@authn-sh/sdk-node 0.4.0-alpha.1

package/dist/index.js

@@ -0,0 +1,1477 @@
+import { createHmac, timingSafeEqual, createHash, randomUUID } from 'crypto';
+import { createRemoteJWKSet, decodeProtectedHeader, jwtVerify } from 'jose';
+
+// src/errors/index.ts
+var AuthnHttpError = class extends Error {
+  constructor(status, errors, requestId, message) {
+    super(message ?? (errors[0]?.longMessage || errors[0]?.message) ?? `authn.sh API returned HTTP ${status}`);
+    this.status = status;
+    this.errors = errors;
+    this.requestId = requestId;
+  }
+  status;
+  errors;
+  requestId;
+  name = "AuthnHttpError";
+  /** The primary error code returned by the API (when present). */
+  get code() {
+    return this.errors[0]?.code ?? null;
+  }
+};
+var AuthnConfigError = class extends Error {
+  name = "AuthnConfigError";
+};
+var AuthnTokenInvalidError = class extends Error {
+  constructor(reason, message) {
+    super(message ?? `Token invalid: ${reason}`);
+    this.reason = reason;
+  }
+  reason;
+  name = "AuthnTokenInvalidError";
+};
+var AuthnWebhookSignatureInvalidError = class extends Error {
+  constructor(reason, message) {
+    super(message ?? `Webhook signature invalid: ${reason}`);
+    this.reason = reason;
+  }
+  reason;
+  name = "AuthnWebhookSignatureInvalidError";
+};
+
+// src/resources/ListParams.ts
+var ListParams = class {
+  constructor(limit, offset, orderBy) {
+    this.limit = limit;
+    this.offset = offset;
+    this.orderBy = orderBy;
+  }
+  limit;
+  offset;
+  orderBy;
+  toQuery() {
+    const q = {};
+    if (this.limit !== void 0) q.limit = this.limit;
+    if (this.offset !== void 0) q.offset = this.offset;
+    if (this.orderBy !== void 0) q.order_by = this.orderBy;
+    return q;
+  }
+};
+
+// src/resources/Manager.ts
+var Manager = class {
+  constructor(transport) {
+    this.transport = transport;
+  }
+  transport;
+};
+
+// src/resources/PaginatedList.ts
+function hydratePaginatedList(raw, hydrate) {
+  if (!raw || typeof raw !== "object") {
+    return { data: [], totalCount: 0 };
+  }
+  const obj = raw;
+  const data = Array.isArray(obj.data) ? obj.data.map(hydrate) : [];
+  const totalCount = typeof obj.total_count === "number" ? obj.total_count : data.length;
+  return { data, totalCount };
+}
+
+// src/resources/ExternalAccounts.ts
+var ExternalAccountsListParams = class extends ListParams {
+  constructor(userId, oauthProviderId, limit, offset, orderBy) {
+    super(limit, offset, orderBy);
+    this.userId = userId;
+    this.oauthProviderId = oauthProviderId;
+  }
+  userId;
+  oauthProviderId;
+  toQuery() {
+    const q = super.toQuery();
+    if (this.userId) q.user_id = this.userId;
+    if (this.oauthProviderId) q.oauth_provider_id = this.oauthProviderId;
+    return q;
+  }
+};
+var ExternalAccountsManager = class extends Manager {
+  async list(params) {
+    const raw = await this.transport.send("GET", "/v1/external-accounts", {
+      query: (params ?? new ExternalAccountsListParams()).toQuery()
+    });
+    return hydratePaginatedList(raw, hydrateExternalAccount);
+  }
+  async get(externalAccountId) {
+    const raw = await this.transport.send("GET", `/v1/external-accounts/${encodeURIComponent(externalAccountId)}`);
+    return hydrateExternalAccount(raw);
+  }
+  async delete(externalAccountId) {
+    await this.transport.send("DELETE", `/v1/external-accounts/${encodeURIComponent(externalAccountId)}`);
+  }
+};
+function hydrateExternalAccount(raw) {
+  const obj = raw && typeof raw === "object" ? raw : {};
+  const scopes = Array.isArray(obj.scopes) ? obj.scopes.filter((s) => typeof s === "string") : [];
+  const meta2 = obj.public_metadata && typeof obj.public_metadata === "object" ? obj.public_metadata : {};
+  return {
+    id: String(obj.id ?? ""),
+    object: "external_account",
+    provider: String(obj.provider ?? ""),
+    providerKey: String(obj.provider_key ?? ""),
+    providerUserId: String(obj.provider_user_id ?? ""),
+    emailAddress: obj.email_address ?? null,
+    scopes,
+    publicMetadata: meta2,
+    verified: Boolean(obj.verified),
+    linkedAt: obj.linked_at ?? null,
+    lastSignedInAt: obj.last_signed_in_at ?? null,
+    raw: obj
+  };
+}
+
+// src/resources/Instance.ts
+var InstanceManager = class extends Manager {
+  async get() {
+    const raw = await this.transport.send("GET", "/v1/instance");
+    return hydrateInstance(raw);
+  }
+  async update(patch) {
+    const raw = await this.transport.send("PATCH", "/v1/instance", { body: patch });
+    return hydrateInstance(raw);
+  }
+  async updateRestrictions(patch) {
+    const raw = await this.transport.send("PATCH", "/v1/instance/restrictions", { body: patch });
+    return hydrateInstance(raw);
+  }
+  async updateOrganizationSettings(patch) {
+    const raw = await this.transport.send("PATCH", "/v1/instance/organization-settings", { body: patch });
+    return hydrateInstance(raw);
+  }
+};
+function hydrateInstance(raw) {
+  const obj = raw && typeof raw === "object" ? raw : {};
+  const meta2 = (key) => obj[key] && typeof obj[key] === "object" ? obj[key] : {};
+  return {
+    id: String(obj.id ?? ""),
+    object: "instance",
+    attributes: meta2("attributes"),
+    multiFactor: meta2("multi_factor"),
+    signUpMode: typeof obj.sign_up_mode === "string" ? obj.sign_up_mode : void 0,
+    raw: obj
+  };
+}
+function idempotencyKeyFor(payload) {
+  try {
+    const json = JSON.stringify(payload ?? {});
+    return createHash("sha256").update(json).digest("hex").slice(0, 32);
+  } catch {
+    return randomUUID();
+  }
+}
+
+// src/resources/Invitations.ts
+var InvitationsListParams = class extends ListParams {
+  constructor(status, emailAddress, limit, offset, orderBy) {
+    super(limit, offset, orderBy);
+    this.status = status;
+    this.emailAddress = emailAddress;
+  }
+  status;
+  emailAddress;
+  toQuery() {
+    const q = super.toQuery();
+    if (this.status?.length) q.status = this.status;
+    if (this.emailAddress) q.email_address = this.emailAddress;
+    return q;
+  }
+};
+var InvitationsManager = class extends Manager {
+  async list(params) {
+    const raw = await this.transport.send("GET", "/v1/invitations", {
+      query: (params ?? new InvitationsListParams()).toQuery()
+    });
+    return hydratePaginatedList(raw, hydrateInvitation);
+  }
+  async create(data, idempotencyKey) {
+    const raw = await this.transport.send("POST", "/v1/invitations", {
+      body: data,
+      idempotencyKey: idempotencyKey ?? idempotencyKeyFor(data)
+    });
+    return hydrateInvitation(raw);
+  }
+  async bulkCreate(invitations, idempotencyKey) {
+    const raw = await this.transport.send("POST", "/v1/invitations/bulk", {
+      body: { invitations },
+      idempotencyKey: idempotencyKey ?? idempotencyKeyFor(invitations)
