@navios/jwt 0.5.0 → 0.7.0

package/lib/index.d.cts

@@ -0,0 +1,936 @@
+import jwt, { Secret as Secret$1 } from "jsonwebtoken";
+import * as zod_v40 from "zod/v4";
+import { z } from "zod/v4";
+import * as zod_v4_core0 from "zod/v4/core";
+import * as _navios_core0 from "@navios/core";
+import { BoundInjectionToken, FactoryInjectionToken, InjectionToken } from "@navios/core";
+
+//#region src/options/jwt-service.options.d.mts
+/**
+ * Request type for secret or key provider functions.
+ *
+ * Used to distinguish between signing and verification operations when
+ * dynamically resolving secrets or keys.
+ */
+declare enum RequestType {
+  /** Request is for signing a token */
+  Sign = "Sign",
+  /** Request is for verifying a token */
+  Verify = "Verify",
+}
+/**
+ * Supported JWT algorithms.
+ *
+ * Includes symmetric (HMAC) and asymmetric (RSA, ECDSA, EdDSA) algorithms.
+ */
+declare const AlgorithmType: z.ZodEnum<{
+  HS256: "HS256";
+  HS384: "HS384";
+  HS512: "HS512";
+  RS256: "RS256";
+  RS384: "RS384";
+  RS512: "RS512";
+  ES256: "ES256";
+  ES384: "ES384";
+  ES512: "ES512";
+  PS256: "PS256";
+  PS384: "PS384";
+  PS512: "PS512";
+  none: "none";
+}>;
+/**
+ * JWT header schema.
+ *
+ * Defines the structure of the JWT header with standard claims.
+ */
+declare const JwtHeaderSchema: z.ZodObject<{
+  alg: z.ZodUnion<[z.ZodEnum<{
+    HS256: "HS256";
+    HS384: "HS384";
+    HS512: "HS512";
+    RS256: "RS256";
+    RS384: "RS384";
+    RS512: "RS512";
+    ES256: "ES256";
+    ES384: "ES384";
+    ES512: "ES512";
+    PS256: "PS256";
+    PS384: "PS384";
+    PS512: "PS512";
+    none: "none";
+  }>, z.ZodString]>;
+  typ: z.ZodOptional<z.ZodString>;
+  cty: z.ZodOptional<z.ZodString>;
+  crit: z.ZodOptional<z.ZodArray<z.ZodString>>;
+  kid: z.ZodOptional<z.ZodString>;
+  jku: z.ZodOptional<z.ZodString>;
+  x5u: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
+  'x5t#S256': z.ZodOptional<z.ZodString>;
+  x5t: z.ZodOptional<z.ZodString>;
+  x5c: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
+}, z.core.$strip>;
+/**
+ * JWT header type.
+ *
+ * Contains algorithm, type, and optional header claims.
+ */
+type JwtHeader = z.infer<typeof JwtHeaderSchema>;
+/**
+ * Schema for JWT signing options.
+ *
+ * Defines all available options for signing tokens including algorithm,
+ * expiration, audience, issuer, and other standard JWT claims.
+ */
+declare const SignOptionsSchema: z.ZodObject<{
+  algorithm: z.ZodOptional<z.ZodEnum<{
+    HS256: "HS256";
+    HS384: "HS384";
+    HS512: "HS512";
+    RS256: "RS256";
+    RS384: "RS384";
+    RS512: "RS512";
+    ES256: "ES256";
+    ES384: "ES384";
+    ES512: "ES512";
+    PS256: "PS256";
+    PS384: "PS384";
+    PS512: "PS512";
+    none: "none";
+  }>>;
+  keyid: z.ZodOptional<z.ZodString>;
+  expiresIn: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodNumber]>>;
+  notBefore: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodNumber]>>;
+  audience: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodCustom<RegExp, RegExp>, z.ZodArray<z.ZodUnion<readonly [z.ZodString, z.ZodCustom<RegExp, RegExp>]>>]>>;
+  subject: z.ZodOptional<z.ZodString>;
+  issuer: z.ZodOptional<z.ZodString>;
+  jwtid: z.ZodOptional<z.ZodString>;
+  mutatePayload: z.ZodOptional<z.ZodBoolean>;
+  noTimestamp: z.ZodOptional<z.ZodBoolean>;
+  header: z.ZodOptional<z.ZodObject<{
+    alg: z.ZodUnion<[z.ZodEnum<{
+      HS256: "HS256";
+      HS384: "HS384";
+      HS512: "HS512";
+      RS256: "RS256";
+      RS384: "RS384";
+      RS512: "RS512";
+      ES256: "ES256";
+      ES384: "ES384";
+      ES512: "ES512";
+      PS256: "PS256";
+      PS384: "PS384";
+      PS512: "PS512";
+      none: "none";
+    }>, z.ZodString]>;
+    typ: z.ZodOptional<z.ZodString>;
+    cty: z.ZodOptional<z.ZodString>;
+    crit: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    kid: z.ZodOptional<z.ZodString>;
+    jku: z.ZodOptional<z.ZodString>;
+    x5u: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
+    'x5t#S256': z.ZodOptional<z.ZodString>;
+    x5t: z.ZodOptional<z.ZodString>;
+    x5c: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
+  }, z.core.$strip>>;
+  encoding: z.ZodOptional<z.ZodString>;
+  allowInsecureKeySizes: z.ZodOptional<z.ZodBoolean>;
+  allowInvalidAsymmetricKeyTypes: z.ZodOptional<z.ZodBoolean>;
+}, z.core.$strip>;
+/**
+ * Options for signing JWT tokens.
+ *
+ * @see SignOptionsSchema for the complete schema definition
+ */
+type SignOptions = z.infer<typeof SignOptionsSchema>;
+/**
+ * Schema for JWT verification options.
+ *
+ * Defines all available options for verifying tokens including allowed
+ * algorithms, audience, issuer, expiration handling, and other validation rules.
