npm - @robelest/convex-auth - Versions diffs - 0.0.4-preview.2 → 0.0.4-preview.21 - Mend

@robelest/convex-auth 0.0.4-preview.2 → 0.0.4-preview.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (798) hide show

package/README.md +67 -26
package/dist/authorization/index.d.ts +63 -0
package/dist/authorization/index.d.ts.map +1 -0
package/dist/authorization/index.js +63 -0
package/dist/authorization/index.js.map +1 -0
package/dist/bin.js +6185 -0
package/dist/client/core/types.d.ts +20 -0
package/dist/client/core/types.d.ts.map +1 -0
package/dist/client/index.d.ts +2 -299
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +407 -534
package/dist/client/index.js.map +1 -1
package/dist/component/_generated/api.d.ts +42 -0
package/dist/component/_generated/api.d.ts.map +1 -1
package/dist/component/_generated/api.js.map +1 -1
package/dist/component/_generated/component.d.ts +2546 -90
package/dist/component/_generated/component.d.ts.map +1 -1
package/dist/component/client/core/types.d.ts +2 -0
package/dist/component/client/index.d.ts +2 -0
package/dist/component/convex.config.d.ts +2 -2
package/dist/component/functions.d.ts +11 -9
package/dist/component/functions.d.ts.map +1 -1
package/dist/component/functions.js.map +1 -1
package/dist/component/index.d.ts +7 -11
package/dist/component/index.js +2 -3
package/dist/component/model.d.ts +153 -0
package/dist/component/model.d.ts.map +1 -0
package/dist/component/model.js +349 -0
package/dist/component/model.js.map +1 -0
package/dist/component/providers/anonymous.d.ts +54 -0
package/dist/component/providers/anonymous.d.ts.map +1 -0
package/dist/component/providers/credentials.d.ts +5 -5
package/dist/component/providers/credentials.d.ts.map +1 -1
package/dist/component/providers/device.d.ts +67 -0
package/dist/component/providers/device.d.ts.map +1 -0
package/dist/component/providers/email.d.ts +62 -0
package/dist/component/providers/email.d.ts.map +1 -0
package/dist/component/providers/oauth.d.ts.map +1 -1
package/dist/component/providers/oauth.js.map +1 -1
package/dist/component/providers/passkey.d.ts +57 -0
package/dist/component/providers/passkey.d.ts.map +1 -0
package/dist/component/providers/password.d.ts +88 -0
package/dist/component/providers/password.d.ts.map +1 -0
package/dist/component/providers/phone.d.ts +48 -0
package/dist/component/providers/phone.d.ts.map +1 -0
package/dist/component/providers/sso.d.ts +50 -0
package/dist/component/providers/sso.d.ts.map +1 -0
package/dist/component/providers/totp.d.ts +45 -0
package/dist/component/providers/totp.d.ts.map +1 -0
package/dist/component/public/enterprise/audit.d.ts +73 -0
package/dist/component/public/enterprise/audit.d.ts.map +1 -0
package/dist/component/public/enterprise/audit.js +108 -0
package/dist/component/public/enterprise/audit.js.map +1 -0
package/dist/component/public/enterprise/core.d.ts +176 -0
package/dist/component/public/enterprise/core.d.ts.map +1 -0
package/dist/component/public/enterprise/core.js +292 -0
package/dist/component/public/enterprise/core.js.map +1 -0
package/dist/component/public/enterprise/domains.d.ts +174 -0
package/dist/component/public/enterprise/domains.d.ts.map +1 -0
package/dist/component/public/enterprise/domains.js +271 -0
package/dist/component/public/enterprise/domains.js.map +1 -0
package/dist/component/public/enterprise/scim.d.ts +245 -0
package/dist/component/public/enterprise/scim.d.ts.map +1 -0
package/dist/component/public/enterprise/scim.js +344 -0
package/dist/component/public/enterprise/scim.js.map +1 -0
package/dist/component/public/enterprise/secrets.d.ts +78 -0
package/dist/component/public/enterprise/secrets.d.ts.map +1 -0
package/dist/component/public/enterprise/secrets.js +118 -0
package/dist/component/public/enterprise/secrets.js.map +1 -0
package/dist/component/public/enterprise/webhooks.d.ts +211 -0
package/dist/component/public/enterprise/webhooks.d.ts.map +1 -0
package/dist/component/public/enterprise/webhooks.js +300 -0
package/dist/component/public/enterprise/webhooks.js.map +1 -0
package/dist/component/public/factors/devices.d.ts +157 -0
package/dist/component/public/factors/devices.d.ts.map +1 -0
package/dist/component/public/factors/devices.js +216 -0
package/dist/component/public/factors/devices.js.map +1 -0
package/dist/component/public/factors/passkeys.d.ts +175 -0
package/dist/component/public/factors/passkeys.d.ts.map +1 -0
package/dist/component/public/factors/passkeys.js +238 -0
package/dist/component/public/factors/passkeys.js.map +1 -0
package/dist/component/public/factors/totp.d.ts +189 -0
package/dist/component/public/factors/totp.d.ts.map +1 -0
package/dist/component/public/factors/totp.js +254 -0
package/dist/component/public/factors/totp.js.map +1 -0
package/dist/component/public/groups/core.d.ts +137 -0
package/dist/component/public/groups/core.d.ts.map +1 -0
package/dist/component/public/groups/core.js +321 -0
package/dist/component/public/groups/core.js.map +1 -0
package/dist/component/public/groups/invites.d.ts +217 -0
package/dist/component/public/groups/invites.d.ts.map +1 -0
package/dist/component/public/groups/invites.js +457 -0
package/dist/component/public/groups/invites.js.map +1 -0
package/dist/component/public/groups/members.d.ts +204 -0
package/dist/component/public/groups/members.d.ts.map +1 -0
package/dist/component/public/groups/members.js +355 -0
package/dist/component/public/groups/members.js.map +1 -0
package/dist/component/public/identity/accounts.d.ts +147 -0
package/dist/component/public/identity/accounts.d.ts.map +1 -0
package/dist/component/public/identity/accounts.js +200 -0
package/dist/component/public/identity/accounts.js.map +1 -0
package/dist/component/public/identity/codes.d.ts +104 -0
package/dist/component/public/identity/codes.d.ts.map +1 -0
package/dist/component/public/identity/codes.js +140 -0
package/dist/component/public/identity/codes.js.map +1 -0
package/dist/component/public/identity/sessions.d.ts +128 -0
package/dist/component/public/identity/sessions.d.ts.map +1 -0
package/dist/component/public/identity/sessions.js +192 -0
package/dist/component/public/identity/sessions.js.map +1 -0
package/dist/component/public/identity/tokens.d.ts +169 -0
package/dist/component/public/identity/tokens.d.ts.map +1 -0
package/dist/component/public/identity/tokens.js +227 -0
package/dist/component/public/identity/tokens.js.map +1 -0
package/dist/component/public/identity/users.d.ts +212 -0
package/dist/component/public/identity/users.d.ts.map +1 -0
package/dist/component/public/identity/users.js +311 -0
package/dist/component/public/identity/users.js.map +1 -0
package/dist/component/public/identity/verifiers.d.ts +116 -0
package/dist/component/public/identity/verifiers.d.ts.map +1 -0
package/dist/component/public/identity/verifiers.js +154 -0
package/dist/component/public/identity/verifiers.js.map +1 -0
package/dist/component/public/security/keys.d.ts +209 -0
package/dist/component/public/security/keys.d.ts.map +1 -0
package/dist/component/public/security/keys.js +319 -0
package/dist/component/public/security/keys.js.map +1 -0
package/dist/component/public/security/limits.d.ts +114 -0
package/dist/component/public/security/limits.d.ts.map +1 -0
package/dist/component/public/security/limits.js +169 -0
package/dist/component/public/security/limits.js.map +1 -0
package/dist/component/public.d.ts +24 -271
package/dist/component/public.d.ts.map +1 -1
package/dist/component/public.js +21 -1229
package/dist/component/schema.d.ts +473 -110
package/dist/component/schema.js +162 -73
package/dist/component/schema.js.map +1 -1
package/dist/component/server/auth.d.ts +318 -373
package/dist/component/server/auth.d.ts.map +1 -1
package/dist/component/server/auth.js +204 -123
package/dist/component/server/auth.js.map +1 -1
package/dist/component/server/authError.js +34 -0
package/dist/component/server/authError.js.map +1 -0
package/dist/component/server/{providers.js → config.js} +43 -12
package/dist/component/server/config.js.map +1 -0
package/dist/component/server/cookies.js +3 -0
package/dist/component/server/cookies.js.map +1 -1
package/dist/component/server/core.js +713 -0
package/dist/component/server/core.js.map +1 -0
package/dist/component/server/crypto.js +38 -0
package/dist/component/server/crypto.js.map +1 -0
package/dist/component/server/{implementation/db.js → db.js} +2 -1
package/dist/component/server/db.js.map +1 -0
package/dist/component/server/device.js +109 -0
package/dist/component/server/device.js.map +1 -0
package/dist/component/server/enterprise/config.js +46 -0
package/dist/component/server/enterprise/config.js.map +1 -0
package/dist/component/server/enterprise/domain.js +885 -0
package/dist/component/server/enterprise/domain.js.map +1 -0
package/dist/component/server/enterprise/http.js +766 -0
package/dist/component/server/enterprise/http.js.map +1 -0
package/dist/component/server/enterprise/oidc.js +248 -0
package/dist/component/server/enterprise/oidc.js.map +1 -0
package/dist/component/server/enterprise/policy.js +85 -0
package/dist/component/server/enterprise/policy.js.map +1 -0
package/dist/component/server/enterprise/saml.js +338 -0
package/dist/component/server/enterprise/saml.js.map +1 -0
package/dist/component/server/enterprise/scim.js +97 -0
package/dist/component/server/enterprise/scim.js.map +1 -0
package/dist/component/server/enterprise/shared.js +51 -0
package/dist/component/server/enterprise/shared.js.map +1 -0
package/dist/component/server/errors.d.ts +1 -0
package/dist/component/server/errors.js +24 -16
package/dist/component/server/errors.js.map +1 -1
package/dist/component/server/http.js +288 -0
package/dist/component/server/http.js.map +1 -0
package/dist/component/server/identity.js +13 -0
package/dist/component/server/identity.js.map +1 -0
package/dist/{server/implementation → component/server}/keys.js +9 -31
package/dist/component/server/keys.js.map +1 -0
package/dist/component/server/limits.js +61 -0
package/dist/component/server/limits.js.map +1 -0
package/dist/component/server/mutations/account.js +44 -0
package/dist/component/server/mutations/account.js.map +1 -0
package/dist/component/server/{implementation/mutations → mutations}/code.js +7 -4
package/dist/component/server/mutations/code.js.map +1 -0
package/dist/component/server/mutations/invalidate.js +32 -0
package/dist/component/server/mutations/invalidate.js.map +1 -0
package/dist/component/server/mutations/oauth.js +110 -0
package/dist/component/server/mutations/oauth.js.map +1 -0
package/dist/component/server/mutations/refresh.js +119 -0
package/dist/component/server/mutations/refresh.js.map +1 -0
package/dist/component/server/mutations/register.js +83 -0
package/dist/component/server/mutations/register.js.map +1 -0
package/dist/component/server/mutations/retrieve.js +65 -0
package/dist/component/server/mutations/retrieve.js.map +1 -0
package/dist/component/server/mutations/signature.js +32 -0
package/dist/component/server/mutations/signature.js.map +1 -0
package/dist/component/server/{implementation/mutations → mutations}/signin.js +2 -2
package/dist/component/server/mutations/signin.js.map +1 -0
package/dist/component/server/mutations/signout.js +27 -0
package/dist/component/server/mutations/signout.js.map +1 -0
package/dist/component/server/mutations/store/refs.js +15 -0
