@keycardai/express 0.1.0 → 0.3.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Keycard
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/dist/cjs/grant.d.ts

@@ -2,6 +2,7 @@ import type { RequestHandler } from "express";
 import { AccessContext } from "@keycardai/oauth/server/accessContext";
 import type { ApplicationCredential } from "@keycardai/oauth/credentials";
 import type { AuthenticatedRequest } from "./bearerAuth.js";
+import type { AccessToken } from "@keycardai/oauth/server/accessToken";
 export interface GrantedRequest extends AuthenticatedRequest {
     accessContext: AccessContext;
 }
@@ -12,13 +13,24 @@ export interface GrantOptions {
      */
     zoneUrl?: string;
     /**
-     * Keycard zone ID. Constructs the zone URL as
-     * `https://{zoneId}.keycard.cloud`.
+     * Keycard zone ID, or a function that resolves it from the verified
+     * access token at request time. Use the function form for multi-zone
+     * deployments where each request may target a different zone.
+     *
+     * ```ts
+     * // Static zone
+     * grant(resources, { zoneId: "zone-abc" });
+     *
+     * // Dynamic zone extracted from the token's clientId
+     * grant(resources, { zoneId: (auth) => auth.clientId });
+     * ```
      */
-    zoneId?: string;
+    zoneId?: string | ((auth: AccessToken) => string);
     /**
      * Application credential provider for authenticated token exchange.
-     * When omitted, the bearer token is exchanged without client auth.
+     * For multi-zone deployments, pass a `ClientSecret` constructed with a
+     * `Record<zoneId, [clientId, clientSecret]>` so the correct credentials
+     * are selected per request.
      */
     applicationCredential?: ApplicationCredential;
 }

package/dist/cjs/grant.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"grant.d.ts","sourceRoot":"","sources":["../../src/grant.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAmC,cAAc,EAAE,MAAM,SAAS,CAAC;AAE/E,OAAO,EAAE,aAAa,EAAE,MAAM,uCAAuC,CAAC;AACtE,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AAE1E,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAG5D,MAAM,WAAW,cAAe,SAAQ,oBAAoB;IAC1D,aAAa,EAAE,aAAa,CAAC;CAC9B;AAED,MAAM,WAAW,YAAY;IAC3B;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,qBAAqB,CAAC,EAAE,qBAAqB,CAAC;CAC/C;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,KAAK,CACnB,SAAS,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,EACrC,OAAO,EAAE,YAAY,GACpB,cAAc,CA2EhB"}
+{"version":3,"file":"grant.d.ts","sourceRoot":"","sources":["../../src/grant.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAmC,cAAc,EAAE,MAAM,SAAS,CAAC;AAE/E,OAAO,EAAE,aAAa,EAAE,MAAM,uCAAuC,CAAC;AACtE,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AAE1E,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAC5D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qCAAqC,CAAC;AAGvE,MAAM,WAAW,cAAe,SAAQ,oBAAoB;IAC1D,aAAa,EAAE,aAAa,CAAC;CAC9B;AAED,MAAM,WAAW,YAAY;IAC3B;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;;;;;;;;;;OAYG;IACH,MAAM,CAAC,EAAE,MAAM,GAAG,CAAC,CAAC,IAAI,EAAE,WAAW,KAAK,MAAM,CAAC,CAAC;IAClD;;;;;OAKG;IACH,qBAAqB,CAAC,EAAE,qBAAqB,CAAC;CAC/C;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,KAAK,CACnB,SAAS,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,EACrC,OAAO,EAAE,YAAY,GACpB,cAAc,CAuGhB"}

package/dist/cjs/grant.js

@@ -25,10 +25,16 @@ const errors_1 = require("@keycardai/oauth/errors");
  * ```
  */
 function grant(resources, options) {
-    const zoneUrl = options.zoneUrl ?? buildZoneUrl(options.zoneId);
-    if (!zoneUrl) {
+    // Validate at construction time that a zone is specified.
+    const hasZoneOption = !!(options.zoneUrl || options.zoneId);
+    if (!hasZoneOption) {
         throw new errors_1.AuthProviderConfigurationError("grant: either `zoneUrl` or `zoneId` is required");
     }
+    // Cache TokenExchangeClient instances keyed by resolved zone URL.
