@iqauth/sdk 2.2.0 → 2.3.0

package/dist/{chunk-MDUHPQMM.mjs → chunk-W3F4JYGP.mjs}

@@ -1,3 +1,6 @@
+import {
+  TokensModule
+} from "./chunk-UNYDG2L4.mjs";
 import {
   IQAuthError
 } from "./chunk-6I6RM4MN.mjs";
@@ -160,177 +163,6 @@ function parseMfaResponse(data, browserSessionMode) {
   throw new Error("Unexpected MFA response shape");
 }
 
-// src/modules/tokens.ts
-import crypto from "crypto";
-import jwt from "jsonwebtoken";
-var JWKS_CACHE_TTL_MS = 60 * 60 * 1e3;
-var DEFAULT_TOKEN_ISSUER = [
-  "https://auth.dispositioniq.com",
-  "auth.dispositioniq.com"
-];
-var DEFAULT_TOKEN_AUDIENCE = [
-  "dispositioniq",
-  "iqcapture",
-  "iqreuse",
-  "iqvalidate"
-];
-var DEFAULT_CLOCK_TOLERANCE_SECONDS = 30;
-var TokensModule = class {
-  constructor(baseUrl, options = {}) {
-    this.jwksCache = null;
-    this.inFlightRefresh = null;
-    this.baseUrl = baseUrl;
-    this.defaultIssuer = options.issuer ?? DEFAULT_TOKEN_ISSUER;
-    this.defaultAudience = options.audience ?? DEFAULT_TOKEN_AUDIENCE;
-    this.defaultClockTolerance = options.clockTolerance ?? DEFAULT_CLOCK_TOLERANCE_SECONDS;
-  }
-  /**
-   * Verify a JWT access token using RS256 via JWKS from /.well-known/jwks.json.
-   * Caches JWKS keys for 1 hour. Retries once on unknown `kid`.
-   *
-   * @remarks Validates against /.well-known/jwks.json. Issuer, audience, and
-   * clock tolerance default to client config but can be overridden per call.
-   */
-  async verify(token, options = {}) {
-    const decoded = jwt.decode(token, { complete: true });
-    if (!decoded || typeof decoded === "string") {
-      throw new IQAuthError("TOKEN_INVALID", "Unable to decode token");
-    }
-    const kid = decoded.header.kid;
-    if (!kid) {
-      throw new IQAuthError("TOKEN_INVALID", "Token missing kid header");
-    }
-    let publicKey = await this.getPublicKey(kid);
-    if (!publicKey) {
-      await this.refreshJwks();
-      publicKey = await this.getPublicKey(kid);
-    }
-    if (!publicKey) {
-      throw new IQAuthError("TOKEN_INVALID", `Unknown key ID: ${kid}`);
-    }
-    const issuer = options.issuer ?? this.defaultIssuer;
-    const audience = options.audience ?? this.defaultAudience;
-    const clockTolerance = options.clockTolerance ?? this.defaultClockTolerance;
-    const algorithms = options.algorithms ?? ["RS256"];
-    try {
-      const verifyOptions = {
-        algorithms,
-        clockTolerance,
-        // The jsonwebtoken types insist on tuple types for arrays; runtime
-        // accepts plain string[] so we cast to satisfy the compiler.
-        issuer,
-        audience
-      };
-      const verified = jwt.verify(token, publicKey, verifyOptions);
-      return verified;
-    } catch (err) {
-      if (err instanceof Error) {
-        if (err.name === "TokenExpiredError") {
-          throw new IQAuthError("TOKEN_EXPIRED", "Token has expired");
-        }
-        throw new IQAuthError("TOKEN_INVALID", err.message);
-      }
-      throw new IQAuthError("TOKEN_INVALID", "Token verification failed");
-    }
-  }
-  /**
-   * Decode a JWT without verification. Returns null if malformed.
-   *
-   * @remarks Local decode only — no network call
-   */
-  decode(token) {
-    const decoded = jwt.decode(token);
-    return decoded;
-  }
-  /**
-   * Check if a token is expired based on the `exp` claim.
-   *
-   * @remarks Local check only — no network call
-   */
-  isExpired(token) {
-    const claims = this.decode(token);
-    if (!claims?.exp) return true;
-    const now = Math.floor(Date.now() / 1e3);
-    return claims.exp <= now;
-  }
-  /**
-   * Get the claims from a token without verification.
-   *
-   * @remarks Local decode only — no network call
-   */
-  getClaims(token) {
-    const claims = this.decode(token);
-    if (!claims) {
-      throw new IQAuthError("TOKEN_INVALID", "Unable to decode token claims");
-    }
-    return claims;
-  }
-  async getPublicKey(kid) {
-    if (!this.jwksCache || Date.now() - this.jwksCache.fetchedAt > JWKS_CACHE_TTL_MS) {
-      await this.refreshJwks();
-    }
-    return this.jwksCache?.keys.get(kid) ?? null;
-  }
-  async refreshJwks() {
-    if (this.inFlightRefresh) {
-      return this.inFlightRefresh;
-    }
-    this.inFlightRefresh = (async () => {
-      try {
-        const res = await fetch(`${this.baseUrl}/.well-known/jwks.json`);
-        if (!res.ok) {
-          throw new IQAuthError(
-            "INTERNAL_ERROR",
-            `Failed to fetch JWKS: ${res.status}`
-          );
-        }
-        let jwks;
-        try {
-          jwks = await res.json();
-        } catch {
-          throw new IQAuthError("INTERNAL_ERROR", "Malformed JWKS response: invalid JSON");
-        }
-        if (!jwks || !Array.isArray(jwks.keys)) {
-          throw new IQAuthError(
-            "INTERNAL_ERROR",
-            "Malformed JWKS response: expected { keys: [...] }"
-          );
-        }
-        const keys = /* @__PURE__ */ new Map();
-        for (const key of jwks.keys) {
-          if (!key || typeof key.kid !== "string" || typeof key.n !== "string" || typeof key.e !== "string") {
-            throw new IQAuthError(
-              "INTERNAL_ERROR",
-              "Malformed JWKS response: key missing required fields"
-            );
-          }
-          const pem = this.jwkToPem(key);
-          keys.set(key.kid, pem);
-        }
-        this.jwksCache = { keys, fetchedAt: Date.now() };
-      } finally {
-        this.inFlightRefresh = null;
-      }
-    })();
-    return this.inFlightRefresh;
-  }
-  jwkToPem(jwk) {
-    const keyObject = crypto.createPublicKey({
-      key: {
-        kty: jwk.kty,
-        n: jwk.n,
-        e: jwk.e
-      },
-      format: "jwk"
-    });
-    return keyObject.export({ type: "spki", format: "pem" });
-  }
-  /** @internal Exposed for testing — clears JWKS cache */
-  clearCache() {
-    this.jwksCache = null;
-  }
-};
-
 // src/modules/sessions.ts
 var SessionsModule = class {
   constructor(http) {
@@ -532,7 +364,7 @@ var PermissionsModule = class {
 };
 
