@omnikit-ai/sdk 2.2.3 → 2.2.5

package/dist/index.d.mts

@@ -7,7 +7,7 @@ export { cleanTokenFromUrl, getAccessToken, isTokenInUrl, removeAccessToken, sav
  * Like Base44's connectors module - allows backend functions to get access tokens
  * for making direct API calls to external services.
  *
- * SECURITY: getAccessToken requires service token authentication.
+ * SECURITY: getAccessToken requires API key (X-API-Key) authentication.
  * Only available to backend functions, not frontend code.
  */
 type ConnectorType = 'slack' | 'google_calendar' | 'gmail' | 'google_sheets' | 'notion' | 'salesforce';
@@ -32,7 +32,7 @@ interface ConnectorsModule$1 {
     /**
      * Get access token for a connector.
      *
-     * SECURITY: Requires service token authentication.
+     * SECURITY: Requires API key (X-API-Key) authentication.
      * Only available in backend functions, not frontend code.
      *
      * @example
@@ -98,17 +98,16 @@ interface OmnikitConfig {
      * If not provided, will auto-detect from URL or localStorage
      */
     token?: string;
-    /**
-     * Service role token for elevated admin operations (optional)
-     * When provided, enables asServiceRole operations
-     */
-    serviceToken?: string;
     /**
      * API key for server-to-server authentication (optional)
-     * Used in backend functions (Deno Edge Functions) where user auth isn't needed.
-     * Takes precedence over serviceToken if both are provided.
+     * Used in backend functions (Deno Edge Functions) for privileged operations.
+     * When provided, enables service role operations via omnikit.service
      */
     apiKey?: string;
+    /**
+     * @deprecated Use apiKey instead. serviceToken is an alias for backwards compatibility.
+     */
+    serviceToken?: string;
     /**
      * Auto-detect and load token from URL params or localStorage
      * @default true
@@ -1239,7 +1238,7 @@ interface ConnectorsModule {
 }
 /**
  * Service role client interface (elevated admin operations)
- * Available when serviceToken is provided in config
+ * Available when apiKey is provided in config
  */
 interface ServiceRoleClient {
     /** Collection operations with service role privileges */
@@ -1321,8 +1320,8 @@ interface OmnikitClient {
     auth: AuthModule;
     /**
      * Service-level operations (elevated privileges).
-     * Only available when serviceToken is provided (e.g., via createServerClient).
-     * Throws error if accessed without serviceToken.
+     * Only available when apiKey is provided (e.g., via createServerClient).
+     * Throws error if accessed without apiKey.
      *
      * @example
      * ```typescript
@@ -1383,19 +1382,20 @@ interface OmnikitClient {
     /**
      * Get a secret value at runtime (for backend functions).
      *
-     * This method securely fetches secrets from the Omnikit API using the app's API key.
-     * Use this in Supabase Edge Functions instead of storing secrets in Supabase's
-     * environment variables to ensure proper isolation between apps.
+     * This method securely fetches secrets from the Omnikit API at runtime.
+     * Secrets are NOT injected into function code - they are fetched via API
+     * to ensure they cannot be leaked through source code, logs, or backups.
      *
      * @example
      * ```typescript
+     * const omnikit = createServerClient(req);
      * const stripeKey = await omnikit.getSecret('STRIPE_SECRET_KEY');
      * const stripe = new Stripe(stripeKey);
      * ```
      *
      * @param secretName - Name of the secret to retrieve
      * @returns The decrypted secret value
-     * @throws Error if the secret is not found or API key is invalid
+     * @throws Error if the secret is not found or service token is invalid
      */
     getSecret(secretName: string): Promise<string>;
 }
@@ -1802,7 +1802,6 @@ declare class APIClient implements OmnikitClient {
     appId: string;
     baseUrl: string;
     private userToken;
-    private _serviceToken;
     private _apiKey;
     private initialized;
     private initPromise;
@@ -1899,7 +1898,7 @@ declare class APIClient implements OmnikitClient {
     get auth(): AuthModule;
     /**
      * Service-level operations (elevated privileges).
-     * Only available when serviceToken is provided (e.g., via createServerClient).
+     * Only available when apiKey is provided (e.g., via createServerClient).
      */
     get service(): ServiceRoleClient;
     /**
@@ -2158,21 +2157,24 @@ declare class APIClient implements OmnikitClient {
     /**
      * Get a secret value at runtime (for backend functions).
