@iqauth/sdk 2.1.0 → 2.3.0

package/dist/chunk-UNYDG2L4.mjs

@@ -0,0 +1,209 @@
+import {
+  IQAuthError
+} from "./chunk-6I6RM4MN.mjs";
+import {
+  __require
+} from "./chunk-Y6FXYEAI.mjs";
+
+// src/modules/tokens.ts
+import {
+  createLocalJWKSet,
+  jwtVerify,
+  errors as joseErrors
+} from "jose";
+var JWKS_CACHE_TTL_MS = 60 * 60 * 1e3;
+var DEFAULT_TOKEN_ISSUER = [
+  "https://auth.dispositioniq.com",
+  "auth.dispositioniq.com"
+];
+var DEFAULT_TOKEN_AUDIENCE = [
+  "dispositioniq",
+  "iqcapture",
+  "iqreuse",
+  "iqvalidate"
+];
+var DEFAULT_CLOCK_TOLERANCE_SECONDS = 30;
+function decodeProtectedHeader(token) {
+  const parts = token.split(".");
+  if (parts.length < 2) return null;
+  try {
+    const padded = parts[0] + "=".repeat((4 - parts[0].length % 4) % 4);
+    const b64 = padded.replace(/-/g, "+").replace(/_/g, "/");
+    let json;
+    if (typeof atob === "function") {
+      json = atob(b64);
+    } else {
+      const { Buffer } = __require("buffer");
+      json = Buffer.from(b64, "base64").toString("utf8");
+    }
+    return JSON.parse(json);
+  } catch {
+    return null;
+  }
+}
+var TokensModule = class {
+  constructor(baseUrl, options = {}) {
+    this.jwksCache = null;
+    this.inFlightRefresh = null;
+    this.baseUrl = baseUrl;
+    this.defaultIssuer = options.issuer ?? DEFAULT_TOKEN_ISSUER;
+    this.defaultAudience = options.audience ?? DEFAULT_TOKEN_AUDIENCE;
+    this.defaultClockTolerance = options.clockTolerance ?? DEFAULT_CLOCK_TOLERANCE_SECONDS;
+  }
+  /**
+   * Verify a JWT access token using RS256/ES256 via JWKS from
+   * `/.well-known/jwks.json`. Backed by `jose` (Web Crypto) so it runs on
+   * Node, browser, and edge runtimes alike — no `node:crypto` dependency.
+   * Caches JWKS for 1 hour and refetches once on unknown `kid`.
+   */
+  async verify(token, options = {}) {
+    const header = decodeProtectedHeader(token);
+    if (!header) {
+      throw new IQAuthError("TOKEN_INVALID", "Unable to decode token");
+    }
+    const kid = header.kid;
+    if (!kid) {
+      throw new IQAuthError("TOKEN_INVALID", "Token missing kid header");
+    }
+    let cache = await this.ensureCache();
+    if (!cache.byKid.has(kid)) {
+      this.jwksCache = null;
+      cache = await this.ensureCache();
+    }
+    if (!cache.byKid.has(kid)) {
+      throw new IQAuthError("TOKEN_INVALID", `Unknown key ID: ${kid}`);
+    }
+    const issuer = options.issuer ?? this.defaultIssuer;
+    const audience = options.audience ?? this.defaultAudience;
+    const clockTolerance = options.clockTolerance ?? this.defaultClockTolerance;
+    const algorithms = options.algorithms ?? ["RS256", "ES256"];
+    const verifyOptions = {
+      algorithms,
+      clockTolerance,
+      issuer,
+      audience
+    };
+    try {
+      const { payload } = await jwtVerify(token, cache.verifier, verifyOptions);
+      return payload;
+    } catch (err) {
+      if (err instanceof joseErrors.JWTExpired) {
+        throw new IQAuthError("TOKEN_EXPIRED", "Token has expired");
+      }
+      if (err instanceof joseErrors.JOSEError) {
+        throw new IQAuthError("TOKEN_INVALID", err.message);
+      }
+      if (err instanceof Error) {
+        throw new IQAuthError("TOKEN_INVALID", err.message);
+      }
+      throw new IQAuthError("TOKEN_INVALID", "Token verification failed");
+    }
+  }
+  /**
+   * Decode a JWT without verification. Returns null if malformed.
