@taruvi/sdk 1.4.1 → 1.4.3

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@taruvi/sdk",
-  "version": "1.4.1",
+  "version": "1.4.3",
   "description": "Taruvi SDK",
   "main": "src/index.ts",
   "type": "module",

package/src/client.ts

@@ -33,11 +33,9 @@ export class Client {
     }
 
     /**
-     * Extracts authentication tokens from URL hash and stores them using TokenClient.
-     * This handles Web UI Flow callback URLs like:
-     * #session_token=xxx&access_token=yyy&refresh_token=zzz&expires_in=172800&token_type=Bearer
-     *
-     * After successful extraction, the URL hash is cleared to prevent token exposure.
+     * Extracts session token from URL hash and stores it using TokenClient.
+     * Handles callback URLs like: #session_token=xxx
+     * After extraction, the URL hash is cleared.
      */
     private extractTokensFromUrl(): void {
         if (typeof window === "undefined" || typeof localStorage === "undefined") {
@@ -51,32 +49,12 @@ export class Client {
 
         const params = new URLSearchParams(hash.substring(1))
         const sessionToken = params.get("session_token")
-        const accessToken = params.get("access_token")
-        const refreshToken = params.get("refresh_token")
-        const expiresIn = params.get("expires_in")
-        const tokenType = params.get("token_type")
 
-        // Only proceed if we have the required tokens
-        if (!accessToken || !refreshToken) {
+        if (!sessionToken) {
             return
         }
 
-        // Store tokens using TokenClient
-        const tokens: AuthTokens = {
-            accessToken,
-            refreshToken,
-            tokenType: tokenType || "Bearer"
-        }
-
-        if (sessionToken) {
-            tokens.sessionToken = sessionToken
-        }
-
-        if (expiresIn) {
-            tokens.expiresIn = parseInt(expiresIn, 10)
-        }
-
-        this._tokenClient.setTokens(tokens)
+        this._tokenClient.setTokens({ sessionToken })
 
         // Clear hash from URL without reloading page
         if (window.history && window.history.replaceState) {

package/src/index.ts

@@ -2,7 +2,7 @@
 export { Client } from "./client.js"
 
 // Export error classes
-export { TaruviError, ValidationError, AuthError, ForbiddenError, NotFoundError, ConflictError, TimeoutError, NetworkError } from "./lib-internal/errors/index.js"
+export { TaruviError, ValidationError, AuthError, ForbiddenError, NotFoundError, ConflictError, TimeoutError, NetworkError, RateLimitError } from "./lib-internal/errors/index.js"
 export { ErrorCode } from "./lib-internal/errors/index.js"
 export type { ErrorResponseBody } from "./lib-internal/errors/index.js"
 

package/src/lib/auth/AuthClient.ts

@@ -5,13 +5,8 @@ import { UserRoutes } from "../../lib-internal/routes/UserRoutes.js";
 
 /**
  * Auth Client - Handles user authentication using Web UI Flow
- * Implements cross-domain authentication with redirect-based token delivery
- *
- * Flow:
- * 1. User calls login() → Redirects to backend /accounts/login/
- * 2. User authenticates on backend
- * 3. Backend redirects back with tokens in URL hash
- * 4. Client extracts and stores tokens automatically
+ * Uses session token for API authentication via X-Session-Token header.
+ * On 401/403, tokens are cleared automatically by HttpClient interceptor.
  */
 export class Auth {
     private client: Client
@@ -22,7 +17,6 @@ export class Auth {
 
     /**
      * Redirect to login page (Web UI Flow)
-     * @param callbackUrl - URL to redirect to after successful login (defaults to current page)
      */
     login(callbackUrl?: string): void {
         if (typeof window === "undefined") {
@@ -33,11 +27,8 @@ export class Auth {
         const config = this.client.getConfig()
         const callback = callbackUrl || window.location.origin + window.location.pathname
         const deskUrl = config.deskUrl || config.apiUrl
-
-        // Redirect to /accounts/login/ with redirect_to parameter
         const loginUrl = `${deskUrl}/accounts/login/?redirect_to=${encodeURIComponent(callback)}`
 
-        // Optional: Store state before redirecting
         if (typeof sessionStorage !== "undefined") {
             sessionStorage.setItem("auth_state", JSON.stringify({
                 returnTo: window.location.pathname,
@@ -50,7 +41,6 @@ export class Auth {
 
     /**
      * Redirect to signup page (Web UI Flow)
-     * @param callbackUrl - URL to redirect to after successful signup (defaults to current page)
      */
     signup(callbackUrl?: string): void {
         if (typeof window === "undefined") {
@@ -60,11 +50,8 @@ export class Auth {
 
         const config = this.client.getConfig()
         const callback = callbackUrl || window.location.origin + window.location.pathname
-
-        // Redirect to /accounts/signup/ with redirect_to parameter
         const signupUrl = `${config.apiUrl}/accounts/signup/?redirect_to=${encodeURIComponent(callback)}`
 
