@drmhse/sso-sdk 0.3.2 → 0.3.4

package/README.md

@@ -210,6 +210,45 @@ await sso.organizations.setSmtp('acme-corp', {
 });
 ```
 
+## Subscription & Billing
+
+The SDK provides provider-agnostic billing integration that works with both Stripe and Polar.
+
+```typescript
+// Check billing status
+const billingInfo = await sso.organizations.billing.getInfo('acme-corp');
+console.log(billingInfo.has_billing_account); // true/false
+console.log(billingInfo.provider); // "stripe" or "polar"
+
+// Open billing portal for subscription management
+const portal = await sso.organizations.billing.createPortalSession('acme-corp', {
+  return_url: 'https://app.acme.com/settings/billing'
+});
+// Redirect user to manage their subscription
+window.location.href = portal.url;
+```
+
+### BYOP - Bring Your Own Payment
+
+Organizations can configure their own billing provider credentials to charge their end-users:
+
+```typescript
+// Configure organization's own Stripe credentials
+await sso.organizations.billingCredentials.set('acme-corp', 'stripe', {
+  api_key: 'sk_live_...',
+  webhook_secret: 'whsec_...',
+  mode: 'live' // or 'test'
+});
+
+// Check credential status
+const status = await sso.organizations.billingCredentials.get('acme-corp', 'stripe');
+console.log(status.configured); // true
+console.log(status.mode); // "live"
+
+// Remove credentials
+await sso.organizations.billingCredentials.delete('acme-corp', 'stripe');
+```
+
 ## Services & API Keys
 
 ```typescript

package/dist/index.d.mts

@@ -2027,6 +2027,14 @@ interface SessionConfig {
     storageKeyPrefix?: string;
     autoRefresh?: boolean;
 }
+/**
+ * Snapshot of the current authentication state.
+ * Useful for hydration in SSR frameworks.
+ */
+interface AuthSnapshot {
+    isAuthenticated: boolean;
+    token: string | null;
+}
 declare class SessionManager {
     private storage;
     private refreshHandler;
@@ -2061,7 +2069,13 @@ declare class SessionManager {
     refreshSession(): Promise<string>;
     isAuthenticated(): boolean;
     /**
-     * Subscribe to auth state changes (useful for UI updates)
+     * Get a synchronous snapshot of the current auth state.
+     * Useful for SSR hydration and initial state.
+     */
+    getSnapshot(): AuthSnapshot;
+    /**
+     * Subscribe to auth state changes (useful for UI updates).
+     * The listener is immediately called with the current state upon subscription.
      */
     subscribe(listener: (isAuthenticated: boolean) => void): () => void;
     private notifyListeners;
@@ -3688,6 +3702,124 @@ declare class OrganizationsModule {
          */
         test: (orgSlug: string, configId: string) => Promise<TestConnectionResponse>;
     };
+    /**
+     * Billing and subscription management methods
+     */
+    billing: {
+        /**
+         * Get billing information for an organization.
+         * Returns whether a billing account exists and which provider is being used.
+         * Requires 'owner' or 'admin' role.
+         *
+         * @param orgSlug Organization slug
+         * @returns Billing information
+         *
+         * @example
+         * ```typescript
+         * const info = await sso.organizations.billing.getInfo('acme-corp');
+         * if (info.has_billing_account) {
+         *   console.log('Billing provider:', info.provider);
+         * }
+         * ```
+         */
+        getInfo: (orgSlug: string) => Promise<{
+            has_billing_account: boolean;
+            provider: string | null;
+        }>;
+        /**
+         * Create a billing portal session.
+         * Redirects the user to the billing provider's self-service portal to manage their subscription,
+         * update payment methods, view invoices, etc.
+         * Requires 'owner' role.
+         *
+         * @param orgSlug Organization slug
+         * @param returnUrl URL to redirect the user to after they leave the portal
+         * @returns Object containing the portal session URL
+         *
+         * @example
+         * ```typescript
+         * const session = await sso.organizations.billing.createPortalSession('acme-corp', {
+         *   return_url: 'https://app.acme.com/billing'
+         * });
+         * // Redirect user to billing portal
+         * window.location.href = session.url;
+         * ```
+         */
+        createPortalSession: (orgSlug: string, payload: {
+            return_url: string;
+        }) => Promise<{
+            url: string;
+        }>;
+    };
+    /**
+     * BYOP (Bring Your Own Payment) credential management.
+     * Allows organizations to configure their own billing provider credentials
+     * to charge their end-users directly.
+     */
+    billingCredentials: {
+        /**
+         * Get the status of billing credentials for a provider.
+         * Returns whether credentials are configured and the mode (test/live).
+         * Requires 'owner' role.
+         *
+         * @param orgSlug Organization slug
+         * @param provider Billing provider ('stripe' or 'polar')
+         * @returns Credential configuration status
+         *
+         * @example
+         * ```typescript
+         * const status = await sso.organizations.billingCredentials.get('acme-corp', 'stripe');
+         * if (status.configured) {
+         *   console.log('Mode:', status.mode); // 'test' or 'live'
+         *   console.log('Enabled:', status.enabled);
+         * }
+         * ```
+         */
+        get: (orgSlug: string, provider: "stripe" | "polar") => Promise<{
+            configured: boolean;
+            provider: string;
+            mode: "test" | "live" | null;
+            enabled: boolean;
+        }>;
+        /**
+         * Set or update billing credentials for a provider.
+         * Enables the organization to charge their end-users using their own
+         * payment provider account.
+         * Requires 'owner' role.
+         *
+         * @param orgSlug Organization slug
+         * @param provider Billing provider ('stripe' or 'polar')
+         * @param payload Billing credentials
+         *
+         * @example
+         * ```typescript
+         * await sso.organizations.billingCredentials.set('acme-corp', 'stripe', {
+         *   api_key: 'sk_live_...',
+         *   webhook_secret: 'whsec_...',
+         *   mode: 'live'
+         * });
+         * ```
+         */
+        set: (orgSlug: string, provider: "stripe" | "polar", payload: {
+            api_key: string;
+            webhook_secret: string;
+            mode: "test" | "live";
+        }) => Promise<void>;
+        /**
+         * Delete billing credentials for a provider.
+         * The organization will no longer be able to charge end-users directly.
+         * Requires 'owner' role.
+         *
+         * @param orgSlug Organization slug
+         * @param provider Billing provider ('stripe' or 'polar')
+         *
+         * @example
+         * ```typescript
+         * await sso.organizations.billingCredentials.delete('acme-corp', 'stripe');
+         * ```
+         */
+        delete: (orgSlug: string, provider: "stripe" | "polar") => Promise<void>;
+    };
 }
 
 /**
@@ -4348,6 +4480,32 @@ declare class PlatformModule {
          * ```
          */
         updateTier: (orgId: string, payload: UpdateOrganizationTierPayload) => Promise<Organization>;
+        /**
+         * Update an organization's feature overrides.
+         *
+         * @param orgId Organization ID
+         * @param payload Feature override flags
+         * @returns Updated organization
+         *
+         * @example
+         * ```typescript
+         * await sso.platform.organizations.updateFeatures('org-id', {
+         *   allow_saml: true,
+         *   allow_scim: false,
+         *   allow_custom_domain: true,
+         *   allow_custom_branding: false
+         * });
+         * ```
+         */
+        updateFeatures: (orgId: string, payload: {
+            allow_saml?: boolean;
+            allow_scim?: boolean;
+            allow_custom_domain?: boolean;
+            allow_custom_branding?: boolean;
+            allow_advanced_risk_engine?: boolean;
+            allow_siem_integration?: boolean;
+            allow_webhooks?: boolean;
+        }) => Promise<Organization>;
         /**
          * Delete an organization and all its associated data.
          * This is a destructive operation that cannot be undone.
@@ -5433,6 +5591,19 @@ declare class SsoClient {
      * Gets the current base URL
      */
     getBaseURL(): string;
+    /**
+     * Gets the JWKS (JSON Web Key Set) URL for JWT verification.
+     * Use this for stateless token verification in edge functions or middleware.
+     *
+     * @returns The full URL to the .well-known/jwks.json endpoint
+     *
+     * @example
+     * ```typescript
+     * const jwksUrl = sso.getJwksUrl();
+     * // Returns: "https://sso.example.com/.well-known/jwks.json"
+     * ```
+     */
+    getJwksUrl(): string;
     /**
      * Check if the user is currently authenticated
      */
@@ -5463,6 +5634,52 @@ declare class SsoClient {
     getToken(): Promise<string | null>;
 }
 
