@openid4vc/oauth2 0.3.1-alpha-20251124151046 → 0.4.0-alpha-20251127093634

package/dist/index.d.cts

@@ -1,3705 +0,0 @@
-import { BaseSchema, ContentType, Fetch, FetchHeaders, FetchRequestInit, FetchResponse, HttpMethod, HttpMethod as HttpMethod$1, InvalidFetchResponseError, Oid4vcTsConfig, OrPromise, StringWithAutoCompletion, getGlobalConfig, setGlobalConfig } from "@openid4vc/utils";
-import z$1, { z } from "zod";
-
-//#region src/metadata/authorization-server/z-authorization-server-metadata.d.ts
-declare const zAuthorizationServerMetadata: z$1.ZodObject<{
-  issuer: z$1.ZodURL;
-  token_endpoint: z$1.ZodURL;
-  token_endpoint_auth_methods_supported: z$1.ZodOptional<z$1.ZodArray<z$1.ZodUnion<readonly [z$1.ZodEnum<{
-    client_secret_basic: "client_secret_basic";
-    client_secret_post: "client_secret_post";
-    attest_jwt_client_auth: "attest_jwt_client_auth";
-    client_secret_jwt: "client_secret_jwt";
-    private_key_jwt: "private_key_jwt";
-  }>, z$1.ZodString]>>>;
-  authorization_endpoint: z$1.ZodOptional<z$1.ZodURL>;
-  jwks_uri: z$1.ZodOptional<z$1.ZodURL>;
-  grant_types_supported: z$1.ZodOptional<z$1.ZodArray<z$1.ZodString>>;
-  code_challenge_methods_supported: z$1.ZodOptional<z$1.ZodArray<z$1.ZodString>>;
-  dpop_signing_alg_values_supported: z$1.ZodOptional<z$1.ZodArray<z$1.ZodString>>;
-  require_pushed_authorization_requests: z$1.ZodOptional<z$1.ZodBoolean>;
-  pushed_authorization_request_endpoint: z$1.ZodOptional<z$1.ZodURL>;
-  introspection_endpoint: z$1.ZodOptional<z$1.ZodURL>;
-  introspection_endpoint_auth_methods_supported: z$1.ZodOptional<z$1.ZodArray<z$1.ZodUnion<readonly [z$1.ZodEnum<{
-    client_secret_basic: "client_secret_basic";
-    client_secret_post: "client_secret_post";
-    attest_jwt_client_auth: "attest_jwt_client_auth";
-    client_secret_jwt: "client_secret_jwt";
-    private_key_jwt: "private_key_jwt";
-  }>, z$1.ZodString]>>>;
-  introspection_endpoint_auth_signing_alg_values_supported: z$1.ZodOptional<z$1.ZodArray<z$1.ZodString>>;
-  authorization_challenge_endpoint: z$1.ZodOptional<z$1.ZodURL>;
-  'pre-authorized_grant_anonymous_access_supported': z$1.ZodOptional<z$1.ZodBoolean>;
-  client_attestation_pop_nonce_required: z$1.ZodOptional<z$1.ZodBoolean>;
-}, z$1.core.$loose>;
-type AuthorizationServerMetadata = z$1.infer<typeof zAuthorizationServerMetadata>;
-//#endregion
-//#region src/client-authentication.d.ts
-declare enum SupportedClientAuthenticationMethod {
-  ClientSecretBasic = "client_secret_basic",
-  ClientSecretPost = "client_secret_post",
-  ClientAttestationJwt = "attest_jwt_client_auth",
-  None = "none",
-}
-interface ClientAuthenticationDynamicOptions {
-  clientId: string;
-  clientSecret: string;
-}
-/**
- * Dynamicaly get the client authentication method based on endpoint type and authorization server.
- * Only `client_secret_post`, `client_secret_basic`, and `none` supported.
- *
- * It also supports anonymous access to the token endpoint for pre-authorized code flow
- * if the authorization server has enabled `pre-authorized_grant_anonymous_access_supported`
- */
-declare function clientAuthenticationDynamic(options: ClientAuthenticationDynamicOptions): ClientAuthenticationCallback;
-/**
- * Options for client authentication
- */
-interface ClientAuthenticationCallbackOptions {
-  /**
-   * Metadata of the authorization server
-   */
-  authorizationServerMetadata: AuthorizationServerMetadata;
-  /**
-   * URL to which the request will be made
-   */
-  url: string;
-  /**
-   * http method that will be used
-   */
-  method: HttpMethod$1;
-  /**
-   * Headers for the request. You can modify this object
-   */
-  headers: FetchHeaders;
-  contentType: ContentType;
-  /**
-   * The body as a JSON object. If content type `x-www-form-urlencoded`
-   * is used, it will be encoded after this call.
-   *
-   * You can modify this object
-   */
-  body: Record<string, unknown>;
-}
-/**
- * Callback method to determine the client authentication for a request.
- */
-type ClientAuthenticationCallback = (options: ClientAuthenticationCallbackOptions) => Promise<void> | void;
-interface ClientAuthenticationClientSecretPostOptions {
-  clientId: string;
-  clientSecret: string;
-}
-/**
- * Client authentication using `client_secret_post` option
- */
-declare function clientAuthenticationClientSecretPost(options: ClientAuthenticationClientSecretPostOptions): ClientAuthenticationCallback;
-interface ClientAuthenticationClientSecretBasicOptions {
-  clientId: string;
-  clientSecret: string;
-}
-/**
- * Client authentication using `client_secret_basic` option
- */
-declare function clientAuthenticationClientSecretBasic(options: ClientAuthenticationClientSecretBasicOptions): ClientAuthenticationCallback;
-interface ClientAuthenticationNoneOptions {
-  clientId: string;
-}
-/**
- * Client authentication using `none` option
- */
-declare function clientAuthenticationNone(options: ClientAuthenticationNoneOptions): ClientAuthenticationCallback;
-/**
- * Anonymous client authentication
- */
-declare function clientAuthenticationAnonymous(): ClientAuthenticationCallback;
-interface ClientAuthenticationClientAttestationJwtOptions {
-  clientAttestationJwt: string;
-  callbacks: Pick<CallbackContext, 'signJwt' | 'generateRandom'>;
-}
-/**
- * Client authentication using `attest_jwt_client_auth` option.
- */
-declare function clientAuthenticationClientAttestationJwt(options: ClientAuthenticationClientAttestationJwtOptions): ClientAuthenticationCallback;
-//#endregion
-//#region src/common/jwk/z-jwk.d.ts
-declare const zJwk: z$1.ZodObject<{
-  kty: z$1.ZodString;
-  crv: z$1.ZodOptional<z$1.ZodString>;
-  x: z$1.ZodOptional<z$1.ZodString>;
-  y: z$1.ZodOptional<z$1.ZodString>;
-  e: z$1.ZodOptional<z$1.ZodString>;
-  n: z$1.ZodOptional<z$1.ZodString>;
-  alg: z$1.ZodOptional<z$1.ZodString>;
-  d: z$1.ZodOptional<z$1.ZodString>;
-  dp: z$1.ZodOptional<z$1.ZodString>;
-  dq: z$1.ZodOptional<z$1.ZodString>;
-  ext: z$1.ZodOptional<z$1.ZodBoolean>;
-  k: z$1.ZodOptional<z$1.ZodString>;
-  key_ops: z$1.ZodOptional<z$1.ZodArray<z$1.ZodString>>;
-  kid: z$1.ZodOptional<z$1.ZodString>;
-  oth: z$1.ZodOptional<z$1.ZodArray<z$1.ZodObject<{
-    d: z$1.ZodOptional<z$1.ZodString>;
-    r: z$1.ZodOptional<z$1.ZodString>;
-    t: z$1.ZodOptional<z$1.ZodString>;
-  }, z$1.core.$loose>>>;
-  p: z$1.ZodOptional<z$1.ZodString>;
-  q: z$1.ZodOptional<z$1.ZodString>;
-  qi: z$1.ZodOptional<z$1.ZodString>;
-  use: z$1.ZodOptional<z$1.ZodString>;
-  x5c: z$1.ZodOptional<z$1.ZodArray<z$1.ZodString>>;
-  x5t: z$1.ZodOptional<z$1.ZodString>;
-  'x5t#S256': z$1.ZodOptional<z$1.ZodString>;
-  x5u: z$1.ZodOptional<z$1.ZodString>;
-}, z$1.core.$loose>;
-type Jwk = z$1.infer<typeof zJwk>;
-declare const zJwkSet: z$1.ZodObject<{
-  keys: z$1.ZodArray<z$1.ZodObject<{
-    kty: z$1.ZodString;
-    crv: z$1.ZodOptional<z$1.ZodString>;
-    x: z$1.ZodOptional<z$1.ZodString>;
-    y: z$1.ZodOptional<z$1.ZodString>;
-    e: z$1.ZodOptional<z$1.ZodString>;
-    n: z$1.ZodOptional<z$1.ZodString>;
-    alg: z$1.ZodOptional<z$1.ZodString>;
-    d: z$1.ZodOptional<z$1.ZodString>;
-    dp: z$1.ZodOptional<z$1.ZodString>;
-    dq: z$1.ZodOptional<z$1.ZodString>;
-    ext: z$1.ZodOptional<z$1.ZodBoolean>;
-    k: z$1.ZodOptional<z$1.ZodString>;
-    key_ops: z$1.ZodOptional<z$1.ZodArray<z$1.ZodString>>;
-    kid: z$1.ZodOptional<z$1.ZodString>;
-    oth: z$1.ZodOptional<z$1.ZodArray<z$1.ZodObject<{
-      d: z$1.ZodOptional<z$1.ZodString>;
-      r: z$1.ZodOptional<z$1.ZodString>;
-      t: z$1.ZodOptional<z$1.ZodString>;
-    }, z$1.core.$loose>>>;
-    p: z$1.ZodOptional<z$1.ZodString>;
-    q: z$1.ZodOptional<z$1.ZodString>;
-    qi: z$1.ZodOptional<z$1.ZodString>;
-    use: z$1.ZodOptional<z$1.ZodString>;
-    x5c: z$1.ZodOptional<z$1.ZodArray<z$1.ZodString>>;
-    x5t: z$1.ZodOptional<z$1.ZodString>;
-    'x5t#S256': z$1.ZodOptional<z$1.ZodString>;
-    x5u: z$1.ZodOptional<z$1.ZodString>;
-  }, z$1.core.$loose>>;
-}, z$1.core.$loose>;
-type JwkSet = z$1.infer<typeof zJwkSet>;
-//#endregion
-//#region src/common/jwt/z-jwt.d.ts
-type JwtSignerDid = {
-  method: 'did';
-  didUrl: string;
-  alg: string;
-  /**
-   * The key id that should be used for signing. You need to make sure the kid actuall matches
-   * with the key associated with the didUrl.
-   */
-  kid?: string;
-};
-type JwtSignerJwk = {
-  method: 'jwk';
-  publicJwk: Jwk;
-  alg: string;
-  /**
-   * The key id that should be used for signing. You need to make sure the kid actuall matches
-   * with the key associated with the jwk.
-   *
-   * If not provided the kid can also be extracted from the `publicJwk`. Providing it here means the `kid` won't
-   * be included in the JWT header.
-   */
-  kid?: string;
-};
-type JwtSignerX5c = {
-  method: 'x5c';
-  x5c: string[];
-  alg: string;
-  /**
-   * The key id that should be used for signing. You need to make sure the kid actuall matches
-   * with the key associated with the leaf certificate.
-   */
-  kid?: string;
-};
-type JwtSignerFederation = {
-  method: 'federation';
-  trustChain?: [string, ...string[]];
-  alg: string;
-  /**
-   * The key id that should be used for signing. You need to make sure the kid actuall matches
-   * with a key present in the federation.
-   */
-  kid: string;
-};
-type JwtSignerCustom = {
-  method: 'custom';
-  alg: string;
-  /**
-   * The key id that should be used for signing.
-   */
-  kid?: string;
-};
-type JwtSigner = JwtSignerDid | JwtSignerJwk | JwtSignerX5c | JwtSignerFederation | JwtSignerCustom;
-type JwtSignerWithJwk = JwtSigner & {
-  publicJwk: Jwk;
-};
-type JweEncryptor = JwtSignerJwk & {
-  enc: string;
-  /**
-   * base64-url encoded apu
-   */
-  apu?: string;
-  /**
-   * base64-url encoded apv
-   */
-  apv?: string;
-};
-declare const zCompactJwt: z$1.ZodString;
-declare const zJwtPayload: z$1.ZodObject<{
-  iss: z$1.ZodOptional<z$1.ZodString>;
-  aud: z$1.ZodOptional<z$1.ZodUnion<readonly [z$1.ZodString, z$1.ZodArray<z$1.ZodString>]>>;
-  iat: z$1.ZodOptional<z$1.ZodNumber>;
-  exp: z$1.ZodOptional<z$1.ZodNumber>;
-  nbf: z$1.ZodOptional<z$1.ZodNumber>;
-  nonce: z$1.ZodOptional<z$1.ZodString>;
-  jti: z$1.ZodOptional<z$1.ZodString>;
-  sub: z$1.ZodOptional<z$1.ZodString>;
-  cnf: z$1.ZodOptional<z$1.ZodObject<{
-    jwk: z$1.ZodOptional<z$1.ZodObject<{
-      kty: z$1.ZodString;
-      crv: z$1.ZodOptional<z$1.ZodString>;
-      x: z$1.ZodOptional<z$1.ZodString>;
-      y: z$1.ZodOptional<z$1.ZodString>;
-      e: z$1.ZodOptional<z$1.ZodString>;
-      n: z$1.ZodOptional<z$1.ZodString>;
-      alg: z$1.ZodOptional<z$1.ZodString>;
-      d: z$1.ZodOptional<z$1.ZodString>;
-      dp: z$1.ZodOptional<z$1.ZodString>;
-      dq: z$1.ZodOptional<z$1.ZodString>;
-      ext: z$1.ZodOptional<z$1.ZodBoolean>;
-      k: z$1.ZodOptional<z$1.ZodString>;
-      key_ops: z$1.ZodOptional<z$1.ZodArray<z$1.ZodString>>;
-      kid: z$1.ZodOptional<z$1.ZodString>;
-      oth: z$1.ZodOptional<z$1.ZodArray<z$1.ZodObject<{
-        d: z$1.ZodOptional<z$1.ZodString>;
-        r: z$1.ZodOptional<z$1.ZodString>;
-        t: z$1.ZodOptional<z$1.ZodString>;
-      }, z$1.core.$loose>>>;
-      p: z$1.ZodOptional<z$1.ZodString>;
-      q: z$1.ZodOptional<z$1.ZodString>;
-      qi: z$1.ZodOptional<z$1.ZodString>;
-      use: z$1.ZodOptional<z$1.ZodString>;
-      x5c: z$1.ZodOptional<z$1.ZodArray<z$1.ZodString>>;
-      x5t: z$1.ZodOptional<z$1.ZodString>;
-      'x5t#S256': z$1.ZodOptional<z$1.ZodString>;
-      x5u: z$1.ZodOptional<z$1.ZodString>;
-    }, z$1.core.$loose>>;
-    jkt: z$1.ZodOptional<z$1.ZodString>;
-  }, z$1.core.$loose>>;
-  status: z$1.ZodOptional<z$1.ZodRecord<z$1.ZodString, z$1.ZodAny>>;
-  trust_chain: z$1.ZodOptional<z$1.ZodTuple<[z$1.ZodString], z$1.ZodString>>;
-}, z$1.core.$loose>;
-type JwtPayload = z$1.infer<typeof zJwtPayload>;
-declare const zJwtHeader: z$1.ZodObject<{
-  alg: z$1.ZodString;
-  typ: z$1.ZodOptional<z$1.ZodString>;
-  kid: z$1.ZodOptional<z$1.ZodString>;
-  jwk: z$1.ZodOptional<z$1.ZodObject<{
-    kty: z$1.ZodString;
-    crv: z$1.ZodOptional<z$1.ZodString>;
-    x: z$1.ZodOptional<z$1.ZodString>;
-    y: z$1.ZodOptional<z$1.ZodString>;
-    e: z$1.ZodOptional<z$1.ZodString>;
-    n: z$1.ZodOptional<z$1.ZodString>;
-    alg: z$1.ZodOptional<z$1.ZodString>;
-    d: z$1.ZodOptional<z$1.ZodString>;
-    dp: z$1.ZodOptional<z$1.ZodString>;
-    dq: z$1.ZodOptional<z$1.ZodString>;
-    ext: z$1.ZodOptional<z$1.ZodBoolean>;
-    k: z$1.ZodOptional<z$1.ZodString>;
-    key_ops: z$1.ZodOptional<z$1.ZodArray<z$1.ZodString>>;
-    kid: z$1.ZodOptional<z$1.ZodString>;
-    oth: z$1.ZodOptional<z$1.ZodArray<z$1.ZodObject<{
-      d: z$1.ZodOptional<z$1.ZodString>;
-      r: z$1.ZodOptional<z$1.ZodString>;
-      t: z$1.ZodOptional<z$1.ZodString>;
-    }, z$1.core.$loose>>>;
-    p: z$1.ZodOptional<z$1.ZodString>;
-    q: z$1.ZodOptional<z$1.ZodString>;
-    qi: z$1.ZodOptional<z$1.ZodString>;
-    use: z$1.ZodOptional<z$1.ZodString>;
-    x5c: z$1.ZodOptional<z$1.ZodArray<z$1.ZodString>>;
-    x5t: z$1.ZodOptional<z$1.ZodString>;
-    'x5t#S256': z$1.ZodOptional<z$1.ZodString>;
-    x5u: z$1.ZodOptional<z$1.ZodString>;
-  }, z$1.core.$loose>>;
-  x5c: z$1.ZodOptional<z$1.ZodArray<z$1.ZodString>>;
-  trust_chain: z$1.ZodOptional<z$1.ZodTuple<[z$1.ZodString], z$1.ZodString>>;
-}, z$1.core.$loose>;
-type JwtHeader = z$1.infer<typeof zJwtHeader>;
-//#endregion
-//#region src/callbacks.d.ts
-/**
- * Supported hashing algorithms
- *
- * Based on https://www.iana.org/assignments/named-information/named-information.xhtml
- */
-declare enum HashAlgorithm {
-  Sha256 = "sha-256",
-  Sha384 = "sha-384",
-  Sha512 = "sha-512",
-}
-/**
- * Callback used for operations that require hashing
- */
-type HashCallback = (data: Uint8Array, alg: HashAlgorithm) => OrPromise<Uint8Array>;
-type GenerateRandomCallback = (byteLength: number) => OrPromise<Uint8Array>;
-type SignJwtCallback = (jwtSigner: JwtSigner, jwt: {
-  header: JwtHeader;
-  payload: JwtPayload;
-}) => OrPromise<{
-  jwt: string;
-  signerJwk: Jwk;
-}>;
-type VerifyJwtCallback = (jwtSigner: JwtSigner, jwt: {
-  header: JwtHeader;
-  payload: JwtPayload;
-  compact: string;
-}) => OrPromise<{
-  verified: true;
-  signerJwk: Jwk;
-} | {
-  verified: false;
-  signerJwk?: Jwk;
-}>;
-interface DecryptJweCallbackOptions {
-  jwk?: Jwk;
-}
-type DecryptJweCallback = (jwe: string, options?: DecryptJweCallbackOptions) => OrPromise<{
-  decrypted: true;
-  decryptionJwk: Jwk;
-  payload: string;
-} | {
-  decrypted: false;
-  decryptionJwk?: Jwk;
-  payload?: string;
-}>;
-type EncryptJweCallback = (jweEncryptor: JweEncryptor, data: string) => OrPromise<{
-  encryptionJwk: Jwk;
-  jwe: string;
-}>;
-/**
- * Callback context provides the callbacks that are required for the openid4vc library
- */
-interface CallbackContext {
-  /**
-   * Custom fetch implementation to use
-   */
-  fetch?: Fetch;
-  /**
-   * Hash callback used for e.g. dpop and pkce
-   */
-  hash: HashCallback;
-  /**
-   * Sign jwt callback for signing of Json Web Tokens
-   */
-  signJwt: SignJwtCallback;
-  /**
-   * Decrypt jwe callback for decrypting of Json Web Encryptions
-   */
-  decryptJwe: DecryptJweCallback;
-  /**
-   * Encrypt jwt callback for encrypting of Json Web Encryptions
-   */
-  encryptJwe: EncryptJweCallback;
-  /**
-   * Verify jwt callback for verification of Json Web Tokens
-   */
-  verifyJwt: VerifyJwtCallback;
-  /**
-   * Generate random callback to generate random bytes. Used for
-   * e.g. the 'jti' value in a dpop jwt, and 'code_verifier' in pkce.
