@oxyhq/core 3.1.0 → 3.2.0

package/dist/types/OxyServices.d.ts

@@ -83,6 +83,7 @@ import { composeOxyServices } from './mixins';
  * - **Karma**: Karma system
  * - **Assets**: File upload and asset management
  * - **Applications**: Application, membership, and credential management
+ * - **Workspaces**: Workspace and membership management
  * - **Location**: Location-based features
  * - **Analytics**: Analytics tracking
  * - **Devices**: Device management

package/dist/types/index.d.ts

@@ -33,7 +33,8 @@ export type { ServiceApp, ServiceActingAsVerification } from './mixins/OxyServic
 export type { CreateManagedAccountInput, ManagedAccountManager, ManagedAccount, } from './mixins/OxyServices.managedAccounts';
 export type { ContactDiscoveryMatch, ContactDiscoveryResponse, } from './mixins/OxyServices.contacts';
 export { OxyAppDataIdentifierError } from './mixins/OxyServices.appData';
-export type { Application, ApplicationMember, ApplicationCredential, ApplicationRole, ApplicationType, ApplicationStatus, ApplicationMemberStatus, ApplicationCredentialType, ApplicationCredentialStatus, ApplicationEnvironment, CreateApplicationInput, UpdateApplicationInput, InviteApplicationMemberInput, UpdateApplicationMemberInput, TransferApplicationOwnershipInput, CreateApplicationCredentialInput, ApplicationCredentialWithSecret, RotateApplicationCredentialResult, ApplicationUsagePeriod, ApplicationUsageSummary, ApplicationUsageByDay, ApplicationUsageByEndpoint, ApplicationUsageStats, ApplicationSuccessResult, } from './mixins/OxyServices.applications';
+export type { Application, PublicApplication, ApplicationMember, ApplicationCredential, ApplicationRole, ApplicationType, ApplicationStatus, ApplicationMemberStatus, ApplicationCredentialType, ApplicationCredentialStatus, ApplicationEnvironment, CreateApplicationInput, UpdateApplicationInput, InviteApplicationMemberInput, UpdateApplicationMemberInput, TransferApplicationOwnershipInput, CreateApplicationCredentialInput, ApplicationCredentialWithSecret, RotateApplicationCredentialResult, ApplicationUsagePeriod, ApplicationUsageSummary, ApplicationUsageByDay, ApplicationUsageByEndpoint, ApplicationUsageStats, ApplicationSuccessResult, } from './mixins/OxyServices.applications';
+export type { Workspace, WorkspaceMember, WorkspaceRole, WorkspaceType, WorkspaceStatus, WorkspaceMemberStatus, CreateWorkspaceInput, UpdateWorkspaceInput, InviteWorkspaceMemberInput, UpdateWorkspaceMemberInput, TransferWorkspaceOwnershipInput, WorkspaceSuccessResult, } from './mixins/OxyServices.workspaces';
 export { SessionSyncRequiredError, AuthenticationFailedError, ensureValidToken, isAuthenticationError, withAuthErrorHandling, authenticatedApiCall, } from './utils/authHelpers';
 export type { HandleApiErrorOptions } from './utils/authHelpers';
 export { mergeSessions, normalizeAndSortSessions, sessionsArraysEqual, } from './utils/sessionUtils';

