@workos-inc/node 8.3.1 → 8.4.0

package/lib/api-keys-5t7nLnb5.d.cts

@@ -0,0 +1,780 @@
+import { t as CryptoProvider } from "./crypto-provider-EnxiazDt.cjs";
+import { t as Directory } from "./directory.interface-oSn1IaAq.cjs";
+import { t as DirectoryGroup } from "./directory-group.interface-Ds7hJJCb.cjs";
+import { t as PaginationOptions } from "./pagination-options.interface--3MwpP52.cjs";
+import { n as SerializedListDirectoriesOptions, t as ListDirectoriesOptions } from "./list-directories-options.interface-CcEf0ljy.cjs";
+import { t as ListDirectoryGroupsOptions } from "./list-groups-options.interface-DjW5LHiP.cjs";
+import { t as ListDirectoryUsersOptions } from "./list-directory-users-options.interface-ByCIBUjA.cjs";
+import { n as EnvironmentRoleList, t as EnvironmentRole } from "./environment-role.interface-D1iWLXE9.cjs";
+import { t as CreateEnvironmentRoleOptions } from "./create-environment-role-options.interface-D4HEg3bl.cjs";
+import { n as UpdateEnvironmentRoleOptions } from "./update-environment-role-options.interface-DmxJlvJj.cjs";
+import { t as SetEnvironmentRolePermissionsOptions } from "./set-environment-role-permissions-options.interface-BZKVKr61.cjs";
+import { t as AddEnvironmentRolePermissionOptions } from "./add-environment-role-permission-options.interface-DPQPMlMJ.cjs";
+import { t as OrganizationRole } from "./organization-role.interface-DXjTJ0Z5.cjs";
+import { t as CreateOrganizationRoleOptions } from "./create-organization-role-options.interface-Cl-_2QsZ.cjs";
+import { n as UpdateOrganizationRoleOptions } from "./update-organization-role-options.interface-DmZR0gHw.cjs";
+import { t as SetOrganizationRolePermissionsOptions } from "./set-organization-role-permissions-options.interface-B5ETA0fj.cjs";
+import { t as AddOrganizationRolePermissionOptions } from "./add-organization-role-permission-options.interface-DjcIZCA2.cjs";
+import { t as RemoveOrganizationRolePermissionOptions } from "./remove-organization-role-permission-options.interface-wLcPXpuW.cjs";
+import { n as PermissionList, t as Permission } from "./permission.interface-DUgNctyv.cjs";
+import { t as CreatePermissionOptions } from "./create-permission-options.interface-D-ZUSfo3.cjs";
+import { n as UpdatePermissionOptions } from "./update-permission-options.interface-BUmoAwcY.cjs";
+import { Bn as ProfileAndToken, Cn as CreateOrganizationApiKeyRequestOptions, Dn as SerializedListOrganizationMembershipsOptions, En as ListOrganizationMembershipsOptions, Hn as Profile, Ln as ListInvitationsOptions, Pn as OrganizationMembership, Rn as SerializedListInvitationsOptions, Sn as CreateOrganizationApiKeyOptions, Tn as ListUserFeatureFlagsOptions, Wn as DefaultCustomAttributes, Zn as Role, ct as Event, er as RoleList, kn as AuthorizationOrganizationMembershipList, n as CreateOrganizationRequestOptions, nr as ListPermissionsOptions, qn as DirectoryUserWithGroups, t as CreateOrganizationOptions, zn as ListAuthFactorsOptions } from "./index-BDMqzUe6.cjs";
+import { a as CreateAuthorizationResourceOptions, n as AuthorizationResourceList, t as AuthorizationResource, u as UpdateAuthorizationResourceOptions } from "./authorization-resource.interface-DIAEcvVn.cjs";
+import { t as ListAuthorizationResourcesOptions } from "./list-authorization-resources-options.interface-DGEUHL6V.cjs";
+import { t as GetAuthorizationResourceByExternalIdOptions } from "./get-authorization-resource-by-external-id-options.interface-Qnp6DQk8.cjs";
+import { t as UpdateAuthorizationResourceByExternalIdOptions } from "./update-authorization-resource-by-external-id-options.interface-VdkOB-85.cjs";
+import { t as DeleteAuthorizationResourceByExternalIdOptions } from "./delete-authorization-resource-by-external-id-options.interface-BvZqYnwY.cjs";
+import { t as DeleteAuthorizationResourceOptions } from "./delete-authorization-resource-options.interface-BADx9Ibk.cjs";
+import { i as AuthorizationCheckResult, t as AuthorizationCheckOptions } from "./authorization-resource-check.interface-BTZ0DC-5.cjs";
+import { t as ListResourcesForMembershipOptions } from "./list-resources-for-membership-options.interface-BxIdPPlj.cjs";
+import { t as ListMembershipsForResourceOptions } from "./list-memberships-for-resource-options.interface-DYjL4T-O.cjs";
+import { t as ListMembershipsForResourceByExternalIdOptions } from "./list-memberships-for-resource-by-external-id-options.interface-2SPYpjXz.cjs";
+import { n as RoleAssignmentList, t as RoleAssignment } from "./role-assignment.interface-ChR_OANy.cjs";
+import { t as ListRoleAssignmentsOptions } from "./list-role-assignments-options.interface-CitVe5-E.cjs";
+import { t as AssignRoleOptions } from "./assign-role-options.interface-EodzUpo8.cjs";
+import { n as RemoveRoleOptions } from "./remove-role-options.interface-C05Tjj04.cjs";
+import { t as RemoveRoleAssignmentOptions } from "./remove-role-assignment-options.interface-D0qpb2wr.cjs";
+import { n as SSOPKCEAuthorizationURLResult, t as SSOAuthorizationURLOptions } from "./authorization-url-options.interface-jpmqnJeg.cjs";
+import { t as Connection } from "./connection.interface-CYEbF9mD.cjs";
+import { t as GetProfileOptions } from "./get-profile-options.interface-BJLekz2p.cjs";
+import { t as GetProfileAndTokenOptions } from "./get-profile-and-token-options.interface-BTmM6245.cjs";
+import { n as SerializedListConnectionsOptions, t as ListConnectionsOptions } from "./list-connections-options.interface-DVXp4re1.cjs";
+import { t as UnknownRecord } from "./unknown-record.interface-KDwjwNHM.cjs";
+import { n as AuthenticateWithCodeOptions } from "./authenticate-with-code-options.interface-H0yfsHxj.cjs";
