@blazeo.com/calendar-client 1.0.24 → 1.0.27

package/README.md

@@ -22,12 +22,26 @@ cd your-app && npm link @blazeo.com/calendar-client
 Configure once at app startup, then use models and their methods:
 
 ```js
-import { configure, setBaseUrl, setConsumer, CalendarModel, createRootStore } from '@blazeo.com/calendar-client';
+import {
+  configure,
+  setBaseUrl,
+  setConsumer,
+  setApiCredentials,
+  fetchAccessToken,
+  CalendarModel,
+  createRootStore,
+} from '@blazeo.com/calendar-client';
 
 configure({ baseUrl: 'https://your-appointment-api.example.com' });
 // or: setBaseUrl('https://localhost:7051');
 setConsumer('my-app');  // optional: sent as Consumer header (e.g. for lead source)
 
+// API JWT (for Authorized routes such as lead export)
+setApiCredentials('your-api-key', 'your-api-secret');
+await fetchAccessToken();
+// Or set a token you obtained elsewhere:
+// setAccessToken('eyJ...', '2026-05-19T12:00:00Z');
+
 // Calendar static methods (no store needed)
 const timezones = await CalendarModel.getTimeZones();
 const calendar = await CalendarModel.get('calendar-guid');
@@ -38,12 +52,33 @@ const cal = store.addCalendar({ calendarId: 'my-cal', name: 'My Calendar' });
 await cal.create(); // POST to backend
 ```
 
+### API JWT authentication
+
+The backend issues JWTs via `POST Api/Auth/Token` (`api_key` + `api_secret`). There is no refresh endpoint; when the token expires (~1 hour), call `fetchAccessToken()` again.
+
+| Function | Purpose |
+|----------|---------|
+| `setApiCredentials(apiKey, apiSecret)` | Store credentials for token exchange |
+| `fetchAccessToken()` | Get JWT from API and store on config |
+| `setAccessToken(token, expiresAtUtc?)` | Use a token you already have |
+| `ensureValidAccessToken()` | Fetch only if missing or near expiry |
+| `clearAuth()` | Clear token and credentials |
+
+All `reqGet` / `reqPost` calls automatically attach `Authorization: Bearer …` and re-issue the token before requests when credentials are configured.
+
+```js
+configure({ baseUrl: 'https://your-api', apiKey: 'key', apiSecret: 'secret' });
+await fetchAccessToken();
+await LeadModel.requestExport('company-key');
+```
+
 ## API overview
 
 - **CalendarModel (static):** `get`, `getByCompany`, `getTimeZones`, `getTimeZone`, `getParticipants`, `getMonth`, `getEvents`, etc.
 - **EventModel (instance):** `get`, `create`, `cancel`, `getCancellable`, `getAvailability`, `setReminder`
 - **FlowModel:** Same pattern as Calendar — `FlowModel.create({}, { env })` with no fields; static `get`, `getRaw`, `list`, `createFlow`, `updateFlow`, `delete`, `duplicate`, appearance/embed/public/preview helpers; instance methods mirror those using `flowId` on the snapshot
 - **LeadModel:** `LeadModel.create({}, { env })`; static `get`, `getRaw`, `getByEmail`, `getByCompany`; instance `get`, `getByEmail`, `getByCompany` (uses `leadId` / `email` / `companyKey` on the snapshot)
+- **ParticipantModel:** static `get`, `getByEmail`, `getByIds`, `getAll`, …; instance `getByEmail` uses `email` + `companyKey` on the snapshot (see `GET /participant/getbyemail`)
 - **AuthModel (calendar OAuth / Connect Calendar):** `getCalendarProviders`, `getAuthorizationUrl`, `getAuthorizationStatus`, `openOAuthPopup`, `onCalendarAuthMessage` — see [Calendar authorization flow](#calendar-authorization-direct-ui)
 - **RootStore:** `addCalendar`, `addEvent`
 

package/dist/index.d.ts

@@ -1,9 +1,61 @@
 /** @blazeo.com/calendar-client - type declarations */
 
-export function configure(env: { baseUrl?: string; consumer?: string; fetch?: typeof fetch; getDefaultOffset?: () => number }): void;
-export function getConfig(): { baseUrl?: string; consumer?: string; fetch?: typeof fetch; getDefaultOffset?: () => number } | null;
+export type AccessTokenResult = {
+  status: string;
+  message?: string;
+  accessToken?: string;
+  expiresAtUtc?: string | null;
+  tokenType?: string;
+};
+
+export type AuthState = {
+  accessToken?: string;
+  tokenExpiresAt?: string;
+  apiKey?: string;
+  apiSecret?: string;
+  hasApiCredentials: boolean;
+};
+
+export function configure(env: {
+  baseUrl?: string;
+  consumer?: string;
+  fetch?: typeof fetch;
+  getDefaultOffset?: () => number;
+  accessToken?: string;
+  expiresAtUtc?: string;
+  tokenExpiresAt?: string;
+  expires_at_utc?: string;
+  apiKey?: string;
+  api_key?: string;
+  apiSecret?: string;
+  api_secret?: string;
+}): void;
+
+export function getConfig(): {
+  baseUrl?: string;
+  consumer?: string;
+  fetch?: typeof fetch;
+  getDefaultOffset?: () => number;
+  accessToken?: string;
+  tokenExpiresAt?: string;
+  hasApiCredentials?: boolean;
+} | null;
+
 export function setBaseUrl(baseUrl: string): void;
 export function setConsumer(consumer: string): void;
+export function setAccessToken(accessToken: string, expiresAtUtc?: string): void;
+export function clearAccessToken(): void;
+export function setApiCredentials(apiKey: string, apiSecret: string): void;
+export function clearApiCredentials(): void;
+export function clearAuth(): void;
+export function getAuth(): AuthState;
+export function fetchAccessToken(apiKey?: string, apiSecret?: string): Promise<AccessTokenResult>;
+export function ensureValidAccessToken(): Promise<string | undefined>;
+export function requestAccessToken(apiKey: string, apiSecret: string, opts?: { baseUrl?: string; fetch?: typeof fetch }): Promise<AccessTokenResult>;
+export function isAccessTokenExpired(expiresAtUtc?: string | number | Date | null, skewMs?: number): boolean;
+export function buildAuthHeaders(extra?: Record<string, string>): Record<string, string>;
+export const TOKEN_PATH: '/Api/Auth/Token';
+export const DEFAULT_TOKEN_REFRESH_SKEW_MS: number;
 export function getConfigStore(): unknown;
 
