@insforge/sdk 1.4.0 → 1.4.1

package/README.md

@@ -56,6 +56,19 @@ const admin = createAdminClient({
 
 `apiKey` belongs in `createAdminClient()`. Public and user-scoped clients use `anonKey`.
 
+### Acting as a User on the Server
+
+In edge functions or other server code that receives a user's JWT, seed the client with it via `accessToken`:
+
+```javascript
+const insforge = createClient({
+  baseUrl: "http://localhost:7130",
+  accessToken: userJwt, // e.g. from the request's Authorization header
+});
+```
+
+All requests run as that user (RLS applies). The token is used as-is — the SDK does not refresh it. `edgeFunctionToken` is a deprecated alias for this option.
+
 ### Authentication
 
 ```javascript
@@ -401,7 +414,7 @@ For Next.js Proxy/Middleware, refresh before Server Components render:
 ```typescript
 // proxy.ts on Next.js 16+, middleware.ts on Next.js 15 and earlier
 import { NextResponse, type NextRequest } from "next/server";
-import { updateSession } from "@insforge/sdk/ssr";
+import { updateSession } from "@insforge/sdk/ssr/middleware";
 
 export async function proxy(request: NextRequest) {
   const response = NextResponse.next({ request });
@@ -415,6 +428,9 @@ export async function proxy(request: NextRequest) {
 }
 ```
 
+Use the `/ssr/middleware` subpath in Proxy/Middleware files. It only includes
+the session refresh helpers and avoids bundling the full SDK client.
+
 ## TypeScript Support
 
 The SDK is written in TypeScript and provides full type definitions:

package/SDK-REFERENCE.md

@@ -124,10 +124,14 @@ export async function POST(request: Request) {
 
 ### `updateSession()`
 
+Import `updateSession()` from `@insforge/sdk/ssr/middleware` in Proxy/Middleware
+files. This subpath only includes the session refresh helpers and avoids
+bundling the full SDK client.
+
 ```typescript
 // proxy.ts on Next.js 16+, middleware.ts on Next.js 15 and earlier
 import { NextResponse, type NextRequest } from "next/server";
-import { updateSession } from "@insforge/sdk/ssr";
+import { updateSession } from "@insforge/sdk/ssr/middleware";
 
 export async function proxy(request: NextRequest) {
   const response = NextResponse.next({ request });

package/dist/{client-CqfpCc8Z.d.mts → client-DoWwzWnh.d.ts}

@@ -1,114 +1,7 @@
-import { UserSchema, ErrorCode, CreateUserRequest, CreateUserResponse, CreateSessionRequest, CreateSessionResponse, OAuthProvidersSchema, RefreshSessionResponse, GetProfileResponse, SendVerificationEmailRequest, VerifyEmailRequest, VerifyEmailResponse, SendResetPasswordEmailRequest, ExchangeResetPasswordTokenRequest, ExchangeResetPasswordTokenResponse, ResetPasswordResponse, GetPublicAuthConfigResponse, StorageFileSchema, ListObjectsResponseSchema, ChatCompletionRequest, ImageGenerationRequest, EmbeddingsRequest, SubscribeResponse, SocketMessage, SendRawEmailRequest, SendEmailResponse, StripeEnvironment, CreateCheckoutSessionBody, CreateCheckoutSessionResponse, CreateCustomerPortalSessionBody, CreateCustomerPortalSessionResponse, RazorpayEnvironment, CreateRazorpayOrderBody, CreateRazorpayOrderResponse, VerifyRazorpayOrderBody, VerifyRazorpayOrderResponse, CreateRazorpaySubscriptionBody, CreateRazorpaySubscriptionResponse, VerifyRazorpaySubscriptionBody, VerifyRazorpaySubscriptionResponse, CancelRazorpaySubscriptionBodyInput, CancelRazorpaySubscriptionResponse, PauseRazorpaySubscriptionResponse, ResumeRazorpaySubscriptionResponse } from '@insforge/shared-schemas';
+import { A as AuthSession, I as InsForgeConfig, e as AuthRefreshResponse, d as InsForgeError } from './types-NjykhyRq.js';
+import { UserSchema, CreateUserRequest, CreateUserResponse, CreateSessionRequest, CreateSessionResponse, OAuthProvidersSchema, RefreshSessionResponse, GetProfileResponse, SendVerificationEmailRequest, VerifyEmailRequest, VerifyEmailResponse, SendResetPasswordEmailRequest, ExchangeResetPasswordTokenRequest, ExchangeResetPasswordTokenResponse, ResetPasswordResponse, GetPublicAuthConfigResponse, StorageFileSchema, ListObjectsResponseSchema, ChatCompletionRequest, ImageGenerationRequest, EmbeddingsRequest, SubscribeResponse, SocketMessage, SendRawEmailRequest, SendEmailResponse, StripeEnvironment, CreateCheckoutSessionBody, CreateCheckoutSessionResponse, CreateCustomerPortalSessionBody, CreateCustomerPortalSessionResponse, RazorpayEnvironment, CreateRazorpayOrderBody, CreateRazorpayOrderResponse, VerifyRazorpayOrderBody, VerifyRazorpayOrderResponse, CreateRazorpaySubscriptionBody, CreateRazorpaySubscriptionResponse, VerifyRazorpaySubscriptionBody, VerifyRazorpaySubscriptionResponse, CancelRazorpaySubscriptionBodyInput, CancelRazorpaySubscriptionResponse, PauseRazorpaySubscriptionResponse, ResumeRazorpaySubscriptionResponse } from '@insforge/shared-schemas';
 import * as _supabase_postgrest_js from '@supabase/postgrest-js';
 
