@wix/cli-app 1.1.48 → 1.1.50

package/build/cloudflare-runtime/entry.js

@@ -159,151 +159,118 @@ var init_errors = __esm({
   "../../node_modules/jose/dist/browser/util/errors.js"() {
     "use strict";
     JOSEError = class extends Error {
-      static get code() {
-        return "ERR_JOSE_GENERIC";
-      }
-      constructor(message2) {
-        super(message2);
+      constructor(message2, options) {
+        super(message2, options);
         this.code = "ERR_JOSE_GENERIC";
         this.name = this.constructor.name;
         Error.captureStackTrace?.(this, this.constructor);
       }
     };
+    JOSEError.code = "ERR_JOSE_GENERIC";
     JWTClaimValidationFailed = class extends JOSEError {
-      static get code() {
-        return "ERR_JWT_CLAIM_VALIDATION_FAILED";
-      }
-      constructor(message2, claim = "unspecified", reason = "unspecified") {
-        super(message2);
+      constructor(message2, payload, claim = "unspecified", reason = "unspecified") {
+        super(message2, { cause: { claim, reason, payload } });
         this.code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
         this.claim = claim;
         this.reason = reason;
+        this.payload = payload;
       }
     };
+    JWTClaimValidationFailed.code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
     JWTExpired = class extends JOSEError {
-      static get code() {
-        return "ERR_JWT_EXPIRED";
-      }
-      constructor(message2, claim = "unspecified", reason = "unspecified") {
-        super(message2);
+      constructor(message2, payload, claim = "unspecified", reason = "unspecified") {
+        super(message2, { cause: { claim, reason, payload } });
         this.code = "ERR_JWT_EXPIRED";
         this.claim = claim;
         this.reason = reason;
+        this.payload = payload;
       }
     };
+    JWTExpired.code = "ERR_JWT_EXPIRED";
     JOSEAlgNotAllowed = class extends JOSEError {
       constructor() {
         super(...arguments);
         this.code = "ERR_JOSE_ALG_NOT_ALLOWED";
       }
-      static get code() {
-        return "ERR_JOSE_ALG_NOT_ALLOWED";
-      }
     };
+    JOSEAlgNotAllowed.code = "ERR_JOSE_ALG_NOT_ALLOWED";
     JOSENotSupported = class extends JOSEError {
       constructor() {
         super(...arguments);
         this.code = "ERR_JOSE_NOT_SUPPORTED";
       }
-      static get code() {
-        return "ERR_JOSE_NOT_SUPPORTED";
-      }
     };
+    JOSENotSupported.code = "ERR_JOSE_NOT_SUPPORTED";
     JWEDecryptionFailed = class extends JOSEError {
-      constructor() {
-        super(...arguments);
+      constructor(message2 = "decryption operation failed", options) {
+        super(message2, options);
         this.code = "ERR_JWE_DECRYPTION_FAILED";
-        this.message = "decryption operation failed";
-      }
-      static get code() {
-        return "ERR_JWE_DECRYPTION_FAILED";
       }
     };
+    JWEDecryptionFailed.code = "ERR_JWE_DECRYPTION_FAILED";
     JWEInvalid = class extends JOSEError {
       constructor() {
         super(...arguments);
         this.code = "ERR_JWE_INVALID";
       }
-      static get code() {
-        return "ERR_JWE_INVALID";
-      }
     };
+    JWEInvalid.code = "ERR_JWE_INVALID";
     JWSInvalid = class extends JOSEError {
       constructor() {
         super(...arguments);
         this.code = "ERR_JWS_INVALID";
       }
-      static get code() {
-        return "ERR_JWS_INVALID";
-      }
     };
+    JWSInvalid.code = "ERR_JWS_INVALID";
     JWTInvalid = class extends JOSEError {
       constructor() {
         super(...arguments);
         this.code = "ERR_JWT_INVALID";
       }
-      static get code() {
-        return "ERR_JWT_INVALID";
-      }
     };
+    JWTInvalid.code = "ERR_JWT_INVALID";
     JWKInvalid = class extends JOSEError {
       constructor() {
         super(...arguments);
         this.code = "ERR_JWK_INVALID";
       }
-      static get code() {
-        return "ERR_JWK_INVALID";
-      }
     };
+    JWKInvalid.code = "ERR_JWK_INVALID";
     JWKSInvalid = class extends JOSEError {
       constructor() {
         super(...arguments);
         this.code = "ERR_JWKS_INVALID";
       }
-      static get code() {
-        return "ERR_JWKS_INVALID";
-      }
     };
+    JWKSInvalid.code = "ERR_JWKS_INVALID";
     JWKSNoMatchingKey = class extends JOSEError {
-      constructor() {
-        super(...arguments);
+      constructor(message2 = "no applicable key found in the JSON Web Key Set", options) {
+        super(message2, options);
         this.code = "ERR_JWKS_NO_MATCHING_KEY";
-        this.message = "no applicable key found in the JSON Web Key Set";
-      }
-      static get code() {
-        return "ERR_JWKS_NO_MATCHING_KEY";
       }
     };
+    JWKSNoMatchingKey.code = "ERR_JWKS_NO_MATCHING_KEY";
     JWKSMultipleMatchingKeys = class extends JOSEError {
-      constructor() {
-        super(...arguments);
+      constructor(message2 = "multiple matching keys found in the JSON Web Key Set", options) {
+        super(message2, options);
         this.code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
-        this.message = "multiple matching keys found in the JSON Web Key Set";
-      }
-      static get code() {
-        return "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
       }
     };
+    JWKSMultipleMatchingKeys.code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
     JWKSTimeout = class extends JOSEError {
-      constructor() {
-        super(...arguments);
+      constructor(message2 = "request timed out", options) {
+        super(message2, options);
         this.code = "ERR_JWKS_TIMEOUT";
-        this.message = "request timed out";
-      }
-      static get code() {
-        return "ERR_JWKS_TIMEOUT";
       }
     };
+    JWKSTimeout.code = "ERR_JWKS_TIMEOUT";
     JWSSignatureVerificationFailed = class extends JOSEError {
-      constructor() {
-        super(...arguments);
+      constructor(message2 = "signature verification failed", options) {
+        super(message2, options);
         this.code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
-        this.message = "signature verification failed";
-      }
-      static get code() {
-        return "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
       }
     };
+    JWSSignatureVerificationFailed.code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
   }
 });
 
@@ -563,6 +530,7 @@ var init_crypto_key = __esm({
 
 // ../../node_modules/jose/dist/browser/lib/invalid_key_input.js
 function message(msg, actual, ...types2) {
+  types2 = types2.filter(Boolean);
   if (types2.length > 2) {
     const last = types2.pop();
     msg += `one of type ${types2.join(", ")}, or ${last}.`;
@@ -602,14 +570,17 @@ var init_is_key_like = __esm({
     "use strict";
     init_webcrypto();
     is_key_like_default = (key) => {
-      return isCryptoKey(key);
+      if (isCryptoKey(key)) {
+        return true;
+      }
+      return key?.[Symbol.toStringTag] === "KeyObject";
     };
     types = ["CryptoKey"];
   }
 });
 