 // src/modules/oidc.ts
-import crypto2 from "crypto";
+import crypto from "crypto";
 var InMemoryOidcStateStore = class {
   constructor() {
     this.map = /* @__PURE__ */ new Map();
@@ -613,12 +445,12 @@ var OidcModule = class {
    * ready to redirect the user to.
    */
   async createAuthRequest(params) {
-    const codeVerifier = base64UrlEncode(crypto2.randomBytes(32));
+    const codeVerifier = base64UrlEncode(crypto.randomBytes(32));
     const codeChallenge = base64UrlEncode(
-      crypto2.createHash("sha256").update(codeVerifier).digest()
+      crypto.createHash("sha256").update(codeVerifier).digest()
     );
-    const state = base64UrlEncode(crypto2.randomBytes(16));
-    const nonce = base64UrlEncode(crypto2.randomBytes(16));
+    const state = base64UrlEncode(crypto.randomBytes(16));
+    const nonce = base64UrlEncode(crypto.randomBytes(16));
     await this.stateStore.set(state, {
       codeVerifier,
       state,
@@ -1712,10 +1544,6 @@ var IQAuthClient = class _IQAuthClient {
 
 export {
   AuthModule,
-  DEFAULT_TOKEN_ISSUER,
-  DEFAULT_TOKEN_AUDIENCE,
-  DEFAULT_CLOCK_TOLERANCE_SECONDS,
-  TokensModule,
   SessionsModule,
   UsersModule,
   PermissionsModule,

