@thunderid/nuxt 0.0.1

package/dist/runtime/server/routes/auth/user/profile.get.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import type { UserProfile } from '@thunderid/node';
+/**
+ * GET /api/auth/user/profile
+ *
+ * Returns the full SCIM2 {@link UserProfile} (with `flattenedProfile` and
+ * `schemas`) for the authenticated user.  Used by `ThunderIDRoot.revalidateProfile`
+ * to refresh client-side state after a profile update.
+ *
+ * Mirrors `getUserProfileAction` in the Next.js SDK.
+ */
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<UserProfile>>;
+export default _default;

package/dist/runtime/server/routes/auth/user/profile.get.js

@@ -0,0 +1,24 @@
+import { defineEventHandler, createError } from "h3";
+import ThunderIDNuxtClient from "../../../ThunderIDNuxtClient.js";
+import { verifyAndRehydrateSession } from "../../../utils/serverSession.js";
+import { useRuntimeConfig } from "#imports";
+export default defineEventHandler(async (event) => {
+  const config = useRuntimeConfig();
+  const sessionSecret = config.thunderid?.sessionSecret;
+  const session = await verifyAndRehydrateSession(
+    event,
+    sessionSecret
+  );
+  if (!session) {
+    throw createError({ statusCode: 401, statusMessage: "Unauthorized: Invalid or expired session." });
+  }
+  try {
+    const client = ThunderIDNuxtClient.getInstance();
+    return await client.getUserProfile(session.sessionId);
+  } catch (err) {
+    throw createError({
+      statusCode: 500,
+      statusMessage: `Failed to retrieve user profile: ${err instanceof Error ? err.message : String(err)}`
+    });
+  }
+});

package/dist/runtime/server/routes/auth/user/profile.patch.d.ts

@@ -0,0 +1,35 @@
+/**
+ * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import type { User } from '@thunderid/node';
+/**
+ * PATCH /api/auth/user/profile
+ *
+ * Updates the SCIM2 /Me profile for the authenticated user.
+ * Mirrors the `updateUserProfileAction` Next.js server action.
+ *
+ * Request body: {@link UpdateMeProfileConfig} (the SCIM patch payload).
+ * Response: `{ data: { user: User }; success: boolean; error: string }`
+ */
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<{
+    data: {
+        user: User;
+    };
+    error: string;
+    success: boolean;
+}>>;
+export default _default;

package/dist/runtime/server/routes/auth/user/profile.patch.js

@@ -0,0 +1,41 @@
+import { Platform } from "@thunderid/node";
+import { defineEventHandler, readBody, createError } from "h3";
+import ThunderIDNuxtClient from "../../../ThunderIDNuxtClient.js";
+import { verifyAndRehydrateSession } from "../../../utils/serverSession.js";
+import { useRuntimeConfig } from "#imports";
+export default defineEventHandler(
+  async (event) => {
+    const config = useRuntimeConfig();
+    const sessionSecret = config.thunderid?.sessionSecret;
+    const publicConfig = config.public.thunderid;
+    if (publicConfig?.platform === Platform.ThunderIDV2) {
+      throw createError({
+        statusCode: 501,
+        statusMessage: "Profile updates are not supported for the ThunderIDV2 (Thunder) platform."
+      });
+    }
+    const session = await verifyAndRehydrateSession(
+      event,
+      sessionSecret
+    );
+    if (!session) {
+      throw createError({ statusCode: 401, statusMessage: "Unauthorized: Invalid or expired session." });
+    }
+    let payload;
+    try {
+      payload = await readBody(event);
+    } catch {
+      throw createError({ statusCode: 400, statusMessage: "Invalid request body." });
+    }
+    try {
+      const client = ThunderIDNuxtClient.getInstance();
+      const user = await client.updateUserProfile(payload, session.sessionId);
+      return { data: { user }, error: "", success: true };
+    } catch (err) {
+      throw createError({
+        statusCode: 500,
+        statusMessage: `Failed to update user profile: ${err instanceof Error ? err.message : String(err)}`
+      });
+    }
+  }
+);

package/dist/runtime/server/routes/auth/user/user.get.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+/**
+ * GET /api/auth/user
+ *
+ * Returns user information for the current session.
+ * Requires a valid session.
+ */
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<import("@thunderid/javascript").User>>;
+export default _default;

