@workos-inc/node 7.41.0 → 7.42.0

package/lib/common/exceptions/conflict.exception.d.ts

@@ -0,0 +1,11 @@
+import { RequestException } from '../interfaces/request-exception.interface';
+export declare class ConflictException extends Error implements RequestException {
+    readonly status = 409;
+    readonly name = "ConflictException";
+    readonly requestID: string;
+    constructor({ error, message, requestID, }: {
+        error?: string;
+        message?: string;
+        requestID: string;
+    });
+}

package/lib/common/exceptions/conflict.exception.js

@@ -0,0 +1,21 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ConflictException = void 0;
+class ConflictException extends Error {
+    constructor({ error, message, requestID, }) {
+        super();
+        this.status = 409;
+        this.name = 'ConflictException';
+        this.requestID = requestID;
+        if (message) {
+            this.message = message;
+        }
+        else if (error) {
+            this.message = `Error: ${error}`;
+        }
+        else {
+            this.message = `An conflict has occurred on the server.`;
+        }
+    }
+}
+exports.ConflictException = ConflictException;

package/lib/common/utils/test-utils.d.ts

@@ -5,6 +5,7 @@ export declare function fetchSearchParams(): {
     [k: string]: string;
 };
 export declare function fetchHeaders(): HeadersInit | undefined;
+export declare function fetchMethod(): string | undefined;
 export declare function fetchBody({ raw }?: {
     raw?: boolean | undefined;
 }): any;

package/lib/common/utils/test-utils.js

@@ -14,7 +14,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.fetchBody = exports.fetchHeaders = exports.fetchSearchParams = exports.fetchURL = exports.fetchOnce = void 0;
+exports.fetchBody = exports.fetchMethod = exports.fetchHeaders = exports.fetchSearchParams = exports.fetchURL = exports.fetchOnce = void 0;
 const jest_fetch_mock_1 = __importDefault(require("jest-fetch-mock"));
 function fetchOnce(response = {}, _a = {}) {
     var { status = 200, headers } = _a, rest = __rest(_a, ["status", "headers"]);
@@ -34,6 +34,11 @@ function fetchHeaders() {
     return (_a = jest_fetch_mock_1.default.mock.calls[0][1]) === null || _a === void 0 ? void 0 : _a.headers;
 }
 exports.fetchHeaders = fetchHeaders;
+function fetchMethod() {
+    var _a;
+    return (_a = jest_fetch_mock_1.default.mock.calls[0][1]) === null || _a === void 0 ? void 0 : _a.method;
+}
+exports.fetchMethod = fetchMethod;
 function fetchBody({ raw = false } = {}) {
     var _a;
     const body = (_a = jest_fetch_mock_1.default.mock.calls[0][1]) === null || _a === void 0 ? void 0 : _a.body;

package/lib/vault/cryptography/decrypt.d.ts

@@ -0,0 +1,9 @@
+/// <reference types="node" />
+export interface Decoded {
+    iv: Buffer;
+    tag: Buffer;
+    keys: string;
+    ciphertext: Buffer;
+}
+export declare const decrypt: (payload: string | Decoded, dataKey: string) => string;
+export declare const decode: (payload: string) => Decoded;

package/lib/vault/cryptography/decrypt.js

@@ -0,0 +1,37 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.decode = exports.decrypt = void 0;
+const crypto_1 = __importDefault(require("crypto"));
+const leb_1 = require("leb");
+const decrypt = (payload, dataKey) => {
+    if (typeof payload === 'string') {
+        payload = (0, exports.decode)(payload);
+    }
+    const { iv, tag, ciphertext } = payload;
+    const key = Buffer.from(dataKey, 'base64');
+    const decipher = crypto_1.default.createDecipheriv('aes-256-gcm', key, iv);
+    decipher.setAuthTag(tag);
+    const decrypted = decipher.update(ciphertext, undefined, 'utf-8') + decipher.final('utf-8');
+    return decrypted;
+};
+exports.decrypt = decrypt;
+const decode = (payload) => {
+    const inputData = Buffer.from(payload, 'base64');
+    const iv = inputData.slice(0, 32);
+    const tag = inputData.slice(32, 48);
+    const { value: keyLen, nextIndex } = (0, leb_1.decodeUInt32)(inputData, 48);
+    const keys = inputData
+        .slice(nextIndex, nextIndex + keyLen)
+        .toString('base64');
+    const ciphertext = inputData.slice(nextIndex + keyLen);
+    return {
+        iv,
+        tag,
+        keys,
+        ciphertext,
+    };
+};
+exports.decode = decode;

package/lib/vault/cryptography/encrypt.d.ts

@@ -0,0 +1 @@
+export declare const encrypt: (data: string, dataKey: string, encryptedKeys: string) => string;

package/lib/vault/cryptography/encrypt.js

@@ -0,0 +1,31 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.encrypt = void 0;
+const crypto_1 = __importDefault(require("crypto"));
+const leb_1 = require("leb");
+const encrypt = (data, dataKey, encryptedKeys) => {
+    // encrypt using the returned data key
+    const key = Buffer.from(dataKey, 'base64');
+    const keyBlob = Buffer.from(encryptedKeys, 'base64');
+    const prefixLen = (0, leb_1.encodeUInt32)(keyBlob.length);
+    const iv = crypto_1.default.randomBytes(32);
+    const cipher = crypto_1.default.createCipheriv('aes-256-gcm', key, iv);
+    const ciphertext = Buffer.concat([
+        cipher.update(data, 'utf8'),
+        cipher.final(),
+    ]);
+    const tag = cipher.getAuthTag();
+    // store the encrypted keys with the ciphertext
+    const payload = Buffer.concat([
+        iv,
+        tag,
+        prefixLen,
+        keyBlob,
+        ciphertext,
+    ]).toString('base64');
+    return payload;
+};
+exports.encrypt = encrypt;

