@ovixa/auth-client 0.1.1 → 0.1.3

package/CHANGELOG.md

@@ -5,6 +5,23 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/),
 and this project adheres to [Semantic Versioning](https://semver.org/).
 
+## [0.1.3] - 2026-01-29
+
+### Added
+
+- `auth.exchangeOAuthCode(code)` - Exchange OAuth authorization code for tokens, completing the OAuth 2.0 Authorization Code flow
+
+### Fixed
+
+- OAuth flow now works correctly with the auth server's secure authorization code pattern
+
+## [0.1.2] - 2026-01-28
+
+### Added
+
+- `auth.admin.deleteUser(realmId, userId)` - Delete users within a realm using client_secret authentication
+- `auth.deleteMe()` - Allow authenticated users to delete their own account
+
 ## [0.1.1] - 2026-01-28
 
 ### Added

package/README.md

@@ -141,6 +141,15 @@ await auth.forgotPassword({
 });
 ```
 
+### Email Branding
+
+Verification and password reset emails automatically display your realm's `display_name` as the brand name. To customize the branding in emails:
+
+1. Set `display_name` when creating your realm
+2. Emails will show your brand (e.g., "Linkdrop") instead of "Ovixa"
+
+If no `display_name` is set, emails default to "Ovixa".
+
 #### `resetPassword(options)`
 
 Set a new password using a reset token.
@@ -195,6 +204,45 @@ Invalidate the cached JWKS to force a refresh on next verification.
 auth.clearJwksCache();
 ```
 
+### Admin Operations
+
+Admin operations require `clientSecret` to be configured. These operations allow server-side management of users within the realm boundary.
+
+**Important:** Never expose `clientSecret` to client-side code.
+
+#### `admin.deleteUser(options)`
+
+Delete a user from your realm. This permanently deletes the user and all associated data (tokens, OAuth accounts).
+
+```typescript
+const auth = new OvixaAuth({
+  authUrl: 'https://auth.ovixa.io',
+  realmId: 'your-realm-id',
+  clientSecret: process.env.OVIXA_CLIENT_SECRET, // Required
+});
+
+// Delete a user
+await auth.admin.deleteUser({ userId: 'user-id-to-delete' });
+```
+
+**Error Handling:**
+
+```typescript
+try {
+  await auth.admin.deleteUser({ userId });
+} catch (error) {
+  if (error instanceof OvixaAuthError) {
+    if (error.code === 'NOT_FOUND') {
+      console.error('User not found');
+    } else if (error.code === 'FORBIDDEN') {
+      console.error('User does not belong to this realm');
+    } else if (error.code === 'REALM_UNAUTHORIZED') {
+      console.error('Invalid client secret');
+    }
+  }
+}
+```
+
 ### OAuth
 
 #### `getOAuthUrl(options)`
@@ -418,23 +466,25 @@ try {
 
 ### Error Codes
 
-| Code                      | Description                                  |
-| ------------------------- | -------------------------------------------- |
-| `INVALID_CREDENTIALS`     | Wrong email or password                      |
-| `EMAIL_NOT_VERIFIED`      | User must verify email before login          |
-| `PASSWORD_RESET_REQUIRED` | Account flagged for mandatory password reset |
-| `INVALID_TOKEN`           | Token is invalid or malformed                |
-| `TOKEN_EXPIRED`           | Token has expired                            |
-| `INVALID_SIGNATURE`       | Token signature verification failed          |
-| `INVALID_ISSUER`          | Token issuer doesn't match                   |
-| `INVALID_AUDIENCE`        | Token audience doesn't match                 |
-| `RATE_LIMITED`            | Too many requests                            |
-| `NETWORK_ERROR`           | Failed to reach auth service                 |
-| `BAD_REQUEST`             | Invalid request parameters                   |
-| `UNAUTHORIZED`            | Authentication required                      |
-| `FORBIDDEN`               | Access denied                                |
-| `NOT_FOUND`               | Resource not found                           |
-| `SERVER_ERROR`            | Auth service error                           |
+| Code                      | Description                                           |
+| ------------------------- | ----------------------------------------------------- |
+| `INVALID_CREDENTIALS`     | Wrong email or password                               |
+| `EMAIL_NOT_VERIFIED`      | User must verify email before login                   |
+| `PASSWORD_RESET_REQUIRED` | Account flagged for mandatory password reset          |
+| `INVALID_TOKEN`           | Token is invalid or malformed                         |
+| `TOKEN_EXPIRED`           | Token has expired                                     |
+| `INVALID_SIGNATURE`       | Token signature verification failed                   |
+| `INVALID_ISSUER`          | Token issuer doesn't match                            |
+| `INVALID_AUDIENCE`        | Token audience doesn't match                          |
+| `RATE_LIMITED`            | Too many requests                                     |
+| `NETWORK_ERROR`           | Failed to reach auth service                          |
+| `BAD_REQUEST`             | Invalid request parameters                            |
+| `UNAUTHORIZED`            | Authentication required                               |
+| `FORBIDDEN`               | Access denied (e.g., user belongs to different realm) |
+| `NOT_FOUND`               | Resource not found                                    |
+| `SERVER_ERROR`            | Auth service error                                    |
+| `REALM_UNAUTHORIZED`      | Invalid or missing realm client secret                |
+| `CLIENT_SECRET_REQUIRED`  | Admin operation attempted without clientSecret config |
 
 ### Handling `PASSWORD_RESET_REQUIRED`
 

package/dist/{chunk-UHRF6AFJ.js → chunk-CUACHOKT.js}

@@ -415,7 +415,8 @@ var OvixaAuth = class {
    * Generate an OAuth authorization URL.
    *
    * Redirect the user to this URL to start the OAuth flow. After authentication,
-   * the user will be redirected back to your `redirectUri` with tokens.
+   * the user will be redirected back to your `redirectUri` with an authorization code.
+   * Use `exchangeOAuthCode()` to exchange the code for tokens.
    *
    * @param options - OAuth URL options
    * @returns The full OAuth authorization URL
@@ -429,6 +430,10 @@ var OvixaAuth = class {
    *
    * // Redirect user to start OAuth flow
    * window.location.href = googleAuthUrl;
+   *
+   * // In your callback handler:
+   * // const code = new URLSearchParams(window.location.search).get('code');
+   * // const tokens = await auth.exchangeOAuthCode(code);
    * ```
    */
   getOAuthUrl(options) {
@@ -437,6 +442,51 @@ var OvixaAuth = class {
     url.searchParams.set("redirect_uri", options.redirectUri);
     return url.toString();
   }
+  /**
+   * Exchange an OAuth authorization code for tokens.
+   *
+   * After the OAuth flow completes, the user is redirected back to your app with
+   * an authorization code in the URL query params. Use this method to exchange
+   * that code for access and refresh tokens.
+   *
+   * Note: Authorization codes expire after 60 seconds.
+   *
+   * @param code - The authorization code from the OAuth callback URL
+   * @returns Token response with access and refresh tokens
+   * @throws {OvixaAuthError} If the exchange fails
+   *
+   * @example
+   * ```typescript
+   * // In your OAuth callback handler
+   * const code = new URLSearchParams(window.location.search).get('code');
+   *
+   * if (code) {
+   *   try {
+   *     const tokens = await auth.exchangeOAuthCode(code);
+   *     console.log('OAuth successful!', tokens.access_token);
+   *
+   *     // Check if this is a new user (first-time OAuth login)
+   *     if (tokens.is_new_user) {
+   *       // Show onboarding flow
+   *     }
+   *   } catch (error) {
+   *     if (error instanceof OvixaAuthError) {
+   *       if (error.code === 'INVALID_CODE') {
+   *         console.error('Invalid or expired authorization code');
+   *       }
+   *     }
+   *   }
+   * }
+   * ```
+   */
+  async exchangeOAuthCode(code) {
+    const url = `${this.config.authUrl}/oauth/token`;
+    const body = {
+      code,
+      realm_id: this.config.realmId
+    };
+    return this.makeRequest(url, body);
+  }
   /**
    * Transform a token response into an AuthResult with user and session data.
    *
@@ -475,6 +525,74 @@ var OvixaAuth = class {
     }
     return result;
   }
+  /**
+   * Delete the current user's own account.
+   *
+   * This permanently deletes the user's account and all associated data.
+   * Password re-authentication is required to prevent accidental deletion.
+   *
+   * @param options - Delete account options
+   * @returns Success response
+   * @throws {OvixaAuthError} If deletion fails
+   *
+   * @example
+   * ```typescript
+   * try {
+   *   await auth.deleteMyAccount({
+   *     accessToken: session.accessToken,
+   *     password: 'current-password',
+   *   });
+   *   console.log('Account deleted successfully');
+   *   // Clear local session storage
+   * } catch (error) {
+   *   if (error instanceof OvixaAuthError) {
+   *     if (error.code === 'INVALID_CREDENTIALS') {
+   *       console.error('Incorrect password');
+   *     } else if (error.code === 'UNAUTHORIZED') {
+   *       console.error('Invalid or expired access token');
+   *     }
+   *   }
+   * }
+   * ```
+   */
+  async deleteMyAccount(options) {
+    const url = `${this.config.authUrl}/me`;
+    try {
+      const response = await fetch(url, {
+        method: "DELETE",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${options.accessToken}`
+        },
+        body: JSON.stringify({
+          password: options.password
+        })
+      });
+      if (!response.ok) {
+        const errorBody = await response.json().catch(() => ({}));
+        const errorData = errorBody;
+        let errorCode;
+        let errorMessage;
+        if (typeof errorData.error === "object" && errorData.error) {
+          errorCode = errorData.error.code || this.mapHttpStatusToErrorCode(response.status);
+          errorMessage = errorData.error.message || "Request failed";
+        } else {
+          errorCode = this.mapHttpStatusToErrorCode(response.status);
+          errorMessage = typeof errorData.error === "string" ? errorData.error : "Request failed";
+        }
+        throw new OvixaAuthError(errorMessage, errorCode, response.status);
+      }
+      return await response.json();
+    } catch (error) {
+      if (error instanceof OvixaAuthError) {
+        throw error;
+      }
+      if (error instanceof Error) {
+        throw new OvixaAuthError(`Network error: ${error.message}`, "NETWORK_ERROR");
+      }
+      throw new OvixaAuthError("Request failed", "REQUEST_FAILED");
+    }
+  }
   /**
    * Make an authenticated POST request to the auth service.
    */
@@ -535,10 +653,129 @@ var OvixaAuth = class {
         return "UNKNOWN_ERROR";
     }
   }
+  /**
+   * Get the admin API interface for realm-scoped operations.
+   *
+   * Admin operations require clientSecret to be configured.
+   * These operations allow managing users within the realm boundary.
+   *
+   * @returns OvixaAuthAdmin interface for admin operations
+   * @throws {OvixaAuthError} If clientSecret is not configured
+   *
+   * @example
+   * ```typescript
+   * const auth = new OvixaAuth({
+   *   authUrl: 'https://auth.ovixa.io',
+   *   realmId: 'your-realm',
+   *   clientSecret: process.env.OVIXA_CLIENT_SECRET,
+   * });
+   *
+   * // Delete a user from the realm
+   * await auth.admin.deleteUser({ userId: 'user-id-to-delete' });
+   * ```
+   */
+  get admin() {
+    if (!this.config.clientSecret) {
+      throw new OvixaAuthError(
+        "clientSecret is required for admin operations",
+        "CLIENT_SECRET_REQUIRED"
+      );
+    }
+    return new OvixaAuthAdmin(this.config);
+  }
+};
+var OvixaAuthAdmin = class {
+  config;
+  constructor(config) {
+    this.config = config;
+  }
+  /**
+   * Delete a user from the realm.
+   *
+   * This permanently deletes the user and all associated data (tokens, OAuth accounts).
+   * The user must belong to this realm.
+   *
+   * @param options - Delete user options
+   * @returns Success response
+   * @throws {OvixaAuthError} If deletion fails
+   *
+   * @example
+   * ```typescript
+   * try {
+   *   await auth.admin.deleteUser({ userId: 'user-id-to-delete' });
+   *   console.log('User deleted successfully');
+   * } catch (error) {
+   *   if (error instanceof OvixaAuthError) {
+   *     if (error.code === 'NOT_FOUND') {
+   *       console.error('User not found');
+   *     } else if (error.code === 'FORBIDDEN') {
+   *       console.error('User does not belong to this realm');
+   *     }
+   *   }
+   * }
+   * ```
+   */
+  async deleteUser(options) {
+    const url = `${this.config.authUrl}/realms/${this.config.realmId}/users/${options.userId}`;
+    try {
+      const response = await fetch(url, {
+        method: "DELETE",
+        headers: {
+          Authorization: `RealmSecret ${this.config.clientSecret}`
+        }
+      });
+      if (!response.ok) {
+        const errorBody = await response.json().catch(() => ({}));
+        const errorData = errorBody;
+        let errorCode;
+        let errorMessage;
+        if (typeof errorData.error === "object" && errorData.error) {
+          errorCode = errorData.error.code || this.mapHttpStatusToErrorCode(response.status);
+          errorMessage = errorData.error.message || "Request failed";
+        } else {
+          errorCode = this.mapHttpStatusToErrorCode(response.status);
+          errorMessage = typeof errorData.error === "string" ? errorData.error : "Request failed";
+        }
+        throw new OvixaAuthError(errorMessage, errorCode, response.status);
+      }
+      return await response.json();
+    } catch (error) {
+      if (error instanceof OvixaAuthError) {
+        throw error;
+      }
+      if (error instanceof Error) {
+        throw new OvixaAuthError(`Network error: ${error.message}`, "NETWORK_ERROR");
+      }
+      throw new OvixaAuthError("Request failed", "REQUEST_FAILED");
+    }
+  }
+  /**
+   * Map HTTP status codes to error codes.
+   */
+  mapHttpStatusToErrorCode(status) {
+    switch (status) {
+      case 400:
+        return "BAD_REQUEST";
+      case 401:
+        return "UNAUTHORIZED";
+      case 403:
+        return "FORBIDDEN";
+      case 404:
+        return "NOT_FOUND";
+      case 429:
+        return "RATE_LIMITED";
+      case 500:
+      case 502:
+      case 503:
+        return "SERVER_ERROR";
+      default:
+        return "UNKNOWN_ERROR";
+    }
+  }
 };
 
