@keycardai/oauth 0.1.0 → 0.1.2

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Keycard
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,112 @@
+# @keycardai/oauth
+
+Pure OAuth 2.0 primitives for Keycard — JWKS key management, JWT signing/verification, authorization server discovery, and token exchange. **Zero MCP dependencies.**
+
+This is the foundational layer of the [Keycard TypeScript SDK](../../README.md). If you're building an MCP server, you probably want [`@keycardai/mcp`](../mcp/) instead, which includes this package as a dependency.
+
+## Installation
+
+```bash
+npm install @keycardai/oauth
+```
+
+## Quick Start
+
+### Sign and Verify JWTs
+
+```typescript
+import { JWTSigner } from "@keycardai/oauth/jwt/signer";
+import { JWTVerifier } from "@keycardai/oauth/jwt/verifier";
+import { JWKSOAuthKeyring } from "@keycardai/oauth/keyring";
+
+// Sign a JWT
+const keyring = new JWKSOAuthKeyring();
+const signer = new JWTSigner(keyring);
+const token = await signer.sign({
+  sub: "user-123",
+  aud: "https://api.example.com",
+  scope: "read write",
+});
+
+// Verify a JWT
+const verifier = new JWTVerifier(keyring);
+const claims = await verifier.verify(token);
+```
+
+### Discover Authorization Server Metadata
+
+```typescript
+import { fetchAuthorizationServerMetadata } from "@keycardai/oauth/discovery";
+
+const metadata = await fetchAuthorizationServerMetadata(
+  "https://your-zone.keycard.cloud",
+);
+console.log(metadata.token_endpoint);
+console.log(metadata.jwks_uri);
+```
+
+### Token Exchange (RFC 8693)
+
+```typescript
+import { TokenExchangeClient } from "@keycardai/oauth/tokenExchange";
+
+const client = new TokenExchangeClient("https://your-zone.keycard.cloud", {
+  clientId: "your-client-id",
+  clientSecret: "your-client-secret",
+});
+
+const response = await client.exchangeToken({
+  subjectToken: userBearerToken,
+  resource: "https://api.github.com",
+});
+
+console.log(response.accessToken);
+```
+
+## API Overview
+
+### JWKS Key Management
+
+| Export | Import Path | Description |
+|---|---|---|
+| `JWKSOAuthKeyring` | `@keycardai/oauth/keyring` | Fetches and caches JWKS public keys from an authorization server |
+| `OAuthKeyring` (type) | `@keycardai/oauth/keyring` | Interface for public key lookup by issuer and key ID |
+| `PrivateKeyring` (type) | `@keycardai/oauth/keyring` | Interface for private key access (signing) |
+
+### JWT Signing & Verification
+
+| Export | Import Path | Description |
+|---|---|---|
+| `JWTSigner` | `@keycardai/oauth/jwt/signer` | Signs JWTs with RS256 using a private keyring |
+| `JWTVerifier` | `@keycardai/oauth/jwt/verifier` | Verifies JWT signatures against JWKS public keys |
+| `JWTClaims` (type) | `@keycardai/oauth/jwt/signer` | Standard JWT claims (iss, sub, aud, exp, etc.) |
+
+### Discovery & Token Exchange
+
+| Export | Import Path | Description |
+|---|---|---|
+| `fetchAuthorizationServerMetadata` | `@keycardai/oauth/discovery` | Fetches `.well-known/oauth-authorization-server` metadata |
+| `TokenExchangeClient` | `@keycardai/oauth/tokenExchange` | RFC 8693 token exchange client with auto-discovery |
+
+### Errors
+
+| Export | Import Path | Description |
+|---|---|---|
+| `HTTPError` | `@keycardai/oauth/errors` | Base HTTP error |
+| `BadRequestError` | `@keycardai/oauth/errors` | 400 Bad Request |
+| `UnauthorizedError` | `@keycardai/oauth/errors` | 401 Unauthorized |
+| `OAuthError` | `@keycardai/oauth/errors` | OAuth error with error code and URI |
+| `InvalidTokenError` | `@keycardai/oauth/errors` | Token validation failure |
+| `InsufficientScopeError` | `@keycardai/oauth/errors` | Missing required scopes |
+
+### Utilities
+
+| Export | Import Path | Description |
+|---|---|---|
+| `base64url` | `@keycardai/oauth/base64url` | Base64url encode/decode utilities |
+
+## Related Packages
+
+- [`@keycardai/mcp`](../mcp/) — MCP-specific OAuth integration with Express middleware, bearer auth, and delegated access
+- [`@keycardai/sdk`](../sdk/) — Aggregate package re-exporting from both oauth and mcp
+- [Keycard TypeScript SDK](../../README.md) — Root documentation with full quick start guide

package/dist/cjs/discovery.d.ts

@@ -22,6 +22,8 @@ declare const OAuthAuthorizationServerMetadataSchema: z.ZodObject<{
     token_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
 }, z.ZodTypeAny, "passthrough">>;
 export type OAuthAuthorizationServerMetadata = z.infer<typeof OAuthAuthorizationServerMetadataSchema>;
-export declare function fetchAuthorizationServerMetadata(issuer: string): Promise<OAuthAuthorizationServerMetadata>;
+export declare function fetchAuthorizationServerMetadata(issuer: string, options?: {
+    signal?: AbortSignal;
+}): Promise<OAuthAuthorizationServerMetadata>;
 export {};
 //# sourceMappingURL=discovery.d.ts.map

package/dist/cjs/discovery.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"discovery.d.ts","sourceRoot":"","sources":["../../src/discovery.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,QAAA,MAAM,sCAAsC;;;;;;;;;;;;;;;;;;;;;gCAO5B,CAAC;AAEjB,MAAM,MAAM,gCAAgC,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sCAAsC,CAAC,CAAC;AAEtG,wBAAsB,gCAAgC,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,gCAAgC,CAAC,CAsBhH"}
+{"version":3,"file":"discovery.d.ts","sourceRoot":"","sources":["../../src/discovery.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,QAAA,MAAM,sCAAsC;;;;;;;;;;;;;;;;;;;;;gCAO5B,CAAC;AAEjB,MAAM,MAAM,gCAAgC,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sCAAsC,CAAC,CAAC;AAEtG,wBAAsB,gCAAgC,CACpD,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,WAAW,CAAA;CAAE,GACjC,OAAO,CAAC,gCAAgC,CAAC,CAsB3C"}

package/dist/cjs/discovery.js

@@ -10,14 +10,14 @@ const OAuthAuthorizationServerMetadataSchema = zod_1.z.object({
     registration_endpoint: zod_1.z.string().optional(),
     token_endpoint_auth_methods_supported: zod_1.z.array(zod_1.z.string()).optional(),
 }).passthrough();
-async function fetchAuthorizationServerMetadata(issuer) {
+async function fetchAuthorizationServerMetadata(issuer, options) {
     const issuerURL = new URL(issuer);
     let path = issuerURL.pathname;
     if (path.endsWith("/")) {
         path = path.slice(0, -1);
     }
     const url = new URL(`/.well-known/oauth-authorization-server${path}`, issuer);
-    const response = await fetch(url);
+    const response = await fetch(url, { signal: options?.signal });
     if (!response.ok) {
         throw new Error(`Failed to fetch OAuth authorization server metadata for "${issuer}"`);
     }