+   */
+  decode(token) {
+    try {
+      const parts = token.split(".");
+      if (parts.length < 2) return null;
+      const payload = parts[1];
+      const padded = payload + "=".repeat((4 - payload.length % 4) % 4);
+      const b64 = padded.replace(/-/g, "+").replace(/_/g, "/");
+      let json;
+      if (typeof atob === "function") {
+        json = atob(b64);
+      } else {
+        const { Buffer } = __require("buffer");
+        json = Buffer.from(b64, "base64").toString("utf8");
+      }
+      try {
+        json = decodeURIComponent(escape(json));
+      } catch {
+      }
+      const claims = JSON.parse(json);
+      if (!claims || typeof claims !== "object") return null;
+      return claims;
+    } catch {
+      return null;
+    }
+  }
+  /** Check if a token is expired based on the `exp` claim. */
+  isExpired(token) {
+    const claims = this.decode(token);
+    if (!claims?.exp) return true;
+    const now = Math.floor(Date.now() / 1e3);
+    return claims.exp <= now;
+  }
+  /** Get the claims from a token without verification. */
+  getClaims(token) {
+    const claims = this.decode(token);
+    if (!claims) {
+      throw new IQAuthError("TOKEN_INVALID", "Unable to decode token claims");
+    }
+    return claims;
+  }
+  async ensureCache() {
+    if (this.jwksCache && Date.now() - this.jwksCache.fetchedAt <= JWKS_CACHE_TTL_MS) {
+      return this.jwksCache;
+    }
+    await this.refreshJwks();
+    if (!this.jwksCache) {
+      throw new IQAuthError("INTERNAL_ERROR", "JWKS cache unavailable after refresh");
+    }
+    return this.jwksCache;
+  }
+  async refreshJwks() {
+    if (this.inFlightRefresh) {
+      return this.inFlightRefresh;
+    }
+    this.inFlightRefresh = (async () => {
+      try {
+        const res = await fetch(`${this.baseUrl}/.well-known/jwks.json`);
+        if (!res.ok) {
+          throw new IQAuthError(
+            "INTERNAL_ERROR",
+            `Failed to fetch JWKS: ${res.status}`
+          );
+        }
+        let jwks;
+        try {
+          jwks = await res.json();
+        } catch {
+          throw new IQAuthError("INTERNAL_ERROR", "Malformed JWKS response: invalid JSON");
+        }
+        if (!jwks || !Array.isArray(jwks.keys)) {
+          throw new IQAuthError(
+            "INTERNAL_ERROR",
+            "Malformed JWKS response: expected { keys: [...] }"
+          );
+        }
+        const byKid = /* @__PURE__ */ new Set();
+        for (const key of jwks.keys) {
+          if (!key || typeof key.kid !== "string" || typeof key.n !== "string" && typeof key.x !== "string" || key.kty === "RSA" && (typeof key.n !== "string" || typeof key.e !== "string")) {
+            throw new IQAuthError(
+              "INTERNAL_ERROR",
+              "Malformed JWKS response: key missing required fields"
+            );
+          }
+          byKid.add(key.kid);
+        }
+        const verifier = createLocalJWKSet({ keys: jwks.keys });
+        this.jwksCache = { raw: jwks.keys, byKid, verifier, fetchedAt: Date.now() };
+      } finally {
+        this.inFlightRefresh = null;
+      }
+    })();
+    return this.inFlightRefresh;
+  }
+  /** @internal Exposed for testing — clears JWKS cache */
+  clearCache() {
+    this.jwksCache = null;
+  }
+};
+
+export {
+  DEFAULT_TOKEN_ISSUER,
+  DEFAULT_TOKEN_AUDIENCE,
+  DEFAULT_CLOCK_TOLERANCE_SECONDS,
+  TokensModule
+};