      *
-     * This method securely fetches secrets from the Omnikit API using the app's API key.
-     * Use this in Supabase Edge Functions instead of storing secrets in Supabase's
-     * environment variables to ensure proper isolation between apps.
+     * This method securely fetches secrets from the Omnikit API at runtime.
+     * Secrets are NOT injected into function code - they are fetched via API
+     * to ensure they cannot be leaked through source code, logs, or backups.
      *
      * @example
      * ```typescript
      * // In a backend function (Deno Edge Function)
-     * const omnikit = createClient({
-     *   appId: __OMNIKIT_APP_ID__,
-     *   serverUrl: __OMNIKIT_API_URL__,
-     *   apiKey: __OMNIKIT_API_KEY__,
-     * });
+     * import { createServerClient } from '@omnikit-ai/sdk';
      *
-     * const stripeKey = await omnikit.getSecret('STRIPE_SECRET_KEY');
-     * const stripe = new Stripe(stripeKey);
+     * Deno.serve(async (req) => {
+     *   const omnikit = createServerClient(req);
+     *
+     *   // Fetch secret at runtime - secure, never in source code
+     *   const stripeKey = await omnikit.getSecret('STRIPE_SECRET_KEY');
+     *   const stripe = new Stripe(stripeKey);
+     *
+     *   // ... rest of function
+     * });
      * ```
      *
      * @param secretName - Name of the secret to retrieve
@@ -2231,7 +2233,7 @@ interface ServerRequest {
  *   // Access user data (user JWT auth)
  *   const currentUser = await omnikit.auth.me();
  *
- *   // Access connectors (requires service token)
+ *   // Access connectors (requires API key)
  *   const { access_token } = await omnikit.service.connectors.getAccessToken('slack');
  *
  *   // Make direct Slack API call

package/dist/index.d.ts

@@ -7,7 +7,7 @@ export { cleanTokenFromUrl, getAccessToken, isTokenInUrl, removeAccessToken, sav
  * Like Base44's connectors module - allows backend functions to get access tokens
  * for making direct API calls to external services.
  *
- * SECURITY: getAccessToken requires service token authentication.
+ * SECURITY: getAccessToken requires API key (X-API-Key) authentication.
  * Only available to backend functions, not frontend code.
  */
 type ConnectorType = 'slack' | 'google_calendar' | 'gmail' | 'google_sheets' | 'notion' | 'salesforce';
@@ -32,7 +32,7 @@ interface ConnectorsModule$1 {
     /**
      * Get access token for a connector.
      *
-     * SECURITY: Requires service token authentication.
+     * SECURITY: Requires API key (X-API-Key) authentication.
      * Only available in backend functions, not frontend code.
      *
      * @example
@@ -98,17 +98,16 @@ interface OmnikitConfig {
      * If not provided, will auto-detect from URL or localStorage
      */
     token?: string;
-    /**
-     * Service role token for elevated admin operations (optional)
-     * When provided, enables asServiceRole operations
-     */
-    serviceToken?: string;
     /**
      * API key for server-to-server authentication (optional)
-     * Used in backend functions (Deno Edge Functions) where user auth isn't needed.
-     * Takes precedence over serviceToken if both are provided.
+     * Used in backend functions (Deno Edge Functions) for privileged operations.
+     * When provided, enables service role operations via omnikit.service
      */
     apiKey?: string;
+    /**
+     * @deprecated Use apiKey instead. serviceToken is an alias for backwards compatibility.
+     */
+    serviceToken?: string;
     /**
      * Auto-detect and load token from URL params or localStorage
      * @default true
@@ -1239,7 +1238,7 @@ interface ConnectorsModule {
 }
 /**
  * Service role client interface (elevated admin operations)
- * Available when serviceToken is provided in config
+ * Available when apiKey is provided in config
  */
 interface ServiceRoleClient {
     /** Collection operations with service role privileges */
@@ -1321,8 +1320,8 @@ interface OmnikitClient {
     auth: AuthModule;
     /**
      * Service-level operations (elevated privileges).
-     * Only available when serviceToken is provided (e.g., via createServerClient).
-     * Throws error if accessed without serviceToken.
+     * Only available when apiKey is provided (e.g., via createServerClient).
+     * Throws error if accessed without apiKey.
