@keycardai/oauth 0.2.0 → 0.3.0

package/README.md

@@ -28,8 +28,13 @@ const token = await signer.sign({
   scope: "read write",
 });
 
-// Verify a JWT
-const verifier = new JWTVerifier(keyring);
+// Verify a JWT. `issuers` is required — it binds the verifier to the
+// authorization server(s) you trust. Tokens with any other `iss` are
+// rejected before the keyring is consulted.
+const verifier = new JWTVerifier(keyring, {
+  issuers: "https://your-zone.keycard.cloud",
+  // audiences: "https://api.example.com", // optional
+});
 const claims = await verifier.verify(token);
 ```
 

package/dist/cjs/credentials.d.ts

@@ -0,0 +1,18 @@
+import type { TokenExchangeRequest } from "./tokenExchange.js";
+/**
+ * Common interface for application-level credentials used in token exchange.
+ *
+ * Implementations live in downstream packages (@keycardai/mcp, @keycardai/cloudflare)
+ * because they depend on platform-specific APIs (Node.js fs, Cloudflare Workers, etc.).
+ */
+export interface ApplicationCredential {
+    getAuth(): {
+        clientId: string;
+        clientSecret: string;
+    } | null;
+    prepareTokenExchangeRequest(subjectToken: string, resource: string, options?: {
+        tokenEndpoint?: string;
+        authInfo?: Record<string, string>;
+    }): Promise<TokenExchangeRequest>;
+}
+//# sourceMappingURL=credentials.d.ts.map

package/dist/cjs/credentials.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credentials.d.ts","sourceRoot":"","sources":["../../src/credentials.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAE/D;;;;;GAKG;AACH,MAAM,WAAW,qBAAqB;IACpC,OAAO,IAAI;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;IAC7D,2BAA2B,CACzB,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;QAAE,aAAa,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE,GACtE,OAAO,CAAC,oBAAoB,CAAC,CAAC;CAClC"}

package/dist/cjs/credentials.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=credentials.js.map

package/dist/cjs/credentials.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"credentials.js","sourceRoot":"","sources":["../../src/credentials.ts"],"names":[],"mappings":""}

package/dist/cjs/index.d.ts

@@ -9,4 +9,5 @@ export type { JWTClaims } from "./jwt/signer.js";
 export { JWTVerifier } from "./jwt/verifier.js";
 export { TokenExchangeClient } from "./tokenExchange.js";
 export type { TokenExchangeRequest, TokenResponse, TokenExchangeClientOptions } from "./tokenExchange.js";
+export type { ApplicationCredential } from "./credentials.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/cjs/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC3G,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,YAAY,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,iBAAiB,EAAE,UAAU,EAAE,iBAAiB,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AACnI,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,YAAY,EAAE,oBAAoB,EAAE,aAAa,EAAE,0BAA0B,EAAE,MAAM,oBAAoB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC3G,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,YAAY,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,iBAAiB,EAAE,UAAU,EAAE,iBAAiB,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AACnI,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,YAAY,EAAE,oBAAoB,EAAE,aAAa,EAAE,0BAA0B,EAAE,MAAM,oBAAoB,CAAC;AAC1G,YAAY,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC"}

package/dist/cjs/jwt/verifier.d.ts

@@ -1,8 +1,29 @@
 import { OAuthKeyring } from "../keyring.js";
 import type { JWTClaims } from "./signer.js";
+export interface JWTVerifierOptions {
+    /**
+     * Issuer(s) this verifier will accept. The `iss` claim in a presented token
+     * must exactly match (string equality) one of these values. Tokens with any
+     * other issuer are rejected before any key lookup or network I/O runs.
+     */
+    issuers: string | readonly string[];
+    /**
+     * Audience(s) the token must be intended for. When configured, the token's
+     * `aud` claim must be present and contain at least one of these values.
+     * When omitted, audience is not validated.
+     */
+    audiences?: string | readonly string[];
+    /**
+     * Allowed JWT algorithms. Defaults to `["RS256"]`. The `alg` header of a
+     * presented token must be a member. `"none"` is always rejected. Values
+     * must be in the set the verifier actually implements (currently only
+     * `"RS256"`).
