@explorins/pers-sdk 1.2.5 → 1.2.6

package/dist/index.cjs

@@ -44,6 +44,241 @@ function mergeWithDefaults(config) {
     };
 }
 
+/**
+ * Platform-Agnostic Auth Admin API Client
+ *
+ * Handles authentication and authorization admin operations using the PERS backend.
+ * Uses @explorins/pers-shared DTOs for consistency with backend.
+ *
+ * Note: Special header handling (bypass-auth-interceptor) may need to be implemented
+ * at the PersApiClient level or through a specialized auth client.
+ */
+class AuthApi {
+    constructor(apiClient) {
+        this.apiClient = apiClient;
+        this.basePath = '/auth';
+    }
+    // ==========================================
+    // ADMIN AUTHENTICATION OPERATIONS
+    // ==========================================
+    /**
+     * ADMIN: Login tenant admin with JWT
+     * Note: JWT handling and auth bypass headers may need special implementation
+     */
+    async loginTenantAdmin(jwt) {
+        const body = {
+            authToken: jwt,
+            authType: persShared.AccountOwnerType.TENANT
+        };
+        return this.apiClient.post(`${this.basePath}/token`, body);
+    }
+    async loginUser(jwt) {
+        const body = {
+            authToken: jwt,
+            authType: persShared.AccountOwnerType.USER
+        };
+        return this.apiClient.post(`${this.basePath}/token`, body);
+    }
+    /**
+     * ADMIN: Refresh access token
+     * Note: Bypass header handling may need special implementation
+     */
+    async refreshAccessToken(refreshToken) {
+        return this.apiClient.post(`${this.basePath}/refresh`, { refreshToken });
+    }
+}
+
+/**
+ * Platform-Agnostic Auth Admin Service
+ *
+ * Contains auth admin business logic and operations that work across platforms.
+ * No framework dependencies - pure TypeScript business logic.
+ *
+ * Focuses only on actual backend capabilities.
+ */
+class AuthService {
+    constructor(authApi, authProvider) {
+        this.authApi = authApi;
+        this.authProvider = authProvider;
+    }
+    // ==========================================
+    // ADMIN AUTHENTICATION OPERATIONS
+    // ==========================================
+    /**
+     * ADMIN: Login tenant admin with JWT
+     * Automatically stores tokens if auth provider supports token storage
+     */
+    async loginTenantAdmin(jwt) {
+        const response = await this.authApi.loginTenantAdmin(jwt);
+        // Store tokens if auth provider supports it
+        if (this.authProvider && response.accessToken) {
+            await this.storeTokens(response.accessToken, response.refreshToken);
+        }
+        return response;
+    }
+    /**
+     * ADMIN: Login user with JWT
+     * Automatically stores tokens if auth provider supports token storage
+     */
+    async loginUser(jwt) {
+        const response = await this.authApi.loginUser(jwt);
+        // Store tokens if auth provider supports it
+        if (this.authProvider && response.accessToken) {
+            await this.storeTokens(response.accessToken, response.refreshToken);
+        }
+        return response;
+    }
+    /**
+     * ADMIN: Refresh access token
+     * Automatically stores new tokens if auth provider supports token storage
+     */
+    async refreshAccessToken(refreshToken) {
+        // Use provided refresh token or get from auth provider
+        const tokenToUse = refreshToken || (this.authProvider?.getRefreshToken ? await this.authProvider.getRefreshToken() : null);
+        if (!tokenToUse) {
+            throw new Error('No refresh token available for token refresh');
+        }
+        const response = await this.authApi.refreshAccessToken(tokenToUse);
+        // Store new tokens if auth provider supports it
+        if (this.authProvider && response.accessToken) {
+            await this.storeTokens(response.accessToken, response.refreshToken);
+        }
+        return response;
+    }
+    /**
+     * Automatic token refresh using stored refresh token
+     * Convenience method for 401 error handling
+     */
+    async autoRefreshToken() {
+        return this.refreshAccessToken(); // Uses stored refresh token
+    }
+    /**
+     * Clear stored tokens if auth provider supports it
+     */
+    async clearTokens() {
+        if (this.authProvider?.clearTokens) {
+            await this.authProvider.clearTokens();
+        }
+    }
+    /**
+     * Check if we have valid tokens for authentication
+     */
+    hasValidAuth() {
+        return this.authProvider?.hasValidToken?.() ?? false;
+    }
+    // ==========================================
+    // PRIVATE HELPERS
+    // ==========================================
+    /**
+     * Store tokens using auth provider if it supports token storage
+     */
+    async storeTokens(accessToken, refreshToken) {
+        if (!this.authProvider)
+            return;
+        try {
+            // Store access token
+            if (this.authProvider.setAccessToken) {
+                await this.authProvider.setAccessToken(accessToken);
+            }
+            // Store refresh token if provided and supported
+            if (refreshToken && this.authProvider.setRefreshToken) {
+                await this.authProvider.setRefreshToken(refreshToken);
+            }
+        }
+        catch (error) {
+            console.error('Failed to store tokens in auth provider:', error);
+            // Don't throw - token storage failure shouldn't break authentication
+        }
+    }
+}
+
+/**
+ * Simple, self-contained authentication provider for SDK
+ *
+ * Manages tokens internally without external dependencies.
