@omnixhq/ucp-client 2.0.0 → 2.1.0

package/README.md

@@ -167,8 +167,41 @@ if (client.checkout) {
 
 console.log(Object.keys(client.paymentHandlers));
 // e.g., ['com.google.pay', 'dev.shopify.shop_pay']
+
+client.signingKeys; // JWK[] — EC P-256 keys for webhook verification
+```
+
+## Webhook signature verification
+
+UCP businesses sign webhook POST requests with a detached JWS in the `Request-Signature` header (RFC 7797). The JWT header MUST include a `kid` claim identifying the signing key.
+
+Use `createWebhookVerifier` to get a stateful verifier that fetches and caches signing keys from the business's discovery profile. It automatically re-fetches on a `kid` cache miss to support zero-downtime key rotation.
+
+```typescript
+import { createWebhookVerifier } from '@omnixhq/ucp-client';
+
+const verifier = createWebhookVerifier('https://store.example.com');
+
+// In your webhook handler — MUST respond quickly with 2xx, process async:
+const valid = await verifier.verify(rawBody, req.headers['request-signature']);
+if (!valid) return res.status(401).send('Invalid signature');
+
+// Safe to process
 ```
 
+Keys are loaded lazily on the first `verify()` call from `<gatewayUrl>/.well-known/ucp` and cached by `kid`. A `kid` not found in cache triggers one re-fetch (key rotation support).
+
+If you already have signing keys loaded (e.g. from `client.signingKeys`), use `verifyRequestSignature` directly:
+
+```typescript
+import { UCPClient, verifyRequestSignature } from '@omnixhq/ucp-client';
+
+const client = await UCPClient.connect(config);
+const valid = await verifyRequestSignature(rawBody, signature, client.signingKeys);
+```
+
+See [examples/webhook-verification.ts](./examples/webhook-verification.ts) for a complete HTTP server example.
+
 ## Framework adapters
 
 Ready-made adapters convert `getAgentTools()` output to each framework's native format — no manual mapping.

package/dist/adapters/anthropic.d.cts

@@ -1,4 +1,4 @@
-import { AdapterOptions, AgentTool, JsonSchema } from "../catch-errors-jyrE4r9F.cjs";
+import { AdapterOptions, AgentTool, JsonSchema } from "../catch-errors-hlc4bOF9.cjs";
 
 //#region src/adapters/anthropic.d.ts
 interface AnthropicInputSchema {

package/dist/adapters/anthropic.d.ts

@@ -1,4 +1,4 @@
-import { AdapterOptions, AgentTool, JsonSchema } from "../catch-errors-BW8p9Abt.js";
+import { AdapterOptions, AgentTool, JsonSchema } from "../catch-errors-s9k0IH2E.js";
 
 //#region src/adapters/anthropic.d.ts
 interface AnthropicInputSchema {

package/dist/adapters/langchain.d.cts

@@ -1,4 +1,4 @@
-import { AdapterOptions, AgentTool, JsonSchema } from "../catch-errors-jyrE4r9F.cjs";
+import { AdapterOptions, AgentTool, JsonSchema } from "../catch-errors-hlc4bOF9.cjs";
 
 //#region src/adapters/langchain.d.ts
 interface LangChainTool {

package/dist/adapters/langchain.d.ts

@@ -1,4 +1,4 @@
-import { AdapterOptions, AgentTool, JsonSchema } from "../catch-errors-BW8p9Abt.js";
+import { AdapterOptions, AgentTool, JsonSchema } from "../catch-errors-s9k0IH2E.js";
 
 //#region src/adapters/langchain.d.ts
 interface LangChainTool {

package/dist/adapters/mcp.d.cts

@@ -1,4 +1,4 @@
-import { AdapterOptions, AgentTool, JsonSchema } from "../catch-errors-jyrE4r9F.cjs";
+import { AdapterOptions, AgentTool, JsonSchema } from "../catch-errors-hlc4bOF9.cjs";
 
 //#region src/adapters/mcp.d.ts
 interface MCPInputSchema {

package/dist/adapters/mcp.d.ts

@@ -1,4 +1,4 @@
-import { AdapterOptions, AgentTool, JsonSchema } from "../catch-errors-BW8p9Abt.js";
+import { AdapterOptions, AgentTool, JsonSchema } from "../catch-errors-s9k0IH2E.js";
 
 //#region src/adapters/mcp.d.ts
 interface MCPInputSchema {

package/dist/adapters/openai.d.cts

@@ -1,4 +1,4 @@
-import { AdapterOptions, AgentTool, JsonSchema } from "../catch-errors-jyrE4r9F.cjs";
+import { AdapterOptions, AgentTool, JsonSchema } from "../catch-errors-hlc4bOF9.cjs";
 
 //#region src/adapters/openai.d.ts
 interface OpenAIFunction {

package/dist/adapters/openai.d.ts

@@ -1,4 +1,4 @@
-import { AdapterOptions, AgentTool, JsonSchema } from "../catch-errors-BW8p9Abt.js";
+import { AdapterOptions, AgentTool, JsonSchema } from "../catch-errors-s9k0IH2E.js";
 
 //#region src/adapters/openai.d.ts
 interface OpenAIFunction {

package/dist/adapters/vercel-ai.d.cts

@@ -1,4 +1,4 @@
-import { AdapterOptions, AgentTool, JsonSchema } from "../catch-errors-jyrE4r9F.cjs";
+import { AdapterOptions, AgentTool, JsonSchema } from "../catch-errors-hlc4bOF9.cjs";
 
 //#region src/adapters/vercel-ai.d.ts
 interface VercelAISchema {

package/dist/adapters/vercel-ai.d.ts

@@ -1,4 +1,4 @@
-import { AdapterOptions, AgentTool, JsonSchema } from "../catch-errors-BW8p9Abt.js";
+import { AdapterOptions, AgentTool, JsonSchema } from "../catch-errors-s9k0IH2E.js";
 
 //#region src/adapters/vercel-ai.d.ts
 interface VercelAISchema {

package/dist/{catch-errors-jyrE4r9F.d.cts → catch-errors-hlc4bOF9.d.cts}

@@ -48,7 +48,14 @@ interface LocalizationContext {
   readonly address_region?: string;
   readonly postal_code?: string;
 }
-
+/**
+ * A JSON Web Key (RFC 7517).
+ * Extends the TypeScript stdlib `JsonWebKey` with the `kid` claim required by UCP for webhook
+ * signature verification (the stdlib definition omits `kid`).
