@blimu/backend 1.2.0 → 1.2.2

package/dist/index.mjs

@@ -5,7 +5,7 @@ var __export = (target, all) => {
 };
 
 // src/client.ts
-import { FetchClient as FetchClient10, FetchError } from "@blimu/fetch";
+import { FetchClient, FetchError } from "@blimu/fetch";
 import "@blimu/fetch";
 
 // src/auth-strategies.ts
@@ -22,11 +22,46 @@ function buildAuthStrategies(cfg) {
   return authStrategies;
 }
 
-// src/services/bulk_resources.ts
-import "@blimu/fetch";
-
-// src/schema.ts
-var schema_exports = {};
+// src/services/auth_jwks.ts
+var AuthJwksService = class {
+  constructor(core) {
+    this.core = core;
+  }
+  /**
+   * GET /v1/auth/.well-known/jwks.json*
+   * @summary Get JSON Web Key Set for environment (Public)*
+   * @description Returns the public keys used to verify JWT tokens issued by this environment. Authenticate using either x-api-key header (secretKey) or x-blimu-publishable-key header (publishableKey).*/
+  getJwks(init) {
+    return this.core.request({
+      method: "GET",
+      path: `/v1/auth/.well-known/jwks.json`,
+      ...init ?? {}
+    });
+  }
+  /**
+   * GET /v1/auth/.well-known/public-key.pem*
+   * @summary Get environment public key (PEM)*
+   * @description Returns the public key in PEM format for verifying JWT tokens. Authenticate with x-api-key or x-blimu-publishable-key.*/
+  getPublicKeyPem(init) {
+    return this.core.request({
+      method: "GET",
+      path: `/v1/auth/.well-known/public-key.pem`,
+      ...init ?? {}
+    });
+  }
+  /**
+   * GET /v1/auth/oauth/.well-known/jwks.json*
+   * @summary Get JSON Web Key Set for OAuth app (Public)*
+   * @description Returns the public key for a specific OAuth app to verify JWT tokens. This is a public endpoint following OAuth2/OIDC standards. Provide client_id to get keys for a specific OAuth app, or use authenticated endpoint for environment keys.*/
+  getOAuthAppJwks(query, init) {
+    return this.core.request({
+      method: "GET",
+      path: `/v1/auth/oauth/.well-known/jwks.json`,
+      query,
+      ...init ?? {}
+    });
+  }
+};
 
 // src/services/bulk_resources.ts
 var BulkResourcesService = class {
@@ -48,7 +83,6 @@ var BulkResourcesService = class {
 };
 
 // src/services/bulk_roles.ts
-import "@blimu/fetch";
 var BulkRolesService = class {
   constructor(core) {
     this.core = core;
@@ -68,7 +102,6 @@ var BulkRolesService = class {
 };
 
 // src/services/entitlements.ts
-import "@blimu/fetch";
 var EntitlementsService = class {
   constructor(core) {
     this.core = core;
@@ -111,8 +144,121 @@ var EntitlementsService = class {
   }
 };
 
+// src/services/oauth.ts
+var OauthService = class {
+  constructor(core) {
+    this.core = core;
+  }
+  /**
+   * GET /v1/oauth/authorize*
+   * @summary Check consent requirement*
+   * @description Checks if user consent is required for the OAuth2 app and requested scopes.*/
+  checkConsentRequired(query, init) {
+    return this.core.request({
+      method: "GET",
+      path: `/v1/oauth/authorize`,
+      query,
+      ...init ?? {}
+    });
+  }
+  /**
+   * POST /v1/oauth/authorize*
+   * @summary Authorize OAuth2 application*
+   * @description Handles user consent approval/denial. Validates auto_approved flag against consent requirements.*/
+  authorize(body, init) {
+    return this.core.request({
+      method: "POST",
+      path: `/v1/oauth/authorize`,
+      body,
+      ...init ?? {}
+    });
+  }
+  /**
+   * POST /v1/oauth/device/authorize*
+   * @summary Authorize or deny device code*
+   * @description Allows an authenticated user to authorize or deny a device code request. Requires valid user session.*/
+  authorizeDeviceCode(body, init) {
+    return this.core.request({
+      method: "POST",
+      path: `/v1/oauth/device/authorize`,
+      body,
+      ...init ?? {}
+    });
+  }
+  /**
+   * POST /v1/oauth/device/code*
+   * @summary Request device authorization codes*
+   * @description Initiates device authorization flow. Returns device_code (for polling) and user_code (for user entry).*/
+  requestDeviceCode(body, init) {
+    return this.core.request({
+      method: "POST",
+      path: `/v1/oauth/device/code`,
+      body,
+      ...init ?? {}
+    });
+  }
+  /**
+   * GET /v1/oauth/device/code/{user_code}*
+   * @summary Get device code information*
+   * @description Returns device code information including app name, scopes, and consent requirement status.*/
+  getDeviceCodeInfo(user_code, init) {
+    return this.core.request({
+      method: "GET",
+      path: `/v1/oauth/device/code/${encodeURIComponent(user_code)}`,
+      ...init ?? {}
+    });
+  }
+  /**
+   * POST /v1/oauth/device/token*
+   * @summary Poll for device authorization tokens*
+   * @description Client polls this endpoint to exchange device_code for tokens once user has authorized.*/
+  exchangeDeviceCode(body, init) {
+    return this.core.request({
+      method: "POST",
+      path: `/v1/oauth/device/token`,
+      body,
+      ...init ?? {}
+    });
+  }
+  /**
+   * POST /v1/oauth/introspect*
+   * @summary Introspect token*
+   * @description Validates a token and returns metadata. Requires client authentication.*/
+  introspect(body, init) {
+    return this.core.request({
+      method: "POST",
+      path: `/v1/oauth/introspect`,
+      body,
+      ...init ?? {}
+    });
+  }
+  /**
+   * POST /v1/oauth/revoke*
+   * @summary Revoke token*
+   * @description Revokes an access or refresh token. Requires client authentication.*/
+  revoke(body, init) {
+    return this.core.request({
+      method: "POST",
+      path: `/v1/oauth/revoke`,
+      body,
+      ...init ?? {}
+    });
+  }
+  /**
+   * POST /v1/oauth/token*
+   * @summary Token endpoint*
+   * @description Issues access and refresh tokens. Supports authorization_code and refresh_token (always available per OAuth2 spec).*/
+  token(body, init) {
+    return this.core.request({
+      method: "POST",
+      path: `/v1/oauth/token`,
+      body,
+      ...init ?? {}
+    });
+  }
+};
+
 // src/services/plans.ts
-import "@blimu/fetch";
 var PlansService = class {
   constructor(core) {
     this.core = core;
@@ -154,7 +300,6 @@ var PlansService = class {
 };
 
