workos 7.1.1 → 7.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 784d66731f3736d0a82674d067f89b258f5979c497ae57bbf0d413af3fa3cd61
-  data.tar.gz: 7fed939e2d52cf44085df0a6aeb3d7cad07778eefff07c1380b023ee7810624c
+  metadata.gz: 6e48d8fb142eca494c5b316c17dd940cfbb2244a5c1589a9b30cc7106f850631
+  data.tar.gz: 1fd7a0f9e75d74109e01e6a54546cf7f83155c78e64ea321e77d032e219a749c
 SHA512:
-  metadata.gz: 0e75fe9404664c71cf3dc2fa392c0871406cbcc9aca8b0e2b87f09c88e894b40a8485a79d45e1feb2df068ff2a93d204a83ff331ae0c5a6c4d1eccb601021b98
-  data.tar.gz: 5504f24a552331b35908cf14dc1cdd54023ef646fad049ccb7ebe1e95a1f71c24c4f5f8ef0cda714ecdd795c34dbbda2fafcb898cbc93099ce61e6aff215712b
+  metadata.gz: 29c7c96477e7d66be140bee056673e9d5385beb15da8cad3011e9a3335d8d6ebcf902d9547c2188656ed0fdb0cdde724df79a6eb240507e501a46c6c0cded34e
+  data.tar.gz: 34592fb5ecd1d1e52f06338115f3740a02304f1c3d077c06a8038bb8bb009dd769073d2bff0bf782558a945bd3ff9b4270c868a1101ebf2c7ac6443bbaf735cd

data/.oagen-manifest.json

@@ -1,7 +1,7 @@
 {
   "version": 2,
   "language": "ruby",
-  "generatedAt": "2026-04-27T20:55:49.741Z",
+  "generatedAt": "2026-04-30T17:41:02.756Z",
   "files": [
     "lib/workos.rb",
     "lib/workos/admin_portal.rb",

data/.release-please-manifest.json

@@ -1,3 +1,3 @@
 {
-  ".": "7.1.1"
+  ".": "7.1.2"
 }

data/CHANGELOG.md

@@ -1,5 +1,14 @@
 # Changelog
 
+## [7.1.2](https://github.com/workos/workos-ruby/compare/v7.1.1...v7.1.2) (2026-05-06)
+
+
+### Bug Fixes
+
+* decode legacy v6 sealed sessions on unseal ([#479](https://github.com/workos/workos-ruby/issues/479)) ([1d8b4aa](https://github.com/workos/workos-ruby/commit/1d8b4aaa26e77e6d7820feb7e2f81278a77b0cf4))
+* replace parameter-group hashes with typed variant classes ([#473](https://github.com/workos/workos-ruby/issues/473)) ([a66c15b](https://github.com/workos/workos-ruby/commit/a66c15b6070ad8c26f0ca0b9ad7414f7b2ce8d8a))
+* set canonical User-Agent header format ([#476](https://github.com/workos/workos-ruby/issues/476)) ([6728358](https://github.com/workos/workos-ruby/commit/67283581886a122f36d907229a71211665623219))
+
 ## [7.1.1](https://github.com/workos/workos-ruby/compare/v7.1.0...v7.1.1) (2026-04-29)
 
 

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    workos (7.1.1)
+    workos (7.1.2)
       jwt (~> 3.1)
       logger (~> 1.7)
       zeitwerk (~> 2.6)
@@ -124,7 +124,7 @@ CHECKSUMS
   unicode-display_width (3.2.0) sha256=0cdd96b5681a5949cdbc2c55e7b420facae74c4aaf9a9815eee1087cb1853c42
   unicode-emoji (4.2.0) sha256=519e69150f75652e40bf736106cfbc8f0f73aa3fb6a65afe62fefa7f80b0f80f
   webmock (3.26.2) sha256=774556f2ea6371846cca68c01769b2eac0d134492d21f6d0ab5dd643965a4c90
-  workos (7.1.1)
+  workos (7.1.2)
   zeitwerk (2.7.5) sha256=d8da92128c09ea6ec62c949011b00ed4a20242b255293dd66bf41545398f73dd
 
