npm - @robelest/convex-auth - Versions diffs - 0.0.4-preview.2 → 0.0.4-preview.21 - Mend

@robelest/convex-auth 0.0.4-preview.2 → 0.0.4-preview.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (798) hide show

package/README.md +67 -26
package/dist/authorization/index.d.ts +63 -0
package/dist/authorization/index.d.ts.map +1 -0
package/dist/authorization/index.js +63 -0
package/dist/authorization/index.js.map +1 -0
package/dist/bin.js +6185 -0
package/dist/client/core/types.d.ts +20 -0
package/dist/client/core/types.d.ts.map +1 -0
package/dist/client/index.d.ts +2 -299
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +407 -534
package/dist/client/index.js.map +1 -1
package/dist/component/_generated/api.d.ts +42 -0
package/dist/component/_generated/api.d.ts.map +1 -1
package/dist/component/_generated/api.js.map +1 -1
package/dist/component/_generated/component.d.ts +2546 -90
package/dist/component/_generated/component.d.ts.map +1 -1
package/dist/component/client/core/types.d.ts +2 -0
package/dist/component/client/index.d.ts +2 -0
package/dist/component/convex.config.d.ts +2 -2
package/dist/component/functions.d.ts +11 -9
package/dist/component/functions.d.ts.map +1 -1
package/dist/component/functions.js.map +1 -1
package/dist/component/index.d.ts +7 -11
package/dist/component/index.js +2 -3
package/dist/component/model.d.ts +153 -0
package/dist/component/model.d.ts.map +1 -0
package/dist/component/model.js +349 -0
package/dist/component/model.js.map +1 -0
package/dist/component/providers/anonymous.d.ts +54 -0
package/dist/component/providers/anonymous.d.ts.map +1 -0
package/dist/component/providers/credentials.d.ts +5 -5
package/dist/component/providers/credentials.d.ts.map +1 -1
package/dist/component/providers/device.d.ts +67 -0
package/dist/component/providers/device.d.ts.map +1 -0
package/dist/component/providers/email.d.ts +62 -0
package/dist/component/providers/email.d.ts.map +1 -0
package/dist/component/providers/oauth.d.ts.map +1 -1
package/dist/component/providers/oauth.js.map +1 -1
package/dist/component/providers/passkey.d.ts +57 -0
package/dist/component/providers/passkey.d.ts.map +1 -0
package/dist/component/providers/password.d.ts +88 -0
package/dist/component/providers/password.d.ts.map +1 -0
package/dist/component/providers/phone.d.ts +48 -0
package/dist/component/providers/phone.d.ts.map +1 -0
package/dist/component/providers/sso.d.ts +50 -0
package/dist/component/providers/sso.d.ts.map +1 -0
package/dist/component/providers/totp.d.ts +45 -0
package/dist/component/providers/totp.d.ts.map +1 -0
package/dist/component/public/enterprise/audit.d.ts +73 -0
package/dist/component/public/enterprise/audit.d.ts.map +1 -0
package/dist/component/public/enterprise/audit.js +108 -0
package/dist/component/public/enterprise/audit.js.map +1 -0
package/dist/component/public/enterprise/core.d.ts +176 -0
package/dist/component/public/enterprise/core.d.ts.map +1 -0
package/dist/component/public/enterprise/core.js +292 -0
package/dist/component/public/enterprise/core.js.map +1 -0
package/dist/component/public/enterprise/domains.d.ts +174 -0
package/dist/component/public/enterprise/domains.d.ts.map +1 -0
package/dist/component/public/enterprise/domains.js +271 -0
package/dist/component/public/enterprise/domains.js.map +1 -0
package/dist/component/public/enterprise/scim.d.ts +245 -0
package/dist/component/public/enterprise/scim.d.ts.map +1 -0
package/dist/component/public/enterprise/scim.js +344 -0
package/dist/component/public/enterprise/scim.js.map +1 -0
package/dist/component/public/enterprise/secrets.d.ts +78 -0
package/dist/component/public/enterprise/secrets.d.ts.map +1 -0
package/dist/component/public/enterprise/secrets.js +118 -0
package/dist/component/public/enterprise/secrets.js.map +1 -0
package/dist/component/public/enterprise/webhooks.d.ts +211 -0
package/dist/component/public/enterprise/webhooks.d.ts.map +1 -0
package/dist/component/public/enterprise/webhooks.js +300 -0
package/dist/component/public/enterprise/webhooks.js.map +1 -0
package/dist/component/public/factors/devices.d.ts +157 -0
package/dist/component/public/factors/devices.d.ts.map +1 -0
package/dist/component/public/factors/devices.js +216 -0
package/dist/component/public/factors/devices.js.map +1 -0
package/dist/component/public/factors/passkeys.d.ts +175 -0
package/dist/component/public/factors/passkeys.d.ts.map +1 -0
package/dist/component/public/factors/passkeys.js +238 -0
package/dist/component/public/factors/passkeys.js.map +1 -0
package/dist/component/public/factors/totp.d.ts +189 -0
package/dist/component/public/factors/totp.d.ts.map +1 -0
package/dist/component/public/factors/totp.js +254 -0
package/dist/component/public/factors/totp.js.map +1 -0
package/dist/component/public/groups/core.d.ts +137 -0
package/dist/component/public/groups/core.d.ts.map +1 -0
package/dist/component/public/groups/core.js +321 -0
package/dist/component/public/groups/core.js.map +1 -0
package/dist/component/public/groups/invites.d.ts +217 -0
package/dist/component/public/groups/invites.d.ts.map +1 -0
package/dist/component/public/groups/invites.js +457 -0
package/dist/component/public/groups/invites.js.map +1 -0
package/dist/component/public/groups/members.d.ts +204 -0
package/dist/component/public/groups/members.d.ts.map +1 -0
package/dist/component/public/groups/members.js +355 -0
package/dist/component/public/groups/members.js.map +1 -0
package/dist/component/public/identity/accounts.d.ts +147 -0
package/dist/component/public/identity/accounts.d.ts.map +1 -0
package/dist/component/public/identity/accounts.js +200 -0
package/dist/component/public/identity/accounts.js.map +1 -0
package/dist/component/public/identity/codes.d.ts +104 -0
package/dist/component/public/identity/codes.d.ts.map +1 -0
package/dist/component/public/identity/codes.js +140 -0
package/dist/component/public/identity/codes.js.map +1 -0
package/dist/component/public/identity/sessions.d.ts +128 -0
package/dist/component/public/identity/sessions.d.ts.map +1 -0
package/dist/component/public/identity/sessions.js +192 -0
package/dist/component/public/identity/sessions.js.map +1 -0
package/dist/component/public/identity/tokens.d.ts +169 -0
package/dist/component/public/identity/tokens.d.ts.map +1 -0
package/dist/component/public/identity/tokens.js +227 -0
package/dist/component/public/identity/tokens.js.map +1 -0
package/dist/component/public/identity/users.d.ts +212 -0
package/dist/component/public/identity/users.d.ts.map +1 -0
package/dist/component/public/identity/users.js +311 -0
package/dist/component/public/identity/users.js.map +1 -0
package/dist/component/public/identity/verifiers.d.ts +116 -0
package/dist/component/public/identity/verifiers.d.ts.map +1 -0
package/dist/component/public/identity/verifiers.js +154 -0
package/dist/component/public/identity/verifiers.js.map +1 -0
package/dist/component/public/security/keys.d.ts +209 -0
package/dist/component/public/security/keys.d.ts.map +1 -0
package/dist/component/public/security/keys.js +319 -0
package/dist/component/public/security/keys.js.map +1 -0
package/dist/component/public/security/limits.d.ts +114 -0
package/dist/component/public/security/limits.d.ts.map +1 -0
package/dist/component/public/security/limits.js +169 -0
package/dist/component/public/security/limits.js.map +1 -0
package/dist/component/public.d.ts +24 -271
package/dist/component/public.d.ts.map +1 -1
package/dist/component/public.js +21 -1229
package/dist/component/schema.d.ts +473 -110
package/dist/component/schema.js +162 -73
package/dist/component/schema.js.map +1 -1
package/dist/component/server/auth.d.ts +318 -373
package/dist/component/server/auth.d.ts.map +1 -1
package/dist/component/server/auth.js +204 -123
package/dist/component/server/auth.js.map +1 -1
package/dist/component/server/authError.js +34 -0
package/dist/component/server/authError.js.map +1 -0
package/dist/component/server/{providers.js → config.js} +43 -12
package/dist/component/server/config.js.map +1 -0
package/dist/component/server/cookies.js +3 -0
package/dist/component/server/cookies.js.map +1 -1
package/dist/component/server/core.js +713 -0
package/dist/component/server/core.js.map +1 -0
package/dist/component/server/crypto.js +38 -0
package/dist/component/server/crypto.js.map +1 -0
package/dist/component/server/{implementation/db.js → db.js} +2 -1
package/dist/component/server/db.js.map +1 -0
package/dist/component/server/device.js +109 -0
package/dist/component/server/device.js.map +1 -0
package/dist/component/server/enterprise/config.js +46 -0
package/dist/component/server/enterprise/config.js.map +1 -0
package/dist/component/server/enterprise/domain.js +885 -0
package/dist/component/server/enterprise/domain.js.map +1 -0
package/dist/component/server/enterprise/http.js +766 -0
package/dist/component/server/enterprise/http.js.map +1 -0
package/dist/component/server/enterprise/oidc.js +248 -0
package/dist/component/server/enterprise/oidc.js.map +1 -0
package/dist/component/server/enterprise/policy.js +85 -0
package/dist/component/server/enterprise/policy.js.map +1 -0
package/dist/component/server/enterprise/saml.js +338 -0
package/dist/component/server/enterprise/saml.js.map +1 -0
package/dist/component/server/enterprise/scim.js +97 -0
package/dist/component/server/enterprise/scim.js.map +1 -0
package/dist/component/server/enterprise/shared.js +51 -0
package/dist/component/server/enterprise/shared.js.map +1 -0
package/dist/component/server/errors.d.ts +1 -0
package/dist/component/server/errors.js +24 -16
package/dist/component/server/errors.js.map +1 -1
package/dist/component/server/http.js +288 -0
package/dist/component/server/http.js.map +1 -0
package/dist/component/server/identity.js +13 -0
package/dist/component/server/identity.js.map +1 -0
package/dist/{server/implementation → component/server}/keys.js +9 -31
package/dist/component/server/keys.js.map +1 -0
package/dist/component/server/limits.js +61 -0
package/dist/component/server/limits.js.map +1 -0