package/dist/cjs/discovery.js.map

@@ -1 +1 @@
-{"version":3,"file":"discovery.js","sourceRoot":"","sources":["../../src/discovery.ts"],"names":[],"mappings":";;AAaA,4EAsBC;AAnCD,6BAAwB;AAExB,MAAM,sCAAsC,GAAG,OAAC,CAAC,MAAM,CAAC;IACtD,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE;IAClB,sBAAsB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7C,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACrC,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,qBAAqB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5C,qCAAqC,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;CACtE,CAAC,CAAC,WAAW,EAAE,CAAC;AAIV,KAAK,UAAU,gCAAgC,CAAC,MAAc;IACnE,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;IAClC,IAAI,IAAI,GAAG,SAAS,CAAC,QAAQ,CAAC;IAC9B,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAC3B,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,0CAA0C,IAAI,EAAE,EAAE,MAAM,CAAC,CAAC;IAC9E,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CACb,4DAA4D,MAAM,GAAG,CACtE,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACnC,MAAM,QAAQ,GAAG,sCAAsC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACpE,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,+DAA+D,MAAM,GAAG,CAAC,CAAC;IAC5F,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}
+{"version":3,"file":"discovery.js","sourceRoot":"","sources":["../../src/discovery.ts"],"names":[],"mappings":";;AAaA,4EAyBC;AAtCD,6BAAwB;AAExB,MAAM,sCAAsC,GAAG,OAAC,CAAC,MAAM,CAAC;IACtD,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE;IAClB,sBAAsB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7C,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACrC,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,qBAAqB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5C,qCAAqC,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;CACtE,CAAC,CAAC,WAAW,EAAE,CAAC;AAIV,KAAK,UAAU,gCAAgC,CACpD,MAAc,EACd,OAAkC;IAElC,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;IAClC,IAAI,IAAI,GAAG,SAAS,CAAC,QAAQ,CAAC;IAC9B,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAC3B,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,0CAA0C,IAAI,EAAE,EAAE,MAAM,CAAC,CAAC;IAC9E,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;IAC/D,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CACb,4DAA4D,MAAM,GAAG,CACtE,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACnC,MAAM,QAAQ,GAAG,sCAAsC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACpE,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,+DAA+D,MAAM,GAAG,CAAC,CAAC;IAC5F,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/cjs/index.d.ts

@@ -1,4 +1,4 @@
-export type { OAuthKeyring, PrivateKeyring, IdentifiableKey } from "./keyring.js";
+export type { OAuthKeyring, PrivateKeyring, IdentifiableKey, JWKSOAuthKeyringOptions } from "./keyring.js";
 export { JWKSOAuthKeyring } from "./keyring.js";
 export { default as base64url } from "./base64url.js";
 export { fetchAuthorizationServerMetadata } from "./discovery.js";

package/dist/cjs/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAClF,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,YAAY,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,iBAAiB,EAAE,UAAU,EAAE,iBAAiB,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AACnI,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,YAAY,EAAE,oBAAoB,EAAE,aAAa,EAAE,0BAA0B,EAAE,MAAM,oBAAoB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC3G,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,YAAY,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,iBAAiB,EAAE,UAAU,EAAE,iBAAiB,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AACnI,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,YAAY,EAAE,oBAAoB,EAAE,aAAa,EAAE,0BAA0B,EAAE,MAAM,oBAAoB,CAAC"}

package/dist/cjs/keyring.d.ts

@@ -9,7 +9,18 @@ export type IdentifiableKey = {
 export interface PrivateKeyring {
     key(usage: string): Promise<IdentifiableKey>;
 }
+export interface JWKSOAuthKeyringOptions {
+    /** TTL for cached CryptoKeys. Default: 5 minutes. */
+    keyTtlMs?: number;
+    /** TTL for cached discovery (issuer → jwks_uri) mappings. Default: 1 hour. */
+    discoveryTtlMs?: number;
+    /** Timeout for both discovery and JWKS fetch requests. Default: 10 seconds. */
+    fetchTimeoutMs?: number;
+}
 export declare class JWKSOAuthKeyring implements OAuthKeyring {
+    #private;
+    constructor(options?: JWKSOAuthKeyringOptions);
     key(issuer: string, kid: string): Promise<CryptoKey>;
+    invalidate(issuer: string, kid: string): void;
 }
 //# sourceMappingURL=keyring.d.ts.map

package/dist/cjs/keyring.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"keyring.d.ts","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,YAAY;IAC3B,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAA;CACrD;AAED,MAAM,MAAM,eAAe,GAAG;IAC5B,GAAG,EAAE,SAAS,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;CACb,CAAC;AAEF,MAAM,WAAW,cAAc;IAC7B,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CAAA;CAC7C;AAyBD,qBAAa,gBAAiB,YAAW,YAAY;IAE7C,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;CA8B3D"}
+{"version":3,"file":"keyring.d.ts","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,YAAY;IAC3B,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAA;CACrD;AAED,MAAM,MAAM,eAAe,GAAG;IAC5B,GAAG,EAAE,SAAS,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;CACb,CAAC;AAEF,MAAM,WAAW,cAAc;IAC7B,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CAAA;CAC7C;AAED,MAAM,WAAW,uBAAuB;IACtC,qDAAqD;IACrD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,8EAA8E;IAC9E,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,+EAA+E;IAC/E,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAuDD,qBAAa,gBAAiB,YAAW,YAAY;;gBAWvC,OAAO,CAAC,EAAE,uBAAuB;IAMvC,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;IAW1D,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,IAAI;CA4H9C"}

