@moovio/sdk 26.4.6 → 26.5.1

package/models/components/transfercontrols.d.ts

@@ -0,0 +1,43 @@
+import * as z from "zod/v3";
+import { Result as SafeParseResult } from "../../types/fp.js";
+import { SDKValidationError } from "../errors/sdkvalidationerror.js";
+/**
+ * Controls for transfers created through a given partner
+ */
+export type TransferControls = {
+    /**
+     * ID of the merchant account.
+     */
+    accountID: string;
+    /**
+     * ID of the partner account.
+     */
+    partnerAccountID: string;
+    /**
+     * Indicates if the account is configured for debt repayment.
+     */
+    debtRepayment: boolean;
+    /**
+     * Indicates if the account is allowed to set dynamic descriptors on transfers.
+     */
+    allowDynamicDescriptor: boolean;
+    /**
+     * Indicates if the account is allowed to apply surcharges to transfers.
+     */
+    allowSurcharge: boolean;
+};
+/** @internal */
+export declare const TransferControls$inboundSchema: z.ZodType<TransferControls, z.ZodTypeDef, unknown>;
+/** @internal */
+export type TransferControls$Outbound = {
+    accountID: string;
+    partnerAccountID: string;
+    debtRepayment: boolean;
+    allowDynamicDescriptor: boolean;
+    allowSurcharge: boolean;
+};
+/** @internal */
+export declare const TransferControls$outboundSchema: z.ZodType<TransferControls$Outbound, z.ZodTypeDef, TransferControls>;
+export declare function transferControlsToJSON(transferControls: TransferControls): string;
+export declare function transferControlsFromJSON(jsonString: string): SafeParseResult<TransferControls, SDKValidationError>;
+//# sourceMappingURL=transfercontrols.d.ts.map

package/models/components/transfercontrols.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"transfercontrols.d.ts","sourceRoot":"","sources":["../../src/models/components/transfercontrols.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,CAAC,MAAM,QAAQ,CAAC;AAE5B,OAAO,EAAE,MAAM,IAAI,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAC9D,OAAO,EAAE,kBAAkB,EAAE,MAAM,iCAAiC,CAAC;AAErE;;GAEG;AACH,MAAM,MAAM,gBAAgB,GAAG;IAC7B;;OAEG;IACH,SAAS,EAAE,MAAM,CAAC;IAClB;;OAEG;IACH,gBAAgB,EAAE,MAAM,CAAC;IACzB;;OAEG;IACH,aAAa,EAAE,OAAO,CAAC;IACvB;;OAEG;IACH,sBAAsB,EAAE,OAAO,CAAC;IAChC;;OAEG;IACH,cAAc,EAAE,OAAO,CAAC;CACzB,CAAC;AAEF,gBAAgB;AAChB,eAAO,MAAM,8BAA8B,EAAE,CAAC,CAAC,OAAO,CACpD,gBAAgB,EAChB,CAAC,CAAC,UAAU,EACZ,OAAO,CAOP,CAAC;AACH,gBAAgB;AAChB,MAAM,MAAM,yBAAyB,GAAG;IACtC,SAAS,EAAE,MAAM,CAAC;IAClB,gBAAgB,EAAE,MAAM,CAAC;IACzB,aAAa,EAAE,OAAO,CAAC;IACvB,sBAAsB,EAAE,OAAO,CAAC;IAChC,cAAc,EAAE,OAAO,CAAC;CACzB,CAAC;AAEF,gBAAgB;AAChB,eAAO,MAAM,+BAA+B,EAAE,CAAC,CAAC,OAAO,CACrD,yBAAyB,EACzB,CAAC,CAAC,UAAU,EACZ,gBAAgB,CAOhB,CAAC;AAEH,wBAAgB,sBAAsB,CACpC,gBAAgB,EAAE,gBAAgB,GACjC,MAAM,CAIR;AACD,wBAAgB,wBAAwB,CACtC,UAAU,EAAE,MAAM,GACjB,eAAe,CAAC,gBAAgB,EAAE,kBAAkB,CAAC,CAMvD"}

