@iqauth/sdk 2.3.0 → 2.5.0

package/dist/test.js

@@ -0,0 +1,289 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/test.ts
+var test_exports = {};
+__export(test_exports, {
+  createTestIssuer: () => createTestIssuer
+});
+module.exports = __toCommonJS(test_exports);
+var import_http = require("http");
+var import_crypto = require("crypto");
+var import_jsonwebtoken = __toESM(require("jsonwebtoken"));
+
+// src/publishableKey.ts
+function b64urlEncode(input) {
+  if (typeof btoa === "function") {
+    const bytes = new TextEncoder().encode(input);
+    let bin = "";
+    for (let i = 0; i < bytes.byteLength; i++) bin += String.fromCharCode(bytes[i]);
+    return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+  }
+  const { Buffer: Buffer2 } = require("buffer");
+  return Buffer2.from(input, "utf8").toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+}
+function encodePublishableKey(mode, payload) {
+  if (mode !== "test" && mode !== "live") throw new Error(`Invalid mode: ${mode}`);
+  return `pk_${mode}_${b64urlEncode(JSON.stringify(payload))}`;
+}
+
+// src/test.ts
+function jwkFromPublicKey(publicKey, kid) {
+  const jwk = publicKey.export({ format: "jwk" });
+  return { kty: "RSA", use: "sig", alg: "RS256", kid, n: jwk.n, e: jwk.e };
+}
+function readBody(req) {
+  return new Promise((resolve, reject) => {
+    const chunks = [];
+    req.on("data", (c) => chunks.push(c));
+    req.on("end", () => resolve(Buffer.concat(chunks).toString("utf8")));
+    req.on("error", reject);
+  });
+}
+function parseFormOrJson(raw, contentType) {
+  if (!raw) return {};
+  if (contentType && contentType.includes("application/json")) {
+    try {
+      const obj = JSON.parse(raw);
+      const out2 = {};
+      for (const [k, v] of Object.entries(obj || {})) {
+        if (typeof v === "string") out2[k] = v;
+        else if (v != null) out2[k] = String(v);
+      }
+      return out2;
+    } catch {
+      return {};
+    }
+  }
+  const out = {};
+  for (const part of raw.split("&")) {
+    if (!part) continue;
+    const eq = part.indexOf("=");
+    const k = decodeURIComponent(eq === -1 ? part : part.slice(0, eq)).replace(/\+/g, " ");
+    const v = eq === -1 ? "" : decodeURIComponent(part.slice(eq + 1)).replace(/\+/g, " ");
+    out[k] = v;
+  }
+  return out;
+}
+function send(res, status, body, headers = {}) {
+  const payload = typeof body === "string" ? body : JSON.stringify(body);
+  res.writeHead(status, {
+    "Content-Type": typeof body === "string" ? "text/plain; charset=utf-8" : "application/json; charset=utf-8",
+    "Content-Length": Buffer.byteLength(payload),
+    ...headers
+  });
+  res.end(payload);
+}
+async function createTestIssuer(options = {}) {
+  const host = options.host ?? "127.0.0.1";
+  const port = options.port ?? 0;
+  const tenantId = options.tenantId ?? "tenant-test";
+  const appId = options.appId ?? "app-test";
+  const kid = options.kid ?? `test-${(0, import_crypto.randomBytes)(6).toString("hex")}`;
+  const defaultAudience = options.defaultAudience ?? ["dispositioniq"];
+  const { privateKey, publicKey } = (0, import_crypto.generateKeyPairSync)("rsa", {
+    modulusLength: 2048,
+    publicKeyEncoding: { type: "spki", format: "pem" },
+    privateKeyEncoding: { type: "pkcs8", format: "pem" }
+  });
+  const publicKeyObj = (0, import_crypto.createPublicKey)(publicKey);
+  const jwk = jwkFromPublicKey(publicKeyObj, kid);
+  const pendingCodes = /* @__PURE__ */ new Map();
+  let baseUrl = "";
+  const buildToken = (opts) => {
+    const payload = {
+      sub: opts.sub ?? "test-user",
+      email: opts.email ?? "test@example.com",
+      name: opts.name ?? "Test User",
+      tenantId: opts.tenantId ?? tenantId,
+      vendorId: opts.vendorId ?? null,
+      roles: opts.roles ?? [],
+      entitlements: opts.entitlements ?? [],
