@keycardai/oauth 0.3.0 → 0.4.1

package/dist/esm/tokenExchange.d.ts

@@ -1,3 +1,13 @@
+import type { ApplicationCredential } from "./credentials.js";
+export declare const TokenType: {
+    readonly ACCESS_TOKEN: "urn:ietf:params:oauth:token-type:access_token";
+    /**
+     * Vendor URN for substitute-user (impersonation) subject tokens.
+     * Recognized by the Keycard authorization server; not registered with IANA.
+     */
+    readonly SUBSTITUTE_USER: "urn:keycard:params:oauth:token-type:substitute-user";
+};
+export type TokenType = (typeof TokenType)[keyof typeof TokenType];
 export interface TokenExchangeRequest {
     grantType?: string;
     resource?: string;
@@ -22,10 +32,26 @@ export interface TokenResponse {
 export interface TokenExchangeClientOptions {
     clientId?: string;
     clientSecret?: string;
+    /**
+     * Application credential provider. When set, takes precedence over
+     * static `clientId`/`clientSecret` and resolves the per-request
+     * Authorization header from the credential's `getAuth(zoneId)`.
+     */
+    credential?: ApplicationCredential;
+}
+export interface ExchangeOptions {
+    zoneId?: string;
+}
+export interface ImpersonateRequest {
+    userIdentifier: string;
+    resource: string;
+    scope?: string;
+    zoneId?: string;
 }
 export declare class TokenExchangeClient {
     #private;
     constructor(issuerUrl: string, options?: TokenExchangeClientOptions);
-    exchangeToken(request: TokenExchangeRequest): Promise<TokenResponse>;
+    exchangeToken(request: TokenExchangeRequest, options?: ExchangeOptions): Promise<TokenResponse>;
+    impersonate(req: ImpersonateRequest): Promise<TokenResponse>;
 }
 //# sourceMappingURL=tokenExchange.d.ts.map

package/dist/esm/tokenExchange.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"tokenExchange.d.ts","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":"AAOA,MAAM,WAAW,oBAAoB;IACnC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,aAAa;IAC5B,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,0BAA0B;IACzC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAkDD,qBAAa,mBAAmB;;gBAOlB,SAAS,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,0BAA0B;IAM7D,aAAa,CAAC,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAAC,aAAa,CAAC;CAgE3E"}
+{"version":3,"file":"tokenExchange.d.ts","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AAO9D,eAAO,MAAM,SAAS;;IAEpB;;;OAGG;;CAEK,CAAC;AACX,MAAM,MAAM,SAAS,GAAG,CAAC,OAAO,SAAS,CAAC,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC;AAEnE,MAAM,WAAW,oBAAoB;IACnC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,aAAa;IAC5B,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,0BAA0B;IACzC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;;;OAIG;IACH,UAAU,CAAC,EAAE,qBAAqB,CAAC;CACpC;AAED,MAAM,WAAW,eAAe;IAC9B,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,kBAAkB;IACjC,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAkDD,qBAAa,mBAAmB;;gBAQlB,SAAS,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,0BAA0B;IAO7D,aAAa,CACjB,OAAO,EAAE,oBAAoB,EAC7B,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,aAAa,CAAC;IA8CnB,WAAW,CAAC,GAAG,EAAE,kBAAkB,GAAG,OAAO,CAAC,aAAa,CAAC;CAkDnE"}

package/dist/esm/tokenExchange.js

@@ -9,9 +9,21 @@ var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (
     if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
     return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
 };
-var _TokenExchangeClient_instances, _TokenExchangeClient_issuerUrl, _TokenExchangeClient_clientId, _TokenExchangeClient_clientSecret, _TokenExchangeClient_tokenEndpoint, _TokenExchangeClient_discoveryPromise, _TokenExchangeClient_getTokenEndpoint;
+var _TokenExchangeClient_instances, _TokenExchangeClient_issuerUrl, _TokenExchangeClient_clientId, _TokenExchangeClient_clientSecret, _TokenExchangeClient_credential, _TokenExchangeClient_tokenEndpoint, _TokenExchangeClient_discoveryPromise, _TokenExchangeClient_resolveBasicAuth, _TokenExchangeClient_getTokenEndpoint;
 import { fetchAuthorizationServerMetadata } from "./discovery.js";
 import { OAuthError } from "./errors.js";
+import { buildSubstituteUserToken } from "./jwt/substituteUser.js";
+// =============================================================================
+// Token Exchange Types (RFC 8693)
+// =============================================================================
+export const TokenType = {
+    ACCESS_TOKEN: "urn:ietf:params:oauth:token-type:access_token",
+    /**
+     * Vendor URN for substitute-user (impersonation) subject tokens.
