@pymthouse/builder-sdk 0.3.0 → 0.4.1-rc.1

package/dist/signer/server.js

@@ -19,8 +19,14 @@ var PmtHouseError = class extends Error {
 };
 
 // src/signer/handler-errors.ts
-function signerHandlerErrorResponse(error) {
+function isPmtHouseError(error) {
   if (error instanceof PmtHouseError) {
+    return true;
+  }
+  return error instanceof Error && typeof error.status === "number" && typeof error.code === "string";
+}
+function signerHandlerErrorResponse(error) {
+  if (isPmtHouseError(error)) {
     return new Response(
       JSON.stringify({
         error: error.code,
@@ -48,17 +54,14 @@ function createSignerTokenManager(options) {
   const ttlRefreshRatio = options.ttlRefreshRatio ?? 0.8;
   const cache = /* @__PURE__ */ new Map();
   const inflight = /* @__PURE__ */ new Map();
-  function keyFor(externalUserId) {
-    return cacheKey(options.publicClientId, externalUserId);
-  }
   function isUsable(entry, now, forceRefresh) {
     if (forceRefresh) return false;
     if (now >= entry.expiresAt) return false;
     if (now >= entry.refreshAt) return false;
     return true;
   }
-  async function refresh(externalUserId) {
-    const key = keyFor(externalUserId);
+  async function refresh(publicClientId, externalUserId) {
+    const key = cacheKey(publicClientId, externalUserId);
     const existing = inflight.get(key);
     if (existing) {
       return existing;
@@ -79,22 +82,22 @@ function createSignerTokenManager(options) {
     return promise;
   }
   return {
-    peek(externalUserId) {
-      return cache.get(keyFor(externalUserId));
+    peek(publicClientId, externalUserId) {
+      return cache.get(cacheKey(publicClientId, externalUserId));
     },
-    invalidate(externalUserId) {
-      const key = keyFor(externalUserId);
+    invalidate(publicClientId, externalUserId) {
+      const key = cacheKey(publicClientId, externalUserId);
       cache.delete(key);
       inflight.delete(key);
     },
-    async getToken(externalUserId, getOptions = {}) {
+    async getToken(publicClientId, externalUserId, getOptions = {}) {
       const now = Date.now();
-      const key = keyFor(externalUserId);
+      const key = cacheKey(publicClientId, externalUserId);
       const cached = cache.get(key);
       if (cached && isUsable(cached, now, getOptions.forceRefresh === true)) {
         return cached;
       }
-      return refresh(externalUserId);
+      return refresh(publicClientId, externalUserId);
     }
   };
 }
@@ -212,13 +215,6 @@ async function forwardDirectSignerRequest(options) {
   return fetchImpl(target, init);
 }
 
-// src/encoding.ts
-function encodeClientSecretBasic(clientId, clientSecret) {
-  const raw = `${clientId}:${clientSecret}`;
-  const b64 = typeof Buffer !== "undefined" ? Buffer.from(raw, "utf8").toString("base64") : btoa(Array.from(new TextEncoder().encode(raw), (c) => String.fromCharCode(c)).join(""));
-  return `Basic ${b64}`;
-}
-
 // src/string-utils.ts
 function stripTrailingSlashes(value) {
   let end = value.length;
@@ -250,986 +246,896 @@ function stripIssuerOriginFromOidcUrl(issuerUrl) {
   base = stripSuffixIgnoreCase(base, "/oidc");
   return stripTrailingSlashes(base);
 }
-
-// src/ingest.ts
-function signerSnapshotToIngestPayload(input) {
-  return {
-    requestId: input.snapshot.requestId,
-    externalUserId: input.externalUserId,
-    networkFeeUsdMicros: input.snapshot.computedFeeUsdMicros.toString(),
-    feeWei: input.snapshot.computedFeeWei,
-    pixels: input.snapshot.pixels,
-    pipeline: input.snapshot.pipeline,
-    modelId: input.snapshot.modelId,
-    gatewayRequestId: input.gatewayRequestId,
-    ethUsdPrice: input.snapshot.ethUsdPrice,
-    ethUsdRoundId: input.snapshot.ethUsdRoundId,
-    ethUsdObservedAt: input.snapshot.ethUsdObservedAt
-  };
-}
-function ingestUrl(issuerUrl, publicClientId) {
-  const origin = new URL(stripTrailingSlashes(issuerUrl)).origin;
-  return `${origin}/api/v1/apps/${encodeURIComponent(publicClientId)}/usage/signed-tickets`;
+var CACHE_TTL_MS = 5 * 60 * 1e3;
+var discoveryCache = /* @__PURE__ */ new Map();
+function normalizedIssuerKey(issuerUrl) {
+  return stripTrailingSlashes(issuerUrl);
 }
-async function readJsonResponse(response) {
-  const text = await response.text();
-  if (!text.trim()) {
-    return {};
+async function loadAuthorizationServer(issuerUrl, fetchImpl, options = {}) {
+  const key = normalizedIssuerKey(issuerUrl);
+  const now = Date.now();
+  const cached = discoveryCache.get(key);
+  if (!options.force && cached && now - cached.fetchedAt < CACHE_TTL_MS) {
+    return cached.as;
+  }
+  const issuerIdentifier = new URL(key);
+  const discoveryOpts = {
+    algorithm: "oidc",
+    [customFetch]: fetchImpl
+  };
+  if (options.allowInsecureHttp) {
+    discoveryOpts[allowInsecureRequests] = true;
   }
+  let response;
   try {
-    const parsed = JSON.parse(text);
-    return typeof parsed === "object" && parsed !== null && !Array.isArray(parsed) ? parsed : {};
-  } catch {
-    return {};
+    response = await discoveryRequest(issuerIdentifier, discoveryOpts);
+  } catch (e) {
+    throw mapDiscoveryNetworkError(e);
   }
-}
-async function ingestSignedTicket(options) {
-  const fetchImpl = options.fetch ?? fetch;
-  const url = ingestUrl(options.issuerUrl, options.publicClientId);
-  const response = await fetchImpl(url, {
-    method: "POST",
-    headers: {
-      Authorization: encodeClientSecretBasic(options.m2mClientId, options.m2mClientSecret),
-      "Content-Type": "application/json",
-      Accept: "application/json"
-    },
-    body: JSON.stringify(options.ticket),
-    cache: "no-store"
-  });
-  const body = await readJsonResponse(response);
-  if (!response.ok) {
-    const message = typeof body.error === "string" ? body.error : `Signed-ticket ingest failed (${response.status})`;
-    throw new PmtHouseError(message, {
-      status: response.status,
-      code: "ingest_failed",
-      details: body
-    });
+  let as;
+  try {
+    as = await processDiscoveryResponse(issuerIdentifier, response);
+  } catch (e) {
+    throw mapOAuthDiscoveryError(e);
   }
-  return {
-    ingested: Boolean(body.ingested),
-    duplicate: Boolean(body.duplicate),
-    source: body.source === "openmeter" ? "openmeter" : "disabled"
-  };
-}
-
-// src/signer/proxy.ts
-var HTTP_DMZ_TOKEN_MAX_ENTRIES = 100;
-var HTTP_DMZ_TOKEN_TTL_MS = 3.5 * 60 * 1e3;
-var DEFAULT_PROBE_SUBJECT = "signer-reachability-probe";
-var httpDmzTokenCache = /* @__PURE__ */ new Map();
-function normalizeSignerBaseUrl(base) {
-  return stripTrailingSlashes(base);
+  discoveryCache.set(key, { as, fetchedAt: now });
+  return as;
 }
-function joinSignerUrl(baseUrl, path) {
-  if (path.startsWith("/")) {
-    return `${baseUrl}${path}`;
+function mapOAuthDiscoveryError(error) {
+  if (error instanceof PmtHouseError) {
+    return error;
   }
-  return `${baseUrl}/${path}`;
-}
-function aliasBodyString(raw) {
-  if (raw === void 0 || raw === null) {
-    return null;
+  if (error instanceof Error) {
+    return new PmtHouseError(error.message, {
+      status: 500,
+      code: "oidc_discovery_invalid",
+      details: { cause: error.cause }
+    });
   }
-  if (typeof raw === "string") {
-    return raw.length > 0 ? raw : null;
+  return new PmtHouseError("OIDC discovery failed", {
+    status: 500,
+    code: "oidc_discovery_invalid"
+  });
+}
+function mapDiscoveryNetworkError(error) {
+  if (error instanceof PmtHouseError) {
+    return error;
   }
-  if (typeof raw === "number" || typeof raw === "boolean" || typeof raw === "bigint") {
-    return String(raw);
+  if (error instanceof Error) {
+    return new PmtHouseError(`Failed to load OIDC discovery: ${error.message}`, {
+      status: 502,
+      code: "oidc_discovery_failed"
+    });
   }
-  return null;
+  return new PmtHouseError("Failed to load OIDC discovery", {
+    status: 502,
+    code: "oidc_discovery_failed"
+  });
 }
-function resolveSignerBaseUrl(input) {
-  if (input.testSignerUrl?.trim()) {
-    return normalizeSignerBaseUrl(input.testSignerUrl);
-  }
-  const legacyBareSignerPort = 8081;
-  const rawPort = input.storedPort ?? input.defaultPort ?? 8080;
-  const port = rawPort === legacyBareSignerPort ? 8080 : rawPort;
-  const base = input.envUrl?.trim() || input.storedUrl?.trim() || `http://127.0.0.1:${port}`;
-  return normalizeSignerBaseUrl(base);
+
+// src/encoding.ts
+function encodeClientSecretBasic(clientId, clientSecret) {
+  const raw = `${clientId}:${clientSecret}`;
+  const b64 = typeof Buffer !== "undefined" ? Buffer.from(raw, "utf8").toString("base64") : btoa(Array.from(new TextEncoder().encode(raw), (c) => String.fromCharCode(c)).join(""));
+  return `Basic ${b64}`;
 }
-async function getCachedDmzBearerToken(subject, gate, getDmzToken) {
-  const cacheKey2 = `${gate}:${subject}`;
-  const now = Date.now();
-  const cached = httpDmzTokenCache.get(cacheKey2);
-  if (cached && cached.expMs > now + 15e3) {
