri"]
+						} } }
+					} }
+				} }
+			}, async (ctx) => {
+				return continueEndpoint(ctx, opts);
+			}),
+			oauth2Token: createAuthEndpoint("/oauth2/token", {
+				method: "POST",
+				body: z.object({
+					grant_type: z.enum([
+						"authorization_code",
+						"client_credentials",
+						"refresh_token"
+					]),
+					client_id: z.string().optional(),
+					client_secret: z.string().optional(),
+					code: z.string().optional(),
+					code_verifier: z.string().optional(),
+					redirect_uri: SafeUrlSchema.optional(),
+					refresh_token: z.string().optional(),
+					resource: z.string().optional(),
+					scope: z.string().optional()
+				}),
+				metadata: {
+					allowedMediaTypes: ["application/x-www-form-urlencoded"],
+					openapi: {
+						description: "Obtain an OAuth2.1 access token",
+						requestBody: {
+							required: true,
+							content: { "application/json": { schema: {
+								type: "object",
+								properties: {
+									grant_type: {
+										type: "string",
+										enum: [
+											"authorization_code",
+											"client_credentials",
+											"refresh_token"
+										],
+										description: "OAuth2 grant type"
+									},
+									client_id: {
+										type: "string",
+										description: "OAuth2 client ID"
+									},
+									client_secret: {
+										type: "string",
+										description: "OAuth2 client secret"
+									},
+									code: {
+										type: "string",
+										description: "Authorization code (for authorization_code grant)"
+									},
+									code_verifier: {
+										type: "string",
+										description: "PKCE code verifier (for authorization_code grant)"
+									},
+									redirect_uri: {
+										type: "string",
+										format: "uri",
+										description: "Redirect URI (for authorization_code grant)"
+									},
+									refresh_token: {
+										type: "string",
+										description: "Refresh token (for refresh_token grant)"
+									},
+									resource: {
+										type: "string",
+										description: "Requested token resource (ie audience) to obtain a JWT formatted access token"
+									},
+									scope: {
+										type: "string",
+										description: "Requested scopes (for client_credentials grant)"
+									}
+								},
+								required: ["grant_type"]
+							} } }
+						},
+						responses: {
+							"200": {
+								description: "Access token response",
+								content: { "application/json": { schema: {
+									type: "object",
+									properties: {
+										access_token: {
+											type: "string",
+											description: "The access token issued by the authorization server"
+										},
+										token_type: {
+											type: "string",
+											description: "The type of the token issued",
+											enum: ["Bearer"]
+										},
+										expires_in: {
+											type: "number",
+											description: "Lifetime in seconds of the access token"
+										},
+										refresh_token: {
+											type: "string",
+											description: "Refresh token, if issued"
+										},
+										scope: {
+											type: "string",
+											description: "Scopes granted by the access token"
+										},
+										id_token: {
+											type: "string",
+											description: "ID Token (if OpenID Connect)"
+										}
+									},
+									required: [
+										"access_token",
+										"token_type",
+										"expires_in"
+									]
+								} } }
+							},
+							"400": {
+								description: "Invalid request or error response",
+								content: { "application/json": { schema: {
+									type: "object",
+									properties: {
+										error: { type: "string" },
+										error_description: { type: "string" },
+										error_uri: { type: "string" }
+									},
+									required: ["error"]
+								} } }
+							}
+						}
+					}
+				}
+			}, async (ctx) => {
+				return tokenEndpoint(ctx, opts);
+			}),
+			oauth2Introspect: createAuthEndpoint("/oauth2/introspect", {
+				method: "POST",
+				body: z.object({
+					client_id: z.string().optional(),
+					client_secret: z.string().optional(),
+					token: z.string(),
+					token_type_hint: z.enum(["access_token", "refresh_token"]).optional()
+				}),
+				metadata: {
+					allowedMediaTypes: ["application/x-www-form-urlencoded"],
+					openapi: {
+						description: "Introspect an OAuth2 access or refresh token",
+						requestBody: {
+							required: true,
+							content: { "application/json": { schema: {
+								type: "object",
+								properties: {
+									client_id: {
+										type: "string",
+										description: "OAuth2 client ID"
+									},
+									client_secret: {
+										type: "string",
+										description: "OAuth2 client secret"
+									},
+									token: {
+										type: "string",
+										description: "The token to introspect (access or refresh token)"
+									},
+									token_type_hint: {
+										type: "string",
+										enum: ["access_token", "refresh_token"],
+										description: "Hint about the type of the token submitted for introspection"
+									},
+									resource: {
+										type: "string",
+										description: "Introspects a token for a specific resource."
