@signalwire/js 4.0.0-dev-20260326210326 → 4.0.0-dev-20260401154549

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/index.d.cts CHANGED
@@ -175,6 +175,26 @@ interface Storage {
175
175
  getItem(key: string, scope: StorageScope): Promise<string | null>;
176
176
  removeItem(key: string, scope: StorageScope): Promise<void>;
177
177
  }
178
+ /**
179
+ * Context provided by the SDK when calling {@link CredentialProvider.authenticate}.
180
+ *
181
+ * Contains optional parameters the SDK generates internally (e.g., DPoP fingerprint)
182
+ * that the implementor can forward to their server-side token endpoint.
183
+ */
184
+ interface AuthenticateContext {
185
+ /**
186
+ * JWK Thumbprint (RFC 7638) of the SDK's ephemeral DPoP key pair.
187
+ *
188
+ * When present, the implementor should forward this value as the `fingerprint`
189
+ * parameter to the server-side SAT issuance endpoint alongside `scope: "sat:refresh"`.
190
+ * This enables the server to bind the SAT to the SDK's key pair, allowing
191
+ * automatic Client Bound SAT refresh without developer intervention.
192
+ *
193
+ * When absent (e.g., Web Crypto API not available), the implementor should
194
+ * proceed without DPoP binding.
195
+ */
196
+ fingerprint?: string;
197
+ }
178
198
  /**
179
199
  * Provides authentication credentials to the SDK.
180
200
  *
@@ -194,12 +214,14 @@ interface CredentialProvider {
194
214
  * Implementor responsibilities:
195
215
  * - Resolve with a valid {@link SDKCredential} on success.
196
216
  * - Reject (throw) on failure — this will cause client initialization to fail.
217
+ * - When `context.fingerprint` is provided, forward it to the server-side token
218
+ * endpoint with `scope: "sat:refresh"` to enable automatic token refresh.
197
219
  *
198
220
  * SDK behavior:
199
221
  * - Awaits this method before establishing the WebSocket connection.
200
222
  * - On rejection, propagates the error to the caller of `SignalWire()`.
201
223
  */
202
- authenticate(): Promise<SDKCredential>;
224
+ authenticate(context?: AuthenticateContext): Promise<SDKCredential>;
203
225
  /**
204
226
  * Obtains fresh credentials before the current ones expire. Optional.
205
227
  *
@@ -212,7 +234,10 @@ interface CredentialProvider {
212
234
  * - Scheduled automatically before expiry; implementors do not need to manage timing.
213
235
  * - On rejection, the refresh schedule stops and the session continues with the
214
236
  * current credentials until they expire.
215
- * - When not provided, the SDK uses the initial credentials for the entire session lifetime.
237
+ * - When not provided and the SAT includes a `sat:refresh` scope, the SDK
238
+ * automatically refreshes via Client Bound SAT (DPoP) without developer intervention.
239
+ * - When not provided and no refresh scope is present, the SDK uses the initial
240
+ * credentials for the entire session lifetime.
216
241
  */
217
242
  refresh?: () => Promise<SDKCredential>;
218
243
  }
@@ -389,11 +414,13 @@ interface HTTPRequestControllerOptions {
389
414
  }
390
415
  declare class HTTPRequestController {
391
416
  private baseURL;
392
- private credential;
417
+ private readonly getCredential;
393
418
  private static readonly defaultMaxRetries;
394
419
  private static readonly defaultRetryDelayMinMs;
395
420
  private static readonly defaultRetryDelayMaxMs;
396
421
  private static readonly defaultRequestTimeoutMs;
422
+ /** Sensitive field names to mask in debug logs. */
423
+ private static readonly SENSITIVE_BODY_FIELDS;
397
424
  private readonly maxRetries;
398
425
  private readonly retryDelayMin;
399
426
  private readonly retryDelayMax;
@@ -401,7 +428,7 @@ declare class HTTPRequestController {
401
428
  private _responses$;
402
429
  private _errors$;
403
430
  private _status$;
404
- constructor(baseURL: string, credential: SDKCredential, options?: HTTPRequestControllerOptions);
431
+ constructor(baseURL: string, getCredential: () => SDKCredential, options?: HTTPRequestControllerOptions);
405
432
  get status$(): Observable<HTTPRequestStatus>;
406
433
  get status(): HTTPRequestStatus;
407
434
  get responses$(): Observable<HTTPResponse>;
@@ -411,6 +438,10 @@ declare class HTTPRequestController {
411
438
  private executeRequest;
412
439
  private buildURL;
413
440
  private buildHeaders;
441
+ /**
442
+ * Sanitizes a request body for debug logging by masking sensitive fields.
