@oari/jose 0.0.0

package/dist/types/jwk/embedded.d.ts

@@ -0,0 +1,31 @@
+/**
+ * Verification using a JWK Embedded in a JWS Header
+ *
+ * @module
+ */
+import type * as types from '../types.d.ts';
+/**
+ * EmbeddedJWK is an implementation of a GetKeyFunction intended to be used with the JWS/JWT verify
+ * operations whenever you need to opt-in to verify signatures with a public key embedded in the
+ * token's "jwk" (JSON Web Key) Header Parameter. It is recommended to combine this with the verify
+ * function's `algorithms` option to define accepted JWS "alg" (Algorithm) Header Parameter values.
+ *
+ * This function is exported (as a named export) from the main `'jose'` module entry point as well
+ * as from its subpath export `'jose/jwk/embedded'`.
+ *
+ * @example
+ *
+ * ```js
+ * const jwt =
+ *   'eyJqd2siOnsiY3J2IjoiUC0yNTYiLCJ4IjoiVU05ZzVuS25aWFlvdldBbE03NmNMejl2VG96UmpfX0NIVV9kT2wtZ09vRSIsInkiOiJkczhhZVF3MWwyY0RDQTdiQ2tPTnZ3REtwWEFidFhqdnFDbGVZSDhXc19VIiwia3R5IjoiRUMifSwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJ1cm46ZXhhbXBsZTppc3N1ZXIiLCJhdWQiOiJ1cm46ZXhhbXBsZTphdWRpZW5jZSIsImlhdCI6MTYwNDU4MDc5NH0.60boak3_dErnW47ZPty1C0nrjeVq86EN_eK0GOq6K8w2OA0thKoBxFK4j-NuU9yZ_A9UKGxPT_G87DladBaV9g'
+ *
+ * const { payload, protectedHeader } = await jose.jwtVerify(jwt, jose.EmbeddedJWK, {
+ *   issuer: 'urn:example:issuer',
+ *   audience: 'urn:example:audience',
+ * })
+ *
+ * console.log(protectedHeader)
+ * console.log(payload)
+ * ```
+ */
+export declare function EmbeddedJWK(protectedHeader?: types.JWSHeaderParameters, token?: types.FlattenedJWSInput): Promise<types.CryptoKey>;

package/dist/types/jwk/thumbprint.d.ts

@@ -0,0 +1,60 @@
+/**
+ * JSON Web Key Thumbprint and JSON Web Key Thumbprint URI
+ *
+ * @module
+ */
+import type * as types from '../types.d.ts';
+/**
+ * Calculates a base64url-encoded JSON Web Key (JWK) Thumbprint
+ *
+ * This function is exported (as a named export) from the main `'jose'` module entry point as well
+ * as from its subpath export `'jose/jwk/thumbprint'`.
+ *
+ * @example
+ *
+ * ```js
+ * const thumbprint = await jose.calculateJwkThumbprint({
+ *   kty: 'EC',
+ *   crv: 'P-256',
+ *   x: 'jJ6Flys3zK9jUhnOHf6G49Dyp5hah6CNP84-gY-n9eo',
+ *   y: 'nhI6iD5eFXgBTLt_1p3aip-5VbZeMhxeFSpjfEAf7Ww',
+ * })
+ *
+ * console.log(thumbprint)
+ * // 'w9eYdC6_s_tLQ8lH6PUpc0mddazaqtPgeC2IgWDiqY8'
+ * ```
+ *
+ * @param key Key to calculate the thumbprint for.
+ * @param digestAlgorithm Digest Algorithm to use for calculating the thumbprint. Default is
+ *   "sha256".
+ *
+ * @see {@link https://www.rfc-editor.org/rfc/rfc7638 RFC7638}
+ */
+export declare function calculateJwkThumbprint(key: types.JWK | types.CryptoKey | types.KeyObject, digestAlgorithm?: 'sha256' | 'sha384' | 'sha512'): Promise<string>;
+/**
+ * Calculates a JSON Web Key (JWK) Thumbprint URI
+ *
+ * This function is exported (as a named export) from the main `'jose'` module entry point as well
+ * as from its subpath export `'jose/jwk/thumbprint'`.
+ *
+ * @example
+ *
+ * ```js
+ * const thumbprintUri = await jose.calculateJwkThumbprintUri({
+ *   kty: 'EC',
+ *   crv: 'P-256',
+ *   x: 'jJ6Flys3zK9jUhnOHf6G49Dyp5hah6CNP84-gY-n9eo',
+ *   y: 'nhI6iD5eFXgBTLt_1p3aip-5VbZeMhxeFSpjfEAf7Ww',
+ * })
+ *
+ * console.log(thumbprintUri)
+ * // 'urn:ietf:params:oauth:jwk-thumbprint:sha-256:w9eYdC6_s_tLQ8lH6PUpc0mddazaqtPgeC2IgWDiqY8'
+ * ```
+ *
+ * @param key Key to calculate the thumbprint for.
+ * @param digestAlgorithm Digest Algorithm to use for calculating the thumbprint. Default is
+ *   "sha256".
+ *
+ * @see {@link https://www.rfc-editor.org/rfc/rfc9278 RFC9278}
+ */
+export declare function calculateJwkThumbprintUri(key: types.CryptoKey | types.KeyObject | types.JWK, digestAlgorithm?: 'sha256' | 'sha384' | 'sha512'): Promise<string>;

