@drmhse/sso-sdk 0.3.3 → 0.3.5

package/README.md

@@ -1,9 +1,9 @@
-# AuthOS SDK
+# [AuthOS](https://authos.dev) SDK
 
 [![npm version](https://img.shields.io/npm/v/@drmhse/sso-sdk)](https://www.npmjs.com/package/@drmhse/sso-sdk)
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
 
-A zero-dependency, strongly-typed TypeScript SDK for AuthOS, the multi-tenant authentication platform.
+A zero-dependency, strongly-typed TypeScript SDK for [AuthOS](https://authos.dev), the multi-tenant authentication platform.
 
 **[View Full Documentation →](https://drmhse.com/docs/sso/)**
 
@@ -331,7 +331,7 @@ sso.onAuthStateChange((isAuthenticated) => {
 
 ## Platform Administration
 
-For platform owners managing AuthOS:
+For platform owners managing [AuthOS](https://authos.dev):
 
 ```typescript
 // Approve pending organization
@@ -383,7 +383,7 @@ const login = async (credentials: LoginPayload): Promise<RefreshTokenResponse> =
 
 ## Validating JWTs in Your Backend
 
-AuthOS uses RS256 (asymmetric) JWT signing. Your backend can validate tokens without sharing secrets:
+[AuthOS](https://authos.dev) uses RS256 (asymmetric) JWT signing. Your backend can validate tokens without sharing secrets:
 
 ```typescript
 // Fetch JWKS from the SSO platform

package/dist/index.d.mts

@@ -23,6 +23,31 @@ declare class BrowserStorage implements TokenStorage {
     setItem(key: string, value: string): void;
     removeItem(key: string): void;
 }
+/**
+ * Browser Cookie adapter for SSR frameworks (Next.js, Nuxt, etc.)
+ *
+ * Uses document.cookie for client-side access. Works with server-side
+ * middleware that can read the same cookies.
+ *
+ * For Next.js App Router, pair this with cookies() from 'next/headers'
+ * in server components to pass the initial token.
+ */
+declare class CookieStorage implements TokenStorage {
+    private options;
+    constructor(options?: {
+        domain?: string;
+        path?: string;
+        secure?: boolean;
+        sameSite?: 'strict' | 'lax' | 'none';
+        maxAge?: number;
+    });
+    private getCookie;
+    private setCookie;
+    private deleteCookie;
+    getItem(key: string): string | null;
+    setItem(key: string, value: string): void;
+    removeItem(key: string): void;
+}
 
 /**
  * Common types used across the SDK
@@ -2027,6 +2052,14 @@ interface SessionConfig {
     storageKeyPrefix?: string;
     autoRefresh?: boolean;
 }
+/**
+ * Snapshot of the current authentication state.
+ * Useful for hydration in SSR frameworks.
+ */
+interface AuthSnapshot {
+    isAuthenticated: boolean;
+    token: string | null;
+}
 declare class SessionManager {
     private storage;
     private refreshHandler;
@@ -2061,7 +2094,13 @@ declare class SessionManager {
     refreshSession(): Promise<string>;
     isAuthenticated(): boolean;
     /**
-     * Subscribe to auth state changes (useful for UI updates)
+     * Get a synchronous snapshot of the current auth state.
+     * Useful for SSR hydration and initial state.
+     */
+    getSnapshot(): AuthSnapshot;
+    /**
+     * Subscribe to auth state changes (useful for UI updates).
+     * The listener is immediately called with the current state upon subscription.
      */
     subscribe(listener: (isAuthenticated: boolean) => void): () => void;
     private notifyListeners;
@@ -5577,6 +5616,19 @@ declare class SsoClient {
      * Gets the current base URL
      */
     getBaseURL(): string;
+    /**
+     * Gets the JWKS (JSON Web Key Set) URL for JWT verification.
+     * Use this for stateless token verification in edge functions or middleware.
+     *
+     * @returns The full URL to the .well-known/jwks.json endpoint
+     *
+     * @example
+     * ```typescript
+     * const jwksUrl = sso.getJwksUrl();
+     * // Returns: "https://sso.example.com/.well-known/jwks.json"
+     * ```
+     */
+    getJwksUrl(): string;
     /**
      * Check if the user is currently authenticated
      */
@@ -5607,6 +5659,52 @@ declare class SsoClient {
     getToken(): Promise<string | null>;
 }
 
+/**
+ * Standard authentication error codes returned by the AuthOS API.
+ * Use these to reliably switch UI states based on error type.
+ */
+declare enum AuthErrorCodes {
+    /** Multi-factor authentication is required to complete login */
+    MFA_REQUIRED = "MFA_REQUIRED",
+    /** User must select or create an organization */
+    ORG_REQUIRED = "ORG_REQUIRED",
+    /** The provided credentials are invalid */
+    INVALID_CREDENTIALS = "INVALID_CREDENTIALS",
+    /** The JWT token has expired */
+    TOKEN_EXPIRED = "TOKEN_EXPIRED",
+    /** The refresh token is invalid or has been revoked */
+    REFRESH_TOKEN_INVALID = "REFRESH_TOKEN_INVALID",
+    /** The user is not authorized to perform this action */
+    UNAUTHORIZED = "UNAUTHORIZED",
+    /** The user does not have permission for this resource */
+    FORBIDDEN = "FORBIDDEN",
+    /** The requested resource was not found */
+    NOT_FOUND = "NOT_FOUND",
+    /** The request failed validation */
+    VALIDATION_ERROR = "VALIDATION_ERROR",
+    /** The email address is already registered */
+    EMAIL_ALREADY_EXISTS = "EMAIL_ALREADY_EXISTS",
+    /** Email verification is required */
+    EMAIL_NOT_VERIFIED = "EMAIL_NOT_VERIFIED",
+    /** The account has been suspended */
+    ACCOUNT_SUSPENDED = "ACCOUNT_SUSPENDED",
+    /** The organization has been suspended */
+    ORG_SUSPENDED = "ORG_SUSPENDED",
+    /** Rate limit exceeded */
+    RATE_LIMITED = "RATE_LIMITED",
+    /** The password does not meet requirements */
+    WEAK_PASSWORD = "WEAK_PASSWORD",
+    /** The MFA code is invalid */
+    INVALID_MFA_CODE = "INVALID_MFA_CODE",
+    /** The magic link or verification token has expired */
+    LINK_EXPIRED = "LINK_EXPIRED",
+    /** The device code has expired */
+    DEVICE_CODE_EXPIRED = "DEVICE_CODE_EXPIRED",
+    /** Authorization is still pending (device flow) */
+    AUTHORIZATION_PENDING = "AUTHORIZATION_PENDING",
+    /** The passkey authentication failed */
+    PASSKEY_ERROR = "PASSKEY_ERROR"
+}
 /**
  * Custom error class for SSO API errors.
  * Provides structured error information from the API.
@@ -5643,4 +5741,4 @@ declare class SsoApiError extends Error {
     isNotFound(): boolean;
 }
 
