@iqauth/sdk 2.0.0

package/dist/client-C1DXfB8Z.d.mts

@@ -0,0 +1,911 @@
+import { I as IQAuthEnvironment, T as TokenPair, W as IQAuthRetryConfig, L as LoginResult, a$ as SignupRequest, D as MfaVerifyResult, d as SessionUser, J as JwtClaims, h as Session, U as UserProfile, H as ProvisionUserRequest, K as ProvisionUserResponse, G as UserPermissions, O as OidcDiscovery, t as JwksResponse, u as OidcTokenResponse, b0 as HostedClientContext, i as TenantInfo, C as CreateTenantRequest, j as UpdateTenantRequest, P as PromoteToVendorRequest, k as PromoteToVendorResult, a7 as TenantUser, l as InviteTenantUserRequest, m as InviteTenantUserResult, n as TenantUserRoleUpdate, M as MigrateUserRequest, E as PasswordPolicy, F as MfaPolicy, B as BrandingConfig, _ as AppInfo, $ as PermissionNodeInfo, Z as AppManifest, a0 as AppSyncResult, a1 as Role, a2 as CreateRoleRequest, a3 as UpdateRoleRequest, a4 as AssignRoleRequest, a5 as UserRoleAssignment, a8 as PermissionGroup, a9 as GroupPermission, aa as AddGroupPermissionRequest, ab as InheritanceRelation, a6 as UserGroupAssignment, ac as UserPermissionOverride, ad as AddUserOverrideRequest, ae as EffectivePermission, af as PermissionCheckResult, ah as CreateApiKeyRequest, ai as CreateApiKeyResult, ag as ApiKeyInfo, aj as ApiKeyIntrospection, al as CreateInviteRequest, ak as Invitation, am as InviteValidation, an as AcceptInviteRequest, ap as CreateWebhookRequest, aq as CreateWebhookResult, ao as WebhookEndpoint, ar as WebhookDelivery, as as WebhookTestResult, at as Entitlement, au as GrantEntitlementRequest, av as Vendor, aw as CreateVendorRequest, ax as UpdateVendorRequest, az as CreateSourceRequest, ay as Source, aA as UpdateSourceRequest, aC as CreateClientRequest, aB as Client, aD as UpdateClientRequest, aE as HierarchyVendor, aH as HierarchyLink, aL as MembershipWithDetails, aJ as CreateMembershipRequest, aI as Membership, aK as UpdateMembershipRequest, aM as AvailableScopesTree, aQ as ScopeSwitchResult, aR as GdprExportData, aS as PinStatus, aU as MfaAvailableMethods, aV as TotpEnrollResult, aW as TotpVerifyResult, aX as SmsEnrollResult, y as MfaEnrollment, aY as EmailEnrollResult, aZ as BackupCodesResult, a_ as BackupCodeCountResult, o as UpdateBrandingRequest, q as UploadAssetRequest, p as BrandingAsset, r as BrandingDomainMapping, a as IQAuthClientConfig, c as IQAuthBrowserSessionClientConfig, b as IQAuthTokenClientConfig } from './types-Cxl3bQHt.mjs';
+import jwt from 'jsonwebtoken';
+
+/**
+ * SOURCE REFS:
+ * - Route file: src/lib/response.ts (envelope: { success: true, data } / { success: false, error: { code, message } })
+ * - Route file: src/middleware/requireAuth.ts (Authorization: Bearer header)
+ * - Route file: src/middleware/requireApiKey.ts (X-API-Key header)
+ * - Verified claims: N/A (HTTP transport layer)
+ * - Last verified: Phase 0 Research Summary
+ */
+
+interface HttpClientConfig {
+    baseUrl: string;
+    environment: IQAuthEnvironment;
+    getAccessToken: () => string | undefined;
+    getRefreshToken: () => string | undefined;
+    getApiKey: () => string | undefined;
+    setTokens: (tokens: TokenPair) => void;
+    autoRefresh: boolean;
+    onTokenRefresh?: (tokens: TokenPair) => void;
+    sessionHeaderName?: string;
+    sessionHeaderValue?: string;
+    retry?: IQAuthRetryConfig;
+}
+declare class HttpClient {
+    private config;
+    private refreshPromise;
+    private retryConfig;
+    constructor(config: HttpClientConfig);
+    private computeBackoffDelay;
+    private isRetryableStatus;
+    private fetchWithRetry;
+    get baseUrl(): string;
+    get environment(): IQAuthEnvironment;
+    isBrowserSession(): boolean;
+    hasCredentials(): boolean;
+    private buildHeaders;
+    private isTokenExpiringSoon;
+    private attemptRefresh;
+    request<T>(method: string, path: string, body?: unknown, options?: {
+        authMode?: "bearer" | "apikey";
+        skipAutoRefresh?: boolean;
+    }): Promise<T>;
+    private requestWithRetry;
+    requestRaw<T>(method: string, path: string, body?: unknown): Promise<T>;
+}
+
+declare class AuthModule {
+    private http;
+    constructor(http: HttpClient);
+    login(email: string, password: string): Promise<LoginResult>;