 BUNDLED WITH

data/lib/workos/api_keys.rb

@@ -20,7 +20,7 @@ module WorkOS
     )
       body = {
         "value" => value
-      }.compact
+      }
       response = @client.request(
         method: :post,
         path: "/api_keys/validations",

data/lib/workos/audit_logs.rb

@@ -41,7 +41,7 @@ module WorkOS
     )
       body = {
         "retention_period_in_days" => retention_period_in_days
-      }.compact
+      }
       response = @client.request(
         method: :put,
         path: "/organizations/#{WorkOS::Util.encode_path(id)}/audit_logs_retention",
@@ -189,7 +189,7 @@ module WorkOS
       body = {
         "organization_id" => organization_id,
         "event" => event
-      }.compact
+      }
       response = @client.request(
         method: :post,
         path: "/audit_logs/events",

data/lib/workos/authorization.rb

@@ -6,6 +6,48 @@ require "json"
 
 module WorkOS
   class Authorization
+    # Identifies the resource target (by id variant).
+    #
+    # @!attribute [r] resource_id
+    #   @return [String]
+    ResourceTargetById = Data.define(:resource_id)
+
+    # Identifies the resource target (by external id variant).
+    #
+    # @!attribute [r] resource_external_id
+    #   @return [String]
+    # @!attribute [r] resource_type_slug
+    #   @return [String]
+    ResourceTargetByExternalId = Data.define(:resource_external_id, :resource_type_slug)
+
+    # Identifies the parent resource (by id variant).
+    #
+    # @!attribute [r] parent_resource_id
+    #   @return [String]
+    ParentResourceById = Data.define(:parent_resource_id)
+
+    # Identifies the parent resource (by external id variant).
+    #
+    # @!attribute [r] parent_resource_type_slug
+    #   @return [String]
+    # @!attribute [r] parent_resource_external_id
+    #   @return [String]
+    ParentResourceByExternalId = Data.define(:parent_resource_type_slug, :parent_resource_external_id)
+
+    # Identifies the parent (by id variant).
+    #
+    # @!attribute [r] parent_resource_id
+    #   @return [String]
+    ParentById = Data.define(:parent_resource_id)
+
+    # Identifies the parent (by external id variant).
+    #
+    # @!attribute [r] parent_resource_type_slug
+    #   @return [String]
+    # @!attribute [r] parent_external_id
+    #   @return [String]
+    ParentByExternalId = Data.define(:parent_resource_type_slug, :parent_external_id)
+
     def initialize(client)
       @client = client
     end
@@ -13,32 +55,26 @@ module WorkOS
     # Check authorization
     # @param organization_membership_id [String] The ID of the organization membership to check.
     # @param permission_slug [String] The slug of the permission to check.
-    # @param resource_id [String, nil] The ID of the resource. Mutually exclusive with `resource_external_id` and `resource_type_slug`.
-    # @param resource_external_id [String, nil] The external ID of the resource. Required with `resource_type_slug`. Mutually exclusive with `resource_id`.
-    # @param resource_type_slug [String, nil] The slug of the resource type. Required with `resource_external_id`. Mutually exclusive with `resource_id`.
+    # @param resource_target [WorkOS::Authorization::ResourceTargetById, WorkOS::Authorization::ResourceTargetByExternalId] Identifies the resource target.
     # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
     # @return [WorkOS::AuthorizationCheck]
     def check(
       organization_membership_id:,
       permission_slug:,
       resource_target:,
-      resource_id: nil,
-      resource_external_id: nil,
-      resource_type_slug: nil,
       request_options: {}
     )
       body = {
-        "permission_slug" => permission_slug,
-        "resource_id" => resource_id,
-        "resource_external_id" => resource_external_id,
-        "resource_type_slug" => resource_type_slug
-      }.compact
-      case resource_target[:type]
-      when "by_id"
-        body["resource_id"] = resource_target[:resource_id]
-      when "by_external_id"
-        body["resource_external_id"] = resource_target[:resource_external_id]
-        body["resource_type_slug"] = resource_target[:resource_type_slug]
+        "permission_slug" => permission_slug
+      }
+      case resource_target
+      when WorkOS::Authorization::ResourceTargetById
+        body["resource_id"] = resource_target.resource_id
+      when WorkOS::Authorization::ResourceTargetByExternalId
+        body["resource_external_id"] = resource_target.resource_external_id
+        body["resource_type_slug"] = resource_target.resource_type_slug
