@iqauth/sdk 2.2.0 → 2.5.0

package/dist/next.js

@@ -1,9 +1,7 @@
 "use strict";
-var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -17,14 +15,6 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
-  // If the importer is in node compatibility mode or this is not an ESM
-  // file that has been converted to a CommonJS file using a Babel-
-  // compatible transform (i.e. "__esModule" has not been set), then set
-  // "default" to the CommonJS "module.exports" for node compatibility.
-  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-  mod
-));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/next.ts
@@ -105,7 +95,7 @@ function assertPublishableKey(raw, opts) {
   if (!isValidIssuerUrl(decoded.iss)) {
     throw new IQAuthError(
       "CONFIG_INVALID",
-      `${ctx}IQAuth publishable key encodes an invalid issuer (iss=${JSON.stringify(decoded.iss)}). Expected a fully-qualified URL like "https://auth.example.com" (scheme required). Regenerate the key from the IQAuth admin console, or set IQAUTH_ISSUER to the correct issuer URL as a temporary workaround.`
+      `${ctx}IQAuth publishable key encodes an invalid issuer (iss=${JSON.stringify(decoded.iss)}). Expected a fully-qualified URL like "https://auth.example.com" (scheme required). Regenerate the key from the IQAuth admin console \u2014 the new key will encode a valid issuer URL.`
     );
   }
   return { mode: shapeMatch[1], iss: decoded.iss, appId: decoded.appId, tenantId: decoded.tenantId, kid: decoded.kid, raw };
@@ -142,8 +132,8 @@ function resolve(config) {
     publishableKey: config.publishableKey,
     secretKey: config.secretKey,
     issuer: (config.issuer ?? inferredIssuer).replace(/\/+$/, ""),
-    accessCookieName: config.accessCookieName ?? "iqauth_at",
-    refreshCookieName: config.refreshCookieName ?? "iqauth_rt",
+    accessCookieName: config.accessCookieName ?? config.cookieNames?.access ?? "iqauth_at",
+    refreshCookieName: config.refreshCookieName ?? config.cookieNames?.refresh ?? "iqauth_rt",
     cookieDomain: config.cookieDomain,
     sameSite: config.sameSite ?? "lax",
     secure: config.secure ?? true,
@@ -307,6 +297,15 @@ async function handleSignout(config, input) {
     } catch {
     }
   }
+  if (input.endSsoSession !== false && input.ssoCookieHeader) {
+    try {
+      await cfg.fetchImpl(`${cfg.issuer}/oidc/sso-logout`, {
+        method: "POST",
+        headers: { Cookie: input.ssoCookieHeader }
+      });
+    } catch {
+    }
+  }
   return {
     status: 200,
     body: { success: true, data: { signedOut: true } },
@@ -314,369 +313,8 @@ async function handleSignout(config, input) {
   };
 }
 
-// src/http.ts
-var DEFAULT_RETRY = {
-  maxAttempts: 3,
-  baseDelayMs: 100,
-  maxDelayMs: 2e3
-};
-function resolveRetry(cfg) {
-  return {
-    maxAttempts: Math.max(1, cfg?.maxAttempts ?? DEFAULT_RETRY.maxAttempts),
-    baseDelayMs: Math.max(0, cfg?.baseDelayMs ?? DEFAULT_RETRY.baseDelayMs),
-    maxDelayMs: Math.max(0, cfg?.maxDelayMs ?? DEFAULT_RETRY.maxDelayMs)
-  };
-}
-function sleep(ms) {
-  if (ms <= 0) return Promise.resolve();
-  return new Promise((resolve2) => setTimeout(resolve2, ms));
-}
-var HttpClient = class {
-  constructor(config) {
-    this.refreshPromise = null;
-    this.config = config;
-    this.retryConfig = resolveRetry(config.retry);
-  }
-  computeBackoffDelay(attempt) {
-    const exp = Math.min(this.retryConfig.maxDelayMs, this.retryConfig.baseDelayMs * 2 ** (attempt - 1));
-    return Math.floor(Math.random() * exp);
-  }
-  isRetryableStatus(status) {
-    return status === 429 || status >= 500 && status <= 599;
-  }
-  async fetchWithRetry(url, init) {
-    const { maxAttempts } = this.retryConfig;
-    let lastError;
-    for (let attempt = 1; attempt <= maxAttempts; attempt++) {
-      try {
-        const res = await fetch(url, init);
-        if (this.isRetryableStatus(res.status) && attempt < maxAttempts) {
-          await sleep(this.computeBackoffDelay(attempt));
-          continue;
-        }
-        return res;
-      } catch (err) {
-        lastError = err;
-        if (attempt >= maxAttempts) break;
-        await sleep(this.computeBackoffDelay(attempt));
-      }
-    }
-    throw lastError instanceof Error ? lastError : new IQAuthError("INTERNAL_ERROR", "Network request failed");
-  }
-  get baseUrl() {
-    return this.config.baseUrl;
-  }
-  get environment() {
-    return this.config.environment;
-  }
-  isBrowserSession() {
-    return this.config.environment === "browser_session";
-  }
-  hasCredentials() {
-    return this.isBrowserSession() || !!(this.config.getApiKey() || this.config.getAccessToken());
-  }
-  buildHeaders(overrideAuth) {
-    const headers = {
-      "Content-Type": "application/json"
-    };
-    if (this.isBrowserSession()) {
-      const headerName = this.config.sessionHeaderName || "x-iqauth-session";
-      headers[headerName] = this.config.sessionHeaderValue || "cookie";
-      return headers;
-    }
-    const authMode = overrideAuth || (this.config.getApiKey() ? "apikey" : "bearer");
-    if (authMode === "apikey") {
-      const apiKey = this.config.getApiKey();
-      if (apiKey) {
-        headers["X-API-Key"] = apiKey;
-      }
-    } else {
-      const token = this.config.getAccessToken();
-      if (token) {
-        headers["Authorization"] = `Bearer ${token}`;
-      }
-    }
-    return headers;
-  }
-  isTokenExpiringSoon() {
-    const token = this.config.getAccessToken();
-    if (!token) return false;
-    try {
-      const parts = token.split(".");
-      if (parts.length !== 3) return false;
-      const payload = JSON.parse(
-        typeof atob === "function" ? atob(parts[1].replace(/-/g, "+").replace(/_/g, "/")) : Buffer.from(parts[1], "base64url").toString("utf8")
-      );
-      if (!payload.exp) return false;
-      const now = Math.floor(Date.now() / 1e3);
-      return payload.exp - now < 60;
-    } catch {
-      return false;
-    }
-  }
-  async attemptRefresh() {
-    if (this.refreshPromise) {
-      return this.refreshPromise;
-    }
-    this.refreshPromise = (async () => {
-      try {
-        const res = await this.fetchWithRetry(`${this.config.baseUrl}/api/v1/auth/refresh`, {
-          method: "POST",
-          headers: this.buildHeaders(),
-          ...this.isBrowserSession() ? { credentials: "include" } : (() => {
-            const refreshToken = this.config.getRefreshToken();
-            if (!refreshToken) throw new IQAuthError("TOKEN_INVALID", "No refresh token available");
-            return { body: JSON.stringify({ refreshToken }) };
-          })()
-        });
-        const body = await res.json();
-        if (!body.success) {
-          throw new IQAuthError(
-            body.error.code,
-            body.error.message,
-            res.status,
-            body
-          );
-        }
-        if (this.isBrowserSession()) {
-          return;
-        }
-        if (!body.data.accessToken || !body.data.refreshToken) {
-          throw new IQAuthError("TOKEN_INVALID", "Refresh response did not include a token pair");
-        }
-        const tokens = {
-          accessToken: body.data.accessToken,
-          refreshToken: body.data.refreshToken
-        };
-        this.config.setTokens(tokens);
-        this.config.onTokenRefresh?.(tokens);
-      } finally {
-        this.refreshPromise = null;
-      }
-    })();
-    return this.refreshPromise;
-  }
-  async request(method, path, body, options) {
-    return this.requestWithRetry(method, path, body, options, false);
-  }
-  async requestWithRetry(method, path, body, options, hasRetried) {
-    if (this.config.autoRefresh && !options?.skipAutoRefresh && !this.isBrowserSession() && this.config.getRefreshToken() && this.isTokenExpiringSoon()) {
-      await this.attemptRefresh();
-    }
-    const url = `${this.config.baseUrl}${path}`;
-    const headers = this.buildHeaders(options?.authMode);
-    const fetchOptions = {
-      method,
-      headers,
-      ...this.isBrowserSession() ? { credentials: "include" } : {}
-    };
-    if (body !== void 0 && method !== "GET") {
-      fetchOptions.body = JSON.stringify(body);
-    }
-    const res = await this.fetchWithRetry(url, fetchOptions);
-    if (res.status === 204) {
-      return void 0;
-    }