 export {
   OvixaAuthError,
   OvixaAuth
 };
-//# sourceMappingURL=chunk-UHRF6AFJ.js.map
+//# sourceMappingURL=chunk-CUACHOKT.js.map

package/dist/chunk-CUACHOKT.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts"],"sourcesContent":["/**\n * @ovixa/auth-client\n *\n * Client SDK for Ovixa Auth service.\n * Provides authentication, token verification, and session management.\n */\n\nimport {\n  createRemoteJWKSet,\n  jwtVerify,\n  type JWTPayload,\n  type JWTVerifyResult,\n  type JWTHeaderParameters,\n} from 'jose';\n\n/**\n * Configuration options for the OvixaAuth client.\n */\nexport interface AuthClientConfig {\n  /** The base URL of the Ovixa Auth service */\n  authUrl: string;\n  /** The realm ID to authenticate against */\n  realmId: string;\n  /** Your application's client secret (for server-side use only) */\n  clientSecret?: string;\n  /** Cache duration for JWKS in milliseconds (defaults to 1 hour) */\n  jwksCacheTtl?: number;\n}\n\n/**\n * JWT claims for an Ovixa access token.\n */\nexport interface AccessTokenPayload extends JWTPayload {\n  /** Subject (user ID) */\n  sub: string;\n  /** User's email address */\n  email: string;\n  /** Whether the user's email has been verified */\n  email_verified: boolean;\n  /** Issued at timestamp */\n  iat: number;\n  /** Expiration timestamp */\n  exp: number;\n  /** Issuer */\n  iss: string;\n  /** Audience (realm ID) */\n  aud: string;\n}\n\n/**\n * Result of a successful token verification.\n */\nexport interface VerifyResult {\n  /** The decoded token payload */\n  payload: AccessTokenPayload;\n  /** The protected header */\n  protectedHeader: JWTHeaderParameters;\n}\n\n/**\n * Token response from the auth service.\n */\nexport interface TokenResponse {\n  /** The access token (JWT) */\n  access_token: string;\n  /** The refresh token (JWT) */\n  refresh_token: string;\n  /** Token type (always \"Bearer\") */\n  token_type: 'Bearer';\n  /** Access token expiration time in seconds */\n  expires_in: number;\n  /** Whether this is a new user (only present in OAuth callback) */\n  is_new_user?: boolean;\n}\n\n/**\n * User information extracted from token payload.\n */\nexport interface User {\n  /** User ID (UUID) */\n  id: string;\n  /** User's email address */\n  email: string;\n  /** Whether the email has been verified */\n  emailVerified: boolean;\n}\n\n/**\n * Session information containing tokens and expiry.\n */\nexport interface Session {\n  /** The access token (JWT) */\n  accessToken: string;\n  /** The refresh token for obtaining new access tokens */\n  refreshToken: string;\n  /** When the access token expires */\n  expiresAt: Date;\n}\n\n/**\n * Combined authentication result with user and session data.\n */\nexport interface AuthResult {\n  /** The authenticated user */\n  user: User;\n  /** The session tokens */\n  session: Session;\n  /** Whether this is a new user (only set for OAuth flows) */\n  isNewUser?: boolean;\n}\n\n/**\n * Options for signup.\n */\nexport interface SignupOptions {\n  /** User's email address */\n  email: string;\n  /** Password meeting requirements */\n  password: string;\n  /** Optional redirect URI after email verification */\n  redirectUri?: string;\n}\n\n/**\n * Response from signup endpoint.\n */\nexport interface SignupResponse {\n  /** Whether the operation succeeded */\n  success: boolean;\n  /** Status message */\n  message: string;\n}\n\n/**\n * Options for login.\n */\nexport interface LoginOptions {\n  /** User's email address */\n  email: string;\n  /** User's password */\n  password: string;\n}\n\n/**\n * Options for email verification.\n */\nexport interface VerifyEmailOptions {\n  /** Verification token from email */\n  token: string;\n}\n\n/**\n * Options for resending verification email.\n */\nexport interface ResendVerificationOptions {\n  /** User's email address */\n  email: string;\n  /** Optional redirect URI after verification */\n  redirectUri?: string;\n}\n\n/**\n * Generic success response.\n */\nexport interface SuccessResponse {\n  /** Whether the operation succeeded */\n  success: boolean;\n  /** Optional status message */\n  message?: string;\n}\n\n/**\n * Options for forgot password request.\n */\nexport interface ForgotPasswordOptions {\n  /** User's email address */\n  email: string;\n  /** Optional redirect URI for password reset page */\n  redirectUri?: string;\n}\n\n/**\n * Options for password reset.\n */\nexport interface ResetPasswordOptions {\n  /** Reset token from email */\n  token: string;\n  /** New password */\n  password: string;\n}\n\n/**\n * Supported OAuth providers.\n */\nexport type OAuthProvider = 'google' | 'github';\n\n/**\n * Options for generating OAuth URL.\n */\nexport interface GetOAuthUrlOptions {\n  /** OAuth provider */\n  provider: OAuthProvider;\n  /** Redirect URI after OAuth completes */\n  redirectUri: string;\n}\n\n/**\n * Options for deleting a user (admin operation).\n */\nexport interface DeleteUserOptions {\n  /** The ID of the user to delete */\n  userId: string;\n}\n\n/**\n * Options for deleting the current user's own account.\n */\nexport interface DeleteMyAccountOptions {\n  /** The user's current access token */\n  accessToken: string;\n  /** The user's current password (for re-authentication) */\n  password: string;\n}\n\n/**\n * Error thrown by OvixaAuth operations.\n */\nexport class OvixaAuthError extends Error {\n  constructor(\n    message: string,\n    public readonly code: string,\n    public readonly statusCode?: number\n  ) {\n    super(message);\n    this.name = 'OvixaAuthError';\n  }\n}\n\ninterface InternalConfig {\n  authUrl: string;\n  realmId: string;\n  clientSecret?: string;\n  jwksCacheTtl: number;\n}\n\n/** Default JWKS cache TTL: 1 hour */\nconst DEFAULT_JWKS_CACHE_TTL = 60 * 60 * 1000;\n\n/**\n * Custom fetch function that adds cache headers for JWKS requests.\n * Used to implement client-side caching behavior.\n */\ntype JWKSFetcher = ReturnType<typeof createRemoteJWKSet>;\n\ninterface JWKSCache {\n  fetcher: JWKSFetcher;\n  createdAt: number;\n}\n\n/**\n * OvixaAuth client for authenticating with the Ovixa Auth service.\n *\n * @example\n * ```typescript\n * const auth = new OvixaAuth({\n *   authUrl: 'https://auth.ovixa.io',\n *   realmId: 'your-realm-id',\n *   clientSecret: 'your-client-secret', // Optional, for server-side use\n * });\n *\n * // Verify a token\n * const result = await auth.verifyToken(accessToken);\n * console.log(result.payload.email);\n *\n * // Refresh tokens\n * const tokens = await auth.refreshToken(refreshToken);\n * ```\n */\nexport class OvixaAuth {\n  private config: InternalConfig;\n  private jwksCache: JWKSCache | null = null;\n\n  constructor(config: AuthClientConfig) {\n    // Normalize authUrl by removing trailing slash\n    const authUrl = config.authUrl.replace(/\\/$/, '');\n\n    this.config = {\n      authUrl,\n      realmId: config.realmId,\n      clientSecret: config.clientSecret,\n      jwksCacheTtl: config.jwksCacheTtl ?? DEFAULT_JWKS_CACHE_TTL,\n    };\n  }\n\n  /** Get the configured auth URL */\n  get authUrl(): string {\n    return this.config.authUrl;\n  }\n\n  /** Get the configured realm ID */\n  get realmId(): string {\n    return this.config.realmId;\n  }\n\n  /**\n   * Get the JWKS URL for the auth service.\n   */\n  get jwksUrl(): string {\n    return `${this.config.authUrl}/.well-known/jwks.json`;\n  }\n\n  /**\n   * Get the JWKS fetcher, creating a new one if necessary.\n   * The fetcher is cached based on the configured TTL.\n   */\n  private getJwksFetcher(): JWKSFetcher {\n    const now = Date.now();\n\n    // Return cached fetcher if still valid\n    if (this.jwksCache && now - this.jwksCache.createdAt < this.config.jwksCacheTtl) {\n      return this.jwksCache.fetcher;\n    }\n\n    // Create new JWKS fetcher\n    const jwksUrl = new URL(this.jwksUrl);\n    const fetcher = createRemoteJWKSet(jwksUrl, {\n      // jose library has its own internal caching, but we add our own TTL layer\n      // to control when to refresh the JWKS set\n      cacheMaxAge: this.config.jwksCacheTtl,\n    });\n\n    this.jwksCache = {\n      fetcher,\n      createdAt: now,\n    };\n\n    return fetcher;\n  }\n\n  /**\n   * Verify an access token and return the decoded payload.\n   *\n   * This method fetches the public key from the JWKS endpoint (with caching)\n   * and verifies the token's signature and claims.\n   *\n   * @param token - The access token (JWT) to verify\n   * @returns The verified token payload and header\n   * @throws {OvixaAuthError} If verification fails\n   *\n   * @example\n   * ```typescript\n   * try {\n   *   const result = await auth.verifyToken(accessToken);\n   *   console.log('User ID:', result.payload.sub);\n   *   console.log('Email:', result.payload.email);\n   * } catch (error) {\n   *   if (error instanceof OvixaAuthError) {\n   *     console.error('Token verification failed:', error.code);\n   *   }\n   * }\n   * ```\n   */\n  async verifyToken(token: string): Promise<VerifyResult> {\n    try {\n      const jwks = this.getJwksFetcher();\n\n      const result: JWTVerifyResult<AccessTokenPayload> = await jwtVerify(token, jwks, {\n        algorithms: ['RS256'],\n        issuer: this.config.authUrl,\n        // Audience is the realm for this application\n        audience: this.config.realmId,\n      });\n\n      // Validate required claims\n      const payload = result.payload;\n      if (!payload.sub || !payload.email || payload.email_verified === undefined) {\n        throw new OvixaAuthError('Token is missing required claims', 'INVALID_CLAIMS');\n      }\n\n      return {\n        payload: payload as AccessTokenPayload,\n        protectedHeader: result.protectedHeader,\n      };\n    } catch (error) {\n      if (error instanceof OvixaAuthError) {\n        throw error;\n      }\n\n      // Handle jose library errors\n      if (error instanceof Error) {\n        const message = error.message;\n\n        if (message.includes('expired')) {\n          throw new OvixaAuthError('Token has expired', 'TOKEN_EXPIRED');\n        }\n        if (message.includes('signature')) {\n          throw new OvixaAuthError('Invalid token signature', 'INVALID_SIGNATURE');\n        }\n        if (message.includes('issuer')) {\n          throw new OvixaAuthError('Invalid token issuer', 'INVALID_ISSUER');\n        }\n        if (message.includes('audience')) {\n          throw new OvixaAuthError('Invalid token audience', 'INVALID_AUDIENCE');\n        }\n        if (message.includes('malformed')) {\n          throw new OvixaAuthError('Malformed token', 'MALFORMED_TOKEN');\n        }\n\n        throw new OvixaAuthError(`Token verification failed: ${message}`, 'VERIFICATION_FAILED');\n      }\n\n      throw new OvixaAuthError('Token verification failed', 'VERIFICATION_FAILED');\n    }\n  }\n\n  /**\n   * Refresh an access token using a refresh token.\n   *\n   * This method exchanges a valid refresh token for a new access token\n   * and a new refresh token (token rotation).\n   *\n   * @param refreshToken - The refresh token to exchange\n   * @returns New token response with access and refresh tokens\n   * @throws {OvixaAuthError} If the refresh fails\n   *\n   * @example\n   * ```typescript\n   * try {\n   *   const tokens = await auth.refreshToken(currentRefreshToken);\n   *   // Store the new tokens\n   *   saveTokens(tokens.access_token, tokens.refresh_token);\n   * } catch (error) {\n   *   if (error instanceof OvixaAuthError) {\n   *     // Refresh token is invalid or expired - user must re-authenticate\n   *     redirectToLogin();\n   *   }\n   * }\n   * ```\n   */\n  async refreshToken(refreshToken: string): Promise<TokenResponse> {\n    const url = `${this.config.authUrl}/token/refresh`;\n\n    try {\n      const response = await fetch(url, {\n        method: 'POST',\n        headers: {\n          'Content-Type': 'application/json',\n        },\n        body: JSON.stringify({\n          refresh_token: refreshToken,\n        }),\n      });\n\n      if (!response.ok) {\n        const errorBody = await response.json().catch(() => ({}));\n        const errorMessage = (errorBody as { error?: string }).error || 'Token refresh failed';\n        const errorCode = this.mapHttpStatusToErrorCode(response.status);\n\n        throw new OvixaAuthError(errorMessage, errorCode, response.status);\n      }\n\n      const data = (await response.json()) as TokenResponse;\n      return data;\n    } catch (error) {\n      if (error instanceof OvixaAuthError) {\n        throw error;\n      }\n\n      if (error instanceof Error) {\n        throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n      }\n\n      throw new OvixaAuthError('Token refresh failed', 'REFRESH_FAILED');\n    }\n  }\n\n  /**\n   * Invalidate the cached JWKS fetcher.\n   * Call this if you need to force a refresh of the public keys.\n   */\n  clearJwksCache(): void {\n    this.jwksCache = null;\n  }\n\n  /**\n   * Create a new user account.\n   *\n   * After signup, a verification email is sent. The user must verify their\n   * email before they can log in.\n   *\n   * @param options - Signup options\n   * @returns Signup response indicating success\n   * @throws {OvixaAuthError} If signup fails\n   *\n   * @example\n   * ```typescript\n   * try {\n   *   await auth.signup({\n   *     email: 'user@example.com',\n   *     password: 'SecurePassword123!',\n   *     redirectUri: 'https://myapp.com/verify-callback',\n   *   });\n   *   console.log('Verification email sent!');\n   * } catch (error) {\n   *   if (error instanceof OvixaAuthError) {\n   *     if (error.code === 'EMAIL_ALREADY_EXISTS') {\n   *       console.error('Email is already registered');\n   *     }\n   *   }\n   * }\n   * ```\n   */\n  async signup(options: SignupOptions): Promise<SignupResponse> {\n    const url = `${this.config.authUrl}/signup`;\n\n    const body: Record<string, string> = {\n      email: options.email,\n      password: options.password,\n      realm_id: this.config.realmId,\n    };\n\n    if (options.redirectUri) {\n      body.redirect_uri = options.redirectUri;\n    }\n\n    return this.makeRequest<SignupResponse>(url, body);\n  }\n\n  /**\n   * Authenticate a user with email and password.