 // src/services/resource_members.ts
-import "@blimu/fetch";
 var ResourceMembersService = class {
   constructor(core) {
     this.core = core;
@@ -174,7 +319,6 @@ var ResourceMembersService = class {
 };
 
 // src/services/resources.ts
-import "@blimu/fetch";
 var ResourcesService = class {
   constructor(core) {
     this.core = core;
@@ -240,7 +384,6 @@ var ResourcesService = class {
 };
 
 // src/services/roles.ts
-import "@blimu/fetch";
 var RolesService = class {
   constructor(core) {
     this.core = core;
@@ -283,7 +426,6 @@ var RolesService = class {
 };
 
 // src/services/usage.ts
-import "@blimu/fetch";
 var UsageService = class {
   constructor(core) {
     this.core = core;
@@ -351,7 +493,6 @@ var UsageService = class {
 };
 
 // src/services/users.ts
-import "@blimu/fetch";
 var UsersService = class {
   constructor(core) {
     this.core = core;
@@ -429,9 +570,11 @@ var UsersService = class {
 
 // src/client.ts
 var Blimu = class {
+  authJwks;
   bulkResources;
   bulkRoles;
   entitlements;
+  oauth;
   plans;
   resourceMembers;
   resources;
@@ -442,14 +585,16 @@ var Blimu = class {
     const restCfg = { ...options ?? {} };
     delete restCfg.apiKey;
     const authStrategies = buildAuthStrategies(options ?? {});
-    const core = new FetchClient10({
+    const core = new FetchClient({
       ...restCfg,
       baseURL: options?.baseURL ?? "https://api.blimu.dev",
       ...authStrategies.length > 0 ? { authStrategies } : {}
     });
+    this.authJwks = new AuthJwksService(core);
     this.bulkResources = new BulkResourcesService(core);
     this.bulkRoles = new BulkRolesService(core);
     this.entitlements = new EntitlementsService(core);
+    this.oauth = new OauthService(core);
     this.plans = new PlansService(core);
     this.resourceMembers = new ResourceMembersService(core);
     this.resources = new ResourcesService(core);
@@ -490,19 +635,37 @@ function isNotUndefined(arr) {
   );
 }
 