+     */
+    algorithms?: readonly string[];
+}
 export declare class JWTVerifier {
     #private;
-    constructor(keyring: OAuthKeyring);
+    constructor(keyring: OAuthKeyring, options: JWTVerifierOptions);
     verify(token: string): Promise<JWTClaims>;
 }
 //# sourceMappingURL=verifier.d.ts.map

package/dist/cjs/jwt/verifier.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"verifier.d.ts","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAG7C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAE7C,qBAAa,WAAW;;gBAGV,OAAO,EAAE,YAAY;IAI3B,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;CA2BhD"}
+{"version":3,"file":"verifier.d.ts","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAG7C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAE7C,MAAM,WAAW,kBAAkB;IACjC;;;;OAIG;IACH,OAAO,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,CAAC;IAEpC;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,CAAC;IAEvC;;;;;OAKG;IACH,UAAU,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CAChC;AAUD,qBAAa,WAAW;;gBAMV,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,kBAAkB;IA+BxD,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;CA4FhD"}

package/dist/cjs/jwt/verifier.js

@@ -13,27 +13,119 @@ var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
-var _JWTVerifier_keyring;
+var _JWTVerifier_keyring, _JWTVerifier_issuers, _JWTVerifier_audiences, _JWTVerifier_algorithms;
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.JWTVerifier = void 0;
 const errors_js_1 = require("../errors.js");
 const base64url_js_1 = __importDefault(require("../base64url.js"));
+// The single `crypto.subtle.verify` call in `verify()` is hardcoded to
+// RSASSA-PKCS1-v1_5 + SHA-256, so the `algorithms` option is only meaningful
+// as an allowlist that's a subset of what we actually implement. Used both
+// as the default when the option is omitted and to validate user-supplied
+// values at construction time.
+const SUPPORTED_ALGORITHMS = ["RS256"];
+const SUPPORTED_ALGORITHM_SET = new Set(SUPPORTED_ALGORITHMS);
 class JWTVerifier {
-    constructor(keyring) {
+    constructor(keyring, options) {
         _JWTVerifier_keyring.set(this, void 0);
+        _JWTVerifier_issuers.set(this, void 0);
+        _JWTVerifier_audiences.set(this, void 0);
+        _JWTVerifier_algorithms.set(this, void 0);
+        const rawIssuers = typeof options?.issuers === "string" ? [options.issuers] : options?.issuers ?? [];
+        if (rawIssuers.length === 0) {
+            throw new Error("JWTVerifier requires at least one trusted issuer");
+        }
+        const rawAudiences = typeof options.audiences === "string"
+            ? [options.audiences]
+            : options.audiences ?? [];
+        const rawAlgorithms = options.algorithms ?? SUPPORTED_ALGORITHMS;
+        for (const alg of rawAlgorithms) {
+            if (!SUPPORTED_ALGORITHM_SET.has(alg)) {
+                throw new Error(`JWTVerifier does not implement signature verification for "${alg}". ` +
+                    `Supported: ${SUPPORTED_ALGORITHMS.join(", ")}.`);
+            }
+        }
         __classPrivateFieldSet(this, _JWTVerifier_keyring, keyring, "f");
+        __classPrivateFieldSet(this, _JWTVerifier_issuers, new Set(rawIssuers), "f");
+        // An empty `audiences` list means "unconfigured" — matches the ergonomic
+        // intent of passing `audiences: []`. A non-empty list switches audience
+        // validation on; a missing `aud` fails closed.
+        __classPrivateFieldSet(this, _JWTVerifier_audiences, rawAudiences.length > 0 ? new Set(rawAudiences) : undefined, "f");
+        __classPrivateFieldSet(this, _JWTVerifier_algorithms, new Set(rawAlgorithms), "f");
     }
     async verify(token) {
-        const [header, payload, signature, ...rest] = token.split('.');
-        const jsonHeader = JSON.parse(autob(header));
-        const jsonPayload = JSON.parse(autob(payload));
+        const parts = token.split(".");
+        if (parts.length !== 3) {
+            throw new errors_js_1.InvalidTokenError("Malformed JWT");
+        }
+        const [header, payload, signature] = parts;
+        let jsonHeader;
+        let jsonPayload;
+        try {
+            jsonHeader = JSON.parse(autob(header));
+            jsonPayload = JSON.parse(autob(payload));
+        }
+        catch {
+            throw new errors_js_1.InvalidTokenError("Malformed JWT");
+        }
+        // Algorithm allowlist. Reject "none" and anything outside the allowlist
+        // before any other work.
+        if (!jsonHeader.alg || jsonHeader.alg === "none" || !__classPrivateFieldGet(this, _JWTVerifier_algorithms, "f").has(jsonHeader.alg)) {
+            throw new errors_js_1.InvalidTokenError(`Unsupported JWT algorithm: ${jsonHeader.alg ?? "none"}`);
+        }
+        // Issuer allowlist. Rejected BEFORE any keyring call — guarantees a token
+        // with an attacker-controlled `iss` can't trigger discovery against an
+        // untrusted URL.
         if (!jsonPayload.iss) {
             throw new errors_js_1.InvalidTokenError("JWT missing issuer (iss) claim");
         }
+        if (!__classPrivateFieldGet(this, _JWTVerifier_issuers, "f").has(jsonPayload.iss)) {
+            throw new errors_js_1.InvalidTokenError("Untrusted issuer");
+        }
+        // Required claims per RFC 9068 § 2.2. Reject NaN / Infinity explicitly —
+        // `typeof NaN === "number"` passes the type check but would make every
+        // comparison below false (and with `exp: NaN` that means effectively no
+        // expiration).
+        if (!Number.isFinite(jsonPayload.exp)) {
+            throw new errors_js_1.InvalidTokenError("JWT missing expiration (exp) claim");
+        }
+        if (!jsonPayload.client_id) {
+            throw new errors_js_1.InvalidTokenError("JWT missing client_id claim");
+        }
+        // Time-based claims.
