@proveanything/smartlinks 1.13.4 → 1.13.6

package/dist/api/asset.d.ts

@@ -110,6 +110,10 @@ export declare namespace asset {
     /**
      * Request a single-use upload token for a public (unauthenticated) upload.
      * The token encodes the upload policy (allowed types, max size, review requirement).
+      *
+      * Policy source: collection-scoped app config at
+      * `sites/{collectionId}/apps/{appId}` (`uploadPolicy` key).
+      * Global `apps/{appId}` config is not used for this endpoint.
      *
      * @example
      * ```typescript

package/dist/api/asset.js

@@ -9,9 +9,20 @@ var __rest = (this && this.__rest) || function (s, e) {
         }
     return t;
 };
-import { request, post, put, del, getApiHeaders, isProxyEnabled, proxyUploadFormData } from "../http";
+import { request, post, put, del, getApiHeaders, getBaseURL, isProxyEnabled, proxyUploadFormData } from "../http";
 export var asset;
 (function (asset) {
+    function resolveApiUrl(path) {
+        const configuredBase = getBaseURL();
+        if (configuredBase) {
+            return `${configuredBase}${path}`;
+        }
+        // Backward compatibility for legacy browser integrations that set a global base URL.
+        if (typeof window !== 'undefined' && window.SMARTLINKS_API_BASEURL) {
+            return `${window.SMARTLINKS_API_BASEURL}${path}`;
+        }
+        throw new Error('HTTP client is not initialized. Call initializeApi(...) first.');
+    }
     /**
      * Error type for asset uploads
      */
@@ -55,9 +66,7 @@ export var asset;
             formData.append("metadata", JSON.stringify(options.metadata));
         // If progress callback provided and NOT in proxy mode, use XHR for progress events (browser-only)
         if (options.onProgress && typeof window !== "undefined" && !isProxyEnabled()) {
-            const url = (typeof window !== "undefined" && window.SMARTLINKS_API_BASEURL)
-                ? window.SMARTLINKS_API_BASEURL + path
-                : path;
+            const url = resolveApiUrl(path);
             const headers = getApiHeaders ? getApiHeaders() : {};
             return new Promise((resolve, reject) => {
                 const xhr = new XMLHttpRequest();
@@ -346,9 +355,7 @@ export var asset;
         const formData = new FormData();
         formData.append('file', options.file);
         if (options.onProgress && typeof window !== 'undefined' && !isProxyEnabled()) {
-            const url = (typeof window !== 'undefined' && window.SMARTLINKS_API_BASEURL)
-                ? window.SMARTLINKS_API_BASEURL + path
-                : path;
+            const url = resolveApiUrl(path);
             const headers = getApiHeaders ? getApiHeaders() : {};
             return new Promise((resolve, reject) => {
                 const xhr = new XMLHttpRequest();
@@ -424,6 +431,10 @@ export var asset;
     /**
      * Request a single-use upload token for a public (unauthenticated) upload.
      * The token encodes the upload policy (allowed types, max size, review requirement).
+      *
+      * Policy source: collection-scoped app config at
+      * `sites/{collectionId}/apps/{appId}` (`uploadPolicy` key).
+      * Global `apps/{appId}` config is not used for this endpoint.
      *
      * @example
      * ```typescript
@@ -465,9 +476,7 @@ export var asset;
         if (options.metadata)
             formData.append('metadata', JSON.stringify(options.metadata));
         if (options.onProgress && typeof window !== 'undefined' && !isProxyEnabled()) {
-            const baseUrl = (typeof window !== 'undefined' && window.SMARTLINKS_API_BASEURL)
-                ? window.SMARTLINKS_API_BASEURL + path
-                : path;
+            const baseUrl = resolveApiUrl(path);
             const headers = Object.assign(Object.assign({}, getApiHeaders()), { 'X-Upload-Token': options.tokenId });
             return new Promise((resolve, reject) => {
                 const xhr = new XMLHttpRequest();
@@ -504,9 +513,7 @@ export var asset;
         }
         // Pass the token as a header via a custom fetch; post() doesn't accept extra headers,
         // so we build the request manually using the same base URL resolution.
-        const baseUrl = (typeof window !== 'undefined' && window.SMARTLINKS_API_BASEURL)
-            ? window.SMARTLINKS_API_BASEURL + path
-            : path;
+        const baseUrl = resolveApiUrl(path);
         const headers = Object.assign(Object.assign({}, getApiHeaders()), { 'X-Upload-Token': options.tokenId });
         const response = await fetch(baseUrl, { method: 'POST', headers, body: formData });
         if (!response.ok) {

