@meistrari/auth-core 1.5.2 → 1.6.0

package/dist/index.d.mts

@@ -2665,6 +2665,70 @@ declare function createAPIClient(apiUrl: string, fetchOptions?: BetterFetchOptio
         code?: string | undefined;
         message?: string | undefined;
     }, FetchOptions["throw"] extends true ? true : true>>;
+} & {
+    applications: {
+        listCandidateOrganizations: (applicationId: string) => Promise<{
+            data: {
+                organizations: ExtendedOrganization[];
+                application?: Application | undefined;
+            };
+            error: null;
+        } | {
+            data: {
+                organizations: ExtendedOrganization[];
+                application?: Application | undefined;
+            };
+            error: {
+                message?: string | undefined;
+                status: number;
+                statusText: string;
+            };
+        }>;
+        startAuthorizationFlow: (applicationId: string, redirectUri: string, codeChallenge: string, organizationId: string) => Promise<{
+            data: null;
+            error: {
+                message?: string | undefined;
+                status: number;
+                statusText: string;
+            };
+        } | {
+            data: StartAuthorizationFlowResponse;
+            error: null;
+        }>;
+        completeAuthorizationFlow: (code: string, codeVerifier: string) => Promise<{
+            data: null;
+            error: {
+                message?: string | undefined;
+                status: number;
+                statusText: string;
+            };
+        } | {
+            data: CompleteAuthorizationFlowResponse;
+            error: null;
+        }>;
+        refreshAccessToken: (refreshToken?: string) => Promise<{
+            data: null;
+            error: {
+                message?: string | undefined;
+                status: number;
+                statusText: string;
+            };
+        } | {
+            data: CompleteAuthorizationFlowResponse;
+            error: null;
+        }>;
+        whoAmI: (accessToken?: string) => Promise<{
+            data: null;
+            error: {
+                message?: string | undefined;
+                status: number;
+                statusText: string;
+            };
+        } | {
+            data: WhoAmIResponse;
+            error: null;
+        }>;
+    };
 } & {
     $Infer: {
         ActiveOrganization: {
@@ -5553,6 +5617,70 @@ declare const stub: {
         code?: string | undefined;
         message?: string | undefined;
     }, FetchOptions["throw"] extends true ? true : true>>;
+} & {
+    applications: {
+        listCandidateOrganizations: (applicationId: string) => Promise<{
+            data: {
+                organizations: ExtendedOrganization[];
+                application?: Application | undefined;
+            };
+            error: null;
+        } | {
+            data: {
+                organizations: ExtendedOrganization[];
+                application?: Application | undefined;
+            };
+            error: {
+                message?: string | undefined;
+                status: number;
+                statusText: string;
+            };
+        }>;
+        startAuthorizationFlow: (applicationId: string, redirectUri: string, codeChallenge: string, organizationId: string) => Promise<{
+            data: null;
+            error: {
+                message?: string | undefined;
+                status: number;
+                statusText: string;
+            };
+        } | {
+            data: StartAuthorizationFlowResponse;
+            error: null;
+        }>;
+        completeAuthorizationFlow: (code: string, codeVerifier: string) => Promise<{
+            data: null;
+            error: {
+                message?: string | undefined;
+                status: number;
+                statusText: string;
+            };
+        } | {
+            data: CompleteAuthorizationFlowResponse;
+            error: null;
+        }>;
+        refreshAccessToken: (refreshToken?: string) => Promise<{
+            data: null;
+            error: {
+                message?: string | undefined;
+                status: number;
+                statusText: string;
+            };
+        } | {
+            data: CompleteAuthorizationFlowResponse;
+            error: null;
+        }>;
+        whoAmI: (accessToken?: string) => Promise<{
+            data: null;
+            error: {
+                message?: string | undefined;
+                status: number;
+                statusText: string;
+            };
+        } | {
+            data: WhoAmIResponse;
+            error: null;
+        }>;
+    };
 } & {
     $Infer: {
         ActiveOrganization: {
@@ -5996,6 +6124,117 @@ type TeamMember = {
     createdAt: Date;
 };
 
