tripwire-server 0.3.1 → 0.3.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0a3703f1cf37bec81be8697615f837553379c371e808633793911a603fb9b55e
-  data.tar.gz: 4bb9e0a6712fa1632e148e72f4f17ed27ef260e54dce60b66416ad7489be6b9f
+  metadata.gz: 3705acd09cee16f85cfc7da0a430dd203c928296265a8f412f0b0136dfa27a73
+  data.tar.gz: 79d3246ecf68eae368ec605c96cfed1f09be0427f0a9953700b5e3fde5a761a1
 SHA512:
-  metadata.gz: d995c7bcd72fe27223c8dfd6ba96ce3556b6f856b1150bed5b76bf74f2f1f8d6359a1bfb757aabce85f6b02decc2f1dd35b5b7f623bc9f2c12cc60e44bebd9d1
-  data.tar.gz: 602db5a36951402b18e211e651135a1c779cbeec6c7788281f9aa8a7717d418df1ea3e3235b2abfec524d5e861b23113fa308d5b80448d0fd2b8c03d814e26fb
+  metadata.gz: 04bcd559dba66a6677ef3bb2d09ff55f55b7c50598e7883d9c124edd3986213564ed8de8ebfdc351db4b1408fddf4d4403583c53949b37e9a7c1dd8c0a4db387
+  data.tar.gz: 0cf760c24506a05d64164773e5cc8c0b1c3d17607f3770b240ad4c4d0fa7400a79ccf8f37d545c2c6f3ec8240d5f7ed8e45a84dcb121f26fde60e3ba8c7524b8

data/README.md

@@ -4,13 +4,14 @@
 ![Ruby 3.3+](https://img.shields.io/badge/ruby-3.3%2B-CC342D?logo=ruby&logoColor=white)
 ![License: MIT](https://img.shields.io/badge/license-MIT-0f766e.svg)
 
-The Tripwire Ruby library provides convenient access to the Tripwire API from applications written in Ruby. It includes a client for Sessions, visitor fingerprints, Teams, Team API key management, sealed token verification, Gate, and Gate delivery/webhook helpers.
+The Tripwire Ruby library provides convenient access to the Tripwire API from applications written in Ruby. It includes a client for Sessions, visitor fingerprints, Organizations, Organization API key management, sealed token verification, Gate, and Gate delivery/webhook helpers.
 
 The library also provides:
 
 - a fast configuration path using `TRIPWIRE_SECRET_KEY`
 - lazy helpers for cursor-based pagination
 - structured API errors and built-in sealed token verification
+- webhook endpoint management, test sends, and event delivery history
 - public, bearer-token, and secret-key auth modes for Gate flows
 - Gate delivery/webhook helpers
 
@@ -72,20 +73,39 @@ fingerprint = client.fingerprints.get("vid_0123456789abcdefghjkmnpqrs")
 puts fingerprint[:id]
 ```
 
-### Teams
+### Organizations
 
 ```ruby
-team = client.teams.get("team_0123456789abcdefghjkmnpqrs")
-updated = client.teams.update("team_0123456789abcdefghjkmnpqrs", name: "New Name")
+organization = client.organizations.get("org_0123456789abcdefghjkmnpqrs")
+updated = client.organizations.update("org_0123456789abcdefghjkmnpqrs", name: "New Name")
 
 puts updated[:name]
 ```
 
-### Team API keys
+### Organization API keys
 
 ```ruby
-created = client.teams.api_keys.create("team_0123456789abcdefghjkmnpqrs", name: "Production", environment: "live")
-client.teams.api_keys.revoke("team_0123456789abcdefghjkmnpqrs", created[:id])
+created = client.organizations.api_keys.create("org_0123456789abcdefghjkmnpqrs", name: "Production", type: "secret", environment: "live")
+client.organizations.api_keys.revoke("org_0123456789abcdefghjkmnpqrs", created[:id])
+```
+
+### Webhooks
+
+```ruby
+endpoint = client.webhooks.create_endpoint(
+  "org_0123456789abcdefghjkmnpqrs",
+  name: "Production alerts",
+  url: "https://example.com/tripwire/webhook",
+  event_types: ["session.result.persisted", "gate.session.approved"]
+)
+
+events = client.webhooks.list_events(
+  "org_0123456789abcdefghjkmnpqrs",
+  endpoint_id: endpoint[:id],
+  type: "session.result.persisted"
+)
+
+puts events.items.first[:webhook_deliveries].first[:status]
 ```
 
 ### Gate APIs

data/lib/tripwire/server/client.rb