package/dist/component/server/mutations/account.js +44 -0
package/dist/component/server/mutations/account.js.map +1 -0
package/dist/component/server/{implementation/mutations → mutations}/code.js +7 -4
package/dist/component/server/mutations/code.js.map +1 -0
package/dist/component/server/mutations/invalidate.js +32 -0
package/dist/component/server/mutations/invalidate.js.map +1 -0
package/dist/component/server/mutations/oauth.js +110 -0
package/dist/component/server/mutations/oauth.js.map +1 -0
package/dist/component/server/mutations/refresh.js +119 -0
package/dist/component/server/mutations/refresh.js.map +1 -0
package/dist/component/server/mutations/register.js +83 -0
package/dist/component/server/mutations/register.js.map +1 -0
package/dist/component/server/mutations/retrieve.js +65 -0
package/dist/component/server/mutations/retrieve.js.map +1 -0
package/dist/component/server/mutations/signature.js +32 -0
package/dist/component/server/mutations/signature.js.map +1 -0
package/dist/component/server/{implementation/mutations → mutations}/signin.js +2 -2
package/dist/component/server/mutations/signin.js.map +1 -0
package/dist/component/server/mutations/signout.js +27 -0
package/dist/component/server/mutations/signout.js.map +1 -0
package/dist/component/server/mutations/store/refs.js +15 -0
package/dist/component/server/mutations/store/refs.js.map +1 -0
package/dist/component/server/mutations/store.js +85 -0
package/dist/component/server/mutations/store.js.map +1 -0
package/dist/component/server/mutations/verifier.js +18 -0
package/dist/component/server/mutations/verifier.js.map +1 -0
package/dist/component/server/mutations/verify.js +98 -0
package/dist/component/server/mutations/verify.js.map +1 -0
package/dist/component/server/oauth.js +106 -60
package/dist/component/server/oauth.js.map +1 -1
package/dist/component/server/passkey.js +328 -0
package/dist/component/server/passkey.js.map +1 -0
package/dist/{server/implementation → component/server}/redirects.js +13 -11
package/dist/component/server/redirects.js.map +1 -0
package/dist/component/server/refresh.js +96 -0
package/dist/component/server/refresh.js.map +1 -0
package/dist/component/server/runtime.d.ts +136 -0
package/dist/component/server/runtime.d.ts.map +1 -0
package/dist/component/server/runtime.js +413 -0
package/dist/component/server/runtime.js.map +1 -0
package/dist/{server/implementation → component/server}/sessions.js +14 -8
package/dist/component/server/sessions.js.map +1 -0
package/dist/component/server/signin.js +201 -0
package/dist/component/server/signin.js.map +1 -0
package/dist/component/server/tokens.js +17 -0
package/dist/component/server/tokens.js.map +1 -0
package/dist/component/server/totp.js +148 -0
package/dist/component/server/totp.js.map +1 -0
package/dist/component/server/types.d.ts +387 -298
package/dist/component/server/types.d.ts.map +1 -1
package/dist/component/server/{implementation/types.js → types.js} +1 -1
package/dist/component/server/types.js.map +1 -0
package/dist/component/server/{implementation/users.js → users.js} +54 -35
package/dist/component/server/users.js.map +1 -0
package/dist/component/server/utils.js +110 -4
package/dist/component/server/utils.js.map +1 -1
package/dist/core/types.d.ts +369 -0
package/dist/core/types.d.ts.map +1 -0
package/dist/factors/device.js +105 -0
package/dist/factors/device.js.map +1 -0
package/dist/factors/passkey.js +181 -0
package/dist/factors/passkey.js.map +1 -0
package/dist/factors/totp.js +122 -0
package/dist/factors/totp.js.map +1 -0
package/dist/providers/anonymous.d.ts +3 -9
package/dist/providers/anonymous.d.ts.map +1 -1
package/dist/providers/anonymous.js +1 -18
package/dist/providers/anonymous.js.map +1 -1
package/dist/providers/credentials.d.ts +8 -10
package/dist/providers/credentials.d.ts.map +1 -1
package/dist/providers/credentials.js +3 -5
package/dist/providers/credentials.js.map +1 -1
package/dist/providers/device.d.ts +18 -10
package/dist/providers/device.d.ts.map +1 -1
package/dist/providers/device.js +4 -8
package/dist/providers/device.js.map +1 -1
package/dist/providers/email.d.ts +50 -23
package/dist/providers/email.d.ts.map +1 -1
package/dist/providers/email.js +58 -34
package/dist/providers/email.js.map +1 -1
package/dist/providers/index.d.ts +7 -3
package/dist/providers/index.js +4 -1
package/dist/providers/oauth.d.ts.map +1 -1
package/dist/providers/oauth.js.map +1 -1
package/dist/providers/passkey.d.ts +12 -9
package/dist/providers/passkey.d.ts.map +1 -1
package/dist/providers/passkey.js +1 -7
package/dist/providers/passkey.js.map +1 -1
package/dist/providers/password.d.ts +6 -12
package/dist/providers/password.d.ts.map +1 -1
package/dist/providers/password.js +189 -89
package/dist/providers/password.js.map +1 -1
package/dist/providers/phone.d.ts +40 -11
package/dist/providers/phone.d.ts.map +1 -1
package/dist/providers/phone.js +52 -21
package/dist/providers/phone.js.map +1 -1
package/dist/providers/sso.d.ts +50 -0
package/dist/providers/sso.d.ts.map +1 -0
package/dist/providers/sso.js +34 -0
package/dist/providers/sso.js.map +1 -0
package/dist/providers/totp.d.ts +12 -9
package/dist/providers/totp.d.ts.map +1 -1
package/dist/providers/totp.js +1 -7
package/dist/providers/totp.js.map +1 -1
package/dist/runtime/browser.js +68 -0
package/dist/runtime/browser.js.map +1 -0
package/dist/runtime/invite.js +51 -0
package/dist/runtime/invite.js.map +1 -0
package/dist/runtime/proxy.js +70 -0
package/dist/runtime/proxy.js.map +1 -0
package/dist/runtime/storage.js +37 -0
package/dist/runtime/storage.js.map +1 -0
package/dist/server/auth.d.ts +335 -370
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +204 -123
package/dist/server/auth.js.map +1 -1
package/dist/server/authError.d.ts +46 -0
package/dist/server/authError.d.ts.map +1 -0
package/dist/server/authError.js +34 -0
package/dist/server/authError.js.map +1 -0
package/dist/server/config.d.ts +1 -0
package/dist/server/{providers.js → config.js} +43 -12
package/dist/server/config.js.map +1 -0
package/dist/server/cookies.d.ts +1 -38
package/dist/server/cookies.js +3 -0
package/dist/server/cookies.js.map +1 -1
package/dist/server/core.d.ts +1436 -0
package/dist/server/core.d.ts.map +1 -0
package/dist/server/core.js +713 -0
package/dist/server/core.js.map +1 -0
package/dist/server/crypto.d.ts +8 -0
package/dist/server/crypto.d.ts.map +1 -0
package/dist/server/crypto.js +38 -0
package/dist/server/crypto.js.map +1 -0
package/dist/server/db.d.ts +1 -0
package/dist/server/{implementation/db.js → db.js} +2 -1
package/dist/server/db.js.map +1 -0
package/dist/server/device.d.ts +1 -0
package/dist/server/device.js +109 -0
package/dist/server/device.js.map +1 -0
package/dist/server/enterprise/config.d.ts +1 -0
package/dist/server/enterprise/config.js +46 -0
package/dist/server/enterprise/config.js.map +1 -0
package/dist/server/enterprise/domain.d.ts +409 -0
package/dist/server/enterprise/domain.d.ts.map +1 -0
package/dist/server/enterprise/domain.js +885 -0
package/dist/server/enterprise/domain.js.map +1 -0
package/dist/server/enterprise/http.d.ts +26 -0
package/dist/server/enterprise/http.d.ts.map +1 -0
package/dist/server/enterprise/http.js +766 -0
package/dist/server/enterprise/http.js.map +1 -0
package/dist/server/enterprise/oidc.d.ts +1 -0
package/dist/server/enterprise/oidc.js +248 -0
package/dist/server/enterprise/oidc.js.map +1 -0
package/dist/server/enterprise/policy.d.ts +1 -0
package/dist/server/enterprise/policy.js +85 -0
package/dist/server/enterprise/policy.js.map +1 -0
package/dist/server/enterprise/saml.d.ts +1 -0
package/dist/server/enterprise/saml.js +338 -0
package/dist/server/enterprise/saml.js.map +1 -0
package/dist/server/enterprise/scim.d.ts +1 -0
package/dist/server/enterprise/scim.js +97 -0
package/dist/server/enterprise/scim.js.map +1 -0
package/dist/server/enterprise/shared.d.ts +5 -0
package/dist/server/enterprise/shared.d.ts.map +1 -0
package/dist/server/enterprise/shared.js +51 -0
package/dist/server/enterprise/shared.js.map +1 -0
package/dist/server/enterprise/validators.d.ts +1 -0
package/dist/server/enterprise/validators.js +60 -0
package/dist/server/enterprise/validators.js.map +1 -0
package/dist/server/errors.d.ts +33 -1
package/dist/server/errors.d.ts.map +1 -1
package/dist/server/errors.js +44 -1
package/dist/server/errors.js.map +1 -1
package/dist/server/http.d.ts +59 -0
package/dist/server/http.d.ts.map +1 -0
package/dist/server/http.js +288 -0
package/dist/server/http.js.map +1 -0
package/dist/server/identity.d.ts +1 -0
package/dist/server/identity.js +13 -0
package/dist/server/identity.js.map +1 -0
package/dist/server/index.d.ts +4 -182
package/dist/server/index.js +4 -376
package/dist/server/keys.d.ts +1 -0
package/dist/{component/server/implementation → server}/keys.js +9 -31
package/dist/server/keys.js.map +1 -0
package/dist/server/limits.d.ts +1 -0
package/dist/server/limits.js +61 -0
package/dist/server/limits.js.map +1 -0
package/dist/server/mounts.d.ts +647 -0
package/dist/server/mounts.d.ts.map +1 -0
package/dist/server/mounts.js +643 -0
package/dist/server/mounts.js.map +1 -0
package/dist/server/mutations/account.d.ts +30 -0
package/dist/server/mutations/account.d.ts.map +1 -0
package/dist/server/mutations/account.js +44 -0
package/dist/server/mutations/account.js.map +1 -0
package/dist/server/mutations/code.d.ts +30 -0
package/dist/server/mutations/code.d.ts.map +1 -0
package/dist/server/{implementation/mutations → mutations}/code.js +7 -4
package/dist/server/mutations/code.js.map +1 -0
package/dist/server/mutations/index.d.ts +14 -0
package/dist/server/mutations/index.js +15 -0
package/dist/server/mutations/invalidate.d.ts +20 -0
package/dist/server/mutations/invalidate.d.ts.map +1 -0
package/dist/server/mutations/invalidate.js +32 -0
package/dist/server/mutations/invalidate.js.map +1 -0
package/dist/server/mutations/oauth.d.ts +28 -0
package/dist/server/mutations/oauth.d.ts.map +1 -0
package/dist/server/mutations/oauth.js +110 -0
package/dist/server/mutations/oauth.js.map +1 -0
