@supabase/server 0.1.1-rc.25 → 0.1.1-rc.27

package/README.md

@@ -189,7 +189,7 @@ Extracts credentials from a Request and validates against the allow config.
 ```ts
 const { data: auth, error } = await verifyAuth(req, { allow: 'user' })
 if (error) {
-  return Response.json({ error: error.message }, { status: error.status })
+  return Response.json({ message: error.message }, { status: error.status })
 }
 ```
 
@@ -246,7 +246,10 @@ export default {
     if (url.pathname === '/todos') {
       const { data: auth, error } = await verifyAuth(req, { allow: 'user' })
       if (error)
-        return Response.json({ error: error.message }, { status: error.status })
+        return Response.json(
+          { message: error.message },
+          { status: error.status },
+        )
 
       const supabase = createContextClient(auth.token)
       const { data } = await supabase.from('todos').select()

package/dist/adapters/hono/index.cjs

@@ -1,5 +1,5 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
-const require_create_supabase_context = require('../../create-supabase-context-DcVorGKG.cjs');
+const require_create_supabase_context = require('../../create-supabase-context-BO7DGfth.cjs');
 let hono_http_exception = require("hono/http-exception");
 let hono_factory = require("hono/factory");
 

package/dist/adapters/hono/index.mjs

@@ -1,4 +1,4 @@
-import { t as createSupabaseContext } from "../../create-supabase-context-CmWaH3s6.mjs";
+import { t as createSupabaseContext } from "../../create-supabase-context--JXiHT_N.mjs";
 import { HTTPException } from "hono/http-exception";
 import { createMiddleware } from "hono/factory";
 

package/dist/core/index.cjs

@@ -1,5 +1,5 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
-const require_verify_auth = require('../verify-auth-DvRVnjdq.cjs');
+const require_verify_auth = require('../verify-auth-BjIehuNM.cjs');
 
 exports.createAdminClient = require_verify_auth.createAdminClient;
 exports.createContextClient = require_verify_auth.createContextClient;