+// src/schema.ts
+var schema_exports = {};
+
 // src/schema.zod.ts
 var schema_zod_exports = {};
 __export(schema_zod_exports, {
+  AuthJwksGetOAuthAppJwksQuerySchema: () => AuthJwksGetOAuthAppJwksQuerySchema,
+  AuthorizeRequestSchema: () => AuthorizeRequestSchema,
   BalanceResponseSchema: () => BalanceResponseSchema,
   CheckLimitResponseSchema: () => CheckLimitResponseSchema,
+  ConsentCheckResponseSchema: () => ConsentCheckResponseSchema,
+  DeviceAuthorizeRequestSchema: () => DeviceAuthorizeRequestSchema,
+  DeviceAuthorizeResponseSchema: () => DeviceAuthorizeResponseSchema,
+  DeviceCodeInfoResponseSchema: () => DeviceCodeInfoResponseSchema,
+  DeviceCodeRequestSchema: () => DeviceCodeRequestSchema,
+  DeviceCodeResponseSchema: () => DeviceCodeResponseSchema,
+  DeviceTokenRequestSchema: () => DeviceTokenRequestSchema,
   EntitlementCheckBodySchema: () => EntitlementCheckBodySchema,
   EntitlementCheckResultSchema: () => EntitlementCheckResultSchema,
+  EntitlementTypeSchema: () => EntitlementTypeSchema,
   EntitlementsListForResourceQuerySchema: () => EntitlementsListForResourceQuerySchema,
   EntitlementsListForTenantQuerySchema: () => EntitlementsListForTenantQuerySchema,
   EntitlementsListResultSchema: () => EntitlementsListResultSchema,
+  IntrospectionRequestSchema: () => IntrospectionRequestSchema,
+  IntrospectionResponseSchema: () => IntrospectionResponseSchema,
+  JWKSchema: () => JWKSchema,
+  OauthCheckConsentRequiredQuerySchema: () => OauthCheckConsentRequiredQuerySchema,
   PlanAssignBodySchema: () => PlanAssignBodySchema,
   PlanDeleteResponseSchema: () => PlanDeleteResponseSchema,
   PlanResponseSchema: () => PlanResponseSchema,
+  PlanTypeSchema: () => PlanTypeSchema,
   ResourceBulkCreateBodySchema: () => ResourceBulkCreateBodySchema,
   ResourceBulkResultSchema: () => ResourceBulkResultSchema,
   ResourceCreateBodySchema: () => ResourceCreateBodySchema,
@@ -510,20 +673,25 @@ __export(schema_zod_exports, {
   ResourceMemberListSchema: () => ResourceMemberListSchema,
   ResourceMembersListQuerySchema: () => ResourceMembersListQuerySchema,
   ResourceSchema: () => ResourceSchema,
+  ResourceTypeSchema: () => ResourceTypeSchema,
   ResourceUpdateBodySchema: () => ResourceUpdateBodySchema,
   ResourcesListQuerySchema: () => ResourcesListQuerySchema,
+  RevocationRequestSchema: () => RevocationRequestSchema,
   RoleBulkCreateBodySchema: () => RoleBulkCreateBodySchema,
   RoleBulkResultSchema: () => RoleBulkResultSchema,
   RoleCreateBodySchema: () => RoleCreateBodySchema,
   RoleListSchema: () => RoleListSchema,
   RoleSchema: () => RoleSchema,
   RolesListQuerySchema: () => RolesListQuerySchema,
+  TokenRequestSchema: () => TokenRequestSchema,
+  TokenResponseSchema: () => TokenResponseSchema,
   TransactionHistoryResponseSchema: () => TransactionHistoryResponseSchema,
   UsageCheckBodySchema: () => UsageCheckBodySchema,
   UsageConsumeBodySchema: () => UsageConsumeBodySchema,
   UsageCreditBodySchema: () => UsageCreditBodySchema,
   UsageGetBalanceQuerySchema: () => UsageGetBalanceQuerySchema,
   UsageGetTransactionHistoryQuerySchema: () => UsageGetTransactionHistoryQuerySchema,
+  UsageLimitTypeSchema: () => UsageLimitTypeSchema,
   UsageWalletResponseSchema: () => UsageWalletResponseSchema,
   UserCreateBodySchema: () => UserCreateBodySchema,
   UserListSchema: () => UserListSchema,
@@ -533,6 +701,32 @@ __export(schema_zod_exports, {
   UsersListQuerySchema: () => UsersListQuerySchema
 });
 import { z } from "zod";
+var EntitlementTypeSchema = z.string();
+var PlanTypeSchema = z.string();
+var ResourceTypeSchema = z.string();
+var UsageLimitTypeSchema = z.string();
+var AuthorizeRequestSchema = z.object({
+  /** Action to take: allow or deny */
+  action: z.enum(["allow", "deny"]),
+  /** True if consent was auto-approved (not required or previously granted) */
+  auto_approved: z.boolean().optional(),
+  /** OAuth2 client ID */
+  client_id: z.string(),
+  /** PKCE code challenge */
+  code_challenge: z.string().optional(),
+  /** PKCE code challenge method */
+  code_challenge_method: z.string().optional(),
+  /** Redirect URI */
+  redirect_uri: z.string(),
+  /** Response type (typically "code") */
+  response_type: z.string(),
+  /** Space-separated list of scopes */
+  scope: z.string().optional(),
+  /** State parameter for CSRF protection */
+  state: z.string().optional(),
+  /** True if user explicitly clicked Allow, false if auto-approved */
+  user_action: z.boolean().optional()
+});
 var BalanceResponseSchema = z.object({ balance: z.number() });
 var CheckLimitResponseSchema = z.object({
   allowed: z.boolean(),
@@ -540,9 +734,216 @@ var CheckLimitResponseSchema = z.object({
   remaining: z.number().optional(),
   requested: z.number()
 });
+var ConsentCheckResponseSchema = z.object({
+  /** Whether user consent is required */
+  consent_required: z.boolean(),
+  /** Whether consent was previously granted for this app and scopes */
+  previously_granted: z.boolean()
+});
+var DeviceAuthorizeRequestSchema = z.object({
+  /** Action to take: allow or deny */
+  action: z.enum(["allow", "deny"]),
