@monocloud/auth-core 0.1.3 → 0.1.5

package/README.md

@@ -1,10 +1,26 @@
-![MonoCloud Logo](https://raw.githubusercontent.com/monocloud/auth-js/refs/heads/main/MonoCloud.png)
+<div align="center">
+  <a href="https://www.monocloud.com?utm_source=github&utm_medium=auth_js" target="_blank" rel="noopener noreferrer">
+    <picture>
+      <img src="https://raw.githubusercontent.com/monocloud/auth-js/refs/heads/main/packages/core/banner.svg" alt="MonoCloud Banner">
+    </picture>
+  </a>
+  <div align="right">
+    <a href="https://www.npmjs.com/package/@monocloud/auth-core" target="_blank">
+      <img src="https://img.shields.io/npm/v/@monocloud/auth-core" alt="NPM" />
+    </a>
+    <a href="https://opensource.org/licenses/MIT">
+      <img src="https://img.shields.io/:license-MIT-blue.svg?style=flat" alt="License: MIT" />
+    </a>
+    <a href="https://github.com/monocloud/auth-js/actions/workflows/build.yml">
+      <img src="https://github.com/monocloud/auth-js/actions/workflows/build.yml/badge.svg" alt="Build Status" />
+    </a>
+  </div>
+</div>
 
 ## Introduction
 
 **MonoCloud OIDC Client for JavaScript — a standards-compliant OpenID Connect client for secure authentication flows.**
 
-
 [MonoCloud](https://www.monocloud.com?utm_source=github&utm_medium=auth_js) is a modern, developer-friendly Identity & Access Management platform.
 
 This package provides a **framework-agnostic OpenID Connect (OIDC) client** for interacting with MonoCloud. It supports industry-standard authentication flows including **Authorization Code Flow**, **PKCE**, **Pushed Authorization Requests (PAR)**, and token lifecycle management.
@@ -79,7 +95,7 @@ const session = await oidcClient.authenticate(
   'openid profile email'
 );
 
-console.log(session.user);    // User profile claims
+console.log(session.user); // User profile claims
 console.log(session.idToken); // Raw ID Token
 ```
 

package/dist/index.cjs

@@ -1,10 +1,25 @@
-const require_internal = require('./internal-DytuO03E.cjs');
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+const require_utils_internal = require('./utils/internal.cjs');
 
 //#region src/errors/monocloud-auth-base-error.ts
+/**
+* Base class for all MonoCloud authentication errors.
+*
+* All errors thrown by the MonoCloud SDK extend this class, allowing applications to safely detect and handle MonoCloud-specific failures using `instanceof`.
+*
+* @category Error Classes
+*/
 var MonoCloudAuthBaseError = class extends Error {};
 
 //#endregion
 //#region src/errors/monocloud-op-error.ts
+/**
+* OAuth error returned by the authorization server during an authentication or token request.
+*
+* These errors correspond to standard OAuth / OpenID Connect error responses such as `invalid_request`, `access_denied`, or `invalid_grant`.
+*
+* @category Error Classes
+*/
 var MonoCloudOPError = class extends MonoCloudAuthBaseError {
 	constructor(error, errorDescription) {
 		super(error);
@@ -15,14 +30,31 @@ var MonoCloudOPError = class extends MonoCloudAuthBaseError {
 
 //#endregion
 //#region src/errors/monocloud-http-error.ts
+/**
+* Error thrown when a request to the MonoCloud authorization server fails.
+*
+* This error typically indicates a network failure, an unexpected HTTP response, or an unsuccessful response returned by the authorization server.
+*
+* @category Error Classes
+*/
 var MonoCloudHttpError = class extends MonoCloudAuthBaseError {};
 
 //#endregion
 //#region src/errors/monocloud-token-error.ts
+/**
+* Error thrown when a token operation fails.
