@relipay/node 0.1.0-beta.0

package/dist/index.js

@@ -0,0 +1,681 @@
+/**
+ * @relipay/node — server SDK for ReliPay.
+ *
+ * One client instance per Application. Construct with the Application's
+ * secret key (`rp_live_…` or `rp_test_…`) and the URL of your ReliPay
+ * deployment. Never ship the secret key to the browser — for browser code
+ * use `@relipay/react` with the Application's public key instead.
+ *
+ * @example Smoke-test your credentials
+ * ```ts
+ * import { ReliPay } from "@relipay/node";
+ *
+ * const relipay = new ReliPay({
+ *   apiUrl: process.env.RELIPAY_URL!,
+ *   secretKey: process.env.RELIPAY_SECRET!,
+ * });
+ *
+ * const me = await relipay.applications.me();
+ * console.log(`Connected to "${me.name}" (${me.slug})`);
+ * ```
+ */
+/**
+ * An error thrown by the ReliPay SDK. Always carries a stable `code` and
+ * (when the server provided one) a concrete `fix` field. **Read `error.fix`
+ * first** when debugging — it is by far the most actionable piece of data.
+ */
+export class RelipayError extends Error {
+    code;
+    fix;
+    docs;
+    statusCode;
+    /** Server-assigned request id — share with support to look up the matching log entry. */
+    requestId;
+    constructor(error) {
+        super(error.message);
+        this.name = 'RelipayError';
+        this.code = error.code;
+        this.fix = error.fix;
+        this.docs = error.docs;
+        this.statusCode = error.statusCode;
+        this.requestId = error.requestId;
+    }
+}
+/**
+ * Top-level ReliPay client. Auth and billing live as namespaces
+ * (`relipay.applications`, `relipay.auth`, `relipay.billing`) so an agent
+ * reading `relipay.` in an editor sees a discoverable surface.
+ */
+export class ReliPay {
+    apiUrl;
+    secretKey;
+    fetchImpl;
+    /** Operations on the calling Application itself. */
+    applications;
+    /** Auth operations — sign-in, sign-up, sessions, passkeys, magic-link. */
+    auth;
+    /** Billing operations — plans, checkout, subscriptions, coupons. */
+    billing;
+    /** End-user organizations — create, invite, members, role changes. */
+    organizations;
+    /** License key verification + activation. */
+    licenses;
+    /** Usage metering — record events, aggregate windows. */
+    usage;
+    /** Prepaid credits — balance reads, idempotent drawdown, ledger. */
+    credits;
+    constructor(config) {
+        if (!config.apiUrl) {
+            throw new RelipayError({
+                code: 'CONFIG_MISSING_API_URL',
+                message: 'ReliPay client requires `apiUrl`.',
+                fix: 'Pass `apiUrl: process.env.RELIPAY_URL` when constructing the client.',
+            });
+        }
+        if (!config.secretKey || !config.secretKey.startsWith('rp_')) {
+            throw new RelipayError({
+                code: 'CONFIG_INVALID_SECRET_KEY',
+                message: 'ReliPay client requires a valid `secretKey` (starts with `rp_`).',
+                fix: 'Get a key from the ReliPay panel under Application → API Keys, then pass it as `secretKey`.',
+            });
+        }
+        this.apiUrl = config.apiUrl.replace(/\/$/, '');
+        this.secretKey = config.secretKey;
+        this.fetchImpl = config.fetch ?? fetch;
+        this.applications = new ApplicationsClient(this);
+        this.auth = new AuthClient(this);
+        this.billing = new BillingClient(this);
+        this.organizations = new OrganizationsClient(this);
+        this.licenses = new LicensesClient(this);
+        this.usage = new UsageClient(this);
+        this.credits = new CreditsClient(this);
+    }
+    /** @internal */
+    async request(method, path, body, extraHeaders) {
+        const res = await this.fetchImpl(`${this.apiUrl}${path}`, {
+            method,
+            headers: {
+                Authorization: `Bearer ${this.secretKey}`,
+                ...(body !== undefined ? { 'Content-Type': 'application/json' } : {}),
+                ...extraHeaders,
+            },
+            ...(body !== undefined ? { body: JSON.stringify(body) } : {}),
+        });
+        const json = (await res.json().catch(() => ({})));
+        if (!res.ok || ('success' in json && json.success === false)) {
+            const requestId = res.headers.get('x-request-id') ?? undefined;
+            const err = 'error' in json
+                ? json.error
+                : {
+                    code: 'UNKNOWN_ERROR',
+                    message: `Request failed with status ${res.status}.`,
+                    fix: 'Check the ReliPay API logs for the matching request id.',
+                };
+            const resolvedRequestId = ('requestId' in err && err.requestId) || requestId;
+            throw new RelipayError({
+                ...err,
+                statusCode: res.status,
+                ...(resolvedRequestId !== undefined && { requestId: resolvedRequestId }),
+            });
+        }
+        return json.data;
+    }
+}
+class ApplicationsClient {
+    client;
+    constructor(client) {
+        this.client = client;
+    }
+    /**
+     * Verify credentials and fetch the calling Application. Use this as your
+     * SDK smoke test — if it returns, your secret key is good and you're
+     * pointed at the right ReliPay deployment.