package/dist/core/index.d.cts

@@ -1,3 +1,195 @@
-import "../types-CnKoFCMX.cjs";
-import { a as extractCredentials, i as verifyCredentials, n as createContextClient, o as resolveEnv, r as verifyAuth, t as createAdminClient } from "../create-admin-client-Cp7FxI6O.cjs";
+import { i as Credentials, n as AllowWithKey, r as AuthResult, s as SupabaseEnv } from "../types-CnKoFCMX.cjs";
+import { i as EnvError, t as AuthError } from "../errors-O2ugIMec.cjs";
+import { SupabaseClient } from "@supabase/supabase-js";
+
+//#region src/core/resolve-env.d.ts
+/**
+ * Resolves Supabase environment configuration from runtime environment variables.
+ *
+ * Reads `SUPABASE_URL`, keys (`SUPABASE_PUBLISHABLE_KEYS` / `SUPABASE_SECRET_KEYS`),
+ * and `SUPABASE_JWKS`. Works across Deno, Node.js, and Bun. For Cloudflare Workers,
+ * use `overrides` or enable node-compat.
+ *
+ * @param overrides - Partial values that take precedence over env vars.
+ * @returns `{ data: SupabaseEnv, error: null }` on success, `{ data: null, error: EnvError }` on failure.
+ *
+ * @example
+ * ```ts
+ * const { data: env, error } = resolveEnv()
+ * if (error) throw error
+ *
+ * // Override for tests
+ * const { data: env } = resolveEnv({ url: 'http://localhost:54321' })
+ * ```
+ */
+declare function resolveEnv(overrides?: Partial<SupabaseEnv>): {
+  data: SupabaseEnv;
+  error: null;
+} | {
+  data: null;
+  error: EnvError;
+};
+//#endregion
+//#region src/core/extract-credentials.d.ts
+/**
+ * Extracts authentication credentials from an incoming HTTP request.
+ *
+ * Reads two headers:
+ * - `Authorization: Bearer <token>` → extracted as `token`
+ * - `apikey: <key>` → extracted as `apikey`
+ *
+ * This is a pure extraction step — no validation or verification is performed.
+ * Pass the result to {@link verifyCredentials} to validate against allowed auth modes.
+ *
+ * @param request - The incoming HTTP request.
+ * @returns The extracted {@link Credentials}. Fields are `null` when the corresponding header is absent.
+ *
+ * @example
+ * ```ts
+ * import { extractCredentials } from '@supabase/server/core'
+ *
+ * const creds = extractCredentials(request)
+ * console.log(creds.token)  // "eyJhbGci..." or null
+ * console.log(creds.apikey) // "sb-abc123-publishable-..." or null
+ * ```
+ */
+declare function extractCredentials(request: Request): Credentials;
+//#endregion
+//#region src/core/verify-credentials.d.ts
+/**
+ * Options for {@link verifyCredentials}.
+ */
+interface VerifyCredentialsOptions {
+  /**
+   * Auth mode(s) to try. Modes are attempted in order — the first match wins.
+   *
+   * @see {@link AllowWithKey} for the full syntax including named keys.
+   */
+  allow: AllowWithKey | AllowWithKey[];
+  /** Optional environment overrides (passed through to {@link resolveEnv}). */
+  env?: Partial<SupabaseEnv>;
+}
+/**
+ * Verifies pre-extracted credentials against one or more allowed auth modes.
+ *
+ * Tries each mode in order — first match wins. Use {@link verifyAuth} to extract
+ * and verify in a single call.
+ *
+ * @param credentials - The credentials to verify (from {@link extractCredentials}).
+ * @param options - Allowed auth modes and optional env overrides.
+ * @returns `{ data: AuthResult, error: null }` on success, `{ data: null, error: AuthError }` on failure.
+ *
+ * @example
+ * ```ts
+ * const credentials = extractCredentials(request)
+ * const { data: auth, error } = await verifyCredentials(credentials, {
+ *   allow: ['user', 'public'],
+ * })
+ * if (error) {
+ *   return Response.json({ message: error.message }, { status: error.status })
+ * }
+ * ```
+ */
+declare function verifyCredentials(credentials: Credentials, options: VerifyCredentialsOptions): Promise<{
+  data: AuthResult;
+  error: null;
+} | {
+  data: null;
+  error: AuthError;
+}>;
