@pymthouse/builder-sdk 0.4.1-rc.1 → 0.4.1-rc.3

package/dist/{index-BixH4VIG.d.cts → index-D5wdxNYy.d.cts}

@@ -1,5 +1,5 @@
 import { F as FetchLike } from './types-BORaHW_x.cjs';
-import { U as UsageIdentity, P as PaymentWebhookRequest, V as VerifiedEndUserAuth, E as EndUserAuthVerifier } from './verifier-B-WFDMz6.cjs';
+import { U as UsageIdentity, P as PaymentWebhookRequest, V as VerifiedEndUserAuth, E as EndUserAuthVerifier } from './verifier-Be9WAjFF.cjs';
 import { TrustedHeadersEndUserAuthConfig } from './signer/webhook/adapters/trusted-headers.cjs';
 
 type WebhookIdentityClaimMapping = {
@@ -28,6 +28,8 @@ declare function handleRemoteSignerAuthorize(request: Request, config: RemoteSig
 declare function createRemoteSignerAuthorizeHandler(config: RemoteSignerWebhookConfig): (request: Request) => Promise<Response>;
 declare function routeRemoteSignerWebhookRequest(request: Request, config: RemoteSignerWebhookConfig): Promise<Response | null>;
 
+/** Returns the token after `Bearer `, or null when the header is missing or not Bearer. */
+declare function optionalBearerToken(authorization: string): string | null;
 declare function bearerTokenFromAuthorization(authorization: string): string;
 
 type OidcEndUserAuthConfig = {
@@ -61,4 +63,4 @@ declare function readOidcRemoteSignerWebhookConfigFromEnv(env?: NodeJS.ProcessEn
 /** @deprecated Use readOidcRemoteSignerWebhookConfigFromEnv */
 declare const readRemoteSignerWebhookConfigFromEnv: typeof readOidcRemoteSignerWebhookConfigFromEnv;
 
-export { DEFAULT_WEBHOOK_IDENTITY_CLAIMS as D, type OidcRemoteSignerWebhookConfigInput as O, type RemoteSignerWebhookConfig as R, type SignerDmzRemoteSignerWebhookConfigInput as S, type WebhookAuthorizeContext as W, type OidcEndUserAuthConfig as a, type WebhookIdentityClaimMapping as b, authenticateWebhookCaller as c, bearerTokenFromAuthorization as d, claimExpirySeconds as e, createOidcEndUserVerifier as f, createOidcRemoteSignerWebhookConfig as g, createRemoteSignerAuthorizeHandler as h, createSignerDmzRemoteSignerWebhookConfig as i, handleRemoteSignerAuthorize as j, handleRemoteSignerRefreshJwks as k, identityFromWebhookClaims as l, readRemoteSignerWebhookConfigFromEnv as m, routeRemoteSignerWebhookRequest as n, readOidcRemoteSignerWebhookConfigFromEnv as r };
+export { DEFAULT_WEBHOOK_IDENTITY_CLAIMS as D, type OidcRemoteSignerWebhookConfigInput as O, type RemoteSignerWebhookConfig as R, type SignerDmzRemoteSignerWebhookConfigInput as S, type WebhookAuthorizeContext as W, type OidcEndUserAuthConfig as a, type WebhookIdentityClaimMapping as b, authenticateWebhookCaller as c, bearerTokenFromAuthorization as d, claimExpirySeconds as e, createOidcEndUserVerifier as f, createOidcRemoteSignerWebhookConfig as g, createRemoteSignerAuthorizeHandler as h, createSignerDmzRemoteSignerWebhookConfig as i, handleRemoteSignerAuthorize as j, handleRemoteSignerRefreshJwks as k, identityFromWebhookClaims as l, readRemoteSignerWebhookConfigFromEnv as m, routeRemoteSignerWebhookRequest as n, optionalBearerToken as o, readOidcRemoteSignerWebhookConfigFromEnv as r };

