@oxyhq/core 1.5.0 → 1.6.0

package/dist/types/mixins/OxyServices.privacy.d.ts

@@ -78,6 +78,7 @@ export declare function OxyServicesPrivacyMixin<T extends typeof OxyServicesBase
         httpService: import("../HttpService").HttpService;
         cloudURL: string;
         config: import("../OxyServices.base").OxyConfig;
+        __resetTokensForTests(): void;
         makeRequest<T_1>(method: "GET" | "POST" | "PUT" | "PATCH" | "DELETE", url: string, data?: any, options?: import("../HttpService").RequestOptions): Promise<T_1>;
         getBaseURL(): string;
         getClient(): import("../HttpService").HttpService;
@@ -120,5 +121,4 @@ export declare function OxyServicesPrivacyMixin<T extends typeof OxyServicesBase
             [key: string]: any;
         }>;
     };
-    __resetTokensForTests(): void;
 } & T;

package/dist/types/mixins/OxyServices.redirect.d.ts

@@ -194,6 +194,7 @@ export declare function OxyServicesRedirectAuthMixin<T extends typeof OxyService
         httpService: import("../HttpService").HttpService;
         cloudURL: string;
         config: import("../OxyServices.base").OxyConfig;
+        __resetTokensForTests(): void;
         makeRequest<T_1>(method: "GET" | "POST" | "PUT" | "PATCH" | "DELETE", url: string, data?: any, options?: import("../HttpService").RequestOptions): Promise<T_1>;
         getBaseURL(): string;
         getClient(): import("../HttpService").HttpService;
@@ -242,6 +243,5 @@ export declare function OxyServicesRedirectAuthMixin<T extends typeof OxyService
     readonly STATE_STORAGE_KEY: "oxy_auth_state";
     readonly PRE_AUTH_URL_KEY: "oxy_pre_auth_url";
     readonly NONCE_STORAGE_KEY: "oxy_auth_nonce";
-    __resetTokensForTests(): void;
 } & T;
 export { OxyServicesRedirectAuthMixin as RedirectAuthMixin };

package/dist/types/mixins/OxyServices.security.d.ts

@@ -34,6 +34,7 @@ export declare function OxyServicesSecurityMixin<T extends typeof OxyServicesBas
         httpService: import("../HttpService").HttpService;
         cloudURL: string;
         config: import("../OxyServices.base").OxyConfig;
+        __resetTokensForTests(): void;
         makeRequest<T_1>(method: "GET" | "POST" | "PUT" | "PATCH" | "DELETE", url: string, data?: any, options?: import("../HttpService").RequestOptions): Promise<T_1>;
         getBaseURL(): string;
         getClient(): import("../HttpService").HttpService;
@@ -76,5 +77,4 @@ export declare function OxyServicesSecurityMixin<T extends typeof OxyServicesBas
             [key: string]: any;
         }>;
     };
-    __resetTokensForTests(): void;
 } & T;

package/dist/types/mixins/OxyServices.user.d.ts

@@ -138,6 +138,7 @@ export declare function OxyServicesUserMixin<T extends typeof OxyServicesBase>(B
         httpService: import("../HttpService").HttpService;
         cloudURL: string;
         config: import("../OxyServices.base").OxyConfig;
+        __resetTokensForTests(): void;
         makeRequest<T_1>(method: "GET" | "POST" | "PUT" | "PATCH" | "DELETE", url: string, data?: any, options?: import("../HttpService").RequestOptions): Promise<T_1>;
         getBaseURL(): string;
         getClient(): import("../HttpService").HttpService;
@@ -180,5 +181,4 @@ export declare function OxyServicesUserMixin<T extends typeof OxyServicesBase>(B
             [key: string]: any;
         }>;
     };
-    __resetTokensForTests(): void;
 } & T;