+import { t as AuthenticateWithCodeAndVerifierOptions } from "./authenticate-with-code-and-verifier-options.interface-DW8HBYmR.cjs";
+import { n as AuthenticateWithEmailVerificationOptions } from "./authenticate-with-email-verification-options.interface-bntD5tLo.cjs";
+import { n as AuthenticateWithMagicAuthOptions } from "./authenticate-with-magic-auth-options.interface-DKiBkjxK.cjs";
+import { n as AuthenticateWithOrganizationSelectionOptions } from "./authenticate-with-organization-selection.interface-BjNOboud.cjs";
+import { n as AuthenticateWithPasswordOptions } from "./authenticate-with-password-options.interface-CBzERAqt.cjs";
+import { n as AuthenticateWithRefreshTokenOptions } from "./authenticate-with-refresh-token-options.interface-Bc0KcSmQ.cjs";
+import { t as User } from "./user.interface-CSksrToF.cjs";
+import { t as AuthenticationResponse } from "./authentication-response.interface-B5XOTdYu.cjs";
+import { a as AuthenticateWithSessionCookieSuccessResponse, i as AuthenticateWithSessionCookieOptions, n as AuthenticateWithSessionCookieFailedResponse, o as SessionCookieData } from "./authenticate-with-session-cookie.interface--Ugw1Meh.cjs";
+import { n as AuthenticateWithTotpOptions } from "./authenticate-with-totp-options.interface-CBZmKTjf.cjs";
+import { n as UserManagementAuthorizationURLOptions, t as PKCEAuthorizationURLResult } from "./authorization-url-options.interface-DbdK4xoe.cjs";
+import { t as CreateMagicAuthOptions } from "./create-magic-auth-options.interface-Ducd6OEm.cjs";
+import { t as CreateOrganizationMembershipOptions } from "./create-organization-membership-options.interface-Ce6O3qzL.cjs";
+import { t as CreatePasswordResetOptions } from "./create-password-reset-options.interface-_azhiyDG.cjs";
+import { t as CreateUserOptions } from "./create-user-options.interface-C5A9ZFXJ.cjs";
+import { t as EmailVerification } from "./email-verification.interface-DoXRDBkX.cjs";
+import { t as EnrollAuthFactorOptions } from "./enroll-auth-factor.interface-BsXY6399.cjs";
+import { r as FactorWithSecrets, t as Factor } from "./factor.interface-TCY5UjaZ.cjs";
+import { t as Identity } from "./identity.interface-BwHBiRFv.cjs";
+import { t as Invitation } from "./invitation.interface-BwZhU4Nq.cjs";
+import { n as SerializedListSessionsOptions, t as ListSessionsOptions } from "./list-sessions-options.interface-rRvxj4no.cjs";
+import { n as SerializedListUsersOptions, t as ListUsersOptions } from "./list-users-options.interface-BrZWq49H.cjs";
+import { t as LogoutURLOptions } from "./logout-url-options.interface-BOLd7ZRi.cjs";
+import { t as MagicAuth } from "./magic-auth.interface-DGn4_Ctk.cjs";
+import { t as PasswordReset } from "./password-reset.interface-5Hk5_t85.cjs";
+import { n as RefreshSessionResponse } from "./refresh-and-seal-session-data.interface-CfKqrf2N.cjs";
+import { t as ResendInvitationOptions } from "./resend-invitation-options.interface-5-DjRWwi.cjs";
+import { t as ResetPasswordOptions } from "./reset-password-options.interface-DR1PHcVr.cjs";
+import { t as RevokeSessionOptions } from "./revoke-session-options.interface-BW7f0pb7.cjs";
+import { t as SendInvitationOptions } from "./send-invitation-options.interface-DtIC4uoS.cjs";
+import { t as SendVerificationEmailOptions } from "./send-verification-email-options.interface-IMaY7OHw.cjs";
+import { n as Session } from "./session.interface-DEkXnpLu.cjs";
+import { n as UpdateOrganizationMembershipOptions } from "./update-organization-membership-options.interface-CBFTtRh2.cjs";
+import { n as UpdateUserOptions } from "./update-user-options.interface-CzrbRCX7.cjs";
+import { n as VerifyEmailOptions } from "./verify-email-options.interface-B8NOVqLy.cjs";
+import { t as CreateOrganizationDomainOptions } from "./create-organization-domain-options.interface-BA0FNfqD.cjs";
+import { t as OrganizationDomain } from "./organization-domain.interface-DCWcsWrJ.cjs";
+import { t as ApiKey } from "./api-key.interface-CiHEJPea.cjs";
+import { t as CreatedApiKey } from "./created-api-key.interface-Dskf-Dpu.cjs";
+import { t as ListOrganizationApiKeysOptions } from "./list-organization-api-keys-options.interface-DP6NjvYw.cjs";
+import { n as ValidateApiKeyOptions, r as ValidateApiKeyResponse } from "./validate-api-key.interface-D_WJOvPm.cjs";
+import { t as GetOptions } from "./get-options.interface-DoL0T9e1.cjs";
+import { t as List } from "./list.interface-BMsjwGOu.cjs";
+import { t as PatchOptions } from "./patch-options.interface-BAVaR96y.cjs";
+import { t as PostOptions } from "./post-options.interface-D8yUBVGr.cjs";
+import { t as PutOptions } from "./put-options.interface-JSNS5evI.cjs";
+import { t as WorkOSOptions } from "./workos-options.interface-PcLJpyIn.cjs";
+import { t as ListOrganizationFeatureFlagsOptions } from "./list-organization-feature-flags-options.interface-BuY-zNS_.cjs";
+import { t as ListOrganizationsOptions } from "./list-organizations-options.interface-CR5m7YfR.cjs";
+import { t as Organization } from "./organization.interface-qvSYAhMT.cjs";
+import { n as UpdateOrganizationOptions } from "./update-organization-options.interface-BiK4pXHm.cjs";
+import { t as Actions } from "./actions-Ci8wakLD.cjs";
+import { t as PKCE } from "./pkce-CkDcEdoo.cjs";
+import { t as AutoPaginatable } from "./pagination-DARFXAuP.cjs";
+import { t as ListEventOptions } from "./list-events-options.interface-DJVfXCA3.cjs";
+import { t as FeatureFlag } from "./feature-flag.interface-DDrAgky3.cjs";
+import { t as ListOrganizationRolesOptions } from "./list-organization-roles-options.interface-DmY9jVcp.cjs";