package/dist/api/realtime.js

@@ -75,7 +75,7 @@ export async function getPublicToken(params) {
     if (params.appId) {
         queryParams.append('appId', params.appId);
     }
-    return request(`/api/public/push/token?${queryParams.toString()}`);
+    return request(`/public/push/token?${queryParams.toString()}`);
 }
 /**
  * Get an Ably token for admin real-time communication.
@@ -109,5 +109,5 @@ export async function getPublicToken(params) {
  * ```
  */
 export async function getAdminToken() {
-    return request('/api/admin/auth/push');
+    return request('/admin/auth/push');
 }

package/dist/docs/API_SUMMARY.md

@@ -1,6 +1,6 @@
 # Smartlinks API Summary
 
-Version: 1.13.4  |  Generated: 2026-05-09T09:51:34.841Z
+Version: 1.13.6  |  Generated: 2026-05-09T13:35:50.729Z
 
 This is a concise summary of all available API functions and types.
 
@@ -2472,10 +2472,25 @@ interface BulkDeleteAssetsOptions {
 }
 ```
 
+**UploadPolicyConfig** (interface)
+```typescript
+interface UploadPolicyConfig {
+  enabled: boolean
+  requireLevel?: 'anonymous' | 'contact' | 'owner'
+  allowedMimeTypes?: string[]
+  maxFileSizeBytes?: number
+  reviewRequired?: boolean
+  tokenTtlSeconds?: number
+  maxUsesPerToken?: number
+}
+```
+
 **RequestUploadTokenOptions** (interface)
 ```typescript
 interface RequestUploadTokenOptions {
   collectionId: string
+  * App ID whose collection-scoped config provides `uploadPolicy`.
+  * Resolved from `sites/{collectionId}/apps/{appId}`.
   appId: string
   contactId?: string
   productId?: string
@@ -7797,7 +7812,7 @@ Restore a soft-deleted asset (clears `deletedAt`).
 Soft-delete multiple assets in one request.
 
 **requestUploadToken**(options: RequestUploadTokenOptions) → `Promise<UploadTokenResponse>`
-Request a single-use upload token for a public (unauthenticated) upload. The token encodes the upload policy (allowed types, max size, review requirement). ```typescript const { tokenId, policy } = await asset.requestUploadToken({ collectionId: 'my-collection', appId: 'user-gallery', contactId: contact.id, }) const uploaded = await asset.publicUploadWithToken({ collectionId: 'my-collection', tokenId, file: selectedFile, }) ```
+Request a single-use upload token for a public (unauthenticated) upload. The token encodes the upload policy (allowed types, max size, review requirement). Policy source: collection-scoped app config at `sites/{collectionId}/apps/{appId}` (`uploadPolicy` key). Global `apps/{appId}` config is not used for this endpoint. ```typescript const { tokenId, policy } = await asset.requestUploadToken({ collectionId: 'my-collection', appId: 'user-gallery', contactId: contact.id, }) const uploaded = await asset.publicUploadWithToken({ collectionId: 'my-collection', tokenId, file: selectedFile, }) ```
 
 **publicUploadWithToken**(options: PublicTokenUploadOptions) → `Promise<Asset>`
 Upload a file using a single-use upload token (no admin auth required). Assets are created with `status: 'pending_review'` when the token policy has `reviewRequired: true`.

package/dist/docs/assets.md

@@ -249,6 +249,32 @@ For anonymous or contact-initiated uploads from the portal — no admin auth req
 
 ### 1. Request an upload token
 
+```
+POST /api/public/collection/:collectionId/asset/token
+```
+
+Policy source (important):
+
+- Public upload policy is resolved from the collection-scoped app config at `sites/{collectionId}/apps/{appId}`.
+- Global app config (`apps/{appId}`) is not used for this endpoint.
+- SDKs/clients that provision app config should save `uploadPolicy` on the collection app document.
+
+Expected app config shape:
+
+```typescript
+{
+  uploadPolicy: {
+    enabled: boolean
+    requireLevel?: 'anonymous' | 'contact' | 'owner'
+    allowedMimeTypes?: string[]
+    maxFileSizeBytes?: number
+    reviewRequired?: boolean
+    tokenTtlSeconds?: number
+    maxUsesPerToken?: number
+  }
+}
+```
+
 ```typescript
 const { tokenId, expiresAt, policy } = await Api.asset.requestUploadToken({
   collectionId: 'my-collection',

