@drmhse/sso-sdk 0.2.8 → 0.3.0

package/dist/index.mjs

@@ -49,6 +49,12 @@ var HttpClient = class {
       timeout: 3e4
     };
   }
+  /**
+   * Allow injecting session manager after construction to avoid circular dep
+   */
+  setSessionManager(manager) {
+    this.sessionManager = manager;
+  }
   /**
    * Build query string from params object
    */
@@ -82,6 +88,12 @@ var HttpClient = class {
       ...this.defaults.headers.common,
       ...options.headers
     };
+    if (this.sessionManager) {
+      const token = await this.sessionManager.getToken();
+      if (token) {
+        headers["Authorization"] = `Bearer ${token}`;
+      }
+    }
     const controller = new AbortController();
     const timeoutId = setTimeout(() => controller.abort(), timeout);
     try {
@@ -92,6 +104,17 @@ var HttpClient = class {
         signal: controller.signal
       });
       clearTimeout(timeoutId);
+      if (response.status === 401 && this.sessionManager && !options._retry && !path.includes("/auth/login") && !path.includes("/auth/refresh")) {
+        try {
+          const newToken = await this.sessionManager.refreshSession();
+          return this.request(path, {
+            ...options,
+            _retry: true,
+            headers: { ...options.headers, Authorization: `Bearer ${newToken}` }
+          });
+        } catch (refreshError) {
+        }
+      }
       let data;
       const contentType = response.headers.get("content-type");
       if (contentType?.includes("application/json")) {
@@ -160,6 +183,16 @@ var HttpClient = class {
       headers: config?.headers
     });
   }
+  /**
+   * PUT request
+   */
+  async put(path, data, config) {
+    return this.request(path, {
+      method: "PUT",
+      body: data,
+      headers: config?.headers
+    });
+  }
   /**
    * PATCH request
    */
@@ -184,6 +217,125 @@ function createHttpAgent(baseURL) {
   return new HttpClient(baseURL);
 }
 
+// src/session.ts
+var SessionManager = class {
+  constructor(storage, refreshHandler, config = { storageKeyPrefix: "sso_" }) {
+    this.storage = storage;
+    this.refreshHandler = refreshHandler;
+    this.config = config;
+    this.accessToken = null;
+    this.refreshToken = null;
+    this.refreshPromise = null;
+    this.listeners = [];
+  }
+  /**
+   * Initialize session from storage
+   */
+  async loadSession() {
+    this.accessToken = await this.storage.getItem(`${this.config.storageKeyPrefix}access_token`);
+    this.refreshToken = await this.storage.getItem(`${this.config.storageKeyPrefix}refresh_token`);
+  }
+  /**
+   * Set the session data (used after login/register)
+   */
+  async setSession(tokens) {
+    this.accessToken = tokens.access_token;
+    await this.storage.setItem(`${this.config.storageKeyPrefix}access_token`, tokens.access_token);
+    if (tokens.refresh_token) {
+      this.refreshToken = tokens.refresh_token;
+      await this.storage.setItem(`${this.config.storageKeyPrefix}refresh_token`, tokens.refresh_token);
+    }
+    this.notifyListeners(true);
+  }
+  /**
+   * Clear session (logout)
+   */
+  async clearSession() {
+    this.accessToken = null;
+    this.refreshToken = null;
+    await this.storage.removeItem(`${this.config.storageKeyPrefix}access_token`);
+    await this.storage.removeItem(`${this.config.storageKeyPrefix}refresh_token`);
+    this.notifyListeners(false);
+  }
+  /**
+   * Get the current access token, refreshing it if necessary/possible
+   */
+  async getToken() {
+    return this.accessToken;
+  }
+  /**
+   * Handle logic for when a 401 occurs
+   */
+  async refreshSession() {
+    if (!this.refreshToken) {
+      throw new Error("No refresh token available");
+    }
+    if (this.refreshPromise) {
+      return this.refreshPromise;
+    }
+    this.refreshPromise = (async () => {
+      try {
+        const tokens = await this.refreshHandler(this.refreshToken);
+        await this.setSession(tokens);
+        return tokens.access_token;
+      } catch (err) {
+        await this.clearSession();
+        throw err;
+      } finally {
+        this.refreshPromise = null;
+      }
+    })();
+    return this.refreshPromise;
+  }
+  isAuthenticated() {
+    return !!this.accessToken;
+  }
+  /**
+   * Subscribe to auth state changes (useful for UI updates)
+   */
+  subscribe(listener) {
+    this.listeners.push(listener);
+    return () => {
+      this.listeners = this.listeners.filter((l) => l !== listener);
+    };
+  }
+  notifyListeners(isAuth) {
+    this.listeners.forEach((l) => l(isAuth));
+  }
+};
+
+// src/storage.ts
+var MemoryStorage = class {
+  constructor() {
+    this.store = /* @__PURE__ */ new Map();
+  }
+  getItem(key) {
+    return this.store.get(key) || null;
+  }
+  setItem(key, value) {
+    this.store.set(key, value);
+  }
+  removeItem(key) {
+    this.store.delete(key);
+  }
+};
+var BrowserStorage = class {
+  getItem(key) {
+    return typeof window !== "undefined" ? window.localStorage.getItem(key) : null;
+  }
+  setItem(key, value) {
+    if (typeof window !== "undefined") window.localStorage.setItem(key, value);
+  }
+  removeItem(key) {
+    if (typeof window !== "undefined") window.localStorage.removeItem(key);
+  }
+};
+function resolveStorage(userStorage) {
+  if (userStorage) return userStorage;
+  if (typeof window !== "undefined" && window.localStorage) return new BrowserStorage();
+  return new MemoryStorage();
+}
+
 // src/modules/analytics.ts
 var AnalyticsModule = class {
   constructor(http) {
@@ -289,8 +441,9 @@ var AnalyticsModule = class {
 
 // src/modules/auth.ts
 var AuthModule = class {
-  constructor(http) {
+  constructor(http, session) {
     this.http = http;
+    this.session = session;
     /**
      * Device Flow: Request a device code for CLI/device authentication.
      *
@@ -337,6 +490,9 @@ var AuthModule = class {
       /**
        * Exchange a device code for a JWT token.
        * This should be polled by the device/CLI after displaying the user code.
+       * Note: This returns a TokenResponse (not RefreshTokenResponse) and typically
+       * only includes access_token. For device flows that need persistence,
+       * manually call sso.session.setSession() if needed.
        *
        * @param payload Token request payload
        * @returns Token response with JWT
@@ -352,7 +508,7 @@ var AuthModule = class {
        *       client_id: 'service-client-id'
        *     });
        *     clearInterval(interval);
-       *     sso.setAuthToken(token.access_token);
+       *     // Session is automatically configured
        *   } catch (error) {
        *     if (error.errorCode !== 'authorization_pending') {
        *       clearInterval(interval);
@@ -374,17 +530,29 @@ var AuthModule = class {
    * should redirect the user's browser to this URL.
    *
    * @param provider The OAuth provider to use
-   * @param params Login parameters (org, service, redirect_uri)
+   * @param params Login parameters (org, service, redirect_uri, connection_id)
    * @returns The full URL to redirect the user to
    *
    * @example
    * ```typescript
+   * // Standard OAuth login
    * const url = sso.auth.getLoginUrl('github', {
    *   org: 'acme-corp',
    *   service: 'main-app',
    *   redirect_uri: 'https://app.acme.com/callback'
    * });
    * window.location.href = url;
+   *
+   * // Enterprise IdP login (after HRD lookup)
+   * const hrd = await sso.auth.lookupEmail('user@enterprise.com');
+   * if (hrd.connection_id) {
+   *   const url = sso.auth.getLoginUrl('github', {
+   *     org: 'acme-corp',
+   *     service: 'main-app',
+   *     connection_id: hrd.connection_id
+   *   });
+   *   window.location.href = url;
+   * }
    * ```
    */
   getLoginUrl(provider, params) {
@@ -399,6 +567,9 @@ var AuthModule = class {
     if (params.user_code) {
       searchParams.append("user_code", params.user_code);
     }
+    if (params.connection_id) {
+      searchParams.append("connection_id", params.connection_id);
+    }
     return `${baseURL}/auth/${provider}?${searchParams.toString()}`;
   }
   /**
@@ -431,19 +602,20 @@ var AuthModule = class {
   }
   /**
    * Logout the current user by revoking their JWT.