package/dist/types/jwks/local.d.ts

@@ -0,0 +1,90 @@
+/**
+ * Verification using a JSON Web Key Set (JWKS) available locally
+ *
+ * @module
+ */
+import type * as types from '../types.d.ts';
+/**
+ * Returns a function that resolves a JWS JOSE Header to a public key object from a locally stored,
+ * or otherwise available, JSON Web Key Set.
+ *
+ * It uses the "alg" (JWS Algorithm) Header Parameter to determine the right JWK "kty" (Key Type),
+ * then proceeds to match the JWK "kid" (Key ID) with one found in the JWS Header Parameters (if
+ * there is one) while also respecting the JWK "use" (Public Key Use) and JWK "key_ops" (Key
+ * Operations) Parameters (if they are present on the JWK).
+ *
+ * Only a single public key must match the selection process. As shown in the example below when
+ * multiple keys get matched it is possible to opt-in to iterate over the matched keys and attempt
+ * verification in an iterative manner.
+ *
+ * > [!NOTE]\
+ * > The function's purpose is to resolve public keys used for verifying signatures and will not work
+ * > for public encryption keys.
+ *
+ * This function is exported (as a named export) from the main `'jose'` module entry point as well
+ * as from its subpath export `'jose/jwks/local'`.
+ *
+ * @example
+ *
+ * ```js
+ * const JWKS = jose.createLocalJWKSet({
+ *   keys: [
+ *     {
+ *       kty: 'RSA',
+ *       e: 'AQAB',
+ *       n: '12oBZRhCiZFJLcPg59LkZZ9mdhSMTKAQZYq32k_ti5SBB6jerkh-WzOMAO664r_qyLkqHUSp3u5SbXtseZEpN3XPWGKSxjsy-1JyEFTdLSYe6f9gfrmxkUF_7DTpq0gn6rntP05g2-wFW50YO7mosfdslfrTJYWHFhJALabAeYirYD7-9kqq9ebfFMF4sRRELbv9oi36As6Q9B3Qb5_C1rAzqfao_PCsf9EPsTZsVVVkA5qoIAr47lo1ipfiBPxUCCNSdvkmDTYgvvRm6ZoMjFbvOtgyts55fXKdMWv7I9HMD5HwE9uW839PWA514qhbcIsXEYSFMPMV6fnlsiZvQQ',
+ *       alg: 'PS256',
+ *     },
+ *     {
+ *       crv: 'P-256',
+ *       kty: 'EC',
+ *       x: 'ySK38C1jBdLwDsNWKzzBHqKYEE5Cgv-qjWvorUXk9fw',
+ *       y: '_LeQBw07cf5t57Iavn4j-BqJsAD1dpoz8gokd3sBsOo',
+ *       alg: 'ES256',
+ *     },
+ *   ],
+ * })
+ *
+ * const { payload, protectedHeader } = await jose.jwtVerify(jwt, JWKS, {
+ *   issuer: 'urn:example:issuer',
+ *   audience: 'urn:example:audience',
+ * })
+ * console.log(protectedHeader)
+ * console.log(payload)
+ * ```
+ *
+ * @example
+ *
+ * Opting-in to multiple JWKS matches using `createLocalJWKSet`
+ *
+ * ```js
+ * const options = {
+ *   issuer: 'urn:example:issuer',
+ *   audience: 'urn:example:audience',
+ * }
+ * const { payload, protectedHeader } = await jose
+ *   .jwtVerify(jwt, JWKS, options)
+ *   .catch(async (error) => {
+ *     if (error?.code === 'ERR_JWKS_MULTIPLE_MATCHING_KEYS') {
+ *       for await (const publicKey of error) {
+ *         try {
+ *           return await jose.jwtVerify(jwt, publicKey, options)
+ *         } catch (innerError) {
+ *           if (innerError?.code === 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED') {
+ *             continue
+ *           }
+ *           throw innerError
+ *         }
+ *       }
+ *       throw new jose.errors.JWSSignatureVerificationFailed()
+ *     }
+ *
+ *     throw error
+ *   })
+ * console.log(protectedHeader)
+ * console.log(payload)
+ * ```
+ *
+ * @param jwks JSON Web Key Set formatted object.
+ */
+export declare function createLocalJWKSet(jwks: types.JSONWebKeySet): (protectedHeader?: types.JWSHeaderParameters, token?: types.FlattenedJWSInput) => Promise<types.CryptoKey>;

