@robelest/convex-auth 0.0.2-preview.2 → 0.0.3-preview

package/dist/server/implementation/apiKey.d.ts

@@ -0,0 +1,74 @@
+/**
+ * API Key crypto utilities.
+ *
+ * Uses `@oslojs/crypto` primitives for key generation and hashing:
+ * - SHA-256 for hashing keys (API keys have high entropy, no need for bcrypt)
+ * - Cryptographically secure random generation for key material
+ *
+ * @module
+ */
+import type { KeyScope, ScopeChecker } from "../types.js";
+/**
+ * Generate a new API key.
+ *
+ * Returns the raw key (to be shown once to the user) and metadata for storage.
+ * The raw key is `{prefix}{32 random alphanumeric chars}`.
+ *
+ * @param prefix - Key prefix, defaults to "sk_live_"
+ * @returns `{ raw, hashedKey, displayPrefix }`
+ */
+export declare function generateApiKey(prefix?: string): Promise<{
+    /** The full raw key — show to user once, never store. */
+    raw: string;
+    /** SHA-256 hex hash of the raw key — store this. */
+    hashedKey: string;
+    /** Truncated prefix for display (e.g. "sk_live_aBc1..."). */
+    displayPrefix: string;
+}>;
+/**
+ * Hash a raw API key for lookup.
+ *
+ * Used during Bearer token verification to find the stored key record.
+ */
+export declare function hashApiKey(rawKey: string): Promise<string>;
+/**
+ * Build a `ScopeChecker` from an array of `KeyScope` entries.
+ *
+ * The checker provides a `.can(resource, action)` method that returns `true`
+ * if any scope entry grants the requested permission.
+ *
+ * A wildcard action `"*"` grants all actions on that resource.
+ * A wildcard resource `"*"` grants the action on all resources.
+ */
+export declare function buildScopeChecker(scopes: KeyScope[]): ScopeChecker;
+/**
+ * Validate that requested scopes are a subset of the allowed scopes
+ * defined in the API key config.
+ *
+ * @param requested - Scopes the user wants on the new key.
+ * @param allowed - The scope definition from `apiKeys.scopes` config.
+ * @throws Error if any requested scope is not in the allowed set.
+ */
+export declare function validateScopes(requested: KeyScope[], allowed: Record<string, string[]> | undefined): void;
+/**
+ * Check whether a key is rate-limited based on its stored state.
+ *
+ * Uses the same token-bucket algorithm as sign-in rate limiting:
+ * tokens refill linearly over the configured window.
+ *
+ * @returns `{ limited: boolean; newState: { attemptsLeft, lastAttemptTime } }`
+ */
+export declare function checkKeyRateLimit(rateLimit: {
+    maxRequests: number;
+    windowMs: number;
+}, state: {
+    attemptsLeft: number;
+    lastAttemptTime: number;
+} | undefined): {
+    limited: boolean;
+    newState: {
+        attemptsLeft: number;
+        lastAttemptTime: number;
+    };
+};
+//# sourceMappingURL=apiKey.d.ts.map

package/dist/server/implementation/apiKey.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"apiKey.d.ts","sourceRoot":"","sources":["../../../src/server/implementation/apiKey.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,KAAK,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAqB1D;;;;;;;;GAQG;AACH,wBAAsB,cAAc,CAAC,MAAM,GAAE,MAA2B,GAAG,OAAO,CAAC;IACjF,yDAAyD;IACzD,GAAG,EAAE,MAAM,CAAC;IACZ,oDAAoD;IACpD,SAAS,EAAE,MAAM,CAAC;IAClB,6DAA6D;IAC7D,aAAa,EAAE,MAAM,CAAC;CACvB,CAAC,CAOD;AAED;;;;GAIG;AACH,wBAAsB,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAEhE;AAMD;;;;;;;;GAQG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,QAAQ,EAAE,GAAG,YAAY,CAWlE;AAED;;;;;;;GAOG;AACH,wBAAgB,cAAc,CAC5B,SAAS,EAAE,QAAQ,EAAE,EACrB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,GAAG,SAAS,GAC5C,IAAI,CAuBN;AAMD;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAC/B,SAAS,EAAE;IAAE,WAAW,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,EACpD,KAAK,EAAE;IAAE,YAAY,EAAE,MAAM,CAAC;IAAC,eAAe,EAAE,MAAM,CAAA;CAAE,GAAG,SAAS,GACnE;IACD,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE;QAAE,YAAY,EAAE,MAAM,CAAC;QAAC,eAAe,EAAE,MAAM,CAAA;KAAE,CAAC;CAC7D,CAsCA"}

package/dist/server/implementation/apiKey.js

@@ -0,0 +1,140 @@
+/**
+ * API Key crypto utilities.
+ *
+ * Uses `@oslojs/crypto` primitives for key generation and hashing:
+ * - SHA-256 for hashing keys (API keys have high entropy, no need for bcrypt)
+ * - Cryptographically secure random generation for key material
+ *
+ * @module
+ */
+import { sha256, generateRandomString } from "./utils.js";
+// ============================================================================
+// Constants
+// ============================================================================
+const DEFAULT_KEY_PREFIX = "sk_live_";
+const KEY_RANDOM_LENGTH = 32;
+const KEY_RANDOM_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+/**
+ * How many characters of the full key to store as the visible prefix.
