npm - @drmhse/sso-sdk - Versions diffs - 0.2.3 → 0.2.6 - Mend

@drmhse/sso-sdk 0.2.3 → 0.2.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/index.d.ts CHANGED Viewed

@@ -263,6 +263,68 @@ interface RefreshTokenResponse {
     refresh_token: string;
     expires_in: number;
 }
+/**
+ * Registration request payload
+ */
+interface RegisterRequest {
+    email: string;
+    password: string;
+    org_slug?: string;
+}
+/**
+ * Registration response
+ */
+interface RegisterResponse {
+    message: string;
+}
+/**
+ * Login request payload
+ */
+interface LoginRequest {
+    email: string;
+    password: string;
+}
+/**
+ * Forgot password request payload
+ */
+interface ForgotPasswordRequest {
+    email: string;
+    org_slug?: string;
+}
+/**
+ * Forgot password response
+ */
+interface ForgotPasswordResponse {
+    message: string;
+}
+/**
+ * Reset password request payload
+ */
+interface ResetPasswordRequest {
+    token: string;
+    new_password: string;
+}
+/**
+ * Reset password response
+ */
+interface ResetPasswordResponse {
+    message: string;
+}
+/**
+ * MFA verification request payload
+ */
+interface MfaVerificationRequest {
+    preauth_token: string;
+    code: string;
+}
+/**
+ * MFA verification response (same as refresh token response)
+ */
+interface MfaVerificationResponse {
+    access_token: string;
+    refresh_token: string;
+    expires_in: number;
+}
 /**
  * User subscription details
@@ -292,6 +354,65 @@ interface Identity {
 interface StartLinkResponse {
     authorization_url: string;
 }
+/**
+ * Change password request payload
+ */
+interface ChangePasswordRequest {
+    current_password: string;
+    new_password: string;
+}
+/**
+ * Change password response
+ */
+interface ChangePasswordResponse {
+    message: string;
+}
+/**
+ * Set password request payload (for OAuth users without a password)
+ */
+interface SetPasswordRequest {
+    new_password: string;
+}
+/**
+ * Set password response
+ */
+interface SetPasswordResponse {
+    message: string;
+}
+/**
+ * MFA status response
+ */
+interface MfaStatusResponse {
+    enabled: boolean;
+    has_backup_codes: boolean;
+}
+/**
+ * MFA setup response
+ */
+interface MfaSetupResponse {
+    secret: string;
+    qr_code_svg: string;
+    qr_code_uri: string;
+}
+/**
+ * MFA verify request
+ */
+interface MfaVerifyRequest {
+    code: string;
+}
+/**
+ * MFA verify response
+ */
+interface MfaVerifyResponse {
+    enabled: boolean;
+    backup_codes: string[];
+}
+/**
+ * Backup codes response
+ */
+interface BackupCodesResponse {
+    backup_codes: string[];
+}
 /**
  * Organization entity
@@ -431,6 +552,211 @@ interface MemberListResponse {
         source: string;
     };
 }
+/**
+ * SMTP configuration request
+ */
+interface SetSmtpRequest {
+    host: string;
+    port: number;
+    username: string;
+    password: string;
+    from_email: string;
+    from_name?: string;
+}
+/**
+ * SMTP configuration response (without password)
+ */
+interface SmtpConfigResponse {
+    host: string;
+    port: number;
+    username: string;
+    from_email: string;
+    from_name?: string;
+    configured: boolean;
+}
+/**
+ * Organization audit log entry
+ */
+interface AuditLog {
+    id: string;
+    org_id: string;
+    actor_user_id: string;
+    actor_user_email?: string;
+    action: string;
+    target_type: string;
+    target_id: string;
+    ip_address?: string;
+    user_agent?: string;
+    success: boolean;
+    details?: string;
+    created_at: string;
+}
+/**
+ * Audit log response with pagination
+ */
+interface AuditLogResponse {
+    logs: AuditLog[];
+    pagination: PaginationInfo;
+}
+/**
+ * Event type information for filtering
+ */
+interface EventTypeInfo {
+    value: string;
+    label: string;
+    category: string;
+}
+/**
+ * Audit log query parameters
+ */
+interface AuditLogQueryParams extends PaginationParams {
+    action?: string;
+    target_type?: string;
+    target_id?: string;
+}
+/**
+ * Webhook configuration
+ */
+interface Webhook {
+    id: string;
+    name: string;
+    url: string;
+    events: string[];
+    is_active: boolean;
+    created_at: string;
+    updated_at: string;
+}
+/**
+ * Webhook response
+ */
+interface WebhookResponse {
+    id: string;
+    name: string;
+    url: string;
+    events: string[];
+    is_active: boolean;
+    created_at: string;
+    updated_at: string;
+}
+/**
+ * Webhook list response
+ */
+interface WebhookListResponse {
+    webhooks: WebhookResponse[];
+    total: number;
+}
+/**
+ * Create webhook request
+ */
+interface CreateWebhookRequest {
+    name: string;
+    url: string;
+    events: string[];
+}
+/**
+ * Update webhook request
+ */
+interface UpdateWebhookRequest {
+    name?: string;
+    url?: string;
+    events?: string[];
+    is_active?: boolean;
+}
+/**
+ * Webhook delivery attempt
+ */
+interface WebhookDelivery {
+    id: string;
+    webhook_id: string;
+    webhook_name: string;
+    event_type: string;
+    payload: any;
+    response_status_code?: number;
+    response_body?: string;
+    attempt_count: number;
+    max_attempts: number;
+    next_retry_at?: string;
+    delivered: boolean;
+    delivery_error?: string;
+    created_at: string;
+    updated_at: string;
+}
+/**
+ * Webhook delivery list response
+ */
+interface WebhookDeliveryListResponse {
+    deliveries: WebhookDelivery[];
+    pagination: PaginationInfo;
+}
+/**
+ * Webhook delivery query parameters
+ */
+interface WebhookDeliveryQueryParams extends PaginationParams {
+    event_type?: string;
+    delivered?: boolean;
+}
+/**
+ * Pagination information
+ */
+interface PaginationInfo {
+    page: number;
+    limit: number;
+    total: number;
+    total_pages: number;
+    has_next: boolean;
+    has_prev: boolean;
+}
+/**
+ * Custom domain configuration
+ */
+interface DomainConfiguration {
+    custom_domain: string | null;
+    domain_verified: boolean;
+}
+/**
+ * Set custom domain request
+ */
+interface SetCustomDomainRequest {
+    domain: string;
+}
+/**
+ * Domain verification method
+ */
+interface DomainVerificationMethod {
+    method: string;
+    instructions: string;
+    record_type?: string;
+    record_name?: string;
+    record_value?: string;
+}
+/**
+ * Domain verification response
+ */
+interface DomainVerificationResponse {
+    verification_token: string;
+    verification_methods: DomainVerificationMethod[];
+}
+/**
+ * Domain verification result
+ */
+interface DomainVerificationResult {
+    verified: boolean;
+    message: string;
+}
+/**
+ * Branding configuration
+ */
+interface BrandingConfiguration {
+    logo_url: string | null;
+    primary_color: string | null;
+}
+/**
+ * Update branding request
+ */
+interface UpdateBrandingRequest {
+    logo_url?: string | null;
+    primary_color?: string | null;
+}
 /**
  * Service entity
@@ -447,6 +773,14 @@ interface Service {
     google_scopes: string[];
     redirect_uris: string[];
     device_activation_uri?: string;
+    saml_enabled: boolean;
+    saml_entity_id?: string;
+    saml_acs_url?: string;
+    saml_slo_url?: string;
+    saml_name_id_format?: string;
+    saml_attribute_mapping?: Record<string, string>;
+    saml_sign_assertions: boolean;
+    saml_sign_response: boolean;
     created_at: string;
 }
 /**
@@ -466,12 +800,18 @@ interface Plan {
     id: string;
     service_id: string;
     name: string;
-    description?: string;
-    price_monthly?: number;
-    features: string[];
-    is_default: boolean;
+    price_cents: number;
+    currency: string;
+    features: string;
     created_at: string;
 }
+/**
+ * Plan response with metadata
+ */
+interface PlanResponse {
+    plan: Plan;
+    subscription_count: number;
+}
 /**
  * Create service payload
  */
@@ -523,10 +863,18 @@ interface ServiceResponse {
  */
 interface CreatePlanPayload {
     name: string;
-    description?: string;
-    price_monthly?: number;
-    features: string[];
-    is_default?: boolean;
+    price_cents: number;
+    currency: string;
+    features?: string[];
+}
+/**
+ * Update plan payload
+ */
+interface UpdatePlanPayload {
+    name?: string;
+    price_cents?: number;
+    currency?: string;
+    features?: string[];
 }
 /**
  * Service with aggregated details
@@ -546,6 +894,93 @@ interface ServiceListResponse {
         tier: string;
     };
 }
+/**
+ * API Key for service-to-service authentication
+ */
+interface ApiKey {
+    id: string;
+    service_id: string;
+    name: string;
+    prefix: string;
+    permissions: string[];
+    last_used_at?: string;
+    expires_at?: string;
+    created_at: string;
+    created_by: string;
+}
+/**
+ * API Key creation response (includes the full key - only returned once)
