@workos-inc/node 8.6.0 → 8.7.0

package/lib/{user-management-DEOOSelF.cjs.map → user-management-CJj1rMco.cjs.map}

@@ -1 +1 @@
-{"version":3,"file":"user-management-DEOOSelF.cjs","names":["workos: WorkOS","getJose","CookieSession","deserializeUser","AutoPaginatable","fetchAndDeserialize","serializeListUsersOptions","serializeCreateUserOptions","serializeAuthenticateWithMagicAuthOptions","deserializeAuthenticationResponse","serializeAuthenticateWithPasswordOptions","serializeAuthenticateWithCodeOptions","serializeAuthenticateWithCodeAndVerifierOptions","serializeAuthenticateWithRefreshTokenPublicClientOptions","serializeAuthenticateWithRefreshTokenOptions","serializeAuthenticateWithTotpOptions","serializeAuthenticateWithEmailVerificationOptions","serializeAuthenticateWithOrganizationSelectionOptions","getEnv","AuthenticateWithSessionCookieFailureReason","unsealData","sealData","deserializeEmailVerification","deserializeMagicAuth","serializeCreateMagicAuthOptions","deserializePasswordReset","serializeCreatePasswordResetOptions","serializeResetPasswordOptions","serializeUpdateUserOptions","serializeEnrollAuthFactorOptions","deserializeFactorWithSecrets","deserializeChallenge","deserializeFactor","deserializeFeatureFlag","deserializeSession","serializeListSessionsOptions","deserializeIdentities","deserializeOrganizationMembership","serializeListOrganizationMembershipsOptions","serializeCreateOrganizationMembershipOptions","serializeUpdateOrganizationMembershipOptions","deserializeInvitation","serializeListInvitationsOptions","serializeSendInvitationOptions","serializeResendInvitationOptions","serializeRevokeSessionOptions","toQueryString"],"sources":["../src/user-management/user-management.ts"],"sourcesContent":["import { sealData, unsealData } from '../common/crypto/seal';\nimport { PaginationOptions } from '../common/interfaces/pagination-options.interface';\nimport { fetchAndDeserialize } from '../common/utils/fetch-and-deserialize';\nimport { AutoPaginatable } from '../common/utils/pagination';\nimport { getEnv } from '../common/utils/env';\nimport { toQueryString } from '../common/utils/query-string';\nimport { Challenge, ChallengeResponse } from '../mfa/interfaces';\nimport { deserializeChallenge } from '../mfa/serializers';\nimport {\n  FeatureFlag,\n  FeatureFlagResponse,\n} from '../feature-flags/interfaces/feature-flag.interface';\nimport { deserializeFeatureFlag } from '../feature-flags/serializers';\nimport { WorkOS } from '../workos';\nimport {\n  AuthenticateWithCodeAndVerifierOptions,\n  AuthenticateWithCodeOptions,\n  AuthenticateWithMagicAuthOptions,\n  AuthenticateWithPasswordOptions,\n  AuthenticateWithRefreshTokenOptions,\n  AuthenticateWithSessionOptions,\n  AuthenticateWithTotpOptions,\n  AuthenticationResponse,\n  AuthenticationResponseResponse,\n  CreateMagicAuthOptions,\n  CreatePasswordResetOptions,\n  CreateUserOptions,\n  EmailVerification,\n  EmailVerificationResponse,\n  EnrollAuthFactorOptions,\n  ListAuthFactorsOptions,\n  ListSessionsOptions,\n  ListUsersOptions,\n  ListUserFeatureFlagsOptions,\n  LogoutURLOptions,\n  MagicAuth,\n  MagicAuthResponse,\n  PasswordReset,\n  PasswordResetResponse,\n  ResetPasswordOptions,\n  SendVerificationEmailOptions,\n  SerializedAuthenticateWithCodeAndVerifierOptions,\n  SerializedAuthenticateWithCodeOptions,\n  SerializedAuthenticateWithMagicAuthOptions,\n  SerializedAuthenticateWithPasswordOptions,\n  SerializedAuthenticateWithRefreshTokenOptions,\n  SerializedAuthenticateWithRefreshTokenPublicClientOptions,\n  SerializedAuthenticateWithTotpOptions,\n  SerializedCreateMagicAuthOptions,\n  SerializedCreatePasswordResetOptions,\n  SerializedCreateUserOptions,\n  SerializedListSessionsOptions,\n  SerializedListUsersOptions,\n  SerializedResetPasswordOptions,\n  SerializedVerifyEmailOptions,\n  Session,\n  SessionResponse,\n  UpdateUserOptions,\n  User,\n  UserResponse,\n  VerifyEmailOptions,\n} from './interfaces';\nimport {\n  AuthenticateWithEmailVerificationOptions,\n  SerializedAuthenticateWithEmailVerificationOptions,\n} from './interfaces/authenticate-with-email-verification-options.interface';\nimport {\n  AuthenticateWithOrganizationSelectionOptions,\n  SerializedAuthenticateWithOrganizationSelectionOptions,\n} from './interfaces/authenticate-with-organization-selection.interface';\nimport {\n  AccessToken,\n  AuthenticateWithSessionCookieFailedResponse,\n  AuthenticateWithSessionCookieFailureReason,\n  AuthenticateWithSessionCookieOptions,\n  AuthenticateWithSessionCookieSuccessResponse,\n  SessionCookieData,\n} from './interfaces/authenticate-with-session-cookie.interface';\nimport {\n  PKCEAuthorizationURLResult,\n  UserManagementAuthorizationURLOptions,\n} from './interfaces/authorization-url-options.interface';\nimport {\n  CreateOrganizationMembershipOptions,\n  SerializedCreateOrganizationMembershipOptions,\n} from './interfaces/create-organization-membership-options.interface';\nimport {\n  Factor,\n  FactorResponse,\n  FactorWithSecrets,\n  FactorWithSecretsResponse,\n} from './interfaces/factor.interface';\nimport { Identity, IdentityResponse } from './interfaces/identity.interface';\nimport {\n  Invitation,\n  InvitationResponse,\n} from './interfaces/invitation.interface';\nimport {\n  ListInvitationsOptions,\n  SerializedListInvitationsOptions,\n} from './interfaces/list-invitations-options.interface';\nimport {\n  ListOrganizationMembershipsOptions,\n  SerializedListOrganizationMembershipsOptions,\n} from './interfaces/list-organization-memberships-options.interface';\nimport {\n  OrganizationMembership,\n  OrganizationMembershipResponse,\n} from './interfaces/organization-membership.interface';\nimport {\n  RevokeSessionOptions,\n  SerializedRevokeSessionOptions,\n  serializeRevokeSessionOptions,\n} from './interfaces/revoke-session-options.interface';\nimport {\n  ResendInvitationOptions,\n  SerializedResendInvitationOptions,\n} from './interfaces/resend-invitation-options.interface';\nimport {\n  SendInvitationOptions,\n  SerializedSendInvitationOptions,\n} from './interfaces/send-invitation-options.interface';\nimport { SessionHandlerOptions } from './interfaces/session-handler-options.interface';\nimport {\n  SerializedUpdateOrganizationMembershipOptions,\n  UpdateOrganizationMembershipOptions,\n} from './interfaces/update-organization-membership-options.interface';\nimport {\n  deserializeAuthenticationResponse,\n  deserializeEmailVerification,\n  deserializeFactorWithSecrets,\n  deserializeMagicAuth,\n  deserializePasswordReset,\n  deserializeSession,\n  deserializeUser,\n  serializeAuthenticateWithCodeAndVerifierOptions,\n  serializeAuthenticateWithCodeOptions,\n  serializeAuthenticateWithMagicAuthOptions,\n  serializeAuthenticateWithPasswordOptions,\n  serializeAuthenticateWithRefreshTokenOptions,\n  serializeAuthenticateWithRefreshTokenPublicClientOptions,\n  serializeAuthenticateWithTotpOptions,\n  serializeCreateMagicAuthOptions,\n  serializeCreatePasswordResetOptions,\n  serializeCreateUserOptions,\n  serializeEnrollAuthFactorOptions,\n  serializeListSessionsOptions,\n  serializeResetPasswordOptions,\n  serializeUpdateUserOptions,\n} from './serializers';\nimport { serializeAuthenticateWithEmailVerificationOptions } from './serializers/authenticate-with-email-verification.serializer';\nimport { serializeAuthenticateWithOrganizationSelectionOptions } from './serializers/authenticate-with-organization-selection-options.serializer';\nimport { serializeCreateOrganizationMembershipOptions } from './serializers/create-organization-membership-options.serializer';\nimport { deserializeFactor } from './serializers/factor.serializer';\nimport { deserializeIdentities } from './serializers/identity.serializer';\nimport { deserializeInvitation } from './serializers/invitation.serializer';\nimport { serializeListInvitationsOptions } from './serializers/list-invitations-options.serializer';\nimport { serializeListOrganizationMembershipsOptions } from './serializers/list-organization-memberships-options.serializer';\nimport { serializeListUsersOptions } from './serializers/list-users-options.serializer';\nimport { serializeResendInvitationOptions } from './serializers/resend-invitation-options.serializer';\nimport { deserializeOrganizationMembership } from './serializers/organization-membership.serializer';\nimport { serializeSendInvitationOptions } from './serializers/send-invitation-options.serializer';\nimport { serializeUpdateOrganizationMembershipOptions } from './serializers/update-organization-membership-options.serializer';\nimport { CookieSession } from './session';\nimport { getJose } from '../utils/jose';\n\nexport class UserManagement {\n  private _jwks:\n    | ReturnType<typeof import('jose').createRemoteJWKSet>\n    | undefined;\n  public clientId: string | undefined;\n\n  constructor(private readonly workos: WorkOS) {\n    const { clientId } = workos.options;\n\n    this.clientId = clientId;\n  }\n\n  /**\n   * Resolve clientId from method options or fall back to constructor-provided value.\n   * @throws TypeError if clientId is not available from either source\n   */\n  private resolveClientId(clientId?: string): string {\n    const resolved = clientId ?? this.clientId;\n    if (!resolved) {\n      throw new TypeError(\n        'clientId is required. Provide it in method options or when initializing WorkOS.',\n      );\n    }\n    return resolved;\n  }\n\n  async getJWKS(): Promise<\n    ReturnType<typeof import('jose').createRemoteJWKSet> | undefined\n  > {\n    const { createRemoteJWKSet } = await getJose();\n    if (!this.clientId) {\n      return;\n    }\n\n    // Set the JWKS URL. This is used to verify if the JWT is still valid\n    this._jwks ??= createRemoteJWKSet(new URL(this.getJwksUrl(this.clientId)), {\n      cooldownDuration: 1000 * 60 * 5,\n    });\n\n    return this._jwks;\n  }\n\n  /**\n   * Loads a sealed session using the provided session data and cookie password.\n   *\n   * @param options - The options for loading the sealed session.\n   * @param options.sessionData - The sealed session data.\n   * @param options.cookiePassword - The password used to encrypt the session data.\n   * @returns The session class.\n   */\n  loadSealedSession(options: {\n    sessionData: string;\n    cookiePassword: string;\n  }): CookieSession {\n    return new CookieSession(this, options.sessionData, options.cookiePassword);\n  }\n\n  async getUser(userId: string): Promise<User> {\n    const { data } = await this.workos.get<UserResponse>(\n      `/user_management/users/${userId}`,\n    );\n\n    return deserializeUser(data);\n  }\n\n  async getUserByExternalId(externalId: string): Promise<User> {\n    const { data } = await this.workos.get<UserResponse>(\n      `/user_management/users/external_id/${externalId}`,\n    );\n\n    return deserializeUser(data);\n  }\n\n  async listUsers(\n    options?: ListUsersOptions,\n  ): Promise<AutoPaginatable<User, SerializedListUsersOptions>> {\n    return new AutoPaginatable(\n      await fetchAndDeserialize<UserResponse, User>(\n        this.workos,\n        '/user_management/users',\n        deserializeUser,\n        options ? serializeListUsersOptions(options) : undefined,\n      ),\n      (params) =>\n        fetchAndDeserialize<UserResponse, User>(\n          this.workos,\n          '/user_management/users',\n          deserializeUser,\n          params,\n        ),\n      options ? serializeListUsersOptions(options) : undefined,\n    );\n  }\n\n  async createUser(payload: CreateUserOptions): Promise<User> {\n    const { data } = await this.workos.post<\n      UserResponse,\n      SerializedCreateUserOptions\n    >('/user_management/users', serializeCreateUserOptions(payload));\n\n    return deserializeUser(data);\n  }\n\n  async authenticateWithMagicAuth(\n    payload: AuthenticateWithMagicAuthOptions,\n  ): Promise<AuthenticationResponse> {\n    const { session, clientId, ...remainingPayload } = payload;\n    const resolvedClientId = this.resolveClientId(clientId);\n\n    const { data } = await this.workos.post<\n      AuthenticationResponseResponse,\n      SerializedAuthenticateWithMagicAuthOptions\n    >(\n      '/user_management/authenticate',\n      serializeAuthenticateWithMagicAuthOptions({\n        ...remainingPayload,\n        clientId: resolvedClientId,\n        clientSecret: this.workos.key,\n      }),\n    );\n\n    return this.prepareAuthenticationResponse({\n      authenticationResponse: deserializeAuthenticationResponse(data),\n      session,\n    });\n  }\n\n  async authenticateWithPassword(\n    payload: AuthenticateWithPasswordOptions,\n  ): Promise<AuthenticationResponse> {\n    const { session, clientId, ...remainingPayload } = payload;\n    const resolvedClientId = this.resolveClientId(clientId);\n\n    const { data } = await this.workos.post<\n      AuthenticationResponseResponse,\n      SerializedAuthenticateWithPasswordOptions\n    >(\n      '/user_management/authenticate',\n      serializeAuthenticateWithPasswordOptions({\n        ...remainingPayload,\n        clientId: resolvedClientId,\n        clientSecret: this.workos.key,\n      }),\n    );\n\n    return this.prepareAuthenticationResponse({\n      authenticationResponse: deserializeAuthenticationResponse(data),\n      session,\n    });\n  }\n\n  /**\n   * Exchange an authorization code for tokens.\n   *\n   * Auto-detects public vs confidential client mode:\n   * - If codeVerifier is provided: Uses PKCE flow (public client)\n   * - If no codeVerifier: Uses client_secret from API key (confidential client)\n   * - If both: Uses both client_secret AND codeVerifier (confidential client with PKCE)\n   *\n   * Using PKCE with confidential clients is recommended by OAuth 2.1 for defense\n   * in depth and provides additional CSRF protection on the authorization flow.\n   *\n   * @throws Error if neither codeVerifier nor API key is available\n   */\n  async authenticateWithCode(\n    payload: AuthenticateWithCodeOptions,\n  ): Promise<AuthenticationResponse> {\n    const { session, clientId, codeVerifier, ...remainingPayload } = payload;\n    const resolvedClientId = this.resolveClientId(clientId);\n\n    // Validate codeVerifier is not an empty string (common mistake)\n    if (codeVerifier !== undefined && codeVerifier.trim() === '') {\n      throw new TypeError(\n        'codeVerifier cannot be an empty string. ' +\n          'Generate a valid PKCE pair using workos.pkce.generate().',\n      );\n    }\n\n    const hasApiKey = !!this.workos.key;\n    const hasPKCE = !!codeVerifier;\n\n    if (!hasPKCE && !hasApiKey) {\n      throw new TypeError(\n        'authenticateWithCode requires either a codeVerifier (for public clients) ' +\n          'or an API key configured on the WorkOS instance (for confidential clients).',\n      );\n    }\n\n    const { data } = await this.workos.post<\n      AuthenticationResponseResponse,\n      SerializedAuthenticateWithCodeOptions\n    >(\n      '/user_management/authenticate',\n      serializeAuthenticateWithCodeOptions({\n        ...remainingPayload,\n        clientId: resolvedClientId,\n        codeVerifier,\n        clientSecret: hasApiKey ? this.workos.key : undefined,\n      }),\n      { skipApiKeyCheck: !hasApiKey },\n    );\n\n    return this.prepareAuthenticationResponse({\n      authenticationResponse: deserializeAuthenticationResponse(data),\n      session,\n    });\n  }\n\n  /**\n   * Exchange an authorization code for tokens using PKCE (public client flow).\n   * Use this instead of authenticateWithCode() when the client cannot securely\n   * store a client_secret (browser, mobile, CLI, desktop apps).\n   *\n   * @param payload.clientId - Your WorkOS client ID\n   * @param payload.code - The authorization code from the OAuth callback\n   * @param payload.codeVerifier - The PKCE code verifier used to generate the code challenge\n   */\n  async authenticateWithCodeAndVerifier(\n    payload: AuthenticateWithCodeAndVerifierOptions,\n  ): Promise<AuthenticationResponse> {\n    const { session, clientId, ...remainingPayload } = payload;\n    const resolvedClientId = this.resolveClientId(clientId);\n\n    const { data } = await this.workos.post<\n      AuthenticationResponseResponse,\n      SerializedAuthenticateWithCodeAndVerifierOptions\n    >(\n      '/user_management/authenticate',\n      serializeAuthenticateWithCodeAndVerifierOptions({\n        ...remainingPayload,\n        clientId: resolvedClientId,\n      }),\n      { skipApiKeyCheck: true },\n    );\n\n    return this.prepareAuthenticationResponse({\n      authenticationResponse: deserializeAuthenticationResponse(data),\n      session,\n    });\n  }\n\n  /**\n   * Refresh an access token using a refresh token.\n   * Automatically detects public client mode - if no API key is configured,\n   * omits client_secret from the request.