+  /** True if consent was auto-approved (not required or previously granted) */
+  auto_approved: z.boolean().optional(),
+  /** True if user explicitly clicked Allow, false if auto-approved */
+  user_action: z.boolean().optional(),
+  /** The user code displayed to the user */
+  user_code: z.string()
+});
+var DeviceAuthorizeResponseSchema = z.object({
+  /** Whether the authorization was successful */
+  success: z.boolean()
+});
+var DeviceCodeInfoResponseSchema = z.object({
+  /** The name of the OAuth2 application */
+  appName: z.string(),
+  /** Whether the user has already granted consent for this app and scopes */
+  previouslyGranted: z.boolean(),
+  /** Whether the app requires user consent */
+  requireConsent: z.boolean(),
+  /** The scopes requested by the device code */
+  scopes: z.string().array()
+});
+var DeviceCodeRequestSchema = z.object({
+  /** OAuth2 client ID */
+  client_id: z.string(),
+  /** PKCE code challenge (base64url encoded SHA256 hash) */
+  code_challenge: z.string().optional(),
+  /** PKCE code challenge method */
+  code_challenge_method: z.enum(["S256", "plain"]).optional(),
+  /** Space-separated list of scopes */
+  scope: z.string().optional()
+});
+var DeviceCodeResponseSchema = z.object({
+  /** Device verification code (for polling) */
+  device_code: z.string(),
+  /** Device code expiration time in seconds */
+  expires_in: z.number(),
+  /** Minimum polling interval in seconds */
+  interval: z.number(),
+  /** User verification code (short, human-readable) */
+  user_code: z.string(),
+  /** Verification URI for user */
+  verification_uri: z.string(),
+  /** Complete verification URI with user code */
+  verification_uri_complete: z.string()
+});
+var DeviceTokenRequestSchema = z.object({
+  /** OAuth2 client ID */
+  client_id: z.string(),
+  /** PKCE code verifier (if challenge was provided) */
+  code_verifier: z.string().optional(),
+  /** Device code from authorization response */
+  device_code: z.string(),
+  /** Grant type (must be device_code) */
+  grant_type: z.enum([
+    "urn:ietf:params:oauth:grant-type:device_code"
+  ])
+});
+var IntrospectionRequestSchema = z.object({
+  /** The token to introspect */
+  token: z.string(),
+  /** Hint about token type */
+  token_type_hint: z.enum(["access_token", "refresh_token"]).optional()
+});
+var IntrospectionResponseSchema = z.object({
+  /** Whether the token is active */
+  active: z.boolean(),
+  /** Client ID */
+  client_id: z.string().optional(),
+  /** Environment ID */
+  environment_id: z.string().optional(),
+  /** Token expiration timestamp */
+  exp: z.number().optional(),
+  /** Token issued at timestamp */
+  iat: z.number().optional(),
+  /** Space-separated list of scopes */
+  scope: z.string().optional(),
+  /** Subject (user ID) */
+  sub: z.string().optional(),
+  /** Token type */
+  token_type: z.string().optional(),
+  /** Username or user ID */
+  username: z.string().optional()
+});
+var JWKSchema = z.object({
+  keys: z.object({
+    alg: z.string(),
+    e: z.string(),
+    kid: z.string(),
+    kty: z.string(),
+    n: z.string(),
+    use: z.string()
+  }).array()
+});
+var PlanDeleteResponseSchema = z.object({ success: z.boolean() });
+var ResourceMemberListSchema = z.object({
+  items: z.object({
+    inherited: z.boolean(),
+    role: z.string(),
+    user: z.object({
+      avatarUrl: z.string().nullable(),
+      createdAt: z.iso.datetime(),
+      email: z.email(),
+      emailVerified: z.boolean(),
+      firstName: z.string().nullable(),
+      id: z.string(),
+      lastLoginAt: z.iso.datetime().nullable(),
+      lastName: z.string().nullable(),
+      lookupKey: z.string().nullable(),
+      updatedAt: z.iso.datetime()
+    }),
+    userId: z.string()
+  }).array(),
+  limit: z.number(),
+  page: z.number(),
+  total: z.number()
+});
+var RevocationRequestSchema = z.object({
+  /** The token to revoke */
+  token: z.string(),
+  /** Hint about token type */
+  token_type_hint: z.enum(["access_token", "refresh_token"]).optional()
+});
+var TokenRequestSchema = z.object({
+  /** OAuth2 client ID */
+  client_id: z.string(),
+  /** OAuth2 client secret (required for confidential clients) */
+  client_secret: z.string().optional(),
+  /** Authorization code (required for authorization_code grant) */
+  code: z.string().optional(),
+  /** PKCE code verifier (if challenge was provided) */
+  code_verifier: z.string().optional(),
+  /** OAuth2 grant type */
+  grant_type: z.enum(["authorization_code", "refresh_token"]),
+  /** Redirect URI (required for authorization_code grant) */
+  redirect_uri: z.string().optional(),
+  /** Refresh token (required for refresh_token grant) */
+  refresh_token: z.string().optional(),
+  /** Space-separated list of scopes (optional for refresh) */
+  scope: z.string().optional()
+});
+var TokenResponseSchema = z.object({
+  /** Access token (JWT) */
+  access_token: z.string(),
+  /** Access token expiration time in seconds */
+  expires_in: z.number(),
+  /** Refresh token (for obtaining new access tokens) */
+  refresh_token: z.string(),
+  /** Space-separated list of granted scopes */