\n   *\n   * @param options - Login options\n   * @returns Token response with access and refresh tokens\n   * @throws {OvixaAuthError} If login fails\n   *\n   * @example\n   * ```typescript\n   * try {\n   *   const tokens = await auth.login({\n   *     email: 'user@example.com',\n   *     password: 'SecurePassword123!',\n   *   });\n   *   console.log('Logged in!', tokens.access_token);\n   * } catch (error) {\n   *   if (error instanceof OvixaAuthError) {\n   *     if (error.code === 'EMAIL_NOT_VERIFIED') {\n   *       console.error('Please verify your email first');\n   *     } else if (error.code === 'INVALID_CREDENTIALS') {\n   *       console.error('Invalid email or password');\n   *     }\n   *   }\n   * }\n   * ```\n   */\n  async login(options: LoginOptions): Promise<TokenResponse> {\n    const url = `${this.config.authUrl}/login`;\n\n    const body = {\n      email: options.email,\n      password: options.password,\n      realm_id: this.config.realmId,\n    };\n\n    return this.makeRequest<TokenResponse>(url, body);\n  }\n\n  /**\n   * Verify an email address using a verification token.\n   *\n   * This is the API flow that returns tokens. For browser redirect flow,\n   * use `GET /verify` directly.\n   *\n   * @param options - Verification options\n   * @returns Token response with access and refresh tokens\n   * @throws {OvixaAuthError} If verification fails\n   *\n   * @example\n   * ```typescript\n   * // Get token from URL query params after clicking email link\n   * const token = new URLSearchParams(window.location.search).get('token');\n   *\n   * try {\n   *   const tokens = await auth.verifyEmail({ token });\n   *   console.log('Email verified! Logged in.');\n   * } catch (error) {\n   *   if (error instanceof OvixaAuthError && error.code === 'INVALID_TOKEN') {\n   *     console.error('Invalid or expired verification link');\n   *   }\n   * }\n   * ```\n   */\n  async verifyEmail(options: VerifyEmailOptions): Promise<TokenResponse> {\n    const url = `${this.config.authUrl}/verify`;\n\n    const body = {\n      token: options.token,\n      realm_id: this.config.realmId,\n      type: 'email_verification',\n    };\n\n    return this.makeRequest<TokenResponse>(url, body);\n  }\n\n  /**\n   * Resend a verification email for an unverified account.\n   *\n   * @param options - Resend options\n   * @returns Success response\n   * @throws {OvixaAuthError} If request fails\n   *\n   * @example\n   * ```typescript\n   * await auth.resendVerification({\n   *   email: 'user@example.com',\n   *   redirectUri: 'https://myapp.com/verify-callback',\n   * });\n   * console.log('Verification email sent!');\n   * ```\n   */\n  async resendVerification(options: ResendVerificationOptions): Promise<SuccessResponse> {\n    const url = `${this.config.authUrl}/verify/resend`;\n\n    const body: Record<string, string> = {\n      email: options.email,\n      realm_id: this.config.realmId,\n    };\n\n    if (options.redirectUri) {\n      body.redirect_uri = options.redirectUri;\n    }\n\n    return this.makeRequest<SuccessResponse>(url, body);\n  }\n\n  /**\n   * Request a password reset email.\n   *\n   * Note: This endpoint always returns success to prevent email enumeration.\n   *\n   * @param options - Forgot password options\n   * @returns Success response\n   * @throws {OvixaAuthError} If request fails\n   *\n   * @example\n   * ```typescript\n   * await auth.forgotPassword({\n   *   email: 'user@example.com',\n   *   redirectUri: 'https://myapp.com/reset-password',\n   * });\n   * console.log('If the email exists, a reset link has been sent.');\n   * ```\n   */\n  async forgotPassword(options: ForgotPasswordOptions): Promise<SuccessResponse> {\n    const url = `${this.config.authUrl}/forgot-password`;\n\n    const body: Record<string, string> = {\n      email: options.email,\n      realm_id: this.config.realmId,\n    };\n\n    if (options.redirectUri) {\n      body.redirect_uri = options.redirectUri;\n    }\n\n    return this.makeRequest<SuccessResponse>(url, body);\n  }\n\n  /**\n   * Reset password using a reset token.\n   *\n   * @param options - Reset password options\n   * @returns Success response\n   * @throws {OvixaAuthError} If reset fails\n   *\n   * @example\n   * ```typescript\n   * // Get token from URL query params\n   * const token = new URLSearchParams(window.location.search).get('token');\n   *\n   * try {\n   *   await auth.resetPassword({\n   *     token,\n   *     password: 'NewSecurePassword123!',\n   *   });\n   *   console.log('Password reset successfully!');\n   * } catch (error) {\n   *   if (error instanceof OvixaAuthError) {\n   *     if (error.code === 'INVALID_TOKEN') {\n   *       console.error('Invalid or expired reset link');\n   *     } else if (error.code === 'WEAK_PASSWORD') {\n   *       console.error('Password does not meet requirements');\n   *     }\n   *   }\n   * }\n   * ```\n   */\n  async resetPassword(options: ResetPasswordOptions): Promise<SuccessResponse> {\n    const url = `${this.config.authUrl}/reset-password`;\n\n    const body = {\n      token: options.token,\n      password: options.password,\n      realm_id: this.config.realmId,\n    };\n\n    return this.makeRequest<SuccessResponse>(url, body);\n  }\n\n  /**\n   * Revoke a refresh token (logout).\n   *\n   * @param refreshToken - The refresh token to revoke\n   * @returns Success response\n   * @throws {OvixaAuthError} If logout fails\n   *\n   * @example\n   * ```typescript\n   * await auth.logout(currentRefreshToken);\n   * // Clear local token storage\n   * localStorage.removeItem('refresh_token');\n   * localStorage.removeItem('access_token');\n   * ```\n   */\n  async logout(refreshToken: string): Promise<SuccessResponse> {\n    const url = `${this.config.authUrl}/logout`;\n\n    const body = {\n      refresh_token: refreshToken,\n    };\n\n    return this.makeRequest<SuccessResponse>(url, body);\n  }\n\n  /**\n   * Generate an OAuth authorization URL.\n   *\n   * Redirect the user to this URL to start the OAuth flow. After authentication,\n   * the user will be redirected back to your `redirectUri` with an authorization code.\n   * Use `exchangeOAuthCode()` to exchange the code for tokens.\n   *\n   * @param options - OAuth URL options\n   * @returns The full OAuth authorization URL\n   *\n   * @example\n   * ```typescript\n   * const googleAuthUrl = auth.getOAuthUrl({\n   *   provider: 'google',\n   *   redirectUri: 'https://myapp.com/auth/callback',\n   * });\n   *\n   * // Redirect user to start OAuth flow\n   * window.location.href = googleAuthUrl;\n   *\n   * // In your callback handler:\n   * // const code = new URLSearchParams(window.location.search).get('code');\n   * // const tokens = await auth.exchangeOAuthCode(code);\n   * ```\n   */\n  getOAuthUrl(options: GetOAuthUrlOptions): string {\n    const url = new URL(`${this.config.authUrl}/oauth/${options.provider}`);\n    url.searchParams.set('realm_id', this.config.realmId);\n    url.searchParams.set('redirect_uri', options.redirectUri);\n    return url.toString();\n  }\n\n  /**\n   * Exchange an OAuth authorization code for tokens.\n   *\n   * After the OAuth flow completes, the user is redirected back to your app with\n   * an authorization code in the URL query params. Use this method to exchange\n   * that code for access and refresh tokens.\n   *\n   * Note: Authorization codes expire after 60 seconds.\n   *\n   * @param code - The authorization code from the OAuth callback URL\n   * @returns Token response with access and refresh tokens\n   * @throws {OvixaAuthError} If the exchange fails\n   *\n   * @example\n   * ```typescript\n   * // In your OAuth callback handler\n   * const code = new URLSearchParams(window.location.search).get('code');\n   *\n   * if (code) {\n   *   try {\n   *     const tokens = await auth.exchangeOAuthCode(code);\n   *     console.log('OAuth successful!', tokens.access_token);\n   *\n   *     // Check if this is a new user (first-time OAuth login)\n   *     if (tokens.is_new_user) {\n   *       // Show onboarding flow\n   *     }\n   *   } catch (error) {\n   *     if (error instanceof OvixaAuthError) {\n   *       if (error.code === 'INVALID_CODE') {\n   *         console.error('Invalid or expired authorization code');\n   *       }\n   *     }\n   *   }\n   * }\n   * ```\n   */\n  async exchangeOAuthCode(code: string): Promise<TokenResponse> {\n    const url = `${this.config.authUrl}/oauth/token`;\n\n    const body = {\n      code,\n      realm_id: this.config.realmId,\n    };\n\n    return this.makeRequest<TokenResponse>(url, body);\n  }\n\n  /**\n   * Transform a token response into an AuthResult with user and session data.\n   *\n   * This method decodes the access token to extract user information and\n   * creates a structured result object.\n   *\n   * @param tokenResponse - The token response from login, verify, or refresh\n   * @returns AuthResult with user and session data\n   * @throws {OvixaAuthError} If the access token cannot be decoded\n   *\n   * @example\n   * ```typescript\n   * const tokens = await auth.login({ email, password });\n   * const result = await auth.toAuthResult(tokens);\n   *\n   * console.log('User ID:', result.user.id);\n   * console.log('Email:', result.user.email);\n   * console.log('Expires at:', result.session.expiresAt);\n   * ```\n   */\n  async toAuthResult(tokenResponse: TokenResponse): Promise<AuthResult> {\n    // Verify and decode the access token\n    const verified = await this.verifyToken(tokenResponse.access_token);\n\n    const user: User = {\n      id: verified.payload.sub,\n      email: verified.payload.email,\n      emailVerified: verified.payload.email_verified,\n    };\n\n    const session: Session = {\n      accessToken: tokenResponse.access_token,\n      refreshToken: tokenResponse.refresh_token,\n      expiresAt: new Date(Date.now() + tokenResponse.expires_in * 1000),\n    };\n\n    const result: AuthResult = { user, session };\n\n    if (tokenResponse.is_new_user !== undefined) {\n      result.isNewUser = tokenResponse.is_new_user;\n    }\n\n    return result;\n  }\n\n  /**\n   * Delete the current user's own account.\n   *\n   * This permanently deletes the user's account and all associated data.\n   * Password re-authentication is required to prevent accidental deletion.\n   *\n   * @param options - Delete account options\n   * @returns Success response\n   * @throws {OvixaAuthError} If deletion fails\n   *\n   * @example\n   * ```typescript\n   * try {\n   *   await auth.deleteMyAccount({\n   *     accessToken: session.accessToken,\n   *     password: 'current-password',\n   *   });\n   *   console.log('Account deleted successfully');\n   *   // Clear local session storage\n   * } catch (error) {\n   *   if (error instanceof OvixaAuthError) {\n   *     if (error.code === 'INVALID_CREDENTIALS') {\n   *       console.error('Incorrect password');\n   *     } else if (error.code === 'UNAUTHORIZED') {\n   *       console.error('Invalid or expired access token');\n   *     }\n   *   }\n   * }\n   * ```\n   */\n  async deleteMyAccount(options: DeleteMyAccountOptions): Promise<SuccessResponse> {\n    const url = `${this.config.authUrl}/me`;\n\n    try {\n      const response = await fetch(url, {\n        method: 'DELETE',\n        headers: {\n          'Content-Type': 'application/json',\n          Authorization: `Bearer ${options.accessToken}`,\n        },\n        body: JSON.stringify({\n          password: options.password,\n        }),\n      });\n\n      if (!response.ok) {\n        const errorBody = await response.json().catch(() => ({}));\n        const errorData = errorBody as { error?: { code?: string; message?: string } | string };\n\n        let errorCode: string;\n        let errorMessage: string;\n\n        if (typeof errorData.error === 'object' && errorData.error) {\n          errorCode = errorData.error.code || this.mapHttpStatusToErrorCode(response.status);\n          errorMessage = errorData.error.message || 'Request failed';\n        } else {\n          errorCode = this.mapHttpStatusToErrorCode(response.status);\n          errorMessage = typeof errorData.error === 'string' ? errorData.error : 'Request failed';\n        }\n\n        throw new OvixaAuthError(errorMessage, errorCode, response.status);\n      }\n\n      return (await response.json()) as SuccessResponse;\n    } catch (error) {\n      if (error instanceof OvixaAuthError) {\n        throw error;\n      }\n\n      if (error instanceof Error) {\n        throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n      }\n\n      throw new OvixaAuthError('Request failed', 'REQUEST_FAILED');\n    }\n  }\n\n  /**\n   * Make an authenticated POST request to the auth service.\n   */\n  private async makeRequest<T>(url: string, body: Record<string, unknown>): Promise<T> {\n    try {\n      const response = await fetch(url, {\n        method: 'POST',\n        headers: {\n          'Content-Type': 'application/json',\n        },\n        body: JSON.stringify(body),\n      });\n\n      if (!response.ok) {\n        const errorBody = await response.json().catch(() => ({}));\n        const errorData = errorBody as { error?: { code?: string; message?: string } | string };\n\n        let errorCode: string;\n        let errorMessage: string;\n\n        if (typeof errorData.error === 'object' && errorData.error) {\n          errorCode = errorData.error.code || this.mapHttpStatusToErrorCode(response.status);\n          errorMessage = errorData.error.message || 'Request failed';\n        } else {\n          errorCode = this.mapHttpStatusToErrorCode(response.status);\n          errorMessage = typeof errorData.error === 'string' ? errorData.error : 'Request failed';\n        }\n\n        throw new OvixaAuthError(errorMessage, errorCode, response.status);\n      }\n\n      return (await response.json()) as T;\n    } catch (error) {\n      if (error instanceof OvixaAuthError) {\n        throw error;\n      }\n\n      if (error instanceof Error) {\n        throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n      }\n\n      throw new OvixaAuthError('Request failed', 'REQUEST_FAILED');\n    }\n  }\n\n  /**\n   * Map HTTP status codes to error codes.