@corvushold/guard-sdk 0.7.0 → 0.8.1

package/dist/index.js

@@ -229,11 +229,11 @@ var HttpClient = class {
       } catch {
       }
       if (status === 429) {
-        throw buildRateLimitError({ status, message: body && body.message || "Too Many Requests", requestId, headers: res2.headers, raw: body });
+        throw buildRateLimitError({ status, message: body && (body.message || body.error) || "Too Many Requests", requestId, headers: res2.headers, raw: body });
       }
       throw new ApiError({
         status,
-        message: body && body.message || res2.statusText || `HTTP ${status}`,
+        message: body && (body.message || body.error) || res2.statusText || `HTTP ${status}`,
         code: body && body.code ? String(body.code) : void 0,
         requestId,
         headers: toHeadersMap(res2.headers),
@@ -277,7 +277,7 @@ var HttpClient = class {
 
 // package.json
 var package_default = {
-  version: "0.7.0"};
+  version: "0.8.1"};
 
 // src/client.ts
 function isTenantSelectionRequired(data) {
@@ -355,7 +355,7 @@ var GuardClient = class {
   }
   // Auth: Password login -> returns tokens (200) or MFA challenge (202)
   async passwordLogin(body) {
-    const res = await this.request("/v1/auth/password/login", {
+    const res = await this.request("/api/v1/auth/password/login", {
       method: "POST",
       body: JSON.stringify({ ...body, tenant_id: body.tenant_id ?? this.tenantId })
     });
@@ -364,7 +364,7 @@ var GuardClient = class {
   }
   // Auth: Password signup -> returns tokens (201 Created)
   async passwordSignup(body) {
-    const res = await this.request("/v1/auth/password/signup", {
+    const res = await this.request("/api/v1/auth/password/signup", {
       method: "POST",
       body: JSON.stringify({ ...body, tenant_id: body.tenant_id ?? this.tenantId })
     });
@@ -373,7 +373,7 @@ var GuardClient = class {
   }
   // Auth: Verify MFA challenge -> tokens
   async mfaVerify(body) {
-    const res = await this.request("/v1/auth/mfa/verify", {
+    const res = await this.request("/api/v1/auth/mfa/verify", {
       method: "POST",
       body: JSON.stringify(body)
     });
@@ -384,7 +384,7 @@ var GuardClient = class {
   async refresh(body) {
     let refreshToken = body?.refresh_token ?? null;
     if (!refreshToken) refreshToken = await Promise.resolve(this.storage.getRefreshToken()) ?? null;
-    const res = await this.request("/v1/auth/refresh", {
+    const res = await this.request("/api/v1/auth/refresh", {
       method: "POST",
       body: JSON.stringify({ refresh_token: refreshToken })
     });
@@ -394,7 +394,7 @@ var GuardClient = class {
   // Auth: Logout (revoke refresh token) -> 204
   async logout(body) {
     const b = body ?? {};
-    const res = await this.request("/v1/auth/logout", {
+    const res = await this.request("/api/v1/auth/logout", {
       method: "POST",
       body: JSON.stringify(b)
     });
@@ -405,14 +405,14 @@ var GuardClient = class {
   }
   // Auth: Current user profile
   async me() {
-    return this.request("/v1/auth/me", { method: "GET" });
+    return this.request("/api/v1/auth/me", { method: "GET" });
   }
   // Auth: Email discovery (progressive login)
   async emailDiscover(body) {
     const headers = {};
     const tid = body.tenant_id ?? this.tenantId;
     if (tid) headers["X-Tenant-ID"] = String(tid);
-    return this.request(`/v1/auth/email/discover`, {
+    return this.request(`/api/v1/auth/email/discover`, {
       method: "POST",
       headers,
       body: JSON.stringify({ email: body.email })