+ */
+interface ApiKeyCreateResponse {
+    id: string;
+    service_id: string;
+    name: string;
+    prefix: string;
+    permissions: string[];
+    expires_at?: string;
+    created_at: string;
+    created_by: string;
+    key: string;
+}
+/**
+ * Create API key payload
+ */
+interface CreateApiKeyPayload {
+    name: string;
+    permissions: string[];
+    expires_in_days?: number;
+}
+/**
+ * List API keys response
+ */
+interface ListApiKeysResponse {
+    api_keys: ApiKey[];
+    total: number;
+}
+/**
+ * SAML configuration for a service (acting as Identity Provider)
+ */
+interface SamlConfig {
+    enabled: boolean;
+    entity_id?: string;
+    acs_url?: string;
+    slo_url?: string;
+    name_id_format?: string;
+    attribute_mapping?: Record<string, string>;
+    sign_assertions: boolean;
+    sign_response: boolean;
+    has_certificate: boolean;
+}
+/**
+ * Configure SAML IdP payload
+ */
+interface ConfigureSamlPayload {
+    enabled: boolean;
+    entity_id: string;
+    acs_url: string;
+    slo_url?: string;
+    name_id_format?: string;
+    attribute_mapping?: Record<string, string>;
+    sign_assertions?: boolean;
+    sign_response?: boolean;
+}
+/**
+ * SAML configuration response
+ */
+interface ConfigureSamlResponse {
+    success: boolean;
+    message: string;
+}
+/**
+ * SAML signing certificate info
+ */
+interface SamlCertificate {
+    public_key: string;
+    valid_from: string;
+    valid_until: string;
+    is_active: boolean;
+    created_at: string;
+}
 /**
  * Invitation entity
@@ -802,6 +1237,10 @@ interface EndUserDetailResponse {
  * List end-users query params
  */
 interface ListEndUsersParams extends PaginationParams {
+    /**
+     * Optional service slug to filter users by a specific service
+     */
+    service_slug?: string;
 }
 /**
  * Revoke sessions response
@@ -1034,7 +1473,8 @@ declare class AuthModule {
      * ```typescript
      * await sso.auth.logout();
      * sso.setAuthToken(null);
-     * localStorage.removeItem('jwt');
+     * localStorage.removeItem('sso_access_token');
+     * localStorage.removeItem('sso_refresh_token');
      * ```
      */
     logout(): Promise<void>;
@@ -1055,8 +1495,8 @@ declare class AuthModule {
      * try {
      *   const tokens = await sso.auth.refreshToken(storedRefreshToken);
      *   sso.setAuthToken(tokens.access_token);
-     *   localStorage.setItem('access_token', tokens.access_token);
-     *   localStorage.setItem('refresh_token', tokens.refresh_token);
+     *   localStorage.setItem('sso_access_token', tokens.access_token);
+     *   localStorage.setItem('sso_refresh_token', tokens.refresh_token);
      * } catch (error) {
      *   // Refresh failed - redirect to login
      *   window.location.href = '/login';
@@ -1078,6 +1518,107 @@ declare class AuthModule {
      * ```
      */
     getProviderToken(provider: OAuthProvider): Promise<ProviderToken>;
+    /**
+     * Register a new user with email and password.
+     * After registration, the user will receive a verification email.
+     *
+     * @param payload Registration details (email and password)
+     * @returns Registration confirmation message
+     *
+     * @example
+     * ```typescript
+     * const response = await sso.auth.register({
+     *   email: 'user@example.com',
+     *   password: 'SecurePassword123!'
+     * });
+     * console.log(response.message);
+     * ```
+     */
+    register(payload: RegisterRequest): Promise<RegisterResponse>;
+    /**
+     * Login with email and password.
+     * Returns access token and refresh token on successful authentication.
+     * The user's email must be verified before login.
+     *
+     * @param payload Login credentials (email and password)
+     * @returns Access token, refresh token, and expiration info
+     *
+     * @example
+     * ```typescript
+     * const tokens = await sso.auth.login({
+     *   email: 'user@example.com',
+     *   password: 'SecurePassword123!'
+     * });
+     * sso.setAuthToken(tokens.access_token);
+     * localStorage.setItem('sso_access_token', tokens.access_token);
+     * localStorage.setItem('sso_refresh_token', tokens.refresh_token);
+     * ```
+     */
+    login(payload: LoginRequest): Promise<RefreshTokenResponse>;
+    /**
+     * Verify MFA code and complete authentication.
+     * This method should be called after login when the user has MFA enabled.
+     * The login will return a pre-auth token with a short expiration (5 minutes).
+     * Exchange the pre-auth token and TOTP code for a full session.
+     *
+     * @param preauthToken The pre-authentication token received from login
+     * @param code The TOTP code from the user's authenticator app or a backup code
+     * @returns Full session tokens (access_token and refresh_token)
+     *
+     * @example
+     * ```typescript
+     * // After login, if MFA is enabled:
+     * const loginResponse = await sso.auth.login({
+     *   email: 'user@example.com',
+     *   password: 'password'
+     * });
+     *
+     * // Check if this is a pre-auth token (expires_in will be 300 seconds = 5 minutes)
+     * if (loginResponse.expires_in === 300) {
+     *   // User needs to provide MFA code
+     *   const mfaCode = prompt('Enter your 6-digit code from authenticator app');
+     *   const tokens = await sso.auth.verifyMfa(loginResponse.access_token, mfaCode);
+     *   sso.setAuthToken(tokens.access_token);
+     *   localStorage.setItem('sso_access_token', tokens.access_token);
+     *   localStorage.setItem('sso_refresh_token', tokens.refresh_token);
+     * }
+     * ```
+     */
+    verifyMfa(preauthToken: string, code: string, deviceCodeId?: string): Promise<MfaVerificationResponse>;
+    /**
+     * Request a password reset for a user account.
+     * If the email exists, a reset link will be sent to the user.
+     * Returns success regardless of whether the email exists (to prevent email enumeration).
+     *
+     * @param payload Forgot password request (email address)
+     * @returns Confirmation message
+     *
+     * @example
+     * ```typescript
+     * const response = await sso.auth.requestPasswordReset({
+     *   email: 'user@example.com'
+     * });
+     * console.log(response.message);
+     * ```
+     */
+    requestPasswordReset(payload: ForgotPasswordRequest): Promise<ForgotPasswordResponse>;
+    /**
+     * Reset a user's password using a reset token from email.
+     * The token is obtained from the password reset email link.
+     *
+     * @param payload Reset password request (token and new password)
+     * @returns Confirmation message
+     *
+     * @example
+     * ```typescript
+     * const response = await sso.auth.resetPassword({
+     *   token: 'reset-token-from-email',
+     *   new_password: 'NewSecurePassword123!'
+     * });
+     * console.log(response.message);
+     * ```
+     */
+    resetPassword(payload: ResetPasswordRequest): Promise<ResetPasswordResponse>;
 }
 /**
@@ -1126,11 +1667,84 @@ declare class IdentitiesModule {
     unlink(provider: string): Promise<void>;
 }
 /**
- * User profile and subscription methods
+ * Multi-Factor Authentication (MFA) methods
+ */
+declare class MfaModule {
+    private http;
+    constructor(http: HttpClient);
+    /**
+     * Get the current MFA status for the authenticated user.
+     *
+     * @returns MFA status
+     *
+     * @example
+     * ```typescript
+     * const status = await sso.user.mfa.getStatus();
+     * console.log(status.enabled); // false
+     * ```
+     */
+    getStatus(): Promise<MfaStatusResponse>;
+    /**
+     * Initiate MFA setup. Generates a TOTP secret and QR code.
+     * The user must complete setup by calling verify() with a code from their authenticator app.
+     *
+     * @returns MFA setup details including QR code
+     *
+     * @example
+     * ```typescript
+     * const setup = await sso.user.mfa.setup();
+     * console.log(setup.qr_code_svg); // Display this QR code to the user
+     * // User scans QR code with authenticator app and enters code to verify
+     * ```
+     */
+    setup(): Promise<MfaSetupResponse>;
+    /**
+     * Verify TOTP code and enable MFA.
+     * Returns backup codes that must be stored securely by the user.
+     *
+     * @param code TOTP code from authenticator app
+     * @returns Verification response with backup codes
+     *
+     * @example
+     * ```typescript
+     * const result = await sso.user.mfa.verify('123456');
+     * console.log(result.backup_codes); // Store these securely!
+     * ```
+     */
+    verify(code: string): Promise<MfaVerifyResponse>;
+    /**
+     * Disable MFA for the authenticated user.
