@mcp-z/oauth 1.0.0

package/dist/cjs/lib/account-server/shared-utils.js

@@ -0,0 +1,235 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+Object.defineProperty(exports, "findAccountByEmailOrAlias", {
+    enumerable: true,
+    get: function() {
+        return findAccountByEmailOrAlias;
+    }
+});
+var _accountutilsts = require("../../account-utils.js");
+function asyncGeneratorStep(gen, resolve, reject, _next, _throw, key, arg) {
+    try {
+        var info = gen[key](arg);
+        var value = info.value;
+    } catch (error) {
+        reject(error);
+        return;
+    }
+    if (info.done) {
+        resolve(value);
+    } else {
+        Promise.resolve(value).then(_next, _throw);
+    }
+}
+function _async_to_generator(fn) {
+    return function() {
+        var self = this, args = arguments;
+        return new Promise(function(resolve, reject) {
+            var gen = fn.apply(self, args);
+            function _next(value) {
+                asyncGeneratorStep(gen, resolve, reject, _next, _throw, "next", value);
+            }
+            function _throw(err) {
+                asyncGeneratorStep(gen, resolve, reject, _next, _throw, "throw", err);
+            }
+            _next(undefined);
+        });
+    };
+}
+function _ts_generator(thisArg, body) {
+    var f, y, t, _ = {
+        label: 0,
+        sent: function() {
+            if (t[0] & 1) throw t[1];
+            return t[1];
+        },
+        trys: [],
+        ops: []
+    }, g = Object.create((typeof Iterator === "function" ? Iterator : Object).prototype), d = Object.defineProperty;
+    return d(g, "next", {
+        value: verb(0)
+    }), d(g, "throw", {
+        value: verb(1)
+    }), d(g, "return", {
+        value: verb(2)
+    }), typeof Symbol === "function" && d(g, Symbol.iterator, {
+        value: function() {
+            return this;
+        }
+    }), g;
+    function verb(n) {
+        return function(v) {
+            return step([
+                n,
+                v
+            ]);
+        };
+    }
+    function step(op) {
+        if (f) throw new TypeError("Generator is already executing.");
+        while(g && (g = 0, op[0] && (_ = 0)), _)try {
+            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+            if (y = 0, t) op = [
+                op[0] & 2,
+                t.value
+            ];
+            switch(op[0]){
+                case 0:
+                case 1:
+                    t = op;
+                    break;
+                case 4:
+                    _.label++;
+                    return {
+                        value: op[1],
+                        done: false
+                    };
+                case 5:
+                    _.label++;
+                    y = op[1];
+                    op = [
+                        0
+                    ];
+                    continue;
+                case 7:
+                    op = _.ops.pop();
+                    _.trys.pop();
+                    continue;
+                default:
+                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) {
+                        _ = 0;
+                        continue;
+                    }
+                    if (op[0] === 3 && (!t || op[1] > t[0] && op[1] < t[3])) {
+                        _.label = op[1];
+                        break;
+                    }
+                    if (op[0] === 6 && _.label < t[1]) {
+                        _.label = t[1];
+                        t = op;
+                        break;
+                    }
+                    if (t && _.label < t[2]) {
+                        _.label = t[2];
+                        _.ops.push(op);
+                        break;
+                    }
+                    if (t[2]) _.ops.pop();
+                    _.trys.pop();
+                    continue;
+            }
+            op = body.call(thisArg, _);
+        } catch (e) {
+            op = [
+                6,
+                e
+            ];
+            y = 0;
+        } finally{
+            f = t = 0;
+        }
+        if (op[0] & 5) throw op[1];
+        return {
+            value: op[0] ? op[1] : void 0,
+            done: true
+        };
+    }
+}
+function findAccountByEmailOrAlias(store, service, emailOrAlias) {
+    return _async_to_generator(function() {
+        var linkedAccountIds, _iteratorNormalCompletion, _didIteratorError, _iteratorError, _iterator, _step, accountId, info, err;
+        return _ts_generator(this, function(_state) {
+            switch(_state.label){
+                case 0:
+                    return [
+                        4,
+                        (0, _accountutilsts.getLinkedAccounts)(store, {
+                            service: service
+                        })
+                    ];
+                case 1:
+                    linkedAccountIds = _state.sent();
+                    // Try exact email match first
+                    if (linkedAccountIds.includes(emailOrAlias)) {
+                        return [
+                            2,
+                            emailOrAlias
+                        ];
+                    }
+                    _iteratorNormalCompletion = true, _didIteratorError = false, _iteratorError = undefined;
+                    _state.label = 2;
+                case 2:
+                    _state.trys.push([
+                        2,
+                        7,
+                        8,
+                        9
+                    ]);
+                    _iterator = linkedAccountIds[Symbol.iterator]();
+                    _state.label = 3;
+                case 3:
+                    if (!!(_iteratorNormalCompletion = (_step = _iterator.next()).done)) return [
+                        3,
+                        6
+                    ];
+                    accountId = _step.value;
+                    return [
+                        4,
+                        (0, _accountutilsts.getAccountInfo)(store, {
+                            accountId: accountId,
+                            service: service
+                        })
+                    ];
+                case 4:
+                    info = _state.sent();
+                    if ((info === null || info === void 0 ? void 0 : info.alias) === emailOrAlias) {
+                        return [
+                            2,
+                            accountId
+                        ];
+                    }
+                    _state.label = 5;
+                case 5:
+                    _iteratorNormalCompletion = true;
+                    return [
+                        3,
+                        3
+                    ];
+                case 6:
+                    return [
+                        3,
+                        9
+                    ];
+                case 7:
+                    err = _state.sent();
+                    _didIteratorError = true;
+                    _iteratorError = err;
+                    return [
+                        3,
+                        9
+                    ];
+                case 8:
+                    try {
+                        if (!_iteratorNormalCompletion && _iterator.return != null) {
+                            _iterator.return();
+                        }
+                    } finally{
+                        if (_didIteratorError) {
+                            throw _iteratorError;
+                        }
+                    }
+                    return [
+                        7
+                    ];
+                case 9:
+                    return [
+                        2,
+                        null
+                    ];
+            }
+        });
+    })();
+}
+/* CJS INTEROP */ if (exports.__esModule && exports.default) { try { Object.defineProperty(exports.default, '__esModule', { value: true }); for (var key in exports) { exports.default[key] = exports[key]; } } catch (_) {}; module.exports = exports.default; }