package/lib/vault/interfaces/index.d.ts

@@ -0,0 +1,10 @@
+export * from './key/create-data-key.interface';
+export * from './key/decrypt-data-key.interface';
+export * from './key.interface';
+export * from './secret/create-secret.interface';
+export * from './secret/delete-secret.interface';
+export * from './secret/list-secret-versions.interface';
+export * from './secret/list-secrets.interface';
+export * from './secret/read-secret.interface';
+export * from './secret/update-secret.interface';
+export * from './secret.interface';

package/lib/vault/interfaces/index.js

@@ -0,0 +1,26 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./key/create-data-key.interface"), exports);
+__exportStar(require("./key/decrypt-data-key.interface"), exports);
+__exportStar(require("./key.interface"), exports);
+__exportStar(require("./secret/create-secret.interface"), exports);
+__exportStar(require("./secret/delete-secret.interface"), exports);
+__exportStar(require("./secret/list-secret-versions.interface"), exports);
+__exportStar(require("./secret/list-secrets.interface"), exports);
+__exportStar(require("./secret/read-secret.interface"), exports);
+__exportStar(require("./secret/update-secret.interface"), exports);
+__exportStar(require("./secret.interface"), exports);

package/lib/vault/interfaces/key/create-data-key.interface.d.ts

@@ -0,0 +1,10 @@
+import { SecretContext } from '../secret.interface';
+export interface CreateDataKeyOptions {
+    context: SecretContext;
+}
+export interface CreateDataKeyResponse {
+    context: SecretContext;
+    data_key: string;
+    encrypted_keys: string;
+    id: string;
+}

package/lib/vault/interfaces/key/create-data-key.interface.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/lib/vault/interfaces/key/decrypt-data-key.interface.d.ts

@@ -0,0 +1,7 @@
+export interface DecryptDataKeyOptions {
+    keys: string;
+}
+export interface DecryptDataKeyResponse {
+    data_key: string;
+    id: string;
+}

package/lib/vault/interfaces/key/decrypt-data-key.interface.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/lib/vault/interfaces/key.interface.d.ts

@@ -0,0 +1,10 @@
+import { SecretContext } from './secret.interface';
+export interface DataKeyPair {
+    context: SecretContext;
+    dataKey: DataKey;
+    encryptedKeys: string;
+}
+export interface DataKey {
+    key: string;
+    id: string;
+}

package/lib/vault/interfaces/key.interface.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/lib/vault/interfaces/secret/create-secret.interface.d.ts

@@ -0,0 +1,11 @@
+import { SecretContext } from '../secret.interface';
+export interface CreateSecretEntity {
+    name: string;
+    value: string;
+    key_context: SecretContext;
+}
+export interface CreateSecretOptions {
+    name: string;
+    value: string;
+    context: SecretContext;
+}

package/lib/vault/interfaces/secret/create-secret.interface.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/lib/vault/interfaces/secret/delete-secret.interface.d.ts

@@ -0,0 +1,3 @@
+export interface DeleteSecretOptions {
+    id: string;
+}

package/lib/vault/interfaces/secret/delete-secret.interface.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/lib/vault/interfaces/secret/list-secret-versions.interface.d.ts

@@ -0,0 +1,8 @@
+export interface SecretVersionResponse {
+    id: string;
+    created_at: string;
+    current_version: boolean;
+}
+export interface ListSecretVersionsResponse {
+    data: SecretVersionResponse[];
+}

package/lib/vault/interfaces/secret/list-secret-versions.interface.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/lib/vault/interfaces/secret/list-secrets.interface.d.ts

@@ -0,0 +1,5 @@
+export interface SecretDigestResponse {
+    id: string;
+    name: string;
+    updated_at: string;
+}

package/lib/vault/interfaces/secret/list-secrets.interface.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/lib/vault/interfaces/secret/read-secret.interface.d.ts

@@ -0,0 +1,19 @@
+import { SecretContext, SecretUpdateBy } from '../secret.interface';
+export interface ReadSecretOptions {
+    id: string;
+}
+export interface ReadSecretMetadataResponse {
+    context: SecretContext;
+    environment_id: string;
+    id: string;
+    key_id: string;
+    updated_at: string;
+    updated_by: SecretUpdateBy;
+    version_id: string;
+}
+export interface ReadSecretResponse {
+    id: string;
+    metadata: ReadSecretMetadataResponse;
+    name: string;
+    value: string;
+}

package/lib/vault/interfaces/secret/read-secret.interface.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/lib/vault/interfaces/secret/update-secret.interface.d.ts

@@ -0,0 +1,9 @@
+export interface UpdateSecretEntity {
+    value: string;
+    version_check?: string;
+}
+export interface UpdateSecretOptions {
+    id: string;
+    value: string;
+    versionCheck?: string;
+}

package/lib/vault/interfaces/secret/update-secret.interface.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/lib/vault/interfaces/secret.interface.d.ts