-   */
-  generateRandom: GenerateRandomCallback;
-  /**
-   * Extend a request to the authorization server with client authentication
-   * parameters. If you're not using client authentication, you can set this
-   * to `clientAuthenticationNone()`
-   *
-   * There are three default client authentication methods provided:
-   * - `clientAuthenticationClientSecretPost`
-   * - `clientAuthenticationClientSecretBasic`
-   * - `clientAuthenticationClientAttestationJwt`
-   * - `clientAuthenticationNone`
-   * - `clientAuthenticationAnonymous`
-   *
-   * A custom implementation can be made for other methods, or allowing complex
-   * scenarios where multiple authorization servers are supported.
-   */
-  clientAuthentication: ClientAuthenticationCallback;
-  /**
-   * Get the DNS names and URI names from a X.509 certificate
-   */
-  getX509CertificateMetadata?: (certificate: string) => {
-    sanDnsNames: string[];
-    sanUriNames: string[];
-  };
-}
-//#endregion
-//#region src/common/z-common.d.ts
-declare const zAlgValueNotNone: z$1.ZodString;
-interface RequestLike {
-  headers: FetchHeaders;
-  method: HttpMethod$1;
-  url: string;
-}
-//#endregion
-//#region src/dpop/dpop.d.ts
-interface RequestDpopOptions {
-  /**
-   * Dpop nonce to use for constructing the dpop jwt
-   */
-  nonce?: string;
-  /**
-   * The signer of the dpop jwt
-   */
-  signer: JwtSignerJwk;
-}
-interface VerifyDpopJwtOptions {
-  /**
-   * The compact dpop jwt.
-   */
-  dpopJwt: string;
-  /**
-   * The requet for which to verify the dpop jwt
-   */
-  request: RequestLike;
-  /**
-   * Allowed dpop signing alg values. If not provided
-   * any alg values are allowed and it's up to the `verifyJwtCallback`
-   * to handle the alg.
-   */
-  allowedSigningAlgs?: string[];
-  /**
-   * Expected nonce in the payload. If not provided the nonce won't be validated.
-   */
-  expectedNonce?: string;
-  /**
-   * Access token to which the dpop jwt is bound. If provided the sha-256 hash of the
-   * access token needs to match the 'ath' claim.
-   */
-  accessToken?: string;
-  /**
-   * The expected jwk thumprint 'jti' confirmation method. If provided the thumprint of the
-   * jwk used to sign the dpop jwt must match this provided thumbprint value. The 'jti' value
-   * can be extracted from the access token payload, or if opaque tokens are used can be retrieved
-   * using token introspection.
-   */
-  expectedJwkThumbprint?: string;
-  /**
-   * Callbacks used for verifying dpop jwt
-   */
-  callbacks: Pick<CallbackContext, 'verifyJwt' | 'hash'>;
-  now?: Date;
-}
-//#endregion
-//#region src/common/z-oauth2-error.d.ts
-declare enum Oauth2ErrorCodes {
-  ServerError = "server_error",
-  InvalidTarget = "invalid_target",
-  InvalidRequest = "invalid_request",
-  InvalidToken = "invalid_token",
-  InsufficientScope = "insufficient_scope",
-  InvalidGrant = "invalid_grant",
-  InvalidClient = "invalid_client",
-  UnauthorizedClient = "unauthorized_client",
-  UnsupportedGrantType = "unsupported_grant_type",
-  InvalidScope = "invalid_scope",
-  InvalidDpopProof = "invalid_dpop_proof",
-  UseDpopNonce = "use_dpop_nonce",
-  RedirectToWeb = "redirect_to_web",
-  InvalidSession = "invalid_session",
-  InsufficientAuthorization = "insufficient_authorization",
-  InvalidCredentialRequest = "invalid_credential_request",
-  CredentialRequestDenied = "credential_request_denied",
-  InvalidProof = "invalid_proof",
-  InvalidNonce = "invalid_nonce",
-  InvalidEncryptionParameters = "invalid_encryption_parameters",
-  UnknownCredentialConfiguration = "unknown_credential_configuration",
-  UnknownCredentialIdentifier = "unknown_credential_identifier",
-  InvalidTransactionId = "invalid_transaction_id",
-  UnsupportedCredentialType = "unsupported_credential_type",
-  UnsupportedCredentialFormat = "unsupported_credential_format",
-  InvalidRequestUri = "invalid_request_uri",
-  InvalidRequestObject = "invalid_request_object",
-  RequestNotSupported = "request_not_supported",
-  RequestUriNotSupported = "request_uri_not_supported",
-  VpFormatsNotSupported = "vp_formats_not_supported",
-  AccessDenied = "access_denied",
-  InvalidPresentationDefinitionUri = "invalid_presentation_definition_uri",
-  InvalidPresentationDefinitionReference = "invalid_presentation_definition_reference",
-  InvalidRequestUriMethod = "invalid_request_uri_method",
-  InvalidTransactionData = "invalid_transaction_data",
-  WalletUnavailable = "wallet_unavailable",
-}
-declare const zOauth2ErrorResponse: z$1.ZodObject<{
-  error: z$1.ZodUnion<readonly [z$1.ZodEnum<typeof Oauth2ErrorCodes>, z$1.ZodString]>;
-  error_description: z$1.ZodOptional<z$1.ZodString>;
-  error_uri: z$1.ZodOptional<z$1.ZodString>;
-}, z$1.core.$loose>;
-type Oauth2ErrorResponse = z$1.infer<typeof zOauth2ErrorResponse>;
-//#endregion
-//#region src/access-token/z-access-token.d.ts
-declare const zAccessTokenRequest: z$1.ZodIntersection<z$1.ZodObject<{
-  'pre-authorized_code': z$1.ZodOptional<z$1.ZodString>;
-  code: z$1.ZodOptional<z$1.ZodString>;
-  redirect_uri: z$1.ZodOptional<z$1.ZodURL>;
-  refresh_token: z$1.ZodOptional<z$1.ZodString>;
-  resource: z$1.ZodOptional<z$1.ZodURL>;
-  code_verifier: z$1.ZodOptional<z$1.ZodString>;
-  grant_type: z$1.ZodUnion<readonly [z$1.ZodLiteral<"urn:ietf:params:oauth:grant-type:pre-authorized_code">, z$1.ZodLiteral<"authorization_code">, z$1.ZodLiteral<"refresh_token">, z$1.ZodString]>;
-}, z$1.core.$loose>, z$1.ZodPipe<z$1.ZodObject<{
-  tx_code: z$1.ZodOptional<z$1.ZodString>;
-  user_pin: z$1.ZodOptional<z$1.ZodString>;
-}, z$1.core.$loose>, z$1.ZodTransform<{
-  tx_code?: string | undefined;
-}, {
-  [x: string]: unknown;
-  tx_code?: string | undefined;
-  user_pin?: string | undefined;
-}>>>;
-type AccessTokenRequest = z$1.infer<typeof zAccessTokenRequest>;
-declare const zAccessTokenResponse: z$1.ZodObject<{
-  access_token: z$1.ZodString;
-  token_type: z$1.ZodString;
-  expires_in: z$1.ZodOptional<z$1.ZodNumber>;
-  scope: z$1.ZodOptional<z$1.ZodString>;
-  state: z$1.ZodOptional<z$1.ZodString>;
-  refresh_token: z$1.ZodOptional<z$1.ZodString>;
-  c_nonce: z$1.ZodOptional<z$1.ZodString>;
-  c_nonce_expires_in: z$1.ZodOptional<z$1.ZodNumber>;
-  authorization_details: z$1.ZodOptional<z$1.ZodArray<z$1.ZodObject<{}, z$1.core.$loose>>>;
-}, z$1.core.$loose>;
-type AccessTokenResponse = z$1.infer<typeof zAccessTokenResponse>;
-declare const zAccessTokenErrorResponse: z$1.ZodObject<{
-  error: z$1.ZodUnion<readonly [z$1.ZodEnum<typeof Oauth2ErrorCodes>, z$1.ZodString]>;
-  error_description: z$1.ZodOptional<z$1.ZodString>;
-  error_uri: z$1.ZodOptional<z$1.ZodString>;
-}, z$1.core.$loose>;
-type AccessTokenErrorResponse = z$1.infer<typeof zAccessTokenErrorResponse>;
-//#endregion
-//#region src/access-token/retrieve-access-token.d.ts
-interface RetrieveAccessTokenReturn {
-  accessTokenResponse: AccessTokenResponse;
-  dpop?: RequestDpopOptions;
-}
-interface RetrieveAccessTokenBaseOptions {
-  /**
-   * Authorization server to request the access token from
-   */
-  authorizationServerMetadata: AuthorizationServerMetadata;
-  /**
-   * Callbacks to use for requesting access token
-   */
-  callbacks: Pick<CallbackContext, 'fetch' | 'generateRandom' | 'hash' | 'signJwt' | 'clientAuthentication'>;
-  /**
-   * The resource to which access is being requested. This can help the authorization
-   * server in determining the resource server to handle the authorization request for
-   */
-  resource?: string;
-  /**
-   * Dpop parameters for including a dpop in the access token request. The request will automatically
-   * be retried if the server responds with a 'use_dpop_nonce' header.
-   *
-   * If provided but 'dpop_signing_alg_values_supported' is not available in the authorization server
-   * metadata, or the 'alg' value does not match an error will be thrown.
-   */
-  dpop?: RequestDpopOptions;
-}
-interface RetrievePreAuthorizedCodeAccessTokenOptions extends RetrieveAccessTokenBaseOptions {
-  preAuthorizedCode: string;
-  txCode?: string;
-  /**
-   * Additional payload to include in the access token request. Items will be encoded and sent
-   * using x-www-form-urlencoded format. Nested items (JSON) will be stringified and url encoded.
-   */
-  additionalRequestPayload?: Record<string, unknown>;
-}
-interface RetrieveAuthorizationCodeAccessTokenOptions extends RetrieveAccessTokenBaseOptions {
-  /**
-   * PKCE Code verifier that was used in the authorization request.
-   */
-  pkceCodeVerifier?: string;
-  /**
-   * The authorization code
-   */
-  authorizationCode: string;
-  /**
-   * Redirect uri to include in the access token request. Only required
-   * if the redirect uri was present in the authorization request.
-   */
-  redirectUri?: string;
-  /**
-   * Additional payload to include in the access token request. Items will be encoded and sent
-   * using x-www-form-urlencoded format. Nested items (JSON) will be stringified and url encoded.
-   */
-  additionalRequestPayload?: Record<string, unknown>;
-}
-interface RetrieveRefreshTokenAccessTokenOptions extends RetrieveAccessTokenBaseOptions {
-  /**
-   * The refresh token
-   */
-  refreshToken: string;
-  /**
-   * Additional payload to include in the access token request. Items will be encoded and sent
-   * using x-www-form-urlencoded format. Nested items (JSON) will be stringified and url encoded.
-   */
-  additionalRequestPayload?: Record<string, unknown>;
-}
-//#endregion
-//#region src/access-token/verify-access-token.d.ts
-declare enum SupportedAuthenticationScheme {
-  Bearer = "Bearer",
-  DPoP = "DPoP",
-}
-//#endregion
-//#region src/client-attestation/z-client-attestation.d.ts
-declare const zClientAttestationJwtPayload: z$1.ZodObject<{
-  iss: z$1.ZodString;
-  sub: z$1.ZodString;
-  exp: z$1.ZodNumber;
-  cnf: z$1.ZodObject<{
-    jwk: z$1.ZodObject<{
-      kty: z$1.ZodString;
-      crv: z$1.ZodOptional<z$1.ZodString>;
-      x: z$1.ZodOptional<z$1.ZodString>;
-      y: z$1.ZodOptional<z$1.ZodString>;
-      e: z$1.ZodOptional<z$1.ZodString>;
-      n: z$1.ZodOptional<z$1.ZodString>;
-      alg: z$1.ZodOptional<z$1.ZodString>;
-      d: z$1.ZodOptional<z$1.ZodString>;
-      dp: z$1.ZodOptional<z$1.ZodString>;
-      dq: z$1.ZodOptional<z$1.ZodString>;
-      ext: z$1.ZodOptional<z$1.ZodBoolean>;
-      k: z$1.ZodOptional<z$1.ZodString>;
-      key_ops: z$1.ZodOptional<z$1.ZodArray<z$1.ZodString>>;
-      kid: z$1.ZodOptional<z$1.ZodString>;
-      oth: z$1.ZodOptional<z$1.ZodArray<z$1.ZodObject<{
-        d: z$1.ZodOptional<z$1.ZodString>;
-        r: z$1.ZodOptional<z$1.ZodString>;
-        t: z$1.ZodOptional<z$1.ZodString>;
-      }, z$1.core.$loose>>>;
-      p: z$1.ZodOptional<z$1.ZodString>;
-      q: z$1.ZodOptional<z$1.ZodString>;
-      qi: z$1.ZodOptional<z$1.ZodString>;
-      use: z$1.ZodOptional<z$1.ZodString>;
-      x5c: z$1.ZodOptional<z$1.ZodArray<z$1.ZodString>>;
-      x5t: z$1.ZodOptional<z$1.ZodString>;
-      'x5t#S256': z$1.ZodOptional<z$1.ZodString>;
-      x5u: z$1.ZodOptional<z$1.ZodString>;
-    }, z$1.core.$loose>;
-  }, z$1.core.$loose>;
-  wallet_name: z$1.ZodOptional<z$1.ZodString>;
-  wallet_link: z$1.ZodOptional<z$1.ZodURL>;
-  aud: z$1.ZodOptional<z$1.ZodUnion<readonly [z$1.ZodString, z$1.ZodArray<z$1.ZodString>]>>;
-  iat: z$1.ZodOptional<z$1.ZodNumber>;
-  nbf: z$1.ZodOptional<z$1.ZodNumber>;
-  nonce: z$1.ZodOptional<z$1.ZodString>;
-  jti: z$1.ZodOptional<z$1.ZodString>;
-  status: z$1.ZodOptional<z$1.ZodRecord<z$1.ZodString, z$1.ZodAny>>;
-  trust_chain: z$1.ZodOptional<z$1.ZodTuple<[z$1.ZodString], z$1.ZodString>>;
-}, z$1.core.$loose>;
-type ClientAttestationJwtPayload = z$1.infer<typeof zClientAttestationJwtPayload>;
-declare const zClientAttestationJwtHeader: z$1.ZodObject<{
-  typ: z$1.ZodLiteral<"oauth-client-attestation+jwt">;
-  alg: z$1.ZodString;
-  kid: z$1.ZodOptional<z$1.ZodString>;
-  jwk: z$1.ZodOptional<z$1.ZodObject<{
-    kty: z$1.ZodString;
-    crv: z$1.ZodOptional<z$1.ZodString>;
-    x: z$1.ZodOptional<z$1.ZodString>;
-    y: z$1.ZodOptional<z$1.ZodString>;
-    e: z$1.ZodOptional<z$1.ZodString>;
-    n: z$1.ZodOptional<z$1.ZodString>;
-    alg: z$1.ZodOptional<z$1.ZodString>;
-    d: z$1.ZodOptional<z$1.ZodString>;
-    dp: z$1.ZodOptional<z$1.ZodString>;
-    dq: z$1.ZodOptional<z$1.ZodString>;
-    ext: z$1.ZodOptional<z$1.ZodBoolean>;
-    k: z$1.ZodOptional<z$1.ZodString>;
-    key_ops: z$1.ZodOptional<z$1.ZodArray<z$1.ZodString>>;
-    kid: z$1.ZodOptional<z$1.ZodString>;
-    oth: z$1.ZodOptional<z$1.ZodArray<z$1.ZodObject<{
-      d: z$1.ZodOptional<z$1.ZodString>;
-      r: z$1.ZodOptional<z$1.ZodString>;
-      t: z$1.ZodOptional<z$1.ZodString>;
-    }, z$1.core.$loose>>>;
-    p: z$1.ZodOptional<z$1.ZodString>;
-    q: z$1.ZodOptional<z$1.ZodString>;
-    qi: z$1.ZodOptional<z$1.ZodString>;
-    use: z$1.ZodOptional<z$1.ZodString>;
-    x5c: z$1.ZodOptional<z$1.ZodArray<z$1.ZodString>>;
-    x5t: z$1.ZodOptional<z$1.ZodString>;
-    'x5t#S256': z$1.ZodOptional<z$1.ZodString>;
-    x5u: z$1.ZodOptional<z$1.ZodString>;
-  }, z$1.core.$loose>>;
-  x5c: z$1.ZodOptional<z$1.ZodArray<z$1.ZodString>>;
-  trust_chain: z$1.ZodOptional<z$1.ZodTuple<[z$1.ZodString], z$1.ZodString>>;
-}, z$1.core.$loose>;
-type ClientAttestationJwtHeader = z$1.infer<typeof zClientAttestationJwtHeader>;
-declare const zClientAttestationPopJwtPayload: z$1.ZodObject<{
-  iss: z$1.ZodString;
-  exp: z$1.ZodNumber;
-  aud: z$1.ZodUnion<readonly [z$1.ZodURL, z$1.ZodArray<z$1.ZodURL>]>;
-  jti: z$1.ZodString;
-  nonce: z$1.ZodOptional<z$1.ZodString>;
-  iat: z$1.ZodOptional<z$1.ZodNumber>;
-  nbf: z$1.ZodOptional<z$1.ZodNumber>;
-  sub: z$1.ZodOptional<z$1.ZodString>;
-  cnf: z$1.ZodOptional<z$1.ZodObject<{
-    jwk: z$1.ZodOptional<z$1.ZodObject<{
-      kty: z$1.ZodString;
-      crv: z$1.ZodOptional<z$1.ZodString>;
-      x: z$1.ZodOptional<z$1.ZodString>;
-      y: z$1.ZodOptional<z$1.ZodString>;
-      e: z$1.ZodOptional<z$1.ZodString>;
-      n: z$1.ZodOptional<z$1.ZodString>;
-      alg: z$1.ZodOptional<z$1.ZodString>;
-      d: z$1.ZodOptional<z$1.ZodString>;
-      dp: z$1.ZodOptional<z$1.ZodString>;
-      dq: z$1.ZodOptional<z$1.ZodString>;
-      ext: z$1.ZodOptional<z$1.ZodBoolean>;
-      k: z$1.ZodOptional<z$1.ZodString>;
-      key_ops: z$1.ZodOptional<z$1.ZodArray<z$1.ZodString>>;
-      kid: z$1.ZodOptional<z$1.ZodString>;
-      oth: z$1.ZodOptional<z$1.ZodArray<z$1.ZodObject<{
-        d: z$1.ZodOptional<z$1.ZodString>;
-        r: z$1.ZodOptional<z$1.ZodString>;
-        t: z$1.ZodOptional<z$1.ZodString>;
-      }, z$1.core.$loose>>>;
-      p: z$1.ZodOptional<z$1.ZodString>;
-      q: z$1.ZodOptional<z$1.ZodString>;
-      qi: z$1.ZodOptional<z$1.ZodString>;
-      use: z$1.ZodOptional<z$1.ZodString>;
-      x5c: z$1.ZodOptional<z$1.ZodArray<z$1.ZodString>>;
-      x5t: z$1.ZodOptional<z$1.ZodString>;
-      'x5t#S256': z$1.ZodOptional<z$1.ZodString>;
-      x5u: z$1.ZodOptional<z$1.ZodString>;
-    }, z$1.core.$loose>>;
-    jkt: z$1.ZodOptional<z$1.ZodString>;
-  }, z$1.core.$loose>>;
-  status: z$1.ZodOptional<z$1.ZodRecord<z$1.ZodString, z$1.ZodAny>>;
-  trust_chain: z$1.ZodOptional<z$1.ZodTuple<[z$1.ZodString], z$1.ZodString>>;
-}, z$1.core.$loose>;
-type ClientAttestationPopJwtPayload = z$1.infer<typeof zClientAttestationPopJwtPayload>;
-declare const zClientAttestationPopJwtHeader: z$1.ZodObject<{
-  typ: z$1.ZodLiteral<"oauth-client-attestation-pop+jwt">;
-  alg: z$1.ZodString;
-  kid: z$1.ZodOptional<z$1.ZodString>;
-  jwk: z$1.ZodOptional<z$1.ZodObject<{
-    kty: z$1.ZodString;
-    crv: z$1.ZodOptional<z$1.ZodString>;
-    x: z$1.ZodOptional<z$1.ZodString>;
-    y: z$1.ZodOptional<z$1.ZodString>;
-    e: z$1.ZodOptional<z$1.ZodString>;
-    n: z$1.ZodOptional<z$1.ZodString>;
-    alg: z$1.ZodOptional<z$1.ZodString>;
-    d: z$1.ZodOptional<z$1.ZodString>;
-    dp: z$1.ZodOptional<z$1.ZodString>;
-    dq: z$1.ZodOptional<z$1.ZodString>;
-    ext: z$1.ZodOptional<z$1.ZodBoolean>;
-    k: z$1.ZodOptional<z$1.ZodString>;
-    key_ops: z$1.ZodOptional<z$1.ZodArray<z$1.ZodString>>;
-    kid: z$1.ZodOptional<z$1.ZodString>;
-    oth: z$1.ZodOptional<z$1.ZodArray<z$1.ZodObject<{
-      d: z$1.ZodOptional<z$1.ZodString>;
-      r: z$1.ZodOptional<z$1.ZodString>;
-      t: z$1.ZodOptional<z$1.ZodString>;
-    }, z$1.core.$loose>>>;
-    p: z$1.ZodOptional<z$1.ZodString>;
-    q: z$1.ZodOptional<z$1.ZodString>;
-    qi: z$1.ZodOptional<z$1.ZodString>;
-    use: z$1.ZodOptional<z$1.ZodString>;
-    x5c: z$1.ZodOptional<z$1.ZodArray<z$1.ZodString>>;
-    x5t: z$1.ZodOptional<z$1.ZodString>;
-    'x5t#S256': z$1.ZodOptional<z$1.ZodString>;
-    x5u: z$1.ZodOptional<z$1.ZodString>;
-  }, z$1.core.$loose>>;
-  x5c: z$1.ZodOptional<z$1.ZodArray<z$1.ZodString>>;
-  trust_chain: z$1.ZodOptional<z$1.ZodTuple<[z$1.ZodString], z$1.ZodString>>;
-}, z$1.core.$loose>;
-type ClientAttestationPopJwtHeader = z$1.infer<typeof zClientAttestationPopJwtHeader>;
-//#endregion
-//#region src/client-attestation/client-attestation.d.ts
-interface VerifyClientAttestationJwtOptions {
-  /**
-   * The compact client attestation jwt.