-    httpDmzTokenCache.delete(cacheKey2);
-    httpDmzTokenCache.set(cacheKey2, cached);
-    return cached.token;
+
+// src/signer/fetch-json.ts
+function oauthFailureDescription(parsed, failureLabel, status) {
+  if (typeof parsed.error_description === "string") {
+    return parsed.error_description;
   }
-  const token = await getDmzToken(subject, gate);
-  httpDmzTokenCache.set(cacheKey2, { token, expMs: now + HTTP_DMZ_TOKEN_TTL_MS });
-  if (httpDmzTokenCache.size > HTTP_DMZ_TOKEN_MAX_ENTRIES) {
-    const oldest = httpDmzTokenCache.keys().next().value;
-    if (oldest !== void 0) {
-      httpDmzTokenCache.delete(oldest);
-    }
+  if (typeof parsed.error === "string") {
+    return parsed.error;
   }
-  return token;
+  return `${failureLabel} (${status})`;
 }
-async function readSignerUpstreamBody(response) {
+async function readJsonObjectFromResponse(response, options) {
   const text = await response.text();
-  if (!text.trim()) {
-    return {};
-  }
+  let parsed;
   try {
-    return JSON.parse(text);
+    parsed = text ? JSON.parse(text) : {};
   } catch {
-    return {
-      error: "Signer DMZ returned a non-JSON body (often Apache auth failure)",
-      upstreamStatus: response.status,
-      detail: text.slice(0, 800)
-    };
+    throw new PmtHouseError(options.invalidJsonMessage, {
+      status: 502,
+      code: options.invalidJsonCode,
+      details: { status: response.status }
+    });
   }
-}
-function pickConflictingStringAliases(body, ...keys) {
-  const values = keys.map((key) => {
-    const value = aliasBodyString(body[key]);
-    return value === null ? null : { key, value };
-  }).filter((entry) => entry !== null);
-  const first = values[0];
-  const conflict = values.find((entry) => entry.value !== first?.value);
-  if (first && conflict) {
-    return {
-      ok: false,
-      message: `Conflicting ${keys.join("/")} in request body`
-    };
+  if (!response.ok) {
+    const description = oauthFailureDescription(parsed, options.failureLabel, response.status);
+    throw new PmtHouseError(description, {
+      status: response.status,
+      code: typeof parsed.error === "string" ? parsed.error : options.defaultErrorCode,
+      details: parsed
+    });
   }
-  return { ok: true, value: first?.value };
+  return parsed;
 }
-function pickConflictingNumberAliases(body, ...keys) {
-  const parseNum = (value) => {
-    if (typeof value === "number" && Number.isFinite(value)) {
-      return value;
-    }
-    if (typeof value === "string" && value.trim() !== "") {
-      const parsed = Number(value);
-      return Number.isFinite(parsed) ? parsed : void 0;
-    }
-    return void 0;
-  };
-  const values = keys.map((key) => {
-    const value = parseNum(body[key]);
-    return value === void 0 ? null : { key, value };
-  }).filter((entry) => entry !== null);
-  const first = values[0];
-  const conflict = values.find((entry) => entry.value !== first?.value);
-  if (first && conflict) {
-    return {
-      ok: false,
-      message: `Conflicting ${keys.join("/")} in request body`
-    };
+
+// src/signer/json-fields.ts
+function readStringField(body, key, errorCode, messagePrefix = "Response") {
+  const value = body[key];
+  if (typeof value !== "string" || !value.trim()) {
+    throw new PmtHouseError(`${messagePrefix} missing ${key}`, {
+      status: 502,
+      code: errorCode
+    });
   }
-  return { ok: true, value: first?.value };
+  return value.trim();
 }
-function pickString(obj, ...keys) {
-  for (const key of keys) {
-    const value = obj[key];
-    if (typeof value === "string" && value.trim()) {
-      return value.trim();
-    }
-    if (typeof value === "number" && Number.isFinite(value)) {
-      return String(Math.trunc(value));
-    }
+function readExpiresIn(body, errorCode) {
+  const expiresIn = body.expires_in;
+  if (typeof expiresIn !== "number" || !Number.isFinite(expiresIn) || expiresIn <= 0) {
+    throw new PmtHouseError("Response missing expires_in", {
+      status: 502,
+      code: errorCode
+    });
   }
-  return "";
+  return Math.floor(expiresIn);
 }
-function parseSignerUsageSnapshot(body) {
-  if (body === null || typeof body !== "object" || Array.isArray(body)) {
-    return null;
-  }
-  const record = body;
-  const usageRaw = record.usage;
-  if (usageRaw === null || typeof usageRaw !== "object" || Array.isArray(usageRaw)) {
-    return null;
-  }
-  const usage = usageRaw;
-  const computedFeeWei = pickString(usage, "computed_fee_wei", "computedFeeWei");
-  const usdMicrosStr = pickString(usage, "computed_fee_usd_micros", "computedFeeUsdMicros");
-  const requestId = pickString(usage, "request_id", "requestId");
-  if (!computedFeeWei || !usdMicrosStr || !requestId) {
-    return null;
-  }
-  let computedFeeUsdMicros;
-  try {
-    computedFeeUsdMicros = BigInt(usdMicrosStr);
-  } catch {
-    return null;
-  }
+
+// src/signer/mint-token.ts
+var SIGN_MINT_USER_TOKEN_SCOPE = "sign:mint_user_token";
+var LIVEPEER_REMOTE_SIGNER_AUDIENCE = "livepeer-remote-signer";
+var DEFAULT_TTL_REFRESH_RATIO = 0.8;
+var TOKEN_RESPONSE_ERROR = "invalid_token_response";
+function signerJwtAudience(issuerUrl) {
+  return stripTrailingSlashes(issuerUrl);
+}
+function parseMintUserSignerTokenResponse(body, ttlRefreshRatio = DEFAULT_TTL_REFRESH_RATIO) {
+  const accessToken = readStringField(body, "access_token", TOKEN_RESPONSE_ERROR, "Token response");
+  const expiresIn = readExpiresIn(body, TOKEN_RESPONSE_ERROR);
+  const balanceUsdMicros = readStringField(
+    body,
+    "balanceUsdMicros",
+    TOKEN_RESPONSE_ERROR,
+    "Token response"
+  );
+  const lifetimeGrantedUsdMicros = readStringField(
+    body,
+    "lifetimeGrantedUsdMicros",
+    TOKEN_RESPONSE_ERROR,
+    "Token response"
+  );
+  const now = Date.now();
+  const expiresAt = now + expiresIn * 1e3;
+  const refreshAt = now + Math.floor(expiresIn * 1e3 * ttlRefreshRatio);
   return {
-    requestId,
-    computedFeeWei,
-    computedFeeUsdMicros,
-    ethUsdPrice: pickString(usage, "eth_usd_price", "ethUsdPrice") || void 0,
-    ethUsdRoundId: pickString(usage, "eth_usd_round_id", "ethUsdRoundId") || void 0,
-    ethUsdObservedAt: pickString(usage, "eth_usd_updated_at", "ethUsdUpdatedAt", "eth_usd_observed_at") || void 0,
-    pixels: pickString(usage, "pixels") || void 0,
-    billableSecs: pickString(usage, "billable_secs", "billableSecs") || void 0,
-    pipeline: pickString(usage, "pipeline") || void 0,
-    modelId: pickString(usage, "model_id", "modelId") || void 0
+    jwt: accessToken,
+    expiresAt,
+    refreshAt,
+    balanceUsdMicros,
+    lifetimeGrantedUsdMicros
   };
 }
-function stripSignerUsageFromResponse(body) {
-  if (body !== null && typeof body === "object" && !Array.isArray(body)) {
-    delete body.usage;
-  }
-}
-async function forwardToSigner(options) {
+async function mintUserSignerToken(options) {
   const fetchImpl = options.fetch ?? fetch;
-  const baseUrl = normalizeSignerBaseUrl(options.baseUrl);
-  const url = joinSignerUrl(baseUrl, options.path);
-  const timeoutMs = options.timeoutMs ?? 3e4;
-  const controller = new AbortController();
-  const timeout = setTimeout(() => controller.abort(), timeoutMs);
-  const headers = { "Content-Type": "application/json" };
-  const attachJwt = options.forwardJwt ?? true;
-  if (attachJwt) {
-    const token = await getCachedDmzBearerToken(
-      options.subject,
-      "http",
-      options.getDmzToken
-    );
-    headers.Authorization = `Bearer ${token}`;
+  const issuerUrl = stripTrailingSlashes(options.issuerUrl);
+  const as = await loadAuthorizationServer(issuerUrl, fetchImpl, {
+    allowInsecureHttp: options.allowInsecureHttp
+  });
+  const tokenEndpoint = as.token_endpoint;
+  if (!tokenEndpoint) {
+    throw new PmtHouseError("OIDC discovery document is missing token_endpoint", {
+      status: 500,
+      code: "oidc_discovery_invalid"
+    });
   }
-  if (options.extraHeaders) {
-    for (const [name, value] of Object.entries(options.extraHeaders)) {
-      if (value.trim()) {
-        headers[name] = value.trim();
+  const audience = signerJwtAudience(issuerUrl);
+  const body = new URLSearchParams({
+    grant_type: "client_credentials",
+    scope: SIGN_MINT_USER_TOKEN_SCOPE,
+    external_user_id: options.externalUserId,
+    audience
+  });
+  const response = await fetchImpl(tokenEndpoint, {
+    method: "POST",
+    headers: {
+      Authorization: encodeClientSecretBasic(options.m2mClientId, options.m2mClientSecret),
+      "Content-Type": "application/x-www-form-urlencoded",
+      Accept: "application/json"
+    },
+    body: body.toString(),
+    cache: "no-store"
+  });
+  const parsed = await readJsonObjectFromResponse(response, {
+    invalidJsonMessage: "Token endpoint returned invalid JSON",
+    invalidJsonCode: TOKEN_RESPONSE_ERROR,
+    failureLabel: "Token mint failed",
+    defaultErrorCode: "token_mint_failed"
+  });
+  return parseMintUserSignerTokenResponse(parsed);