-    const responseBody = await res.json();
-    if (!responseBody.success) {
-      const shouldRetryRefresh = !hasRetried && this.config.autoRefresh && !options?.skipAutoRefresh && responseBody.error.code === "TOKEN_EXPIRED" && (this.isBrowserSession() || !!this.config.getRefreshToken());
-      if (shouldRetryRefresh) {
-        await this.attemptRefresh();
-        return this.requestWithRetry(method, path, body, options, true);
-      }
-      throw new IQAuthError(
-        responseBody.error.code,
-        responseBody.error.message,
-        res.status,
-        responseBody
-      );
-    }
-    return responseBody.data;
-  }
-  async requestRaw(method, path, body) {
-    const url = `${this.config.baseUrl}${path}`;
-    const headers = { "Content-Type": "application/json" };
-    if (this.isBrowserSession()) {
-      const headerName = this.config.sessionHeaderName || "x-iqauth-session";
-      headers[headerName] = this.config.sessionHeaderValue || "cookie";
-    }
-    const token = this.config.getAccessToken();
-    if (token) {
-      headers["Authorization"] = `Bearer ${token}`;
-    }
-    const fetchOptions = { method, headers };
-    if (this.isBrowserSession()) {
-      fetchOptions.credentials = "include";
-    }
-    if (body !== void 0 && method !== "GET") {
-      fetchOptions.body = JSON.stringify(body);
-    }
-    const res = await fetch(url, fetchOptions);
-    return await res.json();
-  }
-};
-
-// src/modules/auth.ts
-function parseLoginResponse(data, browserSessionMode) {
-  if (data.accessToken && data.refreshToken && data.user) {
-    return {
-      status: "authenticated",
-      authMode: "token",
-      tokens: { accessToken: data.accessToken, refreshToken: data.refreshToken },
-      user: data.user
-    };
-  }
-  if (browserSessionMode && data.user) {
-    return {
-      status: "authenticated",
-      authMode: "session",
-      user: data.user
-    };
-  }
-  if (data.mfaChallengeToken && !data.tenantSelectionToken) {
-    return {
-      status: "mfa_required",
-      mfaChallengeToken: data.mfaChallengeToken,
-      availableMethods: data.availableMethods ?? []
-    };
-  }
-  if (data.tenantSelectionToken && data.tenants) {
-    return {
-      status: "tenant_selection",
-      tenantSelectionToken: data.tenantSelectionToken,
-      tenants: data.tenants
-    };
-  }
-  throw new Error("Unexpected login response shape");
-}
-var AuthModule = class {
-  constructor(http) {
-    this.http = http;
-  }
-  async login(email, password) {
-    const data = await this.http.request(
-      "POST",
-      "/api/v1/auth/login",
-      { email, password },
-      { skipAutoRefresh: true }
-    );
-    return parseLoginResponse(data, this.http.isBrowserSession());
-  }
-  async signup(input) {
-    const data = await this.http.request(
-      "POST",
-      "/api/v1/auth/signup",
-      input,
-      { skipAutoRefresh: true }
-    );
-    return parseLoginResponse(data, this.http.isBrowserSession());
-  }
-  async completeMfa(mfaChallengeToken, code, method) {
-    const data = await this.http.request(
-      "POST",
-      "/api/v1/mfa/verify",
-      { mfaChallengeToken, code, method },
-      { skipAutoRefresh: true }
-    );
-    return parseMfaResponse(data, this.http.isBrowserSession());
-  }
-  async completeMfaWithBackup(mfaChallengeToken, backupCode) {
-    const data = await this.http.request(
-      "POST",
-      "/api/v1/mfa/verify-backup",
-      { mfaChallengeToken, backupCode },
-      { skipAutoRefresh: true }
-    );
-    return parseMfaResponse(data, this.http.isBrowserSession());
-  }
-  async sendMfaChallenge(mfaChallengeToken, method) {
-    return this.http.request("POST", "/api/v1/mfa/challenge", {
-      mfaChallengeToken,
-      method
-    }, { skipAutoRefresh: true });
-  }
-  async selectTenant(tenantSelectionToken, tenantId) {
-    const data = await this.http.request(
-      "POST",
-      "/api/v1/auth/select-tenant",
-      {
-        tenantSelectionToken,
-        tenantId
-      },
-      { skipAutoRefresh: true }
-    );
-    return parseLoginResponse(data, this.http.isBrowserSession());
-  }
-  async logout() {
-    return this.http.request("POST", "/api/v1/auth/logout");
-  }
-  async logoutAll() {
-    return this.http.request("POST", "/api/v1/auth/logout-all");
-  }
-  async refreshTokens(refreshToken) {
-    if (this.http.isBrowserSession()) {
-      throw new Error("refreshTokens(refreshToken) is not used in browser_session mode; the backend session should own refresh.");
-    }
-    const data = await this.http.request(
-      "POST",
-      "/api/v1/auth/refresh",
-      { refreshToken },
-      { skipAutoRefresh: true }
-    );
-    return { accessToken: data.accessToken, refreshToken: data.refreshToken };
-  }
-  async forgotPassword(email) {
-    return this.http.request("POST", "/api/v1/auth/password/reset/request", { email }, { skipAutoRefresh: true });
-  }
-  async resetPassword(token, newPassword) {
-    return this.http.request("POST", "/api/v1/auth/password/reset/confirm", { token, newPassword }, { skipAutoRefresh: true });
-  }
-  async changePassword(currentPassword, newPassword) {
-    return this.http.request("POST", "/api/v1/auth/password/change", {
-      currentPassword,
-      newPassword
-    });
-  }
-  async verifyToken() {
-    return this.http.request("GET", "/api/v1/auth/verify");
-  }
-  async exchangeOAuthCode(code) {
-    const data = await this.http.request(
-      "POST",
-      "/api/v1/auth/oauth/exchange",
-      { code },
-      { skipAutoRefresh: true }
-    );
-    return parseLoginResponse(data, this.http.isBrowserSession());
-  }
-  async getSessionUser() {
-    return this.http.request("GET", "/api/v1/auth/me");
-  }
-};
-function parseMfaResponse(data, browserSessionMode) {
-  if (data.accessToken && data.refreshToken && data.user) {
-    return {
-      authMode: "token",
-      tokens: { accessToken: data.accessToken, refreshToken: data.refreshToken },
-      user: data.user,
-      ...data.remainingBackupCodes !== void 0 ? { remainingBackupCodes: data.remainingBackupCodes } : {},
-      ...data.warning ? { warning: data.warning } : {}
-    };
-  }
-  if (browserSessionMode && data.user) {
-    return {
-      authMode: "session",
-      user: data.user,
-      ...data.remainingBackupCodes !== void 0 ? { remainingBackupCodes: data.remainingBackupCodes } : {},
-      ...data.warning ? { warning: data.warning } : {}
-    };
-  }
-  throw new Error("Unexpected MFA response shape");
-}
-
 // src/modules/tokens.ts
-var import_crypto = __toESM(require("crypto"));
-var import_jsonwebtoken = __toESM(require("jsonwebtoken"));
+var import_jose = require("jose");
 var JWKS_CACHE_TTL_MS = 60 * 60 * 1e3;
 var DEFAULT_TOKEN_ISSUER = [
   "https://auth.dispositioniq.com",
@@ -689,6 +327,24 @@ var DEFAULT_TOKEN_AUDIENCE = [
   "iqvalidate"
 ];
 var DEFAULT_CLOCK_TOLERANCE_SECONDS = 30;
+function decodeProtectedHeader(token) {
+  const parts = token.split(".");
+  if (parts.length < 2) return null;
+  try {
+    const padded = parts[0] + "=".repeat((4 - parts[0].length % 4) % 4);
+    const b64 = padded.replace(/-/g, "+").replace(/_/g, "/");
+    let json;
+    if (typeof atob === "function") {
+      json = atob(b64);
+    } else {
+      const { Buffer: Buffer2 } = require("buffer");
+      json = Buffer2.from(b64, "base64").toString("utf8");
+    }
+    return JSON.parse(json);
+  } catch {
+    return null;
+  }
+}
 var TokensModule = class {
   constructor(baseUrl, options = {}) {
     this.jwksCache = null;
@@ -699,49 +355,49 @@ var TokensModule = class {
     this.defaultClockTolerance = options.clockTolerance ?? DEFAULT_CLOCK_TOLERANCE_SECONDS;
   }
   /**
-   * Verify a JWT access token using RS256 via JWKS from /.well-known/jwks.json.
-   * Caches JWKS keys for 1 hour. Retries once on unknown `kid`.
-   *
-   * @remarks Validates against /.well-known/jwks.json. Issuer, audience, and
-   * clock tolerance default to client config but can be overridden per call.
+   * Verify a JWT access token using RS256/ES256 via JWKS from
+   * `/.well-known/jwks.json`. Backed by `jose` (Web Crypto) so it runs on
+   * Node, browser, and edge runtimes alike — no `node:crypto` dependency.
+   * Caches JWKS for 1 hour and refetches once on unknown `kid`.