+//#endregion
+//#region src/core/verify-auth.d.ts
+/**
+ * Options for {@link verifyAuth}.
+ */
+interface VerifyAuthOptions {
+  /**
+   * Auth mode(s) to try. Modes are attempted in order — the first match wins.
+   *
+   * @see {@link AllowWithKey} for the full syntax including named keys.
+   */
+  allow: AllowWithKey | AllowWithKey[];
+  /** Optional environment overrides (passed through to {@link resolveEnv}). */
+  env?: Partial<SupabaseEnv>;
+}
+/**
+ * Extracts credentials from a request and verifies them in a single step.
+ *
+ * This is a convenience function that combines {@link extractCredentials} and
+ * {@link verifyCredentials}. Use it when you want the full auth flow without
+ * needing to inspect the raw credentials.
+ *
+ * @param request - The incoming HTTP request.
+ * @param options - Auth modes to accept and optional environment overrides.
+ *
+ * @returns A result tuple: `{ data, error }`.
+ *   - On success: `{ data: AuthResult, error: null }`
+ *   - On failure: `{ data: null, error: AuthError }`
+ *
+ * @example
+ * ```ts
+ * import { verifyAuth } from '@supabase/server/core'
+ *
+ * const { data: auth, error } = await verifyAuth(request, {
+ *   allow: 'user',
+ * })
+ *
+ * if (error) {
+ *   return Response.json({ message: error.message }, { status: error.status })
+ * }
+ *
+ * console.log(auth.userClaims!.id) // "d0f1a2b3-..."
+ * ```
+ */
+declare function verifyAuth(request: Request, options: VerifyAuthOptions): Promise<{
+  data: AuthResult;
+  error: null;
+} | {
+  data: null;
+  error: AuthError;
+}>;
+//#endregion
+//#region src/core/create-context-client.d.ts
+/**
+ * Creates a Supabase client scoped to the caller's context.
+ *
+ * Configured with a publishable key and (optionally) the caller's JWT,
+ * so Row-Level Security policies apply. Session persistence is disabled
+ * (stateless, one client per request).
+ *
+ * @param token - The caller's JWT, or `null` for anonymous access.
+ * @param env - Optional environment overrides (passed through to {@link resolveEnv}).
+ * @param keyName - Name of the publishable key to use. Falls back to `"default"`, then first available.
+ * @returns A configured {@link SupabaseClient} with RLS enforced.
+ * @throws {@link EnvError} If `SUPABASE_URL` is missing or the specified publishable key is not found.
+ *
+ * @example
+ * ```ts
+ * const { data: auth } = await verifyAuth(request, { allow: 'user' })
+ * const supabase = createContextClient(auth.token)
+ * const { data } = await supabase.rpc('get_my_items')
+ * ```
+ */
+declare function createContextClient<Database = unknown>(token?: string | null, env?: Partial<SupabaseEnv>, keyName?: string | null): SupabaseClient<Database>;
+//#endregion
+//#region src/core/create-admin-client.d.ts
+/**
+ * Creates an admin Supabase client that bypasses Row-Level Security.
+ *
+ * Uses a secret key for authentication, giving full access to all data.
+ * Session persistence is disabled (stateless, one client per request).
+ *
+ * @param env - Optional environment overrides (passed through to {@link resolveEnv}).
+ * @param keyName - Name of the secret key to use. Falls back to `"default"`, then first available.
+ * @returns A configured {@link SupabaseClient} with admin (service-role) privileges.
+ * @throws {@link EnvError} If `SUPABASE_URL` is missing or the specified secret key is not found.
+ *
+ * @example
+ * ```ts
+ * const supabaseAdmin = createAdminClient()
+ * const { data } = await supabaseAdmin.from('audit_log').insert({ action: 'user_login' })
+ * ```
+ */
+declare function createAdminClient<Database = unknown>(env?: Partial<SupabaseEnv>, keyName?: string | null): SupabaseClient<Database>;
+//#endregion
 export { createAdminClient, createContextClient, extractCredentials, resolveEnv, verifyAuth, verifyCredentials };