+      else
+        raise ArgumentError, "expected resource_target to be one of: WorkOS::Authorization::ResourceTargetById, WorkOS::Authorization::ResourceTargetByExternalId, got #{resource_target.class}"
       end
       response = @client.request(
         method: :post,
@@ -59,6 +95,7 @@ module WorkOS
     # @param limit [Integer, nil] Upper limit on the number of objects to return, between `1` and `100`.
     # @param order [WorkOS::Types::AuthorizationOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
     # @param permission_slug [String] The permission slug to filter by. Only child resources where the organization membership has this permission are returned.
+    # @param parent_resource [WorkOS::Authorization::ParentResourceById, WorkOS::Authorization::ParentResourceByExternalId] Identifies the parent resource.
     # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
     # @return [WorkOS::Types::ListStruct<WorkOS::AuthorizationResource>]
     def list_resources_for_membership(
@@ -78,12 +115,14 @@ module WorkOS
         "order" => order,
         "permission_slug" => permission_slug
       }.compact
-      case parent_resource[:type]
-      when "by_id"
-        params["parent_resource_id"] = parent_resource[:parent_resource_id]
-      when "by_external_id"
-        params["parent_resource_type_slug"] = parent_resource[:parent_resource_type_slug]
-        params["parent_resource_external_id"] = parent_resource[:parent_resource_external_id]
+      case parent_resource
+      when WorkOS::Authorization::ParentResourceById
+        params["parent_resource_id"] = parent_resource.parent_resource_id
+      when WorkOS::Authorization::ParentResourceByExternalId
+        params["parent_resource_type_slug"] = parent_resource.parent_resource_type_slug
+        params["parent_resource_external_id"] = parent_resource.parent_resource_external_id
+      else
+        raise ArgumentError, "expected parent_resource to be one of: WorkOS::Authorization::ParentResourceById, WorkOS::Authorization::ParentResourceByExternalId, got #{parent_resource.class}"
       end
       response = @client.request(
         method: :get,
@@ -265,32 +304,26 @@ module WorkOS
     # Assign a role
     # @param organization_membership_id [String] The ID of the organization membership.
     # @param role_slug [String] The slug of the role to assign.
-    # @param resource_id [String, nil] The ID of the resource. Mutually exclusive with `resource_external_id` and `resource_type_slug`.
-    # @param resource_external_id [String, nil] The external ID of the resource. Required with `resource_type_slug`. Mutually exclusive with `resource_id`.
-    # @param resource_type_slug [String, nil] The resource type slug. Required with `resource_external_id`. Mutually exclusive with `resource_id`.
+    # @param resource_target [WorkOS::Authorization::ResourceTargetById, WorkOS::Authorization::ResourceTargetByExternalId] Identifies the resource target.
     # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
     # @return [WorkOS::RoleAssignment]
     def assign_role(
       organization_membership_id:,
       role_slug:,
       resource_target:,
-      resource_id: nil,
-      resource_external_id: nil,
-      resource_type_slug: nil,
       request_options: {}
     )
       body = {
-        "role_slug" => role_slug,
-        "resource_id" => resource_id,
-        "resource_external_id" => resource_external_id,
-        "resource_type_slug" => resource_type_slug
-      }.compact
-      case resource_target[:type]
-      when "by_id"
-        body["resource_id"] = resource_target[:resource_id]
-      when "by_external_id"
-        body["resource_external_id"] = resource_target[:resource_external_id]
-        body["resource_type_slug"] = resource_target[:resource_type_slug]
+        "role_slug" => role_slug
+      }
+      case resource_target
+      when WorkOS::Authorization::ResourceTargetById
+        body["resource_id"] = resource_target.resource_id
+      when WorkOS::Authorization::ResourceTargetByExternalId
+        body["resource_external_id"] = resource_target.resource_external_id
+        body["resource_type_slug"] = resource_target.resource_type_slug
+      else
+        raise ArgumentError, "expected resource_target to be one of: WorkOS::Authorization::ResourceTargetById, WorkOS::Authorization::ResourceTargetByExternalId, got #{resource_target.class}"
       end
       response = @client.request(
         method: :post,
@@ -307,34 +340,28 @@ module WorkOS
