@ovixa/auth-client 0.2.0 → 0.3.0

package/dist/chunk-5QEKSWV4.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts"],"sourcesContent":["/**\n * @ovixa/auth-client\n *\n * Client SDK for Ovixa Auth service.\n * Provides authentication, token verification, and session management.\n */\n\nimport {\n  createRemoteJWKSet,\n  jwtVerify,\n  type JWTPayload,\n  type JWTVerifyResult,\n  type JWTHeaderParameters,\n} from 'jose';\n\n/**\n * Configuration options for the OvixaAuth client.\n */\nexport interface AuthClientConfig {\n  /** The base URL of the Ovixa Auth service */\n  authUrl: string;\n  /** The realm ID to authenticate against */\n  realmId: string;\n  /** Your application's client secret (for server-side use only) */\n  clientSecret?: string;\n  /** Cache duration for JWKS in milliseconds (defaults to 1 hour) */\n  jwksCacheTtl?: number;\n}\n\n/**\n * JWT claims for an Ovixa access token.\n */\nexport interface AccessTokenPayload extends JWTPayload {\n  /** Subject (user ID) */\n  sub: string;\n  /** User's email address */\n  email: string;\n  /** Whether the user's email has been verified */\n  email_verified: boolean;\n  /** Issued at timestamp */\n  iat: number;\n  /** Expiration timestamp */\n  exp: number;\n  /** Issuer */\n  iss: string;\n  /** Audience (realm ID) */\n  aud: string;\n}\n\n/**\n * Result of a successful token verification.\n */\nexport interface VerifyResult {\n  /** The decoded token payload */\n  payload: AccessTokenPayload;\n  /** The protected header */\n  protectedHeader: JWTHeaderParameters;\n}\n\n/**\n * Token response from the auth service.\n */\nexport interface TokenResponse {\n  /** The access token (JWT) */\n  access_token: string;\n  /** The refresh token (JWT) */\n  refresh_token: string;\n  /** Token type (always \"Bearer\") */\n  token_type: 'Bearer';\n  /** Access token expiration time in seconds */\n  expires_in: number;\n  /** Whether this is a new user (only present in OAuth callback) */\n  is_new_user?: boolean;\n}\n\n/**\n * User information extracted from token payload.\n */\nexport interface User {\n  /** User ID (UUID) */\n  id: string;\n  /** User's email address */\n  email: string;\n  /** Whether the email has been verified */\n  emailVerified: boolean;\n}\n\n/**\n * Session information containing tokens and expiry.\n */\nexport interface Session {\n  /** The access token (JWT) */\n  accessToken: string;\n  /** The refresh token for obtaining new access tokens */\n  refreshToken: string;\n  /** When the access token expires */\n  expiresAt: Date;\n}\n\n/**\n * Combined authentication result with user and session data.\n */\nexport interface AuthResult {\n  /** The authenticated user */\n  user: User;\n  /** The session tokens */\n  session: Session;\n  /** Whether this is a new user (only set for OAuth flows) */\n  isNewUser?: boolean;\n}\n\n/**\n * Options for signup.\n */\nexport interface SignupOptions {\n  /** User's email address */\n  email: string;\n  /** Password meeting requirements */\n  password: string;\n  /** Optional redirect URI after email verification */\n  redirectUri?: string;\n}\n\n/**\n * Response from signup endpoint.\n */\nexport interface SignupResponse {\n  /** Whether the operation succeeded */\n  success: boolean;\n  /** Status message */\n  message: string;\n}\n\n/**\n * Options for login.\n */\nexport interface LoginOptions {\n  /** User's email address */\n  email: string;\n  /** User's password */\n  password: string;\n}\n\n/**\n * Options for email verification.\n */\nexport interface VerifyEmailOptions {\n  /** Verification token from email */\n  token: string;\n}\n\n/**\n * Options for resending verification email.\n */\nexport interface ResendVerificationOptions {\n  /** User's email address */\n  email: string;\n  /** Optional redirect URI after verification */\n  redirectUri?: string;\n}\n\n/**\n * Generic success response.\n */\nexport interface SuccessResponse {\n  /** Whether the operation succeeded */\n  success: boolean;\n  /** Optional status message */\n  message?: string;\n}\n\n/**\n * Options for forgot password request.\n */\nexport interface ForgotPasswordOptions {\n  /** User's email address */\n  email: string;\n  /** Optional redirect URI for password reset page */\n  redirectUri?: string;\n}\n\n/**\n * Options for password reset.\n */\nexport interface ResetPasswordOptions {\n  /** Reset token from email */\n  token: string;\n  /** New password */\n  password: string;\n}\n\n/**\n * Supported OAuth providers.\n */\nexport type OAuthProvider = 'google' | 'github';\n\n// ============================================================\n// WebAuthn / Passkey Types\n// ============================================================\n\n/**\n * Options for getting passkey registration options.\n */\nexport interface GetPasskeyRegistrationOptionsOptions {\n  /** Access token (user must be logged in to register a passkey) */\n  accessToken: string;\n}\n\n/**\n * Registration options returned from the server.\n * These are passed directly to navigator.credentials.create().\n */\nexport interface PasskeyRegistrationOptions {\n  challenge: string;\n  rp: { id: string; name: string };\n  user: { id: string; name: string; displayName: string };\n  pubKeyCredParams: { type: 'public-key'; alg: number }[];\n  excludeCredentials: { id: string; type: 'public-key'; transports?: string[] }[];\n  authenticatorSelection: {\n    authenticatorAttachment?: 'platform' | 'cross-platform';\n    residentKey: 'discouraged' | 'preferred' | 'required';\n    userVerification: 'discouraged' | 'preferred' | 'required';\n  };\n  timeout: number;\n  attestation: 'none';\n}\n\n/**\n * Options for verifying passkey registration.\n */\nexport interface VerifyPasskeyRegistrationOptions {\n  /** Access token (user must be logged in) */\n  accessToken: string;\n  /** The registration response from navigator.credentials.create() */\n  registration: {\n    id: string;\n    rawId: string;\n    type: 'public-key';\n    response: {\n      clientDataJSON: string;\n      attestationObject: string;\n      authenticatorData?: string;\n      transports?: string[];\n      publicKeyAlgorithm?: number;\n      publicKey?: string;\n    };\n    authenticatorAttachment?: 'platform' | 'cross-platform';\n    clientExtensionResults?: Record<string, unknown>;\n  };\n  /** Optional friendly name for the passkey */\n  deviceName?: string;\n}\n\n/**\n * Response from passkey registration verification.\n */\nexport interface PasskeyRegistrationResponse {\n  success: boolean;\n  credential_id: string;\n  device_name?: string;\n}\n\n/**\n * Options for getting passkey authentication options.\n */\nexport interface GetPasskeyAuthenticationOptionsOptions {\n  /** Optional email for allowCredentials hint (for non-discoverable credentials) */\n  email?: string;\n}\n\n/**\n * Authentication options returned from the server.\n * These are passed directly to navigator.credentials.get().\n */\nexport interface PasskeyAuthenticationOptions {\n  challenge: string;\n  rpId: string;\n  allowCredentials: { id: string; type: 'public-key'; transports?: string[] }[];\n  userVerification: 'discouraged' | 'preferred' | 'required';\n  timeout: number;\n}\n\n/**\n * Options for verifying passkey authentication.\n */\nexport interface VerifyPasskeyAuthenticationOptions {\n  /** The authentication response from navigator.credentials.get() */\n  authentication: {\n    id: string;\n    rawId: string;\n    type: 'public-key';\n    response: {\n      clientDataJSON: string;\n      authenticatorData: string;\n      signature: string;\n      userHandle?: string | null;\n    };\n    authenticatorAttachment?: 'platform' | 'cross-platform';\n    clientExtensionResults?: Record<string, unknown>;\n  };\n}\n\n/**\n * Options for listing passkeys.\n */\nexport interface ListPasskeysOptions {\n  /** Access token (user must be logged in) */\n  accessToken: string;\n}\n\n/**\n * Passkey information returned from listPasskeys.\n */\nexport interface Passkey {\n  /** The credential ID (base64url-encoded) */\n  credential_id: string;\n  /** Optional friendly name for the passkey */\n  device_name: string | null;\n  /** When the passkey was registered */\n  created_at: string;\n  /** When the passkey was last used */\n  last_used_at: string | null;\n}\n\n/**\n * Response from listPasskeys.\n */\nexport interface ListPasskeysResponse {\n  /** Array of passkeys */\n  passkeys: Passkey[];\n}\n\n/**\n * Options for deleting a passkey.\n */\nexport interface DeletePasskeyOptions {\n  /** Access token (user must be logged in) */\n  accessToken: string;\n  /** The credential ID to delete */\n  credentialId: string;\n}\n\n/**\n * Options for generating OAuth URL.\n */\nexport interface GetOAuthUrlOptions {\n  /** OAuth provider */\n  provider: OAuthProvider;\n  /** Redirect URI after OAuth completes */\n  redirectUri: string;\n}\n\n/**\n * Options for deleting a user (admin operation).\n */\nexport interface DeleteUserOptions {\n  /** The ID of the user to delete */\n  userId: string;\n}\n\n/**\n * Options for deleting the current user's own account.\n */\nexport interface DeleteMyAccountOptions {\n  /** The user's current access token */\n  accessToken: string;\n  /** The user's current password (for re-authentication) */\n  password: string;\n}\n\n/**\n * Error thrown by OvixaAuth operations.\n */\nexport class OvixaAuthError extends Error {\n  constructor(\n    message: string,\n    public readonly code: string,\n    public readonly statusCode?: number\n  ) {\n    super(message);\n    this.name = 'OvixaAuthError';\n  }\n}\n\ninterface InternalConfig {\n  authUrl: string;\n  realmId: string;\n  clientSecret?: string;\n  jwksCacheTtl: number;\n}\n\n/** Default JWKS cache TTL: 1 hour */\nconst DEFAULT_JWKS_CACHE_TTL = 60 * 60 * 1000;\n\n/**\n * Custom fetch function that adds cache headers for JWKS requests.\n * Used to implement client-side caching behavior.\n */\ntype JWKSFetcher = ReturnType<typeof createRemoteJWKSet>;\n\ninterface JWKSCache {\n  fetcher: JWKSFetcher;\n  createdAt: number;\n}\n\n/**\n * OvixaAuth client for authenticating with the Ovixa Auth service.