@iqauth/sdk 2.0.0

package/dist/dev-FUTJZSWN.mjs

@@ -0,0 +1,56 @@
+import {
+  loadEnv,
+  parseFlags
+} from "./chunk-X3K3WOBR.mjs";
+import "./chunk-Y6FXYEAI.mjs";
+
+// src/cli/dev.ts
+import { spawn } from "child_process";
+import { dirname, resolve } from "path";
+import { fileURLToPath } from "url";
+import { existsSync } from "fs";
+function getHere() {
+  const cjsDir = globalThis.__dirname;
+  if (typeof cjsDir === "string" && cjsDir.length > 0) return cjsDir;
+  try {
+    const url = import.meta?.url;
+    if (typeof url === "string" && url.length > 0) return dirname(fileURLToPath(url));
+  } catch {
+  }
+  const argv1 = process.argv[1];
+  if (argv1) return dirname(argv1);
+  return process.cwd();
+}
+async function runDev(argv) {
+  const { flags } = parseFlags(argv);
+  const env = await loadEnv(flags.get("env-file") || ".env");
+  const pk = env.IQAUTH_PUBLISHABLE_KEY;
+  if (!pk) {
+    console.error("\u2717 IQAUTH_PUBLISHABLE_KEY missing in .env. Run `iqauth init` first.");
+    process.exit(1);
+  }
+  const here = getHere();
+  let example = flags.get("example");
+  if (!example) {
+    const candidates = [
+      resolve(here, "..", "..", "..", "..", "examples", "react-vite"),
+      resolve(here, "..", "..", "examples", "react-vite"),
+      resolve(process.cwd(), "examples", "react-vite")
+    ];
+    example = candidates.find((p) => existsSync(p)) || candidates[0];
+  }
+  console.log(`\u2192 Starting example at ${example}`);
+  console.log(`  using IQAUTH_PUBLISHABLE_KEY=${pk.slice(0, 12)}\u2026`);
+  const child = spawn("npm", ["run", "dev"], {
+    cwd: example,
+    stdio: "inherit",
+    env: {
+      ...process.env,
+      VITE_IQAUTH_PUBLISHABLE_KEY: pk
+    }
+  });
+  child.on("exit", (code) => process.exit(code ?? 0));
+}
+export {
+  runDev
+};

package/dist/doctor-OHJRZBBT.mjs

@@ -0,0 +1,89 @@
+import {
+  loadEnv,
+  parseFlags,
+  symbol
+} from "./chunk-X3K3WOBR.mjs";
+import {
+  parsePublishableKey
+} from "./chunk-5WFR6Y33.mjs";
+import "./chunk-Y6FXYEAI.mjs";
+
+// src/cli/doctor.ts
+async function runDoctor(argv) {
+  const { flags } = parseFlags(argv);
+  const envFile = flags.get("env-file") || ".env";
+  const env = await loadEnv(envFile);
+  const probes = [];
+  const pkRaw = env.IQAUTH_PUBLISHABLE_KEY;
+  const issuerEnv = env.IQAUTH_ISSUER;
+  const redirect = env.IQAUTH_REDIRECT_URI;
+  probes.push({
+    name: ".env present",
+    ok: !!pkRaw,
+    detail: pkRaw ? `${envFile} loaded; IQAUTH_PUBLISHABLE_KEY=${pkRaw.slice(0, 10)}\u2026` : `IQAUTH_PUBLISHABLE_KEY missing in ${envFile}`
+  });
+  const parsed = pkRaw ? parsePublishableKey(pkRaw) : null;
+  probes.push({
+    name: "publishable key parses",
+    ok: !!parsed,
+    detail: parsed ? `mode=${parsed.mode} appId=${parsed.appId} tenantId=${parsed.tenantId} kid=${parsed.kid}` : "key did not match pk_<test|live>_<base64> format"
+  });
+  const issuer = (issuerEnv || (parsed?.iss.startsWith("http") ? parsed.iss : parsed ? `https://${parsed.iss}` : "")).replace(/\/+$/, "");
+  if (issuer) {
+    try {
+      const res = await fetch(`${issuer}/.well-known/openid-configuration`);
+      probes.push({
+        name: "issuer reachable",
+        ok: res.ok,
+        detail: `${issuer}/.well-known/openid-configuration \u2192 ${res.status}`
+      });
+    } catch (err) {
+      probes.push({
+        name: "issuer reachable",
+        ok: false,
+        detail: `fetch failed: ${err.message}`
+      });
+    }
+  } else {
+    probes.push({ name: "issuer reachable", ok: false, detail: "issuer URL unknown (no IQAUTH_ISSUER and no key)" });
+  }
+  if (issuer) {
+    try {
+      const res = await fetch(`${issuer}/.well-known/jwks.json`);
+      const json = await res.json().catch(() => ({}));
+      const keys = json.keys;
+      probes.push({
+        name: "JWKS reachable",
+        ok: res.ok && Array.isArray(keys) && keys.length > 0,
+        detail: `${issuer}/.well-known/jwks.json \u2192 ${res.status} (${Array.isArray(keys) ? keys.length : 0} keys)`
+      });
+    } catch (err) {
+      probes.push({ name: "JWKS reachable", ok: false, detail: `fetch failed: ${err.message}` });
+    }
+  }
+  if (redirect) {
+    try {
+      const res = await fetch(redirect, { method: "GET" });
+      probes.push({
+        name: "redirect URI reachable",
+        ok: res.status > 0 && res.status < 500,
+        detail: `${redirect} \u2192 ${res.status}`
+      });
+    } catch (err) {
+      probes.push({ name: "redirect URI reachable", ok: false, detail: `fetch failed: ${err.message}` });
+    }
+  } else {
+    probes.push({ name: "redirect URI reachable", ok: false, detail: "IQAUTH_REDIRECT_URI not set" });
+  }
+  let allOk = true;
+  for (const p of probes) {
+    console.log(`${symbol(p.ok)} ${p.name.padEnd(28)} ${p.detail}`);
+    if (!p.ok) allOk = false;
+  }
+  console.log("");
+  console.log(allOk ? "\u2705 All checks passed." : "\u274C One or more checks failed \u2014 see above.");
+  process.exit(allOk ? 0 : 1);
+}
+export {
+  runDoctor
+};

