@insureco/relay 0.3.1 → 0.4.0

package/dist/index.d.mts

@@ -73,19 +73,29 @@ interface ApiResponse<T> {
 }
 /** Configuration for the RelayClient */
 interface RelayClientConfig {
-    /** Shared JWT secret for minting service tokens (required when using Janus) */
-    jwtSecret?: string;
-    /** Program/org ID included in the JWT (default: derived from service name) */
-    programId?: string;
+    /**
+     * Async function returning a Bearer token (e.g. Bio-ID client_credentials).
+     * This is the recommended auth method — works with both gateway (Janus) and direct modes.
+     * In gateway mode, the builder auto-provisions BIO_CLIENT_ID + BIO_CLIENT_SECRET.
+     */
+    accessTokenFn?: () => Promise<string>;
     /** Janus gateway URL (default: http://janus.janus-prod.svc.cluster.local:3000) */
     janusUrl?: string;
-    /** Direct relay URL for local dev (bypasses Janus, uses X-Internal-Key auth) */
+    /** Direct relay URL for local dev (bypasses Janus) */
     relayUrl?: string;
-    /** Internal API key for direct relay access */
+    /** Internal API key for direct relay access (local dev only) */
     internalKey?: string;
-    /** Async function returning a Bearer token (e.g. Bio-ID client_credentials). Used in direct mode. */
-    accessTokenFn?: () => Promise<string>;
-    /** JWT token lifetime in seconds (default: 300 = 5 minutes) */
+    /**
+     * @deprecated Use accessTokenFn with Bio-ID client_credentials instead.
+     * Shared JWT secret for minting service tokens.
+     */
+    jwtSecret?: string;
+    /**
+     * @deprecated Use accessTokenFn with Bio-ID client_credentials instead.
+     * Program/org ID included in the JWT.
+     */
+    programId?: string;
+    /** JWT token lifetime in seconds (default: 300). Only used with legacy jwtSecret auth. */
     tokenTtlSeconds?: number;
     /**
      * Number of retry attempts on transient failures (default: 2).
@@ -96,7 +106,7 @@ interface RelayClientConfig {
     retries?: number;
     /** Request timeout in milliseconds (default: 10000) */
     timeoutMs?: number;
-    /** Source service name for metadata (default: programId) */
+    /** Source service name for metadata (default: programId or 'unknown') */
     sourceService?: string;
 }
 /** Base options shared by sendEmail and sendSMS */
@@ -134,7 +144,10 @@ declare class RelayClient {
     /**
      * Create a RelayClient from environment variables.
      *
-     * Reads: JANUS_URL, JWT_SECRET, PROGRAM_ID, RELAY_DIRECT_URL, RELAY_INTERNAL_KEY
+     * Priority:
+     * 1. RELAY_DIRECT_URL — local dev (direct to relay, optional RELAY_INTERNAL_KEY)
+     * 2. BIO_CLIENT_ID + BIO_CLIENT_SECRET — production gateway (Bio-ID token through Janus)
+     * 3. JWT_SECRET + PROGRAM_ID — legacy gateway (self-signed JWT through Janus)
      */
     static fromEnv(): RelayClient;
     /**