@@ -422,36 +422,36 @@ var GuardClient = class {
   async getLoginOptions(params) {
     const tid = params?.tenant_id ?? this.tenantId;
     const qs = this.buildQuery({ email: params?.email, tenant_id: tid });
-    return this.request(`/v1/auth/login-options${qs}`, { method: "GET" });
+    return this.request(`/api/v1/auth/login-options${qs}`, { method: "GET" });
   }
   // --- MFA self-service ---
   async mfaStartTotp() {
-    return this.request("/v1/auth/mfa/totp/start", { method: "POST" });
+    return this.request("/api/v1/auth/mfa/totp/start", { method: "POST" });
   }
   async mfaActivateTotp(body) {
-    return this.request("/v1/auth/mfa/totp/activate", { method: "POST", body: JSON.stringify(body) });
+    return this.request("/api/v1/auth/mfa/totp/activate", { method: "POST", body: JSON.stringify(body) });
   }
   async mfaDisableTotp() {
-    return this.request("/v1/auth/mfa/totp/disable", { method: "POST" });
+    return this.request("/api/v1/auth/mfa/totp/disable", { method: "POST" });
   }
   async mfaGenerateBackupCodes(body = {}) {
-    return this.request("/v1/auth/mfa/backup/generate", { method: "POST", body: JSON.stringify({ count: body.count ?? 5 }) });
+    return this.request("/api/v1/auth/mfa/backup/generate", { method: "POST", body: JSON.stringify({ count: body.count ?? 5 }) });
   }
   async mfaCountBackupCodes() {
-    return this.request("/v1/auth/mfa/backup/count", { method: "GET" });
+    return this.request("/api/v1/auth/mfa/backup/count", { method: "GET" });
   }
   // Tenants: Discover tenants for a given email (used by login tenant selection)
   async discoverTenants(params) {
     const qs = this.buildQuery({ email: params.email });
-    return this.request(`/v1/auth/tenants${qs}`, { method: "GET" });
+    return this.request(`/api/v1/auth/tenants${qs}`, { method: "GET" });
   }
   // Tenants: Create
   async createTenant(body) {
-    return this.request(`/tenants`, { method: "POST", body: JSON.stringify({ name: body.name }) });
+    return this.request(`/api/v1/tenants`, { method: "POST", body: JSON.stringify({ name: body.name }) });
   }
   // Tenants: Get by ID
   async getTenant(id) {
-    return this.request(`/tenants/${encodeURIComponent(id)}`, { method: "GET" });
+    return this.request(`/api/v1/tenants/${encodeURIComponent(id)}`, { method: "GET" });
   }
   // Tenants: List (admin)
   async listTenants(params = {}) {
@@ -461,18 +461,18 @@ var GuardClient = class {
       page_size: params.page_size,
       active: typeof params.active === "boolean" ? params.active ? 1 : 0 : params.active
     });
-    return this.request(`/tenants${qs}`, { method: "GET" });
+    return this.request(`/api/v1/tenants${qs}`, { method: "GET" });
   }
   // Auth: Introspect token (from header or body)
   async introspect(body) {
-    return this.request("/v1/auth/introspect", {
+    return this.request("/api/v1/auth/introspect", {
       method: "POST",
       body: JSON.stringify(body ?? {})
     });
   }
   // Auth: Magic link send
   async magicSend(body) {
-    return this.request("/v1/auth/magic/send", {
+    return this.request("/api/v1/auth/magic/send", {
       method: "POST",
       body: JSON.stringify(body)
     });
@@ -480,7 +480,7 @@ var GuardClient = class {
   // Auth: Magic verify (token in query preferred)
   async magicVerify(params = {}, body) {
     const qs = this.buildQuery(params);
-    const res = await this.request(`/v1/auth/magic/verify${qs}`, {
+    const res = await this.request(`/api/v1/auth/magic/verify${qs}`, {
       method: "GET",
