npm - @delopay/sdk - Versions diffs - 0.1.7 → 0.3.0 - Mend

@delopay/sdk 0.1.7 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.cjs CHANGED Viewed

@@ -47,11 +47,19 @@ var DelopayError = class extends Error {
     this.status = options.status;
     this.code = options.code;
     this.type = options.type;
+    if (options.requestId !== void 0) this.requestId = options.requestId;
+    if (options.rawBody !== void 0) this.rawBody = options.rawBody;
   }
 };
 var DelopayAuthenticationError = class extends DelopayError {
-  constructor(message = "Invalid API key") {
-    super(message, { status: 401, code: "AUTH_01", type: "authentication_error" });
+  constructor(message = "Invalid API key", options) {
+    super(message, {
+      status: 401,
+      code: "AUTH_01",
+      type: "authentication_error",
+      requestId: options?.requestId,
+      rawBody: options?.rawBody
+    });
     Object.setPrototypeOf(this, new.target.prototype);
     this.name = "DelopayAuthenticationError";
   }
@@ -71,16 +79,27 @@ var Admin = class {
   async createTenant(params) {
     return this.request("POST", "/admin/tenant_signup", { body: params });
   }
-  // --- Advanced operations (Task 4.10) ---
-  /** Set signup settings. `POST /admin/signup_settings` */
+  /**
+   * Create a new merchant admin user and merchant account atomically.
+   *
+   * This is the correct endpoint for bootstrapping the first admin user in a
+   * fresh deployment — `internal_signup`/`tenant_signup` both require
+   * pre-existing merchant records that don't exist on a clean database.
+   *
+   * `POST /admin/signup_with_merchant_id`
+   */
+  async signupWithMerchantId(params) {
+    return this.request("POST", "/admin/signup_with_merchant_id", { body: params });
+  }
+  /** Toggle public signup on/off. `POST /admin/settings/signup` */
   async setSignupSettings(params) {
-    return this.request("POST", "/admin/signup_settings", { body: params });
+    return this.request("POST", "/admin/settings/signup", { body: params });
   }
-  /** Get signup settings. `GET /admin/signup_settings` */
+  /** Read current public-signup status. `GET /admin/settings/signup` */
   async getSignupSettings() {
-    return this.request("GET", "/admin/signup_settings");
+    return this.request("GET", "/admin/settings/signup");
   }
-  /** Onboard a merchant. `POST /admin/onboard_merchant` */
+  /** Full merchant bootstrap — user + merchant + project + profile + keys. `POST /admin/onboard_merchant` */
   async onboardMerchant(params) {
     return this.request("POST", "/admin/onboard_merchant", { body: params });
   }
@@ -97,7 +116,7 @@ var AdminPortal = class {
     });
   }
   async getCustomer(customerId) {
-    return this.request("GET", `/admin-portal/customers/${customerId}`);
+    return this.request("GET", `/admin-portal/customers/${encodeURIComponent(customerId)}`);
   }
   async listTransactions(params) {
     return this.request("GET", "/admin-portal/transactions", {
@@ -137,7 +156,7 @@ var ApiKeys = class {
    * ```
    */
   async create(merchantId, params) {
-    return this.request("POST", `/api_keys/${merchantId}`, { body: params });
+    return this.request("POST", `/api_keys/${encodeURIComponent(merchantId)}`, { body: params });
   }
   /**
    * Retrieve metadata about an API key (does not return the plaintext secret).
@@ -147,7 +166,10 @@ var ApiKeys = class {
    * @returns The API key metadata.
    */
   async retrieve(merchantId, keyId) {
-    return this.request("GET", `/api_keys/${merchantId}/${keyId}`);
+    return this.request(
+      "GET",
+      `/api_keys/${encodeURIComponent(merchantId)}/${encodeURIComponent(keyId)}`
+    );
   }
   /**
    * Update an API key's name or expiry.
@@ -158,7 +180,11 @@ var ApiKeys = class {
    * @returns The updated API key metadata.
    */
   async update(merchantId, keyId, params) {
-    return this.request("POST", `/api_keys/${merchantId}/${keyId}`, { body: params });
+    return this.request(
+      "POST",
+      `/api_keys/${encodeURIComponent(merchantId)}/${encodeURIComponent(keyId)}`,
+      { body: params }
+    );
   }
   /**
    * Revoke an API key, immediately invalidating it.
@@ -168,7 +194,10 @@ var ApiKeys = class {
    * @returns Revocation confirmation.
    */
   async revoke(merchantId, keyId) {
-    return this.request("DELETE", `/api_keys/${merchantId}/${keyId}`);
+    return this.request(
+      "DELETE",
+      `/api_keys/${encodeURIComponent(merchantId)}/${encodeURIComponent(keyId)}`
+    );
   }
   /**
    * List all API keys for a merchant.
@@ -177,7 +206,7 @@ var ApiKeys = class {
    * @returns Array of API key metadata objects.
    */
   async list(merchantId) {
-    return this.request("GET", `/api_keys/${merchantId}/list`);
+    return this.request("GET", `/api_keys/${encodeURIComponent(merchantId)}/list`);
   }
 };
@@ -192,7 +221,7 @@ var AuditLogs = class {
     });
   }
   async retrieve(logId) {
-    return this.request("GET", `/admin-portal/audit/${logId}`);
+    return this.request("GET", `/admin-portal/audit/${encodeURIComponent(logId)}`);
   }
 };
@@ -205,27 +234,39 @@ var Authentication = class {
     return this.request("POST", "/authentication", { body: params });
   }
   async checkEligibility(authId) {
-    return this.request("POST", `/authentication/${authId}/eligibility`);
+    return this.request("POST", `/authentication/${encodeURIComponent(authId)}/eligibility`);
   }
   async authenticate(authId, params) {
-    return this.request("POST", `/authentication/${authId}/authenticate`, { body: params });
+    return this.request("POST", `/authentication/${encodeURIComponent(authId)}/authenticate`, {
+      body: params
+    });
   }
   async sync(authId, params) {
-    return this.request("POST", `/authentication/${authId}/sync`, { body: params });
+    return this.request("POST", `/authentication/${encodeURIComponent(authId)}/sync`, {
+      body: params
+    });
   }
   /** Redirect after authentication. `POST /authentication/{authId}/redirect` */
   async redirect(authId, params) {
-    return this.request("POST", `/authentication/${authId}/redirect`, { body: params });
+    return this.request("POST", `/authentication/${encodeURIComponent(authId)}/redirect`, {
+      body: params
+    });
   }
   /** Enable authn methods token. `POST /authentication/{authId}/enabled_authn_methods_token` */
   async enabledAuthnMethodsToken(authId, params) {
-    return this.request("POST", `/authentication/${authId}/enabled_authn_methods_token`, {
-      body: params
-    });
+    return this.request(
+      "POST",
+      `/authentication/${encodeURIComponent(authId)}/enabled_authn_methods_token`,
+      {
+        body: params
+      }
+    );
   }
   /** Submit eligibility check. `POST /authentication/{authId}/eligibility-check` */
   async eligibilityCheck(authId, params) {
-    return this.request("POST", `/authentication/${authId}/eligibility-check`, { body: params });
+    return this.request("POST", `/authentication/${encodeURIComponent(authId)}/eligibility-check`, {
+      body: params
+    });
   }
 };
@@ -242,7 +283,11 @@ var BillingAllocations = class {
    * @returns The allocation transfer result.
    */
   async transferIn(merchantId, params) {
-    return this.request("POST", `/billing/${merchantId}/allocations/transfer-in`, { body: params });
+    return this.request(
+      "POST",
+      `/billing/${encodeURIComponent(merchantId)}/allocations/transfer-in`,
+      { body: params }
+    );
   }
   /**
    * Transfer funds from a shop's allocation back to the host merchant treasury.
@@ -252,9 +297,13 @@ var BillingAllocations = class {
    * @returns The allocation transfer result.
    */
   async transferOut(merchantId, params) {
-    return this.request("POST", `/billing/${merchantId}/allocations/transfer-out`, {
-      body: params
-    });
+    return this.request(
+      "POST",
+      `/billing/${encodeURIComponent(merchantId)}/allocations/transfer-out`,
+      {
+        body: params
+      }
+    );
   }
   /**
    * List all shop balance allocations for a merchant.
@@ -263,7 +312,7 @@ var BillingAllocations = class {
    * @returns List of shop allocations.
    */
   async list(merchantId) {
-    return this.request("GET", `/billing/${merchantId}/allocations`);
+    return this.request("GET", `/billing/${encodeURIComponent(merchantId)}/allocations`);
   }
   /**
    * Get the balance allocation for a specific shop.
@@ -273,7 +322,10 @@ var BillingAllocations = class {
    * @returns The shop's balance allocation.