-export { type AcceptInvitationPayload, type AdminLoginUrlParams, type AnalyticsQuery, type ApiKey, type ApiKeyCreateResponse, type ApproveOrganizationPayload, type AuditLog, type AuditLogEntry, type AuditLogQueryParams, type AuditLogResponse, AuthMethod, AuthModule, type AuthenticationResponseJSON, type BackupCodesResponse, type BrandingConfiguration, BrowserStorage, type ChangePasswordRequest, type ChangePasswordResponse, type ConfigureSamlPayload, type ConfigureSamlResponse, type CreateApiKeyPayload, type CreateCheckoutPayload, type CreateCheckoutResponse, type CreateInvitationPayload, type CreateOrganizationPayload, type CreateOrganizationResponse, type CreatePlanPayload, type CreateScimTokenRequest, type CreateServicePayload, type CreateServiceResponse, type CreateSiemConfigRequest, type CreateWebhookRequest, type DeclineInvitationPayload, type DeviceCodeRequest, type DeviceCodeResponse, type DeviceTrust, type DeviceVerifyResponse, type DomainConfiguration, type DomainVerificationMethod, type DomainVerificationResponse, type DomainVerificationResult, type EndUser, type EndUserDetailResponse, type EndUserIdentity, type EndUserListResponse, type EndUserSubscription, type EventTypeInfo, type ExportUserDataResponse, type ForgetUserResponse, type ForgotPasswordRequest, type ForgotPasswordResponse, type GeolocationData, type GetAuditLogParams, type GetRiskSettingsResponse, type GrowthTrendPoint, type Identity, type ImpersonateRequest, type ImpersonateResponse, type ImpersonationUserInfo, type Invitation, type InvitationStatus, type InvitationWithOrg, InvitationsModule, type JwtClaims, type ListApiKeysResponse, type ListDevicesResponse, type ListEndUsersParams, type ListOrganizationsParams, type ListPlatformOrganizationsParams, type ListScimTokensResponse, type ListSiemConfigsResponse, type LoginActivityPoint, type LoginEventExport, type LoginRequest, type LoginTrendPoint, type LoginUrlParams, type LoginsByProvider, type LoginsByService, type LookupEmailRequest, type LookupEmailResponse, MagicLinks, type MemberListResponse, type MemberRole, type Membership, type MembershipExport, MemoryStorage, type MfaEventExport, type MfaSetupResponse, type MfaStatusResponse, type MfaVerificationRequest, type MfaVerificationResponse, type MfaVerifyRequest, type MfaVerifyResponse, type OAuthCredentials, type OAuthIdentityExport, type OAuthProvider, type Organization, type OrganizationMember, type OrganizationResponse, type OrganizationStatus, type OrganizationStatusBreakdown, type OrganizationTier, OrganizationsModule, type PaginatedResponse, type PaginationInfo, type PaginationParams, type Passkey, type PasskeyAuthFinishRequest, type PasskeyAuthFinishResponse, type PasskeyAuthStartRequest, type PasskeyAuthStartResponse, type PasskeyExport, type PasskeyRegisterFinishRequest, type PasskeyRegisterFinishResponse, type PasskeyRegisterStartRequest, type PasskeyRegisterStartResponse, PasskeysModule, PermissionsModule, type Plan, type PlanResponse, type PlatformAnalyticsDateRangeParams, PlatformModule, type PlatformOrganizationResponse, type PlatformOrganizationsListResponse, type PlatformOverviewMetrics, type PromotePlatformOwnerPayload, type ProviderToken, type ProviderTokenGrant, type RecentLogin, type RecentOrganization, type RefreshTokenRequest, type RefreshTokenResponse, type RegisterRequest, type RegisterResponse, type RegistrationResponseJSON, type RejectOrganizationPayload, type ResetPasswordRequest, type ResetPasswordResponse, type RevokeDeviceRequest, type RevokeDeviceResponse, type RevokeSessionsResponse, RiskAction, type RiskAnalytics, type RiskAssessment, type RiskContext, type RiskEnforcementMode, type RiskEngineConfig, type RiskEvent, RiskEventOutcome, type RiskFactor, RiskFactorType, type RiskRule, type RiskRuleCondition, type RiskScore, type RiskSettings, type SamlCertificate, type SamlConfig, type ScimTokenResponse, type Service, ServiceApiModule, type ServiceListResponse, type ServiceResponse, type ServiceType, type ServiceWithDetails, ServicesModule, type SetCustomDomainRequest, type SetOAuthCredentialsPayload, type SetPasswordRequest, type SetPasswordResponse, type SetSmtpRequest, type SiemConfigResponse, type SiemProviderType, type SmtpConfigResponse, SsoApiError, SsoClient, type SsoClientOptions, type StartLinkResponse, type Subscription, type TestConnectionResponse, type TokenRequest, type TokenResponse, type TokenStorage, type TopOrganization, type TransferOwnershipPayload, type UpdateBrandingRequest, type UpdateMemberRolePayload, type UpdateOrganizationPayload, type UpdateOrganizationTierPayload, type UpdatePlanPayload, type UpdateRiskSettingsRequest, type UpdateRiskSettingsResponse, type UpdateServicePayload, type UpdateSiemConfigRequest, type UpdateUserProfilePayload, type UpdateWebhookRequest, type User, type UserDevice, UserModule, type UserProfile, type Webhook, type WebhookDelivery, type WebhookDeliveryListResponse, type WebhookDeliveryQueryParams, type WebhookListResponse, type WebhookResponse };