+     * Recognized by the Keycard authorization server; not registered with IANA.
+     */
+    SUBSTITUTE_USER: "urn:keycard:params:oauth:token-type:substitute-user",
+};
 // =============================================================================
 // Wire format helpers (camelCase <-> snake_case at the boundary)
 // =============================================================================
@@ -67,20 +79,23 @@ export class TokenExchangeClient {
         _TokenExchangeClient_issuerUrl.set(this, void 0);
         _TokenExchangeClient_clientId.set(this, void 0);
         _TokenExchangeClient_clientSecret.set(this, void 0);
+        _TokenExchangeClient_credential.set(this, void 0);
         _TokenExchangeClient_tokenEndpoint.set(this, void 0);
         _TokenExchangeClient_discoveryPromise.set(this, void 0);
         __classPrivateFieldSet(this, _TokenExchangeClient_issuerUrl, issuerUrl, "f");
         __classPrivateFieldSet(this, _TokenExchangeClient_clientId, options?.clientId, "f");
         __classPrivateFieldSet(this, _TokenExchangeClient_clientSecret, options?.clientSecret, "f");
+        __classPrivateFieldSet(this, _TokenExchangeClient_credential, options?.credential, "f");
     }
-    async exchangeToken(request) {
+    async exchangeToken(request, options) {
         const tokenEndpoint = await __classPrivateFieldGet(this, _TokenExchangeClient_instances, "m", _TokenExchangeClient_getTokenEndpoint).call(this);
         const body = serializeRequest(request);
         const headers = {
             "Content-Type": "application/x-www-form-urlencoded",
         };
-        if (__classPrivateFieldGet(this, _TokenExchangeClient_clientId, "f") && __classPrivateFieldGet(this, _TokenExchangeClient_clientSecret, "f")) {
-            const credentials = btoa(`${__classPrivateFieldGet(this, _TokenExchangeClient_clientId, "f")}:${__classPrivateFieldGet(this, _TokenExchangeClient_clientSecret, "f")}`);
+        const basicAuth = __classPrivateFieldGet(this, _TokenExchangeClient_instances, "m", _TokenExchangeClient_resolveBasicAuth).call(this, options?.zoneId);
+        if (basicAuth) {
+            const credentials = btoa(`${basicAuth.clientId}:${basicAuth.clientSecret}`);
             headers["Authorization"] = `Basic ${credentials}`;
         }
         const response = await fetch(tokenEndpoint, {
@@ -112,8 +127,31 @@ export class TokenExchangeClient {
         const json = await response.json();
         return deserializeResponse(json);
     }
+    async impersonate(req) {
+        if (!req.userIdentifier) {
+            throw new Error("impersonate: userIdentifier is required");
+        }
+        if (!req.resource) {
+            throw new Error("impersonate: resource is required");
+        }