package/dist/cjs/keyring.js

@@ -1,4 +1,16 @@
 "use strict";
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var _JWKSOAuthKeyring_instances, _JWKSOAuthKeyring_keyTtlMs, _JWKSOAuthKeyring_discoveryTtlMs, _JWKSOAuthKeyring_fetchTimeoutMs, _JWKSOAuthKeyring_discoveryCache, _JWKSOAuthKeyring_keyCache, _JWKSOAuthKeyring_discoveryInflight, _JWKSOAuthKeyring_keyInflight, _JWKSOAuthKeyring_resolveJwksUri, _JWKSOAuthKeyring_resolveKey, _JWKSOAuthKeyring_getCached;
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.JWKSOAuthKeyring = void 0;
 const zod_1 = require("zod");
@@ -21,29 +33,137 @@ const ECJWKSchema = JWKSchema.extend({
 const JWKSetSchema = zod_1.z.object({
     keys: zod_1.z.array(zod_1.z.union([RSAJWKSchema, ECJWKSchema])),
 });
+const DEFAULT_KEY_TTL_MS = 5 * 60 * 1000; // 5 minutes
+const DEFAULT_DISCOVERY_TTL_MS = 60 * 60 * 1000; // 1 hour
+const DEFAULT_FETCH_TIMEOUT_MS = 10_000; // 10 seconds
+function assertSameOrigin(issuer, jwksUri) {
+    const issuerOrigin = new URL(issuer).origin;
+    const jwksOrigin = new URL(jwksUri).origin;
+    if (issuerOrigin !== jwksOrigin) {
+        throw new Error(`JWKS URI origin "${jwksOrigin}" does not match issuer origin "${issuerOrigin}" for "${issuer}"`);
+    }
+}
+function keyCacheKey(issuer, kid) {
+    return `${issuer}::${kid}`;
+}
+// ---------------------------------------------------------------------------
+// JWKSOAuthKeyring — two-level cached keyring
+// ---------------------------------------------------------------------------
 class JWKSOAuthKeyring {
+    constructor(options) {
+        _JWKSOAuthKeyring_instances.add(this);
+        _JWKSOAuthKeyring_keyTtlMs.set(this, void 0);
+        _JWKSOAuthKeyring_discoveryTtlMs.set(this, void 0);
+        _JWKSOAuthKeyring_fetchTimeoutMs.set(this, void 0);
+        _JWKSOAuthKeyring_discoveryCache.set(this, new Map());
+        _JWKSOAuthKeyring_keyCache.set(this, new Map());
+        _JWKSOAuthKeyring_discoveryInflight.set(this, new Map());
+        _JWKSOAuthKeyring_keyInflight.set(this, new Map());
+        __classPrivateFieldSet(this, _JWKSOAuthKeyring_keyTtlMs, options?.keyTtlMs ?? DEFAULT_KEY_TTL_MS, "f");
+        __classPrivateFieldSet(this, _JWKSOAuthKeyring_discoveryTtlMs, options?.discoveryTtlMs ?? DEFAULT_DISCOVERY_TTL_MS, "f");
+        __classPrivateFieldSet(this, _JWKSOAuthKeyring_fetchTimeoutMs, options?.fetchTimeoutMs ?? DEFAULT_FETCH_TIMEOUT_MS, "f");
+    }
     async key(issuer, kid) {
-        const authorizationServer = await (0, discovery_js_1.fetchAuthorizationServerMetadata)(issuer);
-        if (!authorizationServer.jwks_uri) {
-            throw new Error(`No JSON Web Key Set available for "${issuer}"`);
+        const cacheKey = keyCacheKey(issuer, kid);
+        const cached = __classPrivateFieldGet(this, _JWKSOAuthKeyring_instances, "m", _JWKSOAuthKeyring_getCached).call(this, __classPrivateFieldGet(this, _JWKSOAuthKeyring_keyCache, "f"), cacheKey);
+        if (cached) {
+            return cached;
         }
-        const response = await fetch(authorizationServer.jwks_uri);
-        if (!response.ok) {
-            throw new Error(`Failed to fetch OAuth authorization server metadata for "${issuer}"`);
-        }
-        const json = await response.json();
-        const jwkSet = JWKSetSchema.parse(json);
-        const jwk = jwkSet.keys.find((jwk) => jwk.kid === kid);
-        if (!jwk) {
-            throw new Error(`Failed to find key "${kid}" of "${issuer}"`);
-        }
-        // TODO: make this more robust to uses and algs
-        const key = await crypto.subtle.importKey('jwk', jwk, {
-            name: 'RSASSA-PKCS1-v1_5',
-            hash: { name: 'SHA-256' },
-        }, true, ['verify']);
-        return key;
+        const jwksUri = await __classPrivateFieldGet(this, _JWKSOAuthKeyring_instances, "m", _JWKSOAuthKeyring_resolveJwksUri).call(this, issuer);
+        return __classPrivateFieldGet(this, _JWKSOAuthKeyring_instances, "m", _JWKSOAuthKeyring_resolveKey).call(this, issuer, kid, jwksUri, cacheKey);
+    }
+    invalidate(issuer, kid) {
+        const cacheKey = keyCacheKey(issuer, kid);
+        __classPrivateFieldGet(this, _JWKSOAuthKeyring_keyCache, "f").delete(cacheKey);
+        __classPrivateFieldGet(this, _JWKSOAuthKeyring_keyInflight, "f").delete(cacheKey);
+        __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryCache, "f").delete(issuer);
+        __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryInflight, "f").delete(issuer);
     }
 }
 exports.JWKSOAuthKeyring = JWKSOAuthKeyring;
+_JWKSOAuthKeyring_keyTtlMs = new WeakMap(), _JWKSOAuthKeyring_discoveryTtlMs = new WeakMap(), _JWKSOAuthKeyring_fetchTimeoutMs = new WeakMap(), _JWKSOAuthKeyring_discoveryCache = new WeakMap(), _JWKSOAuthKeyring_keyCache = new WeakMap(), _JWKSOAuthKeyring_discoveryInflight = new WeakMap(), _JWKSOAuthKeyring_keyInflight = new WeakMap(), _JWKSOAuthKeyring_instances = new WeakSet(), _JWKSOAuthKeyring_resolveJwksUri = 
+// -------------------------------------------------------
+// Discovery resolution with cache + dedup
+// -------------------------------------------------------
+async function _JWKSOAuthKeyring_resolveJwksUri(issuer) {
+    const cached = __classPrivateFieldGet(this, _JWKSOAuthKeyring_instances, "m", _JWKSOAuthKeyring_getCached).call(this, __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryCache, "f"), issuer);
+    if (cached) {
+        return cached;
+    }
+    const inflight = __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryInflight, "f").get(issuer);
+    if (inflight) {
+        return inflight;
+    }
+    const promise = (async () => {
+        try {
+            const metadata = await (0, discovery_js_1.fetchAuthorizationServerMetadata)(issuer, {
+                signal: AbortSignal.timeout(__classPrivateFieldGet(this, _JWKSOAuthKeyring_fetchTimeoutMs, "f")),
+            });
+            if (!metadata.jwks_uri) {
+                throw new Error(`No JSON Web Key Set available for "${issuer}"`);
+            }
+            assertSameOrigin(issuer, metadata.jwks_uri);
+            __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryCache, "f").set(issuer, {
+                value: metadata.jwks_uri,
+                expiresAt: Date.now() + __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryTtlMs, "f"),
+            });
+            return metadata.jwks_uri;
+        }
+        finally {
+            __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryInflight, "f").delete(issuer);
+        }
+    })();
+    __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryInflight, "f").set(issuer, promise);
+    return promise;
+}, _JWKSOAuthKeyring_resolveKey = 
+// -------------------------------------------------------
+// Key resolution with cache + dedup
+// -------------------------------------------------------
+async function _JWKSOAuthKeyring_resolveKey(issuer, kid, jwksUri, cacheKey) {
+    const inflight = __classPrivateFieldGet(this, _JWKSOAuthKeyring_keyInflight, "f").get(cacheKey);
+    if (inflight) {
+        return inflight;
+    }
+    const promise = (async () => {
+        try {
+            const response = await fetch(jwksUri, {
+                signal: AbortSignal.timeout(__classPrivateFieldGet(this, _JWKSOAuthKeyring_fetchTimeoutMs, "f")),
+            });
+            if (!response.ok) {
+                throw new Error(`Failed to fetch JWKS from "${jwksUri}" for "${issuer}" (HTTP ${response.status})`);
+            }
+            const json = await response.json();
+            const jwkSet = JWKSetSchema.parse(json);
+            const jwk = jwkSet.keys.find((jwk) => jwk.kid === kid);
+            if (!jwk) {
+                throw new Error(`Failed to find key "${kid}" of "${issuer}"`);
+            }
+            // TODO: make this more robust to uses and algs
+            const key = await crypto.subtle.importKey('jwk', jwk, {
+                name: 'RSASSA-PKCS1-v1_5',
+                hash: { name: 'SHA-256' },
+            }, true, ['verify']);
+            __classPrivateFieldGet(this, _JWKSOAuthKeyring_keyCache, "f").set(cacheKey, {
+                value: key,
+                expiresAt: Date.now() + __classPrivateFieldGet(this, _JWKSOAuthKeyring_keyTtlMs, "f"),
+            });
+            return key;
+        }
+        finally {
+            __classPrivateFieldGet(this, _JWKSOAuthKeyring_keyInflight, "f").delete(cacheKey);
+        }
+    })();
+    __classPrivateFieldGet(this, _JWKSOAuthKeyring_keyInflight, "f").set(cacheKey, promise);
+    return promise;
+}, _JWKSOAuthKeyring_getCached = function _JWKSOAuthKeyring_getCached(cache, key) {
+    const entry = cache.get(key);
+    if (!entry) {
+        return undefined;
+    }
+    if (Date.now() >= entry.expiresAt) {
+        cache.delete(key);
+        return undefined;
+    }
+    return entry.value;
+};
 //# sourceMappingURL=keyring.js.map