+      sessionId: opts.sessionId ?? `sess-${(0, import_crypto.randomBytes)(4).toString("hex")}`,
+      jti: opts.jti ?? `jti-${(0, import_crypto.randomBytes)(4).toString("hex")}`
+    };
+    if (opts.scopeContext !== void 0) payload.scopeContext = opts.scopeContext;
+    if (opts.loginMethod !== void 0) payload.loginMethod = opts.loginMethod;
+    for (const [k, v] of Object.entries(opts)) {
+      if (["sub", "email", "name", "tenantId", "vendorId", "roles", "entitlements", "sessionId", "jti", "scopeContext", "loginMethod", "audience", "issuer", "expiresInSeconds", "iat"].includes(k))
+        continue;
+      payload[k] = v;
+    }
+    const audience = opts.audience ?? defaultAudience;
+    const issuer = opts.issuer ?? baseUrl;
+    const expiresIn = opts.expiresInSeconds ?? 900;
+    const signOpts = {
+      algorithm: "RS256",
+      keyid: kid,
+      issuer,
+      audience
+    };
+    if (opts.iat !== void 0) {
+      payload.iat = opts.iat;
+      payload.exp = opts.iat + expiresIn;
+    } else {
+      signOpts.expiresIn = expiresIn;
+    }
+    return import_jsonwebtoken.default.sign(payload, privateKey, signOpts);
+  };
+  const handler = async (req, res) => {
+    try {
+      const url = new URL(req.url || "/", baseUrl || `http://${host}`);
+      const path = url.pathname;
+      if (req.method === "OPTIONS") {
+        res.writeHead(204, {
+          "Access-Control-Allow-Origin": "*",
+          "Access-Control-Allow-Methods": "GET,POST,OPTIONS",
+          "Access-Control-Allow-Headers": "Authorization,Content-Type"
+        });
+        return res.end();
+      }
+      const cors = { "Access-Control-Allow-Origin": "*" };
+      if (req.method === "GET" && path === "/.well-known/openid-configuration") {
+        return send(res, 200, {
+          issuer: baseUrl,
+          jwks_uri: `${baseUrl}/.well-known/jwks.json`,
+          authorization_endpoint: `${baseUrl}/oidc/authorize`,
+          token_endpoint: `${baseUrl}/oidc/token`,
+          userinfo_endpoint: `${baseUrl}/api/v1/auth/me`,
+          response_types_supported: ["code"],
+          grant_types_supported: ["authorization_code", "refresh_token"],
+          subject_types_supported: ["public"],
+          id_token_signing_alg_values_supported: ["RS256"],
+          code_challenge_methods_supported: ["S256"]
+        }, cors);
+      }
+      if (req.method === "GET" && path === "/.well-known/jwks.json") {
+        return send(res, 200, { keys: [jwk] }, { ...cors, "Cache-Control": "public, max-age=3600" });
+      }
+      if (req.method === "POST" && path === "/oidc/token") {
+        const raw = await readBody(req);
+        const params = parseFormOrJson(raw, req.headers["content-type"]);
+        const grant = params.grant_type;
+        if (grant === "authorization_code") {
+          const code = params.code;
+          const pending = code ? pendingCodes.get(code) : void 0;
+          if (!pending) {
+            return send(res, 400, { error: "invalid_grant", error_description: "Unknown or expired code" }, cors);
+          }
+          pendingCodes.delete(code);
+          const accessToken = buildToken(pending.claims);
+          return send(res, 200, {
+            access_token: accessToken,
+            refresh_token: pending.refreshToken,
+            id_token: accessToken,
+            token_type: "Bearer",
+            expires_in: pending.claims.expiresInSeconds ?? 900
+          }, cors);
+        }
+        if (grant === "refresh_token") {
+          const accessToken = buildToken({ sub: "test-user" });
+          return send(res, 200, {
+            access_token: accessToken,
+            refresh_token: params.refresh_token || `rt-${(0, import_crypto.randomBytes)(8).toString("hex")}`,
+            token_type: "Bearer",
+            expires_in: 900
+          }, cors);
+        }
+        return send(res, 400, { error: "unsupported_grant_type" }, cors);