\n   */\n  private mapHttpStatusToErrorCode(status: number): string {\n    switch (status) {\n      case 400:\n        return 'BAD_REQUEST';\n      case 401:\n        return 'UNAUTHORIZED';\n      case 403:\n        return 'FORBIDDEN';\n      case 404:\n        return 'NOT_FOUND';\n      case 429:\n        return 'RATE_LIMITED';\n      case 500:\n      case 502:\n      case 503:\n        return 'SERVER_ERROR';\n      default:\n        return 'UNKNOWN_ERROR';\n    }\n  }\n\n  /**\n   * Get the admin API interface for realm-scoped operations.\n   *\n   * Admin operations require clientSecret to be configured.\n   * These operations allow managing users within the realm boundary.\n   *\n   * @returns OvixaAuthAdmin interface for admin operations\n   * @throws {OvixaAuthError} If clientSecret is not configured\n   *\n   * @example\n   * ```typescript\n   * const auth = new OvixaAuth({\n   *   authUrl: 'https://auth.ovixa.io',\n   *   realmId: 'your-realm',\n   *   clientSecret: process.env.OVIXA_CLIENT_SECRET,\n   * });\n   *\n   * // Delete a user from the realm\n   * await auth.admin.deleteUser({ userId: 'user-id-to-delete' });\n   * ```\n   */\n  get admin(): OvixaAuthAdmin {\n    if (!this.config.clientSecret) {\n      throw new OvixaAuthError(\n        'clientSecret is required for admin operations',\n        'CLIENT_SECRET_REQUIRED'\n      );\n    }\n    return new OvixaAuthAdmin(this.config);\n  }\n}\n\n/**\n * Admin API interface for realm-scoped operations.\n *\n * This class provides methods for managing users within the realm boundary.\n * All operations are authenticated using the realm's client_secret.\n *\n * @example\n * ```typescript\n * // Access via OvixaAuth.admin\n * await auth.admin.deleteUser({ userId: 'user-id' });\n * ```\n */\nclass OvixaAuthAdmin {\n  private config: InternalConfig;\n\n  constructor(config: InternalConfig) {\n    this.config = config;\n  }\n\n  /**\n   * Delete a user from the realm.\n   *\n   * This permanently deletes the user and all associated data (tokens, OAuth accounts).\n   * The user must belong to this realm.\n   *\n   * @param options - Delete user options\n   * @returns Success response\n   * @throws {OvixaAuthError} If deletion fails\n   *\n   * @example\n   * ```typescript\n   * try {\n   *   await auth.admin.deleteUser({ userId: 'user-id-to-delete' });\n   *   console.log('User deleted successfully');\n   * } catch (error) {\n   *   if (error instanceof OvixaAuthError) {\n   *     if (error.code === 'NOT_FOUND') {\n   *       console.error('User not found');\n   *     } else if (error.code === 'FORBIDDEN') {\n   *       console.error('User does not belong to this realm');\n   *     }\n   *   }\n   * }\n   * ```\n   */\n  async deleteUser(options: DeleteUserOptions): Promise<SuccessResponse> {\n    const url = `${this.config.authUrl}/realms/${this.config.realmId}/users/${options.userId}`;\n\n    try {\n      const response = await fetch(url, {\n        method: 'DELETE',\n        headers: {\n          Authorization: `RealmSecret ${this.config.clientSecret}`,\n        },\n      });\n\n      if (!response.ok) {\n        const errorBody = await response.json().catch(() => ({}));\n        const errorData = errorBody as { error?: { code?: string; message?: string } | string };\n\n        let errorCode: string;\n        let errorMessage: string;\n\n        if (typeof errorData.error === 'object' && errorData.error) {\n          errorCode = errorData.error.code || this.mapHttpStatusToErrorCode(response.status);\n          errorMessage = errorData.error.message || 'Request failed';\n        } else {\n          errorCode = this.mapHttpStatusToErrorCode(response.status);\n          errorMessage = typeof errorData.error === 'string' ? errorData.error : 'Request failed';\n        }\n\n        throw new OvixaAuthError(errorMessage, errorCode, response.status);\n      }\n\n      return (await response.json()) as SuccessResponse;\n    } catch (error) {\n      if (error instanceof OvixaAuthError) {\n        throw error;\n      }\n\n      if (error instanceof Error) {\n        throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n      }\n\n      throw new OvixaAuthError('Request failed', 'REQUEST_FAILED');\n    }\n  }\n\n  /**\n   * Map HTTP status codes to error codes.\n   */\n  private mapHttpStatusToErrorCode(status: number): string {\n    switch (status) {\n      case 400:\n        return 'BAD_REQUEST';\n      case 401:\n        return 'UNAUTHORIZED';\n      case 403:\n        return 'FORBIDDEN';\n      case 404:\n        return 'NOT_FOUND';\n      case 429:\n        return 'RATE_LIMITED';\n      case 500:\n      case 502:\n      case 503:\n        return 'SERVER_ERROR';\n      default:\n        return 'UNKNOWN_ERROR';\n    }\n  }\n}\n"],"mappings":";AAOA;AAAA,EACE;AAAA,EACA;AAAA,OAIK;AAsNA,IAAM,iBAAN,cAA6B,MAAM;AAAA,EACxC,YACE,SACgB,MACA,YAChB;AACA,UAAM,OAAO;AAHG;AACA;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAUA,IAAM,yBAAyB,KAAK,KAAK;AAgClC,IAAM,YAAN,MAAgB;AAAA,EACb;AAAA,EACA,YAA8B;AAAA,EAEtC,YAAY,QAA0B;AAEpC,UAAM,UAAU,OAAO,QAAQ,QAAQ,OAAO,EAAE;AAEhD,SAAK,SAAS;AAAA,MACZ;AAAA,MACA,SAAS,OAAO;AAAA,MAChB,cAAc,OAAO;AAAA,MACrB,cAAc,OAAO,gBAAgB;AAAA,IACvC;AAAA,EACF;AAAA;AAAA,EAGA,IAAI,UAAkB;AACpB,WAAO,KAAK,OAAO;AAAA,EACrB;AAAA;AAAA,EAGA,IAAI,UAAkB;AACpB,WAAO,KAAK,OAAO;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,UAAkB;AACpB,WAAO,GAAG,KAAK,OAAO,OAAO;AAAA,EAC/B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,iBAA8B;AACpC,UAAM,MAAM,KAAK,IAAI;AAGrB,QAAI,KAAK,aAAa,MAAM,KAAK,UAAU,YAAY,KAAK,OAAO,cAAc;AAC/E,aAAO,KAAK,UAAU;AAAA,IACxB;AAGA,UAAM,UAAU,IAAI,IAAI,KAAK,OAAO;AACpC,UAAM,UAAU,mBAAmB,SAAS;AAAA;AAAA;AAAA,MAG1C,aAAa,KAAK,OAAO;AAAA,IAC3B,CAAC;AAED,SAAK,YAAY;AAAA,MACf;AAAA,MACA,WAAW;AAAA,IACb;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAyBA,MAAM,YAAY,OAAsC;AACtD,QAAI;AACF,YAAM,OAAO,KAAK,eAAe;AAEjC,YAAM,SAA8C,MAAM,UAAU,OAAO,MAAM;AAAA,QAC/E,YAAY,CAAC,OAAO;AAAA,QACpB,QAAQ,KAAK,OAAO;AAAA;AAAA,QAEpB,UAAU,KAAK,OAAO;AAAA,MACxB,CAAC;AAGD,YAAM,UAAU,OAAO;AACvB,UAAI,CAAC,QAAQ,OAAO,CAAC,QAAQ,SAAS,QAAQ,mBAAmB,QAAW;AAC1E,cAAM,IAAI,eAAe,oCAAoC,gBAAgB;AAAA,MAC/E;AAEA,aAAO;AAAA,QACL;AAAA,QACA,iBAAiB,OAAO;AAAA,MAC1B;AAAA,IACF,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AAGA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,UAAU,MAAM;AAEtB,YAAI,QAAQ,SAAS,SAAS,GAAG;AAC/B,gBAAM,IAAI,eAAe,qBAAqB,eAAe;AAAA,QAC/D;AACA,YAAI,QAAQ,SAAS,WAAW,GAAG;AACjC,gBAAM,IAAI,eAAe,2BAA2B,mBAAmB;AAAA,QACzE;AACA,YAAI,QAAQ,SAAS,QAAQ,GAAG;AAC9B,gBAAM,IAAI,eAAe,wBAAwB,gBAAgB;AAAA,QACnE;AACA,YAAI,QAAQ,SAAS,UAAU,GAAG;AAChC,gBAAM,IAAI,eAAe,0BAA0B,kBAAkB;AAAA,QACvE;AACA,YAAI,QAAQ,SAAS,WAAW,GAAG;AACjC,gBAAM,IAAI,eAAe,mBAAmB,iBAAiB;AAAA,QAC/D;AAEA,cAAM,IAAI,eAAe,8BAA8B,OAAO,IAAI,qBAAqB;AAAA,MACzF;AAEA,YAAM,IAAI,eAAe,6BAA6B,qBAAqB;AAAA,IAC7E;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA0BA,MAAM,aAAa,cAA8C;AAC/D,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,QAClB;AAAA,QACA,MAAM,KAAK,UAAU;AAAA,UACnB,eAAe;AAAA,QACjB,CAAC;AAAA,MACH,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,YAAY,MAAM,SAAS,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACxD,cAAM,eAAgB,UAAiC,SAAS;AAChE,cAAM,YAAY,KAAK,yBAAyB,SAAS,MAAM;AAE/D,cAAM,IAAI,eAAe,cAAc,WAAW,SAAS,MAAM;AAAA,MACnE;AAEA,YAAM,OAAQ,MAAM,SAAS,KAAK;AAClC,aAAO;AAAA,IACT,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AAEA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AAEA,YAAM,IAAI,eAAe,wBAAwB,gBAAgB;AAAA,IACnE;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,iBAAuB;AACrB,SAAK,YAAY;AAAA,EACnB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA8BA,MAAM,OAAO,SAAiD;AAC5D,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAA+B;AAAA,MACnC,OAAO,QAAQ;AAAA,MACf,UAAU,QAAQ;AAAA,MAClB,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,QAAI,QAAQ,aAAa;AACvB,WAAK,eAAe,QAAQ;AAAA,IAC9B;AAEA,WAAO,KAAK,YAA4B,KAAK,IAAI;AAAA,EACnD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA4BA,MAAM,MAAM,SAA+C;AACzD,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX,OAAO,QAAQ;AAAA,MACf,UAAU,QAAQ;AAAA,MAClB,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,WAAO,KAAK,YAA2B,KAAK,IAAI;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA2BA,MAAM,YAAY,SAAqD;AACrE,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX,OAAO,QAAQ;AAAA,MACf,UAAU,KAAK,OAAO;AAAA,MACtB,MAAM;AAAA,IACR;AAEA,WAAO,KAAK,YAA2B,KAAK,IAAI;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAkBA,MAAM,mBAAmB,SAA8D;AACrF,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAA+B;AAAA,MACnC,OAAO,QAAQ;AAAA,MACf,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,QAAI,QAAQ,aAAa;AACvB,WAAK,eAAe,QAAQ;AAAA,IAC9B;AAEA,WAAO,KAAK,YAA6B,KAAK,IAAI;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAoBA,MAAM,eAAe,SAA0D;AAC7E,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAA+B;AAAA,MACnC,OAAO,QAAQ;AAAA,MACf,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,QAAI,QAAQ,aAAa;AACvB,WAAK,eAAe,QAAQ;AAAA,IAC9B;AAEA,WAAO,KAAK,YAA6B,KAAK,IAAI;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA+BA,MAAM,cAAc,SAAyD;AAC3E,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX,OAAO,QAAQ;AAAA,MACf,UAAU,QAAQ;AAAA,MAClB,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,WAAO,KAAK,YAA6B,KAAK,IAAI;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiBA,MAAM,OAAO,cAAgD;AAC3D,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX,eAAe;AAAA,IACjB;AAEA,WAAO,KAAK,YAA6B,KAAK,IAAI;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA2BA,YAAY,SAAqC;AAC/C,UAAM,MAAM,IAAI,IAAI,GAAG,KAAK,OAAO,OAAO,UAAU,QAAQ,QAAQ,EAAE;AACtE,QAAI,aAAa,IAAI,YAAY,KAAK,OAAO,OAAO;AACpD,QAAI,aAAa,IAAI,gBAAgB,QAAQ,WAAW;AACxD,WAAO,IAAI,SAAS;AAAA,EACtB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAuCA,MAAM,kBAAkB,MAAsC;AAC5D,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX;AAAA,MACA,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,WAAO,KAAK,YAA2B,KAAK,IAAI;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAsBA,MAAM,aAAa,eAAmD;AAEpE,UAAM,WAAW,MAAM,KAAK,YAAY,cAAc,YAAY;AAElE,UAAM,OAAa;AAAA,MACjB,IAAI,SAAS,QAAQ;AAAA,MACrB,OAAO,SAAS,QAAQ;AAAA,MACxB,eAAe,SAAS,QAAQ;AAAA,IAClC;AAEA,UAAM,UAAmB;AAAA,MACvB,aAAa,cAAc;AAAA,MAC3B,cAAc,cAAc;AAAA,MAC5B,WAAW,IAAI,KAAK,KAAK,IAAI,IAAI,cAAc,aAAa,GAAI;AAAA,IAClE;AAEA,UAAM,SAAqB,EAAE,MAAM,QAAQ;AAE3C,QAAI,cAAc,gBAAgB,QAAW;AAC3C,aAAO,YAAY,cAAc;AAAA,IACnC;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAgCA,MAAM,gBAAgB,SAA2D;AAC/E,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,UAChB,eAAe,UAAU,QAAQ,WAAW;AAAA,QAC9C;AAAA,QACA,MAAM,KAAK,UAAU;AAAA,UACnB,UAAU,QAAQ;AAAA,QACpB,CAAC;AAAA,MACH,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,YAAY,MAAM,SAAS,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACxD,cAAM,YAAY;AAElB,YAAI;AACJ,YAAI;AAEJ,YAAI,OAAO,UAAU,UAAU,YAAY,UAAU,OAAO;AAC1D,sBAAY,UAAU,MAAM,QAAQ,KAAK,yBAAyB,SAAS,MAAM;AACjF,yBAAe,UAAU,MAAM,WAAW;AAAA,QAC5C,OAAO;AACL,sBAAY,KAAK,yBAAyB,SAAS,MAAM;AACzD,yBAAe,OAAO,UAAU,UAAU,WAAW,UAAU,QAAQ;AAAA,QACzE;AAEA,cAAM,IAAI,eAAe,cAAc,WAAW,SAAS,MAAM;AAAA,MACnE;AAEA,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AAEA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AAEA,YAAM,IAAI,eAAe,kBAAkB,gBAAgB;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,YAAe,KAAa,MAA2C;AACnF,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,QAClB;AAAA,QACA,MAAM,KAAK,UAAU,IAAI;AAAA,MAC3B,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,YAAY,MAAM,SAAS,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACxD,cAAM,YAAY;AAElB,YAAI;AACJ,YAAI;AAEJ,YAAI,OAAO,UAAU,UAAU,YAAY,UAAU,OAAO;AAC1D,sBAAY,UAAU,MAAM,QAAQ,KAAK,yBAAyB,SAAS,MAAM;AACjF,yBAAe,UAAU,MAAM,WAAW;AAAA,QAC5C,OAAO;AACL,sBAAY,KAAK,yBAAyB,SAAS,MAAM;AACzD,yBAAe,OAAO,UAAU,UAAU,WAAW,UAAU,QAAQ;AAAA,QACzE;AAEA,cAAM,IAAI,eAAe,cAAc,WAAW,SAAS,MAAM;AAAA,MACnE;AAEA,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AAEA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AAEA,YAAM,IAAI,eAAe,kBAAkB,gBAAgB;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,yBAAyB,QAAwB;AACvD,YAAQ,QAAQ;AAAA,MACd,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AACH,eAAO;AAAA,MACT;AACE,eAAO;AAAA,IACX;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAuBA,IAAI,QAAwB;AAC1B,QAAI,CAAC,KAAK,OAAO,cAAc;AAC7B,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,MACF;AAAA,IACF;AACA,WAAO,IAAI,eAAe,KAAK,MAAM;AAAA,EACvC;AACF;AAcA,IAAM,iBAAN,MAAqB;AAAA,EACX;AAAA,EAER,YAAY,QAAwB;AAClC,SAAK,SAAS;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA4BA,MAAM,WAAW,SAAsD;AACrE,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO,WAAW,KAAK,OAAO,OAAO,UAAU,QAAQ,MAAM;AAExF,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,eAAe,eAAe,KAAK,OAAO,YAAY;AAAA,QACxD;AAAA,MACF,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,YAAY,MAAM,SAAS,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACxD,cAAM,YAAY;AAElB,YAAI;AACJ,YAAI;AAEJ,YAAI,OAAO,UAAU,UAAU,YAAY,UAAU,OAAO;AAC1D,sBAAY,UAAU,MAAM,QAAQ,KAAK,yBAAyB,SAAS,MAAM;AACjF,yBAAe,UAAU,MAAM,WAAW;AAAA,QAC5C,OAAO;AACL,sBAAY,KAAK,yBAAyB,SAAS,MAAM;AACzD,yBAAe,OAAO,UAAU,UAAU,WAAW,UAAU,QAAQ;AAAA,QACzE;AAEA,cAAM,IAAI,eAAe,cAAc,WAAW,SAAS,MAAM;AAAA,MACnE;AAEA,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AAEA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AAEA,YAAM,IAAI,eAAe,kBAAkB,gBAAgB;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,yBAAyB,QAAwB;AACvD,YAAQ,QAAQ;AAAA,MACd,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AACH,eAAO;AAAA,MACT;AACE,eAAO;AAAA,IACX;AAAA,EACF;AACF;","names":[]}