443
+ */
444
+ private sanitizeBody;
414
445
  private convertResponse;
415
446
  }
416
447
  //#endregion
@@ -460,6 +491,33 @@ interface GetAddressResponse {
460
491
  created_at: string;
461
492
  }
462
493
  //#endregion
494
+ //#region src/core/types/crypto.types.d.ts
495
+ /** Parameters for creating an HTTP DPoP proof (for Prime API endpoints). */
496
+ interface DPoPHttpProofParams {
497
+ /** HTTP method (e.g., "POST"). */
498
+ readonly method: string;
499
+ /** Request URI — should be the full URL per RFC 9449 (e.g., "https://fabric.signalwire.com/api/..."). */
500
+ readonly uri: string;
501
+ /** Access token to bind via `ath` claim (SHA-256 hash). Used for resource endpoints, not token endpoints. */
502
+ readonly accessToken?: string;
503
+ }
504
+ /** Parameters for creating an RPC DPoP proof (for switchblade WebSocket methods). */
505
+ interface DPoPRpcProofParams {
506
+ /** RPC method name (e.g., "signalwire.connect" or "signalwire.reauthenticate"). */
507
+ readonly method: string;
508
+ }
509
+ /** SAT claims returned by /api/fabric/subscriber/info. */
510
+ interface SATClaims {
511
+ /** Token scopes (e.g., ["sat:refresh"]). */
512
+ scope?: string[];
513
+ /** Confirmation claim binding the token to a key. */
514
+ cnf?: {
515
+ jkt: string;
516
+ };
517
+ /** Token expiry timestamp in seconds since epoch. */
518
+ expires_at?: number;
519
+ }
520
+ //#endregion
463
521
  //#region src/core/types/subscriber.types.d.ts
464
522
  /** Raw subscriber profile response from the SignalWire Fabric API. */
465
523
  interface GetSubscriberInfoResponse {
@@ -494,6 +552,8 @@ interface GetSubscriberInfoResponse {
494
552
  };
495
553
  /** Fabric addresses associated with this subscriber. */
496
554
  fabric_addresses: GetAddressResponse[];
555
+ /** Filtered SAT claims (scope, cnf, expires_at) returned when the token has special capabilities. */
556
+ sat_claims?: SATClaims;
497
557
  }
498
558
  //#endregion
499
559
  //#region src/core/entities/Subscriber.d.ts
@@ -533,6 +593,8 @@ declare class Subscriber extends Fetchable<GetSubscriberInfoResponse> {
533
593
  };
534
594
  /** Fabric addresses associated with this subscriber. */
535
595
  addresses: GetAddressResponse[];
596
+ /** Filtered SAT claims when the token has special capabilities (e.g., refresh scope). */
597
+ satClaims?: SATClaims;
536
598
  constructor(http: HTTPRequestController);
537
599
  protected populateInstance(data: GetSubscriberInfoResponse): void;
538
600
  }
@@ -744,6 +806,11 @@ interface CallUpdatedPayload {
744
806
  room_id: string;
745
807
  room_session_id: string;
746
808
  }
809
+ interface RoomUpdatedPayload {
810
+ room_session: RoomSession;
811
+ room_id: string;
812
+ room_session_id: string;
813
+ }
747
814
  interface CallStatePayload {
748
815
  call_id: string;
749
816
  node_id: string;
@@ -931,19 +998,36 @@ declare class MediaTrackError extends Error {
931
998
  originalError: unknown;
932
999
  constructor(operation: string, kind: string, originalError: unknown);
933
1000
  }
1001
+ declare class DPoPInitError extends Error {
1002
+ originalError: unknown;
1003
+ constructor(originalError: unknown, message?: string);
