@centrali-io/centrali-sdk 6.6.0 → 6.8.0

package/dist/index.d.ts

@@ -285,6 +285,11 @@ declare function getAllowedDomainsApiPath(workspaceId: string, domainId?: string
  * Generate Webhook Subscriptions API URL PATH.
  */
 declare function getWebhookSubscriptionsApiPath(workspaceId: string, subscriptionId?: string): string;
+/**
+ * Generate the payload-versions API URL PATH. Lists the outbound payload
+ * versions a subscription can be pinned to.
+ */
+declare function getWebhookPayloadVersionsApiPath(workspaceId: string): string;
 /**
  * Generate rotate-secret API URL PATH for a webhook subscription.
  */
@@ -2339,6 +2344,8 @@ interface FunctionRun {
     triggerType?: string | null;
     orchestrationRunId?: string | null;
     orchestrationStepId?: string | null;
+    /** Inbound durable buffer link (CEN-1297) — set for buffered webhook-trigger runs. */
+    inboundEventId?: string | null;
     originalRunId?: string | null;
     isRerun: boolean;
     rerunCount: number;
@@ -2693,6 +2700,20 @@ interface WebhookSubscription {
      * undefined on subsequent reads so it is safe to pass subscriptions around.
      */
     secret?: string;
+    /**
+     * Outbound payload version this subscription receives — a date-string
+     * (`YYYY-MM`). Deliveries are projected into the shape this version
+     * describes. Frozen at creation; change it to upgrade to a newer shape.
+     */
+    payloadVersion: string;
+    /**
+     * Opaque builder-supplied tenant identifier. Carried onto outbound
+     * delivery rows by the platform so embeds and tenant-scoped views can
+     * filter to a single customer without leaking cross-tenant events.
+     * Centrali never parses or interprets this value — it's the builder's
+     * own customer/account/workspace id, whatever shape that takes.
+     */
+    tenantId?: string | null;
     workspaceSlug: string;
     createdAt?: string;
     updatedAt?: string;
@@ -2716,6 +2737,8 @@ interface WebhookDelivery {
     responseBody?: string | null;
     /** Delivery ID the row was replayed from, or null for original deliveries. */
     replayedFrom?: string | null;
+    /** Outbound payload version this delivery was projected into and served with. */
+    payloadVersion: string;
     createdAt: string;
     updatedAt: string;
 }
@@ -2732,6 +2755,19 @@ interface CreateWebhookSubscriptionInput {
     /** Optional — restrict to a subset of collections. Omit for all collections. */
     recordSlugs?: string[];
     active?: boolean;
+    /**
+     * Optional outbound payload version to pin the subscription to. Omit to
+     * freeze to the latest version at creation time. Must be a value returned
+     * by `getPayloadVersions()`.
+     */
+    payloadVersion?: string;
+    /**
+     * Optional opaque tenant identifier — typically the builder's own
+     * customer or account id. Surfaces on every delivery the subscription
+     * produces so tenant-scoped views (e.g. an embedded Event Log) can
+     * filter to one customer.
+     */
+    tenantId?: string | null;
 }
 interface UpdateWebhookSubscriptionInput {
     name?: string;
@@ -2744,6 +2780,26 @@ interface UpdateWebhookSubscriptionInput {
      */
     recordSlugs?: string[];
     active?: boolean;
+    /**
+     * Upgrade (or downgrade) the outbound payload version. Must be a value
+     * returned by `getPayloadVersions()`. Omit to leave the version unchanged.
+     */
+    payloadVersion?: string;
+    /**
+     * Update the opaque tenant identifier. Pass `null` to clear it; omit to
+     * leave it unchanged. Past deliveries are not retroactively rewritten —
+     * the new value applies to deliveries created after the update.
+     */
+    tenantId?: string | null;
+}
+/**
+ * Outbound payload versions a subscription can be pinned to. Returned by
+ * `getPayloadVersions()`. `versions` is oldest-first; `latest` is what a
+ * subscription created without an explicit version is frozen to.
+ */
+interface WebhookPayloadVersions {
+    versions: string[];
+    latest: string;
 }
 interface ListWebhookDeliveriesOptions {
     status?: WebhookDeliveryStatus;
@@ -2802,6 +2858,66 @@ interface AddAllowedDomainOptions {
     domain: string;
 }
 