package/dist/server/mutations/refresh.d.ts +21 -0
package/dist/server/mutations/refresh.d.ts.map +1 -0
package/dist/server/mutations/refresh.js +119 -0
package/dist/server/mutations/refresh.js.map +1 -0
package/dist/server/mutations/register.d.ts +38 -0
package/dist/server/mutations/register.d.ts.map +1 -0
package/dist/server/mutations/register.js +83 -0
package/dist/server/mutations/register.js.map +1 -0
package/dist/server/mutations/retrieve.d.ts +33 -0
package/dist/server/mutations/retrieve.d.ts.map +1 -0
package/dist/server/mutations/retrieve.js +65 -0
package/dist/server/mutations/retrieve.js.map +1 -0
package/dist/server/mutations/signature.d.ts +22 -0
package/dist/server/mutations/signature.d.ts.map +1 -0
package/dist/server/mutations/signature.js +32 -0
package/dist/server/mutations/signature.js.map +1 -0
package/dist/server/mutations/signin.d.ts +22 -0
package/dist/server/mutations/signin.d.ts.map +1 -0
package/dist/server/{implementation/mutations → mutations}/signin.js +2 -2
package/dist/server/mutations/signin.js.map +1 -0
package/dist/server/mutations/signout.d.ts +16 -0
package/dist/server/mutations/signout.d.ts.map +1 -0
package/dist/server/mutations/signout.js +27 -0
package/dist/server/mutations/signout.js.map +1 -0
package/dist/server/mutations/store/refs.d.ts +12 -0
package/dist/server/mutations/store/refs.d.ts.map +1 -0
package/dist/server/mutations/store/refs.js +15 -0
package/dist/server/mutations/store/refs.js.map +1 -0
package/dist/server/mutations/store.d.ts +306 -0
package/dist/server/mutations/store.d.ts.map +1 -0
package/dist/server/mutations/store.js +85 -0
package/dist/server/mutations/store.js.map +1 -0
package/dist/server/mutations/verifier.d.ts +13 -0
package/dist/server/mutations/verifier.d.ts.map +1 -0
package/dist/server/mutations/verifier.js +18 -0
package/dist/server/mutations/verifier.js.map +1 -0
package/dist/server/mutations/verify.d.ts +26 -0
package/dist/server/mutations/verify.d.ts.map +1 -0
package/dist/server/mutations/verify.js +98 -0
package/dist/server/mutations/verify.js.map +1 -0
package/dist/server/oauth.d.ts +1 -48
package/dist/server/oauth.js +107 -64
package/dist/server/oauth.js.map +1 -1
package/dist/server/passkey.d.ts +27 -0
package/dist/server/passkey.d.ts.map +1 -0
package/dist/server/passkey.js +328 -0
package/dist/server/passkey.js.map +1 -0
package/dist/server/redirects.d.ts +1 -0
package/dist/{component/server/implementation → server}/redirects.js +13 -11
package/dist/server/redirects.js.map +1 -0
package/dist/server/refresh.d.ts +1 -0
package/dist/server/refresh.js +96 -0
package/dist/server/refresh.js.map +1 -0
package/dist/server/runtime.d.ts +136 -0
package/dist/server/runtime.d.ts.map +1 -0
package/dist/server/runtime.js +413 -0
package/dist/server/runtime.js.map +1 -0
package/dist/server/sessions.d.ts +1 -0
package/dist/{component/server/implementation → server}/sessions.js +14 -8
package/dist/server/sessions.js.map +1 -0
package/dist/server/signin.d.ts +1 -0
package/dist/server/signin.js +201 -0
package/dist/server/signin.js.map +1 -0
package/dist/server/ssr.d.ts +226 -0
package/dist/server/ssr.d.ts.map +1 -0
package/dist/server/ssr.js +786 -0
package/dist/server/ssr.js.map +1 -0
package/dist/server/templates.d.ts +1 -21
package/dist/server/templates.js +2 -1
package/dist/server/templates.js.map +1 -1
package/dist/server/tokens.d.ts +1 -0
package/dist/server/tokens.js +17 -0
package/dist/server/tokens.js.map +1 -0
package/dist/server/totp.d.ts +1 -0
package/dist/server/totp.js +148 -0
package/dist/server/totp.js.map +1 -0
package/dist/server/types.d.ts +498 -306
package/dist/server/types.d.ts.map +1 -1
package/dist/server/types.js +108 -1
package/dist/server/types.js.map +1 -0
package/dist/server/users.d.ts +1 -0
package/dist/server/{implementation/users.js → users.js} +54 -35
package/dist/server/users.js.map +1 -0
package/dist/server/utils.d.ts +1 -6
package/dist/server/utils.js +110 -4
package/dist/server/utils.js.map +1 -1
package/package.json +49 -46
package/src/authorization/index.ts +83 -0
package/src/cli/bin.ts +5 -0
package/src/cli/command.ts +6 -5
package/src/cli/index.ts +456 -248
package/src/cli/keys.ts +3 -0
package/src/client/core/types.ts +437 -0
package/src/client/factors/device.ts +160 -0
package/src/client/factors/passkey.ts +282 -0
package/src/client/factors/totp.ts +150 -0
package/src/client/index.ts +745 -989
package/src/client/runtime/browser.ts +112 -0
package/src/client/runtime/invite.ts +65 -0
package/src/client/runtime/proxy.ts +111 -0
package/src/client/runtime/storage.ts +79 -0
package/src/component/_generated/api.ts +42 -0
package/src/component/_generated/component.ts +3123 -102
package/src/component/functions.ts +38 -22
package/src/component/index.ts +10 -20
package/src/component/model.ts +449 -0
package/src/component/public/enterprise/audit.ts +120 -0
package/src/component/public/enterprise/core.ts +354 -0
package/src/component/public/enterprise/domains.ts +323 -0
package/src/component/public/enterprise/scim.ts +396 -0
package/src/component/public/enterprise/secrets.ts +132 -0
package/src/component/public/enterprise/webhooks.ts +306 -0
package/src/component/public/factors/devices.ts +223 -0
package/src/component/public/factors/passkeys.ts +242 -0
package/src/component/public/factors/totp.ts +258 -0
package/src/component/public/groups/core.ts +481 -0
package/src/component/public/groups/invites.ts +602 -0
package/src/component/public/groups/members.ts +409 -0
package/src/component/public/identity/accounts.ts +206 -0
package/src/component/public/identity/codes.ts +148 -0
package/src/component/public/identity/sessions.ts +209 -0
package/src/component/public/identity/tokens.ts +250 -0
package/src/component/public/identity/users.ts +354 -0
package/src/component/public/identity/verifiers.ts +157 -0
package/src/component/public/security/keys.ts +365 -0
package/src/component/public/security/limits.ts +173 -0
package/src/component/public.ts +26 -1766
package/src/component/schema.ts +273 -100
package/src/providers/anonymous.ts +10 -20
package/src/providers/credentials.ts +14 -22
package/src/providers/device.ts +3 -14
package/src/providers/email.ts +83 -47
package/src/providers/index.ts +7 -0
package/src/providers/oauth.ts +5 -3
package/src/providers/passkey.ts +0 -13
package/src/providers/password.ts +307 -130
package/src/providers/phone.ts +81 -37
package/src/providers/sso.ts +54 -0
package/src/providers/totp.ts +0 -13
package/src/samlify.d.ts +53 -0
package/src/server/auth.ts +701 -247
package/src/server/authError.ts +44 -0
package/src/server/{providers.ts → config.ts} +84 -15
package/src/server/cookies.ts +8 -1
package/src/server/core.ts +2095 -0
package/src/server/crypto.ts +88 -0
package/src/server/{implementation/db.ts → db.ts} +90 -15
package/src/server/device.ts +221 -0
package/src/server/enterprise/config.ts +51 -0
package/src/server/enterprise/domain.ts +1751 -0
package/src/server/enterprise/http.ts +1324 -0
package/src/server/enterprise/oidc.ts +500 -0
package/src/server/enterprise/policy.ts +128 -0
package/src/server/enterprise/saml.ts +578 -0
package/src/server/enterprise/scim.ts +135 -0
package/src/server/enterprise/shared.ts +134 -0
package/src/server/enterprise/validators.ts +93 -0
package/src/server/errors.ts +130 -119
package/src/server/http.ts +531 -0
package/src/server/identity.ts +18 -0
package/src/server/index.ts +32 -650
package/src/server/{implementation/keys.ts → keys.ts} +16 -44
package/src/server/limits.ts +134 -0
package/src/server/mounts.ts +948 -0
package/src/server/mutations/account.ts +76 -0
package/src/server/{implementation/mutations → mutations}/code.ts +22 -11
package/src/server/mutations/index.ts +13 -0
package/src/server/mutations/invalidate.ts +50 -0
package/src/server/mutations/oauth.ts +237 -0
package/src/server/mutations/refresh.ts +298 -0
package/src/server/mutations/register.ts +200 -0
package/src/server/mutations/retrieve.ts +109 -0
package/src/server/mutations/signature.ts +50 -0
package/src/server/{implementation/mutations → mutations}/signin.ts +9 -7
package/src/server/mutations/signout.ts +43 -0
package/src/server/mutations/store/refs.ts +10 -0
package/src/server/mutations/store.ts +138 -0
package/src/server/mutations/verifier.ts +34 -0
package/src/server/mutations/verify.ts +202 -0
package/src/server/oauth.ts +243 -131
package/src/server/passkey.ts +784 -0
package/src/server/{implementation/redirects.ts → redirects.ts} +21 -16
package/src/server/refresh.ts +222 -0
package/src/server/runtime.ts +880 -0
package/src/server/{implementation/sessions.ts → sessions.ts} +33 -25
package/src/server/signin.ts +438 -0
package/src/server/ssr.ts +1764 -0
package/src/server/templates.ts +8 -3
package/src/server/{implementation/tokens.ts → tokens.ts} +11 -5
package/src/server/totp.ts +349 -0
package/src/server/types.ts +972 -207
package/src/server/{implementation/users.ts → users.ts} +129 -75
package/src/server/utils.ts +192 -5
package/src/test.ts +28 -4
package/dist/bin.cjs +0 -27757
package/dist/component/providers/email.js +0 -47
package/dist/component/providers/email.js.map +0 -1
package/dist/component/public.js.map +0 -1
package/dist/component/server/implementation/db.js.map +0 -1
package/dist/component/server/implementation/device.js +0 -135
package/dist/component/server/implementation/device.js.map +0 -1
package/dist/component/server/implementation/index.d.ts +0 -870
package/dist/component/server/implementation/index.d.ts.map +0 -1
package/dist/component/server/implementation/index.js +0 -610
package/dist/component/server/implementation/index.js.map +0 -1
package/dist/component/server/implementation/keys.js.map +0 -1
package/dist/component/server/implementation/mutations/account.js +0 -39
package/dist/component/server/implementation/mutations/account.js.map +0 -1
package/dist/component/server/implementation/mutations/code.js.map +0 -1
package/dist/component/server/implementation/mutations/index.js +0 -70
package/dist/component/server/implementation/mutations/index.js.map +0 -1
