@sentroy-co/client-sdk 2.13.7 → 2.13.8

package/dist/auth/index.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Sentroy Auth-as-a-Service — browser/server SDK entry.
+ *
+ *   import { SentroyAuth } from "@sentroy-co/client-sdk/auth"
+ *   const auth = new SentroyAuth({ projectSlug: "my-app" })
+ *
+ * For server admin operations (verifyIdToken, etc):
+ *   import { SentroyAuthAdmin } from "@sentroy-co/client-sdk/auth/admin"
+ *
+ * For React integration:
+ *   import { SentroyAuthProvider, useAuth } from "@sentroy-co/client-sdk/auth/react"
+ */
+export { SentroyAuth } from "./client";
+export type { SentroyAuthOptions, AuthStateChangeListener, AuthStorageAdapter, } from "./client";
+export { SentroyAuthError, type SentroyAuthUser, type SignupResponse, type LoginResponse, type AuthTokensResponse, } from "./types";
+//# sourceMappingURL=index.d.ts.map

package/dist/auth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,UAAU,CAAA;AACtC,YAAY,EACV,kBAAkB,EAClB,uBAAuB,EACvB,kBAAkB,GACnB,MAAM,UAAU,CAAA;AACjB,OAAO,EACL,gBAAgB,EAChB,KAAK,eAAe,EACpB,KAAK,cAAc,EACnB,KAAK,aAAa,EAClB,KAAK,kBAAkB,GACxB,MAAM,SAAS,CAAA"}

package/dist/auth/index.js

@@ -0,0 +1,20 @@
+"use strict";
+/**
+ * Sentroy Auth-as-a-Service — browser/server SDK entry.
+ *
+ *   import { SentroyAuth } from "@sentroy-co/client-sdk/auth"
+ *   const auth = new SentroyAuth({ projectSlug: "my-app" })
+ *
+ * For server admin operations (verifyIdToken, etc):
+ *   import { SentroyAuthAdmin } from "@sentroy-co/client-sdk/auth/admin"
+ *
+ * For React integration:
+ *   import { SentroyAuthProvider, useAuth } from "@sentroy-co/client-sdk/auth/react"
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SentroyAuthError = exports.SentroyAuth = void 0;
+var client_1 = require("./client");
+Object.defineProperty(exports, "SentroyAuth", { enumerable: true, get: function () { return client_1.SentroyAuth; } });
+var types_1 = require("./types");
+Object.defineProperty(exports, "SentroyAuthError", { enumerable: true, get: function () { return types_1.SentroyAuthError; } });
+//# sourceMappingURL=index.js.map

package/dist/auth/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;;AAEH,mCAAsC;AAA7B,qGAAA,WAAW,OAAA;AAMpB,iCAMgB;AALd,yGAAA,gBAAgB,OAAA"}

