@meistrari/auth-core 1.18.0 → 1.20.0

package/README.md

@@ -1,4 +1,4 @@
-# Identity Provider SDK - Core
+# @meistrari/auth-core
 
 A TypeScript/JavaScript SDK for interacting with the Auth API service.
 
@@ -14,11 +14,18 @@ A TypeScript/JavaScript SDK for interacting with the Auth API service.
   - Team management
   - Member invitations
 - **JWT Token Validation**
+- **Application Authentication**
+  - OAuth PKCE application flows
+  - OAuth Device Authorization Grant endpoints
+  - Application token refresh, logout, and organization switching
+- **API Keys**
+  - User-scoped API key CRUD
+  - Active-organization API key listing
 
 ## Installation
 
 ```bash
-npm install @meistrari/auth-core
+bun add @meistrari/auth-core
 ```
 
 ## Quick Start
@@ -38,6 +45,16 @@ await authClient.session.signInWithEmailAndPassword({
 // List user's organizations
 const organizations = await authClient.organization.listOrganizations()
 console.log('Organizations:', organizations)
+
+// Application auth helpers
+const { code } = await authClient.application.startAuthorizationFlow(
+    'application-id',
+    'https://your-app.com/auth/callback',
+    'pkce-code-challenge',
+    'organization-id',
+)
+const tokens = await authClient.application.completeAuthorizationFlow(code, 'pkce-code-verifier')
+console.log('Application user:', tokens.user.email)
 ```
 
 ## API Reference

package/dist/index.d.mts

@@ -2,7 +2,7 @@ import * as better_auth_plugins from 'better-auth/plugins';
 import * as better_auth from 'better-auth';
 import { JWTPayload as JWTPayload$1 } from 'better-auth';
 export { APIError } from 'better-auth';
-import { z } from 'zod';
+import z$1, { z } from 'zod';
 import * as better_auth_client from 'better-auth/client';
 import { BetterFetchOption } from 'better-auth/client';
 import * as jose from 'jose';
@@ -261,21 +261,24 @@ declare const JWTPayload: z.ZodObject<{
 }, z.core.$strip>;
 type JWTPayload = JWTPayload$1 & z.infer<typeof JWTPayload>;
 
+declare const ApiKeyMetadata: z$1.ZodObject<{
+    user: z$1.ZodObject<{
+        id: z$1.ZodString;
+        email: z$1.ZodString;
+    }, z$1.core.$strip>;
+    workspace: z$1.ZodObject<{
+        id: z$1.ZodString;
+        title: z$1.ZodString;
+    }, z$1.core.$strip>;
+    application: z$1.ZodNullable<z$1.ZodOptional<z$1.ZodObject<{
+        id: z$1.ZodString;
+        name: z$1.ZodString;
+    }, z$1.core.$strip>>>;
+}, z$1.core.$strip>;
 /**
  * Metadata attached to an API key, identifying the owning user and workspace.
  */
-type ApiKeyMetadata = {
-    /** The user who owns this API key. */
-    user: {
-        id: string;
-        email: string;
-    };
-    /** The workspace this API key belongs to. */
-    workspace: {
-        id: string;
-        title: string;
-    };
-} & Record<string, unknown>;
+type ApiKeyMetadata = z$1.infer<typeof ApiKeyMetadata> & Record<string, unknown>;
 /**
  * A full API key including the secret key value.
  *
@@ -3390,32 +3393,8 @@ declare function createAPIClient(apiUrl: string, fetchOptions?: BetterFetchOptio
             };
         }>;
         listCandidateOrganizations: (applicationId: string) => Promise<{
-            data: {
-                organizations: FullOrganization[];
-                application?: Application | undefined;
-            };
-            error: {
-                message?: string | undefined;
-                status: number;
-                statusText: string;
-            };
-        } | {
-            data: {
-                organizations: FullOrganization[];
-                application?: Application | undefined;
-            };
-            error: null;
-        }>;
-        inviteUserToApplication: (options: InviteUserToApplicationOptions) => Promise<{
-            data: null;
-            error: {
-                message?: string | undefined;
-                status: number;
-                statusText: string;
-            };
-        } | {
-            data: CreateApplicationInvitationResponse;
-            error: null;
+            data: ListCandidateOrganizationsResponse;
+            error?: unknown;
         }>;
         startAuthorizationFlow: (applicationId: string, redirectUri: string, codeChallenge: string, organizationId: string) => Promise<{
             data: null;
@@ -4505,8 +4484,7 @@ type ExtendedOrganization = BaseOrganization & {
 /**
  * A complete organization object including its members, invitations, and teams.
