@moon-x/node-sdk 0.5.0 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -64,14 +64,14 @@ Construct once per process. Holds in-memory caches; reuse across requests.
64
64
  | Field | Type | Required | Default |
65
65
  |---|---|---|---|
66
66
  | `publishableKey` | `string` | Yes | — |
67
- | `secretKey` | `string` | No (v0.1 unused) | |
67
+ | `secretKey` | `string` | For `ephemeralSigners` | n/a |
68
68
  | `issuer` | `string` | No | `https://api.moonx-dev.com` |
69
69
  | `baseUrl` | `string` | No | Same as `issuer` |
70
70
  | `jwksTtlMs` | `number` | No | `300_000` (5 min) |
71
71
  | `appResolveTtlMs` | `number` | No | `3_600_000` (1 hour) |
72
72
  | `fetch` | `typeof fetch` | No | `globalThis.fetch` |
73
73
 
74
- The publishable key (`moon_pk_*`) is the same one your iframe / browser SDK uses. It's safe to put in any env var, but in node-sdk it typically reads from a server-only env var alongside the secret key. The secret key (`moon_sk_*`) field is reserved for v0.2 (data + swaps modules).
74
+ The publishable key (`moon_pk_*`) is the same one your iframe / browser SDK uses; it resolves your app id and scopes JWKS lookups. The secret key (`moon_sk_*`) is required to use `ephemeralSigners` (the wallets server-side ephemeral-signer routes are secret-key-only) and by the v0.2 data + swaps modules. Read both from server-only env vars; never expose the secret key to the browser.
75
75
 
76
76
  ### `client.auth.verifyAccessToken(token)`
77
77
 
@@ -148,5 +148,5 @@ Auth providers ship server SDKs partly to abstract away `jose`-style JWT librari
148
148
 
149
149
  ## Roadmap
150
150
 
151
- - **v0.1 (current)** — auth: `verifyAccessToken`, `verifyIdentityToken`, `verifySession`.
152
- - **v0.2 (pending [MX-124](https://linear.app/moonpay/issue/MX-124))** adds `client.tokens.*`, `client.wallets.*`, `client.swaps.*` once the backend's secret-key middleware lands.
151
+ - **Current**: auth (`verifyAccessToken`, `verifyIdentityToken`, `verifySession`) plus `ephemeralSigners` (secret-key gated server-side signing).
152
+ - **v0.2 ([MX-124](https://linear.app/moonpay/issue/MX-124))**: adds `client.tokens.*` and `client.swaps.*`.
package/dist/index.d.mts CHANGED
@@ -61,8 +61,9 @@ interface MoonXClientConfig {
61
61
  publishableKey: string;
62
62
  /**
63
63
  * Optional. The secret key (`moon_sk_*`) for your MoonX app. Required
64
- * for privileged endpoints (datalayer, swaps) not used by v0.1
65
- * (auth-only). Reserved for the v0.2 surface expansion.
64
+ * to use `ephemeralSigners`: the wallets server-side ephemeral-signer
65
+ * routes (/me/wallets, /sign) are secret-key-only (MX-124). Also used
66
+ * by the privileged datalayer / swaps endpoints in the v0.2 surface.
66
67
  *
67
68
  * NEVER hardcode. NEVER expose to the browser. Always read from a
68
69
  * server-only env var.
@@ -104,8 +105,13 @@ interface MoonXClientConfig {
104
105
 
105
106
  interface EphemeralSignersConfig {
106
107
  baseUrl: string;
107
- /** MoonX publishable key — required for the Authorization header on /ephemeral-signers/* calls. */
108
- publishableKey: string;
108
+ /**
109
+ * MoonX secret key (`moon_sk_*`). The server-side ephemeral-signer
110
+ * routes (/me/wallets, /sign) are secret-key-only. Optional here
111
+ * because MoonXClient takes it optionally; sign() throws if it is
112
+ * absent. Server-only; never expose to the browser.
113
+ */
114
+ secretKey?: string;
109
115
  fetchImpl?: typeof fetch;
110
116
  }
111
117
  interface SignEphemeralSignerParams {
@@ -159,9 +165,9 @@ declare class EphemeralSigners {
159
165
  * // session.identity?.email — OIDC profile claim (when identity token sent)
160
166
  * // session.identity?.name — etc.
161
167
  *
162
- * v0.1 ships the `auth` namespace only. The `tokens`, `wallets`, and
163
- * `swaps` namespaces will land in v0.2 once the secret-key middleware
164
- * (MX-124) ships on the backend.
168
+ * Today this ships the `auth` namespace plus `ephemeralSigners` (the
169
+ * latter is secret-key gated; see `secretKey`). The `tokens` and `swaps`
170
+ * namespaces land in v0.2.
165
171
  */
166
172
  declare class MoonXClient {
167
173
  readonly auth: Auth;
package/dist/index.d.ts CHANGED
@@ -61,8 +61,9 @@ interface MoonXClientConfig {
61
61
  publishableKey: string;
62
62
  /**
63
63
  * Optional. The secret key (`moon_sk_*`) for your MoonX app. Required
64
- * for privileged endpoints (datalayer, swaps) not used by v0.1
65
- * (auth-only). Reserved for the v0.2 surface expansion.
64
+ * to use `ephemeralSigners`: the wallets server-side ephemeral-signer
65
+ * routes (/me/wallets, /sign) are secret-key-only (MX-124). Also used
66
+ * by the privileged datalayer / swaps endpoints in the v0.2 surface.
66
67
  *
67
68
  * NEVER hardcode. NEVER expose to the browser. Always read from a
68
69
  * server-only env var.
@@ -104,8 +105,13 @@ interface MoonXClientConfig {
104
105
 