package/dist/types/mixins/OxyServices.utility.d.ts

@@ -49,19 +49,19 @@ export declare function OxyServicesUtilityMixin<T extends typeof OxyServicesBase
          *
          * const oxy = new OxyServices({ baseURL: 'https://api.oxy.so' });
          *
-         * // Protect all routes under /api/protected
-         * app.use('/api/protected', oxy.auth());
+         * // Protect all routes under /protected
+         * app.use('/protected', oxy.auth());
          *
          * // Access user in route handler
-         * app.get('/api/protected/me', (req, res) => {
+         * app.get('/protected/me', (req, res) => {
          *   res.json({ userId: req.userId, user: req.user });
          * });
          *
          * // Load full user profile from API
-         * app.use('/api/admin', oxy.auth({ loadUser: true }));
+         * app.use('/admin', oxy.auth({ loadUser: true }));
          *
          * // Optional auth - attach user if present, don't block if absent
-         * app.use('/api/public', oxy.auth({ optional: true }));
+         * app.use('/public', oxy.auth({ optional: true }));
          * ```
          *
          * @param options Optional configuration
@@ -111,10 +111,12 @@ export declare function OxyServicesUtilityMixin<T extends typeof OxyServicesBase
          */
         serviceAuth(options?: {
             debug?: boolean;
+            jwtSecret?: string;
         }): (req: any, res: any, next: any) => Promise<void>;
         httpService: import("../HttpService").HttpService;
         cloudURL: string;
         config: import("../OxyServices.base").OxyConfig;
+        __resetTokensForTests(): void;
         makeRequest<T_1>(method: "GET" | "POST" | "PUT" | "PATCH" | "DELETE", url: string, data?: any, options?: import("../HttpService").RequestOptions): Promise<T_1>;
         getBaseURL(): string;
         getClient(): import("../HttpService").HttpService;
@@ -157,6 +159,5 @@ export declare function OxyServicesUtilityMixin<T extends typeof OxyServicesBase
             [key: string]: any;
         }>;
     };
-    __resetTokensForTests(): void;
 } & T;
 export {};

package/dist/types/utils/platform.d.ts

@@ -27,6 +27,14 @@ export declare function isIOS(): boolean;
  * Check if running on Android
  */
 export declare function isAndroid(): boolean;
+/**
+ * Check if running in React Native
+ */
+export declare function isReactNative(): boolean;
+/**
+ * Check if running in Node.js
+ */
+export declare function isNodeJS(): boolean;
 /**
  * Set the platform OS explicitly
  * Called by React Native entry point to register the platform

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@oxyhq/core",
-  "version": "1.5.0",
+  "version": "1.6.0",
   "description": "OxyHQ SDK Foundation — API client, authentication, cryptographic identity, and shared utilities",
   "main": "dist/cjs/index.js",
   "module": "dist/esm/index.js",

package/src/AuthManager.ts

@@ -308,7 +308,7 @@ export class AuthManager {
           // Use session-based token endpoint which handles auto-refresh server-side
           const response = await httpService.request<{ accessToken: string; expiresAt: string }>({
             method: 'GET',
-            url: `/api/session/token/${sessionId}`,
+            url: `/session/token/${sessionId}`,
             cache: false,
             retry: false,
           });

package/src/HttpService.ts

@@ -54,27 +54,21 @@ interface RequestConfig extends RequestOptions {
   params?: Record<string, unknown>;
   /** @internal Used to prevent infinite auth retry loops */
   _isAuthRetry?: boolean;
+  /** @internal Used to prevent infinite CSRF retry loops */
+  _isCsrfRetry?: boolean;
 }
 
 /**
- * Token store for authentication (singleton)
+ * Token store for authentication (instance-based)
+ * Each HttpService gets its own TokenStore to prevent conflicts
+ * when multiple OxyServices instances coexist server-side.
  */
 class TokenStore {
-  private static instance: TokenStore;
   private accessToken: string | null = null;
   private refreshToken: string | null = null;
   private csrfToken: string | null = null;
   private csrfTokenFetchPromise: Promise<string | null> | null = null;
 