+    });
+    return (raw?.data ?? []).map(hydrateInvitation);
+  }
+  async revoke(invitationId) {
+    const raw = await this.transport.send("POST", `/v1/invitations/${encodeURIComponent(invitationId)}/revoke`);
+    return hydrateInvitation(raw);
+  }
+};
+function hydrateInvitation(raw) {
+  const obj = raw && typeof raw === "object" ? raw : {};
+  const meta2 = obj.public_metadata && typeof obj.public_metadata === "object" ? obj.public_metadata : {};
+  return {
+    id: String(obj.id ?? ""),
+    object: "invitation",
+    emailAddress: String(obj.email_address ?? ""),
+    status: String(obj.status ?? ""),
+    redirectUrl: obj.redirect_url ?? null,
+    publicMetadata: meta2,
+    expiresAt: obj.expires_at ?? null,
+    url: obj.url ?? null,
+    createdAt: typeof obj.created_at === "number" ? obj.created_at : 0,
+    updatedAt: typeof obj.updated_at === "number" ? obj.updated_at : 0,
+    raw: obj
+  };
+}
+
+// src/resources/Lists.ts
+var AllowlistIdentifiersManager = class extends Manager {
+  async list(params) {
+    const raw = await this.transport.send("GET", "/v1/allowlist-identifiers", {
+      query: (params ?? new ListParams()).toQuery()
+    });
+    return hydratePaginatedList(raw, hydrateAllowlistIdentifier);
+  }
+  async create(data) {
+    const raw = await this.transport.send("POST", "/v1/allowlist-identifiers", { body: data });
+    return hydrateAllowlistIdentifier(raw);
+  }
+  async delete(id) {
+    await this.transport.send("DELETE", `/v1/allowlist-identifiers/${encodeURIComponent(id)}`);
+  }
+};
+var BlocklistIdentifiersManager = class extends Manager {
+  async list(params) {
+    const raw = await this.transport.send("GET", "/v1/blocklist-identifiers", {
+      query: (params ?? new ListParams()).toQuery()
+    });
+    return hydratePaginatedList(raw, hydrateBlocklistIdentifier);
+  }
+  async create(data) {
+    const raw = await this.transport.send("POST", "/v1/blocklist-identifiers", { body: data });
+    return hydrateBlocklistIdentifier(raw);
+  }
+  async delete(id) {
+    await this.transport.send("DELETE", `/v1/blocklist-identifiers/${encodeURIComponent(id)}`);
+  }
+};
+function hydrateIdentifier(raw, object) {
+  const obj = raw && typeof raw === "object" ? raw : {};
+  return {
+    id: String(obj.id ?? ""),
+    object,
+    identifier: String(obj.identifier ?? ""),
+    createdAt: typeof obj.created_at === "number" ? obj.created_at : 0,
+    updatedAt: typeof obj.updated_at === "number" ? obj.updated_at : 0,
+    raw: obj
+  };
+}
+function hydrateAllowlistIdentifier(raw) {
+  return hydrateIdentifier(raw, "allowlist_identifier");
+}
+function hydrateBlocklistIdentifier(raw) {
+  return hydrateIdentifier(raw, "blocklist_identifier");
+}
+
+// src/resources/OauthProviders.ts
+var OauthProvidersManager = class extends Manager {
+  async list(params) {
+    const raw = await this.transport.send("GET", "/v1/oauth-providers", {
+      query: (params ?? new ListParams()).toQuery()
+    });
+    return hydratePaginatedList(raw, hydrateOauthProvider);
+  }
+  async create(data, idempotencyKey) {
+    const raw = await this.transport.send("POST", "/v1/oauth-providers", {
+      body: data,
+      idempotencyKey: idempotencyKey ?? idempotencyKeyFor(data)
+    });
+    return hydrateOauthProvider(raw);
+  }
+  async get(oauthProviderId) {
+    const raw = await this.transport.send("GET", `/v1/oauth-providers/${encodeURIComponent(oauthProviderId)}`);
+    return hydrateOauthProvider(raw);
+  }
+  async update(oauthProviderId, data, idempotencyKey) {
+    const raw = await this.transport.send("PATCH", `/v1/oauth-providers/${encodeURIComponent(oauthProviderId)}`, {
+      body: data,
+      idempotencyKey
+    });
+    return hydrateOauthProvider(raw);
+  }
+  async delete(oauthProviderId) {
+    await this.transport.send("DELETE", `/v1/oauth-providers/${encodeURIComponent(oauthProviderId)}`);
+  }
+  async test(oauthProviderId) {
+    const raw = await this.transport.send(
+      "POST",
+      `/v1/oauth-providers/${encodeURIComponent(oauthProviderId)}/test`
+    );
+    const errs = Array.isArray(raw?.errors) ? raw.errors.map((e) => {
+      const o = e && typeof e === "object" ? e : {};
+      return { code: String(o.code ?? "unknown"), message: String(o.message ?? o.long_message ?? "") };
+    }) : [];
+    return {
+      authorizeUrl: String(raw?.authorize_url ?? ""),
+      userinfoStatus: raw?.userinfo_status ?? null,
+      errors: errs
+    };
+  }
+};
+function hydrateOauthProvider(raw) {
+  const obj = raw && typeof raw === "object" ? raw : {};
+  const scopes = Array.isArray(obj.scopes) ? obj.scopes.filter((s) => typeof s === "string") : [];
+  const algs = Array.isArray(obj.id_token_signing_algs) ? obj.id_token_signing_algs.filter((s) => typeof s === "string") : [];
+  const mapping = {};
+  if (obj.attribute_mapping && typeof obj.attribute_mapping === "object") {
+    for (const [k, v] of Object.entries(obj.attribute_mapping)) {
+      if (typeof v === "string") mapping[k] = v;
+    }
+  }
+  const authParams = obj.additional_authorization_params && typeof obj.additional_authorization_params === "object" ? obj.additional_authorization_params : {};
+  return {
+    id: String(obj.id ?? ""),
+    object: "oauth_provider",
+    providerKind: obj.provider_kind ?? "preset",
+    providerKey: String(obj.provider_key ?? ""),
+    name: String(obj.name ?? ""),
+    enabled: Boolean(obj.enabled),
+    allowSignIn: Boolean(obj.allow_sign_in),
+    allowSignUp: Boolean(obj.allow_sign_up),
+    blockEmailSubaddresses: Boolean(obj.block_email_subaddresses),
+    clientId: String(obj.client_id ?? ""),
+    scopes,
+    additionalAuthorizationParams: authParams,
+    attributeMapping: mapping,
+    redirectUri: String(obj.redirect_uri ?? ""),
+    issuer: obj.issuer ?? null,
+    discoveryEndpoint: obj.discovery_endpoint ?? null,
+    authorizationEndpoint: obj.authorization_endpoint ?? null,
+    tokenEndpoint: obj.token_endpoint ?? null,
+    userinfoEndpoint: obj.userinfo_endpoint ?? null,
+    jwksUri: obj.jwks_uri ?? null,
+    idTokenSigningAlgs: algs,
+    userinfoMethod: obj.userinfo_method ?? null,
+    userinfoAuth: obj.userinfo_auth ?? null,
+    createdAt: typeof obj.created_at === "number" ? obj.created_at : 0,
+    updatedAt: typeof obj.updated_at === "number" ? obj.updated_at : 0,
+    raw: obj
+  };
+}
+
+// src/resources/Organizations.ts
+var OrganizationsManager = class extends Manager {
+  async list(params) {
+    const raw = await this.transport.send("GET", "/v1/organizations", {
+      query: (params ?? new ListParams()).toQuery()
+    });
+    return hydratePaginatedList(raw, hydrateOrganization);
+  }
+  async create(data, idempotencyKey) {
+    const raw = await this.transport.send("POST", "/v1/organizations", {
+      body: data,