+ */
+declare const VerifyOptionsSchema: z.ZodObject<{
+  algorithms: z.ZodOptional<z.ZodArray<z.ZodEnum<{
+    HS256: "HS256";
+    HS384: "HS384";
+    HS512: "HS512";
+    RS256: "RS256";
+    RS384: "RS384";
+    RS512: "RS512";
+    ES256: "ES256";
+    ES384: "ES384";
+    ES512: "ES512";
+    PS256: "PS256";
+    PS384: "PS384";
+    PS512: "PS512";
+    none: "none";
+  }>>>;
+  audience: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodCustom<RegExp, RegExp>, z.ZodArray<z.ZodUnion<readonly [z.ZodString, z.ZodCustom<RegExp, RegExp>]>>]>>;
+  clockTimestamp: z.ZodOptional<z.ZodNumber>;
+  clockTolerance: z.ZodOptional<z.ZodNumber>;
+  complete: z.ZodOptional<z.ZodBoolean>;
+  issuer: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
+  ignoreExpiration: z.ZodOptional<z.ZodBoolean>;
+  ignoreNotBefore: z.ZodOptional<z.ZodBoolean>;
+  jwtid: z.ZodOptional<z.ZodString>;
+  nonce: z.ZodOptional<z.ZodString>;
+  subject: z.ZodOptional<z.ZodString>;
+  maxAge: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodNumber]>>;
+  allowInvalidAsymmetricKeyTypes: z.ZodOptional<z.ZodBoolean>;
+}, z.core.$strip>;
+/**
+ * Options for verifying JWT tokens.
+ *
+ * @see VerifyOptionsSchema for the complete schema definition
+ */
+type VerifyOptions = z.infer<typeof VerifyOptionsSchema>;
+/**
+ * Schema for JWT secret/key types.
+ *
+ * Supports string secrets, Buffer objects, and key objects with passphrases.
+ */
+declare const SecretSchema: z.ZodUnion<readonly [z.ZodString, z.ZodCustom<Buffer<ArrayBufferLike>, Buffer<ArrayBufferLike>>, z.ZodObject<{
+  type: z.ZodString;
+}, z.core.$loose>, z.ZodObject<{
+  key: z.ZodUnion<readonly [z.ZodString, z.ZodCustom<Buffer<ArrayBufferLike>, Buffer<ArrayBufferLike>>]>;
+  passphrase: z.ZodString;
+}, z.core.$strip>]>;
+/**
+ * Secret or key type for JWT operations.
+ *
+ * Can be a string, Buffer, or an object with key and optional passphrase.
+ */
+type Secret = z.infer<typeof SecretSchema>;
+declare const JwtServiceOptionsSchema: z.ZodObject<{
+  signOptions: z.ZodOptional<z.ZodObject<{
+    algorithm: z.ZodOptional<z.ZodEnum<{
+      HS256: "HS256";
+      HS384: "HS384";
+      HS512: "HS512";
+      RS256: "RS256";
+      RS384: "RS384";
+      RS512: "RS512";
+      ES256: "ES256";
+      ES384: "ES384";
+      ES512: "ES512";
+      PS256: "PS256";
+      PS384: "PS384";
+      PS512: "PS512";
+      none: "none";
+    }>>;
+    keyid: z.ZodOptional<z.ZodString>;
+    expiresIn: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodNumber]>>;
+    notBefore: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodNumber]>>;
+    audience: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodCustom<RegExp, RegExp>, z.ZodArray<z.ZodUnion<readonly [z.ZodString, z.ZodCustom<RegExp, RegExp>]>>]>>;
+    subject: z.ZodOptional<z.ZodString>;
+    issuer: z.ZodOptional<z.ZodString>;
+    jwtid: z.ZodOptional<z.ZodString>;
+    mutatePayload: z.ZodOptional<z.ZodBoolean>;
+    noTimestamp: z.ZodOptional<z.ZodBoolean>;
+    header: z.ZodOptional<z.ZodObject<{
+      alg: z.ZodUnion<[z.ZodEnum<{
+        HS256: "HS256";
+        HS384: "HS384";
+        HS512: "HS512";
+        RS256: "RS256";
+        RS384: "RS384";
+        RS512: "RS512";
+        ES256: "ES256";
+        ES384: "ES384";
+        ES512: "ES512";
+        PS256: "PS256";
+        PS384: "PS384";
+        PS512: "PS512";
+        none: "none";
+      }>, z.ZodString]>;
+      typ: z.ZodOptional<z.ZodString>;
+      cty: z.ZodOptional<z.ZodString>;
+      crit: z.ZodOptional<z.ZodArray<z.ZodString>>;
+      kid: z.ZodOptional<z.ZodString>;
+      jku: z.ZodOptional<z.ZodString>;
+      x5u: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
+      'x5t#S256': z.ZodOptional<z.ZodString>;
+      x5t: z.ZodOptional<z.ZodString>;
+      x5c: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
+    }, z.core.$strip>>;
+    encoding: z.ZodOptional<z.ZodString>;
+    allowInsecureKeySizes: z.ZodOptional<z.ZodBoolean>;
+    allowInvalidAsymmetricKeyTypes: z.ZodOptional<z.ZodBoolean>;
+  }, z.core.$strip>>;
+  secret: z.ZodOptional<z.ZodString>;
+  publicKey: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodCustom<Buffer<ArrayBufferLike>, Buffer<ArrayBufferLike>>]>>;
+  privateKey: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodCustom<Buffer<ArrayBufferLike>, Buffer<ArrayBufferLike>>, z.ZodObject<{
+    type: z.ZodString;
+  }, z.core.$loose>, z.ZodObject<{
+    key: z.ZodUnion<readonly [z.ZodString, z.ZodCustom<Buffer<ArrayBufferLike>, Buffer<ArrayBufferLike>>]>;
+    passphrase: z.ZodString;
+  }, z.core.$strip>]>>;
+  verifyOptions: z.ZodOptional<z.ZodObject<{
+    algorithms: z.ZodOptional<z.ZodArray<z.ZodEnum<{
+      HS256: "HS256";
+      HS384: "HS384";
+      HS512: "HS512";
+      RS256: "RS256";
+      RS384: "RS384";
+      RS512: "RS512";
+      ES256: "ES256";
+      ES384: "ES384";
+      ES512: "ES512";
+      PS256: "PS256";