105
106
  interface EphemeralSignersConfig {
106
107
  baseUrl: string;
107
- /** MoonX publishable key — required for the Authorization header on /ephemeral-signers/* calls. */
108
- publishableKey: string;
108
+ /**
109
+ * MoonX secret key (`moon_sk_*`). The server-side ephemeral-signer
110
+ * routes (/me/wallets, /sign) are secret-key-only. Optional here
111
+ * because MoonXClient takes it optionally; sign() throws if it is
112
+ * absent. Server-only; never expose to the browser.
113
+ */
114
+ secretKey?: string;
109
115
  fetchImpl?: typeof fetch;
110
116
  }
111
117
  interface SignEphemeralSignerParams {
@@ -159,9 +165,9 @@ declare class EphemeralSigners {
159
165
  * // session.identity?.email — OIDC profile claim (when identity token sent)
160
166
  * // session.identity?.name — etc.
161
167
  *
162
- * v0.1 ships the `auth` namespace only. The `tokens`, `wallets`, and
163
- * `swaps` namespaces will land in v0.2 once the secret-key middleware
164
- * (MX-124) ships on the backend.
168
+ * Today this ships the `auth` namespace plus `ephemeralSigners` (the
169
+ * latter is secret-key gated; see `secretKey`). The `tokens` and `swaps`
170
+ * namespaces land in v0.2.
165
171
  */
166
172
  declare class MoonXClient {
167
173
  readonly auth: Auth;
package/dist/index.js CHANGED
@@ -23,7 +23,7 @@ __export(src_exports, {
23
23
  AppResolutionError: () => AppResolutionError,
24
24
  AudienceMismatchError: () => AudienceMismatchError,
25
25
  ConfigurationError: () => ConfigurationError,
26
- EphemeralSignerSignError: () => import_sdk2.EphemeralSignerSignError,
26
+ EphemeralSignerSignError: () => import_sdk3.EphemeralSignerSignError,
27
27
  EphemeralSigners: () => EphemeralSigners,
28
28
  ExpiredTokenError: () => ExpiredTokenError,
29
29
  InvalidTokenError: () => InvalidTokenError,
@@ -468,7 +468,8 @@ var Auth = class {
468
468
  };
469
469
 
470
470
  // src/config.ts
471
- var DEFAULT_ISSUER = "https://api.moonx-dev.com";
471
+ var import_sdk = require("@moon-x/core/sdk");
472
+ var DEFAULT_ISSUER = import_sdk.DEFAULT_API_BASE_URL;
472
473
  function resolveConfig(input) {
473
474
  if (!input.publishableKey) {
474
475
  throw new ConfigurationError(
@@ -480,7 +481,7 @@ function resolveConfig(input) {
480
481
  "MoonXClient: publishableKey must start with 'moon_pk_' (got a string that doesn't \u2014 did you pass a secret key by mistake?)"
481
482
  );
482
483
  }
483
- if (input.secretKey !== void 0 && !input.secretKey.startsWith("moon_sk_")) {
484
+ if (input.secretKey && !input.secretKey.startsWith("moon_sk_")) {
484
485
  throw new ConfigurationError(
485
486
  "MoonXClient: secretKey must start with 'moon_sk_' (got a string that doesn't)"
486
487
  );
@@ -503,7 +504,7 @@ function resolveConfig(input) {
503
504
  }
504
505
 