    */
   async verify(token, options = {}) {
-    const decoded = import_jsonwebtoken.default.decode(token, { complete: true });
-    if (!decoded || typeof decoded === "string") {
+    const header = decodeProtectedHeader(token);
+    if (!header) {
       throw new IQAuthError("TOKEN_INVALID", "Unable to decode token");
     }
-    const kid = decoded.header.kid;
+    const kid = header.kid;
     if (!kid) {
       throw new IQAuthError("TOKEN_INVALID", "Token missing kid header");
     }
-    let publicKey = await this.getPublicKey(kid);
-    if (!publicKey) {
-      await this.refreshJwks();
-      publicKey = await this.getPublicKey(kid);
+    let cache = await this.ensureCache();
+    if (!cache.byKid.has(kid)) {
+      this.jwksCache = null;
+      cache = await this.ensureCache();
     }
-    if (!publicKey) {
+    if (!cache.byKid.has(kid)) {
       throw new IQAuthError("TOKEN_INVALID", `Unknown key ID: ${kid}`);
     }
     const issuer = options.issuer ?? this.defaultIssuer;
     const audience = options.audience ?? this.defaultAudience;
     const clockTolerance = options.clockTolerance ?? this.defaultClockTolerance;
-    const algorithms = options.algorithms ?? ["RS256"];
+    const algorithms = options.algorithms ?? ["RS256", "ES256"];
+    const verifyOptions = {
+      algorithms,
+      clockTolerance,
+      issuer,
+      audience
+    };
     try {
-      const verifyOptions = {
-        algorithms,
-        clockTolerance,
-        // The jsonwebtoken types insist on tuple types for arrays; runtime
-        // accepts plain string[] so we cast to satisfy the compiler.
-        issuer,
-        audience
-      };
-      const verified = import_jsonwebtoken.default.verify(token, publicKey, verifyOptions);
-      return verified;
+      const { payload } = await (0, import_jose.jwtVerify)(token, cache.verifier, verifyOptions);
+      return payload;
     } catch (err) {
+      if (err instanceof import_jose.errors.JWTExpired) {
+        throw new IQAuthError("TOKEN_EXPIRED", "Token has expired");
+      }
+      if (err instanceof import_jose.errors.JOSEError) {
+        throw new IQAuthError("TOKEN_INVALID", err.message);
+      }
       if (err instanceof Error) {
-        if (err.name === "TokenExpiredError") {
-          throw new IQAuthError("TOKEN_EXPIRED", "Token has expired");
-        }
         throw new IQAuthError("TOKEN_INVALID", err.message);
       }
       throw new IQAuthError("TOKEN_INVALID", "Token verification failed");
@@ -749,29 +405,40 @@ var TokensModule = class {
   }
   /**
    * Decode a JWT without verification. Returns null if malformed.
-   *
-   * @remarks Local decode only — no network call
    */
   decode(token) {
-    const decoded = import_jsonwebtoken.default.decode(token);
-    return decoded;
+    try {
+      const parts = token.split(".");
+      if (parts.length < 2) return null;
+      const payload = parts[1];
+      const padded = payload + "=".repeat((4 - payload.length % 4) % 4);
+      const b64 = padded.replace(/-/g, "+").replace(/_/g, "/");
+      let json;
+      if (typeof atob === "function") {
+        json = atob(b64);
+      } else {
+        const { Buffer: Buffer2 } = require("buffer");
+        json = Buffer2.from(b64, "base64").toString("utf8");
+      }
+      try {
+        json = decodeURIComponent(escape(json));
+      } catch {
+      }
+      const claims = JSON.parse(json);
+      if (!claims || typeof claims !== "object") return null;
+      return claims;
+    } catch {
+      return null;
+    }
   }
-  /**
-   * Check if a token is expired based on the `exp` claim.
-   *
-   * @remarks Local check only — no network call
-   */
+  /** Check if a token is expired based on the `exp` claim. */
   isExpired(token) {
     const claims = this.decode(token);
     if (!claims?.exp) return true;
     const now = Math.floor(Date.now() / 1e3);
     return claims.exp <= now;
   }
-  /**
-   * Get the claims from a token without verification.
-   *
-   * @remarks Local decode only — no network call
-   */
+  /** Get the claims from a token without verification. */
   getClaims(token) {
     const claims = this.decode(token);
     if (!claims) {
@@ -779,11 +446,15 @@ var TokensModule = class {
     }
     return claims;
   }
-  async getPublicKey(kid) {
-    if (!this.jwksCache || Date.now() - this.jwksCache.fetchedAt > JWKS_CACHE_TTL_MS) {
-      await this.refreshJwks();
+  async ensureCache() {
+    if (this.jwksCache && Date.now() - this.jwksCache.fetchedAt <= JWKS_CACHE_TTL_MS) {
+      return this.jwksCache;
+    }
+    await this.refreshJwks();
+    if (!this.jwksCache) {
+      throw new IQAuthError("INTERNAL_ERROR", "JWKS cache unavailable after refresh");
     }
-    return this.jwksCache?.keys.get(kid) ?? null;
+    return this.jwksCache;
   }
   async refreshJwks() {
     if (this.inFlightRefresh) {
@@ -810,1218 +481,30 @@ var TokensModule = class {
             "Malformed JWKS response: expected { keys: [...] }"
           );
         }
-        const keys = /* @__PURE__ */ new Map();
+        const byKid = /* @__PURE__ */ new Set();
         for (const key of jwks.keys) {
-          if (!key || typeof key.kid !== "string" || typeof key.n !== "string" || typeof key.e !== "string") {
+          if (!key || typeof key.kid !== "string" || typeof key.n !== "string" && typeof key.x !== "string" || key.kty === "RSA" && (typeof key.n !== "string" || typeof key.e !== "string")) {
             throw new IQAuthError(
               "INTERNAL_ERROR",
               "Malformed JWKS response: key missing required fields"
             );
           }
-          const pem = this.jwkToPem(key);
-          keys.set(key.kid, pem);
+          byKid.add(key.kid);
         }
-        this.jwksCache = { keys, fetchedAt: Date.now() };
+        const verifier = (0, import_jose.createLocalJWKSet)({ keys: jwks.keys });
+        this.jwksCache = { raw: jwks.keys, byKid, verifier, fetchedAt: Date.now() };
       } finally {
         this.inFlightRefresh = null;
       }
     })();
     return this.inFlightRefresh;
   }
-  jwkToPem(jwk) {
-    const keyObject = import_crypto.default.createPublicKey({
-      key: {
-        kty: jwk.kty,
-        n: jwk.n,
-        e: jwk.e
-      },
-      format: "jwk"
-    });
-    return keyObject.export({ type: "spki", format: "pem" });
-  }
   /** @internal Exposed for testing — clears JWKS cache */
   clearCache() {
     this.jwksCache = null;
   }
 };
 
-// src/modules/sessions.ts
-var SessionsModule = class {
-  constructor(http) {
-    this.http = http;
-  }
-  /**
-   * List all active sessions for the current user.
-   *
-   * @remarks Wraps GET /api/v1/sessions
-   */
-  async list() {
-    return this.http.request("GET", "/api/v1/sessions");
-  }
-  /**
-   * Revoke (terminate) a specific session by ID.
-   *
-   * @remarks Wraps DELETE /api/v1/sessions/:sessionId
-   */
-  async revoke(sessionId) {
-    return this.http.request("DELETE", `/api/v1/sessions/${sessionId}`);
-  }
-  /**
-   * Revoke all sessions for the current user.
-   *
-   * @remarks Wraps POST /api/v1/auth/logout-all
-   */
-  async revokeAll() {
-    return this.http.request("POST", "/api/v1/auth/logout-all");
-  }
-};
-
-// src/modules/users.ts
-var UsersModule = class {
-  constructor(http) {
-    this.http = http;
-  }
-  /**
-   * Get the currently authenticated user's profile.
-   *
-   * @remarks Wraps GET /api/v1/users/me
-   */
-  async getCurrent() {
-    return this.http.request("GET", "/api/v1/users/me");
-  }
-  /**
-   * Get a user by ID.
-   *
-   * @remarks Wraps GET /api/v1/users/:id
-   */
-  async getById(userId) {
-    return this.http.request("GET", `/api/v1/users/${userId}`);
-  }
-  /**
-   * List users in the current tenant. Requires tenant_admin role.
-   *
-   * @remarks Wraps GET /api/v1/users
-   */
-  async list(params) {
-    const query = new URLSearchParams();
-    if (params?.email) query.set("email", params.email);
-    if (params?.tenantId) query.set("tenantId", params.tenantId);
-    const qs = query.toString();
-    return this.http.request("GET", `/api/v1/users${qs ? `?${qs}` : ""}`);
-  }
-  /**
-   * Provision (create) a new user in a tenant. Requires platform_admin or tenant-scoped API key with admin role.
-   *
-   * @remarks Wraps POST /api/v1/tenants/:tenantId/users/provision
-   */
-  async create(tenantId, data) {
-    return this.http.request("POST", `/api/v1/tenants/${tenantId}/users/provision`, data);
-  }
-  /**
-   * Update the current user's profile (name, picture).
-   *
-   * @remarks Wraps PATCH /api/v1/users/me
-   */
-  async update(data) {
-    return this.http.request("PATCH", "/api/v1/users/me", data);
-  }
-  /**
-   * Deactivate a user in the current tenant. Requires tenant_admin role.
