npm - @tern-secure/backend - Versions diffs - 1.2.0-canary.v20251127221555 → 1.2.0-canary.v20251202162458 - Mend

@tern-secure/backend 1.2.0-canary.v20251127221555 → 1.2.0-canary.v20251202162458

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (91) hide show

package/dist/adapters/index.d.ts +1 -1
package/dist/adapters/index.d.ts.map +1 -1
package/dist/adapters/types.d.ts +42 -0
package/dist/adapters/types.d.ts.map +1 -1
package/dist/admin/index.d.ts +1 -1
package/dist/admin/index.d.ts.map +1 -1
package/dist/admin/index.js +8 -1
package/dist/admin/index.js.map +1 -1
package/dist/admin/index.mjs +10 -70
package/dist/admin/index.mjs.map +1 -1
package/dist/app-check/AppCheckApi.d.ts +14 -0
package/dist/app-check/AppCheckApi.d.ts.map +1 -0
package/dist/app-check/generator.d.ts +9 -0
package/dist/app-check/generator.d.ts.map +1 -0
package/dist/app-check/index.d.ts +18 -0
package/dist/app-check/index.d.ts.map +1 -0
package/dist/app-check/index.js +1052 -0
package/dist/app-check/index.js.map +1 -0
package/dist/app-check/index.mjs +13 -0
package/dist/app-check/index.mjs.map +1 -0
package/dist/app-check/serverAppCheck.d.ts +33 -0
package/dist/app-check/serverAppCheck.d.ts.map +1 -0
package/dist/app-check/types.d.ts +21 -0
package/dist/app-check/types.d.ts.map +1 -0
package/dist/app-check/verifier.d.ts +16 -0
package/dist/app-check/verifier.d.ts.map +1 -0
package/dist/auth/credential.d.ts +5 -5
package/dist/auth/credential.d.ts.map +1 -1
package/dist/auth/getauth.d.ts +2 -1
package/dist/auth/getauth.d.ts.map +1 -1
package/dist/auth/index.d.ts +2 -0
package/dist/auth/index.d.ts.map +1 -1
package/dist/auth/index.js +819 -394
package/dist/auth/index.js.map +1 -1
package/dist/auth/index.mjs +5 -3
package/dist/chunk-3OGMNIOJ.mjs +174 -0
package/dist/chunk-3OGMNIOJ.mjs.map +1 -0
package/dist/{chunk-GFH5CXQR.mjs → chunk-AW5OXT7N.mjs} +2 -2
package/dist/chunk-IEJQ7F4A.mjs +778 -0
package/dist/chunk-IEJQ7F4A.mjs.map +1 -0
package/dist/{chunk-NXYWC6YO.mjs → chunk-TUYCJY35.mjs} +182 -6
package/dist/chunk-TUYCJY35.mjs.map +1 -0
package/dist/constants.d.ts +10 -1
package/dist/constants.d.ts.map +1 -1
package/dist/fireRestApi/endpoints/AppCheckApi.d.ts.map +1 -1
package/dist/index.d.ts +4 -1
package/dist/index.d.ts.map +1 -1
package/dist/index.js +1570 -1183
package/dist/index.js.map +1 -1
package/dist/index.mjs +97 -135
package/dist/index.mjs.map +1 -1
package/dist/jwt/crypto-signer.d.ts +21 -0
package/dist/jwt/crypto-signer.d.ts.map +1 -0
package/dist/jwt/index.d.ts +2 -1
package/dist/jwt/index.d.ts.map +1 -1
package/dist/jwt/index.js +119 -2
package/dist/jwt/index.js.map +1 -1
package/dist/jwt/index.mjs +7 -3
package/dist/jwt/signJwt.d.ts +8 -2
package/dist/jwt/signJwt.d.ts.map +1 -1
package/dist/jwt/types.d.ts +6 -0
package/dist/jwt/types.d.ts.map +1 -1
package/dist/jwt/verifyJwt.d.ts +7 -1
package/dist/jwt/verifyJwt.d.ts.map +1 -1
package/dist/tokens/authstate.d.ts +2 -0
package/dist/tokens/authstate.d.ts.map +1 -1
package/dist/tokens/c-authenticateRequestProcessor.d.ts +2 -2
package/dist/tokens/c-authenticateRequestProcessor.d.ts.map +1 -1
package/dist/tokens/keys.d.ts.map +1 -1
package/dist/tokens/request.d.ts.map +1 -1
package/dist/tokens/types.d.ts +6 -4
package/dist/tokens/types.d.ts.map +1 -1
package/dist/utils/config.d.ts.map +1 -1
package/dist/{auth/utils.d.ts → utils/fetcher.d.ts} +2 -1
package/dist/utils/fetcher.d.ts.map +1 -0
package/dist/utils/mapDecode.d.ts +2 -1
package/dist/utils/mapDecode.d.ts.map +1 -1
package/dist/utils/token-generator.d.ts +4 -0
package/dist/utils/token-generator.d.ts.map +1 -0
package/package.json +13 -3
package/dist/auth/constants.d.ts +0 -6
package/dist/auth/constants.d.ts.map +0 -1
package/dist/auth/utils.d.ts.map +0 -1
package/dist/chunk-DJLDUW7J.mjs +0 -414
package/dist/chunk-DJLDUW7J.mjs.map +0 -1
package/dist/chunk-NXYWC6YO.mjs.map +0 -1
package/dist/chunk-WIVOBOZR.mjs +0 -86
package/dist/chunk-WIVOBOZR.mjs.map +0 -1
package/dist/utils/gemini_admin-init.d.ts +0 -10
package/dist/utils/gemini_admin-init.d.ts.map +0 -1
/package/dist/{chunk-GFH5CXQR.mjs.map → chunk-AW5OXT7N.mjs.map} +0 -0

package/dist/index.js CHANGED Viewed

@@ -1,7 +1,9 @@
 "use strict";
+var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -15,6 +17,14 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 // src/index.ts
@@ -28,6 +38,7 @@ __export(index_exports, {
   createAdapter: () => createAdapter,
   createBackendInstanceClient: () => createBackendInstanceClient,
   createRedirect: () => createRedirect,
+  createRequestProcessor: () => createRequestProcessor,
   createTernSecureRequest: () => createTernSecureRequest,
   disableDebugLogging: () => disableDebugLogging,
   enableDebugLogging: () => enableDebugLogging,
@@ -35,15 +46,25 @@ __export(index_exports, {
   signedIn: () => signedIn,
   signedInAuthObject: () => signedInAuthObject,
   signedOutAuthObject: () => signedOutAuthObject,
-  validateCheckRevokedOptions: () => validateCheckRevokedOptions
+  validateCheckRevokedOptions: () => validateCheckRevokedOptions,
+  verifyToken: () => verifyToken
 });
 module.exports = __toCommonJS(index_exports);
 // src/constants.ts
 var GOOGLE_PUBLIC_KEYS_URL = "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com";
+var FIREBASE_APP_CHECK_AUDIENCE = "https://firebaseappcheck.googleapis.com/google.firebase.appcheck.v1.TokenExchangeService";
 var MAX_CACHE_LAST_UPDATED_AT_SECONDS = 5 * 60;
 var DEFAULT_CACHE_DURATION = 3600 * 1e3;
 var CACHE_CONTROL_REGEX = /max-age=(\d+)/;
+var TOKEN_EXPIRY_THRESHOLD_MILLIS = 5 * 60 * 1e3;
+var GOOGLE_TOKEN_AUDIENCE = "https://accounts.google.com/o/oauth2/token";
+var GOOGLE_AUTH_TOKEN_HOST = "accounts.google.com";
+var GOOGLE_AUTH_TOKEN_PATH = "/o/oauth2/token";
+var ONE_HOUR_IN_SECONDS = 60 * 60;
+var ONE_MINUTE_IN_SECONDS = 60;
+var ONE_MINUTE_IN_MILLIS = ONE_MINUTE_IN_SECONDS * 1e3;
+var ONE_DAY_IN_MILLIS = 24 * 60 * 60 * 1e3;
 var Attributes = {
   AuthToken: "__ternsecureAuthToken",
   AuthSignature: "__ternsecureAuthSignature",
@@ -78,7 +99,7 @@ var QueryParameters = {
 };
 var Headers2 = {
   Accept: "accept",
-  AppCheckToken: "x-firebase-appcheck",
+  AppCheckToken: "x-ternsecure-appcheck",
   AuthMessage: "x-ternsecure-auth-message",
   Authorization: "authorization",
   AuthReason: "x-ternsecure-auth-reason",
@@ -238,12 +259,93 @@ var createTernSecureRequest = (...args) => {
   return args[0] instanceof TernSecureRequest ? args[0] : new TernSecureRequest(...args);
 };
+// src/tokens/c-authenticateRequestProcessor.ts
+var RequestProcessorContext = class {
+  constructor(ternSecureRequest, options) {
+    this.ternSecureRequest = ternSecureRequest;
+    this.options = options;
+    this.initHeaderValues();
+    this.initCookieValues();
+    this.initHandshakeValues();
+    this.initUrlValues();
+    Object.assign(this, options);
+    this.ternUrl = this.ternSecureRequest.ternUrl;
+  }
+  get request() {
+    return this.ternSecureRequest;
+  }
+  initHeaderValues() {
+    this.sessionTokenInHeader = this.parseAuthorizationHeader(
+      this.getHeader(constants.Headers.Authorization)
+    );
+    this.origin = this.getHeader(constants.Headers.Origin);
+    this.host = this.getHeader(constants.Headers.Host);
+    this.forwardedHost = this.getHeader(constants.Headers.ForwardedHost);
+    this.forwardedProto = this.getHeader(constants.Headers.CloudFrontForwardedProto) || this.getHeader(constants.Headers.ForwardedProto);
+    this.referrer = this.getHeader(constants.Headers.Referrer);
+    this.userAgent = this.getHeader(constants.Headers.UserAgent);
+    this.secFetchDest = this.getHeader(constants.Headers.SecFetchDest);
+    this.accept = this.getHeader(constants.Headers.Accept);
+    this.appCheckToken = this.getHeader(constants.Headers.AppCheckToken);
+  }
+  initCookieValues() {
+    const isProduction = process.env.NODE_ENV === "production";
+    const defaultPrefix = isProduction ? "__HOST-" : "__dev_";
+    this.sessionTokenInCookie = this.getCookie(constants.Cookies.Session);
+    this.idTokenInCookie = this.getCookie(`${defaultPrefix}${constants.Cookies.IdToken}`);
+    this.refreshTokenInCookie = this.getCookie(`${defaultPrefix}${constants.Cookies.Refresh}`);
+    this.csrfTokenInCookie = this.getCookie(constants.Cookies.CsrfToken);
+    this.customTokenInCookie = this.getCookie(constants.Cookies.Custom);
+    this.ternAuth = Number.parseInt(this.getCookie(constants.Cookies.TernAut) || "0", 10);
+  }
+  initHandshakeValues() {
+    this.handshakeToken = this.getQueryParam(constants.QueryParameters.Handshake) || this.getCookie(constants.Cookies.Handshake);
+    this.handshakeNonce = this.getQueryParam(constants.QueryParameters.HandshakeNonce) || this.getCookie(constants.Cookies.HandshakeNonce);
+  }
+  initUrlValues() {
+    this.method = this.ternSecureRequest.method;
+    this.pathSegments = this.ternSecureRequest.ternUrl.pathname.split("/").filter(Boolean);
+    this.endpoint = this.pathSegments[2];
+    this.subEndpoint = this.pathSegments[3];
+  }
+  getQueryParam(name) {
+    return this.ternSecureRequest.ternUrl.searchParams.get(name);
+  }
+  getHeader(name) {
+    return this.ternSecureRequest.headers.get(name) || void 0;
+  }
+  getCookie(name) {
+    return this.ternSecureRequest.cookies.get(name) || void 0;
+  }
+  parseAuthorizationHeader(authorizationHeader) {
+    if (!authorizationHeader) {
+      return void 0;
+    }
+    const [scheme, token] = authorizationHeader.split(" ", 2);
+    if (!token) {
+      return scheme;
+    }
+    if (scheme === "Bearer") {
+      return token;
+    }
+    return void 0;
+  }
+};
+var createRequestProcessor = (ternSecureRequest, options) => {
+  return new RequestProcessorContext(ternSecureRequest, options);
+};
 // src/utils/mapDecode.ts
 function mapJwtPayloadToDecodedIdToken(payload) {
   const decodedIdToken = payload;
   decodedIdToken.uid = decodedIdToken.sub;
   return decodedIdToken;
 }
+function mapJwtPayloadToDecodedAppCheckToken(payload) {
+  const decodedAppCheckToken = payload;
+  decodedAppCheckToken.app_id = decodedAppCheckToken.sub;
+  return decodedAppCheckToken;
+}
 // src/tokens/authstate.ts
 var AuthStatus = {
@@ -333,6 +435,7 @@ function signedOut(authCtx, reason, message = "", headers = new Headers()) {
     isSignedIn: false,
     auth: () => signedOutAuthObject(),
     token: null,
+    appCheckToken: authCtx.appCheckToken,
     headers
   });
 }
@@ -356,1059 +459,1143 @@ var decorateHeaders = (requestState) => {
     } catch {
     }
   }
+  if (requestState.appCheckToken) {
+    try {
+      headers.set(constants.Headers.AppCheckToken, requestState.appCheckToken);
+    } catch {
+    }
+  }
   requestState.headers = headers;
   return requestState;
 };
-// src/fireRestApi/endpoints/AbstractApi.ts
-var AbstractAPI = class {
-  constructor(request) {
-    this.request = request;
+// src/jwt/verifyJwt.ts
+var import_jose2 = require("jose");
+// src/utils/errors.ts
+var RefreshTokenErrorReason = {
+  NonEligibleNoCookie: "non-eligible-no-refresh-cookie",
+  NonEligibleNonGet: "non-eligible-non-get",
+  InvalidSessionToken: "invalid-session-token",
+  MissingApiClient: "missing-api-client",
+  MissingIdToken: "missing-id-token",
+  MissingSessionToken: "missing-session-token",
+  MissingRefreshToken: "missing-refresh-token",
+  ExpiredIdTokenDecodeFailed: "expired-id-token-decode-failed",
+  ExpiredSessionTokenDecodeFailed: "expired-session-token-decode-failed",
+  FetchError: "fetch-error"
+};
+var TokenVerificationErrorReason = {
+  TokenExpired: "token-expired",
+  TokenInvalid: "token-invalid",
+  TokenInvalidAlgorithm: "token-invalid-algorithm",
+  TokenInvalidAuthorizedParties: "token-invalid-authorized-parties",
+  TokenInvalidSignature: "token-invalid-signature",
+  TokenNotActiveYet: "token-not-active-yet",
+  TokenIatInTheFuture: "token-iat-in-the-future",
+  TokenVerificationFailed: "token-verification-failed",
+  InvalidSecretKey: "secret-key-invalid",
+  LocalJWKMissing: "jwk-local-missing",
+  RemoteJWKFailedToLoad: "jwk-remote-failed-to-load",
+  RemoteJWKInvalid: "jwk-remote-invalid",
+  RemoteJWKMissing: "jwk-remote-missing",
+  JWKFailedToResolve: "jwk-failed-to-resolve",
+  JWKKidMismatch: "jwk-kid-mismatch"
+};
+var TokenVerificationError = class _TokenVerificationError extends Error {
+  reason;
+  tokenCarrier;
+  constructor({
+    message,
+    reason
+  }) {
+    super(message);
+    Object.setPrototypeOf(this, _TokenVerificationError.prototype);
+    this.reason = reason;
+    this.message = message;
   }
-  requireApiKey(apiKey) {
-    if (!apiKey) {
-      throw new Error("A valid API key is required.");
-    }
+  getFullMessage() {
+    return `${[this.message].filter((m) => m).join(" ")} (reason=${this.reason}, token-carrier=${this.tokenCarrier})`;
   }
 };
-// src/fireRestApi/endpoints/AppCheckApi.ts
-function getSdkVersion() {
-  return "12.7.0";
-}
-var FIREBASE_APP_CHECK_CONFIG_HEADERS = {
-  "X-Firebase-Client": `fire-admin-node/${getSdkVersion()}`
+// src/utils/rfc4648.ts
+var base64url = {
+  parse(string, opts) {
+    return parse2(string, base64UrlEncoding, opts);
+  },
+  stringify(data, opts) {
+    return stringify(data, base64UrlEncoding, opts);
+  }
 };
-var AppCheckApi = class extends AbstractAPI {
-  async exchangeCustomToken(params) {
-    const { projectId, appId, customToken, accessToken, limitedUse = false } = params;
-    if (!projectId || !appId) {
-      throw new Error("Project ID and App ID are required for App Check token exchange");