package/dist/{chunk-MDUHPQMM.mjs → chunk-W3F4JYGP.mjs}

@@ -1,3 +1,6 @@
+import {
+  TokensModule
+} from "./chunk-UNYDG2L4.mjs";
 import {
   IQAuthError
 } from "./chunk-6I6RM4MN.mjs";
@@ -160,177 +163,6 @@ function parseMfaResponse(data, browserSessionMode) {
   throw new Error("Unexpected MFA response shape");
 }
 
-// src/modules/tokens.ts
-import crypto from "crypto";
-import jwt from "jsonwebtoken";
-var JWKS_CACHE_TTL_MS = 60 * 60 * 1e3;
-var DEFAULT_TOKEN_ISSUER = [
-  "https://auth.dispositioniq.com",
-  "auth.dispositioniq.com"
-];
-var DEFAULT_TOKEN_AUDIENCE = [
-  "dispositioniq",
-  "iqcapture",
-  "iqreuse",
-  "iqvalidate"
-];
-var DEFAULT_CLOCK_TOLERANCE_SECONDS = 30;
-var TokensModule = class {
-  constructor(baseUrl, options = {}) {
-    this.jwksCache = null;
-    this.inFlightRefresh = null;
-    this.baseUrl = baseUrl;
-    this.defaultIssuer = options.issuer ?? DEFAULT_TOKEN_ISSUER;
-    this.defaultAudience = options.audience ?? DEFAULT_TOKEN_AUDIENCE;
-    this.defaultClockTolerance = options.clockTolerance ?? DEFAULT_CLOCK_TOLERANCE_SECONDS;
-  }
-  /**
-   * Verify a JWT access token using RS256 via JWKS from /.well-known/jwks.json.
-   * Caches JWKS keys for 1 hour. Retries once on unknown `kid`.
-   *
-   * @remarks Validates against /.well-known/jwks.json. Issuer, audience, and
-   * clock tolerance default to client config but can be overridden per call.
-   */
-  async verify(token, options = {}) {
-    const decoded = jwt.decode(token, { complete: true });
-    if (!decoded || typeof decoded === "string") {
-      throw new IQAuthError("TOKEN_INVALID", "Unable to decode token");
-    }
-    const kid = decoded.header.kid;
-    if (!kid) {
-      throw new IQAuthError("TOKEN_INVALID", "Token missing kid header");
-    }
-    let publicKey = await this.getPublicKey(kid);
-    if (!publicKey) {
-      await this.refreshJwks();
-      publicKey = await this.getPublicKey(kid);
-    }
-    if (!publicKey) {
-      throw new IQAuthError("TOKEN_INVALID", `Unknown key ID: ${kid}`);
-    }
-    const issuer = options.issuer ?? this.defaultIssuer;
-    const audience = options.audience ?? this.defaultAudience;
-    const clockTolerance = options.clockTolerance ?? this.defaultClockTolerance;
-    const algorithms = options.algorithms ?? ["RS256"];
-    try {
-      const verifyOptions = {
-        algorithms,
-        clockTolerance,
-        // The jsonwebtoken types insist on tuple types for arrays; runtime
-        // accepts plain string[] so we cast to satisfy the compiler.
-        issuer,
-        audience
-      };
-      const verified = jwt.verify(token, publicKey, verifyOptions);
-      return verified;
-    } catch (err) {
-      if (err instanceof Error) {
-        if (err.name === "TokenExpiredError") {
-          throw new IQAuthError("TOKEN_EXPIRED", "Token has expired");
-        }
-        throw new IQAuthError("TOKEN_INVALID", err.message);
-      }
-      throw new IQAuthError("TOKEN_INVALID", "Token verification failed");
-    }
-  }
-  /**
-   * Decode a JWT without verification. Returns null if malformed.
-   *
-   * @remarks Local decode only — no network call
-   */
-  decode(token) {
-    const decoded = jwt.decode(token);
-    return decoded;
-  }
-  /**
-   * Check if a token is expired based on the `exp` claim.
-   *
-   * @remarks Local check only — no network call
-   */
-  isExpired(token) {
-    const claims = this.decode(token);
-    if (!claims?.exp) return true;
-    const now = Math.floor(Date.now() / 1e3);
-    return claims.exp <= now;
-  }
-  /**
-   * Get the claims from a token without verification.
-   *
-   * @remarks Local decode only — no network call
-   */
-  getClaims(token) {
-    const claims = this.decode(token);
-    if (!claims) {
-      throw new IQAuthError("TOKEN_INVALID", "Unable to decode token claims");
-    }
-    return claims;
-  }
-  async getPublicKey(kid) {
-    if (!this.jwksCache || Date.now() - this.jwksCache.fetchedAt > JWKS_CACHE_TTL_MS) {
-      await this.refreshJwks();
-    }
-    return this.jwksCache?.keys.get(kid) ?? null;
-  }
-  async refreshJwks() {
-    if (this.inFlightRefresh) {
-      return this.inFlightRefresh;
-    }
-    this.inFlightRefresh = (async () => {
-      try {
-        const res = await fetch(`${this.baseUrl}/.well-known/jwks.json`);
-        if (!res.ok) {
-          throw new IQAuthError(
-            "INTERNAL_ERROR",
-            `Failed to fetch JWKS: ${res.status}`
-          );
-        }
-        let jwks;
-        try {
-          jwks = await res.json();
-        } catch {
-          throw new IQAuthError("INTERNAL_ERROR", "Malformed JWKS response: invalid JSON");
-        }
-        if (!jwks || !Array.isArray(jwks.keys)) {
-          throw new IQAuthError(
-            "INTERNAL_ERROR",
-            "Malformed JWKS response: expected { keys: [...] }"
-          );
-        }
-        const keys = /* @__PURE__ */ new Map();
-        for (const key of jwks.keys) {
-          if (!key || typeof key.kid !== "string" || typeof key.n !== "string" || typeof key.e !== "string") {
-            throw new IQAuthError(
-              "INTERNAL_ERROR",
-              "Malformed JWKS response: key missing required fields"
-            );
-          }
-          const pem = this.jwkToPem(key);
-          keys.set(key.kid, pem);
-        }
-        this.jwksCache = { keys, fetchedAt: Date.now() };
-      } finally {
-        this.inFlightRefresh = null;
-      }
-    })();
-    return this.inFlightRefresh;
-  }
-  jwkToPem(jwk) {
-    const keyObject = crypto.createPublicKey({
-      key: {
-        kty: jwk.kty,
-        n: jwk.n,
-        e: jwk.e
-      },
-      format: "jwk"
-    });
-    return keyObject.export({ type: "spki", format: "pem" });
-  }
-  /** @internal Exposed for testing — clears JWKS cache */
-  clearCache() {
-    this.jwksCache = null;
-  }
-};
-
 // src/modules/sessions.ts
 var SessionsModule = class {
   constructor(http) {
@@ -532,7 +364,7 @@ var PermissionsModule = class {
 };
 