-   *
-   * @remarks Wraps PATCH /api/v1/users/:id/deactivate
-   */
-  async deactivate(userId) {
-    return this.http.request("PATCH", `/api/v1/users/${userId}/deactivate`);
-  }
-  /**
-   * Reactivate a user in the current tenant. Requires tenant_admin role.
-   *
-   * @remarks Wraps PATCH /api/v1/users/:id/reactivate
-   */
-  async reactivate(userId) {
-    return this.http.request("PATCH", `/api/v1/users/${userId}/reactivate`);
-  }
-  /**
-   * Unlock a locked user account in the current tenant. Requires tenant_admin role.
-   *
-   * @remarks Wraps PATCH /api/v1/users/:id/unlock
-   */
-  async unlock(userId) {
-    return this.http.request("PATCH", `/api/v1/users/${userId}/unlock`);
-  }
-  /**
-   * Get effective permissions for a user for a specific product.
-   *
-   * @remarks Wraps GET /api/v1/users/:id/permissions?product=...
-   */
-  async getPermissions(userId, product) {
-    return this.http.request("GET", `/api/v1/users/${userId}/permissions?product=${encodeURIComponent(product)}`);
-  }
-  /**
-   * Change the current user's password.
-   *
-   * @remarks Wraps POST /api/v1/auth/password/change
-   */
-  async updatePassword(currentPassword, newPassword) {
-    return this.http.request("POST", "/api/v1/auth/password/change", {
-      currentPassword,
-      newPassword
-    });
-  }
-};
-
-// src/modules/permissions.ts
-var PermissionsModule = class {
-  constructor(claimsProvider) {
-    this.getClaims = claimsProvider;
-  }
-  /**
-   * Get the roles from the current JWT claims.
-   *
-   * @remarks Extracted from JWT claim `roles` (string[])
-   */
-  getRoles() {
-    return this.getClaims()?.roles ?? [];
-  }
-  /**
-   * Get the entitlements from the current JWT claims.
-   *
-   * @remarks Extracted from JWT claim `entitlements` (string[])
-   */
-  getEntitlements() {
-    return this.getClaims()?.entitlements ?? [];
-  }
-  /**
-   * Check if the current user has a specific role.
-   *
-   * @remarks Checks against JWT claim `roles`
-   */
-  hasRole(role) {
-    return this.getRoles().includes(role);
-  }
-  /**
-   * Check if the current user has a specific entitlement.
-   *
-   * @remarks Checks against JWT claim `entitlements`
-   */
-  hasEntitlement(entitlement) {
-    return this.getEntitlements().includes(entitlement);
-  }
-  /**
-   * Check if the current user has all of the specified roles.
-   *
-   * @remarks Checks against JWT claim `roles`
-   */
-  hasAllRoles(roles) {
-    const userRoles = this.getRoles();
-    return roles.every((r) => userRoles.includes(r));
-  }
-  /**
-   * Check if the current user has any of the specified roles.
-   *
-   * @remarks Checks against JWT claim `roles`
-   */
-  hasAnyRole(roles) {
-    const userRoles = this.getRoles();
-    return roles.some((r) => userRoles.includes(r));
-  }
-  /**
-   * Check if the current user has all of the specified entitlements.
-   *
-   * @remarks Checks against JWT claim `entitlements`
-   */
-  hasAllEntitlements(entitlements) {
-    const userEntitlements = this.getEntitlements();
-    return entitlements.every((e) => userEntitlements.includes(e));
-  }
-  /**
-   * Check if the current user has any of the specified entitlements.
-   *
-   * @remarks Checks against JWT claim `entitlements`
-   */
-  hasAnyEntitlement(entitlements) {
-    const userEntitlements = this.getEntitlements();
-    return entitlements.some((e) => userEntitlements.includes(e));
-  }
-};
-
-// src/modules/oidc.ts
-var import_crypto2 = __toESM(require("crypto"));
-var InMemoryOidcStateStore = class {
-  constructor() {
-    this.map = /* @__PURE__ */ new Map();
-  }
-  set(state, value) {
-    this.map.set(state, value);
-  }
-  get(state) {
-    const entry = this.map.get(state);
-    if (!entry) return null;
-    if (entry.expiresAt < Date.now()) {
-      this.map.delete(state);
-      return null;
-    }
-    return entry;
-  }
-  delete(state) {
-    this.map.delete(state);
-  }
-};
-var DEFAULT_REQUEST_TTL_MS = 10 * 60 * 1e3;
-function base64UrlEncode(buf) {
-  return buf.toString("base64").replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
-}
-var OidcModule = class {
-  constructor(http, baseUrl, options = {}) {
-    this.http = http;
-    this.baseUrl = baseUrl;
-    this.stateStore = options.stateStore ?? new InMemoryOidcStateStore();
-    this.requestTtlMs = options.requestTtlMs ?? DEFAULT_REQUEST_TTL_MS;
-    this.tokensModule = options.tokens;
-  }
-  /** @internal Allow the client to inject its TokensModule after construction. */
-  _setTokensModule(tokens) {
-    if (!this.tokensModule) this.tokensModule = tokens;
-  }
-  /**
-   * Fetch the OpenID Connect discovery document.
-   *
-   * @remarks Wraps GET /.well-known/openid-configuration
-   */
-  async getDiscovery() {
-    const res = await fetch(`${this.baseUrl}/.well-known/openid-configuration`);
-    if (!res.ok) throw new Error(`Failed to fetch OIDC discovery: ${res.status}`);
-    return res.json();
-  }
-  /**
-   * Fetch the JSON Web Key Set.
-   *
-   * @remarks Wraps GET /.well-known/jwks.json
-   */
-  async getJwks() {
-    const res = await fetch(`${this.baseUrl}/.well-known/jwks.json`);
-    if (!res.ok) throw new Error(`Failed to fetch JWKS: ${res.status}`);
-    return res.json();
-  }
-  /**
-   * Build an OIDC authorization URL for redirect-based login.
-   *
-   * @remarks Constructs URL pointing to /oidc/authorize. Prefer
-   * {@link createAuthRequest} which also generates and stores PKCE/state/nonce.
-   */
-  buildAuthorizationUrl(params) {
-    const url = new URL("/oidc/authorize", this.baseUrl);
-    url.searchParams.set("response_type", "code");
-    url.searchParams.set("client_id", params.clientId);
-    url.searchParams.set("redirect_uri", params.redirectUri);
-    url.searchParams.set("scope", params.scope || "openid");
-    url.searchParams.set("state", params.state);
-    if (params.nonce) url.searchParams.set("nonce", params.nonce);
-    if (params.codeChallenge) url.searchParams.set("code_challenge", params.codeChallenge);
-    if (params.codeChallengeMethod) url.searchParams.set("code_challenge_method", params.codeChallengeMethod);
-    return url.toString();
-  }
-  /**
-   * Generate `code_verifier`, `code_challenge`, `state`, and `nonce`, persist
-   * them via the configured storage adapter, and return an authorization URL
-   * ready to redirect the user to.
-   */
-  async createAuthRequest(params) {
-    const codeVerifier = base64UrlEncode(import_crypto2.default.randomBytes(32));
-    const codeChallenge = base64UrlEncode(
-      import_crypto2.default.createHash("sha256").update(codeVerifier).digest()
-    );
-    const state = base64UrlEncode(import_crypto2.default.randomBytes(16));
-    const nonce = base64UrlEncode(import_crypto2.default.randomBytes(16));
-    await this.stateStore.set(state, {
-      codeVerifier,
-      state,
-      nonce,
-      redirectUri: params.redirectUri,
-      clientId: params.clientId,
-      expiresAt: Date.now() + this.requestTtlMs
-    });
-    const authorizationUrl = this.buildAuthorizationUrl({
-      clientId: params.clientId,
-      redirectUri: params.redirectUri,
-      scope: params.scope,
-      state,
-      nonce,
-      codeChallenge,
-      codeChallengeMethod: "S256"
-    });
-    return {
-      authorizationUrl,
-      state,
-      nonce,
-      codeVerifier,
-      codeChallenge,
-      codeChallengeMethod: "S256"
-    };
-  }
-  /**
-   * Validate the callback `state`, exchange the code with the bound PKCE
-   * verifier, and verify that the returned `id_token` (if any) carries the
-   * stored `nonce` and `aud === clientId`.
