@banata-auth/sdk 0.1.0

package/dist/index.cjs

@@ -0,0 +1,1281 @@
+'use strict';
+
+var shared = require('@banata-auth/shared');
+
+// src/client.ts
+
+// src/resources/api-keys.ts
+var ApiKeys = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /**
+   * Create a new API key.
+   *
+   * @returns The created key metadata **plus** the raw `key` value.
+   *   The raw key is only returned at creation time and cannot be retrieved later.
+   */
+  async create(options) {
+    return this.http.post("/api/auth/api-key/create", {
+      name: options.name,
+      organizationId: options.organizationId,
+      permissions: options.permissions,
+      expiresAt: options.expiresAt instanceof Date ? options.expiresAt.toISOString() : options.expiresAt
+    });
+  }
+  /**
+   * List all API keys. The raw key value is **not** included.
+   */
+  async list() {
+    return this.http.get("/api/auth/api-key/list");
+  }
+  /**
+   * Delete (revoke) an API key by its ID.
+   */
+  async delete(keyId) {
+    return this.http.post("/api/auth/api-key/delete", { keyId });
+  }
+};
+
+// src/resources/audit-logs.ts
+var AuditLogs = class {
+  constructor(http) {
+    this.http = http;
+  }
+  async createEvent(options) {
+    return this.http.post("/api/auth/banata/audit-logs/create", {
+      action: options.action,
+      actorType: options.actorType,
+      actorId: options.actorId,
+      actorName: options.actorName,
+      actorEmail: options.actorEmail,
+      targets: options.targets ? JSON.stringify(options.targets) : void 0,
+      organizationId: options.organizationId,
+      ipAddress: options.ipAddress,
+      userAgent: options.userAgent,
+      changes: options.changes ? JSON.stringify(options.changes) : void 0,
+      idempotencyKey: options.idempotencyKey,
+      metadata: options.metadata ? JSON.stringify(options.metadata) : void 0,
+      occurredAt: options.occurredAt?.getTime()
+    });
+  }
+  async listEvents(options) {
+    return this.http.post("/api/auth/banata/audit-logs/list", {
+      organizationId: options?.organizationId,
+      action: options?.action,
+      actorId: options?.actorId,
+      after: options?.after,
+      before: options?.before,
+      limit: options?.limit
+    });
+  }
+  async exportEvents(options) {
+    return this.http.post("/api/auth/banata/audit-logs/export", {
+      organizationId: options.organizationId,
+      format: options.format,
+      startDate: options.startDate?.getTime(),
+      endDate: options.endDate?.getTime(),
+      action: options.action,
+      limit: options.limit,
+      cursor: options.cursor
+    });
+  }
+};
+
+// src/resources/directory-sync.ts
+var DirectorySync = class {
+  constructor(http) {
+    this.http = http;
+  }
+  async listDirectories(options) {
+    return this.http.post(
+      "/api/auth/banata/scim/list-providers",
+      this.http.withProjectScope(
+        {
+          organizationId: options?.organizationId,
+          limit: options?.limit,
+          before: options?.before,
+          after: options?.after
+        },
+        options?.projectId
+      )
+    );
+  }
+  async getDirectory(directoryId, options) {
+    return this.http.post(
+      "/api/auth/banata/scim/get-provider",
+      this.http.withProjectScope(
+        {
+          providerId: directoryId
+        },
+        options?.projectId
+      )
+    );
+  }
+  async createDirectory(options) {
+    return this.http.post(
+      "/api/auth/banata/scim/register",
+      this.http.withProjectScope(
+        {
+          organizationId: options.organizationId,
+          name: options.name,
+          provider: options.provider
+        },
+        options.projectId
+      )
+    );
+  }
+  async deleteDirectory(directoryId, options) {
+    return this.http.post(
+      "/api/auth/banata/scim/delete-provider",
+      this.http.withProjectScope(
+        {
+          providerId: directoryId
+        },
+        options?.projectId
+      )
+    );
+  }
+  async listUsers(options) {
+    return this.http.post(
+      "/api/auth/banata/scim/list-users",
+      this.http.withProjectScope(
+        {
+          providerId: options.directoryId,
+          state: options.state,
+          limit: options.limit,
+          before: options.before,
+          after: options.after
+        },
+        options.projectId
+      )
+    );
+  }
+  async getUser(directoryUserId, options) {
+    return this.http.post(
+      "/api/auth/banata/scim/get-user",
+      this.http.withProjectScope(
+        {
+          userId: directoryUserId
+        },
+        options?.projectId
+      )
+    );
+  }
+  async listGroups(options) {