package/dist/core/index.d.mts

@@ -1,3 +1,195 @@
-import "../types-ClmJ8pi8.mjs";
-import { a as extractCredentials, i as verifyCredentials, n as createContextClient, o as resolveEnv, r as verifyAuth, t as createAdminClient } from "../create-admin-client-ZTnl1zMe.mjs";
+import { i as Credentials, n as AllowWithKey, r as AuthResult, s as SupabaseEnv } from "../types-ClmJ8pi8.mjs";
+import { i as EnvError, t as AuthError } from "../errors-CAH-RRA3.mjs";
+import { SupabaseClient } from "@supabase/supabase-js";
+
+//#region src/core/resolve-env.d.ts
+/**
+ * Resolves Supabase environment configuration from runtime environment variables.
+ *
+ * Reads `SUPABASE_URL`, keys (`SUPABASE_PUBLISHABLE_KEYS` / `SUPABASE_SECRET_KEYS`),
+ * and `SUPABASE_JWKS`. Works across Deno, Node.js, and Bun. For Cloudflare Workers,
+ * use `overrides` or enable node-compat.
+ *
+ * @param overrides - Partial values that take precedence over env vars.
+ * @returns `{ data: SupabaseEnv, error: null }` on success, `{ data: null, error: EnvError }` on failure.
+ *
+ * @example
+ * ```ts
+ * const { data: env, error } = resolveEnv()
+ * if (error) throw error
+ *
+ * // Override for tests
+ * const { data: env } = resolveEnv({ url: 'http://localhost:54321' })
+ * ```
+ */
+declare function resolveEnv(overrides?: Partial<SupabaseEnv>): {
+  data: SupabaseEnv;
+  error: null;
+} | {
+  data: null;
+  error: EnvError;
+};
+//#endregion
+//#region src/core/extract-credentials.d.ts
+/**
+ * Extracts authentication credentials from an incoming HTTP request.
+ *
+ * Reads two headers:
+ * - `Authorization: Bearer <token>` → extracted as `token`
+ * - `apikey: <key>` → extracted as `apikey`
+ *
+ * This is a pure extraction step — no validation or verification is performed.
+ * Pass the result to {@link verifyCredentials} to validate against allowed auth modes.
+ *
+ * @param request - The incoming HTTP request.
+ * @returns The extracted {@link Credentials}. Fields are `null` when the corresponding header is absent.
+ *
+ * @example
+ * ```ts
+ * import { extractCredentials } from '@supabase/server/core'
+ *
+ * const creds = extractCredentials(request)
+ * console.log(creds.token)  // "eyJhbGci..." or null
+ * console.log(creds.apikey) // "sb-abc123-publishable-..." or null
+ * ```
+ */
+declare function extractCredentials(request: Request): Credentials;
+//#endregion
+//#region src/core/verify-credentials.d.ts
+/**
+ * Options for {@link verifyCredentials}.
+ */
+interface VerifyCredentialsOptions {
+  /**
+   * Auth mode(s) to try. Modes are attempted in order — the first match wins.
+   *
+   * @see {@link AllowWithKey} for the full syntax including named keys.
+   */
+  allow: AllowWithKey | AllowWithKey[];
+  /** Optional environment overrides (passed through to {@link resolveEnv}). */
+  env?: Partial<SupabaseEnv>;
+}
+/**
+ * Verifies pre-extracted credentials against one or more allowed auth modes.
+ *
+ * Tries each mode in order — first match wins. Use {@link verifyAuth} to extract
+ * and verify in a single call.
+ *
+ * @param credentials - The credentials to verify (from {@link extractCredentials}).
+ * @param options - Allowed auth modes and optional env overrides.
+ * @returns `{ data: AuthResult, error: null }` on success, `{ data: null, error: AuthError }` on failure.
+ *
+ * @example
+ * ```ts
+ * const credentials = extractCredentials(request)
+ * const { data: auth, error } = await verifyCredentials(credentials, {
+ *   allow: ['user', 'public'],
+ * })
+ * if (error) {
+ *   return Response.json({ message: error.message }, { status: error.status })
+ * }
+ * ```
+ */
+declare function verifyCredentials(credentials: Credentials, options: VerifyCredentialsOptions): Promise<{
+  data: AuthResult;
+  error: null;
+} | {
+  data: null;
+  error: AuthError;
+}>;
