workos 8.0.0 → 9.0.0

data/lib/workos/vault/vault_names_listed.rb

@@ -5,30 +5,30 @@
 module WorkOS
   class VaultNamesListed < WorkOS::Types::BaseModel
     HASH_ATTRS = {
+      object: :object,
       id: :id,
       event: :event,
       data: :data,
       created_at: :created_at,
-      context: :context,
-      object: :object
+      context: :context
     }.freeze
 
     attr_accessor \
+      :object,
       :id,
       :event,
       :data,
       :created_at,
-      :context,
-      :object
+      :context
 
     def initialize(json)
       hash = self.class.normalize(json)
+      @object = hash[:object]
       @id = hash[:id]
       @event = hash[:event]
       @data = hash[:data] ? WorkOS::VaultNamesListedData.new(hash[:data]) : nil
       @created_at = hash[:created_at]
       @context = hash[:context] ? WorkOS::EventContext.new(hash[:context]) : nil
-      @object = hash[:object]
     end
   end
 end

data/lib/workos/vault/version_list_response.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+# This file is auto-generated by oagen. Do not edit.
+
+module WorkOS
+  class VersionListResponse < WorkOS::Types::BaseModel
+    HASH_ATTRS = {
+      data: :data,
+      list_metadata: :list_metadata
+    }.freeze
+
+    attr_accessor \
+      :data,
+      :list_metadata
+
+    def initialize(json)
+      hash = self.class.normalize(json)
+      @data = (hash[:data] || []).map { |item| item ? WorkOS::ObjectVersion.new(item) : nil }
+      @list_metadata = hash[:list_metadata] ? WorkOS::ListMetadata.new(hash[:list_metadata]) : nil
+    end
+  end
+end

data/lib/workos/vault.rb

@@ -1,176 +1,309 @@
 # frozen_string_literal: true
 
-# @oagen-ignore-file
-# Hand-maintained Vault service: 8 KV endpoints + 2 key endpoints + client-side
-# AES-GCM encrypt/decrypt (H18). The Vault HTTP API is not in the OpenAPI spec
-# and the AES-GCM helpers are inherently client-side, so this stays
-# hand-maintained regardless of spec coverage.
-require "base64"
+# This file is auto-generated by oagen. Do not edit.
+
 require "json"
+require "base64"
 require "openssl"
 require "securerandom"
 
 module WorkOS
-  # WorkOS Vault: KV secret storage, server-managed key wrapping, and
-  # client-side AES-GCM encrypt/decrypt.
-  #
-  # @example Store and retrieve a secret
-  #   client.vault.create_object(name: "api-key", value: "sk_...", key_context: { "tenant" => "t1" })
-  #   obj = client.vault.read_object_by_name(name: "api-key")
-  #   obj.value # => "sk_..."
-  #
-  # @example Client-side encrypt/decrypt
-  #   encrypted = client.vault.encrypt(data: "plaintext", key_context: { "tenant" => "t1" })
-  #   client.vault.decrypt(encrypted_data: encrypted)
   class Vault
-    DEFAULT_RESPONSE_LIMIT = 10
-
-    DataKey = Data.define(:id, :key) do
-      def self.from_response(hash)
-        new(id: hash["id"], key: hash["data_key"])
-      end
-    end
-
-    DataKeyPair = Data.define(:context, :data_key, :encrypted_keys) do
-      def self.from_response(hash)
-        new(
-          context: hash["context"],
-          data_key: DataKey.new(id: hash["id"], key: hash["data_key"]),
-          encrypted_keys: hash["encrypted_keys"]
-        )
-      end
-    end
-
-    ObjectUpdateBy = Data.define(:id, :name) do
-      def self.from_hash(hash)
-        return nil if hash.nil?
-        new(id: hash["id"], name: hash["name"])
-      end
-    end
-
-    ObjectMetadata = Data.define(:context, :environment_id, :id, :key_id, :updated_at, :updated_by, :version_id) do
-      def self.from_hash(hash)
-        new(
-          context: hash["context"],
-          environment_id: hash["environment_id"],
-          id: hash["id"],
-          key_id: hash["key_id"],
-          updated_at: hash["updated_at"],
-          updated_by: ObjectUpdateBy.from_hash(hash["updated_by"]),
-          version_id: hash["version_id"]
-        )
-      end
-    end
-
-    VaultObject = Data.define(:id, :name, :value, :metadata) do
-      def self.from_hash(hash)
-        new(
-          id: hash["id"],
-          name: hash["name"],
-          value: hash["value"],
-          metadata: hash["metadata"] ? ObjectMetadata.from_hash(hash["metadata"]) : nil
-        )
-      end
-    end
-
-    ObjectDigest = Data.define(:id, :name, :updated_at) do
-      def self.from_hash(hash)
-        new(id: hash["id"], name: hash["name"], updated_at: hash["updated_at"])
-      end
-    end
-
-    ObjectVersion = Data.define(:id, :created_at, :current_version) do
-      def self.from_hash(hash)
-        new(id: hash["id"], created_at: hash["created_at"], current_version: hash["current_version"])
-      end
-    end
-
     def initialize(client)
       @client = client
     end
 