package/dist/component/server/mutations/store/refs.js.map +1 -0
package/dist/component/server/mutations/store.js +85 -0
package/dist/component/server/mutations/store.js.map +1 -0
package/dist/component/server/mutations/verifier.js +18 -0
package/dist/component/server/mutations/verifier.js.map +1 -0
package/dist/component/server/mutations/verify.js +98 -0
package/dist/component/server/mutations/verify.js.map +1 -0
package/dist/component/server/oauth.js +106 -60
package/dist/component/server/oauth.js.map +1 -1
package/dist/component/server/passkey.js +328 -0
package/dist/component/server/passkey.js.map +1 -0
package/dist/{server/implementation → component/server}/redirects.js +13 -11
package/dist/component/server/redirects.js.map +1 -0
package/dist/component/server/refresh.js +96 -0
package/dist/component/server/refresh.js.map +1 -0
package/dist/component/server/runtime.d.ts +136 -0
package/dist/component/server/runtime.d.ts.map +1 -0
package/dist/component/server/runtime.js +413 -0
package/dist/component/server/runtime.js.map +1 -0
package/dist/{server/implementation → component/server}/sessions.js +14 -8
package/dist/component/server/sessions.js.map +1 -0
package/dist/component/server/signin.js +201 -0
package/dist/component/server/signin.js.map +1 -0
package/dist/component/server/tokens.js +17 -0
package/dist/component/server/tokens.js.map +1 -0
package/dist/component/server/totp.js +148 -0
package/dist/component/server/totp.js.map +1 -0
package/dist/component/server/types.d.ts +387 -298
package/dist/component/server/types.d.ts.map +1 -1
package/dist/component/server/{implementation/types.js → types.js} +1 -1
package/dist/component/server/types.js.map +1 -0
package/dist/component/server/{implementation/users.js → users.js} +54 -35
package/dist/component/server/users.js.map +1 -0
package/dist/component/server/utils.js +110 -4
package/dist/component/server/utils.js.map +1 -1
package/dist/core/types.d.ts +369 -0
package/dist/core/types.d.ts.map +1 -0
package/dist/factors/device.js +105 -0
package/dist/factors/device.js.map +1 -0
package/dist/factors/passkey.js +181 -0
package/dist/factors/passkey.js.map +1 -0
package/dist/factors/totp.js +122 -0
package/dist/factors/totp.js.map +1 -0
package/dist/providers/anonymous.d.ts +3 -9
package/dist/providers/anonymous.d.ts.map +1 -1
package/dist/providers/anonymous.js +1 -18
package/dist/providers/anonymous.js.map +1 -1
package/dist/providers/credentials.d.ts +8 -10
package/dist/providers/credentials.d.ts.map +1 -1
package/dist/providers/credentials.js +3 -5
package/dist/providers/credentials.js.map +1 -1
package/dist/providers/device.d.ts +18 -10
package/dist/providers/device.d.ts.map +1 -1
package/dist/providers/device.js +4 -8
package/dist/providers/device.js.map +1 -1
package/dist/providers/email.d.ts +50 -23
package/dist/providers/email.d.ts.map +1 -1
package/dist/providers/email.js +58 -34
package/dist/providers/email.js.map +1 -1
package/dist/providers/index.d.ts +7 -3
package/dist/providers/index.js +4 -1
package/dist/providers/oauth.d.ts.map +1 -1
package/dist/providers/oauth.js.map +1 -1
package/dist/providers/passkey.d.ts +12 -9
package/dist/providers/passkey.d.ts.map +1 -1
package/dist/providers/passkey.js +1 -7
package/dist/providers/passkey.js.map +1 -1
package/dist/providers/password.d.ts +6 -12
package/dist/providers/password.d.ts.map +1 -1
package/dist/providers/password.js +189 -89
package/dist/providers/password.js.map +1 -1
package/dist/providers/phone.d.ts +40 -11
package/dist/providers/phone.d.ts.map +1 -1
package/dist/providers/phone.js +52 -21
package/dist/providers/phone.js.map +1 -1
package/dist/providers/sso.d.ts +50 -0
package/dist/providers/sso.d.ts.map +1 -0
package/dist/providers/sso.js +34 -0
package/dist/providers/sso.js.map +1 -0
package/dist/providers/totp.d.ts +12 -9
package/dist/providers/totp.d.ts.map +1 -1
package/dist/providers/totp.js +1 -7
package/dist/providers/totp.js.map +1 -1
package/dist/runtime/browser.js +68 -0
package/dist/runtime/browser.js.map +1 -0
package/dist/runtime/invite.js +51 -0
package/dist/runtime/invite.js.map +1 -0
package/dist/runtime/proxy.js +70 -0
package/dist/runtime/proxy.js.map +1 -0
package/dist/runtime/storage.js +37 -0
package/dist/runtime/storage.js.map +1 -0
package/dist/server/auth.d.ts +335 -370
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +204 -123
package/dist/server/auth.js.map +1 -1
package/dist/server/authError.d.ts +46 -0
package/dist/server/authError.d.ts.map +1 -0
package/dist/server/authError.js +34 -0
package/dist/server/authError.js.map +1 -0
package/dist/server/config.d.ts +1 -0
package/dist/server/{providers.js → config.js} +43 -12
package/dist/server/config.js.map +1 -0
package/dist/server/cookies.d.ts +1 -38
package/dist/server/cookies.js +3 -0
package/dist/server/cookies.js.map +1 -1
package/dist/server/core.d.ts +1436 -0
package/dist/server/core.d.ts.map +1 -0
package/dist/server/core.js +713 -0
package/dist/server/core.js.map +1 -0
package/dist/server/crypto.d.ts +8 -0
package/dist/server/crypto.d.ts.map +1 -0
package/dist/server/crypto.js +38 -0
package/dist/server/crypto.js.map +1 -0
package/dist/server/db.d.ts +1 -0
package/dist/server/{implementation/db.js → db.js} +2 -1
package/dist/server/db.js.map +1 -0
package/dist/server/device.d.ts +1 -0
package/dist/server/device.js +109 -0
package/dist/server/device.js.map +1 -0
package/dist/server/enterprise/config.d.ts +1 -0
package/dist/server/enterprise/config.js +46 -0
package/dist/server/enterprise/config.js.map +1 -0
package/dist/server/enterprise/domain.d.ts +409 -0
package/dist/server/enterprise/domain.d.ts.map +1 -0
package/dist/server/enterprise/domain.js +885 -0
package/dist/server/enterprise/domain.js.map +1 -0
package/dist/server/enterprise/http.d.ts +26 -0
package/dist/server/enterprise/http.d.ts.map +1 -0
package/dist/server/enterprise/http.js +766 -0
package/dist/server/enterprise/http.js.map +1 -0
package/dist/server/enterprise/oidc.d.ts +1 -0
package/dist/server/enterprise/oidc.js +248 -0
package/dist/server/enterprise/oidc.js.map +1 -0
package/dist/server/enterprise/policy.d.ts +1 -0
package/dist/server/enterprise/policy.js +85 -0
package/dist/server/enterprise/policy.js.map +1 -0
package/dist/server/enterprise/saml.d.ts +1 -0
package/dist/server/enterprise/saml.js +338 -0
package/dist/server/enterprise/saml.js.map +1 -0
package/dist/server/enterprise/scim.d.ts +1 -0
package/dist/server/enterprise/scim.js +97 -0
package/dist/server/enterprise/scim.js.map +1 -0
package/dist/server/enterprise/shared.d.ts +5 -0
package/dist/server/enterprise/shared.d.ts.map +1 -0
package/dist/server/enterprise/shared.js +51 -0
package/dist/server/enterprise/shared.js.map +1 -0
package/dist/server/enterprise/validators.d.ts +1 -0
package/dist/server/enterprise/validators.js +60 -0
package/dist/server/enterprise/validators.js.map +1 -0
package/dist/server/errors.d.ts +33 -1
package/dist/server/errors.d.ts.map +1 -1
package/dist/server/errors.js +44 -1
package/dist/server/errors.js.map +1 -1
package/dist/server/http.d.ts +59 -0
package/dist/server/http.d.ts.map +1 -0
package/dist/server/http.js +288 -0
package/dist/server/http.js.map +1 -0
package/dist/server/identity.d.ts +1 -0
package/dist/server/identity.js +13 -0
package/dist/server/identity.js.map +1 -0
package/dist/server/index.d.ts +4 -182
package/dist/server/index.js +4 -376
package/dist/server/keys.d.ts +1 -0
package/dist/{component/server/implementation → server}/keys.js +9 -31
package/dist/server/keys.js.map +1 -0
package/dist/server/limits.d.ts +1 -0
package/dist/server/limits.js +61 -0
package/dist/server/limits.js.map +1 -0
package/dist/server/mounts.d.ts +647 -0
package/dist/server/mounts.d.ts.map +1 -0
package/dist/server/mounts.js +643 -0
package/dist/server/mounts.js.map +1 -0
package/dist/server/mutations/account.d.ts +30 -0
package/dist/server/mutations/account.d.ts.map +1 -0
package/dist/server/mutations/account.js +44 -0
package/dist/server/mutations/account.js.map +1 -0
package/dist/server/mutations/code.d.ts +30 -0
package/dist/server/mutations/code.d.ts.map +1 -0
package/dist/server/{implementation/mutations → mutations}/code.js +7 -4
package/dist/server/mutations/code.js.map +1 -0
package/dist/server/mutations/index.d.ts +14 -0
package/dist/server/mutations/index.js +15 -0
package/dist/server/mutations/invalidate.d.ts +20 -0
package/dist/server/mutations/invalidate.d.ts.map +1 -0
package/dist/server/mutations/invalidate.js +32 -0
package/dist/server/mutations/invalidate.js.map +1 -0
package/dist/server/mutations/oauth.d.ts +28 -0
package/dist/server/mutations/oauth.d.ts.map +1 -0
package/dist/server/mutations/oauth.js +110 -0
package/dist/server/mutations/oauth.js.map +1 -0
package/dist/server/mutations/refresh.d.ts +21 -0
package/dist/server/mutations/refresh.d.ts.map +1 -0
package/dist/server/mutations/refresh.js +119 -0
package/dist/server/mutations/refresh.js.map +1 -0
package/dist/server/mutations/register.d.ts +38 -0
package/dist/server/mutations/register.d.ts.map +1 -0
package/dist/server/mutations/register.js +83 -0
package/dist/server/mutations/register.js.map +1 -0
package/dist/server/mutations/retrieve.d.ts +33 -0
package/dist/server/mutations/retrieve.d.ts.map +1 -0
package/dist/server/mutations/retrieve.js +65 -0
package/dist/server/mutations/retrieve.js.map +1 -0
package/dist/server/mutations/signature.d.ts +22 -0
package/dist/server/mutations/signature.d.ts.map +1 -0
package/dist/server/mutations/signature.js +32 -0
package/dist/server/mutations/signature.js.map +1 -0
package/dist/server/mutations/signin.d.ts +22 -0
package/dist/server/mutations/signin.d.ts.map +1 -0
package/dist/server/{implementation/mutations → mutations}/signin.js +2 -2
package/dist/server/mutations/signin.js.map +1 -0
package/dist/server/mutations/signout.d.ts +16 -0
package/dist/server/mutations/signout.d.ts.map +1 -0
package/dist/server/mutations/signout.js +27 -0
package/dist/server/mutations/signout.js.map +1 -0
package/dist/server/mutations/store/refs.d.ts +12 -0
package/dist/server/mutations/store/refs.d.ts.map +1 -0
package/dist/server/mutations/store/refs.js +15 -0
package/dist/server/mutations/store/refs.js.map +1 -0
package/dist/server/mutations/store.d.ts +306 -0
package/dist/server/mutations/store.d.ts.map +1 -0
package/dist/server/mutations/store.js +85 -0
package/dist/server/mutations/store.js.map +1 -0
package/dist/server/mutations/verifier.d.ts +13 -0
package/dist/server/mutations/verifier.d.ts.map +1 -0
package/dist/server/mutations/verifier.js +18 -0
package/dist/server/mutations/verifier.js.map +1 -0
package/dist/server/mutations/verify.d.ts +26 -0
package/dist/server/mutations/verify.d.ts.map +1 -0
package/dist/server/mutations/verify.js +98 -0
package/dist/server/mutations/verify.js.map +1 -0
package/dist/server/oauth.d.ts +1 -48
package/dist/server/oauth.js +107 -64
package/dist/server/oauth.js.map +1 -1
package/dist/server/passkey.d.ts +27 -0
package/dist/server/passkey.d.ts.map +1 -0
package/dist/server/passkey.js +328 -0
package/dist/server/passkey.js.map +1 -0
package/dist/server/redirects.d.ts +1 -0
package/dist/{component/server/implementation → server}/redirects.js +13 -11
package/dist/server/redirects.js.map +1 -0
package/dist/server/refresh.d.ts +1 -0
package/dist/server/refresh.js +96 -0