 // ../../node_modules/jose/dist/browser/runtime/decrypt.js
-async function cbcDecrypt(enc, cek, ciphertext, iv, tag, aad) {
+async function cbcDecrypt(enc, cek, ciphertext, iv, tag2, aad) {
   if (!(cek instanceof Uint8Array)) {
     throw new TypeError(invalid_key_input_default(cek, "Uint8Array"));
   }
@@ -623,7 +594,7 @@ async function cbcDecrypt(enc, cek, ciphertext, iv, tag, aad) {
   const expectedTag = new Uint8Array((await webcrypto_default.subtle.sign("HMAC", macKey, macData)).slice(0, keySize >> 3));
   let macCheckPassed;
   try {
-    macCheckPassed = timing_safe_equal_default(tag, expectedTag);
+    macCheckPassed = timing_safe_equal_default(tag2, expectedTag);
   } catch {
   }
   if (!macCheckPassed) {
@@ -639,7 +610,7 @@ async function cbcDecrypt(enc, cek, ciphertext, iv, tag, aad) {
   }
   return plaintext;
 }
-async function gcmDecrypt(enc, cek, ciphertext, iv, tag, aad) {
+async function gcmDecrypt(enc, cek, ciphertext, iv, tag2, aad) {
   let encKey;
   if (cek instanceof Uint8Array) {
     encKey = await webcrypto_default.subtle.importKey("raw", cek, "AES-GCM", false, ["decrypt"]);
@@ -653,7 +624,7 @@ async function gcmDecrypt(enc, cek, ciphertext, iv, tag, aad) {
       iv,
       name: "AES-GCM",
       tagLength: 128
-    }, encKey, concat(ciphertext, tag)));
+    }, encKey, concat(ciphertext, tag2)));
   } catch {
     throw new JWEDecryptionFailed();
   }
@@ -671,14 +642,14 @@ var init_decrypt = __esm({
     init_crypto_key();
     init_invalid_key_input();
     init_is_key_like();
-    decrypt = async (enc, cek, ciphertext, iv, tag, aad) => {
+    decrypt = async (enc, cek, ciphertext, iv, tag2, aad) => {
       if (!isCryptoKey(cek) && !(cek instanceof Uint8Array)) {
         throw new TypeError(invalid_key_input_default(cek, ...types, "Uint8Array"));
       }
       if (!iv) {
         throw new JWEInvalid("JWE Initialization Vector missing");
       }
-      if (!tag) {
+      if (!tag2) {
         throw new JWEInvalid("JWE Authentication Tag missing");
       }
       check_iv_length_default(enc, iv);
@@ -688,13 +659,13 @@ var init_decrypt = __esm({
         case "A256CBC-HS512":
           if (cek instanceof Uint8Array)
             check_cek_length_default(cek, parseInt(enc.slice(-3), 10));
-          return cbcDecrypt(enc, cek, ciphertext, iv, tag, aad);
+          return cbcDecrypt(enc, cek, ciphertext, iv, tag2, aad);
         case "A128GCM":
         case "A192GCM":
         case "A256GCM":
           if (cek instanceof Uint8Array)
             check_cek_length_default(cek, parseInt(enc.slice(1, 4), 10));
-          return gcmDecrypt(enc, cek, ciphertext, iv, tag, aad);
+          return gcmDecrypt(enc, cek, ciphertext, iv, tag2, aad);
         default:
           throw new JOSENotSupported("Unsupported JWE Content Encryption Algorithm");
       }
@@ -1010,6 +981,207 @@ var init_rsaes = __esm({
   }
 });
 