-   * After calling this, you should clear the token from storage
-   * and call `sso.setAuthToken(null)`.
+   * Automatically clears the session and tokens from storage.
    *
    * @example
    * ```typescript
    * await sso.auth.logout();
-   * sso.setAuthToken(null);
-   * localStorage.removeItem('sso_access_token');
-   * localStorage.removeItem('sso_refresh_token');
+   * // Session is automatically cleared - no need for manual cleanup
    * ```
    */
   async logout() {
-    await this.http.post("/api/auth/logout");
+    try {
+      await this.http.post("/api/auth/logout");
+    } finally {
+      await this.session.clearSession();
+    }
   }
   /**
    * Refresh an expired JWT access token using a refresh token.
@@ -516,10 +688,26 @@ var AuthModule = class {
     const response = await this.http.post("/api/auth/register", payload);
     return response.data;
   }
+  /**
+   * Verify an email address using the token from the verification email.
+   *
+   * @param token Verification token
+   * @returns HTML success page string
+   *
+   * @example
+   * ```typescript
+   * const html = await sso.auth.verifyEmail('token-from-email');
+   * ```
+   */
+  async verifyEmail(token) {
+    const response = await this.http.get("/auth/verify-email", {
+      params: { token }
+    });
+    return response.data;
+  }
   /**
    * Login with email and password.
-   * Returns access token and refresh token on successful authentication.
-   * The user's email must be verified before login.
+   * Automatically persists the session and configures the client.
    *
    * @param payload Login credentials (email and password)
    * @returns Access token, refresh token, and expiration info
@@ -530,13 +718,15 @@ var AuthModule = class {
    *   email: 'user@example.com',
    *   password: 'SecurePassword123!'
    * });
-   * sso.setAuthToken(tokens.access_token);
-   * localStorage.setItem('sso_access_token', tokens.access_token);
-   * localStorage.setItem('sso_refresh_token', tokens.refresh_token);
+   * // Session is automatically saved - no need for manual token management
    * ```
    */
   async login(payload) {
     const response = await this.http.post("/api/auth/login", payload);
+    await this.session.setSession({
+      access_token: response.data.access_token,
+      refresh_token: response.data.refresh_token
+    });
     return response.data;
   }
   /**
@@ -544,6 +734,7 @@ var AuthModule = class {
    * This method should be called after login when the user has MFA enabled.
    * The login will return a pre-auth token with a short expiration (5 minutes).
    * Exchange the pre-auth token and TOTP code for a full session.
+   * Automatically persists the session after successful MFA verification.
    *
    * @param preauthToken The pre-authentication token received from login
    * @param code The TOTP code from the user's authenticator app or a backup code
@@ -562,9 +753,7 @@ var AuthModule = class {
    *   // User needs to provide MFA code
    *   const mfaCode = prompt('Enter your 6-digit code from authenticator app');
    *   const tokens = await sso.auth.verifyMfa(loginResponse.access_token, mfaCode);
-   *   sso.setAuthToken(tokens.access_token);
-   *   localStorage.setItem('sso_access_token', tokens.access_token);
-   *   localStorage.setItem('sso_refresh_token', tokens.refresh_token);
+   *   // Session is automatically saved - no need for manual token management
    * }
    * ```
    */
@@ -574,6 +763,10 @@ var AuthModule = class {
       code,
       ...deviceCodeId && { device_code_id: deviceCodeId }
     });
+    await this.session.setSession({
+      access_token: response.data.access_token,
+      refresh_token: response.data.refresh_token
+    });
     return response.data;
   }
   /**
@@ -616,6 +809,52 @@ var AuthModule = class {
     const response = await this.http.post("/api/auth/reset-password", payload);
     return response.data;
   }
+  // ============================================================================
+  // HOME REALM DISCOVERY (HRD)
+  // ============================================================================
+  /**
+   * Lookup an email address to determine which authentication method to use.
+   * This implements Home Realm Discovery (HRD), allowing users to simply enter
+   * their email address and be automatically routed to the correct identity provider.
+   *
+   * The system will:
+   * 1. Extract the domain from the email address
+   * 2. Check if the domain is verified and mapped to an enterprise IdP
+   * 3. Return routing information (connection_id) if found
+   * 4. Otherwise, indicate to use default authentication (password or OAuth)
+   *
+   * @param email The user's email address
+   * @returns HRD response with routing information
+   *
+   * @example
+   * ```typescript
+   * // Lookup email to determine authentication flow
+   * const result = await sso.auth.lookupEmail('john@acmecorp.com');
+   *
+   * if (result.auth_method === 'upstream' && result.connection_id) {
+   *   // Route to enterprise IdP
+   *   console.log(`Redirecting to ${result.provider_name}`);
+   *   const url = sso.auth.getLoginUrl('github', {
+   *     org: 'acme-corp',
+   *     service: 'main-app',
+   *     connection_id: result.connection_id
+   *   });
+   *   window.location.href = url;
+   * } else if (result.auth_method === 'password') {
+   *   // Show password login form
+   *   showPasswordForm();
+   * } else {
+   *   // Show default OAuth provider buttons (GitHub, Google, Microsoft)
+   *   showOAuthButtons();
+   * }
+   * ```
+   */
+  async lookupEmail(email) {
+    const response = await this.http.post("/api/auth/lookup-email", {
+      email
+    });
+    return response.data;
+  }
 };
 
 // src/modules/user.ts
@@ -752,11 +991,127 @@ var MfaModule = class {
     return response.data;
   }
 };
+var DevicesModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /**
+   * List all devices associated with the authenticated user.
+   *
+   * @param options Optional query parameters for pagination
+   * @returns Array of user devices
+   *
+   * @example
+   * ```typescript
+   * const { devices, total } = await sso.user.devices.list();
+   * console.log(devices); // Array of trusted devices
+   * ```
+   */
+  async list(options) {
+    const params = new URLSearchParams();
+    if (options?.page) params.append("page", options.page.toString());
+    if (options?.limit) params.append("limit", options.limit.toString());
+    if (options?.sort_by) params.append("sort_by", options.sort_by);
+    if (options?.sort_order) params.append("sort_order", options.sort_order);
+    const query = params.toString();
+    const url = `/api/user/devices${query ? `?${query}` : ""}`;
+    const response = await this.http.get(url);
+    return response.data;
+  }
+  /**
+   * Get details for a specific device.
+   *
+   * @param deviceId The device ID to retrieve
+   * @returns Device details
+   *
+   * @example
+   * ```typescript
+   * const device = await sso.user.devices.get('device-123');
+   * console.log(device.device_name, device.is_trusted);
+   * ```
+   */
+  async get(deviceId) {
+    const response = await this.http.get(`/api/user/devices/${deviceId}`);
+    return response.data;
+  }
+  /**
+   * Revoke access for a specific device.
+   * This will remove the device's trust and require re-authentication.
+   *
+   * @param deviceId The device ID to revoke
+   * @param reason Optional reason for revocation
+   * @returns Confirmation message
+   *
+   * @example
+   * ```typescript
+   * const result = await sso.user.devices.revoke('device-123', 'Device lost');
+   * console.log(result.message);
+   * ```
+   */
+  async revoke(deviceId, reason) {
+    const payload = reason ? { reason } : {};
+    const response = await this.http.post(`/api/user/devices/${deviceId}/revoke`, payload);
+    return response.data;
+  }
+  /**
+   * Revoke all devices except the current one.
+   * This is useful when you suspect account compromise or want to force re-authentication on all devices.
+   *
+   * @returns Confirmation message
+   *
+   * @example
+   * ```typescript
+   * const result = await sso.user.devices.revokeAll();
+   * console.log(result.message); // "All other devices have been revoked"
+   * ```
+   */
+  async revokeAll() {
+    const response = await this.http.post("/api/user/devices/revoke-all", {});
+    return response.data;
+  }
+  /**
+   * Update the name of a device.