package/dist/server/refresh.js.map +1 -0
package/dist/server/runtime.d.ts +136 -0
package/dist/server/runtime.d.ts.map +1 -0
package/dist/server/runtime.js +413 -0
package/dist/server/runtime.js.map +1 -0
package/dist/server/sessions.d.ts +1 -0
package/dist/{component/server/implementation → server}/sessions.js +14 -8
package/dist/server/sessions.js.map +1 -0
package/dist/server/signin.d.ts +1 -0
package/dist/server/signin.js +201 -0
package/dist/server/signin.js.map +1 -0
package/dist/server/ssr.d.ts +226 -0
package/dist/server/ssr.d.ts.map +1 -0
package/dist/server/ssr.js +786 -0
package/dist/server/ssr.js.map +1 -0
package/dist/server/templates.d.ts +1 -21
package/dist/server/templates.js +2 -1
package/dist/server/templates.js.map +1 -1
package/dist/server/tokens.d.ts +1 -0
package/dist/server/tokens.js +17 -0
package/dist/server/tokens.js.map +1 -0
package/dist/server/totp.d.ts +1 -0
package/dist/server/totp.js +148 -0
package/dist/server/totp.js.map +1 -0
package/dist/server/types.d.ts +498 -306
package/dist/server/types.d.ts.map +1 -1
package/dist/server/types.js +108 -1
package/dist/server/types.js.map +1 -0
package/dist/server/users.d.ts +1 -0
package/dist/server/{implementation/users.js → users.js} +54 -35
package/dist/server/users.js.map +1 -0
package/dist/server/utils.d.ts +1 -6
package/dist/server/utils.js +110 -4
package/dist/server/utils.js.map +1 -1
package/package.json +49 -46
package/src/authorization/index.ts +83 -0
package/src/cli/bin.ts +5 -0
package/src/cli/command.ts +6 -5
package/src/cli/index.ts +456 -248
package/src/cli/keys.ts +3 -0
package/src/client/core/types.ts +437 -0
package/src/client/factors/device.ts +160 -0
package/src/client/factors/passkey.ts +282 -0
package/src/client/factors/totp.ts +150 -0
package/src/client/index.ts +745 -989
package/src/client/runtime/browser.ts +112 -0
package/src/client/runtime/invite.ts +65 -0
package/src/client/runtime/proxy.ts +111 -0
package/src/client/runtime/storage.ts +79 -0
package/src/component/_generated/api.ts +42 -0
package/src/component/_generated/component.ts +3123 -102
package/src/component/functions.ts +38 -22
package/src/component/index.ts +10 -20
package/src/component/model.ts +449 -0
package/src/component/public/enterprise/audit.ts +120 -0
package/src/component/public/enterprise/core.ts +354 -0
package/src/component/public/enterprise/domains.ts +323 -0
package/src/component/public/enterprise/scim.ts +396 -0
package/src/component/public/enterprise/secrets.ts +132 -0
package/src/component/public/enterprise/webhooks.ts +306 -0
package/src/component/public/factors/devices.ts +223 -0
package/src/component/public/factors/passkeys.ts +242 -0
package/src/component/public/factors/totp.ts +258 -0
package/src/component/public/groups/core.ts +481 -0
package/src/component/public/groups/invites.ts +602 -0
package/src/component/public/groups/members.ts +409 -0
package/src/component/public/identity/accounts.ts +206 -0
package/src/component/public/identity/codes.ts +148 -0
package/src/component/public/identity/sessions.ts +209 -0
package/src/component/public/identity/tokens.ts +250 -0
package/src/component/public/identity/users.ts +354 -0
package/src/component/public/identity/verifiers.ts +157 -0
package/src/component/public/security/keys.ts +365 -0
package/src/component/public/security/limits.ts +173 -0
package/src/component/public.ts +26 -1766
package/src/component/schema.ts +273 -100
package/src/providers/anonymous.ts +10 -20
package/src/providers/credentials.ts +14 -22
package/src/providers/device.ts +3 -14
package/src/providers/email.ts +83 -47
package/src/providers/index.ts +7 -0
package/src/providers/oauth.ts +5 -3
package/src/providers/passkey.ts +0 -13
package/src/providers/password.ts +307 -130
package/src/providers/phone.ts +81 -37
package/src/providers/sso.ts +54 -0
package/src/providers/totp.ts +0 -13
package/src/samlify.d.ts +53 -0
package/src/server/auth.ts +701 -247
package/src/server/authError.ts +44 -0
package/src/server/{providers.ts → config.ts} +84 -15
package/src/server/cookies.ts +8 -1
package/src/server/core.ts +2095 -0
package/src/server/crypto.ts +88 -0
package/src/server/{implementation/db.ts → db.ts} +90 -15
package/src/server/device.ts +221 -0
package/src/server/enterprise/config.ts +51 -0
package/src/server/enterprise/domain.ts +1751 -0
package/src/server/enterprise/http.ts +1324 -0
package/src/server/enterprise/oidc.ts +500 -0
package/src/server/enterprise/policy.ts +128 -0
package/src/server/enterprise/saml.ts +578 -0
package/src/server/enterprise/scim.ts +135 -0
package/src/server/enterprise/shared.ts +134 -0
package/src/server/enterprise/validators.ts +93 -0
package/src/server/errors.ts +130 -119
package/src/server/http.ts +531 -0
package/src/server/identity.ts +18 -0
package/src/server/index.ts +32 -650
package/src/server/{implementation/keys.ts → keys.ts} +16 -44
package/src/server/limits.ts +134 -0
package/src/server/mounts.ts +948 -0
package/src/server/mutations/account.ts +76 -0
package/src/server/{implementation/mutations → mutations}/code.ts +22 -11
package/src/server/mutations/index.ts +13 -0
package/src/server/mutations/invalidate.ts +50 -0
package/src/server/mutations/oauth.ts +237 -0
package/src/server/mutations/refresh.ts +298 -0
package/src/server/mutations/register.ts +200 -0
package/src/server/mutations/retrieve.ts +109 -0
package/src/server/mutations/signature.ts +50 -0
package/src/server/{implementation/mutations → mutations}/signin.ts +9 -7
package/src/server/mutations/signout.ts +43 -0
package/src/server/mutations/store/refs.ts +10 -0
package/src/server/mutations/store.ts +138 -0
package/src/server/mutations/verifier.ts +34 -0
package/src/server/mutations/verify.ts +202 -0
package/src/server/oauth.ts +243 -131
package/src/server/passkey.ts +784 -0
package/src/server/{implementation/redirects.ts → redirects.ts} +21 -16
package/src/server/refresh.ts +222 -0
package/src/server/runtime.ts +880 -0
package/src/server/{implementation/sessions.ts → sessions.ts} +33 -25
package/src/server/signin.ts +438 -0
package/src/server/ssr.ts +1764 -0
package/src/server/templates.ts +8 -3
package/src/server/{implementation/tokens.ts → tokens.ts} +11 -5
package/src/server/totp.ts +349 -0
package/src/server/types.ts +972 -207
package/src/server/{implementation/users.ts → users.ts} +129 -75
package/src/server/utils.ts +192 -5
package/src/test.ts +28 -4
package/dist/bin.cjs +0 -27757
package/dist/component/providers/email.js +0 -47
package/dist/component/providers/email.js.map +0 -1
package/dist/component/public.js.map +0 -1
package/dist/component/server/implementation/db.js.map +0 -1
package/dist/component/server/implementation/device.js +0 -135
package/dist/component/server/implementation/device.js.map +0 -1
package/dist/component/server/implementation/index.d.ts +0 -870
package/dist/component/server/implementation/index.d.ts.map +0 -1
package/dist/component/server/implementation/index.js +0 -610
package/dist/component/server/implementation/index.js.map +0 -1
package/dist/component/server/implementation/keys.js.map +0 -1
package/dist/component/server/implementation/mutations/account.js +0 -39
package/dist/component/server/implementation/mutations/account.js.map +0 -1
package/dist/component/server/implementation/mutations/code.js.map +0 -1
package/dist/component/server/implementation/mutations/index.js +0 -70
package/dist/component/server/implementation/mutations/index.js.map +0 -1
package/dist/component/server/implementation/mutations/invalidate.js +0 -29
package/dist/component/server/implementation/mutations/invalidate.js.map +0 -1
package/dist/component/server/implementation/mutations/oauth.js +0 -51
package/dist/component/server/implementation/mutations/oauth.js.map +0 -1
package/dist/component/server/implementation/mutations/refresh.js +0 -85
package/dist/component/server/implementation/mutations/refresh.js.map +0 -1
package/dist/component/server/implementation/mutations/register.js +0 -65
package/dist/component/server/implementation/mutations/register.js.map +0 -1
package/dist/component/server/implementation/mutations/retrieve.js +0 -50
package/dist/component/server/implementation/mutations/retrieve.js.map +0 -1
package/dist/component/server/implementation/mutations/signature.js +0 -27
package/dist/component/server/implementation/mutations/signature.js.map +0 -1
package/dist/component/server/implementation/mutations/signin.js.map +0 -1
package/dist/component/server/implementation/mutations/signout.js +0 -27
package/dist/component/server/implementation/mutations/signout.js.map +0 -1
package/dist/component/server/implementation/mutations/store.js +0 -12
package/dist/component/server/implementation/mutations/store.js.map +0 -1
package/dist/component/server/implementation/mutations/verifier.js +0 -16
package/dist/component/server/implementation/mutations/verifier.js.map +0 -1
package/dist/component/server/implementation/mutations/verify.js +0 -105
package/dist/component/server/implementation/mutations/verify.js.map +0 -1
package/dist/component/server/implementation/passkey.js +0 -307
package/dist/component/server/implementation/passkey.js.map +0 -1
package/dist/component/server/implementation/provider.js +0 -19
package/dist/component/server/implementation/provider.js.map +0 -1
package/dist/component/server/implementation/ratelimit.js +0 -48
package/dist/component/server/implementation/ratelimit.js.map +0 -1
package/dist/component/server/implementation/redirects.js.map +0 -1
package/dist/component/server/implementation/refresh.js +0 -109
package/dist/component/server/implementation/refresh.js.map +0 -1
package/dist/component/server/implementation/sessions.js.map +0 -1
package/dist/component/server/implementation/signin.js +0 -148
package/dist/component/server/implementation/signin.js.map +0 -1
package/dist/component/server/implementation/tokens.js +0 -15
package/dist/component/server/implementation/tokens.js.map +0 -1
package/dist/component/server/implementation/totp.js +0 -142
package/dist/component/server/implementation/totp.js.map +0 -1
package/dist/component/server/implementation/types.d.ts +0 -42
package/dist/component/server/implementation/types.d.ts.map +0 -1
package/dist/component/server/implementation/types.js.map +0 -1
package/dist/component/server/implementation/users.js.map +0 -1
package/dist/component/server/implementation/utils.js +0 -56
package/dist/component/server/implementation/utils.js.map +0 -1
package/dist/component/server/providers.js.map +0 -1
package/dist/component/server/templates.js +0 -84
package/dist/component/server/templates.js.map +0 -1
package/dist/server/cookies.d.ts.map +0 -1
package/dist/server/implementation/db.d.ts +0 -86
package/dist/server/implementation/db.d.ts.map +0 -1
package/dist/server/implementation/db.js.map +0 -1
package/dist/server/implementation/device.d.ts +0 -30
package/dist/server/implementation/device.d.ts.map +0 -1
package/dist/server/implementation/device.js +0 -135
package/dist/server/implementation/device.js.map +0 -1
package/dist/server/implementation/index.d.ts +0 -870
package/dist/server/implementation/index.d.ts.map +0 -1
package/dist/server/implementation/index.js +0 -610
package/dist/server/implementation/index.js.map +0 -1
package/dist/server/implementation/keys.d.ts +0 -66
