@iqauth/sdk 2.1.0 → 2.3.0

package/dist/next.mjs

@@ -3,13 +3,13 @@ import {
   handleRefresh,
   handleSignout,
   serializeCookie
-} from "./chunk-JQRTY5MY.mjs";
+} from "./chunk-KGEPDXHU.mjs";
 import {
-  parsePublishableKey
-} from "./chunk-5WFR6Y33.mjs";
+  assertPublishableKey
+} from "./chunk-WQWBJSSS.mjs";
 import {
-  IQAuthClient
-} from "./chunk-MDUHPQMM.mjs";
+  TokensModule
+} from "./chunk-UNYDG2L4.mjs";
 import "./chunk-6I6RM4MN.mjs";
 import "./chunk-Y6FXYEAI.mjs";
 
@@ -35,8 +35,7 @@ function toResponse(hr) {
   return new Response(JSON.stringify(hr.body), { status: hr.status, headers });
 }
 function handler(options) {
-  const parsed = parsePublishableKey(options.publishableKey);
-  if (!parsed) throw new Error("@iqauth/sdk/next: invalid publishable key");
+  const parsed = assertPublishableKey(options.publishableKey, { context: "@iqauth/sdk/next handler" });
   const issuer = (options.issuer ?? (parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`)).replace(/\/+$/, "");
   const helperConfig = { ...options, issuer };
   const accessCookie = options.accessCookieName ?? "iqauth_at";
@@ -60,7 +59,7 @@ function handler(options) {
     if (action === "signout") {
       const auth = req.headers.get("authorization");
       const accessToken = auth && auth.replace(/^Bearer /i, "") || readCookieFromHeader(cookieHeader, accessCookie);
-      return toResponse(await handleSignout(helperConfig, { accessToken }));
+      return toResponse(await handleSignout(helperConfig, { accessToken, ssoCookieHeader: cookieHeader ?? void 0 }));
     }
     return new Response(JSON.stringify({ success: false, error: { code: "NOT_FOUND", message: `Unknown action: ${action}` } }), {
       status: 404,
@@ -69,11 +68,10 @@ function handler(options) {
   };
 }
 function createMiddleware(options) {
-  const parsed = parsePublishableKey(options.publishableKey);
-  if (!parsed) throw new Error("@iqauth/sdk/next: invalid publishable key");
+  const parsed = assertPublishableKey(options.publishableKey, { context: "@iqauth/sdk/next createMiddleware" });
   const issuer = (options.issuer ?? (parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`)).replace(/\/+$/, "");
   const accessCookie = options.accessCookieName ?? "iqauth_at";
-  const client = new IQAuthClient({ baseUrl: issuer, environment: "server" });
+  const tokens = new TokensModule(issuer);
   return async (req) => {
     const auth = req.headers.get("authorization");
     let token;
@@ -86,7 +84,7 @@ function createMiddleware(options) {
       });
     }
     try {
-      await client.tokens.verify(token);
+      await tokens.verify(token);
       return void 0;
     } catch (err) {
       const code = err.code || "TOKEN_INVALID";
@@ -98,8 +96,7 @@ function createMiddleware(options) {
   };
 }
 async function getAuth(options) {
-  const parsed = parsePublishableKey(options.publishableKey);
-  if (!parsed) throw new Error("@iqauth/sdk/next: invalid publishable key");
+  const parsed = assertPublishableKey(options.publishableKey, { context: "@iqauth/sdk/next getAuth" });
   const issuer = (options.issuer ?? (parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`)).replace(/\/+$/, "");
   const accessCookie = options.accessCookieName ?? "iqauth_at";
   let cookieJar = null;
@@ -116,9 +113,9 @@ async function getAuth(options) {
   }
   const token = cookieJar?.get(accessCookie)?.value;
   if (!token) return null;
-  const client = new IQAuthClient({ baseUrl: issuer, environment: "server" });
+  const tokens = new TokensModule(issuer);
   try {
-    return await client.tokens.verify(token);
+    return await tokens.verify(token);
   } catch {
     return null;
   }

package/dist/{publishableKey-B5DIK81A.d.mts → publishableKey-BaR0HoAH.d.mts}

@@ -18,7 +18,16 @@ interface ParsedPublishableKey extends PublishableKeyPayload {
 }
 declare function encodePublishableKey(mode: KeyMode, payload: PublishableKeyPayload): string;
 declare function parsePublishableKey(raw: string): ParsedPublishableKey | null;
+/**
+ * Strict counterpart to `parsePublishableKey` — throws a typed `IQAuthError`
+ * (`code: "CONFIG_INVALID"`) with an actionable message when the key is
+ * missing, malformed, or encodes a non-URL `iss`. Use this at SDK init so a
+ * bad key fails loudly at boot instead of cryptically at first verify.
+ */
+declare function assertPublishableKey(raw: string | undefined | null, opts?: {
+    context?: string;
+}): ParsedPublishableKey;
 declare function isPublishableKey(raw: string): boolean;
 declare function isSecretKey(raw: string): boolean;
 