\n   */\n  async authenticateWithRefreshToken(\n    payload: AuthenticateWithRefreshTokenOptions,\n  ): Promise<AuthenticationResponse> {\n    const { session, clientId, ...remainingPayload } = payload;\n    const resolvedClientId = this.resolveClientId(clientId);\n    const isPublicClient = !this.workos.key;\n\n    const body = isPublicClient\n      ? serializeAuthenticateWithRefreshTokenPublicClientOptions({\n          ...remainingPayload,\n          clientId: resolvedClientId,\n        })\n      : serializeAuthenticateWithRefreshTokenOptions({\n          ...remainingPayload,\n          clientId: resolvedClientId,\n          clientSecret: this.workos.key,\n        });\n\n    const { data } = await this.workos.post<\n      AuthenticationResponseResponse,\n      | SerializedAuthenticateWithRefreshTokenOptions\n      | SerializedAuthenticateWithRefreshTokenPublicClientOptions\n    >('/user_management/authenticate', body, {\n      skipApiKeyCheck: isPublicClient,\n    });\n\n    return this.prepareAuthenticationResponse({\n      authenticationResponse: deserializeAuthenticationResponse(data),\n      session,\n    });\n  }\n\n  async authenticateWithTotp(\n    payload: AuthenticateWithTotpOptions,\n  ): Promise<AuthenticationResponse> {\n    const { session, clientId, ...remainingPayload } = payload;\n    const resolvedClientId = this.resolveClientId(clientId);\n\n    const { data } = await this.workos.post<\n      AuthenticationResponseResponse,\n      SerializedAuthenticateWithTotpOptions\n    >(\n      '/user_management/authenticate',\n      serializeAuthenticateWithTotpOptions({\n        ...remainingPayload,\n        clientId: resolvedClientId,\n        clientSecret: this.workos.key,\n      }),\n    );\n\n    return this.prepareAuthenticationResponse({\n      authenticationResponse: deserializeAuthenticationResponse(data),\n      session,\n    });\n  }\n\n  async authenticateWithEmailVerification(\n    payload: AuthenticateWithEmailVerificationOptions,\n  ): Promise<AuthenticationResponse> {\n    const { session, clientId, ...remainingPayload } = payload;\n    const resolvedClientId = this.resolveClientId(clientId);\n\n    const { data } = await this.workos.post<\n      AuthenticationResponseResponse,\n      SerializedAuthenticateWithEmailVerificationOptions\n    >(\n      '/user_management/authenticate',\n      serializeAuthenticateWithEmailVerificationOptions({\n        ...remainingPayload,\n        clientId: resolvedClientId,\n        clientSecret: this.workos.key,\n      }),\n    );\n\n    return this.prepareAuthenticationResponse({\n      authenticationResponse: deserializeAuthenticationResponse(data),\n      session,\n    });\n  }\n\n  async authenticateWithOrganizationSelection(\n    payload: AuthenticateWithOrganizationSelectionOptions,\n  ): Promise<AuthenticationResponse> {\n    const { session, clientId, ...remainingPayload } = payload;\n    const resolvedClientId = this.resolveClientId(clientId);\n\n    const { data } = await this.workos.post<\n      AuthenticationResponseResponse,\n      SerializedAuthenticateWithOrganizationSelectionOptions\n    >(\n      '/user_management/authenticate',\n      serializeAuthenticateWithOrganizationSelectionOptions({\n        ...remainingPayload,\n        clientId: resolvedClientId,\n        clientSecret: this.workos.key,\n      }),\n    );\n\n    return this.prepareAuthenticationResponse({\n      authenticationResponse: deserializeAuthenticationResponse(data),\n      session,\n    });\n  }\n\n  async authenticateWithSessionCookie({\n    sessionData,\n    cookiePassword = getEnv('WORKOS_COOKIE_PASSWORD'),\n  }: AuthenticateWithSessionCookieOptions): Promise<\n    | AuthenticateWithSessionCookieSuccessResponse\n    | AuthenticateWithSessionCookieFailedResponse\n  > {\n    if (!cookiePassword) {\n      throw new Error('Cookie password is required');\n    }\n\n    const jwks = await this.getJWKS();\n\n    if (!jwks) {\n      throw new Error('Must provide clientId to initialize JWKS');\n    }\n\n    const { decodeJwt } = await getJose();\n\n    if (!sessionData) {\n      return {\n        authenticated: false,\n        reason:\n          AuthenticateWithSessionCookieFailureReason.NO_SESSION_COOKIE_PROVIDED,\n      };\n    }\n\n    const session = await unsealData<SessionCookieData>(sessionData, {\n      password: cookiePassword,\n    });\n\n    if (!session.accessToken) {\n      return {\n        authenticated: false,\n        reason:\n          AuthenticateWithSessionCookieFailureReason.INVALID_SESSION_COOKIE,\n      };\n    }\n\n    if (!(await this.isValidJwt(session.accessToken))) {\n      return {\n        authenticated: false,\n        reason: AuthenticateWithSessionCookieFailureReason.INVALID_JWT,\n      };\n    }\n\n    const {\n      sid: sessionId,\n      org_id: organizationId,\n      role,\n      roles,\n      permissions,\n      entitlements,\n      feature_flags: featureFlags,\n    } = decodeJwt<AccessToken>(session.accessToken);\n\n    return {\n      authenticated: true,\n      sessionId,\n      organizationId,\n      role,\n      roles,\n      user: session.user,\n      permissions,\n      entitlements,\n      featureFlags,\n      accessToken: session.accessToken,\n      authenticationMethod: session.authenticationMethod,\n    };\n  }\n\n  private async isValidJwt(accessToken: string): Promise<boolean> {\n    const jwks = await this.getJWKS();\n    const { jwtVerify } = await getJose();\n    if (!jwks) {\n      throw new Error('Must provide clientId to initialize JWKS');\n    }\n\n    try {\n      await jwtVerify(accessToken, jwks);\n      return true;\n    } catch (e) {\n      // Only treat as invalid JWT if it's an actual JWT/JWS error from jose\n      // Network errors, crypto failures, etc. should propagate\n      if (\n        e instanceof Error &&\n        'code' in e &&\n        typeof e.code === 'string' &&\n        (e.code.startsWith('ERR_JWT_') || e.code.startsWith('ERR_JWS_'))\n      ) {\n        return false;\n      }\n      throw e;\n    }\n  }\n\n  private async prepareAuthenticationResponse({\n    authenticationResponse,\n    session,\n  }: {\n    authenticationResponse: AuthenticationResponse;\n    session?: AuthenticateWithSessionOptions;\n  }): Promise<AuthenticationResponse> {\n    if (session?.sealSession) {\n      if (!this.workos.key) {\n        throw new Error(\n          'Session sealing requires server-side usage with an API key. ' +\n            'Public clients should store tokens directly ' +\n            '(e.g., secure storage on mobile, keychain on desktop).',\n        );\n      }\n\n      return {\n        ...authenticationResponse,\n        sealedSession: await this.sealSessionDataFromAuthenticationResponse({\n          authenticationResponse,\n          cookiePassword: session.cookiePassword,\n        }),\n      };\n    }\n\n    return authenticationResponse;\n  }\n\n  private async sealSessionDataFromAuthenticationResponse({\n    authenticationResponse,\n    cookiePassword,\n  }: {\n    authenticationResponse: AuthenticationResponse;\n    cookiePassword?: string;\n  }): Promise<string> {\n    if (!cookiePassword) {\n      throw new Error('Cookie password is required');\n    }\n\n    const { decodeJwt } = await getJose();\n\n    const { org_id: organizationIdFromAccessToken } = decodeJwt<AccessToken>(\n      authenticationResponse.accessToken,\n    );\n\n    const sessionData: SessionCookieData = {\n      organizationId: organizationIdFromAccessToken,\n      user: authenticationResponse.user,\n      accessToken: authenticationResponse.accessToken,\n      refreshToken: authenticationResponse.refreshToken,\n      authenticationMethod: authenticationResponse.authenticationMethod,\n      impersonator: authenticationResponse.impersonator,\n    };\n\n    return sealData(sessionData, {\n      password: cookiePassword,\n    });\n  }\n\n  async getSessionFromCookie({\n    sessionData,\n    cookiePassword = getEnv('WORKOS_COOKIE_PASSWORD'),\n  }: SessionHandlerOptions): Promise<SessionCookieData | undefined> {\n    if (!cookiePassword) {\n      throw new Error('Cookie password is required');\n    }\n\n    if (sessionData) {\n      return unsealData<SessionCookieData>(sessionData, {\n        password: cookiePassword,\n      });\n    }\n\n    return undefined;\n  }\n\n  async getEmailVerification(\n    emailVerificationId: string,\n  ): Promise<EmailVerification> {\n    const { data } = await this.workos.get<EmailVerificationResponse>(\n      `/user_management/email_verification/${emailVerificationId}`,\n    );\n\n    return deserializeEmailVerification(data);\n  }\n\n  async sendVerificationEmail({\n    userId,\n  }: SendVerificationEmailOptions): Promise<{ user: User }> {\n    const { data } = await this.workos.post<{ user: UserResponse }>(\n      `/user_management/users/${userId}/email_verification/send`,\n      {},\n    );\n\n    return { user: deserializeUser(data.user) };\n  }\n\n  async getMagicAuth(magicAuthId: string): Promise<MagicAuth> {\n    const { data } = await this.workos.get<MagicAuthResponse>(\n      `/user_management/magic_auth/${magicAuthId}`,\n    );\n\n    return deserializeMagicAuth(data);\n  }\n\n  async createMagicAuth(options: CreateMagicAuthOptions): Promise<MagicAuth> {\n    const { data } = await this.workos.post<\n      MagicAuthResponse,\n      SerializedCreateMagicAuthOptions\n    >(\n      '/user_management/magic_auth',\n      serializeCreateMagicAuthOptions({\n        ...options,\n      }),\n    );\n\n    return deserializeMagicAuth(data);\n  }\n\n  async verifyEmail({\n    code,\n    userId,\n  }: VerifyEmailOptions): Promise<{ user: User }> {\n    const { data } = await this.workos.post<\n      { user: UserResponse },\n      SerializedVerifyEmailOptions\n    >(`/user_management/users/${userId}/email_verification/confirm`, {\n      code,\n    });\n\n    return { user: deserializeUser(data.user) };\n  }\n\n  async getPasswordReset(passwordResetId: string): Promise<PasswordReset> {\n    const { data } = await this.workos.get<PasswordResetResponse>(\n      `/user_management/password_reset/${passwordResetId}`,\n    );\n\n    return deserializePasswordReset(data);\n  }\n\n  async createPasswordReset(\n    options: CreatePasswordResetOptions,\n  ): Promise<PasswordReset> {\n    const { data } = await this.workos.post<\n      PasswordResetResponse,\n      SerializedCreatePasswordResetOptions\n    >(\n      '/user_management/password_reset',\n      serializeCreatePasswordResetOptions({\n        ...options,\n      }),\n    );\n\n    return deserializePasswordReset(data);\n  }\n\n  async resetPassword(payload: ResetPasswordOptions): Promise<{ user: User }> {\n    const { data } = await this.workos.post<\n      { user: UserResponse },\n      SerializedResetPasswordOptions\n    >(\n      '/user_management/password_reset/confirm',\n      serializeResetPasswordOptions(payload),\n    );\n\n    return { user: deserializeUser(data.user) };\n  }\n\n  async updateUser(payload: UpdateUserOptions): Promise<User> {\n    const { data } = await this.workos.put<UserResponse>(\n      `/user_management/users/${payload.userId}`,\n      serializeUpdateUserOptions(payload),\n    );\n\n    return deserializeUser(data);\n  }\n\n  async enrollAuthFactor(payload: EnrollAuthFactorOptions): Promise<{\n    authenticationFactor: FactorWithSecrets;\n    authenticationChallenge: Challenge;\n  }> {\n    const { data } = await this.workos.post<{\n      authentication_factor: FactorWithSecretsResponse;\n      authentication_challenge: ChallengeResponse;\n    }>(\n      `/user_management/users/${payload.userId}/auth_factors`,\n      serializeEnrollAuthFactorOptions(payload),\n    );\n\n    return {\n      authenticationFactor: deserializeFactorWithSecrets(\n        data.authentication_factor,\n      ),\n      authenticationChallenge: deserializeChallenge(\n        data.authentication_challenge,\n      ),\n    };\n  }\n\n  async listAuthFactors(\n    options: ListAuthFactorsOptions,\n  ): Promise<AutoPaginatable<Factor, PaginationOptions>> {\n    const { userId, ...restOfOptions } = options;\n    return new AutoPaginatable(\n      await fetchAndDeserialize<FactorResponse, Factor>(\n        this.workos,\n        `/user_management/users/${userId}/auth_factors`,\n        deserializeFactor,\n        restOfOptions,\n      ),\n      (params) =>\n        fetchAndDeserialize<FactorResponse, Factor>(\n          this.workos,\n          `/user_management/users/${userId}/auth_factors`,\n          deserializeFactor,\n          params,\n        ),\n      restOfOptions,\n    );\n  }\n\n  async listUserFeatureFlags(\n    options: ListUserFeatureFlagsOptions,\n  ): Promise<AutoPaginatable<FeatureFlag>> {\n    const { userId, ...paginationOptions } = options;\n\n    return new AutoPaginatable(\n      await fetchAndDeserialize<FeatureFlagResponse, FeatureFlag>(\n        this.workos,\n        `/user_management/users/${userId}/feature-flags`,\n        deserializeFeatureFlag,\n        paginationOptions,\n      ),\n      (params) =>\n        fetchAndDeserialize<FeatureFlagResponse, FeatureFlag>(\n          this.workos,\n          `/user_management/users/${userId}/feature-flags`,\n          deserializeFeatureFlag,\n          params,\n        ),\n      paginationOptions,\n    );\n  }\n\n  async listSessions(\n    userId: string,\n    options?: ListSessionsOptions,\n  ): Promise<AutoPaginatable<Session, SerializedListSessionsOptions>> {\n    return new AutoPaginatable(\n      await fetchAndDeserialize<SessionResponse, Session>(\n        this.workos,\n        `/user_management/users/${userId}/sessions`,\n        deserializeSession,\n        options ? serializeListSessionsOptions(options) : undefined,\n      ),\n      (params) =>\n        fetchAndDeserialize<SessionResponse, Session>(\n          this.workos,\n          `/user_management/users/${userId}/sessions`,\n          deserializeSession,\n          params,\n        ),\n      options ? serializeListSessionsOptions(options) : undefined,\n    );\n  }\n\n  async deleteUser(userId: string) {\n    await this.workos.delete(`/user_management/users/${userId}`);\n  }\n\n  async getUserIdentities(userId: string): Promise<Identity[]> {\n    if (!userId) {\n      throw new TypeError(`Incomplete arguments. Need to specify 'userId'.`);\n    }\n\n    const { data } = await this.workos.get<IdentityResponse[]>(\n      `/user_management/users/${userId}/identities`,\n    );\n\n    return deserializeIdentities(data);\n  }\n\n  async getOrganizationMembership(\n    organizationMembershipId: string,\n  ): Promise<OrganizationMembership> {\n    const { data } = await this.workos.get<OrganizationMembershipResponse>(\n      `/user_management/organization_memberships/${organizationMembershipId}`,\n    );\n\n    return deserializeOrganizationMembership(data);\n  }\n\n  async listOrganizationMemberships(\n    options: ListOrganizationMembershipsOptions,\n  ): Promise<\n    AutoPaginatable<\n      OrganizationMembership,\n      SerializedListOrganizationMembershipsOptions\n    >\n  > {\n    const serializedOptions =\n      serializeListOrganizationMembershipsOptions(options);\n\n    return new AutoPaginatable(\n      await fetchAndDeserialize<\n        OrganizationMembershipResponse,\n        OrganizationMembership\n      >(\n        this.workos,\n        '/user_management/organization_memberships',\n        deserializeOrganizationMembership,\n        serializedOptions,\n      ),\n      (params) =>\n        fetchAndDeserialize<\n          OrganizationMembershipResponse,\n          OrganizationMembership\n        >(\n          this.workos,\n          '/user_management/organization_memberships',\n          deserializeOrganizationMembership,\n          params,\n        ),\n      serializedOptions,\n    );\n  }\n\n  async createOrganizationMembership(\n    options: CreateOrganizationMembershipOptions,\n  ): Promise<OrganizationMembership> {\n    const { data } = await this.workos.post<\n      OrganizationMembershipResponse,\n      SerializedCreateOrganizationMembershipOptions\n    >(\n      '/user_management/organization_memberships',\n      serializeCreateOrganizationMembershipOptions(options),\n    );\n\n    return deserializeOrganizationMembership(data);\n  }\n\n  async updateOrganizationMembership(\n    organizationMembershipId: string,\n    options: UpdateOrganizationMembershipOptions,\n  ): Promise<OrganizationMembership> {\n    const { data } = await this.workos.put<\n      OrganizationMembershipResponse,\n      SerializedUpdateOrganizationMembershipOptions\n    >(\n      `/user_management/organization_memberships/${organizationMembershipId}`,\n      serializeUpdateOrganizationMembershipOptions(options),\n    );\n\n    return deserializeOrganizationMembership(data);\n  }\n\n  async deleteOrganizationMembership(\n    organizationMembershipId: string,\n  ): Promise<void> {\n    await this.workos.delete(\n      `/user_management/organization_memberships/${organizationMembershipId}`,\n    );\n  }\n\n  async deactivateOrganizationMembership(\n    organizationMembershipId: string,\n  ): Promise<OrganizationMembership> {\n    const { data } = await this.workos.put<OrganizationMembershipResponse>(\n      `/user_management/organization_memberships/${organizationMembershipId}/deactivate`,\n      {},\n    );\n\n    return deserializeOrganizationMembership(data);\n  }\n\n  async reactivateOrganizationMembership(\n    organizationMembershipId: string,\n  ): Promise<OrganizationMembership> {\n    const { data } = await this.workos.put<OrganizationMembershipResponse>(\n      `/user_management/organization_memberships/${organizationMembershipId}/reactivate`,\n      {},\n    );\n\n    return deserializeOrganizationMembership(data);\n  }\n\n  async getInvitation(invitationId: string): Promise<Invitation> {\n    const { data } = await this.workos.get<InvitationResponse>(\n      `/user_management/invitations/${invitationId}`,\n    );\n\n    return deserializeInvitation(data);\n  }\n\n  async findInvitationByToken(invitationToken: string): Promise<Invitation> {\n    const { data } = await this.workos.get<InvitationResponse>(\n      `/user_management/invitations/by_token/${invitationToken}`,\n    );\n\n    return deserializeInvitation(data);\n  }\n\n  async listInvitations(\n    options: ListInvitationsOptions,\n  ): Promise<AutoPaginatable<Invitation, SerializedListInvitationsOptions>> {\n    return new AutoPaginatable(\n      await fetchAndDeserialize<InvitationResponse, Invitation>(\n        this.workos,\n        '/user_management/invitations',\n        deserializeInvitation,\n        options ? serializeListInvitationsOptions(options) : undefined,\n      ),\n      (params) =>\n        fetchAndDeserialize<InvitationResponse, Invitation>(\n          this.workos,\n          '/user_management/invitations',\n          deserializeInvitation,\n          params,\n        ),\n      options ? serializeListInvitationsOptions(options) : undefined,\n    );\n  }\n\n  async sendInvitation(payload: SendInvitationOptions): Promise<Invitation> {\n    const { data } = await this.workos.post<\n      InvitationResponse,\n      SerializedSendInvitationOptions\n    >(\n      '/user_management/invitations',\n      serializeSendInvitationOptions({\n        ...payload,\n      }),\n    );\n\n    return deserializeInvitation(data);\n  }\n\n  async acceptInvitation(invitationId: string): Promise<Invitation> {\n    const { data } = await this.workos.post<InvitationResponse, any>(\n      `/user_management/invitations/${invitationId}/accept`,\n      null,\n    );\n\n    return deserializeInvitation(data);\n  }\n\n  async revokeInvitation(invitationId: string): Promise<Invitation> {\n    const { data } = await this.workos.post<InvitationResponse, any>(\n      `/user_management/invitations/${invitationId}/revoke`,\n      null,\n    );\n\n    return deserializeInvitation(data);\n  }\n\n  async resendInvitation(\n    invitationId: string,\n    options?: ResendInvitationOptions,\n  ): Promise<Invitation> {\n    const { data } = await this.workos.post<\n      InvitationResponse,\n      SerializedResendInvitationOptions\n    >(\n      `/user_management/invitations/${invitationId}/resend`,\n      options ? serializeResendInvitationOptions(options) : {},\n    );\n\n    return deserializeInvitation(data);\n  }\n\n  async revokeSession(payload: RevokeSessionOptions): Promise<void> {\n    await this.workos.post<void, SerializedRevokeSessionOptions>(\n      '/user_management/sessions/revoke',\n      serializeRevokeSessionOptions(payload),\n    );\n  }\n\n  /**\n   * Generate an OAuth 2.0 authorization URL.