+/**
+ * Types for the Event Log embed surface (CEN-1301).
+ *
+ * Mirrors the request/response shapes defined by IAM at
+ * services/backend/iam/src/controllers/embedTokenController.ts.
+ * Keep field names in sync with that controller's Zod schemas.
+ */
+/**
+ * Capabilities that can be encoded into an embed token.
+ *
+ * - `events:read` — list + retrieve event-log rows for the tenant.
+ *   IAM unconditionally injects this on every minted token, so omitting
+ *   `capabilities` is equivalent to `['events:read']`.
+ * - `events:replay` — allow the iframe to replay a failed delivery. The
+ *   issuing service account must also hold `webhook-subscriptions:replay`.
+ */
+type EmbedCapability = 'events:read' | 'events:replay';
+interface IssueEmbedTokenInput {
+    /**
+     * Tenant id the embed is allowed to read. Burned into the token claim;
+     * the data-service auto-injects this as a filter on every query the
+     * iframe makes. Centrali never interprets the bytes — treat it as
+     * opaque (1-255 chars).
+     */
+    tenantId: string;
+    /**
+     * Defaults to `['events:read']`. Pass `['events:read', 'events:replay']`
+     * to allow the iframe's "Replay" action. The issuing service account
+     * must already hold the corresponding capability.
+     */
+    capabilities?: EmbedCapability[];
+    /**
+     * Optional cohort id. Useful if you want to revoke every token issued
+     * for one of your end-users on logout — mint each with the same
+     * `sessionId`, then call `revokeSession({ sessionId })` later. Server
+     * mints a random one if omitted (returned in the response).
+     */
+    sessionId?: string;
+    /**
+     * Token TTL in seconds. Defaults to 600 (10 min). Capped at 3600 (1h)
+     * server-side; out-of-range values 400.
+     */
+    ttlSeconds?: number;
+}
+interface IssueEmbedTokenResult {
+    /** `ev_…` JWT for the iframe's URL fragment. */
+    token: string;
+    /** Echo of the input sessionId, or the server-minted one if omitted. */
+    sessionId: string;
+    /** ISO-8601 timestamp at which the token's `exp` claim fires. */
+    expiresAt: string;
+}
+interface RevokeEmbedSessionInput {
+    sessionId: string;
+}
+interface RevokeEmbedSessionResult {
+    sessionId: string;
+    revokedAt: string;
+}
+
 /**
  * Internal configuration for realtime connections.
  */
@@ -5112,6 +5228,102 @@ declare class WebhookSubscriptionsManager {
      * capture it before closing the response.
      */
     rotateSecret(subscriptionId: string): Promise<ApiResponse<WebhookSubscription>>;
+    /**
+     * List the outbound payload versions a subscription can be pinned to via
+     * `create`/`update`'s `payloadVersion`. Each version selects the shape its
+     * deliveries are projected into; subscribers upgrade on their own timeline.
+     *
+     * @example
+     * ```ts
+     * const { data } = await centrali.webhookSubscriptions.getPayloadVersions();
+     * console.log('Latest payload version:', data.latest);
+     * ```
+     */
+    getPayloadVersions(): Promise<ApiResponse<WebhookPayloadVersions>>;
+}
+
+/**
+ * Embed manager — server-side helpers for the white-label Event Log iframe
+ * (`embed.centrali.io/v1/event-log`, CEN-1301).
+ *
+ * Why this lives outside the main axios instance:
+ *   The shared client mints workspace JWTs with `resource=<data-service>`,
+ *   so its `aud` claim is the data plane. IAM's embed issuance endpoint
+ *   explicitly rejects data-audienced tokens (`audience_mismatch`) — see
+ *   services/backend/iam/src/controllers/embedTokenController.ts. This
+ *   manager keeps its own axios instance pointed at the IAM host and its
+ *   own cached IAM-audienced workspace JWT, minted via
+ *   `fetchIamAudiencedToken`.
+ *
+ * Confidential credentials only: IAM also rejects publishable keys and
+ * service-account dev tokens. The manager throws up front if the SDK was
+ * constructed without `clientId` + `clientSecret`.
+ */
+
+interface EmbedManagerOptions {
+    baseUrl: string;
+    workspaceId: string;
+    clientId?: string;
+    clientSecret?: string;
+    /**
+     * Pass-through of the SDK's `axiosConfig` (custom CA, agent, timeouts,
+     * etc.). The manager always disables HTTP_PROXY/HTTPS_PROXY env vars
+     * to match the main client + token mint, but caller-supplied fields
+     * are merged on top — including an explicit `proxy` override.
+     */
+    axiosConfig?: AxiosRequestConfig;
+}
+/**
+ * Server-side helpers for the Event Log embed iframe. Access via
+ * `client.embed.eventLog`.
+ *
+ * @example
+ * ```ts
+ * const { token, sessionId, expiresAt } = await client.embed.eventLog.issueToken({
+ *   tenantId: customerOrgId,
+ *   capabilities: ['events:read', 'events:replay'],
+ *   ttlSeconds: 900,
+ * });
+ *
+ * // Render in your frontend:
+ * // <iframe src={`https://embed.centrali.io/v1/event-log#token=${token}&o=${origin}`} />
+ *
+ * // On user logout:
+ * await client.embed.eventLog.revokeSession({ sessionId });
+ * ```
+ */
+declare class EmbedManager {
+    private readonly _eventLog;
+    constructor(opts: EmbedManagerOptions);
+    get eventLog(): EventLogEmbed;
+}
+declare class EventLogEmbed {
+    private readonly baseUrl;
+    private readonly workspaceId;
+    private readonly clientId?;
+    private readonly clientSecret?;
+    private readonly axios;
+    /**
+     * Cached IAM-audienced workspace JWT. Reused across calls; refreshed
+     * lazily on 401 (which is what IAM returns when `exp` fires).
+     */
+    private iamToken;
+    private inflightTokenMint;
+    constructor(opts: EmbedManagerOptions);
+    /**
+     * Mint a short-lived `ev_…` embed token. Hand the result to your
+     * frontend and drop it into the iframe URL fragment as `#token=…&o=…`.
+     */
+    issueToken(input: IssueEmbedTokenInput): Promise<IssueEmbedTokenResult>;
+    /**
+     * Revoke an embed session (typically tied to your user's logout).
+     * Every embed token carrying this `sessionId` is rejected by
+     * data-service until the entry expires (max token TTL).
+     */
+    revokeSession(input: RevokeEmbedSessionInput): Promise<RevokeEmbedSessionResult>;
+    private serializeIssueBody;
+    private postWithIamToken;
+    private getIamToken;
 }
 
 /** Mirror of `@centrali/query`'s `ValidateOptions`. */
@@ -5237,6 +5449,7 @@ declare class CentraliSDK {
     private _files;
     private _webhookSubscriptions;
     private _query;
+    private _embed;
     private isRefreshingToken;
     private tokenRefreshPromise;
     constructor(options: CentraliSDKOptions);
@@ -5674,6 +5887,17 @@ declare class CentraliSDK {
      * ```
      */
     get webhookSubscriptions(): WebhookSubscriptionsManager;
+    /**
+     * Server-side helpers for the white-label Event Log embed
+     * (CEN-1301 — see `embed.centrali.io/v1/event-log`). Use to mint
+     * short-lived tokens that scope the iframe to one of your end-user
+     * tenants, and to revoke them on logout.
+     *
+     * Requires the SDK to be constructed with `clientId` + `clientSecret`
+     * (service-account client credentials). Publishable keys and
+     * supplied bearer tokens are rejected by IAM for this surface.
+     */
+    get embed(): EmbedManager;
     /**
      * Manually set or update the bearer token for subsequent requests.
      */
@@ -6058,4 +6282,4 @@ declare class CentraliSDK {
     checkAuthorization(options: CheckAuthorizationOptions): Promise<ApiResponse<AuthorizationResult>>;
 }
 