+type InternalOrganization = {
+    id: string;
+    title: string;
+    slug: string | null;
+    avatarUrl: string | null;
+    createdAt: Date;
+    metadata: string | null;
+    settings: unknown;
+};
+type Application = {
+    id: string;
+    name: string;
+    description: string;
+    redirectUris: string[];
+};
+type ListCandidateOrganizationsResponse = {
+    application: Application;
+    organizations: InternalOrganization[];
+};
+type StartAuthorizationFlowResponse = {
+    code: string;
+};
+type CompleteAuthorizationFlowResponse = {
+    accessToken: string;
+    refreshToken: string;
+    user: User;
+    organization: InternalOrganization;
+};
+type WhoAmIResponse = {
+    user: User;
+    organization: InternalOrganization;
+};
+
+declare class BaseError extends Error {
+    code: string;
+    constructor(code: string, message: string, options?: ErrorOptions);
+}
+
+declare class ApplicationError extends BaseError {
+    constructor(message: string, options?: ErrorOptions);
+}
+declare class RefreshTokenExpiredError extends ApplicationError {
+    constructor(options?: ErrorOptions);
+}
+declare class AuthorizationFlowError extends ApplicationError {
+    constructor(message: string, options?: ErrorOptions);
+}
+
+/**
+ * Service for managing applications and their candidate organizations.
+ *
+ * Provides functionality for:
+ * - Listing candidate organizations for an application
+ */
+declare class ApplicationService {
+    private client;
+    /**
+     * Creates a new ApplicationService instance.
+     *
+     * @param client - The API client for making application requests
+     */
+    constructor(client: APIClient);
+    /**
+     * Lists candidate organizations for a specific application.
+     *
+     * Returns organizations where the authenticated user is a member and
+     * the application has been enabled with appropriate entitlement rules.
+     *
+     * @param applicationId - The application ID to get candidate organizations for
+     * @returns The application details and list of candidate organizations
+     */
+    listCandidateOrganizations(applicationId: string): Promise<{
+        organizations: ExtendedOrganization[];
+        application?: Application | undefined;
+    } | {
+        organizations: ExtendedOrganization[];
+        application?: Application | undefined;
+    }>;
+    /**
+     * Starts an authorization flow for a specific application.
+     *
+     * @param applicationId - The application ID to start the authorization flow for
+     * @param redirectUri - The redirect URI to use for the authorization flow
+     * @param codeChallenge - The code challenge to use for the authorization flow
+     * @param organizationId - The organization ID to start the authorization flow for
+     */
+    startAuthorizationFlow(applicationId: string, redirectUri: string, codeChallenge: string, organizationId: string): Promise<StartAuthorizationFlowResponse>;
+    /**
+     * Completes an authorization flow for a specific application.
+     *
+     * @param code - The code to use for the authorization flow
+     * @param codeVerifier - The code verifier to use for the authorization flow
+     */
+    completeAuthorizationFlow(code: string, codeVerifier: string): Promise<CompleteAuthorizationFlowResponse>;
+    /**
+     * Refreshes an authentication token for a specific application.
+     *
+     * @param refreshToken - The refresh token to use for the authentication token refresh
+     * @throws {RefreshTokenExpiredError} When the refresh token has expired or is invalid
+     * @throws {ApplicationError} For other API errors
+     */
+    refreshAccessToken(): Promise<CompleteAuthorizationFlowResponse>;
+    /**
+     * Gets the current user and organization for a specific application.
+     *
+     * @param accessToken - The access token to use for the who am I request
+     * @returns The current user and organization
+     */
+    whoAmI(accessToken?: string): Promise<WhoAmIResponse>;
+}
+
 type UpdateOrganizationPayload = Partial<Pick<ExtendedOrganization, 'name' | 'logo' | 'settings'>>;
 type ListMembersOptions = {
     limit?: number;
@@ -6567,11 +6806,6 @@ declare class ApiKeyService {
     }>;
 }
 