package/dist/runtime/server/routes/auth/user/user.get.js

@@ -0,0 +1,21 @@
+import { defineEventHandler, createError } from "h3";
+import ThunderIDNuxtClient from "../../../ThunderIDNuxtClient.js";
+import { verifyAndRehydrateSession } from "../../../utils/serverSession.js";
+import { useRuntimeConfig } from "#imports";
+export default defineEventHandler(async (event) => {
+  const config = useRuntimeConfig();
+  const sessionSecret = config.thunderid?.sessionSecret;
+  const session = await verifyAndRehydrateSession(
+    event,
+    sessionSecret
+  );
+  if (!session) {
+    throw createError({ statusCode: 401, statusMessage: "Unauthorized: Invalid or expired session." });
+  }
+  try {
+    const client = ThunderIDNuxtClient.getInstance();
+    return await client.getUser(session.sessionId);
+  } catch {
+    throw createError({ statusCode: 500, statusMessage: "Failed to retrieve user information." });
+  }
+});

package/dist/runtime/server/utils/event-context.d.ts

@@ -0,0 +1,49 @@
+/**
+ * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import type { H3Event } from 'h3';
+import type { ThunderIDSessionPayload, ThunderIDSSRData } from '../../types.js';
+/**
+ * The typed shape of `event.context.thunderid` set by the ThunderID Nitro plugin
+ * on every SSR request.
+ */
+export interface ThunderIDEventContext {
+    /** Convenience boolean derived from the session presence. */
+    isSignedIn: boolean;
+    /** The decoded session payload, or null when the user is not signed in. */
+    session: ThunderIDSessionPayload | null;
+    /** SSR-prefetched data (user profile, orgs, branding). Present only after the SSR plugin runs. */
+    ssr?: ThunderIDSSRData;
+}
+/**
+ * Typed accessor for `event.context.thunderid`.
+ *
+ * Returns null when called before the ThunderID SSR plugin has populated
+ * the context (e.g. in non-Nuxt Nitro routes that run before the plugin).
+ *
+ * @example
+ * ```ts
+ * import { getThunderIDContext } from '@thunderid/nuxt/server';
+ *
+ * export default defineEventHandler((event) => {
+ *   const ctx = getThunderIDContext(event);
+ *   if (!ctx?.isSignedIn) throw createError({ statusCode: 401 });
+ *   return { userId: ctx.session!.sub };
+ * });
+ * ```
+ */
+export declare function getThunderIDContext(event: H3Event): ThunderIDEventContext | null;

package/dist/runtime/server/utils/event-context.js

@@ -0,0 +1,3 @@
+export function getThunderIDContext(event) {
+  return event.context.thunderid ?? null;
+}

package/dist/runtime/server/utils/serverSession.d.ts

@@ -0,0 +1,65 @@
+/**
+ * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import type { H3Event } from 'h3';
+import type { ThunderIDSessionPayload } from '../../types.js';
+/**
+ * Get the current session from the request cookie.
+ * Returns the session payload if valid, or null if no session exists.
+ *
+ * Use this in custom server API routes to access session data.
+ *
+ * @example
+ * ```ts
+ * // server/api/me.get.ts
+ * export default defineEventHandler(async (event) => {
+ *   const session = await useServerSession(event);
+ *   if (!session) {
+ *     throw createError({ statusCode: 401, statusMessage: 'Unauthorized' });
+ *   }
+ *   return { sessionId: session.sessionId, sub: session.sub };
+ * });
+ * ```
+ */
+export declare function useServerSession(event: H3Event): Promise<ThunderIDSessionPayload | null>;
+/**
+ * Get the current session or throw a 401 error.
+ * Use this when the route must be authenticated.
+ *
+ * @example
+ * ```ts
+ * // server/api/protected-data.get.ts
+ * export default defineEventHandler(async (event) => {
+ *   const session = await requireServerSession(event);
+ *   // session is guaranteed to be non-null here
+ *   return { userId: session.sub };
+ * });
+ * ```
+ */
+export declare function requireServerSession(event: H3Event): Promise<ThunderIDSessionPayload>;
+/**
+ * Verify the session cookie and rehydrate the legacy in-memory token store
+ * from its payload. Used internally by the SDK's SSR plugin and /api/auth/*
+ * routes so that subsequent calls which look up tokens by `sessionId`
+ * (`getAccessToken`, `getUser`, `getDecodedIdToken`, `signOut`) still succeed
+ * after a server restart, when the in-memory store is empty but the signed
+ * session cookie is still valid.
+ *
+ * Returns `null` for missing or invalid cookies — callers decide whether to
+ * 401 or silently treat the user as unauthenticated.
+ */
+export declare function verifyAndRehydrateSession(event: H3Event, sessionSecret?: string): Promise<ThunderIDSessionPayload | null>;