package/dist/cjs/lib/account-server/shared-utils.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth/src/lib/account-server/shared-utils.ts"],"sourcesContent":["import type { Keyv } from 'keyv';\nimport { getAccountInfo, getLinkedAccounts } from '../../account-utils.ts';\n\n/**\n * Find account ID by email or alias lookup.\n * Returns accountId if found, otherwise null.\n */\nexport async function findAccountByEmailOrAlias(store: Keyv, service: string, emailOrAlias: string): Promise<string | null> {\n  const linkedAccountIds = await getLinkedAccounts(store, { service });\n\n  // Try exact email match first\n  if (linkedAccountIds.includes(emailOrAlias)) {\n    return emailOrAlias;\n  }\n\n  // Search by alias\n  for (const accountId of linkedAccountIds) {\n    const info = await getAccountInfo(store, { accountId, service });\n    if (info?.alias === emailOrAlias) {\n      return accountId;\n    }\n  }\n\n  return null;\n}\n"],"names":["findAccountByEmailOrAlias","store","service","emailOrAlias","linkedAccountIds","accountId","info","getLinkedAccounts","includes","getAccountInfo","alias"],"mappings":";;;;+BAOsBA;;;eAAAA;;;8BAN4B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAM3C,SAAeA,0BAA0BC,KAAW,EAAEC,OAAe,EAAEC,YAAoB;;YAC1FC,kBAQD,2BAAA,mBAAA,gBAAA,WAAA,OAAMC,WACHC;;;;oBATiB;;wBAAMC,IAAAA,iCAAiB,EAACN,OAAO;4BAAEC,SAAAA;wBAAQ;;;oBAA5DE,mBAAmB;oBAEzB,8BAA8B;oBAC9B,IAAIA,iBAAiBI,QAAQ,CAACL,eAAe;wBAC3C;;4BAAOA;;oBACT;oBAGK,kCAAA,2BAAA;;;;;;;;;oBAAA,YAAmBC;;;2BAAnB,6BAAA,QAAA;;;;oBAAMC,YAAN;oBACU;;wBAAMI,IAAAA,8BAAc,EAACR,OAAO;4BAAEI,WAAAA;4BAAWH,SAAAA;wBAAQ;;;oBAAxDI,OAAO;oBACb,IAAIA,CAAAA,iBAAAA,2BAAAA,KAAMI,KAAK,MAAKP,cAAc;wBAChC;;4BAAOE;;oBACT;;;oBAJG;;;;;;;;;;;;oBAAA;oBAAA;;;;;;;6BAAA,6BAAA;4BAAA;;;4BAAA;kCAAA;;;;;;;oBAOL;;wBAAO;;;;IACT"}

