@stackframe/stack-shared 2.8.1 → 2.8.3

package/dist/interface/crud/projects.d.ts

@@ -48,6 +48,8 @@ export declare const projectsCrudAdminReadSchema: import("yup").ObjectSchema<{
         passkey_enabled: boolean;
         client_team_creation_enabled: boolean;
         client_user_deletion_enabled: boolean;
+        allow_user_api_keys: boolean;
+        allow_team_api_keys: boolean;
         oauth_providers: {
             client_id?: string | undefined;
             client_secret?: string | undefined;
@@ -101,6 +103,8 @@ export declare const projectsCrudAdminReadSchema: import("yup").ObjectSchema<{
         passkey_enabled: undefined;
         client_team_creation_enabled: undefined;
         client_user_deletion_enabled: undefined;
+        allow_user_api_keys: undefined;
+        allow_team_api_keys: undefined;
         oauth_providers: undefined;
         enabled_oauth_providers: undefined;
         domains: undefined;
@@ -130,6 +134,8 @@ export declare const projectsCrudClientReadSchema: import("yup").ObjectSchema<{
         passkey_enabled: boolean;
         client_team_creation_enabled: boolean;
         client_user_deletion_enabled: boolean;
+        allow_user_api_keys: boolean;
+        allow_team_api_keys: boolean;
         enabled_oauth_providers: {
             id: "google" | "github" | "microsoft" | "spotify" | "facebook" | "discord" | "gitlab" | "bitbucket" | "linkedin" | "apple" | "x";
         }[];
@@ -144,6 +150,8 @@ export declare const projectsCrudClientReadSchema: import("yup").ObjectSchema<{
         passkey_enabled: undefined;
         client_team_creation_enabled: undefined;
         client_user_deletion_enabled: undefined;
+        allow_user_api_keys: undefined;
+        allow_team_api_keys: undefined;
         enabled_oauth_providers: undefined;
     };
 }, "">;
@@ -159,6 +167,8 @@ export declare const projectsCrudAdminUpdateSchema: import("yup").ObjectSchema<{
         passkey_enabled?: boolean | undefined;
         client_team_creation_enabled?: boolean | undefined;
         client_user_deletion_enabled?: boolean | undefined;
+        allow_user_api_keys?: boolean | undefined;
+        allow_team_api_keys?: boolean | undefined;
         oauth_providers?: {
             client_id?: string | undefined;
             client_secret?: string | undefined;
@@ -211,6 +221,8 @@ export declare const projectsCrudAdminCreateSchema: import("yup").ObjectSchema<{
         passkey_enabled?: boolean | undefined;
         client_team_creation_enabled?: boolean | undefined;
         client_user_deletion_enabled?: boolean | undefined;
+        allow_user_api_keys?: boolean | undefined;
+        allow_team_api_keys?: boolean | undefined;
         oauth_providers?: {
             client_id?: string | undefined;
             client_secret?: string | undefined;
@@ -265,6 +277,8 @@ export declare const projectsCrud: import("../../crud").CrudSchemaFromOptions<{
             passkey_enabled: boolean;
             client_team_creation_enabled: boolean;
             client_user_deletion_enabled: boolean;
+            allow_user_api_keys: boolean;
+            allow_team_api_keys: boolean;
             enabled_oauth_providers: {
                 id: "google" | "github" | "microsoft" | "spotify" | "facebook" | "discord" | "gitlab" | "bitbucket" | "linkedin" | "apple" | "x";
             }[];
@@ -279,6 +293,8 @@ export declare const projectsCrud: import("../../crud").CrudSchemaFromOptions<{
             passkey_enabled: undefined;
             client_team_creation_enabled: undefined;
             client_user_deletion_enabled: undefined;
+            allow_user_api_keys: undefined;
+            allow_team_api_keys: undefined;
             enabled_oauth_providers: undefined;
         };
     }, "">;
@@ -298,6 +314,8 @@ export declare const projectsCrud: import("../../crud").CrudSchemaFromOptions<{
             passkey_enabled: boolean;
             client_team_creation_enabled: boolean;
             client_user_deletion_enabled: boolean;
+            allow_user_api_keys: boolean;
+            allow_team_api_keys: boolean;
             oauth_providers: {
                 client_id?: string | undefined;
                 client_secret?: string | undefined;
@@ -351,6 +369,8 @@ export declare const projectsCrud: import("../../crud").CrudSchemaFromOptions<{
             passkey_enabled: undefined;
             client_team_creation_enabled: undefined;
             client_user_deletion_enabled: undefined;
+            allow_user_api_keys: undefined;
+            allow_team_api_keys: undefined;
             oauth_providers: undefined;
             enabled_oauth_providers: undefined;
             domains: undefined;
@@ -382,6 +402,8 @@ export declare const projectsCrud: import("../../crud").CrudSchemaFromOptions<{
             passkey_enabled?: boolean | undefined;
             client_team_creation_enabled?: boolean | undefined;
             client_user_deletion_enabled?: boolean | undefined;
+            allow_user_api_keys?: boolean | undefined;
+            allow_team_api_keys?: boolean | undefined;
             oauth_providers?: {
                 client_id?: string | undefined;
                 client_secret?: string | undefined;
@@ -464,6 +486,8 @@ export declare const internalProjectsCrud: import("../../crud").CrudSchemaFromOp
             passkey_enabled: boolean;
             client_team_creation_enabled: boolean;
             client_user_deletion_enabled: boolean;
+            allow_user_api_keys: boolean;
+            allow_team_api_keys: boolean;
             oauth_providers: {
                 client_id?: string | undefined;
                 client_secret?: string | undefined;
@@ -517,6 +541,8 @@ export declare const internalProjectsCrud: import("../../crud").CrudSchemaFromOp
             passkey_enabled: undefined;
             client_team_creation_enabled: undefined;
             client_user_deletion_enabled: undefined;
+            allow_user_api_keys: undefined;
+            allow_team_api_keys: undefined;
             oauth_providers: undefined;
             enabled_oauth_providers: undefined;
             domains: undefined;
@@ -548,6 +574,8 @@ export declare const internalProjectsCrud: import("../../crud").CrudSchemaFromOp
             passkey_enabled?: boolean | undefined;
             client_team_creation_enabled?: boolean | undefined;
             client_user_deletion_enabled?: boolean | undefined;
+            allow_user_api_keys?: boolean | undefined;
+            allow_team_api_keys?: boolean | undefined;
             oauth_providers?: {
                 client_id?: string | undefined;
                 client_secret?: string | undefined;

