@thunderid/nuxt 0.0.1

package/dist/runtime/server/index.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+/**
+ * @thunderid/nuxt/server
+ *
+ * Public server-only barrel. Import from this subpath to access
+ * server utilities without bundling them into the client.
+ *
+ * @example
+ * ```ts
+ * import { useServerSession, requireServerSession } from '@thunderid/nuxt/server';
+ * ```
+ */
+export { useServerSession, requireServerSession } from './utils/serverSession.js';
+export { getValidAccessToken } from './utils/token-refresh.js';
+export { getThunderIDContext } from './utils/event-context.js';
+export type { ThunderIDEventContext } from './utils/event-context.js';
+export type { ThunderIDSessionPayload, ThunderIDNuxtConfig } from '../types.js';

package/dist/runtime/server/index.js

@@ -0,0 +1,3 @@
+export { useServerSession, requireServerSession } from "./utils/serverSession.js";
+export { getValidAccessToken } from "./utils/token-refresh.js";
+export { getThunderIDContext } from "./utils/event-context.js";

package/dist/runtime/server/plugins/thunderid-ssr.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+/**
+ * Nitro server plugin — the Nuxt equivalent of `ThunderIDServerProvider` in the
+ * Next.js SDK.
+ *
+ * On every page request it:
+ * 1. Initialises the singleton {@link ThunderIDNuxtClient} once (idempotent).
+ * 2. Verifies the JWT session cookie → resolves `isSignedIn`.
+ * 3. When signed in, detects org context from the ID token (`user_org`) and
+ *    switches `resolvedBaseUrl` to `${baseUrl}/o` when the user is acting
+ *    within an organisation.
+ * 4. In parallel (gated by `preferences`):
+ *    - Fetches user + SCIM2 user profile  (`preferences.user.fetchUserProfile !== false`)
+ *    - Fetches current org + my orgs      (`preferences.user.fetchOrganizations !== false`)
+ *    - Fetches branding preference        (`preferences.theme.inheritFromBranding !== false`)
+ * 5. Writes the full {@link ThunderIDSSRData} to `event.context.thunderid.ssr`
+ *    so the Nuxt plugin can seed `useState` keys for zero-cost hydration.
+ *
+ * Each fetch is individually wrapped in try/catch so a broken SCIM or branding
+ * call never crashes SSR — the client layer can recover via the existing
+ * `/api/auth/*` routes.
+ */
+declare const _default: import("nitropack/types").NitroAppPlugin;
+export default _default;