+        const now = Math.floor(Date.now() / 1000);
+        if (now > jsonPayload.exp) {
+            throw new errors_js_1.InvalidTokenError("Token expired");
+        }
+        if (jsonPayload.nbf !== undefined) {
+            if (!Number.isFinite(jsonPayload.nbf)) {
+                throw new errors_js_1.InvalidTokenError("JWT has invalid not-before (nbf) claim");
+            }
+            if (now < jsonPayload.nbf) {
+                throw new errors_js_1.InvalidTokenError("Token not yet valid");
+            }
+        }
+        // Audience check, if configured. Missing `aud` fails closed when audiences
+        // are required — matches RFC 8707 resource-indicator expectations.
+        if (__classPrivateFieldGet(this, _JWTVerifier_audiences, "f")) {
+            const aud = jsonPayload.aud;
+            if (aud === undefined) {
+                throw new errors_js_1.InvalidTokenError("JWT missing audience (aud) claim");
+            }
+            const audValues = Array.isArray(aud) ? aud : [aud];
+            const matched = audValues.some((a) => __classPrivateFieldGet(this, _JWTVerifier_audiences, "f").has(a));
+            if (!matched) {
+                throw new errors_js_1.InvalidTokenError("Audience mismatch");
+            }
+        }
+        // Only after all cheap policy checks do we touch the keyring.
+        if (!jsonHeader.kid) {
+            throw new errors_js_1.InvalidTokenError("JWT missing key id (kid) header");
+        }
         const key = await __classPrivateFieldGet(this, _JWTVerifier_keyring, "f").key(jsonPayload.iss, jsonHeader.kid);
         const verified = await crypto.subtle.verify({
-            name: 'RSASSA-PKCS1-v1_5',
-            hash: { name: 'SHA-256' },
+            name: "RSASSA-PKCS1-v1_5",
+            hash: { name: "SHA-256" },
         }, key, base64url_js_1.default.decode(signature), new TextEncoder().encode(`${header}.${payload}`));
         if (!verified) {
             throw new errors_js_1.InvalidTokenError("Invalid signature");
@@ -42,8 +134,8 @@ class JWTVerifier {
     }
 }
 exports.JWTVerifier = JWTVerifier;
-_JWTVerifier_keyring = new WeakMap();
+_JWTVerifier_keyring = new WeakMap(), _JWTVerifier_issuers = new WeakMap(), _JWTVerifier_audiences = new WeakMap(), _JWTVerifier_algorithms = new WeakMap();
 function autob(data) {
-    return atob(data.replace(/-/g, '+').replace(/_/g, '/'));
+    return atob(data.replace(/-/g, "+").replace(/_/g, "/"));
 }
 //# sourceMappingURL=verifier.js.map

package/dist/cjs/jwt/verifier.js.map

@@ -1 +1 @@
-{"version":3,"file":"verifier.js","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;AACA,4CAAiD;AACjD,mEAAwC;AAGxC,MAAa,WAAW;IAGtB,YAAY,OAAqB;QAFjC,uCAAuB;QAGrB,uBAAA,IAAI,wBAAY,OAAO,MAAA,CAAC;IAC1B,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,IAAI,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAE/D,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;QAC7C,MAAM,WAAW,GAAc,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAE1D,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,CAAC;YACrB,MAAM,IAAI,6BAAiB,CAAC,gCAAgC,CAAC,CAAC;QAChE,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,uBAAA,IAAI,4BAAS,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC;QAErE,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CACzC;YACE,IAAI,EAAE,mBAAmB;YACzB,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;SAC1B,EACD,GAAG,EACH,sBAAS,CAAC,MAAM,CAAC,SAAS,CAAC,EAC3B,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,MAAM,IAAI,OAAO,EAAE,CAAC,CACjD,CAAC;QACF,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,6BAAiB,CAAC,mBAAmB,CAAC,CAAC;QACnD,CAAC;QAED,OAAO,WAAW,CAAC;IACrB,CAAC;CACF;AAlCD,kCAkCC;;AAED,SAAS,KAAK,CAAC,IAAY;IACzB,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;AAC1D,CAAC"}