+      PS384: "PS384";
+      PS512: "PS512";
+      none: "none";
+    }>>>;
+    audience: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodCustom<RegExp, RegExp>, z.ZodArray<z.ZodUnion<readonly [z.ZodString, z.ZodCustom<RegExp, RegExp>]>>]>>;
+    clockTimestamp: z.ZodOptional<z.ZodNumber>;
+    clockTolerance: z.ZodOptional<z.ZodNumber>;
+    complete: z.ZodOptional<z.ZodBoolean>;
+    issuer: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
+    ignoreExpiration: z.ZodOptional<z.ZodBoolean>;
+    ignoreNotBefore: z.ZodOptional<z.ZodBoolean>;
+    jwtid: z.ZodOptional<z.ZodString>;
+    nonce: z.ZodOptional<z.ZodString>;
+    subject: z.ZodOptional<z.ZodString>;
+    maxAge: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodNumber]>>;
+    allowInvalidAsymmetricKeyTypes: z.ZodOptional<z.ZodBoolean>;
+  }, z.core.$strip>>;
+  secretOrKeyProvider: z.ZodOptional<z.ZodFunction<z.ZodTuple<readonly [z.ZodEnum<typeof RequestType>, z.ZodAny, z.ZodOptional<z.ZodUnion<readonly [z.ZodObject<{
+    algorithm: z.ZodOptional<z.ZodEnum<{
+      HS256: "HS256";
+      HS384: "HS384";
+      HS512: "HS512";
+      RS256: "RS256";
+      RS384: "RS384";
+      RS512: "RS512";
+      ES256: "ES256";
+      ES384: "ES384";
+      ES512: "ES512";
+      PS256: "PS256";
+      PS384: "PS384";
+      PS512: "PS512";
+      none: "none";
+    }>>;
+    keyid: z.ZodOptional<z.ZodString>;
+    expiresIn: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodNumber]>>;
+    notBefore: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodNumber]>>;
+    audience: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodCustom<RegExp, RegExp>, z.ZodArray<z.ZodUnion<readonly [z.ZodString, z.ZodCustom<RegExp, RegExp>]>>]>>;
+    subject: z.ZodOptional<z.ZodString>;
+    issuer: z.ZodOptional<z.ZodString>;
+    jwtid: z.ZodOptional<z.ZodString>;
+    mutatePayload: z.ZodOptional<z.ZodBoolean>;
+    noTimestamp: z.ZodOptional<z.ZodBoolean>;
+    header: z.ZodOptional<z.ZodObject<{
+      alg: z.ZodUnion<[z.ZodEnum<{
+        HS256: "HS256";
+        HS384: "HS384";
+        HS512: "HS512";
+        RS256: "RS256";
+        RS384: "RS384";
+        RS512: "RS512";
+        ES256: "ES256";
+        ES384: "ES384";
+        ES512: "ES512";
+        PS256: "PS256";
+        PS384: "PS384";
+        PS512: "PS512";
+        none: "none";
+      }>, z.ZodString]>;
+      typ: z.ZodOptional<z.ZodString>;
+      cty: z.ZodOptional<z.ZodString>;
+      crit: z.ZodOptional<z.ZodArray<z.ZodString>>;
+      kid: z.ZodOptional<z.ZodString>;
+      jku: z.ZodOptional<z.ZodString>;
+      x5u: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
+      'x5t#S256': z.ZodOptional<z.ZodString>;
+      x5t: z.ZodOptional<z.ZodString>;
+      x5c: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
+    }, z.core.$strip>>;
+    encoding: z.ZodOptional<z.ZodString>;
+    allowInsecureKeySizes: z.ZodOptional<z.ZodBoolean>;
+    allowInvalidAsymmetricKeyTypes: z.ZodOptional<z.ZodBoolean>;
+  }, z.core.$strip>, z.ZodObject<{
+    algorithms: z.ZodOptional<z.ZodArray<z.ZodEnum<{
+      HS256: "HS256";
+      HS384: "HS384";
+      HS512: "HS512";
+      RS256: "RS256";
+      RS384: "RS384";
+      RS512: "RS512";
+      ES256: "ES256";
+      ES384: "ES384";
+      ES512: "ES512";
+      PS256: "PS256";
+      PS384: "PS384";
+      PS512: "PS512";
+      none: "none";
+    }>>>;
+    audience: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodCustom<RegExp, RegExp>, z.ZodArray<z.ZodUnion<readonly [z.ZodString, z.ZodCustom<RegExp, RegExp>]>>]>>;
+    clockTimestamp: z.ZodOptional<z.ZodNumber>;
+    clockTolerance: z.ZodOptional<z.ZodNumber>;
+    complete: z.ZodOptional<z.ZodBoolean>;
+    issuer: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
+    ignoreExpiration: z.ZodOptional<z.ZodBoolean>;
+    ignoreNotBefore: z.ZodOptional<z.ZodBoolean>;
+    jwtid: z.ZodOptional<z.ZodString>;
+    nonce: z.ZodOptional<z.ZodString>;
+    subject: z.ZodOptional<z.ZodString>;
+    maxAge: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodNumber]>>;
+    allowInvalidAsymmetricKeyTypes: z.ZodOptional<z.ZodBoolean>;
+  }, z.core.$strip>]>>], null>, z.ZodUnion<readonly [z.ZodUnion<readonly [z.ZodString, z.ZodCustom<Buffer<ArrayBufferLike>, Buffer<ArrayBufferLike>>, z.ZodObject<{
+    type: z.ZodString;
+  }, z.core.$loose>, z.ZodObject<{
+    key: z.ZodUnion<readonly [z.ZodString, z.ZodCustom<Buffer<ArrayBufferLike>, Buffer<ArrayBufferLike>>]>;
+    passphrase: z.ZodString;
+  }, z.core.$strip>]>, z.ZodPromise<z.ZodUnion<readonly [z.ZodString, z.ZodCustom<Buffer<ArrayBufferLike>, Buffer<ArrayBufferLike>>, z.ZodObject<{
+    type: z.ZodString;
+  }, z.core.$loose>, z.ZodObject<{
+    key: z.ZodUnion<readonly [z.ZodString, z.ZodCustom<Buffer<ArrayBufferLike>, Buffer<ArrayBufferLike>>]>;
+    passphrase: z.ZodString;
+  }, z.core.$strip>]>>]>>>;
+}, z.core.$strip>;
+/**
+ * Configuration options for the JWT service.