+     *
+     * @example
+     * ```typescript
+     * await sso.user.mfa.disable();
+     * ```
+     */
+    disable(): Promise<{
+        success: boolean;
+        message: string;
+    }>;
+    /**
+     * Regenerate backup codes.
+     * Invalidates all previous backup codes and returns new ones.
+     *
+     * @returns New backup codes
+     *
+     * @example
+     * ```typescript
+     * const { backup_codes } = await sso.user.mfa.regenerateBackupCodes();
+     * console.log(backup_codes); // Store these securely!
+     * ```
+     */
+    regenerateBackupCodes(): Promise<BackupCodesResponse>;
+}
+/**
+ * User profile and subscription methods
  */
 declare class UserModule {
     private http;
     readonly identities: IdentitiesModule;
+    readonly mfa: MfaModule;
     constructor(http: HttpClient);
     /**
      * Get the profile of the currently authenticated user.
@@ -1171,6 +1785,251 @@ declare class UserModule {
      * ```
      */
     getSubscription(): Promise<Subscription>;
+    /**
+     * Change the authenticated user's password.
+     * Requires the current password for verification.
+     *
+     * @param payload Change password request (current and new password)
+     * @returns Confirmation message
+     *
+     * @example
+     * ```typescript
+     * const response = await sso.user.changePassword({
+     *   current_password: 'OldPassword123!',
+     *   new_password: 'NewSecurePassword456!'
+     * });
+     * console.log(response.message);
+     * ```
+     */
+    changePassword(payload: ChangePasswordRequest): Promise<ChangePasswordResponse>;
+    /**
+     * Set a password for the authenticated user (OAuth users only).
+     * This endpoint is for OAuth users who don't have a password yet.
+     * If a password is already set, this will return an error.
+     *
+     * @param payload Set password request (new password only)
+     * @returns Confirmation message
+     *
+     * @example
+     * ```typescript
+     * const response = await sso.user.setPassword({
+     *   new_password: 'MyNewSecurePassword123!'
+     * });
+     * console.log(response.message); // "Password set successfully"
+     * ```
+     */
+    setPassword(payload: SetPasswordRequest): Promise<SetPasswordResponse>;
+}
+/**
+ * Organization audit logs management methods
+ */
+declare class AuditLogsModule {
+    private http;
+    constructor(http: HttpClient);
+    /**
+     * Get audit logs for an organization.
+     * Requires 'owner' or 'admin' role.
+     *
+     * @param orgSlug Organization slug
+     * @param params Optional query parameters for filtering and pagination
+     * @returns Paginated audit log response
+     *
+     * @example
+     * ```typescript
+     * // Get all audit logs
+     * const logs = await sso.organizations.auditLogs.get('acme-corp');
+     *
+     * // Filter by specific action
+     * const userLogs = await sso.organizations.auditLogs.get('acme-corp', {
+     *   action: 'user.role_updated',
+     *   page: 1,
+     *   limit: 20
+     * });
+     *
+     * // Filter by target
+     * const serviceLogs = await sso.organizations.auditLogs.get('acme-corp', {
+     *   target_type: 'service',
+     *   target_id: 'service-123'
+     * });
+     * ```
+     */
+    get(orgSlug: string, params?: AuditLogQueryParams): Promise<AuditLogResponse>;
+    /**
+     * Get available audit event types for filtering.
+     * Requires 'owner' or 'admin' role.
+     *
+     * @param orgSlug Organization slug
+     * @returns Array of event type information
+     *
+     * @example
+     * ```typescript
+     * const eventTypes = await sso.organizations.auditLogs.getEventTypes('acme-corp');
+     *
+     * // Group by category for UI display
+     * const byCategory = eventTypes.reduce((acc, event) => {
+     *   if (!acc[event.category]) {
+     *     acc[event.category] = [];
+     *   }
+     *   acc[event.category].push(event);
+     *   return acc;
+     * }, {});
+     * ```
+     */
+    getEventTypes(orgSlug: string): Promise<EventTypeInfo[]>;
+}
+/**
+ * Organization webhooks management methods
+ */
+declare class WebhooksModule {
+    private http;
+    constructor(http: HttpClient);
+    /**
+     * Create a new webhook for an organization.
+     * Requires 'owner' or 'admin' role.
+     *
+     * @param orgSlug Organization slug
+     * @param webhook Webhook creation payload
+     * @returns Created webhook details
+     *
+     * @example
+     * ```typescript
+     * const webhook = await sso.organizations.webhooks.create('acme-corp', {
+     *   name: 'User Activity',
+     *   url: 'https://api.example.com/webhooks',
+     *   events: ['user.invited', 'user.joined', 'user.removed']
+     * });
+     * console.log('Created webhook:', webhook.id);
+     * ```
+     */
+    create(orgSlug: string, webhook: CreateWebhookRequest): Promise<WebhookResponse>;
+    /**
+     * List all webhooks for an organization.
+     * Requires 'owner' or 'admin' role.
+     *
+     * @param orgSlug Organization slug
+     * @returns List of webhooks with total count
+     *
+     * @example
+     * ```typescript
+     * const { webhooks, total } = await sso.organizations.webhooks.list('acme-corp');
+     * console.log(`Found ${total} webhooks`);
+     * webhooks.forEach(w => console.log(w.name, w.is_active));
+     * ```
+     */
+    list(orgSlug: string): Promise<WebhookListResponse>;
+    /**
+     * Get a specific webhook by ID.
+     * Requires 'owner' or 'admin' role.
+     *
+     * @param orgSlug Organization slug
+     * @param webhookId Webhook ID
+     * @returns Webhook details
+     *
+     * @example
+     * ```typescript
+     * const webhook = await sso.organizations.webhooks.get('acme-corp', 'webhook-123');
+     * console.log('Webhook URL:', webhook.url);
+     * console.log('Subscribed events:', webhook.events);
+     * ```
+     */
+    get(orgSlug: string, webhookId: string): Promise<WebhookResponse>;
+    /**
+     * Update an existing webhook.
+     * Requires 'owner' or 'admin' role.
+     *
+     * @param orgSlug Organization slug
+     * @param webhookId Webhook ID
+     * @param updates Partial webhook update payload
+     * @returns Updated webhook details
+     *
+     * @example
+     * ```typescript
+     * // Update webhook URL and add new events
+     * const updated = await sso.organizations.webhooks.update('acme-corp', 'webhook-123', {
+     *   url: 'https://api.example.com/webhooks/v2',
+     *   events: ['user.invited', 'user.joined', 'user.removed', 'user.role_updated']
+     * });
+     *
+     * // Deactivate webhook temporarily
+     * await sso.organizations.webhooks.update('acme-corp', 'webhook-123', {
+     *   is_active: false
+     * });
+     * ```
+     */
+    update(orgSlug: string, webhookId: string, updates: UpdateWebhookRequest): Promise<WebhookResponse>;
+    /**
+     * Delete a webhook.
+     * Requires 'owner' or 'admin' role.
+     * This will also delete all delivery history for this webhook.
+     *
+     * @param orgSlug Organization slug
+     * @param webhookId Webhook ID
+     *
+     * @example
+     * ```typescript
+     * await sso.organizations.webhooks.delete('acme-corp', 'webhook-123');
+     * console.log('Webhook deleted successfully');
+     * ```
+     */
+    delete(orgSlug: string, webhookId: string): Promise<void>;
+    /**
+     * Get delivery history for a specific webhook.
+     * Requires 'owner' or 'admin' role.
+     *
+     * @param orgSlug Organization slug
+     * @param webhookId Webhook ID
+     * @param params Optional query parameters for filtering and pagination
+     * @returns Paginated webhook delivery response
+     *
+     * @example
+     * ```typescript
+     * // Get all delivery attempts
+     * const deliveries = await sso.organizations.webhooks.getDeliveries('acme-corp', 'webhook-123');
+     *
+     * // Get only failed deliveries
+     * const failed = await sso.organizations.webhooks.getDeliveries('acme-corp', 'webhook-123', {
+     *   delivered: false,
+     *   page: 1,
+     *   limit: 20
+     * });
+     *
+     * // Get deliveries for specific event type
+     * const userEvents = await sso.organizations.webhooks.getDeliveries('acme-corp', 'webhook-123', {
+     *   event_type: 'user.invited'
+     * });
+     * ```
+     */
+    getDeliveries(orgSlug: string, webhookId: string, params?: WebhookDeliveryQueryParams): Promise<WebhookDeliveryListResponse>;
+    /**
+     * Get available webhook event types that can be subscribed to.
+     * Requires 'owner' or 'admin' role.