package/dist/component/server/implementation/mutations/invalidate.js +0 -29
package/dist/component/server/implementation/mutations/invalidate.js.map +0 -1
package/dist/component/server/implementation/mutations/oauth.js +0 -51
package/dist/component/server/implementation/mutations/oauth.js.map +0 -1
package/dist/component/server/implementation/mutations/refresh.js +0 -85
package/dist/component/server/implementation/mutations/refresh.js.map +0 -1
package/dist/component/server/implementation/mutations/register.js +0 -65
package/dist/component/server/implementation/mutations/register.js.map +0 -1
package/dist/component/server/implementation/mutations/retrieve.js +0 -50
package/dist/component/server/implementation/mutations/retrieve.js.map +0 -1
package/dist/component/server/implementation/mutations/signature.js +0 -27
package/dist/component/server/implementation/mutations/signature.js.map +0 -1
package/dist/component/server/implementation/mutations/signin.js.map +0 -1
package/dist/component/server/implementation/mutations/signout.js +0 -27
package/dist/component/server/implementation/mutations/signout.js.map +0 -1
package/dist/component/server/implementation/mutations/store.js +0 -12
package/dist/component/server/implementation/mutations/store.js.map +0 -1
package/dist/component/server/implementation/mutations/verifier.js +0 -16
package/dist/component/server/implementation/mutations/verifier.js.map +0 -1
package/dist/component/server/implementation/mutations/verify.js +0 -105
package/dist/component/server/implementation/mutations/verify.js.map +0 -1
package/dist/component/server/implementation/passkey.js +0 -307
package/dist/component/server/implementation/passkey.js.map +0 -1
package/dist/component/server/implementation/provider.js +0 -19
package/dist/component/server/implementation/provider.js.map +0 -1
package/dist/component/server/implementation/ratelimit.js +0 -48
package/dist/component/server/implementation/ratelimit.js.map +0 -1
package/dist/component/server/implementation/redirects.js.map +0 -1
package/dist/component/server/implementation/refresh.js +0 -109
package/dist/component/server/implementation/refresh.js.map +0 -1
package/dist/component/server/implementation/sessions.js.map +0 -1
package/dist/component/server/implementation/signin.js +0 -148
package/dist/component/server/implementation/signin.js.map +0 -1
package/dist/component/server/implementation/tokens.js +0 -15
package/dist/component/server/implementation/tokens.js.map +0 -1
package/dist/component/server/implementation/totp.js +0 -142
package/dist/component/server/implementation/totp.js.map +0 -1
package/dist/component/server/implementation/types.d.ts +0 -42
package/dist/component/server/implementation/types.d.ts.map +0 -1
package/dist/component/server/implementation/types.js.map +0 -1
package/dist/component/server/implementation/users.js.map +0 -1
package/dist/component/server/implementation/utils.js +0 -56
package/dist/component/server/implementation/utils.js.map +0 -1
package/dist/component/server/providers.js.map +0 -1
package/dist/component/server/templates.js +0 -84
package/dist/component/server/templates.js.map +0 -1
package/dist/server/cookies.d.ts.map +0 -1
package/dist/server/implementation/db.d.ts +0 -86
package/dist/server/implementation/db.d.ts.map +0 -1
package/dist/server/implementation/db.js.map +0 -1
package/dist/server/implementation/device.d.ts +0 -30
package/dist/server/implementation/device.d.ts.map +0 -1
package/dist/server/implementation/device.js +0 -135
package/dist/server/implementation/device.js.map +0 -1
package/dist/server/implementation/index.d.ts +0 -870
package/dist/server/implementation/index.d.ts.map +0 -1
package/dist/server/implementation/index.js +0 -610
package/dist/server/implementation/index.js.map +0 -1
package/dist/server/implementation/keys.d.ts +0 -66
package/dist/server/implementation/keys.d.ts.map +0 -1
package/dist/server/implementation/keys.js.map +0 -1
package/dist/server/implementation/mutations/account.d.ts +0 -27
package/dist/server/implementation/mutations/account.d.ts.map +0 -1
package/dist/server/implementation/mutations/account.js +0 -39
package/dist/server/implementation/mutations/account.js.map +0 -1
package/dist/server/implementation/mutations/code.d.ts +0 -29
package/dist/server/implementation/mutations/code.d.ts.map +0 -1
package/dist/server/implementation/mutations/code.js.map +0 -1
package/dist/server/implementation/mutations/index.d.ts +0 -310
package/dist/server/implementation/mutations/index.d.ts.map +0 -1
package/dist/server/implementation/mutations/index.js +0 -70
package/dist/server/implementation/mutations/index.js.map +0 -1
package/dist/server/implementation/mutations/invalidate.d.ts +0 -18
package/dist/server/implementation/mutations/invalidate.d.ts.map +0 -1
package/dist/server/implementation/mutations/invalidate.js +0 -29
package/dist/server/implementation/mutations/invalidate.js.map +0 -1
package/dist/server/implementation/mutations/oauth.d.ts +0 -23
package/dist/server/implementation/mutations/oauth.d.ts.map +0 -1
package/dist/server/implementation/mutations/oauth.js +0 -51
package/dist/server/implementation/mutations/oauth.js.map +0 -1
package/dist/server/implementation/mutations/refresh.d.ts +0 -20
package/dist/server/implementation/mutations/refresh.d.ts.map +0 -1
package/dist/server/implementation/mutations/refresh.js +0 -85
package/dist/server/implementation/mutations/refresh.js.map +0 -1
package/dist/server/implementation/mutations/register.d.ts +0 -37
package/dist/server/implementation/mutations/register.d.ts.map +0 -1
package/dist/server/implementation/mutations/register.js +0 -65
package/dist/server/implementation/mutations/register.js.map +0 -1
package/dist/server/implementation/mutations/retrieve.d.ts +0 -31
package/dist/server/implementation/mutations/retrieve.d.ts.map +0 -1
package/dist/server/implementation/mutations/retrieve.js +0 -50
package/dist/server/implementation/mutations/retrieve.js.map +0 -1
package/dist/server/implementation/mutations/signature.d.ts +0 -19
package/dist/server/implementation/mutations/signature.d.ts.map +0 -1
package/dist/server/implementation/mutations/signature.js +0 -27
package/dist/server/implementation/mutations/signature.js.map +0 -1
package/dist/server/implementation/mutations/signin.d.ts +0 -21
package/dist/server/implementation/mutations/signin.d.ts.map +0 -1
package/dist/server/implementation/mutations/signin.js.map +0 -1
package/dist/server/implementation/mutations/signout.d.ts +0 -14
package/dist/server/implementation/mutations/signout.d.ts.map +0 -1
package/dist/server/implementation/mutations/signout.js +0 -27
package/dist/server/implementation/mutations/signout.js.map +0 -1
package/dist/server/implementation/mutations/store.d.ts +0 -11
package/dist/server/implementation/mutations/store.d.ts.map +0 -1
package/dist/server/implementation/mutations/store.js +0 -12
package/dist/server/implementation/mutations/store.js.map +0 -1
package/dist/server/implementation/mutations/verifier.d.ts +0 -11
package/dist/server/implementation/mutations/verifier.d.ts.map +0 -1
package/dist/server/implementation/mutations/verifier.js +0 -16
package/dist/server/implementation/mutations/verifier.js.map +0 -1
package/dist/server/implementation/mutations/verify.d.ts +0 -25
package/dist/server/implementation/mutations/verify.d.ts.map +0 -1
package/dist/server/implementation/mutations/verify.js +0 -105
package/dist/server/implementation/mutations/verify.js.map +0 -1
package/dist/server/implementation/passkey.d.ts +0 -24
package/dist/server/implementation/passkey.d.ts.map +0 -1
package/dist/server/implementation/passkey.js +0 -307
package/dist/server/implementation/passkey.js.map +0 -1
package/dist/server/implementation/provider.d.ts +0 -10
package/dist/server/implementation/provider.d.ts.map +0 -1
package/dist/server/implementation/provider.js +0 -19
package/dist/server/implementation/provider.js.map +0 -1
package/dist/server/implementation/ratelimit.d.ts +0 -10
package/dist/server/implementation/ratelimit.d.ts.map +0 -1
package/dist/server/implementation/ratelimit.js +0 -48
package/dist/server/implementation/ratelimit.js.map +0 -1
package/dist/server/implementation/redirects.d.ts +0 -10
package/dist/server/implementation/redirects.d.ts.map +0 -1
package/dist/server/implementation/redirects.js.map +0 -1
package/dist/server/implementation/refresh.d.ts +0 -37
package/dist/server/implementation/refresh.d.ts.map +0 -1
package/dist/server/implementation/refresh.js +0 -109
package/dist/server/implementation/refresh.js.map +0 -1
package/dist/server/implementation/sessions.d.ts +0 -29
package/dist/server/implementation/sessions.d.ts.map +0 -1
package/dist/server/implementation/sessions.js.map +0 -1
package/dist/server/implementation/signin.d.ts +0 -55
package/dist/server/implementation/signin.d.ts.map +0 -1
package/dist/server/implementation/signin.js +0 -148
package/dist/server/implementation/signin.js.map +0 -1
package/dist/server/implementation/tokens.d.ts +0 -11
package/dist/server/implementation/tokens.d.ts.map +0 -1
package/dist/server/implementation/tokens.js +0 -15
package/dist/server/implementation/tokens.js.map +0 -1
package/dist/server/implementation/totp.d.ts +0 -31
package/dist/server/implementation/totp.d.ts.map +0 -1
package/dist/server/implementation/totp.js +0 -142
package/dist/server/implementation/totp.js.map +0 -1
package/dist/server/implementation/types.d.ts +0 -189
package/dist/server/implementation/types.d.ts.map +0 -1
package/dist/server/implementation/types.js +0 -97
package/dist/server/implementation/types.js.map +0 -1
package/dist/server/implementation/users.d.ts +0 -30
package/dist/server/implementation/users.d.ts.map +0 -1
package/dist/server/implementation/users.js.map +0 -1
package/dist/server/implementation/utils.d.ts +0 -19
package/dist/server/implementation/utils.d.ts.map +0 -1
package/dist/server/implementation/utils.js +0 -56
package/dist/server/implementation/utils.js.map +0 -1
package/dist/server/index.d.ts.map +0 -1
package/dist/server/index.js.map +0 -1