-   */
-  clientAttestationJwt: string;
-  /**
-   * Date to use for expiration. If not provided current date will be used.
-   */
-  now?: Date;
-  /**
-   * Callbacks used for verifying client attestation pop jwt.
-   */
-  callbacks: Pick<CallbackContext, 'verifyJwt'>;
-}
-type VerifiedClientAttestationJwt = Awaited<ReturnType<typeof verifyClientAttestationJwt>>;
-declare function verifyClientAttestationJwt(options: VerifyClientAttestationJwtOptions): Promise<{
-  header: {
-    [x: string]: unknown;
-    typ: "oauth-client-attestation+jwt";
-    alg: string;
-    kid?: string | undefined;
-    jwk?: {
-      [x: string]: unknown;
-      kty: string;
-      crv?: string | undefined;
-      x?: string | undefined;
-      y?: string | undefined;
-      e?: string | undefined;
-      n?: string | undefined;
-      alg?: string | undefined;
-      d?: string | undefined;
-      dp?: string | undefined;
-      dq?: string | undefined;
-      ext?: boolean | undefined;
-      k?: string | undefined;
-      key_ops?: string[] | undefined;
-      kid?: string | undefined;
-      oth?: {
-        [x: string]: unknown;
-        d?: string | undefined;
-        r?: string | undefined;
-        t?: string | undefined;
-      }[] | undefined;
-      p?: string | undefined;
-      q?: string | undefined;
-      qi?: string | undefined;
-      use?: string | undefined;
-      x5c?: string[] | undefined;
-      x5t?: string | undefined;
-      'x5t#S256'?: string | undefined;
-      x5u?: string | undefined;
-    } | undefined;
-    x5c?: string[] | undefined;
-    trust_chain?: [string, ...string[]] | undefined;
-  };
-  payload: {
-    [x: string]: unknown;
-    iss: string;
-    sub: string;
-    exp: number;
-    cnf: {
-      [x: string]: unknown;
-      jwk: {
-        [x: string]: unknown;
-        kty: string;
-        crv?: string | undefined;
-        x?: string | undefined;
-        y?: string | undefined;
-        e?: string | undefined;
-        n?: string | undefined;
-        alg?: string | undefined;
-        d?: string | undefined;
-        dp?: string | undefined;
-        dq?: string | undefined;
-        ext?: boolean | undefined;
-        k?: string | undefined;
-        key_ops?: string[] | undefined;
-        kid?: string | undefined;
-        oth?: {
-          [x: string]: unknown;
-          d?: string | undefined;
-          r?: string | undefined;
-          t?: string | undefined;
-        }[] | undefined;
-        p?: string | undefined;
-        q?: string | undefined;
-        qi?: string | undefined;
-        use?: string | undefined;
-        x5c?: string[] | undefined;
-        x5t?: string | undefined;
-        'x5t#S256'?: string | undefined;
-        x5u?: string | undefined;
-      };
-    };
-    wallet_name?: string | undefined;
-    wallet_link?: string | undefined;
-    aud?: string | string[] | undefined;
-    iat?: number | undefined;
-    nbf?: number | undefined;
-    nonce?: string | undefined;
-    jti?: string | undefined;
-    status?: Record<string, any> | undefined;
-    trust_chain?: [string, ...string[]] | undefined;
-  };
-  signer: JwtSignerWithJwk;
-}>;
-interface CreateClientAttestationJwtOptions {
-  /**
-   * Creation time of the JWT. If not provided the current date will be used
-   */
-  issuedAt?: Date;
-  /**
-   * Expiration time of the JWT.
-   */
-  expiresAt: Date;
-  /**
-   * Issuer of the client attestation, usually identifier of the client backend
-   */
-  issuer: string;
-  /**
-   * The client id of the client instance.
-   */
-  clientId: string;
-  /**
-   * The confirmation payload for the client, attesting the `jwk`, `key_type` and `user_authentication`
-   */
-  confirmation: ClientAttestationJwtPayload['cnf'];
-  /**
-   * Additional payload to include in the client attestation jwt payload. Will be applied after
-   * any default claims that are included, so add claims with caution.
-   */
-  additionalPayload?: Record<string, unknown>;
-  /**
-   * Callback used for client attestation
-   */
-  callbacks: Pick<CallbackContext, 'signJwt'>;
-  /**
-   * The signer of the client attestation jwt.
-   */
-  signer: JwtSigner;
-}
-declare function createClientAttestationJwt(options: CreateClientAttestationJwtOptions): Promise<string>;
-interface VerifyClientAttestationOptions {
-  authorizationServer: string;
-  clientAttestationJwt: string;
-  clientAttestationPopJwt: string;
-  callbacks: Pick<CallbackContext, 'verifyJwt'>;
-  /**
-   * Date to use for expiration. If not provided current date will be used.
-   */
-  now?: Date;
-}
-//#endregion
-//#region src/client-attestation/client-attestation-pop.d.ts
-interface RequestClientAttestationOptions {
-  /**
-   * Dpop nonce to use for constructing the client attestation pop jwt
-   */
-  nonce?: string;
-  /**
-   * Expiration time of the client attestation pop jwt.
-   *
-   * @default 5 minutes after issuance date
-   */
-  expiresAt?: Date;
-  /**
-   * The client attestation jwt to create the pop for.
-   */
-  jwt: string;
-  /**
-   * The signer of the client attestation pop jwt.
-   *
-   * Will be extracted from the client attestation if not provided.
-   */
-  signer?: JwtSignerJwk;
-}
-interface VerifyClientAttestationPopJwtOptions {
-  /**
-   * The compact client attestation pop jwt.
-   */
-  clientAttestationPopJwt: string;
-  /**
-   * The issuer identifier of the authorization server handling the client attestation
-   */
-  authorizationServer: string;
-  /**
-   * Expected nonce in the payload. If not provided the nonce won't be validated.
-   */
-  expectedNonce?: string;
-  /**
-   * Date to use for expiration. If not provided current date will be used.
-   */
-  now?: Date;
-  /**
-   * Callbacks used for verifying client attestation pop jwt.
-   */
-  callbacks: Pick<CallbackContext, 'verifyJwt'>;
-  /**
-   * The parsed and verified client attestation jwt
-   */
-  clientAttestation: {
-    header: ClientAttestationJwtHeader;
-    payload: ClientAttestationJwtPayload;
-  };
-}
-type VerifiedClientAttestationPopJwt = Awaited<ReturnType<typeof verifyClientAttestationPopJwt>>;
-declare function verifyClientAttestationPopJwt(options: VerifyClientAttestationPopJwtOptions): Promise<{
-  header: {
-    [x: string]: unknown;
-    typ: "oauth-client-attestation-pop+jwt";
-    alg: string;
-    kid?: string | undefined;
-    jwk?: {
-      [x: string]: unknown;
-      kty: string;
-      crv?: string | undefined;
-      x?: string | undefined;
-      y?: string | undefined;
-      e?: string | undefined;
-      n?: string | undefined;
-      alg?: string | undefined;
-      d?: string | undefined;
-      dp?: string | undefined;
-      dq?: string | undefined;
-      ext?: boolean | undefined;
-      k?: string | undefined;
-      key_ops?: string[] | undefined;
-      kid?: string | undefined;
-      oth?: {
-        [x: string]: unknown;
-        d?: string | undefined;
-        r?: string | undefined;
-        t?: string | undefined;
-      }[] | undefined;
-      p?: string | undefined;
-      q?: string | undefined;
-      qi?: string | undefined;
-      use?: string | undefined;
-      x5c?: string[] | undefined;
-      x5t?: string | undefined;
-      'x5t#S256'?: string | undefined;
-      x5u?: string | undefined;
-    } | undefined;
-    x5c?: string[] | undefined;
-    trust_chain?: [string, ...string[]] | undefined;
-  };
-  payload: {
-    [x: string]: unknown;
-    iss: string;
-    exp: number;
-    aud: string | string[];
-    jti: string;
-    nonce?: string | undefined;
-    iat?: number | undefined;
-    nbf?: number | undefined;
-    sub?: string | undefined;
-    cnf?: {
-      [x: string]: unknown;
-      jwk?: {
-        [x: string]: unknown;
-        kty: string;
-        crv?: string | undefined;
-        x?: string | undefined;
-        y?: string | undefined;
-        e?: string | undefined;
-        n?: string | undefined;
-        alg?: string | undefined;
-        d?: string | undefined;
-        dp?: string | undefined;
-        dq?: string | undefined;
-        ext?: boolean | undefined;
-        k?: string | undefined;
-        key_ops?: string[] | undefined;
-        kid?: string | undefined;
-        oth?: {
-          [x: string]: unknown;
-          d?: string | undefined;
-          r?: string | undefined;
-          t?: string | undefined;
-        }[] | undefined;
-        p?: string | undefined;
-        q?: string | undefined;
-        qi?: string | undefined;
-        use?: string | undefined;
-        x5c?: string[] | undefined;
-        x5t?: string | undefined;
-        'x5t#S256'?: string | undefined;
-        x5u?: string | undefined;
-      } | undefined;
-      jkt?: string | undefined;
-    } | undefined;
-    status?: Record<string, any> | undefined;
-    trust_chain?: [string, ...string[]] | undefined;
-  };
-  signer: JwtSignerWithJwk;
-}>;
-//#endregion
-//#region src/pkce.d.ts
-declare enum PkceCodeChallengeMethod {
-  Plain = "plain",
-  S256 = "S256",
-}
-interface CreatePkceReturn {
-  codeVerifier: string;
-  codeChallenge: string;
-  codeChallengeMethod: PkceCodeChallengeMethod;
-}
-//#endregion
-//#region src/z-grant-type.d.ts
-declare const zPreAuthorizedCodeGrantIdentifier: z$1.ZodLiteral<"urn:ietf:params:oauth:grant-type:pre-authorized_code">;
-declare const preAuthorizedCodeGrantIdentifier: "urn:ietf:params:oauth:grant-type:pre-authorized_code";
-type PreAuthorizedCodeGrantIdentifier = z$1.infer<typeof zPreAuthorizedCodeGrantIdentifier>;
-declare const zAuthorizationCodeGrantIdentifier: z$1.ZodLiteral<"authorization_code">;
-declare const authorizationCodeGrantIdentifier: "authorization_code";
-type AuthorizationCodeGrantIdentifier = z$1.infer<typeof zAuthorizationCodeGrantIdentifier>;
-declare const zRefreshTokenGrantIdentifier: z$1.ZodLiteral<"refresh_token">;
-declare const refreshTokenGrantIdentifier: "refresh_token";
-type RefreshTokenGrantIdentifier = z$1.infer<typeof zRefreshTokenGrantIdentifier>;
-//#endregion
-//#region src/access-token/parse-access-token-request.d.ts
-interface ParsedAccessTokenPreAuthorizedCodeRequestGrant {
-  grantType: PreAuthorizedCodeGrantIdentifier;
-  preAuthorizedCode: string;
-  txCode?: string;
-}
-interface ParsedAccessTokenAuthorizationCodeRequestGrant {
-  grantType: AuthorizationCodeGrantIdentifier;
-  code: string;
-}
-interface ParsedAccessTokenRefreshTokenRequestGrant {
-  grantType: RefreshTokenGrantIdentifier;
-  refreshToken: string;
-}
-type ParsedAccessTokenRequestGrant = ParsedAccessTokenPreAuthorizedCodeRequestGrant | ParsedAccessTokenAuthorizationCodeRequestGrant | ParsedAccessTokenRefreshTokenRequestGrant;
-interface ParseAccessTokenRequestResult {
-  accessTokenRequest: AccessTokenRequest;
-  grant: ParsedAccessTokenRequestGrant;
-  /**
-   * The dpop jwt from the access token request headers
-   */
-  dpop?: {
-    jwt: string;
-  };
-  /**
-   * The client attestation jwts from the access token request headers
-   */
-  clientAttestation?: {
-    clientAttestationJwt: string;
-    clientAttestationPopJwt: string;
-  };
-  /**
-   * The pkce code verifier from the access token request
-   */
-  pkceCodeVerifier?: string;
-}
-interface ParseAccessTokenRequestOptions {
-  request: RequestLike;
-  /**
-   * The access token request as a JSON object. Your server should decode the
-   * `x-www-url-form-urlencoded` body into an object (e.g. using `bodyParser.urlEncoded()` in express)
-   */
-  accessTokenRequest: Record<string, unknown>;
-}
-//#endregion
-//#region src/access-token/verify-access-token-request.d.ts
-interface VerifyAccessTokenRequestDpop {
-  /**
-   * Whether dpop is required
-   */
-  required?: boolean;
-  /**
-   * The dpop jwt from the access token request
-   */
-  jwt?: string;
-  /**
-   * The expected jwk thumbprint, and can be used to match a dpop provided in the authorization
-   * request to the dpop key used for the access token request.
-   */
-  expectedJwkThumbprint?: string;
-  /**
-   * Allowed dpop signing alg values. If not provided
-   * any alg values are allowed and it's up to the `verifyJwtCallback`
-   * to handle the alg.
-   */
-  allowedSigningAlgs?: string[];
-}
-interface VerifyAccessTokenRequestClientAttestation {
-  /**
-   * Whether client attestation is required.
-   */
-  required?: boolean;
-  /**
-   * Whether to ensure that the key used in client attestation confirmation
-   * is the same key used for DPoP. This only has effect if both DPoP and client
-   * attestations are present.
-   *
-   * @default false
-   */
-  ensureConfirmationKeyMatchesDpopKey?: boolean;
-  clientAttestationJwt?: string;
-  clientAttestationPopJwt?: string;
-  /**
-   * The expected client id that is bound to the authorization session, and can be used to match the client id
-   * provided in the authorization request to the client used for the access token request.