\n   *\n   * For public clients (browser, mobile, CLI), include PKCE parameters:\n   * - Generate PKCE using workos.pkce.generate()\n   * - Pass codeChallenge and codeChallengeMethod here\n   * - Store codeVerifier and pass to authenticateWithCode() later\n   *\n   * Or use getAuthorizationUrlWithPKCE() which handles PKCE automatically.\n   */\n  getAuthorizationUrl(options: UserManagementAuthorizationURLOptions): string {\n    const {\n      connectionId,\n      codeChallenge,\n      codeChallengeMethod,\n      clientId,\n      domainHint,\n      loginHint,\n      organizationId,\n      provider,\n      providerQueryParams,\n      providerScopes,\n      prompt,\n      redirectUri,\n      state,\n      screenHint,\n    } = options;\n    const resolvedClientId = this.resolveClientId(clientId);\n\n    if (!provider && !connectionId && !organizationId) {\n      throw new TypeError(\n        `Incomplete arguments. Need to specify either a 'connectionId', 'organizationId', or 'provider'.`,\n      );\n    }\n\n    if (provider !== 'authkit' && screenHint) {\n      throw new TypeError(\n        `'screenHint' is only supported for 'authkit' provider`,\n      );\n    }\n\n    const query = toQueryString({\n      connection_id: connectionId,\n      code_challenge: codeChallenge,\n      code_challenge_method: codeChallengeMethod,\n      organization_id: organizationId,\n      domain_hint: domainHint,\n      login_hint: loginHint,\n      provider,\n      provider_query_params: providerQueryParams,\n      provider_scopes: providerScopes,\n      prompt,\n      client_id: resolvedClientId,\n      redirect_uri: redirectUri,\n      response_type: 'code',\n      state,\n      screen_hint: screenHint,\n    });\n\n    return `${this.workos.baseURL}/user_management/authorize?${query}`;\n  }\n\n  /**\n   * Generate an OAuth 2.0 authorization URL with automatic PKCE.\n   *\n   * This method generates PKCE parameters internally and returns them along with\n   * the authorization URL. Use this for public clients (CLI apps, Electron, mobile)\n   * that cannot securely store a client secret.\n   *\n   * @returns Object containing url, state, and codeVerifier\n   *\n   * @example\n   * ```typescript\n   * const { url, state, codeVerifier } = await workos.userManagement.getAuthorizationUrlWithPKCE({\n   *   provider: 'authkit',\n   *   clientId: 'client_123',\n   *   redirectUri: 'myapp://callback',\n   * });\n   *\n   * // Store state and codeVerifier securely, then redirect user to url\n   * // After callback, exchange the code:\n   * const response = await workos.userManagement.authenticateWithCode({\n   *   code: authorizationCode,\n   *   codeVerifier,\n   *   clientId: 'client_123',\n   * });\n   * ```\n   */\n  async getAuthorizationUrlWithPKCE(\n    options: Omit<\n      UserManagementAuthorizationURLOptions,\n      'codeChallenge' | 'codeChallengeMethod' | 'state'\n    >,\n  ): Promise<PKCEAuthorizationURLResult> {\n    const {\n      clientId,\n      connectionId,\n      domainHint,\n      loginHint,\n      organizationId,\n      provider,\n      providerQueryParams,\n      providerScopes,\n      prompt,\n      redirectUri,\n      screenHint,\n    } = options;\n    const resolvedClientId = this.resolveClientId(clientId);\n\n    if (!provider && !connectionId && !organizationId) {\n      throw new TypeError(\n        `Incomplete arguments. Need to specify either a 'connectionId', 'organizationId', or 'provider'.`,\n      );\n    }\n\n    if (provider !== 'authkit' && screenHint) {\n      throw new TypeError(\n        `'screenHint' is only supported for 'authkit' provider`,\n      );\n    }\n\n    // Generate PKCE parameters\n    const pkce = await this.workos.pkce.generate();\n\n    // Generate secure random state\n    const state = this.workos.pkce.generateCodeVerifier(43);\n\n    const query = toQueryString({\n      connection_id: connectionId,\n      code_challenge: pkce.codeChallenge,\n      code_challenge_method: 'S256',\n      organization_id: organizationId,\n      domain_hint: domainHint,\n      login_hint: loginHint,\n      provider,\n      provider_query_params: providerQueryParams,\n      provider_scopes: providerScopes,\n      prompt,\n      client_id: resolvedClientId,\n      redirect_uri: redirectUri,\n      response_type: 'code',\n      state,\n      screen_hint: screenHint,\n    });\n\n    const url = `${this.workos.baseURL}/user_management/authorize?${query}`;\n\n    return { url, state, codeVerifier: pkce.codeVerifier };\n  }\n\n  getLogoutUrl(options: LogoutURLOptions): string {\n    const { sessionId, returnTo } = options;\n\n    if (!sessionId) {\n      throw new TypeError(`Incomplete arguments. Need to specify 'sessionId'.`);\n    }\n\n    const url = new URL(\n      '/user_management/sessions/logout',\n      this.workos.baseURL,\n    );\n\n    url.searchParams.set('session_id', sessionId);\n    if (returnTo) {\n      url.searchParams.set('return_to', returnTo);\n    }\n\n    return url.toString();\n  }\n\n  getJwksUrl(clientId: string): string {\n    if (!clientId) {\n      throw new TypeError('clientId must be a valid clientId');\n    }\n\n    return `${this.workos.baseURL}/sso/jwks/${clientId}`;\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAsKA,IAAa,iBAAb,MAA4B;CAC1B,AAAQ;CAGR,AAAO;CAEP,YAAY,AAAiBA,QAAgB;EAAhB;EAC3B,MAAM,EAAE,aAAa,OAAO;AAE5B,OAAK,WAAW;;;;;;CAOlB,AAAQ,gBAAgB,UAA2B;EACjD,MAAM,WAAW,YAAY,KAAK;AAClC,MAAI,CAAC,SACH,OAAM,IAAI,UACR,kFACD;AAEH,SAAO;;CAGT,MAAM,UAEJ;EACA,MAAM,EAAE,uBAAuB,MAAMC,sBAAS;AAC9C,MAAI,CAAC,KAAK,SACR;AAIF,OAAK,UAAU,mBAAmB,IAAI,IAAI,KAAK,WAAW,KAAK,SAAS,CAAC,EAAE,EACzE,kBAAkB,MAAO,KAAK,GAC/B,CAAC;AAEF,SAAO,KAAK;;;;;;;;;;CAWd,kBAAkB,SAGA;AAChB,SAAO,IAAIC,8BAAc,MAAM,QAAQ,aAAa,QAAQ,eAAe;;CAG7E,MAAM,QAAQ,QAA+B;EAC3C,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,0BAA0B,SAC3B;AAED,SAAOC,wCAAgB,KAAK;;CAG9B,MAAM,oBAAoB,YAAmC;EAC3D,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,sCAAsC,aACvC;AAED,SAAOA,wCAAgB,KAAK;;CAG9B,MAAM,UACJ,SAC4D;AAC5D,SAAO,IAAIC,mCACT,MAAMC,kDACJ,KAAK,QACL,0BACAF,yCACA,UAAUG,gEAA0B,QAAQ,GAAG,OAChD,GACA,WACCD,kDACE,KAAK,QACL,0BACAF,yCACA,OACD,EACH,UAAUG,gEAA0B,QAAQ,GAAG,OAChD;;CAGH,MAAM,WAAW,SAA2C;EAC1D,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAGjC,0BAA0BC,kEAA2B,QAAQ,CAAC;AAEhE,SAAOJ,wCAAgB,KAAK;;CAG9B,MAAM,0BACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,GAAG,qBAAqB;EACnD,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;EAEvD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACAK,kGAA0C;GACxC,GAAG;GACH,UAAU;GACV,cAAc,KAAK,OAAO;GAC3B,CAAC,CACH;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwBC,6EAAkC,KAAK;GAC/D;GACD,CAAC;;CAGJ,MAAM,yBACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,GAAG,qBAAqB;EACnD,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;EAEvD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACAC,+FAAyC;GACvC,GAAG;GACH,UAAU;GACV,cAAc,KAAK,OAAO;GAC3B,CAAC,CACH;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwBD,6EAAkC,KAAK;GAC/D;GACD,CAAC;;;;;;;;;;;;;;;CAgBJ,MAAM,qBACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,cAAc,GAAG,qBAAqB;EACjE,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;AAGvD,MAAI,iBAAiB,UAAa,aAAa,MAAM,KAAK,GACxD,OAAM,IAAI,UACR,mGAED;EAGH,MAAM,YAAY,CAAC,CAAC,KAAK,OAAO;AAGhC,MAAI,CAFY,CAAC,CAAC,gBAEF,CAAC,UACf,OAAM,IAAI,UACR,uJAED;EAGH,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACAE,uFAAqC;GACnC,GAAG;GACH,UAAU;GACV;GACA,cAAc,YAAY,KAAK,OAAO,MAAM;GAC7C,CAAC,EACF,EAAE,iBAAiB,CAAC,WAAW,CAChC;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwBF,6EAAkC,KAAK;GAC/D;GACD,CAAC;;;;;;;;;;;CAYJ,MAAM,gCACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,GAAG,qBAAqB;EACnD,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;EAEvD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACAG,+GAAgD;GAC9C,GAAG;GACH,UAAU;GACX,CAAC,EACF,EAAE,iBAAiB,MAAM,CAC1B;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwBH,6EAAkC,KAAK;GAC/D;GACD,CAAC;;;;;;;CAQJ,MAAM,6BACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,GAAG,qBAAqB;EACnD,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;EACvD,MAAM,iBAAiB,CAAC,KAAK,OAAO;EAEpC,MAAM,OAAO,iBACTI,kIAAyD;GACvD,GAAG;GACH,UAAU;GACX,CAAC,GACFC,wGAA6C;GAC3C,GAAG;GACH,UAAU;GACV,cAAc,KAAK,OAAO;GAC3B,CAAC;EAEN,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCAAiC,MAAM,EACvC,iBAAiB,gBAClB,CAAC;AAEF,SAAO,KAAK,8BAA8B;GACxC,wBAAwBL,6EAAkC,KAAK;GAC/D;GACD,CAAC;;CAGJ,MAAM,qBACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,GAAG,qBAAqB;EACnD,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;EAEvD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACAM,uFAAqC;GACnC,GAAG;GACH,UAAU;GACV,cAAc,KAAK,OAAO;GAC3B,CAAC,CACH;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwBN,6EAAkC,KAAK;GAC/D;GACD,CAAC;;CAGJ,MAAM,kCACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,GAAG,qBAAqB;EACnD,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;EAEvD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACAO,0GAAkD;GAChD,GAAG;GACH,UAAU;GACV,cAAc,KAAK,OAAO;GAC3B,CAAC,CACH;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwBP,6EAAkC,KAAK;GAC/D;GACD,CAAC;;CAGJ,MAAM,sCACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,GAAG,qBAAqB;EACnD,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;EAEvD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACAQ,0HAAsD;GACpD,GAAG;GACH,UAAU;GACV,cAAc,KAAK,OAAO;GAC3B,CAAC,CACH;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwBR,6EAAkC,KAAK;GAC/D;GACD,CAAC;;CAGJ,MAAM,8BAA8B,EAClC,aACA,iBAAiBS,mBAAO,yBAAyB,IAIjD;AACA,MAAI,CAAC,eACH,OAAM,IAAI,MAAM,8BAA8B;AAKhD,MAAI,CAFS,MAAM,KAAK,SAAS,CAG/B,OAAM,IAAI,MAAM,2CAA2C;EAG7D,MAAM,EAAE,cAAc,MAAMjB,sBAAS;AAErC,MAAI,CAAC,YACH,QAAO;GACL,eAAe;GACf,QACEkB,8FAA2C;GAC9C;EAGH,MAAM,UAAU,MAAMC,wBAA8B,aAAa,EAC/D,UAAU,gBACX,CAAC;AAEF,MAAI,CAAC,QAAQ,YACX,QAAO;GACL,eAAe;GACf,QACED,8FAA2C;GAC9C;AAGH,MAAI,CAAE,MAAM,KAAK,WAAW,QAAQ,YAAY,CAC9C,QAAO;GACL,eAAe;GACf,QAAQA,8FAA2C;GACpD;EAGH,MAAM,EACJ,KAAK,WACL,QAAQ,gBACR,MACA,OACA,aACA,cACA,eAAe,iBACb,UAAuB,QAAQ,YAAY;AAE/C,SAAO;GACL,eAAe;GACf;GACA;GACA;GACA;GACA,MAAM,QAAQ;GACd;GACA;GACA;GACA,aAAa,QAAQ;GACrB,sBAAsB,QAAQ;GAC/B;;CAGH,MAAc,WAAW,aAAuC;EAC9D,MAAM,OAAO,MAAM,KAAK,SAAS;EACjC,MAAM,EAAE,cAAc,MAAMlB,sBAAS;AACrC,MAAI,CAAC,KACH,OAAM,IAAI,MAAM,2CAA2C;AAG7D,MAAI;AACF,SAAM,UAAU,aAAa,KAAK;AAClC,UAAO;WACA,GAAG;AAGV,OACE,aAAa,SACb,UAAU,KACV,OAAO,EAAE,SAAS,aACjB,EAAE,KAAK,WAAW,WAAW,IAAI,EAAE,KAAK,WAAW,WAAW,EAE/D,QAAO;AAET,SAAM;;;CAIV,MAAc,8BAA8B,EAC1C,wBACA,WAIkC;AAClC,MAAI,SAAS,aAAa;AACxB,OAAI,CAAC,KAAK,OAAO,IACf,OAAM,IAAI,MACR,iKAGD;AAGH,UAAO;IACL,GAAG;IACH,eAAe,MAAM,KAAK,0CAA0C;KAClE;KACA,gBAAgB,QAAQ;KACzB,CAAC;IACH;;AAGH,SAAO;;CAGT,MAAc,0CAA0C,EACtD,wBACA,kBAIkB;AAClB,MAAI,CAAC,eACH,OAAM,IAAI,MAAM,8BAA8B;EAGhD,MAAM,EAAE,cAAc,MAAMA,sBAAS;EAErC,MAAM,EAAE,QAAQ,kCAAkC,UAChD,uBAAuB,YACxB;AAWD,SAAOoB,sBATgC;GACrC,gBAAgB;GAChB,MAAM,uBAAuB;GAC7B,aAAa,uBAAuB;GACpC,cAAc,uBAAuB;GACrC,sBAAsB,uBAAuB;GAC7C,cAAc,uBAAuB;GACtC,EAE4B,EAC3B,UAAU,gBACX,CAAC;;CAGJ,MAAM,qBAAqB,EACzB,aACA,iBAAiBH,mBAAO,yBAAyB,IACe;AAChE,MAAI,CAAC,eACH,OAAM,IAAI,MAAM,8BAA8B;AAGhD,MAAI,YACF,QAAOE,wBAA8B,aAAa,EAChD,UAAU,gBACX,CAAC;;CAMN,MAAM,qBACJ,qBAC4B;EAC5B,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,uCAAuC,sBACxC;AAED,SAAOE,mEAA6B,KAAK;;CAG3C,MAAM,sBAAsB,EAC1B,UACwD;EACxD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KACjC,0BAA0B,OAAO,2BACjC,EAAE,CACH;AAED,SAAO,EAAE,MAAMnB,wCAAgB,KAAK,KAAK,EAAE;;CAG7C,MAAM,aAAa,aAAyC;EAC1D,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,+BAA+B,cAChC;AAED,SAAOoB,mDAAqB,KAAK;;CAGnC,MAAM,gBAAgB,SAAqD;EACzE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,+BACAC,6EAAgC,EAC9B,GAAG,SACJ,CAAC,CACH;AAED,SAAOD,mDAAqB,KAAK;;CAGnC,MAAM,YAAY,EAChB,MACA,UAC8C;EAC9C,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAGjC,0BAA0B,OAAO,8BAA8B,EAC/D,MACD,CAAC;AAEF,SAAO,EAAE,MAAMpB,wCAAgB,KAAK,KAAK,EAAE;;CAG7C,MAAM,iBAAiB,iBAAiD;EACtE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,mCAAmC,kBACpC;AAED,SAAOsB,2DAAyB,KAAK;;CAGvC,MAAM,oBACJ,SACwB;EACxB,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,mCACAC,qFAAoC,EAClC,GAAG,SACJ,CAAC,CACH;AAED,SAAOD,2DAAyB,KAAK;;CAGvC,MAAM,cAAc,SAAwD;EAC1E,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,2CACAE,wEAA8B,QAAQ,CACvC;AAED,SAAO,EAAE,MAAMxB,wCAAgB,KAAK,KAAK,EAAE;;CAG7C,MAAM,WAAW,SAA2C;EAC1D,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,0BAA0B,QAAQ,UAClCyB,kEAA2B,QAAQ,CACpC;AAED,SAAOzB,wCAAgB,KAAK;;CAG9B,MAAM,iBAAiB,SAGpB;EACD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,0BAA0B,QAAQ,OAAO,gBACzC0B,+EAAiC,QAAQ,CAC1C;AAED,SAAO;GACL,sBAAsBC,uDACpB,KAAK,sBACN;GACD,yBAAyBC,kDACvB,KAAK,yBACN;GACF;;CAGH,MAAM,gBACJ,SACqD;EACrD,MAAM,EAAE,QAAQ,GAAG,kBAAkB;AACrC,SAAO,IAAI3B,mCACT,MAAMC,kDACJ,KAAK,QACL,0BAA0B,OAAO,gBACjC2B,6CACA,cACD,GACA,WACC3B,kDACE,KAAK,QACL,0BAA0B,OAAO,gBACjC2B,6CACA,OACD,EACH,cACD;;CAGH,MAAM,qBACJ,SACuC;EACvC,MAAM,EAAE,QAAQ,GAAG,sBAAsB;AAEzC,SAAO,IAAI5B,mCACT,MAAMC,kDACJ,KAAK,QACL,0BAA0B,OAAO,iBACjC4B,wDACA,kBACD,GACA,WACC5B,kDACE,KAAK,QACL,0BAA0B,OAAO,iBACjC4B,wDACA,OACD,EACH,kBACD;;CAGH,MAAM,aACJ,QACA,SACkE;AAClE,SAAO,IAAI7B,mCACT,MAAMC,kDACJ,KAAK,QACL,0BAA0B,OAAO,YACjC6B,+CACA,UAAUC,sEAA6B,QAAQ,GAAG,OACnD,GACA,WACC9B,kDACE,KAAK,QACL,0BAA0B,OAAO,YACjC6B,+CACA,OACD,EACH,UAAUC,sEAA6B,QAAQ,GAAG,OACnD;;CAGH,MAAM,WAAW,QAAgB;AAC/B,QAAM,KAAK,OAAO,OAAO,0BAA0B,SAAS;;CAG9D,MAAM,kBAAkB,QAAqC;AAC3D,MAAI,CAAC,OACH,OAAM,IAAI,UAAU,kDAAkD;EAGxE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,0BAA0B,OAAO,aAClC;AAED,SAAOC,kDAAsB,KAAK;;CAGpC,MAAM,0BACJ,0BACiC;EACjC,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,6CAA6C,2BAC9C;AAED,SAAOC,6EAAkC,KAAK;;CAGhD,MAAM,4BACJ,SAMA;EACA,MAAM,oBACJC,qGAA4C,QAAQ;AAEtD,SAAO,IAAIlC,mCACT,MAAMC,kDAIJ,KAAK,QACL,6CACAgC,8EACA,kBACD,GACA,WACChC,kDAIE,KAAK,QACL,6CACAgC,8EACA,OACD,EACH,kBACD;;CAGH,MAAM,6BACJ,SACiC;EACjC,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,6CACAE,uGAA6C,QAAQ,CACtD;AAED,SAAOF,6EAAkC,KAAK;;CAGhD,MAAM,6BACJ,0BACA,SACiC;EACjC,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IAIjC,6CAA6C,4BAC7CG,uGAA6C,QAAQ,CACtD;AAED,SAAOH,6EAAkC,KAAK;;CAGhD,MAAM,6BACJ,0BACe;AACf,QAAM,KAAK,OAAO,OAChB,6CAA6C,2BAC9C;;CAGH,MAAM,iCACJ,0BACiC;EACjC,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,6CAA6C,yBAAyB,cACtE,EAAE,CACH;AAED,SAAOA,6EAAkC,KAAK;;CAGhD,MAAM,iCACJ,0BACiC;EACjC,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,6CAA6C,yBAAyB,cACtE,EAAE,CACH;AAED,SAAOA,6EAAkC,KAAK;;CAGhD,MAAM,cAAc,cAA2C;EAC7D,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,gCAAgC,eACjC;AAED,SAAOI,oDAAsB,KAAK;;CAGpC,MAAM,sBAAsB,iBAA8C;EACxE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,yCAAyC,kBAC1C;AAED,SAAOA,oDAAsB,KAAK;;CAGpC,MAAM,gBACJ,SACwE;AACxE,SAAO,IAAIrC,mCACT,MAAMC,kDACJ,KAAK,QACL,gCACAoC,qDACA,UAAUC,4EAAgC,QAAQ,GAAG,OACtD,GACA,WACCrC,kDACE,KAAK,QACL,gCACAoC,qDACA,OACD,EACH,UAAUC,4EAAgC,QAAQ,GAAG,OACtD;;CAGH,MAAM,eAAe,SAAqD;EACxE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,gCACAC,0EAA+B,EAC7B,GAAG,SACJ,CAAC,CACH;AAED,SAAOF,oDAAsB,KAAK;;CAGpC,MAAM,iBAAiB,cAA2C;EAChE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KACjC,gCAAgC,aAAa,UAC7C,KACD;AAED,SAAOA,oDAAsB,KAAK;;CAGpC,MAAM,iBAAiB,cAA2C;EAChE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KACjC,gCAAgC,aAAa,UAC7C,KACD;AAED,SAAOA,oDAAsB,KAAK;;CAGpC,MAAM,iBACJ,cACA,SACqB;EACrB,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,gCAAgC,aAAa,UAC7C,UAAUG,8EAAiC,QAAQ,GAAG,EAAE,CACzD;AAED,SAAOH,oDAAsB,KAAK;;CAGpC,MAAM,cAAc,SAA8C;AAChE,QAAM,KAAK,OAAO,KAChB,oCACAI,uEAA8B,QAAQ,CACvC;;;;;;;;;;;;CAaH,oBAAoB,SAAwD;EAC1E,MAAM,EACJ,cACA,eACA,qBACA,UACA,YACA,WACA,gBACA,UACA,qBACA,gBACA,QACA,aACA,OACA,eACE;EACJ,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;AAEvD,MAAI,CAAC,YAAY,CAAC,gBAAgB,CAAC,eACjC,OAAM,IAAI,UACR,kGACD;AAGH,MAAI,aAAa,aAAa,WAC5B,OAAM,IAAI,UACR,wDACD;EAGH,MAAM,QAAQC,mCAAc;GAC1B,eAAe;GACf,gBAAgB;GAChB,uBAAuB;GACvB,iBAAiB;GACjB,aAAa;GACb,YAAY;GACZ;GACA,uBAAuB;GACvB,iBAAiB;GACjB;GACA,WAAW;GACX,cAAc;GACd,eAAe;GACf;GACA,aAAa;GACd,CAAC;AAEF,SAAO,GAAG,KAAK,OAAO,QAAQ,6BAA6B;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA6B7D,MAAM,4BACJ,SAIqC;EACrC,MAAM,EACJ,UACA,cACA,YACA,WACA,gBACA,UACA,qBACA,gBACA,QACA,aACA,eACE;EACJ,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;AAEvD,MAAI,CAAC,YAAY,CAAC,gBAAgB,CAAC,eACjC,OAAM,IAAI,UACR,kGACD;AAGH,MAAI,aAAa,aAAa,WAC5B,OAAM,IAAI,UACR,wDACD;EAIH,MAAM,OAAO,MAAM,KAAK,OAAO,KAAK,UAAU;EAG9C,MAAM,QAAQ,KAAK,OAAO,KAAK,qBAAqB,GAAG;EAEvD,MAAM,QAAQA,mCAAc;GAC1B,eAAe;GACf,gBAAgB,KAAK;GACrB,uBAAuB;GACvB,iBAAiB;GACjB,aAAa;GACb,YAAY;GACZ;GACA,uBAAuB;GACvB,iBAAiB;GACjB;GACA,WAAW;GACX,cAAc;GACd,eAAe;GACf;GACA,aAAa;GACd,CAAC;AAIF,SAAO;GAAE,KAFG,GAAG,KAAK,OAAO,QAAQ,6BAA6B;GAElD;GAAO,cAAc,KAAK;GAAc;;CAGxD,aAAa,SAAmC;EAC9C,MAAM,EAAE,WAAW,aAAa;AAEhC,MAAI,CAAC,UACH,OAAM,IAAI,UAAU,qDAAqD;EAG3E,MAAM,MAAM,IAAI,IACd,oCACA,KAAK,OAAO,QACb;AAED,MAAI,aAAa,IAAI,cAAc,UAAU;AAC7C,MAAI,SACF,KAAI,aAAa,IAAI,aAAa,SAAS;AAG7C,SAAO,IAAI,UAAU;;CAGvB,WAAW,UAA0B;AACnC,MAAI,CAAC,SACH,OAAM,IAAI,UAAU,oCAAoC;AAG1D,SAAO,GAAG,KAAK,OAAO,QAAQ,YAAY"}
