@corvushold/guard-sdk 0.5.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (8) hide show
  1. package/README.md +126 -0
  2. package/dist/index.cjs +1010 -0
  3. package/dist/index.cjs.map +1 -0
  4. package/dist/index.d.cts +1157 -0
  5. package/dist/index.d.ts +1157 -0
  6. package/dist/index.js +990 -0
  7. package/dist/index.js.map +1 -0
  8. package/package.json +78 -0
package/dist/index.d.ts ADDED
@@ -0,0 +1,1157 @@
1
+ type HeadersMap = Record<string, string>;
2
+ interface Meta {
3
+ status: number;
4
+ requestId?: string;
5
+ headers?: HeadersMap;
6
+ }
7
+ interface ResponseWrapper<T> {
8
+ data: T;
9
+ meta: Meta;
10
+ }
11
+ type FetchLike = (input: RequestInfo | URL, init?: RequestInit) => Promise<Response>;
12
+ type TenantId = string;
13
+ /**
14
+ * SSO provider slug - can be any string configured in the tenant's SSO providers.
15
+ * Common values include 'okta', 'azure-ad', 'google-saml', 'onelogin', etc.
16
+ * Legacy values 'workos' and 'dev' are still supported for backward compatibility.
17
+ */
18
+ type SsoProviderSlug = string;
19
+ /**
20
+ * @deprecated Use SsoProviderSlug instead. This type is kept for backward compatibility.
21
+ */
22
+ type SsoProvider = SsoProviderSlug;
23
+
24
+ declare class ApiError extends Error {
25
+ readonly status: number;
26
+ readonly code?: string;
27
+ readonly requestId?: string;
28
+ readonly raw?: unknown;
29
+ readonly headers?: HeadersMap;
30
+ constructor(params: {
31
+ status: number;
32
+ message?: string;
33
+ code?: string;
34
+ requestId?: string;
35
+ raw?: unknown;
36
+ headers?: HeadersMap;
37
+ });
38
+ }
39
+ declare class RateLimitError extends ApiError {
40
+ readonly retryAfter?: number;
41
+ readonly nextRetryAt?: Date;
42
+ constructor(params: {
43
+ status: number;
44
+ message?: string;
45
+ code?: string;
46
+ requestId?: string;
47
+ raw?: unknown;
48
+ headers?: HeadersMap;
49
+ retryAfter?: number;
50
+ nextRetryAt?: Date;
51
+ });
52
+ }
53
+ declare function isApiError(e: unknown): e is ApiError;
54
+ declare function isRateLimitError(e: unknown): e is RateLimitError;
55
+
56
+ declare function parseRetryAfter(retryAfter: string | null | undefined): {
57
+ seconds?: number;
58
+ nextRetryAt?: Date;
59
+ };
60
+ declare function toHeadersMap(headers: Headers): HeadersMap;
61
+ declare function buildRateLimitError(args: {
62
+ status: number;
63
+ message?: string;
64
+ requestId?: string;
65
+ headers: Headers;
66
+ raw?: unknown;
67
+ }): RateLimitError;
68
+
69
+ interface TokenStorage {
70
+ getAccessToken(): Promise<string | null> | string | null;
71
+ setAccessToken(token: string | null): Promise<void> | void;
72
+ getRefreshToken(): Promise<string | null> | string | null;
73
+ setRefreshToken(token: string | null): Promise<void> | void;
74
+ clear(): Promise<void> | void;
75
+ }
76
+ interface TokenProvider {
77
+ getAccessToken(): Promise<string | null> | string | null;
78
+ }
79
+ declare const noopStorage: TokenStorage;
80
+
81
+ declare class InMemoryStorage implements TokenStorage {
82
+ private accessToken;
83
+ private refreshToken;
84
+ getAccessToken(): string | null;
85
+ setAccessToken(token: string | null): void;
86
+ getRefreshToken(): string | null;
87
+ setRefreshToken(token: string | null): void;
88
+ clear(): void;
89
+ }
90
+
91
+ declare class WebLocalStorage implements TokenStorage {
92
+ private readonly prefix;
93
+ constructor(prefix?: string);
94
+ private k;
95
+ getAccessToken(): string | null;
96
+ setAccessToken(token: string | null): void;
97
+ getRefreshToken(): string | null;
98
+ setRefreshToken(token: string | null): void;
99
+ clear(): void;
100
+ }
101
+
102
+ interface AsyncStorageLike {
103
+ getItem(key: string): Promise<string | null>;
104
+ setItem(key: string, value: string): Promise<void>;
105
+ removeItem(key: string): Promise<void>;
106
+ }
107
+ declare function reactNativeStorageAdapter(AsyncStorage: AsyncStorageLike, prefix?: string): TokenStorage;
108
+
109
+ type RequestInterceptor = (input: RequestInfo | URL, init: RequestInit) => Promise<[RequestInfo | URL, RequestInit]> | [RequestInfo | URL, RequestInit];
110
+ type ResponseInterceptor = (response: Response) => Promise<Response> | Response;
111
+ interface Interceptors {
112
+ request?: RequestInterceptor[];
113
+ response?: ResponseInterceptor[];
114
+ }
115
+ declare function applyRequestInterceptors(input: RequestInfo | URL, init: RequestInit, interceptors?: RequestInterceptor[]): Promise<[RequestInfo | URL, RequestInit]> | [RequestInfo | URL, RequestInit];
116
+ declare function applyResponseInterceptors(response: Response, interceptors?: ResponseInterceptor[]): Promise<Response>;
117
+
118
+ interface TransportOptions {
119
+ baseUrl: string;
120
+ fetchImpl?: FetchLike;
121
+ interceptors?: Interceptors;
122
+ clientHeader?: string;
123
+ defaultHeaders?: Record<string, string>;
124
+ credentials?: RequestCredentials;
125
+ }
126
+ declare class HttpClient {
127
+ private readonly baseUrl;
128
+ private readonly fetchImpl;
129
+ private readonly interceptors?;
130
+ private readonly clientHeader?;
131
+ private readonly defaultHeaders;
132
+ private readonly credentials?;
133
+ constructor(opts: TransportOptions);
134
+ private buildUrl;
135
+ request<T>(path: string, init?: RequestInit): Promise<ResponseWrapper<T>>;
136