-    # -- KV operations --------------------------------------------------------
-
-    # Get a Vault object with the value decrypted.
-    def read_object(object_id:, request_options: {})
-      response = @client.request(method: :get, path: "/vault/v1/kv/#{WorkOS::Util.encode_path(object_id)}", auth: true, request_options: request_options)
-      VaultObject.from_hash(JSON.parse(response.body))
+    # Create a data key
+    # @param context [Hash{String => String}] Map of values used to determine the encryption key.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::CreateDataKeyResponse]
+    def create_data_key(
+      context:,
+      request_options: {}
+    )
+      body = {
+        "context" => context
+      }
+      response = @client.request(
+        method: :post,
+        path: "/vault/v1/keys/data-key",
+        auth: true,
+        body: body,
+        request_options: request_options
+      )
+      result = WorkOS::CreateDataKeyResponse.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
     end
 
-    # Get a Vault object by name with the value decrypted.
-    def read_object_by_name(name:, request_options: {})
-      response = @client.request(method: :get, path: "/vault/v1/kv/name/#{WorkOS::Util.encode_path(name)}", auth: true, request_options: request_options)
-      VaultObject.from_hash(JSON.parse(response.body))
+    # Decrypt a data key
+    # @param keys [String] Base64-encoded encrypted data key to decrypt.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::DecryptResponse]
+    def create_decrypt(
+      keys:,
+      request_options: {}
+    )
+      body = {
+        "keys" => keys
+      }
+      response = @client.request(
+        method: :post,
+        path: "/vault/v1/keys/decrypt",
+        auth: true,
+        body: body,
+        request_options: request_options
+      )
+      result = WorkOS::DecryptResponse.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
     end
 
-    # Get a Vault object's metadata without decrypting the value.
-    def get_object_metadata(object_id:, request_options: {})
-      response = @client.request(method: :get, path: "/vault/v1/kv/#{WorkOS::Util.encode_path(object_id)}/metadata", auth: true, request_options: request_options)
-      VaultObject.from_hash(JSON.parse(response.body))
+    # Re-encrypt a data key
+    # @param context [Hash{String => String}] Map of values used to determine the new encryption key.
+    # @param encrypted_keys [String] Base64-encoded encrypted data key blob to re-encrypt.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::CreateDataKeyResponse]
+    def create_rekey(
+      context:,
+      encrypted_keys:,
+      request_options: {}
+    )
+      body = {
+        "context" => context,
+        "encrypted_keys" => encrypted_keys
+      }
+      response = @client.request(
+        method: :post,
+        path: "/vault/v1/keys/rekey",
+        auth: true,
+        body: body,
+        request_options: request_options
+      )
+      result = WorkOS::CreateDataKeyResponse.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
     end
 
-    # List encrypted Vault objects.
-    # @return [Array<ObjectDigest>]
-    def list_objects(limit: DEFAULT_RESPONSE_LIMIT, before: nil, after: nil, request_options: {})
-      params = {"limit" => limit, "before" => before, "after" => after}.compact
-      response = @client.request(method: :get, path: "/vault/v1/kv", auth: true, params: params, request_options: request_options)
-      parsed = JSON.parse(response.body)
-      (parsed["data"] || []).map { |item| ObjectDigest.from_hash(item) }
+    # List objects
+    # @param limit [Integer, nil] Upper limit on the number of objects to return.
+    # @param before [String, nil] Cursor for the previous page of results.
+    # @param after [String, nil] Cursor for the next page of results.
+    # @param order [WorkOS::Types::VaultOrder, nil] Sort direction for results.
+    # @param search [String, nil] Filter results by name or structured search JSON.
+    # @param updated_after [String, nil] ISO 8601 timestamp to filter by last modified time.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::Types::ListStruct<WorkOS::ObjectSummary>]
+    def list_kv(
+      limit: 10,
+      before: nil,
+      after: nil,
+      order: nil,
+      search: nil,
+      updated_after: nil,
+      request_options: {}
+    )
+      params = {
+        "limit" => limit,
+        "before" => before,
+        "after" => after,
+        "order" => order,
+        "search" => search,
+        "updatedAfter" => updated_after
+      }.compact
+      response = @client.request(
+        method: :get,
+        path: "/vault/v1/kv",
+        auth: true,
+        params: params,
+        request_options: request_options
+      )
+      fetch_next = ->(cursor) {
+        list_kv(
+          limit: limit,
+          before: before,
+          after: cursor,
+          order: order,
+          search: search,
+          updated_after: updated_after,
+          request_options: request_options
+        )
+      }
+      WorkOS::Types::ListStruct.from_response(
+        response,
+        model: WorkOS::ObjectSummary,
+        filters: {limit: limit, before: before, order: order, search: search, updated_after: updated_after},
+        fetch_next: fetch_next
+      )
     end
 
