npm - @workos-inc/node - Versions diffs - 8.0.0-rc.6 → 8.0.0-rc.8 - Mend

@workos-inc/node 8.0.0-rc.6 → 8.0.0-rc.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (261) hide show

package/lib/workos.js CHANGED Viewed

@@ -1,17 +1,12 @@
-import { SubtleCryptoProvider } from "./common/crypto/subtle-crypto-provider.js";
-import { HttpClientError } from "./common/net/http-client.js";
-import { ParseError } from "./common/exceptions/parse-error.js";
-import { FetchHttpClient } from "./common/net/fetch-client.js";
+import { ApiKeyRequiredException } from "./common/exceptions/api-key-required.exception.js";
 import { GenericServerException } from "./common/exceptions/generic-server.exception.js";
 import { BadRequestException } from "./common/exceptions/bad-request.exception.js";
-import { NoApiKeyProvidedException } from "./common/exceptions/no-api-key-provided.exception.js";
 import { NotFoundException } from "./common/exceptions/not-found.exception.js";
 import { OauthException } from "./common/exceptions/oauth.exception.js";
 import { RateLimitExceededException } from "./common/exceptions/rate-limit-exceeded.exception.js";
 import { UnauthorizedException } from "./common/exceptions/unauthorized.exception.js";
 import { UnprocessableEntityException } from "./common/exceptions/unprocessable-entity.exception.js";
-import { Actions } from "./actions/actions.js";
-import { Webhooks } from "./webhooks/webhooks.js";
+import { PKCE } from "./pkce/pkce.js";
 import { ApiKeys } from "./api-keys/api-keys.js";
 import { DirectorySync } from "./directory-sync/directory-sync.js";
 import { Events } from "./events/events.js";
@@ -21,18 +16,25 @@ import { Passwordless } from "./passwordless/passwordless.js";
 import { Pipes } from "./pipes/pipes.js";
 import { Portal } from "./portal/portal.js";
 import { SSO } from "./sso/sso.js";
+import { Webhooks } from "./webhooks/webhooks.js";
 import { Mfa } from "./mfa/mfa.js";
 import { AuditLogs } from "./audit-logs/audit-logs.js";
 import { getEnv } from "./common/utils/env.js";
 import { UserManagement } from "./user-management/user-management.js";
 import { FGA } from "./fga/fga.js";
+import { FeatureFlags } from "./feature-flags/feature-flags.js";
+import { HttpClientError } from "./common/net/http-client.js";
+import { SubtleCryptoProvider } from "./common/crypto/subtle-crypto-provider.js";
+import { ParseError } from "./common/exceptions/parse-error.js";
+import { FetchHttpClient } from "./common/net/fetch-client.js";
 import { Widgets } from "./widgets/widgets.js";
+import { Actions } from "./actions/actions.js";
 import { Vault } from "./vault/vault.js";
 import { ConflictException } from "./common/exceptions/conflict.exception.js";
 import { getRuntimeInfo } from "./common/utils/runtime-info.js";
 //#region src/workos.ts
-const VERSION = "8.0.0-rc.6";
+const VERSION = "8.0.0-rc.8";
 const DEFAULT_HOSTNAME = "api.workos.com";
 const HEADER_AUTHORIZATION = "Authorization";
 const HEADER_IDEMPOTENCY_KEY = "Idempotency-Key";
@@ -41,43 +43,71 @@ var WorkOS = class {
 	baseURL;
 	client;
 	clientId;
+	key;
+	options;
+	pkce;
+	hasApiKey;
 	actions;
 	apiKeys = new ApiKeys(this);
 	auditLogs = new AuditLogs(this);
 	directorySync = new DirectorySync(this);
+	events = new Events(this);
+	featureFlags = new FeatureFlags(this);
+	fga = new FGA(this);
+	mfa = new Mfa(this);
 	organizations = new Organizations(this);
 	organizationDomains = new OrganizationDomains(this);
 	passwordless = new Passwordless(this);
 	pipes = new Pipes(this);
 	portal = new Portal(this);
 	sso = new SSO(this);
-	webhooks;
-	mfa = new Mfa(this);
-	events = new Events(this);
 	userManagement;
-	fga = new FGA(this);
-	widgets = new Widgets(this);
 	vault = new Vault(this);
-	constructor(key, options = {}) {
-		this.key = key;
-		this.options = options;
-		if (!key) {
-			this.key = getEnv("WORKOS_API_KEY");
-			if (!this.key) throw new NoApiKeyProvidedException();
+	webhooks;
+	widgets = new Widgets(this);
+	/**
+	* Create a new WorkOS client.
+	*
+	* @param keyOrOptions - API key string, or options object
+	* @param maybeOptions - Options when first argument is API key
+	*
+	* @example
+	* // Server-side with API key (string)
+	* const workos = new WorkOS('sk_...');
+	*
+	* @example
+	* // Server-side with API key (object)
+	* const workos = new WorkOS({ apiKey: 'sk_...', clientId: 'client_...' });
+	*
+	* @example
+	* // PKCE/public client (no API key)
+	* const workos = new WorkOS({ clientId: 'client_...' });
+	*/
+	constructor(keyOrOptions, maybeOptions) {
+		if (typeof keyOrOptions === "object") {
+			this.key = keyOrOptions.apiKey;
+			this.options = keyOrOptions;
+		} else {
+			this.key = keyOrOptions;
+			this.options = maybeOptions ?? {};
 		}
+		if (!this.key) this.key = getEnv("WORKOS_API_KEY");
+		this.hasApiKey = !!this.key;
 		if (this.options.https === void 0) this.options.https = true;
 		this.clientId = this.options.clientId;
 		if (!this.clientId) this.clientId = getEnv("WORKOS_CLIENT_ID");
+		if (!this.hasApiKey && !this.clientId) throw new Error("WorkOS requires either an API key or a clientId. For server-side: new WorkOS(\"sk_...\") or new WorkOS({ apiKey: \"sk_...\" }). For PKCE/public clients: new WorkOS({ clientId: \"client_...\" })");
 		const protocol = this.options.https ? "https" : "http";
 		const apiHostname = this.options.apiHostname || DEFAULT_HOSTNAME;
 		const port = this.options.port;
 		this.baseURL = `${protocol}://${apiHostname}`;
 		if (port) this.baseURL = this.baseURL + `:${port}`;
+		this.pkce = new PKCE();
 		this.webhooks = this.createWebhookClient();
 		this.actions = this.createActionsClient();
 		this.userManagement = new UserManagement(this);
-		const userAgent = this.createUserAgent(options);
-		this.client = this.createHttpClient(options, userAgent);
+		const userAgent = this.createUserAgent(this.options);
+		this.client = this.createHttpClient(this.options, userAgent);
 	}
 	createUserAgent(options) {
 		let userAgent = `workos-node/${VERSION}`;
@@ -99,20 +129,29 @@ var WorkOS = class {
 		return new SubtleCryptoProvider();
 	}
 	createHttpClient(options, userAgent) {
+		const headers = { "User-Agent": userAgent };
+		const configHeaders = options.config?.headers;
+		if (configHeaders && typeof configHeaders === "object" && !Array.isArray(configHeaders) && !(configHeaders instanceof Headers)) Object.assign(headers, configHeaders);
+		if (this.key) headers["Authorization"] = `Bearer ${this.key}`;
 		return new FetchHttpClient(this.baseURL, {
 			...options.config,
 			timeout: options.timeout,
-			headers: {
-				...options.config?.headers,
-				Authorization: `Bearer ${this.key}`,
-				"User-Agent": userAgent
-			}
+			headers
 		});
 	}
 	get version() {
 		return VERSION;
 	}
+	/**
+	* Require API key for methods that need it.
+	* @param methodName - Name of the method requiring API key (for error message)
+	* @throws ApiKeyRequiredException if no API key was provided
+	*/
+	requireApiKey(methodName) {
+		if (!this.hasApiKey) throw new ApiKeyRequiredException(methodName);
+	}
 	async post(path, entity, options = {}) {
+		if (!options.skipApiKeyCheck) this.requireApiKey(path);
 		const requestHeaders = {};
 		if (options.idempotencyKey) requestHeaders[HEADER_IDEMPOTENCY_KEY] = options.idempotencyKey;
 		if (options.warrantToken) requestHeaders[HEADER_WARRANT_TOKEN] = options.warrantToken;
@@ -137,6 +176,7 @@ var WorkOS = class {
 		}
 	}
 	async get(path, options = {}) {
+		if (!options.skipApiKeyCheck) this.requireApiKey(path);
 		const requestHeaders = {};
 		if (options.accessToken) requestHeaders[HEADER_AUTHORIZATION] = `Bearer ${options.accessToken}`;
 		if (options.warrantToken) requestHeaders[HEADER_WARRANT_TOKEN] = options.warrantToken;
@@ -161,6 +201,7 @@ var WorkOS = class {
 		}
 	}
 	async put(path, entity, options = {}) {
+		if (!options.skipApiKeyCheck) this.requireApiKey(path);
 		const requestHeaders = {};
 		if (options.idempotencyKey) requestHeaders[HEADER_IDEMPOTENCY_KEY] = options.idempotencyKey;
 		let res;
@@ -184,6 +225,7 @@ var WorkOS = class {
 		}
 	}
 	async delete(path, query) {
+		this.requireApiKey(path);
 		try {
 			await this.client.delete(path, { params: query });
 		} catch (error) {