  */
-type FullOrganization = Omit<ExtendedOrganization, 'slug'> & {
-    slug: string | null;
+type FullOrganization = ExtendedOrganization & {
     members: Member[];
     invitations: Invitation[];
     teams: Team[];
@@ -4556,12 +4534,7 @@ type Application = {
 /**
  * Response returned when listing candidate organizations for an application.
  */
-type ListCandidateOrganizationsResponse = {
-    /** The application being queried. */
-    application: Application;
-    /** Organizations where the user is a member and the application is entitled. */
-    organizations: FullOrganization[];
-};
+type ListCandidateOrganizationsResponse = FullOrganization[];
 /**
  * Public application context used to preserve continuity during auth redirects.
  */
@@ -4612,30 +4585,6 @@ type WhoAmIOptions = {
      */
     include?: WhoAmIInclude[];
 };
-type InviteUserToApplicationOptions = {
-    organizationId: string;
-    applicationId: string;
-    email: string;
-    role: Role;
-    teamId?: string;
-    resend?: boolean;
-    sendEmail?: boolean;
-};
-type ApplicationInvitationResponse = {
-    id: string;
-    organizationId: string;
-    email: string;
-    role: string | null;
-    teamId: string | null;
-    applicationId: string | null;
-    status: string;
-    expiresAt: Date | string;
-    inviterId: string;
-    createdAt: Date | string;
-};
-type CreateApplicationInvitationResponse = {
-    data?: ApplicationInvitationResponse;
-};
 /**
  * Response returned when starting a device authorization flow (RFC 8628).
  */
@@ -4810,22 +4759,9 @@ declare class ApplicationService {
      * the application has been enabled with appropriate entitlement rules.
      *
      * @param applicationId - The application ID to get candidate organizations for
-     * @returns The application details and list of candidate organizations
+     * @returns The list of candidate organizations
      */
-    listCandidateOrganizations(applicationId: string): Promise<{
-        organizations: FullOrganization[];
-        application?: Application | undefined;
-    } | {
-        organizations: FullOrganization[];
-        application?: Application | undefined;
-    }>;
-    /**
-     * Invites a user to an application through an organization entitlement.
-     *
-     * @param options - Invitation details including organization, application, email, and role
-     * @returns The created invitation
-     */
-    inviteUserToApplication(options: InviteUserToApplicationOptions): Promise<CreateApplicationInvitationResponse>;
+    listCandidateOrganizations(applicationId: string): Promise<ListCandidateOrganizationsResponse>;
     /**
      * Starts an authorization flow for a specific application.
      *
@@ -4952,6 +4888,10 @@ type ListMembersOptions = {
 };
 /**
  * Options for inviting a user to the active organization.
+ *
+ * When the SDK is authenticated with an application-scoped session, the invitation
+ * is automatically scoped to that application. First-party callers receive a
+ * plain organization invitation.
  */
 type InviteUserToOrganizationOptions = {
     /** Email address of the user to invite. */
@@ -4962,16 +4902,6 @@ type InviteUserToOrganizationOptions = {
     teamId?: string;
     /** Whether to resend the invitation if one already exists for this email. */
     resend?: boolean;
-    /**
-     * Application scope for legacy callers that still pass this option through
-     * the organization invitation path.
-     *
-     * New app-scoped invitations should use
-     * `applications.inviteUserToApplication`, which calls
-     * `POST /api/auth/applications/invitations`. The server rejects legacy
-     * organization invitation creation when this field is present.
-     */
-    applicationId?: string;
 };
 /**
  * Options for removing a user from the active organization.
@@ -5156,15 +5086,17 @@ declare class OrganizationService {
     /**
      * Invites a user to join the active organization.
      *
+     * When the SDK runs with an application-scoped session, the server
+     * automatically scopes the resulting invitation to that application.