package/dist/{chunk-QEJB7WEQ.mjs → chunk-WQWBJSSS.mjs}

@@ -93,7 +93,7 @@ function assertPublishableKey(raw, opts) {
   if (!isValidIssuerUrl(decoded.iss)) {
     throw new IQAuthError(
       "CONFIG_INVALID",
-      `${ctx}IQAuth publishable key encodes an invalid issuer (iss=${JSON.stringify(decoded.iss)}). Expected a fully-qualified URL like "https://auth.example.com" (scheme required). Regenerate the key from the IQAuth admin console, or set IQAUTH_ISSUER to the correct issuer URL as a temporary workaround.`
+      `${ctx}IQAuth publishable key encodes an invalid issuer (iss=${JSON.stringify(decoded.iss)}). Expected a fully-qualified URL like "https://auth.example.com" (scheme required). Regenerate the key from the IQAuth admin console \u2014 the new key will encode a valid issuer URL.`
     );
   }
   return { mode: shapeMatch[1], iss: decoded.iss, appId: decoded.appId, tenantId: decoded.tenantId, kid: decoded.kid, raw };

package/dist/cli/index.mjs

@@ -17,7 +17,7 @@ async function run() {
       return;
     }
     case "doctor": {
-      const { runDoctor } = await import("../doctor-XCI77BQS.mjs");
+      const { runDoctor } = await import("../doctor-A5E7LSFW.mjs");
       await runDoctor(rest);
       return;
     }

package/dist/{client-DXbHb2ul.d.ts → client-DTX4hNdS.d.ts}

@@ -1,5 +1,4 @@
 import { I as IQAuthEnvironment, T as TokenPair, W as IQAuthRetryConfig, L as LoginResult, a$ as SignupRequest, D as MfaVerifyResult, d as SessionUser, J as JwtClaims, h as Session, U as UserProfile, H as ProvisionUserRequest, K as ProvisionUserResponse, G as UserPermissions, O as OidcDiscovery, t as JwksResponse, u as OidcTokenResponse, b0 as HostedClientContext, i as TenantInfo, C as CreateTenantRequest, j as UpdateTenantRequest, P as PromoteToVendorRequest, k as PromoteToVendorResult, a7 as TenantUser, l as InviteTenantUserRequest, m as InviteTenantUserResult, n as TenantUserRoleUpdate, M as MigrateUserRequest, E as PasswordPolicy, F as MfaPolicy, B as BrandingConfig, _ as AppInfo, $ as PermissionNodeInfo, Z as AppManifest, a0 as AppSyncResult, a1 as Role, a2 as CreateRoleRequest, a3 as UpdateRoleRequest, a4 as AssignRoleRequest, a5 as UserRoleAssignment, a8 as PermissionGroup, a9 as GroupPermission, aa as AddGroupPermissionRequest, ab as InheritanceRelation, a6 as UserGroupAssignment, ac as UserPermissionOverride, ad as AddUserOverrideRequest, ae as EffectivePermission, af as PermissionCheckResult, ah as CreateApiKeyRequest, ai as CreateApiKeyResult, ag as ApiKeyInfo, aj as ApiKeyIntrospection, al as CreateInviteRequest, ak as Invitation, am as InviteValidation, an as AcceptInviteRequest, ap as CreateWebhookRequest, aq as CreateWebhookResult, ao as WebhookEndpoint, ar as WebhookDelivery, as as WebhookTestResult, at as Entitlement, au as GrantEntitlementRequest, av as Vendor, aw as CreateVendorRequest, ax as UpdateVendorRequest, az as CreateSourceRequest, ay as Source, aA as UpdateSourceRequest, aC as CreateClientRequest, aB as Client, aD as UpdateClientRequest, aE as HierarchyVendor, aH as HierarchyLink, aL as MembershipWithDetails, aJ as CreateMembershipRequest, aI as Membership, aK as UpdateMembershipRequest, aM as AvailableScopesTree, aQ as ScopeSwitchResult, aR as GdprExportData, aS as PinStatus, aU as MfaAvailableMethods, aV as TotpEnrollResult, aW as TotpVerifyResult, aX as SmsEnrollResult, y as MfaEnrollment, aY as EmailEnrollResult, aZ as BackupCodesResult, a_ as BackupCodeCountResult, o as UpdateBrandingRequest, q as UploadAssetRequest, p as BrandingAsset, r as BrandingDomainMapping, a as IQAuthClientConfig, c as IQAuthBrowserSessionClientConfig, b as IQAuthTokenClientConfig } from './types-Cxl3bQHt.js';
-import jwt from 'jsonwebtoken';
 