package/lib/workos.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"workos.js","names":["key?: string","options: WorkOSOptions","protocol: string","apiHostname: string","port: number \| undefined","userAgent: string","requestHeaders: Record<string, string>","res: HttpClientResponseInterface","error"],"sources":["../src/workos.ts"],"sourcesContent":["import {\n GenericServerException,\n NoApiKeyProvidedException,\n NotFoundException,\n UnauthorizedException,\n UnprocessableEntityException,\n OauthException,\n RateLimitExceededException,\n} from './common/exceptions';\nimport {\n GetOptions,\n HttpClientResponseInterface,\n PostOptions,\n PutOptions,\n WorkOSOptions,\n WorkOSResponseError,\n} from './common/interfaces';\nimport { ApiKeys } from './api-keys/api-keys';\nimport { DirectorySync } from './directory-sync/directory-sync';\nimport { Events } from './events/events';\nimport { Organizations } from './organizations/organizations';\nimport { OrganizationDomains } from './organization-domains/organization-domains';\nimport { Passwordless } from './passwordless/passwordless';\nimport { Pipes } from './pipes/pipes';\nimport { Portal } from './portal/portal';\nimport { SSO } from './sso/sso';\nimport { Webhooks } from './webhooks/webhooks';\nimport { Mfa } from './mfa/mfa';\nimport { AuditLogs } from './audit-logs/audit-logs';\nimport { UserManagement } from './user-management/user-management';\nimport { FGA } from './fga/fga';\nimport { BadRequestException } from './common/exceptions/bad-request.exception';\n\nimport { HttpClient, HttpClientError } from './common/net/http-client';\nimport { SubtleCryptoProvider } from './common/crypto/subtle-crypto-provider';\nimport { FetchHttpClient } from './common/net/fetch-client';\nimport { Widgets } from './widgets/widgets';\nimport { Actions } from './actions/actions';\nimport { Vault } from './vault/vault';\nimport { ConflictException } from './common/exceptions/conflict.exception';\nimport { CryptoProvider } from './common/crypto/crypto-provider';\nimport { ParseError } from './common/exceptions/parse-error';\nimport { getEnv } from './common/utils/env';\nimport { getRuntimeInfo } from './common/utils/runtime-info';\n\nconst VERSION = '8.0.0-rc.6';\n\nconst DEFAULT_HOSTNAME = 'api.workos.com';\n\nconst HEADER_AUTHORIZATION = 'Authorization';\nconst HEADER_IDEMPOTENCY_KEY = 'Idempotency-Key';\nconst HEADER_WARRANT_TOKEN = 'Warrant-Token';\n\nexport class WorkOS {\n readonly baseURL: string;\n readonly client: HttpClient;\n readonly clientId?: string;\n\n readonly actions: Actions;\n readonly apiKeys = new ApiKeys(this);\n readonly auditLogs = new AuditLogs(this);\n readonly directorySync = new DirectorySync(this);\n readonly organizations = new Organizations(this);\n readonly organizationDomains = new OrganizationDomains(this);\n readonly passwordless = new Passwordless(this);\n readonly pipes = new Pipes(this);\n readonly portal = new Portal(this);\n readonly sso = new SSO(this);\n readonly webhooks: Webhooks;\n readonly mfa = new Mfa(this);\n readonly events = new Events(this);\n readonly userManagement: UserManagement;\n readonly fga = new FGA(this);\n readonly widgets = new Widgets(this);\n readonly vault = new Vault(this);\n\n constructor(\n readonly key?: string,\n readonly options: WorkOSOptions = {},\n ) {\n if (!key) {\n this.key = getEnv('WORKOS_API_KEY');\n\n if (!this.key) {\n throw new NoApiKeyProvidedException();\n }\n }\n\n if (this.options.https === undefined) {\n this.options.https = true;\n }\n\n this.clientId = this.options.clientId;\n if (!this.clientId) {\n this.clientId = getEnv('WORKOS_CLIENT_ID');\n }\n\n const protocol: string = this.options.https ? 'https' : 'http';\n const apiHostname: string = this.options.apiHostname \|\| DEFAULT_HOSTNAME;\n const port: number \| undefined = this.options.port;\n this.baseURL = `${protocol}://${apiHostname}`;\n\n if (port) {\n this.baseURL = this.baseURL + `:${port}`;\n }\n\n this.webhooks = this.createWebhookClient();\n this.actions = this.createActionsClient();\n\n // Must initialize UserManagement after baseURL is configured\n this.userManagement = new UserManagement(this);\n\n const userAgent = this.createUserAgent(options);\n\n this.client = this.createHttpClient(options, userAgent);\n }\n\n private createUserAgent(options: WorkOSOptions): string {\n let userAgent: string = `workos-node/${VERSION}`;\n\n const { name: runtimeName, version: runtimeVersion } = getRuntimeInfo();\n userAgent += ` (${runtimeName}${runtimeVersion ? `/${runtimeVersion}` : ''})`;\n\n if (options.appInfo) {\n const { name, version } = options.appInfo;\n userAgent += ` ${name}: ${version}`;\n }\n\n return userAgent;\n }\n\n createWebhookClient() {\n return new Webhooks(this.getCryptoProvider());\n }\n\n createActionsClient() {\n return new Actions(this.getCryptoProvider());\n }\n\n getCryptoProvider(): CryptoProvider {\n return new SubtleCryptoProvider();\n }\n\n createHttpClient(options: WorkOSOptions, userAgent: string) {\n return new FetchHttpClient(this.baseURL, {\n ...options.config,\n timeout: options.timeout,\n headers: {\n ...options.config?.headers,\n Authorization: `Bearer ${this.key}`,\n 'User-Agent': userAgent,\n },\n }) as HttpClient;\n }\n\n get version() {\n return VERSION;\n }\n\n async post<Result = any, Entity = any>(\n path: string,\n entity: Entity,\n options: PostOptions = {},\n ): Promise<{ data: Result }> {\n const requestHeaders: Record<string, string> = {};\n\n if (options.idempotencyKey) {\n requestHeaders[HEADER_IDEMPOTENCY_KEY] = options.idempotencyKey;\n }\n\n if (options.warrantToken) {\n requestHeaders[HEADER_WARRANT_TOKEN] = options.warrantToken;\n }\n\n let res: HttpClientResponseInterface;\n\n try {\n res = await this.client.post<Entity>(path, entity, {\n params: options.query,\n headers: requestHeaders,\n });\n } catch (error) {\n this.handleHttpError({ path, error });\n throw error;\n }\n\n try {\n return { data: await res.toJSON() };\n } catch (error) {\n await this.handleParseError(error, res);\n throw error;\n }\n }\n\n async get<Result = any>(\n path: string,\n options: GetOptions = {},\n ): Promise<{ data: Result }> {\n const requestHeaders: Record<string, string> = {};\n\n if (options.accessToken) {\n requestHeaders[HEADER_AUTHORIZATION] = `Bearer ${options.accessToken}`;\n }\n\n if (options.warrantToken) {\n requestHeaders[HEADER_WARRANT_TOKEN] = options.warrantToken;\n }\n\n let res: HttpClientResponseInterface;\n try {\n res = await this.client.get(path, {\n params: options.query,\n headers: requestHeaders,\n });\n } catch (error) {\n this.handleHttpError({ path, error });\n\n throw error;\n }\n\n try {\n return { data: await res.toJSON() };\n } catch (error) {\n await this.handleParseError(error, res);\n throw error;\n }\n }\n\n async put<Result = any, Entity = any>(\n path: string,\n entity: Entity,\n options: PutOptions = {},\n ): Promise<{ data: Result }> {\n const requestHeaders: Record<string, string> = {};\n\n if (options.idempotencyKey) {\n requestHeaders[HEADER_IDEMPOTENCY_KEY] = options.idempotencyKey;\n }\n\n let res: HttpClientResponseInterface;\n\n try {\n res = await this.client.put<Entity>(path, entity, {\n params: options.query,\n headers: requestHeaders,\n });\n } catch (error) {\n this.handleHttpError({ path, error });\n\n throw error;\n }\n\n try {\n return { data: await res.toJSON() };\n } catch (error) {\n await this.handleParseError(error, res);\n throw error;\n }\n }\n\n async delete(path: string, query?: any): Promise<void> {\n try {\n await this.client.delete(path, {\n params: query,\n });\n } catch (error) {\n this.handleHttpError({ path, error });\n\n throw error;\n }\n }\n\n emitWarning(warning: string) {\n // tslint:disable-next-line:no-console\n console.warn(`WorkOS: ${warning}`);\n }\n\n private async handleParseError(\n error: unknown,\n res: HttpClientResponseInterface,\n ) {\n if (error instanceof SyntaxError) {\n const rawResponse = res.getRawResponse() as Response;\n const requestID = rawResponse.headers.get('X-Request-ID') ?? '';\n const rawStatus = rawResponse.status;\n const rawBody = await rawResponse.text();\n throw new ParseError({\n message: error.message,\n rawBody,\n rawStatus,\n requestID,\n });\n }\n }\n\n private handleHttpError({ path, error }: { path: string; error: unknown }) {\n if (!