    */
   async get(merchantId, profileId) {
-    return this.request("GET", `/billing/${merchantId}/allocations/${profileId}`);
+    return this.request(
+      "GET",
+      `/billing/${encodeURIComponent(merchantId)}/allocations/${encodeURIComponent(profileId)}`
+    );
   }
 };
 var Billing = class {
@@ -294,7 +346,7 @@ var Billing = class {
    * ```
    */
   async getProfile(merchantId) {
-    return this.request("GET", `/billing/${merchantId}`);
+    return this.request("GET", `/billing/${encodeURIComponent(merchantId)}`);
   }
   /**
    * Start a Stripe SetupIntent flow to collect a payment card for auto-recharge.
@@ -304,7 +356,9 @@ var Billing = class {
    * @returns The Stripe client secret needed to render the card element.
    */
   async setup(merchantId, params) {
-    return this.request("POST", `/billing/${merchantId}/setup`, { body: params });
+    return this.request("POST", `/billing/${encodeURIComponent(merchantId)}/setup`, {
+      body: params
+    });
   }
   /**
    * Confirm card setup after the Stripe SetupIntent completes on the frontend.
@@ -314,7 +368,9 @@ var Billing = class {
    * @returns The updated billing profile.
    */
   async completeSetup(merchantId, params) {
-    return this.request("POST", `/billing/${merchantId}/setup/complete`, { body: params });
+    return this.request("POST", `/billing/${encodeURIComponent(merchantId)}/setup/complete`, {
+      body: params
+    });
   }
   /**
    * Manually top up a merchant's prepaid balance by charging their saved card.
@@ -324,7 +380,9 @@ var Billing = class {
    * @returns The top-up result.
    */
   async topup(merchantId, params) {
-    return this.request("POST", `/billing/${merchantId}/topup`, { body: params });
+    return this.request("POST", `/billing/${encodeURIComponent(merchantId)}/topup`, {
+      body: params
+    });
   }
   /**
    * List the balance ledger (credits and debits) for a merchant.
@@ -334,7 +392,7 @@ var Billing = class {
    * @returns The ledger entries.
    */
   async listLedger(merchantId, params) {
-    return this.request("GET", `/billing/${merchantId}/ledger`, {
+    return this.request("GET", `/billing/${encodeURIComponent(merchantId)}/ledger`, {
       query: params
     });
   }
@@ -346,7 +404,9 @@ var Billing = class {
    * @returns The updated billing profile.
    */
   async updateAutoRecharge(merchantId, params) {
-    return this.request("PATCH", `/billing/${merchantId}/auto-recharge`, { body: params });
+    return this.request("PATCH", `/billing/${encodeURIComponent(merchantId)}/auto-recharge`, {
+      body: params
+    });
   }
   /**
    * Admin: manually credit a merchant's balance (e.g. promotional credit).
@@ -356,7 +416,9 @@ var Billing = class {
    * @returns The adjustment result.
    */
   async adminCredit(merchantId, params) {
-    return this.request("POST", `/billing/${merchantId}/admin/credit`, { body: params });
+    return this.request("POST", `/billing/${encodeURIComponent(merchantId)}/admin/credit`, {
+      body: params
+    });
   }
   /**
    * Admin: manually debit a merchant's balance.
@@ -366,7 +428,9 @@ var Billing = class {
    * @returns The adjustment result.
    */
   async adminDebit(merchantId, params) {
-    return this.request("POST", `/billing/${merchantId}/admin/debit`, { body: params });
+    return this.request("POST", `/billing/${encodeURIComponent(merchantId)}/admin/debit`, {
+      body: params
+    });
   }
 };
@@ -400,7 +464,7 @@ var CardIssuers = class {
     return this.request("POST", "/card_issuers", { body: params });
   }
   async update(issuerId, params) {
-    return this.request("PUT", `/card_issuers/${issuerId}`, { body: params });
+    return this.request("PUT", `/card_issuers/${encodeURIComponent(issuerId)}`, { body: params });
   }
   async list() {
     return this.request("GET", "/card_issuers");
@@ -413,21 +477,33 @@ var Connectors = class {
     this.request = request;
   }
   async create(accountId, params) {
-    return this.request("POST", `/account/${accountId}/connectors`, { body: params });
+    return this.request("POST", `/account/${encodeURIComponent(accountId)}/connectors`, {
+      body: params
+    });
   }
   async retrieve(accountId, connectorId) {
-    return this.request("GET", `/account/${accountId}/connectors/${connectorId}`);
+    return this.request(
+      "GET",
+      `/account/${encodeURIComponent(accountId)}/connectors/${encodeURIComponent(connectorId)}`
+    );
   }
   async list(accountId) {
-    return this.request("GET", `/account/${accountId}/connectors`);
+    return this.request("GET", `/account/${encodeURIComponent(accountId)}/connectors`);
   }
   async update(accountId, connectorId, params) {
-    return this.request("POST", `/account/${accountId}/connectors/${connectorId}`, {
-      body: params
-    });
+    return this.request(
+      "POST",
+      `/account/${encodeURIComponent(accountId)}/connectors/${encodeURIComponent(connectorId)}`,
+      {
+        body: params
+      }
+    );
   }
   async delete(accountId, connectorId) {
-    return this.request("DELETE", `/account/${accountId}/connectors/${connectorId}`);
+    return this.request(
+      "DELETE",
+      `/account/${encodeURIComponent(accountId)}/connectors/${encodeURIComponent(connectorId)}`
+    );
   }
   // --- Advanced operations (Task 4.8) ---
   /** Verify connector credentials. `POST /account/connectors/verify` */
@@ -436,11 +512,17 @@ var Connectors = class {
   }
   /** Register a webhook for a connector. `POST /account/{merchantId}/connectors/webhooks/{connectorId}` */
   async registerWebhook(merchantId, connectorId) {
-    return this.request("POST", `/account/${merchantId}/connectors/webhooks/${connectorId}`);
+    return this.request(
+      "POST",
+      `/account/${encodeURIComponent(merchantId)}/connectors/webhooks/${encodeURIComponent(connectorId)}`
+    );
   }
   /** Get a webhook for a connector. `GET /account/{merchantId}/connectors/webhooks/{connectorId}` */
   async getWebhook(merchantId, connectorId) {
-    return this.request("GET", `/account/${merchantId}/connectors/webhooks/${connectorId}`);
+    return this.request(
+      "GET",
+      `/account/${encodeURIComponent(merchantId)}/connectors/webhooks/${encodeURIComponent(connectorId)}`
+    );
   }
   /** List available payment methods. `GET /account/payment_methods` */
   async listPaymentMethods() {
@@ -482,7 +564,7 @@ var Customers = class {
    * ```
    */
   async retrieve(customerId) {
-    return this.request("GET", `/customers/${customerId}`);
+    return this.request("GET", `/customers/${encodeURIComponent(customerId)}`);
   }
   /**
    * Update an existing customer's details.
@@ -492,7 +574,7 @@ var Customers = class {
    * @returns The updated customer.
    */
   async update(customerId, params) {
-    return this.request("POST", `/customers/${customerId}`, { body: params });
+    return this.request("POST", `/customers/${encodeURIComponent(customerId)}`, { body: params });
   }
   /**
    * Delete a customer and all their saved payment methods.
@@ -501,7 +583,7 @@ var Customers = class {
    * @returns The deleted customer object.
    */
   async delete(customerId) {
-    return this.request("DELETE", `/customers/${customerId}`);
+    return this.request("DELETE", `/customers/${encodeURIComponent(customerId)}`);
   }
   /**
    * List customers, optionally filtered by email.
@@ -523,7 +605,7 @@ var Customers = class {
   }
   /** List mandates for a customer. `GET /customers/{customerId}/mandates` */
   async listMandates(customerId) {
-    return this.request("GET", `/customers/${customerId}/mandates`);
+    return this.request("GET", `/customers/${encodeURIComponent(customerId)}/mandates`);
   }
 };
@@ -539,7 +621,7 @@ var Disputes = class {
    * @returns The dispute.
    */
   async retrieve(disputeId) {
-    return this.request("GET", `/disputes/${disputeId}`);
+    return this.request("GET", `/disputes/${encodeURIComponent(disputeId)}`);
   }
   /**
    * List disputes, optionally filtered by status, stage, or date range.
@@ -559,7 +641,7 @@ var Disputes = class {
    * @returns The updated dispute.
    */
   async accept(disputeId) {
-    return this.request("POST", `/disputes/accept/${disputeId}`);
+    return this.request("POST", `/disputes/accept/${encodeURIComponent(disputeId)}`);
   }
   /**
    * Submit evidence to challenge a dispute.
@@ -585,7 +667,7 @@ var Disputes = class {
    * @returns The submitted evidence.
    */
   async retrieveEvidence(disputeId) {
-    return this.request("GET", `/disputes/evidence/${disputeId}`);
+    return this.request("GET", `/disputes/evidence/${encodeURIComponent(disputeId)}`);
   }
   /**
    * Delete submitted evidence for a dispute.