\n *\n * @example\n * ```typescript\n * const auth = new OvixaAuth({\n *   authUrl: 'https://auth.ovixa.io',\n *   realmId: 'your-realm-id',\n *   clientSecret: 'your-client-secret', // Optional, for server-side use\n * });\n *\n * // Verify a token\n * const result = await auth.verifyToken(accessToken);\n * console.log(result.payload.email);\n *\n * // Refresh tokens\n * const tokens = await auth.refreshToken(refreshToken);\n * ```\n */\nexport class OvixaAuth {\n  private config: InternalConfig;\n  private jwksCache: JWKSCache | null = null;\n\n  constructor(config: AuthClientConfig) {\n    // Normalize authUrl by removing trailing slash\n    const authUrl = config.authUrl.replace(/\\/$/, '');\n\n    this.config = {\n      authUrl,\n      realmId: config.realmId,\n      clientSecret: config.clientSecret,\n      jwksCacheTtl: config.jwksCacheTtl ?? DEFAULT_JWKS_CACHE_TTL,\n    };\n  }\n\n  /** Get the configured auth URL */\n  get authUrl(): string {\n    return this.config.authUrl;\n  }\n\n  /** Get the configured realm ID */\n  get realmId(): string {\n    return this.config.realmId;\n  }\n\n  /**\n   * Get the JWKS URL for the auth service.\n   */\n  get jwksUrl(): string {\n    return `${this.config.authUrl}/.well-known/jwks.json`;\n  }\n\n  /**\n   * Get the JWKS fetcher, creating a new one if necessary.\n   * The fetcher is cached based on the configured TTL.\n   */\n  private getJwksFetcher(): JWKSFetcher {\n    const now = Date.now();\n\n    // Return cached fetcher if still valid\n    if (this.jwksCache && now - this.jwksCache.createdAt < this.config.jwksCacheTtl) {\n      return this.jwksCache.fetcher;\n    }\n\n    // Create new JWKS fetcher\n    const jwksUrl = new URL(this.jwksUrl);\n    const fetcher = createRemoteJWKSet(jwksUrl, {\n      // jose library has its own internal caching, but we add our own TTL layer\n      // to control when to refresh the JWKS set\n      cacheMaxAge: this.config.jwksCacheTtl,\n    });\n\n    this.jwksCache = {\n      fetcher,\n      createdAt: now,\n    };\n\n    return fetcher;\n  }\n\n  /**\n   * Verify an access token and return the decoded payload.\n   *\n   * This method fetches the public key from the JWKS endpoint (with caching)\n   * and verifies the token's signature and claims.\n   *\n   * @param token - The access token (JWT) to verify\n   * @returns The verified token payload and header\n   * @throws {OvixaAuthError} If verification fails\n   *\n   * @example\n   * ```typescript\n   * try {\n   *   const result = await auth.verifyToken(accessToken);\n   *   console.log('User ID:', result.payload.sub);\n   *   console.log('Email:', result.payload.email);\n   * } catch (error) {\n   *   if (error instanceof OvixaAuthError) {\n   *     console.error('Token verification failed:', error.code);\n   *   }\n   * }\n   * ```\n   */\n  async verifyToken(token: string): Promise<VerifyResult> {\n    try {\n      const jwks = this.getJwksFetcher();\n\n      const result: JWTVerifyResult<AccessTokenPayload> = await jwtVerify(token, jwks, {\n        algorithms: ['RS256'],\n        issuer: this.config.authUrl,\n        // Audience is the realm for this application\n        audience: this.config.realmId,\n      });\n\n      // Validate required claims\n      const payload = result.payload;\n      if (!payload.sub || !payload.email || payload.email_verified === undefined) {\n        throw new OvixaAuthError('Token is missing required claims', 'INVALID_CLAIMS');\n      }\n\n      return {\n        payload: payload as AccessTokenPayload,\n        protectedHeader: result.protectedHeader,\n      };\n    } catch (error) {\n      if (error instanceof OvixaAuthError) {\n        throw error;\n      }\n\n      // Handle jose library errors\n      if (error instanceof Error) {\n        const message = error.message;\n\n        if (message.includes('expired')) {\n          throw new OvixaAuthError('Token has expired', 'TOKEN_EXPIRED');\n        }\n        if (message.includes('signature')) {\n          throw new OvixaAuthError('Invalid token signature', 'INVALID_SIGNATURE');\n        }\n        if (message.includes('issuer')) {\n          throw new OvixaAuthError('Invalid token issuer', 'INVALID_ISSUER');\n        }\n        if (message.includes('audience')) {\n          throw new OvixaAuthError('Invalid token audience', 'INVALID_AUDIENCE');\n        }\n        if (message.includes('malformed')) {\n          throw new OvixaAuthError('Malformed token', 'MALFORMED_TOKEN');\n        }\n\n        throw new OvixaAuthError(`Token verification failed: ${message}`, 'VERIFICATION_FAILED');\n      }\n\n      throw new OvixaAuthError('Token verification failed', 'VERIFICATION_FAILED');\n    }\n  }\n\n  /**\n   * Refresh an access token using a refresh token.\n   *\n   * This method exchanges a valid refresh token for a new access token\n   * and a new refresh token (token rotation).\n   *\n   * @param refreshToken - The refresh token to exchange\n   * @returns New token response with access and refresh tokens\n   * @throws {OvixaAuthError} If the refresh fails\n   *\n   * @example\n   * ```typescript\n   * try {\n   *   const tokens = await auth.refreshToken(currentRefreshToken);\n   *   // Store the new tokens\n   *   saveTokens(tokens.access_token, tokens.refresh_token);\n   * } catch (error) {\n   *   if (error instanceof OvixaAuthError) {\n   *     // Refresh token is invalid or expired - user must re-authenticate\n   *     redirectToLogin();\n   *   }\n   * }\n   * ```\n   */\n  async refreshToken(refreshToken: string): Promise<TokenResponse> {\n    const url = `${this.config.authUrl}/token/refresh`;\n\n    try {\n      const response = await fetch(url, {\n        method: 'POST',\n        headers: {\n          'Content-Type': 'application/json',\n        },\n        body: JSON.stringify({\n          refresh_token: refreshToken,\n        }),\n      });\n\n      if (!response.ok) {\n        const errorBody = await response.json().catch(() => ({}));\n        const errorMessage = (errorBody as { error?: string }).error || 'Token refresh failed';\n        const errorCode = this.mapHttpStatusToErrorCode(response.status);\n\n        throw new OvixaAuthError(errorMessage, errorCode, response.status);\n      }\n\n      const data = (await response.json()) as TokenResponse;\n      return data;\n    } catch (error) {\n      if (error instanceof OvixaAuthError) {\n        throw error;\n      }\n\n      if (error instanceof Error) {\n        throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n      }\n\n      throw new OvixaAuthError('Token refresh failed', 'REFRESH_FAILED');\n    }\n  }\n\n  /**\n   * Invalidate the cached JWKS fetcher.\n   * Call this if you need to force a refresh of the public keys.\n   */\n  clearJwksCache(): void {\n    this.jwksCache = null;\n  }\n\n  /**\n   * Create a new user account.\n   *\n   * After signup, a verification email is sent. The user must verify their\n   * email before they can log in.\n   *\n   * @param options - Signup options\n   * @returns Signup response indicating success\n   * @throws {OvixaAuthError} If signup fails\n   *\n   * @example\n   * ```typescript\n   * try {\n   *   await auth.signup({\n   *     email: 'user@example.com',\n   *     password: 'SecurePassword123!',\n   *     redirectUri: 'https://myapp.com/verify-callback',\n   *   });\n   *   console.log('Verification email sent!');\n   * } catch (error) {\n   *   if (error instanceof OvixaAuthError) {\n   *     if (error.code === 'EMAIL_ALREADY_EXISTS') {\n   *       console.error('Email is already registered');\n   *     }\n   *   }\n   * }\n   * ```\n   */\n  async signup(options: SignupOptions): Promise<SignupResponse> {\n    const url = `${this.config.authUrl}/signup`;\n\n    const body: Record<string, string> = {\n      email: options.email,\n      password: options.password,\n      realm_id: this.config.realmId,\n    };\n\n    if (options.redirectUri) {\n      body.redirect_uri = options.redirectUri;\n    }\n\n    return this.makeRequest<SignupResponse>(url, body);\n  }\n\n  /**\n   * Authenticate a user with email and password.\n   *\n   * @param options - Login options\n   * @returns Token response with access and refresh tokens\n   * @throws {OvixaAuthError} If login fails\n   *\n   * @example\n   * ```typescript\n   * try {\n   *   const tokens = await auth.login({\n   *     email: 'user@example.com',\n   *     password: 'SecurePassword123!',\n   *   });\n   *   console.log('Logged in!', tokens.access_token);\n   * } catch (error) {\n   *   if (error instanceof OvixaAuthError) {\n   *     if (error.code === 'EMAIL_NOT_VERIFIED') {\n   *       console.error('Please verify your email first');\n   *     } else if (error.code === 'INVALID_CREDENTIALS') {\n   *       console.error('Invalid email or password');\n   *     }\n   *   }\n   * }\n   * ```\n   */\n  async login(options: LoginOptions): Promise<TokenResponse> {\n    const url = `${this.config.authUrl}/login`;\n\n    const body = {\n      email: options.email,\n      password: options.password,\n      realm_id: this.config.realmId,\n    };\n\n    return this.makeRequest<TokenResponse>(url, body);\n  }\n\n  /**\n   * Verify an email address using a verification token.\n   *\n   * This is the API flow that returns tokens. For browser redirect flow,\n   * use `GET /verify` directly.\n   *\n   * @param options - Verification options\n   * @returns Token response with access and refresh tokens\n   * @throws {OvixaAuthError} If verification fails\n   *\n   * @example\n   * ```typescript\n   * // Get token from URL query params after clicking email link\n   * const token = new URLSearchParams(window.location.search).get('token');\n   *\n   * try {\n   *   const tokens = await auth.verifyEmail({ token });\n   *   console.log('Email verified! Logged in.');\n   * } catch (error) {\n   *   if (error instanceof OvixaAuthError && error.code === 'INVALID_TOKEN') {\n   *     console.error('Invalid or expired verification link');\n   *   }\n   * }\n   * ```\n   */\n  async verifyEmail(options: VerifyEmailOptions): Promise<TokenResponse> {\n    const url = `${this.config.authUrl}/verify`;\n\n    const body = {\n      token: options.token,\n      realm_id: this.config.realmId,\n      type: 'email_verification',\n    };\n\n    return this.makeRequest<TokenResponse>(url, body);\n  }\n\n  /**\n   * Resend a verification email for an unverified account.