@waffo/pancake-ts 0.1.2 → 0.1.5

package/CHANGELOG.md

@@ -4,6 +4,84 @@ All notable changes to `@waffo/pancake-ts` will be documented in this file.
 
 Format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), versioning follows [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.1.7] - 2026-03-20
+
+### Added
+
+- **Custom webhook public key** — `WaffoPancakeConfig` accepts optional `webhookPublicKey` to override built-in Waffo public keys for webhook signature verification. Useful for self-hosted deployments or custom key rotation.
+- **`client.webhooks.verify()`** — New resource namespace on the client instance. Uses the configured `webhookPublicKey` automatically; supports per-call override via `options.publicKey`.
+- **`VerifyWebhookOptions.publicKey`** — The standalone `verifyWebhook()` function also accepts a custom public key per call, taking precedence over built-in keys and the `environment` option.
+- **Public key normalization** — `normalizePublicKey()` handles the same flexible input formats as `normalizePrivateKey`: literal `\n` from environment variables, Windows `\r\n` line endings, raw base64 without PEM headers, single-line base64, and PKCS#1 (`BEGIN RSA PUBLIC KEY`) format. Applied automatically when a custom public key is used.
+
+## [0.1.6] - 2026-03-18
+
+### Changed
+
+- **Types (BREAKING)** — `PriceInfo` removes `taxIncluded` field. Prices now only require `amount` and `taxCategory`. The system internally defaults to tax-exclusive pricing; `taxIncluded` may be re-introduced in a future version.
+- **Types (BREAKING)** — `Store` removes `isPublic` field from response type. `UpdateStoreParams` removes `isPublic` field from input type. Store visibility is no longer configurable (defaults to private).
+
+### Migration
+
+Remove `taxIncluded` from all `PriceInfo` / `Prices` objects:
+
+```diff
+ const { product } = await client.onetimeProducts.create({
+   storeId: "store_xxx",
+   name: "My Product",
+   prices: {
+-    USD: { amount: 2900, taxIncluded: false, taxCategory: "digital_goods" },
++    USD: { amount: 2900, taxCategory: "digital_goods" },
+   },
+ });
+```
+
+Remove `isPublic` from `stores.update()` calls:
+
+```diff
+ const { store } = await client.stores.update({
+   id: "store_xxx",
+-  isPublic: true,
+   name: "Updated Name",
+ });
+```
+
+## [0.1.5] - 2026-03-18
+
+### Changed
+
+- **Types** — `CheckoutThemeSettings` removes `checkoutColorTextSecondary` field (7→6 fields). The secondary text color is now derived server-side from `checkoutColorText` and `checkoutColorCard` via color mixing. Merchants only need to configure 5 base color/radius fields; the remaining 7 PSP variables are computed automatically.
+
+### Migration
+
+If your code references `checkoutColorTextSecondary`, remove it. The field is no longer accepted by the API and is silently ignored in stored data.
+
+```diff
+ const theme: CheckoutThemeSettings = {
+   checkoutLogo: null,
+   checkoutColorPrimary: "#6366f1",
+   checkoutColorBackground: "#ffffff",
+   checkoutColorCard: "#f9fafb",
+   checkoutColorText: "#111827",
+-  checkoutColorTextSecondary: "#6b7280",
+   checkoutBorderRadius: "0.5rem",
+ };
+```
+
+## [0.1.4] - 2026-03-16
+
+### Changed
+
+- **Types** — `CheckoutSettings` adds `defaultDarkMode: boolean` field to match API response (store create/update)
+- **Types** — `CreateCheckoutSessionParams` adds optional `darkMode` field for dark mode override
+- **Types** — `CreateCheckoutSessionParams.storeId` changed from optional to required to match API spec
+
+## [0.1.3] - 2026-03-11
+
+### Added
+
+- **Private key normalization** — `privateKey` is automatically normalized at construction time. Accepts literal `\n` from environment variables, Windows `\r\n` line endings, raw base64 without PEM headers, single-line base64, and PKCS#1 (`BEGIN RSA PRIVATE KEY`) format. Invalid or empty keys throw a descriptive error immediately instead of failing on the first API call.
+- **Checkout integration guide** in README — Step-by-step instructions (Issue Token → Create Session → Open Checkout Page) with recommendation to open the checkout URL in a new browser tab.
+
 ## [0.1.2] - 2026-03-11
 
