@workos-inc/node 8.0.0-rc.7 → 8.0.0-rc.8

package/lib/user-management/user-management.d.cts

@@ -10,7 +10,7 @@ import { User } from "./interfaces/user.interface.cjs";
 import { AuthenticationResponse } from "./interfaces/authentication-response.interface.cjs";
 import { AuthenticateWithSessionCookieFailedResponse, AuthenticateWithSessionCookieOptions, AuthenticateWithSessionCookieSuccessResponse, SessionCookieData } from "./interfaces/authenticate-with-session-cookie.interface.cjs";
 import { AuthenticateWithTotpOptions } from "./interfaces/authenticate-with-totp-options.interface.cjs";
-import { UserManagementAuthorizationURLOptions } from "./interfaces/authorization-url-options.interface.cjs";
+import { PKCEAuthorizationURLResult, UserManagementAuthorizationURLOptions } from "./interfaces/authorization-url-options.interface.cjs";
 import { CreateMagicAuthOptions } from "./interfaces/create-magic-auth-options.interface.cjs";
 import { CreateOrganizationMembershipOptions } from "./interfaces/create-organization-membership-options.interface.cjs";
 import { CreatePasswordResetOptions } from "./interfaces/create-password-reset-options.interface.cjs";
@@ -27,6 +27,7 @@ import { ListOrganizationMembershipsOptions, SerializedListOrganizationMembershi
 import { ListSessionsOptions, SerializedListSessionsOptions } from "./interfaces/list-sessions-options.interface.cjs";
 import { ListUserFeatureFlagsOptions } from "./interfaces/list-user-feature-flags-options.interface.cjs";
 import { ListUsersOptions, SerializedListUsersOptions } from "./interfaces/list-users-options.interface.cjs";
+import { LogoutURLOptions } from "./interfaces/logout-url-options.interface.cjs";
 import { MagicAuth } from "./interfaces/magic-auth.interface.cjs";
 import { PasswordReset } from "./interfaces/password-reset.interface.cjs";
 import { ResetPasswordOptions } from "./interfaces/reset-password-options.interface.cjs";
@@ -40,7 +41,6 @@ import { VerifyEmailOptions } from "./interfaces/verify-email-options.interface.
 import { AutoPaginatable } from "../common/utils/pagination.cjs";
 import { FeatureFlag } from "../feature-flags/interfaces/feature-flag.interface.cjs";
 import { Challenge } from "../mfa/interfaces/challenge.interface.cjs";
-import { LogoutURLOptions } from "../client/user-management.cjs";
 import { SessionHandlerOptions } from "./interfaces/session-handler-options.interface.cjs";
 import { CookieSession } from "./session.cjs";
 import { WorkOS } from "../workos.cjs";
@@ -52,6 +52,11 @@ declare class UserManagement {
   private _jwks;
   clientId: string | undefined;
   constructor(workos: WorkOS);
+  /**
+   * Resolve clientId from method options or fall back to constructor-provided value.
+   * @throws TypeError if clientId is not available from either source
+   */
+  private resolveClientId;
   getJWKS(): Promise<ReturnType<typeof jose0.createRemoteJWKSet> | undefined>;
   /**
    * Loads a sealed session using the provided session data and cookie password.
@@ -71,8 +76,35 @@ declare class UserManagement {
   createUser(payload: CreateUserOptions): Promise<User>;
   authenticateWithMagicAuth(payload: AuthenticateWithMagicAuthOptions): Promise<AuthenticationResponse>;
   authenticateWithPassword(payload: AuthenticateWithPasswordOptions): Promise<AuthenticationResponse>;
+  /**
+   * Exchange an authorization code for tokens.
+   *
+   * Auto-detects public vs confidential client mode:
+   * - If codeVerifier is provided: Uses PKCE flow (public client)
+   * - If no codeVerifier: Uses client_secret from API key (confidential client)
+   * - If both: Uses both client_secret AND codeVerifier (confidential client with PKCE)
+   *
+   * Using PKCE with confidential clients is recommended by OAuth 2.1 for defense
+   * in depth and provides additional CSRF protection on the authorization flow.