+import { t as PasswordlessSession } from "./passwordless-session.interface-DBPNZsQp.cjs";
+import { t as CreatePasswordlessSessionOptions } from "./create-passwordless-session-options.interface-BPq-a_ff.cjs";
+import { t as SendSessionResponse } from "./send-session-response.interface-Bu76CdzC.cjs";
+import { n as GetAccessTokenOptions, r as GetAccessTokenResponse } from "./get-access-token.interface-COCgEGF_.cjs";
+import { t as GeneratePortalLinkIntent } from "./generate-portal-link-intent.interface-BQMOkPft.cjs";
+import { t as Webhooks } from "./webhooks-DvyWO-Zh.cjs";
+import { t as ChallengeFactorOptions } from "./challenge-factor-options-1PMSJeef.cjs";
+import { t as Challenge } from "./challenge.interface-UNMAxHWR.cjs";
+import { t as EnrollFactorOptions } from "./enroll-factor-options-Dj9Vl-kp.cjs";
+import { r as FactorWithSecrets$1, t as Factor$1 } from "./factor.interface-DPOR4t5-.cjs";
+import { t as VerifyChallengeOptions } from "./verify-challenge-options-Cnd5QHmo.cjs";
+import { t as VerifyResponse } from "./verify-challenge-response-Cxjr42mg.cjs";
+import { t as AuditLogExportOptions } from "./audit-log-export-options.interface--M_PWQFX.cjs";
+import { t as AuditLogExport } from "./audit-log-export.interface-DD4KnnW3.cjs";
+import { i as CreateAuditLogEventRequestOptions, r as CreateAuditLogEventOptions } from "./create-audit-log-event-options.interface-BMImi3Ph.cjs";
+import { a as CreateAuditLogSchemaOptions, n as AuditLogSchema, o as CreateAuditLogSchemaRequestOptions } from "./create-audit-log-schema-options.interface-DEw2JEw9.cjs";
+import { t as SessionHandlerOptions } from "./session-handler-options.interface-DJRJes_5.cjs";
+import { c as ResourceInterface, g as UpdateResourceOptions, i as DeleteResourceOptions, l as ResourceOptions, m as SerializedListResourcesOptions, o as ListResourcesOptions, r as CreateResourceOptions, s as Resource, t as BatchWriteResourcesOptions } from "./resource.interface-D-MMSzFn.cjs";
+import { c as Warrant, i as SerializedListWarrantsOptions, n as ListWarrantsRequestOptions, t as ListWarrantsOptions, u as WriteWarrantOptions } from "./warrant.interface-DPnDplf7.cjs";
+import { i as CheckResult, n as CheckOptions, r as CheckRequestOptions, t as CheckBatchOptions } from "./check.interface-CiNYxsPC.cjs";
+import { a as SerializedQueryOptions, n as QueryRequestOptions, r as QueryResult, t as QueryOptions } from "./query.interface-BSHlqTYK.cjs";
+import { t as WarrantToken } from "./warrant-token.interface-NdVyFw9l.cjs";
+import { t as FgaPaginatable } from "./fga-paginatable-DYGgFxzL.cjs";
+import { t as AddFlagTargetOptions } from "./add-flag-target-options.interface-Bwr2zybt.cjs";
+import { t as ListFeatureFlagsOptions } from "./list-feature-flags-options.interface-BDzOTdye.cjs";
+import { t as RemoveFlagTargetOptions } from "./remove-flag-target-options.interface-BlZtU4Qf.cjs";
+import { t as HttpClient } from "./http-client-tGbZ0v6f.cjs";
+import { t as GetTokenOptions } from "./get-token-xmqdj8Zh.cjs";
+import { n as DataKeyPair, r as KeyContext, t as DataKey } from "./key.interface-DWikImzG.cjs";
+import { t as CreateDataKeyOptions } from "./create-data-key.interface-B-aytYEd.cjs";
+import { t as DecryptDataKeyOptions } from "./decrypt-data-key.interface-BuI1is1m.cjs";
+import { n as CreateObjectOptions } from "./create-object.interface-Bm7L0wKq.cjs";
+import { t as DeleteObjectOptions } from "./delete-object.interface-BJMqWLai.cjs";
+import { a as VaultObject, i as ObjectVersion, n as ObjectMetadata, t as ObjectDigest } from "./object.interface-C0gQ84EY.cjs";
+import { n as ReadObjectOptions } from "./read-object.interface-BwzjcSVm.cjs";
+import { n as UpdateObjectOptions } from "./update-object.interface-C8y9e8Lt.cjs";
+import * as jose0 from "jose";
+
+//#region src/directory-sync/directory-sync.d.ts
+declare class DirectorySync {
+  private readonly workos;
+  constructor(workos: WorkOS);
+  listDirectories(options?: ListDirectoriesOptions): Promise<AutoPaginatable<Directory, SerializedListDirectoriesOptions>>;
+  getDirectory(id: string): Promise<Directory>;
+  deleteDirectory(id: string): Promise<void>;
+  listGroups(options: ListDirectoryGroupsOptions): Promise<AutoPaginatable<DirectoryGroup, ListDirectoryGroupsOptions>>;
+  listUsers<TCustomAttributes extends object = DefaultCustomAttributes>(options: ListDirectoryUsersOptions): Promise<AutoPaginatable<DirectoryUserWithGroups<TCustomAttributes>, ListDirectoryUsersOptions>>;
+  getUser<TCustomAttributes extends object = DefaultCustomAttributes>(user: string): Promise<DirectoryUserWithGroups<TCustomAttributes>>;
+  getGroup(group: string): Promise<DirectoryGroup>;
+}
+//#endregion
+//#region src/events/events.d.ts
+declare class Events {
+  private readonly workos;
+  constructor(workos: WorkOS);
+  listEvents(options: ListEventOptions): Promise<List<Event>>;
+}
+//#endregion
+//#region src/organizations/organizations.d.ts
+declare class Organizations {
+  private readonly workos;
+  constructor(workos: WorkOS);
+  listOrganizations(options?: ListOrganizationsOptions): Promise<AutoPaginatable<Organization, ListOrganizationsOptions>>;
+  createOrganization(payload: CreateOrganizationOptions, requestOptions?: CreateOrganizationRequestOptions): Promise<Organization>;
+  deleteOrganization(id: string): Promise<void>;
+  getOrganization(id: string): Promise<Organization>;
+  getOrganizationByExternalId(externalId: string): Promise<Organization>;
+  updateOrganization(options: UpdateOrganizationOptions): Promise<Organization>;
+  listOrganizationRoles(options: ListOrganizationRolesOptions): Promise<RoleList>;
