@workos-inc/node 8.5.0 → 8.7.0

package/lib/user-management/serializers/reset-password-options.serializer.d.cts

@@ -1,2 +1,2 @@
-import { t as serializeResetPasswordOptions } from "../../reset-password-options.serializer-B9Dv28B5.cjs";
+import { t as serializeResetPasswordOptions } from "../../reset-password-options.serializer-B-yKukZL.cjs";
 export { serializeResetPasswordOptions };

package/lib/user-management/serializers/role.serializer.d.cts

@@ -1,4 +1,4 @@
-import { er as RoleEvent, tr as RoleEventResponse } from "../../index-BIw0X_SV.cjs";
+import { lr as RoleEvent, ur as RoleEventResponse } from "../../index-zd2lGEmr.cjs";
 
 //#region src/user-management/serializers/role.serializer.d.ts
 declare const deserializeRoleEvent: (role: RoleEventResponse) => RoleEvent;

package/lib/user-management/serializers/session.serializer.cjs

@@ -1,3 +1,3 @@
-const require_session_serializer = require('../../session.serializer-Dmj9Hm3q.cjs');
+const require_session_serializer = require('../../session.serializer-B63NxvRH.cjs');
 
 exports.deserializeSession = require_session_serializer.deserializeSession;

package/lib/user-management/serializers/session.serializer.d.cts

@@ -1,2 +1,2 @@
-import { t as deserializeSession } from "../../session.serializer-BL-7BJfq.cjs";
+import { t as deserializeSession } from "../../session.serializer-Cw08JZKf.cjs";
 export { deserializeSession };

package/lib/user-management/serializers/session.serializer.js

@@ -5,8 +5,8 @@ const deserializeSession = (session) => ({
 	userId: session.user_id,
 	ipAddress: session.ip_address,
 	userAgent: session.user_agent,
-	organizationId: session.organization_id,
-	impersonator: session.impersonator,
+	...session.organization_id !== void 0 && { organizationId: session.organization_id },
+	...session.impersonator !== void 0 && { impersonator: session.impersonator },
 	authMethod: session.auth_method,
 	status: session.status,
 	expiresAt: session.expires_at,

package/lib/user-management/serializers/session.serializer.js.map

@@ -1 +1 @@
-{"version":3,"file":"session.serializer.js","names":[],"sources":["../../../src/user-management/serializers/session.serializer.ts"],"sourcesContent":["import { Session, SessionResponse } from '../interfaces';\n\nexport const deserializeSession = (session: SessionResponse): Session => ({\n  object: 'session',\n  id: session.id,\n  userId: session.user_id,\n  ipAddress: session.ip_address,\n  userAgent: session.user_agent,\n  organizationId: session.organization_id,\n  impersonator: session.impersonator,\n  authMethod: session.auth_method,\n  status: session.status,\n  expiresAt: session.expires_at,\n  endedAt: session.ended_at,\n  createdAt: session.created_at,\n  updatedAt: session.updated_at,\n});\n"],"mappings":";AAEA,MAAa,sBAAsB,aAAuC;CACxE,QAAQ;CACR,IAAI,QAAQ;CACZ,QAAQ,QAAQ;CAChB,WAAW,QAAQ;CACnB,WAAW,QAAQ;CACnB,gBAAgB,QAAQ;CACxB,cAAc,QAAQ;CACtB,YAAY,QAAQ;CACpB,QAAQ,QAAQ;CAChB,WAAW,QAAQ;CACnB,SAAS,QAAQ;CACjB,WAAW,QAAQ;CACnB,WAAW,QAAQ;CACpB"}
+{"version":3,"file":"session.serializer.js","names":[],"sources":["../../../src/user-management/serializers/session.serializer.ts"],"sourcesContent":["import { Session, SessionResponse } from '../interfaces';\n\nexport const deserializeSession = (session: SessionResponse): Session => ({\n  object: 'session',\n  id: session.id,\n  userId: session.user_id,\n  ipAddress: session.ip_address,\n  userAgent: session.user_agent,\n  ...(session.organization_id !== undefined && {\n    organizationId: session.organization_id,\n  }),\n  ...(session.impersonator !== undefined && {\n    impersonator: session.impersonator,\n  }),\n  authMethod: session.auth_method,\n  status: session.status,\n  expiresAt: session.expires_at,\n  endedAt: session.ended_at,\n  createdAt: session.created_at,\n  updatedAt: session.updated_at,\n});\n"],"mappings":";AAEA,MAAa,sBAAsB,aAAuC;CACxE,QAAQ;CACR,IAAI,QAAQ;CACZ,QAAQ,QAAQ;CAChB,WAAW,QAAQ;CACnB,WAAW,QAAQ;CACnB,GAAI,QAAQ,oBAAoB,UAAa,EAC3C,gBAAgB,QAAQ,iBACzB;CACD,GAAI,QAAQ,iBAAiB,UAAa,EACxC,cAAc,QAAQ,cACvB;CACD,YAAY,QAAQ;CACpB,QAAQ,QAAQ;CAChB,WAAW,QAAQ;CACnB,SAAS,QAAQ;CACjB,WAAW,QAAQ;CACnB,WAAW,QAAQ;CACpB"}

package/lib/user-management/serializers/update-user-options.serializer.d.cts

@@ -1,2 +1,2 @@
-import { t as serializeUpdateUserOptions } from "../../update-user-options.serializer-DCtFirLd.cjs";
+import { t as serializeUpdateUserOptions } from "../../update-user-options.serializer-C7da_R08.cjs";
 export { serializeUpdateUserOptions };

package/lib/user-management/serializers/update-user-password-options.serializer.d.cts

@@ -1,2 +1,2 @@
-import { t as serializeUpdateUserPasswordOptions } from "../../update-user-password-options.serializer-CCVVrUCy.cjs";
+import { t as serializeUpdateUserPasswordOptions } from "../../update-user-password-options.serializer-D67Lr4m1.cjs";
 export { serializeUpdateUserPasswordOptions };

package/lib/user-management/serializers/user.serializer.d.cts

@@ -1,2 +1,2 @@
-import { t as deserializeUser } from "../../user.serializer-B8Yr_r6n.cjs";
+import { t as deserializeUser } from "../../user.serializer-BFpDaajW.cjs";
 export { deserializeUser };

package/lib/user-management/session.d.cts

@@ -1,2 +1,2 @@
-import { g as CookieSession } from "../api-keys-OJfN1xfX.cjs";
+import { g as CookieSession } from "../api-keys-FoD7rQEa.cjs";
 export { CookieSession };

package/lib/user-management/user-management.cjs

@@ -1,5 +1,5 @@
 require('../jose-BhyqkBqW.cjs');
 require('../session-Beigw6Nc.cjs');
-const require_user_management = require('../user-management-CTQFnn4h.cjs');
+const require_user_management = require('../user-management-CJj1rMco.cjs');
 
 exports.UserManagement = require_user_management.UserManagement;

package/lib/user-management/user-management.d.cts

@@ -1,2 +1,2 @@
-import { h as UserManagement } from "../api-keys-OJfN1xfX.cjs";
+import { h as UserManagement } from "../api-keys-FoD7rQEa.cjs";
 export { UserManagement };

package/lib/user-management/user-management.d.ts

@@ -39,8 +39,8 @@ import { Session } from "./interfaces/session.interface.js";
 import { UpdateOrganizationMembershipOptions } from "./interfaces/update-organization-membership-options.interface.js";
 import { UpdateUserOptions } from "./interfaces/update-user-options.interface.js";
 import { VerifyEmailOptions } from "./interfaces/verify-email-options.interface.js";
-import { AutoPaginatable } from "../common/utils/pagination.js";
 import { FeatureFlag } from "../feature-flags/interfaces/feature-flag.interface.js";
+import { AutoPaginatable } from "../common/utils/pagination.js";
 import { Challenge } from "../mfa/interfaces/challenge.interface.js";
 import { SessionHandlerOptions } from "./interfaces/session-handler-options.interface.js";
 import { CookieSession } from "./session.js";

package/lib/user-management/user-management.js

@@ -22,8 +22,8 @@ import { deserializeSession } from "./serializers/session.serializer.js";
 import { serializeCreateUserOptions } from "./serializers/create-user-options.serializer.js";
 import { serializeUpdateUserOptions } from "./serializers/update-user-options.serializer.js";
 import { deserializeOrganizationMembership } from "./serializers/organization-membership.serializer.js";
-import { fetchAndDeserialize } from "../common/utils/fetch-and-deserialize.js";
 import { deserializeFeatureFlag } from "../feature-flags/serializers/feature-flag.serializer.js";
+import { fetchAndDeserialize } from "../common/utils/fetch-and-deserialize.js";
 import { toQueryString } from "../common/utils/query-string.js";
 import { deserializeChallenge } from "../mfa/serializers/challenge.serializer.js";
 import { sealData, unsealData } from "../common/crypto/seal.js";

package/lib/{user-management-CTQFnn4h.cjs → user-management-CJj1rMco.cjs}

@@ -18,12 +18,12 @@ const require_list_sessions_options_serializer = require('./list-sessions-option
 const require_magic_auth_serializer = require('./magic-auth.serializer-By4HyvgZ.cjs');
 const require_password_reset_serializer = require('./password-reset.serializer-D8Kbnirv.cjs');
 const require_reset_password_options_serializer = require('./reset-password-options.serializer-6VTahIzL.cjs');
-const require_session_serializer = require('./session.serializer-Dmj9Hm3q.cjs');
+const require_session_serializer = require('./session.serializer-B63NxvRH.cjs');
 const require_create_user_options_serializer = require('./create-user-options.serializer-CphvVoaV.cjs');
 const require_update_user_options_serializer = require('./update-user-options.serializer-H11lRdjH.cjs');
 const require_organization_membership_serializer = require('./organization-membership.serializer-CgjS5BwK.cjs');
-const require_fetch_and_deserialize = require('./fetch-and-deserialize-Ba2wR4ur.cjs');
-const require_feature_flag_serializer = require('./feature-flag.serializer-Cs7qjKgp.cjs');
+const require_feature_flag_serializer = require('./feature-flag.serializer-DqXUiZd4.cjs');
+const require_fetch_and_deserialize = require('./fetch-and-deserialize-wAuupni3.cjs');
 const require_query_string = require('./query-string-DJDFy7sp.cjs');
 const require_challenge_serializer = require('./challenge.serializer-B3MYXnw3.cjs');
 const require_seal = require('./seal-BDnUayLx.cjs');
@@ -536,4 +536,4 @@ Object.defineProperty(exports, 'UserManagement', {
     return UserManagement;
   }
 });
-//# sourceMappingURL=user-management-CTQFnn4h.cjs.map
+//# sourceMappingURL=user-management-CJj1rMco.cjs.map

package/lib/{user-management-CTQFnn4h.cjs.map → user-management-CJj1rMco.cjs.map}