+/**
+ * Standard authentication error codes returned by the AuthOS API.
+ * Use these to reliably switch UI states based on error type.
+ */
+declare enum AuthErrorCodes {
+    /** Multi-factor authentication is required to complete login */
+    MFA_REQUIRED = "MFA_REQUIRED",
+    /** User must select or create an organization */
+    ORG_REQUIRED = "ORG_REQUIRED",
+    /** The provided credentials are invalid */
+    INVALID_CREDENTIALS = "INVALID_CREDENTIALS",
+    /** The JWT token has expired */
+    TOKEN_EXPIRED = "TOKEN_EXPIRED",
+    /** The refresh token is invalid or has been revoked */
+    REFRESH_TOKEN_INVALID = "REFRESH_TOKEN_INVALID",
+    /** The user is not authorized to perform this action */
+    UNAUTHORIZED = "UNAUTHORIZED",
+    /** The user does not have permission for this resource */
+    FORBIDDEN = "FORBIDDEN",
+    /** The requested resource was not found */
+    NOT_FOUND = "NOT_FOUND",
+    /** The request failed validation */
+    VALIDATION_ERROR = "VALIDATION_ERROR",
+    /** The email address is already registered */
+    EMAIL_ALREADY_EXISTS = "EMAIL_ALREADY_EXISTS",
+    /** Email verification is required */
+    EMAIL_NOT_VERIFIED = "EMAIL_NOT_VERIFIED",
+    /** The account has been suspended */
+    ACCOUNT_SUSPENDED = "ACCOUNT_SUSPENDED",
+    /** The organization has been suspended */
+    ORG_SUSPENDED = "ORG_SUSPENDED",
+    /** Rate limit exceeded */
+    RATE_LIMITED = "RATE_LIMITED",
+    /** The password does not meet requirements */
+    WEAK_PASSWORD = "WEAK_PASSWORD",
+    /** The MFA code is invalid */
+    INVALID_MFA_CODE = "INVALID_MFA_CODE",
+    /** The magic link or verification token has expired */
+    LINK_EXPIRED = "LINK_EXPIRED",
+    /** The device code has expired */
+    DEVICE_CODE_EXPIRED = "DEVICE_CODE_EXPIRED",
+    /** Authorization is still pending (device flow) */
+    AUTHORIZATION_PENDING = "AUTHORIZATION_PENDING",
+    /** The passkey authentication failed */
+    PASSKEY_ERROR = "PASSKEY_ERROR"
+}
 /**
  * Custom error class for SSO API errors.
  * Provides structured error information from the API.
@@ -5499,4 +5716,4 @@ declare class SsoApiError extends Error {
     isNotFound(): boolean;
 }
 