+{"version":3,"file":"verifier.js","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;AACA,4CAAiD;AACjD,mEAAwC;AA2BxC,uEAAuE;AACvE,6EAA6E;AAC7E,2EAA2E;AAC3E,0EAA0E;AAC1E,+BAA+B;AAC/B,MAAM,oBAAoB,GAAG,CAAC,OAAO,CAAU,CAAC;AAChD,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAS,oBAAoB,CAAC,CAAC;AAEtE,MAAa,WAAW;IAMtB,YAAY,OAAqB,EAAE,OAA2B;QAL9D,uCAAuB;QACvB,uCAA8B;QAC9B,yCAAiC;QACjC,0CAAiC;QAG/B,MAAM,UAAU,GACd,OAAO,OAAO,EAAE,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,OAAO,IAAI,EAAE,CAAC;QACpF,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACtE,CAAC;QAED,MAAM,YAAY,GAChB,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ;YACnC,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;YACrB,CAAC,CAAC,OAAO,CAAC,SAAS,IAAI,EAAE,CAAC;QAE9B,MAAM,aAAa,GAAG,OAAO,CAAC,UAAU,IAAI,oBAAoB,CAAC;QACjE,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;YAChC,IAAI,CAAC,uBAAuB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gBACtC,MAAM,IAAI,KAAK,CACb,8DAA8D,GAAG,KAAK;oBACpE,cAAc,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CACnD,CAAC;YACJ,CAAC;QACH,CAAC;QAED,uBAAA,IAAI,wBAAY,OAAO,MAAA,CAAC;QACxB,uBAAA,IAAI,wBAAY,IAAI,GAAG,CAAC,UAAU,CAAC,MAAA,CAAC;QACpC,yEAAyE;QACzE,wEAAwE;QACxE,+CAA+C;QAC/C,uBAAA,IAAI,0BAAc,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,SAAS,MAAA,CAAC;QAC9E,uBAAA,IAAI,2BAAe,IAAI,GAAG,CAAC,aAAa,CAAC,MAAA,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,6BAAiB,CAAC,eAAe,CAAC,CAAC;QAC/C,CAAC;QACD,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,CAAC,GAAG,KAAK,CAAC;QAE3C,IAAI,UAA0C,CAAC;QAC/C,IAAI,WAAsB,CAAC;QAC3B,IAAI,CAAC;YACH,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YACvC,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAC3C,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,6BAAiB,CAAC,eAAe,CAAC,CAAC;QAC/C,CAAC;QAED,wEAAwE;QACxE,yBAAyB;QACzB,IAAI,CAAC,UAAU,CAAC,GAAG,IAAI,UAAU,CAAC,GAAG,KAAK,MAAM,IAAI,CAAC,uBAAA,IAAI,+BAAY,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1F,MAAM,IAAI,6BAAiB,CAAC,8BAA8B,UAAU,CAAC,GAAG,IAAI,MAAM,EAAE,CAAC,CAAC;QACxF,CAAC;QAED,0EAA0E;QAC1E,uEAAuE;QACvE,iBAAiB;QACjB,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,CAAC;YACrB,MAAM,IAAI,6BAAiB,CAAC,gCAAgC,CAAC,CAAC;QAChE,CAAC;QACD,IAAI,CAAC,uBAAA,IAAI,4BAAS,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;YACxC,MAAM,IAAI,6BAAiB,CAAC,kBAAkB,CAAC,CAAC;QAClD,CAAC;QAED,yEAAyE;QACzE,uEAAuE;QACvE,wEAAwE;QACxE,eAAe;QACf,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;YACtC,MAAM,IAAI,6BAAiB,CAAC,oCAAoC,CAAC,CAAC;QACpE,CAAC;QACD,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,CAAC;YAC3B,MAAM,IAAI,6BAAiB,CAAC,6BAA6B,CAAC,CAAC;QAC7D,CAAC;QAED,qBAAqB;QACrB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,IAAI,GAAG,GAAI,WAAW,CAAC,GAAc,EAAE,CAAC;YACtC,MAAM,IAAI,6BAAiB,CAAC,eAAe,CAAC,CAAC;QAC/C,CAAC;QACD,IAAI,WAAW,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;YAClC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;gBACtC,MAAM,IAAI,6BAAiB,CAAC,wCAAwC,CAAC,CAAC;YACxE,CAAC;YACD,IAAI,GAAG,GAAI,WAAW,CAAC,GAAc,EAAE,CAAC;gBACtC,MAAM,IAAI,6BAAiB,CAAC,qBAAqB,CAAC,CAAC;YACrD,CAAC;QACH,CAAC;QAED,2EAA2E;QAC3E,mEAAmE;QACnE,IAAI,uBAAA,IAAI,8BAAW,EAAE,CAAC;YACpB,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC;YAC5B,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;gBACtB,MAAM,IAAI,6BAAiB,CAAC,kCAAkC,CAAC,CAAC;YAClE,CAAC;YACD,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;YACnD,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,uBAAA,IAAI,8BAAY,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YAC/D,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,6BAAiB,CAAC,mBAAmB,CAAC,CAAC;YACnD,CAAC;QACH,CAAC;QAED,8DAA8D;QAC9D,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC;YACpB,MAAM,IAAI,6BAAiB,CAAC,iCAAiC,CAAC,CAAC;QACjE,CAAC;QACD,MAAM,GAAG,GAAG,MAAM,uBAAA,IAAI,4BAAS,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC;QAErE,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CACzC;YACE,IAAI,EAAE,mBAAmB;YACzB,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;SAC1B,EACD,GAAG,EACH,sBAAS,CAAC,MAAM,CAAC,SAAS,CAAC,EAC3B,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,MAAM,IAAI,OAAO,EAAE,CAAC,CACjD,CAAC;QACF,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,6BAAiB,CAAC,mBAAmB,CAAC,CAAC;QACnD,CAAC;QAED,OAAO,WAAW,CAAC;IACrB,CAAC;CACF;AAjID,kCAiIC;;AAED,SAAS,KAAK,CAAC,IAAY;IACzB,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;AAC1D,CAAC"}

package/dist/esm/credentials.d.ts

@@ -0,0 +1,18 @@
+import type { TokenExchangeRequest } from "./tokenExchange.js";
+/**
+ * Common interface for application-level credentials used in token exchange.