+ * Perfect for platform-agnostic usage.
+ */
+class SimpleSdkAuthProvider {
+    constructor(projectKey) {
+        this.accessToken = null;
+        this.refreshToken = null;
+        this.projectKey = null;
+        this.authType = 'admin';
+        this.projectKey = projectKey || null;
+        // Try to load tokens from localStorage if available
+        this.loadTokensFromStorage();
+    }
+    async getToken() {
+        // Return stored access token
+        return this.accessToken;
+    }
+    async getProjectKey() {
+        return this.projectKey;
+    }
+    async onTokenExpired() {
+        console.log('SimpleSdkAuthProvider: Token expired, attempting refresh...');
+        if (!this.refreshToken) {
+            console.warn('SimpleSdkAuthProvider: No refresh token available');
+            throw new Error('No refresh token available for refresh');
+        }
+        // Note: Actual refresh logic would be handled by the SDK's AuthService
+        // This provider just manages token storage
+        console.warn('SimpleSdkAuthProvider: Token refresh should be handled by SDK AuthService');
+    }
+    // Token storage methods
+    async setAccessToken(token) {
+        this.accessToken = token;
+        this.saveTokenToStorage('pers_access_token', token);
+    }
+    async setRefreshToken(token) {
+        this.refreshToken = token;
+        this.saveTokenToStorage('pers_refresh_token', token);
+    }
+    async getRefreshToken() {
+        return this.refreshToken;
+    }
+    async clearTokens() {
+        this.accessToken = null;
+        this.refreshToken = null;
+        // Clear from storage
+        this.removeTokenFromStorage('pers_access_token');
+        this.removeTokenFromStorage('pers_refresh_token');
+    }
+    // Internal methods for token persistence
+    loadTokensFromStorage() {
+        if (typeof localStorage !== 'undefined') {
+            try {
+                this.accessToken = localStorage.getItem('pers_access_token');
+                this.refreshToken = localStorage.getItem('pers_refresh_token');
+            }
+            catch (error) {
+                console.error('Failed to load tokens from localStorage:', error);
+            }
+        }
+        else {
+            console.warn('localStorage is not available for token persistence');
+        }
+    }
+    saveTokenToStorage(key, value) {
+        if (typeof localStorage !== 'undefined') {
+            localStorage.setItem(key, value);
+        }
+    }
+    removeTokenFromStorage(key) {
+        if (typeof localStorage !== 'undefined') {
+            localStorage.removeItem(key);
+        }
+    }
+    // Utility methods for external integration
+    hasValidToken() {
+        const hasToken = !!this.accessToken;
+        return hasToken;
+    }
+    hasRefreshToken() {
+        return !!this.refreshToken;
+    }
+}
+
 // packages/pers-sdk/src/core/pers-api-client.ts
 /**
  * PERS API Client - Core platform-agnostic client for PERS backend
@@ -54,8 +289,15 @@ class PersApiClient {
         this.config = config;
         // Merge user config with defaults (production + v2)
         this.mergedConfig = mergeWithDefaults(config);
+        // Auto-create auth provider if none provided
+        if (!this.mergedConfig.authProvider) {
+            this.mergedConfig.authProvider = new SimpleSdkAuthProvider(this.mergedConfig.apiProjectKey);
+        }
         // Build API root from merged environment and version
         this.apiRoot = buildApiRoot(this.mergedConfig.environment, this.mergedConfig.apiVersion);
+        // Initialize auth services for direct authentication
+        this.authApi = new AuthApi(this);
+        this.authService = new AuthService(this.authApi, this.mergedConfig.authProvider);
     }
     /**
      * Get request headers including auth token and project key
@@ -160,6 +402,45 @@ class PersApiClient {
     async delete(endpoint) {
         return this.request('DELETE', endpoint);
     }
+    // ==========================================
+    // AUTHENTICATION METHODS
+    // ==========================================
+    /**
+     * Login admin user with external JWT (e.g., Firebase)
+     * Automatically stores tokens in auth provider if available
+     */
+    async loginAdmin(externalJwt) {
+        return this.authService.loginTenantAdmin(externalJwt);
+    }
+    /**
+     * Login regular user with external JWT
+     * Automatically stores tokens in auth provider if available
+     */
+    async loginUser(externalJwt) {
+        return this.authService.loginUser(externalJwt);
+    }
+    /**
+     * Refresh access token using stored refresh token
+     */
+    async refreshToken() {
+        const refreshToken = await this.mergedConfig.authProvider?.getRefreshToken?.();
+        if (!refreshToken) {
+            throw new Error('No refresh token available');
+        }
+        return this.authService.refreshAccessToken(refreshToken);
+    }
+    /**
+     * Clear all stored authentication tokens
+     */
+    async clearAuth() {
+        return this.authService.clearTokens();