+export { type AcceptInvitationPayload, type AdminLoginUrlParams, type AnalyticsQuery, type ApiKey, type ApiKeyCreateResponse, type ApproveOrganizationPayload, type AuditLog, type AuditLogEntry, type AuditLogQueryParams, type AuditLogResponse, AuthErrorCodes, AuthMethod, AuthModule, type AuthSnapshot, type AuthenticationResponseJSON, type BackupCodesResponse, type BrandingConfiguration, BrowserStorage, type ChangePasswordRequest, type ChangePasswordResponse, type ConfigureSamlPayload, type ConfigureSamlResponse, CookieStorage, type CreateApiKeyPayload, type CreateCheckoutPayload, type CreateCheckoutResponse, type CreateInvitationPayload, type CreateOrganizationPayload, type CreateOrganizationResponse, type CreatePlanPayload, type CreateScimTokenRequest, type CreateServicePayload, type CreateServiceResponse, type CreateSiemConfigRequest, type CreateWebhookRequest, type DeclineInvitationPayload, type DeviceCodeRequest, type DeviceCodeResponse, type DeviceTrust, type DeviceVerifyResponse, type DomainConfiguration, type DomainVerificationMethod, type DomainVerificationResponse, type DomainVerificationResult, type EndUser, type EndUserDetailResponse, type EndUserIdentity, type EndUserListResponse, type EndUserSubscription, type EventTypeInfo, type ExportUserDataResponse, type ForgetUserResponse, type ForgotPasswordRequest, type ForgotPasswordResponse, type GeolocationData, type GetAuditLogParams, type GetRiskSettingsResponse, type GrowthTrendPoint, type Identity, type ImpersonateRequest, type ImpersonateResponse, type ImpersonationUserInfo, type Invitation, type InvitationStatus, type InvitationWithOrg, InvitationsModule, type JwtClaims, type ListApiKeysResponse, type ListDevicesResponse, type ListEndUsersParams, type ListOrganizationsParams, type ListPlatformOrganizationsParams, type ListScimTokensResponse, type ListSiemConfigsResponse, type LoginActivityPoint, type LoginEventExport, type LoginRequest, type LoginTrendPoint, type LoginUrlParams, type LoginsByProvider, type LoginsByService, type LookupEmailRequest, type LookupEmailResponse, MagicLinks, type MemberListResponse, type MemberRole, type Membership, type MembershipExport, MemoryStorage, type MfaEventExport, type MfaSetupResponse, type MfaStatusResponse, type MfaVerificationRequest, type MfaVerificationResponse, type MfaVerifyRequest, type MfaVerifyResponse, type OAuthCredentials, type OAuthIdentityExport, type OAuthProvider, type Organization, type OrganizationMember, type OrganizationResponse, type OrganizationStatus, type OrganizationStatusBreakdown, type OrganizationTier, OrganizationsModule, type PaginatedResponse, type PaginationInfo, type PaginationParams, type Passkey, type PasskeyAuthFinishRequest, type PasskeyAuthFinishResponse, type PasskeyAuthStartRequest, type PasskeyAuthStartResponse, type PasskeyExport, type PasskeyRegisterFinishRequest, type PasskeyRegisterFinishResponse, type PasskeyRegisterStartRequest, type PasskeyRegisterStartResponse, PasskeysModule, PermissionsModule, type Plan, type PlanResponse, type PlatformAnalyticsDateRangeParams, PlatformModule, type PlatformOrganizationResponse, type PlatformOrganizationsListResponse, type PlatformOverviewMetrics, type PromotePlatformOwnerPayload, type ProviderToken, type ProviderTokenGrant, type RecentLogin, type RecentOrganization, type RefreshTokenRequest, type RefreshTokenResponse, type RegisterRequest, type RegisterResponse, type RegistrationResponseJSON, type RejectOrganizationPayload, type ResetPasswordRequest, type ResetPasswordResponse, type RevokeDeviceRequest, type RevokeDeviceResponse, type RevokeSessionsResponse, RiskAction, type RiskAnalytics, type RiskAssessment, type RiskContext, type RiskEnforcementMode, type RiskEngineConfig, type RiskEvent, RiskEventOutcome, type RiskFactor, RiskFactorType, type RiskRule, type RiskRuleCondition, type RiskScore, type RiskSettings, type SamlCertificate, type SamlConfig, type ScimTokenResponse, type Service, ServiceApiModule, type ServiceListResponse, type ServiceResponse, type ServiceType, type ServiceWithDetails, ServicesModule, type SetCustomDomainRequest, type SetOAuthCredentialsPayload, type SetPasswordRequest, type SetPasswordResponse, type SetSmtpRequest, type SiemConfigResponse, type SiemProviderType, type SmtpConfigResponse, SsoApiError, SsoClient, type SsoClientOptions, type StartLinkResponse, type Subscription, type TestConnectionResponse, type TokenRequest, type TokenResponse, type TokenStorage, type TopOrganization, type TransferOwnershipPayload, type UpdateBrandingRequest, type UpdateMemberRolePayload, type UpdateOrganizationPayload, type UpdateOrganizationTierPayload, type UpdatePlanPayload, type UpdateRiskSettingsRequest, type UpdateRiskSettingsResponse, type UpdateServicePayload, type UpdateSiemConfigRequest, type UpdateUserProfilePayload, type UpdateWebhookRequest, type User, type UserDevice, UserModule, type UserProfile, type Webhook, type WebhookDelivery, type WebhookDeliveryListResponse, type WebhookDeliveryQueryParams, type WebhookListResponse, type WebhookResponse };