package/dist/runtime/server/utils/serverSession.js

@@ -0,0 +1,44 @@
+import { getCookie, createError } from "h3";
+import { verifySessionToken, getSessionCookieName } from "./session.js";
+import ThunderIDNuxtClient from "../ThunderIDNuxtClient.js";
+import { useRuntimeConfig } from "#imports";
+export async function useServerSession(event) {
+  const config = useRuntimeConfig();
+  const sessionSecret = config.thunderid?.sessionSecret;
+  const sessionCookie = getCookie(event, getSessionCookieName());
+  if (!sessionCookie) {
+    return null;
+  }
+  try {
+    return await verifySessionToken(sessionCookie, sessionSecret);
+  } catch {
+    return null;
+  }
+}
+export async function requireServerSession(event) {
+  const session = await useServerSession(event);
+  if (!session) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: "Unauthorized: Authentication required."
+    });
+  }
+  return session;
+}
+export async function verifyAndRehydrateSession(event, sessionSecret) {
+  const sessionCookie = getCookie(event, getSessionCookieName());
+  if (!sessionCookie) {
+    return null;
+  }
+  let session;
+  try {
+    session = await verifySessionToken(sessionCookie, sessionSecret);
+  } catch {
+    return null;
+  }
+  try {
+    await ThunderIDNuxtClient.getInstance().rehydrateSessionFromPayload(session);
+  } catch {
+  }
+  return session;
+}

package/dist/runtime/server/utils/session.d.ts

@@ -0,0 +1,85 @@
+/**
+ * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import type { TokenResponse } from '@thunderid/node';
+import type { H3Event } from 'h3';
+import type { ThunderIDSessionPayload } from '../../types.js';
+/**
+ * Create a signed JWT session token.
+ */
+export declare function createSessionToken(params: {
+    accessToken: string;
+    /** Unix timestamp (seconds) when the access token expires. */
+    accessTokenExpiresAt?: number;
+    expirySeconds?: number;
+    /** Raw ID token string. */
+    idToken?: string;
+    organizationId?: string;
+    /** Refresh token for silent re-auth. */
+    refreshToken?: string;
+    scopes: string;
+    sessionId: string;
+    userId: string;
+}, sessionSecret?: string): Promise<string>;
+/**
+ * Create a signed JWT temp session token (used during OAuth flow).
+ */
+export declare function createTempSessionToken(sessionId: string, sessionSecret?: string, returnTo?: string): Promise<string>;
+/**
+ * Verify and decode a session JWT.
+ */
+export declare function verifySessionToken(token: string, sessionSecret?: string): Promise<ThunderIDSessionPayload>;
+/**
+ * Verify and decode a temp session JWT.
+ */
+export declare function verifyTempSessionToken(token: string, sessionSecret?: string): Promise<{
+    returnTo?: string;
+    sessionId: string;
+}>;
+/**
+ * Session cookie name.
+ */
+export declare function getSessionCookieName(): string;
+/**
+ * Temp session cookie name.
+ */
+export declare function getTempSessionCookieName(): string;
+/**
+ * Session cookie options.
+ */
+type SessionCookieOptions = {
+    httpOnly: boolean;
+    maxAge: number;
+    path: string;
+    sameSite: 'lax';
+    secure: boolean;
+};
+export declare function getSessionCookieOptions(): SessionCookieOptions;
+/**
+ * Temp session cookie options (15 min TTL).
+ */
+export declare function getTempSessionCookieOptions(): SessionCookieOptions;
+/**
+ * Decode a token response into a signed session JWT and write it as the
+ * session cookie on the H3 event.
+ *
+ * Extracted from the inline blocks in `callback.get.ts` and
+ * `organizations/switch.post.ts` so that all three callers (callback.get,
+ * switch.post, and the new `signin.post`) share one implementation.
+ */
+export declare function issueSessionCookie(event: H3Event, sessionId: string, tokenResponse: TokenResponse, sessionSecret?: string): Promise<void>;
+export {};