@@ -619,9 +701,17 @@ var Disputes = class {
   async aggregateByProfile(params) {
     return this.request("GET", "/disputes/profile/aggregate", { query: params });
   }
-  /** Fetch dispute from connector. `POST /disputes/{disputeId}/fetch_from_connector` */
-  async fetchFromConnector(disputeId) {
-    return this.request("POST", `/disputes/${disputeId}/fetch_from_connector`);
+  /**
+   * Fetch the latest dispute state from the connector (gateway).
+   * `GET /disputes/{connectorId}/fetch`
+   *
+   * Note: the path parameter is the **connector dispute id** on the gateway, not the
+   * Delopay dispute id. Method is GET (not POST) and this method signature was
+   * previously wrong — callers depending on the old `POST /disputes/{id}/fetch_from_connector`
+   * path were silently hitting 404s.
+   */
+  async fetchFromConnector(connectorId) {
+    return this.request("GET", `/disputes/${encodeURIComponent(connectorId)}/fetch`);
   }
 };
@@ -652,7 +742,7 @@ var EphemeralKeys = class {
    * @returns The deleted key object.
    */
   async delete(keyId) {
-    return this.request("DELETE", `/ephemeral_keys/${keyId}`);
+    return this.request("DELETE", `/ephemeral_keys/${encodeURIComponent(keyId)}`);
   }
 };
@@ -662,13 +752,19 @@ var Events = class {
     this.request = request;
   }
   async list(merchantId, params) {
-    return this.request("POST", `/events/${merchantId}`, { body: params });
+    return this.request("POST", `/events/${encodeURIComponent(merchantId)}`, { body: params });
   }
   async listDeliveryAttempts(merchantId, eventId) {
-    return this.request("GET", `/events/${merchantId}/${eventId}/attempts`);
+    return this.request(
+      "GET",
+      `/events/${encodeURIComponent(merchantId)}/${encodeURIComponent(eventId)}/attempts`
+    );
   }
   async retryDelivery(merchantId, eventId) {
-    return this.request("POST", `/events/${merchantId}/${eventId}/retry`);
+    return this.request(
+      "POST",
+      `/events/${encodeURIComponent(merchantId)}/${encodeURIComponent(eventId)}/retry`
+    );
   }
   // --- Profile-scoped listing (Task 4.12) ---
   /** List events (profile-scoped). `POST /events/profile/list` */
@@ -713,7 +809,7 @@ var PlatformFees = class {
    * @returns The fee schedule.
    */
   async retrieve(feeId) {
-    return this.request("GET", `/admin/fees/${feeId}`);
+    return this.request("GET", `/admin/fees/${encodeURIComponent(feeId)}`);
   }
   /**
    * Update a fee schedule (admin only).
@@ -723,7 +819,7 @@ var PlatformFees = class {
    * @returns The updated fee schedule.
    */
   async update(feeId, params) {
-    return this.request("PUT", `/admin/fees/${feeId}`, { body: params });
+    return this.request("PUT", `/admin/fees/${encodeURIComponent(feeId)}`, { body: params });
   }
   /**
    * Delete a fee schedule (admin only).
@@ -732,7 +828,7 @@ var PlatformFees = class {
    * @returns The deleted fee schedule.
    */
   async delete(feeId) {
-    return this.request("DELETE", `/admin/fees/${feeId}`);
+    return this.request("DELETE", `/admin/fees/${encodeURIComponent(feeId)}`);
   }
 };
 var MerchantFees = class {
@@ -771,7 +867,7 @@ var MerchantFees = class {
    * @returns The updated fee schedule.
    */
   async update(feeId, params) {
-    return this.request("PUT", `/merchant_fees/${feeId}`, { body: params });
+    return this.request("PUT", `/merchant_fees/${encodeURIComponent(feeId)}`, { body: params });
   }
   /**
    * Delete a merchant-scoped fee schedule.
@@ -780,7 +876,7 @@ var MerchantFees = class {
    * @returns The deleted fee schedule.
    */
   async delete(feeId) {
-    return this.request("DELETE", `/merchant_fees/${feeId}`);
+    return this.request("DELETE", `/merchant_fees/${encodeURIComponent(feeId)}`);
   }
 };
 var Fees = class {
@@ -821,7 +917,7 @@ var Mandates = class {
    * @returns The mandate.
    */
   async retrieve(mandateId) {
-    return this.request("GET", `/mandates/${mandateId}`);
+    return this.request("GET", `/mandates/${encodeURIComponent(mandateId)}`);
   }
   /**
    * Revoke an active mandate, preventing future charges.
@@ -830,7 +926,7 @@ var Mandates = class {
    * @returns Revocation confirmation.
    */
   async revoke(mandateId) {
-    return this.request("POST", `/mandates/revoke/${mandateId}`);
+    return this.request("POST", `/mandates/revoke/${encodeURIComponent(mandateId)}`);
   }
   /**
    * List mandates, optionally filtered by customer or status.
@@ -854,13 +950,13 @@ var MerchantAccounts = class {
     return this.request("POST", "/accounts", { body: params });
   }
   async retrieve(accountId) {
-    return this.request("GET", `/accounts/${accountId}`);
+    return this.request("GET", `/accounts/${encodeURIComponent(accountId)}`);
   }
   async update(accountId, params) {
-    return this.request("POST", `/accounts/${accountId}`, { body: params });
+    return this.request("POST", `/accounts/${encodeURIComponent(accountId)}`, { body: params });
   }
   async delete(accountId) {
-    return this.request("DELETE", `/accounts/${accountId}`);
+    return this.request("DELETE", `/accounts/${encodeURIComponent(accountId)}`);
   }
   // --- Advanced operations (Task 4.9) ---
   /** List all merchant accounts. `GET /accounts/list` */
@@ -869,15 +965,15 @@ var MerchantAccounts = class {
   }
   /** Toggle key-value store for a merchant. `POST /accounts/{accountId}/kv` */
   async toggleKv(accountId) {
-    return this.request("POST", `/accounts/${accountId}/kv`);
+    return this.request("POST", `/accounts/${encodeURIComponent(accountId)}/kv`);
   }
   /** Get KV status for a merchant. `GET /accounts/{accountId}/kv` */
   async getKvStatus(accountId) {
-    return this.request("GET", `/accounts/${accountId}/kv`);
+    return this.request("GET", `/accounts/${encodeURIComponent(accountId)}/kv`);
   }
-  /** Transfer keys between merchants. `POST /accounts/transfer_keys` */
+  /** Transfer keys between merchants. `POST /accounts/transfer` */
   async transferKeys(params) {
-    return this.request("POST", "/accounts/transfer_keys", { body: params });
+    return this.request("POST", "/accounts/transfer", { body: params });
   }
 };
@@ -893,7 +989,7 @@ var PaymentLinks = class {
    * @returns The payment link details.
    */
   async retrieve(linkId) {
-    return this.request("GET", `/payment_link/${linkId}`);
+    return this.request("GET", `/payment_link/${encodeURIComponent(linkId)}`);
   }
   /**
    * List payment links, optionally filtered by status or date range.
@@ -906,11 +1002,17 @@ var PaymentLinks = class {
   }
   /** Initiate (render) a payment link page. `GET /payment_link/{merchantId}/{paymentId}` */
   async initiate(merchantId, paymentId) {
-    return this.request("GET", `/payment_link/${merchantId}/${paymentId}`);
+    return this.request(
+      "GET",
+      `/payment_link/${encodeURIComponent(merchantId)}/${encodeURIComponent(paymentId)}`
+    );
   }
   /** Get payment link status. `GET /payment_linkstatus/{merchantId}/{paymentId}` */
   async status(merchantId, paymentId) {
-    return this.request("GET", `/payment_linkstatus/${merchantId}/${paymentId}`);
+    return this.request(
+      "GET",
+      `/payment_linkstatus/${encodeURIComponent(merchantId)}/${encodeURIComponent(paymentId)}`
+    );
   }
 };
@@ -944,7 +1046,7 @@ var PaymentMethods = class {
    * @returns The payment method.
    */
   async retrieve(methodId) {
-    return this.request("GET", `/payment_methods/${methodId}`);
+    return this.request("GET", `/payment_methods/${encodeURIComponent(methodId)}`);
   }
   /**
    * Update an existing payment method (e.g. update card expiry).
@@ -954,7 +1056,9 @@ var PaymentMethods = class {
    * @returns The updated payment method.
    */
   async update(methodId, params) {
-    return this.request("POST", `/payment_methods/${methodId}/update`, { body: params });
+    return this.request("POST", `/payment_methods/${encodeURIComponent(methodId)}/update`, {
+      body: params
+    });
   }
   /**
    * Delete a saved payment method.