+ * Includes the prefix string (e.g. "sk_live_") plus a few random chars.
+ */
+const VISIBLE_PREFIX_EXTRA_CHARS = 4;
+// ============================================================================
+// Key generation
+// ============================================================================
+/**
+ * Generate a new API key.
+ *
+ * Returns the raw key (to be shown once to the user) and metadata for storage.
+ * The raw key is `{prefix}{32 random alphanumeric chars}`.
+ *
+ * @param prefix - Key prefix, defaults to "sk_live_"
+ * @returns `{ raw, hashedKey, displayPrefix }`
+ */
+export async function generateApiKey(prefix = DEFAULT_KEY_PREFIX) {
+    const randomPart = generateRandomString(KEY_RANDOM_LENGTH, KEY_RANDOM_ALPHABET);
+    const raw = `${prefix}${randomPart}`;
+    const hashedKey = await sha256(raw);
+    const displayPrefix = `${raw.substring(0, prefix.length + VISIBLE_PREFIX_EXTRA_CHARS)}...`;
+    return { raw, hashedKey, displayPrefix };
+}
+/**
+ * Hash a raw API key for lookup.
+ *
+ * Used during Bearer token verification to find the stored key record.
+ */
+export async function hashApiKey(rawKey) {
+    return sha256(rawKey);
+}
+// ============================================================================
+// Scope checker
+// ============================================================================
+/**
+ * Build a `ScopeChecker` from an array of `KeyScope` entries.
+ *
+ * The checker provides a `.can(resource, action)` method that returns `true`
+ * if any scope entry grants the requested permission.
+ *
+ * A wildcard action `"*"` grants all actions on that resource.
+ * A wildcard resource `"*"` grants the action on all resources.
+ */
+export function buildScopeChecker(scopes) {
+    return {
+        scopes,
+        can(resource, action) {
+            return scopes.some((scope) => (scope.resource === resource || scope.resource === "*") &&
+                (scope.actions.includes(action) || scope.actions.includes("*")));
+        },
+    };
+}
+/**
+ * Validate that requested scopes are a subset of the allowed scopes
+ * defined in the API key config.
+ *
+ * @param requested - Scopes the user wants on the new key.
+ * @param allowed - The scope definition from `apiKeys.scopes` config.
+ * @throws Error if any requested scope is not in the allowed set.
+ */
+export function validateScopes(requested, allowed) {
+    if (!allowed) {
+        // No scope restrictions configured — allow anything.
+        return;
+    }
+    for (const scope of requested) {
+        const allowedActions = allowed[scope.resource];
+        if (!allowedActions) {
+            throw new Error(`Unknown resource "${scope.resource}" in API key scopes. ` +
+                `Allowed resources: ${Object.keys(allowed).join(", ")}`);
+        }
+        for (const action of scope.actions) {
+            if (action !== "*" && !allowedActions.includes(action)) {
+                throw new Error(`Unknown action "${action}" for resource "${scope.resource}". ` +
+                    `Allowed actions: ${allowedActions.join(", ")}`);
+            }
+        }
+    }
+}
+// ============================================================================
+// Per-key rate limiting (token-bucket)
+// ============================================================================
+/**
+ * Check whether a key is rate-limited based on its stored state.
+ *
+ * Uses the same token-bucket algorithm as sign-in rate limiting:
+ * tokens refill linearly over the configured window.
+ *
+ * @returns `{ limited: boolean; newState: { attemptsLeft, lastAttemptTime } }`
+ */
+export function checkKeyRateLimit(rateLimit, state) {
+    const now = Date.now();
+    if (!state) {
+        // First request — create initial state with one token consumed.