505
506
  // src/ephemeral-signers/index.ts
506
- var import_sdk = require("@moon-x/core/sdk");
507
+ var import_sdk2 = require("@moon-x/core/sdk");
507
508
  var EphemeralSigners = class {
508
509
  constructor(cfg) {
509
510
  this.cfg = cfg;
@@ -514,10 +515,15 @@ var EphemeralSigners = class {
514
515
  * — that's an implementation detail consumed by SES internally).
515
516
  */
516
517
  async sign(params) {
517
- return (0, import_sdk.signWithEphemeralSigner)({
518
+ if (!this.cfg.secretKey) {
519
+ throw new Error(
520
+ "MoonXClient: secretKey is required to use ephemeralSigners. The wallets ephemeral-signer endpoints are secret-key-only; pass secretKey to new MoonXClient({ ... })."
521
+ );
522
+ }
523
+ return (0, import_sdk2.signWithEphemeralSigner)({
518
524
  ...params,
519
525
  baseUrl: this.cfg.baseUrl,
520
- publishableKey: this.cfg.publishableKey,
526
+ secretKey: this.cfg.secretKey,
521
527
  fetchImpl: this.cfg.fetchImpl
522
528
  });
523
529
  }
@@ -537,14 +543,14 @@ var MoonXClient = class {
537
543
  });
538
544
  this.ephemeralSigners = new EphemeralSigners({
539
545
  baseUrl: cfg.baseUrl,
540
- publishableKey: cfg.publishableKey,
546
+ secretKey: cfg.secretKey,
541
547
  fetchImpl: cfg.fetch
542
548
  });
543
549
  }
544
550
  };
545
551
 
546
552
  // src/index.ts
547
- var import_sdk2 = require("@moon-x/core/sdk");
553
+ var import_sdk3 = require("@moon-x/core/sdk");
548
554
  // Annotate the CommonJS export names for ESM import in node:
549
555
  0 && (module.exports = {
550
556
  AppResolutionError,
package/dist/index.mjs CHANGED
@@ -428,7 +428,8 @@ var Auth = class {
428
428
  };
429
429
 
430
430
  // src/config.ts
431
- var DEFAULT_ISSUER = "https://api.moonx-dev.com";
431
+ import { DEFAULT_API_BASE_URL } from "@moon-x/core/sdk";
432
+ var DEFAULT_ISSUER = DEFAULT_API_BASE_URL;
432
433
  function resolveConfig(input) {
433
434
  if (!input.publishableKey) {
434
435
  throw new ConfigurationError(
@@ -440,7 +441,7 @@ function resolveConfig(input) {
440
441
  "MoonXClient: publishableKey must start with 'moon_pk_' (got a string that doesn't \u2014 did you pass a secret key by mistake?)"
441
442
  );
442
443
  }
443
- if (input.secretKey !== void 0 && !input.secretKey.startsWith("moon_sk_")) {
444
+ if (input.secretKey && !input.secretKey.startsWith("moon_sk_")) {
444
445
  throw new ConfigurationError(
445
446
  "MoonXClient: secretKey must start with 'moon_sk_' (got a string that doesn't)"
446
447
  );
@@ -476,10 +477,15 @@ var EphemeralSigners = class {
476
477
  * — that's an implementation detail consumed by SES internally).
477
478
  */
478
479
  async sign(params) {
480
+ if (!this.cfg.secretKey) {
481
+ throw new Error(
482
+ "MoonXClient: secretKey is required to use ephemeralSigners. The wallets ephemeral-signer endpoints are secret-key-only; pass secretKey to new MoonXClient({ ... })."
483
+ );
484
+ }
479
485
  return signWithEphemeralSigner({
480
486
  ...params,
481
487
  baseUrl: this.cfg.baseUrl,
482
- publishableKey: this.cfg.publishableKey,
488
+ secretKey: this.cfg.secretKey,
483
489
  fetchImpl: this.cfg.fetchImpl
484
490
  });
485
491
  }
@@ -499,7 +505,7 @@ var MoonXClient = class {
499
505
  });
500
506
  this.ephemeralSigners = new EphemeralSigners({
501
507
  baseUrl: cfg.baseUrl,
502
- publishableKey: cfg.publishableKey,
508
+ secretKey: cfg.secretKey,
503
509
  fetchImpl: cfg.fetch
504
510
  });
505
511
  }
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@moon-x/node-sdk",
3
- "version": "0.5.0",
3
+ "version": "0.7.0",
4
4
  "description": "MoonX server-side SDK for Node.js. Verify MoonX-issued access + identity tokens with zero runtime dependencies.",
5
5
  "main": "dist/index.js",
6
6
  "module": "dist/index.mjs",
@@ -30,7 +30,7 @@
30
30
  "access": "public"
31
31
  },
32
32
  "dependencies": {
33
- "@moon-x/core": "0.8.0"
33
+ "@moon-x/core": "0.10.0"
34
34
  },
35
35
  "devDependencies": {
36
36
  "tsup": "8.5.1",