@tokenite/sdk 1.0.0

package/dist/admin/connections.js

@@ -0,0 +1,9 @@
+export const createConnectionsApi = (client) => ({
+    list: () => client.request('GET', '/api/connections'),
+    stats: (id) => client.request('GET', `/api/connections/${id}/stats`),
+    setBudget: (id, budgetLimit) => client.request('PATCH', `/api/connections/${id}/budget`, { budget_limit: budgetLimit }),
+    suspend: (id) => client.request('POST', `/api/connections/${id}/suspend`),
+    resume: (id) => client.request('POST', `/api/connections/${id}/resume`),
+    revoke: (id) => client.request('DELETE', `/api/connections/${id}`),
+});
+//# sourceMappingURL=connections.js.map

package/dist/admin/index.d.ts

@@ -0,0 +1,88 @@
+export type TokeniteAdminConfig = {
+    readonly apiKey: string;
+    readonly baseUrl?: string;
+    readonly accountId?: string;
+};
+export declare const TokeniteAdmin: (config: TokeniteAdminConfig) => {
+    auth: {
+        register: (input: import("./types.js").RegisterUserInput) => Promise<import("./types.js").RegisterUserResult>;
+        login: (input: import("./types.js").LoginInput) => Promise<import("./types.js").LoginResult>;
+        me: () => Promise<import("./types.js").Me>;
+        createToken: (input: import("./types.js").CreateTokenInput) => Promise<import("./types.js").CreatedPat>;
+        listTokens: () => Promise<import("./types.js").PatRecord[]>;
+        revokeToken: (tokenId: string) => Promise<{
+            ok: true;
+        }>;
+    };
+    accounts: {
+        list: () => Promise<import("./types.js").AccountRecord[]>;
+        create: (input: import("./types.js").CreateAccountInput) => Promise<import("./types.js").AccountRecord>;
+        get: (id: string) => Promise<import("./types.js").AccountRecord & {
+            role: "owner" | "member";
+        }>;
+        update: (id: string, input: import("./types.js").UpdateAccountInput) => Promise<import("./types.js").AccountRecord>;
+        delete: (id: string) => Promise<{
+            ok: true;
+        }>;
+        invite: (accountId: string, input: import("./types.js").CreateInvitationInput) => Promise<import("./types.js").InvitationWithClaim>;
+        invitations: (accountId: string) => Promise<import("./types.js").InvitationRecord[]>;
+        cancelInvite: (accountId: string, invitationId: string) => Promise<{
+            ok: true;
+        }>;
+        members: (accountId: string) => Promise<import("./types.js").MemberRecord[]>;
+        updateMember: (accountId: string, userId: string, input: import("./types.js").UpdateMemberInput) => Promise<import("./types.js").MemberRecord>;
+        removeMember: (accountId: string, userId: string) => Promise<{
+            ok: true;
+        }>;
+        leave: (accountId: string) => Promise<{
+            ok: true;
+        }>;
+        claim: (input: import("./types.js").ClaimInvitationInput) => Promise<import("./types.js").ClaimInvitationResult>;
+    };
+    apps: {
+        create: (input: import("./types.js").CreateAppInput) => Promise<import("./types.js").CreatedApp>;
+        list: () => Promise<import("./types.js").AppRecord[]>;
+        get: (id: string) => Promise<import("./types.js").AppRecord>;
+        update: (id: string, input: import("./types.js").UpdateAppInput) => Promise<import("./types.js").AppRecord>;
+        rotateSecret: (id: string) => Promise<{
+            appSecret: string;
+        }>;
+        delete: (id: string) => Promise<{
+            ok: true;
+        }>;
+    };
+    keys: {
+        add: (input: import("./types.js").AddApiKeyInput) => Promise<import("./types.js").ApiKeyRecord>;
+        list: () => Promise<import("./types.js").ApiKeyRecord[]>;
+        remove: (id: string) => Promise<{
+            ok: true;
+        }>;
+    };
+    oauth: {
+        authorize: (input: import("./types.js").AuthorizeInput) => Promise<import("./types.js").AuthorizeResult>;
+        exchange: (input: import("./types.js").ExchangeInput) => Promise<import("./types.js").ExchangeResult>;
+    };
+    connections: {
+        list: () => Promise<import("./types.js").ConnectionRecord[]>;
+        stats: (id: string) => Promise<import("./types.js").ConnectionStats>;
+        setBudget: (id: string, budgetLimit: number) => Promise<{
+            ok: true;
+        }>;
+        suspend: (id: string) => Promise<{
+            ok: true;
+        }>;
+        resume: (id: string) => Promise<{
+            ok: true;
+        }>;
+        revoke: (id: string) => Promise<{
+            ok: true;
+        }>;
+    };
+    spending: {
+        list: (filters?: import("./types.js").SpendingFilters) => Promise<import("./types.js").SpendingEntry[]>;
+    };
+};
+export { AdminClientError } from './client.js';
+export type { AdminClient, AdminClientConfig } from './client.js';
+export type * from './types.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/admin/index.js