@@ -963,7 +1067,7 @@ var PaymentMethods = class {
    * @returns Deletion confirmation.
    */
   async delete(methodId) {
-    return this.request("DELETE", `/payment_methods/${methodId}`);
+    return this.request("DELETE", `/payment_methods/${encodeURIComponent(methodId)}`);
   }
   /**
    * List payment methods using a client secret.
@@ -977,18 +1081,25 @@ var PaymentMethods = class {
     });
   }
   /**
-   * List all saved payment methods for a customer.
+   * List all saved payment methods for a customer, optionally filtered.
    *
    * @param customerId - The customer ID.
+   * @param params - Optional filters: `client_secret`, `accepted_countries`, `accepted_currencies`,
+   *   `amount`, `recurring_enabled`, `installment_payment_enabled`, `limit`, `card_networks`.
    * @returns Customer's saved payment methods.
    *
    * @example
    * ```typescript
-   * const { customer_payment_methods } = await delopay.paymentMethods.listForCustomer('cus_123');
+   * const { customer_payment_methods } = await delopay.paymentMethods.listForCustomer(
+   *   'cus_123',
+   *   { accepted_currencies: ['EUR'], amount: 5000 },
+   * );
    * ```
    */
-  async listForCustomer(customerId) {
-    return this.request("GET", `/customers/${customerId}/payment_methods`);
+  async listForCustomer(customerId, params) {
+    return this.request("GET", `/customers/${encodeURIComponent(customerId)}/payment_methods`, {
+      query: params
+    });
   }
   /**
    * Set a payment method as the default for a customer.
@@ -998,7 +1109,10 @@ var PaymentMethods = class {
    * @returns The updated payment method.
    */
   async setDefault(customerId, methodId) {
-    return this.request("POST", `/customers/${customerId}/payment_methods/${methodId}/default`);
+    return this.request(
+      "POST",
+      `/customers/${encodeURIComponent(customerId)}/payment_methods/${encodeURIComponent(methodId)}/default`
+    );
   }
   // --- Advanced operations (Task 3.3) ---
   /** Migrate a payment method. `POST /payment_methods/migrate` */
@@ -1031,7 +1145,9 @@ var PaymentMethods = class {
   }
   /** Save a payment method. `POST /payment_methods/{methodId}/save` */
   async save(methodId, params) {
-    return this.request("POST", `/payment_methods/${methodId}/save`, { body: params });
+    return this.request("POST", `/payment_methods/${encodeURIComponent(methodId)}/save`, {
+      body: params
+    });
   }
   /** Create payment method auth link token. `POST /payment_methods/auth/link` */
   async createAuthLink(params) {
@@ -1043,7 +1159,9 @@ var PaymentMethods = class {
   }
   /** Tokenize card using existing PM. `POST /payment_methods/{methodId}/tokenize-card` */
   async tokenizeCardForMethod(methodId, params) {
-    return this.request("POST", `/payment_methods/${methodId}/tokenize-card`, { body: params });
+    return this.request("POST", `/payment_methods/${encodeURIComponent(methodId)}/tokenize-card`, {
+      body: params
+    });
   }
 };
@@ -1082,7 +1200,7 @@ var Payments = class {
    * ```
    */
   async retrieve(paymentId) {
-    return this.request("GET", `/payments/${paymentId}`);
+    return this.request("GET", `/payments/${encodeURIComponent(paymentId)}`);
   }
   /**
    * Update an existing payment intent before it is confirmed.
@@ -1092,7 +1210,7 @@ var Payments = class {
    * @returns The updated payment intent.
    */
   async update(paymentId, params) {
-    return this.request("POST", `/payments/${paymentId}`, { body: params });
+    return this.request("POST", `/payments/${encodeURIComponent(paymentId)}`, { body: params });
   }
   /**
    * Confirm a payment intent, triggering authorisation with the selected gateway.
@@ -1102,7 +1220,9 @@ var Payments = class {
    * @returns The updated payment intent.
    */
   async confirm(paymentId, params) {
-    return this.request("POST", `/payments/${paymentId}/confirm`, { body: params });
+    return this.request("POST", `/payments/${encodeURIComponent(paymentId)}/confirm`, {
+      body: params
+    });
   }
   /**
    * Capture a previously authorised payment.
@@ -1112,7 +1232,9 @@ var Payments = class {
    * @returns The updated payment intent.
    */
   async capture(paymentId, params) {
-    return this.request("POST", `/payments/${paymentId}/capture`, { body: params });
+    return this.request("POST", `/payments/${encodeURIComponent(paymentId)}/capture`, {
+      body: params
+    });
   }
   /**
    * Cancel a payment intent that has not yet been captured.
@@ -1122,7 +1244,9 @@ var Payments = class {
    * @returns The updated payment intent.
    */
   async cancel(paymentId, params) {
-    return this.request("POST", `/payments/${paymentId}/cancel`, { body: params });
+    return this.request("POST", `/payments/${encodeURIComponent(paymentId)}/cancel`, {
+      body: params
+    });
   }
   /**
    * List payment intents, optionally filtered by customer or date range.
@@ -1151,33 +1275,47 @@ var Payments = class {
   }
   /** Cancel after partial capture. `POST /payments/{paymentId}/cancel_post_capture` */
   async cancelPostCapture(paymentId, params) {
-    return this.request("POST", `/payments/${paymentId}/cancel_post_capture`, { body: params });
+    return this.request("POST", `/payments/${encodeURIComponent(paymentId)}/cancel_post_capture`, {
+      body: params
+    });
   }
   /** Incrementally authorize more funds. `POST /payments/{paymentId}/incremental_authorization` */
   async incrementalAuthorization(paymentId, params) {
-    return this.request("POST", `/payments/${paymentId}/incremental_authorization`, {
-      body: params
-    });
+    return this.request(
+      "POST",
+      `/payments/${encodeURIComponent(paymentId)}/incremental_authorization`,
+      {
+        body: params
+      }
+    );
   }
   /** Extend authorization window. `POST /payments/{paymentId}/extend_authorization` */
   async extendAuthorization(paymentId, params) {
-    return this.request("POST", `/payments/${paymentId}/extend_authorization`, { body: params });
+    return this.request("POST", `/payments/${encodeURIComponent(paymentId)}/extend_authorization`, {
+      body: params
+    });
   }
   /** Complete authorization. `POST /payments/{paymentId}/complete_authorize` */
   async completeAuthorize(paymentId, params) {
-    return this.request("POST", `/payments/${paymentId}/complete_authorize`, { body: params });
+    return this.request("POST", `/payments/${encodeURIComponent(paymentId)}/complete_authorize`, {
+      body: params
+    });
   }
   /** Dynamic tax calculation. `POST /payments/{paymentId}/calculate_tax` */
   async calculateTax(paymentId, params) {
-    return this.request("POST", `/payments/${paymentId}/calculate_tax`, { body: params });
+    return this.request("POST", `/payments/${encodeURIComponent(paymentId)}/calculate_tax`, {
+      body: params
+    });
   }
   /** Update payment metadata. `POST /payments/{paymentId}/update_metadata` */
   async updateMetadata(paymentId, params) {
-    return this.request("POST", `/payments/${paymentId}/update_metadata`, { body: params });
+    return this.request("POST", `/payments/${encodeURIComponent(paymentId)}/update_metadata`, {
+      body: params
+    });
   }
   /** Retrieve extended card info. `GET /payments/{paymentId}/extended_card_info` */
   async extendedCardInfo(paymentId) {
-    return this.request("GET", `/payments/${paymentId}/extended_card_info`);
+    return this.request("GET", `/payments/${encodeURIComponent(paymentId)}/extended_card_info`);
   }
   // --- OLAP extensions (Task 4.2) ---
   /** List payments (profile-scoped). `GET /payments/profile/list` */
@@ -1214,19 +1352,27 @@ var Payments = class {
   }
   /** Manually update payment status. `PUT /payments/{paymentId}/manual-update` */
   async manualUpdate(paymentId, params) {
-    return this.request("PUT", `/payments/${paymentId}/manual-update`, { body: params });
+    return this.request("PUT", `/payments/${encodeURIComponent(paymentId)}/manual-update`, {
+      body: params
+    });
   }
   /** Approve a payment waiting for review. `POST /payments/{paymentId}/approve` */
   async approve(paymentId, params) {
-    return this.request("POST", `/payments/${paymentId}/approve`, { body: params });
+    return this.request("POST", `/payments/${encodeURIComponent(paymentId)}/approve`, {
+      body: params
+    });
   }
   /** Reject a payment waiting for review. `POST /payments/{paymentId}/reject` */
   async reject(paymentId, params) {
-    return this.request("POST", `/payments/${paymentId}/reject`, { body: params });
+    return this.request("POST", `/payments/${encodeURIComponent(paymentId)}/reject`, {
+      body: params
+    });
   }
   /** Initiate external 3DS authentication. `POST /payments/{paymentId}/3ds/authentication` */
   async threeDsAuthentication(paymentId, params) {
-    return this.request("POST", `/payments/${paymentId}/3ds/authentication`, { body: params });
+    return this.request("POST", `/payments/${encodeURIComponent(paymentId)}/3ds/authentication`, {
+      body: params
+    });
   }
 };
@@ -1260,7 +1406,7 @@ var Payouts = class {
    * @returns The payout.
