@corti/sdk 1.0.0-alpha → 1.0.0-alpha.1

package/dist/esm/custom/OAuthAuthProvider.d.mts

@@ -0,0 +1,99 @@
+import type * as Corti from "../api/index.mjs";
+import type { BaseClientOptions } from "../BaseClient.mjs";
+import * as core from "../core/index.mjs";
+import { CLIENT_ID_PARAM, CLIENT_SECRET_PARAM, CODE_PARAM, CODE_VERIFIER_PARAM, PASSWORD_PARAM, REDIRECT_URI_PARAM, USERNAME_PARAM } from "./utils/oauthAuthHelpers.mjs";
+/** Patch: Re-export for consumers; implementation shared with OAuthRopcAuthProvider, OAuthAuthCodeAuthProvider and OAuthPkceAuthProvider. */
+export { BUFFER_IN_MINUTES, CLIENT_ID_PARAM, CLIENT_ID_REQUIRED_ERROR_MESSAGE, CLIENT_SECRET_PARAM, CLIENT_SECRET_REQUIRED_ERROR_MESSAGE, CODE_PARAM, CODE_VERIFIER_PARAM, getExpiresAt, PASSWORD_PARAM, PASSWORD_REQUIRED_ERROR_MESSAGE, REDIRECT_URI_PARAM, USERNAME_PARAM, USERNAME_REQUIRED_ERROR_MESSAGE, } from "./utils/oauthAuthHelpers.mjs";
+declare const TOKEN_PARAM: "token";
+export declare class OAuthAuthProvider implements core.AuthProvider {
+    private readonly options;
+    /**
+     * Patch: Use CortiAuth (real token endpoint) instead of AuthClient (fake-token).
+     */
+    private readonly authClient;
+    private accessToken;
+    private expiresAt;
+    private refreshPromise;
+    private storedRefreshToken;
+    private refreshExpiresAt;
+    constructor(options: OAuthAuthProvider.Options & OAuthAuthProvider.ClientCredentials);
+    static canCreate(options?: Partial<OAuthAuthProvider.ClientCredentials & BaseClientOptions>): boolean;
+    private clientIdSupplier;
+    private clientSecretSupplier;
+    getAuthRequest({ endpointMetadata, }?: {
+        endpointMetadata?: core.EndpointMetadata;
+    }): Promise<core.AuthRequest>;
+    private getToken;
+    private refresh;
+}
+export declare class OAuthTokenOverrideAuthProvider implements core.AuthProvider {
+    private readonly authClient;
+    private readonly _tokenSupplier;
+    private readonly _clientIdSupplier;
+    private readonly _refreshAccessToken;
+    private accessToken;
+    private expiresAt;
+    private storedRefreshToken;
+    private refreshExpiresAt;
+    private _seedPromise;
+    constructor(options: OAuthAuthProvider.TokenOverride & BaseClientOptions);
+    static canCreate(options?: Partial<OAuthAuthProvider.TokenOverride & BaseClientOptions>): options is OAuthAuthProvider.TokenOverride & BaseClientOptions;
+    getAuthRequest({ endpointMetadata, }?: {
+        endpointMetadata?: core.EndpointMetadata;
+    }): Promise<core.AuthRequest>;
+}
+export declare namespace OAuthAuthProvider {
+    const AUTH_SCHEME: "OAuth";
+    /** Patch: Message extended to mention ROPC (clientId, username, password). */
+    const AUTH_CONFIG_ERROR_MESSAGE: string;
+    type ClientCredentials = {
+        [CLIENT_ID_PARAM]: core.Supplier<string>;
+        [CLIENT_SECRET_PARAM]: core.Supplier<string>;
+    };
+    /**
+     * Patch: tokenType and expiresIn made optional — the provider only strictly needs accessToken.
+     * Mirrors AuthTokenResponse but relaxes the two required fields so custom refresh functions
+     * don't need to return fields the provider doesn't use.