1004
+ }
1005
+ declare class DeviceTokenError extends Error {
1006
+ originalError?: unknown | undefined;
1007
+ constructor(message: string, originalError?: unknown | undefined);
1008
+ }
1009
+ declare class TokenRefreshError extends Error {
1010
+ originalError?: unknown | undefined;
1011
+ constructor(message: string, originalError?: unknown | undefined);
1012
+ }
934
1013
  //#endregion
935
1014
  //#region src/core/RPCMessages/RPCConnect.d.ts
936
1015
  interface Authorization {
937
1016
  jti: string;
938
1017
  project_id: string;
1018
+ data_zone?: string;
1019
+ scope?: string[];
939
1020
  fabric_subscriber: {
940
1021
  version: number;
941
1022
  expires_at: number;
942
1023
  subscriber_id: string;
943
- application_id: string;
1024
+ application_id: string | null;
944
1025
  project_id: string;
945
1026
  space_id: string;
946
1027
  };
1028
+ cnf?: {
1029
+ jkt: string;
1030
+ };
947
1031
  }
948
1032
  //#endregion
949
1033
  //#region src/core/utils.d.ts
@@ -1962,6 +2046,90 @@ declare class TransportManager extends Destroyable {
1962
2046
  private _init;
1963
2047
  }
1964
2048
  //#endregion
2049
+ //#region src/controllers/CryptoController.d.ts
2050
+ /**
2051
+ * Controls DPoP (Demonstrating Proof-of-Possession) cryptographic operations.
2052
+ *
2053
+ * Generates an ephemeral RSA-2048 key pair where the private key is
2054
+ * non-extractable, computes the JWK Thumbprint (RFC 7638) as the fingerprint,
2055
+ * and creates signed DPoP proof JWTs for both HTTP API requests and
2056
+ * WebSocket RPC calls.
2057
+ *
2058
+ * @example
2059
+ * ```typescript
2060
+ * const crypto = new CryptoController();
2061
+ * await crypto.init();
2062
+ *
2063
+ * // Get fingerprint for SAT issuance
2064
+ * const fingerprint = crypto.fingerprint;
2065
+ *
2066
+ * // Create proof for HTTP endpoint
2067
+ * const httpProof = await crypto.createHttpProof({
2068
+ * method: 'POST',
2069
+ * uri: '/api/fabric/subscriber/devices/token'
2070
+ * });
2071
+ *
2072
+ * // Create proof for RPC call
2073
+ * const rpcProof = await crypto.createRpcProof({
2074
+ * method: 'signalwire.connect'
2075
+ * });
2076
+ * ```
2077
+ */
2078
+ declare class CryptoController {
2079
+ private _keyPair;
2080
+ private _publicJwk;
2081
+ private _fingerprint;
2082
+ private _initialized;
2083
+ /**
2084
+ * Generates the ephemeral RSA key pair and computes the fingerprint.
2085
+ *
2086
+ * Must be called before any other method. The private key is generated
2087
+ * as non-extractable to prevent accidental exposure.
2088
+ *
2089
+ * @returns The JWK Thumbprint (fingerprint) for the generated key.
2090
+ */
2091
+ init(): Promise<string>;
2092
+ /**
2093
+ * The JWK Thumbprint (RFC 7638) of the public key.
2094
+ * Used as the `fingerprint` parameter when requesting scoped SATs.
2095
+ *
2096
+ * @throws {DPoPInitError} If {@link init} has not been called.
2097
+ */
2098
+ get fingerprint(): string;
2099
+ /**
2100
+ * Whether the controller has been initialized with a key pair.
2101
+ */
2102
+ get initialized(): boolean;
2103
+ /**
2104
+ * Creates a DPoP proof JWT for an HTTP API request.