+*
+* @category Error Classes
+*/
 var MonoCloudTokenError = class extends MonoCloudAuthBaseError {};
 
 //#endregion
 //#region src/errors/monocloud-validation-error.ts
+/**
+* Error thrown when validation fails.
+*
+* @category Error Classes
+*/
 var MonoCloudValidationError = class extends MonoCloudAuthBaseError {};
 
 //#endregion
@@ -140,13 +172,13 @@ const keyToSubtle = (key) => {
 	throw new Error("unsupported CryptoKey algorithm name");
 };
 const clientAssertionPayload = (issuer, clientId, skew) => {
-	const now$1 = Math.floor(Date.now() / 1e3) + skew;
+	const now = Math.floor(Date.now() / 1e3) + skew;
 	return {
-		jti: require_internal.randomBytes(),
+		jti: require_utils_internal.randomBytes(),
 		aud: issuer,
-		exp: now$1 + 60,
-		iat: now$1,
-		nbf: now$1,
+		exp: now + 60,
+		iat: now,
+		nbf: now,
 		iss: clientId,
 		sub: clientId
 	};
@@ -160,8 +192,8 @@ const jwtAssertionGenerator = async (issuer, clientId, clientSecret, body, skew)
 	const payload = clientAssertionPayload(issuer, clientId, skew);
 	body.set("client_id", clientId);
 	body.set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer");
-	const input = `${require_internal.encodeBase64Url(require_internal.stringToArrayBuffer(JSON.stringify(header)))}.${require_internal.encodeBase64Url(require_internal.stringToArrayBuffer(JSON.stringify(payload)))}`;
-	const signature = require_internal.encodeBase64Url(await crypto.subtle.sign(keyToSubtle(key), key, require_internal.stringToArrayBuffer(input)));
+	const input = `${require_utils_internal.encodeBase64Url(require_utils_internal.stringToArrayBuffer(JSON.stringify(header)))}.${require_utils_internal.encodeBase64Url(require_utils_internal.stringToArrayBuffer(JSON.stringify(payload)))}`;
+	const signature = require_utils_internal.encodeBase64Url(await crypto.subtle.sign(keyToSubtle(key), key, require_utils_internal.stringToArrayBuffer(input)));
 	body.set("client_assertion", `${input}.${signature}`);
 };
 const clientAuth = async (clientId, clientSecret, method, issuer, headers, body, jwtAssertionSkew) => {
@@ -175,7 +207,7 @@ const clientAuth = async (clientId, clientSecret, method, issuer, headers, body,
 			break;
 		case method === "client_secret_jwt" && !!issuer && !!body && (typeof clientSecret === "string" || clientSecret?.kty === "oct"):
 			await jwtAssertionGenerator(issuer, clientId, typeof clientSecret === "string" ? {
-				k: require_internal.encodeBase64Url(require_internal.stringToArrayBuffer(clientSecret)),
+				k: require_utils_internal.encodeBase64Url(require_utils_internal.stringToArrayBuffer(clientSecret)),
 				kty: "oct",
 				alg: "HS256"
 			} : clientSecret, body, jwtAssertionSkew ?? 0);
@@ -223,12 +255,15 @@ const deserializeJson = async (res) => {
 		);
 	}
 };
+/**
+* @category Classes
+*/
 var MonoCloudOidcClient = class MonoCloudOidcClient {
 	constructor(tenantDomain, clientId, options) {
 		this.jwksCacheExpiry = 0;
-		this.jwksCacheDuration = 60;
+		this.jwksCacheDuration = 300;
 		this.metadataCacheExpiry = 0;
-		this.metadataCacheDuration = 60;
+		this.metadataCacheDuration = 300;
 		tenantDomain ??= "";
 		/* v8 ignore next -- @preserve */
 		this.tenantDomain = `${!tenantDomain.startsWith("https://") ? "https://" : ""}${tenantDomain.endsWith("/") ? tenantDomain.slice(0, -1) : tenantDomain}`;
@@ -244,9 +279,9 @@ var MonoCloudOidcClient = class MonoCloudOidcClient {
 	*
 	* If no values are provided for `responseType`, or `codeChallengeMethod`, they default to `code`, and `S256`, respectively.