-export { type KeyMode as K, type PublishableKeyPayload as P, isSecretKey as a, type ParsedPublishableKey as b, encodePublishableKey as e, isPublishableKey as i, parsePublishableKey as p };
+export { type KeyMode as K, type PublishableKeyPayload as P, assertPublishableKey as a, isSecretKey as b, type ParsedPublishableKey as c, encodePublishableKey as e, isPublishableKey as i, parsePublishableKey as p };

package/dist/{publishableKey-B5DIK81A.d.ts → publishableKey-BaR0HoAH.d.ts}

@@ -18,7 +18,16 @@ interface ParsedPublishableKey extends PublishableKeyPayload {
 }
 declare function encodePublishableKey(mode: KeyMode, payload: PublishableKeyPayload): string;
 declare function parsePublishableKey(raw: string): ParsedPublishableKey | null;
+/**
+ * Strict counterpart to `parsePublishableKey` — throws a typed `IQAuthError`
+ * (`code: "CONFIG_INVALID"`) with an actionable message when the key is
+ * missing, malformed, or encodes a non-URL `iss`. Use this at SDK init so a
+ * bad key fails loudly at boot instead of cryptically at first verify.
+ */
+declare function assertPublishableKey(raw: string | undefined | null, opts?: {
+    context?: string;
+}): ParsedPublishableKey;
 declare function isPublishableKey(raw: string): boolean;
 declare function isSecretKey(raw: string): boolean;
 
-export { type KeyMode as K, type PublishableKeyPayload as P, isSecretKey as a, type ParsedPublishableKey as b, encodePublishableKey as e, isPublishableKey as i, parsePublishableKey as p };
+export { type KeyMode as K, type PublishableKeyPayload as P, assertPublishableKey as a, isSecretKey as b, type ParsedPublishableKey as c, encodePublishableKey as e, isPublishableKey as i, parsePublishableKey as p };

package/dist/react.d.mts

@@ -1,9 +1,9 @@
 import * as react_jsx_runtime from 'react/jsx-runtime';
 import * as React from 'react';
 import { ReactNode } from 'react';
-import { S as SessionManager, a as SessionSnapshot, b as SignInOptions, c as SignOutOptions, C as CallbackResult } from './signIn-CEMdUAwd.mjs';
+import { S as SessionManager, a as SessionSnapshot, b as SignInOptions, c as SignOutOptions, C as CallbackResult } from './signIn-Cd0P4y9d.mjs';
 import { d as SessionUser, J as JwtClaims } from './types-Cxl3bQHt.mjs';
-import './publishableKey-B5DIK81A.mjs';
+import './publishableKey-BaR0HoAH.mjs';
 
 interface IQAuthContextValue {
     manager: SessionManager;
@@ -89,6 +89,38 @@ declare function SignedOut({ children }: {
 }): React.FunctionComponentElement<{
     children?: ReactNode | undefined;
 }> | null;
+/**
+ * Renders its children only while the SDK is still bootstrapping (i.e.
+ * `useAuth().isLoaded === false`). Mirrors Clerk's `<ClerkLoading/>`.
+ *
+ * Recommended pattern (slow-network-safe):
+ * ```tsx
+ * <IQAuthProvider publishableKey={…}>
+ *   <IQAuthLoading><Spinner /></IQAuthLoading>
+ *   <IQAuthLoaded>
+ *     <SignedIn><App /></SignedIn>
+ *     <SignedOut><SignIn /></SignedOut>
+ *   </IQAuthLoaded>
+ * </IQAuthProvider>
+ * ```
+ */
+declare function IQAuthLoading({ children }: {
+    children?: ReactNode;
+}): React.FunctionComponentElement<{
+    children?: ReactNode | undefined;
+}> | null;
+/**
+ * Renders its children only after the SDK has finished bootstrapping (i.e.
+ * `useAuth().isLoaded === true`). Mirrors Clerk's `<ClerkLoaded/>`. Wrap
+ * `<SignedIn/>` / `<SignedOut/>` in this to avoid a flash of blank UI on
+ * slow connections — see `<IQAuthLoading/>` above for the recommended
+ * full pattern.
+ */
+declare function IQAuthLoaded({ children }: {
+    children?: ReactNode;
+}): React.FunctionComponentElement<{
+    children?: ReactNode | undefined;
+}> | null;
 interface RedirectToSignInProps extends SignInOptions {
 }
 declare function RedirectToSignIn(props?: RedirectToSignInProps): React.DetailedReactHTMLElement<{
@@ -268,4 +300,4 @@ interface OrganizationSwitcherProps {
 declare function OrganizationSwitcher({ iqAuthBaseUrl, onSwitched, className }: OrganizationSwitcherProps): react_jsx_runtime.JSX.Element;
 declare const __version__ = "phase-bc-1.0.0";
 