+    signup(input: SignupRequest): Promise<LoginResult>;
+    completeMfa(mfaChallengeToken: string, code: string, method?: string): Promise<MfaVerifyResult>;
+    completeMfaWithBackup(mfaChallengeToken: string, backupCode: string): Promise<MfaVerifyResult>;
+    sendMfaChallenge(mfaChallengeToken: string, method: string): Promise<{
+        sent: boolean;
+        method: string;
+    }>;
+    selectTenant(tenantSelectionToken: string, tenantId: string): Promise<LoginResult>;
+    logout(): Promise<{
+        message: string;
+    }>;
+    logoutAll(): Promise<{
+        terminatedCount: number;
+    }>;
+    refreshTokens(refreshToken: string): Promise<TokenPair>;
+    forgotPassword(email: string): Promise<{
+        message: string;
+        resetToken?: string;
+        warning?: string;
+        email?: string;
+        expiresInMinutes?: number;
+    }>;
+    resetPassword(token: string, newPassword: string): Promise<{
+        message: string;
+    }>;
+    changePassword(currentPassword: string, newPassword: string): Promise<{
+        message: string;
+    }>;
+    verifyToken(): Promise<Record<string, unknown>>;
+    exchangeOAuthCode(code: string): Promise<LoginResult>;
+    getSessionUser(): Promise<SessionUser>;
+}
+
+/**
+ * SOURCE REFS:
+ * - Route file: src/services/token.service.ts (RS256, issuer "auth.dispositioniq.com", audience array)
+ * - Route file: src/routes/wellknown.routes.ts (JWKS endpoint /.well-known/jwks.json)
+ * - Route file: src/lib/crypto.ts (key rotation with kid)
+ * - Verified claims: sub, email, name, tenantId, vendorId, roles, entitlements, sessionId, jti, iss, aud, exp, iat, scopeContext, loginMethod
+ * - Last verified: Phase 0 Research Summary
+ */
+
+declare const DEFAULT_TOKEN_ISSUER = "auth.dispositioniq.com";
+declare const DEFAULT_TOKEN_AUDIENCE: string[];
+declare const DEFAULT_CLOCK_TOLERANCE_SECONDS = 30;
+interface TokenVerifyOptions {
+    issuer?: string | string[];
+    audience?: string | string[];
+    clockTolerance?: number;
+    algorithms?: jwt.Algorithm[];
+}
+interface TokensModuleOptions {
+    issuer?: string | string[];
+    audience?: string | string[];
+    clockTolerance?: number;
+}
+declare class TokensModule {
+    private baseUrl;
+    private jwksCache;
+    private inFlightRefresh;
+    private defaultIssuer;
+    private defaultAudience;
+    private defaultClockTolerance;
+    constructor(baseUrl: string, options?: TokensModuleOptions);
+    /**
+     * Verify a JWT access token using RS256 via JWKS from /.well-known/jwks.json.
+     * Caches JWKS keys for 1 hour. Retries once on unknown `kid`.
+     *
+     * @remarks Validates against /.well-known/jwks.json. Issuer, audience, and
+     * clock tolerance default to client config but can be overridden per call.
+     */
+    verify(token: string, options?: TokenVerifyOptions): Promise<JwtClaims>;
+    /**
+     * Decode a JWT without verification. Returns null if malformed.
+     *
+     * @remarks Local decode only — no network call
+     */
+    decode(token: string): JwtClaims | null;
+    /**
+     * Check if a token is expired based on the `exp` claim.
+     *
+     * @remarks Local check only — no network call
+     */
+    isExpired(token: string): boolean;
+    /**
+     * Get the claims from a token without verification.
+     *
+     * @remarks Local decode only — no network call
+     */
+    getClaims(token: string): JwtClaims;
+    private getPublicKey;
+    private refreshJwks;
+    private jwkToPem;
+    /** @internal Exposed for testing — clears JWKS cache */
+    clearCache(): void;
+}
+
+/**
+ * SOURCE REFS:
+ * - Route file: src/routes/sessions.routes.ts (GET /, DELETE /:sessionId)
+ * - Route file: src/routes/auth.routes.ts (GET /sessions, DELETE /sessions/:sessionId, POST /logout-all)
+ * - Verified claims: sub, sessionId
+ * - Last verified: Phase 0 Research Summary
+ */
+
+declare class SessionsModule {
+    private http;
+    constructor(http: HttpClient);
+    /**
+     * List all active sessions for the current user.
+     *
+     * @remarks Wraps GET /api/v1/sessions
+     */
+    list(): Promise<Session[]>;
+    /**
+     * Revoke (terminate) a specific session by ID.