-  private constructor() {}
-
-  static getInstance(): TokenStore {
-    if (!TokenStore.instance) {
-      TokenStore.instance = new TokenStore();
-    }
-    return TokenStore.instance;
-  }
-
   setTokens(accessToken: string, refreshToken = ''): void {
     this.accessToken = accessToken;
     this.refreshToken = refreshToken;
@@ -134,6 +128,7 @@ export class HttpService {
   private logger: SimpleLogger;
   private config: OxyConfig;
   private tokenRefreshPromise: Promise<string | null> | null = null;
+  private tokenRefreshCooldownUntil: number = 0;
   private _onTokenRefreshed: ((accessToken: string) => void) | null = null;
 
   // Performance monitoring
@@ -149,7 +144,7 @@ export class HttpService {
   constructor(config: OxyConfig) {
     this.config = config;
     this.baseURL = config.baseURL;
-    this.tokenStore = TokenStore.getInstance();
+    this.tokenStore = new TokenStore();
     
     this.logger = new SimpleLogger(
       config.enableLogging || false,
@@ -346,6 +341,20 @@ export class HttpService {
             this.tokenStore.clearTokens();
           }
 
+          // On 403 with CSRF error, clear cached token and retry once
+          if (response.status === 403 && !config._isCsrfRetry) {
+            try {
+              const clonedResponse = response.clone();
+              const errBody = await clonedResponse.json() as { code?: string } | null;
+              if (errBody?.code === 'CSRF_TOKEN_INVALID' || errBody?.code === 'CSRF_TOKEN_MISSING') {
+                this.tokenStore.clearCsrfToken();
+                return this.request<T>({ ...config, _isCsrfRetry: true, retry: false });
+              }
+            } catch {
+              // Failed to parse error body — not a CSRF error
+            }
+          }
+
           // Try to parse error response (handle empty/malformed JSON)
           let errorMessage = `HTTP ${response.status}: ${response.statusText}`;
           const contentType = response.headers.get('content-type');
@@ -518,52 +527,58 @@ export class HttpService {
     }
 
     const fetchPromise = (async () => {
-      try {
-        if (isDev()) console.log('[HttpService] Fetching CSRF token from:', `${this.baseURL}/api/csrf-token`);
+      const maxAttempts = 2;
+      for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+        try {
+          if (isDev()) console.log('[HttpService] Fetching CSRF token from:', `${this.baseURL}/csrf-token`, `(attempt ${attempt})`);
 
-        // Use AbortController for timeout (more compatible than AbortSignal.timeout)
-        const controller = new AbortController();
-        const timeoutId = setTimeout(() => controller.abort(), 5000);
+          // Use AbortController for timeout (more compatible than AbortSignal.timeout)
+          const controller = new AbortController();
+          const timeoutId = setTimeout(() => controller.abort(), 5000);
 
-        const response = await fetch(`${this.baseURL}/api/csrf-token`, {
-          method: 'GET',
-          headers: { 'Accept': 'application/json' },
-          credentials: 'include', // Required to receive and send cookies
-          signal: controller.signal,
-        });
+          const response = await fetch(`${this.baseURL}/csrf-token`, {
+            method: 'GET',
+            headers: { 'Accept': 'application/json' },
+            credentials: 'include', // Required to receive and send cookies
+            signal: controller.signal,
+          });
 
-        clearTimeout(timeoutId);
+          clearTimeout(timeoutId);
 
-        if (isDev()) console.log('[HttpService] CSRF fetch response:', response.status, response.ok);
+          if (isDev()) console.log('[HttpService] CSRF fetch response:', response.status, response.ok);
 