+ *
+ * @property signOptions - Default options for signing tokens
+ * @property secret - Default secret for symmetric algorithms (HS256, HS384, HS512)
+ * @property publicKey - Default public key for asymmetric algorithms (RS256, ES256, etc.)
+ * @property privateKey - Default private key for asymmetric algorithms
+ * @property verifyOptions - Default options for verifying tokens
+ * @property secretOrKeyProvider - Optional function to dynamically resolve secrets/keys
+ *
+ * @example
+ * ```ts
+ * const options: JwtServiceOptions = {
+ *   secret: 'your-secret-key',
+ *   signOptions: {
+ *     expiresIn: '1h',
+ *     algorithm: 'HS256',
+ *   },
+ *   verifyOptions: {
+ *     algorithms: ['HS256'],
+ *   },
+ * }
+ * ```
+ */
+type JwtServiceOptions = z.infer<typeof JwtServiceOptionsSchema>;
+/**
+ * Options for signing JWT tokens.
+ *
+ * Extends `SignOptions` with additional properties for specifying
+ * the secret or private key to use for signing.
+ *
+ * @property secret - Secret key for symmetric algorithms (overrides service default)
+ * @property privateKey - Private key for asymmetric algorithms (overrides service default)
+ */
+interface JwtSignOptions extends SignOptions {
+  /** Secret key for symmetric algorithms */
+  secret?: string | Buffer;
+  /** Private key for asymmetric algorithms */
+  privateKey?: Secret;
+}
+/**
+ * Options for verifying JWT tokens.
+ *
+ * Extends `VerifyOptions` with additional properties for specifying
+ * the secret or public key to use for verification.
+ *
+ * @property secret - Secret key for symmetric algorithms (overrides service default)
+ * @property publicKey - Public key for asymmetric algorithms (overrides service default)
+ */
+interface JwtVerifyOptions extends VerifyOptions {
+  /** Secret key for symmetric algorithms */
+  secret?: string | Buffer;
+  /** Public key for asymmetric algorithms */
+  publicKey?: string | Buffer;
+}
+/**
+ * Result type for secret/key resolution.
+ *
+ * Represents the possible return types from secret or key provider functions.
+ */
+type GetSecretKeyResult = string | Buffer | Secret$1;
+//#endregion
+//#region src/jwt.service.d.mts
+/**
+ * Injection token for JwtService.
+ *
+ * Used internally by the dependency injection system to register and resolve JwtService instances.
+ */
+declare const JwtServiceToken: InjectionToken<unknown, zod_v40.ZodObject<{
+  signOptions: zod_v40.ZodOptional<zod_v40.ZodObject<{
+    algorithm: zod_v40.ZodOptional<zod_v40.ZodEnum<{
+      HS256: "HS256";
+      HS384: "HS384";
+      HS512: "HS512";
+      RS256: "RS256";
+      RS384: "RS384";
+      RS512: "RS512";
+      ES256: "ES256";
+      ES384: "ES384";
+      ES512: "ES512";
+      PS256: "PS256";
+      PS384: "PS384";
+      PS512: "PS512";
+      none: "none";
+    }>>;
+    keyid: zod_v40.ZodOptional<zod_v40.ZodString>;
+    expiresIn: zod_v40.ZodOptional<zod_v40.ZodUnion<readonly [zod_v40.ZodString, zod_v40.ZodNumber]>>;
+    notBefore: zod_v40.ZodOptional<zod_v40.ZodUnion<readonly [zod_v40.ZodString, zod_v40.ZodNumber]>>;
+    audience: zod_v40.ZodOptional<zod_v40.ZodUnion<readonly [zod_v40.ZodString, zod_v40.ZodCustom<RegExp, RegExp>, zod_v40.ZodArray<zod_v40.ZodUnion<readonly [zod_v40.ZodString, zod_v40.ZodCustom<RegExp, RegExp>]>>]>>;
+    subject: zod_v40.ZodOptional<zod_v40.ZodString>;
+    issuer: zod_v40.ZodOptional<zod_v40.ZodString>;
+    jwtid: zod_v40.ZodOptional<zod_v40.ZodString>;
+    mutatePayload: zod_v40.ZodOptional<zod_v40.ZodBoolean>;
+    noTimestamp: zod_v40.ZodOptional<zod_v40.ZodBoolean>;
+    header: zod_v40.ZodOptional<zod_v40.ZodObject<{
+      alg: zod_v40.ZodUnion<[zod_v40.ZodEnum<{
+        HS256: "HS256";
+        HS384: "HS384";
+        HS512: "HS512";
+        RS256: "RS256";
+        RS384: "RS384";
+        RS512: "RS512";
+        ES256: "ES256";
+        ES384: "ES384";
+        ES512: "ES512";
+        PS256: "PS256";
+        PS384: "PS384";
+        PS512: "PS512";
+        none: "none";
+      }>, zod_v40.ZodString]>;