package/dist/interface/crud/projects.js

@@ -68,6 +68,8 @@ export const projectsCrudAdminReadSchema = yupObject({
         // TODO: remove this
         client_team_creation_enabled: schemaFields.projectClientTeamCreationEnabledSchema.defined(),
         client_user_deletion_enabled: schemaFields.projectClientUserDeletionEnabledSchema.defined(),
+        allow_user_api_keys: schemaFields.yupBoolean().defined(),
+        allow_team_api_keys: schemaFields.yupBoolean().defined(),
         oauth_providers: yupArray(oauthProviderSchema.defined()).defined(),
         enabled_oauth_providers: yupArray(enabledOAuthProviderSchema.defined()).defined().meta({ openapiField: { hidden: true } }),
         domains: yupArray(domainSchema.defined()).defined(),
@@ -89,6 +91,8 @@ export const projectsCrudClientReadSchema = yupObject({
         passkey_enabled: schemaFields.projectPasskeyEnabledSchema.defined(),
         client_team_creation_enabled: schemaFields.projectClientTeamCreationEnabledSchema.defined(),
         client_user_deletion_enabled: schemaFields.projectClientUserDeletionEnabledSchema.defined(),
+        allow_user_api_keys: schemaFields.yupBoolean().defined(),
+        allow_team_api_keys: schemaFields.yupBoolean().defined(),
         enabled_oauth_providers: yupArray(enabledOAuthProviderSchema.defined()).defined().meta({ openapiField: { hidden: true } }),
     }).defined(),
 }).defined();
@@ -104,6 +108,8 @@ export const projectsCrudAdminUpdateSchema = yupObject({
         client_team_creation_enabled: schemaFields.projectClientTeamCreationEnabledSchema.optional(),
         client_user_deletion_enabled: schemaFields.projectClientUserDeletionEnabledSchema.optional(),
         allow_localhost: schemaFields.projectAllowLocalhostSchema.optional(),
+        allow_user_api_keys: schemaFields.yupBoolean().optional(),
+        allow_team_api_keys: schemaFields.yupBoolean().optional(),
         email_config: emailConfigSchema.optional().default(undefined),
         domains: yupArray(domainSchema.defined()).optional().default(undefined),
         oauth_providers: yupArray(oauthProviderSchema.defined()).optional().default(undefined),