package/dist/index.d.ts

@@ -23,6 +23,31 @@ declare class BrowserStorage implements TokenStorage {
     setItem(key: string, value: string): void;
     removeItem(key: string): void;
 }
+/**
+ * Browser Cookie adapter for SSR frameworks (Next.js, Nuxt, etc.)
+ *
+ * Uses document.cookie for client-side access. Works with server-side
+ * middleware that can read the same cookies.
+ *
+ * For Next.js App Router, pair this with cookies() from 'next/headers'
+ * in server components to pass the initial token.
+ */
+declare class CookieStorage implements TokenStorage {
+    private options;
+    constructor(options?: {
+        domain?: string;
+        path?: string;
+        secure?: boolean;
+        sameSite?: 'strict' | 'lax' | 'none';
+        maxAge?: number;
+    });
+    private getCookie;
+    private setCookie;
+    private deleteCookie;
+    getItem(key: string): string | null;
+    setItem(key: string, value: string): void;
+    removeItem(key: string): void;
+}
 
 /**
  * Common types used across the SDK
@@ -2027,6 +2052,14 @@ interface SessionConfig {
     storageKeyPrefix?: string;
     autoRefresh?: boolean;
 }
+/**
+ * Snapshot of the current authentication state.
+ * Useful for hydration in SSR frameworks.
+ */
+interface AuthSnapshot {
+    isAuthenticated: boolean;
+    token: string | null;
+}
 declare class SessionManager {
     private storage;
     private refreshHandler;
@@ -2061,7 +2094,13 @@ declare class SessionManager {
     refreshSession(): Promise<string>;
     isAuthenticated(): boolean;
     /**
-     * Subscribe to auth state changes (useful for UI updates)
+     * Get a synchronous snapshot of the current auth state.
+     * Useful for SSR hydration and initial state.
+     */
+    getSnapshot(): AuthSnapshot;
+    /**
+     * Subscribe to auth state changes (useful for UI updates).
+     * The listener is immediately called with the current state upon subscription.
      */
     subscribe(listener: (isAuthenticated: boolean) => void): () => void;
     private notifyListeners;
@@ -5577,6 +5616,19 @@ declare class SsoClient {
      * Gets the current base URL
      */
     getBaseURL(): string;
+    /**
+     * Gets the JWKS (JSON Web Key Set) URL for JWT verification.
+     * Use this for stateless token verification in edge functions or middleware.
+     *
+     * @returns The full URL to the .well-known/jwks.json endpoint
+     *
+     * @example
+     * ```typescript
+     * const jwksUrl = sso.getJwksUrl();
+     * // Returns: "https://sso.example.com/.well-known/jwks.json"
+     * ```
+     */
+    getJwksUrl(): string;
     /**
      * Check if the user is currently authenticated
      */
@@ -5607,6 +5659,52 @@ declare class SsoClient {
     getToken(): Promise<string | null>;
 }
 
+/**
+ * Standard authentication error codes returned by the AuthOS API.
+ * Use these to reliably switch UI states based on error type.
+ */
+declare enum AuthErrorCodes {
+    /** Multi-factor authentication is required to complete login */
+    MFA_REQUIRED = "MFA_REQUIRED",
+    /** User must select or create an organization */
+    ORG_REQUIRED = "ORG_REQUIRED",
+    /** The provided credentials are invalid */
+    INVALID_CREDENTIALS = "INVALID_CREDENTIALS",
+    /** The JWT token has expired */
+    TOKEN_EXPIRED = "TOKEN_EXPIRED",
+    /** The refresh token is invalid or has been revoked */
+    REFRESH_TOKEN_INVALID = "REFRESH_TOKEN_INVALID",
+    /** The user is not authorized to perform this action */
+    UNAUTHORIZED = "UNAUTHORIZED",
+    /** The user does not have permission for this resource */
+    FORBIDDEN = "FORBIDDEN",
+    /** The requested resource was not found */
+    NOT_FOUND = "NOT_FOUND",
+    /** The request failed validation */
+    VALIDATION_ERROR = "VALIDATION_ERROR",
+    /** The email address is already registered */
+    EMAIL_ALREADY_EXISTS = "EMAIL_ALREADY_EXISTS",
+    /** Email verification is required */
+    EMAIL_NOT_VERIFIED = "EMAIL_NOT_VERIFIED",
+    /** The account has been suspended */
+    ACCOUNT_SUSPENDED = "ACCOUNT_SUSPENDED",
+    /** The organization has been suspended */
+    ORG_SUSPENDED = "ORG_SUSPENDED",
+    /** Rate limit exceeded */
+    RATE_LIMITED = "RATE_LIMITED",
+    /** The password does not meet requirements */
+    WEAK_PASSWORD = "WEAK_PASSWORD",
+    /** The MFA code is invalid */
+    INVALID_MFA_CODE = "INVALID_MFA_CODE",
+    /** The magic link or verification token has expired */
+    LINK_EXPIRED = "LINK_EXPIRED",
+    /** The device code has expired */
+    DEVICE_CODE_EXPIRED = "DEVICE_CODE_EXPIRED",
+    /** Authorization is still pending (device flow) */
+    AUTHORIZATION_PENDING = "AUTHORIZATION_PENDING",
+    /** The passkey authentication failed */
+    PASSKEY_ERROR = "PASSKEY_ERROR"
+}
 /**
  * Custom error class for SSO API errors.
  * Provides structured error information from the API.
@@ -5643,4 +5741,4 @@ declare class SsoApiError extends Error {
     isNotFound(): boolean;
 }
 