package/dist/cjs/keyring.js.map

@@ -1 +1 @@
-{"version":3,"file":"keyring.js","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":";;;AAAA,6BAAwB;AACxB,iDAAkE;AAiBlE,MAAM,SAAS,GAAG,OAAC,CAAC,MAAM,CAAC;IACzB,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;IACf,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC3B,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,SAAS,CAAC,MAAM,CAAC;IACpC,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,WAAW,GAAG,SAAS,CAAC,MAAM,CAAC;IACnC,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;IACf,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,OAAC,CAAC,MAAM,CAAC;IAC5B,IAAI,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,KAAK,CAAC,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC,CAAC;CACpD,CAAC,CAAC;AAEH,MAAa,gBAAgB;IAE3B,KAAK,CAAC,GAAG,CAAC,MAAc,EAAE,GAAW;QACnC,MAAM,mBAAmB,GAAG,MAAM,IAAA,+CAAgC,EAAC,MAAM,CAAC,CAAC;QAC3E,IAAI,CAAC,mBAAmB,CAAC,QAAQ,EAAE,CAAC;YAClC,MAAM,IAAI,KAAK,CAAC,sCAAsC,MAAM,GAAG,CAAC,CAAC;QACnE,CAAC;QACD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,mBAAmB,CAAC,QAAQ,CAAC,CAAC;QAC3D,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,4DAA4D,MAAM,GAAG,CAAC,CAAC;QACzF,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACnC,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACxC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC;QACvD,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,MAAM,IAAI,KAAK,CAAC,uBAAuB,GAAG,SAAS,MAAM,GAAG,CAAC,CAAC;QAChE,CAAC;QAED,+CAA+C;QAC/C,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,GAAG,EACH;YACE,IAAI,EAAE,mBAAmB;YACzB,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;SAC1B,EACD,IAAI,EACJ,CAAC,QAAQ,CAAC,CACX,CAAC;QACF,OAAO,GAAG,CAAC;IACb,CAAC;CACF;AAhCD,4CAgCC"}
+{"version":3,"file":"keyring.js","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,6BAAwB;AACxB,iDAAkE;AAyBlE,MAAM,SAAS,GAAG,OAAC,CAAC,MAAM,CAAC;IACzB,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;IACf,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC3B,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,SAAS,CAAC,MAAM,CAAC;IACpC,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,WAAW,GAAG,SAAS,CAAC,MAAM,CAAC;IACnC,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;IACf,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,OAAC,CAAC,MAAM,CAAC;IAC5B,IAAI,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,KAAK,CAAC,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC,CAAC;CACpD,CAAC,CAAC;AAWH,MAAM,kBAAkB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAQ,YAAY;AAC7D,MAAM,wBAAwB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAE,SAAS;AAC3D,MAAM,wBAAwB,GAAG,MAAM,CAAC,CAAW,aAAa;AAEhE,SAAS,gBAAgB,CAAC,MAAc,EAAE,OAAe;IACvD,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC;IAC5C,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;IAC3C,IAAI,YAAY,KAAK,UAAU,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CACb,oBAAoB,UAAU,mCAAmC,YAAY,UAAU,MAAM,GAAG,CACjG,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAAC,MAAc,EAAE,GAAW;IAC9C,OAAO,GAAG,MAAM,KAAK,GAAG,EAAE,CAAC;AAC7B,CAAC;AAED,8EAA8E;AAC9E,8CAA8C;AAC9C,8EAA8E;AAE9E,MAAa,gBAAgB;IAW3B,YAAY,OAAiC;;QAV7C,6CAAkB;QAClB,mDAAwB;QACxB,mDAAwB;QAExB,2CAAkB,IAAI,GAAG,EAA8B,EAAC;QACxD,qCAAY,IAAI,GAAG,EAAiC,EAAC;QAErD,8CAAqB,IAAI,GAAG,EAA2B,EAAC;QACxD,wCAAe,IAAI,GAAG,EAA8B,EAAC;QAGnD,uBAAA,IAAI,8BAAa,OAAO,EAAE,QAAQ,IAAI,kBAAkB,MAAA,CAAC;QACzD,uBAAA,IAAI,oCAAmB,OAAO,EAAE,cAAc,IAAI,wBAAwB,MAAA,CAAC;QAC3E,uBAAA,IAAI,oCAAmB,OAAO,EAAE,cAAc,IAAI,wBAAwB,MAAA,CAAC;IAC7E,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,MAAc,EAAE,GAAW;QACnC,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC1C,MAAM,MAAM,GAAG,uBAAA,IAAI,gEAAW,MAAf,IAAI,EAAY,uBAAA,IAAI,kCAAU,EAAE,QAAQ,CAAC,CAAC;QACzD,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,uBAAA,IAAI,qEAAgB,MAApB,IAAI,EAAiB,MAAM,CAAC,CAAC;QACnD,OAAO,uBAAA,IAAI,iEAAY,MAAhB,IAAI,EAAa,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC1D,CAAC;IAED,UAAU,CAAC,MAAc,EAAE,GAAW;QACpC,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC1C,uBAAA,IAAI,kCAAU,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAChC,uBAAA,IAAI,qCAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACnC,uBAAA,IAAI,wCAAgB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACpC,uBAAA,IAAI,2CAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACzC,CAAC;CAsHF;AAxJD,4CAwJC;;AApHC,0DAA0D;AAC1D,0CAA0C;AAC1C,0DAA0D;AAE1D,KAAK,2CAAiB,MAAc;IAClC,MAAM,MAAM,GAAG,uBAAA,IAAI,gEAAW,MAAf,IAAI,EAAY,uBAAA,IAAI,wCAAgB,EAAE,MAAM,CAAC,CAAC;IAC7D,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,QAAQ,GAAG,uBAAA,IAAI,2CAAmB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACrD,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,KAAK,IAAI,EAAE;QAC1B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAA,+CAAgC,EAAC,MAAM,EAAE;gBAC9D,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,uBAAA,IAAI,wCAAgB,CAAC;aAClD,CAAC,CAAC;YACH,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;gBACvB,MAAM,IAAI,KAAK,CAAC,sCAAsC,MAAM,GAAG,CAAC,CAAC;YACnE,CAAC;YAED,gBAAgB,CAAC,MAAM,EAAE,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAE5C,uBAAA,IAAI,wCAAgB,CAAC,GAAG,CAAC,MAAM,EAAE;gBAC/B,KAAK,EAAE,QAAQ,CAAC,QAAQ;gBACxB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAA,IAAI,wCAAgB;aAC7C,CAAC,CAAC;YAEH,OAAO,QAAQ,CAAC,QAAQ,CAAC;QAC3B,CAAC;gBAAS,CAAC;YACT,uBAAA,IAAI,2CAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACzC,CAAC;IACH,CAAC,CAAC,EAAE,CAAC;IAEL,uBAAA,IAAI,2CAAmB,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC7C,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,0DAA0D;AAC1D,oCAAoC;AACpC,0DAA0D;AAE1D,KAAK,uCACH,MAAc,EACd,GAAW,EACX,OAAe,EACf,QAAgB;IAEhB,MAAM,QAAQ,GAAG,uBAAA,IAAI,qCAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACjD,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,KAAK,IAAI,EAAE;QAC1B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,EAAE;gBACpC,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,uBAAA,IAAI,wCAAgB,CAAC;aAClD,CAAC,CAAC;YACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,IAAI,KAAK,CACb,8BAA8B,OAAO,UAAU,MAAM,WAAW,QAAQ,CAAC,MAAM,GAAG,CACnF,CAAC;YACJ,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnC,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACxC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC;YACvD,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,MAAM,IAAI,KAAK,CAAC,uBAAuB,GAAG,SAAS,MAAM,GAAG,CAAC,CAAC;YAChE,CAAC;YAED,+CAA+C;YAC/C,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,GAAG,EACH;gBACE,IAAI,EAAE,mBAAmB;gBACzB,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;aAC1B,EACD,IAAI,EACJ,CAAC,QAAQ,CAAC,CACX,CAAC;YAEF,uBAAA,IAAI,kCAAU,CAAC,GAAG,CAAC,QAAQ,EAAE;gBAC3B,KAAK,EAAE,GAAG;gBACV,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAA,IAAI,kCAAU;aACvC,CAAC,CAAC;YAEH,OAAO,GAAG,CAAC;QACb,CAAC;gBAAS,CAAC;YACT,uBAAA,IAAI,qCAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACrC,CAAC;IACH,CAAC,CAAC,EAAE,CAAC;IAEL,uBAAA,IAAI,qCAAa,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACzC,OAAO,OAAO,CAAC;AACjB,CAAC,qEAMa,KAAiC,EAAE,GAAW;IAC1D,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,IAAI,IAAI,CAAC,GAAG,EAAE,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;QAClC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAClB,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,KAAK,CAAC,KAAK,CAAC;AACrB,CAAC"}