+ *
+ * Implementations live in downstream packages (@keycardai/mcp, @keycardai/cloudflare)
+ * because they depend on platform-specific APIs (Node.js fs, Cloudflare Workers, etc.).
+ */
+export interface ApplicationCredential {
+    getAuth(): {
+        clientId: string;
+        clientSecret: string;
+    } | null;
+    prepareTokenExchangeRequest(subjectToken: string, resource: string, options?: {
+        tokenEndpoint?: string;
+        authInfo?: Record<string, string>;
+    }): Promise<TokenExchangeRequest>;
+}
+//# sourceMappingURL=credentials.d.ts.map

package/dist/esm/credentials.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credentials.d.ts","sourceRoot":"","sources":["../../src/credentials.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAE/D;;;;;GAKG;AACH,MAAM,WAAW,qBAAqB;IACpC,OAAO,IAAI;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;IAC7D,2BAA2B,CACzB,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;QAAE,aAAa,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE,GACtE,OAAO,CAAC,oBAAoB,CAAC,CAAC;CAClC"}

package/dist/esm/credentials.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=credentials.js.map

package/dist/esm/credentials.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"credentials.js","sourceRoot":"","sources":["../../src/credentials.ts"],"names":[],"mappings":""}

package/dist/esm/index.d.ts

@@ -9,4 +9,5 @@ export type { JWTClaims } from "./jwt/signer.js";
 export { JWTVerifier } from "./jwt/verifier.js";
 export { TokenExchangeClient } from "./tokenExchange.js";
 export type { TokenExchangeRequest, TokenResponse, TokenExchangeClientOptions } from "./tokenExchange.js";
+export type { ApplicationCredential } from "./credentials.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/esm/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC3G,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,YAAY,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,iBAAiB,EAAE,UAAU,EAAE,iBAAiB,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AACnI,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,YAAY,EAAE,oBAAoB,EAAE,aAAa,EAAE,0BAA0B,EAAE,MAAM,oBAAoB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC3G,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,YAAY,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,iBAAiB,EAAE,UAAU,EAAE,iBAAiB,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AACnI,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,YAAY,EAAE,oBAAoB,EAAE,aAAa,EAAE,0BAA0B,EAAE,MAAM,oBAAoB,CAAC;AAC1G,YAAY,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC"}

package/dist/esm/jwt/verifier.d.ts

@@ -1,8 +1,29 @@
 import { OAuthKeyring } from "../keyring.js";
 import type { JWTClaims } from "./signer.js";
+export interface JWTVerifierOptions {
+    /**
+     * Issuer(s) this verifier will accept. The `iss` claim in a presented token
+     * must exactly match (string equality) one of these values. Tokens with any
+     * other issuer are rejected before any key lookup or network I/O runs.
+     */
+    issuers: string | readonly string[];
+    /**
+     * Audience(s) the token must be intended for. When configured, the token's
+     * `aud` claim must be present and contain at least one of these values.
+     * When omitted, audience is not validated.
+     */
+    audiences?: string | readonly string[];
+    /**
+     * Allowed JWT algorithms. Defaults to `["RS256"]`. The `alg` header of a
+     * presented token must be a member. `"none"` is always rejected. Values
+     * must be in the set the verifier actually implements (currently only
+     * `"RS256"`).
+     */
+    algorithms?: readonly string[];
+}
 export declare class JWTVerifier {
     #private;
-    constructor(keyring: OAuthKeyring);
+    constructor(keyring: OAuthKeyring, options: JWTVerifierOptions);
     verify(token: string): Promise<JWTClaims>;
 }
 //# sourceMappingURL=verifier.d.ts.map

package/dist/esm/jwt/verifier.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"verifier.d.ts","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAG7C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAE7C,qBAAa,WAAW;;gBAGV,OAAO,EAAE,YAAY;IAI3B,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;CA2BhD"}
+{"version":3,"file":"verifier.d.ts","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAG7C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAE7C,MAAM,WAAW,kBAAkB;IACjC;;;;OAIG;IACH,OAAO,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,CAAC;IAEpC;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,CAAC;IAEvC;;;;;OAKG;IACH,UAAU,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CAChC;AAUD,qBAAa,WAAW;;gBAMV,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,kBAAkB;IA+BxD,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;CA4FhD"}

package/dist/esm/jwt/verifier.js

@@ -9,25 +9,117 @@ var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (
     if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
     return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
 };
-var _JWTVerifier_keyring;
+var _JWTVerifier_keyring, _JWTVerifier_issuers, _JWTVerifier_audiences, _JWTVerifier_algorithms;
 import { InvalidTokenError } from "../errors.js";
 import base64url from "../base64url.js";
+// The single `crypto.subtle.verify` call in `verify()` is hardcoded to
+// RSASSA-PKCS1-v1_5 + SHA-256, so the `algorithms` option is only meaningful
+// as an allowlist that's a subset of what we actually implement. Used both
+// as the default when the option is omitted and to validate user-supplied
+// values at construction time.