+     *
+     * @param orgSlug Organization slug
+     * @returns Array of available event types with categories
+     *
+     * @example
+     * ```typescript
+     * const eventTypes = await sso.organizations.webhooks.getEventTypes('acme-corp');
+     *
+     * // Group events by category for UI display
+     * const byCategory = eventTypes.reduce((acc, event) => {
+     *   if (!acc[event.category]) {
+     *     acc[event.category] = [];
+     *   }
+     *   acc[event.category].push(event);
+     *   return acc;
+     * }, {});
+     *
+     * // Display available events
+     * Object.entries(byCategory).forEach(([category, events]) => {
+     *   console.log(`\n${category}:`);
+     *   events.forEach(e => console.log(`  - ${e.label} (${e.value})`));
+     * });
+     * ```
+     */
+    getEventTypes(orgSlug: string): Promise<EventTypeInfo[]>;
 }
 /**
@@ -1179,6 +2038,14 @@ declare class UserModule {
 declare class OrganizationsModule {
     private http;
     constructor(http: HttpClient);
+    /**
+     * Audit logs management
+     */
+    auditLogs: AuditLogsModule;
+    /**
+     * Webhooks management
+     */
+    webhooks: WebhooksModule;
     /**
      * Create a new organization (public endpoint).
      * The organization will be created with 'pending' status and requires
@@ -1243,6 +2110,26 @@ declare class OrganizationsModule {
      * ```
      */
     update(orgSlug: string, payload: UpdateOrganizationPayload): Promise<OrganizationResponse>;
+    /**
+     * Delete an organization and all its associated data.
+     * This is a destructive operation that cannot be undone.
+     * Requires 'owner' role.
+     *
+     * All related data will be cascaded deleted including:
+     * - Members and invitations
+     * - Services and plans
+     * - Subscriptions
+     * - OAuth credentials
+     * - Audit logs
+     *
+     * @param orgSlug Organization slug
+     *
+     * @example
+     * ```typescript
+     * await sso.organizations.delete('acme-corp');
+     * ```
+     */
+    delete(orgSlug: string): Promise<void>;
     /**
      * Member management methods
      */
@@ -1314,19 +2201,28 @@ declare class OrganizationsModule {
     endUsers: {
         /**
          * List all end-users for an organization.
-         * End-users are customers who have subscriptions to the organization's services.
+         * Returns users who have identities (logged in) or subscriptions for the organization's services.
          *
          * @param orgSlug Organization slug
-         * @param params Optional query parameters for pagination
-         * @returns Paginated list of end-users with their subscriptions
+         * @param params Optional query parameters for pagination and filtering
+         * @param params.service_slug Optional service slug to filter users by a specific service
+         * @returns Paginated list of end-users with their subscriptions and identities
          *
          * @example
          * ```typescript
-         * const endUsers = await sso.organizations.endUsers.list('acme-corp', {
+         * // List all end-users across all services
+         * const allUsers = await sso.organizations.endUsers.list('acme-corp', {
+         *   page: 1,
+         *   limit: 20
+         * });
+         *
+         * // Filter by specific service
+         * const serviceUsers = await sso.organizations.endUsers.list('acme-corp', {
+         *   service_slug: 'my-app',
          *   page: 1,
          *   limit: 20
          * });
-         * console.log(`Total end-users: ${endUsers.total}`);
+         * console.log(`Total end-users: ${allUsers.total}`);
          * ```
          */
         list: (orgSlug: string, params?: ListEndUsersParams) => Promise<EndUserListResponse>;
@@ -1366,168 +2262,629 @@ declare class OrganizationsModule {
      */
     oauthCredentials: {
         /**
-         * Set or update custom OAuth credentials for a provider.
-         * This enables white-labeled authentication using the organization's
-         * own OAuth application.
+         * Set or update custom OAuth credentials for a provider.
+         * This enables white-labeled authentication using the organization's
+         * own OAuth application.
+         * Requires 'owner' or 'admin' role.
+         *
+         * @param orgSlug Organization slug
+         * @param provider OAuth provider
+         * @param payload OAuth credentials
+         * @returns Created/updated credentials (without secret)
+         *
+         * @example
+         * ```typescript
+         * await sso.organizations.oauthCredentials.set('acme-corp', 'github', {
+         *   client_id: 'Iv1.abc123',
+         *   client_secret: 'secret-value'
+         * });
+         * ```
+         */
+        set: (orgSlug: string, provider: OAuthProvider, payload: SetOAuthCredentialsPayload) => Promise<OAuthCredentials>;
+        /**
+         * Get the configured OAuth credentials for a provider.
+         * The secret is never returned.
+         *
+         * @param orgSlug Organization slug
+         * @param provider OAuth provider
+         * @returns OAuth credentials (without secret)
+         *
+         * @example
+         * ```typescript
+         * const creds = await sso.organizations.oauthCredentials.get('acme-corp', 'github');
+         * console.log(creds.client_id);
+         * ```
+         */
+        get: (orgSlug: string, provider: OAuthProvider) => Promise<OAuthCredentials>;
+    };
+    /**
+     * Configure SMTP settings for an organization.
+     * Only owners and admins can configure SMTP.
+     * The organization will use these settings for sending transactional emails
+     * (registration, password reset, etc.).
+     *
+     * @param orgSlug Organization slug
+     * @param config SMTP configuration
+     * @returns Success message
+     *
+     * @example
+     * ```typescript
+     * await sso.organizations.setSmtp('acme-corp', {
+     *   host: 'smtp.gmail.com',
+     *   port: 587,
+     *   username: 'notifications@acme.com',
+     *   password: 'your-app-password',
+     *   from_email: 'notifications@acme.com',
+     *   from_name: 'Acme Corp'
+     * });
+     * ```
+     */
+    setSmtp(orgSlug: string, config: SetSmtpRequest): Promise<{
+        message: string;
+    }>;
+    /**
+     * Get SMTP configuration for an organization.
+     * Only owners and admins can view SMTP settings.
+     * Password is never returned for security reasons.
+     *
+     * @param orgSlug Organization slug
+     * @returns SMTP configuration (without password)
+     *
+     * @example
+     * ```typescript
+     * const config = await sso.organizations.getSmtp('acme-corp');
+     * if (config.configured) {
+     *   console.log('SMTP host:', config.host);
+     * }
+     * ```
+     */
+    getSmtp(orgSlug: string): Promise<SmtpConfigResponse>;
+    /**
+     * Delete SMTP configuration for an organization.
+     * The organization will revert to using platform-level SMTP.
+     * Only owners and admins can delete SMTP settings.
+     *
+     * @param orgSlug Organization slug
+     * @returns Success message
+     *
+     * @example
+     * ```typescript
+     * await sso.organizations.deleteSmtp('acme-corp');
+     * // Organization now uses platform SMTP
+     * ```
+     */
+    deleteSmtp(orgSlug: string): Promise<{
+        message: string;
+    }>;
+    /**
+     * Set a custom domain for an organization.
+     * This enables white-labeling by allowing the organization to use their own domain
+     * (e.g., auth.acme.com) instead of the platform's domain.
+     * Requires 'owner' or 'admin' role.
+     *
+     * @param orgSlug Organization slug
+     * @param request Custom domain request
+     * @returns Domain verification instructions
+     *
+     * @example
+     * ```typescript
+     * const verification = await sso.organizations.setCustomDomain('acme-corp', {
+     *   domain: 'auth.acme.com'
+     * });
+     * console.log('Verification token:', verification.verification_token);
+     * verification.verification_methods.forEach(method => {
+     *   console.log(method.method, method.instructions);
+     * });
+     * ```
+     */
+    setCustomDomain(orgSlug: string, request: SetCustomDomainRequest): Promise<DomainVerificationResponse>;
+    /**
+     * Verify a custom domain by checking DNS TXT record or HTTP file.
+     * Requires 'owner' or 'admin' role.
+     *
+     * @param orgSlug Organization slug
+     * @returns Verification result
+     *
+     * @example
+     * ```typescript
+     * const result = await sso.organizations.verifyCustomDomain('acme-corp');
+     * if (result.verified) {
+     *   console.log('Domain verified successfully!');
+     * } else {
+     *   console.log('Verification failed:', result.message);
+     * }
+     * ```
+     */
+    verifyCustomDomain(orgSlug: string): Promise<DomainVerificationResult>;
+    /**
+     * Get custom domain configuration for an organization.
+     *
+     * @param orgSlug Organization slug
+     * @returns Domain configuration
+     *
+     * @example
+     * ```typescript
+     * const config = await sso.organizations.getDomainConfiguration('acme-corp');
+     * if (config.custom_domain && config.domain_verified) {
+     *   console.log('Custom domain active:', config.custom_domain);
+     * }
+     * ```
+     */
+    getDomainConfiguration(orgSlug: string): Promise<DomainConfiguration>;
+    /**
+     * Delete custom domain configuration.
+     * Requires 'owner' or 'admin' role.
+     *
+     * @param orgSlug Organization slug
+     *
+     * @example
+     * ```typescript
+     * await sso.organizations.deleteCustomDomain('acme-corp');
+     * // Organization reverts to using platform domain
+     * ```
+     */
+    deleteCustomDomain(orgSlug: string): Promise<void>;
+    /**
+     * Update branding configuration (logo and primary color).
+     * This controls the visual appearance of authentication pages.