@@ -0,0 +1,22 @@
+import { createAdminClient } from './client.js';
+import { createAuthApi } from './auth.js';
+import { createAccountsApi } from './accounts.js';
+import { createAppsApi } from './apps.js';
+import { createKeysApi } from './keys.js';
+import { createOAuthApi } from './oauth.js';
+import { createConnectionsApi } from './connections.js';
+import { createSpendingApi } from './spending.js';
+export const TokeniteAdmin = (config) => {
+    const client = createAdminClient(config);
+    return {
+        auth: createAuthApi(client),
+        accounts: createAccountsApi(client),
+        apps: createAppsApi(client),
+        keys: createKeysApi(client),
+        oauth: createOAuthApi(client),
+        connections: createConnectionsApi(client),
+        spending: createSpendingApi(client),
+    };
+};
+export { AdminClientError } from './client.js';
+//# sourceMappingURL=index.js.map

package/dist/admin/keys.d.ts

@@ -0,0 +1,10 @@
+import type { AdminClient } from './client.js';
+import type { ApiKeyRecord, AddApiKeyInput } from './types.js';
+export declare const createKeysApi: (client: AdminClient) => {
+    add: (input: AddApiKeyInput) => Promise<ApiKeyRecord>;
+    list: () => Promise<ApiKeyRecord[]>;
+    remove: (id: string) => Promise<{
+        ok: true;
+    }>;
+};
+//# sourceMappingURL=keys.d.ts.map

package/dist/admin/keys.js

@@ -0,0 +1,6 @@
+export const createKeysApi = (client) => ({
+    add: (input) => client.request('POST', '/api/keys', input),
+    list: () => client.request('GET', '/api/keys'),
+    remove: (id) => client.request('DELETE', `/api/keys/${id}`),
+});
+//# sourceMappingURL=keys.js.map

package/dist/admin/oauth.d.ts

@@ -0,0 +1,7 @@
+import type { AdminClient } from './client.js';
+import type { AuthorizeInput, AuthorizeResult, ExchangeInput, ExchangeResult } from './types.js';
+export declare const createOAuthApi: (client: AdminClient) => {
+    authorize: (input: AuthorizeInput) => Promise<AuthorizeResult>;
+    exchange: (input: ExchangeInput) => Promise<ExchangeResult>;
+};
+//# sourceMappingURL=oauth.d.ts.map

package/dist/admin/oauth.js

@@ -0,0 +1,15 @@
+export const createOAuthApi = (client) => ({
+    authorize: (input) => client.request('POST', '/api/oauth/authorize', {
+        client_id: input.clientId,
+        redirect_uri: input.redirectUri,
+        budget_limit: input.budgetLimit,
+        ...(input.state ? { state: input.state } : {}),
+    }),
+    exchange: (input) => client.request('POST', '/api/oauth/token', {
+        code: input.code,
+        client_id: input.clientId,
+        client_secret: input.clientSecret,
+        redirect_uri: input.redirectUri,
+    }),
+});
+//# sourceMappingURL=oauth.js.map

package/dist/admin/spending.d.ts

@@ -0,0 +1,6 @@
+import type { AdminClient } from './client.js';
+import type { SpendingFilters, SpendingEntry } from './types.js';
+export declare const createSpendingApi: (client: AdminClient) => {
+    list: (filters?: SpendingFilters) => Promise<SpendingEntry[]>;
+};
+//# sourceMappingURL=spending.d.ts.map