+     *
+     * @remarks Wraps DELETE /api/v1/sessions/:sessionId
+     */
+    revoke(sessionId: string): Promise<{
+        message: string;
+    }>;
+    /**
+     * Revoke all sessions for the current user.
+     *
+     * @remarks Wraps POST /api/v1/auth/logout-all
+     */
+    revokeAll(): Promise<{
+        terminatedCount: number;
+    }>;
+}
+
+/**
+ * SOURCE REFS:
+ * - Route file: src/routes/users.routes.ts (GET /me, PATCH /me, GET /, GET /:id, PATCH /:id/deactivate, PATCH /:id/reactivate, PATCH /:id/unlock)
+ * - Route file: src/routes/tenants.routes.ts (POST /:tenantId/users/provision)
+ * - Verified claims: sub, email, name, tenantId, roles
+ * - Last verified: Phase 0 Research Summary
+ */
+
+declare class UsersModule {
+    private http;
+    constructor(http: HttpClient);
+    /**
+     * Get the currently authenticated user's profile.
+     *
+     * @remarks Wraps GET /api/v1/users/me
+     */
+    getCurrent(): Promise<UserProfile>;
+    /**
+     * Get a user by ID.
+     *
+     * @remarks Wraps GET /api/v1/users/:id
+     */
+    getById(userId: string): Promise<UserProfile>;
+    /**
+     * List users in the current tenant. Requires tenant_admin role.
+     *
+     * @remarks Wraps GET /api/v1/users
+     */
+    list(params?: {
+        email?: string;
+        tenantId?: string;
+    }): Promise<UserProfile[]>;
+    /**
+     * Provision (create) a new user in a tenant. Requires platform_admin or tenant-scoped API key with admin role.
+     *
+     * @remarks Wraps POST /api/v1/tenants/:tenantId/users/provision
+     */
+    create(tenantId: string, data: ProvisionUserRequest): Promise<ProvisionUserResponse>;
+    /**
+     * Update the current user's profile (name, picture).
+     *
+     * @remarks Wraps PATCH /api/v1/users/me
+     */
+    update(data: {
+        name?: string;
+        picture?: string;
+    }): Promise<UserProfile>;
+    /**
+     * Deactivate a user in the current tenant. Requires tenant_admin role.
+     *
+     * @remarks Wraps PATCH /api/v1/users/:id/deactivate
+     */
+    deactivate(userId: string): Promise<{
+        message: string;
+    }>;
+    /**
+     * Reactivate a user in the current tenant. Requires tenant_admin role.
+     *
+     * @remarks Wraps PATCH /api/v1/users/:id/reactivate
+     */
+    reactivate(userId: string): Promise<{
+        message: string;
+    }>;
+    /**
+     * Unlock a locked user account in the current tenant. Requires tenant_admin role.
+     *
+     * @remarks Wraps PATCH /api/v1/users/:id/unlock
+     */
+    unlock(userId: string): Promise<{
+        message: string;
+    }>;
+    /**
+     * Get effective permissions for a user for a specific product.
+     *
+     * @remarks Wraps GET /api/v1/users/:id/permissions?product=...
+     */
+    getPermissions(userId: string, product: string): Promise<UserPermissions>;
+    /**
+     * Change the current user's password.
+     *
+     * @remarks Wraps POST /api/v1/auth/password/change
+     */
+    updatePassword(currentPassword: string, newPassword: string): Promise<{
+        message: string;
+    }>;
+}
+
+/**
+ * SOURCE REFS:
+ * - Route file: src/types/index.ts (JwtPayload.roles, JwtPayload.entitlements)
+ * - Route file: src/services/auth.service.ts (roles and entitlements written into JWT)
+ * - Verified claims: roles (string[]), entitlements (string[])
+ * - Last verified: Phase 0 Research Summary
+ */
+
+declare class PermissionsModule {
+    private getClaims;
+    constructor(claimsProvider: () => JwtClaims | null);
+    /**
+     * Get the roles from the current JWT claims.
+     *
+     * @remarks Extracted from JWT claim `roles` (string[])
+     */
+    getRoles(): string[];
+    /**
+     * Get the entitlements from the current JWT claims.
+     *
+     * @remarks Extracted from JWT claim `entitlements` (string[])
+     */
+    getEntitlements(): string[];
+    /**
+     * Check if the current user has a specific role.
+     *
+     * @remarks Checks against JWT claim `roles`
+     */
+    hasRole(role: string): boolean;
+    /**
+     * Check if the current user has a specific entitlement.
+     *
+     * @remarks Checks against JWT claim `entitlements`
+     */
+    hasEntitlement(entitlement: string): boolean;
+    /**
+     * Check if the current user has all of the specified roles.
+     *
+     * @remarks Checks against JWT claim `roles`
+     */
+    hasAllRoles(roles: string[]): boolean;
+    /**
+     * Check if the current user has any of the specified roles.
