@tern-secure/backend 1.2.0-canary.v20251127221555 → 1.2.0-canary.v20251202162458

package/dist/auth/index.js

@@ -1,7 +1,9 @@
 "use strict";
+var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -15,112 +17,37 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/auth/index.ts
 var auth_exports = {};
 __export(auth_exports, {
+  ServiceAccountManager: () => ServiceAccountManager,
   getAuth: () => getAuth
 });
 module.exports = __toCommonJS(auth_exports);
 
-// src/jwt/customJwt.ts
-var import_jose = require("jose");
-var CustomTokenError = class extends Error {
-  constructor(message, code) {
-    super(message);
-    this.code = code;
-    this.name = "CustomTokenError";
-  }
-};
-var RESERVED_CLAIMS = [
-  "acr",
-  "amr",
-  "at_hash",
-  "aud",
-  "auth_time",
-  "azp",
-  "cnf",
-  "c_hash",
-  "exp",
-  "firebase",
-  "iat",
-  "iss",
-  "jti",
-  "nbf",
-  "nonce",
-  "sub"
-];
-async function createCustomTokenJwt(uid, developerClaims) {
-  try {
-    const privateKey = process.env.FIREBASE_PRIVATE_KEY;
-    const clientEmail = process.env.FIREBASE_CLIENT_EMAIL;
-    if (!privateKey || !clientEmail) {
-      return {
-        errors: [
-          new CustomTokenError(
-            "Missing FIREBASE_PRIVATE_KEY or FIREBASE_CLIENT_EMAIL environment variables",
-            "MISSING_ENV_VARS"
-          )
-        ]
-      };
-    }
-    if (!uid || typeof uid !== "string") {
-      return {
-        errors: [new CustomTokenError("uid must be a non-empty string", "INVALID_UID")]
-      };
-    }
-    if (uid.length > 128) {
-      return {
-        errors: [new CustomTokenError("uid must not exceed 128 characters", "UID_TOO_LONG")]
-      };
-    }
-    if (developerClaims) {
-      for (const claim of Object.keys(developerClaims)) {
-        if (RESERVED_CLAIMS.includes(claim)) {
-          return {
-            errors: [new CustomTokenError(`Custom claim '${claim}' is reserved`, "RESERVED_CLAIM")]
-          };
-        }
-      }
+// src/jwt/guardReturn.ts
+function createJwtGuard(decodedFn) {
+  return (...args) => {
+    const { data, errors } = decodedFn(...args);
+    if (errors) {
+      throw errors[0];
     }
-    const expiresIn = 3600;
-    const now = Math.floor(Date.now() / 1e3);
-    const parsedPrivateKey = await (0, import_jose.importPKCS8)(privateKey.replace(/\\n/g, "\n"), "RS256");
-    const payload = {
-      iss: clientEmail,
-      sub: clientEmail,
-      aud: "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
-      iat: now,
-      exp: now + expiresIn,
-      uid,
-      ...developerClaims
-    };
-    const jwt = await new import_jose.SignJWT(payload).setProtectedHeader({ alg: "RS256", typ: "JWT" }).setIssuedAt(now).setExpirationTime(now + expiresIn).setIssuer(clientEmail).setSubject(clientEmail).setAudience(
-      "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit"
-    ).sign(parsedPrivateKey);
-    return {
-      data: jwt
-    };
-  } catch (error) {
-    const message = error instanceof Error ? error.message : "Unknown error occurred";
-    return {
-      errors: [
-        new CustomTokenError(`Failed to create custom token: ${message}`, "TOKEN_CREATION_FAILED")
-      ]
-    };
-  }
-}
-async function createCustomToken(uid, developerClaims) {
-  const { data, errors } = await createCustomTokenJwt(uid, developerClaims);
-  if (errors) {
-    throw errors[0];
-  }
-  return data;
+    return data;
+  };
 }
 
 // src/jwt/verifyJwt.ts
-var import_jose3 = require("jose");
+var import_jose2 = require("jose");
 
 // src/utils/errors.ts
 var TokenVerificationErrorReason = {
@@ -163,6 +90,11 @@ function mapJwtPayloadToDecodedIdToken(payload) {
   decodedIdToken.uid = decodedIdToken.sub;
   return decodedIdToken;
 }
+function mapJwtPayloadToDecodedAppCheckToken(payload) {
+  const decodedAppCheckToken = payload;
+  decodedAppCheckToken.app_id = decodedAppCheckToken.sub;
+  return decodedAppCheckToken;
+}
 
 // src/utils/rfc4648.ts
 var base64url = {
@@ -241,10 +173,10 @@ function stringify(data, encoding, opts = {}) {
 }
 
 // src/jwt/cryptoKeys.ts
-var import_jose2 = require("jose");
+var import_jose = require("jose");
 async function importKey(key, algorithm) {
   if (typeof key === "object") {
-    const result = await (0, import_jose2.importJWK)(key, algorithm);
+    const result = await (0, import_jose.importJWK)(key, algorithm);
     if (result instanceof Uint8Array) {
       throw new Error("Unexpected Uint8Array result from JWK import");
     }
@@ -252,13 +184,13 @@ async function importKey(key, algorithm) {
   }
   const keyString = key.trim();
   if (keyString.includes("-----BEGIN CERTIFICATE-----")) {
-    return await (0, import_jose2.importX509)(keyString, algorithm);
+    return await (0, import_jose.importX509)(keyString, algorithm);
   }
   if (keyString.includes("-----BEGIN PUBLIC KEY-----")) {
-    return await (0, import_jose2.importSPKI)(keyString, algorithm);
+    return await (0, import_jose.importSPKI)(keyString, algorithm);
   }
   try {
-    return await (0, import_jose2.importSPKI)(keyString, algorithm);
+    return await (0, import_jose.importSPKI)(keyString, algorithm);
   } catch (error) {
     throw new Error(
       `Unsupported key format. Supported formats: X.509 certificate (PEM), SPKI (PEM), JWK (JSON object or string). Error: ${error}`
@@ -341,7 +273,7 @@ async function verifySignature(jwt, key) {
   const joseAlgorithm = header.alg || "RS256";
   try {
     const publicKey = await importKey(key, joseAlgorithm);
-    const { payload } = await (0, import_jose3.jwtVerify)(raw.text, publicKey);
+    const { payload } = await (0, import_jose2.jwtVerify)(raw.text, publicKey);
     return { data: payload };
   } catch (error) {
     return {
@@ -356,8 +288,8 @@ async function verifySignature(jwt, key) {
 }
 function ternDecodeJwt(token) {
   try {