-export { type AcceptSuggestionResult, type AddAllowedDomainOptions, type AllowedDomain, type AllowedDomainsListResponse, AllowedDomainsManager, type AnomalyAnalysisResult, type AnomalyDetectionData, type AnomalyEventType, type AnomalyInsight, type AnomalyInsightData, AnomalyInsightsManager, type ApiResponse, type ArrayPropertyDefinition, AuditLogManager, type AuthorizationResult, type BasePropertyDefinition, type BatchScanResult, type BatchScanStatus, type BooleanPropertyDefinition, type BulkOperationResult, CANONICAL_OPERATORS, type CanonicalOperator, CentraliError, CentraliSDK, type CentraliSDKOptions, type CheckAuthorizationOptions, CollectionsManager, type ComputeEventType, type ComputeFunction, ComputeFunctionsManager, type ComputeJobStatus, type ComputeJobStatusResponse, type ConditionOperator, type CreateComputeFunctionInput, type CreateOrchestrationInput, type CreateSmartQueryInput, type CreateStructureInput, type CreateTriggerInput, type CreateWebhookSubscriptionInput, type DateTimePropertyDefinition, type DateWindowOption, type DeleteRecordOptions, type EndpointResponse, type ExecuteSavedQueryValues, type ExecuteSmartQueryOptions, type ExpandOptions, type FieldCondition, type FieldConditionMap, type FileMetadata, FilesManager, type FilterOperators, type FilterValue, type FunctionMemoryUsage, type FunctionRun, type FunctionRunError, type FunctionRunExecutionSource, type FunctionRunStatus, FunctionRunsManager, type FunctionTrigger, type GetRecordOptions, type IncludeClause, type InsightSeverity, type InsightStatus, type InsightType, type InsightsSummary, type InvokeEndpointOptions, type InvokeTriggerOptions, JOINS_MAX_LENGTH, type JoinClause, type JoinType, type LegacyTranslateOptions, type LegacyTranslateResult, type LegacyTranslateWarning, type ListAllTriggersOptions, type ListCollectionsOptions, type ListComputeFunctionsOptions, type ListFunctionRunsOptions, type ListInsightsOptions, type ListOrchestrationRunsOptions, type ListOrchestrationsOptions, type ListSmartQueryOptions, type ListStructuresOptions, type ListValidationSuggestionsOptions, type ListWebhookDeliveriesOptions, type NumberPropertyDefinition, OPERATOR_METADATA, type ObjectPropertyDefinition, type OperatorMeta, type OperatorTypeApplicability, type OperatorValueShape, type Orchestration, type OrchestrationCaseEvaluation, type OrchestrationCondition, type OrchestrationConditionEvaluation, type OrchestrationDecisionCase, type OrchestrationDecisionResult, type OrchestrationDelayConfig, type OrchestrationEventType, type OrchestrationFailureReason, type OrchestrationOnFailure, type OrchestrationOnSuccess, type OrchestrationRetryConfig, type OrchestrationRun, type OrchestrationRunStatus, type OrchestrationRunStep, OrchestrationRunsManager, type OrchestrationScheduleType, type OrchestrationStatus, type OrchestrationStep, type OrchestrationStepError, type OrchestrationStepStatus, type OrchestrationStepType, type OrchestrationTrigger, type OrchestrationTriggerMetadata, type OrchestrationTriggerType, OrchestrationsManager, type PageClause, type PaginatedResponse, type ParsedUrlQuery, type PropertyDefinition, type PropertyType, type QueryDefinition, type QueryError, type QueryErrorCode, type QueryExecutionMode, type QueryHttpError, type QueryHttpErrorCode, QueryManager, type QueryRecordOptions, type QueryResult, type QueryResultMeta, type QueryValidateOptions, type QueryVariableDefinition, RECORDS_PAGE_DEFAULT_LIMIT, RECORDS_PAGE_MAX_LIMIT, type RealtimeAnomalyDetectionEvent, type RealtimeAnomalyInsightEvent, type RealtimeCloseEvent, type RealtimeError, type RealtimeEvent, type RealtimeEventType, type RealtimeFunctionRunEvent, RealtimeManager, type RealtimeOrchestrationRunEvent, type RealtimeRecordEvent, type RealtimeSubscribeOptions, type RealtimeSubscription, type RealtimeValidationBatchEvent, type RealtimeValidationSuggestionEvent, type RecordEventType, RecordEvents, type RecordTtlOptions, RecordsManager, type ReferencePropertyDefinition, type ResourceCategory, type SavedQueryDefinition, type SavedQueryScalarBinding, type ScalarValue, type SchemaDiscoveryMode, type SearchHit, type SearchOptions, type SearchResponse, type SelectClause, SmartQueriesManager, type SmartQuery, type SmartQueryDefinition, type SmartQueryExecuteResult, type SmartQueryFieldCondition, type SmartQueryJoin, type SmartQuerySort, type SmartQueryWhereClause, type SortClause, type StepEncryptedParam, type StringPropertyDefinition, type Structure, StructuresManager, type TestComputeFunctionInput, type TestComputeFunctionResult, type TestSmartQueryInput, type TextSearchClause, type TriggerExecutionType, type TriggerHealthMetrics, type TriggerHealthStatus, type TriggerInvokeResponse, type TriggerOrchestrationRunOptions, type TriggerScanOptions, type TriggerWithHealth, TriggersManager, type UpdateComputeFunctionInput, type UpdateOrchestrationInput, type UpdateSmartQueryInput, type UpdateStructureInput, type UpdateTriggerInput, type UpdateWebhookSubscriptionInput, type UrlParserOptions, type ValidateStructureInput, type ValidationBatchData, type ValidationEventType, type ValidationIssueType, ValidationManager, type ValidationResult, type ValidationSuggestion, type ValidationSuggestionData, type ValidationSuggestionStatus, type ValidationSummary, type VariableType, type WaitForScanOptions, type WebhookCancelResponse, type WebhookDeliveriesListMeta, type WebhookDelivery, type WebhookDeliveryStatus, type WebhookDeliverySummary, type WebhookReplayResponse, type WebhookSubscription, WebhookSubscriptionsManager, type WhereExpression, fetchClientToken, getAllowedDomainsApiPath, getAnomalyAnalysisTriggerApiPath, getAnomalyInsightAcknowledgeApiPath, getAnomalyInsightDismissApiPath, getAnomalyInsightsApiPath, getAnomalyInsightsBulkAcknowledgeApiPath, getAnomalyInsightsSummaryApiPath, getApiUrl, getAuthUrl, getCollectionBySlugApiPath, getCollectionInsightsApiPath, getCollectionValidateApiPath, getCollectionsApiPath, getComputeFunctionTestApiPath, getComputeFunctionsApiPath, getComputeJobStatusApiPath, getEndpointApiPath, getFileUploadApiPath, getFilesCanonicalApiPath, getFunctionRunsApiPath, getFunctionRunsByFunctionApiPath, getFunctionRunsByTriggerApiPath, getFunctionTriggerExecuteApiPath, getFunctionTriggerPauseApiPath, getFunctionTriggerResumeApiPath, getFunctionTriggersApiPath, getOrchestrationRunStepsApiPath, getOrchestrationRunsApiPath, getOrchestrationRunsCanonicalApiPath, getOrchestrationsApiPath, getRealtimeUrl, getRecordApiPath, getSavedQueryCanonicalByIdPath, getSavedQueryCanonicalCollectionPath, getSavedQueryCanonicalExecutePath, getSavedQueryCanonicalTestPath, getSearchApiPath, getSmartQueriesApiPath, getSmartQueriesStructureApiPath, getSmartQueryByNameApiPath, getSmartQueryExecuteApiPath, getSmartQueryTestApiPath, getStructureBySlugApiPath, getStructureInsightsApiPath, getStructureValidateApiPath, getStructuresApiPath, getValidationBulkAcceptApiPath, getValidationBulkRejectApiPath, getValidationPendingCountApiPath, getValidationRecordSuggestionsApiPath, getValidationScanApiPath, getValidationSuggestionAcceptApiPath, getValidationSuggestionRejectApiPath, getValidationSuggestionsApiPath, getValidationSummaryApiPath, getWebhookDeliveryCancelApiPath, getWebhookDeliveryRetryApiPath, getWebhookSubscriptionDeliveriesApiPath, getWebhookSubscriptionRotateSecretApiPath, getWebhookSubscriptionsApiPath, isCentraliError, operatorsForFieldType };