-   */
-  async handleCallback(params) {
-    if (!params.state) {
-      throw new IQAuthError("VALIDATION_ERROR", "OIDC callback missing state parameter");
-    }
-    if (!params.code) {
-      throw new IQAuthError("VALIDATION_ERROR", "OIDC callback missing code parameter");
-    }
-    const stored = await this.stateStore.get(params.state);
-    if (!stored) {
-      throw new IQAuthError("VALIDATION_ERROR", "Unknown or expired OIDC state");
-    }
-    let tokens;
-    try {
-      tokens = await this.exchangeCode({
-        code: params.code,
-        redirectUri: stored.redirectUri,
-        clientId: stored.clientId,
-        clientSecret: params.clientSecret,
-        codeVerifier: stored.codeVerifier
-      });
-    } finally {
-      await this.stateStore.delete(params.state);
-    }
-    let idTokenClaims = null;
-    if (tokens.id_token) {
-      if (!this.tokensModule) {
-        throw new IQAuthError(
-          "INTERNAL_ERROR",
-          "OIDC handleCallback received an id_token but no TokensModule is configured for verification"
-        );
-      }
-      idTokenClaims = await this.tokensModule.verify(tokens.id_token, {
-        audience: stored.clientId
-      });
-      const claimsBag = idTokenClaims;
-      const tokenNonce = typeof claimsBag.nonce === "string" ? claimsBag.nonce : void 0;
-      if (!tokenNonce || tokenNonce !== stored.nonce) {
-        throw new IQAuthError(
-          "TOKEN_INVALID",
-          "OIDC id_token nonce did not match the stored value"
-        );
-      }
-    }
-    return { tokens, idTokenClaims };
-  }
-  /**
-   * Exchange an authorization code for tokens at the OIDC token endpoint.
-   *
-   * @remarks Wraps POST /oidc/token (or /api/v1/oidc/token)
-   */
-  async exchangeCode(params) {
-    const body = {
-      grant_type: "authorization_code",
-      code: params.code,
-      redirect_uri: params.redirectUri,
-      client_id: params.clientId
-    };
-    if (params.clientSecret) body.client_secret = params.clientSecret;
-    if (params.codeVerifier) body.code_verifier = params.codeVerifier;
-    const res = await fetch(`${this.baseUrl}/oidc/token`, {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify(body)
-    });
-    if (!res.ok) {
-      const err = await res.json().catch(() => ({}));
-      throw new Error(
-        `OIDC token exchange failed: ${err.error_description || err.error || res.status}`
-      );
-    }
-    return res.json();
-  }
-  /**
-   * Get user info from the OIDC userinfo endpoint.
-   *
-   * @remarks Wraps GET /oidc/userinfo (requires Bearer token)
-   */
-  async getUserInfo() {
-    if (this.http.isBrowserSession()) {
-      throw new Error("oidc.getUserInfo() requires a bearer token and is not supported in browser_session mode.");
-    }
-    return this.http.requestRaw("GET", "/oidc/userinfo");
-  }
-  async getClientContext(clientId) {
-    const res = await fetch(`${this.baseUrl}/oidc/client-context?client_id=${encodeURIComponent(clientId)}`);
-    if (!res.ok) throw new Error(`Failed to fetch OIDC client context: ${res.status}`);
-    const payload = await res.json();
-    if (!payload.success || !payload.data) {
-      throw new Error("OIDC client context response was invalid");
-    }
-    return payload.data;
-  }
-};
-
-// src/modules/tenants.ts
-function normalizeBrandingConfig(config) {
-  return {
-    ...config,
-    brandName: config.brandName ?? config.companyName,
-    loginHeadline: config.loginHeadline ?? config.headline ?? null,
-    loginSubheadline: config.loginSubheadline ?? config.subheadline ?? null,
-    companyName: config.companyName ?? config.brandName,
-    headline: config.headline ?? config.loginHeadline ?? null,
-    subheadline: config.subheadline ?? config.loginSubheadline ?? null
-  };
-}
-var TenantsModule = class {
-  constructor(http) {
-    this.http = http;
-  }
-  async getCurrent(tenantId) {
-    return this.http.request("GET", `/api/v1/tenants/${tenantId}`);
-  }
-  async get(tenantId) {
-    return this.http.request("GET", `/api/v1/tenants/${tenantId}`);
-  }
-  async list(params) {
-    const query = new URLSearchParams();
-    if (params?.vendorId) query.set("vendorId", params.vendorId);
-    const qs = query.toString();
-    return this.http.request("GET", `/api/v1/tenants${qs ? `?${qs}` : ""}`);
-  }
-  async create(data) {
-    return this.http.request("POST", "/api/v1/tenants", data);
-  }
-  async update(tenantId, data) {
-    return this.http.request("PATCH", `/api/v1/tenants/${tenantId}`, data);
-  }
-  async delete(tenantId) {
-    return this.http.request("DELETE", `/api/v1/tenants/${tenantId}`);
-  }
-  async promoteToVendor(tenantId, data) {
-    return this.http.request("POST", `/api/v1/tenants/${tenantId}/promote-to-vendor`, data);
-  }
-  async getUsers(tenantId) {
-    return this.http.request("GET", `/api/v1/tenants/${tenantId}/users`);
-  }
-  async inviteUser(tenantId, data) {
-    return this.http.request("POST", `/api/v1/tenants/${tenantId}/users/invite`, data);
-  }
-  async changeUserRole(tenantId, userId, role) {
-    return this.http.request("PATCH", `/api/v1/tenants/${tenantId}/users/${userId}/role`, { role });
-  }
-  async migrateUser(tenantId, userId, data) {
-    return this.http.request("POST", `/api/v1/tenants/${tenantId}/users/${userId}/migrate`, data);
-  }
-  async removeUser(tenantId, userId) {
-    return this.http.request("DELETE", `/api/v1/tenants/${tenantId}/users/${userId}`);
-  }
-  async getPasswordPolicy(tenantId) {
-    return this.http.request("GET", `/api/v1/tenants/${tenantId}/password-policy`);
-  }
-  async updatePasswordPolicy(tenantId, data) {
-    return this.http.request("PATCH", `/api/v1/tenants/${tenantId}/password-policy`, data);
-  }
-  async getMfaPolicies(tenantId) {
-    return this.http.request("GET", `/api/v1/tenants/${tenantId}/mfa-policies`);
-  }
-  async updateMfaPolicy(tenantId, role, data) {
-    return this.http.request("PATCH", `/api/v1/tenants/${tenantId}/mfa-policies/${role}`, data);
-  }
-  async getPublicBranding(params) {
-    const query = new URLSearchParams();
-    if (params?.vendor) query.set("vendor", params.vendor);
-    const qs = query.toString();
-    const url = `${this.http.baseUrl}/api/public/branding${qs ? `?${qs}` : ""}`;
-    const res = await fetch(url);
-    if (!res.ok) return null;
-    const body = await res.json();
-    if (body.success && body.data) return normalizeBrandingConfig(body.data);
-    return null;
-  }
-  async getPublicBrandingBySlug(vendorSlug) {
-    const url = `${this.http.baseUrl}/api/public/branding/by-slug/${encodeURIComponent(vendorSlug)}`;
-    const res = await fetch(url);
-    if (!res.ok) return null;
-    const body = await res.json();
-    if (body.success && body.data) return normalizeBrandingConfig(body.data);
-    return null;
-  }
-};
-
-// src/modules/apps.ts
-var AppsModule = class {
-  constructor(http) {
-    this.http = http;
-  }
-  /**
-   * Self-service Phase A: provision an app + OIDC client + key pair in one shot.
-   * Caller must be authenticated as a tenant_admin (or platform_admin).
-   *
-   * @remarks Wraps POST /api/v1/apps
-   */
-  async create(data) {
-    return this.http.request("POST", "/api/v1/apps", data);
-  }
-  async update(id, data) {
-    return this.http.request("PATCH", `/api/v1/apps/${encodeURIComponent(id)}`, data);
-  }
-  async remove(id) {
-    return this.http.request("DELETE", `/api/v1/apps/${encodeURIComponent(id)}`);
-  }
-  async listOrigins(id) {
-    return this.http.request("GET", `/api/v1/apps/${encodeURIComponent(id)}/origins`);
-  }
-  async addOrigin(id, origin) {
-    return this.http.request("POST", `/api/v1/apps/${encodeURIComponent(id)}/origins`, { origin });
-  }
-  async removeOrigin(id, origin) {
-    return this.http.request("DELETE", `/api/v1/apps/${encodeURIComponent(id)}/origins/${encodeURIComponent(origin)}`);
-  }
-  async listKeys(id) {
-    return this.http.request("GET", `/api/v1/apps/${encodeURIComponent(id)}/keys`);
-  }
-  async createKey(id, data) {
-    return this.http.request("POST", `/api/v1/apps/${encodeURIComponent(id)}/keys`, data);
-  }
-  async rotateKey(id, keyId) {
-    return this.http.request("POST", `/api/v1/apps/${encodeURIComponent(id)}/keys/${encodeURIComponent(keyId)}/rotate`, {});
-  }
-  async revokeKey(id, keyId) {
-    return this.http.request("DELETE", `/api/v1/apps/${encodeURIComponent(id)}/keys/${encodeURIComponent(keyId)}`);
-  }
-  /**
-   * List all registered applications.
-   * Requires `apps.view` permission on the `iqauth-admin` app.
-   *
-   * @remarks Wraps GET /api/v1/apps
-   */
-  async list() {
-    return this.http.request("GET", "/api/v1/apps");
-  }
-  /**
-   * Get a registered application by its unique key, including its permission nodes.
-   * Requires `apps.view` permission on the `iqauth-admin` app.
