@stackframe/stack 2.5.2 → 2.5.4

package/dist/esm/lib/stack-app.js

@@ -1,31 +1,28 @@
 // src/lib/stack-app.ts
-import React, { use, useCallback, useMemo } from "react";
+import { isReactServer } from "@stackframe/stack-sc";
 import { KnownError, KnownErrors, StackAdminInterface, StackClientInterface, StackServerInterface } from "@stackframe/stack-shared";
-import { deleteCookie, getCookie, setOrDeleteCookie } from "./cookie";
+import { getProductionModeErrors } from "@stackframe/stack-shared/dist/helpers/production-mode";
+import { InternalSession } from "@stackframe/stack-shared/dist/sessions";
+import { AsyncCache } from "@stackframe/stack-shared/dist/utils/caches";
+import { scrambleDuringCompileTime } from "@stackframe/stack-shared/dist/utils/compile-time";
+import { isBrowserLike } from "@stackframe/stack-shared/dist/utils/env";
 import { StackAssertionError, throwErr } from "@stackframe/stack-shared/dist/utils/errors";
-import { generateUuid } from "@stackframe/stack-shared/dist/utils/uuids";
+import { DependenciesMap } from "@stackframe/stack-shared/dist/utils/maps";
+import { deepPlainEquals, filterUndefined, omit } from "@stackframe/stack-shared/dist/utils/objects";
+import { neverResolve, runAsynchronously, wait } from "@stackframe/stack-shared/dist/utils/promises";
+import { suspend, suspendIfSsr } from "@stackframe/stack-shared/dist/utils/react";
 import { Result } from "@stackframe/stack-shared/dist/utils/results";
-import { suspendIfSsr } from "@stackframe/stack-shared/dist/utils/react";
 import { Store } from "@stackframe/stack-shared/dist/utils/stores";
-import { getProductionModeErrors } from "@stackframe/stack-shared/dist/interface/clientInterface";
-import { isBrowserLike } from "@stackframe/stack-shared/dist/utils/env";
-import { addNewOAuthProviderOrScope, callOAuthCallback, signInWithOAuth } from "./auth";
+import { mergeScopeStrings } from "@stackframe/stack-shared/dist/utils/strings";
+import { generateUuid } from "@stackframe/stack-shared/dist/utils/uuids";
+import * as cookie from "cookie";
 import * as NextNavigationUnscrambled from "next/navigation";
+import React, { useCallback, useMemo } from "react";
 import { constructRedirectUrl } from "../utils/url";
-import { deepPlainEquals, filterUndefined, omit, pick } from "@stackframe/stack-shared/dist/utils/objects";
-import { neverResolve, runAsynchronously, wait } from "@stackframe/stack-shared/dist/utils/promises";
-import { AsyncCache } from "@stackframe/stack-shared/dist/utils/caches";
-import { suspend } from "@stackframe/stack-shared/dist/utils/react";
-import { scrambleDuringCompileTime } from "@stackframe/stack-shared/dist/utils/compile-time";
-import { isReactServer } from "@stackframe/stack-sc";
-import * as cookie from "cookie";
-import { InternalSession } from "@stackframe/stack-shared/dist/sessions";
-import { mergeScopeStrings } from "@stackframe/stack-shared/dist/utils/strings";
+import { addNewOAuthProviderOrScope, callOAuthCallback, signInWithOAuth } from "./auth";
+import { deleteCookie, getCookie, setOrDeleteCookie } from "./cookie";
 var NextNavigation = scrambleDuringCompileTime(NextNavigationUnscrambled);
-var clientVersion = "js @stackframe/stack@2.5.2";
-function permissionDefinitionScopeToType(scope) {
-  return { "any-team": "team", "specific-team": "team", "global": "global" }[scope.type];
-}
+var clientVersion = "js @stackframe/stack@2.5.4";
 function getUrls(partial) {
   const handler = partial.handler ?? "/handler";
   return {
@@ -74,7 +71,7 @@ function getDefaultSuperSecretAdminKey() {
 function getDefaultBaseUrl() {
   return process.env.NEXT_PUBLIC_STACK_URL || defaultBaseUrl;
 }
-var defaultBaseUrl = "https://app.stack-auth.com";
+var defaultBaseUrl = "https://api.stack-auth.com";
 function createEmptyTokenStore() {
   return new Store({
     refreshToken: null,
@@ -103,7 +100,7 @@ function useAsyncCache(cache, dependencies, caller) {
     getSnapshot,
     () => throwErr(new Error("getServerSnapshot should never be called in useAsyncCache because we restrict to CSR earlier"))
   );
-  return use(promise);
+  return React.use(promise);
 }
 var stackAppInternalsSymbol = Symbol.for("StackAppInternals");
 var allClientApps = /* @__PURE__ */ new Map();
@@ -128,6 +125,97 @@ var numberOfAppsCreated = 0;
 var _StackClientAppImpl = class __StackClientAppImpl {
   constructor(_options) {
     this._options = _options;
+    this._uniqueIdentifier = void 0;
+    this.__DEMO_ENABLE_SLIGHT_FETCH_DELAY = false;
+    this._ownedAdminApps = new DependenciesMap();
+    this._currentUserCache = createCacheBySession(async (session) => {
+      if (this.__DEMO_ENABLE_SLIGHT_FETCH_DELAY) {
+        await wait(2e3);
+      }
+      return await this._interface.getClientUserByToken(session);
+    });
+    this._currentProjectCache = createCache(async () => {
+      return Result.orThrow(await this._interface.getClientProject());
+    });
+    this._ownedProjectsCache = createCacheBySession(async (session) => {
+      return await this._interface.listProjects(session);
+    });
+    this._currentUserPermissionsCache = createCacheBySession(async (session, [teamId, recursive]) => {
+      return await this._interface.listCurrentUserTeamPermissions({ teamId, recursive }, session);
+    });
+    this._currentUserTeamsCache = createCacheBySession(async (session) => {
+      return await this._interface.listCurrentUserTeams(session);
+    });
+    this._currentUserOAuthConnectionAccessTokensCache = createCacheBySession(
+      async (session, [accountId, scope]) => {
+        try {
+          return await this._interface.getAccessToken(accountId, scope || "", session);
+        } catch (err) {
+          if (!(err instanceof KnownErrors.OAuthConnectionDoesNotHaveRequiredScope || err instanceof KnownErrors.OAuthConnectionNotConnectedToUser)) {
+            throw err;
+          }
+        }
+        return null;
+      }
+    );
+    this._currentUserOAuthConnectionCache = createCacheBySession(
+      async (session, [connectionId, scope, redirect]) => {
+        const user = await this._currentUserCache.getOrWait([session], "write-only");
+        let hasConnection = true;
+        if (!user || !user.oauth_providers.find((p) => p.id === connectionId)) {
+          hasConnection = false;
+        }
+        const token = await this._currentUserOAuthConnectionAccessTokensCache.getOrWait([session, connectionId, scope || ""], "write-only");
+        if (!token) {
+          hasConnection = false;
+        }
+        if (!hasConnection && redirect) {
+          await addNewOAuthProviderOrScope(
+            this._interface,
+            {
+              provider: connectionId,
+              redirectUrl: this.urls.oauthCallback,
+              errorRedirectUrl: this.urls.error,
+              providerScope: mergeScopeStrings(scope || "", (this._oauthScopesOnSignIn[connectionId] ?? []).join(" "))
+            },
+            session
+          );
+          return await neverResolve();
+        } else if (!hasConnection) {
+          return null;
+        }
+        const app = this;
+        return {
+          id: connectionId,
+          async getAccessToken() {
+            const result = await app._currentUserOAuthConnectionAccessTokensCache.getOrWait([session, connectionId, scope || ""], "write-only");
+            if (!result) {
+              throw new StackAssertionError("No access token available");
+            }
+            return result;
+          },
+          useAccessToken() {
+            const result = useAsyncCache(app._currentUserOAuthConnectionAccessTokensCache, [session, connectionId, scope || ""], "oauthAccount.useAccessToken()");
+            if (!result) {
+              throw new StackAssertionError("No access token available");
+            }
+            return result;
+          }
+        };
+      }
+    );
+    this._memoryTokenStore = createEmptyTokenStore();
+    this._requestTokenStores = /* @__PURE__ */ new WeakMap();
+    this._storedCookieTokenStore = null;
+    /**
+     * A map from token stores and session keys to sessions.