+export { type AcceptSuggestionResult, type AddAllowedDomainOptions, type AllowedDomain, type AllowedDomainsListResponse, AllowedDomainsManager, type AnomalyAnalysisResult, type AnomalyDetectionData, type AnomalyEventType, type AnomalyInsight, type AnomalyInsightData, AnomalyInsightsManager, type ApiResponse, type ArrayPropertyDefinition, AuditLogManager, type AuthorizationResult, type BasePropertyDefinition, type BatchScanResult, type BatchScanStatus, type BooleanPropertyDefinition, type BulkOperationResult, CANONICAL_OPERATORS, type CanonicalOperator, CentraliError, CentraliSDK, type CentraliSDKOptions, type CheckAuthorizationOptions, CollectionsManager, type ComputeEventType, type ComputeFunction, ComputeFunctionsManager, type ComputeJobStatus, type ComputeJobStatusResponse, type ConditionOperator, type CreateComputeFunctionInput, type CreateOrchestrationInput, type CreateSmartQueryInput, type CreateStructureInput, type CreateTriggerInput, type CreateWebhookSubscriptionInput, type DateTimePropertyDefinition, type DateWindowOption, type DeleteRecordOptions, type EmbedCapability, EmbedManager, type EndpointResponse, EventLogEmbed, type ExecuteSavedQueryValues, type ExecuteSmartQueryOptions, type ExpandOptions, type FieldCondition, type FieldConditionMap, type FileMetadata, FilesManager, type FilterOperators, type FilterValue, type FunctionMemoryUsage, type FunctionRun, type FunctionRunError, type FunctionRunExecutionSource, type FunctionRunStatus, FunctionRunsManager, type FunctionTrigger, type GetRecordOptions, type IncludeClause, type InsightSeverity, type InsightStatus, type InsightType, type InsightsSummary, type InvokeEndpointOptions, type InvokeTriggerOptions, type IssueEmbedTokenInput, type IssueEmbedTokenResult, JOINS_MAX_LENGTH, type JoinClause, type JoinType, type LegacyTranslateOptions, type LegacyTranslateResult, type LegacyTranslateWarning, type ListAllTriggersOptions, type ListCollectionsOptions, type ListComputeFunctionsOptions, type ListFunctionRunsOptions, type ListInsightsOptions, type ListOrchestrationRunsOptions, type ListOrchestrationsOptions, type ListSmartQueryOptions, type ListStructuresOptions, type ListValidationSuggestionsOptions, type ListWebhookDeliveriesOptions, type NumberPropertyDefinition, OPERATOR_METADATA, type ObjectPropertyDefinition, type OperatorMeta, type OperatorTypeApplicability, type OperatorValueShape, type Orchestration, type OrchestrationCaseEvaluation, type OrchestrationCondition, type OrchestrationConditionEvaluation, type OrchestrationDecisionCase, type OrchestrationDecisionResult, type OrchestrationDelayConfig, type OrchestrationEventType, type OrchestrationFailureReason, type OrchestrationOnFailure, type OrchestrationOnSuccess, type OrchestrationRetryConfig, type OrchestrationRun, type OrchestrationRunStatus, type OrchestrationRunStep, OrchestrationRunsManager, type OrchestrationScheduleType, type OrchestrationStatus, type OrchestrationStep, type OrchestrationStepError, type OrchestrationStepStatus, type OrchestrationStepType, type OrchestrationTrigger, type OrchestrationTriggerMetadata, type OrchestrationTriggerType, OrchestrationsManager, type PageClause, type PaginatedResponse, type ParsedUrlQuery, type PropertyDefinition, type PropertyType, type QueryDefinition, type QueryError, type QueryErrorCode, type QueryExecutionMode, type QueryHttpError, type QueryHttpErrorCode, QueryManager, type QueryRecordOptions, type QueryResult, type QueryResultMeta, type QueryValidateOptions, type QueryVariableDefinition, RECORDS_PAGE_DEFAULT_LIMIT, RECORDS_PAGE_MAX_LIMIT, type RealtimeAnomalyDetectionEvent, type RealtimeAnomalyInsightEvent, type RealtimeCloseEvent, type RealtimeError, type RealtimeEvent, type RealtimeEventType, type RealtimeFunctionRunEvent, RealtimeManager, type RealtimeOrchestrationRunEvent, type RealtimeRecordEvent, type RealtimeSubscribeOptions, type RealtimeSubscription, type RealtimeValidationBatchEvent, type RealtimeValidationSuggestionEvent, type RecordEventType, RecordEvents, type RecordTtlOptions, RecordsManager, type ReferencePropertyDefinition, type ResourceCategory, type RevokeEmbedSessionInput, type RevokeEmbedSessionResult, type SavedQueryDefinition, type SavedQueryScalarBinding, type ScalarValue, type SchemaDiscoveryMode, type SearchHit, type SearchOptions, type SearchResponse, type SelectClause, SmartQueriesManager, type SmartQuery, type SmartQueryDefinition, type SmartQueryExecuteResult, type SmartQueryFieldCondition, type SmartQueryJoin, type SmartQuerySort, type SmartQueryWhereClause, type SortClause, type StepEncryptedParam, type StringPropertyDefinition, type Structure, StructuresManager, type TestComputeFunctionInput, type TestComputeFunctionResult, type TestSmartQueryInput, type TextSearchClause, type TriggerExecutionType, type TriggerHealthMetrics, type TriggerHealthStatus, type TriggerInvokeResponse, type TriggerOrchestrationRunOptions, type TriggerScanOptions, type TriggerWithHealth, TriggersManager, type UpdateComputeFunctionInput, type UpdateOrchestrationInput, type UpdateSmartQueryInput, type UpdateStructureInput, type UpdateTriggerInput, type UpdateWebhookSubscriptionInput, type UrlParserOptions, type ValidateStructureInput, type ValidationBatchData, type ValidationEventType, type ValidationIssueType, ValidationManager, type ValidationResult, type ValidationSuggestion, type ValidationSuggestionData, type ValidationSuggestionStatus, type ValidationSummary, type VariableType, type WaitForScanOptions, type WebhookCancelResponse, type WebhookDeliveriesListMeta, type WebhookDelivery, type WebhookDeliveryStatus, type WebhookDeliverySummary, type WebhookPayloadVersions, type WebhookReplayResponse, type WebhookSubscription, WebhookSubscriptionsManager, type WhereExpression, fetchClientToken, getAllowedDomainsApiPath, getAnomalyAnalysisTriggerApiPath, getAnomalyInsightAcknowledgeApiPath, getAnomalyInsightDismissApiPath, getAnomalyInsightsApiPath, getAnomalyInsightsBulkAcknowledgeApiPath, getAnomalyInsightsSummaryApiPath, getApiUrl, getAuthUrl, getCollectionBySlugApiPath, getCollectionInsightsApiPath, getCollectionValidateApiPath, getCollectionsApiPath, getComputeFunctionTestApiPath, getComputeFunctionsApiPath, getComputeJobStatusApiPath, getEndpointApiPath, getFileUploadApiPath, getFilesCanonicalApiPath, getFunctionRunsApiPath, getFunctionRunsByFunctionApiPath, getFunctionRunsByTriggerApiPath, getFunctionTriggerExecuteApiPath, getFunctionTriggerPauseApiPath, getFunctionTriggerResumeApiPath, getFunctionTriggersApiPath, getOrchestrationRunStepsApiPath, getOrchestrationRunsApiPath, getOrchestrationRunsCanonicalApiPath, getOrchestrationsApiPath, getRealtimeUrl, getRecordApiPath, getSavedQueryCanonicalByIdPath, getSavedQueryCanonicalCollectionPath, getSavedQueryCanonicalExecutePath, getSavedQueryCanonicalTestPath, getSearchApiPath, getSmartQueriesApiPath, getSmartQueriesStructureApiPath, getSmartQueryByNameApiPath, getSmartQueryExecuteApiPath, getSmartQueryTestApiPath, getStructureBySlugApiPath, getStructureInsightsApiPath, getStructureValidateApiPath, getStructuresApiPath, getValidationBulkAcceptApiPath, getValidationBulkRejectApiPath, getValidationPendingCountApiPath, getValidationRecordSuggestionsApiPath, getValidationScanApiPath, getValidationSuggestionAcceptApiPath, getValidationSuggestionRejectApiPath, getValidationSuggestionsApiPath, getValidationSummaryApiPath, getWebhookDeliveryCancelApiPath, getWebhookDeliveryRetryApiPath, getWebhookPayloadVersionsApiPath, getWebhookSubscriptionDeliveriesApiPath, getWebhookSubscriptionRotateSecretApiPath, getWebhookSubscriptionsApiPath, isCentraliError, operatorsForFieldType };

