@better-auth/infra 0.1.10 → 0.1.12

package/dist/index.mjs

@@ -815,7 +815,10 @@ const getOrganizationTriggerInfo = (user) => {
 const initTrackEvents = (options) => {
 	const $fetch = createFetch({
 		baseURL: options.apiUrl,
-		headers: { "x-api-key": options.apiKey }
+		headers: {
+			"user-agent": "better-auth",
+			"x-api-key": options.apiKey
+		}
 	});
 	const trackEvent = (data) => {
 		const track = async () => {
@@ -1523,6 +1526,7 @@ const paths = [
 	"/email-otp/verify-email",
 	"/sign-in/email-otp",
 	"/sign-in/magic-link",
+	"/sign-in/email",
 	"/forget-password/email-otp",
 	"/email-otp/reset-password",
 	"/email-otp/create-verification-otp",
@@ -1555,25 +1559,6 @@ const signIn = new Set(paths.slice(1, 12));
 * @returns boolean
 */
 const allEmail = ({ path }) => !!path && all.has(path);
-/**
-* Path is one of `[
-*   '/email-otp/verify-email',
-*   '/sign-in/email-otp',
-*   '/sign-in/magic-link',
-*   '/sign-in/email',
-*   '/forget-password/email-otp',
-*   '/email-otp/reset-password',
-*   '/email-otp/create-verification-otp',
-*   '/email-otp/get-verification-otp',
-*   '/email-otp/send-verification-otp',
-*   '/forget-password',
-*   '/send-verification-email'
-* ]`.
-* @param context Request context
-* @param context.path Request path
-* @returns boolean
-*/
-const allEmailSignIn = ({ path }) => !!path && signIn.has(path);
 
 //#endregion
 //#region src/validation/email.ts
@@ -1605,9 +1590,13 @@ const PLUS_ADDRESSING_DOMAINS = new Set([
 * - Remove dots from Gmail-like providers (they ignore dots)
 * - Remove plus addressing (user+tag@domain → user@domain)
 * - Normalize googlemail.com to gmail.com
+*
+* @param email - Raw email to normalize
+* @param context - Auth context with getPlugin (for sentinel policy). Pass undefined when context unavailable (e.g. server, hooks).
 */
-function normalizeEmail(email) {
+function normalizeEmail(email, context) {
 	if (!email || typeof email !== "string") return email;
+	if ((context.getPlugin?.("sentinel"))?.options?.emailValidation?.enabled === false) return email;
 	const trimmed = email.trim().toLowerCase();
 	const atIndex = trimmed.lastIndexOf("@");
 	if (atIndex === -1) return trimmed;
@@ -1700,45 +1689,42 @@ function isValidEmailFormatLocal(email) {
 	if (domain.length > 253) return false;
 	return true;
 }
-const getEmail = (ctx) => ({
-	email: ctx.body?.email ?? ctx.query?.email,
-	container: ctx.body ? "body" : "query"
-});
+const getEmail = (ctx) => {
+	if (ctx.path === "/change-email") return {
+		email: ctx.body?.newEmail,
+		container: "body",
+		field: "newEmail"
+	};
+	const body = ctx.body;
+	const query = ctx.query;
+	return {
+		email: body?.email ?? query?.email,
+		container: body ? "body" : "query",
+		field: "email"
+	};
+};
 /**
 * Create email normalization hook (shared between all configurations)
 */
 function createEmailNormalizationHook() {
 	return {
-		matcher: allEmailSignIn,
+		matcher: allEmail,
 		handler: createAuthMiddleware(async (ctx) => {
-			const { email, container } = getEmail(ctx);
+			const { email, container, field } = getEmail(ctx);
 			if (typeof email !== "string") return;
-			const normalizedEmail = normalizeEmail(email);
-			if (normalizedEmail !== email) {
-				const user = await ctx.context.adapter.findOne({
-					model: "user",
-					where: [{
-						field: "normalizedEmail",
-						value: normalizedEmail
-					}]
-				});
-				if (!user) return;
-				return container === "query" ? { context: {
-					...ctx,
-					query: {
-						...ctx.query,
-						email: user.email,
-						normalizedEmail
-					}
-				} } : { context: {
-					...ctx,
-					body: {
-						...ctx.body,
-						email: user.email,
-						normalizedEmail
-					}
-				} };
-			}
+			const normalized = normalizeEmail(email, ctx.context);
+			if (normalized === email) return;
+			const data = container === "query" ? {
+				...ctx.query,
+				[field]: normalized
+			} : {
+				...ctx.body,
+				[field]: normalized
+			};
+			return { context: {
+				...ctx,
+				[container]: data
+			} };
 		})
 	};
 }
@@ -1749,7 +1735,7 @@ function createEmailValidationHook(validator, onDisposableEmail) {
 	return {
 		matcher: allEmail,
 		handler: createAuthMiddleware(async (ctx) => {
-			const email = ctx.path === "/change-email" ? ctx.body?.newEmail : getEmail(ctx).email;
+			const { email } = getEmail(ctx);
 			if (typeof email !== "string") return;
 			if (!isValidEmailFormatLocal(email)) throw new APIError$1("BAD_REQUEST", { message: "Invalid email" });
 			if (validator) {
@@ -1758,7 +1744,7 @@ function createEmailValidationHook(validator, onDisposableEmail) {
 				if (!policy?.enabled) return;
 				const action = policy.action;
 				if (!result.valid) {
-					if ((result.disposable || result.reason === "no_mx_records" || result.reason === "blocklist") && onDisposableEmail) {
+					if ((result.disposable || result.reason === "no_mx_records" || result.reason === "blocklist" || result.reason === "known_invalid_email" || result.reason === "known_invalid_host" || result.reason === "reserved_tld" || result.reason === "provider_local_too_short") && onDisposableEmail) {
 						const ip = ctx.request?.headers?.get("x-forwarded-for")?.split(",")[0] || ctx.request?.headers?.get("cf-connecting-ip") || void 0;
 						onDisposableEmail({
 							email,
@@ -1770,7 +1756,7 @@ function createEmailValidationHook(validator, onDisposableEmail) {
 						});
 					}
 					if (action === "allow") return;
-					throw new APIError$1("BAD_REQUEST", { message: result.reason === "no_mx_records" ? "This email domain cannot receive emails" : result.disposable || result.reason === "blocklist" ? "Disposable email addresses are not allowed" : result.reason === "fake_domain" || result.reason === "fake_pattern" ? "This email address appears to be invalid" : "Invalid email" });
+					throw new APIError$1("BAD_REQUEST", { message: result.reason === "no_mx_records" ? "This email domain cannot receive emails" : result.disposable || result.reason === "blocklist" ? "Disposable email addresses are not allowed" : result.reason === "known_invalid_email" || result.reason === "known_invalid_host" || result.reason === "reserved_tld" || result.reason === "provider_local_too_short" ? "This email address appears to be invalid" : "Invalid email" });
 				}
 			}
 		})
@@ -1809,12 +1795,13 @@ function createEmailHooks(options = {}) {
 		...defaultConfig
 	};
 	if (!emailConfig.enabled) return { before: [] };
-	return { before: [createEmailValidationHook(useApi ? createEmailValidator({
+	const validator = useApi ? createEmailValidator({
 		apiUrl,
 		kvUrl,
 		apiKey,
 		defaultConfig: emailConfig
-	}) : void 0, onDisposableEmail), createEmailNormalizationHook()] };
+	}) : void 0;
+	return { before: [createEmailNormalizationHook(), createEmailValidationHook(validator, onDisposableEmail)] };