package/dist/esm/discovery.d.ts

@@ -22,6 +22,8 @@ declare const OAuthAuthorizationServerMetadataSchema: z.ZodObject<{
     token_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
 }, z.ZodTypeAny, "passthrough">>;
 export type OAuthAuthorizationServerMetadata = z.infer<typeof OAuthAuthorizationServerMetadataSchema>;
-export declare function fetchAuthorizationServerMetadata(issuer: string): Promise<OAuthAuthorizationServerMetadata>;
+export declare function fetchAuthorizationServerMetadata(issuer: string, options?: {
+    signal?: AbortSignal;
+}): Promise<OAuthAuthorizationServerMetadata>;
 export {};
 //# sourceMappingURL=discovery.d.ts.map

package/dist/esm/discovery.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"discovery.d.ts","sourceRoot":"","sources":["../../src/discovery.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,QAAA,MAAM,sCAAsC;;;;;;;;;;;;;;;;;;;;;gCAO5B,CAAC;AAEjB,MAAM,MAAM,gCAAgC,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sCAAsC,CAAC,CAAC;AAEtG,wBAAsB,gCAAgC,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,gCAAgC,CAAC,CAsBhH"}
+{"version":3,"file":"discovery.d.ts","sourceRoot":"","sources":["../../src/discovery.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,QAAA,MAAM,sCAAsC;;;;;;;;;;;;;;;;;;;;;gCAO5B,CAAC;AAEjB,MAAM,MAAM,gCAAgC,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sCAAsC,CAAC,CAAC;AAEtG,wBAAsB,gCAAgC,CACpD,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,WAAW,CAAA;CAAE,GACjC,OAAO,CAAC,gCAAgC,CAAC,CAsB3C"}

package/dist/esm/discovery.js

@@ -7,14 +7,14 @@ const OAuthAuthorizationServerMetadataSchema = z.object({
     registration_endpoint: z.string().optional(),
     token_endpoint_auth_methods_supported: z.array(z.string()).optional(),
 }).passthrough();
-export async function fetchAuthorizationServerMetadata(issuer) {
+export async function fetchAuthorizationServerMetadata(issuer, options) {
     const issuerURL = new URL(issuer);
     let path = issuerURL.pathname;
     if (path.endsWith("/")) {
         path = path.slice(0, -1);
     }
     const url = new URL(`/.well-known/oauth-authorization-server${path}`, issuer);
-    const response = await fetch(url);
+    const response = await fetch(url, { signal: options?.signal });
     if (!response.ok) {
         throw new Error(`Failed to fetch OAuth authorization server metadata for "${issuer}"`);
     }

package/dist/esm/discovery.js.map

@@ -1 +1 @@
-{"version":3,"file":"discovery.js","sourceRoot":"","sources":["../../src/discovery.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,MAAM,sCAAsC,GAAG,CAAC,CAAC,MAAM,CAAC;IACtD,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;IAClB,sBAAsB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7C,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACrC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,qBAAqB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5C,qCAAqC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;CACtE,CAAC,CAAC,WAAW,EAAE,CAAC;AAIjB,MAAM,CAAC,KAAK,UAAU,gCAAgC,CAAC,MAAc;IACnE,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;IAClC,IAAI,IAAI,GAAG,SAAS,CAAC,QAAQ,CAAC;IAC9B,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAC3B,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,0CAA0C,IAAI,EAAE,EAAE,MAAM,CAAC,CAAC;IAC9E,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CACb,4DAA4D,MAAM,GAAG,CACtE,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACnC,MAAM,QAAQ,GAAG,sCAAsC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACpE,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,+DAA+D,MAAM,GAAG,CAAC,CAAC;IAC5F,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}
+{"version":3,"file":"discovery.js","sourceRoot":"","sources":["../../src/discovery.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,MAAM,sCAAsC,GAAG,CAAC,CAAC,MAAM,CAAC;IACtD,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;IAClB,sBAAsB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7C,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACrC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,qBAAqB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5C,qCAAqC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;CACtE,CAAC,CAAC,WAAW,EAAE,CAAC;AAIjB,MAAM,CAAC,KAAK,UAAU,gCAAgC,CACpD,MAAc,EACd,OAAkC;IAElC,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;IAClC,IAAI,IAAI,GAAG,SAAS,CAAC,QAAQ,CAAC;IAC9B,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAC3B,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,0CAA0C,IAAI,EAAE,EAAE,MAAM,CAAC,CAAC;IAC9E,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;IAC/D,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CACb,4DAA4D,MAAM,GAAG,CACtE,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACnC,MAAM,QAAQ,GAAG,sCAAsC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACpE,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,+DAA+D,MAAM,GAAG,CAAC,CAAC;IAC5F,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/esm/index.d.ts

