@drmhse/sso-sdk 0.2.3 → 0.2.6

package/dist/index.mjs

@@ -438,7 +438,8 @@ var AuthModule = class {
    * ```typescript
    * await sso.auth.logout();
    * sso.setAuthToken(null);
-   * localStorage.removeItem('jwt');
+   * localStorage.removeItem('sso_access_token');
+   * localStorage.removeItem('sso_refresh_token');
    * ```
    */
   async logout() {
@@ -461,8 +462,8 @@ var AuthModule = class {
    * try {
    *   const tokens = await sso.auth.refreshToken(storedRefreshToken);
    *   sso.setAuthToken(tokens.access_token);
-   *   localStorage.setItem('access_token', tokens.access_token);
-   *   localStorage.setItem('refresh_token', tokens.refresh_token);
+   *   localStorage.setItem('sso_access_token', tokens.access_token);
+   *   localStorage.setItem('sso_refresh_token', tokens.refresh_token);
    * } catch (error) {
    *   // Refresh failed - redirect to login
    *   window.location.href = '/login';
@@ -492,6 +493,129 @@ var AuthModule = class {
     const response = await this.http.get(`/api/provider-token/${provider}`);
     return response.data;
   }
+  // ============================================================================
+  // PASSWORD AUTHENTICATION
+  // ============================================================================
+  /**
+   * Register a new user with email and password.
+   * After registration, the user will receive a verification email.
+   *
+   * @param payload Registration details (email and password)
+   * @returns Registration confirmation message
+   *
+   * @example
+   * ```typescript
+   * const response = await sso.auth.register({
+   *   email: 'user@example.com',
+   *   password: 'SecurePassword123!'
+   * });
+   * console.log(response.message);
+   * ```
+   */
+  async register(payload) {
+    const response = await this.http.post("/api/auth/register", payload);
+    return response.data;
+  }
+  /**
+   * Login with email and password.
+   * Returns access token and refresh token on successful authentication.
+   * The user's email must be verified before login.
+   *
+   * @param payload Login credentials (email and password)
+   * @returns Access token, refresh token, and expiration info
+   *
+   * @example
+   * ```typescript
+   * const tokens = await sso.auth.login({
+   *   email: 'user@example.com',
+   *   password: 'SecurePassword123!'
+   * });
+   * sso.setAuthToken(tokens.access_token);
+   * localStorage.setItem('sso_access_token', tokens.access_token);
+   * localStorage.setItem('sso_refresh_token', tokens.refresh_token);
+   * ```
+   */
+  async login(payload) {
+    const response = await this.http.post("/api/auth/login", payload);
+    return response.data;
+  }
+  /**
+   * Verify MFA code and complete authentication.
+   * This method should be called after login when the user has MFA enabled.
+   * The login will return a pre-auth token with a short expiration (5 minutes).
+   * Exchange the pre-auth token and TOTP code for a full session.
+   *
+   * @param preauthToken The pre-authentication token received from login
+   * @param code The TOTP code from the user's authenticator app or a backup code
+   * @returns Full session tokens (access_token and refresh_token)
+   *
+   * @example
+   * ```typescript
+   * // After login, if MFA is enabled:
+   * const loginResponse = await sso.auth.login({
+   *   email: 'user@example.com',
+   *   password: 'password'
+   * });
+   *
+   * // Check if this is a pre-auth token (expires_in will be 300 seconds = 5 minutes)
+   * if (loginResponse.expires_in === 300) {
+   *   // User needs to provide MFA code
+   *   const mfaCode = prompt('Enter your 6-digit code from authenticator app');
+   *   const tokens = await sso.auth.verifyMfa(loginResponse.access_token, mfaCode);
+   *   sso.setAuthToken(tokens.access_token);
+   *   localStorage.setItem('sso_access_token', tokens.access_token);
+   *   localStorage.setItem('sso_refresh_token', tokens.refresh_token);
+   * }
+   * ```
+   */
+  async verifyMfa(preauthToken, code, deviceCodeId) {
+    const response = await this.http.post("/api/auth/mfa/verify", {
+      preauth_token: preauthToken,
+      code,
+      ...deviceCodeId && { device_code_id: deviceCodeId }
+    });
+    return response.data;
+  }
+  /**
+   * Request a password reset for a user account.
+   * If the email exists, a reset link will be sent to the user.
+   * Returns success regardless of whether the email exists (to prevent email enumeration).
+   *
+   * @param payload Forgot password request (email address)
+   * @returns Confirmation message
+   *
+   * @example
+   * ```typescript
+   * const response = await sso.auth.requestPasswordReset({
+   *   email: 'user@example.com'
+   * });
+   * console.log(response.message);
+   * ```
+   */
+  async requestPasswordReset(payload) {
+    const response = await this.http.post("/api/auth/forgot-password", payload);
+    return response.data;
+  }
+  /**
+   * Reset a user's password using a reset token from email.
+   * The token is obtained from the password reset email link.
+   *
+   * @param payload Reset password request (token and new password)
+   * @returns Confirmation message
+   *
+   * @example
+   * ```typescript
+   * const response = await sso.auth.resetPassword({
+   *   token: 'reset-token-from-email',
+   *   new_password: 'NewSecurePassword123!'
+   * });
+   * console.log(response.message);
+   * ```
+   */
+  async resetPassword(payload) {
+    const response = await this.http.post("/api/auth/reset-password", payload);
+    return response.data;
+  }
 };
 
 // src/modules/user.ts
@@ -500,445 +624,1433 @@ var IdentitiesModule = class {
     this.http = http;
   }
   /**
-   * List all social accounts linked to the authenticated user.
+   * List all social accounts linked to the authenticated user.
+   *
+   * @returns Array of linked identities
+   *
+   * @example
+   * ```typescript
+   * const identities = await sso.user.identities.list();
+   * console.log(identities); // [{ provider: 'github' }, { provider: 'google' }]
+   * ```
+   */
+  async list() {
+    const response = await this.http.get("/api/user/identities");
+    return response.data;
+  }
+  /**
+   * Start linking a new social account to the authenticated user.
+   * Returns an authorization URL that the user should be redirected to.
+   *
+   * @param provider The OAuth provider to link (e.g., 'github', 'google', 'microsoft')
+   * @returns Object containing the authorization URL
+   *
+   * @example
+   * ```typescript
+   * const { authorization_url } = await sso.user.identities.startLink('github');
+   * window.location.href = authorization_url; // Redirect user to complete OAuth
+   * ```
+   */
+  async startLink(provider) {
+    const response = await this.http.post(`/api/user/identities/${provider}/link`, {});
+    return response.data;
+  }
+  /**
+   * Unlink a social account from the authenticated user.
+   * Note: Cannot unlink the last remaining identity to prevent account lockout.
+   *
+   * @param provider The OAuth provider to unlink (e.g., 'github', 'google', 'microsoft')
+   *
+   * @example
+   * ```typescript
+   * await sso.user.identities.unlink('google');
+   * ```
+   */
+  async unlink(provider) {
+    await this.http.delete(`/api/user/identities/${provider}`);
+  }
+};
+var MfaModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /**
+   * Get the current MFA status for the authenticated user.
+   *
+   * @returns MFA status
+   *
+   * @example
+   * ```typescript
+   * const status = await sso.user.mfa.getStatus();
+   * console.log(status.enabled); // false
+   * ```
+   */
+  async getStatus() {
+    const response = await this.http.get("/api/user/mfa/status");
+    return response.data;
+  }
+  /**
+   * Initiate MFA setup. Generates a TOTP secret and QR code.
+   * The user must complete setup by calling verify() with a code from their authenticator app.
+   *
+   * @returns MFA setup details including QR code
+   *
+   * @example
+   * ```typescript
+   * const setup = await sso.user.mfa.setup();
+   * console.log(setup.qr_code_svg); // Display this QR code to the user
+   * // User scans QR code with authenticator app and enters code to verify
+   * ```
+   */
+  async setup() {
+    const response = await this.http.post("/api/user/mfa/setup", {});
+    return response.data;
+  }
+  /**
+   * Verify TOTP code and enable MFA.
+   * Returns backup codes that must be stored securely by the user.
+   *
+   * @param code TOTP code from authenticator app
+   * @returns Verification response with backup codes
+   *
+   * @example
+   * ```typescript
+   * const result = await sso.user.mfa.verify('123456');
+   * console.log(result.backup_codes); // Store these securely!