+      idempotencyKey: idempotencyKey ?? idempotencyKeyFor(data)
+    });
+    return hydrateOrganization(raw);
+  }
+  async get(orgId) {
+    const raw = await this.transport.send("GET", `/v1/organizations/${encodeURIComponent(orgId)}`);
+    return hydrateOrganization(raw);
+  }
+  async update(orgId, data, idempotencyKey) {
+    const raw = await this.transport.send("PATCH", `/v1/organizations/${encodeURIComponent(orgId)}`, {
+      body: data,
+      idempotencyKey
+    });
+    return hydrateOrganization(raw);
+  }
+  async delete(orgId) {
+    await this.transport.send("DELETE", `/v1/organizations/${encodeURIComponent(orgId)}`);
+  }
+  members(orgId) {
+    return new OrganizationMembershipsManager(this.transport, orgId);
+  }
+  invitations(orgId) {
+    return new OrganizationInvitationsManager(this.transport, orgId);
+  }
+  domains(orgId) {
+    return new OrganizationDomainsManager(this.transport, orgId);
+  }
+};
+var OrganizationMembershipsManager = class {
+  constructor(transport, orgId) {
+    this.transport = transport;
+    this.orgId = orgId;
+  }
+  transport;
+  orgId;
+  async list(params) {
+    const raw = await this.transport.send(
+      "GET",
+      `/v1/organizations/${encodeURIComponent(this.orgId)}/memberships`,
+      { query: (params ?? new ListParams()).toQuery() }
+    );
+    return hydratePaginatedList(raw, hydrateOrganizationMembership);
+  }
+  async create(data, idempotencyKey) {
+    const raw = await this.transport.send(
+      "POST",
+      `/v1/organizations/${encodeURIComponent(this.orgId)}/memberships`,
+      { body: { user_id: data.userId, role: data.role }, idempotencyKey: idempotencyKey ?? idempotencyKeyFor(data) }
+    );
+    return hydrateOrganizationMembership(raw);
+  }
+  async update(userId, role, idempotencyKey) {
+    const raw = await this.transport.send(
+      "PATCH",
+      `/v1/organizations/${encodeURIComponent(this.orgId)}/memberships/${encodeURIComponent(userId)}`,
+      { body: { role }, idempotencyKey }
+    );
+    return hydrateOrganizationMembership(raw);
+  }
+  async delete(userId) {
+    await this.transport.send(
+      "DELETE",
+      `/v1/organizations/${encodeURIComponent(this.orgId)}/memberships/${encodeURIComponent(userId)}`
+    );
+  }
+};
+var OrganizationInvitationsManager = class {
+  constructor(transport, orgId) {
+    this.transport = transport;
+    this.orgId = orgId;
+  }
+  transport;
+  orgId;
+  async list(params) {
+    const raw = await this.transport.send(
+      "GET",
+      `/v1/organizations/${encodeURIComponent(this.orgId)}/invitations`,
+      { query: (params ?? new ListParams()).toQuery() }
+    );
+    return hydratePaginatedList(raw, hydrateOrganizationInvitation);
+  }
+  async create(data, idempotencyKey) {
+    const raw = await this.transport.send(
+      "POST",
+      `/v1/organizations/${encodeURIComponent(this.orgId)}/invitations`,
+      { body: data, idempotencyKey: idempotencyKey ?? idempotencyKeyFor(data) }
+    );
+    return hydrateOrganizationInvitation(raw);
+  }
+  async bulkCreate(invitations, idempotencyKey) {
+    const raw = await this.transport.send(
+      "POST",
+      `/v1/organizations/${encodeURIComponent(this.orgId)}/invitations/bulk`,
+      { body: { invitations }, idempotencyKey: idempotencyKey ?? idempotencyKeyFor(invitations) }
+    );
+    return (raw?.data ?? []).map(hydrateOrganizationInvitation);
+  }
+  async revoke(invitationId) {
+    const raw = await this.transport.send(
+      "POST",
+      `/v1/organizations/${encodeURIComponent(this.orgId)}/invitations/${encodeURIComponent(invitationId)}/revoke`
+    );
+    return hydrateOrganizationInvitation(raw);
+  }
+};
+var OrganizationDomainsManager = class {
+  constructor(transport, orgId) {
+    this.transport = transport;
+    this.orgId = orgId;
+  }
+  transport;
+  orgId;
+  async list() {
+    const raw = await this.transport.send(
+      "GET",
+      `/v1/organizations/${encodeURIComponent(this.orgId)}/domains`
+    );
+    return hydratePaginatedList(raw, hydrateOrganizationDomain);
+  }
+  async create(name, enrollmentMode = "manual_invitation") {
+    const raw = await this.transport.send(
+      "POST",
+      `/v1/organizations/${encodeURIComponent(this.orgId)}/domains`,
+      { body: { name, enrollment_mode: enrollmentMode } }
+    );
+    return hydrateOrganizationDomain(raw);
+  }
+  async get(domainId) {
+    const raw = await this.transport.send(
+      "GET",
+      `/v1/organizations/${encodeURIComponent(this.orgId)}/domains/${encodeURIComponent(domainId)}`
+    );
+    return hydrateOrganizationDomain(raw);
+  }
+  async update(domainId, patch) {
+    const raw = await this.transport.send(
+      "PATCH",
+      `/v1/organizations/${encodeURIComponent(this.orgId)}/domains/${encodeURIComponent(domainId)}`,
+      { body: patch }
+    );
+    return hydrateOrganizationDomain(raw);
+  }
+  async delete(domainId) {
+    await this.transport.send(
+      "DELETE",
+      `/v1/organizations/${encodeURIComponent(this.orgId)}/domains/${encodeURIComponent(domainId)}`
+    );
+  }
+};
+function meta(obj, key) {
+  return obj[key] && typeof obj[key] === "object" ? obj[key] : {};
+}
+function hydrateOrganization(raw) {
+  const obj = raw && typeof raw === "object" ? raw : {};
+  return {
+    id: String(obj.id ?? ""),
+    object: "organization",
+    name: String(obj.name ?? ""),
+    slug: obj.slug ?? null,
+    imageUrl: obj.image_url ?? null,
+    membersCount: typeof obj.members_count === "number" ? obj.members_count : 0,
+    pendingInvitationsCount: typeof obj.pending_invitations_count === "number" ? obj.pending_invitations_count : 0,
+    maxAllowedMemberships: obj.max_allowed_memberships ?? null,
+    adminDeleteEnabled: Boolean(obj.admin_delete_enabled),
+    publicMetadata: meta(obj, "public_metadata"),
+    privateMetadata: meta(obj, "private_metadata"),
+    createdBy: obj.created_by ?? null,
+    createdAt: typeof obj.created_at === "number" ? obj.created_at : 0,
+    updatedAt: typeof obj.updated_at === "number" ? obj.updated_at : 0,
+    raw: obj
+  };
+}
+function hydrateOrganizationMembership(raw) {
+  const obj = raw && typeof raw === "object" ? raw : {};
+  const perms = Array.isArray(obj.permissions) ? obj.permissions.filter((p) => typeof p === "string") : [];
+  return {
+    id: String(obj.id ?? ""),
+    object: "organization_membership",
+    organizationId: String(obj.organization_id ?? ""),
+    userId: String(obj.user_id ?? ""),
+    role: String(obj.role ?? ""),
+    permissions: perms,
+    publicMetadata: meta(obj, "public_metadata"),
+    privateMetadata: meta(obj, "private_metadata"),
+    createdAt: typeof obj.created_at === "number" ? obj.created_at : 0,
+    updatedAt: typeof obj.updated_at === "number" ? obj.updated_at : 0,
+    raw: obj
+  };
