interface TokenSet {
  /** JWT access token */
  accessToken: string;

  /** Refresh token (present if `offline_access` scope was requested) */
  refreshToken: string | null;

  /** OIDC ID token (present if `openid` scope was requested) */
  idToken: string | null;

  /** Token type (always "Bearer") */
  tokenType: "Bearer";

  /** Access token lifetime in seconds */
  expiresIn: number;

  /** ISO 8601 absolute expiry time */
  expiresAt: string;

  /** Space-separated granted scopes */
  scope: string;
}

interface IdTokenClaims {
  sub: string;              // User ID
  email: string;
  email_verified: boolean;
  name: string;
  given_name: string;
  family_name: string;
  locale: string;
  picture: string;
  org_id: string | undefined;     // Organization ID (if organizations scope)
  org_name: string | undefined;   // Organization name
  iss: string;                     // Issuer URL
  aud: string | string[];          // Audience
  exp: number;                     // Expiry (Unix timestamp)
  iat: number;                     // Issued at (Unix timestamp)
  nonce: string | undefined;       // Nonce (if provided during authorization)
  at_hash: string | undefined;     // Access token hash
  auth_time: number;               // Time of authentication
  acr: string;                     // Authentication context class
  amr: string[];                   // Authentication methods used
  act?: { sub: string };           // Actor claim (token exchange)
}

interface TokenIntrospection {
  active: boolean;
  sub: string;
  clientId: string;
  scope: string;
  exp: number;
  iat: number;
  iss: string;
  aud: string[];
  tokenType: string;
  orgId?: string;
  orgName?: string;
}

interface DeviceCodeResponse {
  deviceCode: string;
  userCode: string;
  verificationUri: string;
  verificationUriComplete: string;
  expiresIn: number;
  interval: number;
}

interface AuthorizationUrlResult {
  url: string;
  codeVerifier: string;
  state: string;
}