-   */
-  expectedClientId?: string;
-}
-interface VerifyAccessTokenRequestPkce {
-  codeVerifier?: string;
-  codeChallenge: string;
-  codeChallengeMethod: PkceCodeChallengeMethod;
-}
-interface VerifyAccessTokenRequestReturn {
-  dpop?: {
-    /**
-     * base64url encoding of the JWK SHA-256 Thumbprint (according to [RFC7638])
-     * of the DPoP public key (in JWK format)
-     */
-    jwkThumbprint: string;
-    jwk: Jwk;
-  };
-  clientAttestation?: {
-    clientAttestation: VerifiedClientAttestationJwt;
-    clientAttestationPop: VerifiedClientAttestationPopJwt;
-  };
-}
-interface VerifyPreAuthorizedCodeAccessTokenRequestOptions {
-  authorizationServerMetadata: AuthorizationServerMetadata;
-  grant: ParsedAccessTokenPreAuthorizedCodeRequestGrant;
-  accessTokenRequest: AccessTokenRequest;
-  request: RequestLike;
-  expectedPreAuthorizedCode: string;
-  expectedTxCode?: string;
-  clientAttestation?: VerifyAccessTokenRequestClientAttestation;
-  dpop?: VerifyAccessTokenRequestDpop;
-  pkce?: VerifyAccessTokenRequestPkce;
-  preAuthorizedCodeExpiresAt?: Date;
-  now?: Date;
-  callbacks: Pick<CallbackContext, 'hash' | 'verifyJwt'>;
-}
-interface VerifyAuthorizationCodeAccessTokenRequestOptions {
-  authorizationServerMetadata: AuthorizationServerMetadata;
-  grant: ParsedAccessTokenAuthorizationCodeRequestGrant;
-  accessTokenRequest: AccessTokenRequest;
-  request: RequestLike;
-  expectedCode: string;
-  clientAttestation?: VerifyAccessTokenRequestClientAttestation;
-  dpop?: VerifyAccessTokenRequestDpop;
-  pkce?: VerifyAccessTokenRequestPkce;
-  codeExpiresAt?: Date;
-  now?: Date;
-  callbacks: Pick<CallbackContext, 'hash' | 'verifyJwt'>;
-}
-interface VerifyRefreshTokenAccessTokenRequestOptions {
-  authorizationServerMetadata: AuthorizationServerMetadata;
-  grant: ParsedAccessTokenRefreshTokenRequestGrant;
-  accessTokenRequest: AccessTokenRequest;
-  request: RequestLike;
-  expectedRefreshToken: string;
-  clientAttestation?: VerifyAccessTokenRequestClientAttestation;
-  dpop?: VerifyAccessTokenRequestDpop;
-  pkce?: VerifyAccessTokenRequestPkce;
-  refreshTokenExpiresAt?: Date;
-  now?: Date;
-  callbacks: Pick<CallbackContext, 'hash' | 'verifyJwt'>;
-}
-//#endregion
-//#region src/access-token/z-access-token-jwt.d.ts
-declare const zAccessTokenProfileJwtPayload: z$1.ZodObject<{
-  iss: z$1.ZodString;
-  exp: z$1.ZodNumber;
-  iat: z$1.ZodNumber;
-  aud: z$1.ZodUnion<readonly [z$1.ZodString, z$1.ZodArray<z$1.ZodString>]>;
-  sub: z$1.ZodString;
-  client_id: z$1.ZodOptional<z$1.ZodString>;
-  jti: z$1.ZodString;
-  scope: z$1.ZodOptional<z$1.ZodString>;
-  nbf: z$1.ZodOptional<z$1.ZodNumber>;
-  nonce: z$1.ZodOptional<z$1.ZodString>;
-  cnf: z$1.ZodOptional<z$1.ZodObject<{
-    jwk: z$1.ZodOptional<z$1.ZodObject<{
-      kty: z$1.ZodString;
-      crv: z$1.ZodOptional<z$1.ZodString>;
-      x: z$1.ZodOptional<z$1.ZodString>;
-      y: z$1.ZodOptional<z$1.ZodString>;
-      e: z$1.ZodOptional<z$1.ZodString>;
-      n: z$1.ZodOptional<z$1.ZodString>;
-      alg: z$1.ZodOptional<z$1.ZodString>;
-      d: z$1.ZodOptional<z$1.ZodString>;
-      dp: z$1.ZodOptional<z$1.ZodString>;
-      dq: z$1.ZodOptional<z$1.ZodString>;
-      ext: z$1.ZodOptional<z$1.ZodBoolean>;
-      k: z$1.ZodOptional<z$1.ZodString>;
-      key_ops: z$1.ZodOptional<z$1.ZodArray<z$1.ZodString>>;
-      kid: z$1.ZodOptional<z$1.ZodString>;
-      oth: z$1.ZodOptional<z$1.ZodArray<z$1.ZodObject<{
-        d: z$1.ZodOptional<z$1.ZodString>;
-        r: z$1.ZodOptional<z$1.ZodString>;
-        t: z$1.ZodOptional<z$1.ZodString>;
-      }, z$1.core.$loose>>>;
-      p: z$1.ZodOptional<z$1.ZodString>;
-      q: z$1.ZodOptional<z$1.ZodString>;
-      qi: z$1.ZodOptional<z$1.ZodString>;
-      use: z$1.ZodOptional<z$1.ZodString>;
-      x5c: z$1.ZodOptional<z$1.ZodArray<z$1.ZodString>>;
-      x5t: z$1.ZodOptional<z$1.ZodString>;
-      'x5t#S256': z$1.ZodOptional<z$1.ZodString>;
-      x5u: z$1.ZodOptional<z$1.ZodString>;
-    }, z$1.core.$loose>>;
-    jkt: z$1.ZodOptional<z$1.ZodString>;
-  }, z$1.core.$loose>>;
-  status: z$1.ZodOptional<z$1.ZodRecord<z$1.ZodString, z$1.ZodAny>>;
-  trust_chain: z$1.ZodOptional<z$1.ZodTuple<[z$1.ZodString], z$1.ZodString>>;
-}, z$1.core.$loose>;
-type AccessTokenProfileJwtPayload = z$1.infer<typeof zAccessTokenProfileJwtPayload>;
-//#endregion
-//#region src/access-token/z-token-introspection.d.ts
-declare const zTokenIntrospectionResponse: z$1.ZodObject<{
-  active: z$1.ZodBoolean;
-  scope: z$1.ZodOptional<z$1.ZodString>;
-  client_id: z$1.ZodOptional<z$1.ZodString>;
-  username: z$1.ZodOptional<z$1.ZodString>;
-  token_type: z$1.ZodOptional<z$1.ZodString>;
-  exp: z$1.ZodOptional<z$1.ZodNumber>;
-  iat: z$1.ZodOptional<z$1.ZodNumber>;
-  nbf: z$1.ZodOptional<z$1.ZodNumber>;
-  sub: z$1.ZodOptional<z$1.ZodString>;
-  aud: z$1.ZodOptional<z$1.ZodUnion<readonly [z$1.ZodString, z$1.ZodArray<z$1.ZodString>]>>;
-  iss: z$1.ZodOptional<z$1.ZodString>;
-  jti: z$1.ZodOptional<z$1.ZodString>;
-  cnf: z$1.ZodOptional<z$1.ZodObject<{
-    jwk: z$1.ZodOptional<z$1.ZodObject<{
-      kty: z$1.ZodString;
-      crv: z$1.ZodOptional<z$1.ZodString>;
-      x: z$1.ZodOptional<z$1.ZodString>;
-      y: z$1.ZodOptional<z$1.ZodString>;
-      e: z$1.ZodOptional<z$1.ZodString>;
-      n: z$1.ZodOptional<z$1.ZodString>;
-      alg: z$1.ZodOptional<z$1.ZodString>;
-      d: z$1.ZodOptional<z$1.ZodString>;
-      dp: z$1.ZodOptional<z$1.ZodString>;
-      dq: z$1.ZodOptional<z$1.ZodString>;
-      ext: z$1.ZodOptional<z$1.ZodBoolean>;
-      k: z$1.ZodOptional<z$1.ZodString>;
-      key_ops: z$1.ZodOptional<z$1.ZodArray<z$1.ZodString>>;
-      kid: z$1.ZodOptional<z$1.ZodString>;
-      oth: z$1.ZodOptional<z$1.ZodArray<z$1.ZodObject<{
-        d: z$1.ZodOptional<z$1.ZodString>;
-        r: z$1.ZodOptional<z$1.ZodString>;
-        t: z$1.ZodOptional<z$1.ZodString>;
-      }, z$1.core.$loose>>>;
-      p: z$1.ZodOptional<z$1.ZodString>;
-      q: z$1.ZodOptional<z$1.ZodString>;
-      qi: z$1.ZodOptional<z$1.ZodString>;
-      use: z$1.ZodOptional<z$1.ZodString>;
-      x5c: z$1.ZodOptional<z$1.ZodArray<z$1.ZodString>>;
-      x5t: z$1.ZodOptional<z$1.ZodString>;
-      'x5t#S256': z$1.ZodOptional<z$1.ZodString>;
-      x5u: z$1.ZodOptional<z$1.ZodString>;
-    }, z$1.core.$loose>>;
-    jkt: z$1.ZodOptional<z$1.ZodString>;
-  }, z$1.core.$loose>>;
-}, z$1.core.$loose>;
-type TokenIntrospectionResponse = z$1.infer<typeof zTokenIntrospectionResponse>;
-//#endregion
-//#region src/authorization-request/parse-authorization-request.d.ts
-interface ParseAuthorizationRequestResult {
-  /**
-   * The dpop params from the authorization request.
-   *
-   * Both `dpop_jkt` and DPoP header can be included in the request.
-   *
-   * The jkt and the signer of the jwt have not been verified against
-   * each other yet, this only happens during verification
-   */
-  dpop?: {
-    jwkThumbprint: string;
-    jwt?: string;
-  } | {
-    jwkThumbprint?: string;
-    jwt: string;
-  };
-  /**
-   * The client attestation jwts from the authorization request headers.
-   * These have not been verified yet.
-   */
-  clientAttestation?: {
-    clientAttestationJwt: string;
-    clientAttestationPopJwt: string;
-  };
-}
-//#endregion
-//#region src/authorization-challenge/z-authorization-challenge.d.ts
-declare const zAuthorizationChallengeRequest: z$1.ZodObject<{
-  client_id: z$1.ZodOptional<z$1.ZodString>;
-  auth_session: z$1.ZodOptional<z$1.ZodString>;
-  presentation_during_issuance_session: z$1.ZodOptional<z$1.ZodString>;
-  scope: z$1.ZodOptional<z$1.ZodString>;
-  redirect_uri: z$1.ZodOptional<z$1.ZodURL>;
-  resource: z$1.ZodOptional<z$1.ZodURL>;
-  state: z$1.ZodOptional<z$1.ZodString>;
-  issuer_state: z$1.ZodOptional<z$1.ZodString>;
-  dpop_jkt: z$1.ZodOptional<z$1.ZodBase64URL>;
-  code_challenge: z$1.ZodOptional<z$1.ZodString>;
-  code_challenge_method: z$1.ZodOptional<z$1.ZodString>;
-}, z$1.core.$loose>;
-type AuthorizationChallengeRequest = z$1.infer<typeof zAuthorizationChallengeRequest>;
-declare const zAuthorizationChallengeResponse: z$1.ZodObject<{
-  authorization_code: z$1.ZodString;
-}, z$1.core.$loose>;
-type AuthorizationChallengeResponse = z$1.infer<typeof zAuthorizationChallengeResponse>;
-declare const zAuthorizationChallengeErrorResponse: z$1.ZodObject<{
-  auth_session: z$1.ZodOptional<z$1.ZodString>;
-  request_uri: z$1.ZodOptional<z$1.ZodString>;
-  expires_in: z$1.ZodOptional<z$1.ZodNumber>;
-  presentation: z$1.ZodOptional<z$1.ZodString>;
-  error: z$1.ZodUnion<readonly [z$1.ZodEnum<typeof Oauth2ErrorCodes>, z$1.ZodString]>;
-  error_description: z$1.ZodOptional<z$1.ZodString>;
-  error_uri: z$1.ZodOptional<z$1.ZodString>;
-}, z$1.core.$loose>;
-type AuthorizationChallengeErrorResponse = z$1.infer<typeof zAuthorizationChallengeErrorResponse>;
-//#endregion
-//#region src/authorization-challenge/parse-authorization-challenge-request.d.ts
-interface ParseAuthorizationChallengeRequestOptions {
-  request: RequestLike;
-  authorizationChallengeRequest: unknown;
-}
-interface ParseAuthorizationChallengeRequestResult extends ParseAuthorizationRequestResult {
-  authorizationChallengeRequest: AuthorizationChallengeRequest;
-}
-//#endregion
-//#region src/authorization-request/verify-authorization-request.d.ts
-interface VerifyAuthorizationRequestDpop {
-  /**
-   * Whether dpop is required.
-   */
-  required?: boolean;
-  /**
-   * The dpop jwt from the pushed authorization request.
-   *
-   * If dpop is required, at least one of `jwt` or `jwkThumbprint` MUST
-   * be provided. If both are provided, the jwk thumbprints are matched
-   */
-  jwt?: string;
-  /**
-   * The jwk thumbprint as provided in the `dpop_jkt` parameter.
-   *
-   * If dpop is required, at least one of `jwt` or `jwkThumbprint` MUST
-   * be provided. If both are provided, the jwk thumbprints are matched
-   */
-  jwkThumbprint?: string;
-  /**
-   * Allowed dpop signing alg values. If not provided
-   * any alg values are allowed and it's up to the `verifyJwtCallback`
-   * to handle the alg.
-   */
-  allowedSigningAlgs?: string[];
-}
-interface VerifyAuthorizationRequestClientAttestation {
-  /**
-   * Whether client attestation is required.
-   */
-  required?: boolean;
-  /**
-   * Whether to ensure that the key used in client attestation confirmation
-   * is the same key used for DPoP. This only has effect if both DPoP and client
-   * attestations are present.
-   *
-   * @default false
-   */
-  ensureConfirmationKeyMatchesDpopKey?: boolean;
-  clientAttestationJwt?: string;
-  clientAttestationPopJwt?: string;
-}
-interface VerifyAuthorizationRequestReturn {
-  dpop?: {
-    /**
-     * base64url encoding of the JWK SHA-256 Thumbprint (according to [RFC7638])
-     * of the DPoP public key (in JWK format).
-     *
-     * This will always be returned if dpop is used for the PAR endpoint
-     */
-    jwkThumbprint: string;
-    /**
-     * The JWK will be returned if a DPoP proof was provided in the header.
-     */
-    jwk?: Jwk;
-  };
-  /**
-   * The verified client attestation if any were provided.
-   */
-  clientAttestation?: {
-    clientAttestation: VerifiedClientAttestationJwt;
-    clientAttestationPop: VerifiedClientAttestationPopJwt;
-  };
-}
-interface VerifyAuthorizationRequestOptions {
-  authorizationServerMetadata: AuthorizationServerMetadata;
-  authorizationRequest: {
-    client_id?: string;
-  };
-  request: RequestLike;
-  dpop?: VerifyAuthorizationRequestDpop;
-  clientAttestation?: VerifyAuthorizationRequestClientAttestation;
-  /**
-   * Date to use for expiration. If not provided current date will be used.
-   */
-  now?: Date;
-  callbacks: Pick<CallbackContext, 'hash' | 'verifyJwt'>;
-}
-//#endregion
-//#region src/authorization-challenge/verify-authorization-challenge-request.d.ts
-type VerifyAuthorizationChallengeRequestReturn = VerifyAuthorizationRequestReturn;
-interface VerifyAuthorizationChallengeRequestOptions extends Omit<VerifyAuthorizationRequestOptions, 'authorizationRequest'> {
-  authorizationChallengeRequest: AuthorizationChallengeRequest;
-}
-//#endregion
-//#region src/authorization-request/create-authorization-request.d.ts
-interface CreateAuthorizationRequestUrlOptions {
-  /**
-   * Callback context mostly for crypto related functionality
-   */
-  callbacks: Pick<CallbackContext, 'fetch' | 'hash' | 'generateRandom' | 'signJwt' | 'clientAuthentication'>;
-  /**
-   * Metadata of the authorization server for which to create the authorization request url
-   */
-  authorizationServerMetadata: AuthorizationServerMetadata;
-  /**
-   * The client id to use for the authorization request.
-   *
-   * For authorization requests the `client_id` is ALWAYS required, even if client authentication is used
-   * (which differs from the token endpoint). This should match with the client_id that will be used for
-   * client authentication
-   */
-  clientId: string;
-  /**
-   * Scope to request for the authorization request
-   */
-  scope?: string;
-  /**
-   * State for the authorization request
-   */
-  state?: string;
-  /**
-   * The resource to which access is being requested. This can help the authorization
-   * server in determining the resource server to handle the authorization request for
-   */
-  resource?: string;
-  /**
-   * Redirect uri to include in the authorization request
-   */
-  redirectUri?: string;
-  /**
-   * Additional payload to include in the authorization request. Items will be encoded and sent
-   * using x-www-form-urlencoded format. Nested items (JSON) will be stringified and url encoded.
-   */
-  additionalRequestPayload?: Record<string, unknown>;
-  /**
-   * Code verifier to use for pkce. If not provided a value will generated when pkce is supported
-   */
-  pkceCodeVerifier?: string;
-  /**
-   * DPoP options
-   *
-   * If PAR is not used only the `dpop_jkt` property will be included in the request
-   */
-  dpop?: RequestDpopOptions;
-}
-//#endregion
-//#region src/authorization-request/create-pushed-authorization-response.d.ts
-interface CreatePushedAuthorizationResponseOptions {
-  /**
-   * The request uri where the client should redirect to
-   */
-  requestUri: string;
-  /**
-   * Number of seconds after which the `requestUri` will expire.
-   */
-  expiresInSeconds: number;
-  /**
-   * Additional payload to include in the pushed authorization response.
-   */
-  additionalPayload?: Record<string, unknown>;
-}
-interface CreatePushedAuthorizationErrorResponseOptions {
-  /**
-   * The pushed authorization error
-   */
-  error: StringWithAutoCompletion<Oauth2ErrorCodes>;
-  /**
-   * Optional error description
-   */
-  errorDescription?: string;
-  /**
-   * Additional payload to include in the pushed authorization error response.
-   */
-  additionalPayload?: Record<string, unknown>;
-}
-//#endregion
-//#region src/authorization-request/z-authorization-request.d.ts
-declare const zPushedAuthorizationRequestUriPrefix: z$1.ZodLiteral<"urn:ietf:params:oauth:request_uri:">;
-declare const pushedAuthorizationRequestUriPrefix: "urn:ietf:params:oauth:request_uri:";
-type PushedAuthorizationRequestUriPrefix = z$1.infer<typeof zPushedAuthorizationRequestUriPrefix>;
-declare const zAuthorizationRequest: z$1.ZodObject<{
-  response_type: z$1.ZodString;
-  client_id: z$1.ZodString;
-  issuer_state: z$1.ZodOptional<z$1.ZodString>;
-  redirect_uri: z$1.ZodOptional<z$1.ZodURL>;
-  resource: z$1.ZodOptional<z$1.ZodURL>;
-  scope: z$1.ZodOptional<z$1.ZodString>;
-  state: z$1.ZodOptional<z$1.ZodString>;
-  dpop_jkt: z$1.ZodOptional<z$1.ZodBase64URL>;
-  code_challenge: z$1.ZodOptional<z$1.ZodString>;
-  code_challenge_method: z$1.ZodOptional<z$1.ZodString>;
-}, z$1.core.$loose>;
-type AuthorizationRequest = z$1.infer<typeof zAuthorizationRequest>;
-//#endregion
-//#region src/authorization-request/parse-pushed-authorization-request.d.ts
-interface ParsePushedAuthorizationRequestOptions {
-  request: RequestLike;
-  authorizationRequest: unknown;
-  callbacks: Pick<CallbackContext, 'fetch'>;
-}
-interface ParsePushedAuthorizationRequestResult extends ParseAuthorizationRequestResult {
-  authorizationRequest: AuthorizationRequest;
-  /**
-   * The JWT-secured request object, if the request was pushed as a JAR.
-   * May be undefined if the request object is not a JAR.
-   */
-  authorizationRequestJwt?: string;
-}
-interface ParsePushedAuthorizationRequestUriReferenceValueOptions {
-  uri: string;
-}
-/**
- * Parse a pushed authorization request URI prefixed with `urn:ietf:params:oauth:request_uri:`
- * and returns the identifier, without the prefix.
