@supabase/server 0.1.1-rc.24 → 0.1.1-rc.26

package/dist/errors-5ivL23qo.d.mts

@@ -0,0 +1,78 @@
+//#region src/errors.d.ts
+/**
+ * Thrown when a required environment variable is missing or malformed.
+ *
+ * Has a fixed `status` of `500` since environment errors are server-side
+ * configuration issues, not client errors.
+ *
+ * @example
+ * ```ts
+ * import { EnvError } from '@supabase/server'
+ *
+ * try {
+ *   const client = createAdminClient()
+ * } catch (e) {
+ *   if (e instanceof EnvError) {
+ *     console.error(`Config issue [${e.code}]: ${e.message}`)
+ *     // → "Config issue [MISSING_SUPABASE_URL]: SUPABASE_URL is required but not set"
+ *   }
+ * }
+ * ```
+ */
+declare class EnvError extends Error {
+  /** Always `500` — environment errors are server-side issues. */
+  readonly status = 500;
+  /**
+   * Machine-readable error code.
+   *
+   * Known codes:
+   * - `"MISSING_SUPABASE_URL"` — `SUPABASE_URL` not set
+   * - `"MISSING_PUBLISHABLE_KEY"` — No publishable key found
+   * - `"MISSING_SECRET_KEY"` — No secret key found
+   * - `"ENV_ERROR"` — Generic environment error
+   */
+  readonly code: string;
+  constructor(message: string, code?: string);
+}
+/**
+ * Thrown when authentication or authorization fails.
+ *
+ * Carries an HTTP `status` code suitable for returning directly in a response
+ * (typically `401` for invalid credentials, `500` for server-side auth failures).
+ *
+ * @example
+ * ```ts
+ * import { AuthError, createSupabaseContext } from '@supabase/server'
+ *
+ * const { data: ctx, error } = await createSupabaseContext(request, { allow: 'user' })
+ * if (error) {
+ *   // error is an AuthError
+ *   return Response.json(
+ *     { error: error.message, code: error.code },
+ *     { status: error.status },
+ *   )
+ * }
+ * ```
+ */
+declare class AuthError extends Error {
+  /**
+   * HTTP status code.
+   *
+   * - `401` — Invalid or missing credentials
+   * - `500` — Server-side auth failure (e.g., missing JWKS, env misconfiguration)
+   */
+  readonly status: number;
+  /**
+   * Machine-readable error code.
+   *
+   * Known codes:
+   * - `"INVALID_CREDENTIALS"` — No credential matched any allowed auth mode
+   * - `"CLIENT_ERROR"` — Failed to create a Supabase client after auth succeeded
+   * - `"AUTH_ERROR"` — Generic authentication error
+   * - Any `EnvError` code (propagated when env resolution fails during auth)
+   */
+  readonly code: string;
+  constructor(message: string, code?: string, status?: number);
+}
+//#endregion
+export { EnvError as n, AuthError as t };