@@ -0,0 +1,32 @@
+export interface SecretContext {
+    [key: string]: any;
+}
+export interface SecretDigest {
+    id: string;
+    name: string;
+    updatedAt: Date;
+}
+export interface SecretUpdateBy {
+    id: string;
+    name: string;
+}
+export interface SecretMetadata {
+    context: SecretContext;
+    environmentId: string;
+    id: string;
+    keyId: string;
+    updatedAt: Date;
+    updatedBy: SecretUpdateBy;
+    versionId: string;
+}
+export interface VaultSecret {
+    id: string;
+    metadata: SecretMetadata;
+    name: string;
+    value?: string;
+}
+export interface SecretVersion {
+    createdAt: Date;
+    currentVersion: boolean;
+    id: string;
+}

package/lib/vault/interfaces/secret.interface.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/lib/vault/serializers/vault-key.serializer.d.ts

@@ -0,0 +1,5 @@
+import { CreateDataKeyResponse } from '../interfaces/key/create-data-key.interface';
+import { DecryptDataKeyResponse } from '../interfaces/key/decrypt-data-key.interface';
+import { DataKey, DataKeyPair } from '../interfaces/key.interface';
+export declare const deserializeCreateDataKeyResponse: (key: CreateDataKeyResponse) => DataKeyPair;
+export declare const deserializeDecryptDataKeyResponse: (key: DecryptDataKeyResponse) => DataKey;

package/lib/vault/serializers/vault-key.serializer.js

@@ -0,0 +1,17 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.deserializeDecryptDataKeyResponse = exports.deserializeCreateDataKeyResponse = void 0;
+const deserializeCreateDataKeyResponse = (key) => ({
+    context: key.context,
+    dataKey: {
+        key: key.data_key,
+        id: key.id,
+    },
+    encryptedKeys: key.encrypted_keys,
+});
+exports.deserializeCreateDataKeyResponse = deserializeCreateDataKeyResponse;
+const deserializeDecryptDataKeyResponse = (key) => ({
+    key: key.data_key,
+    id: key.id,
+});
+exports.deserializeDecryptDataKeyResponse = deserializeDecryptDataKeyResponse;

package/lib/vault/serializers/vault-secret.serializer.d.ts

@@ -0,0 +1,8 @@
+import { List, ListResponse } from '../../common/interfaces';
+import { ReadSecretMetadataResponse, ReadSecretResponse, UpdateSecretOptions, UpdateSecretEntity, SecretMetadata, VaultSecret, SecretVersion, CreateSecretOptions, CreateSecretEntity, SecretDigestResponse, SecretDigest, ListSecretVersionsResponse } from '../interfaces';
+export declare const deserializeSecretMetadata: (metadata: ReadSecretMetadataResponse) => SecretMetadata;
+export declare const deserializeSecret: (secret: ReadSecretResponse) => VaultSecret;
+export declare const deserializeListSecrets: (list: ListResponse<SecretDigestResponse>) => List<SecretDigest>;
+export declare const desrializeListSecretVersions: (list: ListSecretVersionsResponse) => SecretVersion[];
+export declare const serializeCreateSecretEntity: (options: CreateSecretOptions) => CreateSecretEntity;
+export declare const serializeUpdateSecretEntity: (options: UpdateSecretOptions) => UpdateSecretEntity;

package/lib/vault/serializers/vault-secret.serializer.js

@@ -0,0 +1,55 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.serializeUpdateSecretEntity = exports.serializeCreateSecretEntity = exports.desrializeListSecretVersions = exports.deserializeListSecrets = exports.deserializeSecret = exports.deserializeSecretMetadata = void 0;
+const deserializeSecretMetadata = (metadata) => ({
+    context: metadata.context,
+    environmentId: metadata.environment_id,
+    id: metadata.id,
+    keyId: metadata.key_id,
+    updatedAt: new Date(Date.parse(metadata.updated_at)),
+    updatedBy: metadata.updated_by,
+    versionId: metadata.version_id,
+});
+exports.deserializeSecretMetadata = deserializeSecretMetadata;
+const deserializeSecret = (secret) => ({
+    id: secret.id,
+    name: secret.name,
+    value: secret.value,
+    metadata: (0, exports.deserializeSecretMetadata)(secret.metadata),
+});
+exports.deserializeSecret = deserializeSecret;
+const deserializeSecretDigest = (digest) => ({
+    id: digest.id,
+    name: digest.name,
+    updatedAt: new Date(Date.parse(digest.updated_at)),
+});
+const deserializeListSecrets = (list) => {
+    var _a, _b;
+    return ({
+        object: 'list',
+        data: list.data.map(deserializeSecretDigest),
+        listMetadata: {
+            after: (_a = list.list_metadata.after) !== null && _a !== void 0 ? _a : undefined,
+            before: (_b = list.list_metadata.before) !== null && _b !== void 0 ? _b : undefined,
+        },
+    });
+};
+exports.deserializeListSecrets = deserializeListSecrets;
+const desrializeListSecretVersions = (list) => list.data.map(deserializeSecretVersion);
+exports.desrializeListSecretVersions = desrializeListSecretVersions;
+const deserializeSecretVersion = (version) => ({
+    createdAt: new Date(Date.parse(version.created_at)),
+    currentVersion: version.current_version,
+    id: version.id,
+});
+const serializeCreateSecretEntity = (options) => ({
+    name: options.name,
+    value: options.value,
+    key_context: options.context,
+});
+exports.serializeCreateSecretEntity = serializeCreateSecretEntity;
+const serializeUpdateSecretEntity = (options) => ({
+    value: options.value,
+    version_check: options.versionCheck,
+});
+exports.serializeUpdateSecretEntity = serializeUpdateSecretEntity;