- *
- * @throws {Oauth2ServerErrorResponseError}
- */
-declare function parsePushedAuthorizationRequestUriReferenceValue(options: ParsePushedAuthorizationRequestUriReferenceValueOptions): string;
-//#endregion
-//#region src/common/jwt/decode-jwt.d.ts
-interface DecodeJwtOptions<HeaderSchema extends BaseSchema | undefined, PayloadSchema extends BaseSchema | undefined> {
-  /**
-   * The comapct encoded jwt
-   */
-  jwt: string;
-  /**
-   * Schema to use for validating the header. If not provided the
-   * default `zJwtHeader` schema will be used
-   */
-  headerSchema?: HeaderSchema;
-  /**
-   * Schema to use for validating the payload. If not provided the
-   * default `zJwtPayload` schema will be used
-   */
-  payloadSchema?: PayloadSchema;
-}
-type DecodeJwtResult<HeaderSchema extends BaseSchema | undefined = undefined, PayloadSchema extends BaseSchema | undefined = undefined> = {
-  header: InferSchemaOrDefaultOutput<HeaderSchema, typeof zJwtHeader>;
-  payload: InferSchemaOrDefaultOutput<PayloadSchema, typeof zJwtPayload>;
-  signature: string;
-  compact: string;
-};
-declare function decodeJwt<HeaderSchema extends BaseSchema | undefined = undefined, PayloadSchema extends BaseSchema | undefined = undefined>(options: DecodeJwtOptions<HeaderSchema, PayloadSchema>): DecodeJwtResult<HeaderSchema, PayloadSchema>;
-declare function jwtHeaderFromJwtSigner(signer: JwtSigner): {
-  readonly alg: string;
-  readonly kid: string;
-  readonly trust_chain?: undefined;
-  readonly jwk?: undefined;
-  readonly x5c?: undefined;
-} | {
-  readonly alg: string;
-  readonly kid: string;
-  readonly trust_chain: [string, ...string[]] | undefined;
-  readonly jwk?: undefined;
-  readonly x5c?: undefined;
-} | {
-  readonly alg: string;
-  readonly jwk: {
-    [x: string]: unknown;
-    kty: string;
-    crv?: string | undefined;
-    x?: string | undefined;
-    y?: string | undefined;
-    e?: string | undefined;
-    n?: string | undefined;
-    alg?: string | undefined;
-    d?: string | undefined;
-    dp?: string | undefined;
-    dq?: string | undefined;
-    ext?: boolean | undefined;
-    k?: string | undefined;
-    key_ops?: string[] | undefined;
-    kid?: string | undefined;
-    oth?: {
-      [x: string]: unknown;
-      d?: string | undefined;
-      r?: string | undefined;
-      t?: string | undefined;
-    }[] | undefined;
-    p?: string | undefined;
-    q?: string | undefined;
-    qi?: string | undefined;
-    use?: string | undefined;
-    x5c?: string[] | undefined;
-    x5t?: string | undefined;
-    'x5t#S256'?: string | undefined;
-    x5u?: string | undefined;
-  };
-  readonly kid?: undefined;
-  readonly trust_chain?: undefined;
-  readonly x5c?: undefined;
-} | {
-  readonly alg: string;
-  readonly x5c: string[];
-  readonly kid?: undefined;
-  readonly trust_chain?: undefined;
-  readonly jwk?: undefined;
-} | {
-  alg: string;
-  readonly kid?: undefined;
-  readonly trust_chain?: undefined;
-  readonly jwk?: undefined;
-  readonly x5c?: undefined;
-};
-declare function jwtSignerFromJwt({
-  header,
-  payload,
-  allowedSignerMethods
-}: Pick<DecodeJwtResult, 'header' | 'payload'> & {
-  allowedSignerMethods?: JwtSigner['method'][];
-}): JwtSigner;
-type IsSchemaProvided<T> = T extends undefined ? false : true;
-type InferSchemaOrDefaultOutput<ProvidedSchema extends BaseSchema | undefined, DefaultSchema extends BaseSchema> = IsSchemaProvided<ProvidedSchema> extends true ? ProvidedSchema extends BaseSchema ? z$1.infer<ProvidedSchema> : never : z$1.infer<DefaultSchema>;
-//#endregion
-//#region src/jar/z-jar-authorization-request.d.ts
-declare const zJarAuthorizationRequest: z.ZodObject<{
-  request: z.ZodOptional<z.ZodString>;
-  request_uri: z.ZodOptional<z.ZodURL>;
-  client_id: z.ZodOptional<z.ZodString>;
-}, z.core.$loose>;
-type JarAuthorizationRequest = z.infer<typeof zJarAuthorizationRequest>;
-declare function validateJarRequestParams(options: {
-  jarRequestParams: JarAuthorizationRequest;
-}): JarAuthorizationRequest & ({
-  request_uri: string;
-  request?: never;
-} | {
-  request: string;
-  request_uri?: never;
-});
-//#endregion
-//#region src/jar/z-jar-request-object.d.ts
-declare const zJarRequestObjectPayload: z.ZodObject<{
-  client_id: z.ZodString;
-  iss: z.ZodOptional<z.ZodString>;
-  aud: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
-  iat: z.ZodOptional<z.ZodNumber>;
-  exp: z.ZodOptional<z.ZodNumber>;
-  nbf: z.ZodOptional<z.ZodNumber>;
-  nonce: z.ZodOptional<z.ZodString>;
-  jti: z.ZodOptional<z.ZodString>;
-  sub: z.ZodOptional<z.ZodString>;
-  cnf: z.ZodOptional<z.ZodObject<{
-    jwk: z.ZodOptional<z.ZodObject<{
-      kty: z.ZodString;
-      crv: z.ZodOptional<z.ZodString>;
-      x: z.ZodOptional<z.ZodString>;
-      y: z.ZodOptional<z.ZodString>;
-      e: z.ZodOptional<z.ZodString>;
-      n: z.ZodOptional<z.ZodString>;
-      alg: z.ZodOptional<z.ZodString>;
-      d: z.ZodOptional<z.ZodString>;
-      dp: z.ZodOptional<z.ZodString>;
-      dq: z.ZodOptional<z.ZodString>;
-      ext: z.ZodOptional<z.ZodBoolean>;
-      k: z.ZodOptional<z.ZodString>;
-      key_ops: z.ZodOptional<z.ZodArray<z.ZodString>>;
-      kid: z.ZodOptional<z.ZodString>;
-      oth: z.ZodOptional<z.ZodArray<z.ZodObject<{
-        d: z.ZodOptional<z.ZodString>;
-        r: z.ZodOptional<z.ZodString>;
-        t: z.ZodOptional<z.ZodString>;
-      }, z.core.$loose>>>;
-      p: z.ZodOptional<z.ZodString>;
-      q: z.ZodOptional<z.ZodString>;
-      qi: z.ZodOptional<z.ZodString>;
-      use: z.ZodOptional<z.ZodString>;
-      x5c: z.ZodOptional<z.ZodArray<z.ZodString>>;
-      x5t: z.ZodOptional<z.ZodString>;
-      'x5t#S256': z.ZodOptional<z.ZodString>;
-      x5u: z.ZodOptional<z.ZodString>;
-    }, z.core.$loose>>;
-    jkt: z.ZodOptional<z.ZodString>;
-  }, z.core.$loose>>;
-  status: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
-  trust_chain: z.ZodOptional<z.ZodTuple<[z.ZodString], z.ZodString>>;
-}, z.core.$loose>;
-type JarRequestObjectPayload = z.infer<typeof zJarRequestObjectPayload>;
-declare const signedAuthorizationRequestJwtHeaderTyp: "oauth-authz-req+jwt";
-declare const jwtAuthorizationRequestJwtHeaderTyp: "jwt";
-//#endregion
-//#region src/jar/handle-jar-request/verify-jar-request.d.ts
-interface VerifiedJarRequest {
-  authorizationRequestPayload: JarRequestObjectPayload;
-  signer: JwtSignerWithJwk;
-  jwt: ReturnType<typeof decodeJwt<undefined, typeof zJarRequestObjectPayload>>;
-}
-//#endregion
-//#region src/authorization-request/verify-pushed-authorization-request.d.ts
-interface VerifyPushedAuthorizationRequestReturn extends VerifyAuthorizationRequestReturn {
-  /**
-   * The verified JAR request, if `authorizationRequestJwt` was provided
-   */
-  jar?: VerifiedJarRequest;
-}
-interface VerifyPushedAuthorizationRequestOptions extends VerifyAuthorizationRequestOptions {
-  /**
-   * The authorization request JWT to verify. If this value was returned from `parsePushedAuthorizationRequest`
-   * you MUST provide this value to ensure the JWT is verified.
-   */
-  authorizationRequestJwt?: {
-    jwt: string;
-    signer: JwtSigner;
-  };
-}
-//#endregion
-//#region src/authorization-response/z-authorization-response.d.ts
-declare const zAuthorizationResponse: z$1.ZodObject<{
-  state: z$1.ZodOptional<z$1.ZodString>;
-  code: z$1.ZodString;
-  error: z$1.ZodOptional<z$1.ZodNever>;
-}, z$1.core.$loose>;
-declare const zAuthorizationResponseFromUriParams: z$1.ZodPipe<z$1.ZodPipe<z$1.ZodURL, z$1.ZodTransform<unknown, string>>, z$1.ZodObject<{
-  state: z$1.ZodOptional<z$1.ZodString>;
-  code: z$1.ZodString;
-  error: z$1.ZodOptional<z$1.ZodNever>;
-}, z$1.core.$loose>>;
-type AuthorizationResponse = z$1.infer<typeof zAuthorizationResponse>;
-declare const zAuthorizationErrorResponse: z$1.ZodObject<{
-  state: z$1.ZodOptional<z$1.ZodString>;
-  code: z$1.ZodOptional<z$1.ZodNever>;
-  error: z$1.ZodUnion<readonly [z$1.ZodEnum<typeof Oauth2ErrorCodes>, z$1.ZodString]>;
-  error_description: z$1.ZodOptional<z$1.ZodString>;
-  error_uri: z$1.ZodOptional<z$1.ZodString>;
-}, z$1.core.$loose>;
-type AuthorizationErrorResponse = z$1.infer<typeof zAuthorizationErrorResponse>;
-//#endregion
-//#region src/authorization-response/parse-authorization-response.d.ts
-interface ParseAuthorizationRequestOptions {
-  url: string;
-}
-/**
- * Parse an authorization response redirect URL.
- *
- * @throws {Oauth2ServerErrorResponseError}
- */
-declare function parseAuthorizationResponseRedirectUrl(options: ParseAuthorizationRequestOptions): AuthorizationResponse | AuthorizationErrorResponse;
-//#endregion
-//#region src/common/algorithm/algorithm-transform.d.ts
-/**
- * Algorithm transformation utilities for JWA and COSE
- *
- * This module provides utilities to transform between JWA (JSON Web Algorithms)
- * signature algorithm identifiers and fully-specified COSE (CBOR Object Signing and Encryption)
- * algorithm identifiers.
- *
- * Based on RFC 9864: Fully-Specified Algorithms for JOSE and COSE
- * https://www.rfc-editor.org/rfc/rfc9864.html
- */
-/**
- * JWA (JSON Web Algorithms) signature algorithm identifiers
- *
- * From RFC 7518 (JWA) and RFC 9864 (Fully-Specified Algorithms)
- */
-declare enum JwaSignatureAlgorithm {
-  Ed25519 = "Ed25519",
-  Ed448 = "Ed448",
-  EdDSA = "EdDSA",
-  ES256 = "ES256",
-  ES384 = "ES384",
-  ES512 = "ES512",
-  ES256K = "ES256K",
-  RS256 = "RS256",
-  RS384 = "RS384",
-  RS512 = "RS512",
-  PS256 = "PS256",
-  PS384 = "PS384",
-  PS512 = "PS512",
-}
-/**
- * Mapping of COSE algorithm identifiers to JWA signature algorithm identifiers
- *
- * This is the inverse of JWA_SIGNATURE_TO_COSE_ALGORITHM_MAP, with additional entries
- * for deprecated polymorphic COSE algorithms that should be avoided.
- */
-declare const COSE_TO_JWA_SIGNATURE_ALGORITHM_MAP: {
-  readonly [-19]: JwaSignatureAlgorithm.Ed25519;
-  readonly [-53]: JwaSignatureAlgorithm.Ed448;
-  readonly [-8]: JwaSignatureAlgorithm.Ed25519;
-  readonly [-9]: JwaSignatureAlgorithm.ES256;
-  readonly [-51]: JwaSignatureAlgorithm.ES384;
-  readonly [-52]: JwaSignatureAlgorithm.ES512;
-  readonly [-47]: JwaSignatureAlgorithm.ES256K;
-  readonly [-7]: JwaSignatureAlgorithm.ES256;
-  readonly [-35]: JwaSignatureAlgorithm.ES384;
-  readonly [-36]: JwaSignatureAlgorithm.ES512;
-  readonly [-257]: JwaSignatureAlgorithm.RS256;
-  readonly [-258]: JwaSignatureAlgorithm.RS384;
-  readonly [-259]: JwaSignatureAlgorithm.RS512;
-  readonly [-37]: JwaSignatureAlgorithm.PS256;
-  readonly [-38]: JwaSignatureAlgorithm.PS384;
-  readonly [-39]: JwaSignatureAlgorithm.PS512;
-};
-type CoseAlgorithmIdentifier = keyof typeof COSE_TO_JWA_SIGNATURE_ALGORITHM_MAP;
-type JwaSignatureAlgorithmIdentifier = `${JwaSignatureAlgorithm}`;
-/**
- * Transform a JWA signature algorithm identifier to an RFC 9864 fully-specified COSE algorithm identifier
- *
- * @param jwaAlg - JWA signature algorithm identifier (e.g., 'Ed25519', 'ES256')
- * @returns Fully-specified COSE algorithm identifier (e.g., -19, -9) or undefined if not mappable
- *
- * @example
- * ```typescript
- * const coseAlg = jwaSignatureAlgorithmToFullySpecifiedCoseAlgorithm('Ed25519') // Returns -19
- * const coseAlg = jwaSignatureAlgorithmToFullySpecifiedCoseAlgorithm('ES256')   // Returns -9 (ESP256)
- * ```
- */
-declare function jwaSignatureAlgorithmToFullySpecifiedCoseAlgorithm(jwaAlg: string): CoseAlgorithmIdentifier | undefined;
-/**
- * Transform a COSE algorithm identifier (either RFC 9864 fully-specified, or polymorphic) to a JWA signature algorithm identifier
- *
- * @param coseAlg - COSE algorithm identifier (e.g., -19, -9)
- * @returns JWA signature algorithm identifier (e.g., 'Ed25519', 'ES256') or undefined if not mappable
- *
- * @example
- * ```typescript
- * const jwaAlg = fullySpecifiedCoseAlgorithmToJwaSignatureAlgorithm(-19) // Returns 'Ed25519'
- * const jwaAlg = fullySpecifiedCoseAlgorithmToJwaSignatureAlgorithm(-9)  // Returns 'ES256'
- * const jwaAlg = fullySpecifiedCoseAlgorithmToJwaSignatureAlgorithm(-7)  // Returns 'ES256' (deprecated polymorphic COSE ES256)
- * ```
- */
-declare function fullySpecifiedCoseAlgorithmToJwaSignatureAlgorithm(coseAlg: number): JwaSignatureAlgorithmIdentifier | undefined;
-/**
- * Transform an array of JWA signature algorithm identifiers to RFC 9864 fully-specified COSE algorithm identifiers.
- *
- * By default it filters out unmappable algorithms. You can also choose to throw an error when an unknown
- * algorithm is detected.
- *
- * @param jwaAlgs - Array of JWA signature algorithm identifiers
- * @returns Array of fully-specified COSE algorithm identifiers
- *
- * @example
- * ```typescript
- * const coseAlgs = jwaSignatureAlgorithmArrayToFullySpecifiedCoseAlgorithmArray(['Ed25519', 'ES256', 'Unknown'])
- * // Returns [-19, -9]
- * ```
- */
-declare function jwaSignatureAlgorithmArrayToFullySpecifiedCoseAlgorithmArray(jwaAlgs: string[], throwOnUnknownValue?: boolean): CoseAlgorithmIdentifier[];
-/**
- * Transform an array of COSE algorithm identifiers (either RFC 9864 fully-specified or polymorphic) to JWA signature algorithm identifiers
- *
- * By default it filters out unmappable algorithms. You can also choose to throw an error when an unknown
- * algorithm is detected.
- *
- * @param coseAlgs - Array of COSE algorithm identifiers
- * @returns Array of JWA signature algorithm identifiers
- *
- * @example
- * ```typescript
- * const jwaAlgs = fullySpecifiedCoseAlgorithmArrayToJwaSignatureAlgorithmArray([-19, -9, 999])
- * // Returns ['Ed25519', 'ES256']
- * ```
- */
-declare function fullySpecifiedCoseAlgorithmArrayToJwaSignatureAlgorithmArray(coseAlgs: number[], throwOnUnknownValue?: boolean): JwaSignatureAlgorithmIdentifier[];
-//#endregion
-//#region src/common/jwk/jwk-thumbprint.d.ts
-interface CalculateJwkThumbprintOptions {
-  /**
-   * The jwk to calcualte the thumbprint for.
-   */
-  jwk: Jwk;
-  /**
-   * The hashing algorithm to use for calculating the thumbprint
-   */
-  hashAlgorithm: HashAlgorithm;
-  /**
-   * The hash callback to calculate the digest
-   */
-  hashCallback: HashCallback;
-}
-declare function calculateJwkThumbprint(options: CalculateJwkThumbprintOptions): Promise<string>;
-//#endregion
-//#region src/common/jwk/jwks.d.ts
-declare function isJwkInSet({
-  jwk,
-  jwks,
-  callbacks
-}: {
-  jwk: Jwk;
-  jwks: Jwk[];
-  callbacks: Pick<CallbackContext, 'hash'>;
-}): Promise<boolean>;
-//#endregion
-//#region src/common/jwt/decode-jwt-header.d.ts
-interface DecodeJwtHeaderOptions<HeaderSchema extends BaseSchema | undefined> {
-  /**
-   * The comapct encoded jwt
-   */
-  jwt: string;
-  /**
-   * Schema to use for validating the header. If not provided the
-   * default `vJwtHeader` schema will be used
-   */
-  headerSchema?: HeaderSchema;
-}
-type DecodeJwtHeaderResult<HeaderSchema extends BaseSchema | undefined = undefined> = {
-  header: InferSchemaOrDefaultOutput<HeaderSchema, typeof zJwtHeader>;
-};
-declare function decodeJwtHeader<HeaderSchema extends BaseSchema | undefined = undefined>(options: DecodeJwtHeaderOptions<HeaderSchema>): DecodeJwtHeaderResult<HeaderSchema>;
-//#endregion
-//#region src/common/jwt/verify-jwt.d.ts
-interface VerifyJwtOptions {
-  /**
-   * Compact jwt
-   */
-  compact: string;
-  /**
-   * Header of the jwt
-   */
-  header: JwtHeader;
-  /**
-   * Payload of the jwt.
-   */
-  payload: JwtPayload;
-  /**
-   * If not provided current time will be used.
-   *
-   * @default new Date()
-   */
-  now?: Date;
-  /**
-   * Whether to skip time based validation of `nbf` and `exp`.
-   * @default false
-   */
-  skipTimeBasedValidation?: boolean;
-  /**
-   * Callback to verify jwt signature
-   */
-  verifyJwtCallback: VerifyJwtCallback;
-  /**
-   * Signer of the jwt
-   */
-  signer: JwtSigner;
-  /**
-   * Custom error message
-   */
-  errorMessage?: string;
-  /**
-   * Allowed skew time in seconds for validity of token. Used for `exp` and `nbf`
-   * verification.
-   *
-   * @default 0
-   */
-  allowedSkewInSeconds?: number;
-  /**
-   * Expected value for the 'aud' claim
-   */
-  expectedAudience?: string;
-  /**
-   * Expected value for the 'iss' claim
-   */
-  expectedIssuer?: string;
-  /**
-   * Expected value for the 'nonce' claim
-   */
-  expectedNonce?: string;
-  /**
-   * Expected value for the 'sub' claim
-   */
-  expectedSubject?: string;
-  /**
-   * The claims that are required to be present in the jwt.
-   */
-  requiredClaims?: string[];
-}
-interface VerifyJwtReturn {
-  signer: JwtSignerWithJwk;
-}
-declare function verifyJwt(options: VerifyJwtOptions): Promise<VerifyJwtReturn>;
-//#endregion
-//#region src/common/jwt/z-jwe.d.ts
-declare const zCompactJwe: z.ZodString;
-//#endregion
-//#region src/error/Oauth2Error.d.ts
-interface Oauth2ErrorOptions {
-  cause?: unknown;
-}
-declare class Oauth2Error extends Error {
-  readonly cause?: unknown;
-  constructor(message?: string, options?: Oauth2ErrorOptions);
-}
-//#endregion
-//#region src/error/Oauth2ClientErrorResponseError.d.ts
-declare class Oauth2ClientErrorResponseError extends Oauth2Error {
-  readonly errorResponse: Oauth2ErrorResponse;
-  readonly response: FetchResponse;
-  constructor(message: string, errorResponse: Oauth2ErrorResponse, response: FetchResponse);
-}
-//#endregion
-//#region src/error/Oauth2ClientAuthorizationChallengeError.d.ts
-declare class Oauth2ClientAuthorizationChallengeError extends Oauth2ClientErrorResponseError {
-  readonly errorResponse: AuthorizationChallengeErrorResponse;
-  constructor(message: string, errorResponse: AuthorizationChallengeErrorResponse, response: FetchResponse);
-}
-//#endregion
-//#region src/error/Oauth2JwtParseError.d.ts
-declare class Oauth2JwtParseError extends Oauth2Error {
-  constructor(message?: string);
-}
-//#endregion
-//#region src/error/Oauth2JwtVerificationError.d.ts
-declare class Oauth2JwtVerificationError extends Oauth2Error {
-  constructor(message?: string, options?: Oauth2ErrorOptions);
-}
-//#endregion
-//#region src/error/Oauth2ResourceUnauthorizedError.d.ts
-interface WwwAuthenticateHeaderChallenge {
-  scheme: SupportedAuthenticationScheme | (string & {});
-  /**
-   * Space delimited scope value that lists scopes required
-   * to access this resource.
-   */
-  scope?: string;
-  /**
-   * Error should only be undefined if no access token was provided at all
-   */
-  error?: Oauth2ErrorCodes | string;
-  error_description?: string;
-  /**
-   * Additional payload items to include in the Www-Authenticate
-   * header response.
-   */
-  additionalPayload?: Record<string, string>;
-}
-declare class Oauth2ResourceUnauthorizedError extends Oauth2Error {
-  readonly wwwAuthenticateHeaders: WwwAuthenticateHeaderChallenge[];
-  constructor(internalMessage: string | undefined, wwwAuthenticateHeaders: WwwAuthenticateHeaderChallenge | Array<WwwAuthenticateHeaderChallenge>);
-  static fromHeaderValue(value: string): Oauth2ResourceUnauthorizedError;
-  toHeaderValue(): string;
-}
-//#endregion
-//#region src/error/Oauth2ServerErrorResponseError.d.ts
-interface Oauth2ServerErrorResponseErrorOptions extends Oauth2ErrorOptions {
-  internalMessage?: string;
-  /**
-   * @default 400
-   */
-  status?: number;
-}
-declare class Oauth2ServerErrorResponseError extends Oauth2Error {
-  readonly errorResponse: Oauth2ErrorResponse;
-  readonly status: number;
-  constructor(errorResponse: Oauth2ErrorResponse, options?: Oauth2ServerErrorResponseErrorOptions);
-}
-//#endregion
-//#region src/id-token/verify-id-token.d.ts
-interface VerifyIdTokenJwtOptions {
-  /**
-   * The compact id token.
-   */
-  idToken: string;
-  /**
-   * Callbacks used for verifying the id token
-   */
-  callbacks: Pick<CallbackContext, 'verifyJwt' | 'fetch'>;
-  /**
-   * If not provided current time will be used
-   */
-  now?: Date;
-  /**
-   * Authorization server metadata
-   */
-  authorizationServer: AuthorizationServerMetadata;
-  /**
-   * The client_id of the Relying Party for which the token was issued.
-   */
-  clientId: string;
-  /**
-   * Expected nonce in the payload. If not provided the nonce won't be validated.
-   */
-  expectedNonce?: string;
-}
-/**
- * Verify an ID Token JWT.