-export { type AcceptInvitationPayload, type AdminLoginUrlParams, type AnalyticsQuery, type ApiKey, type ApiKeyCreateResponse, type ApproveOrganizationPayload, type AuditLog, type AuditLogEntry, type AuditLogQueryParams, type AuditLogResponse, AuthMethod, AuthModule, type AuthenticationResponseJSON, type BackupCodesResponse, type BrandingConfiguration, BrowserStorage, type ChangePasswordRequest, type ChangePasswordResponse, type ConfigureSamlPayload, type ConfigureSamlResponse, type CreateApiKeyPayload, type CreateCheckoutPayload, type CreateCheckoutResponse, type CreateInvitationPayload, type CreateOrganizationPayload, type CreateOrganizationResponse, type CreatePlanPayload, type CreateScimTokenRequest, type CreateServicePayload, type CreateServiceResponse, type CreateSiemConfigRequest, type CreateWebhookRequest, type DeclineInvitationPayload, type DeviceCodeRequest, type DeviceCodeResponse, type DeviceTrust, type DeviceVerifyResponse, type DomainConfiguration, type DomainVerificationMethod, type DomainVerificationResponse, type DomainVerificationResult, type EndUser, type EndUserDetailResponse, type EndUserIdentity, type EndUserListResponse, type EndUserSubscription, type EventTypeInfo, type ExportUserDataResponse, type ForgetUserResponse, type ForgotPasswordRequest, type ForgotPasswordResponse, type GeolocationData, type GetAuditLogParams, type GetRiskSettingsResponse, type GrowthTrendPoint, type Identity, type ImpersonateRequest, type ImpersonateResponse, type ImpersonationUserInfo, type Invitation, type InvitationStatus, type InvitationWithOrg, InvitationsModule, type JwtClaims, type ListApiKeysResponse, type ListDevicesResponse, type ListEndUsersParams, type ListOrganizationsParams, type ListPlatformOrganizationsParams, type ListScimTokensResponse, type ListSiemConfigsResponse, type LoginActivityPoint, type LoginEventExport, type LoginRequest, type LoginTrendPoint, type LoginUrlParams, type LoginsByProvider, type LoginsByService, type LookupEmailRequest, type LookupEmailResponse, MagicLinks, type MemberListResponse, type MemberRole, type Membership, type MembershipExport, MemoryStorage, type MfaEventExport, type MfaSetupResponse, type MfaStatusResponse, type MfaVerificationRequest, type MfaVerificationResponse, type MfaVerifyRequest, type MfaVerifyResponse, type OAuthCredentials, type OAuthIdentityExport, type OAuthProvider, type Organization, type OrganizationMember, type OrganizationResponse, type OrganizationStatus, type OrganizationStatusBreakdown, type OrganizationTier, OrganizationsModule, type PaginatedResponse, type PaginationInfo, type PaginationParams, type Passkey, type PasskeyAuthFinishRequest, type PasskeyAuthFinishResponse, type PasskeyAuthStartRequest, type PasskeyAuthStartResponse, type PasskeyExport, type PasskeyRegisterFinishRequest, type PasskeyRegisterFinishResponse, type PasskeyRegisterStartRequest, type PasskeyRegisterStartResponse, PasskeysModule, PermissionsModule, type Plan, type PlanResponse, type PlatformAnalyticsDateRangeParams, PlatformModule, type PlatformOrganizationResponse, type PlatformOrganizationsListResponse, type PlatformOverviewMetrics, type PromotePlatformOwnerPayload, type ProviderToken, type ProviderTokenGrant, type RecentLogin, type RecentOrganization, type RefreshTokenRequest, type RefreshTokenResponse, type RegisterRequest, type RegisterResponse, type RegistrationResponseJSON, type RejectOrganizationPayload, type ResetPasswordRequest, type ResetPasswordResponse, type RevokeDeviceRequest, type RevokeDeviceResponse, type RevokeSessionsResponse, RiskAction, type RiskAnalytics, type RiskAssessment, type RiskContext, type RiskEnforcementMode, type RiskEngineConfig, type RiskEvent, RiskEventOutcome, type RiskFactor, RiskFactorType, type RiskRule, type RiskRuleCondition, type RiskScore, type RiskSettings, type SamlCertificate, type SamlConfig, type ScimTokenResponse, type Service, ServiceApiModule, type ServiceListResponse, type ServiceResponse, type ServiceType, type ServiceWithDetails, ServicesModule, type SetCustomDomainRequest, type SetOAuthCredentialsPayload, type SetPasswordRequest, type SetPasswordResponse, type SetSmtpRequest, type SiemConfigResponse, type SiemProviderType, type SmtpConfigResponse, SsoApiError, SsoClient, type SsoClientOptions, type StartLinkResponse, type Subscription, type TestConnectionResponse, type TokenRequest, type TokenResponse, type TokenStorage, type TopOrganization, type TransferOwnershipPayload, type UpdateBrandingRequest, type UpdateMemberRolePayload, type UpdateOrganizationPayload, type UpdateOrganizationTierPayload, type UpdatePlanPayload, type UpdateRiskSettingsRequest, type UpdateRiskSettingsResponse, type UpdateServicePayload, type UpdateSiemConfigRequest, type UpdateUserProfilePayload, type UpdateWebhookRequest, type User, type UserDevice, UserModule, type UserProfile, type Webhook, type WebhookDelivery, type WebhookDeliveryListResponse, type WebhookDeliveryQueryParams, type WebhookListResponse, type WebhookResponse };