package/dist/cjs/lib/account-server/stateless.d.cts

@@ -0,0 +1,20 @@
+/**
+ * Stateless tool set for MCP OAuth mode (DCR).
+ *
+ * Use this when authentication is managed by the MCP client.
+ * Tokens are provided per-request and not stored by the server.
+ *
+ * Tools:
+ * - {service}-account-me: Show current user identity from bearer token
+ */
+import type { McpPrompt, McpTool } from '../../types.js';
+import type { AccountStatelessConfig } from './types.js';
+/**
+ * Create stateless mode tools.
+ * MCP client manages authentication. Server provides user identity from bearer token.
+ * Returns 1 tool: account-me.
+ */
+export declare function createStateless(config: AccountStatelessConfig): {
+    tools: McpTool[];
+    prompts: McpPrompt[];
+};

package/dist/cjs/lib/account-server/stateless.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Stateless tool set for MCP OAuth mode (DCR).
+ *
+ * Use this when authentication is managed by the MCP client.
+ * Tokens are provided per-request and not stored by the server.
+ *
+ * Tools:
+ * - {service}-account-me: Show current user identity from bearer token
+ */
+import type { McpPrompt, McpTool } from '../../types.js';
+import type { AccountStatelessConfig } from './types.js';
+/**
+ * Create stateless mode tools.
+ * MCP client manages authentication. Server provides user identity from bearer token.
+ * Returns 1 tool: account-me.
+ */
+export declare function createStateless(config: AccountStatelessConfig): {
+    tools: McpTool[];
+    prompts: McpPrompt[];
+};

package/dist/cjs/lib/account-server/stateless.js

@@ -0,0 +1,32 @@
+/**
+ * Stateless tool set for MCP OAuth mode (DCR).
+ *
+ * Use this when authentication is managed by the MCP client.
+ * Tokens are provided per-request and not stored by the server.
+ *
+ * Tools:
+ * - {service}-account-me: Show current user identity from bearer token
+ */ "use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+Object.defineProperty(exports, "createStateless", {
+    enumerable: true,
+    get: function() {
+        return createStateless;
+    }
+});
+var _mets = require("./me.js");
+function createStateless(config) {
+    var service = config.service;
+    // Create account-me tool for stateless mode
+    var meTools = (0, _mets.createAccountMe)({
+        service: service,
+        mode: 'stateless'
+    });
+    return {
+        tools: meTools.tools,
+        prompts: []
+    };
+}
+/* CJS INTEROP */ if (exports.__esModule && exports.default) { try { Object.defineProperty(exports.default, '__esModule', { value: true }); for (var key in exports) { exports.default[key] = exports[key]; } } catch (_) {}; module.exports = exports.default; }