 export const ConfigModel: unknown;
@@ -79,6 +131,7 @@ export const CalendarParticipantModel: {
 };
 export const ParticipantModel: {
   get(participantId: string): Promise<unknown>;
+  getByEmail(email: string, companyKey: string): Promise<unknown>;
   getByIds(participantIds: string[] | string): Promise<unknown[] | null>;
   getAll(companyKey: string): Promise<unknown[] | null>;
   add(payload: object, calendarId?: string): Promise<unknown>;

package/dist/index.js

@@ -34,6 +34,7 @@ __export(index_exports, {
   CompanyModel: () => Company_default,
   ConfigModel: () => ConfigModel_default,
   CustomFieldModel: () => CustomField_default,
+  DEFAULT_TOKEN_REFRESH_SKEW_MS: () => DEFAULT_TOKEN_REFRESH_SKEW_MS,
   DayOfWeek: () => DayOfWeek,
   EmailProvider: () => EmailProvider,
   EventModel: () => Event_default,
@@ -48,14 +49,27 @@ __export(index_exports, {
   RecurringFrequency: () => RecurringFrequency,
   RootStore: () => RootStore,
   SettingModel: () => Setting_default,
+  TOKEN_PATH: () => TOKEN_PATH,
   TimeFrameModel: () => TimeFrame_default,
   TimeSlotModel: () => TimeSlot_default,
   Unit: () => Unit,
+  buildAuthHeaders: () => buildAuthHeaders,
+  clearAccessToken: () => clearAccessToken,
+  clearApiCredentials: () => clearApiCredentials,
+  clearAuth: () => clearAuth,
   configure: () => configure,
   createRootStore: () => createRootStore,
+  ensureValidAccessToken: () => ensureValidAccessToken,
+  fetchAccessToken: () => fetchAccessToken2,
+  getAuth: () => getAuth,
   getConfig: () => getConfig,
   getConfigStore: () => getConfigStore,
-  setBaseUrl: () => setBaseUrl
+  isAccessTokenExpired: () => isAccessTokenExpired,
+  requestAccessToken: () => requestAccessToken,
+  setAccessToken: () => setAccessToken,
+  setApiCredentials: () => setApiCredentials,
+  setBaseUrl: () => setBaseUrl,
+  setConsumer: () => setConsumer
 });
 module.exports = __toCommonJS(index_exports);
 
@@ -69,6 +83,10 @@ var ConfigModel = import_mobx_state_tree.types.model("Config", {
   consumer: import_mobx_state_tree.types.optional(import_mobx_state_tree.types.string, "")
 }).volatile(() => ({
   fetch: void 0,
+  accessToken: void 0,
+  tokenExpiresAt: void 0,
+  apiKey: void 0,
+  apiSecret: void 0,
   getDefaultOffset: () => -(/* @__PURE__ */ new Date()).getTimezoneOffset()
 })).actions((self) => ({
   setBaseUrl(url) {
@@ -83,19 +101,57 @@ var ConfigModel = import_mobx_state_tree.types.model("Config", {
   setGetDefaultOffset(fn) {
     self.getDefaultOffset = fn;
   },
+  setAccessToken(token, expiresAtUtc = void 0) {
+    self.accessToken = token ? String(token) : void 0;
+    self.tokenExpiresAt = expiresAtUtc != null && expiresAtUtc !== "" ? String(expiresAtUtc) : void 0;
+  },
+  clearAccessToken() {
+    self.accessToken = void 0;
+    self.tokenExpiresAt = void 0;
+  },
+  setApiCredentials(apiKey, apiSecret) {
+    self.apiKey = apiKey != null ? String(apiKey) : void 0;
+    self.apiSecret = apiSecret != null ? String(apiSecret) : void 0;
+  },
+  clearApiCredentials() {
+    self.apiKey = void 0;
+    self.apiSecret = void 0;
+  },
+  clearAuth() {
+    self.clearAccessToken();
+    self.clearApiCredentials();
+  },
   configure(env) {
     if (env.baseUrl != null) self.baseUrl = env.baseUrl;
     if (env.consumer != null) self.consumer = env.consumer;
     if (env.fetch != null) self.fetch = env.fetch;
     if (env.getDefaultOffset != null) self.getDefaultOffset = env.getDefaultOffset;
+    if (env.accessToken != null) {
+      self.setAccessToken(
+        env.accessToken,
+        env.expiresAtUtc ?? env.tokenExpiresAt ?? env.expires_at_utc
+      );
+    }
+    if (env.apiKey != null || env.api_key != null) {
+      self.apiKey = String(env.apiKey ?? env.api_key);
+    }
+    if (env.apiSecret != null || env.api_secret != null) {
+      self.apiSecret = String(env.apiSecret ?? env.api_secret);
+    }
   }
 })).views((self) => ({
+  get hasApiCredentials() {
+    return Boolean(self.apiKey && self.apiSecret);
+  },
   getEnv() {
     return {
       baseUrl: self.baseUrl || void 0,
       consumer: self.consumer || void 0,
       fetch: self.fetch,
-      getDefaultOffset: self.getDefaultOffset
+      getDefaultOffset: self.getDefaultOffset,
+      accessToken: self.accessToken,
+      tokenExpiresAt: self.tokenExpiresAt,
+      hasApiCredentials: self.hasApiCredentials
     };
   }
 }));
@@ -106,6 +162,122 @@ function getConfigStore() {
 }
 var ConfigModel_default = ConfigModel;
 