+      typ: zod_v40.ZodOptional<zod_v40.ZodString>;
+      cty: zod_v40.ZodOptional<zod_v40.ZodString>;
+      crit: zod_v40.ZodOptional<zod_v40.ZodArray<zod_v40.ZodString>>;
+      kid: zod_v40.ZodOptional<zod_v40.ZodString>;
+      jku: zod_v40.ZodOptional<zod_v40.ZodString>;
+      x5u: zod_v40.ZodOptional<zod_v40.ZodUnion<readonly [zod_v40.ZodString, zod_v40.ZodArray<zod_v40.ZodString>]>>;
+      'x5t#S256': zod_v40.ZodOptional<zod_v40.ZodString>;
+      x5t: zod_v40.ZodOptional<zod_v40.ZodString>;
+      x5c: zod_v40.ZodOptional<zod_v40.ZodUnion<readonly [zod_v40.ZodString, zod_v40.ZodArray<zod_v40.ZodString>]>>;
+    }, zod_v4_core0.$strip>>;
+    encoding: zod_v40.ZodOptional<zod_v40.ZodString>;
+    allowInsecureKeySizes: zod_v40.ZodOptional<zod_v40.ZodBoolean>;
+    allowInvalidAsymmetricKeyTypes: zod_v40.ZodOptional<zod_v40.ZodBoolean>;
+  }, zod_v4_core0.$strip>>;
+  secret: zod_v40.ZodOptional<zod_v40.ZodString>;
+  publicKey: zod_v40.ZodOptional<zod_v40.ZodUnion<readonly [zod_v40.ZodString, zod_v40.ZodCustom<Buffer<ArrayBufferLike>, Buffer<ArrayBufferLike>>]>>;
+  privateKey: zod_v40.ZodOptional<zod_v40.ZodUnion<readonly [zod_v40.ZodString, zod_v40.ZodCustom<Buffer<ArrayBufferLike>, Buffer<ArrayBufferLike>>, zod_v40.ZodObject<{
+    type: zod_v40.ZodString;
+  }, zod_v4_core0.$loose>, zod_v40.ZodObject<{
+    key: zod_v40.ZodUnion<readonly [zod_v40.ZodString, zod_v40.ZodCustom<Buffer<ArrayBufferLike>, Buffer<ArrayBufferLike>>]>;
+    passphrase: zod_v40.ZodString;
+  }, zod_v4_core0.$strip>]>>;
+  verifyOptions: zod_v40.ZodOptional<zod_v40.ZodObject<{
+    algorithms: zod_v40.ZodOptional<zod_v40.ZodArray<zod_v40.ZodEnum<{
+      HS256: "HS256";
+      HS384: "HS384";
+      HS512: "HS512";
+      RS256: "RS256";
+      RS384: "RS384";
+      RS512: "RS512";
+      ES256: "ES256";
+      ES384: "ES384";
+      ES512: "ES512";
+      PS256: "PS256";
+      PS384: "PS384";
+      PS512: "PS512";
+      none: "none";
+    }>>>;
+    audience: zod_v40.ZodOptional<zod_v40.ZodUnion<readonly [zod_v40.ZodString, zod_v40.ZodCustom<RegExp, RegExp>, zod_v40.ZodArray<zod_v40.ZodUnion<readonly [zod_v40.ZodString, zod_v40.ZodCustom<RegExp, RegExp>]>>]>>;
+    clockTimestamp: zod_v40.ZodOptional<zod_v40.ZodNumber>;
+    clockTolerance: zod_v40.ZodOptional<zod_v40.ZodNumber>;
+    complete: zod_v40.ZodOptional<zod_v40.ZodBoolean>;
+    issuer: zod_v40.ZodOptional<zod_v40.ZodUnion<readonly [zod_v40.ZodString, zod_v40.ZodArray<zod_v40.ZodString>]>>;
+    ignoreExpiration: zod_v40.ZodOptional<zod_v40.ZodBoolean>;
+    ignoreNotBefore: zod_v40.ZodOptional<zod_v40.ZodBoolean>;
+    jwtid: zod_v40.ZodOptional<zod_v40.ZodString>;
+    nonce: zod_v40.ZodOptional<zod_v40.ZodString>;
+    subject: zod_v40.ZodOptional<zod_v40.ZodString>;
+    maxAge: zod_v40.ZodOptional<zod_v40.ZodUnion<readonly [zod_v40.ZodString, zod_v40.ZodNumber]>>;
+    allowInvalidAsymmetricKeyTypes: zod_v40.ZodOptional<zod_v40.ZodBoolean>;
+  }, zod_v4_core0.$strip>>;
+  secretOrKeyProvider: zod_v40.ZodOptional<zod_v40.ZodFunction<zod_v40.ZodTuple<readonly [zod_v40.ZodEnum<typeof RequestType>, zod_v40.ZodAny, zod_v40.ZodOptional<zod_v40.ZodUnion<readonly [zod_v40.ZodObject<{
+    algorithm: zod_v40.ZodOptional<zod_v40.ZodEnum<{
+      HS256: "HS256";
+      HS384: "HS384";
+      HS512: "HS512";
+      RS256: "RS256";
+      RS384: "RS384";
+      RS512: "RS512";
+      ES256: "ES256";
+      ES384: "ES384";
+      ES512: "ES512";
+      PS256: "PS256";
+      PS384: "PS384";
+      PS512: "PS512";
+      none: "none";
+    }>>;
+    keyid: zod_v40.ZodOptional<zod_v40.ZodString>;
+    expiresIn: zod_v40.ZodOptional<zod_v40.ZodUnion<readonly [zod_v40.ZodString, zod_v40.ZodNumber]>>;
+    notBefore: zod_v40.ZodOptional<zod_v40.ZodUnion<readonly [zod_v40.ZodString, zod_v40.ZodNumber]>>;
+    audience: zod_v40.ZodOptional<zod_v40.ZodUnion<readonly [zod_v40.ZodString, zod_v40.ZodCustom<RegExp, RegExp>, zod_v40.ZodArray<zod_v40.ZodUnion<readonly [zod_v40.ZodString, zod_v40.ZodCustom<RegExp, RegExp>]>>]>>;