+      }
+      if (req.method === "GET" && path === "/api/v1/auth/me") {
+        const auth = req.headers.authorization || "";
+        if (!/^Bearer /i.test(auth)) {
+          return send(res, 401, { success: false, error: { code: "TOKEN_INVALID", message: "Missing bearer" } }, cors);
+        }
+        const token = auth.slice(7).trim();
+        try {
+          const decoded = import_jsonwebtoken.default.verify(token, publicKey, {
+            algorithms: ["RS256"],
+            issuer: baseUrl,
+            audience: defaultAudience
+          });
+          return send(res, 200, {
+            success: true,
+            data: {
+              id: decoded.sub,
+              email: decoded.email,
+              name: decoded.name,
+              tenantId: decoded.tenantId,
+              roles: decoded.roles,
+              entitlements: decoded.entitlements
+            }
+          }, cors);
+        } catch (err) {
+          const msg = err instanceof Error ? err.message : "verify failed";
+          return send(res, 401, { success: false, error: { code: "TOKEN_INVALID", message: msg } }, cors);
+        }
+      }
+      send(res, 404, { error: "not_found", path }, cors);
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : "internal error";
+      send(res, 500, { error: "internal", message: msg });
+    }
+  };
+  const server = (0, import_http.createServer)((req, res) => {
+    void handler(req, res);
+  });
+  await new Promise((resolve, reject) => {
+    server.once("error", reject);
+    server.listen(port, host, () => {
+      server.off("error", reject);
+      resolve();
+    });
+  });
+  const addr = server.address();
+  const boundPort = typeof addr === "object" && addr ? addr.port : port;
+  baseUrl = `http://${host}:${boundPort}`;
+  const publishableKey = encodePublishableKey("test", {
+    iss: baseUrl,
+    appId,
+    tenantId,
+    kid
+  });
+  return {
+    baseUrl,
+    publishableKey,
+    kid,
+    publicKey,
+    mintToken: (opts = {}) => buildToken(opts),
+    mintAuthCode: (opts = {}) => {
+      const code = `code-${(0, import_crypto.randomBytes)(12).toString("hex")}`;
+      const refreshToken = opts.refreshToken ?? `rt-${(0, import_crypto.randomBytes)(12).toString("hex")}`;
+      pendingCodes.set(code, { claims: opts, refreshToken });
+      return code;
+    },
+    close: () => new Promise((resolve, reject) => {
+      server.close((err) => err ? reject(err) : resolve());
+    })
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createTestIssuer
+});

package/dist/test.mjs

@@ -0,0 +1,9 @@
+import {
+  createTestIssuer
+} from "./chunk-MKKZULZR.mjs";
+import "./chunk-WQWBJSSS.mjs";
+import "./chunk-6I6RM4MN.mjs";
+import "./chunk-Y6FXYEAI.mjs";
+export {
+  createTestIssuer
+};

package/dist/tokens-DCyzzn8L.d.mts

@@ -0,0 +1,63 @@
+import { J as JwtClaims } from './types-DZAflmmq.mjs';
+
+/**
+ * SOURCE REFS:
+ * - Route file: src/services/token.service.ts (RS256, issuer "auth.dispositioniq.com", audience array)
+ * - Route file: src/routes/wellknown.routes.ts (JWKS endpoint /.well-known/jwks.json)
+ * - Route file: src/lib/crypto.ts (key rotation with kid)
+ * - Verified claims: sub, email, name, tenantId, vendorId, roles, entitlements, sessionId, jti, iss, aud, exp, iat, scopeContext, loginMethod
+ * - Last verified: Phase 0 Research Summary
+ *
+ * 2.3.0: Verify path swapped from `jsonwebtoken` (which depends on
+ * `node:crypto`) to `jose` so the SDK works on Next.js / Vercel / Cloudflare
+ * edge runtimes. Edge has only Web Crypto, so every call from a Next
+ * middleware previously threw and was wrapped as `TOKEN_INVALID`,
+ * indistinguishable from a real bad token. We keep our own JWKS fetch +
+ * cache to preserve INTERNAL_ERROR mapping for malformed JWKS payloads and
+ * to keep the kid-aware "Unknown key ID" diagnostic.