+  listOrganizationFeatureFlags(options: ListOrganizationFeatureFlagsOptions): Promise<AutoPaginatable<FeatureFlag>>;
+  listOrganizationApiKeys(options: ListOrganizationApiKeysOptions): Promise<AutoPaginatable<ApiKey>>;
+  createOrganizationApiKey(options: CreateOrganizationApiKeyOptions, requestOptions?: CreateOrganizationApiKeyRequestOptions): Promise<CreatedApiKey>;
+}
+//#endregion
+//#region src/organization-domains/organization-domains.d.ts
+declare class OrganizationDomains {
+  private readonly workos;
+  constructor(workos: WorkOS);
+  get(id: string): Promise<OrganizationDomain>;
+  verify(id: string): Promise<OrganizationDomain>;
+  create(payload: CreateOrganizationDomainOptions): Promise<OrganizationDomain>;
+  delete(id: string): Promise<void>;
+}
+//#endregion
+//#region src/passwordless/passwordless.d.ts
+declare class Passwordless {
+  private readonly workos;
+  constructor(workos: WorkOS);
+  createSession({
+    redirectURI,
+    expiresIn,
+    ...options
+  }: CreatePasswordlessSessionOptions): Promise<PasswordlessSession>;
+  sendSession(sessionId: string): Promise<SendSessionResponse>;
+}
+//#endregion
+//#region src/pipes/pipes.d.ts
+declare class Pipes {
+  private readonly workos;
+  constructor(workos: WorkOS);
+  getAccessToken({
+    provider,
+    ...options
+  }: GetAccessTokenOptions & {
+    provider: string;
+  }): Promise<GetAccessTokenResponse>;
+}
+//#endregion
+//#region src/portal/portal.d.ts
+declare class Portal {
+  private readonly workos;
+  constructor(workos: WorkOS);
+  generateLink({
+    intent,
+    organization,
+    returnUrl,
+    successUrl
+  }: {
+    intent: GeneratePortalLinkIntent;
+    organization: string;
+    returnUrl?: string;
+    successUrl?: string;
+  }): Promise<{
+    link: string;
+  }>;
+}
+//#endregion
+//#region src/sso/sso.d.ts
+declare class SSO {
+  private readonly workos;
+  constructor(workos: WorkOS);
+  listConnections(options?: ListConnectionsOptions): Promise<AutoPaginatable<Connection, SerializedListConnectionsOptions>>;
+  deleteConnection(id: string): Promise<void>;
+  getAuthorizationUrl(options: SSOAuthorizationURLOptions): string;
+  /**
+   * Generates an authorization URL with PKCE parameters automatically generated.
+   * Use this for public clients (CLI apps, Electron, mobile) that cannot
+   * securely store a client secret.
+   *
+   * @returns Object containing url, state, and codeVerifier
+   *
+   * @example
+   * ```typescript
+   * const { url, state, codeVerifier } = await workos.sso.getAuthorizationUrlWithPKCE({
+   *   connection: 'conn_123',
+   *   clientId: 'client_123',
+   *   redirectUri: 'myapp://callback',
+   * });
+   *
+   * // Store state and codeVerifier securely, then redirect user to url
+   * // After callback, exchange the code:
+   * const { profile, accessToken } = await workos.sso.getProfileAndToken({
+   *   code: authorizationCode,
+   *   codeVerifier,
+   *   clientId: 'client_123',
+   * });
+   * ```
+   */
+  getAuthorizationUrlWithPKCE(options: Omit<SSOAuthorizationURLOptions, 'codeChallenge' | 'codeChallengeMethod' | 'state'>): Promise<SSOPKCEAuthorizationURLResult>;
+  getConnection(id: string): Promise<Connection>;
+  /**
+   * Exchange an authorization code for a profile and access token.
+   *
+   * Auto-detects public vs confidential client mode:
+   * - If codeVerifier is provided: Uses PKCE flow (public client)
+   * - If no codeVerifier: Uses client_secret from API key (confidential client)
+   * - If both: Uses both client_secret AND codeVerifier (confidential client with PKCE)
+   *
+   * Using PKCE with confidential clients is recommended by OAuth 2.1 for defense
+   * in depth and provides additional CSRF protection on the authorization flow.
+   *
+   * @throws Error if neither codeVerifier nor API key is available
+   */
+  getProfileAndToken<CustomAttributesType extends UnknownRecord = UnknownRecord>({
+    code,
+    clientId,
+    codeVerifier
+  }: GetProfileAndTokenOptions): Promise<ProfileAndToken<CustomAttributesType>>;
+  getProfile<CustomAttributesType extends UnknownRecord = UnknownRecord>({
+    accessToken
+  }: GetProfileOptions): Promise<Profile<CustomAttributesType>>;
+}
+//#endregion
+//#region src/mfa/mfa.d.ts
+declare class Mfa {
+  private readonly workos;
+  constructor(workos: WorkOS);
+  deleteFactor(id: string): Promise<void>;
+  getFactor(id: string): Promise<Factor$1>;
+  enrollFactor(options: EnrollFactorOptions): Promise<FactorWithSecrets$1>;
+  challengeFactor(options: ChallengeFactorOptions): Promise<Challenge>;
+  verifyChallenge(options: VerifyChallengeOptions): Promise<VerifyResponse>;
+}
+//#endregion
+//#region src/audit-logs/audit-logs.d.ts
+declare class AuditLogs {
+  private readonly workos;
+  constructor(workos: WorkOS);
+  createEvent(organization: string, event: CreateAuditLogEventOptions, options?: CreateAuditLogEventRequestOptions): Promise<void>;
+  createExport(options: AuditLogExportOptions): Promise<AuditLogExport>;
+  getExport(auditLogExportId: string): Promise<AuditLogExport>;
+  createSchema(schema: CreateAuditLogSchemaOptions, options?: CreateAuditLogSchemaRequestOptions): Promise<AuditLogSchema>;
+}
+//#endregion
+//#region src/user-management/session.d.ts
+type RefreshOptions = {
+  cookiePassword?: string;
+  organizationId?: string;
+};
+declare class CookieSession {
+  private userManagement;
+  private cookiePassword;
+  private sessionData;
+  constructor(userManagement: UserManagement, sessionData: string, cookiePassword: string);
+  /**
+   * Authenticates a user with a session cookie.