package/dist/{chunk-Y5NJCTZO.js → chunk-DIZJA4PY.js}

@@ -1,6 +1,6 @@
 import {
   OvixaAuthError
-} from "./chunk-UHRF6AFJ.js";
+} from "./chunk-CUACHOKT.js";
 
 // src/middleware/types.ts
 var DEFAULT_COOKIE_OPTIONS = {
@@ -140,4 +140,4 @@ export {
   setAuthCookies,
   clearAuthCookies
 };
-//# sourceMappingURL=chunk-Y5NJCTZO.js.map
+//# sourceMappingURL=chunk-DIZJA4PY.js.map

package/dist/index.d.ts

@@ -181,6 +181,22 @@ interface GetOAuthUrlOptions {
     /** Redirect URI after OAuth completes */
     redirectUri: string;
 }
+/**
+ * Options for deleting a user (admin operation).
+ */
+interface DeleteUserOptions {
+    /** The ID of the user to delete */
+    userId: string;
+}
+/**
+ * Options for deleting the current user's own account.
+ */
+interface DeleteMyAccountOptions {
+    /** The user's current access token */
+    accessToken: string;
+    /** The user's current password (for re-authentication) */
+    password: string;
+}
 /**
  * Error thrown by OvixaAuth operations.
  */
@@ -189,6 +205,12 @@ declare class OvixaAuthError extends Error {
     readonly statusCode?: number | undefined;
     constructor(message: string, code: string, statusCode?: number | undefined);
 }
+interface InternalConfig {
+    authUrl: string;
+    realmId: string;
+    clientSecret?: string;
+    jwksCacheTtl: number;
+}
 /**
  * OvixaAuth client for authenticating with the Ovixa Auth service.
  *
@@ -447,7 +469,8 @@ declare class OvixaAuth {
      * Generate an OAuth authorization URL.
      *
      * Redirect the user to this URL to start the OAuth flow. After authentication,
-     * the user will be redirected back to your `redirectUri` with tokens.
+     * the user will be redirected back to your `redirectUri` with an authorization code.
+     * Use `exchangeOAuthCode()` to exchange the code for tokens.
      *
      * @param options - OAuth URL options
      * @returns The full OAuth authorization URL
@@ -461,9 +484,51 @@ declare class OvixaAuth {
      *
      * // Redirect user to start OAuth flow
      * window.location.href = googleAuthUrl;
+     *
+     * // In your callback handler:
+     * // const code = new URLSearchParams(window.location.search).get('code');
+     * // const tokens = await auth.exchangeOAuthCode(code);
      * ```
      */
     getOAuthUrl(options: GetOAuthUrlOptions): string;
+    /**
+     * Exchange an OAuth authorization code for tokens.
+     *
+     * After the OAuth flow completes, the user is redirected back to your app with
+     * an authorization code in the URL query params. Use this method to exchange
+     * that code for access and refresh tokens.
+     *
+     * Note: Authorization codes expire after 60 seconds.
+     *
+     * @param code - The authorization code from the OAuth callback URL
+     * @returns Token response with access and refresh tokens
+     * @throws {OvixaAuthError} If the exchange fails
+     *
+     * @example
+     * ```typescript
+     * // In your OAuth callback handler
+     * const code = new URLSearchParams(window.location.search).get('code');
+     *
+     * if (code) {
+     *   try {
+     *     const tokens = await auth.exchangeOAuthCode(code);
+     *     console.log('OAuth successful!', tokens.access_token);
+     *
+     *     // Check if this is a new user (first-time OAuth login)
+     *     if (tokens.is_new_user) {
+     *       // Show onboarding flow
+     *     }
+     *   } catch (error) {
+     *     if (error instanceof OvixaAuthError) {
+     *       if (error.code === 'INVALID_CODE') {
+     *         console.error('Invalid or expired authorization code');
+     *       }
+     *     }
+     *   }
+     * }
+     * ```
+     */
+    exchangeOAuthCode(code: string): Promise<TokenResponse>;
     /**
      * Transform a token response into an AuthResult with user and session data.
      *
@@ -485,6 +550,37 @@ declare class OvixaAuth {
      * ```
      */
     toAuthResult(tokenResponse: TokenResponse): Promise<AuthResult>;
+    /**
+     * Delete the current user's own account.
+     *
+     * This permanently deletes the user's account and all associated data.
+     * Password re-authentication is required to prevent accidental deletion.
+     *
+     * @param options - Delete account options
+     * @returns Success response
+     * @throws {OvixaAuthError} If deletion fails
+     *
+     * @example
+     * ```typescript
+     * try {
+     *   await auth.deleteMyAccount({
+     *     accessToken: session.accessToken,
+     *     password: 'current-password',
+     *   });
+     *   console.log('Account deleted successfully');
+     *   // Clear local session storage
+     * } catch (error) {
+     *   if (error instanceof OvixaAuthError) {
+     *     if (error.code === 'INVALID_CREDENTIALS') {
+     *       console.error('Incorrect password');
+     *     } else if (error.code === 'UNAUTHORIZED') {
+     *       console.error('Invalid or expired access token');
+     *     }
+     *   }
+     * }
+     * ```
+     */
+    deleteMyAccount(options: DeleteMyAccountOptions): Promise<SuccessResponse>;
     /**
      * Make an authenticated POST request to the auth service.
      */
@@ -493,6 +589,75 @@ declare class OvixaAuth {
      * Map HTTP status codes to error codes.
      */
     private mapHttpStatusToErrorCode;
+    /**
+     * Get the admin API interface for realm-scoped operations.
+     *
+     * Admin operations require clientSecret to be configured.
+     * These operations allow managing users within the realm boundary.
+     *
+     * @returns OvixaAuthAdmin interface for admin operations
+     * @throws {OvixaAuthError} If clientSecret is not configured
+     *
+     * @example
+     * ```typescript
+     * const auth = new OvixaAuth({
+     *   authUrl: 'https://auth.ovixa.io',
+     *   realmId: 'your-realm',
+     *   clientSecret: process.env.OVIXA_CLIENT_SECRET,
+     * });
+     *
+     * // Delete a user from the realm
+     * await auth.admin.deleteUser({ userId: 'user-id-to-delete' });
+     * ```
+     */
+    get admin(): OvixaAuthAdmin;
+}
+/**
+ * Admin API interface for realm-scoped operations.
+ *
+ * This class provides methods for managing users within the realm boundary.
+ * All operations are authenticated using the realm's client_secret.
+ *
+ * @example
+ * ```typescript
+ * // Access via OvixaAuth.admin
+ * await auth.admin.deleteUser({ userId: 'user-id' });
+ * ```
+ */
+declare class OvixaAuthAdmin {
+    private config;
+    constructor(config: InternalConfig);
+    /**
+     * Delete a user from the realm.
+     *
+     * This permanently deletes the user and all associated data (tokens, OAuth accounts).
+     * The user must belong to this realm.
+     *
+     * @param options - Delete user options
+     * @returns Success response
+     * @throws {OvixaAuthError} If deletion fails
+     *
+     * @example
+     * ```typescript
+     * try {
+     *   await auth.admin.deleteUser({ userId: 'user-id-to-delete' });
+     *   console.log('User deleted successfully');
+     * } catch (error) {
+     *   if (error instanceof OvixaAuthError) {
+     *     if (error.code === 'NOT_FOUND') {
+     *       console.error('User not found');
+     *     } else if (error.code === 'FORBIDDEN') {
+     *       console.error('User does not belong to this realm');
+     *     }
+     *   }
+     * }
+     * ```
+     */
+    deleteUser(options: DeleteUserOptions): Promise<SuccessResponse>;
+    /**
+     * Map HTTP status codes to error codes.
+     */
+    private mapHttpStatusToErrorCode;
 }
 