+        const subjectToken = buildSubstituteUserToken(req.userIdentifier);
+        return this.exchangeToken({
+            subjectToken,
+            subjectTokenType: TokenType.SUBSTITUTE_USER,
+            resource: req.resource,
+            scope: req.scope,
+        }, { zoneId: req.zoneId });
+    }
 }
-_TokenExchangeClient_issuerUrl = new WeakMap(), _TokenExchangeClient_clientId = new WeakMap(), _TokenExchangeClient_clientSecret = new WeakMap(), _TokenExchangeClient_tokenEndpoint = new WeakMap(), _TokenExchangeClient_discoveryPromise = new WeakMap(), _TokenExchangeClient_instances = new WeakSet(), _TokenExchangeClient_getTokenEndpoint = async function _TokenExchangeClient_getTokenEndpoint() {
+_TokenExchangeClient_issuerUrl = new WeakMap(), _TokenExchangeClient_clientId = new WeakMap(), _TokenExchangeClient_clientSecret = new WeakMap(), _TokenExchangeClient_credential = new WeakMap(), _TokenExchangeClient_tokenEndpoint = new WeakMap(), _TokenExchangeClient_discoveryPromise = new WeakMap(), _TokenExchangeClient_instances = new WeakSet(), _TokenExchangeClient_resolveBasicAuth = function _TokenExchangeClient_resolveBasicAuth(zoneId) {
+    if (__classPrivateFieldGet(this, _TokenExchangeClient_credential, "f")) {
+        return __classPrivateFieldGet(this, _TokenExchangeClient_credential, "f").getAuth(zoneId);
+    }
+    if (__classPrivateFieldGet(this, _TokenExchangeClient_clientId, "f") && __classPrivateFieldGet(this, _TokenExchangeClient_clientSecret, "f")) {
+        return { clientId: __classPrivateFieldGet(this, _TokenExchangeClient_clientId, "f"), clientSecret: __classPrivateFieldGet(this, _TokenExchangeClient_clientSecret, "f") };
+    }
+    return null;
+}, _TokenExchangeClient_getTokenEndpoint = async function _TokenExchangeClient_getTokenEndpoint() {
     if (__classPrivateFieldGet(this, _TokenExchangeClient_tokenEndpoint, "f")) {
         return __classPrivateFieldGet(this, _TokenExchangeClient_tokenEndpoint, "f");
     }

package/dist/esm/tokenExchange.js.map

@@ -1 +1 @@
-{"version":3,"file":"tokenExchange.js","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAkCzC,gFAAgF;AAChF,iEAAiE;AACjE,gFAAgF;AAEhF,SAAS,gBAAgB,CAAC,OAA6B;IACrD,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;IAErC,MAAM,CAAC,GAAG,CAAC,YAAY,EAAE,OAAO,CAAC,SAAS,IAAI,iDAAiD,CAAC,CAAC;IACjG,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;IAClD,MAAM,CAAC,GAAG,CAAC,oBAAoB,EAAE,OAAO,CAAC,gBAAgB,IAAI,+CAA+C,CAAC,CAAC;IAE9G,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,KAAK;QAAE,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IACtD,IAAI,OAAO,CAAC,kBAAkB;QAAE,MAAM,CAAC,GAAG,CAAC,sBAAsB,EAAE,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAC/F,IAAI,OAAO,CAAC,UAAU;QAAE,MAAM,CAAC,GAAG,CAAC,aAAa,