veryfront 0.1.217 → 0.1.218

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "veryfront",
-  "version": "0.1.217",
+  "version": "0.1.218",
   "description": "The simplest way to build AI-powered apps",
   "keywords": [
     "react",
@@ -26,100 +26,132 @@
   "module": "./esm/src/index.js",
   "exports": {
     ".": {
-      "import": "./esm/src/index.js"
+      "import": "./esm/src/index.js",
+      "types": "./esm/src/index.d.ts"
     },
     "./head": {
-      "import": "./esm/src/react/components/Head.js"
+      "import": "./esm/src/react/components/Head.js",
+      "types": "./esm/src/react/components/Head.d.ts"
     },
     "./router": {
-      "import": "./esm/src/react/router/index.js"
+      "import": "./esm/src/react/router/index.js",
+      "types": "./esm/src/react/router/index.d.ts"
     },
     "./context": {
-      "import": "./esm/src/react/context/index.js"
+      "import": "./esm/src/react/context/index.js",
+      "types": "./esm/src/react/context/index.d.ts"
     },
     "./fonts": {
-      "import": "./esm/src/react/fonts/index.js"
+      "import": "./esm/src/react/fonts/index.js",
+      "types": "./esm/src/react/fonts/index.d.ts"
     },
     "./chat": {
-      "import": "./esm/src/chat/index.js"
+      "import": "./esm/src/chat/index.js",
+      "types": "./esm/src/chat/index.d.ts"
     },
     "./chat/ag-ui": {
-      "import": "./esm/src/chat/ag-ui.js"
+      "import": "./esm/src/chat/ag-ui.js",
+      "types": "./esm/src/chat/ag-ui.d.ts"
     },
     "./chat/protocol": {
-      "import": "./esm/src/chat/protocol.js"
+      "import": "./esm/src/chat/protocol.js",
+      "types": "./esm/src/chat/protocol.d.ts"
     },
     "./markdown": {
-      "import": "./esm/src/markdown/index.js"
+      "import": "./esm/src/markdown/index.js",
+      "types": "./esm/src/markdown/index.d.ts"
     },
     "./mdx": {
-      "import": "./esm/src/mdx/index.js"
+      "import": "./esm/src/mdx/index.js",
+      "types": "./esm/src/mdx/index.d.ts"
     },
     "./agent": {
-      "import": "./esm/src/agent/index.js"
+      "import": "./esm/src/agent/index.js",
+      "types": "./esm/src/agent/index.d.ts"
     },
     "./tool": {
-      "import": "./esm/src/tool/index.js"
+      "import": "./esm/src/tool/index.js",
+      "types": "./esm/src/tool/index.d.ts"
     },
     "./workflow": {
-      "import": "./esm/src/workflow/index.js"
+      "import": "./esm/src/workflow/index.js",
+      "types": "./esm/src/workflow/index.d.ts"
     },
     "./workflow/worker": {
-      "import": "./esm/src/workflow/worker/index.js"
+      "import": "./esm/src/workflow/worker/index.js",
+      "types": "./esm/src/workflow/worker/index.d.ts"
     },
     "./workflow/claude-code": {
-      "import": "./esm/src/workflow/claude-code/index.js"
+      "import": "./esm/src/workflow/claude-code/index.js",
+      "types": "./esm/src/workflow/claude-code/index.d.ts"
     },
     "./workflow/claude-code/react": {
-      "import": "./esm/src/workflow/claude-code/react/index.js"
+      "import": "./esm/src/workflow/claude-code/react/index.js",
+      "types": "./esm/src/workflow/claude-code/react/index.d.ts"
     },
     "./workflow/discovery": {
-      "import": "./esm/src/workflow/discovery/index.js"