package/dist/types/mixins/OxyServices.applications.d.ts

@@ -49,12 +49,22 @@ export interface Application {
     webhookUrl?: string;
     devWebhookUrl?: string;
     createdByUserId: string;
+    /**
+     * The workspace this application belongs to (workspace `_id`), or `null` for
+     * applications not owned by a workspace. Used by the console to scope apps to
+     * a workspace and to branch on workspace-derived access.
+     */
+    workspaceId: string | null;
     createdAt: string;
     updatedAt: string;
     /**
      * The calling user's own membership in this application, embedded by the API
      * on list (`GET /applications`) and detail (`GET /applications/:appId`)
      * responses. Use `callerMembership.permissions` to gate UI affordances.
+     *
+     * When the caller's access is derived from a workspace membership rather than
+     * a direct application membership, the API returns a synthetic membership
+     * with `source: 'workspace'` and `_id: null`.
      */
     callerMembership?: ApplicationMember;
 }
@@ -63,7 +73,11 @@ export interface Application {
  * on the server at write time.
  */
 export interface ApplicationMember {
-    _id: string;
+    /**
+     * The membership's Mongo `_id`. `null` for a synthetic, workspace-derived
+     * membership (see {@link Application.callerMembership} and `source`).
+     */
+    _id: string | null;
     applicationId: string;
     userId: string;
     role: ApplicationRole;
@@ -71,6 +85,13 @@ export interface ApplicationMember {
     invitedByUserId?: string;
     joinedAt?: string;
     status: ApplicationMemberStatus;
+    /**
+     * Origin of this membership. When `'workspace'`, the membership is synthetic
+     * and derived from the caller's workspace membership rather than a direct
+     * application membership (in which case `_id` is `null`). Absent or any other
+     * value indicates a direct application membership.
+     */
+    source?: 'workspace';
     createdAt: string;
     updatedAt: string;
 }
@@ -98,6 +119,38 @@ export interface ApplicationCredential {
     createdAt: string;
     updatedAt: string;
 }
+/**
+ * Sanitized, PUBLIC application identity returned by the API when resolving a
+ * cross-app/OAuth client to a registered {@link Application}.
+ *
+ * Unlike {@link Application}, this shape carries NO sensitive or membership
+ * fields — it is safe to display unauthenticated in consent/authorize screens
+ * and device-flow approval UIs. The API resolves a `client_id` (OAuth
+ * credential public key) to the owning application and projects only the
+ * fields below. `id` is the application's `_id` as a string.
+ */
+export interface PublicApplication {
+    /** The application's Mongo `_id` as a string. */
+    id: string;
+    /** Human-readable application name shown to the user. */
+    name: string;
+    /** Optional short description of what the application does. */
+    description?: string;
+    /** Optional icon URL for the application. */
+    icon?: string;
+    /** Optional public website/homepage URL for the application. */
+    websiteUrl?: string;
+    /** Application classification (set by Oxy platform staff). */
+    type: ApplicationType;
+    /** Whether the application is an officially endorsed Oxy application. */
+    isOfficial: boolean;
+    /** Whether the application is an internal Oxy ecosystem application. */
+    isInternal: boolean;
+    /** OAuth scopes the application is configured to request. */
+    scopes: string[];
+    /** Optional display name of the developer/owner organisation. */
+    developerName?: string;
+}
 /** Input accepted by `createApplication`. Staff-only fields are not settable here. */
 export interface CreateApplicationInput {
     name: string;
@@ -106,6 +159,11 @@ export interface CreateApplicationInput {
     icon?: string;
     redirectUris?: string[];
     scopes?: string[];
+    /**
+     * Optional workspace `_id` to create the app in. Omitted → API defaults to
+     * the caller's personal workspace.
+     */
+    workspaceId?: string;
 }
 /** Input accepted by `updateApplication`. Staff-only fields are not settable here. */
 export interface UpdateApplicationInput {
@@ -192,10 +250,27 @@ export interface ApplicationSuccessResult {
 }
 export declare function OxyServicesApplicationsMixin<T extends typeof OxyServicesBase>(Base: T): {
     new (...args: any[]): {
+        /**
+         * Resolve an OAuth client identifier to the owning application's PUBLIC
+         * identity. No authentication required — the API returns only sanitized,
+         * display-safe metadata ({@link PublicApplication}). Use this to render the
+         * requesting application's name/icon in consent, authorize, and device-flow
+         * approval UIs before any session exists.
+         *
+         * @param clientId - The OAuth `client_id` (an active credential's public
+         *   key). URL-encoded before being placed in the path.
+         */
+        getPublicApplication(clientId: string): Promise<PublicApplication>;
         /**
          * List applications the current user is an active member of.
+         *
+         * @param workspaceId - Optional workspace `_id` to scope the listing to
+         *   applications belonging to that workspace. When provided it is appended
+         *   as a `workspaceId` query parameter (URL-encoded). The query string is
+         *   part of the request path, so the response cache keys on it
+         *   automatically — scoped and unscoped lists never collide.
          */
-        getApplications(): Promise<Application[]>;
+        getApplications(workspaceId?: string): Promise<Application[]>;
         /**
          * Create a new application. The caller becomes its `owner`.
          * @param data - Application configuration. Staff-only fields are ignored.
@@ -329,12 +404,7 @@ export declare function OxyServicesApplicationsMixin<T extends typeof OxyService
         healthCheck(): Promise<{
             status: string;
             users?: number;
-            timestamp? /**
-             * Create a credential. The plaintext `secret` is returned exactly ONCE;
-             * the server stores only a hash and will never return it again.
-             * @param applicationId - The application's Mongo `_id`.
-             * @param data - Credential configuration.
-             */: string;
+            timestamp?: string;
             [key: string]: any;
         }>;
     };