-   *
-   * @remarks Wraps GET /api/v1/apps/:appKey
-   */
-  async get(appKey) {
-    return this.http.request("GET", `/api/v1/apps/${encodeURIComponent(appKey)}`);
-  }
-  /**
-   * Register or sync an application manifest. This is an idempotent upsert —
-   * it creates the app if it doesn't exist, or updates it if it does.
-   * Permission nodes are also upserted (created or updated) from the manifest tree.
-   *
-   * Requires `platform_admin` role and `apps.manage` permission.
-   *
-   * @remarks Wraps POST /api/v1/apps/sync
-   */
-  async register(manifest) {
-    if (!this.http.hasCredentials()) {
-      throw new IQAuthError(
-        "AUTH_REQUIRED",
-        "Cannot sync app manifest: no API key or access token configured. Initialize the client with an apiKey or accessToken.",
-        401
-      );
-    }
-    return this.http.request("POST", "/api/v1/apps/sync", manifest);
-  }
-  /**
-   * Check if an application is registered by its key.
-   * Returns `true` if the app exists, `false` otherwise.
-   *
-   * @remarks Uses GET /api/v1/apps/:appKey — catches 404 errors
-   */
-  async isRegistered(appKey) {
-    try {
-      await this.get(appKey);
-      return true;
-    } catch (err) {
-      if (err.code === "NOT_FOUND" || err.status === 404) {
-        return false;
-      }
-      throw err;
-    }
-  }
-};
-
-// src/modules/roles.ts
-var RolesModule = class {
-  constructor(http) {
-    this.http = http;
-  }
-  async list(tenantId) {
-    return this.http.request("GET", `/api/v1/tenants/${tenantId}/roles`);
-  }
-  async create(tenantId, data) {
-    return this.http.request("POST", `/api/v1/tenants/${tenantId}/roles`, data);
-  }
-  async update(tenantId, roleId, data) {
-    return this.http.request("PATCH", `/api/v1/tenants/${tenantId}/roles/${roleId}`, data);
-  }
-  async delete(tenantId, roleId) {
-    return this.http.request("DELETE", `/api/v1/tenants/${tenantId}/roles/${roleId}`);
-  }
-  async getUserRoles(tenantId, userId) {
-    return this.http.request("GET", `/api/v1/tenants/${tenantId}/users/${userId}/roles`);
-  }
-  async assignRole(tenantId, userId, data) {
-    return this.http.request("POST", `/api/v1/tenants/${tenantId}/users/${userId}/roles`, data);
-  }
-  async removeRole(tenantId, userId, roleId) {
-    return this.http.request("DELETE", `/api/v1/tenants/${tenantId}/users/${userId}/roles/${roleId}`);
-  }
-};
-
-// src/modules/permissionGroups.ts
-var PermissionGroupsModule = class {
-  constructor(http) {
-    this.http = http;
-  }
-  async list(tenantId) {
-    return this.http.request("GET", `/api/v1/tenants/${tenantId}/permission-groups`);
-  }
-  async create(tenantId, name, description) {
-    return this.http.request("POST", `/api/v1/tenants/${tenantId}/permission-groups`, { name, description });
-  }
-  async update(tenantId, groupId, data) {
-    return this.http.request("PATCH", `/api/v1/tenants/${tenantId}/permission-groups/${groupId}`, data);
-  }
-  async delete(tenantId, groupId) {
-    return this.http.request("DELETE", `/api/v1/tenants/${tenantId}/permission-groups/${groupId}`);
-  }
-  async getPermissions(tenantId, groupId) {
-    return this.http.request("GET", `/api/v1/tenants/${tenantId}/permission-groups/${groupId}/permissions`);
-  }
-  async addPermission(tenantId, groupId, data) {
-    return this.http.request("POST", `/api/v1/tenants/${tenantId}/permission-groups/${groupId}/permissions`, data);
-  }
-  async removePermission(tenantId, groupId, permissionId) {
-    return this.http.request("DELETE", `/api/v1/tenants/${tenantId}/permission-groups/${groupId}/permissions/${permissionId}`);
-  }
-  async addInheritance(tenantId, groupId, inheritsFromGroupId) {
-    return this.http.request("POST", `/api/v1/tenants/${tenantId}/permission-groups/${groupId}/inherit`, { inheritsFromGroupId });
-  }
-  async removeInheritance(tenantId, groupId, inheritedGroupId) {
-    return this.http.request("DELETE", `/api/v1/tenants/${tenantId}/permission-groups/${groupId}/inherit/${inheritedGroupId}`);
-  }
-  async getUserGroups(tenantId, userId) {
-    return this.http.request("GET", `/api/v1/tenants/${tenantId}/users/${userId}/groups`);
-  }
-  async assignUserToGroup(tenantId, userId, groupId) {
-    return this.http.request("POST", `/api/v1/tenants/${tenantId}/users/${userId}/groups`, { groupId });
-  }
-  async removeUserFromGroup(tenantId, userId, groupId) {
-    return this.http.request("DELETE", `/api/v1/tenants/${tenantId}/users/${userId}/groups/${groupId}`);
-  }
-  async getUserOverrides(tenantId, userId) {
-    return this.http.request("GET", `/api/v1/tenants/${tenantId}/users/${userId}/permissions/overrides`);
-  }
-  async addUserOverride(tenantId, userId, data) {
-    return this.http.request("POST", `/api/v1/tenants/${tenantId}/users/${userId}/permissions/overrides`, data);
-  }
-  async removeUserOverride(tenantId, userId, overrideId) {
-    return this.http.request("DELETE", `/api/v1/tenants/${tenantId}/users/${userId}/permissions/overrides/${overrideId}`);
-  }
-  async getEffectivePermissions(tenantId, userId, params) {
-    const query = new URLSearchParams();
-    if (params.product) query.set("product", params.product);
-    if (params.appKey) query.set("appKey", params.appKey);
-    const qs = query.toString();
-    return this.http.request("GET", `/api/v1/tenants/${tenantId}/users/${userId}/permissions/effective${qs ? `?${qs}` : ""}`);
-  }
-  async checkPermission(tenantId, userId, appKey, nodeKey) {
-    return this.http.request("POST", `/api/v1/tenants/${tenantId}/users/${userId}/permissions/check`, { appKey, nodeKey });
-  }
-};
-
-// src/modules/apiKeys.ts
-var ApiKeysModule = class {
-  constructor(http) {
-    this.http = http;
-  }
-  async create(data) {
-    return this.http.request("POST", "/api/v1/api-keys", data);
-  }
-  async list(params) {
-    const query = new URLSearchParams();
-    if (params?.tenantId) query.set("tenantId", params.tenantId);
-    const qs = query.toString();
-    return this.http.request("GET", `/api/v1/api-keys${qs ? `?${qs}` : ""}`);
-  }
-  async revoke(id) {
-    return this.http.request("DELETE", `/api/v1/api-keys/${id}`);
-  }
-  async introspect(apiKey) {
-    return this.http.request("POST", "/api/v1/api-keys/introspect", { apiKey }, { skipAutoRefresh: true });
-  }
-};
-
-// src/modules/invites.ts
-var InvitesModule = class {
-  constructor(http) {
-    this.http = http;
-  }
-  async create(data) {
-    return this.http.request("POST", "/api/v1/invites", data);
-  }
-  async validate(token) {
-    return this.http.request("GET", `/api/v1/invites/${token}/validate`);
-  }
-  async accept(token, data) {
-    return this.http.request("POST", `/api/v1/invites/${token}/accept`, data, { skipAutoRefresh: true });
-  }
-};
-
-// src/modules/webhooks.ts
-function normalizeWebhookDelivery(delivery) {
-  return {
-    ...delivery,
-    endpointId: delivery.endpointId ?? delivery.webhookEndpointId,
-    webhookEndpointId: delivery.webhookEndpointId ?? delivery.endpointId,
-    event: delivery.event ?? delivery.eventType,
-    eventType: delivery.eventType ?? delivery.event,
-    statusCode: delivery.statusCode ?? delivery.responseStatus ?? null,
-    responseStatus: delivery.responseStatus ?? delivery.statusCode ?? null,
-    response: delivery.response ?? delivery.responseBody ?? null,
-    responseBody: delivery.responseBody ?? delivery.response ?? null,
-    deliveredAt: delivery.deliveredAt ?? delivery.createdAt
-  };
-}
-var WebhooksModule = class {
-  constructor(http) {
-    this.http = http;
-  }
-  async createEndpoint(data) {
-    return this.http.request("POST", "/api/v1/webhooks/endpoints", data);
-  }
-  async listEndpoints() {
-    return this.http.request("GET", "/api/v1/webhooks/endpoints");
-  }
-  async deleteEndpoint(id) {
-    return this.http.request("DELETE", `/api/v1/webhooks/endpoints/${id}`);
-  }
-  async getDeliveries(endpointId) {
-    const deliveries = await this.http.request("GET", `/api/v1/webhooks/deliveries?endpointId=${encodeURIComponent(endpointId)}`);
-    return deliveries.map(normalizeWebhookDelivery);
-  }
-  async testEndpoint(id) {
-    return this.http.request("POST", `/api/v1/webhooks/endpoints/${id}/test`);
-  }
-  async rotateSecret(id) {
-    return this.http.request("POST", `/api/v1/webhooks/endpoints/${id}/rotate-secret`);