+     *
+     * @example
+     * ```ts
+     * const me = await relipay.applications.me();
+     * console.log(`Connected to "${me.name}" (${me.slug})`);
+     * ```
+     *
+     * @throws {RelipayError} with `code: "API_KEY_INVALID"` if the key is wrong/revoked/expired.
+     */
+    me() {
+        return this.client.request('GET', '/api/v1/me/');
+    }
+}
+class AuthClient {
+    client;
+    constructor(client) {
+        this.client = client;
+    }
+    /**
+     * Create a new end-user in the calling Application via email + password.
+     * Returns the user and a JWT to use for subsequent per-user calls
+     * (e.g. `getCurrentUser(token)`).
+     *
+     * @example
+     * ```ts
+     * const { endUser, token } = await relipay.auth.signUp({
+     *   email: 'alice@example.com',
+     *   password: 'correct-horse-battery-staple',
+     * });
+     * // store token in your session, return it to the browser, etc.
+     * ```
+     *
+     * @throws {RelipayError} `EMAIL_ALREADY_EXISTS` (409) if the email is taken in this Application.
+     * @throws {RelipayError} `PASSWORD_TOO_SHORT` (400) if shorter than the Application's `passwordMinLength`.
+     * @throws {RelipayError} `AUTH_METHOD_DISABLED` (400) if the Application doesn't have `"password"` enabled.
+     */
+    signUp(input) {
+        return this.client.request('POST', '/api/v1/auth/sign-up', input);
+    }
+    /**
+     * Authenticate an existing end-user with email + password.
+     *
+     * Returns a discriminated union over `mfaRequired`:
+     *   - `mfaRequired === false` → full `AuthResultDto` with access+refresh.
+     *   - `mfaRequired === true`  → `mfaChallengeToken` (5-minute lifetime).
+     *     Prompt the user for their TOTP / backup code and call
+     *     `mfaVerify({ mfaChallengeToken, code })` to receive a real session.
+     *
+     * **Branch on `result.mfaRequired` before reading `accessToken`** — the
+     * MFA-required branch has no session tokens.
+     *
+     * @throws {RelipayError} `INVALID_CREDENTIALS` (401) — single code on purpose.
+     *   Don't try to distinguish wrong-email from wrong-password from the SDK side either.
+     */
+    signIn(input) {
+        return this.client.request('POST', '/api/v1/auth/sign-in', input);
+    }
+    /**
+     * Exchange an MFA challenge token + TOTP/backup code for a real session.
+     * Use after `signIn` (or OAuth callback) returns `mfaRequired: true`.
+     *
+     * @throws {RelipayError} `MFA_CHALLENGE_INVALID` (401) if the token is
+     *   forged, expired, or signed with a different secret.
+     * @throws {RelipayError} `MFA_CHALLENGE_WRONG_APPLICATION` (401) if the
+     *   token was issued under a different Application.
+     * @throws {RelipayError} `MFA_CODE_INVALID` (401) if the code doesn't
+     *   verify against the user's TOTP secret or remaining backup codes.
+     */
+    mfaVerify(input) {
+        return this.client.request('POST', '/api/v1/auth/mfa-verify', input);
+    }
+    /**
+     * Request a magic-link sign-in email. Enumeration-safe: same response
+     * shape whether the email exists or not. When the Application has
+     * email transport configured, the link is sent and `magicLinkToken`
+     * is null; otherwise the raw token is returned for you to forward.
