@auth0/auth0-api-js - npm Package Compare versions

Comparing version 1.0.2 to 1.1.0

dist/index.cjs

@@ -34,5 +34,11 @@ "use strict";
   ApiClient: () => ApiClient,
+  BearerMethod: () => BearerMethod,
+  GrantType: () => GrantType,
+  InvalidRequestError: () => InvalidRequestError,
   MissingRequiredArgumentError: () => MissingRequiredArgumentError,
   MissingTransactionError: () => MissingTransactionError,
-  VerifyAccessTokenError: () => VerifyAccessTokenError
+  ProtectedResourceMetadataBuilder: () => ProtectedResourceMetadataBuilder,
+  SigningAlgorithm: () => SigningAlgorithm,
+  VerifyAccessTokenError: () => VerifyAccessTokenError,
+  getToken: () => getToken
 });
@@ -44,2 +50,3 @@ module.exports = __toCommonJS(index_exports);
 var import_jose = require("jose");
+var import_auth0_auth_js = require("@auth0/auth0-auth-js");
 
@@ -61,2 +68,9 @@ // src/errors.ts
 };
+var InvalidRequestError = class extends Error {
+  code = "invalid_request";
+  constructor(message) {
+    super(message);
+    this.name = "InvalidRequestError";
+  }
+};
 var MissingRequiredArgumentError = class extends Error {
@@ -75,4 +89,15 @@ code = "missing_required_argument_error";
   #jwks;
+  #authClient;
   constructor(options) {
     this.#options = options;
+    if (options.clientId) {
+      this.#authClient = new import_auth0_auth_js.AuthClient({
+        domain: options.domain,
+        clientId: options.clientId,
+        clientSecret: options.clientSecret,
+        clientAssertionSigningKey: options.clientAssertionSigningKey,
+        clientAssertionSigningAlg: options.clientAssertionSigningAlg,
+        customFetch: options.customFetch
+      });
+    }
     if (!this.#options.audience) {
@@ -125,10 +150,309 @@ throw new MissingRequiredArgumentError("audience");
   }
+  /**
+   * Retrieves an access token for a connection.
+   *
+   * @param options - Options for retrieving an access token for a connection.
+   *
+   * @throws {TokenForConnectionError} If there was an issue requesting the access token.
+   *
+   * @returns The Connection Token Set, containing the access token for the connection, as well as additional information.
+   */
+  async getAccessTokenForConnection(options) {
+    if (!this.#authClient) {
+      throw new import_auth0_auth_js.TokenForConnectionError(
+        "Client credentials are required to use getAccessTokenForConnection"
+      );
+    }
+    const tokenEndpointResponse = await this.#authClient.getTokenForConnection({
+      connection: options.connection,
+      loginHint: options.loginHint,
+      accessToken: options.accessToken
+    });
+    return {
+      accessToken: tokenEndpointResponse.accessToken,
+      scope: tokenEndpointResponse.scope,
+      expiresAt: tokenEndpointResponse.expiresAt,
+      connection: options.connection,
+      loginHint: options.loginHint
+    };
+  }
 };
+
+// src/protected-resource-metadata.ts
+var BearerMethod = /* @__PURE__ */ ((BearerMethod2) => {
+  BearerMethod2["HEADER"] = "header";
+  BearerMethod2["BODY"] = "body";
+  BearerMethod2["QUERY"] = "query";
+  return BearerMethod2;
+})(BearerMethod || {});
+var SigningAlgorithm = /* @__PURE__ */ ((SigningAlgorithm2) => {
+  SigningAlgorithm2["RS256"] = "RS256";
+  SigningAlgorithm2["RS384"] = "RS384";
+  SigningAlgorithm2["RS512"] = "RS512";
+  SigningAlgorithm2["ES256"] = "ES256";
+  SigningAlgorithm2["ES384"] = "ES384";
+  SigningAlgorithm2["ES512"] = "ES512";
+  SigningAlgorithm2["PS256"] = "PS256";
+  SigningAlgorithm2["PS384"] = "PS384";
+  SigningAlgorithm2["PS512"] = "PS512";
+  SigningAlgorithm2["HS256"] = "HS256";
+  SigningAlgorithm2["HS384"] = "HS384";
+  SigningAlgorithm2["HS512"] = "HS512";
+  return SigningAlgorithm2;
+})(SigningAlgorithm || {});
+var GrantType = /* @__PURE__ */ ((GrantType2) => {
+  GrantType2["AUTHORIZATION_CODE"] = "authorization_code";
+  GrantType2["IMPLICIT"] = "implicit";
+  GrantType2["PASSWORD"] = "password";
+  GrantType2["CLIENT_CREDENTIALS"] = "client_credentials";
+  GrantType2["REFRESH_TOKEN"] = "refresh_token";
+  GrantType2["JWT_BEARER"] = "urn:ietf:params:oauth:grant-type:jwt-bearer";
+  GrantType2["SAML2_BEARER"] = "urn:ietf:params:oauth:grant-type:saml2-bearer";
+  GrantType2["DEVICE_CODE"] = "urn:ietf:params:oauth:grant-type:device_code";
+  return GrantType2;
+})(GrantType || {});
+var ProtectedResourceMetadataBuilder = class {
+  props;
+  /**
+   * Constructor for the builder
+   * @param resource - The protected resource identifier (REQUIRED)
+   * @param authorization_servers - Array of authorization server URLs (REQUIRED)
+   */
+  constructor(resource, authorization_servers) {
+    if (!resource?.trim()) {
+      throw new MissingRequiredArgumentError("resource");
+    }
+    if (!Array.isArray(authorization_servers) || authorization_servers.length === 0) {
+      throw new MissingRequiredArgumentError("authorization_servers");
+    }
+    this.props = { resource, authorization_servers };
+  }
+  get properties() {
+    return this.props;
+  }
+  /**
+   * Builds the ProtectedResourceMetadata
+   */
+  build() {
+    return new ProtectedResourceMetadata(this);
+  }
+  /**
+   * Builder method to add JWKS URI
+   */
+  withJwksUri(jwks_uri) {
+    this.props.jwks_uri = jwks_uri;
+    return this;
+  }
+  /**
+   * Builder method to add supported scopes
+   */
+  withScopesSupported(scopes_supported) {
+    this.props.scopes_supported = [...scopes_supported];
+    return this;
+  }
+  /**
+   * Builder method to add supported bearer methods
+   */
+  withBearerMethodsSupported(bearer_methods_supported) {
+    this.props.bearer_methods_supported = [...bearer_methods_supported];
+    return this;
+  }
+  /**
+   * Builder method to add supported resource signing algorithms
+   */
+  withResourceSigningAlgValuesSupported(resource_signing_alg_values_supported) {
+    this.props.resource_signing_alg_values_supported = [...resource_signing_alg_values_supported];
+    return this;
+  }
+  /**
+   * Builder method to add resource_name
+   */
+  withResourceName(resource_name) {
+    this.props.resource_name = resource_name;
+    return this;
+  }
+  /**
+   * Builder method to add resource documentation URL
+   */
+  withResourceDocumentation(resource_documentation) {
+    this.props.resource_documentation = resource_documentation;
+    return this;
+  }
+  /**
+   * Builder method to add resource policy URI
+   */
+  withResourcePolicyUri(resource_policy_uri) {
+    this.props.resource_policy_uri = resource_policy_uri;
+    return this;
+  }
+  /**
+   * Builder method to add resource terms of service URI
+   */
+  withResourceTosUri(resource_tos_uri) {
+    this.props.resource_tos_uri = resource_tos_uri;
+    return this;
+  }
+  /**
+   * Builder method to enable TLS client certificate bound access tokens
+   */
+  withTlsClientCertificateBoundAccessTokens(tls_client_certificate_bound_access_tokens) {
+    this.props.tls_client_certificate_bound_access_tokens = tls_client_certificate_bound_access_tokens;
+    return this;
+  }
+  /**
+   * Builder method to add supported authorization details types
+   */
+  withAuthorizationDetailsTypesSupported(authorization_details_types_supported) {
+    this.props.authorization_details_types_supported = [...authorization_details_types_supported];
+    return this;
+  }
+  /**
+   * Builder method to add supported DPoP signing algorithms
+   */
+  withDpopSigningAlgValuesSupported(dpop_signing_alg_values_supported) {
+    this.props.dpop_signing_alg_values_supported = [...dpop_signing_alg_values_supported];
+    return this;
+  }
+  /**
+   * Builder method to require DPoP bound access tokens
+   */
+  withDpopBoundAccessTokensRequired(dpop_bound_access_tokens_required) {
+    this.props.dpop_bound_access_tokens_required = dpop_bound_access_tokens_required;
+    return this;
+  }
+};
+var ProtectedResourceMetadata = class {
+  #resource;
+  #authorization_servers;
+  #jwks_uri;
+  #scopes_supported;
+  #bearer_methods_supported;
+  #resource_signing_alg_values_supported;
+  #resource_documentation;
+  #resource_policy_uri;
+  #resource_tos_uri;
+  #resource_name;
+  #tls_client_certificate_bound_access_tokens;
+  #authorization_details_types_supported;
+  #dpop_signing_alg_values_supported;
+  #dpop_bound_access_tokens_required;
+  constructor(builder) {
+    const props = builder.properties;
+    this.#resource = props.resource;
+    this.#authorization_servers = [...props.authorization_servers];
+    this.#jwks_uri = props.jwks_uri;
+    this.#scopes_supported = props.scopes_supported ? [...props.scopes_supported] : void 0;
+    this.#bearer_methods_supported = props.bearer_methods_supported ? [...props.bearer_methods_supported] : void 0;
+    this.#resource_signing_alg_values_supported = props.resource_signing_alg_values_supported ? [...props.resource_signing_alg_values_supported] : void 0;
+    this.#resource_documentation = props.resource_documentation;
+    this.#resource_policy_uri = props.resource_policy_uri;
+    this.#resource_tos_uri = props.resource_tos_uri;
+    this.#resource_name = props.resource_name;
+    this.#tls_client_certificate_bound_access_tokens = props.tls_client_certificate_bound_access_tokens;
+    this.#authorization_details_types_supported = props.authorization_details_types_supported ? [...props.authorization_details_types_supported] : void 0;
+    this.#dpop_signing_alg_values_supported = props.dpop_signing_alg_values_supported ? [...props.dpop_signing_alg_values_supported] : void 0;
+    this.#dpop_bound_access_tokens_required = props.dpop_bound_access_tokens_required;
+  }
+  /**
+   * Convert to JSON representation
+   */
+  toJSON() {
+    return {
+      resource: this.#resource,
+      authorization_servers: [...this.#authorization_servers],
+      ...this.#jwks_uri !== void 0 && { jwks_uri: this.#jwks_uri },
+      ...this.#scopes_supported !== void 0 && {
+        scopes_supported: [...this.#scopes_supported]
+      },
+      ...this.#bearer_methods_supported !== void 0 && {
+        bearer_methods_supported: [...this.#bearer_methods_supported]
+      },
+      ...this.#resource_signing_alg_values_supported !== void 0 && {
+        resource_signing_alg_values_supported: [...this.#resource_signing_alg_values_supported]
+      },
+      ...this.#resource_documentation !== void 0 && {
+        resource_documentation: this.#resource_documentation
+      },
+      ...this.#resource_policy_uri !== void 0 && {
+        resource_policy_uri: this.#resource_policy_uri
+      },
+      ...this.#resource_tos_uri !== void 0 && {
+        resource_tos_uri: this.#resource_tos_uri
+      },
+      ...this.#resource_name !== void 0 && {
+        resource_name: this.#resource_name
+      },
+      ...this.#tls_client_certificate_bound_access_tokens !== void 0 && {
+        tls_client_certificate_bound_access_tokens: this.#tls_client_certificate_bound_access_tokens
+      },
+      ...this.#authorization_details_types_supported !== void 0 && {
+        authorization_details_types_supported: [...this.#authorization_details_types_supported]
+      },
+      ...this.#dpop_signing_alg_values_supported !== void 0 && {
+        dpop_signing_alg_values_supported: [...this.#dpop_signing_alg_values_supported]
+      },
+      ...this.#dpop_bound_access_tokens_required !== void 0 && {
+        dpop_bound_access_tokens_required: this.#dpop_bound_access_tokens_required
+      }
+    };
+  }
+};
+
+// src/token.ts
+var TOKEN_RE = /^Bearer (.+)$/i;
+function getToken(headers, query, body) {
+  const fromHeader = getTokenFromHeader(headers);
+  const fromQuery = getTokenFromQuery(query);
+  const fromBody = getTokenFromBody(headers, body);
+  if (!fromQuery && !fromHeader && !fromBody) {
+    throw new InvalidRequestError("No Bearer token found in request");
+  }
+  if (+!!fromQuery + +!!fromBody + +!!fromHeader > 1) {
+    throw new InvalidRequestError(
+      "More than one method used for authentication"
+    );
+  }
+  return fromQuery || fromBody || fromHeader;
+}
+function getTokenFromHeader(headers) {
+  const authHeader = headers.authorization;
+  if (typeof authHeader !== "string") {
+    return void 0;
+  }
+  const match = authHeader.match(TOKEN_RE);
+  return match?.[1];
+}
+function getTokenFromQuery(query) {
+  const accessToken = query?.access_token;
+  if (typeof accessToken === "string") {
+    return accessToken;
+  }
+}
+function getTokenFromBody(headers, body) {
+  if (!body || typeof body.access_token !== "string") {
+    return void 0;
+  }
+  const contentType = headers["content-type"];
+  if (!contentType) {
+    return void 0;
+  }
+  const isFormEncoded = contentType.toLowerCase().includes("application/x-www-form-urlencoded");
+  if (!isFormEncoded) {
+    return void 0;
+  }
+  return body.access_token;
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   ApiClient,
+  BearerMethod,
+  GrantType,
+  InvalidRequestError,
   MissingRequiredArgumentError,
   MissingTransactionError,
-  VerifyAccessTokenError
+  ProtectedResourceMetadataBuilder,
+  SigningAlgorithm,
+  VerifyAccessTokenError,
+  getToken
 });
 //# sourceMappingURL=index.cjs.map