-export { AuthCallback, type AuthCallbackProps, type IQAuthBranding, IQAuthProvider, type IQAuthProviderProps, type IQAuthSignInContext, OrganizationSwitcher, type OrganizationSwitcherProps, RedirectToSignIn, type RedirectToSignInProps, type SessionError, type SharedComponentProps, SignIn, type SignInProps, SignUp, type SignUpProps, SignedIn, SignedOut, type UseAuthResult, type UseOrganizationResult, type UseSessionResult, type UseUserResult, UserButton, type UserButtonProps, UserProfile, type UserProfileProps, type UserSummary, __version__, isSilentSsoEligible, sanitizeBrandCss, useAuth, useAuthFetch, useIQAuthSignInContext, useOrganization, useResolvedSdkBranding, useSession, useUser };
+export { AuthCallback, type AuthCallbackProps, type IQAuthBranding, IQAuthLoaded, IQAuthLoading, IQAuthProvider, type IQAuthProviderProps, type IQAuthSignInContext, OrganizationSwitcher, type OrganizationSwitcherProps, RedirectToSignIn, type RedirectToSignInProps, type SessionError, type SharedComponentProps, SignIn, type SignInProps, SignUp, type SignUpProps, SignedIn, SignedOut, type UseAuthResult, type UseOrganizationResult, type UseSessionResult, type UseUserResult, UserButton, type UserButtonProps, UserProfile, type UserProfileProps, type UserSummary, __version__, isSilentSsoEligible, sanitizeBrandCss, useAuth, useAuthFetch, useIQAuthSignInContext, useOrganization, useResolvedSdkBranding, useSession, useUser };

package/dist/react.d.ts

@@ -1,9 +1,9 @@
 import * as react_jsx_runtime from 'react/jsx-runtime';
 import * as React from 'react';
 import { ReactNode } from 'react';
-import { S as SessionManager, a as SessionSnapshot, b as SignInOptions, c as SignOutOptions, C as CallbackResult } from './signIn-VRNzlNyG.js';
+import { S as SessionManager, a as SessionSnapshot, b as SignInOptions, c as SignOutOptions, C as CallbackResult } from './signIn-DKakyzeu.js';
 import { d as SessionUser, J as JwtClaims } from './types-Cxl3bQHt.js';
-import './publishableKey-B5DIK81A.js';
+import './publishableKey-BaR0HoAH.js';
 