+        return {
+            limited: false,
+            newState: {
+                attemptsLeft: rateLimit.maxRequests - 1,
+                lastAttemptTime: now,
+            },
+        };
+    }
+    const elapsed = now - state.lastAttemptTime;
+    const refillRate = rateLimit.maxRequests / rateLimit.windowMs;
+    const refilled = Math.min(rateLimit.maxRequests, state.attemptsLeft + elapsed * refillRate);
+    if (refilled < 1) {
+        return {
+            limited: true,
+            newState: {
+                attemptsLeft: refilled,
+                lastAttemptTime: now,
+            },
+        };
+    }
+    return {
+        limited: false,
+        newState: {
+            attemptsLeft: refilled - 1,
+            lastAttemptTime: now,
+        },
+    };
+}
+//# sourceMappingURL=apiKey.js.map

package/dist/server/implementation/apiKey.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"apiKey.js","sourceRoot":"","sources":["../../../src/server/implementation/apiKey.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,MAAM,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AAG1D,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E,MAAM,kBAAkB,GAAG,UAAU,CAAC;AACtC,MAAM,iBAAiB,GAAG,EAAE,CAAC;AAC7B,MAAM,mBAAmB,GACvB,gEAAgE,CAAC;AAEnE;;;GAGG;AACH,MAAM,0BAA0B,GAAG,CAAC,CAAC;AAErC,+EAA+E;AAC/E,iBAAiB;AACjB,+EAA+E;AAE/E;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,SAAiB,kBAAkB;IAQtE,MAAM,UAAU,GAAG,oBAAoB,CAAC,iBAAiB,EAAE,mBAAmB,CAAC,CAAC;IAChF,MAAM,GAAG,GAAG,GAAG,MAAM,GAAG,UAAU,EAAE,CAAC;IACrC,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC,CAAC;IACpC,MAAM,aAAa,GAAG,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,EAAE,MAAM,CAAC,MAAM,GAAG,0BAA0B,CAAC,KAAK,CAAC;IAE3F,OAAO,EAAE,GAAG,EAAE,SAAS,EAAE,aAAa,EAAE,CAAC;AAC3C,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,MAAc;IAC7C,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC;AACxB,CAAC;AAED,+EAA+E;AAC/E,gBAAgB;AAChB,+EAA+E;AAE/E;;;;;;;;GAQG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAAkB;IAClD,OAAO;QACL,MAAM;QACN,GAAG,CAAC,QAAgB,EAAE,MAAc;YAClC,OAAO,MAAM,CAAC,IAAI,CAChB,CAAC,KAAK,EAAE,EAAE,CACR,CAAC,KAAK,CAAC,QAAQ,KAAK,QAAQ,IAAI,KAAK,CAAC,QAAQ,KAAK,GAAG,CAAC;gBACvD,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAClE,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,cAAc,CAC5B,SAAqB,EACrB,OAA6C;IAE7C,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,qDAAqD;QACrD,OAAO;IACT,CAAC;IAED,KAAK,MAAM,KAAK,IAAI,SAAS,EAAE,CAAC;QAC9B,MAAM,cAAc,GAAG,OAAO,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;QAC/C,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,MAAM,IAAI,KAAK,CACb,qBAAqB,KAAK,CAAC,QAAQ,uBAAuB;gBACxD,sBAAsB,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC1D,CAAC;QACJ,CAAC;QACD,KAAK,MAAM,MAAM,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;YACnC,IAAI,MAAM,KAAK,GAAG,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;gBACvD,MAAM,IAAI,KAAK,CACb,mBAAmB,MAAM,mBAAmB,KAAK,CAAC,QAAQ,KAAK;oBAC7D,oBAAoB,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAClD,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,uCAAuC;AACvC,+EAA+E;AAE/E;;;;;;;GAOG;AACH,MAAM,UAAU,iBAAiB,CAC/B,SAAoD,EACpD,KAAoE;IAKpE,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAEvB,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,gEAAgE;QAChE,OAAO;YACL,OAAO,EAAE,KAAK;YACd,QAAQ,EAAE;gBACR,YAAY,EAAE,SAAS,CAAC,WAAW,GAAG,CAAC;gBACvC,eAAe,EAAE,GAAG;aACrB;SACF,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,GAAG,GAAG,KAAK,CAAC,eAAe,CAAC;IAC5C,MAAM,UAAU,GAAG,SAAS,CAAC,WAAW,GAAG,SAAS,CAAC,QAAQ,CAAC;IAC9D,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CACvB,SAAS,CAAC,WAAW,EACrB,KAAK,CAAC,YAAY,GAAG,OAAO,GAAG,UAAU,CAC1C,CAAC;IAEF,IAAI,QAAQ,GAAG,CAAC,EAAE,CAAC;QACjB,OAAO;YACL,OAAO,EAAE,IAAI;YACb,QAAQ,EAAE;gBACR,YAAY,EAAE,QAAQ;gBACtB,eAAe,EAAE,GAAG;aACrB;SACF,CAAC;IACJ,CAAC;IAED,OAAO;QACL,OAAO,EAAE,KAAK;QACd,QAAQ,EAAE;YACR,YAAY,EAAE,QAAQ,GAAG,CAAC;YAC1B,eAAe,EAAE,GAAG;SACrB;KACF,CAAC;AACJ,CAAC"}

package/dist/server/implementation/index.d.ts

@@ -266,12 +266,15 @@ export declare function Auth(config_: ConvexAuthConfig): {
              * Create a new invitation.
              *
              * @param data.groupId - Optional group to invite the user into.
-             * @param data.invitedByUserId - The user sending the invitation.
-             * @param data.email - The email address of the invitee.
+             * @param data.invitedByUserId - Optional user sending the invitation
+             *   (omit for CLI-generated invites).
+             * @param data.email - Optional email of the invitee (omit for
+             *   CLI-generated invite links where the email is unknown upfront).
              * @param data.tokenHash - Hashed token for secure acceptance.
              * @param data.role - Optional role to assign on acceptance.
              * @param data.status - Initial status (typically "pending").
-             * @param data.expiresTime - Timestamp when the invite expires.
+             * @param data.expiresTime - Optional expiration timestamp (omit for
+             *   single-use, non-expiring invites).
              * @param data.extend - Optional arbitrary JSON extension data.
              * @throws ConvexError with code `DUPLICATE_INVITE` if a pending invite
              * already exists for this email and scope.