 }
 /**
 * Default email hooks using local validation only
@@ -2084,100 +2071,107 @@ const sentinel = (options) => {
 	return {
 		id: "sentinel",
 		init() {
-			return { options: { databaseHooks: {
-				user: { create: {
-					async before(_user, ctx) {
-						if (!ctx) return;
-						const visitorId = ctx.context.visitorId;
-						if (visitorId && opts.security?.freeTrialAbuse?.enabled) {
-							const abuseCheck = await securityService.checkFreeTrialAbuse(visitorId);
-							if (abuseCheck.isAbuse && abuseCheck.action === "block") throw new APIError("FORBIDDEN", { message: "Account creation is not allowed from this device." });
-						}
-					},
-					async after(user, ctx) {
-						if (!ctx) return;
-						const visitorId = ctx.context.visitorId;
-						if (visitorId && opts.security?.freeTrialAbuse?.enabled) await ctx.context.runInBackgroundOrAwait(securityService.trackFreeTrialSignup(visitorId, user.id));
-					}
-				} },
-				session: { create: {
-					async before(session, ctx) {
-						if (!ctx) return;
-						const visitorId = ctx.context.visitorId;
-						const identification = ctx.context.identification;
-						if (session.userId && identification?.location && visitorId) {
-							const travelCheck = await securityService.checkImpossibleTravel(session.userId, identification.location, visitorId);
-							if (travelCheck?.isImpossible) {
-								if (travelCheck.action === "block") throw new APIError("FORBIDDEN", { message: "Login blocked due to suspicious location change." });
-								if (travelCheck.action === "challenge" && travelCheck.challenge) throwChallengeError(travelCheck.challenge, "impossible_travel", "Unusual login location detected. Please complete a security check.");
+			return { options: {
+				emailValidation: opts.security?.emailValidation,
+				databaseHooks: {
+					user: { create: {
+						async before(user, ctx) {
+							if (!ctx) return;
+							const visitorId = ctx.context.visitorId;
+							if (visitorId && opts.security?.freeTrialAbuse?.enabled) {
+								const abuseCheck = await securityService.checkFreeTrialAbuse(visitorId);
+								if (abuseCheck.isAbuse && abuseCheck.action === "block") throw new APIError("FORBIDDEN", { message: "Account creation is not allowed from this device." });
 							}
+							if (user.email && typeof user.email === "string") return { data: {
+								...user,
+								email: normalizeEmail(user.email, ctx.context)
+							} };
+						},
+						async after(user, ctx) {
+							if (!ctx) return;
+							const visitorId = ctx.context.visitorId;
+							if (visitorId && opts.security?.freeTrialAbuse?.enabled) await ctx.context.runInBackgroundOrAwait(securityService.trackFreeTrialSignup(visitorId, user.id));
 						}
-					},
-					async after(session, ctx) {
-						if (!ctx || !session.userId) return;
-						const visitorId = ctx.context.visitorId;
-						const identification = ctx.context.identification;
-						let user = null;
-						try {
-							user = await ctx.context.adapter.findOne({
-								model: "user",
-								select: [
-									"email",
-									"name",
-									"lastActiveAt"
-								],
-								where: [{
-									field: "id",
-									value: session.userId
-								}]
-							});
-						} catch (error) {
-							logger.warn("[Sentinel] Failed to fetch user for security checks:", error);
-						}
-						if (visitorId) {
-							if (await securityService.checkUnknownDevice(session.userId, visitorId) && user?.email) await ctx.context.runInBackgroundOrAwait(securityService.notifyUnknownDevice(session.userId, user.email, identification));
-						}
-						if (opts.security?.staleUsers?.enabled && user) {
-							const staleCheck = await securityService.checkStaleUser(session.userId, user.lastActiveAt || null);
-							if (staleCheck.isStale) {
-								const staleOpts = opts.security.staleUsers;
-								const notificationPromises = [];
-								if (staleCheck.notifyUser && user.email) notificationPromises.push(securityService.notifyStaleAccountUser(user.email, user.name || null, staleCheck.daysSinceLastActive || 0, identification));
-								if (staleCheck.notifyAdmin && staleOpts.adminEmail) notificationPromises.push(securityService.notifyStaleAccountAdmin(staleOpts.adminEmail, session.userId, user.email || "unknown", user.name || null, staleCheck.daysSinceLastActive || 0, identification));
-								if (notificationPromises.length > 0) Promise.all(notificationPromises).catch((error) => {
-									logger.error("[Sentinel] Failed to send stale account notifications:", error);
-								});
-								trackEvent({
-									eventKey: session.userId,
-									eventType: "security_stale_account",
-									eventDisplayName: "Security: stale account reactivated",
-									eventData: {
-										action: staleCheck.action === "block" ? "blocked" : staleCheck.action === "challenge" ? "challenged" : "logged",
-										reason: "stale_account_reactivation",
-										userId: session.userId,
-										daysSinceLastActive: staleCheck.daysSinceLastActive,
-										staleDays: staleCheck.staleDays,
-										lastActiveAt: staleCheck.lastActiveAt,
-										notifyUser: staleCheck.notifyUser,
-										notifyAdmin: staleCheck.notifyAdmin,
-										detectionLabel: "Stale Account Reactivation",
-										description: `Dormant account (inactive for ${staleCheck.daysSinceLastActive} days) became active`
-									},
-									ipAddress: identification?.ip || void 0,
-									city: identification?.location?.city || void 0,
-									country: identification?.location?.country?.name || void 0,
-									countryCode: identification?.location?.country?.code || void 0
-								});
-								if (staleCheck.action === "block") throw new APIError("FORBIDDEN", {
-									message: "This account has been inactive for an extended period. Please contact support to reactivate.",
-									code: "STALE_ACCOUNT"
+					} },
+					session: { create: {
+						async before(session, ctx) {
+							if (!ctx) return;
+							const visitorId = ctx.context.visitorId;
+							const identification = ctx.context.identification;
+							if (session.userId && identification?.location && visitorId) {
+								const travelCheck = await securityService.checkImpossibleTravel(session.userId, identification.location, visitorId);
+								if (travelCheck?.isImpossible) {
+									if (travelCheck.action === "block") throw new APIError("FORBIDDEN", { message: "Login blocked due to suspicious location change." });
+									if (travelCheck.action === "challenge" && travelCheck.challenge) throwChallengeError(travelCheck.challenge, "impossible_travel", "Unusual login location detected. Please complete a security check.");
+								}
+							}
+						},
+						async after(session, ctx) {