package/dist/errors-BmSsOAvx.d.cts

@@ -0,0 +1,78 @@
+//#region src/errors.d.ts
+/**
+ * Thrown when a required environment variable is missing or malformed.
+ *
+ * Has a fixed `status` of `500` since environment errors are server-side
+ * configuration issues, not client errors.
+ *
+ * @example
+ * ```ts
+ * import { EnvError } from '@supabase/server'
+ *
+ * try {
+ *   const client = createAdminClient()
+ * } catch (e) {
+ *   if (e instanceof EnvError) {
+ *     console.error(`Config issue [${e.code}]: ${e.message}`)
+ *     // → "Config issue [MISSING_SUPABASE_URL]: SUPABASE_URL is required but not set"
+ *   }
+ * }
+ * ```
+ */
+declare class EnvError extends Error {
+  /** Always `500` — environment errors are server-side issues. */
+  readonly status = 500;
+  /**
+   * Machine-readable error code.
+   *
+   * Known codes:
+   * - `"MISSING_SUPABASE_URL"` — `SUPABASE_URL` not set
+   * - `"MISSING_PUBLISHABLE_KEY"` — No publishable key found
+   * - `"MISSING_SECRET_KEY"` — No secret key found
+   * - `"ENV_ERROR"` — Generic environment error
+   */
+  readonly code: string;
+  constructor(message: string, code?: string);
+}
+/**
+ * Thrown when authentication or authorization fails.
+ *
+ * Carries an HTTP `status` code suitable for returning directly in a response
+ * (typically `401` for invalid credentials, `500` for server-side auth failures).
+ *
+ * @example
+ * ```ts
+ * import { AuthError, createSupabaseContext } from '@supabase/server'
+ *
+ * const { data: ctx, error } = await createSupabaseContext(request, { allow: 'user' })
+ * if (error) {
+ *   // error is an AuthError
+ *   return Response.json(
+ *     { error: error.message, code: error.code },
+ *     { status: error.status },
+ *   )
+ * }
+ * ```
+ */
+declare class AuthError extends Error {
+  /**
+   * HTTP status code.
+   *
+   * - `401` — Invalid or missing credentials
+   * - `500` — Server-side auth failure (e.g., missing JWKS, env misconfiguration)
+   */
+  readonly status: number;
+  /**
+   * Machine-readable error code.
+   *
+   * Known codes:
+   * - `"INVALID_CREDENTIALS"` — No credential matched any allowed auth mode
+   * - `"CLIENT_ERROR"` — Failed to create a Supabase client after auth succeeded
+   * - `"AUTH_ERROR"` — Generic authentication error
+   * - Any `EnvError` code (propagated when env resolution fails during auth)
+   */
+  readonly code: string;
+  constructor(message: string, code?: string, status?: number);
+}
+//#endregion
+export { EnvError as n, AuthError as t };

package/dist/index.cjs

@@ -1,14 +1,34 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
-const require_verify_auth = require('./verify-auth-6a1UPrFz.cjs');
-const require_create_supabase_context = require('./create-supabase-context-DNWor6i_.cjs');
+const require_verify_auth = require('./verify-auth-DvRVnjdq.cjs');
+const require_create_supabase_context = require('./create-supabase-context-DcVorGKG.cjs');
 let _supabase_supabase_js_cors = require("@supabase/supabase-js/cors");
 
 //#region src/cors.ts
+/**
+* Builds the CORS headers object based on the given configuration.
+*
+* @param config - The CORS configuration.
+* @returns A headers record to include in the response. Empty object if CORS is disabled.
+*
+* @internal
+*/
 function buildCorsHeaders(config) {
 	if (config === false) return {};
 	if (typeof config === "object") return config;
 	return _supabase_supabase_js_cors.corsHeaders;
 }
+/**
+* Returns a new `Response` with CORS headers appended.
+*
+* Creates a clone of the original response and sets each CORS header on it.
+* If CORS is disabled (`config === false`), returns the original response unchanged.
+*
+* @param response - The original response to augment.
+* @param config - The CORS configuration.
+* @returns A new `Response` with CORS headers set, or the original response if CORS is disabled.
+*
+* @internal
+*/
 function addCorsHeaders(response, config) {
 	if (config === false) return response;
 	const corsHeaders = buildCorsHeaders(config);
@@ -19,6 +39,29 @@ function addCorsHeaders(response, config) {
 
 //#endregion
 //#region src/with-supabase.ts
+/**
+* Wraps a request handler with Supabase auth, client creation, and CORS handling.
+*
+* Built for the Web API `Request`/`Response` standard that all modern runtimes
+* implement natively. Handles CORS preflight, credential verification,
+* context creation, and error responses. Your handler only runs on successful auth.
+*
+* @param config - Auth modes, CORS, and environment overrides. See {@link WithSupabaseConfig}.
+* @param handler - Receives the `Request` and a fully-initialized {@link SupabaseContext}.
+* @returns A `(req: Request) => Promise<Response>` fetch handler.
+*
+* @example
+* ```ts
+* import { withSupabase } from '@supabase/server'
+*
+* export default {
+*   fetch: withSupabase({ allow: 'user' }, async (req, ctx) => {
+*     const { data } = await ctx.supabase.rpc('get_my_profile')
+*     return Response.json(data)
+*   }),
+* }
+* ```
+*/
 function withSupabase(config, handler) {
 	return async (req) => {
 		if (config.cors !== false && req.method === "OPTIONS") return new Response(null, {
@@ -42,11 +85,5 @@ function withSupabase(config, handler) {
 //#endregion
 exports.AuthError = require_verify_auth.AuthError;
 exports.EnvError = require_verify_auth.EnvError;
-exports.createAdminClient = require_verify_auth.createAdminClient;
-exports.createContextClient = require_verify_auth.createContextClient;
 exports.createSupabaseContext = require_create_supabase_context.createSupabaseContext;
-exports.extractCredentials = require_verify_auth.extractCredentials;
-exports.resolveEnv = require_verify_auth.resolveEnv;
-exports.verifyAuth = require_verify_auth.verifyAuth;
-exports.verifyCredentials = require_verify_auth.verifyCredentials;
 exports.withSupabase = withSupabase;