-/**
- * InsForge SDK Types - only SDK-specific types here
- * Use @insforge/shared-schemas directly for API types
- */
-
-type InsForgeErrorCode = ErrorCode | (string & {});
-interface InsForgeConfig {
-    /**
-     * The base URL of the InsForge backend API
-     * @default "http://localhost:7130"
-     */
-    baseUrl?: string;
-    /**
-     * Anonymous API key (optional)
-     * Used for public/unauthenticated requests when no user token is set
-     */
-    anonKey?: string;
-    /**
-     * Edge Function Token (optional)
-     * Use this when running in edge functions/serverless with a user's JWT token
-     * This token will be used for all authenticated requests
-     */
-    edgeFunctionToken?: string;
-    /**
-     * Direct URL to Deno Subhosting functions (optional)
-     * When provided, SDK will try this URL first for function invocations.
-     * Falls back to proxy URL if subhosting returns 404.
-     * @example "https://{appKey}.functions.insforge.app"
-     */
-    functionsUrl?: string;
-    /**
-     * Custom fetch implementation (useful for Node.js environments)
-     */
-    fetch?: typeof fetch;
-    /**
-     * Enable server-side auth mode (SSR/Node runtime)
-     * In this mode auth endpoints use `client_type=mobile` and refresh_token body flow.
-     *
-     * @deprecated Use `createServerClient()`, `createBrowserClient()`, and
-     * `updateSession()` from `@insforge/sdk/ssr` for SSR apps.
-     * @default false
-     */
-    isServerMode?: boolean;
-    /**
-     * Custom headers to include with every request
-     */
-    headers?: Record<string, string>;
-    /**
-     * Enable debug logging for HTTP requests and responses.
-     * When true, request/response details are logged to the console.
-     * Can also be a custom log function for advanced use cases.
-     * @default false
-     */
-    debug?: boolean | ((message: string, ...args: any[]) => void);
-    /**
-     * Request timeout in milliseconds.
-     * Requests that exceed this duration will be aborted.
-     * Set to 0 to disable timeout.
-     * @default 30000
-     */
-    timeout?: number;
-    /**
-     * Maximum number of retry attempts for failed requests.
-     * Retries are triggered on network errors and server errors (5xx).
-     * Client errors (4xx) are never retried.
-     * Set to 0 to disable retries.
-     * @default 3
-     */
-    retryCount?: number;
-    /**
-     * Initial delay in milliseconds before the first retry.
-     * The delay doubles with each subsequent attempt (exponential backoff)
-     * with ±15% jitter to prevent thundering herd.
-     * @default 500
-     */
-    retryDelay?: number;
-}
-type InsForgeAdminConfig = Omit<InsForgeConfig, 'anonKey' | 'edgeFunctionToken' | 'isServerMode'> & {
-    /**
-     * Project admin API key. Keep this server-side only.
-     */
-    apiKey: string;
-};
-interface AuthSession {
-    user: UserSchema;
-    accessToken: string;
-    expiresAt?: Date;
-}
-interface AuthRefreshResponse {
-    user: UserSchema;
-    accessToken: string;
-    csrfToken?: string;
-    refreshToken?: string;
-}
-interface ApiError {
-    error: InsForgeErrorCode;
-    message: string;
-    statusCode: number;
-    nextActions?: string;
-}
-declare class InsForgeError extends Error {
-    statusCode: number;
-    error: InsForgeErrorCode;
-    nextActions?: string;
-    constructor(message: string, statusCode: number, error: InsForgeErrorCode, nextActions?: string);
-    static fromApiError(apiError: ApiError): InsForgeError;
-}
-
 type LogFunction = (message: string, ...args: any[]) => void;
 /**
  * Debug logger for the InsForge SDK.
@@ -572,10 +465,57 @@ declare class StorageBucket {
         error: InsForgeError | null;
     }>;
     /**
-     * Get public URL for a file
+     * Get the public URL for an object in a public bucket.
+     *
+     * Pure string construction — no network call, no auth. The URL only resolves
+     * if the bucket is public; for private objects use {@link createSignedUrl}.
+     *
+     * @param path - The object key/path
+     * @returns `{ data: { publicUrl }, error }` — matches the external SDK pattern,
+     *   so `const { data } = getPublicUrl(path)` then `data.publicUrl`.
+     */
+    getPublicUrl(path: string): StorageResponse<{
+        publicUrl: string;
+    }>;
+    /**
+     * Resolve a download strategy (signed or direct URL) for an object with a
+     * caller-supplied TTL. Prefers the canonical GET route and falls back to the
+     * legacy POST alias so signed-URL creation still works against older backends
+     * that predate the GET route (they return 404/405 for it). A genuine
+     * "object not found" (STORAGE_NOT_FOUND) is not retried.
+     */
+    private requestDownloadStrategy;
+    /**
+     * Create a signed URL for an object.
+     *
+     * Returns a time-limited, credential-free URL that can be handed directly to
+     * a browser (`<img src>`), an email, or a third party — no SDK or session is
+     * needed to fetch it. Authorization is enforced when the URL is minted (the
+     * caller must be allowed to read the object), so the resulting link is a
+     * pre-authorized capability scoped to this one object until it expires.
+     *
      * @param path - The object key/path
+     * @param expiresIn - Lifetime in seconds (default 3600 = 1h, max 604800 = 7d).
+     *   Honored for private buckets; public buckets return their long-lived URL.
+     */
+    createSignedUrl(path: string, expiresIn?: number): Promise<StorageResponse<{
+        signedUrl: string;
+        expiresAt: string | null;
+    }>>;
+    /**
+     * Create signed URLs for multiple objects in a single call.
+     *
+     * Each entry resolves independently: a failure on one key (not found / not
+     * permitted) is reported on that entry's `error` without failing the rest.
+     *
+     * @param paths - The object keys/paths
+     * @param expiresIn - Lifetime in seconds (default 3600 = 1h, max 604800 = 7d)
      */
-    getPublicUrl(path: string): string;
+    createSignedUrls(paths: string[], expiresIn?: number): Promise<StorageResponse<Array<{
+        path: string;
+        signedUrl: string | null;
+        error: string | null;
+    }>>>;
     /**
      * List objects in the bucket
      * @param prefix - Filter by key prefix
@@ -1165,4 +1105,4 @@ declare class InsForgeClient {
     setAccessToken(token: string | null): void;
 }
 
