authhero 6.0.0 → 7.1.0

package/dist/types/routes/management-api/users.d.ts

@@ -737,7 +737,7 @@ export declare const userRoutes: OpenAPIHono<{
                 };
             };
             output: {
-                type: "fc" | "fd" | "fn" | "i" | "sapi" | "acls_summary" | "actions_execution_failed" | "api_limit" | "api_limit_warning" | "appi" | "ciba_exchange_failed" | "ciba_exchange_succeeded" | "ciba_start_failed" | "ciba_start_succeeded" | "cls" | "cs" | "depnote" | "f" | "fce" | "fco" | "fcoa" | "fcp" | "fcph" | "fcpn" | "fcpr" | "fcpro" | "fcu" | "fdeac" | "fdeaz" | "fdecc" | "fdu" | "feacft" | "feccft" | "fecte" | "fede" | "federated_logout_failed" | "fens" | "feoobft" | "feotpft" | "fepft" | "fepotpft" | "fercft" | "ferrt" | "fertft" | "festft" | "fh" | "fimp" | "fi" | "flo" | "flows_execution_completed" | "flows_execution_failed" | "forms_submission_failed" | "forms_submission_succeeded" | "fp" | "fpar" | "fpurh" | "fs" | "fsa" | "fu" | "fui" | "fv" | "fvr" | "gd_auth_email_verification" | "gd_auth_fail_email_verification" | "gd_auth_failed" | "gd_auth_rejected" | "gd_auth_succeed" | "gd_enrollment_complete" | "gd_otp_rate_limit_exceed" | "gd_recovery_failed" | "gd_recovery_rate_limit_exceed" | "gd_recovery_succeed" | "gd_send_email" | "gd_send_email_verification" | "gd_send_email_verification_failure" | "gd_send_pn" | "gd_send_pn_failure" | "gd_send_sms" | "gd_send_sms_failure" | "gd_send_voice" | "gd_send_voice_failure" | "gd_start_auth" | "gd_start_enroll" | "gd_start_enroll_failed" | "gd_tenant_update" | "gd_unenroll" | "gd_update_device_account" | "gd_webauthn_challenge_failed" | "gd_webauthn_enrollment_failed" | "kms_key_management_failure" | "kms_key_management_success" | "kms_key_state_changed" | "limit_delegation" | "limit_mu" | "limit_sul" | "limit_wc" | "mfar" | "mgmt_api_read" | "my_account_authentication_method_failed" | "my_account_authentication_method_succeeded" | "oidc_backchannel_logout_failed" | "oidc_backchannel_logout_succeeded" | "organization_member_added" | "passkey_challenge_failed" | "passkey_challenge_started" | "pla" | "pwd_leak" | "reset_pwd_leak" | "resource_cleanup" | "rich_consents_access_error" | "s" | "fapi" | "sce" | "scoa" | "scp" | "scpn" | "scpr" | "scu" | "scv" | "sd" | "sdu" | "seacft" | "seccft" | "secte" | "sede" | "sens" | "seoobft" | "seotpft" | "sepotpft" | "sepft" | "sepkoobft" | "sepkotpft" | "sepkrcft" | "sercft" | "sertft" | "sestft" | "simp" | "si" | "signup_pwd_leak" | "slo" | "sh" | "spm" | "srrt" | "ss" | "ss_sso_failure" | "ss_sso_info" | "ss_sso_success" | "ssa" | "sscim" | "sui" | "sv" | "svr" | "too_many_records" | "ublkdu" | "universal_logout_failed" | "universal_logout_succeeded" | "w" | "wn" | "wum";
+                type: "fn" | "i" | "sapi" | "acls_summary" | "actions_execution_failed" | "api_limit" | "api_limit_warning" | "appi" | "ciba_exchange_failed" | "ciba_exchange_succeeded" | "ciba_start_failed" | "ciba_start_succeeded" | "cls" | "cs" | "depnote" | "f" | "fc" | "fce" | "fco" | "fcoa" | "fcp" | "fcph" | "fcpn" | "fcpr" | "fcpro" | "fcu" | "fd" | "fdeac" | "fdeaz" | "fdecc" | "fdu" | "feacft" | "feccft" | "fecte" | "fede" | "federated_logout_failed" | "fens" | "feoobft" | "feotpft" | "fepft" | "fepotpft" | "fercft" | "ferrt" | "fertft" | "festft" | "fh" | "fimp" | "fi" | "flo" | "flows_execution_completed" | "flows_execution_failed" | "forms_submission_failed" | "forms_submission_succeeded" | "fp" | "fpar" | "fpurh" | "fs" | "fsa" | "fu" | "fui" | "fv" | "fvr" | "gd_auth_email_verification" | "gd_auth_fail_