-        if (response.ok) {
-          const data = await response.json() as { csrfToken?: string };
-          if (isDev()) console.log('[HttpService] CSRF response data:', data);
-          const token = data.csrfToken || null;
-          this.tokenStore.setCsrfToken(token);
-          this.logger.debug('CSRF token fetched');
-          return token;
-        }
+          if (response.ok) {
+            const data = await response.json() as { csrfToken?: string };
+            if (isDev()) console.log('[HttpService] CSRF response data:', data);
+            const token = data.csrfToken || null;
+            this.tokenStore.setCsrfToken(token);
+            this.logger.debug('CSRF token fetched');
+            return token;
+          }
 
-        // Also check response header for CSRF token
-        const headerToken = response.headers.get('X-CSRF-Token');
-        if (headerToken) {
-          this.tokenStore.setCsrfToken(headerToken);
-          this.logger.debug('CSRF token from header');
-          return headerToken;
-        }
+          // Also check response header for CSRF token
+          const headerToken = response.headers.get('X-CSRF-Token');
+          if (headerToken) {
+            this.tokenStore.setCsrfToken(headerToken);
+            this.logger.debug('CSRF token from header');
+            return headerToken;
+          }
 
-        if (isDev()) console.log('[HttpService] CSRF fetch failed with status:', response.status);
-        this.logger.warn('Failed to fetch CSRF token:', response.status);
-        return null;
-      } catch (error) {
-        if (isDev()) console.log('[HttpService] CSRF fetch error:', error);
-        this.logger.warn('CSRF token fetch error:', error);
-        return null;
-      } finally {
-        this.tokenStore.setCsrfTokenFetchPromise(null);
+          if (isDev()) console.log('[HttpService] CSRF fetch failed with status:', response.status);
+          this.logger.warn('Failed to fetch CSRF token:', response.status);
+        } catch (error) {
+          if (isDev()) console.log('[HttpService] CSRF fetch error:', error);
+          this.logger.warn('CSRF token fetch error:', error);
+        }
+        // Wait before retry (500ms)
+        if (attempt < maxAttempts) {
+          await new Promise(resolve => setTimeout(resolve, 500));
+        }
       }
-    })();
+      return null;
+    })().finally(() => {
+      this.tokenStore.setCsrfTokenFetchPromise(null);
+    });
 
     this.tokenStore.setCsrfTokenFetchPromise(fetchPromise);
     return fetchPromise;
@@ -584,16 +599,23 @@ export class HttpService {
 
       // If token expires in less than 60 seconds, refresh it
       if (decoded.exp && decoded.exp - currentTime < 60 && decoded.sessionId) {
-        // Deduplicate concurrent refresh attempts
-        if (!this.tokenRefreshPromise) {
-          this.tokenRefreshPromise = this._refreshTokenFromSession(decoded.sessionId);
+        // Skip if we recently failed a refresh (5s cooldown to prevent storms)
+        if (Date.now() < this.tokenRefreshCooldownUntil) {
+          return `Bearer ${accessToken}`;
         }
-        try {
-          const result = await this.tokenRefreshPromise;
-          if (result) return result;
-        } finally {
-          this.tokenRefreshPromise = null;
+        // Deduplicate concurrent refresh attempts. The promise is shared
+        // across all concurrent callers and cleared only after it settles,
+        // so every awaiter receives the same result.
+        if (!this.tokenRefreshPromise) {
+          this.tokenRefreshPromise = this._refreshTokenFromSession(decoded.sessionId)
+            .then((result) => {
+              if (!result) this.tokenRefreshCooldownUntil = Date.now() + 5000;
+              return result;
+            })
+            .finally(() => { this.tokenRefreshPromise = null; });
         }
+        const result = await this.tokenRefreshPromise;
+        if (result) return result;
       }
 
       return `Bearer ${accessToken}`;
@@ -605,7 +627,7 @@ export class HttpService {
 
   private async _refreshTokenFromSession(sessionId: string): Promise<string | null> {
     try {
-      const refreshUrl = `${this.baseURL}/api/session/token/${sessionId}`;
+      const refreshUrl = `${this.baseURL}/session/token/${sessionId}`;
       const response = await fetch(refreshUrl, {
         method: 'GET',
         headers: { 'Accept': 'application/json' },
@@ -778,14 +800,10 @@ export class HttpService {
     return { ...this.requestMetrics };
   }
 