package/dist/index.js

@@ -75,6 +75,8 @@ __export(index_exports, {
   CentraliSDK: () => CentraliSDK,
   CollectionsManager: () => CollectionsManager,
   ComputeFunctionsManager: () => ComputeFunctionsManager,
+  EmbedManager: () => EmbedManager,
+  EventLogEmbed: () => EventLogEmbed,
   FilesManager: () => FilesManager,
   FunctionRunsManager: () => FunctionRunsManager,
   JOINS_MAX_LENGTH: () => JOINS_MAX_LENGTH,
@@ -150,6 +152,7 @@ __export(index_exports, {
   getValidationSummaryApiPath: () => getValidationSummaryApiPath,
   getWebhookDeliveryCancelApiPath: () => getWebhookDeliveryCancelApiPath,
   getWebhookDeliveryRetryApiPath: () => getWebhookDeliveryRetryApiPath,
+  getWebhookPayloadVersionsApiPath: () => getWebhookPayloadVersionsApiPath,
   getWebhookSubscriptionDeliveriesApiPath: () => getWebhookSubscriptionDeliveriesApiPath,
   getWebhookSubscriptionRotateSecretApiPath: () => getWebhookSubscriptionRotateSecretApiPath,
   getWebhookSubscriptionsApiPath: () => getWebhookSubscriptionsApiPath,
@@ -385,6 +388,9 @@ function getWebhookSubscriptionsApiPath(workspaceId, subscriptionId) {
   const basePath = `data/workspace/${workspaceId}/api/v1/webhook-subscriptions`;
   return subscriptionId ? `${basePath}/${subscriptionId}` : basePath;
 }
+function getWebhookPayloadVersionsApiPath(workspaceId) {
+  return `data/workspace/${workspaceId}/api/v1/webhook-subscriptions/payload-versions`;
+}
 function getWebhookSubscriptionRotateSecretApiPath(workspaceId, subscriptionId) {
   return `data/workspace/${workspaceId}/api/v1/webhook-subscriptions/${subscriptionId}/rotate-secret`;
 }
@@ -406,14 +412,25 @@ function encodeFormData(data) {
 }
 function fetchClientToken(clientId, clientSecret, baseUrl) {
   return __async(this, null, function* () {
-    const authUrl = getAuthUrl(baseUrl);
     const apiUrl = getApiUrl(baseUrl);
+    return fetchClientTokenForResource(clientId, clientSecret, baseUrl, `${apiUrl}/data`);
+  });
+}
+function fetchIamAudiencedToken(clientId, clientSecret, baseUrl) {
+  return __async(this, null, function* () {
+    const authUrl = getAuthUrl(baseUrl);
+    return fetchClientTokenForResource(clientId, clientSecret, baseUrl, authUrl);
+  });
+}
+function fetchClientTokenForResource(clientId, clientSecret, baseUrl, resource) {
+  return __async(this, null, function* () {
+    const authUrl = getAuthUrl(baseUrl);
     const tokenEndpoint = `${authUrl}/token`;
     const form = encodeFormData({
       grant_type: "client_credentials",
       client_id: clientId,
       client_secret: clientSecret,
-      resource: `${apiUrl}/data`
+      resource
     });
     const resp = yield import_axios2.default.post(
       tokenEndpoint,
@@ -7999,10 +8016,128 @@ var WebhookSubscriptionsManager = class {
     const path = getWebhookSubscriptionRotateSecretApiPath(this.workspaceId, subscriptionId);
     return this.requestFn("POST", path);
   }
+  /**
+   * List the outbound payload versions a subscription can be pinned to via
+   * `create`/`update`'s `payloadVersion`. Each version selects the shape its
+   * deliveries are projected into; subscribers upgrade on their own timeline.
+   *
+   * @example
+   * ```ts
+   * const { data } = await centrali.webhookSubscriptions.getPayloadVersions();
+   * console.log('Latest payload version:', data.latest);
+   * ```
+   */
+  getPayloadVersions() {
+    const path = getWebhookPayloadVersionsApiPath(this.workspaceId);
+    return this.requestFn("GET", path);
+  }
 };
 
-// src/client.ts
+// src/managers/embed.ts
 var import_axios3 = __toESM(require("axios"));
+var EmbedManager = class {
+  constructor(opts) {
+    this._eventLog = new EventLogEmbed(opts);
+  }
+  get eventLog() {
+    return this._eventLog;
+  }
+};
+var EventLogEmbed = class {
+  constructor(opts) {
+    /**
+     * Cached IAM-audienced workspace JWT. Reused across calls; refreshed
+     * lazily on 401 (which is what IAM returns when `exp` fires).
+     */
+    this.iamToken = null;
+    this.inflightTokenMint = null;
+    this.baseUrl = opts.baseUrl;
+    this.workspaceId = opts.workspaceId;
+    this.clientId = opts.clientId;
+    this.clientSecret = opts.clientSecret;
+    this.axios = import_axios3.default.create(__spreadValues({
+      baseURL: getAuthUrl(opts.baseUrl),
+      headers: { "Content-Type": "application/json" },
+      proxy: false
+    }, opts.axiosConfig));
+  }
+  /**
+   * Mint a short-lived `ev_…` embed token. Hand the result to your
+   * frontend and drop it into the iframe URL fragment as `#token=…&o=…`.
+   */
+  issueToken(input) {
+    return __async(this, null, function* () {
+      const path = `/workspace/${this.workspaceId}/embed/event-log/issue-token`;
+      return this.postWithIamToken(path, this.serializeIssueBody(input));
+    });
+  }
+  /**
+   * Revoke an embed session (typically tied to your user's logout).
+   * Every embed token carrying this `sessionId` is rejected by
+   * data-service until the entry expires (max token TTL).
+   */
+  revokeSession(input) {
+    return __async(this, null, function* () {
+      const path = `/workspace/${this.workspaceId}/embed/event-log/revoke-session`;
+      return this.postWithIamToken(path, { sessionId: input.sessionId });
+    });
+  }
+  serializeIssueBody(input) {
+    const body = { tenantId: input.tenantId };
+    if (input.capabilities) body.capabilities = input.capabilities;
+    if (input.sessionId) body.sessionId = input.sessionId;
+    if (input.ttlSeconds !== void 0) body.ttlSeconds = input.ttlSeconds;
+    return body;
+  }
+  postWithIamToken(path, body) {
+    return __async(this, null, function* () {
+      var _a;
+      const token = yield this.getIamToken();
+      try {
+        const resp = yield this.axios.post(path, body, {
+          headers: { Authorization: `Bearer ${token}` }
+        });
+        return resp.data;
+      } catch (err) {
+        const status = (_a = err == null ? void 0 : err.response) == null ? void 0 : _a.status;
+        if (status === 401) {
+          this.iamToken = null;
+          const fresh = yield this.getIamToken();
+          const resp = yield this.axios.post(path, body, {
+            headers: { Authorization: `Bearer ${fresh}` }
+          });
+          return resp.data;
+        }
+        throw err;
+      }
+    });
+  }
+  getIamToken() {
+    return __async(this, null, function* () {
+      if (this.iamToken) return this.iamToken;
+      if (this.inflightTokenMint) return this.inflightTokenMint;
+      if (!this.clientId || !this.clientSecret) {
+        throw new Error(
+          "Embed token issuance requires the SDK to be configured with clientId + clientSecret (service-account client credentials). Publishable keys and supplied bearer tokens are not accepted by IAM for this endpoint."
+        );
+      }
+      this.inflightTokenMint = fetchIamAudiencedToken(
+        this.clientId,
+        this.clientSecret,
+        this.baseUrl
+      );
+      try {
+        this.iamToken = yield this.inflightTokenMint;
+        return this.iamToken;
+      } finally {
+        this.inflightTokenMint = null;
+      }
+    });
+  }
+};
+
+// src/client.ts
+var import_axios4 = __toESM(require("axios"));
 var import_qs = __toESM(require("qs"));
 
