@rei-standard/amsg-client 2.0.1 → 2.2.0

package/README.md

@@ -38,6 +38,61 @@ await client.scheduleMessage({
 });
 ```
 
+## 发送即时消息
+
+新代码用 `client.sendInstant(payload)`，走 [`@rei-standard/amsg-instant`](https://github.com/Tosd0/ReiStandard/blob/main/packages/rei-standard-amsg/instant/README.md)。
+
+### 加密模式（默认；兼容 amsg-server / amsg-instant 0.1.x）
+
+```js
+const client = new ReiClient({
+  baseUrl: '/api/v1',
+  customBaseUrls: {
+    instant: 'https://instant.example.com',              // 不传则用 baseUrl
+  },
+  userId: '550e8400-e29b-41d4-a716-446655440000',
+});
+
+await client.init();
+
+await client.sendInstant({
+  contactName: 'Rei',
+  completePrompt: '你是 Rei，用一句话提醒用户带伞',
+  apiUrl: 'https://api.openai.com/v1/chat/completions',
+  apiKey: '...',
+  primaryModel: 'gpt-4o-mini',
+  pushSubscription: subscription.toJSON(),
+});
+```
+
+> `customBaseUrls` 是按端点名（如 `instant`）覆盖 `baseUrl` 的通用机制；后续其他端点也可以用同一字段独立指定 base URL，不会再加新的命名字段。
+
+### 明文模式（配 amsg-instant 0.2.x，单租户自部署）
+
+```js
+const client = new ReiClient({
+  baseUrl: 'https://instant.example.com',   // amsg-instant Worker URL
+  instantEncryption: false,
+  instantClientToken: 'shared-secret-xyz',  // 可选；Worker 端配了再填
+});
+
+// init() 在明文模式下是 no-op，调用与否都跑得通
+await client.sendInstant({
+  contactName: 'Rei',
+  completePrompt: '你是 Rei，用一句话提醒用户带伞',
+  apiUrl: 'https://api.openai.com/v1/chat/completions',
+  apiKey: '...',
+  primaryModel: 'gpt-4o-mini',
+  pushSubscription: subscription.toJSON(),
+});
+```
+
+> ⚠️ **`instantClientToken` 是弱共享密钥**：它会随前端 bundle 发出去，devtools 一开就能看到。它只防 URL 直接被脚本小子打，不防有心人。要真正的鉴权，用 amsg-instant 的 `tokenSigningKey`（HMAC JWT，配合后端签发短期 token）。
+
+> ⚠️ **双模式陷阱**：`instantEncryption: false` 时 `init()` 变成 no-op，`scheduleMessage` / `listMessages` / `updateMessage` 这类**仍走加密**的方法会因 `userKey` 没初始化抛 "Not initialised"。如果同一前端既要 `sendInstant`（明文走 amsg-instant）又要 `scheduleMessage`（加密走 amsg-server），请改回 `instantEncryption: true`（默认）—— amsg-instant 0.1.x 与 amsg-server 用同一份 `userKey` 都吃得下。
+
+旧路径 `scheduleMessage({ ...payload, messageType: 'instant' })` 仍然可用（兼容保留，多一次 DB 来回）。
+
 ## 导出 API（Exports）
 
 - `ReiClient`
@@ -46,6 +101,7 @@ await client.scheduleMessage({
 
 - `init()`
 - `scheduleMessage(payload)`
+- `sendInstant(payload)`
 - `updateMessage(uuid, updates)`
 - `cancelMessage(uuid)`
 - `listMessages(opts)`
@@ -61,8 +117,8 @@ await client.scheduleMessage({
 
 - 浏览器环境（需 `fetch`、`crypto.subtle`）
 - Push 订阅需可用 Service Worker 与 Push API
-- 需要可用的 `baseUrl`（示例：`/api/v1`）
-- `userId` 必须是 UUID v4
+- 需要可用的 `baseUrl`（示例：`/api/v1`；明文 instant 模式下可直接是 Worker URL）
+- `userId` 必须是 UUID v4（明文 instant 模式 `instantEncryption: false` 下可省）
 
 ## 相关链接（绝对 URL）
 

package/dist/index.cjs

@@ -28,17 +28,51 @@ var ReiClient = class {
    */
   constructor(config) {
     if (!config || !config.baseUrl) throw new Error("[rei-standard-amsg-client] baseUrl is required");
-    if (!config.userId) throw new Error("[rei-standard-amsg-client] userId is required");
+    const instantEncryption = config.instantEncryption !== false;
+    if (!config.userId && instantEncryption) {
+      throw new Error(
+        "[rei-standard-amsg-client] userId is required (omit only when instantEncryption: false)"
+      );
+    }
     this._baseUrl = config.baseUrl.replace(/\/+$/, "");
-    this._userId = config.userId;
+    this._customBaseUrls = {};