+							if (!ctx || !session.userId) return;
+							const visitorId = ctx.context.visitorId;
+							const identification = ctx.context.identification;
+							let user = null;
+							try {
+								user = await ctx.context.adapter.findOne({
+									model: "user",
+									select: [
+										"email",
+										"name",
+										"lastActiveAt"
+									],
+									where: [{
+										field: "id",
+										value: session.userId
+									}]
 								});
+							} catch (error) {
+								logger.warn("[Sentinel] Failed to fetch user for security checks:", error);
+							}
+							if (visitorId) {
+								if (await securityService.checkUnknownDevice(session.userId, visitorId) && user?.email) await ctx.context.runInBackgroundOrAwait(securityService.notifyUnknownDevice(session.userId, user.email, identification));
+							}
+							if (opts.security?.staleUsers?.enabled && user) {
+								const staleCheck = await securityService.checkStaleUser(session.userId, user.lastActiveAt || null);
+								if (staleCheck.isStale) {
+									const staleOpts = opts.security.staleUsers;
+									const notificationPromises = [];
+									if (staleCheck.notifyUser && user.email) notificationPromises.push(securityService.notifyStaleAccountUser(user.email, user.name || null, staleCheck.daysSinceLastActive || 0, identification));
+									if (staleCheck.notifyAdmin && staleOpts.adminEmail) notificationPromises.push(securityService.notifyStaleAccountAdmin(staleOpts.adminEmail, session.userId, user.email || "unknown", user.name || null, staleCheck.daysSinceLastActive || 0, identification));
+									if (notificationPromises.length > 0) Promise.all(notificationPromises).catch((error) => {
+										logger.error("[Sentinel] Failed to send stale account notifications:", error);
+									});
+									trackEvent({
+										eventKey: session.userId,
+										eventType: "security_stale_account",
+										eventDisplayName: "Security: stale account reactivated",
+										eventData: {
+											action: staleCheck.action === "block" ? "blocked" : staleCheck.action === "challenge" ? "challenged" : "logged",
+											reason: "stale_account_reactivation",
+											userId: session.userId,
+											daysSinceLastActive: staleCheck.daysSinceLastActive,
+											staleDays: staleCheck.staleDays,
+											lastActiveAt: staleCheck.lastActiveAt,
+											notifyUser: staleCheck.notifyUser,
+											notifyAdmin: staleCheck.notifyAdmin,
+											detectionLabel: "Stale Account Reactivation",
+											description: `Dormant account (inactive for ${staleCheck.daysSinceLastActive} days) became active`
+										},
+										ipAddress: identification?.ip || void 0,
+										city: identification?.location?.city || void 0,
+										country: identification?.location?.country?.name || void 0,
+										countryCode: identification?.location?.country?.code || void 0
+									});
+									if (staleCheck.action === "block") throw new APIError("FORBIDDEN", {
+										message: "This account has been inactive for an extended period. Please contact support to reactivate.",
+										code: "STALE_ACCOUNT"
+									});
+								}
 							}
+							if (identification?.location) await ctx.context.runInBackgroundOrAwait(securityService.storeLastLocation(session.userId, identification.location));
 						}
-						if (identification?.location) await ctx.context.runInBackgroundOrAwait(securityService.storeLastLocation(session.userId, identification.location));
-					}
-				} }
-			} } };
+					} }
+				}
+			} };
 		},
 		hooks: {
 			before: [
@@ -2633,7 +2627,7 @@ const initTeamEvents = (tracker) => {
 //#region src/jwt.ts
 /**
 * Hash the given value
-* Note: Must match @infra/crypto hash()
+* Note: Must match @infra/utils/crypto hash()
 * @param value - The value to hash
 */
 async function hash(value) {
@@ -2687,13 +2681,16 @@ function isRecentlyIssued(payload) {
 }
 const jwtMiddleware = (options, schema, getJWT) => createAuthMiddleware(async (ctx) => {
 	const jwsFromHeader = getJWT ? await getJWT(ctx) : ctx.headers?.get("Authorization")?.split(" ")[1];
-	if (!jwsFromHeader) throw ctx.error("UNAUTHORIZED", { message: "Invalid API key" });
+	if (!jwsFromHeader) {
+		ctx.context.logger.warn("[Dash] JWT is missing from header");
+		throw ctx.error("UNAUTHORIZED", { message: "Invalid API key" });
+	}
 	const { payload } = await jwtVerify(jwsFromHeader, await getJWKs(options.apiUrl), { maxTokenAge: "5m" }).catch((e) => {
-		ctx.context.logger.error("[Dash] JWT verification failed:", e);
+		ctx.context.logger.warn("[Dash] JWT verification failed:", e);
 		throw ctx.error("UNAUTHORIZED", { message: "Invalid API key" });
 	});
 	if (!isRecentlyIssued(payload)) {
-		if (!(await betterFetch("/api/auth/check-jti", {
+		const { error, data } = await betterFetch("/api/auth/check-jti", {
 			baseURL: options.apiUrl,
 			method: "POST",
 			headers: { "x-api-key": options.apiKey },
@@ -2701,18 +2698,52 @@ const jwtMiddleware = (options, schema, getJWT) => createAuthMiddleware(async (c
 				jti: payload.jti,
 				expiresAt: payload.exp
 			}
-		})).data?.valid) throw ctx.error("UNAUTHORIZED", { message: "Invalid API key" });
+		});
+		if (error || !data?.valid) {
+			ctx.context.logger.warn("[Dash] JTI check failed with error", error, data?.valid);
+			throw ctx.error("UNAUTHORIZED", { message: "Invalid API key" });
+		}
 	}
 	const apiKeyHash = payload.apiKeyHash;
-	if (typeof apiKeyHash !== "string" || !options.apiKey) throw ctx.error("UNAUTHORIZED", { message: "Invalid API key" });
-	if (apiKeyHash !== await hash(options.apiKey)) throw ctx.error("UNAUTHORIZED", { message: "Invalid API key" });
+	if (typeof apiKeyHash !== "string" || !options.apiKey) {
+		ctx.context.logger.warn("[Dash] API key hash is missing or invalid", {
+			apiKeyHash,
+			apiKey: options.apiKey ? "present" : "missing"
+		});
+		throw ctx.error("UNAUTHORIZED", { message: "Invalid API key" });
+	}
+	const expectedHash = await hash(options.apiKey);
+	if (apiKeyHash !== expectedHash) {
+		ctx.context.logger.warn("[Dash] API key hash is invalid", apiKeyHash, expectedHash);
+		throw ctx.error("UNAUTHORIZED", { message: "Invalid API key" });
+	}
 	if (schema) {
 		const parsed = schema.safeParse(payload);
-		if (!parsed.success) throw ctx.error("UNAUTHORIZED", { message: "Invalid API key" });
+		if (!parsed.success) {
+			ctx.context.logger.warn("[Dash] JWT payload is invalid", parsed.error);
+			throw ctx.error("UNAUTHORIZED", { message: "Invalid API key" });
+		}
 		return { payload: parsed.data };
 	}
 	return { payload };
 });
+/**
+* Lightweight JWT middleware for /dash/validate. Verifies JWT signature and
+* apiKeyHash only—no JTI check. Used during onboarding when the org doesn't
+* exist yet.