+      "import": "./esm/src/workflow/discovery/index.js",
+      "types": "./esm/src/workflow/discovery/index.d.ts"
     },
     "./prompt": {
-      "import": "./esm/src/prompt/index.js"
+      "import": "./esm/src/prompt/index.js",
+      "types": "./esm/src/prompt/index.d.ts"
     },
     "./resource": {
-      "import": "./esm/src/resource/index.js"
+      "import": "./esm/src/resource/index.js",
+      "types": "./esm/src/resource/index.d.ts"
     },
     "./jobs": {
-      "import": "./esm/src/jobs/index.js"
+      "import": "./esm/src/jobs/index.js",
+      "types": "./esm/src/jobs/index.d.ts"
     },
     "./mcp": {
-      "import": "./esm/src/mcp/index.js"
+      "import": "./esm/src/mcp/index.js",
+      "types": "./esm/src/mcp/index.d.ts"
     },
     "./middleware": {
-      "import": "./esm/src/middleware/index.js"
+      "import": "./esm/src/middleware/index.js",
+      "types": "./esm/src/middleware/index.d.ts"
     },
     "./utils": {
-      "import": "./esm/src/utils/index.js"
+      "import": "./esm/src/utils/index.js",
+      "types": "./esm/src/utils/index.d.ts"
     },
     "./oauth": {
-      "import": "./esm/src/oauth/index.js"
+      "import": "./esm/src/oauth/index.js",
+      "types": "./esm/src/oauth/index.d.ts"
     },
     "./provider": {
-      "import": "./esm/src/provider/index.js"
+      "import": "./esm/src/provider/index.js",
+      "types": "./esm/src/provider/index.d.ts"
     },
     "./fs": {
-      "import": "./esm/src/fs/index.js"
+      "import": "./esm/src/fs/index.js",
+      "types": "./esm/src/fs/index.d.ts"
     },
     "./integrations": {
-      "import": "./esm/src/integrations/index.js"
+      "import": "./esm/src/integrations/index.js",
+      "types": "./esm/src/integrations/index.d.ts"
     },
     "./sandbox": {
-      "import": "./esm/src/sandbox/index.js"
+      "import": "./esm/src/sandbox/index.js",
+      "types": "./esm/src/sandbox/index.d.ts"
     },
     "./embedding": {
-      "import": "./esm/src/embedding/index.js"
+      "import": "./esm/src/embedding/index.js",
+      "types": "./esm/src/embedding/index.d.ts"
     },
     "./extensions": {
-      "import": "./esm/src/extensions/index.js"
+      "import": "./esm/src/extensions/index.js",
+      "types": "./esm/src/extensions/index.d.ts"
     },
     "./extensions/interfaces": {
-      "import": "./esm/src/extensions/interfaces/index.js"
+      "import": "./esm/src/extensions/interfaces/index.js",
+      "types": "./esm/src/extensions/interfaces/index.d.ts"
     },
     "./cli": {
-      "import": "./esm/cli/main.js"
+      "import": "./esm/cli/main.js",
+      "types": "./esm/cli/main.d.ts"
     },
     "./tsconfig.json": "./tsconfig.json"
   },
@@ -158,12 +190,10 @@
     "esbuild": "0.27.4",
     "github-slugger": "2.0.0",
     "gray-matter": "4.0.3",
-    "jose": "5.9.6",
     "mdast-util-to-string": "4.0.0",
     "mime-types": "3.0.2",
     "react": "19.2.4",
     "react-dom": "19.2.4",
-    "redis": "5.11.0",
     "rehype-highlight": "7.0.2",
     "rehype-raw": "7.0.0",
     "rehype-sanitize": "6.0.0",
@@ -199,6 +229,7 @@
   },
   "_generatedBy": "dnt@dev",
   "type": "module",
+  "types": "./esm/src/index.d.ts",
   "bin": {
     "veryfront": "bin/veryfront.js"
   },