@@ -1 +1 @@
-{"version":3,"file":"user-management-CTQFnn4h.cjs","names":["workos: WorkOS","getJose","CookieSession","deserializeUser","AutoPaginatable","fetchAndDeserialize","serializeListUsersOptions","serializeCreateUserOptions","serializeAuthenticateWithMagicAuthOptions","deserializeAuthenticationResponse","serializeAuthenticateWithPasswordOptions","serializeAuthenticateWithCodeOptions","serializeAuthenticateWithCodeAndVerifierOptions","serializeAuthenticateWithRefreshTokenPublicClientOptions","serializeAuthenticateWithRefreshTokenOptions","serializeAuthenticateWithTotpOptions","serializeAuthenticateWithEmailVerificationOptions","serializeAuthenticateWithOrganizationSelectionOptions","getEnv","AuthenticateWithSessionCookieFailureReason","unsealData","sealData","deserializeEmailVerification","deserializeMagicAuth","serializeCreateMagicAuthOptions","deserializePasswordReset","serializeCreatePasswordResetOptions","serializeResetPasswordOptions","serializeUpdateUserOptions","serializeEnrollAuthFactorOptions","deserializeFactorWithSecrets","deserializeChallenge","deserializeFactor","deserializeFeatureFlag","deserializeSession","serializeListSessionsOptions","deserializeIdentities","deserializeOrganizationMembership","serializeListOrganizationMembershipsOptions","serializeCreateOrganizationMembershipOptions","serializeUpdateOrganizationMembershipOptions","deserializeInvitation","serializeListInvitationsOptions","serializeSendInvitationOptions","serializeResendInvitationOptions","serializeRevokeSessionOptions","toQueryString"],"sources":["../src/user-management/user-management.ts"],"sourcesContent":["import { sealData, unsealData } from '../common/crypto/seal';\nimport { PaginationOptions } from '../common/interfaces/pagination-options.interface';\nimport { fetchAndDeserialize } from '../common/utils/fetch-and-deserialize';\nimport { AutoPaginatable } from '../common/utils/pagination';\nimport { getEnv } from '../common/utils/env';\nimport { toQueryString } from '../common/utils/query-string';\nimport { Challenge, ChallengeResponse } from '../mfa/interfaces';\nimport { deserializeChallenge } from '../mfa/serializers';\nimport {\n  FeatureFlag,\n  FeatureFlagResponse,\n} from '../feature-flags/interfaces/feature-flag.interface';\nimport { deserializeFeatureFlag } from '../feature-flags/serializers';\nimport { WorkOS } from '../workos';\nimport {\n  AuthenticateWithCodeAndVerifierOptions,\n  AuthenticateWithCodeOptions,\n  AuthenticateWithMagicAuthOptions,\n  AuthenticateWithPasswordOptions,\n  AuthenticateWithRefreshTokenOptions,\n  AuthenticateWithSessionOptions,\n  AuthenticateWithTotpOptions,\n  AuthenticationResponse,\n  AuthenticationResponseResponse,\n  CreateMagicAuthOptions,\n  CreatePasswordResetOptions,\n  CreateUserOptions,\n  EmailVerification,\n  EmailVerificationResponse,\n  EnrollAuthFactorOptions,\n  ListAuthFactorsOptions,\n  ListSessionsOptions,\n  ListUsersOptions,\n  ListUserFeatureFlagsOptions,\n  LogoutURLOptions,\n  MagicAuth,\n  MagicAuthResponse,\n  PasswordReset,\n  PasswordResetResponse,\n  ResetPasswordOptions,\n  SendVerificationEmailOptions,\n  SerializedAuthenticateWithCodeAndVerifierOptions,\n  SerializedAuthenticateWithCodeOptions,\n  SerializedAuthenticateWithMagicAuthOptions,\n  SerializedAuthenticateWithPasswordOptions,\n  SerializedAuthenticateWithRefreshTokenOptions,\n  SerializedAuthenticateWithRefreshTokenPublicClientOptions,\n  SerializedAuthenticateWithTotpOptions,\n  SerializedCreateMagicAuthOptions,\n  SerializedCreatePasswordResetOptions,\n  SerializedCreateUserOptions,\n  SerializedListSessionsOptions,\n  SerializedListUsersOptions,\n  SerializedResetPasswordOptions,\n  SerializedVerifyEmailOptions,\n  Session,\n  SessionResponse,\n  UpdateUserOptions,\n  User,\n  UserResponse,\n  VerifyEmailOptions,\n} from './interfaces';\nimport {\n  AuthenticateWithEmailVerificationOptions,\n  SerializedAuthenticateWithEmailVerificationOptions,\n} from './interfaces/authenticate-with-email-verification-options.interface';\nimport {\n  AuthenticateWithOrganizationSelectionOptions,\n  SerializedAuthenticateWithOrganizationSelectionOptions,\n} from './interfaces/authenticate-with-organization-selection.interface';\nimport {\n  AccessToken,\n  AuthenticateWithSessionCookieFailedResponse,\n  AuthenticateWithSessionCookieFailureReason,\n  AuthenticateWithSessionCookieOptions,\n  AuthenticateWithSessionCookieSuccessResponse,\n  SessionCookieData,\n} from './interfaces/authenticate-with-session-cookie.interface';\nimport {\n  PKCEAuthorizationURLResult,\n  UserManagementAuthorizationURLOptions,\n} from './interfaces/authorization-url-options.interface';\nimport {\n  CreateOrganizationMembershipOptions,\n  SerializedCreateOrganizationMembershipOptions,\n} from './interfaces/create-organization-membership-options.interface';\nimport {\n  Factor,\n  FactorResponse,\n  FactorWithSecrets,\n  FactorWithSecretsResponse,\n} from './interfaces/factor.interface';\nimport { Identity, IdentityResponse } from './interfaces/identity.interface';\nimport {\n  Invitation,\n  InvitationResponse,\n} from './interfaces/invitation.interface';\nimport {\n  ListInvitationsOptions,\n  SerializedListInvitationsOptions,\n} from './interfaces/list-invitations-options.interface';\nimport {\n  ListOrganizationMembershipsOptions,\n  SerializedListOrganizationMembershipsOptions,\n} from './interfaces/list-organization-memberships-options.interface';\nimport {\n  OrganizationMembership,\n  OrganizationMembershipResponse,\n} from './interfaces/organization-membership.interface';\nimport {\n  RevokeSessionOptions,\n  SerializedRevokeSessionOptions,\n  serializeRevokeSessionOptions,\n} from './interfaces/revoke-session-options.interface';\nimport {\n  ResendInvitationOptions,\n  SerializedResendInvitationOptions,\n} from './interfaces/resend-invitation-options.interface';\nimport {\n  SendInvitationOptions,\n  SerializedSendInvitationOptions,\n} from './interfaces/send-invitation-options.interface';\nimport { SessionHandlerOptions } from './interfaces/session-handler-options.interface';\nimport {\n  SerializedUpdateOrganizationMembershipOptions,\n  UpdateOrganizationMembershipOptions,\n} from './interfaces/update-organization-membership-options.interface';\nimport {\n  deserializeAuthenticationResponse,\n  deserializeEmailVerification,\n  deserializeFactorWithSecrets,\n  deserializeMagicAuth,\n  deserializePasswordReset,\n  deserializeSession,\n  deserializeUser,\n  serializeAuthenticateWithCodeAndVerifierOptions,\n  serializeAuthenticateWithCodeOptions,\n  serializeAuthenticateWithMagicAuthOptions,\n  serializeAuthenticateWithPasswordOptions,\n  serializeAuthenticateWithRefreshTokenOptions,\n  serializeAuthenticateWithRefreshTokenPublicClientOptions,\n  serializeAuthenticateWithTotpOptions,\n  serializeCreateMagicAuthOptions,\n  serializeCreatePasswordResetOptions,\n  serializeCreateUserOptions,\n  serializeEnrollAuthFactorOptions,\n  serializeListSessionsOptions,\n  serializeResetPasswordOptions,\n  serializeUpdateUserOptions,\n} from './serializers';\nimport { serializeAuthenticateWithEmailVerificationOptions } from './serializers/authenticate-with-email-verification.serializer';\nimport { serializeAuthenticateWithOrganizationSelectionOptions } from './serializers/authenticate-with-organization-selection-options.serializer';\nimport { serializeCreateOrganizationMembershipOptions } from './serializers/create-organization-membership-options.serializer';\nimport { deserializeFactor } from './serializers/factor.serializer';\nimport { deserializeIdentities } from './serializers/identity.serializer';\nimport { deserializeInvitation } from './serializers/invitation.serializer';\nimport { serializeListInvitationsOptions } from './serializers/list-invitations-options.serializer';\nimport { serializeListOrganizationMembershipsOptions } from './serializers/list-organization-memberships-options.serializer';\nimport { serializeListUsersOptions } from './serializers/list-users-options.serializer';\nimport { serializeResendInvitationOptions } from './serializers/resend-invitation-options.serializer';\nimport { deserializeOrganizationMembership } from './serializers/organization-membership.serializer';\nimport { serializeSendInvitationOptions } from './serializers/send-invitation-options.serializer';\nimport { serializeUpdateOrganizationMembershipOptions } from './serializers/update-organization-membership-options.serializer';\nimport { CookieSession } from './session';\nimport { getJose } from '../utils/jose';\n\nexport class UserManagement {\n  private _jwks:\n    | ReturnType<typeof import('jose').createRemoteJWKSet>\n    | undefined;\n  public clientId: string | undefined;\n\n  constructor(private readonly workos: WorkOS) {\n    const { clientId } = workos.options;\n\n    this.clientId = clientId;\n  }\n\n  /**\n   * Resolve clientId from method options or fall back to constructor-provided value.\n   * @throws TypeError if clientId is not available from either source\n   */\n  private resolveClientId(clientId?: string): string {\n    const resolved = clientId ?? this.clientId;\n    if (!resolved) {\n      throw new TypeError(\n        'clientId is required. Provide it in method options or when initializing WorkOS.',\n      );\n    }\n    return resolved;\n  }\n\n  async getJWKS(): Promise<\n    ReturnType<typeof import('jose').createRemoteJWKSet> | undefined\n  > {\n    const { createRemoteJWKSet } = await getJose();\n    if (!this.clientId) {\n      return;\n    }\n\n    // Set the JWKS URL. This is used to verify if the JWT is still valid\n    this._jwks ??= createRemoteJWKSet(new URL(this.getJwksUrl(this.clientId)), {\n      cooldownDuration: 1000 * 60 * 5,\n    });\n\n    return this._jwks;\n  }\n\n  /**\n   * Loads a sealed session using the provided session data and cookie password.\n   *\n   * @param options - The options for loading the sealed session.\n   * @param options.sessionData - The sealed session data.\n   * @param options.cookiePassword - The password used to encrypt the session data.\n   * @returns The session class.\n   */\n  loadSealedSession(options: {\n    sessionData: string;\n    cookiePassword: string;\n  }): CookieSession {\n    return new CookieSession(this, options.sessionData, options.cookiePassword);\n  }\n\n  async getUser(userId: string): Promise<User> {\n    const { data } = await this.workos.get<UserResponse>(\n      `/user_management/users/${userId}`,\n    );\n\n    return deserializeUser(data);\n  }\n\n  async getUserByExternalId(externalId: string): Promise<User> {\n    const { data } = await this.workos.get<UserResponse>(\n      `/user_management/users/external_id/${externalId}`,\n    );\n\n    return deserializeUser(data);\n  }\n\n  async listUsers(\n    options?: ListUsersOptions,\n  ): Promise<AutoPaginatable<User, SerializedListUsersOptions>> {\n    return new AutoPaginatable(\n      await fetchAndDeserialize<UserResponse, User>(\n        this.workos,\n        '/user_management/users',\n        deserializeUser,\n        options ? serializeListUsersOptions(options) : undefined,\n      ),\n      (params) =>\n        fetchAndDeserialize<UserResponse, User>(\n          this.workos,\n          '/user_management/users',\n          deserializeUser,\n          params,\n        ),\n      options ? serializeListUsersOptions(options) : undefined,\n    );\n  }\n\n  async createUser(payload: CreateUserOptions): Promise<User> {\n    const { data } = await this.workos.post<\n      UserResponse,\n      SerializedCreateUserOptions\n    >('/user_management/users', serializeCreateUserOptions(payload));\n\n    return deserializeUser(data);\n  }\n\n  async authenticateWithMagicAuth(\n    payload: AuthenticateWithMagicAuthOptions,\n  ): Promise<AuthenticationResponse> {\n    const { session, clientId, ...remainingPayload } = payload;\n    const resolvedClientId = this.resolveClientId(clientId);\n\n    const { data } = await this.workos.post<\n      AuthenticationResponseResponse,\n      SerializedAuthenticateWithMagicAuthOptions\n    >(\n      '/user_management/authenticate',\n      serializeAuthenticateWithMagicAuthOptions({\n        ...remainingPayload,\n        clientId: resolvedClientId,\n        clientSecret: this.workos.key,\n      }),\n    );\n\n    return this.prepareAuthenticationResponse({\n      authenticationResponse: deserializeAuthenticationResponse(data),\n      session,\n    });\n  }\n\n  async authenticateWithPassword(\n    payload: AuthenticateWithPasswordOptions,\n  ): Promise<AuthenticationResponse> {\n    const { session, clientId, ...remainingPayload } = payload;\n    const resolvedClientId = this.resolveClientId(clientId);\n\n    const { data } = await this.workos.post<\n      AuthenticationResponseResponse,\n      SerializedAuthenticateWithPasswordOptions\n    >(\n      '/user_management/authenticate',\n      serializeAuthenticateWithPasswordOptions({\n        ...remainingPayload,\n        clientId: resolvedClientId,\n        clientSecret: this.workos.key,\n      }),\n    );\n\n    return this.prepareAuthenticationResponse({\n      authenticationResponse: deserializeAuthenticationResponse(data),\n      session,\n    });\n  }\n\n  /**\n   * Exchange an authorization code for tokens.\n   *\n   * Auto-detects public vs confidential client mode:\n   * - If codeVerifier is provided: Uses PKCE flow (public client)\n   * - If no codeVerifier: Uses client_secret from API key (confidential client)\n   * - If both: Uses both client_secret AND codeVerifier (confidential client with PKCE)\n   *\n   * Using PKCE with confidential clients is recommended by OAuth 2.1 for defense\n   * in depth and provides additional CSRF protection on the authorization flow.\n   *\n   * @throws Error if neither codeVerifier nor API key is available\n   */\n  async authenticateWithCode(\n    payload: AuthenticateWithCodeOptions,\n  ): Promise<AuthenticationResponse> {\n    const { session, clientId, codeVerifier, ...remainingPayload } = payload;\n    const resolvedClientId = this.resolveClientId(clientId);\n\n    // Validate codeVerifier is not an empty string (common mistake)\n    if (codeVerifier !== undefined && codeVerifier.trim() === '') {\n      throw new TypeError(\n        'codeVerifier cannot be an empty string. ' +\n          'Generate a valid PKCE pair using workos.pkce.generate().',\n      );\n    }\n\n    const hasApiKey = !!this.workos.key;\n    const hasPKCE = !!codeVerifier;\n\n    if (!hasPKCE && !hasApiKey) {\n      throw new TypeError(\n        'authenticateWithCode requires either a codeVerifier (for public clients) ' +\n          'or an API key configured on the WorkOS instance (for confidential clients).',\n      );\n    }\n\n    const { data } = await this.workos.post<\n      AuthenticationResponseResponse,\n      SerializedAuthenticateWithCodeOptions\n    >(\n      '/user_management/authenticate',\n      serializeAuthenticateWithCodeOptions({\n        ...remainingPayload,\n        clientId: resolvedClientId,\n        codeVerifier,\n        clientSecret: hasApiKey ? this.workos.key : undefined,\n      }),\n      { skipApiKeyCheck: !hasApiKey },\n    );\n\n    return this.prepareAuthenticationResponse({\n      authenticationResponse: deserializeAuthenticationResponse(data),\n      session,\n    });\n  }\n\n  /**\n   * Exchange an authorization code for tokens using PKCE (public client flow).\n   * Use this instead of authenticateWithCode() when the client cannot securely\n   * store a client_secret (browser, mobile, CLI, desktop apps).\n   *\n   * @param payload.clientId - Your WorkOS client ID\n   * @param payload.code - The authorization code from the OAuth callback\n   * @param payload.codeVerifier - The PKCE code verifier used to generate the code challenge\n   */\n  async authenticateWithCodeAndVerifier(\n    payload: AuthenticateWithCodeAndVerifierOptions,\n  ): Promise<AuthenticationResponse> {\n    const { session, clientId, ...remainingPayload } = payload;\n    const resolvedClientId = this.resolveClientId(clientId);\n\n    const { data } = await this.workos.post<\n      AuthenticationResponseResponse,\n      SerializedAuthenticateWithCodeAndVerifierOptions\n    >(\n      '/user_management/authenticate',\n      serializeAuthenticateWithCodeAndVerifierOptions({\n        ...remainingPayload,\n        clientId: resolvedClientId,\n      }),\n      { skipApiKeyCheck: true },\n    );\n\n    return this.prepareAuthenticationResponse({\n      authenticationResponse: deserializeAuthenticationResponse(data),\n      session,\n    });\n  }\n\n  /**\n   * Refresh an access token using a refresh token.\n   * Automatically detects public client mode - if no API key is configured,\n   * omits client_secret from the request.