@keycardai/express 0.1.0

package/dist/cjs/wellKnown.js

@@ -0,0 +1,73 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.keycardMetadataRouter = keycardMetadataRouter;
+const express_1 = require("express");
+/**
+ * Returns an Express Router that serves the two OAuth discovery endpoints
+ * required by RFC 9728 and RFC 8414:
+ *
+ * - `GET /.well-known/oauth-protected-resource` (RFC 9728 §2)
+ * - `GET /.well-known/oauth-authorization-server` (RFC 8414 §3, proxied)
+ *
+ * Mount it at the application root:
+ * ```ts
+ * import express from "express";
+ * import { keycardMetadataRouter } from "@keycardai/express";
+ *
+ * const app = express();
+ * app.use(keycardMetadataRouter({ issuer: "https://zone.keycard.cloud" }));
+ * ```
+ *
+ * These paths must remain publicly accessible (no bearer auth) per their
+ * respective specs. Per the security guidance in
+ * `@keycardai/starlette` and the feedback_specific_path_bypass rule:
+ * only bypass auth for these exact paths, never a broad `/.well-known/` prefix.
+ */
+function keycardMetadataRouter(options) {
+    const router = (0, express_1.Router)();
+    router.get("/.well-known/oauth-protected-resource", protectedResourceHandler(options));
+    router.get("/.well-known/oauth-authorization-server", authorizationServerHandler(options.issuer, options.asMetadataTimeoutMs ?? 10_000));
+    return router;
+}
+function protectedResourceHandler(options) {
+    return (req, res) => {
+        const resource = `${req.protocol}://${req.host}`;
+        const metadata = {
+            resource,
+            authorization_servers: [options.issuer],
+        };
+        if (options.resourceName)
+            metadata.resource_name = options.resourceName;
+        if (options.scopesSupported)
+            metadata.scopes_supported = [...options.scopesSupported];
+        if (options.resourceDocumentation)
+            metadata.resource_documentation = options.resourceDocumentation;
+        res.set("Access-Control-Allow-Origin", "*");
+        res.status(200).json(metadata);
+    };
+}
+function authorizationServerHandler(issuer, timeoutMs) {
+    return async (req, res, next) => {
+        try {
+            const upstream = await fetch(`${issuer}/.well-known/oauth-authorization-server`, { signal: AbortSignal.timeout(timeoutMs) });
+            if (!upstream.ok) {
+                res.status(502).json({ error: "Failed to fetch AS metadata from issuer" });
+                return;
+            }
+            const metadata = await upstream.json();
+            // Rewrite authorization_endpoint to include a `resource` param pointing
+            // at this server's origin so the AS knows which resource is being accessed.
+            if (typeof metadata.authorization_endpoint === "string") {
+                const authUrl = new URL(metadata.authorization_endpoint);
+                authUrl.searchParams.set("resource", `${req.protocol}://${req.host}`);
+                metadata.authorization_endpoint = authUrl.toString();
+            }
+            res.set("Access-Control-Allow-Origin", "*");
+            res.status(200).json(metadata);
+        }
+        catch (e) {
+            next(e);
+        }
+    };
+}
+//# sourceMappingURL=wellKnown.js.map

package/dist/cjs/wellKnown.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"wellKnown.js","sourceRoot":"","sources":["../../src/wellKnown.ts"],"names":[],"mappings":";;AAiDA,sDAcC;AA/DD,qCAAiC;AA4BjC;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,SAAgB,qBAAqB,CAAC,OAA6B;IACjE,MAAM,MAAM,GAAG,IAAA,gBAAM,GAAE,CAAC;IAExB,MAAM,CAAC,GAAG,CACR,uCAAuC,EACvC,wBAAwB,CAAC,OAAO,CAAC,CAClC,CAAC;IAEF,MAAM,CAAC,GAAG,CACR,yCAAyC,EACzC,0BAA0B,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,mBAAmB,IAAI,MAAM,CAAC,CAClF,CAAC;IAEF,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,wBAAwB,CAAC,OAA6B;IAC7D,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QAClB,MAAM,QAAQ,GAAG,GAAG,GAAG,CAAC,QAAQ,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QACjD,MAAM,QAAQ,GAA4B;YACxC,QAAQ;YACR,qBAAqB,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC;SACxC,CAAC;QACF,IAAI,OAAO,CAAC,YAAY;YAAE,QAAQ,CAAC,aAAa,GAAG,OAAO,CAAC,YAAY,CAAC;QACxE,IAAI,OAAO,CAAC,eAAe;YAAE,QAAQ,CAAC,gBAAgB,GAAG,CAAC,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;QACtF,IAAI,OAAO,CAAC,qBAAqB;YAAE,QAAQ,CAAC,sBAAsB,GAAG,OAAO,CAAC,qBAAqB,CAAC;QAEnG,GAAG,CAAC,GAAG,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAC;QAC5C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACjC,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,0BAA0B,CAAC,MAAc,EAAE,SAAiB;IACnE,OAAO,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAC9B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAC1B,GAAG,MAAM,yCAAyC,EAClD,EAAE,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAC3C,CAAC;YACF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yCAAyC,EAAE,CAAC,CAAC;gBAC3E,OAAO;YACT,CAAC;YACD,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAC;YAElE,wEAAwE;YACxE,4EAA4E;YAC5E,IAAI,OAAO,QAAQ,CAAC,sBAAsB,KAAK,QAAQ,EAAE,CAAC;gBACxD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAC;gBACzD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,GAAG,GAAG,CAAC,QAAQ,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;gBACtE,QAAQ,CAAC,sBAAsB,GAAG,OAAO,CAAC,QAAQ,EAAE,CAAC;YACvD,CAAC;YAED,GAAG,CAAC,GAAG,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAC;YAC5C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACjC,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,IAAI,CAAC,CAAC,CAAC,CAAC;QACV,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}