package/dist/{index-BTDKEorK.d.ts → index-DFJ6qcK0.d.ts}

@@ -1,5 +1,5 @@
 import { F as FetchLike } from './types-BORaHW_x.js';
-import { U as UsageIdentity, P as PaymentWebhookRequest, V as VerifiedEndUserAuth, E as EndUserAuthVerifier } from './verifier-B-WFDMz6.js';
+import { U as UsageIdentity, P as PaymentWebhookRequest, V as VerifiedEndUserAuth, E as EndUserAuthVerifier } from './verifier-Be9WAjFF.js';
 import { TrustedHeadersEndUserAuthConfig } from './signer/webhook/adapters/trusted-headers.js';
 
 type WebhookIdentityClaimMapping = {
@@ -28,6 +28,8 @@ declare function handleRemoteSignerAuthorize(request: Request, config: RemoteSig
 declare function createRemoteSignerAuthorizeHandler(config: RemoteSignerWebhookConfig): (request: Request) => Promise<Response>;
 declare function routeRemoteSignerWebhookRequest(request: Request, config: RemoteSignerWebhookConfig): Promise<Response | null>;
 
+/** Returns the token after `Bearer `, or null when the header is missing or not Bearer. */
+declare function optionalBearerToken(authorization: string): string | null;
 declare function bearerTokenFromAuthorization(authorization: string): string;
 
 type OidcEndUserAuthConfig = {
@@ -61,4 +63,4 @@ declare function readOidcRemoteSignerWebhookConfigFromEnv(env?: NodeJS.ProcessEn
 /** @deprecated Use readOidcRemoteSignerWebhookConfigFromEnv */
 declare const readRemoteSignerWebhookConfigFromEnv: typeof readOidcRemoteSignerWebhookConfigFromEnv;
 
-export { DEFAULT_WEBHOOK_IDENTITY_CLAIMS as D, type OidcRemoteSignerWebhookConfigInput as O, type RemoteSignerWebhookConfig as R, type SignerDmzRemoteSignerWebhookConfigInput as S, type WebhookAuthorizeContext as W, type OidcEndUserAuthConfig as a, type WebhookIdentityClaimMapping as b, authenticateWebhookCaller as c, bearerTokenFromAuthorization as d, claimExpirySeconds as e, createOidcEndUserVerifier as f, createOidcRemoteSignerWebhookConfig as g, createRemoteSignerAuthorizeHandler as h, createSignerDmzRemoteSignerWebhookConfig as i, handleRemoteSignerAuthorize as j, handleRemoteSignerRefreshJwks as k, identityFromWebhookClaims as l, readRemoteSignerWebhookConfigFromEnv as m, routeRemoteSignerWebhookRequest as n, readOidcRemoteSignerWebhookConfigFromEnv as r };
+export { DEFAULT_WEBHOOK_IDENTITY_CLAIMS as D, type OidcRemoteSignerWebhookConfigInput as O, type RemoteSignerWebhookConfig as R, type SignerDmzRemoteSignerWebhookConfigInput as S, type WebhookAuthorizeContext as W, type OidcEndUserAuthConfig as a, type WebhookIdentityClaimMapping as b, authenticateWebhookCaller as c, bearerTokenFromAuthorization as d, claimExpirySeconds as e, createOidcEndUserVerifier as f, createOidcRemoteSignerWebhookConfig as g, createRemoteSignerAuthorizeHandler as h, createSignerDmzRemoteSignerWebhookConfig as i, handleRemoteSignerAuthorize as j, handleRemoteSignerRefreshJwks as k, identityFromWebhookClaims as l, readRemoteSignerWebhookConfigFromEnv as m, routeRemoteSignerWebhookRequest as n, optionalBearerToken as o, readOidcRemoteSignerWebhookConfigFromEnv as r };