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;IACtE,IAAI,OAAO,CAAC,cAAc;QAAE,MAAM,CAAC,GAAG,CAAC,kBAAkB,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;IACnF,IAAI,OAAO,CAAC,eAAe;QAAE,MAAM,CAAC,GAAG,CAAC,kBAAkB,EAAE,OAAO,CAAC,eAAe,CAAC,CAAC;IACrF,IAAI,OAAO,CAAC,mBAAmB;QAAE,MAAM,CAAC,GAAG,CAAC,uBAAuB,EAAE,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAElG,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,mBAAmB,CAAC,IAA6B;IACxD,MAAM,WAAW,GAAG,IAAI,CAAC,YAAY,CAAC;IACtC,IAAI,OAAO,WAAW,KAAK,QAAQ,IAAI,CAAC,WAAW,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IAED,MAAM,QAAQ,GAAkB;QAC9B,WAAW;QACX,SAAS,EAAE,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ;KAC5E,CAAC;IAEF,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ;QAAE,QAAQ,CAAC,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC;IAC9E,IAAI,OAAO,IAAI,CAAC,aAAa,KAAK,QAAQ;QAAE,QAAQ,CAAC,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC;IACvF,IAAI,OAAO,IAAI,CAAC,iBAAiB,KAAK,QAAQ;QAAE,QAAQ,CAAC,eAAe,GAAG,IAAI,CAAC,iBAAiB,CAAC;IAClG,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QACnC,QAAQ,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACzD,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,gFAAgF;AAChF,wBAAwB;AACxB,gFAAgF;AAEhF,MAAM,OAAO,mBAAmB;IAO9B,YAAY,SAAiB,EAAE,OAAoC;;QANnE,iDAAmB;QACnB,gDAAmB;QACnB,oDAAuB;QACvB,qDAAwB;QACxB,wDAAoC;QAGlC,uBAAA,IAAI,kCAAc,SAAS,MAAA,CAAC;QAC5B,uBAAA,IAAI,iCAAa,OAAO,EAAE,QAAQ,MAAA,CAAC;QACnC,uBAAA,IAAI,qCAAiB,OAAO,EAAE,YAAY,MAAA,CAAC;IAC7C,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,OAA6B;QAC/C,MAAM,aAAa,GAAG,MAAM,uBAAA,IAAI,6EAAkB,MAAtB,IAAI,CAAoB,CAAC;QACrD,MAAM,IAAI,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;QAEvC,MAAM,OAAO,GAA2B;YACtC,cAAc,EAAE,mCAAmC;SACpD,CAAC;QAEF,IAAI,uBAAA,IAAI,qCAAU,IAAI,uBAAA,IAAI,yCAAc,EAAE,CAAC;YACzC,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,uBAAA,IAAI,qCAAU,IAAI,uBAAA,IAAI,yCAAc,EAAE,CAAC,CAAC;YACpE,OAAO,CAAC,eAAe,CAAC,GAAG,SAAS,WAAW,EAAE,CAAC;QACpD,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,aAAa,EAAE;YAC1C,MAAM,EAAE,MAAM;YACd,OAAO;YACP,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;SACtB,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAC;gBACnE,IAAI,OAAO,SAAS,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;oBACxC,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC;oBAClC,MAAM,WAAW,GAAG,OAAO,SAAS,CAAC,iBAAiB,KAAK,QAAQ;wBACjE,CAAC,CAAC,SAAS,CAAC,iBAAiB;wBAC7B,CAAC,CAAC,SAAS,CAAC;oBACd,MAAM,QAAQ,GAAG,OAAO,SAAS,CAAC,SAAS,KAAK,QAAQ;wBACtD,CAAC,CAAC,SAAS,CAAC,SAAS;wBACrB,CAAC,CAAC,SAAS,CAAC;oBACd,MAAM,IAAI,UAAU,CAAC,SAAS,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;gBACzD,CAAC;YACH,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,IAAI,CAAC,YAAY,UAAU;oBAAE,MAAM,CAAC,CAAC;gBACrC,4CAA4C;YAC9C,CAAC;YACD,MAAM,IAAI,KAAK,CACb,+BAA+B,QAAQ,CAAC,MAAM,GAAG,CAClD,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAC;QAC9D,OAAO,mBAAmB,CAAC,IAAI,CAAC,CAAC;IACnC,CAAC;CAqBF;qVAnBC,KAAK;IACH,IAAI,uBAAA,IAAI,0CAAe,EAAE,CAAC;QACxB,OAAO,uBAAA,IAAI,0CAAe,CAAC;IAC7B,CAAC;IAED,oDAAoD;IACpD,IAAI,CAAC,uBAAA,IAAI,6CAAkB,EAAE,CAAC;QAC5B,uBAAA,IAAI,yCAAqB,CAAC,KAAK,IAAI,EAAE;YACnC,MAAM,QAAQ,GAAG,MAAM,gCAAgC,CAAC,uBAAA,IAAI,sCAAW,CAAC,CAAC;YACzE,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;gBAC7B,MAAM,IAAI,KAAK,CAAC,yBAAyB,uBAAA,IAAI,sCAAW,uCAAuC,CAAC,CAAC;YACnG,CAAC;YACD,uBAAA,IAAI,sCAAkB,QAAQ,CAAC,cAAc,MAAA,CAAC;YAC9C,OAAO,uBAAA,IAAI,0CAAe,CAAC;QAC7B,CAAC,CAAC,EAAE,MAAA,CAAC;IACP,CAAC;IAED,OAAO,uBAAA,IAAI,6CAAkB,CAAC;AAChC,CAAC"}
+{"version":3,"file":"tokenExchange.js","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AAEnE,gFAAgF;AAChF,kCAAkC;AAClC,gFAAgF;AAEhF,MAAM,CAAC,MAAM,SAAS,GAAG;IACvB,YAAY,EAAE,+CAA+C;IAC7D;;;OAGG;IACH,eAAe,EAAE,qDAAqD;CAC9D,CAAC;AAgDX,gFAAgF;AAChF,iEAAiE;AACjE,gFAAgF;AAEhF,SAAS,gBAAgB,CAAC,OAA6B;IACrD,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;IAErC,MAAM,CAAC,GAAG,CAAC,YAAY,EAAE,OAAO,CAAC,SAAS,IAAI,iDAAiD,CAAC,CAAC;IACjG,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;IAClD,MAAM,CAAC,GAAG,CAAC,oBAAoB,EAAE,OAAO,CAAC,gBAAgB,IAAI,+CAA+C,CAAC,CAAC;IAE9G,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,KAAK;QAAE,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IACtD,IAAI,OAAO,CAAC,kBAAkB;QAAE,MAAM,CAAC,GAAG,CAAC,sBAAsB,EAAE,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAC/F,IAAI,OAAO,CAAC,UAAU;QAAE,MAAM,CAAC,GAAG,CAAC,aAAa,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;IACtE,IAAI,OAAO,CAAC,cAAc;QAAE,MAAM,CAAC,GAAG,CAAC,kBAAkB,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;IACnF,IAAI,OAAO,CAAC,eAAe;QAAE,MAAM,CAAC,GAAG,CAAC,kBAAkB,EAAE,OAAO,CAAC,eAAe,CAAC,CAAC;IACrF,IAAI,OAAO,CAAC,mBAAmB;QAAE,MAAM,CAAC,GAAG,CAAC,uBAAuB,EAAE,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAElG,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,mBAAmB,CAAC,IAA6B;IACxD,MAAM,WAAW,GAAG,IAAI,CAAC,YAAY,CAAC;IACtC,IAAI,OAAO,WAAW,KAAK,QAAQ,IAAI,CAAC,WAAW,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IAED,MAAM,QAAQ,GAAkB;QAC9B,WAAW;QACX,SAAS,EAAE,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ;KAC5E,CAAC;IAEF,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ;QAAE,QAAQ,CAAC,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC;IAC9E,IAAI,OAAO,IAAI,CAAC,aAAa,KAAK,QAAQ;QAAE,QAAQ,CAAC,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC;IACvF,IAAI,OAAO,IAAI,CAAC,iBAAiB,KAAK,QAAQ;QAAE,QAAQ,CAAC,eAAe,GAAG,IAAI,CAAC,iBAAiB,CAAC;IAClG,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QACnC,QAAQ,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACzD,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,gFAAgF;AAChF,wBAAwB;AACxB,gFAAgF;AAEhF,MAAM,OAAO,mBAAmB;IAQ9B,YAAY,SAAiB,EAAE,OAAoC;;QAPnE,iDAAmB;QACnB,gDAAmB;QACnB,oDAAuB;QACvB,kDAAoC;QACpC,qDAAwB;QACxB,wDAAoC;QAGlC,uBAAA,IAAI,kCAAc,SAAS,MAAA,CAAC;QAC5B,uBAAA,IAAI,iCAAa,OAAO,EAAE,QAAQ,MAAA,CAAC;QACnC,uBAAA,IAAI,qCAAiB,OAAO,EAAE,YAAY,MAAA,CAAC;QAC3C,uBAAA,IAAI,mCAAe,OAAO,EAAE,UAAU,MAAA,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,aAAa,CACjB,OAA6B,EAC7B,OAAyB;QAEzB,MAAM,aAAa,GAAG,MAAM,uBAAA,IAAI,6EAAkB,MAAtB,IAAI,CAAoB,CAAC;QACrD,MAAM,IAAI,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;QAEvC,MAAM,OAAO,GAA2B;YACtC,cAAc,EAAE,mCAAmC;SACpD,CAAC;QAEF,MAAM,SAAS,GAAG,uBAAA,IAAI,6EAAkB,MAAtB,IAAI,EAAmB,OAAO,EAAE,MAAM,CAAC,CAAC;QAC1D,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,SAAS,CAAC,QAAQ,IAAI,SAAS,CAAC,YAAY,EAAE,CAAC,CAAC;YAC5E,OAAO,CAAC,eAAe,CAAC,GAAG,SAAS,WAAW,EAAE,CAAC;QACpD,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,aAAa,EAAE;YAC1C,MAAM,EAAE,MAAM;YACd,OAAO;YACP,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;SACtB,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAC;gBACnE,IAAI,OAAO,SAAS,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;oBACxC,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC;oBAClC,MAAM,WAAW,GAAG,OAAO,SAAS,CAAC,iBAAiB,KAAK,QAAQ;wBACjE,CAAC,CAAC,SAAS,CAAC,iBAAiB;wBAC7B,CAAC,CAAC,SAAS,CAAC;oBACd,MAAM,QAAQ,GAAG,OAAO,SAAS,CAAC,SAAS,KAAK,QAAQ;wBACtD,CAAC,CAAC,SAAS,CAAC,SAAS;wBACrB,CAAC,CAAC,SAAS,CAAC;oBACd,MAAM,IAAI,UAAU,CAAC,SAAS,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;gBACzD,CAAC;YACH,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,IAAI,CAAC,YAAY,UAAU;oBAAE,MAAM,CAAC,CAAC;gBACrC,4CAA4C;YAC9C,CAAC;YACD,MAAM,IAAI,KAAK,CACb,+BAA+B,QAAQ,CAAC,MAAM,GAAG,CAClD,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAC;QAC9D,OAAO,mBAAmB,CAAC,IAAI,CAAC,CAAC;IACnC,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,GAAuB;QACvC,IAAI,CAAC,GAAG,CAAC,cAAc,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;QAC7D,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;YAClB,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;QACvD,CAAC;QACD,MAAM,YAAY,GAAG,wBAAwB,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QAClE,OAAO,IAAI,CAAC,aAAa,CACvB;YACE,YAAY;YACZ,gBAAgB,EAAE,SAAS,CAAC,eAAe;YAC3C,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,KAAK,EAAE,GAAG,CAAC,KAAK;SACjB,EACD,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,CACvB,CAAC;IACJ,CAAC;CAiCF;qbA9BG,MAA0B;IAE1B,IAAI,uBAAA,IAAI,uCAAY,EAAE,CAAC;QACrB,OAAO,uBAAA,IAAI,uCAAY,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAC1C,CAAC;IACD,IAAI,uBAAA,IAAI,qCAAU,IAAI,uBAAA,IAAI,yCAAc,EAAE,CAAC;QACzC,OAAO,EAAE,QAAQ,EAAE,uBAAA,IAAI,qCAAU,EAAE,YAAY,EAAE,uBAAA,IAAI,yCAAc,EAAE,CAAC;IACxE,