+     */
+    requestMagicLink(input) {
+        return this.client.request('POST', '/api/v1/auth/magic-link/request', input);
+    }
+    /**
+     * Consume a magic-link token. Returns `SignInOutcome` — branch on
+     * `mfaRequired` before reading `accessToken`. For MFA-enrolled users
+     * the response carries `mfaChallengeToken` and you must complete via
+     * `mfaVerify(...)`.
+     */
+    verifyMagicLink(input) {
+        return this.client.request('POST', '/api/v1/auth/magic-link/verify', input);
+    }
+    /**
+     * Begin a passkey authentication ceremony. Returns the WebAuthn options
+     * to forward to the browser (`navigator.credentials.get(...)`) along
+     * with `expectedChallenge` — bind the challenge to your session and
+     * pass both back via `verifyPasskeyAuthentication(...)`.
+     */
+    startPasskeyAuthentication(input) {
+        return this.client.request('POST', '/api/v1/auth/passkey/authenticate/start', input ?? {});
+    }
+    /**
+     * Complete a passkey authentication. Returns the same `SignInOutcome`
+     * shape as `signIn` — but passkeys are themselves a strong factor, so
+     * `mfaRequired` will always be `false` in practice.
+     */
+    verifyPasskeyAuthentication(input) {
+        return this.client.request('POST', '/api/v1/auth/passkey/authenticate/complete', input);
+    }
+    /**
+     * Begin a passkey registration ceremony for an authenticated user.
+     * Forward `options` to `navigator.credentials.create(...)`; store
+     * `expectedChallenge` in session; POST both back via
+     * `verifyPasskeyRegistration(...)`.
+     */
+    startPasskeyRegistration(accessToken) {
+        return this.client.request('POST', '/api/v1/auth/passkey/register/start', undefined, {
+            'X-Relipay-User-Token': accessToken,
+        });
+    }
+    verifyPasskeyRegistration(accessToken, input) {
+        return this.client.request('POST', '/api/v1/auth/passkey/register/complete', input, {
+            'X-Relipay-User-Token': accessToken,
+        });
+    }
+    /** List the user's registered passkeys. */
+    listPasskeys(accessToken) {
+        return this.client.request('GET', '/api/v1/auth/passkeys', undefined, {
+            'X-Relipay-User-Token': accessToken,
+        });
+    }
+    /** Remove a passkey. Returns `{deleted: false}` if the row doesn't belong to this user. */
+    deletePasskey(accessToken, credentialRowId) {
+        return this.client.request('DELETE', `/api/v1/auth/passkeys/${encodeURIComponent(credentialRowId)}`, undefined, { 'X-Relipay-User-Token': accessToken });
+    }
+    // ---------- End-user organizations / teams ----------
+    //
+    // All authenticated. `authConfig.organizationsEnabled` must be true on
+    // the Application — otherwise every call returns `ORGANIZATIONS_NOT_ENABLED`.
+    createOrganization(accessToken, input) {
+        return this.client.request('POST', '/api/v1/users/me/organizations/', input, {
+            'X-Relipay-User-Token': accessToken,
+        });
+    }
+    listMyOrganizations(accessToken) {
+        return this.client.request('GET', '/api/v1/users/me/organizations/', undefined, {
+            'X-Relipay-User-Token': accessToken,
+        });
+    }
+    inviteToOrganization(accessToken, organizationId, input) {
+        return this.client.request('POST', `/api/v1/users/me/organizations/${encodeURIComponent(organizationId)}/invitations`, input, { 'X-Relipay-User-Token': accessToken });
+    }
+    acceptOrganizationInvitation(accessToken, input) {
+        return this.client.request('POST', '/api/v1/auth/organizations/accept-invitation', input, {
+            'X-Relipay-User-Token': accessToken,
+        });
+    }
+    /**
+     * Resolve the end-user behind a presented access token.
+     *
+     * @throws {RelipayError} `USER_TOKEN_INVALID` (401) if expired/forged/wrong-secret.
+     * @throws {RelipayError} `USER_TOKEN_WRONG_APPLICATION` (401) if the token was issued
+     *   by a different Application than the calling secret key represents.
+     */
+    getCurrentUser(accessToken) {
+        return this.client.request('GET', '/api/v1/users/me/', undefined, {
+            'X-Relipay-User-Token': accessToken,
+        });
+    }
+    /**
+     * Exchange a refresh token for a fresh {access, refresh} pair. The presented
+     * refresh is revoked atomically — call this **once** and store the new
+     * `refreshToken` from the response immediately.