+const SUPPORTED_ALGORITHMS = ["RS256"];
+const SUPPORTED_ALGORITHM_SET = new Set(SUPPORTED_ALGORITHMS);
 export class JWTVerifier {
-    constructor(keyring) {
+    constructor(keyring, options) {
         _JWTVerifier_keyring.set(this, void 0);
+        _JWTVerifier_issuers.set(this, void 0);
+        _JWTVerifier_audiences.set(this, void 0);
+        _JWTVerifier_algorithms.set(this, void 0);
+        const rawIssuers = typeof options?.issuers === "string" ? [options.issuers] : options?.issuers ?? [];
+        if (rawIssuers.length === 0) {
+            throw new Error("JWTVerifier requires at least one trusted issuer");
+        }
+        const rawAudiences = typeof options.audiences === "string"
+            ? [options.audiences]
+            : options.audiences ?? [];
+        const rawAlgorithms = options.algorithms ?? SUPPORTED_ALGORITHMS;
+        for (const alg of rawAlgorithms) {
+            if (!SUPPORTED_ALGORITHM_SET.has(alg)) {
+                throw new Error(`JWTVerifier does not implement signature verification for "${alg}". ` +
+                    `Supported: ${SUPPORTED_ALGORITHMS.join(", ")}.`);
+            }
+        }
         __classPrivateFieldSet(this, _JWTVerifier_keyring, keyring, "f");
+        __classPrivateFieldSet(this, _JWTVerifier_issuers, new Set(rawIssuers), "f");
+        // An empty `audiences` list means "unconfigured" — matches the ergonomic
+        // intent of passing `audiences: []`. A non-empty list switches audience
+        // validation on; a missing `aud` fails closed.
+        __classPrivateFieldSet(this, _JWTVerifier_audiences, rawAudiences.length > 0 ? new Set(rawAudiences) : undefined, "f");
+        __classPrivateFieldSet(this, _JWTVerifier_algorithms, new Set(rawAlgorithms), "f");
     }
     async verify(token) {
-        const [header, payload, signature, ...rest] = token.split('.');
-        const jsonHeader = JSON.parse(autob(header));
-        const jsonPayload = JSON.parse(autob(payload));
+        const parts = token.split(".");
+        if (parts.length !== 3) {
+            throw new InvalidTokenError("Malformed JWT");
+        }
+        const [header, payload, signature] = parts;
+        let jsonHeader;
+        let jsonPayload;
+        try {
+            jsonHeader = JSON.parse(autob(header));
+            jsonPayload = JSON.parse(autob(payload));
+        }
+        catch {
+            throw new InvalidTokenError("Malformed JWT");
+        }
+        // Algorithm allowlist. Reject "none" and anything outside the allowlist
+        // before any other work.
+        if (!jsonHeader.alg || jsonHeader.alg === "none" || !__classPrivateFieldGet(this, _JWTVerifier_algorithms, "f").has(jsonHeader.alg)) {
+            throw new InvalidTokenError(`Unsupported JWT algorithm: ${jsonHeader.alg ?? "none"}`);
+        }
+        // Issuer allowlist. Rejected BEFORE any keyring call — guarantees a token
+        // with an attacker-controlled `iss` can't trigger discovery against an
+        // untrusted URL.
         if (!jsonPayload.iss) {
             throw new InvalidTokenError("JWT missing issuer (iss) claim");
         }
+        if (!__classPrivateFieldGet(this, _JWTVerifier_issuers, "f").has(jsonPayload.iss)) {
+            throw new InvalidTokenError("Untrusted issuer");
+        }
+        // Required claims per RFC 9068 § 2.2. Reject NaN / Infinity explicitly —
+        // `typeof NaN === "number"` passes the type check but would make every
+        // comparison below false (and with `exp: NaN` that means effectively no
+        // expiration).
+        if (!Number.isFinite(jsonPayload.exp)) {
+            throw new InvalidTokenError("JWT missing expiration (exp) claim");
+        }
+        if (!jsonPayload.client_id) {
+            throw new InvalidTokenError("JWT missing client_id claim");
+        }
+        // Time-based claims.
+        const now = Math.floor(Date.now() / 1000);
+        if (now > jsonPayload.exp) {
+            throw new InvalidTokenError("Token expired");
+        }
+        if (jsonPayload.nbf !== undefined) {
+            if (!Number.isFinite(jsonPayload.nbf)) {
+                throw new InvalidTokenError("JWT has invalid not-before (nbf) claim");
+            }
+            if (now < jsonPayload.nbf) {
+                throw new InvalidTokenError("Token not yet valid");
+            }
+        }
+        // Audience check, if configured. Missing `aud` fails closed when audiences
+        // are required — matches RFC 8707 resource-indicator expectations.