+}
+
+// src/signer/device-exchange.ts
+var TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange";
+var SUBJECT_ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token";
+var EXCHANGE_RESPONSE_ERROR = "invalid_exchange_response";
+function extractSignerAccessTokenFromExchangeBody(body) {
+  const tokenObj = body.token;
+  if (tokenObj !== null && typeof tokenObj === "object" && !Array.isArray(tokenObj)) {
+    const nested = tokenObj;
+    for (const key of ["accessToken", "access_token"]) {
+      const value = nested[key];
+      if (typeof value === "string" && value.trim()) {
+        return value.trim();
       }
     }
   }
-  try {
-    const response = await fetchImpl(url, {
-      method: options.method,
-      headers,
-      body: options.body === void 0 ? void 0 : JSON.stringify(options.body),
-      signal: controller.signal
-    });
-    return {
-      response,
-      requestUrl: url,
-      authorizationHeader: headers.Authorization
-    };
-  } finally {
-    clearTimeout(timeout);
+  for (const key of ["accessToken", "access_token"]) {
+    const value = body[key];
+    if (typeof value === "string" && value.trim()) {
+      return value.trim();
+    }
   }
+  throw new PmtHouseError("Device exchange response missing signer access token", {
+    status: 502,
+    code: "invalid_exchange_response"
+  });
 }
-function createSignerProbeContext(options) {
-  return {
-    fetchImpl: options.fetch ?? fetch,
-    signerUrl: normalizeSignerBaseUrl(options.signerUrl),
-    timeoutMs: options.timeoutMs ?? 5e3,
-    probeSubject: options.probeSubject ?? DEFAULT_PROBE_SUBJECT,
-    useJwt: options.forwardJwt ?? true,
-    getDmzToken: options.getDmzToken
+function normalizeDeviceExchangeResponse(minted, options) {
+  const scope = minted.scope.trim() || "sign:job";
+  const body = {
+    access_token: minted.access_token,
+    token_type: "Bearer",
+    expires_in: minted.expires_in,
+    scope,
+    balanceUsdMicros: minted.balanceUsdMicros,
+    lifetimeGrantedUsdMicros: minted.lifetimeGrantedUsdMicros,
+    token: {
+      accessToken: minted.access_token,
+      access_token: minted.access_token,
+      expiresIn: minted.expires_in,
+      expires_in: minted.expires_in,
+      scope,
+      balanceUsdMicros: minted.balanceUsdMicros,
+      lifetimeGrantedUsdMicros: minted.lifetimeGrantedUsdMicros
+    }
   };
-}
-function reachableResult(ethAddress) {
-  return { reachable: true, ethAddress };
-}
-async function fetchSignerStatus(ctx, headers) {
-  const response = await ctx.fetchImpl(`${ctx.signerUrl}/status`, {
-    headers,
-    signal: AbortSignal.timeout(ctx.timeoutMs)
-  });
-  if (!response.ok) {
-    return { ok: false };
+  const signerUrl = options?.signerUrl?.trim();
+  if (signerUrl) {
+    body.signerUrl = signerUrl;
   }
-  const data = await readSignerUpstreamBody(response);
-  const ethAddress = typeof data.Address === "string" && data.Address || typeof data.address === "string" && data.address || void 0;
-  return { ok: true, ethAddress };
+  return body;
 }
-async function tryJwtStatus(ctx) {
-  if (!ctx.useJwt) {
-    return null;
-  }
+async function parseDeviceExchangeRequestBody(request) {
+  let body;
   try {
-    const token = await ctx.getDmzToken(ctx.probeSubject, "http");
-    const { ok, ethAddress } = await fetchSignerStatus(ctx, {
-      Authorization: `Bearer ${token}`
-    });
-    return ok ? reachableResult(ethAddress) : null;
+    body = await request.json();
   } catch {
-    return null;
+    throw new PmtHouseError("Request body must be JSON", {
+      status: 400,
+      code: "invalid_request"
+    });
   }
-}
-async function tryPlainStatus(ctx) {
-  try {
-    const { ok, ethAddress } = await fetchSignerStatus(ctx, {});
-    return ok ? reachableResult(ethAddress) : null;
-  } catch {
-    return null;
+  if (body === null || typeof body !== "object" || Array.isArray(body)) {
+    throw new PmtHouseError("Request body must be a JSON object", {
+      status: 400,
+      code: "invalid_request"
+    });
   }
-}
-async function trySigningProbe(ctx) {
-  try {
-    const token = await ctx.getDmzToken(ctx.probeSubject, "http");
-    const response = await ctx.fetchImpl(`${ctx.signerUrl}/sign-orchestrator-info`, {
-      method: "POST",
-      headers: {
-        Authorization: `Bearer ${token}`,
-        "Content-Type": "application/json"
-      },
-      body: "{}",
-      signal: AbortSignal.timeout(ctx.timeoutMs)
+  const record = body;
+  const deviceTokenRaw = record.deviceToken;
+  if (typeof deviceTokenRaw !== "string" || !deviceTokenRaw.trim()) {
+    throw new PmtHouseError("Request body must include deviceToken", {
+      status: 400,
+      code: "invalid_request"
     });
-    return response.ok;
-  } catch {
-    return false;
   }
+  const deviceToken = deviceTokenRaw.trim();
+  const scope = typeof record.scope === "string" && record.scope.trim() ? record.scope.trim() : void 0;
+  const clientId = typeof record.clientId === "string" && record.clientId.trim() ? record.clientId.trim() : void 0;
+  return { deviceToken, scope, clientId };
 }
-async function runSignerReachabilityProbes(ctx) {
-  const jwtResult = await tryJwtStatus(ctx);
-  if (jwtResult) {
-    return jwtResult;
+async function mintSignerTokenFromDeviceToken(options) {
+  const fetchImpl = options.fetch ?? fetch;
+  const issuerUrl = stripTrailingSlashes(options.issuerUrl);
+  const as = await loadAuthorizationServer(issuerUrl, fetchImpl, {
+    allowInsecureHttp: options.allowInsecureHttp
+  });
+  const tokenEndpoint = as.token_endpoint;
+  if (!tokenEndpoint) {
+    throw new PmtHouseError("OIDC discovery document is missing token_endpoint", {
+      status: 500,
+      code: "oidc_discovery_invalid"
+    });
   }
-  const plainResult = await tryPlainStatus(ctx);
-  if (plainResult) {
-    return plainResult;
-  }
-  if (await trySigningProbe(ctx)) {
-    return reachableResult();
-  }
-  return { reachable: false };
-}
-async function probeSignerHttpReachability(options) {
-  const ctx = createSignerProbeContext(options);
-  try {
-    const health = await ctx.fetchImpl(`${ctx.signerUrl}/healthz`, {
-      signal: AbortSignal.timeout(ctx.timeoutMs)
-    });
-    if (health.ok) {
-      return runSignerReachabilityProbes(ctx);
-    }
-  } catch {
-  }
-  return runSignerReachabilityProbes(ctx);
-}
-
-// src/signer/types.ts
-function resolvesToHostedMetering(mode) {
-  return mode === "pymthouse_hosted";
-}
-
-// src/signer/metering.ts
-async function forwardWithOptionalMetering(input) {
-  const upstream = await input.forward();
-  const mode = input.config.metering?.mode;
-  if (!resolvesToHostedMetering(mode)) {
-    return upstream;
-  }
-  const body = await readSignerUpstreamBody(upstream);
-  const snapshot = upstream.ok && body !== null && typeof body === "object" ? parseSignerUsageSnapshot(body) : null;
-  if (snapshot) {
-    stripSignerUsageFromResponse(body);
-  }
-  if (upstream.ok && snapshot && snapshot.computedFeeUsdMicros > 0n) {
-    try {
-      await ingestSignedTicket({
-        issuerUrl: input.config.pymthouseIssuerUrl,
-        publicClientId: input.config.pymthouseClientId,
-        m2mClientId: input.config.pymthouseM2MClientId,
-        m2mClientSecret: input.config.pymthouseM2MClientSecret,
-        ticket: signerSnapshotToIngestPayload({
-          snapshot,
-          externalUserId: input.externalUserId
-        }),
-        fetch: input.config.fetch
-      });
-    } catch (err) {
-      console.warn("[builder-sdk] signed-ticket ingest failed:", err);
-    }
-  }
-  const headers = new Headers(upstream.headers);
-  if (!headers.has("content-type")) {
-    headers.set("Content-Type", "application/json");
-  }
-  return new Response(JSON.stringify(body), {
-    status: upstream.status,
-    statusText: upstream.statusText,
-    headers
+  const audience = options.audience?.trim() || signerJwtAudience(issuerUrl);
+  const params = new URLSearchParams({
+    grant_type: TOKEN_EXCHANGE_GRANT,
+    subject_token: options.deviceToken,
+    subject_token_type: SUBJECT_ACCESS_TOKEN_TYPE,
+    audience,
+    resource: audience
   });
-}
-var CACHE_TTL_MS = 5 * 60 * 1e3;
-var discoveryCache = /* @__PURE__ */ new Map();
-function normalizedIssuerKey(issuerUrl) {
-  return stripTrailingSlashes(issuerUrl);
-}
-async function loadAuthorizationServer(issuerUrl, fetchImpl, options = {}) {
-  const key = normalizedIssuerKey(issuerUrl);
-  const now = Date.now();
-  const cached = discoveryCache.get(key);
-  if (!options.force && cached && now - cached.fetchedAt < CACHE_TTL_MS) {
-    return cached.as;
+  if (options.scope?.trim()) {
+    params.set("scope", options.scope.trim());
   }
-  const issuerIdentifier = new URL(key);
-  const discoveryOpts = {
-    algorithm: "oidc",
-    [customFetch]: fetchImpl
+  const response = await fetchImpl(tokenEndpoint, {
+    method: "POST",
+    headers: {