email_verification" | "gd_auth_failed" | "gd_auth_rejected" | "gd_auth_succeed" | "gd_enrollment_complete" | "gd_otp_rate_limit_exceed" | "gd_recovery_failed" | "gd_recovery_rate_limit_exceed" | "gd_recovery_succeed" | "gd_send_email" | "gd_send_email_verification" | "gd_send_email_verification_failure" | "gd_send_pn" | "gd_send_pn_failure" | "gd_send_sms" | "gd_send_sms_failure" | "gd_send_voice" | "gd_send_voice_failure" | "gd_start_auth" | "gd_start_enroll" | "gd_start_enroll_failed" | "gd_tenant_update" | "gd_unenroll" | "gd_update_device_account" | "gd_webauthn_challenge_failed" | "gd_webauthn_enrollment_failed" | "kms_key_management_failure" | "kms_key_management_success" | "kms_key_state_changed" | "limit_delegation" | "limit_mu" | "limit_sul" | "limit_wc" | "mfar" | "mgmt_api_read" | "my_account_authentication_method_failed" | "my_account_authentication_method_succeeded" | "oidc_backchannel_logout_failed" | "oidc_backchannel_logout_succeeded" | "organization_member_added" | "passkey_challenge_failed" | "passkey_challenge_started" | "pla" | "pwd_leak" | "reset_pwd_leak" | "resource_cleanup" | "rich_consents_access_error" | "s" | "fapi" | "sce" | "scoa" | "scp" | "scpn" | "scpr" | "scu" | "scv" | "sd" | "sdu" | "seacft" | "seccft" | "secte" | "sede" | "sens" | "seoobft" | "seotpft" | "sepotpft" | "sepft" | "sepkoobft" | "sepkotpft" | "sepkrcft" | "sercft" | "sertft" | "sestft" | "simp" | "si" | "signup_pwd_leak" | "slo" | "sh" | "spm" | "srrt" | "ss" | "ss_sso_failure" | "ss_sso_info" | "ss_sso_success" | "ssa" | "sscim" | "sui" | "sv" | "svr" | "too_many_records" | "ublkdu" | "universal_logout_failed" | "universal_logout_succeeded" | "w" | "wn" | "wum";
                 date: string;
                 isMobile: boolean;
                 log_id: string;
@@ -776,7 +776,7 @@ export declare const userRoutes: OpenAPIHono<{
                 limit: number;
                 length: number;
                 logs: {
-                    type: "fc" | "fd" | "fn" | "i" | "sapi" | "acls_summary" | "actions_execution_failed" | "api_limit" | "api_limit_warning" | "appi" | "ciba_exchange_failed" | "ciba_exchange_succeeded" | "ciba_start_failed" | "ciba_start_succeeded" | "cls" | "cs" | "depnote" | "f" | "fce" | "fco" | "fcoa" | "fcp" | "fcph" | "fcpn" | "fcpr" | "fcpro" | "fcu" | "fdeac" | "fdeaz" | "fdecc" | "fdu" | "feacft" | "feccft" | "fecte" | "fede" | "federated_logout_failed" | "fens" | "feoobft" | "feotpft" | "fepft" | "fepotpft" | "fercft" | "ferrt" | "fertft" | "festft" | "fh" | "fimp" | "fi" | "flo" | "flows_execution_completed" | "flows_execution_failed" | "forms_submission_failed" | "forms_submission_succeeded" | "fp" | "fpar" | "fpurh" | "fs" | "fsa" | "fu" | "fui" | "fv" | "fvr" | "gd_auth_email_verification" | "gd_auth_fail_email_verification" | "gd_auth_failed" | "gd_auth_rejected" | "gd_auth_succeed" | "gd_enrollment_complete" | "gd_otp_rate_limit_exceed" | "gd_recovery_failed" | "gd_recovery_rate_limit_exceed" | "gd_recovery_succeed" | "gd_send_email" | "gd_send_email_verification" | "gd_send_email_verification_failure" | "gd_send_pn" | "gd_send_pn_failure" | "gd_send_sms" | "gd_send_sms_failure" | "gd_send_voice" | "gd_send_voice_failure" | "gd_start_auth" | "gd_start_enroll" | "gd_start_enroll_failed" | "gd_tenant_update" | "gd_unenroll" | "gd_update_device_account" | "gd_webauthn_challenge_failed" | "gd_webauthn_enrollment_failed" | "kms_key_management_failure" | "kms_key_management_success" | "kms_key_state_changed" | "limit_delegation" | "limit_mu" | "limit_sul" | "limit_wc" | "mfar" | "mgmt_api_read" | "my_account_authentication_method_failed" | "my_account_authentication_method_succeeded" | "oidc_backchannel_logout_failed" | "oidc_backchannel_logout_succeeded" | "organization_member_added" | "passkey_challenge_failed" | "passkey_challenge_started" | "pla" | "pwd_leak" | "reset_pwd_leak" | "resource_cleanup" | "rich_consents_access_error" | "s" | "fapi" | "sce" | "scoa" | "scp" | "scpn" | "scpr" | "scu" | "scv" | "sd" | "sdu" | "seacft" | "seccft" | "secte" | "sede" | "sens" | "seoobft" | "seotpft" | "sepotpft" | "sepft" | "sepkoobft" | "sepkotpft" | "sepkrcft" | "sercft" | "sertft" | "sestft" | "simp" | "si" | "signup_pwd_leak" | "slo" | "sh" | "spm" | "srrt" | "ss" | "ss_sso_failure" | "ss_sso_info" | "ss_sso_success" | "ssa" | "sscim" | "sui" | "sv" | "svr" | "too_many_records" | "ublkdu" | "universal_logout_failed" | "universal_logout_succeeded" | "w" | "wn" | "wum";
+                    type: "fn" | "i" | "sapi" | "acls_summary" | "actions_execution_failed" | "api_limit" | "api_limit_warning" | "appi" | "ciba_exchange_failed" | "ciba_exchange_succeeded" | "ciba_start_failed" | "ciba_start_succeeded" | "cls" | "cs" | "depnote" | "f" | "fc" | "fce" | "fco" | "fcoa" | "fcp" | "fcph" | "fcpn" | "fcpr" | "fcpro" | "fcu" | "fd" | "fdeac" | "fdeaz" | "fdecc" | "fdu" | "feacft" | "feccft" | "fecte" | "fede" | "federated_logout_failed" | "fens" | "feoobft" | "feotpft" | "fepft" | "fepotpft" | "fercft" | "ferrt" | "fertft" | "festft" | "fh" | "fimp" | "fi" | "flo" | "flows_execution_completed" | "flows_execution_failed" | "forms_submission_failed" | "forms_submission_succeeded" | "fp" | "fpar" | "fpurh" | "fs" | "fsa" | "fu" | "fui" | "fv" | "fvr" | "gd_auth_email_verification" | "gd_auth_fail_email_verification" | "gd_auth_failed" | "gd_auth_rejected" | "gd_auth_succeed" | "gd_enrollment_complete" | "gd_otp_rate_limit_exceed" | "gd_recovery_failed" | "gd_recovery_rate_limit_exceed" | "gd_recovery_succeed" | "gd_send_email" | "gd_send_email_verification" | "gd_send_email_verification_failure" | "gd_send_pn" | "gd_send_pn_failure" | "gd_send_sms" | "gd_send_sms_failure" | "gd_send_voice" | "gd_send_voice_failure" | "gd_start_auth" | "gd_start_enroll" | "gd_start_enroll_failed" | "gd_tenant_update" | "gd_unenroll" | "gd_update_device_account" | "gd_webauthn_challenge_failed" | "gd_webauthn_enrollment_failed" | "kms_key_management_failure" | "kms_key_management_success" | "kms_key_state_changed" | "limit_delegation" | "limit_mu" | "limit_sul" | "limit_wc" | "mfar" | "mgmt_api_read" | "my_account_authentication_method_failed" | "my_account_authentication_method_succeeded" | "oidc_backchannel_logout_failed" | "oidc_backchannel_logout_succeeded" | "organization_member_added" | "passkey_challenge_failed" | "passkey_challenge_started" | "pla" | "pwd_leak" | "reset_pwd_leak" | "resource_cleanup" | "rich_consents_access_error" | "s" | "fapi" | "sce" | "scoa" | "scp" | "scpn" | "scpr" | "scu" | "scv" | "sd" | "sdu" | "seacft" | "seccft" | "secte" | "sede" | "sens" | "seoobft" | "seotpft" | "sepotpft" | "sepft" | "sepkoobft" | "sepkotpft" | "sepkrcft" | "sercft" | "sertft" | "sestft" | "simp" | "si" | "signup_pwd_leak" | "slo" | "sh" | "spm" | "srrt" | "ss" | "ss_sso_failure" | "ss_sso_info" | "ss_sso_success" | "ssa" | "sscim" | "sui" | "sv" | "svr" | "too_many_records" | "ublkdu" | "universal_logout_failed" | "universal_logout_succeeded" | "w" | "wn" | "wum";
                     date: string;
                     isMobile: boolean;
                     log_id: string;