+    return this.http.post(
+      "/api/auth/banata/scim/list-groups",
+      this.http.withProjectScope(
+        {
+          providerId: options.directoryId,
+          limit: options.limit,
+          before: options.before,
+          after: options.after
+        },
+        options.projectId
+      )
+    );
+  }
+  async getGroup(directoryGroupId, options) {
+    return this.http.post(
+      "/api/auth/banata/scim/get-group",
+      this.http.withProjectScope(
+        {
+          groupId: directoryGroupId
+        },
+        options?.projectId
+      )
+    );
+  }
+};
+
+// src/resources/domains.ts
+var Domains = class {
+  constructor(http) {
+    this.http = http;
+  }
+  async createVerification(options) {
+    return this.http.post(
+      "/api/auth/banata/domains/create",
+      this.http.withProjectScope(
+        {
+          organizationId: options.organizationId,
+          domain: options.domain
+        },
+        options.projectId
+      )
+    );
+  }
+  async getVerification(verificationId, options) {
+    return this.http.post(
+      "/api/auth/banata/domains/get",
+      this.http.withProjectScope(
+        {
+          id: verificationId
+        },
+        options?.projectId
+      )
+    );
+  }
+  async verify(verificationId, options) {
+    return this.http.post(
+      "/api/auth/banata/domains/verify",
+      this.http.withProjectScope(
+        {
+          id: verificationId
+        },
+        options?.projectId
+      )
+    );
+  }
+  async list(options) {
+    return this.http.post(
+      "/api/auth/banata/domains/list",
+      this.http.withProjectScope(
+        {
+          organizationId: options.organizationId,
+          limit: options.limit,
+          before: options.before,
+          after: options.after
+        },
+        options.projectId
+      )
+    );
+  }
+  async delete(verificationId, options) {
+    return this.http.post(
+      "/api/auth/banata/domains/delete",
+      this.http.withProjectScope(
+        {
+          id: verificationId
+        },
+        options?.projectId
+      )
+    );
+  }
+};
+
+// src/resources/emails.ts
+var Emails = class {
+  constructor(http) {
+    this.http = http;
+    this.templates = new EmailTemplates(http);
+  }
+  templates;
+  /**
+   * Send a transactional email using a built-in or custom template.
+   *
+   * The email is rendered using the configured branding (colors, logo,
+   * app name) and sent via the active email provider configured in the
+   * dashboard.
+   */
+  async send(options) {
+    return this.http.post("/api/auth/banata/emails/send", {
+      to: options.to,
+      template: options.template,
+      data: options.data
+    });
+  }
+  /**
+   * Preview a rendered email template.
+   *
+   * Returns the subject, HTML, and plain text of the template with
+   * the current branding applied. Uses sample data if none provided.
+   */
+  async preview(template, data) {
+    return this.http.post("/api/auth/banata/emails/preview", {
+      template,
+      data
+    });
+  }
+  /**
+   * Send a test email to verify the email provider configuration.
+   *
+   * Uses the "welcome" template by default with sample data.
+   */
+  async sendTest(to, template) {
+    return this.http.post("/api/auth/banata/test-email", {
+      to,
+      template
+    });
+  }
+};
+var EmailTemplates = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /**
+   * List all email templates, optionally filtered by category.
+   */
+  async list(category) {
+    const payload = await this.http.post(
+      "/api/auth/banata/emails/templates/list",
+      { category }
+    );
+    return payload.templates ?? [];
+  }
+  /**
+   * Get a single email template by ID or slug.
+   */
+  async get(idOrSlug) {
+    const payload = await this.http.post(
+      "/api/auth/banata/emails/templates/get",
+      { idOrSlug }
+    );
+    return payload.template ?? null;
+  }
+  /**
+   * Create a new custom email template.
+   */
+  async create(options) {
+    const payload = await this.http.post("/api/auth/banata/emails/templates/create", options);
+    if (!payload.success) {
+      throw new Error(payload.error ?? "Failed to create template");
+    }
+    return payload.template;
+  }
+  /**
+   * Update an existing email template.
+   */
+  async update(id, options) {
+    const payload = await this.http.post("/api/auth/banata/emails/templates/update", { id, ...options });
+    if (!payload.success) {
+      throw new Error(payload.error ?? "Failed to update template");
+    }
+    return payload.template;
+  }
+  /**
+   * Delete a custom email template.
+   * Built-in templates cannot be deleted.