package/models/components/transfercontrols.js

@@ -0,0 +1,66 @@
+"use strict";
+/*
+ * Code generated by Speakeasy (https://speakeasy.com). DO NOT EDIT.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TransferControls$outboundSchema = exports.TransferControls$inboundSchema = void 0;
+exports.transferControlsToJSON = transferControlsToJSON;
+exports.transferControlsFromJSON = transferControlsFromJSON;
+const z = __importStar(require("zod/v3"));
+const schemas_js_1 = require("../../lib/schemas.js");
+/** @internal */
+exports.TransferControls$inboundSchema = z.object({
+    accountID: z.string(),
+    partnerAccountID: z.string(),
+    debtRepayment: z.boolean(),
+    allowDynamicDescriptor: z.boolean(),
+    allowSurcharge: z.boolean(),
+});
+/** @internal */
+exports.TransferControls$outboundSchema = z.object({
+    accountID: z.string(),
+    partnerAccountID: z.string(),
+    debtRepayment: z.boolean(),
+    allowDynamicDescriptor: z.boolean(),
+    allowSurcharge: z.boolean(),
+});
+function transferControlsToJSON(transferControls) {
+    return JSON.stringify(exports.TransferControls$outboundSchema.parse(transferControls));
+}
+function transferControlsFromJSON(jsonString) {
+    return (0, schemas_js_1.safeParse)(jsonString, (x) => exports.TransferControls$inboundSchema.parse(JSON.parse(x)), `Failed to parse 'TransferControls' from JSON`);
+}
+//# sourceMappingURL=transfercontrols.js.map

package/models/components/transfercontrols.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"transfercontrols.js","sourceRoot":"","sources":["../../src/models/components/transfercontrols.ts"],"names":[],"mappings":";AAAA;;GAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAmEH,wDAMC;AACD,4DAQC;AAhFD,0CAA4B;AAC5B,qDAAiD;AA8BjD,gBAAgB;AACH,QAAA,8BAA8B,GAIvC,CAAC,CAAC,MAAM,CAAC;IACX,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;IACrB,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE;IAC5B,aAAa,EAAE,CAAC,CAAC,OAAO,EAAE;IAC1B,sBAAsB,EAAE,CAAC,CAAC,OAAO,EAAE;IACnC,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;CAC5B,CAAC,CAAC;AAUH,gBAAgB;AACH,QAAA,+BAA+B,GAIxC,CAAC,CAAC,MAAM,CAAC;IACX,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;IACrB,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE;IAC5B,aAAa,EAAE,CAAC,CAAC,OAAO,EAAE;IAC1B,sBAAsB,EAAE,CAAC,CAAC,OAAO,EAAE;IACnC,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;CAC5B,CAAC,CAAC;AAEH,SAAgB,sBAAsB,CACpC,gBAAkC;IAElC,OAAO,IAAI,CAAC,SAAS,CACnB,uCAA+B,CAAC,KAAK,CAAC,gBAAgB,CAAC,CACxD,CAAC;AACJ,CAAC;AACD,SAAgB,wBAAwB,CACtC,UAAkB;IAElB,OAAO,IAAA,sBAAS,EACd,UAAU,EACV,CAAC,CAAC,EAAE,EAAE,CAAC,sCAA8B,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAC1D,8CAA8C,CAC/C,CAAC;AACJ,CAAC"}