+									}
+								},
+								required: ["token"]
+							} } }
+						},
+						responses: {
+							"200": {
+								description: "Token introspection response",
+								content: { "application/json": { schema: {
+									type: "object",
+									properties: {
+										active: {
+											type: "boolean",
+											description: "Whether the token is active"
+										},
+										scope: {
+											type: "string",
+											description: "Scopes associated with the token"
+										},
+										client_id: {
+											type: "string",
+											description: "Client ID associated with the token"
+										},
+										username: {
+											type: "string",
+											description: "Username associated with the token"
+										},
+										token_type: {
+											type: "string",
+											description: "Type of the token"
+										},
+										exp: {
+											type: "number",
+											description: "Expiration time of the token (seconds since epoch)"
+										},
+										iat: {
+											type: "number",
+											description: "Issued at time (seconds since epoch)"
+										},
+										nbf: {
+											type: "number",
+											description: "Not before time (seconds since epoch)"
+										},
+										sub: {
+											type: "string",
+											description: "Subject of the token"
+										},
+										aud: {
+											type: "string",
+											description: "Audience of the token"
+										},
+										iss: {
+											type: "string",
+											description: "Issuer of the token"
+										},
+										jti: {
+											type: "string",
+											description: "JWT ID"
+										}
+									},
+									required: ["active"]
+								} } }
+							},
+							"400": {
+								description: "Invalid request or error response",
+								content: { "application/json": { schema: {
+									type: "object",
+									properties: {
+										error: { type: "string" },
+										error_description: { type: "string" },
+										error_uri: { type: "string" }
+									},
+									required: ["error"]
+								} } }
+							}
+						}
+					}
+				}
+			}, async (ctx) => {
+				return introspectEndpoint(ctx, opts);
+			}),
+			oauth2Revoke: createAuthEndpoint("/oauth2/revoke", {
+				method: "POST",
+				body: z.object({
+					client_id: z.string().optional(),
+					client_secret: z.string().optional(),
+					token: z.string(),
+					token_type_hint: z.enum(["access_token", "refresh_token"]).optional()
+				}),
+				metadata: {
+					allowedMediaTypes: ["application/x-www-form-urlencoded"],
+					openapi: {
+						description: "Revoke an OAuth2 access or refresh token",
+						requestBody: {
+							required: true,
+							content: { "application/json": { schema: {
+								type: "object",
+								properties: {
+									client_id: {
+										type: "string",
+										description: "OAuth2 client ID"
+									},
+									client_secret: {
+										type: "string",
+										description: "OAuth2 client secret"
+									},
+									token: {
+										type: "string",
+										description: "The token to revoke (access or refresh token)"
+									},
+									token_type_hint: {
+										type: "string",
+										enum: ["access_token", "refresh_token"],
+										description: "Hint about the type of the token submitted for revocation"
+									}
+								},
+								required: ["token"]
+							} } }
+						},
+						responses: {
+							"200": {
+								description: "Token revoked successfully. The response body is empty.",
+								content: { "application/json": { schema: {
+									type: "object",
+									description: "Empty object on success"
+								} } }
+							},
+							"400": {
+								description: "Invalid request or error response",
+								content: { "application/json": { schema: {
+									type: "object",
+									properties: {
+										error: { type: "string" },
+										error_description: { type: "string" },
+										error_uri: { type: "string" }
+									},
+									required: ["error"]
+								} } }
+							}
+						}
+					}
+				}
+			}, async (ctx) => {
+				return revokeEndpoint(ctx, opts);
+			}),
+			oauth2UserInfo: createAuthEndpoint("/oauth2/userinfo", {
+				method: "GET",
+				metadata: { openapi: {
+					description: "Get OpenID Connect user information (UserInfo endpoint)",
+					security: [{ bearerAuth: [] }, { OAuth2: [
+						"openid",
+						"profile",
+						"email"
+					] }],
+					parameters: [{
+						name: "Authorization",
+						in: "header",
+						required: false,
+						schema: { type: "string" },
+						description: "Bearer access token"
+					}],
+					responses: {
+						"200": {
+							description: "User information retrieved successfully",
+							content: { "application/json": { schema: {
+								type: "object",
+								properties: {
+									sub: {
+										type: "string",