+   *
+   * @param deviceId The device ID to update
+   * @param deviceName New device name
+   * @returns Updated device information
+   *
+   * @example
+   * ```typescript
+   * const device = await sso.user.devices.updateName('device-123', 'My Laptop');
+   * console.log(device.device_name); // "My Laptop"
+   * ```
+   */
+  async updateName(deviceId, deviceName) {
+    const response = await this.http.patch(`/api/user/devices/${deviceId}`, {
+      device_name: deviceName
+    });
+    return response.data;
+  }
+  /**
+   * Mark a device as trusted manually.
+   * This is useful for devices that you want to explicitly trust regardless of risk assessment.
+   *
+   * @param deviceId The device ID to trust
+   * @returns Updated device information
+   *
+   * @example
+   * ```typescript
+   * const device = await sso.user.devices.trust('device-123');
+   * console.log(device.is_trusted); // true
+   * ```
+   */
+  async trust(deviceId) {
+    const response = await this.http.post(`/api/user/devices/${deviceId}/trust`, {});
+    return response.data;
+  }
+};
 var UserModule = class {
   constructor(http) {
     this.http = http;
     this.identities = new IdentitiesModule(http);
     this.mfa = new MfaModule(http);
+    this.devices = new DevicesModule(http);
   }
   /**
    * Get the profile of the currently authenticated user.
@@ -1109,6 +1464,43 @@ var WebhooksModule = class {
 var OrganizationsModule = class {
   constructor(http) {
     this.http = http;
+    /**
+     * SCIM token management methods
+     */
+    this.scim = {
+      /**
+       * Create a new SCIM token.
+       * The token is only returned once upon creation.
+       */
+      createToken: async (orgSlug, payload) => {
+        const response = await this.http.post(
+          `/api/organizations/${orgSlug}/scim-tokens`,
+          payload
+        );
+        return response.data;
+      },
+      /**
+       * List all SCIM tokens.
+       */
+      listTokens: async (orgSlug) => {
+        const response = await this.http.get(
+          `/api/organizations/${orgSlug}/scim-tokens`
+        );
+        return response.data;
+      },
+      /**
+       * Revoke a SCIM token.
+       */
+      revokeToken: async (orgSlug, tokenId) => {
+        await this.http.post(`/api/organizations/${orgSlug}/scim-tokens/${tokenId}/revoke`);
+      },
+      /**
+       * Delete a SCIM token.
+       */
+      deleteToken: async (orgSlug, tokenId) => {
+        await this.http.delete(`/api/organizations/${orgSlug}/scim-tokens/${tokenId}`);
+      }
+    };
     /**
      * Member management methods
      */
@@ -1132,6 +1524,24 @@ var OrganizationsModule = class {
         );
         return response.data;
       },
+      /**
+       * Add a member to the organization (Invite + Accept).
+       * This is a convenience method that creates an invitation and immediately accepts it.
+       * Useful for testing and admin operations.
+       *
+       * @param orgSlug Organization slug
+       * @param payload Member details (email, role)
+       * @returns The created invitation
+       */
+      add: async (orgSlug, payload) => {
+        const response = await this.http.post(
+          `/api/organizations/${orgSlug}/invitations`,
+          payload
+        );
+        const invitation = response.data;
+        await this.http.post("/api/invitations/accept", { token: invitation.token });
+        return invitation;
+      },
       /**
        * Update a member's role.
        * Requires 'owner' role.
@@ -1318,81 +1728,296 @@ var OrganizationsModule = class {
         return response.data;
       }
     };
-    this.auditLogs = new AuditLogsModule(http);
-    this.webhooks = new WebhooksModule(http);
-  }
-  /**
-   * Create a new organization (requires authentication).
-   * The authenticated user becomes the organization owner.
-   * Returns JWT tokens with organization context, eliminating the need to re-authenticate.
-   *
-   * @param payload Organization creation payload
-   * @returns Created organization with owner, membership, and JWT tokens
-   *
-   * @example
-   * ```typescript
-   * const result = await sso.organizations.create({
-   *   slug: 'acme-corp',
-   *   name: 'Acme Corporation'
-   * });
-   * // Store the new tokens with org context
-   * authStore.setTokens(result.access_token, result.refresh_token);
-   * ```
-   */
-  async create(payload) {
-    const response = await this.http.post("/api/organizations", payload);
-    return response.data;
-  }
-  /**
-   * List all organizations the authenticated user is a member of.
-   *
-   * @param params Optional query parameters for filtering and pagination
-   * @returns Array of organization responses
-   *
-   * @example
-   * ```typescript
-   * const orgs = await sso.organizations.list({
-   *   status: 'active',
-   *   page: 1,
-   *   limit: 20
-   * });
-   * ```
-   */
-  async list(params) {
-    const response = await this.http.get("/api/organizations", { params });
-    return response.data;
-  }
-  /**
-   * Get detailed information for a specific organization.
-   *
-   * @param orgSlug Organization slug
-   * @returns Organization details
-   *
-   * @example
-   * ```typescript
-   * const org = await sso.organizations.get('acme-corp');
-   * console.log(org.organization.name, org.membership_count);
-   * ```
-   */
-  async get(orgSlug) {
-    const response = await this.http.get(`/api/organizations/${orgSlug}`);
-    return response.data;
-  }
-  /**
-   * Update organization details.
-   * Requires 'owner' or 'admin' role.
-   *
-   * @param orgSlug Organization slug
-   * @param payload Update payload
-   * @returns Updated organization details
-   *
-   * @example
-   * ```typescript
-   * const updated = await sso.organizations.update('acme-corp', {
-   *   name: 'Acme Corporation Inc.',
-   *   max_services: 20
-   * });
-   * ```
+    // ============================================================================
+    // RISK SETTINGS
+    // ============================================================================
+    /**
+     * Risk settings management methods
+     */
+    this.riskSettings = {
+      /**
+       * Get risk settings for an organization.
+       * Requires 'owner' or 'admin' role.
+       *
+       * @param orgSlug Organization slug
+       * @returns Risk settings configuration
+       *
+       * @example
+       * ```typescript
+       * const settings = await sso.organizations.riskSettings.get('acme-corp');
+       * console.log('Enforcement mode:', settings.enforcement_mode);
+       * console.log('Low threshold:', settings.low_threshold);
+       * ```
+       */
+      get: async (orgSlug) => {
+        const response = await this.http.get(
+          `/api/organizations/${orgSlug}/risk-settings`
+        );
+        return response.data;
+      },
+      /**
+       * Update risk settings for an organization.
+       * Requires 'owner' or 'admin' role.
+       *
+       * @param orgSlug Organization slug
+       * @param payload Risk settings update payload
+       * @returns Updated risk settings
+       *
+       * @example
+       * ```typescript
+       * const result = await sso.organizations.riskSettings.update('acme-corp', {
+       *   enforcement_mode: 'challenge',
+       *   low_threshold: 30,
+       *   medium_threshold: 70,
+       *   new_device_score: 20,
+       *   impossible_travel_score: 50
+       * });
+       * console.log(result.message);
+       * ```
+       */
+      update: async (orgSlug, payload) => {
+        const response = await this.http.put(
+          `/api/organizations/${orgSlug}/risk-settings`,
+          payload
+        );
+        return response.data;
+      },
+      /**
+       * Reset risk settings to default values.
+       * Requires 'owner' or 'admin' role.
+       *
+       * @param orgSlug Organization slug
+       * @returns Reset confirmation with default values
+       *
+       * @example
+       * ```typescript
+       * const result = await sso.organizations.riskSettings.reset('acme-corp');
+       * console.log('Risk settings reset to defaults');
+       * ```
+       */
+      reset: async (orgSlug) => {
+        const response = await this.http.post(
+          `/api/organizations/${orgSlug}/risk-settings/reset`
+        );
+        return response.data;
+      }
+    };
+    // ============================================================================
+    // SIEM CONFIGURATIONS
+    // ============================================================================
+    /**
+     * SIEM (Security Information and Event Management) configuration methods
+     */
+    this.siem = {
+      /**
+       * Create a new SIEM configuration.
+       * Requires 'owner' or 'admin' role.