package/models/components/updateinvoice.d.ts

@@ -13,14 +13,14 @@ export type UpdateInvoice = {
     invoiceDate?: Date | null | undefined;
     dueDate?: Date | null | undefined;
     /**
-     * The status can be updated to one of the following values under specific conditions:
+     *   The status can be updated to one of the following values under specific conditions:
      *
      * @remarks
-     * - `canceled`: Can only be set if the current status is `draft`, `unpaid`, or `overdue`. Canceling an invoice
-     *   indicates the invoice is no longer expected to be paid (e.g., the charge was waived or terms changed).
-     *   Canceled invoices still appear in list results by default and remain part of the invoice history.
-     *   To completely discard an invoice created by mistake, use the delete endpoint instead.
-     * - `unpaid`: Can only be set if the current status is `draft`. Setting the status to `unpaid` finalizes the invoice and sends an email with a payment link to the customer.
+     *   - `canceled`: Can only be set if the current status is `draft`, `unpaid`, or `overdue`. Canceling an invoice
+     *     indicates the invoice is no longer expected to be paid (e.g., the charge was waived or terms changed).
+     *     Canceled invoices still appear in list results by default and remain part of the invoice history.
+     *     To completely discard an invoice created by mistake, use the delete endpoint instead.
+     *   - `unpaid`: Can only be set if the current status is `draft`. Setting the status to `unpaid` finalizes the invoice and sends an email with a payment link to the customer.
      */
     status?: InvoiceStatus | undefined;
     taxAmount?: AmountDecimalUpdate | undefined;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@moovio/sdk",
-  "version": "26.4.6",
+  "version": "26.5.1",
   "author": "Moov",
   "bin": {
     "mcp": "bin/mcp-server.js"

package/src/hooks/access-token-hook.ts

@@ -0,0 +1,73 @@
+import { SDKOptions } from "../lib/config.js";
+import {
+  BeforeRequestContext,
+  BeforeRequestHook,
+  SDKInitHook,
+} from "./types.js";
+
+const gt: unknown = typeof globalThis === "undefined" ? null : globalThis;
+const webWorkerLike = typeof gt === "object"
+  && gt != null
+  && "importScripts" in gt
+  && typeof gt["importScripts"] === "function";
+const isBrowserLike = webWorkerLike
+  || (typeof navigator !== "undefined" && "serviceWorker" in navigator)
+  || (typeof window === "object" && typeof window.document !== "undefined");
+
+/**
+ * Applies bearer-token authentication and validates auth-related SDK
+ * options at construction time.
+ *
+ * `accessToken` is exposed as a top-level SDK option via the
+ * `x-speakeasy-globals` overlay in `.speakeasy/overlays/access-token.yaml`.
+ * Speakeasy doesn't auto-send it (no operation declares a matching
+ * parameter), so this hook is responsible for translating it into the
+ * `Authorization: Bearer …` header.
+ *
+ * HTTP Basic credentials (`security.username` / `security.password`) are
+ * still handled automatically by Speakeasy's generated security pipeline.
+ *
+ * Validation rules enforced at SDK init:
+ *   - `accessToken` and `security.username`/`password` cannot both be set.
+ *   - HTTP Basic credentials are rejected in browser-like environments.
+ *     Browsers must use `accessToken` instead.
+ */
+export class AccessTokenHook implements SDKInitHook, BeforeRequestHook {
+  sdkInit(opts: SDKOptions): SDKOptions {
+    const token = (opts as SDKOptions & { accessToken: string }).accessToken;
+    const hasToken = typeof token === "string" && token.length > 0;
+
+    if (hasToken && opts.security != null) {
+      throw new Error(
+        "Moov SDK: `accessToken` and `security.username`/`password` cannot "
+          + "both be set. Use `accessToken` for OAuth2 bearer auth "
+          + "(typically client-side) or `security.username`/`password` for "
+          + "HTTP Basic auth with API keys (server-side).",
+      );
+    }
+
+    if (isBrowserLike && opts.security != null) {
+      throw new Error(
+        "Moov SDK: HTTP Basic credentials were provided in a browser-like "
+          + "environment. API keys must never be embedded in client-side "
+          + "code. Mint a short-lived OAuth2 access token on your server "
+          + "and pass it via the `accessToken` option instead.",
+      );
+    }
+
+    return opts;
+  }
+
+  beforeRequest(ctx: BeforeRequestContext, request: Request): Request {
+    const token = (ctx.options as SDKOptions & { accessToken: string }).accessToken;
+
+    // Bail early if there's no token or the request already has an Authorization header.
+    if (!token || request.headers.has("Authorization")) {
+      return request;
+    }
+
+    const next = new Request(request);
+    next.headers.set("Authorization", `Bearer ${token}`);
+    return next;
+  }
+}