\n   */\n  async authenticateWithRefreshToken(\n    payload: AuthenticateWithRefreshTokenOptions,\n  ): Promise<AuthenticationResponse> {\n    const { session, clientId, ...remainingPayload } = payload;\n    const resolvedClientId = this.resolveClientId(clientId);\n    const isPublicClient = !this.workos.key;\n\n    const body = isPublicClient\n      ? serializeAuthenticateWithRefreshTokenPublicClientOptions({\n          ...remainingPayload,\n          clientId: resolvedClientId,\n        })\n      : serializeAuthenticateWithRefreshTokenOptions({\n          ...remainingPayload,\n          clientId: resolvedClientId,\n          clientSecret: this.workos.key,\n        });\n\n    const { data } = await this.workos.post<\n      AuthenticationResponseResponse,\n      | SerializedAuthenticateWithRefreshTokenOptions\n      | SerializedAuthenticateWithRefreshTokenPublicClientOptions\n    >('/user_management/authenticate', body, {\n      skipApiKeyCheck: isPublicClient,\n    });\n\n    return this.prepareAuthenticationResponse({\n      authenticationResponse: deserializeAuthenticationResponse(data),\n      session,\n    });\n  }\n\n  async authenticateWithTotp(\n    payload: AuthenticateWithTotpOptions,\n  ): Promise<AuthenticationResponse> {\n    const { session, clientId, ...remainingPayload } = payload;\n    const resolvedClientId = this.resolveClientId(clientId);\n\n    const { data } = await this.workos.post<\n      AuthenticationResponseResponse,\n      SerializedAuthenticateWithTotpOptions\n    >(\n      '/user_management/authenticate',\n      serializeAuthenticateWithTotpOptions({\n        ...remainingPayload,\n        clientId: resolvedClientId,\n        clientSecret: this.workos.key,\n      }),\n    );\n\n    return this.prepareAuthenticationResponse({\n      authenticationResponse: deserializeAuthenticationResponse(data),\n      session,\n    });\n  }\n\n  async authenticateWithEmailVerification(\n    payload: AuthenticateWithEmailVerificationOptions,\n  ): Promise<AuthenticationResponse> {\n    const { session, clientId, ...remainingPayload } = payload;\n    const resolvedClientId = this.resolveClientId(clientId);\n\n    const { data } = await this.workos.post<\n      AuthenticationResponseResponse,\n      SerializedAuthenticateWithEmailVerificationOptions\n    >(\n      '/user_management/authenticate',\n      serializeAuthenticateWithEmailVerificationOptions({\n        ...remainingPayload,\n        clientId: resolvedClientId,\n        clientSecret: this.workos.key,\n      }),\n    );\n\n    return this.prepareAuthenticationResponse({\n      authenticationResponse: deserializeAuthenticationResponse(data),\n      session,\n    });\n  }\n\n  async authenticateWithOrganizationSelection(\n    payload: AuthenticateWithOrganizationSelectionOptions,\n  ): Promise<AuthenticationResponse> {\n    const { session, clientId, ...remainingPayload } = payload;\n    const resolvedClientId = this.resolveClientId(clientId);\n\n    const { data } = await this.workos.post<\n      AuthenticationResponseResponse,\n      SerializedAuthenticateWithOrganizationSelectionOptions\n    >(\n      '/user_management/authenticate',\n      serializeAuthenticateWithOrganizationSelectionOptions({\n        ...remainingPayload,\n        clientId: resolvedClientId,\n        clientSecret: this.workos.key,\n      }),\n    );\n\n    return this.prepareAuthenticationResponse({\n      authenticationResponse: deserializeAuthenticationResponse(data),\n      session,\n    });\n  }\n\n  async authenticateWithSessionCookie({\n    sessionData,\n    cookiePassword = getEnv('WORKOS_COOKIE_PASSWORD'),\n  }: AuthenticateWithSessionCookieOptions): Promise<\n    | AuthenticateWithSessionCookieSuccessResponse\n    | AuthenticateWithSessionCookieFailedResponse\n  > {\n    if (!cookiePassword) {\n      throw new Error('Cookie password is required');\n    }\n\n    const jwks = await this.getJWKS();\n\n    if (!jwks) {\n      throw new Error('Must provide clientId to initialize JWKS');\n    }\n\n    const { decodeJwt } = await getJose();\n\n    if (!sessionData) {\n      return {\n        authenticated: false,\n        reason:\n          AuthenticateWithSessionCookieFailureReason.NO_SESSION_COOKIE_PROVIDED,\n      };\n    }\n\n    const session = await unsealData<SessionCookieData>(sessionData, {\n      password: cookiePassword,\n    });\n\n    if (!session.accessToken) {\n      return {\n        authenticated: false,\n        reason:\n          AuthenticateWithSessionCookieFailureReason.INVALID_SESSION_COOKIE,\n      };\n    }\n\n    if (!(await this.isValidJwt(session.accessToken))) {\n      return {\n        authenticated: false,\n        reason: AuthenticateWithSessionCookieFailureReason.INVALID_JWT,\n      };\n    }\n\n    const {\n      sid: sessionId,\n      org_id: organizationId,\n      role,\n      roles,\n      permissions,\n      entitlements,\n      feature_flags: featureFlags,\n    } = decodeJwt<AccessToken>(session.accessToken);\n\n    return {\n      authenticated: true,\n      sessionId,\n      organizationId,\n      role,\n      roles,\n      user: session.user,\n      permissions,\n      entitlements,\n      featureFlags,\n      accessToken: session.accessToken,\n      authenticationMethod: session.authenticationMethod,\n    };\n  }\n\n  private async isValidJwt(accessToken: string): Promise<boolean> {\n    const jwks = await this.getJWKS();\n    const { jwtVerify } = await getJose();\n    if (!jwks) {\n      throw new Error('Must provide clientId to initialize JWKS');\n    }\n\n    try {\n      await jwtVerify(accessToken, jwks);\n      return true;\n    } catch (e) {\n      // Only treat as invalid JWT if it's an actual JWT/JWS error from jose\n      // Network errors, crypto failures, etc. should propagate\n      if (\n        e instanceof Error &&\n        'code' in e &&\n        typeof e.code === 'string' &&\n        (e.code.startsWith('ERR_JWT_') || e.code.startsWith('ERR_JWS_'))\n      ) {\n        return false;\n      }\n      throw e;\n    }\n  }\n\n  private async prepareAuthenticationResponse({\n    authenticationResponse,\n    session,\n  }: {\n    authenticationResponse: AuthenticationResponse;\n    session?: AuthenticateWithSessionOptions;\n  }): Promise<AuthenticationResponse> {\n    if (session?.sealSession) {\n      if (!this.workos.key) {\n        throw new Error(\n          'Session sealing requires server-side usage with an API key. ' +\n            'Public clients should store tokens directly ' +\n            '(e.g., secure storage on mobile, keychain on desktop).',\n        );\n      }\n\n      return {\n        ...authenticationResponse,\n        sealedSession: await this.sealSessionDataFromAuthenticationResponse({\n          authenticationResponse,\n          cookiePassword: session.cookiePassword,\n        }),\n      };\n    }\n\n    return authenticationResponse;\n  }\n\n  private async sealSessionDataFromAuthenticationResponse({\n    authenticationResponse,\n    cookiePassword,\n  }: {\n    authenticationResponse: AuthenticationResponse;\n    cookiePassword?: string;\n  }): Promise<string> {\n    if (!cookiePassword) {\n      throw new Error('Cookie password is required');\n    }\n\n    const { decodeJwt } = await getJose();\n\n    const { org_id: organizationIdFromAccessToken } = decodeJwt<AccessToken>(\n      authenticationResponse.accessToken,\n    );\n\n    const sessionData: SessionCookieData = {\n      organizationId: organizationIdFromAccessToken,\n      user: authenticationResponse.user,\n      accessToken: authenticationResponse.accessToken,\n      refreshToken: authenticationResponse.refreshToken,\n      authenticationMethod: authenticationResponse.authenticationMethod,\n      impersonator: authenticationResponse.impersonator,\n    };\n\n    return sealData(sessionData, {\n      password: cookiePassword,\n    });\n  }\n\n  async getSessionFromCookie({\n    sessionData,\n    cookiePassword = getEnv('WORKOS_COOKIE_PASSWORD'),\n  }: SessionHandlerOptions): Promise<SessionCookieData | undefined> {\n    if (!cookiePassword) {\n      throw new Error('Cookie password is required');\n    }\n\n    if (sessionData) {\n      return unsealData<SessionCookieData>(sessionData, {\n        password: cookiePassword,\n      });\n    }\n\n    return undefined;\n  }\n\n  async getEmailVerification(\n    emailVerificationId: string,\n  ): Promise<EmailVerification> {\n    const { data } = await this.workos.get<EmailVerificationResponse>(\n      `/user_management/email_verification/${emailVerificationId}`,\n    );\n\n    return deserializeEmailVerification(data);\n  }\n\n  async sendVerificationEmail({\n    userId,\n  }: SendVerificationEmailOptions): Promise<{ user: User }> {\n    const { data } = await this.workos.post<{ user: UserResponse }>(\n      `/user_management/users/${userId}/email_verification/send`,\n      {},\n    );\n\n    return { user: deserializeUser(data.user) };\n  }\n\n  async getMagicAuth(magicAuthId: string): Promise<MagicAuth> {\n    const { data } = await this.workos.get<MagicAuthResponse>(\n      `/user_management/magic_auth/${magicAuthId}`,\n    );\n\n    return deserializeMagicAuth(data);\n  }\n\n  async createMagicAuth(options: CreateMagicAuthOptions): Promise<MagicAuth> {\n    const { data } = await this.workos.post<\n      MagicAuthResponse,\n      SerializedCreateMagicAuthOptions\n    >(\n      '/user_management/magic_auth',\n      serializeCreateMagicAuthOptions({\n        ...options,\n      }),\n    );\n\n    return deserializeMagicAuth(data);\n  }\n\n  async verifyEmail({\n    code,\n    userId,\n  }: VerifyEmailOptions): Promise<{ user: User }> {\n    const { data } = await this.workos.post<\n      { user: UserResponse },\n      SerializedVerifyEmailOptions\n    >(`/user_management/users/${userId}/email_verification/confirm`, {\n      code,\n    });\n\n    return { user: deserializeUser(data.user) };\n  }\n\n  async getPasswordReset(passwordResetId: string): Promise<PasswordReset> {\n    const { data } = await this.workos.get<PasswordResetResponse>(\n      `/user_management/password_reset/${passwordResetId}`,\n    );\n\n    return deserializePasswordReset(data);\n  }\n\n  async createPasswordReset(\n    options: CreatePasswordResetOptions,\n  ): Promise<PasswordReset> {\n    const { data } = await this.workos.post<\n      PasswordResetResponse,\n      SerializedCreatePasswordResetOptions\n    >(\n      '/user_management/password_reset',\n      serializeCreatePasswordResetOptions({\n        ...options,\n      }),\n    );\n\n    return deserializePasswordReset(data);\n  }\n\n  async resetPassword(payload: ResetPasswordOptions): Promise<{ user: User }> {\n    const { data } = await this.workos.post<\n      { user: UserResponse },\n      SerializedResetPasswordOptions\n    >(\n      '/user_management/password_reset/confirm',\n      serializeResetPasswordOptions(payload),\n    );\n\n    return { user: deserializeUser(data.user) };\n  }\n\n  async updateUser(payload: UpdateUserOptions): Promise<User> {\n    const { data } = await this.workos.put<UserResponse>(\n      `/user_management/users/${payload.userId}`,\n      serializeUpdateUserOptions(payload),\n    );\n\n    return deserializeUser(data);\n  }\n\n  async enrollAuthFactor(payload: EnrollAuthFactorOptions): Promise<{\n    authenticationFactor: FactorWithSecrets;\n    authenticationChallenge: Challenge;\n  }> {\n    const { data } = await this.workos.post<{\n      authentication_factor: FactorWithSecretsResponse;\n      authentication_challenge: ChallengeResponse;\n    }>(\n      `/user_management/users/${payload.userId}/auth_factors`,\n      serializeEnrollAuthFactorOptions(payload),\n    );\n\n    return {\n      authenticationFactor: deserializeFactorWithSecrets(\n        data.authentication_factor,\n      ),\n      authenticationChallenge: deserializeChallenge(\n        data.authentication_challenge,\n      ),\n    };\n  }\n\n  async listAuthFactors(\n    options: ListAuthFactorsOptions,\n  ): Promise<AutoPaginatable<Factor, PaginationOptions>> {\n    const { userId, ...restOfOptions } = options;\n    return new AutoPaginatable(\n      await fetchAndDeserialize<FactorResponse, Factor>(\n        this.workos,\n        `/user_management/users/${userId}/auth_factors`,\n        deserializeFactor,\n        restOfOptions,\n      ),\n      (params) =>\n        fetchAndDeserialize<FactorResponse, Factor>(\n          this.workos,\n          `/user_management/users/${userId}/auth_factors`,\n          deserializeFactor,\n          params,\n        ),\n      restOfOptions,\n    );\n  }\n\n  async listUserFeatureFlags(\n    options: ListUserFeatureFlagsOptions,\n  ): Promise<AutoPaginatable<FeatureFlag>> {\n    const { userId, ...paginationOptions } = options;\n\n    return new AutoPaginatable(\n      await fetchAndDeserialize<FeatureFlagResponse, FeatureFlag>(\n        this.workos,\n        `/user_management/users/${userId}/feature-flags`,\n        deserializeFeatureFlag,\n        paginationOptions,\n      ),\n      (params) =>\n        fetchAndDeserialize<FeatureFlagResponse, FeatureFlag>(\n          this.workos,\n          `/user_management/users/${userId}/feature-flags`,\n          deserializeFeatureFlag,\n          params,\n        ),\n      paginationOptions,\n    );\n  }\n\n  async listSessions(\n    userId: string,\n    options?: ListSessionsOptions,\n  ): Promise<AutoPaginatable<Session, SerializedListSessionsOptions>> {\n    return new AutoPaginatable(\n      await fetchAndDeserialize<SessionResponse, Session>(\n        this.workos,\n        `/user_management/users/${userId}/sessions`,\n        deserializeSession,\n        options ? serializeListSessionsOptions(options) : undefined,\n      ),\n      (params) =>\n        fetchAndDeserialize<SessionResponse, Session>(\n          this.workos,\n          `/user_management/users/${userId}/sessions`,\n          deserializeSession,\n          params,\n        ),\n      options ? serializeListSessionsOptions(options) : undefined,\n    );\n  }\n\n  async deleteUser(userId: string) {\n    await this.workos.delete(`/user_management/users/${userId}`);\n  }\n\n  async getUserIdentities(userId: string): Promise<Identity[]> {\n    if (!userId) {\n      throw new TypeError(`Incomplete arguments. Need to specify 'userId'.`);\n    }\n\n    const { data } = await this.workos.get<IdentityResponse[]>(\n      `/user_management/users/${userId}/identities`,\n    );\n\n    return deserializeIdentities(data);\n  }\n\n  async getOrganizationMembership(\n    organizationMembershipId: string,\n  ): Promise<OrganizationMembership> {\n    const { data } = await this.workos.get<OrganizationMembershipResponse>(\n      `/user_management/organization_memberships/${organizationMembershipId}`,\n    );\n\n    return deserializeOrganizationMembership(data);\n  }\n\n  async listOrganizationMemberships(\n    options: ListOrganizationMembershipsOptions,\n  ): Promise<\n    AutoPaginatable<\n      OrganizationMembership,\n      SerializedListOrganizationMembershipsOptions\n    >\n  > {\n    const serializedOptions =\n      serializeListOrganizationMembershipsOptions(options);\n\n    return new AutoPaginatable(\n      await fetchAndDeserialize<\n        OrganizationMembershipResponse,\n        OrganizationMembership\n      >(\n        this.workos,\n        '/user_management/organization_memberships',\n        deserializeOrganizationMembership,\n        serializedOptions,\n      ),\n      (params) =>\n        fetchAndDeserialize<\n          OrganizationMembershipResponse,\n          OrganizationMembership\n        >(\n          this.workos,\n          '/user_management/organization_memberships',\n          deserializeOrganizationMembership,\n          params,\n        ),\n      serializedOptions,\n    );\n  }\n\n  async createOrganizationMembership(\n    options: CreateOrganizationMembershipOptions,\n  ): Promise<OrganizationMembership> {\n    const { data } = await this.workos.post<\n      OrganizationMembershipResponse,\n      SerializedCreateOrganizationMembershipOptions\n    >(\n      '/user_management/organization_memberships',\n      serializeCreateOrganizationMembershipOptions(options),\n    );\n\n    return deserializeOrganizationMembership(data);\n  }\n\n  async updateOrganizationMembership(\n    organizationMembershipId: string,\n    options: UpdateOrganizationMembershipOptions,\n  ): Promise<OrganizationMembership> {\n    const { data } = await this.workos.put<\n      OrganizationMembershipResponse,\n      SerializedUpdateOrganizationMembershipOptions\n    >(\n      `/user_management/organization_memberships/${organizationMembershipId}`,\n      serializeUpdateOrganizationMembershipOptions(options),\n    );\n\n    return deserializeOrganizationMembership(data);\n  }\n\n  async deleteOrganizationMembership(\n    organizationMembershipId: string,\n  ): Promise<void> {\n    await this.workos.delete(\n      `/user_management/organization_memberships/${organizationMembershipId}`,\n    );\n  }\n\n  async deactivateOrganizationMembership(\n    organizationMembershipId: string,\n  ): Promise<OrganizationMembership> {\n    const { data } = await this.workos.put<OrganizationMembershipResponse>(\n      `/user_management/organization_memberships/${organizationMembershipId}/deactivate`,\n      {},\n    );\n\n    return deserializeOrganizationMembership(data);\n  }\n\n  async reactivateOrganizationMembership(\n    organizationMembershipId: string,\n  ): Promise<OrganizationMembership> {\n    const { data } = await this.workos.put<OrganizationMembershipResponse>(\n      `/user_management/organization_memberships/${organizationMembershipId}/reactivate`,\n      {},\n    );\n\n    return deserializeOrganizationMembership(data);\n  }\n\n  async getInvitation(invitationId: string): Promise<Invitation> {\n    const { data } = await this.workos.get<InvitationResponse>(\n      `/user_management/invitations/${invitationId}`,\n    );\n\n    return deserializeInvitation(data);\n  }\n\n  async findInvitationByToken(invitationToken: string): Promise<Invitation> {\n    const { data } = await this.workos.get<InvitationResponse>(\n      `/user_management/invitations/by_token/${invitationToken}`,\n    );\n\n    return deserializeInvitation(data);\n  }\n\n  async listInvitations(\n    options: ListInvitationsOptions,\n  ): Promise<AutoPaginatable<Invitation, SerializedListInvitationsOptions>> {\n    return new AutoPaginatable(\n      await fetchAndDeserialize<InvitationResponse, Invitation>(\n        this.workos,\n        '/user_management/invitations',\n        deserializeInvitation,\n        options ? serializeListInvitationsOptions(options) : undefined,\n      ),\n      (params) =>\n        fetchAndDeserialize<InvitationResponse, Invitation>(\n          this.workos,\n          '/user_management/invitations',\n          deserializeInvitation,\n          params,\n        ),\n      options ? serializeListInvitationsOptions(options) : undefined,\n    );\n  }\n\n  async sendInvitation(payload: SendInvitationOptions): Promise<Invitation> {\n    const { data } = await this.workos.post<\n      InvitationResponse,\n      SerializedSendInvitationOptions\n    >(\n      '/user_management/invitations',\n      serializeSendInvitationOptions({\n        ...payload,\n      }),\n    );\n\n    return deserializeInvitation(data);\n  }\n\n  async acceptInvitation(invitationId: string): Promise<Invitation> {\n    const { data } = await this.workos.post<InvitationResponse, any>(\n      `/user_management/invitations/${invitationId}/accept`,\n      null,\n    );\n\n    return deserializeInvitation(data);\n  }\n\n  async revokeInvitation(invitationId: string): Promise<Invitation> {\n    const { data } = await this.workos.post<InvitationResponse, any>(\n      `/user_management/invitations/${invitationId}/revoke`,\n      null,\n    );\n\n    return deserializeInvitation(data);\n  }\n\n  async resendInvitation(\n    invitationId: string,\n    options?: ResendInvitationOptions,\n  ): Promise<Invitation> {\n    const { data } = await this.workos.post<\n      InvitationResponse,\n      SerializedResendInvitationOptions\n    >(\n      `/user_management/invitations/${invitationId}/resend`,\n      options ? serializeResendInvitationOptions(options) : {},\n    );\n\n    return deserializeInvitation(data);\n  }\n\n  async revokeSession(payload: RevokeSessionOptions): Promise<void> {\n    await this.workos.post<void, SerializedRevokeSessionOptions>(\n      '/user_management/sessions/revoke',\n      serializeRevokeSessionOptions(payload),\n    );\n  }\n\n  /**\n   * Generate an OAuth 2.0 authorization URL.