@@ -279,18 +282,22 @@ export declare function Auth(config_: ConvexAuthConfig): {
              */
             create: (ctx: Pick<GenericActionCtx<GenericDataModel>, "runQuery" | "runMutation">, data: {
                 groupId?: string;
-                invitedByUserId: string;
-                email: string;
+                invitedByUserId?: string;
+                email?: string;
                 tokenHash: string;
                 role?: string;
                 status: "pending" | "accepted" | "revoked" | "expired";
-                expiresTime: number;
+                expiresTime?: number;
                 extend?: Record<string, unknown>;
             }) => Promise<string>;
             /**
              * Retrieve an invite by its ID. Returns `null` if not found.
              */
             get: (ctx: Pick<GenericActionCtx<GenericDataModel>, "runQuery">, inviteId: string) => Promise<any>;
+            /**
+             * Retrieve an invite by its token hash. Returns `null` if not found.
+             */
+            getByTokenHash: (ctx: Pick<GenericActionCtx<GenericDataModel>, "runQuery">, tokenHash: string) => Promise<any>;
             /**
              * List invites, optionally filtered by group and/or status.
              */
@@ -329,7 +336,7 @@ export declare function Auth(config_: ConvexAuthConfig): {
              * });
              * ```
              */
-            accept: (ctx: Pick<GenericActionCtx<GenericDataModel>, "runQuery" | "runMutation">, inviteId: string) => Promise<void>;
+            accept: (ctx: Pick<GenericActionCtx<GenericDataModel>, "runQuery" | "runMutation">, inviteId: string, acceptedByUserId?: string) => Promise<void>;
             /**
              * Revoke a pending invitation.
              *
@@ -340,6 +347,154 @@ export declare function Auth(config_: ConvexAuthConfig): {
              */
             revoke: (ctx: Pick<GenericActionCtx<GenericDataModel>, "runQuery" | "runMutation">, inviteId: string) => Promise<void>;
         };
+        /**
+         * Manage passkey credentials for users.
+         *
+         * ```ts
+         * const passkeys = await auth.passkey.list(ctx, { userId });
+         * await auth.passkey.rename(ctx, passkeyId, "MacBook Touch ID");
+         * await auth.passkey.remove(ctx, passkeyId);
+         * ```
+         */
+        passkey: {
+            /**
+             * List all passkeys for a user.
+             *
+             * @param opts.userId - The user whose passkeys to list.
+             * @returns Array of passkey records with credentialId, name, deviceType,
+             * backedUp, createdAt, and lastUsedAt.
+             */
+            list: (ctx: Pick<GenericActionCtx<GenericDataModel>, "runQuery">, opts: {
+                userId: string;
+            }) => Promise<any>;
+            /**
+             * Rename a passkey (set a user-friendly display name).
+             *
+             * @param passkeyId - The passkey document ID.
+             * @param name - New display name (e.g. "MacBook Touch ID").
+             */
+            rename: (ctx: Pick<GenericActionCtx<GenericDataModel>, "runQuery" | "runMutation">, passkeyId: string, name: string) => Promise<void>;
+            /**
+             * Delete a passkey credential.
+             *
+             * @param passkeyId - The passkey document ID to remove.
+             */
+            remove: (ctx: Pick<GenericActionCtx<GenericDataModel>, "runQuery" | "runMutation">, passkeyId: string) => Promise<void>;
+        };
+        /**
+         * Manage TOTP two-factor authentication enrollments for users.
+         *
+         * ```ts
+         * const enrollments = await auth.totp.list(ctx, { userId });
+         * await auth.totp.remove(ctx, totpId);
+         * ```
+         */
+        totp: {
+            /**
+             * List all TOTP enrollments for a user.
+             *
+             * @param opts.userId - The user whose enrollments to list.
+             * @returns Array of TOTP enrollment records.
+             */
+            list: (ctx: Pick<GenericActionCtx<GenericDataModel>, "runQuery">, opts: {
+                userId: string;
+            }) => Promise<any>;
+            /**
+             * Delete a TOTP enrollment.
+             *
+             * @param totpId - The TOTP document ID to remove.
+             */
+            remove: (ctx: Pick<GenericActionCtx<GenericDataModel>, "runQuery" | "runMutation">, totpId: string) => Promise<void>;
+        };
+        /**
+         * Manage API keys for programmatic access.
+         *
+         * Keys use SHA-256 hashing (via `@oslojs/crypto`) and support
+         * scoped resource:action permissions with optional per-key rate limiting.
+         *
+         * ```ts
+         * const { keyId, raw } = await auth.key.create(ctx, {
+         *   userId,
+         *   name: "CI Pipeline",
+         *   scopes: [{ resource: "users", actions: ["read", "list"] }],
+         * });
+         * // raw = "sk_live_abc123..." — show once, never stored
+         *
+         * const result = await auth.key.verify(ctx, rawKey);
+         * result.scopes.can("users", "read"); // true
+         * ```
+         */
+        key: {
+            /**
+             * Create a new API key. Returns the raw key **once** — it cannot
+             * be retrieved again after creation.
+             *
+             * @param opts.userId - The user this key belongs to.
+             * @param opts.name - Human-readable name (e.g. "CI Pipeline").