package/dist/auth/react/index.d.ts

@@ -0,0 +1,41 @@
+import { type ReactNode } from "react";
+import { SentroyAuth, type SentroyAuthOptions } from "../client";
+import type { SentroyAuthUser } from "../types";
+/**
+ * Sentroy Auth React integration.
+ *
+ *   <SentroyAuthProvider projectSlug="my-app">
+ *     <App />
+ *   </SentroyAuthProvider>
+ *
+ *   const { user, loading, signIn, signOut } = useAuth()
+ *
+ * Provider içeride tek bir `SentroyAuth` instance tutar (mount/unmount
+ * arasında stable), `onAuthStateChanged` ile React state'i senkron tutar.
+ * `loading` ilk render → restore tamam mı henüz değil ayrımı için.
+ */
+interface AuthContextValue {
+    auth: SentroyAuth;
+    user: SentroyAuthUser | null;
+    /** True iken provider ilk state'i restore etmiş değil — UI'da
+     *  "spinner" göster, "redirect to /login" tetikleme. */
+    loading: boolean;
+    /** Convenience proxies — caller `auth.signIn(...)` yerine doğrudan
+     *  `signIn(...)` kullanabilir. */
+    signIn: SentroyAuth["signIn"];
+    signUp: SentroyAuth["signUp"];
+    signOut: SentroyAuth["signOut"];
+    sendPasswordReset: SentroyAuth["sendPasswordReset"];
+    verifyEmail: SentroyAuth["verifyEmail"];
+}
+export declare function SentroyAuthProvider({ children, ...opts }: SentroyAuthOptions & {
+    children: ReactNode;
+}): import("react/jsx-runtime").JSX.Element;
+export declare function useAuth(): AuthContextValue;
+/**
+ * Convenience: yalnızca current user istenirse. `loading` durumunda null
+ * dönerken bekleyebilirsin.
+ */
+export declare function useUser(): SentroyAuthUser | null;
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/auth/react/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/auth/react/index.tsx"],"names":[],"mappings":"AAEA,OAAO,EAML,KAAK,SAAS,EACf,MAAM,OAAO,CAAA;AACd,OAAO,EAAE,WAAW,EAAE,KAAK,kBAAkB,EAAE,MAAM,WAAW,CAAA;AAChE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,UAAU,CAAA;AAE/C;;;;;;;;;;;;GAYG;AAEH,UAAU,gBAAgB;IACxB,IAAI,EAAE,WAAW,CAAA;IACjB,IAAI,EAAE,eAAe,GAAG,IAAI,CAAA;IAC5B;4DACwD;IACxD,OAAO,EAAE,OAAO,CAAA;IAChB;sCACkC;IAClC,MAAM,EAAE,WAAW,CAAC,QAAQ,CAAC,CAAA;IAC7B,MAAM,EAAE,WAAW,CAAC,QAAQ,CAAC,CAAA;IAC7B,OAAO,EAAE,WAAW,CAAC,SAAS,CAAC,CAAA;IAC/B,iBAAiB,EAAE,WAAW,CAAC,mBAAmB,CAAC,CAAA;IACnD,WAAW,EAAE,WAAW,CAAC,aAAa,CAAC,CAAA;CACxC;AAID,wBAAgB,mBAAmB,CAAC,EAClC,QAAQ,EACR,GAAG,IAAI,EACR,EAAE,kBAAkB,GAAG;IAAE,QAAQ,EAAE,SAAS,CAAA;CAAE,2CAkC9C;AAED,wBAAgB,OAAO,IAAI,gBAAgB,CAQ1C;AAED;;;GAGG;AACH,wBAAgB,OAAO,IAAI,eAAe,GAAG,IAAI,CAEhD"}

package/dist/auth/react/index.js

@@ -0,0 +1,52 @@
+"use strict";
+"use client";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SentroyAuthProvider = SentroyAuthProvider;
+exports.useAuth = useAuth;
+exports.useUser = useUser;
+const jsx_runtime_1 = require("react/jsx-runtime");
+const react_1 = require("react");
+const client_1 = require("../client");
+const AuthContext = (0, react_1.createContext)(null);
+function SentroyAuthProvider({ children, ...opts }) {
+    // Single instance — opts deep-compare'a girersek dependency drift'i
+    // restart'a yol açar. Caller `projectSlug` değiştirmemeli runtime'da.
+    const auth = (0, react_1.useMemo)(() => new client_1.SentroyAuth(opts), 
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+    [opts.projectSlug, opts.authBaseUrl, opts.apiKey]);
+    const [user, setUser] = (0, react_1.useState)(auth.user);
+    const [loading, setLoading] = (0, react_1.useState)(true);
+    (0, react_1.useEffect)(() => {
+        const unsubscribe = auth.onAuthStateChanged((u) => {
+            setUser(u);
+            setLoading(false);
+        });
+        return unsubscribe;
+    }, [auth]);
+    const value = (0, react_1.useMemo)(() => ({
+        auth,
+        user,
+        loading,
+        signIn: (i) => auth.signIn(i),
+        signUp: (i) => auth.signUp(i),
+        signOut: () => auth.signOut(),
+        sendPasswordReset: (e) => auth.sendPasswordReset(e),
+        verifyEmail: (t) => auth.verifyEmail(t),
+    }), [auth, user, loading]);
+    return (0, jsx_runtime_1.jsx)(AuthContext.Provider, { value: value, children: children });
+}
+function useAuth() {
+    const ctx = (0, react_1.useContext)(AuthContext);
+    if (!ctx) {
+        throw new Error("useAuth must be used inside <SentroyAuthProvider> — wrap your app root.");
+    }
+    return ctx;
+}
+/**
+ * Convenience: yalnızca current user istenirse. `loading` durumunda null
+ * dönerken bekleyebilirsin.
+ */
+function useUser() {
+    return useAuth().user;
+}
+//# sourceMappingURL=index.js.map