+var base64UrlEncoding = {
+  chars: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_",
+  bits: 6
+};
+function parse2(string, encoding, opts = {}) {
+  if (!encoding.codes) {
+    encoding.codes = {};
+    for (let i = 0; i < encoding.chars.length; ++i) {
+      encoding.codes[encoding.chars[i]] = i;
     }
-    const endpoint = `https://firebaseappcheck.googleapis.com/v1beta/projects/${projectId}/apps/${appId}:exchangeCustomToken`;
-    const headers = {
-      "Content-Type": "application/json",
-      "Authorization": `Bearer ${accessToken}`
-    };
-    const body = {
-      customToken,
-      limitedUse
-    };
-    try {
-      const response = await fetch(endpoint, {
-        method: "POST",
-        headers,
-        body: JSON.stringify(body)
-      });
-      if (!response.ok) {
-        const errorText = await response.text();
-        throw new Error(`App Check token exchange failed: ${response.status} ${errorText}`);
-      }
-      const data = await response.json();
-      return {
-        token: data.token,
-        ttl: data.ttl
-      };
-    } catch (error) {
-      console.warn("[ternsecure - appcheck api]unexpected error:", error);
-      throw error;
+  }
+  if (!opts.loose && string.length * encoding.bits & 7) {
+    throw new SyntaxError("Invalid padding");
+  }
+  let end = string.length;
+  while (string[end - 1] === "=") {
+    --end;
+    if (!opts.loose && !((string.length - end) * encoding.bits & 7)) {
+      throw new SyntaxError("Invalid padding");
     }
   }
-  async exchangeDebugToken(params) {
-    const { projectId, appId, customToken, accessToken, limitedUse = false } = params;
-    if (!projectId || !appId) {
-      throw new Error("Project ID and App ID are required for App Check token exchange");
+  const out = new (opts.out ?? Uint8Array)(end * encoding.bits / 8 | 0);
+  let bits = 0;
+  let buffer = 0;
+  let written = 0;
+  for (let i = 0; i < end; ++i) {
+    const value = encoding.codes[string[i]];
+    if (value === void 0) {
+      throw new SyntaxError("Invalid character " + string[i]);
     }
-    const endpoint = `https://firebaseappcheck.googleapis.com/v1beta/projects/${projectId}/apps/${appId}:exchangeDebugToken`;
-    const headers = {
-      ...FIREBASE_APP_CHECK_CONFIG_HEADERS,
-      "Authorization": `Bearer ${accessToken}`
-    };
-    const body = {
-      customToken,
-      limitedUse
-    };
-    try {
-      const response = await fetch(endpoint, {
-        method: "POST",
-        headers,
-        body: JSON.stringify(body)
-      });
-      if (!response.ok) {
-        const errorText = await response.text();
-        throw new Error(`App Check token exchange failed: ${response.status} ${errorText}`);
-      }
-      const data = await response.json();
-      return {
-        token: data.token,
-        ttl: data.ttl
-      };
-    } catch (error) {
-      console.warn("[ternsecure - appcheck api]unexpected error:", error);
-      throw error;
+    buffer = buffer << encoding.bits | value;
+    bits += encoding.bits;
+    if (bits >= 8) {
+      bits -= 8;
+      out[written++] = 255 & buffer >> bits;
     }
   }
-};
-// src/fireRestApi/endpoints/EmailApi.ts
-var EmailApi = class extends AbstractAPI {
-  async verifyEmailVerification(apiKey, params) {
-    this.requireApiKey(apiKey);
-    const { ...restParams } = params;
-    return this.request({
-      endpoint: "sendOobCode",
-      method: "POST",
-      bodyParams: restParams
-    });
-  }
-  async confirmEmailVerification(apiKey, params) {
-    this.requireApiKey(apiKey);
-    const { ...restParams } = params;
-    return this.request({
-      endpoint: "sendOobCode",
-      method: "POST",
-      bodyParams: restParams
-    });
+  if (bits >= encoding.bits || 255 & buffer << 8 - bits) {
+    throw new SyntaxError("Unexpected end of data");
   }
-};
-// src/fireRestApi/endpoints/PasswordApi.ts
-var PasswordApi = class extends AbstractAPI {
-  async verifyPasswordResetCode(apiKey, params) {
-    this.requireApiKey(apiKey);
-    const { ...restParams } = params;
-    return this.request({
-      endpoint: "passwordReset",
-      method: "POST",
-      bodyParams: restParams
-    });
+  return out;
+}
+function stringify(data, encoding, opts = {}) {
+  const { pad = true } = opts;
+  const mask = (1 << encoding.bits) - 1;
+  let out = "";
+  let bits = 0;
+  let buffer = 0;
+  for (let i = 0; i < data.length; ++i) {
+    buffer = buffer << 8 | 255 & data[i];
+    bits += 8;
+    while (bits > encoding.bits) {
+      bits -= encoding.bits;
+      out += encoding.chars[mask & buffer >> bits];
+    }
   }
-  async confirmPasswordReset(apiKey, params) {
-    this.requireApiKey(apiKey);
-    const { ...restParams } = params;
-    return this.request({
-      endpoint: "passwordReset",
-      method: "POST",
-      bodyParams: restParams
-    });
+  if (bits) {
+    out += encoding.chars[mask & buffer << encoding.bits - bits];
   }
-  async changePassword(apiKey, params) {
-    this.requireApiKey(apiKey);
-    const { ...restParams } = params;
-    return this.request({
-      endpoint: "passwordReset",
-      method: "POST",
-      bodyParams: restParams
-    });
+  if (pad) {
+    while (out.length * encoding.bits & 7) {
+      out += "=";
+    }
   }
-};
+  return out;
+}
-// src/fireRestApi/endpoints/SignInApi.ts
-var SignInApi = class extends AbstractAPI {
-  async resetPasswordEmail(apiKey, params) {
-    try {
-      this.requireApiKey(apiKey);
-      const { ...restParams } = params;
-      const response = await this.request({
-        endpoint: "sendOobCode",
-        method: "POST",
-        apiKey,
-        bodyParams: restParams
-      });
-      if (response.errors) {
-        const errorMessage = response.errors[0]?.message || "Failed to send reset password email";
-        throw new Error(errorMessage);
-      }
-      return response.data;
-    } catch (error) {
-      const contextualMessage = `Failed to send reset password email: ${error instanceof Error ? error.message : "Unknown error"}`;
-      throw new Error(contextualMessage);
+// src/jwt/cryptoKeys.ts
+var import_jose = require("jose");
+async function importKey(key, algorithm) {
+  if (typeof key === "object") {
+    const result = await (0, import_jose.importJWK)(key, algorithm);
+    if (result instanceof Uint8Array) {
+      throw new Error("Unexpected Uint8Array result from JWK import");
     }
+    return result;
+  }
+  const keyString = key.trim();
+  if (keyString.includes("-----BEGIN CERTIFICATE-----")) {
+    return await (0, import_jose.importX509)(keyString, algorithm);
+  }
+  if (keyString.includes("-----BEGIN PUBLIC KEY-----")) {
+    return await (0, import_jose.importSPKI)(keyString, algorithm);
+  }
+  try {
+    return await (0, import_jose.importSPKI)(keyString, algorithm);
+  } catch (error) {
+    throw new Error(
+      `Unsupported key format. Supported formats: X.509 certificate (PEM), SPKI (PEM), JWK (JSON object or string). Error: ${error}`
+    );
   }
+}
+// src/jwt/algorithms.ts
+var algToHash = {
+  RS256: "SHA-256",
+  RS384: "SHA-384",
+  RS512: "SHA-512"
 };
+var algs = Object.keys(algToHash);
-// src/fireRestApi/endpoints/SignInTokenApi.ts
-var SignInTokenApi = class extends AbstractAPI {
-  async createCustomToken(apiKey, params) {
-    try {
-      this.requireApiKey(apiKey);
-      const { ...restParams } = params;
-      const response = await this.request({
-        endpoint: "signInWithCustomToken",
-        method: "POST",
-        bodyParams: restParams
-      });
-      if (response.errors) {
-        const errorMessage = response.errors[0]?.message || "Failed to create custom token";
-        throw new Error(errorMessage);
-      }
-      return response.data;
-    } catch (error) {
-      const contextualMessage = `Failed to create custom token: ${error instanceof Error ? error.message : "Unknown error"}`;
-      throw new Error(contextualMessage);
-    }
+// src/jwt/verifyContent.ts
+var verifyHeaderKid = (kid) => {
+  if (typeof kid === "undefined") {
+    return;
+  }
+  if (typeof kid !== "string") {
+    throw new TokenVerificationError({
+      reason: TokenVerificationErrorReason.TokenInvalid,
+      message: `Invalid JWT kid ${JSON.stringify(kid)}. Expected a string.`
+    });
   }
 };
-// src/fireRestApi/endpoints/SignUpApi.ts
-var SignUpApi = class extends AbstractAPI {
-  async createCustomToken(apiKey, params) {
-    this.requireApiKey(apiKey);
-    const { ...restParams } = params;
-    return this.request({
-      endpoint: "signUp",
-      method: "POST",
-      bodyParams: restParams
+var verifySubClaim = (sub) => {
+  if (typeof sub !== "string") {
+    throw new TokenVerificationError({
+      reason: TokenVerificationErrorReason.TokenVerificationFailed,
+      message: `Subject claim (sub) is required and must be a string. Received ${JSON.stringify(sub)}.`
     });
   }
 };
-// src/fireRestApi/endpoints/TokenApi.ts
-var TokenApi = class extends AbstractAPI {
-  async refreshToken(apiKey, params) {
-    this.requireApiKey(apiKey);
-    const { refresh_token, request_origin, app_check_token, ...restParams } = params;
-    const headers = {};
-    if (request_origin) {
-      headers["Referer"] = request_origin;
-    }
-    if (app_check_token) {
-      headers["X-Firebase-AppCheck"] = app_check_token;
-    }
-    const bodyParams = {
-      grant_type: "refresh_token",
-      refresh_token,
-      ...restParams
-    };
-    return this.request({
-      endpoint: "refreshToken",
-      method: "POST",
-      apiKey,
-      bodyParams,
-      headerParams: headers
+var verifyExpirationClaim = (exp, clockSkewInMs) => {
+  if (typeof exp !== "number") {
+    throw new TokenVerificationError({
+      reason: TokenVerificationErrorReason.TokenVerificationFailed,
+      message: `Invalid JWT expiry date (exp) claim ${JSON.stringify(exp)}. Expected a number.`
     });
   }
-  async exchangeCustomForIdAndRefreshTokens(apiKey, params, options) {
-    this.requireApiKey(apiKey);
-    const headers = {};
-    if (options?.referer) {
-      headers["Referer"] = options.referer;
-    }
-    if (options?.appCheckToken) {
-      headers["X-Firebase-AppCheck"] = options.appCheckToken;
-    }
-    const response = await this.request({
-      endpoint: "signInWithCustomToken",
-      method: "POST",
-      apiKey,
-      bodyParams: params,
-      headerParams: headers
+  const currentDate = new Date(Date.now());
+  const expiryDate = /* @__PURE__ */ new Date(0);
+  expiryDate.setUTCSeconds(exp);
+  const expired = expiryDate.getTime() <= currentDate.getTime() - clockSkewInMs;
+  if (expired) {
+    throw new TokenVerificationError({
+      reason: TokenVerificationErrorReason.TokenExpired,
+      message: `JWT is expired. Expiry date: ${expiryDate.toUTCString()}, Current date: ${currentDate.toUTCString()}.`
     });
-    if (response.errors) {
-      throw new Error(response.errors[0].message);
-    }
-    if (!response.data) {
-      throw new Error("No data received from Firebase token exchange");
-    }
-    return response.data;
   }
 };
-// src/fireRestApi/endpoints/UserData.ts
-var UserData = class extends AbstractAPI {
-  async getUserData(apiKey, params, options) {
-    this.requireApiKey(apiKey);
-    const { ...restParams } = params;
-    const headers = {};
-    if (options?.referer) {
-      headers["Referer"] = options.referer;
-    }
-    return this.request({
-      endpoint: "lookup",
-      method: "POST",
-      apiKey,
-      bodyParams: restParams,
-      headerParams: headers
+var verifyIssuedAtClaim = (iat, clockSkewInMs) => {
+  if (typeof iat === "undefined") {
+    return;
+  }
+  if (typeof iat !== "number") {
+    throw new TokenVerificationError({
+      reason: TokenVerificationErrorReason.TokenVerificationFailed,
+      message: `Invalid JWT issued at date claim (iat) ${JSON.stringify(iat)}. Expected a number.`
+    });
+  }
+  const currentDate = new Date(Date.now());
+  const issuedAtDate = /* @__PURE__ */ new Date(0);
+  issuedAtDate.setUTCSeconds(iat);
+  const postIssued = issuedAtDate.getTime() > currentDate.getTime() + clockSkewInMs;
+  if (postIssued) {
+    throw new TokenVerificationError({
+      reason: TokenVerificationErrorReason.TokenIatInTheFuture,
+      message: `JWT issued at date claim (iat) is in the future. Issued at date: ${issuedAtDate.toUTCString()}; Current date: ${currentDate.toUTCString()};`
     });
   }
 };
-// src/runtime.ts
-var import_crypto = require("#crypto");
-var globalFetch = fetch.bind(globalThis);
-var runtime = {
-  crypto: import_crypto.webcrypto,
-  get fetch() {
-    return process.env.NODE_ENV === "test" ? fetch : globalFetch;
-  },
-  AbortController: globalThis.AbortController,
-  Blob: globalThis.Blob,
-  FormData: globalThis.FormData,
-  Headers: globalThis.Headers,
-  Request: globalThis.Request,
-  Response: globalThis.Response
-};
-// src/fireRestApi/emulator.ts
-var FIREBASE_AUTH_EMULATOR_HOST = process.env.FIREBASE_AUTH_EMULATOR_HOST;
-function emulatorHost() {
-  if (typeof process === "undefined") return void 0;
-  return FIREBASE_AUTH_EMULATOR_HOST;
-}
-function useEmulator() {
-  return !!emulatorHost();
-}
-// src/fireRestApi/endpointUrl.ts
-var lookupEndpoint = (apiKey) => {
-  return `https://identitytoolkit.googleapis.com/v1/accounts:lookup?key=${apiKey}`;
-};
-var getRefreshTokenEndpoint = (apiKey) => {