package/dist/index.d.cts

@@ -1,7 +1,7 @@
 export { NETWORK_USD_PER_MICRO, applyRetailRateToNetworkMicros, defaultRetailRateUsd, markupPercentToRetailRateUsd, parseMarkupPercentInput, parseRetailRateUsd, retailRateUsdPerMillion, retailRateUsdToMarkupPercent } from './plan-pricing.cjs';
 import { S as SignedTicketIngestInput, F as FetchLike, f as SignedTicketIngestResult, r as UsageByUserRow, s as UsageForExternalUser, e as UsageApiResponse, n as MeScopeUsagePayload, t as UsageByPipelineModelRow, u as UsageByPipelineModelFiatRow, O as OidcDiscoveryDocument, v as AppManifestResponse } from './types-BORaHW_x.cjs';
 export { w as AllowancePolicy, x as AppManifestCapability, A as AppUserRecord, q as ApproveDeviceLoginInput, B as BillingProduct, y as BillingSyncState, z as BillingSyncStatus, E as CapabilityPriceRule, C as ClientCredentialsTokenResponse, D as DeviceApprovalInput, o as GetAppManifestResult, G as GetDiscoveryOptions, l as GrantSource, L as ListBillingProductsResult, p as MintSignerSessionForExternalUserInput, M as MintUserAccessTokenInput, b as MintUserAccessTokenResponse, c as MintUserSignerSessionTokenInput, a as ParsedDeviceApprovalRedirect, h as PlanSyncResult, P as PmtHouseClientOptions, H as SignerRoutingConfig, g as SignerRoutingResponse, T as TokenExchangeResponse, U as UpsertAppUserInput, i as UsageBalanceResponse, I as UsageDailyPipelineRow, d as UsageQueryInput, J as UsageTotals, k as UserAllowanceGrantInput, j as UserAllowancesResponse, K as UserCreditGrantInput, N as UserCreditsResponse, m as UserSubscriptionResponse } from './types-BORaHW_x.cjs';
-import { S as SignerUsageSnapshot } from './proxy-JrT6raU_.cjs';
+import { S as SignerUsageSnapshot } from './proxy-0wa8QZIU.cjs';
 export { P as PmtHouseClient, b as buildDeviceCodeResource, n as normalizeUserCode } from './client-D1Xz-xlx.cjs';
 export { PYMTHOUSE_NOT_CONFIGURED_MESSAGE, getBuilderApiV1BaseFromIssuerUrl, getPymthouseIssuerOrigin, getPymthouseIssuerUrlFromEnv, getPymthousePublicClientIdFromEnv, isPymthouseConfigured, readPymthouseEnv } from './config.cjs';
 import { AuthorizationServer } from 'oauth4webapi';

package/dist/index.d.ts

@@ -1,7 +1,7 @@
 export { NETWORK_USD_PER_MICRO, applyRetailRateToNetworkMicros, defaultRetailRateUsd, markupPercentToRetailRateUsd, parseMarkupPercentInput, parseRetailRateUsd, retailRateUsdPerMillion, retailRateUsdToMarkupPercent } from './plan-pricing.js';
 import { S as SignedTicketIngestInput, F as FetchLike, f as SignedTicketIngestResult, r as UsageByUserRow, s as UsageForExternalUser, e as UsageApiResponse, n as MeScopeUsagePayload, t as UsageByPipelineModelRow, u as UsageByPipelineModelFiatRow, O as OidcDiscoveryDocument, v as AppManifestResponse } from './types-BORaHW_x.js';
 export { w as AllowancePolicy, x as AppManifestCapability, A as AppUserRecord, q as ApproveDeviceLoginInput, B as BillingProduct, y as BillingSyncState, z as BillingSyncStatus, E as CapabilityPriceRule, C as ClientCredentialsTokenResponse, D as DeviceApprovalInput, o as GetAppManifestResult, G as GetDiscoveryOptions, l as GrantSource, L as ListBillingProductsResult, p as MintSignerSessionForExternalUserInput, M as MintUserAccessTokenInput, b as MintUserAccessTokenResponse, c as MintUserSignerSessionTokenInput, a as ParsedDeviceApprovalRedirect, h as PlanSyncResult, P as PmtHouseClientOptions, H as SignerRoutingConfig, g as SignerRoutingResponse, T as TokenExchangeResponse, U as UpsertAppUserInput, i as UsageBalanceResponse, I as UsageDailyPipelineRow, d as UsageQueryInput, J as UsageTotals, k as UserAllowanceGrantInput, j as UserAllowancesResponse, K as UserCreditGrantInput, N as UserCreditsResponse, m as UserSubscriptionResponse } from './types-BORaHW_x.js';
-import { S as SignerUsageSnapshot } from './proxy-U32DFNuj.js';
+import { S as SignerUsageSnapshot } from './proxy-KrA1vEmh.js';
 export { P as PmtHouseClient, b as buildDeviceCodeResource, n as normalizeUserCode } from './client-CauCfGa7.js';
 export { PYMTHOUSE_NOT_CONFIGURED_MESSAGE, getBuilderApiV1BaseFromIssuerUrl, getPymthouseIssuerOrigin, getPymthouseIssuerUrlFromEnv, getPymthousePublicClientIdFromEnv, isPymthouseConfigured, readPymthouseEnv } from './config.js';
 import { AuthorizationServer } from 'oauth4webapi';