+     *
      * @param options - Invitation configuration
      * @param options.userEmail - Email address of the user to invite
      * @param options.role - Role to assign to the invited user
      * @param options.teamId - Team ID to add the user to
-     * @param options.applicationId - Legacy application scope; prefer applications.inviteUserToApplication for new app-scoped invites
      * @param options.resend - Whether to resend if invitation already exists
      * @returns The created invitation
      */
-    inviteUserToOrganization({ userEmail, role, teamId, resend, applicationId }: InviteUserToOrganizationOptions): Promise<NonNullable<{
+    inviteUserToOrganization({ userEmail, role, teamId, resend }: InviteUserToOrganizationOptions): Promise<NonNullable<{
         id: string;
         organizationId: string;
         email: string;
@@ -5653,5 +5585,5 @@ declare function validateToken(token: string, apiUrl: string): Promise<boolean>;
  */
 declare function extractTokenPayload(token: string): JWTPayload;
 
-export { ApplicationError, AuthClient, AuthorizationFlowError, DeviceAccessDeniedError, DeviceAuthorizationPendingError, DeviceAuthorizationSlowDownError, DeviceCodeExpiredError, DeviceTransientServerError, EmailRequired, InvalidCallbackURL, InvalidSocialProvider, JWTPayload, JWTPayloadUser, JWTPayloadWorkspace, RefreshTokenExpiredError, Roles, UserNotLoggedInError, ac, createAPIClient, extractTokenPayload, invitationAdditionalFields, isTokenExpired, memberAdditionalFields, organizationAdditionalFields, rolesAccessControl, userAdditionalFields, validateToken };
-export type { APIClient, ApiKey, ApiKeyMetadata, ApiKeyWithoutSecret, Application, ApplicationAuthContextResponse, ApplicationInvitationResponse, BaseOrganization, CompleteAuthorizationFlowResponse, CreateApiKeyPayload, CreateApplicationInvitationResponse, CreateTeamPayload, DeviceAuthorizationActionResponse, DeviceAuthorizationContextResponse, DeviceAuthorizationResponse, DeviceContextApplication, FullOrganization, Invitation, InviteUserToApplicationOptions, InviteUserToOrganizationOptions, ListCandidateOrganizationsResponse, ListMembersOptions, Member, ExtendedOrganization as Organization, OrganizationSettings, RemoveUserFromOrganizationOptions, Role, Session, SignInWithEmailAndPasswordOptions, SignInWithSamlOptions, SocialSignInOptions, StartAuthorizationFlowResponse, Strict, Team, TeamMember, UpdateApiKeyPayload, UpdateMemberRoleOptions, UpdateOrganizationPayload, UpdateTeamPayload, User, WhoAmIInclude, WhoAmIOptions, WhoAmIOrganization, WhoAmIResponse };
+export { ApiKeyMetadata, ApplicationError, AuthClient, AuthorizationFlowError, DeviceAccessDeniedError, DeviceAuthorizationPendingError, DeviceAuthorizationSlowDownError, DeviceCodeExpiredError, DeviceTransientServerError, EmailRequired, InvalidCallbackURL, InvalidSocialProvider, JWTPayload, JWTPayloadUser, JWTPayloadWorkspace, RefreshTokenExpiredError, Roles, UserNotLoggedInError, ac, createAPIClient, extractTokenPayload, invitationAdditionalFields, isTokenExpired, memberAdditionalFields, organizationAdditionalFields, rolesAccessControl, userAdditionalFields, validateToken };
+export type { APIClient, ApiKey, ApiKeyWithoutSecret, Application, ApplicationAuthContextResponse, BaseOrganization, CompleteAuthorizationFlowResponse, CreateApiKeyPayload, CreateTeamPayload, DeviceAuthorizationActionResponse, DeviceAuthorizationContextResponse, DeviceAuthorizationResponse, DeviceContextApplication, FullOrganization, Invitation, InviteUserToOrganizationOptions, ListCandidateOrganizationsResponse, ListMembersOptions, Member, ExtendedOrganization as Organization, OrganizationSettings, RemoveUserFromOrganizationOptions, Role, Session, SignInWithEmailAndPasswordOptions, SignInWithSamlOptions, SocialSignInOptions, StartAuthorizationFlowResponse, Strict, Team, TeamMember, UpdateApiKeyPayload, UpdateMemberRoleOptions, UpdateOrganizationPayload, UpdateTeamPayload, User, WhoAmIInclude, WhoAmIOptions, WhoAmIOrganization, WhoAmIResponse };

package/dist/index.d.ts

@@ -2,7 +2,7 @@ import * as better_auth_plugins from 'better-auth/plugins';
 import * as better_auth from 'better-auth';
 import { JWTPayload as JWTPayload$1 } from 'better-auth';
 export { APIError } from 'better-auth';
-import { z } from 'zod';
+import z$1, { z } from 'zod';
 import * as better_auth_client from 'better-auth/client';
 import { BetterFetchOption } from 'better-auth/client';
 import * as jose from 'jose';
@@ -261,21 +261,24 @@ declare const JWTPayload: z.ZodObject<{
 }, z.core.$strip>;
 type JWTPayload = JWTPayload$1 & z.infer<typeof JWTPayload>;
 
+declare const ApiKeyMetadata: z$1.ZodObject<{
+    user: z$1.ZodObject<{
+        id: z$1.ZodString;
+        email: z$1.ZodString;
+    }, z$1.core.$strip>;
+    workspace: z$1.ZodObject<{
+        id: z$1.ZodString;
+        title: z$1.ZodString;
+    }, z$1.core.$strip>;
+    application: z$1.ZodNullable<z$1.ZodOptional<z$1.ZodObject<{
+        id: z$1.ZodString;
+        name: z$1.ZodString;
+    }, z$1.core.$strip>>>;
+}, z$1.core.$strip>;
 /**
  * Metadata attached to an API key, identifying the owning user and workspace.