+   * ```
+   */
+  async verify(code) {
+    const response = await this.http.post("/api/user/mfa/verify", { code });
+    return response.data;
+  }
+  /**
+   * Disable MFA for the authenticated user.
+   *
+   * @example
+   * ```typescript
+   * await sso.user.mfa.disable();
+   * ```
+   */
+  async disable() {
+    const response = await this.http.delete("/api/user/mfa");
+    return response.data;
+  }
+  /**
+   * Regenerate backup codes.
+   * Invalidates all previous backup codes and returns new ones.
+   *
+   * @returns New backup codes
+   *
+   * @example
+   * ```typescript
+   * const { backup_codes } = await sso.user.mfa.regenerateBackupCodes();
+   * console.log(backup_codes); // Store these securely!
+   * ```
+   */
+  async regenerateBackupCodes() {
+    const response = await this.http.post("/api/user/mfa/backup-codes/regenerate", {});
+    return response.data;
+  }
+};
+var UserModule = class {
+  constructor(http) {
+    this.http = http;
+    this.identities = new IdentitiesModule(http);
+    this.mfa = new MfaModule(http);
+  }
+  /**
+   * Get the profile of the currently authenticated user.
+   * The response includes context from the JWT (org, service).
+   *
+   * @returns User profile
+   *
+   * @example
+   * ```typescript
+   * const profile = await sso.user.getProfile();
+   * console.log(profile.email, profile.org, profile.service);
+   * ```
+   */
+  async getProfile() {
+    const response = await this.http.get("/api/user");
+    return response.data;
+  }
+  /**
+   * Update the authenticated user's profile.
+   *
+   * @param payload Update payload
+   * @returns Updated user profile
+   *
+   * @example
+   * ```typescript
+   * const updated = await sso.user.updateProfile({
+   *   email: 'newemail@example.com'
+   * });
+   * ```
+   */
+  async updateProfile(payload) {
+    const response = await this.http.patch("/api/user", payload);
+    return response.data;
+  }
+  /**
+   * Get the current user's subscription details for the service in their JWT.
+   *
+   * @returns Subscription details
+   *
+   * @example
+   * ```typescript
+   * const subscription = await sso.user.getSubscription();
+   * console.log(subscription.plan, subscription.features);
+   * ```
+   */
+  async getSubscription() {
+    const response = await this.http.get("/api/subscription");
+    return response.data;
+  }
+  /**
+   * Change the authenticated user's password.
+   * Requires the current password for verification.
+   *
+   * @param payload Change password request (current and new password)
+   * @returns Confirmation message
+   *
+   * @example
+   * ```typescript
+   * const response = await sso.user.changePassword({
+   *   current_password: 'OldPassword123!',
+   *   new_password: 'NewSecurePassword456!'
+   * });
+   * console.log(response.message);
+   * ```
+   */
+  async changePassword(payload) {
+    const response = await this.http.post("/api/user/change-password", payload);
+    return response.data;
+  }
+  /**
+   * Set a password for the authenticated user (OAuth users only).
+   * This endpoint is for OAuth users who don't have a password yet.
+   * If a password is already set, this will return an error.
+   *
+   * @param payload Set password request (new password only)
+   * @returns Confirmation message
+   *
+   * @example
+   * ```typescript
+   * const response = await sso.user.setPassword({
+   *   new_password: 'MyNewSecurePassword123!'
+   * });
+   * console.log(response.message); // "Password set successfully"
+   * ```
+   */
+  async setPassword(payload) {
+    const response = await this.http.post("/api/user/set-password", payload);
+    return response.data;
+  }
+};
+
+// src/modules/organizations/audit.ts
+var AuditLogsModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /**
+   * Get audit logs for an organization.
+   * Requires 'owner' or 'admin' role.
+   *
+   * @param orgSlug Organization slug
+   * @param params Optional query parameters for filtering and pagination
+   * @returns Paginated audit log response
+   *
+   * @example
+   * ```typescript
+   * // Get all audit logs
+   * const logs = await sso.organizations.auditLogs.get('acme-corp');
+   *
+   * // Filter by specific action
+   * const userLogs = await sso.organizations.auditLogs.get('acme-corp', {
+   *   action: 'user.role_updated',
+   *   page: 1,
+   *   limit: 20
+   * });
+   *
+   * // Filter by target
+   * const serviceLogs = await sso.organizations.auditLogs.get('acme-corp', {
+   *   target_type: 'service',
+   *   target_id: 'service-123'
+   * });
+   * ```
+   */
+  async get(orgSlug, params) {
+    const response = await this.http.get(
+      `/api/organizations/${orgSlug}/audit-log`,
+      { params }
+    );
+    return response.data;
+  }
+  /**
+   * Get available audit event types for filtering.
+   * Requires 'owner' or 'admin' role.
+   *
+   * @param orgSlug Organization slug
+   * @returns Array of event type information
+   *
+   * @example
+   * ```typescript
+   * const eventTypes = await sso.organizations.auditLogs.getEventTypes('acme-corp');
+   *
+   * // Group by category for UI display
+   * const byCategory = eventTypes.reduce((acc, event) => {
+   *   if (!acc[event.category]) {
+   *     acc[event.category] = [];
+   *   }
+   *   acc[event.category].push(event);
+   *   return acc;
+   * }, {});
+   * ```
+   */
+  async getEventTypes(orgSlug) {
+    const response = await this.http.get(
+      `/api/organizations/${orgSlug}/audit-log/event-types`
+    );
+    return response.data;
+  }
+};
+
+// src/modules/organizations/webhooks.ts
+var WebhooksModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /**
+   * Create a new webhook for an organization.
+   * Requires 'owner' or 'admin' role.
+   *
+   * @param orgSlug Organization slug
+   * @param webhook Webhook creation payload
+   * @returns Created webhook details
+   *
+   * @example
+   * ```typescript
+   * const webhook = await sso.organizations.webhooks.create('acme-corp', {
+   *   name: 'User Activity',
+   *   url: 'https://api.example.com/webhooks',
+   *   events: ['user.invited', 'user.joined', 'user.removed']
+   * });
+   * console.log('Created webhook:', webhook.id);
+   * ```
+   */
+  async create(orgSlug, webhook) {
+    const response = await this.http.post(
+      `/api/organizations/${orgSlug}/webhooks`,
+      webhook
+    );
+    return response.data;
+  }
+  /**
+   * List all webhooks for an organization.
+   * Requires 'owner' or 'admin' role.
+   *
+   * @param orgSlug Organization slug
+   * @returns List of webhooks with total count
+   *
+   * @example
+   * ```typescript
+   * const { webhooks, total } = await sso.organizations.webhooks.list('acme-corp');
+   * console.log(`Found ${total} webhooks`);
+   * webhooks.forEach(w => console.log(w.name, w.is_active));
+   * ```
+   */
+  async list(orgSlug) {
+    const response = await this.http.get(
+      `/api/organizations/${orgSlug}/webhooks`
+    );
+    return response.data;
+  }
+  /**
+   * Get a specific webhook by ID.
+   * Requires 'owner' or 'admin' role.
+   *
+   * @param orgSlug Organization slug
+   * @param webhookId Webhook ID
+   * @returns Webhook details
+   *
+   * @example
+   * ```typescript
+   * const webhook = await sso.organizations.webhooks.get('acme-corp', 'webhook-123');
+   * console.log('Webhook URL:', webhook.url);
+   * console.log('Subscribed events:', webhook.events);
+   * ```
+   */
+  async get(orgSlug, webhookId) {
+    const response = await this.http.get(
+      `/api/organizations/${orgSlug}/webhooks/${webhookId}`
+    );
+    return response.data;
+  }
+  /**
+   * Update an existing webhook.
+   * Requires 'owner' or 'admin' role.