2105
+ *
2106
+ * Used for Prime API endpoints like `/api/fabric/subscriber/devices/token`
2107
+ * and `/api/fabric/subscriber/devices/refresh`.
2108
+ *
2109
+ * @param params - HTTP method and URI for the proof.
2110
+ * @returns Signed DPoP proof JWT string.
2111
+ */
2112
+ createHttpProof(params: DPoPHttpProofParams): Promise<string>;
2113
+ /**
2114
+ * Creates a DPoP proof JWT for a WebSocket RPC call.
2115
+ *
2116
+ * Used for switchblade RPC methods like `signalwire.connect` and
2117
+ * `signalwire.reauthenticate`.
2118
+ *
2119
+ * @param params - RPC method name for the proof.
2120
+ * @returns Signed DPoP proof JWT string.
2121
+ */
2122
+ createRpcProof(params: DPoPRpcProofParams): Promise<string>;
2123
+ /**
2124
+ * Releases the key pair references.
2125
+ * After calling destroy, the controller must be re-initialized to be used again.
2126
+ */
2127
+ destroy(): void;
2128
+ private get publicJwk();
2129
+ private get privateKey();
2130
+ private signProof;
2131
+ }
2132
+ //#endregion
1965
2133
  //#region src/core/entities/Directory.d.ts
1966
2134
  /**
1967
2135
  * Directory interface for managing addresses
@@ -2072,11 +2240,12 @@ interface SessionState extends ClientSession {
2072
2240
  //#endregion
2073
2241
  //#region src/managers/ClientSessionManager.d.ts
2074
2242
  declare class ClientSessionManager extends Destroyable implements SessionState {
2075
- private credential;
2243
+ private readonly getCredential;
2076
2244
  private readonly transport;
2077
2245
  private readonly storage;
2078
2246
  private readonly authorizationStateKey;
2079
2247
  private readonly attachManager;
2248
+ private readonly dpopManager?;
2080
2249
  private callFactory;
2081
2250
  private callCreateTimeout;
2082
2251
  private readonly agent;
@@ -2084,14 +2253,21 @@ declare class ClientSessionManager extends Destroyable implements SessionState {
2084
2253
  initialized$: Observable<boolean>;
2085
2254
  private authorizationState$;
2086
2255
  private connectVersion;
2256
+ /**
2257
+ * Optional hook called before a fresh connect on reconnect.
2258
+ * Used by SignalWire to refresh expired credentials before re-authenticating.
2259
+ * @internal
2260
+ */
2261
+ onBeforeReconnect?: () => Promise<void>;
2087
2262
  private _authorization$;
2088
2263
  private _errors$;
2089
2264
  private _directory?;
2090
2265
  private _authenticated$;
2266
+ private _clientBound;
2091
2267
  private _subscriberInfo$;
2092
2268
  private _calls$;
2093
2269
  private _iceServers$;
2094
- constructor(credential: SDKCredential, transport: TransportManager, storage: StorageManager, authorizationStateKey: string, deviceController: DeviceController, attachManager: AttachManager, webRTCApiProvider: WebRTCApiProvider);
2270
+ constructor(getCredential: () => SDKCredential, transport: TransportManager, storage: StorageManager, authorizationStateKey: string, deviceController: DeviceController, attachManager: AttachManager, webRTCApiProvider: WebRTCApiProvider, dpopManager?: CryptoController | undefined);
2095
2271
  get incomingCalls$(): Observable<Call[]>;
2096
2272
  get incomingCalls(): Call[];
2097
2273
  get subscriberInfo$(): Observable<Address | null>;
@@ -2104,6 +2280,13 @@ declare class ClientSessionManager extends Destroyable implements SessionState {
2104
2280
  get errors$(): Observable<Error>;
2105
2281
  get authenticated$(): Observable<boolean>;
2106
2282
  get authenticated(): boolean;
2283
+ /**
2284
+ * Whether this session is client-bound (using a Client Bound SAT).
2285
+ * When client-bound, DPoP proof creation failures are treated as
2286
+ * authentication errors rather than silently degraded.