package/dist/{proxy-JrT6raU_.d.cts → proxy-0wa8QZIU.d.cts}

@@ -1,6 +1,10 @@
 import { F as FetchLike } from './types-BORaHW_x.cjs';
 
 type SignerDmzGate = "http" | "cli";
+interface M2MClientCredentials {
+    m2mClientId: string;
+    m2mClientSecret: string;
+}
 interface DirectSignerProxyConfig {
     pymthouseIssuerUrl: string;
     /** Public Builder app client id (`app_…`); used for cache keys and JWT `client_id`. */
@@ -10,6 +14,16 @@ interface DirectSignerProxyConfig {
     remoteSignerUrl: string | URL;
     fetch?: FetchLike;
     allowInsecureHttp?: boolean;
+    /**
+     * Multi-tenant: resolve the M2M credentials used to mint signer JWTs for a
+     * given `publicClientId`. The PymtHouse issuer binds the minted JWT's
+     * `client_id` to the developer app linked to these M2M credentials, so each
+     * tenant's `publicClientId` (from {@link DirectSignerProxyConfig.resolvePublicClientId})
+     * must map to the M2M credentials whose app uses it. The token manager
+     * validates that the minted `client_id` matches the requested `publicClientId`.
+     * Defaults to `pymthouseM2MClientId` / `pymthouseM2MClientSecret`.
+     */
+    resolveM2MCredentials?: (publicClientId: string) => M2MClientCredentials | Promise<M2MClientCredentials>;
     /**
      * When set, incoming request paths matching this prefix are rewritten to the remote signer base.
      * Example: `/api/signer/proxy` → remote `/generate-live-payment` when the suffix is empty.
@@ -53,7 +67,7 @@ interface MintUserSignerTokenResponse {
     lifetimeGrantedUsdMicros: string;
 }
 interface SignerTokenManagerOptions {
-    mint: (externalUserId: string) => Promise<CachedSignerToken>;
+    mint: (publicClientId: string, externalUserId: string) => Promise<CachedSignerToken>;
     /** Fraction of TTL after which a proactive refresh runs. Defaults to `0.8`. */
     ttlRefreshRatio?: number;
     fetch?: FetchLike;
@@ -231,4 +245,4 @@ declare function probeSignerHttpReachability(options: ProbeSignerHttpReachabilit
     ethAddress?: string;
 }>;
 