 ### Fixed

package/README.md

@@ -31,8 +31,8 @@ const { product } = await client.onetimeProducts.create({
   storeId: store.id,
   name: "E-Book: TypeScript Handbook",
   prices: {
-    USD: { amount: 2900, taxIncluded: false, taxCategory: "digital_goods" },
-    EUR: { amount: 2700, taxIncluded: true, taxCategory: "digital_goods" },
+    USD: { amount: 2900, taxCategory: "digital_goods" },
+    EUR: { amount: 2700, taxCategory: "digital_goods" },
   },
 });
 
@@ -56,9 +56,45 @@ const result = await client.graphql.query<{ stores: Array<{ id: string; name: st
 | Parameter | Type | Required | Description |
 |-----------|------|----------|-------------|
 | `merchantId` | `string` | Yes | Merchant ID, sent as `X-Merchant-Id` header |
-| `privateKey` | `string` | Yes | RSA private key in PEM format for request signing |
+| `privateKey` | `string` | Yes | RSA private key (see [Private Key Formats](#private-key-formats) below) |
 | `baseUrl` | `string` | No | API base URL (default: `https://waffo-pancake-auth-service.vercel.app`) |
 | `fetch` | `typeof fetch` | No | Custom fetch implementation |
+| `webhookPublicKey` | `string` | No | Custom RSA public key for webhook verification (see [Public Key Formats](#public-key-formats) below). Overrides built-in keys when set. |
+
+### Private Key Formats
+
+The SDK automatically normalizes `privateKey` at construction time, so all of the following formats are accepted:
+
+| Format | Example | Notes |
+|--------|---------|-------|
+| Standard PKCS#8 PEM | `-----BEGIN PRIVATE KEY-----\n...` | Recommended |
+| PKCS#1 PEM | `-----BEGIN RSA PRIVATE KEY-----\n...` | Also accepted |
+| Literal `\n` (env vars) | `"-----BEGIN PRIVATE KEY-----\\nMIIE..."` | Common when stored in `.env` or CI secrets |
+| Windows line endings | `\r\n` | Converted to `\n` |
+| Raw base64 (no headers) | `MIIEvQIBADANBgkqhki...` | Wrapped with PKCS#8 headers automatically |
+| Single-line base64 with headers | Header + all base64 on one line + footer | Re-wrapped to 64-char lines |
+
+If the key is invalid or empty, the constructor throws a descriptive error immediately rather than failing silently on the first API call.
+
+```typescript
+// All of these work:
+new WaffoPancake({ merchantId: "m_1", privateKey: process.env.PRIVATE_KEY! });         // .env with literal \n
+new WaffoPancake({ merchantId: "m_1", privateKey: fs.readFileSync("key.pem", "utf8") }); // file read
+new WaffoPancake({ merchantId: "m_1", privateKey: rawBase64String });                   // raw base64
+```
+
+### Public Key Formats
+
+The `webhookPublicKey` option (and the `publicKey` field in `VerifyWebhookOptions`) accepts the same flexible formats as private keys:
+
+| Format | Example | Notes |
+|--------|---------|-------|
+| Standard SPKI PEM | `-----BEGIN PUBLIC KEY-----\n...` | Recommended |
+| PKCS#1 PEM | `-----BEGIN RSA PUBLIC KEY-----\n...` | Also accepted |
+| Literal `\n` (env vars) | `"-----BEGIN PUBLIC KEY-----\\nMIIB..."` | Common when stored in `.env` or CI secrets |
+| Windows line endings | `\r\n` | Converted to `\n` |
+| Raw base64 (no headers) | `MIIBIjANBgkqhki...` | Wrapped with SPKI headers automatically |
+| Single-line base64 with headers | Header + all base64 on one line + footer | Re-wrapped to 64-char lines |
 
 ## Resources
 
@@ -73,9 +109,118 @@ const result = await client.graphql.query<{ stores: Array<{ id: string; name: st
 | `client.orders` | `cancelSubscription()` | Order management (pending→canceled, active→canceling) |
 | `client.checkout` | `createSession()` | Create a checkout session with trial toggle, billing detail, and price snapshot |
 | `client.graphql` | `query<T>()` | Typed GraphQL queries (Query only, no Mutations) |
+| `client.webhooks` | `verify<T>()` | Webhook signature verification (uses configured `webhookPublicKey` or built-in keys) |
 
 See [API Reference](docs/api-reference.md) for complete parameter tables and return types.
 