+    // One client per zone amortizes AS discovery (GET /.well-known/) across
+    // requests — the TokenExchangeClient already caches the token_endpoint
+    // internally after the first discovery call.
+    const clientCache = new Map();
     return async (req, _res, next) => {
         const authReq = req;
         const subjectToken = authReq.auth?.token;
@@ -40,19 +46,35 @@ function grant(resources, options) {
             req.accessContext = accessCtx;
             return next();
         }
-        let client;
+        // Resolve zone at request time — zoneId may be a static string or a
+        // function that extracts the zone from the verified access token.
+        let resolvedZoneId;
         try {
-            const auth = options.applicationCredential?.getAuth();
-            client = new tokenExchange_1.TokenExchangeClient(zoneUrl, auth ?? undefined);
+            resolvedZoneId =
+                typeof options.zoneId === "function"
+                    ? options.zoneId(authReq.auth)
+                    : options.zoneId;
         }
         catch (e) {
-            accessCtx.setError({
-                message: "Failed to initialize token exchange client.",
-                rawError: String(e),
-            });
+            return next(e);
+        }
+        const resolvedZoneUrl = options.zoneUrl ?? buildZoneUrl(resolvedZoneId);
+        if (!resolvedZoneUrl) {
+            accessCtx.setError({ message: "Could not resolve zone URL for this request." });
             req.accessContext = accessCtx;
             return next();
         }
+        // Look up or create a cached client for this zone.
+        let client = clientCache.get(resolvedZoneUrl);
+        if (!client) {
+            // Pass the credential directly so TokenExchangeClient can call
+            // getAuth(zoneId) at exchange time, enabling multi-zone credential
+            // routing without pre-resolving credentials here.
+            client = new tokenExchange_1.TokenExchangeClient(resolvedZoneUrl, {
+                credential: options.applicationCredential,
+            });
+            clientCache.set(resolvedZoneUrl, client);
+        }
         const resourceList = Array.isArray(resources)
             ? resources
             : [resources];
@@ -61,7 +83,7 @@ function grant(resources, options) {
             try {
                 let exchangeRequest;
                 if (options.applicationCredential) {
-                    exchangeRequest = await options.applicationCredential.prepareTokenExchangeRequest(subjectToken, resource);
+                    exchangeRequest = await options.applicationCredential.prepareTokenExchangeRequest(subjectToken, resource, { zoneId: resolvedZoneId });
                 }
                 else {
                     exchangeRequest = {
@@ -70,7 +92,9 @@ function grant(resources, options) {
                         subjectTokenType: "urn:ietf:params:oauth:token-type:access_token",
                     };
                 }
-                tokens[resource] = await client.exchangeToken(exchangeRequest);
+                tokens[resource] = await client.exchangeToken(exchangeRequest, {
+                    zoneId: resolvedZoneId,
+                });
             }
             catch (e) {
                 const detail = {

package/dist/cjs/grant.js.map