- */
-declare function verifyIdTokenJwt(options: VerifyIdTokenJwtOptions): Promise<{
-  header: {
-    [x: string]: unknown;
-    alg: string;
-    typ?: string | undefined;
-    kid?: string | undefined;
-    jwk?: {
-      [x: string]: unknown;
-      kty: string;
-      crv?: string | undefined;
-      x?: string | undefined;
-      y?: string | undefined;
-      e?: string | undefined;
-      n?: string | undefined;
-      alg?: string | undefined;
-      d?: string | undefined;
-      dp?: string | undefined;
-      dq?: string | undefined;
-      ext?: boolean | undefined;
-      k?: string | undefined;
-      key_ops?: string[] | undefined;
-      kid?: string | undefined;
-      oth?: {
-        [x: string]: unknown;
-        d?: string | undefined;
-        r?: string | undefined;
-        t?: string | undefined;
-      }[] | undefined;
-      p?: string | undefined;
-      q?: string | undefined;
-      qi?: string | undefined;
-      use?: string | undefined;
-      x5c?: string[] | undefined;
-      x5t?: string | undefined;
-      'x5t#S256'?: string | undefined;
-      x5u?: string | undefined;
-    } | undefined;
-    x5c?: string[] | undefined;
-    trust_chain?: [string, ...string[]] | undefined;
-  };
-  payload: {
-    [x: string]: unknown;
-    iss: string;
-    sub: string;
-    aud: string | string[];
-    exp: number;
-    iat: number;
-    auth_time?: number | undefined;
-    acr?: string | undefined;
-    amr?: string[] | undefined;
-    azp?: string | undefined;
-    name?: string | undefined;
-    given_name?: string | undefined;
-    family_name?: string | undefined;
-    middle_name?: string | undefined;
-    nickname?: string | undefined;
-    preferred_username?: string | undefined;
-    profile?: string | undefined;
-    picture?: string | undefined;
-    website?: string | undefined;
-    email?: string | undefined;
-    email_verified?: boolean | undefined;
-    gender?: string | undefined;
-    birthdate?: string | undefined;
-    zoneinfo?: string | undefined;
-    locale?: string | undefined;
-    phone_number?: string | undefined;
-    phone_number_verified?: boolean | undefined;
-    address?: {
-      [x: string]: unknown;
-      formatted?: string | undefined;
-      street_address?: string | undefined;
-      locality?: string | undefined;
-      region?: string | undefined;
-      postal_code?: string | undefined;
-      country?: string | undefined;
-    } | undefined;
-    updated_at?: number | undefined;
-    nbf?: number | undefined;
-    nonce?: string | undefined;
-    jti?: string | undefined;
-    cnf?: {
-      [x: string]: unknown;
-      jwk?: {
-        [x: string]: unknown;
-        kty: string;
-        crv?: string | undefined;
-        x?: string | undefined;
-        y?: string | undefined;
-        e?: string | undefined;
-        n?: string | undefined;
-        alg?: string | undefined;
-        d?: string | undefined;
-        dp?: string | undefined;
-        dq?: string | undefined;
-        ext?: boolean | undefined;
-        k?: string | undefined;
-        key_ops?: string[] | undefined;
-        kid?: string | undefined;
-        oth?: {
-          [x: string]: unknown;
-          d?: string | undefined;
-          r?: string | undefined;
-          t?: string | undefined;
-        }[] | undefined;
-        p?: string | undefined;
-        q?: string | undefined;
-        qi?: string | undefined;
-        use?: string | undefined;
-        x5c?: string[] | undefined;
-        x5t?: string | undefined;
-        'x5t#S256'?: string | undefined;
-        x5u?: string | undefined;
-      } | undefined;
-      jkt?: string | undefined;
-    } | undefined;
-    status?: Record<string, any> | undefined;
-    trust_chain?: [string, ...string[]] | undefined;
-  };
-}>;
-//#endregion
-//#region src/id-token/z-id-token-jwt.d.ts
-declare const zIdTokenJwtHeader: z$1.ZodObject<{
-  alg: z$1.ZodString;
-  typ: z$1.ZodOptional<z$1.ZodString>;
-  kid: z$1.ZodOptional<z$1.ZodString>;
-  jwk: z$1.ZodOptional<z$1.ZodObject<{
-    kty: z$1.ZodString;
-    crv: z$1.ZodOptional<z$1.ZodString>;
-    x: z$1.ZodOptional<z$1.ZodString>;
-    y: z$1.ZodOptional<z$1.ZodString>;
-    e: z$1.ZodOptional<z$1.ZodString>;
-    n: z$1.ZodOptional<z$1.ZodString>;
-    alg: z$1.ZodOptional<z$1.ZodString>;
-    d: z$1.ZodOptional<z$1.ZodString>;
-    dp: z$1.ZodOptional<z$1.ZodString>;
-    dq: z$1.ZodOptional<z$1.ZodString>;
-    ext: z$1.ZodOptional<z$1.ZodBoolean>;
-    k: z$1.ZodOptional<z$1.ZodString>;
-    key_ops: z$1.ZodOptional<z$1.ZodArray<z$1.ZodString>>;
-    kid: z$1.ZodOptional<z$1.ZodString>;
-    oth: z$1.ZodOptional<z$1.ZodArray<z$1.ZodObject<{
-      d: z$1.ZodOptional<z$1.ZodString>;
-      r: z$1.ZodOptional<z$1.ZodString>;
-      t: z$1.ZodOptional<z$1.ZodString>;
-    }, z$1.core.$loose>>>;
-    p: z$1.ZodOptional<z$1.ZodString>;
-    q: z$1.ZodOptional<z$1.ZodString>;
-    qi: z$1.ZodOptional<z$1.ZodString>;
-    use: z$1.ZodOptional<z$1.ZodString>;
-    x5c: z$1.ZodOptional<z$1.ZodArray<z$1.ZodString>>;
-    x5t: z$1.ZodOptional<z$1.ZodString>;
-    'x5t#S256': z$1.ZodOptional<z$1.ZodString>;
-    x5u: z$1.ZodOptional<z$1.ZodString>;
-  }, z$1.core.$loose>>;
-  x5c: z$1.ZodOptional<z$1.ZodArray<z$1.ZodString>>;
-  trust_chain: z$1.ZodOptional<z$1.ZodTuple<[z$1.ZodString], z$1.ZodString>>;
-}, z$1.core.$loose>;
-type IdTokenJwtHeader = z$1.infer<typeof zIdTokenJwtHeader>;
-declare const zIdTokenJwtPayload: z$1.ZodObject<{
-  iss: z$1.ZodString;
-  sub: z$1.ZodString;
-  aud: z$1.ZodUnion<readonly [z$1.ZodString, z$1.ZodArray<z$1.ZodString>]>;
-  exp: z$1.ZodNumber;
-  iat: z$1.ZodNumber;
-  auth_time: z$1.ZodOptional<z$1.ZodNumber>;
-  acr: z$1.ZodOptional<z$1.ZodString>;
-  amr: z$1.ZodOptional<z$1.ZodArray<z$1.ZodString>>;
-  azp: z$1.ZodOptional<z$1.ZodString>;
-  name: z$1.ZodOptional<z$1.ZodString>;
-  given_name: z$1.ZodOptional<z$1.ZodString>;
-  family_name: z$1.ZodOptional<z$1.ZodString>;
-  middle_name: z$1.ZodOptional<z$1.ZodString>;
-  nickname: z$1.ZodOptional<z$1.ZodString>;
-  preferred_username: z$1.ZodOptional<z$1.ZodString>;
-  profile: z$1.ZodOptional<z$1.ZodURL>;
-  picture: z$1.ZodOptional<z$1.ZodURL>;
-  website: z$1.ZodOptional<z$1.ZodURL>;
-  email: z$1.ZodOptional<z$1.ZodEmail>;
-  email_verified: z$1.ZodOptional<z$1.ZodBoolean>;
-  gender: z$1.ZodOptional<z$1.ZodUnion<[z$1.ZodEnum<{
-    male: "male";
-    female: "female";
-  }>, z$1.ZodString]>>;
-  birthdate: z$1.ZodOptional<z$1.ZodISODate>;
-  zoneinfo: z$1.ZodOptional<z$1.ZodString>;
-  locale: z$1.ZodOptional<z$1.ZodString>;
-  phone_number: z$1.ZodOptional<z$1.ZodString>;
-  phone_number_verified: z$1.ZodOptional<z$1.ZodBoolean>;
-  address: z$1.ZodOptional<z$1.ZodObject<{
-    formatted: z$1.ZodOptional<z$1.ZodString>;
-    street_address: z$1.ZodOptional<z$1.ZodString>;
-    locality: z$1.ZodOptional<z$1.ZodString>;
-    region: z$1.ZodOptional<z$1.ZodString>;
-    postal_code: z$1.ZodOptional<z$1.ZodString>;
-    country: z$1.ZodOptional<z$1.ZodString>;
-  }, z$1.core.$loose>>;
-  updated_at: z$1.ZodOptional<z$1.ZodNumber>;
-  nbf: z$1.ZodOptional<z$1.ZodNumber>;
-  nonce: z$1.ZodOptional<z$1.ZodString>;
-  jti: z$1.ZodOptional<z$1.ZodString>;
-  cnf: z$1.ZodOptional<z$1.ZodObject<{
-    jwk: z$1.ZodOptional<z$1.ZodObject<{
-      kty: z$1.ZodString;
-      crv: z$1.ZodOptional<z$1.ZodString>;
-      x: z$1.ZodOptional<z$1.ZodString>;
-      y: z$1.ZodOptional<z$1.ZodString>;
-      e: z$1.ZodOptional<z$1.ZodString>;
-      n: z$1.ZodOptional<z$1.ZodString>;
-      alg: z$1.ZodOptional<z$1.ZodString>;
-      d: z$1.ZodOptional<z$1.ZodString>;
-      dp: z$1.ZodOptional<z$1.ZodString>;
-      dq: z$1.ZodOptional<z$1.ZodString>;
-      ext: z$1.ZodOptional<z$1.ZodBoolean>;
-      k: z$1.ZodOptional<z$1.ZodString>;
-      key_ops: z$1.ZodOptional<z$1.ZodArray<z$1.ZodString>>;
-      kid: z$1.ZodOptional<z$1.ZodString>;
-      oth: z$1.ZodOptional<z$1.ZodArray<z$1.ZodObject<{
-        d: z$1.ZodOptional<z$1.ZodString>;
-        r: z$1.ZodOptional<z$1.ZodString>;
-        t: z$1.ZodOptional<z$1.ZodString>;
-      }, z$1.core.$loose>>>;
-      p: z$1.ZodOptional<z$1.ZodString>;
-      q: z$1.ZodOptional<z$1.ZodString>;
-      qi: z$1.ZodOptional<z$1.ZodString>;
-      use: z$1.ZodOptional<z$1.ZodString>;
-      x5c: z$1.ZodOptional<z$1.ZodArray<z$1.ZodString>>;
-      x5t: z$1.ZodOptional<z$1.ZodString>;
-      'x5t#S256': z$1.ZodOptional<z$1.ZodString>;
-      x5u: z$1.ZodOptional<z$1.ZodString>;
-    }, z$1.core.$loose>>;
-    jkt: z$1.ZodOptional<z$1.ZodString>;
-  }, z$1.core.$loose>>;
-  status: z$1.ZodOptional<z$1.ZodRecord<z$1.ZodString, z$1.ZodAny>>;
-  trust_chain: z$1.ZodOptional<z$1.ZodTuple<[z$1.ZodString], z$1.ZodString>>;
-}, z$1.core.$loose>;
-type IdTokenJwtPayload = z$1.infer<typeof zIdTokenJwtPayload>;
-//#endregion
-//#region src/jar/create-jar-authorization-request.d.ts
-interface CreateJarAuthorizationRequestOptions {
-  authorizationRequestPayload: JwtPayload & {
-    client_id?: string;
-  };
-  requestUri?: string;
-  jwtSigner: JwtSigner;
-  jweEncryptor?: JweEncryptor;
-  callbacks: Pick<CallbackContext, 'signJwt' | 'encryptJwe'>;
-  /**
-   * Number of seconds after which the signed authorization request will expire
-   */
-  expiresInSeconds: number;
-  /**
-   * Date that should be used as now. If not provided current date will be used.
-   */
-  now?: Date;
-  additionalJwtPayload?: Record<string, unknown>;
-}
-/**
- * Creates a JAR (JWT Authorization Request) request object.
- *
- * @param options - The input parameters
- * @param options.authorizationRequestPayload - The authorization request parameters
- * @param options.jwtSigner - The JWT signer
- * @param options.jweEncryptor - The JWE encryptor (optional) if provided, the request object will be encrypted
- * @param options.requestUri - The request URI (optional) if provided, the request object needs to be fetched from the URI
- * @param options.callbacks - The callback context
- * @returns the requestParams, signerJwk, encryptionJwk, and requestObjectJwt
- */
-declare function createJarAuthorizationRequest(options: CreateJarAuthorizationRequestOptions): Promise<{
-  jarAuthorizationRequest: {
-    [x: string]: unknown;
-    request?: string | undefined;
-    request_uri?: string | undefined;
-    client_id?: string | undefined;
-  };
-  signerJwk: {
-    [x: string]: unknown;
-    kty: string;
-    crv?: string | undefined;
-    x?: string | undefined;
-    y?: string | undefined;
-    e?: string | undefined;
-    n?: string | undefined;
-    alg?: string | undefined;
-    d?: string | undefined;
-    dp?: string | undefined;
-    dq?: string | undefined;
-    ext?: boolean | undefined;
-    k?: string | undefined;
-    key_ops?: string[] | undefined;
-    kid?: string | undefined;
-    oth?: {
-      [x: string]: unknown;
-      d?: string | undefined;
-      r?: string | undefined;
-      t?: string | undefined;
-    }[] | undefined;
-    p?: string | undefined;
-    q?: string | undefined;
-    qi?: string | undefined;
-    use?: string | undefined;
-    x5c?: string[] | undefined;
-    x5t?: string | undefined;
-    'x5t#S256'?: string | undefined;
-    x5u?: string | undefined;
-  };
-  encryptionJwk: {
-    [x: string]: unknown;
-    kty: string;
-    crv?: string | undefined;
-    x?: string | undefined;
-    y?: string | undefined;
-    e?: string | undefined;
-    n?: string | undefined;
-    alg?: string | undefined;
-    d?: string | undefined;
-    dp?: string | undefined;
-    dq?: string | undefined;
-    ext?: boolean | undefined;
-    k?: string | undefined;
-    key_ops?: string[] | undefined;
-    kid?: string | undefined;
-    oth?: {
-      [x: string]: unknown;
-      d?: string | undefined;
-      r?: string | undefined;
-      t?: string | undefined;
-    }[] | undefined;
-    p?: string | undefined;
-    q?: string | undefined;
-    qi?: string | undefined;
-    use?: string | undefined;
-    x5c?: string[] | undefined;
-    x5t?: string | undefined;
-    'x5t#S256'?: string | undefined;
-    x5u?: string | undefined;
-  } | undefined;
-  authorizationRequestJwt: string;
-}>;
-//#endregion
-//#region src/metadata/authorization-server/authorization-server-metadata.d.ts
-/**
- * fetch authorization server metadata. It first tries to fetch the oauth-authorization-server metadata. If that returns
- *  a 404, the openid-configuration metadata will be fetched.
- */
-declare function fetchAuthorizationServerMetadata(issuer: string, fetch?: Fetch): Promise<AuthorizationServerMetadata | null>;
-declare function getAuthorizationServerMetadataFromList(authorizationServersMetadata: AuthorizationServerMetadata[], issuer: string): {
-  [x: string]: unknown;
-  issuer: string;
-  token_endpoint: string;
-  token_endpoint_auth_methods_supported?: string[] | undefined;
-  authorization_endpoint?: string | undefined;
-  jwks_uri?: string | undefined;
-  grant_types_supported?: string[] | undefined;
-  code_challenge_methods_supported?: string[] | undefined;
-  dpop_signing_alg_values_supported?: string[] | undefined;
-  require_pushed_authorization_requests?: boolean | undefined;
-  pushed_authorization_request_endpoint?: string | undefined;
-  introspection_endpoint?: string | undefined;
-  introspection_endpoint_auth_methods_supported?: string[] | undefined;
-  introspection_endpoint_auth_signing_alg_values_supported?: string[] | undefined;
-  authorization_challenge_endpoint?: string | undefined;
-  'pre-authorized_grant_anonymous_access_supported'?: boolean | undefined;
-  client_attestation_pop_nonce_required?: boolean | undefined;
-};
-//#endregion
-//#region src/metadata/fetch-jwks-uri.d.ts
-/**
- * Fetch JWKs from a provided JWKs URI.
- *
- * Returns validated metadata if successful response
- * Throws error otherwise
- *
- * @throws {ValidationError} if successful response but validation of response failed
- * @throws {InvalidFetchResponseError} if unsuccesful response
- */
-declare function fetchJwks(jwksUrl: string, fetch?: Fetch): Promise<JwkSet>;
-//#endregion
-//#region src/metadata/fetch-well-known-metadata.d.ts
-interface FetchWellKnownMetadataOptions {
-  /**
-   * Custom fetch implementation to use for fetching the metadata
-   */
-  fetch?: Fetch;
-  /**
-   * The accepted content types. If not provided a default of `ContentType.Json`
-   * will be used. This will be used for the `Accept` header, as well as verified
-   * against the `Content-Type` response header.
-   */
-  acceptedContentType?: [ContentType, ...ContentType[]];
-}
-/**
- * Fetch well known metadata and validate the response.
- *
- * Returns null if 404 is returned
- * Returns validated metadata if successful response
- * Throws error otherwise
- *
- * @throws {ValidationError} if successful response but validation of response failed
- * @throws {InvalidFetchResponseError} if no successful or 404 response
- * @throws {Error} if parsing json from response fails
- */
-declare function fetchWellKnownMetadata<Schema extends BaseSchema>(wellKnownMetadataUrl: string, schema: Schema, options?: FetchWellKnownMetadataOptions): Promise<z$1.infer<Schema> | null>;
-//#endregion
-//#region src/access-token/create-access-token.d.ts
-interface CreateAccessTokenOptions {
-  callbacks: Pick<CallbackContext, 'signJwt' | 'generateRandom' | 'hash'>;
-  /**
-   * public dpop jwk key. Will be encoded as jwk thumbprint in the `cnf.jkt` claim.
-   */
-  dpop?: {
-    jwk: Jwk;
-  };
-  /**
-   * scope of the access token. If the authorization request included scopes
-   * they should be added to the access token as well
-   */
-  scope?: string;
-  /**
-   * Client id to which the access token is bound.
-   * Can be undefined in case of anonymous access using pre authorized code flow
-   */
-  clientId?: string;
-  /**
-   * The authorization server that issues the access token
-   */
-  authorizationServer: string;
-  /**
-   * Signer of the access token
-   */
-  signer: JwtSigner;
-  /**
-   * Number of seconds after which the token will expire
-   */
-  expiresInSeconds: number;
-  /**
-   * The audience of the access token. Should be the `resource` if included in the authorization request
-   */
-  audience: string;
-  /**
-   * The subject of the access token. When a resource owner is involved,
-   * it should be an identifier for the resource owner.
-   */
-  subject: string;
-  /**
-   * Date that should be used as now. If not provided current date will be used.
-   */
-  now?: Date;
-  /**
-   * Additional payload claims to include in the access token JWT.
-   * Will override existing claims so you can override default behaviour, but be careful.
-   */
-  additionalPayload?: Record<string, unknown>;
-}
-//#endregion
-//#region src/access-token/create-access-token-response.d.ts
-interface CreateAccessTokenResponseOptions {
-  callbacks: Pick<CallbackContext, 'signJwt' | 'generateRandom' | 'hash'>;
-  /**
-   * The access token
-   */
-  accessToken: string;
-  /**
-   * The type of token. Should be DPoP if the access token
-   * is bound to a dpop key
-   */
-  tokenType: 'DPoP' | 'Bearer' | (string & {});
-  /**
-   * Number of seconds after which the access tokens expires.
-   */
-  expiresInSeconds: number;
-  /**
-   * The refresh token
-   */
-  refreshToken?: string;
-  /**
-   * New cNonce value
-   */
-  cNonce?: string;
-  cNonceExpiresIn?: number;
-  /**
-   * Additional payload to include in the access token response.
-   *
-   * Will be applied after default payload to allow overriding over values, but be careful.