+      Authorization: encodeClientSecretBasic(options.m2mClientId, options.m2mClientSecret),
+      "Content-Type": "application/x-www-form-urlencoded",
+      Accept: "application/json"
+    },
+    body: params.toString(),
+    cache: "no-store"
+  });
+  const parsed = await readJsonObjectFromResponse(response, {
+    invalidJsonMessage: "Token endpoint returned invalid JSON",
+    invalidJsonCode: "invalid_token_response",
+    failureLabel: "Signer JWT exchange failed",
+    defaultErrorCode: "token_exchange_failed"
+  });
+  const cached = parseMintUserSignerTokenResponse(parsed);
+  return {
+    access_token: cached.jwt,
+    expires_in: readExpiresIn(parsed, EXCHANGE_RESPONSE_ERROR),
+    scope: readStringField(parsed, "scope", EXCHANGE_RESPONSE_ERROR),
+    balanceUsdMicros: cached.balanceUsdMicros,
+    lifetimeGrantedUsdMicros: cached.lifetimeGrantedUsdMicros
   };
-  if (options.allowInsecureHttp) {
-    discoveryOpts[allowInsecureRequests] = true;
-  }
-  let response;
-  try {
-    response = await discoveryRequest(issuerIdentifier, discoveryOpts);
-  } catch (e) {
-    throw mapDiscoveryNetworkError(e);
-  }
-  let as;
-  try {
-    as = await processDiscoveryResponse(issuerIdentifier, response);
-  } catch (e) {
-    throw mapOAuthDiscoveryError(e);
-  }
-  discoveryCache.set(key, { as, fetchedAt: now });
-  return as;
 }
-function mapOAuthDiscoveryError(error) {
-  if (error instanceof PmtHouseError) {
-    return error;
+async function exchangeDeviceTokenForSigner(options) {
+  const fetchImpl = options.fetch ?? fetch;
+  const url = `${stripTrailingSlashes(options.facadeUrl)}/api/signer/device/exchange`;
+  const body = { deviceToken: options.deviceToken };
+  if (options.scope?.trim()) {
+    body.scope = options.scope.trim();
   }
-  if (error instanceof Error) {
-    return new PmtHouseError(error.message, {
-      status: 500,
-      code: "oidc_discovery_invalid",
-      details: { cause: error.cause }
-    });
+  if (options.clientId?.trim()) {
+    body.clientId = options.clientId.trim();
   }
-  return new PmtHouseError("OIDC discovery failed", {
-    status: 500,
-    code: "oidc_discovery_invalid"
+  const response = await fetchImpl(url, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Accept: "application/json"
+    },
+    body: JSON.stringify(body),
+    cache: "no-store"
+  });
+  const parsed = await readJsonObjectFromResponse(response, {
+    invalidJsonMessage: "Device exchange returned invalid JSON",
+    invalidJsonCode: EXCHANGE_RESPONSE_ERROR,
+    failureLabel: "Device exchange failed",
+    defaultErrorCode: "device_exchange_failed"
   });
+  const accessToken = extractSignerAccessTokenFromExchangeBody(parsed);
+  const signerUrlRaw = parsed.signerUrl ?? parsed.signer_url;
+  const signerUrl = typeof signerUrlRaw === "string" && signerUrlRaw.trim() ? signerUrlRaw.trim() : void 0;
+  return normalizeDeviceExchangeResponse(
+    {
+      access_token: accessToken,
+      expires_in: readExpiresIn(parsed, EXCHANGE_RESPONSE_ERROR),
+      scope: typeof parsed.scope === "string" && parsed.scope.trim() ? parsed.scope.trim() : "sign:job",
+      balanceUsdMicros: typeof parsed.balanceUsdMicros === "string" ? parsed.balanceUsdMicros : "0",
+      lifetimeGrantedUsdMicros: typeof parsed.lifetimeGrantedUsdMicros === "string" ? parsed.lifetimeGrantedUsdMicros : "0"
+    },
+    { signerUrl }
+  );
 }
-function mapDiscoveryNetworkError(error) {
-  if (error instanceof PmtHouseError) {
-    return error;
-  }
-  if (error instanceof Error) {
-    return new PmtHouseError(`Failed to load OIDC discovery: ${error.message}`, {
-      status: 502,
-      code: "oidc_discovery_failed"
-    });
+function resolveMint(config) {
+  if ("mint" in config && typeof config.mint === "function") {
+    return config.mint;
   }
-  return new PmtHouseError("Failed to load OIDC discovery", {
-    status: 502,
-    code: "oidc_discovery_failed"
+  return (deviceToken, context) => mintSignerTokenFromDeviceToken({
+    issuerUrl: config.issuerUrl,
+    m2mClientId: config.m2mClientId,
+    m2mClientSecret: config.m2mClientSecret,
+    deviceToken,
+    scope: context.scope,
+    audience: config.audience,
+    fetch: config.fetch,
+    allowInsecureHttp: config.allowInsecureHttp
   });
 }
-
-// src/signer/fetch-json.ts
-function oauthFailureDescription(parsed, failureLabel, status) {
-  if (typeof parsed.error_description === "string") {
-    return parsed.error_description;
+function resolveSignerUrlFromConfig(config) {
+  if ("signerUrl" in config && typeof config.signerUrl === "string" && config.signerUrl.trim()) {
+    return config.signerUrl.trim();
   }
-  if (typeof parsed.error === "string") {
-    return parsed.error;
+  if ("getSignerUrl" in config && typeof config.getSignerUrl === "function") {
+    return config.getSignerUrl();
   }
-  return `${failureLabel} (${status})`;
+  return void 0;
 }
-async function readJsonObjectFromResponse(response, options) {
-  const text = await response.text();
-  let parsed;
+function createDeviceExchangeHandler(config) {
+  const mint = resolveMint(config);
+  return async function deviceExchangeHandler(request) {
+    try {
+      if (request.method !== "POST") {
+        return new Response(JSON.stringify({ error: "method_not_allowed" }), {
+          status: 405,
+          headers: { "Content-Type": "application/json" }
+        });
+      }
+      const parsed = await parseDeviceExchangeRequestBody(request);
+      const minted = await mint(parsed.deviceToken, {
+        scope: parsed.scope,
+        clientId: parsed.clientId
+      });
+      const signerUrlValue = await resolveSignerUrlFromConfig(config);
+      const body = normalizeDeviceExchangeResponse(minted, {
+        signerUrl: typeof signerUrlValue === "string" ? signerUrlValue : void 0
+      });
+      return new Response(JSON.stringify(body), {
+        status: 200,
+        headers: {
+          "Content-Type": "application/json",
+          "Cache-Control": "no-store"
+        }
+      });
+    } catch (error) {
+      return signerHandlerErrorResponse(error);
+    }
+  };
+}
+
+// src/signer/api-key-exchange.ts
+var EXCHANGE_RESPONSE_ERROR2 = "invalid_exchange_response";
+async function parseApiKeyExchangeRequestBody(request) {
+  let body;
   try {
-    parsed = text ? JSON.parse(text) : {};
+    body = await request.json();
   } catch {
-    throw new PmtHouseError(options.invalidJsonMessage, {
-      status: 502,
-      code: options.invalidJsonCode,
-      details: { status: response.status }
+    throw new PmtHouseError("Request body must be JSON", {
+      status: 400,
+      code: "invalid_request"
     });
   }
-  if (!response.ok) {
-    const description = oauthFailureDescription(parsed, options.failureLabel, response.status);
-    throw new PmtHouseError(description, {
-      status: response.status,
-      code: typeof parsed.error === "string" ? parsed.error : options.defaultErrorCode,
-      details: parsed
+  if (body === null || typeof body !== "object" || Array.isArray(body)) {
+    throw new PmtHouseError("Request body must be a JSON object", {
+      status: 400,
+      code: "invalid_request"
     });
   }
-  return parsed;
-}
-
-// src/signer/json-fields.ts
-function readStringField(body, key, errorCode, messagePrefix = "Response") {
-  const value = body[key];
-  if (typeof value !== "string" || !value.trim()) {
-    throw new PmtHouseError(`${messagePrefix} missing ${key}`, {
-      status: 502,
-      code: errorCode
+  const record = body;
+  const apiKeyRaw = record.apiKey;
+  if (typeof apiKeyRaw !== "string" || !apiKeyRaw.trim()) {
+    throw new PmtHouseError("Request body must include apiKey", {
+      status: 400,
+      code: "invalid_request"
     });
   }
-  return value.trim();
+  const scope = typeof record.scope === "string" && record.scope.trim() ? record.scope.trim() : void 0;
+  const clientId = typeof record.clientId === "string" && record.clientId.trim() ? record.clientId.trim() : void 0;
+  return { apiKey: apiKeyRaw.trim(), scope, clientId };
 }
-function readExpiresIn(body, errorCode) {
-  const expiresIn = body.expires_in;
-  if (typeof expiresIn !== "number" || !Number.isFinite(expiresIn) || expiresIn <= 0) {
-    throw new PmtHouseError("Response missing expires_in", {
+async function mintUserAccessTokenFromApiKey(input) {
+  const fetchImpl = input.fetch ?? fetch;
+  const issuerOrigin = stripIssuerOriginFromOidcUrl(input.issuerUrl);
+  const url = `${issuerOrigin}/api/v1/apps/${encodeURIComponent(input.publicClientId)}/auth/api-key/token`;
+  const response = await fetchImpl(url, {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${input.apiKey}`,
+      "Content-Type": "application/json",
+      Accept: "application/json"
+    },
+    body: JSON.stringify(input.scope ? { scope: input.scope } : {}),
+    cache: "no-store"
+  });
+  const parsed = await readJsonObjectFromResponse(response, {