 interface IQAuthContextValue {
     manager: SessionManager;
@@ -89,6 +89,38 @@ declare function SignedOut({ children }: {
 }): React.FunctionComponentElement<{
     children?: ReactNode | undefined;
 }> | null;
+/**
+ * Renders its children only while the SDK is still bootstrapping (i.e.
+ * `useAuth().isLoaded === false`). Mirrors Clerk's `<ClerkLoading/>`.
+ *
+ * Recommended pattern (slow-network-safe):
+ * ```tsx
+ * <IQAuthProvider publishableKey={…}>
+ *   <IQAuthLoading><Spinner /></IQAuthLoading>
+ *   <IQAuthLoaded>
+ *     <SignedIn><App /></SignedIn>
+ *     <SignedOut><SignIn /></SignedOut>
+ *   </IQAuthLoaded>
+ * </IQAuthProvider>
+ * ```
+ */
+declare function IQAuthLoading({ children }: {
+    children?: ReactNode;
+}): React.FunctionComponentElement<{
+    children?: ReactNode | undefined;
+}> | null;
+/**
+ * Renders its children only after the SDK has finished bootstrapping (i.e.
+ * `useAuth().isLoaded === true`). Mirrors Clerk's `<ClerkLoaded/>`. Wrap
+ * `<SignedIn/>` / `<SignedOut/>` in this to avoid a flash of blank UI on
+ * slow connections — see `<IQAuthLoading/>` above for the recommended
+ * full pattern.
+ */
+declare function IQAuthLoaded({ children }: {
+    children?: ReactNode;
+}): React.FunctionComponentElement<{
+    children?: ReactNode | undefined;
+}> | null;
 interface RedirectToSignInProps extends SignInOptions {
 }
 declare function RedirectToSignIn(props?: RedirectToSignInProps): React.DetailedReactHTMLElement<{
@@ -268,4 +300,4 @@ interface OrganizationSwitcherProps {
 declare function OrganizationSwitcher({ iqAuthBaseUrl, onSwitched, className }: OrganizationSwitcherProps): react_jsx_runtime.JSX.Element;
 declare const __version__ = "phase-bc-1.0.0";
 
-export { AuthCallback, type AuthCallbackProps, type IQAuthBranding, IQAuthProvider, type IQAuthProviderProps, type IQAuthSignInContext, OrganizationSwitcher, type OrganizationSwitcherProps, RedirectToSignIn, type RedirectToSignInProps, type SessionError, type SharedComponentProps, SignIn, type SignInProps, SignUp, type SignUpProps, SignedIn, SignedOut, type UseAuthResult, type UseOrganizationResult, type UseSessionResult, type UseUserResult, UserButton, type UserButtonProps, UserProfile, type UserProfileProps, type UserSummary, __version__, isSilentSsoEligible, sanitizeBrandCss, useAuth, useAuthFetch, useIQAuthSignInContext, useOrganization, useResolvedSdkBranding, useSession, useUser };
+export { AuthCallback, type AuthCallbackProps, type IQAuthBranding, IQAuthLoaded, IQAuthLoading, IQAuthProvider, type IQAuthProviderProps, type IQAuthSignInContext, OrganizationSwitcher, type OrganizationSwitcherProps, RedirectToSignIn, type RedirectToSignInProps, type SessionError, type SharedComponentProps, SignIn, type SignInProps, SignUp, type SignUpProps, SignedIn, SignedOut, type UseAuthResult, type UseOrganizationResult, type UseSessionResult, type UseUserResult, UserButton, type UserButtonProps, UserProfile, type UserProfileProps, type UserSummary, __version__, isSilentSsoEligible, sanitizeBrandCss, useAuth, useAuthFetch, useIQAuthSignInContext, useOrganization, useResolvedSdkBranding, useSession, useUser };