-        // Optional: Store state before redirecting
         if (typeof sessionStorage !== "undefined") {
             sessionStorage.setItem("auth_state", JSON.stringify({
                 returnTo: window.location.pathname,
@@ -77,8 +64,6 @@ export class Auth {
 
     /**
      * Logout user and redirect to logout page
-     * Fetches frontendUrl from site settings for redirect
-     * @param callbackUrl - URL to redirect to after logout (overrides frontendUrl from settings)
      */
     async logout(callbackUrl?: string): Promise<void> {
         if (typeof window === "undefined") {
@@ -86,14 +71,12 @@ export class Auth {
             return
         }
 
-        // Clear tokens immediately
         this.client.tokenClient.clearTokens()
 
         const config = this.client.getConfig()
         const deskUrl = config.deskUrl || config.apiUrl
         let callback: string = callbackUrl || ""
 
-        // If no callback provided, fetch frontendUrl from site settings
         if (!callback) {
             try {
                 const settings = await this.client.httpClient.get<{ frontend_url?: string }>(
@@ -106,93 +89,22 @@ export class Auth {
             }
         }
 
-        // Redirect to /accounts/logout/
         const logoutUrl = `${deskUrl}/accounts/logout/?redirect_to=${encodeURIComponent(callback)}`
-
         window.location.href = logoutUrl
     }
 
     /**
-     * Check if user is authenticated
+     * Check if user is authenticated (has session token)
      */
     isUserAuthenticated(): boolean {
         return this.client.tokenClient.isAuthenticated()
     }
 
     /**
-     * Get the current access token
+     * Get the current session token
      */
-    getAccessToken(): string | null {
-        return this.client.tokenClient.getToken()
-    }
-
-    /**
-     * Get the current refresh token
-     */
-    getRefreshToken(): string | null {
-        return this.client.tokenClient.getRefreshToken()
-    }
-
-    /**
-     * Check if the access token is expired
-     */
-    isTokenExpired(): boolean {
-        return this.client.tokenClient.isTokenExpired()
-    }
-
-    /**
-     * Refresh the access token using the refresh token
-     * ⚠️ IMPORTANT: Taruvi uses refresh token rotation
-     * You will receive BOTH a new access token AND a new refresh token
-     *
-     * @returns Promise with new tokens or null if refresh failed
-     */
-    async refreshAccessToken(): Promise<{ access: string; refresh: string; expires_in: number } | null> {
-        const refreshToken = this.client.tokenClient.getRefreshToken()
-
-        if (!refreshToken) {
-            console.error("No refresh token available")
-            return null
-        }
-
-        try {
-            const config = this.client.getConfig()
-            const response = await fetch(`${config.apiUrl}/api/cloud/auth/jwt/token/refresh/`, {
-                method: "POST",
-                headers: { "Content-Type": "application/json" },
-                body: JSON.stringify({ refresh: refreshToken })
-            })
-
-            if (!response.ok) {
-                throw new Error(`Token refresh failed: ${response.statusText}`)
-            }
-
-            const data = await response.json()
-
-            // Update tokens in storage (both access and refresh due to rotation)
-            this.client.tokenClient.updateAccessToken(data.access, data.expires_in || 172800)
-
-            if (data.refresh) {
-                this.client.tokenClient.updateRefreshToken(data.refresh)
-            }
-
-            return {
-                access: data.access,
-                refresh: data.refresh || refreshToken,
-                expires_in: data.expires_in || 172800
-            }
-        } catch (error) {
-            console.error("Failed to refresh access token:", error)
-
-            // Clear tokens and redirect to login
-            this.client.tokenClient.clearTokens()
-
-            if (typeof window !== "undefined") {
-                this.login()
-            }
-
-            return null
-        }
+    getSessionToken(): string | null {
+        return this.client.tokenClient.getSessionToken()
     }
 
     /**
@@ -211,4 +123,4 @@ export class Auth {
             return null
         }
     }
-}
+}

package/src/lib/database/DatabaseClient.ts

@@ -22,8 +22,9 @@ export class Database<T = Record<string, unknown>> {
     private queryParams: DatabaseFilters | undefined
     private graphParams: GraphQueryParams
     private isEdges: boolean
+    private isUpsert: boolean
 
-    constructor(client: Client, urlParams: UrlParams = {}, operation?: HttpMethod | undefined, body?: object | undefined, queryParams?: DatabaseFilters, graphParams: GraphQueryParams = {}, isEdges: boolean = false) {
+    constructor(client: Client, urlParams: UrlParams = {}, operation?: HttpMethod | undefined, body?: object | undefined, queryParams?: DatabaseFilters, graphParams: GraphQueryParams = {}, isEdges: boolean = false, isUpsert: boolean = false) {
         this.client = client
         this.urlParams = urlParams
         this.operation = operation
@@ -32,6 +33,7 @@ export class Database<T = Record<string, unknown>> {
         this.queryParams = queryParams
         this.graphParams = graphParams
         this.isEdges = isEdges
+        this.isUpsert = isUpsert
     }
 
     from<U = Record<string, unknown>>(dataTables: string): Database<U> {
@@ -135,10 +137,18 @@ export class Database<T = Record<string, unknown>> {
         return new Database<T>(this.client, { ...this.urlParams }, HttpMethod.POST, body as object, this.queryParams, { ...this.graphParams }, this.isEdges)
     }
 
