@banata-auth/sdk 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (9) hide show
  1. package/LICENSE +21 -0
  2. package/README.md +71 -0
  3. package/dist/index.cjs +1281 -0
  4. package/dist/index.cjs.map +1 -0
  5. package/dist/index.d.cts +1095 -0
  6. package/dist/index.d.ts +1095 -0
  7. package/dist/index.js +1234 -0
  8. package/dist/index.js.map +1 -0
  9. package/package.json +55 -0
package/dist/index.d.cts ADDED
@@ -0,0 +1,1095 @@
1
+ import { ApiKey, AuditEvent, PaginatedResult, Directory, DirectoryProvider, DirectoryUser, DirectoryGroup, DomainVerification, Organization, OrganizationMember, OrganizationInvitation, SsoProfile, SsoConnection, User, Session, VaultSecret, WebhookEndpoint, WebhookEvent } from '@banata-auth/shared';
2
+ export { ApiKey, AuditEvent, AuthenticationError, BanataAuthError, ConflictError, Directory, DirectoryGroup, DirectoryUser, DomainVerification, ForbiddenError, InternalError, ListMetadata, NotFoundError, Organization, OrganizationInvitation, OrganizationMember, PaginatedResult, PortalSession, Project, RateLimitError, Session, SsoConnection, SsoProfile, Team, User, ValidationError, VaultSecret, WebhookEndpoint, WebhookEvent } from '@banata-auth/shared';
3
+
4
+ /**
5
+ * API Keys resource.
6
+ * Manages API key lifecycle — creation, listing, and deletion.
7
+ */
8
+ declare class ApiKeys {
9
+ private readonly http;
10
+ constructor(http: HttpClient);
11
+ /**
12
+ * Create a new API key.
13
+ *
14
+ * @returns The created key metadata **plus** the raw `key` value.
15
+ * The raw key is only returned at creation time and cannot be retrieved later.
16
+ */
17
+ create(options: {
18
+ name: string;
19
+ /** Restrict the key to a specific organization. */
20
+ organizationId?: string;
21
+ /** Scoped permissions for this key. */
22
+ permissions?: string[];
23
+ /** When the key should expire (ISO 8601 or Date). */
24
+ expiresAt?: Date | string;
25
+ }): Promise<ApiKey & {
26
+ key: string;
27
+ }>;
28
+ /**
29
+ * List all API keys. The raw key value is **not** included.
30
+ */
31
+ list(): Promise<ApiKey[]>;
32
+ /**
33
+ * Delete (revoke) an API key by its ID.
34
+ */
35
+ delete(keyId: string): Promise<void>;
36
+ }
37
+
38
+ interface CreateAuditEventOptions {
39
+ action: string;
40
+ actorType: AuditEvent["actor"]["type"];
41
+ actorId: string;
42
+ actorName?: string;
43
+ actorEmail?: string;
44
+ targets?: AuditEvent["targets"];
45
+ organizationId?: string;
46
+ ipAddress?: string;
47
+ userAgent?: string;
48
+ changes?: AuditEvent["changes"];
49
+ idempotencyKey?: string;
50
+ metadata?: Record<string, string>;
51
+ occurredAt?: Date;
52
+ }
53
+ interface ListAuditEventsOptions {
54
+ organizationId?: string;
55
+ /** Filter by a single action string. */
56
+ action?: string;
57
+ actorId?: string;
58
+ after?: string;
59
+ before?: string;
60
+ limit?: number;
61
+ }
62
+ interface ExportAuditEventsOptions {
63
+ organizationId?: string;
64
+ format: "csv" | "json";
65
+ /** Start of the date range (converted to epoch ms). */
66
+ startDate?: Date;
67
+ /** End of the date range (converted to epoch ms). */
68
+ endDate?: Date;
69
+ /** Filter by a single action string. */
70
+ action?: string;
71
+ limit?: number;
72
+ /** Cursor for pagination (epoch ms number from the backend). */
73
+ cursor?: number;
74
+ }
75
+ interface ExportAuditEventsResult {
76
+ data: AuditEvent[];
77
+ count: number;
78
+ /** Cursor for next page (epoch ms number). */
79
+ nextCursor?: number;
80
+ }
81
+ declare class AuditLogs {
82
+ private readonly http;
83
+ constructor(http: HttpClient);
84
+ createEvent(options: CreateAuditEventOptions): Promise<AuditEvent>;
85
+ listEvents(options?: ListAuditEventsOptions): Promise<PaginatedResult<AuditEvent>>;
86
+ exportEvents(options: ExportAuditEventsOptions): Promise<ExportAuditEventsResult>;
87
+ }
88
+
89
+ declare class DirectorySync {
90
+ private readonly http;
91
+ constructor(http: HttpClient);
92
+ listDirectories(options?: {
93
+ organizationId?: string;
94
+ limit?: number;
95
+ before?: string;
96
+ after?: string;
97
+ projectId?: string;
98
+ }): Promise<PaginatedResult<Directory>>;
99
+ getDirectory(directoryId: string, options?: {
100
+ projectId?: string;
101
+ }): Promise<Directory>;
102
+ createDirectory(options: {
103
+ organizationId: string;
104
+ name: string;
105
+ provider: DirectoryProvider;
106
+ projectId?: string;
107