package/dist/interface/crud/team-member-profiles.d.ts

@@ -40,8 +40,8 @@ export declare const teamMemberProfilesCrudServerReadSchema: import("yup").Objec
             client_read_only_metadata?: {} | null | undefined;
             server_metadata?: {} | null | undefined;
             id: string;
-            created_at_millis: number;
             display_name: string;
+            created_at_millis: number;
             profile_image_url: string | null;
         } | null;
         signed_up_at_millis: number;
@@ -135,8 +135,8 @@ export declare const teamMemberProfilesCrud: import("../../crud").CrudSchemaFrom
                 client_read_only_metadata?: {} | null | undefined;
                 server_metadata?: {} | null | undefined;
                 id: string;
-                created_at_millis: number;
                 display_name: string;
+                created_at_millis: number;
                 profile_image_url: string | null;
             } | null;
             signed_up_at_millis: number;

package/dist/interface/crud/users.d.ts

@@ -43,8 +43,8 @@ export declare const usersCrudServerReadSchema: import("yup").ObjectSchema<{
         client_read_only_metadata?: {} | null | undefined;
         server_metadata?: {} | null | undefined;
         id: string;
-        created_at_millis: number;
         display_name: string;
+        created_at_millis: number;
         profile_image_url: string | null;
     } | null;
     selected_team_id: string | null;
@@ -148,8 +148,8 @@ export declare const usersCrud: import("../../crud").CrudSchemaFromOptions<{
             client_read_only_metadata?: {} | null | undefined;
             server_metadata?: {} | null | undefined;
             id: string;
-            created_at_millis: number;
             display_name: string;
+            created_at_millis: number;
             profile_image_url: string | null;
         } | null;
         selected_team_id: string | null;
@@ -316,8 +316,8 @@ export declare const userCreatedWebhookEvent: {
             client_read_only_metadata?: {} | null | undefined;
             server_metadata?: {} | null | undefined;
             id: string;
-            created_at_millis: number;
             display_name: string;
+            created_at_millis: number;
             profile_image_url: string | null;
         } | null;
         selected_team_id: string | null;
@@ -387,8 +387,8 @@ export declare const userUpdatedWebhookEvent: {
             client_read_only_metadata?: {} | null | undefined;
             server_metadata?: {} | null | undefined;
             id: string;
-            created_at_millis: number;
             display_name: string;
+            created_at_millis: number;
             profile_image_url: string | null;
         } | null;
         selected_team_id: string | null;

package/dist/interface/serverInterface.d.ts

@@ -5,11 +5,11 @@ import { ClientInterfaceOptions, StackClientInterface } from "./clientInterface"
 import { ContactChannelsCrud } from "./crud/contact-channels";
 import { CurrentUserCrud } from "./crud/current-user";
 import { ConnectedAccountAccessTokenCrud } from "./crud/oauth";
+import { ProjectPermissionsCrud } from "./crud/project-permissions";
 import { SessionsCrud } from "./crud/sessions";
 import { TeamInvitationCrud } from "./crud/team-invitation";
 import { TeamMemberProfilesCrud } from "./crud/team-member-profiles";
 import { TeamMembershipsCrud } from "./crud/team-memberships";
-import { ProjectPermissionsCrud } from "./crud/project-permissions";
 import { TeamPermissionsCrud } from "./crud/team-permissions";
 import { TeamsCrud } from "./crud/teams";
 import { UsersCrud } from "./crud/users";
@@ -66,6 +66,7 @@ export declare class StackServerInterface extends StackClientInterface {
     listServerTeams(options?: {
         userId?: string;
     }): Promise<TeamsCrud['Server']['Read'][]>;
+    getServerTeam(teamId: string): Promise<TeamsCrud['Server']['Read']>;
     listServerTeamUsers(teamId: string): Promise<UsersCrud['Server']['Read'][]>;
     createServerTeam(data: TeamsCrud['Server']['Create']): Promise<TeamsCrud['Server']['Read']>;
     updateServerTeam(teamId: string, data: TeamsCrud['Server']['Update']): Promise<TeamsCrud['Server']['Read']>;