 // src/internal/queryGuard.ts
@@ -8032,6 +8167,7 @@ var CentraliSDK = class {
     this._files = null;
     this._webhookSubscriptions = null;
     this._query = null;
+    this._embed = null;
     this.isRefreshingToken = false;
     this.tokenRefreshPromise = null;
     this.options = options;
@@ -8048,7 +8184,7 @@ var CentraliSDK = class {
       throw new Error("Cannot use getToken with clientId/clientSecret. Use one auth method.");
     }
     const apiUrl = getApiUrl(options.baseUrl);
-    this.axios = import_axios3.default.create(__spreadValues({
+    this.axios = import_axios4.default.create(__spreadValues({
       baseURL: apiUrl,
       paramsSerializer: (params) => import_qs.default.stringify(params, { arrayFormat: "repeat" }),
       proxy: false
@@ -8731,6 +8867,28 @@ var CentraliSDK = class {
     }
     return this._webhookSubscriptions;
   }
+  /**
+   * Server-side helpers for the white-label Event Log embed
+   * (CEN-1301 — see `embed.centrali.io/v1/event-log`). Use to mint
+   * short-lived tokens that scope the iframe to one of your end-user
+   * tenants, and to revoke them on logout.
+   *
+   * Requires the SDK to be constructed with `clientId` + `clientSecret`
+   * (service-account client credentials). Publishable keys and
+   * supplied bearer tokens are rejected by IAM for this surface.
+   */
+  get embed() {
+    if (!this._embed) {
+      this._embed = new EmbedManager({
+        baseUrl: this.options.baseUrl,
+        workspaceId: this.options.workspaceId,
+        clientId: this.options.clientId,
+        clientSecret: this.options.clientSecret,
+        axiosConfig: this.options.axiosConfig
+      });
+    }
+    return this._embed;
+  }
   /**
    * Manually set or update the bearer token for subsequent requests.
    */
@@ -9240,6 +9398,8 @@ var CentraliSDK = class {
   CentraliSDK,
   CollectionsManager,
   ComputeFunctionsManager,
+  EmbedManager,
+  EventLogEmbed,
   FilesManager,
   FunctionRunsManager,
   JOINS_MAX_LENGTH,
@@ -9315,6 +9475,7 @@ var CentraliSDK = class {
   getValidationSummaryApiPath,
   getWebhookDeliveryCancelApiPath,
   getWebhookDeliveryRetryApiPath,
+  getWebhookPayloadVersionsApiPath,
   getWebhookSubscriptionDeliveriesApiPath,
   getWebhookSubscriptionRotateSecretApiPath,
   getWebhookSubscriptionsApiPath,

package/index.ts

@@ -32,6 +32,7 @@ export * from './src/types/insights';
 export * from './src/types/validation';
 export * from './src/types/webhooks';
 export * from './src/types/allowedDomains';
+export * from './src/types/embed';
 
 // Realtime
 export { RealtimeManager } from './src/realtime/manager';
@@ -52,6 +53,7 @@ export { FunctionRunsManager } from './src/managers/functionRuns';
 export { OrchestrationRunsManager } from './src/managers/orchestrationRuns';
 export { FilesManager, FileMetadata } from './src/managers/files';
 export { WebhookSubscriptionsManager } from './src/managers/webhookSubscriptions';
+export { EmbedManager, EventLogEmbed } from './src/managers/embed';
 export {
     QueryManager,
     type QueryValidateOptions,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@centrali-io/centrali-sdk",
-  "version": "6.6.0",
+  "version": "6.8.0",
   "description": "Centrali Node SDK",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/src/client.ts

@@ -36,6 +36,7 @@ import { OrchestrationRunsManager } from './managers/orchestrationRuns';
 import { FilesManager } from './managers/files';
 import { WebhookSubscriptionsManager } from './managers/webhookSubscriptions';
 import { QueryManager } from './managers/query';
+import { EmbedManager } from './managers/embed';
 
 export class CentraliSDK {
     private axios: AxiosInstance;
@@ -59,6 +60,7 @@ export class CentraliSDK {
     private _files: FilesManager | null = null;
     private _webhookSubscriptions: WebhookSubscriptionsManager | null = null;
     private _query: QueryManager | null = null;
+    private _embed: EmbedManager | null = null;
     private isRefreshingToken: boolean = false;
     private tokenRefreshPromise: Promise<string> | null = null;
 
@@ -814,6 +816,29 @@ export class CentraliSDK {
         return this._webhookSubscriptions;
     }
 
+    /**
+     * Server-side helpers for the white-label Event Log embed
+     * (CEN-1301 — see `embed.centrali.io/v1/event-log`). Use to mint
+     * short-lived tokens that scope the iframe to one of your end-user
+     * tenants, and to revoke them on logout.
+     *
+     * Requires the SDK to be constructed with `clientId` + `clientSecret`
+     * (service-account client credentials). Publishable keys and
+     * supplied bearer tokens are rejected by IAM for this surface.
+     */
+    public get embed(): EmbedManager {
+        if (!this._embed) {
+            this._embed = new EmbedManager({
+                baseUrl: this.options.baseUrl,
+                workspaceId: this.options.workspaceId,
+                clientId: this.options.clientId,
+                clientSecret: this.options.clientSecret,
+                axiosConfig: this.options.axiosConfig,
+            });
+        }
+        return this._embed;
+    }
+
     /**
      * Manually set or update the bearer token for subsequent requests.
      */

package/src/internal/auth.ts

@@ -14,14 +14,37 @@ export async function fetchClientToken(
     clientSecret: string,
     baseUrl: string
 ): Promise<string> {
-    const authUrl = getAuthUrl(baseUrl);
     const apiUrl = getApiUrl(baseUrl);
+    return fetchClientTokenForResource(clientId, clientSecret, baseUrl, `${apiUrl}/data`);
+}
+
+/**
+ * Mint an IAM-audienced workspace JWT. Required for the embed-token issuance
+ * endpoint, which rejects data-audienced tokens with `audience_mismatch`
+ * (see services/backend/iam/src/controllers/embedTokenController.ts).
+ */
+export async function fetchIamAudiencedToken(
+    clientId: string,
+    clientSecret: string,
+    baseUrl: string
+): Promise<string> {
+    const authUrl = getAuthUrl(baseUrl);
+    return fetchClientTokenForResource(clientId, clientSecret, baseUrl, authUrl);
+}
+
+async function fetchClientTokenForResource(
+    clientId: string,
+    clientSecret: string,
+    baseUrl: string,
+    resource: string
+): Promise<string> {
+    const authUrl = getAuthUrl(baseUrl);
     const tokenEndpoint = `${authUrl}/token`;
     const form = encodeFormData({
         grant_type: 'client_credentials',
         client_id: clientId,
         client_secret: clientSecret,
-        resource: `${apiUrl}/data`
+        resource,
     });
     const resp = await axios.post(
         tokenEndpoint,

package/src/internal/paths.ts

@@ -424,6 +424,14 @@ export function getWebhookSubscriptionsApiPath(workspaceId: string, subscription
     return subscriptionId ? `${basePath}/${subscriptionId}` : basePath;
 }
 