+    upsert(body: Partial<T> | Partial<T>[]): Database<T> {
+        return new Database<T>(this.client, { ...this.urlParams }, HttpMethod.POST, body as object, this.queryParams, { ...this.graphParams }, this.isEdges, true)
+    }
+
     update(body: Partial<T> | EdgeRequest): Database<T> {
         return new Database<T>(this.client, { ...this.urlParams }, HttpMethod.PATCH, body as object, this.queryParams, { ...this.graphParams }, this.isEdges)
     }
 
+    bulkUpdate(body: Partial<T>[]): Database<T> {
+        return new Database<T>(this.client, { ...this.urlParams }, HttpMethod.PATCH, body as object, this.queryParams, { ...this.graphParams }, this.isEdges)
+    }
+
     delete(recordIdOrEdgeIds: string | number[]): Database<T> {
         if (Array.isArray(recordIdOrEdgeIds)) {
             const body: EdgeDeleteRequest = { edge_ids: recordIdOrEdgeIds }
@@ -147,6 +157,17 @@ export class Database<T = Record<string, unknown>> {
         return new Database<T>(this.client, { ...this.urlParams, recordId: recordIdOrEdgeIds }, HttpMethod.DELETE, undefined, this.queryParams, { ...this.graphParams }, this.isEdges)
     }
 
+    bulkDelete(ids: string[]): Database<T> {
+        return new Database<T>(this.client, { ...this.urlParams }, HttpMethod.DELETE, undefined, {
+            ...this.queryParams,
+            ids: ids.join(',')
+        }, { ...this.graphParams }, this.isEdges)
+    }
+
+    deleteFiltered(): Database<T> {
+        return new Database<T>(this.client, { ...this.urlParams }, HttpMethod.DELETE, undefined, this.queryParams, { ...this.graphParams }, this.isEdges)
+    }
+
     async first(): Promise<T | null> {
         const response = await this.execute()
         const data = response.data
@@ -175,6 +196,7 @@ export class Database<T = Record<string, unknown>> {
         const base = DatabaseRoutes.baseUrl(this.config.appSlug) +
             DatabaseRoutes.dataTables(tableName) +
             (this.urlParams.recordId ? DatabaseRoutes.recordId(this.urlParams.recordId) : '') +
+            (this.isUpsert ? DatabaseRoutes.upsert() : '') +
             '/'
 
         // Merge database filters and graph params into one query string
@@ -195,7 +217,7 @@ export class Database<T = Record<string, unknown>> {
                 return await this.client.httpClient.post(url, this.body)
 
             case HttpMethod.PATCH:
-                if (!this.urlParams.recordId) {
+                if (!this.urlParams.recordId && !Array.isArray(this.body)) {
                     throw new Error('PATCH operation requires a record ID.')
                 }
                 return await this.client.httpClient.patch(url, this.body)

package/src/lib-internal/errors/ErrorClient.ts

@@ -63,6 +63,16 @@ export class TimeoutError extends TaruviError {
     }
 }
 
+export class RateLimitError extends TaruviError {
+    public readonly retryAfter: number | undefined
+
+    constructor(message = 'Rate limit exceeded', retryAfter?: number) {
+        super(message, 429, ErrorCode.RATE_LIMITED)
+        this.name = 'RateLimitError'
+        this.retryAfter = retryAfter
+    }
+}
+
 export class NetworkError extends TaruviError {
     constructor(message = 'Network error') {
         super(message, 0, ErrorCode.NETWORK_ERROR)
@@ -94,6 +104,8 @@ export function createErrorFromResponse(statusCode: number, body?: ErrorResponse
             return new NotFoundError(message)
         case 409:
             return new ConflictError(message, detail)
+        case 429:
+            return new RateLimitError(message)
         case 504:
             return new TimeoutError(message)
         default:

package/src/lib-internal/errors/index.ts

@@ -1,3 +1,3 @@
-export { TaruviError, ValidationError, AuthError, ForbiddenError, NotFoundError, ConflictError, TimeoutError, NetworkError, createErrorFromResponse } from './ErrorClient.js'
+export { TaruviError, ValidationError, AuthError, ForbiddenError, NotFoundError, ConflictError, TimeoutError, NetworkError, RateLimitError, createErrorFromResponse } from './ErrorClient.js'
 export { ErrorCode } from './types.js'
 export type { ErrorResponseBody } from './types.js'

package/src/lib-internal/errors/types.ts

@@ -10,6 +10,7 @@ export enum ErrorCode {
     NOT_FOUND = 'NOT_FOUND',
     CONFLICT = 'CONFLICT',
     INTERNAL_ERROR = 'INTERNAL_ERROR',
+    RATE_LIMITED = 'RATE_LIMITED',
     GATEWAY_TIMEOUT = 'GATEWAY_TIMEOUT',
     NETWORK_ERROR = 'NETWORK_ERROR'
 }

package/src/lib-internal/http/HttpClient.ts

@@ -1,40 +1,53 @@
 import type { TaruviConfig } from "../../types.js";
 import type { TokenClient } from "../token/TokenClient.js";
-import axios, { AxiosError } from "axios";
+import axios, { AxiosError, type AxiosInstance, type InternalAxiosRequestConfig } from "axios";
 import { createErrorFromResponse, NetworkError, TaruviError } from "../errors/index.js";
 import type { ErrorResponseBody } from "../errors/index.js";
 