+   *
+   * @param orgSlug Organization slug
+   * @param webhookId Webhook ID
+   * @param updates Partial webhook update payload
+   * @returns Updated webhook details
+   *
+   * @example
+   * ```typescript
+   * // Update webhook URL and add new events
+   * const updated = await sso.organizations.webhooks.update('acme-corp', 'webhook-123', {
+   *   url: 'https://api.example.com/webhooks/v2',
+   *   events: ['user.invited', 'user.joined', 'user.removed', 'user.role_updated']
+   * });
+   *
+   * // Deactivate webhook temporarily
+   * await sso.organizations.webhooks.update('acme-corp', 'webhook-123', {
+   *   is_active: false
+   * });
+   * ```
+   */
+  async update(orgSlug, webhookId, updates) {
+    const response = await this.http.patch(
+      `/api/organizations/${orgSlug}/webhooks/${webhookId}`,
+      updates
+    );
+    return response.data;
+  }
+  /**
+   * Delete a webhook.
+   * Requires 'owner' or 'admin' role.
+   * This will also delete all delivery history for this webhook.
+   *
+   * @param orgSlug Organization slug
+   * @param webhookId Webhook ID
+   *
+   * @example
+   * ```typescript
+   * await sso.organizations.webhooks.delete('acme-corp', 'webhook-123');
+   * console.log('Webhook deleted successfully');
+   * ```
+   */
+  async delete(orgSlug, webhookId) {
+    await this.http.delete(
+      `/api/organizations/${orgSlug}/webhooks/${webhookId}`
+    );
+  }
+  /**
+   * Get delivery history for a specific webhook.
+   * Requires 'owner' or 'admin' role.
+   *
+   * @param orgSlug Organization slug
+   * @param webhookId Webhook ID
+   * @param params Optional query parameters for filtering and pagination
+   * @returns Paginated webhook delivery response
+   *
+   * @example
+   * ```typescript
+   * // Get all delivery attempts
+   * const deliveries = await sso.organizations.webhooks.getDeliveries('acme-corp', 'webhook-123');
+   *
+   * // Get only failed deliveries
+   * const failed = await sso.organizations.webhooks.getDeliveries('acme-corp', 'webhook-123', {
+   *   delivered: false,
+   *   page: 1,
+   *   limit: 20
+   * });
+   *
+   * // Get deliveries for specific event type
+   * const userEvents = await sso.organizations.webhooks.getDeliveries('acme-corp', 'webhook-123', {
+   *   event_type: 'user.invited'
+   * });
+   * ```
+   */
+  async getDeliveries(orgSlug, webhookId, params) {
+    const response = await this.http.get(
+      `/api/organizations/${orgSlug}/webhooks/${webhookId}/deliveries`,
+      { params }
+    );
+    return response.data;
+  }
+  /**
+   * Get available webhook event types that can be subscribed to.
+   * Requires 'owner' or 'admin' role.
+   *
+   * @param orgSlug Organization slug
+   * @returns Array of available event types with categories
+   *
+   * @example
+   * ```typescript
+   * const eventTypes = await sso.organizations.webhooks.getEventTypes('acme-corp');
+   *
+   * // Group events by category for UI display
+   * const byCategory = eventTypes.reduce((acc, event) => {
+   *   if (!acc[event.category]) {
+   *     acc[event.category] = [];
+   *   }
+   *   acc[event.category].push(event);
+   *   return acc;
+   * }, {});
+   *
+   * // Display available events
+   * Object.entries(byCategory).forEach(([category, events]) => {
+   *   console.log(`\n${category}:`);
+   *   events.forEach(e => console.log(`  - ${e.label} (${e.value})`));
+   * });
+   * ```
+   */
+  async getEventTypes(orgSlug) {
+    const response = await this.http.get(
+      `/api/organizations/${orgSlug}/webhooks/event-types`
+    );
+    return response.data;
+  }
+};
+
+// src/modules/organizations.ts
+var OrganizationsModule = class {
+  constructor(http) {
+    this.http = http;
+    /**
+     * Member management methods
+     */
+    this.members = {
+      /**
+       * List all members of an organization.
+       *
+       * @param orgSlug Organization slug
+       * @returns Member list response with pagination metadata
+       *
+       * @example
+       * ```typescript
+       * const result = await sso.organizations.members.list('acme-corp');
+       * console.log(`Total members: ${result.total}`);
+       * result.members.forEach(m => console.log(m.email, m.role));
+       * ```
+       */
+      list: async (orgSlug) => {
+        const response = await this.http.get(
+          `/api/organizations/${orgSlug}/members`
+        );
+        return response.data;
+      },
+      /**
+       * Update a member's role.
+       * Requires 'owner' role.
+       *
+       * @param orgSlug Organization slug
+       * @param userId User ID to update
+       * @param payload Role update payload
+       * @returns Updated member details
+       *
+       * @example
+       * ```typescript
+       * await sso.organizations.members.updateRole('acme-corp', 'user-id', {
+       *   role: 'admin'
+       * });
+       * ```
+       */
+      updateRole: async (orgSlug, userId, payload) => {
+        const response = await this.http.patch(
+          `/api/organizations/${orgSlug}/members/${userId}`,
+          payload
+        );
+        return response.data;
+      },
+      /**
+       * Remove a member from the organization.
+       * Requires 'owner' or 'admin' role.
+       *
+       * @param orgSlug Organization slug
+       * @param userId User ID to remove
+       *
+       * @example
+       * ```typescript
+       * await sso.organizations.members.remove('acme-corp', 'user-id');
+       * ```
+       */
+      remove: async (orgSlug, userId) => {
+        await this.http.post(`/api/organizations/${orgSlug}/members/${userId}`);
+      },
+      /**
+       * Transfer organization ownership to another member.
+       * Requires 'owner' role.
+       *
+       * @param orgSlug Organization slug
+       * @param payload Transfer payload with new owner ID
+       *
+       * @example
+       * ```typescript
+       * await sso.organizations.members.transferOwnership('acme-corp', {
+       *   new_owner_user_id: 'new-owner-id'
+       * });
+       * ```
+       */
+      transferOwnership: async (orgSlug, payload) => {
+        await this.http.post(`/api/organizations/${orgSlug}/members/transfer-ownership`, payload);
+      }
+    };
+    /**
+     * End-user management methods
+     * Manage organization's customers (end-users with subscriptions)
+     */
+    this.endUsers = {
+      /**
+       * List all end-users for an organization.
+       * Returns users who have identities (logged in) or subscriptions for the organization's services.
+       *
+       * @param orgSlug Organization slug
+       * @param params Optional query parameters for pagination and filtering
+       * @param params.service_slug Optional service slug to filter users by a specific service
+       * @returns Paginated list of end-users with their subscriptions and identities
+       *
+       * @example
+       * ```typescript
+       * // List all end-users across all services
+       * const allUsers = await sso.organizations.endUsers.list('acme-corp', {
+       *   page: 1,
+       *   limit: 20
+       * });
+       * 
+       * // Filter by specific service
+       * const serviceUsers = await sso.organizations.endUsers.list('acme-corp', {
+       *   service_slug: 'my-app',
+       *   page: 1,
+       *   limit: 20
+       * });
+       * console.log(`Total end-users: ${allUsers.total}`);
+       * ```
+       */
+      list: async (orgSlug, params) => {
+        const response = await this.http.get(
+          `/api/organizations/${orgSlug}/users`,
+          { params }
+        );
+        return response.data;
+      },
+      /**
+       * Get detailed information about a specific end-user.
+       *
+       * @param orgSlug Organization slug
+       * @param userId User ID
+       * @returns End-user details with subscriptions, identities, and session count
+       *
+       * @example
+       * ```typescript
+       * const endUser = await sso.organizations.endUsers.get('acme-corp', 'user-id');
+       * console.log(`Active sessions: ${endUser.session_count}`);
+       * ```
+       */
+      get: async (orgSlug, userId) => {
+        const response = await this.http.get(
+          `/api/organizations/${orgSlug}/users/${userId}`
+        );
+        return response.data;
+      },
+      /**
+       * Revoke all active sessions for an end-user.
+       * Requires admin or owner role.
+       * This will force the user to re-authenticate.
+       *
+       * @param orgSlug Organization slug
+       * @param userId User ID
+       * @returns Response with number of revoked sessions
+       *
+       * @example
+       * ```typescript
+       * const result = await sso.organizations.endUsers.revokeSessions('acme-corp', 'user-id');
+       * console.log(`Revoked ${result.revoked_count} sessions`);
+       * ```
+       */
+      revokeSessions: async (orgSlug, userId) => {
+        const response = await this.http.delete(
+          `/api/organizations/${orgSlug}/users/${userId}/sessions`
+        );
+        return response.data;
+      }
+    };
+    /**
+     * BYOO (Bring Your Own OAuth) credential management
+     */
+    this.oauthCredentials = {
+      /**
+       * Set or update custom OAuth credentials for a provider.