+export { type AcceptInvitationPayload, type AdminLoginUrlParams, type AnalyticsQuery, type ApiKey, type ApiKeyCreateResponse, type ApproveOrganizationPayload, type AuditLog, type AuditLogEntry, type AuditLogQueryParams, type AuditLogResponse, AuthErrorCodes, AuthMethod, AuthModule, type AuthSnapshot, type AuthenticationResponseJSON, type BackupCodesResponse, type BrandingConfiguration, BrowserStorage, type ChangePasswordRequest, type ChangePasswordResponse, type ConfigureSamlPayload, type ConfigureSamlResponse, type CreateApiKeyPayload, type CreateCheckoutPayload, type CreateCheckoutResponse, type CreateInvitationPayload, type CreateOrganizationPayload, type CreateOrganizationResponse, type CreatePlanPayload, type CreateScimTokenRequest, type CreateServicePayload, type CreateServiceResponse, type CreateSiemConfigRequest, type CreateWebhookRequest, type DeclineInvitationPayload, type DeviceCodeRequest, type DeviceCodeResponse, type DeviceTrust, type DeviceVerifyResponse, type DomainConfiguration, type DomainVerificationMethod, type DomainVerificationResponse, type DomainVerificationResult, type EndUser, type EndUserDetailResponse, type EndUserIdentity, type EndUserListResponse, type EndUserSubscription, type EventTypeInfo, type ExportUserDataResponse, type ForgetUserResponse, type ForgotPasswordRequest, type ForgotPasswordResponse, type GeolocationData, type GetAuditLogParams, type GetRiskSettingsResponse, type GrowthTrendPoint, type Identity, type ImpersonateRequest, type ImpersonateResponse, type ImpersonationUserInfo, type Invitation, type InvitationStatus, type InvitationWithOrg, InvitationsModule, type JwtClaims, type ListApiKeysResponse, type ListDevicesResponse, type ListEndUsersParams, type ListOrganizationsParams, type ListPlatformOrganizationsParams, type ListScimTokensResponse, type ListSiemConfigsResponse, type LoginActivityPoint, type LoginEventExport, type LoginRequest, type LoginTrendPoint, type LoginUrlParams, type LoginsByProvider, type LoginsByService, type LookupEmailRequest, type LookupEmailResponse, MagicLinks, type MemberListResponse, type MemberRole, type Membership, type MembershipExport, MemoryStorage, type MfaEventExport, type MfaSetupResponse, type MfaStatusResponse, type MfaVerificationRequest, type MfaVerificationResponse, type MfaVerifyRequest, type MfaVerifyResponse, type OAuthCredentials, type OAuthIdentityExport, type OAuthProvider, type Organization, type OrganizationMember, type OrganizationResponse, type OrganizationStatus, type OrganizationStatusBreakdown, type OrganizationTier, OrganizationsModule, type PaginatedResponse, type PaginationInfo, type PaginationParams, type Passkey, type PasskeyAuthFinishRequest, type PasskeyAuthFinishResponse, type PasskeyAuthStartRequest, type PasskeyAuthStartResponse, type PasskeyExport, type PasskeyRegisterFinishRequest, type PasskeyRegisterFinishResponse, type PasskeyRegisterStartRequest, type PasskeyRegisterStartResponse, PasskeysModule, PermissionsModule, type Plan, type PlanResponse, type PlatformAnalyticsDateRangeParams, PlatformModule, type PlatformOrganizationResponse, type PlatformOrganizationsListResponse, type PlatformOverviewMetrics, type PromotePlatformOwnerPayload, type ProviderToken, type ProviderTokenGrant, type RecentLogin, type RecentOrganization, type RefreshTokenRequest, type RefreshTokenResponse, type RegisterRequest, type RegisterResponse, type RegistrationResponseJSON, type RejectOrganizationPayload, type ResetPasswordRequest, type ResetPasswordResponse, type RevokeDeviceRequest, type RevokeDeviceResponse, type RevokeSessionsResponse, RiskAction, type RiskAnalytics, type RiskAssessment, type RiskContext, type RiskEnforcementMode, type RiskEngineConfig, type RiskEvent, RiskEventOutcome, type RiskFactor, RiskFactorType, type RiskRule, type RiskRuleCondition, type RiskScore, type RiskSettings, type SamlCertificate, type SamlConfig, type ScimTokenResponse, type Service, ServiceApiModule, type ServiceListResponse, type ServiceResponse, type ServiceType, type ServiceWithDetails, ServicesModule, type SetCustomDomainRequest, type SetOAuthCredentialsPayload, type SetPasswordRequest, type SetPasswordResponse, type SetSmtpRequest, type SiemConfigResponse, type SiemProviderType, type SmtpConfigResponse, SsoApiError, SsoClient, type SsoClientOptions, type StartLinkResponse, type Subscription, type TestConnectionResponse, type TokenRequest, type TokenResponse, type TokenStorage, type TopOrganization, type TransferOwnershipPayload, type UpdateBrandingRequest, type UpdateMemberRolePayload, type UpdateOrganizationPayload, type UpdateOrganizationTierPayload, type UpdatePlanPayload, type UpdateRiskSettingsRequest, type UpdateRiskSettingsResponse, type UpdateServicePayload, type UpdateSiemConfigRequest, type UpdateUserProfilePayload, type UpdateWebhookRequest, type User, type UserDevice, UserModule, type UserProfile, type Webhook, type WebhookDelivery, type WebhookDeliveryListResponse, type WebhookDeliveryQueryParams, type WebhookListResponse, type WebhookResponse };