package/lib/vault/vault-live-test.spec.d.ts

@@ -0,0 +1 @@
+export {};

package/lib/vault/vault-live-test.spec.js

@@ -0,0 +1,245 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const jest_fetch_mock_1 = require("jest-fetch-mock");
+const workos_1 = require("../workos");
+const crypto_1 = require("crypto");
+const index_worker_1 = require("../index.worker");
+const conflict_exception_1 = require("../common/exceptions/conflict.exception");
+describe.skip('Vault Live Test', () => {
+    let workos;
+    const secretPrefix = (0, crypto_1.randomUUID)();
+    beforeAll(() => {
+        (0, jest_fetch_mock_1.disableFetchMocks)();
+        workos = new workos_1.WorkOS('API_KEY');
+    });
+    afterAll(() => {
+        (0, jest_fetch_mock_1.enableFetchMocks)();
+    });
+    afterEach(() => __awaiter(void 0, void 0, void 0, function* () {
+        let listLimit = 0;
+        let before;
+        do {
+            const allSecrets = yield workos.vault.listSecrets({ after: before });
+            for (const secret of allSecrets.data) {
+                if (secret.name.startsWith(secretPrefix)) {
+                    yield workos.vault.deleteSecret({ id: secret.id });
+                }
+            }
+            before = allSecrets.listMetadata.before;
+            listLimit++;
+        } while (listLimit < 100 && before !== undefined);
+    }));
+    describe('CRUD secrets', () => {
+        it('Creates secrets', () => __awaiter(void 0, void 0, void 0, function* () {
+            const secretName = `${secretPrefix}-lima`;
+            const newSecret = yield workos.vault.createSecret({
+                name: secretName,
+                value: 'Huacaya 27.7 micron',
+                context: { fiber: 'Alpalca' },
+            });
+            const expectedMetadata = {
+                id: expect.any(String),
+                context: {
+                    fiber: 'Alpalca',
+                },
+                environmentId: expect.any(String),
+                keyId: expect.any(String),
+                updatedAt: expect.any(Date),
+                updatedBy: {
+                    id: expect.any(String),
+                    name: expect.any(String),
+                },
+                versionId: expect.any(String),
+            };
+            expect(newSecret).toStrictEqual(expectedMetadata);
+            const secretValue = yield workos.vault.readSecret({ id: newSecret.id });
+            expect(secretValue).toStrictEqual({
+                id: newSecret.id,
+                name: secretName,
+                value: 'Huacaya 27.7 micron',
+                metadata: expectedMetadata,
+            });
+        }));
+        it('Fails to create secrets with the same name', () => __awaiter(void 0, void 0, void 0, function* () {
+            const secretName = `${secretPrefix}-lima`;
+            yield workos.vault.createSecret({
+                name: secretName,
+                value: 'Huacaya 27.7 micron',
+                context: { fiber: 'Alpalca' },
+            });
+            yield expect(workos.vault.createSecret({
+                name: secretName,
+                value: 'Huacaya 27.7 micron',
+                context: { fiber: 'Alpalca' },
+            })).rejects.toThrow(conflict_exception_1.ConflictException);
+        }));
+        it('Updates secrets', () => __awaiter(void 0, void 0, void 0, function* () {
+            const secretName = `${secretPrefix}-cusco`;
+            const newSecret = yield workos.vault.createSecret({
+                name: secretName,
+                value: 'Tapada 20-30 micron',
+                context: { fiber: 'Alpalca' },
+            });
+            const updatedSecret = yield workos.vault.updateSecret({
+                id: newSecret.id,
+                value: 'Ccara 30-40 micron',
+            });
+            const expectedMetadata = {
+                id: expect.any(String),
+                context: {
+                    fiber: 'Alpalca',
+                },
+                environmentId: expect.any(String),
+                keyId: expect.any(String),
+                updatedAt: expect.any(Date),
+                updatedBy: {
+                    id: expect.any(String),
+                    name: expect.any(String),
+                },
+                versionId: expect.any(String),
+            };
+            expect(updatedSecret).toStrictEqual({
+                id: newSecret.id,
+                name: secretName,
+                value: undefined,
+                metadata: expectedMetadata,
+            });
+            const secretValue = yield workos.vault.readSecret({ id: newSecret.id });
+            expect(secretValue).toStrictEqual({
+                id: newSecret.id,
+                name: secretName,
+                value: 'Ccara 30-40 micron',
+                metadata: expectedMetadata,
+            });
+        }));
+        it('Fails to update secrets with wrong version check', () => __awaiter(void 0, void 0, void 0, function* () {
+            const secretName = `${secretPrefix}-cusco`;
+            const newSecret = yield workos.vault.createSecret({
+                name: secretName,
+                value: 'Tapada 20-30 micron',
+                context: { fiber: 'Alpalca' },
+            });
+            yield workos.vault.updateSecret({