@@ -1 +1 @@
-{"version":3,"file":"grant.js","sourceRoot":"","sources":["../../src/grant.ts"],"names":[],"mappings":";;AAkDA,sBA8EC;AA/HD,kEAAqE;AACrE,yEAAsE;AAEtE,oDAAqF;AA0BrF;;;;;;;;;;;;;;;;;;;GAmBG;AACH,SAAgB,KAAK,CACnB,SAAqC,EACrC,OAAqB;IAErB,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,YAAY,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAChE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,uCAA8B,CACtC,iDAAiD,CAClD,CAAC;IACJ,CAAC;IAED,OAAO,KAAK,EAAE,GAAY,EAAE,IAAc,EAAE,IAAkB,EAAE,EAAE;QAChE,MAAM,OAAO,GAAG,GAA2B,CAAC;QAC5C,MAAM,YAAY,GAAG,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC;QAEzC,MAAM,SAAS,GAAG,IAAI,6BAAa,EAAE,CAAC;QAEtC,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,SAAS,CAAC,QAAQ,CAAC;gBACjB,OAAO,EACL,0EAA0E;aAC7E,CAAC,CAAC;YACF,GAAsB,CAAC,aAAa,GAAG,SAAS,CAAC;YAClD,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QAED,IAAI,MAA2B,CAAC;QAChC,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,OAAO,CAAC,qBAAqB,EAAE,OAAO,EAAE,CAAC;YACtD,MAAM,GAAG,IAAI,mCAAmB,CAAC,OAAO,EAAE,IAAI,IAAI,SAAS,CAAC,CAAC;QAC/D,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,SAAS,CAAC,QAAQ,CAAC;gBACjB,OAAO,EAAE,6CAA6C;gBACtD,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC;aACpB,CAAC,CAAC;YACF,GAAsB,CAAC,aAAa,GAAG,SAAS,CAAC;YAClD,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QAED,MAAM,YAAY,GAAG,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC;YAC3C,CAAC,CAAC,SAAS;YACX,CAAC,CAAC,CAAC,SAAmB,CAAC,CAAC;QAC1B,MAAM,MAAM,GAAkC,EAAE,CAAC;QAEjD,KAAK,MAAM,QAAQ,IAAI,YAAY,EAAE,CAAC;YACpC,IAAI,CAAC;gBACH,IAAI,eAAe,CAAC;gBACpB,IAAI,OAAO,CAAC,qBAAqB,EAAE,CAAC;oBAClC,eAAe,GAAG,MAAM,OAAO,CAAC,qBAAqB,CAAC,2BAA2B,CAC/E,YAAY,EACZ,QAAQ,CACT,CAAC;gBACJ,CAAC;qBAAM,CAAC;oBACN,eAAe,GAAG;wBAChB,YAAY;wBACZ,QAAQ;wBACR,gBAAgB,EAAE,+CAAwD;qBAC3E,CAAC;gBACJ,CAAC;gBACD,MAAM,CAAC,QAAQ,CAAC,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,eAAe,CAAC,CAAC;YACjE,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,MAAM,MAAM,GAAgF;oBAC1F,OAAO,EAAE,6BAA6B,QAAQ,EAAE;iBACjD,CAAC;gBACF,IAAI,CAAC,YAAY,mBAAU,EAAE,CAAC;oBAC5B,MAAM,CAAC,IAAI,GAAG,CAAC,CAAC,SAAS,CAAC;oBAC1B,MAAM,CAAC,WAAW,GAAG,CAAC,CAAC,OAAO,CAAC;gBACjC,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;gBAC9B,CAAC;gBACD,SAAS,CAAC,gBAAgB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YAC/C,CAAC;QACH,CAAC;QAED,SAAS,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;QAC/B,GAAsB,CAAC,aAAa,GAAG,SAAS,CAAC;QAClD,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,MAAe;IACnC,IAAI,CAAC,MAAM;QAAE,OAAO,SAAS,CAAC;IAC9B,OAAO,WAAW,MAAM,gBAAgB,CAAC;AAC3C,CAAC"}
+{"version":3,"file":"grant.js","sourceRoot":"","sources":["../../src/grant.ts"],"names":[],"mappings":";;AA8DA,sBA0GC;AAvKD,kEAAqE;AACrE,yEAAsE;AAEtE,oDAAqF;AAsCrF;;;;;;;;;;;;;;;;;;;GAmBG;AACH,SAAgB,KAAK,CACnB,SAAqC,EACrC,OAAqB;IAErB,0DAA0D;IAC1D,MAAM,aAAa,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;IAC5D,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,MAAM,IAAI,uCAA8B,CACtC,iDAAiD,CAClD,CAAC;IACJ,CAAC;IAED,kEAAkE;IAClE,wEAAwE;IACxE,uEAAuE;IACvE,6CAA6C;IAC7C,MAAM,WAAW,GAAG,IAAI,GAAG,EAA+B,CAAC;IAE3D,OAAO,KAAK,EAAE,GAAY,EAAE,IAAc,EAAE,IAAkB,EAAE,EAAE;QAChE,MAAM,OAAO,GAAG,GAA2B,CAAC;QAC5C,MAAM,YAAY,GAAG,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC;QAEzC,MAAM,SAAS,GAAG,IAAI,6BAAa,EAAE,CAAC;QAEtC,