-export { type AcceptInvitationPayload, type AdminLoginUrlParams, type AnalyticsQuery, type ApiKey, type ApiKeyCreateResponse, type ApproveOrganizationPayload, type AuditLog, type AuditLogEntry, type AuditLogQueryParams, type AuditLogResponse, AuthMethod, AuthModule, type AuthenticationResponseJSON, type BackupCodesResponse, type BrandingConfiguration, BrowserStorage, type ChangePasswordRequest, type ChangePasswordResponse, type ConfigureSamlPayload, type ConfigureSamlResponse, type CreateApiKeyPayload, type CreateCheckoutPayload, type CreateCheckoutResponse, type CreateInvitationPayload, type CreateOrganizationPayload, type CreateOrganizationResponse, type CreatePlanPayload, type CreateScimTokenRequest, type CreateServicePayload, type CreateServiceResponse, type CreateSiemConfigRequest, type CreateWebhookRequest, type DeclineInvitationPayload, type DeviceCodeRequest, type DeviceCodeResponse, type DeviceTrust, type DeviceVerifyResponse, type DomainConfiguration, type DomainVerificationMethod, type DomainVerificationResponse, type DomainVerificationResult, type EndUser, type EndUserDetailResponse, type EndUserIdentity, type EndUserListResponse, type EndUserSubscription, type EventTypeInfo, type ExportUserDataResponse, type ForgetUserResponse, type ForgotPasswordRequest, type ForgotPasswordResponse, type GeolocationData, type GetAuditLogParams, type GetRiskSettingsResponse, type GrowthTrendPoint, type Identity, type ImpersonateRequest, type ImpersonateResponse, type ImpersonationUserInfo, type Invitation, type InvitationStatus, type InvitationWithOrg, InvitationsModule, type JwtClaims, type ListApiKeysResponse, type ListDevicesResponse, type ListEndUsersParams, type ListOrganizationsParams, type ListPlatformOrganizationsParams, type ListScimTokensResponse, type ListSiemConfigsResponse, type LoginActivityPoint, type LoginEventExport, type LoginRequest, type LoginTrendPoint, type LoginUrlParams, type LoginsByProvider, type LoginsByService, type LookupEmailRequest, type LookupEmailResponse, MagicLinks, type MemberListResponse, type MemberRole, type Membership, type MembershipExport, MemoryStorage, type MfaEventExport, type MfaSetupResponse, type MfaStatusResponse, type MfaVerificationRequest, type MfaVerificationResponse, type MfaVerifyRequest, type MfaVerifyResponse, type OAuthCredentials, type OAuthIdentityExport, type OAuthProvider, type Organization, type OrganizationMember, type OrganizationResponse, type OrganizationStatus, type OrganizationStatusBreakdown, type OrganizationTier, OrganizationsModule, type PaginatedResponse, type PaginationInfo, type PaginationParams, type Passkey, type PasskeyAuthFinishRequest, type PasskeyAuthFinishResponse, type PasskeyAuthStartRequest, type PasskeyAuthStartResponse, type PasskeyExport, type PasskeyRegisterFinishRequest, type PasskeyRegisterFinishResponse, type PasskeyRegisterStartRequest, type PasskeyRegisterStartResponse, PasskeysModule, PermissionsModule, type Plan, type PlanResponse, type PlatformAnalyticsDateRangeParams, PlatformModule, type PlatformOrganizationResponse, type PlatformOrganizationsListResponse, type PlatformOverviewMetrics, type PromotePlatformOwnerPayload, type ProviderToken, type ProviderTokenGrant, type RecentLogin, type RecentOrganization, type RefreshTokenRequest, type RefreshTokenResponse, type RegisterRequest, type RegisterResponse, type RegistrationResponseJSON, type RejectOrganizationPayload, type ResetPasswordRequest, type ResetPasswordResponse, type RevokeDeviceRequest, type RevokeDeviceResponse, type RevokeSessionsResponse, RiskAction, type RiskAnalytics, type RiskAssessment, type RiskContext, type RiskEnforcementMode, type RiskEngineConfig, type RiskEvent, RiskEventOutcome, type RiskFactor, RiskFactorType, type RiskRule, type RiskRuleCondition, type RiskScore, type RiskSettings, type SamlCertificate, type SamlConfig, type ScimTokenResponse, type Service, ServiceApiModule, type ServiceListResponse, type ServiceResponse, type ServiceType, type ServiceWithDetails, ServicesModule, type SetCustomDomainRequest, type SetOAuthCredentialsPayload, type SetPasswordRequest, type SetPasswordResponse, type SetSmtpRequest, type SiemConfigResponse, type SiemProviderType, type SmtpConfigResponse, SsoApiError, SsoClient, type SsoClientOptions, type StartLinkResponse, type Subscription, type TestConnectionResponse, type TokenRequest, type TokenResponse, type TokenStorage, type TopOrganization, type TransferOwnershipPayload, type UpdateBrandingRequest, type UpdateMemberRolePayload, type UpdateOrganizationPayload, type UpdateOrganizationTierPayload, type UpdatePlanPayload, type UpdateRiskSettingsRequest, type UpdateRiskSettingsResponse, type UpdateServicePayload, type UpdateSiemConfigRequest, type UpdateUserProfilePayload, type UpdateWebhookRequest, type User, type UserDevice, UserModule, type UserProfile, type Webhook, type WebhookDelivery, type WebhookDeliveryListResponse, type WebhookDeliveryQueryParams, type WebhookListResponse, type WebhookResponse };