package/dist/server/implementation/keys.d.ts.map +0 -1
package/dist/server/implementation/keys.js.map +0 -1
package/dist/server/implementation/mutations/account.d.ts +0 -27
package/dist/server/implementation/mutations/account.d.ts.map +0 -1
package/dist/server/implementation/mutations/account.js +0 -39
package/dist/server/implementation/mutations/account.js.map +0 -1
package/dist/server/implementation/mutations/code.d.ts +0 -29
package/dist/server/implementation/mutations/code.d.ts.map +0 -1
package/dist/server/implementation/mutations/code.js.map +0 -1
package/dist/server/implementation/mutations/index.d.ts +0 -310
package/dist/server/implementation/mutations/index.d.ts.map +0 -1
package/dist/server/implementation/mutations/index.js +0 -70
package/dist/server/implementation/mutations/index.js.map +0 -1
package/dist/server/implementation/mutations/invalidate.d.ts +0 -18
package/dist/server/implementation/mutations/invalidate.d.ts.map +0 -1
package/dist/server/implementation/mutations/invalidate.js +0 -29
package/dist/server/implementation/mutations/invalidate.js.map +0 -1
package/dist/server/implementation/mutations/oauth.d.ts +0 -23
package/dist/server/implementation/mutations/oauth.d.ts.map +0 -1
package/dist/server/implementation/mutations/oauth.js +0 -51
package/dist/server/implementation/mutations/oauth.js.map +0 -1
package/dist/server/implementation/mutations/refresh.d.ts +0 -20
package/dist/server/implementation/mutations/refresh.d.ts.map +0 -1
package/dist/server/implementation/mutations/refresh.js +0 -85
package/dist/server/implementation/mutations/refresh.js.map +0 -1
package/dist/server/implementation/mutations/register.d.ts +0 -37
package/dist/server/implementation/mutations/register.d.ts.map +0 -1
package/dist/server/implementation/mutations/register.js +0 -65
package/dist/server/implementation/mutations/register.js.map +0 -1
package/dist/server/implementation/mutations/retrieve.d.ts +0 -31
package/dist/server/implementation/mutations/retrieve.d.ts.map +0 -1
package/dist/server/implementation/mutations/retrieve.js +0 -50
package/dist/server/implementation/mutations/retrieve.js.map +0 -1
package/dist/server/implementation/mutations/signature.d.ts +0 -19
package/dist/server/implementation/mutations/signature.d.ts.map +0 -1
package/dist/server/implementation/mutations/signature.js +0 -27
package/dist/server/implementation/mutations/signature.js.map +0 -1
package/dist/server/implementation/mutations/signin.d.ts +0 -21
package/dist/server/implementation/mutations/signin.d.ts.map +0 -1
package/dist/server/implementation/mutations/signin.js.map +0 -1
package/dist/server/implementation/mutations/signout.d.ts +0 -14
package/dist/server/implementation/mutations/signout.d.ts.map +0 -1
package/dist/server/implementation/mutations/signout.js +0 -27
package/dist/server/implementation/mutations/signout.js.map +0 -1
package/dist/server/implementation/mutations/store.d.ts +0 -11
package/dist/server/implementation/mutations/store.d.ts.map +0 -1
package/dist/server/implementation/mutations/store.js +0 -12
package/dist/server/implementation/mutations/store.js.map +0 -1
package/dist/server/implementation/mutations/verifier.d.ts +0 -11
package/dist/server/implementation/mutations/verifier.d.ts.map +0 -1
package/dist/server/implementation/mutations/verifier.js +0 -16
package/dist/server/implementation/mutations/verifier.js.map +0 -1
package/dist/server/implementation/mutations/verify.d.ts +0 -25
package/dist/server/implementation/mutations/verify.d.ts.map +0 -1
package/dist/server/implementation/mutations/verify.js +0 -105
package/dist/server/implementation/mutations/verify.js.map +0 -1
package/dist/server/implementation/passkey.d.ts +0 -24
package/dist/server/implementation/passkey.d.ts.map +0 -1
package/dist/server/implementation/passkey.js +0 -307
package/dist/server/implementation/passkey.js.map +0 -1
package/dist/server/implementation/provider.d.ts +0 -10
package/dist/server/implementation/provider.d.ts.map +0 -1
package/dist/server/implementation/provider.js +0 -19
package/dist/server/implementation/provider.js.map +0 -1
package/dist/server/implementation/ratelimit.d.ts +0 -10
package/dist/server/implementation/ratelimit.d.ts.map +0 -1
package/dist/server/implementation/ratelimit.js +0 -48
package/dist/server/implementation/ratelimit.js.map +0 -1
package/dist/server/implementation/redirects.d.ts +0 -10
package/dist/server/implementation/redirects.d.ts.map +0 -1
package/dist/server/implementation/redirects.js.map +0 -1
package/dist/server/implementation/refresh.d.ts +0 -37
package/dist/server/implementation/refresh.d.ts.map +0 -1
package/dist/server/implementation/refresh.js +0 -109
package/dist/server/implementation/refresh.js.map +0 -1
package/dist/server/implementation/sessions.d.ts +0 -29
package/dist/server/implementation/sessions.d.ts.map +0 -1
package/dist/server/implementation/sessions.js.map +0 -1
package/dist/server/implementation/signin.d.ts +0 -55
package/dist/server/implementation/signin.d.ts.map +0 -1
package/dist/server/implementation/signin.js +0 -148
package/dist/server/implementation/signin.js.map +0 -1
package/dist/server/implementation/tokens.d.ts +0 -11
package/dist/server/implementation/tokens.d.ts.map +0 -1
package/dist/server/implementation/tokens.js +0 -15
package/dist/server/implementation/tokens.js.map +0 -1
package/dist/server/implementation/totp.d.ts +0 -31
package/dist/server/implementation/totp.d.ts.map +0 -1
package/dist/server/implementation/totp.js +0 -142
package/dist/server/implementation/totp.js.map +0 -1
package/dist/server/implementation/types.d.ts +0 -189
package/dist/server/implementation/types.d.ts.map +0 -1
package/dist/server/implementation/types.js +0 -97
package/dist/server/implementation/types.js.map +0 -1
package/dist/server/implementation/users.d.ts +0 -30
package/dist/server/implementation/users.d.ts.map +0 -1
package/dist/server/implementation/users.js.map +0 -1
package/dist/server/implementation/utils.d.ts +0 -19
package/dist/server/implementation/utils.d.ts.map +0 -1
package/dist/server/implementation/utils.js +0 -56
package/dist/server/implementation/utils.js.map +0 -1
package/dist/server/index.d.ts.map +0 -1
package/dist/server/index.js.map +0 -1
package/dist/server/oauth.d.ts.map +0 -1
package/dist/server/providers.d.ts +0 -72
package/dist/server/providers.d.ts.map +0 -1
package/dist/server/providers.js.map +0 -1
package/dist/server/templates.d.ts.map +0 -1
package/dist/server/utils.d.ts.map +0 -1
package/dist/server/version.d.ts +0 -5
package/dist/server/version.d.ts.map +0 -1
package/dist/server/version.js +0 -6
package/dist/server/version.js.map +0 -1
package/src/cli/utils.ts +0 -248
package/src/server/implementation/device.ts +0 -307
package/src/server/implementation/index.ts +0 -1583
package/src/server/implementation/mutations/account.ts +0 -50
package/src/server/implementation/mutations/index.ts +0 -157
package/src/server/implementation/mutations/invalidate.ts +0 -42
package/src/server/implementation/mutations/oauth.ts +0 -73
package/src/server/implementation/mutations/refresh.ts +0 -175
package/src/server/implementation/mutations/register.ts +0 -100
package/src/server/implementation/mutations/retrieve.ts +0 -79
package/src/server/implementation/mutations/signature.ts +0 -39
package/src/server/implementation/mutations/signout.ts +0 -35
package/src/server/implementation/mutations/store.ts +0 -7
package/src/server/implementation/mutations/verifier.ts +0 -24
package/src/server/implementation/mutations/verify.ts +0 -194
package/src/server/implementation/passkey.ts +0 -620
package/src/server/implementation/provider.ts +0 -36
package/src/server/implementation/ratelimit.ts +0 -79
package/src/server/implementation/refresh.ts +0 -172
package/src/server/implementation/signin.ts +0 -296
package/src/server/implementation/totp.ts +0 -342
package/src/server/implementation/types.ts +0 -444
package/src/server/implementation/utils.ts +0 -91
package/src/server/version.ts +0 -2

package/src/server/types.ts CHANGED Viewed

@@ -1,27 +1,107 @@
 import {
   AnyDataModel,
+  DataModelFromSchemaDefinition,
   DocumentByName,
   FunctionReference,
   GenericActionCtx,
   GenericDataModel,
   GenericMutationCtx,
+  GenericQueryCtx,
   RegisteredAction,
   RegisteredMutation,
   RegisteredQuery,
   TableNamesInDataModel,
 } from "convex/server";
+import type { Infer } from "convex/values";
 import { GenericId, Value } from "convex/values";
-import { CredentialsUserConfig } from "../providers/credentials";
+import {
+  vApiKeyDoc,
+  vAuthVerifierDoc,
+  vDeviceCodeDoc,
+  vPasskeyDoc,
+  vTotpFactorDoc,
+  vUserDoc,
+} from "../component/model";
+import schema from "../component/schema";
+import type { CredentialsConfig } from "../providers/credentials";
 // ============================================================================
 // Utility types
 // ============================================================================
-/** A value that is either `T` or a `PromiseLike<T>`. */
+/**
+ * A value that is either `T` or a `PromiseLike<T>`.
+ *
+ * @typeParam T - The underlying value type.
+ */
 export type Awaitable<T> = T | PromiseLike<T>;
 /**
- * The config for the Convex Auth library, passed to `Auth`.
+ * A single role definition within the authorization config.
+ *
+ * Each role has an optional human-readable label and a list of grant strings
+ * that members with this role receive.
+ *
+ * @see {@link AuthAuthorizationConfig}
+ */
+export type AuthRoleDefinition = {
+  /** Optional stable identifier (defaults to the record key). */
+  id?: string;
+  /** Human-readable label for admin UIs. */
+  label?: string;
+  /** Permission grant strings conferred by this role. */
+  grants: string[];
+};
+/**
+ * Authorization configuration mapping role IDs to {@link AuthRoleDefinition}s.
+ *
+ * Passed as `authorization.roles` in {@link ConvexAuthConfig}.
+ *
+ * @see {@link AuthRoleDefinition}
+ * @see {@link ConvexAuthConfig}
+ */
+export type AuthAuthorizationConfig = {
+  roles: Record<string, AuthRoleDefinition>;
+};
+/**
+ * Extracts the union of role ID strings from an authorization config.
+ *
+ * When `TAuthorization` is defined, this resolves to the literal key union
+ * of the `roles` record. Otherwise falls back to `string`.
+ *
+ * @typeParam TAuthorization - The authorization config type, or `undefined`.
+ *
+ * @see {@link AuthGrant}
+ */
+export type AuthRoleId<
+  TAuthorization extends AuthAuthorizationConfig | undefined,
+> = TAuthorization extends { roles: infer TRoles extends Record<string, any> }
+  ? keyof TRoles & string
+  : string;
+/**
+ * Extracts the union of grant strings from all roles in an authorization config.
+ *
+ * When `TAuthorization` is defined, this resolves to the literal union
+ * of all `grants` array elements across every role. Otherwise falls back to `string`.
+ *
+ * @typeParam TAuthorization - The authorization config type, or `undefined`.
+ *
+ * @see {@link AuthRoleId}
+ */
+export type AuthGrant<
+  TAuthorization extends AuthAuthorizationConfig | undefined,
+> = TAuthorization extends {
+  roles: infer TRoles extends Record<string, { grants: readonly any[] }>;
+}
+  ? TRoles[keyof TRoles]["grants"][number] & string
+  : string;
+/**
+ * The config for the Convex Auth library, passed to `createAuth`.