       // Some servers accept body on GET per spec; include if provided
       ...body ? { body: JSON.stringify(body) } : {}
@@ -490,28 +490,28 @@ var GuardClient = class {
   }
   // Auth: Request password reset -> 202 (always, to prevent email enumeration)
   async passwordResetRequest(body) {
-    return this.request("/v1/auth/password/reset/request", {
+    return this.request("/api/v1/auth/password/reset/request", {
       method: "POST",
       body: JSON.stringify({ ...body, tenant_id: body.tenant_id ?? this.tenantId })
     });
   }
   // Auth: Confirm password reset -> 200 on success
   async passwordResetConfirm(body) {
-    return this.request("/v1/auth/password/reset/confirm", {
+    return this.request("/api/v1/auth/password/reset/confirm", {
       method: "POST",
       body: JSON.stringify({ ...body, tenant_id: body.tenant_id ?? this.tenantId })
     });
   }
   // Auth: Change password (requires auth) -> 200 on success
   async changePassword(body) {
-    return this.request("/v1/auth/password/change", {
+    return this.request("/api/v1/auth/password/change", {
       method: "POST",
       body: JSON.stringify(body)
     });
   }
   // Auth: Update profile (first/last name) -> 200 on success
   async updateProfile(body) {
-    return this.request("/v1/auth/profile", {
+    return this.request("/api/v1/auth/profile", {
       method: "PATCH",
       body: JSON.stringify(body)
     });
@@ -520,37 +520,37 @@ var GuardClient = class {
   async listUsers(params = {}) {
     const tenant = params.tenant_id ?? this.tenantId;
     const qs = this.buildQuery({ tenant_id: tenant });
-    return this.request(`/v1/auth/admin/users${qs}`, { method: "GET" });
+    return this.request(`/api/v1/auth/admin/users${qs}`, { method: "GET" });
   }
   // Admin: Update user names
   async updateUserNames(id, body) {
     const payload = {};
     if (typeof body?.first_name === "string") payload.first_name = body.first_name;
     if (typeof body?.last_name === "string") payload.last_name = body.last_name;
-    return this.request(`/v1/auth/admin/users/${encodeURIComponent(id)}`, {
+    return this.request(`/api/v1/auth/admin/users/${encodeURIComponent(id)}`, {
       method: "PATCH",
       body: JSON.stringify(payload)
     });
   }
   // Admin: Block user
   async blockUser(id) {
-    return this.request(`/v1/auth/admin/users/${encodeURIComponent(id)}/block`, { method: "POST" });
+    return this.request(`/api/v1/auth/admin/users/${encodeURIComponent(id)}/block`, { method: "POST" });
   }
   // Admin: Unblock user
   async unblockUser(id) {
-    return this.request(`/v1/auth/admin/users/${encodeURIComponent(id)}/unblock`, { method: "POST" });
+    return this.request(`/api/v1/auth/admin/users/${encodeURIComponent(id)}/unblock`, { method: "POST" });
   }
   // Admin: Verify user email (set email_verified=true)
   async verifyUserEmail(id) {
-    return this.request(`/v1/auth/admin/users/${encodeURIComponent(id)}/verify-email`, { method: "POST" });
+    return this.request(`/api/v1/auth/admin/users/${encodeURIComponent(id)}/verify-email`, { method: "POST" });
   }
   // Admin: Unverify user email (set email_verified=false)
   async unverifyUserEmail(id) {
-    return this.request(`/v1/auth/admin/users/${encodeURIComponent(id)}/unverify-email`, { method: "POST" });
+    return this.request(`/api/v1/auth/admin/users/${encodeURIComponent(id)}/unverify-email`, { method: "POST" });
   }
   // Sessions: List sessions. When includeAll=false, filter to active (non-revoked, not expired) client-side to match example app UX.
