@workos-inc/node 8.8.0 → 8.9.0

package/lib/factory-DlHvKYOI.cjs

@@ -0,0 +1,4914 @@
+//#region src/common/crypto/crypto-provider.ts
+/**
+* Interface encapsulating the various crypto computations used by the library,
+* allowing pluggable underlying crypto implementations.
+*/
+var CryptoProvider = class {
+	encoder = new TextEncoder();
+};
+//#endregion
+//#region src/common/crypto/subtle-crypto-provider.ts
+/**
+* `CryptoProvider which uses the SubtleCrypto interface of the Web Crypto API.
+*
+* This only supports asynchronous operations.
+*/
+var SubtleCryptoProvider = class extends CryptoProvider {
+	subtleCrypto;
+	constructor(subtleCrypto) {
+		super();
+		this.subtleCrypto = subtleCrypto || crypto.subtle;
+	}
+	computeHMACSignature(_payload, _secret) {
+		throw new Error("SubleCryptoProvider cannot be used in a synchronous context.");
+	}
+	/** @override */
+	async computeHMACSignatureAsync(payload, secret) {
+		const encoder = new TextEncoder();
+		const key = await this.subtleCrypto.importKey("raw", encoder.encode(secret), {
+			name: "HMAC",
+			hash: { name: "SHA-256" }
+		}, false, ["sign"]);
+		const signatureBuffer = await this.subtleCrypto.sign("hmac", key, encoder.encode(payload));
+		const signatureBytes = new Uint8Array(signatureBuffer);
+		const signatureHexCodes = new Array(signatureBytes.length);
+		for (let i = 0; i < signatureBytes.length; i++) signatureHexCodes[i] = byteHexMapping[signatureBytes[i]];
+		return signatureHexCodes.join("");
+	}
+	/** @override */
+	async secureCompare(stringA, stringB) {
+		const bufferA = this.encoder.encode(stringA);
+		const bufferB = this.encoder.encode(stringB);
+		if (bufferA.length !== bufferB.length) return false;
+		const algorithm = {
+			name: "HMAC",
+			hash: "SHA-256"
+		};
+		const key = await crypto.subtle.generateKey(algorithm, false, ["sign", "verify"]);
+		const hmac = await crypto.subtle.sign(algorithm, key, bufferA);
+		return await crypto.subtle.verify(algorithm, key, hmac, bufferB);
+	}
+	async encrypt(plaintext, key, iv, aad) {
+		const actualIv = iv || crypto.getRandomValues(new Uint8Array(32));
+		const cryptoKey = await this.subtleCrypto.importKey("raw", key, { name: "AES-GCM" }, false, ["encrypt"]);
+		const encryptParams = {
+			name: "AES-GCM",
+			iv: actualIv
+		};
+		if (aad) encryptParams.additionalData = aad;
+		const encryptedData = await this.subtleCrypto.encrypt(encryptParams, cryptoKey, plaintext);
+		const encryptedBytes = new Uint8Array(encryptedData);
+		const tagStart = encryptedBytes.length - 16;
+		const tag = encryptedBytes.slice(tagStart);
+		return {
+			ciphertext: encryptedBytes.slice(0, tagStart),
+			iv: actualIv,
+			tag
+		};
+	}
+	async decrypt(ciphertext, key, iv, tag, aad) {
+		const combinedData = new Uint8Array(ciphertext.length + tag.length);
+		combinedData.set(ciphertext, 0);
+		combinedData.set(tag, ciphertext.length);
+		const cryptoKey = await this.subtleCrypto.importKey("raw", key, { name: "AES-GCM" }, false, ["decrypt"]);
+		const decryptParams = {
+			name: "AES-GCM",
+			iv
+		};
+		if (aad) decryptParams.additionalData = aad;
+		const decryptedData = await this.subtleCrypto.decrypt(decryptParams, cryptoKey, combinedData);
+		return new Uint8Array(decryptedData);
+	}
+	randomBytes(length) {
+		const bytes = new Uint8Array(length);
+		crypto.getRandomValues(bytes);
+		return bytes;
+	}
+	randomUUID() {
+		if (typeof crypto !== "undefined" && typeof crypto.randomUUID === "function") return crypto.randomUUID();
+		const bytes = this.randomBytes(16);
+		bytes[6] = bytes[6] & 15 | 64;
+		bytes[8] = bytes[8] & 63 | 128;