package/dist/types/jwks/remote.d.ts

@@ -0,0 +1,306 @@
+/**
+ * Verification using a JSON Web Key Set (JWKS) available on an HTTP(S) URL
+ *
+ * @module
+ */
+import type * as types from '../types.d.ts';
+/**
+ * When passed to {@link jwks/remote.createRemoteJWKSet createRemoteJWKSet} this allows the resolver
+ * to make use of advanced fetch configurations, HTTP Proxies, retry on network errors, etc.
+ *
+ * > [!NOTE]\
+ * > Known caveat: Expect Type-related issues when passing the inputs through to fetch-like modules,
+ * > they hardly ever get their typings inline with actual fetch, you should `@ts-expect-error` them.
+ *
+ * @example
+ *
+ * Using [sindresorhus/ky](https://github.com/sindresorhus/ky) for retries and its hooks feature for
+ * logging outgoing requests and their responses.
+ *
+ * ```ts
+ * import ky from 'ky'
+ *
+ * let logRequest!: (request: Request) => void
+ * let logResponse!: (request: Request, response: Response) => void
+ * let logRetry!: (request: Request, error: Error, retryCount: number) => void
+ *
+ * const JWKS = jose.createRemoteJWKSet(url, {
+ *   [jose.customFetch]: (...args) =>
+ *     ky(args[0], {
+ *       ...args[1],
+ *       hooks: {
+ *         beforeRequest: [
+ *           (request) => {
+ *             logRequest(request)
+ *           },
+ *         ],
+ *         beforeRetry: [
+ *           ({ request, error, retryCount }) => {
+ *             logRetry(request, error, retryCount)
+ *           },
+ *         ],
+ *         afterResponse: [
+ *           (request, _, response) => {
+ *             logResponse(request, response)
+ *           },
+ *         ],
+ *       },
+ *     }),
+ * })
+ * ```
+ *
+ * @example
+ *
+ * Using [nodejs/undici](https://github.com/nodejs/undici) to detect and use HTTP proxies.
+ *
+ * ```ts
+ * import * as undici from 'undici'
+ *
+ * // see https://undici.nodejs.org/#/docs/api/EnvHttpProxyAgent
+ * let envHttpProxyAgent = new undici.EnvHttpProxyAgent()
+ *
+ * // @ts-ignore
+ * const JWKS = jose.createRemoteJWKSet(url, {
+ *   [jose.customFetch]: (...args) => {
+ *     // @ts-ignore
+ *     return undici.fetch(args[0], { ...args[1], dispatcher: envHttpProxyAgent }) // prettier-ignore
+ *   },
+ * })
+ * ```
+ *
+ * @example
+ *
+ * Using [nodejs/undici](https://github.com/nodejs/undici) to automatically retry network errors.
+ *
+ * ```ts
+ * import * as undici from 'undici'
+ *
+ * // see https://undici.nodejs.org/#/docs/api/RetryAgent
+ * let retryAgent = new undici.RetryAgent(new undici.Agent(), {
+ *   statusCodes: [],
+ *   errorCodes: [
+ *     'ECONNRESET',
+ *     'ECONNREFUSED',
+ *     'ENOTFOUND',
+ *     'ENETDOWN',
+ *     'ENETUNREACH',
+ *     'EHOSTDOWN',
+ *     'UND_ERR_SOCKET',
+ *   ],
+ * })
+ *
+ * // @ts-ignore
+ * const JWKS = jose.createRemoteJWKSet(url, {
+ *   [jose.customFetch]: (...args) => {
+ *     // @ts-ignore
+ *     return undici.fetch(args[0], { ...args[1], dispatcher: retryAgent }) // prettier-ignore
+ *   },
+ * })
+ * ```
+ *
+ * @example
+ *
+ * Using [nodejs/undici](https://github.com/nodejs/undici) to mock responses in tests.
+ *
+ * ```ts
+ * import * as undici from 'undici'
+ *
+ * // see https://undici.nodejs.org/#/docs/api/MockAgent
+ * let mockAgent = new undici.MockAgent()
+ * mockAgent.disableNetConnect()
+ *
+ * // @ts-ignore
+ * const JWKS = jose.createRemoteJWKSet(url, {
+ *   [jose.customFetch]: (...args) => {
+ *     // @ts-ignore
+ *     return undici.fetch(args[0], { ...args[1], dispatcher: mockAgent }) // prettier-ignore
+ *   },
+ * })
+ * ```
+ */