+{"version":3,"file":"user-management-CJj1rMco.cjs","names":["workos: WorkOS","getJose","CookieSession","deserializeUser","AutoPaginatable","fetchAndDeserialize","serializeListUsersOptions","serializeCreateUserOptions","serializeAuthenticateWithMagicAuthOptions","deserializeAuthenticationResponse","serializeAuthenticateWithPasswordOptions","serializeAuthenticateWithCodeOptions","serializeAuthenticateWithCodeAndVerifierOptions","serializeAuthenticateWithRefreshTokenPublicClientOptions","serializeAuthenticateWithRefreshTokenOptions","serializeAuthenticateWithTotpOptions","serializeAuthenticateWithEmailVerificationOptions","serializeAuthenticateWithOrganizationSelectionOptions","getEnv","AuthenticateWithSessionCookieFailureReason","unsealData","sealData","deserializeEmailVerification","deserializeMagicAuth","serializeCreateMagicAuthOptions","deserializePasswordReset","serializeCreatePasswordResetOptions","serializeResetPasswordOptions","serializeUpdateUserOptions","serializeEnrollAuthFactorOptions","deserializeFactorWithSecrets","deserializeChallenge","deserializeFactor","deserializeFeatureFlag","deserializeSession","serializeListSessionsOptions","deserializeIdentities","deserializeOrganizationMembership","serializeListOrganizationMembershipsOptions","serializeCreateOrganizationMembershipOptions","serializeUpdateOrganizationMembershipOptions","deserializeInvitation","serializeListInvitationsOptions","serializeSendInvitationOptions","serializeResendInvitationOptions","serializeRevokeSessionOptions","toQueryString"],"sources":["../src/user-management/user-management.ts"],"sourcesContent":["import { sealData, unsealData } from '../common/crypto/seal';\nimport { PaginationOptions } from '../common/interfaces/pagination-options.interface';\nimport { fetchAndDeserialize } from '../common/utils/fetch-and-deserialize';\nimport { AutoPaginatable } from '../common/utils/pagination';\nimport { getEnv } from '../common/utils/env';\nimport { toQueryString } from '../common/utils/query-string';\nimport { Challenge, ChallengeResponse } from '../mfa/interfaces';\nimport { deserializeChallenge } from '../mfa/serializers';\nimport {\n  FeatureFlag,\n  FeatureFlagResponse,\n} from '../feature-flags/interfaces/feature-flag.interface';\nimport { deserializeFeatureFlag } from '../feature-flags/serializers';\nimport { WorkOS } from '../workos';\nimport {\n  AuthenticateWithCodeAndVerifierOptions,\n  AuthenticateWithCodeOptions,\n  AuthenticateWithMagicAuthOptions,\n  AuthenticateWithPasswordOptions,\n  AuthenticateWithRefreshTokenOptions,\n  AuthenticateWithSessionOptions,\n  AuthenticateWithTotpOptions,\n  AuthenticationResponse,\n  AuthenticationResponseResponse,\n  CreateMagicAuthOptions,\n  CreatePasswordResetOptions,\n  CreateUserOptions,\n  EmailVerification,\n  EmailVerificationResponse,\n  EnrollAuthFactorOptions,\n  ListAuthFactorsOptions,\n  ListSessionsOptions,\n  ListUsersOptions,\n  ListUserFeatureFlagsOptions,\n  LogoutURLOptions,\n  MagicAuth,\n  MagicAuthResponse,\n  PasswordReset,\n  PasswordResetResponse,\n  ResetPasswordOptions,\n  SendVerificationEmailOptions,\n  SerializedAuthenticateWithCodeAndVerifierOptions,\n  SerializedAuthenticateWithCodeOptions,\n  SerializedAuthenticateWithMagicAuthOptions,\n  SerializedAuthenticateWithPasswordOptions,\n  SerializedAuthenticateWithRefreshTokenOptions,\n  SerializedAuthenticateWithRefreshTokenPublicClientOptions,\n  SerializedAuthenticateWithTotpOptions,\n  SerializedCreateMagicAuthOptions,\n  SerializedCreatePasswordResetOptions,\n  SerializedCreateUserOptions,\n  SerializedListSessionsOptions,\n  SerializedListUsersOptions,\n  SerializedResetPasswordOptions,\n  SerializedVerifyEmailOptions,\n  Session,\n  SessionResponse,\n  UpdateUserOptions,\n  User,\n  UserResponse,\n  VerifyEmailOptions,\n} from './interfaces';\nimport {\n  AuthenticateWithEmailVerificationOptions,\n  SerializedAuthenticateWithEmailVerificationOptions,\n} from './interfaces/authenticate-with-email-verification-options.interface';\nimport {\n  AuthenticateWithOrganizationSelectionOptions,\n  SerializedAuthenticateWithOrganizationSelectionOptions,\n} from './interfaces/authenticate-with-organization-selection.interface';\nimport {\n  AccessToken,\n  AuthenticateWithSessionCookieFailedResponse,\n  AuthenticateWithSessionCookieFailureReason,\n  AuthenticateWithSessionCookieOptions,\n  AuthenticateWithSessionCookieSuccessResponse,\n  SessionCookieData,\n} from './interfaces/authenticate-with-session-cookie.interface';\nimport {\n  PKCEAuthorizationURLResult,\n  UserManagementAuthorizationURLOptions,\n} from './interfaces/authorization-url-options.interface';\nimport {\n  CreateOrganizationMembershipOptions,\n  SerializedCreateOrganizationMembershipOptions,\n} from './interfaces/create-organization-membership-options.interface';\nimport {\n  Factor,\n  FactorResponse,\n  FactorWithSecrets,\n  FactorWithSecretsResponse,\n} from './interfaces/factor.interface';\nimport { Identity, IdentityResponse } from './interfaces/identity.interface';\nimport {\n  Invitation,\n  InvitationResponse,\n} from './interfaces/invitation.interface';\nimport {\n  ListInvitationsOptions,\n  SerializedListInvitationsOptions,\n} from './interfaces/list-invitations-options.interface';\nimport {\n  ListOrganizationMembershipsOptions,\n  SerializedListOrganizationMembershipsOptions,\n} from './interfaces/list-organization-memberships-options.interface';\nimport {\n  OrganizationMembership,\n  OrganizationMembershipResponse,\n} from './interfaces/organization-membership.interface';\nimport {\n  RevokeSessionOptions,\n  SerializedRevokeSessionOptions,\n  serializeRevokeSessionOptions,\n} from './interfaces/revoke-session-options.interface';\nimport {\n  ResendInvitationOptions,\n  SerializedResendInvitationOptions,\n} from './interfaces/resend-invitation-options.interface';\nimport {\n  SendInvitationOptions,\n  SerializedSendInvitationOptions,\n} from './interfaces/send-invitation-options.interface';\nimport { SessionHandlerOptions } from './interfaces/session-handler-options.interface';\nimport {\n  SerializedUpdateOrganizationMembershipOptions,\n  UpdateOrganizationMembershipOptions,\n} from './interfaces/update-organization-membership-options.interface';\nimport {\n  deserializeAuthenticationResponse,\n  deserializeEmailVerification,\n  deserializeFactorWithSecrets,\n  deserializeMagicAuth,\n  deserializePasswordReset,\n  deserializeSession,\n  deserializeUser,\n  serializeAuthenticateWithCodeAndVerifierOptions,\n  serializeAuthenticateWithCodeOptions,\n  serializeAuthenticateWithMagicAuthOptions,\n  serializeAuthenticateWithPasswordOptions,\n  serializeAuthenticateWithRefreshTokenOptions,\n  serializeAuthenticateWithRefreshTokenPublicClientOptions,\n  serializeAuthenticateWithTotpOptions,\n  serializeCreateMagicAuthOptions,\n  serializeCreatePasswordResetOptions,\n  serializeCreateUserOptions,\n  serializeEnrollAuthFactorOptions,\n  serializeListSessionsOptions,\n  serializeResetPasswordOptions,\n  serializeUpdateUserOptions,\n} from './serializers';\nimport { serializeAuthenticateWithEmailVerificationOptions } from './serializers/authenticate-with-email-verification.serializer';\nimport { serializeAuthenticateWithOrganizationSelectionOptions } from './serializers/authenticate-with-organization-selection-options.serializer';\nimport { serializeCreateOrganizationMembershipOptions } from './serializers/create-organization-membership-options.serializer';\nimport { deserializeFactor } from './serializers/factor.serializer';\nimport { deserializeIdentities } from './serializers/identity.serializer';\nimport { deserializeInvitation } from './serializers/invitation.serializer';\nimport { serializeListInvitationsOptions } from './serializers/list-invitations-options.serializer';\nimport { serializeListOrganizationMembershipsOptions } from './serializers/list-organization-memberships-options.serializer';\nimport { serializeListUsersOptions } from './serializers/list-users-options.serializer';\nimport { serializeResendInvitationOptions } from './serializers/resend-invitation-options.serializer';\nimport { deserializeOrganizationMembership } from './serializers/organization-membership.serializer';\nimport { serializeSendInvitationOptions } from './serializers/send-invitation-options.serializer';\nimport { serializeUpdateOrganizationMembershipOptions } from './serializers/update-organization-membership-options.serializer';\nimport { CookieSession } from './session';\nimport { getJose } from '../utils/jose';\n\nexport class UserManagement {\n  private _jwks:\n    | ReturnType<typeof import('jose').createRemoteJWKSet>\n    | undefined;\n  public clientId: string | undefined;\n\n  constructor(private readonly workos: WorkOS) {\n    const { clientId } = workos.options;\n\n    this.clientId = clientId;\n  }\n\n  /**\n   * Resolve clientId from method options or fall back to constructor-provided value.\n   * @throws TypeError if clientId is not available from either source\n   */\n  private resolveClientId(clientId?: string): string {\n    const resolved = clientId ?? this.clientId;\n    if (!resolved) {\n      throw new TypeError(\n        'clientId is required. Provide it in method options or when initializing WorkOS.',\n      );\n    }\n    return resolved;\n  }\n\n  async getJWKS(): Promise<\n    ReturnType<typeof import('jose').createRemoteJWKSet> | undefined\n  > {\n    const { createRemoteJWKSet } = await getJose();\n    if (!this.clientId) {\n      return;\n    }\n\n    // Set the JWKS URL. This is used to verify if the JWT is still valid\n    this._jwks ??= createRemoteJWKSet(new URL(this.getJwksUrl(this.clientId)), {\n      cooldownDuration: 1000 * 60 * 5,\n    });\n\n    return this._jwks;\n  }\n\n  /**\n   * Loads a sealed session using the provided session data and cookie password.\n   *\n   * @param options - The options for loading the sealed session.\n   * @param options.sessionData - The sealed session data.\n   * @param options.cookiePassword - The password used to encrypt the session data.\n   * @returns The session class.\n   */\n  loadSealedSession(options: {\n    sessionData: string;\n    cookiePassword: string;\n  }): CookieSession {\n    return new CookieSession(this, options.sessionData, options.cookiePassword);\n  }\n\n  async getUser(userId: string): Promise<User> {\n    const { data } = await this.workos.get<UserResponse>(\n      `/user_management/users/${userId}`,\n    );\n\n    return deserializeUser(data);\n  }\n\n  async getUserByExternalId(externalId: string): Promise<User> {\n    const { data } = await this.workos.get<UserResponse>(\n      `/user_management/users/external_id/${externalId}`,\n    );\n\n    return deserializeUser(data);\n  }\n\n  async listUsers(\n    options?: ListUsersOptions,\n  ): Promise<AutoPaginatable<User, SerializedListUsersOptions>> {\n    return new AutoPaginatable(\n      await fetchAndDeserialize<UserResponse, User>(\n        this.workos,\n        '/user_management/users',\n        deserializeUser,\n        options ? serializeListUsersOptions(options) : undefined,\n      ),\n      (params) =>\n        fetchAndDeserialize<UserResponse, User>(\n          this.workos,\n          '/user_management/users',\n          deserializeUser,\n          params,\n        ),\n      options ? serializeListUsersOptions(options) : undefined,\n    );\n  }\n\n  async createUser(payload: CreateUserOptions): Promise<User> {\n    const { data } = await this.workos.post<\n      UserResponse,\n      SerializedCreateUserOptions\n    >('/user_management/users', serializeCreateUserOptions(payload));\n\n    return deserializeUser(data);\n  }\n\n  async authenticateWithMagicAuth(\n    payload: AuthenticateWithMagicAuthOptions,\n  ): Promise<AuthenticationResponse> {\n    const { session, clientId, ...remainingPayload } = payload;\n    const resolvedClientId = this.resolveClientId(clientId);\n\n    const { data } = await this.workos.post<\n      AuthenticationResponseResponse,\n      SerializedAuthenticateWithMagicAuthOptions\n    >(\n      '/user_management/authenticate',\n      serializeAuthenticateWithMagicAuthOptions({\n        ...remainingPayload,\n        clientId: resolvedClientId,\n        clientSecret: this.workos.key,\n      }),\n    );\n\n    return this.prepareAuthenticationResponse({\n      authenticationResponse: deserializeAuthenticationResponse(data),\n      session,\n    });\n  }\n\n  async authenticateWithPassword(\n    payload: AuthenticateWithPasswordOptions,\n  ): Promise<AuthenticationResponse> {\n    const { session, clientId, ...remainingPayload } = payload;\n    const resolvedClientId = this.resolveClientId(clientId);\n\n    const { data } = await this.workos.post<\n      AuthenticationResponseResponse,\n      SerializedAuthenticateWithPasswordOptions\n    >(\n      '/user_management/authenticate',\n      serializeAuthenticateWithPasswordOptions({\n        ...remainingPayload,\n        clientId: resolvedClientId,\n        clientSecret: this.workos.key,\n      }),\n    );\n\n    return this.prepareAuthenticationResponse({\n      authenticationResponse: deserializeAuthenticationResponse(data),\n      session,\n    });\n  }\n\n  /**\n   * Exchange an authorization code for tokens.\n   *\n   * Auto-detects public vs confidential client mode:\n   * - If codeVerifier is provided: Uses PKCE flow (public client)\n   * - If no codeVerifier: Uses client_secret from API key (confidential client)\n   * - If both: Uses both client_secret AND codeVerifier (confidential client with PKCE)\n   *\n   * Using PKCE with confidential clients is recommended by OAuth 2.1 for defense\n   * in depth and provides additional CSRF protection on the authorization flow.\n   *\n   * @throws Error if neither codeVerifier nor API key is available\n   */\n  async authenticateWithCode(\n    payload: AuthenticateWithCodeOptions,\n  ): Promise<AuthenticationResponse> {\n    const { session, clientId, codeVerifier, ...remainingPayload } = payload;\n    const resolvedClientId = this.resolveClientId(clientId);\n\n    // Validate codeVerifier is not an empty string (common mistake)\n    if (codeVerifier !== undefined && codeVerifier.trim() === '') {\n      throw new TypeError(\n        'codeVerifier cannot be an empty string. ' +\n          'Generate a valid PKCE pair using workos.pkce.generate().',\n      );\n    }\n\n    const hasApiKey = !!this.workos.key;\n    const hasPKCE = !!codeVerifier;\n\n    if (!hasPKCE && !hasApiKey) {\n      throw new TypeError(\n        'authenticateWithCode requires either a codeVerifier (for public clients) ' +\n          'or an API key configured on the WorkOS instance (for confidential clients).',\n      );\n    }\n\n    const { data } = await this.workos.post<\n      AuthenticationResponseResponse,\n      SerializedAuthenticateWithCodeOptions\n    >(\n      '/user_management/authenticate',\n      serializeAuthenticateWithCodeOptions({\n        ...remainingPayload,\n        clientId: resolvedClientId,\n        codeVerifier,\n        clientSecret: hasApiKey ? this.workos.key : undefined,\n      }),\n      { skipApiKeyCheck: !hasApiKey },\n    );\n\n    return this.prepareAuthenticationResponse({\n      authenticationResponse: deserializeAuthenticationResponse(data),\n      session,\n    });\n  }\n\n  /**\n   * Exchange an authorization code for tokens using PKCE (public client flow).\n   * Use this instead of authenticateWithCode() when the client cannot securely\n   * store a client_secret (browser, mobile, CLI, desktop apps).\n   *\n   * @param payload.clientId - Your WorkOS client ID\n   * @param payload.code - The authorization code from the OAuth callback\n   * @param payload.codeVerifier - The PKCE code verifier used to generate the code challenge\n   */\n  async authenticateWithCodeAndVerifier(\n    payload: AuthenticateWithCodeAndVerifierOptions,\n  ): Promise<AuthenticationResponse> {\n    const { session, clientId, ...remainingPayload } = payload;\n    const resolvedClientId = this.resolveClientId(clientId);\n\n    const { data } = await this.workos.post<\n      AuthenticationResponseResponse,\n      SerializedAuthenticateWithCodeAndVerifierOptions\n    >(\n      '/user_management/authenticate',\n      serializeAuthenticateWithCodeAndVerifierOptions({\n        ...remainingPayload,\n        clientId: resolvedClientId,\n      }),\n      { skipApiKeyCheck: true },\n    );\n\n    return this.prepareAuthenticationResponse({\n      authenticationResponse: deserializeAuthenticationResponse(data),\n      session,\n    });\n  }\n\n  /**\n   * Refresh an access token using a refresh token.\n   * Automatically detects public client mode - if no API key is configured,\n   * omits client_secret from the request.