-  return `https://securetoken.googleapis.com/v1/token?key=${apiKey}`;
-};
-var signInWithPassword = (apiKey) => {
-  return `https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword?key=${apiKey}`;
-};
-var signUpEndpoint = (apiKey) => {
-  return `https://identitytoolkit.googleapis.com/v1/accounts:signUp?key=${apiKey}`;
-};
-var sendOobCode = (apiKey) => {
-  return `https://identitytoolkit.googleapis.com/v1/accounts:sendOobCode?key=${apiKey}`;
-};
-var getCustomTokenEndpoint = (apiKey) => {
-  if (useEmulator() && FIREBASE_AUTH_EMULATOR_HOST) {
-    let protocol = "http://";
-    if (FIREBASE_AUTH_EMULATOR_HOST.startsWith("http://")) {
-      protocol = "";
-    }
-    return `${protocol}${FIREBASE_AUTH_EMULATOR_HOST}/identitytoolkit.googleapis.com/v1/accounts:signInWithCustomToken?key=${apiKey}`;
+// src/jwt/verifyJwt.ts
+var DEFAULT_CLOCK_SKEW_IN_MS = 5 * 1e3;
+async function verifySignature(jwt, key) {
+  const { header, raw } = jwt;
+  const joseAlgorithm = header.alg || "RS256";
+  try {
+    const publicKey = await importKey(key, joseAlgorithm);
+    const { payload } = await (0, import_jose2.jwtVerify)(raw.text, publicKey);
+    return { data: payload };
+  } catch (error) {
+    return {
+      errors: [
+        new TokenVerificationError({
+          reason: TokenVerificationErrorReason.TokenInvalidSignature,
+          message: error.message
+        })
+      ]
+    };
   }
-  return `https://identitytoolkit.googleapis.com/v1/accounts:signInWithCustomToken?key=${apiKey}`;
-};
-// src/fireRestApi/request.ts
-var FIREBASE_ENDPOINT_MAP = {
-  refreshToken: getRefreshTokenEndpoint,
-  signInWithPassword,
-  signUp: signUpEndpoint,
-  signInWithCustomToken: getCustomTokenEndpoint,
-  passwordReset: sendOobCode,
-  sendOobCode,
-  lookup: lookupEndpoint
-};
-function createRequest(options) {
-  const requestFn = async (requestOptions) => {
-    const { endpoint, method, apiKey, queryParams, headerParams, bodyParams, formData } = requestOptions;
-    if (!apiKey) {
+}
+function ternDecodeJwt(token) {
+  try {
+    const header = (0, import_jose2.decodeProtectedHeader)(token);
+    const payload = (0, import_jose2.decodeJwt)(token);
+    const tokenParts = (token || "").toString().split(".");
+    if (tokenParts.length !== 3) {
       return {
-        data: null,
         errors: [
-          {
-            domain: "none",
-            reason: "invalid_parameter",
-            message: "Firebase API key is required",
-            code: "400"
-          }
+          new TokenVerificationError({
+            reason: TokenVerificationErrorReason.TokenInvalid,
+            message: "Invalid JWT format"
+          })
         ]
       };
     }
-    const endpointUrl = FIREBASE_ENDPOINT_MAP[endpoint](apiKey);
-    const finalUrl = new URL(endpointUrl);
-    if (queryParams) {
-      Object.entries(queryParams).forEach(([key, value]) => {
-        if (value) {
-          [value].flat().forEach((v) => finalUrl.searchParams.append(key, v));
-        }
-      });
-    }
-    const headers = {
-      ...headerParams
-    };
-    let res;
-    try {
-      if (formData) {
-        res = await runtime.fetch(finalUrl.href, {
-          method,
-          headers,
-          body: formData
-        });
-      } else {
-        headers["Content-Type"] = "application/json";
-        const hasBody = method !== "GET" && bodyParams && Object.keys(bodyParams).length > 0;
-        const body = hasBody ? { body: JSON.stringify(bodyParams) } : null;
-        res = await runtime.fetch(finalUrl.href, {
-          method,
-          headers,
-          ...body
-        });
-      }
-      const isJSONResponse = res?.headers && res.headers?.get(constants.Headers.ContentType)?.includes(constants.ContentTypes.Json);
-      let responseBody;
-      try {
-        const text = await res.text();
-        try {
-          responseBody = JSON.parse(text);
-        } catch {
-          responseBody = text;
-        }
-      } catch (e) {
-        responseBody = null;
-      }
-      if (!res.ok) {
-        return {
-          data: null,
-          errors: parseErrors(responseBody),
-          status: res?.status,
-          statusText: res?.statusText
-        };
-      }
-      return {
-        data: responseBody,
-        errors: null
-      };
-    } catch (error) {
-      if (error instanceof Error) {
-        return {
-          data: null,
-          errors: [
-            {
-              domain: "none",
-              reason: "request_failed",
-              message: error.message || "An unexpected error occurred",
-              code: "500"
-            }
-          ]
-        };
+    const [rawHeader, rawPayload, rawSignature] = tokenParts;
+    const signature = base64url.parse(rawSignature, { loose: true });
+    const data = {
+      header,
+      payload,
+      signature,
+      raw: {
+        header: rawHeader,
+        payload: rawPayload,
+        signature: rawSignature,
+        text: token
       }
-      return {
-        data: null,
-        errors: parseErrors(error),
-        status: res?.status,
-        statusText: res?.statusText
-      };
-    }
-  };
-  return requestFn;
+    };
+    return { data };
+  } catch (error) {
+    return {
+      errors: [
+        new TokenVerificationError({
+          reason: TokenVerificationErrorReason.TokenInvalid,
+          message: `${error.message || "Invalid Token or Protected Header formatting"} (Token length: ${token?.length}, First 10 chars: ${token?.substring(0, 10)}...)`
+        })
+      ]
+    };
+  }
 }
-function parseErrors(data) {
-  let parsedData = data;
-  if (typeof data === "string") {
-    try {
-      parsedData = JSON.parse(data);
-    } catch (error) {
-      return [];
-    }
+async function verifyJwt(token, options) {
+  const { key } = options;
+  const clockSkew = options.clockSkewInMs || DEFAULT_CLOCK_SKEW_IN_MS;
+  const { data: decoded, errors } = ternDecodeJwt(token);
+  if (errors) {
+    return { errors };
   }
-  if (!parsedData || typeof parsedData !== "object") {
-    return [];
+  const { header, payload } = decoded;
+  try {
+    verifyHeaderKid(header.kid);
+    verifySubClaim(payload.sub);
+    verifyExpirationClaim(payload.exp, clockSkew);
+    verifyIssuedAtClaim(payload.iat, clockSkew);
+  } catch (error) {
+    return { errors: [error] };
   }
-  if ("error" in parsedData && typeof parsedData.error === "object" && parsedData.error !== null) {
-    const errorObj = parsedData.error;
-    if ("errors" in errorObj && Array.isArray(errorObj.errors) && errorObj.errors.length > 0) {
-      return errorObj.errors.map((err) => parseError({
-        code: errorObj.code || "unknown_error",
-        message: err.message || "Unknown error",
-        domain: err.domain,
-        reason: err.reason
-      }));
+  const { data: verifiedPayload, errors: signatureErrors } = await verifySignature(decoded, key);
+  if (signatureErrors) {
+    return {
+      errors: [
+        new TokenVerificationError({
+          reason: TokenVerificationErrorReason.TokenInvalidSignature,
+          message: "Token signature verification failed."
+        })
+      ]
+    };
+  }
+  const decodedIdToken = mapJwtPayloadToDecodedIdToken(verifiedPayload);
+  return { data: decodedIdToken };
+}
+async function verifyAppCheckSignature(jwt, getPublicKey2) {
+  const { header, raw } = jwt;
+  const joseAlgorithm = header.alg || "RS256";
+  try {
+    const key = await getPublicKey2();
+    const { payload } = await (0, import_jose2.jwtVerify)(raw.text, key);
+    return { data: payload };
+  } catch (error) {
+    return {
+      errors: [
+        new TokenVerificationError({
+          reason: TokenVerificationErrorReason.TokenInvalidSignature,
+          message: error.message
+        })
+      ]
+    };
+  }
+}
+async function verifyAppCheckJwt(token, options) {
+  const { key: getPublicKey2 } = options;
+  const clockSkew = options.clockSkewInMs || DEFAULT_CLOCK_SKEW_IN_MS;
+  const { data: decoded, errors } = ternDecodeJwt(token);
+  if (errors) {
+    return { errors };
+  }
+  const { header, payload } = decoded;
+  try {
+    verifyHeaderKid(header.kid);
+    verifySubClaim(payload.sub);
+    verifyExpirationClaim(payload.exp, clockSkew);
+    verifyIssuedAtClaim(payload.iat, clockSkew);
+  } catch (error) {
+    return { errors: [error] };
+  }
+  const { data: verifiedPayload, errors: signatureErrors } = await verifyAppCheckSignature(
+    decoded,
+    getPublicKey2
+  );
+  if (signatureErrors) {
+    return {
+      errors: [
+        new TokenVerificationError({
+          reason: TokenVerificationErrorReason.TokenInvalidSignature,
+          message: "Token signature verification failed."
+        })
+      ]
+    };
+  }
+  const decodedAppCheckToken = mapJwtPayloadToDecodedAppCheckToken(verifiedPayload);
+  return { data: decodedAppCheckToken };
+}
+// src/tokens/keys.ts
+var cache = {};
+var lastUpdatedAt = 0;
+var googleExpiresAt = 0;
+function getFromCache(kid) {
+  return cache[kid];
+}
+function getCacheValues() {
+  return Object.values(cache);
+}
+function setInCache(kid, certificate, shouldExpire = true) {
+  cache[kid] = certificate;
+  lastUpdatedAt = shouldExpire ? Date.now() : -1;
+}
+async function fetchPublicKeys(keyUrl) {
+  const url = new URL(keyUrl);
+  const response = await fetch(url);
+  if (!response.ok) {
+    throw new TokenVerificationError({
+      message: `Error loading public keys from ${url.href} with code=${response.status} `,
+      reason: TokenVerificationErrorReason.TokenInvalid
+    });
+  }
+  const data = await response.json();
+  const expiresAt = getExpiresAt(response);
+  return {
+    keys: data,
+    expiresAt
+  };
+}
+async function loadJWKFromRemote({
+  keyURL,
+  skipJwksCache,
+  kid
+}) {
+  const finalKeyURL = keyURL || GOOGLE_PUBLIC_KEYS_URL;
+  if (skipJwksCache || isCacheExpired() || !getFromCache(kid)) {
+    const { keys, expiresAt } = await fetchPublicKeys(finalKeyURL);
+    if (!keys || Object.keys(keys).length === 0) {
+      throw new TokenVerificationError({
+        message: `The JWKS endpoint ${finalKeyURL} returned no keys`,
+        reason: TokenVerificationErrorReason.RemoteJWKFailedToLoad
+      });
     }
-    return [parseError({
-      code: errorObj.code?.toString() || "unknown_error",
-      message: errorObj.message || "Unknown error",
-      domain: errorObj.domain || "unknown",
-      reason: errorObj.reason || errorObj.code?.toString() || "unknown_error"
-    })];
+    googleExpiresAt = expiresAt;
+    Object.entries(keys).forEach(([keyId, cert2]) => {
+      setInCache(keyId, cert2);
+    });
+  }
+  const cert = getFromCache(kid);
+  if (!cert) {
+    getCacheValues();
+    const availableKids = Object.keys(cache).sort().join(", ");
+    throw new TokenVerificationError({
+      message: `No public key found for kid "${kid}". Available kids: [${availableKids}]`,
+      reason: TokenVerificationErrorReason.TokenInvalid
+    });
   }
-  return [];
-}
-function parseError(error) {
-  return {
-    domain: error.domain,
-    reason: error.reason,
-    message: error.message,
-    code: error.code
-  };
+  return cert;
 }
-// src/fireRestApi/createFireApi.ts
-function createFireApi(options) {
-  const request = createRequest(options);
-  return {
-    appCheck: new AppCheckApi(request),
-    email: new EmailApi(request),
-    password: new PasswordApi(request),
-    signIn: new SignInApi(request),
-    signInToken: new SignInTokenApi(request),
-    signUp: new SignUpApi(request),
-    tokens: new TokenApi(request),
-    userData: new UserData(request)
-  };
+function isCacheExpired() {
+  const now = Date.now();
+  if (lastUpdatedAt === -1) {
+    return false;
+  }
+  const cacheAge = now - lastUpdatedAt;
+  const maxCacheAge = MAX_CACHE_LAST_UPDATED_AT_SECONDS * 1e3;
+  const localCacheExpired = cacheAge >= maxCacheAge;
+  const googleCacheExpired = now >= googleExpiresAt;
+  const isExpired = localCacheExpired || googleCacheExpired;
+  if (isExpired) {
+    cache = {};
+  }
+  return isExpired;
 }
-// src/utils/options.ts
-var defaultOptions = {
-  apiKey: void 0,
-  apiUrl: void 0,
-  apiVersion: void 0
-};
-function mergePreDefinedOptions(userOptions = {}) {
-  return {
-    ...defaultOptions,
-    ...userOptions
-  };
+function getExpiresAt(res) {
+  const cacheControlHeader = res.headers.get("cache-control");
+  if (!cacheControlHeader) {
+    return Date.now() + DEFAULT_CACHE_DURATION;
+  }
+  const maxAgeMatch = cacheControlHeader.match(CACHE_CONTROL_REGEX);
+  const maxAge = maxAgeMatch ? parseInt(maxAgeMatch[1], 10) : DEFAULT_CACHE_DURATION / 1e3;
+  return Date.now() + maxAge * 1e3;
 }
-// src/tokens/request.ts
-var import_ms = require("@tern-secure/shared/ms");
-// src/jwt/customJwt.ts
-var import_jose = require("jose");
-var CustomTokenError = class extends Error {
-  constructor(message, code) {
-    super(message);
-    this.code = code;
-    this.name = "CustomTokenError";
+// src/tokens/verify.ts
+async function verifyToken(token, options) {
+  const { data: decodedResult, errors } = ternDecodeJwt(token);
+  if (errors) {
+    return { errors };
+  }
+  const { header } = decodedResult;
+  const { kid } = header;
+  if (!kid) {
+    return {
+      errors: [
+        new TokenVerificationError({
+          reason: TokenVerificationErrorReason.TokenInvalid,
+          message: 'JWT "kid" header is missing.'