+     *
+     * This isn't just a map from session keys to sessions for two reasons:
+     *
+     * - So we can garbage-collect Session objects when the token store is garbage-collected
+     * - So different token stores are separated and don't leak information between each other, eg. if the same user sends two requests to the same server they should get a different session object
+     */
+    this._sessionsByTokenStoreAndSessionKey = /* @__PURE__ */ new WeakMap();
     if ("interface" in _options) {
       this._interface = _options.interface;
     } else {
@@ -145,94 +233,13 @@ var _StackClientAppImpl = class __StackClientAppImpl {
       this._uniqueIdentifier = _options.uniqueIdentifier;
       this._initUniqueIdentifier();
     }
-    numberOfAppsCreated++;
-    if (numberOfAppsCreated > 10) {
-      (process.env.NODE_ENV === "development" ? console.log : console.warn)(`You have created more than 10 Stack apps (${numberOfAppsCreated}). This is usually a sign of a memory leak, but can sometimes be caused by hot reload of your tech stack. In production, make sure to minimize the number of Stack apps per page (usually, one per project).`);
-    }
-  }
-  _uniqueIdentifier = void 0;
-  _interface;
-  _tokenStoreInit;
-  _urlOptions;
-  _oauthScopesOnSignIn;
-  __DEMO_ENABLE_SLIGHT_FETCH_DELAY = false;
-  _currentUserCache = createCacheBySession(async (session) => {
-    if (this.__DEMO_ENABLE_SLIGHT_FETCH_DELAY) {
-      await wait(2e3);
-    }
-    const user = await this._interface.getClientUserByToken(session);
-    return Result.or(user, null);
-  });
-  _currentProjectCache = createCache(async () => {
-    return Result.orThrow(await this._interface.getClientProject());
-  });
-  _ownedProjectsCache = createCacheBySession(async (session) => {
-    return await this._interface.listProjects(session);
-  });
-  _currentUserPermissionsCache = createCacheBySession(async (session, [teamId, type, direct]) => {
-    return await this._interface.listClientUserTeamPermissions({ teamId, type, direct }, session);
-  });
-  _currentUserTeamsCache = createCacheBySession(async (session) => {
-    return await this._interface.listClientUserTeams(session);
-  });
-  _currentUserOAuthConnectionAccessTokensCache = createCacheBySession(
-    async (session, [accountId, scope]) => {
-      try {
-        return await this._interface.getAccessToken(accountId, scope || "", session);
-      } catch (err) {
-        if (!(err instanceof KnownErrors.OAuthConnectionDoesNotHaveRequiredScope || err instanceof KnownErrors.OAuthConnectionNotConnectedToUser)) {
-          throw err;
-        }
-      }
-      return null;
-    }
-  );
-  _currentUserOAuthConnectionCache = createCacheBySession(
-    async (session, [connectionId, scope, redirect]) => {
-      const user = await this._currentUserCache.getOrWait([session], "write-only");
-      let hasConnection = true;
-      if (!user || !user.oauthProviders.find((p) => p === connectionId)) {
-        hasConnection = false;
+    if (!_options.noAutomaticPrefetch) {
+      numberOfAppsCreated++;
+      if (numberOfAppsCreated > 10) {
+        (process.env.NODE_ENV === "development" ? console.log : console.warn)(`You have created more than 10 Stack apps with automatic pre-fetch enabled (${numberOfAppsCreated}). This is usually a sign of a memory leak, but can sometimes be caused by hot reload of your tech stack. If you are getting this error and it is not caused by hot reload, make sure to minimize the number of Stack apps per page (usually, one per project). (If it is caused by hot reload and does not occur in production, you can safely ignore it.)`);
       }
-      const token = await this._currentUserOAuthConnectionAccessTokensCache.getOrWait([session, connectionId, scope || ""], "write-only");
-      if (!token) {
-        hasConnection = false;
-      }
-      if (!hasConnection && redirect) {
-        await addNewOAuthProviderOrScope(
-          this._interface,
-          {
-            provider: connectionId,
-            redirectUrl: this.urls.oauthCallback,
-            errorRedirectUrl: this.urls.error,
-            providerScope: mergeScopeStrings(scope || "", (this._oauthScopesOnSignIn[connectionId] ?? []).join(" "))
-          },
-          session
-        );
-        return await neverResolve();
-      } else if (!hasConnection) {
-        return null;
-      }
-      const app = this;
-      return {
-        id: connectionId,
-        async getAccessToken() {
-          const result = await app._currentUserOAuthConnectionAccessTokensCache.getOrWait([session, connectionId, scope || ""], "write-only");
-          if (!result) {
-            throw new StackAssertionError("No access token available");
-          }
-          return result;
-        },
-        useAccessToken() {
-          const result = useAsyncCache(app._currentUserOAuthConnectionAccessTokensCache, [session, connectionId, scope || ""], "oauthAccount.useAccessToken()");
-          if (!result) {
-            throw new StackAssertionError("No access token available");
-          }
-          return result;
-        }
-      };
     }
-  );
+  }
   _initUniqueIdentifier() {
     if (!this._uniqueIdentifier) {
       throw new StackAssertionError("Unique identifier not initialized");
@@ -244,7 +251,8 @@ var _StackClientAppImpl = class __StackClientAppImpl {
   }
   /**
    * Cloudflare workers does not allow use of randomness on the global scope (on which the Stack app is probably
-   * initialized). For that reason, we generate the unique identifier lazily when it is first needed.
+   * initialized). For that reason, we generate the unique identifier lazily when it is first needed instead of in the
+   * constructor.
    */
   _getUniqueIdentifier() {
     if (!this._uniqueIdentifier) {
@@ -260,9 +268,6 @@ var _StackClientAppImpl = class __StackClientAppImpl {
     runAsynchronously(this._checkFeatureSupport(featureName, options));
     throw new StackAssertionError(`${featureName} is not currently supported. Please reach out to Stack support for more information.`);
   }
-  _memoryTokenStore = createEmptyTokenStore();
-  _requestTokenStores = /* @__PURE__ */ new WeakMap();
-  _storedCookieTokenStore = null;
   get _refreshTokenCookieName() {
     return `stack-refresh-${this.projectId}`;
   }
@@ -390,15 +395,6 @@ var _StackClientAppImpl = class __StackClientAppImpl {
       }
     }
   }
-  /**
-   * A map from token stores and session keys to sessions.