-export { type ApiKeyExchangeHandlerConfig as A, resolveSignerBaseUrl as B, type CachedSignerToken as C, type DeviceExchangeHandlerConfig as D, type ExchangeDeviceTokenForSignerOptions as E, type ForwardDirectSignerRequestOptions as F, stripSignerUsageFromResponse as G, type MintUserSignerTokenOptions as M, type ProbeSignerHttpReachabilityOptions as P, type SignerUsageSnapshot as S, type SignerTokenManagerOptions as a, type SignerJwtIdentity as b, type DeviceExchangeHandlerConfigRemote as c, type DeviceExchangeResponse as d, type MintSignerTokenFromDeviceTokenOptions as e, type DeviceExchangeMintResult as f, type DeviceExchangeRequestBody as g, type ExchangeApiKeyForSignerOptions as h, type ApiKeyExchangeMintResult as i, type ApiKeyExchangeRequestBody as j, type DirectSignerProxyConfig as k, type DeviceExchangeMintContext as l, type DirectSignerBeforeSignContext as m, type DirectSignerBeforeSignResult as n, type ForwardToSignerOptions as o, type ForwardToSignerResult as p, type MintUserSignerTokenResponse as q, type SignerDmzGate as r, forwardToSigner as s, getCachedDmzBearerToken as t, normalizeSignerBaseUrl as u, parseSignerUsageSnapshot as v, pickConflictingNumberAliases as w, pickConflictingStringAliases as x, probeSignerHttpReachability as y, readSignerUpstreamBody as z };
+export { type ApiKeyExchangeHandlerConfig as A, readSignerUpstreamBody as B, type CachedSignerToken as C, type DeviceExchangeHandlerConfig as D, type ExchangeDeviceTokenForSignerOptions as E, type ForwardDirectSignerRequestOptions as F, resolveSignerBaseUrl as G, stripSignerUsageFromResponse as H, type MintUserSignerTokenOptions as M, type ProbeSignerHttpReachabilityOptions as P, type SignerUsageSnapshot as S, type SignerTokenManagerOptions as a, type SignerJwtIdentity as b, type DeviceExchangeHandlerConfigRemote as c, type DeviceExchangeResponse as d, type MintSignerTokenFromDeviceTokenOptions as e, type DeviceExchangeMintResult as f, type DeviceExchangeRequestBody as g, type ExchangeApiKeyForSignerOptions as h, type ApiKeyExchangeMintResult as i, type ApiKeyExchangeRequestBody as j, type DirectSignerProxyConfig as k, type DeviceExchangeMintContext as l, type DirectSignerBeforeSignContext as m, type DirectSignerBeforeSignResult as n, type ForwardToSignerOptions as o, type ForwardToSignerResult as p, type M2MClientCredentials as q, type MintUserSignerTokenResponse as r, type SignerDmzGate as s, forwardToSigner as t, getCachedDmzBearerToken as u, normalizeSignerBaseUrl as v, parseSignerUsageSnapshot as w, pickConflictingNumberAliases as x, pickConflictingStringAliases as y, probeSignerHttpReachability as z };

package/dist/{proxy-U32DFNuj.d.ts → proxy-KrA1vEmh.d.ts}

@@ -1,6 +1,10 @@
 import { F as FetchLike } from './types-BORaHW_x.js';
 
 type SignerDmzGate = "http" | "cli";
+interface M2MClientCredentials {
+    m2mClientId: string;
+    m2mClientSecret: string;
+}
 interface DirectSignerProxyConfig {
     pymthouseIssuerUrl: string;
     /** Public Builder app client id (`app_…`); used for cache keys and JWT `client_id`. */
@@ -10,6 +14,16 @@ interface DirectSignerProxyConfig {
     remoteSignerUrl: string | URL;
     fetch?: FetchLike;
     allowInsecureHttp?: boolean;
+    /**
+     * Multi-tenant: resolve the M2M credentials used to mint signer JWTs for a
+     * given `publicClientId`. The PymtHouse issuer binds the minted JWT's
+     * `client_id` to the developer app linked to these M2M credentials, so each
+     * tenant's `publicClientId` (from {@link DirectSignerProxyConfig.resolvePublicClientId})
+     * must map to the M2M credentials whose app uses it. The token manager
+     * validates that the minted `client_id` matches the requested `publicClientId`.
+     * Defaults to `pymthouseM2MClientId` / `pymthouseM2MClientSecret`.
+     */
+    resolveM2MCredentials?: (publicClientId: string) => M2MClientCredentials | Promise<M2MClientCredentials>;
     /**
      * When set, incoming request paths matching this prefix are rewritten to the remote signer base.
      * Example: `/api/signer/proxy` → remote `/generate-live-payment` when the suffix is empty.
@@ -53,7 +67,7 @@ interface MintUserSignerTokenResponse {
     lifetimeGrantedUsdMicros: string;
 }
 interface SignerTokenManagerOptions {
-    mint: (externalUserId: string) => Promise<CachedSignerToken>;
+    mint: (publicClientId: string, externalUserId: string) => Promise<CachedSignerToken>;
     /** Fraction of TTL after which a proactive refresh runs. Defaults to `0.8`. */
     ttlRefreshRatio?: number;
     fetch?: FetchLike;
@@ -231,4 +245,4 @@ declare function probeSignerHttpReachability(options: ProbeSignerHttpReachabilit
     ethAddress?: string;
 }>;
 