+    if (config.customBaseUrls && typeof config.customBaseUrls === "object") {
+      for (const [name, url] of Object.entries(config.customBaseUrls)) {
+        if (typeof url === "string" && url) {
+          this._customBaseUrls[name] = url.replace(/\/+$/, "");
+        }
+      }
+    }
+    this._userId = config.userId || "";
     this._userKey = null;
+    this._instantEncryption = instantEncryption;
+    this._instantClientToken = typeof config.instantClientToken === "string" && config.instantClientToken ? config.instantClientToken : "";
+  }
+  /**
+   * Resolve the base URL for a given endpoint, falling back to `baseUrl`.
+   *
+   * @private
+   * @param {string} endpointName
+   * @returns {string}
+   */
+  _resolveBaseUrl(endpointName) {
+    return this._customBaseUrls[endpointName] || this._baseUrl;
   }
   // ─── Initialisation ─────────────────────────────────────────────
   /**
    * Fetch the user-specific encryption key.
    * Must be called before any encrypted request.
+   *
+   * In plaintext-instant mode (`instantEncryption: false`) this is a no-op:
+   * `sendInstant()` does not need a userKey. Note that if you also intend to
+   * call `scheduleMessage` / `listMessages` / `updateMessage` (which always
+   * use AES-256-GCM), you must construct with `instantEncryption: true`
+   * (the default) — those methods will throw "Not initialised" otherwise.
    */
   async init() {
+    if (this._instantEncryption === false) {
+      return;
+    }
     const res = await fetch(`${this._baseUrl}/get-user-key`, {
       method: "GET",
       headers: { "X-User-Id": this._userId }
@@ -53,7 +87,14 @@ var ReiClient = class {
   }
   // ─── Public API ─────────────────────────────────────────────────
   /**
-   * Schedule (or instantly send) a message.
+   * Schedule a message.
+   *
+   * Note: For `messageType: 'instant'`, prefer `sendInstant()` instead.
+   * That routes through `@rei-standard/amsg-instant` (stateless, no DB
+   * round-trip) rather than `amsg-server`'s schedule-message endpoint.
+   * This method still works for instant via amsg-server for backward
+   * compatibility — see CHANGELOG / README for details.
+   *
    * The payload is automatically encrypted before transmission.
    *
    * @param {Object} payload - Schedule message payload.
@@ -73,6 +114,58 @@ var ReiClient = class {
     });
     return res.json();
   }
+  /**
+   * Send a one-shot instant message via `@rei-standard/amsg-instant`.
+   *
+   * Compared to `scheduleMessage({ messageType: 'instant', ... })`:
+   *   - No DB round-trip on the server side (stateless)
+   *   - Deployable to Cloudflare Workers / Deno Deploy / Vercel Edge
+   *   - Rejects scheduled-only fields (`firstSendTime`, `recurrenceType`)
+   *
+   * Two transport modes (chosen by constructor `instantEncryption`):
+   *
+   * - **Encrypted (default)** — payload is AES-256-GCM encrypted with the
+   *   `userKey` fetched by `init()`. Compatible with amsg-instant 0.1.x and
+   *   with amsg-server's `schedule-message` instant path. Sends
+   *   `X-User-Id` + `X-Payload-Encrypted: true` + `X-Encryption-Version: 1`.
+   *
+   * - **Plaintext** (`instantEncryption: false`) — payload is sent as raw
+   *   JSON. Targets amsg-instant 0.2.x. Sends `X-Client-Token` if
+   *   `instantClientToken` was configured.