+        if (__classPrivateFieldGet(this, _JWTVerifier_audiences, "f")) {
+            const aud = jsonPayload.aud;
+            if (aud === undefined) {
+                throw new InvalidTokenError("JWT missing audience (aud) claim");
+            }
+            const audValues = Array.isArray(aud) ? aud : [aud];
+            const matched = audValues.some((a) => __classPrivateFieldGet(this, _JWTVerifier_audiences, "f").has(a));
+            if (!matched) {
+                throw new InvalidTokenError("Audience mismatch");
+            }
+        }
+        // Only after all cheap policy checks do we touch the keyring.
+        if (!jsonHeader.kid) {
+            throw new InvalidTokenError("JWT missing key id (kid) header");
+        }
         const key = await __classPrivateFieldGet(this, _JWTVerifier_keyring, "f").key(jsonPayload.iss, jsonHeader.kid);
         const verified = await crypto.subtle.verify({
-            name: 'RSASSA-PKCS1-v1_5',
-            hash: { name: 'SHA-256' },
+            name: "RSASSA-PKCS1-v1_5",
+            hash: { name: "SHA-256" },
         }, key, base64url.decode(signature), new TextEncoder().encode(`${header}.${payload}`));
         if (!verified) {
             throw new InvalidTokenError("Invalid signature");
@@ -35,8 +127,8 @@ export class JWTVerifier {
         return jsonPayload;
     }
 }
-_JWTVerifier_keyring = new WeakMap();
+_JWTVerifier_keyring = new WeakMap(), _JWTVerifier_issuers = new WeakMap(), _JWTVerifier_audiences = new WeakMap(), _JWTVerifier_algorithms = new WeakMap();
 function autob(data) {
-    return atob(data.replace(/-/g, '+').replace(/_/g, '/'));
+    return atob(data.replace(/-/g, "+").replace(/_/g, "/"));
 }
 //# sourceMappingURL=verifier.js.map

package/dist/esm/jwt/verifier.js.map

@@ -1 +1 @@
-{"version":3,"file":"verifier.js","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":";;;;;;;;;;;;AACA,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACjD,OAAO,SAAS,MAAM,iBAAiB,CAAC;AAGxC,MAAM,OAAO,WAAW;IAGtB,YAAY,OAAqB;QAFjC,uCAAuB;QAGrB,uBAAA,IAAI,wBAAY,OAAO,MAAA,CAAC;IAC1B,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,IAAI,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAE/D,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;QAC7C,MAAM,WAAW,GAAc,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAE1D,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,CAAC;YACrB,MAAM,IAAI,iBAAiB,CAAC,gCAAgC,CAAC,CAAC;QAChE,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,uBAAA,IAAI,4BAAS,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC;QAErE,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CACzC;YACE,IAAI,EAAE,mBAAmB;YACzB,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;SAC1B,EACD,GAAG,EACH,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC,EAC3B,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,MAAM,IAAI,OAAO,EAAE,CAAC,CACjD,CAAC;QACF,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,iBAAiB,CAAC,mBAAmB,CAAC,CAAC;QACnD,CAAC;QAED,OAAO,WAAW,CAAC;IACrB,CAAC;CACF;;AAED,SAAS,KAAK,CAAC,IAAY;IACzB,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;AAC1D,CAAC"}
+{"version":3,"file":"verifier.js","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":";;;;;;;;;;;;AACA,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACjD,OAAO,SAAS,MAAM,iBAAiB,CAAC;AA2BxC,uEAAuE;AACvE,6EAA6E;AAC7E,2EAA2E;AAC3E,0EAA0E;AAC1E,+BAA+B;AAC/B,MAAM,oBAAoB,GAAG,CAAC,OAAO,CAAU,CAAC;AAChD,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAS,oBAAoB,CAAC,CAAC;AAEtE,MAAM,OAAO,WAAW;IAMtB,YAAY,OAAqB,EAAE,OAA2B;QAL9D,uCAAuB;QACvB,uCAA8B;QAC9B,yCAAiC;QACjC,0CAAiC;QAG/B,MAAM,UAAU,GACd,OAAO,OAAO,EAAE,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,OAAO,IAAI,EAAE,CAAC;QACpF,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACtE,CAAC;QAED,MAAM,YAAY,GAChB,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ;YACnC,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;YACrB,CAAC,CAAC,OAAO,CAAC,SAAS,IAAI,EAAE,CAAC;QAE9B,MAAM,aAAa,GAAG,OAAO,CAAC,UAAU,IAAI,oBAAoB,CAAC;QACjE,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;YAChC,IAAI,CAAC,uBAAuB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