@tailor-platform/sdk 1.33.2 → 1.34.0

package/dist/utils/test/index.d.mts

@@ -1,6 +1,6 @@
 /// <reference types="@tailor-platform/function-types" />
-import { H as TailorDBType, nt as TailorField } from "../../plugin-DQqzlulP.mjs";
-import { et as WORKFLOW_TEST_ENV_KEY, n as output } from "../../index-DlivLpTN.mjs";
+import { U as TailorDBType, rt as TailorField } from "../../plugin-D8hKE6rZ.mjs";
+import { et as WORKFLOW_TEST_ENV_KEY, n as output } from "../../index--9iVDOXn.mjs";
 import { StandardSchemaV1 } from "@standard-schema/spec";
 
 //#region src/utils/test/mock.d.ts

package/dist/{workflow.generated-u9MgzqbM.d.mts → workflow.generated-DMt8PNVd.d.mts}

@@ -1,5 +1,5 @@
 /// <reference types="@tailor-platform/function-types" />
-import { At as BuiltinIdP, S as TailorDBServiceInput, T as AuthConfig } from "./plugin-DQqzlulP.mjs";
+import { Pt as BuiltinIdP, S as TailorDBServiceInput, T as AuthConfig } from "./plugin-D8hKE6rZ.mjs";
 
 //#region src/types/idp.generated.d.ts
 /**
@@ -203,4 +203,4 @@ type RetryPolicy = {
 };
 //#endregion
 export { IdPEmailConfig as _, ResolverExternalConfig as a, IdPInput as b, WorkflowServiceConfig as c, defineStaticWebSite as d, SecretsConfig as f, IdpDefinitionBrand as g, IdPExternalConfig as h, ExecutorServiceInput as i, WorkflowServiceInput as l, IdPConfig as m, AppConfig as n, ResolverServiceConfig as o, defineSecretManager as p, ExecutorServiceConfig as r, ResolverServiceInput as s, RetryPolicy as t, StaticWebsiteConfig as u, IdPGqlOperations as v, IdPGqlOperationsInput as y };
-//# sourceMappingURL=workflow.generated-u9MgzqbM.d.mts.map
+//# sourceMappingURL=workflow.generated-DMt8PNVd.d.mts.map