+ }): Promise<Directory & {
108
+ scimConfig: {
109
+ baseUrl: string;
110
+ bearerToken: string;
111
+ };
112
+ }>;
113
+ deleteDirectory(directoryId: string, options?: {
114
+ projectId?: string;
115
+ }): Promise<void>;
116
+ listUsers(options: {
117
+ directoryId: string;
118
+ state?: "active" | "suspended" | "deprovisioned";
119
+ limit?: number;
120
+ before?: string;
121
+ after?: string;
122
+ projectId?: string;
123
+ }): Promise<PaginatedResult<DirectoryUser>>;
124
+ getUser(directoryUserId: string, options?: {
125
+ projectId?: string;
126
+ }): Promise<DirectoryUser>;
127
+ listGroups(options: {
128
+ directoryId: string;
129
+ limit?: number;
130
+ before?: string;
131
+ after?: string;
132
+ projectId?: string;
133
+ }): Promise<PaginatedResult<DirectoryGroup>>;
134
+ getGroup(directoryGroupId: string, options?: {
135
+ projectId?: string;
136
+ }): Promise<DirectoryGroup>;
137
+ }
138
+
139
+ declare class Domains {
140
+ private readonly http;
141
+ constructor(http: HttpClient);
142
+ createVerification(options: {
143
+ organizationId: string;
144
+ domain: string;
145
+ projectId?: string;
146
+ }): Promise<DomainVerification>;
147
+ getVerification(verificationId: string, options?: {
148
+ projectId?: string;
149
+ }): Promise<DomainVerification>;
150
+ verify(verificationId: string, options?: {
151
+ projectId?: string;
152
+ }): Promise<DomainVerification>;
153
+ list(options: {
154
+ organizationId: string;
155
+ limit?: number;
156
+ before?: string;
157
+ after?: string;
158
+ projectId?: string;
159
+ }): Promise<PaginatedResult<DomainVerification>>;
160
+ delete(verificationId: string, options?: {
161
+ projectId?: string;
162
+ }): Promise<void>;
163
+ }
164
+
165
+ /**
166
+ * Built-in email template types supported by Banata Auth.
167
+ */
168
+ type BuiltInEmailTemplateType = "verification" | "password-reset" | "magic-link" | "email-otp" | "invitation" | "welcome";
169
+ /**
170
+ * Options for sending an email via the SDK.
171
+ */
172
+ interface SendEmailOptions {
173
+ /** Recipient email address. */
174
+ to: string;
175
+ /**
176
+ * Template to render.
177
+ * Can be a built-in type (e.g. "verification") or a custom template slug
178
+ * (e.g. "marketing-welcome", "onboarding-day-3").
179
+ */
180
+ template: string;
181
+ /**
182
+ * Data/variables for the template. Shape depends on the template:
183
+ *
184
+ * Built-in templates:
185
+ * - `verification`: `{ userName, verificationUrl, token }`
186
+ * - `password-reset`: `{ userName, resetUrl, token }`
187
+ * - `magic-link`: `{ email, magicLinkUrl, token }`
188
+ * - `email-otp`: `{ email, otp }`
189
+ * - `invitation`: `{ email, invitationId, organizationName, inviterName, acceptUrl? }`
190
+ * - `welcome`: `{ userName, dashboardUrl? }`
191
+ *
192
+ * Custom templates: Keys match `{{variable}}` placeholders in the template blocks.
193
+ */
194
+ data: Record<string, unknown>;
195
+ }
196
+ /**
197
+ * Result of sending an email.
198
+ */
199
+ interface SendEmailResult {
200
+ success: boolean;
201
+ messageId?: string;
202
+ error?: string;
203
+ }
204
+ /**
205
+ * Preview of a rendered email template.
206
+ */
207
+ interface EmailPreview {
208
+ subject: string;
209
+ html: string;
210
+ text: string;
211
+ }
212
+ /**
213
+ * Email template category.
214
+ */
215
+ type EmailTemplateCategory = "auth" | "marketing" | "transactional" | "onboarding" | "notification" | "custom";
216
+ /**
217
+ * An email template definition (returned by the API).
218
+ */
219
+ interface EmailTemplate {
220
+ id: string;
221
+ name: string;
222
+ slug: string;
223
+ subject: string;
224
+ previewText?: string | null;
225
+ category: string;
226
+ description?: string | null;
227
+ blocksJson: string;
228
+ variablesJson?: string | null;
229
+ builtIn: boolean;
230
+ builtInType?: string | null;
231
+ createdAt: number;
232
+ updatedAt: number;
233
+ }
234
+ /**
235
+ * Options for creating a new email template.
236
+ */
237
+ interface CreateEmailTemplateOptions {
238
+ name: string;
239
+ slug: string;
240
+ subject: string;
241
+ previewText?: string;
242
+ category: EmailTemplateCategory;
243
+ description?: string;
244
+ /** JSON-serialized EmailBlock[] array. */
245
+ blocksJson: string;
246
+ /** JSON-serialized EmailTemplateVariable[] array. */
247
+ variablesJson?: string;
248
+ }
249
+ /**
250
+ * Options for updating an existing email template.