-   * 
-   * This isn't just a map from session keys to sessions for two reasons:
-   * 
-   * - So we can garbage-collect Session objects when the token store is garbage-collected
-   * - So different token stores are separated and don't leak information between each other, eg. if the same user sends two requests to the same server they should get a different session object
-   */
-  _sessionsByTokenStoreAndSessionKey = /* @__PURE__ */ new WeakMap();
   _getSessionFromTokenStore(tokenStore) {
     const tokenObj = tokenStore.get();
     const sessionKey = InternalSession.calculateSessionKey(tokenObj);
@@ -461,38 +457,28 @@ var _StackClientAppImpl = class __StackClientAppImpl {
       throw new Error("Cannot call this function on a Stack app with a project ID other than 'internal'.");
     }
   }
-  _permissionFromJson(json) {
-    const type = permissionDefinitionScopeToType(json.scope);
-    if (type === "team") {
-      return {
-        id: json.id,
-        type,
-        teamId: json.scope.teamId
-      };
-    } else {
-      return {
-        id: json.id,
-        type
-      };
-    }
-  }
-  _teamFromJson(json) {
+  _clientProjectFromCrud(crud) {
     return {
-      id: json.id,
-      displayName: json.displayName,
-      profileImageUrl: json.profileImageUrl,
-      createdAt: new Date(json.createdAtMillis),
-      toJson() {
-        return json;
+      id: crud.id,
+      config: {
+        credentialEnabled: crud.config.credential_enabled,
+        magicLinkEnabled: crud.config.magic_link_enabled,
+        oauthProviders: crud.config.oauth_providers.map((p) => ({
+          id: p.id
+        }))
       }
     };
   }
-  _teamMemberFromJson(json) {
-    if (json === null) return null;
+  _clientTeamPermissionFromCrud(crud) {
+    return {
+      id: crud.id
+    };
+  }
+  _clientTeamFromCrud(crud) {
     return {
-      teamId: json.teamId,
-      userId: json.userId,
-      displayName: json.displayName
+      id: crud.id,
+      displayName: crud.display_name,
+      profileImageUrl: crud.profile_image_url
     };
   }
   _createAuth(session) {
@@ -522,41 +508,29 @@ var _StackClientAppImpl = class __StackClientAppImpl {
       }
     };
   }
-  _createBaseUser(json) {
+  _createBaseUser(crud) {
+    if (!crud) {
+      throw new StackAssertionError("User not found");
+    }
     return {
-      projectId: json.projectId,
-      id: json.id,
-      displayName: json.displayName,
-      primaryEmail: json.primaryEmail,
-      primaryEmailVerified: json.primaryEmailVerified,
-      profileImageUrl: json.profileImageUrl,
-      signedUpAt: new Date(json.signedUpAtMillis),
-      clientMetadata: json.clientMetadata,
-      hasPassword: json.hasPassword,
-      authWithEmail: json.authWithEmail,
-      oauthProviders: json.oauthProviders,
-      selectedTeam: json.selectedTeam && this._teamFromJson(json.selectedTeam),
+      projectId: crud.project_id,
+      id: crud.id,
+      displayName: crud.display_name,
+      primaryEmail: crud.primary_email,
+      primaryEmailVerified: crud.primary_email_verified,
+      profileImageUrl: crud.profile_image_url,
+      signedUpAt: new Date(crud.signed_up_at_millis),
+      clientMetadata: crud.client_metadata,
+      hasPassword: crud.has_password,
+      emailAuthEnabled: crud.auth_with_email,
+      oauthProviders: crud.oauth_providers,
+      selectedTeam: crud.selected_team && this._clientTeamFromCrud(crud.selected_team),
       toClientJson() {
-        return pick(json, [
-          "projectId",
-          "id",
-          "displayName",
-          "primaryEmail",
-          "primaryEmailVerified",
-          "profileImageUrl",
-          "signedUpAtMillis",
-          "clientMetadata",
-          "hasPassword",
-          "authMethod",
-          "authWithEmail",
-          "selectedTeamId",
-          "selectedTeam",
-          "oauthProviders"
-        ]);
+        return crud;
       }
     };
   }
-  _createUserExtra(json, session) {
+  _createCurrentUserExtra(crud, session) {
     const app = this;
     async function getConnectedAccount(id, options) {
       const scopeString = options?.scopes?.join(" ");
@@ -590,24 +564,26 @@ var _StackClientAppImpl = class __StackClientAppImpl {
       },
       async listTeams() {
         const teams = await app._currentUserTeamsCache.getOrWait([session], "write-only");
-        return teams.map((json2) => app._teamFromJson(json2));
+        return teams.map((crud2) => app._clientTeamFromCrud(crud2));
       },
       useTeams() {
         const teams = useAsyncCache(app._currentUserTeamsCache, [session], "user.useTeams()");
-        return useMemo(() => teams.map((json2) => app._teamFromJson(json2)), [teams]);
+        return useMemo(() => teams.map((crud2) => app._clientTeamFromCrud(crud2)), [teams]);
       },
       async createTeam(data) {
-        const teamJson = await app._interface.createTeamForCurrentUser(data, session);
+        const crud2 = await app._interface.createTeamForCurrentUser(teamCreateOptionsToCrud(data), session);
         await app._currentUserTeamsCache.refresh([session]);
-        return app._teamFromJson(teamJson);
+        return app._clientTeamFromCrud(crud2);
       },
       async listPermissions(scope, options) {
-        const permissions = await app._currentUserPermissionsCache.getOrWait([session, scope.id, "team", !!options?.direct], "write-only");
-        return permissions.map((json2) => app._permissionFromJson(json2));
+        const recursive = options?.recursive ?? true;
+        const permissions = await app._currentUserPermissionsCache.getOrWait([session, scope.id, recursive], "write-only");
+        return permissions.map((crud2) => app._clientTeamPermissionFromCrud(crud2));
       },
       usePermissions(scope, options) {
-        const permissions = useAsyncCache(app._currentUserPermissionsCache, [session, scope.id, "team", !!options?.direct], "user.usePermissions()");
-        return useMemo(() => permissions.map((json2) => app._permissionFromJson(json2)), [permissions]);
+        const recursive = options?.recursive ?? true;
+        const permissions = useAsyncCache(app._currentUserPermissionsCache, [session, scope.id, recursive], "user.usePermissions()");
+        return useMemo(() => permissions.map((crud2) => app._clientTeamPermissionFromCrud(crud2)), [permissions]);
       },
       usePermission(scope, permissionId) {
         const permissions = this.usePermissions(scope);
@@ -621,7 +597,7 @@ var _StackClientAppImpl = class __StackClientAppImpl {
         return await this.getPermission(scope, permissionId) !== null;
       },
       update(update) {
-        return app._updateUser(update, session);
+        return app._updateClientUser(update, session);
       },
       sendVerificationEmail() {
         return app._sendVerificationEmail(session);
@@ -646,58 +622,27 @@ var _StackClientAppImpl = class __StackClientAppImpl {
       }
     };
   }
-  _createCurrentUser(json, session) {
+  _currentUserFromCrud(crud, session) {
     const currentUser = {
-      ...this._createBaseUser(json),
+      ...this._createBaseUser(crud),
       ...this._createAuth(session),
-      ...this._createUserExtra(json, session),
+      ...this._createCurrentUserExtra(crud, session),
       ...this._isInternalProject() ? this._createInternalUserExtra(session) : {}
     };
     Object.freeze(currentUser);
     return currentUser;
   }
-  _projectAdminFromJson(data, adminInterface, onRefresh) {
-    if (data.id !== adminInterface.projectId) {
-      throw new Error(`The project ID of the provided project JSON (${data.id}) does not match the project ID of the app (${adminInterface.projectId})! This is a Stack bug.`);
+  _getOwnedAdminApp(forProjectId, session) {
+    if (!this._ownedAdminApps.has([session, forProjectId])) {
+      this._ownedAdminApps.set([session, forProjectId], new _StackAdminAppImpl({