package/dist/interface/serverInterface.js

@@ -123,6 +123,10 @@ export class StackServerInterface extends StackClientInterface {
         const result = await response.json();
         return result.items;
     }
+    async getServerTeam(teamId) {
+        const response = await this.sendServerRequest(`/teams/${teamId}`, {}, null);
+        return await response.json();
+    }
     async listServerTeamUsers(teamId) {
         const response = await this.sendServerRequest(`/users?team_id=${teamId}`, {}, null);
         const result = await response.json();

package/dist/interface/webhooks.d.ts

@@ -21,8 +21,8 @@ export declare const webhookEvents: readonly [{
             client_read_only_metadata?: {} | null | undefined;
             server_metadata?: {} | null | undefined;
             id: string;
-            created_at_millis: number;
             display_name: string;
+            created_at_millis: number;
             profile_image_url: string | null;
         } | null;
         selected_team_id: string | null;
@@ -91,8 +91,8 @@ export declare const webhookEvents: readonly [{
             client_read_only_metadata?: {} | null | undefined;
             server_metadata?: {} | null | undefined;
             id: string;
-            created_at_millis: number;
             display_name: string;
+            created_at_millis: number;
             profile_image_url: string | null;
         } | null;
         selected_team_id: string | null;
@@ -254,4 +254,36 @@ export declare const webhookEvents: readonly [{
         description: string;
         tags: string[];
     };
+}, {
+    type: string;
+    schema: yup.ObjectSchema<{
+        id: string;
+        user_id: string;
+        team_id: string;
+    }, yup.AnyObject, {
+        id: undefined;
+        user_id: undefined;
+        team_id: undefined;
+    }, "">;
+    metadata: {
+        summary: string;
+        description: string;
+        tags: string[];
+    };
+}, {
+    type: string;
+    schema: yup.ObjectSchema<{
+        id: string;
+        user_id: string;
+        team_id: string;
+    }, yup.AnyObject, {
+        id: undefined;
+        user_id: undefined;
+        team_id: undefined;
+    }, "">;
+    metadata: {
+        summary: string;
+        description: string;
+        tags: string[];
+    };
 }];

package/dist/interface/webhooks.js

@@ -1,4 +1,5 @@
 import { teamMembershipCreatedWebhookEvent, teamMembershipDeletedWebhookEvent } from "./crud/team-memberships";
+import { teamPermissionCreatedWebhookEvent, teamPermissionDeletedWebhookEvent } from "./crud/team-permissions";
 import { teamCreatedWebhookEvent, teamDeletedWebhookEvent, teamUpdatedWebhookEvent } from "./crud/teams";
 import { userCreatedWebhookEvent, userDeletedWebhookEvent, userUpdatedWebhookEvent } from "./crud/users";
 export const webhookEvents = [
@@ -10,4 +11,6 @@ export const webhookEvents = [
     teamDeletedWebhookEvent,
     teamMembershipCreatedWebhookEvent,
     teamMembershipDeletedWebhookEvent,
+    teamPermissionCreatedWebhookEvent,
+    teamPermissionDeletedWebhookEvent,
 ];