+       * This enables white-labeled authentication using the organization's
+       * own OAuth application.
+       * Requires 'owner' or 'admin' role.
+       *
+       * @param orgSlug Organization slug
+       * @param provider OAuth provider
+       * @param payload OAuth credentials
+       * @returns Created/updated credentials (without secret)
+       *
+       * @example
+       * ```typescript
+       * await sso.organizations.oauthCredentials.set('acme-corp', 'github', {
+       *   client_id: 'Iv1.abc123',
+       *   client_secret: 'secret-value'
+       * });
+       * ```
+       */
+      set: async (orgSlug, provider, payload) => {
+        const response = await this.http.post(
+          `/api/organizations/${orgSlug}/oauth-credentials/${provider}`,
+          payload
+        );
+        return response.data;
+      },
+      /**
+       * Get the configured OAuth credentials for a provider.
+       * The secret is never returned.
+       *
+       * @param orgSlug Organization slug
+       * @param provider OAuth provider
+       * @returns OAuth credentials (without secret)
+       *
+       * @example
+       * ```typescript
+       * const creds = await sso.organizations.oauthCredentials.get('acme-corp', 'github');
+       * console.log(creds.client_id);
+       * ```
+       */
+      get: async (orgSlug, provider) => {
+        const response = await this.http.get(
+          `/api/organizations/${orgSlug}/oauth-credentials/${provider}`
+        );
+        return response.data;
+      }
+    };
+    this.auditLogs = new AuditLogsModule(http);
+    this.webhooks = new WebhooksModule(http);
+  }
+  /**
+   * Create a new organization (public endpoint).
+   * The organization will be created with 'pending' status and requires
+   * platform owner approval before becoming active.
+   *
+   * @param payload Organization creation payload
+   * @returns Created organization with owner and membership details
+   *
+   * @example
+   * ```typescript
+   * const result = await sso.organizations.createPublic({
+   *   slug: 'acme-corp',
+   *   name: 'Acme Corporation',
+   *   owner_email: 'founder@acme.com'
+   * });
+   * ```
+   */
+  async createPublic(payload) {
+    const response = await this.http.post("/api/organizations", payload);
+    return response.data;
+  }
+  /**
+   * List all organizations the authenticated user is a member of.
+   *
+   * @param params Optional query parameters for filtering and pagination
+   * @returns Array of organization responses
+   *
+   * @example
+   * ```typescript
+   * const orgs = await sso.organizations.list({
+   *   status: 'active',
+   *   page: 1,
+   *   limit: 20
+   * });
+   * ```
+   */
+  async list(params) {
+    const response = await this.http.get("/api/organizations", { params });
+    return response.data;
+  }
+  /**
+   * Get detailed information for a specific organization.
+   *
+   * @param orgSlug Organization slug
+   * @returns Organization details
+   *
+   * @example
+   * ```typescript
+   * const org = await sso.organizations.get('acme-corp');
+   * console.log(org.organization.name, org.membership_count);
+   * ```
+   */
+  async get(orgSlug) {
+    const response = await this.http.get(`/api/organizations/${orgSlug}`);
+    return response.data;
+  }
+  /**
+   * Update organization details.
+   * Requires 'owner' or 'admin' role.
+   *
+   * @param orgSlug Organization slug
+   * @param payload Update payload
+   * @returns Updated organization details
+   *
+   * @example
+   * ```typescript
+   * const updated = await sso.organizations.update('acme-corp', {
+   *   name: 'Acme Corporation Inc.',
+   *   max_services: 20
+   * });
+   * ```
+   */
+  async update(orgSlug, payload) {
+    const response = await this.http.patch(
+      `/api/organizations/${orgSlug}`,
+      payload
+    );
+    return response.data;
+  }
+  /**
+   * Delete an organization and all its associated data.
+   * This is a destructive operation that cannot be undone.
+   * Requires 'owner' role.
+   *
+   * All related data will be cascaded deleted including:
+   * - Members and invitations
+   * - Services and plans
+   * - Subscriptions
+   * - OAuth credentials
+   * - Audit logs
+   *
+   * @param orgSlug Organization slug
+   *
+   * @example
+   * ```typescript
+   * await sso.organizations.delete('acme-corp');
+   * ```
+   */
+  async delete(orgSlug) {
+    await this.http.delete(`/api/organizations/${orgSlug}`);
+  }
+  // ============================================================================
+  // SMTP MANAGEMENT
+  // ============================================================================
+  /**
+   * Configure SMTP settings for an organization.
+   * Only owners and admins can configure SMTP.
+   * The organization will use these settings for sending transactional emails
+   * (registration, password reset, etc.).
+   *
+   * @param orgSlug Organization slug
+   * @param config SMTP configuration
+   * @returns Success message
+   *
+   * @example
+   * ```typescript
+   * await sso.organizations.setSmtp('acme-corp', {
+   *   host: 'smtp.gmail.com',
+   *   port: 587,
+   *   username: 'notifications@acme.com',
+   *   password: 'your-app-password',
+   *   from_email: 'notifications@acme.com',
+   *   from_name: 'Acme Corp'
+   * });
+   * ```
+   */
+  async setSmtp(orgSlug, config) {
+    const response = await this.http.post(
+      `/api/organizations/${orgSlug}/smtp`,
+      config
+    );
+    return response.data;
+  }
+  /**
+   * Get SMTP configuration for an organization.
+   * Only owners and admins can view SMTP settings.
+   * Password is never returned for security reasons.
    *
-   * @returns Array of linked identities
+   * @param orgSlug Organization slug
+   * @returns SMTP configuration (without password)
    *
    * @example
    * ```typescript
-   * const identities = await sso.user.identities.list();
-   * console.log(identities); // [{ provider: 'github' }, { provider: 'google' }]
+   * const config = await sso.organizations.getSmtp('acme-corp');
+   * if (config.configured) {
+   *   console.log('SMTP host:', config.host);
+   * }
    * ```
    */
-  async list() {
-    const response = await this.http.get("/api/user/identities");
+  async getSmtp(orgSlug) {
+    const response = await this.http.get(
+      `/api/organizations/${orgSlug}/smtp`
+    );
     return response.data;
   }
   /**
-   * Start linking a new social account to the authenticated user.
-   * Returns an authorization URL that the user should be redirected to.
+   * Delete SMTP configuration for an organization.
+   * The organization will revert to using platform-level SMTP.
+   * Only owners and admins can delete SMTP settings.
    *
-   * @param provider The OAuth provider to link (e.g., 'github', 'google', 'microsoft')
-   * @returns Object containing the authorization URL
+   * @param orgSlug Organization slug
+   * @returns Success message
    *
    * @example
    * ```typescript
-   * const { authorization_url } = await sso.user.identities.startLink('github');
-   * window.location.href = authorization_url; // Redirect user to complete OAuth
+   * await sso.organizations.deleteSmtp('acme-corp');
+   * // Organization now uses platform SMTP
    * ```
    */
-  async startLink(provider) {
-    const response = await this.http.post(`/api/user/identities/${provider}/link`, {});
+  async deleteSmtp(orgSlug) {
+    const response = await this.http.delete(
+      `/api/organizations/${orgSlug}/smtp`
+    );
     return response.data;
   }
+  // ============================================================================
+  // CUSTOM DOMAINS & BRANDING
+  // ============================================================================
   /**
-   * Unlink a social account from the authenticated user.
-   * Note: Cannot unlink the last remaining identity to prevent account lockout.
+   * Set a custom domain for an organization.
+   * This enables white-labeling by allowing the organization to use their own domain
+   * (e.g., auth.acme.com) instead of the platform's domain.
+   * Requires 'owner' or 'admin' role.