package/dist/types/routes/proxy-control-plane/index.d.ts

@@ -2,6 +2,7 @@ import { Hono } from "hono";
 import type { ResolvedHost } from "@authhero/proxy";
 import { CustomDomain, CustomDomainsAdapter, ProxyRoute, ProxyRoutesAdapter } from "@authhero/adapter-interfaces";
 import { SyncEvent } from "../../helpers/control-plane-sync-events";
+import { Bindings } from "../../types";
 export interface ProxyControlPlaneOptions {
     /**
      * Cross-tenant host resolver. Typically delegated to a database adapter's
@@ -9,13 +10,12 @@ export interface ProxyControlPlaneOptions {
      */
     resolveHost: (host: string) => Promise<ResolvedHost | null>;
     /**
-     * Authentication check for incoming requests. Return `true` to allow,
-     * `false` to reject with 401. The control-plane endpoint is cross-tenant
-     * and must not be exposed to regular tenant tokens — use a dedicated
-     * proxy-reader credential (shared secret, mTLS, JWT with `proxy:resolve_host`
-     * scope, …).
+     * Optional fetch override for the per-issuer JWKS document. Called with
+     * the derived URL (`<iss>/.well-known/jwks.json`); defaults to global
+     * `fetch`. Hosts on Cloudflare Workers can route specific hosts through a
+     * service binding by inspecting the URL and dispatching accordingly.
      */
-    authenticate: (request: Request) => Promise<boolean> | boolean;
+    jwksFetch?: (url: string) => Promise<Response>;
     /**
      * Optional handler for `POST /sync` — receives `controlplane.sync.*` events
      * emitted by tenant shards via `ControlPlaneSyncDestination` and replicates
@@ -34,8 +34,17 @@ export interface ProxyControlPlaneOptions {
  * `GET /hosts/:host`. When `applySyncEvents` is provided, also exposes
  * `POST /sync` for tenant shards to replicate custom_domains / proxy_routes
  * mutations. Mount under `/api/v2/proxy/control-plane`.
+ *
+ * Authentication is built in: requests must carry a `Bearer` JWT whose `iss`
+ * is either the runtime `env.ISSUER` or the host the request actually
+ * arrived on (`x-forwarded-host` or the request URL's host). The verifier
+ * then fetches `<iss>/.well-known/jwks.json` to validate the signature, so
+ * each accepted host must publish its own JWKS at that path. Tokens must
+ * also carry the `proxy:resolve_host` scope.
  */
-export declare function createProxyControlPlaneApp(options: ProxyControlPlaneOptions): Hono;
+export declare function createProxyControlPlaneApp(options: ProxyControlPlaneOptions): Hono<{
+    Bindings: Bindings;
+}>;
 export interface CreateApplySyncEventsOptions {
     customDomains: CustomDomainsAdapter;
     proxyRoutes?: ProxyRoutesAdapter;