 	*
-	* @param params Authorization URL parameters
+	* @param params - Authorization URL parameters.
 	*
-	* @returns Tenant's authorization url.
+	* @returns Tenant's authorization URL.
 	*
 	* @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or
 	* unexpected status code during the request or a serialization error while processing the response.
@@ -257,7 +292,7 @@ var MonoCloudOidcClient = class MonoCloudOidcClient {
 		queryParams.set("client_id", this.clientId);
 		if (params.redirectUri) queryParams.set("redirect_uri", params.redirectUri);
 		if (params.requestUri) queryParams.set("request_uri", params.requestUri);
-		const scopes = require_internal.parseSpaceSeparated(params.scopes) ?? [];
+		const scopes = require_utils_internal.parseSpaceSeparated(params.scopes) ?? [];
 		if (scopes.length > 0) queryParams.set("scope", scopes.join(" "));
 		if (params.responseType && params.responseType.length > 0) queryParams.set("response_type", params.responseType);
 		if ((!params.responseType || params.responseType.length === 0) && !params.requestUri) queryParams.set("response_type", "code");
@@ -271,7 +306,7 @@ var MonoCloudOidcClient = class MonoCloudOidcClient {
 		if (params.display) queryParams.set("display", params.display);
 		if (typeof params.maxAge === "number") queryParams.set("max_age", params.maxAge.toString());
 		if (params.prompt) queryParams.set("prompt", params.prompt);
-		const resource = require_internal.parseSpaceSeparated(params.resource) ?? [];
+		const resource = require_utils_internal.parseSpaceSeparated(params.resource) ?? [];
 		if (resource.length > 0) for (const r of resource) queryParams.append("resource", r);
 		if (params.codeChallenge) {
 			queryParams.set("code_challenge", params.codeChallenge);
@@ -295,17 +330,17 @@ var MonoCloudOidcClient = class MonoCloudOidcClient {
 	*
 	*/
 	async getMetadata(forceRefresh = false) {
-		if (!forceRefresh && this.metadata && this.metadataCacheExpiry > require_internal.now()) return this.metadata;
+		if (!forceRefresh && this.metadata && this.metadataCacheExpiry > require_utils_internal.now()) return this.metadata;
 		this.metadata = void 0;
 		const response = await innerFetch(`${this.tenantDomain}/.well-known/openid-configuration`);
 		if (response.status !== 200) throw new MonoCloudHttpError(`Error while fetching metadata. Unexpected status code: ${response.status}`);
 		const metadata = await deserializeJson(response);
 		this.metadata = metadata;
-		this.metadataCacheExpiry = require_internal.now() + this.metadataCacheDuration;
+		this.metadataCacheExpiry = require_utils_internal.now() + this.metadataCacheDuration;
 		return metadata;
 	}
 	/**
-	* Fetches the JSON Web Keys used to sign the id token.
+	* Fetches the JSON Web Keys used to sign the ID token.
 	* The JWKS is cached for 1 minute.
 	*
 	* @param forceRefresh - If `true`, bypasses the cache and fetches fresh set of JWKS from the server.
@@ -317,7 +352,7 @@ var MonoCloudOidcClient = class MonoCloudOidcClient {
 	*
 	*/
 	async getJwks(forceRefresh = false) {
-		if (!forceRefresh && this.jwks && this.jwksCacheExpiry > require_internal.now()) return this.jwks;
+		if (!forceRefresh && this.jwks && this.jwksCacheExpiry > require_utils_internal.now()) return this.jwks;
 		this.jwks = void 0;
 		const metadata = await this.getMetadata();
 		assertMetadataProperty(metadata, "jwks_uri");
@@ -325,15 +360,15 @@ var MonoCloudOidcClient = class MonoCloudOidcClient {
 		if (response.status !== 200) throw new MonoCloudHttpError(`Error while fetching JWKS. Unexpected status code: ${response.status}`);
 		const jwks = await deserializeJson(response);
 		this.jwks = jwks;
-		this.jwksCacheExpiry = require_internal.now() + this.jwksCacheDuration;
+		this.jwksCacheExpiry = require_utils_internal.now() + this.jwksCacheDuration;
 		return jwks;
 	}
 	/**
 	* Performs a pushed authorization request.