package/src/deno.js

@@ -1,8 +1,11 @@
 export default {
   "name": "veryfront",
-  "version": "0.1.217",
+  "version": "0.1.218",
   "license": "Apache-2.0",
   "nodeModulesDir": "auto",
+  "workspace": [
+    "./extensions/ext-redis"
+  ],
   "exclude": [
     "npm/",
     "dist/",
@@ -12,7 +15,8 @@ export default {
     "data/",
     ".deno_cache/",
     "cli/templates/files/",
-    "cli/templates/integrations/"
+    "cli/templates/integrations/",
+    "extensions/"
   ],
   "exports": {
     ".": "./src/index.ts",
@@ -260,9 +264,7 @@ export default {
     "tailwindcss/plugin": "https://esm.sh/tailwindcss@4.2.2/plugin",
     "tailwindcss/defaultTheme": "https://esm.sh/tailwindcss@4.2.2/defaultTheme",
     "tailwindcss/colors": "https://esm.sh/tailwindcss@4.2.2/colors",
-    "redis": "npm:redis@5.11.0",
     "pg": "npm:pg@8.13.1",
-    "jose": "npm:jose@5.9.6",
     "@opentelemetry/api": "npm:@opentelemetry/api@1.9.0",
     "@opentelemetry/core": "npm:@opentelemetry/core@2.6.0",
     "@opentelemetry/context-async-hooks": "npm:@opentelemetry/context-async-hooks@2.6.0",

package/src/src/extensions/interfaces/auth-provider.ts

@@ -36,17 +36,49 @@ export interface VerifyOptions {
   [key: string]: unknown;
 }
 
+/**
+ * The parsed, unverified header of a JWT.
+ *
+ * Returned by {@link AuthProvider.decode}. `alg` is the signing algorithm
+ * advertised by the token (e.g. `"HS256"`, `"RS256"`); additional fields
+ * such as `kid` or `typ` may be present.
+ */
+export interface TokenHeader {
+  /** Signing algorithm advertised by the token header. */
+  alg?: string;
+  /** Additional header fields. */
+  [key: string]: unknown;
+}
+
 /**
  * AuthProvider contract interface.
  *
  * Implementations sign, verify, and decode authentication tokens
- * (e.g. JWTs) for request authentication.
+ * (e.g. JWTs) for request authentication, and verify third-party tokens
+ * against a remote JWKS.
  */
 export interface AuthProvider {
   /** Sign a payload into a token string. */
   sign(payload: TokenPayload, options?: SignOptions): Promise<string>;
   /** Verify a token and return its decoded payload. Throws on invalid tokens. */
   verify(token: string, options?: VerifyOptions): Promise<TokenPayload>;
-  /** Decode a token without verifying its signature. */
-  decode(token: string): TokenPayload | undefined;
+  /**
+   * Verify a token against a remote JSON Web Key Set.
+   *
+   * Fetches (and caches) the JWKS at `jwksUrl`, then verifies the token's
+   * signature and claims. Throws on invalid tokens, unreachable JWKS, or
+   * `kid`/algorithm mismatch.
+   */
+  verifyWithJwks(
+    token: string,
+    jwksUrl: string,
+    options?: VerifyOptions,
+  ): Promise<TokenPayload>;
+  /**
+   * Decode a token's protected header without verifying its signature.
+   *
+   * Returns `undefined` on malformed input. Useful for inspecting `alg`
+   * before choosing a verification strategy.
+   */
+  decode(token: string): TokenHeader | undefined;
 }

package/src/src/extensions/interfaces/index.ts

@@ -23,6 +23,9 @@ export type {
 // Cache store
 export type { CacheStore } from "./cache-store.js";
 
+// Token cache store (proxy-grade cache with scan + stats)
+export type { TokenCacheEntry, TokenCacheStats, TokenCacheStore } from "./token-cache-store.js";
+
 // CSS processor
 export type { CSSProcessOptions, CSSProcessor, CSSProcessResult } from "./css-processor.js";
 