+   *
+   * @throws Error if neither codeVerifier nor API key is available
+   */
   authenticateWithCode(payload: AuthenticateWithCodeOptions): Promise<AuthenticationResponse>;
+  /**
+   * Exchange an authorization code for tokens using PKCE (public client flow).
+   * Use this instead of authenticateWithCode() when the client cannot securely
+   * store a client_secret (browser, mobile, CLI, desktop apps).
+   *
+   * @param payload.clientId - Your WorkOS client ID
+   * @param payload.code - The authorization code from the OAuth callback
+   * @param payload.codeVerifier - The PKCE code verifier used to generate the code challenge
+   */
   authenticateWithCodeAndVerifier(payload: AuthenticateWithCodeAndVerifierOptions): Promise<AuthenticationResponse>;
+  /**
+   * Refresh an access token using a refresh token.
+   * Automatically detects public client mode - if no API key is configured,
+   * omits client_secret from the request.
+   */
   authenticateWithRefreshToken(payload: AuthenticateWithRefreshTokenOptions): Promise<AuthenticationResponse>;
   authenticateWithTotp(payload: AuthenticateWithTotpOptions): Promise<AuthenticationResponse>;
   authenticateWithEmailVerification(payload: AuthenticateWithEmailVerificationOptions): Promise<AuthenticationResponse>;
@@ -132,7 +164,44 @@ declare class UserManagement {
   revokeInvitation(invitationId: string): Promise<Invitation>;
   resendInvitation(invitationId: string): Promise<Invitation>;
   revokeSession(payload: RevokeSessionOptions): Promise<void>;
+  /**
+   * Generate an OAuth 2.0 authorization URL.
+   *
+   * For public clients (browser, mobile, CLI), include PKCE parameters:
+   * - Generate PKCE using workos.pkce.generate()
+   * - Pass codeChallenge and codeChallengeMethod here
+   * - Store codeVerifier and pass to authenticateWithCode() later
+   *
+   * Or use getAuthorizationUrlWithPKCE() which handles PKCE automatically.
+   */
   getAuthorizationUrl(options: UserManagementAuthorizationURLOptions): string;
+  /**
+   * Generate an OAuth 2.0 authorization URL with automatic PKCE.
+   *
+   * This method generates PKCE parameters internally and returns them along with
+   * the authorization URL. Use this for public clients (CLI apps, Electron, mobile)
+   * that cannot securely store a client secret.
+   *
+   * @returns Object containing url, state, and codeVerifier
+   *
+   * @example
+   * ```typescript
+   * const { url, state, codeVerifier } = await workos.userManagement.getAuthorizationUrlWithPKCE({
+   *   provider: 'authkit',
+   *   clientId: 'client_123',
+   *   redirectUri: 'myapp://callback',
+   * });
+   *
+   * // Store state and codeVerifier securely, then redirect user to url
+   * // After callback, exchange the code:
+   * const response = await workos.userManagement.authenticateWithCode({
+   *   code: authorizationCode,
+   *   codeVerifier,
+   *   clientId: 'client_123',
+   * });
+   * ```
+   */
+  getAuthorizationUrlWithPKCE(options: Omit<UserManagementAuthorizationURLOptions, 'codeChallenge' | 'codeChallengeMethod' | 'state'>): Promise<PKCEAuthorizationURLResult>;
   getLogoutUrl(options: LogoutURLOptions): string;
   getJwksUrl(clientId: string): string;
 }

package/lib/user-management/user-management.d.ts

@@ -10,7 +10,7 @@ import { User } from "./interfaces/user.interface.js";
 import { AuthenticationResponse } from "./interfaces/authentication-response.interface.js";
 import { AuthenticateWithSessionCookieFailedResponse, AuthenticateWithSessionCookieOptions, AuthenticateWithSessionCookieSuccessResponse, SessionCookieData } from "./interfaces/authenticate-with-session-cookie.interface.js";