+    }
+    /**
+     * Check if user has valid authentication token
+     */
+    hasValidAuth() {
+        return this.mergedConfig.authProvider?.hasValidToken?.() || false;
+    }
     /**
      * Get current configuration (returns merged config)
      */
@@ -182,168 +463,48 @@ class PersApiError extends Error {
         this.name = 'PersApiError';
     }
 }
-/**
- * PERS API Client - Core platform-agnostic client for PERS backend
- */
-/*import { HttpClient, RequestOptions } from './abstractions/http-client';
-import { PersConfig, buildApiRoot, mergeWithDefaults } from './pers-config';
-
-export class PersApiClient {
-  private readonly apiRoot: string;
-  private readonly mergedConfig: ReturnType<typeof mergeWithDefaults>;
-
-  constructor(
-    private httpClient: HttpClient,
-    private config: PersConfig
-  ) {
-    // Merge user config with defaults (production + v2)
-    this.mergedConfig = mergeWithDefaults(config);
-    
-    // Build API root from merged environment and version
-    this.apiRoot = buildApiRoot(this.mergedConfig.environment, this.mergedConfig.apiVersion);
-  }
-
-  /**
-   * Get request headers including auth token and project key
-   */
-/*private async getHeaders(): Promise<Record<string, string>> {
-  const headers: Record<string, string> = {
-    'Content-Type': 'application/json',
-  };
-
-  // Add authentication token
-  if (this.mergedConfig.authProvider) {
-    const token = await this.mergedConfig.authProvider.getToken();
-    if (token) {
-      headers['Authorization'] = `Bearer ${token}`;
-    }
-  }
-
-  // Add project key
-  if (this.mergedConfig.authProvider) {
-    const projectKey = await this.mergedConfig.authProvider.getProjectKey();
-    if (projectKey) {
-      headers['x-project-key'] = projectKey;
-    }
-  } else if(this.mergedConfig.apiProjectKey) {
-    // Fallback to config project key if no auth provider
-    headers['x-project-key'] = this.mergedConfig.apiProjectKey;
-  }
-
-  return headers;
-}
 
 /**
- * Make a request with proper headers, auth, and error handling
+ * Memory-based token storage (default)
  */
-/*private async request<T>(
-  method: 'GET' | 'POST' | 'PUT' | 'DELETE',
-  endpoint: string,
-  body?: any,
-  options?: { retryCount?: number }
-): Promise<T> {
-  const { retryCount = 0 } = options || {};
-  const url = `${this.apiRoot}${endpoint}`;
-  
-  const requestOptions: RequestOptions = {
-    headers: await this.getHeaders(),
-    timeout: this.mergedConfig.timeout,
-  };
-
-  try {
-    switch (method) {
-      case 'GET':
-        return await this.httpClient.get<T>(url, requestOptions);
-      case 'POST':
-        return await this.httpClient.post<T>(url, body, requestOptions);
-      case 'PUT':
-        return await this.httpClient.put<T>(url, body, requestOptions);
-      case 'DELETE':
-        return await this.httpClient.delete<T>(url, requestOptions);
-      default:
-        throw new Error(`Unsupported HTTP method: ${method}`);
-    }
-  } catch (error: any) {
-    // Handle 401 errors with automatic token refresh
-    if (error.status === 401 && retryCount === 0 && this.mergedConfig.authProvider?.onTokenExpired) {
-      try {
-        await this.mergedConfig.authProvider.onTokenExpired();
-        // Retry once with refreshed token
-        return this.request<T>(method, endpoint, body, { ...options, retryCount: 1 });
-      } catch (refreshError) {
-        throw new PersApiError(
-          `Authentication refresh failed: ${refreshError}`,
-          endpoint,
-          method,
-          401
-        );
-      }
+class MemoryTokenStorage {
+    constructor() {
+        this.storage = new Map();
+    }
+    async setItem(key, value) {
+        this.storage.set(key, value);
+    }
+    async getItem(key) {
+        return this.storage.get(key) || null;
+    }
+    async removeItem(key) {
+        this.storage.delete(key);
     }
-
-    throw new PersApiError(
-      `PERS API request failed: ${error.message || error}`,
-      endpoint,
-      method,
-      error.status
-    );
-  }
-}
-
-/**
- * Generic GET request
- */
-/*async get<T>(endpoint: string): Promise<T> {
-  return this.request<T>('GET', endpoint);
-}
-
-/**
- * Generic POST request
- */
-/*async post<T>(endpoint: string, body?: any): Promise<T> {
-  return this.request<T>('POST', endpoint, body);
-}
-
-/**
- * Generic PUT request
- */
-/*async put<T>(endpoint: string, body?: any): Promise<T> {
-  return this.request<T>('PUT', endpoint, body);
-}
-
-/**
- * Generic DELETE request
- */
-/*async delete<T>(endpoint: string): Promise<T> {
-  return this.request<T>('DELETE', endpoint);
-}
-
-/**
- * Get current configuration (returns merged config)
- */
-/*getConfig(): ReturnType<typeof mergeWithDefaults> {
-  return this.mergedConfig;
 }
-
 /**
- * Get original user configuration
+ * localStorage-based token storage (browser only)
  */
-/*getOriginalConfig(): PersConfig {
-  return this.config;
-}
-}
-
-export class PersApiError extends Error {
-constructor(
-  message: string,
-  public endpoint: string,
-  public method: string,