-declare class BaseError extends Error {
-    code: string;
-    constructor(code: string, message: string, options?: ErrorOptions);
-}
-
 /**
  * Error thrown when an invalid social provider is specified.
  */
@@ -6624,6 +6858,10 @@ declare class AuthClient {
      * Organization management service for multi-tenant operations
      */
     organization: OrganizationService;
+    /**
+     * Application management service for application operations
+     */
+    application: ApplicationService;
     /**
      * API key management service for API key operations
      */
@@ -6638,20 +6876,28 @@ declare class AuthClient {
 }
 
 /**
- * Checks if a JWT token has expired based on the `exp` claim.
+ * Checks if a JWT token has expired or will expire within a specified time window.
  *
  * @param token - The JWT token string to check
- * @returns `true` if the token is expired, `false` otherwise
+ * @param expiresInMs - Optional time window in milliseconds. If provided, returns `true` if the token will expire within this time window
+ * @returns `true` if the token is expired (or will expire within the specified window), `false` otherwise
  *
  * @example
  * ```typescript
  * const token = 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...'
+ *
+ * // Check if token is already expired
  * if (isTokenExpired(token)) {
  *   console.log('Token has expired')
  * }
+ *
+ * // Check if token will expire in the next 5 minutes
+ * if (isTokenExpired(token, 5 * 60 * 1000)) {
+ *   console.log('Token will expire in the next 5 minutes')
+ * }
  * ```
  */
-declare function isTokenExpired(token: string): any;
+declare function isTokenExpired(token: string, expiresInMs?: number): boolean;
 /**
  * Validates a JWT token by checking its expiration and verifying its signature
  * against the JWKS endpoint.
@@ -6690,5 +6936,5 @@ declare function validateToken(token: string, apiUrl: string): Promise<boolean>;
  */
 declare function extractTokenPayload(token: string): JWTTokenPayload;
 
-export { AuthClient, EmailRequired, InvalidCallbackURL, InvalidSocialProvider, Roles, ac, createAPIClient, extractTokenPayload, isTokenExpired, organizationAdditionalFields, rolesAccessControl, userAdditionalFields, validateToken };
-export type { APIClient, ApiKeyMetadata, CreateApiKeyPayload, CreateTeamPayload, FullOrganization, Invitation, InviteUserToOrganizationOptions, JWTTokenPayload, ListMembersOptions, ExtendedMember as Member, ExtendedOrganization as Organization, RemoveUserFromOrganizationOptions, Role, Session, SignInWithEmailAndPasswordOptions, SignInWithSamlOptions, SocialSignInOptions, Team, TeamMember, UpdateApiKeyPayload, UpdateMemberRoleOptions, UpdateOrganizationPayload, UpdateTeamPayload, User };
+export { ApplicationError, AuthClient, AuthorizationFlowError, EmailRequired, InvalidCallbackURL, InvalidSocialProvider, RefreshTokenExpiredError, Roles, ac, createAPIClient, extractTokenPayload, isTokenExpired, organizationAdditionalFields, rolesAccessControl, userAdditionalFields, validateToken };
+export type { APIClient, ApiKeyMetadata, Application, CompleteAuthorizationFlowResponse, CreateApiKeyPayload, CreateTeamPayload, FullOrganization, Invitation, InviteUserToOrganizationOptions, JWTTokenPayload, ListCandidateOrganizationsResponse, ListMembersOptions, ExtendedMember as Member, ExtendedOrganization as Organization, RemoveUserFromOrganizationOptions, Role, Session, SignInWithEmailAndPasswordOptions, SignInWithSamlOptions, SocialSignInOptions, StartAuthorizationFlowResponse, Team, TeamMember, UpdateApiKeyPayload, UpdateMemberRoleOptions, UpdateOrganizationPayload, UpdateTeamPayload, User, WhoAmIResponse };