+     *
+     * @remarks Checks against JWT claim `roles`
+     */
+    hasAnyRole(roles: string[]): boolean;
+    /**
+     * Check if the current user has all of the specified entitlements.
+     *
+     * @remarks Checks against JWT claim `entitlements`
+     */
+    hasAllEntitlements(entitlements: string[]): boolean;
+    /**
+     * Check if the current user has any of the specified entitlements.
+     *
+     * @remarks Checks against JWT claim `entitlements`
+     */
+    hasAnyEntitlement(entitlements: string[]): boolean;
+}
+
+/**
+ * SOURCE REFS:
+ * - Route file: src/routes/oidc.routes.ts (GET /discovery, POST /token, GET /userinfo)
+ * - Route file: src/routes/wellknown.routes.ts (GET /.well-known/openid-configuration, GET /.well-known/jwks.json)
+ * - Verified claims: sub, email, name, picture, roles, at_hash, auth_time
+ * - Last verified: Phase 0 Research Summary
+ */
+
+interface OidcStoredRequest {
+    codeVerifier: string;
+    state: string;
+    nonce: string;
+    redirectUri: string;
+    clientId: string;
+    expiresAt: number;
+}
+/**
+ * Pluggable storage adapter for PKCE/state/nonce binding. The default
+ * implementation is in-memory and adequate for single-process Node servers
+ * and short-lived browser sessions; provide your own (Redis, signed cookies,
+ * etc.) for distributed/cross-tab scenarios.
+ */
+interface OidcStateStore {
+    set(state: string, value: OidcStoredRequest): void | Promise<void>;
+    get(state: string): OidcStoredRequest | null | Promise<OidcStoredRequest | null>;
+    delete(state: string): void | Promise<void>;
+}
+declare class InMemoryOidcStateStore implements OidcStateStore {
+    private map;
+    set(state: string, value: OidcStoredRequest): void;
+    get(state: string): OidcStoredRequest | null;
+    delete(state: string): void;
+}
+interface OidcModuleOptions {
+    stateStore?: OidcStateStore;
+    /** TTL for stored auth requests in milliseconds. Defaults to 10 minutes. */
+    requestTtlMs?: number;
+    /** Tokens module used to verify id_token signatures and claims. */
+    tokens?: TokensModule;
+}
+interface OidcAuthRequest {
+    authorizationUrl: string;
+    state: string;
+    nonce: string;
+    codeVerifier: string;
+    codeChallenge: string;
+    codeChallengeMethod: "S256";
+}
+interface OidcCallbackResult {
+    tokens: OidcTokenResponse;
+    idTokenClaims: JwtClaims | null;
+}
+declare class OidcModule {
+    private http;
+    private baseUrl;
+    private stateStore;
+    private requestTtlMs;
+    private tokensModule?;
+    constructor(http: HttpClient, baseUrl: string, options?: OidcModuleOptions);
+    /** @internal Allow the client to inject its TokensModule after construction. */
+    _setTokensModule(tokens: TokensModule): void;
+    /**
+     * Fetch the OpenID Connect discovery document.
+     *
+     * @remarks Wraps GET /.well-known/openid-configuration
+     */
+    getDiscovery(): Promise<OidcDiscovery>;
+    /**
+     * Fetch the JSON Web Key Set.
+     *
+     * @remarks Wraps GET /.well-known/jwks.json
+     */
+    getJwks(): Promise<JwksResponse>;
+    /**
+     * Build an OIDC authorization URL for redirect-based login.
+     *
+     * @remarks Constructs URL pointing to /oidc/authorize. Prefer
+     * {@link createAuthRequest} which also generates and stores PKCE/state/nonce.
+     */
+    buildAuthorizationUrl(params: {
+        clientId: string;
+        redirectUri: string;
+        scope?: string;
+        state: string;
+        nonce?: string;
+        codeChallenge?: string;
+        codeChallengeMethod?: string;
+    }): string;
+    /**
+     * Generate `code_verifier`, `code_challenge`, `state`, and `nonce`, persist
+     * them via the configured storage adapter, and return an authorization URL
+     * ready to redirect the user to.
+     */
+    createAuthRequest(params: {
+        clientId: string;
+        redirectUri: string;
+        scope?: string;
+    }): Promise<OidcAuthRequest>;
+    /**
+     * Validate the callback `state`, exchange the code with the bound PKCE
+     * verifier, and verify that the returned `id_token` (if any) carries the
+     * stored `nonce` and `aud === clientId`.
+     */
+    handleCallback(params: {
+        code: string;
+        state: string;
+        /** Optional client secret if your client is confidential. */
+        clientSecret?: string;
+    }): Promise<OidcCallbackResult>;
+    /**
+     * Exchange an authorization code for tokens at the OIDC token endpoint.
+     *
+     * @remarks Wraps POST /oidc/token (or /api/v1/oidc/token)
+     */
+    exchangeCode(params: {
+        code: string;
+        redirectUri: string;
+        clientId: string;
+        clientSecret?: string;
+        codeVerifier?: string;
+    }): Promise<OidcTokenResponse>;
+    /**
+     * Get user info from the OIDC userinfo endpoint.