\n   */\n  async authenticateWithRefreshToken(\n    payload: AuthenticateWithRefreshTokenOptions,\n  ): Promise<AuthenticationResponse> {\n    const { session, clientId, ...remainingPayload } = payload;\n    const resolvedClientId = this.resolveClientId(clientId);\n    const isPublicClient = !this.workos.key;\n\n    const body = isPublicClient\n      ? serializeAuthenticateWithRefreshTokenPublicClientOptions({\n          ...remainingPayload,\n          clientId: resolvedClientId,\n        })\n      : serializeAuthenticateWithRefreshTokenOptions({\n          ...remainingPayload,\n          clientId: resolvedClientId,\n          clientSecret: this.workos.key,\n        });\n\n    const { data } = await this.workos.post<\n      AuthenticationResponseResponse,\n      | SerializedAuthenticateWithRefreshTokenOptions\n      | SerializedAuthenticateWithRefreshTokenPublicClientOptions\n    >('/user_management/authenticate', body, {\n      skipApiKeyCheck: isPublicClient,\n    });\n\n    return this.prepareAuthenticationResponse({\n      authenticationResponse: deserializeAuthenticationResponse(data),\n      session,\n    });\n  }\n\n  async authenticateWithTotp(\n    payload: AuthenticateWithTotpOptions,\n  ): Promise<AuthenticationResponse> {\n    const { session, clientId, ...remainingPayload } = payload;\n    const resolvedClientId = this.resolveClientId(clientId);\n\n    const { data } = await this.workos.post<\n      AuthenticationResponseResponse,\n      SerializedAuthenticateWithTotpOptions\n    >(\n      '/user_management/authenticate',\n      serializeAuthenticateWithTotpOptions({\n        ...remainingPayload,\n        clientId: resolvedClientId,\n        clientSecret: this.workos.key,\n      }),\n    );\n\n    return this.prepareAuthenticationResponse({\n      authenticationResponse: deserializeAuthenticationResponse(data),\n      session,\n    });\n  }\n\n  async authenticateWithEmailVerification(\n    payload: AuthenticateWithEmailVerificationOptions,\n  ): Promise<AuthenticationResponse> {\n    const { session, clientId, ...remainingPayload } = payload;\n    const resolvedClientId = this.resolveClientId(clientId);\n\n    const { data } = await this.workos.post<\n      AuthenticationResponseResponse,\n      SerializedAuthenticateWithEmailVerificationOptions\n    >(\n      '/user_management/authenticate',\n      serializeAuthenticateWithEmailVerificationOptions({\n        ...remainingPayload,\n        clientId: resolvedClientId,\n        clientSecret: this.workos.key,\n      }),\n    );\n\n    return this.prepareAuthenticationResponse({\n      authenticationResponse: deserializeAuthenticationResponse(data),\n      session,\n    });\n  }\n\n  async authenticateWithOrganizationSelection(\n    payload: AuthenticateWithOrganizationSelectionOptions,\n  ): Promise<AuthenticationResponse> {\n    const { session, clientId, ...remainingPayload } = payload;\n    const resolvedClientId = this.resolveClientId(clientId);\n\n    const { data } = await this.workos.post<\n      AuthenticationResponseResponse,\n      SerializedAuthenticateWithOrganizationSelectionOptions\n    >(\n      '/user_management/authenticate',\n      serializeAuthenticateWithOrganizationSelectionOptions({\n        ...remainingPayload,\n        clientId: resolvedClientId,\n        clientSecret: this.workos.key,\n      }),\n    );\n\n    return this.prepareAuthenticationResponse({\n      authenticationResponse: deserializeAuthenticationResponse(data),\n      session,\n    });\n  }\n\n  async authenticateWithSessionCookie({\n    sessionData,\n    cookiePassword = getEnv('WORKOS_COOKIE_PASSWORD'),\n  }: AuthenticateWithSessionCookieOptions): Promise<\n    | AuthenticateWithSessionCookieSuccessResponse\n    | AuthenticateWithSessionCookieFailedResponse\n  > {\n    if (!cookiePassword) {\n      throw new Error('Cookie password is required');\n    }\n\n    const jwks = await this.getJWKS();\n\n    if (!jwks) {\n      throw new Error('Must provide clientId to initialize JWKS');\n    }\n\n    const { decodeJwt } = await getJose();\n\n    if (!sessionData) {\n      return {\n        authenticated: false,\n        reason:\n          AuthenticateWithSessionCookieFailureReason.NO_SESSION_COOKIE_PROVIDED,\n      };\n    }\n\n    const session = await unsealData<SessionCookieData>(sessionData, {\n      password: cookiePassword,\n    });\n\n    if (!session.accessToken) {\n      return {\n        authenticated: false,\n        reason:\n          AuthenticateWithSessionCookieFailureReason.INVALID_SESSION_COOKIE,\n      };\n    }\n\n    if (!(await this.isValidJwt(session.accessToken))) {\n      return {\n        authenticated: false,\n        reason: AuthenticateWithSessionCookieFailureReason.INVALID_JWT,\n      };\n    }\n\n    const {\n      sid: sessionId,\n      org_id: organizationId,\n      role,\n      roles,\n      permissions,\n      entitlements,\n      feature_flags: featureFlags,\n    } = decodeJwt<AccessToken>(session.accessToken);\n\n    return {\n      authenticated: true,\n      sessionId,\n      organizationId,\n      role,\n      roles,\n      user: session.user,\n      permissions,\n      entitlements,\n      featureFlags,\n      accessToken: session.accessToken,\n      authenticationMethod: session.authenticationMethod,\n    };\n  }\n\n  private async isValidJwt(accessToken: string): Promise<boolean> {\n    const jwks = await this.getJWKS();\n    const { jwtVerify } = await getJose();\n    if (!jwks) {\n      throw new Error('Must provide clientId to initialize JWKS');\n    }\n\n    try {\n      await jwtVerify(accessToken, jwks);\n      return true;\n    } catch (e) {\n      // Only treat as invalid JWT if it's an actual JWT/JWS error from jose\n      // Network errors, crypto failures, etc. should propagate\n      if (\n        e instanceof Error &&\n        'code' in e &&\n        typeof e.code === 'string' &&\n        (e.code.startsWith('ERR_JWT_') || e.code.startsWith('ERR_JWS_'))\n      ) {\n        return false;\n      }\n      throw e;\n    }\n  }\n\n  private async prepareAuthenticationResponse({\n    authenticationResponse,\n    session,\n  }: {\n    authenticationResponse: AuthenticationResponse;\n    session?: AuthenticateWithSessionOptions;\n  }): Promise<AuthenticationResponse> {\n    if (session?.sealSession) {\n      if (!this.workos.key) {\n        throw new Error(\n          'Session sealing requires server-side usage with an API key. ' +\n            'Public clients should store tokens directly ' +\n            '(e.g., secure storage on mobile, keychain on desktop).',\n        );\n      }\n\n      return {\n        ...authenticationResponse,\n        sealedSession: await this.sealSessionDataFromAuthenticationResponse({\n          authenticationResponse,\n          cookiePassword: session.cookiePassword,\n        }),\n      };\n    }\n\n    return authenticationResponse;\n  }\n\n  private async sealSessionDataFromAuthenticationResponse({\n    authenticationResponse,\n    cookiePassword,\n  }: {\n    authenticationResponse: AuthenticationResponse;\n    cookiePassword?: string;\n  }): Promise<string> {\n    if (!cookiePassword) {\n      throw new Error('Cookie password is required');\n    }\n\n    const { decodeJwt } = await getJose();\n\n    const { org_id: organizationIdFromAccessToken } = decodeJwt<AccessToken>(\n      authenticationResponse.accessToken,\n    );\n\n    const sessionData: SessionCookieData = {\n      organizationId: organizationIdFromAccessToken,\n      user: authenticationResponse.user,\n      accessToken: authenticationResponse.accessToken,\n      refreshToken: authenticationResponse.refreshToken,\n      authenticationMethod: authenticationResponse.authenticationMethod,\n      impersonator: authenticationResponse.impersonator,\n    };\n\n    return sealData(sessionData, {\n      password: cookiePassword,\n    });\n  }\n\n  async getSessionFromCookie({\n    sessionData,\n    cookiePassword = getEnv('WORKOS_COOKIE_PASSWORD'),\n  }: SessionHandlerOptions): Promise<SessionCookieData | undefined> {\n    if (!cookiePassword) {\n      throw new Error('Cookie password is required');\n    }\n\n    if (sessionData) {\n      return unsealData<SessionCookieData>(sessionData, {\n        password: cookiePassword,\n      });\n    }\n\n    return undefined;\n  }\n\n  async getEmailVerification(\n    emailVerificationId: string,\n  ): Promise<EmailVerification> {\n    const { data } = await this.workos.get<EmailVerificationResponse>(\n      `/user_management/email_verification/${emailVerificationId}`,\n    );\n\n    return deserializeEmailVerification(data);\n  }\n\n  async sendVerificationEmail({\n    userId,\n  }: SendVerificationEmailOptions): Promise<{ user: User }> {\n    const { data } = await this.workos.post<{ user: UserResponse }>(\n      `/user_management/users/${userId}/email_verification/send`,\n      {},\n    );\n\n    return { user: deserializeUser(data.user) };\n  }\n\n  async getMagicAuth(magicAuthId: string): Promise<MagicAuth> {\n    const { data } = await this.workos.get<MagicAuthResponse>(\n      `/user_management/magic_auth/${magicAuthId}`,\n    );\n\n    return deserializeMagicAuth(data);\n  }\n\n  async createMagicAuth(options: CreateMagicAuthOptions): Promise<MagicAuth> {\n    const { data } = await this.workos.post<\n      MagicAuthResponse,\n      SerializedCreateMagicAuthOptions\n    >(\n      '/user_management/magic_auth',\n      serializeCreateMagicAuthOptions({\n        ...options,\n      }),\n    );\n\n    return deserializeMagicAuth(data);\n  }\n\n  async verifyEmail({\n    code,\n    userId,\n  }: VerifyEmailOptions): Promise<{ user: User }> {\n    const { data } = await this.workos.post<\n      { user: UserResponse },\n      SerializedVerifyEmailOptions\n    >(`/user_management/users/${userId}/email_verification/confirm`, {\n      code,\n    });\n\n    return { user: deserializeUser(data.user) };\n  }\n\n  async getPasswordReset(passwordResetId: string): Promise<PasswordReset> {\n    const { data } = await this.workos.get<PasswordResetResponse>(\n      `/user_management/password_reset/${passwordResetId}`,\n    );\n\n    return deserializePasswordReset(data);\n  }\n\n  async createPasswordReset(\n    options: CreatePasswordResetOptions,\n  ): Promise<PasswordReset> {\n    const { data } = await this.workos.post<\n      PasswordResetResponse,\n      SerializedCreatePasswordResetOptions\n    >(\n      '/user_management/password_reset',\n      serializeCreatePasswordResetOptions({\n        ...options,\n      }),\n    );\n\n    return deserializePasswordReset(data);\n  }\n\n  async resetPassword(payload: ResetPasswordOptions): Promise<{ user: User }> {\n    const { data } = await this.workos.post<\n      { user: UserResponse },\n      SerializedResetPasswordOptions\n    >(\n      '/user_management/password_reset/confirm',\n      serializeResetPasswordOptions(payload),\n    );\n\n    return { user: deserializeUser(data.user) };\n  }\n\n  async updateUser(payload: UpdateUserOptions): Promise<User> {\n    const { data } = await this.workos.put<UserResponse>(\n      `/user_management/users/${payload.userId}`,\n      serializeUpdateUserOptions(payload),\n    );\n\n    return deserializeUser(data);\n  }\n\n  async enrollAuthFactor(payload: EnrollAuthFactorOptions): Promise<{\n    authenticationFactor: FactorWithSecrets;\n    authenticationChallenge: Challenge;\n  }> {\n    const { data } = await this.workos.post<{\n      authentication_factor: FactorWithSecretsResponse;\n      authentication_challenge: ChallengeResponse;\n    }>(\n      `/user_management/users/${payload.userId}/auth_factors`,\n      serializeEnrollAuthFactorOptions(payload),\n    );\n\n    return {\n      authenticationFactor: deserializeFactorWithSecrets(\n        data.authentication_factor,\n      ),\n      authenticationChallenge: deserializeChallenge(\n        data.authentication_challenge,\n      ),\n    };\n  }\n\n  async listAuthFactors(\n    options: ListAuthFactorsOptions,\n  ): Promise<AutoPaginatable<Factor, PaginationOptions>> {\n    const { userId, ...restOfOptions } = options;\n    return new AutoPaginatable(\n      await fetchAndDeserialize<FactorResponse, Factor>(\n        this.workos,\n        `/user_management/users/${userId}/auth_factors`,\n        deserializeFactor,\n        restOfOptions,\n      ),\n      (params) =>\n        fetchAndDeserialize<FactorResponse, Factor>(\n          this.workos,\n          `/user_management/users/${userId}/auth_factors`,\n          deserializeFactor,\n          params,\n        ),\n      restOfOptions,\n    );\n  }\n\n  async listUserFeatureFlags(\n    options: ListUserFeatureFlagsOptions,\n  ): Promise<AutoPaginatable<FeatureFlag>> {\n    const { userId, ...paginationOptions } = options;\n\n    return new AutoPaginatable(\n      await fetchAndDeserialize<FeatureFlagResponse, FeatureFlag>(\n        this.workos,\n        `/user_management/users/${userId}/feature-flags`,\n        deserializeFeatureFlag,\n        paginationOptions,\n      ),\n      (params) =>\n        fetchAndDeserialize<FeatureFlagResponse, FeatureFlag>(\n          this.workos,\n          `/user_management/users/${userId}/feature-flags`,\n          deserializeFeatureFlag,\n          params,\n        ),\n      paginationOptions,\n    );\n  }\n\n  async listSessions(\n    userId: string,\n    options?: ListSessionsOptions,\n  ): Promise<AutoPaginatable<Session, SerializedListSessionsOptions>> {\n    return new AutoPaginatable(\n      await fetchAndDeserialize<SessionResponse, Session>(\n        this.workos,\n        `/user_management/users/${userId}/sessions`,\n        deserializeSession,\n        options ? serializeListSessionsOptions(options) : undefined,\n      ),\n      (params) =>\n        fetchAndDeserialize<SessionResponse, Session>(\n          this.workos,\n          `/user_management/users/${userId}/sessions`,\n          deserializeSession,\n          params,\n        ),\n      options ? serializeListSessionsOptions(options) : undefined,\n    );\n  }\n\n  async deleteUser(userId: string) {\n    await this.workos.delete(`/user_management/users/${userId}`);\n  }\n\n  async getUserIdentities(userId: string): Promise<Identity[]> {\n    if (!userId) {\n      throw new TypeError(`Incomplete arguments. Need to specify 'userId'.`);\n    }\n\n    const { data } = await this.workos.get<IdentityResponse[]>(\n      `/user_management/users/${userId}/identities`,\n    );\n\n    return deserializeIdentities(data);\n  }\n\n  async getOrganizationMembership(\n    organizationMembershipId: string,\n  ): Promise<OrganizationMembership> {\n    const { data } = await this.workos.get<OrganizationMembershipResponse>(\n      `/user_management/organization_memberships/${organizationMembershipId}`,\n    );\n\n    return deserializeOrganizationMembership(data);\n  }\n\n  async listOrganizationMemberships(\n    options: ListOrganizationMembershipsOptions,\n  ): Promise<\n    AutoPaginatable<\n      OrganizationMembership,\n      SerializedListOrganizationMembershipsOptions\n    >\n  > {\n    const serializedOptions =\n      serializeListOrganizationMembershipsOptions(options);\n\n    return new AutoPaginatable(\n      await fetchAndDeserialize<\n        OrganizationMembershipResponse,\n        OrganizationMembership\n      >(\n        this.workos,\n        '/user_management/organization_memberships',\n        deserializeOrganizationMembership,\n        serializedOptions,\n      ),\n      (params) =>\n        fetchAndDeserialize<\n          OrganizationMembershipResponse,\n          OrganizationMembership\n        >(\n          this.workos,\n          '/user_management/organization_memberships',\n          deserializeOrganizationMembership,\n          params,\n        ),\n      serializedOptions,\n    );\n  }\n\n  async createOrganizationMembership(\n    options: CreateOrganizationMembershipOptions,\n  ): Promise<OrganizationMembership> {\n    const { data } = await this.workos.post<\n      OrganizationMembershipResponse,\n      SerializedCreateOrganizationMembershipOptions\n    >(\n      '/user_management/organization_memberships',\n      serializeCreateOrganizationMembershipOptions(options),\n    );\n\n    return deserializeOrganizationMembership(data);\n  }\n\n  async updateOrganizationMembership(\n    organizationMembershipId: string,\n    options: UpdateOrganizationMembershipOptions,\n  ): Promise<OrganizationMembership> {\n    const { data } = await this.workos.put<\n      OrganizationMembershipResponse,\n      SerializedUpdateOrganizationMembershipOptions\n    >(\n      `/user_management/organization_memberships/${organizationMembershipId}`,\n      serializeUpdateOrganizationMembershipOptions(options),\n    );\n\n    return deserializeOrganizationMembership(data);\n  }\n\n  async deleteOrganizationMembership(\n    organizationMembershipId: string,\n  ): Promise<void> {\n    await this.workos.delete(\n      `/user_management/organization_memberships/${organizationMembershipId}`,\n    );\n  }\n\n  async deactivateOrganizationMembership(\n    organizationMembershipId: string,\n  ): Promise<OrganizationMembership> {\n    const { data } = await this.workos.put<OrganizationMembershipResponse>(\n      `/user_management/organization_memberships/${organizationMembershipId}/deactivate`,\n      {},\n    );\n\n    return deserializeOrganizationMembership(data);\n  }\n\n  async reactivateOrganizationMembership(\n    organizationMembershipId: string,\n  ): Promise<OrganizationMembership> {\n    const { data } = await this.workos.put<OrganizationMembershipResponse>(\n      `/user_management/organization_memberships/${organizationMembershipId}/reactivate`,\n      {},\n    );\n\n    return deserializeOrganizationMembership(data);\n  }\n\n  async getInvitation(invitationId: string): Promise<Invitation> {\n    const { data } = await this.workos.get<InvitationResponse>(\n      `/user_management/invitations/${invitationId}`,\n    );\n\n    return deserializeInvitation(data);\n  }\n\n  async findInvitationByToken(invitationToken: string): Promise<Invitation> {\n    const { data } = await this.workos.get<InvitationResponse>(\n      `/user_management/invitations/by_token/${invitationToken}`,\n    );\n\n    return deserializeInvitation(data);\n  }\n\n  async listInvitations(\n    options: ListInvitationsOptions,\n  ): Promise<AutoPaginatable<Invitation, SerializedListInvitationsOptions>> {\n    return new AutoPaginatable(\n      await fetchAndDeserialize<InvitationResponse, Invitation>(\n        this.workos,\n        '/user_management/invitations',\n        deserializeInvitation,\n        options ? serializeListInvitationsOptions(options) : undefined,\n      ),\n      (params) =>\n        fetchAndDeserialize<InvitationResponse, Invitation>(\n          this.workos,\n          '/user_management/invitations',\n          deserializeInvitation,\n          params,\n        ),\n      options ? serializeListInvitationsOptions(options) : undefined,\n    );\n  }\n\n  async sendInvitation(payload: SendInvitationOptions): Promise<Invitation> {\n    const { data } = await this.workos.post<\n      InvitationResponse,\n      SerializedSendInvitationOptions\n    >(\n      '/user_management/invitations',\n      serializeSendInvitationOptions({\n        ...payload,\n      }),\n    );\n\n    return deserializeInvitation(data);\n  }\n\n  async acceptInvitation(invitationId: string): Promise<Invitation> {\n    const { data } = await this.workos.post<InvitationResponse, any>(\n      `/user_management/invitations/${invitationId}/accept`,\n      null,\n    );\n\n    return deserializeInvitation(data);\n  }\n\n  async revokeInvitation(invitationId: string): Promise<Invitation> {\n    const { data } = await this.workos.post<InvitationResponse, any>(\n      `/user_management/invitations/${invitationId}/revoke`,\n      null,\n    );\n\n    return deserializeInvitation(data);\n  }\n\n  async resendInvitation(\n    invitationId: string,\n    options?: ResendInvitationOptions,\n  ): Promise<Invitation> {\n    const { data } = await this.workos.post<\n      InvitationResponse,\n      SerializedResendInvitationOptions\n    >(\n      `/user_management/invitations/${invitationId}/resend`,\n      options ? serializeResendInvitationOptions(options) : {},\n    );\n\n    return deserializeInvitation(data);\n  }\n\n  async revokeSession(payload: RevokeSessionOptions): Promise<void> {\n    await this.workos.post<void, SerializedRevokeSessionOptions>(\n      '/user_management/sessions/revoke',\n      serializeRevokeSessionOptions(payload),\n    );\n  }\n\n  /**\n   * Generate an OAuth 2.0 authorization URL.