@commercelayer/js-auth

interface TBaseOptions { /** * The application's client_id. */ clientId: string; /** * [The access token scope](https://docs.commercelayer.io/core/authentication#authorization-scopes) (market, store, and/or stock location). * * The access token scope is a string that can be composed in two ways: * * by **ID** — `{{resource_name}}:id:{{resource_id}}`\ * Where `{{resource_name}}` can be one of market, store, or stock_location, and `{{resource_id}}` is the id of the resource (e.g. `market:id:xYZkjABcde`, `store:id:bGvCXzYgNB`, `stock_location:id:WLgbSXqyoZ`).\ * * * by **code** — `{{resource_name}}:code:{{resource_code}}` * Where `{{resource_name}}` can be one of market, store, or stock_location, and `{{resource_code}}` is the code of the resource (e.g. `market:code:europe`, `store:code:outlet_ny`, `stock_location:code:eu_warehouse`). */ scope?: string; /** * The Commerce Layer's domain. */ domain?: string; /** * An optional object containing the HTTP request headers to be sent with the request. */ headers?: { /** * Optional header for backend authentication. This key is mandatory for using the `x-true-client-ip` header * to forward the client IP address, which helps in managing rate limits effectively by identifying * unique client requests. * * **Note: This is an enterprise feature.** */ "x-backend-auth"?: string; /** * Optional header to forward the client IP address in server-side requests. Its use requires the presence of * the `x-backend-auth` header for authentication. This approach helps to differentiate between client requests * and manage rate limits based on individual client IP addresses rather than the server's IP address alone. * * **Note: This is an enterprise feature.** */ "x-true-client-ip"?: string; /** * Allows for additional headers as needed, where each key is the header name and the value is the header content. * Header values should be strings, or `undefined` if the header is not set. */ [key: string]: string | undefined; }; } type TBaseReturn = { /** * The access token. */ accessToken: string; /** * The token type. */ tokenType: "bearer"; /** * The duration after which the token will expire, in seconds. */ expiresIn: number; /** * The access token expiration date. */ expires: Date; /** * [The access token scope](https://docs.commercelayer.io/core/authentication#authorization-scopes) (market, store, and/or stock location). */ scope: string; /** * The creation date of the access token. */ createdAt: number; } & TError; interface TError { /** * The list of errors when something goes wrong. */ errors?: Array<{ code: string; detail: string; meta: Record<string, unknown>; status: 400 | 401 | 429 | 500; title: string; }>; } /** * The password grant type is used by first-party clients to exchange a user's credentials for an access token. * @see https://docs.commercelayer.io/core/authentication/password */ interface TPasswordOptions extends TBaseOptions { /** The customer's email address. */ username: string; /** The customer's password */ password: string; } /** * The password grant type is used by first-party clients to exchange a user's credentials for an access token. * @see https://docs.commercelayer.io/core/authentication/password */ interface TPasswordReturn extends TBaseReturn { /** The ID of the owner of the access token. */ ownerId: string; /** The type of the owner of the access token. */ ownerType: "customer"; /** The refresh token used to obtain a new access token. */ refreshToken: string; } /** * The authorization code grant type is used by clients to exchange an authorization code for an access token. * @see https://docs.commercelayer.io/core/authentication/authorization-code#getting-an-access-token */ interface TAuthorizationCodeOptions extends TBaseOptions { /** * The authorization code that [you got](https://docs.commercelayer.io/core/authentication/authorization-code#getting-an-authorization-code) from the redirect URI query string. */ code: string; /** * Your application's redirect URI. */ redirectUri: string; /** * Your application's client secret. */ clientSecret: string; } interface TAuthorizationCodeReturn extends Omit<TPasswordReturn, "ownerType"> { ownerType: "user"; } /** * The client credentials grant type is used by clients to obtain an access token outside of the context of a user. * @see https://docs.commercelayer.io/core/authentication/client-credentials */ interface TClientCredentialsOptions extends TBaseOptions { /** * Your application's client secret * (required for [confidential](https://docs.commercelayer.io/core/authentication/client-credentials#integration) API credentials). */ clientSecret?: string; } /** * Commerce