package/src/hooks/registration.ts

@@ -1,3 +1,4 @@
+import { AccessTokenHook } from "./access-token-hook.js";
 import { MoovVersionHook } from "./moov-version-hook.js";
 import { Hooks } from "./types.js";
 
@@ -14,4 +15,8 @@ export function initHooks(hooks: Hooks) {
 
   const versionHook = new MoovVersionHook();
   hooks.registerBeforeRequestHook(versionHook);
+
+  const accessTokenHook = new AccessTokenHook();
+  hooks.registerSDKInitHook(accessTokenHook);
+  hooks.registerBeforeRequestHook(accessTokenHook);
 }

package/src/lib/config.ts

@@ -27,6 +27,11 @@ export type SDKOptions = {
     | (() => Promise<components.Security>)
     | undefined;
 
+  /**
+   * Allows setting the accessToken parameter for all supported operations
+   */
+  accessToken?: string | undefined;
+
   httpClient?: HTTPClient;
   /**
    * Allows overriding the default server used by the SDK
@@ -68,7 +73,7 @@ export function serverURLFromOptions(options: SDKOptions): URL | null {
 export const SDK_METADATA = {
   language: "typescript",
   openapiDocVersion: "v2026.04.00",
-  sdkVersion: "26.4.6",
-  genVersion: "2.884.0",
-  userAgent: "speakeasy-sdk/typescript 26.4.6 2.884.0 v2026.04.00 @moovio/sdk",
+  sdkVersion: "26.5.1",
+  genVersion: "2.893.0",
+  userAgent: "speakeasy-sdk/typescript 26.5.1 2.893.0 v2026.04.00 @moovio/sdk",
 } as const;

package/src/mcp-server/cli/start/command.ts

@@ -51,6 +51,15 @@ export const startCommand = buildCommand({
           return z.string().parse(value);
         },
       },
+      "access-token": {
+        kind: "parsed",
+        brief:
+          "Allows setting the accessToken parameter for all supported operations",
+        optional: true,
+        parse: (value) => {
+          return z.string().parse(value);
+        },
+      },
       "server-url": {
         kind: "parsed",
         brief: "Overrides the default server URL used by the SDK",

package/src/mcp-server/cli/start/impl.ts

@@ -20,6 +20,7 @@ interface StartCommandFlags {
   readonly tool?: string[];
   readonly username?: string | undefined;
   readonly password?: string | undefined;
+  readonly "access-token"?: SDKOptions["accessToken"] | undefined;
   readonly "server-url"?: string;
   readonly "server-index"?: SDKOptions["serverIdx"];
   readonly "log-level": ConsoleLoggerLevel;
@@ -53,6 +54,7 @@ async function startStdio(flags: StartCommandFlags) {
       username: flags.username ?? "",
       password: flags.password ?? "",
     }),
+    accessToken: flags["access-token"],
     serverURL: flags["server-url"],
     serverIdx: flags["server-index"],
   });
@@ -76,6 +78,7 @@ async function startSSE(flags: StartCommandFlags) {
       username: flags.username ?? "",
       password: flags.password ?? "",
     }),
+    accessToken: flags["access-token"],
     serverURL: flags["server-url"],
     serverIdx: flags["server-index"],
   });

package/src/mcp-server/mcp-server.ts

@@ -19,7 +19,7 @@ const routes = buildRouteMap({
 export const app = buildApplication(routes, {
   name: "mcp",
   versionInfo: {
-    currentVersion: "26.4.6",
+    currentVersion: "26.5.1",
   },
 });
 