 /**
  * SOURCE REFS:
@@ -90,6 +89,14 @@ declare class AuthModule {
  * - Route file: src/lib/crypto.ts (key rotation with kid)
  * - Verified claims: sub, email, name, tenantId, vendorId, roles, entitlements, sessionId, jti, iss, aud, exp, iat, scopeContext, loginMethod
  * - Last verified: Phase 0 Research Summary
+ *
+ * 2.3.0: Verify path swapped from `jsonwebtoken` (which depends on
+ * `node:crypto`) to `jose` so the SDK works on Next.js / Vercel / Cloudflare
+ * edge runtimes. Edge has only Web Crypto, so every call from a Next
+ * middleware previously threw and was wrapped as `TOKEN_INVALID`,
+ * indistinguishable from a real bad token. We keep our own JWKS fetch +
+ * cache to preserve INTERNAL_ERROR mapping for malformed JWKS payloads and
+ * to keep the kid-aware "Unknown key ID" diagnostic.
  */
 
 declare const DEFAULT_TOKEN_ISSUER: string[];
@@ -99,7 +106,7 @@ interface TokenVerifyOptions {
     issuer?: string | string[];
     audience?: string | string[];
     clockTolerance?: number;
-    algorithms?: jwt.Algorithm[];
+    algorithms?: string[];
 }
 interface TokensModuleOptions {
     issuer?: string | string[];
@@ -115,34 +122,22 @@ declare class TokensModule {
     private defaultClockTolerance;
     constructor(baseUrl: string, options?: TokensModuleOptions);
     /**
-     * Verify a JWT access token using RS256 via JWKS from /.well-known/jwks.json.
-     * Caches JWKS keys for 1 hour. Retries once on unknown `kid`.
-     *
-     * @remarks Validates against /.well-known/jwks.json. Issuer, audience, and
-     * clock tolerance default to client config but can be overridden per call.
+     * Verify a JWT access token using RS256/ES256 via JWKS from
+     * `/.well-known/jwks.json`. Backed by `jose` (Web Crypto) so it runs on
+     * Node, browser, and edge runtimes alike — no `node:crypto` dependency.
+     * Caches JWKS for 1 hour and refetches once on unknown `kid`.
      */
     verify(token: string, options?: TokenVerifyOptions): Promise<JwtClaims>;
     /**
      * Decode a JWT without verification. Returns null if malformed.
-     *
-     * @remarks Local decode only — no network call
      */
     decode(token: string): JwtClaims | null;
-    /**
-     * Check if a token is expired based on the `exp` claim.
-     *
-     * @remarks Local check only — no network call
-     */
+    /** Check if a token is expired based on the `exp` claim. */
     isExpired(token: string): boolean;
-    /**
-     * Get the claims from a token without verification.
-     *
-     * @remarks Local decode only — no network call
-     */
+    /** Get the claims from a token without verification. */
     getClaims(token: string): JwtClaims;
-    private getPublicKey;
+    private ensureCache;
     private refreshJwks;
-    private jwkToPem;
     /** @internal Exposed for testing — clears JWKS cache */
     clearCache(): void;
 }

package/dist/{client-Dv4v92Mj.d.mts → client-vdh2a9fJ.d.mts}

@@ -1,5 +1,4 @@
 import { I as IQAuthEnvironment, T as TokenPair, W as IQAuthRetryConfig, L as LoginResult, a$ as SignupRequest, D as MfaVerifyResult, d as SessionUser, J as JwtClaims, h as Session, U as UserProfile, H as ProvisionUserRequest, K as ProvisionUserResponse, G as UserPermissions, O as OidcDiscovery, t as JwksResponse, u as OidcTokenResponse, b0 as HostedClientContext, i as TenantInfo, C as CreateTenantRequest, j as UpdateTenantRequest, P as PromoteToVendorRequest, k as PromoteToVendorResult, a7 as TenantUser, l as InviteTenantUserRequest, m as InviteTenantUserResult, n as TenantUserRoleUpdate, M as MigrateUserRequest, E as PasswordPolicy, F as MfaPolicy, B as BrandingConfig, _ as AppInfo, $ as PermissionNodeInfo, Z as AppManifest, a0 as AppSyncResult, a1 as Role, a2 as CreateRoleRequest, a3 as UpdateRoleRequest, a4 as AssignRoleRequest, a5 as UserRoleAssignment, a8 as PermissionGroup, a9 as GroupPermission, aa as AddGroupPermissionRequest, ab as InheritanceRelation, a6 as UserGroupAssignment, ac as UserPermissionOverride, ad as AddUserOverrideRequest, ae as EffectivePermission, af as PermissionCheckResult, ah as CreateApiKeyRequest, ai as CreateApiKeyResult, ag as ApiKeyInfo, aj as ApiKeyIntrospection, al as CreateInviteRequest, ak as Invitation, am as InviteValidation, an as AcceptInviteRequest, ap as CreateWebhookRequest, aq as CreateWebhookResult, ao as WebhookEndpoint, ar as WebhookDelivery, as as WebhookTestResult, at as Entitlement, au as GrantEntitlementRequest, av as Vendor, aw as CreateVendorRequest, ax as UpdateVendorRequest, az as CreateSourceRequest, ay as Source, aA as UpdateSourceRequest, aC as CreateClientRequest, aB as Client, aD as UpdateClientRequest, aE as HierarchyVendor, aH as HierarchyLink, aL as MembershipWithDetails, aJ as CreateMembershipRequest, aI as Membership, aK as UpdateMembershipRequest, aM as AvailableScopesTree, aQ as ScopeSwitchResult, aR as GdprExportData, aS as PinStatus, aU as MfaAvailableMethods, aV as TotpEnrollResult, aW as TotpVerifyResult, aX as SmsEnrollResult, y as MfaEnrollment, aY as EmailEnrollResult, aZ as BackupCodesResult, a_ as BackupCodeCountResult, o as UpdateBrandingRequest, q as UploadAssetRequest, p as BrandingAsset, r as BrandingDomainMapping, a as IQAuthClientConfig, c as IQAuthBrowserSessionClientConfig, b as IQAuthTokenClientConfig } from './types-Cxl3bQHt.mjs';
-import jwt from 'jsonwebtoken';
 