-    const header = (0, import_jose3.decodeProtectedHeader)(token);
-    const payload = (0, import_jose3.decodeJwt)(token);
+    const header = (0, import_jose2.decodeProtectedHeader)(token);
+    const payload = (0, import_jose2.decodeJwt)(token);
     const tokenParts = (token || "").toString().split(".");
     if (tokenParts.length !== 3) {
       return {
@@ -424,179 +356,189 @@ async function verifyJwt(token, options) {
   const decodedIdToken = mapJwtPayloadToDecodedIdToken(verifiedPayload);
   return { data: decodedIdToken };
 }
-
-// src/constants.ts
-var GOOGLE_PUBLIC_KEYS_URL = "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com";
-var MAX_CACHE_LAST_UPDATED_AT_SECONDS = 5 * 60;
-var DEFAULT_CACHE_DURATION = 3600 * 1e3;
-var CACHE_CONTROL_REGEX = /max-age=(\d+)/;
-var Cookies = {
-  Session: "__session",
-  CsrfToken: "__terncf",
-  IdToken: "TernSecure_[DEFAULT]",
-  Refresh: "TernSecureID_[DEFAULT]",
-  Custom: "__custom",
-  TernAut: "tern_aut",
-  Handshake: "__ternsecure_handshake",
-  DevBrowser: "__ternsecure_db_jwt",
-  RedirectCount: "__ternsecure_redirect_count",
-  HandshakeNonce: "__ternsecure_handshake_nonce"
-};
-var QueryParameters = {
-  TernSynced: "__tern_synced",
-  SuffixedCookies: "suffixed_cookies",
-  TernRedirectUrl: "__tern_redirect_url",
-  // use the reference to Cookies to indicate that it's the same value
-  DevBrowser: Cookies.DevBrowser,
-  Handshake: Cookies.Handshake,
-  HandshakeHelp: "__tern_help",
-  LegacyDevBrowser: "__dev_session",
-  HandshakeReason: "__tern_hs_reason",
-  HandshakeNonce: Cookies.HandshakeNonce
-};
-
-// src/tokens/keys.ts
-var cache = {};
-var lastUpdatedAt = 0;
-var googleExpiresAt = 0;
-function getFromCache(kid) {
-  return cache[kid];
-}
-function getCacheValues() {
-  return Object.values(cache);
-}
-function setInCache(kid, certificate, shouldExpire = true) {
-  cache[kid] = certificate;
-  lastUpdatedAt = shouldExpire ? Date.now() : -1;
-}
-async function fetchPublicKeys(keyUrl) {
-  const url = new URL(keyUrl);
-  const response = await fetch(url);
-  if (!response.ok) {
-    throw new TokenVerificationError({
-      message: `Error loading public keys from ${url.href} with code=${response.status} `,
-      reason: TokenVerificationErrorReason.TokenInvalid
-    });
-  }
-  const data = await response.json();
-  const expiresAt = getExpiresAt(response);
-  return {
-    keys: data,
-    expiresAt
-  };
-}
-async function loadJWKFromRemote({
-  keyURL = GOOGLE_PUBLIC_KEYS_URL,
-  skipJwksCache,
-  kid
-}) {
-  if (skipJwksCache || isCacheExpired() || !getFromCache(kid)) {
-    const { keys, expiresAt } = await fetchPublicKeys(keyURL);
-    if (!keys || Object.keys(keys).length === 0) {
-      throw new TokenVerificationError({
-        message: `The JWKS endpoint ${keyURL} returned no keys`,
-        reason: TokenVerificationErrorReason.RemoteJWKFailedToLoad
-      });
-    }
-    googleExpiresAt = expiresAt;
-    Object.entries(keys).forEach(([keyId, cert2]) => {
-      setInCache(keyId, cert2);
-    });
-  }
-  const cert = getFromCache(kid);
-  if (!cert) {
-    getCacheValues();
-    const availableKids = Object.keys(cache).sort().join(", ");
-    throw new TokenVerificationError({
-      message: `No public key found for kid "${kid}". Available kids: [${availableKids}]`,
-      reason: TokenVerificationErrorReason.TokenInvalid
-    });
-  }
-  return cert;
-}
-function isCacheExpired() {
-  const now = Date.now();
-  if (lastUpdatedAt === -1) {
-    return false;
-  }
-  const cacheAge = now - lastUpdatedAt;
-  const maxCacheAge = MAX_CACHE_LAST_UPDATED_AT_SECONDS * 1e3;
-  const localCacheExpired = cacheAge >= maxCacheAge;
-  const googleCacheExpired = now >= googleExpiresAt;
-  const isExpired = localCacheExpired || googleCacheExpired;
-  if (isExpired) {
-    cache = {};
-  }
-  return isExpired;
-}
-function getExpiresAt(res) {
-  const cacheControlHeader = res.headers.get("cache-control");
-  if (!cacheControlHeader) {
-    return Date.now() + DEFAULT_CACHE_DURATION;
+async function verifyAppCheckSignature(jwt, getPublicKey2) {
+  const { header, raw } = jwt;
+  const joseAlgorithm = header.alg || "RS256";
+  try {
+    const key = await getPublicKey2();
+    const { payload } = await (0, import_jose2.jwtVerify)(raw.text, key);
+    return { data: payload };
+  } catch (error) {
+    return {
+      errors: [
+        new TokenVerificationError({
+          reason: TokenVerificationErrorReason.TokenInvalidSignature,
+          message: error.message
+        })
+      ]
+    };
   }
-  const maxAgeMatch = cacheControlHeader.match(CACHE_CONTROL_REGEX);
-  const maxAge = maxAgeMatch ? parseInt(maxAgeMatch[1], 10) : DEFAULT_CACHE_DURATION / 1e3;
-  return Date.now() + maxAge * 1e3;
 }
-
-// src/tokens/verify.ts
-async function verifyToken(token, options) {
-  const { data: decodedResult, errors } = ternDecodeJwt(token);
+async function verifyAppCheckJwt(token, options) {
+  const { key: getPublicKey2 } = options;
+  const clockSkew = options.clockSkewInMs || DEFAULT_CLOCK_SKEW_IN_MS;
+  const { data: decoded, errors } = ternDecodeJwt(token);
   if (errors) {
     return { errors };
   }
-  const { header } = decodedResult;
-  const { kid } = header;
-  if (!kid) {
+  const { header, payload } = decoded;
+  try {
+    verifyHeaderKid(header.kid);
+    verifySubClaim(payload.sub);
+    verifyExpirationClaim(payload.exp, clockSkew);
+    verifyIssuedAtClaim(payload.iat, clockSkew);
+  } catch (error) {
+    return { errors: [error] };
+  }
+  const { data: verifiedPayload, errors: signatureErrors } = await verifyAppCheckSignature(
+    decoded,
+    getPublicKey2
+  );
+  if (signatureErrors) {
     return {
       errors: [
         new TokenVerificationError({
-          reason: TokenVerificationErrorReason.TokenInvalid,
-          message: 'JWT "kid" header is missing.'