-export { type AuthSession as A, type ConnectionState as C, Database as D, Emails as E, Functions as F, HttpClient as H, InsForgeClient as I, Logger as L, Payments as P, Realtime as R, Storage as S, TokenManager as T, type InsForgeConfig as a, type InsForgeAdminConfig as b, type ApiError as c, type InsForgeErrorCode as d, InsForgeError as e, Auth as f, StorageBucket as g, type StorageResponse as h, AI as i, type FunctionInvokeOptions as j, type PaymentsResponse as k, type EventCallback as l, type AuthRefreshResponse as m };
+export { Auth as A, type ConnectionState as C, Database as D, Emails as E, Functions as F, HttpClient as H, InsForgeClient as I, Logger as L, Payments as P, Realtime as R, Storage as S, TokenManager as T, StorageBucket as a, type StorageResponse as b, AI as c, type FunctionInvokeOptions as d, type PaymentsResponse as e, type EventCallback as f };

package/dist/{client-CqfpCc8Z.d.ts → client-hYdj36T6.d.mts}

@@ -1,114 +1,7 @@
-import { UserSchema, ErrorCode, CreateUserRequest, CreateUserResponse, CreateSessionRequest, CreateSessionResponse, OAuthProvidersSchema, RefreshSessionResponse, GetProfileResponse, SendVerificationEmailRequest, VerifyEmailRequest, VerifyEmailResponse, SendResetPasswordEmailRequest, ExchangeResetPasswordTokenRequest, ExchangeResetPasswordTokenResponse, ResetPasswordResponse, GetPublicAuthConfigResponse, StorageFileSchema, ListObjectsResponseSchema, ChatCompletionRequest, ImageGenerationRequest, EmbeddingsRequest, SubscribeResponse, SocketMessage, SendRawEmailRequest, SendEmailResponse, StripeEnvironment, CreateCheckoutSessionBody, CreateCheckoutSessionResponse, CreateCustomerPortalSessionBody, CreateCustomerPortalSessionResponse, RazorpayEnvironment, CreateRazorpayOrderBody, CreateRazorpayOrderResponse, VerifyRazorpayOrderBody, VerifyRazorpayOrderResponse, CreateRazorpaySubscriptionBody, CreateRazorpaySubscriptionResponse, VerifyRazorpaySubscriptionBody, VerifyRazorpaySubscriptionResponse, CancelRazorpaySubscriptionBodyInput, CancelRazorpaySubscriptionResponse, PauseRazorpaySubscriptionResponse, ResumeRazorpaySubscriptionResponse } from '@insforge/shared-schemas';
+import { A as AuthSession, I as InsForgeConfig, e as AuthRefreshResponse, d as InsForgeError } from './types-NjykhyRq.mjs';
+import { UserSchema, CreateUserRequest, CreateUserResponse, CreateSessionRequest, CreateSessionResponse, OAuthProvidersSchema, RefreshSessionResponse, GetProfileResponse, SendVerificationEmailRequest, VerifyEmailRequest, VerifyEmailResponse, SendResetPasswordEmailRequest, ExchangeResetPasswordTokenRequest, ExchangeResetPasswordTokenResponse, ResetPasswordResponse, GetPublicAuthConfigResponse, StorageFileSchema, ListObjectsResponseSchema, ChatCompletionRequest, ImageGenerationRequest, EmbeddingsRequest, SubscribeResponse, SocketMessage, SendRawEmailRequest, SendEmailResponse, StripeEnvironment, CreateCheckoutSessionBody, CreateCheckoutSessionResponse, CreateCustomerPortalSessionBody, CreateCustomerPortalSessionResponse, RazorpayEnvironment, CreateRazorpayOrderBody, CreateRazorpayOrderResponse, VerifyRazorpayOrderBody, VerifyRazorpayOrderResponse, CreateRazorpaySubscriptionBody, CreateRazorpaySubscriptionResponse, VerifyRazorpaySubscriptionBody, VerifyRazorpaySubscriptionResponse, CancelRazorpaySubscriptionBodyInput, CancelRazorpaySubscriptionResponse, PauseRazorpaySubscriptionResponse, ResumeRazorpaySubscriptionResponse } from '@insforge/shared-schemas';
 import * as _supabase_postgrest_js from '@supabase/postgrest-js';
 