+       *
+       * @param orgSlug Organization slug
+       * @param payload SIEM configuration payload
+       * @returns Created SIEM configuration
+       *
+       * @example
+       * ```typescript
+       * const config = await sso.organizations.siem.create('acme-corp', {
+       *   name: 'Datadog Integration',
+       *   provider_type: 'Datadog',
+       *   endpoint_url: 'https://http-intake.logs.datadoghq.com/v1/input',
+       *   api_key: 'dd-api-key',
+       *   batch_size: 100
+       * });
+       * ```
+       */
+      create: async (orgSlug, payload) => {
+        const response = await this.http.post(
+          `/api/organizations/${orgSlug}/siem-configs`,
+          payload
+        );
+        return response.data;
+      },
+      /**
+       * List all SIEM configurations for an organization.
+       * Requires 'owner' or 'admin' role.
+       *
+       * @param orgSlug Organization slug
+       * @returns List of SIEM configurations
+       *
+       * @example
+       * ```typescript
+       * const result = await sso.organizations.siem.list('acme-corp');
+       * console.log(`Total SIEM configs: ${result.total}`);
+       * result.siem_configs.forEach(config => {
+       *   console.log(config.name, config.provider_type, config.enabled);
+       * });
+       * ```
+       */
+      list: async (orgSlug) => {
+        const response = await this.http.get(
+          `/api/organizations/${orgSlug}/siem-configs`
+        );
+        return response.data;
+      },
+      /**
+       * Get a specific SIEM configuration.
+       * Requires 'owner' or 'admin' role.
+       *
+       * @param orgSlug Organization slug
+       * @param configId SIEM configuration ID
+       * @returns SIEM configuration
+       *
+       * @example
+       * ```typescript
+       * const config = await sso.organizations.siem.get('acme-corp', 'config-id');
+       * console.log(config.name, config.endpoint_url);
+       * ```
+       */
+      get: async (orgSlug, configId) => {
+        const response = await this.http.get(
+          `/api/organizations/${orgSlug}/siem-configs/${configId}`
+        );
+        return response.data;
+      },
+      /**
+       * Update a SIEM configuration.
+       * Requires 'owner' or 'admin' role.
+       *
+       * @param orgSlug Organization slug
+       * @param configId SIEM configuration ID
+       * @param payload Update payload
+       * @returns Updated SIEM configuration
+       *
+       * @example
+       * ```typescript
+       * const updated = await sso.organizations.siem.update('acme-corp', 'config-id', {
+       *   enabled: false,
+       *   batch_size: 200
+       * });
+       * ```
+       */
+      update: async (orgSlug, configId, payload) => {
+        const response = await this.http.patch(
+          `/api/organizations/${orgSlug}/siem-configs/${configId}`,
+          payload
+        );
+        return response.data;
+      },
+      /**
+       * Delete a SIEM configuration.
+       * Requires 'owner' or 'admin' role.
+       *
+       * @param orgSlug Organization slug
+       * @param configId SIEM configuration ID
+       *
+       * @example
+       * ```typescript
+       * await sso.organizations.siem.delete('acme-corp', 'config-id');
+       * console.log('SIEM configuration deleted');
+       * ```
+       */
+      delete: async (orgSlug, configId) => {
+        await this.http.delete(`/api/organizations/${orgSlug}/siem-configs/${configId}`);
+      },
+      /**
+       * Test connection to a SIEM endpoint.
+       * Sends a test event to verify the configuration.
+       * Requires 'owner' or 'admin' role.
+       *
+       * @param orgSlug Organization slug
+       * @param configId SIEM configuration ID
+       * @returns Test result
+       *
+       * @example
+       * ```typescript
+       * const result = await sso.organizations.siem.test('acme-corp', 'config-id');
+       * if (result.success) {
+       *   console.log('Connection successful:', result.message);
+       * } else {
+       *   console.error('Connection failed:', result.message);
+       * }
+       * ```
+       */
+      test: async (orgSlug, configId) => {
+        const response = await this.http.post(
+          `/api/organizations/${orgSlug}/siem-configs/${configId}/test`
+        );
+        return response.data;
+      }
+    };
+    this.auditLogs = new AuditLogsModule(http);
+    this.webhooks = new WebhooksModule(http);
+  }
+  /**
+   * Create a new organization (requires authentication).
+   * The authenticated user becomes the organization owner.
+   * Returns JWT tokens with organization context, eliminating the need to re-authenticate.
+   *
+   * @param payload Organization creation payload
+   * @returns Created organization with owner, membership, and JWT tokens
+   *
+   * @example
+   * ```typescript
+   * const result = await sso.organizations.create({
+   *   slug: 'acme-corp',
+   *   name: 'Acme Corporation'
+   * });
+   * // Store the new tokens with org context
+   * authStore.setTokens(result.access_token, result.refresh_token);
+   * ```
+   */
+  async create(payload) {
+    const response = await this.http.post("/api/organizations", payload);
+    return response.data;
+  }
+  /**
+   * List all organizations the authenticated user is a member of.
+   *
+   * @param params Optional query parameters for filtering and pagination
+   * @returns Array of organization responses
+   *
+   * @example
+   * ```typescript
+   * const orgs = await sso.organizations.list({
+   *   status: 'active',
+   *   page: 1,
+   *   limit: 20
+   * });
+   * ```
+   */
+  async list(params) {
+    const response = await this.http.get("/api/organizations", { params });
+    return response.data;
+  }
+  /**
+   * Get detailed information for a specific organization.
+   *
+   * @param orgSlug Organization slug
+   * @returns Organization details
+   *
+   * @example
+   * ```typescript
+   * const org = await sso.organizations.get('acme-corp');
+   * console.log(org.organization.name, org.membership_count);
+   * ```
+   */
+  async get(orgSlug) {
+    const response = await this.http.get(`/api/organizations/${orgSlug}`);
+    return response.data;
+  }
+  /**
+   * Update organization details.
+   * Requires 'owner' or 'admin' role.
+   *
+   * @param orgSlug Organization slug
+   * @param payload Update payload
+   * @returns Updated organization details
+   *
+   * @example
+   * ```typescript
+   * const updated = await sso.organizations.update('acme-corp', {
+   *   name: 'Acme Corporation Inc.',
+   *   max_services: 20
+   * });
+   * ```
    */
   async update(orgSlug, payload) {
     const response = await this.http.patch(
@@ -1958,6 +2583,26 @@ var ServicesModule = class {
         );
         return response.data;
       },
+      /**
+       * Initiate an IdP-initiated SAML login.
+       * Returns an HTML page with an auto-submitting form that POSTs the SAML assertion to the Service Provider.
+       *
+       * @param orgSlug Organization slug
+       * @param serviceSlug Service slug
+       * @returns HTML page with auto-submitting form
+       *
+       * @example
+       * ```typescript
+       * const html = await sso.services.saml.initiateLogin('acme-corp', 'salesforce');
+       * document.body.innerHTML = html; // Auto-submits
+       * ```
+       */
+      initiateLogin: async (orgSlug, serviceSlug) => {
+        const response = await this.http.get(
+          `/api/organizations/${orgSlug}/services/${serviceSlug}/saml/login`
+        );
+        return response.data;
+      },
       /**
        * Generate a new SAML signing certificate for the IdP.
        * Requires 'owner' or 'admin' role.
@@ -2054,6 +2699,41 @@ var ServicesModule = class {
         return `${baseURL}/saml/${orgSlug}/${serviceSlug}/sso`;
       }
     };
+    /**
+     * Stripe billing and checkout methods
+     */
+    this.billing = {
+      /**
+       * Create a Stripe checkout session for the authenticated user to subscribe to a plan.
+       * Requires organization membership.
+       *
+       * IMPORTANT: The plan must have a `stripe_price_id` configured to be available for purchase.