\n   *\n   * For public clients (browser, mobile, CLI), include PKCE parameters:\n   * - Generate PKCE using workos.pkce.generate()\n   * - Pass codeChallenge and codeChallengeMethod here\n   * - Store codeVerifier and pass to authenticateWithCode() later\n   *\n   * Or use getAuthorizationUrlWithPKCE() which handles PKCE automatically.\n   */\n  getAuthorizationUrl(options: UserManagementAuthorizationURLOptions): string {\n    const {\n      connectionId,\n      codeChallenge,\n      codeChallengeMethod,\n      clientId,\n      domainHint,\n      loginHint,\n      organizationId,\n      provider,\n      providerQueryParams,\n      providerScopes,\n      prompt,\n      redirectUri,\n      state,\n      screenHint,\n    } = options;\n    const resolvedClientId = this.resolveClientId(clientId);\n\n    if (!provider && !connectionId && !organizationId) {\n      throw new TypeError(\n        `Incomplete arguments. Need to specify either a 'connectionId', 'organizationId', or 'provider'.`,\n      );\n    }\n\n    if (provider !== 'authkit' && screenHint) {\n      throw new TypeError(\n        `'screenHint' is only supported for 'authkit' provider`,\n      );\n    }\n\n    const query = toQueryString({\n      connection_id: connectionId,\n      code_challenge: codeChallenge,\n      code_challenge_method: codeChallengeMethod,\n      organization_id: organizationId,\n      domain_hint: domainHint,\n      login_hint: loginHint,\n      provider,\n      provider_query_params: providerQueryParams,\n      provider_scopes: providerScopes,\n      prompt,\n      client_id: resolvedClientId,\n      redirect_uri: redirectUri,\n      response_type: 'code',\n      state,\n      screen_hint: screenHint,\n    });\n\n    return `${this.workos.baseURL}/user_management/authorize?${query}`;\n  }\n\n  /**\n   * Generate an OAuth 2.0 authorization URL with automatic PKCE.\n   *\n   * This method generates PKCE parameters internally and returns them along with\n   * the authorization URL. Use this for public clients (CLI apps, Electron, mobile)\n   * that cannot securely store a client secret.\n   *\n   * @returns Object containing url, state, and codeVerifier\n   *\n   * @example\n   * ```typescript\n   * const { url, state, codeVerifier } = await workos.userManagement.getAuthorizationUrlWithPKCE({\n   *   provider: 'authkit',\n   *   clientId: 'client_123',\n   *   redirectUri: 'myapp://callback',\n   * });\n   *\n   * // Store state and codeVerifier securely, then redirect user to url\n   * // After callback, exchange the code:\n   * const response = await workos.userManagement.authenticateWithCode({\n   *   code: authorizationCode,\n   *   codeVerifier,\n   *   clientId: 'client_123',\n   * });\n   * ```\n   */\n  async getAuthorizationUrlWithPKCE(\n    options: Omit<\n      UserManagementAuthorizationURLOptions,\n      'codeChallenge' | 'codeChallengeMethod' | 'state'\n    >,\n  ): Promise<PKCEAuthorizationURLResult> {\n    const {\n      clientId,\n      connectionId,\n      domainHint,\n      loginHint,\n      organizationId,\n      provider,\n      providerQueryParams,\n      providerScopes,\n      prompt,\n      redirectUri,\n      screenHint,\n    } = options;\n    const resolvedClientId = this.resolveClientId(clientId);\n\n    if (!provider && !connectionId && !organizationId) {\n      throw new TypeError(\n        `Incomplete arguments. Need to specify either a 'connectionId', 'organizationId', or 'provider'.`,\n      );\n    }\n\n    if (provider !== 'authkit' && screenHint) {\n      throw new TypeError(\n        `'screenHint' is only supported for 'authkit' provider`,\n      );\n    }\n\n    // Generate PKCE parameters\n    const pkce = await this.workos.pkce.generate();\n\n    // Generate secure random state\n    const state = this.workos.pkce.generateCodeVerifier(43);\n\n    const query = toQueryString({\n      connection_id: connectionId,\n      code_challenge: pkce.codeChallenge,\n      code_challenge_method: 'S256',\n      organization_id: organizationId,\n      domain_hint: domainHint,\n      login_hint: loginHint,\n      provider,\n      provider_query_params: providerQueryParams,\n      provider_scopes: providerScopes,\n      prompt,\n      client_id: resolvedClientId,\n      redirect_uri: redirectUri,\n      response_type: 'code',\n      state,\n      screen_hint: screenHint,\n    });\n\n    const url = `${this.workos.baseURL}/user_management/authorize?${query}`;\n\n    return { url, state, codeVerifier: pkce.codeVerifier };\n  }\n\n  getLogoutUrl(options: LogoutURLOptions): string {\n    const { sessionId, returnTo } = options;\n\n    if (!sessionId) {\n      throw new TypeError(`Incomplete arguments. Need to specify 'sessionId'.`);\n    }\n\n    const url = new URL(\n      '/user_management/sessions/logout',\n      this.workos.baseURL,\n    );\n\n    url.searchParams.set('session_id', sessionId);\n    if (returnTo) {\n      url.searchParams.set('return_to', returnTo);\n    }\n\n    return url.toString();\n  }\n\n  getJwksUrl(clientId: string): string {\n    if (!clientId) {\n      throw new TypeError('clientId must be a valid clientId');\n    }\n\n    return `${this.workos.baseURL}/sso/jwks/${clientId}`;\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAsKA,IAAa,iBAAb,MAA4B;CAC1B,AAAQ;CAGR,AAAO;CAEP,YAAY,AAAiBA,QAAgB;EAAhB;EAC3B,MAAM,EAAE,aAAa,OAAO;AAE5B,OAAK,WAAW;;;;;;CAOlB,AAAQ,gBAAgB,UAA2B;EACjD,MAAM,WAAW,YAAY,KAAK;AAClC,MAAI,CAAC,SACH,OAAM,IAAI,UACR,kFACD;AAEH,SAAO;;CAGT,MAAM,UAEJ;EACA,MAAM,EAAE,uBAAuB,MAAMC,sBAAS;AAC9C,MAAI,CAAC,KAAK,SACR;AAIF,OAAK,UAAU,mBAAmB,IAAI,IAAI,KAAK,WAAW,KAAK,SAAS,CAAC,EAAE,EACzE,kBAAkB,MAAO,KAAK,GAC/B,CAAC;AAEF,SAAO,KAAK;;;;;;;;;;CAWd,kBAAkB,SAGA;AAChB,SAAO,IAAIC,8BAAc,MAAM,QAAQ,aAAa,QAAQ,eAAe;;CAG7E,MAAM,QAAQ,QAA+B;EAC3C,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,0BAA0B,SAC3B;AAED,SAAOC,wCAAgB,KAAK;;CAG9B,MAAM,oBAAoB,YAAmC;EAC3D,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,sCAAsC,aACvC;AAED,SAAOA,wCAAgB,KAAK;;CAG9B,MAAM,UACJ,SAC4D;AAC5D,SAAO,IAAIC,mCACT,MAAMC,kDACJ,KAAK,QACL,0BACAF,yCACA,UAAUG,gEAA0B,QAAQ,GAAG,OAChD,GACA,WACCD,kDACE,KAAK,QACL,0BACAF,yCACA,OACD,EACH,UAAUG,gEAA0B,QAAQ,GAAG,OAChD;;CAGH,MAAM,WAAW,SAA2C;EAC1D,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAGjC,0BAA0BC,kEAA2B,QAAQ,CAAC;AAEhE,SAAOJ,wCAAgB,KAAK;;CAG9B,MAAM,0BACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,GAAG,qBAAqB;EACnD,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;EAEvD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACAK,kGAA0C;GACxC,GAAG;GACH,UAAU;GACV,cAAc,KAAK,OAAO;GAC3B,CAAC,CACH;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwBC,6EAAkC,KAAK;GAC/D;GACD,CAAC;;CAGJ,MAAM,yBACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,GAAG,qBAAqB;EACnD,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;EAEvD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACAC,+FAAyC;GACvC,GAAG;GACH,UAAU;GACV,cAAc,KAAK,OAAO;GAC3B,CAAC,CACH;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwBD,6EAAkC,KAAK;GAC/D;GACD,CAAC;;;;;;;;;;;;;;;CAgBJ,MAAM,qBACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,cAAc,GAAG,qBAAqB;EACjE,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;AAGvD,MAAI,iBAAiB,UAAa,aAAa,MAAM,KAAK,GACxD,OAAM,IAAI,UACR,mGAED;EAGH,MAAM,YAAY,CAAC,CAAC,KAAK,OAAO;AAGhC,MAAI,CAFY,CAAC,CAAC,gBAEF,CAAC,UACf,OAAM,IAAI,UACR,uJAED;EAGH,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACAE,uFAAqC;GACnC,GAAG;GACH,UAAU;GACV;GACA,cAAc,YAAY,KAAK,OAAO,MAAM;GAC7C,CAAC,EACF,EAAE,iBAAiB,CAAC,WAAW,CAChC;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwBF,6EAAkC,KAAK;GAC/D;GACD,CAAC;;;;;;;;;;;CAYJ,MAAM,gCACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,GAAG,qBAAqB;EACnD,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;EAEvD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACAG,+GAAgD;GAC9C,GAAG;GACH,UAAU;GACX,CAAC,EACF,EAAE,iBAAiB,MAAM,CAC1B;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwBH,6EAAkC,KAAK;GAC/D;GACD,CAAC;;;;;;;CAQJ,MAAM,6BACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,GAAG,qBAAqB;EACnD,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;EACvD,MAAM,iBAAiB,CAAC,KAAK,OAAO;EAEpC,MAAM,OAAO,iBACTI,kIAAyD;GACvD,GAAG;GACH,UAAU;GACX,CAAC,GACFC,wGAA6C;GAC3C,GAAG;GACH,UAAU;GACV,cAAc,KAAK,OAAO;GAC3B,CAAC;EAEN,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCAAiC,MAAM,EACvC,iBAAiB,gBAClB,CAAC;AAEF,SAAO,KAAK,8BAA8B;GACxC,wBAAwBL,6EAAkC,KAAK;GAC/D;GACD,CAAC;;CAGJ,MAAM,qBACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,GAAG,qBAAqB;EACnD,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;EAEvD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACAM,uFAAqC;GACnC,GAAG;GACH,UAAU;GACV,cAAc,KAAK,OAAO;GAC3B,CAAC,CACH;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwBN,6EAAkC,KAAK;GAC/D;GACD,CAAC;;CAGJ,MAAM,kCACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,GAAG,qBAAqB;EACnD,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;EAEvD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACAO,0GAAkD;GAChD,GAAG;GACH,UAAU;GACV,cAAc,KAAK,OAAO;GAC3B,CAAC,CACH;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwBP,6EAAkC,KAAK;GAC/D;GACD,CAAC;;CAGJ,MAAM,sCACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,GAAG,qBAAqB;EACnD,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;EAEvD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACAQ,0HAAsD;GACpD,GAAG;GACH,UAAU;GACV,cAAc,KAAK,OAAO;GAC3B,CAAC,CACH;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwBR,6EAAkC,KAAK;GAC/D;GACD,CAAC;;CAGJ,MAAM,8BAA8B,EAClC,aACA,iBAAiBS,mBAAO,yBAAyB,IAIjD;AACA,MAAI,CAAC,eACH,OAAM,IAAI,MAAM,8BAA8B;AAKhD,MAAI,CAFS,MAAM,KAAK,SAAS,CAG/B,OAAM,IAAI,MAAM,2CAA2C;EAG7D,MAAM,EAAE,cAAc,MAAMjB,sBAAS;AAErC,MAAI,CAAC,YACH,QAAO;GACL,eAAe;GACf,QACEkB,8FAA2C;GAC9C;EAGH,MAAM,UAAU,MAAMC,wBAA8B,aAAa,EAC/D,UAAU,gBACX,CAAC;AAEF,MAAI,CAAC,QAAQ,YACX,QAAO;GACL,eAAe;GACf,QACED,8FAA2C;GAC9C;AAGH,MAAI,CAAE,MAAM,KAAK,WAAW,QAAQ,YAAY,CAC9C,QAAO;GACL,eAAe;GACf,QAAQA,8FAA2C;GACpD;EAGH,MAAM,EACJ,KAAK,WACL,QAAQ,gBACR,MACA,OACA,aACA,cACA,eAAe,iBACb,UAAuB,QAAQ,YAAY;AAE/C,SAAO;GACL,eAAe;GACf;GACA;GACA;GACA;GACA,MAAM,QAAQ;GACd;GACA;GACA;GACA,aAAa,QAAQ;GACrB,sBAAsB,QAAQ;GAC/B;;CAGH,MAAc,WAAW,aAAuC;EAC9D,MAAM,OAAO,MAAM,KAAK,SAAS;EACjC,MAAM,EAAE,cAAc,MAAMlB,sBAAS;AACrC,MAAI,CAAC,KACH,OAAM,IAAI,MAAM,2CAA2C;AAG7D,MAAI;AACF,SAAM,UAAU,aAAa,KAAK;AAClC,UAAO;WACA,GAAG;AAGV,OACE,aAAa,SACb,UAAU,KACV,OAAO,EAAE,SAAS,aACjB,EAAE,KAAK,WAAW,WAAW,IAAI,EAAE,KAAK,WAAW,WAAW,EAE/D,QAAO;AAET,SAAM;;;CAIV,MAAc,8BAA8B,EAC1C,wBACA,WAIkC;AAClC,MAAI,SAAS,aAAa;AACxB,OAAI,CAAC,KAAK,OAAO,IACf,OAAM,IAAI,MACR,iKAGD;AAGH,UAAO;IACL,GAAG;IACH,eAAe,MAAM,KAAK,0CAA0C;KAClE;KACA,gBAAgB,QAAQ;KACzB,CAAC;IACH;;AAGH,SAAO;;CAGT,MAAc,0CAA0C,EACtD,wBACA,kBAIkB;AAClB,MAAI,CAAC,eACH,OAAM,IAAI,MAAM,8BAA8B;EAGhD,MAAM,EAAE,cAAc,MAAMA,sBAAS;EAErC,MAAM,EAAE,QAAQ,kCAAkC,UAChD,uBAAuB,YACxB;AAWD,SAAOoB,sBATgC;GACrC,gBAAgB;GAChB,MAAM,uBAAuB;GAC7B,aAAa,uBAAuB;GACpC,cAAc,uBAAuB;GACrC,sBAAsB,uBAAuB;GAC7C,cAAc,uBAAuB;GACtC,EAE4B,EAC3B,UAAU,gBACX,CAAC;;CAGJ,MAAM,qBAAqB,EACzB,aACA,iBAAiBH,mBAAO,yBAAyB,IACe;AAChE,MAAI,CAAC,eACH,OAAM,IAAI,MAAM,8BAA8B;AAGhD,MAAI,YACF,QAAOE,wBAA8B,aAAa,EAChD,UAAU,gBACX,CAAC;;CAMN,MAAM,qBACJ,qBAC4B;EAC5B,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,uCAAuC,sBACxC;AAED,SAAOE,mEAA6B,KAAK;;CAG3C,MAAM,sBAAsB,EAC1B,UACwD;EACxD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KACjC,0BAA0B,OAAO,2BACjC,EAAE,CACH;AAED,SAAO,EAAE,MAAMnB,wCAAgB,KAAK,KAAK,EAAE;;CAG7C,MAAM,aAAa,aAAyC;EAC1D,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,+BAA+B,cAChC;AAED,SAAOoB,mDAAqB,KAAK;;CAGnC,MAAM,gBAAgB,SAAqD;EACzE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,+BACAC,6EAAgC,EAC9B,GAAG,SACJ,CAAC,CACH;AAED,SAAOD,mDAAqB,KAAK;;CAGnC,MAAM,YAAY,EAChB,MACA,UAC8C;EAC9C,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAGjC,0BAA0B,OAAO,8BAA8B,EAC/D,MACD,CAAC;AAEF,SAAO,EAAE,MAAMpB,wCAAgB,KAAK,KAAK,EAAE;;CAG7C,MAAM,iBAAiB,iBAAiD;EACtE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,mCAAmC,kBACpC;AAED,SAAOsB,2DAAyB,KAAK;;CAGvC,MAAM,oBACJ,SACwB;EACxB,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,mCACAC,qFAAoC,EAClC,GAAG,SACJ,CAAC,CACH;AAED,SAAOD,2DAAyB,KAAK;;CAGvC,MAAM,cAAc,SAAwD;EAC1E,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,2CACAE,wEAA8B,QAAQ,CACvC;AAED,SAAO,EAAE,MAAMxB,wCAAgB,KAAK,KAAK,EAAE;;CAG7C,MAAM,WAAW,SAA2C;EAC1D,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,0BAA0B,QAAQ,UAClCyB,kEAA2B,QAAQ,CACpC;AAED,SAAOzB,wCAAgB,KAAK;;CAG9B,MAAM,iBAAiB,SAGpB;EACD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,0BAA0B,QAAQ,OAAO,gBACzC0B,+EAAiC,QAAQ,CAC1C;AAED,SAAO;GACL,sBAAsBC,uDACpB,KAAK,sBACN;GACD,yBAAyBC,kDACvB,KAAK,yBACN;GACF;;CAGH,MAAM,gBACJ,SACqD;EACrD,MAAM,EAAE,QAAQ,GAAG,kBAAkB;AACrC,SAAO,IAAI3B,mCACT,MAAMC,kDACJ,KAAK,QACL,0BAA0B,OAAO,gBACjC2B,6CACA,cACD,GACA,WACC3B,kDACE,KAAK,QACL,0BAA0B,OAAO,gBACjC2B,6CACA,OACD,EACH,cACD;;CAGH,MAAM,qBACJ,SACuC;EACvC,MAAM,EAAE,QAAQ,GAAG,sBAAsB;AAEzC,SAAO,IAAI5B,mCACT,MAAMC,kDACJ,KAAK,QACL,0BAA0B,OAAO,iBACjC4B,wDACA,kBACD,GACA,WACC5B,kDACE,KAAK,QACL,0BAA0B,OAAO,iBACjC4B,wDACA,OACD,EACH,kBACD;;CAGH,MAAM,aACJ,QACA,SACkE;AAClE,SAAO,IAAI7B,mCACT,MAAMC,kDACJ,KAAK,QACL,0BAA0B,OAAO,YACjC6B,+CACA,UAAUC,sEAA6B,QAAQ,GAAG,OACnD,GACA,WACC9B,kDACE,KAAK,QACL,0BAA0B,OAAO,YACjC6B,+CACA,OACD,EACH,UAAUC,sEAA6B,QAAQ,GAAG,OACnD;;CAGH,MAAM,WAAW,QAAgB;AAC/B,QAAM,KAAK,OAAO,OAAO,0BAA0B,SAAS;;CAG9D,MAAM,kBAAkB,QAAqC;AAC3D,MAAI,CAAC,OACH,OAAM,IAAI,UAAU,kDAAkD;EAGxE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,0BAA0B,OAAO,aAClC;AAED,SAAOC,kDAAsB,KAAK;;CAGpC,MAAM,0BACJ,0BACiC;EACjC,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,6CAA6C,2BAC9C;AAED,SAAOC,6EAAkC,KAAK;;CAGhD,MAAM,4BACJ,SAMA;EACA,MAAM,oBACJC,qGAA4C,QAAQ;AAEtD,SAAO,IAAIlC,mCACT,MAAMC,kDAIJ,KAAK,QACL,6CACAgC,8EACA,kBACD,GACA,WACChC,kDAIE,KAAK,QACL,6CACAgC,8EACA,OACD,EACH,kBACD;;CAGH,MAAM,6BACJ,SACiC;EACjC,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,6CACAE,uGAA6C,QAAQ,CACtD;AAED,SAAOF,6EAAkC,KAAK;;CAGhD,MAAM,6BACJ,0BACA,SACiC;EACjC,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IAIjC,6CAA6C,4BAC7CG,uGAA6C,QAAQ,CACtD;AAED,SAAOH,6EAAkC,KAAK;;CAGhD,MAAM,6BACJ,0BACe;AACf,QAAM,KAAK,OAAO,OAChB,6CAA6C,2BAC9C;;CAGH,MAAM,iCACJ,0BACiC;EACjC,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,6CAA6C,yBAAyB,cACtE,EAAE,CACH;AAED,SAAOA,6EAAkC,KAAK;;CAGhD,MAAM,iCACJ,0BACiC;EACjC,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,6CAA6C,yBAAyB,cACtE,EAAE,CACH;AAED,SAAOA,6EAAkC,KAAK;;CAGhD,MAAM,cAAc,cAA2C;EAC7D,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,gCAAgC,eACjC;AAED,SAAOI,oDAAsB,KAAK;;CAGpC,MAAM,sBAAsB,iBAA8C;EACxE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,yCAAyC,kBAC1C;AAED,SAAOA,oDAAsB,KAAK;;CAGpC,MAAM,gBACJ,SACwE;AACxE,SAAO,IAAIrC,mCACT,MAAMC,kDACJ,KAAK,QACL,gCACAoC,qDACA,UAAUC,4EAAgC,QAAQ,GAAG,OACtD,GACA,WACCrC,kDACE,KAAK,QACL,gCACAoC,qDACA,OACD,EACH,UAAUC,4EAAgC,QAAQ,GAAG,OACtD;;CAGH,MAAM,eAAe,SAAqD;EACxE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,gCACAC,0EAA+B,EAC7B,GAAG,SACJ,CAAC,CACH;AAED,SAAOF,oDAAsB,KAAK;;CAGpC,MAAM,iBAAiB,cAA2C;EAChE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KACjC,gCAAgC,aAAa,UAC7C,KACD;AAED,SAAOA,oDAAsB,KAAK;;CAGpC,MAAM,iBAAiB,cAA2C;EAChE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KACjC,gCAAgC,aAAa,UAC7C,KACD;AAED,SAAOA,oDAAsB,KAAK;;CAGpC,MAAM,iBACJ,cACA,SACqB;EACrB,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,gCAAgC,aAAa,UAC7C,UAAUG,8EAAiC,QAAQ,GAAG,EAAE,CACzD;AAED,SAAOH,oDAAsB,KAAK;;CAGpC,MAAM,cAAc,SAA8C;AAChE,QAAM,KAAK,OAAO,KAChB,oCACAI,uEAA8B,QAAQ,CACvC;;;;;;;;;;;;CAaH,oBAAoB,SAAwD;EAC1E,MAAM,EACJ,cACA,eACA,qBACA,UACA,YACA,WACA,gBACA,UACA,qBACA,gBACA,QACA,aACA,OACA,eACE;EACJ,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;AAEvD,MAAI,CAAC,YAAY,CAAC,gBAAgB,CAAC,eACjC,OAAM,IAAI,UACR,kGACD;AAGH,MAAI,aAAa,aAAa,WAC5B,OAAM,IAAI,UACR,wDACD;EAGH,MAAM,QAAQC,mCAAc;GAC1B,eAAe;GACf,gBAAgB;GAChB,uBAAuB;GACvB,iBAAiB;GACjB,aAAa;GACb,YAAY;GACZ;GACA,uBAAuB;GACvB,iBAAiB;GACjB;GACA,WAAW;GACX,cAAc;GACd,eAAe;GACf;GACA,aAAa;GACd,CAAC;AAEF,SAAO,GAAG,KAAK,OAAO,QAAQ,6BAA6B;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA6B7D,MAAM,4BACJ,SAIqC;EACrC,MAAM,EACJ,UACA,cACA,YACA,WACA,gBACA,UACA,qBACA,gBACA,QACA,aACA,eACE;EACJ,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;AAEvD,MAAI,CAAC,YAAY,CAAC,gBAAgB,CAAC,eACjC,OAAM,IAAI,UACR,kGACD;AAGH,MAAI,aAAa,aAAa,WAC5B,OAAM,IAAI,UACR,wDACD;EAIH,MAAM,OAAO,MAAM,KAAK,OAAO,KAAK,UAAU;EAG9C,MAAM,QAAQ,KAAK,OAAO,KAAK,qBAAqB,GAAG;EAEvD,MAAM,QAAQA,mCAAc;GAC1B,eAAe;GACf,gBAAgB,KAAK;GACrB,uBAAuB;GACvB,iBAAiB;GACjB,aAAa;GACb,YAAY;GACZ;GACA,uBAAuB;GACvB,iBAAiB;GACjB;GACA,WAAW;GACX,cAAc;GACd,eAAe;GACf;GACA,aAAa;GACd,CAAC;AAIF,SAAO;GAAE,KAFG,GAAG,KAAK,OAAO,QAAQ,6BAA6B;GAElD;GAAO,cAAc,KAAK;GAAc;;CAGxD,aAAa,SAAmC;EAC9C,MAAM,EAAE,WAAW,aAAa;AAEhC,MAAI,CAAC,UACH,OAAM,IAAI,UAAU,qDAAqD;EAG3E,MAAM,MAAM,IAAI,IACd,oCACA,KAAK,OAAO,QACb;AAED,MAAI,aAAa,IAAI,cAAc,UAAU;AAC7C,MAAI,SACF,KAAI,aAAa,IAAI,aAAa,SAAS;AAG7C,SAAO,IAAI,UAAU;;CAGvB,WAAW,UAA0B;AACnC,MAAI,CAAC,SACH,OAAM,IAAI,UAAU,oCAAoC;AAG1D,SAAO,GAAG,KAAK,OAAO,QAAQ,YAAY"}