package/dist/openapi.yaml

@@ -57,6 +57,27 @@ tags:
 security:
   - bearerAuth: []
 paths:
+  /admin/auth/push:
+    get:
+      tags:
+        - realtime
+      summary: Get an Ably token for admin real-time communication.
+      operationId: realtime_getAdminToken
+      security:
+        - bearerAuth: []
+      responses:
+        200:
+          description: Success
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/AblyTokenRequest"
+        400:
+          description: Bad request
+        401:
+          description: Unauthorized
+        404:
+          description: Not found
   /admin/auth/requestJWT:
     post:
       tags:
@@ -7835,57 +7856,6 @@ paths:
           application/json:
             schema:
               $ref: "#/components/schemas/TranslationUpdateRequest"
-  /api/admin/auth/push:
-    get:
-      tags:
-        - realtime
-      summary: Get an Ably token for admin real-time communication.
-      operationId: realtime_getAdminToken
-      security: []
-      responses:
-        200:
-          description: Success
-          content:
-            application/json:
-              schema:
-                $ref: "#/components/schemas/AblyTokenRequest"
-        400:
-          description: Bad request
-        401:
-          description: Unauthorized
-        404:
-          description: Not found
-  /api/public/push/token:
-    get:
-      tags:
-        - realtime
-      summary: realtime.getPublicToken
-      operationId: realtime_getPublicToken
-      security: []
-      parameters:
-        - name: collectionId
-          in: query
-          required: false
-          schema:
-            type: string
-        - name: appId
-          in: query
-          required: false
-          schema:
-            type: string
-      responses:
-        200:
-          description: Success
-          content:
-            application/json:
-              schema:
-                $ref: "#/components/schemas/AblyTokenRequest"
-        400:
-          description: Bad request
-        401:
-          description: Unauthorized
-        404:
-          description: Not found
   /authKit/{authKitId}/config:
     get:
       tags:
@@ -11840,6 +11810,37 @@ paths:
           application/json:
             schema:
               $ref: "#/components/schemas/NfcValidateRequest"
+  /public/push/token:
+    get:
+      tags:
+        - realtime
+      summary: realtime.getPublicToken
+      operationId: realtime_getPublicToken
+      security: []
+      parameters:
+        - name: collectionId
+          in: query
+          required: false
+          schema:
+            type: string
+        - name: appId
+          in: query
+          required: false
+          schema:
+            type: string
+      responses:
+        200:
+          description: Success
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/AblyTokenRequest"
+        400:
+          description: Bad request
+        401:
+          description: Unauthorized
+        404:
+          description: Not found
   /public/qr/lookupShortCode/{shortId}/{code}:
     get:
       tags:
@@ -16825,6 +16826,31 @@ components:
       required:
         - collectionId
         - assetIds
+    UploadPolicyConfig:
+      type: object
+      properties:
+        enabled:
+          type: boolean
+        requireLevel:
+          type: string
+          enum:
+            - anonymous
+            - contact
+            - owner
+        allowedMimeTypes:
+          type: array
+          items:
+            type: string
+        maxFileSizeBytes:
+          type: number
+        reviewRequired:
+          type: boolean
+        tokenTtlSeconds:
+          type: number
+        maxUsesPerToken:
+          type: number
+      required:
+        - enabled
     RequestUploadTokenOptions:
       type: object
       properties:

package/dist/types/asset.d.ts

@@ -253,8 +253,27 @@ export interface BulkDeleteAssetsOptions {
     assetIds: string[];
     graceDays?: number;
 }
+/**
+ * Collection-scoped app config policy used by `requestUploadToken`.
+ *
+ * Important: this policy is read from `sites/{collectionId}/apps/{appId}`
+ * (collection app config), not from global `apps/{appId}` config.
+ */
+export interface UploadPolicyConfig {
+    enabled: boolean;
+    requireLevel?: 'anonymous' | 'contact' | 'owner';
+    allowedMimeTypes?: string[];
+    maxFileSizeBytes?: number;
+    reviewRequired?: boolean;
+    tokenTtlSeconds?: number;
+    maxUsesPerToken?: number;
+}
 export interface RequestUploadTokenOptions {
     collectionId: string;
+    /**
+     * App ID whose collection-scoped config provides `uploadPolicy`.
+     * Resolved from `sites/{collectionId}/apps/{appId}`.
+     */
     appId: string;
     /** Required when the app policy requireLevel is 'contact' */
     contactId?: string;

package/docs/API_SUMMARY.md

@@ -1,6 +1,6 @@
 # Smartlinks API Summary
 
-Version: 1.13.4  |  Generated: 2026-05-09T09:51:34.841Z
+Version: 1.13.6  |  Generated: 2026-05-09T13:35:50.729Z
 
 This is a concise summary of all available API functions and types.
 
@@ -2472,10 +2472,25 @@ interface BulkDeleteAssetsOptions {
 }
 ```
 
+**UploadPolicyConfig** (interface)
+```typescript
+interface UploadPolicyConfig {
+  enabled: boolean
+  requireLevel?: 'anonymous' | 'contact' | 'owner'
+  allowedMimeTypes?: string[]
+  maxFileSizeBytes?: number
+  reviewRequired?: boolean
+  tokenTtlSeconds?: number
+  maxUsesPerToken?: number
+}
+```
+
 **RequestUploadTokenOptions** (interface)
 ```typescript
 interface RequestUploadTokenOptions {
   collectionId: string
+  * App ID whose collection-scoped config provides `uploadPolicy`.
+  * Resolved from `sites/{collectionId}/apps/{appId}`.
   appId: string
   contactId?: string
   productId?: string
@@ -7797,7 +7812,7 @@ Restore a soft-deleted asset (clears `deletedAt`).
 Soft-delete multiple assets in one request.
 
 **requestUploadToken**(options: RequestUploadTokenOptions) → `Promise<UploadTokenResponse>`
-Request a single-use upload token for a public (unauthenticated) upload. The token encodes the upload policy (allowed types, max size, review requirement). ```typescript const { tokenId, policy } = await asset.requestUploadToken({ collectionId: 'my-collection', appId: 'user-gallery', contactId: contact.id, }) const uploaded = await asset.publicUploadWithToken({ collectionId: 'my-collection', tokenId, file: selectedFile, }) ```
+Request a single-use upload token for a public (unauthenticated) upload. The token encodes the upload policy (allowed types, max size, review requirement). Policy source: collection-scoped app config at `sites/{collectionId}/apps/{appId}` (`uploadPolicy` key). Global `apps/{appId}` config is not used for this endpoint. ```typescript const { tokenId, policy } = await asset.requestUploadToken({ collectionId: 'my-collection', appId: 'user-gallery', contactId: contact.id, }) const uploaded = await asset.publicUploadWithToken({ collectionId: 'my-collection', tokenId, file: selectedFile, }) ```
 
 **publicUploadWithToken**(options: PublicTokenUploadOptions) → `Promise<Asset>`
 Upload a file using a single-use upload token (no admin auth required). Assets are created with `status: 'pending_review'` when the token policy has `reviewRequired: true`.

package/docs/assets.md

@@ -249,6 +249,32 @@ For anonymous or contact-initiated uploads from the portal — no admin auth req
 