package/dist/react.js

@@ -21,6 +21,8 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 var react_exports = {};
 __export(react_exports, {
   AuthCallback: () => AuthCallback,
+  IQAuthLoaded: () => IQAuthLoaded,
+  IQAuthLoading: () => IQAuthLoading,
   IQAuthProvider: () => IQAuthProvider,
   OrganizationSwitcher: () => OrganizationSwitcher,
   RedirectToSignIn: () => RedirectToSignIn,
@@ -70,20 +72,60 @@ function b64urlDecode(input) {
   const { Buffer: Buffer2 } = require("buffer");
   return Buffer2.from(normalized, "base64").toString("utf8");
 }
-function parsePublishableKey(raw) {
-  if (typeof raw !== "string") return null;
-  const m = raw.match(/^pk_(test|live)_([A-Za-z0-9_-]+)$/);
-  if (!m) return null;
+function isValidIssuerUrl(iss) {
+  if (typeof iss !== "string" || iss.length === 0) return false;
+  if (!iss.startsWith("http://") && !iss.startsWith("https://")) return false;
   try {
-    const json = JSON.parse(b64urlDecode(m[2]));
-    if (!json || typeof json !== "object") return null;
-    if (typeof json.iss !== "string" || typeof json.appId !== "string" || typeof json.tenantId !== "string" || typeof json.kid !== "string") {
-      return null;
-    }
-    return { mode: m[1], iss: json.iss, appId: json.appId, tenantId: json.tenantId, kid: json.kid, raw };
+    const u = new URL(iss);
+    if (u.protocol !== "http:" && u.protocol !== "https:") return false;
+    if (!u.hostname) return false;
+    return true;
   } catch {
-    return null;
+    return false;
+  }
+}
+function assertPublishableKey(raw, opts) {
+  const ctx = opts?.context ? `${opts.context}: ` : "";
+  if (typeof raw !== "string" || raw.length === 0) {
+    throw new IQAuthError(
+      "CONFIG_INVALID",
+      `${ctx}IQAuth publishable key is missing. Set IQAUTH_PUBLISHABLE_KEY (or pass publishableKey) to a pk_test_\u2026 or pk_live_\u2026 value from the IQAuth admin console.`
+    );
+  }
+  const shapeMatch = raw.match(/^pk_(test|live)_([A-Za-z0-9_-]+)$/);
+  if (!shapeMatch) {
+    throw new IQAuthError(
+      "CONFIG_INVALID",
+      `${ctx}IQAuth publishable key is malformed (got ${raw.slice(0, 12)}\u2026). Expected pk_test_\u2026 or pk_live_\u2026; regenerate the key from the IQAuth admin console.`
+    );
+  }
+  let decoded;
+  try {
+    decoded = JSON.parse(b64urlDecode(shapeMatch[2]));
+  } catch {
+    throw new IQAuthError(
+      "CONFIG_INVALID",
+      `${ctx}IQAuth publishable key payload is not valid base64url JSON. Regenerate the key from the IQAuth admin console.`
+    );
+  }
+  if (!isPublishableKeyPayload(decoded)) {
+    throw new IQAuthError(
+      "CONFIG_INVALID",
+      `${ctx}IQAuth publishable key payload is missing required fields {iss, appId, tenantId, kid}. Regenerate the key from the IQAuth admin console.`
+    );
   }
+  if (!isValidIssuerUrl(decoded.iss)) {
+    throw new IQAuthError(
+      "CONFIG_INVALID",
+      `${ctx}IQAuth publishable key encodes an invalid issuer (iss=${JSON.stringify(decoded.iss)}). Expected a fully-qualified URL like "https://auth.example.com" (scheme required). Regenerate the key from the IQAuth admin console \u2014 the new key will encode a valid issuer URL.`
+    );
+  }
+  return { mode: shapeMatch[1], iss: decoded.iss, appId: decoded.appId, tenantId: decoded.tenantId, kid: decoded.kid, raw };
+}
+function isPublishableKeyPayload(value) {
+  if (!value || typeof value !== "object") return false;
+  const v = value;
+  return typeof v.iss === "string" && typeof v.appId === "string" && typeof v.tenantId === "string" && typeof v.kid === "string";
 }
 
 // src/browser/storage.ts
@@ -206,12 +248,7 @@ var SessionManager = class {
     this.remoteRefreshWaiters = [];
     /** Active claims by other tabs (keyed by source tabId). */
     this.foreignClaim = null;
-    const parsed = parsePublishableKey(options.publishableKey);
-    if (!parsed) {
-      throw new Error(
-        `Invalid IQAuth publishable key. Expected pk_test_\u2026 or pk_live_\u2026 (got ${options.publishableKey?.slice(0, 12) ?? "<empty>"}\u2026).`
-      );
-    }
+    const parsed = assertPublishableKey(options.publishableKey, { context: "@iqauth/sdk/browser SessionManager" });
     this.key = parsed;
     const inferred = options.issuer ?? (parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`);
     this.issuer = inferred.replace(/\/+$/, "");
@@ -612,6 +649,7 @@ async function createPkcePair() {
 // src/browser/signIn.ts
 var DEFAULT_SIGN_IN_PATH = "/sign-in";
 var DEFAULT_LOGOUT_PATH = "/api/v1/auth/logout";
+var DEFAULT_SSO_LOGOUT_PATH = "/oidc/sso-logout";
 var DEFAULT_TOKEN_PATH = "/oidc/token";
 var DEFAULT_CALLBACK_PATH = "/auth/callback";
 function defaultRedirectUri() {
@@ -710,11 +748,21 @@ async function handleAuthCallback(manager, options = {}) {
 }
 async function signOut(manager, opts = {}) {
   if (!opts.localOnly) {
+    const issuer = manager.issuerUrl.replace(/\/$/, "");
     try {
-      const url = `${manager.issuerUrl}${opts.logoutPath ?? DEFAULT_LOGOUT_PATH}`;
+      const url = `${issuer}${opts.logoutPath ?? DEFAULT_LOGOUT_PATH}`;
       await manager.fetch(url, { method: "POST" }).catch(() => void 0);
     } catch {
     }
+    if (opts.endSsoSession !== false) {
+      try {
+        await fetch(`${issuer}${DEFAULT_SSO_LOGOUT_PATH}`, {
+          method: "POST",
+          credentials: "include"
+        }).catch(() => void 0);
+      } catch {
+      }
+    }
   }
   clearCookie(REFRESH_COOKIE);
   manager.signOutLocal();
@@ -846,6 +894,16 @@ function SignedOut({ children }) {
   if (!isLoaded || isSignedIn) return null;
   return (0, import_react.createElement)(import_react.Fragment, null, children);
 }
+function IQAuthLoading({ children }) {
+  const { isLoaded } = useAuth();
+  if (isLoaded) return null;
+  return (0, import_react.createElement)(import_react.Fragment, null, children);
+}
+function IQAuthLoaded({ children }) {
+  const { isLoaded } = useAuth();
+  if (!isLoaded) return null;
+  return (0, import_react.createElement)(import_react.Fragment, null, children);
+}
 function RedirectToSignIn(props = {}) {
   const { manager, snapshot } = useCtx();
   const [error, setError] = (0, import_react.useState)(null);
@@ -1868,6 +1926,8 @@ var __version__ = "phase-bc-1.0.0";
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   AuthCallback,
+  IQAuthLoaded,
+  IQAuthLoading,
   IQAuthProvider,
   OrganizationSwitcher,
   RedirectToSignIn,