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,SAAS,CAAC,QAAQ,CAAC;gBACjB,OAAO,EACL,0EAA0E;aAC7E,CAAC,CAAC;YACF,GAAsB,CAAC,aAAa,GAAG,SAAS,CAAC;YAClD,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QAED,oEAAoE;QACpE,kEAAkE;QAClE,IAAI,cAAkC,CAAC;QACvC,IAAI,CAAC;YACH,cAAc;gBACZ,OAAO,OAAO,CAAC,MAAM,KAAK,UAAU;oBAClC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC;oBAC9B,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;QACvB,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC;QACjB,CAAC;QAED,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,IAAI,YAAY,CAAC,cAAc,CAAC,CAAC;QACxE,IAAI,CAAC,eAAe,EAAE,CAAC;YACrB,SAAS,CAAC,QAAQ,CAAC,EAAE,OAAO,EAAE,8CAA8C,EAAE,CAAC,CAAC;YAC/E,GAAsB,CAAC,aAAa,GAAG,SAAS,CAAC;YAClD,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QAED,mDAAmD;QACnD,IAAI,MAAM,GAAG,WAAW,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAC9C,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,+DAA+D;YAC/D,mEAAmE;YACnE,kDAAkD;YAClD,MAAM,GAAG,IAAI,mCAAmB,CAAC,eAAe,EAAE;gBAChD,UAAU,EAAE,OAAO,CAAC,qBAAqB;aAC1C,CAAC,CAAC;YACH,WAAW,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;QAC3C,CAAC;QAED,MAAM,YAAY,GAAG,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC;YAC3C,CAAC,CAAC,SAAS;YACX,CAAC,CAAC,CAAC,SAAmB,CAAC,CAAC;QAC1B,MAAM,MAAM,GAAkC,EAAE,CAAC;QAEjD,KAAK,MAAM,QAAQ,IAAI,YAAY,EAAE,CAAC;YACpC,IAAI,CAAC;gBACH,IAAI,eAAe,CAAC;gBACpB,IAAI,OAAO,CAAC,qBAAqB,EAAE,CAAC;oBAClC,eAAe,GAAG,MAAM,OAAO,CAAC,qBAAqB,CAAC,2BAA2B,CAC/E,YAAY,EACZ,QAAQ,EACR,EAAE,MAAM,EAAE,cAAc,EAAE,CAC3B,CAAC;gBACJ,CAAC;qBAAM,CAAC;oBACN,eAAe,GAAG;wBAChB,YAAY;wBACZ,QAAQ;wBACR,gBAAgB,EAAE,+CAAwD;qBAC3E,CAAC;gBACJ,CAAC;gBACD,MAAM,CAAC,QAAQ,CAAC,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,eAAe,EAAE;oBAC7D,MAAM,EAAE,cAAc;iBACvB,CAAC,CAAC;YACL,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,MAAM,MAAM,GAAgF;oBAC1F,OAAO,EAAE,6BAA6B,QAAQ,EAAE;iBACjD,CAAC;gBACF,IAAI,CAAC,YAAY,mBAAU,EAAE,CAAC;oBAC5B,MAAM,CAAC,IAAI,GAAG,CAAC,CAAC,SAAS,CAAC;oBAC1B,MAAM,CAAC,WAAW,GAAG,CAAC,CAAC,OAAO,CAAC;gBACjC,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;gBAC9B,CAAC;gBACD,SAAS,CAAC,gBAAgB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YAC/C,CAAC;QACH,CAAC;QAED,SAAS,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;QAC/B,GAAsB,CAAC,aAAa,GAAG,SAAS,CAAC;QAClD,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,MAAe;IACnC,IAAI,CAAC,MAAM;QAAE,OAAO,SAAS,CAAC;IAC9B,OAAO,WAAW,MAAM,gBAAgB,CAAC;AAC3C,CAAC"}

package/dist/esm/grant.d.ts

@@ -2,6 +2,7 @@ import type { RequestHandler } from "express";
 import { AccessContext } from "@keycardai/oauth/server/accessContext";
 import type { ApplicationCredential } from "@keycardai/oauth/credentials";
 import type { AuthenticatedRequest } from "./bearerAuth.js";
+import type { AccessToken } from "@keycardai/oauth/server/accessToken";
 export interface GrantedRequest extends AuthenticatedRequest {
     accessContext: AccessContext;
 }
@@ -12,13 +13,24 @@ export interface GrantOptions {
      */
     zoneUrl?: string;
     /**
-     * Keycard zone ID. Constructs the zone URL as
-     * `https://{zoneId}.keycard.cloud`.
+     * Keycard zone ID, or a function that resolves it from the verified
+     * access token at request time. Use the function form for multi-zone
+     * deployments where each request may target a different zone.