+ */
+
+declare const DEFAULT_TOKEN_ISSUER: string[];
+declare const DEFAULT_TOKEN_AUDIENCE: string[];
+declare const DEFAULT_CLOCK_TOLERANCE_SECONDS = 30;
+interface TokenVerifyOptions {
+    issuer?: string | string[];
+    audience?: string | string[];
+    clockTolerance?: number;
+    algorithms?: string[];
+}
+interface TokensModuleOptions {
+    issuer?: string | string[];
+    audience?: string | string[];
+    clockTolerance?: number;
+}
+declare class TokensModule {
+    private baseUrl;
+    private jwksCache;
+    private inFlightRefresh;
+    private defaultIssuer;
+    private defaultAudience;
+    private defaultClockTolerance;
+    constructor(baseUrl: string, options?: TokensModuleOptions);
+    /**
+     * Verify a JWT access token using RS256/ES256 via JWKS from
+     * `/.well-known/jwks.json`. Backed by `jose` (Web Crypto) so it runs on
+     * Node, browser, and edge runtimes alike — no `node:crypto` dependency.
+     * Caches JWKS for 1 hour and refetches once on unknown `kid`.
+     */
+    verify(token: string, options?: TokenVerifyOptions): Promise<JwtClaims>;
+    /**
+     * Decode a JWT without verification. Returns null if malformed.
+     */
+    decode(token: string): JwtClaims | null;
+    /** Check if a token is expired based on the `exp` claim. */
+    isExpired(token: string): boolean;
+    /** Get the claims from a token without verification. */
+    getClaims(token: string): JwtClaims;
+    private ensureCache;
+    private refreshJwks;
+    /** @internal Exposed for testing — clears JWKS cache */
+    clearCache(): void;
+}
+
+export { DEFAULT_TOKEN_ISSUER as D, TokensModule as T, DEFAULT_TOKEN_AUDIENCE as a, DEFAULT_CLOCK_TOLERANCE_SECONDS as b, type TokenVerifyOptions as c, type TokensModuleOptions as d };

package/dist/tokens-aHiGFr_E.d.ts

@@ -0,0 +1,63 @@
+import { J as JwtClaims } from './types-DZAflmmq.js';
+
+/**
+ * SOURCE REFS:
+ * - Route file: src/services/token.service.ts (RS256, issuer "auth.dispositioniq.com", audience array)
+ * - Route file: src/routes/wellknown.routes.ts (JWKS endpoint /.well-known/jwks.json)
+ * - Route file: src/lib/crypto.ts (key rotation with kid)
+ * - Verified claims: sub, email, name, tenantId, vendorId, roles, entitlements, sessionId, jti, iss, aud, exp, iat, scopeContext, loginMethod
+ * - Last verified: Phase 0 Research Summary
+ *
+ * 2.3.0: Verify path swapped from `jsonwebtoken` (which depends on
+ * `node:crypto`) to `jose` so the SDK works on Next.js / Vercel / Cloudflare
+ * edge runtimes. Edge has only Web Crypto, so every call from a Next
+ * middleware previously threw and was wrapped as `TOKEN_INVALID`,
+ * indistinguishable from a real bad token. We keep our own JWKS fetch +
+ * cache to preserve INTERNAL_ERROR mapping for malformed JWKS payloads and
+ * to keep the kid-aware "Unknown key ID" diagnostic.
+ */
+
+declare const DEFAULT_TOKEN_ISSUER: string[];
+declare const DEFAULT_TOKEN_AUDIENCE: string[];
+declare const DEFAULT_CLOCK_TOLERANCE_SECONDS = 30;
+interface TokenVerifyOptions {
+    issuer?: string | string[];
+    audience?: string | string[];
+    clockTolerance?: number;
+    algorithms?: string[];
+}
+interface TokensModuleOptions {
+    issuer?: string | string[];
+    audience?: string | string[];
+    clockTolerance?: number;
+}
+declare class TokensModule {
+    private baseUrl;
+    private jwksCache;
+    private inFlightRefresh;
+    private defaultIssuer;
+    private defaultAudience;
+    private defaultClockTolerance;
+    constructor(baseUrl: string, options?: TokensModuleOptions);
+    /**
+     * Verify a JWT access token using RS256/ES256 via JWKS from
+     * `/.well-known/jwks.json`. Backed by `jose` (Web Crypto) so it runs on
+     * Node, browser, and edge runtimes alike — no `node:crypto` dependency.
+     * Caches JWKS for 1 hour and refetches once on unknown `kid`.
+     */
+    verify(token: string, options?: TokenVerifyOptions): Promise<JwtClaims>;
+    /**
+     * Decode a JWT without verification. Returns null if malformed.