+   */
+  async delete(id) {
+    const payload = await this.http.post(
+      "/api/auth/banata/emails/templates/delete",
+      { id }
+    );
+    if (!payload.success) {
+      throw new Error(payload.error ?? "Failed to delete template");
+    }
+  }
+};
+
+// src/resources/events.ts
+var Events = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /**
+   * List events with optional filters and cursor-based pagination.
+   */
+  async listEvents(options) {
+    return this.http.post("/api/auth/banata/events/list", {
+      eventTypes: options?.eventTypes,
+      after: options?.after,
+      limit: options?.limit,
+      organizationId: options?.organizationId,
+      rangeStart: options?.rangeStart?.getTime(),
+      rangeEnd: options?.rangeEnd?.getTime()
+    });
+  }
+};
+
+// src/resources/organizations.ts
+var Organizations = class {
+  constructor(http) {
+    this.http = http;
+  }
+  async listOrganizations(options) {
+    return this.http.post("/api/auth/organization/list", {
+      limit: options?.limit,
+      before: options?.before,
+      after: options?.after,
+      order: options?.order
+    });
+  }
+  async getOrganization(organizationId) {
+    return this.http.post("/api/auth/organization/get-full-organization", {
+      organizationId
+    });
+  }
+  async createOrganization(options) {
+    return this.http.post("/api/auth/organization/create", options);
+  }
+  async updateOrganization(options) {
+    const { organizationId, ...data } = options;
+    return this.http.post("/api/auth/organization/update", {
+      organizationId,
+      data
+    });
+  }
+  async deleteOrganization(organizationId) {
+    return this.http.post("/api/auth/organization/delete", {
+      organizationId
+    });
+  }
+  // ─── Members ───────────────────────────────────────────────────────────
+  async listMembers(options) {
+    return this.http.post(
+      "/api/auth/organization/list-members",
+      {
+        organizationId: options.organizationId,
+        role: options.role,
+        limit: options.limit,
+        before: options.before,
+        after: options.after
+      }
+    );
+  }
+  async removeMember(options) {
+    return this.http.post("/api/auth/organization/remove-member", options);
+  }
+  async updateMemberRole(options) {
+    return this.http.post("/api/auth/organization/update-member-role", options);
+  }
+  // ─── Invitations ───────────────────────────────────────────────────────
+  async sendInvitation(options) {
+    return this.http.post("/api/auth/organization/invite-member", options);
+  }
+  async revokeInvitation(invitationId) {
+    return this.http.post("/api/auth/organization/cancel-invitation", {
+      invitationId
+    });
+  }
+  async listInvitations(options) {
+    return this.http.post(
+      "/api/auth/organization/list-invitations",
+      {
+        organizationId: options.organizationId,
+        status: options.status,
+        limit: options.limit,
+        before: options.before,
+        after: options.after
+      }
+    );
+  }
+};
+
+// src/resources/portal.ts
+var Portal = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /**
+   * Generate a short-lived admin portal link for an organization's IT admin.
+   *
+   * @param options - Portal link generation options
+   * @returns The generated portal link and session metadata
+   */
+  async generateLink(options) {
+    return this.http.post("/banata/portal/generate-link", options);
+  }
+};
+
+// src/resources/projects.ts
+var Projects = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /**
+   * List all projects.
+   */
+  async listProjects() {
+    const res = await this.http.post("/api/auth/banata/projects/list");
+    return res.projects;
+  }
+  /**
+   * Get a single project by ID.
+   */
+  async getProject(id) {
+    const res = await this.http.post(
+      "/api/auth/banata/projects/get",
+      { id }
+    );
+    return res.project;
+  }
+  /**
+   * Create a new project.
+   * Returns the project and seeds RBAC permissions + super_admin role.
+   */
+  async createProject(data) {
+    return this.http.post("/api/auth/banata/projects/create", data);
+  }
+  /**
+   * Update a project's metadata.
+   */
+  async updateProject(id, update) {
+    return this.http.post("/api/auth/banata/projects/update", { id, ...update });
+  }
+  /**
+   * Delete a project.
+   *
+   * Note: This deletes the project record only. Project-scoped data (users,
+   * organizations, etc.) is not automatically cascade-deleted. Use the
+   * `clearAllData` migration for a full reset.
+   */
+  async deleteProject(id) {
+    return this.http.post("/api/auth/banata/projects/delete", { id });
+  }
+  /**
+   * Ensure at least one project exists. If none exist, creates a
+   * "Default Project" with seeded RBAC permissions.