  */
-type ApiKeyMetadata = {
-    /** The user who owns this API key. */
-    user: {
-        id: string;
-        email: string;
-    };
-    /** The workspace this API key belongs to. */
-    workspace: {
-        id: string;
-        title: string;
-    };
-} & Record<string, unknown>;
+type ApiKeyMetadata = z$1.infer<typeof ApiKeyMetadata> & Record<string, unknown>;
 /**
  * A full API key including the secret key value.
  *
@@ -3390,32 +3393,8 @@ declare function createAPIClient(apiUrl: string, fetchOptions?: BetterFetchOptio
             };
         }>;
         listCandidateOrganizations: (applicationId: string) => Promise<{
-            data: {
-                organizations: FullOrganization[];
-                application?: Application | undefined;
-            };
-            error: {
-                message?: string | undefined;
-                status: number;
-                statusText: string;
-            };
-        } | {
-            data: {
-                organizations: FullOrganization[];
-                application?: Application | undefined;
-            };
-            error: null;
-        }>;
-        inviteUserToApplication: (options: InviteUserToApplicationOptions) => Promise<{
-            data: null;
-            error: {
-                message?: string | undefined;
-                status: number;
-                statusText: string;
-            };
-        } | {
-            data: CreateApplicationInvitationResponse;
-            error: null;
+            data: ListCandidateOrganizationsResponse;
+            error?: unknown;
         }>;
         startAuthorizationFlow: (applicationId: string, redirectUri: string, codeChallenge: string, organizationId: string) => Promise<{
             data: null;
@@ -4505,8 +4484,7 @@ type ExtendedOrganization = BaseOrganization & {
 /**
  * A complete organization object including its members, invitations, and teams.
  */
-type FullOrganization = Omit<ExtendedOrganization, 'slug'> & {
-    slug: string | null;
+type FullOrganization = ExtendedOrganization & {
     members: Member[];
     invitations: Invitation[];
     teams: Team[];
@@ -4556,12 +4534,7 @@ type Application = {
 /**
  * Response returned when listing candidate organizations for an application.
  */
-type ListCandidateOrganizationsResponse = {
-    /** The application being queried. */
-    application: Application;
-    /** Organizations where the user is a member and the application is entitled. */
-    organizations: FullOrganization[];
-};
+type ListCandidateOrganizationsResponse = FullOrganization[];
 /**
  * Public application context used to preserve continuity during auth redirects.
  */
@@ -4612,30 +4585,6 @@ type WhoAmIOptions = {
      */
     include?: WhoAmIInclude[];
 };
-type InviteUserToApplicationOptions = {
-    organizationId: string;
-    applicationId: string;
-    email: string;
-    role: Role;
-    teamId?: string;
-    resend?: boolean;
-    sendEmail?: boolean;
-};
-type ApplicationInvitationResponse = {
-    id: string;
-    organizationId: string;
-    email: string;
-    role: string | null;
-    teamId: string | null;
-    applicationId: string | null;
-    status: string;
-    expiresAt: Date | string;
-    inviterId: string;
-    createdAt: Date | string;
-};
-type CreateApplicationInvitationResponse = {
-    data?: ApplicationInvitationResponse;
-};
 /**
  * Response returned when starting a device authorization flow (RFC 8628).