+}
+function hydrateOrganizationInvitation(raw) {
+  const obj = raw && typeof raw === "object" ? raw : {};
+  return {
+    id: String(obj.id ?? ""),
+    object: "organization_invitation",
+    organizationId: String(obj.organization_id ?? ""),
+    emailAddress: String(obj.email_address ?? ""),
+    role: String(obj.role ?? ""),
+    status: String(obj.status ?? ""),
+    inviterUserId: obj.inviter_user_id ?? null,
+    redirectUrl: obj.redirect_url ?? null,
+    publicMetadata: meta(obj, "public_metadata"),
+    expiresAt: obj.expires_at ?? null,
+    url: obj.url ?? null,
+    createdAt: typeof obj.created_at === "number" ? obj.created_at : 0,
+    updatedAt: typeof obj.updated_at === "number" ? obj.updated_at : 0,
+    raw: obj
+  };
+}
+function hydrateOrganizationDomain(raw) {
+  const obj = raw && typeof raw === "object" ? raw : {};
+  return {
+    id: String(obj.id ?? ""),
+    object: "organization_domain",
+    organizationId: String(obj.organization_id ?? ""),
+    name: String(obj.name ?? ""),
+    verified: Boolean(obj.verified),
+    enrollmentMode: String(obj.enrollment_mode ?? "manual_invitation"),
+    currentChallengeId: obj.current_challenge_id ?? null,
+    createdAt: typeof obj.created_at === "number" ? obj.created_at : 0,
+    updatedAt: typeof obj.updated_at === "number" ? obj.updated_at : 0,
+    raw: obj
+  };
+}
+
+// src/resources/PhoneNumbers.ts
+var PhoneNumbersListParams = class extends ListParams {
+  constructor(userId, limit, offset, orderBy) {
+    super(limit, offset, orderBy);
+    this.userId = userId;
+  }
+  userId;
+  toQuery() {
+    const q = super.toQuery();
+    if (this.userId) q.user_id = this.userId;
+    return q;
+  }
+};
+var PhoneNumbersManager = class extends Manager {
+  async list(params) {
+    const raw = await this.transport.send("GET", "/v1/phone-numbers", {
+      query: (params ?? new PhoneNumbersListParams()).toQuery()
+    });
+    return hydratePaginatedList(raw, hydratePhoneNumber);
+  }
+  async create(data, idempotencyKey) {
+    const raw = await this.transport.send("POST", "/v1/phone-numbers", {
+      body: data,
+      idempotencyKey: idempotencyKey ?? idempotencyKeyFor(data)
+    });
+    return hydratePhoneNumber(raw);
+  }
+  async get(phoneNumberId) {
+    const raw = await this.transport.send("GET", `/v1/phone-numbers/${encodeURIComponent(phoneNumberId)}`);
+    return hydratePhoneNumber(raw);
+  }
+  async update(phoneNumberId, data, idempotencyKey) {
+    const raw = await this.transport.send("PATCH", `/v1/phone-numbers/${encodeURIComponent(phoneNumberId)}`, {
+      body: data,
+      idempotencyKey
+    });
+    return hydratePhoneNumber(raw);
+  }
+  async delete(phoneNumberId) {
+    await this.transport.send("DELETE", `/v1/phone-numbers/${encodeURIComponent(phoneNumberId)}`);
+  }
+};
+function hydratePhoneNumber(raw) {
+  const obj = raw && typeof raw === "object" ? raw : {};
+  return {
+    id: String(obj.id ?? ""),
+    object: "phone_number",
+    phoneNumber: String(obj.phone_number ?? ""),
+    verified: Boolean(obj.verified),
+    currentChallengeId: obj.current_challenge_id ?? null,
+    isPrimary: Boolean(obj.is_primary),
+    reservedForSecondFactor: Boolean(obj.reserved_for_second_factor),
+    defaultSecondFactor: Boolean(obj.default_second_factor),
+    linkedToExternalAccountId: obj.linked_to_external_account_id ?? null,
+    createdAt: typeof obj.created_at === "number" ? obj.created_at : 0,
+    updatedAt: typeof obj.updated_at === "number" ? obj.updated_at : 0,
+    raw: obj
+  };
+}
+
+// src/resources/RedirectUrls.ts
+var RedirectUrlsManager = class extends Manager {
+  async list(params) {
+    const raw = await this.transport.send("GET", "/v1/redirect-urls", {
+      query: (params ?? new ListParams()).toQuery()
+    });
+    return hydratePaginatedList(raw, hydrateRedirectUrl);
+  }
+  async create(url) {
+    const raw = await this.transport.send("POST", "/v1/redirect-urls", { body: { url } });
+    return hydrateRedirectUrl(raw);
+  }
+  async get(id) {
+    const raw = await this.transport.send("GET", `/v1/redirect-urls/${encodeURIComponent(id)}`);
+    return hydrateRedirectUrl(raw);
+  }
+  async delete(id) {
+    await this.transport.send("DELETE", `/v1/redirect-urls/${encodeURIComponent(id)}`);
+  }
+};
+function hydrateRedirectUrl(raw) {
+  const obj = raw && typeof raw === "object" ? raw : {};
+  return {
+    id: String(obj.id ?? ""),
+    object: "redirect_url",
+    url: String(obj.url ?? ""),
+    createdAt: typeof obj.created_at === "number" ? obj.created_at : 0,
+    updatedAt: typeof obj.updated_at === "number" ? obj.updated_at : 0,
+    raw: obj
+  };
+}
+
+// src/resources/Roles.ts
+var RolesManager = class extends Manager {
+  async list(params) {
+    const raw = await this.transport.send("GET", "/v1/roles", {
+      query: (params ?? new ListParams()).toQuery()
+    });
+    return hydratePaginatedList(raw, hydrateRole);
+  }
+  async create(data, idempotencyKey) {
+    const raw = await this.transport.send("POST", "/v1/roles", {
+      body: data,
+      idempotencyKey: idempotencyKey ?? idempotencyKeyFor(data)
+    });
+    return hydrateRole(raw);
+  }
+  async get(roleId) {
+    const raw = await this.transport.send("GET", `/v1/roles/${encodeURIComponent(roleId)}`);
+    return hydrateRole(raw);
+  }
+  async update(roleId, data, idempotencyKey) {
+    const raw = await this.transport.send("PATCH", `/v1/roles/${encodeURIComponent(roleId)}`, {
+      body: data,
+      idempotencyKey
+    });
+    return hydrateRole(raw);
+  }
+  async delete(roleId) {
+    await this.transport.send("DELETE", `/v1/roles/${encodeURIComponent(roleId)}`);
+  }
+  async setPermissions(roleId, permissionKeys) {
+    const raw = await this.transport.send("PUT", `/v1/roles/${encodeURIComponent(roleId)}/permissions`, {
+      body: { permissions: permissionKeys }
+    });
+    return hydrateRole(raw);
+  }
+};
+var PermissionsManager = class extends Manager {
+  async list(params) {
+    const raw = await this.transport.send("GET", "/v1/permissions", {
+      query: (params ?? new ListParams()).toQuery()
+    });
+    return hydratePaginatedList(raw, hydratePermission);
+  }
+};
+function hydrateRole(raw) {
+  const obj = raw && typeof raw === "object" ? raw : {};
+  const perms = Array.isArray(obj.permissions) ? obj.permissions.filter((p) => typeof p === "string") : [];
+  return {
+    id: String(obj.id ?? ""),
+    object: "role",
+    key: String(obj.key ?? ""),
+    name: String(obj.name ?? ""),
+    description: obj.description ?? null,
+    isCreatorEligible: Boolean(obj.is_creator_eligible),
+    isDefault: Boolean(obj.is_default),
+    permissions: perms,
+    createdAt: typeof obj.created_at === "number" ? obj.created_at : 0,
+    updatedAt: typeof obj.updated_at === "number" ? obj.updated_at : 0,