+  scope: z.string().optional(),
+  /** Token type */
+  token_type: z.string()
+});
+var UserSchema = z.object({
+  avatarUrl: z.string().nullable(),
+  createdAt: z.iso.datetime(),
+  email: z.email(),
+  emailVerified: z.boolean(),
+  firstName: z.string().nullable(),
+  id: z.string(),
+  lastLoginAt: z.iso.datetime().nullable(),
+  lastName: z.string().nullable(),
+  lookupKey: z.string().nullable(),
+  updatedAt: z.iso.datetime()
+});
+var UserCreateBodySchema = z.object({
+  avatarUrl: z.url().optional(),
+  email: z.email(),
+  firstName: z.string().nullable().optional(),
+  lastName: z.string().nullable().optional(),
+  lookupKey: z.string(),
+  newUser: z.boolean().nullable().optional(),
+  password: z.string().nullable().optional()
+});
+var UserListSchema = z.object({
+  items: z.object({
+    avatarUrl: z.string().nullable(),
+    createdAt: z.iso.datetime(),
+    email: z.email(),
+    emailVerified: z.boolean(),
+    firstName: z.string().nullable(),
+    id: z.string(),
+    lastLoginAt: z.iso.datetime().nullable(),
+    lastName: z.string().nullable(),
+    lookupKey: z.string().nullable(),
+    updatedAt: z.iso.datetime()
+  }).array(),
+  limit: z.number(),
+  page: z.number(),
+  total: z.number()
+});
+var UserUpdateBodySchema = z.object({
+  avatarUrl: z.url().nullable().optional(),
+  email: z.email().optional(),
+  firstName: z.string().nullable().optional(),
+  lastName: z.string().nullable().optional(),
+  lookupKey: z.string().optional(),
+  password: z.string().optional()
+});
 var EntitlementCheckBodySchema = z.object({
   amount: z.number().int().optional(),
-  entitlement: z.string(),
+  entitlement: EntitlementTypeSchema,
   resourceId: z.string(),
   userId: z.string()
 });
@@ -552,15 +953,15 @@ var EntitlementCheckResultSchema = z.object({
     allowed: z.boolean(),
     current: z.number().optional(),
     limit: z.number().optional(),
-    plan: z.string().nullable().optional(),
+    plan: PlanTypeSchema.optional(),
     reason: z.string().optional(),
     remaining: z.number().optional(),
     scope: z.string().optional()
   }).nullable().optional(),
   plans: z.object({
     allowed: z.boolean(),
-    allowedPlans: z.string().array().optional(),
-    plan: z.string().nullable().optional(),
+    allowedPlans: PlanTypeSchema.array().optional(),
+    plan: PlanTypeSchema.optional(),
     reason: z.string().optional()
   }).nullable().optional(),
   roles: z.object({
@@ -570,30 +971,29 @@ var EntitlementCheckResultSchema = z.object({
     userRoles: z.string().array().optional()
   }).nullable().optional()
 });
+var PlanAssignBodySchema = z.object({ planKey: PlanTypeSchema });
 var EntitlementsListResultSchema = z.object({
   results: z.object({
     entitlements: z.object({
       allowed: z.boolean(),
       allowedByPlan: z.boolean(),
       allowedByRole: z.boolean(),
-      allowedPlans: z.string().array().optional(),
+      allowedPlans: PlanTypeSchema.array().optional(),
       allowedRoles: z.string().array(),
-      currentPlan: z.string().optional(),
+      currentPlan: PlanTypeSchema.optional(),
       currentRole: z.string().optional(),
-      entitlement: z.string()
+      entitlement: EntitlementTypeSchema
     }).array(),
     resourceId: z.string(),
-    resourceType: z.string()
+    resourceType: ResourceTypeSchema
   }).array()
 });
-var PlanAssignBodySchema = z.object({ planKey: z.string() });
-var PlanDeleteResponseSchema = z.object({ success: z.boolean() });
 var PlanResponseSchema = z.object({
   createdAt: z.iso.datetime(),
   environmentId: z.string(),
-  planKey: z.string(),
+  planKey: PlanTypeSchema,
   resourceId: z.string(),
-  resourceType: z.string(),
+  resourceType: ResourceTypeSchema,
   updatedAt: z.iso.datetime()
 });
 var ResourceSchema = z.object({
@@ -602,9 +1002,9 @@ var ResourceSchema = z.object({
   name: z.string().nullable(),
   parents: z.object({
     id: z.string(),
-    type: z.string()
+    type: ResourceTypeSchema
   }).array().optional(),
-  type: z.string()
+  type: ResourceTypeSchema
 });
 var ResourceBulkCreateBodySchema = z.object({
   resources: z.object({
@@ -612,7 +1012,7 @@ var ResourceBulkCreateBodySchema = z.object({
     name: z.string().optional(),
     parents: z.object({
       id: z.string(),
-      type: z.string()
+      type: ResourceTypeSchema
     }).array().optional(),
     roles: z.object({
       role: z.string(),
@@ -624,7 +1024,7 @@ var ResourceBulkResultSchema = z.object({
   created: z.object({
     environmentId: z.string(),
     id: z.string(),
-    type: z.string()
+    type: ResourceTypeSchema
   }).array(),
   errors: z.object({
     error: z.string(),
@@ -634,7 +1034,7 @@ var ResourceBulkResultSchema = z.object({
       name: z.string().optional(),
       parents: z.object({
         id: z.string(),
-        type: z.string()
+        type: ResourceTypeSchema
       }).array().optional(),
       roles: z.object({
         role: z.string(),
@@ -654,55 +1054,33 @@ var ResourceCreateBodySchema = z.object({
   name: z.string().optional(),
   parents: z.object({
     id: z.string(),
-    type: z.string()
+    type: ResourceTypeSchema