+          reason: TokenVerificationErrorReason.TokenInvalidSignature,
+          message: "Token signature verification failed."
         })
       ]
     };
   }
-  try {
-    const key = options.jwtKey || await loadJWKFromRemote({ ...options, kid });
-    if (!key) {
-      return {
-        errors: [
-          new TokenVerificationError({
-            reason: TokenVerificationErrorReason.TokenInvalid,
-            message: `No public key found for kid "${kid}".`
-          })
+  const decodedAppCheckToken = mapJwtPayloadToDecodedAppCheckToken(verifiedPayload);
+  return { data: decodedAppCheckToken };
+}
+
+// src/jwt/jwt.ts
+var import_jose3 = require("jose");
+
+// src/jwt/customJwt.ts
+var import_jose4 = require("jose");
+var CustomTokenError = class extends Error {
+  constructor(message, code) {
+    super(message);
+    this.code = code;
+    this.name = "CustomTokenError";
+  }
+};
+var RESERVED_CLAIMS = [
+  "acr",
+  "amr",
+  "at_hash",
+  "aud",
+  "auth_time",
+  "azp",
+  "cnf",
+  "c_hash",
+  "exp",
+  "firebase",
+  "iat",
+  "iss",
+  "jti",
+  "nbf",
+  "nonce",
+  "sub"
+];
+async function createCustomTokenJwt(uid, developerClaims) {
+  try {
+    const privateKey = process.env.FIREBASE_PRIVATE_KEY;
+    const clientEmail = process.env.FIREBASE_CLIENT_EMAIL;
+    if (!privateKey || !clientEmail) {
+      return {
+        errors: [
+          new CustomTokenError(
+            "Missing FIREBASE_PRIVATE_KEY or FIREBASE_CLIENT_EMAIL environment variables",
+            "MISSING_ENV_VARS"
+          )
         ]
       };
     }
-    return await verifyJwt(token, { ...options, key });
-  } catch (error) {
-    if (error instanceof TokenVerificationError) {
-      return { errors: [error] };
+    if (!uid || typeof uid !== "string") {
+      return {
+        errors: [new CustomTokenError("uid must be a non-empty string", "INVALID_UID")]
+      };
+    }
+    if (uid.length > 128) {
+      return {
+        errors: [new CustomTokenError("uid must not exceed 128 characters", "UID_TOO_LONG")]
+      };
+    }
+    if (developerClaims) {
+      for (const claim of Object.keys(developerClaims)) {
+        if (RESERVED_CLAIMS.includes(claim)) {
+          return {
+            errors: [new CustomTokenError(`Custom claim '${claim}' is reserved`, "RESERVED_CLAIM")]
+          };
+        }
+      }
     }
+    const expiresIn = 3600;
+    const now = Math.floor(Date.now() / 1e3);
+    const parsedPrivateKey = await (0, import_jose4.importPKCS8)(privateKey.replace(/\\n/g, "\n"), "RS256");
+    const payload = {
+      iss: clientEmail,
+      sub: clientEmail,
+      aud: "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
+      iat: now,
+      exp: now + expiresIn,
+      uid,
+      ...developerClaims
+    };
+    const jwt = await new import_jose4.SignJWT(payload).setProtectedHeader({ alg: "RS256", typ: "JWT" }).setIssuedAt(now).setExpirationTime(now + expiresIn).setIssuer(clientEmail).setSubject(clientEmail).setAudience(
+      "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit"
+    ).sign(parsedPrivateKey);
     return {
-      errors: [error]
+      data: jwt
+    };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Unknown error occurred";
+    return {
+      errors: [
+        new CustomTokenError(`Failed to create custom token: ${message}`, "TOKEN_CREATION_FAILED")
+      ]
     };
   }
 }
-
-// src/jwt/guardReturn.ts
-function createJwtGuard(decodedFn) {
-  return (...args) => {
-    const { data, errors } = decodedFn(...args);
-    if (errors) {
-      throw errors[0];
-    }
-    return data;
-  };
+async function createCustomToken(uid, developerClaims) {
+  const { data, errors } = await createCustomTokenJwt(uid, developerClaims);
+  if (errors) {
+    throw errors[0];
+  }
+  return data;
 }
 
-// src/jwt/jwt.ts
-var import_jose4 = require("jose");
-
 // src/jwt/signJwt.ts
 var import_jose5 = require("jose");
+
+// src/utils/fetcher.ts
+async function getDetailFromResponse(response) {
+  const json = await response.json();
+  if (!json) {
+    return "Missing error payload";
+  }
+  let detail = typeof json.error === "string" ? json.error : json.error?.message ?? "Missing error payload";
+  if (json.error_description) {
+    detail += " (" + json.error_description + ")";
+  }
+  return detail;
+}
+async function fetchText(url, init) {
+  return (await fetchAny(url, init)).text();
+}
+async function fetchJson(url, init) {
+  return (await fetchAny(url, init)).json();
+}
+async function fetchAny(url, init) {
+  const response = await fetch(url, init);
+  if (!response.ok) {
+    throw new Error(await getDetailFromResponse(response));
+  }