+										description: "Subject identifier (user ID)"
+									},
+									email: {
+										type: "string",
+										format: "email",
+										nullable: true,
+										description: "User's email address, included if 'email' scope is granted"
+									},
+									name: {
+										type: "string",
+										nullable: true,
+										description: "User's full name, included if 'profile' scope is granted"
+									},
+									picture: {
+										type: "string",
+										format: "uri",
+										nullable: true,
+										description: "User's profile picture URL, included if 'profile' scope is granted"
+									},
+									given_name: {
+										type: "string",
+										nullable: true,
+										description: "User's given name, included if 'profile' scope is granted"
+									},
+									family_name: {
+										type: "string",
+										nullable: true,
+										description: "User's family name, included if 'profile' scope is granted"
+									},
+									email_verified: {
+										type: "boolean",
+										nullable: true,
+										description: "Whether the email is verified, included if 'email' scope is granted"
+									}
+								},
+								required: ["sub"]
+							} } }
+						},
+						"401": {
+							description: "Unauthorized - invalid or missing access token",
+							content: { "application/json": { schema: {
+								type: "object",
+								properties: {
+									error: { type: "string" },
+									error_description: { type: "string" }
+								},
+								required: ["error"]
+							} } }
+						},
+						"403": {
+							description: "Forbidden - insufficient scope",
+							content: { "application/json": { schema: {
+								type: "object",
+								properties: {
+									error: { type: "string" },
+									error_description: { type: "string" }
+								},
+								required: ["error"]
+							} } }
+						}
+					}
+				} }
+			}, async (ctx) => {
+				return userInfoEndpoint(ctx, opts);
+			}),
+			oauth2EndSession: createAuthEndpoint("/oauth2/end-session", {
+				method: "GET",
+				query: z.object({
+					id_token_hint: z.string(),
+					client_id: z.string().optional(),
+					post_logout_redirect_uri: SafeUrlSchema.optional(),
+					state: z.string().optional()
+				}),
+				metadata: { openapi: {
+					description: "RP-Initiated Logout endpoint. Allows clients to notify the OP that the End-User has logged out.",
+					responses: { "200": {
+						description: "Logout successful. May include redirect_uri if post_logout_redirect_uri was provided.",
+						content: { "application/json": { schema: {
+							type: "object",
+							properties: {
+								redirect_uri: {
+									type: "string",
+									format: "uri",
+									description: "URI to redirect to after logout (if post_logout_redirect_uri was provided)"
+								},
+								message: {
+									type: "string",
+									description: "Success message"
+								}
+							}
+						} } }
+					} }
+				} }
+			}, async (ctx) => {
+				return rpInitiatedLogoutEndpoint(ctx, opts);
+			}),
+			registerOAuthClient: createAuthEndpoint("/oauth2/register", {
+				method: "POST",
+				body: z.object({
+					redirect_uris: z.array(SafeUrlSchema).min(1).min(1),
+					scope: z.string().optional(),
+					client_name: z.string().optional(),
+					client_uri: z.string().optional(),
+					logo_uri: z.string().optional(),
+					contacts: z.array(z.string().min(1)).min(1).optional(),
+					tos_uri: z.string().optional(),
+					policy_uri: z.string().optional(),
+					software_id: z.string().optional(),
+					software_version: z.string().optional(),
+					software_statement: z.string().optional(),
+					post_logout_redirect_uris: z.array(SafeUrlSchema).min(1).optional(),
+					token_endpoint_auth_method: z.enum([
+						"none",
+						"client_secret_basic",
+						"client_secret_post"
+					]).default("client_secret_basic").optional(),
+					grant_types: z.array(z.enum([
+						"authorization_code",
+						"client_credentials",
+						"refresh_token"
+					])).default(["authorization_code"]).optional(),
+					response_types: z.array(z.enum(["code"])).default(["code"]).optional(),
+					type: z.enum([
+						"web",
+						"native",
+						"user-agent-based"
+					]).optional()
+				}),
+				metadata: { openapi: {
+					description: "Register an OAuth2 application",
+					responses: { "200": {
+						description: "OAuth2 application registered successfully",
+						content: { "application/json": { schema: {
+							type: "object",
+							properties: {
+								client_id: {
+									type: "string",
+									description: "Unique identifier for the client"
+								},
+								client_secret: {
+									type: "string",
+									description: "Secret key for the client"
+								},
+								client_secret_expires_at: {
+									type: "number",
+									description: "Time the client secret will expire. If 0, the client secret will never expire."