package/dist/auth/react/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/auth/react/index.tsx"],"names":[],"mappings":";AAAA,YAAY,CAAA;;AA4CZ,kDAqCC;AAED,0BAQC;AAMD,0BAEC;;AAjGD,iCAOc;AACd,sCAAgE;AAgChE,MAAM,WAAW,GAAG,IAAA,qBAAa,EAA0B,IAAI,CAAC,CAAA;AAEhE,SAAgB,mBAAmB,CAAC,EAClC,QAAQ,EACR,GAAG,IAAI,EACsC;IAC7C,oEAAoE;IACpE,sEAAsE;IACtE,MAAM,IAAI,GAAG,IAAA,eAAO,EAClB,GAAG,EAAE,CAAC,IAAI,oBAAW,CAAC,IAAI,CAAC;IAC3B,uDAAuD;IACvD,CAAC,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,CAClD,CAAA;IACD,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,IAAA,gBAAQ,EAAyB,IAAI,CAAC,IAAI,CAAC,CAAA;IACnE,MAAM,CAAC,OAAO,EAAE,UAAU,CAAC,GAAG,IAAA,gBAAQ,EAAC,IAAI,CAAC,CAAA;IAE5C,IAAA,iBAAS,EAAC,GAAG,EAAE;QACb,MAAM,WAAW,GAAG,IAAI,CAAC,kBAAkB,CAAC,CAAC,CAAC,EAAE,EAAE;YAChD,OAAO,CAAC,CAAC,CAAC,CAAA;YACV,UAAU,CAAC,KAAK,CAAC,CAAA;QACnB,CAAC,CAAC,CAAA;QACF,OAAO,WAAW,CAAA;IACpB,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,CAAA;IAEV,MAAM,KAAK,GAAG,IAAA,eAAO,EACnB,GAAG,EAAE,CAAC,CAAC;QACL,IAAI;QACJ,IAAI;QACJ,OAAO;QACP,MAAM,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;QAC7B,MAAM,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;QAC7B,OAAO,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,OAAO,EAAE;QAC7B,iBAAiB,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,CAAC;QACnD,WAAW,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC;KACxC,CAAC,EACF,CAAC,IAAI,EAAE,IAAI,EAAE,OAAO,CAAC,CACtB,CAAA;IAED,OAAO,uBAAC,WAAW,CAAC,QAAQ,IAAC,KAAK,EAAE,KAAK,YAAG,QAAQ,GAAwB,CAAA;AAC9E,CAAC;AAED,SAAgB,OAAO;IACrB,MAAM,GAAG,GAAG,IAAA,kBAAU,EAAC,WAAW,CAAC,CAAA;IACnC,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CACb,yEAAyE,CAC1E,CAAA;IACH,CAAC;IACD,OAAO,GAAG,CAAA;AACZ,CAAC;AAED;;;GAGG;AACH,SAAgB,OAAO;IACrB,OAAO,OAAO,EAAE,CAAC,IAAI,CAAA;AACvB,CAAC"}