+		const hex = Array.from(bytes, (b) => byteHexMapping[b]).join("");
+		return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20)}`;
+	}
+};
+const byteHexMapping = new Array(256);
+for (let i = 0; i < byteHexMapping.length; i++) byteHexMapping[i] = i.toString(16).padStart(2, "0");
+//#endregion
+//#region src/common/net/http-client.ts
+var HttpClient = class HttpClient {
+	MAX_RETRY_ATTEMPTS = 3;
+	BACKOFF_MULTIPLIER = 1.5;
+	MINIMUM_SLEEP_TIME_IN_MILLISECONDS = 500;
+	RETRY_STATUS_CODES = [
+		408,
+		500,
+		502,
+		504
+	];
+	constructor(baseURL, options) {
+		this.baseURL = baseURL;
+		this.options = options;
+	}
+	/** The HTTP client name used for diagnostics */
+	getClientName() {
+		throw new Error("getClientName not implemented");
+	}
+	addClientToUserAgent(userAgent) {
+		if (userAgent.indexOf(" ") > -1) return userAgent.replace(/\b\s/, `/${this.getClientName()} `);
+		else return userAgent += `/${this.getClientName()}`;
+	}
+	static getResourceURL(baseURL, path, params) {
+		const queryString = HttpClient.getQueryString(params);
+		return new URL([path, queryString].filter(Boolean).join("?"), baseURL).toString();
+	}
+	static getQueryString(queryObj) {
+		if (!queryObj) return void 0;
+		const sanitizedQueryObj = {};
+		Object.entries(queryObj).forEach(([param, value]) => {
+			if (value !== null && value !== void 0 && value !== "") sanitizedQueryObj[param] = value;
+		});
+		return new URLSearchParams(sanitizedQueryObj).toString();
+	}
+	static getContentTypeHeader(entity) {
+		if (entity instanceof URLSearchParams) return { "Content-Type": "application/x-www-form-urlencoded;charset=utf-8" };
+	}
+	static getBody(entity) {
+		if (entity === null || entity instanceof URLSearchParams) return entity;
+		return JSON.stringify(entity);
+	}
+	static isPathRetryable(path) {
+		return path.startsWith("/fga/") || path.startsWith("/vault/") || path.startsWith("/audit_logs/events");
+	}
+	getSleepTimeInMilliseconds(retryAttempt) {
+		return this.MINIMUM_SLEEP_TIME_IN_MILLISECONDS * Math.pow(this.BACKOFF_MULTIPLIER, retryAttempt) * (Math.random() + .5);
+	}
+	sleep = (retryAttempt) => new Promise((resolve) => setTimeout(resolve, this.getSleepTimeInMilliseconds(retryAttempt)));
+};
+var HttpClientResponse = class {
+	_statusCode;
+	_headers;
+	constructor(statusCode, headers) {
+		this._statusCode = statusCode;
+		this._headers = headers;
+	}
+	getStatusCode() {
+		return this._statusCode;
+	}
+	getHeaders() {
+		return this._headers;
+	}
+};
+var HttpClientError = class extends Error {
+	name = "HttpClientError";
+	message = "The request could not be completed.";
+	response;
+	constructor({ message, response }) {
+		super(message);
+		this.message = message;
+		this.response = response;
+	}
+};
+//#endregion
+//#region src/common/exceptions/parse-error.ts
+var ParseError = class extends Error {
+	name = "ParseError";
+	status = 500;
+	rawBody;
+	rawStatus;
+	requestID;
+	constructor({ message, rawBody, rawStatus, requestID }) {
+		super(message);
+		this.rawBody = rawBody;
+		this.rawStatus = rawStatus;
+		this.requestID = requestID;
+	}
+};
+//#endregion
+//#region src/common/net/fetch-client.ts
+const DEFAULT_FETCH_TIMEOUT = 6e4;
+var FetchHttpClient = class extends HttpClient {
+	_fetchFn;
+	constructor(baseURL, options, fetchFn) {
+		super(baseURL, options);
+		this.baseURL = baseURL;
+		this.options = options;
+		if (!fetchFn) {
+			if (!globalThis.fetch) throw new Error("Fetch function not defined in the global scope and no replacement was provided.");
+			fetchFn = globalThis.fetch;
+		}
+		this._fetchFn = fetchFn.bind(globalThis);