   }).array().optional(),
   roles: z.object({
     role: z.string(),
     userId: z.string()
   }).array().optional()
 });
-var ResourceMemberListSchema = z.object({
-  items: z.object({
-    inherited: z.boolean(),
-    role: z.string(),
-    user: z.object({
-      avatarUrl: z.string().nullable(),
-      createdAt: z.iso.datetime(),
-      email: z.email(),
-      emailVerified: z.boolean(),
-      firstName: z.string().nullable(),
-      id: z.string(),
-      lastLoginAt: z.iso.datetime().nullable(),
-      lastName: z.string().nullable(),
-      lookupKey: z.string().nullable(),
-      updatedAt: z.iso.datetime()
-    }),
-    userId: z.string()
-  }).array(),
-  limit: z.number(),
-  page: z.number(),
-  total: z.number()
-});
 var ResourceUpdateBodySchema = z.object({
   name: z.string().optional(),
   /** Creates relationships with other resources. Parent resources must already exist. */
   parents: z.object({
     id: z.string(),
-    type: z.string()
+    type: ResourceTypeSchema
   }).array().optional()
 });
 var RoleSchema = z.object({
   createdAt: z.string(),
   environmentId: z.string(),
   resourceId: z.string(),
-  resourceType: z.string(),
+  resourceType: ResourceTypeSchema,
   role: z.string(),
   userId: z.string()
 });
 var RoleBulkCreateBodySchema = z.object({
   roles: z.object({
     resourceId: z.string(),
-    resourceType: z.string(),
+    resourceType: ResourceTypeSchema,
     role: z.string(),
     userId: z.string()
   }).array()
@@ -712,7 +1090,7 @@ var RoleBulkResultSchema = z.object({
     createdAt: z.string(),
     environmentId: z.string(),
     resourceId: z.string(),
-    resourceType: z.string(),
+    resourceType: ResourceTypeSchema,
     role: z.string(),
     userId: z.string()
   }).array(),
@@ -721,7 +1099,7 @@ var RoleBulkResultSchema = z.object({
     index: z.number(),
     role: z.object({
       resourceId: z.string(),
-      resourceType: z.string(),
+      resourceType: ResourceTypeSchema,
       role: z.string(),
       userId: z.string()
     })
@@ -735,7 +1113,7 @@ var RoleBulkResultSchema = z.object({
 });
 var RoleCreateBodySchema = z.object({
   resourceId: z.string(),
-  resourceType: z.string(),
+  resourceType: ResourceTypeSchema,
   role: z.string()
 });
 var RoleListSchema = z.object({
@@ -745,43 +1123,58 @@ var RoleListSchema = z.object({
     createdAt: z.string(),
     environmentId: z.string(),
     resourceId: z.string(),
-    resourceType: z.string(),
+    resourceType: ResourceTypeSchema,
     role: z.string(),
     userId: z.string()
   }).array(),
   total: z.number()
 });
+var UserResourceListSchema = z.array(
+  z.object({
+    inherited: z.boolean(),
+    resource: z.object({
+      id: z.string(),
+      name: z.string(),
+      parents: z.object({
+        id: z.string(),
+        type: ResourceTypeSchema
+      }).array(),
+      type: ResourceTypeSchema
+    }).catchall(z.unknown()),
+    role: z.string()
+  })
+);
 var TransactionHistoryResponseSchema = z.object({
   items: z.object({
     amount: z.number().int(),
     createdAt: z.iso.datetime(),
     environmentId: z.string(),
     id: z.string(),
-    limitType: z.string(),
+    limitType: UsageLimitTypeSchema,
     resourceId: z.string(),
-    resourceType: z.string(),
+    resourceType: ResourceTypeSchema,
     tags: z.record(z.string(), z.unknown()).nullable()
   }).array()
 });
 var UsageCheckBodySchema = z.object({
   amount: z.number().int(),
-  limitType: z.string(),
+  limitType: UsageLimitTypeSchema,
   period: z.enum(["monthly", "yearly", "lifetime"]),
   resourceId: z.string(),
-  resourceType: z.string()
+  resourceType: ResourceTypeSchema
 });
 var UsageConsumeBodySchema = z.object({
   amount: z.number().int(),
-  limitType: z.string(),
+  limitType: UsageLimitTypeSchema,
   resourceId: z.string(),
-  resourceType: z.string(),
+  resourceType: ResourceTypeSchema,
   tags: z.record(z.string(), z.unknown()).optional()
 });
 var UsageCreditBodySchema = z.object({
   amount: z.number().int(),
-  limitType: z.string(),
+  limitType: UsageLimitTypeSchema,
   resourceId: z.string(),
-  resourceType: z.string(),
+  resourceType: ResourceTypeSchema,
   tags: z.record(z.string(), z.unknown()).optional()
 });
 var UsageWalletResponseSchema = z.object({
@@ -789,78 +1182,21 @@ var UsageWalletResponseSchema = z.object({
   createdAt: z.iso.datetime(),
   environmentId: z.string(),
   id: z.string(),
-  limitType: z.string(),
+  limitType: UsageLimitTypeSchema,
   resourceId: z.string(),
-  resourceType: z.string(),
+  resourceType: ResourceTypeSchema,
   tags: z.record(z.string(), z.unknown()).nullable()
 });
-var UserSchema = z.object({
-  avatarUrl: z.string().nullable(),
-  createdAt: z.iso.datetime(),
-  email: z.email(),
-  emailVerified: z.boolean(),
-  firstName: z.string().nullable(),
-  id: z.string(),
-  lastLoginAt: z.iso.datetime().nullable(),
-  lastName: z.string().nullable(),
-  lookupKey: z.string().nullable(),
-  updatedAt: z.iso.datetime()
-});
-var UserCreateBodySchema = z.object({
-  avatarUrl: z.url().optional(),
-  email: z.email(),
-  firstName: z.string().nullable().optional(),