-    # List versions for a specific Vault object.
-    # @return [Array<ObjectVersion>]
-    def list_object_versions(object_id:, request_options: {})
-      response = @client.request(method: :get, path: "/vault/v1/kv/#{WorkOS::Util.encode_path(object_id)}/versions", auth: true, request_options: request_options)
-      parsed = JSON.parse(response.body)
-      (parsed["data"] || []).map { |item| ObjectVersion.from_hash(item) }
+    # Create an object
+    # @param key_context [Hash{String => String}] Map of values used to determine the encryption key.
+    # @param name [String] Unique name for the object.
+    # @param value [String] Plaintext data to encrypt and store.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::ObjectMetadata]
+    def create_kv(
+      key_context:,
+      name:,
+      value:,
+      request_options: {}
+    )
+      body = {
+        "key_context" => key_context,
+        "name" => name,
+        "value" => value
+      }
+      response = @client.request(
+        method: :post,
+        path: "/vault/v1/kv",
+        auth: true,
+        body: body,
+        request_options: request_options
+      )
+      result = WorkOS::ObjectMetadata.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
     end
 
-    # Create a new Vault encrypted object.
-    def create_object(name:, value:, key_context:, request_options: {})
-      body = {"name" => name, "value" => value, "key_context" => key_context}
-      response = @client.request(method: :post, path: "/vault/v1/kv", auth: true, body: body, request_options: request_options)
-      ObjectMetadata.from_hash(JSON.parse(response.body))
+    # Read an object by name
+    # @param name [String] Unique name of the object.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::ObjectModel]
+    def get_name(
+      name:,
+      request_options: {}
+    )
+      response = @client.request(
+        method: :get,
+        path: "/vault/v1/kv/name/#{WorkOS::Util.encode_path(name)}",
+        auth: true,
+        request_options: request_options
+      )
+      result = WorkOS::ObjectModel.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
     end
 
-    # Update an existing Vault object.
-    def update_object(object_id:, value:, version_check: nil, request_options: {})
-      body = {"value" => value, "version_check" => version_check}.compact
-      response = @client.request(method: :put, path: "/vault/v1/kv/#{WorkOS::Util.encode_path(object_id)}", auth: true, body: body, request_options: request_options)
-      VaultObject.from_hash(JSON.parse(response.body))
+    # Read an object by ID
+    # @param id [String] Unique identifier of the object.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::ObjectModel]
+    def get_kv(
+      id:,
+      request_options: {}
+    )
+      response = @client.request(
+        method: :get,
+        path: "/vault/v1/kv/#{WorkOS::Util.encode_path(id)}",
+        auth: true,
+        request_options: request_options
+      )
+      result = WorkOS::ObjectModel.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
     end
 
-    # Permanently delete a Vault encrypted object.
-    def delete_object(object_id:, request_options: {})
-      @client.request(method: :delete, path: "/vault/v1/kv/#{WorkOS::Util.encode_path(object_id)}", auth: true, request_options: request_options)
-      nil
+    # Update an object
+    # @param id [String] Unique identifier of the object.
+    # @param value [String] New plaintext value.
+    # @param version_check [String, nil] ID of the expected current version for optimistic locking.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::ObjectWithoutValue]
+    def update_kv(
+      id:,
+      value:,
+      version_check: nil,
+      request_options: {}
+    )
+      body = {
+        "value" => value,
+        "version_check" => version_check
+      }.compact
+      response = @client.request(
+        method: :put,
+        path: "/vault/v1/kv/#{WorkOS::Util.encode_path(id)}",
+        auth: true,
+        body: body,
+        request_options: request_options
+      )
+      result = WorkOS::ObjectWithoutValue.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
     end
 