+//#endregion
+//#region src/core/verify-auth.d.ts
+/**
+ * Options for {@link verifyAuth}.
+ */
+interface VerifyAuthOptions {
+  /**
+   * Auth mode(s) to try. Modes are attempted in order — the first match wins.
+   *
+   * @see {@link AllowWithKey} for the full syntax including named keys.
+   */
+  allow: AllowWithKey | AllowWithKey[];
+  /** Optional environment overrides (passed through to {@link resolveEnv}). */
+  env?: Partial<SupabaseEnv>;
+}
+/**
+ * Extracts credentials from a request and verifies them in a single step.
+ *
+ * This is a convenience function that combines {@link extractCredentials} and
+ * {@link verifyCredentials}. Use it when you want the full auth flow without
+ * needing to inspect the raw credentials.
+ *
+ * @param request - The incoming HTTP request.
+ * @param options - Auth modes to accept and optional environment overrides.
+ *
+ * @returns A result tuple: `{ data, error }`.
+ *   - On success: `{ data: AuthResult, error: null }`
+ *   - On failure: `{ data: null, error: AuthError }`
+ *
+ * @example
+ * ```ts
+ * import { verifyAuth } from '@supabase/server/core'
+ *
+ * const { data: auth, error } = await verifyAuth(request, {
+ *   allow: 'user',
+ * })
+ *
+ * if (error) {
+ *   return Response.json({ message: error.message }, { status: error.status })
+ * }
+ *
+ * console.log(auth.userClaims!.id) // "d0f1a2b3-..."
+ * ```
+ */
+declare function verifyAuth(request: Request, options: VerifyAuthOptions): Promise<{
+  data: AuthResult;
+  error: null;
+} | {
+  data: null;
+  error: AuthError;
+}>;
+//#endregion
+//#region src/core/create-context-client.d.ts
+/**
+ * Creates a Supabase client scoped to the caller's context.
+ *
+ * Configured with a publishable key and (optionally) the caller's JWT,
+ * so Row-Level Security policies apply. Session persistence is disabled
+ * (stateless, one client per request).
+ *
+ * @param token - The caller's JWT, or `null` for anonymous access.
+ * @param env - Optional environment overrides (passed through to {@link resolveEnv}).
+ * @param keyName - Name of the publishable key to use. Falls back to `"default"`, then first available.
+ * @returns A configured {@link SupabaseClient} with RLS enforced.
+ * @throws {@link EnvError} If `SUPABASE_URL` is missing or the specified publishable key is not found.
+ *
+ * @example
+ * ```ts
+ * const { data: auth } = await verifyAuth(request, { allow: 'user' })
+ * const supabase = createContextClient(auth.token)
+ * const { data } = await supabase.rpc('get_my_items')
+ * ```
+ */
+declare function createContextClient<Database = unknown>(token?: string | null, env?: Partial<SupabaseEnv>, keyName?: string | null): SupabaseClient<Database>;
+//#endregion
+//#region src/core/create-admin-client.d.ts
+/**
+ * Creates an admin Supabase client that bypasses Row-Level Security.
+ *
+ * Uses a secret key for authentication, giving full access to all data.
+ * Session persistence is disabled (stateless, one client per request).
+ *
+ * @param env - Optional environment overrides (passed through to {@link resolveEnv}).
+ * @param keyName - Name of the secret key to use. Falls back to `"default"`, then first available.
+ * @returns A configured {@link SupabaseClient} with admin (service-role) privileges.
+ * @throws {@link EnvError} If `SUPABASE_URL` is missing or the specified secret key is not found.
+ *
+ * @example
+ * ```ts
+ * const supabaseAdmin = createAdminClient()
+ * const { data } = await supabaseAdmin.from('audit_log').insert({ action: 'user_login' })
+ * ```
+ */
+declare function createAdminClient<Database = unknown>(env?: Partial<SupabaseEnv>, keyName?: string | null): SupabaseClient<Database>;
+//#endregion
 export { createAdminClient, createContextClient, extractCredentials, resolveEnv, verifyAuth, verifyCredentials };