+	}
+	/** @override */
+	getClientName() {
+		return "fetch";
+	}
+	async get(path, options) {
+		const resourceURL = HttpClient.getResourceURL(this.baseURL, path, options.params);
+		if (HttpClient.isPathRetryable(path)) return await this.fetchRequestWithRetry(resourceURL, "GET", null, options.headers);
+		else return await this.fetchRequest(resourceURL, "GET", null, options.headers);
+	}
+	async post(path, entity, options) {
+		const resourceURL = HttpClient.getResourceURL(this.baseURL, path, options.params);
+		if (HttpClient.isPathRetryable(path)) return await this.fetchRequestWithRetry(resourceURL, "POST", HttpClient.getBody(entity), {
+			...HttpClient.getContentTypeHeader(entity),
+			...options.headers
+		});
+		else return await this.fetchRequest(resourceURL, "POST", HttpClient.getBody(entity), {
+			...HttpClient.getContentTypeHeader(entity),
+			...options.headers
+		});
+	}
+	async put(path, entity, options) {
+		const resourceURL = HttpClient.getResourceURL(this.baseURL, path, options.params);
+		if (HttpClient.isPathRetryable(path)) return await this.fetchRequestWithRetry(resourceURL, "PUT", HttpClient.getBody(entity), {
+			...HttpClient.getContentTypeHeader(entity),
+			...options.headers
+		});
+		else return await this.fetchRequest(resourceURL, "PUT", HttpClient.getBody(entity), {
+			...HttpClient.getContentTypeHeader(entity),
+			...options.headers
+		});
+	}
+	async patch(path, entity, options) {
+		const resourceURL = HttpClient.getResourceURL(this.baseURL, path, options.params);
+		if (HttpClient.isPathRetryable(path)) return await this.fetchRequestWithRetry(resourceURL, "PATCH", HttpClient.getBody(entity), {
+			...HttpClient.getContentTypeHeader(entity),
+			...options.headers
+		});
+		else return await this.fetchRequest(resourceURL, "PATCH", HttpClient.getBody(entity), {
+			...HttpClient.getContentTypeHeader(entity),
+			...options.headers
+		});
+	}
+	async delete(path, options) {
+		const resourceURL = HttpClient.getResourceURL(this.baseURL, path, options.params);
+		if (HttpClient.isPathRetryable(path)) return await this.fetchRequestWithRetry(resourceURL, "DELETE", null, options.headers);
+		else return await this.fetchRequest(resourceURL, "DELETE", null, options.headers);
+	}
+	async deleteWithBody(path, entity, options) {
+		const resourceURL = HttpClient.getResourceURL(this.baseURL, path, options.params);
+		if (HttpClient.isPathRetryable(path)) return await this.fetchRequestWithRetry(resourceURL, "DELETE", HttpClient.getBody(entity), {
+			...HttpClient.getContentTypeHeader(entity),
+			...options.headers
+		});
+		else return await this.fetchRequest(resourceURL, "DELETE", HttpClient.getBody(entity), {
+			...HttpClient.getContentTypeHeader(entity),
+			...options.headers
+		});
+	}
+	async fetchRequest(url, method, body, headers) {
+		const requestBody = body || (method === "POST" || method === "PUT" || method === "PATCH" ? "" : void 0);
+		const { "User-Agent": userAgent } = this.options?.headers || {};
+		const timeout = this.options?.timeout ?? DEFAULT_FETCH_TIMEOUT;
+		const abortController = new AbortController();
+		const timeoutId = setTimeout(() => {
+			abortController?.abort();
+		}, timeout);
+		try {
+			const res = await this._fetchFn(url, {
+				method,
+				headers: {
+					Accept: "application/json, text/plain, */*",
+					"Content-Type": "application/json",
+					...this.options?.headers,
+					...headers,
+					"User-Agent": this.addClientToUserAgent((userAgent || "workos-node").toString())
+				},
+				body: requestBody,
+				signal: abortController?.signal
+			});