package/dist/admin/spending.js

@@ -0,0 +1,19 @@
+const buildQuery = (filters) => {
+    const params = new URLSearchParams();
+    if (filters.appId)
+        params.set('appId', filters.appId);
+    if (filters.from)
+        params.set('from', filters.from);
+    if (filters.to)
+        params.set('to', filters.to);
+    if (filters.limit !== undefined)
+        params.set('limit', String(filters.limit));
+    if (filters.offset !== undefined)
+        params.set('offset', String(filters.offset));
+    const qs = params.toString();
+    return qs ? `?${qs}` : '';
+};
+export const createSpendingApi = (client) => ({
+    list: (filters = {}) => client.request('GET', `/api/spending${buildQuery(filters)}`),
+});
+//# sourceMappingURL=spending.js.map

package/dist/admin/types.d.ts

@@ -0,0 +1,197 @@
+import type { Provider } from '../types.js';
+export type ModelStrategy = 'any' | 'tier' | 'models';
+export type RequiredTier = 'cheap' | 'fast' | 'smart' | 'reasoning';
+export type AppRecord = {
+    readonly id: string;
+    readonly builderId: string;
+    readonly name: string;
+    readonly callbackUrl: string;
+    readonly requiredProviders: readonly Provider[];
+    readonly preferredProviders: readonly Provider[];
+    readonly allowSubstitution: boolean;
+    readonly allowedModels?: readonly string[];
+    readonly modelStrategy: ModelStrategy;
+    readonly requiredTier?: RequiredTier;
+    readonly allowsManagedAgents?: boolean;
+    readonly websiteUrl?: string;
+    readonly description?: string;
+    readonly iconUrl?: string;
+    readonly createdAt: string;
+};
+export type CreatedApp = AppRecord & {
+    readonly appSecret: string;
+};
+export type CreateAppInput = {
+    readonly name: string;
+    readonly callbackUrl: string;
+    readonly requiredProviders: readonly Provider[];
+    readonly preferredProviders?: readonly Provider[];
+    readonly allowSubstitution?: boolean;
+    readonly allowedModels?: readonly string[];
+    readonly modelStrategy?: ModelStrategy;
+    readonly requiredTier?: RequiredTier;
+    readonly allowsManagedAgents?: boolean;
+    readonly websiteUrl?: string;
+    readonly description?: string;
+    readonly iconUrl?: string;
+};
+export type UpdateAppInput = Partial<CreateAppInput>;
+export type ApiKeyRecord = {
+    readonly id: string;
+    readonly userId: string;
+    readonly provider: Provider;
+    readonly keyHint: string;
+    readonly isActive: boolean;
+    readonly createdAt: string;
+};
+export type AddApiKeyInput = {
+    readonly apiKey: string;
+    readonly provider?: Provider;
+};
+export type AuthorizeInput = {
+    readonly clientId: string;
+    readonly redirectUri: string;
+    readonly budgetLimit: number;
+    readonly state?: string;
+};
+export type AuthorizeResult = {
+    readonly redirect_to: string;
+    readonly code: string;
+};
+export type ExchangeInput = {
+    readonly code: string;
+    readonly clientId: string;
+    readonly clientSecret: string;
+    readonly redirectUri: string;
+};
+export type ExchangeResult = {
+    readonly access_token: string;
+    readonly token_type: string;
+};
+export type ConnectionRecord = {
+    readonly id: string;
+    readonly appId: string;
+    readonly appName: string;
+    readonly appWebsiteUrl: string | null;
+    readonly appDescription: string | null;
+    readonly appIconUrl: string | null;
+    readonly budgetLimit: number;
+    readonly budgetSpent: number;
+    readonly isSuspended: boolean;
+    readonly createdAt: string;