+    invalidJsonMessage: "API key token exchange returned invalid JSON",
+    invalidJsonCode: "invalid_token_response",
+    failureLabel: "API key token exchange failed",
+    defaultErrorCode: "api_key_token_exchange_failed"
+  });
+  const accessToken = parsed.access_token;
+  if (typeof accessToken !== "string" || !accessToken.trim()) {
+    throw new PmtHouseError("API key token exchange missing access_token", {
       status: 502,
-      code: errorCode
+      code: EXCHANGE_RESPONSE_ERROR2
     });
   }
-  return Math.floor(expiresIn);
-}
-
-// src/signer/mint-token.ts
-var SIGN_MINT_USER_TOKEN_SCOPE = "sign:mint_user_token";
-var LIVEPEER_REMOTE_SIGNER_AUDIENCE = "livepeer-remote-signer";
-var DEFAULT_TTL_REFRESH_RATIO = 0.8;
-var TOKEN_RESPONSE_ERROR = "invalid_token_response";
-function parseMintUserSignerTokenResponse(body, ttlRefreshRatio = DEFAULT_TTL_REFRESH_RATIO) {
-  const accessToken = readStringField(body, "access_token", TOKEN_RESPONSE_ERROR, "Token response");
-  const expiresIn = readExpiresIn(body, TOKEN_RESPONSE_ERROR);
-  const balanceUsdMicros = readStringField(
-    body,
-    "balanceUsdMicros",
-    TOKEN_RESPONSE_ERROR,
-    "Token response"
-  );
-  const lifetimeGrantedUsdMicros = readStringField(
-    body,
-    "lifetimeGrantedUsdMicros",
-    TOKEN_RESPONSE_ERROR,
-    "Token response"
-  );
-  const now = Date.now();
-  const expiresAt = now + expiresIn * 1e3;
-  const refreshAt = now + Math.floor(expiresIn * 1e3 * ttlRefreshRatio);
+  const expiresIn = typeof parsed.expires_in === "number" && Number.isFinite(parsed.expires_in) ? parsed.expires_in : 900;
+  const scope = typeof parsed.scope === "string" && parsed.scope.trim() ? parsed.scope.trim() : input.scope?.trim() || "sign:job";
   return {
-    jwt: accessToken,
-    expiresAt,
-    refreshAt,
-    balanceUsdMicros,
-    lifetimeGrantedUsdMicros
+    access_token: accessToken.trim(),
+    expires_in: expiresIn,
+    scope
   };
 }
-async function mintUserSignerToken(options) {
-  const fetchImpl = options.fetch ?? fetch;
-  const issuerUrl = stripTrailingSlashes(options.issuerUrl);
-  const as = await loadAuthorizationServer(issuerUrl, fetchImpl, {
-    allowInsecureHttp: options.allowInsecureHttp
+async function mintSignerSessionFromApiKey(input) {
+  const userToken = await mintUserAccessTokenFromApiKey({
+    issuerUrl: input.issuerUrl,
+    publicClientId: input.publicClientId,
+    apiKey: input.apiKey,
+    scope: input.scope,
+    fetch: input.fetch
   });
-  const tokenEndpoint = as.token_endpoint;
-  if (!tokenEndpoint) {
-    throw new PmtHouseError("OIDC discovery document is missing token_endpoint", {
-      status: 500,
-      code: "oidc_discovery_invalid"
-    });
-  }
-  const body = new URLSearchParams({
-    grant_type: "client_credentials",
-    scope: SIGN_MINT_USER_TOKEN_SCOPE,
-    external_user_id: options.externalUserId,
-    audience: LIVEPEER_REMOTE_SIGNER_AUDIENCE
+  return mintSignerTokenFromDeviceToken({
+    issuerUrl: input.issuerUrl,
+    m2mClientId: input.m2mClientId,
+    m2mClientSecret: input.m2mClientSecret,
+    deviceToken: userToken.access_token,
+    scope: userToken.scope,
+    audience: input.audience,
+    fetch: input.fetch,
+    allowInsecureHttp: input.allowInsecureHttp
   });
-  const response = await fetchImpl(tokenEndpoint, {
+}
+async function exchangeApiKeyForSigner(options) {
+  const fetchImpl = options.fetch ?? fetch;
+  const url = `${stripTrailingSlashes(options.facadeUrl)}/api/pymthouse/keys/exchange`;
+  const body = { apiKey: options.apiKey };
+  if (options.scope?.trim()) {
+    body.scope = options.scope.trim();
+  }
+  if (options.clientId?.trim()) {
+    body.clientId = options.clientId.trim();
+  }
+  const response = await fetchImpl(url, {
     method: "POST",
     headers: {
-      Authorization: encodeClientSecretBasic(options.m2mClientId, options.m2mClientSecret),
-      "Content-Type": "application/x-www-form-urlencoded",
+      "Content-Type": "application/json",
       Accept: "application/json"
     },
-    body: body.toString(),
+    body: JSON.stringify(body),
     cache: "no-store"
   });
   const parsed = await readJsonObjectFromResponse(response, {
-    invalidJsonMessage: "Token endpoint returned invalid JSON",
-    invalidJsonCode: TOKEN_RESPONSE_ERROR,
-    failureLabel: "Token mint failed",
-    defaultErrorCode: "token_mint_failed"
+    invalidJsonMessage: "API key exchange returned invalid JSON",
+    invalidJsonCode: EXCHANGE_RESPONSE_ERROR2,
+    failureLabel: "API key exchange failed",
+    defaultErrorCode: "api_key_exchange_failed"
   });
-  return parseMintUserSignerTokenResponse(parsed);
+  const accessToken = extractSignerAccessTokenFromExchangeBody(parsed);
+  const signerUrlRaw = parsed.signerUrl ?? parsed.signer_url;
+  const signerUrl = typeof signerUrlRaw === "string" && signerUrlRaw.trim() ? signerUrlRaw.trim() : void 0;
+  return normalizeDeviceExchangeResponse(
+    {
+      access_token: accessToken,
+      expires_in: typeof parsed.expires_in === "number" && Number.isFinite(parsed.expires_in) ? parsed.expires_in : 3600,
+      scope: typeof parsed.scope === "string" && parsed.scope.trim() ? parsed.scope.trim() : "sign:job",
+      balanceUsdMicros: typeof parsed.balanceUsdMicros === "string" ? parsed.balanceUsdMicros : "0",
+      lifetimeGrantedUsdMicros: typeof parsed.lifetimeGrantedUsdMicros === "string" ? parsed.lifetimeGrantedUsdMicros : "0"
+    },
+    { signerUrl }
+  );
 }
-
-// src/signer/device-exchange.ts
-var TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange";
-var SUBJECT_ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token";
-var EXCHANGE_RESPONSE_ERROR = "invalid_exchange_response";
-function extractSignerAccessTokenFromExchangeBody(body) {
-  const tokenObj = body.token;
-  if (tokenObj !== null && typeof tokenObj === "object" && !Array.isArray(tokenObj)) {
-    const nested = tokenObj;
-    for (const key of ["accessToken", "access_token"]) {
-      const value = nested[key];
-      if (typeof value === "string" && value.trim()) {
-        return value.trim();
+function createApiKeyExchangeHandler(config) {
+  const publicClientId = config.publicClientId.trim();
+  return async function apiKeyExchangeHandler(request) {
+    try {
+      if (request.method !== "POST") {
+        return new Response(JSON.stringify({ error: "method_not_allowed" }), {
+          status: 405,
+          headers: { "Content-Type": "application/json" }
+        });
       }
+      const parsed = await parseApiKeyExchangeRequestBody(request);
+      const effectiveClientId = parsed.clientId?.trim() || publicClientId;
+      if (effectiveClientId !== publicClientId) {
+        throw new PmtHouseError("clientId does not match configured public client", {
+          status: 400,
+          code: "invalid_request"
+        });
+      }
+      const minted = await mintSignerSessionFromApiKey({
+        issuerUrl: config.issuerUrl,
+        publicClientId,
+        m2mClientId: config.m2mClientId,
+        m2mClientSecret: config.m2mClientSecret,
+        apiKey: parsed.apiKey,
+        scope: parsed.scope,
+        audience: config.audience,
+        fetch: config.fetch,
+        allowInsecureHttp: config.allowInsecureHttp
+      });
+      const signerUrlValue = typeof config.signerUrl === "string" && config.signerUrl.trim() ? config.signerUrl.trim() : void 0;
+      const body = normalizeDeviceExchangeResponse(minted, { signerUrl: signerUrlValue });
+      return new Response(JSON.stringify(body), {
+        status: 200,
+        headers: {
+          "Content-Type": "application/json",
+          "Cache-Control": "no-store"
+        }
+      });
+    } catch (error) {
+      return signerHandlerErrorResponse(error);
+    }
+  };
+}
+
+// src/signer/proxy.ts
+var HTTP_DMZ_TOKEN_MAX_ENTRIES = 100;
+var HTTP_DMZ_TOKEN_TTL_MS = 3.5 * 60 * 1e3;
+var DEFAULT_PROBE_SUBJECT = "signer-reachability-probe";
+var httpDmzTokenCache = /* @__PURE__ */ new Map();
+function normalizeSignerBaseUrl(base) {
+  return stripTrailingSlashes(base);
+}
+function joinSignerUrl(baseUrl, path) {
+  if (path.startsWith("/")) {
+    return `${baseUrl}${path}`;
+  }
+  return `${baseUrl}/${path}`;
+}
+function aliasBodyString(raw) {
+  if (raw === void 0 || raw === null) {
+    return null;
+  }
+  if (typeof raw === "string") {
+    return raw.length > 0 ? raw : null;
+  }
+  if (typeof raw === "number" || typeof raw === "boolean" || typeof raw === "bigint") {
+    return String(raw);
+  }
+  return null;
+}
+function resolveSignerBaseUrl(input) {
+  if (input.testSignerUrl?.trim()) {
+    return normalizeSignerBaseUrl(input.testSignerUrl);
+  }
+  const legacyBareSignerPort = 8081;
+  const rawPort = input.storedPort ?? input.defaultPort ?? 8080;
+  const port = rawPort === legacyBareSignerPort ? 8080 : rawPort;
+  const base = input.envUrl?.trim() || input.storedUrl?.trim() || `http://127.0.0.1:${port}`;