2287
+ * @internal
2288
+ */
2289
+ get clientBound(): boolean;
2107
2290
  /**
2108
2291
  * Set the directory instance
2109
2292
  * Called by SignalWire after directory is created
@@ -2192,6 +2375,16 @@ declare class ClientSessionManager extends Destroyable implements SessionState {
2192
2375
  params: CallConnectPayload;
2193
2376
  }, "event_channel"> & {
2194
2377
  event_channel: string;
2378
+ }) | (Omit<{
2379
+ event_type: "room.updated";
2380
+ event_channel: EventChannel;
2381
+ timestamp: number;
2382
+ project_id?: string;
2383
+ node_id?: string;
2384
+ is_author?: boolean;
2385
+ params: RoomUpdatedPayload;
2386
+ }, "event_channel"> & {
2387
+ event_channel: string;
2195
2388
  }) | Omit<{
2196
2389
  event_type: "member.updated";
2197
2390
  event_channel: EventChannel;
@@ -2266,7 +2459,9 @@ declare class ClientSessionManager extends Destroyable implements SessionState {
2266
2459
  private handleAuthenticationError;
2267
2460
  cleanupStoredConnectionParams(): Promise<void>;
2268
2461
  protected updateAuthState(authorization_state: string): Promise<void>;
2269
- reauthenticate(token: string): Promise<void>;
2462
+ reauthenticate(token: string, dpopToken?: string, options?: {
2463
+ clientBound?: boolean;
2464
+ }): Promise<void>;
2270
2465
  private authenticate;
2271
2466
  disconnect(): Promise<void>;
2272
2467
  private createInboundCall;
@@ -2354,6 +2549,16 @@ declare class ClientSessionWrapper implements SessionState {
2354
2549
  params: CallConnectPayload;
2355
2550
  }, "event_channel"> & {
2356
2551
  event_channel: string;
2552
+ }) | (Omit<{
2553
+ event_type: "room.updated";
2554
+ event_channel: EventChannel;
2555
+ timestamp: number;
2556
+ project_id?: string;
2557
+ node_id?: string;
2558
+ is_author?: boolean;
2559
+ params: RoomUpdatedPayload;
2560
+ }, "event_channel"> & {
2561
+ event_channel: string;
2357
2562
  }) | Omit<{
2358
2563
  event_type: "member.updated";
2359
2564
  event_channel: EventChannel;
@@ -2476,6 +2681,9 @@ declare class SignalWire extends Destroyable implements DeviceController {
2476
2681
  private _errors$;
2477
2682
  private _options;
2478
2683
  private _refreshTimerId?;
2684
+ private _dpopManager?;
2685
+ private _deviceTokenManager?;
2686
+ private _credentialProvider?;
2479
2687
  private _deps;
2480
2688
  /**
2481
2689
  * Creates a new SignalWire client and begins connecting.
@@ -2484,6 +2692,10 @@ declare class SignalWire extends Destroyable implements DeviceController {
2484
2692
  * @param options - Configuration options (connection, device monitoring, preferences).
2485
2693
  */
2486
2694
  constructor(credentialProvider: CredentialProvider, options?: SignalWireOptions);
2695
+ /**
2696
+ * Initializes DPoP if not already set up. Returns the fingerprint on success.