 import { AuthenticateWithTotpOptions } from "./interfaces/authenticate-with-totp-options.interface.js";
-import { UserManagementAuthorizationURLOptions } from "./interfaces/authorization-url-options.interface.js";
+import { PKCEAuthorizationURLResult, UserManagementAuthorizationURLOptions } from "./interfaces/authorization-url-options.interface.js";
 import { CreateMagicAuthOptions } from "./interfaces/create-magic-auth-options.interface.js";
 import { CreateOrganizationMembershipOptions } from "./interfaces/create-organization-membership-options.interface.js";
 import { CreatePasswordResetOptions } from "./interfaces/create-password-reset-options.interface.js";
@@ -27,6 +27,7 @@ import { ListOrganizationMembershipsOptions, SerializedListOrganizationMembershi
 import { ListSessionsOptions, SerializedListSessionsOptions } from "./interfaces/list-sessions-options.interface.js";
 import { ListUserFeatureFlagsOptions } from "./interfaces/list-user-feature-flags-options.interface.js";
 import { ListUsersOptions, SerializedListUsersOptions } from "./interfaces/list-users-options.interface.js";
+import { LogoutURLOptions } from "./interfaces/logout-url-options.interface.js";
 import { MagicAuth } from "./interfaces/magic-auth.interface.js";
 import { PasswordReset } from "./interfaces/password-reset.interface.js";
 import { ResetPasswordOptions } from "./interfaces/reset-password-options.interface.js";
@@ -40,7 +41,6 @@ import { VerifyEmailOptions } from "./interfaces/verify-email-options.interface.
 import { AutoPaginatable } from "../common/utils/pagination.js";
 import { FeatureFlag } from "../feature-flags/interfaces/feature-flag.interface.js";
 import { Challenge } from "../mfa/interfaces/challenge.interface.js";
-import { LogoutURLOptions } from "../client/user-management.js";
 import { SessionHandlerOptions } from "./interfaces/session-handler-options.interface.js";
 import { CookieSession } from "./session.js";
 import { WorkOS } from "../workos.js";
@@ -52,6 +52,11 @@ declare class UserManagement {
   private _jwks;
   clientId: string | undefined;
   constructor(workos: WorkOS);
+  /**
+   * Resolve clientId from method options or fall back to constructor-provided value.
+   * @throws TypeError if clientId is not available from either source
+   */
+  private resolveClientId;
   getJWKS(): Promise<ReturnType<typeof jose0.createRemoteJWKSet> | undefined>;
   /**
    * Loads a sealed session using the provided session data and cookie password.
@@ -71,8 +76,35 @@ declare class UserManagement {
   createUser(payload: CreateUserOptions): Promise<User>;
   authenticateWithMagicAuth(payload: AuthenticateWithMagicAuthOptions): Promise<AuthenticationResponse>;
   authenticateWithPassword(payload: AuthenticateWithPasswordOptions): Promise<AuthenticationResponse>;
+  /**
+   * Exchange an authorization code for tokens.
+   *
+   * Auto-detects public vs confidential client mode:
+   * - If codeVerifier is provided: Uses PKCE flow (public client)
+   * - If no codeVerifier: Uses client_secret from API key (confidential client)
+   * - If both: Uses both client_secret AND codeVerifier (confidential client with PKCE)
+   *
+   * Using PKCE with confidential clients is recommended by OAuth 2.1 for defense
+   * in depth and provides additional CSRF protection on the authorization flow.
+   *
+   * @throws Error if neither codeVerifier nor API key is available
+   */
   authenticateWithCode(payload: AuthenticateWithCodeOptions): Promise<AuthenticationResponse>;
+  /**
+   * Exchange an authorization code for tokens using PKCE (public client flow).