+   */
+  async ensureDefaultProject() {
+    return this.http.post("/api/auth/banata/projects/ensure-default");
+  }
+};
+
+// src/resources/rbac.ts
+function normalizePermission(permission) {
+  if (typeof permission === "string") return permission;
+  return `${permission.resource}.${permission.action}`;
+}
+var Rbac = class {
+  constructor(http) {
+    this.http = http;
+  }
+  async listRoles() {
+    const result = await this.http.post(
+      "/api/auth/banata/config/roles/list",
+      {}
+    );
+    return result.roles ?? [];
+  }
+  async createRole(options) {
+    const result = await this.http.post(
+      "/api/auth/banata/config/roles/create",
+      options
+    );
+    return result.role;
+  }
+  async deleteRole(id) {
+    await this.http.post("/api/auth/banata/config/roles/delete", { id });
+  }
+  async listPermissions() {
+    const result = await this.http.post(
+      "/api/auth/banata/config/permissions/list",
+      {}
+    );
+    return result.permissions ?? [];
+  }
+  async createPermission(options) {
+    const result = await this.http.post(
+      "/api/auth/banata/config/permissions/create",
+      options
+    );
+    return result.permission;
+  }
+  async deletePermission(id) {
+    await this.http.post("/api/auth/banata/config/permissions/delete", { id });
+  }
+  async assignRole(options) {
+    await this.http.post("/api/auth/organization/update-member-role", {
+      memberIdOrUserId: options.userId,
+      role: options.role,
+      organizationId: options.organizationId
+    });
+  }
+  async checkPermission(options) {
+    return this.http.post("/api/auth/banata/rbac/check-permission", {
+      projectId: options.projectId,
+      permission: normalizePermission(options.permission)
+    });
+  }
+  async checkPermissions(options) {
+    return this.http.post("/api/auth/banata/rbac/check-permissions", {
+      projectId: options.projectId,
+      permissions: options.permissions.map(normalizePermission),
+      operator: options.operator ?? "all"
+    });
+  }
+  async getMyPermissions(projectId) {
+    const result = await this.http.post(
+      "/api/auth/banata/rbac/my-permissions",
+      {
+        projectId
+      }
+    );
+    return result.permissions ?? [];
+  }
+  async hasPermission(projectId, permission) {
+    const result = await this.checkPermission({
+      projectId,
+      permission
+    });
+    return result.allowed;
+  }
+  async requirePermission(projectId, permission) {
+    const allowed = await this.hasPermission(projectId, permission);
+    if (!allowed) {
+      throw new Error(`Missing permission: ${normalizePermission(permission)}`);
+    }
+  }
+  async revokeRole(options) {
+    await this.http.post("/api/auth/organization/update-member-role", {
+      memberIdOrUserId: options.userId,
+      role: options.fallbackRole ?? "super_admin",
+      organizationId: options.organizationId
+    });
+  }
+};
+
+// src/resources/sso.ts
+var SSO = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /**
+   * Get the authorization URL to redirect the user to for SSO.
+   * Supports routing by organization ID or callback URL.
+   */
+  async getAuthorizationUrl(options) {
+    return this.http.post("/api/auth/sign-in/sso", {
+      providerId: options.connectionId,
+      organizationId: options.organizationId,
+      issuer: options.provider,
+      loginHint: options.loginHint,
+      domain: options.domainHint,
+      callbackURL: options.redirectUri
+    });
+  }
+  /**
+   * @deprecated Better Auth handles SSO token exchange internally via callback.
+   * This method is kept for backward compatibility but will throw.
+   */
+  async getProfileAndToken(_options) {
+    throw new Error(
+      "getProfileAndToken() is not supported with Better Auth. SSO token exchange is handled internally via the callback URL."