package/dist/types/mixins/OxyServices.workspaces.d.ts

@@ -0,0 +1,199 @@
+/**
+ * Workspaces Methods Mixin
+ *
+ * Provides methods for managing Oxy workspaces and their members via the
+ * `/workspaces` API. A workspace is a multi-user container that owns
+ * applications and other resources: membership (with a role) grants
+ * permissions. A `personal` workspace is created implicitly for every user;
+ * `team` workspaces are created explicitly and can invite additional members.
+ *
+ * Reference workspaces by their Mongo `_id` and members by their member `_id`.
+ * Never by name or slug.
+ */
+import type { OxyServicesBase } from '../OxyServices.base';
+/** Role a member holds within a workspace. */
+export type WorkspaceRole = 'owner' | 'admin' | 'member' | 'viewer';
+/** Workspace classification. A `personal` workspace is implicit per user. */
+export type WorkspaceType = 'personal' | 'team';
+/** Lifecycle status of a workspace. */
+export type WorkspaceStatus = 'active' | 'deleted';
+/** Membership lifecycle status. */
+export type WorkspaceMemberStatus = 'active' | 'invited' | 'removed';
+/**
+ * Client-facing WorkspaceMember shape. `permissions` is derived from `role`
+ * on the server at write time.
+ */
+export interface WorkspaceMember {
+    _id: string;
+    workspaceId: string;
+    userId: string;
+    role: WorkspaceRole;
+    permissions: string[];
+    invitedByUserId?: string | null;
+    joinedAt?: string | null;
+    status: WorkspaceMemberStatus;
+    createdAt: string;
+    updatedAt: string;
+}
+/**
+ * Client-facing Workspace shape returned by the `/workspaces` API. Mirrors the
+ * server `Workspace` model with `_id` as a string and dates serialized to ISO
+ * strings.
+ */
+export interface Workspace {
+    _id: string;
+    name: string;
+    slug: string;
+    type: WorkspaceType;
+    description?: string | null;
+    icon?: string | null;
+    ownerId: string;
+    status: WorkspaceStatus;
+    createdAt: string;
+    updatedAt: string;
+    /**
+     * The calling user's own membership in this workspace, embedded by the API
+     * on list (`GET /workspaces`) and detail (`GET /workspaces/:id`) responses.
+     * Use `callerMembership.permissions` to gate UI affordances.
+     */
+    callerMembership?: WorkspaceMember | null;
+}
+/** Input accepted by `createWorkspace`. */
+export interface CreateWorkspaceInput {
+    name: string;
+    description?: string;
+    icon?: string;
+}
+/** Input accepted by `updateWorkspace`. */
+export interface UpdateWorkspaceInput {
+    name?: string;
+    description?: string | null;
+    icon?: string | null;
+}
+/** Input accepted by `inviteWorkspaceMember`. The owner role cannot be invited. */
+export interface InviteWorkspaceMemberInput {
+    userId: string;
+    role: Exclude<WorkspaceRole, 'owner'>;
+}
+/** Input accepted by `updateWorkspaceMember`. The owner role cannot be assigned. */
+export interface UpdateWorkspaceMemberInput {
+    role: Exclude<WorkspaceRole, 'owner'>;
+}
+/** Input accepted by `transferWorkspaceOwnership`. */
+export interface TransferWorkspaceOwnershipInput {
+    userId: string;
+}
+/** Result of a delete/remove/transfer operation. */
+export interface WorkspaceSuccessResult {
+    success: boolean;
+}
+export declare function OxyServicesWorkspacesMixin<T extends typeof OxyServicesBase>(Base: T): {
+    new (...args: any[]): {
+        /**
+         * List workspaces the current user is an active member of.
+         */
+        getWorkspaces(): Promise<Workspace[]>;
+        /**
+         * Create a new team workspace. The caller becomes its `owner`.
+         * @param data - Workspace configuration.
+         */
+        createWorkspace(data: CreateWorkspaceInput): Promise<Workspace>;
+        /**
+         * Fetch a single workspace by id.
+         * @param workspaceId - The workspace's Mongo `_id`.
+         */
+        getWorkspace(workspaceId: string): Promise<Workspace>;
+        /**
+         * Update a workspace's mutable fields.
+         * @param workspaceId - The workspace's Mongo `_id`.