 ### 1. Request an upload token
 
+```
+POST /api/public/collection/:collectionId/asset/token
+```
+
+Policy source (important):
+
+- Public upload policy is resolved from the collection-scoped app config at `sites/{collectionId}/apps/{appId}`.
+- Global app config (`apps/{appId}`) is not used for this endpoint.
+- SDKs/clients that provision app config should save `uploadPolicy` on the collection app document.
+
+Expected app config shape:
+
+```typescript
+{
+  uploadPolicy: {
+    enabled: boolean
+    requireLevel?: 'anonymous' | 'contact' | 'owner'
+    allowedMimeTypes?: string[]
+    maxFileSizeBytes?: number
+    reviewRequired?: boolean
+    tokenTtlSeconds?: number
+    maxUsesPerToken?: number
+  }
+}
+```
+
 ```typescript
 const { tokenId, expiresAt, policy } = await Api.asset.requestUploadToken({
   collectionId: 'my-collection',

package/openapi.yaml

@@ -57,6 +57,27 @@ tags:
 security:
   - bearerAuth: []
 paths:
+  /admin/auth/push:
+    get:
+      tags:
+        - realtime
+      summary: Get an Ably token for admin real-time communication.
+      operationId: realtime_getAdminToken
+      security:
+        - bearerAuth: []
+      responses:
+        200:
+          description: Success
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/AblyTokenRequest"
+        400:
+          description: Bad request
+        401:
+          description: Unauthorized
+        404:
+          description: Not found
   /admin/auth/requestJWT:
     post:
       tags:
@@ -7835,57 +7856,6 @@ paths:
           application/json:
             schema:
               $ref: "#/components/schemas/TranslationUpdateRequest"
-  /api/admin/auth/push:
-    get:
-      tags:
-        - realtime
-      summary: Get an Ably token for admin real-time communication.
-      operationId: realtime_getAdminToken
-      security: []
-      responses:
-        200:
-          description: Success
-          content:
-            application/json:
-              schema:
-                $ref: "#/components/schemas/AblyTokenRequest"
-        400:
-          description: Bad request
-        401:
-          description: Unauthorized
-        404:
-          description: Not found
-  /api/public/push/token:
-    get:
-      tags:
-        - realtime
-      summary: realtime.getPublicToken
-      operationId: realtime_getPublicToken
-      security: []
-      parameters:
-        - name: collectionId
-          in: query
-          required: false
-          schema:
-            type: string
-        - name: appId
-          in: query
-          required: false
-          schema:
-            type: string
-      responses:
-        200:
-          description: Success
-          content:
-            application/json:
-              schema:
-                $ref: "#/components/schemas/AblyTokenRequest"
-        400:
-          description: Bad request
-        401:
-          description: Unauthorized
-        404:
-          description: Not found
   /authKit/{authKitId}/config:
     get:
       tags:
@@ -11840,6 +11810,37 @@ paths:
           application/json:
             schema:
               $ref: "#/components/schemas/NfcValidateRequest"
+  /public/push/token:
+    get:
+      tags:
+        - realtime
+      summary: realtime.getPublicToken
+      operationId: realtime_getPublicToken
+      security: []
+      parameters:
+        - name: collectionId
+          in: query
+          required: false
+          schema:
+            type: string
+        - name: appId
+          in: query
+          required: false
+          schema:
+            type: string
+      responses:
+        200:
+          description: Success
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/AblyTokenRequest"
+        400:
+          description: Bad request
+        401:
+          description: Unauthorized
+        404:
+          description: Not found
   /public/qr/lookupShortCode/{shortId}/{code}:
     get:
       tags:
@@ -16825,6 +16826,31 @@ components:
       required:
         - collectionId
         - assetIds
+    UploadPolicyConfig:
+      type: object
+      properties:
+        enabled:
+          type: boolean
+        requireLevel:
+          type: string
+          enum:
+            - anonymous
+            - contact
+            - owner
+        allowedMimeTypes:
+          type: array
+          items:
+            type: string
+        maxFileSizeBytes:
+          type: number
+        reviewRequired:
+          type: boolean
+        tokenTtlSeconds:
+          type: number
+        maxUsesPerToken:
+          type: number
+      required:
+        - enabled
     RequestUploadTokenOptions:
       type: object
       properties:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@proveanything/smartlinks",
-  "version": "1.13.4",
+  "version": "1.13.6",
   "description": "Official JavaScript/TypeScript SDK for the Smartlinks API",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",