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC,0CAED,KAAK;IACH,IAAI,uBAAA,IAAI,0CAAe,EAAE,CAAC;QACxB,OAAO,uBAAA,IAAI,0CAAe,CAAC;IAC7B,CAAC;IAED,oDAAoD;IACpD,IAAI,CAAC,uBAAA,IAAI,6CAAkB,EAAE,CAAC;QAC5B,uBAAA,IAAI,yCAAqB,CAAC,KAAK,IAAI,EAAE;YACnC,MAAM,QAAQ,GAAG,MAAM,gCAAgC,CAAC,uBAAA,IAAI,sCAAW,CAAC,CAAC;YACzE,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;gBAC7B,MAAM,IAAI,KAAK,CAAC,yBAAyB,uBAAA,IAAI,sCAAW,uCAAuC,CAAC,CAAC;YACnG,CAAC;YACD,uBAAA,IAAI,sCAAkB,QAAQ,CAAC,cAAc,MAAA,CAAC;YAC9C,OAAO,uBAAA,IAAI,0CAAe,CAAC;QAC7B,CAAC,CAAC,EAAE,MAAA,CAAC;IACP,CAAC;IAED,OAAO,uBAAA,IAAI,6CAAkB,CAAC;AAChC,CAAC"}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@keycardai/oauth",
-  "version": "0.3.0",
-  "description": "Pure OAuth 2.0 primitives for Keycard — JWKS key management, JWT signing/verification, and authorization server discovery",
+  "version": "0.4.1",
+  "description": "[Preview] OAuth 2.0 primitives for Keycard: JWKS keyring, JWT signing/verification, server-tier token verifier, AccessContext, ClientSecret credentials, and impersonation via RFC 8693 token exchange",
   "license": "MIT",
   "repository": {
     "type": "git",
@@ -54,6 +54,36 @@
       "import": "./dist/esm/credentials.js",
       "require": "./dist/cjs/credentials.js",
       "types": "./dist/esm/credentials.d.ts"
+    },
+    "./jwt/substituteUser": {
+      "import": "./dist/esm/jwt/substituteUser.js",
+      "require": "./dist/cjs/jwt/substituteUser.js",
+      "types": "./dist/esm/jwt/substituteUser.d.ts"
+    },
+    "./server": {
+      "import": "./dist/esm/server/index.js",
+      "require": "./dist/cjs/server/index.js",
+      "types": "./dist/esm/server/index.d.ts"
+    },
+    "./server/accessContext": {
+      "import": "./dist/esm/server/accessContext.js",
+      "require": "./dist/cjs/server/accessContext.js",
+      "types": "./dist/esm/server/accessContext.d.ts"
+    },
+    "./server/accessToken": {
+      "import": "./dist/esm/server/accessToken.js",
+      "require": "./dist/cjs/server/accessToken.js",
+      "types": "./dist/esm/server/accessToken.d.ts"
+    },
+    "./server/tokenVerifier": {
+      "import": "./dist/esm/server/tokenVerifier.js",
+      "require": "./dist/cjs/server/tokenVerifier.js",
+      "types": "./dist/esm/server/tokenVerifier.d.ts"
+    },
+    "./server/clientSecret": {
+      "import": "./dist/esm/server/clientSecret.js",
+      "require": "./dist/cjs/server/clientSecret.js",
+      "types": "./dist/esm/server/clientSecret.d.ts"
     }
   },
   "files": [
@@ -61,6 +91,12 @@
   ],
   "typesVersions": {
     "*": {
+      "server": [
+        "./dist/esm/server/index.d.ts"
+      ],
+      "server/*": [
+        "./dist/esm/server/*.d.ts"
+      ],
       "*": [
         "./dist/esm/*"
       ]