\n   *\n   * @param options - Resend options\n   * @returns Success response\n   * @throws {OvixaAuthError} If request fails\n   *\n   * @example\n   * ```typescript\n   * await auth.resendVerification({\n   *   email: 'user@example.com',\n   *   redirectUri: 'https://myapp.com/verify-callback',\n   * });\n   * console.log('Verification email sent!');\n   * ```\n   */\n  async resendVerification(options: ResendVerificationOptions): Promise<SuccessResponse> {\n    const url = `${this.config.authUrl}/verify/resend`;\n\n    const body: Record<string, string> = {\n      email: options.email,\n      realm_id: this.config.realmId,\n    };\n\n    if (options.redirectUri) {\n      body.redirect_uri = options.redirectUri;\n    }\n\n    return this.makeRequest<SuccessResponse>(url, body);\n  }\n\n  /**\n   * Request a password reset email.\n   *\n   * Note: This endpoint always returns success to prevent email enumeration.\n   *\n   * @param options - Forgot password options\n   * @returns Success response\n   * @throws {OvixaAuthError} If request fails\n   *\n   * @example\n   * ```typescript\n   * await auth.forgotPassword({\n   *   email: 'user@example.com',\n   *   redirectUri: 'https://myapp.com/reset-password',\n   * });\n   * console.log('If the email exists, a reset link has been sent.');\n   * ```\n   */\n  async forgotPassword(options: ForgotPasswordOptions): Promise<SuccessResponse> {\n    const url = `${this.config.authUrl}/forgot-password`;\n\n    const body: Record<string, string> = {\n      email: options.email,\n      realm_id: this.config.realmId,\n    };\n\n    if (options.redirectUri) {\n      body.redirect_uri = options.redirectUri;\n    }\n\n    return this.makeRequest<SuccessResponse>(url, body);\n  }\n\n  /**\n   * Reset password using a reset token.\n   *\n   * @param options - Reset password options\n   * @returns Success response\n   * @throws {OvixaAuthError} If reset fails\n   *\n   * @example\n   * ```typescript\n   * // Get token from URL query params\n   * const token = new URLSearchParams(window.location.search).get('token');\n   *\n   * try {\n   *   await auth.resetPassword({\n   *     token,\n   *     password: 'NewSecurePassword123!',\n   *   });\n   *   console.log('Password reset successfully!');\n   * } catch (error) {\n   *   if (error instanceof OvixaAuthError) {\n   *     if (error.code === 'INVALID_TOKEN') {\n   *       console.error('Invalid or expired reset link');\n   *     } else if (error.code === 'WEAK_PASSWORD') {\n   *       console.error('Password does not meet requirements');\n   *     }\n   *   }\n   * }\n   * ```\n   */\n  async resetPassword(options: ResetPasswordOptions): Promise<SuccessResponse> {\n    const url = `${this.config.authUrl}/reset-password`;\n\n    const body = {\n      token: options.token,\n      password: options.password,\n      realm_id: this.config.realmId,\n    };\n\n    return this.makeRequest<SuccessResponse>(url, body);\n  }\n\n  /**\n   * Revoke a refresh token (logout).\n   *\n   * @param refreshToken - The refresh token to revoke\n   * @returns Success response\n   * @throws {OvixaAuthError} If logout fails\n   *\n   * @example\n   * ```typescript\n   * await auth.logout(currentRefreshToken);\n   * // Clear local token storage\n   * localStorage.removeItem('refresh_token');\n   * localStorage.removeItem('access_token');\n   * ```\n   */\n  async logout(refreshToken: string): Promise<SuccessResponse> {\n    const url = `${this.config.authUrl}/logout`;\n\n    const body = {\n      refresh_token: refreshToken,\n    };\n\n    return this.makeRequest<SuccessResponse>(url, body);\n  }\n\n  /**\n   * Generate an OAuth authorization URL.\n   *\n   * Redirect the user to this URL to start the OAuth flow. After authentication,\n   * the user will be redirected back to your `redirectUri` with an authorization code.\n   * Use `exchangeOAuthCode()` to exchange the code for tokens.\n   *\n   * @param options - OAuth URL options\n   * @returns The full OAuth authorization URL\n   *\n   * @example\n   * ```typescript\n   * const googleAuthUrl = auth.getOAuthUrl({\n   *   provider: 'google',\n   *   redirectUri: 'https://myapp.com/auth/callback',\n   * });\n   *\n   * // Redirect user to start OAuth flow\n   * window.location.href = googleAuthUrl;\n   *\n   * // In your callback handler:\n   * // const code = new URLSearchParams(window.location.search).get('code');\n   * // const tokens = await auth.exchangeOAuthCode(code);\n   * ```\n   */\n  getOAuthUrl(options: GetOAuthUrlOptions): string {\n    const url = new URL(`${this.config.authUrl}/oauth/${options.provider}`);\n    url.searchParams.set('realm_id', this.config.realmId);\n    url.searchParams.set('redirect_uri', options.redirectUri);\n    return url.toString();\n  }\n\n  /**\n   * Exchange an OAuth authorization code for tokens.\n   *\n   * After the OAuth flow completes, the user is redirected back to your app with\n   * an authorization code in the URL query params. Use this method to exchange\n   * that code for access and refresh tokens.\n   *\n   * Note: Authorization codes expire after 60 seconds.\n   *\n   * @param code - The authorization code from the OAuth callback URL\n   * @returns Token response with access and refresh tokens\n   * @throws {OvixaAuthError} If the exchange fails\n   *\n   * @example\n   * ```typescript\n   * // In your OAuth callback handler\n   * const code = new URLSearchParams(window.location.search).get('code');\n   *\n   * if (code) {\n   *   try {\n   *     const tokens = await auth.exchangeOAuthCode(code);\n   *     console.log('OAuth successful!', tokens.access_token);\n   *\n   *     // Check if this is a new user (first-time OAuth login)\n   *     if (tokens.is_new_user) {\n   *       // Show onboarding flow\n   *     }\n   *   } catch (error) {\n   *     if (error instanceof OvixaAuthError) {\n   *       if (error.code === 'INVALID_CODE') {\n   *         console.error('Invalid or expired authorization code');\n   *       }\n   *     }\n   *   }\n   * }\n   * ```\n   */\n  async exchangeOAuthCode(code: string): Promise<TokenResponse> {\n    const url = `${this.config.authUrl}/oauth/token`;\n\n    const body = {\n      code,\n      realm_id: this.config.realmId,\n    };\n\n    return this.makeRequest<TokenResponse>(url, body);\n  }\n\n  /**\n   * Transform a token response into an AuthResult with user and session data.\n   *\n   * This method decodes the access token to extract user information and\n   * creates a structured result object.\n   *\n   * @param tokenResponse - The token response from login, verify, or refresh\n   * @returns AuthResult with user and session data\n   * @throws {OvixaAuthError} If the access token cannot be decoded\n   *\n   * @example\n   * ```typescript\n   * const tokens = await auth.login({ email, password });\n   * const result = await auth.toAuthResult(tokens);\n   *\n   * console.log('User ID:', result.user.id);\n   * console.log('Email:', result.user.email);\n   * console.log('Expires at:', result.session.expiresAt);\n   * ```\n   */\n  async toAuthResult(tokenResponse: TokenResponse): Promise<AuthResult> {\n    // Verify and decode the access token\n    const verified = await this.verifyToken(tokenResponse.access_token);\n\n    const user: User = {\n      id: verified.payload.sub,\n      email: verified.payload.email,\n      emailVerified: verified.payload.email_verified,\n    };\n\n    const session: Session = {\n      accessToken: tokenResponse.access_token,\n      refreshToken: tokenResponse.refresh_token,\n      expiresAt: new Date(Date.now() + tokenResponse.expires_in * 1000),\n    };\n\n    const result: AuthResult = { user, session };\n\n    if (tokenResponse.is_new_user !== undefined) {\n      result.isNewUser = tokenResponse.is_new_user;\n    }\n\n    return result;\n  }\n\n  /**\n   * Delete the current user's own account.\n   *\n   * This permanently deletes the user's account and all associated data.\n   * Password re-authentication is required to prevent accidental deletion.\n   *\n   * @param options - Delete account options\n   * @returns Success response\n   * @throws {OvixaAuthError} If deletion fails\n   *\n   * @example\n   * ```typescript\n   * try {\n   *   await auth.deleteMyAccount({\n   *     accessToken: session.accessToken,\n   *     password: 'current-password',\n   *   });\n   *   console.log('Account deleted successfully');\n   *   // Clear local session storage\n   * } catch (error) {\n   *   if (error instanceof OvixaAuthError) {\n   *     if (error.code === 'INVALID_CREDENTIALS') {\n   *       console.error('Incorrect password');\n   *     } else if (error.code === 'UNAUTHORIZED') {\n   *       console.error('Invalid or expired access token');\n   *     }\n   *   }\n   * }\n   * ```\n   */\n  async deleteMyAccount(options: DeleteMyAccountOptions): Promise<SuccessResponse> {\n    const url = `${this.config.authUrl}/me`;\n\n    try {\n      const response = await fetch(url, {\n        method: 'DELETE',\n        headers: {\n          'Content-Type': 'application/json',\n          Authorization: `Bearer ${options.accessToken}`,\n        },\n        body: JSON.stringify({\n          password: options.password,\n        }),\n      });\n\n      if (!response.ok) {\n        const errorBody = await response.json().catch(() => ({}));\n        const errorData = errorBody as { error?: { code?: string; message?: string } | string };\n\n        let errorCode: string;\n        let errorMessage: string;\n\n        if (typeof errorData.error === 'object' && errorData.error) {\n          errorCode = errorData.error.code || this.mapHttpStatusToErrorCode(response.status);\n          errorMessage = errorData.error.message || 'Request failed';\n        } else {\n          errorCode = this.mapHttpStatusToErrorCode(response.status);\n          errorMessage = typeof errorData.error === 'string' ? errorData.error : 'Request failed';\n        }\n\n        throw new OvixaAuthError(errorMessage, errorCode, response.status);\n      }\n\n      return (await response.json()) as SuccessResponse;\n    } catch (error) {\n      if (error instanceof OvixaAuthError) {\n        throw error;\n      }\n\n      if (error instanceof Error) {\n        throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n      }\n\n      throw new OvixaAuthError('Request failed', 'REQUEST_FAILED');\n    }\n  }\n\n  /**\n   * Make an authenticated POST request to the auth service.