+     *
+     * @throws {RelipayError} `REFRESH_TOKEN_REUSED` (401) if you replay an already-used token.
+     *   This is a strong signal the original was leaked; treat as compromise.
+     * @throws {RelipayError} `REFRESH_TOKEN_EXPIRED` (401) after the 30-day refresh window.
+     */
+    refresh(refreshToken) {
+        // /auth/refresh returns the same shape as /auth/mfa-verify — always a
+        // full session (refresh requires a prior MFA-verified session by
+        // definition).
+        return this.client.request('POST', '/api/v1/auth/refresh', { refreshToken });
+    }
+    /**
+     * Revoke a refresh token. Idempotent — no-op for unknown tokens. The
+     * access token paired with this refresh remains valid until its short
+     * (15 min) expiry; for true "log out everywhere" semantics, also clear
+     * the access token from your client.
+     */
+    signOut(refreshToken) {
+        return this.client.request('POST', '/api/v1/auth/sign-out', { refreshToken });
+    }
+    /**
+     * Request a password-reset token for an email. Always succeeds — never
+     * tells you whether the email exists. **You must email the returned
+     * `resetToken` to the user**: ReliPay does not send email.
+     *
+     * @example
+     * ```ts
+     * const { resetToken } = await relipay.auth.requestPasswordReset({ email });
+     * if (resetToken) await sendgrid.send({ to: email, subject: 'Reset', text: `link: ${url(resetToken)}` });
+     * ```
+     */
+    requestPasswordReset(input) {
+        return this.client.request('POST', '/api/v1/auth/forgot-password', input);
+    }
+    /**
+     * Consume a reset token + set a new password. Single-use. On success,
+     * every refresh token for the user is revoked.
+     *
+     * @throws {RelipayError} `PASSWORD_RESET_TOKEN_INVALID` / `_USED` / `_EXPIRED` / `_WRONG_APPLICATION`
+     * @throws {RelipayError} `PASSWORD_TOO_SHORT` if below the Application's `passwordMinLength`
+     */
+    resetPassword(input) {
+        return this.client.request('POST', '/api/v1/auth/reset-password', input);
+    }
+    /**
+     * Authenticated password change. Pass the user's *current* access token.
+     * On success, every refresh token for the user is revoked — other devices
+     * are signed out.
+     */
+    changePassword(accessToken, input) {
+        return this.client.request('POST', '/api/v1/auth/change-password', input, {
+            'X-Relipay-User-Token': accessToken,
+        });
+    }
+    /**
+     * Revoke every refresh token for the calling user. "Sign out of all
+     * devices." The caller's access token remains valid until 15-min expiry
+     * — clear it client-side for full logout.
+     */
+    signOutEverywhere(accessToken) {
+        return this.client.request('POST', '/api/v1/auth/sign-out-everywhere', undefined, { 'X-Relipay-User-Token': accessToken });
+    }
+    /**
+     * Send (or re-send) an email-verification link to the current user.
+     * If email transport is configured on the Application, ReliPay sends
+     * the email and `verificationToken` is null. Otherwise the raw token
+     * is returned for the caller to forward via their own provider.
+     *
+     * Pass `verifyUrl` containing `{token}` to template the link target
+     * (e.g. `https://app.example.com/verify?t={token}`).
+     */
+    sendVerificationEmail(accessToken, input) {
+        return this.client.request('POST', '/api/v1/auth/send-verification', input ?? {}, {
+            'X-Relipay-User-Token': accessToken,
+        });
+    }
+    /**
+     * Consume an email-verification token. Single-use, 24-hour lifetime.
+     * Marks `emailVerified: true` on the user record. Cross-Application
+     * tokens are refused with `EMAIL_VERIFICATION_TOKEN_WRONG_APPLICATION`.