 // src/modules/oidc.ts
-import crypto2 from "crypto";
+import crypto from "crypto";
 var InMemoryOidcStateStore = class {
   constructor() {
     this.map = /* @__PURE__ */ new Map();
@@ -613,12 +445,12 @@ var OidcModule = class {
    * ready to redirect the user to.
    */
   async createAuthRequest(params) {
-    const codeVerifier = base64UrlEncode(crypto2.randomBytes(32));
+    const codeVerifier = base64UrlEncode(crypto.randomBytes(32));
     const codeChallenge = base64UrlEncode(
-      crypto2.createHash("sha256").update(codeVerifier).digest()
+      crypto.createHash("sha256").update(codeVerifier).digest()
     );
-    const state = base64UrlEncode(crypto2.randomBytes(16));
-    const nonce = base64UrlEncode(crypto2.randomBytes(16));
+    const state = base64UrlEncode(crypto.randomBytes(16));
+    const nonce = base64UrlEncode(crypto.randomBytes(16));
     await this.stateStore.set(state, {
       codeVerifier,
       state,
@@ -1712,10 +1544,6 @@ var IQAuthClient = class _IQAuthClient {
 
 export {
   AuthModule,
-  DEFAULT_TOKEN_ISSUER,
-  DEFAULT_TOKEN_AUDIENCE,
-  DEFAULT_CLOCK_TOLERANCE_SECONDS,
-  TokensModule,
   SessionsModule,
   UsersModule,
   PermissionsModule,