+*/
+const jwtValidateMiddleware = (options) => createAuthMiddleware(async (ctx) => {
+	const jwsFromHeader = ctx.headers?.get("Authorization")?.split(" ")[1];
+	if (!jwsFromHeader) throw ctx.error("UNAUTHORIZED", { message: "Invalid API key" });
+	const { payload } = await jwtVerify(jwsFromHeader, await getJWKs(options.apiUrl), { maxTokenAge: "5m" }).catch((e) => {
+		ctx.context.logger.error("[Dash] JWT verification failed:", e);
+		throw ctx.error("UNAUTHORIZED", { message: "Invalid API key" });
+	});
+	const apiKeyHash = payload.apiKeyHash;
+	if (typeof apiKeyHash !== "string" || !options.apiKey) throw ctx.error("UNAUTHORIZED", { message: "Invalid API key" });
+	if (apiKeyHash !== await hash(options.apiKey)) throw ctx.error("UNAUTHORIZED", { message: "Invalid API key" });
+	return { payload };
+});
 
 //#endregion
 //#region src/routes/config.ts
@@ -2765,7 +2796,7 @@ const getConfig = (options) => {
 					schema: plugin.schema,
 					options: sanitizePluginOptions(plugin.id, plugin.options)
 				};
-			}),
+			}) ?? [],
 			organization: {
 				sendInvitationEmailEnabled: !!organizationPlugin?.options?.sendInvitationEmail,
 				additionalFields: (() => {
@@ -2894,7 +2925,8 @@ async function getScimProviderOwner(ctx, organizationId, providerId) {
 	});
 	return (await ctx.context.adapter.findOne({
 		model: "scimProvider",
-		where
+		where,
+		select: ["userId"]
 	}))?.userId ?? null;
 }
 function getScimEndpoint(baseUrl) {
@@ -3367,7 +3399,8 @@ const acceptInvitation = (options) => {
 				throw new APIError("BAD_REQUEST", { message: "This invitation has expired." });
 			}
 		}
-		const existingUser = await ctx.context.internalAdapter.findUserByEmail(invitation.email).then((user$1) => user$1?.user);
+		const invitationEmail = normalizeEmail(invitation.email, ctx.context);
+		const existingUser = await ctx.context.internalAdapter.findUserByEmail(invitationEmail).then((user$1) => user$1?.user);
 		if (existingUser) {
 			await $api("/api/internal/invitations/mark-accepted", {
 				method: "POST",
@@ -3381,7 +3414,7 @@ const acceptInvitation = (options) => {
 				user: existingUser
 			});
 			const redirectUrl$1 = invitation.redirectUrl || ctx.context.options.baseURL || "/";
-			return ctx.redirect(redirectUrl$1);
+			return ctx.redirect(redirectUrl$1.toString());
 		}
 		if (invitation.authMode === "auth") {
 			const platformUrl = options.apiUrl || INFRA_API_URL;
@@ -3392,7 +3425,7 @@ const acceptInvitation = (options) => {
 			return ctx.redirect(acceptPageUrl.toString());
 		}
 		const user = await ctx.context.internalAdapter.createUser({
-			email: invitation.email,
+			email: invitationEmail,
 			name: invitation.name || invitation.email.split("@")[0] || "",
 			emailVerified: true,
 			createdAt: /* @__PURE__ */ new Date(),
@@ -3410,7 +3443,7 @@ const acceptInvitation = (options) => {
 			user
 		});
 		const redirectUrl = invitation.redirectUrl || ctx.context.options.baseURL || "/";
-		return ctx.redirect(redirectUrl);
+		return ctx.redirect(redirectUrl.toString());
 	});
 };
 /**
@@ -3442,7 +3475,8 @@ const completeInvitation = (options) => {
 		if (error || !invitation) throw new APIError("BAD_REQUEST", { message: "Invalid or expired invitation." });
 		if (invitation.status !== "pending") throw new APIError("BAD_REQUEST", { message: `This invitation has already been ${invitation.status}.` });
 		if (!ctx.context) throw new APIError("BAD_REQUEST", { message: "Context is required" });
-		const existingUser = await ctx.context.internalAdapter.findUserByEmail(invitation.email).then((user$1) => user$1?.user);
+		const invitationEmail = normalizeEmail(invitation.email, ctx.context);
+		const existingUser = await ctx.context.internalAdapter.findUserByEmail(invitationEmail).then((user$1) => user$1?.user);
 		if (existingUser) {
 			await $api("/api/internal/invitations/mark-accepted", {
 				method: "POST",
@@ -3461,7 +3495,7 @@ const completeInvitation = (options) => {
 			};
 		}
 		const user = await ctx.context.internalAdapter.createUser({
-			email: invitation.email,
+			email: invitationEmail,
 			name: invitation.name || invitation.email.split("@")[0] || "",
 			emailVerified: true,
 			createdAt: /* @__PURE__ */ new Date(),
@@ -3509,7 +3543,8 @@ const checkUserExists = (_options) => {
 	}, async (ctx) => {
 		const { email } = ctx.body;
 		if (!ctx.request?.headers.get("Authorization")) throw new APIError("UNAUTHORIZED", { message: "Authorization required" });
-		const existingUser = await ctx.context.internalAdapter.findUserByEmail(email.toLowerCase()).then((user) => user?.user);
+		const normalizedEmail = normalizeEmail(email, ctx.context);
+		const existingUser = await ctx.context.internalAdapter.findUserByEmail(normalizedEmail).then((user) => user?.user);
 		return {
 			exists: !!existingUser,
 			userId: existingUser?.id || null
@@ -3719,7 +3754,7 @@ const deleteOrganizationLogDrain = (options) => {
 		body: z$1.object({ logDrainId: z$1.string() })
 	}, async (ctx) => {
 		const { organizationId } = ctx.context.payload;
-		if (!await ctx.context.adapter.findOne({
+		if (await ctx.context.adapter.count({
 			model: "orgLogDrain",
 			where: [{
 				field: "id",
@@ -3728,7 +3763,7 @@ const deleteOrganizationLogDrain = (options) => {
 				field: "organizationId",
 				value: organizationId
 			}]
-		})) throw ctx.error("NOT_FOUND", { message: "Log drain not found" });
+		}) === 0) throw ctx.error("NOT_FOUND", { message: "Log drain not found" });
 		await ctx.context.adapter.delete({
 			model: "orgLogDrain",
 			where: [{
@@ -3917,6 +3952,15 @@ const exportFactory = (input, options) => async (ctx) => {
 
 //#endregion
 //#region src/helper.ts
+/**
+* Checks whether a plugin is registered by its ID.