\n   *\n   * For public clients (browser, mobile, CLI), include PKCE parameters:\n   * - Generate PKCE using workos.pkce.generate()\n   * - Pass codeChallenge and codeChallengeMethod here\n   * - Store codeVerifier and pass to authenticateWithCode() later\n   *\n   * Or use getAuthorizationUrlWithPKCE() which handles PKCE automatically.\n   */\n  getAuthorizationUrl(options: UserManagementAuthorizationURLOptions): string {\n    const {\n      connectionId,\n      codeChallenge,\n      codeChallengeMethod,\n      clientId,\n      domainHint,\n      loginHint,\n      organizationId,\n      provider,\n      providerQueryParams,\n      providerScopes,\n      prompt,\n      redirectUri,\n      state,\n      screenHint,\n    } = options;\n    const resolvedClientId = this.resolveClientId(clientId);\n\n    if (!provider && !connectionId && !organizationId) {\n      throw new TypeError(\n        `Incomplete arguments. Need to specify either a 'connectionId', 'organizationId', or 'provider'.`,\n      );\n    }\n\n    if (provider !== 'authkit' && screenHint) {\n      throw new TypeError(\n        `'screenHint' is only supported for 'authkit' provider`,\n      );\n    }\n\n    const query = toQueryString({\n      connection_id: connectionId,\n      code_challenge: codeChallenge,\n      code_challenge_method: codeChallengeMethod,\n      organization_id: organizationId,\n      domain_hint: domainHint,\n      login_hint: loginHint,\n      provider,\n      provider_query_params: providerQueryParams,\n      provider_scopes: providerScopes,\n      prompt,\n      client_id: resolvedClientId,\n      redirect_uri: redirectUri,\n      response_type: 'code',\n      state,\n      screen_hint: screenHint,\n    });\n\n    return `${this.workos.baseURL}/user_management/authorize?${query}`;\n  }\n\n  /**\n   * Generate an OAuth 2.0 authorization URL with automatic PKCE.\n   *\n   * This method generates PKCE parameters internally and returns them along with\n   * the authorization URL. Use this for public clients (CLI apps, Electron, mobile)\n   * that cannot securely store a client secret.\n   *\n   * @returns Object containing url, state, and codeVerifier\n   *\n   * @example\n   * ```typescript\n   * const { url, state, codeVerifier } = await workos.userManagement.getAuthorizationUrlWithPKCE({\n   *   provider: 'authkit',\n   *   clientId: 'client_123',\n   *   redirectUri: 'myapp://callback',\n   * });\n   *\n   * // Store state and codeVerifier securely, then redirect user to url\n   * // After callback, exchange the code:\n   * const response = await workos.userManagement.authenticateWithCode({\n   *   code: authorizationCode,\n   *   codeVerifier,\n   *   clientId: 'client_123',\n   * });\n   * ```\n   */\n  async getAuthorizationUrlWithPKCE(\n    options: Omit<\n      UserManagementAuthorizationURLOptions,\n      'codeChallenge' | 'codeChallengeMethod' | 'state'\n    >,\n  ): Promise<PKCEAuthorizationURLResult> {\n    const {\n      clientId,\n      connectionId,\n      domainHint,\n      loginHint,\n      organizationId,\n      provider,\n      providerQueryParams,\n      providerScopes,\n      prompt,\n      redirectUri,\n      screenHint,\n    } = options;\n    const resolvedClientId = this.resolveClientId(clientId);\n\n    if (!provider && !connectionId && !organizationId) {\n      throw new TypeError(\n        `Incomplete arguments. Need to specify either a 'connectionId', 'organizationId', or 'provider'.`,\n      );\n    }\n\n    if (provider !== 'authkit' && screenHint) {\n      throw new TypeError(\n        `'screenHint' is only supported for 'authkit' provider`,\n      );\n    }\n\n    // Generate PKCE parameters\n    const pkce = await this.workos.pkce.generate();\n\n    // Generate secure random state\n    const state = this.workos.pkce.generateCodeVerifier(43);\n\n    const query = toQueryString({\n      connection_id: connectionId,\n      code_challenge: pkce.codeChallenge,\n      code_challenge_method: 'S256',\n      organization_id: organizationId,\n      domain_hint: domainHint,\n      login_hint: loginHint,\n      provider,\n      provider_query_params: providerQueryParams,\n      provider_scopes: providerScopes,\n      prompt,\n      client_id: resolvedClientId,\n      redirect_uri: redirectUri,\n      response_type: 'code',\n      state,\n      screen_hint: screenHint,\n    });\n\n    const url = `${this.workos.baseURL}/user_management/authorize?${query}`;\n\n    return { url, state, codeVerifier: pkce.codeVerifier };\n  }\n\n  getLogoutUrl(options: LogoutURLOptions): string {\n    const { sessionId, returnTo } = options;\n\n    if (!sessionId) {\n      throw new TypeError(`Incomplete arguments. Need to specify 'sessionId'.`);\n    }\n\n    const url = new URL(\n      '/user_management/sessions/logout',\n      this.workos.baseURL,\n    );\n\n    url.searchParams.set('session_id', sessionId);\n    if (returnTo) {\n      url.searchParams.set('return_to', returnTo);\n    }\n\n    return url.toString();\n  }\n\n  getJwksUrl(clientId: string): string {\n    if (!clientId) {\n      throw new TypeError('clientId must be a valid clientId');\n    }\n\n    return `${this.workos.baseURL}/sso/jwks/${clientId}`;\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAsKA,IAAa,iBAAb,MAA4B;CAC1B,AAAQ;CAGR,AAAO;CAEP,YAAY,AAAiBA,QAAgB;EAAhB;EAC3B,MAAM,EAAE,aAAa,OAAO;AAE5B,OAAK,WAAW;;;;;;CAOlB,AAAQ,gBAAgB,UAA2B;EACjD,MAAM,WAAW,YAAY,KAAK;AAClC,MAAI,CAAC,SACH,OAAM,IAAI,UACR,kFACD;AAEH,SAAO;;CAGT,MAAM,UAEJ;EACA,MAAM,EAAE,uBAAuB,MAAMC,sBAAS;AAC9C,MAAI,CAAC,KAAK,SACR;AAIF,OAAK,UAAU,mBAAmB,IAAI,IAAI,KAAK,WAAW,KAAK,SAAS,CAAC,EAAE,EACzE,kBAAkB,MAAO,KAAK,GAC/B,CAAC;AAEF,SAAO,KAAK;;;;;;;;;;CAWd,kBAAkB,SAGA;AAChB,SAAO,IAAIC,8BAAc,MAAM,QAAQ,aAAa,QAAQ,eAAe;;CAG7E,MAAM,QAAQ,QAA+B;EAC3C,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,0BAA0B,SAC3B;AAED,SAAOC,wCAAgB,KAAK;;CAG9B,MAAM,oBAAoB,YAAmC;EAC3D,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,sCAAsC,aACvC;AAED,SAAOA,wCAAgB,KAAK;;CAG9B,MAAM,UACJ,SAC4D;AAC5D,SAAO,IAAIC,mCACT,MAAMC,kDACJ,KAAK,QACL,0BACAF,yCACA,UAAUG,gEAA0B,QAAQ,GAAG,OAChD,GACA,WACCD,kDACE,KAAK,QACL,0BACAF,yCACA,OACD,EACH,UAAUG,gEAA0B,QAAQ,GAAG,OAChD;;CAGH,MAAM,WAAW,SAA2C;EAC1D,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAGjC,0BAA0BC,kEAA2B,QAAQ,CAAC;AAEhE,SAAOJ,wCAAgB,KAAK;;CAG9B,MAAM,0BACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,GAAG,qBAAqB;EACnD,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;EAEvD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACAK,kGAA0C;GACxC,GAAG;GACH,UAAU;GACV,cAAc,KAAK,OAAO;GAC3B,CAAC,CACH;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwBC,6EAAkC,KAAK;GAC/D;GACD,CAAC;;CAGJ,MAAM,yBACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,GAAG,qBAAqB;EACnD,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;EAEvD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACAC,+FAAyC;GACvC,GAAG;GACH,UAAU;GACV,cAAc,KAAK,OAAO;GAC3B,CAAC,CACH;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwBD,6EAAkC,KAAK;GAC/D;GACD,CAAC;;;;;;;;;;;;;;;CAgBJ,MAAM,qBACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,cAAc,GAAG,qBAAqB;EACjE,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;AAGvD,MAAI,iBAAiB,UAAa,aAAa,MAAM,KAAK,GACxD,OAAM,IAAI,UACR,mGAED;EAGH,MAAM,YAAY,CAAC,CAAC,KAAK,OAAO;AAGhC,MAAI,CAFY,CAAC,CAAC,gBAEF,CAAC,UACf,OAAM,IAAI,UACR,uJAED;EAGH,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACAE,uFAAqC;GACnC,GAAG;GACH,UAAU;GACV;GACA,cAAc,YAAY,KAAK,OAAO,MAAM;GAC7C,CAAC,EACF,EAAE,iBAAiB,CAAC,WAAW,CAChC;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwBF,6EAAkC,KAAK;GAC/D;GACD,CAAC;;;;;;;;;;;CAYJ,MAAM,gCACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,GAAG,qBAAqB;EACnD,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;EAEvD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACAG,+GAAgD;GAC9C,GAAG;GACH,UAAU;GACX,CAAC,EACF,EAAE,iBAAiB,MAAM,CAC1B;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwBH,6EAAkC,KAAK;GAC/D;GACD,CAAC;;;;;;;CAQJ,MAAM,6BACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,GAAG,qBAAqB;EACnD,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;EACvD,MAAM,iBAAiB,CAAC,KAAK,OAAO;EAEpC,MAAM,OAAO,iBACTI,kIAAyD;GACvD,GAAG;GACH,UAAU;GACX,CAAC,GACFC,wGAA6C;GAC3C,GAAG;GACH,UAAU;GACV,cAAc,KAAK,OAAO;GAC3B,CAAC;EAEN,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCAAiC,MAAM,EACvC,iBAAiB,gBAClB,CAAC;AAEF,SAAO,KAAK,8BAA8B;GACxC,wBAAwBL,6EAAkC,KAAK;GAC/D;GACD,CAAC;;CAGJ,MAAM,qBACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,GAAG,qBAAqB;EACnD,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;EAEvD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACAM,uFAAqC;GACnC,GAAG;GACH,UAAU;GACV,cAAc,KAAK,OAAO;GAC3B,CAAC,CACH;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwBN,6EAAkC,KAAK;GAC/D;GACD,CAAC;;CAGJ,MAAM,kCACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,GAAG,qBAAqB;EACnD,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;EAEvD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACAO,0GAAkD;GAChD,GAAG;GACH,UAAU;GACV,cAAc,KAAK,OAAO;GAC3B,CAAC,CACH;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwBP,6EAAkC,KAAK;GAC/D;GACD,CAAC;;CAGJ,MAAM,sCACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,GAAG,qBAAqB;EACnD,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;EAEvD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACAQ,0HAAsD;GACpD,GAAG;GACH,UAAU;GACV,cAAc,KAAK,OAAO;GAC3B,CAAC,CACH;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwBR,6EAAkC,KAAK;GAC/D;GACD,CAAC;;CAGJ,MAAM,8BAA8B,EAClC,aACA,iBAAiBS,mBAAO,yBAAyB,IAIjD;AACA,MAAI,CAAC,eACH,OAAM,IAAI,MAAM,8BAA8B;AAKhD,MAAI,CAFS,MAAM,KAAK,SAAS,CAG/B,OAAM,IAAI,MAAM,2CAA2C;EAG7D,MAAM,EAAE,cAAc,MAAMjB,sBAAS;AAErC,MAAI,CAAC,YACH,QAAO;GACL,eAAe;GACf,QACEkB,8FAA2C;GAC9C;EAGH,MAAM,UAAU,MAAMC,wBAA8B,aAAa,EAC/D,UAAU,gBACX,CAAC;AAEF,MAAI,CAAC,QAAQ,YACX,QAAO;GACL,eAAe;GACf,QACED,8FAA2C;GAC9C;AAGH,MAAI,CAAE,MAAM,KAAK,WAAW,QAAQ,YAAY,CAC9C,QAAO;GACL,eAAe;GACf,QAAQA,8FAA2C;GACpD;EAGH,MAAM,EACJ,KAAK,WACL,QAAQ,gBACR,MACA,OACA,aACA,cACA,eAAe,iBACb,UAAuB,QAAQ,YAAY;AAE/C,SAAO;GACL,eAAe;GACf;GACA;GACA;GACA;GACA,MAAM,QAAQ;GACd;GACA;GACA;GACA,aAAa,QAAQ;GACrB,sBAAsB,QAAQ;GAC/B;;CAGH,MAAc,WAAW,aAAuC;EAC9D,MAAM,OAAO,MAAM,KAAK,SAAS;EACjC,MAAM,EAAE,cAAc,MAAMlB,sBAAS;AACrC,MAAI,CAAC,KACH,OAAM,IAAI,MAAM,2CAA2C;AAG7D,MAAI;AACF,SAAM,UAAU,aAAa,KAAK;AAClC,UAAO;WACA,GAAG;AAGV,OACE,aAAa,SACb,UAAU,KACV,OAAO,EAAE,SAAS,aACjB,EAAE,KAAK,WAAW,WAAW,IAAI,EAAE,KAAK,WAAW,WAAW,EAE/D,QAAO;AAET,SAAM;;;CAIV,MAAc,8BAA8B,EAC1C,wBACA,WAIkC;AAClC,MAAI,SAAS,aAAa;AACxB,OAAI,CAAC,KAAK,OAAO,IACf,OAAM,IAAI,MACR,iKAGD;AAGH,UAAO;IACL,GAAG;IACH,eAAe,MAAM,KAAK,0CAA0C;KAClE;KACA,gBAAgB,QAAQ;KACzB,CAAC;IACH;;AAGH,SAAO;;CAGT,MAAc,0CAA0C,EACtD,wBACA,kBAIkB;AAClB,MAAI,CAAC,eACH,OAAM,IAAI,MAAM,8BAA8B;EAGhD,MAAM,EAAE,cAAc,MAAMA,sBAAS;EAErC,MAAM,EAAE,QAAQ,kCAAkC,UAChD,uBAAuB,YACxB;AAWD,SAAOoB,sBATgC;GACrC,gBAAgB;GAChB,MAAM,uBAAuB;GAC7B,aAAa,uBAAuB;GACpC,cAAc,uBAAuB;GACrC,sBAAsB,uBAAuB;GAC7C,cAAc,uBAAuB;GACtC,EAE4B,EAC3B,UAAU,gBACX,CAAC;;CAGJ,MAAM,qBAAqB,EACzB,aACA,iBAAiBH,mBAAO,yBAAyB,IACe;AAChE,MAAI,CAAC,eACH,OAAM,IAAI,MAAM,8BAA8B;AAGhD,MAAI,YACF,QAAOE,wBAA8B,aAAa,EAChD,UAAU,gBACX,CAAC;;CAMN,MAAM,qBACJ,qBAC4B;EAC5B,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,uCAAuC,sBACxC;AAED,SAAOE,mEAA6B,KAAK;;CAG3C,MAAM,sBAAsB,EAC1B,UACwD;EACxD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KACjC,0BAA0B,OAAO,2BACjC,EAAE,CACH;AAED,SAAO,EAAE,MAAMnB,wCAAgB,KAAK,KAAK,EAAE;;CAG7C,MAAM,aAAa,aAAyC;EAC1D,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,+BAA+B,cAChC;AAED,SAAOoB,mDAAqB,KAAK;;CAGnC,MAAM,gBAAgB,SAAqD;EACzE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,+BACAC,6EAAgC,EAC9B,GAAG,SACJ,CAAC,CACH;AAED,SAAOD,mDAAqB,KAAK;;CAGnC,MAAM,YAAY,EAChB,MACA,UAC8C;EAC9C,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAGjC,0BAA0B,OAAO,8BAA8B,EAC/D,MACD,CAAC;AAEF,SAAO,EAAE,MAAMpB,wCAAgB,KAAK,KAAK,EAAE;;CAG7C,MAAM,iBAAiB,iBAAiD;EACtE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,mCAAmC,kBACpC;AAED,SAAOsB,2DAAyB,KAAK;;CAGvC,MAAM,oBACJ,SACwB;EACxB,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,mCACAC,qFAAoC,EAClC,GAAG,SACJ,CAAC,CACH;AAED,SAAOD,2DAAyB,KAAK;;CAGvC,MAAM,cAAc,SAAwD;EAC1E,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,2CACAE,wEAA8B,QAAQ,CACvC;AAED,SAAO,EAAE,MAAMxB,wCAAgB,KAAK,KAAK,EAAE;;CAG7C,MAAM,WAAW,SAA2C;EAC1D,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,0BAA0B,QAAQ,UAClCyB,kEAA2B,QAAQ,CACpC;AAED,SAAOzB,wCAAgB,KAAK;;CAG9B,MAAM,iBAAiB,SAGpB;EACD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,0BAA0B,QAAQ,OAAO,gBACzC0B,+EAAiC,QAAQ,CAC1C;AAED,SAAO;GACL,sBAAsBC,uDACpB,KAAK,sBACN;GACD,yBAAyBC,kDACvB,KAAK,yBACN;GACF;;CAGH,MAAM,gBACJ,SACqD;EACrD,MAAM,EAAE,QAAQ,GAAG,kBAAkB;AACrC,SAAO,IAAI3B,mCACT,MAAMC,kDACJ,KAAK,QACL,0BAA0B,OAAO,gBACjC2B,6CACA,cACD,GACA,WACC3B,kDACE,KAAK,QACL,0BAA0B,OAAO,gBACjC2B,6CACA,OACD,EACH,cACD;;CAGH,MAAM,qBACJ,SACuC;EACvC,MAAM,EAAE,QAAQ,GAAG,sBAAsB;AAEzC,SAAO,IAAI5B,mCACT,MAAMC,kDACJ,KAAK,QACL,0BAA0B,OAAO,iBACjC4B,wDACA,kBACD,GACA,WACC5B,kDACE,KAAK,QACL,0BAA0B,OAAO,iBACjC4B,wDACA,OACD,EACH,kBACD;;CAGH,MAAM,aACJ,QACA,SACkE;AAClE,SAAO,IAAI7B,mCACT,MAAMC,kDACJ,KAAK,QACL,0BAA0B,OAAO,YACjC6B,+CACA,UAAUC,sEAA6B,QAAQ,GAAG,OACnD,GACA,WACC9B,kDACE,KAAK,QACL,0BAA0B,OAAO,YACjC6B,+CACA,OACD,EACH,UAAUC,sEAA6B,QAAQ,GAAG,OACnD;;CAGH,MAAM,WAAW,QAAgB;AAC/B,QAAM,KAAK,OAAO,OAAO,0BAA0B,SAAS;;CAG9D,MAAM,kBAAkB,QAAqC;AAC3D,MAAI,CAAC,OACH,OAAM,IAAI,UAAU,kDAAkD;EAGxE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,0BAA0B,OAAO,aAClC;AAED,SAAOC,kDAAsB,KAAK;;CAGpC,MAAM,0BACJ,0BACiC;EACjC,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,6CAA6C,2BAC9C;AAED,SAAOC,6EAAkC,KAAK;;CAGhD,MAAM,4BACJ,SAMA;EACA,MAAM,oBACJC,qGAA4C,QAAQ;AAEtD,SAAO,IAAIlC,mCACT,MAAMC,kDAIJ,KAAK,QACL,6CACAgC,8EACA,kBACD,GACA,WACChC,kDAIE,KAAK,QACL,6CACAgC,8EACA,OACD,EACH,kBACD;;CAGH,MAAM,6BACJ,SACiC;EACjC,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,6CACAE,uGAA6C,QAAQ,CACtD;AAED,SAAOF,6EAAkC,KAAK;;CAGhD,MAAM,6BACJ,0BACA,SACiC;EACjC,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IAIjC,6CAA6C,4BAC7CG,uGAA6C,QAAQ,CACtD;AAED,SAAOH,6EAAkC,KAAK;;CAGhD,MAAM,6BACJ,0BACe;AACf,QAAM,KAAK,OAAO,OAChB,6CAA6C,2BAC9C;;CAGH,MAAM,iCACJ,0BACiC;EACjC,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,6CAA6C,yBAAyB,cACtE,EAAE,CACH;AAED,SAAOA,6EAAkC,KAAK;;CAGhD,MAAM,iCACJ,0BACiC;EACjC,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,6CAA6C,yBAAyB,cACtE,EAAE,CACH;AAED,SAAOA,6EAAkC,KAAK;;CAGhD,MAAM,cAAc,cAA2C;EAC7D,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,gCAAgC,eACjC;AAED,SAAOI,oDAAsB,KAAK;;CAGpC,MAAM,sBAAsB,iBAA8C;EACxE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,yCAAyC,kBAC1C;AAED,SAAOA,oDAAsB,KAAK;;CAGpC,MAAM,gBACJ,SACwE;AACxE,SAAO,IAAIrC,mCACT,MAAMC,kDACJ,KAAK,QACL,gCACAoC,qDACA,UAAUC,4EAAgC,QAAQ,GAAG,OACtD,GACA,WACCrC,kDACE,KAAK,QACL,gCACAoC,qDACA,OACD,EACH,UAAUC,4EAAgC,QAAQ,GAAG,OACtD;;CAGH,MAAM,eAAe,SAAqD;EACxE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,gCACAC,0EAA+B,EAC7B,GAAG,SACJ,CAAC,CACH;AAED,SAAOF,oDAAsB,KAAK;;CAGpC,MAAM,iBAAiB,cAA2C;EAChE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KACjC,gCAAgC,aAAa,UAC7C,KACD;AAED,SAAOA,oDAAsB,KAAK;;CAGpC,MAAM,iBAAiB,cAA2C;EAChE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KACjC,gCAAgC,aAAa,UAC7C,KACD;AAED,SAAOA,oDAAsB,KAAK;;CAGpC,MAAM,iBACJ,cACA,SACqB;EACrB,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,gCAAgC,aAAa,UAC7C,UAAUG,8EAAiC,QAAQ,GAAG,EAAE,CACzD;AAED,SAAOH,oDAAsB,KAAK;;CAGpC,MAAM,cAAc,SAA8C;AAChE,QAAM,KAAK,OAAO,KAChB,oCACAI,uEAA8B,QAAQ,CACvC;;;;;;;;;;;;CAaH,oBAAoB,SAAwD;EAC1E,MAAM,EACJ,cACA,eACA,qBACA,UACA,YACA,WACA,gBACA,UACA,qBACA,gBACA,QACA,aACA,OACA,eACE;EACJ,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;AAEvD,MAAI,CAAC,YAAY,CAAC,gBAAgB,CAAC,eACjC,OAAM,IAAI,UACR,kGACD;AAGH,MAAI,aAAa,aAAa,WAC5B,OAAM,IAAI,UACR,wDACD;EAGH,MAAM,QAAQC,mCAAc;GAC1B,eAAe;GACf,gBAAgB;GAChB,uBAAuB;GACvB,iBAAiB;GACjB,aAAa;GACb,YAAY;GACZ;GACA,uBAAuB;GACvB,iBAAiB;GACjB;GACA,WAAW;GACX,cAAc;GACd,eAAe;GACf;GACA,aAAa;GACd,CAAC;AAEF,SAAO,GAAG,KAAK,OAAO,QAAQ,6BAA6B;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA6B7D,MAAM,4BACJ,SAIqC;EACrC,MAAM,EACJ,UACA,cACA,YACA,WACA,gBACA,UACA,qBACA,gBACA,QACA,aACA,eACE;EACJ,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;AAEvD,MAAI,CAAC,YAAY,CAAC,gBAAgB,CAAC,eACjC,OAAM,IAAI,UACR,kGACD;AAGH,MAAI,aAAa,aAAa,WAC5B,OAAM,IAAI,UACR,wDACD;EAIH,MAAM,OAAO,MAAM,KAAK,OAAO,KAAK,UAAU;EAG9C,MAAM,QAAQ,KAAK,OAAO,KAAK,qBAAqB,GAAG;EAEvD,MAAM,QAAQA,mCAAc;GAC1B,eAAe;GACf,gBAAgB,KAAK;GACrB,uBAAuB;GACvB,iBAAiB;GACjB,aAAa;GACb,YAAY;GACZ;GACA,uBAAuB;GACvB,iBAAiB;GACjB;GACA,WAAW;GACX,cAAc;GACd,eAAe;GACf;GACA,aAAa;GACd,CAAC;AAIF,SAAO;GAAE,KAFG,GAAG,KAAK,OAAO,QAAQ,6BAA6B;GAElD;GAAO,cAAc,KAAK;GAAc;;CAGxD,aAAa,SAAmC;EAC9C,MAAM,EAAE,WAAW,aAAa;AAEhC,MAAI,CAAC,UACH,OAAM,IAAI,UAAU,qDAAqD;EAG3E,MAAM,MAAM,IAAI,IACd,oCACA,KAAK,OAAO,QACb;AAED,MAAI,aAAa,IAAI,cAAc,UAAU;AAC7C,MAAI,SACF,KAAI,aAAa,IAAI,aAAa,SAAS;AAG7C,SAAO,IAAI,UAAU;;CAGvB,WAAW,UAA0B;AACnC,MAAI,CAAC,SACH,OAAM,IAAI,UAAU,oCAAoC;AAG1D,SAAO,GAAG,KAAK,OAAO,QAAQ,YAAY"}