+ */
+type JWK = JsonWebKey & {
+  readonly kid?: string;
+};
 //#endregion
 //#region src/types/payment.d.ts
 //# sourceMappingURL=common.d.ts.map
@@ -157,9 +164,10 @@ interface CompleteCheckoutPayload {
   readonly ap2?: {
     readonly checkout_mandate?: string;
   };
-} //#endregion
-//#region src/capabilities/checkout.d.ts
+}
 
+//#endregion
+//#region src/capabilities/checkout.d.ts
 //# sourceMappingURL=checkout.d.ts.map
 type FulfillmentPatch = Omit<UpdateCheckoutPayload, 'fulfillment' | 'discounts'>;
 /**
@@ -307,6 +315,8 @@ interface ToolDescriptor {
 interface ConnectedClient {
   /** The server's UCP discovery profile. */
   readonly profile: UCPProfile;
+  /** JWK signing keys from the discovery profile. Used for verifying incoming webhook signatures. */
+  readonly signingKeys: readonly JWK[];
   /** Checkout operations. Null if server does not support `dev.ucp.shopping.checkout`. */
   readonly checkout: CheckoutCapability | null;
   /** Order operations. Null if server does not support `dev.ucp.shopping.order`. */
@@ -431,5 +441,5 @@ type ToolErrorResult = {
 };
 
 //#endregion
-export { AdapterOptions, AgentTool, AuthorizationParams, BuyerConsent, CardCredential$1 as CardCredential, CheckoutCapability, CheckoutExtensions, CheckoutSession, CheckoutSessionStatus, CompleteCheckoutPayload, ConnectedClient, CreateCheckoutPayload, DEFAULT_UCP_VERSION, IdentityLinkingCapability, JsonSchema, LocalizationContext, OAuthServerMetadata, OrderCapability, PaymentCredential, PaymentHandlerInstance, PaymentHandlerMap, PaymentInstrument, PostalAddress, TokenCredential$1 as TokenCredential, TokenExchangeParams, TokenRefreshParams, TokenResponse, TokenRevokeParams, ToolDescriptor, ToolErrorResult, UCPClient, UCPClientConfig, UCPProfile, UCPSpecOrder, UCP_CAPABILITIES, UpdateCheckoutPayload, WebhookEvent, connect, getAgentTools };
-//# sourceMappingURL=catch-errors-jyrE4r9F.d.cts.map
+export { AdapterOptions, AgentTool, AuthorizationParams, BuyerConsent, CardCredential$1 as CardCredential, CheckoutCapability, CheckoutExtensions, CheckoutSession, CheckoutSessionStatus, CompleteCheckoutPayload, ConnectedClient, CreateCheckoutPayload, DEFAULT_UCP_VERSION, IdentityLinkingCapability, JWK, JsonSchema, LocalizationContext, OAuthServerMetadata, OrderCapability, PaymentCredential, PaymentHandlerInstance, PaymentHandlerMap, PaymentInstrument, PostalAddress, TokenCredential$1 as TokenCredential, TokenExchangeParams, TokenRefreshParams, TokenResponse, TokenRevokeParams, ToolDescriptor, ToolErrorResult, UCPClient, UCPClientConfig, UCPProfile, UCPSpecOrder, UCP_CAPABILITIES, UpdateCheckoutPayload, WebhookEvent, connect, getAgentTools };
+//# sourceMappingURL=catch-errors-hlc4bOF9.d.cts.map

package/dist/catch-errors-hlc4bOF9.d.cts.map

@@ -0,0 +1 @@
+{"version":3,"file":"catch-errors-hlc4bOF9.d.cts","names":[],"sources":["../src/http.ts","../src/types/common.ts","../src/types/payment.ts","../src/types/checkout.ts","../src/capabilities/checkout.ts","../src/types/order.ts","../src/capabilities/order.ts","../src/types/identity-linking.ts","../src/capabilities/identity-linking.ts","../src/types/config.ts","../src/UCPClient.ts","../src/agent-tools.ts","../src/adapters/catch-errors.ts"],"sourcesContent":null,"mappings":";;;;KAMK,UAAA;KAEO,KAAA;UAEK,gBAAA;EAJZ,SAAA,UAAU,EAAA,MAAA;EAEH,SAAK,eAAA,EAAA,MAAA;EAEA,SAAA,UAAgB,EAAA,MAAA;EASpB,SAAA,gBAAU,CAAA,EAAA,MAAA;EAAA,SAAA,WAAA,CAAA,EAAA,MAAA;EAAA,SAQD,mBAAA,CAAA,EAXW,KAWX;;AAsBE,cA9BX,UAAA,CA8BW;EAAU,iBAAiC,UAAA;EAAO,iBAwC7B,eAAA;EAAC,iBAAT,UAAA;EAAO,iBAAM,gBAAA;EAAC,iBAAA,WAAA;;sBA9D7B;kCAWY;ECtCjB,OAAA,CAAA,MAAA,EDiDO,UCjDM,EAAA,IAAA,EAAA,MAAA,EAAA,IAAA,CAAA,EAAA,OAAA,CAAA,EDiDqC,OCjDrC,CAAA,OAAA,CAAA;EAYb,QAAA,CAAA,CAAA,CAAA,CAAA,IAAY,EAAA,OAAA,EAAA,MAAA,ED6EQ,OC7ER,CD6EgB,CC7EhB,CAAA,CAAA,ED6EqB,CC7ErB;EAOZ,QAAA,iBAAmB;;;UAnBnB,aAAA;;;;EDMZ,SAAA,gBAAU,CAAA,EAAA,MAAA;EAEH,SAAK,gBAAA,CAAA,EAAA,MAAA;EAEA,SAAA,cAAgB,CAAA,EAAA,MAMA;EAGpB,SAAA,eAAU,CAAA,EAAA,MAAA;EAAA,SAAA,WAAA,CAAA,EAAA,MAAA;EAAA,SAQD,YAAA,CAAA,EAAA,MAAA;;AAsBE,UCrCP,YAAA,CDqCO;EAAU,SAAiC,SAAA,CAAA,EAAA,OAAA;EAAO,SAwC7B,WAAA,CAAA,EAAA,OAAA;EAAC,SAAT,SAAA,CAAA,EAAA,OAAA;EAAO,SAAM,YAAA,CAAA,EAAA,OAAA;AAAC;UCtElC,mBAAA;;;EAnBA,SAAA,WAAa,CAAA,EAAA,MAAA;AAY9B;AAOA;;;;;KAWY,GAAA,GAAM;EAAN,SAAG,GAAA,CAAA,EAAA,MAAG;;;;;KCzBN,iBAAA,GAAkB;KAClB,gBAAA,GAAiB;KAEjB,iBAAA,GAAoB,oBAAkB;AFAtC,UEIK,iBAAA,CFJA;EAEA,SAAA,EAAA,EAAA,MAAgB;EASpB,SAAA,UAAU,EAAA,MAAA;EAAA,SAAA,IAAA,EAAA,MAAA;EAAA,SAQD,KAAA,CAAA,EAAA,MAAA;EAAgB,SAWJ,WAAA,CAAA,EAAA,MAAA;EAAU,SAWpB,YAAA,CAAA,EAAA,MAAA;EAAU,SAAiC,QAAA,CAAA,EAAA,OAAA;EAAO,SAwC7B,OAAA,CAAA,EErExB,QFqEwB,CErEf,MFqEe,CAAA,MAAA,EAAA,OAAA,CAAA,CAAA;EAAC,SAAT,UAAA,CAAA,EEpEb,iBFoEa;EAAO,SAAM,eAAA,CAAA,EEnErB,aFmEqB;AAAC;UEhElC,sBAAA;;;EDzBA,SAAA,IAAA,EAAA,MAAa;EAYb,SAAA,MAAY,EAAA,MAAA;EAOZ,SAAA,MAAA,CAAA,ECWG,QDXgB,CCWP,MDXO,CAAA,MAAA,EAAA,OAAA,CAAA,CAAA;;UCcnB,iBAAA;yCACwB;;;;;;KC9B7B,eAAA,GAAkB;AHEzB,KGDO,qBAAA,GAAwB,sBHCrB;AAEH,UGDK,kBAAA,CHCA;EAEA,SAAA,WAAgB,EAAA,OAAA;EASpB,SAAA,QAAU,EAAA,OAAA;EAAA,SAAA,YAAA,EAAA,OAAA;EAAA,SAQD,UAAA,EAAA,OAAA;;AAsBE,UGnCP,qBAAA,CHmCO;EAAU,SAAiC,UAAA,EGlC5C,aHkC4C,CAAA;IAwCtB,SAAA,IAAA,EAAA;MAAR,SAAA,EAAA,EAAA,MAAA;IAAa,CAAA;IAAC,SAAA,QAAA,EAAA,MAAA;;;;ICzFlC,SAAA,UAAa,CAAA,EAAA,MAAA;IAYb,SAAA,SAAY,CAAA,EAAA,MAAA;IAOZ,SAAA,KAAA,CAAA,EAAA,MAAmB;;uBEMb;;qBAEF;;IFGT,SAAG,WAAG,CAAA,EAAU,SAAA,OAAA,EAAA;;;;ACzBhB,UC6BK,qBAAA,CD7Ba;EAClB,SAAA,KAAA,CAAA,EAAA;IAEA,SAAA,UAAiB,CAAA,EAAA,MAAA;IAAA,SAAA,SAAA,CAAA,EAAA,MAAA;IAAG,SAAA,KAAA,CAAA,EAAA,MAAA;IAAkB,SAAA,YAAA,CAAA,EAAA,MAAA;IAAc,SAAA,OAAA,CAAA,ECgCzC,YDhCyC;EAI/C,CAAA;EAAiB,SAAA,WAAA,CAAA,EAAA;IAQJ,SAAA,YAAA,CAAA,ECuBF,aDvBE,CAAA;MAAT,SAAA,EAAA,EAAA,MAAA;MACG,SAAA,OAAA,EAAA;QACK,SAAA,cAAA,CAAA,EAAA,MAAA;QAAa,SAAA,gBAAA,CAAA,EAAA,MAAA;QAGzB,SAAA,cAAsB,CAAA,EAAA,MAAA;QAAA,SAAA,WAAA,CAAA,EAAA,MAAA;QAKV,SAAA,eAAA,CAAA,EAAA,MAAA;MAAT,CAAA;IAAQ,CAAA,CAAA;IAGX,SAAA,OAAiB,CAAA,ECoBX,aDnBkB,CAAA;;;;MC9B7B,SAAA,uBAAkB,CAAA,EAAA,MAAA;MAClB,SAAA,MAAA,CAAqB,EAqDT,aArDY,CAAA;QAEnB,SAAkB,EAAA,EAAA,MAAA;QAOlB,SAAA,kBAAqB,CAAA,EAAA,MAAA;MAAA,CAAA,CAAA;IACf,CAAA,CAAA;EAAa,CAAA;EAUD,SAEd,OAAA,CAAA,EAAA;IAAmB,SAAA,WAAA,CAAA,EAsCb,aAtCa,CAsCC,iBAtCD,CAAA;EAOvB,CAAA;EAAqB,SAAA,SAAA,CAAA,EAAA;IAMf,SAAA,KAAA,CAAA,EAAA,SAAA,MAAA,EAAA;EAAY,CAAA;EAGM,SAejB,OAAA,CAAA,EAYH,mBAZG;;AAOiB,UAQxB,uBAAA,CARwB;EAAiB,SAA/B,OAAA,CAAA,EAAA;IAKN,SAAA,WAAA,EAKK,aALL,CAKmB,iBALnB,CAAA;EAAmB,CAAA;EAGvB,SAAA,YAAA,CAAA,EAIS,iBAJc;EAAA,SAAA,YAAA,CAAA,EAKd,QALc,CAKL,MALK,CAAA,MAAA,EAAA,OAAA,CAAA,CAAA;EAAA,SAEA,GAAA,CAAA,EAAA;IAAd,SAAA,gBAAA,CAAA,EAAA,MAAA;EAAa,CAAA;;;;;;KC7DlC,gBAAA,GAAmB,KAAK;;AJbM;AAOnC;AAEA;AASa,cICA,kBAAA,CJDU;EAAA,iBAAA,IAAA;EAAA;EAQe,SAWJ,UAAA,EIhBX,kBJgBW;EAAU,WAWpB,CAAA,IAAA,EIxBG,UJwBH,EAAA,UAAA,EIvBR,kBJuBQ;EAAU,MAAiC,CAAA,OAAA,EIlB3C,qBJkB2C,CAAA,EIlBnB,OJkBmB,CIlBX,eJkBW,CAAA;EAAO,GAwC7B,CAAA,EAAA,EAAA,MAAA,CAAA,EIrDpB,OJqDoB,CIrDZ,eJqDY,CAAA;EAAC,MAAT,CAAA,EAAA,EAAA,MAAA,EAAA,KAAA,EIhDH,qBJgDG,CAAA,EIhDqB,OJgDrB,CIhD6B,eJgD7B,CAAA;EAAO,QAAM,CAAA,EAAA,EAAA,MAAA,EAAA,OAAA,EIvCZ,uBJuCY,CAAA,EIvCc,OJuCd,CIvCsB,eJuCtB,CAAA;EAAC,MAAA,CAAA,EAAA,EAAA,MAAA,CAAA,EI9BvB,OJ8BuB,CI9Bf,eJ8Be,CAAA;mDInBvC,mBACP,QAAQ;yFAWD,mBACP,QAAQ;kHAoBD,mBACP,QAAQ;EHxGI,kBAAa,CAAA,EAAA,EAAA,MAAA,EAAA,KAAA,EAAA,SAAA,MAAA,EAAA,EAAA,KAAA,CAAA,EG2HlB,gBH3HkB,CAAA,EG4HzB,OH5HyB,CG4HjB,eH5HiB,CAAA;EAYb,QAAA,eAAY;AAO7B;;;;KIjBY,YAAA,GAAe;UAEV,YAAA;;ELEZ,SAAA,YAAU,EAAA,MAAA;EAEH,UAAK,GAAA,EAAA,MAAA,CAAA,EAAA,OAAA;AAEjB;;;;AASA;;cMda,eAAA;ENCR,iBAAU,IAAA;EAEH,WAAK,CAAA,IAAA,EMFoB,UNEpB;EAEA;EASJ,GAAA,CAAA,EAAA,EAAA,MAAU,CAAA,EMVE,ONUF,CMVU,YNUV,CAAA;EAAA;EAAA,MAQD,CAAA,EAAA,EAAA,MAAA,EAAA,OAAA,EMZc,MNYd,CAAA,MAAA,EAAA,OAAA,CAAA,CAAA,EMZwC,ONYxC,CMZgD,YNYhD,CAAA;;;;;;UO3BL,mBAAA;;;;EPMZ,SAAA,mBAAU,EAAA,MAAA;EAEH,SAAK,gBAAA,EAAA,SAAA,MAAA,EAAA;EAEA,SAAA,wBAMgB,EAAK,SAAA,MAAA,EAAA;EAGzB,SAAA,qBAAU,EAAA,SAAA,MAAA,EAAA;EAAA,SAAA,qCAAA,EAAA,SAAA,MAAA,EAAA;EAAA,SAQD,qBAAA,CAAA,EAAA,MAAA;;AAsBE,UOrCP,mBAAA,CPqCO;EAAU,SAAiC,SAAA,EAAA,MAAA;EAAO,SAwC7B,YAAA,EAAA,MAAA;EAAC,SAAT,KAAA,CAAA,EAAA,MAAA;EAAO,SAAM,KAAA,CAAA,EAAA,MAAA;AAAC;UOtElC,aAAA;;;ENnBA,SAAA,UAAa,CAAA,EAAA,MAAA;EAYb,SAAA,aAAY,CAAA,EAAA,MAAA;EAOZ,SAAA,KAAA,CAAA,EAAA,MAAmB;;UMQnB,mBAAA;;;;ENGL,SAAG,YAAG,EAAA,MAAU;;UMIX,kBAAA;;EL7BL,SAAA,aAAe,EAAA,MAAA;EACf,SAAA,aAAc,EAAA,MAAG;AAE7B;AAA6B,UKgCZ,iBAAA,CLhCY;EAAA,SAAG,SAAA,EAAA,MAAA;EAAe,SAAG,aAAA,EAAA,MAAA;EAAc,SAAA,KAAA,EAAA,MAAA;EAI/C,SAAA,eAAiB,CAAA,EAAA,cAAA,GAAA,eAAA;;;;;;;;;AFXC;AAOvB,cQiBC,yBAAA,CRjBI;EAEA,iBAAA,QAAgB;EASpB,WAAA,CAAA,QAAU,EQOkB,mBRPlB;EAAA;EAAA,mBAQD,CAAA,MAAA,EQEQ,mBRFR,CAAA,EAAA,MAAA;EAAgB,YAWJ,CAAA,MAAA,EQGL,mBRHK,CAAA,EQGiB,ORHjB,CQGyB,aRHzB,CAAA;EAAU,YAWpB,CAAA,MAAA,EQEK,kBRFL,CAAA,EQE0B,ORF1B,CQEkC,aRFlC,CAAA;EAAU,WAAiC,CAAA,MAAA,EQWvC,iBRXuC,CAAA,EQWnB,ORXmB,CAAA,IAAA,CAAA;EAAO,WAwC7B,CAAA,CAAA,EQT5B,QRS4B,CQTnB,mBRSmB,CAAA;EAAC,QAAT,YAAA;;;;;AAAc;USzFlC,eAAA;;;;ETMZ,SAAA,gBAAU,CAAA,EAAA,MAAA;AAEf;AAEiB,cSHJ,mBAAA,GTSyB,YAAA;AAGzB,cSVA,gBTUU,EAAA;EAAA,SAAA,QAAA,EAAA,2BAAA;EAAA,SAQD,WAAA,EAAA,8BAAA;EAAgB,SAWJ,QAAA,EAAA,2BAAA;EAAU,SAWpB,aAAA,EAAA,gCAAA;EAAU,SAAiC,KAAA,EAAA,wBAAA;EAAO,SAwC7B,gBAAA,EAAA,iCAAA;EAAC,SAAT,WAAA,EAAA,8BAAA;CAAO;;;;AAAO;;AAnDjB,KUpBtB,UAAA,GAAa,mBVoBS;;AAWiC,UU5BlD,cAAA,CV4BkD;EAAO,SAwC7B,IAAA,EAAA,MAAA;EAAC,SAAT,UAAA,EAAA,MAAA;EAAO,SAAM,WAAA,EAAA,MAAA;AAAC;;;;ACzFnD;AAYiB,USmBA,eAAA,CTnBY;EAOZ;oBScG;;iCAEa;;qBAEZ;ETPT;kBSSM;;4BAEU;ERpChB;EACA,SAAA,eAAc,EQqCE,iBRrCC;EAEjB;EAAiB,aAAA,EAAA,EAAA,SQqCD,cRrCC,EAAA;EAAA;;AAAmC;AAIhE;EAAkC,aAAA,EAAA,EAAA,SQsCN,SRtCM,EAAA;;;;;AAUQ;AAG1C;;;;AAK4B;AAG5B;;;;AC7BA;AACA;AAEiB,iBO6DK,OAAA,CP7Da,MAAA,EO8DzB,eP9DyB,EAAA,OAOG,CAPH,EAAA;EAOlB,SAAA,mBAAqB,CAAA,EOwDO,KPxDP;CAAA,CAAA,EOyDnC,OPzDmC,COyD3B,ePzD2B,CAAA;;;;AAaE;AAOxC;;;;;;;;AAoCqB,cOkDR,SAAA,CPlDQ;EAAmB,QAAA,WAAA,CAAA;EAGvB,OAAA,OAAA,EAAA,OOoDD,OPpDwB;;;;;;;UQtEvB,UAAA;;EXGZ,SAAA,UAAU,CAAA,EWDS,QXCT,CWDkB,MXClB,CAAA,MAAA,EWDiC,UXCjC,CAAA,CAAA;EAEH,SAAK,QAAA,CAAA,EAAA,SAAA,MAAA,EAAA;EAEA,SAAA,KAAA,CAAA,EWHE,UXGc;EASpB,SAAA,IAAU,CAAA,EAAA,SAAA,MAAA,EAAA;EAAA,SAAA,WAAA,CAAA,EAAA,MAAA;EAAA,SAQD,OAAA,CAAA,EAAA,OAAA;;;;;;AA8D4B,UWxEjC,SAAA,CXwEiC;EAAC,SAAA,IAAA,EAAA,MAAA;;uBWrE5B;6BACM,4BAA4B;AVrBzD;AAYA;AAOA;;;;;;AAWA;;;;ACzBA;AACA;AAEA;;;;AAAgE;AAIhE;;;;;;AAU0C;AAG1C;;;;AAK4B;AAG5B;;;;AC7BY,iBQsDI,aAAA,CRtDc,MAAA,EQsDQ,eRtDgB,CAAA,EAAA,SQsDW,SRtDX,EAAA;;;;AACtD;USHiB,cAAA;;;KAIL,eAAA;EZAP,SAAA,KAAU,EAAA,MAAA;AAEf,CAAA,GAAY;EAEK,SAAA,mBAAgB,EAMA,IAAA;EAGpB,SAAA,YAAU,EAAA,MAAA;CAAA"}

package/dist/{catch-errors-BW8p9Abt.d.ts → catch-errors-s9k0IH2E.d.ts}

@@ -48,7 +48,14 @@ interface LocalizationContext {
   readonly address_region?: string;
   readonly postal_code?: string;
 }
-
+/**
+ * A JSON Web Key (RFC 7517).
+ * Extends the TypeScript stdlib `JsonWebKey` with the `kid` claim required by UCP for webhook
+ * signature verification (the stdlib definition omits `kid`).