+export declare const customFetch: unique symbol;
+/** See {@link customFetch}. */
+export type FetchImplementation = (
+/** URL the request is being made sent to {@link !fetch} as the `resource` argument */
+url: string, 
+/** Options otherwise sent to {@link !fetch} as the `options` argument */
+options: {
+    /** HTTP Headers */
+    headers: Headers;
+    /** The {@link https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods request method} */
+    method: 'GET';
+    /** See {@link !Request.redirect} */
+    redirect: 'manual';
+    signal: AbortSignal;
+}) => Promise<Response>;
+/**
+ * > [!WARNING]\
+ * > This option has security implications that must be understood, assessed for applicability, and
+ * > accepted before use. It is critical that the JSON Web Key Set cache only be writable by your own
+ * > code.
+ *
+ * This option is intended for cloud computing runtimes that cannot keep an in memory cache between
+ * their code's invocations. Use in runtimes where an in memory cache between requests is available
+ * is not desirable.
+ *
+ * When passed to {@link jwks/remote.createRemoteJWKSet createRemoteJWKSet} this allows the passed in
+ * object to:
+ *
+ * - Serve as an initial value for the JSON Web Key Set that the module would otherwise need to
+ *   trigger an HTTP request for
+ * - Have the JSON Web Key Set the function optionally ended up triggering an HTTP request for
+ *   assigned to it as properties
+ *
+ * The intended use pattern is:
+ *
+ * - Before verifying with {@link jwks/remote.createRemoteJWKSet createRemoteJWKSet} you pull the
+ *   previously cached object from a low-latency key-value store offered by the cloud computing
+ *   runtime it is executed on;
+ * - Default to an empty object `{}` instead when there's no previously cached value;
+ * - Pass it in as {@link RemoteJWKSetOptions[jwksCache]};
+ * - Afterwards, update the key-value storage if the {@link ExportedJWKSCache.uat `uat`} property of
+ *   the object has changed.
+ *
+ * @example
+ *
+ * ```ts
+ * // Prerequisites
+ * let url!: URL
+ * let jwt!: string
+ * let getPreviouslyCachedJWKS!: () => Promise<jose.ExportedJWKSCache>
+ * let storeNewJWKScache!: (cache: jose.ExportedJWKSCache) => Promise<void>
+ *
+ * // Load JSON Web Key Set cache
+ * const jwksCache: jose.JWKSCacheInput = (await getPreviouslyCachedJWKS()) || {}
+ * const { uat } = jwksCache
+ *
+ * const JWKS = jose.createRemoteJWKSet(url, {
+ *   [jose.jwksCache]: jwksCache,
+ * })
+ *
+ * // Use JSON Web Key Set cache
+ * await jose.jwtVerify(jwt, JWKS)
+ *
+ * if (uat !== jwksCache.uat) {
+ *   // Update JSON Web Key Set cache
+ *   await storeNewJWKScache(jwksCache)
+ * }
+ * ```
+ */
+export declare const jwksCache: unique symbol;
+/** Options for the remote JSON Web Key Set. */
+export interface RemoteJWKSetOptions {
+    /**
+     * Timeout (in milliseconds) for the HTTP request. When reached the request will be aborted and
+     * the verification will fail. Default is 5000 (5 seconds).
+     */
+    timeoutDuration?: number;
+    /**
+     * Duration (in milliseconds) for which no more HTTP requests will be triggered after a previous
+     * successful fetch. Default is 30000 (30 seconds).
+     */
+    cooldownDuration?: number;
+    /**
+     * Maximum time (in milliseconds) between successful HTTP requests. Default is 600000 (10
+     * minutes).
+     */
+    cacheMaxAge?: number | typeof Infinity;
+    /** Headers to be sent with the HTTP request. */
+    headers?: Record<string, string>;
+    /** See {@link jwksCache}. */
+    [jwksCache]?: JWKSCacheInput;