-  public statusCode?: number
-) {
-  super(message);
-  this.name = 'PersApiError';
+class LocalStorageTokenStorage {
+    async setItem(key, value) {
+        if (typeof localStorage !== 'undefined') {
+            localStorage.setItem(key, value);
+        }
+        else {
+            throw new Error('localStorage is not available in this environment');
+        }
+    }
+    async getItem(key) {
+        if (typeof localStorage !== 'undefined') {
+            return localStorage.getItem(key);
+        }
+        return null;
+    }
+    async removeItem(key) {
+        if (typeof localStorage !== 'undefined') {
+            localStorage.removeItem(key);
+        }
+    }
 }
-}*/
-
 /**
  * Creates a platform-agnostic AuthProvider from simple configuration
  *
@@ -354,12 +515,33 @@ constructor(
  * - Token caching with refresh support
  * - Automatic token refresh on expiration
  * - Configurable token providers
- * - Platform-independent (no localStorage assumptions)
+ * - Token storage (memory, localStorage, custom)
+ * - Platform-independent
  *
  * @param config - Simple auth configuration
  * @returns AuthProvider implementation
  */
 function createAuthProvider(config) {
+    // Initialize token storage
+    let tokenStorage;
+    switch (config.tokenStorage) {
+        case 'localStorage':
+            tokenStorage = new LocalStorageTokenStorage();
+            break;
+        case 'custom':
+            if (!config.customTokenStorage) {
+                throw new Error('Custom token storage configuration is required when tokenStorage is "custom"');
+            }
+            tokenStorage = config.customTokenStorage;
+            break;
+        case 'memory':
+        default:
+            tokenStorage = new MemoryTokenStorage();
+            break;
+    }
+    // Token storage keys
+    const ACCESS_TOKEN_KEY = `pers_access_token_${config.authType || 'user'}`;
+    const REFRESH_TOKEN_KEY = `pers_refresh_token_${config.authType || 'user'}`;
     // Store current token for refresh scenarios and caching
     let currentToken = config.token || null;
     let isRefreshing = false; // Prevent concurrent refresh attempts
@@ -376,6 +558,17 @@ function createAuthProvider(config) {
             if (currentToken) {
                 return currentToken;
             }
+            // Try to get token from storage
+            try {
+                const storedToken = await tokenStorage.getItem(ACCESS_TOKEN_KEY);
+                if (storedToken) {
+                    currentToken = storedToken;
+                    return storedToken;
+                }
+            }
+            catch (error) {
+                console.warn('Failed to retrieve token from storage:', error);
+            }
             // Custom token provider function (always fresh)
             if (config.tokenProvider) {
                 const token = await config.tokenProvider();
@@ -388,6 +581,48 @@ function createAuthProvider(config) {
         async getProjectKey() {
             return config.projectKey || null;
         },
+        // Token storage methods
+        async setAccessToken(token) {
+            currentToken = token;
+            try {
+                await tokenStorage.setItem(ACCESS_TOKEN_KEY, token);
+            }
+            catch (error) {
+                console.error('Failed to store access token:', error);
+                throw error;
+            }
+        },
+        async setRefreshToken(token) {
+            try {
+                await tokenStorage.setItem(REFRESH_TOKEN_KEY, token);
+            }
+            catch (error) {
+                console.error('Failed to store refresh token:', error);
+                throw error;
+            }
+        },
+        async getRefreshToken() {
+            try {
+                return await tokenStorage.getItem(REFRESH_TOKEN_KEY);
+            }
+            catch (error) {
+                console.warn('Failed to retrieve refresh token from storage:', error);
+                return null;
+            }
+        },
+        async clearTokens() {
+            currentToken = null;
+            try {
+                await Promise.all([
+                    tokenStorage.removeItem(ACCESS_TOKEN_KEY),
+                    tokenStorage.removeItem(REFRESH_TOKEN_KEY)
+                ]);
+            }
+            catch (error) {
+                console.error('Failed to clear tokens from storage:', error);
+                throw error;
+            }
+        },
         async onTokenExpired() {
             // Prevent concurrent refresh attempts
             if (isRefreshing) {
@@ -399,7 +634,13 @@ function createAuthProvider(config) {
             // No refresh logic provided
             if (!config.onTokenExpired) {
                 console.warn('Token expired but no refresh logic provided');
-                currentToken = null; // Clear expired token
+                currentToken = null;
+                try {
+                    await tokenStorage.removeItem(ACCESS_TOKEN_KEY);
+                }
+                catch (error) {