    *
-   * @param provider The OAuth provider to unlink (e.g., 'github', 'google', 'microsoft')
+   * @param orgSlug Organization slug
+   * @param request Custom domain request
+   * @returns Domain verification instructions
    *
    * @example
    * ```typescript
-   * await sso.user.identities.unlink('google');
+   * const verification = await sso.organizations.setCustomDomain('acme-corp', {
+   *   domain: 'auth.acme.com'
+   * });
+   * console.log('Verification token:', verification.verification_token);
+   * verification.verification_methods.forEach(method => {
+   *   console.log(method.method, method.instructions);
+   * });
    * ```
    */
-  async unlink(provider) {
-    await this.http.delete(`/api/user/identities/${provider}`);
+  async setCustomDomain(orgSlug, request) {
+    const response = await this.http.post(
+      `/api/organizations/${orgSlug}/domain`,
+      request
+    );
+    return response.data;
   }
-};
-var UserModule = class {
-  constructor(http) {
-    this.http = http;
-    this.identities = new IdentitiesModule(http);
+  /**
+   * Verify a custom domain by checking DNS TXT record or HTTP file.
+   * Requires 'owner' or 'admin' role.
+   *
+   * @param orgSlug Organization slug
+   * @returns Verification result
+   *
+   * @example
+   * ```typescript
+   * const result = await sso.organizations.verifyCustomDomain('acme-corp');
+   * if (result.verified) {
+   *   console.log('Domain verified successfully!');
+   * } else {
+   *   console.log('Verification failed:', result.message);
+   * }
+   * ```
+   */
+  async verifyCustomDomain(orgSlug) {
+    const response = await this.http.post(
+      `/api/organizations/${orgSlug}/domain/verify`
+    );
+    return response.data;
   }
   /**
-   * Get the profile of the currently authenticated user.
-   * The response includes context from the JWT (org, service).
+   * Get custom domain configuration for an organization.
    *
-   * @returns User profile
+   * @param orgSlug Organization slug
+   * @returns Domain configuration
    *
    * @example
    * ```typescript
-   * const profile = await sso.user.getProfile();
-   * console.log(profile.email, profile.org, profile.service);
+   * const config = await sso.organizations.getDomainConfiguration('acme-corp');
+   * if (config.custom_domain && config.domain_verified) {
+   *   console.log('Custom domain active:', config.custom_domain);
+   * }
    * ```
    */
-  async getProfile() {
-    const response = await this.http.get("/api/user");
+  async getDomainConfiguration(orgSlug) {
+    const response = await this.http.get(
+      `/api/organizations/${orgSlug}/domain`
+    );
     return response.data;
   }
   /**
-   * Update the authenticated user's profile.
+   * Delete custom domain configuration.
+   * Requires 'owner' or 'admin' role.
    *
-   * @param payload Update payload
-   * @returns Updated user profile
+   * @param orgSlug Organization slug
    *
    * @example
    * ```typescript
-   * const updated = await sso.user.updateProfile({
-   *   email: 'newemail@example.com'
+   * await sso.organizations.deleteCustomDomain('acme-corp');
+   * // Organization reverts to using platform domain
+   * ```
+   */
+  async deleteCustomDomain(orgSlug) {
+    await this.http.delete(`/api/organizations/${orgSlug}/domain`);
+  }
+  /**
+   * Update branding configuration (logo and primary color).
+   * This controls the visual appearance of authentication pages.
+   * Requires 'owner' or 'admin' role.
+   *
+   * @param orgSlug Organization slug
+   * @param request Branding configuration
+   * @returns Updated branding configuration
+   *
+   * @example
+   * ```typescript
+   * await sso.organizations.updateBranding('acme-corp', {
+   *   logo_url: 'https://cdn.acme.com/logo.png',
+   *   primary_color: '#FF5733'
    * });
    * ```
    */
-  async updateProfile(payload) {
-    const response = await this.http.patch("/api/user", payload);
+  async updateBranding(orgSlug, request) {
+    const response = await this.http.patch(
+      `/api/organizations/${orgSlug}/branding`,
+      request
+    );
     return response.data;
   }
   /**
-   * Get the current user's subscription details for the service in their JWT.
+   * Get branding configuration for an organization.
    *
-   * @returns Subscription details
+   * @param orgSlug Organization slug
+   * @returns Branding configuration
    *
    * @example
    * ```typescript
-   * const subscription = await sso.user.getSubscription();
-   * console.log(subscription.plan, subscription.features);
+   * const branding = await sso.organizations.getBranding('acme-corp');
+   * if (branding.logo_url) {
+   *   console.log('Logo URL:', branding.logo_url);
+   * }
    * ```
    */
-  async getSubscription() {
-    const response = await this.http.get("/api/subscription");
+  async getBranding(orgSlug) {
+    const response = await this.http.get(
+      `/api/organizations/${orgSlug}/branding`
+    );
+    return response.data;
+  }
+  /**
+   * Get public branding configuration (no authentication required).
+   * This endpoint is used by login pages to display organization branding.
+   *
+   * @param orgSlug Organization slug
+   * @returns Branding configuration
+   *
+   * @example
+   * ```typescript
+   * // Can be called without authentication
+   * const branding = await sso.organizations.getPublicBranding('acme-corp');
+   * ```
+   */
+  async getPublicBranding(orgSlug) {
+    const response = await this.http.get(
+      `/api/organizations/${orgSlug}/branding/public`
+    );
     return response.data;
   }
 };
 
-// src/modules/organizations.ts
-var OrganizationsModule = class {
+// src/modules/services.ts
+var ServicesModule = class {
   constructor(http) {
     this.http = http;
     /**
-     * Member management methods
+     * Plan management methods
      */
-    this.members = {
+    this.plans = {
       /**
-       * List all members of an organization.
+       * Create a new subscription plan for a service.
+       * Requires 'owner' or 'admin' role.
        *
        * @param orgSlug Organization slug
-       * @returns Member list response with pagination metadata
+       * @param serviceSlug Service slug
+       * @param payload Plan creation payload
+       * @returns Created plan with subscription count
        *
        * @example
        * ```typescript
-       * const result = await sso.organizations.members.list('acme-corp');
-       * console.log(`Total members: ${result.total}`);
-       * result.members.forEach(m => console.log(m.email, m.role));
+       * const result = await sso.services.plans.create('acme-corp', 'main-app', {
+       *   name: 'pro',
+       *   price_cents: 2999,
+       *   currency: 'usd',
+       *   features: ['api-access', 'advanced-analytics', 'priority-support']
+       * });
+       * console.log(result.plan.name, result.subscription_count);
        * ```
        */
-      list: async (orgSlug) => {
+      create: async (orgSlug, serviceSlug, payload) => {
+        const response = await this.http.post(
+          `/api/organizations/${orgSlug}/services/${serviceSlug}/plans`,
+          payload
+        );
+        return response.data;
+      },
+      /**
+       * List all plans for a service.
+       *
+       * @param orgSlug Organization slug
+       * @param serviceSlug Service slug
+       * @returns Array of plans with subscription counts
+       *
+       * @example
+       * ```typescript
+       * const plans = await sso.services.plans.list('acme-corp', 'main-app');
+       * plans.forEach(p => console.log(p.plan.name, p.subscription_count));
+       * ```
+       */
+      list: async (orgSlug, serviceSlug) => {
         const response = await this.http.get(
-          `/api/organizations/${orgSlug}/members`
+          `/api/organizations/${orgSlug}/services/${serviceSlug}/plans`
         );
         return response.data;
       },
       /**
-       * Update a member's role.
-       * Requires 'owner' role.
+       * Update a subscription plan.
+       * Requires 'owner' or 'admin' role.
        *
        * @param orgSlug Organization slug
-       * @param userId User ID to update
-       * @param payload Role update payload
-       * @returns Updated member details
+       * @param serviceSlug Service slug
+       * @param planId Plan ID
+       * @param payload Plan update payload
+       * @returns Updated plan with subscription count
        *
        * @example
        * ```typescript
-       * await sso.organizations.members.updateRole('acme-corp', 'user-id', {
-       *   role: 'admin'
+       * const result = await sso.services.plans.update('acme-corp', 'main-app', 'plan_123', {
+       *   name: 'Pro Plus',
+       *   price_cents: 3999,
+       *   currency: 'usd',
+       *   features: ['api-access', 'advanced-analytics', 'priority-support', 'custom-integrations']
        * });
+       * console.log('Updated plan:', result.plan.name);
        * ```
        */
-      updateRole: async (orgSlug, userId, payload) => {
+      update: async (orgSlug, serviceSlug, planId, payload) => {
         const response = await this.http.patch(
-          `/api/organizations/${orgSlug}/members/${userId}`,
+          `/api/organizations/${orgSlug}/services/${serviceSlug}/plans/${planId}`,
           payload
         );
         return response.data;
       },
       /**
-       * Remove a member from the organization.