package/docs/cli/auth.md

@@ -1,6 +1,167 @@
 # Auth Resource Commands
 
-Commands for managing Auth service resources (machine users and OAuth2 clients).
+Commands for managing Auth service resources (auth connections, machine users, and OAuth2 clients).
+
+<!-- politty:command:authconnection:heading:start -->
+
+## authconnection
+
+<!-- politty:command:authconnection:heading:end -->
+
+<!-- politty:command:authconnection:description:start -->
+
+Manage auth connections.
+
+<!-- politty:command:authconnection:description:end -->
+
+<!-- politty:command:authconnection:usage:start -->
+
+**Usage**
+
+```
+tailor-sdk authconnection [command]
+```
+
+<!-- politty:command:authconnection:usage:end -->
+
+<!-- politty:command:authconnection:subcommands:start -->
+
+**Commands**
+
+| Command                                                 | Description                                   |
+| ------------------------------------------------------- | --------------------------------------------- |
+| [`authconnection authorize`](#authconnection-authorize) | Authorize an auth connection via OAuth2 flow. |
+| [`authconnection list`](#authconnection-list)           | List all auth connections.                    |
+| [`authconnection revoke`](#authconnection-revoke)       | Revoke an auth connection.                    |
+
+<!-- politty:command:authconnection:subcommands:end -->
+
+<!-- politty:command:authconnection:global-options-link:start -->
+
+See [Global Options](../cli-reference.md#global-options) for options available to all commands.
+
+<!-- politty:command:authconnection:global-options-link:end -->
+<!-- politty:command:authconnection authorize:heading:start -->
+
+### authconnection authorize
+
+<!-- politty:command:authconnection authorize:heading:end -->
+
+<!-- politty:command:authconnection authorize:description:start -->
+
+Authorize an auth connection via OAuth2 flow.
+
+<!-- politty:command:authconnection authorize:description:end -->
+
+<!-- politty:command:authconnection authorize:usage:start -->
+
+**Usage**
+
+```
+tailor-sdk authconnection authorize [options]
+```
+
+<!-- politty:command:authconnection authorize:usage:end -->
+
+<!-- politty:command:authconnection authorize:options:start -->
+
+**Options**
+
+| Option                          | Alias | Description                                | Required | Default                  | Env                            |
+| ------------------------------- | ----- | ------------------------------------------ | -------- | ------------------------ | ------------------------------ |
+| `--workspace-id <WORKSPACE_ID>` | `-w`  | Workspace ID                               | No       | -                        | `TAILOR_PLATFORM_WORKSPACE_ID` |
+| `--profile <PROFILE>`           | `-p`  | Workspace profile                          | No       | -                        | `TAILOR_PLATFORM_PROFILE`      |
+| `--name <NAME>`                 | `-n`  | Auth connection name                       | Yes      | -                        | -                              |
+| `--scopes <SCOPES>`             | -     | OAuth2 scopes to request (comma-separated) | No       | `"openid,profile,email"` | -                              |
+| `--port <PORT>`                 | -     | Local callback server port                 | No       | `8080`                   | -                              |
+| `--no-browser`                  | -     | Don't open browser automatically           | No       | `false`                  | -                              |
+
+<!-- politty:command:authconnection authorize:options:end -->
+
+<!-- politty:command:authconnection authorize:global-options-link:start -->
+
+See [Global Options](../cli-reference.md#global-options) for options available to all commands.
+
+<!-- politty:command:authconnection authorize:global-options-link:end -->
+
+<!-- politty:command:authconnection list:heading:start -->
+
+### authconnection list
+
+<!-- politty:command:authconnection list:heading:end -->
+
+<!-- politty:command:authconnection list:description:start -->
+
+List all auth connections.
+
+<!-- politty:command:authconnection list:description:end -->
+
+<!-- politty:command:authconnection list:usage:start -->
+
+**Usage**
+
+```
+tailor-sdk authconnection list [options]
+```
+
+<!-- politty:command:authconnection list:usage:end -->
+
+<!-- politty:command:authconnection list:options:start -->
+
+**Options**
+
+| Option                          | Alias | Description       | Required | Default | Env                            |
+| ------------------------------- | ----- | ----------------- | -------- | ------- | ------------------------------ |
+| `--workspace-id <WORKSPACE_ID>` | `-w`  | Workspace ID      | No       | -       | `TAILOR_PLATFORM_WORKSPACE_ID` |
+| `--profile <PROFILE>`           | `-p`  | Workspace profile | No       | -       | `TAILOR_PLATFORM_PROFILE`      |
+
+<!-- politty:command:authconnection list:options:end -->
+
+<!-- politty:command:authconnection list:global-options-link:start -->
+
+See [Global Options](../cli-reference.md#global-options) for options available to all commands.
+
+<!-- politty:command:authconnection list:global-options-link:end -->
+<!-- politty:command:authconnection revoke:heading:start -->
+
+### authconnection revoke
+
+<!-- politty:command:authconnection revoke:heading:end -->
+
+<!-- politty:command:authconnection revoke:description:start -->
+
+Revoke an auth connection.
+
+<!-- politty:command:authconnection revoke:description:end -->
+
+<!-- politty:command:authconnection revoke:usage:start -->
+
+**Usage**
+
+```
+tailor-sdk authconnection revoke [options]
+```
+
+<!-- politty:command:authconnection revoke:usage:end -->
+
+<!-- politty:command:authconnection revoke:options:start -->
+
+**Options**
+
+| Option                          | Alias | Description               | Required | Default | Env                            |
+| ------------------------------- | ----- | ------------------------- | -------- | ------- | ------------------------------ |
+| `--workspace-id <WORKSPACE_ID>` | `-w`  | Workspace ID              | No       | -       | `TAILOR_PLATFORM_WORKSPACE_ID` |
+| `--profile <PROFILE>`           | `-p`  | Workspace profile         | No       | -       | `TAILOR_PLATFORM_PROFILE`      |
+| `--name <NAME>`                 | `-n`  | Auth connection name      | Yes      | -       | -                              |
+| `--yes`                         | `-y`  | Skip confirmation prompts | No       | `false` | -                              |
+
+<!-- politty:command:authconnection revoke:options:end -->
+
+<!-- politty:command:authconnection revoke:global-options-link:start -->
+
+See [Global Options](../cli-reference.md#global-options) for options available to all commands.
+
+<!-- politty:command:authconnection revoke:global-options-link:end -->
 