+                    console.warn('Failed to clear expired token from storage:', error);
+                }
                 return;
             }
             // Start refresh process
@@ -413,6 +654,13 @@ function createAuthProvider(config) {
                         const newToken = await config.tokenProvider();
                         if (newToken && newToken !== currentToken) {
                             currentToken = newToken;
+                            // Store the new token
+                            try {
+                                await tokenStorage.setItem(ACCESS_TOKEN_KEY, newToken);
+                            }
+                            catch (error) {
+                                console.warn('Failed to store refreshed token:', error);
+                            }
                             // Notify about successful token refresh
                             if (config.onTokenRefreshed) {
                                 config.onTokenRefreshed(newToken);
@@ -421,17 +669,35 @@ function createAuthProvider(config) {
                         else {
                             console.warn('Token refresh completed but no new token received');
                             currentToken = null;
+                            try {
+                                await tokenStorage.removeItem(ACCESS_TOKEN_KEY);
+                            }
+                            catch (error) {
+                                console.warn('Failed to clear token after failed refresh:', error);
+                            }
                         }
                     }
                     else {
                         // For static token configs, clear the token since we can't refresh
                         console.warn('Token expired for static token config - clearing token');
                         currentToken = null;
+                        try {
+                            await tokenStorage.removeItem(ACCESS_TOKEN_KEY);
+                        }
+                        catch (error) {
+                            console.warn('Failed to clear expired static token:', error);
+                        }
                     }
                 }
                 catch (error) {
                     console.error('Token refresh failed:', error);
                     currentToken = null; // Clear token on refresh failure
+                    try {
+                        await tokenStorage.removeItem(ACCESS_TOKEN_KEY);
+                    }
+                    catch (storageError) {
+                        console.warn('Failed to clear token after refresh failure:', storageError);
+                    }
                     throw error; // Re-throw to let SDK handle the error
                 }
                 finally {
@@ -468,6 +734,44 @@ function createAuthProvider(config) {
   };
 } */
 
+/**
+ * @explorins/pers-sdk/core/auth - Consolidated Auth Module
+ *
+ * All authentication functionality in one place:
+ * - Auth provider interfaces and implementations
+ * - Auth API and service logic
+ * - Token management
+ */
+// Auth provider interfaces and implementations
+/**
+ * Create a complete Auth SDK instance (for backward compatibility)
+ * Note: This is now handled directly by PersApiClient
+ *
+ * @param apiClient - Configured PERS API client
+ * @param authProvider - Optional auth provider. If not provided, uses SimpleSdkAuthProvider
+ * @returns Auth SDK with flattened structure for better DX
+ */
+function createAuthSDK(apiClient, authProvider) {
+    // Use simple internal auth provider if none provided
+    const provider = authProvider || new SimpleSdkAuthProvider();
+    const authApi = new AuthApi(apiClient);
+    const authService = new AuthService(authApi, provider);
+    return {
+        // Direct access to service methods (primary interface)
+        // Admin authentication methods
+        loginTenantAdmin: (jwt) => authService.loginTenantAdmin(jwt),
+        loginUser: (jwt) => authService.loginUser(jwt),
+        refreshAccessToken: (refreshToken) => authService.refreshAccessToken(refreshToken),
+        clearTokens: () => authService.clearTokens(),
+        // Auth provider access for external integration
+        getAuthProvider: () => provider,
+        hasValidToken: () => provider.hasValidToken?.() || false,
+        // Advanced access for edge cases
+        api: authApi,
+        service: authService
+    };
+}
+
 /**
  * PERS SDK - Minimal platform-agnostic client with built-in authentication
  * Authentication is now handled at the SDK core level for better scalability
@@ -1265,113 +1569,6 @@ function createAnalyticsSDK(apiClient) {
     };
 }
 
-/**
- * Platform-Agnostic Auth Admin API Client
- *
- * Handles authentication and authorization admin operations using the PERS backend.
- * Uses @explorins/pers-shared DTOs for consistency with backend.
- *
- * Note: Special header handling (bypass-auth-interceptor) may need to be implemented
- * at the PersApiClient level or through a specialized auth client.