package/dist/chunk-WQWBJSSS.mjs

@@ -0,0 +1,119 @@
+import {
+  IQAuthError
+} from "./chunk-6I6RM4MN.mjs";
+import {
+  __require
+} from "./chunk-Y6FXYEAI.mjs";
+
+// src/publishableKey.ts
+function b64urlEncode(input) {
+  if (typeof btoa === "function") {
+    const bytes = new TextEncoder().encode(input);
+    let bin = "";
+    for (let i = 0; i < bytes.byteLength; i++) bin += String.fromCharCode(bytes[i]);
+    return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+  }
+  const { Buffer } = __require("buffer");
+  return Buffer.from(input, "utf8").toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+}
+function b64urlDecode(input) {
+  const pad = input.length % 4 === 0 ? "" : "=".repeat(4 - input.length % 4);
+  const normalized = input.replace(/-/g, "+").replace(/_/g, "/") + pad;
+  if (typeof atob === "function") {
+    const bin = atob(normalized);
+    const bytes = new Uint8Array(bin.length);
+    for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
+    return new TextDecoder().decode(bytes);
+  }
+  const { Buffer } = __require("buffer");
+  return Buffer.from(normalized, "base64").toString("utf8");
+}
+function encodePublishableKey(mode, payload) {
+  if (mode !== "test" && mode !== "live") throw new Error(`Invalid mode: ${mode}`);
+  return `pk_${mode}_${b64urlEncode(JSON.stringify(payload))}`;
+}
+function isValidIssuerUrl(iss) {
+  if (typeof iss !== "string" || iss.length === 0) return false;
+  if (!iss.startsWith("http://") && !iss.startsWith("https://")) return false;
+  try {
+    const u = new URL(iss);
+    if (u.protocol !== "http:" && u.protocol !== "https:") return false;
+    if (!u.hostname) return false;
+    return true;
+  } catch {
+    return false;
+  }
+}
+function parsePublishableKey(raw) {
+  if (typeof raw !== "string") return null;
+  const m = raw.match(/^pk_(test|live)_([A-Za-z0-9_-]+)$/);
+  if (!m) return null;
+  try {
+    const json = JSON.parse(b64urlDecode(m[2]));
+    if (!json || typeof json !== "object") return null;
+    if (typeof json.iss !== "string" || typeof json.appId !== "string" || typeof json.tenantId !== "string" || typeof json.kid !== "string") {
+      return null;
+    }
+    if (!isValidIssuerUrl(json.iss)) return null;
+    return { mode: m[1], iss: json.iss, appId: json.appId, tenantId: json.tenantId, kid: json.kid, raw };
+  } catch {
+    return null;
+  }
+}
+function assertPublishableKey(raw, opts) {
+  const ctx = opts?.context ? `${opts.context}: ` : "";
+  if (typeof raw !== "string" || raw.length === 0) {
+    throw new IQAuthError(
+      "CONFIG_INVALID",
+      `${ctx}IQAuth publishable key is missing. Set IQAUTH_PUBLISHABLE_KEY (or pass publishableKey) to a pk_test_\u2026 or pk_live_\u2026 value from the IQAuth admin console.`
+    );
+  }
+  const shapeMatch = raw.match(/^pk_(test|live)_([A-Za-z0-9_-]+)$/);
+  if (!shapeMatch) {
+    throw new IQAuthError(
+      "CONFIG_INVALID",
+      `${ctx}IQAuth publishable key is malformed (got ${raw.slice(0, 12)}\u2026). Expected pk_test_\u2026 or pk_live_\u2026; regenerate the key from the IQAuth admin console.`
+    );
+  }
+  let decoded;
+  try {
+    decoded = JSON.parse(b64urlDecode(shapeMatch[2]));
+  } catch {
+    throw new IQAuthError(
+      "CONFIG_INVALID",
+      `${ctx}IQAuth publishable key payload is not valid base64url JSON. Regenerate the key from the IQAuth admin console.`
+    );
+  }
+  if (!isPublishableKeyPayload(decoded)) {
+    throw new IQAuthError(
+      "CONFIG_INVALID",
+      `${ctx}IQAuth publishable key payload is missing required fields {iss, appId, tenantId, kid}. Regenerate the key from the IQAuth admin console.`
+    );
+  }
+  if (!isValidIssuerUrl(decoded.iss)) {
+    throw new IQAuthError(
+      "CONFIG_INVALID",
+      `${ctx}IQAuth publishable key encodes an invalid issuer (iss=${JSON.stringify(decoded.iss)}). Expected a fully-qualified URL like "https://auth.example.com" (scheme required). Regenerate the key from the IQAuth admin console \u2014 the new key will encode a valid issuer URL.`
+    );
+  }
+  return { mode: shapeMatch[1], iss: decoded.iss, appId: decoded.appId, tenantId: decoded.tenantId, kid: decoded.kid, raw };
+}
+function isPublishableKeyPayload(value) {
+  if (!value || typeof value !== "object") return false;
+  const v = value;
+  return typeof v.iss === "string" && typeof v.appId === "string" && typeof v.tenantId === "string" && typeof v.kid === "string";
+}
+function isPublishableKey(raw) {
+  return typeof raw === "string" && /^pk_(test|live)_/.test(raw);
+}
+function isSecretKey(raw) {
+  return typeof raw === "string" && /^sk_(test|live)_/.test(raw);
+}
+
+export {
+  encodePublishableKey,
+  parsePublishableKey,
+  assertPublishableKey,
+  isPublishableKey,
+  isSecretKey
+};

package/dist/cli/index.js

@@ -278,6 +278,13 @@ var init_util = __esm({
   }
 });
 