@@ -37,7 +40,13 @@ export type {
 export type { DatabaseClient, QueryResult } from "./database-client.js";
 
 // Auth provider
-export type { AuthProvider, SignOptions, TokenPayload, VerifyOptions } from "./auth-provider.js";
+export type {
+  AuthProvider,
+  SignOptions,
+  TokenHeader,
+  TokenPayload,
+  VerifyOptions,
+} from "./auth-provider.js";
 
 // Tracing exporter
 export type { SpanData, TracingExporter } from "./tracing-exporter.js";

package/src/src/extensions/interfaces/token-cache-store.ts

@@ -0,0 +1,58 @@
+/**
+ * Contract interface for OAuth-token-style cache stores used by the proxy.
+ *
+ * This contract is richer than the generic `CacheStore` — it adds scan-by-prefix,
+ * bulk read, and usage statistics primitives that the proxy's token cache needs.
+ * Simpler key-value consumers should use `CacheStore` instead.
+ *
+ * Default implementation: `@veryfront/ext-redis`.
+ *
+ * @module extensions/interfaces/token-cache-store
+ */
+
+/**
+ * A cache entry stored by `TokenCacheStore`.
+ *
+ * The proxy persists OAuth tokens keyed by request metadata; this entry shape
+ * mirrors what the proxy has historically stored.
+ */
+export interface TokenCacheEntry {
+  token: string;
+  /** Unix timestamp in milliseconds. */
+  expiresAt: number;
+  scope: "preview" | "production";
+  projectSlug?: string;
+}
+
+/**
+ * Aggregate usage statistics for a `TokenCacheStore`.
+ */
+export interface TokenCacheStats {
+  hits: number;
+  misses: number;
+  size: number;
+  type: "memory" | "redis";
+}
+
+/**
+ * TokenCacheStore contract interface.
+ *
+ * Implementations provide TTL-aware token caching, plus scan and stats
+ * primitives that generic key-value caches do not require.
+ */
+export interface TokenCacheStore {
+  /** Retrieve a cached entry by key. Returns `null` on miss or expiry. */
+  get(key: string): Promise<TokenCacheEntry | null>;
+  /** Store an entry. TTL is derived from `entry.expiresAt`. */
+  set(key: string, entry: TokenCacheEntry): Promise<void>;
+  /** Delete a cached entry. No-op if the key does not exist. */
+  delete(key: string): Promise<void>;
+  /** Remove every entry owned by this store. */
+  clear(): Promise<void>;
+  /** Check whether a non-expired entry exists for the given key. */
+  has(key: string): Promise<boolean>;
+  /** Return current hit/miss/size statistics. */
+  stats(): Promise<TokenCacheStats>;
+  /** Close connections and release resources. */
+  close(): Promise<void>;
+}

package/src/src/extensions/recommendations.ts

@@ -7,6 +7,7 @@
 const recommendations = new Map<string, string>([
   ["Bundler", "@veryfront/ext-esbuild"],
   ["CacheStore", "@veryfront/ext-redis"],
+  ["TokenCacheStore", "@veryfront/ext-redis"],
   ["CSSProcessor", "@veryfront/ext-tailwind"],
   ["ContentTransformer", "@veryfront/ext-mdx"],
   ["DatabaseClient", "@veryfront/ext-postgres"],

package/src/src/proxy/cache/index.ts

@@ -13,24 +13,34 @@ export type {
   TokenCacheEntry,
 } from "./types.js";
 export { MemoryCache } from "./memory-cache.js";
-export { RedisCache } from "./redis-cache.js";
 export { ResilientCache } from "./resilient-cache.js";
+export { TracingTokenCache } from "./tracing-cache.js";
 
 import type { CacheOptions, TokenCache } from "./types.js";
+import type { TokenCacheStore } from "../../extensions/interfaces/token-cache-store.js";
 import { MemoryCache } from "./memory-cache.js";
-import { RedisCache } from "./redis-cache.js";
 import { ResilientCache } from "./resilient-cache.js";
+import { TracingTokenCache } from "./tracing-cache.js";
+import { tryResolve } from "../../extensions/contracts.js";
 import { getEnv } from "../../platform/compat/process.js";
 import { proxyLogger } from "../logger.js";
 import { withSpan } from "../tracing.js";
 
 const logger = proxyLogger.child({ module: "cache" });
 