package/dist/index.d.cts

@@ -1,10 +1,53 @@
-import { a as JWTClaims, c as UserClaims, i as Credentials, l as WithSupabaseConfig, n as AllowWithKey, o as SupabaseContext, r as AuthResult, s as SupabaseEnv, t as Allow } from "./types-C9J9JcPD.cjs";
-import { a as extractCredentials, c as EnvError, i as verifyCredentials, n as createContextClient, o as resolveEnv, r as verifyAuth, s as AuthError, t as createAdminClient } from "./create-admin-client-CnuiHPpV.cjs";
+import { a as JWTClaims, c as UserClaims, i as Credentials, l as WithSupabaseConfig, n as AllowWithKey, o as SupabaseContext, r as AuthResult, s as SupabaseEnv, t as Allow } from "./types-CnKoFCMX.cjs";
+import { n as EnvError, t as AuthError } from "./errors-BmSsOAvx.cjs";
 
 //#region src/with-supabase.d.ts
+/**
+ * Wraps a request handler with Supabase auth, client creation, and CORS handling.
+ *
+ * Built for the Web API `Request`/`Response` standard that all modern runtimes
+ * implement natively. Handles CORS preflight, credential verification,
+ * context creation, and error responses. Your handler only runs on successful auth.
+ *
+ * @param config - Auth modes, CORS, and environment overrides. See {@link WithSupabaseConfig}.
+ * @param handler - Receives the `Request` and a fully-initialized {@link SupabaseContext}.
+ * @returns A `(req: Request) => Promise<Response>` fetch handler.
+ *
+ * @example
+ * ```ts
+ * import { withSupabase } from '@supabase/server'
+ *
+ * export default {
+ *   fetch: withSupabase({ allow: 'user' }, async (req, ctx) => {
+ *     const { data } = await ctx.supabase.rpc('get_my_profile')
+ *     return Response.json(data)
+ *   }),
+ * }
+ * ```
+ */
 declare function withSupabase<Database = unknown>(config: WithSupabaseConfig, handler: (req: Request, ctx: SupabaseContext<Database>) => Promise<Response>): (req: Request) => Promise<Response>;
 //#endregion
 //#region src/create-supabase-context.d.ts
+/**
+ * Creates a {@link SupabaseContext} directly from a request.
+ *
+ * Use this when you need the context without the full {@link withSupabase} wrapper —
+ * e.g., inside framework route handlers or custom middleware. Returns a result tuple
+ * instead of producing a `Response`.
+ *
+ * @param request - The incoming HTTP request.
+ * @param options - Auth modes, environment overrides. The `cors` option is ignored here.
+ * @returns `{ data: SupabaseContext, error: null }` on success, `{ data: null, error: AuthError }` on failure.
+ *
+ * @example
+ * ```ts
+ * const { data: ctx, error } = await createSupabaseContext(request, { allow: 'user' })
+ * if (error) {
+ *   return Response.json({ error: error.message }, { status: error.status })
+ * }
+ * const { data } = await ctx.supabase.rpc('get_my_items')
+ * ```
+ */
 declare function createSupabaseContext<Database = unknown>(request: Request, options?: WithSupabaseConfig): Promise<{
   data: SupabaseContext<Database>;
   error: null;
@@ -13,4 +56,4 @@ declare function createSupabaseContext<Database = unknown>(request: Request, opt
   error: AuthError;
 }>;
 //#endregion
-export { type Allow, type AllowWithKey, AuthError, type AuthResult, type Credentials, EnvError, type JWTClaims, type SupabaseContext, type SupabaseEnv, type UserClaims, type WithSupabaseConfig, createAdminClient, createContextClient, createSupabaseContext, extractCredentials, resolveEnv, verifyAuth, verifyCredentials, withSupabase };
+export { type Allow, type AllowWithKey, AuthError, type AuthResult, type Credentials, EnvError, type JWTClaims, type SupabaseContext, type SupabaseEnv, type UserClaims, type WithSupabaseConfig, createSupabaseContext, withSupabase };