+{"version":3,"file":"user-management-CJj1rMco.cjs","names":["workos: WorkOS","getJose","CookieSession","deserializeUser","AutoPaginatable","fetchAndDeserialize","serializeListUsersOptions","serializeCreateUserOptions","serializeAuthenticateWithMagicAuthOptions","deserializeAuthenticationResponse","serializeAuthenticateWithPasswordOptions","serializeAuthenticateWithCodeOptions","serializeAuthenticateWithCodeAndVerifierOptions","serializeAuthenticateWithRefreshTokenPublicClientOptions","serializeAuthenticateWithRefreshTokenOptions","serializeAuthenticateWithTotpOptions","serializeAuthenticateWithEmailVerificationOptions","serializeAuthenticateWithOrganizationSelectionOptions","getEnv","AuthenticateWithSessionCookieFailureReason","unsealData","sealData","deserializeEmailVerification","deserializeMagicAuth","serializeCreateMagicAuthOptions","deserializePasswordReset","serializeCreatePasswordResetOptions","serializeResetPasswordOptions","serializeUpdateUserOptions","serializeEnrollAuthFactorOptions","deserializeFactorWithSecrets","deserializeChallenge","deserializeFactor","deserializeFeatureFlag","deserializeSession","serializeListSessionsOptions","deserializeIdentities","deserializeOrganizationMembership","serializeListOrganizationMembershipsOptions","serializeCreateOrganizationMembershipOptions","serializeUpdateOrganizationMembershipOptions","deserializeInvitation","serializeListInvitationsOptions","serializeSendInvitationOptions","serializeResendInvitationOptions","serializeRevokeSessionOptions","toQueryString"],"sources":["../src/user-management/user-management.ts"],"sourcesContent":["import { sealData, unsealData } from '../common/crypto/seal';\nimport { PaginationOptions } from '../common/interfaces/pagination-options.interface';\nimport { fetchAndDeserialize } from '../common/utils/fetch-and-deserialize';\nimport { AutoPaginatable } from '../common/utils/pagination';\nimport { getEnv } from '../common/utils/env';\nimport { toQueryString } from '../common/utils/query-string';\nimport { Challenge, ChallengeResponse } from '../mfa/interfaces';\nimport { deserializeChallenge } from '../mfa/serializers';\nimport {\n  FeatureFlag,\n  FeatureFlagResponse,\n} from '../feature-flags/interfaces/feature-flag.interface';\nimport { deserializeFeatureFlag } from '../feature-flags/serializers';\nimport { WorkOS } from '../workos';\nimport {\n  AuthenticateWithCodeAndVerifierOptions,\n  AuthenticateWithCodeOptions,\n  AuthenticateWithMagicAuthOptions,\n  AuthenticateWithPasswordOptions,\n  AuthenticateWithRefreshTokenOptions,\n  AuthenticateWithSessionOptions,\n  AuthenticateWithTotpOptions,\n  AuthenticationResponse,\n  AuthenticationResponseResponse,\n  CreateMagicAuthOptions,\n  CreatePasswordResetOptions,\n  CreateUserOptions,\n  EmailVerification,\n  EmailVerificationResponse,\n  EnrollAuthFactorOptions,\n  ListAuthFactorsOptions,\n  ListSessionsOptions,\n  ListUsersOptions,\n  ListUserFeatureFlagsOptions,\n  LogoutURLOptions,\n  MagicAuth,\n  MagicAuthResponse,\n  PasswordReset,\n  PasswordResetResponse,\n  ResetPasswordOptions,\n  SendVerificationEmailOptions,\n  SerializedAuthenticateWithCodeAndVerifierOptions,\n  SerializedAuthenticateWithCodeOptions,\n  SerializedAuthenticateWithMagicAuthOptions,\n  SerializedAuthenticateWithPasswordOptions,\n  SerializedAuthenticateWithRefreshTokenOptions,\n  SerializedAuthenticateWithRefreshTokenPublicClientOptions,\n  SerializedAuthenticateWithTotpOptions,\n  SerializedCreateMagicAuthOptions,\n  SerializedCreatePasswordResetOptions,\n  SerializedCreateUserOptions,\n  SerializedListSessionsOptions,\n  SerializedListUsersOptions,\n  SerializedResetPasswordOptions,\n  SerializedVerifyEmailOptions,\n  Session,\n  SessionResponse,\n  UpdateUserOptions,\n  User,\n  UserResponse,\n  VerifyEmailOptions,\n} from './interfaces';\nimport {\n  AuthenticateWithEmailVerificationOptions,\n  SerializedAuthenticateWithEmailVerificationOptions,\n} from './interfaces/authenticate-with-email-verification-options.interface';\nimport {\n  AuthenticateWithOrganizationSelectionOptions,\n  SerializedAuthenticateWithOrganizationSelectionOptions,\n} from './interfaces/authenticate-with-organization-selection.interface';\nimport {\n  AccessToken,\n  AuthenticateWithSessionCookieFailedResponse,\n  AuthenticateWithSessionCookieFailureReason,\n  AuthenticateWithSessionCookieOptions,\n  AuthenticateWithSessionCookieSuccessResponse,\n  SessionCookieData,\n} from './interfaces/authenticate-with-session-cookie.interface';\nimport {\n  PKCEAuthorizationURLResult,\n  UserManagementAuthorizationURLOptions,\n} from './interfaces/authorization-url-options.interface';\nimport {\n  CreateOrganizationMembershipOptions,\n  SerializedCreateOrganizationMembershipOptions,\n} from './interfaces/create-organization-membership-options.interface';\nimport {\n  Factor,\n  FactorResponse,\n  FactorWithSecrets,\n  FactorWithSecretsResponse,\n} from './interfaces/factor.interface';\nimport { Identity, IdentityResponse } from './interfaces/identity.interface';\nimport {\n  Invitation,\n  InvitationResponse,\n} from './interfaces/invitation.interface';\nimport {\n  ListInvitationsOptions,\n  SerializedListInvitationsOptions,\n} from './interfaces/list-invitations-options.interface';\nimport {\n  ListOrganizationMembershipsOptions,\n  SerializedListOrganizationMembershipsOptions,\n} from './interfaces/list-organization-memberships-options.interface';\nimport {\n  OrganizationMembership,\n  OrganizationMembershipResponse,\n} from './interfaces/organization-membership.interface';\nimport {\n  RevokeSessionOptions,\n  SerializedRevokeSessionOptions,\n  serializeRevokeSessionOptions,\n} from './interfaces/revoke-session-options.interface';\nimport {\n  ResendInvitationOptions,\n  SerializedResendInvitationOptions,\n} from './interfaces/resend-invitation-options.interface';\nimport {\n  SendInvitationOptions,\n  SerializedSendInvitationOptions,\n} from './interfaces/send-invitation-options.interface';\nimport { SessionHandlerOptions } from './interfaces/session-handler-options.interface';\nimport {\n  SerializedUpdateOrganizationMembershipOptions,\n  UpdateOrganizationMembershipOptions,\n} from './interfaces/update-organization-membership-options.interface';\nimport {\n  deserializeAuthenticationResponse,\n  deserializeEmailVerification,\n  deserializeFactorWithSecrets,\n  deserializeMagicAuth,\n  deserializePasswordReset,\n  deserializeSession,\n  deserializeUser,\n  serializeAuthenticateWithCodeAndVerifierOptions,\n  serializeAuthenticateWithCodeOptions,\n  serializeAuthenticateWithMagicAuthOptions,\n  serializeAuthenticateWithPasswordOptions,\n  serializeAuthenticateWithRefreshTokenOptions,\n  serializeAuthenticateWithRefreshTokenPublicClientOptions,\n  serializeAuthenticateWithTotpOptions,\n  serializeCreateMagicAuthOptions,\n  serializeCreatePasswordResetOptions,\n  serializeCreateUserOptions,\n  serializeEnrollAuthFactorOptions,\n  serializeListSessionsOptions,\n  serializeResetPasswordOptions,\n  serializeUpdateUserOptions,\n} from './serializers';\nimport { serializeAuthenticateWithEmailVerificationOptions } from './serializers/authenticate-with-email-verification.serializer';\nimport { serializeAuthenticateWithOrganizationSelectionOptions } from './serializers/authenticate-with-organization-selection-options.serializer';\nimport { serializeCreateOrganizationMembershipOptions } from './serializers/create-organization-membership-options.serializer';\nimport { deserializeFactor } from './serializers/factor.serializer';\nimport { deserializeIdentities } from './serializers/identity.serializer';\nimport { deserializeInvitation } from './serializers/invitation.serializer';\nimport { serializeListInvitationsOptions } from './serializers/list-invitations-options.serializer';\nimport { serializeListOrganizationMembershipsOptions } from './serializers/list-organization-memberships-options.serializer';\nimport { serializeListUsersOptions } from './serializers/list-users-options.serializer';\nimport { serializeResendInvitationOptions } from './serializers/resend-invitation-options.serializer';\nimport { deserializeOrganizationMembership } from './serializers/organization-membership.serializer';\nimport { serializeSendInvitationOptions } from './serializers/send-invitation-options.serializer';\nimport { serializeUpdateOrganizationMembershipOptions } from './serializers/update-organization-membership-options.serializer';\nimport { CookieSession } from './session';\nimport { getJose } from '../utils/jose';\n\nexport class UserManagement {\n  private _jwks:\n    | ReturnType<typeof import('jose').createRemoteJWKSet>\n    | undefined;\n  public clientId: string | undefined;\n\n  constructor(private readonly workos: WorkOS) {\n    const { clientId } = workos.options;\n\n    this.clientId = clientId;\n  }\n\n  /**\n   * Resolve clientId from method options or fall back to constructor-provided value.\n   * @throws TypeError if clientId is not available from either source\n   */\n  private resolveClientId(clientId?: string): string {\n    const resolved = clientId ?? this.clientId;\n    if (!resolved) {\n      throw new TypeError(\n        'clientId is required. Provide it in method options or when initializing WorkOS.',\n      );\n    }\n    return resolved;\n  }\n\n  async getJWKS(): Promise<\n    ReturnType<typeof import('jose').createRemoteJWKSet> | undefined\n  > {\n    const { createRemoteJWKSet } = await getJose();\n    if (!this.clientId) {\n      return;\n    }\n\n    // Set the JWKS URL. This is used to verify if the JWT is still valid\n    this._jwks ??= createRemoteJWKSet(new URL(this.getJwksUrl(this.clientId)), {\n      cooldownDuration: 1000 * 60 * 5,\n    });\n\n    return this._jwks;\n  }\n\n  /**\n   * Loads a sealed session using the provided session data and cookie password.\n   *\n   * @param options - The options for loading the sealed session.\n   * @param options.sessionData - The sealed session data.\n   * @param options.cookiePassword - The password used to encrypt the session data.\n   * @returns The session class.\n   */\n  loadSealedSession(options: {\n    sessionData: string;\n    cookiePassword: string;\n  }): CookieSession {\n    return new CookieSession(this, options.sessionData, options.cookiePassword);\n  }\n\n  async getUser(userId: string): Promise<User> {\n    const { data } = await this.workos.get<UserResponse>(\n      `/user_management/users/${userId}`,\n    );\n\n    return deserializeUser(data);\n  }\n\n  async getUserByExternalId(externalId: string): Promise<User> {\n    const { data } = await this.workos.get<UserResponse>(\n      `/user_management/users/external_id/${externalId}`,\n    );\n\n    return deserializeUser(data);\n  }\n\n  async listUsers(\n    options?: ListUsersOptions,\n  ): Promise<AutoPaginatable<User, SerializedListUsersOptions>> {\n    return new AutoPaginatable(\n      await fetchAndDeserialize<UserResponse, User>(\n        this.workos,\n        '/user_management/users',\n        deserializeUser,\n        options ? serializeListUsersOptions(options) : undefined,\n      ),\n      (params) =>\n        fetchAndDeserialize<UserResponse, User>(\n          this.workos,\n          '/user_management/users',\n          deserializeUser,\n          params,\n        ),\n      options ? serializeListUsersOptions(options) : undefined,\n    );\n  }\n\n  async createUser(payload: CreateUserOptions): Promise<User> {\n    const { data } = await this.workos.post<\n      UserResponse,\n      SerializedCreateUserOptions\n    >('/user_management/users', serializeCreateUserOptions(payload));\n\n    return deserializeUser(data);\n  }\n\n  async authenticateWithMagicAuth(\n    payload: AuthenticateWithMagicAuthOptions,\n  ): Promise<AuthenticationResponse> {\n    const { session, clientId, ...remainingPayload } = payload;\n    const resolvedClientId = this.resolveClientId(clientId);\n\n    const { data } = await this.workos.post<\n      AuthenticationResponseResponse,\n      SerializedAuthenticateWithMagicAuthOptions\n    >(\n      '/user_management/authenticate',\n      serializeAuthenticateWithMagicAuthOptions({\n        ...remainingPayload,\n        clientId: resolvedClientId,\n        clientSecret: this.workos.key,\n      }),\n    );\n\n    return this.prepareAuthenticationResponse({\n      authenticationResponse: deserializeAuthenticationResponse(data),\n      session,\n    });\n  }\n\n  async authenticateWithPassword(\n    payload: AuthenticateWithPasswordOptions,\n  ): Promise<AuthenticationResponse> {\n    const { session, clientId, ...remainingPayload } = payload;\n    const resolvedClientId = this.resolveClientId(clientId);\n\n    const { data } = await this.workos.post<\n      AuthenticationResponseResponse,\n      SerializedAuthenticateWithPasswordOptions\n    >(\n      '/user_management/authenticate',\n      serializeAuthenticateWithPasswordOptions({\n        ...remainingPayload,\n        clientId: resolvedClientId,\n        clientSecret: this.workos.key,\n      }),\n    );\n\n    return this.prepareAuthenticationResponse({\n      authenticationResponse: deserializeAuthenticationResponse(data),\n      session,\n    });\n  }\n\n  /**\n   * Exchange an authorization code for tokens.\n   *\n   * Auto-detects public vs confidential client mode:\n   * - If codeVerifier is provided: Uses PKCE flow (public client)\n   * - If no codeVerifier: Uses client_secret from API key (confidential client)\n   * - If both: Uses both client_secret AND codeVerifier (confidential client with PKCE)\n   *\n   * Using PKCE with confidential clients is recommended by OAuth 2.1 for defense\n   * in depth and provides additional CSRF protection on the authorization flow.\n   *\n   * @throws Error if neither codeVerifier nor API key is available\n   */\n  async authenticateWithCode(\n    payload: AuthenticateWithCodeOptions,\n  ): Promise<AuthenticationResponse> {\n    const { session, clientId, codeVerifier, ...remainingPayload } = payload;\n    const resolvedClientId = this.resolveClientId(clientId);\n\n    // Validate codeVerifier is not an empty string (common mistake)\n    if (codeVerifier !== undefined && codeVerifier.trim() === '') {\n      throw new TypeError(\n        'codeVerifier cannot be an empty string. ' +\n          'Generate a valid PKCE pair using workos.pkce.generate().',\n      );\n    }\n\n    const hasApiKey = !!this.workos.key;\n    const hasPKCE = !!codeVerifier;\n\n    if (!hasPKCE && !hasApiKey) {\n      throw new TypeError(\n        'authenticateWithCode requires either a codeVerifier (for public clients) ' +\n          'or an API key configured on the WorkOS instance (for confidential clients).',\n      );\n    }\n\n    const { data } = await this.workos.post<\n      AuthenticationResponseResponse,\n      SerializedAuthenticateWithCodeOptions\n    >(\n      '/user_management/authenticate',\n      serializeAuthenticateWithCodeOptions({\n        ...remainingPayload,\n        clientId: resolvedClientId,\n        codeVerifier,\n        clientSecret: hasApiKey ? this.workos.key : undefined,\n      }),\n      { skipApiKeyCheck: !hasApiKey },\n    );\n\n    return this.prepareAuthenticationResponse({\n      authenticationResponse: deserializeAuthenticationResponse(data),\n      session,\n    });\n  }\n\n  /**\n   * Exchange an authorization code for tokens using PKCE (public client flow).\n   * Use this instead of authenticateWithCode() when the client cannot securely\n   * store a client_secret (browser, mobile, CLI, desktop apps).\n   *\n   * @param payload.clientId - Your WorkOS client ID\n   * @param payload.code - The authorization code from the OAuth callback\n   * @param payload.codeVerifier - The PKCE code verifier used to generate the code challenge\n   */\n  async authenticateWithCodeAndVerifier(\n    payload: AuthenticateWithCodeAndVerifierOptions,\n  ): Promise<AuthenticationResponse> {\n    const { session, clientId, ...remainingPayload } = payload;\n    const resolvedClientId = this.resolveClientId(clientId);\n\n    const { data } = await this.workos.post<\n      AuthenticationResponseResponse,\n      SerializedAuthenticateWithCodeAndVerifierOptions\n    >(\n      '/user_management/authenticate',\n      serializeAuthenticateWithCodeAndVerifierOptions({\n        ...remainingPayload,\n        clientId: resolvedClientId,\n      }),\n      { skipApiKeyCheck: true },\n    );\n\n    return this.prepareAuthenticationResponse({\n      authenticationResponse: deserializeAuthenticationResponse(data),\n      session,\n    });\n  }\n\n  /**\n   * Refresh an access token using a refresh token.\n   * Automatically detects public client mode - if no API key is configured,\n   * omits client_secret from the request.