package/dist/errors-CDdl24MP.d.mts

@@ -0,0 +1,52 @@
+/**
+ * SOURCE REFS:
+ * - Route file: src/lib/response.ts (error envelope: { success: false, error: { code, message } })
+ * - All route files for error code extraction
+ * - Verified claims: N/A (error module)
+ * - Last verified: Phase 0 Research Summary
+ */
+declare class IQAuthError extends Error {
+    code: string;
+    status?: number;
+    raw?: unknown;
+    constructor(code: string, message: string, status?: number, raw?: unknown);
+}
+declare const ErrorCodes: {
+    readonly VALIDATION_ERROR: "VALIDATION_ERROR";
+    readonly INVALID_CREDENTIALS: "INVALID_CREDENTIALS";
+    readonly ACCOUNT_INACTIVE: "ACCOUNT_INACTIVE";
+    readonly ACCOUNT_LOCKED: "ACCOUNT_LOCKED";
+    readonly INSUFFICIENT_PERMISSIONS: "INSUFFICIENT_PERMISSIONS";
+    readonly TOKEN_INVALID: "TOKEN_INVALID";
+    readonly TOKEN_EXPIRED: "TOKEN_EXPIRED";
+    readonly TOKEN_REVOKED: "TOKEN_REVOKED";
+    readonly USER_INACTIVE: "USER_INACTIVE";
+    readonly INTERNAL_ERROR: "INTERNAL_ERROR";
+    readonly NOT_FOUND: "NOT_FOUND";
+    readonly SESSION_INVALID: "SESSION_INVALID";
+    readonly SESSION_EXPIRED: "SESSION_EXPIRED";
+    readonly REFRESH_TOKEN_REUSED: "REFRESH_TOKEN_REUSED";
+    readonly PASSWORD_EXPIRED: "PASSWORD_EXPIRED";
+    readonly PIN_EXPIRED: "PIN_EXPIRED";
+    readonly PASSWORD_POLICY_VIOLATION: "PASSWORD_POLICY_VIOLATION";
+    readonly MFA_INVALID_CODE: "MFA_INVALID_CODE";
+    readonly MFA_METHOD_UNAVAILABLE: "MFA_METHOD_UNAVAILABLE";
+    readonly MFA_RATE_LIMITED: "MFA_RATE_LIMITED";
+    readonly MFA_ENROLLMENT_REQUIRED: "MFA_ENROLLMENT_REQUIRED";
+    readonly API_KEY_REQUIRED: "API_KEY_REQUIRED";
+    readonly API_KEY_INVALID: "API_KEY_INVALID";
+    readonly AUTH_REQUIRED: "AUTH_REQUIRED";
+    readonly ALREADY_EXISTS: "ALREADY_EXISTS";
+    readonly FORBIDDEN: "FORBIDDEN";
+    readonly OAUTH_NOT_CONFIGURED: "OAUTH_NOT_CONFIGURED";
+    readonly UPLOAD_ERROR: "UPLOAD_ERROR";
+    readonly EMAIL_SERVICE_UNAVAILABLE: "EMAIL_SERVICE_UNAVAILABLE";
+    readonly INVALID_CODE: "INVALID_CODE";
+    readonly CODE_ALREADY_USED: "CODE_ALREADY_USED";
+    readonly CODE_EXPIRED: "CODE_EXPIRED";
+    readonly CODE_IP_MISMATCH: "CODE_IP_MISMATCH";
+    readonly UNKNOWN_PAYLOAD: "UNKNOWN_PAYLOAD";
+};
+type ErrorCode = (typeof ErrorCodes)[keyof typeof ErrorCodes];
+
+export { ErrorCodes as E, IQAuthError as I, type ErrorCode as a };