+  return response;
+}
+
+// src/jwt/types.ts
 var ALGORITHM_RS256 = "RS256";
+
+// src/jwt/signJwt.ts
 async function ternSignJwt(opts) {
   const { payload, privateKey, keyId } = opts;
   let key;
@@ -604,118 +546,553 @@ async function ternSignJwt(opts) {
     key = await (0, import_jose5.importPKCS8)(privateKey, ALGORITHM_RS256);
   } catch (error) {
     throw new TokenVerificationError({
-      message: `Failed to import private key: ${error.message}`,
+      message: `Failed to import private key: ${error.message}`,
+      reason: TokenVerificationErrorReason.TokenInvalid
+    });
+  }
+  return new import_jose5.SignJWT(payload).setProtectedHeader({ alg: ALGORITHM_RS256, kid: keyId }).sign(key);
+}
+function formatBase64(value) {
+  return value.replace(/\//g, "_").replace(/\+/g, "-").replace(/=+$/, "");
+}
+function encodeSegment(segment) {
+  const value = JSON.stringify(segment);
+  return formatBase64(import_jose5.base64url.encode(value));
+}
+async function ternSignBlob({
+  payload,
+  serviceAccountId,
+  accessToken
+}) {
+  const url = `https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${serviceAccountId}:signBlob`;
+  const header = {
+    alg: ALGORITHM_RS256,
+    typ: "JWT"
+  };
+  const token = `${encodeSegment(header)}.${encodeSegment(payload)}`;
+  const request = {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${accessToken}`
+    },
+    body: JSON.stringify({ payload: import_jose5.base64url.encode(token) })
+  };
+  const response = await fetchAny(url, request);
+  const blob = await response.blob();
+  const key = await blob.text();
+  const { signedBlob } = JSON.parse(key);
+  return `${token}.${formatBase64(signedBlob)}`;
+}
+
+// src/jwt/crypto-signer.ts
+var ServiceAccountSigner = class {
+  constructor(credential, tenantId) {
+    this.credential = credential;
+    this.tenantId = tenantId;
+  }
+  async getAccountId() {
+    return Promise.resolve(this.credential.clientEmail);
+  }
+  async sign(payload) {
+    if (this.tenantId) {
+      payload.tenant_id = this.tenantId;
+    }
+    return ternSignJwt({ payload, privateKey: this.credential.privateKey });
+  }
+};
+var IAMSigner = class {
+  algorithm = ALGORITHM_RS256;
+  credential;
+  tenantId;
+  serviceAccountId;
+  constructor(credential, tenantId, serviceAccountId) {
+    this.credential = credential;
+    this.tenantId = tenantId;
+    this.serviceAccountId = serviceAccountId;
+  }
+  async sign(payload) {
+    if (this.tenantId) {
+      payload.tenant_id = this.tenantId;
+    }
+    const serviceAccount = await this.getAccountId();
+    const accessToken = await this.credential.getAccessToken();
+    return ternSignBlob({
+      accessToken: accessToken.accessToken,
+      serviceAccountId: serviceAccount,
+      payload
+    });
+  }
+  async getAccountId() {
+    if (this.serviceAccountId) {
+      return this.serviceAccountId;
+    }
+    const token = await this.credential.getAccessToken();
+    const url = "http://metadata/computeMetadata/v1/instance/service-accounts/default/email";
+    const request = {
+      method: "GET",
+      headers: {
+        "Metadata-Flavor": "Google",
+        Authorization: `Bearer ${token.accessToken}`
+      }
+    };
+    return this.serviceAccountId = await fetchText(url, request);
+  }
+};
+
+// src/jwt/index.ts
+var ternDecodeJwt2 = createJwtGuard(ternDecodeJwt);
+
+// src/utils/token-generator.ts
+function cryptoSignerFromCredential(credential, tenantId, serviceAccountId) {
+  if (credential instanceof ServiceAccountManager) {
+    return new ServiceAccountSigner(credential, tenantId);
+  }
+  return new IAMSigner(credential, tenantId, serviceAccountId);
+}
+
+// src/app-check/AppCheckApi.ts
+function getSdkVersion() {
+  return "12.7.0";
+}
+var FIREBASE_APP_CHECK_CONFIG_HEADERS = {
+  "X-Firebase-Client": `fire-admin-node/${getSdkVersion()}`
+};
+var AppCheckApi = class {
+  constructor(credential) {
+    this.credential = credential;
+  }
+  async exchangeToken(params) {
+    const { projectId, appId, customToken, limitedUse = false } = params;
+    const token = await this.credential.getAccessToken(false);
+    if (!projectId || !appId) {
+      throw new Error("Project ID and App ID are required for App Check token exchange");
+    }
+    const endpoint = `https://firebaseappcheck.googleapis.com/v1/projects/${projectId}/apps/${appId}:exchangeCustomToken`;
+    const headers = {
+      "Content-Type": "application/json",
+      "Authorization": `Bearer ${token.accessToken}`
+    };
+    try {
+      const response = await fetch(endpoint, {
+        method: "POST",
+        headers,
+        body: JSON.stringify({ customToken, limitedUse })