+   *
+   * @returns An object indicating whether the authentication was successful or not. If successful, it will include the user's session data.
+   */
+  authenticate(): Promise<AuthenticateWithSessionCookieSuccessResponse | AuthenticateWithSessionCookieFailedResponse>;
+  /**
+   * Refreshes the user's session.
+   *
+   * @param options - Optional options for refreshing the session.
+   * @param options.cookiePassword - The password to use for the new session cookie.
+   * @param options.organizationId - The organization ID to use for the new session cookie.
+   * @returns An object indicating whether the refresh was successful or not. If successful, it will include the new sealed session data.
+   */
+  refresh(options?: RefreshOptions): Promise<RefreshSessionResponse>;
+  /**
+   * Gets the URL to redirect the user to for logging out.
+   *
+   * @returns The URL to redirect the user to for logging out.
+   */
+  getLogoutUrl({
+    returnTo
+  }?: {
+    returnTo?: string;
+  }): Promise<string>;
+  private isValidJwt;
+}
+//#endregion
+//#region src/user-management/user-management.d.ts
+declare class UserManagement {
+  private readonly workos;
+  private _jwks;
+  clientId: string | undefined;
+  constructor(workos: WorkOS);
+  /**
+   * Resolve clientId from method options or fall back to constructor-provided value.
+   * @throws TypeError if clientId is not available from either source
+   */
+  private resolveClientId;
+  getJWKS(): Promise<ReturnType<typeof jose0.createRemoteJWKSet> | undefined>;
+  /**
+   * Loads a sealed session using the provided session data and cookie password.
+   *
+   * @param options - The options for loading the sealed session.
+   * @param options.sessionData - The sealed session data.
+   * @param options.cookiePassword - The password used to encrypt the session data.
+   * @returns The session class.
+   */
+  loadSealedSession(options: {
+    sessionData: string;
+    cookiePassword: string;
+  }): CookieSession;
+  getUser(userId: string): Promise<User>;
+  getUserByExternalId(externalId: string): Promise<User>;
+  listUsers(options?: ListUsersOptions): Promise<AutoPaginatable<User, SerializedListUsersOptions>>;
+  createUser(payload: CreateUserOptions): Promise<User>;
+  authenticateWithMagicAuth(payload: AuthenticateWithMagicAuthOptions): Promise<AuthenticationResponse>;
+  authenticateWithPassword(payload: AuthenticateWithPasswordOptions): Promise<AuthenticationResponse>;
+  /**
+   * Exchange an authorization code for tokens.
+   *
+   * Auto-detects public vs confidential client mode:
+   * - If codeVerifier is provided: Uses PKCE flow (public client)
+   * - If no codeVerifier: Uses client_secret from API key (confidential client)
+   * - If both: Uses both client_secret AND codeVerifier (confidential client with PKCE)
+   *
+   * Using PKCE with confidential clients is recommended by OAuth 2.1 for defense
+   * in depth and provides additional CSRF protection on the authorization flow.
+   *
+   * @throws Error if neither codeVerifier nor API key is available
+   */
+  authenticateWithCode(payload: AuthenticateWithCodeOptions): Promise<AuthenticationResponse>;
+  /**
+   * Exchange an authorization code for tokens using PKCE (public client flow).
+   * Use this instead of authenticateWithCode() when the client cannot securely
+   * store a client_secret (browser, mobile, CLI, desktop apps).
+   *
+   * @param payload.clientId - Your WorkOS client ID
+   * @param payload.code - The authorization code from the OAuth callback
+   * @param payload.codeVerifier - The PKCE code verifier used to generate the code challenge
+   */
+  authenticateWithCodeAndVerifier(payload: AuthenticateWithCodeAndVerifierOptions): Promise<AuthenticationResponse>;
+  /**
+   * Refresh an access token using a refresh token.
+   * Automatically detects public client mode - if no API key is configured,
+   * omits client_secret from the request.
+   */
+  authenticateWithRefreshToken(payload: AuthenticateWithRefreshTokenOptions): Promise<AuthenticationResponse>;
+  authenticateWithTotp(payload: AuthenticateWithTotpOptions): Promise<AuthenticationResponse>;
+  authenticateWithEmailVerification(payload: AuthenticateWithEmailVerificationOptions): Promise<AuthenticationResponse>;
+  authenticateWithOrganizationSelection(payload: AuthenticateWithOrganizationSelectionOptions): Promise<AuthenticationResponse>;
+  authenticateWithSessionCookie({
+    sessionData,
+    cookiePassword
+  }: AuthenticateWithSessionCookieOptions): Promise<AuthenticateWithSessionCookieSuccessResponse | AuthenticateWithSessionCookieFailedResponse>;
+  private isValidJwt;
+  private prepareAuthenticationResponse;
+  private sealSessionDataFromAuthenticationResponse;
+  getSessionFromCookie({
+    sessionData,
+    cookiePassword
+  }: SessionHandlerOptions): Promise<SessionCookieData | undefined>;
+  getEmailVerification(emailVerificationId: string): Promise<EmailVerification>;
+  sendVerificationEmail({
+    userId
+  }: SendVerificationEmailOptions): Promise<{
+    user: User;
+  }>;
+  getMagicAuth(magicAuthId: string): Promise<MagicAuth>;
+  createMagicAuth(options: CreateMagicAuthOptions): Promise<MagicAuth>;
+  verifyEmail({
+    code,
+    userId
+  }: VerifyEmailOptions): Promise<{
+    user: User;
+  }>;
+  getPasswordReset(passwordResetId: string): Promise<PasswordReset>;
+  createPasswordReset(options: CreatePasswordResetOptions): Promise<PasswordReset>;
+  resetPassword(payload: ResetPasswordOptions): Promise<{
+    user: User;
+  }>;
+  updateUser(payload: UpdateUserOptions): Promise<User>;
+  enrollAuthFactor(payload: EnrollAuthFactorOptions): Promise<{
+    authenticationFactor: FactorWithSecrets;