+     */
+    decode(token: string): JwtClaims | null;
+    /** Check if a token is expired based on the `exp` claim. */
+    isExpired(token: string): boolean;
+    /** Get the claims from a token without verification. */
+    getClaims(token: string): JwtClaims;
+    private ensureCache;
+    private refreshJwks;
+    /** @internal Exposed for testing — clears JWKS cache */
+    clearCache(): void;
+}
+
+export { DEFAULT_TOKEN_ISSUER as D, TokensModule as T, DEFAULT_TOKEN_AUDIENCE as a, DEFAULT_CLOCK_TOLERANCE_SECONDS as b, type TokenVerifyOptions as c, type TokensModuleOptions as d };

package/dist/types-6bNdxesb.d.mts

@@ -0,0 +1,196 @@
+/**
+ * Catalog of all localizable strings used by the IQAuth SDK UI components and
+ * hosted auth pages. The shape is defined as a strict interface so missing
+ * keys in a contributed locale produce a TypeScript compile error.
+ *
+ * Strings may contain `{placeholder}` tokens that are interpolated at render
+ * time via `t(bundle, key, vars)`.
+ */
+interface IQAuthLocaleBundle {
+    /** BCP-47 tag for this bundle (e.g. "en-US", "fr-FR"). */
+    locale: string;
+    "common.loading": string;
+    "common.submitting": string;
+    "common.cancel": string;
+    "common.continue": string;
+    "common.back": string;
+    "common.close": string;
+    "common.save": string;
+    "common.saving": string;
+    "common.delete": string;
+    "common.confirm": string;
+    "common.email": string;
+    "common.password": string;
+    "common.name": string;
+    "common.or": string;
+    "common.required": string;
+    "common.optional": string;
+    "common.retry": string;
+    "signIn.title": string;
+    "signIn.subtitle": string;
+    "signIn.titleWithApp": string;
+    "signIn.emailLabel": string;
+    "signIn.emailPlaceholder": string;
+    "signIn.passwordLabel": string;
+    "signIn.passwordPlaceholder": string;
+    "signIn.submit": string;
+    "signIn.submitting": string;
+    "signIn.continueWithGoogle": string;
+    "signIn.continueWithMagicLink": string;
+    "signIn.continueWithPasskey": string;
+    "signIn.forgotPassword": string;
+    "signIn.noAccount": string;
+    "signIn.signUp": string;
+    "signIn.resumingSession": string;
+    "signIn.useDifferentAccount": string;
+    "signIn.selectTenant": string;
+    "signIn.selectTenantSubtitle": string;
+    "signIn.dividerOr": string;
+    "signIn.preparingExperience": string;
+    "signIn.applicationUnavailable": string;
+    "signIn.applicationNotFound": string;
+    "signIn.invalidRedirect": string;
+    "signIn.returnUrlNotRegistered": string;
+    "signIn.welcomeBackName": string;
+    "signIn.oneMomentResume": string;
+    "signIn.notYouUseDifferent": string;
+    "signIn.chooseWorkspace": string;
+    "signIn.pickTenantToSignIn": string;
+    "signIn.subtitleHosted": string;
+    "signIn.createAccount": string;
+    "signIn.couldntResume": string;
+    "signUp.title": string;
+    "signUp.subtitle": string;
+    "signUp.nameLabel": string;
+    "signUp.namePlaceholder": string;
+    "signUp.emailLabel": string;
+    "signUp.passwordLabel": string;
+    "signUp.passwordHint": string;
+    "signUp.submit": string;
+    "signUp.submitting": string;
+    "signUp.haveAccount": string;
+    "signUp.signIn": string;
+    "signUp.tenantNameLabel": string;
+    "signUp.tenantNamePlaceholder": string;
+    "signUp.legal": string;
+    "forgotPassword.title": string;
+    "forgotPassword.subtitle": string;
+    "forgotPassword.submit": string;
+    "forgotPassword.submitting": string;
+    "forgotPassword.sent": string;
+    "forgotPassword.backToSignIn": string;
+    "resetPassword.title": string;
+    "resetPassword.newPasswordLabel": string;
+    "resetPassword.confirmPasswordLabel": string;
+    "resetPassword.submit": string;
+    "resetPassword.submitting": string;
+    "resetPassword.success": string;
+    "resetPassword.mismatch": string;
+    "mfa.title": string;
+    "mfa.subtitle": string;