+								},
+								scope: {
+									type: "string",
+									description: "Space-separated scopes allowed by the client"
+								},
+								user_id: {
+									type: "string",
+									description: "ID of the user who registered the client, null if registered anonymously"
+								},
+								client_id_issued_at: {
+									type: "number",
+									description: "Creation timestamp of this client"
+								},
+								client_name: {
+									type: "string",
+									description: "Name of the OAuth2 application"
+								},
+								client_uri: {
+									type: "string",
+									description: "Name of the OAuth2 application"
+								},
+								logo_uri: {
+									type: "string",
+									description: "Icon URL for the application"
+								},
+								contacts: {
+									type: "array",
+									items: { type: "string" },
+									description: "List representing ways to contact people responsible for this client, typically email addresses"
+								},
+								tos_uri: {
+									type: "string",
+									description: "Client's terms of service uri"
+								},
+								policy_uri: {
+									type: "string",
+									description: "Client's policy uri"
+								},
+								software_id: {
+									type: "string",
+									description: "Unique identifier assigned by the developer to help in the dynamic registration process"
+								},
+								software_version: {
+									type: "string",
+									description: "Version identifier for the software_id"
+								},
+								software_statement: {
+									type: "string",
+									description: "JWT containing metadata values about the client software as claims"
+								},
+								redirect_uris: {
+									type: "array",
+									items: {
+										type: "string",
+										format: "uri"
+									},
+									description: "List of allowed redirect uris"
+								},
+								post_logout_redirect_uris: {
+									type: "array",
+									items: {
+										type: "string",
+										format: "uri"
+									},
+									description: "List of allowed logout redirect uris"
+								},
+								token_endpoint_auth_method: {
+									type: "string",
+									description: "Requested authentication method for the token endpoint",
+									enum: [
+										"none",
+										"client_secret_basic",
+										"client_secret_post"
+									]
+								},
+								grant_types: {
+									type: "array",
+									items: {
+										type: "string",
+										enum: [
+											"authorization_code",
+											"client_credentials",
+											"refresh_token"
+										]
+									},
+									description: "Requested authentication method for the token endpoint"
+								},
+								response_types: {
+									type: "array",
+									items: {
+										type: "string",
+										enum: ["code"]
+									},
+									description: "Requested authentication method for the token endpoint"
+								},
+								public: {
+									type: "boolean",
+									description: "Whether the client is public as determined by the type"
+								},
+								type: {
+									type: "string",
+									description: "Type of the client",
+									enum: [
+										"web",
+										"native",
+										"user-agent-based"
+									]
+								},
+								disabled: {
+									type: "boolean",
+									description: "Whether the client is disabled"
+								}
+							},
+							required: ["client_id"]
+						} } }
+					} }
+				} }
+			}, async (ctx) => {
+				return registerEndpoint(ctx, opts);
+			}),
+			adminCreateOAuthClient: adminCreateOAuthClient(opts),
+			createOAuthClient: createOAuthClient(opts),
+			getOAuthClient: getOAuthClient(opts),
+			getOAuthClientPublic: getOAuthClientPublic(opts),
+			getOAuthClients: getOAuthClients(opts),
+			adminUpdateOAuthClient: adminUpdateOAuthClient(opts),
+			updateOAuthClient: updateOAuthClient(opts),
+			rotateClientSecret: rotateClientSecret(opts),
+			deleteOAuthClient: deleteOAuthClient(opts),
+			getOAuthConsent: getOAuthConsent(opts),
+			getOAuthConsents: getOAuthConsents(opts),
+			updateOAuthConsent: updateOAuthConsent(opts),
+			deleteOAuthConsent: deleteOAuthConsent(opts)
+		},
+		schema: mergeSchema(schema, opts?.schema)
+	};
+};
+//#endregion
+export { authServerMetadata, mcpHandler, oauthProvider, oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata, oidcServerMetadata };
+//# sourceMappingURL=index.mjs.map