package/dist/index.d.ts

@@ -2665,6 +2665,70 @@ declare function createAPIClient(apiUrl: string, fetchOptions?: BetterFetchOptio
         code?: string | undefined;
         message?: string | undefined;
     }, FetchOptions["throw"] extends true ? true : true>>;
+} & {
+    applications: {
+        listCandidateOrganizations: (applicationId: string) => Promise<{
+            data: {
+                organizations: ExtendedOrganization[];
+                application?: Application | undefined;
+            };
+            error: null;
+        } | {
+            data: {
+                organizations: ExtendedOrganization[];
+                application?: Application | undefined;
+            };
+            error: {
+                message?: string | undefined;
+                status: number;
+                statusText: string;
+            };
+        }>;
+        startAuthorizationFlow: (applicationId: string, redirectUri: string, codeChallenge: string, organizationId: string) => Promise<{
+            data: null;
+            error: {
+                message?: string | undefined;
+                status: number;
+                statusText: string;
+            };
+        } | {
+            data: StartAuthorizationFlowResponse;
+            error: null;
+        }>;
+        completeAuthorizationFlow: (code: string, codeVerifier: string) => Promise<{
+            data: null;
+            error: {
+                message?: string | undefined;
+                status: number;
+                statusText: string;
+            };
+        } | {
+            data: CompleteAuthorizationFlowResponse;
+            error: null;
+        }>;
+        refreshAccessToken: (refreshToken?: string) => Promise<{
+            data: null;
+            error: {
+                message?: string | undefined;
+                status: number;
+                statusText: string;
+            };
+        } | {
+            data: CompleteAuthorizationFlowResponse;
+            error: null;
+        }>;
+        whoAmI: (accessToken?: string) => Promise<{
+            data: null;
+            error: {
+                message?: string | undefined;
+                status: number;
+                statusText: string;
+            };
+        } | {
+            data: WhoAmIResponse;
+            error: null;
+        }>;
+    };
 } & {
     $Infer: {
         ActiveOrganization: {
@@ -5553,6 +5617,70 @@ declare const stub: {
         code?: string | undefined;
         message?: string | undefined;
     }, FetchOptions["throw"] extends true ? true : true>>;
+} & {
+    applications: {
+        listCandidateOrganizations: (applicationId: string) => Promise<{
+            data: {
+                organizations: ExtendedOrganization[];
+                application?: Application | undefined;
+            };
+            error: null;
+        } | {
+            data: {
+                organizations: ExtendedOrganization[];
+                application?: Application | undefined;
+            };
+            error: {
+                message?: string | undefined;
+                status: number;
+                statusText: string;
+            };
+        }>;
+        startAuthorizationFlow: (applicationId: string, redirectUri: string, codeChallenge: string, organizationId: string) => Promise<{
+            data: null;
+            error: {
+                message?: string | undefined;
+                status: number;
+                statusText: string;
+            };
+        } | {
+            data: StartAuthorizationFlowResponse;
+            error: null;
+        }>;
+        completeAuthorizationFlow: (code: string, codeVerifier: string) => Promise<{
+            data: null;
+            error: {
+                message?: string | undefined;
+                status: number;
+                statusText: string;
+            };
+        } | {
+            data: CompleteAuthorizationFlowResponse;
+            error: null;
+        }>;
+        refreshAccessToken: (refreshToken?: string) => Promise<{
+            data: null;
+            error: {
+                message?: string | undefined;
+                status: number;
+                statusText: string;
+            };
+        } | {
+            data: CompleteAuthorizationFlowResponse;
+            error: null;
+        }>;
+        whoAmI: (accessToken?: string) => Promise<{
+            data: null;
+            error: {
+                message?: string | undefined;
+                status: number;
+                statusText: string;
+            };
+        } | {
+            data: WhoAmIResponse;
+            error: null;
+        }>;
+    };
 } & {
     $Infer: {
         ActiveOrganization: {
@@ -5996,6 +6124,117 @@ type TeamMember = {
     createdAt: Date;
 };
 