+   * Use this instead of authenticateWithCode() when the client cannot securely
+   * store a client_secret (browser, mobile, CLI, desktop apps).
+   *
+   * @param payload.clientId - Your WorkOS client ID
+   * @param payload.code - The authorization code from the OAuth callback
+   * @param payload.codeVerifier - The PKCE code verifier used to generate the code challenge
+   */
   authenticateWithCodeAndVerifier(payload: AuthenticateWithCodeAndVerifierOptions): Promise<AuthenticationResponse>;
+  /**
+   * Refresh an access token using a refresh token.
+   * Automatically detects public client mode - if no API key is configured,
+   * omits client_secret from the request.
+   */
   authenticateWithRefreshToken(payload: AuthenticateWithRefreshTokenOptions): Promise<AuthenticationResponse>;
   authenticateWithTotp(payload: AuthenticateWithTotpOptions): Promise<AuthenticationResponse>;
   authenticateWithEmailVerification(payload: AuthenticateWithEmailVerificationOptions): Promise<AuthenticationResponse>;
@@ -132,7 +164,44 @@ declare class UserManagement {
   revokeInvitation(invitationId: string): Promise<Invitation>;
   resendInvitation(invitationId: string): Promise<Invitation>;
   revokeSession(payload: RevokeSessionOptions): Promise<void>;
+  /**
+   * Generate an OAuth 2.0 authorization URL.
+   *
+   * For public clients (browser, mobile, CLI), include PKCE parameters:
+   * - Generate PKCE using workos.pkce.generate()
+   * - Pass codeChallenge and codeChallengeMethod here
+   * - Store codeVerifier and pass to authenticateWithCode() later
+   *
+   * Or use getAuthorizationUrlWithPKCE() which handles PKCE automatically.
+   */
   getAuthorizationUrl(options: UserManagementAuthorizationURLOptions): string;
+  /**
+   * Generate an OAuth 2.0 authorization URL with automatic PKCE.
+   *
+   * This method generates PKCE parameters internally and returns them along with
+   * the authorization URL. Use this for public clients (CLI apps, Electron, mobile)
+   * that cannot securely store a client secret.
+   *
+   * @returns Object containing url, state, and codeVerifier
+   *
+   * @example
+   * ```typescript
+   * const { url, state, codeVerifier } = await workos.userManagement.getAuthorizationUrlWithPKCE({
+   *   provider: 'authkit',
+   *   clientId: 'client_123',
+   *   redirectUri: 'myapp://callback',
+   * });
+   *
+   * // Store state and codeVerifier securely, then redirect user to url
+   * // After callback, exchange the code:
+   * const response = await workos.userManagement.authenticateWithCode({
+   *   code: authorizationCode,
+   *   codeVerifier,
+   *   clientId: 'client_123',
+   * });
+   * ```
+   */
+  getAuthorizationUrlWithPKCE(options: Omit<UserManagementAuthorizationURLOptions, 'codeChallenge' | 'codeChallengeMethod' | 'state'>): Promise<PKCEAuthorizationURLResult>;
   getLogoutUrl(options: LogoutURLOptions): string;
   getJwksUrl(clientId: string): string;
 }

package/lib/user-management/user-management.js

@@ -1,9 +1,10 @@
-import { getAuthorizationUrl, getJwksUrl, getLogoutUrl } from "../client/user-management.js";
+import { AutoPaginatable } from "../common/utils/pagination.js";
 import { serializeAuthenticateWithCodeOptions } from "./serializers/authenticate-with-code-options.serializer.js";
 import { serializeAuthenticateWithCodeAndVerifierOptions } from "./serializers/authenticate-with-code-and-verifier-options.serializer.js";
 import { serializeAuthenticateWithMagicAuthOptions } from "./serializers/authenticate-with-magic-auth-options.serializer.js";
 import { serializeAuthenticateWithPasswordOptions } from "./serializers/authenticate-with-password-options.serializer.js";