 /**
  * HttpClient handles all HTTP requests to the Taruvi API.
- * Automatically adds authentication headers and converts
- * error responses to typed SDK errors.
+ * Sends session token via X-Session-Token header.
+ * Clears tokens on 401/403 auth failures.
  *
  * @internal
  */
 export class HttpClient {
     private config: TaruviConfig
     private tokenClient: TokenClient
+    private axiosInstance: AxiosInstance
 
     constructor(config: TaruviConfig, tokenClient: TokenClient) {
         this.config = config
         this.tokenClient = tokenClient
+        this.axiosInstance = axios.create({ baseURL: config.apiUrl, withCredentials: true })
+        this.setupInterceptors()
     }
 
-    private getAuthHeaders(isFormData: boolean = false): Record<string, string> {
-        const headers: Record<string, string> = {}
-
-        // Don't set Content-Type for FormData - let axios set it with the boundary
-        if (!isFormData) {
-            headers['Content-Type'] = 'application/json'
-        }
-
-        // Tenant admin session token
-        const jwt = this.tokenClient.getToken()
-        if (jwt) {
-            headers['Authorization'] = `Bearer ${jwt}`
-        }
+    private setupInterceptors(): void {
+        // Request interceptor: attach session token
+        this.axiosInstance.interceptors.request.use((config: InternalAxiosRequestConfig) => {
+            const isFormData = config.data instanceof FormData
+            if (!isFormData) {
+                config.headers['Content-Type'] = 'application/json'
+            }
+            const sessionToken = this.tokenClient.getSessionToken()
+            if (sessionToken) {
+                config.headers['X-Session-Token'] = sessionToken
+            }
+            return config
+        })
 
-        return headers
+        // Response interceptor: clear tokens on auth failure
+        this.axiosInstance.interceptors.response.use(
+            (response) => response,
+            (error: AxiosError) => {
+                const status = error.response?.status
+                if (status === 401 || status === 403) {
+                    this.tokenClient.clearTokens()
+                }
+                return Promise.reject(error)
+            }
+        )
     }
 
     private handleError(error: unknown): never {
@@ -47,19 +60,15 @@ export class HttpClient {
                 const body = error.response.data as ErrorResponseBody | undefined
                 throw createErrorFromResponse(error.response.status, body)
             }
-            // No response — network error
             throw new NetworkError(error.message)
         }
 
-        // Unknown error
         throw error
     }
 
     async get<T>(endpoint: string): Promise<T> {
         try {
-            const { data } = await axios.get<T>(`${this.config.apiUrl}/${endpoint}`, {
-                headers: this.getAuthHeaders()
-            })
+            const { data } = await this.axiosInstance.get<T>(`/${endpoint}`)
             return data
         } catch (error) {
             this.handleError(error)
@@ -68,14 +77,7 @@ export class HttpClient {
 
     async post<T, D = unknown>(endpoint: string, body: D): Promise<T> {
         try {
-            const isFormData = body instanceof FormData
-            const { data } = await axios.post<T>(
-                `${this.config.apiUrl}/${endpoint}`,
-                body,
-                {
-                    headers: this.getAuthHeaders(isFormData)
-                }
-            )
+            const { data } = await this.axiosInstance.post<T>(`/${endpoint}`, body)
             return data
         } catch (error) {
             this.handleError(error)
@@ -84,12 +86,7 @@ export class HttpClient {
 
     async put<T, D = unknown>(endpoint: string, body: D): Promise<T> {
         try {
-            const isFormData = body instanceof FormData
-            const { data } = await axios.put<T>(`${this.config.apiUrl}/${endpoint}`,
-                body,
-                {
-                    headers: this.getAuthHeaders(isFormData)
-                })
+            const { data } = await this.axiosInstance.put<T>(`/${endpoint}`, body)
             return data
         } catch (error) {
             this.handleError(error)
@@ -98,13 +95,7 @@ export class HttpClient {
 
     async delete<T, D = unknown>(endpoint: string, body?: D): Promise<T> {
         try {
-            const { data } = await axios.delete<T>(
-                `${this.config.apiUrl}/${endpoint}`,
-                {
-                    headers: this.getAuthHeaders(),
-                    data: body
-                }
-            )
+            const { data } = await this.axiosInstance.delete<T>(`/${endpoint}`, { data: body })
             return data
         } catch (error) {
             this.handleError(error)
@@ -113,14 +104,7 @@ export class HttpClient {
 