(error instanceof HttpClientError)) {\n throw new Error(`Unexpected error: ${error}`, { cause: error });\n }\n\n const { response } = error as HttpClientError<WorkOSResponseError>;\n\n if (response) {\n const { status, data, headers } = response;\n\n const requestID = headers['X-Request-ID'] ?? '';\n const {\n code,\n error_description: errorDescription,\n error,\n errors,\n message,\n } = data;\n\n switch (status) {\n case 401: {\n throw new UnauthorizedException(requestID);\n }\n case 409: {\n throw new ConflictException({ requestID, message, error });\n }\n case 422: {\n throw new UnprocessableEntityException({\n code,\n errors,\n message,\n requestID,\n });\n }\n case 404: {\n throw new NotFoundException({\n code,\n message,\n path,\n requestID,\n });\n }\n case 429: {\n const retryAfter = headers.get('Retry-After');\n\n throw new RateLimitExceededException(\n data.message,\n requestID,\n retryAfter ? Number(retryAfter) : null,\n );\n }\n default: {\n if (error \|\| errorDescription) {\n throw new OauthException(\n status,\n requestID,\n error,\n errorDescription,\n data,\n );\n } else if (code && errors) {\n // Note: ideally this should be mapped directly with a `400` status code.\n // However, this would break existing logic for the `OauthException` exception.\n throw new BadRequestException({\n code,\n errors,\n message,\n requestID,\n });\n } else {\n throw new GenericServerException(\n status,\n data.message,\n data,\n requestID,\n );\n }\n }\n }\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA6CA,MAAM,UAAU;AAEhB,MAAM,mBAAmB;AAEzB,MAAM,uBAAuB;AAC7B,MAAM,yBAAyB;AAC/B,MAAM,uBAAuB;AAE7B,IAAa,SAAb,MAAoB;CAClB,AAAS;CACT,AAAS;CACT,AAAS;CAET,AAAS;CACT,AAAS,UAAU,IAAI,QAAQ,KAAK;CACpC,AAAS,YAAY,IAAI,UAAU,KAAK;CACxC,AAAS,gBAAgB,IAAI,cAAc,KAAK;CAChD,AAAS,gBAAgB,IAAI,cAAc,KAAK;CAChD,AAAS,sBAAsB,IAAI,oBAAoB,KAAK;CAC5D,AAAS,eAAe,IAAI,aAAa,KAAK;CAC9C,AAAS,QAAQ,IAAI,MAAM,KAAK;CAChC,AAAS,SAAS,IAAI,OAAO,KAAK;CAClC,AAAS,MAAM,IAAI,IAAI,KAAK;CAC5B,AAAS;CACT,AAAS,MAAM,IAAI,IAAI,KAAK;CAC5B,AAAS,SAAS,IAAI,OAAO,KAAK;CAClC,AAAS;CACT,AAAS,MAAM,IAAI,IAAI,KAAK;CAC5B,AAAS,UAAU,IAAI,QAAQ,KAAK;CACpC,AAAS,QAAQ,IAAI,MAAM,KAAK;CAEhC,YACE,AAASA,KACT,AAASC,UAAyB,EAAE,EACpC;EAFS;EACA;AAET,MAAI,CAAC,KAAK;AACR,QAAK,MAAM,OAAO,iBAAiB;AAEnC,OAAI,CAAC,KAAK,IACR,OAAM,IAAI,2BAA2B;;AAIzC,MAAI,KAAK,QAAQ,UAAU,OACzB,MAAK,QAAQ,QAAQ;AAGvB,OAAK,WAAW,KAAK,QAAQ;AAC7B,MAAI,CAAC,KAAK,SACR,MAAK,WAAW,OAAO,mBAAmB;EAG5C,MAAMC,WAAmB,KAAK,QAAQ,QAAQ,UAAU;EACxD,MAAMC,cAAsB,KAAK,QAAQ,eAAe;EACxD,MAAMC,OAA2B,KAAK,QAAQ;AAC9C,OAAK,UAAU,GAAG,SAAS,KAAK;AAEhC,MAAI,KACF,MAAK,UAAU,KAAK,UAAU,IAAI;AAGpC,OAAK,WAAW,KAAK,qBAAqB;AAC1C,OAAK,UAAU,KAAK,qBAAqB;AAGzC,OAAK,iBAAiB,IAAI,eAAe,KAAK;EAE9C,MAAM,YAAY,KAAK,gBAAgB,QAAQ;AAE/C,OAAK,SAAS,KAAK,iBAAiB,SAAS,UAAU;;CAGzD,AAAQ,gBAAgB,SAAgC;EACtD,IAAIC,YAAoB,eAAe;EAEvC,MAAM,EAAE,MAAM,aAAa,SAAS,mBAAmB,gBAAgB;AACvE,eAAa,KAAK,cAAc,iBAAiB,IAAI,mBAAmB,GAAG;AAE3E,MAAI,QAAQ,SAAS;GACnB,MAAM,EAAE,MAAM,YAAY,QAAQ;AAClC,gBAAa,IAAI,KAAK,IAAI;;AAG5B,SAAO;;CAGT,sBAAsB;AACpB,SAAO,IAAI,SAAS,KAAK,mBAAmB,CAAC;;CAG/C,sBAAsB;AACpB,SAAO,IAAI,QAAQ,KAAK,mBAAmB,CAAC;;CAG9C,oBAAoC;AAClC,SAAO,IAAI,sBAAsB;;CAGnC,iBAAiB,SAAwB,WAAmB;AAC1D,SAAO,IAAI,gBAAgB,KAAK,SAAS;GACvC,GAAG,QAAQ;GACX,SAAS,QAAQ;GACjB,SAAS;IACP,GAAG,QAAQ,QAAQ;IACnB,eAAe,UAAU,KAAK;IAC9B,cAAc;IACf;GACF,CAAC;;CAGJ,IAAI,UAAU;AACZ,SAAO;;CAGT,MAAM,KACJ,MACA,QACA,UAAuB,EAAE,EACE;EAC3B,MAAMC,iBAAyC,EAAE;AAEjD,MAAI,QAAQ,eACV,gBAAe,0BAA0B,QAAQ;AAGnD,MAAI,QAAQ,aACV,gBAAe,wBAAwB,QAAQ;EAGjD,IAAIC;AAEJ,MAAI;AACF,SAAM,MAAM,KAAK,OAAO,KAAa,MAAM,QAAQ;IACjD,QAAQ,QAAQ;IAChB,SAAS;IACV,CAAC;WACK,OAAO;AACd,QAAK,gBAAgB;IAAE;IAAM;IAAO,CAAC;AACrC,SAAM;;AAGR,MAAI;AACF,UAAO,EAAE,MAAM,MAAM,IAAI,QAAQ,EAAE;WAC5B,OAAO;AACd,SAAM,KAAK,iBAAiB,OAAO,IAAI;AACvC,SAAM;;;CAIV,MAAM,IACJ,MACA,UAAsB,EAAE,EACG;EAC3B,MAAMD,iBAAyC,EAAE;AAEjD,MAAI,QAAQ,YACV,gBAAe,wBAAwB,UAAU,QAAQ;AAG3D,MAAI,QAAQ,aACV,gBAAe,wBAAwB,QAAQ;EAGjD,IAAIC;AACJ,MAAI;AACF,SAAM,MAAM,KAAK,OAAO,IAAI,MAAM;IAChC,QAAQ,QAAQ;IAChB,SAAS;IACV,CAAC;WACK,OAAO;AACd,QAAK,gBAAgB;IAAE;IAAM;IAAO,CAAC;AAErC,SAAM;;AAGR,MAAI;AACF,UAAO,EAAE,MAAM,MAAM,IAAI,QAAQ,EAAE;WAC5B,OAAO;AACd,SAAM,KAAK,iBAAiB,OAAO,IAAI;AACvC,SAAM;;;CAIV,MAAM,IACJ,MACA,QACA,UAAsB,EAAE,EACG;EAC3B,MAAMD,iBAAyC,EAAE;AAEjD,MAAI,QAAQ,eACV,gBAAe,0BAA0B,QAAQ;EAGnD,IAAIC;AAEJ,MAAI;AACF,SAAM,MAAM,KAAK,OAAO,IAAY,MAAM,QAAQ;IAChD,QAAQ,QAAQ;IAChB,SAAS;IACV,CAAC;WACK,OAAO;AACd,QAAK,gBAAgB;IAAE;IAAM;IAAO,CAAC;AAErC,SAAM;;AAGR,MAAI;AACF,UAAO,EAAE,MAAM,MAAM,IAAI,QAAQ,EAAE;WAC5B,OAAO;AACd,SAAM,KAAK,iBAAiB,OAAO,IAAI;AACvC,SAAM;;;CAIV,MAAM,OAAO,MAAc,OAA4B;AACrD,MAAI;AACF,SAAM,KAAK,OAAO,OAAO,MAAM,EAC7B,QAAQ,OACT,CAAC;WACK,OAAO;AACd,QAAK,gBAAgB;IAAE;IAAM;IAAO,CAAC;AAErC,SAAM;;;CAIV,YAAY,SAAiB;AAE3B,UAAQ,KAAK,WAAW,UAAU;;CAGpC,MAAc,iBACZ,OACA,KACA;AACA,MAAI,iBAAiB,aAAa;GAChC,MAAM,cAAc,IAAI,gBAAgB;GACxC,MAAM,YAAY,YAAY,QAAQ,IAAI,eAAe,IAAI;GAC7D,MAAM,YAAY,YAAY;GAC9B,MAAM,UAAU,MAAM,YAAY,MAAM;AACxC,SAAM,IAAI,WAAW;IACnB,SAAS,MAAM;IACf;IACA;IACA;IACD,CAAC;;;CAIN,AAAQ,gBAAgB,EAAE,MAAM,SAA2C;AACzE,MAAI,EAAE,iBAAiB,iBACrB,OAAM,IAAI,MAAM,qBAAqB,SAAS,EAAE,OAAO,OAAO,CAAC;EAGjE,MAAM,EAAE,aAAa;AAErB,MAAI,UAAU;GACZ,MAAM,EAAE,QAAQ,MAAM,YAAY;GAElC,MAAM,YAAY,QAAQ,mBAAmB;GAC7C,MAAM,EACJ,MACA,mBAAmB,kBACnB,gBACA,QACA,YACE;AAEJ,WAAQ,QAAR;IACE,KAAK,IACH,OAAM,IAAI,sBAAsB,UAAU;IAE5C,KAAK,IACH,OAAM,IAAI,kBAAkB;KAAE;KAAW;KAAS;KAAO,CAAC;IAE5D,KAAK,IACH,OAAM,IAAI,6BAA6B;KACrC;KACA;KACA;KACA;KACD,CAAC;IAEJ,KAAK,IACH,OAAM,IAAI,kBAAkB;KAC1B;KACA;KACA;KACA;KACD,CAAC;IAEJ,KAAK,KAAK;KACR,MAAM,aAAa,QAAQ,IAAI,cAAc;AAE7C,WAAM,IAAI,2BACR,KAAK,SACL,WACA,aAAa,OAAO,WAAW,GAAG,KACnC;;IAEH,QACE,KAAIC,WAAS,iBACX,OAAM,IAAI,eACR,QACA,WACAA,SACA,kBACA,KACD;aACQ,QAAQ,OAGjB,OAAM,IAAI,oBAAoB;KAC5B;KACA;KACA;KACA;KACD,CAAC;QAEF,OAAM,IAAI,uBACR,QACA,KAAK,SACL,MACA,UACD"}
1	+ {"version":3,"file":"workos.js","names":["protocol: string","apiHostname: string","port: number \| undefined","userAgent: string","headers: Record<string, string>","requestHeaders: Record<string, string>","res: HttpClientResponseInterface","error"],"sources":["../src/workos.ts"],"sourcesContent":["import {\n ApiKeyRequiredException,\n GenericServerException,\n NotFoundException,\n UnauthorizedException,\n UnprocessableEntityException,\n OauthException,\n RateLimitExceededException,\n} from './common/exceptions';\nimport { PKCE } from './pkce/pkce';\nimport {\n GetOptions,\n HttpClientResponseInterface,\n PostOptions,\n PutOptions,\n WorkOSOptions,\n WorkOSResponseError,\n} from './common/interfaces';\nimport { ApiKeys } from './api-keys/api-keys';\nimport { DirectorySync } from './directory-sync/directory-sync';\nimport { Events } from './events/events';\nimport { Organizations } from './organizations/organizations';\nimport { OrganizationDomains } from './organization-domains/organization-domains';\nimport { Passwordless } from './passwordless/passwordless';\nimport { Pipes } from './pipes/pipes';\nimport { Portal } from './portal/portal';\nimport { SSO } from './sso/sso';\nimport { Webhooks } from './webhooks/webhooks';\nimport { Mfa } from './mfa/mfa';\nimport { AuditLogs } from './audit-logs/audit-logs';\nimport { UserManagement } from './user-management/user-management';\nimport { FGA } from './fga/fga';\nimport { BadRequestException } from './common/exceptions/bad-request.exception';\nimport { FeatureFlags } from './feature-flags/feature-flags';\n\nimport { HttpClient, HttpClientError } from './common/net/http-client';\nimport { SubtleCryptoProvider } from './common/crypto/subtle-crypto-provider';\nimport { FetchHttpClient } from './common/net/fetch-client';\nimport { Widgets } from './widgets/widgets';\nimport { Actions } from './actions/actions';\nimport { Vault } from './vault/vault';\nimport { ConflictException } from './common/exceptions/conflict.exception';\nimport { CryptoProvider } from './common/crypto/crypto-provider';\nimport { ParseError } from './common/exceptions/parse-error';\nimport { getEnv } from './common/utils/env';\nimport { getRuntimeInfo } from './common/utils/runtime-info';\n\nconst VERSION = '8.0.0-rc.8';\n\nconst DEFAULT_HOSTNAME = 'api.workos.com';\n\nconst HEADER_AUTHORIZATION = 'Authorization';\nconst HEADER_IDEMPOTENCY_KEY = 'Idempotency-Key';\nconst HEADER_WARRANT_TOKEN = 'Warrant-Token';\n\nexport class WorkOS {\n readonly baseURL: string;\n readonly client: HttpClient;\n readonly clientId?: string;\n readonly key?: string;\n readonly options: WorkOSOptions;\n readonly pkce: PKCE;\n\n private readonly hasApiKey: boolean;\n\n readonly actions: Actions;\n readonly apiKeys = new ApiKeys(this);\n readonly auditLogs = new AuditLogs(this);\n readonly directorySync = new DirectorySync(this);\n readonly events = new Events(this);\n readonly featureFlags = new FeatureFlags(this);\n readonly fga = new FGA(this);\n readonly mfa = new Mfa(this);\n readonly organizations = new Organizations(this);\n readonly organizationDomains = new OrganizationDomains(this);\n readonly passwordless = new Passwordless(this);\n readonly pipes = new Pipes(this);\n readonly portal = new Portal(this);\n readonly sso = new SSO(this);\n readonly userManagement: UserManagement;\n readonly vault = new Vault(this);\n readonly webhooks: Webhooks;\n readonly widgets = new Widgets(this);\n\n /*\n Create a new WorkOS client.\n \n @param keyOrOptions - API key string, or options object\n * @param maybeOptions - Options when first argument is API key\n \n @example\n * // Server-side with API key (string)\n * const workos = new WorkOS('sk_...');\n \n @example\n * // Server-side with API key (object)\n * const workos = new WorkOS({ apiKey: 'sk_...', clientId: 'client_...' });\n \n @example\n * // PKCE/public client (no API key)\n * const workos = new WorkOS({ clientId: 'client_...' });\n /\n constructor(\n keyOrOptions?: string \| WorkOSOptions,\n maybeOptions?: WorkOSOptions,\n ) {\n if (typeof keyOrOptions === 'object') {\n this.key = keyOrOptions.apiKey;\n this.options = keyOrOptions;\n } else {\n this.key = keyOrOptions;\n this.options = maybeOptions ?? {};\n }\n\n if (!this.key) {\n this.key = getEnv('WORKOS_API_KEY');\n }\n\n this.hasApiKey = !!this.key;\n\n if (this.options.https === undefined) {\n this.options.https = true;\n }\n\n this.clientId = this.options.clientId;\n if (!this.clientId) {\n this.clientId = getEnv('WORKOS_CLIENT_ID');\n }\n\n if (!this.hasApiKey && !this.clientId) {\n throw new Error(\n 'WorkOS requires either an API key or a clientId. ' +\n 'For server-side: new WorkOS(\"sk_...\") or new WorkOS({ apiKey: \"sk_...\" }). ' +\n 'For PKCE/public clients: new WorkOS({ clientId: \"client_...\" })',\n );\n }\n\n const protocol: string = this.options.https ? 'https' : 'http';\n const apiHostname: string = this.options.apiHostname \|\| DEFAULT_HOSTNAME;\n const port: number \| undefined = this.options.port;\n this.baseURL = `${protocol}://${apiHostname}`;\n\n if (port) {\n this.baseURL = this.baseURL + `:${port}`;\n }\n\n this.pkce = new PKCE();\n\n this.webhooks = this.createWebhookClient();\n this.actions = this.createActionsClient();\n\n // Must initialize UserManagement after baseURL is configured\n this.userManagement = new UserManagement(this);\n\n const userAgent = this.createUserAgent(this.options);\n\n this.client = this.createHttpClient(this.options, userAgent);\n }\n\n private createUserAgent(options: WorkOSOptions): string {\n let userAgent: string = `workos-node/${VERSION}`;\n\n const { name: runtimeName, version: runtimeVersion } = getRuntimeInfo();\n userAgent += ` (${runtimeName}${runtimeVersion ? `/${runtimeVersion}` : ''})`;\n\n if (options.appInfo) {\n const { name, version } = options.appInfo;\n userAgent += ` ${name}: ${version}`;\n }\n\n return userAgent;\n }\n\n createWebhookClient() {\n return new Webhooks(this.getCryptoProvider());\n }\n\n createActionsClient() {\n return new Actions(this.getCryptoProvider());\n }\n\n getCryptoProvider(): CryptoProvider {\n return new SubtleCryptoProvider();\n }\n\n createHttpClient(options: WorkOSOptions, userAgent: string) {\n const headers: Record<string, string> = {\n 'User-Agent': userAgent,\n };\n\n const configHeaders = options.config?.headers;\n if (\n configHeaders &&\n typeof configHeaders === 'object' &&\n !Array.isArray(configHeaders) &&\n !(configHeaders instanceof Headers)\n ) {\n Object.assign(headers, configHeaders);\n }\n\n if (this.key) {\n headers['Authorization'] = `Bearer ${this.key}`;\n }\n\n return new FetchHttpClient(this.baseURL, {\n ...options.config,\n timeout: options.timeout,\n headers,\n }) as HttpClient;\n }\n\n get version() {\n return VERSION;\n }\n\n /\n Require API key for methods that need it.\n * @param methodName - Name of the method requiring API key (for error message)\n * @throws ApiKeyRequiredException if no API key was provided\n */\n requireApiKey(methodName: string): void {\n if (!this.hasApiKey) {\n throw new ApiKeyRequiredException(methodName);\n }\n }\n\n async post<Result = any, Entity = any>(\n path: string,\n entity: Entity,\n options: PostOptions = {},\n ): Promise<{ data: Result }> {\n if (!options.skipApiKeyCheck) {\n this.requireApiKey(path);\n }\n\n const requestHeaders: Record<string, string> = {};\n\n if (options.idempotencyKey) {\n requestHeaders[HEADER_IDEMPOTENCY_KEY] = options.idempotencyKey;\n }\n\n if (options.warrantToken) {\n requestHeaders[HEADER_WARRANT_TOKEN] = options.warrantToken;\n }\n\n let res: HttpClientResponseInterface;\n\n try {\n res = await this.client.post<Entity>(path, entity, {\n params: options.query,\n headers: requestHeaders,\n });\n } catch (error) {\n this.handleHttpError({ path, error });\n throw error;\n }\n\n try {\n return { data: await res.toJSON() };\n } catch (error) {\n await this.handleParseError(error, res);\n throw error;\n }\n }\n\n async get<Result = any>(\n path: string,\n options: GetOptions = {},\n ): Promise<{ data: Result }> {\n if (!options.skipApiKeyCheck) {\n this.requireApiKey(path);\n }\n\n const requestHeaders: Record<string, string> = {};\n\n if (options.accessToken) {\n requestHeaders[HEADER_AUTHORIZATION] = `Bearer ${options.accessToken}`;\n }\n\n if (options.warrantToken) {\n requestHeaders[HEADER_WARRANT_TOKEN] = options.warrantToken;\n }\n\n let res: HttpClientResponseInterface;\n try {\n res = await this.client.get(path, {\n params: options.query,\n headers: requestHeaders,\n });\n } catch (error) {\n this.handleHttpError({ path, error });\n\n throw error;\n }\n\n try {\n return { data: await res.toJSON() };\n } catch (error) {\n await this.handleParseError(error, res);\n throw error;\n }\n }\n\n async put<Result = any, Entity = any>(\n path: string,\n entity: Entity,\n options: PutOptions = {},\n ): Promise<{ data: Result }> {\n if (!options.skipApiKeyCheck) {\n this.requireApiKey(path);\n }\n\n const requestHeaders: Record<string, string> = {};\n\n if (options.idempotencyKey) {\n requestHeaders[HEADER_IDEMPOTENCY_KEY] = options.idempotencyKey;\n }\n\n let res: HttpClientResponseInterface;\n\n try {\n res = await this.client.put<Entity>(path, entity, {\n params: options.query,\n headers: requestHeaders,\n });\n } catch (error) {\n this.handleHttpError({ path, error });\n\n throw error;\n }\n\n try {\n return { data: await res.toJSON() };\n } catch (error) {\n await this.handleParseError(error, res);\n throw error;\n }\n }\n\n async delete(path: string, query?: any): Promise<void> {\n this.requireApiKey(path);\n\n try {\n await this.client.delete(path, {\n params: query,\n });\n } catch (error) {\n this.handleHttpError({ path, error });\n\n throw error;\n }\n }\n\n emitWarning(warning: string) {\n // tslint:disable-next-line:no-console\n console.warn(`WorkOS: ${warning}`);\n }\n\n private async handleParseError(\n error: unknown,\n res: HttpClientResponseInterface,\n ) {\n if (error instanceof SyntaxError) {\n const rawResponse = res.getRawResponse() as Response;\n const requestID = rawResponse.headers.get('X-Request-ID') ?? '';\n const rawStatus = rawResponse.status;\n const rawBody = await rawResponse.text();\n throw new ParseError({\n message: error.message,\n rawBody,\n rawStatus,\n requestID,\n });\n }\n }\n\n private handleHttpError({ path, error }: { path: string; error: unknown }) {\n if (!(error instanceof HttpClientError)) {\n throw new Error(`Unexpected error: ${error}`, { cause: error });\n }\n\n const { response } = error as HttpClientError<WorkOSResponseError>;\n\n if (response) {\n const { status, data, headers } = response;\n\n const requestID = headers['X-Request-ID'] ?? '';\n const {\n code,\n error_description: errorDescription,\n error,\n errors,\n message,\n } = data;\n\n switch (status) {\n case 401: {\n throw new UnauthorizedException(requestID);\n }\n case 409: {\n throw new ConflictException({ requestID, message, error });\n }\n case 422: {\n throw new UnprocessableEntityException({\n code,\n errors,\n message,\n requestID,\n });\n }\n case 404: {\n throw new NotFoundException({\n code,\n message,\n path,\n requestID,\n });\n }\n case 429: {\n const retryAfter = headers.get('Retry-After');\n\n throw new RateLimitExceededException(\n data.message,\n requestID,\n retryAfter ? Number(retryAfter) : null,\n );\n }\n default: {\n if (error \|\| errorDescription) {\n throw new OauthException(\n status,\n requestID,\n error,\n errorDescription,\n data,\n );\n } else if (code && errors) {\n // Note: ideally this should be mapped directly with a `400` status code.\n // However, this would break existing logic for the `OauthException` exception.\n throw new BadRequestException({\n code,\n errors,\n message,\n requestID,\n });\n } else {\n throw new GenericServerException(\n status,\n data.message,\n data,\n requestID,\n );\n }\n }\n }\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA+CA,MAAM,UAAU;AAEhB,MAAM,mBAAmB;AAEzB,MAAM,uBAAuB;AAC7B,MAAM,yBAAyB;AAC/B,MAAM,uBAAuB;AAE7B,IAAa,SAAb,MAAoB;CAClB,AAAS;CACT,AAAS;CACT,AAAS;CACT,AAAS;CACT,AAAS;CACT,AAAS;CAET,AAAiB;CAEjB,AAAS;CACT,AAAS,UAAU,IAAI,QAAQ,KAAK;CACpC,AAAS,YAAY,IAAI,UAAU,KAAK;CACxC,AAAS,gBAAgB,IAAI,cAAc,KAAK;CAChD,AAAS,SAAS,IAAI,OAAO,KAAK;CAClC,AAAS,eAAe,IAAI,aAAa,KAAK;CAC9C,AAAS,MAAM,IAAI,IAAI,KAAK;CAC5B,AAAS,MAAM,IAAI,IAAI,KAAK;CAC5B,AAAS,gBAAgB,IAAI,cAAc,KAAK;CAChD,AAAS,sBAAsB,IAAI,oBAAoB,KAAK;CAC5D,AAAS,eAAe,IAAI,aAAa,KAAK;CAC9C,AAAS,QAAQ,IAAI,MAAM,KAAK;CAChC,AAAS,SAAS,IAAI,OAAO,KAAK;CAClC,AAAS,MAAM,IAAI,IAAI,KAAK;CAC5B,AAAS;CACT,AAAS,QAAQ,IAAI,MAAM,KAAK;CAChC,AAAS;CACT,AAAS,UAAU,IAAI,QAAQ,KAAK;;;;;;;;;;;;;;;;;;;CAoBpC,YACE,cACA,cACA;AACA,MAAI,OAAO,iBAAiB,UAAU;AACpC,QAAK,MAAM,aAAa;AACxB,QAAK,UAAU;SACV;AACL,QAAK,MAAM;AACX,QAAK,UAAU,gBAAgB,EAAE;;AAGnC,MAAI,CAAC,KAAK,IACR,MAAK,MAAM,OAAO,iBAAiB;AAGrC,OAAK,YAAY,CAAC,CAAC,KAAK;AAExB,MAAI,KAAK,QAAQ,UAAU,OACzB,MAAK,QAAQ,QAAQ;AAGvB,OAAK,WAAW,KAAK,QAAQ;AAC7B,MAAI,CAAC,KAAK,SACR,MAAK,WAAW,OAAO,mBAAmB;AAG5C,MAAI,CAAC,KAAK,aAAa,CAAC,KAAK,SAC3B,OAAM,IAAI,MACR,oMAGD;EAGH,MAAMA,WAAmB,KAAK,QAAQ,QAAQ,UAAU;EACxD,MAAMC,cAAsB,KAAK,QAAQ,eAAe;EACxD,MAAMC,OAA2B,KAAK,QAAQ;AAC9C,OAAK,UAAU,GAAG,SAAS,KAAK;AAEhC,MAAI,KACF,MAAK,UAAU,KAAK,UAAU,IAAI;AAGpC,OAAK,OAAO,IAAI,MAAM;AAEtB,OAAK,WAAW,KAAK,qBAAqB;AAC1C,OAAK,UAAU,KAAK,qBAAqB;AAGzC,OAAK,iBAAiB,IAAI,eAAe,KAAK;EAE9C,MAAM,YAAY,KAAK,gBAAgB,KAAK,QAAQ;AAEpD,OAAK,SAAS,KAAK,iBAAiB,KAAK,SAAS,UAAU;;CAG9D,AAAQ,gBAAgB,SAAgC;EACtD,IAAIC,YAAoB,eAAe;EAEvC,MAAM,EAAE,MAAM,aAAa,SAAS,mBAAmB,gBAAgB;AACvE,eAAa,KAAK,cAAc,iBAAiB,IAAI,mBAAmB,GAAG;AAE3E,MAAI,QAAQ,SAAS;GACnB,MAAM,EAAE,MAAM,YAAY,QAAQ;AAClC,gBAAa,IAAI,KAAK,IAAI;;AAG5B,SAAO;;CAGT,sBAAsB;AACpB,SAAO,IAAI,SAAS,KAAK,mBAAmB,CAAC;;CAG/C,sBAAsB;AACpB,SAAO,IAAI,QAAQ,KAAK,mBAAmB,CAAC;;CAG9C,oBAAoC;AAClC,SAAO,IAAI,sBAAsB;;CAGnC,iBAAiB,SAAwB,WAAmB;EAC1D,MAAMC,UAAkC,EACtC,cAAc,WACf;EAED,MAAM,gBAAgB,QAAQ,QAAQ;AACtC,MACE,iBACA,OAAO,kBAAkB,YACzB,CAAC,MAAM,QAAQ,cAAc,IAC7B,EAAE,yBAAyB,SAE3B,QAAO,OAAO,SAAS,cAAc;AAGvC,MAAI,KAAK,IACP,SAAQ,mBAAmB,UAAU,KAAK;AAG5C,SAAO,IAAI,gBAAgB,KAAK,SAAS;GACvC,GAAG,QAAQ;GACX,SAAS,QAAQ;GACjB;GACD,CAAC;;CAGJ,IAAI,UAAU;AACZ,SAAO;;;;;;;CAQT,cAAc,YAA0B;AACtC,MAAI,CAAC,KAAK,UACR,OAAM,IAAI,wBAAwB,WAAW;;CAIjD,MAAM,KACJ,MACA,QACA,UAAuB,EAAE,EACE;AAC3B,MAAI,CAAC,QAAQ,gBACX,MAAK,cAAc,KAAK;EAG1B,MAAMC,iBAAyC,EAAE;AAEjD,MAAI,QAAQ,eACV,gBAAe,0BAA0B,QAAQ;AAGnD,MAAI,QAAQ,aACV,gBAAe,wBAAwB,QAAQ;EAGjD,IAAIC;AAEJ,MAAI;AACF,SAAM,MAAM,KAAK,OAAO,KAAa,MAAM,QAAQ;IACjD,QAAQ,QAAQ;IAChB,SAAS;IACV,CAAC;WACK,OAAO;AACd,QAAK,gBAAgB;IAAE;IAAM;IAAO,CAAC;AACrC,SAAM;;AAGR,MAAI;AACF,UAAO,EAAE,MAAM,MAAM,IAAI,QAAQ,EAAE;WAC5B,OAAO;AACd,SAAM,KAAK,iBAAiB,OAAO,IAAI;AACvC,SAAM;;;CAIV,MAAM,IACJ,MACA,UAAsB,EAAE,EACG;AAC3B,MAAI,CAAC,QAAQ,gBACX,MAAK,cAAc,KAAK;EAG1B,MAAMD,iBAAyC,EAAE;AAEjD,MAAI,QAAQ,YACV,gBAAe,wBAAwB,UAAU,QAAQ;AAG3D,MAAI,QAAQ,aACV,gBAAe,wBAAwB,QAAQ;EAGjD,IAAIC;AACJ,MAAI;AACF,SAAM,MAAM,KAAK,OAAO,IAAI,MAAM;IAChC,QAAQ,QAAQ;IAChB,SAAS;IACV,CAAC;WACK,OAAO;AACd,QAAK,gBAAgB;IAAE;IAAM;IAAO,CAAC;AAErC,SAAM;;AAGR,MAAI;AACF,UAAO,EAAE,MAAM,MAAM,IAAI,QAAQ,EAAE;WAC5B,OAAO;AACd,SAAM,KAAK,iBAAiB,OAAO,IAAI;AACvC,SAAM;;;CAIV,MAAM,IACJ,MACA,QACA,UAAsB,EAAE,EACG;AAC3B,MAAI,CAAC,QAAQ,gBACX,MAAK,cAAc,KAAK;EAG1B,MAAMD,iBAAyC,EAAE;AAEjD,MAAI,QAAQ,eACV,gBAAe,0BAA0B,QAAQ;EAGnD,IAAIC;AAEJ,MAAI;AACF,SAAM,MAAM,KAAK,OAAO,IAAY,MAAM,QAAQ;IAChD,QAAQ,QAAQ;IAChB,SAAS;IACV,CAAC;WACK,OAAO;AACd,QAAK,gBAAgB;IAAE;IAAM;IAAO,CAAC;AAErC,SAAM;;AAGR,MAAI;AACF,UAAO,EAAE,MAAM,MAAM,IAAI,QAAQ,EAAE;WAC5B,OAAO;AACd,SAAM,KAAK,iBAAiB,OAAO,IAAI;AACvC,SAAM;;;CAIV,MAAM,OAAO,MAAc,OAA4B;AACrD,OAAK,cAAc,KAAK;AAExB,MAAI;AACF,SAAM,KAAK,OAAO,OAAO,MAAM,EAC7B,QAAQ,OACT,CAAC;WACK,OAAO;AACd,QAAK,gBAAgB;IAAE;IAAM;IAAO,CAAC;AAErC,SAAM;;;CAIV,YAAY,SAAiB;AAE3B,UAAQ,KAAK,WAAW,UAAU;;CAGpC,MAAc,iBACZ,OACA,KACA;AACA,MAAI,iBAAiB,aAAa;GAChC,MAAM,cAAc,IAAI,gBAAgB;GACxC,MAAM,YAAY,YAAY,QAAQ,IAAI,eAAe,IAAI;GAC7D,MAAM,YAAY,YAAY;GAC9B,MAAM,UAAU,MAAM,YAAY,MAAM;AACxC,SAAM,IAAI,WAAW;IACnB,SAAS,MAAM;IACf;IACA;IACA;IACD,CAAC;;;CAIN,AAAQ,gBAAgB,EAAE,MAAM,SAA2C;AACzE,MAAI,EAAE,iBAAiB,iBACrB,OAAM,IAAI,MAAM,qBAAqB,SAAS,EAAE,OAAO,OAAO,CAAC;EAGjE,MAAM,EAAE,aAAa;AAErB,MAAI,UAAU;GACZ,MAAM,EAAE,QAAQ,MAAM,YAAY;GAElC,MAAM,YAAY,QAAQ,mBAAmB;GAC7C,MAAM,EACJ,MACA,mBAAmB,kBACnB,gBACA,QACA,YACE;AAEJ,WAAQ,QAAR;IACE,KAAK,IACH,OAAM,IAAI,sBAAsB,UAAU;IAE5C,KAAK,IACH,OAAM,IAAI,kBAAkB;KAAE;KAAW;KAAS;KAAO,CAAC;IAE5D,KAAK,IACH,OAAM,IAAI,6BAA6B;KACrC;KACA;KACA;KACA;KACD,CAAC;IAEJ,KAAK,IACH,OAAM,IAAI,kBAAkB;KAC1B;KACA;KACA;KACA;KACD,CAAC;IAEJ,KAAK,KAAK;KACR,MAAM,aAAa,QAAQ,IAAI,cAAc;AAE7C,WAAM,IAAI,2BACR,KAAK,SACL,WACA,aAAa,OAAO,WAAW,GAAG,KACnC;;IAEH,QACE,KAAIC,WAAS,iBACX,OAAM,IAAI,eACR,QACA,WACAA,SACA,kBACA,KACD;aACQ,QAAQ,OAGjB,OAAM,IAAI,oBAAoB;KAC5B;KACA;KACA;KACA;KACD,CAAC;QAEF,OAAM,IAAI,uBACR,QACA,KAAK,SACL,MACA,UACD"}