+     *
+     * ```ts
+     * // Static zone
+     * grant(resources, { zoneId: "zone-abc" });
+     *
+     * // Dynamic zone extracted from the token's clientId
+     * grant(resources, { zoneId: (auth) => auth.clientId });
+     * ```
      */
-    zoneId?: string;
+    zoneId?: string | ((auth: AccessToken) => string);
     /**
      * Application credential provider for authenticated token exchange.
-     * When omitted, the bearer token is exchanged without client auth.
+     * For multi-zone deployments, pass a `ClientSecret` constructed with a
+     * `Record<zoneId, [clientId, clientSecret]>` so the correct credentials
+     * are selected per request.
      */
     applicationCredential?: ApplicationCredential;
 }

package/dist/esm/grant.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"grant.d.ts","sourceRoot":"","sources":["../../src/grant.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAmC,cAAc,EAAE,MAAM,SAAS,CAAC;AAE/E,OAAO,EAAE,aAAa,EAAE,MAAM,uCAAuC,CAAC;AACtE,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AAE1E,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAG5D,MAAM,WAAW,cAAe,SAAQ,oBAAoB;IAC1D,aAAa,EAAE,aAAa,CAAC;CAC9B;AAED,MAAM,WAAW,YAAY;IAC3B;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,qBAAqB,CAAC,EAAE,qBAAqB,CAAC;CAC/C;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,KAAK,CACnB,SAAS,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,EACrC,OAAO,EAAE,YAAY,GACpB,cAAc,CA2EhB"}
+{"version":3,"file":"grant.d.ts","sourceRoot":"","sources":["../../src/grant.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAmC,cAAc,EAAE,MAAM,SAAS,CAAC;AAE/E,OAAO,EAAE,aAAa,EAAE,MAAM,uCAAuC,CAAC;AACtE,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AAE1E,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAC5D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qCAAqC,CAAC;AAGvE,MAAM,WAAW,cAAe,SAAQ,oBAAoB;IAC1D,aAAa,EAAE,aAAa,CAAC;CAC9B;AAED,MAAM,WAAW,YAAY;IAC3B;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;;;;;;;;;;OAYG;IACH,MAAM,CAAC,EAAE,MAAM,GAAG,CAAC,CAAC,IAAI,EAAE,WAAW,KAAK,MAAM,CAAC,CAAC;IAClD;;;;;OAKG;IACH,qBAAqB,CAAC,EAAE,qBAAqB,CAAC;CAC/C;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,KAAK,CACnB,SAAS,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,EACrC,OAAO,EAAE,YAAY,GACpB,cAAc,CAuGhB"}

package/dist/esm/grant.js

@@ -22,10 +22,16 @@ import { OAuthError, AuthProviderConfigurationError } from "@keycardai/oauth/err
  * ```
  */
 export function grant(resources, options) {
-    const zoneUrl = options.zoneUrl ?? buildZoneUrl(options.zoneId);
-    if (!zoneUrl) {
+    // Validate at construction time that a zone is specified.
+    const hasZoneOption = !!(options.zoneUrl || options.zoneId);
+    if (!hasZoneOption) {
         throw new AuthProviderConfigurationError("grant: either `zoneUrl` or `zoneId` is required");
     }
+    // Cache TokenExchangeClient instances keyed by resolved zone URL.
+    // One client per zone amortizes AS discovery (GET /.well-known/) across
+    // requests — the TokenExchangeClient already caches the token_endpoint
+    // internally after the first discovery call.
+    const clientCache = new Map();
     return async (req, _res, next) => {
         const authReq = req;
         const subjectToken = authReq.auth?.token;
@@ -37,19 +43,35 @@ export function grant(resources, options) {
             req.accessContext = accessCtx;
             return next();
         }
-        let client;
+        // Resolve zone at request time — zoneId may be a static string or a
+        // function that extracts the zone from the verified access token.