    */
   async retrieve(payoutId) {
-    return this.request("GET", `/payouts/${payoutId}`);
+    return this.request("GET", `/payouts/${encodeURIComponent(payoutId)}`);
   }
   /**
    * Update a payout before it is confirmed.
@@ -1270,7 +1416,7 @@ var Payouts = class {
    * @returns The updated payout.
    */
   async update(payoutId, params) {
-    return this.request("PUT", `/payouts/${payoutId}`, { body: params });
+    return this.request("PUT", `/payouts/${encodeURIComponent(payoutId)}`, { body: params });
   }
   /**
    * Confirm a payout, triggering the actual transfer.
@@ -1280,7 +1426,9 @@ var Payouts = class {
    * @returns The updated payout.
    */
   async confirm(payoutId, params) {
-    return this.request("POST", `/payouts/${payoutId}/confirm`, { body: params });
+    return this.request("POST", `/payouts/${encodeURIComponent(payoutId)}/confirm`, {
+      body: params
+    });
   }
   /**
    * Cancel a payout before it is fulfilled.
@@ -1289,7 +1437,7 @@ var Payouts = class {
    * @returns The cancelled payout.
    */
   async cancel(payoutId) {
-    return this.request("POST", `/payouts/${payoutId}/cancel`);
+    return this.request("POST", `/payouts/${encodeURIComponent(payoutId)}/cancel`);
   }
   /**
    * Mark a payout as fulfilled (manual confirmation of successful transfer).
@@ -1298,7 +1446,7 @@ var Payouts = class {
    * @returns The fulfilled payout.
    */
   async fulfill(payoutId) {
-    return this.request("POST", `/payouts/${payoutId}/fulfill`);
+    return this.request("POST", `/payouts/${encodeURIComponent(payoutId)}/fulfill`);
   }
   /**
    * List payouts, optionally filtered by status or date range.
@@ -1340,7 +1488,9 @@ var Payouts = class {
   }
   /** Manually update payout status. `PUT /payouts/{payoutId}/manual-update` */
   async manualUpdate(payoutId, params) {
-    return this.request("PUT", `/payouts/${payoutId}/manual-update`, { body: params });
+    return this.request("PUT", `/payouts/${encodeURIComponent(payoutId)}/manual-update`, {
+      body: params
+    });
   }
 };
@@ -1350,7 +1500,7 @@ var Poll = class {
     this.request = request;
   }
   async getStatus(pollId) {
-    return this.request("GET", `/poll/status/${pollId}`);
+    return this.request("GET", `/poll/status/${encodeURIComponent(pollId)}`);
   }
 };
@@ -1363,9 +1513,13 @@ var ProfileAcquirers = class {
     return this.request("POST", "/profile_acquirer", { body: params });
   }
   async update(profileId, profileAcquirerId, params) {
-    return this.request("POST", `/profile_acquirer/${profileId}/${profileAcquirerId}`, {
-      body: params
-    });
+    return this.request(
+      "POST",
+      `/profile_acquirer/${encodeURIComponent(profileId)}/${encodeURIComponent(profileAcquirerId)}`,
+      {
+        body: params
+      }
+    );
   }
 };
@@ -1375,35 +1529,47 @@ var Profiles = class {
     this.request = request;
   }
   async create(accountId, params) {
-    return this.request("POST", `/account/${accountId}/business_profile`, { body: params });
+    return this.request("POST", `/account/${encodeURIComponent(accountId)}/business_profile`, {
+      body: params
+    });
   }
   async retrieve(accountId, profileId) {
-    return this.request("GET", `/account/${accountId}/business_profile/${profileId}`);
+    return this.request(
+      "GET",
+      `/account/${encodeURIComponent(accountId)}/business_profile/${encodeURIComponent(profileId)}`
+    );
   }
   async list(accountId) {
-    return this.request("GET", `/account/${accountId}/business_profile`);
+    return this.request("GET", `/account/${encodeURIComponent(accountId)}/business_profile`);
   }
   async update(accountId, profileId, params) {
-    return this.request("POST", `/account/${accountId}/business_profile/${profileId}`, {
-      body: params
-    });
+    return this.request(
+      "POST",
+      `/account/${encodeURIComponent(accountId)}/business_profile/${encodeURIComponent(profileId)}`,
+      {
+        body: params
+      }
+    );
   }
   async delete(accountId, profileId) {
-    return this.request("DELETE", `/account/${accountId}/business_profile/${profileId}`);
+    return this.request(
+      "DELETE",
+      `/account/${encodeURIComponent(accountId)}/business_profile/${encodeURIComponent(profileId)}`
+    );
   }
   // --- Advanced operations (Task 4.8) ---
   /** Toggle extended card info for a profile. `POST /account/{accountId}/business_profile/{profileId}/toggle_extended_card_info` */
   async toggleExtendedCardInfo(accountId, profileId) {
     return this.request(
       "POST",
-      `/account/${accountId}/business_profile/${profileId}/toggle_extended_card_info`
+      `/account/${encodeURIComponent(accountId)}/business_profile/${encodeURIComponent(profileId)}/toggle_extended_card_info`
     );
   }
   /** Toggle connector agnostic MIT. `POST /account/{accountId}/business_profile/{profileId}/toggle_connector_agnostic_mit` */
   async toggleConnectorAgnosticMit(accountId, profileId) {
     return this.request(
       "POST",
-      `/account/${accountId}/business_profile/${profileId}/toggle_connector_agnostic_mit`
+      `/account/${encodeURIComponent(accountId)}/business_profile/${encodeURIComponent(profileId)}/toggle_connector_agnostic_mit`
     );
   }
 };
@@ -1438,7 +1604,7 @@ var Projects = class {
    * @returns The project.
    */
   async retrieve(projectId) {
-    return this.request("GET", `/projects/${projectId}`);
+    return this.request("GET", `/projects/${encodeURIComponent(projectId)}`);
   }
   /**
    * Update a project's details.
@@ -1448,7 +1614,7 @@ var Projects = class {
    * @returns The updated project.
    */
   async update(projectId, params) {
-    return this.request("PUT", `/projects/${projectId}`, { body: params });
+    return this.request("PUT", `/projects/${encodeURIComponent(projectId)}`, { body: params });
   }
   /**
    * Delete a project.
@@ -1457,7 +1623,7 @@ var Projects = class {
    * @returns The deleted project object.
    */
   async delete(projectId) {
-    return this.request("DELETE", `/projects/${projectId}`);
+    return this.request("DELETE", `/projects/${encodeURIComponent(projectId)}`);
   }
   /**
    * List all projects for a merchant.
@@ -1528,7 +1694,7 @@ var Refunds = class {
    * ```
    */
   async retrieve(refundId) {
-    return this.request("GET", `/refunds/${refundId}`);
+    return this.request("GET", `/refunds/${encodeURIComponent(refundId)}`);
   }
   /**
    * Update the reason or metadata on an existing refund.
@@ -1538,7 +1704,7 @@ var Refunds = class {
    * @returns The updated refund.
    */
   async update(refundId, params) {
-    return this.request("POST", `/refunds/${refundId}`, { body: params });
+    return this.request("POST", `/refunds/${encodeURIComponent(refundId)}`, { body: params });
   }
   /**
    * List refunds, optionally filtered by payment, status, or date range.
@@ -1572,7 +1738,9 @@ var Refunds = class {
   }
   /** Manually update refund status. `PUT /refunds/{refundId}/manual-update` */
   async manualUpdate(refundId, params) {
-    return this.request("PUT", `/refunds/${refundId}/manual-update`, { body: params });
+    return this.request("PUT", `/refunds/${encodeURIComponent(refundId)}/manual-update`, {
+      body: params
+    });
   }
 };
@@ -1585,7 +1753,7 @@ var Relay = class {
     return this.request("POST", "/relay", { body: params });
   }
   async retrieve(relayId) {
-    return this.request("GET", `/relay/${relayId}`);
+    return this.request("GET", `/relay/${encodeURIComponent(relayId)}`);
   }
 };
@@ -1619,7 +1787,7 @@ var Routing = class {
    * @returns The routing configuration.
    */
   async retrieve(algorithmId) {
-    return this.request("GET", `/routing/${algorithmId}`);
+    return this.request("GET", `/routing/${encodeURIComponent(algorithmId)}`);
   }
   /**
    * Activate a routing algorithm, making it the active routing strategy for the shop.