-  // Test-only utility
-  static __resetTokensForTests(): void {
-    try {
-      TokenStore.getInstance().clearTokens();
-    } catch (error) {
-      // Silently fail in test cleanup - this is expected behavior
-      // TokenStore might not be initialized in some test scenarios
-    }
+  // Test-only utility — clears tokens on this instance
+  __resetTokensForTests(): void {
+    this.tokenStore.clearTokens();
+    this.tokenStore.clearCsrfToken();
   }
 }
 

package/src/OxyServices.base.ts

@@ -41,9 +41,10 @@ export class OxyServicesBase {
     this.httpService = new HttpService(config);
   }
 
-  // Test-only utility to reset global tokens between jest tests
-  static __resetTokensForTests(): void {
-    HttpService.__resetTokensForTests();
+  // Test-only utility to reset tokens on this instance between jest tests
+  // Note: tokens are now per-instance, so create new instances in tests for isolation
+  __resetTokensForTests(): void {
+    this.httpService.__resetTokensForTests();
   }
 
   /**
@@ -304,7 +305,7 @@ export class OxyServicesBase {
     }
 
     try {
-      const res = await this.makeRequest<{ valid: boolean }>('GET', '/api/auth/validate', undefined, {
+      const res = await this.makeRequest<{ valid: boolean }>('GET', '/auth/validate', undefined, {
         cache: false,
         retry: false,
       });

package/src/crypto/keyManager.ts

@@ -7,7 +7,7 @@
 
 import { ec as EC } from 'elliptic';
 import type { ECKeyPair } from 'elliptic';
-import { isWeb, isIOS, isAndroid } from '../utils/platform';
+import { isWeb, isIOS, isAndroid, isReactNative, isNodeJS } from '../utils/platform';
 import { logger } from '../utils/loggerUtils';
 import { isDev } from '../shared/utils/debugUtils';
 
@@ -64,20 +64,6 @@ async function initSecureStore(): Promise<typeof import('expo-secure-store')> {
   return SecureStore;
 }
 
-/**
- * Check if we're in a React Native environment
- */
-function isReactNative(): boolean {
-  return typeof navigator !== 'undefined' && navigator.product === 'ReactNative';
-}
-
-/**
- * Check if we're in a Node.js environment
- */
-function isNodeJS(): boolean {
-  return typeof process !== 'undefined' && process.versions != null && process.versions.node != null;
-}
-
 /**
  * Check if we're on web platform
  * Identity storage is only available on native platforms (iOS/Android)

package/src/crypto/signatureService.ts

@@ -7,26 +7,13 @@
 
 import { ec as EC } from 'elliptic';
 import { KeyManager } from './keyManager';
+import { isReactNative, isNodeJS } from '../utils/platform';
 
 // Lazy import for expo-crypto
 let ExpoCrypto: typeof import('expo-crypto') | null = null;
 
 const ec = new EC('secp256k1');
 
-/**
- * Check if we're in a React Native environment
- */
-function isReactNative(): boolean {
-  return typeof navigator !== 'undefined' && navigator.product === 'ReactNative';
-}
-
-/**
- * Check if we're in a Node.js environment
- */
-function isNodeJS(): boolean {
-  return typeof process !== 'undefined' && process.versions != null && process.versions.node != null;
-}
-
 /**
  * Initialize expo-crypto module
  */
@@ -55,9 +42,7 @@ async function sha256(message: string): Promise<string> {
   // In Node.js, use Node's crypto module
   if (isNodeJS()) {
     try {
-      // eslint-disable-next-line @typescript-eslint/no-implied-eval
-      const getCrypto = new Function('return require("crypto")');
-      const nodeCrypto = getCrypto();
+      const nodeCrypto = await import('crypto');
       return nodeCrypto.createHash('sha256').update(message).digest('hex');
     } catch {
       // Fall through to Web Crypto API