+ requestRaw(path: string, init?: RequestInit): Promise<Response>;
137
+ }
138
+
139
+ interface components {
140
+ schemas: {
141
+ "controller.EmailDiscoveryRequest": {
142
+ email: string;
143
+ };
144
+ "controller.EmailDiscoveryResponse": {
145
+ found?: boolean;
146
+ has_tenant?: boolean;
147
+ suggestions?: string[];
148
+ tenant_id?: string;
149
+ tenant_name?: string;
150
+ user_exists?: boolean;
151
+ };
152
+ "controller.LoginOptionsResponse": {
153
+ /** @description If email domain matches an SSO provider's configured domains */
154
+ domain_matched_sso?: components["schemas"]["controller.SSOProviderOption"];
155
+ magic_link_enabled?: boolean;
156
+ /** @description Authentication methods available */
157
+ password_enabled?: boolean;
158
+ /** @description Recommended/preferred login method based on context
159
+ * Values: "sso", "password", "magic_link", "social" */
160
+ preferred_method?: string;
161
+ /** @description Social login providers (tenant-wide or global) */
162
+ social_providers?: components["schemas"]["controller.SocialProviderOption"][];
163
+ /** @description SSO providers configured for this tenant */
164
+ sso_providers?: components["schemas"]["controller.SSOProviderOption"][];
165
+ /** @description If true, SSO is required for this domain/tenant (password disabled) */
166
+ sso_required?: boolean;
167
+ /** @description Tenant information (if discovered) */
168
+ tenant_id?: string;
169
+ tenant_name?: string;
170
+ /** @description If true, user exists and can use password login */
171
+ user_exists?: boolean;
172
+ };
173
+ "controller.SSOProviderOption": {
174
+ login_url?: string;
175
+ logo_url?: string;
176
+ name?: string;
177
+ /** @description "oidc", "saml" */
178
+ provider_type?: string;
179
+ slug?: string;
180
+ };
181
+ "controller.SocialProviderOption": {
182
+ login_url?: string;
183
+ logo_url?: string;
184
+ name?: string;
185
+ /** @description "google", "github", "microsoft", etc. */
186
+ provider?: string;
187
+ };
188
+ "controller.adminUpdateNamesReq": {
189
+ first_name?: string;
190
+ last_name?: string;
191
+ };
192
+ "controller.adminUpdateRolesReq": {
193
+ roles: string[];
194
+ };
195
+ "controller.adminUser": {
196
+ created_at?: string;
197
+ email_verified?: boolean;
198
+ first_name?: string;
199
+ id?: string;
200
+ is_active?: boolean;
201
+ last_login_at?: string;
202
+ last_name?: string;
203
+ roles?: string[];
204
+ updated_at?: string;
205
+ };
206
+ "controller.adminUsersResp": {
207
+ users?: components["schemas"]["controller.adminUser"][];
208
+ };
209
+ "controller.authExchangeResp": {
210
+ access_token?: string;
211
+ refresh_token?: string;
212
+ /** @example true */
213
+ success?: boolean;
214
+ };
215
+ "controller.changePasswordReq": {
216
+ current_password: string;
217
+ new_password: string;
218
+ };
219
+ "controller.createTenantReq": {
220
+ name: string;
221
+ };
222
+ "controller.fgaAuthorizeReq": {
223
+ object_id?: string;
224
+ object_type: string;
225
+ permission_key: string;
226
+ /** @description SubjectID is optional when subject_type=self; otherwise required.
227
+ * When subject_type=self, the server derives the subject from the caller's token. */
228
+ subject_id?: string;
229
+ /** @enum {string} */
230
+ subject_type: "self" | "user" | "group";
231
+ tenant_id: string;
232
+ };
233
+ "controller.fgaAuthorizeResp": {
234
+ allowed?: boolean;
235
+ reason?: string;
236
+ };
237
+ "controller.fgaCreateACLTupleReq": {
238
+ object_id?: string;
239
+ object_type: string;
240
+ permission_key: string;
241
+ subject_id: string;
242
+ /** @enum {string} */
243
+ subject_type: "user" | "group";
244
+ tenant_id: string;
245
+ };
246
+ "controller.fgaCreateGroupReq": {
247
+ description?: string;
248
+ name: string;
249
+ tenant_id: string;
250
+ };
251
+ "controller.fgaDeleteACLTupleReq": {
252
+ object_id?: string;
253
+ object_type: string;
254
+ permission_key: string;
255
+ subject_id: string;
256
+ /** @enum {string} */
257
+ subject_type: "user" | "group";
258
+ tenant_id: string;
259
+ };
260
+ "controller.fgaGroupItem": {
261
+ description?: string;
262
+ id?: string;
263
+ name?: string;
264
+ tenant_id?: string;
265
+ };
266
+ "controller.fgaListGroupsResp": {
267
+ groups?: components["schemas"]["controller.fgaGroupItem"][];
268
+ };
269
+ "controller.fgaModifyGroupMemberReq": {
270
+ user_id: string;
271
+ };
272
+ "controller.introspectReq": {
273
+ token?: string;
274
+ };
275
+ "controller.listResponse": {
276
+ items?: components["schemas"]["controller.tenantResp"][];
277
+ page?: number;
278
+ page_size?: number;
279
+ total?: number;
280
+ total_pages?: number;
281
+ };
282
+ "controller.loginReq": {
283
+ email: string;
284
+ password: string;
285
+ tenant_id: string;
286
+ };
287
+ "controller.logoutReq": {
288
+ refresh_token?: string;
289
+ };
290
+ "controller.magicSendReq": {
291
+ email: string;
292
+ redirect_url?: string;
293
+ tenant_id: string;
294
+ };
295
+ "controller.magicVerifyReq": {
296
+ token: string;
297
+ };
298
+ "controller.mfaBackupConsumeReq": {
299
+ code: string;
300
+ };
301
+ "controller.mfaBackupConsumeResp": {
302
+ consumed?: boolean;
303
+ };
304
+ "controller.mfaBackupCountResp": {
305
+ count?: number;
306
+ };
307
+ "controller.mfaBackupGenerateReq": {
308
+ count?: number;
309
+ };
310
+ "controller.mfaBackupGenerateResp": {
311