251
+ */
252
+ interface UpdateEmailTemplateOptions {
253
+ name?: string;
254
+ slug?: string;
255
+ subject?: string;
256
+ previewText?: string;
257
+ category?: EmailTemplateCategory;
258
+ description?: string;
259
+ blocksJson?: string;
260
+ variablesJson?: string;
261
+ }
262
+ /**
263
+ * Emails resource.
264
+ * Send transactional emails, manage custom email templates, and preview
265
+ * templates using the configured email provider.
266
+ *
267
+ * @example
268
+ * ```ts
269
+ * const banataAuth = new BanataAuth({ apiKey: "sk_live_..." });
270
+ *
271
+ * // Send a built-in welcome email
272
+ * await banataAuth.emails.send({
273
+ * to: "user@example.com",
274
+ * template: "welcome",
275
+ * data: { userName: "Jane Doe", dashboardUrl: "https://app.example.com" },
276
+ * });
277
+ *
278
+ * // Send a custom template
279
+ * await banataAuth.emails.send({
280
+ * to: "user@example.com",
281
+ * template: "marketing-welcome",
282
+ * data: { userName: "Jane", promoCode: "WELCOME10" },
283
+ * });
284
+ *
285
+ * // List all templates
286
+ * const templates = await banataAuth.emails.templates.list();
287
+ *
288
+ * // Create a custom template
289
+ * await banataAuth.emails.templates.create({
290
+ * name: "Marketing Welcome",
291
+ * slug: "marketing-welcome",
292
+ * subject: "Welcome, {{userName}}!",
293
+ * category: "marketing",
294
+ * blocksJson: JSON.stringify([...blocks]),
295
+ * });
296
+ * ```
297
+ */
298
+ declare class Emails {
299
+ private readonly http;
300
+ readonly templates: EmailTemplates;
301
+ constructor(http: HttpClient);
302
+ /**
303
+ * Send a transactional email using a built-in or custom template.
304
+ *
305
+ * The email is rendered using the configured branding (colors, logo,
306
+ * app name) and sent via the active email provider configured in the
307
+ * dashboard.
308
+ */
309
+ send(options: SendEmailOptions): Promise<SendEmailResult>;
310
+ /**
311
+ * Preview a rendered email template.
312
+ *
313
+ * Returns the subject, HTML, and plain text of the template with
314
+ * the current branding applied. Uses sample data if none provided.
315
+ */
316
+ preview(template: string, data?: Record<string, unknown>): Promise<EmailPreview>;
317
+ /**
318
+ * Send a test email to verify the email provider configuration.
319
+ *
320
+ * Uses the "welcome" template by default with sample data.
321
+ */
322
+ sendTest(to: string, template?: string): Promise<{
323
+ success: boolean;
324
+ message?: string;
325
+ }>;
326
+ }
327
+ /**
328
+ * Email templates sub-resource for CRUD operations on custom email templates.
329
+ */
330
+ declare class EmailTemplates {
331
+ private readonly http;
332
+ constructor(http: HttpClient);
333
+ /**
334
+ * List all email templates, optionally filtered by category.
335
+ */
336
+ list(category?: EmailTemplateCategory): Promise<EmailTemplate[]>;
337
+ /**
338
+ * Get a single email template by ID or slug.
339
+ */
340
+ get(idOrSlug: string): Promise<EmailTemplate | null>;
341
+ /**
342
+ * Create a new custom email template.
343
+ */
344
+ create(options: CreateEmailTemplateOptions): Promise<EmailTemplate>;
345
+ /**
346
+ * Update an existing email template.
347
+ */
348
+ update(id: string, options: UpdateEmailTemplateOptions): Promise<EmailTemplate>;
349
+ /**
350
+ * Delete a custom email template.
351
+ * Built-in templates cannot be deleted.
352
+ */
353
+ delete(id: string): Promise<void>;
354
+ }
355
+
356
+ interface ListEventsOptions {
357
+ /** Filter by one or more event types (action strings). */
358
+ eventTypes?: string[];
359
+ /** Cursor for forward pagination. */
360
+ after?: string;
361
+ /** Maximum number of events to return. Default: 50, max: 200. */
362
+ limit?: number;
363
+ /** Filter by organization. */
364
+ organizationId?: string;
365
+ /** Range start date. */
366
+ rangeStart?: Date;
367
+ /** Range end date. */
368
+ rangeEnd?: Date;
369
+ }
370
+ interface EventPayload {
371
+ id: string;
372
+ type: string;
373
+ data: Record<string, unknown>;
374
+ createdAt: number;
375
+ }
376
+ interface ListEventsResult {
377
+ data: EventPayload[];
378
+ cursor?: string;
379
+ hasMore: boolean;
380
+ }
381
+ /**
382
+ * Events resource.
383
+ *
384
+ * Provides a pollable, unified event stream sourced from audit log records.
385
+ * Use this as an alternative to webhooks for consuming auth events.
386
+ */
387
+ declare class Events {
388
+ private readonly http;
389
+ constructor(http: HttpClient);
390
+ /**
391
+ * List events with optional filters and cursor-based pagination.