  */
 export type ConvexAuthConfig = {
   /**
@@ -46,12 +126,16 @@ export type ConvexAuthConfig = {
      * How long can a user session last without the user reauthenticating.
      *
      * Defaults to 30 days.
+     *
+     * @defaultValue 2_592_000_000
      */
     totalDurationMs?: number;
     /**
      * How long can a user session last without the user being active.
      *
      * Defaults to 30 days.
+     *
+     * @defaultValue 2_592_000_000
      */
     inactiveDurationMs?: number;
   };
@@ -63,6 +147,8 @@ export type ConvexAuthConfig = {
      * How long is the JWT valid for after it is signed initially.
      *
      * Defaults to 1 hour.
+     *
+     * @defaultValue 3_600_000
      */
     durationMs?: number;
   };
@@ -76,63 +162,11 @@ export type ConvexAuthConfig = {
      *
      * Defaults to 10 times per hour (that is 10 failed attempts, and then
      * allow another one every 6 minutes).
+     *
+     * @defaultValue 10
      */
-    maxFailedAttempsPerHour?: number;
+    maxFailedAttemptsPerHour?: number;
   };
-  /**
-   * API key configuration for programmatic access.
-   *
-   * Enables `auth.key.*` helpers for creating, verifying, and managing
-   * API keys with scoped permissions and optional per-key rate limiting.
-   */
-  apiKeys?: ApiKeyConfig;
-  /**
-   * Email transport configuration.
-   *
-   * Required for magic link authentication.
-   * The library generates email content (subject, styled HTML); you
-   * provide the delivery mechanism — Resend, SendGrid, SES, Postmark,
-   * or any other provider.
-   *
-   * When configured, a magic link email provider (`id: "email"`) is
-   * auto-registered — no need to add a separate Auth.js email provider
-   * to `providers`.
-   *
-   * Works seamlessly with the `@convex-dev/resend` Convex component:
-   *
-   * ```ts
-   * import { Resend } from "@convex-dev/resend";
-   *
-   * const resend = new Resend(components.resend, { testMode: false });
-   *
-   * const auth = new Auth(components.auth, {
-   *   providers: [google],
-   *   email: {
-   *     from: "My App <noreply@example.com>",
-   *     send: (ctx, params) => resend.sendEmail(ctx, params),
-   *   },
-   * });
-   * ```
-   *
-   * Or with any email API directly:
-   *
-   * ```ts
-   * email: {
-   *   from: "My App <noreply@example.com>",
-   *   send: async (_ctx, { from, to, subject, html }) => {
-   *     await fetch("https://api.resend.com/emails", {
-   *       method: "POST",
-   *       headers: {
-   *         Authorization: `Bearer ${process.env.AUTH_RESEND_KEY}`,
-   *         "Content-Type": "application/json",
-   *       },
-   *       body: JSON.stringify({ from, to, subject, html }),
-   *     });
-   *   },
-   * },
-   * ```
-   */
-  email?: EmailTransport;
   /**
    * Lifecycle callbacks for customizing sign-in behavior.
    *
@@ -145,20 +179,21 @@ export type ConvexAuthConfig = {
      * Control which URLs are allowed as a destination after OAuth sign-in
      * and for magic links:
      *
-      * ```ts
-      * import { Auth } from "@robelest/convex-auth/component";
-      *
-      * export const { auth, signIn, signOut, store } = Auth({
-      *   providers: [google],
-      *   callbacks: {
-      *     async redirect({ redirectTo }) {
-      *       // Check that redirectTo is valid
-      *       // and return the relative or absolute URL
-      *       // to redirect to.
-      *     },
-      *   },
-      * });
-      * ```
+     * ```ts
+     * import { createAuth } from "@robelest/convex-auth/component";
+     * import { components } from "./_generated/api";
+     *
+     * const auth = createAuth(components.auth, {
+     *   providers: [google],
+     *   callbacks: {
+     *     async redirect({ redirectTo }) {
+     *       // Check that redirectTo is valid
+     *       // and return the relative or absolute URL
+     *       // to redirect to.
+     *     },
+     *   },
+     * });
+     * ```
      *
      * Convex Auth performs redirect only during OAuth sign-in. By default,
      * it redirects back to the URL specified via the `SITE_URL` environment
@@ -201,7 +236,7 @@ export type ConvexAuthConfig = {
          * If this is a sign-in to an existing account,
          * this is the existing user ID linked to that account.
          */
-        existingUserId: GenericId<"user"> | null;
+        existingUserId: GenericId<"User"> | null;
         /**
          * The provider type or "verification" if this callback is called
          * after an email or phone token verification.
@@ -230,7 +265,7 @@ export type ConvexAuthConfig = {
          */
         shouldLink?: boolean;
       },
-    ) => Promise<GenericId<"user">>;
+    ) => Promise<GenericId<"User">>;
     /**
      * Perform additional writes after a user is created.
      *
@@ -251,12 +286,12 @@ export type ConvexAuthConfig = {
         /**
          * The ID of the user that is being signed in.
          */
-        userId: GenericId<"user">;
+        userId: GenericId<"User">;
         /**
          * If this is a sign-in to an existing account,
          * this is the existing user ID linked to that account.
          */
-        existingUserId: GenericId<"user"> | null;
+        existingUserId: GenericId<"User"> | null;
         /**
          * The provider type or "verification" if this callback is called
          * after an email or phone token verification.
@@ -287,6 +322,18 @@ export type ConvexAuthConfig = {
       },
     ) => Promise<void>;
   };
+  /**
+   * Application-defined role and grant model used by membership access checks.
+   */
+  authorization?: {
+    roles: Record<
+      string,
+      {
+        label?: string;
+        grants: string[];
+      }
+    >;
+  };
 };
 /**
@@ -299,6 +346,14 @@ export type ConvexAuthConfig = {
  */
 export type AuthProviderConfig =
   | import("../providers/oauth").OAuthProviderInstance
+  | import("../providers/password").Password
+  | import("../providers/passkey").Passkey
+  | import("../providers/totp").Totp
+  | import("../providers/anonymous").Anonymous
+  | import("../providers/device").Device
+  | import("../providers/sso").SSO
+  | import("../providers/email").Email
+  | import("../providers/phone").Phone
   | OAuthMaterializedConfig
   | ConvexCredentialsConfig
   | ((...args: any) => ConvexCredentialsConfig)
@@ -311,10 +366,117 @@ export type AuthProviderConfig =
   | TotpProviderConfig
   | ((...args: any) => TotpProviderConfig)
   | DeviceProviderConfig
-  | ((...args: any) => DeviceProviderConfig);
+  | ((...args: any) => DeviceProviderConfig)
+  | SSOProviderConfig;
+/**
+ * Minimal config stored for the SSO provider at runtime.
+ * No options — enterprise configuration is entirely per-tenant runtime state.
+ */
+export interface SSOProviderConfig {
+  id: string;
+  type: "sso";
+}
+/**
+ * Account linking strategy for enterprise SSO sign-in.
+ *
+ * - `"verifiedEmail"` — link accounts when the IdP-provided email matches a verified email on an existing user.
+ * - `"none"` — never auto-link; always create a new account.
+ */
+export type EnterpriseAccountLinkingPolicy = "verifiedEmail" | "none";
+/**
+ * Policy for reusing existing users during SCIM provisioning.
+ *
+ * - `"externalId"` — match by the SCIM `externalId` to reuse a previously provisioned user.
+ * - `"none"` — always create a new user for each SCIM provision request.
+ */
+export type EnterpriseScimReuseUserPolicy = "externalId" | "none";
+/**
+ * Just-in-time provisioning mode for enterprise SSO.
+ *
+ * - `"off"` — no JIT provisioning; users must be pre-provisioned.
+ * - `"createUser"` — create a user record on first SSO sign-in.
+ * - `"createUserAndMembership"` — create a user and add them to the enterprise group on first SSO sign-in.
+ */
+export type EnterpriseJitProvisioningMode =
+  | "off"
+  | "createUser"
+  | "createUserAndMembership";
+/**
+ * Deprovisioning strategy when a SCIM user is deleted.
+ *
+ * - `"soft"` — mark the user as inactive but preserve the record.
+ * - `"hard"` — permanently delete the user and associated data.
+ */
+export type EnterpriseDeprovisionMode = "soft" | "hard";
+/**
+ * Effective enterprise policy document stored for an SSO/SCIM tenant.
+ *
+ * Controls account linking, JIT provisioning, SCIM reuse behavior,
+ * deprovisioning, and any app-defined extension metadata.
+ *
+ * @see {@link EnterprisePolicyPatch}
+ */
+export interface EnterprisePolicy {
+  version: 1;
+  identity: {
+    accountLinking: {
+      oidc: EnterpriseAccountLinkingPolicy;
+      saml: EnterpriseAccountLinkingPolicy;
+    };
+  };
+  provisioning: {
+    scimReuse: {
+      user: EnterpriseScimReuseUserPolicy;
+    };
+    jit: {
+      mode: EnterpriseJitProvisioningMode;
+      defaultRoleIds: string[];
+    };
+    deprovision: {
+      mode: EnterpriseDeprovisionMode;
+    };
+  };
+  extend?: Record<string, unknown>;
+}
+/**
+ * Partial update payload for {@link EnterprisePolicy}.
+ *
+ * Use this when patching only selected enterprise policy sections without
+ * replacing the entire stored policy document.
+ */
+export interface EnterprisePolicyPatch {
+  identity?: {
+    accountLinking?: {
+      oidc?: EnterpriseAccountLinkingPolicy;
+      saml?: EnterpriseAccountLinkingPolicy;
+    };
+  };
+  provisioning?: {
+    scimReuse?: {
+      user?: EnterpriseScimReuseUserPolicy;
+    };
+    jit?: {
+      mode?: EnterpriseJitProvisioningMode;
+      defaultRoleIds?: string[];
+    };
+    deprovision?: {
+      mode?: EnterpriseDeprovisionMode;
+    };
+  };
+  extend?: Record<string, unknown>;
+}
 /**
  * Email provider config for magic link / OTP sign-in.
+ *
+ * @typeParam DataModel - The Convex data model for typed action contexts.
  */
 export interface EmailConfig<
   DataModel extends GenericDataModel = GenericDataModel,
@@ -327,7 +489,11 @@ export interface EmailConfig<
   name?: string;
   /** Sender address (e.g. `"My App <noreply@example.com>"`). */
   from?: string;
-  /** Token expiration in seconds. Defaults to 86 400 (24 hours). */
+  /**
+   * Token expiration in seconds. Defaults to 86 400 (24 hours).
+   *
+   * @defaultValue 86400
+   */
   maxAge?: number;
   /**
    * Send the verification token to the user.
@@ -369,14 +535,18 @@ export interface EmailConfig<
      * The values passed to the `signIn` function.
      */
     params: Record<string, Value | undefined>,
-    account: GenericDoc<DataModel, "account">,
+    account: GenericDoc<DataModel, "Account">,
   ) => Promise<void>;
   /** Raw user options before merging with defaults. */
   options: EmailUserConfig<DataModel>;
 }
 /**
- * Configurable options for an email provider config.
+ * User-facing configuration shape accepted by the email provider.
+ *
+ * Equivalent to `Partial<EmailConfig>` without internal runtime-only fields.
+ *
+ * @typeParam DataModel - The Convex data model.
  */
 export type EmailUserConfig<
   DataModel extends GenericDataModel = GenericDataModel,
@@ -385,6 +555,8 @@ export type EmailUserConfig<
 /**
  * Same as email provider config, but verifies
  * phone number instead of the email address.
+ *
+ * @typeParam DataModel - The Convex data model for typed action contexts.
  */
 export interface PhoneConfig<
   DataModel extends GenericDataModel = GenericDataModel,
@@ -439,22 +611,26 @@ export interface PhoneConfig<
      * The values passed to the `signIn` function.