+export { type AcceptInvitationPayload, type AdminLoginUrlParams, type AnalyticsQuery, type ApiKey, type ApiKeyCreateResponse, type ApproveOrganizationPayload, type AuditLog, type AuditLogEntry, type AuditLogQueryParams, type AuditLogResponse, AuthErrorCodes, AuthMethod, AuthModule, type AuthSnapshot, type AuthenticationResponseJSON, type BackupCodesResponse, type BrandingConfiguration, BrowserStorage, type ChangePasswordRequest, type ChangePasswordResponse, type ConfigureSamlPayload, type ConfigureSamlResponse, CookieStorage, type CreateApiKeyPayload, type CreateCheckoutPayload, type CreateCheckoutResponse, type CreateInvitationPayload, type CreateOrganizationPayload, type CreateOrganizationResponse, type CreatePlanPayload, type CreateScimTokenRequest, type CreateServicePayload, type CreateServiceResponse, type CreateSiemConfigRequest, type CreateWebhookRequest, type DeclineInvitationPayload, type DeviceCodeRequest, type DeviceCodeResponse, type DeviceTrust, type DeviceVerifyResponse, type DomainConfiguration, type DomainVerificationMethod, type DomainVerificationResponse, type DomainVerificationResult, type EndUser, type EndUserDetailResponse, type EndUserIdentity, type EndUserListResponse, type EndUserSubscription, type EventTypeInfo, type ExportUserDataResponse, type ForgetUserResponse, type ForgotPasswordRequest, type ForgotPasswordResponse, type GeolocationData, type GetAuditLogParams, type GetRiskSettingsResponse, type GrowthTrendPoint, type Identity, type ImpersonateRequest, type ImpersonateResponse, type ImpersonationUserInfo, type Invitation, type InvitationStatus, type InvitationWithOrg, InvitationsModule, type JwtClaims, type ListApiKeysResponse, type ListDevicesResponse, type ListEndUsersParams, type ListOrganizationsParams, type ListPlatformOrganizationsParams, type ListScimTokensResponse, type ListSiemConfigsResponse, type LoginActivityPoint, type LoginEventExport, type LoginRequest, type LoginTrendPoint, type LoginUrlParams, type LoginsByProvider, type LoginsByService, type LookupEmailRequest, type LookupEmailResponse, MagicLinks, type MemberListResponse, type MemberRole, type Membership, type MembershipExport, MemoryStorage, type MfaEventExport, type MfaSetupResponse, type MfaStatusResponse, type MfaVerificationRequest, type MfaVerificationResponse, type MfaVerifyRequest, type MfaVerifyResponse, type OAuthCredentials, type OAuthIdentityExport, type OAuthProvider, type Organization, type OrganizationMember, type OrganizationResponse, type OrganizationStatus, type OrganizationStatusBreakdown, type OrganizationTier, OrganizationsModule, type PaginatedResponse, type PaginationInfo, type PaginationParams, type Passkey, type PasskeyAuthFinishRequest, type PasskeyAuthFinishResponse, type PasskeyAuthStartRequest, type PasskeyAuthStartResponse, type PasskeyExport, type PasskeyRegisterFinishRequest, type PasskeyRegisterFinishResponse, type PasskeyRegisterStartRequest, type PasskeyRegisterStartResponse, PasskeysModule, PermissionsModule, type Plan, type PlanResponse, type PlatformAnalyticsDateRangeParams, PlatformModule, type PlatformOrganizationResponse, type PlatformOrganizationsListResponse, type PlatformOverviewMetrics, type PromotePlatformOwnerPayload, type ProviderToken, type ProviderTokenGrant, type RecentLogin, type RecentOrganization, type RefreshTokenRequest, type RefreshTokenResponse, type RegisterRequest, type RegisterResponse, type RegistrationResponseJSON, type RejectOrganizationPayload, type ResetPasswordRequest, type ResetPasswordResponse, type RevokeDeviceRequest, type RevokeDeviceResponse, type RevokeSessionsResponse, RiskAction, type RiskAnalytics, type RiskAssessment, type RiskContext, type RiskEnforcementMode, type RiskEngineConfig, type RiskEvent, RiskEventOutcome, type RiskFactor, RiskFactorType, type RiskRule, type RiskRuleCondition, type RiskScore, type RiskSettings, type SamlCertificate, type SamlConfig, type ScimTokenResponse, type Service, ServiceApiModule, type ServiceListResponse, type ServiceResponse, type ServiceType, type ServiceWithDetails, ServicesModule, type SetCustomDomainRequest, type SetOAuthCredentialsPayload, type SetPasswordRequest, type SetPasswordResponse, type SetSmtpRequest, type SiemConfigResponse, type SiemProviderType, type SmtpConfigResponse, SsoApiError, SsoClient, type SsoClientOptions, type StartLinkResponse, type Subscription, type TestConnectionResponse, type TokenRequest, type TokenResponse, type TokenStorage, type TopOrganization, type TransferOwnershipPayload, type UpdateBrandingRequest, type UpdateMemberRolePayload, type UpdateOrganizationPayload, type UpdateOrganizationTierPayload, type UpdatePlanPayload, type UpdateRiskSettingsRequest, type UpdateRiskSettingsResponse, type UpdateServicePayload, type UpdateSiemConfigRequest, type UpdateUserProfilePayload, type UpdateWebhookRequest, type User, type UserDevice, UserModule, type UserProfile, type Webhook, type WebhookDelivery, type WebhookDeliveryListResponse, type WebhookDeliveryQueryParams, type WebhookListResponse, type WebhookResponse };