package/dist/runtime/server/plugins/thunderid-ssr.js

@@ -0,0 +1,135 @@
+import { getRequestURL } from "h3";
+import { defineNitroPlugin } from "nitropack/runtime";
+import { createLogger } from "../../utils/log.js";
+import ThunderIDNuxtClient from "../ThunderIDNuxtClient.js";
+import { verifyAndRehydrateSession } from "../utils/serverSession.js";
+import { useRuntimeConfig } from "#imports";
+const log = createLogger("thunderid-ssr");
+const CALLBACK_PATH = "/api/auth/callback";
+function resolveCallbackUrl(event) {
+  const url = getRequestURL(event, { xForwardedHost: true, xForwardedProto: true });
+  return `${url.origin}${CALLBACK_PATH}`;
+}
+export default defineNitroPlugin((nitro) => {
+  nitro.hooks.hook("request", async (event) => {
+    const client = ThunderIDNuxtClient.getInstance();
+    if (!client.isInitialized) {
+      const config2 = useRuntimeConfig(event);
+      const publicConfig2 = config2.public.thunderid;
+      const privateConfig = config2.thunderid;
+      if (!publicConfig2?.baseUrl || !publicConfig2?.clientId) {
+        log.error(
+          "Missing required config: baseUrl and clientId. Set NUXT_PUBLIC_THUNDERID_BASE_URL and NUXT_PUBLIC_THUNDERID_CLIENT_ID."
+        );
+        return;
+      }
+      const sessionSecret2 = process.env["THUNDERID_SESSION_SECRET"] || privateConfig?.sessionSecret;
+      if (!sessionSecret2) {
+        if (process.env["NODE_ENV"] === "production") {
+          log.error(
+            "THUNDERID_SESSION_SECRET is required in production. Set it to a secure random string of at least 32 characters. Refusing to initialize ThunderID client."
+          );
+          return;
+        }
+        log.warn(
+          "THUNDERID_SESSION_SECRET is not set. Using an insecure default for development only. Set THUNDERID_SESSION_SECRET before deploying."
+        );
+      }
+      try {
+        await client.initialize({
+          afterSignInUrl: resolveCallbackUrl(event),
+          afterSignOutUrl: publicConfig2.afterSignOutUrl || "/",
+          baseUrl: publicConfig2.baseUrl,
+          clientId: publicConfig2.clientId,
+          clientSecret: privateConfig?.clientSecret || void 0,
+          platform: publicConfig2.platform,
+          scopes: publicConfig2.scopes || ["openid", "profile"],
+          tokenRequest: publicConfig2.tokenRequest
+        });
+      } catch (err) {
+        log.error("Failed to initialize ThunderID client:", err);
+        return;
+      }
+    }
+    const url = event.path || "";
+    if (url.startsWith("/api/") || url.startsWith("/_nuxt/") || url.startsWith("/__nuxt_")) {
+      return;
+    }
+    const config = useRuntimeConfig(event);
+    const publicConfig = config.public.thunderid;
+    const prefs = publicConfig?.preferences;
+    const sessionSecret = process.env["THUNDERID_SESSION_SECRET"] || config.thunderid?.sessionSecret;
+    const session = await verifyAndRehydrateSession(
+      event,
+      sessionSecret
+    );
+    if (!session) {
+      const eventContext2 = event.context;
+      eventContext2.thunderid = { isSignedIn: false, session: null };
+      return;
+    }
+    const baseUrl = publicConfig?.baseUrl ?? "";
+    let resolvedBaseUrl = baseUrl;
+    try {
+      if (session.organizationId) {
+        resolvedBaseUrl = `${baseUrl}/o`;
+      } else {
+        const idToken = await client.getDecodedIdToken(
+          session.sessionId
+        );
+        if (idToken?.["user_org"]) {
+          resolvedBaseUrl = `${baseUrl}/o`;
+        }
+      }
+    } catch {
+    }
+    const shouldFetchProfile = prefs?.user?.fetchUserProfile !== false;
+    const shouldFetchOrgs = prefs?.user?.fetchOrganizations !== false;
+    const shouldFetchBranding = prefs?.theme?.inheritFromBranding !== false;
+    const [userResult, userProfileResult, orgsResult, currentOrgResult, brandingResult] = await Promise.allSettled([
+      // Always fetch the basic user object (needed for ThunderIDAuthState.user)
+      client.getUser(session.sessionId),
+      // SCIM2 user profile (flattened + schemas)
+      shouldFetchProfile ? client.getUserProfile(session.sessionId) : Promise.resolve(null),
+      // User's organisations
+      shouldFetchOrgs ? client.getMyOrganizations(session.sessionId) : Promise.resolve([]),
+      // Current organisation (derived from the ID token)
+      shouldFetchOrgs ? client.getCurrentOrganization(session.sessionId) : Promise.resolve(null),
+      // Branding preference (does not require a session)
+      shouldFetchBranding ? client.getBrandingPreference({ baseUrl: resolvedBaseUrl }) : Promise.resolve(null)
+    ]);
+    if (userResult.status === "rejected") {
+      log.debug("Failed to fetch user:", userResult.reason);
+    }
+    if (userProfileResult.status === "rejected") {
+      log.warn("Failed to fetch user profile (SCIM2):", userProfileResult.reason);
+    }
+    if (orgsResult.status === "rejected") {
+      log.warn("Failed to fetch my organisations:", orgsResult.reason);
+    }
+    if (currentOrgResult.status === "rejected") {
+      log.warn("Failed to resolve current organisation:", currentOrgResult.reason);
+    }
+    if (brandingResult.status === "rejected") {
+      log.warn("Failed to fetch branding preference:", brandingResult.reason);
+    }
+    const ssrData = {
+      brandingPreference: brandingResult.status === "fulfilled" ? brandingResult.value : null,
+      currentOrganization: currentOrgResult.status === "fulfilled" ? currentOrgResult.value : null,
+      isSignedIn: true,
+      myOrganizations: orgsResult.status === "fulfilled" && Array.isArray(orgsResult.value) ? orgsResult.value : [],
+      resolvedBaseUrl,
+      session,
+      user: userResult.status === "fulfilled" ? userResult.value : null,
+      userProfile: userProfileResult.status === "fulfilled" ? userProfileResult.value : null
+    };
+    const eventContext = event.context;
+    eventContext.thunderid = { isSignedIn: true, session, ssr: ssrData };
+    const authState = {
+      isLoading: false,
+      isSignedIn: true,
+      user: ssrData.user
+    };
+    eventContext["__thunderidAuth"] = authState;
+  });
+});