+       *
+       * @param orgSlug Organization slug
+       * @param serviceSlug Service slug
+       * @param payload Checkout payload containing plan_id and redirect URLs
+       * @returns Checkout session with URL to redirect user to
+       *
+       * @example
+       * ```typescript
+       * const checkout = await sso.services.billing.createCheckout('acme-corp', 'main-app', {
+       *   plan_id: 'plan_pro',
+       *   success_url: 'https://app.acme.com/billing/success?session_id={CHECKOUT_SESSION_ID}',
+       *   cancel_url: 'https://app.acme.com/billing/cancel'
+       * });
+       *
+       * // Redirect user to Stripe checkout
+       * window.location.href = checkout.checkout_url;
+       * ```
+       */
+      createCheckout: async (orgSlug, serviceSlug, payload) => {
+        const response = await this.http.post(
+          `/api/organizations/${orgSlug}/services/${serviceSlug}/checkout`,
+          payload
+        );
+        return response.data;
+      }
+    };
   }
   /**
    * Create a new service for an organization.
@@ -2176,7 +2856,7 @@ var InvitationsModule = class {
    * @example
    * ```typescript
    * const invitation = await sso.invitations.create('acme-corp', {
-   *   invitee_email: 'newuser@example.com',
+   *   email: 'newuser@example.com',
    *   role: 'member'
    * });
    * ```
@@ -2670,6 +3350,41 @@ var PlatformModule = class {
     const response = await this.http.get("/api/platform/audit-log", { params });
     return response.data;
   }
+  /**
+   * Impersonate a user (Platform Owner or Org Admin only).
+   * Returns a short-lived JWT (15 minutes) that allows acting as the target user.
+   *
+   * Security:
+   * - Platform Owners can impersonate any user
+   * - Organization Admins can only impersonate users within their organization
+   * - All impersonation actions are logged to the platform audit log with HIGH severity
+   * - Tokens contain RFC 8693 actor claim for full audit trail
+   *
+   * @param payload Impersonation details (user_id and reason)
+   * @returns Impersonation token and user context
+   *
+   * @example
+   * ```typescript
+   * const result = await sso.platform.impersonateUser({
+   *   user_id: 'user-uuid-123',
+   *   reason: 'Investigating support ticket #456'
+   * });
+   *
+   * // Use the returned token to create a new client acting as the user
+   * const userClient = new SsoClient({
+   *   baseURL: 'https://sso.example.com',
+   *   token: result.token
+   * });
+   *
+   * // Now all requests with userClient are made as the target user
+   * const profile = await userClient.user.getProfile();
+   * console.log('Acting as:', result.target_user.email);
+   * ```
+   */
+  async impersonateUser(payload) {
+    const response = await this.http.post("/api/platform/impersonate", payload);
+    return response.data;
+  }
 };
 
 // src/modules/serviceApi.ts
@@ -2678,14 +3393,86 @@ var ServiceApiModule = class {
     this.http = http;
   }
   /**
-   * Create a new user
-   * Requires 'write:users' permission on the API key
+   * List all users for the service
+   * Requires 'read:users' permission on the API key
    *
-   * @param request User creation request
-   * @returns Created user
+   * @param params Optional pagination parameters
+   * @returns List of users with total count
    */
-  async createUser(request) {
-    const response = await this.http.post("/api/service/users", request);
+  async listUsers(params) {
+    const queryParams = new URLSearchParams();
+    if (params?.limit) queryParams.set("limit", params.limit.toString());
+    if (params?.offset) queryParams.set("offset", params.offset.toString());
+    const query = queryParams.toString() ? `?${queryParams.toString()}` : "";
+    const response = await this.http.get(`/api/service/users${query}`);
+    return response.data;
+  }
+  /**
+   * Get a specific user by ID
+   * Requires 'read:users' permission on the API key
+   *
+   * @param userId User ID to retrieve
+   * @returns User details
+   */
+  async getUser(userId) {
+    const response = await this.http.get(`/api/service/users/${userId}`);
+    return response.data;
+  }
+  /**
+   * List all subscriptions for the service
+   * Requires 'read:subscriptions' permission on the API key
+   *
+   * @param params Optional pagination parameters
+   * @returns List of subscriptions with total count
+   */
+  async listSubscriptions(params) {
+    const queryParams = new URLSearchParams();
+    if (params?.limit) queryParams.set("limit", params.limit.toString());
+    if (params?.offset) queryParams.set("offset", params.offset.toString());
+    const query = queryParams.toString() ? `?${queryParams.toString()}` : "";
+    const response = await this.http.get(`/api/service/subscriptions${query}`);
+    return response.data;
+  }
+  /**
+   * Get subscription for a specific user
+   * Requires 'read:subscriptions' permission on the API key
+   *
+   * @param userId User ID whose subscription to retrieve
+   * @returns User's subscription
+   */
+  async getSubscription(userId) {
+    const response = await this.http.get(`/api/service/subscriptions/${userId}`);
+    return response.data;
+  }
+  /**
+   * Get analytics for the service
+   * Requires 'read:analytics' permission on the API key
+   *
+   * @returns Service analytics data
+   */
+  async getAnalytics() {
+    const response = await this.http.get("/api/service/analytics");
+    return response.data;
+  }
+  /**
+   * Get service information
+   * Requires 'read:service' permission on the API key
+   *
+   * @returns Service information
+   */
+  async getServiceInfo() {
+    const response = await this.http.get("/api/service/info");
+    return response.data;
+  }
+  /**
+   * Create a new user
+   * Requires 'write:users' permission on the API key
+   *
+   * @param request User creation request
+   * @returns Created user
+   */
+  async createUser(request) {
+    const response = await this.http.post("/api/service/users", request);
     return response.data;
   }
   /**
@@ -2754,24 +3541,676 @@ var ServiceApiModule = class {
   }
 };
 
+// src/modules/permissions.ts
+var PermissionsModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /**
+   * Check if user has a specific permission.
+   * Fetches from user profile API (which uses cached permissions).
+   *
+   * @param permission Permission in format "namespace:object_id#relation"
+   * @returns true if the permission is present
+   *
+   * @example
+   * ```typescript
+   * const hasAccess = await sso.permissions.hasPermission('organization:acme#owner');
+   * ```
+   */
+  async hasPermission(permission) {
+    const response = await this.http.get("/api/user");
+    return response.data.permissions.includes(permission);
+  }
+  /**
+   * Get all user permissions.
+   * Fetches from user profile API (which uses cached permissions).
+   *
+   * @returns Array of permission strings
+   *
+   * @example
+   * ```typescript
+   * const permissions = await sso.permissions.listPermissions();
+   * // ["organization:acme#owner", "service:api#admin"]
+   * ```
+   */
+  async listPermissions() {
+    const response = await this.http.get("/api/user");
+    return response.data.permissions;
+  }
+  /**
+   * Check if user has access to a feature.
+   *
+   * @param feature Feature name to check
+   * @returns true if the feature is available
+   *
+   * @example
+   * ```typescript
+   * const canExport = await sso.permissions.hasFeature('advanced-export');
+   * ```
+   */
+  async hasFeature(feature) {
+    const response = await this.http.get("/api/user");
+    return response.data.features?.includes(feature) ?? false;
+  }
+  /**
+   * Get current plan name.
+   *
+   * @returns Current plan name or null if not in org/service context
+   *
+   * @example
+   * ```typescript
+   * const plan = await sso.permissions.getPlan();
+   * console.log(plan); // "pro", "enterprise", etc.
+   * ```
+   */
+  async getPlan() {
+    const response = await this.http.get("/api/user");
+    return response.data.plan;
+  }
+  /**
+   * Check if user has a specific permission on a resource.
+   *
+   * @param namespace The permission namespace (e.g., "organization", "service")
+   * @param objectId The object ID (e.g., organization slug, service slug)
+   * @param relation The relation type (e.g., "owner", "admin", "member")
+   * @returns true if the user has the permission
+   *
+   * @example
+   * ```typescript
+   * const isOwner = await sso.permissions.can('organization', 'acme-corp', 'owner');
+   * ```
+   */
+  async can(namespace, objectId, relation) {
+    return this.hasPermission(`${namespace}:${objectId}#${relation}`);
+  }
+  /**
+   * Check if user is a member of an organization.
+   *
+   * @param orgId The organization ID or slug
+   * @returns true if the user is a member
+   *
+   * @example
+   * ```typescript
+   * if (await sso.permissions.isOrgMember('acme-corp')) {
+   *   // User is a member
+   * }
+   * ```
+   */
+  async isOrgMember(orgId) {
+    return this.hasPermission(`organization:${orgId}#member`);
+  }
+  /**
+   * Check if user is an admin of an organization.