package/dist/index.d.mts

@@ -1,10 +1,53 @@
-import { a as JWTClaims, c as UserClaims, i as Credentials, l as WithSupabaseConfig, n as AllowWithKey, o as SupabaseContext, r as AuthResult, s as SupabaseEnv, t as Allow } from "./types-Ceetds5F.mjs";
-import { a as extractCredentials, c as EnvError, i as verifyCredentials, n as createContextClient, o as resolveEnv, r as verifyAuth, s as AuthError, t as createAdminClient } from "./create-admin-client-BQEHqeFW.mjs";
+import { a as JWTClaims, c as UserClaims, i as Credentials, l as WithSupabaseConfig, n as AllowWithKey, o as SupabaseContext, r as AuthResult, s as SupabaseEnv, t as Allow } from "./types-ClmJ8pi8.mjs";
+import { n as EnvError, t as AuthError } from "./errors-5ivL23qo.mjs";
 
 //#region src/with-supabase.d.ts
+/**
+ * Wraps a request handler with Supabase auth, client creation, and CORS handling.
+ *
+ * Built for the Web API `Request`/`Response` standard that all modern runtimes
+ * implement natively. Handles CORS preflight, credential verification,
+ * context creation, and error responses. Your handler only runs on successful auth.
+ *
+ * @param config - Auth modes, CORS, and environment overrides. See {@link WithSupabaseConfig}.
+ * @param handler - Receives the `Request` and a fully-initialized {@link SupabaseContext}.
+ * @returns A `(req: Request) => Promise<Response>` fetch handler.
+ *
+ * @example
+ * ```ts
+ * import { withSupabase } from '@supabase/server'
+ *
+ * export default {
+ *   fetch: withSupabase({ allow: 'user' }, async (req, ctx) => {
+ *     const { data } = await ctx.supabase.rpc('get_my_profile')
+ *     return Response.json(data)
+ *   }),
+ * }
+ * ```
+ */
 declare function withSupabase<Database = unknown>(config: WithSupabaseConfig, handler: (req: Request, ctx: SupabaseContext<Database>) => Promise<Response>): (req: Request) => Promise<Response>;
 //#endregion
 //#region src/create-supabase-context.d.ts
+/**
+ * Creates a {@link SupabaseContext} directly from a request.
+ *
+ * Use this when you need the context without the full {@link withSupabase} wrapper —
+ * e.g., inside framework route handlers or custom middleware. Returns a result tuple
+ * instead of producing a `Response`.
+ *
+ * @param request - The incoming HTTP request.
+ * @param options - Auth modes, environment overrides. The `cors` option is ignored here.
+ * @returns `{ data: SupabaseContext, error: null }` on success, `{ data: null, error: AuthError }` on failure.
+ *
+ * @example
+ * ```ts
+ * const { data: ctx, error } = await createSupabaseContext(request, { allow: 'user' })
+ * if (error) {
+ *   return Response.json({ error: error.message }, { status: error.status })
+ * }
+ * const { data } = await ctx.supabase.rpc('get_my_items')
+ * ```
+ */
 declare function createSupabaseContext<Database = unknown>(request: Request, options?: WithSupabaseConfig): Promise<{
   data: SupabaseContext<Database>;
   error: null;
@@ -13,4 +56,4 @@ declare function createSupabaseContext<Database = unknown>(request: Request, opt
   error: AuthError;
 }>;
 //#endregion
-export { type Allow, type AllowWithKey, AuthError, type AuthResult, type Credentials, EnvError, type JWTClaims, type SupabaseContext, type SupabaseEnv, type UserClaims, type WithSupabaseConfig, createAdminClient, createContextClient, createSupabaseContext, extractCredentials, resolveEnv, verifyAuth, verifyCredentials, withSupabase };
+export { type Allow, type AllowWithKey, AuthError, type AuthResult, type Credentials, EnvError, type JWTClaims, type SupabaseContext, type SupabaseEnv, type UserClaims, type WithSupabaseConfig, createSupabaseContext, withSupabase };