package/dist/esm/bearerAuth.d.ts

@@ -0,0 +1,76 @@
+import type { Request, RequestHandler } from "express";
+import { TokenVerifier } from "@keycardai/oauth/server/tokenVerifier";
+import type { TokenVerifierOptions } from "@keycardai/oauth/server/tokenVerifier";
+import type { AccessToken } from "@keycardai/oauth/server/accessToken";
+/**
+ * Extends Express `Request` with the verified Keycard `AccessToken`.
+ *
+ * Cast inside handlers that run after `requireBearerAuth()`:
+ * ```ts
+ * app.get("/data", (req, res) => {
+ *   const { auth } = req as AuthenticatedRequest;
+ * });
+ * ```
+ *
+ * Alternatively, adopt Express module augmentation so `req.auth` is
+ * available without casting across your entire app:
+ * ```ts
+ * import type { AccessToken } from "@keycardai/oauth/server";
+ * declare global {
+ *   namespace Express {
+ *     interface Request {
+ *       auth?: AccessToken;
+ *     }
+ *   }
+ * }
+ * ```
+ * We ship the interface-extension form rather than augmenting the global
+ * namespace by default. Augmentation makes `req.auth` optional on every
+ * request including unauthenticated routes, which weakens the type
+ * contract. Use it when you prefer convenience over strictness.
+ * See: https://github.com/auth0/express-jwt/issues/311
+ */
+export interface AuthenticatedRequest extends Request {
+    auth: AccessToken;
+}
+export type BearerAuthOptions = {
+    verifier: TokenVerifier;
+    requiredScopes?: readonly string[];
+} | {
+    /**
+     * Keycard zone URL, e.g. "https://zone-id.keycard.cloud".
+     * Either `zoneUrl` or `zoneId` is required (consistent with `grant()`).
+     */
+    zoneUrl?: string;
+    /**
+     * Keycard zone ID. Constructs the URL as `https://{zoneId}.keycard.cloud`.
+     * Either `zoneUrl` or `zoneId` is required (consistent with `grant()`).
+     */
+    zoneId?: string;
+    audience?: string;
+    enableMultiZone?: boolean;
+    keyring?: TokenVerifierOptions["keyring"];
+    requiredScopes?: readonly string[];
+};
+/**
+ * Express middleware that validates a Bearer token (RFC 6750) and sets
+ * `req.auth` to the verified `AccessToken`.
+ *
+ * On failure: responds with a `WWW-Authenticate` challenge containing the
+ * `resource_metadata` URL per RFC 9728 §3.
+ *
+ * Usage with a zone URL:
+ * ```ts
+ * app.use(requireBearerAuth({ zoneUrl: "https://zone.keycard.cloud" }));
+ * // or by zone ID
+ * app.use(requireBearerAuth({ zoneId: "zone-id" }));
+ * ```
+ *
+ * Usage with a pre-built verifier (shared across routes):
+ * ```ts
+ * const verifier = new TokenVerifier({ issuer: "https://zone.keycard.cloud" });
+ * app.use(requireBearerAuth({ verifier }));
+ * ```
+ */
+export declare function requireBearerAuth(options: BearerAuthOptions): RequestHandler;
+//# sourceMappingURL=bearerAuth.d.ts.map

package/dist/esm/bearerAuth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bearerAuth.d.ts","sourceRoot":"","sources":["../../src/bearerAuth.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAA0B,cAAc,EAAE,MAAM,SAAS,CAAC;AAC/E,OAAO,EAAE,aAAa,EAAE,MAAM,uCAAuC,CAAC;AACtE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,uCAAuC,CAAC;AAClF,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qCAAqC,CAAC;AASvE;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,WAAW,oBAAqB,SAAQ,OAAO;IACnD,IAAI,EAAE,WAAW,CAAC;CACnB;AAED,MAAM,MAAM,iBAAiB,GACzB;IAAE,QAAQ,EAAE,aAAa,CAAC;IAAC,cAAc,CAAC,EAAE,SAAS,MAAM,EAAE,CAAA;CAAE,GAC/D;IACE;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,OAAO,CAAC,EAAE,oBAAoB,CAAC,SAAS,CAAC,CAAC;IAC1C,cAAc,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CACpC,CAAC;AAEN;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,iBAAiB,GAAG,cAAc,CAgG5E"}