package/dist/errors-CDdl24MP.d.ts

@@ -0,0 +1,52 @@
+/**
+ * SOURCE REFS:
+ * - Route file: src/lib/response.ts (error envelope: { success: false, error: { code, message } })
+ * - All route files for error code extraction
+ * - Verified claims: N/A (error module)
+ * - Last verified: Phase 0 Research Summary
+ */
+declare class IQAuthError extends Error {
+    code: string;
+    status?: number;
+    raw?: unknown;
+    constructor(code: string, message: string, status?: number, raw?: unknown);
+}
+declare const ErrorCodes: {
+    readonly VALIDATION_ERROR: "VALIDATION_ERROR";
+    readonly INVALID_CREDENTIALS: "INVALID_CREDENTIALS";
+    readonly ACCOUNT_INACTIVE: "ACCOUNT_INACTIVE";
+    readonly ACCOUNT_LOCKED: "ACCOUNT_LOCKED";
+    readonly INSUFFICIENT_PERMISSIONS: "INSUFFICIENT_PERMISSIONS";
+    readonly TOKEN_INVALID: "TOKEN_INVALID";
+    readonly TOKEN_EXPIRED: "TOKEN_EXPIRED";
+    readonly TOKEN_REVOKED: "TOKEN_REVOKED";
+    readonly USER_INACTIVE: "USER_INACTIVE";
+    readonly INTERNAL_ERROR: "INTERNAL_ERROR";
+    readonly NOT_FOUND: "NOT_FOUND";
+    readonly SESSION_INVALID: "SESSION_INVALID";
+    readonly SESSION_EXPIRED: "SESSION_EXPIRED";
+    readonly REFRESH_TOKEN_REUSED: "REFRESH_TOKEN_REUSED";
+    readonly PASSWORD_EXPIRED: "PASSWORD_EXPIRED";
+    readonly PIN_EXPIRED: "PIN_EXPIRED";
+    readonly PASSWORD_POLICY_VIOLATION: "PASSWORD_POLICY_VIOLATION";
+    readonly MFA_INVALID_CODE: "MFA_INVALID_CODE";
+    readonly MFA_METHOD_UNAVAILABLE: "MFA_METHOD_UNAVAILABLE";
+    readonly MFA_RATE_LIMITED: "MFA_RATE_LIMITED";
+    readonly MFA_ENROLLMENT_REQUIRED: "MFA_ENROLLMENT_REQUIRED";
+    readonly API_KEY_REQUIRED: "API_KEY_REQUIRED";
+    readonly API_KEY_INVALID: "API_KEY_INVALID";
+    readonly AUTH_REQUIRED: "AUTH_REQUIRED";
+    readonly ALREADY_EXISTS: "ALREADY_EXISTS";
+    readonly FORBIDDEN: "FORBIDDEN";
+    readonly OAUTH_NOT_CONFIGURED: "OAUTH_NOT_CONFIGURED";
+    readonly UPLOAD_ERROR: "UPLOAD_ERROR";
+    readonly EMAIL_SERVICE_UNAVAILABLE: "EMAIL_SERVICE_UNAVAILABLE";
+    readonly INVALID_CODE: "INVALID_CODE";
+    readonly CODE_ALREADY_USED: "CODE_ALREADY_USED";
+    readonly CODE_EXPIRED: "CODE_EXPIRED";
+    readonly CODE_IP_MISMATCH: "CODE_IP_MISMATCH";
+    readonly UNKNOWN_PAYLOAD: "UNKNOWN_PAYLOAD";
+};
+type ErrorCode = (typeof ErrorCodes)[keyof typeof ErrorCodes];
+
+export { ErrorCodes as E, IQAuthError as I, type ErrorCode as a };