package/dist/known-errors.d.ts

@@ -66,6 +66,9 @@ export declare const KnownErrors: {
     ProjectAuthenticationError: KnownErrorConstructor<KnownError & KnownErrorBrand<"PROJECT_AUTHENTICATION_ERROR">, [statusCode: number, humanReadableMessage: string, details?: Json | undefined]> & {
         errorCode: "PROJECT_AUTHENTICATION_ERROR";
     };
+    PermissionIdAlreadyExists: KnownErrorConstructor<KnownError & KnownErrorBrand<"PERMISSION_ID_ALREADY_EXISTS">, [permissionId: string]> & {
+        errorCode: "PERMISSION_ID_ALREADY_EXISTS";
+    };
     InvalidProjectAuthentication: KnownErrorConstructor<KnownError & KnownErrorBrand<"PROJECT_AUTHENTICATION_ERROR"> & {
         constructorArgs: [statusCode: number, humanReadableMessage: string, details?: Json | undefined];
     } & KnownErrorBrand<"INVALID_PROJECT_AUTHENTICATION">, [statusCode: number, humanReadableMessage: string, details?: Json | undefined]> & {
@@ -232,7 +235,9 @@ export declare const KnownErrors: {
     UserNotFound: KnownErrorConstructor<KnownError & KnownErrorBrand<"USER_NOT_FOUND">, []> & {
         errorCode: "USER_NOT_FOUND";
     };
-    ApiKeyNotFound: KnownErrorConstructor<KnownError & KnownErrorBrand<"API_KEY_NOT_FOUND">, []> & {
+    ApiKeyNotFound: KnownErrorConstructor<KnownError & KnownErrorBrand<"API_KEY_NOT_VALID"> & {
+        constructorArgs: [statusCode: number, humanReadableMessage: string, details?: Json | undefined];
+    } & KnownErrorBrand<"API_KEY_NOT_FOUND">, []> & {
         errorCode: "API_KEY_NOT_FOUND";
     };
     ProjectNotFound: KnownErrorConstructor<KnownError & KnownErrorBrand<"PROJECT_NOT_FOUND">, [projectId: string]> & {
@@ -400,5 +405,23 @@ export declare const KnownErrors: {
     InvalidPollingCodeError: KnownErrorConstructor<KnownError & KnownErrorBrand<"INVALID_POLLING_CODE">, [details?: Json | undefined]> & {
         errorCode: "INVALID_POLLING_CODE";
     };
+    ApiKeyNotValid: KnownErrorConstructor<KnownError & KnownErrorBrand<"API_KEY_NOT_VALID">, [statusCode: number, humanReadableMessage: string, details?: Json | undefined]> & {
+        errorCode: "API_KEY_NOT_VALID";
+    };
+    ApiKeyExpired: KnownErrorConstructor<KnownError & KnownErrorBrand<"API_KEY_NOT_VALID"> & {
+        constructorArgs: [statusCode: number, humanReadableMessage: string, details?: Json | undefined];
+    } & KnownErrorBrand<"API_KEY_EXPIRED">, []> & {
+        errorCode: "API_KEY_EXPIRED";
+    };
+    ApiKeyRevoked: KnownErrorConstructor<KnownError & KnownErrorBrand<"API_KEY_NOT_VALID"> & {
+        constructorArgs: [statusCode: number, humanReadableMessage: string, details?: Json | undefined];
+    } & KnownErrorBrand<"API_KEY_REVOKED">, []> & {
+        errorCode: "API_KEY_REVOKED";
+    };
+    WrongApiKeyType: KnownErrorConstructor<KnownError & KnownErrorBrand<"API_KEY_NOT_VALID"> & {
+        constructorArgs: [statusCode: number, humanReadableMessage: string, details?: Json | undefined];
+    } & KnownErrorBrand<"WRONG_API_KEY_TYPE">, [expectedType: string, actualType: string]> & {
+        errorCode: "WRONG_API_KEY_TYPE";
+    };
 };
 export {};

package/dist/known-errors.js

@@ -293,10 +293,6 @@ const UserNotFound = createKnownErrorConstructor(KnownError, "USER_NOT_FOUND", (
     404,
     "User not found.",
 ], () => []);
-const ApiKeyNotFound = createKnownErrorConstructor(KnownError, "API_KEY_NOT_FOUND", () => [
-    404,
-    "API key not found.",
-], () => []);
 const ProjectNotFound = createKnownErrorConstructor(KnownError, "PROJECT_NOT_FOUND", (projectId) => {
     if (typeof projectId !== "string")
         throw new StackAssertionError("projectId of KnownErrors.ProjectNotFound must be a string");
@@ -570,6 +566,31 @@ const InvalidPollingCodeError = createKnownErrorConstructor(KnownError, "INVALID
     "The polling code is invalid or does not exist.",
     details,
 ], (json) => [json]);
+const ApiKeyNotValid = createKnownErrorConstructor(KnownError, "API_KEY_NOT_VALID", "inherit", "inherit");
+const ApiKeyExpired = createKnownErrorConstructor(ApiKeyNotValid, "API_KEY_EXPIRED", () => [
+    401,
+    "API key has expired.",
+], () => []);
+const ApiKeyRevoked = createKnownErrorConstructor(ApiKeyNotValid, "API_KEY_REVOKED", () => [
+    401,
+    "API key has been revoked.",
+], () => []);
+const WrongApiKeyType = createKnownErrorConstructor(ApiKeyNotValid, "WRONG_API_KEY_TYPE", (expectedType, actualType) => [
+    400,
+    `This endpoint is for ${expectedType} API keys, but a ${actualType} API key was provided.`,
+    { expected_type: expectedType, actual_type: actualType },
+], (json) => [json.expected_type, json.actual_type]);
+const ApiKeyNotFound = createKnownErrorConstructor(ApiKeyNotValid, "API_KEY_NOT_FOUND", () => [
+    404,
+    "API key not found.",
+], () => []);
+const PermissionIdAlreadyExists = createKnownErrorConstructor(KnownError, "PERMISSION_ID_ALREADY_EXISTS", (permissionId) => [
+    400,
+    `Permission with ID "${permissionId}" already exists. Choose a different ID.`,
+    {
+        permission_id: permissionId,
+    },
+], (json) => [json.permission_id]);
 export const KnownErrors = {
     CannotDeleteCurrentSession,
     UnsupportedError,
@@ -577,6 +598,7 @@ export const KnownErrors = {
     SchemaError,
     AllOverloadsFailed,
     ProjectAuthenticationError,
+    PermissionIdAlreadyExists,
     InvalidProjectAuthentication,
     ProjectKeyWithoutAccessType,
     InvalidAccessType,
@@ -665,6 +687,10 @@ export const KnownErrors = {
     OAuthProviderAccessDenied,
     ContactChannelAlreadyUsedForAuthBySomeoneElse,
     InvalidPollingCodeError,
+    ApiKeyNotValid,
+    ApiKeyExpired,
+    ApiKeyRevoked,
+    WrongApiKeyType,
 };
 // ensure that all known error codes are unique
 const knownErrorCodes = new Set();