+   *
+   * Routes to `customBaseUrls.instant` if configured, otherwise `baseUrl`.
+   *
+   * @param {Object} payload - Instant message payload.
+   * @param {string} [endpointPath] - Path under the resolved base URL. Default '/instant'.
+   * @param {{ authorization?: string }} [opts] - Optional auth header to forward.
+   * @returns {Promise<Object>} `{ success, data?: { messagesSent, sentAt }, error? }`
+   */
+  async sendInstant(payload, endpointPath = "/instant", opts = {}) {
+    const headers = { "Content-Type": "application/json" };
+    let body;
+    if (this._instantEncryption === false) {
+      body = JSON.stringify(payload);
+      if (this._instantClientToken) {
+        headers["X-Client-Token"] = this._instantClientToken;
+      }
+    } else {
+      const encrypted = await this._encrypt(JSON.stringify(payload));
+      headers["X-User-Id"] = this._userId;
+      headers["X-Payload-Encrypted"] = "true";
+      headers["X-Encryption-Version"] = "1";
+      body = JSON.stringify(encrypted);
+    }
+    if (opts.authorization) {
+      headers["Authorization"] = opts.authorization;
+    }
+    const path = endpointPath.startsWith("/") ? endpointPath : `/${endpointPath}`;
+    const res = await fetch(`${this._resolveBaseUrl("instant")}${path}`, {
+      method: "POST",
+      headers,
+      body
+    });
+    return res.json();
+  }
   /**
    * Update an existing scheduled message.
    *

package/dist/index.d.cts

@@ -1,11 +1,11 @@
 /**
  * ReiStandard Client SDK
- * v2.0.1
  *
  * Lightweight browser client that handles:
- *  - AES-256-GCM encryption using the Web Crypto API
+ *  - AES-256-GCM encryption using the Web Crypto API (for amsg-server's
+ *    schedule path and amsg-instant 0.1.x)
+ *  - Optional plaintext mode for amsg-instant 0.2.x (instantEncryption: false)
  *  - Push subscription management via the Push API
- *  - Convenient request helpers for all 7 endpoints
  *
  * Usage:
  *   import { ReiClient } from '@rei-standard/amsg-client';
@@ -24,8 +24,32 @@
 
 /**
  * @typedef {Object} ReiClientConfig
- * @property {string} baseUrl  - Base URL of the API (e.g. https://host/api/v1).
- * @property {string} userId   - Current user identifier.
+ * @property {string} baseUrl                            - Default base URL of the API (e.g. https://host/api/v1).
+ *                                                         In plaintext-instant mode (`instantEncryption: false`)
+ *                                                         this can be the amsg-instant Worker URL directly.
+ * @property {Record<string, string>} [customBaseUrls]   - Optional per-endpoint base URL overrides.
+ *                                                         Key is the endpoint name (e.g. `instant`); value is
+ *                                                         the base URL to use for that endpoint instead of
+ *                                                         `baseUrl`. Useful when different endpoints live on
+ *                                                         different deployments (e.g. `instant` on Cloudflare
+ *                                                         Workers while the rest run on Netlify). Future
+ *                                                         endpoints (e.g. `schedule`, `messages`) can be
+ *                                                         overridden the same way without an API change.
+ * @property {string} [userId]                           - Current user identifier (UUID v4). Required for the
+ *                                                         encrypted path (default `instantEncryption: true`,
+ *                                                         and for `scheduleMessage` / `listMessages` /
+ *                                                         `updateMessage` always). Can be omitted only when
+ *                                                         `instantEncryption: false` AND you do not call any
+ *                                                         encrypted method.
+ * @property {boolean} [instantEncryption=true]          - When `false`, `sendInstant()` posts plaintext JSON
+ *                                                         to amsg-instant 0.2.x. `init()` becomes a no-op.
+ *                                                         All other methods (`scheduleMessage` etc.) keep
+ *                                                         using AES-256-GCM regardless of this flag.
+ * @property {string} [instantClientToken]               - When set, sent as the `X-Client-Token` header by
+ *                                                         `sendInstant()` in plaintext mode. Note: this is
+ *                                                         a *weak* shared secret — it ships inside any
+ *                                                         frontend bundle that uses it, so devtools can
+ *                                                         read it. Use for casual URL-direct abuse only.