dist/index.cjs.map

@@ -1,1 +0,1 @@
-{"version":3,"sources":["../src/index.ts","../src/api-client.ts","../src/errors.ts"],"sourcesContent":["export { ApiClient } from './api-client.js';\nexport * from './errors.js';\nexport * from './types.js';","import * as oauth from 'oauth4webapi';\nimport { createRemoteJWKSet, jwtVerify, customFetch } from 'jose';\nimport { ApiClientOptions, VerifyAccessTokenOptions } from './types.js';\nimport {\n  MissingRequiredArgumentError,\n  VerifyAccessTokenError,\n} from './errors.js';\n\nexport class ApiClient {\n  #serverMetadata: oauth.AuthorizationServer | undefined;\n  readonly #options: ApiClientOptions;\n  #jwks?: ReturnType<typeof createRemoteJWKSet>;\n\n  constructor(options: ApiClientOptions) {\n    this.#options = options;\n\n    if (!this.#options.audience) {\n      throw new MissingRequiredArgumentError('audience');\n    }\n  }\n\n  /**\n   * Initialized the SDK by performing Metadata Discovery.\n   */\n  async #discover() {\n    if (this.#serverMetadata) {\n      return {\n        serverMetadata: this.#serverMetadata,\n      };\n    }\n\n    const issuer = new URL(`https://${this.#options.domain}`);\n    const response = await oauth.discoveryRequest(issuer, {\n      [oauth.customFetch]: this.#options.customFetch,\n    });\n\n    this.#serverMetadata = await oauth.processDiscoveryResponse(\n      issuer,\n      response\n    );\n\n    return {\n      serverMetadata: this.#serverMetadata,\n    };\n  }\n\n  /**\n   * Verifies the provided access token.\n   * @param options Options used to verify the logout token.\n   * @returns\n   */\n  async verifyAccessToken(options: VerifyAccessTokenOptions) {\n    const { serverMetadata } = await this.#discover();\n\n    this.#jwks ||= createRemoteJWKSet(new URL(serverMetadata!.jwks_uri!), {\n      [customFetch]: this.#options.customFetch,\n    });\n\n    try {\n      const { payload } = await jwtVerify(options.accessToken, this.#jwks, {\n        issuer: this.#serverMetadata!.issuer,\n        audience: this.#options.audience,\n        algorithms: ['RS256'],\n        requiredClaims: ['iat', 'exp', ...(options.requiredClaims || [])],\n      });\n      return payload;\n    } catch (e) {\n      // eslint-disable-next-line @typescript-eslint/no-explicit-any\n      throw new VerifyAccessTokenError((e as any).message);\n    }\n  }\n}\n","/**\n * Error thrown when the transaction is missing.\n */\nexport class MissingTransactionError extends Error {\n  public code: string = 'missing_transaction_error';\n\n  constructor(message?: string) {\n    super(message ?? 'The transaction is missing.');\n    this.name = 'MissingTransactionError';\n  }\n}\n\n/**\n * Error thrown when verifying the access token.\n */\nexport class VerifyAccessTokenError extends Error {\n  public code: string = 'verify_access_token_error';\n\n  constructor(message: string) {\n    super(message);\n    this.name = 'VerifyAccessTokenError';\n  }\n}\n\n/**\n * Error thrown when a required argument is missing.\n */\nexport class MissingRequiredArgumentError extends Error {\n  public code: string = 'missing_required_argument_error';\n\n  constructor(argument: string) {\n    super(`The argument '${argument}' is required but was not provided.`);\n    this.name = 'MissingRequiredArgumentError';\n  }\n}"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,YAAuB;AACvB,kBAA2D;;;ACEpD,IAAM,0BAAN,cAAsC,MAAM;AAAA,EAC1C,OAAe;AAAA,EAEtB,YAAY,SAAkB;AAC5B,UAAM,WAAW,6BAA6B;AAC9C,SAAK,OAAO;AAAA,EACd;AACF;AAKO,IAAM,yBAAN,cAAqC,MAAM;AAAA,EACzC,OAAe;AAAA,EAEtB,YAAY,SAAiB;AAC3B,UAAM,OAAO;AACb,SAAK,OAAO;AAAA,EACd;AACF;AAKO,IAAM,+BAAN,cAA2C,MAAM;AAAA,EAC/C,OAAe;AAAA,EAEtB,YAAY,UAAkB;AAC5B,UAAM,iBAAiB,QAAQ,qCAAqC;AACpE,SAAK,OAAO;AAAA,EACd;AACF;;;AD1BO,IAAM,YAAN,MAAgB;AAAA,EACrB;AAAA,EACS;AAAA,EACT;AAAA,EAEA,YAAY,SAA2B;AACrC,SAAK,WAAW;AAEhB,QAAI,CAAC,KAAK,SAAS,UAAU;AAC3B,YAAM,IAAI,6BAA6B,UAAU;AAAA,IACnD;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,YAAY;AAChB,QAAI,KAAK,iBAAiB;AACxB,aAAO;AAAA,QACL,gBAAgB,KAAK;AAAA,MACvB;AAAA,IACF;AAEA,UAAM,SAAS,IAAI,IAAI,WAAW,KAAK,SAAS,MAAM,EAAE;AACxD,UAAM,WAAW,MAAY,uBAAiB,QAAQ;AAAA,MACpD,CAAO,iBAAW,GAAG,KAAK,SAAS;AAAA,IACrC,CAAC;AAED,SAAK,kBAAkB,MAAY;AAAA,MACjC;AAAA,MACA;AAAA,IACF;AAEA,WAAO;AAAA,MACL,gBAAgB,KAAK;AAAA,IACvB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,kBAAkB,SAAmC;AACzD,UAAM,EAAE,eAAe,IAAI,MAAM,KAAK,UAAU;AAEhD,SAAK,cAAU,gCAAmB,IAAI,IAAI,eAAgB,QAAS,GAAG;AAAA,MACpE,CAAC,uBAAW,GAAG,KAAK,SAAS;AAAA,IAC/B,CAAC;AAED,QAAI;AACF,YAAM,EAAE,QAAQ,IAAI,UAAM,uBAAU,QAAQ,aAAa,KAAK,OAAO;AAAA,QACnE,QAAQ,KAAK,gBAAiB;AAAA,QAC9B,UAAU,KAAK,SAAS;AAAA,QACxB,YAAY,CAAC,OAAO;AAAA,QACpB,gBAAgB,CAAC,OAAO,OAAO,GAAI,QAAQ,kBAAkB,CAAC,CAAE;AAAA,MAClE,CAAC;AACD,aAAO;AAAA,IACT,SAAS,GAAG;AAEV,YAAM,IAAI,uBAAwB,EAAU,OAAO;AAAA,IACrD;AAAA,EACF;AACF;","names":[]}
+{"version":3,"sources":["../src/index.ts","../src/api-client.ts","../src/errors.ts","../src/protected-resource-metadata.ts","../src/token.ts"],"sourcesContent":["export { ApiClient } from './api-client.js';\nexport * from './protected-resource-metadata.js';\nexport * from './errors.js';\nexport * from './types.js';\nexport { getToken } from './token.js';\n","import * as oauth from 'oauth4webapi';\nimport { createRemoteJWKSet, jwtVerify, customFetch } from 'jose';\nimport { AuthClient, TokenForConnectionError } from '@auth0/auth0-auth-js';\nimport { AccessTokenForConnectionOptions, ApiClientOptions, ConnectionTokenSet, VerifyAccessTokenOptions } from './types.js';\nimport {\n  MissingRequiredArgumentError,\n  VerifyAccessTokenError,\n} from './errors.js';\n\nexport class ApiClient {\n  #serverMetadata: oauth.AuthorizationServer | undefined;\n  readonly #options: ApiClientOptions;\n  #jwks?: ReturnType<typeof createRemoteJWKSet>;\n  readonly #authClient: AuthClient | undefined;\n\n  constructor(options: ApiClientOptions) {\n    this.#options = options;\n\n    if (options.clientId) {\n      this.#authClient = new AuthClient({\n        domain: options.domain,\n        clientId: options.clientId,\n        clientSecret: options.clientSecret,\n        clientAssertionSigningKey: options.clientAssertionSigningKey,\n        clientAssertionSigningAlg: options.clientAssertionSigningAlg,\n        customFetch: options.customFetch,\n      });\n    }\n\n    if (!this.#options.audience) {\n      throw new MissingRequiredArgumentError('audience');\n    }\n  }\n\n  /**\n   * Initialized the SDK by performing Metadata Discovery.\n   */\n  async #discover() {\n    if (this.#serverMetadata) {\n      return {\n        serverMetadata: this.#serverMetadata,\n      };\n    }\n\n    const issuer = new URL(`https://${this.#options.domain}`);\n    const response = await oauth.discoveryRequest(issuer, {\n      [oauth.customFetch]: this.#options.customFetch,\n    });\n\n    this.#serverMetadata = await oauth.processDiscoveryResponse(\n      issuer,\n      response\n    );\n\n    return {\n      serverMetadata: this.#serverMetadata,\n    };\n  }\n\n  /**\n   * Verifies the provided access token.\n   * @param options Options used to verify the logout token.\n   * @returns\n   */\n  async verifyAccessToken(options: VerifyAccessTokenOptions) {\n    const { serverMetadata } = await this.#discover();\n\n    this.#jwks ||= createRemoteJWKSet(new URL(serverMetadata!.jwks_uri!), {\n      [customFetch]: this.#options.customFetch,\n    });\n\n    try {\n      const { payload } = await jwtVerify(options.accessToken, this.#jwks, {\n        issuer: this.#serverMetadata!.issuer,\n        audience: this.#options.audience,\n        algorithms: ['RS256'],\n        requiredClaims: ['iat', 'exp', ...(options.requiredClaims || [])],\n      });\n      return payload;\n    } catch (e) {\n      // eslint-disable-next-line @typescript-eslint/no-explicit-any\n      throw new VerifyAccessTokenError((e as any).message);\n    }\n  }\n\n  /**\n   * Retrieves an access token for a connection.\n   *\n   * @param options - Options for retrieving an access token for a connection.\n   *\n   * @throws {TokenForConnectionError} If there was an issue requesting the access token.\n   *\n   * @returns The Connection Token Set, containing the access token for the connection, as well as additional information.\n   */\n  public async getAccessTokenForConnection(options: AccessTokenForConnectionOptions): Promise<ConnectionTokenSet> {\n    if (!this.#authClient) {\n      throw new TokenForConnectionError(\n        'Client credentials are required to use getAccessTokenForConnection'\n      );\n    }\n\n    const tokenEndpointResponse = await this.#authClient.getTokenForConnection({\n      connection: options.connection,\n      loginHint: options.loginHint,\n      accessToken: options.accessToken,\n    });\n\n    return {\n      accessToken: tokenEndpointResponse.accessToken,\n      scope: tokenEndpointResponse.scope,\n      expiresAt: tokenEndpointResponse.expiresAt,\n      connection: options.connection,\n      loginHint: options.loginHint,\n    };\n  }\n}\n","/**\n * Error thrown when the transaction is missing.\n */\nexport class MissingTransactionError extends Error {\n  public code: string = 'missing_transaction_error';\n\n  constructor(message?: string) {\n    super(message ?? 'The transaction is missing.');\n    this.name = 'MissingTransactionError';\n  }\n}\n\n/**\n * Error thrown when verifying the access token.\n */\nexport class VerifyAccessTokenError extends Error {\n  public code: string = 'verify_access_token_error';\n\n  constructor(message: string) {\n    super(message);\n    this.name = 'VerifyAccessTokenError';\n  }\n}\n\n/**\n * Error thrown when request is missing a valid token or\n * multiple auth methods used\n */\nexport class InvalidRequestError extends Error {\n  public code: string = 'invalid_request';\n\n  constructor(message: string) {\n    super(message);\n    this.name = 'InvalidRequestError';\n  }\n}\n\n/**\n * Error thrown when a required argument is missing.\n */\nexport class MissingRequiredArgumentError extends Error {\n  public code: string = 'missing_required_argument_error';\n\n  constructor(argument: string) {\n    super(`The argument '${argument}' is required but was not provided.`);\n    this.name = 'MissingRequiredArgumentError';\n  }\n}\n","/**\n * RFC 9728 - OAuth 2.0 Protected Resource Metadata\n * https://datatracker.ietf.org/doc/html/rfc9728\n */\n\nimport { MissingRequiredArgumentError } from \"./errors.js\";\n\n/**\n * Supported methods of sending an OAuth 2.0 bearer token\n */\nexport enum BearerMethod {\n  HEADER = \"header\",\n  BODY = \"body\",\n  QUERY = \"query\",\n}\n\n/**\n * Supported signing algorithms\n */\nexport enum SigningAlgorithm {\n  RS256 = \"RS256\",\n  RS384 = \"RS384\",\n  RS512 = \"RS512\",\n  ES256 = \"ES256\",\n  ES384 = \"ES384\",\n  ES512 = \"ES512\",\n  PS256 = \"PS256\",\n  PS384 = \"PS384\",\n  PS512 = \"PS512\",\n  HS256 = \"HS256\",\n  HS384 = \"HS384\",\n  HS512 = \"HS512\",\n}\n\n/**\n * Grant types supported\n */\nexport enum GrantType {\n  AUTHORIZATION_CODE = \"authorization_code\",\n  IMPLICIT = \"implicit\",\n  PASSWORD = \"password\",\n  CLIENT_CREDENTIALS = \"client_credentials\",\n  REFRESH_TOKEN = \"refresh_token\",\n  JWT_BEARER = \"urn:ietf:params:oauth:grant-type:jwt-bearer\",\n  SAML2_BEARER = \"urn:ietf:params:oauth:grant-type:saml2-bearer\",\n  DEVICE_CODE = \"urn:ietf:params:oauth:grant-type:device_code\",\n}\n\n/**\n * Interface for Protected Resource Metadata\n */\nexport interface IProtectedResourceMetadata {\n  resource: string;\n  authorization_servers: string[];\n  jwks_uri?: string;\n  scopes_supported?: string[];\n  bearer_methods_supported?: BearerMethod[];\n  resource_signing_alg_values_supported?: SigningAlgorithm[];\n  resource_name?: string;\n  resource_documentation?: string;\n  resource_policy_uri?: string;\n  resource_tos_uri?: string;\n  tls_client_certificate_bound_access_tokens?: boolean;\n  authorization_details_types_supported?: string[];\n  dpop_signing_alg_values_supported?: string[];\n  dpop_bound_access_tokens_required?: boolean;\n}\n\n/**\n * Builder for creating a ProtectedResourceMetadata instance\n *\n * @example\n * ```typescript\n * const metadata = new ProtectedResourceMetadataBuilder('https://api.example.com', ['https://auth.example.com'])\n *   .withJwksUri('https://api.example.com/.well-known/jwks.json')\n *   .withScopesSupported(['read', 'write'])\n *   .build();\n * // serialize to json\n * const json = metadata.toJSON();\n * ```\n */\nexport class ProtectedResourceMetadataBuilder {\n  private readonly props: Partial<IProtectedResourceMetadata> &\n    Pick<IProtectedResourceMetadata, \"resource\" | \"authorization_servers\">;\n\n  /**\n   * Constructor for the builder\n   * @param resource - The protected resource identifier (REQUIRED)\n   * @param authorization_servers - Array of authorization server URLs (REQUIRED)\n   */\n  constructor(resource: string, authorization_servers: string[]) {\n    if (!resource?.trim()) {\n      throw new MissingRequiredArgumentError(\"resource\");\n    }\n    if (\n      !Array.isArray(authorization_servers) ||\n      authorization_servers.length === 0\n    ) {\n      throw new MissingRequiredArgumentError(\"authorization_servers\");\n    }\n    this.props = { resource, authorization_servers };\n  }\n\n  get properties(): IProtectedResourceMetadata {\n    return this.props;\n  }\n\n  /**\n   * Builds the ProtectedResourceMetadata\n   */\n  public build() {\n    return new ProtectedResourceMetadata(this);\n  }\n\n  /**\n   * Builder method to add JWKS URI\n   */\n  withJwksUri(jwks_uri: string): this {\n    this.props.jwks_uri = jwks_uri;\n    return this;\n  }\n\n  /**\n   * Builder method to add supported scopes\n   */\n  withScopesSupported(scopes_supported: string[]): this {\n    this.props.scopes_supported = [...scopes_supported];\n    return this;\n  }\n\n  /**\n   * Builder method to add supported bearer methods\n   */\n  withBearerMethodsSupported(\n    bearer_methods_supported: BearerMethod[]\n  ): this {\n    this.props.bearer_methods_supported = [...bearer_methods_supported];\n    return this;\n  }\n\n  /**\n   * Builder method to add supported resource signing algorithms\n   */\n  withResourceSigningAlgValuesSupported(\n    resource_signing_alg_values_supported: SigningAlgorithm[]\n  ): this {\n    this.props.resource_signing_alg_values_supported = [...resource_signing_alg_values_supported];\n    return this;\n  }\n\n  /**\n   * Builder method to add resource_name\n   */\n  withResourceName(resource_name: string): this {\n    this.props.resource_name = resource_name;\n    return this;\n  }\n\n  /**\n   * Builder method to add resource documentation URL\n   */\n  withResourceDocumentation(resource_documentation: string): this {\n    this.props.resource_documentation = resource_documentation;\n    return this;\n  }\n\n  /**\n   * Builder method to add resource policy URI\n   */\n  withResourcePolicyUri(resource_policy_uri: string): this {\n    this.props.resource_policy_uri = resource_policy_uri;\n    return this;\n  }\n\n  /**\n   * Builder method to add resource terms of service URI\n   */\n  withResourceTosUri(resource_tos_uri: string): this {\n    this.props.resource_tos_uri = resource_tos_uri;\n    return this;\n  }\n\n  /**\n   * Builder method to enable TLS client certificate bound access tokens\n   */\n  withTlsClientCertificateBoundAccessTokens(tls_client_certificate_bound_access_tokens: boolean): this {\n    this.props.tls_client_certificate_bound_access_tokens = tls_client_certificate_bound_access_tokens;\n    return this;\n  }\n\n  /**\n   * Builder method to add supported authorization details types\n   */\n  withAuthorizationDetailsTypesSupported(authorization_details_types_supported: string[]): this {\n    this.props.authorization_details_types_supported = [...authorization_details_types_supported];\n    return this;\n  }\n\n  /**\n   * Builder method to add supported DPoP signing algorithms\n   */\n  withDpopSigningAlgValuesSupported(dpop_signing_alg_values_supported: string[]): this {\n    this.props.dpop_signing_alg_values_supported = [...dpop_signing_alg_values_supported];\n    return this;\n  }\n\n  /**\n   * Builder method to require DPoP bound access tokens\n   */\n  withDpopBoundAccessTokensRequired(dpop_bound_access_tokens_required: boolean): this {\n    this.props.dpop_bound_access_tokens_required = dpop_bound_access_tokens_required;\n    return this;\n  }\n\n\n}\n\nclass ProtectedResourceMetadata {\n  readonly #resource: string;\n  readonly #authorization_servers: string[];\n  readonly #jwks_uri?: string;\n  readonly #scopes_supported?: string[];\n  readonly #bearer_methods_supported?: BearerMethod[];\n  readonly #resource_signing_alg_values_supported?: SigningAlgorithm[];\n  readonly #resource_documentation?: string;\n  readonly #resource_policy_uri?: string;\n  readonly #resource_tos_uri?: string;\n  readonly #resource_name?: string;\n  readonly #tls_client_certificate_bound_access_tokens?: boolean;\n  readonly #authorization_details_types_supported?: string[];\n  readonly #dpop_signing_alg_values_supported?: string[];\n  readonly #dpop_bound_access_tokens_required?: boolean;\n\n  constructor(builder: ProtectedResourceMetadataBuilder) {\n    const props = builder.properties;\n    this.