 	*
-	* @param params - Authorization Parameters
+	* @param params - Authorization Parameters.
 	*
-	* @returns Response from Pushed Authorization Request (PAR) endpoint
+	* @returns Response from Pushed Authorization Request (PAR) endpoint.
 	*
 	* @throws {@link MonoCloudOPError} - When the request is invalid.
 	*
@@ -345,7 +380,7 @@ var MonoCloudOidcClient = class MonoCloudOidcClient {
 		const body = new URLSearchParams();
 		body.set("client_id", this.clientId);
 		if (params.redirectUri) body.set("redirect_uri", params.redirectUri);
-		const scopes = require_internal.parseSpaceSeparated(params.scopes) ?? [];
+		const scopes = require_utils_internal.parseSpaceSeparated(params.scopes) ?? [];
 		if (scopes.length > 0) body.set("scope", scopes.join(" "));
 		if (params.responseType && params.responseType.length > 0) body.set("response_type", params.responseType);
 		else body.set("response_type", "code");
@@ -359,7 +394,7 @@ var MonoCloudOidcClient = class MonoCloudOidcClient {
 		if (params.display) body.set("display", params.display);
 		if (typeof params.maxAge === "number") body.set("max_age", params.maxAge.toString());
 		if (params.prompt) body.set("prompt", params.prompt);
-		const resource = require_internal.parseSpaceSeparated(params.resource) ?? [];
+		const resource = require_utils_internal.parseSpaceSeparated(params.resource) ?? [];
 		if (resource.length > 0) for (const r of resource) body.append("resource", r);
 		if (params.codeChallenge) {
 			body.set("code_challenge", params.codeChallenge);
@@ -423,13 +458,13 @@ var MonoCloudOidcClient = class MonoCloudOidcClient {
 		return await deserializeJson(response);
 	}
 	/**
-	* Generates OpenID end session url for signing out.
+	* Generates OpenID end session URL for signing out.
 	*
 	* Note - The `state` is added only when `postLogoutRedirectUri` is present.
 	*
-	* @param params - Parameters to build end session url
+	* @param params - Parameters to build end session URL.
 	*
-	* @returns Tenant's end session url
+	* @returns Tenant's end session URL.
 	*
 	* @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or
 	* unexpected status code during the request or a serialization error while processing the response.
@@ -453,7 +488,7 @@ var MonoCloudOidcClient = class MonoCloudOidcClient {
 	* @param code - The authorization code received from the authorization server.
 	* @param redirectUri - The redirect URI used in the initial authorization request.
 	* @param codeVerifier - Code verifier for PKCE.
-	* @param resource - Space-separated list of resources the access token should be scoped to
+	* @param resource - Space-separated list of resources the access token should be scoped to.
 	*
 	* @returns Tokens obtained by exchanging an authorization code at the token endpoint.