+                id: newSecret.id,
+                value: 'Ccara 30-40 micron',
+            });
+            yield expect(workos.vault.updateSecret({
+                id: newSecret.id,
+                value: 'Ccara 30-40 micron',
+                versionCheck: newSecret.versionId,
+            })).rejects.toThrow(conflict_exception_1.ConflictException);
+        }));
+        it('Deletes secrets', () => __awaiter(void 0, void 0, void 0, function* () {
+            const secretName = `${secretPrefix}-machu`;
+            const newSecret = yield workos.vault.createSecret({
+                name: secretName,
+                value: 'Tapada 20-30 micron',
+                context: { fiber: 'Alpalca' },
+            });
+            yield workos.vault.deleteSecret({ id: newSecret.id });
+            yield expect(workos.vault.readSecret({ id: newSecret.id })).rejects.toThrow(index_worker_1.NotFoundException);
+        }));
+        it('Describes secrets', () => __awaiter(void 0, void 0, void 0, function* () {
+            const secretName = `${(0, crypto_1.randomUUID)()}-trujillo`;
+            const newSecret = yield workos.vault.createSecret({
+                name: secretName,
+                value: 'Qiviut 11-13 micron',
+                context: { fiber: 'Musk Ox' },
+            });
+            const secretDescription = yield workos.vault.describeSecret({
+                id: newSecret.id,
+            });
+            const expectedMetadata = {
+                id: expect.any(String),
+                context: {
+                    fiber: 'Musk Ox',
+                },
+                environmentId: expect.any(String),
+                keyId: expect.any(String),
+                updatedAt: expect.any(Date),
+                updatedBy: {
+                    id: expect.any(String),
+                    name: expect.any(String),
+                },
+                versionId: expect.any(String),
+            };
+            expect(secretDescription).toStrictEqual({
+                id: newSecret.id,
+                name: secretName,
+                metadata: expectedMetadata,
+                value: undefined,
+            });
+        }));
+        it('Lists secrets with pagination', () => __awaiter(void 0, void 0, void 0, function* () {
+            const secretNames = [];
+            const numSecrets = 6;
+            const listPrefix = `${secretPrefix}-${(0, crypto_1.randomUUID)()}`;
+            for (let i = 0; i < numSecrets; i++) {
+                const secretName = `${listPrefix}-${i}`;
+                yield workos.vault.createSecret({
+                    name: secretName,
+                    value: 'Qiviut 11-13 micron',
+                    context: { fiber: 'Musk Ox' },
+                });
+                secretNames.push(secretName);
+            }
+            const allSecretNames = [];
+            let before;
+            do {
+                const list = yield workos.vault.listSecrets({
+                    limit: 2,
+                    after: before,
+                });
+                for (const secret of list.data) {
+                    if (secret.name.startsWith(listPrefix)) {
+                        allSecretNames.push(secret.name);
+                    }
+                }
+                before = list.listMetadata.before;
+            } while (before !== undefined);
+            const missingSecrets = secretNames.filter((name) => !allSecretNames.includes(name));
+            expect(allSecretNames.length).toEqual(numSecrets);
+            expect(missingSecrets).toStrictEqual([]);
+        }));
+        it('Lists secret versions', () => __awaiter(void 0, void 0, void 0, function* () {
+            const secretName = `${secretPrefix}-arequipa`;
+            const newSecret = yield workos.vault.createSecret({
+                name: secretName,
+                value: 'Tapada 20-30 micron',
+                context: { fiber: 'Alpalca' },
+            });
+            const updatedSecret = yield workos.vault.updateSecret({
+                id: newSecret.id,
+                value: 'Ccara 30-40 micron',
+            });
+            const versions = yield workos.vault.listSecretVersions({
+                id: newSecret.id,
+            });
+            expect(versions.length).toBe(2);
+            const currentVersion = versions.find((v) => v.currentVersion);
+            expect(currentVersion === null || currentVersion === void 0 ? void 0 : currentVersion.id).toBe(updatedSecret.metadata.versionId);
+            const firstVersion = versions.find((v) => v.id === newSecret.versionId);
+            expect(firstVersion === null || firstVersion === void 0 ? void 0 : firstVersion.currentVersion).toBe(false);
+        }));
+    });
+    describe('encrypt and decrypt', () => {
+        it('encrypts and decrypts data', () => __awaiter(void 0, void 0, void 0, function* () {
+            const superSecret = 'hot water freezes faster than cold water';
+            const keyContext = {
+                everything: 'everywhere',
+            };
+            const encrypted = yield workos.vault.encrypt(superSecret, keyContext);
+            const decrypted = yield workos.vault.decrypt(encrypted);
+            expect(decrypted).toBe(superSecret);
+        }));
+    });
+});