+    authenticationChallenge: Challenge;
+  }>;
+  listAuthFactors(options: ListAuthFactorsOptions): Promise<AutoPaginatable<Factor, PaginationOptions>>;
+  listUserFeatureFlags(options: ListUserFeatureFlagsOptions): Promise<AutoPaginatable<FeatureFlag>>;
+  listSessions(userId: string, options?: ListSessionsOptions): Promise<AutoPaginatable<Session, SerializedListSessionsOptions>>;
+  deleteUser(userId: string): Promise<void>;
+  getUserIdentities(userId: string): Promise<Identity[]>;
+  getOrganizationMembership(organizationMembershipId: string): Promise<OrganizationMembership>;
+  listOrganizationMemberships(options: ListOrganizationMembershipsOptions): Promise<AutoPaginatable<OrganizationMembership, SerializedListOrganizationMembershipsOptions>>;
+  createOrganizationMembership(options: CreateOrganizationMembershipOptions): Promise<OrganizationMembership>;
+  updateOrganizationMembership(organizationMembershipId: string, options: UpdateOrganizationMembershipOptions): Promise<OrganizationMembership>;
+  deleteOrganizationMembership(organizationMembershipId: string): Promise<void>;
+  deactivateOrganizationMembership(organizationMembershipId: string): Promise<OrganizationMembership>;
+  reactivateOrganizationMembership(organizationMembershipId: string): Promise<OrganizationMembership>;
+  getInvitation(invitationId: string): Promise<Invitation>;
+  findInvitationByToken(invitationToken: string): Promise<Invitation>;
+  listInvitations(options: ListInvitationsOptions): Promise<AutoPaginatable<Invitation, SerializedListInvitationsOptions>>;
+  sendInvitation(payload: SendInvitationOptions): Promise<Invitation>;
+  acceptInvitation(invitationId: string): Promise<Invitation>;
+  revokeInvitation(invitationId: string): Promise<Invitation>;
+  resendInvitation(invitationId: string, options?: ResendInvitationOptions): Promise<Invitation>;
+  revokeSession(payload: RevokeSessionOptions): Promise<void>;
+  /**
+   * Generate an OAuth 2.0 authorization URL.
+   *
+   * For public clients (browser, mobile, CLI), include PKCE parameters:
+   * - Generate PKCE using workos.pkce.generate()
+   * - Pass codeChallenge and codeChallengeMethod here
+   * - Store codeVerifier and pass to authenticateWithCode() later
+   *
+   * Or use getAuthorizationUrlWithPKCE() which handles PKCE automatically.
+   */
+  getAuthorizationUrl(options: UserManagementAuthorizationURLOptions): string;
+  /**
+   * Generate an OAuth 2.0 authorization URL with automatic PKCE.
+   *
+   * This method generates PKCE parameters internally and returns them along with
+   * the authorization URL. Use this for public clients (CLI apps, Electron, mobile)
+   * that cannot securely store a client secret.
+   *
+   * @returns Object containing url, state, and codeVerifier
+   *
+   * @example
+   * ```typescript
+   * const { url, state, codeVerifier } = await workos.userManagement.getAuthorizationUrlWithPKCE({
+   *   provider: 'authkit',
+   *   clientId: 'client_123',
+   *   redirectUri: 'myapp://callback',
+   * });
+   *
+   * // Store state and codeVerifier securely, then redirect user to url
+   * // After callback, exchange the code:
+   * const response = await workos.userManagement.authenticateWithCode({
+   *   code: authorizationCode,
+   *   codeVerifier,
+   *   clientId: 'client_123',
+   * });
+   * ```
+   */
+  getAuthorizationUrlWithPKCE(options: Omit<UserManagementAuthorizationURLOptions, 'codeChallenge' | 'codeChallengeMethod' | 'state'>): Promise<PKCEAuthorizationURLResult>;
+  getLogoutUrl(options: LogoutURLOptions): string;
+  getJwksUrl(clientId: string): string;
+}
+//#endregion
+//#region src/fga/fga.d.ts
+/**
+ * @deprecated The FGA module is deprecated. Use the Authorization module instead.
+ * @see src/authorization/authorization.ts
+ */
+declare class FGA {
+  private readonly workos;
+  constructor(workos: WorkOS);
+  check(checkOptions: CheckOptions, options?: CheckRequestOptions): Promise<CheckResult>;
+  checkBatch(checkOptions: CheckBatchOptions, options?: CheckRequestOptions): Promise<CheckResult[]>;
+  createResource(resource: CreateResourceOptions): Promise<Resource>;
+  getResource(resource: ResourceInterface | ResourceOptions): Promise<Resource>;
+  listResources(options?: ListResourcesOptions): Promise<AutoPaginatable<Resource, SerializedListResourcesOptions>>;
+  updateResource(options: UpdateResourceOptions): Promise<Resource>;
+  deleteResource(resource: DeleteResourceOptions): Promise<void>;
+  batchWriteResources(options: BatchWriteResourcesOptions): Promise<Resource[]>;
+  writeWarrant(options: WriteWarrantOptions): Promise<WarrantToken>;
+  batchWriteWarrants(options: WriteWarrantOptions[]): Promise<WarrantToken>;
+  listWarrants(options?: ListWarrantsOptions, requestOptions?: ListWarrantsRequestOptions): Promise<AutoPaginatable<Warrant, SerializedListWarrantsOptions>>;
+  query(options: QueryOptions, requestOptions?: QueryRequestOptions): Promise<FgaPaginatable<QueryResult, SerializedQueryOptions>>;
+}
+//#endregion
+//#region src/feature-flags/feature-flags.d.ts
+declare class FeatureFlags {
+  private readonly workos;
+  constructor(workos: WorkOS);
+  listFeatureFlags(options?: ListFeatureFlagsOptions): Promise<AutoPaginatable<FeatureFlag>>;
+  getFeatureFlag(slug: string): Promise<FeatureFlag>;
+  enableFeatureFlag(slug: string): Promise<FeatureFlag>;
+  disableFeatureFlag(slug: string): Promise<FeatureFlag>;
+  addFlagTarget(options: AddFlagTargetOptions): Promise<void>;
+  removeFlagTarget(options: RemoveFlagTargetOptions): Promise<void>;
+}
+//#endregion
+//#region src/widgets/widgets.d.ts
+declare class Widgets {
+  private readonly workos;
+  constructor(workos: WorkOS);