+			if (timeoutId) clearTimeout(timeoutId);
+			if (!res.ok) {
+				const requestID = res.headers.get("X-Request-ID") ?? "";
+				const rawBody = await res.text();
+				let responseJson;
+				try {
+					responseJson = JSON.parse(rawBody);
+				} catch (error) {
+					if (error instanceof SyntaxError) throw new ParseError({
+						message: error.message,
+						rawBody,
+						requestID,
+						rawStatus: res.status
+					});
+					throw error;
+				}
+				throw new HttpClientError({
+					message: res.statusText,
+					response: {
+						status: res.status,
+						headers: res.headers,
+						data: responseJson
+					}
+				});
+			}
+			return new FetchHttpClientResponse(res);
+		} catch (error) {
+			if (timeoutId) clearTimeout(timeoutId);
+			if (error instanceof Error && error.name === "AbortError") throw new HttpClientError({
+				message: `Request timeout after ${timeout}ms`,
+				response: {
+					status: 408,
+					headers: {},
+					data: { error: "Request timeout" }
+				}
+			});
+			throw error;
+		}
+	}
+	async fetchRequestWithRetry(url, method, body, headers) {
+		let response;
+		let retryAttempts = 1;
+		const makeRequest = async () => {
+			let requestError = null;
+			try {
+				response = await this.fetchRequest(url, method, body, headers);
+			} catch (e) {
+				requestError = e;
+			}
+			if (this.shouldRetryRequest(requestError, retryAttempts)) {
+				retryAttempts++;
+				await this.sleep(retryAttempts);
+				return makeRequest();
+			}
+			if (requestError != null) throw requestError;
+			return response;
+		};
+		return makeRequest();
+	}
+	shouldRetryRequest(requestError, retryAttempt) {
+		if (retryAttempt > this.MAX_RETRY_ATTEMPTS) return false;
+		if (requestError != null) {
+			if (requestError instanceof TypeError) return true;
+			if (requestError instanceof HttpClientError && this.RETRY_STATUS_CODES.includes(requestError.response.status)) return true;
+		}
+		return false;
+	}
+};
+var FetchHttpClientResponse = class FetchHttpClientResponse extends HttpClientResponse {
+	_res;
+	constructor(res) {
+		super(res.status, FetchHttpClientResponse._transformHeadersToObject(res.headers));
+		this._res = res;
+	}
+	getRawResponse() {
+		return this._res;
+	}
+	toJSON() {
+		return this._res.headers.get("content-type")?.includes("application/json") ? this._res.json() : null;
+	}
+	static _transformHeadersToObject(headers) {
+		const headersObj = {};
+		for (const entry of Object.entries(headers)) {
+			if (!Array.isArray(entry) || entry.length !== 2) throw new Error("Response objects produced by the fetch function given to FetchHttpClient do not have an iterable headers map. Response#headers should be an iterable object.");
+			headersObj[entry[0]] = entry[1];
+		}
+		return headersObj;
+	}
+};
+//#endregion
+//#region src/common/exceptions/api-key-required.exception.ts
+var ApiKeyRequiredException = class extends Error {
+	status = 403;
+	name = "ApiKeyRequiredException";
+	path;
+	constructor(path) {
+		super(`API key required for "${path}". For server-side apps, initialize with: new WorkOS("sk_..."). For browser/mobile/CLI apps, use authenticateWithCodeAndVerifier() and authenticateWithRefreshToken() which work without an API key.`);
+		this.path = path;
+	}
+};
+//#endregion
+//#region src/common/exceptions/generic-server.exception.ts
+var GenericServerException = class extends Error {
+	name = "GenericServerException";
+	message = "The request could not be completed.";
+	constructor(status, message, rawData, requestID) {
+		super();
+		this.status = status;
+		this.rawData = rawData;
+		this.requestID = requestID;