   async listSessions(options = {}) {
-    const res = await this.request("/v1/auth/sessions", { method: "GET", cache: "no-store" });
+    const res = await this.request("/api/v1/auth/sessions", { method: "GET", cache: "no-store" });
     if (res.meta.status >= 200 && res.meta.status < 300) {
       const includeAll = !!options.includeAll;
       const sessions = Array.isArray(res.data?.sessions) ? res.data.sessions : [];
@@ -568,17 +568,17 @@ var GuardClient = class {
   }
   // Sessions: Revoke session
   async revokeSession(id) {
-    return this.request(`/v1/auth/sessions/${encodeURIComponent(id)}/revoke`, { method: "POST" });
+    return this.request(`/api/v1/auth/sessions/${encodeURIComponent(id)}/revoke`, { method: "POST" });
   }
   // Tenants: Get settings
   async getTenantSettings(tenantId) {
     const id = tenantId ?? this.tenantId;
     if (!id) throw new Error("tenantId is required");
-    return this.request(`/v1/tenants/${encodeURIComponent(id)}/settings`, { method: "GET" });
+    return this.request(`/api/v1/tenants/${encodeURIComponent(id)}/settings`, { method: "GET" });
   }
   // Tenants: Update settings
   async updateTenantSettings(tenantId, settings) {
-    return this.request(`/v1/tenants/${encodeURIComponent(tenantId)}/settings`, {
+    return this.request(`/api/v1/tenants/${encodeURIComponent(tenantId)}/settings`, {
       method: "PUT",
       body: JSON.stringify(settings ?? {})
     });
@@ -606,7 +606,7 @@ var GuardClient = class {
       force_authn: params.force_authn
     });
     const res = await this.http.requestRaw(
-      `/auth/sso/t/${encodeURIComponent(tenant)}/${encodeURIComponent(providerSlug)}/login${qs}`,
+      `/api/v1/auth/sso/t/${encodeURIComponent(tenant)}/${encodeURIComponent(providerSlug)}/login${qs}`,
       { method: "GET", redirect: "manual" }
     );
     const loc = res.headers.get("location");
@@ -643,7 +643,7 @@ var GuardClient = class {
     if (!tenant) throw new Error("tenant_id is required for SSO callback");
     const qs = this.buildQuery({ code: params.code, state: params.state });
     const res = await this.request(
-      `/auth/sso/t/${encodeURIComponent(tenant)}/${encodeURIComponent(providerSlug)}/callback${qs}`,
+      `/api/v1/auth/sso/t/${encodeURIComponent(tenant)}/${encodeURIComponent(providerSlug)}/callback${qs}`,
       { method: "GET" }
     );
     if (res.meta.status === 200) this.persistTokensFrom(res.data);
@@ -696,20 +696,20 @@ var GuardClient = class {
   async getSsoOrganizationPortalLink(provider, params) {
     const tenant = params.tenant_id ?? this.tenantId;
     if (!tenant) throw new Error("tenant_id is required");
-    if (!params?.organization_id) throw new Error("organization_id is required");
+    if (provider === "workos" && !params?.organization_id) throw new Error("organization_id is required");
     const qs = this.buildQuery({
       tenant_id: tenant,
       organization_id: params.organization_id,
       intent: params.intent
     });
-    return this.request(`/v1/auth/sso/${provider}/portal-link${qs}`, { method: "GET" });
+    return this.request(`/api/v1/auth/sso/${provider}/portal-link${qs}`, { method: "GET" });
   }
   // SSO: Portal token session exchange (public, portal-token gated)
   async ssoPortalSession(token) {
     if (!token || typeof token !== "string") {
       throw new Error("token is required");
     }
-    return this.request("/v1/sso/portal/session", {
+    return this.request("/api/v1/sso/portal/session", {
       method: "POST",
       body: JSON.stringify({ token })