+             * @param opts.scopes - Resource:action permissions for this key.
+             * @param opts.rateLimit - Optional per-key rate limit override.
+             * @param opts.expiresAt - Optional expiration timestamp.
+             * @returns `{ keyId, raw }` where `raw` is the full key string.
+             */
+            create: (ctx: Pick<GenericActionCtx<GenericDataModel>, "runQuery" | "runMutation">, opts: {
+                userId: string;
+                name: string;
+                scopes: import("../types.js").KeyScope[];
+                rateLimit?: {
+                    maxRequests: number;
+                    windowMs: number;
+                };
+                expiresAt?: number;
+            }) => Promise<{
+                keyId: string;
+                raw: string;
+            }>;
+            /**
+             * Verify a raw API key string. Returns the userId and a scope checker
+             * if the key is valid, not revoked, not expired, and not rate-limited.
+             *
+             * Also updates `lastUsedAt` and rate limit state as a side effect.
+             *
+             * @throws Error if the key is invalid, revoked, expired, or rate-limited.
+             */
+            verify: (ctx: Pick<GenericActionCtx<GenericDataModel>, "runQuery" | "runMutation">, rawKey: string) => Promise<{
+                userId: string;
+                keyId: string;
+                scopes: import("../types.js").ScopeChecker;
+            }>;
+            /**
+             * List all API keys for a user.
+             * Never includes the raw key — only the display prefix.
+             */
+            list: (ctx: Pick<GenericActionCtx<GenericDataModel>, "runQuery">, opts: {
+                userId: string;
+            }) => Promise<any>;
+            /**
+             * Get a single API key by its document ID.
+             * Returns `null` if not found.
+             */
+            get: (ctx: Pick<GenericActionCtx<GenericDataModel>, "runQuery">, keyId: string) => Promise<any>;
+            /**
+             * Update an API key's metadata (name, scopes, rate limit).
+             */
+            update: (ctx: Pick<GenericActionCtx<GenericDataModel>, "runQuery" | "runMutation">, keyId: string, data: {
+                name?: string;
+                scopes?: import("../types.js").KeyScope[];
+                rateLimit?: {
+                    maxRequests: number;
+                    windowMs: number;
+                };
+            }) => Promise<void>;
+            /**
+             * Revoke an API key (soft delete). The key record is preserved
+             * for audit purposes but can no longer be used for authentication.
+             */
+            revoke: (ctx: Pick<GenericActionCtx<GenericDataModel>, "runQuery" | "runMutation">, keyId: string) => Promise<void>;
+            /**
+             * Hard delete an API key record.
+             */
+            remove: (ctx: Pick<GenericActionCtx<GenericDataModel>, "runQuery" | "runMutation">, keyId: string) => Promise<void>;