-export { type AccessTokenPayload, type AuthClientConfig, type AuthResult, type ForgotPasswordOptions, type GetOAuthUrlOptions, type LoginOptions, type OAuthProvider, OvixaAuth, OvixaAuthError, type ResendVerificationOptions, type ResetPasswordOptions, type Session, type SignupOptions, type SignupResponse, type SuccessResponse, type TokenResponse, type User, type VerifyEmailOptions, type VerifyResult };
+export { type AccessTokenPayload, type AuthClientConfig, type AuthResult, type DeleteMyAccountOptions, type DeleteUserOptions, type ForgotPasswordOptions, type GetOAuthUrlOptions, type LoginOptions, type OAuthProvider, OvixaAuth, OvixaAuthError, type ResendVerificationOptions, type ResetPasswordOptions, type Session, type SignupOptions, type SignupResponse, type SuccessResponse, type TokenResponse, type User, type VerifyEmailOptions, type VerifyResult };

package/dist/index.js

@@ -1,7 +1,7 @@
 import {
   OvixaAuth,
   OvixaAuthError
-} from "./chunk-UHRF6AFJ.js";
+} from "./chunk-CUACHOKT.js";
 export {
   OvixaAuth,
   OvixaAuthError

package/dist/middleware/astro.js

@@ -3,8 +3,8 @@ import {
   clearAuthCookies,
   isPublicRoute,
   setAuthCookies
-} from "../chunk-Y5NJCTZO.js";
-import "../chunk-UHRF6AFJ.js";
+} from "../chunk-DIZJA4PY.js";
+import "../chunk-CUACHOKT.js";
 
 // src/middleware/astro.ts
 var AstroCookieAdapter = class {

package/dist/middleware/express.js

@@ -3,8 +3,8 @@ import {
   clearAuthCookies,
   isPublicRoute,
   setAuthCookies
-} from "../chunk-Y5NJCTZO.js";
-import "../chunk-UHRF6AFJ.js";
+} from "../chunk-DIZJA4PY.js";
+import "../chunk-CUACHOKT.js";
 
 // src/middleware/express.ts
 var ExpressCookieAdapter = class {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ovixa/auth-client",
-  "version": "0.1.1",
+  "version": "0.1.3",
   "description": "Client SDK for Ovixa Auth service",
   "type": "module",
   "main": "./dist/index.js",