+      });
+      if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(`App Check token exchange failed: ${response.status} ${errorText}`);
+      }
+      const data = await response.json();
+      return {
+        token: data.token,
+        ttl: data.ttl
+      };
+    } catch (error) {
+      console.warn("[ternsecure - appcheck api]unexpected error:", error);
+      throw error;
+    }
+  }
+  async exchangeDebugToken(params) {
+    const { projectId, appId, customToken, accessToken, limitedUse = false } = params;
+    if (!projectId || !appId) {
+      throw new Error("Project ID and App ID are required for App Check token exchange");
+    }
+    const endpoint = `https://firebaseappcheck.googleapis.com/v1beta/projects/${projectId}/apps/${appId}:exchangeDebugToken`;
+    const headers = {
+      ...FIREBASE_APP_CHECK_CONFIG_HEADERS,
+      "Authorization": `Bearer ${accessToken}`
+    };
+    const body = {
+      customToken,
+      limitedUse
+    };
+    try {
+      const response = await fetch(endpoint, {
+        method: "POST",
+        headers,
+        body: JSON.stringify(body)
+      });
+      if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(`App Check token exchange failed: ${response.status} ${errorText}`);
+      }
+      const data = await response.json();
+      return {
+        token: data.token,
+        ttl: data.ttl
+      };
+    } catch (error) {
+      console.warn("[ternsecure - appcheck api]unexpected error:", error);
+      throw error;
+    }
+  }
+};
+
+// src/constants.ts
+var GOOGLE_PUBLIC_KEYS_URL = "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com";
+var FIREBASE_APP_CHECK_AUDIENCE = "https://firebaseappcheck.googleapis.com/google.firebase.appcheck.v1.TokenExchangeService";
+var MAX_CACHE_LAST_UPDATED_AT_SECONDS = 5 * 60;
+var DEFAULT_CACHE_DURATION = 3600 * 1e3;
+var CACHE_CONTROL_REGEX = /max-age=(\d+)/;
+var TOKEN_EXPIRY_THRESHOLD_MILLIS = 5 * 60 * 1e3;
+var GOOGLE_TOKEN_AUDIENCE = "https://accounts.google.com/o/oauth2/token";
+var GOOGLE_AUTH_TOKEN_HOST = "accounts.google.com";
+var GOOGLE_AUTH_TOKEN_PATH = "/o/oauth2/token";
+var ONE_HOUR_IN_SECONDS = 60 * 60;
+var ONE_MINUTE_IN_SECONDS = 60;
+var ONE_MINUTE_IN_MILLIS = ONE_MINUTE_IN_SECONDS * 1e3;
+var ONE_DAY_IN_MILLIS = 24 * 60 * 60 * 1e3;
+var Cookies = {
+  Session: "__session",
+  CsrfToken: "__terncf",
+  IdToken: "TernSecure_[DEFAULT]",
+  Refresh: "TernSecureID_[DEFAULT]",
+  Custom: "__custom",
+  TernAut: "tern_aut",
+  Handshake: "__ternsecure_handshake",
+  DevBrowser: "__ternsecure_db_jwt",
+  RedirectCount: "__ternsecure_redirect_count",
+  HandshakeNonce: "__ternsecure_handshake_nonce"
+};
+var QueryParameters = {
+  TernSynced: "__tern_synced",
+  SuffixedCookies: "suffixed_cookies",
+  TernRedirectUrl: "__tern_redirect_url",
+  // use the reference to Cookies to indicate that it's the same value
+  DevBrowser: Cookies.DevBrowser,
+  Handshake: Cookies.Handshake,
+  HandshakeHelp: "__tern_help",
+  LegacyDevBrowser: "__dev_session",
+  HandshakeReason: "__tern_hs_reason",
+  HandshakeNonce: Cookies.HandshakeNonce
+};
+
+// src/app-check/generator.ts
+function transformMillisecondsToSecondsString(milliseconds) {
+  let duration;
+  const seconds = Math.floor(milliseconds / 1e3);
+  const nanos = Math.floor((milliseconds - seconds * 1e3) * 1e6);
+  if (nanos > 0) {
+    let nanoString = nanos.toString();
+    while (nanoString.length < 9) {
+      nanoString = "0" + nanoString;
+    }
+    duration = `${seconds}.${nanoString}s`;
+  } else {
+    duration = `${seconds}s`;
+  }
+  return duration;
+}
+var AppCheckTokenGenerator = class {
+  signer;
+  constructor(signer) {
+    this.signer = signer;
+  }
+  async createCustomToken(appId, options) {
+    if (!appId) {
+      throw new Error(
+        "appId is invalid"
+      );
+    }
+    let customOptions = {};
+    if (typeof options !== "undefined") {
+      customOptions = this.validateTokenOptions(options);
+    }
+    const account = await this.signer.getAccountId();
+    const iat = Math.floor(Date.now() / 1e3);
+    const body = {
+      iss: account,
+      sub: account,
+      app_id: appId,
+      aud: FIREBASE_APP_CHECK_AUDIENCE,
+      exp: iat + ONE_MINUTE_IN_SECONDS * 5,
+      iat,
+      ...customOptions
+    };
+    return this.signer.sign(body);
+  }
+  validateTokenOptions(options) {
+    if (typeof options.ttlMillis !== "undefined") {
+      if (options.ttlMillis < ONE_MINUTE_IN_MILLIS * 30 || options.ttlMillis > ONE_DAY_IN_MILLIS * 7) {
+        throw new Error(
+          "ttlMillis must be a duration in milliseconds between 30 minutes and 7 days (inclusive)."