+   *
+   * @param orgId The organization ID or slug
+   * @returns true if the user is an admin
+   *
+   * @example
+   * ```typescript
+   * if (await sso.permissions.isOrgAdmin('acme-corp')) {
+   *   // User is an admin
+   * }
+   * ```
+   */
+  async isOrgAdmin(orgId) {
+    return this.hasPermission(`organization:${orgId}#admin`);
+  }
+  /**
+   * Check if user is an owner of an organization.
+   *
+   * @param orgId The organization ID or slug
+   * @returns true if the user is an owner
+   *
+   * @example
+   * ```typescript
+   * if (await sso.permissions.isOrgOwner('acme-corp')) {
+   *   // User is an owner
+   * }
+   * ```
+   */
+  async isOrgOwner(orgId) {
+    return this.hasPermission(`organization:${orgId}#owner`);
+  }
+  /**
+   * Check if user has access to a service.
+   *
+   * @param serviceId The service ID or slug
+   * @returns true if the user has access
+   *
+   * @example
+   * ```typescript
+   * if (await sso.permissions.hasServiceAccess('api-service')) {
+   *   // User has access to the service
+   * }
+   * ```
+   */
+  async hasServiceAccess(serviceId) {
+    return this.hasPermission(`service:${serviceId}#member`);
+  }
+  /**
+   * Filter permissions by namespace.
+   *
+   * @param namespace The namespace to filter by (e.g., "organization", "service")
+   * @returns Array of permissions matching the namespace
+   *
+   * @example
+   * ```typescript
+   * const orgPermissions = await sso.permissions.getPermissionsByNamespace('organization');
+   * ```
+   */
+  async getPermissionsByNamespace(namespace) {
+    const allPermissions = await this.listPermissions();
+    return allPermissions.filter((p) => p.startsWith(`${namespace}:`));
+  }
+  // ============================================================================
+  // DEPRECATED METHODS - Token-based permission checking (legacy)
+  // ============================================================================
+  /**
+   * @deprecated Use `hasPermission()` instead (without token parameter)
+   * Decode a JWT token to extract claims (including permissions)
+   * Note: This does NOT verify the signature - it only decodes the payload
+   *
+   * @param token The JWT access token
+   * @returns The decoded JWT claims
+   * @throws Error if the token is malformed
+   */
+  decodeToken(token) {
+    try {
+      const parts = token.split(".");
+      if (parts.length !== 3) {
+        throw new Error("Invalid JWT format");
+      }
+      const payload = parts[1];
+      const decoded = atob(payload.replace(/-/g, "+").replace(/_/g, "/"));
+      return JSON.parse(decoded);
+    } catch (error) {
+      throw new Error(`Failed to decode JWT: ${error instanceof Error ? error.message : "Unknown error"}`);
+    }
+  }
+  /**
+   * @deprecated JWT tokens no longer contain permissions. Use `hasPermission(permission)` instead.
+   * Check if a JWT token contains a specific permission
+   *
+   * @param token The JWT access token (ignored)
+   * @param permission Permission in format "namespace:object_id#relation"
+   * @returns true if the permission is present in the token
+   */
+  hasPermissionFromToken(token, permission) {
+    const claims = this.decodeToken(token);
+    return claims.permissions?.includes(permission) ?? false;
+  }
+  /**
+   * @deprecated JWT tokens no longer contain permissions. Use `can(namespace, objectId, relation)` instead.
+   * Check if a user has a specific permission on a resource
+   *
+   * @param token The JWT access token (ignored)
+   * @param namespace The permission namespace (e.g., "organization", "service")
+   * @param objectId The object ID (e.g., organization slug, service slug)
+   * @param relation The relation type (e.g., "owner", "admin", "member")
+   * @returns true if the user has the permission
+   */
+  canFromToken(token, namespace, objectId, relation) {
+    return this.hasPermissionFromToken(token, `${namespace}:${objectId}#${relation}`);
+  }
+  /**
+   * @deprecated JWT tokens no longer contain permissions. Use `isOrgMember(orgId)` instead.
+   * Check if user is a member of an organization
+   *
+   * @param token The JWT access token (ignored)
+   * @param orgId The organization ID or slug
+   * @returns true if the user is a member
+   */
+  isOrgMemberFromToken(token, orgId) {
+    return this.hasPermissionFromToken(token, `organization:${orgId}#member`);
+  }
+  /**
+   * @deprecated JWT tokens no longer contain permissions. Use `isOrgAdmin(orgId)` instead.
+   * Check if user is an admin of an organization
+   *
+   * @param token The JWT access token (ignored)
+   * @param orgId The organization ID or slug
+   * @returns true if the user is an admin
+   */
+  isOrgAdminFromToken(token, orgId) {
+    return this.hasPermissionFromToken(token, `organization:${orgId}#admin`);
+  }
+  /**
+   * @deprecated JWT tokens no longer contain permissions. Use `isOrgOwner(orgId)` instead.
+   * Check if user is an owner of an organization
+   *
+   * @param token The JWT access token (ignored)
+   * @param orgId The organization ID or slug
+   * @returns true if the user is an owner
+   */
+  isOrgOwnerFromToken(token, orgId) {
+    return this.hasPermissionFromToken(token, `organization:${orgId}#owner`);
+  }
+  /**
+   * @deprecated JWT tokens no longer contain permissions. Use `hasServiceAccess(serviceId)` instead.
+   * Check if user has access to a service
+   *
+   * @param token The JWT access token (ignored)
+   * @param serviceId The service ID or slug
+   * @returns true if the user has access
+   */
+  hasServiceAccessFromToken(token, serviceId) {
+    return this.hasPermissionFromToken(token, `service:${serviceId}#member`);
+  }
+  /**
+   * @deprecated JWT tokens no longer contain permissions. Use `listPermissions()` instead.
+   * Get all permissions from a JWT token
+   *
+   * @param token The JWT access token
+   * @returns Array of permission strings, or empty array if none
+   */
+  getAllPermissionsFromToken(token) {
+    const claims = this.decodeToken(token);
+    return claims.permissions ?? [];
+  }
+  /**
+   * Parse a permission string into its components
+   *
+   * @param permission Permission string in format "namespace:object_id#relation"
+   * @returns Parsed permission components or null if invalid format
+   *
+   * @example
+   * ```typescript
+   * const parsed = sso.permissions.parsePermission('organization:acme#owner');
+   * // { namespace: 'organization', objectId: 'acme', relation: 'owner' }
+   * ```
+   */
+  parsePermission(permission) {
+    const match = permission.match(/^([^:]+):([^#]+)#(.+)$/);
+    if (!match) {
+      return null;
+    }
+    return {
+      namespace: match[1],
+      objectId: match[2],
+      relation: match[3]
+    };
+  }
+  /**
+   * @deprecated JWT tokens no longer contain permissions. Use `getPermissionsByNamespace(namespace)` instead.
+   * Filter permissions by namespace
+   *
+   * @param token The JWT access token (ignored)
+   * @param namespace The namespace to filter by (e.g., "organization", "service")
+   * @returns Array of permissions matching the namespace
+   */
+  getPermissionsByNamespaceFromToken(token, namespace) {
+    const allPermissions = this.getAllPermissionsFromToken(token);
+    return allPermissions.filter((p) => p.startsWith(`${namespace}:`));
+  }
+};
+
+// src/modules/passkeys.ts
+var PasskeysModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /**
+   * Check if WebAuthn is supported in the current browser
+   */
+  isSupported() {
+    return typeof window !== "undefined" && window.PublicKeyCredential !== void 0 && typeof window.PublicKeyCredential === "function";
+  }
+  /**
+   * Check if platform authenticator (like Touch ID, Face ID, Windows Hello) is available
+   */
+  async isPlatformAuthenticatorAvailable() {
+    if (!this.isSupported()) {
+      return false;
+    }
+    return PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable();
+  }
+  /**
+   * Register a new passkey for the authenticated user
+   *
+   * This method requires an authenticated session (JWT token must be set).