package/package.json CHANGED Viewed

@@ -1,9 +1,9 @@
 {
-  "version": "8.0.0-rc.6",
+  "version": "8.0.0-rc.8",
   "name": "@workos-inc/node",
   "author": "WorkOS",
   "description": "A Node wrapper for the WorkOS API",
-  "homepage": "https://github.com/workos-inc/workos-node",
+  "homepage": "https://github.com/workos/workos-node",
   "license": "MIT",
   "keywords": [
     "workos"
@@ -21,10 +21,10 @@
   ],
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/workos-inc/workos-node.git"
+    "url": "git+https://github.com/workos/workos-node.git"
   },
   "bugs": {
-    "url": "https://github.com/workos-inc/workos-node/issues"
+    "url": "https://github.com/workos/workos-node/issues"
   },
   "scripts": {
     "clean": "rm -rf lib",
@@ -50,24 +50,18 @@
     "@babel/preset-env": "^7.26.9",
     "@babel/preset-typescript": "^7.27.0",
     "@eslint/js": "^9.37.0",
-    "@types/cookie": "^0.6.0",
-    "@types/glob": "^8.1.0",
     "@types/jest": "^30.0.0",
     "@types/node": "~20",
-    "@types/qs": "^6.14.0",
     "@typescript-eslint/parser": "^8.46.0",
     "babel-jest": "^30.2.0",
     "eslint": "^9.37.0",
     "eslint-plugin-jest": "^29.0.1",
     "eslint-plugin-n": "^17.23.1",
-    "glob": "^11.0.3",
     "jest": "30.2.0",
     "jest-environment-miniflare": "^2.14.2",
     "jest-fetch-mock": "^3.0.3",
     "miniflare": "^4.20251004.0",
-    "nock": "^14.0.10",
     "prettier": "^3.5.3",
-    "supertest": "^7.1.4",
     "ts-jest": "29.4.4",
     "tsdown": "^0.17.0",
     "tsx": "^4.20.6",
@@ -110,17 +104,6 @@
       },
       "default": "./lib/index.js"
     },
-    "./client": {
-      "import": {
-        "types": "./lib/index.client.d.ts",
-        "default": "./lib/index.client.js"
-      },
-      "require": {
-        "types": "./lib/index.client.d.cts",
-        "default": "./lib/index.client.cjs"
-      },
-      "default": "./lib/index.client.js"
-    },
     "./worker": {
       "import": {
         "types": "./lib/index.worker.d.ts",

package/lib/_virtual/rolldown_runtime.cjs DELETED Viewed

@@ -1,19 +0,0 @@
-//#region rolldown:runtime
-var __defProp = Object.defineProperty;
-var __export = (all, symbols) => {
-	let target = {};
-	for (var name in all) {
-		__defProp(target, name, {
-			get: all[name],
-			enumerable: true
-		});
-	}
-	if (symbols) {
-		__defProp(target, Symbol.toStringTag, { value: "Module" });
-	}
-	return target;
-};
-//#endregion
-exports.__export = __export;

package/lib/_virtual/rolldown_runtime.js DELETED Viewed

@@ -1,18 +0,0 @@
-//#region rolldown:runtime
-var __defProp = Object.defineProperty;
-var __export = (all, symbols) => {
-	let target = {};
-	for (var name in all) {
-		__defProp(target, name, {
-			get: all[name],
-			enumerable: true
-		});
-	}
-	if (symbols) {
-		__defProp(target, Symbol.toStringTag, { value: "Module" });
-	}
-	return target;
-};
-//#endregion
-export { __export };

package/lib/client/index.cjs DELETED Viewed

@@ -1,15 +0,0 @@
-const require_client_user_management = require('./user-management.cjs');
-const require_client_sso = require('./sso.cjs');
-Object.defineProperty(exports, 'sso', {
-  enumerable: true,
-  get: function () {
-    return require_client_sso.sso_exports;
-  }
-});
-Object.defineProperty(exports, 'userManagement', {
-  enumerable: true,
-  get: function () {
-    return require_client_user_management.user_management_exports;
-  }
-});

package/lib/client/index.d.cts DELETED Viewed

@@ -1,3 +0,0 @@
-import { AuthorizationURLOptions, LogoutURLOptions, user_management_d_exports } from "./user-management.cjs";
-import { SSOAuthorizationURLOptions, sso_d_exports } from "./sso.cjs";
-export { type LogoutURLOptions, type SSOAuthorizationURLOptions, type AuthorizationURLOptions as UserManagementAuthorizationURLOptions, sso_d_exports as sso, user_management_d_exports as userManagement };

package/lib/client/index.d.ts DELETED Viewed

@@ -1,3 +0,0 @@
-import { AuthorizationURLOptions, LogoutURLOptions, user_management_d_exports } from "./user-management.js";
-import { SSOAuthorizationURLOptions, sso_d_exports } from "./sso.js";
-export { type LogoutURLOptions, type SSOAuthorizationURLOptions, type AuthorizationURLOptions as UserManagementAuthorizationURLOptions, sso_d_exports as sso, user_management_d_exports as userManagement };