+        };
         /**
          * Add HTTP actions for JWT verification and OAuth sign-in.
          *
@@ -384,6 +539,13 @@ export declare function Auth(config_: ConvexAuthConfig): {
         verifier?: string;
         tokens?: Tokens | null;
         started?: boolean;
+        options?: Record<string, any>;
+        totpRequired?: boolean;
+        totpSetup?: {
+            uri: string;
+            secret: string;
+            totpId: string;
+        };
     }>>;
     /**
      * Action called by the client to invalidate the current session.

package/dist/server/implementation/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/server/implementation/index.ts"],"names":[],"mappings":"AACA,OAAO,EACL,IAAI,EACJ,gBAAgB,EAChB,gBAAgB,EAChB,UAAU,EAIX,MAAM,eAAe,CAAC;AACvB,OAAO,EAAe,SAAS,EAAK,MAAM,eAAe,CAAC;AAG1D,OAAO,EAAE,2BAA2B,EAAE,MAAM,oBAAoB,CAAC;AAMjE,OAAO,EACL,kBAAkB,EAClB,gBAAgB,EACjB,MAAM,aAAa,CAAC;AAErB,OAAO,EAA0B,MAAM,EAAE,MAAM,YAAY,CAAC;AAC5D,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,YAAY,CAAC;AA4BzC;;;;;GAKG;AACH,MAAM,MAAM,YAAY,GAAG,2BAA2B,CACpD,UAAU,CAAC,OAAO,IAAI,CAAC,CAAC,QAAQ,CAAC,CAClC,CAAC;AACF;;;;;GAKG;AACH,MAAM,MAAM,aAAa,GAAG,2BAA2B,CACrD,UAAU,CAAC,OAAO,IAAI,CAAC,CAAC,SAAS,CAAC,CACnC,CAAC;AACF;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,IAAI,CAAC,OAAO,EAAE,gBAAgB;IAuqB1C;;OAEG;;;YAxnBD;;;eAGG;2BACkB;gBAAE,IAAI,EAAE,IAAI,CAAA;aAAE;YAQnC;;;eAGG;2BACkB;gBAAE,IAAI,EAAE,IAAI,CAAA;aAAE;YAQnC;;eAEG;qFACwC,MAAM;YAGjD;;;eAGG;;sBAlDgD,IAAI;;YA0DvD;;eAEG;;gBAED;;;mBAGG;wFACuC;oBAAE,MAAM,EAAE,MAAM,CAAA;iBAAE;gBAG5D;;;;mBAIG;uFAGK;oBAAE,MAAM,EAAE,MAAM,CAAC;oBAAC,OAAO,EAAE,MAAM,CAAA;iBAAE;;;;YAU7C;;;eAGG;2BACkB;gBAAE,IAAI,EAAE,IAAI,CAAA;aAAE;YAQnC;;eAEG;yBACgB,SAAS,SAAS,gBAAgB,OAC9C,gBAAgB,CAAC,SAAS,CAAC,QAC1B;gBACJ,MAAM,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC;gBAC1B,MAAM,CAAC,EAAE,SAAS,CAAC,SAAS,CAAC,EAAE,CAAC;aACjC,KACA,OAAO,CAAC,IAAI,CAAC;;;YAMhB;;eAEG;qBACY,SAAS,SAAS,gBAAgB,OAC1C,gBAAgB,CAAC,SAAS,CAAC;0BAlH1B,MAAM;;wBAFc,MAAM;6BAAW,MAAM;;yBAI5C,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;qCACX,OAAO;qCACP,OAAO;;;;;YAoH1B;;eAEG;kBACS,SAAS,SAAS,gBAAgB,OACvC,gBAAgB,CAAC,SAAS,CAAC;0BAtHC,MAAM;;wBARb,MAAM;6BAAW,MAAM;;;;;;YAwInD;;eAEG;gCACuB,SAAS,SAAS,gBAAgB,OACrD,gBAAgB,CAAC,SAAS,CAAC;0BAlI1B,MAAM;yBACP;oBAAE,EAAE,EAAE,MAAM,CAAC;oBAAC,MAAM,EAAE,MAAM,CAAA;iBAAE;kBAmIlC,OAAO,CAAC,IAAI,CAAC;;;YAMhB;;eAEG;qBACY,SAAS,SAAS,gBAAgB,OAC1C,gBAAgB,CAAC,SAAS,CAAC,YACtB,kBAAkB,QACtB;gBACJ,SAAS,CAAC,EAAE,SAAS,CAAC,SAAS,CAAC,CAAC;gBACjC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;aAClC;;;;;QAkBL;;;;;;;;;;;WAWG;;YAED;;;;;eAKG;sGAGK;gBACJ,IAAI,EAAE,MAAM,CAAC;gBACb,IAAI,CAAC,EAAE,MAAM,CAAC;gBACd,aAAa,CAAC,EAAE,MAAM,CAAC;gBACvB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;aAClC,KACA,OAAO,CAAC,MAAM,CAAC;YAMlB;;eAEG;sFACyC,MAAM;YAGlD;;;eAGG;qFACwC;gBAAE,aAAa,CAAC,EAAE,MAAM,CAAA;aAAE;YAKrE;;eAEG;yGAGQ,MAAM,QACT,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;YAI/B;;;;eAIG;yGACwC,MAAM;YAIjD;;;;;;eAMG;;gBAED;;;;;;;;;;;mBAWG;uGAGK;oBACJ,OAAO,EAAE,MAAM,CAAC;