     # Remove a role assignment
     # @param organization_membership_id [String] The ID of the organization membership.
     # @param role_slug [String] The slug of the role to remove.
-    # @param resource_id [String, nil] The ID of the resource. Mutually exclusive with `resource_external_id` and `resource_type_slug`.
-    # @param resource_external_id [String, nil] The external ID of the resource. Required with `resource_type_slug`. Mutually exclusive with `resource_id`.
-    # @param resource_type_slug [String, nil] The resource type slug. Required with `resource_external_id`. Mutually exclusive with `resource_id`.
+    # @param resource_target [WorkOS::Authorization::ResourceTargetById, WorkOS::Authorization::ResourceTargetByExternalId] Identifies the resource target.
     # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
     # @return [void]
     def remove_role(
       organization_membership_id:,
       role_slug:,
       resource_target:,
-      resource_id: nil,
-      resource_external_id: nil,
-      resource_type_slug: nil,
       request_options: {}
     )
-      params = {}.compact
-      case resource_target[:type]
-      when "by_id"
-        params["resource_id"] = resource_target[:resource_id]
-      when "by_external_id"
-        params["resource_external_id"] = resource_target[:resource_external_id]
-        params["resource_type_slug"] = resource_target[:resource_type_slug]
+      params = {}
+      case resource_target
+      when WorkOS::Authorization::ResourceTargetById
+        params["resource_id"] = resource_target.resource_id
+      when WorkOS::Authorization::ResourceTargetByExternalId
+        params["resource_external_id"] = resource_target.resource_external_id
+        params["resource_type_slug"] = resource_target.resource_type_slug
+      else
+        raise ArgumentError, "expected resource_target to be one of: WorkOS::Authorization::ResourceTargetById, WorkOS::Authorization::ResourceTargetByExternalId, got #{resource_target.class}"
       end
       body = {
-        "role_slug" => role_slug,
-        "resource_id" => resource_id,
-        "resource_external_id" => resource_external_id,
-        "resource_type_slug" => resource_type_slug
-      }.compact
+        "role_slug" => role_slug
+      }
       @client.request(
         method: :delete,
         path: "/authorization/organization_memberships/#{WorkOS::Util.encode_path(organization_membership_id)}/role_assignments",
@@ -502,7 +529,7 @@ module WorkOS
     )
       body = {
         "slug" => body_slug
-      }.compact
+      }
       response = @client.request(
         method: :post,
         path: "/authorization/organizations/#{WorkOS::Util.encode_path(organization_id)}/roles/#{WorkOS::Util.encode_path(slug)}/permissions",
@@ -529,7 +556,7 @@ module WorkOS
     )
       body = {
         "permissions" => permissions
-      }.compact
+      }
       response = @client.request(
         method: :put,
         path: "/authorization/organizations/#{WorkOS::Util.encode_path(organization_id)}/roles/#{WorkOS::Util.encode_path(slug)}/permissions",
@@ -594,9 +621,7 @@ module WorkOS
     # @param external_id [String] An identifier you provide to reference the resource in your system.
     # @param name [String, nil] A display name for the resource.
     # @param description [String, nil] An optional description of the resource.
-    # @param parent_resource_id [String, nil] The ID of the parent resource. Mutually exclusive with `parent_resource_external_id` and `parent_resource_type_slug`.
-    # @param parent_resource_external_id [String, nil] The external ID of the parent resource. Required with `parent_resource_type_slug`. Mutually exclusive with `parent_resource_id`.
-    # @param parent_resource_type_slug [String, nil] The resource type slug of the parent resource. Required with `parent_resource_external_id`. Mutually exclusive with `parent_resource_id`.
+    # @param parent_resource [WorkOS::Authorization::ParentResourceById, WorkOS::Authorization::ParentResourceByExternalId, nil] Identifies the parent resource.
     # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
     # @return [WorkOS::AuthorizationResource]
     def update_resource_by_external_id(
@@ -605,26 +630,22 @@ module WorkOS
       external_id:,
       name: nil,
       description: nil,
-      parent_resource_id: nil,
-      parent_resource_external_id: nil,
-      parent_resource_type_slug: nil,
       parent_resource: nil,
       request_options: {}
     )