@@ -10,7 +10,7 @@ module Tripwire
       DEFAULT_TIMEOUT = 30
       SDK_CLIENT_HEADER = "tripwire-server-ruby/0.1.0".freeze
 
-      attr_reader :sessions, :fingerprints, :teams, :gate, :timeout
+      attr_reader :sessions, :fingerprints, :organizations, :gate, :webhooks, :timeout
 
       def initialize(secret_key: ENV["TRIPWIRE_SECRET_KEY"], base_url: DEFAULT_BASE_URL, timeout: DEFAULT_TIMEOUT, user_agent: nil, transport: nil)
         @secret_key = secret_key
@@ -21,8 +21,9 @@ module Tripwire
 
         @sessions = SessionsResource.new(self)
         @fingerprints = FingerprintsResource.new(self)
-        @teams = TeamsResource.new(self)
+        @organizations = OrganizationsResource.new(self)
         @gate = GateResource.new(self)
+        @webhooks = WebhooksResource.new(self)
       end
 
       def request_json(method, path, query: {}, body: nil, expect_content: true, auth: { kind: :secret })
@@ -220,30 +221,39 @@ module Tripwire
     end
 
     class ApiKeysResource < BaseResource
-      def create(team_id, name: nil, environment: nil, allowed_origins: nil, rate_limit: nil)
-        payload = @client.request_json("POST", "/v1/teams/#{CGI.escape(team_id)}/api-keys", body: compact({
+      def create(organization_id, name:, type: nil, environment: nil, allowed_origins: nil, scopes: nil)
+        payload = @client.request_json("POST", "/v1/organizations/#{CGI.escape(organization_id)}/api-keys", body: compact({
           name: name,
+          type: type,
           environment: environment,
           allowed_origins: allowed_origins,
-          rate_limit: rate_limit
+          scopes: scopes
         }))
         payload[:data]
       end
 
-      def list(team_id, limit: nil, cursor: nil)
-        payload = @client.request_json("GET", "/v1/teams/#{CGI.escape(team_id)}/api-keys", query: {
+      def list(organization_id, limit: nil, cursor: nil)
+        payload = @client.request_json("GET", "/v1/organizations/#{CGI.escape(organization_id)}/api-keys", query: {
           limit: limit,
           cursor: cursor
         })
         list_result(payload)
       end
 
-      def revoke(team_id, key_id)
-        @client.request_json("DELETE", "/v1/teams/#{CGI.escape(team_id)}/api-keys/#{CGI.escape(key_id)}")[:data]
+      def update(organization_id, key_id, name: nil, allowed_origins: nil, scopes: nil)
+        @client.request_json("PATCH", "/v1/organizations/#{CGI.escape(organization_id)}/api-keys/#{CGI.escape(key_id)}", body: compact({
+          name: name,
+          allowed_origins: allowed_origins,
+          scopes: scopes
+        }))[:data]
       end
 
-      def rotate(team_id, key_id)
-        payload = @client.request_json("POST", "/v1/teams/#{CGI.escape(team_id)}/api-keys/#{CGI.escape(key_id)}/rotations")
+      def revoke(organization_id, key_id)
+        @client.request_json("DELETE", "/v1/organizations/#{CGI.escape(organization_id)}/api-keys/#{CGI.escape(key_id)}")[:data]
+      end
+
+      def rotate(organization_id, key_id)
+        payload = @client.request_json("POST", "/v1/organizations/#{CGI.escape(organization_id)}/api-keys/#{CGI.escape(key_id)}/rotations")
         payload[:data]
       end
 
@@ -254,7 +264,7 @@ module Tripwire
       end
     end
 
-    class TeamsResource < BaseResource
+    class OrganizationsResource < BaseResource
       attr_reader :api_keys
 
       def initialize(client)
@@ -263,15 +273,15 @@ module Tripwire
       end
 
       def create(name:, slug:)
-        @client.request_json("POST", "/v1/teams", body: { name: name, slug: slug })[:data]