+type InternalOrganization = {
+    id: string;
+    title: string;
+    slug: string | null;
+    avatarUrl: string | null;
+    createdAt: Date;
+    metadata: string | null;
+    settings: unknown;
+};
+type Application = {
+    id: string;
+    name: string;
+    description: string;
+    redirectUris: string[];
+};
+type ListCandidateOrganizationsResponse = {
+    application: Application;
+    organizations: InternalOrganization[];
+};
+type StartAuthorizationFlowResponse = {
+    code: string;
+};
+type CompleteAuthorizationFlowResponse = {
+    accessToken: string;
+    refreshToken: string;
+    user: User;
+    organization: InternalOrganization;
+};
+type WhoAmIResponse = {
+    user: User;
+    organization: InternalOrganization;
+};
+
+declare class BaseError extends Error {
+    code: string;
+    constructor(code: string, message: string, options?: ErrorOptions);
+}
+
+declare class ApplicationError extends BaseError {
+    constructor(message: string, options?: ErrorOptions);
+}
+declare class RefreshTokenExpiredError extends ApplicationError {
+    constructor(options?: ErrorOptions);
+}
+declare class AuthorizationFlowError extends ApplicationError {
+    constructor(message: string, options?: ErrorOptions);
+}
+
+/**
+ * Service for managing applications and their candidate organizations.
+ *
+ * Provides functionality for:
+ * - Listing candidate organizations for an application
+ */
+declare class ApplicationService {
+    private client;
+    /**
+     * Creates a new ApplicationService instance.
+     *
+     * @param client - The API client for making application requests
+     */
+    constructor(client: APIClient);
+    /**
+     * Lists candidate organizations for a specific application.
+     *
+     * Returns organizations where the authenticated user is a member and
+     * the application has been enabled with appropriate entitlement rules.
+     *
+     * @param applicationId - The application ID to get candidate organizations for
+     * @returns The application details and list of candidate organizations
+     */
+    listCandidateOrganizations(applicationId: string): Promise<{
+        organizations: ExtendedOrganization[];
+        application?: Application | undefined;
+    } | {
+        organizations: ExtendedOrganization[];
+        application?: Application | undefined;
+    }>;
+    /**
+     * Starts an authorization flow for a specific application.
+     *
+     * @param applicationId - The application ID to start the authorization flow for
+     * @param redirectUri - The redirect URI to use for the authorization flow
+     * @param codeChallenge - The code challenge to use for the authorization flow
+     * @param organizationId - The organization ID to start the authorization flow for
+     */
+    startAuthorizationFlow(applicationId: string, redirectUri: string, codeChallenge: string, organizationId: string): Promise<StartAuthorizationFlowResponse>;
+    /**
+     * Completes an authorization flow for a specific application.
+     *
+     * @param code - The code to use for the authorization flow
+     * @param codeVerifier - The code verifier to use for the authorization flow
+     */
+    completeAuthorizationFlow(code: string, codeVerifier: string): Promise<CompleteAuthorizationFlowResponse>;
+    /**
+     * Refreshes an authentication token for a specific application.
+     *
+     * @param refreshToken - The refresh token to use for the authentication token refresh
+     * @throws {RefreshTokenExpiredError} When the refresh token has expired or is invalid
+     * @throws {ApplicationError} For other API errors
+     */
+    refreshAccessToken(): Promise<CompleteAuthorizationFlowResponse>;
+    /**
+     * Gets the current user and organization for a specific application.
+     *
+     * @param accessToken - The access token to use for the who am I request
+     * @returns The current user and organization
+     */
+    whoAmI(accessToken?: string): Promise<WhoAmIResponse>;
+}
+
 type UpdateOrganizationPayload = Partial<Pick<ExtendedOrganization, 'name' | 'logo' | 'settings'>>;
 type ListMembersOptions = {
     limit?: number;
@@ -6567,11 +6806,6 @@ declare class ApiKeyService {
     }>;
 }
 
-declare class BaseError extends Error {
-    code: string;
-    constructor(code: string, message: string, options?: ErrorOptions);
-}
-
 /**
  * Error thrown when an invalid social provider is specified.
  */
@@ -6624,6 +6858,10 @@ declare class AuthClient {
      * Organization management service for multi-tenant operations
      */
     organization: OrganizationService;
+    /**
+     * Application management service for application operations
+     */
+    application: ApplicationService;
     /**
      * API key management service for API key operations
      */
@@ -6638,20 +6876,28 @@ declare class AuthClient {
 }
 