 import { serializeAuthenticateWithRefreshTokenOptions } from "./serializers/authenticate-with-refresh-token.options.serializer.js";
+import { serializeAuthenticateWithRefreshTokenPublicClientOptions } from "./serializers/authenticate-with-refresh-token-public-client-options.serializer.js";
 import { serializeAuthenticateWithTotpOptions } from "./serializers/authenticate-with-totp-options.serializer.js";
 import { deserializeUser } from "./serializers/user.serializer.js";
 import { deserializeAuthenticationResponse } from "./serializers/authentication-response.serializer.js";
@@ -21,9 +22,9 @@ import { deserializeSession } from "./serializers/session.serializer.js";
 import { serializeCreateUserOptions } from "./serializers/create-user-options.serializer.js";
 import { serializeUpdateUserOptions } from "./serializers/update-user-options.serializer.js";
 import { deserializeOrganizationMembership } from "./serializers/organization-membership.serializer.js";
-import { AutoPaginatable } from "../common/utils/pagination.js";
 import { fetchAndDeserialize } from "../common/utils/fetch-and-deserialize.js";
 import { deserializeFeatureFlag } from "../feature-flags/serializers/feature-flag.serializer.js";
+import { toQueryString } from "../common/utils/query-string.js";
 import { deserializeChallenge } from "../mfa/serializers/challenge.serializer.js";
 import { sealData, unsealData } from "../common/crypto/seal.js";
 import { getEnv } from "../common/utils/env.js";
@@ -50,6 +51,15 @@ var UserManagement = class {
 		const { clientId } = workos.options;
 		this.clientId = clientId;
 	}
+	/**
+	* Resolve clientId from method options or fall back to constructor-provided value.
+	* @throws TypeError if clientId is not available from either source
+	*/
+	resolveClientId(clientId) {
+		const resolved = clientId ?? this.clientId;
+		if (!resolved) throw new TypeError("clientId is required. Provide it in method options or when initializing WorkOS.");
+		return resolved;
+	}
 	async getJWKS() {
 		const { createRemoteJWKSet } = await getJose();
 		if (!this.clientId) return;
@@ -83,9 +93,11 @@ var UserManagement = class {
 		return deserializeUser(data);
 	}
 	async authenticateWithMagicAuth(payload) {
-		const { session, ...remainingPayload } = payload;
+		const { session, clientId, ...remainingPayload } = payload;
+		const resolvedClientId = this.resolveClientId(clientId);
 		const { data } = await this.workos.post("/user_management/authenticate", serializeAuthenticateWithMagicAuthOptions({
 			...remainingPayload,
+			clientId: resolvedClientId,
 			clientSecret: this.workos.key
 		}));
 		return this.prepareAuthenticationResponse({
@@ -94,9 +106,11 @@ var UserManagement = class {
 		});
 	}
 	async authenticateWithPassword(payload) {
-		const { session, ...remainingPayload } = payload;
+		const { session, clientId, ...remainingPayload } = payload;
+		const resolvedClientId = this.resolveClientId(clientId);
 		const { data } = await this.workos.post("/user_management/authenticate", serializeAuthenticateWithPasswordOptions({
 			...remainingPayload,
+			clientId: resolvedClientId,
 			clientSecret: this.workos.key
 		}));
 		return this.prepareAuthenticationResponse({
@@ -104,40 +118,86 @@ var UserManagement = class {
 			session
 		});
 	}
+	/**
+	* Exchange an authorization code for tokens.
+	*
+	* Auto-detects public vs confidential client mode:
+	* - If codeVerifier is provided: Uses PKCE flow (public client)
+	* - If no codeVerifier: Uses client_secret from API key (confidential client)
+	* - If both: Uses both client_secret AND codeVerifier (confidential client with PKCE)
+	*
+	* Using PKCE with confidential clients is recommended by OAuth 2.1 for defense
+	* in depth and provides additional CSRF protection on the authorization flow.