+        @client.request_json("POST", "/v1/organizations", body: { name: name, slug: slug })[:data]
       end
 
-      def get(team_id)
-        @client.request_json("GET", "/v1/teams/#{CGI.escape(team_id)}")[:data]
+      def get(organization_id)
+        @client.request_json("GET", "/v1/organizations/#{CGI.escape(organization_id)}")[:data]
       end
 
-      def update(team_id, name: nil, status: nil)
-        @client.request_json("PATCH", "/v1/teams/#{CGI.escape(team_id)}", body: {
+      def update(organization_id, name: nil, status: nil)
+        @client.request_json("PATCH", "/v1/organizations/#{CGI.escape(organization_id)}", body: {
           name: name,
           status: status
         }.reject { |_key, value| value.nil? })[:data]
@@ -310,7 +320,7 @@ module Tripwire
         @client.request_json("GET", "/v1/gate/services/#{CGI.escape(service_id)}")[:data]
       end
 
-      def create(id:, name:, description:, website:, webhook_url:, discoverable: nil, dashboard_login_url: nil, webhook_secret: nil, env_vars: nil, docs_url: nil, sdks: nil, branding: nil, consent: nil)
+      def create(id:, name:, description:, website:, webhook_endpoint_id:, discoverable: nil, dashboard_login_url: nil, env_vars: nil, docs_url: nil, sdks: nil, branding: nil, consent: nil)
         @client.request_json("POST", "/v1/gate/services", body: compact({
           id: id,
           discoverable: discoverable,
@@ -318,8 +328,7 @@ module Tripwire
           description: description,
           website: website,
           dashboard_login_url: dashboard_login_url,
-          webhook_url: webhook_url,
-          webhook_secret: webhook_secret,
+          webhook_endpoint_id: webhook_endpoint_id,
           env_vars: env_vars,
           docs_url: docs_url,
           sdks: sdks,
@@ -328,15 +337,14 @@ module Tripwire
         }))[:data]
       end
 
-      def update(service_id, discoverable: nil, name: nil, description: nil, website: nil, dashboard_login_url: nil, webhook_url: nil, webhook_secret: nil, env_vars: nil, docs_url: nil, sdks: nil, branding: nil, consent: nil)
+      def update(service_id, discoverable: nil, name: nil, description: nil, website: nil, dashboard_login_url: nil, webhook_endpoint_id: nil, env_vars: nil, docs_url: nil, sdks: nil, branding: nil, consent: nil)
         @client.request_json("PATCH", "/v1/gate/services/#{CGI.escape(service_id)}", body: compact({
           discoverable: discoverable,
           name: name,
           description: description,
           website: website,
           dashboard_login_url: dashboard_login_url,
-          webhook_url: webhook_url,
-          webhook_secret: webhook_secret,
+          webhook_endpoint_id: webhook_endpoint_id,
           env_vars: env_vars,
           docs_url: docs_url,
           sdks: sdks,
@@ -356,6 +364,50 @@ module Tripwire
       end
     end
 
+    class WebhooksResource < BaseResource
+      def list_endpoints(organization_id)
+        payload = @client.request_json("GET", "/v1/organizations/#{CGI.escape(organization_id)}/webhooks/endpoints")
+        list_result(payload)
+      end
+
+      def create_endpoint(organization_id, name:, url:, event_types:)
+        @client.request_json("POST", "/v1/organizations/#{CGI.escape(organization_id)}/webhooks/endpoints", body: {
+          name: name,
+          url: url,
+          event_types: event_types
+        })[:data]
+      end
+
+      def update_endpoint(organization_id, endpoint_id, **updates)
+        @client.request_json("PATCH", "/v1/organizations/#{CGI.escape(organization_id)}/webhooks/endpoints/#{CGI.escape(endpoint_id)}", body: updates)[:data]
+      end
+