+     *
+     * @remarks Wraps GET /oidc/userinfo (requires Bearer token)
+     */
+    getUserInfo(): Promise<Record<string, unknown>>;
+    getClientContext(clientId: string): Promise<HostedClientContext>;
+}
+
+declare class TenantsModule {
+    private http;
+    constructor(http: HttpClient);
+    getCurrent(tenantId: string): Promise<TenantInfo>;
+    get(tenantId: string): Promise<TenantInfo>;
+    list(params?: {
+        vendorId?: string;
+    }): Promise<TenantInfo[] | TenantInfo | null>;
+    create(data: CreateTenantRequest): Promise<TenantInfo>;
+    update(tenantId: string, data: UpdateTenantRequest): Promise<TenantInfo>;
+    delete(tenantId: string): Promise<{
+        message: string;
+    }>;
+    promoteToVendor(tenantId: string, data: PromoteToVendorRequest): Promise<PromoteToVendorResult>;
+    getUsers(tenantId: string): Promise<TenantUser[]>;
+    inviteUser(tenantId: string, data: InviteTenantUserRequest): Promise<InviteTenantUserResult>;
+    changeUserRole(tenantId: string, userId: string, role: string): Promise<TenantUserRoleUpdate>;
+    migrateUser(tenantId: string, userId: string, data: MigrateUserRequest): Promise<{
+        message: string;
+    }>;
+    removeUser(tenantId: string, userId: string): Promise<{
+        message: string;
+    }>;
+    getPasswordPolicy(tenantId: string): Promise<PasswordPolicy>;
+    updatePasswordPolicy(tenantId: string, data: Partial<PasswordPolicy>): Promise<PasswordPolicy>;
+    getMfaPolicies(tenantId: string): Promise<MfaPolicy[]>;
+    updateMfaPolicy(tenantId: string, role: string, data: Partial<MfaPolicy>): Promise<MfaPolicy>;
+    getPublicBranding(params?: {
+        vendor?: string;
+    }): Promise<BrandingConfig | null>;
+    getPublicBrandingBySlug(vendorSlug: string): Promise<BrandingConfig | null>;
+}
+
+/**
+ * SOURCE REFS:
+ * - Route file: src/routes/apps.routes.ts (GET /, GET /:appKey, POST /sync)
+ * - Service file: src/services/appManifest.service.ts (AppManifest, PermissionNodeManifest, syncManifest)
+ * - Service file: src/services/bootstrapApps.ts (manifest shape example)
+ * - Verified claims: requires auth + apps.view/apps.manage permissions, platform_admin for sync
+ * - Last verified: Phase 0 Research Summary + apps.routes.ts
+ */
+
+interface CreateAppRequest {
+    name: string;
+    key?: string;
+    description?: string;
+    redirectUris?: string[];
+    allowedOrigins?: string[];
+    mode?: "test" | "live";
+}
+interface CreateAppResponse {
+    app: AppInfo & {
+        appKey: string;
+    };
+    client: {
+        clientId: string;
+        clientSecret: string;
+    };
+    publishableKey: {
+        id: string;
+        rawKey: string;
+        kid: string;
+    };
+    secretKey: {
+        id: string;
+        rawKey: string;
+    };
+    origins: string[];
+}
+declare class AppsModule {
+    private http;
+    constructor(http: HttpClient);
+    /**
+     * Self-service Phase A: provision an app + OIDC client + key pair in one shot.
+     * Caller must be authenticated as a tenant_admin (or platform_admin).
+     *
+     * @remarks Wraps POST /api/v1/apps
+     */
+    create(data: CreateAppRequest): Promise<CreateAppResponse>;
+    update(id: string, data: {
+        name?: string;
+        description?: string;
+        mode?: "test" | "live";
+        isActive?: boolean;
+    }): Promise<unknown>;
+    remove(id: string): Promise<{
+        id: string;
+    }>;
+    listOrigins(id: string): Promise<{
+        origins: string[];
+    }>;
+    addOrigin(id: string, origin: string): Promise<{
+        origin: string;
+    }>;
+    removeOrigin(id: string, origin: string): Promise<{
+        removed: boolean;
+    }>;
+    listKeys(id: string): Promise<Array<{
+        id: string;
+        kind: string;
+        mode: string;
+        keyPrefix: string;
+        isActive: boolean;
+    }>>;
+    createKey(id: string, data: {
+        kind: "publishable" | "secret";
+        mode?: "test" | "live";
+        name?: string;
+    }): Promise<unknown>;
+    rotateKey(id: string, keyId: string): Promise<{
+        rawKey: string;
+        previousKeyExpiresAt: string | null;
+    }>;
+    revokeKey(id: string, keyId: string): Promise<{
+        revoked: boolean;
+    }>;
+    /**
+     * List all registered applications.