@@ -1,4 +1,4 @@
-export type { OAuthKeyring, PrivateKeyring, IdentifiableKey } from "./keyring.js";
+export type { OAuthKeyring, PrivateKeyring, IdentifiableKey, JWKSOAuthKeyringOptions } from "./keyring.js";
 export { JWKSOAuthKeyring } from "./keyring.js";
 export { default as base64url } from "./base64url.js";
 export { fetchAuthorizationServerMetadata } from "./discovery.js";

package/dist/esm/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAClF,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,YAAY,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,iBAAiB,EAAE,UAAU,EAAE,iBAAiB,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AACnI,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,YAAY,EAAE,oBAAoB,EAAE,aAAa,EAAE,0BAA0B,EAAE,MAAM,oBAAoB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC3G,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,YAAY,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,iBAAiB,EAAE,UAAU,EAAE,iBAAiB,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AACnI,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,YAAY,EAAE,oBAAoB,EAAE,aAAa,EAAE,0BAA0B,EAAE,MAAM,oBAAoB,CAAC"}

package/dist/esm/keyring.d.ts

@@ -9,7 +9,18 @@ export type IdentifiableKey = {
 export interface PrivateKeyring {
     key(usage: string): Promise<IdentifiableKey>;
 }
+export interface JWKSOAuthKeyringOptions {
+    /** TTL for cached CryptoKeys. Default: 5 minutes. */
+    keyTtlMs?: number;
+    /** TTL for cached discovery (issuer → jwks_uri) mappings. Default: 1 hour. */
+    discoveryTtlMs?: number;
+    /** Timeout for both discovery and JWKS fetch requests. Default: 10 seconds. */
+    fetchTimeoutMs?: number;
+}
 export declare class JWKSOAuthKeyring implements OAuthKeyring {
+    #private;
+    constructor(options?: JWKSOAuthKeyringOptions);
     key(issuer: string, kid: string): Promise<CryptoKey>;
+    invalidate(issuer: string, kid: string): void;
 }
 //# sourceMappingURL=keyring.d.ts.map

package/dist/esm/keyring.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"keyring.d.ts","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,YAAY;IAC3B,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAA;CACrD;AAED,MAAM,MAAM,eAAe,GAAG;IAC5B,GAAG,EAAE,SAAS,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;CACb,CAAC;AAEF,MAAM,WAAW,cAAc;IAC7B,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CAAA;CAC7C;AAyBD,qBAAa,gBAAiB,YAAW,YAAY;IAE7C,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;CA8B3D"}
+{"version":3,"file":"keyring.d.ts","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,YAAY;IAC3B,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAA;CACrD;AAED,MAAM,MAAM,eAAe,GAAG;IAC5B,GAAG,EAAE,SAAS,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;CACb,CAAC;AAEF,MAAM,WAAW,cAAc;IAC7B,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CAAA;CAC7C;AAED,MAAM,WAAW,uBAAuB;IACtC,qDAAqD;IACrD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,8EAA8E;IAC9E,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,+EAA+E;IAC/E,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAuDD,qBAAa,gBAAiB,YAAW,YAAY;;gBAWvC,OAAO,CAAC,EAAE,uBAAuB;IAMvC,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;IAW1D,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,IAAI;CA4H9C"}

package/dist/esm/keyring.js

@@ -1,3 +1,15 @@
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var _JWKSOAuthKeyring_instances, _JWKSOAuthKeyring_keyTtlMs, _JWKSOAuthKeyring_discoveryTtlMs, _JWKSOAuthKeyring_fetchTimeoutMs, _JWKSOAuthKeyring_discoveryCache, _JWKSOAuthKeyring_keyCache, _JWKSOAuthKeyring_discoveryInflight, _JWKSOAuthKeyring_keyInflight, _JWKSOAuthKeyring_resolveJwksUri, _JWKSOAuthKeyring_resolveKey, _JWKSOAuthKeyring_getCached;
 import { z } from "zod";
 import { fetchAuthorizationServerMetadata } from "./discovery.js";
 const JWKSchema = z.object({
@@ -18,28 +30,136 @@ const ECJWKSchema = JWKSchema.extend({
 const JWKSetSchema = z.object({
     keys: z.array(z.union([RSAJWKSchema, ECJWKSchema])),
 });
+const DEFAULT_KEY_TTL_MS = 5 * 60 * 1000; // 5 minutes
+const DEFAULT_DISCOVERY_TTL_MS = 60 * 60 * 1000; // 1 hour
+const DEFAULT_FETCH_TIMEOUT_MS = 10_000; // 10 seconds
+function assertSameOrigin(issuer, jwksUri) {
+    const issuerOrigin = new URL(issuer).origin;
+    const jwksOrigin = new URL(jwksUri).origin;
+    if (issuerOrigin !== jwksOrigin) {
+        throw new Error(`JWKS URI origin "${jwksOrigin}" does not match issuer origin "${issuerOrigin}" for "${issuer}"`);
+    }
+}
+function keyCacheKey(issuer, kid) {
+    return `${issuer}::${kid}`;
+}
+// ---------------------------------------------------------------------------
+// JWKSOAuthKeyring — two-level cached keyring
+// ---------------------------------------------------------------------------
 export class JWKSOAuthKeyring {
+    constructor(options) {
+        _JWKSOAuthKeyring_instances.add(this);
+        _JWKSOAuthKeyring_keyTtlMs.set(this, void 0);
+        _JWKSOAuthKeyring_discoveryTtlMs.set(this, void 0);
+        _JWKSOAuthKeyring_fetchTimeoutMs.set(this, void 0);
+        _JWKSOAuthKeyring_discoveryCache.set(this, new Map());
+        _JWKSOAuthKeyring_keyCache.set(this, new Map());
+        _JWKSOAuthKeyring_discoveryInflight.set(this, new Map());
+        _JWKSOAuthKeyring_keyInflight.set(this, new Map());
+        __classPrivateFieldSet(this, _JWKSOAuthKeyring_keyTtlMs, options?.keyTtlMs ?? DEFAULT_KEY_TTL_MS, "f");
+        __classPrivateFieldSet(this, _JWKSOAuthKeyring_discoveryTtlMs, options?.discoveryTtlMs ?? DEFAULT_DISCOVERY_TTL_MS, "f");
+        __classPrivateFieldSet(this, _JWKSOAuthKeyring_fetchTimeoutMs, options?.fetchTimeoutMs ?? DEFAULT_FETCH_TIMEOUT_MS, "f");
+    }
     async key(issuer, kid) {
-        const authorizationServer = await fetchAuthorizationServerMetadata(issuer);
-        if (!authorizationServer.jwks_uri) {
-            throw new Error(`No JSON Web Key Set available for "${issuer}"`);
+        const cacheKey = keyCacheKey(issuer, kid);