- */
-class AuthAdminApi {
-    constructor(apiClient) {
-        this.apiClient = apiClient;
-        this.basePath = '/auth';
-    }
-    // ==========================================
-    // ADMIN AUTHENTICATION OPERATIONS
-    // ==========================================
-    /**
-     * ADMIN: Login tenant admin with JWT
-     * Note: JWT handling and auth bypass headers may need special implementation
-     */
-    async loginTenantAdmin(jwt) {
-        const body = {
-            authToken: jwt,
-            authType: persShared.AccountOwnerType.TENANT
-        };
-        return this.apiClient.post(`${this.basePath}/token`, body);
-    }
-    async loginUser(jwt) {
-        const body = {
-            authToken: jwt,
-            authType: persShared.AccountOwnerType.USER
-        };
-        return this.apiClient.post(`${this.basePath}/token`, body);
-    }
-    /**
-     * ADMIN: Refresh access token
-     * Note: Bypass header handling may need special implementation
-     */
-    async refreshAccessToken(refreshToken) {
-        return this.apiClient.post(`${this.basePath}/refresh`, { refreshToken });
-    }
-}
-
-/**
- * Platform-Agnostic Auth Admin Service
- *
- * Contains auth admin business logic and operations that work across platforms.
- * No framework dependencies - pure TypeScript business logic.
- *
- * Focuses only on actual backend capabilities.
- */
-class AuthAdminService {
-    constructor(authAdminApi) {
-        this.authAdminApi = authAdminApi;
-    }
-    // ==========================================
-    // ADMIN AUTHENTICATION OPERATIONS
-    // ==========================================
-    /**
-     * ADMIN: Login tenant admin with JWT
-     */
-    async loginTenantAdmin(jwt) {
-        return this.authAdminApi.loginTenantAdmin(jwt);
-    }
-    /**
-     * ADMIN: Login user with JWT
-     */
-    async loginUser(jwt) {
-        return this.authAdminApi.loginUser(jwt);
-    }
-    /**
-     * ADMIN: Refresh access token
-     */
-    async refreshAccessToken(refreshToken) {
-        return this.authAdminApi.refreshAccessToken(refreshToken);
-    }
-}
-
-/**
- * @explorins/pers-sdk-auth-admin
- *
- * Platform-agnostic Auth Admin Domain SDK for PERS ecosystem
- * Handles authentication and authorization admin operations
- */
-// API Layer
-/**
- * Create a complete Auth Admin SDK instance
- *
- * @param apiClient - Configured PERS API client
- * @returns Auth Admin SDK with flattened structure for better DX
- */
-function createAuthAdminSDK(apiClient) {
-    const authAdminApi = new AuthAdminApi(apiClient);
-    const authAdminService = new AuthAdminService(authAdminApi);
-    return {
-        // Direct access to service methods (primary interface)
-        // Admin authentication methods
-        loginTenantAdmin: (jwt) => authAdminService.loginTenantAdmin(jwt),
-        loginUser: (jwt) => authAdminService.loginUser(jwt),
-        refreshAccessToken: (refreshToken) => authAdminService.refreshAccessToken(refreshToken),
-        // Advanced access for edge cases
-        api: authAdminApi,
-        service: authAdminService
-    };
-}
-
 /**
  * Platform-Agnostic Campaign API Client (NEW - RESTful Design)
  *
@@ -2240,29 +2437,22 @@ class RedemptionApi {
     // PUBLIC OPERATIONS (Project Key)
     // ==========================================
     /**
-     * PUBLIC: Get redemptions (intelligent access)
+     * UNIFIED: Get redemptions with intelligent access control
      *
-     * NEW: Intelligent endpoint that adapts based on authentication
+     * Intelligent endpoint that adapts based on authentication:
      * - Public users: Get active redemptions only
      * - Admin users: Get all redemptions with optional filtering
      *
-     * Replaces: getActiveRedemptions() + getRedemptionsAsAdmin()
+     * @param options.active - Filter by active status (undefined = all for admins/active for public)
+     * @param options.adminAccess - Force admin access (requires admin auth)
      */
-    async getRedemptions(active) {
+    async getRedemptions(options) {
         let url = `${this.basePath}`;
-        if (active !== undefined) {
-            url += `?active=${active}`;
+        if (options?.active !== undefined) {
+            url += `?active=${options.active}`;
         }
         return this.apiClient.get(url);
     }
-    /**
-     * PUBLIC: Get active redemptions
-     *
-     * Updated: Now uses unified endpoint (backward compatibility)
-     */
-    async getActiveRedemptions() {
-        return this.getRedemptions(); // Will return active only for public access
-    }
     /**