+      def disable_endpoint(organization_id, endpoint_id)
+        @client.request_json("DELETE", "/v1/organizations/#{CGI.escape(organization_id)}/webhooks/endpoints/#{CGI.escape(endpoint_id)}")[:data]
+      end
+
+      def rotate_secret(organization_id, endpoint_id)
+        @client.request_json("POST", "/v1/organizations/#{CGI.escape(organization_id)}/webhooks/endpoints/#{CGI.escape(endpoint_id)}/rotations")[:data]
+      end
+
+      def send_test(organization_id, endpoint_id)
+        @client.request_json("POST", "/v1/organizations/#{CGI.escape(organization_id)}/webhooks/endpoints/#{CGI.escape(endpoint_id)}/test")[:data]
+      end
+
+      def list_events(organization_id, endpoint_id: nil, type: nil, limit: nil)
+        payload = @client.request_json("GET", "/v1/organizations/#{CGI.escape(organization_id)}/events", query: {
+          endpoint_id: endpoint_id,
+          type: type,
+          limit: limit
+        })
+        list_result(payload)
+      end
+
+      def retrieve_event(organization_id, event_id)
+        @client.request_json("GET", "/v1/organizations/#{CGI.escape(organization_id)}/events/#{CGI.escape(event_id)}")[:data]
+      end
+    end
+
     class GateSessionsResource < BaseResource
       def create(service_id:, account_name:, delivery:, metadata: nil)
         body = {

data/lib/tripwire/server/gate_delivery.rb

@@ -39,6 +39,12 @@ module Tripwire
         XDG_CONFIG_HOME
       ].freeze
       BLOCKED_GATE_ENV_VAR_PREFIXES = %w[NPM_CONFIG_ BUN_CONFIG_ GIT_CONFIG_].freeze
+      WEBHOOK_EVENT_TYPES = %w[
+        session.fingerprint.calculated
+        session.result.persisted
+        gate.session.approved
+        webhook.test
+      ].freeze
       GATE_DELIVERY_HKDF_INFO = "tripwire-gate-delivery:v1".b.freeze
       X25519_SPKI_PREFIX = ["302a300506032b656e032100"].pack("H*").freeze
 
@@ -217,7 +223,7 @@ module Tripwire
 
       def validate_gate_approved_webhook_payload(value)
         candidate = symbolize(value)
-        raise ArgumentError, "event must be gate.session.approved" unless candidate[:event] == "gate.session.approved"
+        raise ArgumentError, "webhook payload must not include event; use the webhook event envelope type" if candidate.key?(:event)
         raise ArgumentError, "service_id is required" if candidate[:service_id].to_s.empty?
         raise ArgumentError, "gate_session_id is required" if candidate[:gate_session_id].to_s.empty?
         raise ArgumentError, "gate_account_id is required" if candidate[:gate_account_id].to_s.empty?
@@ -230,7 +236,6 @@ module Tripwire
         raise ArgumentError, "tripwire.score must be a number or null" unless score.nil? || score.is_a?(Numeric)
 
         {
-          event: "gate.session.approved",
           service_id: candidate[:service_id],
           gate_session_id: candidate[:gate_session_id],
           gate_account_id: candidate[:gate_account_id],
@@ -255,6 +260,26 @@ module Tripwire
         false
       end
 
+      def parse_webhook_event(raw_body)
+        envelope = symbolize(JSON.parse(raw_body))
+        raise ArgumentError, "webhook event object must be webhook_event" unless envelope[:object] == "webhook_event"
+        raise ArgumentError, "webhook event id is required" if envelope[:id].to_s.empty?
+        raise ArgumentError, "webhook event type is required" if envelope[:type].to_s.empty?
+        raise ArgumentError, "unsupported webhook event type: #{envelope[:type]}" unless WEBHOOK_EVENT_TYPES.include?(envelope[:type])
+        raise ArgumentError, "webhook event created timestamp is required" if envelope[:created].to_s.empty?