  */
 
 class ReiClient {
@@ -34,14 +58,46 @@ class ReiClient {
    */
   constructor(config) {
     if (!config || !config.baseUrl) throw new Error('[rei-standard-amsg-client] baseUrl is required');
-    if (!config.userId) throw new Error('[rei-standard-amsg-client] userId is required');
+
+    const instantEncryption = config.instantEncryption !== false;
+    if (!config.userId && instantEncryption) {
+      throw new Error(
+        '[rei-standard-amsg-client] userId is required (omit only when instantEncryption: false)'
+      );
+    }
 
     /** @private */
     this._baseUrl = config.baseUrl.replace(/\/+$/, '');
     /** @private */
-    this._userId = config.userId;
+    this._customBaseUrls = {};
+    if (config.customBaseUrls && typeof config.customBaseUrls === 'object') {
+      for (const [name, url] of Object.entries(config.customBaseUrls)) {
+        if (typeof url === 'string' && url) {
+          this._customBaseUrls[name] = url.replace(/\/+$/, '');
+        }
+      }
+    }
+    /** @private */
+    this._userId = config.userId || '';
     /** @private */
     this._userKey = null;
+    /** @private */
+    this._instantEncryption = instantEncryption;
+    /** @private */
+    this._instantClientToken = typeof config.instantClientToken === 'string' && config.instantClientToken
+      ? config.instantClientToken
+      : '';
+  }
+
+  /**
+   * Resolve the base URL for a given endpoint, falling back to `baseUrl`.
+   *
+   * @private
+   * @param {string} endpointName
+   * @returns {string}
+   */
+  _resolveBaseUrl(endpointName) {
+    return this._customBaseUrls[endpointName] || this._baseUrl;
   }
 
   // ─── Initialisation ─────────────────────────────────────────────
@@ -49,8 +105,18 @@ class ReiClient {
   /**
    * Fetch the user-specific encryption key.
    * Must be called before any encrypted request.
+   *
+   * In plaintext-instant mode (`instantEncryption: false`) this is a no-op:
+   * `sendInstant()` does not need a userKey. Note that if you also intend to
+   * call `scheduleMessage` / `listMessages` / `updateMessage` (which always
+   * use AES-256-GCM), you must construct with `instantEncryption: true`
+   * (the default) — those methods will throw "Not initialised" otherwise.
    */
   async init() {
+    if (this._instantEncryption === false) {
+      return;
+    }
+
     const res = await fetch(`${this._baseUrl}/get-user-key`, {
       method: 'GET',
       headers: { 'X-User-Id': this._userId }
@@ -70,7 +136,14 @@ class ReiClient {
   // ─── Public API ─────────────────────────────────────────────────
 
   /**
-   * Schedule (or instantly send) a message.
+   * Schedule a message.
+   *
+   * Note: For `messageType: 'instant'`, prefer `sendInstant()` instead.
+   * That routes through `@rei-standard/amsg-instant` (stateless, no DB
+   * round-trip) rather than `amsg-server`'s schedule-message endpoint.
+   * This method still works for instant via amsg-server for backward
+   * compatibility — see CHANGELOG / README for details.
+   *
    * The payload is automatically encrypted before transmission.
    *
    * @param {Object} payload - Schedule message payload.
@@ -93,6 +166,63 @@ class ReiClient {
     return res.json();
   }
 
+  /**
+   * Send a one-shot instant message via `@rei-standard/amsg-instant`.
+   *
+   * Compared to `scheduleMessage({ messageType: 'instant', ... })`:
+   *   - No DB round-trip on the server side (stateless)
+   *   - Deployable to Cloudflare Workers / Deno Deploy / Vercel Edge
+   *   - Rejects scheduled-only fields (`firstSendTime`, `recurrenceType`)
+   *
+   * Two transport modes (chosen by constructor `instantEncryption`):
+   *
+   * - **Encrypted (default)** — payload is AES-256-GCM encrypted with the
+   *   `userKey` fetched by `init()`. Compatible with amsg-instant 0.1.x and
+   *   with amsg-server's `schedule-message` instant path. Sends
+   *   `X-User-Id` + `X-Payload-Encrypted: true` + `X-Encryption-Version: 1`.