+     * Requires 'owner' or 'admin' role.
+     *
+     * @param orgSlug Organization slug
+     * @param request Branding configuration
+     * @returns Updated branding configuration
+     *
+     * @example
+     * ```typescript
+     * await sso.organizations.updateBranding('acme-corp', {
+     *   logo_url: 'https://cdn.acme.com/logo.png',
+     *   primary_color: '#FF5733'
+     * });
+     * ```
+     */
+    updateBranding(orgSlug: string, request: UpdateBrandingRequest): Promise<BrandingConfiguration>;
+    /**
+     * Get branding configuration for an organization.
+     *
+     * @param orgSlug Organization slug
+     * @returns Branding configuration
+     *
+     * @example
+     * ```typescript
+     * const branding = await sso.organizations.getBranding('acme-corp');
+     * if (branding.logo_url) {
+     *   console.log('Logo URL:', branding.logo_url);
+     * }
+     * ```
+     */
+    getBranding(orgSlug: string): Promise<BrandingConfiguration>;
+    /**
+     * Get public branding configuration (no authentication required).
+     * This endpoint is used by login pages to display organization branding.
+     *
+     * @param orgSlug Organization slug
+     * @returns Branding configuration
+     *
+     * @example
+     * ```typescript
+     * // Can be called without authentication
+     * const branding = await sso.organizations.getPublicBranding('acme-corp');
+     * ```
+     */
+    getPublicBranding(orgSlug: string): Promise<BrandingConfiguration>;
+}
+/**
+ * Service management methods
+ */
+declare class ServicesModule {
+    private http;
+    constructor(http: HttpClient);
+    /**
+     * Create a new service for an organization.
+     * Requires 'owner' or 'admin' role.
+     *
+     * @param orgSlug Organization slug
+     * @param payload Service creation payload
+     * @returns Created service with details
+     *
+     * @example
+     * ```typescript
+     * const result = await sso.services.create('acme-corp', {
+     *   slug: 'main-app',
+     *   name: 'Main Application',
+     *   service_type: 'web',
+     *   github_scopes: ['user:email', 'read:org'],
+     *   redirect_uris: ['https://app.acme.com/callback']
+     * });
+     * console.log(result.service.client_id);
+     * ```
+     */
+    create(orgSlug: string, payload: CreateServicePayload): Promise<CreateServiceResponse>;
+    /**
+     * List all services for an organization.
+     *
+     * @param orgSlug Organization slug
+     * @returns Service list response with usage metadata
+     *
+     * @example
+     * ```typescript
+     * const result = await sso.services.list('acme-corp');
+     * console.log(`Using ${result.usage.current_services} of ${result.usage.max_services} services`);
+     * result.services.forEach(svc => console.log(svc.name, svc.client_id));
+     * ```
+     */
+    list(orgSlug: string): Promise<ServiceListResponse>;
+    /**
+     * Get detailed information for a specific service.
+     *
+     * @param orgSlug Organization slug
+     * @param serviceSlug Service slug
+     * @returns Service with provider grants and plans
+     *
+     * @example
+     * ```typescript
+     * const service = await sso.services.get('acme-corp', 'main-app');
+     * console.log(service.service.redirect_uris);
+     * console.log(service.plans);
+     * ```
+     */
+    get(orgSlug: string, serviceSlug: string): Promise<ServiceResponse>;
+    /**
+     * Update service configuration.
+     * Requires 'owner' or 'admin' role.
+     *
+     * @param orgSlug Organization slug
+     * @param serviceSlug Service slug
+     * @param payload Update payload
+     * @returns Updated service
+     *
+     * @example
+     * ```typescript
+     * const updated = await sso.services.update('acme-corp', 'main-app', {
+     *   name: 'Main Application v2',
+     *   redirect_uris: ['https://app.acme.com/callback', 'https://app.acme.com/oauth']
+     * });
+     * ```
+     */
+    update(orgSlug: string, serviceSlug: string, payload: UpdateServicePayload): Promise<Service>;
+    /**
+     * Delete a service.
+     * Requires 'owner' role.
+     *
+     * @param orgSlug Organization slug
+     * @param serviceSlug Service slug
+     *
+     * @example
+     * ```typescript
+     * await sso.services.delete('acme-corp', 'old-app');
+     * ```
+     */
+    delete(orgSlug: string, serviceSlug: string): Promise<void>;
+    /**
+     * Plan management methods
+     */
+    plans: {
+        /**
+         * Create a new subscription plan for a service.
+         * Requires 'owner' or 'admin' role.
+         *
+         * @param orgSlug Organization slug
+         * @param serviceSlug Service slug
+         * @param payload Plan creation payload
+         * @returns Created plan with subscription count
+         *
+         * @example
+         * ```typescript
+         * const result = await sso.services.plans.create('acme-corp', 'main-app', {
+         *   name: 'pro',
+         *   price_cents: 2999,
+         *   currency: 'usd',
+         *   features: ['api-access', 'advanced-analytics', 'priority-support']
+         * });
+         * console.log(result.plan.name, result.subscription_count);
+         * ```
+         */
+        create: (orgSlug: string, serviceSlug: string, payload: CreatePlanPayload) => Promise<PlanResponse>;
+        /**
+         * List all plans for a service.
+         *
+         * @param orgSlug Organization slug
+         * @param serviceSlug Service slug
+         * @returns Array of plans with subscription counts
+         *
+         * @example
+         * ```typescript
+         * const plans = await sso.services.plans.list('acme-corp', 'main-app');
+         * plans.forEach(p => console.log(p.plan.name, p.subscription_count));
+         * ```
+         */
+        list: (orgSlug: string, serviceSlug: string) => Promise<PlanResponse[]>;
+        /**
+         * Update a subscription plan.
+         * Requires 'owner' or 'admin' role.
+         *
+         * @param orgSlug Organization slug
+         * @param serviceSlug Service slug
+         * @param planId Plan ID
+         * @param payload Plan update payload
+         * @returns Updated plan with subscription count
+         *
+         * @example
+         * ```typescript
+         * const result = await sso.services.plans.update('acme-corp', 'main-app', 'plan_123', {
+         *   name: 'Pro Plus',
+         *   price_cents: 3999,
+         *   currency: 'usd',
+         *   features: ['api-access', 'advanced-analytics', 'priority-support', 'custom-integrations']
+         * });
+         * console.log('Updated plan:', result.plan.name);
+         * ```
+         */
+        update: (orgSlug: string, serviceSlug: string, planId: string, payload: UpdatePlanPayload) => Promise<PlanResponse>;
+        /**
+         * Delete a subscription plan.
+         * Requires 'owner' or 'admin' role.
+         *
+         * WARNING: This will fail if the plan has active subscriptions.
+         * You must migrate or cancel all subscriptions before deleting a plan.
+         *
+         * @param orgSlug Organization slug
+         * @param serviceSlug Service slug
+         * @param planId Plan ID
+         *
+         * @example
+         * ```typescript
+         * try {
+         *   await sso.services.plans.delete('acme-corp', 'main-app', 'plan_123');
+         *   console.log('Plan deleted successfully');
+         * } catch (error) {
+         *   console.error('Cannot delete plan with active subscriptions');
+         * }
+         * ```
+         */
+        delete: (orgSlug: string, serviceSlug: string, planId: string) => Promise<void>;
+    };
+    /**
+     * API Key management methods for service-to-service authentication
+     */
+    apiKeys: {
+        /**
+         * Create a new API key for a service.
+         * Requires 'owner' or 'admin' role.
+         *
+         * IMPORTANT: The full API key is only returned once upon creation.
+         * Store it securely as it cannot be retrieved again.
+         *
+         * @param orgSlug Organization slug
+         * @param serviceSlug Service slug
+         * @param payload API key creation payload
+         * @returns Created API key with the full key value
+         *
+         * @example
+         * ```typescript
+         * const apiKey = await sso.services.apiKeys.create('acme-corp', 'main-app', {
+         *   name: 'Production Backend',
+         *   permissions: ['read:users', 'write:subscriptions'],
+         *   expires_in_days: 90
+         * });
+         *
+         * // IMPORTANT: Store this key securely - it won't be shown again
+         * console.log('API Key:', apiKey.key);
+         * console.log('Prefix:', apiKey.prefix);
+         * ```
+         */
+        create: (orgSlug: string, serviceSlug: string, payload: CreateApiKeyPayload) => Promise<ApiKeyCreateResponse>;
+        /**
+         * List all API keys for a service.
+         * Note: The full key values are not included in this response.