+        baseUrl: this._interface.options.baseUrl,
+        projectId: forProjectId,
+        tokenStore: null,
+        projectOwnerSession: session,
+        noAutomaticPrefetch: true
+      }));
     }
-    return {
-      id: data.id,
-      displayName: data.displayName,
-      description: data.description,
-      createdAt: new Date(data.createdAtMillis),
-      userCount: data.userCount,
-      isProductionMode: data.isProductionMode,
-      evaluatedConfig: {
-        id: data.evaluatedConfig.id,
-        credentialEnabled: data.evaluatedConfig.credentialEnabled,
-        magicLinkEnabled: data.evaluatedConfig.magicLinkEnabled,
-        allowLocalhost: data.evaluatedConfig.allowLocalhost,
-        oauthProviders: data.evaluatedConfig.oauthProviders,
-        emailConfig: data.evaluatedConfig.emailConfig,
-        domains: data.evaluatedConfig.domains,
-        createTeamOnSignUp: data.evaluatedConfig.createTeamOnSignUp,
-        teamCreatorDefaultPermissions: data.evaluatedConfig.teamCreatorDefaultPermissions,
-        teamMemberDefaultPermissions: data.evaluatedConfig.teamMemberDefaultPermissions
-      },
-      async update(update) {
-        await adminInterface.updateProject(update);
-        await onRefresh();
-      },
-      toJson() {
-        return data;
-      },
-      getProductionModeErrors() {
-        return getProductionModeErrors(this.toJson());
-      }
-    };
-  }
-  _createAdminInterface(forProjectId, session) {
-    return new StackAdminInterface({
-      baseUrl: this._interface.options.baseUrl,
-      projectId: forProjectId,
-      clientVersion,
-      projectOwnerSession: session
-    });
+    return this._ownedAdminApps.get([session, forProjectId]);
   }
   get projectId() {
     return this._interface.projectId;
@@ -777,8 +722,8 @@ var _StackClientAppImpl = class __StackClientAppImpl {
   async getUser(options) {
     this._ensurePersistentTokenStore(options?.tokenStore);
     const session = this._getSession(options?.tokenStore);
-    const userJson = await this._currentUserCache.getOrWait([session], "write-only");
-    if (userJson === null) {
+    const crud = await this._currentUserCache.getOrWait([session], "write-only");
+    if (crud === null) {
       switch (options?.or) {
         case "redirect": {
           await this.redirectToSignIn();
@@ -792,14 +737,14 @@ var _StackClientAppImpl = class __StackClientAppImpl {
         }
       }
     }
-    return userJson && this._createCurrentUser(userJson, session);
+    return crud && this._currentUserFromCrud(crud, session);
   }
   useUser(options) {
     this._ensurePersistentTokenStore(options?.tokenStore);
     const router = NextNavigation.useRouter();
     const session = this._useSession(options?.tokenStore);
-    const userJson = useAsyncCache(this._currentUserCache, [session], "useUser()");
-    if (userJson === null) {
+    const crud = useAsyncCache(this._currentUserCache, [session], "useUser()");
+    if (crud === null) {
       switch (options?.or) {
         case "redirect": {
           setTimeout(() => router.replace(this.urls.signIn), 0);
@@ -815,11 +760,11 @@ var _StackClientAppImpl = class __StackClientAppImpl {
       }
     }
     return useMemo(() => {
-      return userJson && this._createCurrentUser(userJson, session);
-    }, [userJson, session, options?.or]);
+      return crud && this._currentUserFromCrud(crud, session);
+    }, [crud, session, options?.or]);
   }
-  async _updateUser(update, session) {
-    const res = await this._interface.setClientUserCustomizableData(update, session);
+  async _updateClientUser(update, session) {
+    const res = await this._interface.updateClientUser(userUpdateOptionsToCrud(update), session);
     await this._refreshUser(session);
     return res;
   }
@@ -863,8 +808,7 @@ var _StackClientAppImpl = class __StackClientAppImpl {
   }
   async signInWithMagicLink(code) {
     this._ensurePersistentTokenStore();
-    const session = this._getSession();
-    const result = await this._interface.signInWithMagicLink(code, session);
+    const result = await this._interface.signInWithMagicLink(code);
     if (result instanceof KnownError) {
       return result;
     }
@@ -911,35 +855,34 @@ var _StackClientAppImpl = class __StackClientAppImpl {
     }
   }
   async getProject() {
-    return await this._currentProjectCache.getOrWait([], "write-only");
+    const crud = await this._currentProjectCache.getOrWait([], "write-only");
+    return this._clientProjectFromCrud(crud);
   }
   useProject() {
-    return useAsyncCache(this._currentProjectCache, [], "useProject()");
+    const crud = useAsyncCache(this._currentProjectCache, [], "useProject()");
+    return useMemo(() => this._clientProjectFromCrud(crud), [crud]);
   }
   async _listOwnedProjects(session) {
     this._ensureInternalProject();
-    const json = await this._ownedProjectsCache.getOrWait([session], "write-only");
-    return json.map((j) => this._projectAdminFromJson(
+    const crud = await this._ownedProjectsCache.getOrWait([session], "write-only");
+    return crud.map((j) => this._getOwnedAdminApp(j.id, session)._adminOwnedProjectFromCrud(
       j,
-      this._createAdminInterface(j.id, session),
       () => this._refreshOwnedProjects(session)
     ));
   }
   _useOwnedProjects(session) {
     this._ensureInternalProject();
-    const json = useAsyncCache(this._ownedProjectsCache, [session], "useOwnedProjects()");
-    return useMemo(() => json.map((j) => this._projectAdminFromJson(
+    const projects = useAsyncCache(this._ownedProjectsCache, [session], "useOwnedProjects()");
+    return useMemo(() => projects.map((j) => this._getOwnedAdminApp(j.id, session)._adminOwnedProjectFromCrud(
       j,
-      this._createAdminInterface(j.id, session),
       () => this._refreshOwnedProjects(session)
-    )), [json]);
+    )), [projects]);
   }
   async _createProject(session, newProject) {
     this._ensureInternalProject();
-    const json = await this._interface.createProject(newProject, session);
-    const res = this._projectAdminFromJson(
-      json,
-      this._createAdminInterface(json.id, session),
+    const crud = await this._interface.createProject(adminProjectCreateOptionsToCrud(newProject), session);
+    const res = this._getOwnedAdminApp(crud.id, session)._adminOwnedProjectFromCrud(
+      crud,
       () => this._refreshOwnedProjects(session)
     );
     await this._refreshOwnedProjects(session);
@@ -1003,33 +946,6 @@ var _StackClientAppImpl = class __StackClientAppImpl {
   }
 };
 var _StackServerAppImpl = class extends _StackClientAppImpl {
-  // TODO override the client user cache to use the server user cache, so we save some requests
-  _currentServerUserCache = createCacheBySession(async (session) => {
-    const user = await this._interface.getServerUserByToken(session);
-    return Result.or(user, null);
-  });
-  _serverUsersCache = createCache(async () => {
-    return await this._interface.listServerUsers();
-  });
-  _serverUserCache = createCache(async ([userId]) => {
-    const user = await this._interface.getServerUserById(userId);
-    return Result.or(user, null);
-  });
-  _serverTeamsCache = createCache(async () => {
-    return await this._interface.listServerTeams();
-  });
-  _serverTeamMembersCache = createCache(async ([teamId]) => {
-    return await this._interface.listServerTeamMembers(teamId);
-  });
-  _serverTeamPermissionDefinitionsCache = createCache(async () => {
-    return await this._interface.listPermissionDefinitions();
-  });
-  _serverTeamUserPermissionsCache = createCache(async ([teamId, userId, type, direct]) => {
-    return await this._interface.listServerTeamMemberPermissions({ teamId, userId, type, direct });
-  });
-  _serverEmailTemplatesCache = createCache(async () => {
-    return await this._interface.listEmailTemplates();
-  });
   constructor(options) {
     super("interface" in options ? {