+         * @param data - Subset of updatable fields.
+         */
+        updateWorkspace(workspaceId: string, data: UpdateWorkspaceInput): Promise<Workspace>;
+        /**
+         * Soft-delete a workspace (owner only).
+         * @param workspaceId - The workspace's Mongo `_id`.
+         */
+        deleteWorkspace(workspaceId: string): Promise<WorkspaceSuccessResult>;
+        /**
+         * List members of a workspace.
+         * @param workspaceId - The workspace's Mongo `_id`.
+         */
+        getWorkspaceMembers(workspaceId: string): Promise<WorkspaceMember[]>;
+        /**
+         * Add a member to a workspace.
+         * @param workspaceId - The workspace's Mongo `_id`.
+         * @param data - Target user id and role (never `owner`).
+         */
+        inviteWorkspaceMember(workspaceId: string, data: InviteWorkspaceMemberInput): Promise<WorkspaceMember>;
+        /**
+         * Change a member's role.
+         * @param workspaceId - The workspace's Mongo `_id`.
+         * @param memberId - The member's Mongo `_id`.
+         * @param data - New role (never `owner`).
+         */
+        updateWorkspaceMember(workspaceId: string, memberId: string, data: UpdateWorkspaceMemberInput): Promise<WorkspaceMember>;
+        /**
+         * Remove a member from a workspace.
+         * @param workspaceId - The workspace's Mongo `_id`.
+         * @param memberId - The member's Mongo `_id`.
+         */
+        removeWorkspaceMember(workspaceId: string, memberId: string): Promise<WorkspaceSuccessResult>;
+        /**
+         * Transfer ownership of a workspace to another member (owner only).
+         * Demotes the current owner and promotes the target to `owner`.
+         * @param workspaceId - The workspace's Mongo `_id`.
+         * @param data - Target user id.
+         */
+        transferWorkspaceOwnership(workspaceId: string, data: TransferWorkspaceOwnershipInput): Promise<WorkspaceSuccessResult>;
+        httpService: import("../HttpService").HttpService;
+        cloudURL: string;
+        config: import("../OxyServices.base").OxyConfig;
+        __resetTokensForTests(): void;
+        makeRequest<T_1>(method: "GET" | "POST" | "PUT" | "PATCH" | "DELETE", url: string, data?: any, options?: import("../HttpService").RequestOptions): Promise<T_1>;
+        getBaseURL(): string;
+        getSessionBaseUrl(): string;
+        getClient(): import("../HttpService").HttpService;
+        getMetrics(): {
+            totalRequests: number;
+            successfulRequests: number;
+            failedRequests: number;
+            cacheHits: number;
+            cacheMisses: number;
+            averageResponseTime: number;
+        };
+        clearCache(): void;
+        clearCacheEntry(key: string): void;
+        clearCacheByPrefix(prefix: string): number;
+        getCacheStats(): {
+            size: number;
+            hits: number;
+            misses: number;
+            hitRate: number;
+        };
+        getCloudURL(): string;
+        setTokens(accessToken: string, refreshToken?: string): void;
+        clearTokens(): void;
+        onTokensChanged(listener: (accessToken: string | null) => void): () => void;
+        _cachedUserId: string | null | undefined;
+        _cachedAccessToken: string | null;
+        getCurrentUserId(): string | null;
+        hasValidToken(): boolean;
+        getAccessToken(): string | null;
+        setActingAs(userId: string | null): void;
+        getActingAs(): string | null;
+        waitForAuth(timeoutMs?: number): Promise<boolean>;
+        withAuthRetry<T_1>(operation: () => Promise<T_1>, operationName: string, options?: {
+            maxRetries?: number;
+            retryDelay?: number;
+            authTimeoutMs?: number;
+        }): Promise<T_1>;
+        validate(): Promise<boolean>;
+        handleError(error: unknown): Error;
+        healthCheck(): Promise<{
+            status: string;
+            users?: number;
+            timestamp?: string;
+            [key: string]: any;
+        }>;
+    };
+} & T;