+## Checkout Integration
+
+Guide buyers from your site to the Waffo checkout page in three steps:
+
+```
+1. Issue Session Token      →  Obtain a buyer identity credential (JWT)
+2. Create Checkout Session  →  Create a session and get the checkout URL
+3. Open Checkout Page       →  Open the checkout in a new browser tab
+```
+
+### Step 1 — Issue a Session Token
+
+Your backend requests a Session Token on behalf of the buyer. The token carries the buyer's identity and is used by the checkout page to load order details and place orders.
+
+```typescript
+const { token } = await client.auth.issueSessionToken({
+  storeId: "store_xxx",
+  buyerIdentity: "customer@example.com",
+});
+```
+
+### Step 2 — Create a Checkout Session
+
+Create a checkout session with your API Key. The response includes a checkout URL with the token embedded in the URL fragment.
+
+```typescript
+import { CheckoutSessionProductType } from "@waffo/pancake-ts";
+
+const session = await client.checkout.createSession({
+  storeId: "store_xxx",
+  productId: "prod_xxx",
+  productType: CheckoutSessionProductType.Onetime,
+  currency: "USD",
+  buyerEmail: "customer@example.com",
+  successUrl: "https://example.com/thank-you",
+});
+// session.checkoutUrl format:
+// https://waffo.ai/store/{slug}/checkout/{sessionId}#token={JWT}
+```
+
+The token is passed via the URL fragment (after `#`), which is never sent to the server and never appears in the `Referer` header.
+
+### Step 3 — Open Checkout Page (New Tab)
+
+**We recommend opening the checkout page in a new tab** rather than navigating in the current page. Benefits:
+
+- Buyers can return to your site immediately after payment or if they close the checkout tab
+- Merchant page state (cart, forms, scroll position) is preserved
+- Payment flow is decoupled from the browsing experience, reducing checkout abandonment
+
+```typescript
+// Frontend — recommended: open in a new tab
+window.open(session.checkoutUrl, "_blank", "noopener,noreferrer");
+
+// Or via an <a> tag
+// <a href={checkoutUrl} target="_blank" rel="noopener noreferrer">Proceed to Checkout</a>
+```
+
+> **Not recommended:** `window.location.href = session.checkoutUrl` replaces the current page, preventing buyers from returning to your site without browser back navigation.
+
+### Complete Example (Express)
+
+```typescript
+import express from "express";
+import { WaffoPancake, CheckoutSessionProductType } from "@waffo/pancake-ts";
+
+const client = new WaffoPancake({
+  merchantId: process.env.WAFFO_MERCHANT_ID!,
+  privateKey: process.env.WAFFO_PRIVATE_KEY!,
+});
+
+const app = express();
+
+app.post("/api/checkout", async (req, res) => {
+  const { productId, currency, buyerEmail } = req.body;
+
+  // Step 1: Issue session token
+  const { token } = await client.auth.issueSessionToken({
+    storeId: "store_xxx",
+    buyerIdentity: buyerEmail,
+  });
+
+  // Step 2: Create checkout session
+  const session = await client.checkout.createSession({
+    storeId: "store_xxx",
+    productId,
+    productType: CheckoutSessionProductType.Onetime,
+    currency,
+    buyerEmail,
+    successUrl: "https://example.com/thank-you",
+  });
+
+  // Return URL to frontend (frontend opens in new tab)
+  res.json({ checkoutUrl: session.checkoutUrl });
+});
+```
+
+```typescript
+// Frontend
+const res = await fetch("/api/checkout", {
+  method: "POST",
+  headers: { "Content-Type": "application/json" },
+  body: JSON.stringify({ productId: "prod_xxx", currency: "USD", buyerEmail: "customer@example.com" }),
+});
+const { checkoutUrl } = await res.json();
+window.open(checkoutUrl, "_blank", "noopener,noreferrer");
+```
+
 ## Usage Examples
 