+    subject: zod_v40.ZodOptional<zod_v40.ZodString>;
+    issuer: zod_v40.ZodOptional<zod_v40.ZodString>;
+    jwtid: zod_v40.ZodOptional<zod_v40.ZodString>;
+    mutatePayload: zod_v40.ZodOptional<zod_v40.ZodBoolean>;
+    noTimestamp: zod_v40.ZodOptional<zod_v40.ZodBoolean>;
+    header: zod_v40.ZodOptional<zod_v40.ZodObject<{
+      alg: zod_v40.ZodUnion<[zod_v40.ZodEnum<{
+        HS256: "HS256";
+        HS384: "HS384";
+        HS512: "HS512";
+        RS256: "RS256";
+        RS384: "RS384";
+        RS512: "RS512";
+        ES256: "ES256";
+        ES384: "ES384";
+        ES512: "ES512";
+        PS256: "PS256";
+        PS384: "PS384";
+        PS512: "PS512";
+        none: "none";
+      }>, zod_v40.ZodString]>;
+      typ: zod_v40.ZodOptional<zod_v40.ZodString>;
+      cty: zod_v40.ZodOptional<zod_v40.ZodString>;
+      crit: zod_v40.ZodOptional<zod_v40.ZodArray<zod_v40.ZodString>>;
+      kid: zod_v40.ZodOptional<zod_v40.ZodString>;
+      jku: zod_v40.ZodOptional<zod_v40.ZodString>;
+      x5u: zod_v40.ZodOptional<zod_v40.ZodUnion<readonly [zod_v40.ZodString, zod_v40.ZodArray<zod_v40.ZodString>]>>;
+      'x5t#S256': zod_v40.ZodOptional<zod_v40.ZodString>;
+      x5t: zod_v40.ZodOptional<zod_v40.ZodString>;
+      x5c: zod_v40.ZodOptional<zod_v40.ZodUnion<readonly [zod_v40.ZodString, zod_v40.ZodArray<zod_v40.ZodString>]>>;
+    }, zod_v4_core0.$strip>>;
+    encoding: zod_v40.ZodOptional<zod_v40.ZodString>;
+    allowInsecureKeySizes: zod_v40.ZodOptional<zod_v40.ZodBoolean>;
+    allowInvalidAsymmetricKeyTypes: zod_v40.ZodOptional<zod_v40.ZodBoolean>;
+  }, zod_v4_core0.$strip>, zod_v40.ZodObject<{
+    algorithms: zod_v40.ZodOptional<zod_v40.ZodArray<zod_v40.ZodEnum<{
+      HS256: "HS256";
+      HS384: "HS384";
+      HS512: "HS512";
+      RS256: "RS256";
+      RS384: "RS384";
+      RS512: "RS512";
+      ES256: "ES256";
+      ES384: "ES384";
+      ES512: "ES512";
+      PS256: "PS256";
+      PS384: "PS384";
+      PS512: "PS512";
+      none: "none";
+    }>>>;
+    audience: zod_v40.ZodOptional<zod_v40.ZodUnion<readonly [zod_v40.ZodString, zod_v40.ZodCustom<RegExp, RegExp>, zod_v40.ZodArray<zod_v40.ZodUnion<readonly [zod_v40.ZodString, zod_v40.ZodCustom<RegExp, RegExp>]>>]>>;
+    clockTimestamp: zod_v40.ZodOptional<zod_v40.ZodNumber>;
+    clockTolerance: zod_v40.ZodOptional<zod_v40.ZodNumber>;
+    complete: zod_v40.ZodOptional<zod_v40.ZodBoolean>;
+    issuer: zod_v40.ZodOptional<zod_v40.ZodUnion<readonly [zod_v40.ZodString, zod_v40.ZodArray<zod_v40.ZodString>]>>;
+    ignoreExpiration: zod_v40.ZodOptional<zod_v40.ZodBoolean>;
+    ignoreNotBefore: zod_v40.ZodOptional<zod_v40.ZodBoolean>;
+    jwtid: zod_v40.ZodOptional<zod_v40.ZodString>;
+    nonce: zod_v40.ZodOptional<zod_v40.ZodString>;
+    subject: zod_v40.ZodOptional<zod_v40.ZodString>;
+    maxAge: zod_v40.ZodOptional<zod_v40.ZodUnion<readonly [zod_v40.ZodString, zod_v40.ZodNumber]>>;
+    allowInvalidAsymmetricKeyTypes: zod_v40.ZodOptional<zod_v40.ZodBoolean>;
+  }, zod_v4_core0.$strip>]>>], null>, zod_v40.ZodUnion<readonly [zod_v40.ZodUnion<readonly [zod_v40.ZodString, zod_v40.ZodCustom<Buffer<ArrayBufferLike>, Buffer<ArrayBufferLike>>, zod_v40.ZodObject<{
+    type: zod_v40.ZodString;
+  }, zod_v4_core0.$loose>, zod_v40.ZodObject<{
+    key: zod_v40.ZodUnion<readonly [zod_v40.ZodString, zod_v40.ZodCustom<Buffer<ArrayBufferLike>, Buffer<ArrayBufferLike>>]>;
+    passphrase: zod_v40.ZodString;
+  }, zod_v4_core0.$strip>]>, zod_v40.ZodPromise<zod_v40.ZodUnion<readonly [zod_v40.ZodString, zod_v40.ZodCustom<Buffer<ArrayBufferLike>, Buffer<ArrayBufferLike>>, zod_v40.ZodObject<{
+    type: zod_v40.ZodString;
+  }, zod_v4_core0.$loose>, zod_v40.ZodObject<{
+    key: zod_v40.ZodUnion<readonly [zod_v40.ZodString, zod_v40.ZodCustom<Buffer<ArrayBufferLike>, Buffer<ArrayBufferLike>>]>;
+    passphrase: zod_v40.ZodString;
+  }, zod_v4_core0.$strip>]>>]>>>;
+}, zod_v4_core0.$strip>, true>;
+/**
+ * Service for signing, verifying, and decoding JSON Web Tokens (JWTs).