+    /** See {@link customFetch}. */
+    [customFetch]?: FetchImplementation;
+}
+/** See {@link jwksCache}. */
+export interface ExportedJWKSCache {
+    /** Current cached JSON Web Key Set */
+    jwks: types.JSONWebKeySet;
+    /** Last updated at timestamp (seconds since epoch) */
+    uat: number;
+}
+/** See {@link jwksCache}. */
+export type JWKSCacheInput = ExportedJWKSCache | Record<string, never>;
+/**
+ * Returns a function that resolves a JWS JOSE Header to a public key object downloaded from a
+ * remote endpoint returning a JSON Web Key Set, that is, for example, an OAuth 2.0 or OIDC
+ * jwks_uri. The JSON Web Key Set is fetched when no key matches the selection process but only as
+ * frequently as the `cooldownDuration` option allows to prevent abuse.
+ *
+ * It uses the "alg" (JWS Algorithm) Header Parameter to determine the right JWK "kty" (Key Type),
+ * then proceeds to match the JWK "kid" (Key ID) with one found in the JWS Header Parameters (if
+ * there is one) while also respecting the JWK "use" (Public Key Use) and JWK "key_ops" (Key
+ * Operations) Parameters (if they are present on the JWK).
+ *
+ * Only a single public key must match the selection process. As shown in the example below when
+ * multiple keys get matched it is possible to opt-in to iterate over the matched keys and attempt
+ * verification in an iterative manner.
+ *
+ * > [!NOTE]\
+ * > The function's purpose is to resolve public keys used for verifying signatures and will not work
+ * > for public encryption keys.
+ *
+ * This function is exported (as a named export) from the main `'jose'` module entry point as well
+ * as from its subpath export `'jose/jwks/remote'`.
+ *
+ * @example
+ *
+ * ```js
+ * const JWKS = jose.createRemoteJWKSet(new URL('https://www.googleapis.com/oauth2/v3/certs'))
+ *
+ * const { payload, protectedHeader } = await jose.jwtVerify(jwt, JWKS, {
+ *   issuer: 'urn:example:issuer',
+ *   audience: 'urn:example:audience',
+ * })
+ * console.log(protectedHeader)
+ * console.log(payload)
+ * ```
+ *
+ * @example
+ *
+ * Opting-in to multiple JWKS matches using `createRemoteJWKSet`
+ *
+ * ```js
+ * const options = {
+ *   issuer: 'urn:example:issuer',
+ *   audience: 'urn:example:audience',
+ * }
+ * const { payload, protectedHeader } = await jose
+ *   .jwtVerify(jwt, JWKS, options)
+ *   .catch(async (error) => {
+ *     if (error?.code === 'ERR_JWKS_MULTIPLE_MATCHING_KEYS') {
+ *       for await (const publicKey of error) {
+ *         try {
+ *           return await jose.jwtVerify(jwt, publicKey, options)
+ *         } catch (innerError) {
+ *           if (innerError?.code === 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED') {
+ *             continue
+ *           }
+ *           throw innerError
+ *         }
+ *       }
+ *       throw new jose.errors.JWSSignatureVerificationFailed()
+ *     }
+ *
+ *     throw error
+ *   })
+ * console.log(protectedHeader)
+ * console.log(payload)
+ * ```
+ *
+ * @param url URL to fetch the JSON Web Key Set from.
+ * @param options Options for the remote JSON Web Key Set.
+ */
+export declare function createRemoteJWKSet(url: URL, options?: RemoteJWKSetOptions): {
+    (protectedHeader?: types.JWSHeaderParameters, token?: types.FlattenedJWSInput): Promise<types.CryptoKey>;
+    /** @ignore */
+    coolingDown: boolean;
+    /** @ignore */
+    fresh: boolean;
+    /** @ignore */
+    reloading: boolean;
+    /** @ignore */
+    reload: () => Promise<void>;
+    /** @ignore */
+    jwks: () => types.JSONWebKeySet | undefined;
+};