+    );
+  }
+  // ─── Connection Management ─────────────────────────────────────────────
+  async listConnections(options) {
+    return this.http.post(
+      "/api/auth/banata/sso/list-providers",
+      this.http.withProjectScope(
+        {
+          organizationId: options?.organizationId,
+          connectionType: options?.connectionType,
+          limit: options?.limit,
+          before: options?.before,
+          after: options?.after
+        },
+        options?.projectId
+      )
+    );
+  }
+  async getConnection(connectionId, options) {
+    return this.http.post(
+      "/api/auth/banata/sso/get-provider",
+      this.http.withProjectScope(
+        {
+          providerId: connectionId
+        },
+        options?.projectId
+      )
+    );
+  }
+  async createConnection(options) {
+    return this.http.post(
+      "/api/auth/banata/sso/register",
+      this.http.withProjectScope(
+        {
+          organizationId: options.organizationId,
+          type: options.type,
+          domain: options.domains?.[0],
+          name: options.name,
+          domains: options.domains,
+          samlConfig: options.samlConfig,
+          oidcConfig: options.oidcConfig
+        },
+        options.projectId
+      )
+    );
+  }
+  async updateConnection(options) {
+    const { connectionId, projectId, ...body } = options;
+    return this.http.post(
+      "/api/auth/banata/sso/update-provider",
+      this.http.withProjectScope(
+        {
+          providerId: connectionId,
+          ...body
+        },
+        projectId
+      )
+    );
+  }
+  async deleteConnection(connectionId, options) {
+    return this.http.post(
+      "/api/auth/banata/sso/delete-provider",
+      this.http.withProjectScope(
+        {
+          providerId: connectionId
+        },
+        options?.projectId
+      )
+    );
+  }
+  async activateConnection(connectionId, options) {
+    return this.http.post(
+      "/api/auth/banata/sso/update-provider",
+      this.http.withProjectScope(
+        {
+          providerId: connectionId,
+          active: true
+        },
+        options?.projectId
+      )
+    );
+  }
+  async deactivateConnection(connectionId, options) {
+    return this.http.post(
+      "/api/auth/banata/sso/update-provider",
+      this.http.withProjectScope(
+        {
+          providerId: connectionId,
+          active: false
+        },
+        options?.projectId
+      )
+    );
+  }
+};
+
+// src/resources/user-management.ts
+function emptyListMetadata() {
+  return {
+    before: null,
+    after: null
+  };
+}
+var UserManagement = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /**
+   * List users with optional filtering and pagination.
+   */
+  async listUsers(options) {
+    const payload = await this.http.post("/api/auth/admin/list-users", {
+      projectId: options?.projectId,
+      email: options?.email,
+      organizationId: options?.organizationId,
+      role: options?.role,
+      limit: options?.limit,
+      before: options?.before,
+      after: options?.after,
+      order: options?.order
+    });
+    return {
+      data: payload.data ?? payload.users ?? [],
+      listMetadata: emptyListMetadata()
+    };
+  }
+  /**
+   * Get a user by ID.
+   */
+  async getUser(userId, options) {
+    return this.http.post("/api/auth/admin/get-user", {
+      userId,
+      projectId: options?.projectId
+    });
+  }
+  /**
+   * Create a new user.
+   */
+  async createUser(options) {
+    const payload = await this.http.post("/api/auth/admin/create-user", {
+      projectId: options.projectId,
+      email: options.email,
+      password: options.password,
+      name: options.name,
+      image: options.image,
+      username: options.username,
+      phoneNumber: options.phoneNumber,
+      emailVerified: options.emailVerified,
+      role: options.role ?? "user",
+      metadata: options.metadata,
+      data: options.data
+    });
+    return payload.user;
+  }
+  /**
+   * Update an existing user.
+   */
+  async updateUser(options) {
+    const { userId, ...body } = options;
+    return this.http.post("/api/auth/admin/update-user", {
+      userId,
+      ...body
+    });
+  }
+  /**
+   * Delete a user.
+   */
+  async deleteUser(userId, options) {
+    return this.http.post("/api/auth/admin/remove-user", {
+      userId,
+      projectId: options?.projectId
+    });
+  }
+  /**
+   * Ban a user.
+   */
+  async banUser(options) {
+    const payload = await this.http.post("/api/auth/admin/ban-user", {
+      userId: options.userId,
+      projectId: options.projectId,
+      banReason: options.reason,
+      banExpires: options.expiresAt?.getTime()
+    });
+    return payload.user;
+  }
+  /**
+   * Unban a user.
+   */
+  async unbanUser(userId, options) {
+    const payload = await this.http.post("/api/auth/admin/unban-user", {
+      userId,
+      projectId: options?.projectId
+    });
+    return payload.user;
+  }
+  /**
+   * List active sessions for a user.
+   */
+  async listUserSessions(userId, options) {
+    const payload = await this.http.post(
+      "/api/auth/admin/list-user-sessions",
+      {
+        userId,
+        projectId: options?.projectId
+      }
+    );
+    return {
+      data: payload.data ?? payload.sessions ?? [],
+      listMetadata: emptyListMetadata()
+    };
+  }
+  /**
+   * Start impersonating a user.
+   */
+  async impersonateUser(userId, options) {
+    return this.http.post("/api/auth/admin/impersonate-user", {
+      userId,
+      projectId: options?.projectId
+    });
+  }
+  /**
+   * Stop impersonating the current user.