+       * Delete a subscription plan.
        * Requires 'owner' or 'admin' role.
        *
+       * WARNING: This will fail if the plan has active subscriptions.
+       * You must migrate or cancel all subscriptions before deleting a plan.
+       *
        * @param orgSlug Organization slug
-       * @param userId User ID to remove
+       * @param serviceSlug Service slug
+       * @param planId Plan ID
        *
        * @example
        * ```typescript
-       * await sso.organizations.members.remove('acme-corp', 'user-id');
+       * try {
+       *   await sso.services.plans.delete('acme-corp', 'main-app', 'plan_123');
+       *   console.log('Plan deleted successfully');
+       * } catch (error) {
+       *   console.error('Cannot delete plan with active subscriptions');
+       * }
        * ```
        */
-      remove: async (orgSlug, userId) => {
-        await this.http.post(`/api/organizations/${orgSlug}/members/${userId}`);
+      delete: async (orgSlug, serviceSlug, planId) => {
+        await this.http.delete(
+          `/api/organizations/${orgSlug}/services/${serviceSlug}/plans/${planId}`
+        );
+      }
+    };
+    /**
+     * API Key management methods for service-to-service authentication
+     */
+    this.apiKeys = {
+      /**
+       * Create a new API key for a service.
+       * Requires 'owner' or 'admin' role.
+       *
+       * IMPORTANT: The full API key is only returned once upon creation.
+       * Store it securely as it cannot be retrieved again.
+       *
+       * @param orgSlug Organization slug
+       * @param serviceSlug Service slug
+       * @param payload API key creation payload
+       * @returns Created API key with the full key value
+       *
+       * @example
+       * ```typescript
+       * const apiKey = await sso.services.apiKeys.create('acme-corp', 'main-app', {
+       *   name: 'Production Backend',
+       *   permissions: ['read:users', 'write:subscriptions'],
+       *   expires_in_days: 90
+       * });
+       *
+       * // IMPORTANT: Store this key securely - it won't be shown again
+       * console.log('API Key:', apiKey.key);
+       * console.log('Prefix:', apiKey.prefix);
+       * ```
+       */
+      create: async (orgSlug, serviceSlug, payload) => {
+        const response = await this.http.post(
+          `/api/organizations/${orgSlug}/services/${serviceSlug}/api-keys`,
+          payload
+        );
+        return response.data;
       },
       /**
-       * Transfer organization ownership to another member.
-       * Requires 'owner' role.
+       * List all API keys for a service.
+       * Note: The full key values are not included in this response.
        *
        * @param orgSlug Organization slug
-       * @param payload Transfer payload with new owner ID
+       * @param serviceSlug Service slug
+       * @param options Optional query parameters for pagination
+       * @returns List of API keys with metadata
        *
        * @example
        * ```typescript
-       * await sso.organizations.members.transferOwnership('acme-corp', {
-       *   new_owner_user_id: 'new-owner-id'
+       * const result = await sso.services.apiKeys.list('acme-corp', 'main-app', {
+       *   limit: 50,
+       *   offset: 0
+       * });
+       *
+       * console.log(`Total API keys: ${result.total}`);
+       * result.api_keys.forEach(key => {
+       *   console.log(`${key.name} (${key.prefix})`);
+       *   console.log(`Permissions: ${key.permissions.join(', ')}`);
+       *   console.log(`Last used: ${key.last_used_at || 'Never'}`);
        * });
        * ```
        */
-      transferOwnership: async (orgSlug, payload) => {
-        await this.http.post(`/api/organizations/${orgSlug}/members/transfer-ownership`, payload);
+      list: async (orgSlug, serviceSlug, options) => {
+        const queryParams = new URLSearchParams();
+        if (options?.limit) queryParams.set("limit", options.limit.toString());
+        if (options?.offset) queryParams.set("offset", options.offset.toString());
+        const query = queryParams.toString() ? `?${queryParams.toString()}` : "";
+        const response = await this.http.get(
+          `/api/organizations/${orgSlug}/services/${serviceSlug}/api-keys${query}`
+        );
+        return response.data;
+      },
+      /**
+       * Get details for a specific API key.
+       * Note: The full key value is not included in this response.
+       *
+       * @param orgSlug Organization slug
+       * @param serviceSlug Service slug
+       * @param apiKeyId API key ID
+       * @returns API key details
+       *
+       * @example
+       * ```typescript
+       * const apiKey = await sso.services.apiKeys.get('acme-corp', 'main-app', 'key_abc123');
+       * console.log(`Name: ${apiKey.name}`);
+       * console.log(`Permissions: ${apiKey.permissions.join(', ')}`);
+       * console.log(`Expires: ${apiKey.expires_at || 'Never'}`);
+       * ```
+       */
+      get: async (orgSlug, serviceSlug, apiKeyId) => {
+        const response = await this.http.get(
+          `/api/organizations/${orgSlug}/services/${serviceSlug}/api-keys/${apiKeyId}`
+        );
+        return response.data;
+      },
+      /**
+       * Delete an API key.
+       * Requires 'owner' or 'admin' role.
+       *
+       * WARNING: This action is immediate and cannot be undone.
+       * Any services using this key will lose access immediately.
+       *
+       * @param orgSlug Organization slug
+       * @param serviceSlug Service slug
+       * @param apiKeyId API key ID
+       *
+       * @example
+       * ```typescript
+       * await sso.services.apiKeys.delete('acme-corp', 'main-app', 'key_abc123');
+       * console.log('API key deleted successfully');
+       * ```
+       */
+      delete: async (orgSlug, serviceSlug, apiKeyId) => {
+        await this.http.delete(
+          `/api/organizations/${orgSlug}/services/${serviceSlug}/api-keys/${apiKeyId}`
+        );
       }
     };
     /**
-     * End-user management methods
-     * Manage organization's customers (end-users with subscriptions)
+     * SAML 2.0 Identity Provider (IdP) management methods
+     *
+     * Configure your service as a SAML IdP to enable SSO into third-party applications
+     * (Salesforce, AWS, Google Workspace, etc.)
      */
-    this.endUsers = {
+    this.saml = {
       /**
-       * List all end-users for an organization.
-       * End-users are customers who have subscriptions to the organization's services.
+       * Configure SAML IdP settings for a service.
+       * Requires 'owner' or 'admin' role.
        *
        * @param orgSlug Organization slug
-       * @param params Optional query parameters for pagination
-       * @returns Paginated list of end-users with their subscriptions
+       * @param serviceSlug Service slug
+       * @param payload SAML configuration payload
+       * @returns Configuration success response
        *
        * @example
        * ```typescript
-       * const endUsers = await sso.organizations.endUsers.list('acme-corp', {
-       *   page: 1,
-       *   limit: 20
+       * const result = await sso.services.saml.configure('acme-corp', 'main-app', {
+       *   enabled: true,
+       *   entity_id: 'https://salesforce.example.com',
+       *   acs_url: 'https://salesforce.example.com/saml/acs',
+       *   name_id_format: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+       *   attribute_mapping: {
+       *     email: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
+       *   },
+       *   sign_assertions: true,
+       *   sign_response: true
        * });
-       * console.log(`Total end-users: ${endUsers.total}`);
        * ```
        */
-      list: async (orgSlug, params) => {
-        const response = await this.http.get(
-          `/api/organizations/${orgSlug}/users`,
-          { params }
+      configure: async (orgSlug, serviceSlug, payload) => {
+        const response = await this.http.post(
+          `/api/organizations/${orgSlug}/services/${serviceSlug}/saml`,
+          payload
         );
         return response.data;
       },
       /**
-       * Get detailed information about a specific end-user.
+       * Get current SAML IdP configuration for a service.
        *
-       * @param orgSlug Organization slug
-       * @param userId User ID
-       * @returns End-user details with subscriptions, identities, and session count
+       * @param orgSlug Organization slug
+       * @param serviceSlug Service slug
+       * @returns Current SAML configuration
        *
        * @example
        * ```typescript
-       * const endUser = await sso.organizations.endUsers.get('acme-corp', 'user-id');
-       * console.log(`Active sessions: ${endUser.session_count}`);
+       * const config = await sso.services.saml.getConfig('acme-corp', 'main-app');
+       * if (config.enabled && config.has_certificate) {
+       *   console.log('SAML IdP is ready');
+       *   console.log('Entity ID:', config.entity_id);
+       *   console.log('ACS URL:', config.acs_url);
+       * }
        * ```
        */
-      get: async (orgSlug, userId) => {
+      getConfig: async (orgSlug, serviceSlug) => {
         const response = await this.http.get(
-          `/api/organizations/${orgSlug}/users/${userId}`
+          `/api/organizations/${orgSlug}/services/${serviceSlug}/saml`
         );
         return response.data;
       },
       /**
-       * Revoke all active sessions for an end-user.