+		if (message) this.message = message;
+	}
+};
+//#endregion
+//#region src/common/exceptions/bad-request.exception.ts
+var BadRequestException = class extends Error {
+	status = 400;
+	name = "BadRequestException";
+	message = "Bad request";
+	code;
+	errors;
+	requestID;
+	constructor({ code, errors, message, requestID }) {
+		super();
+		this.requestID = requestID;
+		if (message) this.message = message;
+		if (code) this.code = code;
+		if (errors) this.errors = errors;
+	}
+};
+//#endregion
+//#region src/common/exceptions/no-api-key-provided.exception.ts
+var NoApiKeyProvidedException = class extends Error {
+	status = 500;
+	name = "NoApiKeyProvidedException";
+	message = "Missing API key. Pass it to the constructor (new WorkOS(\"sk_test_Sz3IQjepeSWaI4cMS4ms4sMuU\")) or define it in the WORKOS_API_KEY environment variable.";
+};
+//#endregion
+//#region src/common/exceptions/not-found.exception.ts
+var NotFoundException = class extends Error {
+	status = 404;
+	name = "NotFoundException";
+	message;
+	code;
+	requestID;
+	constructor({ code, message, path, requestID }) {
+		super();
+		this.code = code;
+		this.message = message ?? `The requested path '${path}' could not be found.`;
+		this.requestID = requestID;
+	}
+};
+//#endregion
+//#region src/common/exceptions/oauth.exception.ts
+var OauthException = class extends Error {
+	name = "OauthException";
+	constructor(status, requestID, error, errorDescription, rawData) {
+		super();
+		this.status = status;
+		this.requestID = requestID;
+		this.error = error;
+		this.errorDescription = errorDescription;
+		this.rawData = rawData;
+		if (error && errorDescription) this.message = `Error: ${error}\nError Description: ${errorDescription}`;
+		else if (error) this.message = `Error: ${error}`;
+		else this.message = `An error has occurred.`;
+	}
+};
+//#endregion
+//#region src/common/exceptions/rate-limit-exceeded.exception.ts
+var RateLimitExceededException = class extends GenericServerException {
+	name = "RateLimitExceededException";
+	constructor(message, requestID, retryAfter) {
+		super(429, message, {}, requestID);
+		this.retryAfter = retryAfter;
+	}
+};
+//#endregion
+//#region src/common/exceptions/signature-verification.exception.ts
+var SignatureVerificationException = class extends Error {
+	name = "SignatureVerificationException";
+	constructor(message) {
+		super(message || "Signature verification failed.");
+	}
+};
+//#endregion
+//#region src/common/exceptions/unauthorized.exception.ts
+var UnauthorizedException = class extends Error {
+	status = 401;
+	name = "UnauthorizedException";
+	message;
+	constructor(requestID) {
+		super();
+		this.requestID = requestID;
+		this.message = `Could not authorize the request. Maybe your API key is invalid?`;
+	}
+};
+//#endregion
+//#region src/common/exceptions/unprocessable-entity.exception.ts
+var UnprocessableEntityException = class extends Error {
+	status = 422;
+	name = "UnprocessableEntityException";
+	message = "Unprocessable entity";
+	code;
+	requestID;
+	constructor({ code, errors, message, requestID }) {
+		super();
+		this.requestID = requestID;
+		if (message) this.message = message;
+		if (code) this.code = code;
+		if (errors) {
+			this.message = `The following ${errors.length === 1 ? "requirement" : "requirements"} must be met:\n`;
+			for (const { code } of errors) this.message = this.message.concat(`\t${code}\n`);
+		}
+	}
+};
+//#endregion
+//#region src/common/crypto/signature-provider.ts
+var SignatureProvider = class {
+	cryptoProvider;
+	constructor(cryptoProvider) {
+		this.cryptoProvider = cryptoProvider;