-export { type ApiKeyExchangeHandlerConfig as A, resolveSignerBaseUrl as B, type CachedSignerToken as C, type DeviceExchangeHandlerConfig as D, type ExchangeDeviceTokenForSignerOptions as E, type ForwardDirectSignerRequestOptions as F, stripSignerUsageFromResponse as G, type MintUserSignerTokenOptions as M, type ProbeSignerHttpReachabilityOptions as P, type SignerUsageSnapshot as S, type SignerTokenManagerOptions as a, type SignerJwtIdentity as b, type DeviceExchangeHandlerConfigRemote as c, type DeviceExchangeResponse as d, type MintSignerTokenFromDeviceTokenOptions as e, type DeviceExchangeMintResult as f, type DeviceExchangeRequestBody as g, type ExchangeApiKeyForSignerOptions as h, type ApiKeyExchangeMintResult as i, type ApiKeyExchangeRequestBody as j, type DirectSignerProxyConfig as k, type DeviceExchangeMintContext as l, type DirectSignerBeforeSignContext as m, type DirectSignerBeforeSignResult as n, type ForwardToSignerOptions as o, type ForwardToSignerResult as p, type MintUserSignerTokenResponse as q, type SignerDmzGate as r, forwardToSigner as s, getCachedDmzBearerToken as t, normalizeSignerBaseUrl as u, parseSignerUsageSnapshot as v, pickConflictingNumberAliases as w, pickConflictingStringAliases as x, probeSignerHttpReachability as y, readSignerUpstreamBody as z };
+export { type ApiKeyExchangeHandlerConfig as A, readSignerUpstreamBody as B, type CachedSignerToken as C, type DeviceExchangeHandlerConfig as D, type ExchangeDeviceTokenForSignerOptions as E, type ForwardDirectSignerRequestOptions as F, resolveSignerBaseUrl as G, stripSignerUsageFromResponse as H, type MintUserSignerTokenOptions as M, type ProbeSignerHttpReachabilityOptions as P, type SignerUsageSnapshot as S, type SignerTokenManagerOptions as a, type SignerJwtIdentity as b, type DeviceExchangeHandlerConfigRemote as c, type DeviceExchangeResponse as d, type MintSignerTokenFromDeviceTokenOptions as e, type DeviceExchangeMintResult as f, type DeviceExchangeRequestBody as g, type ExchangeApiKeyForSignerOptions as h, type ApiKeyExchangeMintResult as i, type ApiKeyExchangeRequestBody as j, type DirectSignerProxyConfig as k, type DeviceExchangeMintContext as l, type DirectSignerBeforeSignContext as m, type DirectSignerBeforeSignResult as n, type ForwardToSignerOptions as o, type ForwardToSignerResult as p, type M2MClientCredentials as q, type MintUserSignerTokenResponse as r, type SignerDmzGate as s, forwardToSigner as t, getCachedDmzBearerToken as u, normalizeSignerBaseUrl as v, parseSignerUsageSnapshot as w, pickConflictingNumberAliases as x, pickConflictingStringAliases as y, probeSignerHttpReachability as z };