+   */
+  async stopImpersonating() {
+    return this.http.post("/api/auth/admin/stop-impersonating");
+  }
+  /**
+   * Revoke a specific session.
+   */
+  async revokeSession(sessionId, options) {
+    return this.http.post("/api/auth/admin/revoke-user-session", {
+      sessionId,
+      projectId: options?.projectId
+    });
+  }
+  /**
+   * Revoke all sessions for a user.
+   */
+  async revokeAllSessions(userId, options) {
+    return this.http.post("/api/auth/admin/revoke-user-sessions", {
+      userId,
+      projectId: options?.projectId
+    });
+  }
+  /**
+   * Set a user's global role.
+   */
+  async setRole(userId, role, options) {
+    const payload = await this.http.post("/api/auth/admin/set-role", {
+      userId,
+      role,
+      projectId: options?.projectId
+    });
+    return payload.user;
+  }
+  /**
+   * Force-set a user's password.
+   */
+  async setUserPassword(userId, newPassword, options) {
+    const payload = await this.http.post("/api/auth/admin/set-user-password", {
+      userId,
+      newPassword,
+      projectId: options?.projectId
+    });
+    return payload.status === true;
+  }
+  /**
+   * Check whether a user or role has the requested permissions.
+   */
+  async hasPermission(options) {
+    const payload = await this.http.post("/api/auth/admin/has-permission", {
+      ...options
+    });
+    return payload.success === true;
+  }
+};
+
+// src/resources/vault.ts
+var Vault = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /**
+   * Encrypt and store a secret.
+   *
+   * @returns The ID of the stored secret.
+   */
+  async encrypt(options) {
+    return this.http.post("/api/auth/banata/vault/encrypt", options);
+  }
+  /**
+   * Decrypt and return a secret by ID.
+   *
+   * @param options.context - Must match the context used during encryption.
+   */
+  async decrypt(options) {
+    return this.http.post("/api/auth/banata/vault/decrypt", options);
+  }
+  /**
+   * List vault secrets (metadata only — decrypted values are never returned).
+   */
+  async list(options) {
+    return this.http.post("/api/auth/banata/vault/list", {
+      organizationId: options?.organizationId,
+      limit: options?.limit,
+      before: options?.before,
+      after: options?.after
+    });
+  }
+  /**
+   * Delete a vault secret by ID.
+   */
+  async delete(options) {
+    return this.http.post("/api/auth/banata/vault/delete", {
+      id: options.secretId
+    });
+  }
+  /**
+   * Rotate the encryption key by re-encrypting all secrets
+   * with the next version's derived key.
+   *
+   * @returns Status and count of rotated/failed secrets.
+   */
+  async rotateKey(options) {
+    return this.http.post("/api/auth/banata/vault/rotate-key", {
+      batchSize: options?.batchSize
+    });
+  }
+};
+
+// src/resources/webhooks.ts
+var Webhooks = class {
+  constructor(http) {
+    this.http = http;
+  }
+  // ─── Endpoint Management ───────────────────────────────────────────────
+  async listEndpoints(options) {
+    return this.http.post("/api/auth/banata/webhooks/list", {
+      limit: options?.limit,
+      before: options?.before,
+      after: options?.after
+    });
+  }
+  async createEndpoint(options) {
+    return this.http.post("/api/auth/banata/webhooks/create", options);
+  }
+  async updateEndpoint(options) {
+    const { endpointId, ...body } = options;
+    return this.http.post("/api/auth/banata/webhooks/update", {
+      id: endpointId,
+      ...body
+    });
+  }
+  async deleteEndpoint(endpointId) {
+    return this.http.post("/api/auth/banata/webhooks/delete", {
+      id: endpointId
+    });
+  }
+  // ─── Signature Verification ────────────────────────────────────────────
+  /**
+   * Verify a webhook signature and construct the event payload.
+   * Uses the Web Crypto API for HMAC-SHA256 signature verification.
+   *
+   * @example
+   * ```ts
+   * const event = await banataAuth.webhooks.constructEvent({
+   *   payload: req.body,
+   *   sigHeader: req.headers["x-banataauth-signature"],
+   *   secret: webhookSecret,
+   * });
+   * ```
+   */
+  async constructEvent(options) {
+    const { payload, sigHeader, secret, tolerance = 300 } = options;
+    if (!await this.verifySignature({ payload, sigHeader, secret, tolerance })) {
+      throw new Error("Invalid webhook signature");
+    }
+    return JSON.parse(payload);
+  }
+  /**
+   * Verify a webhook signature using the Web Crypto API (HMAC-SHA256).