+   *
+   * - **Plaintext** (`instantEncryption: false`) — payload is sent as raw
+   *   JSON. Targets amsg-instant 0.2.x. Sends `X-Client-Token` if
+   *   `instantClientToken` was configured.
+   *
+   * Routes to `customBaseUrls.instant` if configured, otherwise `baseUrl`.
+   *
+   * @param {Object} payload - Instant message payload.
+   * @param {string} [endpointPath] - Path under the resolved base URL. Default '/instant'.
+   * @param {{ authorization?: string }} [opts] - Optional auth header to forward.
+   * @returns {Promise<Object>} `{ success, data?: { messagesSent, sentAt }, error? }`
+   */
+  async sendInstant(payload, endpointPath = '/instant', opts = {}) {
+    const headers = { 'Content-Type': 'application/json' };
+    let body;
+
+    if (this._instantEncryption === false) {
+      body = JSON.stringify(payload);
+      if (this._instantClientToken) {
+        headers['X-Client-Token'] = this._instantClientToken;
+      }
+    } else {
+      const encrypted = await this._encrypt(JSON.stringify(payload));
+      headers['X-User-Id'] = this._userId;
+      headers['X-Payload-Encrypted'] = 'true';
+      headers['X-Encryption-Version'] = '1';
+      body = JSON.stringify(encrypted);
+    }
+
+    if (opts.authorization) {
+      headers['Authorization'] = opts.authorization;
+    }
+
+    const path = endpointPath.startsWith('/') ? endpointPath : `/${endpointPath}`;
+    const res = await fetch(`${this._resolveBaseUrl('instant')}${path}`, {
+      method: 'POST',
+      headers,
+      body
+    });
+
+    return res.json();
+  }
+
   /**
    * Update an existing scheduled message.
    *

package/dist/index.d.ts

@@ -1,11 +1,11 @@
 /**
  * ReiStandard Client SDK
- * v2.0.1
  *
  * Lightweight browser client that handles:
- *  - AES-256-GCM encryption using the Web Crypto API
+ *  - AES-256-GCM encryption using the Web Crypto API (for amsg-server's
+ *    schedule path and amsg-instant 0.1.x)
+ *  - Optional plaintext mode for amsg-instant 0.2.x (instantEncryption: false)
  *  - Push subscription management via the Push API
- *  - Convenient request helpers for all 7 endpoints
  *
  * Usage:
  *   import { ReiClient } from '@rei-standard/amsg-client';
@@ -24,8 +24,32 @@
 
 /**
  * @typedef {Object} ReiClientConfig
- * @property {string} baseUrl  - Base URL of the API (e.g. https://host/api/v1).
- * @property {string} userId   - Current user identifier.
+ * @property {string} baseUrl                            - Default base URL of the API (e.g. https://host/api/v1).
+ *                                                         In plaintext-instant mode (`instantEncryption: false`)
+ *                                                         this can be the amsg-instant Worker URL directly.
+ * @property {Record<string, string>} [customBaseUrls]   - Optional per-endpoint base URL overrides.
+ *                                                         Key is the endpoint name (e.g. `instant`); value is
+ *                                                         the base URL to use for that endpoint instead of
+ *                                                         `baseUrl`. Useful when different endpoints live on
+ *                                                         different deployments (e.g. `instant` on Cloudflare
+ *                                                         Workers while the rest run on Netlify). Future
+ *                                                         endpoints (e.g. `schedule`, `messages`) can be
+ *                                                         overridden the same way without an API change.
+ * @property {string} [userId]                           - Current user identifier (UUID v4). Required for the
+ *                                                         encrypted path (default `instantEncryption: true`,
+ *                                                         and for `scheduleMessage` / `listMessages` /
+ *                                                         `updateMessage` always). Can be omitted only when
+ *                                                         `instantEncryption: false` AND you do not call any
+ *                                                         encrypted method.