-   */
-  additionalPayload?: Record<string, unknown>;
-}
-//#endregion
-//#region src/authorization-challenge/create-authorization-challenge-response.d.ts
-interface CreateAuthorizationChallengeResponseOptions {
-  /**
-   * The authorization code
-   */
-  authorizationCode: string;
-  /**
-   * Additional payload to include in the authorization challenge response.
-   */
-  additionalPayload?: Record<string, unknown>;
-}
-interface CreateAuthorizationChallengeErrorResponseOptions {
-  /**
-   * Auth session identifier for the authorization challenge. The client MUST include this
-   * in subsequent requests to the authorization challenge endpoint.
-   */
-  authSession?: string;
-  /**
-   * Error codes specific to authorization challenge are:
-   *  - @see Oauth2ErrorCodes.RedirectToWeb
-   *  - @see Oauth2ErrorCodes.InvalidSession
-   *  - @see Oauth2ErrorCodes.InsufficientAuthorization
-   */
-  error: StringWithAutoCompletion<Oauth2ErrorCodes>;
-  /**
-   * Optional error description
-   */
-  errorDescription?: string;
-  /**
-   * OpenID4VP authorization request url that must be completed before authorization
-   * can be granted
-   *
-   * Should be combined with `error` @see Oauth2ErrorCodes.InsufficientAuthorization
-   */
-  presentation?: string;
-  /**
-   * Optional PAR request uri, allowing the authorization challenge request to be treated
-   * as a succesfull pushed authorization request.
-   *
-   * Should be combined with `error` @see Oauth2ErrorCodes.RedirectToWeb
-   */
-  requestUri?: string;
-  /**
-   * Duration is seconds after which the `requestUri` parameter will expire. Should only be included
-   * if the `requestUri` is also included, and has no meaning otherwise
-   */
-  expiresIn?: number;
-  /**
-   * Additional payload to include in the authorization challenge error response.
-   */
-  additionalPayload?: Record<string, unknown>;
-}
-//#endregion
-//#region src/Oauth2AuthorizationServer.d.ts
-interface Oauth2AuthorizationServerOptions {
-  /**
-   * Callbacks required for the oauth2 authorization server
-   */
-  callbacks: Omit<CallbackContext, 'decryptJwe' | 'encryptJwe'>;
-}
-declare class Oauth2AuthorizationServer {
-  private options;
-  constructor(options: Oauth2AuthorizationServerOptions);
-  createAuthorizationServerMetadata(authorizationServerMetadata: AuthorizationServerMetadata): {
-    [x: string]: unknown;
-    issuer: string;
-    token_endpoint: string;
-    token_endpoint_auth_methods_supported?: string[] | undefined;
-    authorization_endpoint?: string | undefined;
-    jwks_uri?: string | undefined;
-    grant_types_supported?: string[] | undefined;
-    code_challenge_methods_supported?: string[] | undefined;
-    dpop_signing_alg_values_supported?: string[] | undefined;
-    require_pushed_authorization_requests?: boolean | undefined;
-    pushed_authorization_request_endpoint?: string | undefined;
-    introspection_endpoint?: string | undefined;
-    introspection_endpoint_auth_methods_supported?: string[] | undefined;
-    introspection_endpoint_auth_signing_alg_values_supported?: string[] | undefined;
-    authorization_challenge_endpoint?: string | undefined;
-    'pre-authorized_grant_anonymous_access_supported'?: boolean | undefined;
-    client_attestation_pop_nonce_required?: boolean | undefined;
-  };
-  /**
-   * Parse access token request and extract the grant specific properties.
-   *
-   * If something goes wrong, such as the grant is not supported, missing parameters, etc,
-   * it will throw `Oauth2ServerErrorResponseError` containing an error response object
-   * that can be returned to the client.
-   */
-  parseAccessTokenRequest(options: ParseAccessTokenRequestOptions): ParseAccessTokenRequestResult;
-  verifyPreAuthorizedCodeAccessTokenRequest(options: Omit<VerifyPreAuthorizedCodeAccessTokenRequestOptions, 'callbacks'>): Promise<VerifyAccessTokenRequestReturn>;
-  verifyAuthorizationCodeAccessTokenRequest(options: Omit<VerifyAuthorizationCodeAccessTokenRequestOptions, 'callbacks'>): Promise<VerifyAccessTokenRequestReturn>;
-  verifyRefreshTokenAccessTokenRequest(options: Omit<VerifyRefreshTokenAccessTokenRequestOptions, 'callbacks'>): Promise<VerifyAccessTokenRequestReturn>;
-  /**
-   * Create an access token response.
-   *
-   * The `sub` claim can be used to identify the resource owner is subsequent requests.
-   * For pre-auth flow this can be the pre-authorized_code but there are no requirements
-   * on the value.
-   *
-   * To generate a refresh token, set the `refreshToken` option to `true`. You can
-   * also provide a custom refresh token string.
-   */
-  createAccessTokenResponse(options: Pick<CreateAccessTokenOptions, 'expiresInSeconds' | 'scope' | 'clientId' | 'audience' | 'signer' | 'dpop' | 'authorizationServer' | 'now' | 'subject'> & Pick<CreateAccessTokenResponseOptions, 'cNonce' | 'cNonceExpiresIn'> & {
-    additionalAccessTokenPayload?: CreateAccessTokenOptions['additionalPayload'];
-    additionalAccessTokenResponsePayload?: CreateAccessTokenResponseOptions['additionalPayload'];
-    refreshToken?: boolean | string;
-  }): Promise<{
-    [x: string]: unknown;
-    access_token: string;
-    token_type: string;
-    expires_in?: number | undefined;
-    scope?: string | undefined;
-    state?: string | undefined;
-    refresh_token?: string | undefined;
-    c_nonce?: string | undefined;
-    c_nonce_expires_in?: number | undefined;
-    authorization_details?: {
-      [x: string]: unknown;
-    }[] | undefined;
-  }>;
-  /**
-   * Parse a pushed authorization request
-   */
-  parsePushedAuthorizationRequest(options: Omit<ParsePushedAuthorizationRequestOptions, 'callbacks'>): Promise<ParsePushedAuthorizationRequestResult>;
-  /**
-   * Verify pushed authorization request.
-   *
-   * Make sure to provide the `authorizationRequestJwt` if this was returned in the `parsePushedAuthorizationRequest`
-   */
-  verifyPushedAuthorizationRequest(options: Omit<VerifyPushedAuthorizationRequestOptions, 'callbacks'>): Promise<VerifyPushedAuthorizationRequestReturn>;
-  createPushedAuthorizationResponse(options: CreatePushedAuthorizationResponseOptions): {
-    pushedAuthorizationResponse: {
-      [x: string]: unknown;
-      request_uri: string;
-      expires_in: number;
-    };
-  };
-  createPushedAuthorizationErrorResponse(options: CreatePushedAuthorizationErrorResponseOptions): {
-    [x: string]: unknown;
-    error: string;
-    error_description?: string | undefined;
-    error_uri?: string | undefined;
-  };
-  /**
-   * Parse an authorization challenge request
-   */
-  parseAuthorizationChallengeRequest(options: ParseAuthorizationChallengeRequestOptions): ParseAuthorizationChallengeRequestResult;
-  verifyAuthorizationChallengeRequest(options: Omit<VerifyAuthorizationChallengeRequestOptions, 'callbacks'>): Promise<VerifyAuthorizationRequestReturn>;
-  createAuthorizationChallengeResponse(options: CreateAuthorizationChallengeResponseOptions): {
-    authorizationChallengeResponse: {
-      [x: string]: unknown;
-      authorization_code: string;
-    };
-  };
-  /**
-   * Create an authorization challenge error response indicating presentation of credentials
-   * using OpenID4VP is required before authorization can be granted.
-   *
-   * The `presentation` parameter should be an OpenID4VP authorization request url.
-   * The `authSession` should be used to track the session
-   */
-  createAuthorizationChallengePresentationErrorResponse(options: Pick<CreateAuthorizationChallengeErrorResponseOptions, 'errorDescription' | 'additionalPayload'> & Required<Pick<CreateAuthorizationChallengeErrorResponseOptions, 'authSession' | 'presentation'>>): {
-    [x: string]: unknown;
-    error: string;
-    auth_session?: string | undefined;
-    request_uri?: string | undefined;
-    expires_in?: number | undefined;
-    presentation?: string | undefined;
-    error_description?: string | undefined;
-    error_uri?: string | undefined;
-  };
-  createAuthorizationChallengeErrorResponse(options: CreateAuthorizationChallengeErrorResponseOptions): {
-    [x: string]: unknown;
-    error: string;
-    auth_session?: string | undefined;
-    request_uri?: string | undefined;
-    expires_in?: number | undefined;
-    presentation?: string | undefined;
-    error_description?: string | undefined;
-    error_uri?: string | undefined;
-  };
-  verifyDpopJwt(options: Omit<VerifyDpopJwtOptions, 'callbacks'>): Promise<{
-    header: {
-      [x: string]: unknown;
-      typ: "dpop+jwt";
-      jwk: {
-        [x: string]: unknown;
-        kty: string;
-        crv?: string | undefined;
-        x?: string | undefined;
-        y?: string | undefined;
-        e?: string | undefined;
-        n?: string | undefined;
-        alg?: string | undefined;
-        d?: string | undefined;
-        dp?: string | undefined;
-        dq?: string | undefined;
-        ext?: boolean | undefined;
-        k?: string | undefined;
-        key_ops?: string[] | undefined;
-        kid?: string | undefined;
-        oth?: {
-          [x: string]: unknown;
-          d?: string | undefined;
-          r?: string | undefined;
-          t?: string | undefined;
-        }[] | undefined;
-        p?: string | undefined;
-        q?: string | undefined;
-        qi?: string | undefined;
-        use?: string | undefined;
-        x5c?: string[] | undefined;
-        x5t?: string | undefined;
-        'x5t#S256'?: string | undefined;
-        x5u?: string | undefined;
-      };
-      alg: string;
-      kid?: string | undefined;
-      x5c?: string[] | undefined;
-      trust_chain?: [string, ...string[]] | undefined;
-    };
-    payload: {
-      [x: string]: unknown;
-      iat: number;
-      htu: string;
-      htm: "POST" | "GET" | "PUT" | "DELETE" | "HEAD" | "OPTIONS" | "TRACE" | "CONNECT" | "PATCH";
-      jti: string;
-      ath?: string | undefined;
-      iss?: string | undefined;
-      aud?: string | string[] | undefined;
-      exp?: number | undefined;
-      nbf?: number | undefined;
-      nonce?: string | undefined;
-      sub?: string | undefined;
-      cnf?: {
-        [x: string]: unknown;
-        jwk?: {
-          [x: string]: unknown;
-          kty: string;
-          crv?: string | undefined;
-          x?: string | undefined;
-          y?: string | undefined;
-          e?: string | undefined;
-          n?: string | undefined;
-          alg?: string | undefined;
-          d?: string | undefined;
-          dp?: string | undefined;
-          dq?: string | undefined;
-          ext?: boolean | undefined;
-          k?: string | undefined;
-          key_ops?: string[] | undefined;
-          kid?: string | undefined;
-          oth?: {
-            [x: string]: unknown;
-            d?: string | undefined;
-            r?: string | undefined;
-            t?: string | undefined;
-          }[] | undefined;
-          p?: string | undefined;
-          q?: string | undefined;
-          qi?: string | undefined;
-          use?: string | undefined;
-          x5c?: string[] | undefined;
-          x5t?: string | undefined;
-          'x5t#S256'?: string | undefined;
-          x5u?: string | undefined;
-        } | undefined;
-        jkt?: string | undefined;
-      } | undefined;
-      status?: Record<string, any> | undefined;
-      trust_chain?: [string, ...string[]] | undefined;
-    };
-    jwkThumbprint: string;
-  }>;
-  verifyClientAttestation(options: Omit<VerifyClientAttestationOptions, 'callbacks'>): Promise<{
-    clientAttestation: {
-      header: {
-        [x: string]: unknown;
-        typ: "oauth-client-attestation+jwt";
-        alg: string;
-        kid?: string | undefined;
-        jwk?: {
-          [x: string]: unknown;
-          kty: string;
-          crv?: string | undefined;
-          x?: string | undefined;
-          y?: string | undefined;
-          e?: string | undefined;
-          n?: string | undefined;
-          alg?: string | undefined;
-          d?: string | undefined;
-          dp?: string | undefined;
-          dq?: string | undefined;
-          ext?: boolean | undefined;
-          k?: string | undefined;
-          key_ops?: string[] | undefined;
-          kid?: string | undefined;
-          oth?: {
-            [x: string]: unknown;
-            d?: string | undefined;
-            r?: string | undefined;
-            t?: string | undefined;
-          }[] | undefined;
-          p?: string | undefined;
-          q?: string | undefined;
-          qi?: string | undefined;
-          use?: string | undefined;
-          x5c?: string[] | undefined;
-          x5t?: string | undefined;
-          'x5t#S256'?: string | undefined;
-          x5u?: string | undefined;
-        } | undefined;
-        x5c?: string[] | undefined;
-        trust_chain?: [string, ...string[]] | undefined;
-      };
-      payload: {
-        [x: string]: unknown;
-        iss: string;
-        sub: string;
-        exp: number;
-        cnf: {
-          [x: string]: unknown;
-          jwk: {
-            [x: string]: unknown;
-            kty: string;
-            crv?: string | undefined;
-            x?: string | undefined;
-            y?: string | undefined;
-            e?: string | undefined;
-            n?: string | undefined;
-            alg?: string | undefined;
-            d?: string | undefined;
-            dp?: string | undefined;
-            dq?: string | undefined;
-            ext?: boolean | undefined;
-            k?: string | undefined;
-            key_ops?: string[] | undefined;
-            kid?: string | undefined;
-            oth?: {
-              [x: string]: unknown;
-              d?: string | undefined;
-              r?: string | undefined;
-              t?: string | undefined;
-            }[] | undefined;
-            p?: string | undefined;
-            q?: string | undefined;
-            qi?: string | undefined;
-            use?: string | undefined;
-            x5c?: string[] | undefined;
-            x5t?: string | undefined;
-            'x5t#S256'?: string | undefined;
-            x5u?: string | undefined;
-          };
-        };
-        wallet_name?: string | undefined;
-        wallet_link?: string | undefined;
-        aud?: string | string[] | undefined;
-        iat?: number | undefined;
-        nbf?: number | undefined;
-        nonce?: string | undefined;
-        jti?: string | undefined;
-        status?: Record<string, any> | undefined;
-        trust_chain?: [string, ...string[]] | undefined;
-      };
-      signer: JwtSignerWithJwk;
-    };
-    clientAttestationPop: {
-      header: {
-        [x: string]: unknown;
-        typ: "oauth-client-attestation-pop+jwt";
-        alg: string;
-        kid?: string | undefined;
-        jwk?: {
-          [x: string]: unknown;
-          kty: string;
-          crv?: string | undefined;
-          x?: string | undefined;
-          y?: string | undefined;
-          e?: string | undefined;
-          n?: string | undefined;
-          alg?: string | undefined;
-          d?: string | undefined;
-          dp?: string | undefined;
-          dq?: string | undefined;
-          ext?: boolean | undefined;
-          k?: string | undefined;
-          key_ops?: string[] | undefined;
-          kid?: string | undefined;
-          oth?: {
-            [x: string]: unknown;
-            d?: string | undefined;
-            r?: string | undefined;
-            t?: string | undefined;
-          }[] | undefined;
-          p?: string | undefined;
-          q?: string | undefined;
-          qi?: string | undefined;
-          use?: string | undefined;
-          x5c?: string[] | undefined;
-          x5t?: string | undefined;
-          'x5t#S256'?: string | undefined;
-          x5u?: string | undefined;
-        } | undefined;
-        x5c?: string[] | undefined;
-        trust_chain?: [string, ...string[]] | undefined;
-      };
-      payload: {
-        [x: string]: unknown;
-        iss: string;
-        exp: number;
-        aud: string | string[];
-        jti: string;
-        nonce?: string | undefined;
-        iat?: number | undefined;
-        nbf?: number | undefined;
-        sub?: string | undefined;
-        cnf?: {
-          [x: string]: unknown;
-          jwk?: {
-            [x: string]: unknown;
-            kty: string;
-            crv?: string | undefined;
-            x?: string | undefined;
-            y?: string | undefined;
-            e?: string | undefined;
-            n?: string | undefined;
-            alg?: string | undefined;
-            d?: string | undefined;
-            dp?: string | undefined;
-            dq?: string | undefined;
-            ext?: boolean | undefined;
-            k?: string | undefined;
-            key_ops?: string[] | undefined;
-            kid?: string | undefined;
-            oth?: {
-              [x: string]: unknown;
-              d?: string | undefined;
-              r?: string | undefined;
-              t?: string | undefined;
-            }[] | undefined;
-            p?: string | undefined;
-            q?: string | undefined;
-            qi?: string | undefined;
-            use?: string | undefined;
-            x5c?: string[] | undefined;
-            x5t?: string | undefined;
-            'x5t#S256'?: string | undefined;
-            x5u?: string | undefined;
-          } | undefined;
-          jkt?: string | undefined;
-        } | undefined;
-        status?: Record<string, any> | undefined;
-        trust_chain?: [string, ...string[]] | undefined;
-      };
-      signer: JwtSignerWithJwk;
-    };
-  }>;
-}
-//#endregion
-//#region src/resource-request/make-resource-request.d.ts
-interface ResourceRequestOptions {
-  /**
-   * DPoP options
-   */
-  dpop?: RequestDpopOptions & {
-    /**
-     * Whether to retry the request if the server responds with an error indicating
-     * the request should be retried with a server provided dpop nonce
-     *
-     * @default true
-     */
-    retryWithNonce?: boolean;
-  };
-  /**
-   * Callbacks
-   */
-  callbacks: Pick<CallbackContext, 'fetch' | 'generateRandom' | 'signJwt' | 'hash'>;
-  /**
-   * Access token
-   */
-  accessToken: string;
-  url: string;
-  requestOptions: FetchRequestInit;
-}
-interface ResourceRequestResponseBase {
-  ok: boolean;
-  response: FetchResponse;
-  /**
-   * If the response included a dpop nonce to be used in subsequent requests
-   */
-  dpop?: {
-    nonce: string;
-  };
-}
-interface ResourceRequestResponseOk extends ResourceRequestResponseBase {
-  ok: true;
-}
-interface ResourceRequestResponseNotOk extends ResourceRequestResponseBase {
-  ok: false;
-  /**
-   * If a WWW-Authenticate was included in the headers of the response
-   * they will be parsed and added here.
-   */
-  wwwAuthenticate?: WwwAuthenticateHeaderChallenge[];
-}
-declare function resourceRequest(options: ResourceRequestOptions): Promise<ResourceRequestResponseOk | ResourceRequestResponseNotOk>;
-//#endregion
-//#region src/authorization-challenge/send-authorization-challenge.d.ts
-interface SendAuthorizationChallengeRequestOptions {
-  /**
-   * Callback context
-   */
-  callbacks: Pick<CallbackContext, 'fetch' | 'hash' | 'generateRandom' | 'signJwt' | 'clientAuthentication'>;
-  /**
-   * Metadata of the authorization server where to perform the authorization challenge
-   */
-  authorizationServerMetadata: AuthorizationServerMetadata;
-  /**
-   * Previously established auth session
-   */
-  authSession?: string;
-  /**
-   * Scope to request for the authorization challenge request
-   */
-  scope?: string;
-  /**
-   * State for the authorization challenge request
-   */
-  state?: string;
-  /**
-   * The resource to which access is being requested. This can help the authorization
-   * server in determining the resource server to handle the authorization request for
-   */
-  resource?: string;
-  /**
-   * Redirect uri to include in the authorization challenge request. Maybe be used by the
-   * server when falling back to a PAR request.
-   */
-  redirectUri?: string;
-  /**
-   * Presentation during issuance session if credentials were presented
-   * as part of an issuance session
-   */
-  presentationDuringIssuanceSession?: string;
-  /**
-   * Additional payload to include in the authorization challenge request. Items will be encoded and sent
-   * using x-www-form-urlencoded format. Nested items (JSON) will be stringified and url encoded.