package/dist/index.d.ts

@@ -73,19 +73,29 @@ interface ApiResponse<T> {
 }
 /** Configuration for the RelayClient */
 interface RelayClientConfig {
-    /** Shared JWT secret for minting service tokens (required when using Janus) */
-    jwtSecret?: string;
-    /** Program/org ID included in the JWT (default: derived from service name) */
-    programId?: string;
+    /**
+     * Async function returning a Bearer token (e.g. Bio-ID client_credentials).
+     * This is the recommended auth method — works with both gateway (Janus) and direct modes.
+     * In gateway mode, the builder auto-provisions BIO_CLIENT_ID + BIO_CLIENT_SECRET.
+     */
+    accessTokenFn?: () => Promise<string>;
     /** Janus gateway URL (default: http://janus.janus-prod.svc.cluster.local:3000) */
     janusUrl?: string;
-    /** Direct relay URL for local dev (bypasses Janus, uses X-Internal-Key auth) */
+    /** Direct relay URL for local dev (bypasses Janus) */
     relayUrl?: string;
-    /** Internal API key for direct relay access */
+    /** Internal API key for direct relay access (local dev only) */
     internalKey?: string;
-    /** Async function returning a Bearer token (e.g. Bio-ID client_credentials). Used in direct mode. */
-    accessTokenFn?: () => Promise<string>;
-    /** JWT token lifetime in seconds (default: 300 = 5 minutes) */
+    /**
+     * @deprecated Use accessTokenFn with Bio-ID client_credentials instead.
+     * Shared JWT secret for minting service tokens.
+     */
+    jwtSecret?: string;
+    /**
+     * @deprecated Use accessTokenFn with Bio-ID client_credentials instead.
+     * Program/org ID included in the JWT.
+     */
+    programId?: string;
+    /** JWT token lifetime in seconds (default: 300). Only used with legacy jwtSecret auth. */
     tokenTtlSeconds?: number;
     /**
      * Number of retry attempts on transient failures (default: 2).
@@ -96,7 +106,7 @@ interface RelayClientConfig {
     retries?: number;
     /** Request timeout in milliseconds (default: 10000) */
     timeoutMs?: number;
-    /** Source service name for metadata (default: programId) */
+    /** Source service name for metadata (default: programId or 'unknown') */
     sourceService?: string;
 }
 /** Base options shared by sendEmail and sendSMS */
@@ -134,7 +144,10 @@ declare class RelayClient {
     /**
      * Create a RelayClient from environment variables.
      *
-     * Reads: JANUS_URL, JWT_SECRET, PROGRAM_ID, RELAY_DIRECT_URL, RELAY_INTERNAL_KEY
+     * Priority:
+     * 1. RELAY_DIRECT_URL — local dev (direct to relay, optional RELAY_INTERNAL_KEY)
+     * 2. BIO_CLIENT_ID + BIO_CLIENT_SECRET — production gateway (Bio-ID token through Janus)
+     * 3. JWT_SECRET + PROGRAM_ID — legacy gateway (self-signed JWT through Janus)
      */
     static fromEnv(): RelayClient;
     /**