gBACtC,MAAM,IAAI,KAAK,CACb,8DAA8D,GAAG,KAAK;oBACpE,cAAc,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CACnD,CAAC;YACJ,CAAC;QACH,CAAC;QAED,uBAAA,IAAI,wBAAY,OAAO,MAAA,CAAC;QACxB,uBAAA,IAAI,wBAAY,IAAI,GAAG,CAAC,UAAU,CAAC,MAAA,CAAC;QACpC,yEAAyE;QACzE,wEAAwE;QACxE,+CAA+C;QAC/C,uBAAA,IAAI,0BAAc,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,SAAS,MAAA,CAAC;QAC9E,uBAAA,IAAI,2BAAe,IAAI,GAAG,CAAC,aAAa,CAAC,MAAA,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,iBAAiB,CAAC,eAAe,CAAC,CAAC;QAC/C,CAAC;QACD,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,CAAC,GAAG,KAAK,CAAC;QAE3C,IAAI,UAA0C,CAAC;QAC/C,IAAI,WAAsB,CAAC;QAC3B,IAAI,CAAC;YACH,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YACvC,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAC3C,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,iBAAiB,CAAC,eAAe,CAAC,CAAC;QAC/C,CAAC;QAED,wEAAwE;QACxE,yBAAyB;QACzB,IAAI,CAAC,UAAU,CAAC,GAAG,IAAI,UAAU,CAAC,GAAG,KAAK,MAAM,IAAI,CAAC,uBAAA,IAAI,+BAAY,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1F,MAAM,IAAI,iBAAiB,CAAC,8BAA8B,UAAU,CAAC,GAAG,IAAI,MAAM,EAAE,CAAC,CAAC;QACxF,CAAC;QAED,0EAA0E;QAC1E,uEAAuE;QACvE,iBAAiB;QACjB,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,CAAC;YACrB,MAAM,IAAI,iBAAiB,CAAC,gCAAgC,CAAC,CAAC;QAChE,CAAC;QACD,IAAI,CAAC,uBAAA,IAAI,4BAAS,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;YACxC,MAAM,IAAI,iBAAiB,CAAC,kBAAkB,CAAC,CAAC;QAClD,CAAC;QAED,yEAAyE;QACzE,uEAAuE;QACvE,wEAAwE;QACxE,eAAe;QACf,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;YACtC,MAAM,IAAI,iBAAiB,CAAC,oCAAoC,CAAC,CAAC;QACpE,CAAC;QACD,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,CAAC;YAC3B,MAAM,IAAI,iBAAiB,CAAC,6BAA6B,CAAC,CAAC;QAC7D,CAAC;QAED,qBAAqB;QACrB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,IAAI,GAAG,GAAI,WAAW,CAAC,GAAc,EAAE,CAAC;YACtC,MAAM,IAAI,iBAAiB,CAAC,eAAe,CAAC,CAAC;QAC/C,CAAC;QACD,IAAI,WAAW,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;YAClC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;gBACtC,MAAM,IAAI,iBAAiB,CAAC,wCAAwC,CAAC,CAAC;YACxE,CAAC;YACD,IAAI,GAAG,GAAI,WAAW,CAAC,GAAc,EAAE,CAAC;gBACtC,MAAM,IAAI,iBAAiB,CAAC,qBAAqB,CAAC,CAAC;YACrD,CAAC;QACH,CAAC;QAED,2EAA2E;QAC3E,mEAAmE;QACnE,IAAI,uBAAA,IAAI,8BAAW,EAAE,CAAC;YACpB,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC;YAC5B,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;gBACtB,MAAM,IAAI,iBAAiB,CAAC,kCAAkC,CAAC,CAAC;YAClE,CAAC;YACD,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;YACnD,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,uBAAA,IAAI,8BAAY,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YAC/D,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,iBAAiB,CAAC,mBAAmB,CAAC,CAAC;YACnD,CAAC;QACH,CAAC;QAED,8DAA8D;QAC9D,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC;YACpB,MAAM,IAAI,iBAAiB,CAAC,iCAAiC,CAAC,CAAC;QACjE,CAAC;QACD,MAAM,GAAG,GAAG,MAAM,uBAAA,IAAI,4BAAS,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC;QAErE,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CACzC;YACE,IAAI,EAAE,mBAAmB;YACzB,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;SAC1B,EACD,GAAG,EACH,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC,EAC3B,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,MAAM,IAAI,OAAO,EAAE,CAAC,CACjD,CAAC;QACF,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,iBAAiB,CAAC,mBAAmB,CAAC,CAAC;QACnD,CAAC;QAED,OAAO,WAAW,CAAC;IACrB,CAAC;CACF;;AAED,SAAS,KAAK,CAAC,IAAY;IACzB,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;AAC1D,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@keycardai/oauth",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "description": "Pure OAuth 2.0 primitives for Keycard — JWKS key management, JWT signing/verification, and authorization server discovery",
   "license": "MIT",
   "repository": {
@@ -49,6 +49,11 @@
       "import": "./dist/esm/tokenExchange.js",
       "require": "./dist/cjs/tokenExchange.js",
       "types": "./dist/esm/tokenExchange.d.ts"
+    },
+    "./credentials": {
+      "import": "./dist/esm/credentials.js",
+      "require": "./dist/cjs/credentials.js",
+      "types": "./dist/esm/credentials.d.ts"
     }
   },
   "files": [