package/dist/express-BKAXB5Nl.d.ts

@@ -0,0 +1,61 @@
+import { I as IQAuthClient } from './client-CggvJmmm.js';
+import { J as JwtClaims, N as ExpressMiddlewareOptions, Q as IQAuthRequestLike, R as IQAuthResponseLike, V as IQAuthNextFunction } from './types-Cxl3bQHt.js';
+
+/**
+ * SOURCE REFS:
+ * - Route file: src/middleware/requireAuth.ts (Bearer token verification, req.user assignment)
+ * - Route file: src/types/index.ts (JwtPayload interface for req.user/req.auth)
+ * - Verified claims: sub, email, name, tenantId, vendorId, roles, entitlements, sessionId, jti, iss, aud, exp, iat
+ * - Last verified: Phase 0 Research Summary
+ */
+
+declare global {
+    namespace Express {
+        interface Request {
+            auth?: JwtClaims;
+        }
+    }
+}
+/**
+ * Default cookie names looked at by the cookie-aware path. Phase B's browser
+ * SDK writes the refresh token to `iqauth_rt`. The optional `iqauth_at`
+ * cookie is set by the helper routes when the app's backend wants to keep
+ * the access token in an httpOnly cookie.
+ */
+declare const DEFAULT_ACCESS_COOKIE = "iqauth_at";
+declare const DEFAULT_REFRESH_COOKIE = "iqauth_rt";
+interface CookieAwareMiddlewareOptions extends ExpressMiddlewareOptions {
+    /** Cookie name carrying an httpOnly access token. Defaults to `iqauth_at`. */
+    accessCookieName?: string;
+    /** Cookie name carrying the refresh token. Defaults to `iqauth_rt`. */
+    refreshCookieName?: string;
+    /**
+     * If true (default), accept tokens from either Authorization header or the
+     * configured access cookie. When false, only the bearer header is checked.
+     */
+    cookieAware?: boolean;
+}
+/**
+ * Express middleware that verifies access tokens via the SDK's token verifier.
+ *
+ * - Extracts a Bearer token from `Authorization` OR the configured access
+ *   cookie (`iqauth_at` by default). The cookie path enables full-stack apps
+ *   to keep the access token httpOnly and out of browser JS.
+ * - Verifies it using RS256 via JWKS (client.tokens.verify)
+ * - Attaches decoded claims to `req.auth`
+ * - Returns 401 for missing/invalid/expired tokens
+ * - Returns 403 for insufficient roles/entitlements
+ * - Maps unexpected errors to a generic 500 INTERNAL_ERROR response without
+ *   leaking implementation details to the client
+ *
+ * @remarks Uses client.tokens.verify() which fetches JWKS from /.well-known/jwks.json
+ */
+interface PublishableKeyMiddlewareOptions extends CookieAwareMiddlewareOptions {
+    /** A `pk_test_…` / `pk_live_…` publishable key. Issuer + JWKS are auto-discovered from it. */
+    publishableKey: string;
+    /** Optional override for the issuer derived from the publishable key. */
+    issuer?: string;
+}
+declare function iqAuthMiddleware(clientOrOptions: IQAuthClient | PublishableKeyMiddlewareOptions, options?: CookieAwareMiddlewareOptions): (req: IQAuthRequestLike, res: IQAuthResponseLike, next: IQAuthNextFunction) => Promise<void>;
+
+export { type CookieAwareMiddlewareOptions as C, DEFAULT_ACCESS_COOKIE as D, DEFAULT_REFRESH_COOKIE as a, iqAuthMiddleware as i };