package/dist/index.d.ts

@@ -2027,6 +2027,14 @@ interface SessionConfig {
     storageKeyPrefix?: string;
     autoRefresh?: boolean;
 }
+/**
+ * Snapshot of the current authentication state.
+ * Useful for hydration in SSR frameworks.
+ */
+interface AuthSnapshot {
+    isAuthenticated: boolean;
+    token: string | null;
+}
 declare class SessionManager {
     private storage;
     private refreshHandler;
@@ -2061,7 +2069,13 @@ declare class SessionManager {
     refreshSession(): Promise<string>;
     isAuthenticated(): boolean;
     /**
-     * Subscribe to auth state changes (useful for UI updates)
+     * Get a synchronous snapshot of the current auth state.
+     * Useful for SSR hydration and initial state.
+     */
+    getSnapshot(): AuthSnapshot;
+    /**
+     * Subscribe to auth state changes (useful for UI updates).
+     * The listener is immediately called with the current state upon subscription.
      */
     subscribe(listener: (isAuthenticated: boolean) => void): () => void;
     private notifyListeners;
@@ -3688,6 +3702,124 @@ declare class OrganizationsModule {
          */
         test: (orgSlug: string, configId: string) => Promise<TestConnectionResponse>;
     };
+    /**
+     * Billing and subscription management methods
+     */
+    billing: {
+        /**
+         * Get billing information for an organization.
+         * Returns whether a billing account exists and which provider is being used.
+         * Requires 'owner' or 'admin' role.
+         *
+         * @param orgSlug Organization slug
+         * @returns Billing information
+         *
+         * @example
+         * ```typescript
+         * const info = await sso.organizations.billing.getInfo('acme-corp');
+         * if (info.has_billing_account) {
+         *   console.log('Billing provider:', info.provider);
+         * }
+         * ```
+         */
+        getInfo: (orgSlug: string) => Promise<{
+            has_billing_account: boolean;
+            provider: string | null;
+        }>;
+        /**
+         * Create a billing portal session.
+         * Redirects the user to the billing provider's self-service portal to manage their subscription,
+         * update payment methods, view invoices, etc.
+         * Requires 'owner' role.
+         *
+         * @param orgSlug Organization slug
+         * @param returnUrl URL to redirect the user to after they leave the portal
+         * @returns Object containing the portal session URL
+         *
+         * @example
+         * ```typescript
+         * const session = await sso.organizations.billing.createPortalSession('acme-corp', {
+         *   return_url: 'https://app.acme.com/billing'
+         * });
+         * // Redirect user to billing portal
+         * window.location.href = session.url;
+         * ```
+         */
+        createPortalSession: (orgSlug: string, payload: {
+            return_url: string;
+        }) => Promise<{
+            url: string;
+        }>;
+    };
+    /**
+     * BYOP (Bring Your Own Payment) credential management.
+     * Allows organizations to configure their own billing provider credentials
+     * to charge their end-users directly.
+     */
+    billingCredentials: {
+        /**
+         * Get the status of billing credentials for a provider.
+         * Returns whether credentials are configured and the mode (test/live).
+         * Requires 'owner' role.
+         *
+         * @param orgSlug Organization slug
+         * @param provider Billing provider ('stripe' or 'polar')
+         * @returns Credential configuration status
+         *
+         * @example
+         * ```typescript
+         * const status = await sso.organizations.billingCredentials.get('acme-corp', 'stripe');
+         * if (status.configured) {
+         *   console.log('Mode:', status.mode); // 'test' or 'live'
+         *   console.log('Enabled:', status.enabled);
+         * }
+         * ```
+         */
+        get: (orgSlug: string, provider: "stripe" | "polar") => Promise<{
+            configured: boolean;
+            provider: string;
+            mode: "test" | "live" | null;
+            enabled: boolean;
+        }>;
+        /**
+         * Set or update billing credentials for a provider.
+         * Enables the organization to charge their end-users using their own
+         * payment provider account.
+         * Requires 'owner' role.
+         *
+         * @param orgSlug Organization slug
+         * @param provider Billing provider ('stripe' or 'polar')
+         * @param payload Billing credentials
+         *
+         * @example
+         * ```typescript
+         * await sso.organizations.billingCredentials.set('acme-corp', 'stripe', {
+         *   api_key: 'sk_live_...',
+         *   webhook_secret: 'whsec_...',
+         *   mode: 'live'
+         * });
+         * ```
+         */
+        set: (orgSlug: string, provider: "stripe" | "polar", payload: {
+            api_key: string;
+            webhook_secret: string;
+            mode: "test" | "live";
+        }) => Promise<void>;
+        /**
+         * Delete billing credentials for a provider.
+         * The organization will no longer be able to charge end-users directly.
+         * Requires 'owner' role.
+         *
+         * @param orgSlug Organization slug
+         * @param provider Billing provider ('stripe' or 'polar')
+         *
+         * @example
+         * ```typescript
+         * await sso.organizations.billingCredentials.delete('acme-corp', 'stripe');
+         * ```
+         */
+        delete: (orgSlug: string, provider: "stripe" | "polar") => Promise<void>;
+    };
 }
 
 /**
@@ -4348,6 +4480,32 @@ declare class PlatformModule {
          * ```
          */
         updateTier: (orgId: string, payload: UpdateOrganizationTierPayload) => Promise<Organization>;
+        /**
+         * Update an organization's feature overrides.
+         *
+         * @param orgId Organization ID
+         * @param payload Feature override flags
+         * @returns Updated organization
+         *
+         * @example
+         * ```typescript
+         * await sso.platform.organizations.updateFeatures('org-id', {
+         *   allow_saml: true,
+         *   allow_scim: false,
+         *   allow_custom_domain: true,
+         *   allow_custom_branding: false
+         * });
+         * ```
+         */
+        updateFeatures: (orgId: string, payload: {
+            allow_saml?: boolean;
+            allow_scim?: boolean;
+            allow_custom_domain?: boolean;
+            allow_custom_branding?: boolean;
+            allow_advanced_risk_engine?: boolean;
+            allow_siem_integration?: boolean;
+            allow_webhooks?: boolean;
+        }) => Promise<Organization>;
         /**
          * Delete an organization and all its associated data.
          * This is a destructive operation that cannot be undone.
@@ -5433,6 +5591,19 @@ declare class SsoClient {
      * Gets the current base URL
      */
     getBaseURL(): string;
+    /**
+     * Gets the JWKS (JSON Web Key Set) URL for JWT verification.
+     * Use this for stateless token verification in edge functions or middleware.
+     *
+     * @returns The full URL to the .well-known/jwks.json endpoint
+     *
+     * @example
+     * ```typescript
+     * const jwksUrl = sso.getJwksUrl();
+     * // Returns: "https://sso.example.com/.well-known/jwks.json"
+     * ```
+     */
+    getJwksUrl(): string;
     /**
      * Check if the user is currently authenticated
      */
@@ -5463,6 +5634,52 @@ declare class SsoClient {
     getToken(): Promise<string | null>;
 }
 
+/**
+ * Standard authentication error codes returned by the AuthOS API.
+ * Use these to reliably switch UI states based on error type.
+ */
+declare enum AuthErrorCodes {
+    /** Multi-factor authentication is required to complete login */
+    MFA_REQUIRED = "MFA_REQUIRED",
+    /** User must select or create an organization */
+    ORG_REQUIRED = "ORG_REQUIRED",
+    /** The provided credentials are invalid */
+    INVALID_CREDENTIALS = "INVALID_CREDENTIALS",
+    /** The JWT token has expired */
+    TOKEN_EXPIRED = "TOKEN_EXPIRED",
+    /** The refresh token is invalid or has been revoked */
+    REFRESH_TOKEN_INVALID = "REFRESH_TOKEN_INVALID",
+    /** The user is not authorized to perform this action */
+    UNAUTHORIZED = "UNAUTHORIZED",
+    /** The user does not have permission for this resource */
+    FORBIDDEN = "FORBIDDEN",
+    /** The requested resource was not found */
+    NOT_FOUND = "NOT_FOUND",
+    /** The request failed validation */
+    VALIDATION_ERROR = "VALIDATION_ERROR",
+    /** The email address is already registered */
+    EMAIL_ALREADY_EXISTS = "EMAIL_ALREADY_EXISTS",
+    /** Email verification is required */
+    EMAIL_NOT_VERIFIED = "EMAIL_NOT_VERIFIED",
+    /** The account has been suspended */
+    ACCOUNT_SUSPENDED = "ACCOUNT_SUSPENDED",
+    /** The organization has been suspended */
+    ORG_SUSPENDED = "ORG_SUSPENDED",
+    /** Rate limit exceeded */
+    RATE_LIMITED = "RATE_LIMITED",
+    /** The password does not meet requirements */
+    WEAK_PASSWORD = "WEAK_PASSWORD",
+    /** The MFA code is invalid */
+    INVALID_MFA_CODE = "INVALID_MFA_CODE",
+    /** The magic link or verification token has expired */
+    LINK_EXPIRED = "LINK_EXPIRED",
+    /** The device code has expired */
+    DEVICE_CODE_EXPIRED = "DEVICE_CODE_EXPIRED",
+    /** Authorization is still pending (device flow) */
+    AUTHORIZATION_PENDING = "AUTHORIZATION_PENDING",
+    /** The passkey authentication failed */
+    PASSKEY_ERROR = "PASSKEY_ERROR"
+}
 /**
  * Custom error class for SSO API errors.
  * Provides structured error information from the API.
@@ -5499,4 +5716,4 @@ declare class SsoApiError extends Error {
     isNotFound(): boolean;
 }
 