package/dist/index.mjs

@@ -1,13 +1,33 @@
-import { a as createAdminClient, c as EnvError, i as createContextClient, n as verifyCredentials, o as resolveEnv, r as extractCredentials, s as AuthError, t as verifyAuth } from "./verify-auth-DxUT0XoT.mjs";
-import { t as createSupabaseContext } from "./create-supabase-context-BrSIe29v.mjs";
+import { c as EnvError, s as AuthError } from "./verify-auth-2S7zFfR-.mjs";
+import { t as createSupabaseContext } from "./create-supabase-context-CmWaH3s6.mjs";
 import { corsHeaders } from "@supabase/supabase-js/cors";
 
 //#region src/cors.ts
+/**
+* Builds the CORS headers object based on the given configuration.
+*
+* @param config - The CORS configuration.
+* @returns A headers record to include in the response. Empty object if CORS is disabled.
+*
+* @internal
+*/
 function buildCorsHeaders(config) {
 	if (config === false) return {};
 	if (typeof config === "object") return config;
 	return corsHeaders;
 }
+/**
+* Returns a new `Response` with CORS headers appended.
+*
+* Creates a clone of the original response and sets each CORS header on it.
+* If CORS is disabled (`config === false`), returns the original response unchanged.
+*
+* @param response - The original response to augment.
+* @param config - The CORS configuration.
+* @returns A new `Response` with CORS headers set, or the original response if CORS is disabled.
+*
+* @internal
+*/
 function addCorsHeaders(response, config) {
 	if (config === false) return response;
 	const corsHeaders = buildCorsHeaders(config);
@@ -18,6 +38,29 @@ function addCorsHeaders(response, config) {
 
 //#endregion
 //#region src/with-supabase.ts
+/**
+* Wraps a request handler with Supabase auth, client creation, and CORS handling.
+*
+* Built for the Web API `Request`/`Response` standard that all modern runtimes
+* implement natively. Handles CORS preflight, credential verification,
+* context creation, and error responses. Your handler only runs on successful auth.
+*
+* @param config - Auth modes, CORS, and environment overrides. See {@link WithSupabaseConfig}.
+* @param handler - Receives the `Request` and a fully-initialized {@link SupabaseContext}.
+* @returns A `(req: Request) => Promise<Response>` fetch handler.
+*
+* @example
+* ```ts
+* import { withSupabase } from '@supabase/server'
+*
+* export default {
+*   fetch: withSupabase({ allow: 'user' }, async (req, ctx) => {
+*     const { data } = await ctx.supabase.rpc('get_my_profile')
+*     return Response.json(data)
+*   }),
+* }
+* ```
+*/
 function withSupabase(config, handler) {
 	return async (req) => {
 		if (config.cors !== false && req.method === "OPTIONS") return new Response(null, {
@@ -39,4 +82,4 @@ function withSupabase(config, handler) {
 }
 
 //#endregion
-export { AuthError, EnvError, createAdminClient, createContextClient, createSupabaseContext, extractCredentials, resolveEnv, verifyAuth, verifyCredentials, withSupabase };
+export { AuthError, EnvError, createSupabaseContext, withSupabase };