392
+ */
393
+ listEvents(options?: ListEventsOptions): Promise<ListEventsResult>;
394
+ }
395
+
396
+ interface ListOrganizationsOptions {
397
+ limit?: number;
398
+ before?: string;
399
+ after?: string;
400
+ order?: "asc" | "desc";
401
+ }
402
+ interface CreateOrganizationOptions {
403
+ name: string;
404
+ slug?: string;
405
+ logo?: string;
406
+ metadata?: Record<string, unknown>;
407
+ requireMfa?: boolean;
408
+ allowedEmailDomains?: string[];
409
+ maxMembers?: number;
410
+ }
411
+ interface UpdateOrganizationOptions {
412
+ organizationId: string;
413
+ name?: string;
414
+ slug?: string;
415
+ logo?: string | null;
416
+ metadata?: Record<string, unknown>;
417
+ requireMfa?: boolean;
418
+ ssoEnforced?: boolean;
419
+ allowedEmailDomains?: string[] | null;
420
+ maxMembers?: number | null;
421
+ }
422
+ interface ListMembersOptions {
423
+ organizationId: string;
424
+ role?: string;
425
+ limit?: number;
426
+ before?: string;
427
+ after?: string;
428
+ }
429
+ interface SendInvitationOptions {
430
+ organizationId: string;
431
+ email: string;
432
+ role: string;
433
+ }
434
+ /**
435
+ * Organizations resource.
436
+ * Handles organization CRUD, member management, and invitations.
437
+ */
438
+ declare class Organizations {
439
+ private readonly http;
440
+ constructor(http: HttpClient);
441
+ listOrganizations(options?: ListOrganizationsOptions): Promise<PaginatedResult<Organization>>;
442
+ getOrganization(organizationId: string): Promise<Organization>;
443
+ createOrganization(options: CreateOrganizationOptions): Promise<Organization>;
444
+ updateOrganization(options: UpdateOrganizationOptions): Promise<Organization>;
445
+ deleteOrganization(organizationId: string): Promise<void>;
446
+ listMembers(options: ListMembersOptions): Promise<PaginatedResult<OrganizationMember>>;
447
+ removeMember(options: {
448
+ organizationId: string;
449
+ memberIdOrUserId: string;
450
+ }): Promise<void>;
451
+ updateMemberRole(options: {
452
+ organizationId: string;
453
+ memberIdOrUserId: string;
454
+ role: string;
455
+ }): Promise<OrganizationMember>;
456
+ sendInvitation(options: SendInvitationOptions): Promise<OrganizationInvitation>;
457
+ revokeInvitation(invitationId: string): Promise<void>;
458
+ listInvitations(options: {
459
+ organizationId: string;
460
+ status?: string;
461
+ limit?: number;
462
+ before?: string;
463
+ after?: string;
464
+ }): Promise<PaginatedResult<OrganizationInvitation>>;
465
+ }
466
+
467
+ type PortalIntent = "sso" | "dsync" | "domain_verification" | "audit_logs" | "log_streams" | "users";
468
+ interface GeneratePortalLinkOptions {
469
+ /** The organization to generate a portal link for. */
470
+ organizationId: string;
471
+ /** The portal section to open. */
472
+ intent: PortalIntent;
473
+ /** URL to redirect the admin back to after completing the portal flow. */
474
+ returnUrl?: string;
475
+ /** Session lifetime in seconds. Default: 300 (5 minutes). Max: 3600 (1 hour). */
476
+ expiresIn?: number;
477
+ }
478
+ interface PortalLinkResult {
479
+ /** The generated portal URL with embedded session token. */
480
+ link: string;
481
+ /** The portal session ID. */
482
+ sessionId: string;
483
+ /** The portal intent. */
484
+ intent: PortalIntent;
485
+ /** The organization ID. */
486
+ organizationId: string;
487
+ /** ISO 8601 expiration timestamp. */
488
+ expiresAt: string;
489
+ }
490
+ /**
491
+ * Portal resource.
492
+ *
493
+ * Generates short-lived admin portal links for organization IT admins.
494
+ * Each link grants access to a specific portal section (SSO config,
495
+ * Directory Sync, Audit Logs, etc.) within an organization context.
496
+ */
497
+ declare class Portal {
498
+ private readonly http;
499
+ constructor(http: HttpClient);
500
+ /**
501
+ * Generate a short-lived admin portal link for an organization's IT admin.
502
+ *
503
+ * @param options - Portal link generation options
504
+ * @returns The generated portal link and session metadata
505
+ */
506
+ generateLink(options: GeneratePortalLinkOptions): Promise<PortalLinkResult>;
507
+ }
508
+
509
+ interface SdkProject {
510
+ id: string;
511
+ name: string;
512
+ slug: string;
513
+ description?: string;
514
+ logoUrl?: string;
515
+ ownerId: string;
516
+ createdAt: number;
517
+ updatedAt: number;
518
+ }
519
+ interface CreateProjectOptions {
520
+ name: string;
521
+ slug: string;
522
+ description?: string;
523
+ logoUrl?: string;
524
+ }
525
+ interface UpdateProjectOptions {
526
+ name?: string;
527
+ slug?: string;
528
+ description?: string;
529
+ logoUrl?: string;
530
+ }
531
+ /**
532
+ * Manage projects.