     });
@@ -720,7 +720,7 @@ var GuardClient = class {
       throw new Error("token is required");
     }
     const headers = { "X-Portal-Token": token };
-    return this.request("/v1/sso/portal/provider", {
+    return this.request("/api/v1/sso/portal/provider", {
       method: "GET",
       headers
     });
@@ -762,37 +762,37 @@ var GuardClient = class {
   async ssoListProviders(params = {}) {
     const tenant = params.tenant_id ?? this.tenantId;
     const qs = this.buildQuery({ tenant_id: tenant });
-    return this.request(`/v1/sso/providers${qs}`, { method: "GET" });
+    return this.request(`/api/v1/sso/providers${qs}`, { method: "GET" });
   }
   // Create a new SSO provider
   async ssoCreateProvider(body) {
-    return this.request("/v1/sso/providers", {
+    return this.request("/api/v1/sso/providers", {
       method: "POST",
       body: JSON.stringify(body)
     });
   }
   // Get a specific SSO provider by ID
   async ssoGetProvider(id) {
-    return this.request(`/v1/sso/providers/${encodeURIComponent(id)}`, {
+    return this.request(`/api/v1/sso/providers/${encodeURIComponent(id)}`, {
       method: "GET"
     });
   }
   // Update an existing SSO provider
   async ssoUpdateProvider(id, body) {
-    return this.request(`/v1/sso/providers/${encodeURIComponent(id)}`, {
+    return this.request(`/api/v1/sso/providers/${encodeURIComponent(id)}`, {
       method: "PUT",
       body: JSON.stringify(body)
     });
   }
   // Delete an SSO provider
   async ssoDeleteProvider(id) {
-    return this.request(`/v1/sso/providers/${encodeURIComponent(id)}`, {
+    return this.request(`/api/v1/sso/providers/${encodeURIComponent(id)}`, {
       method: "DELETE"
     });
   }
   // Test SSO provider configuration
   async ssoTestProvider(id) {
-    return this.request(`/v1/sso/providers/${encodeURIComponent(id)}/test`, {
+    return this.request(`/api/v1/sso/providers/${encodeURIComponent(id)}/test`, {
       method: "POST"
     });
   }
@@ -819,78 +819,78 @@ var GuardClient = class {
     const params = { slug };
     if (tenant) params.tenant_id = tenant;
     const qs = this.buildQuery(params);
-    return this.request(`/v1/sso/sp-info${qs}`, { method: "GET" });
+    return this.request(`/api/v1/sso/sp-info${qs}`, { method: "GET" });
   }
   // ==============================
   // RBAC v2 (Admin-only endpoints)
   // ==============================
   // RBAC: List all permissions (admin-only)
   async rbacListPermissions() {
-    return this.request("/v1/auth/admin/rbac/permissions", { method: "GET" });
+    return this.request("/api/v1/auth/admin/rbac/permissions", { method: "GET" });
   }
   // RBAC: List roles for a tenant
   async rbacListRoles(params = {}) {
     const tenant = params.tenant_id ?? this.tenantId;
     if (!tenant) throw new Error("tenant_id is required");
     const qs = this.buildQuery({ tenant_id: tenant });
-    return this.request(`/v1/auth/admin/rbac/roles${qs}`, { method: "GET" });
+    return this.request(`/api/v1/auth/admin/rbac/roles${qs}`, { method: "GET" });
   }
   // RBAC: Create role
   async rbacCreateRole(body) {
     const tenant = body.tenant_id ?? this.tenantId;
     if (!tenant) throw new Error("tenant_id is required");
     const payload = { tenant_id: tenant, name: body.name, description: body.description };
-    return this.request("/v1/auth/admin/rbac/roles", { method: "POST", body: JSON.stringify(payload) });
+    return this.request("/api/v1/auth/admin/rbac/roles", { method: "POST", body: JSON.stringify(payload) });
   }