       interface: options.interface,
@@ -1048,24 +964,46 @@ var _StackServerAppImpl = class extends _StackClientAppImpl {
       urls: options.urls ?? {},
       oauthScopesOnSignIn: options.oauthScopesOnSignIn ?? {}
     });
+    // TODO override the client user cache to use the server user cache, so we save some requests
+    this._currentServerUserCache = createCacheBySession(async (session) => {
+      return await this._interface.getServerUserByToken(session);
+    });
+    this._serverUsersCache = createCache(async () => {
+      return await this._interface.listServerUsers();
+    });
+    this._serverUserCache = createCache(async ([userId]) => {
+      const user = await this._interface.getServerUserById(userId);
+      return Result.or(user, null);
+    });
+    this._serverTeamsCache = createCache(async () => {
+      return await this._interface.listServerTeams();
+    });
+    this._serverCurrentUserTeamsCache = createCacheBySession(async (session) => {
+      return await this._interface.listServerCurrentUserTeams(session);
+    });
+    this._serverTeamUsersCache = createCache(async ([teamId]) => {
+      return await this._interface.listServerTeamUsers(teamId);
+    });
+    this._serverTeamUserPermissionsCache = createCache(async ([teamId, userId, recursive]) => {
+      return await this._interface.listServerTeamMemberPermissions({ teamId, userId, recursive });
+    });
   }
-  _createBaseUser(json) {
+  _createBaseUser(crud) {
+    if (!crud) {
+      throw new StackAssertionError("User not found");
+    }
     return {
-      ...super._createBaseUser(json),
-      ..."serverMetadata" in json ? {
-        serverMetadata: json.serverMetadata,
-        toServerJson() {
-          return {
-            ...this.toClientJson(),
-            ...pick(json, [
-              "serverMetadata"
-            ])
-          };
-        }
+      ...super._createBaseUser(crud),
+      ..."server_metadata" in crud ? {
+        // server user
+        serverMetadata: crud.server_metadata
       } : {}
     };
   }
-  _createUserExtra(json) {
+  _createCurrentUserExtra(crud) {
+    if (!crud) {
+      throw new StackAssertionError("User not found");
+    }
     const app = this;
     return {
       async setDisplayName(displayName) {
@@ -1081,7 +1019,7 @@ var _StackServerAppImpl = class extends _StackClientAppImpl {
         return await this.update({ selectedTeamId: team?.id ?? null });
       },
       async setPrimaryEmail(email, options) {
-        return await this.update({ primaryEmail: email });
+        return await this.update({ primaryEmail: email, primaryEmailVerified: options?.verified });
       },
       getConnectedAccount: async () => {
         return await app._checkFeatureSupport("getConnectedAccount() on ServerUser", {});
@@ -1094,31 +1032,29 @@ var _StackServerAppImpl = class extends _StackClientAppImpl {
         return teams.find((t) => t.id === teamId) ?? null;
       },
       useTeam(teamId) {
-        const teams = this.useTeams();
-        return useMemo(() => {
-          return teams.find((t) => t.id === teamId) ?? null;
-        }, [teams, teamId]);
+        return app._useCheckFeatureSupport("useTeam() on ServerUser", {});
       },
       async listTeams() {
-        const teams = await app.listTeams();
-        const withMembers = await Promise.all(teams.map(async (t) => [t, await t.listMembers()]));
-        return withMembers.filter(([_, members]) => members.find((m) => m.userId === json.id)).map(([t]) => t);
+        const crud2 = await app._serverCurrentUserTeamsCache.getOrWait([app._getSession()], "write-only");
+        return crud2.map((t) => app._serverTeamFromCrud(t));
       },
       useTeams() {
         return app._useCheckFeatureSupport("useTeams() on ServerUser", {});
       },
       createTeam: async (data) => {
-        const team = await app._interface.createServerTeamForUser(json.id, data, app._getSession());
+        const team = await app._interface.createServerTeam(serverTeamCreateOptionsToCrud(data), app._getSession());
         await app._serverTeamsCache.refresh([]);
-        return app._serverTeamFromJson(team);
+        return app._serverTeamFromCrud(team);
       },
       async listPermissions(scope, options) {
-        const permissions = await app._serverTeamUserPermissionsCache.getOrWait([scope.id, json.id, "team", !!options?.direct], "write-only");
-        return permissions.map((json2) => app._serverPermissionFromJson(json2));
+        const recursive = options?.recursive ?? true;
+        const permissions = await app._serverTeamUserPermissionsCache.getOrWait([scope.id, crud.id, recursive], "write-only");
+        return permissions.map((crud2) => app._serverPermissionFromCrud(crud2));
       },
       usePermissions(scope, options) {
-        const permissions = useAsyncCache(app._serverTeamUserPermissionsCache, [scope.id, json.id, "team", !!options?.direct], "user.usePermissions()");
-        return useMemo(() => permissions.map((json2) => app._serverPermissionFromJson(json2)), [permissions]);
+        const recursive = options?.recursive ?? true;
+        const permissions = useAsyncCache(app._serverTeamUserPermissionsCache, [scope.id, crud.id, recursive], "user.usePermissions()");
+        return useMemo(() => permissions.map((crud2) => app._serverPermissionFromCrud(crud2)), [permissions]);
       },
       async getPermission(scope, permissionId) {
         const permissions = await this.listPermissions(scope);
@@ -1132,26 +1068,25 @@ var _StackServerAppImpl = class extends _StackClientAppImpl {
         return await this.getPermission(scope, permissionId) !== null;
       },
       async grantPermission(scope, permissionId) {
-        await app._interface.grantServerTeamUserPermission(scope.id, json.id, permissionId, "team");
-        for (const direct of [true, false]) {
-          await app._serverTeamUserPermissionsCache.refresh([scope.id, json.id, "team", direct]);
+        await app._interface.grantServerTeamUserPermission(scope.id, crud.id, permissionId);
+        for (const recursive of [true, false]) {
+          await app._serverTeamUserPermissionsCache.refresh([scope.id, crud.id, recursive]);
         }
       },
       async revokePermission(scope, permissionId) {
-        await app._interface.revokeServerTeamUserPermission(scope.id, json.id, permissionId, "team");
-        for (const direct of [true, false]) {
-          await app._serverTeamUserPermissionsCache.refresh([scope.id, json.id, "team", direct]);
+        await app._interface.revokeServerTeamUserPermission(scope.id, crud.id, permissionId);
+        for (const recursive of [true, false]) {
+          await app._serverTeamUserPermissionsCache.refresh([scope.id, crud.id, recursive]);
         }
       },
       async delete() {
-        const res = await app._interface.deleteServerServerUser(json.id);
+        const res = await app._interface.deleteServerServerUser(crud.id);
         await app._refreshUsers();
         return res;
       },
       async update(update) {
-        const res = await app._interface.setServerUserCustomizableData(json.id, update);
+        const res = await app._interface.updateServerUser(crud.id, serverUserUpdateOptionsToCrud(update));
         await app._refreshUsers();
-        return res;
       },
       async sendVerificationEmail() {
         return await app._checkFeatureSupport("sendVerificationEmail() on ServerUser", {});
@@ -1161,76 +1096,65 @@ var _StackServerAppImpl = class extends _StackClientAppImpl {
       }
     };
   }
-  _createUser(json) {
+  _serverUserFromCrud(crud) {
     return {
-      ...this._createBaseUser(json),
-      ...this._createUserExtra(json)
+      ...this._createBaseUser(crud),
+      ...this._createCurrentUserExtra(crud)
     };
   }
-  _createCurrentUser(json, session) {
+  _currentUserFromCrud(crud, session) {
     const app = this;
     const currentUser = {