+// src/apiAuth.js
+var TOKEN_PATH = "/Api/Auth/Token";
+var DEFAULT_TOKEN_REFRESH_SKEW_MS = 6e4;
+function defaultFetch() {
+  if (typeof fetch === "undefined") {
+    throw new Error("fetch not available");
+  }
+  return fetch;
+}
+function pickTokenPayload(data) {
+  if (!data || typeof data !== "object") return null;
+  const nested = data.data && typeof data.data === "object" ? data.data : data;
+  const accessToken = nested.access_token ?? nested.accessToken ?? nested.AccessToken ?? null;
+  if (!accessToken) return null;
+  const expiresAtUtc = nested.expires_at_utc ?? nested.expiresAtUtc ?? nested.ExpiresAtUtc ?? null;
+  return {
+    accessToken: String(accessToken),
+    expiresAtUtc: expiresAtUtc != null ? String(expiresAtUtc) : null,
+    tokenType: nested.token_type ?? nested.tokenType ?? "Bearer"
+  };
+}
+function isAccessTokenExpired(expiresAtUtc, skewMs = DEFAULT_TOKEN_REFRESH_SKEW_MS) {
+  if (expiresAtUtc == null || expiresAtUtc === "") return false;
+  const expMs = new Date(expiresAtUtc).getTime();
+  if (Number.isNaN(expMs)) return false;
+  return Date.now() >= expMs - skewMs;
+}
+function getAuthState() {
+  const store = getConfigStore();
+  return {
+    accessToken: store.accessToken ?? void 0,
+    tokenExpiresAt: store.tokenExpiresAt ?? void 0,
+    apiKey: store.apiKey ?? void 0,
+    apiSecret: store.apiSecret ?? void 0,
+    hasApiCredentials: Boolean(store.apiKey && store.apiSecret)
+  };
+}
+async function requestAccessToken(apiKey, apiSecret, opts = {}) {
+  const store = getConfigStore();
+  const baseUrl = opts.baseUrl ?? store.baseUrl;
+  if (!baseUrl) {
+    return { status: "failure", message: "baseUrl required. Call configure({ baseUrl }) first." };
+  }
+  const key = apiKey != null ? String(apiKey).trim() : "";
+  const secret = apiSecret != null ? String(apiSecret).trim() : "";
+  if (!key || !secret) {
+    return { status: "failure", message: "api_key and api_secret are required" };
+  }
+  const fetchFn = opts.fetch ?? store.fetch ?? defaultFetch();
+  const url = `${String(baseUrl).replace(/\/+$/, "")}${TOKEN_PATH}`;
+  const httpRes = await fetchFn(url, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ api_key: key, api_secret: secret })
+  });
+  const text = await httpRes.text();
+  let body;
+  try {
+    body = JSON.parse(text);
+  } catch {
+    body = { status: "failure", message: text || httpRes.statusText };
+  }
+  if (!httpRes.ok && body.status !== "failure") {
+    body.status = "failure";
+    body.message = body.message ?? `HTTP ${httpRes.status}`;
+  }
+  if (body.status !== "success") {
+    return {
+      status: "failure",
+      message: body.message ?? "Failed to obtain access token"
+    };
+  }
+  const parsed = pickTokenPayload(body);
+  if (!parsed) {
+    return { status: "failure", message: "Token response missing access_token" };
+  }
+  return {
+    status: "success",
+    accessToken: parsed.accessToken,
+    expiresAtUtc: parsed.expiresAtUtc,
+    tokenType: parsed.tokenType
+  };
+}
+async function fetchAccessToken(apiKey, apiSecret) {
+  const store = getConfigStore();
+  const key = apiKey ?? store.apiKey;
+  const secret = apiSecret ?? store.apiSecret;
+  const result = await requestAccessToken(key, secret);
+  if (result.status === "success") {
+    store.setAccessToken(result.accessToken, result.expiresAtUtc);
+  }
+  return result;
+}
+async function ensureAccessToken() {
+  const store = getConfigStore();
+  const { accessToken, tokenExpiresAt, apiKey, apiSecret } = getAuthState();
+  if (accessToken && !isAccessTokenExpired(tokenExpiresAt)) {
+    return accessToken;
+  }
+  if (apiKey && apiSecret) {
+    const result = await fetchAccessToken(apiKey, apiSecret);
+    if (result.status === "success") return result.accessToken;
+  }
+  return accessToken;
+}
+function buildAuthHeaders(extra = {}) {
+  const headers = { ...extra };
+  const { consumer } = getConfigStore();
+  const { accessToken } = getAuthState();
+  if (!headers.Consumer && consumer) headers.Consumer = consumer;
+  if (!headers.Authorization && accessToken) {
+    headers.Authorization = `Bearer ${accessToken}`;
+  }
+  return headers;
+}
+
 // src/config.js
 function configure(env) {
   const store = getConfigStore();
@@ -119,6 +291,33 @@ function getConfig() {
 function setBaseUrl(baseUrl) {
   getConfigStore().setBaseUrl(baseUrl);
 }
+function setConsumer(consumer) {
+  getConfigStore().setConsumer(consumer);
+}
+function setAccessToken(accessToken, expiresAtUtc) {
+  getConfigStore().setAccessToken(accessToken, expiresAtUtc);
+}
+function clearAccessToken() {
+  getConfigStore().clearAccessToken();
+}
+function setApiCredentials(apiKey, apiSecret) {
+  getConfigStore().setApiCredentials(apiKey, apiSecret);
+}
+function clearApiCredentials() {
+  getConfigStore().clearApiCredentials();
+}
+function clearAuth() {
+  getConfigStore().clearAuth();
+}
+function getAuth() {
+  return getAuthState();
+}
+function fetchAccessToken2(apiKey, apiSecret) {
+  return fetchAccessToken(apiKey, apiSecret);
+}
+function ensureValidAccessToken() {
+  return ensureAccessToken();
+}
 