 <!-- politty:command:machineuser:heading:start -->
 

package/docs/cli-reference.md

@@ -175,12 +175,15 @@ Commands for managing workspaces and profiles.
 
 Commands for managing Auth service resources.
 
-| Command                                              | Description                                              |
-| ---------------------------------------------------- | -------------------------------------------------------- |
-| [machineuser list](./cli/auth.md#machineuser-list)   | List all machine users in the application.               |
-| [machineuser token](./cli/auth.md#machineuser-token) | Get an access token for a machine user.                  |
-| [oauth2client list](./cli/auth.md#oauth2client-list) | List all OAuth2 clients in the application.              |
-| [oauth2client get](./cli/auth.md#oauth2client-get)   | Get OAuth2 client credentials (including client secret). |
+| Command                                                            | Description                                              |
+| ------------------------------------------------------------------ | -------------------------------------------------------- |
+| [authconnection authorize](./cli/auth.md#authconnection-authorize) | Authorize an auth connection via OAuth2 flow.            |
+| [authconnection list](./cli/auth.md#authconnection-list)           | List all auth connections.                               |
+| [authconnection revoke](./cli/auth.md#authconnection-revoke)       | Revoke an auth connection.                               |
+| [machineuser list](./cli/auth.md#machineuser-list)                 | List all machine users in the application.               |
+| [machineuser token](./cli/auth.md#machineuser-token)               | Get an access token for a machine user.                  |
+| [oauth2client list](./cli/auth.md#oauth2client-list)               | List all OAuth2 clients in the application.              |
+| [oauth2client get](./cli/auth.md#oauth2client-get)                 | Get OAuth2 client credentials (including client secret). |
 
 ### [Workflow Commands](./cli/workflow.md)
 

package/docs/services/auth.md

@@ -10,6 +10,7 @@ Auth provides:
 - Machine users for service-to-service authentication
 - OAuth 2.0 client configuration
 - Identity provider integration
+- Auth connections for external OAuth2 provider integration
 
 For the official Tailor Platform documentation, see [Auth Guide](https://docs.tailor.tech/guides/auth/overview).
 
@@ -47,6 +48,15 @@ const auth = defineAuth("my-auth", {
       grantTypes: ["authorization_code", "refresh_token"],
     },
   },
+  connections: {
+    "google-connection": {
+      type: "oauth2",
+      providerUrl: "https://accounts.google.com",
+      issuerUrl: "https://accounts.google.com",
+      clientId: process.env.GOOGLE_CLIENT_ID!,
+      clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
+    },
+  },
   idProvider: idp.provider("my-provider", "my-client"),
 });
 
@@ -341,6 +351,106 @@ idProvider: idp.provider("my-provider", "my-client"),
 
 See [IdP](./idp.md) for configuring identity providers.
 