+        const cached = __classPrivateFieldGet(this, _JWKSOAuthKeyring_instances, "m", _JWKSOAuthKeyring_getCached).call(this, __classPrivateFieldGet(this, _JWKSOAuthKeyring_keyCache, "f"), cacheKey);
+        if (cached) {
+            return cached;
+        }
+        const jwksUri = await __classPrivateFieldGet(this, _JWKSOAuthKeyring_instances, "m", _JWKSOAuthKeyring_resolveJwksUri).call(this, issuer);
+        return __classPrivateFieldGet(this, _JWKSOAuthKeyring_instances, "m", _JWKSOAuthKeyring_resolveKey).call(this, issuer, kid, jwksUri, cacheKey);
+    }
+    invalidate(issuer, kid) {
+        const cacheKey = keyCacheKey(issuer, kid);
+        __classPrivateFieldGet(this, _JWKSOAuthKeyring_keyCache, "f").delete(cacheKey);
+        __classPrivateFieldGet(this, _JWKSOAuthKeyring_keyInflight, "f").delete(cacheKey);
+        __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryCache, "f").delete(issuer);
+        __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryInflight, "f").delete(issuer);
+    }
+}
+_JWKSOAuthKeyring_keyTtlMs = new WeakMap(), _JWKSOAuthKeyring_discoveryTtlMs = new WeakMap(), _JWKSOAuthKeyring_fetchTimeoutMs = new WeakMap(), _JWKSOAuthKeyring_discoveryCache = new WeakMap(), _JWKSOAuthKeyring_keyCache = new WeakMap(), _JWKSOAuthKeyring_discoveryInflight = new WeakMap(), _JWKSOAuthKeyring_keyInflight = new WeakMap(), _JWKSOAuthKeyring_instances = new WeakSet(), _JWKSOAuthKeyring_resolveJwksUri = 
+// -------------------------------------------------------
+// Discovery resolution with cache + dedup
+// -------------------------------------------------------
+async function _JWKSOAuthKeyring_resolveJwksUri(issuer) {
+    const cached = __classPrivateFieldGet(this, _JWKSOAuthKeyring_instances, "m", _JWKSOAuthKeyring_getCached).call(this, __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryCache, "f"), issuer);
+    if (cached) {
+        return cached;
+    }
+    const inflight = __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryInflight, "f").get(issuer);
+    if (inflight) {
+        return inflight;
+    }
+    const promise = (async () => {
+        try {
+            const metadata = await fetchAuthorizationServerMetadata(issuer, {
+                signal: AbortSignal.timeout(__classPrivateFieldGet(this, _JWKSOAuthKeyring_fetchTimeoutMs, "f")),
+            });
+            if (!metadata.jwks_uri) {
+                throw new Error(`No JSON Web Key Set available for "${issuer}"`);
+            }
+            assertSameOrigin(issuer, metadata.jwks_uri);
+            __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryCache, "f").set(issuer, {
+                value: metadata.jwks_uri,
+                expiresAt: Date.now() + __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryTtlMs, "f"),
+            });
+            return metadata.jwks_uri;
         }
-        const response = await fetch(authorizationServer.jwks_uri);
-        if (!response.ok) {
-            throw new Error(`Failed to fetch OAuth authorization server metadata for "${issuer}"`);
+        finally {
+            __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryInflight, "f").delete(issuer);
         }
-        const json = await response.json();
-        const jwkSet = JWKSetSchema.parse(json);
-        const jwk = jwkSet.keys.find((jwk) => jwk.kid === kid);
-        if (!jwk) {
-            throw new Error(`Failed to find key "${kid}" of "${issuer}"`);
+    })();
+    __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryInflight, "f").set(issuer, promise);
+    return promise;
+}, _JWKSOAuthKeyring_resolveKey = 
+// -------------------------------------------------------
+// Key resolution with cache + dedup
+// -------------------------------------------------------
+async function _JWKSOAuthKeyring_resolveKey(issuer, kid, jwksUri, cacheKey) {
+    const inflight = __classPrivateFieldGet(this, _JWKSOAuthKeyring_keyInflight, "f").get(cacheKey);
+    if (inflight) {
+        return inflight;
+    }
+    const promise = (async () => {
+        try {
+            const response = await fetch(jwksUri, {
+                signal: AbortSignal.timeout(__classPrivateFieldGet(this, _JWKSOAuthKeyring_fetchTimeoutMs, "f")),
+            });
+            if (!response.ok) {
+                throw new Error(`Failed to fetch JWKS from "${jwksUri}" for "${issuer}" (HTTP ${response.status})`);
+            }
+            const json = await response.json();
+            const jwkSet = JWKSetSchema.parse(json);
+            const jwk = jwkSet.keys.find((jwk) => jwk.kid === kid);
+            if (!jwk) {
+                throw new Error(`Failed to find key "${kid}" of "${issuer}"`);
+            }
+            // TODO: make this more robust to uses and algs
+            const key = await crypto.subtle.importKey('jwk', jwk, {
+                name: 'RSASSA-PKCS1-v1_5',
+                hash: { name: 'SHA-256' },
+            }, true, ['verify']);
+            __classPrivateFieldGet(this, _JWKSOAuthKeyring_keyCache, "f").set(cacheKey, {
+                value: key,
+                expiresAt: Date.now() + __classPrivateFieldGet(this, _JWKSOAuthKeyring_keyTtlMs, "f"),
+            });
+            return key;
         }
-        // TODO: make this more robust to uses and algs
-        const key = await crypto.subtle.importKey('jwk', jwk, {
-            name: 'RSASSA-PKCS1-v1_5',
-            hash: { name: 'SHA-256' },
-        }, true, ['verify']);
-        return key;
+        finally {
+            __classPrivateFieldGet(this, _JWKSOAuthKeyring_keyInflight, "f").delete(cacheKey);
+        }
+    })();
+    __classPrivateFieldGet(this, _JWKSOAuthKeyring_keyInflight, "f").set(cacheKey, promise);
+    return promise;
+}, _JWKSOAuthKeyring_getCached = function _JWKSOAuthKeyring_getCached(cache, key) {
+    const entry = cache.get(key);
+    if (!entry) {
+        return undefined;
     }
-}
+    if (Date.now() >= entry.expiresAt) {
+        cache.delete(key);
+        return undefined;
+    }
+    return entry.value;
+};
 //# sourceMappingURL=keyring.js.map