+// ../../node_modules/jose/dist/browser/lib/is_jwk.js
+function isJWK(key) {
+  return isObject2(key) && typeof key.kty === "string";
+}
+function isPrivateJWK(key) {
+  return key.kty !== "oct" && typeof key.d === "string";
+}
+function isPublicJWK(key) {
+  return key.kty !== "oct" && typeof key.d === "undefined";
+}
+function isSecretJWK(key) {
+  return isJWK(key) && key.kty === "oct" && typeof key.k === "string";
+}
+var init_is_jwk = __esm({
+  "../../node_modules/jose/dist/browser/lib/is_jwk.js"() {
+    "use strict";
+    init_is_object();
+  }
+});
+
+// ../../node_modules/jose/dist/browser/runtime/jwk_to_key.js
+function subtleMapping(jwk) {
+  let algorithm;
+  let keyUsages;
+  switch (jwk.kty) {
+    case "RSA": {
+      switch (jwk.alg) {
+        case "PS256":
+        case "PS384":
+        case "PS512":
+          algorithm = { name: "RSA-PSS", hash: `SHA-${jwk.alg.slice(-3)}` };
+          keyUsages = jwk.d ? ["sign"] : ["verify"];
+          break;
+        case "RS256":
+        case "RS384":
+        case "RS512":
+          algorithm = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${jwk.alg.slice(-3)}` };
+          keyUsages = jwk.d ? ["sign"] : ["verify"];
+          break;
+        case "RSA-OAEP":
+        case "RSA-OAEP-256":
+        case "RSA-OAEP-384":
+        case "RSA-OAEP-512":
+          algorithm = {
+            name: "RSA-OAEP",
+            hash: `SHA-${parseInt(jwk.alg.slice(-3), 10) || 1}`
+          };
+          keyUsages = jwk.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
+          break;
+        default:
+          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+      }
+      break;
+    }
+    case "EC": {
+      switch (jwk.alg) {
+        case "ES256":
+          algorithm = { name: "ECDSA", namedCurve: "P-256" };
+          keyUsages = jwk.d ? ["sign"] : ["verify"];
+          break;
+        case "ES384":
+          algorithm = { name: "ECDSA", namedCurve: "P-384" };
+          keyUsages = jwk.d ? ["sign"] : ["verify"];
+          break;
+        case "ES512":
+          algorithm = { name: "ECDSA", namedCurve: "P-521" };
+          keyUsages = jwk.d ? ["sign"] : ["verify"];
+          break;
+        case "ECDH-ES":
+        case "ECDH-ES+A128KW":
+        case "ECDH-ES+A192KW":
+        case "ECDH-ES+A256KW":
+          algorithm = { name: "ECDH", namedCurve: jwk.crv };
+          keyUsages = jwk.d ? ["deriveBits"] : [];
+          break;
+        default:
+          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+      }
+      break;
+    }
+    case "OKP": {
+      switch (jwk.alg) {
+        case "EdDSA":
+          algorithm = { name: jwk.crv };
+          keyUsages = jwk.d ? ["sign"] : ["verify"];
+          break;
+        case "ECDH-ES":
+        case "ECDH-ES+A128KW":
+        case "ECDH-ES+A192KW":
+        case "ECDH-ES+A256KW":
+          algorithm = { name: jwk.crv };
+          keyUsages = jwk.d ? ["deriveBits"] : [];
+          break;
+        default:
+          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+      }
+      break;
+    }
+    default:
+      throw new JOSENotSupported('Invalid or unsupported JWK "kty" (Key Type) Parameter value');
+  }
+  return { algorithm, keyUsages };
+}
+var parse, jwk_to_key_default;
+var init_jwk_to_key = __esm({
+  "../../node_modules/jose/dist/browser/runtime/jwk_to_key.js"() {
+    "use strict";
+    init_webcrypto();
+    init_errors();
+    parse = async (jwk) => {
+      if (!jwk.alg) {
+        throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
+      }
+      const { algorithm, keyUsages } = subtleMapping(jwk);
+      const rest = [
+        algorithm,
+        jwk.ext ?? false,
+        jwk.key_ops ?? keyUsages
+      ];
+      const keyData = { ...jwk };
+      delete keyData.alg;
+      delete keyData.use;
+      return webcrypto_default.subtle.importKey("jwk", keyData, ...rest);
+    };
+    jwk_to_key_default = parse;
+  }
+});
+
+// ../../node_modules/jose/dist/browser/runtime/normalize_key.js
+var exportKeyValue, privCache, pubCache, isKeyObject, importAndCache, normalizePublicKey, normalizePrivateKey, normalize_key_default;
+var init_normalize_key = __esm({
+  "../../node_modules/jose/dist/browser/runtime/normalize_key.js"() {
+    "use strict";
+    init_is_jwk();
+    init_base64url();
+    init_jwk_to_key();
+    exportKeyValue = (k) => decode(k);
+    isKeyObject = (key) => {
+      return key?.[Symbol.toStringTag] === "KeyObject";
+    };
+    importAndCache = async (cache, key, jwk, alg, freeze = false) => {
+      let cached = cache.get(key);
+      if (cached?.[alg]) {
+        return cached[alg];
+      }
+      const cryptoKey = await jwk_to_key_default({ ...jwk, alg });
+      if (freeze)
+        Object.freeze(key);
+      if (!cached) {
+        cache.set(key, { [alg]: cryptoKey });
+      } else {
+        cached[alg] = cryptoKey;
+      }
+      return cryptoKey;
+    };
+    normalizePublicKey = (key, alg) => {
+      if (isKeyObject(key)) {
+        let jwk = key.export({ format: "jwk" });
+        delete jwk.d;
+        delete jwk.dp;
+        delete jwk.dq;
+        delete jwk.p;
+        delete jwk.q;
+        delete jwk.qi;
+        if (jwk.k) {
+          return exportKeyValue(jwk.k);
+        }
+        pubCache || (pubCache = /* @__PURE__ */ new WeakMap());
+        return importAndCache(pubCache, key, jwk, alg);
+      }
+      if (isJWK(key)) {
+        if (key.k)
+          return decode(key.k);
+        pubCache || (pubCache = /* @__PURE__ */ new WeakMap());
+        const cryptoKey = importAndCache(pubCache, key, key, alg, true);
+        return cryptoKey;
+      }
+      return key;
+    };
+    normalizePrivateKey = (key, alg) => {
+      if (isKeyObject(key)) {
+        let jwk = key.export({ format: "jwk" });
+        if (jwk.k) {
+          return exportKeyValue(jwk.k);
+        }
+        privCache || (privCache = /* @__PURE__ */ new WeakMap());
+        return importAndCache(privCache, key, jwk, alg);
+      }
+      if (isJWK(key)) {
+        if (key.k)
+          return decode(key.k);
+        privCache || (privCache = /* @__PURE__ */ new WeakMap());
+        const cryptoKey = importAndCache(privCache, key, key, alg, true);
+        return cryptoKey;
+      }
+      return key;
+    };
+    normalize_key_default = { normalizePublicKey, normalizePrivateKey };
+  }
+});
+
 // ../../node_modules/jose/dist/browser/lib/cek.js
 function bitLength2(alg) {
   switch (alg) {
@@ -1065,15 +1237,15 @@ function getElement(seq) {
 }
 function parseElement(bytes) {
   let position = 0;
-  let tag = bytes[0] & 31;
+  let tag2 = bytes[0] & 31;
   position++;
-  if (tag === 31) {
-    tag = 0;
+  if (tag2 === 31) {
+    tag2 = 0;
     while (bytes[position] >= 128) {
-      tag = tag * 128 + bytes[position] - 128;
+      tag2 = tag2 * 128 + bytes[position] - 128;
       position++;
     }
-    tag = tag * 128 + bytes[position] - 128;
+    tag2 = tag2 * 128 + bytes[position] - 128;
     position++;
   }
   let length = 0;
@@ -1256,114 +1428,6 @@ var init_asn1 = __esm({
   }
 });
 
-// ../../node_modules/jose/dist/browser/runtime/jwk_to_key.js
-function subtleMapping(jwk) {
-  let algorithm;
-  let keyUsages;
-  switch (jwk.kty) {
-    case "RSA": {
-      switch (jwk.alg) {
-        case "PS256":
-        case "PS384":
-        case "PS512":
-          algorithm = { name: "RSA-PSS", hash: `SHA-${jwk.alg.slice(-3)}` };
-          keyUsages = jwk.d ? ["sign"] : ["verify"];
-          break;
-        case "RS256":
-        case "RS384":
-        case "RS512":
-          algorithm = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${jwk.alg.slice(-3)}` };
-          keyUsages = jwk.d ? ["sign"] : ["verify"];
-          break;
-        case "RSA-OAEP":
-        case "RSA-OAEP-256":
-        case "RSA-OAEP-384":
-        case "RSA-OAEP-512":
-          algorithm = {
-            name: "RSA-OAEP",
-            hash: `SHA-${parseInt(jwk.alg.slice(-3), 10) || 1}`
-          };
-          keyUsages = jwk.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
-          break;
-        default:
-          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
-      }
-      break;
-    }
-    case "EC": {
-      switch (jwk.alg) {
-        case "ES256":
-          algorithm = { name: "ECDSA", namedCurve: "P-256" };
-          keyUsages = jwk.d ? ["sign"] : ["verify"];
-          break;
-        case "ES384":
-          algorithm = { name: "ECDSA", namedCurve: "P-384" };
-          keyUsages = jwk.d ? ["sign"] : ["verify"];
-          break;
-        case "ES512":
-          algorithm = { name: "ECDSA", namedCurve: "P-521" };
-          keyUsages = jwk.d ? ["sign"] : ["verify"];
-          break;
-        case "ECDH-ES":
-        case "ECDH-ES+A128KW":
-        case "ECDH-ES+A192KW":
-        case "ECDH-ES+A256KW":
-          algorithm = { name: "ECDH", namedCurve: jwk.crv };
-          keyUsages = jwk.d ? ["deriveBits"] : [];
-          break;
-        default:
-          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
-      }
-      break;
-    }
-    case "OKP": {
-      switch (jwk.alg) {
-        case "EdDSA":
-          algorithm = { name: jwk.crv };
-          keyUsages = jwk.d ? ["sign"] : ["verify"];
-          break;
-        case "ECDH-ES":
-        case "ECDH-ES+A128KW":
-        case "ECDH-ES+A192KW":
-        case "ECDH-ES+A256KW":
-          algorithm = { name: jwk.crv };
-          keyUsages = jwk.d ? ["deriveBits"] : [];
-          break;
-        default:
-          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
-      }
-      break;
-    }
-    default:
-      throw new JOSENotSupported('Invalid or unsupported JWK "kty" (Key Type) Parameter value');
-  }
-  return { algorithm, keyUsages };
-}
-var parse, jwk_to_key_default;
-var init_jwk_to_key = __esm({
-  "../../node_modules/jose/dist/browser/runtime/jwk_to_key.js"() {
-    "use strict";
-    init_webcrypto();
-    init_errors();
-    parse = async (jwk) => {
-      if (!jwk.alg) {
-        throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
-      }
-      const { algorithm, keyUsages } = subtleMapping(jwk);
-      const rest = [
-        algorithm,
-        jwk.ext ?? false,
-        jwk.key_ops ?? keyUsages
-      ];
-      const keyData = { ...jwk };
-      delete keyData.alg;
-      delete keyData.use;
-      return webcrypto_default.subtle.importKey("jwk", keyData, ...rest);
-    };
-    jwk_to_key_default = parse;
-  }
-});
-
 // ../../node_modules/jose/dist/browser/key/import.js
 async function importSPKI(spki, alg, options) {
   if (typeof spki !== "string" || spki.indexOf("-----BEGIN PUBLIC KEY-----") !== 0) {
@@ -1417,51 +1481,83 @@ var init_import = __esm({
 });
 