 ### Auth — Issue a Buyer Session Token
@@ -130,9 +275,9 @@ const { product } = await client.onetimeProducts.create({
   name: "E-Book: TypeScript Handbook",
   description: "Complete TypeScript guide for developers",
   prices: {
-    USD: { amount: 2900, taxIncluded: false, taxCategory: TaxCategory.DigitalGoods },
-    EUR: { amount: 2700, taxIncluded: true, taxCategory: TaxCategory.DigitalGoods },
-    JPY: { amount: 4500, taxIncluded: true, taxCategory: TaxCategory.DigitalGoods },
+    USD: { amount: 2900, taxCategory: TaxCategory.DigitalGoods },
+    EUR: { amount: 2700, taxCategory: TaxCategory.DigitalGoods },
+    JPY: { amount: 4500, taxCategory: TaxCategory.DigitalGoods },
   },
   media: [{ type: "image", url: "https://example.com/cover.jpg", alt: "Book cover" }],
   metadata: { sku: "ebook-ts-001" },
@@ -142,7 +287,7 @@ const { product } = await client.onetimeProducts.create({
 await client.onetimeProducts.update({
   id: product.id,
   name: "E-Book: TypeScript Handbook v2",
-  prices: { USD: { amount: 3900, taxIncluded: false, taxCategory: "digital_goods" } },
+  prices: { USD: { amount: 3900, taxCategory: "digital_goods" } },
 });
 
 // Publish test version → production
@@ -161,7 +306,7 @@ const { product } = await client.subscriptionProducts.create({
   storeId: "store_xxx",
   name: "Pro Plan",
   billingPeriod: BillingPeriod.Monthly,
-  prices: { USD: { amount: 999, taxIncluded: false, taxCategory: TaxCategory.SaaS } },
+  prices: { USD: { amount: 999, taxCategory: TaxCategory.SaaS } },
   description: "Unlimited access to all features",
 });
 
@@ -218,6 +363,7 @@ const session = await client.checkout.createSession({
 
 // Subscription with trial and billing detail
 const subSession = await client.checkout.createSession({
+  storeId: "store_xxx",
   productId: "prod_yyy",
   productType: CheckoutSessionProductType.Subscription,
   currency: "USD",
@@ -260,7 +406,9 @@ See [GraphQL Guide](docs/graphql-guide.md) for introspection, filters, paginatio
 
 ## Webhook Verification
 
-The SDK exports a standalone `verifyWebhook()` function with **embedded RSA-SHA256 public keys** for both test and production environments. No need to manage keys yourself.
+Two ways to verify webhooks: the **standalone function** `verifyWebhook()` with built-in public keys, or the **client instance method** `client.webhooks.verify()` which uses the configured `webhookPublicKey`.
+
+### Option A — Standalone Function (built-in keys)
 
 ```typescript
 import { verifyWebhook, WebhookEventType } from "@waffo/pancake-ts";
@@ -314,6 +462,32 @@ const event = verifyWebhook(body, sig, { environment: "prod" });
 const event = verifyWebhook(body, sig, { toleranceMs: 0 }); // disable replay check
 ```
 
+### Option B — Client Instance Method (custom public key)
+
+When you provide a `webhookPublicKey` in the client config, `client.webhooks.verify()` uses that key automatically. Useful for self-hosted deployments or custom key rotation.
+
+```typescript
+const client = new WaffoPancake({
+  merchantId: process.env.WAFFO_MERCHANT_ID!,
+  privateKey: process.env.WAFFO_PRIVATE_KEY!,
+  webhookPublicKey: process.env.WAFFO_WEBHOOK_PUBLIC_KEY!, // any format accepted
+});
+
+// Uses the configured public key — no need to pass it per call
+const event = client.webhooks.verify(rawBody, signatureHeader);
+
+// You can still override per call if needed
+const event = client.webhooks.verify(rawBody, sig, { publicKey: anotherKey });
+```
+
+### Standalone Function with Custom Key
+
+You can also pass a custom key directly to the standalone function without creating a client:
+
+```typescript
+const event = verifyWebhook(body, sig, { publicKey: process.env.MY_PUBLIC_KEY! });
+```
+
 See [Webhook Guide](docs/webhook-guide.md) for all 10 event types, signature algorithm, and best practices.
 