 /**
- * Checks if a JWT token has expired based on the `exp` claim.
+ * Checks if a JWT token has expired or will expire within a specified time window.
  *
  * @param token - The JWT token string to check
- * @returns `true` if the token is expired, `false` otherwise
+ * @param expiresInMs - Optional time window in milliseconds. If provided, returns `true` if the token will expire within this time window
+ * @returns `true` if the token is expired (or will expire within the specified window), `false` otherwise
  *
  * @example
  * ```typescript
  * const token = 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...'
+ *
+ * // Check if token is already expired
  * if (isTokenExpired(token)) {
  *   console.log('Token has expired')
  * }
+ *
+ * // Check if token will expire in the next 5 minutes
+ * if (isTokenExpired(token, 5 * 60 * 1000)) {
+ *   console.log('Token will expire in the next 5 minutes')
+ * }
  * ```
  */
-declare function isTokenExpired(token: string): any;
+declare function isTokenExpired(token: string, expiresInMs?: number): boolean;
 /**
  * Validates a JWT token by checking its expiration and verifying its signature
  * against the JWKS endpoint.
@@ -6690,5 +6936,5 @@ declare function validateToken(token: string, apiUrl: string): Promise<boolean>;
  */
 declare function extractTokenPayload(token: string): JWTTokenPayload;
 
-export { AuthClient, EmailRequired, InvalidCallbackURL, InvalidSocialProvider, Roles, ac, createAPIClient, extractTokenPayload, isTokenExpired, organizationAdditionalFields, rolesAccessControl, userAdditionalFields, validateToken };
-export type { APIClient, ApiKeyMetadata, CreateApiKeyPayload, CreateTeamPayload, FullOrganization, Invitation, InviteUserToOrganizationOptions, JWTTokenPayload, ListMembersOptions, ExtendedMember as Member, ExtendedOrganization as Organization, RemoveUserFromOrganizationOptions, Role, Session, SignInWithEmailAndPasswordOptions, SignInWithSamlOptions, SocialSignInOptions, Team, TeamMember, UpdateApiKeyPayload, UpdateMemberRoleOptions, UpdateOrganizationPayload, UpdateTeamPayload, User };
+export { ApplicationError, AuthClient, AuthorizationFlowError, EmailRequired, InvalidCallbackURL, InvalidSocialProvider, RefreshTokenExpiredError, Roles, ac, createAPIClient, extractTokenPayload, isTokenExpired, organizationAdditionalFields, rolesAccessControl, userAdditionalFields, validateToken };
+export type { APIClient, ApiKeyMetadata, Application, CompleteAuthorizationFlowResponse, CreateApiKeyPayload, CreateTeamPayload, FullOrganization, Invitation, InviteUserToOrganizationOptions, JWTTokenPayload, ListCandidateOrganizationsResponse, ListMembersOptions, ExtendedMember as Member, ExtendedOrganization as Organization, RemoveUserFromOrganizationOptions, Role, Session, SignInWithEmailAndPasswordOptions, SignInWithSamlOptions, SocialSignInOptions, StartAuthorizationFlowResponse, Team, TeamMember, UpdateApiKeyPayload, UpdateMemberRoleOptions, UpdateOrganizationPayload, UpdateTeamPayload, User, WhoAmIResponse };

package/dist/index.mjs

@@ -6,7 +6,7 @@ import { createAccessControl } from 'better-auth/plugins/access';
 import { defaultStatements } from 'better-auth/plugins/organization/access';
 export { BetterFetchError as APIError } from '@better-fetch/fetch';
 
-const version = "1.5.2";
+const version = "1.6.0";
 
 const statements = {
   ...defaultStatements,
@@ -48,6 +48,80 @@ const organizationAdditionalFields = {
   }
 };
 