      */
     params: Record<string, Value | undefined>,
-    account: GenericDoc<DataModel, "account">,
+    account: GenericDoc<DataModel, "Account">,
   ) => Promise<void>;
   options: PhoneUserConfig<DataModel>;
 }
 /**
- * Configurable options for a phone provider config.
+ * User-facing configuration shape accepted by the phone provider.
+ *
+ * Equivalent to `Partial<PhoneConfig>` without internal runtime-only fields.
+ *
+ * @typeParam DataModel - The Convex data model.
  */
 export type PhoneUserConfig<
   DataModel extends GenericDataModel = GenericDataModel,
 > = Omit<Partial<PhoneConfig<DataModel>>, "options" | "type">;
 /**
- * Similar to Auth.js Credentials config.
+ * Credentials provider config used by Convex Auth.
  */
-export type ConvexCredentialsConfig = CredentialsUserConfig<any> & {
+export type ConvexCredentialsConfig = CredentialsConfig<any> & {
   type: "credentials";
   id: string;
 };
@@ -472,17 +648,37 @@ export interface PasskeyProviderConfig {
     rpId?: string;
     /** Allowed origins for credential verification. Defaults to SITE_URL. */
     origin?: string | string[];
-    /** Attestation conveyance preference. Defaults to "none". */
+    /**
+     * Attestation conveyance preference. Defaults to "none".
+     *
+     * @defaultValue "none"
+     */
     attestation?: "none" | "direct";
-    /** User verification requirement. Defaults to "required". */
+    /**
+     * User verification requirement. Defaults to "required".
+     *
+     * @defaultValue "required"
+     */
     userVerification?: "required" | "preferred" | "discouraged";
-    /** Resident key (discoverable credential) preference. Defaults to "preferred". */
+    /**
+     * Resident key (discoverable credential) preference. Defaults to "preferred".
+     *
+     * @defaultValue "preferred"
+     */
     residentKey?: "required" | "preferred" | "discouraged";
     /** Restrict to platform or cross-platform authenticators. */
     authenticatorAttachment?: "platform" | "cross-platform";
-    /** Supported COSE algorithms. Defaults to [-7 (ES256), -257 (RS256)]. */
+    /**
+     * Supported COSE algorithms. Defaults to [-7 (ES256), -257 (RS256)].
+     *
+     * @defaultValue [-7, -257]
+     */
     algorithms?: number[];
-    /** Challenge expiration in ms. Defaults to 300_000 (5 minutes). */
+    /**
+     * Challenge expiration in ms. Defaults to 300_000 (5 minutes).
+     *
+     * @defaultValue 300_000
+     */
     challengeExpirationMs?: number;
   };
 }
@@ -496,9 +692,17 @@ export interface TotpProviderConfig {
   options: {
     /** Issuer name shown in authenticator apps (e.g. "My App"). */
     issuer: string;
-    /** Number of digits in each code (default: 6). */
+    /**
+     * Number of digits in each code (default: 6).
+     *
+     * @defaultValue 6
+     */
     digits: number;
-    /** Time period in seconds for code rotation (default: 30). */
+    /**
+     * Time period in seconds for code rotation (default: 30).
+     *
+     * @defaultValue 30
+     */
     period: number;
   };
 }
@@ -526,6 +730,8 @@ export interface OAuthProfile {
  *
  * This is what the OAuth flow code receives — it maps to the user-facing
  * `OAuthConfig` from `@robelest/convex-auth/providers`.
+ *
+ * @internal
  */
 export interface OAuthProviderConfig {
   /** OAuth scopes to request. */
@@ -573,52 +779,107 @@ export type AuthUpdateAccountArgs = {
 /** Arguments for `auth.session.invalidate()`. */
 export type AuthInvalidateSessionsArgs = {
-  userId: GenericId<"user">;
-  except?: GenericId<"session">[];
+  userId: GenericId<"User">;
+  except?: GenericId<"Session">[];
 };
 /** Arguments for `auth.provider.signIn()`. */
 export type AuthProviderSignInArgs = {
-  accountId?: GenericId<"account">;
+  accountId?: GenericId<"Account">;
   params?: Record<string, Value | undefined>;
 };
 /** Return type of `auth.provider.signIn()` — user and session IDs, or `null` on failure. */
 export type AuthProviderSignInResult = {
-  userId: GenericId<"user">;
-  sessionId: GenericId<"session">;
+  userId: GenericId<"User">;
+  sessionId: GenericId<"Session">;
 } | null;
-/** Server-side auth helpers available on enriched action contexts. */
+/** Arguments for `auth.member.resolve()`. */
+export type AuthMemberResolveArgs = {
+  userId: GenericId<"User">;
+  groupId: GenericId<"Group">;
+  ancestry?: boolean;
+  roleIds?: string[];
+  grants?: string[];
+  maxDepth?: number;
+};
+/** Result of `auth.member.resolve()` — membership check with role and grant details. */
+export type AuthMemberResolveResult = {
+  ok: boolean;
+  membership: GenericDoc<GenericDataModel, "GroupMember"> | null;
+  matchedGroupId: GenericId<"Group"> | null;
+  roleIds: string[];
+  grants: string[];
+  missingGrants: string[];
+  depth: number | null;
+  isDirect: boolean;
+  isInherited: boolean;
+  traversedGroupIds: GenericId<"Group">[];
+  code?: "INVALID_ROLE_IDS";
+  invalidRoleIds?: string[];
+};
+/**
+ * Server-side auth helper methods injected into `ctx.auth` within provider actions.
+ *
+ * Provides programmatic access to account management, session lifecycle,
+ * membership resolution, and provider sign-in from within Convex actions
+ * that use {@link GenericActionCtxWithAuthConfig}.
+ *
+ * @see {@link GenericActionCtxWithAuthConfig}
+ *
+ * @example
+ * ```ts
+ * // Inside a credentials provider's authorize callback:
+ * const { account, user } = await ctx.auth.account.get(ctx, {
+ *   provider: "password",
+ *   account: { id: email },
+ * });
+ * ```
+ */
 export type AuthServerHelpers = {
+  /** Account management: create, retrieve, and update provider-linked accounts. */
   account: {
     create: (
       ctx: GenericActionCtx<any>,
       args: AuthCreateAccountArgs,
     ) => Promise<{
-      account: GenericDoc<GenericDataModel, "account">;
-      user: GenericDoc<GenericDataModel, "user">;
+      ok: true;
+      account: GenericDoc<GenericDataModel, "Account">;
+      user: GenericDoc<GenericDataModel, "User">;
     }>;
     get: (
       ctx: GenericActionCtx<any>,
       args: AuthRetrieveAccountArgs,
     ) => Promise<{
-      account: GenericDoc<GenericDataModel, "account">;
-      user: GenericDoc<GenericDataModel, "user">;
+      account: GenericDoc<GenericDataModel, "Account">;
+      user: GenericDoc<GenericDataModel, "User">;
     }>;
     update: (
       ctx: GenericActionCtx<any>,
       args: AuthUpdateAccountArgs,
-    ) => Promise<void>;
+    ) => Promise<{ ok: true; accountId: GenericId<"Account"> }>;
   };
   session: {
-    current: (
-      ctx: { auth: GenericActionCtx<GenericDataModel>["auth"] },
-    ) => Promise<GenericId<"session"> | null>;
+    current: (ctx: {
+      auth: GenericActionCtx<GenericDataModel>["auth"];
+    }) => Promise<GenericId<"Session"> | null>;
     invalidate: (
       ctx: GenericActionCtx<any>,
       args: AuthInvalidateSessionsArgs,
-    ) => Promise<void>;
+    ) => Promise<{
+      ok: true;
+      userId: GenericId<"User">;
+      except: GenericId<"Session">[];
+    }>;
+  };
+  member: {
+    resolve: (
+      ctx: GenericActionCtx<any>,
+      args: AuthMemberResolveArgs,
+    ) => Promise<AuthMemberResolveResult>;
   };
   provider: {
     signIn: (
@@ -631,7 +892,9 @@ export type AuthServerHelpers = {
 /**
  * Your `ActionCtx` enriched with `ctx.auth.config` field with
- * the config passed to `Auth`.
+ * the config passed to `createAuth`.
+ *
+ * @typeParam DataModel - The Convex data model.
  */
 export type GenericActionCtxWithAuthConfig<DataModel extends GenericDataModel> =
   GenericActionCtx<DataModel> & {
@@ -641,7 +904,7 @@ export type GenericActionCtxWithAuthConfig<DataModel extends GenericDataModel> =
   };
 /**
- * The config for the Convex Auth library, passed to `Auth`,
+ * The config for the Convex Auth library, passed to `createAuth`,
  * with defaults and initialized providers.
  *
  * See {@link ConvexAuthConfig}
@@ -650,29 +913,67 @@ export type ConvexAuthMaterializedConfig = {
   providers: AuthProviderMaterializedConfig[];
 } & Pick<
   ConvexAuthConfig,
-  "component" | "session" | "jwt" | "signIn" | "callbacks"
+  "component" | "session" | "jwt" | "signIn" | "callbacks" | "authorization"
 >;
+/**
+ * Maps SAML assertion attribute names to user profile fields.
+ *
+ * Use this to tell the SSO flow which SAML attributes correspond to
+ * the user's subject identifier, email, and display name fields.
+ */
+export interface SAMLAttributeMapping {
+  /** SAML attribute for the unique subject identifier (NameID). */
+  subject?: string;
+  /** SAML attribute for the user's email address. */
+  email?: string;
+  /** SAML attribute for the user's full display name. */
+  name?: string;
+  /** SAML attribute for the user's first / given name. */
+  firstName?: string;
+  /** SAML attribute for the user's last / family name. */
+  lastName?: string;
+}
 /**
  * Materialized OAuth provider config (Arctic-based).
  *
  * Carries the Arctic provider instance along with scopes and profile config.
- * Produced by materializing an `OAuthProviderInstance` during `configDefaults`.
+  * Produced by materializing an `OAuthProviderInstance` during `configDefaults`.
  */
 export interface OAuthMaterializedConfig {
+  /**
+   * Provider identifier (e.g. `"google"`, `"github"`).
+   * @readonly
+   */
   readonly id: string;
+  /**
+   * Discriminant for provider type routing.
+   * @readonly
+   */
   readonly type: "oauth";
-  /** The Arctic provider instance. */
+  /**
+   * The Arctic provider instance.
+   * @readonly
+   */
   readonly provider: any;
-  /** OAuth scopes to request. */
+  /**
+   * OAuth scopes to request.
+   * @readonly
+   */
   readonly scopes: string[];
-  /** User-provided profile extraction callback. */
-  readonly profile?: (tokens: import("arctic").OAuth2Tokens) => Promise<OAuthProfile>;
   /**
-   * Allow linking accounts by email even if the email is unverified.
-   * Use with caution — only enable for providers you trust.
+   * User-provided profile extraction callback.
+   * @readonly
+   */
+  readonly profile?: (
+    tokens: import("arctic").OAuth2Tokens,
+  ) => Promise<OAuthProfile>;
+  /**
+   * Account-linking policy for OAuth identities. Defaults to verified email linking.
+   * @readonly
    */
-  readonly allowDangerousEmailAccountLinking?: boolean;
+  readonly accountLinking?: "verifiedEmail" | "none";
 }
 /**
@@ -711,58 +1012,26 @@ export type AuthProviderMaterializedConfig =
   | ConvexCredentialsConfig
   | PasskeyProviderConfig
   | TotpProviderConfig
-  | DeviceProviderConfig;
-// ============================================================================
-// Email transport types
-// ============================================================================
-/**
- * Email delivery parameters passed to `EmailTransport.send`.
- */
-export interface EmailMessage {
-  /** Sender address (from `email.from` in your Auth config). */
-  from: string;
-  /** Recipient email address. */
-  to: string;
-  /** Email subject line. */
-  subject: string;
-  /** HTML body content. */
-  html: string;
-}
+  | DeviceProviderConfig
+  | SSOProviderConfig;
 /**
- * Email transport configuration for the Auth library.
+ * Resolves to `true` when the providers list includes `SSO`, otherwise `false`.
  *
- * Provides a delivery mechanism for library-generated emails.