+        })
+      ]
+    };
   }
-};
-var RESERVED_CLAIMS = [
-  "acr",
-  "amr",
-  "at_hash",
-  "aud",
-  "auth_time",
-  "azp",
-  "cnf",
-  "c_hash",
-  "exp",
-  "firebase",
-  "iat",
-  "iss",
-  "jti",
-  "nbf",
-  "nonce",
-  "sub"
-];
-async function createCustomTokenJwt(uid, developerClaims) {
   try {
-    const privateKey = process.env.FIREBASE_PRIVATE_KEY;
-    const clientEmail = process.env.FIREBASE_CLIENT_EMAIL;
-    if (!privateKey || !clientEmail) {
+    const key = options.jwtKey || await loadJWKFromRemote({ ...options, kid });
+    if (!key) {
       return {
         errors: [
-          new CustomTokenError(
-            "Missing FIREBASE_PRIVATE_KEY or FIREBASE_CLIENT_EMAIL environment variables",
-            "MISSING_ENV_VARS"
-          )
+          new TokenVerificationError({
+            reason: TokenVerificationErrorReason.TokenInvalid,
+            message: `No public key found for kid "${kid}".`
+          })
         ]
       };
     }
-    if (!uid || typeof uid !== "string") {
-      return {
-        errors: [new CustomTokenError("uid must be a non-empty string", "INVALID_UID")]
-      };
+    return await verifyJwt(token, { ...options, key });
+  } catch (error) {
+    if (error instanceof TokenVerificationError) {
+      return { errors: [error] };
     }
-    if (uid.length > 128) {
+    return {
+      errors: [error]
+    };
+  }
+}
+// src/fireRestApi/endpoints/AbstractApi.ts
+var AbstractAPI = class {
+  constructor(request) {
+    this.request = request;
+  }
+  requireApiKey(apiKey) {
+    if (!apiKey) {
+      throw new Error("A valid API key is required.");
+    }
+  }
+};
+// src/fireRestApi/endpoints/AppCheckApi.ts
+function getSdkVersion() {
+  return "12.7.0";
+}
+var FIREBASE_APP_CHECK_CONFIG_HEADERS = {
+  "X-Firebase-Client": `fire-admin-node/${getSdkVersion()}`
+};
+var AppCheckApi = class extends AbstractAPI {
+  async exchangeCustomToken(params) {
+    const { projectId, appId, customToken, accessToken, limitedUse = false } = params;
+    if (!projectId || !appId) {
+      throw new Error("Project ID and App ID are required for App Check token exchange");
+    }
+    const endpoint = `https://firebaseappcheck.googleapis.com/v1beta/projects/${projectId}/apps/${appId}:exchangeCustomToken`;
+    const headers = {
+      "Content-Type": "application/json",
+      "Authorization": `Bearer ${accessToken}`
+    };
+    try {
+      const response = await fetch(endpoint, {
+        method: "POST",
+        headers,
+        body: JSON.stringify({ customToken, limitedUse })
+      });
+      if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(`App Check token exchange failed: ${response.status} ${errorText}`);
+      }
+      const data = await response.json();
       return {
-        errors: [new CustomTokenError("uid must not exceed 128 characters", "UID_TOO_LONG")]
+        token: data.token,
+        ttl: data.ttl
       };
+    } catch (error) {
+      console.warn("[ternsecure - appcheck api]unexpected error:", error);
+      throw error;
     }
-    if (developerClaims) {
-      for (const claim of Object.keys(developerClaims)) {
-        if (RESERVED_CLAIMS.includes(claim)) {
-          return {
-            errors: [new CustomTokenError(`Custom claim '${claim}' is reserved`, "RESERVED_CLAIM")]
-          };
-        }
-      }
+  }
+  async exchangeDebugToken(params) {
+    const { projectId, appId, customToken, accessToken, limitedUse = false } = params;
+    if (!projectId || !appId) {
+      throw new Error("Project ID and App ID are required for App Check token exchange");
     }
-    const expiresIn = 3600;
-    const now = Math.floor(Date.now() / 1e3);
-    const parsedPrivateKey = await (0, import_jose.importPKCS8)(privateKey.replace(/\\n/g, "\n"), "RS256");
-    const payload = {
-      iss: clientEmail,
-      sub: clientEmail,
-      aud: "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
-      iat: now,
-      exp: now + expiresIn,
-      uid,
-      ...developerClaims
-    };
-    const jwt = await new import_jose.SignJWT(payload).setProtectedHeader({ alg: "RS256", typ: "JWT" }).setIssuedAt(now).setExpirationTime(now + expiresIn).setIssuer(clientEmail).setSubject(clientEmail).setAudience(
-      "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit"
-    ).sign(parsedPrivateKey);
-    return {
-      data: jwt
+    const endpoint = `https://firebaseappcheck.googleapis.com/v1beta/projects/${projectId}/apps/${appId}:exchangeDebugToken`;
+    const headers = {
+      ...FIREBASE_APP_CHECK_CONFIG_HEADERS,
+      "Authorization": `Bearer ${accessToken}`
     };
-  } catch (error) {
-    const message = error instanceof Error ? error.message : "Unknown error occurred";
-    return {
-      errors: [
-        new CustomTokenError(`Failed to create custom token: ${message}`, "TOKEN_CREATION_FAILED")
-      ]
+    const body = {
+      customToken,
+      limitedUse
     };
+    try {
+      const response = await fetch(endpoint, {
+        method: "POST",
+        headers,
+        body: JSON.stringify(body)
+      });
+      if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(`App Check token exchange failed: ${response.status} ${errorText}`);
+      }
+      const data = await response.json();
+      return {
+        token: data.token,
+        ttl: data.ttl
+      };
+    } catch (error) {
+      console.warn("[ternsecure - appcheck api]unexpected error:", error);
+      throw error;
+    }
+  }
+};
+// src/fireRestApi/endpoints/EmailApi.ts
+var EmailApi = class extends AbstractAPI {
+  async verifyEmailVerification(apiKey, params) {
+    this.requireApiKey(apiKey);
+    const { ...restParams } = params;
+    return this.request({
+      endpoint: "sendOobCode",
+      method: "POST",
+      bodyParams: restParams
+    });
   }
-}
-async function createCustomToken(uid, developerClaims) {
-  const { data, errors } = await createCustomTokenJwt(uid, developerClaims);
-  if (errors) {
-    throw errors[0];
+  async confirmEmailVerification(apiKey, params) {
+    this.requireApiKey(apiKey);
+    const { ...restParams } = params;
+    return this.request({
+      endpoint: "sendOobCode",
+      method: "POST",
+      bodyParams: restParams
+    });
   }
-  return data;
-}
-// src/jwt/verifyJwt.ts
-var import_jose3 = require("jose");
-// src/utils/errors.ts
-var RefreshTokenErrorReason = {
-  NonEligibleNoCookie: "non-eligible-no-refresh-cookie",
-  NonEligibleNonGet: "non-eligible-non-get",
-  InvalidSessionToken: "invalid-session-token",
-  MissingApiClient: "missing-api-client",
-  MissingIdToken: "missing-id-token",
-  MissingSessionToken: "missing-session-token",
-  MissingRefreshToken: "missing-refresh-token",
-  ExpiredIdTokenDecodeFailed: "expired-id-token-decode-failed",
-  ExpiredSessionTokenDecodeFailed: "expired-session-token-decode-failed",
-  FetchError: "fetch-error"
-};
-var TokenVerificationErrorReason = {
-  TokenExpired: "token-expired",
-  TokenInvalid: "token-invalid",
-  TokenInvalidAlgorithm: "token-invalid-algorithm",
-  TokenInvalidAuthorizedParties: "token-invalid-authorized-parties",
-  TokenInvalidSignature: "token-invalid-signature",
-  TokenNotActiveYet: "token-not-active-yet",
-  TokenIatInTheFuture: "token-iat-in-the-future",
-  TokenVerificationFailed: "token-verification-failed",
-  InvalidSecretKey: "secret-key-invalid",
-  LocalJWKMissing: "jwk-local-missing",
-  RemoteJWKFailedToLoad: "jwk-remote-failed-to-load",
-  RemoteJWKInvalid: "jwk-remote-invalid",
-  RemoteJWKMissing: "jwk-remote-missing",
-  JWKFailedToResolve: "jwk-failed-to-resolve",
-  JWKKidMismatch: "jwk-kid-mismatch"
 };
-var TokenVerificationError = class _TokenVerificationError extends Error {
-  reason;
-  tokenCarrier;
-  constructor({
-    message,
-    reason
-  }) {
-    super(message);
-    Object.setPrototypeOf(this, _TokenVerificationError.prototype);
-    this.reason = reason;
-    this.message = message;
+// src/fireRestApi/endpoints/PasswordApi.ts
+var PasswordApi = class extends AbstractAPI {
+  async verifyPasswordResetCode(apiKey, params) {
+    this.requireApiKey(apiKey);
+    const { ...restParams } = params;
+    return this.request({
+      endpoint: "passwordReset",
+      method: "POST",
+      bodyParams: restParams
+    });
   }
-  getFullMessage() {
-    return `${[this.message].filter((m) => m).join(" ")} (reason=${this.reason}, token-carrier=${this.tokenCarrier})`;
+  async confirmPasswordReset(apiKey, params) {
+    this.requireApiKey(apiKey);
+    const { ...restParams } = params;
+    return this.request({
+      endpoint: "passwordReset",
+      method: "POST",
+      bodyParams: restParams
+    });
+  }
+  async changePassword(apiKey, params) {
+    this.requireApiKey(apiKey);
+    const { ...restParams } = params;
+    return this.request({
+      endpoint: "passwordReset",
+      method: "POST",
+      bodyParams: restParams
+    });
   }
 };
-// src/utils/rfc4648.ts
-var base64url = {
-  parse(string, opts) {
-    return parse2(string, base64UrlEncoding, opts);
-  },
-  stringify(data, opts) {
-    return stringify(data, base64UrlEncoding, opts);
+// src/fireRestApi/endpoints/SignInApi.ts
+var SignInApi = class extends AbstractAPI {
+  async resetPasswordEmail(apiKey, params) {
+    try {
+      this.requireApiKey(apiKey);
+      const { ...restParams } = params;
+      const response = await this.request({
+        endpoint: "sendOobCode",
+        method: "POST",
+        apiKey,
+        bodyParams: restParams
+      });
+      if (response.errors) {
+        const errorMessage = response.errors[0]?.message || "Failed to send reset password email";
+        throw new Error(errorMessage);
+      }
+      return response.data;
+    } catch (error) {
+      const contextualMessage = `Failed to send reset password email: ${error instanceof Error ? error.message : "Unknown error"}`;
+      throw new Error(contextualMessage);
+    }
   }
 };
-var base64UrlEncoding = {
-  chars: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_",
-  bits: 6
-};
-function parse2(string, encoding, opts = {}) {
-  if (!encoding.codes) {
-    encoding.codes = {};
-    for (let i = 0; i < encoding.chars.length; ++i) {
-      encoding.codes[encoding.chars[i]] = i;
+// src/fireRestApi/endpoints/SignInTokenApi.ts
+var SignInTokenApi = class extends AbstractAPI {
+  async createCustomToken(apiKey, params) {
+    try {
+      this.requireApiKey(apiKey);
+      const { ...restParams } = params;
+      const response = await this.request({
+        endpoint: "signInWithCustomToken",
+        method: "POST",
+        bodyParams: restParams
+      });
+      if (response.errors) {
+        const errorMessage = response.errors[0]?.message || "Failed to create custom token";
+        throw new Error(errorMessage);
+      }
+      return response.data;
+    } catch (error) {
+      const contextualMessage = `Failed to create custom token: ${error instanceof Error ? error.message : "Unknown error"}`;
+      throw new Error(contextualMessage);
     }
   }
-  if (!opts.loose && string.length * encoding.bits & 7) {
-    throw new SyntaxError("Invalid padding");
-  }
-  let end = string.length;
-  while (string[end - 1] === "=") {
-    --end;
-    if (!opts.loose && !((string.length - end) * encoding.bits & 7)) {
-      throw new SyntaxError("Invalid padding");
-    }
+};
+// src/fireRestApi/endpoints/SignUpApi.ts
+var SignUpApi = class extends AbstractAPI {
+  async createCustomToken(apiKey, params) {
+    this.requireApiKey(apiKey);
+    const { ...restParams } = params;
+    return this.request({
+      endpoint: "signUp",
+      method: "POST",
+      bodyParams: restParams
+    });
   }
-  const out = new (opts.out ?? Uint8Array)(end * encoding.bits / 8 | 0);
-  let bits = 0;
-  let buffer = 0;
-  let written = 0;
-  for (let i = 0; i < end; ++i) {
-    const value = encoding.codes[string[i]];
-    if (value === void 0) {
-      throw new SyntaxError("Invalid character " + string[i]);
+};
+// src/fireRestApi/endpoints/TokenApi.ts
+var TokenApi = class extends AbstractAPI {
+  async refreshToken(apiKey, params) {
+    this.requireApiKey(apiKey);
+    const { refresh_token, request_origin, app_check_token, ...restParams } = params;
+    const headers = {};
+    if (request_origin) {
+      headers["Referer"] = request_origin;
     }
-    buffer = buffer << encoding.bits | value;
-    bits += encoding.bits;
-    if (bits >= 8) {
-      bits -= 8;
-      out[written++] = 255 & buffer >> bits;
+    if (app_check_token) {
+      headers["X-Firebase-AppCheck"] = app_check_token;
     }
+    const bodyParams = {
+      grant_type: "refresh_token",
+      refresh_token,
+      ...restParams
+    };
+    return this.request({
+      endpoint: "refreshToken",
+      method: "POST",
+      apiKey,
+      bodyParams,
+      headerParams: headers
+    });
   }
-  if (bits >= encoding.bits || 255 & buffer << 8 - bits) {