package/dist/cjs/lib/account-server/stateless.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth/src/lib/account-server/stateless.ts"],"sourcesContent":["/**\n * Stateless tool set for MCP OAuth mode (DCR).\n *\n * Use this when authentication is managed by the MCP client.\n * Tokens are provided per-request and not stored by the server.\n *\n * Tools:\n * - {service}-account-me: Show current user identity from bearer token\n */\n\nimport type { McpPrompt, McpTool } from '../../types.ts';\nimport { createAccountMe } from './me.ts';\nimport type { AccountStatelessConfig } from './types.ts';\n\n/**\n * Create stateless mode tools.\n * MCP client manages authentication. Server provides user identity from bearer token.\n * Returns 1 tool: account-me.\n */\nexport function createStateless(config: AccountStatelessConfig): { tools: McpTool[]; prompts: McpPrompt[] } {\n  const { service } = config;\n\n  // Create account-me tool for stateless mode\n  const meTools = createAccountMe({ service, mode: 'stateless' });\n\n  return { tools: meTools.tools, prompts: [] };\n}\n"],"names":["createStateless","config","service","meTools","createAccountMe","mode","tools","prompts"],"mappings":"AAAA;;;;;;;;CAQC;;;;+BAWeA;;;eAAAA;;;oBARgB;AAQzB,SAASA,gBAAgBC,MAA8B;IAC5D,IAAM,AAAEC,UAAYD,OAAZC;IAER,4CAA4C;IAC5C,IAAMC,UAAUC,IAAAA,qBAAe,EAAC;QAAEF,SAAAA;QAASG,MAAM;IAAY;IAE7D,OAAO;QAAEC,OAAOH,QAAQG,KAAK;QAAEC,SAAS,EAAE;IAAC;AAC7C"}

package/dist/cjs/lib/account-server/types.d.cts

@@ -0,0 +1,32 @@
+/**
+ * Configuration types for account tool factories.
+ */
+import type { Keyv } from 'keyv';
+import type { AuthEmailProvider, Logger } from '../../types.js';
+/**
+ * Configuration for loopback OAuth account management.
+ * Supports multiple accounts with server-managed tokens (LoopbackOAuthProvider).
+ */
+export interface AccountLoopbackConfig {
+    service: string;
+    store: Keyv;
+    logger: Logger;
+    auth: AuthEmailProvider;
+}
+/**
+ * Configuration for stateless mode.
+ * MCP client manages authentication. Server provides read-only status.
+ */
+export interface AccountStatelessConfig {
+    service: string;
+}
+/**
+ * Configuration for account-me tool.
+ * Works across all auth modes: loopback, stateless, device code, service account.
+ */
+export interface AccountMeConfig {
+    service: string;
+    store?: Keyv;
+    logger?: Logger;
+    mode: 'loopback' | 'stateless' | 'device-code' | 'service-account';
+}

package/dist/cjs/lib/account-server/types.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Configuration types for account tool factories.
+ */
+import type { Keyv } from 'keyv';
+import type { AuthEmailProvider, Logger } from '../../types.js';
+/**
+ * Configuration for loopback OAuth account management.
+ * Supports multiple accounts with server-managed tokens (LoopbackOAuthProvider).
+ */
+export interface AccountLoopbackConfig {
+    service: string;
+    store: Keyv;
+    logger: Logger;
+    auth: AuthEmailProvider;
+}
+/**
+ * Configuration for stateless mode.
+ * MCP client manages authentication. Server provides read-only status.
+ */
+export interface AccountStatelessConfig {
+    service: string;
+}
+/**
+ * Configuration for account-me tool.
+ * Works across all auth modes: loopback, stateless, device code, service account.
+ */
+export interface AccountMeConfig {
+    service: string;
+    store?: Keyv;
+    logger?: Logger;
+    mode: 'loopback' | 'stateless' | 'device-code' | 'service-account';
+}