Layer, through OAuth2, provides the support of token exchange in the on-behalf-of (delegation) scenario which allows, * for example, to make calls on behalf of a user and get an access token of the requesting user without direct user interaction. * Sales channels and webapps can accomplish it by leveraging the JWT Bearer flow, * which allows a client application to obtain an access token using a JSON Web Token (JWT) assertion. * @see https://docs.commercelayer.io/core/authentication/jwt-bearer */ interface TJwtBearerOptions extends TBaseOptions { /** Your application's client secret. */ clientSecret: string; /** * A single JSON Web Token ([learn more](https://docs.commercelayer.io/core/authentication/jwt-bearer#creating-the-jwt-assertion)). * Max size is 4KB. * * **You can use the `createAssertion` helper method**. * * @example * ```ts * import { createAssertion } from '@commercelayer/js-auth' * ``` */ assertion: string; } interface TJwtBearerReturn extends Omit<TPasswordReturn, "ownerType"> { /** The type of the owner of the access token. */ ownerType: "user" | "customer"; } /** * The refresh token grant type is used by clients to exchange a refresh token for an access token when the access token has expired. * @see https://docs.commercelayer.io/core/authentication/refresh-token */ interface TRefreshTokenOptions extends TBaseOptions { /** * A valid `refresh_token`. */ refreshToken: string; /** * Your application's client secret * (required for confidential API credentials — i.e. in case of [authorization code flow](https://docs.commercelayer.io/core/authentication/refresh-token#webapp-application-with-authorization-code-flow)). */ clientSecret?: string; } /** * The type of OAuth 2.0 grant being used for authentication. */ type GrantType = "password" | "refresh_token" | "client_credentials" | "authorization_code" | "urn:ietf:params:oauth:grant-type:jwt-bearer"; /** The options type for the `authenticate` helper. */ type AuthenticateOptions<TGrantType extends GrantType> = TGrantType extends "urn:ietf:params:oauth:grant-type:jwt-bearer" ? TJwtBearerOptions : TGrantType extends "password" ? TPasswordOptions : TGrantType extends "refresh_token" ? TRefreshTokenOptions : TGrantType extends "client_credentials" ? TClientCredentialsOptions : TGrantType extends "authorization_code" ? TAuthorizationCodeOptions : never; /** The return type of the `authenticate` helper. */ type AuthenticateReturn<TGrantType extends GrantType> = TGrantType extends "urn:ietf:params:oauth:grant-type:jwt-bearer" ? TJwtBearerReturn : TGrantType extends "password" ? TPasswordReturn : TGrantType extends "refresh_token" ? TPasswordReturn : TGrantType extends "client_credentials" ? TBaseReturn : TGrantType extends "authorization_code" ? TAuthorizationCodeReturn : never; /** The options type for the `revoke` helper. */ type RevokeOptions = Pick<TBaseOptions, "clientId"> & { /** Your application's client secret (required for confidential API credentials and non-confidential API credentials without a customer or a user in the JWT only). */ clientSecret?: string; /** A valid access or refresh token. */ token: string; }; /** The return type of the `revoke` helper. */ type RevokeReturn = Pick<TError, "errors">; type ApiCredentialsAuthorization = TBaseReturn & ({ /** * The type of the token owner. It can be `guest` or `customer`. */ ownerType: "guest"; } | { /** * The type of the token owner. It can be `guest` or `customer`. */ ownerType: "customer"; /** * The ID of the token owner. */ ownerId: string; /** * The refresh token that can be used to obtain a new access token. */ refreshToken?: string; }); type SetRequired$1<T, K extends keyof T> = Omit<T, K> & Required<Pick<T, K>>; type AuthOptions = AuthenticateOptions<"client_credentials"> & { /** * Whether to enable debug mode. * @default false */ debug?: boolean; }; /** * Creates a composite storage that combines multiple storages. * * When retrieving an item, it returns the first non-null value from the configured storages. * * The order of the configured storages is important, as it determines priority. The first storage in the array is checked first, followed by the second, and so on. * * Using a composite storage can be useful for reducing the load on the underlying storage. * For example, if you want to use Redis but avoid hitting it on every request, you can use a memory storage as the first storage and Redis as the second. * This way, the memory storage is checked first, and if the item is not found there, it falls back to Redis and is then saved to memory for subsequent requests. * * @param storages - An array of storage instances to combine. * @returns