      * PUBLIC: Get redemption types
      *
@@ -2308,12 +2498,27 @@ class RedemptionApi {
     // REDEMPTION REDEEMS QUERIES (NEW ENDPOINTS)
     // ==========================================
     /**
-     * Get redemption redeems with filtering (unified endpoint)
+     * UNIFIED: Get redemption redeems with filtering and intelligent access
      *
-     * NEW: GET /redemption-redeems with query parameters
-     * Role-based access: Users see only their own, admins can filter by userId/businessId
+     * Role-based access with unified filtering:
+     * - Users: See only their own redeems (userId/businessId filters ignored)
+     * - Admins: Can filter by userId, businessId, or redemptionId
+     *
+     * @param filters.redemptionId - Filter by specific redemption
+     * @param filters.userId - Admin only: Filter by user ID
+     * @param filters.businessId - Admin only: Filter by business ID
+     * @param filters.myRedeems - Force user's own redeems (uses /me endpoint)
      */
     async getRedemptionRedeems(filters) {
+        // Use convenience endpoint for user's own redeems
+        if (filters?.myRedeems) {
+            let url = `${this.redeemsPath}/me`;
+            if (filters.redemptionId) {
+                url += `?redemptionId=${filters.redemptionId}`;
+            }
+            return this.apiClient.get(url);
+        }
+        // Use admin endpoint with filtering
         let url = this.redeemsPath;
         const params = new URLSearchParams();
         if (filters?.redemptionId)
@@ -2329,67 +2534,22 @@ class RedemptionApi {
         return this.apiClient.get(url);
     }
     /**
-     * Get specific redemption redeem by ID
-     *
-     * NEW: GET /redemption-redeems/:id
+     * UNIFIED: Get specific redemption redeem by ID
      */
     async getRedemptionRedeemById(id) {
         return this.apiClient.get(`${this.redeemsPath}/${id}`);
     }
-    /**
-     * USER: Get my redemption redeems (convenience endpoint)
-     *
-     * NEW: GET /redemption-redeems/me with optional filtering
-     */
-    async getMyRedemptionRedeems(redemptionId) {
-        let url = `${this.redeemsPath}/me`;
-        if (redemptionId) {
-            url += `?redemptionId=${redemptionId}`;
-        }
-        return this.apiClient.get(url);
-    }
-    /**
-     * ADMIN: Get redemption redeems by user ID
-     *
-     * NEW: GET /redemption-redeems?userId=X
-     */
-    async getRedemptionRedeemsByUserId(userId, redemptionId) {
-        return this.getRedemptionRedeems({ userId, redemptionId });
-    }
-    /**
-     * ADMIN: Get redemption redeems by business ID
-     *
-     * NEW: GET /redemption-redeems?businessId=X
-     */
-    async getRedemptionRedeemsByBusinessId(businessId, redemptionId) {
-        return this.getRedemptionRedeems({ businessId, redemptionId });
-    }
-    /**
-     * ADMIN: Get redemption redeems by redemption ID
-     *
-     * NEW: GET /redemption-redeems?redemptionId=X
-     */
-    async getRedemptionRedeemsByRedemptionId(redemptionId) {
-        return this.getRedemptionRedeems({ redemptionId });
-    }
     // ==========================================
     // USER OPERATIONS (JWT + Project Key)
     // ==========================================
     /**
-     * USER: Get user redemption history
-     *
-     * Updated: Uses new convenience endpoint /redemption-redeems/me
-     */
-    async getUserRedemptionHistory() {
-        return this.getMyRedemptionRedeems();
-    }
-    /**
-     * USER: Get user redemptions (backward compatibility)
+     * UNIFIED: Get user redemption history
      *
-     * Deprecated: Use getUserRedemptionHistory() instead
+     * Uses convenience endpoint /redemption-redeems/me with optional filtering
+     * @param redemptionId - Optional filter by specific redemption
      */
-    async getUserRedeems() {
-        return this.getUserRedemptionHistory();
+    async getUserRedeems(redemptionId) {
+        return this.getRedemptionRedeems({ myRedeems: true, redemptionId });
     }
     // ==========================================
     // ADMIN OPERATIONS (Tenant Admin JWT)
@@ -2401,7 +2561,7 @@ class RedemptionApi {
      * The unified endpoint will detect admin privileges and allow filtering
      */
     async getRedemptionsAsAdmin(active) {
-        return this.getRedemptions(active); // Uses intelligent endpoint
+        return this.getRedemptions({ active, adminAccess: true });
     }
     /**
      * ADMIN: Create redemption
@@ -2420,21 +2580,13 @@ class RedemptionApi {
         return this.apiClient.put(`${this.basePath}/${id}`, redemptionCreateRequest);
     }