\n   */\n  private async makeRequest<T>(url: string, body: Record<string, unknown>): Promise<T> {\n    try {\n      const response = await fetch(url, {\n        method: 'POST',\n        headers: {\n          'Content-Type': 'application/json',\n        },\n        body: JSON.stringify(body),\n      });\n\n      if (!response.ok) {\n        const errorBody = await response.json().catch(() => ({}));\n        const errorData = errorBody as { error?: { code?: string; message?: string } | string };\n\n        let errorCode: string;\n        let errorMessage: string;\n\n        if (typeof errorData.error === 'object' && errorData.error) {\n          errorCode = errorData.error.code || this.mapHttpStatusToErrorCode(response.status);\n          errorMessage = errorData.error.message || 'Request failed';\n        } else {\n          errorCode = this.mapHttpStatusToErrorCode(response.status);\n          errorMessage = typeof errorData.error === 'string' ? errorData.error : 'Request failed';\n        }\n\n        throw new OvixaAuthError(errorMessage, errorCode, response.status);\n      }\n\n      return (await response.json()) as T;\n    } catch (error) {\n      if (error instanceof OvixaAuthError) {\n        throw error;\n      }\n\n      if (error instanceof Error) {\n        throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n      }\n\n      throw new OvixaAuthError('Request failed', 'REQUEST_FAILED');\n    }\n  }\n\n  /**\n   * Map HTTP status codes to error codes.\n   */\n  private mapHttpStatusToErrorCode(status: number): string {\n    switch (status) {\n      case 400:\n        return 'BAD_REQUEST';\n      case 401:\n        return 'UNAUTHORIZED';\n      case 403:\n        return 'FORBIDDEN';\n      case 404:\n        return 'NOT_FOUND';\n      case 429:\n        return 'RATE_LIMITED';\n      case 500:\n      case 502:\n      case 503:\n        return 'SERVER_ERROR';\n      default:\n        return 'UNKNOWN_ERROR';\n    }\n  }\n\n  /**\n   * Get the admin API interface for realm-scoped operations.\n   *\n   * Admin operations require clientSecret to be configured.\n   * These operations allow managing users within the realm boundary.\n   *\n   * @returns OvixaAuthAdmin interface for admin operations\n   * @throws {OvixaAuthError} If clientSecret is not configured\n   *\n   * @example\n   * ```typescript\n   * const auth = new OvixaAuth({\n   *   authUrl: 'https://auth.ovixa.io',\n   *   realmId: 'your-realm',\n   *   clientSecret: process.env.OVIXA_CLIENT_SECRET,\n   * });\n   *\n   * // Delete a user from the realm\n   * await auth.admin.deleteUser({ userId: 'user-id-to-delete' });\n   * ```\n   */\n  get admin(): OvixaAuthAdmin {\n    if (!this.config.clientSecret) {\n      throw new OvixaAuthError(\n        'clientSecret is required for admin operations',\n        'CLIENT_SECRET_REQUIRED'\n      );\n    }\n    return new OvixaAuthAdmin(this.config);\n  }\n\n  /**\n   * Get the WebAuthn API interface for passkey operations.\n   *\n   * The WebAuthn namespace provides methods for registering and authenticating\n   * with passkeys, as well as managing existing passkeys.\n   *\n   * @returns OvixaAuthWebAuthn interface for passkey operations\n   *\n   * @example\n   * ```typescript\n   * const auth = new OvixaAuth({\n   *   authUrl: 'https://auth.ovixa.io',\n   *   realmId: 'your-realm',\n   * });\n   *\n   * // Register a passkey\n   * const options = await auth.webauthn.getRegistrationOptions({ accessToken });\n   *\n   * // Authenticate with passkey\n   * const authOptions = await auth.webauthn.getAuthenticationOptions();\n   *\n   * // List passkeys\n   * const { passkeys } = await auth.webauthn.listPasskeys({ accessToken });\n   *\n   * // Delete a passkey\n   * await auth.webauthn.deletePasskey({ accessToken, credentialId });\n   * ```\n   */\n  get webauthn(): OvixaAuthWebAuthn {\n    return new OvixaAuthWebAuthn(this.config);\n  }\n}\n\n/**\n * Admin API interface for realm-scoped operations.\n *\n * This class provides methods for managing users within the realm boundary.\n * All operations are authenticated using the realm's client_secret.\n *\n * @example\n * ```typescript\n * // Access via OvixaAuth.admin\n * await auth.admin.deleteUser({ userId: 'user-id' });\n * ```\n */\nclass OvixaAuthAdmin {\n  private config: InternalConfig;\n\n  constructor(config: InternalConfig) {\n    this.config = config;\n  }\n\n  /**\n   * Delete a user from the realm.\n   *\n   * This permanently deletes the user and all associated data (tokens, OAuth accounts).\n   * The user must belong to this realm.\n   *\n   * @param options - Delete user options\n   * @returns Success response\n   * @throws {OvixaAuthError} If deletion fails\n   *\n   * @example\n   * ```typescript\n   * try {\n   *   await auth.admin.deleteUser({ userId: 'user-id-to-delete' });\n   *   console.log('User deleted successfully');\n   * } catch (error) {\n   *   if (error instanceof OvixaAuthError) {\n   *     if (error.code === 'NOT_FOUND') {\n   *       console.error('User not found');\n   *     } else if (error.code === 'FORBIDDEN') {\n   *       console.error('User does not belong to this realm');\n   *     }\n   *   }\n   * }\n   * ```\n   */\n  async deleteUser(options: DeleteUserOptions): Promise<SuccessResponse> {\n    const url = `${this.config.authUrl}/realms/${this.config.realmId}/users/${options.userId}`;\n\n    try {\n      const response = await fetch(url, {\n        method: 'DELETE',\n        headers: {\n          Authorization: `RealmSecret ${this.config.clientSecret}`,\n        },\n      });\n\n      if (!response.ok) {\n        const errorBody = await response.json().catch(() => ({}));\n        const errorData = errorBody as { error?: { code?: string; message?: string } | string };\n\n        let errorCode: string;\n        let errorMessage: string;\n\n        if (typeof errorData.error === 'object' && errorData.error) {\n          errorCode = errorData.error.code || this.mapHttpStatusToErrorCode(response.status);\n          errorMessage = errorData.error.message || 'Request failed';\n        } else {\n          errorCode = this.mapHttpStatusToErrorCode(response.status);\n          errorMessage = typeof errorData.error === 'string' ? errorData.error : 'Request failed';\n        }\n\n        throw new OvixaAuthError(errorMessage, errorCode, response.status);\n      }\n\n      return (await response.json()) as SuccessResponse;\n    } catch (error) {\n      if (error instanceof OvixaAuthError) {\n        throw error;\n      }\n\n      if (error instanceof Error) {\n        throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n      }\n\n      throw new OvixaAuthError('Request failed', 'REQUEST_FAILED');\n    }\n  }\n\n  /**\n   * Map HTTP status codes to error codes.\n   */\n  private mapHttpStatusToErrorCode(status: number): string {\n    switch (status) {\n      case 400:\n        return 'BAD_REQUEST';\n      case 401:\n        return 'UNAUTHORIZED';\n      case 403:\n        return 'FORBIDDEN';\n      case 404:\n        return 'NOT_FOUND';\n      case 429:\n        return 'RATE_LIMITED';\n      case 500:\n      case 502:\n      case 503:\n        return 'SERVER_ERROR';\n      default:\n        return 'UNKNOWN_ERROR';\n    }\n  }\n}\n\n/**\n * WebAuthn namespace API for passkey operations.\n *\n * Access via `auth.webauthn` property.\n *\n * @example\n * ```typescript\n * // Register a new passkey\n * const options = await auth.webauthn.getRegistrationOptions({ accessToken });\n * // ... use browser API to create credential ...\n * await auth.webauthn.verifyRegistration({ accessToken, registration, deviceName });\n *\n * // Authenticate with passkey\n * const authOptions = await auth.webauthn.getAuthenticationOptions();\n * // ... use browser API to get credential ...\n * const tokens = await auth.webauthn.authenticate({ authentication });\n *\n * // Manage passkeys\n * const { passkeys } = await auth.webauthn.listPasskeys({ accessToken });\n * await auth.webauthn.deletePasskey({ accessToken, credentialId: passkeys[0].credential_id });\n * ```\n */\nclass OvixaAuthWebAuthn {\n  private config: InternalConfig;\n\n  constructor(config: InternalConfig) {\n    this.config = config;\n  }\n\n  /**\n   * Get registration options for creating a new passkey.\n   *\n   * The user must be logged in to register a passkey. Use the returned options\n   * with navigator.credentials.create() to create the credential.\n   *\n   * @param options - Registration options with access token\n   * @returns Registration options to pass to navigator.credentials.create()\n   * @throws {OvixaAuthError} If request fails\n   */\n  async getRegistrationOptions(\n    options: GetPasskeyRegistrationOptionsOptions\n  ): Promise<PasskeyRegistrationOptions> {\n    const url = `${this.config.authUrl}/webauthn/register/options`;\n\n    try {\n      const response = await fetch(url, {\n        method: 'POST',\n        headers: {\n          'Content-Type': 'application/json',\n          Authorization: `Bearer ${options.accessToken}`,\n        },\n        body: JSON.stringify({\n          realm_id: this.config.realmId,\n        }),\n      });\n\n      if (!response.ok) {\n        await this.handleErrorResponse(response);\n      }\n\n      return (await response.json()) as PasskeyRegistrationOptions;\n    } catch (error) {\n      if (error instanceof OvixaAuthError) {\n        throw error;\n      }\n      if (error instanceof Error) {\n        throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n      }\n      throw new OvixaAuthError('Request failed', 'REQUEST_FAILED');\n    }\n  }\n\n  /**\n   * Verify a passkey registration and store the credential.