 ## Error Handling
@@ -406,7 +580,8 @@ src/
     ├── subscription-product-groups.ts
     ├── orders.ts
     ├── checkout.ts
-    └── graphql.ts
+    ├── graphql.ts
+    └── webhooks.ts
 docs/
 ├── api-reference.md       # Complete API reference
 ├── graphql-guide.md       # GraphQL usage guide

package/dist/index.cjs

@@ -59,6 +59,104 @@ var WaffoPancakeError = class extends Error {
 
 // src/signing.ts
 var import_node_crypto = require("crypto");
+var PKCS8_HEADER = "-----BEGIN PRIVATE KEY-----";
+var PKCS8_FOOTER = "-----END PRIVATE KEY-----";
+var PKCS1_HEADER = "-----BEGIN RSA PRIVATE KEY-----";
+var PKCS1_FOOTER = "-----END RSA PRIVATE KEY-----";
+var SPKI_HEADER = "-----BEGIN PUBLIC KEY-----";
+var SPKI_FOOTER = "-----END PUBLIC KEY-----";
+var PKCS1_PUB_HEADER = "-----BEGIN RSA PUBLIC KEY-----";
+var PKCS1_PUB_FOOTER = "-----END RSA PUBLIC KEY-----";
+function normalizePrivateKey(raw) {
+  if (!raw || !raw.trim()) {
+    throw new Error(
+      "Private key is empty. Provide an RSA private key in PEM format."
+    );
+  }
+  let pem = raw.replace(/\\n/g, "\n").replace(/\r\n/g, "\n");
+  pem = pem.trim();
+  const hasPkcs8Header = pem.includes(PKCS8_HEADER);
+  const hasPkcs1Header = pem.includes(PKCS1_HEADER);
+  const hasHeader = hasPkcs8Header || hasPkcs1Header;
+  if (hasHeader) {
+    const base64 = pem.replace(/-----BEGIN (?:RSA )?PRIVATE KEY-----/g, "").replace(/-----END (?:RSA )?PRIVATE KEY-----/g, "").replace(/\s+/g, "");
+    if (!base64) {
+      throw new Error(
+        "Private key contains PEM headers but no key data. Check the key content."
+      );
+    }
+    const header = hasPkcs1Header ? PKCS1_HEADER : PKCS8_HEADER;
+    const footer = hasPkcs1Header ? PKCS1_FOOTER : PKCS8_FOOTER;
+    const wrapped = base64.match(/.{1,64}/g).join("\n");
+    pem = `${header}
+${wrapped}
+${footer}`;
+  } else {
+    const base64 = pem.replace(/\s+/g, "");
+    if (!/^[A-Za-z0-9+/]+=*$/.test(base64)) {
+      throw new Error(
+        "Private key is not valid PEM or base64. Expected an RSA private key in PEM format or raw base64."
+      );
+    }
+    const wrapped = base64.match(/.{1,64}/g).join("\n");
+    pem = `${PKCS8_HEADER}
+${wrapped}
+${PKCS8_FOOTER}`;
+  }
+  try {
+    (0, import_node_crypto.createPrivateKey)(pem);
+  } catch {
+    throw new Error(
+      "Private key could not be parsed. Ensure it is a valid RSA private key in PKCS#8 or PKCS#1 (PEM) format."
+    );
+  }
+  return pem;
+}
+function normalizePublicKey(raw) {
+  if (!raw || !raw.trim()) {
+    throw new Error(
+      "Public key is empty. Provide an RSA public key in PEM format."
+    );
+  }
+  let pem = raw.replace(/\\n/g, "\n").replace(/\r\n/g, "\n");
+  pem = pem.trim();
+  const hasSpkiHeader = pem.includes(SPKI_HEADER);
+  const hasPkcs1PubHeader = pem.includes(PKCS1_PUB_HEADER);
+  const hasHeader = hasSpkiHeader || hasPkcs1PubHeader;
+  if (hasHeader) {
+    const base64 = pem.replace(/-----BEGIN (?:RSA )?PUBLIC KEY-----/g, "").replace(/-----END (?:RSA )?PUBLIC KEY-----/g, "").replace(/\s+/g, "");
+    if (!base64) {
+      throw new Error(
+        "Public key contains PEM headers but no key data. Check the key content."
+      );
+    }
+    const header = hasPkcs1PubHeader ? PKCS1_PUB_HEADER : SPKI_HEADER;
+    const footer = hasPkcs1PubHeader ? PKCS1_PUB_FOOTER : SPKI_FOOTER;
+    const wrapped = base64.match(/.{1,64}/g).join("\n");
+    pem = `${header}
+${wrapped}
+${footer}`;
+  } else {
+    const base64 = pem.replace(/\s+/g, "");
+    if (!/^[A-Za-z0-9+/]+=*$/.test(base64)) {
+      throw new Error(
+        "Public key is not valid PEM or base64. Expected an RSA public key in PEM format or raw base64."
+      );
+    }
+    const wrapped = base64.match(/.{1,64}/g).join("\n");
+    pem = `${SPKI_HEADER}
+${wrapped}
+${SPKI_FOOTER}`;
+  }
+  try {
+    (0, import_node_crypto.createPublicKey)(pem);
+  } catch {
+    throw new Error(
+      "Public key could not be parsed. Ensure it is a valid RSA public key in SPKI or PKCS#1 (PEM) format."
+    );
+  }
+  return pem;
+}
 function signRequest(method, path, timestamp, body, privateKey) {
   const bodyHash = (0, import_node_crypto.createHash)("sha256").update(body).digest("base64");
   const canonicalRequest = `${method}
@@ -79,7 +177,7 @@ var HttpClient = class {
   _fetch;
   constructor(config) {
     this.merchantId = config.merchantId;
-    this.privateKey = config.privateKey;
+    this.privateKey = normalizePrivateKey(config.privateKey);
     this.baseUrl = (config.baseUrl ?? DEFAULT_BASE_URL).replace(/\/+$/, "");
     this._fetch = config.fetch ?? fetch;
   }
@@ -210,7 +308,7 @@ var OnetimeProductsResource = class {
    * const { product } = await client.onetimeProducts.create({
    *   storeId: "store_xxx",
    *   name: "E-Book",
-   *   prices: { USD: { amount: 2900, taxIncluded: false, taxCategory: "digital_goods" } },
+   *   prices: { USD: { amount: 2900, taxCategory: "digital_goods" } },
    * });
    */
   async create(params) {
@@ -226,7 +324,7 @@ var OnetimeProductsResource = class {
    * const { product } = await client.onetimeProducts.update({
    *   id: "prod_xxx",
    *   name: "E-Book v2",
-   *   prices: { USD: { amount: 3900, taxIncluded: false, taxCategory: "digital_goods" } },
+   *   prices: { USD: { amount: 3900, taxCategory: "digital_goods" } },
    * });
    */
   async update(params) {
@@ -367,7 +465,6 @@ var StoresResource = class {
    * const { store } = await client.stores.update({
    *   id: "store_xxx",
    *   name: "Updated Name",
-   *   supportEmail: "help@example.com",
    * });
    */
   async update(params) {
@@ -466,7 +563,7 @@ var SubscriptionProductsResource = class {
    *   storeId: "store_xxx",
    *   name: "Pro Plan",
    *   billingPeriod: "monthly",
-   *   prices: { USD: { amount: 999, taxIncluded: false, taxCategory: "saas" } },
+   *   prices: { USD: { amount: 999, taxCategory: "saas" } },
    * });
    */
   async create(params) {
@@ -483,7 +580,7 @@ var SubscriptionProductsResource = class {
    *   id: "prod_xxx",
    *   name: "Pro Plan v2",
    *   billingPeriod: "monthly",
-   *   prices: { USD: { amount: 1499, taxIncluded: false, taxCategory: "saas" } },
+   *   prices: { USD: { amount: 1499, taxCategory: "saas" } },
    * });
    */
   async update(params) {
@@ -518,32 +615,6 @@ var SubscriptionProductsResource = class {
   }
 };
 