#resource = props.resource;\n    this.#authorization_servers = [...props.authorization_servers];\n    this.#jwks_uri = props.jwks_uri;\n    this.#scopes_supported = props.scopes_supported\n      ? [...props.scopes_supported]\n      : undefined;\n    this.#bearer_methods_supported = props.bearer_methods_supported\n      ? [...props.bearer_methods_supported]\n      : undefined;\n    this.#resource_signing_alg_values_supported = props.resource_signing_alg_values_supported\n      ? [...props.resource_signing_alg_values_supported]\n      : undefined;\n    this.#resource_documentation = props.resource_documentation;\n    this.#resource_policy_uri = props.resource_policy_uri;\n    this.#resource_tos_uri = props.resource_tos_uri;\n    this.#resource_name = props.resource_name;\n    this.#tls_client_certificate_bound_access_tokens = props.tls_client_certificate_bound_access_tokens;\n    this.#authorization_details_types_supported = props.authorization_details_types_supported\n      ? [...props.authorization_details_types_supported]\n      : undefined;\n    this.#dpop_signing_alg_values_supported = props.dpop_signing_alg_values_supported\n      ? [...props.dpop_signing_alg_values_supported]\n      : undefined;\n    this.#dpop_bound_access_tokens_required = props.dpop_bound_access_tokens_required;\n  }\n\n  /**\n   * Convert to JSON representation\n   */\n  public toJSON(): IProtectedResourceMetadata {\n    return {\n      resource: this.#resource,\n      authorization_servers: [...this.#authorization_servers],\n\n      ...(this.#jwks_uri !== undefined && { jwks_uri: this.#jwks_uri }),\n      ...(this.#scopes_supported !== undefined && {\n        scopes_supported: [...this.#scopes_supported],\n      }),\n      ...(this.#bearer_methods_supported !== undefined && {\n        bearer_methods_supported: [...this.#bearer_methods_supported],\n      }),\n      ...(this.#resource_signing_alg_values_supported !== undefined && {\n        resource_signing_alg_values_supported: [...this.#resource_signing_alg_values_supported],\n      }),\n      ...(this.#resource_documentation !== undefined && {\n        resource_documentation: this.#resource_documentation,\n      }),\n      ...(this.#resource_policy_uri !== undefined && {\n        resource_policy_uri: this.#resource_policy_uri,\n      }),\n      ...(this.#resource_tos_uri !== undefined && {\n        resource_tos_uri: this.#resource_tos_uri,\n      }),\n      ...(this.#resource_name !== undefined && {\n        resource_name: this.#resource_name,\n      }),\n      ...(this.#tls_client_certificate_bound_access_tokens !== undefined && {\n        tls_client_certificate_bound_access_tokens: this.#tls_client_certificate_bound_access_tokens,\n      }),\n      ...(this.#authorization_details_types_supported !== undefined && {\n        authorization_details_types_supported: [...this.#authorization_details_types_supported],\n      }),\n      ...(this.#dpop_signing_alg_values_supported !== undefined && {\n        dpop_signing_alg_values_supported: [...this.#dpop_signing_alg_values_supported],\n      }),\n      ...(this.#dpop_bound_access_tokens_required !== undefined && {\n        dpop_bound_access_tokens_required: this.#dpop_bound_access_tokens_required,\n      }),\n    };\n  }\n}\n","import { InvalidRequestError } from './errors.js';\n/**\n * Header-like object that can represent headers from different HTTP frameworks\n */\ntype HeadersLike = Record<string, unknown> & {\n  authorization?: string;\n  'content-type'?: string;\n};\n\n/**\n * Query-like object for URL query parameters\n */\ntype QueryLike = Record<string, unknown> & { access_token?: string };\n\n/**\n * Body-like object for form-encoded request body\n */\ntype BodyLike = QueryLike;\n\n/**\n * Regular expression to match Bearer token in Authorization header\n */\nconst TOKEN_RE = /^Bearer (.+)$/i;\n\n/**\n * Extracts a Bearer token from HTTP request according to RFC 6750.\n * Supports all three methods defined in the RFC:\n * - Authorization header (Section 2.1)\n * - Form-encoded body parameter (Section 2.2)\n * - URI query parameter (Section 2.3)\n *\n * @param headers - HTTP headers object\n * @param query - Query parameters object (optional)\n * @param body - Request body object (optional)\n * @returns The extracted token string\n * @throws {InvalidRequestError} When no token is found or multiple methods are used\n *\n * @example\n * ```typescript\n * // Authorization header method (recommended)\n * const token1 = getToken({ authorization: 'Bearer mF_9.B5f-4.1JqM' });\n *\n * // Query parameter method\n * const token2 = getToken({}, { access_token: 'mF_9.B5f-4.1JqM' });\n *\n * // Form body method\n * const token3 = getToken(\n *   { 'content-type': 'application/x-www-form-urlencoded' },\n *   {},\n *   { access_token: 'mF_9.B5f-4.1JqM' }\n * );\n *\n * // Express.js usage\n * const token4 = getToken(req.headers, req.query, req.body);\n * ```\n *\n * @see https://datatracker.ietf.org/doc/html/rfc6750#section-2 - RFC 6750 Section 2\n */\nexport function getToken(\n  headers: HeadersLike,\n  query?: QueryLike,\n  body?: BodyLike\n): string {\n  const fromHeader = getTokenFromHeader(headers);\n  const fromQuery = getTokenFromQuery(query);\n  const fromBody = getTokenFromBody(headers, body);\n\n  if (!fromQuery && !fromHeader && !fromBody) {\n    throw new InvalidRequestError('No Bearer token found in request');\n  }\n\n  // If multiple methods are used, throw an error\n  if (+!!fromQuery + +!!fromBody + +!!fromHeader > 1) {\n    throw new InvalidRequestError(\n      'More than one method used for authentication'\n    );\n  }\n\n  return (fromQuery || fromBody || fromHeader) as string;\n}\n\n/**\n * Extract token from Authorization header\n */\nfunction getTokenFromHeader(headers: HeadersLike) {\n  const authHeader = headers.authorization;\n  if (typeof authHeader !== 'string') {\n    return undefined;\n  }\n\n  const match = authHeader.match(TOKEN_RE);\n  return match?.[1];\n}\n\n/**\n * Extract token from query parameters\n */\nfunction getTokenFromQuery(query?: QueryLike): string | undefined {\n  const accessToken = query?.access_token;\n  if (typeof accessToken === 'string') {\n    return accessToken;\n  }\n}\n\n/**\n * Extract token from form-encoded body\n */\nfunction getTokenFromBody(\n  headers: HeadersLike,\n  body?: BodyLike\n): string | undefined {\n  if (!body || typeof body.access_token !== 'string') {\n    return undefined;\n  }\n\n  const contentType = headers['content-type'];\n  if (!contentType) {\n    return undefined;\n  }\n\n  // Handle content-type with charset, e.g., \"application/x-www-form-urlencoded; charset=utf-8\"\n  const isFormEncoded = contentType\n    .toLowerCase()\n    .includes('application/x-www-form-urlencoded');\n  if (!isFormEncoded) {\n    return undefined;\n  }\n\n  return body.access_token;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,YAAuB;AACvB,kBAA2D;AAC3D,2BAAoD;;;ACC7C,IAAM,0BAAN,cAAsC,MAAM;AAAA,EAC1C,OAAe;AAAA,EAEtB,YAAY,SAAkB;AAC5B,UAAM,WAAW,6BAA6B;AAC9C,SAAK,OAAO;AAAA,EACd;AACF;AAKO,IAAM,yBAAN,cAAqC,MAAM;AAAA,EACzC,OAAe;AAAA,EAEtB,YAAY,SAAiB;AAC3B,UAAM,OAAO;AACb,SAAK,OAAO;AAAA,EACd;AACF;AAMO,IAAM,sBAAN,cAAkC,MAAM;AAAA,EACtC,OAAe;AAAA,EAEtB,YAAY,SAAiB;AAC3B,UAAM,OAAO;AACb,SAAK,OAAO;AAAA,EACd;AACF;AAKO,IAAM,+BAAN,cAA2C,MAAM;AAAA,EAC/C,OAAe;AAAA,EAEtB,YAAY,UAAkB;AAC5B,UAAM,iBAAiB,QAAQ,qCAAqC;AACpE,SAAK,OAAO;AAAA,EACd;AACF;;;ADtCO,IAAM,YAAN,MAAgB;AAAA,EACrB;AAAA,EACS;AAAA,EACT;AAAA,EACS;AAAA,EAET,YAAY,SAA2B;AACrC,SAAK,WAAW;AAEhB,QAAI,QAAQ,UAAU;AACpB,WAAK,cAAc,IAAI,gCAAW;AAAA,QAChC,QAAQ,QAAQ;AAAA,QAChB,UAAU,QAAQ;AAAA,QAClB,cAAc,QAAQ;AAAA,QACtB,2BAA2B,QAAQ;AAAA,QACnC,2BAA2B,QAAQ;AAAA,QACnC,aAAa,QAAQ;AAAA,MACvB,CAAC;AAAA,IACH;AAEA,QAAI,CAAC,KAAK,SAAS,UAAU;AAC3B,YAAM,IAAI,6BAA6B,UAAU;AAAA,IACnD;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,YAAY;AAChB,QAAI,KAAK,iBAAiB;AACxB,aAAO;AAAA,QACL,gBAAgB,KAAK;AAAA,MACvB;AAAA,IACF;AAEA,UAAM,SAAS,IAAI,IAAI,WAAW,KAAK,SAAS,MAAM,EAAE;AACxD,UAAM,WAAW,MAAY,uBAAiB,QAAQ;AAAA,MACpD,CAAO,iBAAW,GAAG,KAAK,SAAS;AAAA,IACrC,CAAC;AAED,SAAK,kBAAkB,MAAY;AAAA,MACjC;AAAA,MACA;AAAA,IACF;AAEA,WAAO;AAAA,MACL,gBAAgB,KAAK;AAAA,IACvB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,kBAAkB,SAAmC;AACzD,UAAM,EAAE,eAAe,IAAI,MAAM,KAAK,UAAU;AAEhD,SAAK,cAAU,gCAAmB,IAAI,IAAI,eAAgB,QAAS,GAAG;AAAA,MACpE,CAAC,uBAAW,GAAG,KAAK,SAAS;AAAA,IAC/B,CAAC;AAED,QAAI;AACF,YAAM,EAAE,QAAQ,IAAI,UAAM,uBAAU,QAAQ,aAAa,KAAK,OAAO;AAAA,QACnE,QAAQ,KAAK,gBAAiB;AAAA,QAC9B,UAAU,KAAK,SAAS;AAAA,QACxB,YAAY,CAAC,OAAO;AAAA,QACpB,gBAAgB,CAAC,OAAO,OAAO,GAAI,QAAQ,kBAAkB,CAAC,CAAE;AAAA,MAClE,CAAC;AACD,aAAO;AAAA,IACT,SAAS,GAAG;AAEV,YAAM,IAAI,uBAAwB,EAAU,OAAO;AAAA,IACrD;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAa,4BAA4B,SAAuE;AAC9G,QAAI,CAAC,KAAK,aAAa;AACrB,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAEA,UAAM,wBAAwB,MAAM,KAAK,YAAY,sBAAsB;AAAA,MACzE,YAAY,QAAQ;AAAA,MACpB,WAAW,QAAQ;AAAA,MACnB,aAAa,QAAQ;AAAA,IACvB,CAAC;AAED,WAAO;AAAA,MACL,aAAa,sBAAsB;AAAA,MACnC,OAAO,sBAAsB;AAAA,MAC7B,WAAW,sBAAsB;AAAA,MACjC,YAAY,QAAQ;AAAA,MACpB,WAAW,QAAQ;AAAA,IACrB;AAAA,EACF;AACF;;;AEzGO,IAAK,eAAL,kBAAKA,kBAAL;AACL,EAAAA,cAAA,YAAS;AACT,EAAAA,cAAA,UAAO;AACP,EAAAA,cAAA,WAAQ;AAHE,SAAAA;AAAA,GAAA;AASL,IAAK,mBAAL,kBAAKC,sBAAL;AACL,EAAAA,kBAAA,WAAQ;AACR,EAAAA,kBAAA,WAAQ;AACR,EAAAA,kBAAA,WAAQ;AACR,EAAAA,kBAAA,WAAQ;AACR,EAAAA,kBAAA,WAAQ;AACR,EAAAA,kBAAA,WAAQ;AACR,EAAAA,kBAAA,WAAQ;AACR,EAAAA,kBAAA,WAAQ;AACR,EAAAA,kBAAA,WAAQ;AACR,EAAAA,kBAAA,WAAQ;AACR,EAAAA,kBAAA,WAAQ;AACR,EAAAA,kBAAA,WAAQ;AAZE,SAAAA;AAAA,GAAA;AAkBL,IAAK,YAAL,kBAAKC,eAAL;AACL,EAAAA,WAAA,wBAAqB;AACrB,EAAAA,WAAA,cAAW;AACX,EAAAA,WAAA,cAAW;AACX,EAAAA,WAAA,wBAAqB;AACrB,EAAAA,WAAA,mBAAgB;AAChB,EAAAA,WAAA,gBAAa;AACb,EAAAA,WAAA,kBAAe;AACf,EAAAA,WAAA,iBAAc;AARJ,SAAAA;AAAA,GAAA;AA4CL,IAAM,mCAAN,MAAuC;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQjB,YAAY,UAAkB,uBAAiC;AAC7D,QAAI,CAAC,UAAU,KAAK,GAAG;AACrB,YAAM,IAAI,6BAA6B,UAAU;AAAA,IACnD;AACA,QACE,CAAC,MAAM,QAAQ,qBAAqB,KACpC,sBAAsB,WAAW,GACjC;AACA,YAAM,IAAI,6BAA6B,uBAAuB;AAAA,IAChE;AACA,SAAK,QAAQ,EAAE,UAAU,sBAAsB;AAAA,EACjD;AAAA,EAEA,IAAI,aAAyC;AAC3C,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKO,QAAQ;AACb,WAAO,IAAI,0BAA0B,IAAI;AAAA,EAC3C;AAAA;AAAA;AAAA;AAAA,EAKA,YAAY,UAAwB;AAClC,SAAK,MAAM,WAAW;AACtB,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,oBAAoB,kBAAkC;AACpD,SAAK,MAAM,mBAAmB,CAAC,GAAG,gBAAgB;AAClD,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,2BACE,0BACM;AACN,SAAK,MAAM,2BAA2B,CAAC,GAAG,wBAAwB;AAClE,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,sCACE,uCACM;AACN,SAAK,MAAM,wCAAwC,CAAC,GAAG,qCAAqC;AAC5F,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,iBAAiB,eAA6B;AAC5C,SAAK,MAAM,gBAAgB;AAC3B,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,0BAA0B,wBAAsC;AAC9D,SAAK,MAAM,yBAAyB;AACpC,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,sBAAsB,qBAAmC;AACvD,SAAK,MAAM,sBAAsB;AACjC,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,mBAAmB,kBAAgC;AACjD,SAAK,MAAM,mBAAmB;AAC9B,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,0CAA0C,4CAA2D;AACnG,SAAK,MAAM,6CAA6C;AACxD,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,uCAAuC,uCAAuD;AAC5F,SAAK,MAAM,wCAAwC,CAAC,GAAG,qCAAqC;AAC5F,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,kCAAkC,mCAAmD;AACnF,SAAK,MAAM,oCAAoC,CAAC,GAAG,iCAAiC;AACpF,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,kCAAkC,mCAAkD;AAClF,SAAK,MAAM,oCAAoC;AAC/C,WAAO;AAAA,EACT;AAGF;AAEA,IAAM,4BAAN,MAAgC;AAAA,EACrB;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAET,YAAY,SAA2C;AACrD,UAAM,QAAQ,QAAQ;AACtB,SAAK,YAAY,MAAM;AACvB,SAAK,yBAAyB,CAAC,GAAG,MAAM,qBAAqB;AAC7D,SAAK,YAAY,MAAM;AACvB,SAAK,oBAAoB,MAAM,mBAC3B,CAAC,GAAG,MAAM,gBAAgB,IAC1B;AACJ,SAAK,4BAA4B,MAAM,2BACnC,CAAC,GAAG,MAAM,wBAAwB,IAClC;AACJ,SAAK,yCAAyC,MAAM,wCAChD,CAAC,GAAG,MAAM,qCAAqC,IAC/C;AACJ,SAAK,0BAA0B,MAAM;AACrC,SAAK,uBAAuB,MAAM;AAClC,SAAK,oBAAoB,MAAM;AAC/B,SAAK,iBAAiB,MAAM;AAC5B,SAAK,8CAA8C,MAAM;AACzD,SAAK,yCAAyC,MAAM,wCAChD,CAAC,GAAG,MAAM,qCAAqC,IAC/C;AACJ,SAAK,qCAAqC,MAAM,oCAC5C,CAAC,GAAG,MAAM,iCAAiC,IAC3C;AACJ,SAAK,qCAAqC,MAAM;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA,EAKO,SAAqC;AAC1C,WAAO;AAAA,MACL,UAAU,KAAK;AAAA,MACf,uBAAuB,CAAC,GAAG,KAAK,sBAAsB;AAAA,MAEtD,GAAI,KAAK,cAAc,UAAa,EAAE,UAAU,KAAK,UAAU;AAAA,MAC/D,GAAI,KAAK,sBAAsB,UAAa;AAAA,QAC1C,kBAAkB,CAAC,GAAG,KAAK,iBAAiB;AAAA,MAC9C;AAAA,MACA,GAAI,KAAK,8BAA8B,UAAa;AAAA,QAClD,0BAA0B,CAAC,GAAG,KAAK,yBAAyB;AAAA,MAC9D;AAAA,MACA,GAAI,KAAK,2CAA2C,UAAa;AAAA,QAC/D,uCAAuC,CAAC,GAAG,KAAK,sCAAsC;AAAA,MACxF;AAAA,MACA,GAAI,KAAK,4BAA4B,UAAa;AAAA,QAChD,wBAAwB,KAAK;AAAA,MAC/B;AAAA,MACA,GAAI,KAAK,yBAAyB,UAAa;AAAA,QAC7C,qBAAqB,KAAK;AAAA,MAC5B;AAAA,MACA,GAAI,KAAK,sBAAsB,UAAa;AAAA,QAC1C,kBAAkB,KAAK;AAAA,MACzB;AAAA,MACA,GAAI,KAAK,mBAAmB,UAAa;AAAA,QACvC,eAAe,KAAK;AAAA,MACtB;AAAA,MACA,GAAI,KAAK,gDAAgD,UAAa;AAAA,QACpE,4CAA4C,KAAK;AAAA,MACnD;AAAA,MACA,GAAI,KAAK,2CAA2C,UAAa;AAAA,QAC/D,uCAAuC,CAAC,GAAG,KAAK,sCAAsC;AAAA,MACxF;AAAA,MACA,GAAI,KAAK,uCAAuC,UAAa;AAAA,QAC3D,mCAAmC,CAAC,GAAG,KAAK,kCAAkC;AAAA,MAChF;AAAA,MACA,GAAI,KAAK,uCAAuC,UAAa;AAAA,QAC3D,mCAAmC,KAAK;AAAA,MAC1C;AAAA,IACF;AAAA,EACF;AACF;;;AC3RA,IAAM,WAAW;AAoCV,SAAS,SACd,SACA,OACA,MACQ;AACR,QAAM,aAAa,mBAAmB,OAAO;AAC7C,QAAM,YAAY,kBAAkB,KAAK;AACzC,QAAM,WAAW,iBAAiB,SAAS,IAAI;AAE/C,MAAI,CAAC,aAAa,CAAC,cAAc,CAAC,UAAU;AAC1C,UAAM,IAAI,oBAAoB,kCAAkC;AAAA,EAClE;AAGA,MAAI,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,aAAa,GAAG;AAClD,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAEA,SAAQ,aAAa,YAAY;AACnC;AAKA,SAAS,mBAAmB,SAAsB;AAChD,QAAM,aAAa,QAAQ;AAC3B,MAAI,OAAO,eAAe,UAAU;AAClC,WAAO;AAAA,EACT;AAEA,QAAM,QAAQ,WAAW,MAAM,QAAQ;AACvC,SAAO,QAAQ,CAAC;AAClB;AAKA,SAAS,kBAAkB,OAAuC;AAChE,QAAM,cAAc,OAAO;AAC3B,MAAI,OAAO,gBAAgB,UAAU;AACnC,WAAO;AAAA,EACT;AACF;AAKA,SAAS,iBACP,SACA,MACoB;AACpB,MAAI,CAAC,QAAQ,OAAO,KAAK,iBAAiB,UAAU;AAClD,WAAO;AAAA,EACT;AAEA,QAAM,cAAc,QAAQ,cAAc;AAC1C,MAAI,CAAC,aAAa;AAChB,WAAO;AAAA,EACT;AAGA,QAAM,gBAAgB,YACnB,YAAY,EACZ,SAAS,mCAAmC;AAC/C,MAAI,CAAC,eAAe;AAClB,WAAO;AAAA,EACT;AAEA,SAAO,KAAK;AACd;","names":["BearerMethod","SigningAlgorithm","GrantType"]}