  */
@@ -4810,22 +4759,9 @@ declare class ApplicationService {
      * the application has been enabled with appropriate entitlement rules.
      *
      * @param applicationId - The application ID to get candidate organizations for
-     * @returns The application details and list of candidate organizations
+     * @returns The list of candidate organizations
      */
-    listCandidateOrganizations(applicationId: string): Promise<{
-        organizations: FullOrganization[];
-        application?: Application | undefined;
-    } | {
-        organizations: FullOrganization[];
-        application?: Application | undefined;
-    }>;
-    /**
-     * Invites a user to an application through an organization entitlement.
-     *
-     * @param options - Invitation details including organization, application, email, and role
-     * @returns The created invitation
-     */
-    inviteUserToApplication(options: InviteUserToApplicationOptions): Promise<CreateApplicationInvitationResponse>;
+    listCandidateOrganizations(applicationId: string): Promise<ListCandidateOrganizationsResponse>;
     /**
      * Starts an authorization flow for a specific application.
      *
@@ -4952,6 +4888,10 @@ type ListMembersOptions = {
 };
 /**
  * Options for inviting a user to the active organization.
+ *
+ * When the SDK is authenticated with an application-scoped session, the invitation
+ * is automatically scoped to that application. First-party callers receive a
+ * plain organization invitation.
  */
 type InviteUserToOrganizationOptions = {
     /** Email address of the user to invite. */
@@ -4962,16 +4902,6 @@ type InviteUserToOrganizationOptions = {
     teamId?: string;
     /** Whether to resend the invitation if one already exists for this email. */
     resend?: boolean;
-    /**
-     * Application scope for legacy callers that still pass this option through
-     * the organization invitation path.
-     *
-     * New app-scoped invitations should use
-     * `applications.inviteUserToApplication`, which calls
-     * `POST /api/auth/applications/invitations`. The server rejects legacy
-     * organization invitation creation when this field is present.
-     */
-    applicationId?: string;
 };
 /**
  * Options for removing a user from the active organization.
@@ -5156,15 +5086,17 @@ declare class OrganizationService {
     /**
      * Invites a user to join the active organization.
      *
+     * When the SDK runs with an application-scoped session, the server
+     * automatically scopes the resulting invitation to that application.
+     *
      * @param options - Invitation configuration
      * @param options.userEmail - Email address of the user to invite
      * @param options.role - Role to assign to the invited user
      * @param options.teamId - Team ID to add the user to
-     * @param options.applicationId - Legacy application scope; prefer applications.inviteUserToApplication for new app-scoped invites
      * @param options.resend - Whether to resend if invitation already exists
      * @returns The created invitation
      */
-    inviteUserToOrganization({ userEmail, role, teamId, resend, applicationId }: InviteUserToOrganizationOptions): Promise<NonNullable<{
+    inviteUserToOrganization({ userEmail, role, teamId, resend }: InviteUserToOrganizationOptions): Promise<NonNullable<{
         id: string;
         organizationId: string;
         email: string;
@@ -5653,5 +5585,5 @@ declare function validateToken(token: string, apiUrl: string): Promise<boolean>;
  */
 declare function extractTokenPayload(token: string): JWTPayload;
 
-export { ApplicationError, AuthClient, AuthorizationFlowError, DeviceAccessDeniedError, DeviceAuthorizationPendingError, DeviceAuthorizationSlowDownError, DeviceCodeExpiredError, DeviceTransientServerError, EmailRequired, InvalidCallbackURL, InvalidSocialProvider, JWTPayload, JWTPayloadUser, JWTPayloadWorkspace, RefreshTokenExpiredError, Roles, UserNotLoggedInError, ac, createAPIClient, extractTokenPayload, invitationAdditionalFields, isTokenExpired, memberAdditionalFields, organizationAdditionalFields, rolesAccessControl, userAdditionalFields, validateToken };