 // ../../node_modules/jose/dist/browser/lib/check_key_type.js
-var symmetricTypeCheck, asymmetricTypeCheck, checkKeyType, check_key_type_default;
+function checkKeyType(allowJwk, alg, key, usage) {
+  const symmetric = alg.startsWith("HS") || alg === "dir" || alg.startsWith("PBES2") || /^A\d{3}(?:GCM)?KW$/.test(alg);
+  if (symmetric) {
+    symmetricTypeCheck(alg, key, usage, allowJwk);
+  } else {
+    asymmetricTypeCheck(alg, key, usage, allowJwk);
+  }
+}
+var tag, jwkMatchesOp, symmetricTypeCheck, asymmetricTypeCheck, check_key_type_default, checkKeyTypeWithJwk;
 var init_check_key_type = __esm({
   "../../node_modules/jose/dist/browser/lib/check_key_type.js"() {
     "use strict";
     init_invalid_key_input();
     init_is_key_like();
-    symmetricTypeCheck = (alg, key) => {
+    init_is_jwk();
+    tag = (key) => key?.[Symbol.toStringTag];
+    jwkMatchesOp = (alg, key, usage) => {
+      if (key.use !== void 0 && key.use !== "sig") {
+        throw new TypeError("Invalid key for this operation, when present its use must be sig");
+      }
+      if (key.key_ops !== void 0 && key.key_ops.includes?.(usage) !== true) {
+        throw new TypeError(`Invalid key for this operation, when present its key_ops must include ${usage}`);
+      }
+      if (key.alg !== void 0 && key.alg !== alg) {
+        throw new TypeError(`Invalid key for this operation, when present its alg must be ${alg}`);
+      }
+      return true;
+    };
+    symmetricTypeCheck = (alg, key, usage, allowJwk) => {
       if (key instanceof Uint8Array)
         return;
+      if (allowJwk && isJWK(key)) {
+        if (isSecretJWK(key) && jwkMatchesOp(alg, key, usage))
+          return;
+        throw new TypeError(`JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present`);
+      }
       if (!is_key_like_default(key)) {
-        throw new TypeError(withAlg(alg, key, ...types, "Uint8Array"));
+        throw new TypeError(withAlg(alg, key, ...types, "Uint8Array", allowJwk ? "JSON Web Key" : null));
       }
       if (key.type !== "secret") {
-        throw new TypeError(`${types.join(" or ")} instances for symmetric algorithms must be of type "secret"`);
+        throw new TypeError(`${tag(key)} instances for symmetric algorithms must be of type "secret"`);
       }
     };
-    asymmetricTypeCheck = (alg, key, usage) => {
+    asymmetricTypeCheck = (alg, key, usage, allowJwk) => {
+      if (allowJwk && isJWK(key)) {
+        switch (usage) {
+          case "sign":
+            if (isPrivateJWK(key) && jwkMatchesOp(alg, key, usage))
+              return;
+            throw new TypeError(`JSON Web Key for this operation be a private JWK`);
+          case "verify":
+            if (isPublicJWK(key) && jwkMatchesOp(alg, key, usage))
+              return;
+            throw new TypeError(`JSON Web Key for this operation be a public JWK`);
+        }
+      }
       if (!is_key_like_default(key)) {
-        throw new TypeError(withAlg(alg, key, ...types));
+        throw new TypeError(withAlg(alg, key, ...types, allowJwk ? "JSON Web Key" : null));
       }
       if (key.type === "secret") {
-        throw new TypeError(`${types.join(" or ")} instances for asymmetric algorithms must not be of type "secret"`);
+        throw new TypeError(`${tag(key)} instances for asymmetric algorithms must not be of type "secret"`);
       }
       if (usage === "sign" && key.type === "public") {
-        throw new TypeError(`${types.join(" or ")} instances for asymmetric algorithm signing must be of type "private"`);
+        throw new TypeError(`${tag(key)} instances for asymmetric algorithm signing must be of type "private"`);
       }
       if (usage === "decrypt" && key.type === "public") {
-        throw new TypeError(`${types.join(" or ")} instances for asymmetric algorithm decryption must be of type "private"`);
+        throw new TypeError(`${tag(key)} instances for asymmetric algorithm decryption must be of type "private"`);
       }
       if (key.algorithm && usage === "verify" && key.type === "private") {
-        throw new TypeError(`${types.join(" or ")} instances for asymmetric algorithm verifying must be of type "public"`);
+        throw new TypeError(`${tag(key)} instances for asymmetric algorithm verifying must be of type "public"`);
       }
       if (key.algorithm && usage === "encrypt" && key.type === "private") {
-        throw new TypeError(`${types.join(" or ")} instances for asymmetric algorithm encryption must be of type "public"`);
+        throw new TypeError(`${tag(key)} instances for asymmetric algorithm encryption must be of type "public"`);
       }
     };
-    checkKeyType = (alg, key, usage) => {
-      const symmetric = alg.startsWith("HS") || alg === "dir" || alg.startsWith("PBES2") || /^A\d{3}(?:GCM)?KW$/.test(alg);
-      if (symmetric) {
-        symmetricTypeCheck(alg, key);
-      } else {
-        asymmetricTypeCheck(alg, key, usage);
-      }
-    };
-    check_key_type_default = checkKeyType;
+    check_key_type_default = checkKeyType.bind(void 0, false);
+    checkKeyTypeWithJwk = checkKeyType.bind(void 0, true);
   }
 });
 