+## Auth Connections
+
+Auth connections enable OAuth2 authentication with external providers (Google, Microsoft 365, QuickBooks, etc.) for application-to-application flows. Functions can access connection tokens at runtime via `tailor.authconnection.getConnectionToken()`.
+
+For the official Tailor Platform documentation, see [AuthConnection Guide](https://docs.tailor.tech/guides/auth/authconnection).
+
+### Setup Flow
+
+Setting up an auth connection requires two steps:
+
+1. **Create** the connection (registers the OAuth2 provider credentials)
+2. **Authorize** the connection (runs the OAuth2 flow to obtain and store tokens)
+
+Both steps are needed regardless of whether you manage connections via config or CLI.
+
+### Configuration
+
+Define connections in `defineAuth()`:
+
+```typescript
+import { defineAuth } from "@tailor-platform/sdk";
+
+export const auth = defineAuth("my-auth", {
+  // ... other auth config
+  connections: {
+    "google-connection": {
+      type: "oauth2",
+      providerUrl: "https://accounts.google.com",
+      issuerUrl: "https://accounts.google.com",
+      clientId: process.env.GOOGLE_CLIENT_ID!,
+      clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
+    },
+  },
+});
+```
+
+After `tailor-sdk apply`, authorize the connection:
+
+```bash
+tailor-sdk authconnection authorize --name google-connection \
+  --scopes "openid,profile,email"
+```
+
+The authorize command opens a browser for the OAuth2 flow. The authorization code is sent to the platform, which exchanges it for tokens using the client secret registered in the connection config.
+
+### Connection Config Fields
+
+| Field          | Type     | Required | Description                                 |
+| -------------- | -------- | -------- | ------------------------------------------- |
+| `type`         | `string` | Yes      | Connection type. Currently only `"oauth2"`. |
+| `providerUrl`  | `string` | Yes      | OAuth2 provider URL.                        |
+| `issuerUrl`    | `string` | Yes      | OAuth2 issuer URL for JWT validation.       |
+| `clientId`     | `string` | Yes      | OAuth2 client ID.                           |
+| `clientSecret` | `string` | Yes      | OAuth2 client secret.                       |
+| `authUrl`      | `string` | No       | Override for the authorization endpoint.    |
+| `tokenUrl`     | `string` | No       | Override for the token endpoint.            |
+
+### Change Detection
+
+The SDK uses hash-based change detection for connection configs. Only connections whose configuration has changed since the last `apply` are updated (revoked and recreated). Deleting the `.tailor-sdk/` directory forces all connections to be re-sent.
+
+### `auth.getConnectionToken()`
+
+`auth.getConnectionToken()` retrieves connection tokens at runtime by calling `tailor.authconnection.getConnectionToken()` internally. When `connections` is defined in `defineAuth()`, the connection name is type-checked and autocompleted against the defined keys:
+
+```typescript
+import { auth } from "../tailor.config";
+
+// In a resolver, executor, or workflow:
+const tokens = await auth.getConnectionToken("google-connection");
+const response = await fetch("https://www.googleapis.com/...", {
+  headers: { Authorization: `Bearer ${tokens.access_token}` },
+});
+
+// auth.getConnectionToken("unknown"); // Type error — only "google-connection" is allowed
+```
+
+When `connections` is not defined, `getConnectionToken()` accepts any string. This supports connections managed entirely via the CLI.
+
+See [Built-in Interfaces](https://docs.tailor.tech/guides/function/builtin-interfaces.html#auth-connection) for the full runtime API.
+
+### CLI Management
+
+Auth connections can also be managed via the CLI:
+
+```bash
+# Authorize (opens browser for OAuth2 flow)
+tailor-sdk authconnection authorize --name google-connection
+
+# List all connections
+tailor-sdk authconnection list
+
+# Revoke a connection
+tailor-sdk authconnection revoke --name google-connection
+```
+
+Connection creation is handled by `tailor-sdk apply` via the config.
+
+See [Auth Resource Commands](../cli/auth.md) for full CLI documentation.
+
 ## Before Login Hook
 
 Run custom logic before a user logs in. This is useful for JIT (Just-In-Time) user provisioning — automatically creating or updating user records when a user authenticates for the first time.
@@ -379,6 +489,11 @@ export const auth = defineAuth("my-auth", {
 Manage Auth resources using the CLI:
 
 ```bash
+# Auth connections
+tailor-sdk authconnection authorize --name <name>
+tailor-sdk authconnection list
+tailor-sdk authconnection revoke --name <name>
+
 # List machine users
 tailor-sdk machineuser list
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tailor-platform/sdk",
-  "version": "1.33.2",
+  "version": "1.34.0",
   "description": "Tailor Platform SDK - The SDK to work with Tailor Platform",
   "license": "MIT",
   "repository": {