-    throw new SyntaxError("Unexpected end of data");
-  }
-  return out;
-}
-function stringify(data, encoding, opts = {}) {
-  const { pad = true } = opts;
-  const mask = (1 << encoding.bits) - 1;
-  let out = "";
-  let bits = 0;
-  let buffer = 0;
-  for (let i = 0; i < data.length; ++i) {
-    buffer = buffer << 8 | 255 & data[i];
-    bits += 8;
-    while (bits > encoding.bits) {
-      bits -= encoding.bits;
-      out += encoding.chars[mask & buffer >> bits];
+  async exchangeCustomForIdAndRefreshTokens(apiKey, params, options) {
+    this.requireApiKey(apiKey);
+    const headers = {};
+    if (options?.referer) {
+      headers["Referer"] = options.referer;
     }
-  }
-  if (bits) {
-    out += encoding.chars[mask & buffer << encoding.bits - bits];
-  }
-  if (pad) {
-    while (out.length * encoding.bits & 7) {
-      out += "=";
+    if (options?.appCheckToken) {
+      headers["X-Firebase-AppCheck"] = options.appCheckToken;
     }
-  }
-  return out;
-}
-// src/jwt/cryptoKeys.ts
-var import_jose2 = require("jose");
-async function importKey(key, algorithm) {
-  if (typeof key === "object") {
-    const result = await (0, import_jose2.importJWK)(key, algorithm);
-    if (result instanceof Uint8Array) {
-      throw new Error("Unexpected Uint8Array result from JWK import");
+    const response = await this.request({
+      endpoint: "signInWithCustomToken",
+      method: "POST",
+      apiKey,
+      bodyParams: params,
+      headerParams: headers
+    });
+    if (response.errors) {
+      throw new Error(response.errors[0].message);
     }
-    return result;
-  }
-  const keyString = key.trim();
-  if (keyString.includes("-----BEGIN CERTIFICATE-----")) {
-    return await (0, import_jose2.importX509)(keyString, algorithm);
-  }
-  if (keyString.includes("-----BEGIN PUBLIC KEY-----")) {
-    return await (0, import_jose2.importSPKI)(keyString, algorithm);
-  }
-  try {
-    return await (0, import_jose2.importSPKI)(keyString, algorithm);
-  } catch (error) {
-    throw new Error(
-      `Unsupported key format. Supported formats: X.509 certificate (PEM), SPKI (PEM), JWK (JSON object or string). Error: ${error}`
-    );
+    if (!response.data) {
+      throw new Error("No data received from Firebase token exchange");
+    }
+    return response.data;
   }
-}
-// src/jwt/algorithms.ts
-var algToHash = {
-  RS256: "SHA-256",
-  RS384: "SHA-384",
-  RS512: "SHA-512"
 };
-var algs = Object.keys(algToHash);
-// src/jwt/verifyContent.ts
-var verifyHeaderKid = (kid) => {
-  if (typeof kid === "undefined") {
-    return;
-  }
-  if (typeof kid !== "string") {
-    throw new TokenVerificationError({
-      reason: TokenVerificationErrorReason.TokenInvalid,
-      message: `Invalid JWT kid ${JSON.stringify(kid)}. Expected a string.`
+// src/fireRestApi/endpoints/UserData.ts
+var UserData = class extends AbstractAPI {
+  async getUserData(apiKey, params, options) {
+    this.requireApiKey(apiKey);
+    const { ...restParams } = params;
+    const headers = {};
+    if (options?.referer) {
+      headers["Referer"] = options.referer;
+    }
+    return this.request({
+      endpoint: "lookup",
+      method: "POST",
+      apiKey,
+      bodyParams: restParams,
+      headerParams: headers
     });
   }
 };
-var verifySubClaim = (sub) => {
-  if (typeof sub !== "string") {
-    throw new TokenVerificationError({
-      reason: TokenVerificationErrorReason.TokenVerificationFailed,
-      message: `Subject claim (sub) is required and must be a string. Received ${JSON.stringify(sub)}.`
-    });
-  }
+// src/runtime.ts
+var import_crypto = require("#crypto");
+var globalFetch = fetch.bind(globalThis);
+var runtime = {
+  crypto: import_crypto.webcrypto,
+  get fetch() {
+    return process.env.NODE_ENV === "test" ? fetch : globalFetch;
+  },
+  AbortController: globalThis.AbortController,
+  Blob: globalThis.Blob,
+  FormData: globalThis.FormData,
+  Headers: globalThis.Headers,
+  Request: globalThis.Request,
+  Response: globalThis.Response
 };
-var verifyExpirationClaim = (exp, clockSkewInMs) => {
-  if (typeof exp !== "number") {
-    throw new TokenVerificationError({
-      reason: TokenVerificationErrorReason.TokenVerificationFailed,
-      message: `Invalid JWT expiry date (exp) claim ${JSON.stringify(exp)}. Expected a number.`
-    });
-  }
-  const currentDate = new Date(Date.now());
-  const expiryDate = /* @__PURE__ */ new Date(0);
-  expiryDate.setUTCSeconds(exp);
-  const expired = expiryDate.getTime() <= currentDate.getTime() - clockSkewInMs;
-  if (expired) {
-    throw new TokenVerificationError({
-      reason: TokenVerificationErrorReason.TokenExpired,
-      message: `JWT is expired. Expiry date: ${expiryDate.toUTCString()}, Current date: ${currentDate.toUTCString()}.`
-    });
-  }
+// src/fireRestApi/emulator.ts
+var FIREBASE_AUTH_EMULATOR_HOST = process.env.FIREBASE_AUTH_EMULATOR_HOST;
+function emulatorHost() {
+  if (typeof process === "undefined") return void 0;
+  return FIREBASE_AUTH_EMULATOR_HOST;
+}
+function useEmulator() {
+  return !!emulatorHost();
+}
+// src/fireRestApi/endpointUrl.ts
+var lookupEndpoint = (apiKey) => {
+  return `https://identitytoolkit.googleapis.com/v1/accounts:lookup?key=${apiKey}`;
 };
-var verifyIssuedAtClaim = (iat, clockSkewInMs) => {
-  if (typeof iat === "undefined") {
-    return;
-  }
-  if (typeof iat !== "number") {
-    throw new TokenVerificationError({
-      reason: TokenVerificationErrorReason.TokenVerificationFailed,
-      message: `Invalid JWT issued at date claim (iat) ${JSON.stringify(iat)}. Expected a number.`
-    });
-  }
-  const currentDate = new Date(Date.now());
-  const issuedAtDate = /* @__PURE__ */ new Date(0);
-  issuedAtDate.setUTCSeconds(iat);
-  const postIssued = issuedAtDate.getTime() > currentDate.getTime() + clockSkewInMs;
-  if (postIssued) {
-    throw new TokenVerificationError({
-      reason: TokenVerificationErrorReason.TokenIatInTheFuture,
-      message: `JWT issued at date claim (iat) is in the future. Issued at date: ${issuedAtDate.toUTCString()}; Current date: ${currentDate.toUTCString()};`
-    });
+var getRefreshTokenEndpoint = (apiKey) => {
+  return `https://securetoken.googleapis.com/v1/token?key=${apiKey}`;
+};
+var signInWithPassword = (apiKey) => {
+  return `https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword?key=${apiKey}`;
+};
+var signUpEndpoint = (apiKey) => {
+  return `https://identitytoolkit.googleapis.com/v1/accounts:signUp?key=${apiKey}`;
+};
+var sendOobCode = (apiKey) => {
+  return `https://identitytoolkit.googleapis.com/v1/accounts:sendOobCode?key=${apiKey}`;
+};
+var getCustomTokenEndpoint = (apiKey) => {
+  if (useEmulator() && FIREBASE_AUTH_EMULATOR_HOST) {
+    let protocol = "http://";
+    if (FIREBASE_AUTH_EMULATOR_HOST.startsWith("http://")) {
+      protocol = "";
+    }
+    return `${protocol}${FIREBASE_AUTH_EMULATOR_HOST}/identitytoolkit.googleapis.com/v1/accounts:signInWithCustomToken?key=${apiKey}`;
   }
+  return `https://identitytoolkit.googleapis.com/v1/accounts:signInWithCustomToken?key=${apiKey}`;
 };
-// src/jwt/verifyJwt.ts
-var DEFAULT_CLOCK_SKEW_IN_MS = 5 * 1e3;
-async function verifySignature(jwt, key) {
-  const { header, raw } = jwt;
-  const joseAlgorithm = header.alg || "RS256";
-  try {
-    const publicKey = await importKey(key, joseAlgorithm);
-    const { payload } = await (0, import_jose3.jwtVerify)(raw.text, publicKey);
-    return { data: payload };
-  } catch (error) {
-    return {
-      errors: [
-        new TokenVerificationError({
-          reason: TokenVerificationErrorReason.TokenInvalidSignature,
-          message: error.message
-        })
-      ]
+// src/fireRestApi/request.ts
+var FIREBASE_ENDPOINT_MAP = {
+  refreshToken: getRefreshTokenEndpoint,
+  signInWithPassword,
+  signUp: signUpEndpoint,
+  signInWithCustomToken: getCustomTokenEndpoint,
+  passwordReset: sendOobCode,
+  sendOobCode,
+  lookup: lookupEndpoint
+};
+function createRequest(options) {
+  const requestFn = async (requestOptions) => {
+    const { endpoint, method, apiKey, queryParams, headerParams, bodyParams, formData } = requestOptions;
+    if (!apiKey) {
+      return {
+        data: null,
+        errors: [
+          {
+            domain: "none",
+            reason: "invalid_parameter",
+            message: "Firebase API key is required",
+            code: "400"
+          }
+        ]
+      };
+    }
+    const endpointUrl = FIREBASE_ENDPOINT_MAP[endpoint](apiKey);
+    const finalUrl = new URL(endpointUrl);
+    if (queryParams) {
+      Object.entries(queryParams).forEach(([key, value]) => {
+        if (value) {
+          [value].flat().forEach((v) => finalUrl.searchParams.append(key, v));
+        }
+      });
+    }
+    const headers = {
+      ...headerParams
     };
-  }
-}
-function ternDecodeJwt(token) {
-  try {
-    const header = (0, import_jose3.decodeProtectedHeader)(token);
-    const payload = (0, import_jose3.decodeJwt)(token);
-    const tokenParts = (token || "").toString().split(".");
-    if (tokenParts.length !== 3) {
+    let res;
+    try {
+      if (formData) {
+        res = await runtime.fetch(finalUrl.href, {
+          method,
+          headers,
+          body: formData
+        });
+      } else {
+        headers["Content-Type"] = "application/json";
+        const hasBody = method !== "GET" && bodyParams && Object.keys(bodyParams).length > 0;
+        const body = hasBody ? { body: JSON.stringify(bodyParams) } : null;
+        res = await runtime.fetch(finalUrl.href, {
+          method,
+          headers,
+          ...body
+        });
+      }
+      const isJSONResponse = res?.headers && res.headers?.get(constants.Headers.ContentType)?.includes(constants.ContentTypes.Json);
+      let responseBody;
+      try {
+        const text = await res.text();
+        try {
+          responseBody = JSON.parse(text);
+        } catch {
+          responseBody = text;
+        }
+      } catch (e) {
+        responseBody = null;
+      }
+      if (!res.ok) {
+        return {
+          data: null,
+          errors: parseErrors(responseBody),
+          status: res?.status,
+          statusText: res?.statusText
+        };
+      }
+      return {
+        data: responseBody,
+        errors: null
+      };
+    } catch (error) {
+      if (error instanceof Error) {
+        return {
+          data: null,
+          errors: [
+            {
+              domain: "none",
+              reason: "request_failed",
+              message: error.message || "An unexpected error occurred",
+              code: "500"
+            }
+          ]
+        };
+      }
       return {
-        errors: [
-          new TokenVerificationError({
-            reason: TokenVerificationErrorReason.TokenInvalid,
-            message: "Invalid JWT format"
-          })
-        ]
+        data: null,
+        errors: parseErrors(error),
+        status: res?.status,
+        statusText: res?.statusText
       };
     }
-    const [rawHeader, rawPayload, rawSignature] = tokenParts;
-    const signature = base64url.parse(rawSignature, { loose: true });
-    const data = {
-      header,
-      payload,
-      signature,
-      raw: {
-        header: rawHeader,
-        payload: rawPayload,
-        signature: rawSignature,
-        text: token
-      }
-    };
-    return { data };
-  } catch (error) {
-    return {
-      errors: [
-        new TokenVerificationError({
-          reason: TokenVerificationErrorReason.TokenInvalid,
-          message: `${error.message || "Invalid Token or Protected Header formatting"} (Token length: ${token?.length}, First 10 chars: ${token?.substring(0, 10)}...)`
-        })
-      ]
-    };
-  }
+  };
+  return requestFn;
 }
-async function verifyJwt(token, options) {
-  const { key } = options;
-  const clockSkew = options.clockSkewInMs || DEFAULT_CLOCK_SKEW_IN_MS;
-  const { data: decoded, errors } = ternDecodeJwt(token);
-  if (errors) {
-    return { errors };
+function parseErrors(data) {
+  let parsedData = data;
+  if (typeof data === "string") {
+    try {
+      parsedData = JSON.parse(data);
+    } catch (error) {
+      return [];
+    }
   }
-  const { header, payload } = decoded;
-  try {
-    verifyHeaderKid(header.kid);
-    verifySubClaim(payload.sub);
-    verifyExpirationClaim(payload.exp, clockSkew);
-    verifyIssuedAtClaim(payload.iat, clockSkew);
-  } catch (error) {
-    return { errors: [error] };
+  if (!parsedData || typeof parsedData !== "object") {
+    return [];
   }
-  const { data: verifiedPayload, errors: signatureErrors } = await verifySignature(decoded, key);
-  if (signatureErrors) {
-    return {
-      errors: [
-        new TokenVerificationError({
-          reason: TokenVerificationErrorReason.TokenInvalidSignature,
-          message: "Token signature verification failed."