     /**
-     * ADMIN: Toggle redemption status
+     * UNIFIED: Toggle redemption active status
      *
      * Updated: /redemption/admin/:id/toggle-active → /redemptions/:id/status
      * Following standard /status pattern used across domains
      */
-    async toggleRedemptionStatus(redemptionId) {
-        return this.apiClient.put(`${this.basePath}/${redemptionId}/status`, {});
-    }
-    /**
-     * ADMIN: Toggle redemption active (backward compatibility)
-     *
-     * Deprecated: Use toggleRedemptionStatus() instead
-     */
     async toggleRedemptionActive(redemptionId) {
-        return this.toggleRedemptionStatus(redemptionId);
+        return this.apiClient.put(`${this.basePath}/${redemptionId}/status`, {});
     }
     /**
      * ADMIN: Delete redemption
@@ -2480,21 +2632,13 @@ class RedemptionApi {
         return this.apiClient.delete(`${this.basePath}/${redemptionId}/token-units/${redemptionTokenUnitId}`);
     }
     // ==========================================
-    // BACKWARD COMPATIBILITY METHODS
+    // CONVENIENCE METHODS (Legacy Support)
     // ==========================================
     /**
-     * @deprecated Use getRedemptions() instead
-     * Backward compatibility for old admin endpoint
+     * Convenience: Get active redemptions (public access)
      */
-    async getRedemptionsAdmin(active) {
-        return this.getRedemptionsAsAdmin(active);
-    }
-    /**
-     * @deprecated Use redeemRedemption() instead
-     * Backward compatibility for old redeem method
-     */
-    async redeem(redemptionId) {
-        return this.redeemRedemption(redemptionId);
+    async getActiveRedemptions() {
+        return this.getRedemptions({ active: true });
     }
 }
 
@@ -2514,7 +2658,15 @@ class RedemptionService {
     // PUBLIC OPERATIONS
     // ==========================================
     /**
-     * PUBLIC: Get active redemptions
+     * UNIFIED: Get redemptions with intelligent access control
+     * @param options.active - Filter by active status
+     * @param options.adminAccess - Force admin access
+     */
+    async getRedemptions(options) {
+        return this.redemptionApi.getRedemptions(options);
+    }
+    /**
+     * Convenience: Get active redemptions (public)
      */
     async getActiveRedemptions() {
         return this.redemptionApi.getActiveRedemptions();
@@ -2535,7 +2687,13 @@ class RedemptionService {
         return this.redemptionApi.redeemRedemption(redemptionId);
     }
     /**
-     * AUTH: Get user redemptions
+     * UNIFIED: Get redemption redeems with filtering
+     */
+    async getRedemptionRedeems(filters) {
+        return this.redemptionApi.getRedemptionRedeems(filters);
+    }
+    /**
+     * Convenience: Get user redemptions
      */
     async getUserRedeems() {
         return this.redemptionApi.getUserRedeems();
@@ -2544,7 +2702,7 @@ class RedemptionService {
     // ADMIN OPERATIONS
     // ==========================================
     /**
-     * ADMIN: Get redemptions with optional active filter
+     * Convenience: Get redemptions as admin
      */
     async getRedemptionsAsAdmin(active) {
         return this.redemptionApi.getRedemptionsAsAdmin(active);
@@ -4698,10 +4856,14 @@ function createWeb3SDK(apiClient) {
     };
 }
 
+Object.defineProperty(exports, "AccountOwnerType", {
+    enumerable: true,
+    get: function () { return persShared.AccountOwnerType; }
+});
 exports.AnalyticsApi = AnalyticsApi;
 exports.AnalyticsService = AnalyticsService;
-exports.AuthAdminApi = AuthAdminApi;
-exports.AuthAdminService = AuthAdminService;
+exports.AuthApi = AuthApi;
+exports.AuthService = AuthService;
 exports.BaseTokenService = BaseTokenService;
 exports.BusinessApi = BusinessApi;
 exports.BusinessService = BusinessService;
@@ -4719,6 +4881,7 @@ exports.PersApiError = PersApiError;
 exports.PersSDK = PersSDK;
 exports.RedemptionApi = RedemptionApi;
 exports.RedemptionService = RedemptionService;
+exports.SimpleSdkAuthProvider = SimpleSdkAuthProvider;
 exports.TenantApi = TenantApi;
 exports.TenantService = TenantService;
 exports.TokenApi = TokenApi;
@@ -4737,8 +4900,8 @@ exports.Web3InfrastructureApi = Web3InfrastructureApi;
 exports.Web3ProviderService = Web3ProviderService;
 exports.buildApiRoot = buildApiRoot;
 exports.createAnalyticsSDK = createAnalyticsSDK;
-exports.createAuthAdminSDK = createAuthAdminSDK;
 exports.createAuthProvider = createAuthProvider;
+exports.createAuthSDK = createAuthSDK;
 exports.createBusinessSDK = createBusinessSDK;
 exports.createCampaignSDK = createCampaignSDK;
 exports.createDonationSDK = createDonationSDK;