\n   *\n   * Call this after navigator.credentials.create() succeeds to complete the\n   * registration on the server.\n   *\n   * @param options - Verification options with registration response\n   * @returns Registration response with credential ID\n   * @throws {OvixaAuthError} If verification fails\n   */\n  async verifyRegistration(\n    options: VerifyPasskeyRegistrationOptions\n  ): Promise<PasskeyRegistrationResponse> {\n    const url = `${this.config.authUrl}/webauthn/register/verify`;\n\n    const body: Record<string, unknown> = {\n      realm_id: this.config.realmId,\n      registration: options.registration,\n    };\n\n    if (options.deviceName) {\n      body.device_name = options.deviceName;\n    }\n\n    try {\n      const response = await fetch(url, {\n        method: 'POST',\n        headers: {\n          'Content-Type': 'application/json',\n          Authorization: `Bearer ${options.accessToken}`,\n        },\n        body: JSON.stringify(body),\n      });\n\n      if (!response.ok) {\n        await this.handleErrorResponse(response);\n      }\n\n      return (await response.json()) as PasskeyRegistrationResponse;\n    } catch (error) {\n      if (error instanceof OvixaAuthError) {\n        throw error;\n      }\n      if (error instanceof Error) {\n        throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n      }\n      throw new OvixaAuthError('Request failed', 'REQUEST_FAILED');\n    }\n  }\n\n  /**\n   * Get authentication options for signing in with a passkey.\n   *\n   * Use the returned options with navigator.credentials.get() to authenticate.\n   *\n   * @param options - Optional email for allowCredentials hint\n   * @returns Authentication options to pass to navigator.credentials.get()\n   * @throws {OvixaAuthError} If request fails\n   */\n  async getAuthenticationOptions(\n    options?: GetPasskeyAuthenticationOptionsOptions\n  ): Promise<PasskeyAuthenticationOptions> {\n    const url = `${this.config.authUrl}/webauthn/authenticate/options`;\n\n    const body: Record<string, string> = {\n      realm_id: this.config.realmId,\n    };\n\n    if (options?.email) {\n      body.email = options.email;\n    }\n\n    try {\n      const response = await fetch(url, {\n        method: 'POST',\n        headers: {\n          'Content-Type': 'application/json',\n        },\n        body: JSON.stringify(body),\n      });\n\n      if (!response.ok) {\n        await this.handleErrorResponse(response);\n      }\n\n      return (await response.json()) as PasskeyAuthenticationOptions;\n    } catch (error) {\n      if (error instanceof OvixaAuthError) {\n        throw error;\n      }\n      if (error instanceof Error) {\n        throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n      }\n      throw new OvixaAuthError('Request failed', 'REQUEST_FAILED');\n    }\n  }\n\n  /**\n   * Verify a passkey authentication and get tokens.\n   *\n   * Call this after navigator.credentials.get() succeeds to complete the\n   * authentication and receive access/refresh tokens.\n   *\n   * @param options - Verification options with authentication response\n   * @returns Token response with access and refresh tokens\n   * @throws {OvixaAuthError} If verification fails\n   */\n  async authenticate(options: VerifyPasskeyAuthenticationOptions): Promise<TokenResponse> {\n    const url = `${this.config.authUrl}/webauthn/authenticate/verify`;\n\n    const body = {\n      realm_id: this.config.realmId,\n      authentication: options.authentication,\n    };\n\n    try {\n      const response = await fetch(url, {\n        method: 'POST',\n        headers: {\n          'Content-Type': 'application/json',\n        },\n        body: JSON.stringify(body),\n      });\n\n      if (!response.ok) {\n        await this.handleErrorResponse(response);\n      }\n\n      return (await response.json()) as TokenResponse;\n    } catch (error) {\n      if (error instanceof OvixaAuthError) {\n        throw error;\n      }\n      if (error instanceof Error) {\n        throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n      }\n      throw new OvixaAuthError('Request failed', 'REQUEST_FAILED');\n    }\n  }\n\n  /**\n   * List all passkeys for the authenticated user.\n   *\n   * @param options - Options with access token\n   * @returns List of passkeys\n   * @throws {OvixaAuthError} If request fails\n   *\n   * @example\n   * ```typescript\n   * const { passkeys } = await auth.webauthn.listPasskeys({ accessToken });\n   * for (const passkey of passkeys) {\n   *   console.log(passkey.device_name, passkey.created_at);\n   * }\n   * ```\n   */\n  async listPasskeys(options: ListPasskeysOptions): Promise<ListPasskeysResponse> {\n    const url = `${this.config.authUrl}/webauthn/passkeys`;\n\n    try {\n      const response = await fetch(url, {\n        method: 'POST',\n        headers: {\n          'Content-Type': 'application/json',\n          Authorization: `Bearer ${options.accessToken}`,\n        },\n        body: JSON.stringify({\n          realm_id: this.config.realmId,\n        }),\n      });\n\n      if (!response.ok) {\n        await this.handleErrorResponse(response);\n      }\n\n      return (await response.json()) as ListPasskeysResponse;\n    } catch (error) {\n      if (error instanceof OvixaAuthError) {\n        throw error;\n      }\n      if (error instanceof Error) {\n        throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n      }\n      throw new OvixaAuthError('Request failed', 'REQUEST_FAILED');\n    }\n  }\n\n  /**\n   * Delete a passkey for the authenticated user.\n   *\n   * @param options - Options with access token and credential ID\n   * @returns Success response\n   * @throws {OvixaAuthError} If deletion fails\n   *\n   * @example\n   * ```typescript\n   * await auth.webauthn.deletePasskey({\n   *   accessToken,\n   *   credentialId: 'credential-id-to-delete',\n   * });\n   * ```\n   */\n  async deletePasskey(options: DeletePasskeyOptions): Promise<{ success: boolean }> {\n    const url = `${this.config.authUrl}/webauthn/passkeys/${encodeURIComponent(options.credentialId)}`;\n\n    try {\n      const response = await fetch(url, {\n        method: 'DELETE',\n        headers: {\n          'Content-Type': 'application/json',\n          Authorization: `Bearer ${options.accessToken}`,\n        },\n        body: JSON.stringify({\n          realm_id: this.config.realmId,\n        }),\n      });\n\n      if (!response.ok) {\n        await this.handleErrorResponse(response);\n      }\n\n      return (await response.json()) as { success: boolean };\n    } catch (error) {\n      if (error instanceof OvixaAuthError) {\n        throw error;\n      }\n      if (error instanceof Error) {\n        throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n      }\n      throw new OvixaAuthError('Request failed', 'REQUEST_FAILED');\n    }\n  }\n\n  /**\n   * Handle error response from the server.\n   * @throws {OvixaAuthError} Always throws with appropriate error details\n   */\n  private async handleErrorResponse(response: Response): Promise<never> {\n    const errorBody = await response.json().catch(() => ({}));\n    const errorData = errorBody as { error?: { code?: string; message?: string } | string };\n\n    let errorCode: string;\n    let errorMessage: string;\n\n    if (typeof errorData.error === 'object' && errorData.error) {\n      errorCode = errorData.error.code || this.mapHttpStatusToErrorCode(response.status);\n      errorMessage = errorData.error.message || 'Request failed';\n    } else {\n      errorCode = this.mapHttpStatusToErrorCode(response.status);\n      errorMessage = typeof errorData.error === 'string' ? errorData.error : 'Request failed';\n    }\n\n    throw new OvixaAuthError(errorMessage, errorCode, response.status);\n  }\n\n  /**\n   * Map HTTP status codes to error codes.\n   */\n  private mapHttpStatusToErrorCode(status: number): string {\n    switch (status) {\n      case 400:\n        return 'BAD_REQUEST';\n      case 401:\n        return 'UNAUTHORIZED';\n      case 403:\n        return 'FORBIDDEN';\n      case 404:\n        return 'NOT_FOUND';\n      case 429:\n        return 'RATE_LIMITED';\n      case 500:\n      case 502:\n      case 503:\n        return 'SERVER_ERROR';\n      default:\n        return 'UNKNOWN_ERROR';\n    }\n  }\n}\n\n// ============================================================\n// WebAuthn Browser Utilities\n// ============================================================\n\n/**\n * Convert an ArrayBuffer to a base64url-encoded string.\n * Used to encode credential IDs and other binary data for API calls.\n *\n * @param buffer - The ArrayBuffer to encode\n * @returns Base64url-encoded string\n *\n * @example\n * ```typescript\n * const encoded = arrayBufferToBase64Url(credential.rawId);\n * ```\n */\nexport function arrayBufferToBase64Url(buffer: ArrayBuffer): string {\n  const bytes = new Uint8Array(buffer);\n  let binary = '';\n  for (const byte of bytes) {\n    binary += String.fromCharCode(byte);\n  }\n  return btoa(binary).replace(/\\+/g, '-').replace(/\\//g, '_').replace(/=+$/, '');\n}\n\n/**\n * Convert a base64url-encoded string to an ArrayBuffer.\n * Used to decode challenge and credential IDs from API responses.\n *\n * @param base64url - The base64url-encoded string\n * @returns ArrayBuffer\n *\n * @example\n * ```typescript\n * const challenge = base64UrlToArrayBuffer(options.challenge);\n * ```\n */\nexport function base64UrlToArrayBuffer(base64url: string): ArrayBuffer {\n  // Convert base64url to base64\n  const base64 = base64url.replace(/-/g, '+').replace(/_/g, '/');\n  // Add padding if needed\n  const padded = base64 + '='.repeat((4 - (base64.length % 4)) % 4);\n  // Decode\n  const binary = atob(padded);\n  const bytes = new Uint8Array(binary.length);\n  for (let i = 0; i < binary.length; i++) {\n    bytes[i] = binary.charCodeAt(i);\n  }\n  return bytes.buffer;\n}\n\n/**\n * Prepare registration options for navigator.credentials.create().