-      ...this._createUser(json),
+      ...this._serverUserFromCrud(crud),
       ...this._createAuth(session),
       ...this._isInternalProject() ? this._createInternalUserExtra(session) : {}
     };
     Object.freeze(currentUser);
     return currentUser;
   }
-  _serverTeamMemberFromJson(json) {
-    if (json === null) return null;
-    const app = this;
-    return {
-      ...app._teamMemberFromJson(json),
-      user: app._createUser(json.user)
-    };
-  }
-  _serverTeamFromJson(json) {
+  _serverTeamFromCrud(crud) {
     const app = this;
     return {
-      id: json.id,
-      displayName: json.displayName,
-      profileImageUrl: json.profileImageUrl,
-      createdAt: new Date(json.createdAtMillis),
-      async listMembers() {
-        return (await app._interface.listServerTeamMembers(json.id)).map((u) => app._serverTeamMemberFromJson(u));
+      id: crud.id,
+      displayName: crud.display_name,
+      profileImageUrl: crud.profile_image_url,
+      createdAt: new Date(crud.created_at_millis),
+      async listUsers() {
+        return (await app._interface.listServerTeamUsers(crud.id)).map((u) => app._serverUserFromCrud(u));
       },
       async update(update) {
-        await app._interface.updateServerTeam(json.id, update);
+        await app._interface.updateServerTeam(crud.id, serverTeamUpdateOptionsToCrud(update));
         await app._serverTeamsCache.refresh([]);
       },
       async delete() {
-        await app._interface.deleteServerTeam(json.id);
+        await app._interface.deleteServerTeam(crud.id);
         await app._serverTeamsCache.refresh([]);
       },
-      useMembers() {
-        const result = useAsyncCache(app._serverTeamMembersCache, [json.id], "team.useUsers()");
-        return useMemo(() => result.map((u) => app._serverTeamMemberFromJson(u)), [result]);
+      useUsers() {
+        const result = useAsyncCache(app._serverTeamUsersCache, [crud.id], "team.useUsers()");
+        return useMemo(() => result.map((u) => app._serverUserFromCrud(u)), [result]);
       },
       async addUser(userId) {
         await app._interface.addServerUserToTeam({
-          teamId: json.id,
+          teamId: crud.id,
           userId
         });
-        await app._serverTeamMembersCache.refresh([json.id]);
+        await app._serverTeamUsersCache.refresh([crud.id]);
       },
       async removeUser(userId) {
         await app._interface.removeServerUserFromTeam({
-          teamId: json.id,
+          teamId: crud.id,
           userId
         });
-        await app._serverTeamMembersCache.refresh([json.id]);
-      },
-      toJson() {
-        return json;
+        await app._serverTeamUsersCache.refresh([crud.id]);
       }
     };
   }
   async getUser(options) {
     this._ensurePersistentTokenStore(options?.tokenStore);
     const session = this._getSession(options?.tokenStore);
-    const userJson = await this._currentServerUserCache.getOrWait([session], "write-only");
-    if (userJson === null) {
+    const crud = await this._currentServerUserCache.getOrWait([session], "write-only");
+    if (crud === null) {
       switch (options?.or) {
         case "redirect": {
           await this.redirectToSignIn();
@@ -1244,22 +1168,22 @@ var _StackServerAppImpl = class extends _StackClientAppImpl {
         }
       }
     }
-    return userJson && this._createCurrentUser(userJson, session);
+    return crud && this._currentUserFromCrud(crud, session);
   }
   async getServerUser() {
     console.warn("stackServerApp.getServerUser is deprecated; use stackServerApp.getUser instead");
     return await this.getUser();
   }
   async getServerUserById(userId) {
-    const json = await this._serverUserCache.getOrWait([userId], "write-only");
-    return json && this._createUser(json);
+    const crud = await this._serverUserCache.getOrWait([userId], "write-only");
+    return crud && this._serverUserFromCrud(crud);
   }
   useUser(options) {
     this._ensurePersistentTokenStore(options?.tokenStore);
     const router = NextNavigation.useRouter();
     const session = this._getSession(options?.tokenStore);
-    const userJson = useAsyncCache(this._currentServerUserCache, [session], "useUser()");
-    if (userJson === null) {
+    const crud = useAsyncCache(this._currentServerUserCache, [session], "useUser()");
+    if (crud === null) {
       switch (options?.or) {
         case "redirect": {
           setTimeout(() => router.replace(this.urls.signIn), 0);
@@ -1275,65 +1199,50 @@ var _StackServerAppImpl = class extends _StackClientAppImpl {
       }
     }
     return useMemo(() => {
-      return userJson && this._createCurrentUser(userJson, session);
-    }, [userJson, session, options?.or]);
+      return crud && this._currentUserFromCrud(crud, session);
+    }, [crud, session, options?.or]);
   }
   useUserById(userId) {
-    const json = useAsyncCache(this._serverUserCache, [userId], "useUserById()");
+    const crud = useAsyncCache(this._serverUserCache, [userId], "useUserById()");
     return useMemo(() => {
-      return json && this._createUser(json);
-    }, [json]);
+      return crud && this._serverUserFromCrud(crud);
+    }, [crud]);
   }
   async listUsers() {
-    const json = await this._serverUsersCache.getOrWait([], "write-only");
-    return json.map((j) => this._createUser(j));
+    const crud = await this._serverUsersCache.getOrWait([], "write-only");
+    return crud.map((j) => this._serverUserFromCrud(j));
   }
   useUsers() {
-    const json = useAsyncCache(this._serverUsersCache, [], "useServerUsers()");
+    const crud = useAsyncCache(this._serverUsersCache, [], "useServerUsers()");
     return useMemo(() => {
-      return json.map((j) => this._createUser(j));
-    }, [json]);
-  }
-  async listPermissionDefinitions() {
-    return await this._serverTeamPermissionDefinitionsCache.getOrWait([], "write-only");
+      return crud.map((j) => this._serverUserFromCrud(j));
+    }, [crud]);
   }
-  usePermissionDefinitions() {
-    return useAsyncCache(this._serverTeamPermissionDefinitionsCache, [], "usePermissions()");
-  }
-  _serverPermissionFromJson(json) {
+  _serverPermissionFromCrud(crud) {
     return {
-      ...this._permissionFromJson(json),
-      __databaseUniqueId: json.__databaseUniqueId,
-      description: json.description,
-      containPermissionIds: json.containPermissionIds
+      id: crud.id
     };
   }
-  async createPermissionDefinition(data) {
-    const permission = this._serverPermissionFromJson(await this._interface.createPermissionDefinition(data));
-    await this._serverTeamPermissionDefinitionsCache.refresh([]);
-    return permission;
-  }
-  async updatePermissionDefinition(permissionId, data) {
-    await this._interface.updatePermissionDefinition(permissionId, data);
-    await this._serverTeamPermissionDefinitionsCache.refresh([]);
-  }
-  async deletePermissionDefinition(permissionId) {
-    await this._interface.deletePermissionDefinition(permissionId);
-    await this._serverTeamPermissionDefinitionsCache.refresh([]);
+  _serverTeamPermissionDefinitionFromCrud(crud) {
+    return {
+      id: crud.id,
+      description: crud.description,
+      containedPermissionIds: crud.contained_permission_ids
+    };
   }
   async listTeams() {
     const teams = await this._serverTeamsCache.getOrWait([], "write-only");
-    return teams.map((t) => this._serverTeamFromJson(t));
+    return teams.map((t) => this._serverTeamFromCrud(t));
   }
   async createTeam(data) {
-    const team = await this._interface.createServerTeam(data);
+    const team = await this._interface.createServerTeam(serverTeamCreateOptionsToCrud(data));
     await this._serverTeamsCache.refresh([]);
-    return this._serverTeamFromJson(team);
+    return this._serverTeamFromCrud(team);
   }
   useTeams() {
     const teams = useAsyncCache(this._serverTeamsCache, [], "useServerTeams()");
     return useMemo(() => {