+     */
+    type ExpectedTokenResponse = Omit<Corti.AuthTokenResponse, "tokenType" | "expiresIn"> & {
+        tokenType?: string;
+        expiresIn?: number;
+    };
+    /** Patch: Custom refresh function — sync or async, receives the last known refresh token. */
+    type RefreshAccessTokenFunction = (refreshToken?: string) => Promise<OAuthAuthProvider.ExpectedTokenResponse> | OAuthAuthProvider.ExpectedTokenResponse;
+    type TokenOverride = {
+        [TOKEN_PARAM]?: core.Supplier<string>;
+        /** Patch: Custom callback called to obtain/renew the access token. Takes priority over built-in clientId+refreshToken path. */
+        refreshAccessToken?: OAuthAuthProvider.RefreshAccessTokenFunction;
+        expiresIn?: number;
+        refreshToken?: string;
+        refreshExpiresIn?: number;
+        clientId?: core.Supplier<string>;
+        /** Patch: Pre-seeded token response from resolveClientOptions — avoids a second refreshAccessToken call on first API request. */
+        initialTokenResponse?: Promise<OAuthAuthProvider.ExpectedTokenResponse>;
+    };
+    /** Patch: ROPC grant credentials (clientId + username + password) */
+    type RopcCredentials = {
+        [CLIENT_ID_PARAM]: core.Supplier<string>;
+        [USERNAME_PARAM]: core.Supplier<string>;
+        [PASSWORD_PARAM]: core.Supplier<string>;
+    };
+    /** Patch: Authorization code credentials (clientId + clientSecret + code + redirectUri) */
+    type AuthCodeCredentials = {
+        [CLIENT_ID_PARAM]: core.Supplier<string>;
+        [CLIENT_SECRET_PARAM]: core.Supplier<string>;
+        [CODE_PARAM]: core.Supplier<string>;
+        [REDIRECT_URI_PARAM]: core.Supplier<string>;
+    };
+    /** Patch: PKCE credentials (clientId + code + redirectUri; no clientSecret) */
+    type PkceCredentials = {
+        [CLIENT_ID_PARAM]: core.Supplier<string>;
+        [CODE_PARAM]: core.Supplier<string>;
+        [REDIRECT_URI_PARAM]: core.Supplier<string>;
+        [CODE_VERIFIER_PARAM]?: core.Supplier<string>;
+    };
+    /** Patch: Include RopcCredentials, AuthCodeCredentials and PkceCredentials so CortiClient can use those auth flows. */
+    type AuthOptions = ClientCredentials | TokenOverride | RopcCredentials | AuthCodeCredentials | PkceCredentials;
+    type Options = BaseClientOptions & AuthOptions;
+    function createInstance(options: Options): core.AuthProvider;
+}

package/dist/esm/custom/OAuthAuthProvider.mjs

@@ -0,0 +1,239 @@
+// This file was auto-generated by Fern from our API Definition.
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+import * as core from "../core/index.mjs";
+import { CortiAuth } from "./CortiAuth.mjs";
+import { OAuthAuthCodeAuthProvider } from "./OAuthAuthCodeAuthProvider.mjs";
+import { OAuthPkceAuthProvider } from "./OAuthPkceAuthProvider.mjs";
+import { OAuthRopcAuthProvider } from "./OAuthRopcAuthProvider.mjs";
+import { BUFFER_IN_MINUTES, CLIENT_ID_PARAM, CLIENT_ID_REQUIRED_ERROR_MESSAGE, CLIENT_SECRET_PARAM, CLIENT_SECRET_REQUIRED_ERROR_MESSAGE, CODE_PARAM, CODE_VERIFIER_PARAM, getExpiresAt, PASSWORD_PARAM, REDIRECT_URI_PARAM, USERNAME_PARAM, } from "./utils/oauthAuthHelpers.mjs";
+import * as errors from "../errors/index.mjs";
+/** Patch: Re-export for consumers; implementation shared with OAuthRopcAuthProvider, OAuthAuthCodeAuthProvider and OAuthPkceAuthProvider. */
+export { BUFFER_IN_MINUTES, CLIENT_ID_PARAM, CLIENT_ID_REQUIRED_ERROR_MESSAGE, CLIENT_SECRET_PARAM, CLIENT_SECRET_REQUIRED_ERROR_MESSAGE, CODE_PARAM, CODE_VERIFIER_PARAM, getExpiresAt, PASSWORD_PARAM, PASSWORD_REQUIRED_ERROR_MESSAGE, REDIRECT_URI_PARAM, USERNAME_PARAM, USERNAME_REQUIRED_ERROR_MESSAGE, } from "./utils/oauthAuthHelpers.mjs";
+const TOKEN_PARAM = "token";
+const TOKEN_PARAM_REQUIRED_ERROR_MESSAGE = `${TOKEN_PARAM} is required. Please provide it in options.`;
+export class OAuthAuthProvider {
+    constructor(options) {
+        this.options = options;
+        /**
+         * Patch: Use CortiAuth (real token endpoint) instead of AuthClient (fake-token).