\n   */\n  async authenticateWithRefreshToken(\n    payload: AuthenticateWithRefreshTokenOptions,\n  ): Promise<AuthenticationResponse> {\n    const { session, clientId, ...remainingPayload } = payload;\n    const resolvedClientId = this.resolveClientId(clientId);\n    const isPublicClient = !this.workos.key;\n\n    const body = isPublicClient\n      ? serializeAuthenticateWithRefreshTokenPublicClientOptions({\n          ...remainingPayload,\n          clientId: resolvedClientId,\n        })\n      : serializeAuthenticateWithRefreshTokenOptions({\n          ...remainingPayload,\n          clientId: resolvedClientId,\n          clientSecret: this.workos.key,\n        });\n\n    const { data } = await this.workos.post<\n      AuthenticationResponseResponse,\n      | SerializedAuthenticateWithRefreshTokenOptions\n      | SerializedAuthenticateWithRefreshTokenPublicClientOptions\n    >('/user_management/authenticate', body, {\n      skipApiKeyCheck: isPublicClient,\n    });\n\n    return this.prepareAuthenticationResponse({\n      authenticationResponse: deserializeAuthenticationResponse(data),\n      session,\n    });\n  }\n\n  async authenticateWithTotp(\n    payload: AuthenticateWithTotpOptions,\n  ): Promise<AuthenticationResponse> {\n    const { session, clientId, ...remainingPayload } = payload;\n    const resolvedClientId = this.resolveClientId(clientId);\n\n    const { data } = await this.workos.post<\n      AuthenticationResponseResponse,\n      SerializedAuthenticateWithTotpOptions\n    >(\n      '/user_management/authenticate',\n      serializeAuthenticateWithTotpOptions({\n        ...remainingPayload,\n        clientId: resolvedClientId,\n        clientSecret: this.workos.key,\n      }),\n    );\n\n    return this.prepareAuthenticationResponse({\n      authenticationResponse: deserializeAuthenticationResponse(data),\n      session,\n    });\n  }\n\n  async authenticateWithEmailVerification(\n    payload: AuthenticateWithEmailVerificationOptions,\n  ): Promise<AuthenticationResponse> {\n    const { session, clientId, ...remainingPayload } = payload;\n    const resolvedClientId = this.resolveClientId(clientId);\n\n    const { data } = await this.workos.post<\n      AuthenticationResponseResponse,\n      SerializedAuthenticateWithEmailVerificationOptions\n    >(\n      '/user_management/authenticate',\n      serializeAuthenticateWithEmailVerificationOptions({\n        ...remainingPayload,\n        clientId: resolvedClientId,\n        clientSecret: this.workos.key,\n      }),\n    );\n\n    return this.prepareAuthenticationResponse({\n      authenticationResponse: deserializeAuthenticationResponse(data),\n      session,\n    });\n  }\n\n  async authenticateWithOrganizationSelection(\n    payload: AuthenticateWithOrganizationSelectionOptions,\n  ): Promise<AuthenticationResponse> {\n    const { session, clientId, ...remainingPayload } = payload;\n    const resolvedClientId = this.resolveClientId(clientId);\n\n    const { data } = await this.workos.post<\n      AuthenticationResponseResponse,\n      SerializedAuthenticateWithOrganizationSelectionOptions\n    >(\n      '/user_management/authenticate',\n      serializeAuthenticateWithOrganizationSelectionOptions({\n        ...remainingPayload,\n        clientId: resolvedClientId,\n        clientSecret: this.workos.key,\n      }),\n    );\n\n    return this.prepareAuthenticationResponse({\n      authenticationResponse: deserializeAuthenticationResponse(data),\n      session,\n    });\n  }\n\n  async authenticateWithSessionCookie({\n    sessionData,\n    cookiePassword = getEnv('WORKOS_COOKIE_PASSWORD'),\n  }: AuthenticateWithSessionCookieOptions): Promise<\n    | AuthenticateWithSessionCookieSuccessResponse\n    | AuthenticateWithSessionCookieFailedResponse\n  > {\n    if (!cookiePassword) {\n      throw new Error('Cookie password is required');\n    }\n\n    const jwks = await this.getJWKS();\n\n    if (!jwks) {\n      throw new Error('Must provide clientId to initialize JWKS');\n    }\n\n    const { decodeJwt } = await getJose();\n\n    if (!sessionData) {\n      return {\n        authenticated: false,\n        reason:\n          AuthenticateWithSessionCookieFailureReason.NO_SESSION_COOKIE_PROVIDED,\n      };\n    }\n\n    const session = await unsealData<SessionCookieData>(sessionData, {\n      password: cookiePassword,\n    });\n\n    if (!session.accessToken) {\n      return {\n        authenticated: false,\n        reason:\n          AuthenticateWithSessionCookieFailureReason.INVALID_SESSION_COOKIE,\n      };\n    }\n\n    if (!(await this.isValidJwt(session.accessToken))) {\n      return {\n        authenticated: false,\n        reason: AuthenticateWithSessionCookieFailureReason.INVALID_JWT,\n      };\n    }\n\n    const {\n      sid: sessionId,\n      org_id: organizationId,\n      role,\n      roles,\n      permissions,\n      entitlements,\n      feature_flags: featureFlags,\n    } = decodeJwt<AccessToken>(session.accessToken);\n\n    return {\n      authenticated: true,\n      sessionId,\n      organizationId,\n      role,\n      roles,\n      user: session.user,\n      permissions,\n      entitlements,\n      featureFlags,\n      accessToken: session.accessToken,\n      authenticationMethod: session.authenticationMethod,\n    };\n  }\n\n  private async isValidJwt(accessToken: string): Promise<boolean> {\n    const jwks = await this.getJWKS();\n    const { jwtVerify } = await getJose();\n    if (!jwks) {\n      throw new Error('Must provide clientId to initialize JWKS');\n    }\n\n    try {\n      await jwtVerify(accessToken, jwks);\n      return true;\n    } catch (e) {\n      // Only treat as invalid JWT if it's an actual JWT/JWS error from jose\n      // Network errors, crypto failures, etc. should propagate\n      if (\n        e instanceof Error &&\n        'code' in e &&\n        typeof e.code === 'string' &&\n        (e.code.startsWith('ERR_JWT_') || e.code.startsWith('ERR_JWS_'))\n      ) {\n        return false;\n      }\n      throw e;\n    }\n  }\n\n  private async prepareAuthenticationResponse({\n    authenticationResponse,\n    session,\n  }: {\n    authenticationResponse: AuthenticationResponse;\n    session?: AuthenticateWithSessionOptions;\n  }): Promise<AuthenticationResponse> {\n    if (session?.sealSession) {\n      if (!this.workos.key) {\n        throw new Error(\n          'Session sealing requires server-side usage with an API key. ' +\n            'Public clients should store tokens directly ' +\n            '(e.g., secure storage on mobile, keychain on desktop).',\n        );\n      }\n\n      return {\n        ...authenticationResponse,\n        sealedSession: await this.sealSessionDataFromAuthenticationResponse({\n          authenticationResponse,\n          cookiePassword: session.cookiePassword,\n        }),\n      };\n    }\n\n    return authenticationResponse;\n  }\n\n  private async sealSessionDataFromAuthenticationResponse({\n    authenticationResponse,\n    cookiePassword,\n  }: {\n    authenticationResponse: AuthenticationResponse;\n    cookiePassword?: string;\n  }): Promise<string> {\n    if (!cookiePassword) {\n      throw new Error('Cookie password is required');\n    }\n\n    const { decodeJwt } = await getJose();\n\n    const { org_id: organizationIdFromAccessToken } = decodeJwt<AccessToken>(\n      authenticationResponse.accessToken,\n    );\n\n    const sessionData: SessionCookieData = {\n      organizationId: organizationIdFromAccessToken,\n      user: authenticationResponse.user,\n      accessToken: authenticationResponse.accessToken,\n      refreshToken: authenticationResponse.refreshToken,\n      authenticationMethod: authenticationResponse.authenticationMethod,\n      impersonator: authenticationResponse.impersonator,\n    };\n\n    return sealData(sessionData, {\n      password: cookiePassword,\n    });\n  }\n\n  async getSessionFromCookie({\n    sessionData,\n    cookiePassword = getEnv('WORKOS_COOKIE_PASSWORD'),\n  }: SessionHandlerOptions): Promise<SessionCookieData | undefined> {\n    if (!cookiePassword) {\n      throw new Error('Cookie password is required');\n    }\n\n    if (sessionData) {\n      return unsealData<SessionCookieData>(sessionData, {\n        password: cookiePassword,\n      });\n    }\n\n    return undefined;\n  }\n\n  async getEmailVerification(\n    emailVerificationId: string,\n  ): Promise<EmailVerification> {\n    const { data } = await this.workos.get<EmailVerificationResponse>(\n      `/user_management/email_verification/${emailVerificationId}`,\n    );\n\n    return deserializeEmailVerification(data);\n  }\n\n  async sendVerificationEmail({\n    userId,\n  }: SendVerificationEmailOptions): Promise<{ user: User }> {\n    const { data } = await this.workos.post<{ user: UserResponse }>(\n      `/user_management/users/${userId}/email_verification/send`,\n      {},\n    );\n\n    return { user: deserializeUser(data.user) };\n  }\n\n  async getMagicAuth(magicAuthId: string): Promise<MagicAuth> {\n    const { data } = await this.workos.get<MagicAuthResponse>(\n      `/user_management/magic_auth/${magicAuthId}`,\n    );\n\n    return deserializeMagicAuth(data);\n  }\n\n  async createMagicAuth(options: CreateMagicAuthOptions): Promise<MagicAuth> {\n    const { data } = await this.workos.post<\n      MagicAuthResponse,\n      SerializedCreateMagicAuthOptions\n    >(\n      '/user_management/magic_auth',\n      serializeCreateMagicAuthOptions({\n        ...options,\n      }),\n    );\n\n    return deserializeMagicAuth(data);\n  }\n\n  async verifyEmail({\n    code,\n    userId,\n  }: VerifyEmailOptions): Promise<{ user: User }> {\n    const { data } = await this.workos.post<\n      { user: UserResponse },\n      SerializedVerifyEmailOptions\n    >(`/user_management/users/${userId}/email_verification/confirm`, {\n      code,\n    });\n\n    return { user: deserializeUser(data.user) };\n  }\n\n  async getPasswordReset(passwordResetId: string): Promise<PasswordReset> {\n    const { data } = await this.workos.get<PasswordResetResponse>(\n      `/user_management/password_reset/${passwordResetId}`,\n    );\n\n    return deserializePasswordReset(data);\n  }\n\n  async createPasswordReset(\n    options: CreatePasswordResetOptions,\n  ): Promise<PasswordReset> {\n    const { data } = await this.workos.post<\n      PasswordResetResponse,\n      SerializedCreatePasswordResetOptions\n    >(\n      '/user_management/password_reset',\n      serializeCreatePasswordResetOptions({\n        ...options,\n      }),\n    );\n\n    return deserializePasswordReset(data);\n  }\n\n  async resetPassword(payload: ResetPasswordOptions): Promise<{ user: User }> {\n    const { data } = await this.workos.post<\n      { user: UserResponse },\n      SerializedResetPasswordOptions\n    >(\n      '/user_management/password_reset/confirm',\n      serializeResetPasswordOptions(payload),\n    );\n\n    return { user: deserializeUser(data.user) };\n  }\n\n  async updateUser(payload: UpdateUserOptions): Promise<User> {\n    const { data } = await this.workos.put<UserResponse>(\n      `/user_management/users/${payload.userId}`,\n      serializeUpdateUserOptions(payload),\n    );\n\n    return deserializeUser(data);\n  }\n\n  async enrollAuthFactor(payload: EnrollAuthFactorOptions): Promise<{\n    authenticationFactor: FactorWithSecrets;\n    authenticationChallenge: Challenge;\n  }> {\n    const { data } = await this.workos.post<{\n      authentication_factor: FactorWithSecretsResponse;\n      authentication_challenge: ChallengeResponse;\n    }>(\n      `/user_management/users/${payload.userId}/auth_factors`,\n      serializeEnrollAuthFactorOptions(payload),\n    );\n\n    return {\n      authenticationFactor: deserializeFactorWithSecrets(\n        data.authentication_factor,\n      ),\n      authenticationChallenge: deserializeChallenge(\n        data.authentication_challenge,\n      ),\n    };\n  }\n\n  async listAuthFactors(\n    options: ListAuthFactorsOptions,\n  ): Promise<AutoPaginatable<Factor, PaginationOptions>> {\n    const { userId, ...restOfOptions } = options;\n    return new AutoPaginatable(\n      await fetchAndDeserialize<FactorResponse, Factor>(\n        this.workos,\n        `/user_management/users/${userId}/auth_factors`,\n        deserializeFactor,\n        restOfOptions,\n      ),\n      (params) =>\n        fetchAndDeserialize<FactorResponse, Factor>(\n          this.workos,\n          `/user_management/users/${userId}/auth_factors`,\n          deserializeFactor,\n          params,\n        ),\n      restOfOptions,\n    );\n  }\n\n  async listUserFeatureFlags(\n    options: ListUserFeatureFlagsOptions,\n  ): Promise<AutoPaginatable<FeatureFlag>> {\n    const { userId, ...paginationOptions } = options;\n\n    return new AutoPaginatable(\n      await fetchAndDeserialize<FeatureFlagResponse, FeatureFlag>(\n        this.workos,\n        `/user_management/users/${userId}/feature-flags`,\n        deserializeFeatureFlag,\n        paginationOptions,\n      ),\n      (params) =>\n        fetchAndDeserialize<FeatureFlagResponse, FeatureFlag>(\n          this.workos,\n          `/user_management/users/${userId}/feature-flags`,\n          deserializeFeatureFlag,\n          params,\n        ),\n      paginationOptions,\n    );\n  }\n\n  async listSessions(\n    userId: string,\n    options?: ListSessionsOptions,\n  ): Promise<AutoPaginatable<Session, SerializedListSessionsOptions>> {\n    return new AutoPaginatable(\n      await fetchAndDeserialize<SessionResponse, Session>(\n        this.workos,\n        `/user_management/users/${userId}/sessions`,\n        deserializeSession,\n        options ? serializeListSessionsOptions(options) : undefined,\n      ),\n      (params) =>\n        fetchAndDeserialize<SessionResponse, Session>(\n          this.workos,\n          `/user_management/users/${userId}/sessions`,\n          deserializeSession,\n          params,\n        ),\n      options ? serializeListSessionsOptions(options) : undefined,\n    );\n  }\n\n  async deleteUser(userId: string) {\n    await this.workos.delete(`/user_management/users/${userId}`);\n  }\n\n  async getUserIdentities(userId: string): Promise<Identity[]> {\n    if (!userId) {\n      throw new TypeError(`Incomplete arguments. Need to specify 'userId'.`);\n    }\n\n    const { data } = await this.workos.get<IdentityResponse[]>(\n      `/user_management/users/${userId}/identities`,\n    );\n\n    return deserializeIdentities(data);\n  }\n\n  async getOrganizationMembership(\n    organizationMembershipId: string,\n  ): Promise<OrganizationMembership> {\n    const { data } = await this.workos.get<OrganizationMembershipResponse>(\n      `/user_management/organization_memberships/${organizationMembershipId}`,\n    );\n\n    return deserializeOrganizationMembership(data);\n  }\n\n  async listOrganizationMemberships(\n    options: ListOrganizationMembershipsOptions,\n  ): Promise<\n    AutoPaginatable<\n      OrganizationMembership,\n      SerializedListOrganizationMembershipsOptions\n    >\n  > {\n    const serializedOptions =\n      serializeListOrganizationMembershipsOptions(options);\n\n    return new AutoPaginatable(\n      await fetchAndDeserialize<\n        OrganizationMembershipResponse,\n        OrganizationMembership\n      >(\n        this.workos,\n        '/user_management/organization_memberships',\n        deserializeOrganizationMembership,\n        serializedOptions,\n      ),\n      (params) =>\n        fetchAndDeserialize<\n          OrganizationMembershipResponse,\n          OrganizationMembership\n        >(\n          this.workos,\n          '/user_management/organization_memberships',\n          deserializeOrganizationMembership,\n          params,\n        ),\n      serializedOptions,\n    );\n  }\n\n  async createOrganizationMembership(\n    options: CreateOrganizationMembershipOptions,\n  ): Promise<OrganizationMembership> {\n    const { data } = await this.workos.post<\n      OrganizationMembershipResponse,\n      SerializedCreateOrganizationMembershipOptions\n    >(\n      '/user_management/organization_memberships',\n      serializeCreateOrganizationMembershipOptions(options),\n    );\n\n    return deserializeOrganizationMembership(data);\n  }\n\n  async updateOrganizationMembership(\n    organizationMembershipId: string,\n    options: UpdateOrganizationMembershipOptions,\n  ): Promise<OrganizationMembership> {\n    const { data } = await this.workos.put<\n      OrganizationMembershipResponse,\n      SerializedUpdateOrganizationMembershipOptions\n    >(\n      `/user_management/organization_memberships/${organizationMembershipId}`,\n      serializeUpdateOrganizationMembershipOptions(options),\n    );\n\n    return deserializeOrganizationMembership(data);\n  }\n\n  async deleteOrganizationMembership(\n    organizationMembershipId: string,\n  ): Promise<void> {\n    await this.workos.delete(\n      `/user_management/organization_memberships/${organizationMembershipId}`,\n    );\n  }\n\n  async deactivateOrganizationMembership(\n    organizationMembershipId: string,\n  ): Promise<OrganizationMembership> {\n    const { data } = await this.workos.put<OrganizationMembershipResponse>(\n      `/user_management/organization_memberships/${organizationMembershipId}/deactivate`,\n      {},\n    );\n\n    return deserializeOrganizationMembership(data);\n  }\n\n  async reactivateOrganizationMembership(\n    organizationMembershipId: string,\n  ): Promise<OrganizationMembership> {\n    const { data } = await this.workos.put<OrganizationMembershipResponse>(\n      `/user_management/organization_memberships/${organizationMembershipId}/reactivate`,\n      {},\n    );\n\n    return deserializeOrganizationMembership(data);\n  }\n\n  async getInvitation(invitationId: string): Promise<Invitation> {\n    const { data } = await this.workos.get<InvitationResponse>(\n      `/user_management/invitations/${invitationId}`,\n    );\n\n    return deserializeInvitation(data);\n  }\n\n  async findInvitationByToken(invitationToken: string): Promise<Invitation> {\n    const { data } = await this.workos.get<InvitationResponse>(\n      `/user_management/invitations/by_token/${invitationToken}`,\n    );\n\n    return deserializeInvitation(data);\n  }\n\n  async listInvitations(\n    options: ListInvitationsOptions,\n  ): Promise<AutoPaginatable<Invitation, SerializedListInvitationsOptions>> {\n    return new AutoPaginatable(\n      await fetchAndDeserialize<InvitationResponse, Invitation>(\n        this.workos,\n        '/user_management/invitations',\n        deserializeInvitation,\n        options ? serializeListInvitationsOptions(options) : undefined,\n      ),\n      (params) =>\n        fetchAndDeserialize<InvitationResponse, Invitation>(\n          this.workos,\n          '/user_management/invitations',\n          deserializeInvitation,\n          params,\n        ),\n      options ? serializeListInvitationsOptions(options) : undefined,\n    );\n  }\n\n  async sendInvitation(payload: SendInvitationOptions): Promise<Invitation> {\n    const { data } = await this.workos.post<\n      InvitationResponse,\n      SerializedSendInvitationOptions\n    >(\n      '/user_management/invitations',\n      serializeSendInvitationOptions({\n        ...payload,\n      }),\n    );\n\n    return deserializeInvitation(data);\n  }\n\n  async acceptInvitation(invitationId: string): Promise<Invitation> {\n    const { data } = await this.workos.post<InvitationResponse, any>(\n      `/user_management/invitations/${invitationId}/accept`,\n      null,\n    );\n\n    return deserializeInvitation(data);\n  }\n\n  async revokeInvitation(invitationId: string): Promise<Invitation> {\n    const { data } = await this.workos.post<InvitationResponse, any>(\n      `/user_management/invitations/${invitationId}/revoke`,\n      null,\n    );\n\n    return deserializeInvitation(data);\n  }\n\n  async resendInvitation(\n    invitationId: string,\n    options?: ResendInvitationOptions,\n  ): Promise<Invitation> {\n    const { data } = await this.workos.post<\n      InvitationResponse,\n      SerializedResendInvitationOptions\n    >(\n      `/user_management/invitations/${invitationId}/resend`,\n      options ? serializeResendInvitationOptions(options) : {},\n    );\n\n    return deserializeInvitation(data);\n  }\n\n  async revokeSession(payload: RevokeSessionOptions): Promise<void> {\n    await this.workos.post<void, SerializedRevokeSessionOptions>(\n      '/user_management/sessions/revoke',\n      serializeRevokeSessionOptions(payload),\n    );\n  }\n\n  /**\n   * Generate an OAuth 2.0 authorization URL.