+        let resolvedZoneId;
         try {
-            const auth = options.applicationCredential?.getAuth();
-            client = new TokenExchangeClient(zoneUrl, auth ?? undefined);
+            resolvedZoneId =
+                typeof options.zoneId === "function"
+                    ? options.zoneId(authReq.auth)
+                    : options.zoneId;
         }
         catch (e) {
-            accessCtx.setError({
-                message: "Failed to initialize token exchange client.",
-                rawError: String(e),
-            });
+            return next(e);
+        }
+        const resolvedZoneUrl = options.zoneUrl ?? buildZoneUrl(resolvedZoneId);
+        if (!resolvedZoneUrl) {
+            accessCtx.setError({ message: "Could not resolve zone URL for this request." });
             req.accessContext = accessCtx;
             return next();
         }
+        // Look up or create a cached client for this zone.
+        let client = clientCache.get(resolvedZoneUrl);
+        if (!client) {
+            // Pass the credential directly so TokenExchangeClient can call
+            // getAuth(zoneId) at exchange time, enabling multi-zone credential
+            // routing without pre-resolving credentials here.
+            client = new TokenExchangeClient(resolvedZoneUrl, {
+                credential: options.applicationCredential,
+            });
+            clientCache.set(resolvedZoneUrl, client);
+        }
         const resourceList = Array.isArray(resources)
             ? resources
             : [resources];
@@ -58,7 +80,7 @@ export function grant(resources, options) {
             try {
                 let exchangeRequest;
                 if (options.applicationCredential) {
-                    exchangeRequest = await options.applicationCredential.prepareTokenExchangeRequest(subjectToken, resource);
+                    exchangeRequest = await options.applicationCredential.prepareTokenExchangeRequest(subjectToken, resource, { zoneId: resolvedZoneId });
                 }
                 else {
                     exchangeRequest = {
@@ -67,7 +89,9 @@ export function grant(resources, options) {
                         subjectTokenType: "urn:ietf:params:oauth:token-type:access_token",
                     };
                 }
-                tokens[resource] = await client.exchangeToken(exchangeRequest);
+                tokens[resource] = await client.exchangeToken(exchangeRequest, {
+                    zoneId: resolvedZoneId,
+                });
             }
             catch (e) {
                 const detail = {

package/dist/esm/grant.js.map

@@ -1 +1 @@
-{"version":3,"file":"grant.js","sourceRoot":"","sources":["../../src/grant.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AACrE,OAAO,EAAE,aAAa,EAAE,MAAM,uCAAuC,CAAC;AAEtE,OAAO,EAAE,UAAU,EAAE,8BAA8B,EAAE,MAAM,yBAAyB,CAAC;AA0BrF;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,UAAU,KAAK,CACnB,SAAqC,EACrC,OAAqB;IAErB,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,YAAY,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAChE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,8BAA8B,CACtC,iDAAiD,CAClD,CAAC;IACJ,CAAC;IAED,OAAO,KAAK,EAAE,GAAY,EAAE,IAAc,EAAE,IAAkB,EAAE,EAAE;QAChE,MAAM,OAAO,GAAG,GAA2B,CAAC;QAC5C,MAAM,YAAY,GAAG,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC;QAEzC,MAAM,SAAS,GAAG,IAAI,aAAa,EAAE,CAAC;QAEtC,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,SAAS,CAAC,QAAQ,CAAC;gBACjB,OAAO,EACL,0EAA0E;aAC7E,CAAC,CAAC;YACF,GAAsB,CAAC,aAAa,GAAG,SAAS,CAAC;YAClD,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QAED,IAAI,MAA2B,CAAC;QAChC,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,OAAO,CAAC,qBAAqB,EAAE,OAAO,EAAE,CAAC;YACtD,MAAM,GAAG,IAAI,mBAAmB,CAAC,OAAO,EAAE,IAAI,IAAI,SAAS,CAAC,CAAC;QAC/D,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,SAAS,CAAC,QAAQ,CAAC;gBACjB,OAAO,EAAE,6CAA6C;gBACtD,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC;aACpB,CAAC,CAAC;YACF,GAAsB,CAAC,aAAa,GAAG,SAAS,CAAC;YAClD,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QAED,MAAM,YAAY,GAAG,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC;YAC3C,CAAC,CAAC,SAAS;YACX,CAAC,CAAC,CAAC,SAAmB,CAAC,CAAC;QAC1B,MAAM,MAAM,GAAkC,EAAE,CAAC;QAEjD,KAAK,MAAM,QAAQ,IAAI,YAAY,EAAE,CAAC;YACpC,IAAI,CAAC;gBACH,IAAI,eAAe,CAAC;gBACpB,IAAI,OAAO,CAAC,qBAAqB,EAAE,CAAC;oBAClC,eAAe,GAAG,MAAM,OAAO,CAAC,qBAAqB,CAAC,2BAA2B,CAC/E,YAAY,EACZ,QAAQ,CACT,CAAC;gBACJ,CAAC;qBAAM,CAAC;oBACN,eAAe,GAAG;wBAChB,YAAY;wBACZ,QAAQ;wBACR,gBAAgB,EAAE,+CAAwD;qBAC3E,CAAC;gBACJ,CAAC;gBACD,MAAM,CAAC,QAAQ,CAAC,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,eAAe,CAAC,CAAC;YACjE,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,MAAM,MAAM,GAAgF;oBAC1F,OAAO,EAAE,6BAA6B,QAAQ,EAAE;iBACjD,CAAC;gBACF,IAAI,CAAC,YAAY,UAAU,EAAE,CAAC;oBAC5B,MAAM,CAAC,IAAI,GAAG,CAAC,CAAC,SAAS,CAAC;oBAC1B,MAAM,CAAC,WAAW,GAAG,CAAC,CAAC,OAAO,CAAC;gBACjC,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;gBAC9B,CAAC;gBACD,SAAS,CAAC,gBAAgB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YAC/C,CAAC;QACH,CAAC;QAED,SAAS,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;QAC/B,GAAsB,CAAC,aAAa,GAAG,SAAS,CAAC;QAClD,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,MAAe;IACnC,IAAI,CAAC,MAAM;QAAE,OAAO,SAAS,CAAC;IAC9B,OAAO,WAAW,MAAM,gBAAgB,CAAC;AAC3C,CAAC"}
+{"version":3,"file":"grant.js","sourceRoot":"","sources":["../../src/grant.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AACrE,OAAO,EAAE,aAAa,EAAE,MAAM,uCAAuC,CAAC;AAEtE,OAAO,EAAE,UAAU,EAAE,8BAA8B,EAAE,MAAM,yBAAyB,CAAC;AAsCrF;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,UAAU,KAAK,CACnB,SAAqC,EACrC,OAAqB;IAErB,0DAA0D;IAC1D,MAAM,aAAa,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;IAC5D,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,MAAM,IAAI,8BAA8B,CACtC,iDAAiD,CAClD,CAAC;IACJ,CAAC;IAED,kEAAkE;IAClE,wEAAwE;IACxE,uEAAuE;IACvE,6CAA6C;IAC7C,MAAM,WAAW,GAAG,IAAI,GAAG,EAA+B,CAAC;IAE3D,OAAO,KAAK,EAAE,GAAY,EAAE,IAAc,EAAE,IAAkB,EAAE,EAAE;QAChE,MAAM,OAAO,GAAG,GAA2B,CAAC;QAC5C,MAAM,YAAY,GAAG,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC;QAEzC,MAAM,SAAS,GAAG,IAAI,aAAa,EAAE,CAAC;QAEtC,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,SAAS,CAAC,QAAQ,CAAC;gBACjB,OAAO,EACL,0EAA0E;aAC7E,CAAC,CAAC;YACF,GAAsB,CAAC,aAAa,GAAG,SAAS,CAAC;YAClD,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QAED,oEAAoE;QACpE,kEAAkE;QAClE,IAAI,cAAkC,CAAC;QACvC,IAAI,CAAC;YACH,cAAc;gBACZ,OAAO,OAAO,CAAC,MAAM,KAAK,UAAU;oBAClC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC;oBAC9B,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;QACvB,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC;QACjB,CAAC;QAED,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