+        );
+      }
+      return { ttl: transformMillisecondsToSecondsString(options.ttlMillis) };
+    }
+    return {};
+  }
+};
+
+// src/app-check/serverAppCheck.ts
+var import_redis = require("@upstash/redis");
+
+// src/utils/admin-init.ts
+var import_firebase_admin = __toESM(require("firebase-admin"));
+var import_app_check = require("firebase-admin/app-check");
+
+// src/utils/config.ts
+var loadAdminConfig = () => ({
+  projectId: process.env.FIREBASE_PROJECT_ID || "",
+  clientEmail: process.env.FIREBASE_CLIENT_EMAIL || "",
+  privateKey: process.env.FIREBASE_PRIVATE_KEY || ""
+});
+var validateAdminConfig = (config) => {
+  const requiredFields = [
+    "projectId",
+    "clientEmail",
+    "privateKey"
+  ];
+  const errors = [];
+  requiredFields.forEach((field) => {
+    if (!config[field]) {
+      errors.push(`Missing required field: FIREBASE_${String(field).toUpperCase()}`);
+    }
+  });
+  return {
+    isValid: errors.length === 0,
+    errors,
+    config
+  };
+};
+var initializeAdminConfig = () => {
+  const config = loadAdminConfig();
+  const validationResult = validateAdminConfig(config);
+  if (!validationResult.isValid) {
+    throw new Error(
+      `Firebase Admin configuration validation failed:
+${validationResult.errors.join("\n")}`
+    );
+  }
+  return config;
+};
+
+// src/utils/admin-init.ts
+if (!import_firebase_admin.default.apps.length) {
+  try {
+    const config = initializeAdminConfig();
+    import_firebase_admin.default.initializeApp({
+      credential: import_firebase_admin.default.credential.cert({
+        ...config,
+        privateKey: config.privateKey.replace(/\\n/g, "\n")
+      })
+    });
+  } catch (error) {
+    console.error("Firebase admin initialization error", error);
+  }
+}
+var adminTernSecureAuth = import_firebase_admin.default.auth();
+var adminTernSecureDb = import_firebase_admin.default.firestore();
+var TernSecureTenantManager = import_firebase_admin.default.auth().tenantManager();
+var appCheckAdmin = (0, import_app_check.getAppCheck)();
+
+// src/app-check/verifier.ts
+var import_jose6 = require("jose");
+var getPublicKey = async (header, keyURL) => {
+  const jswksUrl = new URL(keyURL);
+  const getKey = (0, import_jose6.createRemoteJWKSet)(jswksUrl);
+  return getKey(header);
+};
+var verifyAppCheckToken = async (token, options) => {
+  const { data: decodedResult, errors } = ternDecodeJwt(token);
+  if (errors) {
+    throw errors[0];
+  }
+  const { header } = decodedResult;
+  const { kid } = header;
+  if (!kid) {
+    return {
+      errors: [
+        new TokenVerificationError({
+          reason: TokenVerificationErrorReason.TokenInvalid,
+          message: 'JWT "kid" header is missing.'
+        })
+      ]
+    };
+  }
+  try {
+    const getPublicKeyForToken = () => getPublicKey(header, options.keyURL || "");
+    return await verifyAppCheckJwt(token, { ...options, key: getPublicKeyForToken });
+  } catch (error) {
+    if (error instanceof TokenVerificationError) {
+      return { errors: [error] };
+    }
+    return {
+      errors: [error]
+    };
+  }
+};
+var AppcheckTokenVerifier = class {
+  constructor(credential) {
+    this.credential = credential;
+  }
+  verifyToken = async (token, projectId, options) => {
+    const { data, errors } = await verifyAppCheckToken(token, options);
+    if (errors) {
+      throw errors[0];
+    }
+    return data;
+  };
+};
+
+// src/app-check/index.ts
+var JWKS_URL = "https://firebaseappcheck.googleapis.com/v1/jwks";
+var AppCheck = class {
+  client;
+  tokenGenerator;
+  appCheckTokenVerifier;
+  limitedUse;
+  constructor(credential, tenantId, limitedUse) {
+    this.client = new AppCheckApi(credential);
+    this.tokenGenerator = new AppCheckTokenGenerator(
+      cryptoSignerFromCredential(credential, tenantId)
+    );
+    this.appCheckTokenVerifier = new AppcheckTokenVerifier(credential);
+    this.limitedUse = limitedUse;
+  }
+  createToken = (projectId, appId, options) => {
+    return this.tokenGenerator.createCustomToken(appId, options).then((customToken) => {
+      return this.client.exchangeToken({ customToken, projectId, appId });
+    });
+  };
+  verifyToken = async (appCheckToken, projectId, options) => {
+    return this.appCheckTokenVerifier.verifyToken(appCheckToken, projectId, { keyURL: JWKS_URL, ...options }).then((decodedToken) => {
+      return {
+        appId: decodedToken.app_id,
+        token: decodedToken
+      };
+    });
+  };
+};
+function getAppCheck2(serviceAccount, tenantId, limitedUse) {
+  return new AppCheck(new ServiceAccountManager(serviceAccount), tenantId, limitedUse);
+}
+
+// src/tokens/keys.ts
+var cache = {};
+var lastUpdatedAt = 0;
+var googleExpiresAt = 0;
+function getFromCache(kid) {
+  return cache[kid];
+}
+function getCacheValues() {
+  return Object.values(cache);
+}
+function setInCache(kid, certificate, shouldExpire = true) {
+  cache[kid] = certificate;
+  lastUpdatedAt = shouldExpire ? Date.now() : -1;
+}
+async function fetchPublicKeys(keyUrl) {
+  const url = new URL(keyUrl);
+  const response = await fetch(url);
+  if (!response.ok) {
+    throw new TokenVerificationError({
+      message: `Error loading public keys from ${url.href} with code=${response.status} `,
+      reason: TokenVerificationErrorReason.TokenInvalid
+    });
+  }
+  const data = await response.json();
+  const expiresAt = getExpiresAt(response);
+  return {
+    keys: data,
+    expiresAt
+  };
+}
+async function loadJWKFromRemote({
+  keyURL,
+  skipJwksCache,
+  kid
+}) {
+  const finalKeyURL = keyURL || GOOGLE_PUBLIC_KEYS_URL;
+  if (skipJwksCache || isCacheExpired() || !getFromCache(kid)) {
+    const { keys, expiresAt } = await fetchPublicKeys(finalKeyURL);
+    if (!keys || Object.keys(keys).length === 0) {
+      throw new TokenVerificationError({
+        message: `The JWKS endpoint ${finalKeyURL} returned no keys`,
+        reason: TokenVerificationErrorReason.RemoteJWKFailedToLoad
+      });
+    }
+    googleExpiresAt = expiresAt;
+    Object.entries(keys).forEach(([keyId, cert2]) => {
+      setInCache(keyId, cert2);
+    });
+  }
+  const cert = getFromCache(kid);
+  if (!cert) {
+    getCacheValues();
+    const availableKids = Object.keys(cache).sort().join(", ");
+    throw new TokenVerificationError({
+      message: `No public key found for kid "${kid}". Available kids: [${availableKids}]`,
       reason: TokenVerificationErrorReason.TokenInvalid
     });
   }
-  return new import_jose5.SignJWT(payload).setProtectedHeader({ alg: ALGORITHM_RS256, kid: keyId }).sign(key);