package/src/mcp-server/server.ts

@@ -207,15 +207,17 @@ export function createMCPServer(deps: {
   scopes?: MCPScope[] | undefined;
   serverURL?: string | undefined;
   security?: SDKOptions["security"] | undefined;
+  accessToken?: SDKOptions["accessToken"] | undefined;
   serverIdx?: SDKOptions["serverIdx"] | undefined;
 }) {
   const server = new McpServer({
     name: "Moov",
-    version: "26.4.6",
+    version: "26.5.1",
   });
 
   const client = new MoovCore({
     security: deps.security,
+    accessToken: deps.accessToken,
     serverURL: deps.serverURL,
     serverIdx: deps.serverIdx,
   });

package/src/models/components/index.ts

@@ -517,6 +517,7 @@ export * from "./transferaccount.js";
 export * from "./transferachaddendarecord.js";
 export * from "./transferamountdetails.js";
 export * from "./transferconfig.js";
+export * from "./transfercontrols.js";
 export * from "./transferdestination.js";
 export * from "./transferentrymode.js";
 export * from "./transferfailurereason.js";

package/src/models/components/invoice.ts

@@ -61,7 +61,7 @@ export type Invoice = {
   subtotalAmount: AmountDecimal;
   taxAmount: AmountDecimal;
   /**
-   * Total amount of the invoice, sum of subTotalAmount and taxAmount
+   * Total amount of the invoice, including subtotal, tax, and surcharge amounts.
    */
   totalAmount: AmountDecimal;
   /**

package/src/models/components/transferconfig.ts

@@ -12,6 +12,12 @@ import {
   TipPresets$Outbound,
   TipPresets$outboundSchema,
 } from "./tippresets.js";
+import {
+  TransferControls,
+  TransferControls$inboundSchema,
+  TransferControls$Outbound,
+  TransferControls$outboundSchema,
+} from "./transfercontrols.js";
 
 /**
  * Configurable options for a transfer.
@@ -21,6 +27,7 @@ export type TransferConfig = {
    * Tip presets when calculating tips for a transfer.
    */
   tipPresets?: TipPresets | undefined;
+  transferControls?: Array<TransferControls> | undefined;
 };
 
 /** @internal */
@@ -30,10 +37,12 @@ export const TransferConfig$inboundSchema: z.ZodType<
   unknown
 > = z.object({
   tipPresets: TipPresets$inboundSchema.optional(),
+  transferControls: z.array(TransferControls$inboundSchema).optional(),
 });
 /** @internal */
 export type TransferConfig$Outbound = {
   tipPresets?: TipPresets$Outbound | undefined;
+  transferControls?: Array<TransferControls$Outbound> | undefined;
 };
 
 /** @internal */
@@ -43,6 +52,7 @@ export const TransferConfig$outboundSchema: z.ZodType<
   TransferConfig
 > = z.object({
   tipPresets: TipPresets$outboundSchema.optional(),
+  transferControls: z.array(TransferControls$outboundSchema).optional(),
 });
 