 	*
@@ -470,7 +505,7 @@ var MonoCloudOidcClient = class MonoCloudOidcClient {
 		body.set("code", code);
 		body.set("redirect_uri", redirectUri);
 		if (codeVerifier) body.set("code_verifier", codeVerifier);
-		const resources = require_internal.parseSpaceSeparated(resource) ?? [];
+		const resources = require_utils_internal.parseSpaceSeparated(resource) ?? [];
 		if (resources.length > 0) for (const r of resources) body.append("resource", r);
 		const headers = {
 			"content-type": "application/x-www-form-urlencoded",
@@ -510,9 +545,9 @@ var MonoCloudOidcClient = class MonoCloudOidcClient {
 		const body = new URLSearchParams();
 		body.set("grant_type", "refresh_token");
 		body.set("refresh_token", refreshToken);
-		const scopes = require_internal.parseSpaceSeparated(options?.scopes) ?? [];
+		const scopes = require_utils_internal.parseSpaceSeparated(options?.scopes) ?? [];
 		if (scopes.length > 0) body.set("scope", scopes.join(" "));
-		const resource = require_internal.parseSpaceSeparated(options?.resource) ?? [];
+		const resource = require_utils_internal.parseSpaceSeparated(options?.resource) ?? [];
 		if (resource.length > 0) for (const r of resource) body.append("resource", r);
 		const headers = {
 			"content-type": "application/x-www-form-urlencoded",
@@ -536,23 +571,23 @@ var MonoCloudOidcClient = class MonoCloudOidcClient {
 	/**
 	* Generates a session with user and tokens by exchanging authorization code from callback params.
 	*
-	* @param code - The authorization code received from the callback
-	* @param redirectUri - The redirect URI that was used in the authorization request
+	* @param code - The authorization code received from the callback.
+	* @param redirectUri - The redirect URI that was used in the authorization request.
 	* @param requestedScopes - A space-separated list of scopes originally requested via the `/authorize` endpoint.
 	* This is stored in the session to ensure the correct access token can be identified and refreshed during `refreshSession()`.
 	* @param resource - A space-separated list of resource indicators originally requested via the `/authorize` endpoint.
 	* Used alongside scopes to uniquely identify and refresh the specific access token associated with these resources.
-	* @param options - Options for authenticating a user with authorization code
+	* @param options - Options for authenticating a user with authorization code.
 	*
 	* @returns The user's session containing authentication tokens and user information.
 	*
 	* @throws {@link MonoCloudValidationError} - When the token scope does not contain the openid scope,
 	* or if 'expires_in' or 'scope' is missing from the token response.
 	*
-	* @throws {@link MonoCloudOPError} - When the OpenID Provider returns a standardized
+	* @throws {@link MonoCloudOPError} - When the OpenID Provider returns a standardized.
 	* OAuth 2.0 error response.
 	*
-	* @throws {@link MonoCloudTokenError} - If ID Token validation fails
+	* @throws {@link MonoCloudTokenError} - If ID Token validation fails.
 	*
 	* @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or
 	* unexpected status code during the request or a serialization error while processing the response.
@@ -560,7 +595,7 @@ var MonoCloudOidcClient = class MonoCloudOidcClient {
 	*/
 	async authenticate(code, redirectUri, requestedScopes, resource, options) {
 		const tokens = await this.exchangeAuthorizationCode(code, redirectUri, options?.codeVerifier, resource);
-		const accessTokenExpiration = typeof tokens.expires_in === "number" ? require_internal.now() + tokens.expires_in : void 0;
+		const accessTokenExpiration = typeof tokens.expires_in === "number" ? require_utils_internal.now() + tokens.expires_in : void 0;
 		if (!accessTokenExpiration) throw new MonoCloudValidationError("Missing required 'expires_in' field");
 		if (!tokens.scope) throw new MonoCloudValidationError("Missing or invalid 'scope' field");
 		let userinfo;
@@ -596,11 +631,11 @@ var MonoCloudOidcClient = class MonoCloudOidcClient {
 	* Refetches user information for an existing session using the userinfo endpoint.
 	* Updates the session's user object with the latest user information while preserving existing properties.
 	*
-	* @param accessToken - Access token used to fetch the userinfo
-	* @param session - The current MonoCloudSession
-	* @param options - Userinfo refetch options
+	* @param accessToken - Access token used to fetch the userinfo.
+	* @param session - The current MonoCloudSession.
+	* @param options - Userinfo refetch options.
 	*
-	* @returns Updated session with the latest userinfo
+	* @returns Updated session with the latest userinfo.