+     */
+    verifyEmail(input) {
+        return this.client.request('POST', '/api/v1/auth/verify-email', input);
+    }
+}
+class OrganizationsClient {
+    client;
+    constructor(client) {
+        this.client = client;
+    }
+    /** Create an organization; the calling user becomes the OWNER. */
+    create(accessToken, input) {
+        return this.client.request('POST', '/api/v1/users/me/organizations/', input, {
+            'X-Relipay-User-Token': accessToken,
+        });
+    }
+    /** List organizations the calling user belongs to, with their role. */
+    listMine(accessToken) {
+        return this.client.request('GET', '/api/v1/users/me/organizations/', undefined, {
+            'X-Relipay-User-Token': accessToken,
+        });
+    }
+    /** Fetch one organization the caller belongs to. */
+    get(accessToken, organizationId) {
+        return this.client.request('GET', `/api/v1/users/me/organizations/${encodeURIComponent(organizationId)}`, undefined, { 'X-Relipay-User-Token': accessToken });
+    }
+    /** Update org name / metadata. OWNER + ADMIN only. */
+    update(accessToken, organizationId, input) {
+        return this.client.request('PATCH', `/api/v1/users/me/organizations/${encodeURIComponent(organizationId)}`, input, { 'X-Relipay-User-Token': accessToken });
+    }
+    /** List members of an organization the caller belongs to. */
+    listMembers(accessToken, organizationId) {
+        return this.client.request('GET', `/api/v1/users/me/organizations/${encodeURIComponent(organizationId)}/members`, undefined, { 'X-Relipay-User-Token': accessToken });
+    }
+    /**
+     * Invite a user. Returns the raw token ONCE — surface via your own
+     * email/share channel. OWNER + ADMIN only.
+     */
+    invite(accessToken, organizationId, input) {
+        return this.client.request('POST', `/api/v1/users/me/organizations/${encodeURIComponent(organizationId)}/invitations`, input, { 'X-Relipay-User-Token': accessToken });
+    }
+    /** Revoke a pending invitation. OWNER + ADMIN only. Idempotent. */
+    revokeInvitation(accessToken, organizationId, invitationId) {
+        return this.client.request('POST', `/api/v1/users/me/organizations/${encodeURIComponent(organizationId)}/invitations/${encodeURIComponent(invitationId)}/revoke`, undefined, { 'X-Relipay-User-Token': accessToken });
+    }
+    /**
+     * Change a member's role. OWNER manages anyone; ADMIN manages MEMBER
+     * only. Last-OWNER guard refuses demoting the only OWNER.
+     */
+    setMemberRole(accessToken, organizationId, targetEndUserId, input) {
+        return this.client.request('PATCH', `/api/v1/users/me/organizations/${encodeURIComponent(organizationId)}/members/${encodeURIComponent(targetEndUserId)}`, input, { 'X-Relipay-User-Token': accessToken });
+    }
+    /** Remove a member (or self). Refuses removing the last OWNER. */
+    removeMember(accessToken, organizationId, targetEndUserId) {
+        return this.client.request('DELETE', `/api/v1/users/me/organizations/${encodeURIComponent(organizationId)}/members/${encodeURIComponent(targetEndUserId)}`, undefined, { 'X-Relipay-User-Token': accessToken });
+    }
+    /** Self-leave. Refuses leaving as the last OWNER. */
+    leave(accessToken, organizationId) {
+        return this.client.request('POST', `/api/v1/users/me/organizations/${encodeURIComponent(organizationId)}/leave`, undefined, { 'X-Relipay-User-Token': accessToken });
+    }
+    /**
+     * Accept an organization invitation by raw token. Refuses cross-
+     * Application invitations. Idempotent if the caller is already a member.
+     */
+    acceptInvitation(accessToken, input) {
+        return this.client.request('POST', '/api/v1/auth/organizations/accept-invitation', input, { 'X-Relipay-User-Token': accessToken });
+    }
+}
+class LicensesClient {
+    client;
+    constructor(client) {
+        this.client = client;
+    }
+    /**
+     * Verify a license key + record an activation for this machine. Call
+     * once at app startup; you'll get a deterministic body (`ok=false` for
+     * invalid licenses — never an HTTP error — so your software can loop
+     * on the result without try/catch noise).
+     *
+     * `machineFingerprint` should be a stable identifier you derive client-
+     * side (hostname + OS + mac address, hashed). The same fingerprint
+     * across re-verifications does NOT consume a new seat.