package/dist/runtime/server/routes/auth/branding/branding.get.d.ts

@@ -0,0 +1,31 @@
+/**
+ * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import type { BrandingPreference } from '@thunderid/node';
+/**
+ * GET /api/auth/branding
+ *
+ * Returns the branding preference for the current tenant / organisation context.
+ * Resolves the correct `baseUrl` (org-scoped if the session is inside an org).
+ * Does not require an authenticated session — unauthenticated callers receive
+ * the root-tenant branding.
+ *
+ * Used by `ThunderIDRoot.revalidateBranding` to refresh client-side branding
+ * state without a full page reload.
+ */
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<BrandingPreference | null>>;
+export default _default;

package/dist/runtime/server/routes/auth/branding/branding.get.js

@@ -0,0 +1,40 @@
+import { defineEventHandler, createError } from "h3";
+import ThunderIDNuxtClient from "../../../ThunderIDNuxtClient.js";
+import { verifyAndRehydrateSession } from "../../../utils/serverSession.js";
+import { useRuntimeConfig } from "#imports";
+export default defineEventHandler(async (event) => {
+  const config = useRuntimeConfig(event);
+  const publicConfig = config.public.thunderid;
+  const sessionSecret = config.thunderid?.sessionSecret;
+  const baseUrl = publicConfig?.baseUrl ?? "";
+  let resolvedBaseUrl = baseUrl;
+  try {
+    const session = await verifyAndRehydrateSession(
+      event,
+      sessionSecret
+    );
+    if (session) {
+      if (session.organizationId) {
+        resolvedBaseUrl = `${baseUrl}/o`;
+      } else {
+        const client = ThunderIDNuxtClient.getInstance();
+        const idToken = await client.getDecodedIdToken(
+          session.sessionId
+        );
+        if (idToken?.["user_org"]) {
+          resolvedBaseUrl = `${baseUrl}/o`;
+        }
+      }
+    }
+  } catch {
+  }
+  try {
+    const client = ThunderIDNuxtClient.getInstance();
+    return await client.getBrandingPreference({ baseUrl: resolvedBaseUrl });
+  } catch (err) {
+    throw createError({
+      statusCode: 500,
+      statusMessage: `Failed to retrieve branding preference: ${err instanceof Error ? err.message : String(err)}`
+    });
+  }
+});

package/dist/runtime/server/routes/auth/organizations/current.get.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import type { Organization } from '@thunderid/node';
+/**
+ * GET /api/auth/organizations/current
+ *
+ * Returns the organisation the authenticated user is currently acting within,
+ * derived from the session's ID token (`org_id` / `org_name` claims).
+ * Returns `null` when the user is not inside an organisation context.
+ *
+ * Used by `ThunderIDRoot.revalidateCurrentOrganization` callback.
+ */
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<Organization | null>>;
+export default _default;

package/dist/runtime/server/routes/auth/organizations/current.get.js

@@ -0,0 +1,24 @@
+import { defineEventHandler, createError } from "h3";
+import ThunderIDNuxtClient from "../../../ThunderIDNuxtClient.js";
+import { verifyAndRehydrateSession } from "../../../utils/serverSession.js";
+import { useRuntimeConfig } from "#imports";
+export default defineEventHandler(async (event) => {
+  const config = useRuntimeConfig();
+  const sessionSecret = config.thunderid?.sessionSecret;
+  const session = await verifyAndRehydrateSession(
+    event,
+    sessionSecret
+  );
+  if (!session) {
+    throw createError({ statusCode: 401, statusMessage: "Unauthorized: Invalid or expired session." });
+  }
+  try {
+    const client = ThunderIDNuxtClient.getInstance();
+    return await client.getCurrentOrganization(session.sessionId);
+  } catch (err) {
+    throw createError({
+      statusCode: 500,
+      statusMessage: `Failed to retrieve current organisation: ${err instanceof Error ? err.message : String(err)}`
+    });
+  }
+});

package/dist/runtime/server/routes/auth/organizations/id.get.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import type { OrganizationDetails } from '@thunderid/node';
+/**
+ * GET /api/auth/organizations/:id
+ *
+ * Returns the details of a single organisation by its ID.
+ * Requires an active session.
+ *
+ * Mirrors `getOrganizationAction` in the Next.js SDK.
+ */
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<OrganizationDetails>>;
+export default _default;