   // RBAC: Update role
   async rbacUpdateRole(id, body) {
     const tenant = body.tenant_id ?? this.tenantId;
     if (!tenant) throw new Error("tenant_id is required");
     const payload = { tenant_id: tenant, name: body.name, description: body.description };
-    return this.request(`/v1/auth/admin/rbac/roles/${encodeURIComponent(id)}`, { method: "PATCH", body: JSON.stringify(payload) });
+    return this.request(`/api/v1/auth/admin/rbac/roles/${encodeURIComponent(id)}`, { method: "PATCH", body: JSON.stringify(payload) });
   }
   // RBAC: Delete role
   async rbacDeleteRole(id, params = {}) {
     const tenant = params.tenant_id ?? this.tenantId;
     if (!tenant) throw new Error("tenant_id is required");
     const qs = this.buildQuery({ tenant_id: tenant });
-    return this.request(`/v1/auth/admin/rbac/roles/${encodeURIComponent(id)}${qs}`, { method: "DELETE" });
+    return this.request(`/api/v1/auth/admin/rbac/roles/${encodeURIComponent(id)}${qs}`, { method: "DELETE" });
   }
   // RBAC: List user roles
   async rbacListUserRoles(userId, params = {}) {
     const tenant = params.tenant_id ?? this.tenantId;
     if (!tenant) throw new Error("tenant_id is required");
     const qs = this.buildQuery({ tenant_id: tenant });
-    return this.request(`/v1/auth/admin/rbac/users/${encodeURIComponent(userId)}/roles${qs}`, { method: "GET" });
+    return this.request(`/api/v1/auth/admin/rbac/users/${encodeURIComponent(userId)}/roles${qs}`, { method: "GET" });
   }
   // RBAC: Add user role
   async rbacAddUserRole(userId, body) {
     const tenant = body.tenant_id ?? this.tenantId;
     if (!tenant) throw new Error("tenant_id is required");
     const payload = { tenant_id: tenant, role_id: body.role_id };
-    return this.request(`/v1/auth/admin/rbac/users/${encodeURIComponent(userId)}/roles`, { method: "POST", body: JSON.stringify(payload) });
+    return this.request(`/api/v1/auth/admin/rbac/users/${encodeURIComponent(userId)}/roles`, { method: "POST", body: JSON.stringify(payload) });
   }
   // RBAC: Remove user role
   async rbacRemoveUserRole(userId, body) {
     const tenant = body.tenant_id ?? this.tenantId;
     if (!tenant) throw new Error("tenant_id is required");
     const payload = { tenant_id: tenant, role_id: body.role_id };
-    return this.request(`/v1/auth/admin/rbac/users/${encodeURIComponent(userId)}/roles`, { method: "DELETE", body: JSON.stringify(payload) });
+    return this.request(`/api/v1/auth/admin/rbac/users/${encodeURIComponent(userId)}/roles`, { method: "DELETE", body: JSON.stringify(payload) });
   }
   // RBAC: Upsert role permission
   async rbacUpsertRolePermission(roleId, body) {
-    return this.request(`/v1/auth/admin/rbac/roles/${encodeURIComponent(roleId)}/permissions`, { method: "POST", body: JSON.stringify(body) });
+    return this.request(`/api/v1/auth/admin/rbac/roles/${encodeURIComponent(roleId)}/permissions`, { method: "POST", body: JSON.stringify(body) });
   }
   // RBAC: Delete role permission
   async rbacDeleteRolePermission(roleId, body) {
-    return this.request(`/v1/auth/admin/rbac/roles/${encodeURIComponent(roleId)}/permissions`, { method: "DELETE", body: JSON.stringify(body) });
+    return this.request(`/api/v1/auth/admin/rbac/roles/${encodeURIComponent(roleId)}/permissions`, { method: "DELETE", body: JSON.stringify(body) });
   }
   // RBAC: Resolve user permissions
   async rbacResolveUserPermissions(userId, params) {
     const tenant = params?.tenant_id ?? this.tenantId;
     if (!tenant) throw new Error("tenant_id is required");