 // src/apiRequest.js
 function buildQuery(params) {
@@ -135,10 +334,18 @@ function buildQuery(params) {
   return q ? `?${q}` : "";
 }
 async function request(baseUrl, fetchFn, path, options = {}) {
-  const { method = "GET", headers = {}, body, query, skipContentType } = options;
+  const { method = "GET", headers = {}, body, query, skipContentType, skipAuth } = options;
   const url = `${String(baseUrl).replace(/\/+$/, "")}${path}${buildQuery(query)}`;
   const reqHeaders = { ...headers };
   if (!skipContentType && typeof body === "string") reqHeaders["Content-Type"] = "application/json";
+  if (!skipAuth) {
+    const store = getConfigStore();
+    if (!reqHeaders["Consumer"] && store.consumer) reqHeaders["Consumer"] = store.consumer;
+    const { accessToken } = getAuthState();
+    if (!reqHeaders["Authorization"] && accessToken) {
+      reqHeaders["Authorization"] = `Bearer ${accessToken}`;
+    }
+  }
   const res = await fetchFn(url, { method, headers: reqHeaders, body });
   const text = await res.text();
   let data;
@@ -151,23 +358,35 @@ async function request(baseUrl, fetchFn, path, options = {}) {
     data.status = "failure";
     data.message = data.message ?? `HTTP ${res.status}`;
   }
+  data._httpStatus = res.status;
   return data;
 }
-function mergeConsumerHeader(env, opts) {
+function mergeRequestHeaders(env, opts) {
   const headers = { ...opts.headers || {} };
-  if (!headers["Consumer"] && (env == null ? void 0 : env.consumer)) headers["Consumer"] = env.consumer;
+  const store = getConfigStore();
+  if (!headers["Consumer"] && ((env == null ? void 0 : env.consumer) || store.consumer)) {
+    headers["Consumer"] = (env == null ? void 0 : env.consumer) || store.consumer;
+  }
+  const { accessToken } = getAuthState();
+  if (!headers["Authorization"] && accessToken) {
+    headers["Authorization"] = `Bearer ${accessToken}`;
+  }
   return { ...opts, headers };
 }
+async function executeRequest(baseUrl, fetchFn, path, opts) {
+  if (!opts.skipAuth) await ensureAccessToken();
+  return request(baseUrl, fetchFn, path, mergeRequestHeaders(null, opts));
+}
 function createRequestHelpers(self, getEnv12) {
   const env = () => getEnv12(self);
   const baseUrl = () => env().baseUrl;
-  const fetchFn = () => env().fetch ?? (typeof fetch !== "undefined" ? fetch : () => {
+  const fetchFn = () => env().fetch ?? getConfigStore().fetch ?? (typeof fetch !== "undefined" ? fetch : () => {
     throw new Error("fetch not available");
   });
   const req = (path, opts = {}) => {
     const url = baseUrl();
     if (!url) throw new Error("Model env requires baseUrl. Call configure({ baseUrl }) at app startup.");
-    return request(url, fetchFn(), path, mergeConsumerHeader(env(), opts));
+    return executeRequest(url, fetchFn(), path, opts);
   };
   return {
     req,
@@ -178,14 +397,14 @@ function createRequestHelpers(self, getEnv12) {
 function createRequestHelpersFromEnv(env) {
   const e = env ?? getConfig();
   if (!e) throw new Error("Env required. Pass env to the method or call configure({ baseUrl }) at app startup.");
-  const baseUrl = () => e == null ? void 0 : e.baseUrl;
-  const fetchFn = () => (e == null ? void 0 : e.fetch) ?? (typeof fetch !== "undefined" ? fetch : () => {
+  const baseUrl = () => (e == null ? void 0 : e.baseUrl) ?? getConfigStore().baseUrl;
+  const fetchFn = () => (e == null ? void 0 : e.fetch) ?? getConfigStore().fetch ?? (typeof fetch !== "undefined" ? fetch : () => {
     throw new Error("fetch not available");
   });
   const req = (path, opts = {}) => {
     const url = baseUrl();
     if (!url) throw new Error("Env requires baseUrl. Call configure({ baseUrl }) at app startup.");
-    return request(url, fetchFn(), path, mergeConsumerHeader(e, opts));
+    return executeRequest(url, fetchFn(), path, opts);
   };
   return {
     env: e,
@@ -1300,6 +1519,15 @@ var ParticipantModel = import_mobx_state_tree11.types.model("Participant", {
       if (res.status === "success" && res.data) (0, import_mobx_state_tree11.applySnapshot)(self, mapFromApi2(res.data));
       return res;
     },
+    /** GET participant/getbyemail – fetch by companyKey + email on this snapshot */
+    async getByEmail() {
+      const res = await reqGet("/participant/getbyemail", {
+        email: self.email,
+        company_key: self.companyKey
+      });
+      if (res.status === "success" && res.data) (0, import_mobx_state_tree11.applySnapshot)(self, mapFromApi2(res.data));
+      return res;
+    },
     /** POST participant/save – save participant (add or update) */
     async save() {
       const payload = toPayload(self);
@@ -1415,6 +1643,14 @@ function mapCalendarFromApi2(d) {
     modifiedOn: pick2("modifiedOn", "ModifiedOn", "modified_on") ?? null
   };
 }
+ParticipantModel.getByEmail = async (email, companyKey) => {
+  const { reqGet } = createRequestHelpersFromEnv(getConfig());
+  const res = await reqGet("/participant/getbyemail", { email, company_key: companyKey });
+  if (res.status === "success" && res.data) {
+    return ParticipantModel.create(mapFromApi2(res.data), { env: getConfig() });
+  }
+  return null;
+};
 ParticipantModel.get = async (participantId) => {
   const { reqGet } = createRequestHelpersFromEnv(getConfig());
   const res = await reqGet("/participant/get", { participant_id: participantId });
@@ -1593,6 +1829,7 @@ SettingModel.save = async (payload) => {
 SettingModel.uploadLogo = async (calendarId, file) => {
   const cfg = getConfig();
   if (!(cfg == null ? void 0 : cfg.baseUrl)) throw new Error("Configure baseUrl before uploadLogo");
+  await ensureAccessToken();
   const fetchFn = cfg.fetch ?? (typeof fetch !== "undefined" ? fetch : () => {
     throw new Error("fetch not available");
   });
@@ -1602,6 +1839,7 @@ SettingModel.uploadLogo = async (calendarId, file) => {
   formData.append("file", file);
   const res = await fetchFn(url, {
     method: "POST",
+    headers: buildAuthHeaders(),
     body: formData
   });
   const text = await res.text();
@@ -1724,6 +1962,7 @@ AssetModel.upload = async (file, opts = {}) => {
   if (!file) return { status: "failure", message: "file is required" };
   const category = opts.category != null ? String(opts.category).trim() : "";
   if (!category) return { status: "failure", message: "category is required" };
+  await ensureAccessToken();
   const fetchFn = cfg.fetch ?? (typeof fetch !== "undefined" ? fetch : () => {
     throw new Error("fetch not available");
   });
@@ -1738,8 +1977,7 @@ AssetModel.upload = async (file, opts = {}) => {
   if (opts.calendarId != null && String(opts.calendarId).trim() !== "") {
     formData.append("calendar_id", String(opts.calendarId).trim());
   }
-  const headers = {};
-  if (cfg.consumer) headers.Consumer = cfg.consumer;
+  const headers = buildAuthHeaders();
   if (opts.consumer != null && String(opts.consumer).trim() !== "") {
     headers.Consumer = String(opts.consumer).trim();
   }
@@ -2782,6 +3020,7 @@ function createRootStore(initialState = {}) {
   CompanyModel,
   ConfigModel,
   CustomFieldModel,
+  DEFAULT_TOKEN_REFRESH_SKEW_MS,
   DayOfWeek,
   EmailProvider,
   EventModel,
@@ -2796,12 +3035,25 @@ function createRootStore(initialState = {}) {
   RecurringFrequency,
   RootStore,
   SettingModel,
+  TOKEN_PATH,
   TimeFrameModel,
   TimeSlotModel,
   Unit,
+  buildAuthHeaders,
+  clearAccessToken,
+  clearApiCredentials,
+  clearAuth,
   configure,
   createRootStore,
+  ensureValidAccessToken,
+  fetchAccessToken,
+  getAuth,
   getConfig,
   getConfigStore,
-  setBaseUrl
+  isAccessTokenExpired,
+  requestAccessToken,
+  setAccessToken,
+  setApiCredentials,
+  setBaseUrl,
+  setConsumer
 });