package/lib/vault/vault.d.ts

@@ -0,0 +1,19 @@
+import { PaginationOptions } from '../index.worker';
+import { WorkOS } from '../workos';
+import { CreateDataKeyOptions, CreateSecretOptions, DataKey, DataKeyPair, DecryptDataKeyOptions, DeleteSecretOptions, ReadSecretOptions, SecretContext, SecretDigest, SecretMetadata, SecretVersion, UpdateSecretOptions, VaultSecret } from './interfaces';
+import { List } from '../common/interfaces';
+export declare class Vault {
+    private readonly workos;
+    constructor(workos: WorkOS);
+    createSecret(options: CreateSecretOptions): Promise<SecretMetadata>;
+    listSecrets(options?: PaginationOptions | undefined): Promise<List<SecretDigest>>;
+    listSecretVersions(options: ReadSecretOptions): Promise<SecretVersion[]>;
+    readSecret(options: ReadSecretOptions): Promise<VaultSecret>;
+    describeSecret(options: ReadSecretOptions): Promise<VaultSecret>;
+    updateSecret(options: UpdateSecretOptions): Promise<VaultSecret>;
+    deleteSecret(options: DeleteSecretOptions): Promise<void>;
+    createDataKey(options: CreateDataKeyOptions): Promise<DataKeyPair>;
+    decryptDataKey(options: DecryptDataKeyOptions): Promise<DataKey>;
+    encrypt(data: string, context: SecretContext): Promise<string>;
+    decrypt(encryptedData: string): Promise<string>;
+}

package/lib/vault/vault.js

@@ -0,0 +1,97 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Vault = void 0;
+const decrypt_1 = require("./cryptography/decrypt");
+const encrypt_1 = require("./cryptography/encrypt");
+const vault_key_serializer_1 = require("./serializers/vault-key.serializer");
+const vault_secret_serializer_1 = require("./serializers/vault-secret.serializer");
+class Vault {
+    constructor(workos) {
+        this.workos = workos;
+    }
+    createSecret(options) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const { data } = yield this.workos.post(`/vault/v1/kv`, (0, vault_secret_serializer_1.serializeCreateSecretEntity)(options));
+            return (0, vault_secret_serializer_1.deserializeSecretMetadata)(data);
+        });
+    }
+    listSecrets(options) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const url = new URL('/vault/v1/kv', this.workos.baseURL);
+            if (options === null || options === void 0 ? void 0 : options.after) {
+                url.searchParams.set('after', options.after);
+            }
+            if (options === null || options === void 0 ? void 0 : options.limit) {
+                url.searchParams.set('limit', options.limit.toString());
+            }
+            const { data } = yield this.workos.get(url.toString());
+            return (0, vault_secret_serializer_1.deserializeListSecrets)(data);
+        });
+    }
+    listSecretVersions(options) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const { data } = yield this.workos.get(`/vault/v1/kv/${encodeURIComponent(options.id)}/versions`);
+            return (0, vault_secret_serializer_1.desrializeListSecretVersions)(data);
+        });
+    }
+    readSecret(options) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const { data } = yield this.workos.get(`/vault/v1/kv/${encodeURIComponent(options.id)}`);
+            return (0, vault_secret_serializer_1.deserializeSecret)(data);
+        });
+    }
+    describeSecret(options) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const { data } = yield this.workos.get(`/vault/v1/kv/${encodeURIComponent(options.id)}/metadata`);
+            return (0, vault_secret_serializer_1.deserializeSecret)(data);
+        });
+    }
+    updateSecret(options) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const { data } = yield this.workos.put(`/vault/v1/kv/${encodeURIComponent(options.id)}`, (0, vault_secret_serializer_1.serializeUpdateSecretEntity)(options));
+            return (0, vault_secret_serializer_1.deserializeSecret)(data);
+        });
+    }
+    deleteSecret(options) {
+        return __awaiter(this, void 0, void 0, function* () {
+            return this.workos.delete(`/vault/v1/kv/${encodeURIComponent(options.id)}`);
+        });
+    }
+    createDataKey(options) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const { data } = yield this.workos.post(`/vault/v1/keys/data-key`, options);
+            return (0, vault_key_serializer_1.deserializeCreateDataKeyResponse)(data);
+        });
+    }
+    decryptDataKey(options) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const { data } = yield this.workos.post(`/vault/v1/keys/decrypt`, options);
+            return (0, vault_key_serializer_1.deserializeDecryptDataKeyResponse)(data);
+        });
+    }
+    encrypt(data, context) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const { dataKey, encryptedKeys } = yield this.createDataKey({
+                context,
+            });
+            return (0, encrypt_1.encrypt)(data, dataKey.key, encryptedKeys);
+        });
+    }
+    decrypt(encryptedData) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const decoded = (0, decrypt_1.decode)(encryptedData);
+            const dataKey = yield this.decryptDataKey({ keys: decoded.keys });
+            return (0, decrypt_1.decrypt)(decoded, dataKey.key);
+        });
+    }
+}
+exports.Vault = Vault;

package/lib/vault/vault.spec.d.ts

@@ -0,0 +1 @@
+export {};