2697
+ */
2698
+ private initDPoP;
2487
2699
  private validateCredentials;
2488
2700
  private init;
2489
2701
  private handleAttachments;
@@ -2924,6 +3136,7 @@ interface WebRTCVerto extends VertoManager {
2924
3136
  //#endregion
2925
3137
  //#region src/managers/CallEventsManager.d.ts
2926
3138
  interface WebRTCCallEventManagerOptions {}
3139
+ /** @internal */
2927
3140
  declare class CallEventsManager extends Destroyable {
2928
3141
  protected webRtcCallSession: CallManager;
2929
3142
  protected options: WebRTCCallEventManagerOptions;
@@ -3200,7 +3413,7 @@ declare class WebRTCCall extends Destroyable implements CallManager {
3200
3413
  /** Observable of WebRTC-specific signaling messages. */
3201
3414
  get webrtcMessages$(): Observable<WebrtcMessagePayload>;
3202
3415
  /** Observable of call-level signaling events. */
3203
- get callEvent$(): Observable<WebrtcMessagePayload | CallJoinedPayload | CallLeftPayload | CallUpdatedPayload | CallStatePayload | CallPlayPayload | CallConnectPayload | MemberUpdatedPayload | MemberJoinedPayload | MemberLeftPayload | MemberTalkingPayload | LayoutChangedPayload | ConversationMessagePayload>;
3416
+ get callEvent$(): Observable<WebrtcMessagePayload | CallJoinedPayload | CallLeftPayload | CallUpdatedPayload | CallStatePayload | CallPlayPayload | CallConnectPayload | RoomUpdatedPayload | MemberUpdatedPayload | MemberJoinedPayload | MemberLeftPayload | MemberTalkingPayload | LayoutChangedPayload | ConversationMessagePayload>;
3204
3417
  /** Observable of layout-changed signaling events. */
3205
3418
  get layoutEvent$(): Observable<LayoutChangedPayload>;
3206
3419
  /**
@@ -3292,5 +3505,5 @@ declare const version: string;
3292
3505
  */
3293
3506
  declare const ready: boolean;
3294
3507
  //#endregion
3295
- export { Address, type AddressHistory, type Call, type CallAddress, type CallCapabilitiesState, CallCreateError, type CallError, type CallErrorKind, type CallOptions, type CallParticipant, type CallSelfParticipant, type CallState, type CallStatus, ClientPreferences, CollectionFetchError, type CredentialProvider, type DeviceController, type DialOptions, type Directory, type ExecuteMethod, InvalidCredentialsError, type JSONRPCErrorResponse, type JSONRPCRequest, type JSONRPCResponse, type JSONRPCSuccessResponse, type LayoutLayer, type MediaDirection, type MediaDirections, type MediaOptions, MediaTrackError, type MemberCapabilities, MessageParseError, type NodeSocketAdapter, type OnOffCapability, Participant, type PendingRPCOptions, type SDKCredential, SelfCapabilities, SelfParticipant, type SessionState, SignalWire, type SignalWireOptions, StaticCredentialProvider, type Storage, Subscriber, type TextMessage, type TransferOptions, UnexpectedError, VertoPongError, type VideoPosition, type WebRTCApiProvider, WebRTCCall, type WebRTCMediaDevices, type WebSocketAdapter, embeddableCall, isSelfParticipant, ready, version };
3508
+ export { Address, type AddressHistory, type AuthenticateContext, type Call, type CallAddress, type CallCapabilitiesState, CallCreateError, type CallError, type CallErrorKind, type CallOptions, type CallParticipant, type CallSelfParticipant, type CallState, type CallStatus, ClientPreferences, CollectionFetchError, type CredentialProvider, DPoPInitError, type DeviceController, DeviceTokenError, type DialOptions, type Directory, type ExecuteMethod, InvalidCredentialsError, type JSONRPCErrorResponse, type JSONRPCRequest, type JSONRPCResponse, type JSONRPCSuccessResponse, type LayoutLayer, type MediaDirection, type MediaDirections, type MediaOptions, MediaTrackError, type MemberCapabilities, MessageParseError, type NodeSocketAdapter, type OnOffCapability, Participant, type PendingRPCOptions, type SATClaims, type SDKCredential, SelfCapabilities, SelfParticipant, type SessionState, SignalWire, type SignalWireOptions, StaticCredentialProvider, type Storage, Subscriber, type TextMessage, TokenRefreshError, type TransferOptions, UnexpectedError, VertoPongError, type VideoPosition, type WebRTCApiProvider, WebRTCCall, type WebRTCMediaDevices, type WebSocketAdapter, embeddableCall, isSelfParticipant, ready, version };
3296
3509
  //# sourceMappingURL=index.d.cts.map