package/dist/cjs/lib/account-server/types.js

@@ -0,0 +1,7 @@
+/**
+ * Configuration types for account tool factories.
+ */ "use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+/* CJS INTEROP */ if (exports.__esModule && exports.default) { try { Object.defineProperty(exports.default, '__esModule', { value: true }); for (var key in exports) { exports.default[key] = exports[key]; } } catch (_) {}; module.exports = exports.default; }

package/dist/cjs/lib/account-server/types.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth/src/lib/account-server/types.ts"],"sourcesContent":["/**\n * Configuration types for account tool factories.\n */\n\nimport type { Keyv } from 'keyv';\nimport type { AuthEmailProvider, Logger } from '../../types.ts';\n\n/**\n * Configuration for loopback OAuth account management.\n * Supports multiple accounts with server-managed tokens (LoopbackOAuthProvider).\n */\nexport interface AccountLoopbackConfig {\n  service: string;\n  store: Keyv;\n  logger: Logger;\n  auth: AuthEmailProvider;\n}\n\n/**\n * Configuration for stateless mode.\n * MCP client manages authentication. Server provides read-only status.\n */\nexport interface AccountStatelessConfig {\n  service: string;\n}\n\n/**\n * Configuration for account-me tool.\n * Works across all auth modes: loopback, stateless, device code, service account.\n */\nexport interface AccountMeConfig {\n  service: string;\n  store?: Keyv;\n  logger?: Logger;\n  mode: 'loopback' | 'stateless' | 'device-code' | 'service-account';\n}\n"],"names":[],"mappings":"AAAA;;CAEC"}