@@ -1481,8 +1577,8 @@ async function cbcEncrypt(enc, plaintext, cek, iv, aad) {
     name: "AES-CBC"
   }, encKey, plaintext));
   const macData = concat(aad, iv, ciphertext, uint64be(aad.length << 3));
-  const tag = new Uint8Array((await webcrypto_default.subtle.sign("HMAC", macKey, macData)).slice(0, keySize >> 3));
-  return { ciphertext, tag, iv };
+  const tag2 = new Uint8Array((await webcrypto_default.subtle.sign("HMAC", macKey, macData)).slice(0, keySize >> 3));
+  return { ciphertext, tag: tag2, iv };
 }
 async function gcmEncrypt(enc, plaintext, cek, iv, aad) {
   let encKey;
@@ -1498,9 +1594,9 @@ async function gcmEncrypt(enc, plaintext, cek, iv, aad) {
     name: "AES-GCM",
     tagLength: 128
   }, encKey, plaintext));
-  const tag = encrypted.slice(-16);
+  const tag2 = encrypted.slice(-16);
   const ciphertext = encrypted.slice(0, -16);
-  return { ciphertext, tag, iv };
+  return { ciphertext, tag: tag2, iv };
 }
 var encrypt3, encrypt_default;
 var init_encrypt = __esm({
@@ -1557,9 +1653,9 @@ async function wrap2(alg, key, cek, iv) {
     tag: encode(wrapped.tag)
   };
 }
-async function unwrap2(alg, key, encryptedKey, iv, tag) {
+async function unwrap2(alg, key, encryptedKey, iv, tag2) {
   const jweAlgorithm = alg.slice(0, 7);
-  return decrypt_default(jweAlgorithm, key, encryptedKey, iv, tag, new Uint8Array(0));
+  return decrypt_default(jweAlgorithm, key, encryptedKey, iv, tag2, new Uint8Array(0));
 }
 var init_aesgcmkw = __esm({
   "../../node_modules/jose/dist/browser/lib/aesgcmkw.js"() {
@@ -1573,6 +1669,7 @@ var init_aesgcmkw = __esm({
 // ../../node_modules/jose/dist/browser/lib/decrypt_key_management.js
 async function decryptKeyManagement(alg, key, encryptedKey, joseHeader, options) {
   check_key_type_default(alg, key, "decrypt");
+  key = await normalize_key_default.normalizePrivateKey?.(key, alg) || key;
   switch (alg) {
     case "dir": {
       if (encryptedKey !== void 0)
@@ -1668,13 +1765,13 @@ async function decryptKeyManagement(alg, key, encryptedKey, joseHeader, options)
       } catch {
         throw new JWEInvalid("Failed to base64url decode the iv");
       }
-      let tag;
+      let tag2;
       try {
-        tag = decode(joseHeader.tag);
+        tag2 = decode(joseHeader.tag);
       } catch {
         throw new JWEInvalid("Failed to base64url decode the tag");
       }
-      return unwrap2(alg, key, encryptedKey, iv, tag);
+      return unwrap2(alg, key, encryptedKey, iv, tag2);
     }
     default: {
       throw new JOSENotSupported('Invalid or unsupported "alg" (JWE Algorithm) header value');
@@ -1690,6 +1787,7 @@ var init_decrypt_key_management = __esm({
     init_pbes2kw();
     init_rsaes();
     init_base64url();
+    init_normalize_key();
     init_errors();
     init_cek();
     init_import();
@@ -1848,7 +1946,7 @@ async function flattenedDecrypt(jwe, key, options) {
     cek = cek_default(enc);
   }
   let iv;
-  let tag;
+  let tag2;
   if (jwe.iv !== void 0) {
     try {
       iv = decode(jwe.iv);
@@ -1858,7 +1956,7 @@ async function flattenedDecrypt(jwe, key, options) {
   }
   if (jwe.tag !== void 0) {
     try {
-      tag = decode(jwe.tag);
+      tag2 = decode(jwe.tag);
     } catch {
       throw new JWEInvalid("Failed to base64url decode the tag");
     }
@@ -1876,7 +1974,7 @@ async function flattenedDecrypt(jwe, key, options) {
   } catch {
     throw new JWEInvalid("Failed to base64url decode the ciphertext");
   }
-  const plaintext = await decrypt_default(enc, cek, ciphertext, iv, tag, additionalData);
+  const plaintext = await decrypt_default(enc, cek, ciphertext, iv, tag2, additionalData);
   const result = { plaintext };
   if (jwe.protected !== void 0) {
     result.protectedHeader = parsedProt;
@@ -1923,7 +2021,7 @@ async function compactDecrypt(jwe, key, options) {
   if (typeof jwe !== "string") {
     throw new JWEInvalid("Compact JWE must be a string or Uint8Array");
   }
-  const { 0: protectedHeader, 1: encryptedKey, 2: iv, 3: ciphertext, 4: tag, length } = jwe.split(".");
+  const { 0: protectedHeader, 1: encryptedKey, 2: iv, 3: ciphertext, 4: tag2, length } = jwe.split(".");
   if (length !== 5) {
     throw new JWEInvalid("Invalid Compact JWE");
   }
@@ -1931,7 +2029,7 @@ async function compactDecrypt(jwe, key, options) {
     ciphertext,
     iv: iv || void 0,
     protected: protectedHeader,
-    tag: tag || void 0,
+    tag: tag2 || void 0,
     encrypted_key: encryptedKey || void 0
   }, key, options);
   const result = { plaintext: decrypted.plaintext, protectedHeader: decrypted.protectedHeader };
@@ -1986,6 +2084,15 @@ var init_decrypt4 = __esm({
   }
 });
 
+// ../../node_modules/jose/dist/browser/lib/private_symbols.js
+var unprotected;
+var init_private_symbols = __esm({
+  "../../node_modules/jose/dist/browser/lib/private_symbols.js"() {
+    "use strict";
+    unprotected = Symbol();
+  }
+});
+
 // ../../node_modules/jose/dist/browser/runtime/key_to_jwk.js
 var keyToJWK, key_to_jwk_default;
 var init_key_to_jwk = __esm({
@@ -2040,6 +2147,7 @@ async function encryptKeyManagement(alg, enc, key, providedCek, providedParamete
   let parameters;
   let cek;
   check_key_type_default(alg, key, "encrypt");
+  key = await normalize_key_default.normalizePublicKey?.(key, alg) || key;
   switch (alg) {
     case "dir": {
       cek = key;
@@ -2120,6 +2228,7 @@ var init_encrypt_key_management = __esm({
     init_pbes2kw();
     init_rsaes();
     init_base64url();
+    init_normalize_key();
     init_cek();
     init_errors();
     init_export();
@@ -2130,18 +2239,18 @@ var init_encrypt_key_management = __esm({
 });
 
 // ../../node_modules/jose/dist/browser/jwe/flattened/encrypt.js
-var unprotected, FlattenedEncrypt;
+var FlattenedEncrypt;
 var init_encrypt2 = __esm({
   "../../node_modules/jose/dist/browser/jwe/flattened/encrypt.js"() {
     "use strict";
     init_base64url();
+    init_private_symbols();
     init_encrypt();
     init_encrypt_key_management();
     init_errors();
     init_is_disjoint();
     init_buffer_utils();
     init_validate_crit();
-    unprotected = Symbol();
     FlattenedEncrypt = class {
       constructor(plaintext) {
         if (!(plaintext instanceof Uint8Array)) {
@@ -2233,12 +2342,10 @@ var init_encrypt2 = __esm({
               } else {
                 this._unprotectedHeader = { ...this._unprotectedHeader, ...parameters };
               }
+            } else if (!this._protectedHeader) {
+              this.setProtectedHeader(parameters);
             } else {
-              if (!this._protectedHeader) {
-                this.setProtectedHeader(parameters);
-              } else {
-                this._protectedHeader = { ...this._protectedHeader, ...parameters };
-              }
+              this._protectedHeader = { ...this._protectedHeader, ...parameters };
             }
           }
         }
@@ -2256,15 +2363,15 @@ var init_encrypt2 = __esm({
         } else {
           additionalData = protectedHeader;
         }
-        const { ciphertext, tag, iv } = await encrypt_default(enc, this._plaintext, cek, this._iv, additionalData);
+        const { ciphertext, tag: tag2, iv } = await encrypt_default(enc, this._plaintext, cek, this._iv, additionalData);
         const jwe = {
           ciphertext: encode(ciphertext)
         };
         if (iv) {
           jwe.iv = encode(iv);
         }
-        if (tag) {
-          jwe.tag = encode(tag);
+        if (tag2) {
+          jwe.tag = encode(tag2);
         }
         if (encryptedKey) {
           jwe.encrypted_key = encode(encryptedKey);
@@ -2293,6 +2400,7 @@ var init_encrypt3 = __esm({
   "../../node_modules/jose/dist/browser/jwe/general/encrypt.js"() {
     "use strict";
     init_encrypt2();
+    init_private_symbols();
     init_errors();
     init_cek();
     init_is_disjoint();
@@ -2487,7 +2595,13 @@ var init_subtle_dsa = __esm({
 });
 