+ codes?: string[];
312
+ };
313
+ "controller.mfaChallengeResp": {
314
+ challenge_token?: string;
315
+ methods?: string[];
316
+ };
317
+ "controller.mfaTOTPActivateReq": {
318
+ code: string;
319
+ };
320
+ "controller.mfaTOTPStartResp": {
321
+ otpauth_url?: string;
322
+ secret?: string;
323
+ };
324
+ "controller.mfaVerifyReq": {
325
+ challenge_token: string;
326
+ code: string;
327
+ /** @enum {string} */
328
+ method: "totp" | "backup_code";
329
+ };
330
+ "controller.oauth2MetadataResp": {
331
+ grant_types_supported?: string[];
332
+ guard_auth_mode_default?: string;
333
+ /** @description Guard-specific extensions */
334
+ guard_auth_modes_supported?: string[];
335
+ guard_version?: string;
336
+ introspection_endpoint?: string;
337
+ introspection_endpoint_auth_methods_supported?: string[];
338
+ issuer?: string;
339
+ response_types_supported?: string[];
340
+ revocation_endpoint?: string;
341
+ revocation_endpoint_auth_methods_supported?: string[];
342
+ scopes_supported?: string[];
343
+ token_endpoint?: string;
344
+ token_endpoint_auth_methods_supported?: string[];
345
+ userinfo_endpoint?: string;
346
+ };
347
+ "controller.permissionGrantItem": {
348
+ key?: string;
349
+ object_id?: string;
350
+ object_type?: string;
351
+ };
352
+ "controller.putSettingsRequest": {
353
+ /** @description App */
354
+ app_cors_allowed_origins?: string;
355
+ /** @description Auth */
356
+ jwt_signing_key?: string;
357
+ /** @description Scope is deprecated and ignored. Kept for backward compatibility with older SDKs. */
358
+ scope?: string;
359
+ sso_provider?: string;
360
+ sso_redirect_allowlist?: string;
361
+ sso_state_ttl?: string;
362
+ workos_api_key?: string;
363
+ workos_client_id?: string;
364
+ workos_client_secret?: string;
365
+ workos_default_connection_id?: string;
366
+ workos_default_organization_id?: string;
367
+ };
368
+ "controller.rbacCreateRoleReq": {
369
+ description?: string;
370
+ name: string;
371
+ tenant_id: string;
372
+ };
373
+ "controller.rbacModifyUserRoleReq": {
374
+ role_id: string;
375
+ tenant_id: string;
376
+ };
377
+ "controller.rbacPermissionItem": {
378
+ created_at?: string;
379
+ description?: string;
380
+ id?: string;
381
+ key?: string;
382
+ updated_at?: string;
383
+ };
384
+ "controller.rbacPermissionsResp": {
385
+ permissions?: components["schemas"]["controller.rbacPermissionItem"][];
386
+ };
387
+ "controller.rbacResolvedPermissionsResp": {
388
+ grants?: components["schemas"]["controller.permissionGrantItem"][];
389
+ };
390
+ "controller.rbacRoleItem": {
391
+ created_at?: string;
392
+ description?: string;
393
+ id?: string;
394
+ name?: string;
395
+ tenant_id?: string;
396
+ updated_at?: string;
397
+ };
398
+ "controller.rbacRolePermissionReq": {
399
+ permission_key: string;
400
+ resource_id?: string;
401
+ resource_type?: string;
402
+ scope_type: string;
403
+ };
404
+ "controller.rbacRolesResp": {
405
+ roles?: components["schemas"]["controller.rbacRoleItem"][];
406
+ };
407
+ "controller.rbacUpdateRoleReq": {
408
+ description?: string;
409
+ name: string;
410
+ tenant_id: string;
411
+ };
412
+ "controller.rbacUserRolesResp": {
413
+ role_ids?: string[];
414
+ };
415
+ "controller.refreshReq": {
416
+ refresh_token?: string;
417
+ };
418
+ "controller.resetPasswordConfirmReq": {
419
+ new_password: string;
420
+ tenant_id?: string;
421
+ token: string;
422
+ };
423
+ "controller.resetPasswordRequestReq": {
424
+ email: string;
425
+ tenant_id?: string;
426
+ };
427
+ "controller.revokeReq": {
428
+ token: string;
429
+ token_type: string;
430
+ };
431
+ "controller.sessionItem": {
432
+ auth_method?: string;
433
+ created_at?: string;
434
+ expires_at?: string;
435
+ id?: string;
436
+ ip?: string;
437
+ revoked?: boolean;
438
+ sso_provider_id?: string;
439
+ sso_provider_name?: string;
440
+ sso_provider_slug?: string;
441
+ user_agent?: string;
442
+ };
443
+ "controller.sessionsListResp": {
444
+ sessions?: components["schemas"]["controller.sessionItem"][];
445
+ };
446
+ "controller.settingsResponse": {
447
+ /** @description App */
448
+ app_cors_allowed_origins?: string;
449
+ /** @description SSO */
450
+ sso_provider?: string;
451
+ sso_redirect_allowlist?: string;
452
+ sso_state_ttl?: string;
453
+ /** @description masked */
454
+ workos_api_key?: string;
455
+ workos_client_id?: string;
456
+ /** @description masked */
457
+ workos_client_secret?: string;
458
+ workos_default_connection_id?: string;
459
+ workos_default_organization_id?: string;
460
+ };
461
+ "controller.signupReq": {
462
+ email: string;
463
+ first_name?: string;
464
+ last_name?: string;
465
+ password: string;
466
+ tenant_id: string;
467
+ };
468
+ "controller.spInfoResponse": {
469
+ acs_url?: string;
470
+ base_url?: string;
471
+ entity_id?: string;
472
+ login_url?: string;
473
+ metadata_url?: string;
474
+ slo_url?: string;
475
+ tenant_id?: string;
476
+ };
477
+ "controller.tenantResp": {
478
+ created_at?: string;
479
+ id?: string;
480
+ is_active?: boolean;
481
+ name?: string;
482
+ updated_at?: string;
483
+ };
484
+ "controller.updateProfileReq": {
485
+ first_name?: string;
486
+ last_name?: string;
487
+ };
488
+ "domain.Introspection": {
489
+ active?: boolean;
490
+ email?: string;
491
+ email_verified?: boolean;
492
+ exp?: number;
493
+ iat?: number;
494
+ mfa_verified?: boolean;