 /**
  * SOURCE REFS:
@@ -90,6 +89,14 @@ declare class AuthModule {
  * - Route file: src/lib/crypto.ts (key rotation with kid)
  * - Verified claims: sub, email, name, tenantId, vendorId, roles, entitlements, sessionId, jti, iss, aud, exp, iat, scopeContext, loginMethod
  * - Last verified: Phase 0 Research Summary
+ *
+ * 2.3.0: Verify path swapped from `jsonwebtoken` (which depends on
+ * `node:crypto`) to `jose` so the SDK works on Next.js / Vercel / Cloudflare
+ * edge runtimes. Edge has only Web Crypto, so every call from a Next
+ * middleware previously threw and was wrapped as `TOKEN_INVALID`,
+ * indistinguishable from a real bad token. We keep our own JWKS fetch +
+ * cache to preserve INTERNAL_ERROR mapping for malformed JWKS payloads and
+ * to keep the kid-aware "Unknown key ID" diagnostic.
  */
 
 declare const DEFAULT_TOKEN_ISSUER: string[];
@@ -99,7 +106,7 @@ interface TokenVerifyOptions {
     issuer?: string | string[];
     audience?: string | string[];
     clockTolerance?: number;
-    algorithms?: jwt.Algorithm[];
+    algorithms?: string[];
 }
 interface TokensModuleOptions {
     issuer?: string | string[];
@@ -115,34 +122,22 @@ declare class TokensModule {
     private defaultClockTolerance;
     constructor(baseUrl: string, options?: TokensModuleOptions);
     /**
-     * Verify a JWT access token using RS256 via JWKS from /.well-known/jwks.json.
-     * Caches JWKS keys for 1 hour. Retries once on unknown `kid`.
-     *
-     * @remarks Validates against /.well-known/jwks.json. Issuer, audience, and
-     * clock tolerance default to client config but can be overridden per call.
+     * Verify a JWT access token using RS256/ES256 via JWKS from
+     * `/.well-known/jwks.json`. Backed by `jose` (Web Crypto) so it runs on
+     * Node, browser, and edge runtimes alike — no `node:crypto` dependency.
+     * Caches JWKS for 1 hour and refetches once on unknown `kid`.
      */
     verify(token: string, options?: TokenVerifyOptions): Promise<JwtClaims>;
     /**
      * Decode a JWT without verification. Returns null if malformed.
-     *
-     * @remarks Local decode only — no network call
      */
     decode(token: string): JwtClaims | null;
-    /**
-     * Check if a token is expired based on the `exp` claim.
-     *
-     * @remarks Local check only — no network call
-     */
+    /** Check if a token is expired based on the `exp` claim. */
     isExpired(token: string): boolean;
-    /**
-     * Get the claims from a token without verification.
-     *
-     * @remarks Local decode only — no network call
-     */
+    /** Get the claims from a token without verification. */
     getClaims(token: string): JwtClaims;
-    private getPublicKey;
+    private ensureCache;
     private refreshJwks;
-    private jwkToPem;
     /** @internal Exposed for testing — clears JWKS cache */
     clearCache(): void;
 }