+   */
+  async verifySignature(options) {
+    const { payload, sigHeader, secret, tolerance = 300 } = options;
+    const parts = sigHeader.split(",");
+    const timestampPart = parts.find((p) => p.startsWith("t="));
+    const signaturePart = parts.find((p) => p.startsWith("v1="));
+    if (!timestampPart || !signaturePart) {
+      return false;
+    }
+    const timestamp = Number.parseInt(timestampPart.slice(2), 10);
+    const signature = signaturePart.slice(3);
+    const now = Math.floor(Date.now() / 1e3);
+    if (Math.abs(now - timestamp) > tolerance) {
+      return false;
+    }
+    const signedPayload = `${timestamp}.${payload}`;
+    const expectedSignature = await this.computeHmacAsync(secret, signedPayload);
+    return this.timingSafeEqual(signature, expectedSignature);
+  }
+  async computeHmacAsync(secret, payload) {
+    const encoder = new TextEncoder();
+    const key = await crypto.subtle.importKey(
+      "raw",
+      encoder.encode(secret),
+      { name: "HMAC", hash: "SHA-256" },
+      false,
+      ["sign"]
+    );
+    const signatureBuffer = await crypto.subtle.sign("HMAC", key, encoder.encode(payload));
+    return Array.from(new Uint8Array(signatureBuffer)).map((b) => b.toString(16).padStart(2, "0")).join("");
+  }
+  timingSafeEqual(a, b) {
+    if (a.length !== b.length) return false;
+    let result = 0;
+    for (let i = 0; i < a.length; i++) {
+      result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+    }
+    return result === 0;
+  }
+};
+
+// src/client.ts
+var HttpClient = class {
+  apiKey;
+  baseUrl;
+  timeout;
+  maxRetries;
+  projectId;
+  constructor(options) {
+    this.apiKey = options.apiKey;
+    this.baseUrl = (options.baseUrl ?? "").replace(/\/$/, "");
+    this.timeout = options.timeout ?? 3e4;
+    this.maxRetries = options.retries ?? 3;
+    this.projectId = options.projectId;
+    if (this.baseUrl && !this.baseUrl.startsWith("https://") && !this.baseUrl.startsWith("http://localhost") && !this.baseUrl.startsWith("http://127.0.0.1")) {
+      console.warn(
+        "[BanataAuth SDK] WARNING: baseUrl does not use HTTPS. API keys will be transmitted in plaintext. Use HTTPS in production to protect your credentials."
+      );
+    }
+  }
+  withProjectScope(body, projectId) {
+    const resolvedProjectId = projectId ?? this.projectId;
+    if (!resolvedProjectId) {
+      return body;
+    }
+    return {
+      ...body,
+      projectId: resolvedProjectId
+    };
+  }
+  async request(method, path, options) {
+    const url = new URL(`${this.baseUrl}${path}`);
+    if (options?.query) {
+      for (const [key, value] of Object.entries(options.query)) {
+        if (value !== void 0) {
+          url.searchParams.set(key, String(value));
+        }
+      }
+    }
+    const headers = {
+      Authorization: `Bearer ${this.apiKey}`,
+      "Content-Type": "application/json",
+      "User-Agent": "banata-auth-sdk/0.1.0",
+      ...options?.headers
+    };
+    let lastError = null;
+    for (let attempt = 0; attempt <= this.maxRetries; attempt++) {
+      try {
+        const controller = new AbortController();
+        const timeoutId = setTimeout(() => controller.abort(), this.timeout);
+        const response = await fetch(url.toString(), {
+          method,
+          headers,
+          body: options?.body ? JSON.stringify(options.body) : void 0,
+          signal: controller.signal
+        });
+        clearTimeout(timeoutId);
+        const requestId = response.headers.get("x-request-id") ?? "";
+        if (response.ok) {
+          if (response.status === 204) {
+            return void 0;
+          }
+          return await response.json();
+        }
+        const errorBody = await response.json().catch(() => ({}));
+        const error = shared.createErrorFromStatus(
+          response.status,
+          errorBody,
+          requestId
+        );
+        if ((response.status >= 500 || response.status === 429) && attempt < this.maxRetries) {
+          lastError = error;
+          let delayMs = 200 * 2 ** attempt;
+          if (response.status === 429) {
+            const retryAfter = response.headers.get("retry-after");
+            if (retryAfter) {
+              const parsed = Number(retryAfter);