495
+ roles?: string[];
496
+ tenant_id?: string;
497
+ user_id?: string;
498
+ };
499
+ "domain.PortalLink": {
500
+ link?: string;
501
+ };
502
+ "domain.UserProfile": {
503
+ email?: string;
504
+ email_verified?: boolean;
505
+ first_name?: string;
506
+ id?: string;
507
+ last_login_at?: string;
508
+ last_name?: string;
509
+ mfa_enabled?: boolean;
510
+ roles?: string[];
511
+ tenant_id?: string;
512
+ };
513
+ };
514
+ responses: never;
515
+ parameters: never;
516
+ requestBodies: {
517
+ /** @description Magic token in JSON body */
518
+ "controller.magicVerifyReq": {
519
+ content: {
520
+ "application/json": components["schemas"]["controller.magicVerifyReq"];
521
+ };
522
+ };
523
+ /** @description permission_key, scope_type, optional resource_type/resource_id */
524
+ "controller.rbacRolePermissionReq": {
525
+ content: {
526
+ "application/json": components["schemas"]["controller.rbacRolePermissionReq"];
527
+ };
528
+ };
529
+ /** @description user_id */
530
+ "controller.fgaModifyGroupMemberReq": {
531
+ content: {
532
+ "application/json": components["schemas"]["controller.fgaModifyGroupMemberReq"];
533
+ };
534
+ };
535
+ /** @description tenant_id, role_id */
536
+ "controller.rbacModifyUserRoleReq": {
537
+ content: {
538
+ "application/json": components["schemas"]["controller.rbacModifyUserRoleReq"];
539
+ };
540
+ };
541
+ };
542
+ headers: never;
543
+ pathItems: never;
544
+ }
545
+
546
+ interface GuardClientOptions {
547
+ baseUrl: string;
548
+ tenantId?: TenantId;
549
+ fetchImpl?: FetchLike;
550
+ storage?: TokenStorage;
551
+ defaultHeaders?: Record<string, string>;
552
+ authMode?: 'bearer' | 'cookie';
553
+ }
554
+ type TokensResp = {
555
+ access_token?: string | null;
556
+ refresh_token?: string | null;
557
+ success?: boolean;
558
+ };
559
+ type MfaChallengeResp = components['schemas']['controller.mfaChallengeResp'];
560
+ type OAuth2MetadataResp = components['schemas']['controller.oauth2MetadataResp'];
561
+ type PortalLink = components['schemas']['domain.PortalLink'] & {
562
+ link: string;
563
+ };
564
+ interface SsoPortalSessionResp {
565
+ tenant_id: string;
566
+ provider_slug: string;
567
+ portal_token_id: string;
568
+ intent: string;
569
+ }
570
+ interface TenantOption {
571
+ tenant_id: string;
572
+ tenant_name: string;
573
+ }
574
+ interface TenantSelectionRequiredResp {
575
+ error: 'tenant_selection_required';
576
+ message: string;
577
+ tenants: TenantOption[];
578
+ }
579
+ declare function isTenantSelectionRequired(data: unknown): data is TenantSelectionRequiredResp;
580
+ interface SsoPortalContext {
581
+ session: SsoPortalSessionResp;
582
+ provider: SsoProviderItem;
583
+ }
584
+ declare function isTokensResp(data: unknown): data is TokensResp;
585
+ declare function isMfaChallengeResp(data: unknown): data is MfaChallengeResp;
586
+ type MfaVerifyReq = components['schemas']['controller.mfaVerifyReq'];
587
+ type RefreshReq = components['schemas']['controller.refreshReq'];
588
+ type RbacPermissionsResp = components['schemas']['controller.rbacPermissionsResp'];
589
+ type RbacRolesResp = components['schemas']['controller.rbacRolesResp'];
590
+ type RbacRoleItem = components['schemas']['controller.rbacRoleItem'];
591
+ type RbacCreateRoleReq = components['schemas']['controller.rbacCreateRoleReq'];
592
+ type RbacUpdateRoleReq = components['schemas']['controller.rbacUpdateRoleReq'];
593
+ type RbacRolePermissionReq = components['schemas']['controller.rbacRolePermissionReq'];
594
+ type RbacUserRolesResp = components['schemas']['controller.rbacUserRolesResp'];
595
+ type RbacModifyUserRoleReq = components['schemas']['controller.rbacModifyUserRoleReq'];
596
+ type RbacResolvedPermissionsResp = components['schemas']['controller.rbacResolvedPermissionsResp'];
597
+ type FgaGroup = {
598
+ id: string;
599
+ tenant_id: string;
600
+ name: string;
601
+ description?: string;
602
+ created_at: string;
603
+ updated_at: string;
604
+ };
605
+ type FgaGroupsResp = {
606
+ groups: FgaGroup[];
607
+ };
608
+ type FgaAclTuple = {
609
+ id: string;
610
+ tenant_id: string;
611
+ subject_type: string;
612
+ subject_id: string;
613
+ permission_key?: string;
614
+ object_type: string;
615
+ object_id?: string | null;
616
+ created_by?: string | null;
617
+ created_at: string;
618
+ };
619
+ interface TenantSummary {
620
+ id: string;
621
+ name?: string;
622
+ }
623
+ interface DiscoverTenantsResp {
624
+ tenants: TenantSummary[];
625
+ }
626
+ type UserProfile = components['schemas']['domain.UserProfile'];
627
+ type Introspection = components['schemas']['domain.Introspection'];
628
+ type MagicSendReq = components['schemas']['controller.magicSendReq'];
629
+ type MagicVerifyReq = components['schemas']['controller.magicVerifyReq'];
630
+ type PasswordSignupInput = {
631
+ email: string;
632
+ password: string;
633
+ tenant_id?: string;
634
+ first_name?: string;
635
+ last_name?: string;
636
+ };
637
+ interface AdminUser {
638
+ id: string;
639
+ email_verified: boolean;
640
+ is_active: boolean;
641
+ first_name: string;
642
+ last_name: string;
643
+ roles: string[];
644
+ created_at: string;
645
+ updated_at: string;
646
+ last_login_at?: string | null;
647
+ }
648
+ interface AdminUsersResp {
649
+ users: AdminUser[];
650
+ }
651
+ /** Auth method used to create a session */
652