package/dist/schema-fields.d.ts

@@ -130,7 +130,7 @@ export declare const signInResponseSchema: yup.ObjectSchema<{
     is_new_user: undefined;
     user_id: undefined;
 }, "">;
-export declare const teamSystemPermissions: readonly ["$update_team", "$delete_team", "$read_members", "$remove_members", "$invite_members"];
+export declare const teamSystemPermissions: readonly ["$update_team", "$delete_team", "$read_members", "$remove_members", "$invite_members", "$manage_api_keys"];
 export declare const permissionDefinitionIdSchema: yup.StringSchema<string | undefined, yup.AnyObject, undefined, "">;
 export declare const customPermissionDefinitionIdSchema: yup.StringSchema<string | undefined, yup.AnyObject, undefined, "">;
 export declare const teamPermissionDescriptionSchema: yup.StringSchema<string | undefined, yup.AnyObject, undefined, "">;

package/dist/schema-fields.js

@@ -147,7 +147,7 @@ export function yupUnion(...args) {
         const errors = [];
         for (const schema of args) {
             try {
-                await schema.validate(value, context.options);
+                await yupValidate(schema, value, context.options);
                 return true;
             }
             catch (e) {
@@ -326,6 +326,7 @@ export const teamSystemPermissions = [
     '$read_members',
     '$remove_members',
     '$invite_members',
+    '$manage_api_keys',
 ];
 export const permissionDefinitionIdSchema = yupString()
     .matches(/^\$?[a-z0-9_:]+$/, 'Only lowercase letters, numbers, ":", "_" and optional "$" at the beginning are allowed')

package/dist/utils/api-keys.d.ts

@@ -0,0 +1,23 @@
+/**
+ * An api key has the following format:
+ * <prefix_without_underscores>_<secret_part_45_chars><id_part_32_chars><type_user_or_team_4_chars><scanner_and_marker_10_chars><checksum_8_chars>
+ *
+ * The scanner and marker is a base32 character that is used to determine if the api key is a public or private key
+ * and if it is a cloud or self-hosted key.
+ *
+ * The checksum is a crc32 checksum of the api key encoded in hex.
+ *
+ */
+type ProjectApiKey = {
+    id: string;
+    prefix: string;
+    isPublic: boolean;
+    isCloudVersion: boolean;
+    secret: string;
+    checksum: string;
+    type: "user" | "team";
+};
+export declare function isApiKey(secret: string): boolean;
+export declare function createProjectApiKey(options: Pick<ProjectApiKey, "id" | "isPublic" | "isCloudVersion" | "type">): string;
+export declare function parseProjectApiKey(secret: string): ProjectApiKey;
+export {};