     async patch<T, D = unknown>(endpoint: string, body: D): Promise<T> {
         try {
-            const isFormData = body instanceof FormData
-            const { data } = await axios.patch<T>(
-                `${this.config.apiUrl}/${endpoint}`,
-                body,
-                {
-                    headers: this.getAuthHeaders(isFormData)
-                }
-            )
+            const { data } = await this.axiosInstance.patch<T>(`/${endpoint}`, body)
             return data
         } catch (error) {
             this.handleError(error)

package/src/lib-internal/routes/DatabaseRoutes.ts

@@ -1,7 +1,8 @@
 export const DatabaseRoutes = {
     baseUrl: (appSlug: string) => `api/apps/${appSlug}`,
     dataTables: (tableName: string): string => `/datatables/${tableName}/data`,
-    recordId: (recordId: string): string => `/${recordId}`
+    recordId: (recordId: string): string => `/${recordId}`,
+    upsert: (): string => `/upsert`
 }
 
 type AllRouteKeys = keyof typeof DatabaseRoutes

package/src/lib-internal/token/TokenClient.ts

@@ -1,27 +1,14 @@
 import { getRuntimeEnvironment } from "../../utils/utils.js"
 
 /**
- * Token management interface for Web UI Flow authentication
+ * TokenClient - Manages session token for browser authentication
  */
 export interface AuthTokens {
-    sessionToken?: string | undefined;
-    accessToken: string;
-    refreshToken: string;
-    expiresIn?: number | undefined;
-    expiresAt?: number | undefined;
-    tokenType?: string | undefined;
+    sessionToken: string;
 }
 
-/**
- * TokenClient - Manages authentication tokens for both browser and server environments
- * Implements Web UI Flow token handling as described in Taruvi documentation
- */
 export class TokenClient {
-    private static readonly ACCESS_TOKEN_KEY = 'jwt';
-    private static readonly REFRESH_TOKEN_KEY = 'refresh_token';
     private static readonly SESSION_TOKEN_KEY = 'session_token';
-    private static readonly EXPIRES_AT_KEY = 'token_expires_at';
-    private static readonly TOKEN_TYPE_KEY = 'token_type';
 
     private runTimeEnvironment: string
     private browserRunTime: boolean
@@ -31,179 +18,61 @@ export class TokenClient {
         this.runTimeEnvironment = getRuntimeEnvironment()
         this.browserRunTime = this.runTimeEnvironment == "Browser"
 
-        // For server-side usage, store the token
         if (!this.browserRunTime && token) {
             this.serverToken = token
         }
     }
 
     /**
-     * Get access token (supports both browser and server)
+     * Get session token
      */
-    getToken(): string | null {
+    getSessionToken(): string | null {
         if (this.browserRunTime) {
             if (typeof window === 'undefined' || typeof localStorage === 'undefined') {
                 return null
             }
-            return localStorage.getItem(TokenClient.ACCESS_TOKEN_KEY)
+            return localStorage.getItem(TokenClient.SESSION_TOKEN_KEY)
         }
         return this.serverToken
     }
 
     /**
-     * Set all authentication tokens from Web UI Flow callback
+     * Alias for getSessionToken (used by server-side code)
      */
-    setTokens(tokens: AuthTokens): void {
-        if (!this.browserRunTime) {
-            console.warn('Token storage is only available in browser environment')
-            return
-        }
-
-        if (typeof window === 'undefined' || typeof localStorage === 'undefined') {
-            return
-        }
-
-        try {
-            // Store access token
-            localStorage.setItem(TokenClient.ACCESS_TOKEN_KEY, tokens.accessToken)
-
-            // Store refresh token
-            localStorage.setItem(TokenClient.REFRESH_TOKEN_KEY, tokens.refreshToken)
-
-            // Store session token if provided
-            if (tokens.sessionToken) {
-                localStorage.setItem(TokenClient.SESSION_TOKEN_KEY, tokens.sessionToken)
-            }
-
-            // Calculate and store expiration time
-            if (tokens.expiresIn) {
-                const expiresAt = Date.now() + (tokens.expiresIn * 1000)
-                localStorage.setItem(TokenClient.EXPIRES_AT_KEY, expiresAt.toString())
-            } else if (tokens.expiresAt) {
-                localStorage.setItem(TokenClient.EXPIRES_AT_KEY, tokens.expiresAt.toString())
-            }
-
-            // Store token type
-            if (tokens.tokenType) {
-                localStorage.setItem(TokenClient.TOKEN_TYPE_KEY, tokens.tokenType)
-            }
-        } catch (err) {
-            console.error('Failed to store authentication tokens:', err)
-        }
+    getToken(): string | null {
+        return this.getSessionToken()
     }
 