-      return teams.map((t) => this._serverTeamFromJson(t));
+      return teams.map((t) => this._serverTeamFromCrud(t));
     }, [teams]);
   }
   async getTeam(teamId) {
@@ -1358,28 +1267,8 @@ var _StackServerAppImpl = class extends _StackClientAppImpl {
       this._serverUsersCache.refresh([])
     ]);
   }
-  useEmailTemplates() {
-    return useAsyncCache(this._serverEmailTemplatesCache, [], "useEmailTemplates()");
-  }
-  async listEmailTemplates() {
-    return await this._serverEmailTemplatesCache.getOrWait([], "write-only");
-  }
-  async updateEmailTemplate(type, data) {
-    await this._interface.updateEmailTemplate(type, data);
-    await this._serverEmailTemplatesCache.refresh([]);
-  }
-  async resetEmailTemplate(type) {
-    await this._interface.resetEmailTemplate(type);
-    await this._serverEmailTemplatesCache.refresh([]);
-  }
 };
 var _StackAdminAppImpl = class extends _StackServerAppImpl {
-  _adminProjectCache = createCache(async () => {
-    return await this._interface.getProject();
-  });
-  _apiKeySetsCache = createCache(async () => {
-    return await this._interface.listApiKeySets();
-  });
   constructor(options) {
     super({
       interface: new StackAdminInterface({
@@ -1398,15 +1287,117 @@ var _StackAdminAppImpl = class extends _StackServerAppImpl {
       urls: options.urls,
       oauthScopesOnSignIn: options.oauthScopesOnSignIn
     });
+    this._adminProjectCache = createCache(async () => {
+      return await this._interface.getProject();
+    });
+    this._apiKeysCache = createCache(async () => {
+      return await this._interface.listApiKeys();
+    });
+    this._adminEmailTemplatesCache = createCache(async () => {
+      return await this._interface.listEmailTemplates();
+    });
+    this._adminTeamPermissionDefinitionsCache = createCache(async () => {
+      return await this._interface.listPermissionDefinitions();
+    });
   }
-  _createApiKeySetBaseFromJson(data) {
+  _adminOwnedProjectFromCrud(data, onRefresh) {
+    if (this._tokenStoreInit !== null) {
+      throw new StackAssertionError("Owned apps must always have tokenStore === null \u2014 did you not create this project with app._createOwnedApp()?");
+      ;
+    }
+    return {
+      ...this._adminProjectFromCrud(data, onRefresh),
+      app: this
+    };
+  }
+  _adminProjectFromCrud(data, onRefresh) {
+    if (data.id !== this.projectId) {
+      throw new StackAssertionError(`The project ID of the provided project JSON (${data.id}) does not match the project ID of the app (${this.projectId})!`);
+    }
     const app = this;
     return {
       id: data.id,
+      displayName: data.display_name,
       description: data.description,
-      expiresAt: new Date(data.expiresAtMillis),
-      manuallyRevokedAt: data.manuallyRevokedAtMillis ? new Date(data.manuallyRevokedAtMillis) : null,
-      createdAt: new Date(data.createdAtMillis),
+      createdAt: new Date(data.created_at_millis),
+      userCount: data.user_count,
+      isProductionMode: data.is_production_mode,
+      config: {
+        id: data.config.id,
+        credentialEnabled: data.config.credential_enabled,
+        magicLinkEnabled: data.config.magic_link_enabled,
+        allowLocalhost: data.config.allow_localhost,
+        oauthProviders: data.config.oauth_providers.map((p) => p.type === "shared" ? {
+          id: p.id,
+          enabled: p.enabled,
+          type: "shared"
+        } : {
+          id: p.id,
+          enabled: p.enabled,
+          type: "standard",
+          clientId: p.client_id ?? throwErr("Client ID is missing"),
+          clientSecret: p.client_secret ?? throwErr("Client secret is missing")
+        }),
+        emailConfig: data.config.email_config.type === "shared" ? {
+          type: "shared"
+        } : {
+          type: "standard",
+          host: data.config.email_config.host ?? throwErr("Email host is missing"),
+          port: data.config.email_config.port ?? throwErr("Email port is missing"),
+          username: data.config.email_config.username ?? throwErr("Email username is missing"),
+          password: data.config.email_config.password ?? throwErr("Email password is missing"),
+          senderName: data.config.email_config.sender_name ?? throwErr("Email sender name is missing"),
+          senderEmail: data.config.email_config.sender_email ?? throwErr("Email sender email is missing")
+        },
+        domains: data.config.domains.map((d) => ({
+          domain: d.domain,
+          handlerPath: d.handler_path
+        })),
+        createTeamOnSignUp: data.config.create_team_on_sign_up,
+        teamCreatorDefaultPermissions: data.config.team_creator_default_permissions,
+        teamMemberDefaultPermissions: data.config.team_member_default_permissions
+      },
+      async update(update) {
+        await app._interface.updateProject(adminProjectUpdateOptionsToCrud(update));
+        await onRefresh();
+      },
+      async getProductionModeErrors() {
+        return getProductionModeErrors(data);
+      },
+      useProductionModeErrors() {
+        return getProductionModeErrors(data);
+      }
+    };
+  }
+  _adminEmailTemplateFromCrud(data) {
+    return {
+      type: data.type,
+      subject: data.subject,
+      content: data.content,
+      isDefault: data.is_default
+    };
+  }
+  async getProject() {
+    return this._adminProjectFromCrud(
+      await this._adminProjectCache.getOrWait([], "write-only"),
+      () => this._refreshProject()
+    );
+  }
+  useProject() {
+    const crud = useAsyncCache(this._adminProjectCache, [], "useProjectAdmin()");
+    return useMemo(() => this._adminProjectFromCrud(
+      crud,
+      () => this._refreshProject()
+    ), [crud]);
+  }
+  _createApiKeyBaseFromCrud(data) {
+    const app = this;
+    return {
+      id: data.id,
+      description: data.description,
+      expiresAt: new Date(data.expires_at_millis),
+      manuallyRevokedAt: data.manually_revoked_at_millis ? new Date(data.manually_revoked_at_millis) : null,
+      createdAt: new Date(data.created_at_millis),
       isValid() {
         return this.whyInvalid() === null;
       },
@@ -1416,57 +1407,83 @@ var _StackAdminAppImpl = class extends _StackServerAppImpl {
         return null;
       },
       async revoke() {
-        const res = await app._interface.revokeApiKeySetById(data.id);
-        await app._refreshApiKeySets();
+        const res = await app._interface.revokeApiKeyById(data.id);
+        await app._refreshApiKeys();
         return res;
       }
     };
   }
-  _createApiKeySetFromJson(data) {
+  _createApiKeyFromCrud(data) {
     return {
-      ...this._createApiKeySetBaseFromJson(data),
-      publishableClientKey: data.publishableClientKey ? { lastFour: data.publishableClientKey.lastFour } : null,
-      secretServerKey: data.secretServerKey ? { lastFour: data.secretServerKey.lastFour } : null,
-      superSecretAdminKey: data.superSecretAdminKey ? { lastFour: data.superSecretAdminKey.lastFour } : null
+      ...this._createApiKeyBaseFromCrud(data),
+      publishableClientKey: data.publishable_client_key ? { lastFour: data.publishable_client_key.last_four } : null,
+      secretServerKey: data.secret_server_key ? { lastFour: data.secret_server_key.last_four } : null,
+      superSecretAdminKey: data.super_secret_admin_key ? { lastFour: data.super_secret_admin_key.last_four } : null
     };
   }
-  _createApiKeySetFirstViewFromJson(data) {
+  _createApiKeyFirstViewFromCrud(data) {
     return {
-      ...this._createApiKeySetBaseFromJson(data),
-      publishableClientKey: data.publishableClientKey,
-      secretServerKey: data.secretServerKey,
-      superSecretAdminKey: data.superSecretAdminKey
+      ...this._createApiKeyBaseFromCrud(data),
+      publishableClientKey: data.publishable_client_key,
+      secretServerKey: data.secret_server_key,
+      superSecretAdminKey: data.super_secret_admin_key