package/dist/react.mjs

@@ -4,8 +4,8 @@ import {
   redirectToSignIn,
   signIn,
   signOut
-} from "./chunk-S3M2IXCE.mjs";
-import "./chunk-5WFR6Y33.mjs";
+} from "./chunk-RACIPVLD.mjs";
+import "./chunk-WQWBJSSS.mjs";
 import "./chunk-6I6RM4MN.mjs";
 import "./chunk-Y6FXYEAI.mjs";
 
@@ -144,6 +144,16 @@ function SignedOut({ children }) {
   if (!isLoaded || isSignedIn) return null;
   return createElement(Fragment, null, children);
 }
+function IQAuthLoading({ children }) {
+  const { isLoaded } = useAuth();
+  if (isLoaded) return null;
+  return createElement(Fragment, null, children);
+}
+function IQAuthLoaded({ children }) {
+  const { isLoaded } = useAuth();
+  if (!isLoaded) return null;
+  return createElement(Fragment, null, children);
+}
 function RedirectToSignIn(props = {}) {
   const { manager, snapshot } = useCtx();
   const [error, setError] = useState(null);
@@ -1165,6 +1175,8 @@ function OrganizationSwitcher({ iqAuthBaseUrl, onSwitched, className }) {
 var __version__ = "phase-bc-1.0.0";
 export {
   AuthCallback,
+  IQAuthLoaded,
+  IQAuthLoading,
   IQAuthProvider,
   OrganizationSwitcher,
   RedirectToSignIn,

package/dist/server/handlers.d.mts

@@ -118,6 +118,8 @@ declare function handleRefresh(config: IQAuthHelperConfig, input: {
 /** POST /api/iqauth/signout — clear cookies and best-effort revoke at issuer. */
 declare function handleSignout(config: IQAuthHelperConfig, input: {
     accessToken?: string;
+    ssoCookieHeader?: string;
+    endSsoSession?: boolean;
 }): Promise<HandlerResponse>;
 
 export { type HandlerResponse, type IQAuthHelperConfig, type ResolvedConfig as ResolvedIQAuthHelperConfig, type SetCookieDirective, handleCallback, handleRefresh, handleSignout, serializeCookie };

package/dist/server/handlers.d.ts

@@ -118,6 +118,8 @@ declare function handleRefresh(config: IQAuthHelperConfig, input: {
 /** POST /api/iqauth/signout — clear cookies and best-effort revoke at issuer. */
 declare function handleSignout(config: IQAuthHelperConfig, input: {
     accessToken?: string;
+    ssoCookieHeader?: string;
+    endSsoSession?: boolean;
 }): Promise<HandlerResponse>;
 
 export { type HandlerResponse, type IQAuthHelperConfig, type ResolvedConfig as ResolvedIQAuthHelperConfig, type SetCookieDirective, handleCallback, handleRefresh, handleSignout, serializeCookie };

package/dist/server/handlers.js

@@ -27,6 +27,17 @@ __export(handlers_exports, {
 });
 module.exports = __toCommonJS(handlers_exports);
 