package/dist/types/mixins/index.d.ts

@@ -17,6 +17,7 @@ import { OxyServicesPaymentMixin } from './OxyServices.payment';
 import { OxyServicesKarmaMixin } from './OxyServices.karma';
 import { OxyServicesAssetsMixin } from './OxyServices.assets';
 import { OxyServicesApplicationsMixin } from './OxyServices.applications';
+import { OxyServicesWorkspacesMixin } from './OxyServices.workspaces';
 import { OxyServicesLocationMixin } from './OxyServices.location';
 import { OxyServicesAnalyticsMixin } from './OxyServices.analytics';
 import { OxyServicesDevicesMixin } from './OxyServices.devices';
@@ -36,7 +37,7 @@ import { OxyServicesAppDataMixin } from './OxyServices.appData';
  * If you add a new mixin to `MIXIN_PIPELINE`, add it here too so its methods
  * are visible without a cast.
  */
-type AllMixinInstances = InstanceType<ReturnType<typeof OxyServicesAuthMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesFedCMMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesPopupAuthMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesRedirectAuthMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesSsoMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesUserMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesPrivacyMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesLanguageMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesPaymentMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesKarmaMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesAssetsMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesApplicationsMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesLocationMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesAnalyticsMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesDevicesMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesSecurityMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesFeaturesMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesTopicsMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesManagedAccountsMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesContactsMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesAppDataMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesUtilityMixin<typeof OxyServicesBase>>>;
+type AllMixinInstances = InstanceType<ReturnType<typeof OxyServicesAuthMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesFedCMMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesPopupAuthMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesRedirectAuthMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesSsoMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesUserMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesPrivacyMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesLanguageMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesPaymentMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesKarmaMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesAssetsMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesApplicationsMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesWorkspacesMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesLocationMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesAnalyticsMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesDevicesMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesSecurityMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesFeaturesMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesTopicsMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesManagedAccountsMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesContactsMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesAppDataMixin<typeof OxyServicesBase>>> & InstanceType<ReturnType<typeof OxyServicesUtilityMixin<typeof OxyServicesBase>>>;
 /**
  * Constructor type for the fully composed mixin pipeline. Each mixin returns
  * a new constructor that augments its input; reducing across the pipeline

package/dist/types/models/interfaces.d.ts

@@ -17,6 +17,15 @@ export interface OxyConfig {
     sessionBaseUrl?: string;
     authWebUrl?: string;
     authRedirectUri?: string;
+    /**
+     * The app's Oxy OAuth client id (ApplicationCredential publicKey).
+     *
+     * Identifies this app in OAuth authorize / consent flows (issue #214). Purely
+     * declarative: the SDK stores it on `OxyServices.config.clientId` for later
+     * OAuth-authorize use. It is unrelated to the cross-domain `/sso?client_id=…`
+     * bounce (which uses the RP origin, not this registered client id).
+     */
+    clientId?: string;
     enableCache?: boolean;
     cacheTTL?: number;
     enableRequestDeduplication?: boolean;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@oxyhq/core",
-  "version": "3.1.0",
+  "version": "3.2.0",
   "description": "OxyHQ SDK Foundation — API client, authentication, cryptographic identity, and shared utilities",
   "main": "dist/cjs/index.js",
   "module": "dist/esm/index.js",

package/src/AuthManager.ts

@@ -851,7 +851,14 @@ export class AuthManager {
    * Get a valid access token, refreshing automatically if expired or expiring soon.
    */
   async getAccessToken(): Promise<string | null> {
-    const token = await this.storage.getItem(STORAGE_KEYS.ACCESS_TOKEN);
+    // In cookieOnly / cookie-restore flows the active access token lives only in
+    // memory (`_lastKnownAccessToken` + httpService) and is intentionally never
+    // written to JS storage — the cookieOnly contract forbids persisting tokens
+    // in JS-accessible storage. Fall back to the in-memory token when storage has
+    // none, otherwise getAccessToken returns null after every cold-boot/reload and
+    // standalone API clients (e.g. the Console axios client) send no Authorization
+    // header → 401 on every authed endpoint while `isAuthenticated` is still true.
+    const token = (await this.storage.getItem(STORAGE_KEYS.ACCESS_TOKEN)) ?? this._lastKnownAccessToken;
     if (!token) return null;
 
     try {
@@ -862,7 +869,9 @@ export class AuthManager {
         if (decoded.exp - now < buffer) {
           const refreshed = await this.refreshToken();
           if (refreshed) {
-            return this.storage.getItem(STORAGE_KEYS.ACCESS_TOKEN);
+            // refreshToken() updates both storage and `_lastKnownAccessToken`;
+            // prefer storage but fall back to memory for the cookieOnly path.
+            return (await this.storage.getItem(STORAGE_KEYS.ACCESS_TOKEN)) ?? this._lastKnownAccessToken;
           }
         }
       }