+     * Requires `apps.view` permission on the `iqauth-admin` app.
+     *
+     * @remarks Wraps GET /api/v1/apps
+     */
+    list(): Promise<AppInfo[]>;
+    /**
+     * Get a registered application by its unique key, including its permission nodes.
+     * Requires `apps.view` permission on the `iqauth-admin` app.
+     *
+     * @remarks Wraps GET /api/v1/apps/:appKey
+     */
+    get(appKey: string): Promise<AppInfo & {
+        permissionNodes: PermissionNodeInfo[];
+    }>;
+    /**
+     * Register or sync an application manifest. This is an idempotent upsert —
+     * it creates the app if it doesn't exist, or updates it if it does.
+     * Permission nodes are also upserted (created or updated) from the manifest tree.
+     *
+     * Requires `platform_admin` role and `apps.manage` permission.
+     *
+     * @remarks Wraps POST /api/v1/apps/sync
+     */
+    register(manifest: AppManifest): Promise<AppSyncResult>;
+    /**
+     * Check if an application is registered by its key.
+     * Returns `true` if the app exists, `false` otherwise.
+     *
+     * @remarks Uses GET /api/v1/apps/:appKey — catches 404 errors
+     */
+    isRegistered(appKey: string): Promise<boolean>;
+}
+
+declare class RolesModule {
+    private http;
+    constructor(http: HttpClient);
+    list(tenantId: string): Promise<Role[]>;
+    create(tenantId: string, data: CreateRoleRequest): Promise<Role>;
+    update(tenantId: string, roleId: string, data: UpdateRoleRequest): Promise<Role>;
+    delete(tenantId: string, roleId: string): Promise<{
+        message: string;
+    }>;
+    getUserRoles(tenantId: string, userId: string): Promise<Role[]>;
+    assignRole(tenantId: string, userId: string, data: AssignRoleRequest): Promise<UserRoleAssignment>;
+    removeRole(tenantId: string, userId: string, roleId: string): Promise<{
+        message: string;
+    }>;
+}
+
+declare class PermissionGroupsModule {
+    private http;
+    constructor(http: HttpClient);
+    list(tenantId: string): Promise<PermissionGroup[]>;
+    create(tenantId: string, name: string, description?: string): Promise<PermissionGroup>;
+    update(tenantId: string, groupId: string, data: {
+        name?: string;
+        description?: string;
+    }): Promise<PermissionGroup>;
+    delete(tenantId: string, groupId: string): Promise<{
+        message: string;
+    }>;
+    getPermissions(tenantId: string, groupId: string): Promise<GroupPermission[]>;
+    addPermission(tenantId: string, groupId: string, data: AddGroupPermissionRequest): Promise<GroupPermission>;
+    removePermission(tenantId: string, groupId: string, permissionId: string): Promise<{
+        message: string;
+    }>;
+    addInheritance(tenantId: string, groupId: string, inheritsFromGroupId: string): Promise<InheritanceRelation>;
+    removeInheritance(tenantId: string, groupId: string, inheritedGroupId: string): Promise<{
+        message: string;
+    }>;
+    getUserGroups(tenantId: string, userId: string): Promise<PermissionGroup[]>;
+    assignUserToGroup(tenantId: string, userId: string, groupId: string): Promise<UserGroupAssignment>;
+    removeUserFromGroup(tenantId: string, userId: string, groupId: string): Promise<{
+        message: string;
+    }>;
+    getUserOverrides(tenantId: string, userId: string): Promise<UserPermissionOverride[]>;
+    addUserOverride(tenantId: string, userId: string, data: AddUserOverrideRequest): Promise<UserPermissionOverride>;
+    removeUserOverride(tenantId: string, userId: string, overrideId: string): Promise<{
+        message: string;
+    }>;
+    getEffectivePermissions(tenantId: string, userId: string, params: {
+        product?: string;
+        appKey?: string;
+    }): Promise<EffectivePermission[]>;
+    checkPermission(tenantId: string, userId: string, appKey: string, nodeKey: string): Promise<PermissionCheckResult>;
+}
+
+declare class ApiKeysModule {
+    private http;
+    constructor(http: HttpClient);
+    create(data: CreateApiKeyRequest): Promise<CreateApiKeyResult>;
+    list(params?: {
+        tenantId?: string;
+    }): Promise<ApiKeyInfo[]>;
+    revoke(id: string): Promise<{
+        message: string;
+    }>;
+    introspect(apiKey: string): Promise<ApiKeyIntrospection>;
+}
+
+declare class InvitesModule {
+    private http;
+    constructor(http: HttpClient);
+    create(data: CreateInviteRequest): Promise<{
+        invitation: Invitation;