package/dist/server/oauth.d.ts.map +0 -1
package/dist/server/providers.d.ts +0 -72
package/dist/server/providers.d.ts.map +0 -1
package/dist/server/providers.js.map +0 -1
package/dist/server/templates.d.ts.map +0 -1
package/dist/server/utils.d.ts.map +0 -1
package/dist/server/version.d.ts +0 -5
package/dist/server/version.d.ts.map +0 -1
package/dist/server/version.js +0 -6
package/dist/server/version.js.map +0 -1
package/src/cli/utils.ts +0 -248
package/src/server/implementation/device.ts +0 -307
package/src/server/implementation/index.ts +0 -1583
package/src/server/implementation/mutations/account.ts +0 -50
package/src/server/implementation/mutations/index.ts +0 -157
package/src/server/implementation/mutations/invalidate.ts +0 -42
package/src/server/implementation/mutations/oauth.ts +0 -73
package/src/server/implementation/mutations/refresh.ts +0 -175
package/src/server/implementation/mutations/register.ts +0 -100
package/src/server/implementation/mutations/retrieve.ts +0 -79
package/src/server/implementation/mutations/signature.ts +0 -39
package/src/server/implementation/mutations/signout.ts +0 -35
package/src/server/implementation/mutations/store.ts +0 -7
package/src/server/implementation/mutations/verifier.ts +0 -24
package/src/server/implementation/mutations/verify.ts +0 -194
package/src/server/implementation/passkey.ts +0 -620
package/src/server/implementation/provider.ts +0 -36
package/src/server/implementation/ratelimit.ts +0 -79
package/src/server/implementation/refresh.ts +0 -172
package/src/server/implementation/signin.ts +0 -296
package/src/server/implementation/totp.ts +0 -342
package/src/server/implementation/types.ts +0 -444
package/src/server/implementation/utils.ts +0 -91
package/src/server/version.ts +0 -2

package/dist/component/server/types.d.ts CHANGED Viewed

@@ -1,14 +1,80 @@
+import _default from "../schema.js";
 import { OAuthProviderInstance } from "../providers/oauth.js";
-import { CredentialsUserConfig } from "../providers/credentials.js";
-import { AnyDataModel, DocumentByName, FunctionReference, GenericActionCtx, GenericDataModel, GenericMutationCtx, RegisteredAction, RegisteredMutation, RegisteredQuery, TableNamesInDataModel } from "convex/server";
-import { GenericId, Value } from "convex/values";
+import { CredentialsConfig } from "../providers/credentials.js";
+import { Password } from "../providers/password.js";
+import { Passkey } from "../providers/passkey.js";
+import { Totp } from "../providers/totp.js";
+import { Anonymous } from "../providers/anonymous.js";
+import { Device } from "../providers/device.js";
+import { SSO } from "../providers/sso.js";
+import { Email } from "../providers/email.js";
+import { Phone } from "../providers/phone.js";
+import "../model.js";
+import { AnyDataModel, DataModelFromSchemaDefinition, DocumentByName, GenericActionCtx, GenericDataModel, GenericMutationCtx, GenericQueryCtx, TableNamesInDataModel } from "convex/server";
+import { GenericId, Infer, Value } from "convex/values";
 import * as arctic0 from "arctic";
 //#region src/server/types.d.ts
-/** A value that is either `T` or a `PromiseLike<T>`. */
+/**
+ * A value that is either `T` or a `PromiseLike<T>`.
+ *
+ * @typeParam T - The underlying value type.
+ */
 type Awaitable<T> = T | PromiseLike<T>;
 /**
- * The config for the Convex Auth library, passed to `Auth`.
+ * A single role definition within the authorization config.
+ *
+ * Each role has an optional human-readable label and a list of grant strings
+ * that members with this role receive.
+ *
+ * @see {@link AuthAuthorizationConfig}
+ */
+type AuthRoleDefinition = {
+  /** Optional stable identifier (defaults to the record key). */id?: string; /** Human-readable label for admin UIs. */
+  label?: string; /** Permission grant strings conferred by this role. */
+  grants: string[];
+};
+/**
+ * Authorization configuration mapping role IDs to {@link AuthRoleDefinition}s.
+ *
+ * Passed as `authorization.roles` in {@link ConvexAuthConfig}.
+ *
+ * @see {@link AuthRoleDefinition}
+ * @see {@link ConvexAuthConfig}
+ */
+type AuthAuthorizationConfig = {
+  roles: Record<string, AuthRoleDefinition>;
+};
+/**
+ * Extracts the union of role ID strings from an authorization config.
+ *
+ * When `TAuthorization` is defined, this resolves to the literal key union
+ * of the `roles` record. Otherwise falls back to `string`.
+ *
+ * @typeParam TAuthorization - The authorization config type, or `undefined`.
+ *
+ * @see {@link AuthGrant}
+ */
+type AuthRoleId<TAuthorization extends AuthAuthorizationConfig | undefined> = TAuthorization extends {
+  roles: infer TRoles extends Record<string, any>;
+} ? keyof TRoles & string : string;
+/**
+ * Extracts the union of grant strings from all roles in an authorization config.
+ *
+ * When `TAuthorization` is defined, this resolves to the literal union
+ * of all `grants` array elements across every role. Otherwise falls back to `string`.
+ *
+ * @typeParam TAuthorization - The authorization config type, or `undefined`.
+ *
+ * @see {@link AuthRoleId}
+ */
+type AuthGrant<TAuthorization extends AuthAuthorizationConfig | undefined> = TAuthorization extends {
+  roles: infer TRoles extends Record<string, {
+    grants: readonly any[];
+  }>;
+} ? TRoles[keyof TRoles]["grants"][number] & string : string;
+/**
+ * The config for the Convex Auth library, passed to `createAuth`.
  */
 type ConvexAuthConfig = {
   /**
@@ -33,12 +99,16 @@ type ConvexAuthConfig = {
      * How long can a user session last without the user reauthenticating.
      *
      * Defaults to 30 days.
+     *
+     * @defaultValue 2_592_000_000
      */
     totalDurationMs?: number;
     /**
      * How long can a user session last without the user being active.
      *
      * Defaults to 30 days.
+     *
+     * @defaultValue 2_592_000_000
      */
     inactiveDurationMs?: number;
   };
@@ -50,6 +120,8 @@ type ConvexAuthConfig = {
      * How long is the JWT valid for after it is signed initially.
      *
      * Defaults to 1 hour.
+     *
+     * @defaultValue 3_600_000
      */
     durationMs?: number;
   };
@@ -63,63 +135,11 @@ type ConvexAuthConfig = {
      *
      * Defaults to 10 times per hour (that is 10 failed attempts, and then
      * allow another one every 6 minutes).
+     *
+     * @defaultValue 10
      */
-    maxFailedAttempsPerHour?: number;
+    maxFailedAttemptsPerHour?: number;
   };
-  /**
-   * API key configuration for programmatic access.
-   *
-   * Enables `auth.key.*` helpers for creating, verifying, and managing
-   * API keys with scoped permissions and optional per-key rate limiting.
-   */
-  apiKeys?: ApiKeyConfig;
-  /**
-   * Email transport configuration.
-   *
-   * Required for magic link authentication.
-   * The library generates email content (subject, styled HTML); you
-   * provide the delivery mechanism — Resend, SendGrid, SES, Postmark,
-   * or any other provider.
-   *
-   * When configured, a magic link email provider (`id: "email"`) is
-   * auto-registered — no need to add a separate Auth.js email provider
-   * to `providers`.
-   *
-   * Works seamlessly with the `@convex-dev/resend` Convex component:
-   *
-   * ```ts
-   * import { Resend } from "@convex-dev/resend";
-   *
-   * const resend = new Resend(components.resend, { testMode: false });
-   *
-   * const auth = new Auth(components.auth, {
-   *   providers: [google],
-   *   email: {
-   *     from: "My App <noreply@example.com>",
-   *     send: (ctx, params) => resend.sendEmail(ctx, params),
-   *   },
-   * });
-   * ```
-   *
-   * Or with any email API directly:
-   *
-   * ```ts
-   * email: {
-   *   from: "My App <noreply@example.com>",
-   *   send: async (_ctx, { from, to, subject, html }) => {
-   *     await fetch("https://api.resend.com/emails", {
-   *       method: "POST",
-   *       headers: {
-   *         Authorization: `Bearer ${process.env.AUTH_RESEND_KEY}`,
-   *         "Content-Type": "application/json",
-   *       },
-   *       body: JSON.stringify({ from, to, subject, html }),
-   *     });
-   *   },
-   * },
-   * ```
-   */
-  email?: EmailTransport;
   /**
    * Lifecycle callbacks for customizing sign-in behavior.
    *
@@ -132,20 +152,21 @@ type ConvexAuthConfig = {
      * Control which URLs are allowed as a destination after OAuth sign-in
      * and for magic links:
      *
-      * ```ts
-      * import { Auth } from "@robelest/convex-auth/component";
-      *
-      * export const { auth, signIn, signOut, store } = Auth({
-      *   providers: [google],
-      *   callbacks: {
-      *     async redirect({ redirectTo }) {
-      *       // Check that redirectTo is valid
-      *       // and return the relative or absolute URL
-      *       // to redirect to.
-      *     },
-      *   },
-      * });
-      * ```
+     * ```ts
+     * import { createAuth } from "@robelest/convex-auth/component";
+     * import { components } from "./_generated/api";
+     *
+     * const auth = createAuth(components.auth, {
+     *   providers: [google],
+     *   callbacks: {
+     *     async redirect({ redirectTo }) {
+     *       // Check that redirectTo is valid
+     *       // and return the relative or absolute URL
+     *       // to redirect to.
+     *     },
+     *   },
+     * });
+     * ```
      *
      * Convex Auth performs redirect only during OAuth sign-in. By default,
      * it redirects back to the URL specified via the `SITE_URL` environment
@@ -186,7 +207,7 @@ type ConvexAuthConfig = {
        * If this is a sign-in to an existing account,
        * this is the existing user ID linked to that account.
        */
-      existingUserId: GenericId<"user"> | null;
+      existingUserId: GenericId<"User"> | null;
       /**
        * The provider type or "verification" if this callback is called
        * after an email or phone token verification.
@@ -214,7 +235,7 @@ type ConvexAuthConfig = {
        * The `shouldLink` argument passed to `createAccount`.