     /**
-     * Get all stored tokens
+     * Store session token
      */
-    getTokens(): AuthTokens | null {
+    setTokens(tokens: AuthTokens): void {
         if (!this.browserRunTime) {
-            return null
+            console.warn('Token storage is only available in browser environment')
+            return
         }
 
         if (typeof window === 'undefined' || typeof localStorage === 'undefined') {
-            return null
+            return
         }
 
         try {
-            const accessToken = localStorage.getItem(TokenClient.ACCESS_TOKEN_KEY)
-            const refreshToken = localStorage.getItem(TokenClient.REFRESH_TOKEN_KEY)
-            const sessionToken = localStorage.getItem(TokenClient.SESSION_TOKEN_KEY)
-            const expiresAt = localStorage.getItem(TokenClient.EXPIRES_AT_KEY)
-            const tokenType = localStorage.getItem(TokenClient.TOKEN_TYPE_KEY)
-
-            if (!accessToken || !refreshToken) {
-                return null
-            }
-
-            const tokens: AuthTokens = {
-                accessToken,
-                refreshToken,
-                tokenType: tokenType || 'Bearer',
-            }
-
-            if (sessionToken) {
-                tokens.sessionToken = sessionToken
-            }
-
-            if (expiresAt) {
-                tokens.expiresIn = Math.floor((parseInt(expiresAt) - Date.now()) / 1000)
-                tokens.expiresAt = parseInt(expiresAt)
-            }
-
-            return tokens
+            localStorage.setItem(TokenClient.SESSION_TOKEN_KEY, tokens.sessionToken)
         } catch (err) {
-            console.error('Failed to retrieve authentication tokens:', err)
-            return null
-        }
-    }
-
-    /**
-     * Get refresh token
-     */
-    getRefreshToken(): string | null {
-        if (!this.browserRunTime) {
-            return null
-        }
-
-        if (typeof window === 'undefined' || typeof localStorage === 'undefined') {
-            return null
-        }
-
-        return localStorage.getItem(TokenClient.REFRESH_TOKEN_KEY)
-    }
-
-    /**
-     * Get session token
-     */
-    getSessionToken(): string | null {
-        if (!this.browserRunTime) {
-            return null
-        }
-
-        if (typeof window === 'undefined' || typeof localStorage === 'undefined') {
-            return null
+            console.error('Failed to store session token:', err)
         }
-
-        return localStorage.getItem(TokenClient.SESSION_TOKEN_KEY)
-    }
-
-    /**
-     * Check if user is authenticated (has valid access token)
-     */
-    isAuthenticated(): boolean {
-        return !!this.getToken()
     }
 
     /**
-     * Check if access token is expired
-     */
-    isTokenExpired(): boolean {
-        if (!this.browserRunTime) {
-            return true
-        }
-
-        if (typeof window === 'undefined' || typeof localStorage === 'undefined') {
-            return true
-        }
-
-        const expiresAt = localStorage.getItem(TokenClient.EXPIRES_AT_KEY)
-        if (!expiresAt) {
-            return true
-        }
-
-        return parseInt(expiresAt) < Date.now()
-    }
-
-    /**
-     * Set access token directly (e.g., from external storage)
+     * Set session token directly
      */
     setAccessToken(token: string): void {
         if (this.browserRunTime) {
             if (typeof window === 'undefined' || typeof localStorage === 'undefined') return
             try {
-                localStorage.setItem(TokenClient.ACCESS_TOKEN_KEY, token)
+                localStorage.setItem(TokenClient.SESSION_TOKEN_KEY, token)
             } catch (err) {
-                console.error('Failed to set access token:', err)
+                console.error('Failed to set session token:', err)
             }
         } else {
             this.serverToken = token
@@ -211,53 +80,14 @@ export class TokenClient {
     }
 
     /**
-     * Update access token after refresh
-     * ⚠️ IMPORTANT: Taruvi uses refresh token rotation
-     * When you refresh, you get BOTH a new access token AND a new refresh token
+     * Check if user is authenticated (has a session token)
      */
-    updateAccessToken(accessToken: string, expiresIn: number): void {
-        if (!this.browserRunTime) {
-            console.warn('Token update is only available in browser environment')
-            return
-        }
-
-        if (typeof window === 'undefined' || typeof localStorage === 'undefined') {
-            return
-        }
-
-        try {
-            localStorage.setItem(TokenClient.ACCESS_TOKEN_KEY, accessToken)
-            const expiresAt = Date.now() + (expiresIn * 1000)
-            localStorage.setItem(TokenClient.EXPIRES_AT_KEY, expiresAt.toString())
-        } catch (err) {
-            console.error('Failed to update access token:', err)
-        }
-    }
-
-    /**
-     * Update refresh token after rotation
-     * ⚠️ IMPORTANT: Taruvi rotates refresh tokens
-     * Always update the refresh token when you receive a new one
-     */
-    updateRefreshToken(refreshToken: string): void {
-        if (!this.browserRunTime) {
-            console.warn('Token update is only available in browser environment')
-            return
-        }
-
-        if (typeof window === 'undefined' || typeof localStorage === 'undefined') {
-            return
-        }
-
-        try {
-            localStorage.setItem(TokenClient.REFRESH_TOKEN_KEY, refreshToken)
-        } catch (err) {
-            console.error('Failed to update refresh token:', err)
-        }
+    isAuthenticated(): boolean {
+        return !!this.getSessionToken()
     }
 