+         */
+        this.authClient = new CortiAuth(options);
+        this.expiresAt = new Date();
+    }
+    static canCreate(options) {
+        return (options === null || options === void 0 ? void 0 : options[CLIENT_ID_PARAM]) != null && (options === null || options === void 0 ? void 0 : options[CLIENT_SECRET_PARAM]) != null;
+    }
+    clientIdSupplier() {
+        return __awaiter(this, arguments, void 0, function* ({ endpointMetadata, } = {}) {
+            const supplier = this.options[CLIENT_ID_PARAM];
+            if (supplier == null) {
+                throw new errors.CortiError({
+                    message: CLIENT_ID_REQUIRED_ERROR_MESSAGE,
+                });
+            }
+            return core.EndpointSupplier.get(supplier, { endpointMetadata });
+        });
+    }
+    clientSecretSupplier() {
+        return __awaiter(this, arguments, void 0, function* ({ endpointMetadata, } = {}) {
+            const supplier = this.options[CLIENT_SECRET_PARAM];
+            if (supplier == null) {
+                throw new errors.CortiError({
+                    message: CLIENT_SECRET_REQUIRED_ERROR_MESSAGE,
+                });
+            }
+            return core.EndpointSupplier.get(supplier, { endpointMetadata });
+        });
+    }
+    getAuthRequest() {
+        return __awaiter(this, arguments, void 0, function* ({ endpointMetadata, } = {}) {
+            const token = yield this.getToken({ endpointMetadata });
+            return {
+                headers: {
+                    Authorization: `Bearer ${token}`,
+                },
+            };
+        });
+    }
+    getToken() {
+        return __awaiter(this, arguments, void 0, function* ({ endpointMetadata } = {}) {
+            if (this.accessToken && this.expiresAt > new Date()) {
+                return this.accessToken;
+            }
+            // If a refresh is already in progress, return the existing promise
+            if (this.refreshPromise != null) {
+                return this.refreshPromise;
+            }
+            return this.refresh({ endpointMetadata });
+        });
+    }
+    refresh() {
+        return __awaiter(this, arguments, void 0, function* ({ endpointMetadata } = {}) {
+            this.refreshPromise = (() => __awaiter(this, void 0, void 0, function* () {
+                try {
+                    const clientId = yield this.clientIdSupplier({ endpointMetadata });
+                    const clientSecret = yield this.clientSecretSupplier({ endpointMetadata });
+                    const tokenResponse = clientId && this.storedRefreshToken && this.refreshExpiresAt && this.refreshExpiresAt > new Date()
+                        ? yield this.authClient.refreshToken({
+                            clientId,
+                            refreshToken: this.storedRefreshToken,
+                        })
+                        : yield this.authClient.getToken({ clientId, clientSecret });
+                    this.accessToken = tokenResponse.accessToken;
+                    this.expiresAt = getExpiresAt(tokenResponse.expiresIn, BUFFER_IN_MINUTES);
+                    if (tokenResponse.refreshToken) {
+                        this.storedRefreshToken = tokenResponse.refreshToken;
+                        this.refreshExpiresAt = tokenResponse.refreshExpiresIn
+                            ? getExpiresAt(tokenResponse.refreshExpiresIn, BUFFER_IN_MINUTES)
+                            : undefined;
+                    }
+                    return this.accessToken;
+                }
+                finally {
+                    this.refreshPromise = undefined;
+                }
+            }))();
+            return this.refreshPromise;
+        });
+    }
+}
+export class OAuthTokenOverrideAuthProvider {
+    constructor(options) {
+        this._tokenSupplier = options[TOKEN_PARAM];
+        this._clientIdSupplier = options.clientId;
+        // Patch: store custom refresh callback
+        this._refreshAccessToken = options.refreshAccessToken;
+        this.expiresAt = options.expiresIn ? getExpiresAt(options.expiresIn, BUFFER_IN_MINUTES) : undefined;
+        this.storedRefreshToken = options.refreshToken;
+        this.refreshExpiresAt = options.refreshExpiresIn
+            ? getExpiresAt(options.refreshExpiresIn, BUFFER_IN_MINUTES)
+            : undefined;
+        if (options.clientId && options.refreshToken) {
+            this.authClient = new CortiAuth(options);
+        }
+        // Patch: pre-seed token from discovery promise so getAuthRequest doesn't call refreshAccessToken again
+        if (options.initialTokenResponse) {
+            this._seedPromise = options.initialTokenResponse