dist/index.d.cts

@@ -14,2 +14,22 @@ import * as jose from 'jose';
     /**
+     * The optional client ID of the application.
+     * Required when using the `getAccessTokenForConnection` method.
+     */
+    clientId?: string;
+    /**
+     * The optional client secret of the application.
+     * At least one of `clientSecret` or `clientAssertionSigningKey` is required when using the `getAccessTokenForConnection` method.
+     */
+    clientSecret?: string;
+    /**
+     * The optional client assertion signing key to use.
+     * At least one of `clientSecret` or `clientAssertionSigningKey` is required when using the `getAccessTokenForConnection` method.
+     */
+    clientAssertionSigningKey?: string | CryptoKey;
+    /**
+     * The optional client assertion signing algorithm to use with the `clientAssertionSigningKey`.
+     * If not provided, it will default to `RS256`.
+     */
+    clientAssertionSigningAlg?: string;
+    /**
      * Optional, custom Fetch implementation to use.
@@ -19,2 +39,38 @@ */
 }
+interface AccessTokenForConnectionOptions {
+    /**
+     * The name of the connection to get the token for.
+     */
+    connection: string;
+    /**
+     * The access token used as the subject token to be exchanged.
+     */
+    accessToken: string;
+    /**
+     * An optional login hint to pass to the connection.
+     */
+    loginHint?: string;
+}
+interface ConnectionTokenSet {
+    /**
+     * The access token issued by the connection.
+     */
+    accessToken: string;
+    /**
+     * The scope granted by the connection.
+     */
+    scope: string | undefined;
+    /**
+     * The access token expiration time, represented in seconds since the Unix epoch.
+     */
+    expiresAt: number;
+    /**
+     * The name of the connection the token was requested for.
+     */
+    connection: string;
+    /**
+     * An optional login hint that was passed during the exchange.
+     */
+    loginHint?: string;
+}
 interface VerifyAccessTokenOptions {
@@ -42,5 +98,160 @@ /**
     verifyAccessToken(options: VerifyAccessTokenOptions): Promise<jose.JWTPayload>;
+    /**
+     * Retrieves an access token for a connection.
+     *
+     * @param options - Options for retrieving an access token for a connection.
+     *
+     * @throws {TokenForConnectionError} If there was an issue requesting the access token.
+     *
+     * @returns The Connection Token Set, containing the access token for the connection, as well as additional information.
+     */
+    getAccessTokenForConnection(options: AccessTokenForConnectionOptions): Promise<ConnectionTokenSet>;
 }
 
 /**
+ * RFC 9728 - OAuth 2.0 Protected Resource Metadata
+ * https://datatracker.ietf.org/doc/html/rfc9728
+ */
+/**
+ * Supported methods of sending an OAuth 2.0 bearer token
+ */
+declare enum BearerMethod {
+    HEADER = "header",
+    BODY = "body",
+    QUERY = "query"
+}
+/**
+ * Supported signing algorithms
+ */
+declare enum SigningAlgorithm {
+    RS256 = "RS256",
+    RS384 = "RS384",
+    RS512 = "RS512",
+    ES256 = "ES256",
+    ES384 = "ES384",
+    ES512 = "ES512",
+    PS256 = "PS256",
+    PS384 = "PS384",
+    PS512 = "PS512",
+    HS256 = "HS256",
+    HS384 = "HS384",
+    HS512 = "HS512"
+}
+/**
+ * Grant types supported
+ */
+declare enum GrantType {
+    AUTHORIZATION_CODE = "authorization_code",
+    IMPLICIT = "implicit",
+    PASSWORD = "password",
+    CLIENT_CREDENTIALS = "client_credentials",
+    REFRESH_TOKEN = "refresh_token",
+    JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer",
+    SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer",
+    DEVICE_CODE = "urn:ietf:params:oauth:grant-type:device_code"
+}
+/**
+ * Interface for Protected Resource Metadata
+ */
+interface IProtectedResourceMetadata {
+    resource: string;
+    authorization_servers: string[];
+    jwks_uri?: string;
+    scopes_supported?: string[];
+    bearer_methods_supported?: BearerMethod[];
+    resource_signing_alg_values_supported?: SigningAlgorithm[];
+    resource_name?: string;
+    resource_documentation?: string;
+    resource_policy_uri?: string;
+    resource_tos_uri?: string;
+    tls_client_certificate_bound_access_tokens?: boolean;
+    authorization_details_types_supported?: string[];
+    dpop_signing_alg_values_supported?: string[];
+    dpop_bound_access_tokens_required?: boolean;
+}
+/**
+ * Builder for creating a ProtectedResourceMetadata instance
+ *
+ * @example
+ * ```typescript
+ * const metadata = new ProtectedResourceMetadataBuilder('https://api.example.com', ['https://auth.example.com'])
+ *   .withJwksUri('https://api.example.com/.well-known/jwks.json')
+ *   .withScopesSupported(['read', 'write'])
+ *   .build();
+ * // serialize to json
+ * const json = metadata.toJSON();
+ * ```
+ */
+declare class ProtectedResourceMetadataBuilder {
+    private readonly props;
+    /**
+     * Constructor for the builder
+     * @param resource - The protected resource identifier (REQUIRED)
+     * @param authorization_servers - Array of authorization server URLs (REQUIRED)
+     */
+    constructor(resource: string, authorization_servers: string[]);
+    get properties(): IProtectedResourceMetadata;
+    /**
+     * Builds the ProtectedResourceMetadata
+     */
+    build(): ProtectedResourceMetadata;
+    /**
+     * Builder method to add JWKS URI
+     */
+    withJwksUri(jwks_uri: string): this;
+    /**
+     * Builder method to add supported scopes
+     */
+    withScopesSupported(scopes_supported: string[]): this;
+    /**
+     * Builder method to add supported bearer methods
+     */
+    withBearerMethodsSupported(bearer_methods_supported: BearerMethod[]): this;
+    /**
+     * Builder method to add supported resource signing algorithms
+     */
+    withResourceSigningAlgValuesSupported(resource_signing_alg_values_supported: SigningAlgorithm[]): this;
+    /**
+     * Builder method to add resource_name
+     */
+    withResourceName(resource_name: string): this;
+    /**
+     * Builder method to add resource documentation URL
+     */
+    withResourceDocumentation(resource_documentation: string): this;
+    /**
+     * Builder method to add resource policy URI
+     */
+    withResourcePolicyUri(resource_policy_uri: string): this;
+    /**
+     * Builder method to add resource terms of service URI
+     */
+    withResourceTosUri(resource_tos_uri: string): this;
+    /**
+     * Builder method to enable TLS client certificate bound access tokens
+     */
+    withTlsClientCertificateBoundAccessTokens(tls_client_certificate_bound_access_tokens: boolean): this;
+    /**
+     * Builder method to add supported authorization details types
+     */
+    withAuthorizationDetailsTypesSupported(authorization_details_types_supported: string[]): this;
+    /**
+     * Builder method to add supported DPoP signing algorithms
+     */
+    withDpopSigningAlgValuesSupported(dpop_signing_alg_values_supported: string[]): this;
+    /**
+     * Builder method to require DPoP bound access tokens
+     */
+    withDpopBoundAccessTokensRequired(dpop_bound_access_tokens_required: boolean): this;
+}
+declare class ProtectedResourceMetadata {
+    #private;
+    constructor(builder: ProtectedResourceMetadataBuilder);
+    /**
+     * Convert to JSON representation
+     */
+    toJSON(): IProtectedResourceMetadata;
+}
+
+/**
  * Error thrown when the transaction is missing.
@@ -60,2 +271,10 @@ */
 /**
+ * Error thrown when request is missing a valid token or
+ * multiple auth methods used
+ */
+declare class InvalidRequestError extends Error {
+    code: string;
+    constructor(message: string);
+}
+/**
  * Error thrown when a required argument is missing.
@@ -68,2 +287,55 @@ */
 
-export { ApiClient, type ApiClientOptions, MissingRequiredArgumentError, MissingTransactionError, VerifyAccessTokenError, type VerifyAccessTokenOptions };
+/**
+ * Header-like object that can represent headers from different HTTP frameworks
+ */
+type HeadersLike = Record<string, unknown> & {
+    authorization?: string;
+    'content-type'?: string;
+};
+/**
+ * Query-like object for URL query parameters
+ */
+type QueryLike = Record<string, unknown> & {
+    access_token?: string;
+};
+/**
+ * Body-like object for form-encoded request body
+ */
+type BodyLike = QueryLike;
+/**
+ * Extracts a Bearer token from HTTP request according to RFC 6750.
+ * Supports all three methods defined in the RFC:
+ * - Authorization header (Section 2.1)
+ * - Form-encoded body parameter (Section 2.2)
+ * - URI query parameter (Section 2.3)
+ *
+ * @param headers - HTTP headers object
+ * @param query - Query parameters object (optional)
+ * @param body - Request body object (optional)
+ * @returns The extracted token string
+ * @throws {InvalidRequestError} When no token is found or multiple methods are used
+ *
+ * @example
+ * ```typescript
+ * // Authorization header method (recommended)
+ * const token1 = getToken({ authorization: 'Bearer mF_9.B5f-4.1JqM' });
+ *
+ * // Query parameter method
+ * const token2 = getToken({}, { access_token: 'mF_9.B5f-4.1JqM' });
+ *
+ * // Form body method
+ * const token3 = getToken(
+ *   { 'content-type': 'application/x-www-form-urlencoded' },
+ *   {},
+ *   { access_token: 'mF_9.B5f-4.1JqM' }
+ * );
+ *
+ * // Express.js usage
+ * const token4 = getToken(req.headers, req.query, req.body);
+ * ```
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc6750#section-2 - RFC 6750 Section 2
+ */
+declare function getToken(headers: HeadersLike, query?: QueryLike, body?: BodyLike): string;
+
+export { type AccessTokenForConnectionOptions, ApiClient, type ApiClientOptions, BearerMethod, type ConnectionTokenSet, GrantType, type IProtectedResourceMetadata, InvalidRequestError, MissingRequiredArgumentError, MissingTransactionError, ProtectedResourceMetadataBuilder, SigningAlgorithm, VerifyAccessTokenError, type VerifyAccessTokenOptions, getToken };

dist/index.d.ts

@@ -14,2 +14,22 @@ import * as jose from 'jose';
     /**
+     * The optional client ID of the application.
+     * Required when using the `getAccessTokenForConnection` method.
+     */
+    clientId?: string;
+    /**
+     * The optional client secret of the application.
+     * At least one of `clientSecret` or `clientAssertionSigningKey` is required when using the `getAccessTokenForConnection` method.
+     */
+    clientSecret?: string;
+    /**
+     * The optional client assertion signing key to use.
+     * At least one of `clientSecret` or `clientAssertionSigningKey` is required when using the `getAccessTokenForConnection` method.
+     */
+    clientAssertionSigningKey?: string | CryptoKey;
+    /**
+     * The optional client assertion signing algorithm to use with the `clientAssertionSigningKey`.
+     * If not provided, it will default to `RS256`.
+     */
+    clientAssertionSigningAlg?: string;
+    /**
      * Optional, custom Fetch implementation to use.
@@ -19,2 +39,38 @@ */
 }
+interface AccessTokenForConnectionOptions {
+    /**
+     * The name of the connection to get the token for.
+     */
+    connection: string;
+    /**
+     * The access token used as the subject token to be exchanged.
+     */
+    accessToken: string;
+    /**
+     * An optional login hint to pass to the connection.
+     */
+    loginHint?: string;
+}
+interface ConnectionTokenSet {
+    /**
+     * The access token issued by the connection.
+     */
+    accessToken: string;
+    /**
+     * The scope granted by the connection.
+     */
+    scope: string | undefined;
+    /**
+     * The access token expiration time, represented in seconds since the Unix epoch.
+     */
+    expiresAt: number;
+    /**
+     * The name of the connection the token was requested for.
+     */
+    connection: string;
+    /**
+     * An optional login hint that was passed during the exchange.
+     */
+    loginHint?: string;
+}
 interface VerifyAccessTokenOptions {
@@ -42,5 +98,160 @@ /**
     verifyAccessToken(options: VerifyAccessTokenOptions): Promise<jose.JWTPayload>;
+    /**
+     * Retrieves an access token for a connection.
+     *
+     * @param options - Options for retrieving an access token for a connection.
+     *
+     * @throws {TokenForConnectionError} If there was an issue requesting the access token.
+     *
+     * @returns The Connection Token Set, containing the access token for the connection, as well as additional information.
+     */
+    getAccessTokenForConnection(options: AccessTokenForConnectionOptions): Promise<ConnectionTokenSet>;
 }
 