package/lib/{user.serializer-B8Yr_r6n.d.cts → user.serializer-BFpDaajW.d.cts}

@@ -4,4 +4,4 @@ import { n as UserResponse, t as User } from "./user.interface-CSksrToF.cjs";
 declare const deserializeUser: (user: UserResponse) => User;
 //#endregion
 export { deserializeUser as t };
-//# sourceMappingURL=user.serializer-B8Yr_r6n.d.cts.map
+//# sourceMappingURL=user.serializer-BFpDaajW.d.cts.map

package/lib/{validate-api-key.serializer-DJMNSZRi.d.cts → validate-api-key.serializer-D5zYUCcH.d.cts}

@@ -4,4 +4,4 @@ import { r as ValidateApiKeyResponse, t as SerializedValidateApiKeyResponse } fr
 declare function deserializeValidateApiKeyResponse(response: SerializedValidateApiKeyResponse): ValidateApiKeyResponse;
 //#endregion
 export { deserializeValidateApiKeyResponse as t };
-//# sourceMappingURL=validate-api-key.serializer-DJMNSZRi.d.cts.map
+//# sourceMappingURL=validate-api-key.serializer-D5zYUCcH.d.cts.map

package/lib/vault/interfaces/index.d.cts

@@ -1,11 +1,11 @@
-import { n as DataKeyPair, r as KeyContext, t as DataKey } from "../../key.interface-DWikImzG.cjs";
-import { n as CreateDataKeyResponse, t as CreateDataKeyOptions } from "../../create-data-key.interface-B-aytYEd.cjs";
-import { n as DecryptDataKeyResponse, t as DecryptDataKeyOptions } from "../../decrypt-data-key.interface-BuI1is1m.cjs";
-import { n as CreateObjectOptions, t as CreateObjectEntity } from "../../create-object.interface-Bm7L0wKq.cjs";
-import { t as DeleteObjectOptions } from "../../delete-object.interface-BJMqWLai.cjs";
-import { n as ObjectVersionResponse, t as ListObjectVersionsResponse } from "../../list-object-versions.interface-BIpsoYSF.cjs";
-import { t as ObjectDigestResponse } from "../../list-objects.interface-5d1Vw7Kl.cjs";
-import { a as VaultObject, i as ObjectVersion, n as ObjectMetadata, r as ObjectUpdateBy, t as ObjectDigest } from "../../object.interface-C0gQ84EY.cjs";
-import { n as ReadObjectOptions, r as ReadObjectResponse, t as ReadObjectMetadataResponse } from "../../read-object.interface-bYptR15L.cjs";
-import { n as UpdateObjectOptions, t as UpdateObjectEntity } from "../../update-object.interface-C8y9e8Lt.cjs";
+import { n as DataKeyPair, r as KeyContext, t as DataKey } from "../../key.interface-YLV_plqn.cjs";
+import { n as CreateDataKeyResponse, t as CreateDataKeyOptions } from "../../create-data-key.interface-CfdPFOII.cjs";
+import { n as DecryptDataKeyResponse, t as DecryptDataKeyOptions } from "../../decrypt-data-key.interface-COPJw2aD.cjs";
+import { n as CreateObjectOptions, t as CreateObjectEntity } from "../../create-object.interface-BEWdAoAU.cjs";
+import { t as DeleteObjectOptions } from "../../delete-object.interface-C9gnNWU-.cjs";
+import { n as ObjectVersionResponse, t as ListObjectVersionsResponse } from "../../list-object-versions.interface-CbrhRrmz.cjs";
+import { t as ObjectDigestResponse } from "../../list-objects.interface-CtunUutg.cjs";
+import { a as VaultObject, i as ObjectVersion, n as ObjectMetadata, r as ObjectUpdateBy, t as ObjectDigest } from "../../object.interface-Do9xg7Zv.cjs";
+import { n as ReadObjectOptions, r as ReadObjectResponse, t as ReadObjectMetadataResponse } from "../../read-object.interface-iqgpJxLj.cjs";
+import { n as UpdateObjectOptions, t as UpdateObjectEntity } from "../../update-object.interface-EhYczOkX.cjs";
 export { CreateDataKeyOptions, CreateDataKeyResponse, CreateObjectEntity, CreateObjectOptions, DataKey, DataKeyPair, DecryptDataKeyOptions, DecryptDataKeyResponse, DeleteObjectOptions, KeyContext, ListObjectVersionsResponse, ObjectDigest, ObjectDigestResponse, ObjectMetadata, ObjectUpdateBy, ObjectVersion, ObjectVersionResponse, ReadObjectMetadataResponse, ReadObjectOptions, ReadObjectResponse, UpdateObjectEntity, UpdateObjectOptions, VaultObject };

package/lib/vault/interfaces/key/create-data-key.interface.d.cts

@@ -1,2 +1,2 @@
-import { n as CreateDataKeyResponse, t as CreateDataKeyOptions } from "../../../create-data-key.interface-B-aytYEd.cjs";
+import { n as CreateDataKeyResponse, t as CreateDataKeyOptions } from "../../../create-data-key.interface-CfdPFOII.cjs";
 export { CreateDataKeyOptions, CreateDataKeyResponse };

package/lib/vault/interfaces/key/decrypt-data-key.interface.d.cts

@@ -1,2 +1,2 @@
-import { n as DecryptDataKeyResponse, t as DecryptDataKeyOptions } from "../../../decrypt-data-key.interface-BuI1is1m.cjs";
+import { n as DecryptDataKeyResponse, t as DecryptDataKeyOptions } from "../../../decrypt-data-key.interface-COPJw2aD.cjs";
 export { DecryptDataKeyOptions, DecryptDataKeyResponse };

package/lib/vault/interfaces/key.interface.d.cts

@@ -1,2 +1,2 @@
-import { n as DataKeyPair, r as KeyContext, t as DataKey } from "../../key.interface-DWikImzG.cjs";
+import { n as DataKeyPair, r as KeyContext, t as DataKey } from "../../key.interface-YLV_plqn.cjs";
 export { DataKey, DataKeyPair, KeyContext };

package/lib/vault/interfaces/object/create-object.interface.d.cts

@@ -1,2 +1,2 @@
-import { n as CreateObjectOptions, t as CreateObjectEntity } from "../../../create-object.interface-Bm7L0wKq.cjs";
+import { n as CreateObjectOptions, t as CreateObjectEntity } from "../../../create-object.interface-BEWdAoAU.cjs";
 export { CreateObjectEntity, CreateObjectOptions };

package/lib/vault/interfaces/object/delete-object.interface.d.cts

@@ -1,2 +1,2 @@
-import { t as DeleteObjectOptions } from "../../../delete-object.interface-BJMqWLai.cjs";
+import { t as DeleteObjectOptions } from "../../../delete-object.interface-C9gnNWU-.cjs";
 export { DeleteObjectOptions };

package/lib/vault/interfaces/object/list-object-versions.interface.d.cts

@@ -1,2 +1,2 @@
-import { n as ObjectVersionResponse, t as ListObjectVersionsResponse } from "../../../list-object-versions.interface-BIpsoYSF.cjs";
+import { n as ObjectVersionResponse, t as ListObjectVersionsResponse } from "../../../list-object-versions.interface-CbrhRrmz.cjs";
 export { ListObjectVersionsResponse, ObjectVersionResponse };

package/lib/vault/interfaces/object/list-objects.interface.d.cts

@@ -1,2 +1,2 @@
-import { t as ObjectDigestResponse } from "../../../list-objects.interface-5d1Vw7Kl.cjs";
+import { t as ObjectDigestResponse } from "../../../list-objects.interface-CtunUutg.cjs";
 export { ObjectDigestResponse };

package/lib/vault/interfaces/object/read-object.interface.d.cts

@@ -1,2 +1,2 @@
-import { n as ReadObjectOptions, r as ReadObjectResponse, t as ReadObjectMetadataResponse } from "../../../read-object.interface-bYptR15L.cjs";
+import { n as ReadObjectOptions, r as ReadObjectResponse, t as ReadObjectMetadataResponse } from "../../../read-object.interface-iqgpJxLj.cjs";
 export { ReadObjectMetadataResponse, ReadObjectOptions, ReadObjectResponse };

package/lib/vault/interfaces/object/update-object.interface.d.cts

@@ -1,2 +1,2 @@
-import { n as UpdateObjectOptions, t as UpdateObjectEntity } from "../../../update-object.interface-C8y9e8Lt.cjs";
+import { n as UpdateObjectOptions, t as UpdateObjectEntity } from "../../../update-object.interface-EhYczOkX.cjs";
 export { UpdateObjectEntity, UpdateObjectOptions };

package/lib/vault/interfaces/object.interface.d.cts

@@ -1,2 +1,2 @@
-import { a as VaultObject, i as ObjectVersion, n as ObjectMetadata, r as ObjectUpdateBy, t as ObjectDigest } from "../../object.interface-C0gQ84EY.cjs";
+import { a as VaultObject, i as ObjectVersion, n as ObjectMetadata, r as ObjectUpdateBy, t as ObjectDigest } from "../../object.interface-Do9xg7Zv.cjs";
 export { ObjectDigest, ObjectMetadata, ObjectUpdateBy, ObjectVersion, VaultObject };

package/lib/vault/serializers/vault-key.serializer.d.cts

@@ -1,6 +1,6 @@
-import { n as DataKeyPair, t as DataKey } from "../../key.interface-DWikImzG.cjs";
-import { n as CreateDataKeyResponse } from "../../create-data-key.interface-B-aytYEd.cjs";
-import { n as DecryptDataKeyResponse } from "../../decrypt-data-key.interface-BuI1is1m.cjs";
+import { n as DataKeyPair, t as DataKey } from "../../key.interface-YLV_plqn.cjs";
+import { n as CreateDataKeyResponse } from "../../create-data-key.interface-CfdPFOII.cjs";
+import { n as DecryptDataKeyResponse } from "../../decrypt-data-key.interface-COPJw2aD.cjs";
 