+function applicationsPluginClient() {
+  return {
+    id: "applications",
+    getActions: ($fetch) => {
+      return {
+        applications: {
+          listCandidateOrganizations: async (applicationId) => {
+            const response = await $fetch("/applications/candidate-organizations", {
+              query: {
+                applicationId
+              }
+            });
+            const organizations = response.data?.organizations.map((organization) => ({
+              id: organization.id,
+              name: organization.title,
+              slug: organization.slug ?? "",
+              createdAt: organization.createdAt,
+              logo: organization.avatarUrl,
+              metadata: organization.metadata
+            })) ?? [];
+            return {
+              ...response,
+              data: {
+                ...response.data,
+                organizations
+              }
+            };
+          },
+          startAuthorizationFlow: async (applicationId, redirectUri, codeChallenge, organizationId) => {
+            return await $fetch("/applications/authorize", {
+              method: "POST",
+              body: {
+                applicationId,
+                redirectUri,
+                codeChallenge,
+                organizationId
+              }
+            });
+          },
+          completeAuthorizationFlow: async (code, codeVerifier) => {
+            return await $fetch("/applications/token", {
+              method: "POST",
+              body: {
+                code,
+                codeVerifier
+              }
+            });
+          },
+          refreshAccessToken: async (refreshToken) => {
+            const headers = new Headers();
+            if (refreshToken) {
+              headers.set("Cookie", `tela-refresh-token=${refreshToken}`);
+            }
+            return await $fetch("/applications/token/refresh", {
+              method: "POST",
+              headers
+            });
+          },
+          whoAmI: async (accessToken) => {
+            const headers = new Headers();
+            if (accessToken) {
+              headers.set("Cookie", `tela-access-token=${accessToken}`);
+            }
+            return await $fetch("/applications/whoami", {
+              method: "GET",
+              headers
+            });
+          }
+        }
+      };
+    }
+  };
+}
+
 function customEndpointsPluginClient() {
   return {
     id: "custom-endpoints",
@@ -94,7 +168,8 @@ function createAPIClient(apiUrl, fetchOptions = {}) {
       adminClient(),
       inferAdditionalFields({
         user: userAdditionalFields
-      })
+      }),
+      applicationsPluginClient()
     ],
     fetchOptions: {
       ...fetchOptions,
@@ -109,6 +184,119 @@ function createAPIClient(apiUrl, fetchOptions = {}) {
 }
 createAPIClient("");
 
+class BaseError extends Error {
+  code;
+  constructor(code, message, options) {
+    super(message, options);
+    this.code = code;
+  }
+}
+
+class ApplicationError extends BaseError {
+  constructor(message, options) {
+    super("APPLICATION_ERROR", message, options);
+  }
+}
+class RefreshTokenExpiredError extends ApplicationError {
+  constructor(options) {
+    super("Refresh token has expired or is invalid", options);
+    this.code = "REFRESH_TOKEN_EXPIRED";
+  }
+}
+class AuthorizationFlowError extends ApplicationError {
+  constructor(message, options) {
+    super(message, options);
+    this.code = "AUTHORIZATION_FLOW_ERROR";
+  }
+}
+
+class ApplicationService {
+  /**
+   * Creates a new ApplicationService instance.
+   *
+   * @param client - The API client for making application requests
+   */
+  constructor(client) {
+    this.client = client;
+  }
+  /**
+   * Lists candidate organizations for a specific application.
+   *
+   * Returns organizations where the authenticated user is a member and
+   * the application has been enabled with appropriate entitlement rules.
+   *
+   * @param applicationId - The application ID to get candidate organizations for
+   * @returns The application details and list of candidate organizations
+   */
+  async listCandidateOrganizations(applicationId) {
+    const response = await this.client.applications.listCandidateOrganizations(applicationId);
+    if (!response.data) {
+      throw new Error("No data returned from the API", { cause: response.error });
+    }
+    return response.data;
+  }
+  /**
+   * Starts an authorization flow for a specific application.
+   *
+   * @param applicationId - The application ID to start the authorization flow for
+   * @param redirectUri - The redirect URI to use for the authorization flow
+   * @param codeChallenge - The code challenge to use for the authorization flow
+   * @param organizationId - The organization ID to start the authorization flow for
+   */
+  async startAuthorizationFlow(applicationId, redirectUri, codeChallenge, organizationId) {
+    const response = await this.client.applications.startAuthorizationFlow(applicationId, redirectUri, codeChallenge, organizationId);
+    if (!response.data) {
+      throw new Error("No data returned from the API", { cause: response.error });
+    }
+    return response.data;
+  }
+  /**
+   * Completes an authorization flow for a specific application.
+   *
+   * @param code - The code to use for the authorization flow
+   * @param codeVerifier - The code verifier to use for the authorization flow
+   */
+  async completeAuthorizationFlow(code, codeVerifier) {
+    const response = await this.client.applications.completeAuthorizationFlow(code, codeVerifier);
+    if (!response.data) {
+      throw new Error("No data returned from the API", { cause: response.error });
+    }
+    return response.data;
+  }
+  /**
+   * Refreshes an authentication token for a specific application.
+   *
+   * @param refreshToken - The refresh token to use for the authentication token refresh
+   * @throws {RefreshTokenExpiredError} When the refresh token has expired or is invalid
+   * @throws {ApplicationError} For other API errors
+   */
+  async refreshAccessToken() {
+    const response = await this.client.applications.refreshAccessToken();
+    if (!response.data) {
+      const error = response.error;
+      const status = error?.status;
+      if (status === 404) {
+        throw new RefreshTokenExpiredError({ cause: error });
+      }
+      throw new ApplicationError(error?.message || "Failed to refresh access token", { cause: error });
+    }
+    return response.data;
+  }
+  /**
+   * Gets the current user and organization for a specific application.
+   *
+   * @param accessToken - The access token to use for the who am I request
+   * @returns The current user and organization
+   */
+  async whoAmI(accessToken) {
+    const response = await this.client.applications.whoAmI(accessToken);
+    if (!response.data) {
+      throw new Error("No data returned from the API", { cause: response.error });
+    }
+    return response.data;
+  }
+}
+
 class OrganizationService {
   /**
    * Creates a new OrganizationService instance.
@@ -337,14 +525,6 @@ class OrganizationService {
   }
 }
 