+    raw: obj
+  };
+}
+function hydratePermission(raw) {
+  const obj = raw && typeof raw === "object" ? raw : {};
+  return {
+    id: String(obj.id ?? ""),
+    object: "permission",
+    key: String(obj.key ?? ""),
+    name: String(obj.name ?? ""),
+    description: obj.description ?? null,
+    isSystem: Boolean(obj.is_system),
+    createdAt: typeof obj.created_at === "number" ? obj.created_at : 0,
+    updatedAt: typeof obj.updated_at === "number" ? obj.updated_at : 0,
+    raw: obj
+  };
+}
+
+// src/resources/Sessions.ts
+var SessionsListParams = class extends ListParams {
+  constructor(userId, clientId, status, limit, offset, orderBy) {
+    super(limit, offset, orderBy);
+    this.userId = userId;
+    this.clientId = clientId;
+    this.status = status;
+  }
+  userId;
+  clientId;
+  status;
+  toQuery() {
+    const q = super.toQuery();
+    if (this.userId) q.user_id = this.userId;
+    if (this.clientId) q.client_id = this.clientId;
+    if (this.status?.length) q.status = this.status;
+    return q;
+  }
+};
+var SessionsManager = class extends Manager {
+  async list(params) {
+    const raw = await this.transport.send("GET", "/v1/sessions", {
+      query: (params ?? new SessionsListParams()).toQuery()
+    });
+    return hydratePaginatedList(raw, hydrateSession);
+  }
+  async get(sessionId) {
+    const raw = await this.transport.send("GET", `/v1/sessions/${encodeURIComponent(sessionId)}`);
+    return hydrateSession(raw);
+  }
+  async revoke(sessionId) {
+    const raw = await this.transport.send("POST", `/v1/sessions/${encodeURIComponent(sessionId)}/revoke`);
+    return hydrateSession(raw);
+  }
+  async getToken(sessionId, template) {
+    const path = template ? `/v1/sessions/${encodeURIComponent(sessionId)}/tokens/${encodeURIComponent(template)}` : `/v1/sessions/${encodeURIComponent(sessionId)}/tokens`;
+    const raw = await this.transport.send("POST", path);
+    return raw?.jwt ?? "";
+  }
+};
+function hydrateSession(raw) {
+  const obj = raw && typeof raw === "object" ? raw : {};
+  return {
+    id: String(obj.id ?? ""),
+    object: "session",
+    clientId: String(obj.client_id ?? ""),
+    userId: String(obj.user_id ?? ""),
+    status: String(obj.status ?? ""),
+    lastActiveAt: obj.last_active_at ?? null,
+    expireAt: obj.expire_at ?? null,
+    abandonAt: obj.abandon_at ?? null,
+    lastActiveOrganizationId: obj.last_active_organization_id ?? null,
+    createdAt: typeof obj.created_at === "number" ? obj.created_at : 0,
+    updatedAt: typeof obj.updated_at === "number" ? obj.updated_at : 0,
+    raw: obj
+  };
+}
+
+// src/resources/SmsTemplates.ts
+var SmsTemplatesManager = class extends Manager {
+  async list() {
+    const raw = await this.transport.send("GET", "/v1/sms-templates");
+    if (!Array.isArray(raw)) return [];
+    return raw.map(hydrateSmsTemplate);
+  }
+  async get(slug) {
+    const raw = await this.transport.send("GET", `/v1/sms-templates/${encodeURIComponent(slug)}`);
+    return hydrateSmsTemplate(raw);
+  }
+  async update(slug, data, idempotencyKey) {
+    const raw = await this.transport.send("PATCH", `/v1/sms-templates/${encodeURIComponent(slug)}`, {
+      body: data,
+      idempotencyKey
+    });
+    return hydrateSmsTemplate(raw);
+  }
+  async revert(slug, idempotencyKey) {
+    const raw = await this.transport.send("POST", `/v1/sms-templates/${encodeURIComponent(slug)}/revert`, {
+      idempotencyKey
+    });
+    return hydrateSmsTemplate(raw);
+  }
+};
+function hydrateSmsTemplate(raw) {
+  const obj = raw && typeof raw === "object" ? raw : {};
+  return {
+    id: String(obj.id ?? ""),
+    object: "sms_template",
+    slug: String(obj.slug ?? ""),
+    body: String(obj.body ?? ""),
+    deliveredByUs: Boolean(obj.delivered_by_us ?? true),
+    fromNumberOverride: obj.from_number_override ?? null,
+    createdAt: typeof obj.created_at === "number" ? obj.created_at : 0,
+    updatedAt: typeof obj.updated_at === "number" ? obj.updated_at : 0,
+    raw: obj
+  };
+}
+
+// src/resources/Users.ts
+var UsersListParams = class extends ListParams {
+  constructor(emailAddress, phoneNumber, username, externalId, query, limit, offset, orderBy) {
+    super(limit, offset, orderBy);
+    this.emailAddress = emailAddress;
+    this.phoneNumber = phoneNumber;
+    this.username = username;
+    this.externalId = externalId;
+    this.query = query;
+  }
+  emailAddress;
+  phoneNumber;
+  username;
+  externalId;
+  query;
+  toQuery() {
+    const q = super.toQuery();
+    if (this.emailAddress?.length) q.email_address = this.emailAddress;
+    if (this.phoneNumber?.length) q.phone_number = this.phoneNumber;
+    if (this.username?.length) q.username = this.username;
+    if (this.externalId?.length) q.external_id = this.externalId;
+    if (this.query) q.query = this.query;
+    return q;
+  }
+};
+var UsersManager = class extends Manager {
+  async list(params) {
+    const raw = await this.transport.send("GET", "/v1/users", {
+      query: (params ?? new UsersListParams()).toQuery()
+    });
+    return hydratePaginatedList(raw, hydrateUser);
+  }
+  async count(params) {
+    const raw = await this.transport.send("GET", "/v1/users/count", {
+      query: (params ?? new UsersListParams()).toQuery()
+    });
+    return raw?.total_count ?? 0;
+  }
+  async create(data, idempotencyKey) {
+    const raw = await this.transport.send("POST", "/v1/users", {
+      body: data,
+      idempotencyKey: idempotencyKey ?? idempotencyKeyFor(data)
+    });
+    return hydrateUser(raw);
+  }
+  async get(userId) {
+    const raw = await this.transport.send("GET", `/v1/users/${encodeURIComponent(userId)}`);
+    return hydrateUser(raw);
+  }
+  async update(userId, data, idempotencyKey) {
+    const raw = await this.transport.send("PATCH", `/v1/users/${encodeURIComponent(userId)}`, {
+      body: data,
+      idempotencyKey
+    });
+    return hydrateUser(raw);
+  }
+  async delete(userId) {
+    await this.transport.send("DELETE", `/v1/users/${encodeURIComponent(userId)}`);
+  }
+  async ban(userId) {
+    const raw = await this.transport.send("POST", `/v1/users/${encodeURIComponent(userId)}/ban`);
+    return hydrateUser(raw);
+  }
+  async unban(userId) {
+    const raw = await this.transport.send("POST", `/v1/users/${encodeURIComponent(userId)}/unban`);
+    return hydrateUser(raw);
+  }
+  async lock(userId) {
+    const raw = await this.transport.send("POST", `/v1/users/${encodeURIComponent(userId)}/lock`);
+    return hydrateUser(raw);
+  }
+  async unlock(userId) {
+    const raw = await this.transport.send("POST", `/v1/users/${encodeURIComponent(userId)}/unlock`);
+    return hydrateUser(raw);
+  }
+  async updateMetadata(userId, patch) {
+    const raw = await this.transport.send("PATCH", `/v1/users/${encodeURIComponent(userId)}/metadata`, {