      *
      * @example
      * ```typescript
@@ -1383,19 +1382,20 @@ interface OmnikitClient {
     /**
      * Get a secret value at runtime (for backend functions).
      *
-     * This method securely fetches secrets from the Omnikit API using the app's API key.
-     * Use this in Supabase Edge Functions instead of storing secrets in Supabase's
-     * environment variables to ensure proper isolation between apps.
+     * This method securely fetches secrets from the Omnikit API at runtime.
+     * Secrets are NOT injected into function code - they are fetched via API
+     * to ensure they cannot be leaked through source code, logs, or backups.
      *
      * @example
      * ```typescript
+     * const omnikit = createServerClient(req);
      * const stripeKey = await omnikit.getSecret('STRIPE_SECRET_KEY');
      * const stripe = new Stripe(stripeKey);
      * ```
      *
      * @param secretName - Name of the secret to retrieve
      * @returns The decrypted secret value
-     * @throws Error if the secret is not found or API key is invalid
+     * @throws Error if the secret is not found or service token is invalid
      */
     getSecret(secretName: string): Promise<string>;
 }
@@ -1802,7 +1802,6 @@ declare class APIClient implements OmnikitClient {
     appId: string;
     baseUrl: string;
     private userToken;
-    private _serviceToken;
     private _apiKey;
     private initialized;
     private initPromise;
@@ -1899,7 +1898,7 @@ declare class APIClient implements OmnikitClient {
     get auth(): AuthModule;
     /**
      * Service-level operations (elevated privileges).
-     * Only available when serviceToken is provided (e.g., via createServerClient).
+     * Only available when apiKey is provided (e.g., via createServerClient).
      */
     get service(): ServiceRoleClient;
     /**
@@ -2158,21 +2157,24 @@ declare class APIClient implements OmnikitClient {
     /**
      * Get a secret value at runtime (for backend functions).
      *
-     * This method securely fetches secrets from the Omnikit API using the app's API key.
-     * Use this in Supabase Edge Functions instead of storing secrets in Supabase's
-     * environment variables to ensure proper isolation between apps.
+     * This method securely fetches secrets from the Omnikit API at runtime.
+     * Secrets are NOT injected into function code - they are fetched via API
+     * to ensure they cannot be leaked through source code, logs, or backups.
      *
      * @example
      * ```typescript
      * // In a backend function (Deno Edge Function)
-     * const omnikit = createClient({
-     *   appId: __OMNIKIT_APP_ID__,
-     *   serverUrl: __OMNIKIT_API_URL__,
-     *   apiKey: __OMNIKIT_API_KEY__,
-     * });
+     * import { createServerClient } from '@omnikit-ai/sdk';
      *
-     * const stripeKey = await omnikit.getSecret('STRIPE_SECRET_KEY');
-     * const stripe = new Stripe(stripeKey);
+     * Deno.serve(async (req) => {
+     *   const omnikit = createServerClient(req);
+     *
+     *   // Fetch secret at runtime - secure, never in source code
+     *   const stripeKey = await omnikit.getSecret('STRIPE_SECRET_KEY');
+     *   const stripe = new Stripe(stripeKey);
+     *
+     *   // ... rest of function
+     * });
      * ```
      *
      * @param secretName - Name of the secret to retrieve
@@ -2231,7 +2233,7 @@ interface ServerRequest {
  *   // Access user data (user JWT auth)
  *   const currentUser = await omnikit.auth.me();
  *
- *   // Access connectors (requires service token)
+ *   // Access connectors (requires API key)
  *   const { access_token } = await omnikit.service.connectors.getAccessToken('slack');
  *
  *   // Make direct Slack API call

package/dist/index.js

@@ -436,13 +436,13 @@ var LiveVoiceSessionImpl = class {
 };
 
 // src/connectors.ts
-function createConnectorsModule(makeRequest, appId, baseUrl, getServiceToken) {
+function createConnectorsModule(makeRequest, appId, baseUrl, getApiKey) {
   return {
     async getAccessToken(connectorType) {
-      const serviceToken = getServiceToken();
-      if (!serviceToken) {
+      const apiKey = getApiKey();
+      if (!apiKey) {
         throw new Error(
-          "Service token is required to get connector access token. This method is only available in backend functions. Make sure you created the client with a serviceToken."