A composite storage instance. * * @example * const compositeStorage = createCompositeStorage([memoryStorage, redisStorage]); * const value = await compositeStorage.getItem('myKey'); */ declare function createCompositeStorage(storages: Storage[]): Storage; type StoreOptions = { /** * Function to get the key for storing the authorization in the storage. * This function receives the configuration and the type of authorization * and should return a unique key for that authorization. */ getKey?: (configuration: { clientId: string; scope: string; }, type: ApiCredentialsAuthorization["ownerType"]) => Promise<string>; /** * Storage instance for storing authorizations. * This storage will be used for both "guest" and "customer" authorizations. * * If you need to use a different store for "customer" authorizations, * you can provide a different storage instance using `customerStorage` option. */ storage: Storage; /** * Storage instance for storing "customer" authorizations. * If not provided, the `storage` option will be used. * * This is useful if you want to separate guest and customer authorizations, * for example, using `localStorage` for guest authorizations * and `sessionStorage` for customer authorizations. */ customerStorage?: Storage; }; /** * Storage interface for managing key/value pairs. * * This interface is used to abstract the storage mechanism, allowing for different implementations (e.g., localStorage, sessionStorage, in-memory storage). */ interface Storage { /** * Returns the current value associated with the given key, or null if the given key does not exist. */ getItem: (key: string) => Promise<StorageValue | null>; /** * Sets the value of the pair identified by key to value, creating a new key/value pair if none existed for key previously. */ setItem: (key: string, value: StorageValue) => Promise<void>; /** * Removes the key/value pair with the given key, if a key/value pair with the given key exists. */ removeItem: (key: string) => Promise<void>; /** * Disposes all mounted storages to ensure there are no open-handles left. * Call it before exiting process. */ dispose?: () => Promise<void>; } type StorageValue = Pick<AuthenticateReturn<"password">, "accessToken" | "scope"> & { refreshToken?: string; }; type MakeAuthReturn = { options: AuthOptions; getAuthorization: () => Promise<ApiCredentialsAuthorization>; setAuthorization: (auth: SetAuthorizationOptions) => Promise<ApiCredentialsAuthorization>; removeAuthorization: (type: ApiCredentialsAuthorization["ownerType"]) => Promise<void>; }; declare function makeAuth(options: AuthOptions, store: StoreOptions, { logPrefix, guestOnly, }: { logPrefix: string; /** * Whether to allow only guest authorizations. * If set to `true`, the helper will only return guest authorizations * and will not attempt to read or refresh customer authorizations. * This is useful for integrations that do not require customer authentication, * such as backend integrations or public APIs. * @default false */ guestOnly?: boolean; }): MakeAuthReturn; type SetAuthorizationOptions = StorageValue; /** * [**Integrations**](https://docs.commercelayer.io/core/api-credentials#integration) are used * to develop backend integrations with any 3rd-party system. * * This helper manages the caching mechanism to avoid unnecessary API calls. */ declare function makeIntegration(options: SetRequired$1<AuthOptions, "clientSecret">, store: Omit<StoreOptions, "customerStorage">): { options: SetRequired$1<AuthOptions, "clientSecret">; /** * Get the current integration authorization. * * This will return the authorization from configured storage. * If the authorization is not found or expired, it will fetch a new one. */ getAuthorization: ReturnType<typeof makeAuth>["getAuthorization"]; /** * Remove the authorization from configured storages. * * This is particularly useful when you want to get a fresh authorization. * **Note:** This will not revoke the token. */ removeAuthorization: (type?: "all") => Promise<void>; /** * Revoke the current integration authorization. * * This will remove the authorization from memory and storage, and revoke the access token. */ revokeAuthorization: () => Promise<RevokeReturn>; }; /** * [**Sales channels**](https://docs.commercelayer.io/core/api-credentials#sales-channel) are used * to build any customer touchpoint (e.g. your storefront with a fully-functional shopping cart and checkout flow). * * This helper manages the caching mechanism to avoid unnecessary API calls * and provides methods to set and remove customer authorizations. */ declare function makeSalesChannel(options: Omit<AuthOptions, "clientSecret">, store: StoreOptions): { options: Omit<AuthOptions, "clientSecret">; /** * Get the current sales channel authorization. * * This will return the authorization from the configured storage. * If the authorization is not found or expired, it will fetch a new one. * If the customer is logged in with a `refreshToken`, it will also attempt to refresh the token when expired. */ getAuthorization: ReturnType<typeof makeAuth>["getAuthorization"]; /** * Remove the authorization from configured storages. * * This is particularly useful when you want to get a fresh authorization. * **Note:** This will not revoke the token. */ removeAuthorization: (type?: "all" | ApiCredentialsAuthorization["ownerType"]) => Promise<void>; /** * Sets the customer authorization. * This will store the authorization in memory and storage. * It will also validate the access token to ensure it contains a valid customer owner. * * The option `refreshToken` is optional and can be used to set a refresh token for the customer (e.g. "remember me" functionality). * It will be used to refresh the access token when it expires. */ setCustomer: (options: StorageValue) => Promise<ApiCredentialsAuthorization>; /** * Logs out the current customer. * * This will remove the customer authorization from memory and storage, and revoke the access token. */ logoutCustomer: () => Promise<RevokeReturn>; }; /** * Authenticate helper used to get the access token. * * _Please note that the authentication endpoint is subject to a [rate limit](https://docs.commercelayer.io/core/rate-limits) * of **max 30 reqs / 1 min** both in live and test mode._ * @param grantType The type of OAuth 2.0 grant being used for authentication. * @param options Authenticate options * @returns * @example * ```ts * import { authenticate } from '@commercelayer/js-auth' * * const auth = await authenticate('client_credentials', { * clientId: '{{ clientId }}', * scope: 'market:id:DGzAouppwn' * }) * * console.log(auth.accessToken) * ``` */ declare function authenticate<TGrantType extends GrantType>(grantType: TGrantType, { domain, headers, ...options }: AuthenticateOptions<TGrantType>): Promise<AuthenticateReturn<TGrantType>>; /** * A token error occurred. */ declare class TokenError extends Error { constructor(message: string); } /** * The token is not valid. */ declare class InvalidTokenError extends TokenError { constructor(message: string); } /** * The token expired. */ declare class TokenExpiredError extends TokenError { constructor(); } /** * Derives the [Core API base endpoint](https://docs.commercelayer.io/core/api-specification#base-endpoint) given a valid access token. * * @example * ```ts * getCoreApiBaseEndpoint('eyJhbGciOiJS...') //= "https://yourdomain.commercelayer.io" * ``` * * The method requires a valid access token with an `organization` in the payload. * * @param accessToken - The access token to decode. * @param options - An options object to configure behavior. * @returns The core API base endpoint as a string, or `null` if the token is invalid and `shouldThrow` is `false`. * @throws InvalidTokenError - If the token is invalid and `shouldThrow` is true. */ declare function getCoreApiBaseEndpoint(accessToken: string, options?: { /** * Whether to throw an error if the token is invalid. * @default true */ shouldThrow?: true; }): string; /** * Derives the [Core API base endpoint](https://docs.commercelayer.io/core/api-specification#base-endpoint) given a valid access token. * * @example * ```ts * getCoreApiBaseEndpoint('eyJhbGciOiJS...') //= "https://yourdomain.commercelayer.io" * ``` * * The method requires a valid access token with an `organization` in the payload. * * @param accessToken - The access token to decode. * @param options - An options object to configure behavior. * @returns The core API base endpoint as a string, or `null` if the token is invalid and `shouldThrow` is `false`. * @throws InvalidTokenError - If the token is invalid and `shouldThrow` is true. */ declare function getCoreApiBaseEndpoint(accessToken: string, options: { /** * Whether to throw an error if the token is invalid. * @default true */ shouldThrow: false; }): string | null; /** * Returns the [Provisioning API base endpoint](https://docs.commercelayer.io/provisioning/getting-started/api-specification#base-endpoint) given a valid access token. * * @example * ```ts * getProvisioningApiBaseEndpoint('eyJhbGciOiJS...') //= "https://provisioning.commercelayer.io" * ``` * * The method requires a valid access token for Provisioning API. * * @param accessToken - The access token to decode. * @param options - An options object to configure behavior. * @returns The provisioning API base endpoint as a string, or `null` if the token is invalid and `shouldThrow` is `false`. * @throws InvalidTokenError - If the token is invalid and `shouldThrow` is true. */ declare function getProvisioningApiBaseEndpoint(accessToken: string, options?: { /** * Whether to throw an error if the token is invalid. * @default true */ shouldThrow?: true; }): string; /** * Returns the [Provisioning API base endpoint](https://docs.commercelayer.io/provisioning/getting-started/api-specification#base-endpoint) given a valid access token. * * @example * ```ts * getProvisioningApiBaseEndpoint('eyJhbGciOiJS...') //= "https://provisioning.commercelayer.io" * ``` * * The method requires a valid access token for Provisioning API. * * @param accessToken - The access token to decode. * @param options - An options object to configure behavior. * @returns The provisioning API base endpoint as a string, or `null` if the token is invalid and `shouldThrow` is `false`. * @throws InvalidTokenError - If the token is invalid and `shouldThrow` is true. */ declare function getProvisioningApiBaseEndpoint(accessToken: string, options: { /** * Whether to throw an error if the token is invalid. * @default true */ shouldThrow: false; }): string | null; /** * Decode a Commerce Layer access token without verifying if the signature is valid. * * _You should not use this for untrusted messages, since this helper method does not verify whether the signature is valid. * If you need to verify the access token before decoding, you can use `jwtVerify` instead._ */ declare function jwtDecode(accessToken: string): CommerceLayerJWT; interface CommerceLayerJWT { /** The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA. */ header: { /** Signing algorithm being used (e.g. `HMAC`, `SHA256`, `RSA`, `RS512`). */ alg: string; /** Type of the token (usually `JWT`). */ typ?: string; /** Key ID */ kid: string; }; payload: Payload; signature: string; } type Payload = JWTDashboard | JWTUser | JWTSalesChannel | JWTIntegration | JWTWebApp; interface JWTBase { /** The type of credentials you're using to authenticate to the APIs. */ application: { id: string; public: boolean; client_id: string; /** Whether the application is confidential (`true` when the `client_secret` is provided). */ confidential: boolean; }; /** Scope used to restrict access to a specific active market and/or stock location. */ scope: string; /** The token expiration time, expressed as an [epoch](https://www.epoch101.com/). */ exp: number; /** The environment type (true for test mode, false for live mode). */ test: boolean; /** A randomly generated number, less than one. */ rand: number; /** Issued at (seconds since Unix epoch). */ iat: number; /** Who created and signed this token (e.g. `"https://auth.commercelayer.io"`). */ iss: string; } /** * A JWT payload that represents a `user`. */ type JWTUser = JWTBase & { /** The type of credentials you're using to authenticate to the APIs. */ application: { kind: "user"; }; /** The authenticated user. */ user: { id: string; }; }; /** * A JWT payload that represents a `dashboard`. */ type JWTDashboard = JWTBase & { /** The type of credentials you're using to authenticate to the APIs. */ application: { kind: "dashboard"; }; /** The authenticated user. */ user: { id: string; }; }; type JWTOrganizationBase = JWTBase & { /** The organization in scope. */ organization: { id: string; slug: string; enterprise: boolean; region: string; }; /** The owner (if any) authenticating to the APIs. */ owner?: { id: string; type: "Customer" | "User"; }; /** * Any other information (key/value pairs) you want to enrich the token with, * when using the [JWT Bearer flow](https://docs.commercelayer.io/core/authentication/jwt-bearer). */ custom_claim?: Record<string, string>; /** * The market(s) in scope. * This is available only when the scope is defined in the request. */ market?: { id: string[]; stock_location_ids: string[]; geocoder_id: string | null; allows_external_prices: boolean; }; }; /** * A JWT payload that represents a `webapp`. */ type JWTWebApp = SetRequired<JWTOrganizationBase, "owner"> & { /** The type of credentials you're using to authenticate to the APIs. */ application: { kind: "webapp"; }; }; /** Create a type that makes the given keys required. The remaining keys are kept as is. */ type SetRequired<T, K extends keyof T> = T & { [P in K]-?: T[P]; }; /** * A JWT payload that represents a `sales_channel`. */ type JWTSalesChannel = JWTOrganizationBase & { /** The type of credentials you're using to authenticate to the APIs. */ application: { kind: "sales_channel"; }; }; /** * A JWT payload that represents an `integration`. */ type JWTIntegration = JWTOrganizationBase & { /** The type of credentials you're using to authenticate to the APIs. */ application: { kind: "integration"; }; }; /** * Checks if the provided payload represents a `user`. * @param payload The payload to be checked. * @returns */ declare function jwtIsUser(payload: Payload): payload is JWTUser; /** * Checks if the provided payload represents a `dashboard`. * @param payload The payload to be checked. * @returns */ declare function jwtIsDashboard(payload: Payload): payload is JWTDashboard; /** * Checks if the provided payload represents an `integration`. * @param payload The payload to be checked. * @returns */ declare function jwtIsIntegration(payload: Payload): payload is JWTIntegration; /** * Checks if the provided payload represents a `sales_channel`. * @param payload The payload to be checked. * @returns */ declare function jwtIsSalesChannel(payload: Payload): payload is JWTSalesChannel; /** * Checks if the provided payload represents a `webapp`. * @param payload The payload to be checked. * @returns */ declare function jwtIsWebApp(payload: Payload): payload is JWTWebApp; interface Owner { type: "User" | "Customer"; id: string; } /** * Create a JWT assertion as the first step of the [JWT bearer token authorization grant flow](https://docs.commercelayer.io/core/authentication/jwt-bearer). * * The JWT assertion is a digitally signed JSON object containing information * about the client and the user on whose behalf the access token is being requested. * * This JWT assertion can include information such as the issuer (typically the client), * the owner (the user on whose behalf the request is made), and any other relevant claims. * * @example * ```ts * const assertion = await createAssertion({ * payload: { * 'https://commercelayer.io/claims': { * owner: { * type: 'Customer', * id: '4tepftJsT2' * }, * custom_claim: { * customer: { * first_name: 'John', * last_name: 'Doe' * } * } * } * } * }) * ``` */ declare function createAssertion({ payload }: Assertion): Promise<string>; /** RequireAtLeastOne helps create a type where at least one of the properties of an interface (can be any property) is required to exist. */ type RequireAtLeastOne<T> = { [K in keyof T]-?: Required<Pick<T, K>> & Partial<Pick<T, Exclude<keyof T, K>>>; }[keyof T]; interface Assertion { /** Assertion payload. */ payload: { /** At least one of `owner` or `custom_claim` is required. You cannot use an empty object. */ "https://commercelayer.io/claims": RequireAtLeastOne<{ /** The customer or user you want to make the calls on behalf of. */ owner?: Owner; /** Any other information (key/value pairs) you want to enrich the token with. */ custom_claim?: Record<string, unknown>; }>; }; } /** * Validate the integrity and authenticity of the JWT. * It checks if the token is valid by verifying the signature against the public key used to create it. * This is useful to ensure that the token hasn't been tampered with and originates from Commerce Layer. * * When the verification succeeds, it resolves to the decoded access token, it rejects otherwise. */ declare function jwtVerify(accessToken: string, { ignoreExpiration, jwk }?: JwtVerifyOptions): Promise<CommerceLayerJWT>; type CommerceLayerJsonWebKey = JsonWebKey & { kid: string; }; interface JwtVerifyOptions { /** * Do not validate the token expiration when set to `true`. * @default false */ ignoreExpiration?: boolean; /** * Json Web Key used to verify the signature. * * The `kid` must match the `kid` from decoded accessToken. * * By default, we pick the jwk from https://auth.commercelayer.io/.well-known/jwks.json using the `kid` from the accessToken. */ jwk?: CommerceLayerJsonWebKey; } /** * Revoke a previously generated access token (refresh tokens included) before its natural expiration date. * * @param options Revoke options * @returns * @example * ```ts * await revoke({ * clientId: '{{ integrationClientId }}', * clientSecret: '{{ integrationClientSecret }}', * token: authenticateResponse.accessToken * }) * ``` */ declare function revoke(options: RevokeOptions): Promise<RevokeReturn>; export { type ApiCredentialsAuthorization, type AuthenticateOptions, type AuthenticateReturn, type GrantType, InvalidTokenError, type JWTDashboard, type JWTIntegration, type JWTSalesChannel, type JWTUser, type JWTWebApp, type RevokeOptions, type RevokeReturn, type Storage, type StorageValue, TokenError, TokenExpiredError, authenticate, createAssertion, createCompositeStorage, getCoreApiBaseEndpoint, getProvisioningApiBaseEndpoint, jwtDecode, jwtIsDashboard, jwtIsIntegration, jwtIsSalesChannel, jwtIsUser, jwtIsWebApp, jwtVerify, makeIntegration, makeSalesChannel, revoke };