- * The library owns the email content; you provide the transport.
+ * Used to make `auth.sso` conditionally present on the `createAuth`
+ * return type — it only appears when `new SSO()` is in the providers array.
  */
-export interface EmailTransport {
-  /** Sender address shown in the From field (e.g. "My App \<noreply@example.com\>"). */
-  from: string;
-  /**
-   * Deliver an email. Called by the library for magic links.
-   *
-   * Receives the Convex action context as the first argument, enabling
-   * use with Convex components like `@convex-dev/resend`:
-   *
-   * ```ts
-   * send: (ctx, params) => resend.sendEmail(ctx, params)
-   * ```
-   *
-   * For plain HTTP email APIs, ignore the `ctx` parameter:
-   *
-   * ```ts
-   * send: async (_ctx, { from, to, subject, html }) => {
-   *   await fetch("https://api.resend.com/emails", { ... });
-   * }
-   * ```
-   */
-  send: (
-    ctx: GenericActionCtx<any>,
-    params: EmailMessage,
-  ) => Promise<void>;
-}
+export type HasSSO<P extends AuthProviderConfig[]> =
+  import("../providers/sso").SSO extends P[number] ? true : false;
+export type HasPasskeyProvider<P extends AuthProviderConfig[]> =
+  import("../providers/passkey").Passkey extends P[number] ? true : false;
+export type HasTotpProvider<P extends AuthProviderConfig[]> =
+  import("../providers/totp").Totp extends P[number] ? true : false;
+export type HasDeviceProvider<P extends AuthProviderConfig[]> =
+  import("../providers/device").Device extends P[number] ? true : false;
 // ============================================================================
 // API Key types
@@ -799,39 +1068,6 @@ export interface ScopeChecker {
   scopes: KeyScope[];
 }
-/**
- * Configuration for API key support on the Auth class.
- *
- * ```ts
- * const auth = new Auth(components.auth, {
- *   providers: [github],
- *   apiKeys: {
- *     scopes: {
- *       users: ["read", "list", "create", "delete"],
- *       messages: ["read", "write"],
- *     },
- *     defaultRateLimit: { maxRequests: 1000, windowMs: 3600000 },
- *   },
- * });
- * ```
- */
-export interface ApiKeyConfig {
-  /**
-   * Define the available resource:action scopes for your API keys.
-   * Keys can only be created with scopes that are a subset of these.
-   */
-  scopes?: Record<string, string[]>;
-  /**
-   * Default rate limit applied to new keys when not specified per-key.
-   * Uses a token-bucket algorithm.
-   */
-  defaultRateLimit?: { maxRequests: number; windowMs: number };
-  /**
-   * Key prefix. Defaults to `"sk_live_"`.
-   */
-  prefix?: string;
-}
 /**
  * An API key record as returned by `auth.key.list()` and `auth.key.get()`.
  * Never includes the raw key material — only the display prefix.
@@ -841,7 +1077,7 @@ export interface KeyRecord {
   _id: string;
   /** Owner user ID. */
   userId: string;
-  /** Display prefix (e.g. `"sk_live_abc1"`). Safe to show in UIs. */
+  /** Display prefix (e.g. `"sk_abc1"`). Safe to show in UIs. */
   prefix: string;
   /** Human-readable name (e.g. "CI Pipeline"). */
   name: string;
@@ -857,6 +1093,8 @@ export interface KeyRecord {
   createdAt: number;
   /** `true` when the key has been revoked (soft-deleted). */
   revoked: boolean;
+  /** Arbitrary app-specific metadata attached to the key. */
+  metadata?: Record<string, unknown>;
 }
 // ============================================================================
@@ -867,6 +1105,9 @@ export interface KeyRecord {
  * Options for paginated list queries. Every entity list method uses this
  * same shape with entity-specific `TWhere` and `TOrderBy` type parameters.
  *
+ * @typeParam TWhere - The type of the optional filter object.
+ * @typeParam TOrderBy - The union of sortable field names.
+ *
  * ```ts
  * const result = await auth.group.list(ctx, {
  *   where: { type: "team" },
@@ -894,6 +1135,8 @@ export type ListOptions<
 /**
  * Paginated list result returned by every entity list method.
+ *
+ * @typeParam T - The type of items in the result array.
  */
 export type ListResult<T> = {
   /** The page of items. */
@@ -938,16 +1181,16 @@ export type GroupWhere = {
 /** Sortable fields for `auth.group.list()`. */
 export type GroupOrderBy = "_creationTime" | "name" | "slug" | "type";
-/** Filter fields for `auth.group.member.list()`. All optional. */
+/** Filter fields for `auth.member.list()`. All optional. */
 export type MemberWhere = {
   groupId?: string;
   userId?: string;
-  role?: string;
+  roleId?: string;
   status?: string;
 };
-/** Sortable fields for `auth.group.member.list()`. */
-export type MemberOrderBy = "_creationTime" | "role" | "status";
+/** Sortable fields for `auth.member.list()`. */
+export type MemberOrderBy = "_creationTime" | "status";
 /** Filter fields for `auth.invite.list()`. All optional. */
 export type InviteWhere = {
@@ -956,7 +1199,7 @@ export type InviteWhere = {
   status?: "pending" | "accepted" | "revoked" | "expired";
   email?: string;
   invitedByUserId?: string;
-  role?: string;
+  roleId?: string;
   acceptedByUserId?: string;
 };
@@ -1043,7 +1286,7 @@ export interface CorsConfig {
  * Component function references required by core auth runtime.
  *
  * @internal Consumers should not depend on this shape — it may change
- * between minor versions. Pass `components.auth` directly to the `Auth` constructor.
+ * between minor versions. Pass `components.auth` directly to `createAuth`.
  */
 export type AuthComponentApi = {
   public: {
@@ -1054,9 +1297,11 @@ export type AuthComponentApi = {
     userInsert: FunctionReference<"mutation", "internal">;
     userUpsert: FunctionReference<"mutation", "internal">;
     userPatch: FunctionReference<"mutation", "internal">;
+    userDelete: FunctionReference<"mutation", "internal">;
     accountGet: FunctionReference<"query", "internal">;
     accountGetById: FunctionReference<"query", "internal">;
     accountInsert: FunctionReference<"mutation", "internal">;
+    accountListByUser: FunctionReference<"query", "internal">;
     accountPatch: FunctionReference<"mutation", "internal">;
     accountDelete: FunctionReference<"mutation", "internal">;
     sessionCreate: FunctionReference<"mutation", "internal">;
@@ -1091,20 +1336,20 @@ export type AuthComponentApi = {
     memberAdd: FunctionReference<"mutation", "internal">;
     memberGet: FunctionReference<"query", "internal">;
     memberList: FunctionReference<"query", "internal">;
-    memberListByUser: FunctionReference<"query", "internal">;
     memberGetByGroupAndUser: FunctionReference<"query", "internal">;
     memberRemove: FunctionReference<"mutation", "internal">;
     memberUpdate: FunctionReference<"mutation", "internal">;
     inviteCreate: FunctionReference<"mutation", "internal">;
     inviteGet: FunctionReference<"query", "internal">;
+    inviteGetByTokenHash: FunctionReference<"query", "internal">;
     inviteList: FunctionReference<"query", "internal">;
     inviteAccept: FunctionReference<"mutation", "internal">;
+    inviteAcceptByToken: FunctionReference<"mutation", "internal">;
     inviteRevoke: FunctionReference<"mutation", "internal">;
     keyInsert: FunctionReference<"mutation", "internal">;
     keyGetByHashedKey: FunctionReference<"query", "internal">;
     keyGetById: FunctionReference<"query", "internal">;
     keyList: FunctionReference<"query", "internal">;
-    keyListByUserId: FunctionReference<"query", "internal">;
     keyPatch: FunctionReference<"mutation", "internal">;
     keyDelete: FunctionReference<"mutation", "internal">;
     passkeyInsert: FunctionReference<"mutation", "internal">;
@@ -1126,6 +1371,142 @@ export type AuthComponentApi = {
     deviceAuthorize: FunctionReference<"mutation", "internal", any, any>;
     deviceUpdateLastPolled: FunctionReference<"mutation", "internal", any, any>;
     deviceDelete: FunctionReference<"mutation", "internal", any, any>;
+    enterpriseCreate: FunctionReference<"mutation", "internal", any, any>;
+    enterpriseGet: FunctionReference<"query", "internal", any, any>;
+    enterpriseGetByGroup: FunctionReference<"query", "internal", any, any>;
+    enterpriseGetByDomain: FunctionReference<"query", "internal", any, any>;
+    enterpriseList: FunctionReference<"query", "internal", any, any>;
+    enterpriseUpdate: FunctionReference<"mutation", "internal", any, any>;
+    enterpriseDelete: FunctionReference<"mutation", "internal", any, any>;
+    enterpriseDomainAdd: FunctionReference<"mutation", "internal", any, any>;
+    enterpriseDomainList: FunctionReference<"query", "internal", any, any>;
+    enterpriseDomainDelete: FunctionReference<"mutation", "internal", any, any>;
+    enterpriseDomainVerificationGet: FunctionReference<
+      "query",
+      "internal",
+      any,
+      any
+    >;
+    enterpriseDomainVerificationUpsert: FunctionReference<
+      "mutation",
+      "internal",
+      any,
+      any
+    >;
+    enterpriseDomainVerificationDelete: FunctionReference<
+      "mutation",
+      "internal",
+      any,
+      any
+    >;
+    enterpriseDomainVerify: FunctionReference<"mutation", "internal", any, any>;
+    enterpriseSecretUpsert: FunctionReference<"mutation", "internal", any, any>;
+    enterpriseSecretGet: FunctionReference<"query", "internal", any, any>;
+    enterpriseSecretDelete: FunctionReference<"mutation", "internal", any, any>;
+    enterpriseScimConfigUpsert: FunctionReference<
+      "mutation",
+      "internal",
+      any,
+      any
+    >;
+    enterpriseScimConfigGetByEnterprise: FunctionReference<
+      "query",
+      "internal",
+      any,
+      any
+    >;
+    enterpriseScimConfigGetByTokenHash: FunctionReference<
+      "query",
+      "internal",
+      any,
+      any
+    >;
+    enterpriseScimIdentityGet: FunctionReference<"query", "internal", any, any>;
+    enterpriseScimIdentityGetByUser: FunctionReference<
+      "query",
+      "internal",
+      any,
+      any
+    >;
+    enterpriseScimIdentityGetByEnterpriseAndUser: FunctionReference<
+      "query",
+      "internal",
+      any,
+      any
+    >;
+    enterpriseScimIdentityGetByMappedGroup: FunctionReference<
+      "query",
+      "internal",
+      any,
+      any
+    >;
+    enterpriseScimIdentityListByEnterprise: FunctionReference<
+      "query",
+      "internal",
+      any,
+      any
+    >;
+    enterpriseScimIdentityUpsert: FunctionReference<
+      "mutation",
+      "internal",
+      any,
+      any
+    >;
+    enterpriseScimIdentityDelete: FunctionReference<
+      "mutation",
+      "internal",
+      any,
+      any
+    >;
+    enterpriseAuditEventCreate: FunctionReference<
+      "mutation",
+      "internal",
+      any,
+      any
+    >;
+    enterpriseAuditEventList: FunctionReference<"query", "internal", any, any>;
+    enterpriseWebhookEndpointCreate: FunctionReference<
+      "mutation",
+      "internal",
+      any,
+      any
+    >;
+    enterpriseWebhookEndpointList: FunctionReference<
+      "query",
+      "internal",
+      any,
+      any
+    >;
+    enterpriseWebhookEndpointGet: FunctionReference<
+      "query",
+      "internal",
+      any,
+      any
+    >;
+    enterpriseWebhookEndpointUpdate: FunctionReference<
+      "mutation",
+      "internal",
+      any,
+      any
+    >;
+    enterpriseWebhookDeliveryEnqueue: FunctionReference<
+      "mutation",
+      "internal",
+      any,
+      any
+    >;
+    enterpriseWebhookDeliveryListReady: FunctionReference<
+      "query",
+      "internal",
+      any,
+      any
+    >;
+    enterpriseWebhookDeliveryPatch: FunctionReference<
+      "mutation",
+      "internal",
+      any,
+      any
+    >;
   };
 };
@@ -1177,3 +1558,387 @@ export type FunctionReferenceFromExport<Export> =
 type ConvertReturnType<T> = UndefinedToNull<Awaited<T>>;
 type UndefinedToNull<T> = T extends void ? null : T;
+// Internal server data-model types (merged from former internalTypes.ts)
+/** Data model derived from the component schema. */
+export type AuthDataModel = DataModelFromSchemaDefinition<typeof schema>;
+/** Action context typed to the auth component's data model. */
+export type ActionCtx = GenericActionCtx<AuthDataModel>;
+/** Mutation context typed to the auth component's data model. */
+export type MutationCtx = GenericMutationCtx<AuthDataModel>;
+/** Query context typed to the auth component's data model. */
+export type QueryCtx = GenericQueryCtx<AuthDataModel>;
+/** A document from any table in the auth component schema. */
+export type Doc<T extends TableNamesInDataModel<AuthDataModel>> = GenericDoc<
+  AuthDataModel,
+  T
+>;
+/** A pair of JWT access token and refresh token. */
+export type Tokens = { token: string; refreshToken: string };
+/** Session information returned after authentication. */
+export type SessionInfo = {
+  userId: GenericId<"User">;
+  sessionId: GenericId<"Session">;
+  tokens: Tokens | null;
+};
+/** Session information with guaranteed non-null tokens. */
+export type SessionInfoWithTokens = {
+  userId: GenericId<"User">;
+  sessionId: GenericId<"Session">;
+  tokens: Tokens;
+};
+// ---------------------------------------------------------------------------
+// Cross-component document shapes
+// ---------------------------------------------------------------------------
+// These mirror the component schema tables. They exist so that server-side
+// code can work with typed results from cross-component queries/mutations
+// instead of casting to `any` at every field access.