package/dist/signer/server.cjs

@@ -48,62 +48,6 @@ function signerHandlerErrorResponse(error) {
   });
 }
 
-// src/signer/token-manager.ts
-function cacheKey(clientId, externalUserId) {
-  return `${clientId}\0${externalUserId}`;
-}
-function createSignerTokenManager(options) {
-  const ttlRefreshRatio = options.ttlRefreshRatio ?? 0.8;
-  const cache = /* @__PURE__ */ new Map();
-  const inflight = /* @__PURE__ */ new Map();
-  function isUsable(entry, now, forceRefresh) {
-    if (forceRefresh) return false;
-    if (now >= entry.expiresAt) return false;
-    if (now >= entry.refreshAt) return false;
-    return true;
-  }
-  async function refresh(publicClientId, externalUserId) {
-    const key = cacheKey(publicClientId, externalUserId);
-    const existing = inflight.get(key);
-    if (existing) {
-      return existing;
-    }
-    const promise = options.mint(externalUserId).then((token) => {
-      const normalized = {
-        ...token,
-        refreshAt: token.refreshAt || Date.now() + Math.floor((token.expiresAt - Date.now()) * ttlRefreshRatio)
-      };
-      cache.set(key, normalized);
-      inflight.delete(key);
-      return normalized;
-    }).catch((error) => {
-      inflight.delete(key);
-      throw error;
-    });
-    inflight.set(key, promise);
-    return promise;
-  }
-  return {
-    peek(publicClientId, externalUserId) {
-      return cache.get(cacheKey(publicClientId, externalUserId));
-    },
-    invalidate(publicClientId, externalUserId) {
-      const key = cacheKey(publicClientId, externalUserId);
-      cache.delete(key);
-      inflight.delete(key);
-    },
-    async getToken(publicClientId, externalUserId, getOptions = {}) {
-      const now = Date.now();
-      const key = cacheKey(publicClientId, externalUserId);
-      const cached = cache.get(key);
-      if (cached && isUsable(cached, now, getOptions.forceRefresh === true)) {
-        return cached;
-      }
-      return refresh(publicClientId, externalUserId);
-    }
-  };
-}
-
 // src/signer/forward.ts
 function base64UrlPayloadToUtf8(payloadB64) {
   const normalized = payloadB64.replaceAll("-", "+").replaceAll("_", "/");
@@ -217,6 +161,70 @@ async function forwardDirectSignerRequest(options) {
   return fetchImpl(target, init);
 }
 