package/dist/chunk-UHRF6AFJ.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/index.ts"],"sourcesContent":["/**\n * @ovixa/auth-client\n *\n * Client SDK for Ovixa Auth service.\n * Provides authentication, token verification, and session management.\n */\n\nimport {\n  createRemoteJWKSet,\n  jwtVerify,\n  type JWTPayload,\n  type JWTVerifyResult,\n  type JWTHeaderParameters,\n} from 'jose';\n\n/**\n * Configuration options for the OvixaAuth client.\n */\nexport interface AuthClientConfig {\n  /** The base URL of the Ovixa Auth service */\n  authUrl: string;\n  /** The realm ID to authenticate against */\n  realmId: string;\n  /** Your application's client secret (for server-side use only) */\n  clientSecret?: string;\n  /** Cache duration for JWKS in milliseconds (defaults to 1 hour) */\n  jwksCacheTtl?: number;\n}\n\n/**\n * JWT claims for an Ovixa access token.\n */\nexport interface AccessTokenPayload extends JWTPayload {\n  /** Subject (user ID) */\n  sub: string;\n  /** User's email address */\n  email: string;\n  /** Whether the user's email has been verified */\n  email_verified: boolean;\n  /** Issued at timestamp */\n  iat: number;\n  /** Expiration timestamp */\n  exp: number;\n  /** Issuer */\n  iss: string;\n  /** Audience (realm ID) */\n  aud: string;\n}\n\n/**\n * Result of a successful token verification.\n */\nexport interface VerifyResult {\n  /** The decoded token payload */\n  payload: AccessTokenPayload;\n  /** The protected header */\n  protectedHeader: JWTHeaderParameters;\n}\n\n/**\n * Token response from the auth service.\n */\nexport interface TokenResponse {\n  /** The access token (JWT) */\n  access_token: string;\n  /** The refresh token (JWT) */\n  refresh_token: string;\n  /** Token type (always \"Bearer\") */\n  token_type: 'Bearer';\n  /** Access token expiration time in seconds */\n  expires_in: number;\n  /** Whether this is a new user (only present in OAuth callback) */\n  is_new_user?: boolean;\n}\n\n/**\n * User information extracted from token payload.\n */\nexport interface User {\n  /** User ID (UUID) */\n  id: string;\n  /** User's email address */\n  email: string;\n  /** Whether the email has been verified */\n  emailVerified: boolean;\n}\n\n/**\n * Session information containing tokens and expiry.\n */\nexport interface Session {\n  /** The access token (JWT) */\n  accessToken: string;\n  /** The refresh token for obtaining new access tokens */\n  refreshToken: string;\n  /** When the access token expires */\n  expiresAt: Date;\n}\n\n/**\n * Combined authentication result with user and session data.\n */\nexport interface AuthResult {\n  /** The authenticated user */\n  user: User;\n  /** The session tokens */\n  session: Session;\n  /** Whether this is a new user (only set for OAuth flows) */\n  isNewUser?: boolean;\n}\n\n/**\n * Options for signup.\n */\nexport interface SignupOptions {\n  /** User's email address */\n  email: string;\n  /** Password meeting requirements */\n  password: string;\n  /** Optional redirect URI after email verification */\n  redirectUri?: string;\n}\n\n/**\n * Response from signup endpoint.\n */\nexport interface SignupResponse {\n  /** Whether the operation succeeded */\n  success: boolean;\n  /** Status message */\n  message: string;\n}\n\n/**\n * Options for login.\n */\nexport interface LoginOptions {\n  /** User's email address */\n  email: string;\n  /** User's password */\n  password: string;\n}\n\n/**\n * Options for email verification.\n */\nexport interface VerifyEmailOptions {\n  /** Verification token from email */\n  token: string;\n}\n\n/**\n * Options for resending verification email.\n */\nexport interface ResendVerificationOptions {\n  /** User's email address */\n  email: string;\n  /** Optional redirect URI after verification */\n  redirectUri?: string;\n}\n\n/**\n * Generic success response.\n */\nexport interface SuccessResponse {\n  /** Whether the operation succeeded */\n  success: boolean;\n  /** Optional status message */\n  message?: string;\n}\n\n/**\n * Options for forgot password request.\n */\nexport interface ForgotPasswordOptions {\n  /** User's email address */\n  email: string;\n  /** Optional redirect URI for password reset page */\n  redirectUri?: string;\n}\n\n/**\n * Options for password reset.\n */\nexport interface ResetPasswordOptions {\n  /** Reset token from email */\n  token: string;\n  /** New password */\n  password: string;\n}\n\n/**\n * Supported OAuth providers.\n */\nexport type OAuthProvider = 'google' | 'github';\n\n/**\n * Options for generating OAuth URL.\n */\nexport interface GetOAuthUrlOptions {\n  /** OAuth provider */\n  provider: OAuthProvider;\n  /** Redirect URI after OAuth completes */\n  redirectUri: string;\n}\n\n/**\n * Error thrown by OvixaAuth operations.\n */\nexport class OvixaAuthError extends Error {\n  constructor(\n    message: string,\n    public readonly code: string,\n    public readonly statusCode?: number\n  ) {\n    super(message);\n    this.name = 'OvixaAuthError';\n  }\n}\n\ninterface InternalConfig {\n  authUrl: string;\n  realmId: string;\n  clientSecret?: string;\n  jwksCacheTtl: number;\n}\n\n/** Default JWKS cache TTL: 1 hour */\nconst DEFAULT_JWKS_CACHE_TTL = 60 * 60 * 1000;\n\n/**\n * Custom fetch function that adds cache headers for JWKS requests.\n * Used to implement client-side caching behavior.\n */\ntype JWKSFetcher = ReturnType<typeof createRemoteJWKSet>;\n\ninterface JWKSCache {\n  fetcher: JWKSFetcher;\n  createdAt: number;\n}\n\n/**\n * OvixaAuth client for authenticating with the Ovixa Auth service.\n *\n * @example\n * ```typescript\n * const auth = new OvixaAuth({\n *   authUrl: 'https://auth.ovixa.io',\n *   realmId: 'your-realm-id',\n *   clientSecret: 'your-client-secret', // Optional, for server-side use\n * });\n *\n * // Verify a token\n * const result = await auth.verifyToken(accessToken);\n * console.log(result.payload.email);\n *\n * // Refresh tokens\n * const tokens = await auth.refreshToken(refreshToken);\n * ```\n */\nexport class OvixaAuth {\n  private config: InternalConfig;\n  private jwksCache: JWKSCache | null = null;\n\n  constructor(config: AuthClientConfig) {\n    // Normalize authUrl by removing trailing slash\n    const authUrl = config.authUrl.replace(/\\/$/, '');\n\n    this.config = {\n      authUrl,\n      realmId: config.realmId,\n      clientSecret: config.clientSecret,\n      jwksCacheTtl: config.jwksCacheTtl ?? DEFAULT_JWKS_CACHE_TTL,\n    };\n  }\n\n  /** Get the configured auth URL */\n  get authUrl(): string {\n    return this.config.authUrl;\n  }\n\n  /** Get the configured realm ID */\n  get realmId(): string {\n    return this.config.realmId;\n  }\n\n  /**\n   * Get the JWKS URL for the auth service.\n   */\n  get jwksUrl(): string {\n    return `${this.config.authUrl}/.well-known/jwks.json`;\n  }\n\n  /**\n   * Get the JWKS fetcher, creating a new one if necessary.\n   * The fetcher is cached based on the configured TTL.\n   */\n  private getJwksFetcher(): JWKSFetcher {\n    const now = Date.now();\n\n    // Return cached fetcher if still valid\n    if (this.jwksCache && now - this.jwksCache.createdAt < this.config.jwksCacheTtl) {\n      return this.jwksCache.fetcher;\n    }\n\n    // Create new JWKS fetcher\n    const jwksUrl = new URL(this.jwksUrl);\n    const fetcher = createRemoteJWKSet(jwksUrl, {\n      // jose library has its own internal caching, but we add our own TTL layer\n      // to control when to refresh the JWKS set\n      cacheMaxAge: this.config.jwksCacheTtl,\n    });\n\n    this.jwksCache = {\n      fetcher,\n      createdAt: now,\n    };\n\n    return fetcher;\n  }\n\n  /**\n   * Verify an access token and return the decoded payload.\n   *\n   * This method fetches the public key from the JWKS endpoint (with caching)\n   * and verifies the token's signature and claims.\n   *\n   * @param token - The access token (JWT) to verify\n   * @returns The verified token payload and header\n   * @throws {OvixaAuthError} If verification fails\n   *\n   * @example\n   * ```typescript\n   * try {\n   *   const result = await auth.verifyToken(accessToken);\n   *   console.log('User ID:', result.payload.sub);\n   *   console.log('Email:', result.payload.email);\n   * } catch (error) {\n   *   if (error instanceof OvixaAuthError) {\n   *     console.error('Token verification failed:', error.code);\n   *   }\n   * }\n   * ```\n   */\n  async verifyToken(token: string): Promise<VerifyResult> {\n    try {\n      const jwks = this.getJwksFetcher();\n\n      const result: JWTVerifyResult<AccessTokenPayload> = await jwtVerify(token, jwks, {\n        algorithms: ['RS256'],\n        issuer: this.config.authUrl,\n        // Audience is the realm for this application\n        audience: this.config.realmId,\n      });\n\n      // Validate required claims\n      const payload = result.payload;\n      if (!payload.sub || !payload.email || payload.email_verified === undefined) {\n        throw new OvixaAuthError('Token is missing required claims', 'INVALID_CLAIMS');\n      }\n\n      return {\n        payload: payload as AccessTokenPayload,\n        protectedHeader: result.protectedHeader,\n      };\n    } catch (error) {\n      if (error instanceof OvixaAuthError) {\n        throw error;\n      }\n\n      // Handle jose library errors\n      if (error instanceof Error) {\n        const message = error.message;\n\n        if (message.includes('expired')) {\n          throw new OvixaAuthError('Token has expired', 'TOKEN_EXPIRED');\n        }\n        if (message.includes('signature')) {\n          throw new OvixaAuthError('Invalid token signature', 'INVALID_SIGNATURE');\n        }\n        if (message.includes('issuer')) {\n          throw new OvixaAuthError('Invalid token issuer', 'INVALID_ISSUER');\n        }\n        if (message.includes('audience')) {\n          throw new OvixaAuthError('Invalid token audience', 'INVALID_AUDIENCE');\n        }\n        if (message.includes('malformed')) {\n          throw new OvixaAuthError('Malformed token', 'MALFORMED_TOKEN');\n        }\n\n        throw new OvixaAuthError(`Token verification failed: ${message}`, 'VERIFICATION_FAILED');\n      }\n\n      throw new OvixaAuthError('Token verification failed', 'VERIFICATION_FAILED');\n    }\n  }\n\n  /**\n   * Refresh an access token using a refresh token.\n   *\n   * This method exchanges a valid refresh token for a new access token\n   * and a new refresh token (token rotation).\n   *\n   * @param refreshToken - The refresh token to exchange\n   * @returns New token response with access and refresh tokens\n   * @throws {OvixaAuthError} If the refresh fails\n   *\n   * @example\n   * ```typescript\n   * try {\n   *   const tokens = await auth.refreshToken(currentRefreshToken);\n   *   // Store the new tokens\n   *   saveTokens(tokens.access_token, tokens.refresh_token);\n   * } catch (error) {\n   *   if (error instanceof OvixaAuthError) {\n   *     // Refresh token is invalid or expired - user must re-authenticate\n   *     redirectToLogin();\n   *   }\n   * }\n   * ```\n   */\n  async refreshToken(refreshToken: string): Promise<TokenResponse> {\n    const url = `${this.config.authUrl}/token/refresh`;\n\n    try {\n      const response = await fetch(url, {\n        method: 'POST',\n        headers: {\n          'Content-Type': 'application/json',\n        },\n        body: JSON.stringify({\n          refresh_token: refreshToken,\n        }),\n      });\n\n      if (!response.ok) {\n        const errorBody = await response.json().catch(() => ({}));\n        const errorMessage = (errorBody as { error?: string }).error || 'Token refresh failed';\n        const errorCode = this.mapHttpStatusToErrorCode(response.status);\n\n        throw new OvixaAuthError(errorMessage, errorCode, response.status);\n      }\n\n      const data = (await response.json()) as TokenResponse;\n      return data;\n    } catch (error) {\n      if (error instanceof OvixaAuthError) {\n        throw error;\n      }\n\n      if (error instanceof Error) {\n        throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n      }\n\n      throw new OvixaAuthError('Token refresh failed', 'REFRESH_FAILED');\n    }\n  }\n\n  /**\n   * Invalidate the cached JWKS fetcher.\n   * Call this if you need to force a refresh of the public keys.\n   */\n  clearJwksCache(): void {\n    this.jwksCache = null;\n  }\n\n  /**\n   * Create a new user account.\n   *\n   * After signup, a verification email is sent. The user must verify their\n   * email before they can log in.\n   *\n   * @param options - Signup options\n   * @returns Signup response indicating success\n   * @throws {OvixaAuthError} If signup fails\n   *\n   * @example\n   * ```typescript\n   * try {\n   *   await auth.signup({\n   *     email: 'user@example.com',\n   *     password: 'SecurePassword123!',\n   *     redirectUri: 'https://myapp.com/verify-callback',\n   *   });\n   *   console.log('Verification email sent!');\n   * } catch (error) {\n   *   if (error instanceof OvixaAuthError) {\n   *     if (error.code === 'EMAIL_ALREADY_EXISTS') {\n   *       console.error('Email is already registered');\n   *     }\n   *   }\n   * }\n   * ```\n   */\n  async signup(options: SignupOptions): Promise<SignupResponse> {\n    const url = `${this.config.authUrl}/signup`;\n\n    const body: Record<string, string> = {\n      email: options.email,\n      password: options.password,\n      realm_id: this.config.realmId,\n    };\n\n    if (options.redirectUri) {\n      body.redirect_uri = options.redirectUri;\n    }\n\n    return this.makeRequest<SignupResponse>(url, body);\n  }\n\n  /**\n   * Authenticate a user with email and password.\n   *\n   * @param options - Login options\n   * @returns Token response with access and refresh tokens\n   * @throws {OvixaAuthError} If login fails\n   *\n   * @example\n   * ```typescript\n   * try {\n   *   const tokens = await auth.login({\n   *     email: 'user@example.com',\n   *     password: 'SecurePassword123!',\n   *   });\n   *   console.log('Logged in!', tokens.access_token);\n   * } catch (error) {\n   *   if (error instanceof OvixaAuthError) {\n   *     if (error.code === 'EMAIL_NOT_VERIFIED') {\n   *       console.error('Please verify your email first');\n   *     } else if (error.code === 'INVALID_CREDENTIALS') {\n   *       console.error('Invalid email or password');\n   *     }\n   *   }\n   * }\n   * ```\n   */\n  async login(options: LoginOptions): Promise<TokenResponse> {\n    const url = `${this.config.authUrl}/login`;\n\n    const body = {\n      email: options.email,\n      password: options.password,\n      realm_id: this.config.realmId,\n    };\n\n    return this.makeRequest<TokenResponse>(url, body);\n  }\n\n  /**\n   * Verify an email address using a verification token.\n   *\n   * This is the API flow that returns tokens. For browser redirect flow,\n   * use `GET /verify` directly.