 /**
+ * RFC 9728 - OAuth 2.0 Protected Resource Metadata
+ * https://datatracker.ietf.org/doc/html/rfc9728
+ */
+/**
+ * Supported methods of sending an OAuth 2.0 bearer token
+ */
+declare enum BearerMethod {
+    HEADER = "header",
+    BODY = "body",
+    QUERY = "query"
+}
+/**
+ * Supported signing algorithms
+ */
+declare enum SigningAlgorithm {
+    RS256 = "RS256",
+    RS384 = "RS384",
+    RS512 = "RS512",
+    ES256 = "ES256",
+    ES384 = "ES384",
+    ES512 = "ES512",
+    PS256 = "PS256",
+    PS384 = "PS384",
+    PS512 = "PS512",
+    HS256 = "HS256",
+    HS384 = "HS384",
+    HS512 = "HS512"
+}
+/**
+ * Grant types supported
+ */
+declare enum GrantType {
+    AUTHORIZATION_CODE = "authorization_code",
+    IMPLICIT = "implicit",
+    PASSWORD = "password",
+    CLIENT_CREDENTIALS = "client_credentials",
+    REFRESH_TOKEN = "refresh_token",
+    JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer",
+    SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer",
+    DEVICE_CODE = "urn:ietf:params:oauth:grant-type:device_code"
+}
+/**
+ * Interface for Protected Resource Metadata
+ */
+interface IProtectedResourceMetadata {
+    resource: string;
+    authorization_servers: string[];
+    jwks_uri?: string;
+    scopes_supported?: string[];
+    bearer_methods_supported?: BearerMethod[];
+    resource_signing_alg_values_supported?: SigningAlgorithm[];
+    resource_name?: string;
+    resource_documentation?: string;
+    resource_policy_uri?: string;
+    resource_tos_uri?: string;
+    tls_client_certificate_bound_access_tokens?: boolean;
+    authorization_details_types_supported?: string[];
+    dpop_signing_alg_values_supported?: string[];
+    dpop_bound_access_tokens_required?: boolean;
+}
+/**
+ * Builder for creating a ProtectedResourceMetadata instance
+ *
+ * @example
+ * ```typescript
+ * const metadata = new ProtectedResourceMetadataBuilder('https://api.example.com', ['https://auth.example.com'])
+ *   .withJwksUri('https://api.example.com/.well-known/jwks.json')
+ *   .withScopesSupported(['read', 'write'])
+ *   .build();
+ * // serialize to json
+ * const json = metadata.toJSON();
+ * ```
+ */
+declare class ProtectedResourceMetadataBuilder {
+    private readonly props;
+    /**
+     * Constructor for the builder
+     * @param resource - The protected resource identifier (REQUIRED)
+     * @param authorization_servers - Array of authorization server URLs (REQUIRED)
+     */
+    constructor(resource: string, authorization_servers: string[]);
+    get properties(): IProtectedResourceMetadata;
+    /**
+     * Builds the ProtectedResourceMetadata
+     */
+    build(): ProtectedResourceMetadata;
+    /**
+     * Builder method to add JWKS URI
+     */
+    withJwksUri(jwks_uri: string): this;
+    /**
+     * Builder method to add supported scopes
+     */
+    withScopesSupported(scopes_supported: string[]): this;
+    /**
+     * Builder method to add supported bearer methods
+     */
+    withBearerMethodsSupported(bearer_methods_supported: BearerMethod[]): this;
+    /**
+     * Builder method to add supported resource signing algorithms
+     */
+    withResourceSigningAlgValuesSupported(resource_signing_alg_values_supported: SigningAlgorithm[]): this;
+    /**
+     * Builder method to add resource_name
+     */
+    withResourceName(resource_name: string): this;
+    /**
+     * Builder method to add resource documentation URL
+     */
+    withResourceDocumentation(resource_documentation: string): this;
+    /**
+     * Builder method to add resource policy URI
+     */
+    withResourcePolicyUri(resource_policy_uri: string): this;
+    /**
+     * Builder method to add resource terms of service URI
+     */
+    withResourceTosUri(resource_tos_uri: string): this;
+    /**
+     * Builder method to enable TLS client certificate bound access tokens
+     */
+    withTlsClientCertificateBoundAccessTokens(tls_client_certificate_bound_access_tokens: boolean): this;
+    /**
+     * Builder method to add supported authorization details types
+     */
+    withAuthorizationDetailsTypesSupported(authorization_details_types_supported: string[]): this;
+    /**
+     * Builder method to add supported DPoP signing algorithms
+     */
+    withDpopSigningAlgValuesSupported(dpop_signing_alg_values_supported: string[]): this;
+    /**
+     * Builder method to require DPoP bound access tokens
+     */
+    withDpopBoundAccessTokensRequired(dpop_bound_access_tokens_required: boolean): this;
+}
+declare class ProtectedResourceMetadata {
+    #private;
+    constructor(builder: ProtectedResourceMetadataBuilder);
+    /**
+     * Convert to JSON representation
+     */
+    toJSON(): IProtectedResourceMetadata;
+}
+
+/**
  * Error thrown when the transaction is missing.
@@ -60,2 +271,10 @@ */
 /**
+ * Error thrown when request is missing a valid token or
+ * multiple auth methods used
+ */
+declare class InvalidRequestError extends Error {
+    code: string;
+    constructor(message: string);
+}
+/**
  * Error thrown when a required argument is missing.
@@ -68,2 +287,55 @@ */
 
-export { ApiClient, type ApiClientOptions, MissingRequiredArgumentError, MissingTransactionError, VerifyAccessTokenError, type VerifyAccessTokenOptions };
+/**
+ * Header-like object that can represent headers from different HTTP frameworks
+ */
+type HeadersLike = Record<string, unknown> & {
+    authorization?: string;
+    'content-type'?: string;
+};
+/**
+ * Query-like object for URL query parameters
+ */
+type QueryLike = Record<string, unknown> & {
+    access_token?: string;
+};
+/**
+ * Body-like object for form-encoded request body
+ */
+type BodyLike = QueryLike;
+/**
+ * Extracts a Bearer token from HTTP request according to RFC 6750.
+ * Supports all three methods defined in the RFC:
+ * - Authorization header (Section 2.1)
+ * - Form-encoded body parameter (Section 2.2)
+ * - URI query parameter (Section 2.3)
+ *
+ * @param headers - HTTP headers object
+ * @param query - Query parameters object (optional)
+ * @param body - Request body object (optional)
+ * @returns The extracted token string
+ * @throws {InvalidRequestError} When no token is found or multiple methods are used
+ *
+ * @example
+ * ```typescript
+ * // Authorization header method (recommended)
+ * const token1 = getToken({ authorization: 'Bearer mF_9.B5f-4.1JqM' });
+ *
+ * // Query parameter method
+ * const token2 = getToken({}, { access_token: 'mF_9.B5f-4.1JqM' });
+ *
+ * // Form body method
+ * const token3 = getToken(
+ *   { 'content-type': 'application/x-www-form-urlencoded' },
+ *   {},
+ *   { access_token: 'mF_9.B5f-4.1JqM' }
+ * );
+ *
+ * // Express.js usage
+ * const token4 = getToken(req.headers, req.query, req.body);
+ * ```
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc6750#section-2 - RFC 6750 Section 2
+ */
+declare function getToken(headers: HeadersLike, query?: QueryLike, body?: BodyLike): string;
+
+export { type AccessTokenForConnectionOptions, ApiClient, type ApiClientOptions, BearerMethod, type ConnectionTokenSet, GrantType, type IProtectedResourceMetadata, InvalidRequestError, MissingRequiredArgumentError, MissingTransactionError, ProtectedResourceMetadataBuilder, SigningAlgorithm, VerifyAccessTokenError, type VerifyAccessTokenOptions, getToken };

dist/index.js

 // src/api-client.ts
 import * as oauth from "oauth4webapi";
 import { createRemoteJWKSet, jwtVerify, customFetch as customFetch2 } from "jose";
+import { AuthClient, TokenForConnectionError } from "@auth0/auth0-auth-js";
 
@@ -20,2 +21,9 @@ // src/errors.ts
 };
+var InvalidRequestError = class extends Error {
+  code = "invalid_request";
+  constructor(message) {
+    super(message);
+    this.name = "InvalidRequestError";
+  }
+};
 var MissingRequiredArgumentError = class extends Error {
@@ -34,4 +42,15 @@ code = "missing_required_argument_error";
   #jwks;
+  #authClient;
   constructor(options) {
     this.#options = options;
+    if (options.clientId) {
+      this.#authClient = new AuthClient({
+        domain: options.domain,
+        clientId: options.clientId,
+        clientSecret: options.clientSecret,
+        clientAssertionSigningKey: options.clientAssertionSigningKey,
+        clientAssertionSigningAlg: options.clientAssertionSigningAlg,
+        customFetch: options.customFetch
+      });
+    }
     if (!this.#options.audience) {
@@ -84,9 +103,308 @@ throw new MissingRequiredArgumentError("audience");
   }
+  /**
+   * Retrieves an access token for a connection.
+   *
+   * @param options - Options for retrieving an access token for a connection.
+   *
+   * @throws {TokenForConnectionError} If there was an issue requesting the access token.
+   *
+   * @returns The Connection Token Set, containing the access token for the connection, as well as additional information.
+   */
+  async getAccessTokenForConnection(options) {
+    if (!this.#authClient) {
+      throw new TokenForConnectionError(
+        "Client credentials are required to use getAccessTokenForConnection"
+      );
+    }
+    const tokenEndpointResponse = await this.#authClient.getTokenForConnection({
+      connection: options.connection,
+      loginHint: options.loginHint,
+      accessToken: options.accessToken
+    });
+    return {
+      accessToken: tokenEndpointResponse.accessToken,
+      scope: tokenEndpointResponse.scope,
+      expiresAt: tokenEndpointResponse.expiresAt,
+      connection: options.connection,
+      loginHint: options.loginHint
+    };
+  }
 };
+
+// src/protected-resource-metadata.ts
+var BearerMethod = /* @__PURE__ */ ((BearerMethod2) => {
+  BearerMethod2["HEADER"] = "header";
+  BearerMethod2["BODY"] = "body";
+  BearerMethod2["QUERY"] = "query";
+  return BearerMethod2;
+})(BearerMethod || {});
+var SigningAlgorithm = /* @__PURE__ */ ((SigningAlgorithm2) => {
+  SigningAlgorithm2["RS256"] = "RS256";
+  SigningAlgorithm2["RS384"] = "RS384";
+  SigningAlgorithm2["RS512"] = "RS512";
+  SigningAlgorithm2["ES256"] = "ES256";
+  SigningAlgorithm2["ES384"] = "ES384";
+  SigningAlgorithm2["ES512"] = "ES512";
+  SigningAlgorithm2["PS256"] = "PS256";
+  SigningAlgorithm2["PS384"] = "PS384";
+  SigningAlgorithm2["PS512"] = "PS512";
+  SigningAlgorithm2["HS256"] = "HS256";
+  SigningAlgorithm2["HS384"] = "HS384";
+  SigningAlgorithm2["HS512"] = "HS512";
+  return SigningAlgorithm2;
+})(SigningAlgorithm || {});
+var GrantType = /* @__PURE__ */ ((GrantType2) => {
+  GrantType2["AUTHORIZATION_CODE"] = "authorization_code";
+  GrantType2["IMPLICIT"] = "implicit";
+  GrantType2["PASSWORD"] = "password";
+  GrantType2["CLIENT_CREDENTIALS"] = "client_credentials";
+  GrantType2["REFRESH_TOKEN"] = "refresh_token";
+  GrantType2["JWT_BEARER"] = "urn:ietf:params:oauth:grant-type:jwt-bearer";
+  GrantType2["SAML2_BEARER"] = "urn:ietf:params:oauth:grant-type:saml2-bearer";
+  GrantType2["DEVICE_CODE"] = "urn:ietf:params:oauth:grant-type:device_code";
+  return GrantType2;
+})(GrantType || {});
+var ProtectedResourceMetadataBuilder = class {
+  props;
+  /**
+   * Constructor for the builder
+   * @param resource - The protected resource identifier (REQUIRED)
+   * @param authorization_servers - Array of authorization server URLs (REQUIRED)
+   */
+  constructor(resource, authorization_servers) {
+    if (!resource?.trim()) {
+      throw new MissingRequiredArgumentError("resource");
+    }
+    if (!Array.isArray(authorization_servers) || authorization_servers.length === 0) {
+      throw new MissingRequiredArgumentError("authorization_servers");
+    }
+    this.props = { resource, authorization_servers };
+  }
+  get properties() {
+    return this.props;
+  }
+  /**
+   * Builds the ProtectedResourceMetadata
+   */
+  build() {
+    return new ProtectedResourceMetadata(this);
+  }
+  /**
+   * Builder method to add JWKS URI
+   */
+  withJwksUri(jwks_uri) {
+    this.props.jwks_uri = jwks_uri;
+    return this;
+  }
+  /**
+   * Builder method to add supported scopes
+   */
+  withScopesSupported(scopes_supported) {
+    this.props.scopes_supported = [...scopes_supported];
+    return this;
+  }
+  /**
+   * Builder method to add supported bearer methods
+   */
+  withBearerMethodsSupported(bearer_methods_supported) {
+    this.props.bearer_methods_supported = [...bearer_methods_supported];
+    return this;
+  }
+  /**
+   * Builder method to add supported resource signing algorithms
+   */
+  withResourceSigningAlgValuesSupported(resource_signing_alg_values_supported) {
+    this.props.resource_signing_alg_values_supported = [...resource_signing_alg_values_supported];
+    return this;
+  }
+  /**
+   * Builder method to add resource_name
+   */
+  withResourceName(resource_name) {
+    this.props.resource_name = resource_name;
+    return this;
+  }
+  /**
+   * Builder method to add resource documentation URL
+   */
+  withResourceDocumentation(resource_documentation) {
+    this.props.resource_documentation = resource_documentation;
+    return this;
+  }
+  /**
+   * Builder method to add resource policy URI
+   */
+  withResourcePolicyUri(resource_policy_uri) {
+    this.props.resource_policy_uri = resource_policy_uri;
+    return this;
+  }
+  /**
+   * Builder method to add resource terms of service URI
+   */
+  withResourceTosUri(resource_tos_uri) {
+    this.props.resource_tos_uri = resource_tos_uri;
+    return this;
+  }
+  /**
+   * Builder method to enable TLS client certificate bound access tokens
+   */
+  withTlsClientCertificateBoundAccessTokens(tls_client_certificate_bound_access_tokens) {
+    this.props.tls_client_certificate_bound_access_tokens = tls_client_certificate_bound_access_tokens;
+    return this;
+  }
+  /**
+   * Builder method to add supported authorization details types
+   */
+  withAuthorizationDetailsTypesSupported(authorization_details_types_supported) {
+    this.props.authorization_details_types_supported = [...authorization_details_types_supported];
+    return this;
+  }
+  /**
+   * Builder method to add supported DPoP signing algorithms
+   */
+  withDpopSigningAlgValuesSupported(dpop_signing_alg_values_supported) {
+    this.props.dpop_signing_alg_values_supported = [...dpop_signing_alg_values_supported];
+    return this;
+  }
+  /**
+   * Builder method to require DPoP bound access tokens
+   */
+  withDpopBoundAccessTokensRequired(dpop_bound_access_tokens_required) {
+    this.props.dpop_bound_access_tokens_required = dpop_bound_access_tokens_required;
+    return this;
+  }
+};
+var ProtectedResourceMetadata = class {
+  #resource;
+  #authorization_servers;
+  #jwks_uri;
+  #scopes_supported;
+  #bearer_methods_supported;
+  #resource_signing_alg_values_supported;
+  #resource_documentation;
+  #resource_policy_uri;
+  #resource_tos_uri;
+  #resource_name;
+  #tls_client_certificate_bound_access_tokens;
+  #authorization_details_types_supported;
+  #dpop_signing_alg_values_supported;
+  #dpop_bound_access_tokens_required;
+  constructor(builder) {
+    const props = builder.properties;
+    this.#resource = props.resource;
+    this.#authorization_servers = [...props.authorization_servers];
+    this.#jwks_uri = props.jwks_uri;
+    this.#scopes_supported = props.scopes_supported ? [...props.scopes_supported] : void 0;
+    this.#bearer_methods_supported = props.bearer_methods_supported ? [...props.bearer_methods_supported] : void 0;
+    this.#resource_signing_alg_values_supported = props.resource_signing_alg_values_supported ? [...props.resource_signing_alg_values_supported] : void 0;
+    this.#resource_documentation = props.resource_documentation;
+    this.#resource_policy_uri = props.resource_policy_uri;
+    this.#resource_tos_uri = props.resource_tos_uri;
+    this.#resource_name = props.resource_name;
+    this.#tls_client_certificate_bound_access_tokens = props.tls_client_certificate_bound_access_tokens;
+    this.#authorization_details_types_supported = props.authorization_details_types_supported ? [...props.authorization_details_types_supported] : void 0;
+    this.#dpop_signing_alg_values_supported = props.dpop_signing_alg_values_supported ? [...props.dpop_signing_alg_values_supported] : void 0;
+    this.#dpop_bound_access_tokens_required = props.dpop_bound_access_tokens_required;
+  }
+  /**
+   * Convert to JSON representation
+   */
+  toJSON() {
+    return {
+      resource: this.#resource,
+      authorization_servers: [...this.#authorization_servers],
+      ...this.#jwks_uri !== void 0 && { jwks_uri: this.#jwks_uri },
+      ...this.#scopes_supported !== void 0 && {
+        scopes_supported: [...this.#scopes_supported]
+      },
+      ...this.#bearer_methods_supported !== void 0 && {
+        bearer_methods_supported: [...this.#bearer_methods_supported]
+      },
+      ...this.#resource_signing_alg_values_supported !== void 0 && {
+        resource_signing_alg_values_supported: [...this.#resource_signing_alg_values_supported]
+      },
+      ...this.#resource_documentation !== void 0 && {
+        resource_documentation: this.#resource_documentation
+      },
+      ...this.#resource_policy_uri !== void 0 && {
+        resource_policy_uri: this.#resource_policy_uri
+      },
+      ...this.#resource_tos_uri !== void 0 && {
+        resource_tos_uri: this.#resource_tos_uri
+      },
+      ...this.#resource_name !== void 0 && {
+        resource_name: this.#resource_name
+      },
+      ...this.#tls_client_certificate_bound_access_tokens !== void 0 && {
+        tls_client_certificate_bound_access_tokens: this.#tls_client_certificate_bound_access_tokens
+      },
+      ...this.#authorization_details_types_supported !== void 0 && {
+        authorization_details_types_supported: [...this.#authorization_details_types_supported]
+      },
+      ...this.#dpop_signing_alg_values_supported !== void 0 && {
+        dpop_signing_alg_values_supported: [...this.#dpop_signing_alg_values_supported]
+      },
+      ...this.#dpop_bound_access_tokens_required !== void 0 && {
+        dpop_bound_access_tokens_required: this.#dpop_bound_access_tokens_required
+      }
+    };
+  }
+};
+
+// src/token.ts
+var TOKEN_RE = /^Bearer (.+)$/i;
+function getToken(headers, query, body) {
+  const fromHeader = getTokenFromHeader(headers);
+  const fromQuery = getTokenFromQuery(query);
+  const fromBody = getTokenFromBody(headers, body);
+  if (!fromQuery && !fromHeader && !fromBody) {
+    throw new InvalidRequestError("No Bearer token found in request");
+  }
+  if (+!!fromQuery + +!!fromBody + +!!fromHeader > 1) {
+    throw new InvalidRequestError(
+      "More than one method used for authentication"
+    );
+  }
+  return fromQuery || fromBody || fromHeader;
+}
+function getTokenFromHeader(headers) {
+  const authHeader = headers.authorization;
+  if (typeof authHeader !== "string") {
+    return void 0;
+  }
+  const match = authHeader.match(TOKEN_RE);
+  return match?.[1];
+}
+function getTokenFromQuery(query) {
+  const accessToken = query?.access_token;
+  if (typeof accessToken === "string") {
+    return accessToken;
+  }
+}
+function getTokenFromBody(headers, body) {
+  if (!body || typeof body.access_token !== "string") {
+    return void 0;
+  }
+  const contentType = headers["content-type"];
+  if (!contentType) {
+    return void 0;
+  }
+  const isFormEncoded = contentType.toLowerCase().includes("application/x-www-form-urlencoded");
+  if (!isFormEncoded) {
+    return void 0;
+  }
+  return body.access_token;
+}
 export {
   ApiClient,
+  BearerMethod,
+  GrantType,
+  InvalidRequestError,
   MissingRequiredArgumentError,
   MissingTransactionError,
-  VerifyAccessTokenError
+  ProtectedResourceMetadataBuilder,
+  SigningAlgorithm,
+  VerifyAccessTokenError,
+  getToken
 };
 //# sourceMappingURL=index.js.map