        */
       shouldLink?: boolean;
-    }) => Promise<GenericId<"user">>;
+    }) => Promise<GenericId<"User">>;
     /**
      * Perform additional writes after a user is created.
      *
@@ -233,12 +254,12 @@ type ConvexAuthConfig = {
       /**
        * The ID of the user that is being signed in.
        */
-      userId: GenericId<"user">;
+      userId: GenericId<"User">;
       /**
        * If this is a sign-in to an existing account,
        * this is the existing user ID linked to that account.
        */
-      existingUserId: GenericId<"user"> | null;
+      existingUserId: GenericId<"User"> | null;
       /**
        * The provider type or "verification" if this callback is called
        * after an email or phone token verification.
@@ -268,6 +289,15 @@ type ConvexAuthConfig = {
       shouldLink?: boolean;
     }) => Promise<void>;
   };
+  /**
+   * Application-defined role and grant model used by membership access checks.
+   */
+  authorization?: {
+    roles: Record<string, {
+      label?: string;
+      grants: string[];
+    }>;
+  };
 };
 /**
  * Union of all supported auth provider config types.
@@ -277,9 +307,105 @@ type ConvexAuthConfig = {
  * (WebAuthn), and TOTP (2FA). Each can be passed as a config object
  * or a factory function.
  */
-type AuthProviderConfig = OAuthProviderInstance | OAuthMaterializedConfig | ConvexCredentialsConfig | ((...args: any) => ConvexCredentialsConfig) | EmailConfig | ((...args: any) => EmailConfig) | PhoneConfig | ((...args: any) => PhoneConfig) | PasskeyProviderConfig | ((...args: any) => PasskeyProviderConfig) | TotpProviderConfig | ((...args: any) => TotpProviderConfig) | DeviceProviderConfig | ((...args: any) => DeviceProviderConfig);
+type AuthProviderConfig = OAuthProviderInstance | Password | Passkey | Totp | Anonymous | Device | SSO | Email | Phone | OAuthMaterializedConfig | ConvexCredentialsConfig | ((...args: any) => ConvexCredentialsConfig) | EmailConfig | ((...args: any) => EmailConfig) | PhoneConfig | ((...args: any) => PhoneConfig) | PasskeyProviderConfig | ((...args: any) => PasskeyProviderConfig) | TotpProviderConfig | ((...args: any) => TotpProviderConfig) | DeviceProviderConfig | ((...args: any) => DeviceProviderConfig) | SSOProviderConfig;
+/**
+ * Minimal config stored for the SSO provider at runtime.
+ * No options — enterprise configuration is entirely per-tenant runtime state.
+ */
+interface SSOProviderConfig {
+  id: string;
+  type: "sso";
+}
+/**
+ * Account linking strategy for enterprise SSO sign-in.
+ *
+ * - `"verifiedEmail"` — link accounts when the IdP-provided email matches a verified email on an existing user.
+ * - `"none"` — never auto-link; always create a new account.
+ */
+type EnterpriseAccountLinkingPolicy = "verifiedEmail" | "none";
+/**
+ * Policy for reusing existing users during SCIM provisioning.
+ *
+ * - `"externalId"` — match by the SCIM `externalId` to reuse a previously provisioned user.
+ * - `"none"` — always create a new user for each SCIM provision request.
+ */
+type EnterpriseScimReuseUserPolicy = "externalId" | "none";
+/**
+ * Just-in-time provisioning mode for enterprise SSO.
+ *
+ * - `"off"` — no JIT provisioning; users must be pre-provisioned.
+ * - `"createUser"` — create a user record on first SSO sign-in.
+ * - `"createUserAndMembership"` — create a user and add them to the enterprise group on first SSO sign-in.
+ */
+type EnterpriseJitProvisioningMode = "off" | "createUser" | "createUserAndMembership";
+/**
+ * Deprovisioning strategy when a SCIM user is deleted.
+ *
+ * - `"soft"` — mark the user as inactive but preserve the record.
+ * - `"hard"` — permanently delete the user and associated data.
+ */
+type EnterpriseDeprovisionMode = "soft" | "hard";
+/**
+ * Effective enterprise policy document stored for an SSO/SCIM tenant.
+ *
+ * Controls account linking, JIT provisioning, SCIM reuse behavior,
+ * deprovisioning, and any app-defined extension metadata.
+ *
+ * @see {@link EnterprisePolicyPatch}
+ */
+interface EnterprisePolicy {
+  version: 1;
+  identity: {
+    accountLinking: {
+      oidc: EnterpriseAccountLinkingPolicy;
+      saml: EnterpriseAccountLinkingPolicy;
+    };
+  };
+  provisioning: {
+    scimReuse: {
+      user: EnterpriseScimReuseUserPolicy;
+    };
+    jit: {
+      mode: EnterpriseJitProvisioningMode;
+      defaultRoleIds: string[];
+    };
+    deprovision: {
+      mode: EnterpriseDeprovisionMode;
+    };
+  };
+  extend?: Record<string, unknown>;
+}
+/**
+ * Partial update payload for {@link EnterprisePolicy}.
+ *
+ * Use this when patching only selected enterprise policy sections without
+ * replacing the entire stored policy document.
+ */
+interface EnterprisePolicyPatch {
+  identity?: {
+    accountLinking?: {
+      oidc?: EnterpriseAccountLinkingPolicy;
+      saml?: EnterpriseAccountLinkingPolicy;
+    };
+  };
+  provisioning?: {
+    scimReuse?: {
+      user?: EnterpriseScimReuseUserPolicy;
+    };
+    jit?: {
+      mode?: EnterpriseJitProvisioningMode;
+      defaultRoleIds?: string[];
+    };
+    deprovision?: {
+      mode?: EnterpriseDeprovisionMode;
+    };
+  };
+  extend?: Record<string, unknown>;
+}
 /**
  * Email provider config for magic link / OTP sign-in.
+ *
+ * @typeParam DataModel - The Convex data model for typed action contexts.
  */
 interface EmailConfig<DataModel extends GenericDataModel = GenericDataModel> {
   /** Provider identifier (e.g. `"email"`, `"resend"`). */
@@ -290,7 +416,11 @@ interface EmailConfig<DataModel extends GenericDataModel = GenericDataModel> {
   name?: string;
   /** Sender address (e.g. `"My App <noreply@example.com>"`). */
   from?: string;
-  /** Token expiration in seconds. Defaults to 86 400 (24 hours). */
+  /**
+   * Token expiration in seconds. Defaults to 86 400 (24 hours).
+   *
+   * @defaultValue 86400
+   */
   maxAge?: number;
   /**
    * Send the verification token to the user.
@@ -328,17 +458,23 @@ interface EmailConfig<DataModel extends GenericDataModel = GenericDataModel> {
   /**
    * The values passed to the `signIn` function.
    */
-  params: Record<string, Value | undefined>, account: GenericDoc<DataModel, "account">) => Promise<void>;
+  params: Record<string, Value | undefined>, account: GenericDoc<DataModel, "Account">) => Promise<void>;
   /** Raw user options before merging with defaults. */
   options: EmailUserConfig<DataModel>;
 }
 /**
- * Configurable options for an email provider config.
+ * User-facing configuration shape accepted by the email provider.
+ *
+ * Equivalent to `Partial<EmailConfig>` without internal runtime-only fields.
+ *
+ * @typeParam DataModel - The Convex data model.
  */
 type EmailUserConfig<DataModel extends GenericDataModel = GenericDataModel> = Omit<Partial<EmailConfig<DataModel>>, "options" | "type">;
 /**
  * Same as email provider config, but verifies
  * phone number instead of the email address.
+ *
+ * @typeParam DataModel - The Convex data model for typed action contexts.
  */
 interface PhoneConfig<DataModel extends GenericDataModel = GenericDataModel> {
   id: string;
@@ -387,17 +523,21 @@ interface PhoneConfig<DataModel extends GenericDataModel = GenericDataModel> {
   /**
    * The values passed to the `signIn` function.
    */
-  params: Record<string, Value | undefined>, account: GenericDoc<DataModel, "account">) => Promise<void>;
+  params: Record<string, Value | undefined>, account: GenericDoc<DataModel, "Account">) => Promise<void>;
   options: PhoneUserConfig<DataModel>;
 }
 /**
- * Configurable options for a phone provider config.
+ * User-facing configuration shape accepted by the phone provider.
+ *
+ * Equivalent to `Partial<PhoneConfig>` without internal runtime-only fields.
+ *
+ * @typeParam DataModel - The Convex data model.
  */
 type PhoneUserConfig<DataModel extends GenericDataModel = GenericDataModel> = Omit<Partial<PhoneConfig<DataModel>>, "options" | "type">;
 /**
- * Similar to Auth.js Credentials config.
+ * Credentials provider config used by Convex Auth.
  */
-type ConvexCredentialsConfig = CredentialsUserConfig<any> & {
+type ConvexCredentialsConfig = CredentialsConfig<any> & {
   type: "credentials";
   id: string;
 };
@@ -410,12 +550,37 @@ interface PasskeyProviderConfig {
   options: {
     /** Relying Party display name. Defaults to SITE_URL hostname. */rpName?: string; /** Relying Party ID (hostname). Defaults to SITE_URL hostname. */
     rpId?: string; /** Allowed origins for credential verification. Defaults to SITE_URL. */
-    origin?: string | string[]; /** Attestation conveyance preference. Defaults to "none". */
-    attestation?: "none" | "direct"; /** User verification requirement. Defaults to "required". */
-    userVerification?: "required" | "preferred" | "discouraged"; /** Resident key (discoverable credential) preference. Defaults to "preferred". */
+    origin?: string | string[];
+    /**
+     * Attestation conveyance preference. Defaults to "none".
+     *
+     * @defaultValue "none"
+     */
+    attestation?: "none" | "direct";
+    /**
+     * User verification requirement. Defaults to "required".
+     *
+     * @defaultValue "required"
+     */
+    userVerification?: "required" | "preferred" | "discouraged";
+    /**
+     * Resident key (discoverable credential) preference. Defaults to "preferred".
+     *
+     * @defaultValue "preferred"
+     */
     residentKey?: "required" | "preferred" | "discouraged"; /** Restrict to platform or cross-platform authenticators. */
-    authenticatorAttachment?: "platform" | "cross-platform"; /** Supported COSE algorithms. Defaults to [-7 (ES256), -257 (RS256)]. */
-    algorithms?: number[]; /** Challenge expiration in ms. Defaults to 300_000 (5 minutes). */
+    authenticatorAttachment?: "platform" | "cross-platform";
+    /**
+     * Supported COSE algorithms. Defaults to [-7 (ES256), -257 (RS256)].
+     *
+     * @defaultValue [-7, -257]
+     */
+    algorithms?: number[];
+    /**
+     * Challenge expiration in ms. Defaults to 300_000 (5 minutes).