package/dist/express-CpfyYTmw.d.mts

@@ -0,0 +1,61 @@
+import { I as IQAuthClient } from './client-C1DXfB8Z.mjs';
+import { J as JwtClaims, N as ExpressMiddlewareOptions, Q as IQAuthRequestLike, R as IQAuthResponseLike, V as IQAuthNextFunction } from './types-Cxl3bQHt.mjs';
+
+/**
+ * SOURCE REFS:
+ * - Route file: src/middleware/requireAuth.ts (Bearer token verification, req.user assignment)
+ * - Route file: src/types/index.ts (JwtPayload interface for req.user/req.auth)
+ * - Verified claims: sub, email, name, tenantId, vendorId, roles, entitlements, sessionId, jti, iss, aud, exp, iat
+ * - Last verified: Phase 0 Research Summary
+ */
+
+declare global {
+    namespace Express {
+        interface Request {
+            auth?: JwtClaims;
+        }
+    }
+}
+/**
+ * Default cookie names looked at by the cookie-aware path. Phase B's browser
+ * SDK writes the refresh token to `iqauth_rt`. The optional `iqauth_at`
+ * cookie is set by the helper routes when the app's backend wants to keep
+ * the access token in an httpOnly cookie.
+ */
+declare const DEFAULT_ACCESS_COOKIE = "iqauth_at";
+declare const DEFAULT_REFRESH_COOKIE = "iqauth_rt";
+interface CookieAwareMiddlewareOptions extends ExpressMiddlewareOptions {
+    /** Cookie name carrying an httpOnly access token. Defaults to `iqauth_at`. */
+    accessCookieName?: string;
+    /** Cookie name carrying the refresh token. Defaults to `iqauth_rt`. */
+    refreshCookieName?: string;
+    /**
+     * If true (default), accept tokens from either Authorization header or the
+     * configured access cookie. When false, only the bearer header is checked.
+     */
+    cookieAware?: boolean;
+}
+/**
+ * Express middleware that verifies access tokens via the SDK's token verifier.
+ *
+ * - Extracts a Bearer token from `Authorization` OR the configured access
+ *   cookie (`iqauth_at` by default). The cookie path enables full-stack apps
+ *   to keep the access token httpOnly and out of browser JS.
+ * - Verifies it using RS256 via JWKS (client.tokens.verify)
+ * - Attaches decoded claims to `req.auth`
+ * - Returns 401 for missing/invalid/expired tokens
+ * - Returns 403 for insufficient roles/entitlements
+ * - Maps unexpected errors to a generic 500 INTERNAL_ERROR response without
+ *   leaking implementation details to the client
+ *
+ * @remarks Uses client.tokens.verify() which fetches JWKS from /.well-known/jwks.json
+ */
+interface PublishableKeyMiddlewareOptions extends CookieAwareMiddlewareOptions {
+    /** A `pk_test_…` / `pk_live_…` publishable key. Issuer + JWKS are auto-discovered from it. */
+    publishableKey: string;
+    /** Optional override for the issuer derived from the publishable key. */
+    issuer?: string;
+}
+declare function iqAuthMiddleware(clientOrOptions: IQAuthClient | PublishableKeyMiddlewareOptions, options?: CookieAwareMiddlewareOptions): (req: IQAuthRequestLike, res: IQAuthResponseLike, next: IQAuthNextFunction) => Promise<void>;
+
+export { type CookieAwareMiddlewareOptions as C, DEFAULT_ACCESS_COOKIE as D, DEFAULT_REFRESH_COOKIE as a, iqAuthMiddleware as i };