dist/index.js.map

@@ -1,1 +0,1 @@
-{"version":3,"sources":["../src/api-client.ts","../src/errors.ts"],"sourcesContent":["import * as oauth from 'oauth4webapi';\nimport { createRemoteJWKSet, jwtVerify, customFetch } from 'jose';\nimport { ApiClientOptions, VerifyAccessTokenOptions } from './types.js';\nimport {\n  MissingRequiredArgumentError,\n  VerifyAccessTokenError,\n} from './errors.js';\n\nexport class ApiClient {\n  #serverMetadata: oauth.AuthorizationServer | undefined;\n  readonly #options: ApiClientOptions;\n  #jwks?: ReturnType<typeof createRemoteJWKSet>;\n\n  constructor(options: ApiClientOptions) {\n    this.#options = options;\n\n    if (!this.#options.audience) {\n      throw new MissingRequiredArgumentError('audience');\n    }\n  }\n\n  /**\n   * Initialized the SDK by performing Metadata Discovery.\n   */\n  async #discover() {\n    if (this.#serverMetadata) {\n      return {\n        serverMetadata: this.#serverMetadata,\n      };\n    }\n\n    const issuer = new URL(`https://${this.#options.domain}`);\n    const response = await oauth.discoveryRequest(issuer, {\n      [oauth.customFetch]: this.#options.customFetch,\n    });\n\n    this.#serverMetadata = await oauth.processDiscoveryResponse(\n      issuer,\n      response\n    );\n\n    return {\n      serverMetadata: this.#serverMetadata,\n    };\n  }\n\n  /**\n   * Verifies the provided access token.\n   * @param options Options used to verify the logout token.\n   * @returns\n   */\n  async verifyAccessToken(options: VerifyAccessTokenOptions) {\n    const { serverMetadata } = await this.#discover();\n\n    this.#jwks ||= createRemoteJWKSet(new URL(serverMetadata!.jwks_uri!), {\n      [customFetch]: this.#options.customFetch,\n    });\n\n    try {\n      const { payload } = await jwtVerify(options.accessToken, this.#jwks, {\n        issuer: this.#serverMetadata!.issuer,\n        audience: this.#options.audience,\n        algorithms: ['RS256'],\n        requiredClaims: ['iat', 'exp', ...(options.requiredClaims || [])],\n      });\n      return payload;\n    } catch (e) {\n      // eslint-disable-next-line @typescript-eslint/no-explicit-any\n      throw new VerifyAccessTokenError((e as any).message);\n    }\n  }\n}\n","/**\n * Error thrown when the transaction is missing.\n */\nexport class MissingTransactionError extends Error {\n  public code: string = 'missing_transaction_error';\n\n  constructor(message?: string) {\n    super(message ?? 'The transaction is missing.');\n    this.name = 'MissingTransactionError';\n  }\n}\n\n/**\n * Error thrown when verifying the access token.\n */\nexport class VerifyAccessTokenError extends Error {\n  public code: string = 'verify_access_token_error';\n\n  constructor(message: string) {\n    super(message);\n    this.name = 'VerifyAccessTokenError';\n  }\n}\n\n/**\n * Error thrown when a required argument is missing.\n */\nexport class MissingRequiredArgumentError extends Error {\n  public code: string = 'missing_required_argument_error';\n\n  constructor(argument: string) {\n    super(`The argument '${argument}' is required but was not provided.`);\n    this.name = 'MissingRequiredArgumentError';\n  }\n}"],"mappings":";AAAA,YAAY,WAAW;AACvB,SAAS,oBAAoB,WAAW,eAAAA,oBAAmB;;;ACEpD,IAAM,0BAAN,cAAsC,MAAM;AAAA,EAC1C,OAAe;AAAA,EAEtB,YAAY,SAAkB;AAC5B,UAAM,WAAW,6BAA6B;AAC9C,SAAK,OAAO;AAAA,EACd;AACF;AAKO,IAAM,yBAAN,cAAqC,MAAM;AAAA,EACzC,OAAe;AAAA,EAEtB,YAAY,SAAiB;AAC3B,UAAM,OAAO;AACb,SAAK,OAAO;AAAA,EACd;AACF;AAKO,IAAM,+BAAN,cAA2C,MAAM;AAAA,EAC/C,OAAe;AAAA,EAEtB,YAAY,UAAkB;AAC5B,UAAM,iBAAiB,QAAQ,qCAAqC;AACpE,SAAK,OAAO;AAAA,EACd;AACF;;;AD1BO,IAAM,YAAN,MAAgB;AAAA,EACrB;AAAA,EACS;AAAA,EACT;AAAA,EAEA,YAAY,SAA2B;AACrC,SAAK,WAAW;AAEhB,QAAI,CAAC,KAAK,SAAS,UAAU;AAC3B,YAAM,IAAI,6BAA6B,UAAU;AAAA,IACnD;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,YAAY;AAChB,QAAI,KAAK,iBAAiB;AACxB,aAAO;AAAA,QACL,gBAAgB,KAAK;AAAA,MACvB;AAAA,IACF;AAEA,UAAM,SAAS,IAAI,IAAI,WAAW,KAAK,SAAS,MAAM,EAAE;AACxD,UAAM,WAAW,MAAY,uBAAiB,QAAQ;AAAA,MACpD,CAAO,iBAAW,GAAG,KAAK,SAAS;AAAA,IACrC,CAAC;AAED,SAAK,kBAAkB,MAAY;AAAA,MACjC;AAAA,MACA;AAAA,IACF;AAEA,WAAO;AAAA,MACL,gBAAgB,KAAK;AAAA,IACvB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,kBAAkB,SAAmC;AACzD,UAAM,EAAE,eAAe,IAAI,MAAM,KAAK,UAAU;AAEhD,SAAK,UAAU,mBAAmB,IAAI,IAAI,eAAgB,QAAS,GAAG;AAAA,MACpE,CAACC,YAAW,GAAG,KAAK,SAAS;AAAA,IAC/B,CAAC;AAED,QAAI;AACF,YAAM,EAAE,QAAQ,IAAI,MAAM,UAAU,QAAQ,aAAa,KAAK,OAAO;AAAA,QACnE,QAAQ,KAAK,gBAAiB;AAAA,QAC9B,UAAU,KAAK,SAAS;AAAA,QACxB,YAAY,CAAC,OAAO;AAAA,QACpB,gBAAgB,CAAC,OAAO,OAAO,GAAI,QAAQ,kBAAkB,CAAC,CAAE;AAAA,MAClE,CAAC;AACD,aAAO;AAAA,IACT,SAAS,GAAG;AAEV,YAAM,IAAI,uBAAwB,EAAU,OAAO;AAAA,IACrD;AAAA,EACF;AACF;","names":["customFetch","customFetch"]}
+{"version":3,"sources":["../src/api-client.ts","../src/errors.ts","../src/protected-resource-metadata.ts","../src/token.ts"],"sourcesContent":["import * as oauth from 'oauth4webapi';\nimport { createRemoteJWKSet, jwtVerify, customFetch } from 'jose';\nimport { AuthClient, TokenForConnectionError } from '@auth0/auth0-auth-js';\nimport { AccessTokenForConnectionOptions, ApiClientOptions, ConnectionTokenSet, VerifyAccessTokenOptions } from './types.js';\nimport {\n  MissingRequiredArgumentError,\n  VerifyAccessTokenError,\n} from './errors.js';\n\nexport class ApiClient {\n  #serverMetadata: oauth.AuthorizationServer | undefined;\n  readonly #options: ApiClientOptions;\n  #jwks?: ReturnType<typeof createRemoteJWKSet>;\n  readonly #authClient: AuthClient | undefined;\n\n  constructor(options: ApiClientOptions) {\n    this.#options = options;\n\n    if (options.clientId) {\n      this.#authClient = new AuthClient({\n        domain: options.domain,\n        clientId: options.clientId,\n        clientSecret: options.clientSecret,\n        clientAssertionSigningKey: options.clientAssertionSigningKey,\n        clientAssertionSigningAlg: options.clientAssertionSigningAlg,\n        customFetch: options.customFetch,\n      });\n    }\n\n    if (!this.#options.audience) {\n      throw new MissingRequiredArgumentError('audience');\n    }\n  }\n\n  /**\n   * Initialized the SDK by performing Metadata Discovery.\n   */\n  async #discover() {\n    if (this.#serverMetadata) {\n      return {\n        serverMetadata: this.#serverMetadata,\n      };\n    }\n\n    const issuer = new URL(`https://${this.#options.domain}`);\n    const response = await oauth.discoveryRequest(issuer, {\n      [oauth.customFetch]: this.#options.customFetch,\n    });\n\n    this.#serverMetadata = await oauth.processDiscoveryResponse(\n      issuer,\n      response\n    );\n\n    return {\n      serverMetadata: this.#serverMetadata,\n    };\n  }\n\n  /**\n   * Verifies the provided access token.\n   * @param options Options used to verify the logout token.\n   * @returns\n   */\n  async verifyAccessToken(options: VerifyAccessTokenOptions) {\n    const { serverMetadata } = await this.#discover();\n\n    this.#jwks ||= createRemoteJWKSet(new URL(serverMetadata!.jwks_uri!), {\n      [customFetch]: this.#options.customFetch,\n    });\n\n    try {\n      const { payload } = await jwtVerify(options.accessToken, this.#jwks, {\n        issuer: this.#serverMetadata!.issuer,\n        audience: this.#options.audience,\n        algorithms: ['RS256'],\n        requiredClaims: ['iat', 'exp', ...(options.requiredClaims || [])],\n      });\n      return payload;\n    } catch (e) {\n      // eslint-disable-next-line @typescript-eslint/no-explicit-any\n      throw new VerifyAccessTokenError((e as any).message);\n    }\n  }\n\n  /**\n   * Retrieves an access token for a connection.\n   *\n   * @param options - Options for retrieving an access token for a connection.\n   *\n   * @throws {TokenForConnectionError} If there was an issue requesting the access token.\n   *\n   * @returns The Connection Token Set, containing the access token for the connection, as well as additional information.\n   */\n  public async getAccessTokenForConnection(options: AccessTokenForConnectionOptions): Promise<ConnectionTokenSet> {\n    if (!this.#authClient) {\n      throw new TokenForConnectionError(\n        'Client credentials are required to use getAccessTokenForConnection'\n      );\n    }\n\n    const tokenEndpointResponse = await this.#authClient.getTokenForConnection({\n      connection: options.connection,\n      loginHint: options.loginHint,\n      accessToken: options.accessToken,\n    });\n\n    return {\n      accessToken: tokenEndpointResponse.accessToken,\n      scope: tokenEndpointResponse.scope,\n      expiresAt: tokenEndpointResponse.expiresAt,\n      connection: options.connection,\n      loginHint: options.loginHint,\n    };\n  }\n}\n","/**\n * Error thrown when the transaction is missing.\n */\nexport class MissingTransactionError extends Error {\n  public code: string = 'missing_transaction_error';\n\n  constructor(message?: string) {\n    super(message ?? 'The transaction is missing.');\n    this.name = 'MissingTransactionError';\n  }\n}\n\n/**\n * Error thrown when verifying the access token.\n */\nexport class VerifyAccessTokenError extends Error {\n  public code: string = 'verify_access_token_error';\n\n  constructor(message: string) {\n    super(message);\n    this.name = 'VerifyAccessTokenError';\n  }\n}\n\n/**\n * Error thrown when request is missing a valid token or\n * multiple auth methods used\n */\nexport class InvalidRequestError extends Error {\n  public code: string = 'invalid_request';\n\n  constructor(message: string) {\n    super(message);\n    this.name = 'InvalidRequestError';\n  }\n}\n\n/**\n * Error thrown when a required argument is missing.\n */\nexport class MissingRequiredArgumentError extends Error {\n  public code: string = 'missing_required_argument_error';\n\n  constructor(argument: string) {\n    super(`The argument '${argument}' is required but was not provided.`);\n    this.name = 'MissingRequiredArgumentError';\n  }\n}\n","/**\n * RFC 9728 - OAuth 2.0 Protected Resource Metadata\n * https://datatracker.ietf.org/doc/html/rfc9728\n */\n\nimport { MissingRequiredArgumentError } from \"./errors.js\";\n\n/**\n * Supported methods of sending an OAuth 2.0 bearer token\n */\nexport enum BearerMethod {\n  HEADER = \"header\",\n  BODY = \"body\",\n  QUERY = \"query\",\n}\n\n/**\n * Supported signing algorithms\n */\nexport enum SigningAlgorithm {\n  RS256 = \"RS256\",\n  RS384 = \"RS384\",\n  RS512 = \"RS512\",\n  ES256 = \"ES256\",\n  ES384 = \"ES384\",\n  ES512 = \"ES512\",\n  PS256 = \"PS256\",\n  PS384 = \"PS384\",\n  PS512 = \"PS512\",\n  HS256 = \"HS256\",\n  HS384 = \"HS384\",\n  HS512 = \"HS512\",\n}\n\n/**\n * Grant types supported\n */\nexport enum GrantType {\n  AUTHORIZATION_CODE = \"authorization_code\",\n  IMPLICIT = \"implicit\",\n  PASSWORD = \"password\",\n  CLIENT_CREDENTIALS = \"client_credentials\",\n  REFRESH_TOKEN = \"refresh_token\",\n  JWT_BEARER = \"urn:ietf:params:oauth:grant-type:jwt-bearer\",\n  SAML2_BEARER = \"urn:ietf:params:oauth:grant-type:saml2-bearer\",\n  DEVICE_CODE = \"urn:ietf:params:oauth:grant-type:device_code\",\n}\n\n/**\n * Interface for Protected Resource Metadata\n */\nexport interface IProtectedResourceMetadata {\n  resource: string;\n  authorization_servers: string[];\n  jwks_uri?: string;\n  scopes_supported?: string[];\n  bearer_methods_supported?: BearerMethod[];\n  resource_signing_alg_values_supported?: SigningAlgorithm[];\n  resource_name?: string;\n  resource_documentation?: string;\n  resource_policy_uri?: string;\n  resource_tos_uri?: string;\n  tls_client_certificate_bound_access_tokens?: boolean;\n  authorization_details_types_supported?: string[];\n  dpop_signing_alg_values_supported?: string[];\n  dpop_bound_access_tokens_required?: boolean;\n}\n\n/**\n * Builder for creating a ProtectedResourceMetadata instance\n *\n * @example\n * ```typescript\n * const metadata = new ProtectedResourceMetadataBuilder('https://api.example.com', ['https://auth.example.com'])\n *   .withJwksUri('https://api.example.com/.well-known/jwks.json')\n *   .withScopesSupported(['read', 'write'])\n *   .build();\n * // serialize to json\n * const json = metadata.toJSON();\n * ```\n */\nexport class ProtectedResourceMetadataBuilder {\n  private readonly props: Partial<IProtectedResourceMetadata> &\n    Pick<IProtectedResourceMetadata, \"resource\" | \"authorization_servers\">;\n\n  /**\n   * Constructor for the builder\n   * @param resource - The protected resource identifier (REQUIRED)\n   * @param authorization_servers - Array of authorization server URLs (REQUIRED)\n   */\n  constructor(resource: string, authorization_servers: string[]) {\n    if (!resource?.trim()) {\n      throw new MissingRequiredArgumentError(\"resource\");\n    }\n    if (\n      !Array.isArray(authorization_servers) ||\n      authorization_servers.length === 0\n    ) {\n      throw new MissingRequiredArgumentError(\"authorization_servers\");\n    }\n    this.props = { resource, authorization_servers };\n  }\n\n  get properties(): IProtectedResourceMetadata {\n    return this.props;\n  }\n\n  /**\n   * Builds the ProtectedResourceMetadata\n   */\n  public build() {\n    return new ProtectedResourceMetadata(this);\n  }\n\n  /**\n   * Builder method to add JWKS URI\n   */\n  withJwksUri(jwks_uri: string): this {\n    this.props.jwks_uri = jwks_uri;\n    return this;\n  }\n\n  /**\n   * Builder method to add supported scopes\n   */\n  withScopesSupported(scopes_supported: string[]): this {\n    this.props.scopes_supported = [...scopes_supported];\n    return this;\n  }\n\n  /**\n   * Builder method to add supported bearer methods\n   */\n  withBearerMethodsSupported(\n    bearer_methods_supported: BearerMethod[]\n  ): this {\n    this.props.bearer_methods_supported = [...bearer_methods_supported];\n    return this;\n  }\n\n  /**\n   * Builder method to add supported resource signing algorithms\n   */\n  withResourceSigningAlgValuesSupported(\n    resource_signing_alg_values_supported: SigningAlgorithm[]\n  ): this {\n    this.props.resource_signing_alg_values_supported = [...resource_signing_alg_values_supported];\n    return this;\n  }\n\n  /**\n   * Builder method to add resource_name\n   */\n  withResourceName(resource_name: string): this {\n    this.props.resource_name = resource_name;\n    return this;\n  }\n\n  /**\n   * Builder method to add resource documentation URL\n   */\n  withResourceDocumentation(resource_documentation: string): this {\n    this.props.resource_documentation = resource_documentation;\n    return this;\n  }\n\n  /**\n   * Builder method to add resource policy URI\n   */\n  withResourcePolicyUri(resource_policy_uri: string): this {\n    this.props.resource_policy_uri = resource_policy_uri;\n    return this;\n  }\n\n  /**\n   * Builder method to add resource terms of service URI\n   */\n  withResourceTosUri(resource_tos_uri: string): this {\n    this.props.resource_tos_uri = resource_tos_uri;\n    return this;\n  }\n\n  /**\n   * Builder method to enable TLS client certificate bound access tokens\n   */\n  withTlsClientCertificateBoundAccessTokens(tls_client_certificate_bound_access_tokens: boolean): this {\n    this.props.tls_client_certificate_bound_access_tokens = tls_client_certificate_bound_access_tokens;\n    return this;\n  }\n\n  /**\n   * Builder method to add supported authorization details types\n   */\n  withAuthorizationDetailsTypesSupported(authorization_details_types_supported: string[]): this {\n    this.props.authorization_details_types_supported = [...authorization_details_types_supported];\n    return this;\n  }\n\n  /**\n   * Builder method to add supported DPoP signing algorithms\n   */\n  withDpopSigningAlgValuesSupported(dpop_signing_alg_values_supported: string[]): this {\n    this.props.dpop_signing_alg_values_supported = [...dpop_signing_alg_values_supported];\n    return this;\n  }\n\n  /**\n   * Builder method to require DPoP bound access tokens\n   */\n  withDpopBoundAccessTokensRequired(dpop_bound_access_tokens_required: boolean): this {\n    this.props.dpop_bound_access_tokens_required = dpop_bound_access_tokens_required;\n    return this;\n  }\n\n\n}\n\nclass ProtectedResourceMetadata {\n  readonly #resource: string;\n  readonly #authorization_servers: string[];\n  readonly #jwks_uri?: string;\n  readonly #scopes_supported?: string[];\n  readonly #bearer_methods_supported?: BearerMethod[];\n  readonly #resource_signing_alg_values_supported?: SigningAlgorithm[];\n  readonly #resource_documentation?: string;\n  readonly #resource_policy_uri?: string;\n  readonly #resource_tos_uri?: string;\n  readonly #resource_name?: string;\n  readonly #tls_client_certificate_bound_access_tokens?: boolean;\n  readonly #authorization_details_types_supported?: string[];\n  readonly #dpop_signing_alg_values_supported?: string[];\n  readonly #dpop_bound_access_tokens_required?: boolean;\n\n  constructor(builder: ProtectedResourceMetadataBuilder) {\n    const props = builder.properties;\n    this.