 	*
 	* @throws {@link MonoCloudValidationError} - When the token scope does not contain openid scope
 	*
@@ -627,8 +662,8 @@ var MonoCloudOidcClient = class MonoCloudOidcClient {
 	* Refreshes an existing session using the refresh token.
 	* This function requests new tokens using the refresh token and optionally updates user information.
 	*
-	* @param session - The current MonoCloudSession containing the refresh token
-	* @param options - Session refresh options
+	* @param session - The current MonoCloudSession containing the refresh token.
+	* @param options - Session refresh options.
 	*
 	* @returns User's session containing refreshed authentication tokens and user information.
 	*
@@ -647,7 +682,7 @@ var MonoCloudOidcClient = class MonoCloudOidcClient {
 	async refreshSession(session, options) {
 		if (!session.refreshToken) throw new MonoCloudValidationError("Session does not contain refresh token");
 		const tokens = await this.refreshGrant(session.refreshToken, options?.refreshGrantOptions);
-		const accessTokenExpiration = typeof tokens.expires_in === "number" ? require_internal.now() + tokens.expires_in : void 0;
+		const accessTokenExpiration = typeof tokens.expires_in === "number" ? require_utils_internal.now() + tokens.expires_in : void 0;
 		if (!accessTokenExpiration) throw new MonoCloudValidationError("Missing required 'expires_in' field");
 		if (!tokens.scope) throw new MonoCloudValidationError("Missing or invalid 'scope' field");
 		let userinfo;
@@ -663,7 +698,7 @@ var MonoCloudOidcClient = class MonoCloudOidcClient {
 		const resource = options?.refreshGrantOptions?.resource;
 		let scopes = options?.refreshGrantOptions?.scopes;
 		if (!resource && !scopes) scopes = session.authorizedScopes;
-		const accessToken = require_internal.findToken(session.accessTokens, resource, scopes);
+		const accessToken = require_utils_internal.findToken(session.accessTokens, resource, scopes);
 		const user = Object.keys(idTokenClaims).length === 0 && !userinfo ? session.user : {
 			...session.user,
 			...idTokenClaims,
@@ -690,10 +725,10 @@ var MonoCloudOidcClient = class MonoCloudOidcClient {
 	/**
 	* Revokes an access token or refresh token, rendering it invalid for future use.
 	*
-	* @param token - The token string to be revoked
-	* @param tokenType - Hint about the token type ('access_token' or 'refresh_token')
+	* @param token - The token string to be revoked.
+	* @param tokenType - Hint about the token type ('access_token' or 'refresh_token').
 	*
-	* @returns If token revocation succeeded
+	* @returns If token revocation succeeded.
 	*
 	* @throws {@link MonoCloudValidationError} - If token is invalid or unsupported token type
 	*
@@ -727,14 +762,14 @@ var MonoCloudOidcClient = class MonoCloudOidcClient {
 	/**
 	* Validates an ID Token.
 	*
-	* @param idToken - The ID Token JWT string to validate
-	* @param jwks - Array of JSON Web Keys (JWK) used to verify the token's signature
-	* @param clockSkew - Number of seconds to adjust the current time to account for clock differences
-	* @param clockTolerance - Additional time tolerance in seconds for time-based claim validation
-	* @param maxAge - maximum authentication age in seconds
-	* @param nonce - nonce value to validate against the token's nonce claim
+	* @param idToken - The ID Token JWT string to validate.
+	* @param jwks - Array of JSON Web Keys (JWK) used to verify the token's signature.
+	* @param clockSkew - Number of seconds to adjust the current time to account for clock differences.
+	* @param clockTolerance - Additional time tolerance in seconds for time-based claim validation.
+	* @param maxAge - Maximum authentication age in seconds.
+	* @param nonce - Nonce value to validate against the token's nonce claim.
 	*
-	* @returns Validated ID Token claims
+	* @returns Validated ID Token claims.