+      body: patch
+    });
+    return hydrateUser(raw);
+  }
+  async verifyPassword(userId, password) {
+    const raw = await this.transport.send(
+      "POST",
+      `/v1/users/${encodeURIComponent(userId)}/verify-password`,
+      { body: { password } }
+    );
+    return raw?.verified === true;
+  }
+  async verifyTotp(userId, code) {
+    const raw = await this.transport.send(
+      "POST",
+      `/v1/users/${encodeURIComponent(userId)}/verify-totp`,
+      { body: { code } }
+    );
+    return { verified: raw?.verified === true, reason: raw?.reason ?? null };
+  }
+  async disableMfa(userId) {
+    const raw = await this.transport.send("DELETE", `/v1/users/${encodeURIComponent(userId)}/mfa`);
+    return hydrateUser(raw);
+  }
+  async uploadProfileImage(userId, bytes, mime) {
+    const headers = { "Content-Type": mime };
+    const raw = await this.transport.send("POST", `/v1/users/${encodeURIComponent(userId)}/profile-image`, {
+      body: bytes,
+      headers
+    });
+    return hydrateUser(raw);
+  }
+  async deleteProfileImage(userId) {
+    await this.transport.send("DELETE", `/v1/users/${encodeURIComponent(userId)}/profile-image`);
+  }
+};
+function hydrateUser(raw) {
+  const obj = raw && typeof raw === "object" ? raw : {};
+  const arr = (key) => Array.isArray(obj[key]) ? obj[key] : [];
+  const meta2 = (key) => obj[key] && typeof obj[key] === "object" ? obj[key] : {};
+  return {
+    id: String(obj.id ?? ""),
+    object: "user",
+    externalId: obj.external_id ?? null,
+    username: obj.username ?? null,
+    firstName: obj.first_name ?? null,
+    lastName: obj.last_name ?? null,
+    imageUrl: obj.image_url ?? null,
+    primaryEmailAddressId: obj.primary_email_address_id ?? null,
+    primaryPhoneNumberId: obj.primary_phone_number_id ?? null,
+    emailAddresses: arr("email_addresses"),
+    phoneNumbers: arr("phone_numbers"),
+    externalAccounts: arr("external_accounts"),
+    passwordEnabled: Boolean(obj.password_enabled),
+    totpEnabled: Boolean(obj.totp_enabled),
+    backupCodesEnabled: Boolean(obj.backup_codes_enabled),
+    twoFactorEnabled: Boolean(obj.two_factor_enabled),
+    banned: Boolean(obj.banned),
+    locked: Boolean(obj.locked),
+    lastSignInAt: obj.last_sign_in_at ?? null,
+    lastActiveAt: obj.last_active_at ?? null,
+    publicMetadata: meta2("public_metadata"),
+    privateMetadata: meta2("private_metadata"),
+    unsafeMetadata: meta2("unsafe_metadata"),
+    createdAt: typeof obj.created_at === "number" ? obj.created_at : 0,
+    updatedAt: typeof obj.updated_at === "number" ? obj.updated_at : 0,
+    raw: obj
+  };
+}
+
+// src/transport/Transport.ts
+var Transport = class {
+  apiUrl;
+  secretKey;
+  fetcher;
+  defaultTimeoutMs;
+  userAgent;
+  constructor(opts) {
+    this.apiUrl = opts.apiUrl.replace(/\/$/, "");
+    this.secretKey = opts.secretKey;
+    this.fetcher = opts.fetch ?? globalThis.fetch;
+    this.defaultTimeoutMs = opts.timeoutMs ?? 1e4;
+    const base = `@authn-sh/sdk-node`;
+    this.userAgent = opts.userAgentSuffix ? `${base} ${opts.userAgentSuffix}` : base;
+  }
+  /**
+   * Send a request and parse the response as JSON. For 204 returns `null`.
+   * Throws AuthnHttpError on non-2xx.
+   */
+  async send(method, path, opts = {}) {
+    const url = this.buildUrl(path, opts.query);
+    const headers = {
+      Authorization: `Bearer ${this.secretKey}`,
+      Accept: "application/json",
+      "User-Agent": this.userAgent,
+      ...opts.headers ?? {}
+    };
+    let body;
+    if (opts.body !== void 0 && opts.body !== null && method !== "GET" && method !== "DELETE") {
+      if (opts.body instanceof Uint8Array) {
+        body = opts.body;
+      } else {
+        headers["Content-Type"] = "application/json";
+        body = JSON.stringify(opts.body);
+      }
+    }
+    if (opts.idempotencyKey) {
+      headers["Idempotency-Key"] = opts.idempotencyKey;
+    }
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), opts.timeoutMs ?? this.defaultTimeoutMs);
+    let res;
+    try {
+      const init = { method, headers, signal: controller.signal };
+      if (body !== void 0) {
+        init.body = body;
+      }
+      res = await this.fetcher(url, init);
+    } finally {
+      clearTimeout(timeoutId);
+    }
+    const requestId = res.headers.get("x-request-id");
+    if (res.status === 204) {
+      return null;
+    }
+    const text = await res.text();
+    let parsed = null;
+    if (text.length > 0) {
+      try {
+        parsed = JSON.parse(text);
+      } catch {
+      }
+    }
+    if (!res.ok) {
+      const errors = this.extractApiErrors(parsed);
+      throw new AuthnHttpError(res.status, errors, requestId);
+    }
+    return parsed;
+  }
+  buildUrl(path, query) {
+    const base = `${this.apiUrl}${path.startsWith("/") ? path : "/" + path}`;
+    if (!query) return base;
+    const params = new URLSearchParams();
+    for (const [k, v] of Object.entries(query)) {
+      if (v === void 0 || v === null || v === "") continue;
+      if (Array.isArray(v)) {
+        for (const item of v) {
+          if (item !== void 0 && item !== null) params.append(k, String(item));
+        }
+      } else {
+        params.append(k, String(v));
+      }
+    }
+    const qs = params.toString();
+    return qs ? `${base}?${qs}` : base;
+  }
+  extractApiErrors(payload) {
+    if (payload && typeof payload === "object" && "errors" in payload && Array.isArray(payload.errors)) {
+      const out = [];
+      for (const entry of payload.errors) {
+        if (entry && typeof entry === "object") {
+          const e = entry;
+          const err = {
+            code: typeof e.code === "string" ? e.code : "unknown",
+            message: typeof e.message === "string" ? e.message : "Unknown error"
+          };
+          if (typeof e.long_message === "string") err.longMessage = e.long_message;
+          if (e.meta && typeof e.meta === "object") err.meta = e.meta;
+          out.push(err);
+        }
+      }
+      if (out.length > 0) return out;
+    }
+    return [{ code: "unknown", message: "Unknown error from authn.sh API" }];
+  }
+};
+
+// src/Authn.ts
+var Authn = class {
+  /** Underlying HTTP transport — exposed for advanced use cases. */
+  transport;
+  users;
+  sessions;
+  organizations;
+  oauthProviders;
+  phoneNumbers;
+  externalAccounts;
+  smsTemplates;
+  invitations;
+  allowlistIdentifiers;
+  blocklistIdentifiers;
+  redirectUrls;
+  roles;
+  permissions;
+  instance;
+  constructor(opts) {
+    if (!opts.secretKey || typeof opts.secretKey !== "string") {
+      throw new AuthnConfigError("Authn: secretKey is required.");
+    }
+    if (!opts.secretKey.startsWith("sk_test_") && !opts.secretKey.startsWith("sk_live_")) {