-// src/client.ts
-var WaffoPancake = class {
-  http;
-  auth;
-  stores;
-  storeMerchants;
-  onetimeProducts;
-  subscriptionProducts;
-  subscriptionProductGroups;
-  orders;
-  checkout;
-  graphql;
-  constructor(config) {
-    this.http = new HttpClient(config);
-    this.auth = new AuthResource(this.http);
-    this.stores = new StoresResource(this.http);
-    this.storeMerchants = new StoreMerchantsResource(this.http);
-    this.onetimeProducts = new OnetimeProductsResource(this.http);
-    this.subscriptionProducts = new SubscriptionProductsResource(this.http);
-    this.subscriptionProductGroups = new SubscriptionProductGroupsResource(this.http);
-    this.orders = new OrdersResource(this.http);
-    this.checkout = new CheckoutResource(this.http);
-    this.graphql = new GraphQLResource(this.http);
-  }
-};
-
 // src/webhooks.ts
 var import_node_crypto3 = require("crypto");
 var DEFAULT_TOLERANCE_MS = 5 * 60 * 1e3;
@@ -602,27 +673,97 @@ function verifyWebhook(payload, signatureHeader, options) {
     }
   }
   const signatureInput = `${t}.${payload}`;
-  const env = options?.environment;
-  if (env === "test") {
-    if (!rsaVerify(signatureInput, v1, TEST_PUBLIC_KEY)) {
-      throw new Error("Invalid webhook signature (test key)");
-    }
-  } else if (env === "prod") {
-    if (!rsaVerify(signatureInput, v1, PROD_PUBLIC_KEY)) {
-      throw new Error("Invalid webhook signature (prod key)");
+  const customKey = options?.publicKey;
+  if (customKey) {
+    const normalizedKey = normalizePublicKey(customKey);
+    if (!rsaVerify(signatureInput, v1, normalizedKey)) {
+      throw new Error("Invalid webhook signature (custom key)");
     }
   } else {
-    const prodValid = rsaVerify(signatureInput, v1, PROD_PUBLIC_KEY);
-    if (!prodValid) {
-      const testValid = rsaVerify(signatureInput, v1, TEST_PUBLIC_KEY);
-      if (!testValid) {
-        throw new Error("Invalid webhook signature (tried both prod and test keys)");
+    const env = options?.environment;
+    if (env === "test") {
+      if (!rsaVerify(signatureInput, v1, TEST_PUBLIC_KEY)) {
+        throw new Error("Invalid webhook signature (test key)");
+      }
+    } else if (env === "prod") {
+      if (!rsaVerify(signatureInput, v1, PROD_PUBLIC_KEY)) {
+        throw new Error("Invalid webhook signature (prod key)");
+      }
+    } else {
+      const prodValid = rsaVerify(signatureInput, v1, PROD_PUBLIC_KEY);
+      if (!prodValid) {
+        const testValid = rsaVerify(signatureInput, v1, TEST_PUBLIC_KEY);
+        if (!testValid) {
+          throw new Error("Invalid webhook signature (tried both prod and test keys)");
+        }
       }
     }
   }
   return JSON.parse(payload);
 }
 