+* Prefers the native `hasPlugin` when available, otherwise
+* falls back to scanning `options.plugins`.
+*/
+function hasPlugin(context, pluginId) {
+	if (typeof context.hasPlugin === "function") return context.hasPlugin(pluginId);
+	return context.options.plugins?.some((p) => p.id === pluginId) ?? false;
+}
 function* chunkArray(arr, options) {
 	const batchSize = options?.batchSize || 200;
 	for (let i = 0; i < arr.length; i += batchSize) yield arr.slice(i, i + batchSize);
@@ -4129,32 +4173,26 @@ const listOrganizations = (options) => {
 			sortBy: {
 				field: dbSortBy,
 				direction: sortOrder
-			}
+			},
+			join: { member: { limit: 5 } }
 		}), needsInMemoryProcessing ? Promise.resolve(0) : ctx.context.adapter.count({
 			model: "organization",
 			where
 		})]);
 		const orgIds = organizations.map((o) => o.id);
-		const allMembers = orgIds.length > 0 ? await ctx.context.adapter.findMany({
+		const memberCounts = await withConcurrency(orgIds, (orgId) => ctx.context.adapter.count({
 			model: "member",
 			where: [{
 				field: "organizationId",
-				value: orgIds,
-				operator: "in"
+				value: orgId
 			}]
-		}) : [];
-		const membersByOrg = /* @__PURE__ */ new Map();
-		for (const m of allMembers) {
-			const list = membersByOrg.get(m.organizationId) || [];
-			list.push(m);
-			membersByOrg.set(m.organizationId, list);
-		}
+		}), { concurrency: 10 });
+		const memberCountByOrg = new Map(orgIds.map((orgId, i) => [orgId, memberCounts[i]]));
 		let withCounts = organizations.map((organization) => {
-			const orgMembers = membersByOrg.get(organization.id) || [];
+			const memberCount = memberCountByOrg.get(organization.id) ?? 0;
 			return {
 				...organization,
-				_members: orgMembers,
-				memberCount: orgMembers.length
+				memberCount
 			};
 		});
 		if (filterMembers) {
@@ -4174,25 +4212,26 @@ const listOrganizations = (options) => {
 		const total = needsInMemoryProcessing ? withCounts.length : initialTotal;
 		if (needsInMemoryProcessing) withCounts = withCounts.slice(offset, offset + limit);
 		const allUserIds = /* @__PURE__ */ new Set();
-		for (const organization of withCounts) for (const member of organization._members.slice(0, 5)) allUserIds.add(member.userId);
+		for (const organization of withCounts) for (const member of organization.member) allUserIds.add(member.userId);
 		const users = allUserIds.size > 0 ? await ctx.context.adapter.findMany({
 			model: "user",
 			where: [{
 				field: "id",
 				value: Array.from(allUserIds),
 				operator: "in"
-			}]
+			}],
+			limit: allUserIds.size
 		}) : [];
 		const userMap = new Map(users.map((u) => [u.id, u]));
 		return {
 			organizations: withCounts.map((organization) => {
-				const members = organization._members.slice(0, 5).map((m) => userMap.get(m.userId)).filter((u) => u !== void 0).map((u) => ({
+				const members = organization.member.map((m) => userMap.get(m.userId)).filter((u) => u !== void 0).map((u) => ({
 					id: u.id,
 					name: u.name,
 					email: u.email,
 					image: u.image
 				}));
-				const { _members, ...org } = organization;
+				const { member: _members, ...org } = organization;
 				return {
 					...org,
 					members
@@ -4284,17 +4323,9 @@ const listOrganizationMembers = (options) => {
 			where: [{
 				field: "organizationId",
 				value: ctx.params.id
-			}]
+			}],
+			join: { user: true }
 		});
-		const userIds = members.map((m) => m.userId);
-		const users = userIds.length ? await ctx.context.adapter.findMany({
-			model: "user",
-			where: [{
-				field: "id",
-				value: userIds,
-				operator: "in"
-			}]
-		}) : [];
 		const invitations = await ctx.context.adapter.findMany({
 			model: "invitation",
 			where: [{
@@ -4303,22 +4334,17 @@ const listOrganizationMembers = (options) => {
 			}, {
 				field: "status",
 				value: "accepted"
-			}]
+			}],
+			join: { user: true }
 		});
-		const inviterIds = [...new Set(invitations.map((i) => i.inviterId).filter(Boolean))];
-		const inviters = inviterIds.length ? await ctx.context.adapter.findMany({
-			model: "user",
-			where: [{
-				field: "id",
-				value: inviterIds,
-				operator: "in"
-			}]
-		}) : [];
-		const inviterById = new Map(inviters.map((u) => [u.id, u]));
-		const userById = new Map(users.map((u) => [u.id, u]));
+		const inviterById = /* @__PURE__ */ new Map();
+		for (const inv of invitations) {
+			const inviter = Array.isArray(inv.user) ? inv.user[0] : inv.user;
+			if (inviter && inv.inviterId) inviterById.set(inv.inviterId, inviter);
+		}
 		const invitationByEmail = new Map(invitations.map((i) => [i.email.toLowerCase(), i]));
 		return members.map((m) => {
-			const user = userById.get(m.userId);
+			const user = (Array.isArray(m.user) ? m.user[0] : m.user) ?? null;
 			const invitation = user ? invitationByEmail.get(user.email.toLowerCase()) : null;
 			const inviter = invitation ? inviterById.get(invitation.inviterId) : null;
 			return {
@@ -4351,7 +4377,7 @@ const listOrganizationInvitations = (options) => {
 				value: ctx.params.id
 			}]
 		});
-		const emails = [...new Set(invitations.map((i) => i.email.toLowerCase()))];
+		const emails = [...new Set(invitations.map((i) => normalizeEmail(i.email, ctx.context)))];
 		const users = emails.length ? await ctx.context.adapter.findMany({
 			model: "user",
 			where: [{
@@ -4360,9 +4386,10 @@ const listOrganizationInvitations = (options) => {
 				operator: "in"
 			}]
 		}) : [];