package/dist/types/jws/compact/sign.d.ts

@@ -0,0 +1,47 @@
+/**
+ * Signing JSON Web Signature (JWS) in Compact Serialization
+ *
+ * @module
+ */
+import type * as types from '../../types.d.ts';
+/**
+ * The CompactSign class is used to build and sign Compact JWS strings.
+ *
+ * This class is exported (as a named export) from the main `'jose'` module entry point as well as
+ * from its subpath export `'jose/jws/compact/sign'`.
+ *
+ * @example
+ *
+ * ```js
+ * const jws = await new jose.CompactSign(
+ *   new TextEncoder().encode('It’s a dangerous business, Frodo, going out your door.'),
+ * )
+ *   .setProtectedHeader({ alg: 'ES256' })
+ *   .sign(privateKey)
+ *
+ * console.log(jws)
+ * ```
+ */
+export declare class CompactSign {
+    #private;
+    /**
+     * {@link CompactSign} constructor
+     *
+     * @param payload Binary representation of the payload to sign.
+     */
+    constructor(payload: Uint8Array);
+    /**
+     * Sets the JWS Protected Header on the CompactSign object.
+     *
+     * @param protectedHeader JWS Protected Header.
+     */
+    setProtectedHeader(protectedHeader: types.CompactJWSHeaderParameters): this;
+    /**
+     * Signs and resolves the value of the Compact JWS string.
+     *
+     * @param key Private Key or Secret to sign the JWS with. See
+     *   {@link https://github.com/panva/jose/issues/210#jws-alg Algorithm Key Requirements}.
+     * @param options JWS Sign options.
+     */
+    sign(key: types.CryptoKey | types.KeyObject | types.JWK | Uint8Array, options?: types.SignOptions): Promise<string>;
+}