package/dist/runtime/server/utils/session.js

@@ -0,0 +1,106 @@
+import { CookieConfig } from "@thunderid/node";
+import { setCookie } from "h3";
+import { SignJWT, jwtVerify } from "jose";
+const DEFAULT_EXPIRY_SECONDS = 3600;
+function getSecret(sessionSecret) {
+  const secret = sessionSecret || process.env["THUNDERID_SESSION_SECRET"];
+  if (!secret) {
+    if (process.env["NODE_ENV"] === "production") {
+      throw new Error(
+        "[thunderid] THUNDERID_SESSION_SECRET environment variable is required in production. Set it to a secure random string of at least 32 characters."
+      );
+    }
+    console.warn(
+      "[thunderid] Using default session secret for development. Set THUNDERID_SESSION_SECRET for production."
+    );
+    return new TextEncoder().encode("thunderid-dev-secret-not-for-production");
+  }
+  return new TextEncoder().encode(secret);
+}
+export async function createSessionToken(params, sessionSecret) {
+  const secret = getSecret(sessionSecret);
+  return new SignJWT({
+    accessToken: params.accessToken,
+    accessTokenExpiresAt: params.accessTokenExpiresAt,
+    idToken: params.idToken,
+    organizationId: params.organizationId,
+    refreshToken: params.refreshToken,
+    scopes: params.scopes,
+    sessionId: params.sessionId,
+    type: "session"
+  }).setProtectedHeader({ alg: "HS256" }).setSubject(params.userId).setIssuedAt().setExpirationTime(Date.now() / 1e3 + (params.expirySeconds ?? DEFAULT_EXPIRY_SECONDS)).sign(secret);
+}
+export async function createTempSessionToken(sessionId, sessionSecret, returnTo) {
+  const secret = getSecret(sessionSecret);
+  const payload = {
+    sessionId,
+    type: "temp"
+  };
+  if (returnTo) {
+    payload["returnTo"] = returnTo;
+  }
+  return new SignJWT(payload).setProtectedHeader({ alg: "HS256" }).setIssuedAt().setExpirationTime("15m").sign(secret);
+}
+export async function verifySessionToken(token, sessionSecret) {
+  const secret = getSecret(sessionSecret);
+  const { payload } = await jwtVerify(token, secret);
+  return payload;
+}
+export async function verifyTempSessionToken(token, sessionSecret) {
+  const secret = getSecret(sessionSecret);
+  const { payload } = await jwtVerify(token, secret);
+  if (payload["type"] !== "temp") {
+    throw new Error("Invalid token type: expected temp session");
+  }
+  return {
+    returnTo: payload["returnTo"],
+    sessionId: payload["sessionId"]
+  };
+}
+export function getSessionCookieName() {
+  return CookieConfig.SESSION_COOKIE_NAME;
+}
+export function getTempSessionCookieName() {
+  return CookieConfig.TEMP_SESSION_COOKIE_NAME;
+}
+export function getSessionCookieOptions() {
+  return {
+    httpOnly: true,
+    maxAge: DEFAULT_EXPIRY_SECONDS,
+    path: "/",
+    sameSite: "lax",
+    secure: process.env["NODE_ENV"] === "production"
+  };
+}
+export function getTempSessionCookieOptions() {
+  return {
+    httpOnly: true,
+    maxAge: 15 * 60,
+    path: "/",
+    sameSite: "lax",
+    secure: process.env["NODE_ENV"] === "production"
+  };
+}
+export async function issueSessionCookie(event, sessionId, tokenResponse, sessionSecret) {
+  const { default: ThunderIDNuxtClient } = await import("../ThunderIDNuxtClient.js");
+  const client = ThunderIDNuxtClient.getInstance();
+  const idToken = await client.getDecodedIdToken(sessionId, tokenResponse.idToken);
+  const userId = idToken.sub || sessionId;
+  const organizationId = idToken["user_org"] || idToken["organization_id"];
+  const expiresInSeconds = parseInt(tokenResponse.expiresIn ?? "3600", 10);
+  const accessTokenExpiresAt = Math.floor(Date.now() / 1e3) + (Number.isFinite(expiresInSeconds) ? expiresInSeconds : 3600);
+  const sessionToken = await createSessionToken(
+    {
+      accessToken: tokenResponse.accessToken,
+      accessTokenExpiresAt,
+      idToken: tokenResponse.idToken || void 0,
+      organizationId,
+      refreshToken: tokenResponse.refreshToken || void 0,
+      scopes: tokenResponse.scope || "",
+      sessionId,
+      userId
+    },
+    sessionSecret
+  );
+  setCookie(event, getSessionCookieName(), sessionToken, getSessionCookieOptions());
+}