533
+ *
534
+ * Each project is a fully isolated auth tenant with its own users, sessions,
535
+ * organizations, branding, email templates, API keys, webhooks, etc.
536
+ */
537
+ declare class Projects {
538
+ private readonly http;
539
+ constructor(http: HttpClient);
540
+ /**
541
+ * List all projects.
542
+ */
543
+ listProjects(): Promise<SdkProject[]>;
544
+ /**
545
+ * Get a single project by ID.
546
+ */
547
+ getProject(id: string): Promise<SdkProject | null>;
548
+ /**
549
+ * Create a new project.
550
+ * Returns the project and seeds RBAC permissions + super_admin role.
551
+ */
552
+ createProject(data: CreateProjectOptions): Promise<{
553
+ success: boolean;
554
+ project?: SdkProject;
555
+ error?: string;
556
+ }>;
557
+ /**
558
+ * Update a project's metadata.
559
+ */
560
+ updateProject(id: string, update: UpdateProjectOptions): Promise<{
561
+ success: boolean;
562
+ project?: SdkProject;
563
+ error?: string;
564
+ }>;
565
+ /**
566
+ * Delete a project.
567
+ *
568
+ * Note: This deletes the project record only. Project-scoped data (users,
569
+ * organizations, etc.) is not automatically cascade-deleted. Use the
570
+ * `clearAllData` migration for a full reset.
571
+ */
572
+ deleteProject(id: string): Promise<{
573
+ success: boolean;
574
+ }>;
575
+ /**
576
+ * Ensure at least one project exists. If none exist, creates a
577
+ * "Default Project" with seeded RBAC permissions.
578
+ */
579
+ ensureDefaultProject(): Promise<{
580
+ created: boolean;
581
+ project: SdkProject | null;
582
+ }>;
583
+ }
584
+
585
+ interface RoleDefinition {
586
+ id: string;
587
+ name: string;
588
+ slug: string;
589
+ description: string;
590
+ permissions: string[];
591
+ isDefault: boolean;
592
+ createdAt: string;
593
+ }
594
+ interface PermissionDefinition {
595
+ id: string;
596
+ name: string;
597
+ slug: string;
598
+ description: string;
599
+ createdAt: string;
600
+ }
601
+ interface CreateRoleOptions {
602
+ name: string;
603
+ slug: string;
604
+ description?: string;
605
+ }
606
+ interface CreatePermissionOptions {
607
+ name: string;
608
+ slug: string;
609
+ description?: string;
610
+ }
611
+ interface AssignRoleOptions {
612
+ organizationId: string;
613
+ userId: string;
614
+ role: string;
615
+ }
616
+ interface PermissionCheck {
617
+ resource: string;
618
+ action: string;
619
+ }
620
+ interface CheckPermissionOptions {
621
+ projectId: string;
622
+ permission: string | PermissionCheck;
623
+ }
624
+ interface CheckPermissionsOptions {
625
+ projectId: string;
626
+ permissions: Array<string | PermissionCheck>;
627
+ operator?: "all" | "any";
628
+ }
629
+ declare class Rbac {
630
+ private readonly http;
631
+ constructor(http: HttpClient);
632
+ listRoles(): Promise<RoleDefinition[]>;
633
+ createRole(options: CreateRoleOptions): Promise<RoleDefinition>;
634
+ deleteRole(id: string): Promise<void>;
635
+ listPermissions(): Promise<PermissionDefinition[]>;
636
+ createPermission(options: CreatePermissionOptions): Promise<PermissionDefinition>;
637
+ deletePermission(id: string): Promise<void>;
638
+ assignRole(options: AssignRoleOptions): Promise<void>;
639
+ checkPermission(options: CheckPermissionOptions): Promise<{
640
+ allowed: boolean;
641
+ }>;
642
+ checkPermissions(options: CheckPermissionsOptions): Promise<{
643
+ allowed: boolean;
644
+ }>;
645
+ getMyPermissions(projectId: string): Promise<string[]>;
646
+ hasPermission(projectId: string, permission: string | PermissionCheck): Promise<boolean>;
647
+ requirePermission(projectId: string, permission: string | PermissionCheck): Promise<void>;
648
+ revokeRole(options: {
649
+ organizationId: string;
650
+ userId: string;
651
+ fallbackRole?: string;
652
+ }): Promise<void>;
653
+ }
654
+
655
+ interface GetAuthorizationUrlOptions {
656
+ connectionId?: string;
657
+ organizationId?: string;
658
+ provider?: string;
659
+ loginHint?: string;
660
+ redirectUri: string;
661
+ state?: string;
662
+ domainHint?: string;
663
+ projectId?: string;
664
+ }
665
+ interface GetProfileAndTokenOptions {
666
+ code: string;
667
+ }
668
+ interface CreateConnectionOptions {
669
+ organizationId: string;
670
+ type: "saml" | "oidc";
671
+ name: string;
672
+ domains: string[];
673
+ projectId?: string;
674
+ samlConfig?: {
675
+ idpEntityId: string;
676
+ idpSsoUrl: string;
677
+ idpCertificate: string;
678
+ nameIdFormat?: string;
679
+ signRequest?: boolean;
680
+ allowIdpInitiated?: boolean;
681
+ attributeMapping?: Record<string, string>;
682
+ };
683
+ oidcConfig?: {
684
+ issuer: string;
685
+ clientId: string;
686
+ clientSecret: string;
687
+ scopes?: string[];
688
+ };
689
+ }
690
+ interface ListConnectionsOptions {
691
+ organizationId?: string;
692
+ connectionType?: "saml" | "oidc";
693
+ limit?: number;
694
+ before?: string;
695
+ after?: string;
696
+ projectId?: string;
697
+ }
698
+ /**
699
+ * SSO resource.