-  lastName: z.string().nullable().optional(),
-  lookupKey: z.string(),
-  newUser: z.boolean().nullable().optional(),
-  password: z.string().nullable().optional()
-});
-var UserListSchema = z.object({
-  items: z.object({
-    avatarUrl: z.string().nullable(),
-    createdAt: z.iso.datetime(),
-    email: z.email(),
-    emailVerified: z.boolean(),
-    firstName: z.string().nullable(),
-    id: z.string(),
-    lastLoginAt: z.iso.datetime().nullable(),
-    lastName: z.string().nullable(),
-    lookupKey: z.string().nullable(),
-    updatedAt: z.iso.datetime()
-  }).array(),
-  limit: z.number(),
-  page: z.number(),
-  total: z.number()
-});
-var UserResourceListSchema = z.array(
-  z.object({
-    inherited: z.boolean(),
-    resource: z.object({
-      id: z.string(),
-      name: z.string(),
-      parents: z.object({
-        id: z.string(),
-        type: z.string()
-      }).array(),
-      type: z.string()
-    }).catchall(z.unknown()),
-    role: z.string()
-  })
-);
-var UserUpdateBodySchema = z.object({
-  avatarUrl: z.url().nullable().optional(),
-  email: z.email().optional(),
-  firstName: z.string().nullable().optional(),
-  lastName: z.string().nullable().optional(),
-  lookupKey: z.string().optional(),
-  password: z.string().optional()
-});
 var ResourceListSchema = z.object({
   items: ResourceSchema.array(),
   limit: z.number(),
   page: z.number(),
   total: z.number()
 });
+var AuthJwksGetOAuthAppJwksQuerySchema = z.object({
+  /** OAuth app client ID to get public keys for */
+  client_id: z.string().optional()
+});
 var EntitlementsListForResourceQuerySchema = z.object({
   /** The unique identifier of the user */
   userId: z.string()
@@ -869,6 +1205,14 @@ var EntitlementsListForTenantQuerySchema = z.object({
   /** The unique identifier of the user */
   userId: z.string()
 });
+var OauthCheckConsentRequiredQuerySchema = z.object({
+  /** OAuth2 client ID */
+  client_id: z.string(),
+  /** Redirect URI */
+  redirect_uri: z.string().optional(),
+  /** Space-separated list of scopes */
+  scope: z.string().optional()
+});
 var ResourceMembersListQuerySchema = z.object({
   /** Number of items per page (minimum: 1, maximum: 100) */
   limit: z.number().optional(),
@@ -893,7 +1237,7 @@ var RolesListQuerySchema = z.object({
   /** Filter roles by specific resource ID */
   resourceId: z.string().optional(),
   /** Filter roles by resource type */
-  resourceType: z.string().optional(),
+  resourceType: ResourceTypeSchema.optional(),
   /** Filter by role name */
   role: z.string().optional()
 });
@@ -921,40 +1265,14 @@ var UsersListQuerySchema = z.object({
 // src/token-verifier.ts
 import * as crypto from "crypto";
 import * as jwt from "jsonwebtoken";
+import { FetchClient as FetchClient2 } from "@blimu/fetch";
 var TokenVerifier = class {
   cache = /* @__PURE__ */ new Map();
   cacheTTL;
-  runtimeApiUrl;
+  baseURL;
   constructor(options) {
     this.cacheTTL = options?.cacheTTL ?? 60 * 60 * 1e3;
-    this.runtimeApiUrl = options?.runtimeApiUrl ?? "https://api.blimu.dev";
-  }
-  /**
-   * Fetch JWK Set from runtime-api
-   */
-  async fetchJWKSet(endpoint, headers) {
-    console.log(`[TokenVerifier] \u{1F4E1} Fetching JWK Set from: ${endpoint}`);
-    if (headers) {
-      console.log(
-        `[TokenVerifier] \u{1F4E1} Request headers: ${JSON.stringify(Object.keys(headers).map((k) => `${k}: ${k === "x-api-key" ? "***" : headers[k]}`))}`
-      );
-    }
-    const response = await fetch(endpoint, {
-      method: "GET",
-      headers: {
-        "Content-Type": "application/json",
-        ...headers
-      }
-    });
-    console.log(`[TokenVerifier] \u{1F4E1} Response status: ${response.status} ${response.statusText}`);
-    if (!response.ok) {
-      const errorText = await response.text();
-      console.error(`[TokenVerifier] \u274C Failed to fetch JWKs: ${response.status} ${errorText}`);
-      throw new FetchError("Failed to fetch JWKs", response.status, errorText);
-    }
-    const jwkSet = await response.json();
-    console.log(`[TokenVerifier] \u2705 Successfully fetched JWK Set with ${jwkSet.keys.length} keys`);
-    return jwkSet;
+    this.baseURL = options?.runtimeApiUrl ?? "https://api.blimu.dev";
   }
   /**
    * Convert JWK to KeyObject
@@ -973,25 +1291,19 @@ var TokenVerifier = class {
   /**
    * Get public key for a specific key ID
    */
-  async getPublicKey(kid, cacheKey, endpoint, headers) {
+  async getPublicKey(kid, cacheKey, fetchJwks) {
     const cached = this.cache.get(cacheKey);
     if (cached && cached.expiresAt > Date.now()) {
-      console.log(`[TokenVerifier] \u2705 Using cached key for kid: ${kid}`);
       return cached.key;
     }
-    console.log(`[TokenVerifier] \u{1F50D} Cache miss or expired. Fetching new key for kid: ${kid}`);
-    const jwkSet = await this.fetchJWKSet(endpoint, headers);
+    const jwkSet = await fetchJwks();
     const jwk = jwkSet.keys.find((k) => k.kid === kid);
     if (!jwk) {
       const availableKids = jwkSet.keys.map((k) => k.kid).join(", ");
-      console.error(
-        `[TokenVerifier] \u274C Key with kid '${kid}' not found in JWK Set. Available kids: ${availableKids}`