+        raise ArgumentError, "webhook event data must be an object" unless envelope[:data].is_a?(Hash)
+
+        envelope[:data] = validate_gate_approved_webhook_payload(envelope[:data]) if envelope[:type] == "gate.session.approved"
+        envelope
+      end
+
+      def verify_and_parse_webhook_event(secret:, timestamp:, raw_body:, signature:, max_age_seconds: 300, now_seconds: nil)
+        unless verify_gate_webhook_signature(secret: secret, timestamp: timestamp, raw_body: raw_body, signature: signature, max_age_seconds: max_age_seconds, now_seconds: now_seconds)
+          raise ArgumentError, "Invalid Tripwire webhook signature"
+        end
+        parse_webhook_event(raw_body)
+      end
+
       def symbolize(value)
         case value
         when Array

data/lib/tripwire/server/version.rb

@@ -1,5 +1,5 @@
 module Tripwire
   module Server
-    VERSION = "0.3.1".freeze
+    VERSION = "0.3.2".freeze
   end
 end

data/spec/README.md

@@ -15,8 +15,8 @@ Server SDKs include only customer-facing APIs:
 
 - `/v1/sessions`
 - `/v1/fingerprints`
-- `/v1/teams`
-- `/v1/teams/:teamId/api-keys`
+- `/v1/organizations`
+- `/v1/organizations/:organizationId/api-keys`
 - `/v1/gate/registry`
 - `/v1/gate/services`
 - `/v1/gate/sessions`
@@ -44,11 +44,11 @@ Every server SDK should expose these top-level capabilities:
   - list
   - get
   - iterator / auto-pagination helper
-- Teams
+- Organizations
   - create
   - get
   - update
-- Team API keys
+- Organization API keys
   - create
   - list
   - revoke

data/spec/fixtures/api/gate/service-create.json

@@ -8,7 +8,6 @@
     "description": "Acme production signup flow",
     "website": "https://acme.example.com",
     "dashboard_login_url": "https://dashboard.acme.example.com/auth/gate",
-    "webhook_url": "https://api.acme.example.com/v1/gate/webhook",
     "env_vars": [
       {
         "name": "Publishable key",
@@ -41,7 +40,8 @@
       "privacy_url": "https://acme.example.com/privacy"
     },
     "created_at": "2026-04-03T20:00:00.000Z",
-    "updated_at": "2026-04-03T20:00:00.000Z"
+    "updated_at": "2026-04-03T20:00:00.000Z",
+    "webhook_endpoint_id": "we_0123456789abcdef0123456789abcdef"
   },
   "meta": {
     "request_id": "req_0123456789abcdef0123456789abcdef"

data/spec/fixtures/api/gate/service-detail.json

@@ -8,7 +8,6 @@
     "description": "Acme production signup flow",
     "website": "https://acme.example.com",
     "dashboard_login_url": "https://dashboard.acme.example.com/auth/gate",
-    "webhook_url": "https://api.acme.example.com/v1/gate/webhook",
     "env_vars": [
       {
         "name": "Publishable key",
@@ -41,7 +40,8 @@
       "privacy_url": "https://acme.example.com/privacy"
     },
     "created_at": "2026-04-03T20:00:00.000Z",
-    "updated_at": "2026-04-03T20:05:00.000Z"
+    "updated_at": "2026-04-03T20:05:00.000Z",
+    "webhook_endpoint_id": "we_0123456789abcdef0123456789abcdef"
   },
   "meta": {
     "request_id": "req_0123456789abcdef0123456789abcdef"

data/spec/fixtures/api/gate/service-disable.json

@@ -8,7 +8,6 @@
     "description": "Acme production signup flow",
     "website": "https://acme.example.com",
     "dashboard_login_url": "https://dashboard.acme.example.com/auth/gate",
-    "webhook_url": "https://api.acme.example.com/v1/gate/webhook",
     "env_vars": [
       {
         "name": "Publishable key",
@@ -41,7 +40,8 @@
       "privacy_url": "https://acme.example.com/privacy"
     },
     "created_at": "2026-04-03T20:00:00.000Z",
-    "updated_at": "2026-04-03T20:15:00.000Z"
+    "updated_at": "2026-04-03T20:15:00.000Z",
+    "webhook_endpoint_id": "we_0123456789abcdef0123456789abcdef"