 export function transferConfigToJSON(transferConfig: TransferConfig): string {

package/src/models/components/transfercontrols.ts

@@ -0,0 +1,85 @@
+/*
+ * Code generated by Speakeasy (https://speakeasy.com). DO NOT EDIT.
+ */
+
+import * as z from "zod/v3";
+import { safeParse } from "../../lib/schemas.js";
+import { Result as SafeParseResult } from "../../types/fp.js";
+import { SDKValidationError } from "../errors/sdkvalidationerror.js";
+
+/**
+ * Controls for transfers created through a given partner
+ */
+export type TransferControls = {
+  /**
+   * ID of the merchant account.
+   */
+  accountID: string;
+  /**
+   * ID of the partner account.
+   */
+  partnerAccountID: string;
+  /**
+   * Indicates if the account is configured for debt repayment.
+   */
+  debtRepayment: boolean;
+  /**
+   * Indicates if the account is allowed to set dynamic descriptors on transfers.
+   */
+  allowDynamicDescriptor: boolean;
+  /**
+   * Indicates if the account is allowed to apply surcharges to transfers.
+   */
+  allowSurcharge: boolean;
+};
+
+/** @internal */
+export const TransferControls$inboundSchema: z.ZodType<
+  TransferControls,
+  z.ZodTypeDef,
+  unknown
+> = z.object({
+  accountID: z.string(),
+  partnerAccountID: z.string(),
+  debtRepayment: z.boolean(),
+  allowDynamicDescriptor: z.boolean(),
+  allowSurcharge: z.boolean(),
+});
+/** @internal */
+export type TransferControls$Outbound = {
+  accountID: string;
+  partnerAccountID: string;
+  debtRepayment: boolean;
+  allowDynamicDescriptor: boolean;
+  allowSurcharge: boolean;
+};
+
+/** @internal */
+export const TransferControls$outboundSchema: z.ZodType<
+  TransferControls$Outbound,
+  z.ZodTypeDef,
+  TransferControls
+> = z.object({
+  accountID: z.string(),
+  partnerAccountID: z.string(),
+  debtRepayment: z.boolean(),
+  allowDynamicDescriptor: z.boolean(),
+  allowSurcharge: z.boolean(),
+});
+
+export function transferControlsToJSON(
+  transferControls: TransferControls,
+): string {
+  return JSON.stringify(
+    TransferControls$outboundSchema.parse(transferControls),
+  );
+}
+export function transferControlsFromJSON(
+  jsonString: string,
+): SafeParseResult<TransferControls, SDKValidationError> {
+  return safeParse(
+    jsonString,
+    (x) => TransferControls$inboundSchema.parse(JSON.parse(x)),
+    `Failed to parse 'TransferControls' from JSON`,
+  );
+}

package/src/models/components/updateinvoice.ts

@@ -33,14 +33,14 @@ export type UpdateInvoice = {
   invoiceDate?: Date | null | undefined;
   dueDate?: Date | null | undefined;
   /**
-   * The status can be updated to one of the following values under specific conditions:
+   *   The status can be updated to one of the following values under specific conditions:
    *
    * @remarks
-   * - `canceled`: Can only be set if the current status is `draft`, `unpaid`, or `overdue`. Canceling an invoice
-   *   indicates the invoice is no longer expected to be paid (e.g., the charge was waived or terms changed).
-   *   Canceled invoices still appear in list results by default and remain part of the invoice history.
-   *   To completely discard an invoice created by mistake, use the delete endpoint instead.
-   * - `unpaid`: Can only be set if the current status is `draft`. Setting the status to `unpaid` finalizes the invoice and sends an email with a payment link to the customer.
+   *   - `canceled`: Can only be set if the current status is `draft`, `unpaid`, or `overdue`. Canceling an invoice
+   *     indicates the invoice is no longer expected to be paid (e.g., the charge was waived or terms changed).
+   *     Canceled invoices still appear in list results by default and remain part of the invoice history.
+   *     To completely discard an invoice created by mistake, use the delete endpoint instead.
+   *   - `unpaid`: Can only be set if the current status is `draft`. Setting the status to `unpaid` finalizes the invoice and sends an email with a payment link to the customer.
    */
   status?: InvoiceStatus | undefined;
   taxAmount?: AmountDecimalUpdate | undefined;

package/src/types/async.ts

@@ -21,16 +21,17 @@ export type APICall =
 
 export class APIPromise<T> implements Promise<T> {
   readonly #promise: Promise<[T, APICall]>;
-  readonly #unwrapped: Promise<T>;
+  #unwrapped: Promise<T> | null;
 
   readonly [Symbol.toStringTag] = "APIPromise";
 
   constructor(p: [T, APICall] | Promise<[T, APICall]>) {
     this.#promise = p instanceof Promise ? p : Promise.resolve(p);
-    this.#unwrapped =
-      p instanceof Promise
-        ? this.#promise.then(([value]) => value)
-        : Promise.resolve(p[0]);
+    this.#unwrapped = p instanceof Promise ? null : Promise.resolve(p[0]);
+  }
+
+  #getUnwrapped(): Promise<T> {
+    return (this.#unwrapped ??= this.#promise.then(([value]) => value));
   }
 