package/dist/cjs/lib/dcr-types.d.cts

@@ -0,0 +1,126 @@
+/**
+ * Dynamic Client Registration (DCR) types per RFC 7591
+ *
+ * Defines core types for OAuth 2.0 Dynamic Client Registration Protocol.
+ * Used by providers to register clients dynamically with authorization servers.
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc7591
+ */
+import type { Logger } from '../types.js';
+/**
+ * Client metadata for dynamic registration request (RFC 7591 Section 2)
+ *
+ * All fields are optional per RFC 7591. Authorization server may have
+ * required fields or default values based on policy.
+ */
+export interface DcrClientMetadata {
+    /** Array of redirection URI strings for redirect-based flows */
+    redirect_uris?: string[];
+    /** Client authentication method for token endpoint */
+    token_endpoint_auth_method?: 'none' | 'client_secret_post' | 'client_secret_basic';
+    /** OAuth 2.0 grant types the client may use */
+    grant_types?: string[];
+    /** OAuth 2.0 response types the client may use */
+    response_types?: string[];
+    /** Human-readable client name */
+    client_name?: string;
+    /** URL providing information about the client */
+    client_uri?: string;
+    /** URL referencing a logo for the client */
+    logo_uri?: string;
+    /** Space-separated list of scope values */
+    scope?: string;
+    /** Array of contact strings (typically email addresses) */
+    contacts?: string[];
+    /** URL pointing to terms of service document */
+    tos_uri?: string;
+    /** URL pointing to privacy policy document */
+    policy_uri?: string;
+    /** URL referencing the client's JSON Web Key Set */
+    jwks_uri?: string;
+    /** Client's JSON Web Key Set document value */
+    jwks?: object;
+    /** Unique identifier for the client software */
+    software_id?: string;
+    /** Version identifier for the client software */
+    software_version?: string;
+    /** JWT containing client metadata claims (signed software statement) */
+    software_statement?: string;
+}
+/**
+ * Client information response from successful registration (RFC 7591 Section 3.2.1)
+ *
+ * Authorization server returns client credentials and echoes/modifies metadata.
+ * client_id is always returned, client_secret is optional for public clients.
+ */
+export interface DcrClientInformation {
+    /** REQUIRED: OAuth 2.0 client identifier string */
+    client_id: string;
+    /** OPTIONAL: OAuth 2.0 client secret (omitted for public clients) */
+    client_secret?: string;
+    /** OPTIONAL: Timestamp of client ID issuance (seconds since Unix epoch) */
+    client_id_issued_at?: number;
+    /**
+     * REQUIRED if client_secret issued: Expiration timestamp (seconds since epoch)
+     * Value of 0 indicates the secret does not expire
+     */
+    client_secret_expires_at?: number;
+    redirect_uris?: string[];
+    token_endpoint_auth_method?: string;
+    grant_types?: string[];
+    response_types?: string[];
+    client_name?: string;
+    client_uri?: string;
+    logo_uri?: string;
+    scope?: string;
+    contacts?: string[];
+    tos_uri?: string;
+    policy_uri?: string;
+    jwks_uri?: string;
+    jwks?: object;
+    software_id?: string;
+    software_version?: string;
+}
+/**
+ * Provider tokens for stateless DCR pattern
+ *
+ * In stateless mode, DCR provider receives provider credentials from context
+ * rather than managing token storage. Used for MCP server deployments where
+ * client manages all tokens.
+ */
+export interface ProviderTokens {
+    /** OAuth 2.0 access token for provider API calls */
+    accessToken: string;
+    /** Optional refresh token for token renewal */
+    refreshToken?: string;
+    /** Token expiration timestamp (seconds since Unix epoch) */
+    expiresAt?: number;
+    /** Space-separated list of granted scopes */
+    scope?: string;
+}
+/**
+ * Configuration for DCR provider initialization
+ *
+ * Minimal config for creating DCR provider instances. Additional provider-specific
+ * config (client IDs, secrets, redirect URIs) handled by concrete implementations.
+ */
+export interface DcrConfig {
+    /** Authorization server's registration endpoint URL */
+    registrationEndpoint: string;
+    /** Client metadata to register with authorization server */
+    metadata: DcrClientMetadata;
+    /** Optional logger for DCR operations */
+    logger?: Logger;
+}
+/**
+ * DCR error response per RFC 7591 Section 3.2.2
+ *
+ * Authorization server returns HTTP 400 with error details when
+ * registration fails due to invalid metadata or policy violations.
+ */
+export interface DcrErrorResponse {
+    /** REQUIRED: Single ASCII error code string */
+    error: 'invalid_redirect_uri' | 'invalid_client_metadata' | 'invalid_software_statement' | 'unapproved_software_statement' | string;
+    /** OPTIONAL: Human-readable ASCII description */
+    error_description?: string;
+}