package/dist/types-ClmJ8pi8.d.mts

@@ -0,0 +1,227 @@
+import { SupabaseClient } from "@supabase/supabase-js";
+
+//#region src/types.d.ts
+/**
+ * Authentication mode that determines what credentials a request must provide.
+ *
+ * - `"always"` — No credentials required. Every request is accepted.
+ * - `"public"` — Requires a valid publishable key in the `apikey` header.
+ * - `"secret"` — Requires a valid secret key in the `apikey` header (timing-safe comparison).
+ * - `"user"` — Requires a valid JWT in the `Authorization: Bearer <token>` header.
+ *
+ * @example
+ * ```ts
+ * // Single mode
+ * withSupabase({ allow: 'user' }, handler)
+ *
+ * // Multiple modes — the first match wins
+ * withSupabase({ allow: ['user', 'public'] }, handler)
+ * ```
+ */
+type Allow = 'always' | 'public' | 'secret' | 'user';
+/**
+ * Extended auth mode that supports targeting a specific named key.
+ *
+ * Use the colon syntax (`"public:web_app"`) to require a specific named key
+ * from the `SUPABASE_PUBLISHABLE_KEYS` or `SUPABASE_SECRET_KEYS` JSON object.
+ * Use `"public:*"` or `"secret:*"` to accept any key in the set.
+ *
+ * @example
+ * ```ts
+ * // Accept only the "mobile" publishable key
+ * withSupabase({ allow: 'public:mobile' }, handler)
+ *
+ * // Accept any secret key
+ * withSupabase({ allow: 'secret:*' }, handler)
+ *
+ * // Mix named keys with other modes
+ * withSupabase({ allow: ['user', 'public:web_app'] }, handler)
+ * ```
+ */
+type AllowWithKey = Allow | `public:${string}` | `secret:${string}`;
+/**
+ * Resolved Supabase environment configuration.
+ *
+ * Holds the project URL, API keys, and JWKS needed by every other primitive.
+ * Typically resolved automatically from environment variables by {@link resolveEnv},
+ * but can be passed explicitly via the `env` option.
+ *
+ * @see {@link resolveEnv} for how each field maps to environment variables.
+ */
+interface SupabaseEnv {
+  /** Supabase project URL (e.g. `"https://<ref>.supabase.co"`). Sourced from `SUPABASE_URL`. */
+  url: string;
+  /**
+   * Named publishable (anon) keys. Sourced from `SUPABASE_PUBLISHABLE_KEYS` (JSON object)
+   * or `SUPABASE_PUBLISHABLE_KEY` (single key, stored as `{ default: "<value>" }`).
+   */
+  publishableKeys: Record<string, string>;
+  /**
+   * Named secret (service-role) keys. Sourced from `SUPABASE_SECRET_KEYS` (JSON object)
+   * or `SUPABASE_SECRET_KEY` (single key, stored as `{ default: "<value>" }`).
+   */
+  secretKeys: Record<string, string>;
+  /**
+   * JSON Web Key Set used for JWT verification. Sourced from `SUPABASE_JWKS`.
+   * Accepts both `{ keys: [...] }` and bare `[...]` array formats.
+   * `null` when no JWKS is configured (JWT verification will be unavailable).
+   */
+  jwks: JsonWebKeySet | null;
+}
+/**
+ * A JSON Web Key Set as defined by RFC 7517.
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc7517
+ */
+interface JsonWebKeySet {
+  /** Array of JSON Web Keys. */
+  keys: JsonWebKey[];
+}
+/**
+ * Raw credentials extracted from an incoming HTTP request.
+ *
+ * Produced by {@link extractCredentials} from the `Authorization` and `apikey` headers.
+ *
+ * @see {@link extractCredentials}
+ */
+interface Credentials {
+  /** Bearer token from the `Authorization: Bearer <token>` header, or `null` if absent. */
+  token: string | null;
+  /** API key from the `apikey` header, or `null` if absent. */
+  apikey: string | null;
+}
+/**
+ * Result of credential verification.
+ *
+ * Contains the resolved auth mode, the verified token (for `"user"` mode),
+ * decoded JWT claims, and the matched key name (for `"public"` / `"secret"` modes).
+ *
+ * @see {@link verifyCredentials}
+ * @see {@link verifyAuth}
+ */
+interface AuthResult {
+  /** The auth mode that was successfully matched. */
+  authType: Allow;
+  /** The verified JWT, or `null` for non-user auth modes. */
+  token: string | null;
+  /** Normalized user identity derived from the JWT, or `null` when no JWT is present. */
+  userClaims: UserClaims | null;
+  /** Raw JWT payload, or `null` when no JWT is present. */
+  claims: JWTClaims | null;
+  /** Name of the matched key (e.g. `"default"`, `"mobile"`), or `null` for `"user"` / `"always"` modes. */
+  keyName?: string | null;
+}
+/**