package/dist/esm/bearerAuth.js

@@ -0,0 +1,120 @@
+import { TokenVerifier } from "@keycardai/oauth/server/tokenVerifier";
+import { BadRequestError, UnauthorizedError, InvalidTokenError, InsufficientScopeError, OAuthError, } from "@keycardai/oauth/errors";
+/**
+ * Express middleware that validates a Bearer token (RFC 6750) and sets
+ * `req.auth` to the verified `AccessToken`.
+ *
+ * On failure: responds with a `WWW-Authenticate` challenge containing the
+ * `resource_metadata` URL per RFC 9728 §3.
+ *
+ * Usage with a zone URL:
+ * ```ts
+ * app.use(requireBearerAuth({ zoneUrl: "https://zone.keycard.cloud" }));
+ * // or by zone ID
+ * app.use(requireBearerAuth({ zoneId: "zone-id" }));
+ * ```
+ *
+ * Usage with a pre-built verifier (shared across routes):
+ * ```ts
+ * const verifier = new TokenVerifier({ issuer: "https://zone.keycard.cloud" });
+ * app.use(requireBearerAuth({ verifier }));
+ * ```
+ */
+export function requireBearerAuth(options) {
+    // Do not pass requiredScopes to TokenVerifier: it returns null on scope
+    // failure, which the middleware would interpret as a generic 401. The
+    // explicit scope check below produces the correct 403 InsufficientScopeError.
+    let verifier;
+    if ("verifier" in options) {
+        verifier = options.verifier;
+    }
+    else {
+        const issuer = options.zoneUrl ?? buildIssuerFromZoneId(options.zoneId);
+        if (!issuer) {
+            throw new Error("requireBearerAuth: either `zoneUrl` or `zoneId` is required");
+        }
+        verifier = new TokenVerifier({
+            issuer,
+            audience: options.audience,
+            enableMultiZone: options.enableMultiZone,
+            keyring: options.keyring,
+        });
+    }
+    return async (req, res, next) => {
+        const resourceMetadataUrl = getResourceMetadataUrl(req);
+        try {
+            const authorization = req.headers.authorization;
+            if (!authorization) {
+                throw new UnauthorizedError("No credentials");
+            }
+            const [scheme, token] = authorization.split(" ");
+            if (!token) {
+                throw new BadRequestError("Malformed credentials");
+            }
+            if (scheme.toLowerCase() !== "bearer") {
+                throw new InvalidTokenError("Unsupported authentication scheme");
+            }
+            const accessToken = await verifier.verifyToken(token);
+            if (!accessToken) {
+                throw new InvalidTokenError("Token validation failed");
+            }
+            // Validate resource audience: a token scoped to a different resource
+            // server must not be accepted here. Compare origins so path and query
+            // string differences are ignored (mirrors Workers auth.ts:88-92).
+            if (accessToken.resource) {
+                const requestOrigin = `${req.protocol}://${req.host}`;
+                try {
+                    const tokenOrigin = new URL(accessToken.resource).origin;
+                    if (tokenOrigin !== requestOrigin) {
+                        throw new InvalidTokenError("Token not intended for resource");
+                    }
+                }
+                catch (e) {
+                    if (e instanceof InvalidTokenError)
+                        throw e;
+                    // resource claim is not a URL; opaque audience, skip origin check
+                }
+            }
+            if ("requiredScopes" in options &&
+                options.requiredScopes &&
+                options.requiredScopes.length > 0) {
+                const hasAllScopes = options.requiredScopes.every((scope) => accessToken.scopes.includes(scope));
+                if (!hasAllScopes) {
+                    throw new InsufficientScopeError("Insufficient scope");
+                }
+            }
+            req.auth = accessToken;
+            next();
+        }
+        catch (error) {
+            if (error instanceof BadRequestError) {
+                res.status(400).end();
+            }
+            else if (error instanceof UnauthorizedError) {
+                res.set("WWW-Authenticate", `Bearer resource_metadata="${resourceMetadataUrl}"`);
+                res.status(401).end();
+            }
+            else if (error instanceof InsufficientScopeError) {
+                res.set("WWW-Authenticate", `Bearer error="${error.errorCode}", error_description="${error.message}", resource_metadata="${resourceMetadataUrl}"`);
+                res.status(403).end();
+            }
+            else if (error instanceof OAuthError || error instanceof InvalidTokenError) {
+                res.set("WWW-Authenticate", `Bearer error="${error.errorCode}", error_description="${error.message}", resource_metadata="${resourceMetadataUrl}"`);
+                res.status(401).end();
+            }
+            else {
+                next(error);
+            }
+        }
+    };
+}
+function getResourceMetadataUrl(req) {
+    const origin = `${req.protocol}://${req.host}`;
+    return `${origin}/.well-known/oauth-protected-resource`;
+}
+function buildIssuerFromZoneId(zoneId) {
+    if (!zoneId)
+        return undefined;
+    return `https://${zoneId}.keycard.cloud`;
+}
+//# sourceMappingURL=bearerAuth.js.map