package/dist/types/jws/compact/verify.d.ts

@@ -0,0 +1,45 @@
+/**
+ * Verifying JSON Web Signature (JWS) in Compact Serialization
+ *
+ * @module
+ */
+import type * as types from '../../types.d.ts';
+/**
+ * Interface for Compact JWS Verification dynamic key resolution. No token components have been
+ * verified at the time of this function call.
+ *
+ * @see {@link jwks/remote.createRemoteJWKSet createRemoteJWKSet} to verify using a remote JSON Web Key Set.
+ */
+export interface CompactVerifyGetKey extends types.GenericGetKeyFunction<types.CompactJWSHeaderParameters, types.FlattenedJWSInput, types.CryptoKey | types.KeyObject | types.JWK | Uint8Array> {
+}
+/**
+ * Verifies the signature and format of and afterwards decodes the Compact JWS.
+ *
+ * This function is exported (as a named export) from the main `'jose'` module entry point as well
+ * as from its subpath export `'jose/jws/compact/verify'`.
+ *
+ * @example
+ *
+ * ```js
+ * const jws =
+ *   'eyJhbGciOiJFUzI1NiJ9.SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2luZXNzLCBGcm9kbywgZ29pbmcgb3V0IHlvdXIgZG9vci4.kkAs_gPPxWMI3rHuVlxHaTPfDWDoqdI8jSvuSmqV-8IHIWXg9mcAeC9ggV-45ZHRbiRJ3obUIFo1rHphPA5URg'
+ *
+ * const { payload, protectedHeader } = await jose.compactVerify(jws, publicKey)
+ *
+ * console.log(protectedHeader)
+ * console.log(new TextDecoder().decode(payload))
+ * ```
+ *
+ * @param jws Compact JWS.
+ * @param key Key to verify the JWS with. See
+ *   {@link https://github.com/panva/jose/issues/210#jws-alg Algorithm Key Requirements}.
+ * @param options JWS Verify options.
+ */
+export declare function compactVerify(jws: string | Uint8Array, key: types.CryptoKey | types.KeyObject | types.JWK | Uint8Array, options?: types.VerifyOptions): Promise<types.CompactVerifyResult>;
+/**
+ * @param jws Compact JWS.
+ * @param getKey Function resolving a key to verify the JWS with. See
+ *   {@link https://github.com/panva/jose/issues/210#jws-alg Algorithm Key Requirements}.
+ * @param options JWS Verify options.
+ */
+export declare function compactVerify(jws: string | Uint8Array, getKey: CompactVerifyGetKey, options?: types.VerifyOptions): Promise<types.CompactVerifyResult & types.ResolvedKey>;