package/dist/index.mjs

@@ -8,6 +8,10 @@ var ConfigModel = types.model("Config", {
   consumer: types.optional(types.string, "")
 }).volatile(() => ({
   fetch: void 0,
+  accessToken: void 0,
+  tokenExpiresAt: void 0,
+  apiKey: void 0,
+  apiSecret: void 0,
   getDefaultOffset: () => -(/* @__PURE__ */ new Date()).getTimezoneOffset()
 })).actions((self) => ({
   setBaseUrl(url) {
@@ -22,19 +26,57 @@ var ConfigModel = types.model("Config", {
   setGetDefaultOffset(fn) {
     self.getDefaultOffset = fn;
   },
+  setAccessToken(token, expiresAtUtc = void 0) {
+    self.accessToken = token ? String(token) : void 0;
+    self.tokenExpiresAt = expiresAtUtc != null && expiresAtUtc !== "" ? String(expiresAtUtc) : void 0;
+  },
+  clearAccessToken() {
+    self.accessToken = void 0;
+    self.tokenExpiresAt = void 0;
+  },
+  setApiCredentials(apiKey, apiSecret) {
+    self.apiKey = apiKey != null ? String(apiKey) : void 0;
+    self.apiSecret = apiSecret != null ? String(apiSecret) : void 0;
+  },
+  clearApiCredentials() {
+    self.apiKey = void 0;
+    self.apiSecret = void 0;
+  },
+  clearAuth() {
+    self.clearAccessToken();
+    self.clearApiCredentials();
+  },
   configure(env) {
     if (env.baseUrl != null) self.baseUrl = env.baseUrl;
     if (env.consumer != null) self.consumer = env.consumer;
     if (env.fetch != null) self.fetch = env.fetch;
     if (env.getDefaultOffset != null) self.getDefaultOffset = env.getDefaultOffset;
+    if (env.accessToken != null) {
+      self.setAccessToken(
+        env.accessToken,
+        env.expiresAtUtc ?? env.tokenExpiresAt ?? env.expires_at_utc
+      );
+    }
+    if (env.apiKey != null || env.api_key != null) {
+      self.apiKey = String(env.apiKey ?? env.api_key);
+    }
+    if (env.apiSecret != null || env.api_secret != null) {
+      self.apiSecret = String(env.apiSecret ?? env.api_secret);
+    }
   }
 })).views((self) => ({
+  get hasApiCredentials() {
+    return Boolean(self.apiKey && self.apiSecret);
+  },
   getEnv() {
     return {
       baseUrl: self.baseUrl || void 0,
       consumer: self.consumer || void 0,
       fetch: self.fetch,
-      getDefaultOffset: self.getDefaultOffset
+      getDefaultOffset: self.getDefaultOffset,
+      accessToken: self.accessToken,
+      tokenExpiresAt: self.tokenExpiresAt,
+      hasApiCredentials: self.hasApiCredentials
     };
   }
 }));
@@ -45,6 +87,122 @@ function getConfigStore() {
 }
 var ConfigModel_default = ConfigModel;
 
+// src/apiAuth.js
+var TOKEN_PATH = "/Api/Auth/Token";
+var DEFAULT_TOKEN_REFRESH_SKEW_MS = 6e4;
+function defaultFetch() {
+  if (typeof fetch === "undefined") {
+    throw new Error("fetch not available");
+  }
+  return fetch;
+}
+function pickTokenPayload(data) {
+  if (!data || typeof data !== "object") return null;
+  const nested = data.data && typeof data.data === "object" ? data.data : data;
+  const accessToken = nested.access_token ?? nested.accessToken ?? nested.AccessToken ?? null;
+  if (!accessToken) return null;
+  const expiresAtUtc = nested.expires_at_utc ?? nested.expiresAtUtc ?? nested.ExpiresAtUtc ?? null;
+  return {
+    accessToken: String(accessToken),
+    expiresAtUtc: expiresAtUtc != null ? String(expiresAtUtc) : null,
+    tokenType: nested.token_type ?? nested.tokenType ?? "Bearer"
+  };
+}
+function isAccessTokenExpired(expiresAtUtc, skewMs = DEFAULT_TOKEN_REFRESH_SKEW_MS) {
+  if (expiresAtUtc == null || expiresAtUtc === "") return false;
+  const expMs = new Date(expiresAtUtc).getTime();
+  if (Number.isNaN(expMs)) return false;
+  return Date.now() >= expMs - skewMs;
+}
+function getAuthState() {
+  const store = getConfigStore();
+  return {
+    accessToken: store.accessToken ?? void 0,
+    tokenExpiresAt: store.tokenExpiresAt ?? void 0,
+    apiKey: store.apiKey ?? void 0,