 // ../../node_modules/jose/dist/browser/runtime/get_sign_verify_key.js
-function getCryptoKey3(alg, key, usage) {
+async function getCryptoKey3(alg, key, usage) {
+  if (usage === "sign") {
+    key = await normalize_key_default.normalizePrivateKey(key, alg);
+  }
+  if (usage === "verify") {
+    key = await normalize_key_default.normalizePublicKey(key, alg);
+  }
   if (isCryptoKey(key)) {
     checkSigCryptoKey(key, alg, usage);
     return key;
@@ -2498,7 +2612,7 @@ function getCryptoKey3(alg, key, usage) {
     }
     return webcrypto_default.subtle.importKey("raw", key, { hash: `SHA-${alg.slice(-3)}`, name: "HMAC" }, false, [usage]);
   }
-  throw new TypeError(invalid_key_input_default(key, ...types, "Uint8Array"));
+  throw new TypeError(invalid_key_input_default(key, ...types, "Uint8Array", "JSON Web Key"));
 }
 var init_get_sign_verify_key = __esm({
   "../../node_modules/jose/dist/browser/runtime/get_sign_verify_key.js"() {
@@ -2507,6 +2621,7 @@ var init_get_sign_verify_key = __esm({
     init_crypto_key();
     init_invalid_key_input();
     init_is_key_like();
+    init_normalize_key();
   }
 });
 
@@ -2596,8 +2711,13 @@ async function flattenedVerify(jws, key, options) {
   if (typeof key === "function") {
     key = await key(parsedProt, jws);
     resolvedKey = true;
+    checkKeyTypeWithJwk(alg, key, "verify");
+    if (isJWK(key)) {
+      key = await importJWK(key, alg);
+    }
+  } else {
+    checkKeyTypeWithJwk(alg, key, "verify");
   }
-  check_key_type_default(alg, key, "verify");
   const data = concat(encoder.encode(jws.protected ?? ""), encoder.encode("."), typeof jws.payload === "string" ? encoder.encode(jws.payload) : jws.payload);
   let signature;
   try {
@@ -2645,6 +2765,8 @@ var init_verify2 = __esm({
     init_check_key_type();
     init_validate_crit();
     init_validate_algorithms();
+    init_is_jwk();
+    init_import();
   }
 });
 