+      throw new AuthnConfigError("Authn: secretKey must start with sk_test_ or sk_live_.");
+    }
+    const transportOpts = {
+      apiUrl: opts.apiUrl ?? "https://api.authn.sh",
+      secretKey: opts.secretKey
+    };
+    if (opts.fetch !== void 0) transportOpts.fetch = opts.fetch;
+    if (opts.timeoutMs !== void 0) transportOpts.timeoutMs = opts.timeoutMs;
+    if (opts.userAgentSuffix !== void 0) transportOpts.userAgentSuffix = opts.userAgentSuffix;
+    this.transport = new Transport(transportOpts);
+    this.users = new UsersManager(this.transport);
+    this.sessions = new SessionsManager(this.transport);
+    this.organizations = new OrganizationsManager(this.transport);
+    this.oauthProviders = new OauthProvidersManager(this.transport);
+    this.phoneNumbers = new PhoneNumbersManager(this.transport);
+    this.externalAccounts = new ExternalAccountsManager(this.transport);
+    this.smsTemplates = new SmsTemplatesManager(this.transport);
+    this.invitations = new InvitationsManager(this.transport);
+    this.allowlistIdentifiers = new AllowlistIdentifiersManager(this.transport);
+    this.blocklistIdentifiers = new BlocklistIdentifiersManager(this.transport);
+    this.redirectUrls = new RedirectUrlsManager(this.transport);
+    this.roles = new RolesManager(this.transport);
+    this.permissions = new PermissionsManager(this.transport);
+    this.instance = new InstanceManager(this.transport);
+  }
+};
+
+// src/tokens/VerifiedClaims.ts
+var VerifiedClaims = class {
+  constructor(sub, sid, iss, azp, exp, iat, nbf, actor, organization, wasTest, twoFactorVerified, secondFactorAgeSeconds, firstFactorAgeSeconds, phoneNumberVerified, defaultSecondFactor, raw) {
+    this.sub = sub;
+    this.sid = sid;
+    this.iss = iss;
+    this.azp = azp;
+    this.exp = exp;
+    this.iat = iat;
+    this.nbf = nbf;
+    this.actor = actor;
+    this.organization = organization;
+    this.wasTest = wasTest;
+    this.twoFactorVerified = twoFactorVerified;
+    this.secondFactorAgeSeconds = secondFactorAgeSeconds;
+    this.firstFactorAgeSeconds = firstFactorAgeSeconds;
+    this.phoneNumberVerified = phoneNumberVerified;
+    this.defaultSecondFactor = defaultSecondFactor;
+    this.raw = raw;
+  }
+  sub;
+  sid;
+  iss;
+  azp;
+  exp;
+  iat;
+  nbf;
+  actor;
+  organization;
+  wasTest;
+  twoFactorVerified;
+  secondFactorAgeSeconds;
+  firstFactorAgeSeconds;
+  phoneNumberVerified;
+  defaultSecondFactor;
+  raw;
+  hasRole(roleKey) {
+    return this.organization?.role === roleKey;
+  }
+  hasPermission(permissionKey) {
+    return this.organization?.permissions.includes(permissionKey) ?? false;
+  }
+  hasVerifiedPhoneNumber() {
+    return this.phoneNumberVerified;
+  }
+  preferredSecondFactor() {
+    return this.defaultSecondFactor;
+  }
+};
+function buildVerifiedClaims(claims) {
+  const num = (k) => typeof claims[k] === "number" ? claims[k] : 0;
+  const numOrNull = (k) => typeof claims[k] === "number" ? claims[k] : null;
+  const str = (k) => typeof claims[k] === "string" ? claims[k] : "";
+  const strOrNull = (k) => typeof claims[k] === "string" ? claims[k] : null;
+  const actorRaw = claims["actor"];
+  const actor = actorRaw && typeof actorRaw === "object" ? {
+    iss: typeof actorRaw.iss === "string" ? actorRaw.iss : "",
+    sub: typeof actorRaw.sub === "string" ? actorRaw.sub : "",
+    sid: typeof actorRaw.sid === "string" ? actorRaw.sid : ""
+  } : null;
+  const orgRaw = claims["org"];
+  let organization = null;
+  if (orgRaw && typeof orgRaw === "object") {
+    const o = orgRaw;
+    const perms = Array.isArray(o.per) ? o.per.filter((p) => typeof p === "string") : [];
+    organization = {
+      id: typeof o.id === "string" ? o.id : "",
+      slug: typeof o.slg === "string" ? o.slg : void 0,
+      role: typeof o.rol === "string" ? o.rol : void 0,
+      permissions: perms
+    };
+  }
+  const dsfRaw = claims["dsf"];
+  const dsf = dsfRaw === "totp" || dsfRaw === "phone_code" || dsfRaw === "backup_code" ? dsfRaw : null;
+  return new VerifiedClaims(
+    str("sub"),
+    str("sid"),
+    str("iss"),
+    strOrNull("azp"),
+    num("exp"),
+    num("iat"),
+    numOrNull("nbf"),
+    actor,
+    organization,
+    claims["wt"] === true,
+    claims["tfv"] === true,
+    numOrNull("sfa"),
+    numOrNull("ffa"),
+    claims["pnv"] === true,
+    dsf,
+    claims
+  );
+}
+
+// src/tokens/TokenVerifier.ts
+var SUPPORTED_ALGS = ["RS256", "ES256", "ES384", "ES512"];
+var TokenVerifier = class {
+  frontendApiUrl;
+  jwks;
+  allowedClockSkew;
+  constructor(opts = {}) {
+    if (!opts.publishableKey && !opts.frontendApiUrl) {
+      throw new AuthnConfigError("TokenVerifier: either publishableKey or frontendApiUrl is required.");
+    }
+    this.frontendApiUrl = opts.frontendApiUrl ? opts.frontendApiUrl.replace(/\/$/, "") : decodeFrontendApiUrl(opts.publishableKey ?? "");
+    const jwksUrl = new URL(`${this.frontendApiUrl}/v1/jwks`);
+    this.jwks = createRemoteJWKSet(jwksUrl, {
+      cacheMaxAge: (opts.jwksCacheTtlSeconds ?? 600) * 1e3,
+      cooldownDuration: 3e4,
+      ...opts.fetch ? { [/* @__PURE__ */ Symbol.for("jose.fetch")]: opts.fetch } : {}
+    });
+    this.allowedClockSkew = opts.allowedClockSkewSeconds ?? 5;
+  }
+  /**
+   * Verify a JWT and return its claims. Throws AuthnTokenInvalidError on failure.
+   *
+   * @param expectedAzp If provided, the token's `azp` must match one of these.
+   */
+  async verify(jwt, expectedAzp = []) {
+    if (typeof jwt !== "string" || jwt === "") {
+      throw new AuthnTokenInvalidError("malformed", "Token is empty.");
+    }
+    let header;
+    try {
+      header = decodeProtectedHeader(jwt);
+    } catch (e) {
+      throw new AuthnTokenInvalidError("malformed", e.message);
+    }
+    if (!header.alg || !SUPPORTED_ALGS.includes(header.alg)) {
+      throw new AuthnTokenInvalidError("signature_invalid", `Unsupported alg: ${String(header.alg)}`);
+    }
+    let claims;
+    try {
+      const result = await jwtVerify(jwt, this.jwks, {
+        issuer: this.frontendApiUrl,
+        clockTolerance: this.allowedClockSkew,
+        algorithms: [...SUPPORTED_ALGS]
+      });
+      claims = result.payload;
+    } catch (e) {
+      const err = e;
+      const reason = mapJoseError(err.code);
+      throw new AuthnTokenInvalidError(reason, err.message);
+    }
+    if (expectedAzp.length > 0) {
+      const azp = typeof claims.azp === "string" ? claims.azp : null;
+      if (azp === null || !expectedAzp.includes(azp)) {
+        throw new AuthnTokenInvalidError(
+          "audience_mismatch",
+          `azp claim "${String(azp)}" did not match the expected origins.`
+        );
+      }
+    }
+    return buildVerifiedClaims(claims);
+  }
+  /**
+   * Same as `verify` but returns `null` on failure instead of throwing.