\n * Converts server response to the format expected by the browser API.\n *\n * @param options - Registration options from getPasskeyRegistrationOptions()\n * @returns PublicKeyCredentialCreationOptions for navigator.credentials.create()\n *\n * @example\n * ```typescript\n * const serverOptions = await auth.getPasskeyRegistrationOptions({ accessToken });\n * const browserOptions = prepareRegistrationOptions(serverOptions);\n * const credential = await navigator.credentials.create({ publicKey: browserOptions });\n * ```\n */\nexport function prepareRegistrationOptions(\n  options: PasskeyRegistrationOptions\n): PublicKeyCredentialCreationOptions {\n  return {\n    challenge: base64UrlToArrayBuffer(options.challenge),\n    rp: options.rp,\n    user: {\n      id: new TextEncoder().encode(options.user.id),\n      name: options.user.name,\n      displayName: options.user.displayName,\n    },\n    pubKeyCredParams: options.pubKeyCredParams,\n    excludeCredentials: options.excludeCredentials.map((cred) => ({\n      id: base64UrlToArrayBuffer(cred.id),\n      type: cred.type,\n      transports: cred.transports as AuthenticatorTransport[] | undefined,\n    })),\n    authenticatorSelection: options.authenticatorSelection,\n    timeout: options.timeout,\n    attestation: options.attestation,\n  };\n}\n\n/**\n * Prepare authentication options for navigator.credentials.get().\n * Converts server response to the format expected by the browser API.\n *\n * @param options - Authentication options from getPasskeyAuthenticationOptions()\n * @returns PublicKeyCredentialRequestOptions for navigator.credentials.get()\n *\n * @example\n * ```typescript\n * const serverOptions = await auth.getPasskeyAuthenticationOptions();\n * const browserOptions = prepareAuthenticationOptions(serverOptions);\n * const credential = await navigator.credentials.get({ publicKey: browserOptions });\n * ```\n */\nexport function prepareAuthenticationOptions(\n  options: PasskeyAuthenticationOptions\n): PublicKeyCredentialRequestOptions {\n  return {\n    challenge: base64UrlToArrayBuffer(options.challenge),\n    rpId: options.rpId,\n    allowCredentials: options.allowCredentials.map((cred) => ({\n      id: base64UrlToArrayBuffer(cred.id),\n      type: cred.type,\n      transports: cred.transports as AuthenticatorTransport[] | undefined,\n    })),\n    userVerification: options.userVerification,\n    timeout: options.timeout,\n  };\n}\n\n/**\n * Format a registration credential response for the server.\n * Converts browser API response to the format expected by verifyPasskeyRegistration().\n *\n * @param credential - The credential from navigator.credentials.create()\n * @returns Formatted registration object for verifyPasskeyRegistration()\n *\n * @example\n * ```typescript\n * const credential = await navigator.credentials.create({ publicKey: options });\n * const registration = formatRegistrationResponse(credential as PublicKeyCredential);\n * await auth.verifyPasskeyRegistration({ accessToken, registration });\n * ```\n */\nexport function formatRegistrationResponse(credential: PublicKeyCredential): {\n  id: string;\n  rawId: string;\n  type: 'public-key';\n  response: {\n    clientDataJSON: string;\n    attestationObject: string;\n    transports?: string[];\n  };\n  authenticatorAttachment?: 'platform' | 'cross-platform';\n} {\n  const response = credential.response as AuthenticatorAttestationResponse;\n\n  return {\n    id: credential.id,\n    rawId: arrayBufferToBase64Url(credential.rawId),\n    type: 'public-key',\n    response: {\n      clientDataJSON: arrayBufferToBase64Url(response.clientDataJSON),\n      attestationObject: arrayBufferToBase64Url(response.attestationObject),\n      transports: response.getTransports?.() as string[] | undefined,\n    },\n    authenticatorAttachment: credential.authenticatorAttachment as\n      | 'platform'\n      | 'cross-platform'\n      | undefined,\n  };\n}\n\n/**\n * Format an authentication credential response for the server.\n * Converts browser API response to the format expected by verifyPasskeyAuthentication().\n *\n * @param credential - The credential from navigator.credentials.get()\n * @returns Formatted authentication object for verifyPasskeyAuthentication()\n *\n * @example\n * ```typescript\n * const credential = await navigator.credentials.get({ publicKey: options });\n * const authentication = formatAuthenticationResponse(credential as PublicKeyCredential);\n * const tokens = await auth.verifyPasskeyAuthentication({ authentication });\n * ```\n */\nexport function formatAuthenticationResponse(credential: PublicKeyCredential): {\n  id: string;\n  rawId: string;\n  type: 'public-key';\n  response: {\n    clientDataJSON: string;\n    authenticatorData: string;\n    signature: string;\n    userHandle: string | null;\n  };\n  authenticatorAttachment?: 'platform' | 'cross-platform';\n} {\n  const response = credential.response as AuthenticatorAssertionResponse;\n\n  return {\n    id: credential.id,\n    rawId: arrayBufferToBase64Url(credential.rawId),\n    type: 'public-key',\n    response: {\n      clientDataJSON: arrayBufferToBase64Url(response.clientDataJSON),\n      authenticatorData: arrayBufferToBase64Url(response.authenticatorData),\n      signature: arrayBufferToBase64Url(response.signature),\n      userHandle: response.userHandle ? arrayBufferToBase64Url(response.userHandle) : null,\n    },\n    authenticatorAttachment: credential.authenticatorAttachment as\n      | 'platform'\n      | 'cross-platform'\n      | undefined,\n  };\n}\n"],"mappings":";AAOA;AAAA,EACE;AAAA,EACA;AAAA,OAIK;AAwWA,IAAM,iBAAN,cAA6B,MAAM;AAAA,EACxC,YACE,SACgB,MACA,YAChB;AACA,UAAM,OAAO;AAHG;AACA;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAUA,IAAM,yBAAyB,KAAK,KAAK;AAgClC,IAAM,YAAN,MAAgB;AAAA,EACb;AAAA,EACA,YAA8B;AAAA,EAEtC,YAAY,QAA0B;AAEpC,UAAM,UAAU,OAAO,QAAQ,QAAQ,OAAO,EAAE;AAEhD,SAAK,SAAS;AAAA,MACZ;AAAA,MACA,SAAS,OAAO;AAAA,MAChB,cAAc,OAAO;AAAA,MACrB,cAAc,OAAO,gBAAgB;AAAA,IACvC;AAAA,EACF;AAAA;AAAA,EAGA,IAAI,UAAkB;AACpB,WAAO,KAAK,OAAO;AAAA,EACrB;AAAA;AAAA,EAGA,IAAI,UAAkB;AACpB,WAAO,KAAK,OAAO;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,UAAkB;AACpB,WAAO,GAAG,KAAK,OAAO,OAAO;AAAA,EAC/B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,iBAA8B;AACpC,UAAM,MAAM,KAAK,IAAI;AAGrB,QAAI,KAAK,aAAa,MAAM,KAAK,UAAU,YAAY,KAAK,OAAO,cAAc;AAC/E,aAAO,KAAK,UAAU;AAAA,IACxB;AAGA,UAAM,UAAU,IAAI,IAAI,KAAK,OAAO;AACpC,UAAM,UAAU,mBAAmB,SAAS;AAAA;AAAA;AAAA,MAG1C,aAAa,KAAK,OAAO;AAAA,IAC3B,CAAC;AAED,SAAK,YAAY;AAAA,MACf;AAAA,MACA,WAAW;AAAA,IACb;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAyBA,MAAM,YAAY,OAAsC;AACtD,QAAI;AACF,YAAM,OAAO,KAAK,eAAe;AAEjC,YAAM,SAA8C,MAAM,UAAU,OAAO,MAAM;AAAA,QAC/E,YAAY,CAAC,OAAO;AAAA,QACpB,QAAQ,KAAK,OAAO;AAAA;AAAA,QAEpB,UAAU,KAAK,OAAO;AAAA,MACxB,CAAC;AAGD,YAAM,UAAU,OAAO;AACvB,UAAI,CAAC,QAAQ,OAAO,CAAC,QAAQ,SAAS,QAAQ,mBAAmB,QAAW;AAC1E,cAAM,IAAI,eAAe,oCAAoC,gBAAgB;AAAA,MAC/E;AAEA,aAAO;AAAA,QACL;AAAA,QACA,iBAAiB,OAAO;AAAA,MAC1B;AAAA,IACF,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AAGA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,UAAU,MAAM;AAEtB,YAAI,QAAQ,SAAS,SAAS,GAAG;AAC/B,gBAAM,IAAI,eAAe,qBAAqB,eAAe;AAAA,QAC/D;AACA,YAAI,QAAQ,SAAS,WAAW,GAAG;AACjC,gBAAM,IAAI,eAAe,2BAA2B,mBAAmB;AAAA,QACzE;AACA,YAAI,QAAQ,SAAS,QAAQ,GAAG;AAC9B,gBAAM,IAAI,eAAe,wBAAwB,gBAAgB;AAAA,QACnE;AACA,YAAI,QAAQ,SAAS,UAAU,GAAG;AAChC,gBAAM,IAAI,eAAe,0BAA0B,kBAAkB;AAAA,QACvE;AACA,YAAI,QAAQ,SAAS,WAAW,GAAG;AACjC,gBAAM,IAAI,eAAe,mBAAmB,iBAAiB;AAAA,QAC/D;AAEA,cAAM,IAAI,eAAe,8BAA8B,OAAO,IAAI,qBAAqB;AAAA,MACzF;AAEA,YAAM,IAAI,eAAe,6BAA6B,qBAAqB;AAAA,IAC7E;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA0BA,MAAM,aAAa,cAA8C;AAC/D,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,QAClB;AAAA,QACA,MAAM,KAAK,UAAU;AAAA,UACnB,eAAe;AAAA,QACjB,CAAC;AAAA,MACH,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,YAAY,MAAM,SAAS,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACxD,cAAM,eAAgB,UAAiC,SAAS;AAChE,cAAM,YAAY,KAAK,yBAAyB,SAAS,MAAM;AAE/D,cAAM,IAAI,eAAe,cAAc,WAAW,SAAS,MAAM;AAAA,MACnE;AAEA,YAAM,OAAQ,MAAM,SAAS,KAAK;AAClC,aAAO;AAAA,IACT,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AAEA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AAEA,YAAM,IAAI,eAAe,wBAAwB,gBAAgB;AAAA,IACnE;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,iBAAuB;AACrB,SAAK,YAAY;AAAA,EACnB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA8BA,MAAM,OAAO,SAAiD;AAC5D,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAA+B;AAAA,MACnC,OAAO,QAAQ;AAAA,MACf,UAAU,QAAQ;AAAA,MAClB,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,QAAI,QAAQ,aAAa;AACvB,WAAK,eAAe,QAAQ;AAAA,IAC9B;AAEA,WAAO,KAAK,YAA4B,KAAK,IAAI;AAAA,EACnD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA4BA,MAAM,MAAM,SAA+C;AACzD,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX,OAAO,QAAQ;AAAA,MACf,UAAU,QAAQ;AAAA,MAClB,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,WAAO,KAAK,YAA2B,KAAK,IAAI;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA2BA,MAAM,YAAY,SAAqD;AACrE,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX,OAAO,QAAQ;AAAA,MACf,UAAU,KAAK,OAAO;AAAA,MACtB,MAAM;AAAA,IACR;AAEA,WAAO,KAAK,YAA2B,KAAK,IAAI;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAkBA,MAAM,mBAAmB,SAA8D;AACrF,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAA+B;AAAA,MACnC,OAAO,QAAQ;AAAA,MACf,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,QAAI,QAAQ,aAAa;AACvB,WAAK,eAAe,QAAQ;AAAA,IAC9B;AAEA,WAAO,KAAK,YAA6B,KAAK,IAAI;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAoBA,MAAM,eAAe,SAA0D;AAC7E,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAA+B;AAAA,MACnC,OAAO,QAAQ;AAAA,MACf,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,QAAI,QAAQ,aAAa;AACvB,WAAK,eAAe,QAAQ;AAAA,IAC9B;AAEA,WAAO,KAAK,YAA6B,KAAK,IAAI;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA+BA,MAAM,cAAc,SAAyD;AAC3E,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX,OAAO,QAAQ;AAAA,MACf,UAAU,QAAQ;AAAA,MAClB,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,WAAO,KAAK,YAA6B,KAAK,IAAI;