+// src/errors.ts
+var IQAuthError = class extends Error {
+  constructor(code, message, status, raw) {
+    super(message);
+    this.name = "IQAuthError";
+    this.code = code;
+    this.status = status;
+    this.raw = raw;
+  }
+};
+
 // src/publishableKey.ts
 function b64urlDecode(input) {
   const pad = input.length % 4 === 0 ? "" : "=".repeat(4 - input.length % 4);
@@ -40,20 +51,60 @@ function b64urlDecode(input) {
   const { Buffer: Buffer2 } = require("buffer");
   return Buffer2.from(normalized, "base64").toString("utf8");
 }
-function parsePublishableKey(raw) {
-  if (typeof raw !== "string") return null;
-  const m = raw.match(/^pk_(test|live)_([A-Za-z0-9_-]+)$/);
-  if (!m) return null;
+function isValidIssuerUrl(iss) {
+  if (typeof iss !== "string" || iss.length === 0) return false;
+  if (!iss.startsWith("http://") && !iss.startsWith("https://")) return false;
   try {
-    const json = JSON.parse(b64urlDecode(m[2]));
-    if (!json || typeof json !== "object") return null;
-    if (typeof json.iss !== "string" || typeof json.appId !== "string" || typeof json.tenantId !== "string" || typeof json.kid !== "string") {
-      return null;
-    }
-    return { mode: m[1], iss: json.iss, appId: json.appId, tenantId: json.tenantId, kid: json.kid, raw };
+    const u = new URL(iss);
+    if (u.protocol !== "http:" && u.protocol !== "https:") return false;
+    if (!u.hostname) return false;
+    return true;
   } catch {
-    return null;
+    return false;
+  }
+}
+function assertPublishableKey(raw, opts) {
+  const ctx = opts?.context ? `${opts.context}: ` : "";
+  if (typeof raw !== "string" || raw.length === 0) {
+    throw new IQAuthError(
+      "CONFIG_INVALID",
+      `${ctx}IQAuth publishable key is missing. Set IQAUTH_PUBLISHABLE_KEY (or pass publishableKey) to a pk_test_\u2026 or pk_live_\u2026 value from the IQAuth admin console.`
+    );
+  }
+  const shapeMatch = raw.match(/^pk_(test|live)_([A-Za-z0-9_-]+)$/);
+  if (!shapeMatch) {
+    throw new IQAuthError(
+      "CONFIG_INVALID",
+      `${ctx}IQAuth publishable key is malformed (got ${raw.slice(0, 12)}\u2026). Expected pk_test_\u2026 or pk_live_\u2026; regenerate the key from the IQAuth admin console.`
+    );
+  }
+  let decoded;
+  try {
+    decoded = JSON.parse(b64urlDecode(shapeMatch[2]));
+  } catch {
+    throw new IQAuthError(
+      "CONFIG_INVALID",
+      `${ctx}IQAuth publishable key payload is not valid base64url JSON. Regenerate the key from the IQAuth admin console.`
+    );
   }
+  if (!isPublishableKeyPayload(decoded)) {
+    throw new IQAuthError(
+      "CONFIG_INVALID",
+      `${ctx}IQAuth publishable key payload is missing required fields {iss, appId, tenantId, kid}. Regenerate the key from the IQAuth admin console.`
+    );
+  }
+  if (!isValidIssuerUrl(decoded.iss)) {
+    throw new IQAuthError(
+      "CONFIG_INVALID",
+      `${ctx}IQAuth publishable key encodes an invalid issuer (iss=${JSON.stringify(decoded.iss)}). Expected a fully-qualified URL like "https://auth.example.com" (scheme required). Regenerate the key from the IQAuth admin console \u2014 the new key will encode a valid issuer URL.`
+    );
+  }
+  return { mode: shapeMatch[1], iss: decoded.iss, appId: decoded.appId, tenantId: decoded.tenantId, kid: decoded.kid, raw };
+}
+function isPublishableKeyPayload(value) {
+  if (!value || typeof value !== "object") return false;
+  const v = value;
+  return typeof v.iss === "string" && typeof v.appId === "string" && typeof v.tenantId === "string" && typeof v.kid === "string";
 }
 