 //#region src/vault/serializers/vault-key.serializer.d.ts
 declare const deserializeCreateDataKeyResponse: (key: CreateDataKeyResponse) => DataKeyPair;

package/lib/vault/serializers/vault-object.serializer.d.cts

@@ -1,10 +1,10 @@
-import { n as ListResponse, t as List } from "../../list.interface-D2Q6nKBO.cjs";
-import { n as CreateObjectOptions, t as CreateObjectEntity } from "../../create-object.interface-Bm7L0wKq.cjs";
-import { t as ListObjectVersionsResponse } from "../../list-object-versions.interface-BIpsoYSF.cjs";
-import { t as ObjectDigestResponse } from "../../list-objects.interface-5d1Vw7Kl.cjs";
-import { a as VaultObject, i as ObjectVersion, n as ObjectMetadata, t as ObjectDigest } from "../../object.interface-C0gQ84EY.cjs";
-import { r as ReadObjectResponse, t as ReadObjectMetadataResponse } from "../../read-object.interface-bYptR15L.cjs";
-import { n as UpdateObjectOptions, t as UpdateObjectEntity } from "../../update-object.interface-C8y9e8Lt.cjs";
+import { n as ListResponse, t as List } from "../../list.interface-I2r4xhuH.cjs";
+import { n as CreateObjectOptions, t as CreateObjectEntity } from "../../create-object.interface-BEWdAoAU.cjs";
+import { t as ListObjectVersionsResponse } from "../../list-object-versions.interface-CbrhRrmz.cjs";
+import { t as ObjectDigestResponse } from "../../list-objects.interface-CtunUutg.cjs";
+import { a as VaultObject, i as ObjectVersion, n as ObjectMetadata, t as ObjectDigest } from "../../object.interface-Do9xg7Zv.cjs";
+import { r as ReadObjectResponse, t as ReadObjectMetadataResponse } from "../../read-object.interface-iqgpJxLj.cjs";
+import { n as UpdateObjectOptions, t as UpdateObjectEntity } from "../../update-object.interface-EhYczOkX.cjs";
 
 //#region src/vault/serializers/vault-object.serializer.d.ts
 declare const deserializeObjectMetadata: (metadata: ReadObjectMetadataResponse) => ObjectMetadata;

package/lib/vault/vault.d.cts

@@ -1,2 +1,2 @@
-import { r as Vault } from "../api-keys-CSDwj0TW.cjs";
+import { r as Vault } from "../api-keys-FoD7rQEa.cjs";
 export { Vault };

package/lib/{verify-challenge-options-Cnd5QHmo.d.cts → verify-challenge-options-CkbCUSJv.d.cts}

@@ -5,4 +5,4 @@ interface VerifyChallengeOptions {
 }
 //#endregion
 export { VerifyChallengeOptions as t };
-//# sourceMappingURL=verify-challenge-options-Cnd5QHmo.d.cts.map
+//# sourceMappingURL=verify-challenge-options-CkbCUSJv.d.cts.map

package/lib/{verify-challenge-response-Cxjr42mg.d.cts → verify-challenge-response-Dlb5HPTC.d.cts}

@@ -1,4 +1,4 @@
-import { n as ChallengeResponse, t as Challenge } from "./challenge.interface-UNMAxHWR.cjs";
+import { n as ChallengeResponse, t as Challenge } from "./challenge.interface-Dm34-dD_.cjs";
 
 //#region src/mfa/interfaces/verify-challenge-response.d.ts
 interface VerifyResponse {
@@ -11,4 +11,4 @@ interface VerifyResponseResponse {
 }
 //#endregion
 export { VerifyResponseResponse as n, VerifyResponse as t };
-//# sourceMappingURL=verify-challenge-response-Cxjr42mg.d.cts.map
+//# sourceMappingURL=verify-challenge-response-Dlb5HPTC.d.cts.map

package/lib/{verify-response.serializer-l6VbQpg3.d.cts → verify-response.serializer-CFug_fb9.d.cts}

@@ -1,7 +1,7 @@
-import { n as VerifyResponseResponse, t as VerifyResponse } from "./verify-challenge-response-Cxjr42mg.cjs";
+import { n as VerifyResponseResponse, t as VerifyResponse } from "./verify-challenge-response-Dlb5HPTC.cjs";
 
 //#region src/mfa/serializers/verify-response.serializer.d.ts
 declare const deserializeVerifyResponse: (verifyResponse: VerifyResponseResponse) => VerifyResponse;
 //#endregion
 export { deserializeVerifyResponse as t };
-//# sourceMappingURL=verify-response.serializer-l6VbQpg3.d.cts.map
+//# sourceMappingURL=verify-response.serializer-CFug_fb9.d.cts.map

package/lib/{warning.interface-D8U1ON2d.d.cts → warning.interface-9qt63wBc.d.cts}

@@ -10,4 +10,4 @@ interface MissingContextKeysWarning extends BaseWarning {
 type Warning = BaseWarning | MissingContextKeysWarning;
 //#endregion
 export { MissingContextKeysWarning as n, Warning as r, BaseWarning as t };
-//# sourceMappingURL=warning.interface-D8U1ON2d.d.cts.map
+//# sourceMappingURL=warning.interface-9qt63wBc.d.cts.map

package/lib/{warrant-op.enum-2bx2ed9X.d.cts → warrant-op.enum-CYwLWhRz.d.cts}

@@ -5,4 +5,4 @@ declare enum WarrantOp {
 }
 //#endregion
 export { WarrantOp as t };
-//# sourceMappingURL=warrant-op.enum-2bx2ed9X.d.cts.map
+//# sourceMappingURL=warrant-op.enum-CYwLWhRz.d.cts.map

package/lib/{warrant-token.interface-NdVyFw9l.d.cts → warrant-token.interface-BhaSf4pQ.d.cts}

@@ -7,4 +7,4 @@ interface WarrantTokenResponse {
 }
 //#endregion
 export { WarrantTokenResponse as n, WarrantToken as t };
-//# sourceMappingURL=warrant-token.interface-NdVyFw9l.d.cts.map
+//# sourceMappingURL=warrant-token.interface-BhaSf4pQ.d.cts.map

package/lib/{warrant-token.serializer-DPrcN4qY.d.cts → warrant-token.serializer-ron-g41a.d.cts}

@@ -1,7 +1,7 @@
-import { n as WarrantTokenResponse, t as WarrantToken } from "./warrant-token.interface-NdVyFw9l.cjs";
+import { n as WarrantTokenResponse, t as WarrantToken } from "./warrant-token.interface-BhaSf4pQ.cjs";
 
 //#region src/fga/serializers/warrant-token.serializer.d.ts
 declare const deserializeWarrantToken: (warrantToken: WarrantTokenResponse) => WarrantToken;
 //#endregion
 export { deserializeWarrantToken as t };
-//# sourceMappingURL=warrant-token.serializer-DPrcN4qY.d.cts.map
+//# sourceMappingURL=warrant-token.serializer-ron-g41a.d.cts.map

package/lib/{warrant.interface-DgQN4yxm.d.cts → warrant.interface-5GMD1PlN.d.cts}

@@ -1,6 +1,6 @@
-import { t as GetOptions } from "./get-options.interface-DoL0T9e1.cjs";
-import { c as ResourceInterface, l as ResourceOptions } from "./resource.interface-DSxkG9Jg.cjs";
-import { t as WarrantOp } from "./warrant-op.enum-2bx2ed9X.cjs";
+import { t as GetOptions } from "./get-options.interface-BsU2gWu0.cjs";
+import { c as ResourceInterface, l as ResourceOptions } from "./resource.interface-DdilIYi7.cjs";
+import { t as WarrantOp } from "./warrant-op.enum-CYwLWhRz.cjs";
 
 //#region src/fga/interfaces/warrant.interface.d.ts
 interface ListWarrantsOptions {
@@ -68,4 +68,4 @@ interface WarrantResponse {
 }
 //#endregion
 export { SerializedSubject as a, Warrant as c, SerializedListWarrantsOptions as i, WarrantResponse as l, ListWarrantsRequestOptions as n, SerializedWriteWarrantOptions as o, PolicyContext as r, Subject as s, ListWarrantsOptions as t, WriteWarrantOptions as u };
-//# sourceMappingURL=warrant.interface-DgQN4yxm.d.cts.map
+//# sourceMappingURL=warrant.interface-5GMD1PlN.d.cts.map

package/lib/{warrant.serializer-BX6Tonfl.d.cts → warrant.serializer-OpTafbUe.d.cts}

@@ -1,7 +1,7 @@
-import { c as Warrant, l as WarrantResponse } from "./warrant.interface-DgQN4yxm.cjs";
+import { c as Warrant, l as WarrantResponse } from "./warrant.interface-5GMD1PlN.cjs";
 
 //#region src/fga/serializers/warrant.serializer.d.ts
 declare const deserializeWarrant: (warrant: WarrantResponse) => Warrant;
 //#endregion
 export { deserializeWarrant as t };
-//# sourceMappingURL=warrant.serializer-BX6Tonfl.d.cts.map
+//# sourceMappingURL=warrant.serializer-OpTafbUe.d.cts.map

package/lib/webhooks/webhooks.cjs

@@ -1,3 +1,3 @@
-const require_webhooks = require('../webhooks-DX8LtZMD.cjs');
+const require_webhooks = require('../webhooks-wNAbF-1o.cjs');
 
 exports.Webhooks = require_webhooks.Webhooks;

package/lib/webhooks/webhooks.d.cts

@@ -1,2 +1,2 @@
-import { t as Webhooks } from "../webhooks-2-hbZwWC.cjs";
+import { t as Webhooks } from "../webhooks-D2t2W-Z_.cjs";
 export { Webhooks };

package/lib/{webhooks-2-hbZwWC.d.cts → webhooks-D2t2W-Z_.d.cts}

@@ -1,5 +1,5 @@
 import { t as CryptoProvider } from "./crypto-provider-EnxiazDt.cjs";
-import { ct as Event } from "./index-DYVTG9fR.cjs";
+import { ct as Event } from "./index-zd2lGEmr.cjs";
 
 //#region src/webhooks/webhooks.d.ts
 declare class Webhooks {
@@ -32,4 +32,4 @@ declare class Webhooks {
 }
 //#endregion
 export { Webhooks as t };
-//# sourceMappingURL=webhooks-2-hbZwWC.d.cts.map
+//# sourceMappingURL=webhooks-D2t2W-Z_.d.cts.map

package/lib/{webhooks-DX8LtZMD.cjs → webhooks-wNAbF-1o.cjs}

@@ -1,4 +1,4 @@
-const require_event_serializer = require('./event.serializer-Cn5xAuN9.cjs');
+const require_event_serializer = require('./event.serializer-DQe8qLHH.cjs');
 const require_signature_provider = require('./signature-provider-DBHzmT8N.cjs');
 
 //#region src/webhooks/webhooks.ts
@@ -35,4 +35,4 @@ Object.defineProperty(exports, 'Webhooks', {
     return Webhooks;
   }
 });
-//# sourceMappingURL=webhooks-DX8LtZMD.cjs.map
+//# sourceMappingURL=webhooks-wNAbF-1o.cjs.map

package/lib/{webhooks-DX8LtZMD.cjs.map → webhooks-wNAbF-1o.cjs.map}

@@ -1 +1 @@
-{"version":3,"file":"webhooks-DX8LtZMD.cjs","names":["SignatureProvider","deserializeEvent"],"sources":["../src/webhooks/webhooks.ts"],"sourcesContent":["import { deserializeEvent } from '../common/serializers';\nimport { Event, EventResponse } from '../common/interfaces';\nimport { SignatureProvider } from '../common/crypto/signature-provider';\nimport { CryptoProvider } from '../common/crypto/crypto-provider';\n\nexport class Webhooks {\n  private signatureProvider: SignatureProvider;\n\n  constructor(cryptoProvider: CryptoProvider) {\n    this.signatureProvider = new SignatureProvider(cryptoProvider);\n  }\n\n  get verifyHeader() {\n    return this.signatureProvider.verifyHeader.bind(this.signatureProvider);\n  }\n\n  get computeSignature() {\n    return this.signatureProvider.computeSignature.bind(this.signatureProvider);\n  }\n\n  get getTimestampAndSignatureHash() {\n    return this.signatureProvider.getTimestampAndSignatureHash.bind(\n      this.signatureProvider,\n    );\n  }\n\n  async constructEvent({\n    payload,\n    sigHeader,\n    secret,\n    tolerance = 180000,\n  }: {\n    payload: Record<string, unknown>;\n    sigHeader: string;\n    secret: string;\n    tolerance?: number;\n  }): Promise<Event> {\n    const options = { payload, sigHeader, secret, tolerance };\n    await this.verifyHeader(options);\n\n    const webhookPayload = payload as unknown as EventResponse;\n\n    return deserializeEvent(webhookPayload);\n  }\n}\n"],"mappings":";;;;AAKA,IAAa,WAAb,MAAsB;CACpB,AAAQ;CAER,YAAY,gBAAgC;AAC1C,OAAK,oBAAoB,IAAIA,6CAAkB,eAAe;;CAGhE,IAAI,eAAe;AACjB,SAAO,KAAK,kBAAkB,aAAa,KAAK,KAAK,kBAAkB;;CAGzE,IAAI,mBAAmB;AACrB,SAAO,KAAK,kBAAkB,iBAAiB,KAAK,KAAK,kBAAkB;;CAG7E,IAAI,+BAA+B;AACjC,SAAO,KAAK,kBAAkB,6BAA6B,KACzD,KAAK,kBACN;;CAGH,MAAM,eAAe,EACnB,SACA,WACA,QACA,YAAY,QAMK;EACjB,MAAM,UAAU;GAAE;GAAS;GAAW;GAAQ;GAAW;AACzD,QAAM,KAAK,aAAa,QAAQ;AAIhC,SAAOC,0CAFgB,QAEgB"}
+{"version":3,"file":"webhooks-wNAbF-1o.cjs","names":["SignatureProvider","deserializeEvent"],"sources":["../src/webhooks/webhooks.ts"],"sourcesContent":["import { deserializeEvent } from '../common/serializers';\nimport { Event, EventResponse } from '../common/interfaces';\nimport { SignatureProvider } from '../common/crypto/signature-provider';\nimport { CryptoProvider } from '../common/crypto/crypto-provider';\n\nexport class Webhooks {\n  private signatureProvider: SignatureProvider;\n\n  constructor(cryptoProvider: CryptoProvider) {\n    this.signatureProvider = new SignatureProvider(cryptoProvider);\n  }\n\n  get verifyHeader() {\n    return this.signatureProvider.verifyHeader.bind(this.signatureProvider);\n  }\n\n  get computeSignature() {\n    return this.signatureProvider.computeSignature.bind(this.signatureProvider);\n  }\n\n  get getTimestampAndSignatureHash() {\n    return this.signatureProvider.getTimestampAndSignatureHash.bind(\n      this.signatureProvider,\n    );\n  }\n\n  async constructEvent({\n    payload,\n    sigHeader,\n    secret,\n    tolerance = 180000,\n  }: {\n    payload: Record<string, unknown>;\n    sigHeader: string;\n    secret: string;\n    tolerance?: number;\n  }): Promise<Event> {\n    const options = { payload, sigHeader, secret, tolerance };\n    await this.verifyHeader(options);\n\n    const webhookPayload = payload as unknown as EventResponse;\n\n    return deserializeEvent(webhookPayload);\n  }\n}\n"],"mappings":";;;;AAKA,IAAa,WAAb,MAAsB;CACpB,AAAQ;CAER,YAAY,gBAAgC;AAC1C,OAAK,oBAAoB,IAAIA,6CAAkB,eAAe;;CAGhE,IAAI,eAAe;AACjB,SAAO,KAAK,kBAAkB,aAAa,KAAK,KAAK,kBAAkB;;CAGzE,IAAI,mBAAmB;AACrB,SAAO,KAAK,kBAAkB,iBAAiB,KAAK,KAAK,kBAAkB;;CAG7E,IAAI,+BAA+B;AACjC,SAAO,KAAK,kBAAkB,6BAA6B,KACzD,KAAK,kBACN;;CAGH,MAAM,eAAe,EACnB,SACA,WACA,QACA,YAAY,QAMK;EACjB,MAAM,UAAU;GAAE;GAAS;GAAW;GAAQ;GAAW;AACzD,QAAM,KAAK,aAAa,QAAQ;AAIhC,SAAOC,0CAFgB,QAEgB"}

package/lib/widgets/interfaces/get-token.d.cts

@@ -1,2 +1,2 @@
-import { a as WidgetScope, i as SerializedGetTokenOptions, n as GetTokenResponse, o as deserializeGetTokenResponse, r as GetTokenResponseResponse, s as serializeGetTokenOptions, t as GetTokenOptions } from "../../get-token-xmqdj8Zh.cjs";
+import { a as WidgetScope, i as SerializedGetTokenOptions, n as GetTokenResponse, o as deserializeGetTokenResponse, r as GetTokenResponseResponse, s as serializeGetTokenOptions, t as GetTokenOptions } from "../../get-token-YoisQSFe.cjs";
 export { GetTokenOptions, GetTokenResponse, GetTokenResponseResponse, SerializedGetTokenOptions, WidgetScope, deserializeGetTokenResponse, serializeGetTokenOptions };

package/lib/widgets/widgets.d.cts

@@ -1,2 +1,2 @@
-import { f as Widgets } from "../api-keys-CSDwj0TW.cjs";
+import { f as Widgets } from "../api-keys-FoD7rQEa.cjs";
 export { Widgets };