+/**
+ * Generate the payload-versions API URL PATH. Lists the outbound payload
+ * versions a subscription can be pinned to.
+ */
+export function getWebhookPayloadVersionsApiPath(workspaceId: string): string {
+    return `data/workspace/${workspaceId}/api/v1/webhook-subscriptions/payload-versions`;
+}
+
 /**
  * Generate rotate-secret API URL PATH for a webhook subscription.
  */

package/src/managers/embed.ts

@@ -0,0 +1,180 @@
+/**
+ * Embed manager — server-side helpers for the white-label Event Log iframe
+ * (`embed.centrali.io/v1/event-log`, CEN-1301).
+ *
+ * Why this lives outside the main axios instance:
+ *   The shared client mints workspace JWTs with `resource=<data-service>`,
+ *   so its `aud` claim is the data plane. IAM's embed issuance endpoint
+ *   explicitly rejects data-audienced tokens (`audience_mismatch`) — see
+ *   services/backend/iam/src/controllers/embedTokenController.ts. This
+ *   manager keeps its own axios instance pointed at the IAM host and its
+ *   own cached IAM-audienced workspace JWT, minted via
+ *   `fetchIamAudiencedToken`.
+ *
+ * Confidential credentials only: IAM also rejects publishable keys and
+ * service-account dev tokens. The manager throws up front if the SDK was
+ * constructed without `clientId` + `clientSecret`.
+ */
+import axios, { AxiosError, AxiosInstance, AxiosRequestConfig } from 'axios';
+
+import { fetchIamAudiencedToken } from '../internal/auth';
+import { getAuthUrl } from '../urls';
+import type {
+    IssueEmbedTokenInput,
+    IssueEmbedTokenResult,
+    RevokeEmbedSessionInput,
+    RevokeEmbedSessionResult,
+} from '../types/embed';
+
+interface EmbedManagerOptions {
+    baseUrl: string;
+    workspaceId: string;
+    clientId?: string;
+    clientSecret?: string;
+    /**
+     * Pass-through of the SDK's `axiosConfig` (custom CA, agent, timeouts,
+     * etc.). The manager always disables HTTP_PROXY/HTTPS_PROXY env vars
+     * to match the main client + token mint, but caller-supplied fields
+     * are merged on top — including an explicit `proxy` override.
+     */
+    axiosConfig?: AxiosRequestConfig;
+}
+
+/**
+ * Server-side helpers for the Event Log embed iframe. Access via
+ * `client.embed.eventLog`.
+ *
+ * @example
+ * ```ts
+ * const { token, sessionId, expiresAt } = await client.embed.eventLog.issueToken({
+ *   tenantId: customerOrgId,
+ *   capabilities: ['events:read', 'events:replay'],
+ *   ttlSeconds: 900,
+ * });
+ *
+ * // Render in your frontend:
+ * // <iframe src={`https://embed.centrali.io/v1/event-log#token=${token}&o=${origin}`} />
+ *
+ * // On user logout:
+ * await client.embed.eventLog.revokeSession({ sessionId });
+ * ```
+ */
+export class EmbedManager {
+    private readonly _eventLog: EventLogEmbed;
+
+    constructor(opts: EmbedManagerOptions) {
+        this._eventLog = new EventLogEmbed(opts);
+    }
+
+    public get eventLog(): EventLogEmbed {
+        return this._eventLog;
+    }
+}
+
+export class EventLogEmbed {
+    private readonly baseUrl: string;
+    private readonly workspaceId: string;
+    private readonly clientId?: string;
+    private readonly clientSecret?: string;
+    private readonly axios: AxiosInstance;
+
+    /**
+     * Cached IAM-audienced workspace JWT. Reused across calls; refreshed
+     * lazily on 401 (which is what IAM returns when `exp` fires).
+     */
+    private iamToken: string | null = null;
+    private inflightTokenMint: Promise<string> | null = null;
+
+    constructor(opts: EmbedManagerOptions) {
+        this.baseUrl = opts.baseUrl;
+        this.workspaceId = opts.workspaceId;
+        this.clientId = opts.clientId;
+        this.clientSecret = opts.clientSecret;
+        // Mirror the main client + `fetchClientToken`: disable HTTP_PROXY/
+        // HTTPS_PROXY env-var pickup by default so embed-token traffic doesn't
+        // get silently routed through an outbound proxy a caller hasn't
+        // opted into. Caller-supplied `axiosConfig` (custom CA, agent,
+        // timeouts, explicit `proxy`) is merged on top.
+        this.axios = axios.create({
+            baseURL: getAuthUrl(opts.baseUrl),
+            headers: { 'Content-Type': 'application/json' },
+            proxy: false,
+            ...opts.axiosConfig,
+        });
+    }
+
+    /**
+     * Mint a short-lived `ev_…` embed token. Hand the result to your
+     * frontend and drop it into the iframe URL fragment as `#token=…&o=…`.
+     */
+    public async issueToken(input: IssueEmbedTokenInput): Promise<IssueEmbedTokenResult> {
+        const path = `/workspace/${this.workspaceId}/embed/event-log/issue-token`;
+        return this.postWithIamToken<IssueEmbedTokenResult>(path, this.serializeIssueBody(input));
+    }
+
+    /**
+     * Revoke an embed session (typically tied to your user's logout).
+     * Every embed token carrying this `sessionId` is rejected by
+     * data-service until the entry expires (max token TTL).
+     */
+    public async revokeSession(input: RevokeEmbedSessionInput): Promise<RevokeEmbedSessionResult> {
+        const path = `/workspace/${this.workspaceId}/embed/event-log/revoke-session`;
+        return this.postWithIamToken<RevokeEmbedSessionResult>(path, { sessionId: input.sessionId });
+    }
+
+    private serializeIssueBody(input: IssueEmbedTokenInput): Record<string, unknown> {
+        const body: Record<string, unknown> = { tenantId: input.tenantId };
+        if (input.capabilities) body.capabilities = input.capabilities;
+        if (input.sessionId) body.sessionId = input.sessionId;
+        if (input.ttlSeconds !== undefined) body.ttlSeconds = input.ttlSeconds;
+        return body;
+    }
+
+    private async postWithIamToken<T>(path: string, body: Record<string, unknown>): Promise<T> {
+        const token = await this.getIamToken();
+        try {
+            const resp = await this.axios.post<T>(path, body, {
+                headers: { Authorization: `Bearer ${token}` },
+            });
+            return resp.data;
+        } catch (err) {
+            // Refresh-on-401 once. Any subsequent 401 is propagated so the
+            // caller sees the real reason (missing capability, revoked SA,
+            // misconfigured audience, etc.) instead of a silent loop.
+            const status = (err as AxiosError)?.response?.status;
+            if (status === 401) {
+                this.iamToken = null;
+                const fresh = await this.getIamToken();
+                const resp = await this.axios.post<T>(path, body, {
+                    headers: { Authorization: `Bearer ${fresh}` },
+                });
+                return resp.data;
+            }
+            throw err;
+        }
+    }
+
+    private async getIamToken(): Promise<string> {
+        if (this.iamToken) return this.iamToken;
+        if (this.inflightTokenMint) return this.inflightTokenMint;
+        if (!this.clientId || !this.clientSecret) {
+            throw new Error(
+                'Embed token issuance requires the SDK to be configured with ' +
+                'clientId + clientSecret (service-account client credentials). ' +
+                'Publishable keys and supplied bearer tokens are not accepted by ' +
+                'IAM for this endpoint.',
+            );
+        }
+        this.inflightTokenMint = fetchIamAudiencedToken(
+            this.clientId,
+            this.clientSecret,
+            this.baseUrl,
+        );
+        try {
+            this.iamToken = await this.inflightTokenMint;
+            return this.iamToken;
+        } finally {
+            this.inflightTokenMint = null;
+        }
+    }
+}