package/dist/index.js

@@ -20,9 +20,11 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
+  AuthErrorCodes: () => AuthErrorCodes,
   AuthMethod: () => AuthMethod,
   AuthModule: () => AuthModule,
   BrowserStorage: () => BrowserStorage,
+  CookieStorage: () => CookieStorage,
   InvitationsModule: () => InvitationsModule,
   MagicLinks: () => MagicLinks,
   MemoryStorage: () => MemoryStorage,
@@ -42,6 +44,29 @@ __export(index_exports, {
 module.exports = __toCommonJS(index_exports);
 
 // src/errors.ts
+var AuthErrorCodes = /* @__PURE__ */ ((AuthErrorCodes2) => {
+  AuthErrorCodes2["MFA_REQUIRED"] = "MFA_REQUIRED";
+  AuthErrorCodes2["ORG_REQUIRED"] = "ORG_REQUIRED";
+  AuthErrorCodes2["INVALID_CREDENTIALS"] = "INVALID_CREDENTIALS";
+  AuthErrorCodes2["TOKEN_EXPIRED"] = "TOKEN_EXPIRED";
+  AuthErrorCodes2["REFRESH_TOKEN_INVALID"] = "REFRESH_TOKEN_INVALID";
+  AuthErrorCodes2["UNAUTHORIZED"] = "UNAUTHORIZED";
+  AuthErrorCodes2["FORBIDDEN"] = "FORBIDDEN";
+  AuthErrorCodes2["NOT_FOUND"] = "NOT_FOUND";
+  AuthErrorCodes2["VALIDATION_ERROR"] = "VALIDATION_ERROR";
+  AuthErrorCodes2["EMAIL_ALREADY_EXISTS"] = "EMAIL_ALREADY_EXISTS";
+  AuthErrorCodes2["EMAIL_NOT_VERIFIED"] = "EMAIL_NOT_VERIFIED";
+  AuthErrorCodes2["ACCOUNT_SUSPENDED"] = "ACCOUNT_SUSPENDED";
+  AuthErrorCodes2["ORG_SUSPENDED"] = "ORG_SUSPENDED";
+  AuthErrorCodes2["RATE_LIMITED"] = "RATE_LIMITED";
+  AuthErrorCodes2["WEAK_PASSWORD"] = "WEAK_PASSWORD";
+  AuthErrorCodes2["INVALID_MFA_CODE"] = "INVALID_MFA_CODE";
+  AuthErrorCodes2["LINK_EXPIRED"] = "LINK_EXPIRED";
+  AuthErrorCodes2["DEVICE_CODE_EXPIRED"] = "DEVICE_CODE_EXPIRED";
+  AuthErrorCodes2["AUTHORIZATION_PENDING"] = "AUTHORIZATION_PENDING";
+  AuthErrorCodes2["PASSKEY_ERROR"] = "PASSKEY_ERROR";
+  return AuthErrorCodes2;
+})(AuthErrorCodes || {});
 var SsoApiError = class _SsoApiError extends Error {
   constructor(message, statusCode, errorCode, timestamp) {
     super(message);
@@ -334,10 +359,22 @@ var SessionManager = class {
     return !!this.accessToken;
   }
   /**
-   * Subscribe to auth state changes (useful for UI updates)
+   * Get a synchronous snapshot of the current auth state.
+   * Useful for SSR hydration and initial state.
+   */
+  getSnapshot() {
+    return {
+      isAuthenticated: !!this.accessToken,
+      token: this.accessToken
+    };
+  }
+  /**
+   * Subscribe to auth state changes (useful for UI updates).
+   * The listener is immediately called with the current state upon subscription.
    */
   subscribe(listener) {
     this.listeners.push(listener);
+    listener(this.isAuthenticated());
     return () => {
       this.listeners = this.listeners.filter((l) => l !== listener);
     };
@@ -373,6 +410,60 @@ var BrowserStorage = class {
     if (typeof window !== "undefined") window.localStorage.removeItem(key);
   }
 };
+var CookieStorage = class {
+  constructor(options = {}) {
+    this.options = options;
+  }
+  getCookie(name) {
+    if (typeof window === "undefined") return null;
+    const value = `; ${document.cookie}`;
+    const parts = value.split(`; ${name}=`);
+    if (parts.length === 2) {
+      return parts.pop()?.split(";").shift() || null;
+    }
+    return null;
+  }
+  setCookie(name, value) {
+    if (typeof window === "undefined") return;
+    let cookie = `${name}=${value}`;
+    if (this.options.path) {
+      cookie += `; Path=${this.options.path}`;
+    }
+    if (this.options.domain) {
+      cookie += `; Domain=${this.options.domain}`;
+    }
+    if (this.options.secure !== false) {
+      cookie += "; Secure";
+    }
+    if (this.options.sameSite ?? "lax") {
+      cookie += `; SameSite=${this.options.sameSite ?? "lax"}`;
+    }
+    if (this.options.maxAge) {
+      cookie += `; Max-Age=${this.options.maxAge}`;
+    }
+    document.cookie = cookie;
+  }
+  deleteCookie(name) {
+    if (typeof window === "undefined") return;
+    let cookie = `${name}=; Expires=Thu, 01 Jan 1970 00:00:00 GMT`;
+    if (this.options.path) {
+      cookie += `; Path=${this.options.path}`;
+    }
+    if (this.options.domain) {
+      cookie += `; Domain=${this.options.domain}`;
+    }
+    document.cookie = cookie;
+  }
+  getItem(key) {
+    return this.getCookie(key);
+  }
+  setItem(key, value) {
+    this.setCookie(key, value);
+  }
+  removeItem(key) {
+    this.deleteCookie(key);
+  }
+};
 function resolveStorage(userStorage) {
   if (userStorage) return userStorage;
   if (typeof window !== "undefined" && window.localStorage) return new BrowserStorage();
@@ -4484,6 +4575,22 @@ var SsoClient = class {
   getBaseURL() {
     return this.http.defaults.baseURL || "";
   }
+  /**
+   * Gets the JWKS (JSON Web Key Set) URL for JWT verification.
+   * Use this for stateless token verification in edge functions or middleware.
+   *
+   * @returns The full URL to the .well-known/jwks.json endpoint
+   *
+   * @example
+   * ```typescript
+   * const jwksUrl = sso.getJwksUrl();
+   * // Returns: "https://sso.example.com/.well-known/jwks.json"
+   * ```
+   */
+  getJwksUrl() {
+    const baseUrl = this.getBaseURL().replace(/\/$/, "");
+    return `${baseUrl}/.well-known/jwks.json`;
+  }
   /**
    * Check if the user is currently authenticated
    */
@@ -4561,9 +4668,11 @@ var RiskEventOutcome = /* @__PURE__ */ ((RiskEventOutcome2) => {
 })(RiskEventOutcome || {});
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  AuthErrorCodes,
   AuthMethod,
   AuthModule,
   BrowserStorage,
+  CookieStorage,
   InvitationsModule,
   MagicLinks,
   MemoryStorage,