+         *
+         * @param orgSlug Organization slug
+         * @param serviceSlug Service slug
+         * @param options Optional query parameters for pagination
+         * @returns List of API keys with metadata
+         *
+         * @example
+         * ```typescript
+         * const result = await sso.services.apiKeys.list('acme-corp', 'main-app', {
+         *   limit: 50,
+         *   offset: 0
+         * });
+         *
+         * console.log(`Total API keys: ${result.total}`);
+         * result.api_keys.forEach(key => {
+         *   console.log(`${key.name} (${key.prefix})`);
+         *   console.log(`Permissions: ${key.permissions.join(', ')}`);
+         *   console.log(`Last used: ${key.last_used_at || 'Never'}`);
+         * });
+         * ```
+         */
+        list: (orgSlug: string, serviceSlug: string, options?: {
+            limit?: number;
+            offset?: number;
+        }) => Promise<ListApiKeysResponse>;
+        /**
+         * Get details for a specific API key.
+         * Note: The full key value is not included in this response.
+         *
+         * @param orgSlug Organization slug
+         * @param serviceSlug Service slug
+         * @param apiKeyId API key ID
+         * @returns API key details
+         *
+         * @example
+         * ```typescript
+         * const apiKey = await sso.services.apiKeys.get('acme-corp', 'main-app', 'key_abc123');
+         * console.log(`Name: ${apiKey.name}`);
+         * console.log(`Permissions: ${apiKey.permissions.join(', ')}`);
+         * console.log(`Expires: ${apiKey.expires_at || 'Never'}`);
+         * ```
+         */
+        get: (orgSlug: string, serviceSlug: string, apiKeyId: string) => Promise<ApiKey>;
+        /**
+         * Delete an API key.
+         * Requires 'owner' or 'admin' role.
+         *
+         * WARNING: This action is immediate and cannot be undone.
+         * Any services using this key will lose access immediately.
+         *
+         * @param orgSlug Organization slug
+         * @param serviceSlug Service slug
+         * @param apiKeyId API key ID
+         *
+         * @example
+         * ```typescript
+         * await sso.services.apiKeys.delete('acme-corp', 'main-app', 'key_abc123');
+         * console.log('API key deleted successfully');
+         * ```
+         */
+        delete: (orgSlug: string, serviceSlug: string, apiKeyId: string) => Promise<void>;
+    };
+    /**
+     * SAML 2.0 Identity Provider (IdP) management methods
+     *
+     * Configure your service as a SAML IdP to enable SSO into third-party applications
+     * (Salesforce, AWS, Google Workspace, etc.)
+     */
+    saml: {
+        /**
+         * Configure SAML IdP settings for a service.
+         * Requires 'owner' or 'admin' role.
+         *
+         * @param orgSlug Organization slug
+         * @param serviceSlug Service slug
+         * @param payload SAML configuration payload
+         * @returns Configuration success response
+         *
+         * @example
+         * ```typescript
+         * const result = await sso.services.saml.configure('acme-corp', 'main-app', {
+         *   enabled: true,
+         *   entity_id: 'https://salesforce.example.com',
+         *   acs_url: 'https://salesforce.example.com/saml/acs',
+         *   name_id_format: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+         *   attribute_mapping: {
+         *     email: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
+         *   },
+         *   sign_assertions: true,
+         *   sign_response: true
+         * });
+         * ```
+         */
+        configure: (orgSlug: string, serviceSlug: string, payload: ConfigureSamlPayload) => Promise<ConfigureSamlResponse>;
+        /**
+         * Get current SAML IdP configuration for a service.
+         *
+         * @param orgSlug Organization slug
+         * @param serviceSlug Service slug
+         * @returns Current SAML configuration
+         *
+         * @example
+         * ```typescript
+         * const config = await sso.services.saml.getConfig('acme-corp', 'main-app');
+         * if (config.enabled && config.has_certificate) {
+         *   console.log('SAML IdP is ready');
+         *   console.log('Entity ID:', config.entity_id);
+         *   console.log('ACS URL:', config.acs_url);
+         * }
+         * ```
+         */
+        getConfig: (orgSlug: string, serviceSlug: string) => Promise<SamlConfig>;
+        /**
+         * Delete SAML IdP configuration and deactivate all certificates.
+         * Requires 'owner' or 'admin' role.
+         *
+         * WARNING: This will break SSO for all third-party applications using this IdP.
+         *
+         * @param orgSlug Organization slug
+         * @param serviceSlug Service slug
+         *
+         * @example
+         * ```typescript
+         * await sso.services.saml.deleteConfig('acme-corp', 'main-app');
+         * console.log('SAML IdP configuration deleted');
+         * ```
+         */
+        deleteConfig: (orgSlug: string, serviceSlug: string) => Promise<ConfigureSamlResponse>;
+        /**
+         * Generate a new SAML signing certificate for the IdP.
          * Requires 'owner' or 'admin' role.
          *
+         * IMPORTANT: This automatically deactivates any existing active certificates.
+         * Provide the returned certificate to your Service Provider during SAML setup.
+         *
          * @param orgSlug Organization slug
-         * @param provider OAuth provider
-         * @param payload OAuth credentials
-         * @returns Created/updated credentials (without secret)
+         * @param serviceSlug Service slug
+         * @returns Certificate information including public key
          *
          * @example
          * ```typescript
-         * await sso.organizations.oauthCredentials.set('acme-corp', 'github', {
-         *   client_id: 'Iv1.abc123',
-         *   client_secret: 'secret-value'
-         * });
+         * const cert = await sso.services.saml.generateCertificate('acme-corp', 'main-app');
+         * console.log('Certificate generated, valid until:', cert.valid_until);
+         * console.log('Public certificate:\n', cert.public_key);
+         * // Provide cert.public_key to your Service Provider
          * ```
          */
-        set: (orgSlug: string, provider: OAuthProvider, payload: SetOAuthCredentialsPayload) => Promise<OAuthCredentials>;
+        generateCertificate: (orgSlug: string, serviceSlug: string) => Promise<SamlCertificate>;
         /**
-         * Get the configured OAuth credentials for a provider.
-         * The secret is never returned.
+         * Get the active SAML signing certificate.
          *
          * @param orgSlug Organization slug
-         * @param provider OAuth provider
-         * @returns OAuth credentials (without secret)
+         * @param serviceSlug Service slug
+         * @returns Active certificate information
          *
          * @example
          * ```typescript
-         * const creds = await sso.organizations.oauthCredentials.get('acme-corp', 'github');
-         * console.log(creds.client_id);
+         * try {
+         *   const cert = await sso.services.saml.getCertificate('acme-corp', 'main-app');
+         *   console.log('Certificate expires:', cert.valid_until);
+         * } catch (error) {
+         *   console.log('No active certificate - generate one first');
+         * }
          * ```
          */
-        get: (orgSlug: string, provider: OAuthProvider) => Promise<OAuthCredentials>;
-    };
-}
-/**
- * Service management methods
- */
-declare class ServicesModule {
-    private http;
-    constructor(http: HttpClient);
-    /**
-     * Create a new service for an organization.
-     * Requires 'owner' or 'admin' role.
-     *
-     * @param orgSlug Organization slug
-     * @param payload Service creation payload
-     * @returns Created service with details
-     *
-     * @example
-     * ```typescript
-     * const result = await sso.services.create('acme-corp', {
-     *   slug: 'main-app',
-     *   name: 'Main Application',
-     *   service_type: 'web',
-     *   github_scopes: ['user:email', 'read:org'],
-     *   redirect_uris: ['https://app.acme.com/callback']
-     * });
-     * console.log(result.service.client_id);
-     * ```
-     */
-    create(orgSlug: string, payload: CreateServicePayload): Promise<CreateServiceResponse>;
-    /**
-     * List all services for an organization.
-     *
-     * @param orgSlug Organization slug
-     * @returns Service list response with usage metadata
-     *
-     * @example
-     * ```typescript
-     * const result = await sso.services.list('acme-corp');
-     * console.log(`Using ${result.usage.current_services} of ${result.usage.max_services} services`);
-     * result.services.forEach(svc => console.log(svc.name, svc.client_id));
-     * ```
-     */
-    list(orgSlug: string): Promise<ServiceListResponse>;
-    /**
-     * Get detailed information for a specific service.
-     *
-     * @param orgSlug Organization slug
-     * @param serviceSlug Service slug
-     * @returns Service with provider grants and plans
-     *
-     * @example
-     * ```typescript
-     * const service = await sso.services.get('acme-corp', 'main-app');
-     * console.log(service.service.redirect_uris);
-     * console.log(service.plans);
-     * ```
-     */
-    get(orgSlug: string, serviceSlug: string): Promise<ServiceResponse>;
-    /**
-     * Update service configuration.
-     * Requires 'owner' or 'admin' role.
-     *
-     * @param orgSlug Organization slug
-     * @param serviceSlug Service slug
-     * @param payload Update payload
-     * @returns Updated service
-     *
-     * @example
-     * ```typescript
-     * const updated = await sso.services.update('acme-corp', 'main-app', {
-     *   name: 'Main Application v2',
-     *   redirect_uris: ['https://app.acme.com/callback', 'https://app.acme.com/oauth']
-     * });
-     * ```
-     */
-    update(orgSlug: string, serviceSlug: string, payload: UpdateServicePayload): Promise<Service>;
-    /**
-     * Delete a service.