+	}
+	async verifyHeader({ payload, sigHeader, secret, tolerance = 18e4 }) {
+		const [timestamp, signatureHash] = this.getTimestampAndSignatureHash(sigHeader);
+		if (!signatureHash || Object.keys(signatureHash).length === 0) throw new SignatureVerificationException("No signature hash found with expected scheme v1");
+		if (parseInt(timestamp, 10) < Date.now() - tolerance) throw new SignatureVerificationException("Timestamp outside the tolerance zone");
+		const expectedSig = await this.computeSignature(timestamp, payload, secret);
+		if (await this.cryptoProvider.secureCompare(expectedSig, signatureHash) === false) throw new SignatureVerificationException("Signature hash does not match the expected signature hash for payload");
+		return true;
+	}
+	getTimestampAndSignatureHash(sigHeader) {
+		const [t, v1] = sigHeader.split(",");
+		if (typeof t === "undefined" || typeof v1 === "undefined") throw new SignatureVerificationException("Signature or timestamp missing");
+		const { 1: timestamp } = t.split("=");
+		const { 1: signatureHash } = v1.split("=");
+		return [timestamp, signatureHash];
+	}
+	async computeSignature(timestamp, payload, secret) {
+		payload = JSON.stringify(payload);
+		const signedPayload = `${timestamp}.${payload}`;
+		return await this.cryptoProvider.computeHMACSignatureAsync(signedPayload, secret);
+	}
+};
+//#endregion
+//#region src/common/utils/unreachable.ts
+/**
+* Indicates that code is unreachable.
+*
+* This can be used for exhaustiveness checks in situations where the compiler
+* would not otherwise check for exhaustiveness.
+*
+* If the determination that the code is unreachable proves incorrect, an
+* exception is thrown.
+*/
+const unreachable = (condition, message = `Entered unreachable code. Received '${condition}'.`) => {
+	throw new TypeError(message);
+};
+//#endregion
+//#region src/organization-domains/serializers/organization-domain.serializer.ts
+const deserializeOrganizationDomain = (organizationDomain) => ({
+	object: organizationDomain.object,
+	id: organizationDomain.id,
+	domain: organizationDomain.domain,
+	organizationId: organizationDomain.organization_id,
+	state: organizationDomain.state,
+	...organizationDomain.verification_token !== void 0 && { verificationToken: organizationDomain.verification_token },
+	verificationStrategy: organizationDomain.verification_strategy,
+	...organizationDomain.verification_prefix !== void 0 && { verificationPrefix: organizationDomain.verification_prefix },
+	createdAt: organizationDomain.created_at,
+	updatedAt: organizationDomain.updated_at
+});
+//#endregion
+//#region src/organizations/serializers/organization.serializer.ts
+const deserializeOrganization = (organization) => ({
+	object: organization.object,
+	id: organization.id,
+	name: organization.name,
+	allowProfilesOutsideOrganization: organization.allow_profiles_outside_organization,
+	domains: organization.domains.map(deserializeOrganizationDomain),
+	...typeof organization.stripe_customer_id === "undefined" ? void 0 : { stripeCustomerId: organization.stripe_customer_id },
+	createdAt: organization.created_at,
+	updatedAt: organization.updated_at,
+	externalId: organization.external_id ?? null,
+	metadata: organization.metadata ?? {}
+});
+//#endregion
+//#region src/user-management/serializers/authenticate-with-code-options.serializer.ts
+const serializeAuthenticateWithCodeOptions = (options) => ({
+	grant_type: "authorization_code",
+	client_id: options.clientId,
+	client_secret: options.clientSecret,
+	code: options.code,
+	code_verifier: options.codeVerifier,
+	invitation_token: options.invitationToken,