-export { type AcceptInvitationPayload, type AdminLoginUrlParams, type AnalyticsQuery, type ApiKey, type ApiKeyCreateResponse, type ApproveOrganizationPayload, type AuditLog, type AuditLogEntry, type AuditLogQueryParams, type AuditLogResponse, AuthMethod, AuthModule, type AuthenticationResponseJSON, type BackupCodesResponse, type BrandingConfiguration, BrowserStorage, type ChangePasswordRequest, type ChangePasswordResponse, type ConfigureSamlPayload, type ConfigureSamlResponse, type CreateApiKeyPayload, type CreateCheckoutPayload, type CreateCheckoutResponse, type CreateInvitationPayload, type CreateOrganizationPayload, type CreateOrganizationResponse, type CreatePlanPayload, type CreateScimTokenRequest, type CreateServicePayload, type CreateServiceResponse, type CreateSiemConfigRequest, type CreateWebhookRequest, type DeclineInvitationPayload, type DeviceCodeRequest, type DeviceCodeResponse, type DeviceTrust, type DeviceVerifyResponse, type DomainConfiguration, type DomainVerificationMethod, type DomainVerificationResponse, type DomainVerificationResult, type EndUser, type EndUserDetailResponse, type EndUserIdentity, type EndUserListResponse, type EndUserSubscription, type EventTypeInfo, type ExportUserDataResponse, type ForgetUserResponse, type ForgotPasswordRequest, type ForgotPasswordResponse, type GeolocationData, type GetAuditLogParams, type GetRiskSettingsResponse, type GrowthTrendPoint, type Identity, type ImpersonateRequest, type ImpersonateResponse, type ImpersonationUserInfo, type Invitation, type InvitationStatus, type InvitationWithOrg, InvitationsModule, type JwtClaims, type ListApiKeysResponse, type ListDevicesResponse, type ListEndUsersParams, type ListOrganizationsParams, type ListPlatformOrganizationsParams, type ListScimTokensResponse, type ListSiemConfigsResponse, type LoginActivityPoint, type LoginEventExport, type LoginRequest, type LoginTrendPoint, type LoginUrlParams, type LoginsByProvider, type LoginsByService, type LookupEmailRequest, type LookupEmailResponse, MagicLinks, type MemberListResponse, type MemberRole, type Membership, type MembershipExport, MemoryStorage, type MfaEventExport, type MfaSetupResponse, type MfaStatusResponse, type MfaVerificationRequest, type MfaVerificationResponse, type MfaVerifyRequest, type MfaVerifyResponse, type OAuthCredentials, type OAuthIdentityExport, type OAuthProvider, type Organization, type OrganizationMember, type OrganizationResponse, type OrganizationStatus, type OrganizationStatusBreakdown, type OrganizationTier, OrganizationsModule, type PaginatedResponse, type PaginationInfo, type PaginationParams, type Passkey, type PasskeyAuthFinishRequest, type PasskeyAuthFinishResponse, type PasskeyAuthStartRequest, type PasskeyAuthStartResponse, type PasskeyExport, type PasskeyRegisterFinishRequest, type PasskeyRegisterFinishResponse, type PasskeyRegisterStartRequest, type PasskeyRegisterStartResponse, PasskeysModule, PermissionsModule, type Plan, type PlanResponse, type PlatformAnalyticsDateRangeParams, PlatformModule, type PlatformOrganizationResponse, type PlatformOrganizationsListResponse, type PlatformOverviewMetrics, type PromotePlatformOwnerPayload, type ProviderToken, type ProviderTokenGrant, type RecentLogin, type RecentOrganization, type RefreshTokenRequest, type RefreshTokenResponse, type RegisterRequest, type RegisterResponse, type RegistrationResponseJSON, type RejectOrganizationPayload, type ResetPasswordRequest, type ResetPasswordResponse, type RevokeDeviceRequest, type RevokeDeviceResponse, type RevokeSessionsResponse, RiskAction, type RiskAnalytics, type RiskAssessment, type RiskContext, type RiskEnforcementMode, type RiskEngineConfig, type RiskEvent, RiskEventOutcome, type RiskFactor, RiskFactorType, type RiskRule, type RiskRuleCondition, type RiskScore, type RiskSettings, type SamlCertificate, type SamlConfig, type ScimTokenResponse, type Service, ServiceApiModule, type ServiceListResponse, type ServiceResponse, type ServiceType, type ServiceWithDetails, ServicesModule, type SetCustomDomainRequest, type SetOAuthCredentialsPayload, type SetPasswordRequest, type SetPasswordResponse, type SetSmtpRequest, type SiemConfigResponse, type SiemProviderType, type SmtpConfigResponse, SsoApiError, SsoClient, type SsoClientOptions, type StartLinkResponse, type Subscription, type TestConnectionResponse, type TokenRequest, type TokenResponse, type TokenStorage, type TopOrganization, type TransferOwnershipPayload, type UpdateBrandingRequest, type UpdateMemberRolePayload, type UpdateOrganizationPayload, type UpdateOrganizationTierPayload, type UpdatePlanPayload, type UpdateRiskSettingsRequest, type UpdateRiskSettingsResponse, type UpdateServicePayload, type UpdateSiemConfigRequest, type UpdateUserProfilePayload, type UpdateWebhookRequest, type User, type UserDevice, UserModule, type UserProfile, type Webhook, type WebhookDelivery, type WebhookDeliveryListResponse, type WebhookDeliveryQueryParams, type WebhookListResponse, type WebhookResponse };
+export { type AcceptInvitationPayload, type AdminLoginUrlParams, type AnalyticsQuery, type ApiKey, type ApiKeyCreateResponse, type ApproveOrganizationPayload, type AuditLog, type AuditLogEntry, type AuditLogQueryParams, type AuditLogResponse, AuthErrorCodes, AuthMethod, AuthModule, type AuthSnapshot, type AuthenticationResponseJSON, type BackupCodesResponse, type BrandingConfiguration, BrowserStorage, type ChangePasswordRequest, type ChangePasswordResponse, type ConfigureSamlPayload, type ConfigureSamlResponse, type CreateApiKeyPayload, type CreateCheckoutPayload, type CreateCheckoutResponse, type CreateInvitationPayload, type CreateOrganizationPayload, type CreateOrganizationResponse, type CreatePlanPayload, type CreateScimTokenRequest, type CreateServicePayload, type CreateServiceResponse, type CreateSiemConfigRequest, type CreateWebhookRequest, type DeclineInvitationPayload, type DeviceCodeRequest, type DeviceCodeResponse, type DeviceTrust, type DeviceVerifyResponse, type DomainConfiguration, type DomainVerificationMethod, type DomainVerificationResponse, type DomainVerificationResult, type EndUser, type EndUserDetailResponse, type EndUserIdentity, type EndUserListResponse, type EndUserSubscription, type EventTypeInfo, type ExportUserDataResponse, type ForgetUserResponse, type ForgotPasswordRequest, type ForgotPasswordResponse, type GeolocationData, type GetAuditLogParams, type GetRiskSettingsResponse, type GrowthTrendPoint, type Identity, type ImpersonateRequest, type ImpersonateResponse, type ImpersonationUserInfo, type Invitation, type InvitationStatus, type InvitationWithOrg, InvitationsModule, type JwtClaims, type ListApiKeysResponse, type ListDevicesResponse, type ListEndUsersParams, type ListOrganizationsParams, type ListPlatformOrganizationsParams, type ListScimTokensResponse, type ListSiemConfigsResponse, type LoginActivityPoint, type LoginEventExport, type LoginRequest, type LoginTrendPoint, type LoginUrlParams, type LoginsByProvider, type LoginsByService, type LookupEmailRequest, type LookupEmailResponse, MagicLinks, type MemberListResponse, type MemberRole, type Membership, type MembershipExport, MemoryStorage, type MfaEventExport, type MfaSetupResponse, type MfaStatusResponse, type MfaVerificationRequest, type MfaVerificationResponse, type MfaVerifyRequest, type MfaVerifyResponse, type OAuthCredentials, type OAuthIdentityExport, type OAuthProvider, type Organization, type OrganizationMember, type OrganizationResponse, type OrganizationStatus, type OrganizationStatusBreakdown, type OrganizationTier, OrganizationsModule, type PaginatedResponse, type PaginationInfo, type PaginationParams, type Passkey, type PasskeyAuthFinishRequest, type PasskeyAuthFinishResponse, type PasskeyAuthStartRequest, type PasskeyAuthStartResponse, type PasskeyExport, type PasskeyRegisterFinishRequest, type PasskeyRegisterFinishResponse, type PasskeyRegisterStartRequest, type PasskeyRegisterStartResponse, PasskeysModule, PermissionsModule, type Plan, type PlanResponse, type PlatformAnalyticsDateRangeParams, PlatformModule, type PlatformOrganizationResponse, type PlatformOrganizationsListResponse, type PlatformOverviewMetrics, type PromotePlatformOwnerPayload, type ProviderToken, type ProviderTokenGrant, type RecentLogin, type RecentOrganization, type RefreshTokenRequest, type RefreshTokenResponse, type RegisterRequest, type RegisterResponse, type RegistrationResponseJSON, type RejectOrganizationPayload, type ResetPasswordRequest, type ResetPasswordResponse, type RevokeDeviceRequest, type RevokeDeviceResponse, type RevokeSessionsResponse, RiskAction, type RiskAnalytics, type RiskAssessment, type RiskContext, type RiskEnforcementMode, type RiskEngineConfig, type RiskEvent, RiskEventOutcome, type RiskFactor, RiskFactorType, type RiskRule, type RiskRuleCondition, type RiskScore, type RiskSettings, type SamlCertificate, type SamlConfig, type ScimTokenResponse, type Service, ServiceApiModule, type ServiceListResponse, type ServiceResponse, type ServiceType, type ServiceWithDetails, ServicesModule, type SetCustomDomainRequest, type SetOAuthCredentialsPayload, type SetPasswordRequest, type SetPasswordResponse, type SetSmtpRequest, type SiemConfigResponse, type SiemProviderType, type SmtpConfigResponse, SsoApiError, SsoClient, type SsoClientOptions, type StartLinkResponse, type Subscription, type TestConnectionResponse, type TokenRequest, type TokenResponse, type TokenStorage, type TopOrganization, type TransferOwnershipPayload, type UpdateBrandingRequest, type UpdateMemberRolePayload, type UpdateOrganizationPayload, type UpdateOrganizationTierPayload, type UpdatePlanPayload, type UpdateRiskSettingsRequest, type UpdateRiskSettingsResponse, type UpdateServicePayload, type UpdateSiemConfigRequest, type UpdateUserProfilePayload, type UpdateWebhookRequest, type User, type UserDevice, UserModule, type UserProfile, type Webhook, type WebhookDelivery, type WebhookDeliveryListResponse, type WebhookDeliveryQueryParams, type WebhookListResponse, type WebhookResponse };