package/dist/express.d.mts

@@ -0,0 +1,45 @@
+import { I as IQAuthClient } from './client-C1DXfB8Z.mjs';
+import { C as CookieAwareMiddlewareOptions } from './express-CpfyYTmw.mjs';
+export { i as iqAuthMiddleware } from './express-CpfyYTmw.mjs';
+import { IQAuthHelperConfig } from './server/handlers.mjs';
+import { Q as IQAuthRequestLike, R as IQAuthResponseLike, V as IQAuthNextFunction } from './types-Cxl3bQHt.mjs';
+export { E as ErrorCodes, I as IQAuthError } from './errors-CDdl24MP.mjs';
+import 'jsonwebtoken';
+
+/**
+ * @iqauth/sdk/express — drop-in Express adapter.
+ *
+ * Use this from a full-stack Express app to:
+ *   - verify access tokens (Authorization Bearer or `iqauth_at` cookie),
+ *   - auto-mount /api/iqauth/{callback,refresh,signout} so the browser SDK
+ *     can rotate cookies through your own domain (httpOnly).
+ *
+ * Five-line shape:
+ *   import express from "express";
+ *   import { iqAuth } from "@iqauth/sdk/express";
+ *   const app = express();
+ *   app.use(express.json());
+ *   app.use(iqAuth({ publishableKey: process.env.IQAUTH_PUBLISHABLE_KEY!, secretKey: process.env.IQAUTH_SECRET_KEY! }));
+ */
+
+interface IQAuthExpressOptions extends IQAuthHelperConfig, CookieAwareMiddlewareOptions {
+    /** Mount path prefix for the auto-mounted helper routes. */
+    mountPath?: string;
+    /** Set to false to skip mounting helper routes (verify-only mode). */
+    mountHelperRoutes?: boolean;
+}
+interface ExpressLikeApp {
+    post(path: string, handler: (req: any, res: any) => unknown | Promise<unknown>): unknown;
+    use?: (...args: unknown[]) => unknown;
+}
+interface ExpressLikeRouter {
+    post(path: string, handler: (req: any, res: any) => unknown | Promise<unknown>): unknown;
+}
+declare function iqAuth(options: IQAuthExpressOptions): {
+    (req: IQAuthRequestLike, res: IQAuthResponseLike, next: IQAuthNextFunction): unknown;
+    middleware: (req: IQAuthRequestLike, res: IQAuthResponseLike, next: IQAuthNextFunction) => void | Promise<void>;
+    attachHelpers: (app: ExpressLikeApp | ExpressLikeRouter) => void;
+    client: IQAuthClient;
+};
+
+export { CookieAwareMiddlewareOptions, type IQAuthExpressOptions, iqAuth };

package/dist/express.d.ts

@@ -0,0 +1,45 @@
+import { I as IQAuthClient } from './client-CggvJmmm.js';
+import { C as CookieAwareMiddlewareOptions } from './express-BKAXB5Nl.js';
+export { i as iqAuthMiddleware } from './express-BKAXB5Nl.js';
+import { IQAuthHelperConfig } from './server/handlers.js';
+import { Q as IQAuthRequestLike, R as IQAuthResponseLike, V as IQAuthNextFunction } from './types-Cxl3bQHt.js';
+export { E as ErrorCodes, I as IQAuthError } from './errors-CDdl24MP.js';
+import 'jsonwebtoken';
+
+/**
+ * @iqauth/sdk/express — drop-in Express adapter.
+ *
+ * Use this from a full-stack Express app to:
+ *   - verify access tokens (Authorization Bearer or `iqauth_at` cookie),
+ *   - auto-mount /api/iqauth/{callback,refresh,signout} so the browser SDK
+ *     can rotate cookies through your own domain (httpOnly).
+ *
+ * Five-line shape:
+ *   import express from "express";
+ *   import { iqAuth } from "@iqauth/sdk/express";
+ *   const app = express();
+ *   app.use(express.json());
+ *   app.use(iqAuth({ publishableKey: process.env.IQAUTH_PUBLISHABLE_KEY!, secretKey: process.env.IQAUTH_SECRET_KEY! }));
+ */
+
+interface IQAuthExpressOptions extends IQAuthHelperConfig, CookieAwareMiddlewareOptions {
+    /** Mount path prefix for the auto-mounted helper routes. */
+    mountPath?: string;
+    /** Set to false to skip mounting helper routes (verify-only mode). */
+    mountHelperRoutes?: boolean;
+}
+interface ExpressLikeApp {
+    post(path: string, handler: (req: any, res: any) => unknown | Promise<unknown>): unknown;
+    use?: (...args: unknown[]) => unknown;
+}
+interface ExpressLikeRouter {
+    post(path: string, handler: (req: any, res: any) => unknown | Promise<unknown>): unknown;
+}
+declare function iqAuth(options: IQAuthExpressOptions): {
+    (req: IQAuthRequestLike, res: IQAuthResponseLike, next: IQAuthNextFunction): unknown;
+    middleware: (req: IQAuthRequestLike, res: IQAuthResponseLike, next: IQAuthNextFunction) => void | Promise<void>;
+    attachHelpers: (app: ExpressLikeApp | ExpressLikeRouter) => void;
+    client: IQAuthClient;
+};
+
+export { CookieAwareMiddlewareOptions, type IQAuthExpressOptions, iqAuth };