+ *
+ * This service provides a type-safe wrapper around the `jsonwebtoken` library with
+ * seamless integration into Navios's dependency injection system. It supports both
+ * symmetric (HS256, HS384, HS512) and asymmetric (RS256, ES256, etc.) algorithms.
+ *
+ * @example
+ * ```ts
+ * import { provideJwtService } from '@navios/jwt'
+ * import { inject } from '@navios/core'
+ *
+ * const JwtService = provideJwtService({
+ *   secret: 'your-secret-key',
+ *   signOptions: { expiresIn: '1h' },
+ * })
+ *
+ * @Injectable()
+ * class AuthService {
+ *   jwtService = inject(JwtService)
+ *
+ *   async login(userId: string) {
+ *     const token = this.jwtService.sign({ userId, role: 'user' })
+ *     return token
+ *   }
+ * }
+ * ```
+ */
+declare class JwtService {
+  private readonly options;
+  logger: _navios_core0.LoggerInstance;
+  /**
+   * Creates a new JwtService instance.
+   *
+   * @param options - Configuration options for the JWT service
+   */
+  constructor(options?: JwtServiceOptions);
+  /**
+   * Signs a JWT payload synchronously.
+   *
+   * When the payload is a string, only `secret` and `privateKey` options are allowed.
+   * For object or Buffer payloads, all sign options are available.
+   *
+   * @param payload - The payload to sign. Can be a string, Buffer, or object.
+   * @param options - Signing options. When payload is a string, only `secret` and `privateKey` are allowed.
+   * @returns The signed JWT token as a string
+   * @throws {Error} If `secretOrKeyProvider` returns a Promise (use `signAsync` instead)
+   * @throws {Error} If payload is a string and invalid options are provided
+   *
+   * @example
+   * ```ts
+   * // Sign with object payload
+   * const token = jwtService.sign(
+   *   { userId: '123', role: 'admin' },
+   *   { expiresIn: '1h' }
+   * )
+   *
+   * // Sign with string payload (limited options)
+   * const token = jwtService.sign('payload-string', { secret: 'key' })
+   * ```
+   */
+  sign(payload: string, options?: Omit<JwtSignOptions, keyof SignOptions>): string;
+  /**
+   * Signs a JWT payload synchronously.
+   *
+   * @param payload - The payload to sign. Can be a Buffer or object.
+   * @param options - Signing options including algorithm, expiration, etc.
+   * @returns The signed JWT token as a string
+   */
+  sign(payload: Buffer | object, options?: JwtSignOptions): string;
+  /**
+   * Signs a JWT payload asynchronously.
+   *
+   * Use this method when `secretOrKeyProvider` returns a Promise or when you need
+   * to handle async key resolution. Supports the same payload types and options as `sign()`.
+   *
+   * @param payload - The payload to sign. Can be a string, Buffer, or object.
+   * @param options - Signing options. When payload is a string, only `secret` and `privateKey` are allowed.
+   * @returns A Promise that resolves to the signed JWT token as a string
+   * @throws {Error} If payload is a string and invalid options are provided
+   *
+   * @example
+   * ```ts
+   * // Sign with async key provider
+   * const token = await jwtService.signAsync(
+   *   { userId: '123' },
+   *   { expiresIn: '1h' }
+   * )
+   * ```
+   */
+  signAsync(payload: string, options?: Omit<JwtSignOptions, keyof jwt.SignOptions>): Promise<string>;
+  /**
+   * Signs a JWT payload asynchronously.
+   *
+   * @param payload - The payload to sign. Can be a Buffer or object.
+   * @param options - Signing options including algorithm, expiration, etc.
+   * @returns A Promise that resolves to the signed JWT token as a string
+   */
+  signAsync(payload: Buffer | object, options?: JwtSignOptions): Promise<string>;
+  /**
+   * Verifies and decodes a JWT token synchronously.
+   *
+   * This method validates the token's signature, expiration, and other claims
+   * according to the provided options. If verification fails, an error is thrown.
+   *
+   * @template T - The expected type of the decoded payload
+   * @param token - The JWT token string to verify
+   * @param options - Verification options including algorithms, audience, issuer, etc.
+   * @returns The decoded payload as type T
+   * @throws {TokenExpiredError} If the token has expired
+   * @throws {NotBeforeError} If the token is not yet valid (nbf claim)
+   * @throws {JsonWebTokenError} If the token is invalid or malformed
+   * @throws {Error} If `secretOrKeyProvider` returns a Promise (use `verifyAsync` instead)
+   *
+   * @example
+   * ```ts
+   * try {
+   *   const payload = jwtService.verify<{ userId: string; role: string }>(token)
+   *   console.log(payload.userId) // '123'
+   * } catch (error) {
+   *   if (error instanceof TokenExpiredError) {
+   *     console.error('Token expired')
+   *   }
+   * }
+   * ```
+   */
+  verify<T extends object = any>(token: string, options?: JwtVerifyOptions): T;
+  /**
+   * Verifies and decodes a JWT token asynchronously.
+   *
+   * Use this method when `secretOrKeyProvider` returns a Promise or when you need
+   * to handle async key resolution. Provides the same validation as `verify()`.
+   *
+   * @template T - The expected type of the decoded payload
+   * @param token - The JWT token string to verify
+   * @param options - Verification options including algorithms, audience, issuer, etc.