-     * Requires 'owner' role.
-     *
-     * @param orgSlug Organization slug
-     * @param serviceSlug Service slug
-     *
-     * @example
-     * ```typescript
-     * await sso.services.delete('acme-corp', 'old-app');
-     * ```
-     */
-    delete(orgSlug: string, serviceSlug: string): Promise<void>;
-    /**
-     * Plan management methods
-     */
-    plans: {
+        getCertificate: (orgSlug: string, serviceSlug: string) => Promise<SamlCertificate>;
         /**
-         * Create a new subscription plan for a service.
-         * Requires 'owner' or 'admin' role.
+         * Get the SAML IdP metadata URL for this service.
+         * This URL can be provided to Service Providers for automatic configuration.
          *
+         * @param baseURL SSO platform base URL
          * @param orgSlug Organization slug
          * @param serviceSlug Service slug
-         * @param payload Plan creation payload
-         * @returns Created plan
+         * @returns Metadata URL
          *
          * @example
          * ```typescript
-         * const plan = await sso.services.plans.create('acme-corp', 'main-app', {
-         *   name: 'pro',
-         *   description: 'Pro tier with advanced features',
-         *   price_monthly: 29.99,
-         *   features: ['api-access', 'advanced-analytics', 'priority-support']
-         * });
+         * const metadataUrl = sso.services.saml.getMetadataUrl(
+         *   'https://sso.example.com',
+         *   'acme-corp',
+         *   'main-app'
+         * );
+         * console.log('Provide this URL to your SP:', metadataUrl);
+         * // https://sso.example.com/saml/acme-corp/main-app/metadata
          * ```
          */
-        create: (orgSlug: string, serviceSlug: string, payload: CreatePlanPayload) => Promise<Plan>;
+        getMetadataUrl: (baseURL: string, orgSlug: string, serviceSlug: string) => string;
         /**
-         * List all plans for a service.
+         * Get the SAML SSO endpoint URL for this service.
+         * This is where Service Providers should redirect users to initiate SSO.
          *
+         * @param baseURL SSO platform base URL
          * @param orgSlug Organization slug
          * @param serviceSlug Service slug
-         * @returns Array of plans
+         * @returns SSO endpoint URL
          *
          * @example
          * ```typescript
-         * const plans = await sso.services.plans.list('acme-corp', 'main-app');
-         * plans.forEach(plan => console.log(plan.name, plan.price_monthly));
+         * const ssoUrl = sso.services.saml.getSsoUrl(
+         *   'https://sso.example.com',
+         *   'acme-corp',
+         *   'main-app'
+         * );
+         * console.log('SSO endpoint:', ssoUrl);
+         * // https://sso.example.com/saml/acme-corp/main-app/sso
          * ```
          */
-        list: (orgSlug: string, serviceSlug: string) => Promise<Plan[]>;
+        getSsoUrl: (baseURL: string, orgSlug: string, serviceSlug: string) => string;
     };
 }
@@ -1730,6 +3087,31 @@ declare class PlatformModule {
          * ```
          */
         updateTier: (orgId: string, payload: UpdateOrganizationTierPayload) => Promise<Organization>;
+        /**
+         * Delete an organization and all its associated data.
+         * This is a destructive operation that cannot be undone.
+         * Only platform owners can delete organizations.
+         *
+         * All related data will be cascaded deleted including:
+         * - Members and invitations
+         * - Services and plans
+         * - Subscriptions
+         * - OAuth credentials
+         * - Audit logs
+         *
+         * @param orgId Organization ID
+         * @returns Success confirmation
+         *
+         * @example
+         * ```typescript
+         * const result = await sso.platform.organizations.delete('org-id');
+         * console.log(result.message); // 'Organization deleted successfully'
+         * ```
+         */
+        delete: (orgId: string) => Promise<{
+            success: boolean;
+            message: string;
+        }>;
     };
     /**
      * Promote an existing user to platform owner.
@@ -1755,6 +3137,70 @@ declare class PlatformModule {
      * ```
      */
     demoteOwner(userId: string): Promise<void>;
+    /**
+     * User MFA management methods for platform administrators
+     */
+    users: {
+        /**
+         * Get MFA status for a specific user.
+         *
+         * @param userId The ID of the user
+         * @returns MFA status information
+         *
+         * @example
+         * ```typescript
+         * const mfaStatus = await sso.platform.users.getMfaStatus('user-uuid-here');
+         * console.log(mfaStatus.enabled, mfaStatus.has_backup_codes);
+         * ```
+         */
+        getMfaStatus: (userId: string) => Promise<{
+            enabled: boolean;
+            has_backup_codes: boolean;
+        }>;
+        /**
+         * Search users by email address or user ID.
+         *
+         * @param query The search query (email or user ID)
+         * @param limit Optional maximum number of results (default: 10, max: 50)
+         * @returns Array of matching users
+         *
+         * @example
+         * ```typescript
+         * const users = await sso.platform.users.search('john@example.com');
+         * console.log(users); // [{ id: 'user-uuid', email: 'john@example.com', ... }]
+         *
+         * // Search by user ID
+         * const users = await sso.platform.users.search('user-uuid-here');
+         *
+         * // Limit results
+         * const users = await sso.platform.users.search('john@', { limit: 5 });
+         * ```
+         */
+        search: (query: string, options?: {
+            limit?: number;
+        }) => Promise<Array<{
+            id: string;
+            email: string;
+            is_platform_owner: boolean;
+            created_at: string;
+        }>>;
+        /**
+         * Force disable MFA for a user (emergency access).
+         *
+         * @param userId The ID of the user
+         * @returns Success confirmation
+         *
+         * @example
+         * ```typescript
+         * await sso.platform.users.forceDisableMfa('user-uuid-here');
+         * console.log('MFA disabled for user');
+         * ```
+         */
+        forceDisableMfa: (userId: string) => Promise<{
+            success: boolean;
+            message: string;
+        }>;
+    };
     /**
      * Retrieve the platform-wide audit log with optional filters.
      *
@@ -1858,6 +3304,155 @@ declare class PlatformModule {
     };
 }
+/**
+ * Request body for creating a user
+ */
+interface CreateUserRequest {
+    email: string;
+}
+/**
+ * Request body for updating a user
+ */
+interface UpdateUserRequest {
+    email?: string;
+}
+/**
+ * Request body for creating a subscription
+ */
+interface CreateSubscriptionRequest {
+    user_id: string;
+    plan_id: string;
+    status?: string;
+    current_period_end?: string;
+}
+/**
+ * Request body for updating a subscription
+ */
+interface UpdateSubscriptionRequest {
+    status?: string;
+    current_period_end?: string;
+}
+/**
+ * Request body for updating service info
+ */
+interface UpdateServiceInfoRequest {
+    name?: string;
+}
+/**
+ * Service API User response
+ */
+interface ServiceApiUser {
+    id: string;
+    email: string;
+    created_at: string;
+}
+/**
+ * Service API Subscription response
+ */
+interface ServiceApiSubscription {
+    id: string;
+    user_id: string;
+    plan_id: string;
+    plan_name: string;
+    status: string;
+    current_period_end: string;
+}
+/**
+ * Service API info response
+ */
+interface ServiceApiInfo {
+    id: string;
+    name: string;
+    slug: string;
+    service_type: string;
+    created_at: string;
+}
+/**
+ * Service API module for API key-based service-to-service operations.
+ * Provides write operations for managing users, subscriptions, and service configuration.
+ *
+ * @example
+ * ```typescript
+ * const sso = new SsoClient({
+ *   baseURL: 'https://sso.example.com',
+ *   apiKey: 'sk_live_abcd1234...'