+// src/errors.ts
+var init_errors = __esm({
+  "src/errors.ts"() {
+    "use strict";
+  }
+});
+
 // src/publishableKey.ts
 function b64urlDecode(input) {
   const pad = input.length % 4 === 0 ? "" : "=".repeat(4 - input.length % 4);
@@ -291,6 +298,18 @@ function b64urlDecode(input) {
   const { Buffer: Buffer2 } = require("buffer");
   return Buffer2.from(normalized, "base64").toString("utf8");
 }
+function isValidIssuerUrl(iss) {
+  if (typeof iss !== "string" || iss.length === 0) return false;
+  if (!iss.startsWith("http://") && !iss.startsWith("https://")) return false;
+  try {
+    const u = new URL(iss);
+    if (u.protocol !== "http:" && u.protocol !== "https:") return false;
+    if (!u.hostname) return false;
+    return true;
+  } catch {
+    return false;
+  }
+}
 function parsePublishableKey(raw) {
   if (typeof raw !== "string") return null;
   const m = raw.match(/^pk_(test|live)_([A-Za-z0-9_-]+)$/);
@@ -301,6 +320,7 @@ function parsePublishableKey(raw) {
     if (typeof json.iss !== "string" || typeof json.appId !== "string" || typeof json.tenantId !== "string" || typeof json.kid !== "string") {
       return null;
     }
+    if (!isValidIssuerUrl(json.iss)) return null;
     return { mode: m[1], iss: json.iss, appId: json.appId, tenantId: json.tenantId, kid: json.kid, raw };
   } catch {
     return null;
@@ -309,6 +329,7 @@ function parsePublishableKey(raw) {
 var init_publishableKey = __esm({
   "src/publishableKey.ts"() {
     "use strict";
+    init_errors();
   }
 });
 

package/dist/cli/index.mjs

@@ -17,7 +17,7 @@ async function run() {
       return;
     }
     case "doctor": {
-      const { runDoctor } = await import("../doctor-OHJRZBBT.mjs");
+      const { runDoctor } = await import("../doctor-A5E7LSFW.mjs");
       await runDoctor(rest);
       return;
     }

package/dist/{client-DXbHb2ul.d.ts → client-DTX4hNdS.d.ts}

@@ -1,5 +1,4 @@
 import { I as IQAuthEnvironment, T as TokenPair, W as IQAuthRetryConfig, L as LoginResult, a$ as SignupRequest, D as MfaVerifyResult, d as SessionUser, J as JwtClaims, h as Session, U as UserProfile, H as ProvisionUserRequest, K as ProvisionUserResponse, G as UserPermissions, O as OidcDiscovery, t as JwksResponse, u as OidcTokenResponse, b0 as HostedClientContext, i as TenantInfo, C as CreateTenantRequest, j as UpdateTenantRequest, P as PromoteToVendorRequest, k as PromoteToVendorResult, a7 as TenantUser, l as InviteTenantUserRequest, m as InviteTenantUserResult, n as TenantUserRoleUpdate, M as MigrateUserRequest, E as PasswordPolicy, F as MfaPolicy, B as BrandingConfig, _ as AppInfo, $ as PermissionNodeInfo, Z as AppManifest, a0 as AppSyncResult, a1 as Role, a2 as CreateRoleRequest, a3 as UpdateRoleRequest, a4 as AssignRoleRequest, a5 as UserRoleAssignment, a8 as PermissionGroup, a9 as GroupPermission, aa as AddGroupPermissionRequest, ab as InheritanceRelation, a6 as UserGroupAssignment, ac as UserPermissionOverride, ad as AddUserOverrideRequest, ae as EffectivePermission, af as PermissionCheckResult, ah as CreateApiKeyRequest, ai as CreateApiKeyResult, ag as ApiKeyInfo, aj as ApiKeyIntrospection, al as CreateInviteRequest, ak as Invitation, am as InviteValidation, an as AcceptInviteRequest, ap as CreateWebhookRequest, aq as CreateWebhookResult, ao as WebhookEndpoint, ar as WebhookDelivery, as as WebhookTestResult, at as Entitlement, au as GrantEntitlementRequest, av as Vendor, aw as CreateVendorRequest, ax as UpdateVendorRequest, az as CreateSourceRequest, ay as Source, aA as UpdateSourceRequest, aC as CreateClientRequest, aB as Client, aD as UpdateClientRequest, aE as HierarchyVendor, aH as HierarchyLink, aL as MembershipWithDetails, aJ as CreateMembershipRequest, aI as Membership, aK as UpdateMembershipRequest, aM as AvailableScopesTree, aQ as ScopeSwitchResult, aR as GdprExportData, aS as PinStatus, aU as MfaAvailableMethods, aV as TotpEnrollResult, aW as TotpVerifyResult, aX as SmsEnrollResult, y as MfaEnrollment, aY as EmailEnrollResult, aZ as BackupCodesResult, a_ as BackupCodeCountResult, o as UpdateBrandingRequest, q as UploadAssetRequest, p as BrandingAsset, r as BrandingDomainMapping, a as IQAuthClientConfig, c as IQAuthBrowserSessionClientConfig, b as IQAuthTokenClientConfig } from './types-Cxl3bQHt.js';
-import jwt from 'jsonwebtoken';
 