-		const userByEmail = new Map(users.map((u) => [u.email.toLowerCase(), u]));
+		const userByEmail = new Map(users.map((u) => [normalizeEmail(u.email, ctx.context), u]));
 		return invitations.map((invitation) => {
-			const user = userByEmail.get(invitation.email.toLowerCase());
+			const invitationEmail = normalizeEmail(invitation.email, ctx.context);
+			const user = userByEmail.get(invitationEmail);
 			return {
 				...invitation,
 				user: user ? {
@@ -4398,17 +4425,12 @@ const deleteOrganization = (options) => {
 				field: "createdAt",
 				direction: "asc"
 			},
-			limit: 1
+			limit: 1,
+			join: { user: true }
 		});
 		if (owners.length === 0) throw ctx.error("NOT_FOUND", { message: "Owner user not found" });
 		const owner = owners[0];
-		const deletedByUser = await ctx.context.adapter.findOne({
-			model: "user",
-			where: [{
-				field: "id",
-				value: owner.userId
-			}]
-		});
+		const deletedByUser = Array.isArray(owner.user) ? owner.user[0] : owner.user;
 		if (!deletedByUser) throw ctx.error("NOT_FOUND", { message: "Owner user not found" });
 		const organization = await ctx.context.adapter.findOne({
 			model: "organization",
@@ -4555,17 +4577,12 @@ const updateTeam = (options) => {
 				field: "createdAt",
 				direction: "asc"
 			},
-			limit: 1
+			limit: 1,
+			join: { user: true }
 		});
 		if (owners.length === 0) throw ctx.error("NOT_FOUND", { message: "Owner not found" });
 		const owner = owners[0];
-		const user = await ctx.context.adapter.findOne({
-			model: "user",
-			where: [{
-				field: "id",
-				value: owner.userId
-			}]
-		});
+		const user = Array.isArray(owner.user) ? owner.user[0] : owner.user;
 		if (!user) throw ctx.error("NOT_FOUND", { message: "Owner user not found" });
 		let updateData = { updatedAt: /* @__PURE__ */ new Date() };
 		if (ctx.body.name) updateData.name = ctx.body.name;
@@ -4649,17 +4666,12 @@ const deleteTeam = (options) => {
 				field: "createdAt",
 				direction: "asc"
 			},
-			limit: 1
+			limit: 1,
+			join: { user: true }
 		});
 		if (owners.length === 0) throw ctx.error("NOT_FOUND", { message: "Owner not found" });
 		const owner = owners[0];
-		const user = await ctx.context.adapter.findOne({
-			model: "user",
-			where: [{
-				field: "id",
-				value: owner.userId
-			}]
-		});
+		const user = Array.isArray(owner.user) ? owner.user[0] : owner.user;
 		if (!user) throw ctx.error("NOT_FOUND", { message: "Owner user not found" });
 		if (orgOptions?.organizationHooks?.beforeDeleteTeam) await orgOptions.organizationHooks.beforeDeleteTeam({
 			team,
@@ -4727,17 +4739,12 @@ const createTeam = (options) => {
 				field: "createdAt",
 				direction: "asc"
 			},
-			limit: 1
+			limit: 1,
+			join: { user: true }
 		});
 		if (owners.length === 0) throw ctx.error("NOT_FOUND", { message: "Owner not found" });
 		const owner = owners[0];
-		const user = await ctx.context.adapter.findOne({
-			model: "user",
-			where: [{
-				field: "id",
-				value: owner.userId
-			}]
-		});
+		const user = Array.isArray(owner.user) ? owner.user[0] : owner.user;
 		if (!user) throw ctx.error("NOT_FOUND", { message: "Owner user not found" });
 		let teamData = {
 			name: ctx.body.name,
@@ -4773,7 +4780,7 @@ const listTeamMembers = (options) => {
 		use: [jwtMiddleware(options)]
 	}, async (ctx) => {
 		try {
-			if (!await ctx.context.adapter.findOne({
+			if (await ctx.context.adapter.count({
 				model: "team",
 				where: [{
 					field: "id",
@@ -4782,22 +4789,16 @@ const listTeamMembers = (options) => {
 					field: "organizationId",
 					value: ctx.params.orgId
 				}]
-			})) throw ctx.error("NOT_FOUND", { message: "Team not found" });
-			const teamMembers = await ctx.context.adapter.findMany({
+			}) === 0) throw ctx.error("NOT_FOUND", { message: "Team not found" });
+			return (await ctx.context.adapter.findMany({
 				model: "teamMember",
 				where: [{
 					field: "teamId",
 					value: ctx.params.teamId
-				}]
-			});
-			return await Promise.all(teamMembers.map(async (tm) => {
-				const user = await ctx.context.adapter.findOne({
-					model: "user",
-					where: [{
-						field: "id",
-						value: tm.userId
-					}]
-				});
+				}],
+				join: { user: true }
+			})).map((tm) => {
+				const user = Array.isArray(tm.user) ? tm.user[0] : tm.user;
 				return {
 					...tm,
 					user: user ? {
@@ -4807,7 +4808,7 @@ const listTeamMembers = (options) => {
 						image: user.image
 					} : null
 				};
-			}));
+			});
 		} catch (e) {
 			ctx.context.logger.warn("[Dash] Failed to list team members:", e);
 			return [];
@@ -4865,7 +4866,7 @@ const addTeamMember = (options) => {
 				value: organizationId
 			}]
 		})) throw ctx.error("BAD_REQUEST", { message: "User is not a member of this organization" });
-		if (await ctx.context.adapter.findOne({
+		if (await ctx.context.adapter.count({
 			model: "teamMember",
 			where: [{
 				field: "teamId",
@@ -4874,7 +4875,7 @@ const addTeamMember = (options) => {
 				field: "userId",
 				value: ctx.body.userId
 			}]
-		})) throw ctx.error("BAD_REQUEST", { message: "User is already a member of this team" });
+		}) > 0) throw ctx.error("BAD_REQUEST", { message: "User is already a member of this team" });
 		if (orgOptions?.teams?.maximumMembersPerTeam) {
 			const teamMemberCount = await ctx.context.adapter.count({
 				model: "teamMember",
@@ -5023,13 +5024,13 @@ const createOrganization = (options) => {
 		});
 		if (!user) throw ctx.error("BAD_REQUEST", { message: "User not found" });