   },
   "meta": {
     "request_id": "req_0123456789abcdef0123456789abcdef"

data/spec/fixtures/api/gate/service-update.json

@@ -8,7 +8,6 @@
     "description": "Acme production signup flow",
     "website": "https://acme.example.com",
     "dashboard_login_url": "https://dashboard.acme.example.com/auth/gate",
-    "webhook_url": "https://api.acme.example.com/v1/gate/webhook",
     "env_vars": [
       {
         "name": "Publishable key",
@@ -41,7 +40,8 @@
       "privacy_url": "https://acme.example.com/privacy"
     },
     "created_at": "2026-04-03T20:00:00.000Z",
-    "updated_at": "2026-04-03T20:10:00.000Z"
+    "updated_at": "2026-04-03T20:10:00.000Z",
+    "webhook_endpoint_id": "we_0123456789abcdef0123456789abcdef"
   },
   "meta": {
     "request_id": "req_0123456789abcdef0123456789abcdef"

data/spec/fixtures/api/gate/services-list.json

@@ -9,7 +9,6 @@
       "description": "Acme production signup flow",
       "website": "https://acme.example.com",
       "dashboard_login_url": "https://dashboard.acme.example.com/auth/gate",
-      "webhook_url": "https://api.acme.example.com/v1/gate/webhook",
       "env_vars": [
         {
           "name": "Publishable key",
@@ -42,7 +41,8 @@
         "privacy_url": "https://acme.example.com/privacy"
       },
       "created_at": "2026-04-03T20:00:00.000Z",
-      "updated_at": "2026-04-03T20:05:00.000Z"
+      "updated_at": "2026-04-03T20:05:00.000Z",
+      "webhook_endpoint_id": "we_0123456789abcdef0123456789abcdef"
     }
   ],
   "meta": {

data/spec/fixtures/api/organizations/api-key-create.json

@@ -0,0 +1,27 @@
+{
+  "data": {
+    "object": "api_key",
+    "id": "key_2y4grs8zpxb7n1q3dm5kc9wfta",
+    "type": "secret",
+    "name": "Production Backend",
+    "environment": "live",
+    "status": "active",
+    "allowed_origins": null,
+    "scopes": [
+      "sessions:list",
+      "sessions:read",
+      "api_keys:read"
+    ],
+    "rate_limit": null,
+    "key_preview": "sk_live_[example]...",
+    "revealed_key": "sk_live_[example_secret_key]",
+    "last_used_at": null,
+    "created_at": "2026-03-24T19:00:00.000Z",
+    "rotated_at": null,
+    "revoked_at": null,
+    "grace_expires_at": null
+  },
+  "meta": {
+    "request_id": "req_0123456789abcdef0123456789abcdef"
+  }
+}

data/spec/fixtures/api/{teams → organizations}/api-key-list.json

@@ -3,17 +3,22 @@
     {
       "object": "api_key",
       "id": "key_6789abcdefghjkmnpqrstvwxyz",
-      "public_key": "pk_live_example",
-      "name": "Production",
+      "type": "publishable",
+      "name": "Acme Web App",
       "environment": "live",
+      "status": "active",
       "allowed_origins": [
         "https://example.com"
       ],
-      "rate_limit": 600,
-      "status": "active",
+      "scopes": null,
+      "rate_limit": null,
+      "key_preview": "pk_live_[example]...",
+      "display_key": "pk_live_[example_publishable_key]",
+      "last_used_at": "2026-03-24T19:30:00.000Z",
       "created_at": "2026-03-24T19:00:00.000Z",
       "rotated_at": null,
-      "revoked_at": null
+      "revoked_at": null,
+      "grace_expires_at": null
     }
   ],
   "pagination": {

data/spec/fixtures/api/{teams → organizations}/api-key-revoke.json

@@ -2,17 +2,22 @@
   "data": {
     "object": "api_key",
     "id": "key_6789abcdefghjkmnpqrstvwxyz",
-    "public_key": "pk_live_example",
-    "name": "Production",
+    "type": "publishable",
+    "name": "Acme Web App",
     "environment": "live",
+    "status": "revoked",
     "allowed_origins": [
       "https://example.com"
     ],
-    "rate_limit": 600,
-    "status": "revoked",