package/dist/auth/types.d.ts

@@ -0,0 +1,50 @@
+/**
+ * Sentroy Auth-as-a-Service — SDK types.
+ *
+ * Public types are kept narrow on purpose: SDK shapes evolve with backend;
+ * caller code should depend on these names, not on hand-coded interfaces.
+ */
+export interface SentroyAuthUser {
+    id: string;
+    authProjectId: string;
+    email: string;
+    emailVerified: boolean;
+    displayName: string | null;
+    image: string | null;
+    metadata: Record<string, unknown>;
+    lastLoginAt: string | null;
+    createdAt: string;
+    updatedAt: string;
+}
+export interface AuthTokensResponse {
+    accessToken: string;
+    refreshToken: string;
+    expiresIn: number;
+    tokenType: "Bearer";
+}
+export interface SignupResponse {
+    user: SentroyAuthUser;
+    /** Email verification gerekiyorsa undefined; aksi halde set. */
+    accessToken?: string;
+    refreshToken?: string;
+    expiresIn?: number;
+    tokenType?: "Bearer";
+    emailVerificationRequired?: boolean;
+}
+export interface LoginResponse {
+    user: SentroyAuthUser;
+    accessToken: string;
+    refreshToken: string;
+    expiresIn: number;
+    tokenType: "Bearer";
+}
+export interface AuthApiError {
+    error: string;
+    error_description: string;
+}
+export declare class SentroyAuthError extends Error {
+    readonly code: string;
+    readonly status: number;
+    constructor(code: string, message: string, status: number);
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/auth/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/auth/types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,MAAM,WAAW,eAAe;IAC9B,EAAE,EAAE,MAAM,CAAA;IACV,aAAa,EAAE,MAAM,CAAA;IACrB,KAAK,EAAE,MAAM,CAAA;IACb,aAAa,EAAE,OAAO,CAAA;IACtB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAA;IAC1B,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;IACpB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IACjC,WAAW,EAAE,MAAM,GAAG,IAAI,CAAA;IAC1B,SAAS,EAAE,MAAM,CAAA;IACjB,SAAS,EAAE,MAAM,CAAA;CAClB;AAED,MAAM,WAAW,kBAAkB;IACjC,WAAW,EAAE,MAAM,CAAA;IACnB,YAAY,EAAE,MAAM,CAAA;IACpB,SAAS,EAAE,MAAM,CAAA;IACjB,SAAS,EAAE,QAAQ,CAAA;CACpB;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,eAAe,CAAA;IACrB,gEAAgE;IAChE,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,SAAS,CAAC,EAAE,QAAQ,CAAA;IACpB,yBAAyB,CAAC,EAAE,OAAO,CAAA;CACpC;AAED,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,eAAe,CAAA;IACrB,WAAW,EAAE,MAAM,CAAA;IACnB,YAAY,EAAE,MAAM,CAAA;IACpB,SAAS,EAAE,MAAM,CAAA;IACjB,SAAS,EAAE,QAAQ,CAAA;CACpB;AAED,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,MAAM,CAAA;IACb,iBAAiB,EAAE,MAAM,CAAA;CAC1B;AAED,qBAAa,gBAAiB,SAAQ,KAAK;IACzC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAA;IACrB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;gBACX,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;CAM1D"}

package/dist/auth/types.js

@@ -0,0 +1,21 @@
+"use strict";
+/**
+ * Sentroy Auth-as-a-Service — SDK types.
+ *
+ * Public types are kept narrow on purpose: SDK shapes evolve with backend;
+ * caller code should depend on these names, not on hand-coded interfaces.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SentroyAuthError = void 0;
+class SentroyAuthError extends Error {
+    code;
+    status;
+    constructor(code, message, status) {
+        super(message);
+        this.name = "SentroyAuthError";
+        this.code = code;
+        this.status = status;
+    }
+}
+exports.SentroyAuthError = SentroyAuthError;
+//# sourceMappingURL=types.js.map

package/dist/auth/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/auth/types.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AA6CH,MAAa,gBAAiB,SAAQ,KAAK;IAChC,IAAI,CAAQ;IACZ,MAAM,CAAQ;IACvB,YAAY,IAAY,EAAE,OAAe,EAAE,MAAc;QACvD,KAAK,CAAC,OAAO,CAAC,CAAA;QACd,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAA;QAC9B,IAAI,CAAC,IAAI,GAAG,IAAI,CAAA;QAChB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAA;IACtB,CAAC;CACF;AATD,4CASC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sentroy-co/client-sdk",
-  "version": "2.13.7",
+  "version": "2.13.8",
   "description": "TypeScript SDK + CLI for the Sentroy platform — mail, storage, env vault + React components.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -38,6 +38,21 @@
       "types": "./dist/vault/react.d.ts",
       "import": "./dist/vault/react.js",
       "require": "./dist/vault/react.js"
+    },
+    "./auth": {
+      "types": "./dist/auth/index.d.ts",
+      "import": "./dist/auth/index.js",
+      "require": "./dist/auth/index.js"
+    },
+    "./auth/admin": {
+      "types": "./dist/auth/admin/index.d.ts",
+      "import": "./dist/auth/admin/index.js",
+      "require": "./dist/auth/admin/index.js"
+    },
+    "./auth/react": {
+      "types": "./dist/auth/react/index.d.ts",
+      "import": "./dist/auth/react/index.js",
+      "require": "./dist/auth/react/index.js"
     }
   },
   "files": [