-       * Requires admin or owner role.
-       * This will force the user to re-authenticate.
+       * Delete SAML IdP configuration and deactivate all certificates.
+       * Requires 'owner' or 'admin' role.
+       *
+       * WARNING: This will break SSO for all third-party applications using this IdP.
        *
        * @param orgSlug Organization slug
-       * @param userId User ID
-       * @returns Response with number of revoked sessions
+       * @param serviceSlug Service slug
        *
        * @example
        * ```typescript
-       * const result = await sso.organizations.endUsers.revokeSessions('acme-corp', 'user-id');
-       * console.log(`Revoked ${result.revoked_count} sessions`);
+       * await sso.services.saml.deleteConfig('acme-corp', 'main-app');
+       * console.log('SAML IdP configuration deleted');
        * ```
        */
-      revokeSessions: async (orgSlug, userId) => {
+      deleteConfig: async (orgSlug, serviceSlug) => {
         const response = await this.http.delete(
-          `/api/organizations/${orgSlug}/users/${userId}/sessions`
+          `/api/organizations/${orgSlug}/services/${serviceSlug}/saml`
         );
         return response.data;
-      }
-    };
-    /**
-     * BYOO (Bring Your Own OAuth) credential management
-     */
-    this.oauthCredentials = {
+      },
       /**
-       * Set or update custom OAuth credentials for a provider.
-       * This enables white-labeled authentication using the organization's
-       * own OAuth application.
+       * Generate a new SAML signing certificate for the IdP.
        * Requires 'owner' or 'admin' role.
        *
+       * IMPORTANT: This automatically deactivates any existing active certificates.
+       * Provide the returned certificate to your Service Provider during SAML setup.
+       *
        * @param orgSlug Organization slug
-       * @param provider OAuth provider
-       * @param payload OAuth credentials
-       * @returns Created/updated credentials (without secret)
+       * @param serviceSlug Service slug
+       * @returns Certificate information including public key
        *
        * @example
        * ```typescript
-       * await sso.organizations.oauthCredentials.set('acme-corp', 'github', {
-       *   client_id: 'Iv1.abc123',
-       *   client_secret: 'secret-value'
-       * });
+       * const cert = await sso.services.saml.generateCertificate('acme-corp', 'main-app');
+       * console.log('Certificate generated, valid until:', cert.valid_until);
+       * console.log('Public certificate:\n', cert.public_key);
+       * // Provide cert.public_key to your Service Provider
        * ```
        */
-      set: async (orgSlug, provider, payload) => {
+      generateCertificate: async (orgSlug, serviceSlug) => {
         const response = await this.http.post(
-          `/api/organizations/${orgSlug}/oauth-credentials/${provider}`,
-          payload
+          `/api/organizations/${orgSlug}/services/${serviceSlug}/saml/certificate`,
+          {}
         );
         return response.data;
       },
       /**
-       * Get the configured OAuth credentials for a provider.
-       * The secret is never returned.
+       * Get the active SAML signing certificate.
        *
        * @param orgSlug Organization slug
-       * @param provider OAuth provider
-       * @returns OAuth credentials (without secret)
+       * @param serviceSlug Service slug
+       * @returns Active certificate information
        *
        * @example
        * ```typescript
-       * const creds = await sso.organizations.oauthCredentials.get('acme-corp', 'github');
-       * console.log(creds.client_id);
+       * try {
+       *   const cert = await sso.services.saml.getCertificate('acme-corp', 'main-app');
+       *   console.log('Certificate expires:', cert.valid_until);
+       * } catch (error) {
+       *   console.log('No active certificate - generate one first');
+       * }
        * ```
        */
-      get: async (orgSlug, provider) => {
+      getCertificate: async (orgSlug, serviceSlug) => {
         const response = await this.http.get(
-          `/api/organizations/${orgSlug}/oauth-credentials/${provider}`
+          `/api/organizations/${orgSlug}/services/${serviceSlug}/saml/certificate`
         );
         return response.data;
-      }
-    };
-  }
-  /**
-   * Create a new organization (public endpoint).
-   * The organization will be created with 'pending' status and requires
-   * platform owner approval before becoming active.
-   *
-   * @param payload Organization creation payload
-   * @returns Created organization with owner and membership details
-   *
-   * @example
-   * ```typescript
-   * const result = await sso.organizations.createPublic({
-   *   slug: 'acme-corp',
-   *   name: 'Acme Corporation',
-   *   owner_email: 'founder@acme.com'
-   * });
-   * ```
-   */
-  async createPublic(payload) {
-    const response = await this.http.post("/api/organizations", payload);
-    return response.data;
-  }
-  /**
-   * List all organizations the authenticated user is a member of.
-   *
-   * @param params Optional query parameters for filtering and pagination
-   * @returns Array of organization responses
-   *
-   * @example
-   * ```typescript
-   * const orgs = await sso.organizations.list({
-   *   status: 'active',
-   *   page: 1,
-   *   limit: 20
-   * });
-   * ```
-   */
-  async list(params) {
-    const response = await this.http.get("/api/organizations", { params });
-    return response.data;
-  }
-  /**
-   * Get detailed information for a specific organization.
-   *
-   * @param orgSlug Organization slug
-   * @returns Organization details
-   *
-   * @example
-   * ```typescript
-   * const org = await sso.organizations.get('acme-corp');
-   * console.log(org.organization.name, org.membership_count);
-   * ```
-   */
-  async get(orgSlug) {
-    const response = await this.http.get(`/api/organizations/${orgSlug}`);
-    return response.data;
-  }
-  /**
-   * Update organization details.
-   * Requires 'owner' or 'admin' role.
-   *
-   * @param orgSlug Organization slug
-   * @param payload Update payload
-   * @returns Updated organization details
-   *
-   * @example
-   * ```typescript
-   * const updated = await sso.organizations.update('acme-corp', {
-   *   name: 'Acme Corporation Inc.',
-   *   max_services: 20
-   * });
-   * ```
-   */
-  async update(orgSlug, payload) {
-    const response = await this.http.patch(
-      `/api/organizations/${orgSlug}`,
-      payload
-    );
-    return response.data;
-  }
-};
-
-// src/modules/services.ts
-var ServicesModule = class {
-  constructor(http) {
-    this.http = http;
-    /**
-     * Plan management methods
-     */
-    this.plans = {
+      },
       /**
-       * Create a new subscription plan for a service.
-       * Requires 'owner' or 'admin' role.
+       * Get the SAML IdP metadata URL for this service.
+       * This URL can be provided to Service Providers for automatic configuration.
        *
+       * @param baseURL SSO platform base URL
        * @param orgSlug Organization slug
        * @param serviceSlug Service slug
-       * @param payload Plan creation payload
-       * @returns Created plan
+       * @returns Metadata URL
        *
        * @example
        * ```typescript
-       * const plan = await sso.services.plans.create('acme-corp', 'main-app', {
-       *   name: 'pro',
-       *   description: 'Pro tier with advanced features',
-       *   price_monthly: 29.99,
-       *   features: ['api-access', 'advanced-analytics', 'priority-support']
-       * });
+       * const metadataUrl = sso.services.saml.getMetadataUrl(
+       *   'https://sso.example.com',
+       *   'acme-corp',
+       *   'main-app'
+       * );
+       * console.log('Provide this URL to your SP:', metadataUrl);
+       * // https://sso.example.com/saml/acme-corp/main-app/metadata
        * ```
        */
-      create: async (orgSlug, serviceSlug, payload) => {
-        const response = await this.http.post(
-          `/api/organizations/${orgSlug}/services/${serviceSlug}/plans`,
-          payload
-        );
-        return response.data;
+      getMetadataUrl: (baseURL, orgSlug, serviceSlug) => {
+        return `${baseURL}/saml/${orgSlug}/${serviceSlug}/metadata`;
       },
       /**
-       * List all plans for a service.