-export type { APIClient, ApiKey, ApiKeyMetadata, ApiKeyWithoutSecret, Application, ApplicationAuthContextResponse, ApplicationInvitationResponse, BaseOrganization, CompleteAuthorizationFlowResponse, CreateApiKeyPayload, CreateApplicationInvitationResponse, CreateTeamPayload, DeviceAuthorizationActionResponse, DeviceAuthorizationContextResponse, DeviceAuthorizationResponse, DeviceContextApplication, FullOrganization, Invitation, InviteUserToApplicationOptions, InviteUserToOrganizationOptions, ListCandidateOrganizationsResponse, ListMembersOptions, Member, ExtendedOrganization as Organization, OrganizationSettings, RemoveUserFromOrganizationOptions, Role, Session, SignInWithEmailAndPasswordOptions, SignInWithSamlOptions, SocialSignInOptions, StartAuthorizationFlowResponse, Strict, Team, TeamMember, UpdateApiKeyPayload, UpdateMemberRoleOptions, UpdateOrganizationPayload, UpdateTeamPayload, User, WhoAmIInclude, WhoAmIOptions, WhoAmIOrganization, WhoAmIResponse };
+export { ApiKeyMetadata, ApplicationError, AuthClient, AuthorizationFlowError, DeviceAccessDeniedError, DeviceAuthorizationPendingError, DeviceAuthorizationSlowDownError, DeviceCodeExpiredError, DeviceTransientServerError, EmailRequired, InvalidCallbackURL, InvalidSocialProvider, JWTPayload, JWTPayloadUser, JWTPayloadWorkspace, RefreshTokenExpiredError, Roles, UserNotLoggedInError, ac, createAPIClient, extractTokenPayload, invitationAdditionalFields, isTokenExpired, memberAdditionalFields, organizationAdditionalFields, rolesAccessControl, userAdditionalFields, validateToken };
+export type { APIClient, ApiKey, ApiKeyWithoutSecret, Application, ApplicationAuthContextResponse, BaseOrganization, CompleteAuthorizationFlowResponse, CreateApiKeyPayload, CreateTeamPayload, DeviceAuthorizationActionResponse, DeviceAuthorizationContextResponse, DeviceAuthorizationResponse, DeviceContextApplication, FullOrganization, Invitation, InviteUserToOrganizationOptions, ListCandidateOrganizationsResponse, ListMembersOptions, Member, ExtendedOrganization as Organization, OrganizationSettings, RemoveUserFromOrganizationOptions, Role, Session, SignInWithEmailAndPasswordOptions, SignInWithSamlOptions, SocialSignInOptions, StartAuthorizationFlowResponse, Strict, Team, TeamMember, UpdateApiKeyPayload, UpdateMemberRoleOptions, UpdateOrganizationPayload, UpdateTeamPayload, User, WhoAmIInclude, WhoAmIOptions, WhoAmIOrganization, WhoAmIResponse };

package/dist/index.mjs

@@ -5,10 +5,10 @@ import { createAuthClient } from 'better-auth/client';
 import { organizationClient, inferOrgAdditionalFields, twoFactorClient, jwtClient, adminClient, inferAdditionalFields } from 'better-auth/client/plugins';
 import { createAccessControl } from 'better-auth/plugins/access';
 import { defaultStatements } from 'better-auth/plugins/organization/access';
-import { z } from 'zod';
+import z$1, { z } from 'zod';
 export { APIError } from 'better-auth';
 
-const version = "1.18.0";
+const version = "1.20.0";
 
 const statements = {
   ...defaultStatements,
@@ -86,6 +86,17 @@ const JWTPayload = z.object({
 });
 
 const DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code";
+function normalizeOrganizationsResponse(response) {
+  if (Array.isArray(response)) {
+    return {
+      data: response
+    };
+  }
+  return {
+    ...response,
+    data: Array.isArray(response.data) ? response.data : []
+  };
+}
 function applicationsPluginClient() {
   return {
     id: "applications",
@@ -100,25 +111,12 @@ function applicationsPluginClient() {
             });
           },
           listCandidateOrganizations: async (applicationId) => {
-            const response = await $fetch("/applications/candidate-organizations", {
+            const response = await $fetch("/organization/list", {
               query: {
                 applicationId
               }
             });
-            const organizations = response.data?.organizations ?? [];
-            return {
-              ...response,
-              data: {
-                ...response.data,
-                organizations
-              }
-            };
-          },
-          inviteUserToApplication: async (options) => {
-            return await $fetch("/applications/invitations", {
-              method: "POST",
-              body: options
-            });
+            return normalizeOrganizationsResponse(response);
           },
           startAuthorizationFlow: async (applicationId, redirectUri, codeChallenge, organizationId) => {
             return await $fetch("/applications/authorize", {
@@ -409,7 +407,7 @@ class ApplicationService {
    * the application has been enabled with appropriate entitlement rules.