+                .then((resp) => {
+                this.accessToken = resp.accessToken;
+                this.expiresAt = resp.expiresIn ? getExpiresAt(resp.expiresIn, BUFFER_IN_MINUTES) : undefined;
+                if (resp.refreshToken) {
+                    this.storedRefreshToken = resp.refreshToken;
+                    this.refreshExpiresAt = resp.refreshExpiresIn
+                        ? getExpiresAt(resp.refreshExpiresIn, BUFFER_IN_MINUTES)
+                        : undefined;
+                }
+            })
+                .finally(() => {
+                this._seedPromise = undefined;
+            });
+        }
+    }
+    static canCreate(options) {
+        // Patch: either token or refreshAccessToken is sufficient
+        return (options === null || options === void 0 ? void 0 : options[TOKEN_PARAM]) != null || (options === null || options === void 0 ? void 0 : options.refreshAccessToken) != null;
+    }
+    getAuthRequest() {
+        return __awaiter(this, arguments, void 0, function* ({ endpointMetadata, } = {}) {
+            // Patch: await seed promise so the initial token from resolveClientOptions is set before checking expiry
+            if (this._seedPromise) {
+                yield this._seedPromise;
+            }
+            const isExpiredOrAbsent = !this.accessToken || (this.expiresAt != null && this.expiresAt <= new Date());
+            // Patch: custom refreshAccessToken takes priority — call it when token is absent or expired
+            if (this._refreshAccessToken && isExpiredOrAbsent) {
+                const result = yield this._refreshAccessToken(this.storedRefreshToken);
+                this.accessToken = result.accessToken;
+                this.expiresAt = result.expiresIn ? getExpiresAt(result.expiresIn, BUFFER_IN_MINUTES) : undefined;
+                if (result.refreshToken) {
+                    this.storedRefreshToken = result.refreshToken;
+                    this.refreshExpiresAt = result.refreshExpiresIn
+                        ? getExpiresAt(result.refreshExpiresIn, BUFFER_IN_MINUTES)
+                        : undefined;
+                }
+                return { headers: { Authorization: `Bearer ${this.accessToken}` } };
+            }
+            // Built-in: if access token is expired and we have a valid SDK refresh token, use it
+            if (this.expiresAt != null &&
+                this.expiresAt <= new Date() &&
+                this._clientIdSupplier &&
+                this.storedRefreshToken &&
+                this.refreshExpiresAt &&
+                this.refreshExpiresAt > new Date() &&
+                this.authClient) {
+                const clientId = yield core.EndpointSupplier.get(this._clientIdSupplier, { endpointMetadata });
+                const tokenResponse = yield this.authClient.refreshToken({
+                    clientId,
+                    refreshToken: this.storedRefreshToken,
+                });
+                this.accessToken = tokenResponse.accessToken;
+                this.expiresAt = getExpiresAt(tokenResponse.expiresIn, BUFFER_IN_MINUTES);
+                if (tokenResponse.refreshToken) {
+                    this.storedRefreshToken = tokenResponse.refreshToken;
+                    this.refreshExpiresAt = tokenResponse.refreshExpiresIn
+                        ? getExpiresAt(tokenResponse.refreshExpiresIn, BUFFER_IN_MINUTES)
+                        : undefined;
+                }
+                return { headers: { Authorization: `Bearer ${this.accessToken}` } };
+            }
+            // Token not yet acquired — resolve from supplier (static token / initial value)
+            if (!this.accessToken) {
+                if (this._tokenSupplier == null) {
+                    throw new errors.CortiError({ message: TOKEN_PARAM_REQUIRED_ERROR_MESSAGE });
+                }
+                this.accessToken = yield core.EndpointSupplier.get(this._tokenSupplier, { endpointMetadata });
+            }
+            if (!this.accessToken) {
+                throw new errors.CortiError({ message: TOKEN_PARAM_REQUIRED_ERROR_MESSAGE });
+            }
+            return { headers: { Authorization: `Bearer ${this.accessToken}` } };
+        });
+    }
+}
+(function (OAuthAuthProvider) {
+    OAuthAuthProvider.AUTH_SCHEME = "OAuth";
+    /** Patch: Message extended to mention ROPC (clientId, username, password). */
+    OAuthAuthProvider.AUTH_CONFIG_ERROR_MESSAGE = `Insufficient options to create OAuthAuthProvider. Please provide '${CLIENT_ID_PARAM}' and '${CLIENT_SECRET_PARAM}', or ${TOKEN_PARAM}, or ROPC (${CLIENT_ID_PARAM}, username, password).`;
+    function createInstance(options) {