@@ -1628,7 +1796,7 @@ var Routing = class {
    * @returns The activated routing configuration.
    */
   async activate(algorithmId) {
-    return this.request("POST", `/routing/${algorithmId}/activate`);
+    return this.request("POST", `/routing/${encodeURIComponent(algorithmId)}/activate`);
   }
   /**
    * Deactivate the currently active routing algorithm (falls back to default routing).
@@ -1661,7 +1829,9 @@ var Routing = class {
   }
   /** Update default config for a profile. `POST /routing/default/profile/{profileId}` */
   async updateDefaultProfile(profileId, params) {
-    return this.request("POST", `/routing/default/profile/${profileId}`, { body: params });
+    return this.request("POST", `/routing/default/profile/${encodeURIComponent(profileId)}`, {
+      body: params
+    });
   }
   /** List routing configs for profile. `GET /routing/list/profile` */
   async listForProfile() {
@@ -1728,7 +1898,11 @@ var ShopGateways = class {
    * @returns The created gateway connection.
    */
   async connect(merchantId, shopId, params) {
-    return this.request("POST", `/shops/${merchantId}/${shopId}/gateways`, { body: params });
+    return this.request(
+      "POST",
+      `/shops/${encodeURIComponent(merchantId)}/${encodeURIComponent(shopId)}/gateways`,
+      { body: params }
+    );
   }
   /**
    * List all gateway connections for a shop.
@@ -1738,7 +1912,10 @@ var ShopGateways = class {
    * @returns Array of gateway connections.
    */
   async list(merchantId, shopId) {
-    return this.request("GET", `/shops/${merchantId}/${shopId}/gateways`);
+    return this.request(
+      "GET",
+      `/shops/${encodeURIComponent(merchantId)}/${encodeURIComponent(shopId)}/gateways`
+    );
   }
   /**
    * Disconnect a gateway from a shop.
@@ -1749,7 +1926,10 @@ var ShopGateways = class {
    * @returns The removed gateway connection.
    */
   async disconnect(merchantId, shopId, gatewayId) {
-    return this.request("DELETE", `/shops/${merchantId}/${shopId}/gateways/${gatewayId}`);
+    return this.request(
+      "DELETE",
+      `/shops/${encodeURIComponent(merchantId)}/${encodeURIComponent(shopId)}/gateways/${encodeURIComponent(gatewayId)}`
+    );
   }
 };
 var Shops = class {
@@ -1770,7 +1950,7 @@ var Shops = class {
    * ```
    */
   async create(merchantId, params) {
-    return this.request("POST", `/shops/${merchantId}`, { body: params });
+    return this.request("POST", `/shops/${encodeURIComponent(merchantId)}`, { body: params });
   }
   /**
    * Retrieve a shop by its ID.
@@ -1780,7 +1960,10 @@ var Shops = class {
    * @returns The shop.
    */
   async retrieve(merchantId, shopId) {
-    return this.request("GET", `/shops/${merchantId}/${shopId}`);
+    return this.request(
+      "GET",
+      `/shops/${encodeURIComponent(merchantId)}/${encodeURIComponent(shopId)}`
+    );
   }
   /**
    * Update a shop's configuration.
@@ -1791,7 +1974,11 @@ var Shops = class {
    * @returns The updated shop.
    */
   async update(merchantId, shopId, params) {
-    return this.request("PUT", `/shops/${merchantId}/${shopId}`, { body: params });
+    return this.request(
+      "PUT",
+      `/shops/${encodeURIComponent(merchantId)}/${encodeURIComponent(shopId)}`,
+      { body: params }
+    );
   }
   /**
    * Delete a shop.
@@ -1801,7 +1988,10 @@ var Shops = class {
    * @returns The deleted shop object.
    */
   async delete(merchantId, shopId) {
-    return this.request("DELETE", `/shops/${merchantId}/${shopId}`);
+    return this.request(
+      "DELETE",
+      `/shops/${encodeURIComponent(merchantId)}/${encodeURIComponent(shopId)}`
+    );
   }
   /**
    * List all shops under a merchant account.
@@ -1810,7 +2000,7 @@ var Shops = class {
    * @returns Array of shops.
    */
   async list(merchantId) {
-    return this.request("GET", `/shops/${merchantId}`);
+    return this.request("GET", `/shops/${encodeURIComponent(merchantId)}`);
   }
 };
@@ -2068,11 +2258,11 @@ var Users = class {
   }
   /** Get role by ID. `GET /user/role/{roleId}` */
   async getRoleById(roleId) {
-    return this.request("GET", `/user/role/${roleId}`);
+    return this.request("GET", `/user/role/${encodeURIComponent(roleId)}`);
   }
   /** Update role by ID. `PUT /user/role/{roleId}` */
   async updateRole(roleId, params) {
-    return this.request("PUT", `/user/role/${roleId}`, { body: params });
+    return this.request("PUT", `/user/role/${encodeURIComponent(roleId)}`, { body: params });
   }
 };
@@ -2082,7 +2272,9 @@ var Verification = class {
     this.request = request;
   }
   async registerApplePayDomains(merchantId, params) {
-    return this.request("POST", `/verify/apple_pay/${merchantId}`, { body: params });
+    return this.request("POST", `/verify/apple_pay/${encodeURIComponent(merchantId)}`, {
+      body: params
+    });
   }
   async getApplePayVerifiedDomains(params) {
     return this.request("GET", "/verify/applepay_verified_domains", {
@@ -2092,10 +2284,23 @@ var Verification = class {
 };
 // src/resources/webhooks.ts
+function hexToBytes(hex) {
+  if (hex.length === 0 || hex.length % 2 !== 0) return null;
+  const bytes = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < hex.length; i += 2) {
+    const byte = Number.parseInt(hex.slice(i, i + 2), 16);
+    if (Number.isNaN(byte)) return null;
+    bytes[i / 2] = byte;
+  }
+  return bytes;
+}
 var Webhooks = {
   /**
    * Verify the signature of an incoming Delopay webhook and return the parsed event.
    *
+   * Uses the Web Crypto API (`globalThis.crypto.subtle`), so it runs unchanged in
+   * Node 18+, modern browsers, Deno, Bun, and edge runtimes (Cloudflare Workers, Vercel Edge).
+   *
    * This method is available as a static property on the `Delopay` class
    * (`Delopay.webhooks.verify`) and does not require a client instance.
    *
@@ -2103,14 +2308,14 @@ var Webhooks = {
    * @param signatureHeader - The value of the `delopay-signature` HTTP header.
    * @param secret - Your webhook signing secret from the Delopay dashboard.
    * @param options - Optional verification settings (replay tolerance).
-   * @returns The parsed webhook event.
+   * @returns Promise that resolves to the parsed webhook event.
    * @throws {Error} When the signature is invalid, the timestamp is missing, or the event is too old.