+  return normalizeSignerBaseUrl(base);
+}
+async function getCachedDmzBearerToken(subject, gate, getDmzToken) {
+  const cacheKey2 = `${gate}:${subject}`;
+  const now = Date.now();
+  const cached = httpDmzTokenCache.get(cacheKey2);
+  if (cached && cached.expMs > now + 15e3) {
+    httpDmzTokenCache.delete(cacheKey2);
+    httpDmzTokenCache.set(cacheKey2, cached);
+    return cached.token;
+  }
+  const token = await getDmzToken(subject, gate);
+  httpDmzTokenCache.set(cacheKey2, { token, expMs: now + HTTP_DMZ_TOKEN_TTL_MS });
+  if (httpDmzTokenCache.size > HTTP_DMZ_TOKEN_MAX_ENTRIES) {
+    const oldest = httpDmzTokenCache.keys().next().value;
+    if (oldest !== void 0) {
+      httpDmzTokenCache.delete(oldest);
+    }
+  }
+  return token;
+}
+async function readSignerUpstreamBody(response) {
+  const text = await response.text();
+  if (!text.trim()) {
+    return {};
+  }
+  try {
+    return JSON.parse(text);
+  } catch {
+    return {
+      error: "Signer DMZ returned a non-JSON body (often Apache auth failure)",
+      upstreamStatus: response.status,
+      detail: text.slice(0, 800)
+    };
+  }
+}
+function pickConflictingStringAliases(body, ...keys) {
+  const values = keys.map((key) => {
+    const value = aliasBodyString(body[key]);
+    return value === null ? null : { key, value };
+  }).filter((entry) => entry !== null);
+  const first = values[0];
+  const conflict = values.find((entry) => entry.value !== first?.value);
+  if (first && conflict) {
+    return {
+      ok: false,
+      message: `Conflicting ${keys.join("/")} in request body`
+    };
+  }
+  return { ok: true, value: first?.value };
+}
+function pickConflictingNumberAliases(body, ...keys) {
+  const parseNum = (value) => {
+    if (typeof value === "number" && Number.isFinite(value)) {
+      return value;
+    }
+    if (typeof value === "string" && value.trim() !== "") {
+      const parsed = Number(value);
+      return Number.isFinite(parsed) ? parsed : void 0;
     }
+    return void 0;
+  };
+  const values = keys.map((key) => {
+    const value = parseNum(body[key]);
+    return value === void 0 ? null : { key, value };
+  }).filter((entry) => entry !== null);
+  const first = values[0];
+  const conflict = values.find((entry) => entry.value !== first?.value);
+  if (first && conflict) {
+    return {
+      ok: false,
+      message: `Conflicting ${keys.join("/")} in request body`
+    };
   }
-  for (const key of ["accessToken", "access_token"]) {
-    const value = body[key];
+  return { ok: true, value: first?.value };
+}
+function pickString(obj, ...keys) {
+  for (const key of keys) {
+    const value = obj[key];
     if (typeof value === "string" && value.trim()) {
       return value.trim();
     }
-  }
-  throw new PmtHouseError("Device exchange response missing signer access token", {
-    status: 502,
-    code: "invalid_exchange_response"
-  });
-}
-function normalizeDeviceExchangeResponse(minted, options) {
-  const scope = minted.scope.trim() || "sign:job";
-  const body = {
-    access_token: minted.access_token,
-    token_type: "Bearer",
-    expires_in: minted.expires_in,
-    scope,
-    balanceUsdMicros: minted.balanceUsdMicros,
-    lifetimeGrantedUsdMicros: minted.lifetimeGrantedUsdMicros,
-    token: {
-      accessToken: minted.access_token,
-      access_token: minted.access_token,
-      expiresIn: minted.expires_in,
-      expires_in: minted.expires_in,
-      scope,
-      balanceUsdMicros: minted.balanceUsdMicros,
-      lifetimeGrantedUsdMicros: minted.lifetimeGrantedUsdMicros
+    if (typeof value === "number" && Number.isFinite(value)) {
+      return String(Math.trunc(value));
     }
-  };
-  const signerUrl = options?.signerUrl?.trim();
-  if (signerUrl) {
-    body.signerUrl = signerUrl;
   }
-  return body;
+  return "";
 }
-async function parseDeviceExchangeRequestBody(request) {
-  let body;
-  try {
-    body = await request.json();
-  } catch {
-    throw new PmtHouseError("Request body must be JSON", {
-      status: 400,
-      code: "invalid_request"
-    });
-  }
+function parseSignerUsageSnapshot(body) {
   if (body === null || typeof body !== "object" || Array.isArray(body)) {
-    throw new PmtHouseError("Request body must be a JSON object", {
-      status: 400,
-      code: "invalid_request"
-    });
+    return null;
   }
   const record = body;
-  const deviceTokenRaw = record.deviceToken;
-  if (typeof deviceTokenRaw !== "string" || !deviceTokenRaw.trim()) {
-    throw new PmtHouseError("Request body must include deviceToken", {
-      status: 400,
-      code: "invalid_request"
-    });
+  const usageRaw = record.usage;
+  if (usageRaw === null || typeof usageRaw !== "object" || Array.isArray(usageRaw)) {
+    return null;
   }
-  const deviceToken = deviceTokenRaw.trim();
-  const scope = typeof record.scope === "string" && record.scope.trim() ? record.scope.trim() : void 0;
-  const clientId = typeof record.clientId === "string" && record.clientId.trim() ? record.clientId.trim() : void 0;
-  return { deviceToken, scope, clientId };
-}
-async function mintSignerTokenFromDeviceToken(options) {
-  const fetchImpl = options.fetch ?? fetch;
-  const issuerUrl = stripTrailingSlashes(options.issuerUrl);
-  const as = await loadAuthorizationServer(issuerUrl, fetchImpl, {
-    allowInsecureHttp: options.allowInsecureHttp
-  });
-  const tokenEndpoint = as.token_endpoint;
-  if (!tokenEndpoint) {
-    throw new PmtHouseError("OIDC discovery document is missing token_endpoint", {
-      status: 500,
-      code: "oidc_discovery_invalid"
-    });
+  const usage = usageRaw;
+  const computedFeeWei = pickString(usage, "computed_fee_wei", "computedFeeWei");
+  const usdMicrosStr = pickString(usage, "computed_fee_usd_micros", "computedFeeUsdMicros");
+  const requestId = pickString(usage, "request_id", "requestId");
+  if (!computedFeeWei || !usdMicrosStr || !requestId) {
+    return null;
   }
-  const audience = options.audience?.trim() || LIVEPEER_REMOTE_SIGNER_AUDIENCE;
-  const params = new URLSearchParams({
-    grant_type: TOKEN_EXCHANGE_GRANT,
-    subject_token: options.deviceToken,
-    subject_token_type: SUBJECT_ACCESS_TOKEN_TYPE,
-    audience,
-    resource: audience
-  });
-  if (options.scope?.trim()) {
-    params.set("scope", options.scope.trim());
+  let computedFeeUsdMicros;
+  try {
+    computedFeeUsdMicros = BigInt(usdMicrosStr);
+  } catch {
+    return null;
   }
-  const response = await fetchImpl(tokenEndpoint, {
-    method: "POST",
-    headers: {
-      Authorization: encodeClientSecretBasic(options.m2mClientId, options.m2mClientSecret),
-      "Content-Type": "application/x-www-form-urlencoded",
-      Accept: "application/json"
-    },
-    body: params.toString(),
-    cache: "no-store"
-  });
-  const parsed = await readJsonObjectFromResponse(response, {
-    invalidJsonMessage: "Token endpoint returned invalid JSON",
-    invalidJsonCode: "invalid_token_response",
-    failureLabel: "Signer JWT exchange failed",
-    defaultErrorCode: "token_exchange_failed"
-  });
-  const cached = parseMintUserSignerTokenResponse(parsed);
   return {
-    access_token: cached.jwt,
-    expires_in: readExpiresIn(parsed, EXCHANGE_RESPONSE_ERROR),
-    scope: readStringField(parsed, "scope", EXCHANGE_RESPONSE_ERROR),
-    balanceUsdMicros: cached.balanceUsdMicros,
-    lifetimeGrantedUsdMicros: cached.lifetimeGrantedUsdMicros
+    requestId,
+    computedFeeWei,
+    computedFeeUsdMicros,
+    ethUsdPrice: pickString(usage, "eth_usd_price", "ethUsdPrice") || void 0,
+    ethUsdRoundId: pickString(usage, "eth_usd_round_id", "ethUsdRoundId") || void 0,
+    ethUsdObservedAt: pickString(usage, "eth_usd_updated_at", "ethUsdUpdatedAt", "eth_usd_observed_at") || void 0,
+    pixels: pickString(usage, "pixels") || void 0,
+    billableSecs: pickString(usage, "billable_secs", "billableSecs") || void 0,
+    pipeline: pickString(usage, "pipeline") || void 0,
+    modelId: pickString(usage, "model_id", "modelId") || void 0
   };
 }
-async function exchangeDeviceTokenForSigner(options) {
+function stripSignerUsageFromResponse(body) {
+  if (body !== null && typeof body === "object" && !Array.isArray(body)) {
+    delete body.usage;
+  }
+}
+async function forwardToSigner(options) {
   const fetchImpl = options.fetch ?? fetch;
-  const url = `${stripTrailingSlashes(options.facadeUrl)}/api/signer/device/exchange`;
-  const body = { deviceToken: options.deviceToken };
-  if (options.scope?.trim()) {
-    body.scope = options.scope.trim();
+  const baseUrl = normalizeSignerBaseUrl(options.baseUrl);
+  const url = joinSignerUrl(baseUrl, options.path);
+  const timeoutMs = options.timeoutMs ?? 3e4;
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), timeoutMs);
+  const headers = { "Content-Type": "application/json" };
+  const explicitAuth = options.authorization?.trim();
+  if (explicitAuth) {