+ * Standard JWT claims as defined by RFC 7519, extended with Supabase-specific fields.
+ *
+ * This is the raw JWT payload — use {@link UserClaims} for a normalized, camelCase view.
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc7519#section-4.1
+ */
+interface JWTClaims {
+  /** Subject — the user's unique ID. */
+  sub: string;
+  /** Issuer — typically your Supabase project URL. */
+  iss?: string;
+  /** Audience — who the token is intended for. */
+  aud?: string | string[];
+  /** Expiration time (seconds since epoch). */
+  exp?: number;
+  /** Issued at (seconds since epoch). */
+  iat?: number;
+  /** Supabase role (e.g. `"authenticated"`, `"anon"`). */
+  role?: string;
+  /** User's email address from Supabase Auth. */
+  email?: string;
+  /** Application-level metadata set via Supabase Auth admin APIs. */
+  app_metadata?: Record<string, unknown>;
+  /** User-editable metadata set via Supabase Auth. */
+  user_metadata?: Record<string, unknown>;
+  /** Additional custom claims. */
+  [key: string]: unknown;
+}
+/**
+ * Normalized, camelCase view of the authenticated user's identity.
+ *
+ * Derived from {@link JWTClaims}. For the full Supabase `User` object
+ * (including email confirmation status, providers, etc.), call
+ * `supabase.auth.getUser()` using the context client.
+ */
+interface UserClaims {
+  /** User's unique ID (same as `JWTClaims.sub`). */
+  id: string;
+  /** Supabase role (e.g. `"authenticated"`). */
+  role?: string;
+  /** User's email address. */
+  email?: string;
+  /** Application-level metadata (e.g. roles, permissions). */
+  appMetadata?: Record<string, unknown>;
+  /** User-editable profile metadata (e.g. display name, avatar). */
+  userMetadata?: Record<string, unknown>;
+}
+/**
+ * Configuration for {@link withSupabase} and {@link createSupabaseContext}.
+ *
+ * Controls which auth modes are accepted, environment overrides, and CORS behavior.
+ *
+ * @example
+ * ```ts
+ * // Require authenticated users, auto-CORS enabled (default)
+ * const config: WithSupabaseConfig = { allow: 'user' }
+ *
+ * // Accept users or service-to-service calls, custom CORS headers
+ * const config: WithSupabaseConfig = {
+ *   allow: ['user', 'secret'],
+ *   cors: { 'Access-Control-Allow-Origin': 'https://myapp.com' },
+ * }
+ *
+ * // No auth required, CORS disabled
+ * const config: WithSupabaseConfig = { allow: 'always', cors: false }
+ * ```
+ */
+interface WithSupabaseConfig {
+  /**
+   * Auth mode(s) to accept. Modes are tried in order — the first match wins.
+   *
+   * @defaultValue `"user"`
+   */
+  allow?: AllowWithKey | AllowWithKey[];
+  /**
+   * Override auto-detected environment variables. Useful for testing
+   * or when running in environments without standard env var support.
+   */
+  env?: Partial<SupabaseEnv>;
+  /**
+   * CORS configuration for the `withSupabase` wrapper.
+   *
+   * - `true` (default) — uses `@supabase/supabase-js` default CORS headers.
+   * - `false` — disables CORS handling entirely.
+   * - `Record<string, string>` — custom CORS headers.
+   *
+   * @remarks Only applies to the top-level {@link withSupabase} wrapper.
+   * The Hono adapter handles CORS separately via Hono's own middleware.
+   *
+   * @defaultValue `true`
+   */
+  cors?: boolean | Record<string, string>;
+}
+/**
+ * The Supabase context created for each authenticated request.
+ *
+ * Contains pre-configured Supabase clients and the caller's identity.
+ * Identical regardless of which layer or adapter produced it.
+ */
+interface SupabaseContext<Database = unknown> {
+  /** Supabase client scoped to the caller's identity. RLS policies apply. */
+  supabase: SupabaseClient<Database>;
+  /** Admin Supabase client that bypasses Row-Level Security. */
+  supabaseAdmin: SupabaseClient<Database>;
+  /** JWT-derived identity. For the full Supabase User object, call `supabase.auth.getUser()`. */
+  userClaims: UserClaims | null;
+  /** Raw JWT payload. `null` for non-user auth modes. */
+  claims: JWTClaims | null;
+  /** The auth mode that was used for this request. */
+  authType: Allow;
+}
+//#endregion
+export { JWTClaims as a, UserClaims as c, Credentials as i, WithSupabaseConfig as l, AllowWithKey as n, SupabaseContext as o, AuthResult as r, SupabaseEnv as s, Allow as t };