+          "API key is required to get connector access token. This method is only available in backend functions. Use createServerClient(req) to get an authenticated client."
         );
       }
       return makeRequest(
@@ -450,6 +450,7 @@ function createConnectorsModule(makeRequest, appId, baseUrl, getServiceToken) {
         "GET",
         null,
         { useServiceToken: true }
+        // Still uses this flag internally to trigger API key usage
       );
     },
     async isConnected(connectorType) {
@@ -543,7 +544,6 @@ var getMetadataCacheKey = (appId) => `omnikit_metadata_${appId}`;
 var APIClient = class {
   constructor(config) {
     this.userToken = null;
-    this._serviceToken = null;
     this._apiKey = null;
     this.initialized = false;
     this.initPromise = null;
@@ -557,8 +557,7 @@ var APIClient = class {
     this._userListeners = /* @__PURE__ */ new Set();
     this.appId = config.appId;
     this.baseUrl = config.serverUrl || config.baseUrl || "http://localhost:8001/api";
-    this._serviceToken = config.serviceToken || null;
-    this._apiKey = config.apiKey || null;
+    this._apiKey = config.apiKey || config.serviceToken || null;
     const isBrowser2 = typeof window !== "undefined" && typeof localStorage !== "undefined";
     this._metadata = this.loadCachedMetadata(config.initialMetadata);
     if (isBrowser2) {
@@ -820,14 +819,14 @@ var APIClient = class {
   }
   /**
    * Service-level operations (elevated privileges).
-   * Only available when serviceToken is provided (e.g., via createServerClient).
+   * Only available when apiKey is provided (e.g., via createServerClient).
    */
   get service() {
-    if (!this._serviceToken) {
+    if (!this._apiKey) {
       throw new OmnikitError(
-        "Service token is required. Use createServerClient(req) in backend functions.",
+        "API key is required. Use createServerClient(req) in backend functions.",
         403,
-        "SERVICE_TOKEN_REQUIRED"
+        "API_KEY_REQUIRED"
       );
     }
     if (this._asServiceRole) {
@@ -878,7 +877,7 @@ var APIClient = class {
         this.makeRequest.bind(this),
         this.appId,
         this.baseUrl,
-        () => this._serviceToken
+        () => this._apiKey
       );
     }
     return this._connectors;
@@ -1162,7 +1161,7 @@ Example: await ${collectionName}.list({ limit: 100, sort: '-created_at' })`,
                   }
                   if (useServiceToken) {
                     const originalGetToken = client.getAuthToken.bind(client);
-                    client.getAuthToken = () => client._serviceToken;
+                    client.getAuthToken = () => client._apiKey;
                     try {
                       const result = await collection[method](...args);
                       client.getAuthToken = originalGetToken;
@@ -1246,9 +1245,6 @@ Example: await ${collectionName}.list({ limit: 100, sort: '-created_at' })`,
     if (token) {
       headers["Authorization"] = `Bearer ${token}`;
     }
-    if (this._serviceToken) {
-      headers["X-Service-Token"] = this._serviceToken;
-    }
     if (this._apiKey) {
       headers["X-API-Key"] = this._apiKey;
     }
@@ -2252,9 +2248,6 @@ Example: await ${collectionName}.list({ limit: 100, sort: '-created_at' })`,
     if (userToken) {
       fetchOptions.headers.Authorization = `Bearer ${userToken}`;
     }
-    if (this._serviceToken) {
-      fetchOptions.headers["X-Service-Token"] = this._serviceToken;
-    }
     if (this._apiKey) {
       fetchOptions.headers["X-API-Key"] = this._apiKey;
     }
@@ -2301,9 +2294,6 @@ Example: await ${collectionName}.list({ limit: 100, sort: '-created_at' })`,
     if (userToken) {
       fetchOptions.headers.Authorization = `Bearer ${userToken}`;
     }
-    if (this._serviceToken) {
-      fetchOptions.headers["X-Service-Token"] = this._serviceToken;
-    }
     if (this._apiKey) {
       fetchOptions.headers["X-API-Key"] = this._apiKey;
     }
@@ -2424,9 +2414,6 @@ Example: await ${collectionName}.list({ limit: 100, sort: '-created_at' })`,
     if (token) {
       headers["Authorization"] = `Bearer ${token}`;
     }
-    if (this._serviceToken) {
-      headers["X-Service-Token"] = this._serviceToken;
-    }
     if (this._apiKey) {
       headers["X-API-Key"] = this._apiKey;
     }
@@ -2689,21 +2676,24 @@ Example: await ${collectionName}.list({ limit: 100, sort: '-created_at' })`,
   /**
    * Get a secret value at runtime (for backend functions).