package/dist/runtime/server/routes/auth/organizations/id.get.js

@@ -0,0 +1,28 @@
+import { defineEventHandler, getRouterParam, createError } from "h3";
+import ThunderIDNuxtClient from "../../../ThunderIDNuxtClient.js";
+import { verifyAndRehydrateSession } from "../../../utils/serverSession.js";
+import { useRuntimeConfig } from "#imports";
+export default defineEventHandler(async (event) => {
+  const config = useRuntimeConfig();
+  const sessionSecret = config.thunderid?.sessionSecret;
+  const session = await verifyAndRehydrateSession(
+    event,
+    sessionSecret
+  );
+  if (!session) {
+    throw createError({ statusCode: 401, statusMessage: "Unauthorized: Invalid or expired session." });
+  }
+  const organizationId = getRouterParam(event, "id");
+  if (!organizationId) {
+    throw createError({ statusCode: 400, statusMessage: "Organization ID is required." });
+  }
+  try {
+    const client = ThunderIDNuxtClient.getInstance();
+    return await client.getOrganization(organizationId, session.sessionId);
+  } catch (err) {
+    throw createError({
+      statusCode: 500,
+      statusMessage: `Failed to retrieve organisation: ${err instanceof Error ? err.message : String(err)}`
+    });
+  }
+});

package/dist/runtime/server/routes/auth/organizations/index.get.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import type { AllOrganizationsApiResponse } from '@thunderid/node';
+/**
+ * GET /api/auth/organizations
+ *
+ * Returns all organisations accessible to the authenticated user (paginated).
+ * Used by `ThunderIDRoot.getAllOrganizations` callback.
+ *
+ * Mirrors `getAllOrganizations` server action in the Next.js SDK.
+ */
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<AllOrganizationsApiResponse>>;
+export default _default;

package/dist/runtime/server/routes/auth/organizations/index.get.js

@@ -0,0 +1,24 @@
+import { defineEventHandler, createError } from "h3";
+import ThunderIDNuxtClient from "../../../ThunderIDNuxtClient.js";
+import { verifyAndRehydrateSession } from "../../../utils/serverSession.js";
+import { useRuntimeConfig } from "#imports";
+export default defineEventHandler(async (event) => {
+  const config = useRuntimeConfig();
+  const sessionSecret = config.thunderid?.sessionSecret;
+  const session = await verifyAndRehydrateSession(
+    event,
+    sessionSecret
+  );
+  if (!session) {
+    throw createError({ statusCode: 401, statusMessage: "Unauthorized: Invalid or expired session." });
+  }
+  try {
+    const client = ThunderIDNuxtClient.getInstance();
+    return await client.getAllOrganizations(void 0, session.sessionId);
+  } catch (err) {
+    throw createError({
+      statusCode: 500,
+      statusMessage: `Failed to retrieve all organisations: ${err instanceof Error ? err.message : String(err)}`
+    });
+  }
+});

package/dist/runtime/server/routes/auth/organizations/index.post.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import type { Organization } from '@thunderid/node';
+/**
+ * POST /api/auth/organizations
+ *
+ * Creates a new sub-organisation under the authenticated user's root organisation.
+ *
+ * Request body: {@link CreateOrganizationPayload}
+ * Response: {@link Organization}
+ *
+ * Mirrors `createOrganization` server action in the Next.js SDK.
+ */
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<Organization>>;
+export default _default;

package/dist/runtime/server/routes/auth/organizations/index.post.js

@@ -0,0 +1,30 @@
+import { defineEventHandler, readBody, createError } from "h3";
+import ThunderIDNuxtClient from "../../../ThunderIDNuxtClient.js";
+import { verifyAndRehydrateSession } from "../../../utils/serverSession.js";
+import { useRuntimeConfig } from "#imports";
+export default defineEventHandler(async (event) => {
+  const config = useRuntimeConfig();
+  const sessionSecret = config.thunderid?.sessionSecret;
+  const session = await verifyAndRehydrateSession(
+    event,
+    sessionSecret
+  );
+  if (!session) {
+    throw createError({ statusCode: 401, statusMessage: "Unauthorized: Invalid or expired session." });
+  }
+  let payload;
+  try {
+    payload = await readBody(event);
+  } catch {
+    throw createError({ statusCode: 400, statusMessage: "Invalid request body." });
+  }
+  try {
+    const client = ThunderIDNuxtClient.getInstance();
+    return await client.createOrganization(payload, session.sessionId);
+  } catch (err) {
+    throw createError({
+      statusCode: 500,
+      statusMessage: `Failed to create organisation: ${err instanceof Error ? err.message : String(err)}`
+    });
+  }
+});