package/dist/index.js

@@ -20,6 +20,7 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
+  AuthErrorCodes: () => AuthErrorCodes,
   AuthMethod: () => AuthMethod,
   AuthModule: () => AuthModule,
   BrowserStorage: () => BrowserStorage,
@@ -42,6 +43,29 @@ __export(index_exports, {
 module.exports = __toCommonJS(index_exports);
 
 // src/errors.ts
+var AuthErrorCodes = /* @__PURE__ */ ((AuthErrorCodes2) => {
+  AuthErrorCodes2["MFA_REQUIRED"] = "MFA_REQUIRED";
+  AuthErrorCodes2["ORG_REQUIRED"] = "ORG_REQUIRED";
+  AuthErrorCodes2["INVALID_CREDENTIALS"] = "INVALID_CREDENTIALS";
+  AuthErrorCodes2["TOKEN_EXPIRED"] = "TOKEN_EXPIRED";
+  AuthErrorCodes2["REFRESH_TOKEN_INVALID"] = "REFRESH_TOKEN_INVALID";
+  AuthErrorCodes2["UNAUTHORIZED"] = "UNAUTHORIZED";
+  AuthErrorCodes2["FORBIDDEN"] = "FORBIDDEN";
+  AuthErrorCodes2["NOT_FOUND"] = "NOT_FOUND";
+  AuthErrorCodes2["VALIDATION_ERROR"] = "VALIDATION_ERROR";
+  AuthErrorCodes2["EMAIL_ALREADY_EXISTS"] = "EMAIL_ALREADY_EXISTS";
+  AuthErrorCodes2["EMAIL_NOT_VERIFIED"] = "EMAIL_NOT_VERIFIED";
+  AuthErrorCodes2["ACCOUNT_SUSPENDED"] = "ACCOUNT_SUSPENDED";
+  AuthErrorCodes2["ORG_SUSPENDED"] = "ORG_SUSPENDED";
+  AuthErrorCodes2["RATE_LIMITED"] = "RATE_LIMITED";
+  AuthErrorCodes2["WEAK_PASSWORD"] = "WEAK_PASSWORD";
+  AuthErrorCodes2["INVALID_MFA_CODE"] = "INVALID_MFA_CODE";
+  AuthErrorCodes2["LINK_EXPIRED"] = "LINK_EXPIRED";
+  AuthErrorCodes2["DEVICE_CODE_EXPIRED"] = "DEVICE_CODE_EXPIRED";
+  AuthErrorCodes2["AUTHORIZATION_PENDING"] = "AUTHORIZATION_PENDING";
+  AuthErrorCodes2["PASSKEY_ERROR"] = "PASSKEY_ERROR";
+  return AuthErrorCodes2;
+})(AuthErrorCodes || {});
 var SsoApiError = class _SsoApiError extends Error {
   constructor(message, statusCode, errorCode, timestamp) {
     super(message);
@@ -334,10 +358,22 @@ var SessionManager = class {
     return !!this.accessToken;
   }
   /**
-   * Subscribe to auth state changes (useful for UI updates)
+   * Get a synchronous snapshot of the current auth state.
+   * Useful for SSR hydration and initial state.
+   */
+  getSnapshot() {
+    return {
+      isAuthenticated: !!this.accessToken,
+      token: this.accessToken
+    };
+  }
+  /**
+   * Subscribe to auth state changes (useful for UI updates).
+   * The listener is immediately called with the current state upon subscription.
    */
   subscribe(listener) {
     this.listeners.push(listener);
+    listener(this.isAuthenticated());
     return () => {
       this.listeners = this.listeners.filter((l) => l !== listener);
     };
@@ -1986,6 +2022,137 @@ var OrganizationsModule = class {
         return response.data;
       }
     };
+    // ============================================================================
+    // BILLING
+    // ============================================================================
+    /**
+     * Billing and subscription management methods
+     */
+    this.billing = {
+      /**
+       * Get billing information for an organization.
+       * Returns whether a billing account exists and which provider is being used.
+       * Requires 'owner' or 'admin' role.
+       *
+       * @param orgSlug Organization slug
+       * @returns Billing information
+       *
+       * @example
+       * ```typescript
+       * const info = await sso.organizations.billing.getInfo('acme-corp');
+       * if (info.has_billing_account) {
+       *   console.log('Billing provider:', info.provider);
+       * }
+       * ```
+       */
+      getInfo: async (orgSlug) => {
+        const response = await this.http.get(
+          `/api/organizations/${orgSlug}/billing/info`
+        );
+        return response.data;
+      },
+      /**
+       * Create a billing portal session.
+       * Redirects the user to the billing provider's self-service portal to manage their subscription,
+       * update payment methods, view invoices, etc.
+       * Requires 'owner' role.
+       *
+       * @param orgSlug Organization slug
+       * @param returnUrl URL to redirect the user to after they leave the portal
+       * @returns Object containing the portal session URL
+       *
+       * @example
+       * ```typescript
+       * const session = await sso.organizations.billing.createPortalSession('acme-corp', {
+       *   return_url: 'https://app.acme.com/billing'
+       * });
+       * // Redirect user to billing portal
+       * window.location.href = session.url;
+       * ```
+       */
+      createPortalSession: async (orgSlug, payload) => {
+        const response = await this.http.post(
+          `/api/organizations/${orgSlug}/billing/portal`,
+          payload
+        );
+        return response.data;
+      }
+    };
+    // ============================================================================
+    // BYOP - BRING YOUR OWN PAYMENT
+    // ============================================================================
+    /**
+     * BYOP (Bring Your Own Payment) credential management.
+     * Allows organizations to configure their own billing provider credentials
+     * to charge their end-users directly.
+     */
+    this.billingCredentials = {
+      /**
+       * Get the status of billing credentials for a provider.
+       * Returns whether credentials are configured and the mode (test/live).
+       * Requires 'owner' role.
+       *
+       * @param orgSlug Organization slug
+       * @param provider Billing provider ('stripe' or 'polar')
+       * @returns Credential configuration status
+       *
+       * @example
+       * ```typescript
+       * const status = await sso.organizations.billingCredentials.get('acme-corp', 'stripe');
+       * if (status.configured) {
+       *   console.log('Mode:', status.mode); // 'test' or 'live'
+       *   console.log('Enabled:', status.enabled);
+       * }
+       * ```
+       */
+      get: async (orgSlug, provider) => {
+        const response = await this.http.get(`/api/organizations/${orgSlug}/billing-credentials/${provider}`);
+        return response.data;
+      },
+      /**
+       * Set or update billing credentials for a provider.
+       * Enables the organization to charge their end-users using their own
+       * payment provider account.
+       * Requires 'owner' role.
+       *
+       * @param orgSlug Organization slug
+       * @param provider Billing provider ('stripe' or 'polar')
+       * @param payload Billing credentials
+       *
+       * @example
+       * ```typescript
+       * await sso.organizations.billingCredentials.set('acme-corp', 'stripe', {
+       *   api_key: 'sk_live_...',
+       *   webhook_secret: 'whsec_...',
+       *   mode: 'live'
+       * });
+       * ```
+       */
+      set: async (orgSlug, provider, payload) => {
+        await this.http.post(
+          `/api/organizations/${orgSlug}/billing-credentials/${provider}`,
+          payload
+        );
+      },
+      /**
+       * Delete billing credentials for a provider.
+       * The organization will no longer be able to charge end-users directly.
+       * Requires 'owner' role.
+       *
+       * @param orgSlug Organization slug
+       * @param provider Billing provider ('stripe' or 'polar')
+       *
+       * @example
+       * ```typescript
+       * await sso.organizations.billingCredentials.delete('acme-corp', 'stripe');
+       * ```
+       */
+      delete: async (orgSlug, provider) => {
+        await this.http.delete(
+          `/api/organizations/${orgSlug}/billing-credentials/${provider}`
+        );
+      }
+    };
     this.auditLogs = new AuditLogsModule(http);
     this.webhooks = new WebhooksModule(http);
   }
@@ -3122,6 +3289,30 @@ var PlatformModule = class {
         );
         return response.data;
       },
+      /**
+       * Update an organization's feature overrides.
+       *
+       * @param orgId Organization ID
+       * @param payload Feature override flags
+       * @returns Updated organization
+       *
+       * @example
+       * ```typescript
+       * await sso.platform.organizations.updateFeatures('org-id', {
+       *   allow_saml: true,
+       *   allow_scim: false,
+       *   allow_custom_domain: true,
+       *   allow_custom_branding: false
+       * });
+       * ```
+       */
+      updateFeatures: async (orgId, payload) => {
+        const response = await this.http.patch(
+          `/api/platform/organizations/${orgId}/features`,
+          payload
+        );
+        return response.data;
+      },
       /**
        * Delete an organization and all its associated data.
        * This is a destructive operation that cannot be undone.
@@ -4329,6 +4520,22 @@ var SsoClient = class {
   getBaseURL() {
     return this.http.defaults.baseURL || "";
   }
+  /**
+   * Gets the JWKS (JSON Web Key Set) URL for JWT verification.
+   * Use this for stateless token verification in edge functions or middleware.
+   *
+   * @returns The full URL to the .well-known/jwks.json endpoint
+   *
+   * @example
+   * ```typescript
+   * const jwksUrl = sso.getJwksUrl();
+   * // Returns: "https://sso.example.com/.well-known/jwks.json"
+   * ```
+   */
+  getJwksUrl() {
+    const baseUrl = this.getBaseURL().replace(/\/$/, "");
+    return `${baseUrl}/.well-known/jwks.json`;
+  }
   /**
    * Check if the user is currently authenticated
    */
@@ -4406,6 +4613,7 @@ var RiskEventOutcome = /* @__PURE__ */ ((RiskEventOutcome2) => {
 })(RiskEventOutcome || {});
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  AuthErrorCodes,
   AuthMethod,
   AuthModule,
   BrowserStorage,