#resource = props.resource;\n    this.#authorization_servers = [...props.authorization_servers];\n    this.#jwks_uri = props.jwks_uri;\n    this.#scopes_supported = props.scopes_supported\n      ? [...props.scopes_supported]\n      : undefined;\n    this.#bearer_methods_supported = props.bearer_methods_supported\n      ? [...props.bearer_methods_supported]\n      : undefined;\n    this.#resource_signing_alg_values_supported = props.resource_signing_alg_values_supported\n      ? [...props.resource_signing_alg_values_supported]\n      : undefined;\n    this.#resource_documentation = props.resource_documentation;\n    this.#resource_policy_uri = props.resource_policy_uri;\n    this.#resource_tos_uri = props.resource_tos_uri;\n    this.#resource_name = props.resource_name;\n    this.#tls_client_certificate_bound_access_tokens = props.tls_client_certificate_bound_access_tokens;\n    this.#authorization_details_types_supported = props.authorization_details_types_supported\n      ? [...props.authorization_details_types_supported]\n      : undefined;\n    this.#dpop_signing_alg_values_supported = props.dpop_signing_alg_values_supported\n      ? [...props.dpop_signing_alg_values_supported]\n      : undefined;\n    this.#dpop_bound_access_tokens_required = props.dpop_bound_access_tokens_required;\n  }\n\n  /**\n   * Convert to JSON representation\n   */\n  public toJSON(): IProtectedResourceMetadata {\n    return {\n      resource: this.#resource,\n      authorization_servers: [...this.#authorization_servers],\n\n      ...(this.#jwks_uri !== undefined && { jwks_uri: this.#jwks_uri }),\n      ...(this.#scopes_supported !== undefined && {\n        scopes_supported: [...this.#scopes_supported],\n      }),\n      ...(this.#bearer_methods_supported !== undefined && {\n        bearer_methods_supported: [...this.#bearer_methods_supported],\n      }),\n      ...(this.#resource_signing_alg_values_supported !== undefined && {\n        resource_signing_alg_values_supported: [...this.#resource_signing_alg_values_supported],\n      }),\n      ...(this.#resource_documentation !== undefined && {\n        resource_documentation: this.#resource_documentation,\n      }),\n      ...(this.#resource_policy_uri !== undefined && {\n        resource_policy_uri: this.#resource_policy_uri,\n      }),\n      ...(this.#resource_tos_uri !== undefined && {\n        resource_tos_uri: this.#resource_tos_uri,\n      }),\n      ...(this.#resource_name !== undefined && {\n        resource_name: this.#resource_name,\n      }),\n      ...(this.#tls_client_certificate_bound_access_tokens !== undefined && {\n        tls_client_certificate_bound_access_tokens: this.#tls_client_certificate_bound_access_tokens,\n      }),\n      ...(this.#authorization_details_types_supported !== undefined && {\n        authorization_details_types_supported: [...this.#authorization_details_types_supported],\n      }),\n      ...(this.#dpop_signing_alg_values_supported !== undefined && {\n        dpop_signing_alg_values_supported: [...this.#dpop_signing_alg_values_supported],\n      }),\n      ...(this.#dpop_bound_access_tokens_required !== undefined && {\n        dpop_bound_access_tokens_required: this.#dpop_bound_access_tokens_required,\n      }),\n    };\n  }\n}\n","import { InvalidRequestError } from './errors.js';\n/**\n * Header-like object that can represent headers from different HTTP frameworks\n */\ntype HeadersLike = Record<string, unknown> & {\n  authorization?: string;\n  'content-type'?: string;\n};\n\n/**\n * Query-like object for URL query parameters\n */\ntype QueryLike = Record<string, unknown> & { access_token?: string };\n\n/**\n * Body-like object for form-encoded request body\n */\ntype BodyLike = QueryLike;\n\n/**\n * Regular expression to match Bearer token in Authorization header\n */\nconst TOKEN_RE = /^Bearer (.+)$/i;\n\n/**\n * Extracts a Bearer token from HTTP request according to RFC 6750.\n * Supports all three methods defined in the RFC:\n * - Authorization header (Section 2.1)\n * - Form-encoded body parameter (Section 2.2)\n * - URI query parameter (Section 2.3)\n *\n * @param headers - HTTP headers object\n * @param query - Query parameters object (optional)\n * @param body - Request body object (optional)\n * @returns The extracted token string\n * @throws {InvalidRequestError} When no token is found or multiple methods are used\n *\n * @example\n * ```typescript\n * // Authorization header method (recommended)\n * const token1 = getToken({ authorization: 'Bearer mF_9.B5f-4.1JqM' });\n *\n * // Query parameter method\n * const token2 = getToken({}, { access_token: 'mF_9.B5f-4.1JqM' });\n *\n * // Form body method\n * const token3 = getToken(\n *   { 'content-type': 'application/x-www-form-urlencoded' },\n *   {},\n *   { access_token: 'mF_9.B5f-4.1JqM' }\n * );\n *\n * // Express.js usage\n * const token4 = getToken(req.headers, req.query, req.body);\n * ```\n *\n * @see https://datatracker.ietf.org/doc/html/rfc6750#section-2 - RFC 6750 Section 2\n */\nexport function getToken(\n  headers: HeadersLike,\n  query?: QueryLike,\n  body?: BodyLike\n): string {\n  const fromHeader = getTokenFromHeader(headers);\n  const fromQuery = getTokenFromQuery(query);\n  const fromBody = getTokenFromBody(headers, body);\n\n  if (!fromQuery && !fromHeader && !fromBody) {\n    throw new InvalidRequestError('No Bearer token found in request');\n  }\n\n  // If multiple methods are used, throw an error\n  if (+!!fromQuery + +!!fromBody + +!!fromHeader > 1) {\n    throw new InvalidRequestError(\n      'More than one method used for authentication'\n    );\n  }\n\n  return (fromQuery || fromBody || fromHeader) as string;\n}\n\n/**\n * Extract token from Authorization header\n */\nfunction getTokenFromHeader(headers: HeadersLike) {\n  const authHeader = headers.authorization;\n  if (typeof authHeader !== 'string') {\n    return undefined;\n  }\n\n  const match = authHeader.match(TOKEN_RE);\n  return match?.[1];\n}\n\n/**\n * Extract token from query parameters\n */\nfunction getTokenFromQuery(query?: QueryLike): string | undefined {\n  const accessToken = query?.access_token;\n  if (typeof accessToken === 'string') {\n    return accessToken;\n  }\n}\n\n/**\n * Extract token from form-encoded body\n */\nfunction getTokenFromBody(\n  headers: HeadersLike,\n  body?: BodyLike\n): string | undefined {\n  if (!body || typeof body.access_token !== 'string') {\n    return undefined;\n  }\n\n  const contentType = headers['content-type'];\n  if (!contentType) {\n    return undefined;\n  }\n\n  // Handle content-type with charset, e.g., \"application/x-www-form-urlencoded; charset=utf-8\"\n  const isFormEncoded = contentType\n    .toLowerCase()\n    .includes('application/x-www-form-urlencoded');\n  if (!isFormEncoded) {\n    return undefined;\n  }\n\n  return body.access_token;\n}\n"],"mappings":";AAAA,YAAY,WAAW;AACvB,SAAS,oBAAoB,WAAW,eAAAA,oBAAmB;AAC3D,SAAS,YAAY,+BAA+B;;;ACC7C,IAAM,0BAAN,cAAsC,MAAM;AAAA,EAC1C,OAAe;AAAA,EAEtB,YAAY,SAAkB;AAC5B,UAAM,WAAW,6BAA6B;AAC9C,SAAK,OAAO;AAAA,EACd;AACF;AAKO,IAAM,yBAAN,cAAqC,MAAM;AAAA,EACzC,OAAe;AAAA,EAEtB,YAAY,SAAiB;AAC3B,UAAM,OAAO;AACb,SAAK,OAAO;AAAA,EACd;AACF;AAMO,IAAM,sBAAN,cAAkC,MAAM;AAAA,EACtC,OAAe;AAAA,EAEtB,YAAY,SAAiB;AAC3B,UAAM,OAAO;AACb,SAAK,OAAO;AAAA,EACd;AACF;AAKO,IAAM,+BAAN,cAA2C,MAAM;AAAA,EAC/C,OAAe;AAAA,EAEtB,YAAY,UAAkB;AAC5B,UAAM,iBAAiB,QAAQ,qCAAqC;AACpE,SAAK,OAAO;AAAA,EACd;AACF;;;ADtCO,IAAM,YAAN,MAAgB;AAAA,EACrB;AAAA,EACS;AAAA,EACT;AAAA,EACS;AAAA,EAET,YAAY,SAA2B;AACrC,SAAK,WAAW;AAEhB,QAAI,QAAQ,UAAU;AACpB,WAAK,cAAc,IAAI,WAAW;AAAA,QAChC,QAAQ,QAAQ;AAAA,QAChB,UAAU,QAAQ;AAAA,QAClB,cAAc,QAAQ;AAAA,QACtB,2BAA2B,QAAQ;AAAA,QACnC,2BAA2B,QAAQ;AAAA,QACnC,aAAa,QAAQ;AAAA,MACvB,CAAC;AAAA,IACH;AAEA,QAAI,CAAC,KAAK,SAAS,UAAU;AAC3B,YAAM,IAAI,6BAA6B,UAAU;AAAA,IACnD;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,YAAY;AAChB,QAAI,KAAK,iBAAiB;AACxB,aAAO;AAAA,QACL,gBAAgB,KAAK;AAAA,MACvB;AAAA,IACF;AAEA,UAAM,SAAS,IAAI,IAAI,WAAW,KAAK,SAAS,MAAM,EAAE;AACxD,UAAM,WAAW,MAAY,uBAAiB,QAAQ;AAAA,MACpD,CAAO,iBAAW,GAAG,KAAK,SAAS;AAAA,IACrC,CAAC;AAED,SAAK,kBAAkB,MAAY;AAAA,MACjC;AAAA,MACA;AAAA,IACF;AAEA,WAAO;AAAA,MACL,gBAAgB,KAAK;AAAA,IACvB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,kBAAkB,SAAmC;AACzD,UAAM,EAAE,eAAe,IAAI,MAAM,KAAK,UAAU;AAEhD,SAAK,UAAU,mBAAmB,IAAI,IAAI,eAAgB,QAAS,GAAG;AAAA,MACpE,CAACC,YAAW,GAAG,KAAK,SAAS;AAAA,IAC/B,CAAC;AAED,QAAI;AACF,YAAM,EAAE,QAAQ,IAAI,MAAM,UAAU,QAAQ,aAAa,KAAK,OAAO;AAAA,QACnE,QAAQ,KAAK,gBAAiB;AAAA,QAC9B,UAAU,KAAK,SAAS;AAAA,QACxB,YAAY,CAAC,OAAO;AAAA,QACpB,gBAAgB,CAAC,OAAO,OAAO,GAAI,QAAQ,kBAAkB,CAAC,CAAE;AAAA,MAClE,CAAC;AACD,aAAO;AAAA,IACT,SAAS,GAAG;AAEV,YAAM,IAAI,uBAAwB,EAAU,OAAO;AAAA,IACrD;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAa,4BAA4B,SAAuE;AAC9G,QAAI,CAAC,KAAK,aAAa;AACrB,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAEA,UAAM,wBAAwB,MAAM,KAAK,YAAY,sBAAsB;AAAA,MACzE,YAAY,QAAQ;AAAA,MACpB,WAAW,QAAQ;AAAA,MACnB,aAAa,QAAQ;AAAA,IACvB,CAAC;AAED,WAAO;AAAA,MACL,aAAa,sBAAsB;AAAA,MACnC,OAAO,sBAAsB;AAAA,MAC7B,WAAW,sBAAsB;AAAA,MACjC,YAAY,QAAQ;AAAA,MACpB,WAAW,QAAQ;AAAA,IACrB;AAAA,EACF;AACF;;;AEzGO,IAAK,eAAL,kBAAKC,kBAAL;AACL,EAAAA,cAAA,YAAS;AACT,EAAAA,cAAA,UAAO;AACP,EAAAA,cAAA,WAAQ;AAHE,SAAAA;AAAA,GAAA;AASL,IAAK,mBAAL,kBAAKC,sBAAL;AACL,EAAAA,kBAAA,WAAQ;AACR,EAAAA,kBAAA,WAAQ;AACR,EAAAA,kBAAA,WAAQ;AACR,EAAAA,kBAAA,WAAQ;AACR,EAAAA,kBAAA,WAAQ;AACR,EAAAA,kBAAA,WAAQ;AACR,EAAAA,kBAAA,WAAQ;AACR,EAAAA,kBAAA,WAAQ;AACR,EAAAA,kBAAA,WAAQ;AACR,EAAAA,kBAAA,WAAQ;AACR,EAAAA,kBAAA,WAAQ;AACR,EAAAA,kBAAA,WAAQ;AAZE,SAAAA;AAAA,GAAA;AAkBL,IAAK,YAAL,kBAAKC,eAAL;AACL,EAAAA,WAAA,wBAAqB;AACrB,EAAAA,WAAA,cAAW;AACX,EAAAA,WAAA,cAAW;AACX,EAAAA,WAAA,wBAAqB;AACrB,EAAAA,WAAA,mBAAgB;AAChB,EAAAA,WAAA,gBAAa;AACb,EAAAA,WAAA,kBAAe;AACf,EAAAA,WAAA,iBAAc;AARJ,SAAAA;AAAA,GAAA;AA4CL,IAAM,mCAAN,MAAuC;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQjB,YAAY,UAAkB,uBAAiC;AAC7D,QAAI,CAAC,UAAU,KAAK,GAAG;AACrB,YAAM,IAAI,6BAA6B,UAAU;AAAA,IACnD;AACA,QACE,CAAC,MAAM,QAAQ,qBAAqB,KACpC,sBAAsB,WAAW,GACjC;AACA,YAAM,IAAI,6BAA6B,uBAAuB;AAAA,IAChE;AACA,SAAK,QAAQ,EAAE,UAAU,sBAAsB;AAAA,EACjD;AAAA,EAEA,IAAI,aAAyC;AAC3C,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKO,QAAQ;AACb,WAAO,IAAI,0BAA0B,IAAI;AAAA,EAC3C;AAAA;AAAA;AAAA;AAAA,EAKA,YAAY,UAAwB;AAClC,SAAK,MAAM,WAAW;AACtB,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,oBAAoB,kBAAkC;AACpD,SAAK,MAAM,mBAAmB,CAAC,GAAG,gBAAgB;AAClD,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,2BACE,0BACM;AACN,SAAK,MAAM,2BAA2B,CAAC,GAAG,wBAAwB;AAClE,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,sCACE,uCACM;AACN,SAAK,MAAM,wCAAwC,CAAC,GAAG,qCAAqC;AAC5F,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,iBAAiB,eAA6B;AAC5C,SAAK,MAAM,gBAAgB;AAC3B,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,0BAA0B,wBAAsC;AAC9D,SAAK,MAAM,yBAAyB;AACpC,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,sBAAsB,qBAAmC;AACvD,SAAK,MAAM,sBAAsB;AACjC,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,mBAAmB,kBAAgC;AACjD,SAAK,MAAM,mBAAmB;AAC9B,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,0CAA0C,4CAA2D;AACnG,SAAK,MAAM,6CAA6C;AACxD,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,uCAAuC,uCAAuD;AAC5F,SAAK,MAAM,wCAAwC,CAAC,GAAG,qCAAqC;AAC5F,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,kCAAkC,mCAAmD;AACnF,SAAK,MAAM,oCAAoC,CAAC,GAAG,iCAAiC;AACpF,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,kCAAkC,mCAAkD;AAClF,SAAK,MAAM,oCAAoC;AAC/C,WAAO;AAAA,EACT;AAGF;AAEA,IAAM,4BAAN,MAAgC;AAAA,EACrB;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAET,YAAY,SAA2C;AACrD,UAAM,QAAQ,QAAQ;AACtB,SAAK,YAAY,MAAM;AACvB,SAAK,yBAAyB,CAAC,GAAG,MAAM,qBAAqB;AAC7D,SAAK,YAAY,MAAM;AACvB,SAAK,oBAAoB,MAAM,mBAC3B,CAAC,GAAG,MAAM,gBAAgB,IAC1B;AACJ,SAAK,4BAA4B,MAAM,2BACnC,CAAC,GAAG,MAAM,wBAAwB,IAClC;AACJ,SAAK,yCAAyC,MAAM,wCAChD,CAAC,GAAG,MAAM,qCAAqC,IAC/C;AACJ,SAAK,0BAA0B,MAAM;AACrC,SAAK,uBAAuB,MAAM;AAClC,SAAK,oBAAoB,MAAM;AAC/B,SAAK,iBAAiB,MAAM;AAC5B,SAAK,8CAA8C,MAAM;AACzD,SAAK,yCAAyC,MAAM,wCAChD,CAAC,GAAG,MAAM,qCAAqC,IAC/C;AACJ,SAAK,qCAAqC,MAAM,oCAC5C,CAAC,GAAG,MAAM,iCAAiC,IAC3C;AACJ,SAAK,qCAAqC,MAAM;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA,EAKO,SAAqC;AAC1C,WAAO;AAAA,MACL,UAAU,KAAK;AAAA,MACf,uBAAuB,CAAC,GAAG,KAAK,sBAAsB;AAAA,MAEtD,GAAI,KAAK,cAAc,UAAa,EAAE,UAAU,KAAK,UAAU;AAAA,MAC/D,GAAI,KAAK,sBAAsB,UAAa;AAAA,QAC1C,kBAAkB,CAAC,GAAG,KAAK,iBAAiB;AAAA,MAC9C;AAAA,MACA,GAAI,KAAK,8BAA8B,UAAa;AAAA,QAClD,0BAA0B,CAAC,GAAG,KAAK,yBAAyB;AAAA,MAC9D;AAAA,MACA,GAAI,KAAK,2CAA2C,UAAa;AAAA,QAC/D,uCAAuC,CAAC,GAAG,KAAK,sCAAsC;AAAA,MACxF;AAAA,MACA,GAAI,KAAK,4BAA4B,UAAa;AAAA,QAChD,wBAAwB,KAAK;AAAA,MAC/B;AAAA,MACA,GAAI,KAAK,yBAAyB,UAAa;AAAA,QAC7C,qBAAqB,KAAK;AAAA,MAC5B;AAAA,MACA,GAAI,KAAK,sBAAsB,UAAa;AAAA,QAC1C,kBAAkB,KAAK;AAAA,MACzB;AAAA,MACA,GAAI,KAAK,mBAAmB,UAAa;AAAA,QACvC,eAAe,KAAK;AAAA,MACtB;AAAA,MACA,GAAI,KAAK,gDAAgD,UAAa;AAAA,QACpE,4CAA4C,KAAK;AAAA,MACnD;AAAA,MACA,GAAI,KAAK,2CAA2C,UAAa;AAAA,QAC/D,uCAAuC,CAAC,GAAG,KAAK,sCAAsC;AAAA,MACxF;AAAA,MACA,GAAI,KAAK,uCAAuC,UAAa;AAAA,QAC3D,mCAAmC,CAAC,GAAG,KAAK,kCAAkC;AAAA,MAChF;AAAA,MACA,GAAI,KAAK,uCAAuC,UAAa;AAAA,QAC3D,mCAAmC,KAAK;AAAA,MAC1C;AAAA,IACF;AAAA,EACF;AACF;;;AC3RA,IAAM,WAAW;AAoCV,SAAS,SACd,SACA,OACA,MACQ;AACR,QAAM,aAAa,mBAAmB,OAAO;AAC7C,QAAM,YAAY,kBAAkB,KAAK;AACzC,QAAM,WAAW,iBAAiB,SAAS,IAAI;AAE/C,MAAI,CAAC,aAAa,CAAC,cAAc,CAAC,UAAU;AAC1C,UAAM,IAAI,oBAAoB,kCAAkC;AAAA,EAClE;AAGA,MAAI,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,aAAa,GAAG;AAClD,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAEA,SAAQ,aAAa,YAAY;AACnC;AAKA,SAAS,mBAAmB,SAAsB;AAChD,QAAM,aAAa,QAAQ;AAC3B,MAAI,OAAO,eAAe,UAAU;AAClC,WAAO;AAAA,EACT;AAEA,QAAM,QAAQ,WAAW,MAAM,QAAQ;AACvC,SAAO,QAAQ,CAAC;AAClB;AAKA,SAAS,kBAAkB,OAAuC;AAChE,QAAM,cAAc,OAAO;AAC3B,MAAI,OAAO,gBAAgB,UAAU;AACnC,WAAO;AAAA,EACT;AACF;AAKA,SAAS,iBACP,SACA,MACoB;AACpB,MAAI,CAAC,QAAQ,OAAO,KAAK,iBAAiB,UAAU;AAClD,WAAO;AAAA,EACT;AAEA,QAAM,cAAc,QAAQ,cAAc;AAC1C,MAAI,CAAC,aAAa;AAChB,WAAO;AAAA,EACT;AAGA,QAAM,gBAAgB,YACnB,YAAY,EACZ,SAAS,mCAAmC;AAC/C,MAAI,CAAC,eAAe;AAClB,WAAO;AAAA,EACT;AAEA,SAAO,KAAK;AACd;","names":["customFetch","customFetch","BearerMethod","SigningAlgorithm","GrantType"]}