+ type AuthMethod = 'password' | 'sso' | 'magic_link';
653
+ interface SessionItem {
654
+ id: string;
655
+ revoked: boolean;
656
+ user_agent: string;
657
+ ip: string;
658
+ created_at: string;
659
+ expires_at: string;
660
+ auth_method: AuthMethod;
661
+ sso_provider_id?: string;
662
+ sso_provider_name?: string;
663
+ sso_provider_slug?: string;
664
+ }
665
+ interface SessionsListResp {
666
+ sessions: SessionItem[];
667
+ }
668
+ interface TenantSettingsResponse {
669
+ sso_provider: string;
670
+ workos_client_id: string;
671
+ workos_client_secret?: string;
672
+ workos_api_key?: string;
673
+ workos_default_connection_id?: string;
674
+ workos_default_organization_id?: string;
675
+ sso_state_ttl: string;
676
+ sso_redirect_allowlist: string;
677
+ }
678
+ interface TenantSettingsPutRequest {
679
+ sso_provider?: string | null;
680
+ workos_client_id?: string | null;
681
+ workos_client_secret?: string | null;
682
+ workos_api_key?: string | null;
683
+ workos_default_connection_id?: string | null;
684
+ workos_default_organization_id?: string | null;
685
+ sso_state_ttl?: string | null;
686
+ sso_redirect_allowlist?: string | null;
687
+ }
688
+ type SsoProviderType = 'oidc' | 'saml';
689
+ type SsoLinkingPolicy = 'never' | 'verified_email' | 'always';
690
+ interface SsoProviderItem {
691
+ id: string;
692
+ tenant_id: string;
693
+ name: string;
694
+ slug: string;
695
+ provider_type: SsoProviderType;
696
+ enabled: boolean;
697
+ allow_signup: boolean;
698
+ trust_email_verified: boolean;
699
+ domains: string[];
700
+ attribute_mapping?: Record<string, any>;
701
+ issuer?: string;
702
+ authorization_endpoint?: string;
703
+ token_endpoint?: string;
704
+ userinfo_endpoint?: string;
705
+ jwks_uri?: string;
706
+ client_id?: string;
707
+ client_secret?: string;
708
+ scopes?: string[];
709
+ response_type?: string;
710
+ response_mode?: string;
711
+ entity_id?: string;
712
+ acs_url?: string;
713
+ slo_url?: string;
714
+ idp_metadata_url?: string;
715
+ idp_metadata_xml?: string;
716
+ idp_entity_id?: string;
717
+ idp_sso_url?: string;
718
+ idp_slo_url?: string;
719
+ idp_certificate?: string;
720
+ sp_certificate?: string;
721
+ sp_private_key?: string;
722
+ sp_certificate_expires_at?: string;
723
+ want_assertions_signed?: boolean;
724
+ want_response_signed?: boolean;
725
+ sign_requests?: boolean;
726
+ force_authn?: boolean;
727
+ allow_idp_initiated?: boolean;
728
+ linking_policy?: SsoLinkingPolicy;
729
+ created_at: string;
730
+ updated_at: string;
731
+ created_by?: string;
732
+ updated_by?: string;
733
+ }
734
+ interface SsoProvidersListResp {
735
+ providers: SsoProviderItem[];
736
+ total: number;
737
+ }
738
+ interface SsoProviderOption {
739
+ slug: string;
740
+ name: string;
741
+ provider_type: SsoProviderType;
742
+ logo_url?: string;
743
+ login_url: string;
744
+ }
745
+ interface LoginOptionsResp {
746
+ password_enabled: boolean;
747
+ magic_link_enabled: boolean;
748
+ sso_providers: SsoProviderOption[];
749
+ preferred_method: AuthMethod;
750
+ sso_required: boolean;
751
+ user_exists: boolean;
752
+ tenant_id?: string;
753
+ tenant_name?: string;
754
+ domain_matched_sso?: SsoProviderOption;
755
+ }
756
+ interface CreateSsoProviderReq {
757
+ tenant_id: string;
758
+ name: string;
759
+ slug: string;
760
+ provider_type: SsoProviderType;
761
+ enabled?: boolean;
762
+ allow_signup?: boolean;
763
+ trust_email_verified?: boolean;
764
+ domains?: string[];
765
+ attribute_mapping?: Record<string, any>;
766
+ issuer?: string;
767
+ authorization_endpoint?: string;
768
+ token_endpoint?: string;
769
+ userinfo_endpoint?: string;
770
+ jwks_uri?: string;
771
+ client_id?: string;
772
+ client_secret?: string;
773
+ scopes?: string[];
774
+ response_type?: string;
775
+ response_mode?: string;
776
+ entity_id?: string;
777
+ acs_url?: string;
778
+ slo_url?: string;
779
+ idp_metadata_url?: string;
780
+ idp_metadata_xml?: string;
781
+ idp_entity_id?: string;
782
+ idp_sso_url?: string;
783
+ idp_slo_url?: string;
784
+ idp_certificate?: string;
785
+ sp_certificate?: string;
786
+ sp_private_key?: string;
787
+ want_assertions_signed?: boolean;
788
+ want_response_signed?: boolean;
789
+ sign_requests?: boolean;
790
+ force_authn?: boolean;
791
+ allow_idp_initiated?: boolean;
792
+ linking_policy?: SsoLinkingPolicy;
793
+ }
794
+ interface UpdateSsoProviderReq {
795
+ name?: string;
796
+ enabled?: boolean;
797
+ allow_signup?: boolean;
798
+ trust_email_verified?: boolean;
799
+ domains?: string[];
800
+ attribute_mapping?: Record<string, any>;
801
+ issuer?: string;
802
+ authorization_endpoint?: string;
803
+ token_endpoint?: string;
804
+ userinfo_endpoint?: string;
805
+ jwks_uri?: string;
806
+ client_id?: string;
807
+ client_secret?: string;
808
+ scopes?: string[];
809
+ response_type?: string;
810
+ response_mode?: string;
811
+ entity_id?: string;
812
+ acs_url?: string;
813
+ slo_url?: string;
814
+ idp_metadata_url?: string;
815
+ idp_metadata_xml?: string;
816
+ idp_entity_id?: string;
817
+ idp_sso_url?: string;
818
+ idp_slo_url?: string;
819
+ idp_certificate?: string;
820
+ sp_certificate?: string;
821
+ sp_private_key?: string;
822
+ want_assertions_signed?: boolean;
823
+ want_response_signed?: boolean;
824
+ sign_requests?: boolean;
825
+ force_authn?: boolean;
826
+ allow_idp_initiated?: boolean;
827