     /**
-     * Clear all tokens (logout)
+     * Clear session token
      */
     clearTokens(): void {
         if (!this.browserRunTime) {
@@ -270,13 +100,9 @@ export class TokenClient {
         }
 
         try {
-            localStorage.removeItem(TokenClient.ACCESS_TOKEN_KEY)
-            localStorage.removeItem(TokenClient.REFRESH_TOKEN_KEY)
             localStorage.removeItem(TokenClient.SESSION_TOKEN_KEY)
-            localStorage.removeItem(TokenClient.EXPIRES_AT_KEY)
-            localStorage.removeItem(TokenClient.TOKEN_TYPE_KEY)
         } catch (err) {
-            console.error('Failed to clear tokens:', err)
+            console.error('Failed to clear session token:', err)
         }
     }
 }

package/tests/unit/auth/AuthClient.test.ts

@@ -5,11 +5,8 @@ import { Client } from '../../../src/client.js'
 const mockTokenClient = {
     isAuthenticated: vi.fn(),
     getToken: vi.fn(),
-    getRefreshToken: vi.fn(),
-    isTokenExpired: vi.fn(),
+    getSessionToken: vi.fn(),
     clearTokens: vi.fn(),
-    updateAccessToken: vi.fn(),
-    updateRefreshToken: vi.fn()
 }
 
 const mockHttpClient = {
@@ -47,45 +44,17 @@ describe('Auth', () => {
         })
     })
 
-    describe('getAccessToken()', () => {
-        it('returns access token from tokenClient', () => {
-            mockTokenClient.getToken.mockReturnValue('access-token-123')
+    describe('getSessionToken()', () => {
+        it('returns session token from tokenClient', () => {
+            mockTokenClient.getSessionToken.mockReturnValue('session-token-123')
             const auth = new Auth(mockClient)
-            expect(auth.getAccessToken()).toBe('access-token-123')
+            expect(auth.getSessionToken()).toBe('session-token-123')
         })
 
-        it('returns null when no token exists', () => {
-            mockTokenClient.getToken.mockReturnValue(null)
+        it('returns null when no session token exists', () => {
+            mockTokenClient.getSessionToken.mockReturnValue(null)
             const auth = new Auth(mockClient)
-            expect(auth.getAccessToken()).toBeNull()
-        })
-    })
-
-    describe('getRefreshToken()', () => {
-        it('returns refresh token from tokenClient', () => {
-            mockTokenClient.getRefreshToken.mockReturnValue('refresh-token-456')
-            const auth = new Auth(mockClient)
-            expect(auth.getRefreshToken()).toBe('refresh-token-456')
-        })
-
-        it('returns null when no refresh token exists', () => {
-            mockTokenClient.getRefreshToken.mockReturnValue(null)
-            const auth = new Auth(mockClient)
-            expect(auth.getRefreshToken()).toBeNull()
-        })
-    })
-
-    describe('isTokenExpired()', () => {
-        it('returns true when token is expired', () => {
-            mockTokenClient.isTokenExpired.mockReturnValue(true)
-            const auth = new Auth(mockClient)
-            expect(auth.isTokenExpired()).toBe(true)
-        })
-
-        it('returns false when token is valid', () => {
-            mockTokenClient.isTokenExpired.mockReturnValue(false)
-            const auth = new Auth(mockClient)
-            expect(auth.isTokenExpired()).toBe(false)
+            expect(auth.getSessionToken()).toBeNull()
         })
     })
 
@@ -119,13 +88,4 @@ describe('Auth', () => {
             expect(result).toBeNull()
         })
     })
-
-    describe('refreshAccessToken()', () => {
-        it('returns null when no refresh token available', async () => {
-            mockTokenClient.getRefreshToken.mockReturnValue(null)
-            const auth = new Auth(mockClient)
-            const result = await auth.refreshAccessToken()
-            expect(result).toBeNull()
-        })
-    })
 })

package/tests/unit/database/DatabaseClient.test.ts

@@ -423,6 +423,84 @@ describe('Database', () => {
         })
     })
 