+  getToken(payload: GetTokenOptions): Promise<string>;
+}
+//#endregion
+//#region src/authorization/authorization.d.ts
+declare class Authorization {
+  private readonly workos;
+  constructor(workos: WorkOS);
+  createEnvironmentRole(options: CreateEnvironmentRoleOptions): Promise<EnvironmentRole>;
+  listEnvironmentRoles(): Promise<EnvironmentRoleList>;
+  getEnvironmentRole(slug: string): Promise<EnvironmentRole>;
+  updateEnvironmentRole(slug: string, options: UpdateEnvironmentRoleOptions): Promise<EnvironmentRole>;
+  setEnvironmentRolePermissions(slug: string, options: SetEnvironmentRolePermissionsOptions): Promise<EnvironmentRole>;
+  addEnvironmentRolePermission(slug: string, options: AddEnvironmentRolePermissionOptions): Promise<EnvironmentRole>;
+  createOrganizationRole(organizationId: string, options: CreateOrganizationRoleOptions): Promise<OrganizationRole>;
+  listOrganizationRoles(organizationId: string): Promise<RoleList>;
+  getOrganizationRole(organizationId: string, slug: string): Promise<Role>;
+  updateOrganizationRole(organizationId: string, slug: string, options: UpdateOrganizationRoleOptions): Promise<OrganizationRole>;
+  deleteOrganizationRole(organizationId: string, slug: string): Promise<void>;
+  setOrganizationRolePermissions(organizationId: string, slug: string, options: SetOrganizationRolePermissionsOptions): Promise<OrganizationRole>;
+  addOrganizationRolePermission(organizationId: string, slug: string, options: AddOrganizationRolePermissionOptions): Promise<OrganizationRole>;
+  removeOrganizationRolePermission(organizationId: string, slug: string, options: RemoveOrganizationRolePermissionOptions): Promise<void>;
+  createPermission(options: CreatePermissionOptions): Promise<Permission>;
+  listPermissions(options?: ListPermissionsOptions): Promise<PermissionList>;
+  getPermission(slug: string): Promise<Permission>;
+  updatePermission(slug: string, options: UpdatePermissionOptions): Promise<Permission>;
+  deletePermission(slug: string): Promise<void>;
+  getResource(resourceId: string): Promise<AuthorizationResource>;
+  createResource(options: CreateAuthorizationResourceOptions): Promise<AuthorizationResource>;
+  updateResource(options: UpdateAuthorizationResourceOptions): Promise<AuthorizationResource>;
+  deleteResource(options: DeleteAuthorizationResourceOptions): Promise<void>;
+  listResources(options?: ListAuthorizationResourcesOptions): Promise<AuthorizationResourceList>;
+  getResourceByExternalId(options: GetAuthorizationResourceByExternalIdOptions): Promise<AuthorizationResource>;
+  updateResourceByExternalId(options: UpdateAuthorizationResourceByExternalIdOptions): Promise<AuthorizationResource>;
+  deleteResourceByExternalId(options: DeleteAuthorizationResourceByExternalIdOptions): Promise<void>;
+  check(options: AuthorizationCheckOptions): Promise<AuthorizationCheckResult>;
+  listRoleAssignments(options: ListRoleAssignmentsOptions): Promise<RoleAssignmentList>;
+  assignRole(options: AssignRoleOptions): Promise<RoleAssignment>;
+  removeRole(options: RemoveRoleOptions): Promise<void>;
+  removeRoleAssignment(options: RemoveRoleAssignmentOptions): Promise<void>;
+  listResourcesForMembership(options: ListResourcesForMembershipOptions): Promise<AuthorizationResourceList>;
+  listMembershipsForResource(options: ListMembershipsForResourceOptions): Promise<AuthorizationOrganizationMembershipList>;
+  listMembershipsForResourceByExternalId(options: ListMembershipsForResourceByExternalIdOptions): Promise<AuthorizationOrganizationMembershipList>;
+}
+//#endregion
+//#region src/factory.d.ts
+/**
+ * Method names available without API key - single source of truth.
+ * Add new public methods here to expose them on PublicUserManagement.
+ */
+type PublicUserManagementMethods = 'getAuthorizationUrl' | 'getAuthorizationUrlWithPKCE' | 'authenticateWithCode' | 'authenticateWithCodeAndVerifier' | 'authenticateWithRefreshToken' | 'getLogoutUrl' | 'getJwksUrl';
+/**
+ * SSO method names available without API key.
+ */
+type PublicSSOMethods = 'getAuthorizationUrl' | 'getAuthorizationUrlWithPKCE' | 'getProfileAndToken';
+/**
+ * Subset of UserManagement methods available without an API key.
+ * Used by public clients (browser, mobile, CLI, desktop apps).
+ */
+type PublicUserManagement = Pick<UserManagement, PublicUserManagementMethods>;
+/**
+ * Subset of SSO methods available without an API key.
+ */
+type PublicSSO = Pick<SSO, PublicSSOMethods>;
+/**
+ * WorkOS client for public/PKCE-only usage.
+ * Returned when initialized with only clientId (no API key).
+ *
+ * For browser, mobile, CLI, and desktop applications that cannot
+ * securely store an API key.
+ */
+interface PublicWorkOS {
+  readonly baseURL: string;
+  readonly clientId: string;
+  readonly pkce: PKCE;
+  readonly userManagement: PublicUserManagement;
+  readonly sso: PublicSSO;
+}
+/**
+ * Options for creating a public client (PKCE-only, no API key).
+ */
+interface PublicClientOptions extends Omit<WorkOSOptions, 'apiKey'> {
+  clientId: string;
+  /** Discriminant: ensures TypeScript selects PublicWorkOS overload when apiKey is absent */
+  apiKey?: never;
+}
+/**
+ * Options for creating a confidential client (with API key).
+ */
+interface ConfidentialClientOptions extends WorkOSOptions {
+  apiKey: string;
+}
+/**
+ * Create a type-safe WorkOS client.
+ *
+ * Returns a narrowed `PublicWorkOS` type when only `clientId` is provided,
+ * ensuring compile-time safety for public client usage. Returns the full
+ * `WorkOS` type when an API key is provided.
+ *
+ * Unlike the `WorkOS` constructor, this factory does NOT read from
+ * environment variables. Pass credentials explicitly for predictable types.