+export type TotpDoc = Infer<typeof vTotpFactorDoc>;
+export type PasskeyDoc = Infer<typeof vPasskeyDoc>;
+export type VerifierDoc = Infer<typeof vAuthVerifierDoc>;
+/**
+ * Cross-component user document shape inferred from the component validator.
+ *
+ * Used by internal typed wrappers (`queryUserById`, etc.) so server code stays
+ * aligned with the component runtime contract. Not intended for consumer use —
+ * consumers should use `UserDoc` (exported from
+ * `@robelest/convex-auth/component`).
+ *
+ * @internal
+ */
+export type CrossComponentUserDoc = Infer<typeof vUserDoc>;
+export type KeyDoc = Infer<typeof vApiKeyDoc>;
+// ---------------------------------------------------------------------------
+// Cross-component wrapper context
+// ---------------------------------------------------------------------------
+// Structural type accepted by all wrappers below.  Works for both action and
+// mutation contexts — the only capabilities we need are runQuery / runMutation
+// and access to the component API via `auth.config.component`.
+/** @internal */
+export type ComponentCallCtx = {
+  runQuery: GenericActionCtx<AuthDataModel>["runQuery"];
+  runMutation: GenericActionCtx<AuthDataModel>["runMutation"];
+  auth: { config: { component: AuthComponentApi } };
+};
+// ---------------------------------------------------------------------------
+// Typed wrappers for cross-component calls
+// ---------------------------------------------------------------------------
+// Each wrapper encapsulates the single `as any` cast at the component
+// boundary so that callers get full type safety on both args and return
+// values.
+// -- User queries --
+export async function queryUserById(
+  ctx: ComponentCallCtx,
+  userId: string,
+): Promise<CrossComponentUserDoc | null> {
+  return (await ctx.runQuery(ctx.auth.config.component.public.userGetById, {
+    userId,
+  })) as CrossComponentUserDoc | null;
+}
+export async function queryUserByVerifiedEmail(
+  ctx: ComponentCallCtx,
+  email: string,
+): Promise<CrossComponentUserDoc | null> {
+  return (await ctx.runQuery(
+    ctx.auth.config.component.public.userFindByVerifiedEmail,
+    { email },
+  )) as CrossComponentUserDoc | null;
+}
+// -- Verifier queries / mutations --
+export async function queryVerifierById(
+  ctx: ComponentCallCtx,
+  verifierId: string,
+): Promise<VerifierDoc | null> {
+  return (await ctx.runQuery(ctx.auth.config.component.public.verifierGetById, {
+    verifierId,
+  })) as VerifierDoc | null;
+}
+export async function mutateVerifierDelete(
+  ctx: ComponentCallCtx,
+  verifierId: string,
+): Promise<void> {
+  await ctx.runMutation(ctx.auth.config.component.public.verifierDelete, {
+    verifierId,
+  });
+}
+// -- TOTP queries / mutations --
+export async function queryTotpById(
+  ctx: ComponentCallCtx,
+  totpId: string,
+): Promise<TotpDoc | null> {
+  return (await ctx.runQuery(ctx.auth.config.component.public.totpGetById, {
+    totpId,
+  })) as TotpDoc | null;
+}
+export async function queryTotpVerifiedByUserId(
+  ctx: ComponentCallCtx,
+  userId: string,
+): Promise<TotpDoc | null> {
+  return (await ctx.runQuery(
+    ctx.auth.config.component.public.totpGetVerifiedByUserId,
+    { userId },
+  )) as TotpDoc | null;
+}
+export async function mutateTotpInsert(
+  ctx: ComponentCallCtx,
+  args: {
+    userId: string;
+    secret: ArrayBuffer;
+    digits: number;
+    period: number;
+    verified: boolean;
+    name?: string;
+    createdAt: number;
+  },
+): Promise<string> {
+  return (await ctx.runMutation(
+    ctx.auth.config.component.public.totpInsert,
+    args,
+  )) as string;
+}
+export async function mutateTotpMarkVerified(
+  ctx: ComponentCallCtx,
+  totpId: string,
+  lastUsedAt: number,
+): Promise<void> {
+  await ctx.runMutation(ctx.auth.config.component.public.totpMarkVerified, {
+    totpId,
+    lastUsedAt,
+  });
+}
+export async function mutateTotpUpdateLastUsed(
+  ctx: ComponentCallCtx,
+  totpId: string,
+  lastUsedAt: number,
+): Promise<void> {
+  await ctx.runMutation(ctx.auth.config.component.public.totpUpdateLastUsed, {
+    totpId,
+    lastUsedAt,
+  });
+}
+// -- Passkey queries / mutations --
+export async function queryPasskeysByUserId(
+  ctx: ComponentCallCtx,
+  userId: string,
+): Promise<PasskeyDoc[]> {
+  return (await ctx.runQuery(
+    ctx.auth.config.component.public.passkeyListByUserId,
+    { userId },
+  )) as PasskeyDoc[];
+}
+export async function queryPasskeyByCredentialId(
+  ctx: ComponentCallCtx,
+  credentialId: string,
+): Promise<PasskeyDoc | null> {
+  return (await ctx.runQuery(
+    ctx.auth.config.component.public.passkeyGetByCredentialId,
+    { credentialId },
+  )) as PasskeyDoc | null;
+}
+export async function mutatePasskeyInsert(
+  ctx: ComponentCallCtx,
+  args: {
+    userId: string;
+    credentialId: string;
+    publicKey: ArrayBuffer | ArrayBufferLike;
+    algorithm: number;
+    counter: number;
+    transports?: string[];
+    deviceType: string;
+    backedUp: boolean;
+    name?: string;
+    createdAt: number;
+  },
+): Promise<string> {
+  return (await ctx.runMutation(
+    ctx.auth.config.component.public.passkeyInsert,
+    args,
+  )) as string;
+}
+export async function mutatePasskeyUpdateCounter(
+  ctx: ComponentCallCtx,
+  passkeyId: string,
+  counter: number,
+  lastUsedAt: number,
+): Promise<void> {
+  await ctx.runMutation(ctx.auth.config.component.public.passkeyUpdateCounter, {
+    passkeyId,
+    counter,
+    lastUsedAt,
+  });
+}
+// -- Key queries / mutations --
+export async function mutateKeyInsert(
+  ctx: ComponentCallCtx,
+  args: {
+    userId: string;
+    prefix: string;
+    hashedKey: string;
+    name: string;
+    scopes: Array<{ resource: string; actions: string[] }>;
+    rateLimit?: { maxRequests: number; windowMs: number };
+    expiresAt?: number;
+  },
+): Promise<string> {
+  return (await ctx.runMutation(
+    ctx.auth.config.component.public.keyInsert,
+    args,
+  )) as string;
+}
+export async function queryKeysByUserId(
+  ctx: ComponentCallCtx,
+  userId: string,
+): Promise<KeyDoc[]> {
+  const items: KeyDoc[] = [];
+  let cursor: string | null = null;
+  do {
+    const page = (await ctx.runQuery(ctx.auth.config.component.public.keyList, {
+      where: { userId },
+      limit: 100,
+      cursor,
+    })) as {
+      items: KeyDoc[];
+      nextCursor: string | null;
+    };
+    items.push(...page.items);
+    cursor = page.nextCursor;
+  } while (cursor !== null);
+  return items;
+}
+export async function queryKeyById(
+  ctx: ComponentCallCtx,
+  keyId: string,
+): Promise<KeyDoc | null> {
+  return (await ctx.runQuery(ctx.auth.config.component.public.keyGetById, {
+    keyId,
+  })) as KeyDoc | null;
+}
+export async function mutateKeyPatch(
+  ctx: ComponentCallCtx,
+  keyId: string,
+  data: Record<string, unknown>,
+): Promise<void> {
+  await ctx.runMutation(ctx.auth.config.component.public.keyPatch, {
+    keyId,
+    data,
+  });
+}
+export async function mutateKeyDelete(
+  ctx: ComponentCallCtx,
+  keyId: string,
+): Promise<void> {
+  await ctx.runMutation(ctx.auth.config.component.public.keyDelete, { keyId });
+}
+// -- Device authorization queries / mutations --
+export type DeviceDoc = Infer<typeof vDeviceCodeDoc>;
+export async function mutateDeviceInsert(
+  ctx: ComponentCallCtx,
+  args: {
+    deviceCodeHash: string;
+    userCode: string;
+    expiresAt: number;
+    interval: number;
+    status: "pending" | "authorized" | "denied";
+  },
+): Promise<string> {
+  return (await ctx.runMutation(
+    ctx.auth.config.component.public.deviceInsert,
+    args,
+  )) as string;
+}
+export async function queryDeviceByCodeHash(
+  ctx: ComponentCallCtx,
+  deviceCodeHash: string,
+): Promise<DeviceDoc | null> {
+  return (await ctx.runQuery(
+    ctx.auth.config.component.public.deviceGetByCodeHash,
+    { deviceCodeHash },
+  )) as DeviceDoc | null;
+}
+export async function queryDeviceByUserCode(
+  ctx: ComponentCallCtx,
+  userCode: string,
+): Promise<DeviceDoc | null> {
+  return (await ctx.runQuery(
+    ctx.auth.config.component.public.deviceGetByUserCode,
+    { userCode },
+  )) as DeviceDoc | null;
+}
+export async function mutateDeviceAuthorize(
+  ctx: ComponentCallCtx,
+  deviceId: string,
+  userId: string,
+  sessionId: string,
+): Promise<void> {
+  await ctx.runMutation(ctx.auth.config.component.public.deviceAuthorize, {
+    deviceId,
+    userId,
+    sessionId,
+  });
+}
+export async function mutateDeviceUpdateLastPolled(
+  ctx: ComponentCallCtx,
+  deviceId: string,
+  lastPolledAt: number,
+): Promise<void> {
+  await ctx.runMutation(
+    ctx.auth.config.component.public.deviceUpdateLastPolled,
+    { deviceId, lastPolledAt },
+  );
+}
+export async function mutateDeviceDelete(
+  ctx: ComponentCallCtx,
+  deviceId: string,
+): Promise<void> {
+  await ctx.runMutation(ctx.auth.config.component.public.deviceDelete, {
+    deviceId,
+  });
+}