package/lib/client/index.js DELETED Viewed

@@ -1,4 +0,0 @@
-import { user_management_exports } from "./user-management.js";
-import { sso_exports } from "./sso.js";
-export { sso_exports as sso, user_management_exports as userManagement };

package/lib/client/sso.cjs DELETED Viewed

@@ -1,40 +0,0 @@
-const require_rolldown_runtime = require('../_virtual/rolldown_runtime.cjs');
-const require_common_utils_query_string = require('../common/utils/query-string.cjs');
-//#region src/client/sso.ts
-var sso_exports = /* @__PURE__ */ require_rolldown_runtime.__export({ getAuthorizationUrl: () => getAuthorizationUrl });
-/**
-* Generates the authorization URL for SSO authentication.
-* Does not require an API key, suitable for OAuth client operations.
-*
-* @param options - SSO authorization URL options
-* @returns The authorization URL as a string
-* @throws Error if required arguments are missing
-*/
-function getAuthorizationUrl(options) {
-	const { connection, clientId, domainHint, loginHint, organization, provider, providerQueryParams, providerScopes, redirectUri, state, baseURL = "https://api.workos.com" } = options;
-	if (!provider && !connection && !organization) throw new Error(`Incomplete arguments. Need to specify either a 'connection', 'organization', or 'provider'.`);
-	return `${baseURL}/sso/authorize?${require_common_utils_query_string.toQueryString({
-		connection,
-		organization,
-		domain_hint: domainHint,
-		login_hint: loginHint,
-		provider,
-		provider_query_params: providerQueryParams,
-		provider_scopes: providerScopes,
-		client_id: clientId,
-		redirect_uri: redirectUri,
-		response_type: "code",
-		state
-	})}`;
-}
-//#endregion
-exports.getAuthorizationUrl = getAuthorizationUrl;
-Object.defineProperty(exports, 'sso_exports', {
-  enumerable: true,
-  get: function () {
-    return sso_exports;
-  }
-});
-//# sourceMappingURL=sso.cjs.map

package/lib/client/sso.cjs.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"sso.cjs","names":["toQueryString"],"sources":["../../src/client/sso.ts"],"sourcesContent":["import { toQueryString } from '../common/utils/query-string';\nimport type { SSOAuthorizationURLOptions as BaseSSOAuthorizationURLOptions } from '../sso/interfaces';\n\n// Extend the base options to include baseURL for internal use\nexport type SSOAuthorizationURLOptions = BaseSSOAuthorizationURLOptions & {\n baseURL?: string;\n};\n\n/**\n * Generates the authorization URL for SSO authentication.\n * Does not require an API key, suitable for OAuth client operations.\n *\n * @param options - SSO authorization URL options\n * @returns The authorization URL as a string\n * @throws Error if required arguments are missing\n */\nexport function getAuthorizationUrl(\n options: SSOAuthorizationURLOptions,\n): string {\n const {\n connection,\n clientId,\n domainHint,\n loginHint,\n organization,\n provider,\n providerQueryParams,\n providerScopes,\n redirectUri,\n state,\n baseURL = 'https://api.workos.com',\n } = options;\n\n if (!provider && !connection && !organization) {\n throw new Error(\n `Incomplete arguments. Need to specify either a 'connection', 'organization', or 'provider'.`,\n );\n }\n\n const query = toQueryString({\n connection,\n organization,\n domain_hint: domainHint,\n login_hint: loginHint,\n provider,\n provider_query_params: providerQueryParams,\n provider_scopes: providerScopes,\n client_id: clientId,\n redirect_uri: redirectUri,\n response_type: 'code',\n state,\n });\n\n return `${baseURL}/sso/authorize?${query}`;\n}\n"],"mappings":";;;;;;;;;;;;;AAgBA,SAAgB,oBACd,SACQ;CACR,MAAM,EACJ,YACA,UACA,YACA,WACA,cACA,UACA,qBACA,gBACA,aACA,OACA,UAAU,6BACR;AAEJ,KAAI,CAAC,YAAY,CAAC,cAAc,CAAC,aAC/B,OAAM,IAAI,MACR,8FACD;AAiBH,QAAO,GAAG,QAAQ,iBAdJA,gDAAc;EAC1B;EACA;EACA,aAAa;EACb,YAAY;EACZ;EACA,uBAAuB;EACvB,iBAAiB;EACjB,WAAW;EACX,cAAc;EACd,eAAe;EACf;EACD,CAAC"}

package/lib/client/sso.d.cts DELETED Viewed

@@ -1,21 +0,0 @@
-import { SSOAuthorizationURLOptions as SSOAuthorizationURLOptions$1 } from "../sso/interfaces/authorization-url-options.interface.cjs";
-//#region src/client/sso.d.ts
-declare namespace sso_d_exports {
-  export { SSOAuthorizationURLOptions, getAuthorizationUrl };
-}
-type SSOAuthorizationURLOptions = SSOAuthorizationURLOptions$1 & {
-  baseURL?: string;
-};
-/**
- * Generates the authorization URL for SSO authentication.
- * Does not require an API key, suitable for OAuth client operations.
- *
- * @param options - SSO authorization URL options
- * @returns The authorization URL as a string
- * @throws Error if required arguments are missing
- */
-declare function getAuthorizationUrl(options: SSOAuthorizationURLOptions): string;
-//#endregion
-export { SSOAuthorizationURLOptions, getAuthorizationUrl, sso_d_exports };
-//# sourceMappingURL=sso.d.cts.map

package/lib/client/sso.d.ts DELETED Viewed

@@ -1,21 +0,0 @@
-import { SSOAuthorizationURLOptions as SSOAuthorizationURLOptions$1 } from "../sso/interfaces/authorization-url-options.interface.js";
-//#region src/client/sso.d.ts
-declare namespace sso_d_exports {
-  export { SSOAuthorizationURLOptions, getAuthorizationUrl };
-}
-type SSOAuthorizationURLOptions = SSOAuthorizationURLOptions$1 & {
-  baseURL?: string;
-};
-/**
- * Generates the authorization URL for SSO authentication.
- * Does not require an API key, suitable for OAuth client operations.
- *
- * @param options - SSO authorization URL options
- * @returns The authorization URL as a string
- * @throws Error if required arguments are missing
- */
-declare function getAuthorizationUrl(options: SSOAuthorizationURLOptions): string;
-//#endregion
-export { SSOAuthorizationURLOptions, getAuthorizationUrl, sso_d_exports };
-//# sourceMappingURL=sso.d.ts.map

package/lib/client/sso.js DELETED Viewed

@@ -1,34 +0,0 @@
-import { __export } from "../_virtual/rolldown_runtime.js";
-import { toQueryString } from "../common/utils/query-string.js";
-//#region src/client/sso.ts
-var sso_exports = /* @__PURE__ */ __export({ getAuthorizationUrl: () => getAuthorizationUrl });
-/**
-* Generates the authorization URL for SSO authentication.
-* Does not require an API key, suitable for OAuth client operations.
-*
-* @param options - SSO authorization URL options
-* @returns The authorization URL as a string
-* @throws Error if required arguments are missing
-*/
-function getAuthorizationUrl(options) {
-	const { connection, clientId, domainHint, loginHint, organization, provider, providerQueryParams, providerScopes, redirectUri, state, baseURL = "https://api.workos.com" } = options;
-	if (!provider && !connection && !organization) throw new Error(`Incomplete arguments. Need to specify either a 'connection', 'organization', or 'provider'.`);
-	return `${baseURL}/sso/authorize?${toQueryString({
-		connection,
-		organization,
-		domain_hint: domainHint,
-		login_hint: loginHint,
-		provider,
-		provider_query_params: providerQueryParams,
-		provider_scopes: providerScopes,
-		client_id: clientId,
-		redirect_uri: redirectUri,
-		response_type: "code",
-		state
-	})}`;
-}
-//#endregion
-export { getAuthorizationUrl, sso_exports };
-//# sourceMappingURL=sso.js.map

package/lib/client/sso.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"sso.js","names":[],"sources":["../../src/client/sso.ts"],"sourcesContent":["import { toQueryString } from '../common/utils/query-string';\nimport type { SSOAuthorizationURLOptions as BaseSSOAuthorizationURLOptions } from '../sso/interfaces';\n\n// Extend the base options to include baseURL for internal use\nexport type SSOAuthorizationURLOptions = BaseSSOAuthorizationURLOptions & {\n baseURL?: string;\n};\n\n/**\n * Generates the authorization URL for SSO authentication.\n * Does not require an API key, suitable for OAuth client operations.\n *\n * @param options - SSO authorization URL options\n * @returns The authorization URL as a string\n * @throws Error if required arguments are missing\n */\nexport function getAuthorizationUrl(\n options: SSOAuthorizationURLOptions,\n): string {\n const {\n connection,\n clientId,\n domainHint,\n loginHint,\n organization,\n provider,\n providerQueryParams,\n providerScopes,\n redirectUri,\n state,\n baseURL = 'https://api.workos.com',\n } = options;\n\n if (!provider && !connection && !organization) {\n throw new Error(\n `Incomplete arguments. Need to specify either a 'connection', 'organization', or 'provider'.`,\n );\n }\n\n const query = toQueryString({\n connection,\n organization,\n domain_hint: domainHint,\n login_hint: loginHint,\n provider,\n provider_query_params: providerQueryParams,\n provider_scopes: providerScopes,\n client_id: clientId,\n redirect_uri: redirectUri,\n response_type: 'code',\n state,\n });\n\n return `${baseURL}/sso/authorize?${query}`;\n}\n"],"mappings":";;;;;;;;;;;;;AAgBA,SAAgB,oBACd,SACQ;CACR,MAAM,EACJ,YACA,UACA,YACA,WACA,cACA,UACA,qBACA,gBACA,aACA,OACA,UAAU,6BACR;AAEJ,KAAI,CAAC,YAAY,CAAC,cAAc,CAAC,aAC/B,OAAM,IAAI,MACR,8FACD;AAiBH,QAAO,GAAG,QAAQ,iBAdJ,cAAc;EAC1B;EACA;EACA,aAAa;EACb,YAAY;EACZ;EACA,uBAAuB;EACvB,iBAAiB;EACjB,WAAW;EACX,cAAc;EACd,eAAe;EACf;EACD,CAAC"}