package/lib/vault/vault.spec.js

@@ -0,0 +1,247 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const jest_fetch_mock_1 = __importDefault(require("jest-fetch-mock"));
+const test_utils_1 = require("../common/utils/test-utils");
+const workos_1 = require("../workos");
+const conflict_exception_1 = require("../common/exceptions/conflict.exception");
+const workos = new workos_1.WorkOS('sk_test_Sz3IQjepeSWaI4cMS4ms4sMuU');
+describe('Vault', () => {
+    beforeEach(() => jest_fetch_mock_1.default.resetMocks());
+    describe('createSecret', () => {
+        it('creates secret', () => __awaiter(void 0, void 0, void 0, function* () {
+            const secretName = 'charger';
+            (0, test_utils_1.fetchOnce)({
+                id: 's1',
+                context: {
+                    type: 'spore',
+                },
+                environment_id: 'xxx',
+                key_id: 'k1',
+                updated_at: '2029-03-17T04:37:46.748303Z',
+                updated_by: {
+                    id: 'key_xxx',
+                    name: 'Local Test Key',
+                },
+                version_id: 'v1',
+            });
+            const resource = yield workos.vault.createSecret({
+                name: secretName,
+                context: { type: 'spore' },
+                value: 'Full speed ahead',
+            });
+            expect((0, test_utils_1.fetchURL)()).toContain(`/vault/v1/kv`);
+            expect((0, test_utils_1.fetchMethod)()).toBe('POST');
+            expect(resource).toStrictEqual({
+                id: 's1',
+                context: {
+                    type: 'spore',
+                },
+                environmentId: 'xxx',
+                keyId: 'k1',
+                updatedAt: new Date(Date.parse('2029-03-17T04:37:46.748303Z')),
+                updatedBy: {
+                    id: 'key_xxx',
+                    name: 'Local Test Key',
+                },
+                versionId: 'v1',
+            });
+        }));
+        it('throws an error if secret exists', () => __awaiter(void 0, void 0, void 0, function* () {
+            const secretName = 'charger';
+            (0, test_utils_1.fetchOnce)({
+                error: 'Item already exists',
+            }, { status: 409 });
+            yield expect(workos.vault.createSecret({
+                name: secretName,
+                context: { type: 'spore' },
+                value: 'Full speed ahead',
+            })).rejects.toThrow(conflict_exception_1.ConflictException);
+            expect((0, test_utils_1.fetchURL)()).toContain(`/vault/v1/kv`);
+            expect((0, test_utils_1.fetchMethod)()).toBe('POST');
+        }));
+    });
+    describe('readSecret', () => {
+        it('reads a secret by id', () => __awaiter(void 0, void 0, void 0, function* () {
+            const secretName = 'lima';
+            const secretId = 'secret1';
+            (0, test_utils_1.fetchOnce)({
+                id: secretId,
+                metadata: {
+                    id: secretId,
+                    context: {
+                        emporer: 'groove',
+                    },
+                    environment_id: 'environment_d',
+                    key_id: 'key1',
+                    updated_at: '2025-03-11T02:18:54.250931Z',
+                    updated_by: {
+                        id: 'key_xxx',
+                        name: 'Local Test Key',
+                    },
+                    version_id: 'version1',
+                },
+                name: secretName,
+                value: 'Pull the lever Gronk',
+            });
+            const resource = yield workos.vault.readSecret({
+                id: secretId,
+            });
+            expect((0, test_utils_1.fetchURL)()).toContain(`/vault/v1/kv/${secretId}`);
+            expect((0, test_utils_1.fetchMethod)()).toBe('GET');
+            expect(resource).toStrictEqual({
+                id: secretId,
+                metadata: {
+                    id: secretId,
+                    context: {
+                        emporer: 'groove',
+                    },
+                    environmentId: 'environment_d',
+                    keyId: 'key1',
+                    updatedAt: new Date(Date.parse('2025-03-11T02:18:54.250931Z')),
+                    updatedBy: {
+                        id: 'key_xxx',
+                        name: 'Local Test Key',
+                    },
+                    versionId: 'version1',
+                },
+                name: secretName,
+                value: 'Pull the lever Gronk',
+            });
+        }));
+    });
+    describe('listSecrets', () => {
+        it('gets a paginated list of secrets', () => __awaiter(void 0, void 0, void 0, function* () {
+            (0, test_utils_1.fetchOnce)({
+                data: [
+                    {
+                        id: 's1',
+                        name: 'charger',
+                        updated_at: '2029-03-17T04:37:46.748303Z',
+                    },
+                ],
+                list_metadata: {
+                    after: null,
+                    before: 'charger',
+                },
+            });
+            const resource = yield workos.vault.listSecrets();
+            expect((0, test_utils_1.fetchURL)()).toContain(`/vault/v1/kv`);
+            expect((0, test_utils_1.fetchMethod)()).toBe('GET');
+            expect(resource).toStrictEqual({
+                object: 'list',
+                data: [
+                    {
+                        id: 's1',
+                        name: 'charger',
+                        updatedAt: new Date(Date.parse('2029-03-17T04:37:46.748303Z')),
+                    },
+                ],
+                listMetadata: {
+                    after: undefined,
+                    before: 'charger',
+                },
+            });
+        }));
+    });
+    describe('listSecretVersions', () => {
+        it('gets a paginated list of secret versions', () => __awaiter(void 0, void 0, void 0, function* () {
+            (0, test_utils_1.fetchOnce)({
+                data: [
+                    {
+                        id: 'raZUqoHteQkLihH6AG5bj6sYAqMcJS76',
+                        size: 270,
+                        etag: '"5147c963627323edcb15910ceea573bf"',
+                        created_at: '2029-03-17T15:51:57.000000Z',
+                        current_version: true,
+                    },
+                ],
+                list_metadata: {
+                    after: null,
+                    before: 'raZUqoHteQkLihH6AG5bj6sYAqMcJS76',
+                },
+            });
+            const resource = yield workos.vault.listSecretVersions({ id: 'secret1' });
+            expect((0, test_utils_1.fetchURL)()).toContain(`/vault/v1/kv/secret1/versions`);
+            expect((0, test_utils_1.fetchMethod)()).toBe('GET');
+            expect(resource).toStrictEqual([
+                {
+                    createdAt: new Date(Date.parse('2029-03-17T15:51:57.000000Z')),
+                    currentVersion: true,
+                    id: 'raZUqoHteQkLihH6AG5bj6sYAqMcJS76',
+                },
+            ]);
+        }));
+    });
+    describe('updateSecret', () => {
+        it('updates secret', () => __awaiter(void 0, void 0, void 0, function* () {
+            const secretId = 's1';
+            (0, test_utils_1.fetchOnce)({
+                id: secretId,
+                name: 'charger',
+                metadata: {
+                    id: secretId,
+                    context: {
+                        type: 'spore',
+                    },
+                    environment_id: 'xxx',
+                    key_id: 'k1',
+                    updated_at: '2029-03-17T04:37:46.748303Z',
+                    updated_by: {
+                        id: 'key_xxx',
+                        name: 'Local Test Key',
+                    },
+                    version_id: 'v1',
+                },
+            });
+            const resource = yield workos.vault.updateSecret({
+                id: secretId,
+                value: 'Full speed ahead',
+            });
+            expect((0, test_utils_1.fetchURL)()).toContain(`/vault/v1/kv/${secretId}`);
+            expect((0, test_utils_1.fetchMethod)()).toBe('PUT');
+            expect(resource).toStrictEqual({
+                id: secretId,
+                name: 'charger',
+                metadata: {
+                    id: secretId,
+                    context: {
+                        type: 'spore',
+                    },
+                    environmentId: 'xxx',
+                    keyId: 'k1',
+                    updatedAt: new Date(Date.parse('2029-03-17T04:37:46.748303Z')),
+                    updatedBy: {
+                        id: 'key_xxx',
+                        name: 'Local Test Key',
+                    },
+                    versionId: 'v1',
+                },
+                value: undefined,
+            });
+        }));
+        it('throws an error if secret version check fails', () => __awaiter(void 0, void 0, void 0, function* () {
+            (0, test_utils_1.fetchOnce)({
+                error: 'Item already exists',
+            }, { status: 409 });
+            yield expect(workos.vault.updateSecret({
+                id: 'secret1',
+                value: 'Full speed ahead',
+                versionCheck: 'notaversion',
+            })).rejects.toThrow(conflict_exception_1.ConflictException);
+            expect((0, test_utils_1.fetchURL)()).toContain(`/vault/v1/kv/secret1`);
+            expect((0, test_utils_1.fetchMethod)()).toBe('PUT');
+        }));
+    });
+});