+        if (OAuthTokenOverrideAuthProvider.canCreate(options)) {
+            return new OAuthTokenOverrideAuthProvider(options);
+        }
+        /** Patch: ROPC provider before client credentials so ROPC auth is used when username+password provided. */
+        if (OAuthRopcAuthProvider.canCreate(options)) {
+            return new OAuthRopcAuthProvider(options);
+        }
+        /** Patch: PKCE provider before auth code — both have clientId+code+redirectUri, but PKCE has no clientSecret. */
+        if (OAuthPkceAuthProvider.canCreate(options)) {
+            return new OAuthPkceAuthProvider(options);
+        }
+        /** Patch: Auth code provider before client credentials — both have clientId+clientSecret, code+redirectUri distinguishes auth code. */
+        if (OAuthAuthCodeAuthProvider.canCreate(options)) {
+            return new OAuthAuthCodeAuthProvider(options);
+        }
+        if (OAuthAuthProvider.canCreate(options)) {
+            return new OAuthAuthProvider(options);
+        }
+        /** Patch: No credentials provided — proxy/passthrough mode; requests are sent without an Authorization header. */
+        const partialOptions = options;
+        const hasNoCredentials = partialOptions[CLIENT_ID_PARAM] == null &&
+            partialOptions[CLIENT_SECRET_PARAM] == null &&
+            partialOptions[TOKEN_PARAM] == null &&
+            partialOptions.refreshAccessToken == null &&
+            partialOptions[USERNAME_PARAM] == null;
+        if (hasNoCredentials) {
+            return new core.NoOpAuthProvider();
+        }
+        throw new errors.CortiError({
+            message: OAuthAuthProvider.AUTH_CONFIG_ERROR_MESSAGE,
+        });
+    }
+    OAuthAuthProvider.createInstance = createInstance;
+})(OAuthAuthProvider || (OAuthAuthProvider = {}));

package/dist/esm/custom/auth/CortiAuth.d.mts

@@ -0,0 +1,129 @@
+import type * as Corti from "../../api/index.mjs";
+import { AuthClient } from "../../api/resources/auth/client/Client.mjs";
+import type { OAuthAuthProvider } from "../../auth/OAuthAuthProvider.mjs";
+import * as core from "../../core/index.mjs";
+import { type Environment } from "../utils/environment.mjs";
+interface Options {
+    skipRedirect?: boolean;
+}
+export declare namespace CortiAuth {
+    /** Auth (clientId/clientSecret or token) is optional; credentials can be passed to getToken() instead. */
+    type Options = Omit<AuthClient.Options, "clientId" | "clientSecret" | "token" | "environment"> & Partial<OAuthAuthProvider.ClientCredentials> & Partial<OAuthAuthProvider.TokenOverride> & {
+        environment: Environment;
+    };
+    /** Optional scopes on getToken request. */
+    interface GetTokenRequest extends Corti.OAuthTokenRequest {
+        scopes?: string[];
+    }
+    /** ROPC (resource owner password credentials) request for getRopcFlowToken. */
+    interface GetRopcFlowTokenRequest {
+        clientId: string;
+        username: string;
+        password: string;
+        scopes?: string[];
+    }
+    /** Refresh token request for refreshToken. */
+    interface RefreshTokenRequest {
+        clientId: string;
+        refreshToken: string;
+        clientSecret?: string;
+        scopes?: string[];
+    }
+    /** Authorization code grant request for getCodeFlowToken. */
+    interface GetCodeFlowTokenRequest {
+        clientId: string;
+        clientSecret: string;
+        redirectUri: string;
+        code: string;
+        scopes?: string[];
+    }
+    /** PKCE grant request for getPkceFlowToken. codeVerifier is optional — if omitted, reads from localStorage. */
+    interface GetPkceFlowTokenRequest {
+        clientId: string;
+        redirectUri: string;
+        code: string;
+        codeVerifier?: string;
+        scopes?: string[];
+    }
+    /** Parameters for authorizeURL — builds the Keycloak authorization endpoint URL. */
+    interface AuthorizationCodeClient {
+        clientId: string;
+        redirectUri: string;
+        codeChallenge?: string;
+        scopes?: string[];
+    }
+    /** Parameters for authorizePkceUrl — like AuthorizationCodeClient but without codeChallenge (generated internally). */
+    interface PkceClient {
+        clientId: string;
+        redirectUri: string;
+        scopes?: string[];
+        codeVerifier?: string;
+    }
+}
+export declare class CortiAuth extends AuthClient {
+    /** No-op auth provider so super.token() does not trigger OAuth refresh. When auth is omitted, a dummy token is passed so the base constructor does not throw. */
+    constructor(options: CortiAuth.Options);
+    /**
+     * Exchange credentials for a short-lived access token using the tenant token endpoint (client_credentials).