+    apiSecret: store.apiSecret ?? void 0,
+    hasApiCredentials: Boolean(store.apiKey && store.apiSecret)
+  };
+}
+async function requestAccessToken(apiKey, apiSecret, opts = {}) {
+  const store = getConfigStore();
+  const baseUrl = opts.baseUrl ?? store.baseUrl;
+  if (!baseUrl) {
+    return { status: "failure", message: "baseUrl required. Call configure({ baseUrl }) first." };
+  }
+  const key = apiKey != null ? String(apiKey).trim() : "";
+  const secret = apiSecret != null ? String(apiSecret).trim() : "";
+  if (!key || !secret) {
+    return { status: "failure", message: "api_key and api_secret are required" };
+  }
+  const fetchFn = opts.fetch ?? store.fetch ?? defaultFetch();
+  const url = `${String(baseUrl).replace(/\/+$/, "")}${TOKEN_PATH}`;
+  const httpRes = await fetchFn(url, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ api_key: key, api_secret: secret })
+  });
+  const text = await httpRes.text();
+  let body;
+  try {
+    body = JSON.parse(text);
+  } catch {
+    body = { status: "failure", message: text || httpRes.statusText };
+  }
+  if (!httpRes.ok && body.status !== "failure") {
+    body.status = "failure";
+    body.message = body.message ?? `HTTP ${httpRes.status}`;
+  }
+  if (body.status !== "success") {
+    return {
+      status: "failure",
+      message: body.message ?? "Failed to obtain access token"
+    };
+  }
+  const parsed = pickTokenPayload(body);
+  if (!parsed) {
+    return { status: "failure", message: "Token response missing access_token" };
+  }
+  return {
+    status: "success",
+    accessToken: parsed.accessToken,
+    expiresAtUtc: parsed.expiresAtUtc,
+    tokenType: parsed.tokenType
+  };
+}
+async function fetchAccessToken(apiKey, apiSecret) {
+  const store = getConfigStore();
+  const key = apiKey ?? store.apiKey;
+  const secret = apiSecret ?? store.apiSecret;
+  const result = await requestAccessToken(key, secret);
+  if (result.status === "success") {
+    store.setAccessToken(result.accessToken, result.expiresAtUtc);
+  }
+  return result;
+}
+async function ensureAccessToken() {
+  const store = getConfigStore();
+  const { accessToken, tokenExpiresAt, apiKey, apiSecret } = getAuthState();
+  if (accessToken && !isAccessTokenExpired(tokenExpiresAt)) {
+    return accessToken;
+  }
+  if (apiKey && apiSecret) {
+    const result = await fetchAccessToken(apiKey, apiSecret);
+    if (result.status === "success") return result.accessToken;
+  }
+  return accessToken;
+}
+function buildAuthHeaders(extra = {}) {
+  const headers = { ...extra };
+  const { consumer } = getConfigStore();
+  const { accessToken } = getAuthState();
+  if (!headers.Consumer && consumer) headers.Consumer = consumer;
+  if (!headers.Authorization && accessToken) {
+    headers.Authorization = `Bearer ${accessToken}`;
+  }
+  return headers;
+}
+
 // src/config.js
 function configure(env) {
   const store = getConfigStore();
@@ -58,6 +216,33 @@ function getConfig() {
 function setBaseUrl(baseUrl) {
   getConfigStore().setBaseUrl(baseUrl);
 }
+function setConsumer(consumer) {
+  getConfigStore().setConsumer(consumer);
+}
+function setAccessToken(accessToken, expiresAtUtc) {
+  getConfigStore().setAccessToken(accessToken, expiresAtUtc);
+}
+function clearAccessToken() {
+  getConfigStore().clearAccessToken();
+}
+function setApiCredentials(apiKey, apiSecret) {
+  getConfigStore().setApiCredentials(apiKey, apiSecret);
+}
+function clearApiCredentials() {
+  getConfigStore().clearApiCredentials();
+}
+function clearAuth() {
+  getConfigStore().clearAuth();
+}
+function getAuth() {
+  return getAuthState();
+}
+function fetchAccessToken2(apiKey, apiSecret) {
+  return fetchAccessToken(apiKey, apiSecret);
+}
+function ensureValidAccessToken() {
+  return ensureAccessToken();
+}
 