,IAAI,YAAY,CAAC,cAAc,CAAC,CAAC;QACxE,IAAI,CAAC,eAAe,EAAE,CAAC;YACrB,SAAS,CAAC,QAAQ,CAAC,EAAE,OAAO,EAAE,8CAA8C,EAAE,CAAC,CAAC;YAC/E,GAAsB,CAAC,aAAa,GAAG,SAAS,CAAC;YAClD,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QAED,mDAAmD;QACnD,IAAI,MAAM,GAAG,WAAW,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAC9C,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,+DAA+D;YAC/D,mEAAmE;YACnE,kDAAkD;YAClD,MAAM,GAAG,IAAI,mBAAmB,CAAC,eAAe,EAAE;gBAChD,UAAU,EAAE,OAAO,CAAC,qBAAqB;aAC1C,CAAC,CAAC;YACH,WAAW,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;QAC3C,CAAC;QAED,MAAM,YAAY,GAAG,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC;YAC3C,CAAC,CAAC,SAAS;YACX,CAAC,CAAC,CAAC,SAAmB,CAAC,CAAC;QAC1B,MAAM,MAAM,GAAkC,EAAE,CAAC;QAEjD,KAAK,MAAM,QAAQ,IAAI,YAAY,EAAE,CAAC;YACpC,IAAI,CAAC;gBACH,IAAI,eAAe,CAAC;gBACpB,IAAI,OAAO,CAAC,qBAAqB,EAAE,CAAC;oBAClC,eAAe,GAAG,MAAM,OAAO,CAAC,qBAAqB,CAAC,2BAA2B,CAC/E,YAAY,EACZ,QAAQ,EACR,EAAE,MAAM,EAAE,cAAc,EAAE,CAC3B,CAAC;gBACJ,CAAC;qBAAM,CAAC;oBACN,eAAe,GAAG;wBAChB,YAAY;wBACZ,QAAQ;wBACR,gBAAgB,EAAE,+CAAwD;qBAC3E,CAAC;gBACJ,CAAC;gBACD,MAAM,CAAC,QAAQ,CAAC,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,eAAe,EAAE;oBAC7D,MAAM,EAAE,cAAc;iBACvB,CAAC,CAAC;YACL,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,MAAM,MAAM,GAAgF;oBAC1F,OAAO,EAAE,6BAA6B,QAAQ,EAAE;iBACjD,CAAC;gBACF,IAAI,CAAC,YAAY,UAAU,EAAE,CAAC;oBAC5B,MAAM,CAAC,IAAI,GAAG,CAAC,CAAC,SAAS,CAAC;oBAC1B,MAAM,CAAC,WAAW,GAAG,CAAC,CAAC,OAAO,CAAC;gBACjC,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;gBAC9B,CAAC;gBACD,SAAS,CAAC,gBAAgB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YAC/C,CAAC;QACH,CAAC;QAED,SAAS,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;QAC/B,GAAsB,CAAC,aAAa,GAAG,SAAS,CAAC;QAClD,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,MAAe;IACnC,IAAI,CAAC,MAAM;QAAE,OAAO,SAAS,CAAC;IAC9B,OAAO,WAAW,MAAM,gBAAgB,CAAC;AAC3C,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@keycardai/express",
-  "version": "0.1.0",
+  "version": "0.3.0",
   "description": "[Preview] Keycard auth middleware for Express: bearer token validation, RFC 6750 challenges, delegated token exchange, and OAuth discovery routes",
   "license": "MIT",
   "repository": {
@@ -26,16 +26,8 @@
       ]
     }
   },
-  "scripts": {
-    "build": "pnpm run build:esm && pnpm run build:cjs",
-    "build:esm": "tsc -p tsconfig.prod.json && echo '{\"type\": \"module\"}' > dist/esm/package.json",
-    "build:cjs": "tsc -p tsconfig.cjs.json && echo '{\"type\": \"commonjs\"}' > dist/cjs/package.json",
-    "test": "NODE_OPTIONS='--experimental-vm-modules' jest",
-    "typecheck": "tsc --noEmit",
-    "clean": "rm -rf dist"
-  },
   "dependencies": {
-    "@keycardai/oauth": "workspace:*"
+    "@keycardai/oauth": "0.6.0"
   },
   "peerDependencies": {
     "express": ">=4.0.0"
@@ -49,5 +41,13 @@
     "supertest": "^7.1.1",
     "ts-jest": "^29.4.0",
     "typescript": "^5.8.3"
+  },
+  "scripts": {
+    "build": "pnpm run build:esm && pnpm run build:cjs",
+    "build:esm": "tsc -p tsconfig.prod.json && echo '{\"type\": \"module\"}' > dist/esm/package.json",
+    "build:cjs": "tsc -p tsconfig.cjs.json && echo '{\"type\": \"commonjs\"}' > dist/cjs/package.json",
+    "test": "NODE_OPTIONS='--experimental-vm-modules' jest",
+    "typecheck": "tsc --noEmit",
+    "clean": "rm -rf dist"
   }
-}
+}