-        })
-      ]
-    };
+  if ("error" in parsedData && typeof parsedData.error === "object" && parsedData.error !== null) {
+    const errorObj = parsedData.error;
+    if ("errors" in errorObj && Array.isArray(errorObj.errors) && errorObj.errors.length > 0) {
+      return errorObj.errors.map((err) => parseError({
+        code: errorObj.code || "unknown_error",
+        message: err.message || "Unknown error",
+        domain: err.domain,
+        reason: err.reason
+      }));
+    }
+    return [parseError({
+      code: errorObj.code?.toString() || "unknown_error",
+      message: errorObj.message || "Unknown error",
+      domain: errorObj.domain || "unknown",
+      reason: errorObj.reason || errorObj.code?.toString() || "unknown_error"
+    })];
   }
-  const decodedIdToken = mapJwtPayloadToDecodedIdToken(verifiedPayload);
-  return { data: decodedIdToken };
-}
-// src/tokens/keys.ts
-var cache = {};
-var lastUpdatedAt = 0;
-var googleExpiresAt = 0;
-function getFromCache(kid) {
-  return cache[kid];
+  return [];
 }
-function getCacheValues() {
-  return Object.values(cache);
+function parseError(error) {
+  return {
+    domain: error.domain,
+    reason: error.reason,
+    message: error.message,
+    code: error.code
+  };
 }
-function setInCache(kid, certificate, shouldExpire = true) {
-  cache[kid] = certificate;
-  lastUpdatedAt = shouldExpire ? Date.now() : -1;
+// src/fireRestApi/createFireApi.ts
+function createFireApi(options) {
+  const request = createRequest(options);
+  return {
+    appCheck: new AppCheckApi(request),
+    email: new EmailApi(request),
+    password: new PasswordApi(request),
+    signIn: new SignInApi(request),
+    signInToken: new SignInTokenApi(request),
+    signUp: new SignUpApi(request),
+    tokens: new TokenApi(request),
+    userData: new UserData(request)
+  };
 }
-async function fetchPublicKeys(keyUrl) {
-  const url = new URL(keyUrl);
-  const response = await fetch(url);
-  if (!response.ok) {
-    throw new TokenVerificationError({
-      message: `Error loading public keys from ${url.href} with code=${response.status} `,
-      reason: TokenVerificationErrorReason.TokenInvalid
-    });
-  }
-  const data = await response.json();
-  const expiresAt = getExpiresAt(response);
+// src/utils/options.ts
+var defaultOptions = {
+  apiKey: void 0,
+  apiUrl: void 0,
+  apiVersion: void 0
+};
+function mergePreDefinedOptions(userOptions = {}) {
   return {
-    keys: data,
-    expiresAt
+    ...defaultOptions,
+    ...userOptions
   };
 }
-async function loadJWKFromRemote({
-  keyURL = GOOGLE_PUBLIC_KEYS_URL,
-  skipJwksCache,
-  kid
-}) {
-  if (skipJwksCache || isCacheExpired() || !getFromCache(kid)) {
-    const { keys, expiresAt } = await fetchPublicKeys(keyURL);
-    if (!keys || Object.keys(keys).length === 0) {
-      throw new TokenVerificationError({
-        message: `The JWKS endpoint ${keyURL} returned no keys`,
-        reason: TokenVerificationErrorReason.RemoteJWKFailedToLoad
-      });
+// src/tokens/request.ts
+var import_ms = require("@tern-secure/shared/ms");
+// src/jwt/guardReturn.ts
+function createJwtGuard(decodedFn) {
+  return (...args) => {
+    const { data, errors } = decodedFn(...args);
+    if (errors) {
+      throw errors[0];
     }
-    googleExpiresAt = expiresAt;
-    Object.entries(keys).forEach(([keyId, cert2]) => {
-      setInCache(keyId, cert2);
-    });
-  }
-  const cert = getFromCache(kid);
-  if (!cert) {
-    getCacheValues();
-    const availableKids = Object.keys(cache).sort().join(", ");
-    throw new TokenVerificationError({
-      message: `No public key found for kid "${kid}". Available kids: [${availableKids}]`,
-      reason: TokenVerificationErrorReason.TokenInvalid
-    });
-  }
-  return cert;
-}
-function isCacheExpired() {
-  const now = Date.now();
-  if (lastUpdatedAt === -1) {
-    return false;
-  }
-  const cacheAge = now - lastUpdatedAt;
-  const maxCacheAge = MAX_CACHE_LAST_UPDATED_AT_SECONDS * 1e3;
-  const localCacheExpired = cacheAge >= maxCacheAge;
-  const googleCacheExpired = now >= googleExpiresAt;
-  const isExpired = localCacheExpired || googleCacheExpired;
-  if (isExpired) {
-    cache = {};
-  }
-  return isExpired;
-}
-function getExpiresAt(res) {
-  const cacheControlHeader = res.headers.get("cache-control");
-  if (!cacheControlHeader) {
-    return Date.now() + DEFAULT_CACHE_DURATION;
-  }
-  const maxAgeMatch = cacheControlHeader.match(CACHE_CONTROL_REGEX);
-  const maxAge = maxAgeMatch ? parseInt(maxAgeMatch[1], 10) : DEFAULT_CACHE_DURATION / 1e3;
-  return Date.now() + maxAge * 1e3;
+    return data;
+  };
 }
-// src/tokens/verify.ts
-async function verifyToken(token, options) {
-  const { data: decodedResult, errors } = ternDecodeJwt(token);
-  if (errors) {
-    return { errors };
-  }
-  const { header } = decodedResult;
-  const { kid } = header;
-  if (!kid) {
-    return {
-      errors: [
-        new TokenVerificationError({
-          reason: TokenVerificationErrorReason.TokenInvalid,
-          message: 'JWT "kid" header is missing.'
-        })
-      ]
-    };
+// src/jwt/jwt.ts
+var import_jose3 = require("jose");
+// src/jwt/customJwt.ts
+var import_jose4 = require("jose");
+var CustomTokenError = class extends Error {
+  constructor(message, code) {
+    super(message);
+    this.code = code;
+    this.name = "CustomTokenError";
   }
-  try {
-    const key = options.jwtKey || await loadJWKFromRemote({ ...options, kid });
-    if (!key) {
+};
+var RESERVED_CLAIMS = [
+  "acr",
+  "amr",
+  "at_hash",
+  "aud",
+  "auth_time",
+  "azp",
+  "cnf",
+  "c_hash",
+  "exp",
+  "firebase",
+  "iat",
+  "iss",
+  "jti",
+  "nbf",
+  "nonce",
+  "sub"
+];
+async function createCustomTokenJwt(uid, developerClaims) {
+  try {
+    const privateKey = process.env.FIREBASE_PRIVATE_KEY;
+    const clientEmail = process.env.FIREBASE_CLIENT_EMAIL;
+    if (!privateKey || !clientEmail) {
       return {
         errors: [
-          new TokenVerificationError({
-            reason: TokenVerificationErrorReason.TokenInvalid,
-            message: `No public key found for kid "${kid}".`
-          })
+          new CustomTokenError(
+            "Missing FIREBASE_PRIVATE_KEY or FIREBASE_CLIENT_EMAIL environment variables",
+            "MISSING_ENV_VARS"
+          )
         ]
       };
     }
-    return await verifyJwt(token, { ...options, key });
-  } catch (error) {
-    if (error instanceof TokenVerificationError) {
-      return { errors: [error] };
+    if (!uid || typeof uid !== "string") {
+      return {
+        errors: [new CustomTokenError("uid must be a non-empty string", "INVALID_UID")]
+      };
+    }
+    if (uid.length > 128) {
+      return {
+        errors: [new CustomTokenError("uid must not exceed 128 characters", "UID_TOO_LONG")]
+      };
+    }
+    if (developerClaims) {
+      for (const claim of Object.keys(developerClaims)) {
+        if (RESERVED_CLAIMS.includes(claim)) {
+          return {
+            errors: [new CustomTokenError(`Custom claim '${claim}' is reserved`, "RESERVED_CLAIM")]
+          };
+        }
+      }
     }
+    const expiresIn = 3600;
+    const now = Math.floor(Date.now() / 1e3);
+    const parsedPrivateKey = await (0, import_jose4.importPKCS8)(privateKey.replace(/\\n/g, "\n"), "RS256");
+    const payload = {
+      iss: clientEmail,
+      sub: clientEmail,
+      aud: "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
+      iat: now,
+      exp: now + expiresIn,
+      uid,
+      ...developerClaims
+    };
+    const jwt = await new import_jose4.SignJWT(payload).setProtectedHeader({ alg: "RS256", typ: "JWT" }).setIssuedAt(now).setExpirationTime(now + expiresIn).setIssuer(clientEmail).setSubject(clientEmail).setAudience(
+      "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit"
+    ).sign(parsedPrivateKey);
     return {
-      errors: [error]
+      data: jwt
+    };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Unknown error occurred";
+    return {
+      errors: [
+        new CustomTokenError(`Failed to create custom token: ${message}`, "TOKEN_CREATION_FAILED")
+      ]
     };
   }
 }
-// src/jwt/guardReturn.ts
-function createJwtGuard(decodedFn) {
-  return (...args) => {
-    const { data, errors } = decodedFn(...args);
-    if (errors) {
-      throw errors[0];
-    }
-    return data;
-  };
+async function createCustomToken(uid, developerClaims) {
+  const { data, errors } = await createCustomTokenJwt(uid, developerClaims);
+  if (errors) {
+    throw errors[0];
+  }
+  return data;
 }
-// src/jwt/jwt.ts
-var import_jose4 = require("jose");
 // src/jwt/signJwt.ts
 var import_jose5 = require("jose");
+// src/utils/fetcher.ts
+async function getDetailFromResponse(response) {
+  const json = await response.json();
+  if (!json) {
+    return "Missing error payload";
+  }
+  let detail = typeof json.error === "string" ? json.error : json.error?.message ?? "Missing error payload";
+  if (json.error_description) {
+    detail += " (" + json.error_description + ")";
+  }
+  return detail;
+}
+async function fetchText(url, init) {
+  return (await fetchAny(url, init)).text();
+}
+async function fetchJson(url, init) {
+  return (await fetchAny(url, init)).json();
+}
+async function fetchAny(url, init) {
+  const response = await fetch(url, init);
+  if (!response.ok) {
+    throw new Error(await getDetailFromResponse(response));
+  }
+  return response;
+}
+// src/jwt/types.ts
 var ALGORITHM_RS256 = "RS256";
+// src/jwt/signJwt.ts
 async function ternSignJwt(opts) {
   const { payload, privateKey, keyId } = opts;
   let key;
@@ -1422,112 +1609,382 @@ async function ternSignJwt(opts) {
   }
   return new import_jose5.SignJWT(payload).setProtectedHeader({ alg: ALGORITHM_RS256, kid: keyId }).sign(key);
 }
+function formatBase64(value) {
+  return value.replace(/\//g, "_").replace(/\+/g, "-").replace(/=+$/, "");
+}
+function encodeSegment(segment) {
+  const value = JSON.stringify(segment);
+  return formatBase64(import_jose5.base64url.encode(value));
+}
+async function ternSignBlob({
+  payload,
+  serviceAccountId,
+  accessToken
+}) {
+  const url = `https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${serviceAccountId}:signBlob`;
+  const header = {
+    alg: ALGORITHM_RS256,
+    typ: "JWT"
+  };
+  const token = `${encodeSegment(header)}.${encodeSegment(payload)}`;
+  const request = {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${accessToken}`
+    },
+    body: JSON.stringify({ payload: import_jose5.base64url.encode(token) })
+  };
+  const response = await fetchAny(url, request);
+  const blob = await response.blob();
+  const key = await blob.text();
+  const { signedBlob } = JSON.parse(key);
+  return `${token}.${formatBase64(signedBlob)}`;
+}
+// src/jwt/crypto-signer.ts
+var ServiceAccountSigner = class {
+  constructor(credential, tenantId) {
+    this.credential = credential;
+    this.tenantId = tenantId;
+  }
+  async getAccountId() {
+    return Promise.resolve(this.credential.clientEmail);
+  }
+  async sign(payload) {
+    if (this.tenantId) {
+      payload.tenant_id = this.tenantId;
+    }
+    return ternSignJwt({ payload, privateKey: this.credential.privateKey });
+  }
+};
+var IAMSigner = class {
+  algorithm = ALGORITHM_RS256;
+  credential;
+  tenantId;
+  serviceAccountId;
+  constructor(credential, tenantId, serviceAccountId) {
+    this.credential = credential;
+    this.tenantId = tenantId;
+    this.serviceAccountId = serviceAccountId;
+  }
+  async sign(payload) {
+    if (this.tenantId) {
+      payload.tenant_id = this.tenantId;
+    }
+    const serviceAccount = await this.getAccountId();
+    const accessToken = await this.credential.getAccessToken();
+    return ternSignBlob({
+      accessToken: accessToken.accessToken,
+      serviceAccountId: serviceAccount,
+      payload
+    });
+  }
+  async getAccountId() {
+    if (this.serviceAccountId) {
+      return this.serviceAccountId;
+    }
+    const token = await this.credential.getAccessToken();
+    const url = "http://metadata/computeMetadata/v1/instance/service-accounts/default/email";
+    const request = {
+      method: "GET",
+      headers: {
+        "Metadata-Flavor": "Google",
+        Authorization: `Bearer ${token.accessToken}`
+      }
+    };
+    return this.serviceAccountId = await fetchText(url, request);
+  }
+};
 // src/jwt/index.ts
 var ternDecodeJwt2 = createJwtGuard(ternDecodeJwt);
-// src/auth/constants.ts
-var TOKEN_EXPIRY_THRESHOLD_MILLIS = 5 * 60 * 1e3;
-var GOOGLE_TOKEN_AUDIENCE = "https://accounts.google.com/o/oauth2/token";
-var GOOGLE_AUTH_TOKEN_HOST = "accounts.google.com";
-var GOOGLE_AUTH_TOKEN_PATH = "/o/oauth2/token";
-var ONE_HOUR_IN_SECONDS = 60 * 60;
+// src/utils/token-generator.ts
+function cryptoSignerFromCredential(credential, tenantId, serviceAccountId) {
+  if (credential instanceof ServiceAccountManager) {
+    return new ServiceAccountSigner(credential, tenantId);
+  }
+  return new IAMSigner(credential, tenantId, serviceAccountId);