package/src/mixins/OxyServices.analytics.ts

@@ -19,7 +19,7 @@ export function OxyServicesAnalyticsMixin<T extends typeof OxyServicesBase>(Base
      */
     async trackEvent(eventName: string, properties?: Record<string, any>): Promise<void> {
       try {
-        await this.makeRequest('POST', '/api/analytics/events', {
+        await this.makeRequest('POST', '/analytics/events', {
           event: eventName,
           properties
         }, { cache: false, retry: false }); // Don't retry analytics events
@@ -40,7 +40,7 @@ export function OxyServicesAnalyticsMixin<T extends typeof OxyServicesBase>(Base
         if (startDate) params.startDate = startDate;
         if (endDate) params.endDate = endDate;
         
-        return await this.makeRequest('GET', '/api/analytics', params, {
+        return await this.makeRequest('GET', '/analytics', params, {
           cache: true,
           cacheTTL: CACHE_TIMES.LONG,
         });

package/src/mixins/OxyServices.assets.ts

@@ -12,7 +12,7 @@ export function OxyServicesAssetsMixin<T extends typeof OxyServicesBase>(Base: T
      */
     async deleteFile(fileId: string): Promise<any> {
       try {
-        return await this.makeRequest('DELETE', `/api/assets/${encodeURIComponent(fileId)}`, undefined, { cache: false });
+        return await this.makeRequest('DELETE', `/assets/${encodeURIComponent(fileId)}`, undefined, { cache: false });
       } catch (error) {
         throw this.handleError(error);
       }
@@ -31,7 +31,7 @@ export function OxyServicesAssetsMixin<T extends typeof OxyServicesBase>(Base: T
       if (token) params.set('token', token);
 
       const qs = params.toString();
-      return `${base}/api/assets/${encodeURIComponent(fileId)}/stream${qs ? `?${qs}` : ''}`;
+      return `${base}/assets/${encodeURIComponent(fileId)}/stream${qs ? `?${qs}` : ''}`;
     }
 
     /**
@@ -60,7 +60,7 @@ export function OxyServicesAssetsMixin<T extends typeof OxyServicesBase>(Base: T
         const paramsObj: any = {};
         if (limit) paramsObj.limit = limit;
         if (offset) paramsObj.offset = offset;
-        return await this.makeRequest('GET', '/api/assets', paramsObj, {
+        return await this.makeRequest('GET', '/assets', paramsObj, {
           cache: false,
         });
       } catch (error) {
@@ -73,7 +73,7 @@ export function OxyServicesAssetsMixin<T extends typeof OxyServicesBase>(Base: T
      */
     async getAccountStorageUsage(): Promise<AccountStorageUsageResponse> {
       try {
-        return await this.makeRequest<AccountStorageUsageResponse>('GET', '/api/storage/usage', undefined, {
+        return await this.makeRequest<AccountStorageUsageResponse>('GET', '/storage/usage', undefined, {
           cache: false,
         });
       } catch (error) {
@@ -128,7 +128,7 @@ export function OxyServicesAssetsMixin<T extends typeof OxyServicesBase>(Base: T
      */
     async getBatchFileAccess(fileIds: string[], context?: string): Promise<Record<string, any>> {
       try {
-        return await this.makeRequest('POST', '/api/assets/batch-access', { 
+        return await this.makeRequest('POST', '/assets/batch-access', { 
           fileIds, 
           context 
         });
@@ -191,7 +191,7 @@ export function OxyServicesAssetsMixin<T extends typeof OxyServicesBase>(Base: T
 