package/dist/esm/keyring.js.map

@@ -1 +1 @@
-{"version":3,"file":"keyring.js","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAiBlE,MAAM,SAAS,GAAG,CAAC,CAAC,MAAM,CAAC;IACzB,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;IACf,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC3B,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,SAAS,CAAC,MAAM,CAAC;IACpC,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,WAAW,GAAG,SAAS,CAAC,MAAM,CAAC;IACnC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;IACf,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,CAAC,CAAC,MAAM,CAAC;IAC5B,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC,CAAC;CACpD,CAAC,CAAC;AAEH,MAAM,OAAO,gBAAgB;IAE3B,KAAK,CAAC,GAAG,CAAC,MAAc,EAAE,GAAW;QACnC,MAAM,mBAAmB,GAAG,MAAM,gCAAgC,CAAC,MAAM,CAAC,CAAC;QAC3E,IAAI,CAAC,mBAAmB,CAAC,QAAQ,EAAE,CAAC;YAClC,MAAM,IAAI,KAAK,CAAC,sCAAsC,MAAM,GAAG,CAAC,CAAC;QACnE,CAAC;QACD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,mBAAmB,CAAC,QAAQ,CAAC,CAAC;QAC3D,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,4DAA4D,MAAM,GAAG,CAAC,CAAC;QACzF,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACnC,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACxC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC;QACvD,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,MAAM,IAAI,KAAK,CAAC,uBAAuB,GAAG,SAAS,MAAM,GAAG,CAAC,CAAC;QAChE,CAAC;QAED,+CAA+C;QAC/C,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,GAAG,EACH;YACE,IAAI,EAAE,mBAAmB;YACzB,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;SAC1B,EACD,IAAI,EACJ,CAAC,QAAQ,CAAC,CACX,CAAC;QACF,OAAO,GAAG,CAAC;IACb,CAAC;CACF"}
+{"version":3,"file":"keyring.js","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAyBlE,MAAM,SAAS,GAAG,CAAC,CAAC,MAAM,CAAC;IACzB,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;IACf,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC3B,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,SAAS,CAAC,MAAM,CAAC;IACpC,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,WAAW,GAAG,SAAS,CAAC,MAAM,CAAC;IACnC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;IACf,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,CAAC,CAAC,MAAM,CAAC;IAC5B,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC,CAAC;CACpD,CAAC,CAAC;AAWH,MAAM,kBAAkB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAQ,YAAY;AAC7D,MAAM,wBAAwB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAE,SAAS;AAC3D,MAAM,wBAAwB,GAAG,MAAM,CAAC,CAAW,aAAa;AAEhE,SAAS,gBAAgB,CAAC,MAAc,EAAE,OAAe;IACvD,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC;IAC5C,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;IAC3C,IAAI,YAAY,KAAK,UAAU,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CACb,oBAAoB,UAAU,mCAAmC,YAAY,UAAU,MAAM,GAAG,CACjG,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAAC,MAAc,EAAE,GAAW;IAC9C,OAAO,GAAG,MAAM,KAAK,GAAG,EAAE,CAAC;AAC7B,CAAC;AAED,8EAA8E;AAC9E,8CAA8C;AAC9C,8EAA8E;AAE9E,MAAM,OAAO,gBAAgB;IAW3B,YAAY,OAAiC;;QAV7C,6CAAkB;QAClB,mDAAwB;QACxB,mDAAwB;QAExB,2CAAkB,IAAI,GAAG,EAA8B,EAAC;QACxD,qCAAY,IAAI,GAAG,EAAiC,EAAC;QAErD,8CAAqB,IAAI,GAAG,EAA2B,EAAC;QACxD,wCAAe,IAAI,GAAG,EAA8B,EAAC;QAGnD,uBAAA,IAAI,8BAAa,OAAO,EAAE,QAAQ,IAAI,kBAAkB,MAAA,CAAC;QACzD,uBAAA,IAAI,oCAAmB,OAAO,EAAE,cAAc,IAAI,wBAAwB,MAAA,CAAC;QAC3E,uBAAA,IAAI,oCAAmB,OAAO,EAAE,cAAc,IAAI,wBAAwB,MAAA,CAAC;IAC7E,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,MAAc,EAAE,GAAW;QACnC,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC1C,MAAM,MAAM,GAAG,uBAAA,IAAI,gEAAW,MAAf,IAAI,EAAY,uBAAA,IAAI,kCAAU,EAAE,QAAQ,CAAC,CAAC;QACzD,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,uBAAA,IAAI,qEAAgB,MAApB,IAAI,EAAiB,MAAM,CAAC,CAAC;QACnD,OAAO,uBAAA,IAAI,iEAAY,MAAhB,IAAI,EAAa,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC1D,CAAC;IAED,UAAU,CAAC,MAAc,EAAE,GAAW;QACpC,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC1C,uBAAA,IAAI,kCAAU,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAChC,uBAAA,IAAI,qCAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACnC,uBAAA,IAAI,wCAAgB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACpC,uBAAA,IAAI,2CAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACzC,CAAC;CAsHF;;AApHC,0DAA0D;AAC1D,0CAA0C;AAC1C,0DAA0D;AAE1D,KAAK,2CAAiB,MAAc;IAClC,MAAM,MAAM,GAAG,uBAAA,IAAI,gEAAW,MAAf,IAAI,EAAY,uBAAA,IAAI,wCAAgB,EAAE,MAAM,CAAC,CAAC;IAC7D,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,QAAQ,GAAG,uBAAA,IAAI,2CAAmB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACrD,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,KAAK,IAAI,EAAE;QAC1B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,gCAAgC,CAAC,MAAM,EAAE;gBAC9D,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,uBAAA,IAAI,wCAAgB,CAAC;aAClD,CAAC,CAAC;YACH,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;gBACvB,MAAM,IAAI,KAAK,CAAC,sCAAsC,MAAM,GAAG,CAAC,CAAC;YACnE,CAAC;YAED,gBAAgB,CAAC,MAAM,EAAE,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAE5C,uBAAA,IAAI,wCAAgB,CAAC,GAAG,CAAC,MAAM,EAAE;gBAC/B,KAAK,EAAE,QAAQ,CAAC,QAAQ;gBACxB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAA,IAAI,wCAAgB;aAC7C,CAAC,CAAC;YAEH,OAAO,QAAQ,CAAC,QAAQ,CAAC;QAC3B,CAAC;gBAAS,CAAC;YACT,uBAAA,IAAI,2CAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACzC,CAAC;IACH,CAAC,CAAC,EAAE,CAAC;IAEL,uBAAA,IAAI,2CAAmB,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC7C,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,0DAA0D;AAC1D,oCAAoC;AACpC,0DAA0D;AAE1D,KAAK,uCACH,MAAc,EACd,GAAW,EACX,OAAe,EACf,QAAgB;IAEhB,MAAM,QAAQ,GAAG,uBAAA,IAAI,qCAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACjD,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,KAAK,IAAI,EAAE;QAC1B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,EAAE;gBACpC,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,uBAAA,IAAI,wCAAgB,CAAC;aAClD,CAAC,CAAC;YACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,IAAI,KAAK,CACb,8BAA8B,OAAO,UAAU,MAAM,WAAW,QAAQ,CAAC,MAAM,GAAG,CACnF,CAAC;YACJ,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnC,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACxC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC;YACvD,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,MAAM,IAAI,KAAK,CAAC,uBAAuB,GAAG,SAAS,MAAM,GAAG,CAAC,CAAC;YAChE,CAAC;YAED,+CAA+C;YAC/C,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,GAAG,EACH;gBACE,IAAI,EAAE,mBAAmB;gBACzB,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;aAC1B,EACD,IAAI,EACJ,CAAC,QAAQ,CAAC,CACX,CAAC;YAEF,uBAAA,IAAI,kCAAU,CAAC,GAAG,CAAC,QAAQ,EAAE;gBAC3B,KAAK,EAAE,GAAG;gBACV,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAA,IAAI,kCAAU;aACvC,CAAC,CAAC;YAEH,OAAO,GAAG,CAAC;QACb,CAAC;gBAAS,CAAC;YACT,uBAAA,IAAI,qCAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACrC,CAAC;IACH,CAAC,CAAC,EAAE,CAAC;IAEL,uBAAA,IAAI,qCAAa,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACzC,OAAO,OAAO,CAAC;AACjB,CAAC,qEAMa,KAAiC,EAAE,GAAW;IAC1D,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,IAAI,IAAI,CAAC,GAAG,EAAE,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;QAClC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAClB,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,KAAK,CAAC,KAAK,CAAC;AACrB,CAAC"}

package/package.json

@@ -1,8 +1,13 @@
 {
   "name": "@keycardai/oauth",
-  "version": "0.1.0",
+  "version": "0.1.2",
   "description": "Pure OAuth 2.0 primitives for Keycard — JWKS key management, JWT signing/verification, and authorization server discovery",
   "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/keycardai/typescript-sdk.git",
+    "directory": "packages/oauth"
+  },
   "type": "module",
   "exports": {
     ".": {
@@ -51,20 +56,26 @@
   ],
   "typesVersions": {
     "*": {
-      "*": ["./dist/esm/*"]
+      "*": [
+        "./dist/esm/*"
+      ]
     }
   },
+  "dependencies": {
+    "zod": "^3.25.74"
+  },
+  "devDependencies": {
+    "@jest/globals": "^30.0.4",
+    "jest": "^30.0.4",
+    "ts-jest": "^29.4.0",
+    "typescript": "^5.8.3"
+  },
   "scripts": {
     "build": "pnpm run build:esm && pnpm run build:cjs",
     "build:esm": "tsc -p tsconfig.prod.json && echo '{\"type\": \"module\"}' > dist/esm/package.json",
     "build:cjs": "tsc -p tsconfig.cjs.json && echo '{\"type\": \"commonjs\"}' > dist/cjs/package.json",
+    "test": "NODE_OPTIONS='--experimental-vm-modules' jest",
     "typecheck": "tsc --noEmit",
     "clean": "rm -rf dist"
-  },
-  "dependencies": {
-    "zod": "^3.25.74"
-  },
-  "devDependencies": {
-    "typescript": "^5.8.3"
   }
-}
+}