+};
+export type ConnectionStats = {
+    readonly totalRequests: number;
+    readonly totalTokens: number;
+    readonly totalCost: number;
+};
+export type SpendingFilters = {
+    readonly appId?: string;
+    readonly from?: string;
+    readonly to?: string;
+    readonly limit?: number;
+    readonly offset?: number;
+};
+export type SpendingEntry = {
+    readonly id: string;
+    readonly appName: string;
+    readonly provider: string;
+    readonly model: string;
+    readonly inputTokens: number;
+    readonly outputTokens: number;
+    readonly costUsd: number;
+    readonly platformFeeUsd: number;
+    readonly createdAt: string;
+};
+export type RegisterUserInput = {
+    readonly email: string;
+    readonly password: string;
+};
+export type RegisterUserResult = {
+    readonly userId: string;
+    readonly token: string;
+};
+export type LoginInput = RegisterUserInput;
+export type LoginResult = {
+    readonly token: string;
+};
+export type Me = {
+    readonly userId: string;
+    readonly email: string;
+};
+export type CreateTokenInput = {
+    readonly name: string;
+};
+export type PatRecord = {
+    readonly id: string;
+    readonly name: string;
+    readonly keyHint: string;
+    readonly createdAt: string;
+    readonly lastUsedAt: string | null;
+};
+export type CreatedPat = PatRecord & {
+    readonly token: string;
+};
+export type AccountType = 'personal' | 'business';
+export type PoolResetPeriod = 'monthly' | null;
+export type AccountRecord = {
+    readonly id: string;
+    readonly type: AccountType;
+    readonly name: string;
+    readonly ownerUserId: string;
+    readonly poolBudgetLimitUsd: number | null;
+    readonly poolBudgetSpentUsd: number;
+    readonly poolResetPeriod: PoolResetPeriod;
+    readonly poolLastResetAt: string | null;
+    readonly deletedAt: string | null;
+    readonly createdAt: string;
+    /** Present on /api/accounts list responses; absent on bare account records. */
+    readonly role?: 'owner' | 'member';
+};
+export type CreateAccountInput = {
+    readonly type: 'business';
+    readonly name: string;
+};
+export type UpdateAccountInput = {
+    readonly name?: string;
+    readonly poolBudgetLimitUsd?: number | null;
+    readonly poolResetPeriod?: PoolResetPeriod;
+};
+export type InvitationRecord = {
+    readonly id: string;
+    readonly accountId: string;
+    readonly email: string;
+    readonly role: 'owner' | 'member';
+    readonly invitedByUserId: string;
+    readonly expiresAt: string;
+    readonly acceptedAt: string | null;
+    readonly createdAt: string;
+};
+export type InvitationWithClaim = InvitationRecord & {
+    readonly claimUrl: string;
+};
+export type CreateInvitationInput = {
+    readonly email: string;
+    readonly role?: 'owner' | 'member';
+};
+export type MemberRecord = {
+    readonly accountId: string;
+    readonly userId: string;
+    readonly email: string;
+    readonly role: 'owner' | 'member';
+    readonly monthlyCapUsd: number | null;
+    readonly joinedAt: string;
+    readonly mtdSpendUsd: number;
+};
+export type UpdateMemberInput = {
+    readonly role?: 'owner' | 'member';
+    readonly monthlyCapUsd?: number | null;
+};
+export type ClaimInvitationInput = {
+    readonly token: string;
+};
+export type ClaimInvitationResult = {
+    readonly accountId: string;
+    readonly role: 'owner' | 'member';
+};
+//# sourceMappingURL=types.d.ts.map

package/dist/admin/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/client.d.ts