+ linking_policy?: SsoLinkingPolicy;
828
+ }
829
+ interface SsoTestProviderResp {
830
+ success: boolean;
831
+ metadata?: Record<string, any>;
832
+ error?: string;
833
+ }
834
+ interface SsoSPInfoResp {
835
+ /** SP Entity ID / Issuer URL (also called "Identifier" in some IdPs) */
836
+ entity_id: string;
837
+ /** Assertion Consumer Service URL where the IdP sends SAML responses */
838
+ acs_url: string;
839
+ /** Single Logout URL (optional) */
840
+ slo_url?: string;
841
+ /** URL where SP metadata XML can be downloaded */
842
+ metadata_url: string;
843
+ /** URL to initiate SSO login */
844
+ login_url: string;
845
+ /** Public base URL of the Guard service */
846
+ base_url: string;
847
+ /** Tenant ID used in the URL paths */
848
+ tenant_id: string;
849
+ }
850
+ type PasswordLoginInput = {
851
+ email: string;
852
+ password: string;
853
+ tenant_id?: string;
854
+ };
855
+ declare class GuardClient {
856
+ readonly baseUrl: string;
857
+ private readonly tenantId?;
858
+ private readonly storage;
859
+ private readonly http;
860
+ constructor(opts: GuardClientOptions);
861
+ protected request<T>(path: string, init: RequestInit): Promise<ResponseWrapper<T>>;
862
+ private persistTokensFrom;
863
+ private buildQuery;
864
+ passwordLogin(body: PasswordLoginInput): Promise<ResponseWrapper<TokensResp | MfaChallengeResp>>;
865
+ passwordSignup(body: PasswordSignupInput): Promise<ResponseWrapper<TokensResp>>;
866
+ mfaVerify(body: MfaVerifyReq): Promise<ResponseWrapper<TokensResp>>;
867
+ refresh(body?: Partial<RefreshReq>): Promise<ResponseWrapper<TokensResp>>;
868
+ logout(body?: {
869
+ refresh_token?: string | null;
870
+ }): Promise<ResponseWrapper<unknown>>;
871
+ me(): Promise<ResponseWrapper<UserProfile>>;
872
+ emailDiscover(body: {
873
+ email: string;
874
+ tenant_id?: string;
875
+ }): Promise<ResponseWrapper<{
876
+ found: boolean;
877
+ has_tenant: boolean;
878
+ tenant_id?: string;
879
+ tenant_name?: string;
880
+ user_exists: boolean;
881
+ suggestions?: string[];
882
+ }>>;
883
+ getLoginOptions(params?: {
884
+ email?: string;
885
+ tenant_id?: string;
886
+ }): Promise<ResponseWrapper<LoginOptionsResp>>;
887
+ mfaStartTotp(): Promise<ResponseWrapper<{
888
+ secret: string;
889
+ otpauth_url: string;
890
+ }>>;
891
+ mfaActivateTotp(body: {
892
+ code: string;
893
+ }): Promise<ResponseWrapper<unknown>>;
894
+ mfaDisableTotp(): Promise<ResponseWrapper<unknown>>;
895
+ mfaGenerateBackupCodes(body?: {
896
+ count?: number;
897
+ }): Promise<ResponseWrapper<{
898
+ codes: string[];
899
+ }>>;
900
+ mfaCountBackupCodes(): Promise<ResponseWrapper<{
901
+ count: number;
902
+ }>>;
903
+ discoverTenants(params: {
904
+ email: string;
905
+ }): Promise<ResponseWrapper<DiscoverTenantsResp>>;
906
+ createTenant(body: {
907
+ name: string;
908
+ }): Promise<ResponseWrapper<{
909
+ id: string;
910
+ name: string;
911
+ is_active?: boolean;
912
+ created_at?: string;
913
+ updated_at?: string;
914
+ }>>;
915
+ getTenant(id: string): Promise<ResponseWrapper<{
916
+ id: string;
917
+ name: string;
918
+ is_active: boolean;
919
+ created_at: string;
920
+ updated_at: string;
921
+ }>>;
922
+ listTenants(params?: {
923
+ q?: string;
924
+ page?: number;
925
+ page_size?: number;
926
+ active?: number | boolean;
927
+ }): Promise<ResponseWrapper<{
928
+ items: Array<{
929
+ id: string;
930
+ name: string;
931
+ is_active: boolean;
932
+ created_at: string;
933
+ updated_at: string;
934
+ }>;
935
+ total: number;
936
+ page: number;
937
+ page_size: number;
938
+ total_pages: number;
939
+ }>>;
940
+ introspect(body?: {
941
+ token?: string;
942
+ }): Promise<ResponseWrapper<Introspection>>;
943
+ magicSend(body: MagicSendReq): Promise<ResponseWrapper<unknown>>;
944
+ magicVerify(params?: {
945
+ token?: string;
946
+ }, body?: MagicVerifyReq): Promise<ResponseWrapper<TokensResp>>;
947
+ passwordResetRequest(body: {
948
+ tenant_id?: string;
949
+ email: string;
950
+ }): Promise<ResponseWrapper<unknown>>;
951
+ passwordResetConfirm(body: {
952
+ tenant_id?: string;
953
+ token: string;
954
+ new_password: string;
955
+ }): Promise<ResponseWrapper<unknown>>;
956
+ changePassword(body: {
957
+ current_password: string;
958
+ new_password: string;
959
+ }): Promise<ResponseWrapper<unknown>>;
960
+ updateProfile(body: {
961
+ first_name?: string;
962
+ last_name?: string;
963
+ }): Promise<ResponseWrapper<unknown>>;
964
+ listUsers(params?: {
965
+ tenant_id?: string;
966
+ }): Promise<ResponseWrapper<AdminUsersResp>>;
967
+ updateUserNames(id: string, body: {
968
+ first_name?: string;
969
+ last_name?: string;
970
+ }): Promise<ResponseWrapper<unknown>>;
971
+ blockUser(id: string): Promise<ResponseWrapper<unknown>>;
972
+ unblockUser(id: string): Promise<ResponseWrapper<unknown>>;
973
+ verifyUserEmail(id: string): Promise<ResponseWrapper<unknown>>;
974
+ unverifyUserEmail(id: string): Promise<ResponseWrapper<unknown>>;
975
+ listSessions(options?: {
976
+ includeAll?: boolean;
977
+ }): Promise<ResponseWrapper<SessionsListResp>>;
978
+ revokeSession(id: string): Promise<ResponseWrapper<unknown>>;
979
+ getTenantSettings(tenantId?: string): Promise<ResponseWrapper<TenantSettingsResponse>>;
980
+ updateTenantSettings(tenantId: string, settings: TenantSettingsPutRequest): Promise<ResponseWrapper<unknown>>;
981
+ /**
982
+ * Start SSO flow with a provider slug.