+ * @property {boolean} [instantEncryption=true]          - When `false`, `sendInstant()` posts plaintext JSON
+ *                                                         to amsg-instant 0.2.x. `init()` becomes a no-op.
+ *                                                         All other methods (`scheduleMessage` etc.) keep
+ *                                                         using AES-256-GCM regardless of this flag.
+ * @property {string} [instantClientToken]               - When set, sent as the `X-Client-Token` header by
+ *                                                         `sendInstant()` in plaintext mode. Note: this is
+ *                                                         a *weak* shared secret — it ships inside any
+ *                                                         frontend bundle that uses it, so devtools can
+ *                                                         read it. Use for casual URL-direct abuse only.
  */
 
 class ReiClient {
@@ -34,14 +58,46 @@ class ReiClient {
    */
   constructor(config) {
     if (!config || !config.baseUrl) throw new Error('[rei-standard-amsg-client] baseUrl is required');
-    if (!config.userId) throw new Error('[rei-standard-amsg-client] userId is required');
+
+    const instantEncryption = config.instantEncryption !== false;
+    if (!config.userId && instantEncryption) {
+      throw new Error(
+        '[rei-standard-amsg-client] userId is required (omit only when instantEncryption: false)'
+      );
+    }
 
     /** @private */
     this._baseUrl = config.baseUrl.replace(/\/+$/, '');
     /** @private */
-    this._userId = config.userId;
+    this._customBaseUrls = {};
+    if (config.customBaseUrls && typeof config.customBaseUrls === 'object') {
+      for (const [name, url] of Object.entries(config.customBaseUrls)) {
+        if (typeof url === 'string' && url) {
+          this._customBaseUrls[name] = url.replace(/\/+$/, '');
+        }
+      }
+    }
+    /** @private */
+    this._userId = config.userId || '';
     /** @private */
     this._userKey = null;
+    /** @private */
+    this._instantEncryption = instantEncryption;
+    /** @private */
+    this._instantClientToken = typeof config.instantClientToken === 'string' && config.instantClientToken
+      ? config.instantClientToken
+      : '';
+  }
+
+  /**
+   * Resolve the base URL for a given endpoint, falling back to `baseUrl`.
+   *
+   * @private
+   * @param {string} endpointName
+   * @returns {string}
+   */
+  _resolveBaseUrl(endpointName) {
+    return this._customBaseUrls[endpointName] || this._baseUrl;
   }
 
   // ─── Initialisation ─────────────────────────────────────────────
@@ -49,8 +105,18 @@ class ReiClient {
   /**
    * Fetch the user-specific encryption key.
    * Must be called before any encrypted request.
+   *
+   * In plaintext-instant mode (`instantEncryption: false`) this is a no-op:
+   * `sendInstant()` does not need a userKey. Note that if you also intend to
+   * call `scheduleMessage` / `listMessages` / `updateMessage` (which always
+   * use AES-256-GCM), you must construct with `instantEncryption: true`
+   * (the default) — those methods will throw "Not initialised" otherwise.
    */
   async init() {
+    if (this._instantEncryption === false) {
+      return;
+    }
+
     const res = await fetch(`${this._baseUrl}/get-user-key`, {
       method: 'GET',
       headers: { 'X-User-Id': this._userId }
@@ -70,7 +136,14 @@ class ReiClient {
   // ─── Public API ─────────────────────────────────────────────────
 
   /**
-   * Schedule (or instantly send) a message.
+   * Schedule a message.
+   *
+   * Note: For `messageType: 'instant'`, prefer `sendInstant()` instead.
+   * That routes through `@rei-standard/amsg-instant` (stateless, no DB
+   * round-trip) rather than `amsg-server`'s schedule-message endpoint.
+   * This method still works for instant via amsg-server for backward
+   * compatibility — see CHANGELOG / README for details.
+   *
    * The payload is automatically encrypted before transmission.
    *
    * @param {Object} payload - Schedule message payload.
@@ -93,6 +166,63 @@ class ReiClient {
     return res.json();
   }
 
+  /**
+   * Send a one-shot instant message via `@rei-standard/amsg-instant`.