package/dist/index.mjs

@@ -1,4 +1,27 @@
 // src/errors.ts
+var AuthErrorCodes = /* @__PURE__ */ ((AuthErrorCodes2) => {
+  AuthErrorCodes2["MFA_REQUIRED"] = "MFA_REQUIRED";
+  AuthErrorCodes2["ORG_REQUIRED"] = "ORG_REQUIRED";
+  AuthErrorCodes2["INVALID_CREDENTIALS"] = "INVALID_CREDENTIALS";
+  AuthErrorCodes2["TOKEN_EXPIRED"] = "TOKEN_EXPIRED";
+  AuthErrorCodes2["REFRESH_TOKEN_INVALID"] = "REFRESH_TOKEN_INVALID";
+  AuthErrorCodes2["UNAUTHORIZED"] = "UNAUTHORIZED";
+  AuthErrorCodes2["FORBIDDEN"] = "FORBIDDEN";
+  AuthErrorCodes2["NOT_FOUND"] = "NOT_FOUND";
+  AuthErrorCodes2["VALIDATION_ERROR"] = "VALIDATION_ERROR";
+  AuthErrorCodes2["EMAIL_ALREADY_EXISTS"] = "EMAIL_ALREADY_EXISTS";
+  AuthErrorCodes2["EMAIL_NOT_VERIFIED"] = "EMAIL_NOT_VERIFIED";
+  AuthErrorCodes2["ACCOUNT_SUSPENDED"] = "ACCOUNT_SUSPENDED";
+  AuthErrorCodes2["ORG_SUSPENDED"] = "ORG_SUSPENDED";
+  AuthErrorCodes2["RATE_LIMITED"] = "RATE_LIMITED";
+  AuthErrorCodes2["WEAK_PASSWORD"] = "WEAK_PASSWORD";
+  AuthErrorCodes2["INVALID_MFA_CODE"] = "INVALID_MFA_CODE";
+  AuthErrorCodes2["LINK_EXPIRED"] = "LINK_EXPIRED";
+  AuthErrorCodes2["DEVICE_CODE_EXPIRED"] = "DEVICE_CODE_EXPIRED";
+  AuthErrorCodes2["AUTHORIZATION_PENDING"] = "AUTHORIZATION_PENDING";
+  AuthErrorCodes2["PASSKEY_ERROR"] = "PASSKEY_ERROR";
+  return AuthErrorCodes2;
+})(AuthErrorCodes || {});
 var SsoApiError = class _SsoApiError extends Error {
   constructor(message, statusCode, errorCode, timestamp) {
     super(message);
@@ -291,10 +314,22 @@ var SessionManager = class {
     return !!this.accessToken;
   }
   /**
-   * Subscribe to auth state changes (useful for UI updates)
+   * Get a synchronous snapshot of the current auth state.
+   * Useful for SSR hydration and initial state.
+   */
+  getSnapshot() {
+    return {
+      isAuthenticated: !!this.accessToken,
+      token: this.accessToken
+    };
+  }
+  /**
+   * Subscribe to auth state changes (useful for UI updates).
+   * The listener is immediately called with the current state upon subscription.
    */
   subscribe(listener) {
     this.listeners.push(listener);
+    listener(this.isAuthenticated());
     return () => {
       this.listeners = this.listeners.filter((l) => l !== listener);
     };
@@ -330,6 +365,60 @@ var BrowserStorage = class {
     if (typeof window !== "undefined") window.localStorage.removeItem(key);
   }
 };
+var CookieStorage = class {
+  constructor(options = {}) {
+    this.options = options;
+  }
+  getCookie(name) {
+    if (typeof window === "undefined") return null;
+    const value = `; ${document.cookie}`;
+    const parts = value.split(`; ${name}=`);
+    if (parts.length === 2) {
+      return parts.pop()?.split(";").shift() || null;
+    }
+    return null;
+  }
+  setCookie(name, value) {
+    if (typeof window === "undefined") return;
+    let cookie = `${name}=${value}`;
+    if (this.options.path) {
+      cookie += `; Path=${this.options.path}`;
+    }
+    if (this.options.domain) {
+      cookie += `; Domain=${this.options.domain}`;
+    }
+    if (this.options.secure !== false) {
+      cookie += "; Secure";
+    }
+    if (this.options.sameSite ?? "lax") {
+      cookie += `; SameSite=${this.options.sameSite ?? "lax"}`;
+    }
+    if (this.options.maxAge) {
+      cookie += `; Max-Age=${this.options.maxAge}`;
+    }
+    document.cookie = cookie;
+  }
+  deleteCookie(name) {
+    if (typeof window === "undefined") return;
+    let cookie = `${name}=; Expires=Thu, 01 Jan 1970 00:00:00 GMT`;
+    if (this.options.path) {
+      cookie += `; Path=${this.options.path}`;
+    }
+    if (this.options.domain) {
+      cookie += `; Domain=${this.options.domain}`;
+    }
+    document.cookie = cookie;
+  }
+  getItem(key) {
+    return this.getCookie(key);
+  }
+  setItem(key, value) {
+    this.setCookie(key, value);
+  }
+  removeItem(key) {
+    this.deleteCookie(key);
+  }
+};
 function resolveStorage(userStorage) {
   if (userStorage) return userStorage;
   if (typeof window !== "undefined" && window.localStorage) return new BrowserStorage();
@@ -4441,6 +4530,22 @@ var SsoClient = class {
   getBaseURL() {
     return this.http.defaults.baseURL || "";
   }
+  /**
+   * Gets the JWKS (JSON Web Key Set) URL for JWT verification.
+   * Use this for stateless token verification in edge functions or middleware.
+   *
+   * @returns The full URL to the .well-known/jwks.json endpoint
+   *
+   * @example
+   * ```typescript
+   * const jwksUrl = sso.getJwksUrl();
+   * // Returns: "https://sso.example.com/.well-known/jwks.json"
+   * ```
+   */
+  getJwksUrl() {
+    const baseUrl = this.getBaseURL().replace(/\/$/, "");
+    return `${baseUrl}/.well-known/jwks.json`;
+  }
   /**
    * Check if the user is currently authenticated
    */
@@ -4517,9 +4622,11 @@ var RiskEventOutcome = /* @__PURE__ */ ((RiskEventOutcome2) => {
   return RiskEventOutcome2;
 })(RiskEventOutcome || {});
 export {
+  AuthErrorCodes,
   AuthMethod,
   AuthModule,
   BrowserStorage,
+  CookieStorage,
   InvitationsModule,
   MagicLinks,
   MemoryStorage,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@drmhse/sso-sdk",
-  "version": "0.3.3",
+  "version": "0.3.5",
   "description": "Zero-dependency TypeScript SDK for AuthOS, the multi-tenant authentication platform",
   "main": "dist/index.js",
   "module": "dist/index.mjs",