package/src/OxyServices.ts

@@ -86,6 +86,7 @@ import { composeOxyServices } from './mixins';
  * - **Karma**: Karma system
  * - **Assets**: File upload and asset management
  * - **Applications**: Application, membership, and credential management
+ * - **Workspaces**: Workspace and membership management
  * - **Location**: Location-based features
  * - **Analytics**: Analytics tracking
  * - **Devices**: Device management

package/src/__tests__/authManager.cookiePath.test.ts

@@ -337,3 +337,52 @@ describe('AuthManager.initialize (cookieOnly)', () => {
     expect(services.httpService.setTokens).not.toHaveBeenCalled();
   });
 });
+
+describe('AuthManager.getAccessToken (cookieOnly in-memory fallback)', () => {
+  it('returns the in-memory token after a cold-boot cookie restore even though storage holds no token', async () => {
+    // Regression: the cookie restore path plants the active token ONLY in memory
+    // (`_lastKnownAccessToken` + httpService) and intentionally NEVER writes
+    // `oxy_access_token`. getAccessToken() must fall back to that in-memory token,
+    // otherwise standalone API clients reading `authManager.getAccessToken()` send
+    // no Authorization header → 401 on every authed endpoint after every reload.
+    const services = makeMockServices();
+    services.refreshAllSessions.mockResolvedValueOnce(TWO_ACCOUNTS);
+    const storage = new InMemoryStorage();
+    const manager = makeManager(services, storage);
+
+    await manager.restoreFromCookies();
+
+    // Storage was never touched for the access token (cookieOnly contract holds).
+    expect(storage.has('oxy_access_token')).toBe(false);
+
+    // getAccessToken still resolves the active slot's token from memory.
+    const token = await manager.getAccessToken();
+    expect(token).toBe(TOKEN_SLOT_0);
+  });
+
+  it('returns null when neither storage nor the in-memory token is present', async () => {
+    const services = makeMockServices();
+    const storage = new InMemoryStorage();
+    const manager = makeManager(services, storage);
+
+    const token = await manager.getAccessToken();
+    expect(token).toBeNull();
+  });
+
+  it('prefers the storage token over the in-memory token when both are present', async () => {
+    const services = makeMockServices();
+    services.refreshAllSessions.mockResolvedValueOnce(TWO_ACCOUNTS);
+    const storage = new InMemoryStorage();
+    const manager = makeManager(services, storage);
+
+    // After restore the in-memory token is TOKEN_SLOT_0.
+    await manager.restoreFromCookies();
+
+    // Simulate a path that DID write storage (legacy/bearer flow). Storage wins.
+    const STORAGE_TOKEN = buildAccessToken({ sessionId: 'sess-storage', userId: 'user-storage', exp: 9999999999 });
+    storage.setItem('oxy_access_token', STORAGE_TOKEN);
+
+    const token = await manager.getAccessToken();
+    expect(token).toBe(STORAGE_TOKEN);
+  });
+});

package/src/index.ts

@@ -67,6 +67,7 @@ export { OxyAppDataIdentifierError } from './mixins/OxyServices.appData';
 // ---------------------------------------------------------------------------
 export type {
     Application,
+    PublicApplication,
     ApplicationMember,
     ApplicationCredential,
     ApplicationRole,
@@ -92,6 +93,24 @@ export type {
     ApplicationSuccessResult,
 } from './mixins/OxyServices.applications';
 
+// ---------------------------------------------------------------------------
+// Workspaces (multi-user containers: membership, roles)
+// ---------------------------------------------------------------------------
+export type {
+    Workspace,
+    WorkspaceMember,
+    WorkspaceRole,
+    WorkspaceType,
+    WorkspaceStatus,
+    WorkspaceMemberStatus,
+    CreateWorkspaceInput,
+    UpdateWorkspaceInput,
+    InviteWorkspaceMemberInput,
+    UpdateWorkspaceMemberInput,
+    TransferWorkspaceOwnershipInput,
+    WorkspaceSuccessResult,
+} from './mixins/OxyServices.workspaces';
+
 // ---------------------------------------------------------------------------
 // Auth helpers (token refresh, error normalisation, retry policies)
 // ---------------------------------------------------------------------------