+     * Resolves tenant from client options. Supports optional scopes (openid is always included).
+     *
+     * @param request - Client credentials and optional scopes
+     * @param requestOptions - Request-specific configuration
+     *
+     * @throws {@link Corti.BadRequestError}
+     * @throws {@link Corti.UnauthorizedError}
+     *
+     * @example
+     *     const response = await auth.getToken({
+     *         clientId: "client_id",
+     *         clientSecret: "client_secret",
+     *         scopes: ["profile"]
+     *     });
+     */
+    getToken(request: CortiAuth.GetTokenRequest, requestOptions?: AuthClient.RequestOptions): core.HttpResponsePromise<Corti.AuthTokenResponse>;
+    private _getTokenWithTenant;
+    /** Exchange username/password for access token via ROPC (resource owner password credentials). */
+    getRopcFlowToken(request: CortiAuth.GetRopcFlowTokenRequest, requestOptions?: AuthClient.RequestOptions): core.HttpResponsePromise<Corti.AuthTokenResponse>;
+    /**
+     * Exchange a refresh token for a new access token (refresh_token grant).
+     * Resolves tenant from client options.
+     *
+     * @param request - Client ID, refresh token, and optional scopes
+     * @param requestOptions - Request-specific configuration
+     *
+     * @throws {@link Corti.BadRequestError}
+     * @throws {@link Corti.UnauthorizedError}
+     *
+     * @example
+     *     const response = await auth.refreshToken({
+     *         clientId: "client_id",
+     *         refreshToken: "refresh_token",
+     *     });
+     */
+    refreshToken(request: CortiAuth.RefreshTokenRequest, requestOptions?: AuthClient.RequestOptions): core.HttpResponsePromise<Corti.AuthTokenResponse>;
+    /** Exchange an authorization code for an access token (authorization_code grant). */
+    getCodeFlowToken(request: CortiAuth.GetCodeFlowTokenRequest, requestOptions?: AuthClient.RequestOptions): core.HttpResponsePromise<Corti.AuthTokenResponse>;
+    /**
+     * Exchange a PKCE authorization code for an access token (authorization_code grant with code_verifier).
+     * If codeVerifier is omitted, it is read from localStorage (set by authorizePkceUrl).
+     */
+    getPkceFlowToken(request: CortiAuth.GetPkceFlowTokenRequest, requestOptions?: AuthClient.RequestOptions): core.HttpResponsePromise<Corti.AuthTokenResponse>;
+    /**
+     * Build the Keycloak authorization endpoint URL for the PKCE flow.
+     * Generates a code verifier if not provided, stores it in localStorage, and computes the challenge.
+     * In a browser environment, redirects to the URL unless skipRedirect is true.
+     */
+    authorizePkceUrl({ clientId, redirectUri, scopes, codeVerifier }: CortiAuth.PkceClient, options?: Options): Promise<string>;
+    /** Read the PKCE code verifier stored in localStorage by authorizePkceUrl. Returns null if not found. */
+    static getCodeVerifier(): string | null;
+    /**
+     * Build the Keycloak authorization endpoint URL for the authorization code flow.
+     * In a browser environment, redirects to the URL unless skipRedirect is true.
+     * In a server environment (no window), always returns the URL string.