package/dist/index.js

@@ -66,6 +66,7 @@ function isTokenExpired(token, bufferSeconds = 30) {
 var DEFAULT_JANUS_URL = "http://janus.janus-prod.svc.cluster.local:3000";
 var RELAY_API_PATH = "/api/relay";
 var DEFAULT_TIMEOUT_MS = 1e4;
+var DEFAULT_BIO_ID_URL = "https://bio.tawa.insureco.io";
 var RelayError = class extends Error {
   constructor(message, statusCode, code, details) {
     super(message);
@@ -79,12 +80,15 @@ var RelayClient = class _RelayClient {
   config;
   cachedToken = null;
   constructor(config) {
-    if (!config.jwtSecret && !config.relayUrl) {
+    const hasAccessTokenFn = typeof config.accessTokenFn === "function";
+    const hasJwtSecret = !!config.jwtSecret;
+    const hasRelayUrl = !!config.relayUrl;
+    if (!hasAccessTokenFn && !hasJwtSecret && !hasRelayUrl) {
       throw new Error(
-        "iec-relay: Either jwtSecret (for Janus) or relayUrl (for direct) is required"
+        "iec-relay: Provide accessTokenFn (recommended), jwtSecret (legacy), or relayUrl (local dev)"
       );
     }
-    if (config.jwtSecret && !config.programId) {
+    if (hasJwtSecret && !config.programId) {
       throw new Error("iec-relay: programId is required when using jwtSecret");
     }
     this.config = {
@@ -98,29 +102,71 @@ var RelayClient = class _RelayClient {
   /**
    * Create a RelayClient from environment variables.
    *
-   * Reads: JANUS_URL, JWT_SECRET, PROGRAM_ID, RELAY_DIRECT_URL, RELAY_INTERNAL_KEY
+   * Priority:
+   * 1. RELAY_DIRECT_URL — local dev (direct to relay, optional RELAY_INTERNAL_KEY)
+   * 2. BIO_CLIENT_ID + BIO_CLIENT_SECRET — production gateway (Bio-ID token through Janus)
+   * 3. JWT_SECRET + PROGRAM_ID — legacy gateway (self-signed JWT through Janus)
    */
   static fromEnv() {
     const relayUrl = process.env.RELAY_DIRECT_URL;
-    const internalKey = process.env.RELAY_INTERNAL_KEY;
     if (relayUrl) {
       return new _RelayClient({
         relayUrl,
-        internalKey,
+        internalKey: process.env.RELAY_INTERNAL_KEY,
         sourceService: process.env.PROGRAM_ID ?? process.env.SERVICE_NAME
       });
     }
+    const bioClientId = process.env.BIO_CLIENT_ID;
+    const bioClientSecret = process.env.BIO_CLIENT_SECRET;
+    if (bioClientId && bioClientSecret) {
+      const bioIdUrl = process.env.BIO_ID_URL || DEFAULT_BIO_ID_URL;
+      let cachedBioToken = null;
+      let bioTokenExpiresAt = 0;
+      const accessTokenFn = async () => {
+        const now = Date.now();
+        if (cachedBioToken && now < bioTokenExpiresAt) {
+          return cachedBioToken;
+        }
+        const response = await fetch(`${bioIdUrl}/api/oauth/token`, {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({
+            grant_type: "client_credentials",
+            client_id: bioClientId,
+            client_secret: bioClientSecret
+          })
+        });
+        if (!response.ok) {
+          const body = await response.text();
+          throw new RelayError(
+            `Bio-ID token request failed (${response.status}): ${body}`,
+            response.status,
+            "AUTH_ERROR"
+          );
+        }
+        const data = await response.json();
+        cachedBioToken = data.access_token;
+        const expiresIn = (data.expires_in || 900) * 1e3;
+        bioTokenExpiresAt = now + expiresIn - 3e4;
+        return cachedBioToken;
+      };
+      return new _RelayClient({
+        accessTokenFn,
+        janusUrl: process.env.JANUS_URL,
+        sourceService: process.env.SERVICE_NAME ?? process.env.PROGRAM_ID
+      });
+    }
     const jwtSecret = process.env.JWT_SECRET;
-    if (!jwtSecret) {
-      throw new Error(
-        "iec-relay: Set JWT_SECRET + PROGRAM_ID (for Janus) or RELAY_DIRECT_URL (for direct)"
-      );
+    if (jwtSecret) {
+      return new _RelayClient({
+        jwtSecret,
+        programId: process.env.PROGRAM_ID,
+        janusUrl: process.env.JANUS_URL
+      });
     }
-    return new _RelayClient({
-      jwtSecret,
-      programId: process.env.PROGRAM_ID,
-      janusUrl: process.env.JANUS_URL
-    });
+    throw new Error(
+      "iec-relay: No auth configured. Set BIO_CLIENT_ID + BIO_CLIENT_SECRET (recommended), JWT_SECRET + PROGRAM_ID (legacy), or RELAY_DIRECT_URL (local dev)"
+    );
   }
   /**
    * Send an email through InsureRelay.
@@ -323,6 +369,10 @@ var RelayClient = class _RelayClient {
     }
     const baseUrl = this.config.janusUrl ?? DEFAULT_JANUS_URL;
     const url = `${baseUrl}${RELAY_API_PATH}${path}`;
+    if (this.config.accessTokenFn) {
+      headers["Authorization"] = `Bearer ${await this.config.accessTokenFn()}`;
+      return { url, headers };
+    }
     headers["Authorization"] = `Bearer ${this.getToken()}`;
     return { url, headers };
   }
@@ -332,7 +382,7 @@ var RelayClient = class _RelayClient {
     }
     if (!this.config.jwtSecret || !this.config.programId) {
       throw new RelayError(
-        "jwtSecret and programId are required for Janus auth",
+        "jwtSecret and programId are required for legacy Janus auth",
         500,
         "CONFIG_ERROR"
       );