package/dist/esm/bearerAuth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bearerAuth.js","sourceRoot":"","sources":["../../src/bearerAuth.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,aAAa,EAAE,MAAM,uCAAuC,CAAC;AAGtE,OAAO,EACL,eAAe,EACf,iBAAiB,EACjB,iBAAiB,EACjB,sBAAsB,EACtB,UAAU,GACX,MAAM,yBAAyB,CAAC;AAqDjC;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,UAAU,iBAAiB,CAAC,OAA0B;IAC1D,wEAAwE;IACxE,sEAAsE;IACtE,8EAA8E;IAC9E,IAAI,QAAuB,CAAC;IAC5B,IAAI,UAAU,IAAI,OAAO,EAAE,CAAC;QAC1B,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IAC9B,CAAC;SAAM,CAAC;QACN,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,IAAI,qBAAqB,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QACxE,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,6DAA6D,CAAC,CAAC;QACjF,CAAC;QACD,QAAQ,GAAG,IAAI,aAAa,CAAC;YAC3B,MAAM;YACN,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,eAAe,EAAE,OAAO,CAAC,eAAe;YACxC,OAAO,EAAE,OAAO,CAAC,OAAO;SACzB,CAAC,CAAC;IACL,CAAC;IAED,OAAO,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;QAC/D,MAAM,mBAAmB,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;QAExD,IAAI,CAAC;YACH,MAAM,aAAa,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;YAChD,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,MAAM,IAAI,iBAAiB,CAAC,gBAAgB,CAAC,CAAC;YAChD,CAAC;YAED,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,GAAG,aAAa,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACjD,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,MAAM,IAAI,eAAe,CAAC,uBAAuB,CAAC,CAAC;YACrD,CAAC;YACD,IAAI,MAAM,CAAC,WAAW,EAAE,KAAK,QAAQ,EAAE,CAAC;gBACtC,MAAM,IAAI,iBAAiB,CAAC,mCAAmC,CAAC,CAAC;YACnE,CAAC;YAED,MAAM,WAAW,GAAG,MAAM,QAAQ,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;YACtD,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,MAAM,IAAI,iBAAiB,CAAC,yBAAyB,CAAC,CAAC;YACzD,CAAC;YAED,qEAAqE;YACrE,sEAAsE;YACtE,kEAAkE;YAClE,IAAI,WAAW,CAAC,QAAQ,EAAE,CAAC;gBACzB,MAAM,aAAa,GAAG,GAAG,GAAG,CAAC,QAAQ,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;gBACtD,IAAI,CAAC;oBACH,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC;oBACzD,IAAI,WAAW,KAAK,aAAa,EAAE,CAAC;wBAClC,MAAM,IAAI,iBAAiB,CAAC,iCAAiC,CAAC,CAAC;oBACjE,CAAC;gBACH,CAAC;gBAAC,OAAO,CAAC,EAAE,CAAC;oBACX,IAAI,CAAC,YAAY,iBAAiB;wBAAE,MAAM,CAAC,CAAC;oBAC5C,kEAAkE;gBACpE,CAAC;YACH,CAAC;YAED,IACE,gBAAgB,IAAI,OAAO;gBAC3B,OAAO,CAAC,cAAc;gBACtB,OAAO,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EACjC,CAAC;gBACD,MAAM,YAAY,GAAG,OAAO,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CAC1D,WAAW,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CACnC,CAAC;gBACF,IAAI,CAAC,YAAY,EAAE,CAAC;oBAClB,MAAM,IAAI,sBAAsB,CAAC,oBAAoB,CAAC,CAAC;gBACzD,CAAC;YACH,CAAC;YAEA,GAA4B,CAAC,IAAI,GAAG,WAAW,CAAC;YACjD,IAAI,EAAE,CAAC;QACT,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,eAAe,EAAE,CAAC;gBACrC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC;YACxB,CAAC;iBAAM,IAAI,KAAK,YAAY,iBAAiB,EAAE,CAAC;gBAC9C,GAAG,CAAC,GAAG,CAAC,kBAAkB,EAAE,6BAA6B,mBAAmB,GAAG,CAAC,CAAC;gBACjF,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC;YACxB,CAAC;iBAAM,IAAI,KAAK,YAAY,sBAAsB,EAAE,CAAC;gBACnD,GAAG,CAAC,GAAG,CACL,kBAAkB,EAClB,iBAAkB,KAAoB,CAAC,SAAS,yBAAyB,KAAK,CAAC,OAAO,yBAAyB,mBAAmB,GAAG,CACtI,CAAC;gBACF,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC;YACxB,CAAC;iBAAM,IAAI,KAAK,YAAY,UAAU,IAAI,KAAK,YAAY,iBAAiB,EAAE,CAAC;gBAC7E,GAAG,CAAC,GAAG,CACL,kBAAkB,EAClB,iBAAkB,KAAoB,CAAC,SAAS,yBAAyB,KAAK,CAAC,OAAO,yBAAyB,mBAAmB,GAAG,CACtI,CAAC;gBACF,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC;YACxB,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,KAAK,CAAC,CAAC;YACd,CAAC;QACH,CAAC;IACH,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,sBAAsB,CAAC,GAAY;IAC1C,MAAM,MAAM,GAAG,GAAG,GAAG,CAAC,QAAQ,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;IAC/C,OAAO,GAAG,MAAM,uCAAuC,CAAC;AAC1D,CAAC;AAED,SAAS,qBAAqB,CAAC,MAAe;IAC5C,IAAI,CAAC,MAAM;QAAE,OAAO,SAAS,CAAC;IAC9B,OAAO,WAAW,MAAM,gBAAgB,CAAC;AAC3C,CAAC"}