 // src/apiRequest.js
 function buildQuery(params) {
@@ -74,10 +259,18 @@ function buildQuery(params) {
   return q ? `?${q}` : "";
 }
 async function request(baseUrl, fetchFn, path, options = {}) {
-  const { method = "GET", headers = {}, body, query, skipContentType } = options;
+  const { method = "GET", headers = {}, body, query, skipContentType, skipAuth } = options;
   const url = `${String(baseUrl).replace(/\/+$/, "")}${path}${buildQuery(query)}`;
   const reqHeaders = { ...headers };
   if (!skipContentType && typeof body === "string") reqHeaders["Content-Type"] = "application/json";
+  if (!skipAuth) {
+    const store = getConfigStore();
+    if (!reqHeaders["Consumer"] && store.consumer) reqHeaders["Consumer"] = store.consumer;
+    const { accessToken } = getAuthState();
+    if (!reqHeaders["Authorization"] && accessToken) {
+      reqHeaders["Authorization"] = `Bearer ${accessToken}`;
+    }
+  }
   const res = await fetchFn(url, { method, headers: reqHeaders, body });
   const text = await res.text();
   let data;
@@ -90,23 +283,35 @@ async function request(baseUrl, fetchFn, path, options = {}) {
     data.status = "failure";
     data.message = data.message ?? `HTTP ${res.status}`;
   }
+  data._httpStatus = res.status;
   return data;
 }
-function mergeConsumerHeader(env, opts) {
+function mergeRequestHeaders(env, opts) {
   const headers = { ...opts.headers || {} };
-  if (!headers["Consumer"] && (env == null ? void 0 : env.consumer)) headers["Consumer"] = env.consumer;
+  const store = getConfigStore();
+  if (!headers["Consumer"] && ((env == null ? void 0 : env.consumer) || store.consumer)) {
+    headers["Consumer"] = (env == null ? void 0 : env.consumer) || store.consumer;
+  }
+  const { accessToken } = getAuthState();
+  if (!headers["Authorization"] && accessToken) {
+    headers["Authorization"] = `Bearer ${accessToken}`;
+  }
   return { ...opts, headers };
 }
+async function executeRequest(baseUrl, fetchFn, path, opts) {
+  if (!opts.skipAuth) await ensureAccessToken();
+  return request(baseUrl, fetchFn, path, mergeRequestHeaders(null, opts));
+}
 function createRequestHelpers(self, getEnv12) {
   const env = () => getEnv12(self);
   const baseUrl = () => env().baseUrl;
-  const fetchFn = () => env().fetch ?? (typeof fetch !== "undefined" ? fetch : () => {
+  const fetchFn = () => env().fetch ?? getConfigStore().fetch ?? (typeof fetch !== "undefined" ? fetch : () => {
     throw new Error("fetch not available");
   });
   const req = (path, opts = {}) => {
     const url = baseUrl();
     if (!url) throw new Error("Model env requires baseUrl. Call configure({ baseUrl }) at app startup.");
-    return request(url, fetchFn(), path, mergeConsumerHeader(env(), opts));
+    return executeRequest(url, fetchFn(), path, opts);
   };
   return {
     req,
@@ -117,14 +322,14 @@ function createRequestHelpers(self, getEnv12) {
 function createRequestHelpersFromEnv(env) {
   const e = env ?? getConfig();
   if (!e) throw new Error("Env required. Pass env to the method or call configure({ baseUrl }) at app startup.");
-  const baseUrl = () => e == null ? void 0 : e.baseUrl;
-  const fetchFn = () => (e == null ? void 0 : e.fetch) ?? (typeof fetch !== "undefined" ? fetch : () => {
+  const baseUrl = () => (e == null ? void 0 : e.baseUrl) ?? getConfigStore().baseUrl;
+  const fetchFn = () => (e == null ? void 0 : e.fetch) ?? getConfigStore().fetch ?? (typeof fetch !== "undefined" ? fetch : () => {
     throw new Error("fetch not available");
   });
   const req = (path, opts = {}) => {
     const url = baseUrl();
     if (!url) throw new Error("Env requires baseUrl. Call configure({ baseUrl }) at app startup.");
-    return request(url, fetchFn(), path, mergeConsumerHeader(e, opts));
+    return executeRequest(url, fetchFn(), path, opts);
   };
   return {
     env: e,
@@ -1239,6 +1444,15 @@ var ParticipantModel = types11.model("Participant", {