@@ -0,0 +1,120 @@
+import type { TokeniteConfig, AuthorizeOptions, PopupOptions, PopupResult, TokenResponse, Provider, ProxyCallOptions, ProxyResponse, AllowedProvidersResponse } from './types.js';
+/**
+ * Tokenite client.
+ *
+ * Two ways to obtain an access token:
+ *
+ * **Modal (single-page apps)** — open an iframe consent screen and
+ * receive an OAuth authorization code. The code must be exchanged
+ * server-side because the exchange requires `clientSecret`:
+ * ```typescript
+ * const { code } = await tk.popup({ suggestedBudget: 5 });
+ * await fetch('/api/auth/exchange', {
+ *   method: 'POST',
+ *   body: JSON.stringify({ code }),
+ * });
+ * ```
+ *
+ * **Redirect (server-side)** — classic OAuth bounce:
+ * ```typescript
+ * res.redirect(tk.getAuthorizeUrl());
+ * // ...later in /callback:
+ * const { access_token } = await tk.exchangeCode(req.query.code);
+ * ```
+ *
+ * Once you have the access token, call the LLM through the proxy:
+ * ```typescript
+ * const result = await tk.call({
+ *   accessToken,
+ *   provider: 'anthropic',
+ *   path: '/v1/messages',
+ *   body: { model: 'claude-3-5-sonnet-latest', max_tokens: 1024, messages: [...] },
+ * });
+ * if (isProxyError(result)) console.error(result.error);
+ * else console.log(result.data);
+ * ```
+ *
+ * For streaming responses, use a vendor SDK with `baseURL: tk.proxyUrl(...)`
+ * — streams bypass the unified envelope and are forwarded as-is.
+ */
+export declare const Tokenite: (config: TokeniteConfig) => {
+    /**
+     * Build the authorization URL for a full-page redirect.
+     * Supports optional suggested budget that pre-fills the consent screen.
+     */
+    getAuthorizeUrl: (options?: AuthorizeOptions) => string;
+    /**
+     * Open the consent screen and resolve with an OAuth authorization
+     * code when the user approves. The code must then be exchanged
+     * server-side via `tk.exchangeCode(code)` (the exchange requires
+     * `clientSecret`, which must never run in browser code).
+     *
+     * Two presentation modes:
+     *
+     * - `mode: 'iframe'` (default) — overlay an iframe modal in the
+     *   current window. Cleaner UX, but the consent screen's host must
+     *   allow being framed (no `X-Frame-Options: DENY`).
+     * - `mode: 'window'` — open a separate browser popup window via
+     *   `window.open`. Works regardless of frame policy.
+     *
+     * ```typescript
+     * const { code } = await tk.popup({ suggestedBudget: 5 });
+     * await fetch('/api/auth/exchange', {
+     *   method: 'POST',
+     *   body: JSON.stringify({ code }),
+     * });
+     * ```
+     */
+    popup: (options?: PopupOptions) => Promise<PopupResult>;
+    /**
+     * Exchange an authorization code for an access token.
+     * Call this server-side in your callback handler.
+     * Requires clientSecret to be set in config.
+     */
+    exchangeCode: (code: string) => Promise<TokenResponse>;
+    /**
+     * Make an authenticated, non-streaming request through the proxy.
+     * Returns a unified envelope: `ProxySuccess` on success, `ProxyError`
+     * on failure. Narrow the result with `isProxyError` / `isProxySuccess`.
+     *
+     * For streaming responses, use a vendor SDK with `baseURL: tk.proxyUrl(...)`
+     * — streams bypass the envelope and are forwarded as-is.
+     *
+     * ```typescript
+     * const result = await tk.call({
+     *   accessToken,
+     *   provider: 'anthropic',
+     *   path: '/v1/messages',
+     *   body: { model: 'claude-3-5-sonnet-latest', max_tokens: 1024, messages: [...] },
+     * });
+     * ```
+     */
+    call: (options: ProxyCallOptions) => Promise<ProxyResponse>;
+    /**
+     * Fetch the access context for an access token: which app it belongs
+     * to and which providers the user has authorised it to call.
+     *
+     * The returned `providers` list is exactly the set that will succeed
+     * through `tk.call()` (budget permitting). Use it to render a picker,
+     * gate UI, or detect that the user is missing a required provider.
+     *
+     * ```typescript
+     * const { app, providers } = await tk.getAllowedProviders(accessToken);
+     * for (const p of providers) {
+     *   console.log(p.displayName, p.logoUrl);
+     * }
+     * ```
+     */
+    getAllowedProviders: (accessToken: string) => Promise<AllowedProvidersResponse>;
+    /**
+     * Get the proxy URL for a specific provider.
+     * Use as `baseURL` in a vendor SDK for streaming requests, which
+     * bypass the unified envelope.
+     */
+    proxyUrl: (provider: Provider) => string;
+    /** The Tokenite dashboard base URL */
+    baseUrl: string;
+    /** The Tokenite proxy base URL */
+    proxyBase: string;
+};
+//# sourceMappingURL=client.d.ts.map