+     *
+     * @param client - clientId, redirectUri, and optional codeChallenge/scopes
+     * @param options - { skipRedirect?: boolean }
+     */
+    authorizeURL({ clientId, redirectUri, codeChallenge, scopes }: CortiAuth.AuthorizationCodeClient, options?: Options): Promise<string>;
+}
+export {};

package/dist/esm/custom/auth/CortiAuth.mjs

@@ -0,0 +1,158 @@
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __rest = (this && this.__rest) || function (s, e) {
+    var t = {};
+    for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p) && e.indexOf(p) < 0)
+        t[p] = s[p];
+    if (s != null && typeof Object.getOwnPropertySymbols === "function")
+        for (var i = 0, p = Object.getOwnPropertySymbols(s); i < p.length; i++) {
+            if (e.indexOf(p[i]) < 0 && Object.prototype.propertyIsEnumerable.call(s, p[i]))
+                t[p[i]] = s[p[i]];
+        }
+    return t;
+};
+import { AuthClient } from "../../api/resources/auth/client/Client.mjs";
+import * as core from "../../core/index.mjs";
+import { ParseError } from "../../core/schemas/index.mjs";
+import { buildTokenRequestBody } from "../utils/buildTokenRequestBody.mjs";
+import { getEnvironment } from "../utils/environment.mjs";
+import { CODE_VERIFIER_KEY, getLocalStorageItem, setLocalStorageItem } from "../utils/localStorageHelpers.mjs";
+import { generateCodeChallenge, generateCodeVerifier } from "../utils/pkceHelpers.mjs";
+export class CortiAuth extends AuthClient {
+    /** No-op auth provider so super.token() does not trigger OAuth refresh. When auth is omitted, a dummy token is passed so the base constructor does not throw. */
+    constructor(options) {
+        var _a;
+        const { environment } = options, rest = __rest(options, ["environment"]);
+        super(Object.assign(Object.assign({}, rest), { environment: getEnvironment(environment), token: (_a = options.token) !== null && _a !== void 0 ? _a : (() => "") }));
+        this._options.authProvider = new core.NoOpAuthProvider();
+    }
+    /**
+     * Exchange credentials for a short-lived access token using the tenant token endpoint (client_credentials).
+     * Resolves tenant from client options. Supports optional scopes (openid is always included).
+     *
+     * @param request - Client credentials and optional scopes
+     * @param requestOptions - Request-specific configuration
+     *
+     * @throws {@link Corti.BadRequestError}
+     * @throws {@link Corti.UnauthorizedError}
+     *
+     * @example
+     *     const response = await auth.getToken({
+     *         clientId: "client_id",
+     *         clientSecret: "client_secret",
+     *         scopes: ["profile"]
+     *     });
+     */
+    getToken(request, requestOptions) {
+        return core.HttpResponsePromise.fromPromise(this._getTokenWithTenant(request, requestOptions !== null && requestOptions !== void 0 ? requestOptions : {}));
+    }
+    _getTokenWithTenant(request, requestOptions) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const authRequest = buildTokenRequestBody(request);
+            const tenantName = yield core.Supplier.get(this._options.tenantName);
+            return this.token(tenantName, authRequest, requestOptions).withRawResponse();
+        });
+    }
+    /** Exchange username/password for access token via ROPC (resource owner password credentials). */
+    getRopcFlowToken(request, requestOptions) {
+        return core.HttpResponsePromise.fromPromise(this._getTokenWithTenant(request, requestOptions !== null && requestOptions !== void 0 ? requestOptions : {}));
+    }
+    /**
+     * Exchange a refresh token for a new access token (refresh_token grant).
+     * Resolves tenant from client options.
+     *
+     * @param request - Client ID, refresh token, and optional scopes
+     * @param requestOptions - Request-specific configuration
+     *
+     * @throws {@link Corti.BadRequestError}
+     * @throws {@link Corti.UnauthorizedError}
+     *
+     * @example
+     *     const response = await auth.refreshToken({
+     *         clientId: "client_id",
+     *         refreshToken: "refresh_token",
+     *     });
+     */
+    refreshToken(request, requestOptions) {
+        return core.HttpResponsePromise.fromPromise(this._getTokenWithTenant(request, requestOptions !== null && requestOptions !== void 0 ? requestOptions : {}));
+    }
+    /** Exchange an authorization code for an access token (authorization_code grant). */
+    getCodeFlowToken(request, requestOptions) {
+        return core.HttpResponsePromise.fromPromise(this._getTokenWithTenant(request, requestOptions !== null && requestOptions !== void 0 ? requestOptions : {}));
+    }
+    /**
+     * Exchange a PKCE authorization code for an access token (authorization_code grant with code_verifier).
+     * If codeVerifier is omitted, it is read from localStorage (set by authorizePkceUrl).