+}
-// src/auth/utils.ts
-async function getDetailFromResponse(response) {
-  const json = await response.json();
-  if (!json) {
-    return "Missing error payload";
+// src/app-check/AppCheckApi.ts
+function getSdkVersion2() {
+  return "12.7.0";
+}
+var FIREBASE_APP_CHECK_CONFIG_HEADERS2 = {
+  "X-Firebase-Client": `fire-admin-node/${getSdkVersion2()}`
+};
+var AppCheckApi2 = class {
+  constructor(credential) {
+    this.credential = credential;
   }
-  let detail = typeof json.error === "string" ? json.error : json.error?.message ?? "Missing error payload";
-  if (json.error_description) {
-    detail += " (" + json.error_description + ")";
+  async exchangeToken(params) {
+    const { projectId, appId, customToken, limitedUse = false } = params;
+    const token = await this.credential.getAccessToken(false);
+    if (!projectId || !appId) {
+      throw new Error("Project ID and App ID are required for App Check token exchange");
+    }
+    const endpoint = `https://firebaseappcheck.googleapis.com/v1/projects/${projectId}/apps/${appId}:exchangeCustomToken`;
+    const headers = {
+      "Content-Type": "application/json",
+      "Authorization": `Bearer ${token.accessToken}`
+    };
+    try {
+      const response = await fetch(endpoint, {
+        method: "POST",
+        headers,
+        body: JSON.stringify({ customToken, limitedUse })
+      });
+      if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(`App Check token exchange failed: ${response.status} ${errorText}`);
+      }
+      const data = await response.json();
+      return {
+        token: data.token,
+        ttl: data.ttl
+      };
+    } catch (error) {
+      console.warn("[ternsecure - appcheck api]unexpected error:", error);
+      throw error;
+    }
   }
-  return detail;
+  async exchangeDebugToken(params) {
+    const { projectId, appId, customToken, accessToken, limitedUse = false } = params;
+    if (!projectId || !appId) {
+      throw new Error("Project ID and App ID are required for App Check token exchange");
+    }
+    const endpoint = `https://firebaseappcheck.googleapis.com/v1beta/projects/${projectId}/apps/${appId}:exchangeDebugToken`;
+    const headers = {
+      ...FIREBASE_APP_CHECK_CONFIG_HEADERS2,
+      "Authorization": `Bearer ${accessToken}`
+    };
+    const body = {
+      customToken,
+      limitedUse
+    };
+    try {
+      const response = await fetch(endpoint, {
+        method: "POST",
+        headers,
+        body: JSON.stringify(body)
+      });
+      if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(`App Check token exchange failed: ${response.status} ${errorText}`);
+      }
+      const data = await response.json();
+      return {
+        token: data.token,
+        ttl: data.ttl
+      };
+    } catch (error) {
+      console.warn("[ternsecure - appcheck api]unexpected error:", error);
+      throw error;
+    }
+  }
+};
+// src/app-check/generator.ts
+function transformMillisecondsToSecondsString(milliseconds) {
+  let duration;
+  const seconds = Math.floor(milliseconds / 1e3);
+  const nanos = Math.floor((milliseconds - seconds * 1e3) * 1e6);
+  if (nanos > 0) {
+    let nanoString = nanos.toString();
+    while (nanoString.length < 9) {
+      nanoString = "0" + nanoString;
+    }
+    duration = `${seconds}.${nanoString}s`;
+  } else {
+    duration = `${seconds}s`;
+  }
+  return duration;
 }
-async function fetchJson(url, init) {
-  return (await fetchAny(url, init)).json();
+var AppCheckTokenGenerator = class {
+  signer;
+  constructor(signer) {
+    this.signer = signer;
+  }
+  async createCustomToken(appId, options) {
+    if (!appId) {
+      throw new Error(
+        "appId is invalid"
+      );
+    }
+    let customOptions = {};
+    if (typeof options !== "undefined") {
+      customOptions = this.validateTokenOptions(options);
+    }
+    const account = await this.signer.getAccountId();
+    const iat = Math.floor(Date.now() / 1e3);
+    const body = {
+      iss: account,
+      sub: account,
+      app_id: appId,
+      aud: FIREBASE_APP_CHECK_AUDIENCE,
+      exp: iat + ONE_MINUTE_IN_SECONDS * 5,
+      iat,
+      ...customOptions
+    };
+    return this.signer.sign(body);
+  }
+  validateTokenOptions(options) {
+    if (typeof options.ttlMillis !== "undefined") {
+      if (options.ttlMillis < ONE_MINUTE_IN_MILLIS * 30 || options.ttlMillis > ONE_DAY_IN_MILLIS * 7) {
+        throw new Error(
+          "ttlMillis must be a duration in milliseconds between 30 minutes and 7 days (inclusive)."
+        );
+      }
+      return { ttl: transformMillisecondsToSecondsString(options.ttlMillis) };
+    }
+    return {};
+  }
+};
+// src/app-check/serverAppCheck.ts
+var import_redis = require("@upstash/redis");
+// src/utils/admin-init.ts
+var import_firebase_admin = __toESM(require("firebase-admin"));
+var import_app_check = require("firebase-admin/app-check");
+// src/utils/config.ts
+var loadAdminConfig = () => ({
+  projectId: process.env.FIREBASE_PROJECT_ID || "",
+  clientEmail: process.env.FIREBASE_CLIENT_EMAIL || "",
+  privateKey: process.env.FIREBASE_PRIVATE_KEY || ""
+});
+var validateAdminConfig = (config) => {
+  const requiredFields = [
+    "projectId",
+    "clientEmail",
+    "privateKey"
+  ];
+  const errors = [];
+  requiredFields.forEach((field) => {
+    if (!config[field]) {
+      errors.push(`Missing required field: FIREBASE_${String(field).toUpperCase()}`);
+    }
+  });
+  return {
+    isValid: errors.length === 0,
+    errors,
+    config
+  };
+};
+var initializeAdminConfig = () => {
+  const config = loadAdminConfig();
+  const validationResult = validateAdminConfig(config);
+  if (!validationResult.isValid) {
+    throw new Error(
+      `Firebase Admin configuration validation failed:
+${validationResult.errors.join("\n")}`
+    );
+  }
+  return config;
+};
+// src/utils/admin-init.ts
+if (!import_firebase_admin.default.apps.length) {
+  try {
+    const config = initializeAdminConfig();
+    import_firebase_admin.default.initializeApp({
+      credential: import_firebase_admin.default.credential.cert({
+        ...config,
+        privateKey: config.privateKey.replace(/\\n/g, "\n")
+      })
+    });
+  } catch (error) {
+    console.error("Firebase admin initialization error", error);
+  }
 }
-async function fetchAny(url, init) {
-  const response = await fetch(url, init);
-  if (!response.ok) {
-    throw new Error(await getDetailFromResponse(response));
+var adminTernSecureAuth = import_firebase_admin.default.auth();
+var adminTernSecureDb = import_firebase_admin.default.firestore();
+var TernSecureTenantManager = import_firebase_admin.default.auth().tenantManager();
+var appCheckAdmin = (0, import_app_check.getAppCheck)();
+// src/app-check/verifier.ts
+var import_jose6 = require("jose");
+var getPublicKey = async (header, keyURL) => {
+  const jswksUrl = new URL(keyURL);
+  const getKey = (0, import_jose6.createRemoteJWKSet)(jswksUrl);
+  return getKey(header);
+};
+var verifyAppCheckToken = async (token, options) => {
+  const { data: decodedResult, errors } = ternDecodeJwt(token);
+  if (errors) {
+    throw errors[0];
+  }
+  const { header } = decodedResult;
+  const { kid } = header;
+  if (!kid) {
+    return {
+      errors: [
+        new TokenVerificationError({
+          reason: TokenVerificationErrorReason.TokenInvalid,
+          message: 'JWT "kid" header is missing.'
+        })
+      ]
+    };
+  }
+  try {
+    const getPublicKeyForToken = () => getPublicKey(header, options.keyURL || "");
+    return await verifyAppCheckJwt(token, { ...options, key: getPublicKeyForToken });
+  } catch (error) {
+    if (error instanceof TokenVerificationError) {
+      return { errors: [error] };
+    }
+    return {
+      errors: [error]
+    };
   }
-  return response;
-}
-// src/auth/credential.ts
-var accessTokenCache = /* @__PURE__ */ new Map();
-async function requestAccessToken(urlString, init) {
-  const json = await fetchJson(urlString, init);
-  if (!json.access_token || !json.expires_in) {
-    throw new Error("Invalid access token response");
+};
+var AppcheckTokenVerifier = class {
+  constructor(credential) {
+    this.credential = credential;
   }
-  return {
-    accessToken: json.access_token,
-    expirationTime: Date.now() + json.expires_in * 1e3
+  verifyToken = async (token, projectId, options) => {
+    const { data, errors } = await verifyAppCheckToken(token, options);
+    if (errors) {
+      throw errors[0];
+    }
+    return data;
   };
-}
-var ServiceAccountTokenManager = class {
-  projectId;
-  privateKey;
-  clientEmail;
-  constructor(serviceAccount) {
-    this.projectId = serviceAccount.projectId;
-    this.privateKey = serviceAccount.privateKey;
-    this.clientEmail = serviceAccount.clientEmail;
+};
+// src/app-check/index.ts
+var JWKS_URL = "https://firebaseappcheck.googleapis.com/v1/jwks";
+var AppCheck = class {
+  client;
+  tokenGenerator;
+  appCheckTokenVerifier;
+  limitedUse;
+  constructor(credential, tenantId, limitedUse) {
+    this.client = new AppCheckApi2(credential);
+    this.tokenGenerator = new AppCheckTokenGenerator(
+      cryptoSignerFromCredential(credential, tenantId)
+    );
+    this.appCheckTokenVerifier = new AppcheckTokenVerifier(credential);
+    this.limitedUse = limitedUse;
   }
-  fetchAccessToken = async (url) => {
-    const token = await this.createJwt();
-    const postData = "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=" + token;
-    return requestAccessToken(url, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/x-www-form-urlencoded",
-        Authorization: `Bearer ${token}`,
-        Accept: "application/json"
-      },
-      body: postData
+  createToken = (projectId, appId, options) => {
+    return this.tokenGenerator.createCustomToken(appId, options).then((customToken) => {
+      return this.client.exchangeToken({ customToken, projectId, appId });
     });
   };
-  fetchAndCacheAccessToken = async (url) => {
-    const accessToken = await this.fetchAccessToken(url);
-    accessTokenCache.set(this.projectId, accessToken);
-    return accessToken;
-  };
-  getAccessToken = async (refresh) => {
-    const url = `https://${GOOGLE_AUTH_TOKEN_HOST}${GOOGLE_AUTH_TOKEN_PATH}`;
-    if (refresh) {
-      return this.fetchAndCacheAccessToken(url);
-    }
-    const cachedResponse = accessTokenCache.get(this.projectId);
-    if (!cachedResponse || cachedResponse.expirationTime - Date.now() <= TOKEN_EXPIRY_THRESHOLD_MILLIS) {
-      return this.fetchAndCacheAccessToken(url);
-    }
-    return cachedResponse;
-  };
-  createJwt = async () => {
-    const iat = Math.floor(Date.now() / 1e3);
-    const payload = {
-      aud: GOOGLE_TOKEN_AUDIENCE,
-      iat,
-      exp: iat + ONE_HOUR_IN_SECONDS,
-      iss: this.clientEmail,
-      sub: this.clientEmail,
-      scope: [
-        "https://www.googleapis.com/auth/cloud-platform",
-        "https://www.googleapis.com/auth/firebase.database",
-        "https://www.googleapis.com/auth/firebase.messaging",
-        "https://www.googleapis.com/auth/identitytoolkit",
-        "https://www.googleapis.com/auth/userinfo.email"
-      ].join(" ")
-    };
-    return ternSignJwt({
-      payload,
-      privateKey: this.privateKey
+  verifyToken = async (appCheckToken, projectId, options) => {
+    return this.appCheckTokenVerifier.verifyToken(appCheckToken, projectId, { keyURL: JWKS_URL, ...options }).then((decodedToken) => {
+      return {
+        appId: decodedToken.app_id,
+        token: decodedToken
+      };
     });
   };
 };
+function getAppCheck2(serviceAccount, tenantId, limitedUse) {
+  return new AppCheck(new ServiceAccountManager(serviceAccount), tenantId, limitedUse);
+}
 // src/auth/getauth.ts
 var API_KEY_ERROR = "API Key is required";
@@ -1543,17 +2000,8 @@ function parseFirebaseResponse(data) {
   return data;
 }
 function getAuth(options) {
-  const { apiKey, firebaseAdminConfig } = options;
-  const firebaseApiKey = options.firebaseConfig?.apiKey;
-  const effectiveApiKey = apiKey || firebaseApiKey;
-  let credential = null;
-  if (firebaseAdminConfig?.projectId && firebaseAdminConfig?.privateKey && firebaseAdminConfig?.clientEmail) {
-    credential = new ServiceAccountTokenManager({
-      projectId: firebaseAdminConfig.projectId,
-      privateKey: firebaseAdminConfig.privateKey,
-      clientEmail: firebaseAdminConfig.clientEmail
-    });
-  }
+  const { apiKey } = options;
+  const effectiveApiKey = apiKey || process.env.NEXT_PUBLIC_FIREBASE_API_KEY;
   async function getUserData(idToken, localId) {
     if (!effectiveApiKey) {
       throw new Error(API_KEY_ERROR);
@@ -1638,43 +2086,12 @@ function getAuth(options) {
       auth_time: decodedCustomIdToken.data.auth_time
     };
   }
-  async function exchangeAppCheckToken(idToken) {
-    if (!credential) {
-      return {
-        data: null,
-        error: new Error(
-          "Firebase Admin config must be provided to exchange App Check tokens."