+ *
+ * @example
+ * // Public client (browser, mobile, CLI) - returns PublicWorkOS
+ * const workos = createWorkOS({ clientId: 'client_123' });
+ * await workos.userManagement.getAuthorizationUrlWithPKCE({...}); // OK
+ * workos.userManagement.listUsers(); // TypeScript error!
+ *
+ * @example
+ * // Confidential client (server) - returns full WorkOS
+ * const workos = createWorkOS({
+ *   apiKey: process.env.WORKOS_API_KEY!,
+ *   clientId: 'client_123'
+ * });
+ * await workos.userManagement.listUsers(); // OK
+ */
+declare function createWorkOS(options: PublicClientOptions): PublicWorkOS;
+declare function createWorkOS(options: ConfidentialClientOptions): WorkOS;
+//#endregion
+//#region src/index.worker.d.ts
+declare class WorkOSWorker extends WorkOS {
+  /** @override */
+  createHttpClient(options: WorkOSOptions, userAgent: string): HttpClient;
+  /** @override */
+  createWebhookClient(): Webhooks;
+  getCryptoProvider(): CryptoProvider;
+  /** @override */
+  createActionsClient(): Actions;
+  /** @override */
+  emitWarning(warning: string): void;
+}
+//#endregion
+//#region src/vault/vault.d.ts
+declare class Vault {
+  private readonly workos;
+  private cryptoProvider;
+  constructor(workos: WorkOS);
+  private decode;
+  createObject(options: CreateObjectOptions): Promise<ObjectMetadata>;
+  listObjects(options?: PaginationOptions | undefined): Promise<List<ObjectDigest>>;
+  listObjectVersions(options: ReadObjectOptions): Promise<ObjectVersion[]>;
+  readObject(options: ReadObjectOptions): Promise<VaultObject>;
+  readObjectByName(name: string): Promise<VaultObject>;
+  describeObject(options: ReadObjectOptions): Promise<VaultObject>;
+  updateObject(options: UpdateObjectOptions): Promise<VaultObject>;
+  deleteObject(options: DeleteObjectOptions): Promise<void>;
+  createDataKey(options: CreateDataKeyOptions): Promise<DataKeyPair>;
+  decryptDataKey(options: DecryptDataKeyOptions): Promise<DataKey>;
+  encrypt(data: string, context: KeyContext, associatedData?: string): Promise<string>;
+  decrypt(encryptedData: string, associatedData?: string): Promise<string>;
+}
+//#endregion
+//#region src/workos.d.ts
+declare class WorkOS {
+  readonly baseURL: string;
+  readonly client: HttpClient;
+  readonly clientId?: string;
+  readonly key?: string;
+  readonly options: WorkOSOptions;
+  readonly pkce: PKCE;
+  private readonly hasApiKey;
+  readonly actions: Actions;
+  readonly apiKeys: ApiKeys;
+  readonly auditLogs: AuditLogs;
+  readonly authorization: Authorization;
+  readonly directorySync: DirectorySync;
+  readonly events: Events;
+  readonly featureFlags: FeatureFlags;
+  readonly fga: FGA;
+  readonly mfa: Mfa;
+  readonly organizations: Organizations;
+  readonly organizationDomains: OrganizationDomains;
+  readonly passwordless: Passwordless;
+  readonly pipes: Pipes;
+  readonly portal: Portal;
+  readonly sso: SSO;
+  readonly userManagement: UserManagement;
+  readonly vault: Vault;
+  readonly webhooks: Webhooks;
+  readonly widgets: Widgets;
+  /**
+   * Create a new WorkOS client.
+   *
+   * @param keyOrOptions - API key string, or options object
+   * @param maybeOptions - Options when first argument is API key
+   *
+   * @example
+   * // Server-side with API key (string)
+   * const workos = new WorkOS('sk_...');
+   *
+   * @example
+   * // Server-side with API key (object)
+   * const workos = new WorkOS({ apiKey: 'sk_...', clientId: 'client_...' });
+   *
+   * @example
+   * // PKCE/public client (no API key)
+   * const workos = new WorkOS({ clientId: 'client_...' });
+   */
+  constructor(keyOrOptions?: string | WorkOSOptions, maybeOptions?: WorkOSOptions);
+  private createUserAgent;
+  createWebhookClient(): Webhooks;
+  createActionsClient(): Actions;
+  getCryptoProvider(): CryptoProvider;
+  createHttpClient(options: WorkOSOptions, userAgent: string): HttpClient;
+  get version(): string;
+  /**
+   * Require API key for methods that need it.
+   * @param methodName - Name of the method requiring API key (for error message)
+   * @throws ApiKeyRequiredException if no API key was provided
+   */
+  requireApiKey(methodName: string): void;
+  post<Result = any, Entity = any>(path: string, entity: Entity, options?: PostOptions): Promise<{
+    data: Result;
+  }>;
+  get<Result = any>(path: string, options?: GetOptions): Promise<{
+    data: Result;
+  }>;
+  put<Result = any, Entity = any>(path: string, entity: Entity, options?: PutOptions): Promise<{
+    data: Result;
+  }>;
+  patch<Result = any, Entity = any>(path: string, entity: Entity, options?: PatchOptions): Promise<{
+    data: Result;
+  }>;
+  delete(path: string, query?: any): Promise<void>;
+  deleteWithBody<Entity = any>(path: string, entity: Entity): Promise<void>;
+  emitWarning(warning: string): void;
+  private handleParseError;
+  private handleHttpError;
+}
+//#endregion
+//#region src/api-keys/api-keys.d.ts
+declare class ApiKeys {
+  private readonly workos;
+  constructor(workos: WorkOS);
+  validateApiKey(payload: ValidateApiKeyOptions): Promise<ValidateApiKeyResponse>;
+  deleteApiKey(id: string): Promise<void>;
+}
+//#endregion
+export { OrganizationDomains as C, DirectorySync as E, Passwordless as S, Events as T, AuditLogs as _, ConfidentialClientOptions as a, Portal as b, PublicUserManagement as c, Authorization as d, Widgets as f, CookieSession as g, UserManagement as h, WorkOSWorker as i, PublicWorkOS as l, FGA as m, WorkOS as n, PublicClientOptions as o, FeatureFlags as p, Vault as r, PublicSSO as s, ApiKeys as t, createWorkOS as u, Mfa as v, Organizations as w, Pipes as x, SSO as y };
+//# sourceMappingURL=api-keys-5t7nLnb5.d.cts.map