@@ -2799,10 +2921,6 @@ var init_jwt_claims_set = __esm({
       return false;
     };
     jwt_claims_set_default = (protectedHeader, encodedPayload, options = {}) => {
-      const { typ } = options;
-      if (typ && (typeof protectedHeader.typ !== "string" || normalizeTyp(protectedHeader.typ) !== normalizeTyp(typ))) {
-        throw new JWTClaimValidationFailed('unexpected "typ" JWT header value', "typ", "check_failed");
-      }
       let payload;
       try {
         payload = JSON.parse(decoder.decode(encodedPayload));
@@ -2811,6 +2929,10 @@ var init_jwt_claims_set = __esm({
       if (!isObject2(payload)) {
         throw new JWTInvalid("JWT Claims Set must be a top-level JSON object");
       }
+      const { typ } = options;
+      if (typ && (typeof protectedHeader.typ !== "string" || normalizeTyp(protectedHeader.typ) !== normalizeTyp(typ))) {
+        throw new JWTClaimValidationFailed('unexpected "typ" JWT header value', payload, "typ", "check_failed");
+      }
       const { requiredClaims = [], issuer, subject, audience, maxTokenAge } = options;
       const presenceCheck = [...requiredClaims];
       if (maxTokenAge !== void 0)
@@ -2823,17 +2945,17 @@ var init_jwt_claims_set = __esm({
         presenceCheck.push("iss");
       for (const claim of new Set(presenceCheck.reverse())) {
         if (!(claim in payload)) {
-          throw new JWTClaimValidationFailed(`missing required "${claim}" claim`, claim, "missing");
+          throw new JWTClaimValidationFailed(`missing required "${claim}" claim`, payload, claim, "missing");
         }
       }
       if (issuer && !(Array.isArray(issuer) ? issuer : [issuer]).includes(payload.iss)) {
-        throw new JWTClaimValidationFailed('unexpected "iss" claim value', "iss", "check_failed");
+        throw new JWTClaimValidationFailed('unexpected "iss" claim value', payload, "iss", "check_failed");
       }
       if (subject && payload.sub !== subject) {
-        throw new JWTClaimValidationFailed('unexpected "sub" claim value', "sub", "check_failed");
+        throw new JWTClaimValidationFailed('unexpected "sub" claim value', payload, "sub", "check_failed");
       }
       if (audience && !checkAudiencePresence(payload.aud, typeof audience === "string" ? [audience] : audience)) {
-        throw new JWTClaimValidationFailed('unexpected "aud" claim value', "aud", "check_failed");
+        throw new JWTClaimValidationFailed('unexpected "aud" claim value', payload, "aud", "check_failed");
       }
       let tolerance;
       switch (typeof options.clockTolerance) {
@@ -2852,32 +2974,32 @@ var init_jwt_claims_set = __esm({
       const { currentDate } = options;
       const now = epoch_default(currentDate || /* @__PURE__ */ new Date());
       if ((payload.iat !== void 0 || maxTokenAge) && typeof payload.iat !== "number") {
-        throw new JWTClaimValidationFailed('"iat" claim must be a number', "iat", "invalid");
+        throw new JWTClaimValidationFailed('"iat" claim must be a number', payload, "iat", "invalid");
       }
       if (payload.nbf !== void 0) {
         if (typeof payload.nbf !== "number") {
-          throw new JWTClaimValidationFailed('"nbf" claim must be a number', "nbf", "invalid");
+          throw new JWTClaimValidationFailed('"nbf" claim must be a number', payload, "nbf", "invalid");
         }
         if (payload.nbf > now + tolerance) {
-          throw new JWTClaimValidationFailed('"nbf" claim timestamp check failed', "nbf", "check_failed");
+          throw new JWTClaimValidationFailed('"nbf" claim timestamp check failed', payload, "nbf", "check_failed");
         }
       }
       if (payload.exp !== void 0) {
         if (typeof payload.exp !== "number") {
-          throw new JWTClaimValidationFailed('"exp" claim must be a number', "exp", "invalid");
+          throw new JWTClaimValidationFailed('"exp" claim must be a number', payload, "exp", "invalid");
         }
         if (payload.exp <= now - tolerance) {
-          throw new JWTExpired('"exp" claim timestamp check failed', "exp", "check_failed");
+          throw new JWTExpired('"exp" claim timestamp check failed', payload, "exp", "check_failed");
         }
       }
       if (maxTokenAge) {
         const age = now - payload.iat;
         const max = typeof maxTokenAge === "number" ? maxTokenAge : secs_default(maxTokenAge);
         if (age - tolerance > max) {
-          throw new JWTExpired('"iat" claim timestamp check failed (too far in the past)', "iat", "check_failed");
+          throw new JWTExpired('"iat" claim timestamp check failed (too far in the past)', payload, "iat", "check_failed");
         }
         if (age < 0 - tolerance) {
-          throw new JWTClaimValidationFailed('"iat" claim timestamp check failed (it should be in the past)', "iat", "check_failed");
+          throw new JWTClaimValidationFailed('"iat" claim timestamp check failed (it should be in the past)', payload, "iat", "check_failed");
         }
       }
       return payload;
@@ -2913,13 +3035,13 @@ async function jwtDecrypt(jwt, key, options) {
   const payload = jwt_claims_set_default(decrypted.protectedHeader, decrypted.plaintext, options);
   const { protectedHeader } = decrypted;
   if (protectedHeader.iss !== void 0 && protectedHeader.iss !== payload.iss) {
-    throw new JWTClaimValidationFailed('replicated "iss" claim header parameter mismatch', "iss", "mismatch");
+    throw new JWTClaimValidationFailed('replicated "iss" claim header parameter mismatch', payload, "iss", "mismatch");
   }
   if (protectedHeader.sub !== void 0 && protectedHeader.sub !== payload.sub) {
-    throw new JWTClaimValidationFailed('replicated "sub" claim header parameter mismatch', "sub", "mismatch");
+    throw new JWTClaimValidationFailed('replicated "sub" claim header parameter mismatch', payload, "sub", "mismatch");
   }
   if (protectedHeader.aud !== void 0 && JSON.stringify(protectedHeader.aud) !== JSON.stringify(payload.aud)) {
-    throw new JWTClaimValidationFailed('replicated "aud" claim header parameter mismatch', "aud", "mismatch");
+    throw new JWTClaimValidationFailed('replicated "aud" claim header parameter mismatch', payload, "aud", "mismatch");
   }
   const result = { payload, protectedHeader };
   if (typeof key === "function") {
@@ -3045,7 +3167,7 @@ var init_sign2 = __esm({
         if (typeof alg !== "string" || !alg) {
           throw new JWSInvalid('JWS "alg" (Algorithm) Header Parameter missing or invalid');
         }
-        check_key_type_default(alg, key, "sign");
+        checkKeyTypeWithJwk(alg, key, "sign");
         let payload = this._payload;
         if (b64) {
           payload = encoder.encode(encode(payload));
@@ -3476,7 +3598,16 @@ async function importWithAlgCache(cache, jwk, alg) {
 }
 function createLocalJWKSet(jwks) {
   const set = new LocalJWKSet(jwks);
-  return async (protectedHeader, token) => set.getKey(protectedHeader, token);
+  const localJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);
+  Object.defineProperties(localJWKSet, {
+    jwks: {
+      value: () => clone(set._jwks),
+      enumerable: true,
+      configurable: false,
+      writable: false
+    }
+  });
+  return localJWKSet;
 }
 var LocalJWKSet;
 var init_local = __esm({
@@ -3599,26 +3730,68 @@ var init_fetch_jwks = __esm({
 function isCloudflareWorkers() {
   return typeof WebSocketPair !== "undefined" || typeof navigator !== "undefined" && navigator.userAgent === "Cloudflare-Workers" || typeof EdgeRuntime !== "undefined" && EdgeRuntime === "vercel";
 }
+function isFreshJwksCache(input, cacheMaxAge) {
+  if (typeof input !== "object" || input === null) {
+    return false;
+  }
+  if (!("uat" in input) || typeof input.uat !== "number" || Date.now() - input.uat >= cacheMaxAge) {
+    return false;
+  }
+  if (!("jwks" in input) || !isObject2(input.jwks) || !Array.isArray(input.jwks.keys) || !Array.prototype.every.call(input.jwks.keys, isObject2)) {
+    return false;
+  }
+  return true;
+}
 function createRemoteJWKSet(url, options) {
   const set = new RemoteJWKSet(url, options);
-  return async (protectedHeader, token) => set.getKey(protectedHeader, token);
+  const remoteJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);
+  Object.defineProperties(remoteJWKSet, {
+    coolingDown: {
+      get: () => set.coolingDown(),
+      enumerable: true,
+      configurable: false
+    },
+    fresh: {
+      get: () => set.fresh(),
+      enumerable: true,
+      configurable: false
+    },
+    reload: {
+      value: () => set.reload(),
+      enumerable: true,
+      configurable: false,
+      writable: false
+    },
+    reloading: {
+      get: () => !!set._pendingFetch,
+      enumerable: true,
+      configurable: false
+    },
+    jwks: {
+      value: () => set._local?.jwks(),
+      enumerable: true,
+      configurable: false,
+      writable: false
+    }
+  });
+  return remoteJWKSet;
 }
-var USER_AGENT, RemoteJWKSet;
+var USER_AGENT, jwksCache, RemoteJWKSet, experimental_jwksCache;
 var init_remote = __esm({
   "../../node_modules/jose/dist/browser/jwks/remote.js"() {
     "use strict";
     init_fetch_jwks();
     init_errors();
     init_local();
+    init_is_object();
     if (typeof navigator === "undefined" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) {
       const NAME = "jose";
-      const VERSION = "v5.2.3";
+      const VERSION = "v5.9.6";
       USER_AGENT = `${NAME}/${VERSION}`;
     }
-    RemoteJWKSet = class extends LocalJWKSet {
+    jwksCache = Symbol();
+    RemoteJWKSet = class {
       constructor(url, options) {
-        super({ keys: [] });
-        this._jwks = void 0;
         if (!(url instanceof URL)) {
           throw new TypeError("url must be an instance of URL");
         }
@@ -3627,6 +3800,13 @@ var init_remote = __esm({
         this._timeoutDuration = typeof options?.timeoutDuration === "number" ? options?.timeoutDuration : 5e3;
         this._cooldownDuration = typeof options?.cooldownDuration === "number" ? options?.cooldownDuration : 3e4;
         this._cacheMaxAge = typeof options?.cacheMaxAge === "number" ? options?.cacheMaxAge : 6e5;
+        if (options?.[jwksCache] !== void 0) {
+          this._cache = options?.[jwksCache];
+          if (isFreshJwksCache(options?.[jwksCache], this._cacheMaxAge)) {
+            this._jwksTimestamp = this._cache.uat;
+            this._local = createLocalJWKSet(this._cache.jwks);
+          }
+        }
       }
       coolingDown() {
         return typeof this._jwksTimestamp === "number" ? Date.now() < this._jwksTimestamp + this._cooldownDuration : false;
@@ -3635,16 +3815,16 @@ var init_remote = __esm({
         return typeof this._jwksTimestamp === "number" ? Date.now() < this._jwksTimestamp + this._cacheMaxAge : false;
       }
       async getKey(protectedHeader, token) {
-        if (!this._jwks || !this.fresh()) {
+        if (!this._local || !this.fresh()) {
           await this.reload();
         }
         try {
-          return await super.getKey(protectedHeader, token);
+          return await this._local(protectedHeader, token);
         } catch (err) {
           if (err instanceof JWKSNoMatchingKey) {
             if (this.coolingDown() === false) {
               await this.reload();
-              return super.getKey(protectedHeader, token);
+              return this._local(protectedHeader, token);
             }
           }
           throw err;
@@ -3660,10 +3840,11 @@ var init_remote = __esm({
           this._options.headers = Object.fromEntries(headers.entries());
         }
         this._pendingFetch || (this._pendingFetch = fetch_jwks_default(this._url, this._timeoutDuration, this._options).then((json) => {
-          if (!isJWKSLike(json)) {
-            throw new JWKSInvalid("JSON Web Key Set malformed");
+          this._local = createLocalJWKSet(json);
+          if (this._cache) {
+            this._cache.uat = Date.now();
+            this._cache.jwks = json;
           }
-          this._jwks = { keys: json.keys };
           this._jwksTimestamp = Date.now();
           this._pendingFetch = void 0;
         }).catch((err) => {
@@ -3673,6 +3854,7 @@ var init_remote = __esm({
         await this._pendingFetch;
       }
     };
+    experimental_jwksCache = jwksCache;
   }
 });
 