+   *
+   * Compared to `scheduleMessage({ messageType: 'instant', ... })`:
+   *   - No DB round-trip on the server side (stateless)
+   *   - Deployable to Cloudflare Workers / Deno Deploy / Vercel Edge
+   *   - Rejects scheduled-only fields (`firstSendTime`, `recurrenceType`)
+   *
+   * Two transport modes (chosen by constructor `instantEncryption`):
+   *
+   * - **Encrypted (default)** — payload is AES-256-GCM encrypted with the
+   *   `userKey` fetched by `init()`. Compatible with amsg-instant 0.1.x and
+   *   with amsg-server's `schedule-message` instant path. Sends
+   *   `X-User-Id` + `X-Payload-Encrypted: true` + `X-Encryption-Version: 1`.
+   *
+   * - **Plaintext** (`instantEncryption: false`) — payload is sent as raw
+   *   JSON. Targets amsg-instant 0.2.x. Sends `X-Client-Token` if
+   *   `instantClientToken` was configured.
+   *
+   * Routes to `customBaseUrls.instant` if configured, otherwise `baseUrl`.
+   *
+   * @param {Object} payload - Instant message payload.
+   * @param {string} [endpointPath] - Path under the resolved base URL. Default '/instant'.
+   * @param {{ authorization?: string }} [opts] - Optional auth header to forward.
+   * @returns {Promise<Object>} `{ success, data?: { messagesSent, sentAt }, error? }`
+   */
+  async sendInstant(payload, endpointPath = '/instant', opts = {}) {
+    const headers = { 'Content-Type': 'application/json' };
+    let body;
+
+    if (this._instantEncryption === false) {
+      body = JSON.stringify(payload);
+      if (this._instantClientToken) {
+        headers['X-Client-Token'] = this._instantClientToken;
+      }
+    } else {
+      const encrypted = await this._encrypt(JSON.stringify(payload));
+      headers['X-User-Id'] = this._userId;
+      headers['X-Payload-Encrypted'] = 'true';
+      headers['X-Encryption-Version'] = '1';
+      body = JSON.stringify(encrypted);
+    }
+
+    if (opts.authorization) {
+      headers['Authorization'] = opts.authorization;
+    }
+
+    const path = endpointPath.startsWith('/') ? endpointPath : `/${endpointPath}`;
+    const res = await fetch(`${this._resolveBaseUrl('instant')}${path}`, {
+      method: 'POST',
+      headers,
+      body
+    });
+
+    return res.json();
+  }
+
   /**
    * Update an existing scheduled message.
    *

package/dist/index.mjs

@@ -5,17 +5,51 @@ var ReiClient = class {
    */
   constructor(config) {
     if (!config || !config.baseUrl) throw new Error("[rei-standard-amsg-client] baseUrl is required");
-    if (!config.userId) throw new Error("[rei-standard-amsg-client] userId is required");
+    const instantEncryption = config.instantEncryption !== false;
+    if (!config.userId && instantEncryption) {
+      throw new Error(
+        "[rei-standard-amsg-client] userId is required (omit only when instantEncryption: false)"
+      );
+    }
     this._baseUrl = config.baseUrl.replace(/\/+$/, "");
-    this._userId = config.userId;
+    this._customBaseUrls = {};
+    if (config.customBaseUrls && typeof config.customBaseUrls === "object") {
+      for (const [name, url] of Object.entries(config.customBaseUrls)) {
+        if (typeof url === "string" && url) {
+          this._customBaseUrls[name] = url.replace(/\/+$/, "");
+        }
+      }
+    }
+    this._userId = config.userId || "";
     this._userKey = null;
+    this._instantEncryption = instantEncryption;
+    this._instantClientToken = typeof config.instantClientToken === "string" && config.instantClientToken ? config.instantClientToken : "";
+  }
+  /**
+   * Resolve the base URL for a given endpoint, falling back to `baseUrl`.
+   *
+   * @private
+   * @param {string} endpointName
+   * @returns {string}
+   */
+  _resolveBaseUrl(endpointName) {
+    return this._customBaseUrls[endpointName] || this._baseUrl;
   }
   // ─── Initialisation ─────────────────────────────────────────────
   /**
    * Fetch the user-specific encryption key.
    * Must be called before any encrypted request.