-/**
- * InsForge SDK Types - only SDK-specific types here
- * Use @insforge/shared-schemas directly for API types
- */
-
-type InsForgeErrorCode = ErrorCode | (string & {});
-interface InsForgeConfig {
-    /**
-     * The base URL of the InsForge backend API
-     * @default "http://localhost:7130"
-     */
-    baseUrl?: string;
-    /**
-     * Anonymous API key (optional)
-     * Used for public/unauthenticated requests when no user token is set
-     */
-    anonKey?: string;
-    /**
-     * Edge Function Token (optional)
-     * Use this when running in edge functions/serverless with a user's JWT token
-     * This token will be used for all authenticated requests
-     */
-    edgeFunctionToken?: string;
-    /**
-     * Direct URL to Deno Subhosting functions (optional)
-     * When provided, SDK will try this URL first for function invocations.
-     * Falls back to proxy URL if subhosting returns 404.
-     * @example "https://{appKey}.functions.insforge.app"
-     */
-    functionsUrl?: string;
-    /**
-     * Custom fetch implementation (useful for Node.js environments)
-     */
-    fetch?: typeof fetch;
-    /**
-     * Enable server-side auth mode (SSR/Node runtime)
-     * In this mode auth endpoints use `client_type=mobile` and refresh_token body flow.
-     *
-     * @deprecated Use `createServerClient()`, `createBrowserClient()`, and
-     * `updateSession()` from `@insforge/sdk/ssr` for SSR apps.
-     * @default false
-     */
-    isServerMode?: boolean;
-    /**
-     * Custom headers to include with every request
-     */
-    headers?: Record<string, string>;
-    /**
-     * Enable debug logging for HTTP requests and responses.
-     * When true, request/response details are logged to the console.
-     * Can also be a custom log function for advanced use cases.
-     * @default false
-     */
-    debug?: boolean | ((message: string, ...args: any[]) => void);
-    /**
-     * Request timeout in milliseconds.
-     * Requests that exceed this duration will be aborted.
-     * Set to 0 to disable timeout.
-     * @default 30000
-     */
-    timeout?: number;
-    /**
-     * Maximum number of retry attempts for failed requests.
-     * Retries are triggered on network errors and server errors (5xx).
-     * Client errors (4xx) are never retried.
-     * Set to 0 to disable retries.
-     * @default 3
-     */
-    retryCount?: number;
-    /**
-     * Initial delay in milliseconds before the first retry.
-     * The delay doubles with each subsequent attempt (exponential backoff)
-     * with ±15% jitter to prevent thundering herd.
-     * @default 500
-     */
-    retryDelay?: number;
-}
-type InsForgeAdminConfig = Omit<InsForgeConfig, 'anonKey' | 'edgeFunctionToken' | 'isServerMode'> & {
-    /**
-     * Project admin API key. Keep this server-side only.
-     */
-    apiKey: string;
-};
-interface AuthSession {
-    user: UserSchema;
-    accessToken: string;
-    expiresAt?: Date;
-}
-interface AuthRefreshResponse {
-    user: UserSchema;
-    accessToken: string;
-    csrfToken?: string;
-    refreshToken?: string;
-}
-interface ApiError {
-    error: InsForgeErrorCode;
-    message: string;
-    statusCode: number;
-    nextActions?: string;
-}
-declare class InsForgeError extends Error {
-    statusCode: number;
-    error: InsForgeErrorCode;
-    nextActions?: string;
-    constructor(message: string, statusCode: number, error: InsForgeErrorCode, nextActions?: string);
-    static fromApiError(apiError: ApiError): InsForgeError;
-}
-
 type LogFunction = (message: string, ...args: any[]) => void;
 /**
  * Debug logger for the InsForge SDK.
@@ -572,10 +465,57 @@ declare class StorageBucket {
         error: InsForgeError | null;
     }>;
     /**
-     * Get public URL for a file
+     * Get the public URL for an object in a public bucket.
+     *
+     * Pure string construction — no network call, no auth. The URL only resolves
+     * if the bucket is public; for private objects use {@link createSignedUrl}.
+     *
+     * @param path - The object key/path
+     * @returns `{ data: { publicUrl }, error }` — matches the external SDK pattern,
+     *   so `const { data } = getPublicUrl(path)` then `data.publicUrl`.
+     */
+    getPublicUrl(path: string): StorageResponse<{
+        publicUrl: string;
+    }>;
+    /**
+     * Resolve a download strategy (signed or direct URL) for an object with a
+     * caller-supplied TTL. Prefers the canonical GET route and falls back to the
+     * legacy POST alias so signed-URL creation still works against older backends
+     * that predate the GET route (they return 404/405 for it). A genuine
+     * "object not found" (STORAGE_NOT_FOUND) is not retried.
+     */
+    private requestDownloadStrategy;
+    /**
+     * Create a signed URL for an object.
+     *
+     * Returns a time-limited, credential-free URL that can be handed directly to
+     * a browser (`<img src>`), an email, or a third party — no SDK or session is
+     * needed to fetch it. Authorization is enforced when the URL is minted (the
+     * caller must be allowed to read the object), so the resulting link is a
+     * pre-authorized capability scoped to this one object until it expires.
+     *
      * @param path - The object key/path
+     * @param expiresIn - Lifetime in seconds (default 3600 = 1h, max 604800 = 7d).
+     *   Honored for private buckets; public buckets return their long-lived URL.
+     */
+    createSignedUrl(path: string, expiresIn?: number): Promise<StorageResponse<{
+        signedUrl: string;
+        expiresAt: string | null;
+    }>>;
+    /**
+     * Create signed URLs for multiple objects in a single call.
+     *
+     * Each entry resolves independently: a failure on one key (not found / not
+     * permitted) is reported on that entry's `error` without failing the rest.
+     *
+     * @param paths - The object keys/paths
+     * @param expiresIn - Lifetime in seconds (default 3600 = 1h, max 604800 = 7d)
      */
-    getPublicUrl(path: string): string;
+    createSignedUrls(paths: string[], expiresIn?: number): Promise<StorageResponse<Array<{
+        path: string;
+        signedUrl: string | null;
+        error: string | null;
+    }>>>;
     /**
      * List objects in the bucket
      * @param prefix - Filter by key prefix
@@ -1165,4 +1105,4 @@ declare class InsForgeClient {
     setAccessToken(token: string | null): void;
 }
 