package/dist/core/index.mjs

@@ -1,3 +1,3 @@
-import { a as createAdminClient, i as createContextClient, n as verifyCredentials, o as resolveEnv, r as extractCredentials, t as verifyAuth } from "../verify-auth-2S7zFfR-.mjs";
+import { a as createAdminClient, i as createContextClient, n as verifyCredentials, o as resolveEnv, r as extractCredentials, t as verifyAuth } from "../verify-auth-mePXRNu9.mjs";
 
 export { createAdminClient, createContextClient, extractCredentials, resolveEnv, verifyAuth, verifyCredentials };

package/dist/{create-supabase-context-CmWaH3s6.mjs → create-supabase-context--JXiHT_N.mjs}

@@ -1,4 +1,4 @@
-import { a as createAdminClient, c as EnvError, i as createContextClient, s as AuthError, t as verifyAuth } from "./verify-auth-2S7zFfR-.mjs";
+import { a as createAdminClient, f as Errors, i as createContextClient, l as CreateSupabaseClientError, s as AuthError, t as verifyAuth, u as EnvError } from "./verify-auth-mePXRNu9.mjs";
 
 //#region src/create-supabase-context.ts
 /**
@@ -16,7 +16,7 @@ import { a as createAdminClient, c as EnvError, i as createContextClient, s as A
 * ```ts
 * const { data: ctx, error } = await createSupabaseContext(request, { allow: 'user' })
 * if (error) {
-*   return Response.json({ error: error.message }, { status: error.status })
+*   return Response.json({ message: error.message }, { status: error.status })
 * }
 * const { data } = await ctx.supabase.rpc('get_my_items')
 * ```
@@ -46,7 +46,7 @@ async function createSupabaseContext(request, options) {
 	} catch (e) {
 		return {
 			data: null,
-			error: e instanceof EnvError ? new AuthError(e.message, e.code, 500) : new AuthError("Failed to create Supabase client", "CLIENT_ERROR", 500)
+			error: e instanceof EnvError ? new AuthError(e.message, e.code, 500) : Errors[CreateSupabaseClientError]()
 		};
 	}
 }

package/dist/{create-supabase-context-DcVorGKG.cjs → create-supabase-context-BO7DGfth.cjs}

@@ -1,4 +1,4 @@
-const require_verify_auth = require('./verify-auth-DvRVnjdq.cjs');
+const require_verify_auth = require('./verify-auth-BjIehuNM.cjs');
 
 //#region src/create-supabase-context.ts
 /**
@@ -16,7 +16,7 @@ const require_verify_auth = require('./verify-auth-DvRVnjdq.cjs');
 * ```ts
 * const { data: ctx, error } = await createSupabaseContext(request, { allow: 'user' })
 * if (error) {
-*   return Response.json({ error: error.message }, { status: error.status })
+*   return Response.json({ message: error.message }, { status: error.status })
 * }
 * const { data } = await ctx.supabase.rpc('get_my_items')
 * ```
@@ -46,7 +46,7 @@ async function createSupabaseContext(request, options) {
 	} catch (e) {
 		return {
 			data: null,
-			error: e instanceof require_verify_auth.EnvError ? new require_verify_auth.AuthError(e.message, e.code, 500) : new require_verify_auth.AuthError("Failed to create Supabase client", "CLIENT_ERROR", 500)
+			error: e instanceof require_verify_auth.EnvError ? new require_verify_auth.AuthError(e.message, e.code, 500) : require_verify_auth.Errors[require_verify_auth.CreateSupabaseClientError]()
 		};
 	}
 }