+	*
+	* @throws Error if neither codeVerifier nor API key is available
+	*/
 	async authenticateWithCode(payload) {
-		const { session, ...remainingPayload } = payload;
+		const { session, clientId, codeVerifier, ...remainingPayload } = payload;
+		const resolvedClientId = this.resolveClientId(clientId);
+		if (codeVerifier !== void 0 && codeVerifier.trim() === "") throw new TypeError("codeVerifier cannot be an empty string. Generate a valid PKCE pair using workos.pkce.generate().");
+		const hasApiKey = !!this.workos.key;
+		if (!!!codeVerifier && !hasApiKey) throw new TypeError("authenticateWithCode requires either a codeVerifier (for public clients) or an API key configured on the WorkOS instance (for confidential clients).");
 		const { data } = await this.workos.post("/user_management/authenticate", serializeAuthenticateWithCodeOptions({
 			...remainingPayload,
-			clientSecret: this.workos.key
-		}));
+			clientId: resolvedClientId,
+			codeVerifier,
+			clientSecret: hasApiKey ? this.workos.key : void 0
+		}), { skipApiKeyCheck: !hasApiKey });
 		return this.prepareAuthenticationResponse({
 			authenticationResponse: deserializeAuthenticationResponse(data),
 			session
 		});
 	}
+	/**
+	* Exchange an authorization code for tokens using PKCE (public client flow).
+	* Use this instead of authenticateWithCode() when the client cannot securely
+	* store a client_secret (browser, mobile, CLI, desktop apps).
+	*
+	* @param payload.clientId - Your WorkOS client ID
+	* @param payload.code - The authorization code from the OAuth callback
+	* @param payload.codeVerifier - The PKCE code verifier used to generate the code challenge
+	*/
 	async authenticateWithCodeAndVerifier(payload) {
-		const { session, ...remainingPayload } = payload;
-		const { data } = await this.workos.post("/user_management/authenticate", serializeAuthenticateWithCodeAndVerifierOptions(remainingPayload));
+		const { session, clientId, ...remainingPayload } = payload;
+		const resolvedClientId = this.resolveClientId(clientId);
+		const { data } = await this.workos.post("/user_management/authenticate", serializeAuthenticateWithCodeAndVerifierOptions({
+			...remainingPayload,
+			clientId: resolvedClientId
+		}), { skipApiKeyCheck: true });
 		return this.prepareAuthenticationResponse({
 			authenticationResponse: deserializeAuthenticationResponse(data),
 			session
 		});
 	}
+	/**
+	* Refresh an access token using a refresh token.
+	* Automatically detects public client mode - if no API key is configured,
+	* omits client_secret from the request.
+	*/
 	async authenticateWithRefreshToken(payload) {
-		const { session, ...remainingPayload } = payload;
-		const { data } = await this.workos.post("/user_management/authenticate", serializeAuthenticateWithRefreshTokenOptions({
+		const { session, clientId, ...remainingPayload } = payload;
+		const resolvedClientId = this.resolveClientId(clientId);
+		const isPublicClient = !this.workos.key;
+		const body = isPublicClient ? serializeAuthenticateWithRefreshTokenPublicClientOptions({
+			...remainingPayload,
+			clientId: resolvedClientId
+		}) : serializeAuthenticateWithRefreshTokenOptions({
 			...remainingPayload,
+			clientId: resolvedClientId,
 			clientSecret: this.workos.key
-		}));
+		});
+		const { data } = await this.workos.post("/user_management/authenticate", body, { skipApiKeyCheck: isPublicClient });
 		return this.prepareAuthenticationResponse({