-export { type AuthSession as A, type ConnectionState as C, Database as D, Emails as E, Functions as F, HttpClient as H, InsForgeClient as I, Logger as L, Payments as P, Realtime as R, Storage as S, TokenManager as T, type InsForgeConfig as a, type InsForgeAdminConfig as b, type ApiError as c, type InsForgeErrorCode as d, InsForgeError as e, Auth as f, StorageBucket as g, type StorageResponse as h, AI as i, type FunctionInvokeOptions as j, type PaymentsResponse as k, type EventCallback as l, type AuthRefreshResponse as m };
+export { Auth as A, type ConnectionState as C, Database as D, Emails as E, Functions as F, HttpClient as H, InsForgeClient as I, Logger as L, Payments as P, Realtime as R, Storage as S, TokenManager as T, StorageBucket as a, type StorageResponse as b, AI as c, type FunctionInvokeOptions as d, type PaymentsResponse as e, type EventCallback as f };

package/dist/index.d.mts

@@ -1,5 +1,7 @@
-import { I as InsForgeClient, a as InsForgeConfig, b as InsForgeAdminConfig } from './client-CqfpCc8Z.mjs';
-export { i as AI, c as ApiError, f as Auth, A as AuthSession, C as ConnectionState, D as Database, E as Emails, l as EventCallback, j as FunctionInvokeOptions, F as Functions, H as HttpClient, e as InsForgeError, d as InsForgeErrorCode, L as Logger, P as Payments, k as PaymentsResponse, R as Realtime, S as Storage, g as StorageBucket, h as StorageResponse, T as TokenManager } from './client-CqfpCc8Z.mjs';
+import { I as InsForgeClient } from './client-hYdj36T6.mjs';
+export { c as AI, A as Auth, C as ConnectionState, D as Database, E as Emails, f as EventCallback, d as FunctionInvokeOptions, F as Functions, H as HttpClient, L as Logger, P as Payments, e as PaymentsResponse, R as Realtime, S as Storage, a as StorageBucket, b as StorageResponse, T as TokenManager } from './client-hYdj36T6.mjs';
+import { I as InsForgeConfig, a as InsForgeAdminConfig } from './types-NjykhyRq.mjs';
+export { b as ApiError, A as AuthSession, d as InsForgeError, c as InsForgeErrorCode } from './types-NjykhyRq.mjs';
 export { AuthErrorResponse, CreateSessionRequest, CreateUserRequest, RealtimeErrorPayload, SendRawEmailRequest as SendEmailOptions, SendEmailResponse, SocketMessage, SubscribeResponse, UserSchema } from '@insforge/shared-schemas';
 import '@supabase/postgrest-js';
 