package/dist/cjs/lib/dcr-types.d.ts

@@ -0,0 +1,126 @@
+/**
+ * Dynamic Client Registration (DCR) types per RFC 7591
+ *
+ * Defines core types for OAuth 2.0 Dynamic Client Registration Protocol.
+ * Used by providers to register clients dynamically with authorization servers.
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc7591
+ */
+import type { Logger } from '../types.js';
+/**
+ * Client metadata for dynamic registration request (RFC 7591 Section 2)
+ *
+ * All fields are optional per RFC 7591. Authorization server may have
+ * required fields or default values based on policy.
+ */
+export interface DcrClientMetadata {
+    /** Array of redirection URI strings for redirect-based flows */
+    redirect_uris?: string[];
+    /** Client authentication method for token endpoint */
+    token_endpoint_auth_method?: 'none' | 'client_secret_post' | 'client_secret_basic';
+    /** OAuth 2.0 grant types the client may use */
+    grant_types?: string[];
+    /** OAuth 2.0 response types the client may use */
+    response_types?: string[];
+    /** Human-readable client name */
+    client_name?: string;
+    /** URL providing information about the client */
+    client_uri?: string;
+    /** URL referencing a logo for the client */
+    logo_uri?: string;
+    /** Space-separated list of scope values */
+    scope?: string;
+    /** Array of contact strings (typically email addresses) */
+    contacts?: string[];
+    /** URL pointing to terms of service document */
+    tos_uri?: string;
+    /** URL pointing to privacy policy document */
+    policy_uri?: string;
+    /** URL referencing the client's JSON Web Key Set */
+    jwks_uri?: string;
+    /** Client's JSON Web Key Set document value */
+    jwks?: object;
+    /** Unique identifier for the client software */
+    software_id?: string;
+    /** Version identifier for the client software */
+    software_version?: string;
+    /** JWT containing client metadata claims (signed software statement) */
+    software_statement?: string;
+}
+/**
+ * Client information response from successful registration (RFC 7591 Section 3.2.1)
+ *
+ * Authorization server returns client credentials and echoes/modifies metadata.
+ * client_id is always returned, client_secret is optional for public clients.
+ */
+export interface DcrClientInformation {
+    /** REQUIRED: OAuth 2.0 client identifier string */
+    client_id: string;
+    /** OPTIONAL: OAuth 2.0 client secret (omitted for public clients) */
+    client_secret?: string;
+    /** OPTIONAL: Timestamp of client ID issuance (seconds since Unix epoch) */
+    client_id_issued_at?: number;
+    /**
+     * REQUIRED if client_secret issued: Expiration timestamp (seconds since epoch)
+     * Value of 0 indicates the secret does not expire
+     */
+    client_secret_expires_at?: number;
+    redirect_uris?: string[];
+    token_endpoint_auth_method?: string;
+    grant_types?: string[];
+    response_types?: string[];
+    client_name?: string;
+    client_uri?: string;
+    logo_uri?: string;
+    scope?: string;
+    contacts?: string[];
+    tos_uri?: string;
+    policy_uri?: string;
+    jwks_uri?: string;
+    jwks?: object;
+    software_id?: string;
+    software_version?: string;
+}
+/**
+ * Provider tokens for stateless DCR pattern
+ *
+ * In stateless mode, DCR provider receives provider credentials from context
+ * rather than managing token storage. Used for MCP server deployments where
+ * client manages all tokens.
+ */
+export interface ProviderTokens {
+    /** OAuth 2.0 access token for provider API calls */
+    accessToken: string;
+    /** Optional refresh token for token renewal */
+    refreshToken?: string;
+    /** Token expiration timestamp (seconds since Unix epoch) */
+    expiresAt?: number;
+    /** Space-separated list of granted scopes */
+    scope?: string;
+}
+/**
+ * Configuration for DCR provider initialization
+ *
+ * Minimal config for creating DCR provider instances. Additional provider-specific
+ * config (client IDs, secrets, redirect URIs) handled by concrete implementations.
+ */
+export interface DcrConfig {
+    /** Authorization server's registration endpoint URL */
+    registrationEndpoint: string;
+    /** Client metadata to register with authorization server */
+    metadata: DcrClientMetadata;
+    /** Optional logger for DCR operations */
+    logger?: Logger;
+}
+/**
+ * DCR error response per RFC 7591 Section 3.2.2
+ *
+ * Authorization server returns HTTP 400 with error details when
+ * registration fails due to invalid metadata or policy violations.
+ */
+export interface DcrErrorResponse {
+    /** REQUIRED: Single ASCII error code string */
+    error: 'invalid_redirect_uri' | 'invalid_client_metadata' | 'invalid_software_statement' | 'unapproved_software_statement' | string;
+    /** OPTIONAL: Human-readable ASCII description */
+    error_description?: string;
+}

package/dist/cjs/lib/dcr-types.js

@@ -0,0 +1,12 @@
+/**
+ * Dynamic Client Registration (DCR) types per RFC 7591
+ *
+ * Defines core types for OAuth 2.0 Dynamic Client Registration Protocol.
+ * Used by providers to register clients dynamically with authorization servers.
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc7591
+ */ "use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+/* CJS INTEROP */ if (exports.__esModule && exports.default) { try { Object.defineProperty(exports.default, '__esModule', { value: true }); for (var key in exports) { exports.default[key] = exports[key]; } } catch (_) {}; module.exports = exports.default; }