+    describe('upsert()', () => {
+        it('calls httpClient.post with body to upsert URL', async () => {
+            const body = { name: 'Test', status: 'active' }
+            mockHttpClient.post.mockResolvedValue({ id: '1', ...body })
+            await new Database(mockClient).from('accounts').upsert(body).execute()
+            expect(mockHttpClient.post).toHaveBeenCalledWith(
+                'api/apps/test-app/datatables/accounts/data/upsert/',
+                body
+            )
+        })
+
+        it('builds correct upsert URL with array body', async () => {
+            const body = [{ name: 'A' }, { name: 'B' }]
+            mockHttpClient.post.mockResolvedValue({ data: body })
+            await new Database(mockClient).from('accounts').upsert(body).execute()
+            expect(mockHttpClient.post).toHaveBeenCalledWith(
+                'api/apps/test-app/datatables/accounts/data/upsert/',
+                body
+            )
+        })
+    })
+
+    describe('bulkUpdate()', () => {
+        it('calls httpClient.patch with array body without recordId', async () => {
+            const body = [{ id: '1', status: 'inactive' }, { id: '2', status: 'active' }]
+            mockHttpClient.patch.mockResolvedValue({ data: body })
+            await new Database(mockClient).from('accounts').bulkUpdate(body).execute()
+            expect(mockHttpClient.patch).toHaveBeenCalledWith(
+                'api/apps/test-app/datatables/accounts/data/',
+                body
+            )
+        })
+
+        it('does not throw without recordId when body is array', async () => {
+            const body = [{ id: '1', name: 'Updated' }]
+            mockHttpClient.patch.mockResolvedValue({ data: body })
+            await expect(
+                new Database(mockClient).from('accounts').bulkUpdate(body).execute()
+            ).resolves.toBeDefined()
+        })
+    })
+
+    describe('bulkDelete()', () => {
+        it('calls httpClient.delete with ids in query string', async () => {
+            mockHttpClient.delete.mockResolvedValue({ status: 'success' })
+            await new Database(mockClient).from('accounts').bulkDelete(['1']).execute()
+            expect(mockHttpClient.delete).toHaveBeenCalledWith(
+                expect.stringContaining('ids=1')
+            )
+        })
+
+        it('joins multiple ids with comma', async () => {
+            mockHttpClient.delete.mockResolvedValue({ status: 'success' })
+            await new Database(mockClient).from('accounts').bulkDelete(['1', '2', '3']).execute()
+            expect(mockHttpClient.delete).toHaveBeenCalledWith(
+                expect.stringContaining('ids=1%2C2%2C3')
+            )
+        })
+    })
+
+    describe('deleteFiltered()', () => {
+        it('calls httpClient.delete with filter params in query string', async () => {
+            mockHttpClient.delete.mockResolvedValue({ status: 'success' })
+            await new Database(mockClient).from('accounts').filter('status', 'eq', 'inactive').deleteFiltered().execute()
+            const url = mockHttpClient.delete.mock.calls[0][0]
+            expect(url).toContain('status=inactive')
+            expect(url).not.toContain('/undefined/')
+        })
+
+        it('hits collection endpoint without recordId', async () => {
+            mockHttpClient.delete.mockResolvedValue({ status: 'success' })
+            await new Database(mockClient).from('accounts').filter('age', 'lt', 18).deleteFiltered().execute()
+            expect(mockHttpClient.delete).toHaveBeenCalledWith(
+                expect.stringContaining('api/apps/test-app/datatables/accounts/data/?')
+            )
+        })
+    })
+
     describe('edges()', () => {
         it('targets _edges table for list', async () => {
             mockHttpClient.get.mockResolvedValue({ edges: [], total: 0 })

package/tests/unit/errors/errors.test.ts

@@ -8,6 +8,7 @@ import {
     ConflictError,
     TimeoutError,
     NetworkError,
+    RateLimitError,
     createErrorFromResponse,
     ErrorCode
 } from '../../../src/lib-internal/errors/index.js'
@@ -81,6 +82,21 @@ describe('Error classes', () => {
         expect(err.code).toBe('NETWORK_ERROR')
     })
 
+    it('RateLimitError defaults', () => {
+        const err = new RateLimitError()
+        expect(err.name).toBe('RateLimitError')
+        expect(err.statusCode).toBe(429)
+        expect(err.code).toBe('RATE_LIMITED')
+        expect(err.retryAfter).toBeUndefined()
+    })
+
+    it('RateLimitError with retryAfter', () => {
+        const err = new RateLimitError('Too many requests', 60)
+        expect(err.message).toBe('Too many requests')
+        expect(err.retryAfter).toBe(60)
+        expect(err).toBeInstanceOf(TaruviError)
+    })
+
     it('all errors are instanceof TaruviError', () => {
         expect(new ValidationError()).toBeInstanceOf(TaruviError)
         expect(new AuthError()).toBeInstanceOf(TaruviError)
@@ -89,6 +105,7 @@ describe('Error classes', () => {
         expect(new ConflictError()).toBeInstanceOf(TaruviError)
         expect(new TimeoutError()).toBeInstanceOf(TaruviError)
         expect(new NetworkError()).toBeInstanceOf(TaruviError)
+        expect(new RateLimitError()).toBeInstanceOf(TaruviError)
     })
 
     it('all errors are instanceof Error', () => {
@@ -171,6 +188,16 @@ describe('createErrorFromResponse', () => {
         expect(err).toBeInstanceOf(TimeoutError)
     })
 
+    it('429 returns RateLimitError', () => {
+        const err = createErrorFromResponse(429, {
+            status: 'error',
+            code: 'RATE_LIMITED',
+            message: 'Too many requests'
+        })
+        expect(err).toBeInstanceOf(RateLimitError)
+        expect(err.message).toBe('Too many requests')
+    })
+
     it('500 returns TaruviError', () => {
         const err = createErrorFromResponse(500, {
             status: 'error',