package/dist/{doctor-XCI77BQS.mjs → doctor-A5E7LSFW.mjs}

@@ -5,7 +5,7 @@ import {
 } from "./chunk-X3K3WOBR.mjs";
 import {
   parsePublishableKey
-} from "./chunk-QEJB7WEQ.mjs";
+} from "./chunk-WQWBJSSS.mjs";
 import "./chunk-6I6RM4MN.mjs";
 import "./chunk-Y6FXYEAI.mjs";
 

package/dist/{express-BZmF1llh.d.mts → express-A0-dWEMy.d.mts}

@@ -1,4 +1,4 @@
-import { I as IQAuthClient } from './client-Dv4v92Mj.mjs';
+import { I as IQAuthClient } from './client-vdh2a9fJ.mjs';
 import { J as JwtClaims, N as ExpressMiddlewareOptions, Q as IQAuthRequestLike, R as IQAuthResponseLike, V as IQAuthNextFunction } from './types-Cxl3bQHt.mjs';
 
 /**

package/dist/{express-B4o3P8vK.d.ts → express-Bo_pJKHN.d.ts}

@@ -1,4 +1,4 @@
-import { I as IQAuthClient } from './client-DXbHb2ul.js';
+import { I as IQAuthClient } from './client-DTX4hNdS.js';
 import { J as JwtClaims, N as ExpressMiddlewareOptions, Q as IQAuthRequestLike, R as IQAuthResponseLike, V as IQAuthNextFunction } from './types-Cxl3bQHt.js';
 
 /**

package/dist/express.d.mts

@@ -1,10 +1,9 @@
-import { I as IQAuthClient } from './client-Dv4v92Mj.mjs';
-import { C as CookieAwareMiddlewareOptions } from './express-BZmF1llh.mjs';
-export { i as iqAuthMiddleware } from './express-BZmF1llh.mjs';
+import { I as IQAuthClient } from './client-vdh2a9fJ.mjs';
+import { C as CookieAwareMiddlewareOptions } from './express-A0-dWEMy.mjs';
+export { i as iqAuthMiddleware } from './express-A0-dWEMy.mjs';
 import { IQAuthHelperConfig } from './server/handlers.mjs';
 import { Q as IQAuthRequestLike, R as IQAuthResponseLike, V as IQAuthNextFunction } from './types-Cxl3bQHt.mjs';
 export { E as ErrorCodes, I as IQAuthError } from './errors-CDdl24MP.mjs';
-import 'jsonwebtoken';
 
 /**
  * @iqauth/sdk/express — drop-in Express adapter.
@@ -22,18 +21,89 @@ import 'jsonwebtoken';
  *   app.use(iqAuth({ publishableKey: process.env.IQAUTH_PUBLISHABLE_KEY!, secretKey: process.env.IQAUTH_SECRET_KEY! }));
  */
 