     const qs = this.buildQuery({ tenant_id: tenant });
-    return this.request(`/v1/auth/admin/rbac/users/${encodeURIComponent(userId)}/permissions/resolve${qs}`, { method: "GET" });
+    return this.request(`/api/v1/auth/admin/rbac/users/${encodeURIComponent(userId)}/permissions/resolve${qs}`, { method: "GET" });
   }
   // ==============================
   // FGA (Admin-only endpoints)
@@ -900,45 +900,45 @@ var GuardClient = class {
     const tenant = params?.tenant_id ?? this.tenantId;
     if (!tenant) throw new Error("tenant_id is required");
     const qs = this.buildQuery({ tenant_id: tenant });
-    return this.request(`/v1/auth/admin/fga/groups${qs}`, { method: "GET" });
+    return this.request(`/api/v1/auth/admin/fga/groups${qs}`, { method: "GET" });
   }
   // Groups: create
   async fgaCreateGroup(body) {
     const tenant = body?.tenant_id ?? this.tenantId;
     if (!tenant) throw new Error("tenant_id is required");
     const payload = { tenant_id: tenant, name: body.name, description: body?.description ?? null };
-    return this.request(`/v1/auth/admin/fga/groups`, { method: "POST", body: JSON.stringify(payload) });
+    return this.request(`/api/v1/auth/admin/fga/groups`, { method: "POST", body: JSON.stringify(payload) });
   }
   // Groups: delete
   async fgaDeleteGroup(id, params) {
     const tenant = params?.tenant_id ?? this.tenantId;
     if (!tenant) throw new Error("tenant_id is required");
     const qs = this.buildQuery({ tenant_id: tenant });
-    return this.request(`/v1/auth/admin/fga/groups/${encodeURIComponent(id)}${qs}`, { method: "DELETE" });
+    return this.request(`/api/v1/auth/admin/fga/groups/${encodeURIComponent(id)}${qs}`, { method: "DELETE" });
   }
   // Group membership: add
   async fgaAddGroupMember(groupId, body) {
     const payload = { user_id: body.user_id };
-    return this.request(`/v1/auth/admin/fga/groups/${encodeURIComponent(groupId)}/members`, { method: "POST", body: JSON.stringify(payload) });
+    return this.request(`/api/v1/auth/admin/fga/groups/${encodeURIComponent(groupId)}/members`, { method: "POST", body: JSON.stringify(payload) });
   }
   // Group membership: remove
   async fgaRemoveGroupMember(groupId, body) {
     const payload = { user_id: body.user_id };
-    return this.request(`/v1/auth/admin/fga/groups/${encodeURIComponent(groupId)}/members`, { method: "DELETE", body: JSON.stringify(payload) });
+    return this.request(`/api/v1/auth/admin/fga/groups/${encodeURIComponent(groupId)}/members`, { method: "DELETE", body: JSON.stringify(payload) });
   }
   // ACL tuples: create
   async fgaCreateAclTuple(body) {
     const tenant = body?.tenant_id ?? this.tenantId;
     if (!tenant) throw new Error("tenant_id is required");
     const payload = { ...body, tenant_id: tenant };
-    return this.request(`/v1/auth/admin/fga/acl/tuples`, { method: "POST", body: JSON.stringify(payload) });
+    return this.request(`/api/v1/auth/admin/fga/acl/tuples`, { method: "POST", body: JSON.stringify(payload) });
   }
   // ACL tuples: delete
   async fgaDeleteAclTuple(body) {
     const tenant = body?.tenant_id ?? this.tenantId;
     if (!tenant) throw new Error("tenant_id is required");
     const payload = { ...body, tenant_id: tenant };
-    return this.request(`/v1/auth/admin/fga/acl/tuples`, { method: "DELETE", body: JSON.stringify(payload) });
+    return this.request(`/api/v1/auth/admin/fga/acl/tuples`, { method: "DELETE", body: JSON.stringify(payload) });
   }
   // ==============================
   // OAuth2 Discovery (RFC 8414)