700
+ * Handles SSO connection management and authentication flows.
701
+ */
702
+ declare class SSO {
703
+ private readonly http;
704
+ constructor(http: HttpClient);
705
+ /**
706
+ * Get the authorization URL to redirect the user to for SSO.
707
+ * Supports routing by organization ID or callback URL.
708
+ */
709
+ getAuthorizationUrl(options: GetAuthorizationUrlOptions): Promise<{
710
+ url: string;
711
+ }>;
712
+ /**
713
+ * @deprecated Better Auth handles SSO token exchange internally via callback.
714
+ * This method is kept for backward compatibility but will throw.
715
+ */
716
+ getProfileAndToken(_options: GetProfileAndTokenOptions): Promise<{
717
+ profile: SsoProfile;
718
+ accessToken: string;
719
+ }>;
720
+ listConnections(options?: ListConnectionsOptions): Promise<PaginatedResult<SsoConnection>>;
721
+ getConnection(connectionId: string, options?: {
722
+ projectId?: string;
723
+ }): Promise<SsoConnection>;
724
+ createConnection(options: CreateConnectionOptions): Promise<SsoConnection>;
725
+ updateConnection(options: {
726
+ connectionId: string;
727
+ name?: string;
728
+ domains?: string[];
729
+ samlConfig?: Partial<CreateConnectionOptions["samlConfig"]>;
730
+ oidcConfig?: Partial<CreateConnectionOptions["oidcConfig"]>;
731
+ projectId?: string;
732
+ }): Promise<SsoConnection>;
733
+ deleteConnection(connectionId: string, options?: {
734
+ projectId?: string;
735
+ }): Promise<void>;
736
+ activateConnection(connectionId: string, options?: {
737
+ projectId?: string;
738
+ }): Promise<SsoConnection>;
739
+ deactivateConnection(connectionId: string, options?: {
740
+ projectId?: string;
741
+ }): Promise<SsoConnection>;
742
+ }
743
+
744
+ interface ListUsersOptions {
745
+ projectId?: string;
746
+ email?: string;
747
+ organizationId?: string;
748
+ role?: string;
749
+ limit?: number;
750
+ before?: string;
751
+ after?: string;
752
+ order?: "asc" | "desc";
753
+ }
754
+ interface CreateUserOptions {
755
+ projectId?: string;
756
+ email: string;
757
+ password?: string;
758
+ name: string;
759
+ image?: string;
760
+ username?: string;
761
+ phoneNumber?: string;
762
+ emailVerified?: boolean;
763
+ role?: string | string[];
764
+ metadata?: Record<string, unknown>;
765
+ data?: Record<string, unknown>;
766
+ }
767
+ interface UpdateUserOptions {
768
+ userId: string;
769
+ projectId?: string;
770
+ name?: string;
771
+ image?: string | null;
772
+ username?: string;
773
+ phoneNumber?: string | null;
774
+ emailVerified?: boolean;
775
+ password?: string;
776
+ role?: string | string[];
777
+ metadata?: Record<string, unknown>;
778
+ data?: Record<string, unknown>;
779
+ }
780
+ interface AdminPermissionStatements {
781
+ [resource: string]: string[];
782
+ }
783
+ type AdminPermissionCheckInput = string | string[] | AdminPermissionStatements;
784
+ type AdminPermissionCheckOptions = {
785
+ projectId?: string;
786
+ userId?: string;
787
+ role?: string | string[];
788
+ permission: AdminPermissionCheckInput;
789
+ } | {
790
+ projectId?: string;
791
+ userId?: string;
792
+ role?: string | string[];
793
+ permissions: AdminPermissionCheckInput;
794
+ };
795
+ interface AdminSessionResponse {
796
+ session: Session;
797
+ user: User;
798
+ }
799
+ /**
800
+ * User Management resource.
801
+ * Handles user CRUD, session management, and account operations.
802
+ */
803
+ declare class UserManagement {
804
+ private readonly http;
805
+ constructor(http: HttpClient);
806
+ /**
807
+ * List users with optional filtering and pagination.
808
+ */
809
+ listUsers(options?: ListUsersOptions): Promise<PaginatedResult<User>>;
810
+ /**
811
+ * Get a user by ID.
812
+ */
813
+ getUser(userId: string, options?: {
814
+ projectId?: string;
815
+ }): Promise<User>;
816
+ /**
817
+ * Create a new user.
818
+ */
819
+ createUser(options: CreateUserOptions): Promise<User>;
820
+ /**
821
+ * Update an existing user.
822
+ */
823
+ updateUser(options: UpdateUserOptions): Promise<User>;
824
+ /**
825
+ * Delete a user.