   then<TResult1 = T, TResult2 = never>(
@@ -55,11 +56,11 @@ export class APIPromise<T> implements Promise<T> {
       | null
       | undefined,
   ): Promise<T | TResult> {
-    return this.#unwrapped.catch(onrejected);
+    return this.#getUnwrapped().catch(onrejected);
   }
 
   finally(onfinally?: (() => void) | null | undefined): Promise<T> {
-    return this.#unwrapped.finally(onfinally);
+    return this.#getUnwrapped().finally(onfinally);
   }
 
   $inspect(): Promise<[T, APICall]> {

package/test/tests/accessToken.test.ts

@@ -0,0 +1,86 @@
+import { describe, expect, test } from "bun:test";
+import { HTTPClient, Moov } from "@moovio/sdk";
+
+/**
+ * Builds a Moov SDK instance whose HTTPClient captures every outgoing
+ * Request without hitting the network. The captured Request can then be
+ * inspected for headers, URL, etc.
+ */
+function captureRequests(opts: ConstructorParameters<typeof Moov>[0]) {
+  const requests: Request[] = [];
+  const httpClient = new HTTPClient({
+    fetcher: async (input, init) => {
+      const req = input instanceof Request ? input : new Request(input, init);
+      requests.push(req.clone());
+      return new Response(null, { status: 200 });
+    },
+  });
+
+  const moov = new Moov({ ...opts, httpClient });
+  return { moov, requests };
+}
+
+describe("accessToken option", () => {
+  test("sets Authorization: Bearer header on outgoing requests", async () => {
+    const { moov, requests } = captureRequests({
+      accessToken: "test-access-token-123",
+    });
+
+    await moov.ping.ping();
+
+    expect(requests.length).toBe(1);
+    expect(requests[0].headers.get("Authorization")).toBe(
+      "Bearer test-access-token-123",
+    );
+  });
+
+  test("applies bearer auth on every request, not just the first", async () => {
+    const { moov, requests } = captureRequests({
+      accessToken: "another-token",
+    });
+
+    await moov.ping.ping();
+    await moov.ping.ping();
+    await moov.ping.ping();
+
+    expect(requests.length).toBe(3);
+    for (const req of requests) {
+      expect(req.headers.get("Authorization")).toBe("Bearer another-token");
+    }
+  });
+
+  test("HTTP Basic auth still works when accessToken is not set", async () => {
+    const { moov, requests } = captureRequests({
+      security: { username: "my-public-key", password: "my-secret-key" },
+    });
+
+    await moov.ping.ping();
+
+    expect(requests.length).toBe(1);
+    const auth = requests[0].headers.get("Authorization");
+    expect(auth).toMatch(/^Basic /);
+
+    // Decode the base64 portion and confirm the credentials round-trip.
+    const encoded = auth!.slice("Basic ".length);
+    const decoded = Buffer.from(encoded, "base64").toString("utf8");
+    expect(decoded).toBe("my-public-key:my-secret-key");
+  });
+
+  test("no Authorization header is sent when neither auth mode is configured", async () => {
+    const { moov, requests } = captureRequests({});
+
+    await moov.ping.ping();
+
+    expect(requests.length).toBe(1);
+    expect(requests[0].headers.get("Authorization")).toBeNull();
+  });
+
+  test("throws at construction when both accessToken and Basic creds are set", () => {
+    expect(() =>
+      new Moov({
+        accessToken: "some-token",
+        security: { username: "u", password: "p" },
+      })
+    ).toThrow(/cannot both be set/i);
+  });
+});