+ */
+type JWK = JsonWebKey & {
+  readonly kid?: string;
+};
 //#endregion
 //#region src/types/payment.d.ts
 //# sourceMappingURL=common.d.ts.map
@@ -157,9 +164,10 @@ interface CompleteCheckoutPayload {
   readonly ap2?: {
     readonly checkout_mandate?: string;
   };
-} //#endregion
-//#region src/capabilities/checkout.d.ts
+}
 
+//#endregion
+//#region src/capabilities/checkout.d.ts
 //# sourceMappingURL=checkout.d.ts.map
 type FulfillmentPatch = Omit<UpdateCheckoutPayload, 'fulfillment' | 'discounts'>;
 /**
@@ -307,6 +315,8 @@ interface ToolDescriptor {
 interface ConnectedClient {
   /** The server's UCP discovery profile. */
   readonly profile: UCPProfile;
+  /** JWK signing keys from the discovery profile. Used for verifying incoming webhook signatures. */
+  readonly signingKeys: readonly JWK[];
   /** Checkout operations. Null if server does not support `dev.ucp.shopping.checkout`. */
   readonly checkout: CheckoutCapability | null;
   /** Order operations. Null if server does not support `dev.ucp.shopping.order`. */
@@ -431,5 +441,5 @@ type ToolErrorResult = {
 };
 
 //#endregion
-export { AdapterOptions, AgentTool, AuthorizationParams, BuyerConsent, CardCredential$1 as CardCredential, CheckoutCapability, CheckoutExtensions, CheckoutSession, CheckoutSessionStatus, CompleteCheckoutPayload, ConnectedClient, CreateCheckoutPayload, DEFAULT_UCP_VERSION, IdentityLinkingCapability, JsonSchema, LocalizationContext, OAuthServerMetadata, OrderCapability, PaymentCredential, PaymentHandlerInstance, PaymentHandlerMap, PaymentInstrument, PostalAddress, TokenCredential$1 as TokenCredential, TokenExchangeParams, TokenRefreshParams, TokenResponse, TokenRevokeParams, ToolDescriptor, ToolErrorResult, UCPClient, UCPClientConfig, UCPProfile, UCPSpecOrder, UCP_CAPABILITIES, UpdateCheckoutPayload, WebhookEvent, connect, getAgentTools };
-//# sourceMappingURL=catch-errors-BW8p9Abt.d.ts.map
+export { AdapterOptions, AgentTool, AuthorizationParams, BuyerConsent, CardCredential$1 as CardCredential, CheckoutCapability, CheckoutExtensions, CheckoutSession, CheckoutSessionStatus, CompleteCheckoutPayload, ConnectedClient, CreateCheckoutPayload, DEFAULT_UCP_VERSION, IdentityLinkingCapability, JWK, JsonSchema, LocalizationContext, OAuthServerMetadata, OrderCapability, PaymentCredential, PaymentHandlerInstance, PaymentHandlerMap, PaymentInstrument, PostalAddress, TokenCredential$1 as TokenCredential, TokenExchangeParams, TokenRefreshParams, TokenResponse, TokenRevokeParams, ToolDescriptor, ToolErrorResult, UCPClient, UCPClientConfig, UCPProfile, UCPSpecOrder, UCP_CAPABILITIES, UpdateCheckoutPayload, WebhookEvent, connect, getAgentTools };
+//# sourceMappingURL=catch-errors-s9k0IH2E.d.ts.map

package/dist/catch-errors-s9k0IH2E.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"catch-errors-s9k0IH2E.d.ts","names":[],"sources":["../src/http.ts","../src/types/common.ts","../src/types/payment.ts","../src/types/checkout.ts","../src/capabilities/checkout.ts","../src/types/order.ts","../src/capabilities/order.ts","../src/types/identity-linking.ts","../src/capabilities/identity-linking.ts","../src/types/config.ts","../src/UCPClient.ts","../src/agent-tools.ts","../src/adapters/catch-errors.ts"],"sourcesContent":null,"mappings":";;;;KAMK,UAAA;KAEO,KAAA;UAEK,gBAAA;EAJZ,SAAA,UAAU,EAAA,MAAA;EAEH,SAAK,eAAA,EAAA,MAAA;EAEA,SAAA,UAAgB,EAAA,MAAA;EASpB,SAAA,gBAAU,CAAA,EAAA,MAAA;EAAA,SAAA,WAAA,CAAA,EAAA,MAAA;EAAA,SAQD,mBAAA,CAAA,EAXW,KAWX;;AAsBE,cA9BX,UAAA,CA8BW;EAAU,iBAAiC,UAAA;EAAO,iBAwC7B,eAAA;EAAC,iBAAT,UAAA;EAAO,iBAAM,gBAAA;EAAC,iBAAA,WAAA;;sBA9D7B;kCAWY;ECtCjB,OAAA,CAAA,MAAA,EDiDO,UCjDM,EAAA,IAAA,EAAA,MAAA,EAAA,IAAA,CAAA,EAAA,OAAA,CAAA,EDiDqC,OCjDrC,CAAA,OAAA,CAAA;EAYb,QAAA,CAAA,CAAA,CAAA,CAAA,IAAY,EAAA,OAAA,EAAA,MAAA,ED6EQ,OC7ER,CD6EgB,CC7EhB,CAAA,CAAA,ED6EqB,CC7ErB;EAOZ,QAAA,iBAAmB;;;UAnBnB,aAAA;;;;EDMZ,SAAA,gBAAU,CAAA,EAAA,MAAA;EAEH,SAAK,gBAAA,CAAA,EAAA,MAAA;EAEA,SAAA,cAAgB,CAAA,EAAA,MAMA;EAGpB,SAAA,eAAU,CAAA,EAAA,MAAA;EAAA,SAAA,WAAA,CAAA,EAAA,MAAA;EAAA,SAQD,YAAA,CAAA,EAAA,MAAA;;AAsBE,UCrCP,YAAA,CDqCO;EAAU,SAAiC,SAAA,CAAA,EAAA,OAAA;EAAO,SAwC7B,WAAA,CAAA,EAAA,OAAA;EAAC,SAAT,SAAA,CAAA,EAAA,OAAA;EAAO,SAAM,YAAA,CAAA,EAAA,OAAA;AAAC;UCtElC,mBAAA;;;EAnBA,SAAA,WAAa,CAAA,EAAA,MAAA;AAY9B;AAOA;;;;;KAWY,GAAA,GAAM;EAAN,SAAG,GAAA,CAAA,EAAA,MAAG;;;;;KCzBN,iBAAA,GAAkB;KAClB,gBAAA,GAAiB;KAEjB,iBAAA,GAAoB,oBAAkB;AFAtC,UEIK,iBAAA,CFJA;EAEA,SAAA,EAAA,EAAA,MAAgB;EASpB,SAAA,UAAU,EAAA,MAAA;EAAA,SAAA,IAAA,EAAA,MAAA;EAAA,SAQD,KAAA,CAAA,EAAA,MAAA;EAAgB,SAWJ,WAAA,CAAA,EAAA,MAAA;EAAU,SAWpB,YAAA,CAAA,EAAA,MAAA;EAAU,SAAiC,QAAA,CAAA,EAAA,OAAA;EAAO,SAwC7B,OAAA,CAAA,EErExB,QFqEwB,CErEf,MFqEe,CAAA,MAAA,EAAA,OAAA,CAAA,CAAA;EAAC,SAAT,UAAA,CAAA,EEpEb,iBFoEa;EAAO,SAAM,eAAA,CAAA,EEnErB,aFmEqB;AAAC;UEhElC,sBAAA;;;EDzBA,SAAA,IAAA,EAAA,MAAa;EAYb,SAAA,MAAY,EAAA,MAAA;EAOZ,SAAA,MAAA,CAAA,ECWG,QDXgB,CCWP,MDXO,CAAA,MAAA,EAAA,OAAA,CAAA,CAAA;;UCcnB,iBAAA;yCACwB;;;;;;KC9B7B,eAAA,GAAkB;AHEzB,KGDO,qBAAA,GAAwB,sBHCrB;AAEH,UGDK,kBAAA,CHCA;EAEA,SAAA,WAAgB,EAAA,OAAA;EASpB,SAAA,QAAU,EAAA,OAAA;EAAA,SAAA,YAAA,EAAA,OAAA;EAAA,SAQD,UAAA,EAAA,OAAA;;AAsBE,UGnCP,qBAAA,CHmCO;EAAU,SAAiC,UAAA,EGlC5C,aHkC4C,CAAA;IAwCtB,SAAA,IAAA,EAAA;MAAR,SAAA,EAAA,EAAA,MAAA;IAAa,CAAA;IAAC,SAAA,QAAA,EAAA,MAAA;;;;ICzFlC,SAAA,UAAa,CAAA,EAAA,MAAA;IAYb,SAAA,SAAY,CAAA,EAAA,MAAA;IAOZ,SAAA,KAAA,CAAA,EAAA,MAAmB;;uBEMb;;qBAEF;;IFGT,SAAG,WAAG,CAAA,EAAU,SAAA,OAAA,EAAA;;;;ACzBhB,UC6BK,qBAAA,CD7Ba;EAClB,SAAA,KAAA,CAAA,EAAA;IAEA,SAAA,UAAiB,CAAA,EAAA,MAAA;IAAA,SAAA,SAAA,CAAA,EAAA,MAAA;IAAG,SAAA,KAAA,CAAA,EAAA,MAAA;IAAkB,SAAA,YAAA,CAAA,EAAA,MAAA;IAAc,SAAA,OAAA,CAAA,ECgCzC,YDhCyC;EAI/C,CAAA;EAAiB,SAAA,WAAA,CAAA,EAAA;IAQJ,SAAA,YAAA,CAAA,ECuBF,aDvBE,CAAA;MAAT,SAAA,EAAA,EAAA,MAAA;MACG,SAAA,OAAA,EAAA;QACK,SAAA,cAAA,CAAA,EAAA,MAAA;QAAa,SAAA,gBAAA,CAAA,EAAA,MAAA;QAGzB,SAAA,cAAsB,CAAA,EAAA,MAAA;QAAA,SAAA,WAAA,CAAA,EAAA,MAAA;QAKV,SAAA,eAAA,CAAA,EAAA,MAAA;MAAT,CAAA;IAAQ,CAAA,CAAA;IAGX,SAAA,OAAiB,CAAA,ECoBX,aDnBkB,CAAA;;;;MC9B7B,SAAA,uBAAkB,CAAA,EAAA,MAAA;MAClB,SAAA,MAAA,CAAqB,EAqDT,aArDY,CAAA;QAEnB,SAAkB,EAAA,EAAA,MAAA;QAOlB,SAAA,kBAAqB,CAAA,EAAA,MAAA;MAAA,CAAA,CAAA;IACf,CAAA,CAAA;EAAa,CAAA;EAUD,SAEd,OAAA,CAAA,EAAA;IAAmB,SAAA,WAAA,CAAA,EAsCb,aAtCa,CAsCC,iBAtCD,CAAA;EAOvB,CAAA;EAAqB,SAAA,SAAA,CAAA,EAAA;IAMf,SAAA,KAAA,CAAA,EAAA,SAAA,MAAA,EAAA;EAAY,CAAA;EAGM,SAejB,OAAA,CAAA,EAYH,mBAZG;;AAOiB,UAQxB,uBAAA,CARwB;EAAiB,SAA/B,OAAA,CAAA,EAAA;IAKN,SAAA,WAAA,EAKK,aALL,CAKmB,iBALnB,CAAA;EAAmB,CAAA;EAGvB,SAAA,YAAA,CAAA,EAIS,iBAJc;EAAA,SAAA,YAAA,CAAA,EAKd,QALc,CAKL,MALK,CAAA,MAAA,EAAA,OAAA,CAAA,CAAA;EAAA,SAEA,GAAA,CAAA,EAAA;IAAd,SAAA,gBAAA,CAAA,EAAA,MAAA;EAAa,CAAA;;;;;;KC7DlC,gBAAA,GAAmB,KAAK;;AJbM;AAOnC;AAEA;AASa,cICA,kBAAA,CJDU;EAAA,iBAAA,IAAA;EAAA;EAQe,SAWJ,UAAA,EIhBX,kBJgBW;EAAU,WAWpB,CAAA,IAAA,EIxBG,UJwBH,EAAA,UAAA,EIvBR,kBJuBQ;EAAU,MAAiC,CAAA,OAAA,EIlB3C,qBJkB2C,CAAA,EIlBnB,OJkBmB,CIlBX,eJkBW,CAAA;EAAO,GAwC7B,CAAA,EAAA,EAAA,MAAA,CAAA,EIrDpB,OJqDoB,CIrDZ,eJqDY,CAAA;EAAC,MAAT,CAAA,EAAA,EAAA,MAAA,EAAA,KAAA,EIhDH,qBJgDG,CAAA,EIhDqB,OJgDrB,CIhD6B,eJgD7B,CAAA;EAAO,QAAM,CAAA,EAAA,EAAA,MAAA,EAAA,OAAA,EIvCZ,uBJuCY,CAAA,EIvCc,OJuCd,CIvCsB,eJuCtB,CAAA;EAAC,MAAA,CAAA,EAAA,EAAA,MAAA,CAAA,EI9BvB,OJ8BuB,CI9Bf,eJ8Be,CAAA;mDInBvC,mBACP,QAAQ;yFAWD,mBACP,QAAQ;kHAoBD,mBACP,QAAQ;EHxGI,kBAAa,CAAA,EAAA,EAAA,MAAA,EAAA,KAAA,EAAA,SAAA,MAAA,EAAA,EAAA,KAAA,CAAA,EG2HlB,gBH3HkB,CAAA,EG4HzB,OH5HyB,CG4HjB,eH5HiB,CAAA;EAYb,QAAA,eAAY;AAO7B;;;;KIjBY,YAAA,GAAe;UAEV,YAAA;;ELEZ,SAAA,YAAU,EAAA,MAAA;EAEH,UAAK,GAAA,EAAA,MAAA,CAAA,EAAA,OAAA;AAEjB;;;;AASA;;cMda,eAAA;ENCR,iBAAU,IAAA;EAEH,WAAK,CAAA,IAAA,EMFoB,UNEpB;EAEA;EASJ,GAAA,CAAA,EAAA,EAAA,MAAU,CAAA,EMVE,ONUF,CMVU,YNUV,CAAA;EAAA;EAAA,MAQD,CAAA,EAAA,EAAA,MAAA,EAAA,OAAA,EMZc,MNYd,CAAA,MAAA,EAAA,OAAA,CAAA,CAAA,EMZwC,ONYxC,CMZgD,YNYhD,CAAA;;;;;;UO3BL,mBAAA;;;;EPMZ,SAAA,mBAAU,EAAA,MAAA;EAEH,SAAK,gBAAA,EAAA,SAAA,MAAA,EAAA;EAEA,SAAA,wBAMgB,EAAK,SAAA,MAAA,EAAA;EAGzB,SAAA,qBAAU,EAAA,SAAA,MAAA,EAAA;EAAA,SAAA,qCAAA,EAAA,SAAA,MAAA,EAAA;EAAA,SAQD,qBAAA,CAAA,EAAA,MAAA;;AAsBE,UOrCP,mBAAA,CPqCO;EAAU,SAAiC,SAAA,EAAA,MAAA;EAAO,SAwC7B,YAAA,EAAA,MAAA;EAAC,SAAT,KAAA,CAAA,EAAA,MAAA;EAAO,SAAM,KAAA,CAAA,EAAA,MAAA;AAAC;UOtElC,aAAA;;;ENnBA,SAAA,UAAa,CAAA,EAAA,MAAA;EAYb,SAAA,aAAY,CAAA,EAAA,MAAA;EAOZ,SAAA,KAAA,CAAA,EAAA,MAAmB;;UMQnB,mBAAA;;;;ENGL,SAAG,YAAG,EAAA,MAAU;;UMIX,kBAAA;;EL7BL,SAAA,aAAe,EAAA,MAAA;EACf,SAAA,aAAc,EAAA,MAAG;AAE7B;AAA6B,UKgCZ,iBAAA,CLhCY;EAAA,SAAG,SAAA,EAAA,MAAA;EAAe,SAAG,aAAA,EAAA,MAAA;EAAc,SAAA,KAAA,EAAA,MAAA;EAI/C,SAAA,eAAiB,CAAA,EAAA,cAAA,GAAA,eAAA;;;;;;;;;AFXC;AAOvB,cQiBC,yBAAA,CRjBI;EAEA,iBAAA,QAAgB;EASpB,WAAA,CAAA,QAAU,EQOkB,mBRPlB;EAAA;EAAA,mBAQD,CAAA,MAAA,EQEQ,mBRFR,CAAA,EAAA,MAAA;EAAgB,YAWJ,CAAA,MAAA,EQGL,mBRHK,CAAA,EQGiB,ORHjB,CQGyB,aRHzB,CAAA;EAAU,YAWpB,CAAA,MAAA,EQEK,kBRFL,CAAA,EQE0B,ORF1B,CQEkC,aRFlC,CAAA;EAAU,WAAiC,CAAA,MAAA,EQWvC,iBRXuC,CAAA,EQWnB,ORXmB,CAAA,IAAA,CAAA;EAAO,WAwC7B,CAAA,CAAA,EQT5B,QRS4B,CQTnB,mBRSmB,CAAA;EAAC,QAAT,YAAA;;;;;AAAc;USzFlC,eAAA;;;;ETMZ,SAAA,gBAAU,CAAA,EAAA,MAAA;AAEf;AAEiB,cSHJ,mBAAA,GTSyB,YAAA;AAGzB,cSVA,gBTUU,EAAA;EAAA,SAAA,QAAA,EAAA,2BAAA;EAAA,SAQD,WAAA,EAAA,8BAAA;EAAgB,SAWJ,QAAA,EAAA,2BAAA;EAAU,SAWpB,aAAA,EAAA,gCAAA;EAAU,SAAiC,KAAA,EAAA,wBAAA;EAAO,SAwC7B,gBAAA,EAAA,iCAAA;EAAC,SAAT,WAAA,EAAA,8BAAA;CAAO;;;;AAAO;;AAnDjB,KUpBtB,UAAA,GAAa,mBVoBS;;AAWiC,UU5BlD,cAAA,CV4BkD;EAAO,SAwC7B,IAAA,EAAA,MAAA;EAAC,SAAT,UAAA,EAAA,MAAA;EAAO,SAAM,WAAA,EAAA,MAAA;AAAC;;;;ACzFnD;AAYiB,USmBA,eAAA,CTnBY;EAOZ;oBScG;;iCAEa;;qBAEZ;ETPT;kBSSM;;4BAEU;ERpChB;EACA,SAAA,eAAc,EQqCE,iBRrCC;EAEjB;EAAiB,aAAA,EAAA,EAAA,SQqCD,cRrCC,EAAA;EAAA;;AAAmC;AAIhE;EAAkC,aAAA,EAAA,EAAA,SQsCN,SRtCM,EAAA;;;;;AAUQ;AAG1C;;;;AAK4B;AAG5B;;;;AC7BA;AACA;AAEiB,iBO6DK,OAAA,CP7Da,MAAA,EO8DzB,eP9DyB,EAAA,OAOG,CAPH,EAAA;EAOlB,SAAA,mBAAqB,CAAA,EOwDO,KPxDP;CAAA,CAAA,EOyDnC,OPzDmC,COyD3B,ePzD2B,CAAA;;;;AAaE;AAOxC;;;;;;;;AAoCqB,cOkDR,SAAA,CPlDQ;EAAmB,QAAA,WAAA,CAAA;EAGvB,OAAA,OAAA,EAAA,OOoDD,OPpDwB;;;;;;;UQtEvB,UAAA;;EXGZ,SAAA,UAAU,CAAA,EWDS,QXCT,CWDkB,MXClB,CAAA,MAAA,EWDiC,UXCjC,CAAA,CAAA;EAEH,SAAK,QAAA,CAAA,EAAA,SAAA,MAAA,EAAA;EAEA,SAAA,KAAA,CAAA,EWHE,UXGc;EASpB,SAAA,IAAU,CAAA,EAAA,SAAA,MAAA,EAAA;EAAA,SAAA,WAAA,CAAA,EAAA,MAAA;EAAA,SAQD,OAAA,CAAA,EAAA,OAAA;;;;;;AA8D4B,UWxEjC,SAAA,CXwEiC;EAAC,SAAA,IAAA,EAAA,MAAA;;uBWrE5B;6BACM,4BAA4B;AVrBzD;AAYA;AAOA;;;;;;AAWA;;;;ACzBA;AACA;AAEA;;;;AAAgE;AAIhE;;;;;;AAU0C;AAG1C;;;;AAK4B;AAG5B;;;;AC7BY,iBQsDI,aAAA,CRtDc,MAAA,EQsDQ,eRtDgB,CAAA,EAAA,SQsDW,SRtDX,EAAA;;;;AACtD;USHiB,cAAA;;;KAIL,eAAA;EZAP,SAAA,KAAU,EAAA,MAAA;AAEf,CAAA,GAAY;EAEK,SAAA,mBAAgB,EAMA,IAAA;EAGpB,SAAA,YAAU,EAAA,MAAA;CAAA"}

package/dist/index.cjs

@@ -33,6 +33,15 @@ const UCPProfileSchema = __omnixhq_ucp_js_sdk.UcpDiscoveryProfileSchema.passthro
 const CreateCheckoutRequestSchema = __omnixhq_ucp_js_sdk.ExtendedCheckoutCreateRequestSchema.passthrough();
 const UpdateCheckoutRequestSchema = __omnixhq_ucp_js_sdk.ExtendedCheckoutUpdateRequestSchema.passthrough();
 const CompleteCheckoutRequestSchema = __omnixhq_ucp_js_sdk.CheckoutCompleteRequestSchema.passthrough();
+const JWKSchema = zod.z.object({
+	kty: zod.z.string(),
+	kid: zod.z.string().optional(),
+	use: zod.z.string().optional(),
+	alg: zod.z.string().optional(),
+	crv: zod.z.string().optional(),
+	x: zod.z.string().optional(),
+	y: zod.z.string().optional()
+}).passthrough();
 
 //#endregion
 //#region src/http.ts
@@ -867,8 +876,10 @@ async function connect(config, options) {
 	const order = capabilityNames.has(UCP_CAPABILITIES.ORDER) ? new OrderCapability(http) : null;
 	const identityLinking = await buildIdentityLinking(config, capabilityNames);
 	const paymentHandlers = extractPaymentHandlers(profile);
+	const signingKeys = extractSigningKeys(profile);
 	const client = {
 		profile,
+		signingKeys,
 		checkout,
 		order,
 		identityLinking,
@@ -919,6 +930,16 @@ function extractPaymentHandlers(profile) {
 	if (!result.success) return {};
 	return result.data;
 }
+function extractSigningKeys(profile) {
+	const raw = profile["signing_keys"];
+	if (!Array.isArray(raw)) return [];
+	const keys = [];
+	for (const item of raw) {
+		const result = JWKSchema.safeParse(item);
+		if (result.success) keys.push(result.data);
+	}
+	return keys;
+}
 function buildCheckoutCapability(http, capabilityNames) {
 	if (!capabilityNames.has(UCP_CAPABILITIES.CHECKOUT)) return null;
 	const extensions = {
@@ -1023,6 +1044,120 @@ function buildToolDescriptors(checkout, order, identityLinking) {
 	return tools;
 }
 
+//#endregion
+//#region src/verify-signature.ts
+/**
+* Verifies a `Request-Signature` header (detached JWS per RFC 7797) over a raw request body.