package/dist/esm/grant.d.ts

@@ -0,0 +1,46 @@
+import type { RequestHandler } from "express";
+import { AccessContext } from "@keycardai/oauth/server/accessContext";
+import type { ApplicationCredential } from "@keycardai/oauth/credentials";
+import type { AuthenticatedRequest } from "./bearerAuth.js";
+export interface GrantedRequest extends AuthenticatedRequest {
+    accessContext: AccessContext;
+}
+export interface GrantOptions {
+    /**
+     * Keycard zone URL, e.g. "https://zone-id.keycard.cloud".
+     * Either `zoneUrl` or `zoneId` is required.
+     */
+    zoneUrl?: string;
+    /**
+     * Keycard zone ID. Constructs the zone URL as
+     * `https://{zoneId}.keycard.cloud`.
+     */
+    zoneId?: string;
+    /**
+     * Application credential provider for authenticated token exchange.
+     * When omitted, the bearer token is exchanged without client auth.
+     */
+    applicationCredential?: ApplicationCredential;
+}
+/**
+ * Express middleware factory for delegated token exchange (RFC 8693).
+ *
+ * Must run AFTER `requireBearerAuth()`. Reads the verified bearer token
+ * from `req.auth`, exchanges it for per-resource access tokens at the
+ * Keycard zone, and stores the results in `req.accessContext`.
+ *
+ * On success, `req.accessContext.access(resourceUrl)` returns the
+ * `TokenResponse` for that resource. On partial failure, some resources
+ * may have errors while others succeed.
+ *
+ * ```ts
+ * app.use(requireBearerAuth({ issuer: "https://zone.keycard.cloud" }));
+ * app.use(grant(["https://graph.microsoft.com"], { zoneUrl: "https://zone.keycard.cloud" }));
+ * app.get("/data", (req, res) => {
+ *   const token = req.accessContext.access("https://graph.microsoft.com");
+ *   // ...
+ * });
+ * ```
+ */
+export declare function grant(resources: string | readonly string[], options: GrantOptions): RequestHandler;
+//# sourceMappingURL=grant.d.ts.map

package/dist/esm/grant.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"grant.d.ts","sourceRoot":"","sources":["../../src/grant.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAmC,cAAc,EAAE,MAAM,SAAS,CAAC;AAE/E,OAAO,EAAE,aAAa,EAAE,MAAM,uCAAuC,CAAC;AACtE,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AAE1E,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAG5D,MAAM,WAAW,cAAe,SAAQ,oBAAoB;IAC1D,aAAa,EAAE,aAAa,CAAC;CAC9B;AAED,MAAM,WAAW,YAAY;IAC3B;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,qBAAqB,CAAC,EAAE,qBAAqB,CAAC;CAC/C;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,KAAK,CACnB,SAAS,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,EACrC,OAAO,EAAE,YAAY,GACpB,cAAc,CA2EhB"}

package/dist/esm/grant.js

@@ -0,0 +1,96 @@
+import { TokenExchangeClient } from "@keycardai/oauth/tokenExchange";
+import { AccessContext } from "@keycardai/oauth/server/accessContext";
+import { OAuthError, AuthProviderConfigurationError } from "@keycardai/oauth/errors";
+/**
+ * Express middleware factory for delegated token exchange (RFC 8693).
+ *
+ * Must run AFTER `requireBearerAuth()`. Reads the verified bearer token
+ * from `req.auth`, exchanges it for per-resource access tokens at the
+ * Keycard zone, and stores the results in `req.accessContext`.
+ *
+ * On success, `req.accessContext.access(resourceUrl)` returns the
+ * `TokenResponse` for that resource. On partial failure, some resources
+ * may have errors while others succeed.
+ *
+ * ```ts
+ * app.use(requireBearerAuth({ issuer: "https://zone.keycard.cloud" }));
+ * app.use(grant(["https://graph.microsoft.com"], { zoneUrl: "https://zone.keycard.cloud" }));
+ * app.get("/data", (req, res) => {
+ *   const token = req.accessContext.access("https://graph.microsoft.com");
+ *   // ...
+ * });
+ * ```
+ */
+export function grant(resources, options) {
+    const zoneUrl = options.zoneUrl ?? buildZoneUrl(options.zoneId);
+    if (!zoneUrl) {
+        throw new AuthProviderConfigurationError("grant: either `zoneUrl` or `zoneId` is required");
+    }
+    return async (req, _res, next) => {
+        const authReq = req;
+        const subjectToken = authReq.auth?.token;
+        const accessCtx = new AccessContext();
+        if (!subjectToken) {
+            accessCtx.setError({
+                message: "No authentication token. Ensure requireBearerAuth() runs before grant().",
+            });
+            req.accessContext = accessCtx;
+            return next();
+        }
+        let client;
+        try {
+            const auth = options.applicationCredential?.getAuth();
+            client = new TokenExchangeClient(zoneUrl, auth ?? undefined);
+        }
+        catch (e) {
+            accessCtx.setError({
+                message: "Failed to initialize token exchange client.",
+                rawError: String(e),
+            });
+            req.accessContext = accessCtx;
+            return next();
+        }
+        const resourceList = Array.isArray(resources)
+            ? resources
+            : [resources];
+        const tokens = {};
+        for (const resource of resourceList) {
+            try {
+                let exchangeRequest;
+                if (options.applicationCredential) {
+                    exchangeRequest = await options.applicationCredential.prepareTokenExchangeRequest(subjectToken, resource);
+                }
+                else {
+                    exchangeRequest = {
+                        subjectToken,
+                        resource,
+                        subjectTokenType: "urn:ietf:params:oauth:token-type:access_token",
+                    };
+                }
+                tokens[resource] = await client.exchangeToken(exchangeRequest);
+            }
+            catch (e) {
+                const detail = {
+                    message: `Token exchange failed for ${resource}`,
+                };
+                if (e instanceof OAuthError) {
+                    detail.code = e.errorCode;
+                    detail.description = e.message;
+                }
+                else {
+                    detail.rawError = String(e);
+                }
+                accessCtx.setResourceError(resource, detail);
+            }
+        }
+        accessCtx.setBulkTokens(tokens);
+        req.accessContext = accessCtx;
+        next();
+    };
+}
+function buildZoneUrl(zoneId) {
+    if (!zoneId)
+        return undefined;
+    return `https://${zoneId}.keycard.cloud`;
+}
+//# sourceMappingURL=grant.js.map