-      );
       throw new Error(
         `Key with kid '${kid}' not found in JWK Set. Available kids: ${availableKids}`
       );
     }
-    console.log(`[TokenVerifier] \u2705 Found key with kid: ${kid}`);
     const keyObject = this.jwkToKeyObject(jwk);
     this.cache.set(cacheKey, {
       key: keyObject,
@@ -1001,15 +1313,16 @@ var TokenVerifier = class {
     return keyObject;
   }
   /**
-   * Verify JWT token using JWKs from runtime-api
+   * Verify JWT token using JWKs from Blimu runtime API.
+   * Supports: environment/session tokens (secretKey) or OAuth app tokens (clientId).
    */
   async verifyToken(options) {
-    const { url, secretKey, token, runtimeApiUrl } = options;
-    if (!url && !secretKey) {
-      throw new Error("Either url or secretKey must be provided");
-    }
-    if (url && secretKey) {
-      throw new Error("Cannot provide both url and secretKey");
+    const { secretKey, clientId, token, runtimeApiUrl } = options;
+    const provided = [secretKey, clientId].filter(Boolean);
+    if (provided.length !== 1) {
+      throw new Error(
+        "Exactly one of secretKey or clientId must be provided. Use secretKey for environment/session tokens, clientId for OAuth app access tokens."
+      );
     }
     const decoded = jwt.decode(token, { complete: true });
     if (!decoded || typeof decoded === "string") {
@@ -1019,67 +1332,38 @@ var TokenVerifier = class {
     if (!header.kid) {
       throw new Error("Token missing kid in header");
     }
-    let endpoint;
+    const baseURL = runtimeApiUrl ?? this.baseURL;
     let cacheKey;
-    let headers;
+    let fetchJwks;
     if (secretKey) {
-      const apiUrl = runtimeApiUrl ?? this.runtimeApiUrl;
-      endpoint = `${apiUrl}/v1/auth/.well-known/jwks.json`;
       cacheKey = secretKey;
-      headers = {
-        "x-api-key": secretKey
-      };
-      console.log(
-        `[TokenVerifier] \u{1F50D} Verifying token with kid: ${header.kid}, endpoint: ${endpoint}`
-      );
+      const core = new FetchClient2({
+        baseURL,
+        authStrategies: buildAuthStrategies({ apiKey: secretKey, baseURL })
+      });
+      const authJwks = new AuthJwksService(core);
+      fetchJwks = () => authJwks.getJwks();
     } else {
-      endpoint = url;
-      cacheKey = url;
-      console.log(
-        `[TokenVerifier] \u{1F50D} Verifying token with kid: ${header.kid}, endpoint: ${endpoint}`
-      );
+      cacheKey = `oauth:${clientId}`;
+      const core = new FetchClient2({ baseURL });
+      const authJwks = new AuthJwksService(core);
+      fetchJwks = () => authJwks.getOAuthAppJwks({ client_id: clientId });
     }
     let publicKey;
     try {
-      publicKey = await this.getPublicKey(header.kid, cacheKey, endpoint, headers);
-      console.log(`[TokenVerifier] \u2705 Successfully retrieved public key for kid: ${header.kid}`);
-    } catch (error) {
-      console.error(
-        `[TokenVerifier] \u274C Failed to get public key (first attempt): ${error instanceof Error ? error.message : String(error)}`
-      );
+      publicKey = await this.getPublicKey(header.kid, cacheKey, fetchJwks);
+    } catch {
       this.clearCache(cacheKey);
-      console.log(`[TokenVerifier] \u{1F504} Retrying after cache clear...`);
-      try {
-        publicKey = await this.getPublicKey(header.kid, cacheKey, endpoint, headers);
-        console.log(
-          `[TokenVerifier] \u2705 Successfully retrieved public key for kid: ${header.kid} (retry)`
-        );
-      } catch (retryError) {
-        console.error(
-          `[TokenVerifier] \u274C Failed to get public key (retry): ${retryError instanceof Error ? retryError.message : String(retryError)}`
-        );
-        throw retryError;
-      }
-    }
-    try {
-      const payload = jwt.verify(token, publicKey, {
-        algorithms: ["RS256"]
-      });
-      console.log(`[TokenVerifier] \u2705 Token verified successfully`);
-      return payload;
-    } catch (error) {
-      console.error(
-        `[TokenVerifier] \u274C JWT verification failed: ${error instanceof Error ? error.message : String(error)}`
-      );
-      throw error;
+      publicKey = await this.getPublicKey(header.kid, cacheKey, fetchJwks);
     }
+    return jwt.verify(token, publicKey, { algorithms: ["RS256"] });
   }
   /**
    * Clear cache (useful for testing or key rotation)
    */
-  clearCache(secretKeyOrUrl) {
-    if (secretKeyOrUrl) {
-      this.cache.delete(secretKeyOrUrl);
+  clearCache(cacheKey) {
+    if (cacheKey) {
+      this.cache.delete(cacheKey);
     } else {
       this.cache.clear();
     }
@@ -1089,7 +1373,14 @@ async function verifyToken(options) {
   const verifier = new TokenVerifier();
   return verifier.verifyToken(options);
 }
+async function verifyOAuthToken(options) {
+  return verifyToken({
+    ...options,
+    clientId: options.clientId
+  });
+}
 export {
+  AuthJwksService,
   Blimu,
   BlimuError,
   BulkResourcesService,
@@ -1110,6 +1401,7 @@ export {
   paginate,
   parseNDJSONStream,
   parseSSEStream,
+  verifyOAuthToken,
   verifyToken
 };
 //# sourceMappingURL=index.mjs.map