    *
    * @param applicationId - The application ID to get candidate organizations for
-   * @returns The application details and list of candidate organizations
+   * @returns The list of candidate organizations
    */
   async listCandidateOrganizations(applicationId) {
     const response = await this.client.applications.listCandidateOrganizations(applicationId);
@@ -418,20 +416,6 @@ class ApplicationService {
     }
     return response.data;
   }
-  /**
-   * Invites a user to an application through an organization entitlement.
-   *
-   * @param options - Invitation details including organization, application, email, and role
-   * @returns The created invitation
-   */
-  async inviteUserToApplication(options) {
-    const response = await this.client.applications.inviteUserToApplication(options);
-    const invitation = response.data;
-    if (!invitation) {
-      throw new Error("No invitation returned from application invitation endpoint");
-    }
-    return invitation;
-  }
   /**
    * Starts an authorization flow for a specific application.
    *
@@ -707,23 +691,23 @@ class OrganizationService {
   /**
    * Invites a user to join the active organization.
    *
+   * When the SDK runs with an application-scoped session, the server
+   * automatically scopes the resulting invitation to that application.
+   *
    * @param options - Invitation configuration
    * @param options.userEmail - Email address of the user to invite
    * @param options.role - Role to assign to the invited user
    * @param options.teamId - Team ID to add the user to
-   * @param options.applicationId - Legacy application scope; prefer applications.inviteUserToApplication for new app-scoped invites
    * @param options.resend - Whether to resend if invitation already exists
    * @returns The created invitation
    */
-  async inviteUserToOrganization({ userEmail, role, teamId, resend, applicationId }) {
-    const invitation = {
+  async inviteUserToOrganization({ userEmail, role, teamId, resend }) {
+    return await this.client.organization.inviteMember({
       email: userEmail,
       role,
       teamId,
-      resend: resend ?? false,
-      applicationId
-    };
-    return await this.client.organization.inviteMember(invitation);
+      resend: resend ?? false
+    });
   }
   /**
    * Cancels a pending organization invitation.
@@ -1113,6 +1097,21 @@ class ApiKeyService {
   }
 }
 
+const ApiKeyMetadata = z$1.object({
+  user: z$1.object({
+    id: z$1.string(),
+    email: z$1.string()
+  }),
+  workspace: z$1.object({
+    id: z$1.string(),
+    title: z$1.string()
+  }),
+  application: z$1.object({
+    id: z$1.string(),
+    name: z$1.string()
+  }).optional().nullable()
+});
+
 class AuthClient {
   client;
   /**
@@ -1179,4 +1178,4 @@ function extractTokenPayload(token) {
   return payload;
 }
 
-export { ApplicationError, AuthClient, AuthorizationFlowError, DeviceAccessDeniedError, DeviceAuthorizationPendingError, DeviceAuthorizationSlowDownError, DeviceCodeExpiredError, DeviceTransientServerError, EmailRequired, InvalidCallbackURL, InvalidSocialProvider, JWTPayload, JWTPayloadUser, JWTPayloadWorkspace, RefreshTokenExpiredError, Roles, UserNotLoggedInError, ac, extractTokenPayload, invitationAdditionalFields, isTokenExpired, memberAdditionalFields, organizationAdditionalFields, rolesAccessControl, userAdditionalFields, validateToken };
+export { ApiKeyMetadata, ApplicationError, AuthClient, AuthorizationFlowError, DeviceAccessDeniedError, DeviceAuthorizationPendingError, DeviceAuthorizationSlowDownError, DeviceCodeExpiredError, DeviceTransientServerError, EmailRequired, InvalidCallbackURL, InvalidSocialProvider, JWTPayload, JWTPayloadUser, JWTPayloadWorkspace, RefreshTokenExpiredError, Roles, UserNotLoggedInError, ac, extractTokenPayload, invitationAdditionalFields, isTokenExpired, memberAdditionalFields, organizationAdditionalFields, rolesAccessControl, userAdditionalFields, validateToken };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@meistrari/auth-core",
-  "version": "1.18.0",
+  "version": "1.20.0",
   "type": "module",
   "exports": {
     ".": {