 // src/server/handlers.ts
@@ -76,12 +127,7 @@ function shouldClearCookiesOnFailure(policy, status, errorCode) {
 var ACCESS_TOKEN_TTL_SECONDS = 60 * 15;
 var REFRESH_TOKEN_TTL_SECONDS = 60 * 60 * 24 * 30;
 function resolve(config) {
-  const parsed = parsePublishableKey(config.publishableKey);
-  if (!parsed) {
-    throw new Error(
-      "@iqauth/sdk: invalid publishable key passed to iqAuth helpers (expected pk_test_\u2026 or pk_live_\u2026)"
-    );
-  }
+  const parsed = assertPublishableKey(config.publishableKey, { context: "@iqauth/sdk helpers" });
   const inferredIssuer = parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`;
   return {
     publishableKey: config.publishableKey,
@@ -252,6 +298,15 @@ async function handleSignout(config, input) {
     } catch {
     }
   }
+  if (input.endSsoSession !== false && input.ssoCookieHeader) {
+    try {
+      await cfg.fetchImpl(`${cfg.issuer}/oidc/sso-logout`, {
+        method: "POST",
+        headers: { Cookie: input.ssoCookieHeader }
+      });
+    } catch {
+    }
+  }
   return {
     status: 200,
     body: { success: true, data: { signedOut: true } },

package/dist/server/handlers.mjs

@@ -3,8 +3,9 @@ import {
   handleRefresh,
   handleSignout,
   serializeCookie
-} from "../chunk-JQRTY5MY.mjs";
-import "../chunk-5WFR6Y33.mjs";
+} from "../chunk-KGEPDXHU.mjs";
+import "../chunk-WQWBJSSS.mjs";
+import "../chunk-6I6RM4MN.mjs";
 import "../chunk-Y6FXYEAI.mjs";
 export {
   handleCallback,

package/dist/server.d.mts

@@ -1,9 +1,8 @@
 import { b as IQAuthTokenClientConfig, N as ExpressMiddlewareOptions, Q as IQAuthRequestLike, R as IQAuthResponseLike, V as IQAuthNextFunction } from './types-Cxl3bQHt.mjs';
-import { I as IQAuthClient } from './client-Dv4v92Mj.mjs';
+import { I as IQAuthClient } from './client-vdh2a9fJ.mjs';
 export { E as ErrorCodes, I as IQAuthError } from './errors-CDdl24MP.mjs';
-export { C as CookieAwareMiddlewareOptions, D as DEFAULT_ACCESS_COOKIE, a as DEFAULT_REFRESH_COOKIE, i as iqAuthMiddleware } from './express-BZmF1llh.mjs';
+export { C as CookieAwareMiddlewareOptions, D as DEFAULT_ACCESS_COOKIE, a as DEFAULT_REFRESH_COOKIE, i as iqAuthMiddleware } from './express-A0-dWEMy.mjs';
 export { HandlerResponse, IQAuthHelperConfig, SetCookieDirective, handleCallback, handleRefresh, handleSignout, serializeCookie } from './server/handlers.mjs';
-import 'jsonwebtoken';
 
 declare class ServerIQAuthClient extends IQAuthClient {
     constructor(config: IQAuthTokenClientConfig);

package/dist/server.d.ts

@@ -1,9 +1,8 @@
 import { b as IQAuthTokenClientConfig, N as ExpressMiddlewareOptions, Q as IQAuthRequestLike, R as IQAuthResponseLike, V as IQAuthNextFunction } from './types-Cxl3bQHt.js';
-import { I as IQAuthClient } from './client-DXbHb2ul.js';
+import { I as IQAuthClient } from './client-DTX4hNdS.js';
 export { E as ErrorCodes, I as IQAuthError } from './errors-CDdl24MP.js';
-export { C as CookieAwareMiddlewareOptions, D as DEFAULT_ACCESS_COOKIE, a as DEFAULT_REFRESH_COOKIE, i as iqAuthMiddleware } from './express-B4o3P8vK.js';
+export { C as CookieAwareMiddlewareOptions, D as DEFAULT_ACCESS_COOKIE, a as DEFAULT_REFRESH_COOKIE, i as iqAuthMiddleware } from './express-Bo_pJKHN.js';
 export { HandlerResponse, IQAuthHelperConfig, SetCookieDirective, handleCallback, handleRefresh, handleSignout, serializeCookie } from './server/handlers.js';
-import 'jsonwebtoken';
 
 declare class ServerIQAuthClient extends IQAuthClient {
     constructor(config: IQAuthTokenClientConfig);