     };
   }
-  async getProjectAdmin() {
-    return this._projectAdminFromJson(
-      await this._adminProjectCache.getOrWait([], "write-only"),
-      this._interface,
-      () => this._refreshProject()
-    );
+  async listApiKeys() {
+    const crud = await this._apiKeysCache.getOrWait([], "write-only");
+    return crud.map((j) => this._createApiKeyFromCrud(j));
   }
-  useProjectAdmin() {
-    const json = useAsyncCache(this._adminProjectCache, [], "useProjectAdmin()");
-    return useMemo(() => this._projectAdminFromJson(
-      json,
-      this._interface,
-      () => this._refreshProject()
-    ), [json]);
+  useApiKeys() {
+    const crud = useAsyncCache(this._apiKeysCache, [], "useApiKeys()");
+    return useMemo(() => {
+      return crud.map((j) => this._createApiKeyFromCrud(j));
+    }, [crud]);
   }
-  async listApiKeySets() {
-    const json = await this._apiKeySetsCache.getOrWait([], "write-only");
-    return json.map((j) => this._createApiKeySetFromJson(j));
+  async createApiKey(options) {
+    const crud = await this._interface.createApiKey(apiKeyCreateOptionsToCrud(options));
+    await this._refreshApiKeys();
+    return this._createApiKeyFirstViewFromCrud(crud);
   }
-  useApiKeySets() {
-    const json = useAsyncCache(this._apiKeySetsCache, [], "useApiKeySets()");
+  useEmailTemplates() {
+    const crud = useAsyncCache(this._adminEmailTemplatesCache, [], "useEmailTemplates()");
     return useMemo(() => {
-      return json.map((j) => this._createApiKeySetFromJson(j));
-    }, [json]);
+      return crud.map((j) => this._adminEmailTemplateFromCrud(j));
+    }, [crud]);
   }
-  async createApiKeySet(options) {
-    const json = await this._interface.createApiKeySet(options);
-    await this._refreshApiKeySets();
-    return this._createApiKeySetFirstViewFromJson(json);
+  async listEmailTemplates() {
+    const crud = await this._adminEmailTemplatesCache.getOrWait([], "write-only");
+    return crud.map((j) => this._adminEmailTemplateFromCrud(j));
+  }
+  async updateEmailTemplate(type, data) {
+    await this._interface.updateEmailTemplate(type, adminEmailTemplateUpdateOptionsToCrud(data));
+    await this._adminEmailTemplatesCache.refresh([]);
+  }
+  async resetEmailTemplate(type) {
+    await this._interface.resetEmailTemplate(type);
+    await this._adminEmailTemplatesCache.refresh([]);
+  }
+  async createTeamPermissionDefinition(data) {
+    const crud = await this._interface.createPermissionDefinition(serverTeamPermissionDefinitionCreateOptionsToCrud(data));
+    await this._adminTeamPermissionDefinitionsCache.refresh([]);
+    return this._serverTeamPermissionDefinitionFromCrud(crud);
+  }
+  async updateTeamPermissionDefinition(permissionId, data) {
+    await this._interface.updatePermissionDefinition(permissionId, data);
+    await this._adminTeamPermissionDefinitionsCache.refresh([]);
+  }
+  async deleteTeamPermissionDefinition(permissionId) {
+    await this._interface.deletePermissionDefinition(permissionId);
+    await this._adminTeamPermissionDefinitionsCache.refresh([]);
+  }
+  async listTeamPermissionDefinitions() {
+    const crud = await this._adminTeamPermissionDefinitionsCache.getOrWait([], "write-only");
+    return crud.map((p) => this._serverTeamPermissionDefinitionFromCrud(p));
+  }
+  useTeamPermissionDefinitions() {
+    const crud = useAsyncCache(this._adminTeamPermissionDefinitionsCache, [], "usePermissions()");
+    return useMemo(() => {
+      return crud.map((p) => this._serverTeamPermissionDefinitionFromCrud(p));
+    }, [crud]);
   }
   async _refreshProject() {
     await Promise.all([
@@ -1474,17 +1491,125 @@ var _StackAdminAppImpl = class extends _StackServerAppImpl {
       this._adminProjectCache.refresh([])
     ]);
   }
-  async _refreshApiKeySets() {
-    await this._apiKeySetsCache.refresh([]);
+  async _refreshApiKeys() {
+    await this._apiKeysCache.refresh([]);
   }
 };
+function userUpdateOptionsToCrud(options) {
+  return {
+    display_name: options.displayName,
+    client_metadata: options.clientMetadata,
+    selected_team_id: options.selectedTeamId
+  };
+}
+function serverUserUpdateOptionsToCrud(options) {
+  return {
+    display_name: options.displayName,
+    client_metadata: options.clientMetadata,
+    selected_team_id: options.selectedTeamId,
+    primary_email: options.primaryEmail,
+    primary_email_verified: options.primaryEmailVerified,
+    server_metadata: options.serverMetadata
+  };
+}
+function adminProjectUpdateOptionsToCrud(options) {
+  return {
+    display_name: options.displayName,
+    description: options.description,
+    is_production_mode: options.isProductionMode,
+    config: {
+      domains: options.config?.domains?.map((d) => ({
+        domain: d.domain,
+        handler_path: d.handlerPath
+      })),
+      oauth_providers: options.config?.oauthProviders?.map((p) => ({
+        id: p.id,
+        enabled: p.enabled,
+        type: p.type,
+        ...p.type === "standard" && {
+          client_id: p.clientId,
+          client_secret: p.clientSecret
+        }
+      })),
+      email_config: options.config?.emailConfig && (options.config.emailConfig.type === "shared" ? {
+        type: "shared"
+      } : {
+        type: "standard",
+        host: options.config.emailConfig.host,
+        port: options.config.emailConfig.port,
+        username: options.config.emailConfig.username,
+        password: options.config.emailConfig.password,
+        sender_name: options.config.emailConfig.senderName,
+        sender_email: options.config.emailConfig.senderEmail
+      }),
+      credential_enabled: options.config?.credentialEnabled,
+      magic_link_enabled: options.config?.magicLinkEnabled,
+      allow_localhost: options.config?.allowLocalhost,
+      create_team_on_sign_up: options.config?.createTeamOnSignUp,
+      team_creator_default_permissions: options.config?.teamCreatorDefaultPermissions,
+      team_member_default_permissions: options.config?.teamMemberDefaultPermissions
+    }
+  };
+}
+function adminProjectCreateOptionsToCrud(options) {
+  return {
+    ...adminProjectUpdateOptionsToCrud(options),
+    display_name: options.displayName
+  };
+}
+function apiKeyCreateOptionsToCrud(options) {
+  return {
+    description: options.description,
+    expires_at_millis: options.expiresAt.getTime(),
+    has_publishable_client_key: options.hasPublishableClientKey,
+    has_secret_server_key: options.hasSecretServerKey,
+    has_super_secret_admin_key: options.hasSuperSecretAdminKey
+  };
+}
+function teamCreateOptionsToCrud(options) {
+  return {
+    display_name: options.displayName,
+    profile_image_url: options.profileImageUrl
+  };
+}
+function serverTeamCreateOptionsToCrud(options) {
+  return teamCreateOptionsToCrud(options);
+}
+function serverTeamUpdateOptionsToCrud(options) {
+  return {
+    display_name: options.displayName,
+    profile_image_url: options.profileImageUrl
+  };
+}
+function serverTeamPermissionDefinitionCreateOptionsToCrud(options) {
+  return {
+    id: options.id,
+    description: options.description,
+    contained_permission_ids: options.containedPermissionIds
+  };
+}
+function serverTeamPermissionDefinitionUpdateOptionsToCrud(options) {
+  return {
+    id: options.id,
+    description: options.description,
+    contained_permission_ids: options.containedPermissionIds
+  };
+}
 var StackClientApp = _StackClientAppImpl;
 var StackServerApp = _StackServerAppImpl;
 var StackAdminApp = _StackAdminAppImpl;
+function adminEmailTemplateUpdateOptionsToCrud(options) {
+  return {
+    subject: options.subject,
+    content: options.content
+  };
+}
 export {
   StackAdminApp,
   StackClientApp,
   StackServerApp,
+  serverTeamPermissionDefinitionCreateOptionsToCrud,
+  serverTeamPermissionDefinitionUpdateOptionsToCrud,
   stackAppInternalsSymbol
 };
 //# sourceMappingURL=stack-app.js.map