+     *
+     * @example
+     * ```ts
+     * const result = await relipay.licenses.verify({
+     *   key,
+     *   machineFingerprint,
+     *   label: 'Adam\'s MacBook',
+     * });
+     * if (!result.ok) showLicenseError(result.reason);
+     * ```
+     */
+    verify(input) {
+        return this.client.request('POST', '/api/v1/licenses/verify', input);
+    }
+}
+class UsageClient {
+    client;
+    constructor(client) {
+        this.client = client;
+    }
+    /**
+     * Record a usage event against a named meter. `quantity` can be
+     * negative to credit back (e.g. refunds). `occurredAt` defaults to
+     * server time; pass an ISO string when ingesting historical events.
+     */
+    record(input) {
+        return this.client.request('POST', '/api/v1/usage/record', input);
+    }
+    /**
+     * Sum recorded quantity for a meter, optionally bounded by a time
+     * window and/or scoped to one end-user. Use to drive in-app "you've
+     * used X of your Y quota this month" displays.
+     */
+    aggregate(input) {
+        const params = new URLSearchParams();
+        params.set('meterSlug', input.meterSlug);
+        if (input.from)
+            params.set('from', input.from);
+        if (input.to)
+            params.set('to', input.to);
+        if (input.endUserId)
+            params.set('endUserId', input.endUserId);
+        return this.client.request('GET', `/api/v1/usage/aggregate?${params.toString()}`);
+    }
+}
+/**
+ * Prepaid credits — the "lead pack" / pay-as-you-go drawdown model. The
+ * customer's backend grants credits (by selling a CREDIT-kind plan, which
+ * grants automatically on payment) and draws them down per unit consumed.
+ *
+ * All calls are server-to-server (secret key) and scoped to an end-user id.
+ */
+class CreditsClient {
+    client;
+    constructor(client) {
+        this.client = client;
+    }
+    /** Current spendable balance for an end-user (0 if they've never held credits). */
+    getBalance(endUserId) {
+        return this.client.request('GET', `/api/v1/credits/balance?endUserId=${encodeURIComponent(endUserId)}`);
+    }
+    /**
+     * Deduct credits from an end-user. Throws `RelipayError` with
+     * `code: "CREDITS_INSUFFICIENT"` (HTTP 402) when the balance is too low.
+     *
+     * Pass `idempotencyKey` (e.g. the lead id) so a retried call never
+     * double-charges — a repeat with the same key returns the original result
+     * with `applied: false`.
+     */
+    consume(input) {
+        return this.client.request('POST', '/api/v1/credits/consume', input);
+    }
+    /** Recent ledger entries for an end-user, newest first. */
+    listLedger(endUserId, limit) {
+        const params = new URLSearchParams({ endUserId });
+        if (limit !== undefined)
+            params.set('limit', String(limit));
+        return this.client.request('GET', `/api/v1/credits/ledger?${params.toString()}`);
+    }
+}
+/**
+ * Verify the HMAC signature on an inbound webhook from ReliPay. Returns
+ * `true` only when (a) the timestamp is fresh (within `toleranceSeconds`,
+ * default 300) AND (b) the signature matches a constant-time compare.
+ *
+ * Use against the `X-Relipay-Signature` header and the raw request body
+ * BYTES (not the parsed JSON — any reserialization breaks the HMAC).
+ *
+ * @example
+ * ```ts
+ * import { verifyWebhookSignature } from '@relipay/node';
+ *
+ * app.post('/webhooks/relipay', { config: { rawBody: true } }, (req) => {
+ *   const ok = verifyWebhookSignature({
+ *     header: req.headers['x-relipay-signature'] as string,
+ *     payload: req.rawBody!,
+ *     secret: process.env.RELIPAY_WEBHOOK_SECRET!,
+ *   });
+ *   if (!ok) return reply.status(401).send({ error: 'bad signature' });
+ *   // safe to act on req.body
+ * });
+ * ```
+ */
+export function verifyWebhookSignature(args) {
+    if (!args.header)
+        return false;
+    const tolerance = (args.toleranceSeconds ?? 300) * 1000;
+    const nowMs = args.now ? args.now() : Date.now();
+    const parts = args.header.split(',').reduce((acc, p) => {
+        const [k, v] = p.split('=', 2);
+        if (k && v)
+            acc[k.trim()] = v.trim();
+        return acc;
+    }, {});
+    const t = Number(parts.t);
+    const v1 = parts.v1;
+    if (!Number.isFinite(t) || !v1)
+        return false;
+    if (Math.abs(nowMs - t * 1000) > tolerance)
+        return false;
+    // Lazy-load Node crypto so the SDK still runs in edge runtimes that
+    // don't bundle it (signature verification is the only place we need
+    // crypto — everything else uses fetch).