+const MISSING_EXTENSION_INFO =
+  "TokenCacheStore contract not provided — install @veryfront/ext-redis or scaffold extensions/ext-redis/";
+
 export async function createCache(options: CacheOptions): Promise<TokenCache> {
   return withSpan(
     "cache.create",
     async () => {
-      if (options.type === "redis") return new RedisCache(options.options);
+      if (options.type === "redis") {
+        const tokenCache = tryResolve<TokenCacheStore>("TokenCacheStore");
+        if (tokenCache) return new TracingTokenCache(tokenCache as unknown as TokenCache);
+        logger.info(MISSING_EXTENSION_INFO);
+        return new MemoryCache(undefined);
+      }
       return new MemoryCache(options.options);
     },
     { "cache.type": options.type },
@@ -45,21 +55,23 @@ export async function createCacheFromEnv(): Promise<TokenCache> {
     async () => {
       if (cacheType !== "redis") return new MemoryCache();
 
-      const url = getEnv("REDIS_URL");
-      if (!url) {
-        logger.warn("[Cache] CACHE_TYPE=redis but REDIS_URL not set, falling back to memory");
+      const tokenCache = tryResolve<TokenCacheStore>("TokenCacheStore");
+      if (!tokenCache) {
+        // Redis was requested via config/env but no extension registered the
+        // TokenCacheStore contract. Log an info (misconfiguration, not error),
+        // then fall back to an in-memory cache so the proxy still boots.
+        logger.info(MISSING_EXTENSION_INFO);
         return new MemoryCache();
       }
 
-      const redisCache = new RedisCache({
-        url,
-        prefix: getEnv("REDIS_PREFIX") || "vf:token:",
-      });
-
-      // Wrap Redis with resilient fallback to memory cache
-      // This ensures the proxy continues to function when Redis is unavailable
-      logger.debug("[Cache] Using Redis with memory fallback (ResilientCache)");
-      return new ResilientCache(redisCache, new MemoryCache());
+      // Wrap the extension-provided cache with a memory fallback so a Redis
+      // outage does not take the proxy down. TracingTokenCache sits between
+      // ResilientCache and the extension impl so spans wrap the actual
+      // primary-cache attempt (mirrors the pre-extraction RedisCache which
+      // had inner withSpan calls).
+      logger.debug("[Cache] Using TokenCacheStore extension with memory fallback (ResilientCache)");
+      const traced = new TracingTokenCache(tokenCache as unknown as TokenCache);
+      return new ResilientCache(traced, new MemoryCache());
     },
     { "cache.type": cacheType },
   );