 			authenticationResponse: deserializeAuthenticationResponse(data),
 			session
 		});
 	}
 	async authenticateWithTotp(payload) {
-		const { session, ...remainingPayload } = payload;
+		const { session, clientId, ...remainingPayload } = payload;
+		const resolvedClientId = this.resolveClientId(clientId);
 		const { data } = await this.workos.post("/user_management/authenticate", serializeAuthenticateWithTotpOptions({
 			...remainingPayload,
+			clientId: resolvedClientId,
 			clientSecret: this.workos.key
 		}));
 		return this.prepareAuthenticationResponse({
@@ -146,9 +206,11 @@ var UserManagement = class {
 		});
 	}
 	async authenticateWithEmailVerification(payload) {
-		const { session, ...remainingPayload } = payload;
+		const { session, clientId, ...remainingPayload } = payload;
+		const resolvedClientId = this.resolveClientId(clientId);
 		const { data } = await this.workos.post("/user_management/authenticate", serializeAuthenticateWithEmailVerificationOptions({
 			...remainingPayload,
+			clientId: resolvedClientId,
 			clientSecret: this.workos.key
 		}));
 		return this.prepareAuthenticationResponse({
@@ -157,9 +219,11 @@ var UserManagement = class {
 		});
 	}
 	async authenticateWithOrganizationSelection(payload) {
-		const { session, ...remainingPayload } = payload;
+		const { session, clientId, ...remainingPayload } = payload;
+		const resolvedClientId = this.resolveClientId(clientId);
 		const { data } = await this.workos.post("/user_management/authenticate", serializeAuthenticateWithOrganizationSelectionOptions({
 			...remainingPayload,
+			clientId: resolvedClientId,
 			clientSecret: this.workos.key
 		}));
 		return this.prepareAuthenticationResponse({
@@ -207,17 +271,21 @@ var UserManagement = class {
 			await jwtVerify(accessToken, jwks);
 			return true;
 		} catch (e) {
-			return false;
+			if (e instanceof Error && "code" in e && typeof e.code === "string" && (e.code.startsWith("ERR_JWT_") || e.code.startsWith("ERR_JWS_"))) return false;
+			throw e;
 		}
 	}
 	async prepareAuthenticationResponse({ authenticationResponse, session }) {
-		if (session?.sealSession) return {
-			...authenticationResponse,
-			sealedSession: await this.sealSessionDataFromAuthenticationResponse({
-				authenticationResponse,
-				cookiePassword: session.cookiePassword
-			})
-		};
+		if (session?.sealSession) {
+			if (!this.workos.key) throw new Error("Session sealing requires server-side usage with an API key. Public clients should store tokens directly (e.g., secure storage on mobile, keychain on desktop).");
+			return {
+				...authenticationResponse,
+				sealedSession: await this.sealSessionDataFromAuthenticationResponse({
+					authenticationResponse,
+					cookiePassword: session.cookiePassword
+				})
+			};
+		}
 		return authenticationResponse;
 	}
 	async sealSessionDataFromAuthenticationResponse({ authenticationResponse, cookiePassword }) {
@@ -356,20 +424,107 @@ var UserManagement = class {
 	async revokeSession(payload) {
 		await this.workos.post("/user_management/sessions/revoke", serializeRevokeSessionOptions(payload));
 	}
+	/**
+	* Generate an OAuth 2.0 authorization URL.
+	*
+	* For public clients (browser, mobile, CLI), include PKCE parameters:
+	* - Generate PKCE using workos.pkce.generate()
+	* - Pass codeChallenge and codeChallengeMethod here
+	* - Store codeVerifier and pass to authenticateWithCode() later
+	*
+	* Or use getAuthorizationUrlWithPKCE() which handles PKCE automatically.