package/dist/types/routes/proxy-control-plane/verify.d.ts

@@ -0,0 +1,44 @@
+import { PROXY_RESOLVE_HOST_SCOPE } from "@authhero/proxy";
+/**
+ * Strict issuer equality: parse both `iss` and `expected` as URLs and compare
+ * the resulting hrefs after stripping any single trailing slash. No host-only
+ * match, no subdomain match — a token issued by `https://a.example.com/` and
+ * an expected `https://b.example.com/` (or `https://example.com/x/`) must NOT
+ * be treated as equivalent.
+ */
+export declare function isAllowedIssuer(iss: string, expected: string): boolean;
+export type VerifyControlPlaneTokenResult = {
+    ok: true;
+} | {
+    ok: false;
+    reason: string;
+};
+export interface VerifyControlPlaneTokenOptions {
+    /** Compact JWS to verify. */
+    token: string;
+    /** Optional fetch override — defaults to global `fetch`. */
+    jwksFetch?: (url: string) => Promise<Response>;
+    /**
+     * Set of acceptable `iss` claim values. Comparison is strict URL equality
+     * (after trailing-slash normalization) via {@link isAllowedIssuer}. The
+     * verifier fetches the per-issuer JWKS from `<iss>/.well-known/jwks.json`,
+     * so any host you list here must publish its own JWKS at that path.
+     */
+    expectedIssuers: string[];
+    /** Required `scope` (space-separated). Defaults to `proxy:resolve_host`. */
+    requiredScope?: string;
+}
+/**
+ * Verify a bearer token for the proxy control plane. Returns `{ ok: true }`
+ * on success, `{ ok: false, reason }` on any failure — the reason is for
+ * logs only and must not be surfaced to the caller.
+ *
+ * Accepted algs: RS256/384/512, ES256/384/512. The JWK's `alg` must match
+ * the token header's `alg`. The token must carry the configured required
+ * scope (`proxy:resolve_host` by default) and an `iss` that strictly equals
+ * one of `expectedIssuers` after URL normalization. The JWKS document is
+ * fetched from `<iss>/.well-known/jwks.json` AFTER the `iss` is allow-listed,
+ * so an attacker cannot redirect the verifier to a JWKS they control.
+ */
+export declare function verifyControlPlaneToken(options: VerifyControlPlaneTokenOptions): Promise<VerifyControlPlaneTokenResult>;
+export { PROXY_RESOLVE_HOST_SCOPE };

package/dist/types/routes/universal-login/common.d.ts

@@ -447,7 +447,7 @@ export declare function initJSXRoute(ctx: Context<{
         custom_login_page_preview?: string | undefined;
         form_template?: string | undefined;
         addons?: Record<string, any> | undefined;
-        token_endpoint_auth_method?: "none" | "private_key_jwt" | "client_secret_post" | "client_secret_basic" | "client_secret_jwt" | undefined;
+        token_endpoint_auth_method?: "client_secret_post" | "client_secret_basic" | "none" | "private_key_jwt" | "client_secret_jwt" | undefined;
         client_metadata?: Record<string, string> | undefined;
         hide_sign_up_disabled_error?: boolean | undefined;
         mobile?: Record<string, any> | undefined;
@@ -1166,7 +1166,7 @@ export declare function initJSXRouteWithSession(ctx: Context<{
         custom_login_page_preview?: string | undefined;
         form_template?: string | undefined;
         addons?: Record<string, any> | undefined;
-        token_endpoint_auth_method?: "none" | "private_key_jwt" | "client_secret_post" | "client_secret_basic" | "client_secret_jwt" | undefined;
+        token_endpoint_auth_method?: "client_secret_post" | "client_secret_basic" | "none" | "private_key_jwt" | "client_secret_jwt" | undefined;
         client_metadata?: Record<string, string> | undefined;
         hide_sign_up_disabled_error?: boolean | undefined;
         mobile?: Record<string, any> | undefined;

package/dist/types/routes/universal-login/flow-api.d.ts

@@ -27,7 +27,7 @@ export declare const flowApiRoutes: OpenAPIHono<{
             output: {
                 screen: {
                     action: string;
-                    method: "GET" | "POST";
+                    method: "POST" | "GET";
                     components: {
                         id: string;
                         type: string;
@@ -107,7 +107,7 @@ export declare const flowApiRoutes: OpenAPIHono<{
             output: {
                 screen: {
                     action: string;
-                    method: "GET" | "POST";
+                    method: "POST" | "GET";
                     components: {
                         id: string;
                         type: string;
@@ -204,7 +204,7 @@ export declare const flowApiRoutes: OpenAPIHono<{
             output: {
                 screen: {
                     action: string;
-                    method: "GET" | "POST";
+                    method: "POST" | "GET";
                     components: {
                         id: string;
                         type: string;
@@ -319,7 +319,7 @@ export declare const flowApiRoutes: OpenAPIHono<{
             output: {
                 screen: {
                     action: string;
-                    method: "GET" | "POST";
+                    method: "POST" | "GET";
                     components: {
                         id: string;
                         type: string;