package/dist/index.mjs

@@ -37,6 +37,7 @@ function isTokenExpired(token, bufferSeconds = 30) {
 var DEFAULT_JANUS_URL = "http://janus.janus-prod.svc.cluster.local:3000";
 var RELAY_API_PATH = "/api/relay";
 var DEFAULT_TIMEOUT_MS = 1e4;
+var DEFAULT_BIO_ID_URL = "https://bio.tawa.insureco.io";
 var RelayError = class extends Error {
   constructor(message, statusCode, code, details) {
     super(message);
@@ -50,12 +51,15 @@ var RelayClient = class _RelayClient {
   config;
   cachedToken = null;
   constructor(config) {
-    if (!config.jwtSecret && !config.relayUrl) {
+    const hasAccessTokenFn = typeof config.accessTokenFn === "function";
+    const hasJwtSecret = !!config.jwtSecret;
+    const hasRelayUrl = !!config.relayUrl;
+    if (!hasAccessTokenFn && !hasJwtSecret && !hasRelayUrl) {
       throw new Error(
-        "iec-relay: Either jwtSecret (for Janus) or relayUrl (for direct) is required"
+        "iec-relay: Provide accessTokenFn (recommended), jwtSecret (legacy), or relayUrl (local dev)"
       );
     }
-    if (config.jwtSecret && !config.programId) {
+    if (hasJwtSecret && !config.programId) {
       throw new Error("iec-relay: programId is required when using jwtSecret");
     }
     this.config = {
@@ -69,29 +73,71 @@ var RelayClient = class _RelayClient {
   /**
    * Create a RelayClient from environment variables.
    *
-   * Reads: JANUS_URL, JWT_SECRET, PROGRAM_ID, RELAY_DIRECT_URL, RELAY_INTERNAL_KEY
+   * Priority:
+   * 1. RELAY_DIRECT_URL — local dev (direct to relay, optional RELAY_INTERNAL_KEY)
+   * 2. BIO_CLIENT_ID + BIO_CLIENT_SECRET — production gateway (Bio-ID token through Janus)
+   * 3. JWT_SECRET + PROGRAM_ID — legacy gateway (self-signed JWT through Janus)
    */
   static fromEnv() {
     const relayUrl = process.env.RELAY_DIRECT_URL;
-    const internalKey = process.env.RELAY_INTERNAL_KEY;
     if (relayUrl) {
       return new _RelayClient({
         relayUrl,
-        internalKey,
+        internalKey: process.env.RELAY_INTERNAL_KEY,
         sourceService: process.env.PROGRAM_ID ?? process.env.SERVICE_NAME
       });
     }
+    const bioClientId = process.env.BIO_CLIENT_ID;
+    const bioClientSecret = process.env.BIO_CLIENT_SECRET;
+    if (bioClientId && bioClientSecret) {
+      const bioIdUrl = process.env.BIO_ID_URL || DEFAULT_BIO_ID_URL;
+      let cachedBioToken = null;
+      let bioTokenExpiresAt = 0;
+      const accessTokenFn = async () => {
+        const now = Date.now();
+        if (cachedBioToken && now < bioTokenExpiresAt) {
+          return cachedBioToken;
+        }
+        const response = await fetch(`${bioIdUrl}/api/oauth/token`, {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({
+            grant_type: "client_credentials",
+            client_id: bioClientId,
+            client_secret: bioClientSecret
+          })
+        });
+        if (!response.ok) {
+          const body = await response.text();
+          throw new RelayError(
+            `Bio-ID token request failed (${response.status}): ${body}`,
+            response.status,
+            "AUTH_ERROR"
+          );
+        }
+        const data = await response.json();
+        cachedBioToken = data.access_token;
+        const expiresIn = (data.expires_in || 900) * 1e3;
+        bioTokenExpiresAt = now + expiresIn - 3e4;
+        return cachedBioToken;
+      };
+      return new _RelayClient({
+        accessTokenFn,
+        janusUrl: process.env.JANUS_URL,
+        sourceService: process.env.SERVICE_NAME ?? process.env.PROGRAM_ID
+      });
+    }
     const jwtSecret = process.env.JWT_SECRET;
-    if (!jwtSecret) {
-      throw new Error(
-        "iec-relay: Set JWT_SECRET + PROGRAM_ID (for Janus) or RELAY_DIRECT_URL (for direct)"
-      );
+    if (jwtSecret) {
+      return new _RelayClient({
+        jwtSecret,
+        programId: process.env.PROGRAM_ID,
+        janusUrl: process.env.JANUS_URL
+      });
     }
-    return new _RelayClient({
-      jwtSecret,
-      programId: process.env.PROGRAM_ID,
-      janusUrl: process.env.JANUS_URL
-    });
+    throw new Error(
+      "iec-relay: No auth configured. Set BIO_CLIENT_ID + BIO_CLIENT_SECRET (recommended), JWT_SECRET + PROGRAM_ID (legacy), or RELAY_DIRECT_URL (local dev)"
+    );
   }
   /**
    * Send an email through InsureRelay.
@@ -294,6 +340,10 @@ var RelayClient = class _RelayClient {
     }
     const baseUrl = this.config.janusUrl ?? DEFAULT_JANUS_URL;
     const url = `${baseUrl}${RELAY_API_PATH}${path}`;
+    if (this.config.accessTokenFn) {
+      headers["Authorization"] = `Bearer ${await this.config.accessTokenFn()}`;
+      return { url, headers };
+    }
     headers["Authorization"] = `Bearer ${this.getToken()}`;
     return { url, headers };
   }
@@ -303,7 +353,7 @@ var RelayClient = class _RelayClient {
     }
     if (!this.config.jwtSecret || !this.config.programId) {
       throw new RelayError(
-        "jwtSecret and programId are required for Janus auth",
+        "jwtSecret and programId are required for legacy Janus auth",
         500,
         "CONFIG_ERROR"
       );

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@insureco/relay",
-  "version": "0.3.1",
+  "version": "0.4.0",
   "description": "SDK for sending email and SMS through InsureRelay on the Tawa platform",
   "main": "dist/index.js",
   "module": "dist/index.mjs",