+    headers.Authorization = explicitAuth.startsWith("Bearer ") ? explicitAuth : `Bearer ${explicitAuth}`;
+  } else {
+    const attachJwt = options.forwardJwt ?? true;
+    if (attachJwt) {
+      const token = await getCachedDmzBearerToken(
+        options.subject,
+        "http",
+        options.getDmzToken
+      );
+      headers.Authorization = `Bearer ${token}`;
+    }
   }
-  if (options.clientId?.trim()) {
-    body.clientId = options.clientId.trim();
+  if (options.extraHeaders) {
+    for (const [name, value] of Object.entries(options.extraHeaders)) {
+      if (value.trim()) {
+        headers[name] = value.trim();
+      }
+    }
   }
-  const response = await fetchImpl(url, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-      Accept: "application/json"
-    },
-    body: JSON.stringify(body),
-    cache: "no-store"
-  });
-  const parsed = await readJsonObjectFromResponse(response, {
-    invalidJsonMessage: "Device exchange returned invalid JSON",
-    invalidJsonCode: EXCHANGE_RESPONSE_ERROR,
-    failureLabel: "Device exchange failed",
-    defaultErrorCode: "device_exchange_failed"
-  });
-  const accessToken = extractSignerAccessTokenFromExchangeBody(parsed);
-  const signerUrlRaw = parsed.signerUrl ?? parsed.signer_url;
-  const signerUrl = typeof signerUrlRaw === "string" && signerUrlRaw.trim() ? signerUrlRaw.trim() : void 0;
-  return normalizeDeviceExchangeResponse(
-    {
-      access_token: accessToken,
-      expires_in: readExpiresIn(parsed, EXCHANGE_RESPONSE_ERROR),
-      scope: typeof parsed.scope === "string" && parsed.scope.trim() ? parsed.scope.trim() : "sign:job",
-      balanceUsdMicros: typeof parsed.balanceUsdMicros === "string" ? parsed.balanceUsdMicros : "0",
-      lifetimeGrantedUsdMicros: typeof parsed.lifetimeGrantedUsdMicros === "string" ? parsed.lifetimeGrantedUsdMicros : "0"
-    },
-    { signerUrl }
-  );
-}
-function resolveMint(config) {
-  if ("mint" in config && typeof config.mint === "function") {
-    return config.mint;
+  try {
+    const response = await fetchImpl(url, {
+      method: options.method,
+      headers,
+      body: options.body === void 0 ? void 0 : JSON.stringify(options.body),
+      signal: controller.signal
+    });
+    return {
+      response,
+      requestUrl: url,
+      authorizationHeader: headers.Authorization
+    };
+  } finally {
+    clearTimeout(timeout);
   }
-  return (deviceToken, context) => mintSignerTokenFromDeviceToken({
-    issuerUrl: config.issuerUrl,
-    m2mClientId: config.m2mClientId,
-    m2mClientSecret: config.m2mClientSecret,
-    deviceToken,
-    scope: context.scope,
-    audience: config.audience,
-    fetch: config.fetch,
-    allowInsecureHttp: config.allowInsecureHttp
+}
+function createSignerProbeContext(options) {
+  return {
+    fetchImpl: options.fetch ?? fetch,
+    signerUrl: normalizeSignerBaseUrl(options.signerUrl),
+    timeoutMs: options.timeoutMs ?? 5e3,
+    probeSubject: options.probeSubject ?? DEFAULT_PROBE_SUBJECT,
+    useJwt: options.forwardJwt ?? true,
+    getDmzToken: options.getDmzToken
+  };
+}
+function reachableResult(ethAddress) {
+  return { reachable: true, ethAddress };
+}
+async function fetchSignerStatus(ctx, headers) {
+  const response = await ctx.fetchImpl(`${ctx.signerUrl}/status`, {
+    headers,
+    signal: AbortSignal.timeout(ctx.timeoutMs)
   });
+  if (!response.ok) {
+    return { ok: false };
+  }
+  const data = await readSignerUpstreamBody(response);
+  const ethAddress = typeof data.Address === "string" && data.Address || typeof data.address === "string" && data.address || void 0;
+  return { ok: true, ethAddress };
 }
-function resolveSignerUrlFromConfig(config) {
-  if ("signerUrl" in config && typeof config.signerUrl === "string" && config.signerUrl.trim()) {
-    return config.signerUrl.trim();
+async function tryJwtStatus(ctx) {
+  if (!ctx.useJwt) {
+    return null;
   }
-  if ("getSignerUrl" in config && typeof config.getSignerUrl === "function") {
-    return config.getSignerUrl();
+  try {
+    const token = await ctx.getDmzToken(ctx.probeSubject, "http");
+    const { ok, ethAddress } = await fetchSignerStatus(ctx, {
+      Authorization: `Bearer ${token}`
+    });
+    return ok ? reachableResult(ethAddress) : null;
+  } catch {
+    return null;
   }
-  return void 0;
-}
-function createDeviceExchangeHandler(config) {
-  const mint = resolveMint(config);
-  return async function deviceExchangeHandler(request) {
-    try {
-      if (request.method !== "POST") {
-        return new Response(JSON.stringify({ error: "method_not_allowed" }), {
-          status: 405,
-          headers: { "Content-Type": "application/json" }
-        });
-      }
-      const parsed = await parseDeviceExchangeRequestBody(request);
-      const minted = await mint(parsed.deviceToken, {
-        scope: parsed.scope,
-        clientId: parsed.clientId
-      });
-      const signerUrlValue = await resolveSignerUrlFromConfig(config);
-      const body = normalizeDeviceExchangeResponse(minted, {
-        signerUrl: typeof signerUrlValue === "string" ? signerUrlValue : void 0
-      });
-      return new Response(JSON.stringify(body), {
-        status: 200,
-        headers: {
-          "Content-Type": "application/json",
-          "Cache-Control": "no-store"
-        }
-      });
-    } catch (error) {
-      return signerHandlerErrorResponse(error);
-    }
-  };
 }
-
-// src/signer/api-key-exchange.ts
-var EXCHANGE_RESPONSE_ERROR2 = "invalid_exchange_response";
-async function parseApiKeyExchangeRequestBody(request) {
-  let body;
+async function tryPlainStatus(ctx) {
   try {
-    body = await request.json();
+    const { ok, ethAddress } = await fetchSignerStatus(ctx, {});
+    return ok ? reachableResult(ethAddress) : null;
   } catch {
-    throw new PmtHouseError("Request body must be JSON", {
-      status: 400,
-      code: "invalid_request"
-    });
-  }
-  if (body === null || typeof body !== "object" || Array.isArray(body)) {
-    throw new PmtHouseError("Request body must be a JSON object", {
-      status: 400,
-      code: "invalid_request"
-    });
-  }
-  const record = body;
-  const apiKeyRaw = record.apiKey;
-  if (typeof apiKeyRaw !== "string" || !apiKeyRaw.trim()) {
-    throw new PmtHouseError("Request body must include apiKey", {
-      status: 400,
-      code: "invalid_request"
-    });
+    return null;
   }
-  const scope = typeof record.scope === "string" && record.scope.trim() ? record.scope.trim() : void 0;
-  const clientId = typeof record.clientId === "string" && record.clientId.trim() ? record.clientId.trim() : void 0;
-  return { apiKey: apiKeyRaw.trim(), scope, clientId };
 }
-async function mintUserAccessTokenFromApiKey(input) {
-  const fetchImpl = input.fetch ?? fetch;
-  const issuerOrigin = stripIssuerOriginFromOidcUrl(input.issuerUrl);
-  const url = `${issuerOrigin}/api/v1/apps/${encodeURIComponent(input.publicClientId)}/auth/api-key/token`;
-  const response = await fetchImpl(url, {
-    method: "POST",
-    headers: {
-      Authorization: `Bearer ${input.apiKey}`,
-      "Content-Type": "application/json",
-      Accept: "application/json"
-    },
-    body: JSON.stringify(input.scope ? { scope: input.scope } : {}),
-    cache: "no-store"
-  });
-  const parsed = await readJsonObjectFromResponse(response, {
-    invalidJsonMessage: "API key token exchange returned invalid JSON",
-    invalidJsonCode: "invalid_token_response",
-    failureLabel: "API key token exchange failed",
-    defaultErrorCode: "api_key_token_exchange_failed"
-  });
-  const accessToken = parsed.access_token;
-  if (typeof accessToken !== "string" || !accessToken.trim()) {
-    throw new PmtHouseError("API key token exchange missing access_token", {
-      status: 502,
-      code: EXCHANGE_RESPONSE_ERROR2
+async function trySigningProbe(ctx) {
+  try {
+    const token = await ctx.getDmzToken(ctx.probeSubject, "http");
+    const response = await ctx.fetchImpl(`${ctx.signerUrl}/sign-orchestrator-info`, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${token}`,
+        "Content-Type": "application/json"
+      },
+      body: "{}",
+      signal: AbortSignal.timeout(ctx.timeoutMs)
     });
+    return response.ok;
+  } catch {
+    return false;
   }
-  const expiresIn = typeof parsed.expires_in === "number" && Number.isFinite(parsed.expires_in) ? parsed.expires_in : 900;
-  const scope = typeof parsed.scope === "string" && parsed.scope.trim() ? parsed.scope.trim() : input.scope?.trim() || "sign:job";
-  return {
-    access_token: accessToken.trim(),
-    expires_in: expiresIn,
-    scope
-  };
-}
-async function mintSignerSessionFromApiKey(input) {
-  const userToken = await mintUserAccessTokenFromApiKey({
-    issuerUrl: input.issuerUrl,
-    publicClientId: input.publicClientId,
-    apiKey: input.apiKey,
-    scope: input.scope,
-    fetch: input.fetch
-  });
-  return mintSignerTokenFromDeviceToken({