+    "mfa.totpLabel": string;
+    "mfa.totpPlaceholder": string;
+    "mfa.smsLabel": string;
+    "mfa.emailLabel": string;
+    "mfa.submit": string;
+    "mfa.submitting": string;
+    "mfa.useBackupCode": string;
+    "mfa.useAuthenticator": string;
+    "mfa.useSms": string;
+    "mfa.useEmail": string;
+    "mfa.resend": string;
+    "mfa.resent": string;
+    "mfa.backupCodeLabel": string;
+    "userButton.signedInAs": string;
+    "userButton.manageAccount": string;
+    "userButton.switchOrg": string;
+    "userButton.signOut": string;
+    "userProfile.title": string;
+    "userProfile.profileTab": string;
+    "userProfile.securityTab": string;
+    "userProfile.sessionsTab": string;
+    "userProfile.linkedAccountsTab": string;
+    "userProfile.changeName": string;
+    "userProfile.changeEmail": string;
+    "userProfile.changePassword": string;
+    "userProfile.currentPassword": string;
+    "userProfile.newPassword": string;
+    "userProfile.confirmPassword": string;
+    "userProfile.passwordUpdated": string;
+    "userProfile.mfaSection": string;
+    "userProfile.mfaEnable": string;
+    "userProfile.mfaDisable": string;
+    "userProfile.sessionsSection": string;
+    "userProfile.revokeSession": string;
+    "userProfile.revokeAllOthers": string;
+    "userProfile.thisDevice": string;
+    "userProfile.sessionsEmpty": string;
+    "userProfile.linkedAccountsEmpty": string;
+    "userProfile.connectGoogle": string;
+    "userProfile.disconnect": string;
+    "orgSwitcher.label": string;
+    "orgSwitcher.personal": string;
+    "orgSwitcher.createNew": string;
+    "orgSwitcher.manage": string;
+    "orgSwitcher.noOrgs": string;
+    "orgProfile.title": string;
+    "orgProfile.generalTab": string;
+    "orgProfile.membersTab": string;
+    "orgProfile.invitationsTab": string;
+    "orgProfile.dangerTab": string;
+    "orgProfile.invite": string;
+    "orgProfile.inviteEmailLabel": string;
+    "orgProfile.inviteRoleLabel": string;
+    "orgProfile.inviteSend": string;
+    "orgProfile.inviteSent": string;
+    "orgProfile.removeMember": string;
+    "orgProfile.deleteOrg": string;
+    "orgProfile.deleteOrgConfirm": string;
+    "createOrg.title": string;
+    "createOrg.nameLabel": string;
+    "createOrg.submit": string;
+    "createOrg.submitting": string;
+    "waitlist.title": string;
+    "waitlist.subtitle": string;
+    "waitlist.submit": string;
+    "waitlist.submitting": string;
+    "waitlist.success": string;
+    "impersonation.banner": string;
+    "impersonation.exit": string;
+    "magicLink.title": string;
+    "magicLink.subtitle": string;
+    "magicLink.resend": string;
+    "magicLink.changeEmail": string;
+    "errors.generic": string;
+    "errors.network": string;
+    "errors.invalidCredentials": string;
+    "errors.userNotFound": string;
+    "errors.emailInUse": string;
+    "errors.weakPassword": string;
+    "errors.mfaInvalid": string;
+    "errors.mfaExpired": string;
+    "errors.tooManyAttempts": string;
+    "errors.sessionExpired": string;
+    "errors.permissionDenied": string;
+    "errors.notFound": string;
+    "errors.serverError": string;
+    "errors.invalidEmail": string;
+    "errors.passwordTooShort": string;
+    "errors.required": string;
+    "errors.invitationInvalid": string;
+    "validation.emailRequired": string;
+    "validation.emailInvalid": string;
+    "validation.passwordRequired": string;
+    "validation.nameRequired": string;
+    "validation.codeRequired": string;
+    "validation.codeInvalid": string;
+}
+type IQAuthLocaleKey = keyof Omit<IQAuthLocaleBundle, "locale">;
+/**
+ * A partial bundle (used for the `localization` prop on IQAuthProvider) that
+ * may override a subset of keys; missing keys fall back to the default
+ * (en-US) bundle.
+ */
+type IQAuthLocaleOverride = Partial<IQAuthLocaleBundle>;
+
+export type { IQAuthLocaleBundle as I, IQAuthLocaleOverride as a, IQAuthLocaleKey as b };