package/dist/types/jws/flattened/sign.d.ts

@@ -0,0 +1,53 @@
+/**
+ * Signing JSON Web Signature (JWS) in Flattened JSON Serialization
+ *
+ * @module
+ */
+import type * as types from '../../types.d.ts';
+/**
+ * The FlattenedSign class is used to build and sign Flattened JWS objects.
+ *
+ * This class is exported (as a named export) from the main `'jose'` module entry point as well as
+ * from its subpath export `'jose/jws/flattened/sign'`.
+ *
+ * @example
+ *
+ * ```js
+ * const jws = await new jose.FlattenedSign(
+ *   new TextEncoder().encode('It’s a dangerous business, Frodo, going out your door.'),
+ * )
+ *   .setProtectedHeader({ alg: 'ES256' })
+ *   .sign(privateKey)
+ *
+ * console.log(jws)
+ * ```
+ */
+export declare class FlattenedSign {
+    #private;
+    /**
+     * {@link FlattenedSign} constructor
+     *
+     * @param payload Binary representation of the payload to sign.
+     */
+    constructor(payload: Uint8Array);
+    /**
+     * Sets the JWS Protected Header on the FlattenedSign object.
+     *
+     * @param protectedHeader JWS Protected Header.
+     */
+    setProtectedHeader(protectedHeader: types.JWSHeaderParameters): this;
+    /**
+     * Sets the JWS Unprotected Header on the FlattenedSign object.
+     *
+     * @param unprotectedHeader JWS Unprotected Header.
+     */
+    setUnprotectedHeader(unprotectedHeader: types.JWSHeaderParameters): this;
+    /**
+     * Signs and resolves the value of the Flattened JWS object.
+     *
+     * @param key Private Key or Secret to sign the JWS with. See
+     *   {@link https://github.com/panva/jose/issues/210#jws-alg Algorithm Key Requirements}.
+     * @param options JWS Sign options.
+     */
+    sign(key: types.CryptoKey | types.KeyObject | types.JWK | Uint8Array, options?: types.SignOptions): Promise<types.FlattenedJWS>;
+}

package/dist/types/jws/flattened/verify.d.ts

@@ -0,0 +1,50 @@
+/**
+ * Verifying JSON Web Signature (JWS) in Flattened JSON Serialization
+ *
+ * @module
+ */
+import type * as types from '../../types.d.ts';
+/**
+ * Interface for Flattened JWS Verification dynamic key resolution. No token components have been
+ * verified at the time of this function call.
+ *
+ * @see {@link jwks/remote.createRemoteJWKSet createRemoteJWKSet} to verify using a remote JSON Web Key Set.
+ */
+export interface FlattenedVerifyGetKey extends types.GenericGetKeyFunction<types.JWSHeaderParameters | undefined, types.FlattenedJWSInput, types.CryptoKey | types.KeyObject | types.JWK | Uint8Array> {
+}
+/**
+ * Verifies the signature and format of and afterwards decodes the Flattened JWS.
+ *
+ * This function is exported (as a named export) from the main `'jose'` module entry point as well
+ * as from its subpath export `'jose/jws/flattened/verify'`.
+ *
+ * @example
+ *
+ * ```js
+ * const decoder = new TextDecoder()
+ * const jws = {
+ *   signature:
+ *     'FVVOXwj6kD3DqdfD9yYqfT2W9jv-Nop4kOehp_DeDGNB5dQNSPRvntBY6xH3uxlCxE8na9d_kyhYOcanpDJ0EA',
+ *   payload: 'SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2luZXNzLCBGcm9kbywgZ29pbmcgb3V0IHlvdXIgZG9vci4',
+ *   protected: 'eyJhbGciOiJFUzI1NiJ9',
+ * }
+ *
+ * const { payload, protectedHeader } = await jose.flattenedVerify(jws, publicKey)
+ *
+ * console.log(protectedHeader)
+ * console.log(decoder.decode(payload))
+ * ```
+ *
+ * @param jws Flattened JWS.
+ * @param key Key to verify the JWS with. See
+ *   {@link https://github.com/panva/jose/issues/210#jws-alg Algorithm Key Requirements}.
+ * @param options JWS Verify options.
+ */
+export declare function flattenedVerify(jws: types.FlattenedJWSInput, key: types.CryptoKey | types.KeyObject | types.JWK | Uint8Array, options?: types.VerifyOptions): Promise<types.FlattenedVerifyResult>;
+/**
+ * @param jws Flattened JWS.
+ * @param getKey Function resolving a key to verify the JWS with. See
+ *   {@link https://github.com/panva/jose/issues/210#jws-alg Algorithm Key Requirements}.
+ * @param options JWS Verify options.
+ */
+export declare function flattenedVerify(jws: types.FlattenedJWSInput, getKey: FlattenedVerifyGetKey, options?: types.VerifyOptions): Promise<types.FlattenedVerifyResult & types.ResolvedKey>;