package/dist/utils/api-keys.js

@@ -0,0 +1,75 @@
+import { getBase32CharacterFromIndex } from "@stackframe/stack-shared/dist/utils/bytes";
+import { generateSecureRandomString } from "@stackframe/stack-shared/dist/utils/crypto";
+import { StackAssertionError } from "@stackframe/stack-shared/dist/utils/errors";
+import crc32 from 'crc/crc32';
+const STACK_AUTH_MARKER = "574ck4u7h";
+// API key part lengths
+const API_KEY_LENGTHS = {
+    SECRET_PART: 45,
+    ID_PART: 32,
+    TYPE_PART: 4,
+    SCANNER_AND_MARKER: 10,
+    CHECKSUM: 8,
+};
+function createChecksumSync(checksummablePart) {
+    const data = new TextEncoder().encode(checksummablePart);
+    const calculated_checksum = crc32(data);
+    return calculated_checksum.toString(16).padStart(8, "0");
+}
+function createApiKeyParts(options) {
+    const { id, isPublic, isCloudVersion, type } = options;
+    const prefix = isPublic ? "pk" : "sk";
+    const scannerFlag = (isCloudVersion ? 0 : 1) + (isPublic ? 2 : 0) + ( /* version */0);
+    const secretPart = generateSecureRandomString();
+    const idPart = id.replace(/-/g, "");
+    const scannerAndMarker = getBase32CharacterFromIndex(scannerFlag).toLowerCase() + STACK_AUTH_MARKER;
+    const checksummablePart = `${prefix}_${secretPart}${idPart}${type}${scannerAndMarker}`;
+    return { checksummablePart, idPart, prefix, scannerAndMarker, type };
+}
+function parseApiKeyParts(secret) {
+    const regex = new RegExp(`^([^_]+)_` + // prefix
+        `(.{${API_KEY_LENGTHS.SECRET_PART}})` + // secretPart
+        `(.{${API_KEY_LENGTHS.ID_PART}})` + // idPart
+        `(.{${API_KEY_LENGTHS.TYPE_PART}})` + // type
+        `(.{${API_KEY_LENGTHS.SCANNER_AND_MARKER}})` + // scannerAndMarker
+        `(.{${API_KEY_LENGTHS.CHECKSUM}})$` // checksum
+    );
+    const match = secret.match(regex);
+    if (!match) {
+        throw new StackAssertionError("Invalid API key format");
+    }
+    const [, prefix, secretPart, idPart, type, scannerAndMarker, checksum] = match;
+    const scannerFlag = scannerAndMarker.replace(STACK_AUTH_MARKER, "");
+    const isCloudVersion = parseInt(scannerFlag, 32) % 2 === 0;
+    const isPublic = (parseInt(scannerFlag, 32) & 2) !== 0;
+    const checksummablePart = `${prefix}_${secretPart}${idPart}${type}${scannerAndMarker}`;
+    const restored_id = idPart.replace(/(.{8})(.{4})(.{4})(.{4})(.{12})/, "$1-$2-$3-$4-$5");
+    if (!["user", "team"].includes(type)) {
+        throw new StackAssertionError("Invalid type");
+    }
+    return { checksummablePart, checksum, id: restored_id, isCloudVersion, isPublic, prefix, type: type };
+}
+export function isApiKey(secret) {
+    return secret.includes("_") && secret.includes(STACK_AUTH_MARKER);
+}
+export function createProjectApiKey(options) {
+    const { checksummablePart } = createApiKeyParts(options);
+    const checksum = createChecksumSync(checksummablePart);
+    return `${checksummablePart}${checksum}`;
+}
+export function parseProjectApiKey(secret) {
+    const { checksummablePart, checksum, id, isCloudVersion, isPublic, prefix, type } = parseApiKeyParts(secret);
+    const calculated_checksum = createChecksumSync(checksummablePart);
+    if (calculated_checksum !== checksum) {
+        throw new StackAssertionError("Checksum mismatch");
+    }
+    return {
+        id,
+        prefix,
+        isPublic,
+        isCloudVersion,
+        secret,
+        checksum,
+        type,
+    };
+}

package/dist/utils/bytes.d.ts

@@ -1,3 +1,6 @@
+export declare function toHexString(input: Uint8Array): string;
+export declare function getBase32CharacterFromIndex(index: number): string;
+export declare function getBase32IndexFromCharacter(character: string): number;
 export declare function encodeBase32(input: Uint8Array): string;
 export declare function decodeBase32(input: string): Uint8Array;
 export declare function encodeBase64(input: Uint8Array): string;