 	*
 	* @throws {@link MonoCloudTokenError} - If ID Token validation fails
 	*
@@ -745,28 +780,28 @@ var MonoCloudOidcClient = class MonoCloudOidcClient {
 		if (length !== 3) throw new MonoCloudTokenError("ID Token must have a header, payload and signature");
 		let header;
 		try {
-			header = JSON.parse(require_internal.decodeBase64Url(protectedHeader));
+			header = JSON.parse(require_utils_internal.decodeBase64Url(protectedHeader));
 		} catch {
 			throw new MonoCloudTokenError("Failed to parse JWT Header");
 		}
 		if (header === null || typeof header !== "object" || Array.isArray(header)) throw new MonoCloudTokenError("JWT Header must be a top level object");
 		if (this.idTokenSigningAlgorithm !== header.alg) throw new MonoCloudTokenError("Invalid signing alg");
 		if (header.crit !== void 0) throw new MonoCloudTokenError("Unexpected JWT \"crit\" header parameter");
-		const binary = require_internal.decodeBase64Url(encodedSignature);
+		const binary = require_utils_internal.decodeBase64Url(encodedSignature);
 		const signature = new Uint8Array(binary.length);
 		for (let i = 0; i < binary.length; i++) signature[i] = binary.charCodeAt(i);
-		const key = await require_internal.getPublicSigKeyFromIssuerJwks(jwks, header);
+		const key = await require_utils_internal.getPublicSigKeyFromIssuerJwks(jwks, header);
 		const input = `${protectedHeader}.${payload}`;
-		if (!await crypto.subtle.verify(keyToSubtle(key), key, signature, require_internal.stringToArrayBuffer(input))) throw new MonoCloudTokenError("JWT signature verification failed");
+		if (!await crypto.subtle.verify(keyToSubtle(key), key, signature, require_utils_internal.stringToArrayBuffer(input))) throw new MonoCloudTokenError("JWT signature verification failed");
 		let claims;
 		try {
-			claims = JSON.parse(require_internal.decodeBase64Url(payload));
+			claims = JSON.parse(require_utils_internal.decodeBase64Url(payload));
 		} catch {
 			throw new MonoCloudTokenError("Failed to parse JWT Payload");
 		}
 		if (claims === null || typeof claims !== "object" || Array.isArray(claims)) throw new MonoCloudTokenError("JWT Payload must be a top level object");
 		if ((claims.nonce || nonce) && claims.nonce !== nonce) throw new MonoCloudTokenError("Nonce mismatch");
-		const current = require_internal.now() + clockSkew;
+		const current = require_utils_internal.now() + clockSkew;
 		/* v8 ignore else -- @preserve */
 		if (claims.exp !== void 0) {
 			if (typeof claims.exp !== "number") throw new MonoCloudTokenError("Unexpected JWT \"exp\" (expiration time) claim type");
@@ -787,11 +822,12 @@ var MonoCloudOidcClient = class MonoCloudOidcClient {
 	}
 	/**
 	* Decodes the payload of a JSON Web Token (JWT) and returns it as an object.
-	* **THIS METHOD DOES NOT VERIFY JWT TOKENS**.
 	*
-	* @param jwt - JWT to decode
+	* >Note: THIS METHOD DOES NOT VERIFY JWT TOKENS.
+	*
+	* @param jwt - JWT to decode.
 	*
-	* @returns Decoded payload
+	* @returns Decoded payload.
 	*
 	* @throws {@link MonoCloudTokenError} - If decoding fails
 	*
@@ -800,7 +836,7 @@ var MonoCloudOidcClient = class MonoCloudOidcClient {
 		try {
 			const [, payload] = jwt.split(".");
 			if (!payload?.trim()) throw new MonoCloudTokenError("JWT does not contain payload");
-			const decoded = require_internal.decodeBase64Url(payload);
+			const decoded = require_utils_internal.decodeBase64Url(payload);
 			if (!decoded.startsWith("{")) throw new MonoCloudTokenError("Payload is not an object");
 			return JSON.parse(decoded);
 		} catch (e) {