+       * Get the SAML SSO endpoint URL for this service.
+       * This is where Service Providers should redirect users to initiate SSO.
        *
+       * @param baseURL SSO platform base URL
        * @param orgSlug Organization slug
        * @param serviceSlug Service slug
-       * @returns Array of plans
+       * @returns SSO endpoint URL
        *
        * @example
        * ```typescript
-       * const plans = await sso.services.plans.list('acme-corp', 'main-app');
-       * plans.forEach(plan => console.log(plan.name, plan.price_monthly));
+       * const ssoUrl = sso.services.saml.getSsoUrl(
+       *   'https://sso.example.com',
+       *   'acme-corp',
+       *   'main-app'
+       * );
+       * console.log('SSO endpoint:', ssoUrl);
+       * // https://sso.example.com/saml/acme-corp/main-app/sso
        * ```
        */
-      list: async (orgSlug, serviceSlug) => {
-        const response = await this.http.get(
-          `/api/organizations/${orgSlug}/services/${serviceSlug}/plans`
-        );
-        return response.data;
+      getSsoUrl: (baseURL, orgSlug, serviceSlug) => {
+        return `${baseURL}/saml/${orgSlug}/${serviceSlug}/sso`;
       }
     };
   }
@@ -1285,6 +2397,97 @@ var PlatformModule = class {
           payload
         );
         return response.data;
+      },
+      /**
+       * Delete an organization and all its associated data.
+       * This is a destructive operation that cannot be undone.
+       * Only platform owners can delete organizations.
+       *
+       * All related data will be cascaded deleted including:
+       * - Members and invitations
+       * - Services and plans
+       * - Subscriptions
+       * - OAuth credentials
+       * - Audit logs
+       *
+       * @param orgId Organization ID
+       * @returns Success confirmation
+       *
+       * @example
+       * ```typescript
+       * const result = await sso.platform.organizations.delete('org-id');
+       * console.log(result.message); // 'Organization deleted successfully'
+       * ```
+       */
+      delete: async (orgId) => {
+        const response = await this.http.delete(
+          `/api/platform/organizations/${orgId}`
+        );
+        return response.data;
+      }
+    };
+    /**
+     * User MFA management methods for platform administrators
+     */
+    this.users = {
+      /**
+       * Get MFA status for a specific user.
+       *
+       * @param userId The ID of the user
+       * @returns MFA status information
+       *
+       * @example
+       * ```typescript
+       * const mfaStatus = await sso.platform.users.getMfaStatus('user-uuid-here');
+       * console.log(mfaStatus.enabled, mfaStatus.has_backup_codes);
+       * ```
+       */
+      getMfaStatus: async (userId) => {
+        const response = await this.http.get(`/api/platform/users/${userId}/mfa/status`);
+        return response.data;
+      },
+      /**
+       * Search users by email address or user ID.
+       *
+       * @param query The search query (email or user ID)
+       * @param limit Optional maximum number of results (default: 10, max: 50)
+       * @returns Array of matching users
+       *
+       * @example
+       * ```typescript
+       * const users = await sso.platform.users.search('john@example.com');
+       * console.log(users); // [{ id: 'user-uuid', email: 'john@example.com', ... }]
+       *
+       * // Search by user ID
+       * const users = await sso.platform.users.search('user-uuid-here');
+       *
+       * // Limit results
+       * const users = await sso.platform.users.search('john@', { limit: 5 });
+       * ```
+       */
+      search: async (query, options) => {
+        const params = {
+          q: query.trim(),
+          limit: options?.limit ? Math.min(options.limit, 50) : void 0
+        };
+        const response = await this.http.get("/api/platform/users/search", { params });
+        return response.data;
+      },
+      /**
+       * Force disable MFA for a user (emergency access).
+       *
+       * @param userId The ID of the user
+       * @returns Success confirmation
+       *
+       * @example
+       * ```typescript
+       * await sso.platform.users.forceDisableMfa('user-uuid-here');
+       * console.log('MFA disabled for user');
+       * ```
+       */
+      forceDisableMfa: async (userId) => {
+        const response = await this.http.delete(`/api/platform/users/${userId}/mfa`);
+        return response.data;
       }
     };
     /**
@@ -1468,6 +2671,88 @@ var PlatformModule = class {
   }
 };
 
+// src/modules/serviceApi.ts
+var ServiceApiModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /**
+   * Create a new user
+   * Requires 'write:users' permission on the API key
+   *
+   * @param request User creation request
+   * @returns Created user
+   */
+  async createUser(request) {
+    const response = await this.http.post("/api/service/users", request);
+    return response.data;
+  }
+  /**
+   * Update user details
+   * Requires 'write:users' permission on the API key
+   *
+   * @param userId User ID to update
+   * @param request User update request
+   * @returns Updated user
+   */
+  async updateUser(userId, request) {
+    const response = await this.http.patch(`/api/service/users/${userId}`, request);
+    return response.data;
+  }
+  /**
+   * Create a new subscription for a user
+   * Requires 'write:subscriptions' permission on the API key
+   *
+   * @param request Subscription creation request
+   * @returns Created subscription
+   */
+  async createSubscription(request) {
+    const response = await this.http.post("/api/service/subscriptions", request);
+    return response.data;
+  }
+  /**
+   * Update a subscription for a user
+   * Requires 'write:subscriptions' permission on the API key
+   *
+   * @param userId User ID whose subscription to update
+   * @param request Subscription update request
+   * @returns Updated subscription
+   */
+  async updateSubscription(userId, request) {
+    const response = await this.http.patch(`/api/service/subscriptions/${userId}`, request);
+    return response.data;
+  }
+  /**
+   * Update service configuration
+   * Requires 'write:service' permission on the API key
+   *
+   * @param request Service update request
+   * @returns Updated service info
+   */
+  async updateServiceInfo(request) {
+    const response = await this.http.patch("/api/service/info", request);
+    return response.data;
+  }
+  /**
+   * Delete a user
+   * Requires 'delete:users' permission on the API key
+   *
+   * @param userId User ID to delete
+   */
+  async deleteUser(userId) {
+    await this.http.delete(`/api/service/users/${userId}`);
+  }
+  /**
+   * Delete a subscription for a user
+   * Requires 'delete:subscriptions' permission on the API key
+   *
+   * @param userId User ID whose subscription to delete
+   */
+  async deleteSubscription(userId) {
+    await this.http.delete(`/api/service/subscriptions/${userId}`);
+  }
+};
+
 // src/client.ts
 var SsoClient = class {
   constructor(options) {
@@ -1475,6 +2760,9 @@ var SsoClient = class {
     if (options.token) {
       this.setAuthToken(options.token);
     }
+    if (options.apiKey) {
+      this.setApiKey(options.apiKey);
+    }
     this.analytics = new AnalyticsModule(this.http);
     this.auth = new AuthModule(this.http);
     this.user = new UserModule(this.http);
@@ -1482,6 +2770,7 @@ var SsoClient = class {
     this.services = new ServicesModule(this.http);
     this.invitations = new InvitationsModule(this.http);
     this.platform = new PlatformModule(this.http);
+    this.serviceApi = new ServiceApiModule(this.http);
   }
   /**
    * Sets the JWT for all subsequent authenticated requests.
@@ -1505,6 +2794,28 @@ var SsoClient = class {
       delete this.http.defaults.headers.common["Authorization"];
     }
   }
+  /**
+   * Sets the API key for service-to-service authentication.
+   * Pass null to clear the API key.
+   *
+   * @param apiKey The API key string, or null to clear
+   *
+   * @example
+   * ```typescript
+   * // Set API key
+   * sso.setApiKey('sk_live_abcd1234...');
+   *
+   * // Clear API key
+   * sso.setApiKey(null);
+   * ```
+   */
+  setApiKey(apiKey) {
+    if (apiKey) {
+      this.http.defaults.headers.common["X-Api-Key"] = apiKey;
+    } else {
+      delete this.http.defaults.headers.common["X-Api-Key"];
+    }
+  }
   /**
    * Gets the current base URL
    */
@@ -1517,6 +2828,7 @@ export {
   InvitationsModule,
   OrganizationsModule,
   PlatformModule,
+  ServiceApiModule,
   ServicesModule,
   SsoApiError,
   SsoClient,