 /**
  * SOURCE REFS:
@@ -90,6 +89,14 @@ declare class AuthModule {
  * - Route file: src/lib/crypto.ts (key rotation with kid)
  * - Verified claims: sub, email, name, tenantId, vendorId, roles, entitlements, sessionId, jti, iss, aud, exp, iat, scopeContext, loginMethod
  * - Last verified: Phase 0 Research Summary
+ *
+ * 2.3.0: Verify path swapped from `jsonwebtoken` (which depends on
+ * `node:crypto`) to `jose` so the SDK works on Next.js / Vercel / Cloudflare
+ * edge runtimes. Edge has only Web Crypto, so every call from a Next
+ * middleware previously threw and was wrapped as `TOKEN_INVALID`,
+ * indistinguishable from a real bad token. We keep our own JWKS fetch +
+ * cache to preserve INTERNAL_ERROR mapping for malformed JWKS payloads and
+ * to keep the kid-aware "Unknown key ID" diagnostic.
  */
 
 declare const DEFAULT_TOKEN_ISSUER: string[];
@@ -99,7 +106,7 @@ interface TokenVerifyOptions {
     issuer?: string | string[];
     audience?: string | string[];
     clockTolerance?: number;
-    algorithms?: jwt.Algorithm[];
+    algorithms?: string[];
 }
 interface TokensModuleOptions {
     issuer?: string | string[];
@@ -115,34 +122,22 @@ declare class TokensModule {
     private defaultClockTolerance;
     constructor(baseUrl: string, options?: TokensModuleOptions);
     /**
-     * Verify a JWT access token using RS256 via JWKS from /.well-known/jwks.json.
-     * Caches JWKS keys for 1 hour. Retries once on unknown `kid`.
-     *
-     * @remarks Validates against /.well-known/jwks.json. Issuer, audience, and
-     * clock tolerance default to client config but can be overridden per call.
+     * Verify a JWT access token using RS256/ES256 via JWKS from
+     * `/.well-known/jwks.json`. Backed by `jose` (Web Crypto) so it runs on
+     * Node, browser, and edge runtimes alike — no `node:crypto` dependency.
+     * Caches JWKS for 1 hour and refetches once on unknown `kid`.
      */
     verify(token: string, options?: TokenVerifyOptions): Promise<JwtClaims>;
     /**
      * Decode a JWT without verification. Returns null if malformed.
-     *
-     * @remarks Local decode only — no network call
      */
     decode(token: string): JwtClaims | null;
-    /**
-     * Check if a token is expired based on the `exp` claim.
-     *
-     * @remarks Local check only — no network call
-     */
+    /** Check if a token is expired based on the `exp` claim. */
     isExpired(token: string): boolean;
-    /**
-     * Get the claims from a token without verification.
-     *
-     * @remarks Local decode only — no network call
-     */
+    /** Get the claims from a token without verification. */
     getClaims(token: string): JwtClaims;
-    private getPublicKey;
+    private ensureCache;
     private refreshJwks;
-    private jwkToPem;
     /** @internal Exposed for testing — clears JWKS cache */
     clearCache(): void;
 }