package/src/auth/admin/index.ts

@@ -0,0 +1,191 @@
+import { AuthHttp } from "../http"
+import type { SentroyAuthUser } from "../types"
+
+/**
+ * Server-side Sentroy Auth admin SDK. **Node only — apiKey browser'a
+ * koymayın**; bu sınıf Project'in master `aps_` token'ını taşır ve
+ * Sentroy üzerindeki user pool'a yetki vermez.
+ *
+ * Tipik kullanım: backend, kendi `/api/auth/...` proxy'sinde RP-spesifik
+ * authorization yapar, sonra `admin.users.get(...)` ile Sentroy'dan
+ * end-user'ı çeker. JWT verify de bu SDK üzerinden — tüm akış stateless.
+ */
+
+export interface SentroyAuthAdminOptions {
+  authBaseUrl?: string
+  projectSlug: string
+  apiKey: string
+}
+
+export class SentroyAuthAdmin {
+  private readonly http: AuthHttp
+  private cachedJwks: { keys: Record<string, unknown>[] } | null = null
+
+  constructor(opts: SentroyAuthAdminOptions) {
+    this.http = new AuthHttp(opts)
+  }
+
+  // ─── User pool admin ──────────────────────────────────────────────────
+
+  users = {
+    list: (opts: {
+      limit?: number
+      skip?: number
+      emailVerified?: boolean
+    } = {}): Promise<{
+      items: SentroyAuthUser[]
+      pagination: { total: number; limit: number; skip: number }
+    }> => {
+      throw new Error(
+        "admin.users.list requires session-authenticated admin API; use dashboard /api/companies/[slug]/auth-projects/[id]/users instead. (v2 admin SDK will proxy this with stk_ tokens.)",
+      )
+      // NOTE Phase 5+: SDK admin endpoint'leri public path'lere taşınmadı;
+      // şu an `/api/companies/...` cookie-auth ile. v2'de `/api/v1/admin/...`
+      // RP token'ı ile authenticate eden ayrı public admin layer eklenir.
+    },
+  }
+
+  // ─── ID token verification ─────────────────────────────────────────────
+
+  /**
+   * Local verify — JWKS cache'lenir (5dk TTL), JWT signature kontrolü
+   * RS256 ile RP backend'inde stateless yapılır. `iss`/`aud` claim
+   * eşleşmesi de kontrol edilir.
+   */
+  async verifyIdToken(token: string): Promise<{
+    sub: string
+    email?: string
+    email_verified?: boolean
+    name?: string
+    picture?: string
+    iss: string
+    aud: string
+    iat: number
+    exp: number
+  }> {
+    const parts = token.split(".")
+    if (parts.length !== 3) {
+      throw new Error("Malformed JWT — expected three segments.")
+    }
+    const [headerB64, payloadB64, sigB64] = parts
+    const header = JSON.parse(decodeBase64Url(headerB64)) as {
+      alg?: string
+      kid?: string
+    }
+    if (header.alg !== "RS256") {
+      throw new Error("Only RS256 supported.")
+    }
+    const claims = JSON.parse(decodeBase64Url(payloadB64)) as {
+      exp?: number
+      iss?: string
+      aud?: string
+    }
+    if (typeof claims.exp !== "number" || claims.exp * 1000 < Date.now()) {
+      throw new Error("Token expired.")
+    }
+    // iss + aud check
+    const expectedIssSuffix = `/p/${this.http.projectSlug}`
+    if (typeof claims.iss !== "string" || !claims.iss.endsWith(expectedIssSuffix)) {
+      throw new Error("Issuer mismatch.")
+    }
+    // aud == project apiKeyPrefix (12 chars). API key first 12 = aud check.
+    if (
+      typeof claims.aud !== "string" ||
+      !this.http.apiKey?.startsWith(claims.aud)
+    ) {
+      throw new Error("Audience mismatch.")