-    # -- Key operations -------------------------------------------------------
+    # Delete an object
+    # @param id [String] Unique identifier of the object.
+    # @param version_check [String, nil] Expected current version for optimistic locking.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::DeleteObjectResponse]
+    def delete_kv(
+      id:,
+      version_check: nil,
+      request_options: {}
+    )
+      params = {
+        "version_check" => version_check
+      }.compact
+      response = @client.request(
+        method: :delete,
+        path: "/vault/v1/kv/#{WorkOS::Util.encode_path(id)}",
+        auth: true,
+        params: params,
+        request_options: request_options
+      )
+      result = WorkOS::DeleteObjectResponse.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
 
-    # Generate a data key for local encryption.
-    # @return [DataKeyPair]
-    def create_data_key(key_context:, request_options: {})
-      body = {"context" => key_context}
-      response = @client.request(method: :post, path: "/vault/v1/keys/data-key", auth: true, body: body, request_options: request_options)
-      DataKeyPair.from_response(JSON.parse(response.body))
+    # Describe an object
+    # @param id [String] Unique identifier of the object.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::ObjectWithoutValue]
+    def list_kv_metadata(
+      id:,
+      request_options: {}
+    )
+      response = @client.request(
+        method: :get,
+        path: "/vault/v1/kv/#{WorkOS::Util.encode_path(id)}/metadata",
+        auth: true,
+        request_options: request_options
+      )
+      result = WorkOS::ObjectWithoutValue.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
     end
 
-    # Decrypt encrypted data keys previously generated by create_data_key.
-    # @return [DataKey]
-    def decrypt_data_key(keys:, request_options: {})
-      body = {"keys" => keys}
-      response = @client.request(method: :post, path: "/vault/v1/keys/decrypt", auth: true, body: body, request_options: request_options)
-      DataKey.from_response(JSON.parse(response.body))
+    # List object versions
+    # @param id [String] Unique identifier of the object.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::Types::ListStruct<WorkOS::ObjectVersion>]
+    def list_kv_versions(
+      id:,
+      request_options: {}
+    )
+      response = @client.request(
+        method: :get,
+        path: "/vault/v1/kv/#{WorkOS::Util.encode_path(id)}/versions",
+        auth: true,
+        request_options: request_options
+      )
+      WorkOS::Types::ListStruct.from_response(
+        response,
+        model: WorkOS::ObjectVersion,
+        filters: {id: id}
+      )
     end
 
-    # -- Client-side AES-GCM encrypt/decrypt (H18) ---------------------------
+    # @oagen-ignore-start — client-side AES-GCM encrypt/decrypt (H18, hand-maintained)
 
     # Encrypt data locally using AES-GCM with a data key derived from the context.
     # Returns base64(IV || TAG || LEB128(len(keyBlob)) || keyBlob || ciphertext).
-    def encrypt(data:, key_context:, associated_data: nil)
-      pair = create_data_key(key_context: key_context)
-      key = Base64.decode64(pair.data_key.key)
+    def encrypt(data:, context:, associated_data: nil)
+      pair = create_data_key(context: context)
+      key = Base64.decode64(pair.data_key)
       key_blob = Base64.decode64(pair.encrypted_keys)
       prefix = encode_u32_leb128(key_blob.bytesize)
       iv, ciphertext, tag = aes_gcm_encrypt(data.b, key, associated_data&.b)
@@ -186,8 +319,8 @@ module WorkOS
       keys_index = 28 + leb_len
       key_blob = payload.byteslice(keys_index, key_len)
       ciphertext = payload.byteslice(keys_index + key_len, payload.bytesize - (keys_index + key_len))
-      data_key = decrypt_data_key(keys: Base64.strict_encode64(key_blob))
-      key = Base64.decode64(data_key.key)
+      dk = create_decrypt(keys: Base64.strict_encode64(key_blob))
+      key = Base64.decode64(dk.data_key)
       aes_gcm_decrypt(ciphertext, key, iv, tag, associated_data&.b)
     end
 