package/src/managers/webhookSubscriptions.ts

@@ -11,12 +11,14 @@ import type {
     WebhookDeliveriesListMeta,
     WebhookReplayResponse,
     WebhookCancelResponse,
+    WebhookPayloadVersions,
     CreateWebhookSubscriptionInput,
     UpdateWebhookSubscriptionInput,
     ListWebhookDeliveriesOptions,
 } from '../types/webhooks';
 import {
     getWebhookSubscriptionsApiPath,
+    getWebhookPayloadVersionsApiPath,
     getWebhookSubscriptionRotateSecretApiPath,
     getWebhookSubscriptionDeliveriesApiPath,
     getWebhookDeliveryRetryApiPath,
@@ -203,4 +205,20 @@ export class WebhookSubscriptionsManager {
         const path = getWebhookSubscriptionRotateSecretApiPath(this.workspaceId, subscriptionId);
         return this.requestFn<WebhookSubscription>('POST', path);
     }
+
+    /**
+     * List the outbound payload versions a subscription can be pinned to via
+     * `create`/`update`'s `payloadVersion`. Each version selects the shape its
+     * deliveries are projected into; subscribers upgrade on their own timeline.
+     *
+     * @example
+     * ```ts
+     * const { data } = await centrali.webhookSubscriptions.getPayloadVersions();
+     * console.log('Latest payload version:', data.latest);
+     * ```
+     */
+    public getPayloadVersions(): Promise<ApiResponse<WebhookPayloadVersions>> {
+        const path = getWebhookPayloadVersionsApiPath(this.workspaceId);
+        return this.requestFn<WebhookPayloadVersions>('GET', path);
+    }
 }

package/src/types/compute.ts

@@ -102,6 +102,8 @@ export interface FunctionRun {
     triggerType?: string | null;
     orchestrationRunId?: string | null;
     orchestrationStepId?: string | null;
+    /** Inbound durable buffer link (CEN-1297) — set for buffered webhook-trigger runs. */
+    inboundEventId?: string | null;
     originalRunId?: string | null;
     isRerun: boolean;
     rerunCount: number;

package/src/types/embed.ts

@@ -0,0 +1,67 @@
+/**
+ * Types for the Event Log embed surface (CEN-1301).
+ *
+ * Mirrors the request/response shapes defined by IAM at
+ * services/backend/iam/src/controllers/embedTokenController.ts.
+ * Keep field names in sync with that controller's Zod schemas.
+ */
+
+/**
+ * Capabilities that can be encoded into an embed token.
+ *
+ * - `events:read` — list + retrieve event-log rows for the tenant.
+ *   IAM unconditionally injects this on every minted token, so omitting
+ *   `capabilities` is equivalent to `['events:read']`.
+ * - `events:replay` — allow the iframe to replay a failed delivery. The
+ *   issuing service account must also hold `webhook-subscriptions:replay`.
+ */
+export type EmbedCapability = 'events:read' | 'events:replay';
+
+export interface IssueEmbedTokenInput {
+    /**
+     * Tenant id the embed is allowed to read. Burned into the token claim;
+     * the data-service auto-injects this as a filter on every query the
+     * iframe makes. Centrali never interprets the bytes — treat it as
+     * opaque (1-255 chars).
+     */
+    tenantId: string;
+
+    /**
+     * Defaults to `['events:read']`. Pass `['events:read', 'events:replay']`
+     * to allow the iframe's "Replay" action. The issuing service account
+     * must already hold the corresponding capability.
+     */
+    capabilities?: EmbedCapability[];
+
+    /**
+     * Optional cohort id. Useful if you want to revoke every token issued
+     * for one of your end-users on logout — mint each with the same
+     * `sessionId`, then call `revokeSession({ sessionId })` later. Server
+     * mints a random one if omitted (returned in the response).
+     */
+    sessionId?: string;
+
+    /**
+     * Token TTL in seconds. Defaults to 600 (10 min). Capped at 3600 (1h)
+     * server-side; out-of-range values 400.
+     */
+    ttlSeconds?: number;
+}
+
+export interface IssueEmbedTokenResult {
+    /** `ev_…` JWT for the iframe's URL fragment. */
+    token: string;
+    /** Echo of the input sessionId, or the server-minted one if omitted. */
+    sessionId: string;
+    /** ISO-8601 timestamp at which the token's `exp` claim fires. */
+    expiresAt: string;
+}
+
+export interface RevokeEmbedSessionInput {
+    sessionId: string;
+}
+
+export interface RevokeEmbedSessionResult {
+    sessionId: string;
+    revokedAt: string;
+}

package/src/types/webhooks.ts

@@ -22,6 +22,20 @@ export interface WebhookSubscription {
      * undefined on subsequent reads so it is safe to pass subscriptions around.
      */
     secret?: string;
+    /**
+     * Outbound payload version this subscription receives — a date-string
+     * (`YYYY-MM`). Deliveries are projected into the shape this version
+     * describes. Frozen at creation; change it to upgrade to a newer shape.
+     */
+    payloadVersion: string;
+    /**
+     * Opaque builder-supplied tenant identifier. Carried onto outbound
+     * delivery rows by the platform so embeds and tenant-scoped views can
+     * filter to a single customer without leaking cross-tenant events.
+     * Centrali never parses or interprets this value — it's the builder's
+     * own customer/account/workspace id, whatever shape that takes.
+     */
+    tenantId?: string | null;
     workspaceSlug: string;
     createdAt?: string;
     updatedAt?: string;
@@ -46,6 +60,8 @@ export interface WebhookDelivery {
     responseBody?: string | null;
     /** Delivery ID the row was replayed from, or null for original deliveries. */
     replayedFrom?: string | null;
+    /** Outbound payload version this delivery was projected into and served with. */
+    payloadVersion: string;
     createdAt: string;
     updatedAt: string;
 }
@@ -64,6 +80,19 @@ export interface CreateWebhookSubscriptionInput {
     /** Optional — restrict to a subset of collections. Omit for all collections. */
     recordSlugs?: string[];
     active?: boolean;
+    /**
+     * Optional outbound payload version to pin the subscription to. Omit to
+     * freeze to the latest version at creation time. Must be a value returned
+     * by `getPayloadVersions()`.
+     */
+    payloadVersion?: string;
+    /**
+     * Optional opaque tenant identifier — typically the builder's own
+     * customer or account id. Surfaces on every delivery the subscription
+     * produces so tenant-scoped views (e.g. an embedded Event Log) can
+     * filter to one customer.
+     */
+    tenantId?: string | null;
 }
 
 export interface UpdateWebhookSubscriptionInput {
@@ -77,6 +106,27 @@ export interface UpdateWebhookSubscriptionInput {
      */
     recordSlugs?: string[];
     active?: boolean;
+    /**
+     * Upgrade (or downgrade) the outbound payload version. Must be a value
+     * returned by `getPayloadVersions()`. Omit to leave the version unchanged.
+     */
+    payloadVersion?: string;
+    /**
+     * Update the opaque tenant identifier. Pass `null` to clear it; omit to
+     * leave it unchanged. Past deliveries are not retroactively rewritten —
+     * the new value applies to deliveries created after the update.
+     */
+    tenantId?: string | null;
+}
+
+/**
+ * Outbound payload versions a subscription can be pinned to. Returned by
+ * `getPayloadVersions()`. `versions` is oldest-first; `latest` is what a
+ * subscription created without an explicit version is frozen to.
+ */
+export interface WebhookPayloadVersions {
+    versions: string[];
+    latest: string;
 }
 
 export interface ListWebhookDeliveriesOptions {