+   * Useful for "best-effort" auth that falls back to unauthenticated.
+   */
+  async tryVerify(jwt, expectedAzp = []) {
+    try {
+      return await this.verify(jwt, expectedAzp);
+    } catch {
+      return null;
+    }
+  }
+};
+function mapJoseError(code) {
+  switch (code) {
+    case "ERR_JWT_EXPIRED":
+      return "expired";
+    case "ERR_JWT_CLAIM_VALIDATION_FAILED":
+      return "issuer_mismatch";
+    case "ERR_JWS_SIGNATURE_VERIFICATION_FAILED":
+    case "ERR_JWS_INVALID":
+      return "signature_invalid";
+    case "ERR_JWKS_NO_MATCHING_KEY":
+      return "key_not_found";
+    case "ERR_JWKS_TIMEOUT":
+      return "jwks_fetch_failed";
+    default:
+      return "signature_invalid";
+  }
+}
+function decodeFrontendApiUrl(publishableKey) {
+  if (!publishableKey.startsWith("pk_test_") && !publishableKey.startsWith("pk_live_")) {
+    throw new AuthnConfigError(
+      `TokenVerifier: publishableKey must start with pk_test_ or pk_live_, got "${publishableKey.slice(0, 8)}\u2026".`
+    );
+  }
+  const payload = publishableKey.replace(/^pk_(test|live)_/, "").replace(/\$$/, "");
+  let host;
+  try {
+    host = atob(payload.replace(/-/g, "+").replace(/_/g, "/"));
+  } catch {
+    throw new AuthnConfigError(`TokenVerifier: publishableKey "${publishableKey.slice(0, 16)}\u2026" is not base64url.`);
+  }
+  if (host === "") {
+    throw new AuthnConfigError("TokenVerifier: publishableKey decoded to an empty host.");
+  }
+  return `https://${host.replace(/\/$/, "")}`;
+}
+var WebhookSignatureVerifier = class {
+  secrets;
+  tolerance;
+  now;
+  constructor(opts) {
+    const list = Array.isArray(opts.signingSecret) ? opts.signingSecret : [opts.signingSecret];
+    this.secrets = list.filter((s) => typeof s === "string" && s !== "");
+    if (this.secrets.length === 0) {
+      throw new Error("WebhookSignatureVerifier: at least one signing secret must be provided.");
+    }
+    this.tolerance = opts.toleranceSeconds ?? 300;
+    this.now = opts.now ?? (() => Math.floor(Date.now() / 1e3));
+  }
+  verify(rawBody, headers) {
+    const id = headerLine(headers, "svix-id");
+    const timestamp = headerLine(headers, "svix-timestamp");
+    const signature = headerLine(headers, "svix-signature");
+    if (!id || !timestamp || !signature) {
+      throw new AuthnWebhookSignatureInvalidError("missing_signature_header");
+    }
+    if (!/^\d+$/.test(timestamp)) {
+      throw new AuthnWebhookSignatureInvalidError("malformed_signature_header", "svix-timestamp must be a unix-second integer.");
+    }
+    const tsInt = parseInt(timestamp, 10);
+    if (Math.abs(this.now() - tsInt) > this.tolerance) {
+      throw new AuthnWebhookSignatureInvalidError("timestamp_too_old");
+    }
+    const signedPayload = `${id}.${timestamp}.${rawBody}`;
+    const providedSignatures = extractV1Signatures(signature);
+    if (providedSignatures.length === 0) {
+      throw new AuthnWebhookSignatureInvalidError("malformed_signature_header", "No v1 signatures found in svix-signature.");
+    }
+    if (!this.matchesAny(signedPayload, providedSignatures)) {
+      throw new AuthnWebhookSignatureInvalidError("no_matching_signature");
+    }
+    let payload;
+    try {
+      const parsed = JSON.parse(rawBody);
+      payload = parsed && typeof parsed === "object" ? parsed : {};
+    } catch {
+      throw new AuthnWebhookSignatureInvalidError("malformed_signature_header", "Webhook body is not JSON.");
+    }
+    return {
+      type: typeof payload.type === "string" ? payload.type : "",
+      data: payload.data && typeof payload.data === "object" ? payload.data : {},
+      timestamp: tsInt,
+      instanceId: typeof payload.instance_id === "string" ? payload.instance_id : "",
+      wasTest: payload.was_test === true,
+      messageId: id
+    };
+  }
+  tryVerify(rawBody, headers) {
+    try {
+      return this.verify(rawBody, headers);
+    } catch {
+      return null;
+    }
+  }
+  matchesAny(signedPayload, providedSignatures) {
+    for (const secret of this.secrets) {
+      const key = stripWhsecPrefix(secret);
+      const expected = createHmac("sha256", Buffer.from(key, "base64")).update(signedPayload).digest();
+      for (const sig of providedSignatures) {
+        let provided;
+        try {
+          provided = Buffer.from(sig, "base64");
+        } catch {
+          continue;
+        }
+        if (provided.length === expected.length && timingSafeEqual(provided, expected)) {
+          return true;
+        }
+      }
+    }
+    return false;
+  }
+};
+function headerLine(headers, name) {
+  const lookup = name.toLowerCase();
+  for (const [k, v] of Object.entries(headers)) {
+    if (k.toLowerCase() === lookup) {
+      if (Array.isArray(v)) return v[0] ?? null;
+      if (typeof v === "string") return v;
+    }
+  }
+  return null;
+}
+function extractV1Signatures(header) {
+  const parts = header.split(/\s+/);
+  const out = [];
+  for (const part of parts) {
+    const eqIndex = part.indexOf(",");
+    if (eqIndex === -1) continue;
+    const scheme = part.slice(0, eqIndex);
+    const value = part.slice(eqIndex + 1);
+    if (scheme === "v1") out.push(value);
+  }
+  return out;
+}
+function stripWhsecPrefix(secret) {
+  return secret.startsWith("whsec_") ? secret.slice(6) : secret;
+}
+
+export { AllowlistIdentifiersManager, Authn, AuthnConfigError, AuthnHttpError, AuthnTokenInvalidError, AuthnWebhookSignatureInvalidError, BlocklistIdentifiersManager, ExternalAccountsListParams, ExternalAccountsManager, InstanceManager, InvitationsListParams, InvitationsManager, ListParams, OauthProvidersManager, OrganizationDomainsManager, OrganizationInvitationsManager, OrganizationMembershipsManager, OrganizationsManager, PermissionsManager, PhoneNumbersListParams, PhoneNumbersManager, RedirectUrlsManager, RolesManager, SessionsListParams, SessionsManager, SmsTemplatesManager, TokenVerifier, Transport, UsersListParams, UsersManager, VerifiedClaims, WebhookSignatureVerifier, buildVerifiedClaims, decodeFrontendApiUrl, hydrateAllowlistIdentifier, hydrateBlocklistIdentifier, hydrateExternalAccount, hydrateInstance, hydrateInvitation, hydrateOauthProvider, hydrateOrganization, hydrateOrganizationDomain, hydrateOrganizationInvitation, hydrateOrganizationMembership, hydratePermission, hydratePhoneNumber, hydrateRedirectUrl, hydrateRole, hydrateSession, hydrateSmsTemplate, hydrateUser };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map