\n   *\n   * For public clients (browser, mobile, CLI), include PKCE parameters:\n   * - Generate PKCE using workos.pkce.generate()\n   * - Pass codeChallenge and codeChallengeMethod here\n   * - Store codeVerifier and pass to authenticateWithCode() later\n   *\n   * Or use getAuthorizationUrlWithPKCE() which handles PKCE automatically.\n   */\n  getAuthorizationUrl(options: UserManagementAuthorizationURLOptions): string {\n    const {\n      connectionId,\n      codeChallenge,\n      codeChallengeMethod,\n      clientId,\n      domainHint,\n      loginHint,\n      organizationId,\n      provider,\n      providerQueryParams,\n      providerScopes,\n      prompt,\n      redirectUri,\n      state,\n      screenHint,\n    } = options;\n    const resolvedClientId = this.resolveClientId(clientId);\n\n    if (!provider && !connectionId && !organizationId) {\n      throw new TypeError(\n        `Incomplete arguments. Need to specify either a 'connectionId', 'organizationId', or 'provider'.`,\n      );\n    }\n\n    if (provider !== 'authkit' && screenHint) {\n      throw new TypeError(\n        `'screenHint' is only supported for 'authkit' provider`,\n      );\n    }\n\n    const query = toQueryString({\n      connection_id: connectionId,\n      code_challenge: codeChallenge,\n      code_challenge_method: codeChallengeMethod,\n      organization_id: organizationId,\n      domain_hint: domainHint,\n      login_hint: loginHint,\n      provider,\n      provider_query_params: providerQueryParams,\n      provider_scopes: providerScopes,\n      prompt,\n      client_id: resolvedClientId,\n      redirect_uri: redirectUri,\n      response_type: 'code',\n      state,\n      screen_hint: screenHint,\n    });\n\n    return `${this.workos.baseURL}/user_management/authorize?${query}`;\n  }\n\n  /**\n   * Generate an OAuth 2.0 authorization URL with automatic PKCE.\n   *\n   * This method generates PKCE parameters internally and returns them along with\n   * the authorization URL. Use this for public clients (CLI apps, Electron, mobile)\n   * that cannot securely store a client secret.\n   *\n   * @returns Object containing url, state, and codeVerifier\n   *\n   * @example\n   * ```typescript\n   * const { url, state, codeVerifier } = await workos.userManagement.getAuthorizationUrlWithPKCE({\n   *   provider: 'authkit',\n   *   clientId: 'client_123',\n   *   redirectUri: 'myapp://callback',\n   * });\n   *\n   * // Store state and codeVerifier securely, then redirect user to url\n   * // After callback, exchange the code:\n   * const response = await workos.userManagement.authenticateWithCode({\n   *   code: authorizationCode,\n   *   codeVerifier,\n   *   clientId: 'client_123',\n   * });\n   * ```\n   */\n  async getAuthorizationUrlWithPKCE(\n    options: Omit<\n      UserManagementAuthorizationURLOptions,\n      'codeChallenge' | 'codeChallengeMethod' | 'state'\n    >,\n  ): Promise<PKCEAuthorizationURLResult> {\n    const {\n      clientId,\n      connectionId,\n      domainHint,\n      loginHint,\n      organizationId,\n      provider,\n      providerQueryParams,\n      providerScopes,\n      prompt,\n      redirectUri,\n      screenHint,\n    } = options;\n    const resolvedClientId = this.resolveClientId(clientId);\n\n    if (!provider && !connectionId && !organizationId) {\n      throw new TypeError(\n        `Incomplete arguments. Need to specify either a 'connectionId', 'organizationId', or 'provider'.`,\n      );\n    }\n\n    if (provider !== 'authkit' && screenHint) {\n      throw new TypeError(\n        `'screenHint' is only supported for 'authkit' provider`,\n      );\n    }\n\n    // Generate PKCE parameters\n    const pkce = await this.workos.pkce.generate();\n\n    // Generate secure random state\n    const state = this.workos.pkce.generateCodeVerifier(43);\n\n    const query = toQueryString({\n      connection_id: connectionId,\n      code_challenge: pkce.codeChallenge,\n      code_challenge_method: 'S256',\n      organization_id: organizationId,\n      domain_hint: domainHint,\n      login_hint: loginHint,\n      provider,\n      provider_query_params: providerQueryParams,\n      provider_scopes: providerScopes,\n      prompt,\n      client_id: resolvedClientId,\n      redirect_uri: redirectUri,\n      response_type: 'code',\n      state,\n      screen_hint: screenHint,\n    });\n\n    const url = `${this.workos.baseURL}/user_management/authorize?${query}`;\n\n    return { url, state, codeVerifier: pkce.codeVerifier };\n  }\n\n  getLogoutUrl(options: LogoutURLOptions): string {\n    const { sessionId, returnTo } = options;\n\n    if (!sessionId) {\n      throw new TypeError(`Incomplete arguments. Need to specify 'sessionId'.`);\n    }\n\n    const url = new URL(\n      '/user_management/sessions/logout',\n      this.workos.baseURL,\n    );\n\n    url.searchParams.set('session_id', sessionId);\n    if (returnTo) {\n      url.searchParams.set('return_to', returnTo);\n    }\n\n    return url.toString();\n  }\n\n  getJwksUrl(clientId: string): string {\n    if (!clientId) {\n      throw new TypeError('clientId must be a valid clientId');\n    }\n\n    return `${this.workos.baseURL}/sso/jwks/${clientId}`;\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAsKA,IAAa,iBAAb,MAA4B;CAC1B,AAAQ;CAGR,AAAO;CAEP,YAAY,AAAiBA,QAAgB;EAAhB;EAC3B,MAAM,EAAE,aAAa,OAAO;AAE5B,OAAK,WAAW;;;;;;CAOlB,AAAQ,gBAAgB,UAA2B;EACjD,MAAM,WAAW,YAAY,KAAK;AAClC,MAAI,CAAC,SACH,OAAM,IAAI,UACR,kFACD;AAEH,SAAO;;CAGT,MAAM,UAEJ;EACA,MAAM,EAAE,uBAAuB,MAAMC,sBAAS;AAC9C,MAAI,CAAC,KAAK,SACR;AAIF,OAAK,UAAU,mBAAmB,IAAI,IAAI,KAAK,WAAW,KAAK,SAAS,CAAC,EAAE,EACzE,kBAAkB,MAAO,KAAK,GAC/B,CAAC;AAEF,SAAO,KAAK;;;;;;;;;;CAWd,kBAAkB,SAGA;AAChB,SAAO,IAAIC,8BAAc,MAAM,QAAQ,aAAa,QAAQ,eAAe;;CAG7E,MAAM,QAAQ,QAA+B;EAC3C,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,0BAA0B,SAC3B;AAED,SAAOC,wCAAgB,KAAK;;CAG9B,MAAM,oBAAoB,YAAmC;EAC3D,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,sCAAsC,aACvC;AAED,SAAOA,wCAAgB,KAAK;;CAG9B,MAAM,UACJ,SAC4D;AAC5D,SAAO,IAAIC,mCACT,MAAMC,kDACJ,KAAK,QACL,0BACAF,yCACA,UAAUG,gEAA0B,QAAQ,GAAG,OAChD,GACA,WACCD,kDACE,KAAK,QACL,0BACAF,yCACA,OACD,EACH,UAAUG,gEAA0B,QAAQ,GAAG,OAChD;;CAGH,MAAM,WAAW,SAA2C;EAC1D,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAGjC,0BAA0BC,kEAA2B,QAAQ,CAAC;AAEhE,SAAOJ,wCAAgB,KAAK;;CAG9B,MAAM,0BACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,GAAG,qBAAqB;EACnD,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;EAEvD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACAK,kGAA0C;GACxC,GAAG;GACH,UAAU;GACV,cAAc,KAAK,OAAO;GAC3B,CAAC,CACH;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwBC,6EAAkC,KAAK;GAC/D;GACD,CAAC;;CAGJ,MAAM,yBACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,GAAG,qBAAqB;EACnD,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;EAEvD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACAC,+FAAyC;GACvC,GAAG;GACH,UAAU;GACV,cAAc,KAAK,OAAO;GAC3B,CAAC,CACH;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwBD,6EAAkC,KAAK;GAC/D;GACD,CAAC;;;;;;;;;;;;;;;CAgBJ,MAAM,qBACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,cAAc,GAAG,qBAAqB;EACjE,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;AAGvD,MAAI,iBAAiB,UAAa,aAAa,MAAM,KAAK,GACxD,OAAM,IAAI,UACR,mGAED;EAGH,MAAM,YAAY,CAAC,CAAC,KAAK,OAAO;AAGhC,MAAI,CAFY,CAAC,CAAC,gBAEF,CAAC,UACf,OAAM,IAAI,UACR,uJAED;EAGH,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACAE,uFAAqC;GACnC,GAAG;GACH,UAAU;GACV;GACA,cAAc,YAAY,KAAK,OAAO,MAAM;GAC7C,CAAC,EACF,EAAE,iBAAiB,CAAC,WAAW,CAChC;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwBF,6EAAkC,KAAK;GAC/D;GACD,CAAC;;;;;;;;;;;CAYJ,MAAM,gCACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,GAAG,qBAAqB;EACnD,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;EAEvD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACAG,+GAAgD;GAC9C,GAAG;GACH,UAAU;GACX,CAAC,EACF,EAAE,iBAAiB,MAAM,CAC1B;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwBH,6EAAkC,KAAK;GAC/D;GACD,CAAC;;;;;;;CAQJ,MAAM,6BACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,GAAG,qBAAqB;EACnD,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;EACvD,MAAM,iBAAiB,CAAC,KAAK,OAAO;EAEpC,MAAM,OAAO,iBACTI,kIAAyD;GACvD,GAAG;GACH,UAAU;GACX,CAAC,GACFC,wGAA6C;GAC3C,GAAG;GACH,UAAU;GACV,cAAc,KAAK,OAAO;GAC3B,CAAC;EAEN,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCAAiC,MAAM,EACvC,iBAAiB,gBAClB,CAAC;AAEF,SAAO,KAAK,8BAA8B;GACxC,wBAAwBL,6EAAkC,KAAK;GAC/D;GACD,CAAC;;CAGJ,MAAM,qBACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,GAAG,qBAAqB;EACnD,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;EAEvD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACAM,uFAAqC;GACnC,GAAG;GACH,UAAU;GACV,cAAc,KAAK,OAAO;GAC3B,CAAC,CACH;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwBN,6EAAkC,KAAK;GAC/D;GACD,CAAC;;CAGJ,MAAM,kCACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,GAAG,qBAAqB;EACnD,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;EAEvD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACAO,0GAAkD;GAChD,GAAG;GACH,UAAU;GACV,cAAc,KAAK,OAAO;GAC3B,CAAC,CACH;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwBP,6EAAkC,KAAK;GAC/D;GACD,CAAC;;CAGJ,MAAM,sCACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,GAAG,qBAAqB;EACnD,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;EAEvD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACAQ,0HAAsD;GACpD,GAAG;GACH,UAAU;GACV,cAAc,KAAK,OAAO;GAC3B,CAAC,CACH;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwBR,6EAAkC,KAAK;GAC/D;GACD,CAAC;;CAGJ,MAAM,8BAA8B,EAClC,aACA,iBAAiBS,mBAAO,yBAAyB,IAIjD;AACA,MAAI,CAAC,eACH,OAAM,IAAI,MAAM,8BAA8B;AAKhD,MAAI,CAFS,MAAM,KAAK,SAAS,CAG/B,OAAM,IAAI,MAAM,2CAA2C;EAG7D,MAAM,EAAE,cAAc,MAAMjB,sBAAS;AAErC,MAAI,CAAC,YACH,QAAO;GACL,eAAe;GACf,QACEkB,8FAA2C;GAC9C;EAGH,MAAM,UAAU,MAAMC,wBAA8B,aAAa,EAC/D,UAAU,gBACX,CAAC;AAEF,MAAI,CAAC,QAAQ,YACX,QAAO;GACL,eAAe;GACf,QACED,8FAA2C;GAC9C;AAGH,MAAI,CAAE,MAAM,KAAK,WAAW,QAAQ,YAAY,CAC9C,QAAO;GACL,eAAe;GACf,QAAQA,8FAA2C;GACpD;EAGH,MAAM,EACJ,KAAK,WACL,QAAQ,gBACR,MACA,OACA,aACA,cACA,eAAe,iBACb,UAAuB,QAAQ,YAAY;AAE/C,SAAO;GACL,eAAe;GACf;GACA;GACA;GACA;GACA,MAAM,QAAQ;GACd;GACA;GACA;GACA,aAAa,QAAQ;GACrB,sBAAsB,QAAQ;GAC/B;;CAGH,MAAc,WAAW,aAAuC;EAC9D,MAAM,OAAO,MAAM,KAAK,SAAS;EACjC,MAAM,EAAE,cAAc,MAAMlB,sBAAS;AACrC,MAAI,CAAC,KACH,OAAM,IAAI,MAAM,2CAA2C;AAG7D,MAAI;AACF,SAAM,UAAU,aAAa,KAAK;AAClC,UAAO;WACA,GAAG;AAGV,OACE,aAAa,SACb,UAAU,KACV,OAAO,EAAE,SAAS,aACjB,EAAE,KAAK,WAAW,WAAW,IAAI,EAAE,KAAK,WAAW,WAAW,EAE/D,QAAO;AAET,SAAM;;;CAIV,MAAc,8BAA8B,EAC1C,wBACA,WAIkC;AAClC,MAAI,SAAS,aAAa;AACxB,OAAI,CAAC,KAAK,OAAO,IACf,OAAM,IAAI,MACR,iKAGD;AAGH,UAAO;IACL,GAAG;IACH,eAAe,MAAM,KAAK,0CAA0C;KAClE;KACA,gBAAgB,QAAQ;KACzB,CAAC;IACH;;AAGH,SAAO;;CAGT,MAAc,0CAA0C,EACtD,wBACA,kBAIkB;AAClB,MAAI,CAAC,eACH,OAAM,IAAI,MAAM,8BAA8B;EAGhD,MAAM,EAAE,cAAc,MAAMA,sBAAS;EAErC,MAAM,EAAE,QAAQ,kCAAkC,UAChD,uBAAuB,YACxB;AAWD,SAAOoB,sBATgC;GACrC,gBAAgB;GAChB,MAAM,uBAAuB;GAC7B,aAAa,uBAAuB;GACpC,cAAc,uBAAuB;GACrC,sBAAsB,uBAAuB;GAC7C,cAAc,uBAAuB;GACtC,EAE4B,EAC3B,UAAU,gBACX,CAAC;;CAGJ,MAAM,qBAAqB,EACzB,aACA,iBAAiBH,mBAAO,yBAAyB,IACe;AAChE,MAAI,CAAC,eACH,OAAM,IAAI,MAAM,8BAA8B;AAGhD,MAAI,YACF,QAAOE,wBAA8B,aAAa,EAChD,UAAU,gBACX,CAAC;;CAMN,MAAM,qBACJ,qBAC4B;EAC5B,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,uCAAuC,sBACxC;AAED,SAAOE,mEAA6B,KAAK;;CAG3C,MAAM,sBAAsB,EAC1B,UACwD;EACxD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KACjC,0BAA0B,OAAO,2BACjC,EAAE,CACH;AAED,SAAO,EAAE,MAAMnB,wCAAgB,KAAK,KAAK,EAAE;;CAG7C,MAAM,aAAa,aAAyC;EAC1D,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,+BAA+B,cAChC;AAED,SAAOoB,mDAAqB,KAAK;;CAGnC,MAAM,gBAAgB,SAAqD;EACzE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,+BACAC,6EAAgC,EAC9B,GAAG,SACJ,CAAC,CACH;AAED,SAAOD,mDAAqB,KAAK;;CAGnC,MAAM,YAAY,EAChB,MACA,UAC8C;EAC9C,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAGjC,0BAA0B,OAAO,8BAA8B,EAC/D,MACD,CAAC;AAEF,SAAO,EAAE,MAAMpB,wCAAgB,KAAK,KAAK,EAAE;;CAG7C,MAAM,iBAAiB,iBAAiD;EACtE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,mCAAmC,kBACpC;AAED,SAAOsB,2DAAyB,KAAK;;CAGvC,MAAM,oBACJ,SACwB;EACxB,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,mCACAC,qFAAoC,EAClC,GAAG,SACJ,CAAC,CACH;AAED,SAAOD,2DAAyB,KAAK;;CAGvC,MAAM,cAAc,SAAwD;EAC1E,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,2CACAE,wEAA8B,QAAQ,CACvC;AAED,SAAO,EAAE,MAAMxB,wCAAgB,KAAK,KAAK,EAAE;;CAG7C,MAAM,WAAW,SAA2C;EAC1D,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,0BAA0B,QAAQ,UAClCyB,kEAA2B,QAAQ,CACpC;AAED,SAAOzB,wCAAgB,KAAK;;CAG9B,MAAM,iBAAiB,SAGpB;EACD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,0BAA0B,QAAQ,OAAO,gBACzC0B,+EAAiC,QAAQ,CAC1C;AAED,SAAO;GACL,sBAAsBC,uDACpB,KAAK,sBACN;GACD,yBAAyBC,kDACvB,KAAK,yBACN;GACF;;CAGH,MAAM,gBACJ,SACqD;EACrD,MAAM,EAAE,QAAQ,GAAG,kBAAkB;AACrC,SAAO,IAAI3B,mCACT,MAAMC,kDACJ,KAAK,QACL,0BAA0B,OAAO,gBACjC2B,6CACA,cACD,GACA,WACC3B,kDACE,KAAK,QACL,0BAA0B,OAAO,gBACjC2B,6CACA,OACD,EACH,cACD;;CAGH,MAAM,qBACJ,SACuC;EACvC,MAAM,EAAE,QAAQ,GAAG,sBAAsB;AAEzC,SAAO,IAAI5B,mCACT,MAAMC,kDACJ,KAAK,QACL,0BAA0B,OAAO,iBACjC4B,wDACA,kBACD,GACA,WACC5B,kDACE,KAAK,QACL,0BAA0B,OAAO,iBACjC4B,wDACA,OACD,EACH,kBACD;;CAGH,MAAM,aACJ,QACA,SACkE;AAClE,SAAO,IAAI7B,mCACT,MAAMC,kDACJ,KAAK,QACL,0BAA0B,OAAO,YACjC6B,+CACA,UAAUC,sEAA6B,QAAQ,GAAG,OACnD,GACA,WACC9B,kDACE,KAAK,QACL,0BAA0B,OAAO,YACjC6B,+CACA,OACD,EACH,UAAUC,sEAA6B,QAAQ,GAAG,OACnD;;CAGH,MAAM,WAAW,QAAgB;AAC/B,QAAM,KAAK,OAAO,OAAO,0BAA0B,SAAS;;CAG9D,MAAM,kBAAkB,QAAqC;AAC3D,MAAI,CAAC,OACH,OAAM,IAAI,UAAU,kDAAkD;EAGxE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,0BAA0B,OAAO,aAClC;AAED,SAAOC,kDAAsB,KAAK;;CAGpC,MAAM,0BACJ,0BACiC;EACjC,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,6CAA6C,2BAC9C;AAED,SAAOC,6EAAkC,KAAK;;CAGhD,MAAM,4BACJ,SAMA;EACA,MAAM,oBACJC,qGAA4C,QAAQ;AAEtD,SAAO,IAAIlC,mCACT,MAAMC,kDAIJ,KAAK,QACL,6CACAgC,8EACA,kBACD,GACA,WACChC,kDAIE,KAAK,QACL,6CACAgC,8EACA,OACD,EACH,kBACD;;CAGH,MAAM,6BACJ,SACiC;EACjC,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,6CACAE,uGAA6C,QAAQ,CACtD;AAED,SAAOF,6EAAkC,KAAK;;CAGhD,MAAM,6BACJ,0BACA,SACiC;EACjC,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IAIjC,6CAA6C,4BAC7CG,uGAA6C,QAAQ,CACtD;AAED,SAAOH,6EAAkC,KAAK;;CAGhD,MAAM,6BACJ,0BACe;AACf,QAAM,KAAK,OAAO,OAChB,6CAA6C,2BAC9C;;CAGH,MAAM,iCACJ,0BACiC;EACjC,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,6CAA6C,yBAAyB,cACtE,EAAE,CACH;AAED,SAAOA,6EAAkC,KAAK;;CAGhD,MAAM,iCACJ,0BACiC;EACjC,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,6CAA6C,yBAAyB,cACtE,EAAE,CACH;AAED,SAAOA,6EAAkC,KAAK;;CAGhD,MAAM,cAAc,cAA2C;EAC7D,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,gCAAgC,eACjC;AAED,SAAOI,oDAAsB,KAAK;;CAGpC,MAAM,sBAAsB,iBAA8C;EACxE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,yCAAyC,kBAC1C;AAED,SAAOA,oDAAsB,KAAK;;CAGpC,MAAM,gBACJ,SACwE;AACxE,SAAO,IAAIrC,mCACT,MAAMC,kDACJ,KAAK,QACL,gCACAoC,qDACA,UAAUC,4EAAgC,QAAQ,GAAG,OACtD,GACA,WACCrC,kDACE,KAAK,QACL,gCACAoC,qDACA,OACD,EACH,UAAUC,4EAAgC,QAAQ,GAAG,OACtD;;CAGH,MAAM,eAAe,SAAqD;EACxE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,gCACAC,0EAA+B,EAC7B,GAAG,SACJ,CAAC,CACH;AAED,SAAOF,oDAAsB,KAAK;;CAGpC,MAAM,iBAAiB,cAA2C;EAChE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KACjC,gCAAgC,aAAa,UAC7C,KACD;AAED,SAAOA,oDAAsB,KAAK;;CAGpC,MAAM,iBAAiB,cAA2C;EAChE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KACjC,gCAAgC,aAAa,UAC7C,KACD;AAED,SAAOA,oDAAsB,KAAK;;CAGpC,MAAM,iBACJ,cACA,SACqB;EACrB,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,gCAAgC,aAAa,UAC7C,UAAUG,8EAAiC,QAAQ,GAAG,EAAE,CACzD;AAED,SAAOH,oDAAsB,KAAK;;CAGpC,MAAM,cAAc,SAA8C;AAChE,QAAM,KAAK,OAAO,KAChB,oCACAI,uEAA8B,QAAQ,CACvC;;;;;;;;;;;;CAaH,oBAAoB,SAAwD;EAC1E,MAAM,EACJ,cACA,eACA,qBACA,UACA,YACA,WACA,gBACA,UACA,qBACA,gBACA,QACA,aACA,OACA,eACE;EACJ,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;AAEvD,MAAI,CAAC,YAAY,CAAC,gBAAgB,CAAC,eACjC,OAAM,IAAI,UACR,kGACD;AAGH,MAAI,aAAa,aAAa,WAC5B,OAAM,IAAI,UACR,wDACD;EAGH,MAAM,QAAQC,mCAAc;GAC1B,eAAe;GACf,gBAAgB;GAChB,uBAAuB;GACvB,iBAAiB;GACjB,aAAa;GACb,YAAY;GACZ;GACA,uBAAuB;GACvB,iBAAiB;GACjB;GACA,WAAW;GACX,cAAc;GACd,eAAe;GACf;GACA,aAAa;GACd,CAAC;AAEF,SAAO,GAAG,KAAK,OAAO,QAAQ,6BAA6B;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA6B7D,MAAM,4BACJ,SAIqC;EACrC,MAAM,EACJ,UACA,cACA,YACA,WACA,gBACA,UACA,qBACA,gBACA,QACA,aACA,eACE;EACJ,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;AAEvD,MAAI,CAAC,YAAY,CAAC,gBAAgB,CAAC,eACjC,OAAM,IAAI,UACR,kGACD;AAGH,MAAI,aAAa,aAAa,WAC5B,OAAM,IAAI,UACR,wDACD;EAIH,MAAM,OAAO,MAAM,KAAK,OAAO,KAAK,UAAU;EAG9C,MAAM,QAAQ,KAAK,OAAO,KAAK,qBAAqB,GAAG;EAEvD,MAAM,QAAQA,mCAAc;GAC1B,eAAe;GACf,gBAAgB,KAAK;GACrB,uBAAuB;GACvB,iBAAiB;GACjB,aAAa;GACb,YAAY;GACZ;GACA,uBAAuB;GACvB,iBAAiB;GACjB;GACA,WAAW;GACX,cAAc;GACd,eAAe;GACf;GACA,aAAa;GACd,CAAC;AAIF,SAAO;GAAE,KAFG,GAAG,KAAK,OAAO,QAAQ,6BAA6B;GAElD;GAAO,cAAc,KAAK;GAAc;;CAGxD,aAAa,SAAmC;EAC9C,MAAM,EAAE,WAAW,aAAa;AAEhC,MAAI,CAAC,UACH,OAAM,IAAI,UAAU,qDAAqD;EAG3E,MAAM,MAAM,IAAI,IACd,oCACA,KAAK,OAAO,QACb;AAED,MAAI,aAAa,IAAI,cAAc,UAAU;AAC7C,MAAI,SACF,KAAI,aAAa,IAAI,aAAa,SAAS;AAG7C,SAAO,IAAI,UAAU;;CAGvB,WAAW,UAA0B;AACnC,MAAI,CAAC,SACH,OAAM,IAAI,UAAU,oCAAoC;AAG1D,SAAO,GAAG,KAAK,OAAO,QAAQ,YAAY"}