package/lib/client/user-management.cjs DELETED Viewed

@@ -1,80 +0,0 @@
-const require_rolldown_runtime = require('../_virtual/rolldown_runtime.cjs');
-const require_common_utils_query_string = require('../common/utils/query-string.cjs');
-//#region src/client/user-management.ts
-var user_management_exports = /* @__PURE__ */ require_rolldown_runtime.__export({
-	getAuthorizationUrl: () => getAuthorizationUrl,
-	getJwksUrl: () => getJwksUrl,
-	getLogoutUrl: () => getLogoutUrl
-});
-/**
-* Generates the authorization URL for OAuth client authentication.
-* Suitable for PKCE flows and other OAuth client operations that don't require an API key.
-*
-* @param options - Authorization URL options
-* @returns The authorization URL as a string
-* @throws TypeError if required arguments are missing
-*/
-function getAuthorizationUrl(options) {
-	const { connectionId, codeChallenge, codeChallengeMethod, clientId, domainHint, loginHint, organizationId, provider, providerQueryParams, providerScopes, prompt, redirectUri, state, screenHint, baseURL = "https://api.workos.com" } = options;
-	if (!provider && !connectionId && !organizationId) throw new TypeError(`Incomplete arguments. Need to specify either a 'connectionId', 'organizationId', or 'provider'.`);
-	if (provider !== "authkit" && screenHint) throw new TypeError(`'screenHint' is only supported for 'authkit' provider`);
-	return `${baseURL}/user_management/authorize?${require_common_utils_query_string.toQueryString({
-		connection_id: connectionId,
-		code_challenge: codeChallenge,
-		code_challenge_method: codeChallengeMethod,
-		organization_id: organizationId,
-		domain_hint: domainHint,
-		login_hint: loginHint,
-		provider,
-		provider_query_params: providerQueryParams,
-		provider_scopes: providerScopes,
-		prompt,
-		client_id: clientId,
-		redirect_uri: redirectUri,
-		response_type: "code",
-		state,
-		screen_hint: screenHint
-	})}`;
-}
-/**
-* Generates the logout URL for ending a user session.
-* This method is safe to use in browser environments as it doesn't require an API key.
-*
-* @param options - Logout URL options
-* @returns The logout URL as a string
-* @throws TypeError if sessionId is not provided
-*/
-function getLogoutUrl(options) {
-	const { sessionId, returnTo, baseURL = "https://api.workos.com" } = options;
-	if (!sessionId) throw new TypeError(`Incomplete arguments. Need to specify 'sessionId'.`);
-	const url = new URL("/user_management/sessions/logout", baseURL);
-	url.searchParams.set("session_id", sessionId);
-	if (returnTo) url.searchParams.set("return_to", returnTo);
-	return url.toString();
-}
-/**
-* Gets the JWKS (JSON Web Key Set) URL for a given client ID.
-* Does not require an API key, returns the public JWKS endpoint.
-*
-* @param clientId - The WorkOS client ID
-* @param baseURL - Optional base URL for the API (defaults to https://api.workos.com)
-* @returns The JWKS URL as a string
-* @throws TypeError if clientId is not provided
-*/
-function getJwksUrl(clientId, baseURL = "https://api.workos.com") {
-	if (!clientId) throw new TypeError("clientId must be a valid clientId");
-	return `${baseURL}/sso/jwks/${clientId}`;
-}
-//#endregion
-exports.getAuthorizationUrl = getAuthorizationUrl;
-exports.getJwksUrl = getJwksUrl;
-exports.getLogoutUrl = getLogoutUrl;
-Object.defineProperty(exports, 'user_management_exports', {
-  enumerable: true,
-  get: function () {
-    return user_management_exports;
-  }
-});
-//# sourceMappingURL=user-management.cjs.map

package/lib/client/user-management.cjs.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"user-management.cjs","names":["toQueryString"],"sources":["../../src/client/user-management.ts"],"sourcesContent":["import { toQueryString } from '../common/utils/query-string';\n\n// Re-export necessary interfaces for client use\nexport interface AuthorizationURLOptions {\n clientId: string;\n codeChallenge?: string;\n codeChallengeMethod?: 'S256';\n connectionId?: string;\n organizationId?: string;\n domainHint?: string;\n loginHint?: string;\n provider?: string;\n providerQueryParams?: Record<string, string | boolean | number>;\n providerScopes?: string[];\n prompt?: string;\n redirectUri: string;\n state?: string;\n screenHint?: 'sign-up' | 'sign-in';\n}\n\nexport interface LogoutURLOptions {\n sessionId: string;\n returnTo?: string;\n}\n\n/**\n * Generates the authorization URL for OAuth client authentication.\n * Suitable for PKCE flows and other OAuth client operations that don't require an API key.\n *\n * @param options - Authorization URL options\n * @returns The authorization URL as a string\n * @throws TypeError if required arguments are missing\n */\nexport function getAuthorizationUrl(\n options: AuthorizationURLOptions & { baseURL?: string },\n): string {\n const {\n connectionId,\n codeChallenge,\n codeChallengeMethod,\n clientId,\n domainHint,\n loginHint,\n organizationId,\n provider,\n providerQueryParams,\n providerScopes,\n prompt,\n redirectUri,\n state,\n screenHint,\n baseURL = 'https://api.workos.com',\n } = options;\n\n if (!provider && !connectionId && !organizationId) {\n throw new TypeError(\n `Incomplete arguments. Need to specify either a 'connectionId', 'organizationId', or 'provider'.`,\n );\n }\n\n if (provider !== 'authkit' && screenHint) {\n throw new TypeError(\n `'screenHint' is only supported for 'authkit' provider`,\n );\n }\n\n const query = toQueryString({\n connection_id: connectionId,\n code_challenge: codeChallenge,\n code_challenge_method: codeChallengeMethod,\n organization_id: organizationId,\n domain_hint: domainHint,\n login_hint: loginHint,\n provider,\n provider_query_params: providerQueryParams,\n provider_scopes: providerScopes,\n prompt,\n client_id: clientId,\n redirect_uri: redirectUri,\n response_type: 'code',\n state,\n screen_hint: screenHint,\n });\n\n return `${baseURL}/user_management/authorize?${query}`;\n}\n\n/**\n * Generates the logout URL for ending a user session.\n * This method is safe to use in browser environments as it doesn't require an API key.\n *\n * @param options - Logout URL options\n * @returns The logout URL as a string\n * @throws TypeError if sessionId is not provided\n */\nexport function getLogoutUrl(\n options: LogoutURLOptions & { baseURL?: string },\n): string {\n const { sessionId, returnTo, baseURL = 'https://api.workos.com' } = options;\n\n if (!sessionId) {\n throw new TypeError(`Incomplete arguments. Need to specify 'sessionId'.`);\n }\n\n const url = new URL('/user_management/sessions/logout', baseURL);\n\n url.searchParams.set('session_id', sessionId);\n if (returnTo) {\n url.searchParams.set('return_to', returnTo);\n }\n\n return url.toString();\n}\n\n/**\n * Gets the JWKS (JSON Web Key Set) URL for a given client ID.\n * Does not require an API key, returns the public JWKS endpoint.\n *\n * @param clientId - The WorkOS client ID\n * @param baseURL - Optional base URL for the API (defaults to https://api.workos.com)\n * @returns The JWKS URL as a string\n * @throws TypeError if clientId is not provided\n */\nexport function getJwksUrl(\n clientId: string,\n baseURL = 'https://api.workos.com',\n): string {\n if (!clientId) {\n throw new TypeError('clientId must be a valid clientId');\n }\n\n return `${baseURL}/sso/jwks/${clientId}`;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;AAiCA,SAAgB,oBACd,SACQ;CACR,MAAM,EACJ,cACA,eACA,qBACA,UACA,YACA,WACA,gBACA,UACA,qBACA,gBACA,QACA,aACA,OACA,YACA,UAAU,6BACR;AAEJ,KAAI,CAAC,YAAY,CAAC,gBAAgB,CAAC,eACjC,OAAM,IAAI,UACR,kGACD;AAGH,KAAI,aAAa,aAAa,WAC5B,OAAM,IAAI,UACR,wDACD;AAqBH,QAAO,GAAG,QAAQ,6BAlBJA,gDAAc;EAC1B,eAAe;EACf,gBAAgB;EAChB,uBAAuB;EACvB,iBAAiB;EACjB,aAAa;EACb,YAAY;EACZ;EACA,uBAAuB;EACvB,iBAAiB;EACjB;EACA,WAAW;EACX,cAAc;EACd,eAAe;EACf;EACA,aAAa;EACd,CAAC;;;;;;;;;;AAaJ,SAAgB,aACd,SACQ;CACR,MAAM,EAAE,WAAW,UAAU,UAAU,6BAA6B;AAEpE,KAAI,CAAC,UACH,OAAM,IAAI,UAAU,qDAAqD;CAG3E,MAAM,MAAM,IAAI,IAAI,oCAAoC,QAAQ;AAEhE,KAAI,aAAa,IAAI,cAAc,UAAU;AAC7C,KAAI,SACF,KAAI,aAAa,IAAI,aAAa,SAAS;AAG7C,QAAO,IAAI,UAAU;;;;;;;;;;;AAYvB,SAAgB,WACd,UACA,UAAU,0BACF;AACR,KAAI,CAAC,SACH,OAAM,IAAI,UAAU,oCAAoC;AAG1D,QAAO,GAAG,QAAQ,YAAY"}