    *
-   * This method securely fetches secrets from the Omnikit API using the app's API key.
-   * Use this in Supabase Edge Functions instead of storing secrets in Supabase's
-   * environment variables to ensure proper isolation between apps.
+   * This method securely fetches secrets from the Omnikit API at runtime.
+   * Secrets are NOT injected into function code - they are fetched via API
+   * to ensure they cannot be leaked through source code, logs, or backups.
    *
    * @example
    * ```typescript
    * // In a backend function (Deno Edge Function)
-   * const omnikit = createClient({
-   *   appId: __OMNIKIT_APP_ID__,
-   *   serverUrl: __OMNIKIT_API_URL__,
-   *   apiKey: __OMNIKIT_API_KEY__,
-   * });
+   * import { createServerClient } from '@omnikit-ai/sdk';
    *
-   * const stripeKey = await omnikit.getSecret('STRIPE_SECRET_KEY');
-   * const stripe = new Stripe(stripeKey);
+   * Deno.serve(async (req) => {
+   *   const omnikit = createServerClient(req);
+   *
+   *   // Fetch secret at runtime - secure, never in source code
+   *   const stripeKey = await omnikit.getSecret('STRIPE_SECRET_KEY');
+   *   const stripe = new Stripe(stripeKey);
+   *
+   *   // ... rest of function
+   * });
    * ```
    *
    * @param secretName - Name of the secret to retrieve
@@ -2713,19 +2703,20 @@ Example: await ${collectionName}.list({ limit: 100, sort: '-created_at' })`,
   async getSecret(secretName) {
     if (!this._apiKey) {
       throw new OmnikitError(
-        "API key is required to fetch secrets. Provide apiKey in config.",
+        "API key required. Use createServerClient(req) in backend functions.",
         403,
-        "API_KEY_REQUIRED"
+        "AUTH_REQUIRED"
       );
     }
+    const headers = {
+      "Content-Type": "application/json",
+      "X-API-Key": this._apiKey
+    };
     const response = await fetch(
       `${this.baseUrl}/apps/${this.appId}/secrets/${secretName}/value`,
       {
         method: "GET",
-        headers: {
-          "X-API-Key": this._apiKey,
-          "Content-Type": "application/json"
-        }
+        headers
       }
     );
     if (!response.ok) {
@@ -2752,12 +2743,12 @@ function createServerClient(request) {
   };
   const authHeader = getHeader("Authorization") || getHeader("authorization");
   const userToken = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : null;
-  const serviceToken = getHeader("X-Omnikit-Service-Authorization") || getHeader("x-omnikit-service-authorization");
-  const appId = getHeader("X-Omnikit-App-Id") || getHeader("x-omnikit-app-id");
-  const serverUrl = getHeader("X-Omnikit-Server-Url") || getHeader("x-omnikit-server-url") || "https://omnikit.ai/api";
+  const apiKey = getHeader("X-API-Key") || getHeader("x-api-key");
+  const appId = (typeof __OMNIKIT_APP_ID__ !== "undefined" ? __OMNIKIT_APP_ID__ : null) || getHeader("X-Omnikit-App-Id") || getHeader("x-omnikit-app-id");
+  const serverUrl = (typeof __OMNIKIT_API_URL__ !== "undefined" ? __OMNIKIT_API_URL__ : null) || getHeader("X-Omnikit-Server-Url") || getHeader("x-omnikit-server-url") || "https://omnikit.ai/api";
   if (!appId) {
     throw new OmnikitError(
-      "X-Omnikit-App-Id header is required. This function should be invoked through the Omnikit platform.",
+      "App ID not found. Ensure function is deployed through Omnikit platform (or X-Omnikit-App-Id header is set).",
       400,
       "MISSING_APP_ID"
     );
@@ -2766,7 +2757,7 @@ function createServerClient(request) {
     appId,
     serverUrl,
     token: userToken || void 0,
-    serviceToken: serviceToken || void 0,
+    apiKey: apiKey || void 0,
     autoInitAuth: false
     // Don't auto-detect from localStorage in backend
   });