+        inviteToken?: string;
+        warning?: string;
+    }>;
+    validate(token: string): Promise<InviteValidation>;
+    accept(token: string, data: AcceptInviteRequest): Promise<{
+        message: string;
+        userId?: string;
+    }>;
+}
+
+declare class WebhooksModule {
+    private http;
+    constructor(http: HttpClient);
+    createEndpoint(data: CreateWebhookRequest): Promise<CreateWebhookResult>;
+    listEndpoints(): Promise<WebhookEndpoint[]>;
+    deleteEndpoint(id: string): Promise<{
+        message: string;
+    }>;
+    getDeliveries(endpointId: string): Promise<WebhookDelivery[]>;
+    testEndpoint(id: string): Promise<WebhookTestResult>;
+    rotateSecret(id: string): Promise<{
+        newSecret: string;
+    }>;
+}
+
+declare class EntitlementsModule {
+    private http;
+    constructor(http: HttpClient);
+    list(tenantId: string): Promise<Entitlement[]>;
+    grant(tenantId: string, data: GrantEntitlementRequest): Promise<Entitlement>;
+    revoke(tenantId: string, product: string): Promise<{
+        message: string;
+    }>;
+}
+
+declare class VendorsModule {
+    private http;
+    constructor(http: HttpClient);
+    list(): Promise<Vendor[]>;
+    get(vendorId: string): Promise<Vendor>;
+    create(data: CreateVendorRequest): Promise<Vendor>;
+    update(vendorId: string, data: UpdateVendorRequest): Promise<Vendor>;
+    delete(vendorId: string): Promise<{
+        message: string;
+    }>;
+}
+
+declare class SourcesModule {
+    private http;
+    constructor(http: HttpClient);
+    create(vendorId: string, data: CreateSourceRequest): Promise<Source>;
+    listForVendor(vendorId: string): Promise<Source[]>;
+    get(sourceId: string): Promise<Source>;
+    update(sourceId: string, data: UpdateSourceRequest): Promise<Source>;
+    delete(sourceId: string): Promise<{
+        message: string;
+    }>;
+    createClient(sourceId: string, data: CreateClientRequest): Promise<Client>;
+    listClients(sourceId: string): Promise<Client[]>;
+}
+
+declare class ClientsModule {
+    private http;
+    constructor(http: HttpClient);
+    get(clientId: string): Promise<Client>;
+    update(clientId: string, data: UpdateClientRequest): Promise<Client>;
+    delete(clientId: string): Promise<{
+        message: string;
+    }>;
+}
+
+declare class HierarchyModule {
+    private http;
+    constructor(http: HttpClient);
+    getGraph(): Promise<HierarchyVendor[]>;
+    linkVendorSource(vendorId: string, sourceId: string): Promise<HierarchyLink>;
+    unlinkVendorSource(vendorId: string, sourceId: string): Promise<{
+        removed: boolean;
+    }>;
+    linkSourceClient(sourceId: string, clientId: string): Promise<HierarchyLink>;
+    unlinkSourceClient(sourceId: string, clientId: string): Promise<{
+        removed: boolean;
+    }>;
+}
+
+declare class MembershipsModule {
+    private http;
+    constructor(http: HttpClient);
+    listForUser(userId: string, tenantId: string): Promise<{
+        memberships: MembershipWithDetails[];
+    }>;
+    listForScope(scopeType: string, scopeId: string): Promise<{
+        memberships: MembershipWithDetails[];
+    }>;
+    grant(data: CreateMembershipRequest): Promise<Membership>;
+    revoke(id: string): Promise<{
+        message: string;
+    }>;
+    update(id: string, data: UpdateMembershipRequest): Promise<Membership>;
+    listForTenant(params?: {
+        scopeType?: string;
+        roleName?: string;
+    }): Promise<{
+        memberships: MembershipWithDetails[];
+    }>;
+}
+
+declare class ScopeModule {
+    private http;
+    constructor(http: HttpClient);
+    getAvailable(): Promise<AvailableScopesTree>;
+    switchScope(scopeType: string, scopeId: string): Promise<ScopeSwitchResult>;
+}
+
+declare class GdprModule {
+    private http;
+    constructor(http: HttpClient);
+    exportData(): Promise<GdprExportData>;
+    deleteAccount(confirmEmail: string): Promise<{
+        message: string;
+    }>;
+}
+
+declare class PinModule {
+    private http;
+    constructor(http: HttpClient);
+    set(pin: string): Promise<{
+        message: string;
+    }>;
+    change(currentPin: string, newPin: string): Promise<{
+        message: string;
+    }>;
+    remove(): Promise<{
+        message: string;
+    }>;
+    getStatus(): Promise<PinStatus>;
+    login(email: string, pin: string, deviceFingerprint?: string): Promise<LoginResult>;
+}
+
+declare class MfaModule {