+  return cert;
 }
-
-// src/jwt/index.ts
-var ternDecodeJwt2 = createJwtGuard(ternDecodeJwt);
-
-// src/auth/constants.ts
-var TOKEN_EXPIRY_THRESHOLD_MILLIS = 5 * 60 * 1e3;
-var GOOGLE_TOKEN_AUDIENCE = "https://accounts.google.com/o/oauth2/token";
-var GOOGLE_AUTH_TOKEN_HOST = "accounts.google.com";
-var GOOGLE_AUTH_TOKEN_PATH = "/o/oauth2/token";
-var ONE_HOUR_IN_SECONDS = 60 * 60;
-
-// src/auth/utils.ts
-async function getDetailFromResponse(response) {
-  const json = await response.json();
-  if (!json) {
-    return "Missing error payload";
+function isCacheExpired() {
+  const now = Date.now();
+  if (lastUpdatedAt === -1) {
+    return false;
   }
-  let detail = typeof json.error === "string" ? json.error : json.error?.message ?? "Missing error payload";
-  if (json.error_description) {
-    detail += " (" + json.error_description + ")";
+  const cacheAge = now - lastUpdatedAt;
+  const maxCacheAge = MAX_CACHE_LAST_UPDATED_AT_SECONDS * 1e3;
+  const localCacheExpired = cacheAge >= maxCacheAge;
+  const googleCacheExpired = now >= googleExpiresAt;
+  const isExpired = localCacheExpired || googleCacheExpired;
+  if (isExpired) {
+    cache = {};
   }
-  return detail;
-}
-async function fetchJson(url, init) {
-  return (await fetchAny(url, init)).json();
+  return isExpired;
 }
-async function fetchAny(url, init) {
-  const response = await fetch(url, init);
-  if (!response.ok) {
-    throw new Error(await getDetailFromResponse(response));
+function getExpiresAt(res) {
+  const cacheControlHeader = res.headers.get("cache-control");
+  if (!cacheControlHeader) {
+    return Date.now() + DEFAULT_CACHE_DURATION;
   }
-  return response;
+  const maxAgeMatch = cacheControlHeader.match(CACHE_CONTROL_REGEX);
+  const maxAge = maxAgeMatch ? parseInt(maxAgeMatch[1], 10) : DEFAULT_CACHE_DURATION / 1e3;
+  return Date.now() + maxAge * 1e3;
 }
 
-// src/auth/credential.ts
-var accessTokenCache = /* @__PURE__ */ new Map();
-async function requestAccessToken(urlString, init) {
-  const json = await fetchJson(urlString, init);
-  if (!json.access_token || !json.expires_in) {
-    throw new Error("Invalid access token response");
+// src/tokens/verify.ts
+async function verifyToken(token, options) {
+  const { data: decodedResult, errors } = ternDecodeJwt(token);
+  if (errors) {
+    return { errors };
   }
-  return {
-    accessToken: json.access_token,
-    expirationTime: Date.now() + json.expires_in * 1e3
-  };
-}
-var ServiceAccountTokenManager = class {
-  projectId;
-  privateKey;
-  clientEmail;
-  constructor(serviceAccount) {
-    this.projectId = serviceAccount.projectId;
-    this.privateKey = serviceAccount.privateKey;
-    this.clientEmail = serviceAccount.clientEmail;
+  const { header } = decodedResult;
+  const { kid } = header;
+  if (!kid) {
+    return {
+      errors: [
+        new TokenVerificationError({
+          reason: TokenVerificationErrorReason.TokenInvalid,
+          message: 'JWT "kid" header is missing.'
+        })
+      ]
+    };
   }
-  fetchAccessToken = async (url) => {
-    const token = await this.createJwt();
-    const postData = "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=" + token;
-    return requestAccessToken(url, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/x-www-form-urlencoded",
-        Authorization: `Bearer ${token}`,
-        Accept: "application/json"
-      },
-      body: postData
-    });
-  };
-  fetchAndCacheAccessToken = async (url) => {
-    const accessToken = await this.fetchAccessToken(url);
-    accessTokenCache.set(this.projectId, accessToken);
-    return accessToken;
-  };
-  getAccessToken = async (refresh) => {
-    const url = `https://${GOOGLE_AUTH_TOKEN_HOST}${GOOGLE_AUTH_TOKEN_PATH}`;
-    if (refresh) {
-      return this.fetchAndCacheAccessToken(url);
+  try {
+    const key = options.jwtKey || await loadJWKFromRemote({ ...options, kid });
+    if (!key) {
+      return {
+        errors: [
+          new TokenVerificationError({
+            reason: TokenVerificationErrorReason.TokenInvalid,
+            message: `No public key found for kid "${kid}".`
+          })
+        ]
+      };
     }
-    const cachedResponse = accessTokenCache.get(this.projectId);
-    if (!cachedResponse || cachedResponse.expirationTime - Date.now() <= TOKEN_EXPIRY_THRESHOLD_MILLIS) {
-      return this.fetchAndCacheAccessToken(url);
+    return await verifyJwt(token, { ...options, key });
+  } catch (error) {
+    if (error instanceof TokenVerificationError) {
+      return { errors: [error] };
     }
-    return cachedResponse;
-  };
-  createJwt = async () => {
-    const iat = Math.floor(Date.now() / 1e3);
-    const payload = {
-      aud: GOOGLE_TOKEN_AUDIENCE,
-      iat,
-      exp: iat + ONE_HOUR_IN_SECONDS,
-      iss: this.clientEmail,
-      sub: this.clientEmail,
-      scope: [
-        "https://www.googleapis.com/auth/cloud-platform",
-        "https://www.googleapis.com/auth/firebase.database",
-        "https://www.googleapis.com/auth/firebase.messaging",
-        "https://www.googleapis.com/auth/identitytoolkit",
-        "https://www.googleapis.com/auth/userinfo.email"
-      ].join(" ")
+    return {
+      errors: [error]
     };
-    return ternSignJwt({
-      payload,
-      privateKey: this.privateKey
-    });
-  };
-};
+  }
+}
 
 // src/auth/getauth.ts
 var API_KEY_ERROR = "API Key is required";
@@ -731,17 +1108,8 @@ function parseFirebaseResponse(data) {
   return data;
 }
 function getAuth(options) {
-  const { apiKey, firebaseAdminConfig } = options;
-  const firebaseApiKey = options.firebaseConfig?.apiKey;
-  const effectiveApiKey = apiKey || firebaseApiKey;
-  let credential = null;
-  if (firebaseAdminConfig?.projectId && firebaseAdminConfig?.privateKey && firebaseAdminConfig?.clientEmail) {
-    credential = new ServiceAccountTokenManager({
-      projectId: firebaseAdminConfig.projectId,
-      privateKey: firebaseAdminConfig.privateKey,
-      clientEmail: firebaseAdminConfig.clientEmail
-    });
-  }
+  const { apiKey } = options;
+  const effectiveApiKey = apiKey || process.env.NEXT_PUBLIC_FIREBASE_API_KEY;
   async function getUserData(idToken, localId) {
     if (!effectiveApiKey) {
       throw new Error(API_KEY_ERROR);
@@ -826,43 +1194,12 @@ function getAuth(options) {
       auth_time: decodedCustomIdToken.data.auth_time
     };
   }
-  async function exchangeAppCheckToken(idToken) {
-    if (!credential) {
-      return {
-        data: null,
-        error: new Error(
-          "Firebase Admin config must be provided to exchange App Check tokens."