    *
    * @example
    * ```typescript
    * // Express example
-   * app.post('/webhook', express.raw({ type: 'application/json' }), (req, res) => {
-   *   const event = Delopay.webhooks.verify(
+   * app.post('/webhook', express.raw({ type: 'application/json' }), async (req, res) => {
+   *   const event = await Delopay.webhooks.verify(
    *     req.body.toString(),
    *     req.headers['delopay-signature'] as string,
    *     process.env.DELOPAY_WEBHOOK_SECRET!,
@@ -2120,7 +2325,7 @@ var Webhooks = {
    * });
    * ```
    */
-  verify(rawBody, signatureHeader, secret, options) {
+  async verify(rawBody, signatureHeader, secret, options) {
     const tolerance = options?.tolerance ?? 300;
     const parts = signatureHeader.split(",");
     const timestampPart = parts.find((p) => p.startsWith("t="));
@@ -2128,19 +2333,29 @@ var Webhooks = {
     if (!timestampPart || !signaturePart) {
       throw new Error("Invalid webhook signature format");
     }
-    const timestamp = parseInt(timestampPart.slice(2), 10);
+    const timestamp = Number.parseInt(timestampPart.slice(2), 10);
     if (!Number.isFinite(timestamp)) {
       throw new Error("Invalid webhook timestamp");
     }
-    const signature = signaturePart.slice(3);
-    const crypto = require("crypto");
-    const signedPayload = `${timestamp}.${rawBody}`;
-    const expected = crypto.createHmac("sha256", secret).update(signedPayload).digest("hex");
-    const sigBuf = Buffer.from(signature);
-    const expBuf = Buffer.from(expected);
-    const lengthsMatch = sigBuf.length === expBuf.length;
-    const paddedSig = lengthsMatch ? sigBuf : Buffer.alloc(expBuf.length, 0);
-    const signaturesMatch = lengthsMatch && crypto.timingSafeEqual(paddedSig, expBuf);
+    const signatureHex = signaturePart.slice(3);
+    const signatureBytes = hexToBytes(signatureHex);
+    const subtle = globalThis.crypto?.subtle;
+    if (!subtle) {
+      throw new Error(
+        "Web Crypto unavailable: Delopay.webhooks.verify requires globalThis.crypto.subtle (Node 18+, modern browsers, Workers, Deno)"
+      );
+    }
+    const encoder = new TextEncoder();
+    const asBufferSource = (bytes) => bytes;
+    const key = await subtle.importKey(
+      "raw",
+      asBufferSource(encoder.encode(secret)),
+      { name: "HMAC", hash: "SHA-256" },
+      false,
+      ["verify"]
+    );
+    const signedPayload = asBufferSource(encoder.encode(`${timestamp}.${rawBody}`));
+    const signaturesMatch = signatureBytes !== null && await subtle.verify("HMAC", key, asBufferSource(signatureBytes), signedPayload);
     if (!signaturesMatch) {
       throw new Error("Invalid webhook signature");
     }
@@ -2161,22 +2376,30 @@ var AnalyticsDomain = class {
   /** Get metrics. `POST /analytics/v1/metrics/{domain}` */
   async metrics(params, scope) {
     const prefix = scope ? `/analytics/v1/${scope}` : "/analytics/v1";
-    return this.request("POST", `${prefix}/metrics/${this.domain}`, { body: [params] });
+    return this.request("POST", `${prefix}/metrics/${encodeURIComponent(this.domain)}`, {
+      body: [params]
+    });
   }
   /** Get filters. `POST /analytics/v1/filters/{domain}` */
   async filters(params, scope) {
     const prefix = scope ? `/analytics/v1/${scope}` : "/analytics/v1";
-    return this.request("POST", `${prefix}/filters/${this.domain}`, { body: params });
+    return this.request("POST", `${prefix}/filters/${encodeURIComponent(this.domain)}`, {
+      body: params
+    });
   }
   /** Generate report. `POST /analytics/v1/report/{domain}` */
   async report(params, scope) {
     const prefix = scope ? `/analytics/v1/${scope}` : "/analytics/v1";
-    return this.request("POST", `${prefix}/report/${this.domain}`, { body: params });
+    return this.request("POST", `${prefix}/report/${encodeURIComponent(this.domain)}`, {
+      body: params
+    });
   }
   /** Sankey chart data. `POST /analytics/v1/metrics/{domain}/sankey` */
   async sankey(params, scope) {
     const prefix = scope ? `/analytics/v1/${scope}` : "/analytics/v1";
-    return this.request("POST", `${prefix}/metrics/${this.domain}/sankey`, { body: params });
+    return this.request("POST", `${prefix}/metrics/${encodeURIComponent(this.domain)}/sankey`, {
+      body: params
+    });
   }
 };
 var Analytics = class {
@@ -2197,11 +2420,13 @@ var Analytics = class {
   }
   /** Domain-specific search. `POST /analytics/v1/search/{domain}` */
   async searchDomain(domain, params) {
-    return this.request("POST", `/analytics/v1/search/${domain}`, { body: params });
+    return this.request("POST", `/analytics/v1/search/${encodeURIComponent(domain)}`, {
+      body: params
+    });
   }
   /** Get analytics info. `GET /analytics/v1/{domain}/info` */
   async getInfo(domain) {
-    return this.request("GET", `/analytics/v1/${domain}/info`);
+    return this.request("GET", `/analytics/v1/${encodeURIComponent(domain)}/info`);
   }
   /** Get API event logs. `GET /analytics/v1/api_event_logs` */
   async apiEventLogs(params) {
@@ -2247,7 +2472,7 @@ var Cache = class {
   }
   /** Invalidate a cache entry by key. `POST /cache/invalidate/{key}` */
   async invalidate(key) {
-    return this.request("POST", `/cache/invalidate/${key}`);
+    return this.request("POST", `/cache/invalidate/${encodeURIComponent(key)}`);
   }
 };
@@ -2266,7 +2491,7 @@ var Cards = class {
   }
   /** Retrieve card info by BIN. `GET /cards/{bin}` */
   async retrieve(bin) {
-    return this.request("GET", `/cards/${bin}`);
+    return this.request("GET", `/cards/${encodeURIComponent(bin)}`);
   }
 };
@@ -2281,15 +2506,15 @@ var Configs = class {
   }
   /** Retrieve a config by key. `GET /configs/{key}` */
   async retrieve(key) {
-    return this.request("GET", `/configs/${key}`);
+    return this.request("GET", `/configs/${encodeURIComponent(key)}`);
   }
   /** Update a config. `PUT /configs/{key}` */
   async update(key, params) {
-    return this.request("PUT", `/configs/${key}`, { body: params });
+    return this.request("PUT", `/configs/${encodeURIComponent(key)}`, { body: params });
   }
   /** Delete a config. `DELETE /configs/{key}` */
   async delete(key) {
-    return this.request("DELETE", `/configs/${key}`);
+    return this.request("DELETE", `/configs/${encodeURIComponent(key)}`);
   }
 };
@@ -2326,11 +2551,11 @@ var Files = class {
   }
   /** Retrieve/download a file. `GET /files/{fileId}` */
   async retrieve(fileId) {
-    return this.request("GET", `/files/${fileId}`);
+    return this.request("GET", `/files/${encodeURIComponent(fileId)}`);
   }
   /** Delete a file. `DELETE /files/{fileId}` */
   async delete(fileId) {
-    return this.request("DELETE", `/files/${fileId}`);
+    return this.request("DELETE", `/files/${encodeURIComponent(fileId)}`);
   }
 };
@@ -2360,15 +2585,15 @@ var Regions = class {
   }
   /** Retrieve a region by ID. `GET /regions/{regionId}` */
   async retrieve(regionId) {
-    return this.request("GET", `/regions/${regionId}`);
+    return this.request("GET", `/regions/${encodeURIComponent(regionId)}`);
   }
   /** Update a region. `PUT /regions/{regionId}` */
   async update(regionId, params) {
-    return this.request("PUT", `/regions/${regionId}`, { body: params });
+    return this.request("PUT", `/regions/${encodeURIComponent(regionId)}`, { body: params });
   }
   /** Delete a region. `DELETE /regions/{regionId}` */
   async delete(regionId) {
-    return this.request("DELETE", `/regions/${regionId}`);
+    return this.request("DELETE", `/regions/${encodeURIComponent(regionId)}`);
   }
   /** List all regions. `GET /regions/list` */
   async list() {
@@ -2391,17 +2616,19 @@ var Subscriptions = class {
   }
   /** Retrieve a subscription by ID. `GET /subscriptions/{subscriptionId}` */
   async retrieve(subscriptionId) {
-    return this.request("GET", `/subscriptions/${subscriptionId}`);
+    return this.request("GET", `/subscriptions/${encodeURIComponent(subscriptionId)}`);
   }
   /** Confirm a subscription. `POST /subscriptions/{subscriptionId}/confirm` */
   async confirm(subscriptionId, params) {
-    return this.request("POST", `/subscriptions/${subscriptionId}/confirm`, {
+    return this.request("POST", `/subscriptions/${encodeURIComponent(subscriptionId)}/confirm`, {
       body: params
     });
   }
   /** Update a subscription. `PUT /subscriptions/{subscriptionId}/update` */
   async update(subscriptionId, params) {
-    return this.request("PUT", `/subscriptions/${subscriptionId}/update`, { body: params });
+    return this.request("PUT", `/subscriptions/${encodeURIComponent(subscriptionId)}/update`, {
+      body: params
+    });
   }
   /** List subscriptions. `GET /subscriptions/list` */
   async list(params) {
@@ -2419,21 +2646,95 @@ var Subscriptions = class {
   }
   /** Pause a subscription. `POST /subscriptions/{subscriptionId}/pause` */
   async pause(subscriptionId) {
-    return this.request("POST", `/subscriptions/${subscriptionId}/pause`);
+    return this.request("POST", `/subscriptions/${encodeURIComponent(subscriptionId)}/pause`);
   }
   /** Resume a subscription. `POST /subscriptions/{subscriptionId}/resume` */
   async resume(subscriptionId) {
-    return this.request("POST", `/subscriptions/${subscriptionId}/resume`);
+    return this.request("POST", `/subscriptions/${encodeURIComponent(subscriptionId)}/resume`);
   }
   /** Cancel a subscription. `POST /subscriptions/{subscriptionId}/cancel` */
   async cancel(subscriptionId) {
-    return this.request("POST", `/subscriptions/${subscriptionId}/cancel`);
+    return this.request("POST", `/subscriptions/${encodeURIComponent(subscriptionId)}/cancel`);
   }
 };
 // src/client.ts
 var PRODUCTION_URL = "https://api.delopay.net";
 var SANDBOX_URL = "https://sandbox.delopay.net";
+var MAX_RAW_BODY_BYTES = 2048;
+var MAX_RETRY_AFTER_MS = 3e4;
+function parseRetryAfter(header) {
+  if (!header) return null;
+  const trimmed = header.trim();
+  const seconds = Number(trimmed);
+  if (Number.isFinite(seconds) && seconds >= 0) {
+    return Math.min(seconds * 1e3, MAX_RETRY_AFTER_MS);
+  }
+  const date = Date.parse(trimmed);
+  if (Number.isFinite(date)) {
+    const delta = date - Date.now();
+    return delta > 0 ? Math.min(delta, MAX_RETRY_AFTER_MS) : 0;
+  }
+  return null;
+}
+function truncateRawBody(raw) {
+  if (!raw) return void 0;
+  return raw.length > MAX_RAW_BODY_BYTES ? raw.slice(0, MAX_RAW_BODY_BYTES) + "\u2026" : raw;
+}
+function findIdempotencyKey(headers) {
+  for (const [k, v] of Object.entries(headers)) {
+    if (k.toLowerCase() === "idempotency-key") return v;
+  }
+  return void 0;
+}
+function noop() {
+}
+function combineSignals(signals) {
+  const controller = new AbortController();
+  const listeners = [];
+  const dispose = () => {
+    for (const { signal, handler } of listeners) {
+      signal.removeEventListener("abort", handler);
+    }
+    listeners.length = 0;
+  };
+  for (const signal of signals) {
+    if (signal.aborted) {
+      controller.abort(signal.reason);
+      dispose();
+      return { signal: controller.signal, dispose: noop };
+    }
+    const handler = () => {
+      controller.abort(signal.reason);
+      dispose();
+    };
+    signal.addEventListener("abort", handler, { once: true });
+    listeners.push({ signal, handler });
+  }
+  return { signal: controller.signal, dispose };
+}
+var SENSITIVE_QUERY_KEYS = /* @__PURE__ */ new Set([
+  "client_secret",
+  "ephemeral_key",
+  "api_key",
+  "publishable_key"
+]);
+function redactUrlForLogging(url) {
+  const qIdx = url.indexOf("?");
+  if (qIdx === -1) return url;
+  const base = url.slice(0, qIdx);
+  const query = url.slice(qIdx + 1);
+  const parts = query.split("&").map((pair) => {
+    const eqIdx = pair.indexOf("=");
+    if (eqIdx === -1) return pair;
+    const key = pair.slice(0, eqIdx);
+    if (SENSITIVE_QUERY_KEYS.has(decodeURIComponent(key).toLowerCase())) {
+      return `${key}=REDACTED`;
+    }
+    return pair;
+  });
+  return `${base}?${parts.join("&")}`;
+}
 var Delopay = class {
   /**
    * Create a new Delopay client.