package.json

 {
     "name": "@auth0/auth0-api-js",
-    "version": "1.0.2",
+    "version": "1.1.0",
     "description": "Auth0 Authentication SDK for API's on JavaScript runtimes",
@@ -27,2 +27,3 @@ "author": "Auth0",
     "dependencies": {
+        "@auth0/auth0-auth-js": "^1.1.0",
         "jose": "^6.0.8",
@@ -32,2 +33,3 @@ "oauth4webapi": "^3.3.0"
     "devDependencies": {
+        "@auth0/typescript-config": "*",
         "@eslint/js": "^9.20.0",
@@ -34,0 +36,0 @@ "@vitest/coverage-v8": "^3.0.6",

README.md

@@ -29,7 +29,6 @@ The `@auth0/auth0-api-js` library allows for securing API's running on a JavaScript runtime.
 
-
 ```ts
 import { ApiClient } from '@auth0/auth0-api-js';
 
-const apiClient = new apiClient({
+const apiClient = new ApiClient({
   domain: '<AUTH0_DOMAIN>',
@@ -48,3 +47,3 @@ audience: '<AUTH0_AUDIENCE>',
 ```ts
-const apiClient = new apiClient({
+const apiClient = new ApiClient({
   domain: '<AUTH0_DOMAIN>',
@@ -55,11 +54,11 @@ audience: '<AUTH0_AUDIENCE>',
 const accessToken = '...';
-const decodedAndVerfiedToken = await apiClient.verifyAccessToken({
-  accessToken
+const decodedAndVerifiedToken = await apiClient.verifyAccessToken({
+  accessToken,
 });
 ```
 
-the SDK automatically validates claims like `iss`, `aud`, `exp`, and `nbf`, you can also pass additional claims to be required by configuring `requiredClaims`:
+The SDK automatically validates claims like `iss`, `aud`, `exp`, and `nbf`. You can also pass additional claims to be required by configuring `requiredClaims`:
 
 ```ts
-const apiClient = new apiClient({
+const apiClient = new ApiClient({
   domain: '<AUTH0_DOMAIN>',
@@ -70,8 +69,37 @@ audience: '<AUTH0_AUDIENCE>',
 const accessToken = '...';
-const decodedAndVerfiedToken = await apiClient.verifyAccessToken({
+const decodedAndVerifiedToken = await apiClient.verifyAccessToken({
   accessToken,
-  requiredClaims: ['my_custom_claim']
+  requiredClaims: ['my_custom_claim'],
 });
 ```
 
+### 4. Protected Resource Metadata (RFC 9728)
+
+The SDK supports OAuth 2.0 Protected Resource Metadata as defined in [RFC 9728](https://datatracker.ietf.org/doc/html/rfc9728):
+
+```ts
+import {
+  ProtectedResourceMetadataBuilder,
+  BearerMethod,
+  SigningAlgorithm,
+} from '@auth0/auth0-api-js';
+
+const resourceServerUrl = 'https://api.example.com';
+const authServers = ['https://your-tenant.us.auth0.com'];
+
+const metadata = new ProtectedResourceMetadataBuilder(resourceServerUrl, authServers)
+  .withBearerMethodsSupported([BearerMethod.HEADER])
+  .withResourceSigningAlgValuesSupported(
+    SigningAlgorithm.RS256,
+    SigningAlgorithm.ES256,
+  )
+  .withScopesSupported(['read', 'write', 'admin'])
+  .build();
+
+// Serve metadata from the standard RFC 9728 endpoint
+app.get('/.well-known/oauth-protected-resource', (req, res) => {
+  res.json(metadata.toJSON());
+});
+```
+
 ## Feedback
@@ -78,0 +106,0 @@

New alerts

Major refactor

Supply chain risk

Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

111275

322.23%

Lines of code

1179

336.67%

Number of lines in readme file

134

26.42%

Worsened metrics

Dependency count

3

50%

Dev dependency count

9

12.5%

Number of medium supply chain risk alerts

3

50%

Dependency changes

• + Added

  @auth0/auth0-auth-js@^1.1.0

• + Added

  @auth0/auth0-auth-js@1.7.0
  (transitive)

• + Added

  openid-client@6.8.4
  (transitive)