+     *
+     * @defaultValue 300_000
+     */
     challengeExpirationMs?: number;
   };
 }
@@ -426,8 +591,18 @@ interface TotpProviderConfig {
   id: string;
   type: "totp";
   options: {
-    /** Issuer name shown in authenticator apps (e.g. "My App"). */issuer: string; /** Number of digits in each code (default: 6). */
-    digits: number; /** Time period in seconds for code rotation (default: 30). */
+    /** Issuer name shown in authenticator apps (e.g. "My App"). */issuer: string;
+    /**
+     * Number of digits in each code (default: 6).
+     *
+     * @defaultValue 6
+     */
+    digits: number;
+    /**
+     * Time period in seconds for code rotation (default: 30).
+     *
+     * @defaultValue 30
+     */
     period: number;
   };
 }
@@ -477,37 +652,89 @@ type AuthUpdateAccountArgs = {
 };
 /** Arguments for `auth.session.invalidate()`. */
 type AuthInvalidateSessionsArgs = {
-  userId: GenericId<"user">;
-  except?: GenericId<"session">[];
+  userId: GenericId<"User">;
+  except?: GenericId<"Session">[];
 };
 /** Arguments for `auth.provider.signIn()`. */
 type AuthProviderSignInArgs = {
-  accountId?: GenericId<"account">;
+  accountId?: GenericId<"Account">;
   params?: Record<string, Value | undefined>;
 };
 /** Return type of `auth.provider.signIn()` — user and session IDs, or `null` on failure. */
 type AuthProviderSignInResult = {
-  userId: GenericId<"user">;
-  sessionId: GenericId<"session">;
+  userId: GenericId<"User">;
+  sessionId: GenericId<"Session">;
 } | null;
-/** Server-side auth helpers available on enriched action contexts. */
+/** Arguments for `auth.member.resolve()`. */
+type AuthMemberResolveArgs = {
+  userId: GenericId<"User">;
+  groupId: GenericId<"Group">;
+  ancestry?: boolean;
+  roleIds?: string[];
+  grants?: string[];
+  maxDepth?: number;
+};
+/** Result of `auth.member.resolve()` — membership check with role and grant details. */
+type AuthMemberResolveResult = {
+  ok: boolean;
+  membership: GenericDoc<GenericDataModel, "GroupMember"> | null;
+  matchedGroupId: GenericId<"Group"> | null;
+  roleIds: string[];
+  grants: string[];
+  missingGrants: string[];
+  depth: number | null;
+  isDirect: boolean;
+  isInherited: boolean;
+  traversedGroupIds: GenericId<"Group">[];
+  code?: "INVALID_ROLE_IDS";
+  invalidRoleIds?: string[];
+};
+/**
+ * Server-side auth helper methods injected into `ctx.auth` within provider actions.
+ *
+ * Provides programmatic access to account management, session lifecycle,
+ * membership resolution, and provider sign-in from within Convex actions
+ * that use {@link GenericActionCtxWithAuthConfig}.
+ *
+ * @see {@link GenericActionCtxWithAuthConfig}
+ *
+ * @example
+ * ```ts
+ * // Inside a credentials provider's authorize callback:
+ * const { account, user } = await ctx.auth.account.get(ctx, {
+ *   provider: "password",
+ *   account: { id: email },
+ * });
+ * ```
+ */
 type AuthServerHelpers = {
-  account: {
+  /** Account management: create, retrieve, and update provider-linked accounts. */account: {
     create: (ctx: GenericActionCtx<any>, args: AuthCreateAccountArgs) => Promise<{
-      account: GenericDoc<GenericDataModel, "account">;
-      user: GenericDoc<GenericDataModel, "user">;
+      ok: true;
+      account: GenericDoc<GenericDataModel, "Account">;
+      user: GenericDoc<GenericDataModel, "User">;
     }>;
     get: (ctx: GenericActionCtx<any>, args: AuthRetrieveAccountArgs) => Promise<{
-      account: GenericDoc<GenericDataModel, "account">;
-      user: GenericDoc<GenericDataModel, "user">;
+      account: GenericDoc<GenericDataModel, "Account">;
+      user: GenericDoc<GenericDataModel, "User">;
+    }>;
+    update: (ctx: GenericActionCtx<any>, args: AuthUpdateAccountArgs) => Promise<{
+      ok: true;
+      accountId: GenericId<"Account">;
     }>;
-    update: (ctx: GenericActionCtx<any>, args: AuthUpdateAccountArgs) => Promise<void>;
   };
   session: {
     current: (ctx: {
       auth: GenericActionCtx<GenericDataModel>["auth"];
-    }) => Promise<GenericId<"session"> | null>;
-    invalidate: (ctx: GenericActionCtx<any>, args: AuthInvalidateSessionsArgs) => Promise<void>;
+    }) => Promise<GenericId<"Session"> | null>;
+    invalidate: (ctx: GenericActionCtx<any>, args: AuthInvalidateSessionsArgs) => Promise<{
+      ok: true;
+      userId: GenericId<"User">;
+      except: GenericId<"Session">[];
+    }>;
+  };
+  member: {
+    resolve: (ctx: GenericActionCtx<any>, args: AuthMemberResolveArgs) => Promise<AuthMemberResolveResult>;
   };
   provider: {
     signIn: (ctx: GenericActionCtx<any>, provider: AuthProviderConfig, args: AuthProviderSignInArgs) => Promise<AuthProviderSignInResult>;
@@ -515,7 +742,9 @@ type AuthServerHelpers = {
 };
 /**
  * Your `ActionCtx` enriched with `ctx.auth.config` field with
- * the config passed to `Auth`.
+ * the config passed to `createAuth`.
+ *
+ * @typeParam DataModel - The Convex data model.
  */
 type GenericActionCtxWithAuthConfig<DataModel extends GenericDataModel> = GenericActionCtx<DataModel> & {
   auth: GenericActionCtx<DataModel>["auth"] & {
@@ -523,34 +752,51 @@ type GenericActionCtxWithAuthConfig<DataModel extends GenericDataModel> = Generi
   } & AuthServerHelpers;
 };
 /**
- * The config for the Convex Auth library, passed to `Auth`,
+ * The config for the Convex Auth library, passed to `createAuth`,
  * with defaults and initialized providers.
  *
  * See {@link ConvexAuthConfig}
  */
 type ConvexAuthMaterializedConfig = {
   providers: AuthProviderMaterializedConfig[];
-} & Pick<ConvexAuthConfig, "component" | "session" | "jwt" | "signIn" | "callbacks">;
+} & Pick<ConvexAuthConfig, "component" | "session" | "jwt" | "signIn" | "callbacks" | "authorization">;
 /**
  * Materialized OAuth provider config (Arctic-based).
  *
  * Carries the Arctic provider instance along with scopes and profile config.
- * Produced by materializing an `OAuthProviderInstance` during `configDefaults`.
+  * Produced by materializing an `OAuthProviderInstance` during `configDefaults`.
  */
 interface OAuthMaterializedConfig {
+  /**
+   * Provider identifier (e.g. `"google"`, `"github"`).
+   * @readonly
+   */
   readonly id: string;
+  /**
+   * Discriminant for provider type routing.
+   * @readonly
+   */
   readonly type: "oauth";
-  /** The Arctic provider instance. */
+  /**
+   * The Arctic provider instance.
+   * @readonly
+   */
   readonly provider: any;
-  /** OAuth scopes to request. */
+  /**
+   * OAuth scopes to request.
+   * @readonly
+   */
   readonly scopes: string[];
-  /** User-provided profile extraction callback. */
+  /**
+   * User-provided profile extraction callback.
+   * @readonly
+   */
   readonly profile?: (tokens: arctic0.OAuth2Tokens) => Promise<OAuthProfile>;
   /**
-   * Allow linking accounts by email even if the email is unverified.
-   * Use with caution — only enable for providers you trust.
+   * Account-linking policy for OAuth identities. Defaults to verified email linking.
+   * @readonly
    */
-  readonly allowDangerousEmailAccountLinking?: boolean;
+  readonly accountLinking?: "verifiedEmail" | "none";
 }
 /**
  * Device authorization provider config (RFC 8628).
@@ -580,49 +826,14 @@ interface DeviceProviderConfig {
 /**
  * Materialized auth provider config — the fully resolved form stored at runtime.
  */
-type AuthProviderMaterializedConfig = OAuthMaterializedConfig | EmailConfig | PhoneConfig | ConvexCredentialsConfig | PasskeyProviderConfig | TotpProviderConfig | DeviceProviderConfig;
+type AuthProviderMaterializedConfig = OAuthMaterializedConfig | EmailConfig | PhoneConfig | ConvexCredentialsConfig | PasskeyProviderConfig | TotpProviderConfig | DeviceProviderConfig | SSOProviderConfig;
 /**
- * Email delivery parameters passed to `EmailTransport.send`.
- */
-interface EmailMessage {
-  /** Sender address (from `email.from` in your Auth config). */
-  from: string;
-  /** Recipient email address. */
-  to: string;
-  /** Email subject line. */
-  subject: string;
-  /** HTML body content. */
-  html: string;
-}
-/**
- * Email transport configuration for the Auth library.
+ * Resolves to `true` when the providers list includes `SSO`, otherwise `false`.
  *
- * Provides a delivery mechanism for library-generated emails.
- * The library owns the email content; you provide the transport.
+ * Used to make `auth.sso` conditionally present on the `createAuth`
+ * return type — it only appears when `new SSO()` is in the providers array.
  */
-interface EmailTransport {
-  /** Sender address shown in the From field (e.g. "My App \<noreply@example.com\>"). */
-  from: string;
-  /**
-   * Deliver an email. Called by the library for magic links.
-   *
-   * Receives the Convex action context as the first argument, enabling
-   * use with Convex components like `@convex-dev/resend`:
-   *
-   * ```ts
-   * send: (ctx, params) => resend.sendEmail(ctx, params)
-   * ```
-   *
-   * For plain HTTP email APIs, ignore the `ctx` parameter:
-   *
-   * ```ts
-   * send: async (_ctx, { from, to, subject, html }) => {
-   *   await fetch("https://api.resend.com/emails", { ... });
-   * }
-   * ```
-   */
-  send: (ctx: GenericActionCtx<any>, params: EmailMessage) => Promise<void>;
-}
+type HasSSO<P extends AuthProviderConfig[]> = SSO extends P[number] ? true : false;
 /**
  * A single scope entry stored per API key.
  * Uses a resource:action pattern for structured permissions.
@@ -652,41 +863,6 @@ interface ScopeChecker {
   /** The raw scope entries from the key. */
   scopes: KeyScope[];
 }
-/**
- * Configuration for API key support on the Auth class.