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiBA,MAAM,OAAO,cAAgD;AAC3D,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX,eAAe;AAAA,IACjB;AAEA,WAAO,KAAK,YAA6B,KAAK,IAAI;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA2BA,YAAY,SAAqC;AAC/C,UAAM,MAAM,IAAI,IAAI,GAAG,KAAK,OAAO,OAAO,UAAU,QAAQ,QAAQ,EAAE;AACtE,QAAI,aAAa,IAAI,YAAY,KAAK,OAAO,OAAO;AACpD,QAAI,aAAa,IAAI,gBAAgB,QAAQ,WAAW;AACxD,WAAO,IAAI,SAAS;AAAA,EACtB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAuCA,MAAM,kBAAkB,MAAsC;AAC5D,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX;AAAA,MACA,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,WAAO,KAAK,YAA2B,KAAK,IAAI;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAsBA,MAAM,aAAa,eAAmD;AAEpE,UAAM,WAAW,MAAM,KAAK,YAAY,cAAc,YAAY;AAElE,UAAM,OAAa;AAAA,MACjB,IAAI,SAAS,QAAQ;AAAA,MACrB,OAAO,SAAS,QAAQ;AAAA,MACxB,eAAe,SAAS,QAAQ;AAAA,IAClC;AAEA,UAAM,UAAmB;AAAA,MACvB,aAAa,cAAc;AAAA,MAC3B,cAAc,cAAc;AAAA,MAC5B,WAAW,IAAI,KAAK,KAAK,IAAI,IAAI,cAAc,aAAa,GAAI;AAAA,IAClE;AAEA,UAAM,SAAqB,EAAE,MAAM,QAAQ;AAE3C,QAAI,cAAc,gBAAgB,QAAW;AAC3C,aAAO,YAAY,cAAc;AAAA,IACnC;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAgCA,MAAM,gBAAgB,SAA2D;AAC/E,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,UAChB,eAAe,UAAU,QAAQ,WAAW;AAAA,QAC9C;AAAA,QACA,MAAM,KAAK,UAAU;AAAA,UACnB,UAAU,QAAQ;AAAA,QACpB,CAAC;AAAA,MACH,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,YAAY,MAAM,SAAS,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACxD,cAAM,YAAY;AAElB,YAAI;AACJ,YAAI;AAEJ,YAAI,OAAO,UAAU,UAAU,YAAY,UAAU,OAAO;AAC1D,sBAAY,UAAU,MAAM,QAAQ,KAAK,yBAAyB,SAAS,MAAM;AACjF,yBAAe,UAAU,MAAM,WAAW;AAAA,QAC5C,OAAO;AACL,sBAAY,KAAK,yBAAyB,SAAS,MAAM;AACzD,yBAAe,OAAO,UAAU,UAAU,WAAW,UAAU,QAAQ;AAAA,QACzE;AAEA,cAAM,IAAI,eAAe,cAAc,WAAW,SAAS,MAAM;AAAA,MACnE;AAEA,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AAEA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AAEA,YAAM,IAAI,eAAe,kBAAkB,gBAAgB;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,YAAe,KAAa,MAA2C;AACnF,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,QAClB;AAAA,QACA,MAAM,KAAK,UAAU,IAAI;AAAA,MAC3B,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,YAAY,MAAM,SAAS,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACxD,cAAM,YAAY;AAElB,YAAI;AACJ,YAAI;AAEJ,YAAI,OAAO,UAAU,UAAU,YAAY,UAAU,OAAO;AAC1D,sBAAY,UAAU,MAAM,QAAQ,KAAK,yBAAyB,SAAS,MAAM;AACjF,yBAAe,UAAU,MAAM,WAAW;AAAA,QAC5C,OAAO;AACL,sBAAY,KAAK,yBAAyB,SAAS,MAAM;AACzD,yBAAe,OAAO,UAAU,UAAU,WAAW,UAAU,QAAQ;AAAA,QACzE;AAEA,cAAM,IAAI,eAAe,cAAc,WAAW,SAAS,MAAM;AAAA,MACnE;AAEA,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AAEA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AAEA,YAAM,IAAI,eAAe,kBAAkB,gBAAgB;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,yBAAyB,QAAwB;AACvD,YAAQ,QAAQ;AAAA,MACd,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AACH,eAAO;AAAA,MACT;AACE,eAAO;AAAA,IACX;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAuBA,IAAI,QAAwB;AAC1B,QAAI,CAAC,KAAK,OAAO,cAAc;AAC7B,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,MACF;AAAA,IACF;AACA,WAAO,IAAI,eAAe,KAAK,MAAM;AAAA,EACvC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA8BA,IAAI,WAA8B;AAChC,WAAO,IAAI,kBAAkB,KAAK,MAAM;AAAA,EAC1C;AACF;AAcA,IAAM,iBAAN,MAAqB;AAAA,EACX;AAAA,EAER,YAAY,QAAwB;AAClC,SAAK,SAAS;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA4BA,MAAM,WAAW,SAAsD;AACrE,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO,WAAW,KAAK,OAAO,OAAO,UAAU,QAAQ,MAAM;AAExF,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,eAAe,eAAe,KAAK,OAAO,YAAY;AAAA,QACxD;AAAA,MACF,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,YAAY,MAAM,SAAS,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACxD,cAAM,YAAY;AAElB,YAAI;AACJ,YAAI;AAEJ,YAAI,OAAO,UAAU,UAAU,YAAY,UAAU,OAAO;AAC1D,sBAAY,UAAU,MAAM,QAAQ,KAAK,yBAAyB,SAAS,MAAM;AACjF,yBAAe,UAAU,MAAM,WAAW;AAAA,QAC5C,OAAO;AACL,sBAAY,KAAK,yBAAyB,SAAS,MAAM;AACzD,yBAAe,OAAO,UAAU,UAAU,WAAW,UAAU,QAAQ;AAAA,QACzE;AAEA,cAAM,IAAI,eAAe,cAAc,WAAW,SAAS,MAAM;AAAA,MACnE;AAEA,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AAEA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AAEA,YAAM,IAAI,eAAe,kBAAkB,gBAAgB;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,yBAAyB,QAAwB;AACvD,YAAQ,QAAQ;AAAA,MACd,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AACH,eAAO;AAAA,MACT;AACE,eAAO;AAAA,IACX;AAAA,EACF;AACF;AAwBA,IAAM,oBAAN,MAAwB;AAAA,EACd;AAAA,EAER,YAAY,QAAwB;AAClC,SAAK,SAAS;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,uBACJ,SACqC;AACrC,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,UAChB,eAAe,UAAU,QAAQ,WAAW;AAAA,QAC9C;AAAA,QACA,MAAM,KAAK,UAAU;AAAA,UACnB,UAAU,KAAK,OAAO;AAAA,QACxB,CAAC;AAAA,MACH,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,KAAK,oBAAoB,QAAQ;AAAA,MACzC;AAEA,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AACA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AACA,YAAM,IAAI,eAAe,kBAAkB,gBAAgB;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,mBACJ,SACsC;AACtC,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAgC;AAAA,MACpC,UAAU,KAAK,OAAO;AAAA,MACtB,cAAc,QAAQ;AAAA,IACxB;AAEA,QAAI,QAAQ,YAAY;AACtB,WAAK,cAAc,QAAQ;AAAA,IAC7B;AAEA,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,UAChB,eAAe,UAAU,QAAQ,WAAW;AAAA,QAC9C;AAAA,QACA,MAAM,KAAK,UAAU,IAAI;AAAA,MAC3B,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,KAAK,oBAAoB,QAAQ;AAAA,MACzC;AAEA,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AACA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AACA,YAAM,IAAI,eAAe,kBAAkB,gBAAgB;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,yBACJ,SACuC;AACvC,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAA+B;AAAA,MACnC,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,QAAI,SAAS,OAAO;AAClB,WAAK,QAAQ,QAAQ;AAAA,IACvB;AAEA,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,QAClB;AAAA,QACA,MAAM,KAAK,UAAU,IAAI;AAAA,MAC3B,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,KAAK,oBAAoB,QAAQ;AAAA,MACzC;AAEA,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AACA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AACA,YAAM,IAAI,eAAe,kBAAkB,gBAAgB;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,aAAa,SAAqE;AACtF,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX,UAAU,KAAK,OAAO;AAAA,MACtB,gBAAgB,QAAQ;AAAA,IAC1B;AAEA,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,QAClB;AAAA,QACA,MAAM,KAAK,UAAU,IAAI;AAAA,MAC3B,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,KAAK,oBAAoB,QAAQ;AAAA,MACzC;AAEA,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AACA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AACA,YAAM,IAAI,eAAe,kBAAkB,gBAAgB;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiBA,MAAM,aAAa,SAA6D;AAC9E,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,UAChB,eAAe,UAAU,QAAQ,WAAW;AAAA,QAC9C;AAAA,QACA,MAAM,KAAK,UAAU;AAAA,UACnB,UAAU,KAAK,OAAO;AAAA,QACxB,CAAC;AAAA,MACH,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,KAAK,oBAAoB,QAAQ;AAAA,MACzC;AAEA,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AACA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AACA,YAAM,IAAI,eAAe,kBAAkB,gBAAgB;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiBA,MAAM,cAAc,SAA8D;AAChF,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO,sBAAsB,mBAAmB,QAAQ,YAAY,CAAC;AAEhG,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,UAChB,eAAe,UAAU,QAAQ,WAAW;AAAA,QAC9C;AAAA,QACA,MAAM,KAAK,UAAU;AAAA,UACnB,UAAU,KAAK,OAAO;AAAA,QACxB,CAAC;AAAA,MACH,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,KAAK,oBAAoB,QAAQ;AAAA,MACzC;AAEA,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AACA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AACA,YAAM,IAAI,eAAe,kBAAkB,gBAAgB;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAc,oBAAoB,UAAoC;AACpE,UAAM,YAAY,MAAM,SAAS,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACxD,UAAM,YAAY;AAElB,QAAI;AACJ,QAAI;AAEJ,QAAI,OAAO,UAAU,UAAU,YAAY,UAAU,OAAO;AAC1D,kBAAY,UAAU,MAAM,QAAQ,KAAK,yBAAyB,SAAS,MAAM;AACjF,qBAAe,UAAU,MAAM,WAAW;AAAA,IAC5C,OAAO;AACL,kBAAY,KAAK,yBAAyB,SAAS,MAAM;AACzD,qBAAe,OAAO,UAAU,UAAU,WAAW,UAAU,QAAQ;AAAA,IACzE;AAEA,UAAM,IAAI,eAAe,cAAc,WAAW,SAAS,MAAM;AAAA,EACnE;AAAA;AAAA;AAAA;AAAA,EAKQ,yBAAyB,QAAwB;AACvD,YAAQ,QAAQ;AAAA,MACd,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AACH,eAAO;AAAA,MACT;AACE,eAAO;AAAA,IACX;AAAA,EACF;AACF;AAkBO,SAAS,uBAAuB,QAA6B;AAClE,QAAM,QAAQ,IAAI,WAAW,MAAM;AACnC,MAAI,SAAS;AACb,aAAW,QAAQ,OAAO;AACxB,cAAU,OAAO,aAAa,IAAI;AAAA,EACpC;AACA,SAAO,KAAK,MAAM,EAAE,QAAQ,OAAO,GAAG,EAAE,QAAQ,OAAO,GAAG,EAAE,QAAQ,OAAO,EAAE;AAC/E;AAcO,SAAS,uBAAuB,WAAgC;AAErE,QAAM,SAAS,UAAU,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG;AAE7D,QAAM,SAAS,SAAS,IAAI,QAAQ,IAAK,OAAO,SAAS,KAAM,CAAC;AAEhE,QAAM,SAAS,KAAK,MAAM;AAC1B,QAAM,QAAQ,IAAI,WAAW,OAAO,MAAM;AAC1C,WAAS,IAAI,GAAG,IAAI,OAAO,QAAQ,KAAK;AACtC,UAAM,CAAC,IAAI,OAAO,WAAW,CAAC;AAAA,EAChC;AACA,SAAO,MAAM;AACf;AAgBO,SAAS,2BACd,SACoC;AACpC,SAAO;AAAA,IACL,WAAW,uBAAuB,QAAQ,SAAS;AAAA,IACnD,IAAI,QAAQ;AAAA,IACZ,MAAM;AAAA,MACJ,IAAI,IAAI,YAAY,EAAE,OAAO,QAAQ,KAAK,EAAE;AAAA,MAC5C,MAAM,QAAQ,KAAK;AAAA,MACnB,aAAa,QAAQ,KAAK;AAAA,IAC5B;AAAA,IACA,kBAAkB,QAAQ;AAAA,IAC1B,oBAAoB,QAAQ,mBAAmB,IAAI,CAAC,UAAU;AAAA,MAC5D,IAAI,uBAAuB,KAAK,EAAE;AAAA,MAClC,MAAM,KAAK;AAAA,MACX,YAAY,KAAK;AAAA,IACnB,EAAE;AAAA,IACF,wBAAwB,QAAQ;AAAA,IAChC,SAAS,QAAQ;AAAA,IACjB,aAAa,QAAQ;AAAA,EACvB;AACF;AAgBO,SAAS,6BACd,SACmC;AACnC,SAAO;AAAA,IACL,WAAW,uBAAuB,QAAQ,SAAS;AAAA,IACnD,MAAM,QAAQ;AAAA,IACd,kBAAkB,QAAQ,iBAAiB,IAAI,CAAC,UAAU;AAAA,MACxD,IAAI,uBAAuB,KAAK,EAAE;AAAA,MAClC,MAAM,KAAK;AAAA,MACX,YAAY,KAAK;AAAA,IACnB,EAAE;AAAA,IACF,kBAAkB,QAAQ;AAAA,IAC1B,SAAS,QAAQ;AAAA,EACnB;AACF;AAgBO,SAAS,2BAA2B,YAUzC;AACA,QAAM,WAAW,WAAW;AAE5B,SAAO;AAAA,IACL,IAAI,WAAW;AAAA,IACf,OAAO,uBAAuB,WAAW,KAAK;AAAA,IAC9C,MAAM;AAAA,IACN,UAAU;AAAA,MACR,gBAAgB,uBAAuB,SAAS,cAAc;AAAA,MAC9D,mBAAmB,uBAAuB,SAAS,iBAAiB;AAAA,MACpE,YAAY,SAAS,gBAAgB;AAAA,IACvC;AAAA,IACA,yBAAyB,WAAW;AAAA,EAItC;AACF;AAgBO,SAAS,6BAA6B,YAW3C;AACA,QAAM,WAAW,WAAW;AAE5B,SAAO;AAAA,IACL,IAAI,WAAW;AAAA,IACf,OAAO,uBAAuB,WAAW,KAAK;AAAA,IAC9C,MAAM;AAAA,IACN,UAAU;AAAA,MACR,gBAAgB,uBAAuB,SAAS,cAAc;AAAA,MAC9D,mBAAmB,uBAAuB,SAAS,iBAAiB;AAAA,MACpE,WAAW,uBAAuB,SAAS,SAAS;AAAA,MACpD,YAAY,SAAS,aAAa,uBAAuB,SAAS,UAAU,IAAI;AAAA,IAClF;AAAA,IACA,yBAAyB,WAAW;AAAA,EAItC;AACF;","names":[]}