package/dist/index.d.ts

@@ -1,5 +1,7 @@
-import { I as InsForgeClient, a as InsForgeConfig, b as InsForgeAdminConfig } from './client-CqfpCc8Z.js';
-export { i as AI, c as ApiError, f as Auth, A as AuthSession, C as ConnectionState, D as Database, E as Emails, l as EventCallback, j as FunctionInvokeOptions, F as Functions, H as HttpClient, e as InsForgeError, d as InsForgeErrorCode, L as Logger, P as Payments, k as PaymentsResponse, R as Realtime, S as Storage, g as StorageBucket, h as StorageResponse, T as TokenManager } from './client-CqfpCc8Z.js';
+import { I as InsForgeClient } from './client-DoWwzWnh.js';
+export { c as AI, A as Auth, C as ConnectionState, D as Database, E as Emails, f as EventCallback, d as FunctionInvokeOptions, F as Functions, H as HttpClient, L as Logger, P as Payments, e as PaymentsResponse, R as Realtime, S as Storage, a as StorageBucket, b as StorageResponse, T as TokenManager } from './client-DoWwzWnh.js';
+import { I as InsForgeConfig, a as InsForgeAdminConfig } from './types-NjykhyRq.js';
+export { b as ApiError, A as AuthSession, d as InsForgeError, c as InsForgeErrorCode } from './types-NjykhyRq.js';
 export { AuthErrorResponse, CreateSessionRequest, CreateUserRequest, RealtimeErrorPayload, SendRawEmailRequest as SendEmailOptions, SendEmailResponse, SocketMessage, SubscribeResponse, UserSchema } from '@insforge/shared-schemas';
 import '@supabase/postgrest-js';
 

package/dist/index.js

@@ -28,8 +28,8 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/index.ts
-var index_exports = {};
-__export(index_exports, {
+var src_exports = {};
+__export(src_exports, {
   AI: () => AI,
   Auth: () => Auth,
   Database: () => Database,
@@ -46,9 +46,9 @@ __export(index_exports, {
   TokenManager: () => TokenManager,
   createAdminClient: () => createAdminClient,
   createClient: () => createClient,
-  default: () => index_default
+  default: () => src_default
 });
-module.exports = __toCommonJS(index_exports);
+module.exports = __toCommonJS(src_exports);
 