+    // eslint-disable-next-line @typescript-eslint/no-require-imports
+    const { createHmac, timingSafeEqual } = require('node:crypto');
+    const body = typeof args.payload === 'string' ? Buffer.from(args.payload, 'utf8') : args.payload;
+    const signed = `${t}.${body.toString('utf8')}`;
+    const expected = createHmac('sha256', args.secret).update(signed).digest('hex');
+    const a = Buffer.from(expected, 'hex');
+    const b = Buffer.from(v1, 'hex');
+    if (a.length !== b.length)
+        return false;
+    return timingSafeEqual(a, b);
+}
+class BillingClient {
+    client;
+    constructor(client) {
+        this.client = client;
+    }
+    /**
+     * List the calling Application's active plans. Public — pricing pages
+     * typically render straight from this. Application API key only; no
+     * user JWT needed.
+     *
+     * `amount` is in the smallest currency unit (cents/paise/sen) — never
+     * a float. Format on display: `${amount / 100} ${currency}`.
+     */
+    getPlans() {
+        return this.client.request('GET', '/api/v1/billing/plans');
+    }
+    /**
+     * Fetch the current end-user's active subscription, or `null` if they
+     * have none. Returns the most recent ACTIVE / PENDING / PAST_DUE row.
+     *
+     * Pass the user's access token (the SDK puts it in `X-Relipay-User-Token`).
+     */
+    getSubscription(accessToken) {
+        return this.client.request('GET', '/api/v1/billing/subscription', undefined, {
+            'X-Relipay-User-Token': accessToken,
+        });
+    }
+    /**
+     * Start a hosted-checkout session. Returns the URL to redirect the user
+     * to and the local PENDING Subscription row. Subscription activation
+     * happens via the provider's webhook — not synchronously here.
+     *
+     * Pass `couponCode` to apply a discount. The whole checkout fails if the
+     * coupon doesn't validate (typed `RelipayError` with the precise reason).
+     *
+     * @example
+     * ```ts
+     * const { url, discountAmount } = await relipay.billing.createCheckout(userAccessToken, {
+     *   planSlug: 'pro_monthly',
+     *   successUrl: 'https://yourapp.com/billing?status=ok',
+     *   cancelUrl:  'https://yourapp.com/billing?status=cancel',
+     *   couponCode: 'LAUNCH50', // optional
+     * });
+     * res.redirect(url);
+     * ```
+     */
+    createCheckout(accessToken, input) {
+        return this.client.request('POST', '/api/v1/billing/checkout', input, {
+            'X-Relipay-User-Token': accessToken,
+        });
+    }
+    /**
+     * Validate a coupon for the current user against a plan, *without*
+     * applying it. Render "$50 off" on a pricing page before submit.
+     *
+     * @throws {RelipayError} with one of `COUPON_NOT_FOUND` / `COUPON_INACTIVE`
+     *   / `COUPON_NOT_YET_STARTED` / `COUPON_EXPIRED` / `COUPON_NOT_APPLICABLE`
+     *   / `COUPON_CURRENCY_MISMATCH` / `COUPON_REDEMPTION_LIMIT_REACHED` /
+     *   `COUPON_USER_LIMIT_REACHED`. Surface the message + fix to the user.
+     */
+    validateCoupon(accessToken, input) {
+        return this.client.request('POST', '/api/v1/billing/coupons/validate', input, {
+            'X-Relipay-User-Token': accessToken,
+        });
+    }
+    /**
+     * List the billing providers configured + enabled for this Application,
+     * in the order the geo router would prefer them. Forward the end-user's
+     * `country` (ISO 3166-1 alpha-2) when you have it — the panel/SDK will
+     * surface India-specific providers (Razorpay) for IN-country users, etc.
+     *
+     * Returns the resolved country (echoed back from the server's view of
+     * `CF-IPCountry` etc.) plus the ordered provider list. Use this to render
+     * a "Pay with..." picker on your pricing page.
+     */
+    getProviders(country) {
+        const headers = {};
+        if (country)
+            headers['x-country'] = country.toUpperCase();
+        return this.client.request('GET', '/api/v1/billing/providers', undefined, headers);
+    }
+}
+//# sourceMappingURL=index.js.map