-class BaseError extends Error {
-  code;
-  constructor(code, message, options) {
-    super(message, options);
-    this.code = code;
-  }
-}
-
 class InvalidSocialProvider extends BaseError {
   constructor(message) {
     super("INVALID_SOCIAL_PROVIDER", message);
@@ -583,6 +763,10 @@ class AuthClient {
    * Organization management service for multi-tenant operations
    */
   organization;
+  /**
+   * Application management service for application operations
+   */
+  application;
   /**
    * API key management service for API key operations
    */
@@ -597,13 +781,21 @@ class AuthClient {
     this.client = createAPIClient(apiUrl, fetchOptions);
     this.session = new SessionService(this.client, apiUrl);
     this.organization = new OrganizationService(this.client);
+    this.application = new ApplicationService(this.client);
     this.apiKey = new ApiKeyService(this.client);
   }
 }
 
-function isTokenExpired(token) {
+function isTokenExpired(token, expiresInMs) {
   const payload = JSON.parse(atob(token.split(".")[1] ?? ""));
-  return payload.exp && Date.now() / 1e3 > payload.exp;
+  if (!payload.exp) return false;
+  const nowInSeconds = Date.now() / 1e3;
+  const expirationTime = payload.exp;
+  if (expiresInMs !== void 0) {
+    const futureTimeInSeconds = nowInSeconds + expiresInMs / 1e3;
+    return futureTimeInSeconds >= expirationTime;
+  }
+  return nowInSeconds > expirationTime;
 }
 async function validateToken(token, apiUrl) {
   if (isTokenExpired(token)) {
@@ -626,4 +818,4 @@ function extractTokenPayload(token) {
   return payload;
 }
 
-export { AuthClient, EmailRequired, InvalidCallbackURL, InvalidSocialProvider, Roles, ac, extractTokenPayload, isTokenExpired, organizationAdditionalFields, rolesAccessControl, userAdditionalFields, validateToken };
+export { ApplicationError, AuthClient, AuthorizationFlowError, EmailRequired, InvalidCallbackURL, InvalidSocialProvider, RefreshTokenExpiredError, Roles, ac, extractTokenPayload, isTokenExpired, organizationAdditionalFields, rolesAccessControl, userAdditionalFields, validateToken };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@meistrari/auth-core",
-  "version": "1.5.2",
+  "version": "1.6.0",
   "type": "module",
   "exports": {
     ".": {