package/lib/workos.d.ts

@@ -15,6 +15,7 @@ import { HttpClient } from './common/net/http-client';
 import { IronSessionProvider } from './common/iron-session/iron-session-provider';
 import { Widgets } from './widgets/widgets';
 import { Actions } from './actions/actions';
+import { Vault } from './vault/vault';
 export declare class WorkOS {
     readonly key?: string | undefined;
     readonly options: WorkOSOptions;
@@ -35,6 +36,7 @@ export declare class WorkOS {
     readonly userManagement: UserManagement;
     readonly fga: FGA;
     readonly widgets: Widgets;
+    readonly vault: Vault;
     constructor(key?: string | undefined, options?: WorkOSOptions);
     createWebhookClient(): Webhooks;
     createActionsClient(): Actions;

package/lib/workos.js

@@ -29,7 +29,9 @@ const subtle_crypto_provider_1 = require("./common/crypto/subtle-crypto-provider
 const fetch_client_1 = require("./common/net/fetch-client");
 const widgets_1 = require("./widgets/widgets");
 const actions_1 = require("./actions/actions");
-const VERSION = '7.41.0';
+const vault_1 = require("./vault/vault");
+const conflict_exception_1 = require("./common/exceptions/conflict.exception");
+const VERSION = '7.42.0';
 const DEFAULT_HOSTNAME = 'api.workos.com';
 const HEADER_AUTHORIZATION = 'Authorization';
 const HEADER_IDEMPOTENCY_KEY = 'Idempotency-Key';
@@ -49,6 +51,7 @@ class WorkOS {
         this.events = new events_1.Events(this);
         this.fga = new fga_1.FGA(this);
         this.widgets = new widgets_1.Widgets(this);
+        this.vault = new vault_1.Vault(this);
         if (!key) {
             // process might be undefined in some environments
             this.key =
@@ -194,6 +197,9 @@ class WorkOS {
                 case 401: {
                     throw new exceptions_1.UnauthorizedException(requestID);
                 }
+                case 409: {
+                    throw new conflict_exception_1.ConflictException({ requestID, message, error });
+                }
                 case 422: {
                     throw new exceptions_1.UnprocessableEntityException({
                         code,

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "7.41.0",
+  "version": "7.42.0",
   "name": "@workos-inc/node",
   "author": "WorkOS",
   "description": "A Node wrapper for the WorkOS API",
@@ -40,6 +40,7 @@
   "dependencies": {
     "iron-session": "~6.3.1",
     "jose": "~5.6.3",
+    "leb": "^1.0.0",
     "pluralize": "8.0.0"
   },
   "devDependencies": {