\n   *\n   * @param options - Verification options\n   * @returns Token response with access and refresh tokens\n   * @throws {OvixaAuthError} If verification fails\n   *\n   * @example\n   * ```typescript\n   * // Get token from URL query params after clicking email link\n   * const token = new URLSearchParams(window.location.search).get('token');\n   *\n   * try {\n   *   const tokens = await auth.verifyEmail({ token });\n   *   console.log('Email verified! Logged in.');\n   * } catch (error) {\n   *   if (error instanceof OvixaAuthError && error.code === 'INVALID_TOKEN') {\n   *     console.error('Invalid or expired verification link');\n   *   }\n   * }\n   * ```\n   */\n  async verifyEmail(options: VerifyEmailOptions): Promise<TokenResponse> {\n    const url = `${this.config.authUrl}/verify`;\n\n    const body = {\n      token: options.token,\n      realm_id: this.config.realmId,\n      type: 'email_verification',\n    };\n\n    return this.makeRequest<TokenResponse>(url, body);\n  }\n\n  /**\n   * Resend a verification email for an unverified account.\n   *\n   * @param options - Resend options\n   * @returns Success response\n   * @throws {OvixaAuthError} If request fails\n   *\n   * @example\n   * ```typescript\n   * await auth.resendVerification({\n   *   email: 'user@example.com',\n   *   redirectUri: 'https://myapp.com/verify-callback',\n   * });\n   * console.log('Verification email sent!');\n   * ```\n   */\n  async resendVerification(options: ResendVerificationOptions): Promise<SuccessResponse> {\n    const url = `${this.config.authUrl}/verify/resend`;\n\n    const body: Record<string, string> = {\n      email: options.email,\n      realm_id: this.config.realmId,\n    };\n\n    if (options.redirectUri) {\n      body.redirect_uri = options.redirectUri;\n    }\n\n    return this.makeRequest<SuccessResponse>(url, body);\n  }\n\n  /**\n   * Request a password reset email.\n   *\n   * Note: This endpoint always returns success to prevent email enumeration.\n   *\n   * @param options - Forgot password options\n   * @returns Success response\n   * @throws {OvixaAuthError} If request fails\n   *\n   * @example\n   * ```typescript\n   * await auth.forgotPassword({\n   *   email: 'user@example.com',\n   *   redirectUri: 'https://myapp.com/reset-password',\n   * });\n   * console.log('If the email exists, a reset link has been sent.');\n   * ```\n   */\n  async forgotPassword(options: ForgotPasswordOptions): Promise<SuccessResponse> {\n    const url = `${this.config.authUrl}/forgot-password`;\n\n    const body: Record<string, string> = {\n      email: options.email,\n      realm_id: this.config.realmId,\n    };\n\n    if (options.redirectUri) {\n      body.redirect_uri = options.redirectUri;\n    }\n\n    return this.makeRequest<SuccessResponse>(url, body);\n  }\n\n  /**\n   * Reset password using a reset token.\n   *\n   * @param options - Reset password options\n   * @returns Success response\n   * @throws {OvixaAuthError} If reset fails\n   *\n   * @example\n   * ```typescript\n   * // Get token from URL query params\n   * const token = new URLSearchParams(window.location.search).get('token');\n   *\n   * try {\n   *   await auth.resetPassword({\n   *     token,\n   *     password: 'NewSecurePassword123!',\n   *   });\n   *   console.log('Password reset successfully!');\n   * } catch (error) {\n   *   if (error instanceof OvixaAuthError) {\n   *     if (error.code === 'INVALID_TOKEN') {\n   *       console.error('Invalid or expired reset link');\n   *     } else if (error.code === 'WEAK_PASSWORD') {\n   *       console.error('Password does not meet requirements');\n   *     }\n   *   }\n   * }\n   * ```\n   */\n  async resetPassword(options: ResetPasswordOptions): Promise<SuccessResponse> {\n    const url = `${this.config.authUrl}/reset-password`;\n\n    const body = {\n      token: options.token,\n      password: options.password,\n      realm_id: this.config.realmId,\n    };\n\n    return this.makeRequest<SuccessResponse>(url, body);\n  }\n\n  /**\n   * Revoke a refresh token (logout).\n   *\n   * @param refreshToken - The refresh token to revoke\n   * @returns Success response\n   * @throws {OvixaAuthError} If logout fails\n   *\n   * @example\n   * ```typescript\n   * await auth.logout(currentRefreshToken);\n   * // Clear local token storage\n   * localStorage.removeItem('refresh_token');\n   * localStorage.removeItem('access_token');\n   * ```\n   */\n  async logout(refreshToken: string): Promise<SuccessResponse> {\n    const url = `${this.config.authUrl}/logout`;\n\n    const body = {\n      refresh_token: refreshToken,\n    };\n\n    return this.makeRequest<SuccessResponse>(url, body);\n  }\n\n  /**\n   * Generate an OAuth authorization URL.\n   *\n   * Redirect the user to this URL to start the OAuth flow. After authentication,\n   * the user will be redirected back to your `redirectUri` with tokens.\n   *\n   * @param options - OAuth URL options\n   * @returns The full OAuth authorization URL\n   *\n   * @example\n   * ```typescript\n   * const googleAuthUrl = auth.getOAuthUrl({\n   *   provider: 'google',\n   *   redirectUri: 'https://myapp.com/auth/callback',\n   * });\n   *\n   * // Redirect user to start OAuth flow\n   * window.location.href = googleAuthUrl;\n   * ```\n   */\n  getOAuthUrl(options: GetOAuthUrlOptions): string {\n    const url = new URL(`${this.config.authUrl}/oauth/${options.provider}`);\n    url.searchParams.set('realm_id', this.config.realmId);\n    url.searchParams.set('redirect_uri', options.redirectUri);\n    return url.toString();\n  }\n\n  /**\n   * Transform a token response into an AuthResult with user and session data.\n   *\n   * This method decodes the access token to extract user information and\n   * creates a structured result object.\n   *\n   * @param tokenResponse - The token response from login, verify, or refresh\n   * @returns AuthResult with user and session data\n   * @throws {OvixaAuthError} If the access token cannot be decoded\n   *\n   * @example\n   * ```typescript\n   * const tokens = await auth.login({ email, password });\n   * const result = await auth.toAuthResult(tokens);\n   *\n   * console.log('User ID:', result.user.id);\n   * console.log('Email:', result.user.email);\n   * console.log('Expires at:', result.session.expiresAt);\n   * ```\n   */\n  async toAuthResult(tokenResponse: TokenResponse): Promise<AuthResult> {\n    // Verify and decode the access token\n    const verified = await this.verifyToken(tokenResponse.access_token);\n\n    const user: User = {\n      id: verified.payload.sub,\n      email: verified.payload.email,\n      emailVerified: verified.payload.email_verified,\n    };\n\n    const session: Session = {\n      accessToken: tokenResponse.access_token,\n      refreshToken: tokenResponse.refresh_token,\n      expiresAt: new Date(Date.now() + tokenResponse.expires_in * 1000),\n    };\n\n    const result: AuthResult = { user, session };\n\n    if (tokenResponse.is_new_user !== undefined) {\n      result.isNewUser = tokenResponse.is_new_user;\n    }\n\n    return result;\n  }\n\n  /**\n   * Make an authenticated POST request to the auth service.\n   */\n  private async makeRequest<T>(url: string, body: Record<string, unknown>): Promise<T> {\n    try {\n      const response = await fetch(url, {\n        method: 'POST',\n        headers: {\n          'Content-Type': 'application/json',\n        },\n        body: JSON.stringify(body),\n      });\n\n      if (!response.ok) {\n        const errorBody = await response.json().catch(() => ({}));\n        const errorData = errorBody as { error?: { code?: string; message?: string } | string };\n\n        let errorCode: string;\n        let errorMessage: string;\n\n        if (typeof errorData.error === 'object' && errorData.error) {\n          errorCode = errorData.error.code || this.mapHttpStatusToErrorCode(response.status);\n          errorMessage = errorData.error.message || 'Request failed';\n        } else {\n          errorCode = this.mapHttpStatusToErrorCode(response.status);\n          errorMessage = typeof errorData.error === 'string' ? errorData.error : 'Request failed';\n        }\n\n        throw new OvixaAuthError(errorMessage, errorCode, response.status);\n      }\n\n      return (await response.json()) as T;\n    } catch (error) {\n      if (error instanceof OvixaAuthError) {\n        throw error;\n      }\n\n      if (error instanceof Error) {\n        throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n      }\n\n      throw new OvixaAuthError('Request failed', 'REQUEST_FAILED');\n    }\n  }\n\n  /**\n   * Map HTTP status codes to error codes.\n   */\n  private mapHttpStatusToErrorCode(status: number): string {\n    switch (status) {\n      case 400:\n        return 'BAD_REQUEST';\n      case 401:\n        return 'UNAUTHORIZED';\n      case 403:\n        return 'FORBIDDEN';\n      case 404:\n        return 'NOT_FOUND';\n      case 429:\n        return 'RATE_LIMITED';\n      case 500:\n      case 502:\n      case 503:\n        return 'SERVER_ERROR';\n      default:\n        return 'UNKNOWN_ERROR';\n    }\n  }\n}\n"],"mappings":";AAOA;AAAA,EACE;AAAA,EACA;AAAA,OAIK;AAoMA,IAAM,iBAAN,cAA6B,MAAM;AAAA,EACxC,YACE,SACgB,MACA,YAChB;AACA,UAAM,OAAO;AAHG;AACA;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAUA,IAAM,yBAAyB,KAAK,KAAK;AAgClC,IAAM,YAAN,MAAgB;AAAA,EACb;AAAA,EACA,YAA8B;AAAA,EAEtC,YAAY,QAA0B;AAEpC,UAAM,UAAU,OAAO,QAAQ,QAAQ,OAAO,EAAE;AAEhD,SAAK,SAAS;AAAA,MACZ;AAAA,MACA,SAAS,OAAO;AAAA,MAChB,cAAc,OAAO;AAAA,MACrB,cAAc,OAAO,gBAAgB;AAAA,IACvC;AAAA,EACF;AAAA;AAAA,EAGA,IAAI,UAAkB;AACpB,WAAO,KAAK,OAAO;AAAA,EACrB;AAAA;AAAA,EAGA,IAAI,UAAkB;AACpB,WAAO,KAAK,OAAO;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,UAAkB;AACpB,WAAO,GAAG,KAAK,OAAO,OAAO;AAAA,EAC/B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,iBAA8B;AACpC,UAAM,MAAM,KAAK,IAAI;AAGrB,QAAI,KAAK,aAAa,MAAM,KAAK,UAAU,YAAY,KAAK,OAAO,cAAc;AAC/E,aAAO,KAAK,UAAU;AAAA,IACxB;AAGA,UAAM,UAAU,IAAI,IAAI,KAAK,OAAO;AACpC,UAAM,UAAU,mBAAmB,SAAS;AAAA;AAAA;AAAA,MAG1C,aAAa,KAAK,OAAO;AAAA,IAC3B,CAAC;AAED,SAAK,YAAY;AAAA,MACf;AAAA,MACA,WAAW;AAAA,IACb;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAyBA,MAAM,YAAY,OAAsC;AACtD,QAAI;AACF,YAAM,OAAO,KAAK,eAAe;AAEjC,YAAM,SAA8C,MAAM,UAAU,OAAO,MAAM;AAAA,QAC/E,YAAY,CAAC,OAAO;AAAA,QACpB,QAAQ,KAAK,OAAO;AAAA;AAAA,QAEpB,UAAU,KAAK,OAAO;AAAA,MACxB,CAAC;AAGD,YAAM,UAAU,OAAO;AACvB,UAAI,CAAC,QAAQ,OAAO,CAAC,QAAQ,SAAS,QAAQ,mBAAmB,QAAW;AAC1E,cAAM,IAAI,eAAe,oCAAoC,gBAAgB;AAAA,MAC/E;AAEA,aAAO;AAAA,QACL;AAAA,QACA,iBAAiB,OAAO;AAAA,MAC1B;AAAA,IACF,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AAGA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,UAAU,MAAM;AAEtB,YAAI,QAAQ,SAAS,SAAS,GAAG;AAC/B,gBAAM,IAAI,eAAe,qBAAqB,eAAe;AAAA,QAC/D;AACA,YAAI,QAAQ,SAAS,WAAW,GAAG;AACjC,gBAAM,IAAI,eAAe,2BAA2B,mBAAmB;AAAA,QACzE;AACA,YAAI,QAAQ,SAAS,QAAQ,GAAG;AAC9B,gBAAM,IAAI,eAAe,wBAAwB,gBAAgB;AAAA,QACnE;AACA,YAAI,QAAQ,SAAS,UAAU,GAAG;AAChC,gBAAM,IAAI,eAAe,0BAA0B,kBAAkB;AAAA,QACvE;AACA,YAAI,QAAQ,SAAS,WAAW,GAAG;AACjC,gBAAM,IAAI,eAAe,mBAAmB,iBAAiB;AAAA,QAC/D;AAEA,cAAM,IAAI,eAAe,8BAA8B,OAAO,IAAI,qBAAqB;AAAA,MACzF;AAEA,YAAM,IAAI,eAAe,6BAA6B,qBAAqB;AAAA,IAC7E;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA0BA,MAAM,aAAa,cAA8C;AAC/D,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,QAClB;AAAA,QACA,MAAM,KAAK,UAAU;AAAA,UACnB,eAAe;AAAA,QACjB,CAAC;AAAA,MACH,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,YAAY,MAAM,SAAS,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACxD,cAAM,eAAgB,UAAiC,SAAS;AAChE,cAAM,YAAY,KAAK,yBAAyB,SAAS,MAAM;AAE/D,cAAM,IAAI,eAAe,cAAc,WAAW,SAAS,MAAM;AAAA,MACnE;AAEA,YAAM,OAAQ,MAAM,SAAS,KAAK;AAClC,aAAO;AAAA,IACT,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AAEA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AAEA,YAAM,IAAI,eAAe,wBAAwB,gBAAgB;AAAA,IACnE;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,iBAAuB;AACrB,SAAK,YAAY;AAAA,EACnB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA8BA,MAAM,OAAO,SAAiD;AAC5D,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAA+B;AAAA,MACnC,OAAO,QAAQ;AAAA,MACf,UAAU,QAAQ;AAAA,MAClB,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,QAAI,QAAQ,aAAa;AACvB,WAAK,eAAe,QAAQ;AAAA,IAC9B;AAEA,WAAO,KAAK,YAA4B,KAAK,IAAI;AAAA,EACnD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA4BA,MAAM,MAAM,SAA+C;AACzD,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX,OAAO,QAAQ;AAAA,MACf,UAAU,QAAQ;AAAA,MAClB,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,WAAO,KAAK,YAA2B,KAAK,IAAI;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA2BA,MAAM,YAAY,SAAqD;AACrE,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX,OAAO,QAAQ;AAAA,MACf,UAAU,KAAK,OAAO;AAAA,MACtB,MAAM;AAAA,IACR;AAEA,WAAO,KAAK,YAA2B,KAAK,IAAI;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAkBA,MAAM,mBAAmB,SAA8D;AACrF,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAA+B;AAAA,MACnC,OAAO,QAAQ;AAAA,MACf,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,QAAI,QAAQ,aAAa;AACvB,WAAK,eAAe,QAAQ;AAAA,IAC9B;AAEA,WAAO,KAAK,YAA6B,KAAK,IAAI;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAoBA,MAAM,eAAe,SAA0D;AAC7E,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAA+B;AAAA,MACnC,OAAO,QAAQ;AAAA,MACf,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,QAAI,QAAQ,aAAa;AACvB,WAAK,eAAe,QAAQ;AAAA,IAC9B;AAEA,WAAO,KAAK,YAA6B,KAAK,IAAI;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA+BA,MAAM,cAAc,SAAyD;AAC3E,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX,OAAO,QAAQ;AAAA,MACf,UAAU,QAAQ;AAAA,MAClB,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,WAAO,KAAK,YAA6B,KAAK,IAAI;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiBA,MAAM,OAAO,cAAgD;AAC3D,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX,eAAe;AAAA,IACjB;AAEA,WAAO,KAAK,YAA6B,KAAK,IAAI;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAsBA,YAAY,SAAqC;AAC/C,UAAM,MAAM,IAAI,IAAI,GAAG,KAAK,OAAO,OAAO,UAAU,QAAQ,QAAQ,EAAE;AACtE,QAAI,aAAa,IAAI,YAAY,KAAK,OAAO,OAAO;AACpD,QAAI,aAAa,IAAI,gBAAgB,QAAQ,WAAW;AACxD,WAAO,IAAI,SAAS;AAAA,EACtB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAsBA,MAAM,aAAa,eAAmD;AAEpE,UAAM,WAAW,MAAM,KAAK,YAAY,cAAc,YAAY;AAElE,UAAM,OAAa;AAAA,MACjB,IAAI,SAAS,QAAQ;AAAA,MACrB,OAAO,SAAS,QAAQ;AAAA,MACxB,eAAe,SAAS,QAAQ;AAAA,IAClC;AAEA,UAAM,UAAmB;AAAA,MACvB,aAAa,cAAc;AAAA,MAC3B,cAAc,cAAc;AAAA,MAC5B,WAAW,IAAI,KAAK,KAAK,IAAI,IAAI,cAAc,aAAa,GAAI;AAAA,IAClE;AAEA,UAAM,SAAqB,EAAE,MAAM,QAAQ;AAE3C,QAAI,cAAc,gBAAgB,QAAW;AAC3C,aAAO,YAAY,cAAc;AAAA,IACnC;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,YAAe,KAAa,MAA2C;AACnF,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,QAClB;AAAA,QACA,MAAM,KAAK,UAAU,IAAI;AAAA,MAC3B,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,YAAY,MAAM,SAAS,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACxD,cAAM,YAAY;AAElB,YAAI;AACJ,YAAI;AAEJ,YAAI,OAAO,UAAU,UAAU,YAAY,UAAU,OAAO;AAC1D,sBAAY,UAAU,MAAM,QAAQ,KAAK,yBAAyB,SAAS,MAAM;AACjF,yBAAe,UAAU,MAAM,WAAW;AAAA,QAC5C,OAAO;AACL,sBAAY,KAAK,yBAAyB,SAAS,MAAM;AACzD,yBAAe,OAAO,UAAU,UAAU,WAAW,UAAU,QAAQ;AAAA,QACzE;AAEA,cAAM,IAAI,eAAe,cAAc,WAAW,SAAS,MAAM;AAAA,MACnE;AAEA,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AAEA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AAEA,YAAM,IAAI,eAAe,kBAAkB,gBAAgB;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,yBAAyB,QAAwB;AACvD,YAAQ,QAAQ;AAAA,MACd,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AACH,eAAO;AAAA,MACT;AACE,eAAO;AAAA,IACX;AAAA,EACF;AACF;","names":[]}