-  }
-};
-
-// src/modules/entitlements.ts
-var EntitlementsModule = class {
-  constructor(http) {
-    this.http = http;
-  }
-  async list(tenantId) {
-    return this.http.request("GET", `/api/v1/tenants/${tenantId}/entitlements`);
-  }
-  async grant(tenantId, data) {
-    return this.http.request("POST", `/api/v1/tenants/${tenantId}/entitlements`, data);
-  }
-  async revoke(tenantId, product) {
-    return this.http.request("DELETE", `/api/v1/tenants/${tenantId}/entitlements/${encodeURIComponent(product)}`);
-  }
-};
-
-// src/modules/vendors.ts
-var VendorsModule = class {
-  constructor(http) {
-    this.http = http;
-  }
-  async list() {
-    return this.http.request("GET", "/api/v1/vendors");
-  }
-  async get(vendorId) {
-    return this.http.request("GET", `/api/v1/vendors/${vendorId}`);
-  }
-  async create(data) {
-    return this.http.request("POST", "/api/v1/vendors", data);
-  }
-  async update(vendorId, data) {
-    return this.http.request("PATCH", `/api/v1/vendors/${vendorId}`, data);
-  }
-  async delete(vendorId) {
-    return this.http.request("DELETE", `/api/v1/vendors/${vendorId}`);
-  }
-};
-
-// src/modules/sources.ts
-var SourcesModule = class {
-  constructor(http) {
-    this.http = http;
-  }
-  async create(vendorId, data) {
-    return this.http.request("POST", `/api/v1/vendors/${vendorId}/sources`, data);
-  }
-  async listForVendor(vendorId) {
-    return this.http.request("GET", `/api/v1/vendors/${vendorId}/sources`);
-  }
-  async get(sourceId) {
-    return this.http.request("GET", `/api/v1/sources/${sourceId}`);
-  }
-  async update(sourceId, data) {
-    return this.http.request("PATCH", `/api/v1/sources/${sourceId}`, data);
-  }
-  async delete(sourceId) {
-    return this.http.request("DELETE", `/api/v1/sources/${sourceId}`);
-  }
-  async createClient(sourceId, data) {
-    return this.http.request("POST", `/api/v1/sources/${sourceId}/clients`, data);
-  }
-  async listClients(sourceId) {
-    return this.http.request("GET", `/api/v1/sources/${sourceId}/clients`);
-  }
-};
-
-// src/modules/clients.ts
-var ClientsModule = class {
-  constructor(http) {
-    this.http = http;
-  }
-  async get(clientId) {
-    return this.http.request("GET", `/api/v1/clients/${clientId}`);
-  }
-  async update(clientId, data) {
-    return this.http.request("PATCH", `/api/v1/clients/${clientId}`, data);
-  }
-  async delete(clientId) {
-    return this.http.request("DELETE", `/api/v1/clients/${clientId}`);
-  }
-};
-
-// src/modules/hierarchy.ts
-var HierarchyModule = class {
-  constructor(http) {
-    this.http = http;
-  }
-  async getGraph() {
-    return this.http.request("GET", "/api/v1/hierarchy");
-  }
-  async linkVendorSource(vendorId, sourceId) {
-    return this.http.request("POST", "/api/v1/hierarchy/link/vendor-source", { vendorId, sourceId });
-  }
-  async unlinkVendorSource(vendorId, sourceId) {
-    return this.http.request("DELETE", "/api/v1/hierarchy/link/vendor-source", { vendorId, sourceId });
-  }
-  async linkSourceClient(sourceId, clientId) {
-    return this.http.request("POST", "/api/v1/hierarchy/link/source-client", { sourceId, clientId });
-  }
-  async unlinkSourceClient(sourceId, clientId) {
-    return this.http.request("DELETE", "/api/v1/hierarchy/link/source-client", { sourceId, clientId });
-  }
-};
-
-// src/modules/memberships.ts
-var MembershipsModule = class {
-  constructor(http) {
-    this.http = http;
-  }
-  async listForUser(userId, tenantId) {
-    return this.http.request("GET", `/api/v1/users/${userId}/memberships?tenantId=${encodeURIComponent(tenantId)}`);
-  }
-  async listForScope(scopeType, scopeId) {
-    return this.http.request("GET", `/api/v1/memberships/scope/${scopeType}/${scopeId}`);
-  }
-  async grant(data) {
-    return this.http.request("POST", "/api/v1/memberships", data);
-  }
-  async revoke(id) {
-    return this.http.request("DELETE", `/api/v1/memberships/${id}`);
-  }
-  async update(id, data) {
-    return this.http.request("PATCH", `/api/v1/memberships/${id}`, data);
-  }
-  async listForTenant(params) {
-    const query = new URLSearchParams();
-    if (params?.scopeType) query.set("scopeType", params.scopeType);
-    if (params?.roleName) query.set("roleName", params.roleName);
-    const qs = query.toString();
-    return this.http.request("GET", `/api/v1/memberships/tenant${qs ? `?${qs}` : ""}`);
-  }
-};
-
-// src/modules/scope.ts
-var ScopeModule = class {
-  constructor(http) {
-    this.http = http;
-  }
-  async getAvailable() {
-    return this.http.request("GET", "/api/v1/auth/available-scopes");
-  }
-  async switchScope(scopeType, scopeId) {
-    return this.http.request("POST", "/api/v1/auth/switch-scope", { scopeType, scopeId });
-  }
-};
-
-// src/modules/gdpr.ts
-var GdprModule = class {
-  constructor(http) {
-    this.http = http;
-  }
-  async exportData() {
-    return this.http.request("GET", "/api/v1/gdpr/export");
-  }
-  async deleteAccount(confirmEmail) {
-    return this.http.request("POST", "/api/v1/gdpr/delete", { confirmEmail });
-  }
-};
-
-// src/modules/pin.ts
-var PinModule = class {
-  constructor(http) {
-    this.http = http;
-  }
-  async set(pin) {
-    return this.http.request("POST", "/api/v1/pin/set", { pin });
-  }
-  async change(currentPin, newPin) {
-    return this.http.request("POST", "/api/v1/pin/change", { currentPin, newPin });
-  }
-  async remove() {
-    return this.http.request("DELETE", "/api/v1/pin");
-  }
-  async getStatus() {
-    return this.http.request("GET", "/api/v1/pin/status");
-  }
-  async login(email, pin, deviceFingerprint) {
-    const data = await this.http.request(
-      "POST",
-      "/api/v1/pin/login",
-      { email, pin, ...deviceFingerprint && { deviceFingerprint } },
-      { skipAutoRefresh: true }
-    );
-    if (data.type === "success" && data.accessToken && data.refreshToken && data.user) {
-      return {
-        status: "authenticated",
-        authMode: "token",
-        tokens: { accessToken: data.accessToken, refreshToken: data.refreshToken },
-        user: data.user
-      };
-    }
-    if (data.type === "mfa_required" && data.mfaChallengeToken) {
-      return {
-        status: "mfa_required",
-        mfaChallengeToken: data.mfaChallengeToken,
-        availableMethods: data.availableMethods || []
-      };
-    }
-    if (data.type === "tenant_selection" && data.tenantSelectionToken && data.tenants) {
-      return {
-        status: "tenant_selection",
-        tenantSelectionToken: data.tenantSelectionToken,
-        tenants: data.tenants
-      };
-    }
-    throw new Error("Unexpected PIN login response shape");
-  }
-};
-
-// src/modules/mfa.ts
-var MfaModule = class {
-  constructor(http) {
-    this.http = http;
-  }
-  async getAvailableMethods() {
-    return this.http.request("GET", "/api/v1/mfa/methods");
-  }
-  async enrollTotp() {
-    return this.http.request("POST", "/api/v1/mfa/enroll/totp");
-  }
-  async verifyTotpEnrollment(code, secret) {
-    return this.http.request("POST", "/api/v1/mfa/enroll/totp/verify", { code, secret });
-  }
-  async enrollSms(phoneNumber) {
-    return this.http.request("POST", "/api/v1/mfa/enroll/sms", { phoneNumber });
-  }
-  async verifySmsEnrollment(code, phoneNumber) {
-    return this.http.request("POST", "/api/v1/mfa/enroll/sms/verify", { code, phoneNumber });
-  }
-  async startEmailEnrollment() {
-    return this.http.request("POST", "/api/v1/mfa/enroll/email/start");
-  }
-  async verifyEmailEnrollment(code) {
-    return this.http.request("POST", "/api/v1/mfa/enroll/email/verify", { code });
-  }
-  async listEnrollments() {
-    return this.http.request("GET", "/api/v1/mfa/enrollments");
-  }
-  async setPrimaryEnrollment(enrollmentId) {
-    return this.http.request("PATCH", `/api/v1/mfa/enrollments/${enrollmentId}/primary`);
-  }
-  async deactivateEnrollment(enrollmentId) {
-    return this.http.request("DELETE", `/api/v1/mfa/enrollments/${enrollmentId}`);
-  }
-  async regenerateBackupCodes() {
-    return this.http.request("POST", "/api/v1/mfa/backup-codes/regenerate");
-  }
-  async getBackupCodeCount() {
-    return this.http.request("GET", "/api/v1/mfa/backup-codes/count");
-  }
-};
-
-// src/modules/branding.ts
-function normalizeBrandingConfig2(config) {