package/lib/{user.serializer-B8Yr_r6n.d.cts → user.serializer-BFpDaajW.d.cts}

@@ -4,4 +4,4 @@ import { n as UserResponse, t as User } from "./user.interface-CSksrToF.cjs";
 declare const deserializeUser: (user: UserResponse) => User;
 //#endregion
 export { deserializeUser as t };
-//# sourceMappingURL=user.serializer-B8Yr_r6n.d.cts.map
+//# sourceMappingURL=user.serializer-BFpDaajW.d.cts.map

package/lib/{validate-api-key.serializer-DJMNSZRi.d.cts → validate-api-key.serializer-D5zYUCcH.d.cts}

@@ -4,4 +4,4 @@ import { r as ValidateApiKeyResponse, t as SerializedValidateApiKeyResponse } fr
 declare function deserializeValidateApiKeyResponse(response: SerializedValidateApiKeyResponse): ValidateApiKeyResponse;
 //#endregion
 export { deserializeValidateApiKeyResponse as t };
-//# sourceMappingURL=validate-api-key.serializer-DJMNSZRi.d.cts.map
+//# sourceMappingURL=validate-api-key.serializer-D5zYUCcH.d.cts.map

package/lib/vault/interfaces/index.d.cts

@@ -1,11 +1,11 @@
-import { n as DataKeyPair, r as KeyContext, t as DataKey } from "../../key.interface-DWikImzG.cjs";
-import { n as CreateDataKeyResponse, t as CreateDataKeyOptions } from "../../create-data-key.interface-B-aytYEd.cjs";
-import { n as DecryptDataKeyResponse, t as DecryptDataKeyOptions } from "../../decrypt-data-key.interface-BuI1is1m.cjs";
-import { n as CreateObjectOptions, t as CreateObjectEntity } from "../../create-object.interface-Bm7L0wKq.cjs";
-import { t as DeleteObjectOptions } from "../../delete-object.interface-BJMqWLai.cjs";
-import { n as ObjectVersionResponse, t as ListObjectVersionsResponse } from "../../list-object-versions.interface-BIpsoYSF.cjs";
-import { t as ObjectDigestResponse } from "../../list-objects.interface-5d1Vw7Kl.cjs";
-import { a as VaultObject, i as ObjectVersion, n as ObjectMetadata, r as ObjectUpdateBy, t as ObjectDigest } from "../../object.interface-C0gQ84EY.cjs";
-import { n as ReadObjectOptions, r as ReadObjectResponse, t as ReadObjectMetadataResponse } from "../../read-object.interface-BwzjcSVm.cjs";
-import { n as UpdateObjectOptions, t as UpdateObjectEntity } from "../../update-object.interface-C8y9e8Lt.cjs";
+import { n as DataKeyPair, r as KeyContext, t as DataKey } from "../../key.interface-YLV_plqn.cjs";
+import { n as CreateDataKeyResponse, t as CreateDataKeyOptions } from "../../create-data-key.interface-CfdPFOII.cjs";
+import { n as DecryptDataKeyResponse, t as DecryptDataKeyOptions } from "../../decrypt-data-key.interface-COPJw2aD.cjs";
+import { n as CreateObjectOptions, t as CreateObjectEntity } from "../../create-object.interface-BEWdAoAU.cjs";
+import { t as DeleteObjectOptions } from "../../delete-object.interface-C9gnNWU-.cjs";
+import { n as ObjectVersionResponse, t as ListObjectVersionsResponse } from "../../list-object-versions.interface-CbrhRrmz.cjs";
+import { t as ObjectDigestResponse } from "../../list-objects.interface-CtunUutg.cjs";
+import { a as VaultObject, i as ObjectVersion, n as ObjectMetadata, r as ObjectUpdateBy, t as ObjectDigest } from "../../object.interface-Do9xg7Zv.cjs";
+import { n as ReadObjectOptions, r as ReadObjectResponse, t as ReadObjectMetadataResponse } from "../../read-object.interface-iqgpJxLj.cjs";
+import { n as UpdateObjectOptions, t as UpdateObjectEntity } from "../../update-object.interface-EhYczOkX.cjs";
 export { CreateDataKeyOptions, CreateDataKeyResponse, CreateObjectEntity, CreateObjectOptions, DataKey, DataKeyPair, DecryptDataKeyOptions, DecryptDataKeyResponse, DeleteObjectOptions, KeyContext, ListObjectVersionsResponse, ObjectDigest, ObjectDigestResponse, ObjectMetadata, ObjectUpdateBy, ObjectVersion, ObjectVersionResponse, ReadObjectMetadataResponse, ReadObjectOptions, ReadObjectResponse, UpdateObjectEntity, UpdateObjectOptions, VaultObject };

package/lib/vault/interfaces/key/create-data-key.interface.d.cts

@@ -1,2 +1,2 @@
-import { n as CreateDataKeyResponse, t as CreateDataKeyOptions } from "../../../create-data-key.interface-B-aytYEd.cjs";
+import { n as CreateDataKeyResponse, t as CreateDataKeyOptions } from "../../../create-data-key.interface-CfdPFOII.cjs";
 export { CreateDataKeyOptions, CreateDataKeyResponse };

package/lib/vault/interfaces/key/decrypt-data-key.interface.d.cts

@@ -1,2 +1,2 @@
-import { n as DecryptDataKeyResponse, t as DecryptDataKeyOptions } from "../../../decrypt-data-key.interface-BuI1is1m.cjs";
+import { n as DecryptDataKeyResponse, t as DecryptDataKeyOptions } from "../../../decrypt-data-key.interface-COPJw2aD.cjs";
 export { DecryptDataKeyOptions, DecryptDataKeyResponse };

package/lib/vault/interfaces/key.interface.d.cts

@@ -1,2 +1,2 @@
-import { n as DataKeyPair, r as KeyContext, t as DataKey } from "../../key.interface-DWikImzG.cjs";
+import { n as DataKeyPair, r as KeyContext, t as DataKey } from "../../key.interface-YLV_plqn.cjs";
 export { DataKey, DataKeyPair, KeyContext };

package/lib/vault/interfaces/object/create-object.interface.d.cts

@@ -1,2 +1,2 @@
-import { n as CreateObjectOptions, t as CreateObjectEntity } from "../../../create-object.interface-Bm7L0wKq.cjs";
+import { n as CreateObjectOptions, t as CreateObjectEntity } from "../../../create-object.interface-BEWdAoAU.cjs";
 export { CreateObjectEntity, CreateObjectOptions };

package/lib/vault/interfaces/object/delete-object.interface.d.cts

@@ -1,2 +1,2 @@
-import { t as DeleteObjectOptions } from "../../../delete-object.interface-BJMqWLai.cjs";
+import { t as DeleteObjectOptions } from "../../../delete-object.interface-C9gnNWU-.cjs";
 export { DeleteObjectOptions };

package/lib/vault/interfaces/object/list-object-versions.interface.d.cts

@@ -1,2 +1,2 @@
-import { n as ObjectVersionResponse, t as ListObjectVersionsResponse } from "../../../list-object-versions.interface-BIpsoYSF.cjs";
+import { n as ObjectVersionResponse, t as ListObjectVersionsResponse } from "../../../list-object-versions.interface-CbrhRrmz.cjs";
 export { ListObjectVersionsResponse, ObjectVersionResponse };

package/lib/vault/interfaces/object/list-objects.interface.d.cts

@@ -1,2 +1,2 @@
-import { t as ObjectDigestResponse } from "../../../list-objects.interface-5d1Vw7Kl.cjs";
+import { t as ObjectDigestResponse } from "../../../list-objects.interface-CtunUutg.cjs";
 export { ObjectDigestResponse };

package/lib/vault/interfaces/object/read-object.interface.d.cts

@@ -1,2 +1,2 @@
-import { n as ReadObjectOptions, r as ReadObjectResponse, t as ReadObjectMetadataResponse } from "../../../read-object.interface-BwzjcSVm.cjs";
+import { n as ReadObjectOptions, r as ReadObjectResponse, t as ReadObjectMetadataResponse } from "../../../read-object.interface-iqgpJxLj.cjs";
 export { ReadObjectMetadataResponse, ReadObjectOptions, ReadObjectResponse };

package/lib/vault/interfaces/object/read-object.interface.d.ts

@@ -18,7 +18,7 @@ interface ReadObjectResponse {
   id: string;
   metadata: ReadObjectMetadataResponse;
   name: string;
-  value: string;
+  value?: string;
 }
 //#endregion
 export { ReadObjectMetadataResponse, ReadObjectOptions, ReadObjectResponse };

package/lib/vault/interfaces/object/update-object.interface.d.cts

@@ -1,2 +1,2 @@
-import { n as UpdateObjectOptions, t as UpdateObjectEntity } from "../../../update-object.interface-C8y9e8Lt.cjs";
+import { n as UpdateObjectOptions, t as UpdateObjectEntity } from "../../../update-object.interface-EhYczOkX.cjs";
 export { UpdateObjectEntity, UpdateObjectOptions };

package/lib/vault/interfaces/object.interface.d.cts

@@ -1,2 +1,2 @@
-import { a as VaultObject, i as ObjectVersion, n as ObjectMetadata, r as ObjectUpdateBy, t as ObjectDigest } from "../../object.interface-C0gQ84EY.cjs";
+import { a as VaultObject, i as ObjectVersion, n as ObjectMetadata, r as ObjectUpdateBy, t as ObjectDigest } from "../../object.interface-Do9xg7Zv.cjs";
 export { ObjectDigest, ObjectMetadata, ObjectUpdateBy, ObjectVersion, VaultObject };

package/lib/vault/serializers/vault-key.serializer.d.cts

@@ -1,6 +1,6 @@
-import { n as DataKeyPair, t as DataKey } from "../../key.interface-DWikImzG.cjs";
-import { n as CreateDataKeyResponse } from "../../create-data-key.interface-B-aytYEd.cjs";
-import { n as DecryptDataKeyResponse } from "../../decrypt-data-key.interface-BuI1is1m.cjs";
+import { n as DataKeyPair, t as DataKey } from "../../key.interface-YLV_plqn.cjs";
+import { n as CreateDataKeyResponse } from "../../create-data-key.interface-CfdPFOII.cjs";
+import { n as DecryptDataKeyResponse } from "../../decrypt-data-key.interface-COPJw2aD.cjs";
 
 //#region src/vault/serializers/vault-key.serializer.d.ts
 declare const deserializeCreateDataKeyResponse: (key: CreateDataKeyResponse) => DataKeyPair;

package/lib/vault/serializers/vault-object.serializer.cjs

@@ -1,4 +1,4 @@
-const require_vault_object_serializer = require('../../vault-object.serializer-CwmJwCnO.cjs');
+const require_vault_object_serializer = require('../../vault-object.serializer-Cx7rAuca.cjs');
 
 exports.deserializeListObjects = require_vault_object_serializer.deserializeListObjects;
 exports.deserializeObject = require_vault_object_serializer.deserializeObject;

package/lib/vault/serializers/vault-object.serializer.d.cts

@@ -1,10 +1,10 @@
-import { n as ListResponse, t as List } from "../../list.interface-BMsjwGOu.cjs";
-import { n as CreateObjectOptions, t as CreateObjectEntity } from "../../create-object.interface-Bm7L0wKq.cjs";
-import { t as ListObjectVersionsResponse } from "../../list-object-versions.interface-BIpsoYSF.cjs";
-import { t as ObjectDigestResponse } from "../../list-objects.interface-5d1Vw7Kl.cjs";
-import { a as VaultObject, i as ObjectVersion, n as ObjectMetadata, t as ObjectDigest } from "../../object.interface-C0gQ84EY.cjs";
-import { r as ReadObjectResponse, t as ReadObjectMetadataResponse } from "../../read-object.interface-BwzjcSVm.cjs";
-import { n as UpdateObjectOptions, t as UpdateObjectEntity } from "../../update-object.interface-C8y9e8Lt.cjs";
+import { n as ListResponse, t as List } from "../../list.interface-I2r4xhuH.cjs";
+import { n as CreateObjectOptions, t as CreateObjectEntity } from "../../create-object.interface-BEWdAoAU.cjs";
+import { t as ListObjectVersionsResponse } from "../../list-object-versions.interface-CbrhRrmz.cjs";
+import { t as ObjectDigestResponse } from "../../list-objects.interface-CtunUutg.cjs";
+import { a as VaultObject, i as ObjectVersion, n as ObjectMetadata, t as ObjectDigest } from "../../object.interface-Do9xg7Zv.cjs";
+import { r as ReadObjectResponse, t as ReadObjectMetadataResponse } from "../../read-object.interface-iqgpJxLj.cjs";
+import { n as UpdateObjectOptions, t as UpdateObjectEntity } from "../../update-object.interface-EhYczOkX.cjs";
 
 //#region src/vault/serializers/vault-object.serializer.d.ts
 declare const deserializeObjectMetadata: (metadata: ReadObjectMetadataResponse) => ObjectMetadata;

package/lib/vault/serializers/vault-object.serializer.js

@@ -11,7 +11,7 @@ const deserializeObjectMetadata = (metadata) => ({
 const deserializeObject = (object) => ({
 	id: object.id,
 	name: object.name,
-	value: object.value,
+	...object.value !== void 0 && { value: object.value },
 	metadata: deserializeObjectMetadata(object.metadata)
 });
 const deserializeObjectDigest = (digest) => ({
@@ -23,8 +23,8 @@ const deserializeListObjects = (list) => ({
 	object: "list",
 	data: list.data.map(deserializeObjectDigest),
 	listMetadata: {
-		after: list.list_metadata.after ?? void 0,
-		before: list.list_metadata.before ?? void 0
+		...list.list_metadata.after !== void 0 && { after: list.list_metadata.after },
+		...list.list_metadata.before !== void 0 && { before: list.list_metadata.before }
 	}
 });
 const desrializeListObjectVersions = (list) => list.data.map(deserializeObjectVersion);

package/lib/vault/serializers/vault-object.serializer.js.map

@@ -1 +1 @@
-{"version":3,"file":"vault-object.serializer.js","names":[],"sources":["../../../src/vault/serializers/vault-object.serializer.ts"],"sourcesContent":["import { List, ListResponse } from '../../common/interfaces';\nimport {\n  ReadObjectMetadataResponse,\n  ReadObjectResponse,\n  UpdateObjectOptions,\n  UpdateObjectEntity,\n  ObjectMetadata,\n  VaultObject,\n  ObjectVersionResponse,\n  ObjectVersion,\n  CreateObjectOptions,\n  CreateObjectEntity,\n  ObjectDigestResponse,\n  ObjectDigest,\n  ListObjectVersionsResponse,\n} from '../interfaces';\n\nexport const deserializeObjectMetadata = (\n  metadata: ReadObjectMetadataResponse,\n): ObjectMetadata => ({\n  context: metadata.context,\n  environmentId: metadata.environment_id,\n  id: metadata.id,\n  keyId: metadata.key_id,\n  updatedAt: new Date(Date.parse(metadata.updated_at)),\n  updatedBy: metadata.updated_by,\n  versionId: metadata.version_id,\n});\n\nexport const deserializeObject = (object: ReadObjectResponse): VaultObject => ({\n  id: object.id,\n  name: object.name,\n  value: object.value,\n  metadata: deserializeObjectMetadata(object.metadata),\n});\n\nconst deserializeObjectDigest = (\n  digest: ObjectDigestResponse,\n): ObjectDigest => ({\n  id: digest.id,\n  name: digest.name,\n  updatedAt: new Date(Date.parse(digest.updated_at)),\n});\n\nexport const deserializeListObjects = (\n  list: ListResponse<ObjectDigestResponse>,\n): List<ObjectDigest> => ({\n  object: 'list',\n  data: list.data.map(deserializeObjectDigest),\n  listMetadata: {\n    after: list.list_metadata.after ?? undefined,\n    before: list.list_metadata.before ?? undefined,\n  },\n});\n\nexport const desrializeListObjectVersions = (\n  list: ListObjectVersionsResponse,\n): ObjectVersion[] => list.data.map(deserializeObjectVersion);\n\nconst deserializeObjectVersion = (\n  version: ObjectVersionResponse,\n): ObjectVersion => ({\n  createdAt: new Date(Date.parse(version.created_at)),\n  currentVersion: version.current_version,\n  id: version.id,\n});\n\nexport const serializeCreateObjectEntity = (\n  options: CreateObjectOptions,\n): CreateObjectEntity => ({\n  name: options.name,\n  value: options.value,\n  key_context: options.context,\n});\n\nexport const serializeUpdateObjectEntity = (\n  options: UpdateObjectOptions,\n): UpdateObjectEntity => ({\n  value: options.value,\n  version_check: options.versionCheck,\n});\n"],"mappings":";AAiBA,MAAa,6BACX,cACoB;CACpB,SAAS,SAAS;CAClB,eAAe,SAAS;CACxB,IAAI,SAAS;CACb,OAAO,SAAS;CAChB,WAAW,IAAI,KAAK,KAAK,MAAM,SAAS,WAAW,CAAC;CACpD,WAAW,SAAS;CACpB,WAAW,SAAS;CACrB;AAED,MAAa,qBAAqB,YAA6C;CAC7E,IAAI,OAAO;CACX,MAAM,OAAO;CACb,OAAO,OAAO;CACd,UAAU,0BAA0B,OAAO,SAAS;CACrD;AAED,MAAM,2BACJ,YACkB;CAClB,IAAI,OAAO;CACX,MAAM,OAAO;CACb,WAAW,IAAI,KAAK,KAAK,MAAM,OAAO,WAAW,CAAC;CACnD;AAED,MAAa,0BACX,UACwB;CACxB,QAAQ;CACR,MAAM,KAAK,KAAK,IAAI,wBAAwB;CAC5C,cAAc;EACZ,OAAO,KAAK,cAAc,SAAS;EACnC,QAAQ,KAAK,cAAc,UAAU;EACtC;CACF;AAED,MAAa,gCACX,SACoB,KAAK,KAAK,IAAI,yBAAyB;AAE7D,MAAM,4BACJ,aACmB;CACnB,WAAW,IAAI,KAAK,KAAK,MAAM,QAAQ,WAAW,CAAC;CACnD,gBAAgB,QAAQ;CACxB,IAAI,QAAQ;CACb;AAED,MAAa,+BACX,aACwB;CACxB,MAAM,QAAQ;CACd,OAAO,QAAQ;CACf,aAAa,QAAQ;CACtB;AAED,MAAa,+BACX,aACwB;CACxB,OAAO,QAAQ;CACf,eAAe,QAAQ;CACxB"}
+{"version":3,"file":"vault-object.serializer.js","names":[],"sources":["../../../src/vault/serializers/vault-object.serializer.ts"],"sourcesContent":["import { List, ListResponse } from '../../common/interfaces';\nimport {\n  ReadObjectMetadataResponse,\n  ReadObjectResponse,\n  UpdateObjectOptions,\n  UpdateObjectEntity,\n  ObjectMetadata,\n  VaultObject,\n  ObjectVersionResponse,\n  ObjectVersion,\n  CreateObjectOptions,\n  CreateObjectEntity,\n  ObjectDigestResponse,\n  ObjectDigest,\n  ListObjectVersionsResponse,\n} from '../interfaces';\n\nexport const deserializeObjectMetadata = (\n  metadata: ReadObjectMetadataResponse,\n): ObjectMetadata => ({\n  context: metadata.context,\n  environmentId: metadata.environment_id,\n  id: metadata.id,\n  keyId: metadata.key_id,\n  updatedAt: new Date(Date.parse(metadata.updated_at)),\n  updatedBy: metadata.updated_by,\n  versionId: metadata.version_id,\n});\n\nexport const deserializeObject = (object: ReadObjectResponse): VaultObject => ({\n  id: object.id,\n  name: object.name,\n  ...(object.value !== undefined && { value: object.value }),\n  metadata: deserializeObjectMetadata(object.metadata),\n});\n\nconst deserializeObjectDigest = (\n  digest: ObjectDigestResponse,\n): ObjectDigest => ({\n  id: digest.id,\n  name: digest.name,\n  updatedAt: new Date(Date.parse(digest.updated_at)),\n});\n\nexport const deserializeListObjects = (\n  list: ListResponse<ObjectDigestResponse>,\n): List<ObjectDigest> => ({\n  object: 'list',\n  data: list.data.map(deserializeObjectDigest),\n  listMetadata: {\n    ...(list.list_metadata.after !== undefined && {\n      after: list.list_metadata.after,\n    }),\n    ...(list.list_metadata.before !== undefined && {\n      before: list.list_metadata.before,\n    }),\n  },\n});\n\nexport const desrializeListObjectVersions = (\n  list: ListObjectVersionsResponse,\n): ObjectVersion[] => list.data.map(deserializeObjectVersion);\n\nconst deserializeObjectVersion = (\n  version: ObjectVersionResponse,\n): ObjectVersion => ({\n  createdAt: new Date(Date.parse(version.created_at)),\n  currentVersion: version.current_version,\n  id: version.id,\n});\n\nexport const serializeCreateObjectEntity = (\n  options: CreateObjectOptions,\n): CreateObjectEntity => ({\n  name: options.name,\n  value: options.value,\n  key_context: options.context,\n});\n\nexport const serializeUpdateObjectEntity = (\n  options: UpdateObjectOptions,\n): UpdateObjectEntity => ({\n  value: options.value,\n  version_check: options.versionCheck,\n});\n"],"mappings":";AAiBA,MAAa,6BACX,cACoB;CACpB,SAAS,SAAS;CAClB,eAAe,SAAS;CACxB,IAAI,SAAS;CACb,OAAO,SAAS;CAChB,WAAW,IAAI,KAAK,KAAK,MAAM,SAAS,WAAW,CAAC;CACpD,WAAW,SAAS;CACpB,WAAW,SAAS;CACrB;AAED,MAAa,qBAAqB,YAA6C;CAC7E,IAAI,OAAO;CACX,MAAM,OAAO;CACb,GAAI,OAAO,UAAU,UAAa,EAAE,OAAO,OAAO,OAAO;CACzD,UAAU,0BAA0B,OAAO,SAAS;CACrD;AAED,MAAM,2BACJ,YACkB;CAClB,IAAI,OAAO;CACX,MAAM,OAAO;CACb,WAAW,IAAI,KAAK,KAAK,MAAM,OAAO,WAAW,CAAC;CACnD;AAED,MAAa,0BACX,UACwB;CACxB,QAAQ;CACR,MAAM,KAAK,KAAK,IAAI,wBAAwB;CAC5C,cAAc;EACZ,GAAI,KAAK,cAAc,UAAU,UAAa,EAC5C,OAAO,KAAK,cAAc,OAC3B;EACD,GAAI,KAAK,cAAc,WAAW,UAAa,EAC7C,QAAQ,KAAK,cAAc,QAC5B;EACF;CACF;AAED,MAAa,gCACX,SACoB,KAAK,KAAK,IAAI,yBAAyB;AAE7D,MAAM,4BACJ,aACmB;CACnB,WAAW,IAAI,KAAK,KAAK,MAAM,QAAQ,WAAW,CAAC;CACnD,gBAAgB,QAAQ;CACxB,IAAI,QAAQ;CACb;AAED,MAAa,+BACX,aACwB;CACxB,MAAM,QAAQ;CACd,OAAO,QAAQ;CACf,aAAa,QAAQ;CACtB;AAED,MAAa,+BACX,aACwB;CACxB,OAAO,QAAQ;CACf,eAAe,QAAQ;CACxB"}

package/lib/vault/vault.cjs

@@ -1,3 +1,3 @@
-const require_vault = require('../vault-tqn3i5Ms.cjs');
+const require_vault = require('../vault-BR8gbCEq.cjs');
 
 exports.Vault = require_vault.Vault;