package/dist/esm/grant.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"grant.js","sourceRoot":"","sources":["../../src/grant.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AACrE,OAAO,EAAE,aAAa,EAAE,MAAM,uCAAuC,CAAC;AAEtE,OAAO,EAAE,UAAU,EAAE,8BAA8B,EAAE,MAAM,yBAAyB,CAAC;AA0BrF;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,UAAU,KAAK,CACnB,SAAqC,EACrC,OAAqB;IAErB,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,YAAY,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAChE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,8BAA8B,CACtC,iDAAiD,CAClD,CAAC;IACJ,CAAC;IAED,OAAO,KAAK,EAAE,GAAY,EAAE,IAAc,EAAE,IAAkB,EAAE,EAAE;QAChE,MAAM,OAAO,GAAG,GAA2B,CAAC;QAC5C,MAAM,YAAY,GAAG,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC;QAEzC,MAAM,SAAS,GAAG,IAAI,aAAa,EAAE,CAAC;QAEtC,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,SAAS,CAAC,QAAQ,CAAC;gBACjB,OAAO,EACL,0EAA0E;aAC7E,CAAC,CAAC;YACF,GAAsB,CAAC,aAAa,GAAG,SAAS,CAAC;YAClD,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QAED,IAAI,MAA2B,CAAC;QAChC,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,OAAO,CAAC,qBAAqB,EAAE,OAAO,EAAE,CAAC;YACtD,MAAM,GAAG,IAAI,mBAAmB,CAAC,OAAO,EAAE,IAAI,IAAI,SAAS,CAAC,CAAC;QAC/D,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,SAAS,CAAC,QAAQ,CAAC;gBACjB,OAAO,EAAE,6CAA6C;gBACtD,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC;aACpB,CAAC,CAAC;YACF,GAAsB,CAAC,aAAa,GAAG,SAAS,CAAC;YAClD,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QAED,MAAM,YAAY,GAAG,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC;YAC3C,CAAC,CAAC,SAAS;YACX,CAAC,CAAC,CAAC,SAAmB,CAAC,CAAC;QAC1B,MAAM,MAAM,GAAkC,EAAE,CAAC;QAEjD,KAAK,MAAM,QAAQ,IAAI,YAAY,EAAE,CAAC;YACpC,IAAI,CAAC;gBACH,IAAI,eAAe,CAAC;gBACpB,IAAI,OAAO,CAAC,qBAAqB,EAAE,CAAC;oBAClC,eAAe,GAAG,MAAM,OAAO,CAAC,qBAAqB,CAAC,2BAA2B,CAC/E,YAAY,EACZ,QAAQ,CACT,CAAC;gBACJ,CAAC;qBAAM,CAAC;oBACN,eAAe,GAAG;wBAChB,YAAY;wBACZ,QAAQ;wBACR,gBAAgB,EAAE,+CAAwD;qBAC3E,CAAC;gBACJ,CAAC;gBACD,MAAM,CAAC,QAAQ,CAAC,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,eAAe,CAAC,CAAC;YACjE,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,MAAM,MAAM,GAAgF;oBAC1F,OAAO,EAAE,6BAA6B,QAAQ,EAAE;iBACjD,CAAC;gBACF,IAAI,CAAC,YAAY,UAAU,EAAE,CAAC;oBAC5B,MAAM,CAAC,IAAI,GAAG,CAAC,CAAC,SAAS,CAAC;oBAC1B,MAAM,CAAC,WAAW,GAAG,CAAC,CAAC,OAAO,CAAC;gBACjC,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;gBAC9B,CAAC;gBACD,SAAS,CAAC,gBAAgB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YAC/C,CAAC;QACH,CAAC;QAED,SAAS,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;QAC/B,GAAsB,CAAC,aAAa,GAAG,SAAS,CAAC;QAClD,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,MAAe;IACnC,IAAI,CAAC,MAAM;QAAE,OAAO,SAAS,CAAC;IAC9B,OAAO,WAAW,MAAM,gBAAgB,CAAC;AAC3C,CAAC"}