+    }
+
+    const jwks = await this.fetchJwks()
+    const key = jwks.keys.find(
+      (k) => (k as { kid?: string }).kid === header.kid,
+    ) ?? jwks.keys[0]
+    if (!key) throw new Error("No public key in JWKS.")
+
+    await verifyRsaSignature({
+      data: `${headerB64}.${payloadB64}`,
+      sigB64,
+      jwk: key as JsonWebKey,
+    })
+
+    return claims as never
+  }
+
+  private async fetchJwks(): Promise<{ keys: Record<string, unknown>[] }> {
+    if (this.cachedJwks) return this.cachedJwks
+    const jwks = await this.http.request<{ keys: Record<string, unknown>[] }>(
+      "/jwks.json",
+      { method: "GET" },
+    )
+    this.cachedJwks = jwks
+    // 5dk cache — basit setTimeout invalidation
+    setTimeout(() => {
+      this.cachedJwks = null
+    }, 5 * 60 * 1000)
+    return jwks
+  }
+}
+
+// ─── Helpers ─────────────────────────────────────────────────────────────
+
+function decodeBase64Url(s: string): string {
+  const padded = s.replace(/-/g, "+").replace(/_/g, "/")
+  const pad = padded.length % 4 === 0 ? "" : "=".repeat(4 - (padded.length % 4))
+  if (typeof atob === "function") {
+    const binary = atob(padded + pad)
+    const bytes = new Uint8Array(binary.length)
+    for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i)
+    return new TextDecoder().decode(bytes)
+  }
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  const B = (globalThis as any).Buffer
+  if (B) return B.from(padded + pad, "base64").toString("utf8")
+  throw new Error("No base64 decoder available")
+}
+
+function base64UrlToBytes(s: string): Uint8Array {
+  const padded = s.replace(/-/g, "+").replace(/_/g, "/")
+  const pad = padded.length % 4 === 0 ? "" : "=".repeat(4 - (padded.length % 4))
+  if (typeof atob === "function") {
+    const binary = atob(padded + pad)
+    const bytes = new Uint8Array(binary.length)
+    for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i)
+    return bytes
+  }
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  const B = (globalThis as any).Buffer
+  if (B) return new Uint8Array(B.from(padded + pad, "base64"))
+  throw new Error("No base64 decoder available")
+}
+
+async function verifyRsaSignature(input: {
+  data: string
+  sigB64: string
+  jwk: JsonWebKey
+}): Promise<void> {
+  // Browser + modern Node (>=18) have crypto.subtle. Tek kod yolu.
+  const subtle =
+    typeof crypto !== "undefined" && crypto.subtle ? crypto.subtle : null
+  if (!subtle) {
+    throw new Error("Web Crypto unavailable — upgrade Node >= 18 or run in a browser.")
+  }
+  const key = await subtle.importKey(
+    "jwk",
+    input.jwk,
+    { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" },
+    false,
+    ["verify"],
+  )
+  // Web Crypto types want ArrayBuffer-backed BufferSource. TypeScript
+  // can't prove Uint8Array isn't SharedArrayBuffer-backed (DOM lib edge);
+  // bytes are created fresh from base64 decode so ArrayBuffer-safe — cast.
+  const sigBytes = base64UrlToBytes(input.sigB64) as Uint8Array
+  const dataBytes = new TextEncoder().encode(input.data) as Uint8Array
+  const ok = await subtle.verify(
+    { name: "RSASSA-PKCS1-v1_5" },
+    key,
+    sigBytes as unknown as ArrayBuffer,
+    dataBytes as unknown as ArrayBuffer,
+  )
+  if (!ok) throw new Error("Signature mismatch.")
+}