+              delayMs = Number.isNaN(parsed) ? Math.max(0, new Date(retryAfter).getTime() - Date.now()) : parsed * 1e3;
+              delayMs = Math.min(delayMs, 6e4);
+            }
+          }
+          await new Promise((resolve) => setTimeout(resolve, delayMs));
+          continue;
+        }
+        throw error;
+      } catch (error) {
+        if (error instanceof Error && error.name === "AbortError") {
+          lastError = new Error(`Request timed out after ${this.timeout}ms`);
+          if (attempt < this.maxRetries) {
+            await new Promise((resolve) => setTimeout(resolve, 200 * 2 ** attempt));
+            continue;
+          }
+        }
+        throw error;
+      }
+    }
+    throw lastError ?? new Error("Request failed after all retries");
+  }
+  get(path, query) {
+    return this.request("GET", path, { query });
+  }
+  post(path, body) {
+    return this.request("POST", path, { body });
+  }
+  put(path, body) {
+    return this.request("PUT", path, { body });
+  }
+  patch(path, body) {
+    return this.request("PATCH", path, { body });
+  }
+  delete(path) {
+    return this.request("DELETE", path);
+  }
+};
+var BanataAuth = class {
+  httpClient;
+  apiKeys;
+  userManagement;
+  organizations;
+  sso;
+  directorySync;
+  auditLogs;
+  emails;
+  events;
+  webhooks;
+  portal;
+  vault;
+  domains;
+  rbac;
+  projects;
+  constructor(options) {
+    const opts = typeof options === "string" ? { apiKey: options } : options;
+    if (!opts.apiKey) {
+      throw new Error(
+        "Banata Auth API key is required. Pass it as a string or as { apiKey: '...' }"
+      );
+    }
+    this.httpClient = new HttpClient(opts);
+    this.apiKeys = new ApiKeys(this.httpClient);
+    this.userManagement = new UserManagement(this.httpClient);
+    this.organizations = new Organizations(this.httpClient);
+    this.sso = new SSO(this.httpClient);
+    this.directorySync = new DirectorySync(this.httpClient);
+    this.auditLogs = new AuditLogs(this.httpClient);
+    this.emails = new Emails(this.httpClient);
+    this.events = new Events(this.httpClient);
+    this.webhooks = new Webhooks(this.httpClient);
+    this.portal = new Portal(this.httpClient);
+    this.vault = new Vault(this.httpClient);
+    this.domains = new Domains(this.httpClient);
+    this.rbac = new Rbac(this.httpClient);
+    this.projects = new Projects(this.httpClient);
+  }
+  // Convenience aliases (WorkOS-compatible)
+  get users() {
+    return this.userManagement;
+  }
+  get directories() {
+    return this.directorySync;
+  }
+  get orgs() {
+    return this.organizations;
+  }
+};
+
+Object.defineProperty(exports, "AuthenticationError", {
+  enumerable: true,
+  get: function () { return shared.AuthenticationError; }
+});
+Object.defineProperty(exports, "BanataAuthError", {
+  enumerable: true,
+  get: function () { return shared.BanataAuthError; }
+});
+Object.defineProperty(exports, "ConflictError", {
+  enumerable: true,
+  get: function () { return shared.ConflictError; }
+});
+Object.defineProperty(exports, "ForbiddenError", {
+  enumerable: true,
+  get: function () { return shared.ForbiddenError; }
+});
+Object.defineProperty(exports, "InternalError", {
+  enumerable: true,
+  get: function () { return shared.InternalError; }
+});
+Object.defineProperty(exports, "NotFoundError", {
+  enumerable: true,
+  get: function () { return shared.NotFoundError; }
+});
+Object.defineProperty(exports, "RateLimitError", {
+  enumerable: true,
+  get: function () { return shared.RateLimitError; }
+});
+Object.defineProperty(exports, "ValidationError", {
+  enumerable: true,
+  get: function () { return shared.ValidationError; }
+});
+exports.ApiKeys = ApiKeys;
+exports.AuditLogs = AuditLogs;
+exports.BanataAuth = BanataAuth;
+exports.DirectorySync = DirectorySync;
+exports.Domains = Domains;
+exports.Emails = Emails;
+exports.Events = Events;
+exports.Organizations = Organizations;
+exports.Portal = Portal;
+exports.Projects = Projects;
+exports.Rbac = Rbac;
+exports.SSO = SSO;
+exports.UserManagement = UserManagement;
+exports.Vault = Vault;
+exports.Webhooks = Webhooks;
+//# sourceMappingURL=index.cjs.map
+//# sourceMappingURL=index.cjs.map