+interface InlineCallbackBrandedRenderArgs {
+    /** Issuer URL the SDK will use to mint the authorization code (publishable key origin). */
+    issuer: string;
+    /** Path of the JSON exchange endpoint to POST to (e.g. `/api/iqauth/callback/exchange`). */
+    exchangePath: string;
+    /** The raw `?code=` value from the OAuth redirect (already escaped for HTML). */
+    code: string;
+    /** The raw `?state=` value from the OAuth redirect (already escaped for HTML). */
+    state: string;
+    /** If `errorPath` is configured on the inline-callback options, it's threaded
+     * here so a custom render function can reuse it for its own catch handler.
+     * `""` when unset. */
+    errorPath?: string;
+}
+interface InlineCallbackBrandedConfig {
+    /**
+     * Optional override for the spinner page HTML. Receives the issuer URL, the
+     * exchange endpoint path, and the (HTML-escaped) `code` + `state` from the
+     * OAuth redirect. Returns a full HTML document. When omitted, a minimal
+     * neutral spinner is rendered.
+     */
+    render?: (args: InlineCallbackBrandedRenderArgs) => string;
+}
+interface InlineCallbackConfig {
+    /**
+     * When truthy, mount a GET-method handler on the same path as the POST
+     * callback so the OAuth redirect lands on a server-rendered page (no
+     * blank-tab while waiting for client JS). When `false`, only `POST` is
+     * mounted (the browser SDK posts the code + verifier itself).
+     *
+     * - `inlineCallback: true` — GET exchanges the code synchronously
+     *   (PKCE verifier read from the `iqauth_pkce` first-party cookie set by
+     *   the browser SDK before redirect) and 302s to the final URL.
+     *
+     * - `inlineCallback: { branded: true }` — GET returns a small spinner HTML
+     *   document; the exchange happens via a sibling JSON endpoint at
+     *   `${callbackPath}/exchange`.
+     *
+     * - `inlineCallback: { branded: { render } }` — same as above but lets
+     *   you supply your own HTML (logo, copy, theme).
+     */
+    branded?: boolean | InlineCallbackBrandedConfig;
+    /**
+     * Where to redirect on a failed inline callback (state mismatch, missing
+     * code, code-exchange error from the issuer, etc). When omitted, the
+     * plain inline flow returns a JSON error body and the branded flow
+     * surfaces the failure via the spinner script's catch handler. When set,
+     * the GET handler 302s to this path with `?error=<code>` appended.
+     */
+    errorPath?: string;
+    /**
+     * Cookie name the browser SDK uses to publish the OAuth `state` value
+     * before redirect. Validated against the `?state=` query param on the
+     * return trip. Defaults to `iqauth_state`.
+     */
+    stateCookieName?: string;
+    /**
+     * Cookie name the browser SDK uses to publish the post-login destination
+     * before redirect. The inline GET handler reads it and 302s the user
+     * there after a successful exchange. Defaults to `iqauth_return_to`.
+     */
+    returnToCookieName?: string;
+}
 interface IQAuthExpressOptions extends IQAuthHelperConfig, CookieAwareMiddlewareOptions {
     /** Mount path prefix for the auto-mounted helper routes. */
     mountPath?: string;
     /** Set to false to skip mounting helper routes (verify-only mode). */
     mountHelperRoutes?: boolean;
+    /**
+     * Mount a GET handler on the callback path so the OAuth redirect lands
+     * on a server-rendered page. Off by default (browser SDK posts the code
+     * itself). See {@link InlineCallbackConfig}.
+     */
+    inlineCallback?: boolean | InlineCallbackConfig;
 }
 interface ExpressLikeApp {
     post(path: string, handler: (req: any, res: any) => unknown | Promise<unknown>): unknown;
+    get?(path: string, handler: (req: any, res: any) => unknown | Promise<unknown>): unknown;
     use?: (...args: unknown[]) => unknown;
 }
 interface ExpressLikeRouter {
     post(path: string, handler: (req: any, res: any) => unknown | Promise<unknown>): unknown;
+    get?(path: string, handler: (req: any, res: any) => unknown | Promise<unknown>): unknown;
 }
 declare function iqAuth(options: IQAuthExpressOptions): {
     (req: IQAuthRequestLike, res: IQAuthResponseLike, next: IQAuthNextFunction): unknown;
@@ -42,4 +112,4 @@ declare function iqAuth(options: IQAuthExpressOptions): {
     client: IQAuthClient;
 };
 
-export { CookieAwareMiddlewareOptions, type IQAuthExpressOptions, iqAuth };
+export { CookieAwareMiddlewareOptions, type IQAuthExpressOptions, type InlineCallbackBrandedConfig, type InlineCallbackBrandedRenderArgs, type InlineCallbackConfig, iqAuth };

package/dist/express.d.ts

@@ -1,10 +1,9 @@
-import { I as IQAuthClient } from './client-DXbHb2ul.js';
-import { C as CookieAwareMiddlewareOptions } from './express-B4o3P8vK.js';
-export { i as iqAuthMiddleware } from './express-B4o3P8vK.js';
+import { I as IQAuthClient } from './client-DTX4hNdS.js';
+import { C as CookieAwareMiddlewareOptions } from './express-Bo_pJKHN.js';
+export { i as iqAuthMiddleware } from './express-Bo_pJKHN.js';
 import { IQAuthHelperConfig } from './server/handlers.js';
 import { Q as IQAuthRequestLike, R as IQAuthResponseLike, V as IQAuthNextFunction } from './types-Cxl3bQHt.js';
 export { E as ErrorCodes, I as IQAuthError } from './errors-CDdl24MP.js';
-import 'jsonwebtoken';
 
 /**
  * @iqauth/sdk/express — drop-in Express adapter.
@@ -22,18 +21,89 @@ import 'jsonwebtoken';
  *   app.use(iqAuth({ publishableKey: process.env.IQAUTH_PUBLISHABLE_KEY!, secretKey: process.env.IQAUTH_SECRET_KEY! }));
  */
 