-        )
-      };
-    }
-    if (!effectiveApiKey) {
-      return { data: null, error: new Error(API_KEY_ERROR) };
-    }
+  async function createAppCheckToken() {
+    const adminConfig = loadAdminConfig();
+    const appId = process.env.NEXT_PUBLIC_FIREBASE_APP_ID || "";
+    const appCheck = getAppCheck2(adminConfig, options.tenantId);
     try {
-      const decoded = await verifyToken(idToken, options);
-      if (decoded.errors) {
-        return { data: null, error: decoded.errors[0] };
-      }
-      const customToken = await createCustomToken(decoded.data.uid, {
-        emailVerified: decoded.data.email_verified,
-        source_sign_in_provider: decoded.data.firebase.sign_in_provider
-      });
-      const projectId = options.firebaseConfig?.projectId;
-      const appId = options.firebaseConfig?.appId;
-      if (!projectId || !appId) {
-        return { data: null, error: new Error("Project ID and App ID are required for App Check") };
-      }
-      const { accessToken } = await credential.getAccessToken();
-      const appCheckResponse = await options.apiClient?.appCheck.exchangeCustomToken({
-        accessToken,
-        projectId,
-        appId,
-        customToken,
-        limitedUse: false
-      });
-      if (!appCheckResponse?.token) {
-        return { data: null, error: new Error("Failed to exchange for App Check token") };
-      }
+      const appCheckResponse = await appCheck.createToken(adminConfig.projectId, appId);
       return {
         data: {
           token: appCheckResponse.token,
@@ -1686,89 +2103,100 @@ function getAuth(options) {
       return { data: null, error };
     }
   }
+  async function verifyAppCheckToken2(token) {
+    const adminConfig = loadAdminConfig();
+    const appCheck = getAppCheck2(adminConfig, options.tenantId);
+    try {
+      const decodedToken = await appCheck.verifyToken(token, adminConfig.projectId, {});
+      return {
+        data: decodedToken,
+        error: null
+      };
+    } catch (error) {
+      return { data: null, error };
+    }
+  }
   return {
     getUserData,
     customForIdAndRefreshToken,
     createCustomIdAndRefreshToken,
     refreshExpiredIdToken,
-    exchangeAppCheckToken
+    createAppCheckToken,
+    verifyAppCheckToken: verifyAppCheckToken2
   };
 }
-// src/tokens/c-authenticateRequestProcessor.ts
-var RequestProcessorContext = class {
-  constructor(ternSecureRequest, options) {
-    this.ternSecureRequest = ternSecureRequest;
-    this.options = options;
-    this.initHeaderValues();
-    this.initCookieValues();
-    this.initHandshakeValues();
-    this.initUrlValues();
-    Object.assign(this, options);
-    this.ternUrl = this.ternSecureRequest.ternUrl;
-  }
-  get request() {
-    return this.ternSecureRequest;
-  }
-  initHeaderValues() {
-    this.sessionTokenInHeader = this.parseAuthorizationHeader(
-      this.getHeader(constants.Headers.Authorization)
-    );
-    this.origin = this.getHeader(constants.Headers.Origin);
-    this.host = this.getHeader(constants.Headers.Host);
-    this.forwardedHost = this.getHeader(constants.Headers.ForwardedHost);
-    this.forwardedProto = this.getHeader(constants.Headers.CloudFrontForwardedProto) || this.getHeader(constants.Headers.ForwardedProto);
-    this.referrer = this.getHeader(constants.Headers.Referrer);
-    this.userAgent = this.getHeader(constants.Headers.UserAgent);
-    this.secFetchDest = this.getHeader(constants.Headers.SecFetchDest);
-    this.accept = this.getHeader(constants.Headers.Accept);
-    this.appCheckToken = this.getHeader(constants.Headers.AppCheckToken);
-  }
-  initCookieValues() {
-    const isProduction = process.env.NODE_ENV === "production";
-    const defaultPrefix = isProduction ? "__HOST-" : "__dev_";
-    this.sessionTokenInCookie = this.getCookie(constants.Cookies.Session);
-    this.idTokenInCookie = this.getCookie(`${defaultPrefix}${constants.Cookies.IdToken}`);
-    this.refreshTokenInCookie = this.getCookie(`${defaultPrefix}${constants.Cookies.Refresh}`);
-    this.csrfTokenInCookie = this.getCookie(constants.Cookies.CsrfToken);
-    this.customTokenInCookie = this.getCookie(constants.Cookies.Custom);
-    this.ternAuth = Number.parseInt(this.getCookie(constants.Cookies.TernAut) || "0", 10);
-  }
-  initHandshakeValues() {
-    this.handshakeToken = this.getQueryParam(constants.QueryParameters.Handshake) || this.getCookie(constants.Cookies.Handshake);
-    this.handshakeNonce = this.getQueryParam(constants.QueryParameters.HandshakeNonce) || this.getCookie(constants.Cookies.HandshakeNonce);
-  }
-  initUrlValues() {
-    this.method = this.ternSecureRequest.method;
-    this.pathSegments = this.ternSecureRequest.ternUrl.pathname.split("/").filter(Boolean);
-    this.endpoint = this.pathSegments[2];
-    this.subEndpoint = this.pathSegments[3];
-  }
-  getQueryParam(name) {
-    return this.ternSecureRequest.ternUrl.searchParams.get(name);
-  }
-  getHeader(name) {
-    return this.ternSecureRequest.headers.get(name) || void 0;
+// src/auth/credential.ts
+var accessTokenCache = /* @__PURE__ */ new Map();
+async function requestAccessToken(urlString, init) {
+  const json = await fetchJson(urlString, init);
+  if (!json.access_token || !json.expires_in) {
+    throw new Error("Invalid access token response");
   }
-  getCookie(name) {
-    return this.ternSecureRequest.cookies.get(name) || void 0;
+  return {
+    accessToken: json.access_token,
+    expirationTime: Date.now() + json.expires_in * 1e3
+  };
+}
+var ServiceAccountManager = class {
+  projectId;
+  privateKey;
+  clientEmail;
+  constructor(serviceAccount) {
+    this.projectId = serviceAccount.projectId;
+    this.privateKey = serviceAccount.privateKey;
+    this.clientEmail = serviceAccount.clientEmail;
   }
-  parseAuthorizationHeader(authorizationHeader) {
-    if (!authorizationHeader) {
-      return void 0;
-    }
-    const [scheme, token] = authorizationHeader.split(" ", 2);
-    if (!token) {
-      return scheme;
+  fetchAccessToken = async (url) => {
+    const token = await this.createJwt();
+    const postData = "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=" + token;
+    return requestAccessToken(url, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Authorization: `Bearer ${token}`,
+        Accept: "application/json"
+      },
+      body: postData
+    });
+  };
+  fetchAndCacheAccessToken = async (url) => {
+    const accessToken = await this.fetchAccessToken(url);
+    accessTokenCache.set(this.projectId, accessToken);
+    return accessToken;
+  };
+  getAccessToken = async (refresh) => {
+    const url = `https://${GOOGLE_AUTH_TOKEN_HOST}${GOOGLE_AUTH_TOKEN_PATH}`;
+    if (refresh) {
+      return this.fetchAndCacheAccessToken(url);
     }
-    if (scheme === "Bearer") {
-      return token;
+    const cachedResponse = accessTokenCache.get(this.projectId);
+    if (!cachedResponse || cachedResponse.expirationTime - Date.now() <= TOKEN_EXPIRY_THRESHOLD_MILLIS) {
+      return this.fetchAndCacheAccessToken(url);
     }
-    return void 0;
-  }
-};
-var createRequestProcessor = (ternSecureRequest, options) => {
-  return new RequestProcessorContext(ternSecureRequest, options);
+    return cachedResponse;
+  };
+  createJwt = async () => {
+    const iat = Math.floor(Date.now() / 1e3);
+    const payload = {
+      aud: GOOGLE_TOKEN_AUDIENCE,
+      iat,
+      exp: iat + ONE_HOUR_IN_SECONDS,
+      iss: this.clientEmail,
+      sub: this.clientEmail,
+      scope: [
+        "https://www.googleapis.com/auth/cloud-platform",
+        "https://www.googleapis.com/auth/firebase.database",
+        "https://www.googleapis.com/auth/firebase.messaging",
+        "https://www.googleapis.com/auth/identitytoolkit",
+        "https://www.googleapis.com/auth/userinfo.email"
+      ].join(" ")
+    };
+    return ternSignJwt({
+      payload,
+      privateKey: this.privateKey
+    });
+  };
 };
 // src/tokens/cookie.ts
@@ -1786,7 +2214,7 @@ function isRequestForRefresh(error, context, request) {
 }
 async function authenticateRequest(request, options) {
   const context = createRequestProcessor(createTernSecureRequest(request), options);
-  const { refreshTokenInCookie, appCheckToken } = context;
+  const { refreshTokenInCookie } = context;
   const { refreshExpiredIdToken } = getAuth(options);
   function checkSessionTimeout(authTimeValue) {
     const defaultMaxAgeSeconds = convertToSeconds("5 days");
@@ -1809,8 +2237,7 @@ async function authenticateRequest(request, options) {
       };
     }
     return await refreshExpiredIdToken(refreshTokenInCookie, {
-      referer: context.ternUrl.origin,
-      appCheckToken
+      referer: context.ternUrl.origin
     });
   }
   async function handleRefresh() {
@@ -1912,24 +2339,7 @@ async function authenticateRequest(request, options) {
       if (errors) {
         throw errors[0];
       }
-      const { exchangeAppCheckToken } = getAuth(options);
-      let appCheckTokenValue;
-      try {
-        const idToken = context.idTokenInCookie || "";
-        const appCheckResult = await exchangeAppCheckToken(idToken);
-        console.log("[authenticateRequest] App Check exchange result:", appCheckResult);
-        if (appCheckResult.data?.token) {
-          appCheckTokenValue = appCheckResult.data.token;
-        }
-      } catch (error) {
-        console.warn("App Check token exchange failed:", error);
-      }
-      const headers = new Headers();
-      headers.set(
-        constants.Headers.AppCheckToken,
-        appCheckTokenValue || ""
-      );
-      const signedInRequestState = signedIn(context, data, headers, context.idTokenInCookie);
+      const signedInRequestState = signedIn(context, data, void 0, context.idTokenInCookie);
       return signedInRequestState;
     } catch (err) {
       return handleError(err, "cookie");
@@ -1943,23 +2353,7 @@ async function authenticateRequest(request, options) {
       if (errors) {
         throw errors[0];
       }
-      const { exchangeAppCheckToken } = getAuth(options);
-      let appCheckTokenValue;
-      try {
-        const token = sessionTokenInHeader || "";
-        const appCheckResult = await exchangeAppCheckToken(token);
-        if (appCheckResult.data?.token) {
-          appCheckTokenValue = appCheckResult.data.token;
-        }
-      } catch (error) {
-        console.warn("App Check token exchange failed:", error);
-      }
-      const headers = new Headers();
-      headers.set(
-        constants.Headers.AppCheckToken,
-        appCheckTokenValue || ""
-      );
-      const signedInRequestState = signedIn(context, data, headers, sessionTokenInHeader);
+      const signedInRequestState = signedIn(context, data, void 0, sessionTokenInHeader);
       return signedInRequestState;
     } catch (err) {
       return handleError(err, "header");
@@ -1973,17 +2367,8 @@ async function authenticateRequest(request, options) {
     if (isRequestForRefresh(err, context, request)) {
       const { data, error } = await handleRefresh();
       if (data) {
-        const { exchangeAppCheckToken } = getAuth(options);
-        let appCheckTokenValue;
-        try {
-          const appCheckResult = await exchangeAppCheckToken(data.token);
-          if (appCheckResult.data?.token) {
-            appCheckTokenValue = appCheckResult.data.token;
-          }
-        } catch (error2) {
-          console.warn("App Check token exchange failed in error handler:", error2);
-        }
-        return signedIn(context, data.decoded, data.headers, data.token);
+        const signedInState = signedIn(context, data.decoded, data.headers, data.token);
+        return signedInState;
       }
       if (error?.cause?.reason) {
         refreshError = error.cause.reason;
@@ -2161,7 +2546,7 @@ var PostgresAdapter = class {
 };
 // src/adapters/RedisAdapter.ts
-var import_redis = require("@upstash/redis");
+var import_redis2 = require("@upstash/redis");
 var TTLCache = class {
   cache = /* @__PURE__ */ new Map();
   defaultTTL;
@@ -2218,7 +2603,7 @@ var RedisAdapter = class {
   cache;
   keyPrefix;
   constructor(config) {
-    this.redis = new import_redis.Redis({
+    this.redis = new import_redis2.Redis({
       url: config.url,
       token: config.token
     });
@@ -2300,6 +2685,7 @@ function validateCheckRevokedOptions(options) {
   createAdapter,
   createBackendInstanceClient,
   createRedirect,
+  createRequestProcessor,
   createTernSecureRequest,
   disableDebugLogging,
   enableDebugLogging,
@@ -2307,6 +2693,7 @@ function validateCheckRevokedOptions(options) {
   signedIn,
   signedInAuthObject,
   signedOutAuthObject,
-  validateCheckRevokedOptions
+  validateCheckRevokedOptions,
+  verifyToken
 });
 //# sourceMappingURL=index.js.map