-    issuerUrl: input.issuerUrl,
-    m2mClientId: input.m2mClientId,
-    m2mClientSecret: input.m2mClientSecret,
-    deviceToken: userToken.access_token,
-    scope: userToken.scope,
-    audience: input.audience,
-    fetch: input.fetch,
-    allowInsecureHttp: input.allowInsecureHttp
-  });
 }
-async function exchangeApiKeyForSigner(options) {
-  const fetchImpl = options.fetch ?? fetch;
-  const url = `${stripTrailingSlashes(options.facadeUrl)}/api/pymthouse/keys/exchange`;
-  const body = { apiKey: options.apiKey };
-  if (options.scope?.trim()) {
-    body.scope = options.scope.trim();
+async function runSignerReachabilityProbes(ctx) {
+  const jwtResult = await tryJwtStatus(ctx);
+  if (jwtResult) {
+    return jwtResult;
   }
-  if (options.clientId?.trim()) {
-    body.clientId = options.clientId.trim();
+  const plainResult = await tryPlainStatus(ctx);
+  if (plainResult) {
+    return plainResult;
   }
-  const response = await fetchImpl(url, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-      Accept: "application/json"
-    },
-    body: JSON.stringify(body),
-    cache: "no-store"
-  });
-  const parsed = await readJsonObjectFromResponse(response, {
-    invalidJsonMessage: "API key exchange returned invalid JSON",
-    invalidJsonCode: EXCHANGE_RESPONSE_ERROR2,
-    failureLabel: "API key exchange failed",
-    defaultErrorCode: "api_key_exchange_failed"
-  });
-  const accessToken = extractSignerAccessTokenFromExchangeBody(parsed);
-  const signerUrlRaw = parsed.signerUrl ?? parsed.signer_url;
-  const signerUrl = typeof signerUrlRaw === "string" && signerUrlRaw.trim() ? signerUrlRaw.trim() : void 0;
-  return normalizeDeviceExchangeResponse(
-    {
-      access_token: accessToken,
-      expires_in: typeof parsed.expires_in === "number" && Number.isFinite(parsed.expires_in) ? parsed.expires_in : 3600,
-      scope: typeof parsed.scope === "string" && parsed.scope.trim() ? parsed.scope.trim() : "sign:job",
-      balanceUsdMicros: typeof parsed.balanceUsdMicros === "string" ? parsed.balanceUsdMicros : "0",
-      lifetimeGrantedUsdMicros: typeof parsed.lifetimeGrantedUsdMicros === "string" ? parsed.lifetimeGrantedUsdMicros : "0"
-    },
-    { signerUrl }
-  );
+  if (await trySigningProbe(ctx)) {
+    return reachableResult();
+  }
+  return { reachable: false };
 }
-function createApiKeyExchangeHandler(config) {
-  const publicClientId = config.publicClientId.trim();
-  return async function apiKeyExchangeHandler(request) {
-    try {
-      if (request.method !== "POST") {
-        return new Response(JSON.stringify({ error: "method_not_allowed" }), {
-          status: 405,
-          headers: { "Content-Type": "application/json" }
-        });
-      }
-      const parsed = await parseApiKeyExchangeRequestBody(request);
-      const effectiveClientId = parsed.clientId?.trim() || publicClientId;
-      if (effectiveClientId !== publicClientId) {
-        throw new PmtHouseError("clientId does not match configured public client", {
-          status: 400,
-          code: "invalid_request"
-        });
-      }
-      const minted = await mintSignerSessionFromApiKey({
-        issuerUrl: config.issuerUrl,
-        publicClientId,
-        m2mClientId: config.m2mClientId,
-        m2mClientSecret: config.m2mClientSecret,
-        apiKey: parsed.apiKey,
-        scope: parsed.scope,
-        audience: config.audience,
-        fetch: config.fetch,
-        allowInsecureHttp: config.allowInsecureHttp
-      });
-      const signerUrlValue = typeof config.signerUrl === "string" && config.signerUrl.trim() ? config.signerUrl.trim() : void 0;
-      const body = normalizeDeviceExchangeResponse(minted, { signerUrl: signerUrlValue });
-      return new Response(JSON.stringify(body), {
-        status: 200,
-        headers: {
-          "Content-Type": "application/json",
-          "Cache-Control": "no-store"
-        }
-      });
-    } catch (error) {
-      return signerHandlerErrorResponse(error);
+async function probeSignerHttpReachability(options) {
+  const ctx = createSignerProbeContext(options);
+  try {
+    const health = await ctx.fetchImpl(`${ctx.signerUrl}/healthz`, {
+      signal: AbortSignal.timeout(ctx.timeoutMs)
+    });
+    if (health.ok) {
+      return runSignerReachabilityProbes(ctx);
     }
-  };
+  } catch {
+  }
+  return runSignerReachabilityProbes(ctx);
 }
 
 // src/signer/server.ts
@@ -1250,7 +1156,6 @@ function toResponse(result) {
 }
 function createDirectSignerProxyHandler(config) {
   const tokenManager = createSignerTokenManager({
-    publicClientId: config.pymthouseClientId,
     mint: (externalUserId) => mintUserSignerToken({
       issuerUrl: config.pymthouseIssuerUrl,
       m2mClientId: config.pymthouseM2MClientId,
@@ -1293,39 +1198,40 @@ function createDirectSignerProxyHandler(config) {
           code: "invalid_external_user_id"
         });
       }
-      let token = await tokenManager.getToken(externalUserId);
+      const publicClientId = config.resolvePublicClientId ? (await config.resolvePublicClientId(session)).trim() : config.pymthouseClientId.trim();
+      if (!publicClientId) {
+        throw new PmtHouseError("resolvePublicClientId returned an empty id", {
+          status: 500,
+          code: "invalid_client_id"
+        });
+      }
+      let token = await tokenManager.getToken(publicClientId, externalUserId);
       const blocked = await runBeforeSign(token, externalUserId, request);
       if (blocked) {
         return blocked;
       }
-      let upstream = await forwardWithOptionalMetering({
-        config,
-        externalUserId,
-        forward: () => forwardOnce(token, request)
-      });
+      let upstream = await forwardOnce(token, request);
       if (upstream.status === 401) {
-        tokenManager.invalidate(externalUserId);
-        token = await tokenManager.getToken(externalUserId, { forceRefresh: true });
+        tokenManager.invalidate(publicClientId, externalUserId);
+        token = await tokenManager.getToken(publicClientId, externalUserId, {
+          forceRefresh: true
+        });
         const retryBlocked = await runBeforeSign(token, externalUserId, request);
         if (retryBlocked) {
           return retryBlocked;
         }
-        upstream = await forwardWithOptionalMetering({
-          config,
-          externalUserId,
-          forward: () => forwardOnce(token, request)
-        });
+        upstream = await forwardOnce(token, request);
       }
       return upstream;
     } catch (error) {
       return signerHandlerErrorResponse(error);
     }
   };
-  handler.getCachedUsage = (externalUserId) => tokenManager.peek(externalUserId);
-  handler.invalidateToken = (externalUserId) => tokenManager.invalidate(externalUserId);
+  handler.getCachedUsage = (externalUserId) => tokenManager.peek(config.pymthouseClientId, externalUserId);
+  handler.invalidateToken = (externalUserId) => tokenManager.invalidate(config.pymthouseClientId, externalUserId);
   return handler;
 }
 
-export { LIVEPEER_REMOTE_SIGNER_AUDIENCE, SIGN_MINT_USER_TOKEN_SCOPE, createApiKeyExchangeHandler, createDeviceExchangeHandler, createDirectSignerProxyHandler, createSignerTokenManager, decodeJwtPayload, exchangeApiKeyForSigner, exchangeDeviceTokenForSigner, extractSignerAccessTokenFromExchangeBody, forwardDirectSignerRequest, forwardToSigner, forwardWithOptionalMetering, getCachedDmzBearerToken, identityFromJwtPayload, ingestSignedTicket, livepeerIdentityHeaders, mintSignerSessionFromApiKey, mintSignerTokenFromDeviceToken, mintUserAccessTokenFromApiKey, mintUserSignerToken, normalizeDeviceExchangeResponse, normalizeSignerBaseUrl, parseApiKeyExchangeRequestBody, parseDeviceExchangeRequestBody, parseMintUserSignerTokenResponse, parseSignerUsageSnapshot, pickConflictingNumberAliases, pickConflictingStringAliases, probeSignerHttpReachability, readSignerUpstreamBody, resolveSignerBaseUrl, signerSnapshotToIngestPayload, stripSignerUsageFromResponse };
+export { LIVEPEER_REMOTE_SIGNER_AUDIENCE, SIGN_MINT_USER_TOKEN_SCOPE, createApiKeyExchangeHandler, createDeviceExchangeHandler, createDirectSignerProxyHandler, createSignerTokenManager, decodeJwtPayload, exchangeApiKeyForSigner, exchangeDeviceTokenForSigner, extractSignerAccessTokenFromExchangeBody, forwardDirectSignerRequest, forwardToSigner, getCachedDmzBearerToken, identityFromJwtPayload, livepeerIdentityHeaders, mintSignerSessionFromApiKey, mintSignerTokenFromDeviceToken, mintUserAccessTokenFromApiKey, mintUserSignerToken, normalizeDeviceExchangeResponse, normalizeSignerBaseUrl, parseApiKeyExchangeRequestBody, parseDeviceExchangeRequestBody, parseMintUserSignerTokenResponse, parseSignerUsageSnapshot, pickConflictingNumberAliases, pickConflictingStringAliases, probeSignerHttpReachability, readSignerUpstreamBody, resolveSignerBaseUrl, signerJwtAudience, stripSignerUsageFromResponse };
 //# sourceMappingURL=server.js.map
 //# sourceMappingURL=server.js.map