       body = {
         "name" => name,
-        "description" => description,
-        "parent_resource_id" => parent_resource_id,
-        "parent_resource_external_id" => parent_resource_external_id,
-        "parent_resource_type_slug" => parent_resource_type_slug
+        "description" => description
       }.compact
       if parent_resource
-        case parent_resource[:type]
-        when "by_id"
-          body["parent_resource_id"] = parent_resource[:parent_resource_id]
-        when "by_external_id"
-          body["parent_resource_external_id"] = parent_resource[:parent_resource_external_id]
-          body["parent_resource_type_slug"] = parent_resource[:parent_resource_type_slug]
+        case parent_resource
+        when WorkOS::Authorization::ParentResourceById
+          body["parent_resource_id"] = parent_resource.parent_resource_id
+        when WorkOS::Authorization::ParentResourceByExternalId
+          body["parent_resource_external_id"] = parent_resource.parent_resource_external_id
+          body["parent_resource_type_slug"] = parent_resource.parent_resource_type_slug
+        else
+          raise ArgumentError, "expected parent_resource to be one of: WorkOS::Authorization::ParentResourceById, WorkOS::Authorization::ParentResourceByExternalId, got #{parent_resource.class}"
         end
       end
       response = @client.request(
@@ -736,6 +757,7 @@ module WorkOS
     # @param resource_type_slug [String, nil] Filter resources by resource type slug.
     # @param resource_external_id [String, nil] Filter resources by external ID.
     # @param search [String, nil] Search resources by name.
+    # @param parent [WorkOS::Authorization::ParentById, WorkOS::Authorization::ParentByExternalId, nil] Identifies the parent.
     # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
     # @return [WorkOS::Types::ListStruct<WorkOS::AuthorizationResource>]
     def list_resources(
@@ -761,12 +783,14 @@ module WorkOS
         "search" => search
       }.compact
       if parent
-        case parent[:type]
-        when "by_id"
-          params["parent_resource_id"] = parent[:parent_resource_id]
-        when "by_external_id"
-          params["parent_resource_type_slug"] = parent[:parent_resource_type_slug]
-          params["parent_external_id"] = parent[:parent_external_id]
+        case parent
+        when WorkOS::Authorization::ParentById
+          params["parent_resource_id"] = parent.parent_resource_id
+        when WorkOS::Authorization::ParentByExternalId
+          params["parent_resource_type_slug"] = parent.parent_resource_type_slug
+          params["parent_external_id"] = parent.parent_external_id
+        else
+          raise ArgumentError, "expected parent to be one of: WorkOS::Authorization::ParentById, WorkOS::Authorization::ParentByExternalId, got #{parent.class}"
         end
       end
       response = @client.request(
@@ -804,9 +828,7 @@ module WorkOS
     # @param description [String, nil] An optional description of the resource.
     # @param resource_type_slug [String] The slug of the resource type.
     # @param organization_id [String] The ID of the organization this resource belongs to.
-    # @param parent_resource_id [String, nil] The ID of the parent resource. Mutually exclusive with `parent_resource_external_id` and `parent_resource_type_slug`.
-    # @param parent_resource_external_id [String, nil] The external ID of the parent resource. Required with `parent_resource_type_slug`. Mutually exclusive with `parent_resource_id`.
-    # @param parent_resource_type_slug [String, nil] The resource type slug of the parent resource. Required with `parent_resource_external_id`. Mutually exclusive with `parent_resource_id`.
+    # @param parent_resource [WorkOS::Authorization::ParentResourceById, WorkOS::Authorization::ParentResourceByExternalId, nil] Identifies the parent resource.
     # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
     # @return [WorkOS::AuthorizationResource]
     def create_resource(
@@ -815,9 +837,6 @@ module WorkOS
       resource_type_slug:,
       organization_id:,
       description: nil,
-      parent_resource_id: nil,
-      parent_resource_external_id: nil,
-      parent_resource_type_slug: nil,
       parent_resource: nil,
       request_options: {}
     )
@@ -826,18 +845,17 @@ module WorkOS
         "name" => name,
         "description" => description,
         "resource_type_slug" => resource_type_slug,
-        "organization_id" => organization_id,