- *
- * ```ts
- * const auth = new Auth(components.auth, {
- *   providers: [github],
- *   apiKeys: {
- *     scopes: {
- *       users: ["read", "list", "create", "delete"],
- *       messages: ["read", "write"],
- *     },
- *     defaultRateLimit: { maxRequests: 1000, windowMs: 3600000 },
- *   },
- * });
- * ```
- */
-interface ApiKeyConfig {
-  /**
-   * Define the available resource:action scopes for your API keys.
-   * Keys can only be created with scopes that are a subset of these.
-   */
-  scopes?: Record<string, string[]>;
-  /**
-   * Default rate limit applied to new keys when not specified per-key.
-   * Uses a token-bucket algorithm.
-   */
-  defaultRateLimit?: {
-    maxRequests: number;
-    windowMs: number;
-  };
-  /**
-   * Key prefix. Defaults to `"sk_live_"`.
-   */
-  prefix?: string;
-}
 /**
  * An API key record as returned by `auth.key.list()` and `auth.key.get()`.
  * Never includes the raw key material — only the display prefix.
@@ -696,7 +872,7 @@ interface KeyRecord {
   _id: string;
   /** Owner user ID. */
   userId: string;
-  /** Display prefix (e.g. `"sk_live_abc1"`). Safe to show in UIs. */
+  /** Display prefix (e.g. `"sk_abc1"`). Safe to show in UIs. */
   prefix: string;
   /** Human-readable name (e.g. "CI Pipeline"). */
   name: string;
@@ -715,16 +891,9 @@ interface KeyRecord {
   createdAt: number;
   /** `true` when the key has been revoked (soft-deleted). */
   revoked: boolean;
+  /** Arbitrary app-specific metadata attached to the key. */
+  metadata?: Record<string, unknown>;
 }
-/** Filter fields for `auth.user.list()`. All optional. */
-type UserWhere = {
-  email?: string;
-  phone?: string;
-  isAnonymous?: boolean;
-  name?: string;
-};
-/** Sortable fields for `auth.user.list()`. */
-type UserOrderBy = "_creationTime" | "name" | "email" | "phone";
 /**
  * Context injected into `auth.http.action()` and `auth.http.route()` handlers.
  *
@@ -760,95 +929,6 @@ interface CorsConfig {
   /** Allowed request headers. Defaults to `"Content-Type,Authorization"`. */
   headers?: string;
 }
-/**
- * Component function references required by core auth runtime.
- *
- * @internal Consumers should not depend on this shape — it may change
- * between minor versions. Pass `components.auth` directly to the `Auth` constructor.
- */
-type AuthComponentApi = {
-  public: {
-    userGetById: FunctionReference<"query", "internal">;
-    userList: FunctionReference<"query", "internal">;
-    userFindByVerifiedEmail: FunctionReference<"query", "internal">;
-    userFindByVerifiedPhone: FunctionReference<"query", "internal">;
-    userInsert: FunctionReference<"mutation", "internal">;
-    userUpsert: FunctionReference<"mutation", "internal">;
-    userPatch: FunctionReference<"mutation", "internal">;
-    accountGet: FunctionReference<"query", "internal">;
-    accountGetById: FunctionReference<"query", "internal">;
-    accountInsert: FunctionReference<"mutation", "internal">;
-    accountPatch: FunctionReference<"mutation", "internal">;
-    accountDelete: FunctionReference<"mutation", "internal">;
-    sessionCreate: FunctionReference<"mutation", "internal">;
-    sessionGetById: FunctionReference<"query", "internal">;
-    sessionDelete: FunctionReference<"mutation", "internal">;
-    sessionListByUser: FunctionReference<"query", "internal">;
-    verifierCreate: FunctionReference<"mutation", "internal">;
-    verifierGetById: FunctionReference<"query", "internal">;
-    verifierGetBySignature: FunctionReference<"query", "internal">;
-    verifierPatch: FunctionReference<"mutation", "internal">;
-    verifierDelete: FunctionReference<"mutation", "internal">;
-    verificationCodeGetByAccountId: FunctionReference<"query", "internal">;
-    verificationCodeGetByCode: FunctionReference<"query", "internal">;
-    verificationCodeCreate: FunctionReference<"mutation", "internal">;
-    verificationCodeDelete: FunctionReference<"mutation", "internal">;
-    refreshTokenCreate: FunctionReference<"mutation", "internal">;
-    refreshTokenGetById: FunctionReference<"query", "internal">;
-    refreshTokenPatch: FunctionReference<"mutation", "internal">;
-    refreshTokenGetChildren: FunctionReference<"query", "internal">;
-    refreshTokenListBySession: FunctionReference<"query", "internal">;
-    refreshTokenDeleteAll: FunctionReference<"mutation", "internal">;
-    refreshTokenGetActive: FunctionReference<"query", "internal">;
-    rateLimitGet: FunctionReference<"query", "internal">;
-    rateLimitCreate: FunctionReference<"mutation", "internal">;
-    rateLimitPatch: FunctionReference<"mutation", "internal">;
-    rateLimitDelete: FunctionReference<"mutation", "internal">;
-    groupCreate: FunctionReference<"mutation", "internal">;
-    groupGet: FunctionReference<"query", "internal">;
-    groupList: FunctionReference<"query", "internal">;
-    groupUpdate: FunctionReference<"mutation", "internal">;
-    groupDelete: FunctionReference<"mutation", "internal">;
-    memberAdd: FunctionReference<"mutation", "internal">;
-    memberGet: FunctionReference<"query", "internal">;
-    memberList: FunctionReference<"query", "internal">;
-    memberListByUser: FunctionReference<"query", "internal">;
-    memberGetByGroupAndUser: FunctionReference<"query", "internal">;
-    memberRemove: FunctionReference<"mutation", "internal">;
-    memberUpdate: FunctionReference<"mutation", "internal">;
-    inviteCreate: FunctionReference<"mutation", "internal">;
-    inviteGet: FunctionReference<"query", "internal">;
-    inviteList: FunctionReference<"query", "internal">;
-    inviteAccept: FunctionReference<"mutation", "internal">;
-    inviteRevoke: FunctionReference<"mutation", "internal">;
-    keyInsert: FunctionReference<"mutation", "internal">;
-    keyGetByHashedKey: FunctionReference<"query", "internal">;
-    keyGetById: FunctionReference<"query", "internal">;
-    keyList: FunctionReference<"query", "internal">;
-    keyListByUserId: FunctionReference<"query", "internal">;
-    keyPatch: FunctionReference<"mutation", "internal">;
-    keyDelete: FunctionReference<"mutation", "internal">;
-    passkeyInsert: FunctionReference<"mutation", "internal">;
-    passkeyGetByCredentialId: FunctionReference<"query", "internal">;
-    passkeyListByUserId: FunctionReference<"query", "internal">;
-    passkeyUpdateCounter: FunctionReference<"mutation", "internal">;
-    passkeyUpdateMeta: FunctionReference<"mutation", "internal">;
-    passkeyDelete: FunctionReference<"mutation", "internal">;
-    totpInsert: FunctionReference<"mutation", "internal", any, any>;
-    totpGetVerifiedByUserId: FunctionReference<"query", "internal", any, any>;
-    totpListByUserId: FunctionReference<"query", "internal", any, any>;
-    totpGetById: FunctionReference<"query", "internal", any, any>;
-    totpMarkVerified: FunctionReference<"mutation", "internal", any, any>;
-    totpUpdateLastUsed: FunctionReference<"mutation", "internal", any, any>;
-    totpDelete: FunctionReference<"mutation", "internal", any, any>;
-    deviceInsert: FunctionReference<"mutation", "internal", any, any>;
-    deviceGetByCodeHash: FunctionReference<"query", "internal", any, any>;
-    deviceGetByUserCode: FunctionReference<"query", "internal", any, any>;
-    deviceAuthorize: FunctionReference<"mutation", "internal", any, any>;
-    deviceUpdateLastPolled: FunctionReference<"mutation", "internal", any, any>;
-    deviceDelete: FunctionReference<"mutation", "internal", any, any>;
-  };
-};
 /**
  * Convex document from a given table.
  */
@@ -856,12 +936,21 @@ type GenericDoc<DataModel extends GenericDataModel, TableName extends TableNames
   _id: GenericId<TableName>;
   _creationTime: number;
 };
-/**
- * @internal
- */
-type FunctionReferenceFromExport<Export> = Export extends RegisteredQuery<infer Visibility, infer Args, infer Output> ? FunctionReference<"query", Visibility, Args, ConvertReturnType<Output>> : Export extends RegisteredMutation<infer Visibility, infer Args, infer Output> ? FunctionReference<"mutation", Visibility, Args, ConvertReturnType<Output>> : Export extends RegisteredAction<infer Visibility, infer Args, infer Output> ? FunctionReference<"action", Visibility, Args, ConvertReturnType<Output>> : never;
-type ConvertReturnType<T> = UndefinedToNull<Awaited<T>>;
-type UndefinedToNull<T> = T extends void ? null : T;
+/** Data model derived from the component schema. */
+type AuthDataModel = DataModelFromSchemaDefinition<typeof _default>;
+/** A document from any table in the auth component schema. */
+type Doc<T extends TableNamesInDataModel<AuthDataModel>> = GenericDoc<AuthDataModel, T>;
+/** A pair of JWT access token and refresh token. */
+type Tokens = {
+  token: string;
+  refreshToken: string;
+};
+/** Session information returned after authentication. */
+type SessionInfo = {
+  userId: GenericId<"User">;
+  sessionId: GenericId<"Session">;
+  tokens: Tokens | null;
+};
 //#endregion
-export { ApiKeyConfig, AuthProviderConfig, AuthProviderMaterializedConfig, ConvexAuthConfig, ConvexAuthMaterializedConfig, ConvexCredentialsConfig, CorsConfig, DeviceProviderConfig, EmailConfig, EmailUserConfig, FunctionReferenceFromExport, GenericActionCtxWithAuthConfig, GenericDoc, HttpKeyContext, KeyRecord, KeyScope, OAuthProfile, PhoneConfig, PhoneUserConfig, ScopeChecker, UserOrderBy, UserWhere };
+export { AuthAuthorizationConfig, AuthGrant, AuthProviderConfig, AuthRoleId, ConvexAuthConfig, ConvexCredentialsConfig, CorsConfig, DeviceProviderConfig, Doc, EmailConfig, EmailUserConfig, EnterprisePolicy, EnterprisePolicyPatch, GenericActionCtxWithAuthConfig, GenericDoc, HasSSO, HttpKeyContext, KeyRecord, KeyScope, OAuthProfile, PhoneConfig, PhoneUserConfig, ScopeChecker, SessionInfo };
 //# sourceMappingURL=types.d.ts.map