826
+ */
827
+ deleteUser(userId: string, options?: {
828
+ projectId?: string;
829
+ }): Promise<void>;
830
+ /**
831
+ * Ban a user.
832
+ */
833
+ banUser(options: {
834
+ userId: string;
835
+ projectId?: string;
836
+ reason?: string;
837
+ expiresAt?: Date;
838
+ }): Promise<User>;
839
+ /**
840
+ * Unban a user.
841
+ */
842
+ unbanUser(userId: string, options?: {
843
+ projectId?: string;
844
+ }): Promise<User>;
845
+ /**
846
+ * List active sessions for a user.
847
+ */
848
+ listUserSessions(userId: string, options?: {
849
+ projectId?: string;
850
+ }): Promise<PaginatedResult<Session>>;
851
+ /**
852
+ * Start impersonating a user.
853
+ */
854
+ impersonateUser(userId: string, options?: {
855
+ projectId?: string;
856
+ }): Promise<AdminSessionResponse>;
857
+ /**
858
+ * Stop impersonating the current user.
859
+ */
860
+ stopImpersonating(): Promise<AdminSessionResponse>;
861
+ /**
862
+ * Revoke a specific session.
863
+ */
864
+ revokeSession(sessionId: string, options?: {
865
+ projectId?: string;
866
+ }): Promise<void>;
867
+ /**
868
+ * Revoke all sessions for a user.
869
+ */
870
+ revokeAllSessions(userId: string, options?: {
871
+ projectId?: string;
872
+ }): Promise<void>;
873
+ /**
874
+ * Set a user's global role.
875
+ */
876
+ setRole(userId: string, role: string | string[], options?: {
877
+ projectId?: string;
878
+ }): Promise<User>;
879
+ /**
880
+ * Force-set a user's password.
881
+ */
882
+ setUserPassword(userId: string, newPassword: string, options?: {
883
+ projectId?: string;
884
+ }): Promise<boolean>;
885
+ /**
886
+ * Check whether a user or role has the requested permissions.
887
+ */
888
+ hasPermission(options: AdminPermissionCheckOptions): Promise<boolean>;
889
+ }
890
+
891
+ /**
892
+ * Vault resource.
893
+ *
894
+ * Provides envelope encryption for secrets using AES-256-GCM.
895
+ * Secrets are encrypted at rest and can be decrypted by providing
896
+ * the correct context.
897
+ */
898
+ declare class Vault {
899
+ private readonly http;
900
+ constructor(http: HttpClient);
901
+ /**
902
+ * Encrypt and store a secret.
903
+ *
904
+ * @returns The ID of the stored secret.
905
+ */
906
+ encrypt(options: {
907
+ name: string;
908
+ data: string;
909
+ context?: string;
910
+ organizationId?: string;
911
+ metadata?: Record<string, string>;
912
+ }): Promise<{
913
+ id: string;
914
+ }>;
915
+ /**
916
+ * Decrypt and return a secret by ID.
917
+ *
918
+ * @param options.context - Must match the context used during encryption.
919
+ */
920
+ decrypt(options: {
921
+ secretId: string;
922
+ context?: string;
923
+ }): Promise<{
924
+ data: string;
925
+ }>;
926
+ /**
927
+ * List vault secrets (metadata only — decrypted values are never returned).
928
+ */
929
+ list(options?: {
930
+ organizationId?: string;
931
+ limit?: number;
932
+ before?: string;
933
+ after?: string;
934
+ }): Promise<PaginatedResult<VaultSecret>>;
935
+ /**
936
+ * Delete a vault secret by ID.
937
+ */
938
+ delete(options: {
939
+ secretId: string;
940
+ }): Promise<{
941
+ status: string;
942
+ }>;
943
+ /**
944
+ * Rotate the encryption key by re-encrypting all secrets
945
+ * with the next version's derived key.
946
+ *
947
+ * @returns Status and count of rotated/failed secrets.
948
+ */
949
+ rotateKey(options?: {
950
+ batchSize?: number;
951
+ }): Promise<{
952
+ status: string;
953
+ rotated: number;
954
+ failed: number;
955
+ remaining: number;
956
+ }>;
957
+ }
958
+
959
+ /**
960
+ * Webhooks resource.
961
+ * Handles webhook endpoint management and signature verification.
962
+ */
963
+ declare class Webhooks {
964
+ private readonly http;
965
+ constructor(http: HttpClient);
966
+ listEndpoints(options?: {
967
+ limit?: number;
968
+ before?: string;
969
+ after?: string;
970
+ }): Promise<PaginatedResult<WebhookEndpoint>>;
971
+ createEndpoint(options: {
972
+ url: string;
973
+ eventTypes?: string[];
974
+ enabled?: boolean;
975
+ }): Promise<WebhookEndpoint & {
976
+ secret: string;
977
+ }>;
978
+ updateEndpoint(options: {
979
+ endpointId: string;
980
+ url?: string;
981
+ eventTypes?: string[];
982
+ enabled?: boolean;
983
+ }): Promise<WebhookEndpoint>;
984
+ deleteEndpoint(endpointId: string): Promise<void>;
985
+ /**
986
+ * Verify a webhook signature and construct the event payload.
987
+ * Uses the Web Crypto API for HMAC-SHA256 signature verification.