 // src/types.ts
 var InsForgeError = class _InsForgeError extends Error {
@@ -449,7 +449,7 @@ var HttpClient = class {
     return Math.round(jitter);
   }
   shouldRefreshAccessToken(statusCode, errorCode, authToken, options = {}) {
-    return statusCode === 401 && REFRESHABLE_AUTH_ERROR_CODES.has(errorCode ?? "") && !this.config.isServerMode && !this.config.edgeFunctionToken && !options.skipAuthRefresh && authToken !== null;
+    return statusCode === 401 && REFRESHABLE_AUTH_ERROR_CODES.has(errorCode ?? "") && !this.config.isServerMode && !this.config.accessToken && !this.config.edgeFunctionToken && !options.skipAuthRefresh && authToken !== null;
   }
   async fetchWithRetry(args) {
     const {
@@ -1661,7 +1661,7 @@ var StorageBucket = class {
           size: file.size,
           mimeType: file.type || "application/octet-stream",
           uploadedAt: (/* @__PURE__ */ new Date()).toISOString(),
-          url: this.getPublicUrl(strategy.key)
+          url: this.getPublicUrl(strategy.key).data.publicUrl
         },
         error: null
       };
@@ -1733,11 +1733,101 @@ var StorageBucket = class {
     }
   }
   /**
-   * Get public URL for a file
+   * Get the public URL for an object in a public bucket.
+   *
+   * Pure string construction — no network call, no auth. The URL only resolves
+   * if the bucket is public; for private objects use {@link createSignedUrl}.
+   *
    * @param path - The object key/path
+   * @returns `{ data: { publicUrl }, error }` — matches the external SDK pattern,
+   *   so `const { data } = getPublicUrl(path)` then `data.publicUrl`.
    */
   getPublicUrl(path) {
-    return `${this.http.baseUrl}/api/storage/buckets/${this.bucketName}/objects/${encodeURIComponent(path)}`;
+    const publicUrl = `${this.http.baseUrl}/api/storage/buckets/${this.bucketName}/objects/${encodeURIComponent(path)}`;
+    return { data: { publicUrl }, error: null };
+  }
+  /**
+   * Resolve a download strategy (signed or direct URL) for an object with a
+   * caller-supplied TTL. Prefers the canonical GET route and falls back to the
+   * legacy POST alias so signed-URL creation still works against older backends
+   * that predate the GET route (they return 404/405 for it). A genuine
+   * "object not found" (STORAGE_NOT_FOUND) is not retried.
+   */
+  async requestDownloadStrategy(path, expiresIn) {
+    const encoded = encodeURIComponent(path);
+    try {
+      return await this.http.get(
+        `/api/storage/buckets/${this.bucketName}/download-strategy/objects/${encoded}`,
+        { params: { expiresIn: expiresIn.toString() } }
+      );
+    } catch (error) {
+      const status = error instanceof InsForgeError ? error.statusCode : void 0;
+      const isMissingRoute = (status === 404 || status === 405) && !(error instanceof InsForgeError && error.error === "STORAGE_NOT_FOUND");
+      if (!isMissingRoute) throw error;
+      return await this.http.post(
+        `/api/storage/buckets/${this.bucketName}/objects/${encoded}/download-strategy`,
+        { expiresIn }
+      );
+    }
+  }
+  /**
+   * Create a signed URL for an object.
+   *
+   * Returns a time-limited, credential-free URL that can be handed directly to
+   * a browser (`<img src>`), an email, or a third party — no SDK or session is