-        )
-      };
-    }
-    if (!effectiveApiKey) {
-      return { data: null, error: new Error(API_KEY_ERROR) };
-    }
+  async function createAppCheckToken() {
+    const adminConfig = loadAdminConfig();
+    const appId = process.env.NEXT_PUBLIC_FIREBASE_APP_ID || "";
+    const appCheck = getAppCheck2(adminConfig, options.tenantId);
     try {
-      const decoded = await verifyToken(idToken, options);
-      if (decoded.errors) {
-        return { data: null, error: decoded.errors[0] };
-      }
-      const customToken = await createCustomToken(decoded.data.uid, {
-        emailVerified: decoded.data.email_verified,
-        source_sign_in_provider: decoded.data.firebase.sign_in_provider
-      });
-      const projectId = options.firebaseConfig?.projectId;
-      const appId = options.firebaseConfig?.appId;
-      if (!projectId || !appId) {
-        return { data: null, error: new Error("Project ID and App ID are required for App Check") };
-      }
-      const { accessToken } = await credential.getAccessToken();
-      const appCheckResponse = await options.apiClient?.appCheck.exchangeCustomToken({
-        accessToken,
-        projectId,
-        appId,
-        customToken,
-        limitedUse: false
-      });
-      if (!appCheckResponse?.token) {
-        return { data: null, error: new Error("Failed to exchange for App Check token") };
-      }
+      const appCheckResponse = await appCheck.createToken(adminConfig.projectId, appId);
       return {
         data: {
           token: appCheckResponse.token,
@@ -874,16 +1211,104 @@ function getAuth(options) {
       return { data: null, error };
     }
   }
+  async function verifyAppCheckToken2(token) {
+    const adminConfig = loadAdminConfig();
+    const appCheck = getAppCheck2(adminConfig, options.tenantId);
+    try {
+      const decodedToken = await appCheck.verifyToken(token, adminConfig.projectId, {});
+      return {
+        data: decodedToken,
+        error: null
+      };
+    } catch (error) {
+      return { data: null, error };
+    }
+  }
   return {
     getUserData,
     customForIdAndRefreshToken,
     createCustomIdAndRefreshToken,
     refreshExpiredIdToken,
-    exchangeAppCheckToken
+    createAppCheckToken,
+    verifyAppCheckToken: verifyAppCheckToken2
+  };
+}
+
+// src/auth/credential.ts
+var accessTokenCache = /* @__PURE__ */ new Map();
+async function requestAccessToken(urlString, init) {
+  const json = await fetchJson(urlString, init);
+  if (!json.access_token || !json.expires_in) {
+    throw new Error("Invalid access token response");
+  }
+  return {
+    accessToken: json.access_token,
+    expirationTime: Date.now() + json.expires_in * 1e3
   };
 }
+var ServiceAccountManager = class {
+  projectId;
+  privateKey;
+  clientEmail;
+  constructor(serviceAccount) {
+    this.projectId = serviceAccount.projectId;
+    this.privateKey = serviceAccount.privateKey;
+    this.clientEmail = serviceAccount.clientEmail;
+  }
+  fetchAccessToken = async (url) => {
+    const token = await this.createJwt();
+    const postData = "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=" + token;
+    return requestAccessToken(url, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Authorization: `Bearer ${token}`,
+        Accept: "application/json"
+      },
+      body: postData
+    });
+  };
+  fetchAndCacheAccessToken = async (url) => {
+    const accessToken = await this.fetchAccessToken(url);
+    accessTokenCache.set(this.projectId, accessToken);
+    return accessToken;
+  };
+  getAccessToken = async (refresh) => {
+    const url = `https://${GOOGLE_AUTH_TOKEN_HOST}${GOOGLE_AUTH_TOKEN_PATH}`;
+    if (refresh) {
+      return this.fetchAndCacheAccessToken(url);
+    }
+    const cachedResponse = accessTokenCache.get(this.projectId);
+    if (!cachedResponse || cachedResponse.expirationTime - Date.now() <= TOKEN_EXPIRY_THRESHOLD_MILLIS) {
+      return this.fetchAndCacheAccessToken(url);
+    }
+    return cachedResponse;
+  };
+  createJwt = async () => {
+    const iat = Math.floor(Date.now() / 1e3);
+    const payload = {
+      aud: GOOGLE_TOKEN_AUDIENCE,
+      iat,
+      exp: iat + ONE_HOUR_IN_SECONDS,
+      iss: this.clientEmail,
+      sub: this.clientEmail,
+      scope: [
+        "https://www.googleapis.com/auth/cloud-platform",
+        "https://www.googleapis.com/auth/firebase.database",
+        "https://www.googleapis.com/auth/firebase.messaging",
+        "https://www.googleapis.com/auth/identitytoolkit",
+        "https://www.googleapis.com/auth/userinfo.email"
+      ].join(" ")
+    };
+    return ternSignJwt({
+      payload,
+      privateKey: this.privateKey
+    });
+  };
+};
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  ServiceAccountManager,
   getAuth
 });
 //# sourceMappingURL=index.js.map