 		const orgOptions = organizationPlugin.options || {};
-		if (await ctx.context.adapter.findOne({
+		if (await ctx.context.adapter.count({
 			model: "organization",
 			where: [{
 				field: "slug",
 				value: ctx.body.slug
 			}]
-		})) throw ctx.error("BAD_REQUEST", { message: "Organization already exists" });
+		}) > 0) throw ctx.error("BAD_REQUEST", { message: "Organization already exists" });
 		let orgData = {
 			...ctx.body,
 			defaultTeamName: void 0
@@ -5178,14 +5179,15 @@ const updateOrganization = (options) => {
 		const { organizationId } = ctx.context.payload;
 		const orgOptions = ctx.context.getPlugin("organization")?.options || {};
 		if (ctx.body.slug) {
-			const existingOrg = await ctx.context.adapter.findOne({
+			const orgWithSlug = await ctx.context.adapter.findOne({
 				model: "organization",
 				where: [{
 					field: "slug",
 					value: ctx.body.slug
-				}]
+				}],
+				select: ["id"]
 			});
-			if (existingOrg && existingOrg.id !== organizationId) throw ctx.error("BAD_REQUEST", { message: "Slug already exists" });
+			if (orgWithSlug && orgWithSlug.id !== organizationId) throw ctx.error("BAD_REQUEST", { message: "Slug already exists" });
 		}
 		const owners = await ctx.context.adapter.findMany({
 			model: "member",
@@ -5200,17 +5202,12 @@ const updateOrganization = (options) => {
 				field: "createdAt",
 				direction: "asc"
 			},
-			limit: 1
+			limit: 1,
+			join: { user: true }
 		});
 		if (owners.length === 0) throw ctx.error("NOT_FOUND", { message: "Owner user not found" });
 		const owner = owners[0];
-		const updatedByUser = await ctx.context.adapter.findOne({
-			model: "user",
-			where: [{
-				field: "id",
-				value: owner.userId
-			}]
-		});
+		const updatedByUser = Array.isArray(owner.user) ? owner.user[0] : owner.user;
 		if (!updatedByUser) throw ctx.error("NOT_FOUND", { message: "Owner user not found" });
 		let updateData = { ...ctx.body };
 		if (typeof updateData.metadata === "string") try {
@@ -5472,10 +5469,11 @@ const inviteMember = (options) => {
 			}]
 		});
 		if (!invitedBy) throw ctx.error("BAD_REQUEST", { message: "Invited by user not found" });
+		const invitationEmail = normalizeEmail(ctx.body.email, ctx.context);
 		return await organizationPlugin.endpoints.createInvitation({
 			headers: ctx.request?.headers ?? new Headers(),
 			body: {
-				email: ctx.body.email,
+				email: invitationEmail,
 				role: ctx.body.role,
 				organizationId
 			},
@@ -5497,11 +5495,12 @@ const checkUserByEmail = (options) => {
 		use: [jwtMiddleware(options, z$1.object({ organizationId: z$1.string() }))]
 	}, async (ctx) => {
 		const { organizationId } = ctx.context.payload;
+		const email = normalizeEmail(ctx.body.email, ctx.context);
 		const user = await ctx.context.adapter.findOne({
 			model: "user",
 			where: [{
 				field: "email",
-				value: ctx.body.email
+				value: email
 			}]
 		});
 		if (!user) return {
@@ -6095,10 +6094,11 @@ const resendInvitation = (options) => {
 		});
 		if (!invitedByUser) throw ctx.error("BAD_REQUEST", { message: "Inviter user not found" });
 		if (!organizationPlugin.endpoints?.createInvitation) throw ctx.error("INTERNAL_SERVER_ERROR", { message: "Organization plugin endpoints not available" });
+		const invitationEmail = normalizeEmail(invitation.email, ctx.context);
 		await organizationPlugin.endpoints.createInvitation({
 			headers: ctx.request?.headers ?? new Headers(),
 			body: {
-				email: invitation.email,
+				email: invitationEmail,
 				role: invitation.role,
 				organizationId,
 				resend: true
@@ -6137,28 +6137,31 @@ const listAllSessions = (options) => {
 		}).optional()
 	}, async (ctx) => {
 		const sessionsCount = await ctx.context.adapter.count({ model: "session" });
+		const limit = ctx.query?.limit || sessionsCount;
+		const offset = ctx.query?.offset || 0;
 		const sessions = await ctx.context.adapter.findMany({
 			model: "session",
-			limit: ctx.query?.limit || sessionsCount,
-			offset: ctx.query?.offset || 0,
+			limit,
+			offset,
 			sortBy: {
 				field: "createdAt",
 				direction: "desc"
-			}
-		});
-		return (await ctx.context.adapter.findMany({
-			model: "user",
-			where: [{
-				field: "id",
-				value: sessions.map((s) => s.userId),
-				operator: "in"
-			}]
-		})).map((u) => {
-			return {
-				...u,
-				sessions: sessions.filter((s) => s.userId === u.id)
-			};
-		});
+			},
+			join: { user: true }
+		});
+		const userMap = /* @__PURE__ */ new Map();
+		for (const s of sessions) {
+			const user = Array.isArray(s.user) ? s.user[0] : s.user;
+			if (!user) continue;
+			const { user: _u, ...sessionData } = s;
+			const session = sessionData;
+			if (!userMap.has(user.id)) userMap.set(user.id, {
+				...user,
+				sessions: []
+			});
+			userMap.get(user.id).sessions.push(session);
+		}
+		return Array.from(userMap.values());
 	});
 };
 const revokeSession = (options) => createAuthEndpoint("/dash/sessions/revoke", {
@@ -6267,7 +6270,7 @@ const getUsers = (options) => {
 			totalQuery,
 			onlineUsersQuery
 		]);
-		const hasAdminPlugin = ctx.context.hasPlugin("admin");
+		const hasAdminPlugin = hasPlugin(ctx.context, "admin");
 		return {
 			users: users.map((user) => {
 				const u = user;
@@ -6292,7 +6295,7 @@ const exportUsers = (options) => {
 		use: [jwtMiddleware(options)],
 		query: getUsersQuerySchema
 	}, async (ctx) => {
-		const hasAdminPlugin = ctx.context.hasPlugin("admin");