         const response = await this.getClient().request<{ file: any }>({
           method: 'POST',
-          url: '/api/assets/upload',
+          url: '/assets/upload',
           data: formData,
           cache: false,
         });
@@ -250,7 +250,7 @@ export function OxyServicesAssetsMixin<T extends typeof OxyServicesBase>(Base: T
         const body: any = { app, entityType, entityId };
         if (visibility) body.visibility = visibility;
         if (webhookUrl) body.webhookUrl = webhookUrl;
-        return await this.makeRequest('POST', `/api/assets/${fileId}/links`, body, { cache: false });
+        return await this.makeRequest('POST', `/assets/${fileId}/links`, body, { cache: false });
       } catch (error) {
         throw this.handleError(error);
       }
@@ -261,7 +261,7 @@ export function OxyServicesAssetsMixin<T extends typeof OxyServicesBase>(Base: T
      */
     async assetUnlink(fileId: string, app: string, entityType: string, entityId: string): Promise<any> {
       try {
-        return await this.makeRequest('DELETE', `/api/assets/${fileId}/links`, {
+        return await this.makeRequest('DELETE', `/assets/${fileId}/links`, {
           app,
           entityType,
           entityId
@@ -276,7 +276,7 @@ export function OxyServicesAssetsMixin<T extends typeof OxyServicesBase>(Base: T
      */
     async assetGet(fileId: string): Promise<any> {
       try {
-        return await this.makeRequest('GET', `/api/assets/${fileId}`, undefined, {
+        return await this.makeRequest('GET', `/assets/${fileId}`, undefined, {
           cache: true,
           cacheTTL: 5 * 60 * 1000,
         });
@@ -294,7 +294,7 @@ export function OxyServicesAssetsMixin<T extends typeof OxyServicesBase>(Base: T
         if (variant) params.variant = variant;
         if (expiresIn) params.expiresIn = expiresIn;
         
-        return await this.makeRequest<AssetUrlResponse>('GET', `/api/assets/${fileId}/url`, params, {
+        return await this.makeRequest<AssetUrlResponse>('GET', `/assets/${fileId}/url`, params, {
           cache: true,
           cacheTTL: 10 * 60 * 1000,
         });
@@ -308,7 +308,7 @@ export function OxyServicesAssetsMixin<T extends typeof OxyServicesBase>(Base: T
      */
     async assetRestore(fileId: string): Promise<any> {
       try {
-        return await this.makeRequest('POST', `/api/assets/${fileId}/restore`, undefined, { cache: false });
+        return await this.makeRequest('POST', `/assets/${fileId}/restore`, undefined, { cache: false });
       } catch (error) {
         throw this.handleError(error);
       }
@@ -320,7 +320,7 @@ export function OxyServicesAssetsMixin<T extends typeof OxyServicesBase>(Base: T
     async assetDelete(fileId: string, force: boolean = false): Promise<any> {
       try {
         const params: any = force ? { force: 'true' } : undefined;
-        return await this.makeRequest('DELETE', `/api/assets/${fileId}`, params, { cache: false });
+        return await this.makeRequest('DELETE', `/assets/${fileId}`, params, { cache: false });
       } catch (error) {
         throw this.handleError(error);
       }
@@ -343,7 +343,7 @@ export function OxyServicesAssetsMixin<T extends typeof OxyServicesBase>(Base: T
      */
     async assetUpdateVisibility(fileId: string, visibility: 'private' | 'public' | 'unlisted'): Promise<any> {
       try {
-        return await this.makeRequest('PATCH', `/api/assets/${fileId}/visibility`, {
+        return await this.makeRequest('PATCH', `/assets/${fileId}/visibility`, {
           visibility
         }, { cache: false });
       } catch (error) {
@@ -388,7 +388,7 @@ export function OxyServicesAssetsMixin<T extends typeof OxyServicesBase>(Base: T
 
       const urlRes = await this.makeRequest<{ url: string }>(
         'GET',
-        `/api/assets/${encodeURIComponent(fileId)}/url`,
+        `/assets/${encodeURIComponent(fileId)}/url`,
         Object.keys(params).length ? params : undefined,
         {
           cache: true,