@@ -4017,6 +4199,7 @@ __export(browser_exports, {
   decodeJwt: () => decodeJwt,
   decodeProtectedHeader: () => decodeProtectedHeader,
   errors: () => errors_exports,
+  experimental_jwksCache: () => experimental_jwksCache,
   exportJWK: () => exportJWK,
   exportPKCS8: () => exportPKCS8,
   exportSPKI: () => exportSPKI,
@@ -4030,6 +4213,7 @@ __export(browser_exports, {
   importPKCS8: () => importPKCS8,
   importSPKI: () => importSPKI,
   importX509: () => importX509,
+  jwksCache: () => jwksCache,
   jwtDecrypt: () => jwtDecrypt,
   jwtVerify: () => jwtVerify
 });
@@ -4219,10 +4403,10 @@ function buildHostModule(val, host) {
 
 // ../../node_modules/@wix/sdk/build/bi/biHeaderGenerator.js
 var WixBIHeaderName = "x-wix-bi-gateway";
-function biHeaderGenerator(apiMetadata, publicMetadata) {
+function biHeaderGenerator(apiMetadata, publicMetadata, environment) {
   return {
     [WixBIHeaderName]: objectToKeyValue({
-      environment: "js-sdk",
+      environment: `js-sdk${environment ? `-${environment}` : ``}`,
       "package-name": apiMetadata.packageName ?? publicMetadata?.PACKAGE_NAME,
       "method-fqn": apiMetadata.methodFqn,
       entity: apiMetadata.entityFqdn
@@ -4266,7 +4450,7 @@ function runWithoutContext(fn) {
 }
 
 // ../../node_modules/@wix/sdk/build/rest-modules.js
-function buildRESTDescriptor(origFunc, publicMetadata, boundFetch, wixAPIFetch, getActiveToken, options) {
+function buildRESTDescriptor(origFunc, publicMetadata, boundFetch, wixAPIFetch, getActiveToken, options, hostName) {
   return runWithoutContext(() => origFunc({
     request: async (factory) => {
       const requestOptions = factory({
@@ -4282,7 +4466,7 @@ function buildRESTDescriptor(origFunc, publicMetadata, boundFetch, wixAPIFetch,
         url += `?${request.params.toString()}`;
       }
       try {
-        const biHeader = biHeaderGenerator(requestOptions, publicMetadata);
+        const biHeader = biHeaderGenerator(requestOptions, publicMetadata, hostName);
         const res = await boundFetch(url, {
           method: request.method,
           ...request.data && {
@@ -4599,7 +4783,7 @@ function createClient(config) {
         finalUrl.host = apiBaseUrl;
         finalUrl.protocol = "https";
         return boundFetch(finalUrl.toString(), fetchOptions);
-      }, authStrategy.getActiveToken, { HTTPHost: apiBaseUrl });
+      }, authStrategy.getActiveToken, { HTTPHost: apiBaseUrl }, config.host?.name);
     } else if (isObject(modules)) {
       return Object.fromEntries(Object.entries(modules).map(([key, value]) => {
         return [key, use(value, modules[PUBLIC_METADATA_KEY])];
@@ -4697,6 +4881,7 @@ function createClient(config) {
 function AppStrategy(opts) {
   const authServerBaseUrl = opts.authServerBaseUrl ?? "https://www.wixapis.com";
   let refreshToken = "refreshToken" in opts ? opts.refreshToken : void 0;
+  let cachedToken;
   return {
     getInstallUrl({ redirectUrl, token, state }) {
       const params = new URLSearchParams();
@@ -4749,6 +4934,13 @@ function AppStrategy(opts) {
       };
     },
     async getAuthHeaders() {
+      if (cachedToken && cachedToken.expiresAt > Date.now()) {
+        return {
+          headers: {
+            Authorization: cachedToken.token
+          }
+        };
+      }
       if ("refreshToken" in opts || refreshToken) {
         if (!opts.appSecret) {
           throw new Error("App secret is required for retrieveing app-level access tokens. Make sure to pass it to the AppStrategy");
@@ -4797,15 +4989,38 @@ function AppStrategy(opts) {
           throw new Error(`Failed to exchange instance ID for access token. Unexpected status code from Wix OAuth API: ${tokensRes.status}`);
         }
         const tokens = await tokensRes.json();
+        cachedToken = {
+          token: tokens.access_token,
+          expiresAt: Date.now() + tokens.expires_in * 1e3
+        };
         return {
           headers: {
             Authorization: tokens.access_token
           }
         };
       } else if ("accessToken" in opts && opts.accessToken) {
+        const tokenRes = await fetch(new URL("/oauth2/token", authServerBaseUrl), {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/json"
+          },
+          body: JSON.stringify({
+            grant_type: "strip_bound_session",
+            client_secret: opts.appSecret,
+            access_token: opts.accessToken
+          })
+        });
+        if (tokenRes.status !== 200) {
+          throw new Error(`Failed to get unbound token. Unexpected status code from Wix OAuth API: ${tokenRes.status}`);
+        }
+        const { access_token, expires_in } = await tokenRes.json();
+        cachedToken = {
+          token: access_token,
+          expiresAt: Date.now() + expires_in * 1e3
+        };
         return {
           headers: {
-            Authorization: opts.accessToken
+            Authorization: access_token
           }
         };
       } else {
@@ -5057,9 +5272,7 @@ var ServicePluginHandler = class {
         "passing a `callsHandler` is required for running service plugins"
       );
     }
-    const processedRequest = await this.wixClient.servicePlugins.parseRequest(
-      request
-    );
+    const processedRequest = await this.wixClient.servicePlugins.parseRequest(request);
     const { instanceId } = processedRequest.metadata;
     const servicePluginData = await this.callsHandler.run(
       null,