package/src/src/proxy/cache/tracing-cache.ts

@@ -0,0 +1,77 @@
+/**
+ * TracingTokenCache
+ *
+ * Wraps a {@link TokenCache} implementation and emits an OpenTelemetry span
+ * around each public method. This keeps extension-provided caches (such as
+ * `@veryfront/ext-redis`) tracer-agnostic: the extension implements the
+ * contract only, and the proxy applies observability at the factory boundary.
+ *
+ * Span names default to `cache.redis.<op>` to preserve the pre-extraction
+ * behavior of the in-tree RedisCache. Callers may override via
+ * {@link TracingTokenCacheOptions.spanPrefix} when wrapping a different
+ * backend.
+ */
+
+import type { CacheStats, TokenCache, TokenCacheEntry } from "./types.js";
+import { withSpan } from "../tracing.js";
+
+export interface TracingTokenCacheOptions {
+  /** Span name prefix, e.g. "cache.redis" produces "cache.redis.get". */
+  spanPrefix?: string;
+}
+
+const DEFAULT_SPAN_PREFIX = "cache.redis";
+
+export class TracingTokenCache implements TokenCache {
+  private readonly inner: TokenCache;
+  private readonly prefix: string;
+
+  constructor(inner: TokenCache, options: TracingTokenCacheOptions = {}) {
+    this.inner = inner;
+    this.prefix = options.spanPrefix ?? DEFAULT_SPAN_PREFIX;
+  }
+
+  get(key: string): Promise<TokenCacheEntry | null> {
+    return withSpan(
+      `${this.prefix}.get`,
+      () => this.inner.get(key),
+      { "cache.key": key },
+    );
+  }
+
+  set(key: string, entry: TokenCacheEntry): Promise<void> {
+    return withSpan(
+      `${this.prefix}.set`,
+      () => this.inner.set(key, entry),
+      { "cache.key": key },
+    );
+  }
+
+  delete(key: string): Promise<void> {
+    return withSpan(
+      `${this.prefix}.delete`,
+      () => this.inner.delete(key),
+      { "cache.key": key },
+    );
+  }
+
+  clear(): Promise<void> {
+    return withSpan(`${this.prefix}.clear`, () => this.inner.clear());
+  }
+
+  has(key: string): Promise<boolean> {
+    return withSpan(
+      `${this.prefix}.has`,
+      () => this.inner.has(key),
+      { "cache.key": key },
+    );
+  }
+
+  stats(): Promise<CacheStats> {
+    return withSpan(`${this.prefix}.stats`, () => this.inner.stats());
+  }
+
+  close(): Promise<void> {
+    return withSpan(`${this.prefix}.close`, () => this.inner.close());
+  }
+}

package/src/src/proxy/cache/types.ts

@@ -2,7 +2,7 @@
  * Token Cache Interface
  *
  * Abstraction for storing OAuth tokens with TTL support.
- * Implementations: MemoryCache, RedisCache
+ * Implementations: MemoryCache (built-in), RedisCache (via @veryfront/ext-redis)
  */
 
 export interface TokenCacheEntry {

package/src/src/proxy/handler.ts

@@ -6,7 +6,48 @@ import { cwd, getEnv } from "../platform/compat/process.js";
 import { join } from "../platform/compat/path/index.js";
 import { injectContext, ProxySpanNames, withSpan } from "./tracing.js";
 import { computeContentSourceId } from "../cache/keys.js";
-import { createRemoteJWKSet, decodeProtectedHeader, jwtVerify } from "jose";
+import { resolve as resolveContract } from "../extensions/contracts.js";
+import type { AuthProvider } from "../extensions/interfaces/auth-provider.js";
+
+/**
+ * Cache the resolved AuthProvider at module scope so the proxy does not pay
+ * the registry lookup on every request. The cache is cleared implicitly when
+ * `ExtensionLoader.teardownAll()` clears the registry — the next call
+ * re-resolves (or surfaces the "install ext-jwt" hint if the extension was
+ * removed).
+ */
+let cachedAuthProvider: AuthProvider | undefined;
+
+function getAuthProvider(): AuthProvider {
+  if (cachedAuthProvider) return cachedAuthProvider;
+
+  try {
+    cachedAuthProvider = resolveContract<AuthProvider>("AuthProvider");
+    return cachedAuthProvider;
+  } catch (err) {
+    // resolve() already throws with a helpful "Recommended: @veryfront/ext-jwt"
+    // message, but the proxy is a load-bearing code path — append a concrete
+    // remediation hint that names the project-root extension directory so
+    // the user knows exactly what's missing.
+    const base = err instanceof Error ? err.message : String(err);
+    throw new Error(
+      `${base}\nTo enable JWT verification in the proxy, install ext-jwt ` +
+        `(scaffold with \`deno task cli extension init ext-jwt\` or add the ` +
+        `npm package @veryfront/ext-jwt).`,
+      { cause: err },
+    );
+  }
+}
+
+/**
+ * Reset the cached AuthProvider. Intended for tests that `register()` a mock
+ * after the handler module has been imported.
+ *
+ * @internal
+ */
+export function __resetCachedAuthProviderForTests(): void {
+  cachedAuthProvider = undefined;
+}
 