+	*/
 	getAuthorizationUrl(options) {
-		return getAuthorizationUrl({
-			...options,
-			baseURL: this.workos.baseURL
+		const { connectionId, codeChallenge, codeChallengeMethod, clientId, domainHint, loginHint, organizationId, provider, providerQueryParams, providerScopes, prompt, redirectUri, state, screenHint } = options;
+		const resolvedClientId = this.resolveClientId(clientId);
+		if (!provider && !connectionId && !organizationId) throw new TypeError(`Incomplete arguments. Need to specify either a 'connectionId', 'organizationId', or 'provider'.`);
+		if (provider !== "authkit" && screenHint) throw new TypeError(`'screenHint' is only supported for 'authkit' provider`);
+		const query = toQueryString({
+			connection_id: connectionId,
+			code_challenge: codeChallenge,
+			code_challenge_method: codeChallengeMethod,
+			organization_id: organizationId,
+			domain_hint: domainHint,
+			login_hint: loginHint,
+			provider,
+			provider_query_params: providerQueryParams,
+			provider_scopes: providerScopes,
+			prompt,
+			client_id: resolvedClientId,
+			redirect_uri: redirectUri,
+			response_type: "code",
+			state,
+			screen_hint: screenHint
 		});
+		return `${this.workos.baseURL}/user_management/authorize?${query}`;
 	}
-	getLogoutUrl(options) {
-		return getLogoutUrl({
-			...options,
-			baseURL: this.workos.baseURL
+	/**
+	* Generate an OAuth 2.0 authorization URL with automatic PKCE.
+	*
+	* This method generates PKCE parameters internally and returns them along with
+	* the authorization URL. Use this for public clients (CLI apps, Electron, mobile)
+	* that cannot securely store a client secret.
+	*
+	* @returns Object containing url, state, and codeVerifier
+	*
+	* @example
+	* ```typescript
+	* const { url, state, codeVerifier } = await workos.userManagement.getAuthorizationUrlWithPKCE({
+	*   provider: 'authkit',
+	*   clientId: 'client_123',
+	*   redirectUri: 'myapp://callback',
+	* });
+	*
+	* // Store state and codeVerifier securely, then redirect user to url
+	* // After callback, exchange the code:
+	* const response = await workos.userManagement.authenticateWithCode({
+	*   code: authorizationCode,
+	*   codeVerifier,
+	*   clientId: 'client_123',
+	* });
+	* ```
+	*/
+	async getAuthorizationUrlWithPKCE(options) {
+		const { clientId, connectionId, domainHint, loginHint, organizationId, provider, providerQueryParams, providerScopes, prompt, redirectUri, screenHint } = options;
+		const resolvedClientId = this.resolveClientId(clientId);
+		if (!provider && !connectionId && !organizationId) throw new TypeError(`Incomplete arguments. Need to specify either a 'connectionId', 'organizationId', or 'provider'.`);
+		if (provider !== "authkit" && screenHint) throw new TypeError(`'screenHint' is only supported for 'authkit' provider`);
+		const pkce = await this.workos.pkce.generate();
+		const state = this.workos.pkce.generateCodeVerifier(43);
+		const query = toQueryString({
+			connection_id: connectionId,
+			code_challenge: pkce.codeChallenge,
+			code_challenge_method: "S256",
+			organization_id: organizationId,
+			domain_hint: domainHint,
+			login_hint: loginHint,
+			provider,
+			provider_query_params: providerQueryParams,
+			provider_scopes: providerScopes,
+			prompt,
+			client_id: resolvedClientId,
+			redirect_uri: redirectUri,
+			response_type: "code",
+			state,
+			screen_hint: screenHint
 		});
+		return {
+			url: `${this.workos.baseURL}/user_management/authorize?${query}`,
+			state,
+			codeVerifier: pkce.codeVerifier
+		};
+	}
+	getLogoutUrl(options) {
+		const { sessionId, returnTo } = options;
+		if (!sessionId) throw new TypeError(`Incomplete arguments. Need to specify 'sessionId'.`);
+		const url = new URL("/user_management/sessions/logout", this.workos.baseURL);
+		url.searchParams.set("session_id", sessionId);
+		if (returnTo) url.searchParams.set("return_to", returnTo);
+		return url.toString();
 	}
 	getJwksUrl(clientId) {
-		return getJwksUrl(clientId, this.workos.baseURL);
+		if (!clientId) throw new TypeError("clientId must be a valid clientId");
+		return `${this.workos.baseURL}/sso/jwks/${clientId}`;
 	}
 };