988
+ *
989
+ * @example
990
+ * ```ts
991
+ * const event = await banataAuth.webhooks.constructEvent({
992
+ * payload: req.body,
993
+ * sigHeader: req.headers["x-banataauth-signature"],
994
+ * secret: webhookSecret,
995
+ * });
996
+ * ```
997
+ */
998
+ constructEvent(options: {
999
+ payload: string;
1000
+ sigHeader: string;
1001
+ secret: string;
1002
+ tolerance?: number;
1003
+ }): Promise<WebhookEvent>;
1004
+ /**
1005
+ * Verify a webhook signature using the Web Crypto API (HMAC-SHA256).
1006
+ */
1007
+ verifySignature(options: {
1008
+ payload: string;
1009
+ sigHeader: string;
1010
+ secret: string;
1011
+ tolerance?: number;
1012
+ }): Promise<boolean>;
1013
+ private computeHmacAsync;
1014
+ private timingSafeEqual;
1015
+ }
1016
+
1017
+ interface BanataAuthOptions {
1018
+ /** API key for authentication. */
1019
+ apiKey: string;
1020
+ /** Base URL for the Banata Auth API. Defaults to Convex site URL. */
1021
+ baseUrl?: string;
1022
+ /** Request timeout in milliseconds. Default: 30000. */
1023
+ timeout?: number;
1024
+ /** Number of retries on 5xx errors. Default: 3. */
1025
+ retries?: number;
1026
+ /** Project ID to scope all operations to. */
1027
+ projectId?: string;
1028
+ /** Environment ID to scope all operations to. */
1029
+ environmentId?: string;
1030
+ }
1031
+ /**
1032
+ * Internal HTTP client used by all resource classes.
1033
+ */
1034
+ declare class HttpClient {
1035
+ private readonly apiKey;
1036
+ private readonly baseUrl;
1037
+ private readonly timeout;
1038
+ private readonly maxRetries;
1039
+ private readonly projectId?;
1040
+ constructor(options: BanataAuthOptions);
1041
+ withProjectScope<T extends Record<string, unknown>>(body: T, projectId?: string): T & {
1042
+ projectId?: string;
1043
+ };
1044
+ request<T>(method: string, path: string, options?: {
1045
+ body?: unknown;
1046
+ query?: Record<string, string | number | boolean | undefined>;
1047
+ headers?: Record<string, string>;
1048
+ }): Promise<T>;
1049
+ get<T>(path: string, query?: Record<string, string | number | boolean | undefined>): Promise<T>;
1050
+ post<T>(path: string, body?: unknown): Promise<T>;
1051
+ put<T>(path: string, body?: unknown): Promise<T>;
1052
+ patch<T>(path: string, body?: unknown): Promise<T>;
1053
+ delete<T>(path: string): Promise<T>;
1054
+ }
1055
+ /**
1056
+ * Main Banata Auth SDK client.
1057
+ *
1058
+ * @example
1059
+ * ```ts
1060
+ * import { BanataAuth } from "@banata-auth/sdk";
1061
+ *
1062
+ * const banataAuth = new BanataAuth({ apiKey: "sk_live_..." });
1063
+ *
1064
+ * // List users
1065
+ * const users = await banataAuth.userManagement.listUsers();
1066
+ *
1067
+ * // Create organization
1068
+ * const org = await banataAuth.organizations.createOrganization({
1069
+ * name: "Acme Corp",
1070
+ * });
1071
+ * ```
1072
+ */
1073
+ declare class BanataAuth {
1074
+ private readonly httpClient;
1075
+ readonly apiKeys: ApiKeys;
1076
+ readonly userManagement: UserManagement;
1077
+ readonly organizations: Organizations;
1078
+ readonly sso: SSO;
1079
+ readonly directorySync: DirectorySync;
1080
+ readonly auditLogs: AuditLogs;
1081
+ readonly emails: Emails;
1082
+ readonly events: Events;
1083
+ readonly webhooks: Webhooks;
1084
+ readonly portal: Portal;
1085
+ readonly vault: Vault;
1086
+ readonly domains: Domains;
1087
+ readonly rbac: Rbac;
1088
+ readonly projects: Projects;
1089
+ constructor(options: string | BanataAuthOptions);
1090
+ get users(): UserManagement;
1091
+ get directories(): DirectorySync;
1092
+ get orgs(): Organizations;
1093
+ }
1094
+
1095
+ export { ApiKeys, AuditLogs, BanataAuth, type BanataAuthOptions, type BuiltInEmailTemplateType, type CreateAuditEventOptions, type CreateEmailTemplateOptions, type CreateProjectOptions, DirectorySync, Domains, type EmailPreview, type EmailTemplate, type EmailTemplateCategory, Emails, type EventPayload, Events, type ExportAuditEventsOptions, type ExportAuditEventsResult, type GeneratePortalLinkOptions, type ListAuditEventsOptions, type ListEventsOptions, type ListEventsResult, Organizations, Portal, type PortalIntent, type PortalLinkResult, Projects, Rbac, SSO, type SdkProject, type SendEmailOptions, type SendEmailResult, type UpdateEmailTemplateOptions, type UpdateProjectOptions, UserManagement, Vault, Webhooks };