983
+ * Uses V2 tenant-scoped URLs: /auth/sso/t/{tenant_id}/{slug}/login
984
+ *
985
+ * @param providerSlug - The provider slug (e.g., 'okta', 'azure-ad', 'google-saml')
986
+ * @param params - Optional parameters for the SSO flow
987
+ * @returns The redirect URL to send the user to for authentication
988
+ *
989
+ * @example
990
+ * ```ts
991
+ * const result = await client.startSso('okta', { redirect_url: 'https://myapp.com/callback' });
992
+ * window.location.href = result.data.redirect_url;
993
+ * ```
994
+ */
995
+ startSso(providerSlug: SsoProvider, params?: {
996
+ tenant_id?: string;
997
+ redirect_url?: string;
998
+ login_hint?: string;
999
+ force_authn?: boolean;
1000
+ }): Promise<ResponseWrapper<{
1001
+ redirect_url: string;
1002
+ }>>;
1003
+ /**
1004
+ * Handle SSO callback and exchange code for tokens.
1005
+ * Uses V2 tenant-scoped URLs: /auth/sso/t/{tenant_id}/{slug}/callback
1006
+ *
1007
+ * @param providerSlug - The provider slug used in startSso
1008
+ * @param params - Callback parameters (code, state from IdP redirect)
1009
+ * @returns Access and refresh tokens
1010
+ */
1011
+ handleSsoCallback(providerSlug: SsoProvider, params: {
1012
+ tenant_id?: string;
1013
+ code: string;
1014
+ state?: string;
1015
+ }): Promise<ResponseWrapper<TokensResp>>;
1016
+ /**
1017
+ * Parse SSO callback tokens from URL query parameters or fragment.
1018
+ * Use this when Guard redirects to your app's callback URL with tokens.
1019
+ *
1020
+ * **Note:** This method has a side effect: when tokens are successfully parsed,
1021
+ * they are automatically persisted to the configured TokenStorage.
1022
+ *
1023
+ * @param url - The full callback URL or just the query/fragment string (e.g., window.location.search or window.location.hash)
1024
+ * @returns Tokens if access_token is present in URL, null otherwise
1025
+ *
1026
+ * @remarks
1027
+ * - access_token is required for a successful return
1028
+ * - refresh_token is optional (some flows don't provide it)
1029
+ * - When refresh_token is missing, token refresh via `refresh()` will not be available
1030
+ * - Tokens are persisted to storage on successful parse (side effect)
1031
+ */
1032
+ parseSsoCallbackTokens(url: string): TokensResp | null;
1033
+ getSsoOrganizationPortalLink(provider: SsoProvider, params: {
1034
+ tenant_id?: string;
1035
+ organization_id: string;
1036
+ intent?: string;
1037
+ }): Promise<ResponseWrapper<PortalLink>>;
1038
+ ssoPortalSession(token: string): Promise<ResponseWrapper<SsoPortalSessionResp>>;
1039
+ ssoPortalProvider(token: string): Promise<ResponseWrapper<SsoProviderItem>>;
1040
+ loadSsoPortalContext(token: string): Promise<SsoPortalContext>;
1041
+ private extractErrorDetails;
1042
+ ssoListProviders(params?: {
1043
+ tenant_id?: string;
1044
+ }): Promise<ResponseWrapper<SsoProvidersListResp>>;
1045
+ ssoCreateProvider(body: CreateSsoProviderReq): Promise<ResponseWrapper<SsoProviderItem>>;
1046
+ ssoGetProvider(id: string): Promise<ResponseWrapper<SsoProviderItem>>;
1047
+ ssoUpdateProvider(id: string, body: UpdateSsoProviderReq): Promise<ResponseWrapper<SsoProviderItem>>;
1048
+ ssoDeleteProvider(id: string): Promise<ResponseWrapper<unknown>>;
1049
+ ssoTestProvider(id: string): Promise<ResponseWrapper<SsoTestProviderResp>>;
1050
+ /**
1051
+ * Get computed Service Provider (SP) URLs for SAML configuration.
1052
+ * These URLs are needed by admins to configure their Identity Provider (IdP).