@@ -2447,6 +2748,7 @@ var Delopay = class {
     this.timeout = options?.timeout ?? 3e4;
     this.maxRetries = options?.maxRetries ?? 2;
     this.debug = options?.debug ?? false;
+    if (options?.logger !== void 0) this.logger = options.logger;
     if (options?.baseUrl !== void 0) {
       this.baseUrl = options.baseUrl;
     } else if (options?.sandbox) {
@@ -2532,7 +2834,12 @@ var Delopay = class {
     if (options?.query) {
       const params = new URLSearchParams();
       for (const [key, value] of Object.entries(options.query)) {
-        if (value !== void 0) {
+        if (value === void 0 || value === null) continue;
+        if (Array.isArray(value)) {
+          for (const v of value) {
+            if (v !== void 0 && v !== null) params.append(key, String(v));
+          }
+        } else {
           params.set(key, String(value));
         }
       }
@@ -2548,46 +2855,94 @@ var Delopay = class {
     if (options?.body) {
       headers["Content-Type"] = "application/json";
     }
-    const isRetryable = method === "GET" || method === "DELETE" || "Idempotency-Key" in headers;
+    const idempotencyKey = findIdempotencyKey(headers)?.trim();
+    const isRetryable = method === "GET" || method === "DELETE" || idempotencyKey !== void 0 && idempotencyKey !== "";
+    const serializedBody = options?.body ? JSON.stringify(options.body) : void 0;
+    const callerSignal = options?.signal;
+    if (callerSignal?.aborted) {
+      throw new DelopayError("Request aborted", {
+        status: 0,
+        code: "ABORTED",
+        type: "abort_error"
+      });
+    }
+    const timeoutMs = options?.timeout ?? this.timeout;
     let lastError;
+    let retryAfterOverrideMs = null;
+    const safeUrl = () => redactUrlForLogging(url);
+    const emit = (event, data) => {
+      if (!this.debug) return;
+      if (this.logger) {
+        this.logger(event, data);
+        return;
+      }
+      if (event === "request")
+        console.log(`[delopay] ${data.method} ${data.url}`);
+      else if (event === "response")
+        console.log(
+          `[delopay] ${data.status} ${data.method} ${data.path}`
+        );
+      else
+        console.log(
+          `[delopay] retry ${data.attempt}/${data.maxRetries} ${data.method} ${data.path}`
+        );
+    };
     for (let attempt = 0; attempt <= this.maxRetries; attempt++) {
       if (attempt > 0) {
-        const delay = Math.min(500 * 2 ** (attempt - 1), 5e3);
+        const base = Math.min(500 * 2 ** (attempt - 1), 5e3);
+        const jittered = Math.random() * base;
+        const delay = Math.max(retryAfterOverrideMs ?? 0, jittered);
+        retryAfterOverrideMs = null;
         await new Promise((resolve) => setTimeout(resolve, delay));
-        if (this.debug) {
-          console.log(`[delopay] retry ${attempt}/${this.maxRetries} ${method} ${path}`);
-        }
+        emit("retry", { attempt, maxRetries: this.maxRetries, method, path });
       }
-      const controller = new AbortController();
-      const timeoutId = setTimeout(() => controller.abort(), this.timeout);
+      const timeoutCtrl = new AbortController();
+      const timeoutId = setTimeout(() => timeoutCtrl.abort(), timeoutMs);
+      const combined = combineSignals(
+        callerSignal ? [timeoutCtrl.signal, callerSignal] : [timeoutCtrl.signal]
+      );
       try {
-        if (this.debug) {
-          console.log(`[delopay] ${method} ${url}`);
-        }
+        emit("request", { method, url: safeUrl(), path });
         const response = await fetch(url, {
           method,
           headers,
-          body: options?.body ? JSON.stringify(options.body) : void 0,
-          signal: controller.signal
+          body: serializedBody,
+          signal: combined.signal
         });
-        if (this.debug) {
-          console.log(`[delopay] ${response.status} ${method} ${path}`);
-        }
+        const requestId = response.headers?.get("x-request-id") ?? response.headers?.get("x-trace-id") ?? void 0;
+        emit("response", { status: response.status, method, path, requestId });
         if (!response.ok) {
-          const body = await response.json().catch(() => ({}));
-          const err = body.error ?? body;
+          const rawBody = await response.text().catch(() => "");
+          let parsed = {};
+          if (rawBody) {
+            try {
+              parsed = JSON.parse(rawBody);
+            } catch {
+            }
+          }
+          const err = parsed.error ?? parsed;
           const message = err.message ?? `Request failed with status ${response.status}`;
           const code = err.code ?? "";
           const type = err.error_type ?? err.type ?? "";
+          const truncatedRaw = truncateRawBody(rawBody);
           if (response.status === 401) {
-            throw new DelopayAuthenticationError(message);
+            throw new DelopayAuthenticationError(message, {
+              requestId,
+              rawBody: truncatedRaw
+            });
           }
           const error = new DelopayError(message, {
             status: response.status,
             code,
-            type
+            type,
+            requestId,
+            rawBody: truncatedRaw
           });
-          if (response.status >= 500 && isRetryable && attempt < this.maxRetries) {
+          const isTransientStatus = response.status >= 500 || response.status === 429;
+          if (isTransientStatus && isRetryable && attempt < this.maxRetries) {
+            if (response.status === 429) {
+              retryAfterOverrideMs = parseRetryAfter(response.headers?.get("retry-after") ?? null);
+            }
             lastError = error;
             continue;
           }
@@ -2599,7 +2954,14 @@ var Delopay = class {
         if (err instanceof DelopayError || err instanceof DelopayAuthenticationError) {
           throw err;
         }
-        if (err instanceof DOMException && err.name === "AbortError") {
+        if (err instanceof Error && err.name === "AbortError") {
+          if (callerSignal?.aborted) {
+            throw new DelopayError("Request aborted", {
+              status: 0,
+              code: "ABORTED",
+              type: "abort_error"
+            });
+          }
           lastError = new DelopayError("Request timed out", {
             status: 0,
             code: "TIMEOUT",
@@ -2620,6 +2982,7 @@ var Delopay = class {
         throw err;
       } finally {
         clearTimeout(timeoutId);
+        combined.dispose();
       }
     }
     throw lastError;