oBAChB,MAAM,EAAE,MAAM,CAAC;oBACf,IAAI,CAAC,EAAE,MAAM,CAAC;oBACd,MAAM,CAAC,EAAE,MAAM,CAAC;oBAChB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;iBAClC,KACA,OAAO,CAAC,MAAM,CAAC;gBAMlB;;mBAEG;2FAC0C,MAAM;gBAGnD;;mBAEG;wFACuC;oBAAE,OAAO,EAAE,MAAM,CAAA;iBAAE;gBAG7D;;mBAEG;8GACyC,MAAM;gBAGlD;;;;;;mBAMG;8GAGS,MAAM,QACV,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;;;QAUnC;;;;;WAKG;;YAED;;;;;;;;;;;;;;eAcG;sGAGK;gBACJ,OAAO,CAAC,EAAE,MAAM,CAAC;gBACjB,eAAe,EAAE,MAAM,CAAC;gBACxB,KAAK,EAAE,MAAM,CAAC;gBACd,SAAS,EAAE,MAAM,CAAC;gBAClB,IAAI,CAAC,EAAE,MAAM,CAAC;gBACd,MAAM,EAAE,SAAS,GAAG,UAAU,GAAG,SAAS,GAAG,SAAS,CAAC;gBACvD,WAAW,EAAE,MAAM,CAAC;gBACpB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;aAClC,KACA,OAAO,CAAC,MAAM,CAAC;YAGlB;;eAEG;uFAC0C,MAAM;YAGnD;;eAEG;qFAGM;gBACL,OAAO,CAAC,EAAE,MAAM,CAAC;gBACjB,MAAM,CAAC,EAAE,SAAS,GAAG,UAAU,GAAG,SAAS,GAAG,SAAS,CAAC;aACzD;YAOH;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;eA8BG;0GACyC,MAAM;YAGjD;;;;;;;eAOG;0GACwC,MAAM;;QAIpD;;;;;;;;;;;;;;;;;;;;;;;;;WAyBG;8BACmB,UAAU;;IA6MhC;;;;OAIG;;;;;;;;mBAaY,MAAM;mBACN,MAAM;iBACR,MAAM,GAAG,IAAI;kBACZ,OAAO;;IA4BrB;;OAEG;;IAQH;;;OAGG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EASN"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/server/implementation/index.ts"],"names":[],"mappings":"AACA,OAAO,EACL,IAAI,EACJ,gBAAgB,EAChB,gBAAgB,EAChB,UAAU,EAIX,MAAM,eAAe,CAAC;AACvB,OAAO,EAAe,SAAS,EAAK,MAAM,eAAe,CAAC;AAG1D,OAAO,EAAE,2BAA2B,EAAE,MAAM,oBAAoB,CAAC;AAMjE,OAAO,EACL,kBAAkB,EAClB,gBAAgB,EACjB,MAAM,aAAa,CAAC;AAErB,OAAO,EAA0B,MAAM,EAAE,MAAM,YAAY,CAAC;AAC5D,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,YAAY,CAAC;AAmCzC;;;;;GAKG;AACH,MAAM,MAAM,YAAY,GAAG,2BAA2B,CACpD,UAAU,CAAC,OAAO,IAAI,CAAC,CAAC,QAAQ,CAAC,CAClC,CAAC;AACF;;;;;GAKG;AACH,MAAM,MAAM,aAAa,GAAG,2BAA2B,CACrD,UAAU,CAAC,OAAO,IAAI,CAAC,CAAC,SAAS,CAAC,CACnC,CAAC;AACF;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,IAAI,CAAC,OAAO,EAAE,gBAAgB;IA47B1C;;OAEG;;;YA74BD;;;eAGG;2BACkB;gBAAE,IAAI,EAAE,IAAI,CAAA;aAAE;YAQnC;;;eAGG;2BACkB;gBAAE,IAAI,EAAE,IAAI,CAAA;aAAE;YAQnC;;eAEG;qFACwC,MAAM;YAGjD;;;eAGG;;sBAlDgD,IAAI;;YA0DvD;;eAEG;;gBAED;;;mBAGG;wFACuC;oBAAE,MAAM,EAAE,MAAM,CAAA;iBAAE;gBAG5D;;;;mBAIG;uFAGK;oBAAE,MAAM,EAAE,MAAM,CAAC;oBAAC,OAAO,EAAE,MAAM,CAAA;iBAAE;;;;YAU7C;;;eAGG;2BACkB;gBAAE,IAAI,EAAE,IAAI,CAAA;aAAE;YAQnC;;eAEG;yBACgB,SAAS,SAAS,gBAAgB,OAC9C,gBAAgB,CAAC,SAAS,CAAC,QAC1B;gBACJ,MAAM,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC;gBAC1B,MAAM,CAAC,EAAE,SAAS,CAAC,SAAS,CAAC,EAAE,CAAC;aACjC,KACA,OAAO,CAAC,IAAI,CAAC;;;YAMhB;;eAEG;qBACY,SAAS,SAAS,gBAAgB,OAC1C,gBAAgB,CAAC,SAAS,CAAC;0BAlH1B,MAAM;;wBAFc,MAAM;6BAAW,MAAM;;yBAI5C,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;qCACX,OAAO;qCACP,OAAO;;;;;YAoH1B;;eAEG;kBACS,SAAS,SAAS,gBAAgB,OACvC,gBAAgB,CAAC,SAAS,CAAC;0BAtHC,MAAM;;wBARb,MAAM;6BAAW,MAAM;;;;;;YAwInD;;eAEG;gCACuB,SAAS,SAAS,gBAAgB,OACrD,gBAAgB,CAAC,SAAS,CAAC;0BAlI1B,MAAM;yBACP;oBAAE,EAAE,EAAE,MAAM,CAAC;oBAAC,MAAM,EAAE,MAAM,CAAA;iBAAE;kBAmIlC,OAAO,CAAC,IAAI,CAAC;;;YAMhB;;eAEG;qBACY,SAAS,SAAS,gBAAgB,OAC1C,gBAAgB,CAAC,SAAS,CAAC,YACtB,kBAAkB,QACtB;gBACJ,SAAS,CAAC,EAAE,SAAS,CAAC,SAAS,CAAC,CAAC;gBACjC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;aAClC;;;;;QAkBL;;;;;;;;;;;WAWG;;YAED;;;;;eAKG;sGAGK;gBACJ,IAAI,EAAE,MAAM,CAAC;gBACb,IAAI,CAAC,EAAE,MAAM,CAAC;gBACd,aAAa,CAAC,EAAE,MAAM,CAAC;gBACvB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;aAClC,KACA,OAAO,CAAC,MAAM,CAAC;YAMlB;;eAEG;sFACyC,MAAM;YAGlD;;;eAGG;qFACwC;gBAAE,aAAa,CAAC,EAAE,MAAM,CAAA;aAAE;YAKrE;;eAEG;yGAGQ,MAAM,QACT,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;YAI/B;;;;eAIG;yGACwC,MAAM;YAIjD;;;;;;eAMG;;gBAED;;;;;;;;;;;mBAWG;uGAGK;oBACJ,OAAO,EAAE,MAAM,CAAC;oBAChB,MAAM,EAAE,MAAM,CAAC;oBACf,IAAI,CAAC,EAAE,MAAM,CAAC;oBACd,MAAM,CAAC,EAAE,MAAM,CAAC;oBAChB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;iBAClC,KACA,OAAO,CAAC,MAAM,CAAC;gBAMlB;;mBAEG;2FAC0C,MAAM;gBAGnD;;mBAEG;wFACuC;oBAAE,OAAO,EAAE,MAAM,CAAA;iBAAE;gBAG7D;;mBAEG;8GACyC,MAAM;gBAGlD;;;;;;mBAMG;8GAGS,MAAM,QACV,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;;;QAUnC;;;;;WAKG;;YAED;;;;;;;;;;;;;;;;;eAiBG;sGAGK;gBACJ,OAAO,CAAC,EAAE,MAAM,CAAC;gBACjB,eAAe,CAAC,EAAE,MAAM,CAAC;gBACzB,KAAK,CAAC,EAAE,MAAM,CAAC;gBACf,SAAS,EAAE,MAAM,CAAC;gBAClB,IAAI,CAAC,EAAE,MAAM,CAAC;gBACd,MAAM,EAAE,SAAS,GAAG,UAAU,GAAG,SAAS,GAAG,SAAS,CAAC;gBACvD,WAAW,CAAC,EAAE,MAAM,CAAC;gBACrB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;aAClC,KACA,OAAO,CAAC,MAAM,CAAC;YAGlB;;eAEG;uFAC0C,MAAM;YAGnD;;eAEG;mGACsD,MAAM;YAG/D;;eAEG;qFAGM;gBACL,OAAO,CAAC,EAAE,MAAM,CAAC;gBACjB,MAAM,CAAC,EAAE,SAAS,GAAG,UAAU,GAAG,SAAS,GAAG,SAAS,CAAC;aACzD;YAOH;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;eA8BG;0GACyC,MAAM,qBAAqB,MAAM;YAM5E;;;;;;;eAOG;0GACwC,MAAM;;QAIpD;;;;;;;;WAQG;;YAED;;;;;;eAMG;oFACuC;gBAAE,MAAM,EAAE,MAAM,CAAA;aAAE;YAM5D;;;;;eAKG;2GAC0C,MAAM,QAAQ,MAAM;YAMjE;;;;eAIG;2GAC0C,MAAM;;QAOrD;;;;;;;WAOG;;YAED;;;;;eAKG;oFACuC;gBAAE,MAAM,EAAE,MAAM,CAAA;aAAE;YAM5D;;;;eAIG;wGACuC,MAAM;;QAOlD;;;;;;;;;;;;;;;;;WAiBG;;YAED;;;;;;;;;;eAUG;sGAGK;gBACJ,MAAM,EAAE,MAAM,CAAC;gBACf,IAAI,EAAE,MAAM,CAAC;gBACb,MAAM,EAAE,OAAO,aAAa,EAAE,QAAQ,EAAE,CAAC;gBACzC,SAAS,CAAC,EAAE;oBAAE,WAAW,EAAE,MAAM,CAAC;oBAAC,QAAQ,EAAE,MAAM,CAAA;iBAAE,CAAC;gBACtD,SAAS,CAAC,EAAE,MAAM,CAAC;aACpB,KACA,OAAO,CAAC;gBAAE,KAAK,EAAE,MAAM,CAAC;gBAAC,GAAG,EAAE,MAAM,CAAA;aAAE,CAAC;YAwB1C;;;;;;;eAOG;wGAGO,MAAM,KACb,OAAO,CAAC;gBACT,MAAM,EAAE,MAAM,CAAC;gBACf,KAAK,EAAE,MAAM,CAAC;gBACd,MAAM,EAAE,OAAO,aAAa,EAAE,YAAY,CAAC;aAC5C,CAAC;YA4CF;;;eAGG;oFACuC;gBAAE,MAAM,EAAE,MAAM,CAAA;aAAE;YAO5D;;;eAGG;oFACuC,MAAM;YAOhD;;eAEG;uGAGM,MAAM,QACP;gBACJ,IAAI,CAAC,EAAE,MAAM,CAAC;gBACd,MAAM,CAAC,EAAE,OAAO,aAAa,EAAE,QAAQ,EAAE,CAAC;gBAC1C,SAAS,CAAC,EAAE;oBAAE,WAAW,EAAE,MAAM,CAAC;oBAAC,QAAQ,EAAE,MAAM,CAAA;iBAAE,CAAC;aACvD;YAWH;;;eAGG;uGACsC,MAAM;YAO/C;;eAEG;uGACsC,MAAM;;QAMjD;;;;;;;;;;;;;;;;;;;;;;;;;WAyBG;8BACmB,UAAU;;IA6MhC;;;;OAIG;;;;;;;;mBAaY,MAAM;mBACN,MAAM;iBACR,MAAM,GAAG,IAAI;kBACZ,OAAO;kBACP,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC;uBACd,OAAO;oBACV;YAAE,GAAG,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,MAAM,CAAA;SAAE;;IAkC/D;;OAEG;;IAQH;;;OAGG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EASN"}