+   * It starts the WebAuthn registration ceremony, prompts the user to create
+   * a passkey using their device's authenticator (e.g., Touch ID, Face ID,
+   * Windows Hello, or hardware security key), and stores the credential.
+   *
+   * @param displayName Optional display name for the passkey
+   * @returns Promise resolving to the registered passkey ID
+   * @throws {Error} If WebAuthn is not supported or registration fails
+   *
+   * @example
+   * ```typescript
+   * try {
+   *   const passkeyId = await sso.passkeys.register('My MacBook Pro');
+   *   console.log('Passkey registered:', passkeyId);
+   * } catch (error) {
+   *   console.error('Passkey registration failed:', error);
+   * }
+   * ```
+   */
+  /**
+   * Start the passkey registration ceremony.
+   * returns the options required to create credentials in the browser.
+   */
+  async registerStart(displayName) {
+    const response = await this.http.post(
+      "/api/auth/passkeys/register/start",
+      { name: displayName }
+    );
+    return response.data;
+  }
+  /**
+   * Finish the passkey registration ceremony.
+   * Verifies the credential created by the browser.
+   */
+  async registerFinish(challengeId, credential) {
+    const response = await this.http.post(
+      "/api/auth/passkeys/register/finish",
+      {
+        challenge_id: challengeId,
+        credential
+      }
+    );
+    return response.data;
+  }
+  /**
+   * Register a new passkey for the authenticated user
+   * ...
+   */
+  async register(displayName) {
+    if (!this.isSupported()) {
+      throw new Error("WebAuthn is not supported in this browser");
+    }
+    const startData = await this.registerStart(displayName);
+    const createOptions = {
+      publicKey: {
+        ...startData.options,
+        challenge: this.base64UrlToUint8Array(startData.options.challenge),
+        user: {
+          ...startData.options.user,
+          id: this.base64UrlToUint8Array(startData.options.user.id)
+        },
+        excludeCredentials: startData.options.excludeCredentials?.map((cred) => ({
+          ...cred,
+          id: this.base64UrlToUint8Array(cred.id)
+        }))
+      }
+    };
+    const credential = await navigator.credentials.create(createOptions);
+    if (!credential || !(credential instanceof PublicKeyCredential)) {
+      throw new Error("Failed to create passkey");
+    }
+    if (!(credential.response instanceof AuthenticatorAttestationResponse)) {
+      throw new Error("Invalid credential response type");
+    }
+    const credentialJSON = {
+      id: credential.id,
+      rawId: this.uint8ArrayToBase64Url(new Uint8Array(credential.rawId)),
+      response: {
+        clientDataJSON: this.uint8ArrayToBase64Url(new Uint8Array(credential.response.clientDataJSON)),
+        attestationObject: this.uint8ArrayToBase64Url(new Uint8Array(credential.response.attestationObject)),
+        transports: credential.response.getTransports?.()
+      },
+      authenticatorAttachment: credential.authenticatorAttachment,
+      clientExtensionResults: credential.getClientExtensionResults(),
+      type: credential.type
+    };
+    const finishResponse = await this.registerFinish(startData.challenge_id, credentialJSON);
+    return finishResponse.passkey_id;
+  }
+  /**
+   * Authenticate with a passkey and obtain a JWT token
+   *
+   * This method prompts the user to authenticate using their passkey.
+   * Upon successful authentication, a JWT token is returned which can
+   * be used to make authenticated API requests.
+   *
+   * @param email User's email address
+   * @returns Promise resolving to authentication response with JWT token
+   * @throws {Error} If WebAuthn is not supported or authentication fails
+   *
+   * @example
+   * ```typescript
+   * try {
+   *   const { token, user_id } = await sso.passkeys.login('user@example.com');
+   *   sso.setToken(token);
+   *   console.log('Logged in as:', user_id);
+   * } catch (error) {
+   *   console.error('Passkey login failed:', error);
+   * }
+   * ```
+   */
+  /**
+   * Start the passkey authentication ceremony.
+   * Returns the options required to get credentials from the browser.
+   */
+  async authenticateStart(email) {
+    const response = await this.http.post(
+      "/api/auth/passkeys/authenticate/start",
+      { email }
+    );
+    return response.data;
+  }
+  /**
+   * Finish the passkey authentication ceremony.
+   * Verifies the assertion returned by the browser.
+   */
+  async authenticateFinish(challengeId, credential) {
+    const response = await this.http.post(
+      "/api/auth/passkeys/authenticate/finish",
+      {
+        challenge_id: challengeId,
+        credential
+      }
+    );
+    return response.data;
+  }
+  /**
+   * Authenticate with a passkey and obtain a JWT token
+   * ...
+   */
+  async login(email) {
+    if (!this.isSupported()) {
+      throw new Error("WebAuthn is not supported in this browser");
+    }
+    const startData = await this.authenticateStart(email);
+    const getOptions = {
+      publicKey: {
+        ...startData.options,
+        challenge: this.base64UrlToUint8Array(startData.options.challenge),
+        allowCredentials: startData.options.allowCredentials?.map((cred) => ({
+          ...cred,
+          id: this.base64UrlToUint8Array(cred.id)
+        }))
+      }
+    };
+    const credential = await navigator.credentials.get(getOptions);
+    if (!credential || !(credential instanceof PublicKeyCredential)) {
+      throw new Error("Failed to get passkey");
+    }
+    if (!(credential.response instanceof AuthenticatorAssertionResponse)) {
+      throw new Error("Invalid credential response type");
+    }
+    const credentialJSON = {
+      id: credential.id,
+      rawId: this.uint8ArrayToBase64Url(new Uint8Array(credential.rawId)),
+      response: {
+        clientDataJSON: this.uint8ArrayToBase64Url(new Uint8Array(credential.response.clientDataJSON)),
+        authenticatorData: this.uint8ArrayToBase64Url(new Uint8Array(credential.response.authenticatorData)),
+        signature: this.uint8ArrayToBase64Url(new Uint8Array(credential.response.signature)),
+        userHandle: credential.response.userHandle ? this.uint8ArrayToBase64Url(new Uint8Array(credential.response.userHandle)) : void 0
+      },
+      authenticatorAttachment: credential.authenticatorAttachment,
+      clientExtensionResults: credential.getClientExtensionResults(),
+      type: credential.type
+    };
+    return this.authenticateFinish(startData.challenge_id, credentialJSON);
+  }
+  /**
+   * Convert Base64URL string to Uint8Array
+   */
+  base64UrlToUint8Array(base64url) {
+    const padding = "=".repeat((4 - base64url.length % 4) % 4);
+    const base64 = base64url.replace(/-/g, "+").replace(/_/g, "/") + padding;
+    const rawData = atob(base64);
+    const outputArray = new Uint8Array(rawData.length);
+    for (let i = 0; i < rawData.length; ++i) {
+      outputArray[i] = rawData.charCodeAt(i);
+    }
+    return outputArray;
+  }
+  /**
+   * Convert Uint8Array to Base64URL string
+   */
+  uint8ArrayToBase64Url(array) {
+    let binary = "";
+    for (let i = 0; i < array.byteLength; i++) {
+      binary += String.fromCharCode(array[i]);
+    }
+    const base64 = btoa(binary);
+    return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+  }
+};
+
+// src/modules/magic.ts
+var MagicLinks = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /**
+   * Request a magic link to be sent to the user's email
+   *
+   * @param data Magic link request data
+   * @returns Promise resolving to magic link response
+   */
+  async request(data) {
+    const response = await this.http.post("/api/auth/magic-link/request", data);
+    return response.data;
+  }
+  /**
+   * Verify a magic link token and complete authentication
+   * Note: This is typically handled by redirecting to the magic link URL
+   * The backend will handle verification and either redirect or return tokens
+   *
+   * @param token The magic link token to verify
+   * @param redirectUri Optional where to redirect after success
+   * @returns URL to redirect to for verification
+   */
+  getVerificationUrl(token, redirectUri) {
+    const params = new URLSearchParams({ token });
+    if (redirectUri) {
+      params.append("redirect_uri", redirectUri);
+    }
+    return `/api/auth/magic-link/verify?${params.toString()}`;
+  }
+  /**
+   * Verify a magic link token via API call
+   * This is an alternative to redirect-based verification
+   *
+   * @param token The magic link token
+   * @param redirectUri Optional redirect URI
+   * @returns Promise resolving to authentication response
+   */
+  async verify(token, redirectUri) {
+    const params = new URLSearchParams({ token });
+    if (redirectUri) {
+      params.append("redirect_uri", redirectUri);
+    }
+    return this.http.get(`/api/auth/magic-link/verify?${params.toString()}`);
+  }
+  /**
+   * Construct the complete magic link URL that would be sent via email
+   *
+   * @param token The magic link token
+   * @param redirectUri Optional redirect URI
+   * @returns Complete magic link URL
+   */
+  constructMagicLink(token, redirectUri) {
+    return this.getVerificationUrl(token, redirectUri);
+  }
+};
+
+// src/modules/privacy.ts
+var PrivacyModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /**
+   * Export all user data (GDPR Right to Access).