+// src/signer/token-manager.ts
+function cacheKey(clientId, externalUserId) {
+  return `${clientId}\0${externalUserId}`;
+}
+function createSignerTokenManager(options) {
+  const ttlRefreshRatio = options.ttlRefreshRatio ?? 0.8;
+  const cache = /* @__PURE__ */ new Map();
+  const inflight = /* @__PURE__ */ new Map();
+  function isUsable(entry, now, forceRefresh) {
+    if (forceRefresh) return false;
+    if (now >= entry.expiresAt) return false;
+    if (now >= entry.refreshAt) return false;
+    return true;
+  }
+  async function refresh(publicClientId, externalUserId) {
+    const key = cacheKey(publicClientId, externalUserId);
+    const existing = inflight.get(key);
+    if (existing) {
+      return existing;
+    }
+    const promise = options.mint(publicClientId, externalUserId).then((token) => {
+      const identity = identityFromJwtPayload(decodeJwtPayload(token.jwt));
+      if (identity.clientId !== publicClientId) {
+        throw new PmtHouseError("minted JWT client_id does not match public client id", {
+          status: 500,
+          code: "invalid_client_id",
+          details: { expected: publicClientId, actual: identity.clientId }
+        });
+      }
+      const normalized = {
+        ...token,
+        refreshAt: token.refreshAt || Date.now() + Math.floor((token.expiresAt - Date.now()) * ttlRefreshRatio)
+      };
+      cache.set(key, normalized);
+      inflight.delete(key);
+      return normalized;
+    }).catch((error) => {
+      inflight.delete(key);
+      throw error;
+    });
+    inflight.set(key, promise);
+    return promise;
+  }
+  return {
+    peek(publicClientId, externalUserId) {
+      return cache.get(cacheKey(publicClientId, externalUserId));
+    },
+    invalidate(publicClientId, externalUserId) {
+      const key = cacheKey(publicClientId, externalUserId);
+      cache.delete(key);
+      inflight.delete(key);
+    },
+    async getToken(publicClientId, externalUserId, getOptions = {}) {
+      const now = Date.now();
+      const key = cacheKey(publicClientId, externalUserId);
+      const cached = cache.get(key);
+      if (cached && isUsable(cached, now, getOptions.forceRefresh === true)) {
+        return cached;
+      }
+      return refresh(publicClientId, externalUserId);
+    }
+  };
+}
+
 // src/string-utils.ts
 function stripTrailingSlashes(value) {
   let end = value.length;
@@ -1013,7 +1021,7 @@ async function forwardToSigner(options) {
   const headers = { "Content-Type": "application/json" };
   const explicitAuth = options.authorization?.trim();
   if (explicitAuth) {
-    headers.Authorization = explicitAuth.startsWith("Bearer ") ? explicitAuth : `Bearer ${explicitAuth}`;
+    headers.Authorization = explicitAuth;
   } else {
     const attachJwt = options.forwardJwt ?? true;
     if (attachJwt) {
@@ -1157,15 +1165,30 @@ function toResponse(result) {
   });
 }
 function createDirectSignerProxyHandler(config) {
-  const tokenManager = createSignerTokenManager({
-    mint: (externalUserId) => mintUserSignerToken({
-      issuerUrl: config.pymthouseIssuerUrl,
+  async function resolveM2MCredentials(publicClientId) {
+    if (config.resolveM2MCredentials) {
+      return config.resolveM2MCredentials(publicClientId);
+    }
+    return {
       m2mClientId: config.pymthouseM2MClientId,
-      m2mClientSecret: config.pymthouseM2MClientSecret,
-      externalUserId,
-      fetch: config.fetch,
-      allowInsecureHttp: config.allowInsecureHttp
-    })
+      m2mClientSecret: config.pymthouseM2MClientSecret
+    };
+  }
+  const tokenManager = createSignerTokenManager({
+    // `publicClientId` selects the M2M credentials so the minted JWT's
+    // `client_id` matches the cache partition key. The token manager rejects any
+    // minted token whose `client_id` diverges from `publicClientId`.
+    mint: async (publicClientId, externalUserId) => {
+      const { m2mClientId, m2mClientSecret } = await resolveM2MCredentials(publicClientId);
+      return mintUserSignerToken({
+        issuerUrl: config.pymthouseIssuerUrl,
+        m2mClientId,
+        m2mClientSecret,
+        externalUserId,
+        fetch: config.fetch,
+        allowInsecureHttp: config.allowInsecureHttp
+      });
+    }
   });
   async function runBeforeSign(token, externalUserId, request) {
     if (!config.beforeSign) {
@@ -1229,8 +1252,8 @@ function createDirectSignerProxyHandler(config) {
       return signerHandlerErrorResponse(error);
     }
   };
-  handler.getCachedUsage = (externalUserId) => tokenManager.peek(config.pymthouseClientId, externalUserId);
-  handler.invalidateToken = (externalUserId) => tokenManager.invalidate(config.pymthouseClientId, externalUserId);
+  handler.getCachedUsage = (publicClientId, externalUserId) => tokenManager.peek(publicClientId, externalUserId);
+  handler.invalidateToken = (publicClientId, externalUserId) => tokenManager.invalidate(publicClientId, externalUserId);
   return handler;
 }