+   * needed to fetch it. Authorization is enforced when the URL is minted (the
+   * caller must be allowed to read the object), so the resulting link is a
+   * pre-authorized capability scoped to this one object until it expires.
+   *
+   * @param path - The object key/path
+   * @param expiresIn - Lifetime in seconds (default 3600 = 1h, max 604800 = 7d).
+   *   Honored for private buckets; public buckets return their long-lived URL.
+   */
+  async createSignedUrl(path, expiresIn = 3600) {
+    try {
+      const strategy = await this.requestDownloadStrategy(path, expiresIn);
+      return {
+        data: {
+          signedUrl: strategy.url,
+          expiresAt: strategy.expiresAt ? new Date(strategy.expiresAt).toISOString() : null
+        },
+        error: null
+      };
+    } catch (error) {
+      return {
+        data: null,
+        error: error instanceof InsForgeError ? error : new InsForgeError("Failed to create signed URL", 500, "STORAGE_ERROR")
+      };
+    }
+  }
+  /**
+   * Create signed URLs for multiple objects in a single call.
+   *
+   * Each entry resolves independently: a failure on one key (not found / not
+   * permitted) is reported on that entry's `error` without failing the rest.
+   *
+   * @param paths - The object keys/paths
+   * @param expiresIn - Lifetime in seconds (default 3600 = 1h, max 604800 = 7d)
+   */
+  async createSignedUrls(paths, expiresIn = 3600) {
+    try {
+      const data = await Promise.all(
+        paths.map(async (path) => {
+          const { data: signed, error } = await this.createSignedUrl(path, expiresIn);
+          return {
+            path,
+            signedUrl: signed?.signedUrl ?? null,
+            error: error ? error.message : null
+          };
+        })
+      );
+      return { data, error: null };
+    } catch (error) {
+      return {
+        data: null,
+        error: error instanceof InsForgeError ? error : new InsForgeError("Failed to create signed URLs", 500, "STORAGE_ERROR")
+      };
+    }
   }
   /**
    * List objects in the bucket
@@ -2716,12 +2806,13 @@ var InsForgeClient = class {
     const logger = new Logger(config.debug);
     this.tokenManager = new TokenManager();
     this.http = new HttpClient(config, this.tokenManager, logger);
-    if (config.edgeFunctionToken) {
-      this.http.setAuthToken(config.edgeFunctionToken);
-      this.tokenManager.setAccessToken(config.edgeFunctionToken);
+    const accessToken = config.accessToken ?? config.edgeFunctionToken;
+    if (accessToken) {
+      this.http.setAuthToken(accessToken);
+      this.tokenManager.setAccessToken(accessToken);
     }
     this.auth = new Auth(this.http, this.tokenManager, {
-      isServerMode: config.isServerMode ?? !!config.edgeFunctionToken
+      isServerMode: config.isServerMode ?? !!accessToken
     });
     this.database = new Database(this.http);
     this.storage = new Storage(this.http);
@@ -2800,11 +2891,11 @@ function createAdminClient(config) {
   }
   return new InsForgeClient({
     ...clientConfig,
-    edgeFunctionToken: apiKey,
+    accessToken: apiKey,
     isServerMode: true
   });
 }
-var index_default = InsForgeClient;
+var src_default = InsForgeClient;
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   AI,