-  return {
-    ...config,
-    brandName: config.brandName ?? config.companyName,
-    loginHeadline: config.loginHeadline ?? config.headline ?? null,
-    loginSubheadline: config.loginSubheadline ?? config.subheadline ?? null,
-    companyName: config.companyName ?? config.brandName,
-    headline: config.headline ?? config.loginHeadline ?? null,
-    subheadline: config.subheadline ?? config.loginSubheadline ?? null
-  };
-}
-function normalizeBrandingAsset(asset) {
-  return {
-    ...asset,
-    url: asset.url ?? asset.publicUrl,
-    publicUrl: asset.publicUrl ?? asset.url
-  };
-}
-function normalizeBrandingUpdate(data) {
-  return {
-    ...data,
-    brandName: data.brandName ?? data.companyName,
-    loginHeadline: data.loginHeadline ?? data.headline,
-    loginSubheadline: data.loginSubheadline ?? data.subheadline
-  };
-}
-var BrandingModule = class {
-  constructor(http) {
-    this.http = http;
-  }
-  async get(vendorId) {
-    const config = await this.http.request("GET", `/api/v1/branding/${vendorId}`);
-    return normalizeBrandingConfig2(config);
-  }
-  async updateBranding(vendorId, data) {
-    const config = await this.http.request("PUT", `/api/v1/branding/${vendorId}`, normalizeBrandingUpdate(data));
-    return normalizeBrandingConfig2(config);
-  }
-  async publishBranding(vendorId) {
-    const config = await this.http.request("POST", `/api/v1/branding/${vendorId}/publish`);
-    return normalizeBrandingConfig2(config);
-  }
-  async unpublishBranding(vendorId) {
-    const config = await this.http.request("POST", `/api/v1/branding/${vendorId}/unpublish`);
-    return normalizeBrandingConfig2(config);
-  }
-  async resetBranding(vendorId) {
-    const config = await this.http.request("POST", `/api/v1/branding/${vendorId}/reset`);
-    return normalizeBrandingConfig2(config);
-  }
-  async uploadAsset(vendorId, data) {
-    const asset = await this.http.request("POST", `/api/v1/branding/${vendorId}/upload`, data);
-    return normalizeBrandingAsset(asset);
-  }
-  async listAssets(vendorId) {
-    const assets = await this.http.request("GET", `/api/v1/branding/${vendorId}/assets`);
-    return assets.map(normalizeBrandingAsset);
-  }
-  async deleteAsset(vendorId, assetId) {
-    return this.http.request("DELETE", `/api/v1/branding/${vendorId}/assets/${assetId}`);
-  }
-  async listDomains(vendorId) {
-    return this.http.request("GET", `/api/v1/branding/${vendorId}/domains`);
-  }
-  async addDomain(vendorId, domain) {
-    return this.http.request("POST", `/api/v1/branding/${vendorId}/domains`, { domain });
-  }
-  async removeDomain(vendorId, domainId) {
-    return this.http.request("DELETE", `/api/v1/branding/${vendorId}/domains/${domainId}`);
-  }
-};
-
-// src/client.ts
-var IQAuthClient = class _IQAuthClient {
-  constructor(config) {
-    this.config = config;
-    this.environment = _IQAuthClient.resolveEnvironment(config);
-    this._accessToken = "accessToken" in config ? config.accessToken : void 0;
-    this._refreshToken = "refreshToken" in config ? config.refreshToken : void 0;
-    this._apiKey = "apiKey" in config ? config.apiKey : void 0;
-    this.httpClient = new HttpClient({
-      baseUrl: config.baseUrl,
-      environment: this.environment,
-      getAccessToken: () => this._accessToken,
-      getRefreshToken: () => this._refreshToken,
-      getApiKey: () => this._apiKey,
-      setTokens: (tokens) => {
-        this._accessToken = tokens.accessToken;
-        this._refreshToken = tokens.refreshToken;
-      },
-      autoRefresh: "autoRefresh" in config ? config.autoRefresh !== false : true,
-      onTokenRefresh: "onTokenRefresh" in config ? config.onTokenRefresh : void 0,
-      sessionHeaderName: config.sessionHeaderName,
-      sessionHeaderValue: config.sessionHeaderValue,
-      retry: config.retry
-    });
-    this.auth = new AuthModule(this.httpClient);
-    this.tokens = new TokensModule(config.baseUrl, {
-      issuer: config.verify?.issuer,
-      audience: config.verify?.audience,
-      clockTolerance: config.verify?.clockTolerance
-    });
-    this.sessions = new SessionsModule(this.httpClient);
-    this.users = new UsersModule(this.httpClient);
-    this.permissions = new PermissionsModule(() => this.getCurrentClaims());
-    this.oidc = new OidcModule(this.httpClient, config.baseUrl, { tokens: this.tokens });
-    this.tenants = new TenantsModule(this.httpClient);
-    this.apps = new AppsModule(this.httpClient);
-    this.roles = new RolesModule(this.httpClient);
-    this.permissionGroups = new PermissionGroupsModule(this.httpClient);
-    this.apiKeys = new ApiKeysModule(this.httpClient);
-    this.invites = new InvitesModule(this.httpClient);
-    this.webhooks = new WebhooksModule(this.httpClient);
-    this.entitlements = new EntitlementsModule(this.httpClient);
-    this.vendors = new VendorsModule(this.httpClient);
-    this.sources = new SourcesModule(this.httpClient);
-    this.clients = new ClientsModule(this.httpClient);
-    this.hierarchy = new HierarchyModule(this.httpClient);
-    this.memberships = new MembershipsModule(this.httpClient);
-    this.scope = new ScopeModule(this.httpClient);
-    this.gdpr = new GdprModule(this.httpClient);
-    this.pin = new PinModule(this.httpClient);
-    this.mfa = new MfaModule(this.httpClient);
-    this.branding = new BrandingModule(this.httpClient);
-  }
-  static forBrowserSession(config) {
-    return new _IQAuthClient({ ...config, environment: "browser_session" });
-  }
-  static forServer(config) {
-    return new _IQAuthClient({ ...config, environment: "server" });
-  }
-  static forMobile(config) {
-    return new _IQAuthClient({ ...config, environment: "mobile" });
-  }
-  static forService(config) {
-    return new _IQAuthClient({ ...config, environment: "service" });
-  }
-  setTokens(tokens) {
-    this._accessToken = tokens.accessToken;
-    this._refreshToken = tokens.refreshToken;
-  }
-  getAccessToken() {
-    return this._accessToken;
-  }
-  getRefreshToken() {
-    return this._refreshToken;
-  }
-  getCurrentClaims() {
-    if (!this._accessToken) return null;
-    return this.tokens.decode(this._accessToken);
-  }
-  static resolveEnvironment(config) {
-    if (config.environment) return config.environment;
-    if (config.apiKey) return "service";
-    return "server";
-  }
-};
-
 // src/next.ts
 function readCookieFromHeader(header, name) {
   if (!header) return void 0;
@@ -2068,7 +551,7 @@ function handler(options) {
     if (action === "signout") {
       const auth = req.headers.get("authorization");
       const accessToken = auth && auth.replace(/^Bearer /i, "") || readCookieFromHeader(cookieHeader, accessCookie);
-      return toResponse(await handleSignout(helperConfig, { accessToken }));
+      return toResponse(await handleSignout(helperConfig, { accessToken, ssoCookieHeader: cookieHeader ?? void 0 }));
     }
     return new Response(JSON.stringify({ success: false, error: { code: "NOT_FOUND", message: `Unknown action: ${action}` } }), {
       status: 404,
@@ -2080,7 +563,7 @@ function createMiddleware(options) {
   const parsed = assertPublishableKey(options.publishableKey, { context: "@iqauth/sdk/next createMiddleware" });
   const issuer = (options.issuer ?? (parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`)).replace(/\/+$/, "");
   const accessCookie = options.accessCookieName ?? "iqauth_at";
-  const client = new IQAuthClient({ baseUrl: issuer, environment: "server" });
+  const tokens = new TokensModule(issuer);
   return async (req) => {
     const auth = req.headers.get("authorization");
     let token;
@@ -2093,7 +576,7 @@ function createMiddleware(options) {
       });
     }
     try {
-      await client.tokens.verify(token);
+      await tokens.verify(token);
       return void 0;
     } catch (err) {
       const code = err.code || "TOKEN_INVALID";
@@ -2122,9 +605,9 @@ async function getAuth(options) {
   }
   const token = cookieJar?.get(accessCookie)?.value;
   if (!token) return null;
-  const client = new IQAuthClient({ baseUrl: issuer, environment: "server" });
+  const tokens = new TokensModule(issuer);
   try {
-    return await client.tokens.verify(token);
+    return await tokens.verify(token);
   } catch {
     return null;
   }