package/dist/runtime/server/routes/auth/organizations/me.get.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import type { Organization } from '@thunderid/node';
+/**
+ * GET /api/auth/organizations/me
+ *
+ * Returns the list of organisations the authenticated user is a member of.
+ * Used by `ThunderIDRoot.revalidateMyOrganizations` to refresh client-side state.
+ *
+ * Mirrors `getMyOrganizations` server action in the Next.js SDK.
+ */
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<Organization[]>>;
+export default _default;

package/dist/runtime/server/routes/auth/organizations/me.get.js

@@ -0,0 +1,24 @@
+import { defineEventHandler, createError } from "h3";
+import ThunderIDNuxtClient from "../../../ThunderIDNuxtClient.js";
+import { verifyAndRehydrateSession } from "../../../utils/serverSession.js";
+import { useRuntimeConfig } from "#imports";
+export default defineEventHandler(async (event) => {
+  const config = useRuntimeConfig();
+  const sessionSecret = config.thunderid?.sessionSecret;
+  const session = await verifyAndRehydrateSession(
+    event,
+    sessionSecret
+  );
+  if (!session) {
+    throw createError({ statusCode: 401, statusMessage: "Unauthorized: Invalid or expired session." });
+  }
+  try {
+    const client = ThunderIDNuxtClient.getInstance();
+    return await client.getMyOrganizations(session.sessionId);
+  } catch (err) {
+    throw createError({
+      statusCode: 500,
+      statusMessage: `Failed to retrieve organisations: ${err instanceof Error ? err.message : String(err)}`
+    });
+  }
+});

package/dist/runtime/server/routes/auth/organizations/switch.post.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+/**
+ * POST /api/auth/organizations/switch
+ *
+ * Performs an `organization_switch` token exchange for the given organisation,
+ * then re-issues the JWT session cookie so subsequent requests carry the new
+ * organisation context.
+ *
+ * Request body: `{ organization: Organization }`
+ *
+ * Mirrors `switchOrganization` server action in the Next.js SDK.
+ */
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<{
+    success: boolean;
+}>>;
+export default _default;

package/dist/runtime/server/routes/auth/organizations/switch.post.js

@@ -0,0 +1,49 @@
+import { defineEventHandler, readBody, createError } from "h3";
+import ThunderIDNuxtClient from "../../../ThunderIDNuxtClient.js";
+import { verifyAndRehydrateSession } from "../../../utils/serverSession.js";
+import { issueSessionCookie } from "../../../utils/session.js";
+import { useRuntimeConfig } from "#imports";
+export default defineEventHandler(async (event) => {
+  const config = useRuntimeConfig();
+  const sessionSecret = config.thunderid?.sessionSecret;
+  const session = await verifyAndRehydrateSession(
+    event,
+    sessionSecret
+  );
+  if (!session) {
+    throw createError({ statusCode: 401, statusMessage: "Unauthorized: Invalid or expired session." });
+  }
+  const { sessionId } = session;
+  let organization;
+  try {
+    const body = await readBody(event);
+    organization = body.organization;
+  } catch {
+    throw createError({ statusCode: 400, statusMessage: "Invalid request body." });
+  }
+  if (!organization?.id) {
+    throw createError({ statusCode: 400, statusMessage: "organization.id is required." });
+  }
+  let tokenResponse;
+  try {
+    const client = ThunderIDNuxtClient.getInstance();
+    const response = await client.switchOrganization(organization, sessionId);
+    tokenResponse = response;
+  } catch (err) {
+    throw createError({
+      statusCode: 500,
+      statusMessage: `Organisation switch failed: ${err instanceof Error ? err.message : String(err)}`
+    });
+  }
+  try {
+    const runtimeConfig = useRuntimeConfig();
+    const runtimeSessionSecret = runtimeConfig.thunderid?.sessionSecret;
+    await issueSessionCookie(event, sessionId, tokenResponse, runtimeSessionSecret);
+  } catch (err) {
+    throw createError({
+      statusCode: 500,
+      statusMessage: `Failed to establish new session after organisation switch: ${err instanceof Error ? err.message : String(err)}`
+    });
+  }
+  return { success: true };
+});