1053
+ * URLs use V2 tenant-scoped format: /auth/sso/t/{tenant_id}/{slug}/*
1054
+ *
1055
+ * @param slug - The provider slug (e.g. 'okta', 'azure-ad')
1056
+ * @param tenantId - Optional tenant ID (uses client's default if not provided)
1057
+ * @returns SP info including Entity ID, ACS URL, SLO URL, Metadata URL, Login URL, and Tenant ID
1058
+ *
1059
+ * @example
1060
+ * ```ts
1061
+ * const spInfo = await client.ssoGetSPInfo('okta');
1062
+ * console.log(spInfo.data.entity_id); // https://api.example.com/auth/sso/t/{tenant_id}/okta/metadata
1063
+ * console.log(spInfo.data.acs_url); // https://api.example.com/auth/sso/t/{tenant_id}/okta/callback
1064
+ * console.log(spInfo.data.tenant_id); // The tenant UUID used in the URLs
1065
+ * ```
1066
+ */
1067
+ ssoGetSPInfo(slug: string, tenantId?: string): Promise<ResponseWrapper<SsoSPInfoResp>>;
1068
+ rbacListPermissions(): Promise<ResponseWrapper<RbacPermissionsResp>>;
1069
+ rbacListRoles(params?: {
1070
+ tenant_id?: string;
1071
+ }): Promise<ResponseWrapper<RbacRolesResp>>;
1072
+ rbacCreateRole(body: Omit<RbacCreateRoleReq, 'tenant_id'> & {
1073
+ tenant_id?: string;
1074
+ }): Promise<ResponseWrapper<RbacRoleItem>>;
1075
+ rbacUpdateRole(id: string, body: Omit<RbacUpdateRoleReq, 'tenant_id'> & {
1076
+ tenant_id?: string;
1077
+ }): Promise<ResponseWrapper<RbacRoleItem>>;
1078
+ rbacDeleteRole(id: string, params?: {
1079
+ tenant_id?: string;
1080
+ }): Promise<ResponseWrapper<unknown>>;
1081
+ rbacListUserRoles(userId: string, params?: {
1082
+ tenant_id?: string;
1083
+ }): Promise<ResponseWrapper<RbacUserRolesResp>>;
1084
+ rbacAddUserRole(userId: string, body: Omit<RbacModifyUserRoleReq, 'tenant_id'> & {
1085
+ tenant_id?: string;
1086
+ }): Promise<ResponseWrapper<unknown>>;
1087
+ rbacRemoveUserRole(userId: string, body: Omit<RbacModifyUserRoleReq, 'tenant_id'> & {
1088
+ tenant_id?: string;
1089
+ }): Promise<ResponseWrapper<unknown>>;
1090
+ rbacUpsertRolePermission(roleId: string, body: RbacRolePermissionReq): Promise<ResponseWrapper<unknown>>;
1091
+ rbacDeleteRolePermission(roleId: string, body: RbacRolePermissionReq): Promise<ResponseWrapper<unknown>>;
1092
+ rbacResolveUserPermissions(userId: string, params: {
1093
+ tenant_id?: string;
1094
+ }): Promise<ResponseWrapper<RbacResolvedPermissionsResp>>;
1095
+ fgaListGroups(params: {
1096
+ tenant_id?: string;
1097
+ }): Promise<ResponseWrapper<FgaGroupsResp>>;
1098
+ fgaCreateGroup(body: {
1099
+ tenant_id?: string;
1100
+ name: string;
1101
+ description?: string | null;
1102
+ }): Promise<ResponseWrapper<FgaGroup>>;
1103
+ fgaDeleteGroup(id: string, params: {
1104
+ tenant_id?: string;
1105
+ }): Promise<ResponseWrapper<unknown>>;
1106
+ fgaAddGroupMember(groupId: string, body: {
1107
+ user_id: string;
1108
+ }): Promise<ResponseWrapper<unknown>>;
1109
+ fgaRemoveGroupMember(groupId: string, body: {
1110
+ user_id: string;
1111
+ }): Promise<ResponseWrapper<unknown>>;
1112
+ fgaCreateAclTuple(body: {
1113
+ tenant_id?: string;
1114
+ subject_type: string;
1115
+ subject_id: string;
1116
+ permission_key: string;
1117
+ object_type: string;
1118
+ object_id?: string | null;
1119
+ created_by?: string | null;
1120
+ }): Promise<ResponseWrapper<FgaAclTuple>>;
1121
+ fgaDeleteAclTuple(body: {
1122
+ tenant_id?: string;
1123
+ subject_type: string;
1124
+ subject_id: string;
1125
+ permission_key: string;
1126
+ object_type: string;
1127
+ object_id?: string | null;
1128
+ }): Promise<ResponseWrapper<unknown>>;
1129
+ /**
1130
+ * Fetch OAuth 2.0 Authorization Server Metadata (RFC 8414)
1131
+ * Returns server capabilities including supported auth modes, endpoints, and grant types.
1132
+ * This endpoint is public and does not require authentication.
1133
+ */
1134
+ getOAuth2Metadata(): Promise<ResponseWrapper<OAuth2MetadataResp>>;
1135
+ /**
1136
+ * Static helper to discover OAuth2 metadata from any Guard API base URL.
1137
+ * Useful for auto-configuration before creating a GuardClient instance.
1138
+ *
1139
+ * @example
1140
+ * ```ts
1141
+ * const metadata = await GuardClient.discover('https://api.example.com');
1142
+ * console.log(metadata.guard_auth_modes_supported); // ['bearer', 'cookie']
1143
+ * console.log(metadata.guard_auth_mode_default); // 'bearer'
1144
+ *
1145
+ * // Create client with discovered default auth mode
1146
+ * const client = new GuardClient({
1147
+ * baseUrl: 'https://api.example.com',
1148
+ * authMode: metadata.guard_auth_mode_default as 'bearer' | 'cookie'
1149
+ * });
1150
+ * ```
1151
+ */
1152
+ static discover(baseUrl: string, fetchImpl?: FetchLike): Promise<OAuth2MetadataResp>;
1153
+ }
1154
+
1155
+ declare function generateTOTPCode(base32Secret: string): string;
1156
+
1157
+ export { type AdminUser, type AdminUsersResp, ApiError, type AsyncStorageLike, type AuthMethod, type CreateSsoProviderReq, type DiscoverTenantsResp, type FetchLike, type FgaAclTuple, type FgaGroup, type FgaGroupsResp, GuardClient, type GuardClientOptions, type HeadersMap, HttpClient, InMemoryStorage, type Interceptors, type LoginOptionsResp, type Meta, RateLimitError, type RequestInterceptor, type ResponseInterceptor, type ResponseWrapper, type SessionItem, type SessionsListResp, type SsoLinkingPolicy, type SsoPortalContext, type SsoPortalSessionResp, type SsoProvider, type SsoProviderItem, type SsoProviderOption, type SsoProviderSlug, type SsoProviderType, type SsoProvidersListResp, type SsoSPInfoResp, type SsoTestProviderResp, type TenantId, type TenantOption, type TenantSelectionRequiredResp, type TenantSettingsPutRequest, type TenantSettingsResponse, type TenantSummary, type TokenProvider, type TokenStorage, type TransportOptions, type UpdateSsoProviderReq, WebLocalStorage, applyRequestInterceptors, applyResponseInterceptors, buildRateLimitError, generateTOTPCode, isApiError, isMfaChallengeResp, isRateLimitError, isTenantSelectionRequired, isTokensResp, noopStorage, parseRetryAfter, reactNativeStorageAdapter, toHeadersMap };