+ * });
+ *
+ * // Create a user
+ * const user = await sso.serviceApi.createUser({ email: 'user@example.com' });
+ *
+ * // Create a subscription
+ * const subscription = await sso.serviceApi.createSubscription({
+ *   user_id: user.id,
+ *   plan_id: 'plan_123',
+ *   status: 'active'
+ * });
+ *
+ * // Update user
+ * await sso.serviceApi.updateUser(user.id, { email: 'newemail@example.com' });
+ * ```
+ */
+declare class ServiceApiModule {
+    private http;
+    constructor(http: HttpClient);
+    /**
+     * Create a new user
+     * Requires 'write:users' permission on the API key
+     *
+     * @param request User creation request
+     * @returns Created user
+     */
+    createUser(request: CreateUserRequest): Promise<ServiceApiUser>;
+    /**
+     * Update user details
+     * Requires 'write:users' permission on the API key
+     *
+     * @param userId User ID to update
+     * @param request User update request
+     * @returns Updated user
+     */
+    updateUser(userId: string, request: UpdateUserRequest): Promise<ServiceApiUser>;
+    /**
+     * Create a new subscription for a user
+     * Requires 'write:subscriptions' permission on the API key
+     *
+     * @param request Subscription creation request
+     * @returns Created subscription
+     */
+    createSubscription(request: CreateSubscriptionRequest): Promise<ServiceApiSubscription>;
+    /**
+     * Update a subscription for a user
+     * Requires 'write:subscriptions' permission on the API key
+     *
+     * @param userId User ID whose subscription to update
+     * @param request Subscription update request
+     * @returns Updated subscription
+     */
+    updateSubscription(userId: string, request: UpdateSubscriptionRequest): Promise<ServiceApiSubscription>;
+    /**
+     * Update service configuration
+     * Requires 'write:service' permission on the API key
+     *
+     * @param request Service update request
+     * @returns Updated service info
+     */
+    updateServiceInfo(request: UpdateServiceInfoRequest): Promise<ServiceApiInfo>;
+    /**
+     * Delete a user
+     * Requires 'delete:users' permission on the API key
+     *
+     * @param userId User ID to delete
+     */
+    deleteUser(userId: string): Promise<void>;
+    /**
+     * Delete a subscription for a user
+     * Requires 'delete:subscriptions' permission on the API key
+     *
+     * @param userId User ID whose subscription to delete
+     */
+    deleteSubscription(userId: string): Promise<void>;
+}
 /**
  * Configuration options for the SSO client
  */
@@ -1867,9 +3462,13 @@ interface SsoClientOptions {
      */
     baseURL: string;
     /**
-     * Optional JWT token to initialize with
+     * Optional JWT token to initialize with (for user authentication)
      */
     token?: string;
+    /**
+     * Optional API key for service-to-service authentication
+     */
+    apiKey?: string;
 }
 /**
  * Main SSO client class.
@@ -1879,7 +3478,7 @@ interface SsoClientOptions {
  * ```typescript
  * const sso = new SsoClient({
  *   baseURL: 'https://sso.example.com',
- *   token: localStorage.getItem('jwt')
+ *   token: localStorage.getItem('sso_access_token')
  * });
  *
  * // Use the modules
@@ -1917,6 +3516,10 @@ declare class SsoClient {
      * Platform owner administration methods
      */
     readonly platform: PlatformModule;
+    /**
+     * Service API methods (requires API key authentication)
+     */
+    readonly serviceApi: ServiceApiModule;
     constructor(options: SsoClientOptions);
     /**
      * Sets the JWT for all subsequent authenticated requests.
@@ -1934,6 +3537,22 @@ declare class SsoClient {
      * ```
      */
     setAuthToken(token: string | null): void;
+    /**
+     * Sets the API key for service-to-service authentication.
+     * Pass null to clear the API key.
+     *
+     * @param apiKey The API key string, or null to clear
+     *
+     * @example
+     * ```typescript
+     * // Set API key
+     * sso.setApiKey('sk_live_abcd1234...');
+     *
+     * // Clear API key
+     * sso.setApiKey(null);
+     * ```
+     */
+    setApiKey(apiKey: string | null): void;
     /**
      * Gets the current base URL
      */
@@ -1976,4 +3595,4 @@ declare class SsoApiError extends Error {
     isNotFound(): boolean;
 }
-export { type AcceptInvitationPayload, type AdminLoginUrlParams, type AnalyticsQuery, type ApproveOrganizationPayload, type AuditLogEntry, AuthModule, type CreateInvitationPayload, type CreateOrganizationPayload, type CreateOrganizationResponse, type CreatePlanPayload, type CreateServicePayload, type CreateServiceResponse, type DeclineInvitationPayload, type DeviceCodeRequest, type DeviceCodeResponse, type DeviceVerifyResponse, type EndUser, type EndUserDetailResponse, type EndUserIdentity, type EndUserListResponse, type EndUserSubscription, type GetAuditLogParams, type GrowthTrendPoint, type Identity, type Invitation, type InvitationStatus, type InvitationWithOrg, InvitationsModule, type JwtClaims, type ListEndUsersParams, type ListOrganizationsParams, type ListPlatformOrganizationsParams, type LoginActivityPoint, type LoginTrendPoint, type LoginUrlParams, type LoginsByProvider, type LoginsByService, type MemberListResponse, type MemberRole, type Membership, type OAuthCredentials, type OAuthProvider, type Organization, type OrganizationMember, type OrganizationResponse, type OrganizationStatus, type OrganizationStatusBreakdown, type OrganizationTier, OrganizationsModule, type PaginatedResponse, type PaginationParams, type Plan, type PlatformAnalyticsDateRangeParams, PlatformModule, type PlatformOrganizationResponse, type PlatformOrganizationsListResponse, type PlatformOverviewMetrics, type PromotePlatformOwnerPayload, type ProviderToken, type ProviderTokenGrant, type RecentLogin, type RecentOrganization, type RefreshTokenRequest, type RefreshTokenResponse, type RejectOrganizationPayload, type RevokeSessionsResponse, type Service, type ServiceListResponse, type ServiceResponse, type ServiceType, type ServiceWithDetails, ServicesModule, type SetOAuthCredentialsPayload, SsoApiError, SsoClient, type SsoClientOptions, type StartLinkResponse, type Subscription, type TokenRequest, type TokenResponse, type TopOrganization, type TransferOwnershipPayload, type UpdateMemberRolePayload, type UpdateOrganizationPayload, type UpdateOrganizationTierPayload, type UpdateServicePayload, type UpdateUserProfilePayload, type User, UserModule, type UserProfile };
+export { type AcceptInvitationPayload, type AdminLoginUrlParams, type AnalyticsQuery, type ApiKey, type ApiKeyCreateResponse, type ApproveOrganizationPayload, type AuditLog, type AuditLogEntry, type AuditLogQueryParams, type AuditLogResponse, AuthModule, type BackupCodesResponse, type BrandingConfiguration, type ChangePasswordRequest, type ChangePasswordResponse, type ConfigureSamlPayload, type ConfigureSamlResponse, type CreateApiKeyPayload, type CreateInvitationPayload, type CreateOrganizationPayload, type CreateOrganizationResponse, type CreatePlanPayload, type CreateServicePayload, type CreateServiceResponse, type CreateWebhookRequest, type DeclineInvitationPayload, type DeviceCodeRequest, type DeviceCodeResponse, type DeviceVerifyResponse, type DomainConfiguration, type DomainVerificationMethod, type DomainVerificationResponse, type DomainVerificationResult, type EndUser, type EndUserDetailResponse, type EndUserIdentity, type EndUserListResponse, type EndUserSubscription, type EventTypeInfo, type ForgotPasswordRequest, type ForgotPasswordResponse, type GetAuditLogParams, type GrowthTrendPoint, type Identity, type Invitation, type InvitationStatus, type InvitationWithOrg, InvitationsModule, type JwtClaims, type ListApiKeysResponse, type ListEndUsersParams, type ListOrganizationsParams, type ListPlatformOrganizationsParams, type LoginActivityPoint, type LoginRequest, type LoginTrendPoint, type LoginUrlParams, type LoginsByProvider, type LoginsByService, type MemberListResponse, type MemberRole, type Membership, type MfaSetupResponse, type MfaStatusResponse, type MfaVerificationRequest, type MfaVerificationResponse, type MfaVerifyRequest, type MfaVerifyResponse, type OAuthCredentials, type OAuthProvider, type Organization, type OrganizationMember, type OrganizationResponse, type OrganizationStatus, type OrganizationStatusBreakdown, type OrganizationTier, OrganizationsModule, type PaginatedResponse, type PaginationInfo, type PaginationParams, type Plan, type PlanResponse, type PlatformAnalyticsDateRangeParams, PlatformModule, type PlatformOrganizationResponse, type PlatformOrganizationsListResponse, type PlatformOverviewMetrics, type PromotePlatformOwnerPayload, type ProviderToken, type ProviderTokenGrant, type RecentLogin, type RecentOrganization, type RefreshTokenRequest, type RefreshTokenResponse, type RegisterRequest, type RegisterResponse, type RejectOrganizationPayload, type ResetPasswordRequest, type ResetPasswordResponse, type RevokeSessionsResponse, type SamlCertificate, type SamlConfig, type Service, ServiceApiModule, type ServiceListResponse, type ServiceResponse, type ServiceType, type ServiceWithDetails, ServicesModule, type SetCustomDomainRequest, type SetOAuthCredentialsPayload, type SetPasswordRequest, type SetPasswordResponse, type SetSmtpRequest, type SmtpConfigResponse, SsoApiError, SsoClient, type SsoClientOptions, type StartLinkResponse, type Subscription, type TokenRequest, type TokenResponse, type TopOrganization, type TransferOwnershipPayload, type UpdateBrandingRequest, type UpdateMemberRolePayload, type UpdateOrganizationPayload, type UpdateOrganizationTierPayload, type UpdatePlanPayload, type UpdateServicePayload, type UpdateUserProfilePayload, type UpdateWebhookRequest, type User, UserModule, type UserProfile, type Webhook, type WebhookDelivery, type WebhookDeliveryListResponse, type WebhookDeliveryQueryParams, type WebhookListResponse, type WebhookResponse };