-        "parent_resource_id" => parent_resource_id,
-        "parent_resource_external_id" => parent_resource_external_id,
-        "parent_resource_type_slug" => parent_resource_type_slug
+        "organization_id" => organization_id
       }.compact
       if parent_resource
-        case parent_resource[:type]
-        when "by_id"
-          body["parent_resource_id"] = parent_resource[:parent_resource_id]
-        when "by_external_id"
-          body["parent_resource_external_id"] = parent_resource[:parent_resource_external_id]
-          body["parent_resource_type_slug"] = parent_resource[:parent_resource_type_slug]
+        case parent_resource
+        when WorkOS::Authorization::ParentResourceById
+          body["parent_resource_id"] = parent_resource.parent_resource_id
+        when WorkOS::Authorization::ParentResourceByExternalId
+          body["parent_resource_external_id"] = parent_resource.parent_resource_external_id
+          body["parent_resource_type_slug"] = parent_resource.parent_resource_type_slug
+        else
+          raise ArgumentError, "expected parent_resource to be one of: WorkOS::Authorization::ParentResourceById, WorkOS::Authorization::ParentResourceByExternalId, got #{parent_resource.class}"
         end
       end
       response = @client.request(
@@ -875,35 +893,29 @@ module WorkOS
     # @param resource_id [String] The ID of the authorization resource.
     # @param name [String, nil] A display name for the resource.
     # @param description [String, nil] An optional description of the resource.
-    # @param parent_resource_id [String, nil] The ID of the parent resource. Mutually exclusive with `parent_resource_external_id` and `parent_resource_type_slug`.
-    # @param parent_resource_external_id [String, nil] The external ID of the parent resource. Required with `parent_resource_type_slug`. Mutually exclusive with `parent_resource_id`.
-    # @param parent_resource_type_slug [String, nil] The resource type slug of the parent resource. Required with `parent_resource_external_id`. Mutually exclusive with `parent_resource_id`.
+    # @param parent_resource [WorkOS::Authorization::ParentResourceById, WorkOS::Authorization::ParentResourceByExternalId, nil] Identifies the parent resource.
     # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
     # @return [WorkOS::AuthorizationResource]
     def update_resource(
       resource_id:,
       name: nil,
       description: nil,
-      parent_resource_id: nil,
-      parent_resource_external_id: nil,
-      parent_resource_type_slug: nil,
       parent_resource: nil,
       request_options: {}
     )
       body = {
         "name" => name,
-        "description" => description,
-        "parent_resource_id" => parent_resource_id,
-        "parent_resource_external_id" => parent_resource_external_id,
-        "parent_resource_type_slug" => parent_resource_type_slug
+        "description" => description
       }.compact
       if parent_resource
-        case parent_resource[:type]
-        when "by_id"
-          body["parent_resource_id"] = parent_resource[:parent_resource_id]
-        when "by_external_id"
-          body["parent_resource_external_id"] = parent_resource[:parent_resource_external_id]
-          body["parent_resource_type_slug"] = parent_resource[:parent_resource_type_slug]
+        case parent_resource
+        when WorkOS::Authorization::ParentResourceById
+          body["parent_resource_id"] = parent_resource.parent_resource_id
+        when WorkOS::Authorization::ParentResourceByExternalId
+          body["parent_resource_external_id"] = parent_resource.parent_resource_external_id
+          body["parent_resource_type_slug"] = parent_resource.parent_resource_type_slug
+        else
+          raise ArgumentError, "expected parent_resource to be one of: WorkOS::Authorization::ParentResourceById, WorkOS::Authorization::ParentResourceByExternalId, got #{parent_resource.class}"
         end
       end
       response = @client.request(
@@ -1102,7 +1114,7 @@ module WorkOS
     )
       body = {
         "slug" => body_slug
-      }.compact
+      }
       response = @client.request(
         method: :post,
         path: "/authorization/roles/#{WorkOS::Util.encode_path(slug)}/permissions",
@@ -1127,7 +1139,7 @@ module WorkOS
     )
       body = {
         "permissions" => permissions
-      }.compact
+      }
       response = @client.request(
         method: :put,
         path: "/authorization/roles/#{WorkOS::Util.encode_path(slug)}/permissions",