+     */
+    getPkceFlowToken(request, requestOptions) {
+        var _a;
+        const codeVerifier = (_a = request.codeVerifier) !== null && _a !== void 0 ? _a : getLocalStorageItem(CODE_VERIFIER_KEY);
+        if (!codeVerifier) {
+            throw new ParseError([
+                {
+                    path: ["codeVerifier"],
+                    message: "Code verifier was not provided and not found in localStorage.",
+                },
+            ]);
+        }
+        return core.HttpResponsePromise.fromPromise(this._getTokenWithTenant(Object.assign(Object.assign({}, request), { codeVerifier }), requestOptions !== null && requestOptions !== void 0 ? requestOptions : {}));
+    }
+    /**
+     * Build the Keycloak authorization endpoint URL for the PKCE flow.
+     * Generates a code verifier if not provided, stores it in localStorage, and computes the challenge.
+     * In a browser environment, redirects to the URL unless skipRedirect is true.
+     */
+    authorizePkceUrl(_a, options_1) {
+        return __awaiter(this, arguments, void 0, function* ({ clientId, redirectUri, scopes, codeVerifier }, options) {
+            const verifier = codeVerifier !== null && codeVerifier !== void 0 ? codeVerifier : generateCodeVerifier();
+            setLocalStorageItem(CODE_VERIFIER_KEY, verifier);
+            const codeChallenge = yield generateCodeChallenge(verifier);
+            return this.authorizeURL({ clientId, redirectUri, codeChallenge, scopes }, options);
+        });
+    }
+    /** Read the PKCE code verifier stored in localStorage by authorizePkceUrl. Returns null if not found. */
+    static getCodeVerifier() {
+        return getLocalStorageItem(CODE_VERIFIER_KEY);
+    }
+    /**
+     * Build the Keycloak authorization endpoint URL for the authorization code flow.
+     * In a browser environment, redirects to the URL unless skipRedirect is true.
+     * In a server environment (no window), always returns the URL string.
+     *
+     * @param client - clientId, redirectUri, and optional codeChallenge/scopes
+     * @param options - { skipRedirect?: boolean }
+     */
+    authorizeURL(_a, options_1) {
+        return __awaiter(this, arguments, void 0, function* ({ clientId, redirectUri, codeChallenge, scopes }, options) {
+            const envUrls = yield core.Supplier.get(this._options.environment);
+            const tenantName = yield core.Supplier.get(this._options.tenantName);
+            const authUrl = new URL(core.url.join(envUrls.login, tenantName, "protocol/openid-connect/auth"));
+            authUrl.searchParams.set("response_type", "code");
+            const allScopes = ["openid", "profile", ...(scopes !== null && scopes !== void 0 ? scopes : [])];
+            authUrl.searchParams.set("scope", [...new Set(allScopes)].join(" "));
+            if (clientId !== undefined) {
+                authUrl.searchParams.set("client_id", clientId);
+            }
+            if (redirectUri !== undefined) {
+                authUrl.searchParams.set("redirect_uri", redirectUri);
+            }
+            if (codeChallenge !== undefined) {
+                authUrl.searchParams.set("code_challenge", codeChallenge);
+                authUrl.searchParams.set("code_challenge_method", "S256");
+            }
+            const authUrlString = authUrl.toString();
+            if (typeof window !== "undefined" && !(options === null || options === void 0 ? void 0 : options.skipRedirect)) {
+                window.location.href = authUrlString;
+                return authUrlString;
+            }
+            return authUrlString;
+        });
+    }
+}

package/dist/esm/custom/auth/OAuthAuthCodeAuthProvider.d.mts

@@ -0,0 +1,23 @@
+import type { OAuthAuthProvider } from "../../auth/OAuthAuthProvider.mjs";
+import type { BaseClientOptions } from "../../BaseClient.mjs";
+import * as core from "../../core/index.mjs";
+export declare class OAuthAuthCodeAuthProvider implements core.AuthProvider {
+    private readonly options;
+    private readonly authClient;
+    private accessToken;
+    private expiresAt;
+    private refreshPromise;
+    private storedRefreshToken;
+    private refreshExpiresAt;
+    constructor(options: BaseClientOptions & OAuthAuthProvider.AuthCodeCredentials);
+    static canCreate(options?: Partial<OAuthAuthProvider.AuthCodeCredentials & BaseClientOptions>): options is BaseClientOptions & OAuthAuthProvider.AuthCodeCredentials;
+    private clientIdSupplier;
+    private clientSecretSupplier;
+    private codeSupplier;
+    private redirectUriSupplier;
+    getAuthRequest({ endpointMetadata, }?: {
+        endpointMetadata?: core.EndpointMetadata;
+    }): Promise<core.AuthRequest>;
+    private getToken;
+    private refresh;
+}