package/dist/esm/index.d.ts

@@ -0,0 +1,9 @@
+export { requireBearerAuth } from "./bearerAuth.js";
+export type { AuthenticatedRequest, BearerAuthOptions } from "./bearerAuth.js";
+export { grant } from "./grant.js";
+export type { GrantedRequest, GrantOptions } from "./grant.js";
+export { keycardMetadataRouter } from "./wellKnown.js";
+export type { KeycardRouterOptions } from "./wellKnown.js";
+export { createKeycardMiddleware } from "./middleware.js";
+export type { KeycardMiddlewareOptions, KeycardMiddleware } from "./middleware.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/esm/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACpD,YAAY,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAC/E,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AACnC,YAAY,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC/D,OAAO,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAC;AACvD,YAAY,EAAE,oBAAoB,EAAE,MAAM,gBAAgB,CAAC;AAC3D,OAAO,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAC1D,YAAY,EAAE,wBAAwB,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/esm/index.js

@@ -0,0 +1,5 @@
+export { requireBearerAuth } from "./bearerAuth.js";
+export { grant } from "./grant.js";
+export { keycardMetadataRouter } from "./wellKnown.js";
+export { createKeycardMiddleware } from "./middleware.js";
+//# sourceMappingURL=index.js.map

package/dist/esm/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAEpD,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AAEnC,OAAO,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAC;AAEvD,OAAO,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/esm/middleware.d.ts

@@ -0,0 +1,54 @@
+import type { RequestHandler } from "express";
+import type { ApplicationCredential } from "@keycardai/oauth/credentials";
+export interface KeycardMiddlewareOptions {
+    /**
+     * Keycard zone URL, e.g. "https://zone-id.keycard.cloud".
+     * Either `zoneUrl` or `zoneId` is required.
+     */
+    zoneUrl?: string;
+    /**
+     * Keycard zone ID. Constructs the URL as `https://{zoneId}.keycard.cloud`.
+     */
+    zoneId?: string;
+    /**
+     * Application credential for token exchange in `grant()`.
+     * Typically a `ClientSecret` from `@keycardai/oauth/server`.
+     */
+    applicationCredential?: ApplicationCredential;
+}
+export interface KeycardMiddleware {
+    /**
+     * Express middleware that validates a Bearer token and sets `req.auth`.
+     * Accepts optional `requiredScopes` to enforce at the middleware level.
+     */
+    requireBearerAuth(options?: {
+        requiredScopes?: readonly string[];
+    }): RequestHandler;
+    /**
+     * Express middleware for delegated RFC 8693 token exchange.
+     * Sets `req.accessContext` with per-resource tokens.
+     */
+    grant(resources: string | readonly string[], options?: {
+        applicationCredential?: ApplicationCredential;
+    }): RequestHandler;
+}
+/**
+ * Creates a pair of pre-configured Keycard middleware functions sharing a
+ * common zone URL. Eliminates the naming mismatch between `requireBearerAuth`
+ * (which takes `issuer`) and `grant` (which takes `zoneUrl`/`zoneId`) by
+ * accepting a single consistent config.
+ *
+ * Python equivalent: `AuthProvider(zone_url=..., application_credential=...)`
+ *
+ * ```ts
+ * const keycard = createKeycardMiddleware({
+ *   zoneUrl: "https://zone.keycard.cloud",
+ *   applicationCredential: new ClientSecret("client-id", "client-secret"),
+ * });
+ *
+ * app.use(keycard.requireBearerAuth());
+ * app.use(keycard.grant(["https://graph.microsoft.com"]));
+ * ```
+ */
+export declare function createKeycardMiddleware(options: KeycardMiddlewareOptions): KeycardMiddleware;
+//# sourceMappingURL=middleware.d.ts.map

package/dist/esm/middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../src/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAG9C,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AAE1E,MAAM,WAAW,wBAAwB;IACvC;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;OAEG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,qBAAqB,CAAC,EAAE,qBAAqB,CAAC;CAC/C;AAED,MAAM,WAAW,iBAAiB;IAChC;;;OAGG;IACH,iBAAiB,CAAC,OAAO,CAAC,EAAE;QAAE,cAAc,CAAC,EAAE,SAAS,MAAM,EAAE,CAAA;KAAE,GAAG,cAAc,CAAC;IACpF;;;OAGG;IACH,KAAK,CACH,SAAS,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,EACrC,OAAO,CAAC,EAAE;QACR,qBAAqB,CAAC,EAAE,qBAAqB,CAAC;KAC/C,GACA,cAAc,CAAC;CACnB;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,wBAAwB,GAAG,iBAAiB,CAsB5F"}