-   */
-  additionalRequestPayload?: Record<string, unknown>;
-  /**
-   * Code verifier to use for pkce. If not provided a value will generated when pkce is supported
-   */
-  pkceCodeVerifier?: string;
-  /**
-   * DPoP options
-   */
-  dpop?: RequestDpopOptions;
-}
-//#endregion
-//#region src/Oauth2Client.d.ts
-interface Oauth2ClientOptions {
-  /**
-   * Callbacks required for the oauth2 client
-   */
-  callbacks: Omit<CallbackContext, 'verifyJwt' | 'decryptJwe' | 'encryptJwe'>;
-}
-declare class Oauth2Client {
-  private options;
-  constructor(options: Oauth2ClientOptions);
-  isDpopSupported(options: {
-    authorizationServerMetadata: AuthorizationServerMetadata;
-  }): {
-    readonly supported: false;
-    readonly dpopSigningAlgValuesSupported?: undefined;
-  } | {
-    readonly supported: true;
-    readonly dpopSigningAlgValuesSupported: string[];
-  };
-  isClientAttestationSupported(options: {
-    authorizationServerMetadata: AuthorizationServerMetadata;
-  }): {
-    readonly supported: false;
-  } | {
-    readonly supported: true;
-  };
-  fetchAuthorizationServerMetadata(issuer: string): Promise<{
-    [x: string]: unknown;
-    issuer: string;
-    token_endpoint: string;
-    token_endpoint_auth_methods_supported?: string[] | undefined;
-    authorization_endpoint?: string | undefined;
-    jwks_uri?: string | undefined;
-    grant_types_supported?: string[] | undefined;
-    code_challenge_methods_supported?: string[] | undefined;
-    dpop_signing_alg_values_supported?: string[] | undefined;
-    require_pushed_authorization_requests?: boolean | undefined;
-    pushed_authorization_request_endpoint?: string | undefined;
-    introspection_endpoint?: string | undefined;
-    introspection_endpoint_auth_methods_supported?: string[] | undefined;
-    introspection_endpoint_auth_signing_alg_values_supported?: string[] | undefined;
-    authorization_challenge_endpoint?: string | undefined;
-    'pre-authorized_grant_anonymous_access_supported'?: boolean | undefined;
-    client_attestation_pop_nonce_required?: boolean | undefined;
-  } | null>;
-  /**
-   * Initiate authorization.
-   *
-   * It will take the followings steps:
-   * - if `authorization_challenge_endpoint` is defined, send an authorization challenge request
-   * - if authorization challenge request returns a `redirect_to_web` error code with `request_uri`
-   *   then construct the authorization request url based on the `request_uri`
-   * - if the `authorization_challenge_endpoint` is not defined, or authorization challenge request reuturns a `redirect_to_web` error code without `request_uri`
-   *   then the authorization request url will be constructed as usual (optionally using PAR).
-   *
-   * @throws {Oauth2ClientAuthorizationChallengeError} in case of an error response. If `error` is
-   * `insufficient_authorization` possible extra steps can be taken.
-   */
-  initiateAuthorization(options: Omit<CreateAuthorizationRequestUrlOptions, 'callbacks'>): Promise<{
-    authorizationRequestUrl: string;
-    pkce: CreatePkceReturn | undefined;
-    dpop: RequestDpopOptions | undefined;
-  } | {
-    dpop: {
-      nonce: string | null;
-      signer: JwtSignerJwk;
-    } | undefined;
-    authorizationRequestUrl: string;
-    pkce: CreatePkceReturn | undefined;
-  }>;
-  sendAuthorizationChallengeRequest(options: Omit<SendAuthorizationChallengeRequestOptions, 'callbacks'>): Promise<{
-    pkce: CreatePkceReturn | undefined;
-    dpop: {
-      nonce: string | undefined;
-      signer: JwtSignerJwk;
-    } | undefined;
-    authorizationChallengeResponse: {
-      [x: string]: unknown;
-      authorization_code: string;
-    };
-  }>;
-  createAuthorizationRequestUrl(options: Omit<CreateAuthorizationRequestUrlOptions, 'callbacks'>): Promise<{
-    authorizationRequestUrl: string;
-    pkce: CreatePkceReturn | undefined;
-    dpop: RequestDpopOptions | undefined;
-  }>;
-  retrievePreAuthorizedCodeAccessToken({
-    authorizationServerMetadata,
-    preAuthorizedCode,
-    additionalRequestPayload,
-    txCode,
-    dpop,
-    resource
-  }: Omit<RetrievePreAuthorizedCodeAccessTokenOptions, 'callbacks'>): Promise<RetrieveAccessTokenReturn>;
-  retrieveAuthorizationCodeAccessToken({
-    authorizationServerMetadata,
-    additionalRequestPayload,
-    authorizationCode,
-    pkceCodeVerifier,
-    redirectUri,
-    resource,
-    dpop
-  }: Omit<RetrieveAuthorizationCodeAccessTokenOptions, 'callbacks'>): Promise<RetrieveAccessTokenReturn>;
-  retrieveRefreshTokenAccessToken({
-    authorizationServerMetadata,
-    additionalRequestPayload,
-    refreshToken,
-    resource,
-    dpop
-  }: Omit<RetrieveRefreshTokenAccessTokenOptions, 'callbacks'>): Promise<RetrieveAccessTokenReturn>;
-  resourceRequest(options: ResourceRequestOptions): Promise<ResourceRequestResponseOk | ResourceRequestResponseNotOk>;
-}
-//#endregion
-//#region src/Oauth2ResourceServer.d.ts
-interface Oauth2ResourceServerOptions {
-  /**
-   * Callbacks required for the oauth2 resource server
-   */
-  callbacks: Pick<CallbackContext, 'verifyJwt' | 'hash' | 'clientAuthentication' | 'fetch'>;
-}
-declare class Oauth2ResourceServer {
-  private options;
-  constructor(options: Oauth2ResourceServerOptions);
-  verifyResourceRequest(options: Omit<VerifyResourceRequestOptions, 'callbacks'>): Promise<{
-    tokenPayload: {
-      [x: string]: unknown;
-      iss: string;
-      exp: number;
-      iat: number;
-      aud: string | string[];
-      sub: string;
-      jti: string;
-      client_id?: string | undefined;
-      scope?: string | undefined;
-      nbf?: number | undefined;
-      nonce?: string | undefined;
-      cnf?: {
-        [x: string]: unknown;
-        jwk?: {
-          [x: string]: unknown;
-          kty: string;
-          crv?: string | undefined;
-          x?: string | undefined;
-          y?: string | undefined;
-          e?: string | undefined;
-          n?: string | undefined;
-          alg?: string | undefined;
-          d?: string | undefined;
-          dp?: string | undefined;
-          dq?: string | undefined;
-          ext?: boolean | undefined;
-          k?: string | undefined;
-          key_ops?: string[] | undefined;
-          kid?: string | undefined;
-          oth?: {
-            [x: string]: unknown;
-            d?: string | undefined;
-            r?: string | undefined;
-            t?: string | undefined;
-          }[] | undefined;
-          p?: string | undefined;
-          q?: string | undefined;
-          qi?: string | undefined;
-          use?: string | undefined;
-          x5c?: string[] | undefined;
-          x5t?: string | undefined;
-          'x5t#S256'?: string | undefined;
-          x5u?: string | undefined;
-        } | undefined;
-        jkt?: string | undefined;
-      } | undefined;
-      status?: Record<string, any> | undefined;
-      trust_chain?: [string, ...string[]] | undefined;
-    } | {
-      [x: string]: unknown;
-      active: boolean;
-      scope?: string | undefined;
-      client_id?: string | undefined;
-      username?: string | undefined;
-      token_type?: string | undefined;
-      exp?: number | undefined;
-      iat?: number | undefined;
-      nbf?: number | undefined;
-      sub?: string | undefined;
-      aud?: string | string[] | undefined;
-      iss?: string | undefined;
-      jti?: string | undefined;
-      cnf?: {
-        [x: string]: unknown;
-        jwk?: {
-          [x: string]: unknown;
-          kty: string;
-          crv?: string | undefined;
-          x?: string | undefined;
-          y?: string | undefined;
-          e?: string | undefined;
-          n?: string | undefined;
-          alg?: string | undefined;
-          d?: string | undefined;
-          dp?: string | undefined;
-          dq?: string | undefined;
-          ext?: boolean | undefined;
-          k?: string | undefined;
-          key_ops?: string[] | undefined;
-          kid?: string | undefined;
-          oth?: {
-            [x: string]: unknown;
-            d?: string | undefined;
-            r?: string | undefined;
-            t?: string | undefined;
-          }[] | undefined;
-          p?: string | undefined;
-          q?: string | undefined;
-          qi?: string | undefined;
-          use?: string | undefined;
-          x5c?: string[] | undefined;
-          x5t?: string | undefined;
-          'x5t#S256'?: string | undefined;
-          x5u?: string | undefined;
-        } | undefined;
-        jkt?: string | undefined;
-      } | undefined;
-    };
-    dpop: {
-      jwk: {
-        [x: string]: unknown;
-        kty: string;
-        crv?: string | undefined;
-        x?: string | undefined;
-        y?: string | undefined;
-        e?: string | undefined;
-        n?: string | undefined;
-        alg?: string | undefined;
-        d?: string | undefined;
-        dp?: string | undefined;
-        dq?: string | undefined;
-        ext?: boolean | undefined;
-        k?: string | undefined;
-        key_ops?: string[] | undefined;
-        kid?: string | undefined;
-        oth?: {
-          [x: string]: unknown;
-          d?: string | undefined;
-          r?: string | undefined;
-          t?: string | undefined;
-        }[] | undefined;
-        p?: string | undefined;
-        q?: string | undefined;
-        qi?: string | undefined;
-        use?: string | undefined;
-        x5c?: string[] | undefined;
-        x5t?: string | undefined;
-        'x5t#S256'?: string | undefined;
-        x5u?: string | undefined;
-      };
-    } | undefined;
-    scheme: SupportedAuthenticationScheme;
-    accessToken: string;
-    authorizationServer: string;
-  }>;
-}
-//#endregion
-//#region src/resource-request/verify-resource-request.d.ts
-interface VerifyResourceRequestOptions {
-  /**
-   * The incoming request
-   */
-  request: RequestLike;
-  /**
-   * Identifier for the resource server, will be matched with the `aud` value of the access token.
-   */
-  resourceServer: string;
-  /**
-   * Callbacks for verification of the access token.
-   */
-  callbacks: Pick<CallbackContext, 'verifyJwt' | 'hash' | 'clientAuthentication' | 'fetch'>;
-  /**
-   * allowed auth schems for the access token. If not provided
-   * all supported authentication schemes are allowed.
-   */
-  allowedAuthenticationSchemes?: SupportedAuthenticationScheme[];
-  /**
-   * List of authorization servers that this resource endpoint supports
-   */
-  authorizationServers: AuthorizationServerMetadata[];
-  now?: Date;
-}
-declare function verifyResourceRequest(options: VerifyResourceRequestOptions): Promise<{
-  tokenPayload: {
-    [x: string]: unknown;
-    iss: string;
-    exp: number;
-    iat: number;
-    aud: string | string[];
-    sub: string;
-    jti: string;
-    client_id?: string | undefined;
-    scope?: string | undefined;
-    nbf?: number | undefined;
-    nonce?: string | undefined;
-    cnf?: {
-      [x: string]: unknown;
-      jwk?: {
-        [x: string]: unknown;
-        kty: string;
-        crv?: string | undefined;
-        x?: string | undefined;
-        y?: string | undefined;
-        e?: string | undefined;
-        n?: string | undefined;
-        alg?: string | undefined;
-        d?: string | undefined;
-        dp?: string | undefined;
-        dq?: string | undefined;
-        ext?: boolean | undefined;
-        k?: string | undefined;
-        key_ops?: string[] | undefined;
-        kid?: string | undefined;
-        oth?: {
-          [x: string]: unknown;
-          d?: string | undefined;
-          r?: string | undefined;
-          t?: string | undefined;
-        }[] | undefined;
-        p?: string | undefined;
-        q?: string | undefined;
-        qi?: string | undefined;
-        use?: string | undefined;
-        x5c?: string[] | undefined;
-        x5t?: string | undefined;
-        'x5t#S256'?: string | undefined;
-        x5u?: string | undefined;
-      } | undefined;
-      jkt?: string | undefined;
-    } | undefined;
-    status?: Record<string, any> | undefined;
-    trust_chain?: [string, ...string[]] | undefined;
-  } | {
-    [x: string]: unknown;
-    active: boolean;
-    scope?: string | undefined;
-    client_id?: string | undefined;
-    username?: string | undefined;
-    token_type?: string | undefined;
-    exp?: number | undefined;
-    iat?: number | undefined;
-    nbf?: number | undefined;
-    sub?: string | undefined;
-    aud?: string | string[] | undefined;
-    iss?: string | undefined;
-    jti?: string | undefined;
-    cnf?: {
-      [x: string]: unknown;
-      jwk?: {
-        [x: string]: unknown;
-        kty: string;
-        crv?: string | undefined;
-        x?: string | undefined;
-        y?: string | undefined;
-        e?: string | undefined;
-        n?: string | undefined;
-        alg?: string | undefined;
-        d?: string | undefined;
-        dp?: string | undefined;
-        dq?: string | undefined;
-        ext?: boolean | undefined;
-        k?: string | undefined;
-        key_ops?: string[] | undefined;
-        kid?: string | undefined;
-        oth?: {
-          [x: string]: unknown;
-          d?: string | undefined;
-          r?: string | undefined;
-          t?: string | undefined;
-        }[] | undefined;
-        p?: string | undefined;
-        q?: string | undefined;
-        qi?: string | undefined;
-        use?: string | undefined;
-        x5c?: string[] | undefined;
-        x5t?: string | undefined;
-        'x5t#S256'?: string | undefined;
-        x5u?: string | undefined;
-      } | undefined;
-      jkt?: string | undefined;
-    } | undefined;
-  };
-  dpop: {
-    jwk: {
-      [x: string]: unknown;
-      kty: string;
-      crv?: string | undefined;
-      x?: string | undefined;
-      y?: string | undefined;
-      e?: string | undefined;
-      n?: string | undefined;
-      alg?: string | undefined;
-      d?: string | undefined;
-      dp?: string | undefined;
-      dq?: string | undefined;
-      ext?: boolean | undefined;
-      k?: string | undefined;
-      key_ops?: string[] | undefined;
-      kid?: string | undefined;
-      oth?: {
-        [x: string]: unknown;
-        d?: string | undefined;
-        r?: string | undefined;
-        t?: string | undefined;
-      }[] | undefined;
-      p?: string | undefined;
-      q?: string | undefined;
-      qi?: string | undefined;
-      use?: string | undefined;
-      x5c?: string[] | undefined;
-      x5t?: string | undefined;
-      'x5t#S256'?: string | undefined;
-      x5u?: string | undefined;
-    };
-  } | undefined;
-  scheme: SupportedAuthenticationScheme;
-  accessToken: string;
-  authorizationServer: string;
-}>;
-//#endregion
-export { type AccessTokenErrorResponse, type AccessTokenProfileJwtPayload, type AccessTokenResponse, type AuthorizationChallengeErrorResponse, type AuthorizationChallengeRequest, type AuthorizationChallengeResponse, type AuthorizationCodeGrantIdentifier, AuthorizationErrorResponse, AuthorizationResponse, type AuthorizationServerMetadata, type CalculateJwkThumbprintOptions, type CallbackContext, type ClientAttestationJwtHeader, type ClientAttestationJwtPayload, type ClientAttestationPopJwtHeader, type ClientAttestationPopJwtPayload, type ClientAuthenticationCallback, type ClientAuthenticationCallbackOptions, type ClientAuthenticationClientAttestationJwtOptions, type ClientAuthenticationClientSecretBasicOptions, type ClientAuthenticationClientSecretPostOptions, type ClientAuthenticationDynamicOptions, type ClientAuthenticationNoneOptions, type CreateAuthorizationRequestUrlOptions, type CreateClientAttestationJwtOptions, type CreateJarAuthorizationRequestOptions, type CreatePkceReturn, type CreatePushedAuthorizationErrorResponseOptions, type CreatePushedAuthorizationResponseOptions, type DecodeJwtHeaderResult, type DecodeJwtOptions, type DecodeJwtResult, type DecryptJweCallback, type DecryptJweCallbackOptions, type EncryptJweCallback, type GenerateRandomCallback, HashAlgorithm, type HashCallback, type HttpMethod, IdTokenJwtHeader, IdTokenJwtPayload, InvalidFetchResponseError, type JarAuthorizationRequest, type JarRequestObjectPayload, type JweEncryptor, type Jwk, type JwkSet, type JwtHeader, type JwtPayload, type JwtSigner, type JwtSignerCustom, type JwtSignerDid, type JwtSignerJwk, type JwtSignerWithJwk, type JwtSignerX5c, Oauth2AuthorizationServer, type Oauth2AuthorizationServerOptions, Oauth2Client, Oauth2ClientAuthorizationChallengeError, Oauth2ClientErrorResponseError, type Oauth2ClientOptions, Oauth2Error, Oauth2ErrorCodes, type Oauth2ErrorOptions, type Oauth2ErrorResponse, Oauth2JwtParseError, Oauth2JwtVerificationError, Oauth2ResourceServer, type Oauth2ResourceServerOptions, Oauth2ResourceUnauthorizedError, Oauth2ServerErrorResponseError, type Oid4vcTsConfig, type ParseAuthorizationChallengeRequestOptions, type ParseAuthorizationChallengeRequestResult, ParseAuthorizationRequestOptions, type ParsePushedAuthorizationRequestOptions, type ParsePushedAuthorizationRequestResult, PkceCodeChallengeMethod, type PreAuthorizedCodeGrantIdentifier, type PushedAuthorizationRequestUriPrefix, type RefreshTokenGrantIdentifier, type RequestClientAttestationOptions, type RequestDpopOptions, type RequestLike, type ResourceRequestOptions, type ResourceRequestResponseNotOk, type ResourceRequestResponseOk, type RetrieveAuthorizationCodeAccessTokenOptions, type RetrievePreAuthorizedCodeAccessTokenOptions, type SignJwtCallback, SupportedAuthenticationScheme, SupportedClientAuthenticationMethod, type TokenIntrospectionResponse, type VerifiedClientAttestationJwt, type VerifyAccessTokenRequestReturn, type VerifyAuthorizationChallengeRequestOptions, type VerifyAuthorizationChallengeRequestReturn, VerifyIdTokenJwtOptions, type VerifyJwtCallback, type VerifyPushedAuthorizationRequestOptions, type VerifyPushedAuthorizationRequestReturn, type VerifyResourceRequestOptions, type WwwAuthenticateHeaderChallenge, authorizationCodeGrantIdentifier, calculateJwkThumbprint, clientAuthenticationAnonymous, clientAuthenticationClientAttestationJwt, clientAuthenticationClientSecretBasic, clientAuthenticationClientSecretPost, clientAuthenticationDynamic, clientAuthenticationNone, createClientAttestationJwt, createJarAuthorizationRequest, decodeJwt, decodeJwtHeader, fetchAuthorizationServerMetadata, fetchJwks, fetchWellKnownMetadata, fullySpecifiedCoseAlgorithmArrayToJwaSignatureAlgorithmArray, fullySpecifiedCoseAlgorithmToJwaSignatureAlgorithm, getAuthorizationServerMetadataFromList, getGlobalConfig, isJwkInSet, jwaSignatureAlgorithmArrayToFullySpecifiedCoseAlgorithmArray, jwaSignatureAlgorithmToFullySpecifiedCoseAlgorithm, jwtAuthorizationRequestJwtHeaderTyp, jwtHeaderFromJwtSigner, jwtSignerFromJwt, parseAuthorizationResponseRedirectUrl, parsePushedAuthorizationRequestUriReferenceValue, preAuthorizedCodeGrantIdentifier, pushedAuthorizationRequestUriPrefix, refreshTokenGrantIdentifier, resourceRequest, setGlobalConfig, signedAuthorizationRequestJwtHeaderTyp, validateJarRequestParams, verifyClientAttestationJwt, verifyIdTokenJwt, verifyJwt, verifyResourceRequest, zAlgValueNotNone, zAuthorizationCodeGrantIdentifier, zAuthorizationErrorResponse, zAuthorizationResponse, zAuthorizationResponseFromUriParams, zAuthorizationServerMetadata, zCompactJwe, zCompactJwt, zIdTokenJwtHeader, zIdTokenJwtPayload, zJarAuthorizationRequest, zJarRequestObjectPayload, zJwk, zJwkSet, zJwtHeader, zJwtPayload, zOauth2ErrorResponse, zPreAuthorizedCodeGrantIdentifier, zPushedAuthorizationRequestUriPrefix, zRefreshTokenGrantIdentifier };
-//# sourceMappingURL=index.d.cts.map