       if (res.status === "success" && res.data) applySnapshot3(self, mapFromApi2(res.data));
       return res;
     },
+    /** GET participant/getbyemail – fetch by companyKey + email on this snapshot */
+    async getByEmail() {
+      const res = await reqGet("/participant/getbyemail", {
+        email: self.email,
+        company_key: self.companyKey
+      });
+      if (res.status === "success" && res.data) applySnapshot3(self, mapFromApi2(res.data));
+      return res;
+    },
     /** POST participant/save – save participant (add or update) */
     async save() {
       const payload = toPayload(self);
@@ -1354,6 +1568,14 @@ function mapCalendarFromApi2(d) {
     modifiedOn: pick2("modifiedOn", "ModifiedOn", "modified_on") ?? null
   };
 }
+ParticipantModel.getByEmail = async (email, companyKey) => {
+  const { reqGet } = createRequestHelpersFromEnv(getConfig());
+  const res = await reqGet("/participant/getbyemail", { email, company_key: companyKey });
+  if (res.status === "success" && res.data) {
+    return ParticipantModel.create(mapFromApi2(res.data), { env: getConfig() });
+  }
+  return null;
+};
 ParticipantModel.get = async (participantId) => {
   const { reqGet } = createRequestHelpersFromEnv(getConfig());
   const res = await reqGet("/participant/get", { participant_id: participantId });
@@ -1532,6 +1754,7 @@ SettingModel.save = async (payload) => {
 SettingModel.uploadLogo = async (calendarId, file) => {
   const cfg = getConfig();
   if (!(cfg == null ? void 0 : cfg.baseUrl)) throw new Error("Configure baseUrl before uploadLogo");
+  await ensureAccessToken();
   const fetchFn = cfg.fetch ?? (typeof fetch !== "undefined" ? fetch : () => {
     throw new Error("fetch not available");
   });
@@ -1541,6 +1764,7 @@ SettingModel.uploadLogo = async (calendarId, file) => {
   formData.append("file", file);
   const res = await fetchFn(url, {
     method: "POST",
+    headers: buildAuthHeaders(),
     body: formData
   });
   const text = await res.text();
@@ -1663,6 +1887,7 @@ AssetModel.upload = async (file, opts = {}) => {
   if (!file) return { status: "failure", message: "file is required" };
   const category = opts.category != null ? String(opts.category).trim() : "";
   if (!category) return { status: "failure", message: "category is required" };
+  await ensureAccessToken();
   const fetchFn = cfg.fetch ?? (typeof fetch !== "undefined" ? fetch : () => {
     throw new Error("fetch not available");
   });
@@ -1677,8 +1902,7 @@ AssetModel.upload = async (file, opts = {}) => {
   if (opts.calendarId != null && String(opts.calendarId).trim() !== "") {
     formData.append("calendar_id", String(opts.calendarId).trim());
   }
-  const headers = {};
-  if (cfg.consumer) headers.Consumer = cfg.consumer;
+  const headers = buildAuthHeaders();
   if (opts.consumer != null && String(opts.consumer).trim() !== "") {
     headers.Consumer = String(opts.consumer).trim();
   }
@@ -2720,6 +2944,7 @@ export {
   Company_default as CompanyModel,
   ConfigModel_default as ConfigModel,
   CustomField_default as CustomFieldModel,
+  DEFAULT_TOKEN_REFRESH_SKEW_MS,
   DayOfWeek,
   EmailProvider,
   Event_default as EventModel,
@@ -2734,12 +2959,25 @@ export {
   RecurringFrequency,
   RootStore,
   Setting_default as SettingModel,
+  TOKEN_PATH,
   TimeFrame_default as TimeFrameModel,
   TimeSlot_default as TimeSlotModel,
   Unit,
+  buildAuthHeaders,
+  clearAccessToken,
+  clearApiCredentials,
+  clearAuth,
   configure,
   createRootStore,
+  ensureValidAccessToken,
+  fetchAccessToken2 as fetchAccessToken,
+  getAuth,
   getConfig,
   getConfigStore,
-  setBaseUrl
+  isAccessTokenExpired,
+  requestAccessToken,
+  setAccessToken,
+  setApiCredentials,
+  setBaseUrl,
+  setConsumer
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blazeo.com/calendar-client",
-  "version": "1.0.24",
+  "version": "1.0.27",
   "description": "Blazeo Calendar / Appointment API client with MobX State Tree models",
   "exports": {
     ".": {