+interface InlineCallbackBrandedRenderArgs {
+    /** Issuer URL the SDK will use to mint the authorization code (publishable key origin). */
+    issuer: string;
+    /** Path of the JSON exchange endpoint to POST to (e.g. `/api/iqauth/callback/exchange`). */
+    exchangePath: string;
+    /** The raw `?code=` value from the OAuth redirect (already escaped for HTML). */
+    code: string;
+    /** The raw `?state=` value from the OAuth redirect (already escaped for HTML). */
+    state: string;
+    /** If `errorPath` is configured on the inline-callback options, it's threaded
+     * here so a custom render function can reuse it for its own catch handler.
+     * `""` when unset. */
+    errorPath?: string;
+}
+interface InlineCallbackBrandedConfig {
+    /**
+     * Optional override for the spinner page HTML. Receives the issuer URL, the
+     * exchange endpoint path, and the (HTML-escaped) `code` + `state` from the
+     * OAuth redirect. Returns a full HTML document. When omitted, a minimal
+     * neutral spinner is rendered.
+     */
+    render?: (args: InlineCallbackBrandedRenderArgs) => string;
+}
+interface InlineCallbackConfig {
+    /**
+     * When truthy, mount a GET-method handler on the same path as the POST
+     * callback so the OAuth redirect lands on a server-rendered page (no
+     * blank-tab while waiting for client JS). When `false`, only `POST` is
+     * mounted (the browser SDK posts the code + verifier itself).
+     *
+     * - `inlineCallback: true` — GET exchanges the code synchronously
+     *   (PKCE verifier read from the `iqauth_pkce` first-party cookie set by
+     *   the browser SDK before redirect) and 302s to the final URL.
+     *
+     * - `inlineCallback: { branded: true }` — GET returns a small spinner HTML
+     *   document; the exchange happens via a sibling JSON endpoint at
+     *   `${callbackPath}/exchange`.
+     *
+     * - `inlineCallback: { branded: { render } }` — same as above but lets
+     *   you supply your own HTML (logo, copy, theme).
+     */
+    branded?: boolean | InlineCallbackBrandedConfig;
+    /**
+     * Where to redirect on a failed inline callback (state mismatch, missing
+     * code, code-exchange error from the issuer, etc). When omitted, the
+     * plain inline flow returns a JSON error body and the branded flow
+     * surfaces the failure via the spinner script's catch handler. When set,
+     * the GET handler 302s to this path with `?error=<code>` appended.
+     */
+    errorPath?: string;
+    /**
+     * Cookie name the browser SDK uses to publish the OAuth `state` value
+     * before redirect. Validated against the `?state=` query param on the
+     * return trip. Defaults to `iqauth_state`.
+     */
+    stateCookieName?: string;
+    /**
+     * Cookie name the browser SDK uses to publish the post-login destination
+     * before redirect. The inline GET handler reads it and 302s the user
+     * there after a successful exchange. Defaults to `iqauth_return_to`.
+     */
+    returnToCookieName?: string;
+}
 interface IQAuthExpressOptions extends IQAuthHelperConfig, CookieAwareMiddlewareOptions {
     /** Mount path prefix for the auto-mounted helper routes. */
     mountPath?: string;
     /** Set to false to skip mounting helper routes (verify-only mode). */
     mountHelperRoutes?: boolean;
+    /**
+     * Mount a GET handler on the callback path so the OAuth redirect lands
+     * on a server-rendered page. Off by default (browser SDK posts the code
+     * itself). See {@link InlineCallbackConfig}.
+     */
+    inlineCallback?: boolean | InlineCallbackConfig;
 }
 interface ExpressLikeApp {
     post(path: string, handler: (req: any, res: any) => unknown | Promise<unknown>): unknown;
+    get?(path: string, handler: (req: any, res: any) => unknown | Promise<unknown>): unknown;
     use?: (...args: unknown[]) => unknown;
 }
 interface ExpressLikeRouter {
     post(path: string, handler: (req: any, res: any) => unknown | Promise<unknown>): unknown;
+    get?(path: string, handler: (req: any, res: any) => unknown | Promise<unknown>): unknown;
 }
 declare function iqAuth(options: IQAuthExpressOptions): {
     (req: IQAuthRequestLike, res: IQAuthResponseLike, next: IQAuthNextFunction): unknown;
@@ -42,4 +112,4 @@ declare function iqAuth(options: IQAuthExpressOptions): {
     client: IQAuthClient;
 };
 
-export { CookieAwareMiddlewareOptions, type IQAuthExpressOptions, iqAuth };
+export { CookieAwareMiddlewareOptions, type IQAuthExpressOptions, type InlineCallbackBrandedConfig, type InlineCallbackBrandedRenderArgs, type InlineCallbackConfig, iqAuth };