 export const INTERNAL_PROXY_HEADERS = [
   "x-token",
@@ -64,24 +105,10 @@ interface DomainLookupResult {
   }>;
 }
 
-const remoteJwksByUrl = new Map<string, ReturnType<typeof createRemoteJWKSet>>();
-
-function getApiJwks(apiBaseUrl: string, logger?: ProxyLogger) {
+function resolveApiJwksUrl(apiBaseUrl: string, logger?: ProxyLogger): string | undefined {
   try {
     const normalizedBaseUrl = apiBaseUrl.endsWith("/") ? apiBaseUrl : `${apiBaseUrl}/`;
-    const jwksUrl = new URL(".well-known/jwks.json", normalizedBaseUrl);
-    const cacheKey = jwksUrl.toString();
-
-    // Lazily initialize and cache JWKS in a single, idempotent step to avoid
-    // unsynchronized read/then-write on the shared Map across concurrent calls.
-    let jwks = remoteJwksByUrl.get(cacheKey);
-    if (!jwks) {
-      const created = createRemoteJWKSet(jwksUrl);
-      remoteJwksByUrl.set(cacheKey, created);
-      jwks = created;
-    }
-
-    return jwks;
+    return new URL(".well-known/jwks.json", normalizedBaseUrl).toString();
   } catch (error) {
     logger?.error("Invalid API base URL for JWKS lookup", error as Error, {
       apiBaseUrl,
@@ -229,23 +256,22 @@ async function extractUserIdFromToken(
   apiBaseUrl: string,
   log?: ProxyLogger,
 ): Promise<string | undefined> {
-  let algorithm: string | undefined;
+  const auth = getAuthProvider();
 
-  try {
-    algorithm = decodeProtectedHeader(token).alg;
-  } catch (error) {
-    log?.debug("Failed to decode JWT header", {
-      error: error instanceof Error ? error.message : String(error),
-    });
+  const header = auth.decode(token);
+  if (!header) {
+    log?.debug("Failed to decode JWT header");
     return undefined;
   }
 
+  const algorithm = header.alg;
+
   if (algorithm === "RS256") {
-    const jwks = getApiJwks(apiBaseUrl, log);
-    if (!jwks) return undefined;
+    const jwksUrl = resolveApiJwksUrl(apiBaseUrl, log);
+    if (!jwksUrl) return undefined;
 
     try {
-      const { payload } = await jwtVerify(token, jwks, {
+      const payload = await auth.verifyWithJwks(token, jwksUrl, {
         algorithms: ["RS256"],
       });
       return (payload as { userId?: string }).userId;
@@ -270,10 +296,10 @@ async function extractUserIdFromToken(
   }
 
   try {
-    const secret = new TextEncoder().encode(jwtSecret);
-    const { payload } = await jwtVerify(token, secret, {
-      algorithms: ["HS256"],
-    });
+    // ext-jwt reads JWT_SECRET from the environment when no `secret` was
+    // passed to the extension factory; the explicit env check above is kept
+    // so callers can warn once before we attempt verification.
+    const payload = await auth.verify(token, { algorithms: ["HS256"] });
     return (payload as { userId?: string }).userId;
   } catch (error) {
     log?.debug("JWT verification failed", {

package/src/src/utils/version-constant.ts

@@ -1,3 +1,3 @@
 // Keep in sync with deno.json version.
 // scripts/release.ts updates this constant during releases.
-export const VERSION = "0.1.217";
+export const VERSION = "0.1.218";