+    "scopes": null,
+    "rate_limit": null,
+    "key_preview": "pk_live_[example]...",
+    "display_key": "pk_live_[example_publishable_key]",
+    "last_used_at": "2026-03-24T19:30:00.000Z",
     "created_at": "2026-03-24T19:00:00.000Z",
     "rotated_at": null,
-    "revoked_at": "2026-03-24T20:05:00.000Z"
+    "revoked_at": "2026-03-24T20:05:00.000Z",
+    "grace_expires_at": null
   },
   "meta": {
     "request_id": "req_0123456789abcdef0123456789abcdef"

data/spec/fixtures/api/organizations/api-key-rotate.json

@@ -0,0 +1,27 @@
+{
+  "data": {
+    "object": "api_key",
+    "id": "key_789abcdefghjkmnpqrstvwxyz0",
+    "type": "secret",
+    "name": "Production Backend",
+    "environment": "live",
+    "status": "active",
+    "allowed_origins": null,
+    "scopes": [
+      "sessions:list",
+      "sessions:read",
+      "api_keys:manage"
+    ],
+    "rate_limit": null,
+    "key_preview": "sk_live_[rotated_example]...",
+    "revealed_key": "sk_live_[rotated_example_secret_key]",
+    "last_used_at": null,
+    "created_at": "2026-03-24T19:00:00.000Z",
+    "rotated_at": null,
+    "revoked_at": null,
+    "grace_expires_at": null
+  },
+  "meta": {
+    "request_id": "req_0123456789abcdef0123456789abcdef"
+  }
+}

data/spec/fixtures/api/organizations/api-key-update.json

@@ -0,0 +1,29 @@
+{
+  "data": {
+    "object": "api_key",
+    "id": "key_6789abcdefghjkmnpqrstvwxyz",
+    "type": "publishable",
+    "name": "Updated Web App",
+    "environment": "live",
+    "status": "active",
+    "allowed_origins": [
+      "https://example.com",
+      "https://app.example.com"
+    ],
+    "scopes": [
+      "sessions:list",
+      "sessions:read"
+    ],
+    "rate_limit": null,
+    "key_preview": "pk_live_[example]...",
+    "display_key": "pk_live_[example_publishable_key]",
+    "last_used_at": "2026-03-24T19:30:00.000Z",
+    "created_at": "2026-03-24T19:00:00.000Z",
+    "rotated_at": null,
+    "revoked_at": null,
+    "grace_expires_at": null
+  },
+  "meta": {
+    "request_id": "req_0123456789abcdef0123456789abcdef"
+  }
+}

data/spec/fixtures/api/{teams/team-create.json → organizations/organization-create.json}

@@ -1,9 +1,9 @@
 {
   "data": {
-    "object": "team",
-    "id": "team_56789abcdefghjkmnpqrstvwxy",
-    "name": "Example Team",
-    "slug": "example-team",
+    "object": "organization",
+    "id": "org_56789abcdefghjkmnpqrstvwxy",
+    "name": "Example Organization",
+    "slug": "example-organization",
     "status": "active",
     "created_at": "2026-03-24T19:00:00.000Z",
     "updated_at": "2026-03-24T19:10:00.000Z"

data/spec/fixtures/api/{teams/team-update.json → organizations/organization-update.json}

@@ -1,9 +1,9 @@
 {
   "data": {
-    "object": "team",
-    "id": "team_56789abcdefghjkmnpqrstvwxy",
-    "name": "Example Team",
-    "slug": "example-team",
+    "object": "organization",
+    "id": "org_56789abcdefghjkmnpqrstvwxy",
+    "name": "Example Organization",
+    "slug": "example-organization",
     "status": "suspended",
     "created_at": "2026-03-24T19:00:00.000Z",
     "updated_at": "2026-03-24T19:12:00.000Z"

data/spec/fixtures/api/{teams/team.json → organizations/organization.json}

@@ -1,9 +1,9 @@
 {
   "data": {
-    "object": "team",
-    "id": "team_56789abcdefghjkmnpqrstvwxy",
-    "name": "Example Team",
-    "slug": "example-team",
+    "object": "organization",
+    "id": "org_56789abcdefghjkmnpqrstvwxy",
+    "name": "Example Organization",
+    "slug": "example-organization",
     "status": "active",
     "created_at": "2026-03-24T19:00:00.000Z",
     "updated_at": "2026-03-24T19:10:00.000Z"