package/dist/esm/middleware.js

@@ -0,0 +1,46 @@
+import { requireBearerAuth } from "./bearerAuth.js";
+import { grant } from "./grant.js";
+/**
+ * Creates a pair of pre-configured Keycard middleware functions sharing a
+ * common zone URL. Eliminates the naming mismatch between `requireBearerAuth`
+ * (which takes `issuer`) and `grant` (which takes `zoneUrl`/`zoneId`) by
+ * accepting a single consistent config.
+ *
+ * Python equivalent: `AuthProvider(zone_url=..., application_credential=...)`
+ *
+ * ```ts
+ * const keycard = createKeycardMiddleware({
+ *   zoneUrl: "https://zone.keycard.cloud",
+ *   applicationCredential: new ClientSecret("client-id", "client-secret"),
+ * });
+ *
+ * app.use(keycard.requireBearerAuth());
+ * app.use(keycard.grant(["https://graph.microsoft.com"]));
+ * ```
+ */
+export function createKeycardMiddleware(options) {
+    const zoneUrl = options.zoneUrl ?? buildZoneUrl(options.zoneId);
+    if (!zoneUrl) {
+        throw new Error("createKeycardMiddleware: either `zoneUrl` or `zoneId` is required");
+    }
+    return {
+        requireBearerAuth(localOptions) {
+            return requireBearerAuth({
+                zoneUrl,
+                requiredScopes: localOptions?.requiredScopes,
+            });
+        },
+        grant(resources, localOptions) {
+            return grant(resources, {
+                zoneUrl,
+                applicationCredential: localOptions?.applicationCredential ?? options.applicationCredential,
+            });
+        },
+    };
+}
+function buildZoneUrl(zoneId) {
+    if (!zoneId)
+        return undefined;
+    return `https://${zoneId}.keycard.cloud`;
+}
+//# sourceMappingURL=middleware.js.map

package/dist/esm/middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../src/middleware.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACpD,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AAsCnC;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,uBAAuB,CAAC,OAAiC;IACvE,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,YAAY,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAChE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,mEAAmE,CAAC,CAAC;IACvF,CAAC;IAED,OAAO;QACL,iBAAiB,CAAC,YAAqD;YACrE,OAAO,iBAAiB,CAAC;gBACvB,OAAO;gBACP,cAAc,EAAE,YAAY,EAAE,cAAc;aAC7C,CAAC,CAAC;QACL,CAAC;QAED,KAAK,CAAC,SAAS,EAAE,YAAY;YAC3B,OAAO,KAAK,CAAC,SAAS,EAAE;gBACtB,OAAO;gBACP,qBAAqB,EACnB,YAAY,EAAE,qBAAqB,IAAI,OAAO,CAAC,qBAAqB;aACvE,CAAC,CAAC;QACL,CAAC;KACF,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,MAAe;IACnC,IAAI,CAAC,MAAM;QAAE,OAAO,SAAS,CAAC;IAC9B,OAAO,WAAW,MAAM,gBAAgB,CAAC;AAC3C,CAAC"}

package/dist/esm/package.json

@@ -0,0 +1 @@
+{"type": "module"}

package/dist/esm/wellKnown.d.ts

@@ -0,0 +1,48 @@
+import { Router } from "express";
+export interface KeycardRouterOptions {
+    /**
+     * Keycard issuer URL, e.g. "https://zone-id.keycard.cloud".
+     * Used to proxy AS metadata from the Keycard authorization server.
+     */
+    issuer: string;
+    /**
+     * Human-readable resource name shown in AS metadata.
+     */
+    resourceName?: string;
+    /**
+     * Scopes this resource server supports.
+     */
+    scopesSupported?: readonly string[];
+    /**
+     * Link to documentation for this resource.
+     */
+    resourceDocumentation?: string;
+    /**
+     * Timeout in milliseconds for the upstream AS metadata fetch.
+     * Default: 10 000 ms.
+     */
+    asMetadataTimeoutMs?: number;
+}
+/**
+ * Returns an Express Router that serves the two OAuth discovery endpoints
+ * required by RFC 9728 and RFC 8414:
+ *
+ * - `GET /.well-known/oauth-protected-resource` (RFC 9728 §2)
+ * - `GET /.well-known/oauth-authorization-server` (RFC 8414 §3, proxied)
+ *
+ * Mount it at the application root:
+ * ```ts
+ * import express from "express";
+ * import { keycardMetadataRouter } from "@keycardai/express";
+ *
+ * const app = express();
+ * app.use(keycardMetadataRouter({ issuer: "https://zone.keycard.cloud" }));
+ * ```
+ *
+ * These paths must remain publicly accessible (no bearer auth) per their
+ * respective specs. Per the security guidance in
+ * `@keycardai/starlette` and the feedback_specific_path_bypass rule:
+ * only bypass auth for these exact paths, never a broad `/.well-known/` prefix.
+ */
+export declare function keycardMetadataRouter(options: KeycardRouterOptions): Router;
+//# sourceMappingURL=wellKnown.d.ts.map

package/dist/esm/wellKnown.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"wellKnown.d.ts","sourceRoot":"","sources":["../../src/wellKnown.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAGjC,MAAM,WAAW,oBAAoB;IACnC;;;OAGG;IACH,MAAM,EAAE,MAAM,CAAC;IACf;;OAEG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;OAEG;IACH,eAAe,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACpC;;OAEG;IACH,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B;;;OAGG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,oBAAoB,GAAG,MAAM,CAc3E"}