package/dist/index.mjs

@@ -1,4 +1,27 @@
 // src/errors.ts
+var AuthErrorCodes = /* @__PURE__ */ ((AuthErrorCodes2) => {
+  AuthErrorCodes2["MFA_REQUIRED"] = "MFA_REQUIRED";
+  AuthErrorCodes2["ORG_REQUIRED"] = "ORG_REQUIRED";
+  AuthErrorCodes2["INVALID_CREDENTIALS"] = "INVALID_CREDENTIALS";
+  AuthErrorCodes2["TOKEN_EXPIRED"] = "TOKEN_EXPIRED";
+  AuthErrorCodes2["REFRESH_TOKEN_INVALID"] = "REFRESH_TOKEN_INVALID";
+  AuthErrorCodes2["UNAUTHORIZED"] = "UNAUTHORIZED";
+  AuthErrorCodes2["FORBIDDEN"] = "FORBIDDEN";
+  AuthErrorCodes2["NOT_FOUND"] = "NOT_FOUND";
+  AuthErrorCodes2["VALIDATION_ERROR"] = "VALIDATION_ERROR";
+  AuthErrorCodes2["EMAIL_ALREADY_EXISTS"] = "EMAIL_ALREADY_EXISTS";
+  AuthErrorCodes2["EMAIL_NOT_VERIFIED"] = "EMAIL_NOT_VERIFIED";
+  AuthErrorCodes2["ACCOUNT_SUSPENDED"] = "ACCOUNT_SUSPENDED";
+  AuthErrorCodes2["ORG_SUSPENDED"] = "ORG_SUSPENDED";
+  AuthErrorCodes2["RATE_LIMITED"] = "RATE_LIMITED";
+  AuthErrorCodes2["WEAK_PASSWORD"] = "WEAK_PASSWORD";
+  AuthErrorCodes2["INVALID_MFA_CODE"] = "INVALID_MFA_CODE";
+  AuthErrorCodes2["LINK_EXPIRED"] = "LINK_EXPIRED";
+  AuthErrorCodes2["DEVICE_CODE_EXPIRED"] = "DEVICE_CODE_EXPIRED";
+  AuthErrorCodes2["AUTHORIZATION_PENDING"] = "AUTHORIZATION_PENDING";
+  AuthErrorCodes2["PASSKEY_ERROR"] = "PASSKEY_ERROR";
+  return AuthErrorCodes2;
+})(AuthErrorCodes || {});
 var SsoApiError = class _SsoApiError extends Error {
   constructor(message, statusCode, errorCode, timestamp) {
     super(message);
@@ -291,10 +314,22 @@ var SessionManager = class {
     return !!this.accessToken;
   }
   /**
-   * Subscribe to auth state changes (useful for UI updates)
+   * Get a synchronous snapshot of the current auth state.
+   * Useful for SSR hydration and initial state.
+   */
+  getSnapshot() {
+    return {
+      isAuthenticated: !!this.accessToken,
+      token: this.accessToken
+    };
+  }
+  /**
+   * Subscribe to auth state changes (useful for UI updates).
+   * The listener is immediately called with the current state upon subscription.
    */
   subscribe(listener) {
     this.listeners.push(listener);
+    listener(this.isAuthenticated());
     return () => {
       this.listeners = this.listeners.filter((l) => l !== listener);
     };
@@ -1943,6 +1978,137 @@ var OrganizationsModule = class {
         return response.data;
       }
     };
+    // ============================================================================
+    // BILLING
+    // ============================================================================
+    /**
+     * Billing and subscription management methods
+     */
+    this.billing = {
+      /**
+       * Get billing information for an organization.
+       * Returns whether a billing account exists and which provider is being used.
+       * Requires 'owner' or 'admin' role.
+       *
+       * @param orgSlug Organization slug
+       * @returns Billing information
+       *
+       * @example
+       * ```typescript
+       * const info = await sso.organizations.billing.getInfo('acme-corp');
+       * if (info.has_billing_account) {
+       *   console.log('Billing provider:', info.provider);
+       * }
+       * ```
+       */
+      getInfo: async (orgSlug) => {
+        const response = await this.http.get(
+          `/api/organizations/${orgSlug}/billing/info`
+        );
+        return response.data;
+      },
+      /**
+       * Create a billing portal session.
+       * Redirects the user to the billing provider's self-service portal to manage their subscription,
+       * update payment methods, view invoices, etc.
+       * Requires 'owner' role.
+       *
+       * @param orgSlug Organization slug
+       * @param returnUrl URL to redirect the user to after they leave the portal
+       * @returns Object containing the portal session URL
+       *
+       * @example
+       * ```typescript
+       * const session = await sso.organizations.billing.createPortalSession('acme-corp', {
+       *   return_url: 'https://app.acme.com/billing'
+       * });
+       * // Redirect user to billing portal
+       * window.location.href = session.url;
+       * ```
+       */
+      createPortalSession: async (orgSlug, payload) => {
+        const response = await this.http.post(
+          `/api/organizations/${orgSlug}/billing/portal`,
+          payload
+        );
+        return response.data;
+      }
+    };
+    // ============================================================================
+    // BYOP - BRING YOUR OWN PAYMENT
+    // ============================================================================
+    /**
+     * BYOP (Bring Your Own Payment) credential management.
+     * Allows organizations to configure their own billing provider credentials
+     * to charge their end-users directly.
+     */
+    this.billingCredentials = {
+      /**
+       * Get the status of billing credentials for a provider.
+       * Returns whether credentials are configured and the mode (test/live).
+       * Requires 'owner' role.
+       *
+       * @param orgSlug Organization slug
+       * @param provider Billing provider ('stripe' or 'polar')
+       * @returns Credential configuration status
+       *
+       * @example
+       * ```typescript
+       * const status = await sso.organizations.billingCredentials.get('acme-corp', 'stripe');
+       * if (status.configured) {
+       *   console.log('Mode:', status.mode); // 'test' or 'live'
+       *   console.log('Enabled:', status.enabled);
+       * }
+       * ```
+       */
+      get: async (orgSlug, provider) => {
+        const response = await this.http.get(`/api/organizations/${orgSlug}/billing-credentials/${provider}`);
+        return response.data;
+      },
+      /**
+       * Set or update billing credentials for a provider.
+       * Enables the organization to charge their end-users using their own
+       * payment provider account.
+       * Requires 'owner' role.
+       *
+       * @param orgSlug Organization slug
+       * @param provider Billing provider ('stripe' or 'polar')
+       * @param payload Billing credentials
+       *
+       * @example
+       * ```typescript
+       * await sso.organizations.billingCredentials.set('acme-corp', 'stripe', {
+       *   api_key: 'sk_live_...',
+       *   webhook_secret: 'whsec_...',
+       *   mode: 'live'
+       * });
+       * ```
+       */
+      set: async (orgSlug, provider, payload) => {
+        await this.http.post(
+          `/api/organizations/${orgSlug}/billing-credentials/${provider}`,
+          payload
+        );
+      },
+      /**
+       * Delete billing credentials for a provider.
+       * The organization will no longer be able to charge end-users directly.
+       * Requires 'owner' role.
+       *
+       * @param orgSlug Organization slug
+       * @param provider Billing provider ('stripe' or 'polar')
+       *
+       * @example
+       * ```typescript
+       * await sso.organizations.billingCredentials.delete('acme-corp', 'stripe');
+       * ```
+       */
+      delete: async (orgSlug, provider) => {
+        await this.http.delete(
+          `/api/organizations/${orgSlug}/billing-credentials/${provider}`
+        );
+      }
+    };
     this.auditLogs = new AuditLogsModule(http);
     this.webhooks = new WebhooksModule(http);
   }
@@ -3079,6 +3245,30 @@ var PlatformModule = class {
         );
         return response.data;
       },
+      /**
+       * Update an organization's feature overrides.
+       *
+       * @param orgId Organization ID
+       * @param payload Feature override flags
+       * @returns Updated organization
+       *
+       * @example
+       * ```typescript
+       * await sso.platform.organizations.updateFeatures('org-id', {
+       *   allow_saml: true,
+       *   allow_scim: false,
+       *   allow_custom_domain: true,
+       *   allow_custom_branding: false
+       * });
+       * ```
+       */
+      updateFeatures: async (orgId, payload) => {
+        const response = await this.http.patch(
+          `/api/platform/organizations/${orgId}/features`,
+          payload
+        );
+        return response.data;
+      },
       /**
        * Delete an organization and all its associated data.
        * This is a destructive operation that cannot be undone.
@@ -4286,6 +4476,22 @@ var SsoClient = class {
   getBaseURL() {
     return this.http.defaults.baseURL || "";
   }
+  /**
+   * Gets the JWKS (JSON Web Key Set) URL for JWT verification.
+   * Use this for stateless token verification in edge functions or middleware.
+   *
+   * @returns The full URL to the .well-known/jwks.json endpoint
+   *
+   * @example
+   * ```typescript
+   * const jwksUrl = sso.getJwksUrl();
+   * // Returns: "https://sso.example.com/.well-known/jwks.json"
+   * ```
+   */
+  getJwksUrl() {
+    const baseUrl = this.getBaseURL().replace(/\/$/, "");
+    return `${baseUrl}/.well-known/jwks.json`;
+  }
   /**
    * Check if the user is currently authenticated
    */
@@ -4362,6 +4568,7 @@ var RiskEventOutcome = /* @__PURE__ */ ((RiskEventOutcome2) => {
   return RiskEventOutcome2;
 })(RiskEventOutcome || {});
 export {
+  AuthErrorCodes,
   AuthMethod,
   AuthModule,
   BrowserStorage,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@drmhse/sso-sdk",
-  "version": "0.3.2",
+  "version": "0.3.4",
   "description": "Zero-dependency TypeScript SDK for AuthOS, the multi-tenant authentication platform",
   "main": "dist/index.js",
   "module": "dist/index.mjs",
@@ -60,4 +60,4 @@
   "publishConfig": {
     "access": "public"
   }
-}
+}