package/dist/utils/bytes.js

@@ -5,6 +5,43 @@ const crockfordReplacements = new Map([
     ["i", "1"],
     ["l", "1"],
 ]);
+export function toHexString(input) {
+    return Array.from(input).map(b => b.toString(16).padStart(2, "0")).join("");
+}
+import.meta.vitest?.test("toHexString", ({ expect }) => {
+    expect(toHexString(new Uint8Array([]))).toBe("");
+    expect(toHexString(new Uint8Array([0]))).toBe("00");
+    expect(toHexString(new Uint8Array([15]))).toBe("0f");
+    expect(toHexString(new Uint8Array([16]))).toBe("10");
+    expect(toHexString(new Uint8Array([255]))).toBe("ff");
+    expect(toHexString(new Uint8Array([1, 2, 3]))).toBe("010203");
+});
+export function getBase32CharacterFromIndex(index) {
+    if (index < 0 || index >= crockfordAlphabet.length) {
+        throw new StackAssertionError(`Invalid base32 index: ${index}`);
+    }
+    return crockfordAlphabet[index];
+}
+import.meta.vitest?.test("getBase32CharacterFromIndex", ({ expect }) => {
+    expect(getBase32CharacterFromIndex(0)).toBe("0");
+    expect(getBase32CharacterFromIndex(15)).toBe("F");
+    expect(() => getBase32CharacterFromIndex(32)).toThrow();
+});
+export function getBase32IndexFromCharacter(character) {
+    if (character.length !== 1) {
+        throw new StackAssertionError(`Invalid base32 character: ${character}`);
+    }
+    const index = crockfordAlphabet.indexOf(character.toUpperCase());
+    if (index === -1) {
+        throw new StackAssertionError(`Invalid base32 character: ${character}`);
+    }
+    return index;
+}
+import.meta.vitest?.test("getBase32IndexFromCharacter", ({ expect }) => {
+    expect(getBase32IndexFromCharacter("0")).toBe(0);
+    expect(getBase32IndexFromCharacter("F")).toBe(15);
+    expect(() => getBase32IndexFromCharacter("_")).toThrow();
+});
 export function encodeBase32(input) {
     let bits = 0;
     let value = 0;
@@ -13,12 +50,12 @@ export function encodeBase32(input) {
         value = (value << 8) | input[i];
         bits += 8;
         while (bits >= 5) {
-            output += crockfordAlphabet[(value >>> (bits - 5)) & 31];
+            output += getBase32CharacterFromIndex((value >>> (bits - 5)) & 31);
             bits -= 5;
         }
     }
     if (bits > 0) {
-        output += crockfordAlphabet[(value << (5 - bits)) & 31];
+        output += getBase32CharacterFromIndex((value << (5 - bits)) & 31);
     }
     // sanity check
     if (!isBase32(output)) {
@@ -26,6 +63,14 @@ export function encodeBase32(input) {
     }
     return output;
 }
+import.meta.vitest?.test("encodeBase32", ({ expect }) => {
+    expect(encodeBase32(new Uint8Array([]))).toBe("");
+    expect(encodeBase32(new Uint8Array([1]))).toBe("04");
+    expect(encodeBase32(new Uint8Array([15]))).toBe("1W");
+    expect(encodeBase32(new Uint8Array([16]))).toBe("20");
+    expect(encodeBase32(new Uint8Array([255]))).toBe("ZW");
+    expect(encodeBase32(new Uint8Array([255, 255]))).toBe("ZZZG");
+});
 export function decodeBase32(input) {
     if (!isBase32(input)) {
         throw new StackAssertionError("Invalid base32 string");
@@ -41,10 +86,7 @@ export function decodeBase32(input) {
         if (crockfordReplacements.has(char)) {
             char = crockfordReplacements.get(char);
         }
-        const index = crockfordAlphabet.indexOf(char);
-        if (index === -1) {
-            throw new Error(`Invalid character: ${char}`);
-        }
+        const index = getBase32IndexFromCharacter(char);
         value = (value << 5) | index;
         bits += 5;
         if (bits >= 8) {
@@ -54,6 +96,13 @@ export function decodeBase32(input) {
     }
     return output;
 }
+import.meta.vitest?.test("decodeBase32", ({ expect }) => {
+    expect(decodeBase32("")).toEqual(new Uint8Array([]));
+    expect(decodeBase32("00")).toEqual(new Uint8Array([0]));
+    expect(decodeBase32("1W")).toEqual(new Uint8Array([15]));
+    expect(decodeBase32("20")).toEqual(new Uint8Array([16]));
+    expect(decodeBase32("ZW")).toEqual(new Uint8Array([255]));
+});
 export function encodeBase64(input) {
     const res = btoa(String.fromCharCode(...input));
     // Skip sanity check for test cases