+   *
+   * In plaintext-instant mode (`instantEncryption: false`) this is a no-op:
+   * `sendInstant()` does not need a userKey. Note that if you also intend to
+   * call `scheduleMessage` / `listMessages` / `updateMessage` (which always
+   * use AES-256-GCM), you must construct with `instantEncryption: true`
+   * (the default) — those methods will throw "Not initialised" otherwise.
    */
   async init() {
+    if (this._instantEncryption === false) {
+      return;
+    }
     const res = await fetch(`${this._baseUrl}/get-user-key`, {
       method: "GET",
       headers: { "X-User-Id": this._userId }
@@ -30,7 +64,14 @@ var ReiClient = class {
   }
   // ─── Public API ─────────────────────────────────────────────────
   /**
-   * Schedule (or instantly send) a message.
+   * Schedule a message.
+   *
+   * Note: For `messageType: 'instant'`, prefer `sendInstant()` instead.
+   * That routes through `@rei-standard/amsg-instant` (stateless, no DB
+   * round-trip) rather than `amsg-server`'s schedule-message endpoint.
+   * This method still works for instant via amsg-server for backward
+   * compatibility — see CHANGELOG / README for details.
+   *
    * The payload is automatically encrypted before transmission.
    *
    * @param {Object} payload - Schedule message payload.
@@ -50,6 +91,58 @@ var ReiClient = class {
     });
     return res.json();
   }
+  /**
+   * Send a one-shot instant message via `@rei-standard/amsg-instant`.
+   *
+   * Compared to `scheduleMessage({ messageType: 'instant', ... })`:
+   *   - No DB round-trip on the server side (stateless)
+   *   - Deployable to Cloudflare Workers / Deno Deploy / Vercel Edge
+   *   - Rejects scheduled-only fields (`firstSendTime`, `recurrenceType`)
+   *
+   * Two transport modes (chosen by constructor `instantEncryption`):
+   *
+   * - **Encrypted (default)** — payload is AES-256-GCM encrypted with the
+   *   `userKey` fetched by `init()`. Compatible with amsg-instant 0.1.x and
+   *   with amsg-server's `schedule-message` instant path. Sends
+   *   `X-User-Id` + `X-Payload-Encrypted: true` + `X-Encryption-Version: 1`.
+   *
+   * - **Plaintext** (`instantEncryption: false`) — payload is sent as raw
+   *   JSON. Targets amsg-instant 0.2.x. Sends `X-Client-Token` if
+   *   `instantClientToken` was configured.
+   *
+   * Routes to `customBaseUrls.instant` if configured, otherwise `baseUrl`.
+   *
+   * @param {Object} payload - Instant message payload.
+   * @param {string} [endpointPath] - Path under the resolved base URL. Default '/instant'.
+   * @param {{ authorization?: string }} [opts] - Optional auth header to forward.
+   * @returns {Promise<Object>} `{ success, data?: { messagesSent, sentAt }, error? }`
+   */
+  async sendInstant(payload, endpointPath = "/instant", opts = {}) {
+    const headers = { "Content-Type": "application/json" };
+    let body;
+    if (this._instantEncryption === false) {
+      body = JSON.stringify(payload);
+      if (this._instantClientToken) {
+        headers["X-Client-Token"] = this._instantClientToken;
+      }
+    } else {
+      const encrypted = await this._encrypt(JSON.stringify(payload));
+      headers["X-User-Id"] = this._userId;
+      headers["X-Payload-Encrypted"] = "true";
+      headers["X-Encryption-Version"] = "1";
+      body = JSON.stringify(encrypted);
+    }
+    if (opts.authorization) {
+      headers["Authorization"] = opts.authorization;
+    }
+    const path = endpointPath.startsWith("/") ? endpointPath : `/${endpointPath}`;
+    const res = await fetch(`${this._resolveBaseUrl("instant")}${path}`, {
+      method: "POST",
+      headers,
+      body
+    });
+    return res.json();
+  }
   /**
    * Update an existing scheduled message.
    *

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rei-standard/amsg-client",
-  "version": "2.0.1",
+  "version": "2.2.0",
   "description": "ReiStandard Active Messaging browser client SDK",
   "repository": {
     "type": "git",