+    private http;
+    constructor(http: HttpClient);
+    getAvailableMethods(): Promise<MfaAvailableMethods>;
+    enrollTotp(): Promise<TotpEnrollResult>;
+    verifyTotpEnrollment(code: string, secret: string): Promise<TotpVerifyResult>;
+    enrollSms(phoneNumber: string): Promise<SmsEnrollResult>;
+    verifySmsEnrollment(code: string, phoneNumber: string): Promise<{
+        enrollment: MfaEnrollment;
+    }>;
+    startEmailEnrollment(): Promise<EmailEnrollResult>;
+    verifyEmailEnrollment(code: string): Promise<{
+        enrollment: MfaEnrollment;
+    }>;
+    listEnrollments(): Promise<MfaEnrollment[]>;
+    setPrimaryEnrollment(enrollmentId: string): Promise<MfaEnrollment>;
+    deactivateEnrollment(enrollmentId: string): Promise<{
+        message: string;
+    }>;
+    regenerateBackupCodes(): Promise<BackupCodesResult>;
+    getBackupCodeCount(): Promise<BackupCodeCountResult>;
+}
+
+declare class BrandingModule {
+    private http;
+    constructor(http: HttpClient);
+    get(vendorId: string): Promise<BrandingConfig>;
+    updateBranding(vendorId: string, data: UpdateBrandingRequest): Promise<BrandingConfig>;
+    publishBranding(vendorId: string): Promise<BrandingConfig>;
+    unpublishBranding(vendorId: string): Promise<BrandingConfig>;
+    resetBranding(vendorId: string): Promise<BrandingConfig>;
+    uploadAsset(vendorId: string, data: UploadAssetRequest): Promise<BrandingAsset>;
+    listAssets(vendorId: string): Promise<BrandingAsset[]>;
+    deleteAsset(vendorId: string, assetId: string): Promise<{
+        deleted: boolean;
+    }>;
+    listDomains(vendorId: string): Promise<BrandingDomainMapping[]>;
+    addDomain(vendorId: string, domain: string): Promise<BrandingDomainMapping>;
+    removeDomain(vendorId: string, domainId: string): Promise<{
+        deleted: boolean;
+    }>;
+}
+
+declare class IQAuthClient {
+    private config;
+    private httpClient;
+    private _accessToken?;
+    private _refreshToken?;
+    private _apiKey?;
+    readonly auth: AuthModule;
+    readonly tokens: TokensModule;
+    readonly sessions: SessionsModule;
+    readonly users: UsersModule;
+    readonly permissions: PermissionsModule;
+    readonly oidc: OidcModule;
+    readonly tenants: TenantsModule;
+    readonly apps: AppsModule;
+    readonly roles: RolesModule;
+    readonly permissionGroups: PermissionGroupsModule;
+    readonly apiKeys: ApiKeysModule;
+    readonly invites: InvitesModule;
+    readonly webhooks: WebhooksModule;
+    readonly entitlements: EntitlementsModule;
+    readonly vendors: VendorsModule;
+    readonly sources: SourcesModule;
+    readonly clients: ClientsModule;
+    readonly hierarchy: HierarchyModule;
+    readonly memberships: MembershipsModule;
+    readonly scope: ScopeModule;
+    readonly gdpr: GdprModule;
+    readonly pin: PinModule;
+    readonly mfa: MfaModule;
+    readonly branding: BrandingModule;
+    readonly environment: IQAuthEnvironment;
+    constructor(config: IQAuthClientConfig);
+    static forBrowserSession(config: Omit<IQAuthBrowserSessionClientConfig, "environment">): IQAuthClient;
+    static forServer(config: IQAuthTokenClientConfig): IQAuthClient;
+    static forMobile(config: IQAuthTokenClientConfig): IQAuthClient;
+    static forService(config: IQAuthTokenClientConfig): IQAuthClient;
+    setTokens(tokens: TokenPair): void;
+    getAccessToken(): string | undefined;
+    getRefreshToken(): string | undefined;
+    private getCurrentClaims;
+    private static resolveEnvironment;
+}
+
+export { AuthModule as A, BrandingModule as B, type CreateAppRequest as C, DEFAULT_TOKEN_ISSUER as D, EntitlementsModule as E, GdprModule as G, HierarchyModule as H, IQAuthClient as I, MembershipsModule as M, OidcModule as O, PermissionsModule as P, RolesModule as R, SessionsModule as S, TokensModule as T, UsersModule as U, VendorsModule as V, WebhooksModule as W, InMemoryOidcStateStore as a, type OidcStateStore as b, type OidcStoredRequest as c, type OidcAuthRequest as d, type OidcCallbackResult as e, type OidcModuleOptions as f, DEFAULT_TOKEN_AUDIENCE as g, DEFAULT_CLOCK_TOLERANCE_SECONDS as h, type TokenVerifyOptions as i, type TokensModuleOptions as j, TenantsModule as k, AppsModule as l, type CreateAppResponse as m, PermissionGroupsModule as n, ApiKeysModule as o, InvitesModule as p, SourcesModule as q, ClientsModule as r, ScopeModule as s, PinModule as t, MfaModule as u };