+   * Users can export their own data, or organization owners can export their members' data.
+   *
+   * @param userId User ID to export data for
+   * @returns Complete user data export including memberships, login events, identities, MFA events, and passkeys
+   *
+   * @example
+   * ```typescript
+   * const userData = await sso.privacy.exportData('user-id');
+   * console.log(`Exported ${userData.login_events_count} login events`);
+   * console.log(`User has ${userData.memberships.length} organization memberships`);
+   * ```
+   */
+  async exportData(userId) {
+    const response = await this.http.get(`/api/privacy/export/${userId}`);
+    return response.data;
+  }
+  /**
+   * Anonymize user data (GDPR Right to be Forgotten).
+   * Requires organization owner permission for all organizations the user is a member of.
+   * Platform owners cannot be anonymized.
+   *
+   * This operation:
+   * - Soft-deletes the user account
+   * - Hard-deletes PII from identities and passkeys tables
+   * - Preserves audit logs for compliance
+   *
+   * @param userId User ID to anonymize
+   * @returns Anonymization confirmation response
+   *
+   * @example
+   * ```typescript
+   * const result = await sso.privacy.forgetUser('user-id');
+   * console.log(result.message);
+   * // "User data has been anonymized. PII has been removed while preserving audit logs."
+   * ```
+   */
+  async forgetUser(userId) {
+    const response = await this.http.delete(`/api/privacy/forget/${userId}`);
+    return response.data;
+  }
+};
+
 // src/client.ts
 var SsoClient = class {
   constructor(options) {
     this.http = createHttpAgent(options.baseURL);
-    if (options.token) {
-      this.setAuthToken(options.token);
-    }
-    if (options.apiKey) {
-      this.setApiKey(options.apiKey);
-    }
+    this.session = new SessionManager(
+      resolveStorage(options.storage),
+      async (refreshToken) => {
+        const res = await this.http.post("/api/auth/refresh", { refresh_token: refreshToken });
+        return res.data;
+      },
+      { storageKeyPrefix: options.storagePrefix || "sso_" }
+    );
+    this.http.setSessionManager(this.session);
     this.analytics = new AnalyticsModule(this.http);
-    this.auth = new AuthModule(this.http);
+    this.auth = new AuthModule(this.http, this.session);
     this.user = new UserModule(this.http);
     this.organizations = new OrganizationsModule(this.http);
     this.services = new ServicesModule(this.http);
     this.invitations = new InvitationsModule(this.http);
     this.platform = new PlatformModule(this.http);
     this.serviceApi = new ServiceApiModule(this.http);
+    this.permissions = new PermissionsModule(this.http);
+    this.passkeys = new PasskeysModule(this.http);
+    this.magicLinks = new MagicLinks(this.http);
+    this.privacy = new PrivacyModule(this.http);
+    if (options.apiKey) {
+      this.setApiKey(options.apiKey);
+    }
+    if (options.token) {
+      this.session.setSession({ access_token: options.token });
+    } else {
+      this.session.loadSession().catch(console.error);
+    }
   }
   /**
    * Sets the JWT for all subsequent authenticated requests.
@@ -2823,12 +4262,95 @@ var SsoClient = class {
   getBaseURL() {
     return this.http.defaults.baseURL || "";
   }
+  /**
+   * Check if the user is currently authenticated
+   */
+  isAuthenticated() {
+    return this.session.isAuthenticated();
+  }
+  /**
+   * Subscribe to authentication state changes.
+   * Useful for updating UI when login/logout/expiration occurs.
+   *
+   * @param listener Callback function that receives the authentication state
+   * @returns Unsubscribe function
+   *
+   * @example
+   * ```typescript
+   * const unsubscribe = sso.onAuthStateChange((isAuth) => {
+   *   console.log(isAuth ? 'User is logged in' : 'User is logged out');
+   * });
+   *
+   * // Later, to stop listening
+   * unsubscribe();
+   * ```
+   */
+  onAuthStateChange(listener) {
+    return this.session.subscribe(listener);
+  }
+  /**
+   * Manually retrieve the current access token
+   *
+   * @returns The current access token, or null if not authenticated
+   */
+  async getToken() {
+    return this.session.getToken();
+  }
 };
+
+// src/types/risk.ts
+var RiskAction = /* @__PURE__ */ ((RiskAction2) => {
+  RiskAction2["ALLOW"] = "allow";
+  RiskAction2["LOG_ONLY"] = "log_only";
+  RiskAction2["CHALLENGE_MFA"] = "challenge_mfa";
+  RiskAction2["BLOCK"] = "block";
+  return RiskAction2;
+})(RiskAction || {});
+var RiskFactorType = /* @__PURE__ */ ((RiskFactorType2) => {
+  RiskFactorType2["NEW_IP"] = "new_ip";
+  RiskFactorType2["HIGH_RISK_LOCATION"] = "high_risk_location";
+  RiskFactorType2["IMPOSSIBLE_TRAVEL"] = "impossible_travel";
+  RiskFactorType2["NEW_DEVICE"] = "new_device";
+  RiskFactorType2["FAILED_ATTEMPTS"] = "failed_attempts";
+  RiskFactorType2["UNUSUAL_TIME"] = "unusual_time";
+  RiskFactorType2["SUSPICIOUS_USER_AGENT"] = "suspicious_user_agent";
+  RiskFactorType2["ANONYMOUS_NETWORK"] = "anonymous_network";
+  RiskFactorType2["NEW_ACCOUNT"] = "new_account";
+  RiskFactorType2["SUSPICIOUS_HISTORY"] = "suspicious_history";
+  RiskFactorType2["HIGH_VELOCITY"] = "high_velocity";
+  RiskFactorType2["CUSTOM_RULE"] = "custom_rule";
+  return RiskFactorType2;
+})(RiskFactorType || {});
+var AuthMethod = /* @__PURE__ */ ((AuthMethod2) => {
+  AuthMethod2["PASSWORD"] = "password";
+  AuthMethod2["OAUTH"] = "oauth";
+  AuthMethod2["PASSKEY"] = "passkey";
+  AuthMethod2["MAGIC_LINK"] = "magic_link";
+  AuthMethod2["MFA"] = "mfa";
+  AuthMethod2["SAML"] = "saml";
+  return AuthMethod2;
+})(AuthMethod || {});
+var RiskEventOutcome = /* @__PURE__ */ ((RiskEventOutcome2) => {
+  RiskEventOutcome2["ALLOWED"] = "allowed";
+  RiskEventOutcome2["BLOCKED"] = "blocked";
+  RiskEventOutcome2["CHALLENGED"] = "challenged";
+  RiskEventOutcome2["LOGGED"] = "logged";
+  return RiskEventOutcome2;
+})(RiskEventOutcome || {});
 export {
+  AuthMethod,
   AuthModule,
+  BrowserStorage,
   InvitationsModule,
+  MagicLinks,
+  MemoryStorage,
   OrganizationsModule,
+  PasskeysModule,
+  PermissionsModule,
   PlatformModule,
+  RiskAction,
+  RiskEventOutcome,
+  RiskFactorType,
   ServiceApiModule,
   ServicesModule,
   SsoApiError,