+// src/resources/webhooks.ts
+var WebhooksResource = class {
+  /** @param publicKey - Optional custom RSA public key (PEM or raw base64) */
+  constructor(publicKey) {
+    this.publicKey = publicKey;
+  }
+  /**
+   * Verify and parse an incoming webhook event.
+   *
+   * When the client was created with a `webhookPublicKey`, that key is used
+   * automatically. You can still override per-call via `options.publicKey`.
+   *
+   * @param payload - Raw request body string (must be unparsed)
+   * @param signatureHeader - Value of the `X-Waffo-Signature` header
+   * @param options - Verification options (optional)
+   * @returns Parsed webhook event
+   * @throws Error if signature is invalid, header is malformed, or timestamp is stale
+   *
+   * @example
+   * const event = client.webhooks.verify(rawBody, signatureHeader);
+   *
+   * @example
+   * // Override tolerance per call
+   * const event = client.webhooks.verify(rawBody, sig, { toleranceMs: 0 });
+   */
+  verify(payload, signatureHeader, options) {
+    const mergedOptions = {
+      ...options,
+      publicKey: options?.publicKey ?? this.publicKey
+    };
+    return verifyWebhook(payload, signatureHeader, mergedOptions);
+  }
+};
+
+// src/client.ts
+var WaffoPancake = class {
+  http;
+  auth;
+  stores;
+  storeMerchants;
+  onetimeProducts;
+  subscriptionProducts;
+  subscriptionProductGroups;
+  orders;
+  checkout;
+  graphql;
+  webhooks;
+  constructor(config) {
+    this.http = new HttpClient(config);
+    this.auth = new AuthResource(this.http);
+    this.stores = new StoresResource(this.http);
+    this.storeMerchants = new StoreMerchantsResource(this.http);
+    this.onetimeProducts = new OnetimeProductsResource(this.http);
+    this.subscriptionProducts = new SubscriptionProductsResource(this.http);
+    this.subscriptionProductGroups = new SubscriptionProductGroupsResource(this.http);
+    this.orders = new OrdersResource(this.http);
+    this.checkout = new CheckoutResource(this.http);
+    this.graphql = new GraphQLResource(this.http);
+    this.webhooks = new WebhooksResource(config.webhookPublicKey);
+  }
+};
+
 // src/types.ts
 var Environment = /* @__PURE__ */ ((Environment2) => {
   Environment2["Test"] = "test";