package/dist/errors-CAH-RRA3.d.mts

@@ -0,0 +1,109 @@
+//#region src/errors.d.ts
+/**
+ * Thrown when a required environment variable is missing or malformed.
+ *
+ * Always has `status: 500` — environment errors are server-side configuration issues.
+ *
+ * @example
+ * ```ts
+ * import { EnvError } from '@supabase/server'
+ *
+ * try {
+ *   const client = createAdminClient()
+ * } catch (e) {
+ *   if (e instanceof EnvError) {
+ *     console.error(`Config issue [${e.code}]: ${e.message}`)
+ *     // → "Config issue [MISSING_SUPABASE_URL]: SUPABASE_URL is required but not set"
+ *   }
+ * }
+ * ```
+ */
+declare class EnvError extends Error {
+  /** Always `500` — environment errors are server-side issues. */
+  readonly status = 500;
+  /**
+   * Machine-readable error code.
+   *
+   * @see {@link EnvGenericError}, {@link MissingSupabaseURLError},
+   *   {@link MissingPublishableKeyError}, {@link MissingDefaultPublishableKeyError},
+   *   {@link MissingSecretKeyError}, {@link MissingDefaultSecretKeyError}
+   */
+  readonly code: string;
+  constructor(message: string, code?: string);
+}
+/** Generic environment error code. */
+declare const EnvGenericError = "ENV_ERROR";
+/** `SUPABASE_URL` is not set. */
+declare const MissingSupabaseURLError = "MISSING_SUPABASE_URL";
+/** Named publishable key not found in `SUPABASE_PUBLISHABLE_KEYS`. */
+declare const MissingPublishableKeyError = "MISSING_PUBLISHABLE_KEY";
+/** No default publishable key found. */
+declare const MissingDefaultPublishableKeyError = "MISSING_DEFAULT_PUBLISHABLE_KEY";
+/** Named secret key not found in `SUPABASE_SECRET_KEYS`. */
+declare const MissingSecretKeyError = "MISSING_SECRET_KEY";
+/** No default secret key found. */
+declare const MissingDefaultSecretKeyError = "MISSING_DEFAULT_SECRET_KEY";
+/**
+ * Thrown when authentication or authorization fails.
+ *
+ * Carries an HTTP `status` code suitable for returning directly in a response
+ * (typically `401` for invalid credentials, `500` for server-side auth failures).
+ *
+ * @example
+ * ```ts
+ * import { AuthError, createSupabaseContext } from '@supabase/server'
+ *
+ * const { data: ctx, error } = await createSupabaseContext(request, { allow: 'user' })
+ * if (error) {
+ *   // error is an AuthError
+ *   return Response.json(
+ *     { message: error.message, code: error.code },
+ *     { status: error.status },
+ *   )
+ * }
+ * ```
+ */
+declare class AuthError extends Error {
+  /**
+   * HTTP status code.
+   *
+   * - `401` — Invalid or missing credentials
+   * - `500` — Server-side auth failure (e.g., missing JWKS, env misconfiguration)
+   */
+  readonly status: number;
+  /**
+   * Machine-readable error code.
+   *
+   * @see {@link AuthGenericError}, {@link InvalidCredentialsError},
+   *   {@link CreateSupabaseClientError}
+   */
+  readonly code: string;
+  constructor(message: string, code?: string, status?: number);
+}
+/** Generic authentication error code. */
+declare const AuthGenericError = "AUTH_ERROR";
+/** No credential matched any allowed auth mode. */
+declare const InvalidCredentialsError = "INVALID_CREDENTIALS";
+/** Failed to create a Supabase client after auth succeeded. */
+declare const CreateSupabaseClientError = "CREATE_SUPABASE_CLIENT_ERROR";
+/**
+ * Factory map for all error types. Keyed by error code constant, each entry
+ * returns a pre-configured {@link EnvError} or {@link AuthError}.
+ *
+ * @example
+ * ```ts
+ * throw Errors[MissingSupabaseURLError]()
+ * throw Errors[MissingPublishableKeyError]('mobile')
+ * ```
+ */
+declare const Errors: {
+  INVALID_CREDENTIALS: () => AuthError;
+  CREATE_SUPABASE_CLIENT_ERROR: () => AuthError;
+  MISSING_SUPABASE_URL: () => EnvError;
+  MISSING_SECRET_KEY: (name: string) => EnvError;
+  MISSING_DEFAULT_SECRET_KEY: () => EnvError;
+  MISSING_PUBLISHABLE_KEY: (name: string) => EnvError;
+  MISSING_DEFAULT_PUBLISHABLE_KEY: () => EnvError;
+};
+//#endregion
+export { EnvGenericError as a, MissingDefaultPublishableKeyError as c, MissingSecretKeyError as d, MissingSupabaseURLError as f, EnvError as i, MissingDefaultSecretKeyError as l, AuthGenericError as n, Errors as o, CreateSupabaseClientError as r, InvalidCredentialsError as s, AuthError as t, MissingPublishableKeyError as u };