package/dist/runtime/server/utils/token-refresh.d.ts

@@ -0,0 +1,42 @@
+/**
+ * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import { type H3Event } from 'h3';
+/**
+ * Return a valid access token for the current request.
+ *
+ * If the stored access token is still fresh (or has no expiry metadata —
+ * e.g. sessions created before Phase 2), it is returned as-is.
+ *
+ * When the token is within `REFRESH_SKEW_SECONDS` of expiring and a
+ * refresh token is present, a `refresh_token` grant is sent to the OIDC
+ * token endpoint.  On success the session cookie is reissued with the new
+ * tokens so subsequent calls within the same browser session are also fresh.
+ *
+ * Throws a 401 if the token is expired and no refresh token is available, or
+ * if the refresh call itself fails.
+ *
+ * @example
+ * ```ts
+ * // In a Nitro API route:
+ * export default defineEventHandler(async (event) => {
+ *   const accessToken = await getValidAccessToken(event);
+ *   // use accessToken to call a protected API
+ * });
+ * ```
+ */
+export declare function getValidAccessToken(event: H3Event): Promise<string>;

package/dist/runtime/server/utils/token-refresh.js

@@ -0,0 +1,65 @@
+import { createError, setCookie } from "h3";
+import { requireServerSession } from "./serverSession.js";
+import { createSessionToken, getSessionCookieName, getSessionCookieOptions } from "./session.js";
+import { useRuntimeConfig } from "#imports";
+const REFRESH_SKEW_SECONDS = 60;
+export async function getValidAccessToken(event) {
+  const session = await requireServerSession(event);
+  const now = Math.floor(Date.now() / 1e3);
+  if (!session.accessTokenExpiresAt || session.accessTokenExpiresAt - REFRESH_SKEW_SECONDS > now) {
+    return session.accessToken;
+  }
+  if (!session.refreshToken) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: "Session expired. Please sign in again."
+    });
+  }
+  const config = useRuntimeConfig(event);
+  const publicConfig = config.public.thunderid;
+  const privateConfig = config.thunderid;
+  const tokenEndpoint = `${publicConfig.baseUrl}/oauth2/token`;
+  const body = new URLSearchParams({
+    client_id: publicConfig.clientId,
+    grant_type: "refresh_token",
+    refresh_token: session.refreshToken
+  });
+  if (privateConfig?.clientSecret) {
+    body.set("client_secret", privateConfig.clientSecret);
+  }
+  let refreshed;
+  try {
+    const res = await fetch(tokenEndpoint, {
+      body,
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      method: "POST"
+    });
+    if (!res.ok) {
+      const errText = await res.text().catch(() => String(res.status));
+      throw new Error(`Token endpoint returned ${res.status}: ${errText}`);
+    }
+    refreshed = await res.json();
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    console.error("[thunderid] Token refresh failed:", msg);
+    throw createError({
+      statusCode: 401,
+      statusMessage: "Token refresh failed. Please sign in again."
+    });
+  }
+  const newSessionToken = await createSessionToken(
+    {
+      accessToken: refreshed.access_token,
+      accessTokenExpiresAt: now + (refreshed.expires_in ?? 3600),
+      idToken: refreshed.id_token ?? session.idToken,
+      organizationId: session.organizationId,
+      refreshToken: refreshed.refresh_token ?? session.refreshToken,
+      scopes: refreshed.scope ?? session.scopes,
+      sessionId: session.sessionId,
+      userId: session.sub
+    },
+    privateConfig?.sessionSecret
+  );
+  setCookie(event, getSessionCookieName(), newSessionToken, getSessionCookieOptions());
+  return refreshed.access_token;
+}