+*
+* Per UCP spec, the JWT header MUST include a `kid` claim identifying the signing key.
+* Returns `false` if `kid` is absent — do not fall back to guessing.
+*
+* @returns `true` if the signature is valid, `false` for any verification failure.
+*/
+async function verifyRequestSignature(body, signature, signingKeys) {
+	const parts = signature.split(".");
+	if (parts.length !== 3 || parts[1] !== "") return false;
+	const [headerB64, , sigB64] = parts;
+	let header;
+	try {
+		header = JSON.parse(new TextDecoder().decode(base64urlDecode(headerB64)));
+	} catch {
+		return false;
+	}
+	if (typeof header["alg"] !== "undefined" && header["alg"] !== "ES256") return false;
+	if (typeof header["kid"] !== "string") return false;
+	const kid = header["kid"];
+	const key = signingKeys.find((k) => k.kid === kid);
+	if (!key) return false;
+	let cryptoKey;
+	try {
+		cryptoKey = await crypto.subtle.importKey("jwk", key, {
+			name: "ECDSA",
+			namedCurve: "P-256"
+		}, false, ["verify"]);
+	} catch {
+		return false;
+	}
+	let sigBytes;
+	try {
+		sigBytes = base64urlDecode(sigB64);
+	} catch {
+		return false;
+	}
+	const signingInput = `${headerB64}.${Buffer.from(body).toString("base64url")}`;
+	try {
+		return await crypto.subtle.verify({
+			name: "ECDSA",
+			hash: "SHA-256"
+		}, cryptoKey, sigBytes, new TextEncoder().encode(signingInput));
+	} catch {
+		return false;
+	}
+}
+/**
+* Creates a {@link WebhookVerifier} bound to a specific business's UCP gateway.
+*
+* Signing keys are lazily loaded from `<gatewayUrl>/.well-known/ucp` on the first call
+* and cached by `kid`. A cache miss triggers a re-fetch to support key rotation.
+*
+* @example
+* ```typescript
+* import { createWebhookVerifier } from '@omnixhq/ucp-client';
+*
+* const verifier = createWebhookVerifier('https://store.example.com');
+*
+* // In your webhook handler:
+* const valid = await verifier.verify(rawBody, req.headers['request-signature']);
+* if (!valid) return res.status(401).send('Invalid signature');
+* ```
+*/
+function createWebhookVerifier(gatewayUrl) {
+	const baseUrl = gatewayUrl.replace(/\/+$/, "");
+	const keyCache = new Map();
+	let fetched = false;
+	async function loadKeys() {
+		const res = await fetch(`${baseUrl}/.well-known/ucp`);
+		if (!res.ok) return;
+		const profile = await res.json();
+		const rawKeys = profile["signing_keys"];
+		if (!Array.isArray(rawKeys)) return;
+		keyCache.clear();
+		for (const item of rawKeys) {
+			const parsed = JWKSchema.safeParse(item);
+			if (parsed.success && typeof parsed.data.kid === "string") keyCache.set(parsed.data.kid, parsed.data);
+		}
+		fetched = true;
+	}
+	return { async verify(body, signature) {
+		const kid = extractKid(signature);
+		if (kid === null) return false;
+		if (!fetched) await loadKeys();
+		if (!keyCache.has(kid)) await loadKeys();
+		const key = keyCache.get(kid);
+		if (!key) return false;
+		return verifyRequestSignature(body, signature, [key]);
+	} };
+}
+/** Extracts the `kid` from a detached JWS header without full verification. */
+function extractKid(signature) {
+	const parts = signature.split(".");
+	if (parts.length !== 3 || parts[1] !== "") return null;
+	try {
+		const header = JSON.parse(new TextDecoder().decode(base64urlDecode(parts[0])));
+		return typeof header["kid"] === "string" ? header["kid"] : null;
+	} catch {
+		return null;
+	}
+}
+function base64urlDecode(b64url) {
+	const b64 = b64url.replace(/-/g, "+").replace(/_/g, "/");
+	const padded = b64 + "=".repeat((4 - b64.length % 4) % 4);
+	const binaryStr = atob(padded);
+	const result = new Uint8Array(binaryStr.length);
+	for (let i = 0; i < binaryStr.length; i++) result[i] = binaryStr.charCodeAt(i);
+	return result;
+}
+
 //#endregion
 exports.AccountInfoSchema = __omnixhq_ucp_js_sdk.AccountInfoSchema
 exports.AdjustmentSchema = __omnixhq_ucp_js_sdk.AdjustmentSchema
@@ -1080,6 +1215,7 @@ exports.FulfillmentSchema = __omnixhq_ucp_js_sdk.FulfillmentSchema
 exports.IdentityLinkingCapability = IdentityLinkingCapability
 exports.ItemResponseSchema = __omnixhq_ucp_js_sdk.ItemResponseSchema
 exports.ItemSchema = __omnixhq_ucp_js_sdk.ItemSchema
+exports.JWKSchema = JWKSchema
 exports.LineItemResponseSchema = __omnixhq_ucp_js_sdk.LineItemResponseSchema
 exports.LineItemSchema = __omnixhq_ucp_js_sdk.LineItemSchema
 exports.LineItemUpdateRequestSchema = __omnixhq_ucp_js_sdk.LineItemUpdateRequestSchema
@@ -1133,5 +1269,7 @@ exports.UcpReverseDomainNameSchema = __omnixhq_ucp_js_sdk.UcpReverseDomainNameSc
 exports.UcpVersionSchema = __omnixhq_ucp_js_sdk.UcpVersionSchema
 exports.UpdateCheckoutRequestSchema = UpdateCheckoutRequestSchema
 exports.connect = connect
+exports.createWebhookVerifier = createWebhookVerifier
 exports.getAgentTools = getAgentTools
+exports.verifyRequestSignature = verifyRequestSignature
 //# sourceMappingURL=index.cjs.map