package/dist/types/types/AuthHeroConfig.d.ts

@@ -283,14 +283,24 @@ export interface AuthHeroConfig {
      * data plane. When set, mounts `GET /api/v2/proxy/control-plane/hosts/:host`
      * which returns the cross-tenant `ResolvedHost` for the given hostname.
      *
-     * This endpoint is read by remote proxy deployments via
-     * `createHttpProxyAdapter`. It is **cross-tenant** — gate it with a
-     * dedicated credential (shared secret, mTLS, or a JWT scoped to
-     * `proxy:resolve_host`), never with a tenant token.
+     * Authentication is opinionated and built in: incoming requests must
+     * carry a `Bearer` JWT whose `iss` is either the runtime `env.ISSUER`
+     * or the host the request landed on (tenant subdomain or registered
+     * custom domain). The verifier fetches `<iss>/.well-known/jwks.json` to
+     * validate the signature, so each accepted host must publish its own
+     * JWKS at that path. Tokens must also carry the `proxy:resolve_host`
+     * scope. The matching client-side helper is `createHttpProxyAdapter`
+     * in `@authhero/proxy`.
      */
     proxyControlPlane?: {
         resolveHost: (host: string) => Promise<import("@authhero/proxy").ResolvedHost | null>;
-        authenticate: (request: Request) => Promise<boolean> | boolean;
+        /**
+         * Optional fetch override for the per-issuer JWKS document. Called
+         * with the derived URL (`<iss>/.well-known/jwks.json`); defaults to
+         * global `fetch`. Hosts on Cloudflare Workers can route specific
+         * hosts through a service binding by inspecting the URL.
+         */
+        jwksFetch?: (url: string) => Promise<Response>;
         /**
          * Optional receiver for `POST /sync` events emitted by tenant shards via
          * the `ControlPlaneSyncDestination`. Mount on the control-plane authhero

package/dist/types/utils/jwks.d.ts

@@ -9,7 +9,7 @@ import { SigningKeyModeOption } from "../types/AuthHeroConfig";
  */
 export declare function getJwksFromDatabase(data: DataAdapters): Promise<{
     alg: "RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES512" | "HS256" | "HS384" | "HS512";
-    kty: "EC" | "RSA" | "oct";
+    kty: "RSA" | "EC" | "oct";
     kid?: string | undefined;
     use?: "sig" | "enc" | undefined;
     n?: string | undefined;
@@ -28,7 +28,7 @@ export declare function getJwksFromDatabase(data: DataAdapters): Promise<{
  */
 export declare function getJwksForPublication(data: DataAdapters, tenantId: string, modeOption: SigningKeyModeOption | undefined): Promise<{
     alg: "RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES512" | "HS256" | "HS384" | "HS512";
-    kty: "EC" | "RSA" | "oct";
+    kty: "RSA" | "EC" | "oct";
     kid?: string | undefined;
     use?: "sig" | "enc" | undefined;
     n?: string | undefined;

package/package.json

@@ -11,7 +11,7 @@
     "type": "git",
     "url": "https://github.com/markusahlstrand/authhero"
   },
-  "version": "6.0.0",
+  "version": "7.1.0",
   "files": [
     "dist"
   ],
@@ -62,8 +62,8 @@
     "vite": "^8.0.14",
     "vite-plugin-dts": "^4.5.4",
     "vitest": "^4.1.7",
-    "@authhero/kysely-adapter": "11.8.2",
-    "@authhero/widget": "0.32.39"
+    "@authhero/kysely-adapter": "11.8.5",
+    "@authhero/widget": "0.32.40"
   },
   "dependencies": {
     "@peculiar/x509": "^1.14.0",
@@ -81,8 +81,8 @@
     "qrcode": "^1.5.4",
     "sanitize-html": "^2.17.4",
     "xstate": "^5.31.1",
-    "@authhero/adapter-interfaces": "3.0.0",
-    "@authhero/proxy": "0.4.5",
+    "@authhero/adapter-interfaces": "3.1.0",
+    "@authhero/proxy": "0.5.1",
     "@authhero/saml": "0.4.1"
   },
   "peerDependencies": {