data/lib/workos/base_client.rb

@@ -34,7 +34,12 @@ module WorkOS
     RETRY_BACKOFF_BASE = 0.5
     LOG_SEVERITY = {debug: 0, info: 1, warn: 2, error: 3, unknown: 4}.freeze
 
-    USER_AGENT = "workos-ruby/#{WorkOS::VERSION} ruby/#{RUBY_VERSION} (#{RUBY_PLATFORM})"
+    USER_AGENT = [
+      "WorkOS",
+      "#{defined?(::RUBY_ENGINE) ? ::RUBY_ENGINE : "ruby"}/#{RUBY_VERSION}",
+      RUBY_PLATFORM,
+      "v#{WorkOS::VERSION}"
+    ].join("; ").freeze
 
     attr_reader :api_key, :base_url, :client_id, :timeout, :max_retries, :logger, :log_level
 

data/lib/workos/encryptors/aes_gcm.rb

@@ -27,6 +27,18 @@ module WorkOS
 
       def unseal(sealed, key)
         raw = Base64.decode64(sealed.to_s)
+        decode_v7(raw, key)
+      rescue ArgumentError, OpenSSL::Cipher::CipherError => original_error
+        begin
+          decode_old(raw, key)
+        rescue ArgumentError, OpenSSL::Cipher::CipherError
+          raise original_error
+        end
+      end
+
+      private
+
+      def decode_v7(raw, key)
         raise ArgumentError, "Sealed payload too short" if raw.bytesize < 1 + 12 + 16
         version = raw.byteslice(0, 1).bytes.first
         raise ArgumentError, "Unknown seal version: #{version}" unless version == SEAL_VERSION
@@ -37,7 +49,29 @@ module WorkOS
         cipher.key = derive_key(key)
         cipher.iv = iv
         cipher.auth_tag = tag
-        decoded = cipher.update(ciphertext) + cipher.final
+
+        parse_decoded(cipher.update(ciphertext) + cipher.final)
+      end
+
+      def decode_old(raw, key)
+        # v6 sealed sessions were Base64(iv + ciphertext + auth_tag) using the
+        # `encryptor` gem without the v7 version byte or key derivation.
+        raise ArgumentError, "Legacy sealed payload too short" if raw.bytesize < 12 + 16
+
+        iv = raw.byteslice(0, 12)
+        encrypted = raw.byteslice(12, raw.bytesize - 12)
+        ciphertext = encrypted.byteslice(0, encrypted.bytesize - 16)
+        tag = encrypted.byteslice(encrypted.bytesize - 16, 16)
+
+        cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
+        cipher.key = key.to_s
+        cipher.iv = iv
+        cipher.auth_tag = tag
+
+        parse_decoded(cipher.update(ciphertext) + cipher.final)
+      end
+
+      def parse_decoded(decoded)
         decoded.force_encoding(Encoding::UTF_8)
         begin
           JSON.parse(decoded)
@@ -46,8 +80,6 @@ module WorkOS
         end
       end
 
-      private
-
       def derive_key(passphrase)
         Digest::SHA256.digest(passphrase.to_s)
       end

data/lib/workos/groups.rb

@@ -219,7 +219,7 @@ module WorkOS
     )
       body = {
         "organization_membership_id" => organization_membership_id
-      }.compact
+      }
       response = @client.request(
         method: :post,
         path: "/organizations/#{WorkOS::Util.encode_path(organization_id)}/groups/#{WorkOS::Util.encode_path(group_id)}/organization-memberships",

data/lib/workos/multi_factor_auth.rb

@@ -22,7 +22,7 @@ module WorkOS
     )
       body = {
         "code" => code
-      }.compact
+      }
       response = @client.request(
         method: :post,
         path: "/auth/challenges/#{WorkOS::Util.encode_path(id)}/verify",

data/lib/workos/organization_domains.rb

@@ -23,7 +23,7 @@ module WorkOS
       body = {
         "domain" => domain,
         "organization_id" => organization_id
-      }.compact
+      }
       response = @client.request(
         method: :post,
         path: "/organization_domains",

data/lib/workos/radar.rb

@@ -91,7 +91,7 @@ module WorkOS
     )
       body = {
         "entry" => entry
-      }.compact
+      }
       response = @client.request(
         method: :post,
         path: "/radar/lists/#{WorkOS::Util.encode_path(type)}/#{WorkOS::Util.encode_path(action)}",
@@ -118,7 +118,7 @@ module WorkOS
     )
       body = {
         "entry" => entry
-      }.compact
+      }
       @client.request(
         method: :delete,
         path: "/radar/lists/#{WorkOS::Util.encode_path(type)}/#{WorkOS::Util.encode_path(action)}",

data/lib/workos/sso.rb

@@ -116,7 +116,7 @@ module WorkOS
     )
       body = {
         "profile_id" => profile_id
-      }.compact
+      }
       response = @client.request(
         method: :post,
         path: "/sso/logout/authorize",
@@ -157,7 +157,7 @@ module WorkOS
         "client_id" => request_options[:client_id] || @client.client_id,
         "client_secret" => request_options[:api_key] || @client.api_key,
         "code" => code
-      }.compact
+      }
       response = @client.request(
         method: :post,
         path: "/sso/token",