package/dist/{chunk-WON3EB4B.js → chunk-IU57RXBC.js}

@@ -1,6 +1,6 @@
 import {
   OvixaAuthError
-} from "./chunk-5ZWKDQQM.js";
+} from "./chunk-5QEKSWV4.js";
 
 // src/middleware/types.ts
 var DEFAULT_COOKIE_OPTIONS = {
@@ -140,4 +140,4 @@ export {
   setAuthCookies,
   clearAuthCookies
 };
-//# sourceMappingURL=chunk-WON3EB4B.js.map
+//# sourceMappingURL=chunk-IU57RXBC.js.map

package/dist/index.d.ts

@@ -285,6 +285,42 @@ interface VerifyPasskeyAuthenticationOptions {
         clientExtensionResults?: Record<string, unknown>;
     };
 }
+/**
+ * Options for listing passkeys.
+ */
+interface ListPasskeysOptions {
+    /** Access token (user must be logged in) */
+    accessToken: string;
+}
+/**
+ * Passkey information returned from listPasskeys.
+ */
+interface Passkey {
+    /** The credential ID (base64url-encoded) */
+    credential_id: string;
+    /** Optional friendly name for the passkey */
+    device_name: string | null;
+    /** When the passkey was registered */
+    created_at: string;
+    /** When the passkey was last used */
+    last_used_at: string | null;
+}
+/**
+ * Response from listPasskeys.
+ */
+interface ListPasskeysResponse {
+    /** Array of passkeys */
+    passkeys: Passkey[];
+}
+/**
+ * Options for deleting a passkey.
+ */
+interface DeletePasskeyOptions {
+    /** Access token (user must be logged in) */
+    accessToken: string;
+    /** The credential ID to delete */
+    credentialId: string;
+}
 /**
  * Options for generating OAuth URL.
  */
@@ -604,155 +640,6 @@ declare class OvixaAuth {
      * ```
      */
     getOAuthUrl(options: GetOAuthUrlOptions): string;
-    /**
-     * Get registration options for creating a new passkey.
-     *
-     * The user must be logged in to register a passkey. Use the returned options
-     * with navigator.credentials.create() to create the credential.
-     *
-     * @param options - Registration options with access token
-     * @returns Registration options to pass to navigator.credentials.create()
-     * @throws {OvixaAuthError} If request fails
-     *
-     * @example
-     * ```typescript
-     * // User must be logged in
-     * const options = await auth.getPasskeyRegistrationOptions({
-     *   accessToken: session.accessToken,
-     * });
-     *
-     * // Create the credential using the browser API
-     * const credential = await navigator.credentials.create({
-     *   publicKey: {
-     *     ...options,
-     *     challenge: base64UrlToArrayBuffer(options.challenge),
-     *     user: {
-     *       ...options.user,
-     *       id: new TextEncoder().encode(options.user.id),
-     *     },
-     *     excludeCredentials: options.excludeCredentials.map(c => ({
-     *       ...c,
-     *       id: base64UrlToArrayBuffer(c.id),
-     *     })),
-     *   },
-     * });
-     *
-     * // Verify the registration with the server
-     * await auth.verifyPasskeyRegistration({
-     *   accessToken: session.accessToken,
-     *   registration: formatRegistrationResponse(credential),
-     *   deviceName: 'My MacBook',
-     * });
-     * ```
-     */
-    getPasskeyRegistrationOptions(options: GetPasskeyRegistrationOptionsOptions): Promise<PasskeyRegistrationOptions>;
-    /**
-     * Verify a passkey registration and store the credential.
-     *
-     * Call this after navigator.credentials.create() succeeds to complete the
-     * registration on the server.
-     *
-     * @param options - Verification options with registration response
-     * @returns Registration response with credential ID
-     * @throws {OvixaAuthError} If verification fails
-     *
-     * @example
-     * ```typescript
-     * const result = await auth.verifyPasskeyRegistration({
-     *   accessToken: session.accessToken,
-     *   registration: {
-     *     id: credential.id,
-     *     rawId: arrayBufferToBase64Url(credential.rawId),
-     *     type: 'public-key',
-     *     response: {
-     *       clientDataJSON: arrayBufferToBase64Url(credential.response.clientDataJSON),
-     *       attestationObject: arrayBufferToBase64Url(credential.response.attestationObject),
-     *       transports: credential.response.getTransports?.(),
-     *     },
-     *   },
-     *   deviceName: 'My MacBook',
-     * });
-     *
-     * console.log('Passkey registered:', result.credential_id);
-     * ```
-     */
-    verifyPasskeyRegistration(options: VerifyPasskeyRegistrationOptions): Promise<PasskeyRegistrationResponse>;
-    /**
-     * Get authentication options for signing in with a passkey.
-     *
-     * Use the returned options with navigator.credentials.get() to authenticate.
-     *
-     * @param options - Optional email for allowCredentials hint
-     * @returns Authentication options to pass to navigator.credentials.get()
-     * @throws {OvixaAuthError} If request fails
-     *
-     * @example
-     * ```typescript
-     * // Option 1: Discoverable credentials (no email needed)
-     * const options = await auth.getPasskeyAuthenticationOptions();
-     *
-     * // Option 2: Provide email for allowCredentials hint
-     * const options = await auth.getPasskeyAuthenticationOptions({
-     *   email: 'user@example.com',
-     * });
-     *
-     * // Authenticate using the browser API
-     * const credential = await navigator.credentials.get({
-     *   publicKey: {
-     *     ...options,
-     *     challenge: base64UrlToArrayBuffer(options.challenge),
-     *     allowCredentials: options.allowCredentials.map(c => ({
-     *       ...c,
-     *       id: base64UrlToArrayBuffer(c.id),
-     *     })),
-     *   },
-     * });
-     *
-     * // Verify and get tokens
-     * const tokens = await auth.verifyPasskeyAuthentication({
-     *   authentication: formatAuthenticationResponse(credential),
-     * });
-     * ```
-     */
-    getPasskeyAuthenticationOptions(options?: GetPasskeyAuthenticationOptionsOptions): Promise<PasskeyAuthenticationOptions>;
-    /**
-     * Verify a passkey authentication and get tokens.
-     *
-     * Call this after navigator.credentials.get() succeeds to complete the
-     * authentication and receive access/refresh tokens.
-     *
-     * @param options - Verification options with authentication response
-     * @returns Token response with access and refresh tokens
-     * @throws {OvixaAuthError} If verification fails
-     *
-     * @example
-     * ```typescript
-     * const tokens = await auth.verifyPasskeyAuthentication({
-     *   authentication: {
-     *     id: credential.id,
-     *     rawId: arrayBufferToBase64Url(credential.rawId),
-     *     type: 'public-key',
-     *     response: {
-     *       clientDataJSON: arrayBufferToBase64Url(credential.response.clientDataJSON),
-     *       authenticatorData: arrayBufferToBase64Url(credential.response.authenticatorData),
-     *       signature: arrayBufferToBase64Url(credential.response.signature),
-     *       userHandle: credential.response.userHandle
-     *         ? arrayBufferToBase64Url(credential.response.userHandle)
-     *         : null,
-     *     },
-     *   },
-     * });
-     *
-     * // Use the tokens
-     * console.log('Logged in!', tokens.access_token);
-     * ```
-     */
-    verifyPasskeyAuthentication(options: VerifyPasskeyAuthenticationOptions): Promise<TokenResponse>;
-    /**
-     * Handle error response from the server.
-     * @throws {OvixaAuthError} Always throws with appropriate error details
-     */
-    private handleErrorResponse;
     /**
      * Exchange an OAuth authorization code for tokens.
      *
@@ -873,6 +760,35 @@ declare class OvixaAuth {
      * ```
      */
     get admin(): OvixaAuthAdmin;
+    /**
+     * Get the WebAuthn API interface for passkey operations.
+     *
+     * The WebAuthn namespace provides methods for registering and authenticating
+     * with passkeys, as well as managing existing passkeys.
+     *
+     * @returns OvixaAuthWebAuthn interface for passkey operations
+     *
+     * @example
+     * ```typescript
+     * const auth = new OvixaAuth({
+     *   authUrl: 'https://auth.ovixa.io',
+     *   realmId: 'your-realm',
+     * });
+     *
+     * // Register a passkey
+     * const options = await auth.webauthn.getRegistrationOptions({ accessToken });
+     *
+     * // Authenticate with passkey
+     * const authOptions = await auth.webauthn.getAuthenticationOptions();
+     *
+     * // List passkeys
+     * const { passkeys } = await auth.webauthn.listPasskeys({ accessToken });
+     *
+     * // Delete a passkey
+     * await auth.webauthn.deletePasskey({ accessToken, credentialId });
+     * ```
+     */
+    get webauthn(): OvixaAuthWebAuthn;
 }
 /**
  * Admin API interface for realm-scoped operations.
@@ -921,6 +837,118 @@ declare class OvixaAuthAdmin {
      */
     private mapHttpStatusToErrorCode;
 }
+/**
+ * WebAuthn namespace API for passkey operations.
+ *
+ * Access via `auth.webauthn` property.
+ *
+ * @example
+ * ```typescript
+ * // Register a new passkey
+ * const options = await auth.webauthn.getRegistrationOptions({ accessToken });
+ * // ... use browser API to create credential ...
+ * await auth.webauthn.verifyRegistration({ accessToken, registration, deviceName });
+ *
+ * // Authenticate with passkey
+ * const authOptions = await auth.webauthn.getAuthenticationOptions();
+ * // ... use browser API to get credential ...
+ * const tokens = await auth.webauthn.authenticate({ authentication });
+ *
+ * // Manage passkeys
+ * const { passkeys } = await auth.webauthn.listPasskeys({ accessToken });
+ * await auth.webauthn.deletePasskey({ accessToken, credentialId: passkeys[0].credential_id });
+ * ```
+ */
+declare class OvixaAuthWebAuthn {
+    private config;
+    constructor(config: InternalConfig);
+    /**
+     * Get registration options for creating a new passkey.
+     *
+     * The user must be logged in to register a passkey. Use the returned options
+     * with navigator.credentials.create() to create the credential.
+     *
+     * @param options - Registration options with access token
+     * @returns Registration options to pass to navigator.credentials.create()
+     * @throws {OvixaAuthError} If request fails
+     */
+    getRegistrationOptions(options: GetPasskeyRegistrationOptionsOptions): Promise<PasskeyRegistrationOptions>;
+    /**
+     * Verify a passkey registration and store the credential.
+     *
+     * Call this after navigator.credentials.create() succeeds to complete the
+     * registration on the server.
+     *
+     * @param options - Verification options with registration response
+     * @returns Registration response with credential ID
+     * @throws {OvixaAuthError} If verification fails
+     */
+    verifyRegistration(options: VerifyPasskeyRegistrationOptions): Promise<PasskeyRegistrationResponse>;
+    /**
+     * Get authentication options for signing in with a passkey.
+     *
+     * Use the returned options with navigator.credentials.get() to authenticate.
+     *
+     * @param options - Optional email for allowCredentials hint
+     * @returns Authentication options to pass to navigator.credentials.get()
+     * @throws {OvixaAuthError} If request fails
+     */
+    getAuthenticationOptions(options?: GetPasskeyAuthenticationOptionsOptions): Promise<PasskeyAuthenticationOptions>;
+    /**
+     * Verify a passkey authentication and get tokens.
+     *
+     * Call this after navigator.credentials.get() succeeds to complete the
+     * authentication and receive access/refresh tokens.
+     *
+     * @param options - Verification options with authentication response
+     * @returns Token response with access and refresh tokens
+     * @throws {OvixaAuthError} If verification fails
+     */
+    authenticate(options: VerifyPasskeyAuthenticationOptions): Promise<TokenResponse>;
+    /**
+     * List all passkeys for the authenticated user.
+     *
+     * @param options - Options with access token
+     * @returns List of passkeys
+     * @throws {OvixaAuthError} If request fails
+     *
+     * @example
+     * ```typescript
+     * const { passkeys } = await auth.webauthn.listPasskeys({ accessToken });
+     * for (const passkey of passkeys) {
+     *   console.log(passkey.device_name, passkey.created_at);
+     * }
+     * ```
+     */
+    listPasskeys(options: ListPasskeysOptions): Promise<ListPasskeysResponse>;
+    /**
+     * Delete a passkey for the authenticated user.
+     *
+     * @param options - Options with access token and credential ID
+     * @returns Success response
+     * @throws {OvixaAuthError} If deletion fails
+     *
+     * @example
+     * ```typescript
+     * await auth.webauthn.deletePasskey({
+     *   accessToken,
+     *   credentialId: 'credential-id-to-delete',
+     * });
+     * ```
+     */
+    deletePasskey(options: DeletePasskeyOptions): Promise<{
+        success: boolean;
+    }>;
+    /**
+     * Handle error response from the server.
+     * @throws {OvixaAuthError} Always throws with appropriate error details
+     */
+    private handleErrorResponse;
+    /**
+     * Map HTTP status codes to error codes.
+     */
+    private mapHttpStatusToErrorCode;
+}
 /**
  * Convert an ArrayBuffer to a base64url-encoded string.
  * Used to encode credential IDs and other binary data for API calls.
@@ -1029,4 +1057,4 @@ declare function formatAuthenticationResponse(credential: PublicKeyCredential):
     authenticatorAttachment?: 'platform' | 'cross-platform';
 };
 
-export { type AccessTokenPayload, type AuthClientConfig, type AuthResult, type DeleteMyAccountOptions, type DeleteUserOptions, type ForgotPasswordOptions, type GetOAuthUrlOptions, type GetPasskeyAuthenticationOptionsOptions, type GetPasskeyRegistrationOptionsOptions, type LoginOptions, type OAuthProvider, OvixaAuth, OvixaAuthError, type PasskeyAuthenticationOptions, type PasskeyRegistrationOptions, type PasskeyRegistrationResponse, type ResendVerificationOptions, type ResetPasswordOptions, type Session, type SignupOptions, type SignupResponse, type SuccessResponse, type TokenResponse, type User, type VerifyEmailOptions, type VerifyPasskeyAuthenticationOptions, type VerifyPasskeyRegistrationOptions, type VerifyResult, arrayBufferToBase64Url, base64UrlToArrayBuffer, formatAuthenticationResponse, formatRegistrationResponse, prepareAuthenticationOptions, prepareRegistrationOptions };
+export { type AccessTokenPayload, type AuthClientConfig, type AuthResult, type DeleteMyAccountOptions, type DeletePasskeyOptions, type DeleteUserOptions, type ForgotPasswordOptions, type GetOAuthUrlOptions, type GetPasskeyAuthenticationOptionsOptions, type GetPasskeyRegistrationOptionsOptions, type ListPasskeysOptions, type ListPasskeysResponse, type LoginOptions, type OAuthProvider, OvixaAuth, OvixaAuthError, type Passkey, type PasskeyAuthenticationOptions, type PasskeyRegistrationOptions, type PasskeyRegistrationResponse, type ResendVerificationOptions, type ResetPasswordOptions, type Session, type SignupOptions, type SignupResponse, type SuccessResponse, type TokenResponse, type User, type VerifyEmailOptions, type VerifyPasskeyAuthenticationOptions, type VerifyPasskeyRegistrationOptions, type VerifyResult, arrayBufferToBase64Url, base64UrlToArrayBuffer, formatAuthenticationResponse, formatRegistrationResponse, prepareAuthenticationOptions, prepareRegistrationOptions };

package/dist/index.js

@@ -7,7 +7,7 @@ import {
   formatRegistrationResponse,
   prepareAuthenticationOptions,
   prepareRegistrationOptions
-} from "./chunk-5ZWKDQQM.js";
+} from "./chunk-5QEKSWV4.js";
 export {
   OvixaAuth,
   OvixaAuthError,

package/dist/middleware/astro.js

@@ -3,8 +3,8 @@ import {
   clearAuthCookies,
   isPublicRoute,
   setAuthCookies
-} from "../chunk-WON3EB4B.js";
-import "../chunk-5ZWKDQQM.js";
+} from "../chunk-IU57RXBC.js";
+import "../chunk-5QEKSWV4.js";
 
 // src/middleware/astro.ts
 var AstroCookieAdapter = class {

package/dist/middleware/express.js

@@ -3,8 +3,8 @@ import {
   clearAuthCookies,
   isPublicRoute,
   setAuthCookies
-} from "../chunk-WON3EB4B.js";
-import "../chunk-5ZWKDQQM.js";
+} from "../chunk-IU57RXBC.js";
+import "../chunk-5QEKSWV4.js";
 
 // src/middleware/express.ts
 var ExpressCookieAdapter = class {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ovixa/auth-client",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "description": "Client SDK for Ovixa Auth service",
   "type": "module",
   "main": "./dist/index.js",