+   * @returns A Promise that resolves to the decoded payload as type T
+   * @throws {TokenExpiredError} If the token has expired
+   * @throws {NotBeforeError} If the token is not yet valid (nbf claim)
+   * @throws {JsonWebTokenError} If the token is invalid or malformed
+   *
+   * @example
+   * ```ts
+   * try {
+   *   const payload = await jwtService.verifyAsync<{ userId: string }>(token)
+   *   console.log(payload.userId)
+   * } catch (error) {
+   *   if (error instanceof TokenExpiredError) {
+   *     console.error('Token expired')
+   *   }
+   * }
+   * ```
+   */
+  verifyAsync<T extends object = any>(token: string, options?: JwtVerifyOptions): Promise<T>;
+  /**
+   * Decodes a JWT token without verification.
+   *
+   * This method decodes the token without validating its signature or claims.
+   * Use this only when you need to inspect the token contents without verification.
+   * For secure token validation, use `verify()` or `verifyAsync()` instead.
+   *
+   * @template T - The expected type of the decoded payload
+   * @param token - The JWT token string to decode
+   * @param options - Decode options (complete, json, etc.)
+   * @returns The decoded payload as type T, or null if decoding fails
+   *
+   * @example
+   * ```ts
+   * // Decode without verification (not recommended for production)
+   * const payload = jwtService.decode<{ userId: string }>(token)
+   * if (payload) {
+   *   console.log(payload.userId)
+   * }
+   * ```
+   */
+  decode<T = any>(token: string, options?: jwt.DecodeOptions): T;
+  private mergeJwtOptions;
+  private getSecretKey;
+}
+//#endregion
+//#region src/jwt-service.provider.d.mts
+/**
+ * Creates a JWT service provider for dependency injection.
+ *
+ * This function creates an injection token that can be used to register and resolve
+ * `JwtService` instances in the Navios dependency injection container. It supports
+ * both static configuration and async factory functions for dynamic configuration.
+ *
+ * @param config - Static JWT service configuration options
+ * @returns A bound injection token that can be used with `inject()` or `syncInject()`
+ *
+ * @example
+ * ```ts
+ * // Static configuration
+ * const JwtService = provideJwtService({
+ *   secret: 'your-secret-key',
+ *   signOptions: { expiresIn: '1h' },
+ * })
+ *
+ * @Injectable()
+ * class AuthService {
+ *   jwtService = inject(JwtService)
+ * }
+ * ```
+ */
+declare function provideJwtService(config: JwtServiceOptions): BoundInjectionToken<JwtService, typeof JwtServiceOptionsSchema>;
+/**
+ * Creates a JWT service provider with async configuration factory.
+ *
+ * Use this overload when you need to load configuration asynchronously, such as
+ * fetching secrets from a configuration service or environment variables.
+ *
+ * @param config - Async factory function that returns JWT service configuration
+ * @returns A factory injection token that resolves configuration asynchronously
+ *
+ * @example
+ * ```ts
+ * // Async configuration
+ * const JwtService = provideJwtService(async () => {
+ *   const configService = await inject(ConfigService)
+ *   return {
+ *     secret: configService.jwt.secret,
+ *     signOptions: { expiresIn: configService.jwt.expiresIn },
+ *   }
+ * })
+ *
+ * @Injectable()
+ * class AuthService {
+ *   jwtService = inject(JwtService)
+ * }
+ * ```
+ */
+declare function provideJwtService(config: () => Promise<JwtServiceOptions>): FactoryInjectionToken<JwtService, typeof JwtServiceOptionsSchema>;
+//#endregion
+//#region src/index.d.mts
+/**
+ * Error thrown when a JWT token has expired.
+ *
+ * This error is thrown by `verify()` and `verifyAsync()` when the token's
+ * expiration time (exp claim) has passed.
+ *
+ * @example
+ * ```ts
+ * try {
+ *   jwtService.verify(token)
+ * } catch (error) {
+ *   if (error instanceof TokenExpiredError) {
+ *     console.error('Token expired at:', error.expiredAt)
+ *   }
+ * }
+ * ```
+ */
+declare const TokenExpiredError: typeof jwt.TokenExpiredError;
+/**
+ * Error thrown when a JWT token is not yet valid.
+ *
+ * This error is thrown by `verify()` and `verifyAsync()` when the token's
+ * "not before" time (nbf claim) is in the future.
+ *
+ * @example
+ * ```ts
+ * try {
+ *   jwtService.verify(token)
+ * } catch (error) {
+ *   if (error instanceof NotBeforeError) {
+ *     console.error('Token not valid until:', error.date)
+ *   }
+ * }
+ * ```
+ */
+declare const NotBeforeError: typeof jwt.NotBeforeError;
+/**
+ * Base error class for JWT-related errors.
+ *
+ * This is the base class for all JWT errors including `TokenExpiredError`
+ * and `NotBeforeError`. It's thrown for invalid or malformed tokens.
+ *
+ * @example
+ * ```ts
+ * try {
+ *   jwtService.verify(token)
+ * } catch (error) {
+ *   if (error instanceof JsonWebTokenError) {
+ *     console.error('JWT error:', error.message)
+ *   }
+ * }
+ * ```
+ */
+declare const JsonWebTokenError: typeof jwt.JsonWebTokenError;
+//#endregion
+export { AlgorithmType, GetSecretKeyResult, JsonWebTokenError, JwtHeader, JwtHeaderSchema, JwtService, JwtServiceOptions, JwtServiceOptionsSchema, JwtServiceToken, JwtSignOptions, JwtVerifyOptions, NotBeforeError, RequestType, Secret, SecretSchema, SignOptions, SignOptionsSchema, TokenExpiredError, VerifyOptions, VerifyOptionsSchema, provideJwtService };
+//# sourceMappingURL=index.d.cts.map