@@ -237,5 +370,6 @@ module WorkOS
       end
       raise ArgumentError, "LEB128 not terminated"
     end
+    # @oagen-ignore-end
   end
 end

data/lib/workos/version.rb

@@ -2,5 +2,5 @@
 
 # @oagen-ignore-file
 module WorkOS
-  VERSION = "8.0.0"
+  VERSION = "9.0.0"
 end

data/lib/workos/webhooks/webhook_endpoint.rb

@@ -2,12 +2,8 @@
 
 # This file is auto-generated by oagen. Do not edit.
 
-require "json"
-
 module WorkOS
-  class WebhookEndpoint
-    include HashProvider
-
+  class WebhookEndpoint < WorkOS::Types::BaseModel
     HASH_ATTRS = {
       object: :object,
       id: :id,
@@ -30,8 +26,7 @@ module WorkOS
       :updated_at
 
     def initialize(json)
-      hash = json.is_a?(Hash) ? json : JSON.parse(json, symbolize_names: true)
-      hash = hash.transform_keys(&:to_sym) if hash.keys.first.is_a?(String)
+      hash = self.class.normalize(json)
       @object = hash[:object]
       @id = hash[:id]
       @endpoint_url = hash[:endpoint_url]

data/lib/workos/webhooks.rb

@@ -3,6 +3,7 @@
 # This file is auto-generated by oagen. Do not edit.
 
 require "json"
+require "openssl"
 
 module WorkOS
   class Webhooks
@@ -16,7 +17,7 @@ module WorkOS
     # @param limit [Integer, nil] Upper limit on the number of objects to return, between `1` and `100`.
     # @param order [WorkOS::Types::PaginationOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
     # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
-    # @return [WorkOS::Types::ListStruct<WorkOS::WebhookEndpointJson>]
+    # @return [WorkOS::Types::ListStruct<WorkOS::WebhookEndpoint>]
     def list_webhook_endpoints(
       before: nil,
       after: nil,
@@ -48,7 +49,7 @@ module WorkOS
       }
       WorkOS::Types::ListStruct.from_response(
         response,
-        model: WorkOS::WebhookEndpointJson,
+        model: WorkOS::WebhookEndpoint,
         filters: {before: before, limit: limit, order: order},
         fetch_next: fetch_next
       )
@@ -58,7 +59,7 @@ module WorkOS
     # @param endpoint_url [String] The HTTPS URL where webhooks will be sent.
     # @param events [Array<WorkOS::Types::CreateWebhookEndpointEvents>] The events that the Webhook Endpoint is subscribed to.
     # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
-    # @return [WorkOS::WebhookEndpointJson]
+    # @return [WorkOS::WebhookEndpoint]
     def create_webhook_endpoint(
       endpoint_url:,
       events:,
@@ -75,7 +76,7 @@ module WorkOS
         body: body,
         request_options: request_options
       )
-      result = WorkOS::WebhookEndpointJson.new(response.body)
+      result = WorkOS::WebhookEndpoint.new(response.body)
       result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
       result
     end
@@ -86,7 +87,7 @@ module WorkOS
     # @param status [WorkOS::Types::UpdateWebhookEndpointStatus, nil] Whether the Webhook Endpoint is enabled or disabled.
     # @param events [Array<WorkOS::Types::UpdateWebhookEndpointEvents>, nil] The events that the Webhook Endpoint is subscribed to.
     # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
-    # @return [WorkOS::WebhookEndpointJson]
+    # @return [WorkOS::WebhookEndpoint]
     def update_webhook_endpoint(
       id:,
       endpoint_url: nil,
@@ -106,7 +107,7 @@ module WorkOS
         body: body,
         request_options: request_options
       )
-      result = WorkOS::WebhookEndpointJson.new(response.body)
+      result = WorkOS::WebhookEndpoint.new(response.body)
       result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
       result
     end
@@ -129,8 +130,6 @@ module WorkOS
     end
 
     # @oagen-ignore-start — non-spec helpers (hand-maintained)
-    require "openssl"
-
     DEFAULT_TOLERANCE_SECONDS = 180
 
     # Verify a webhook signature and return a typed event struct.
@@ -193,7 +192,7 @@ module WorkOS
       timestamp_ms, signature_hash = parse_signature_header(sig_header)
       max_age = tolerance.to_i
       issued_at = timestamp_ms.to_i / 1000.0
-      if (Time.now.to_f - issued_at) > max_age
+      if (Time.now.to_f - issued_at).abs > max_age
         raise WorkOS::SignatureVerificationError.new(
           message: "Timestamp outside the tolerance zone",
           http_status: nil

data/lib/workos.rb

@@ -21,6 +21,7 @@ loader.collapse("#{__dir__}/workos/feature_flags")
 loader.collapse("#{__dir__}/workos/groups")
 loader.collapse("#{__dir__}/workos/multi_factor_auth")
 loader.collapse("#{__dir__}/workos/organization_domains")
+loader.collapse("#{__dir__}/workos/organization_membership")
 loader.collapse("#{__dir__}/workos/organizations")
 loader.collapse("#{__dir__}/workos/pipes")
 loader.collapse("#{__dir__}/workos/radar")