package/types/async.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"async.d.ts","sourceRoot":"","sources":["../src/types/async.ts"],"names":[],"mappings":"AAIA,MAAM,MAAM,OAAO,GACf;IACE,MAAM,EAAE,UAAU,CAAC;IACnB,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE,QAAQ,CAAC;CACpB,GACD;IACE,MAAM,EAAE,eAAe,CAAC;IACxB,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,SAAS,CAAC;CACtB,GACD;IACE,MAAM,EAAE,SAAS,CAAC;IAClB,OAAO,CAAC,EAAE,SAAS,CAAC;IACpB,QAAQ,CAAC,EAAE,SAAS,CAAC;CACtB,CAAC;AAEN,qBAAa,UAAU,CAAC,CAAC,CAAE,YAAW,OAAO,CAAC,CAAC,CAAC;;IAI9C,QAAQ,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,gBAAgB;gBAEjC,CAAC,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;IAQnD,IAAI,CAAC,QAAQ,GAAG,CAAC,EAAE,QAAQ,GAAG,KAAK,EACjC,WAAW,CAAC,EACR,CAAC,CAAC,KAAK,EAAE,CAAC,KAAK,QAAQ,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC,GAChD,IAAI,GACJ,SAAS,EACb,UAAU,CAAC,EACP,CAAC,CAAC,MAAM,EAAE,GAAG,KAAK,QAAQ,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC,GACnD,IAAI,GACJ,SAAS,GACZ,OAAO,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAO/B,KAAK,CAAC,OAAO,GAAG,KAAK,EACnB,UAAU,CAAC,EACP,CAAC,CAAC,MAAM,EAAE,GAAG,KAAK,OAAO,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC,GACjD,IAAI,GACJ,SAAS,GACZ,OAAO,CAAC,CAAC,GAAG,OAAO,CAAC;IAIvB,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC,MAAM,IAAI,CAAC,GAAG,IAAI,GAAG,SAAS,GAAG,OAAO,CAAC,CAAC,CAAC;IAIhE,QAAQ,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;CAGlC"}
+{"version":3,"file":"async.d.ts","sourceRoot":"","sources":["../src/types/async.ts"],"names":[],"mappings":"AAIA,MAAM,MAAM,OAAO,GACf;IACE,MAAM,EAAE,UAAU,CAAC;IACnB,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE,QAAQ,CAAC;CACpB,GACD;IACE,MAAM,EAAE,eAAe,CAAC;IACxB,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,SAAS,CAAC;CACtB,GACD;IACE,MAAM,EAAE,SAAS,CAAC;IAClB,OAAO,CAAC,EAAE,SAAS,CAAC;IACpB,QAAQ,CAAC,EAAE,SAAS,CAAC;CACtB,CAAC;AAEN,qBAAa,UAAU,CAAC,CAAC,CAAE,YAAW,OAAO,CAAC,CAAC,CAAC;;IAI9C,QAAQ,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,gBAAgB;gBAEjC,CAAC,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;IASnD,IAAI,CAAC,QAAQ,GAAG,CAAC,EAAE,QAAQ,GAAG,KAAK,EACjC,WAAW,CAAC,EACR,CAAC,CAAC,KAAK,EAAE,CAAC,KAAK,QAAQ,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC,GAChD,IAAI,GACJ,SAAS,EACb,UAAU,CAAC,EACP,CAAC,CAAC,MAAM,EAAE,GAAG,KAAK,QAAQ,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC,GACnD,IAAI,GACJ,SAAS,GACZ,OAAO,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAO/B,KAAK,CAAC,OAAO,GAAG,KAAK,EACnB,UAAU,CAAC,EACP,CAAC,CAAC,MAAM,EAAE,GAAG,KAAK,OAAO,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC,GACjD,IAAI,GACJ,SAAS,GACZ,OAAO,CAAC,CAAC,GAAG,OAAO,CAAC;IAIvB,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC,MAAM,IAAI,CAAC,GAAG,IAAI,GAAG,SAAS,GAAG,OAAO,CAAC,CAAC,CAAC;IAIhE,QAAQ,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;CAGlC"}