+		const hasAdminPlugin = hasPlugin(ctx.context, "admin");
 		return exportFactory({
 			model: "user",
 			limit: ctx.query?.limit,
@@ -6428,7 +6431,8 @@ const createUser = (options) => {
 		}).passthrough()
 	}, async (ctx) => {
 		const userData = ctx.body;
-		if (await ctx.context.internalAdapter.findUserByEmail(userData.email)) throw new APIError("BAD_REQUEST", { message: "User with this email already exist" });
+		const email = normalizeEmail(userData.email, ctx.context);
+		if (await ctx.context.internalAdapter.findUserByEmail(email)) throw new APIError("BAD_REQUEST", { message: "User with this email already exist" });
 		let password = null;
 		if (userData.generatePassword && !userData.password) password = generateId(12);
 		else if (userData.password && userData.password.trim() !== "") password = userData.password;
@@ -6449,6 +6453,7 @@ const createUser = (options) => {
 		}
 		const user = await ctx.context.internalAdapter.createUser({
 			...userData,
+			email,
 			emailVerified: userData.emailVerified,
 			createdAt: /* @__PURE__ */ new Date(),
 			updatedAt: /* @__PURE__ */ new Date()
@@ -6562,7 +6567,7 @@ const getUserDetails = (options) => {
 	}, async (ctx) => {
 		const { userId } = ctx.context.payload;
 		const minimal = !!ctx.query?.minimal;
-		const hasAdminPlugin = ctx.context.hasPlugin("admin");
+		const hasAdminPlugin = hasPlugin(ctx.context, "admin");
 		const user = await ctx.context.adapter.findOne({
 			model: "user",
 			where: [{
@@ -6632,47 +6637,39 @@ const getUserOrganizations = (options) => {
 		const isOrgEnabled = ctx.context.getPlugin("organization");
 		if (!isOrgEnabled) return { organizations: [] };
 		const isTeamEnabled = isOrgEnabled.options?.teams?.enabled;
-		const [member, teamMembers] = await Promise.all([ctx.context.adapter.findMany({
+		const [membersWithOrg, teamMembersWithTeam] = await Promise.all([ctx.context.adapter.findMany({
 			model: "member",
 			where: [{
 				field: "userId",
 				value: userId
-			}]
+			}],
+			join: { organization: true }
 		}), isTeamEnabled ? ctx.context.adapter.findMany({
 			model: "teamMember",
 			where: [{
 				field: "userId",
 				value: userId
-			}]
+			}],
+			join: { team: true }
 		}).catch((e) => {
 			ctx.context.logger.error("[Dash] Failed to fetch team members:", e);
 			return [];
 		}) : Promise.resolve([])]);
-		if (member.length === 0) return { organizations: [] };
-		const [organizations, teams] = await Promise.all([ctx.context.adapter.findMany({
-			model: "organization",
-			where: [{
-				field: "id",
-				value: member.map((m) => m.organizationId),
-				operator: "in"
-			}]
-		}), isTeamEnabled && teamMembers.length > 0 ? ctx.context.adapter.findMany({
-			model: "team",
-			where: [{
-				field: "id",
-				value: teamMembers.map((tm) => tm.teamId),
-				operator: "in"
-			}]
-		}) : Promise.resolve([])]);
-		return { organizations: organizations.map((organization) => ({
-			id: organization.id,
-			name: organization.name,
-			logo: organization.logo,
-			createdAt: organization.createdAt,
-			slug: organization.slug,
-			role: member.find((m) => m.organizationId === organization.id)?.role,
-			teams: teams.filter((team) => team.organizationId === organization.id)
-		})) };
+		if (membersWithOrg.length === 0) return { organizations: [] };
+		const teams = teamMembersWithTeam.map((tm) => Array.isArray(tm.team) ? tm.team[0] : tm.team).filter((t) => t != null);
+		return { organizations: membersWithOrg.map((m) => {
+			const organization = Array.isArray(m.organization) ? m.organization[0] : m.organization;
+			if (!organization) return null;
+			return {
+				id: organization.id,
+				name: organization.name,
+				logo: organization.logo,
+				createdAt: organization.createdAt,
+				slug: organization.slug,
+				role: m.role,
+				teams: teams.filter((team) => team.organizationId === organization.id)
+			};
+		}).filter(Boolean) };
 	});
 };
 const updateUser = (options) => createAuthEndpoint("/dash/update-user", {
@@ -7462,6 +7459,20 @@ const generateBackupCodes = (options) => createAuthEndpoint("/dash/generate-back
 	return { backupCodes: newBackupCodes };
 });
 
+//#endregion
+//#region src/routes/validate.ts
+/**
+* Lightweight endpoint to verify API key ownership during onboarding
+*/
+const getValidate = (options) => {
+	return createAuthEndpoint("/dash/validate", {
+		method: "GET",
+		use: [jwtValidateMiddleware(options)]
+	}, async () => {
+		return { valid: true };
+	});
+};
+
 //#endregion
 //#region src/pow.ts
 /** Default difficulty in bits (18 = ~500ms solve time) */
@@ -7965,6 +7976,7 @@ const dash = (options) => {
 		},
 		endpoints: {
 			getDashConfig: getConfig(opts),
+			getDashValidate: getValidate(opts),
 			getDashUsers: getUsers(opts),
 			exportDashUsers: exportUsers(opts),
 			getOnlineUsersCount: getOnlineUsersCount(opts),
@@ -8051,4 +8063,4 @@ const dash = (options) => {
 };
 
 //#endregion
-export { CHALLENGE_TTL, DEFAULT_DIFFICULTY, EMAIL_TEMPLATES, SMS_TEMPLATES, USER_EVENT_TYPES, createEmailSender, createSMSSender, dash, decodePoWChallenge, encodePoWSolution, sendBulkEmails, sendEmail, sendSMS, sentinel, solvePoWChallenge, verifyPoWSolution };
+export { CHALLENGE_TTL, DEFAULT_DIFFICULTY, EMAIL_TEMPLATES, SMS_TEMPLATES, USER_EVENT_TYPES, createEmailSender, createSMSSender, dash, decodePoWChallenge, encodePoWSolution, normalizeEmail, sendBulkEmails, sendEmail, sendSMS, sentinel, solvePoWChallenge, verifyPoWSolution };