+	ip_address: options.ipAddress,
+	user_agent: options.userAgent
+});
+//#endregion
+//#region src/user-management/serializers/authenticate-with-code-and-verifier-options.serializer.ts
+const serializeAuthenticateWithCodeAndVerifierOptions = (options) => ({
+	grant_type: "authorization_code",
+	client_id: options.clientId,
+	code: options.code,
+	code_verifier: options.codeVerifier,
+	invitation_token: options.invitationToken,
+	ip_address: options.ipAddress,
+	user_agent: options.userAgent
+});
+//#endregion
+//#region src/user-management/serializers/authenticate-with-magic-auth-options.serializer.ts
+const serializeAuthenticateWithMagicAuthOptions = (options) => ({
+	grant_type: "urn:workos:oauth:grant-type:magic-auth:code",
+	client_id: options.clientId,
+	client_secret: options.clientSecret,
+	code: options.code,
+	email: options.email,
+	invitation_token: options.invitationToken,
+	link_authorization_code: options.linkAuthorizationCode,
+	ip_address: options.ipAddress,
+	user_agent: options.userAgent
+});
+//#endregion
+//#region src/user-management/serializers/authenticate-with-password-options.serializer.ts
+const serializeAuthenticateWithPasswordOptions = (options) => ({
+	grant_type: "password",
+	client_id: options.clientId,
+	client_secret: options.clientSecret,
+	email: options.email,
+	password: options.password,
+	invitation_token: options.invitationToken,
+	ip_address: options.ipAddress,
+	user_agent: options.userAgent
+});
+//#endregion
+//#region src/user-management/serializers/authenticate-with-refresh-token.options.serializer.ts
+const serializeAuthenticateWithRefreshTokenOptions = (options) => ({
+	grant_type: "refresh_token",
+	client_id: options.clientId,
+	client_secret: options.clientSecret,
+	refresh_token: options.refreshToken,
+	organization_id: options.organizationId,
+	ip_address: options.ipAddress,
+	user_agent: options.userAgent
+});
+//#endregion
+//#region src/user-management/serializers/authenticate-with-refresh-token-public-client-options.serializer.ts
+const serializeAuthenticateWithRefreshTokenPublicClientOptions = (options) => ({
+	grant_type: "refresh_token",
+	client_id: options.clientId,
+	refresh_token: options.refreshToken,
+	organization_id: options.organizationId,
+	ip_address: options.ipAddress,
+	user_agent: options.userAgent
+});
+//#endregion
+//#region src/user-management/serializers/authenticate-with-totp-options.serializer.ts
+const serializeAuthenticateWithTotpOptions = (options) => ({
+	grant_type: "urn:workos:oauth:grant-type:mfa-totp",
+	client_id: options.clientId,
+	client_secret: options.clientSecret,
+	code: options.code,
+	authentication_challenge_id: options.authenticationChallengeId,
+	pending_authentication_token: options.pendingAuthenticationToken,
+	ip_address: options.ipAddress,
+	user_agent: options.userAgent
+});
+//#endregion
+//#region src/user-management/serializers/authentication-event.serializer.ts
+const deserializeAuthenticationEventSso = (sso) => ({
+	connectionId: sso.connection_id,
+	organizationId: sso.organization_id,
+	...sso.session_id !== void 0 && { sessionId: sso.session_id }
+});
+const deserializeAuthenticationEvent = (authenticationEvent) => ({
+	email: authenticationEvent.email,
+	...authenticationEvent.error !== void 0 && { error: authenticationEvent.error },
+	ipAddress: authenticationEvent.ip_address,
+	...authenticationEvent.sso !== void 0 && { sso: deserializeAuthenticationEventSso(authenticationEvent.sso) },
+	status: authenticationEvent.status,
+	type: authenticationEvent.type,
+	userAgent: authenticationEvent.user_agent,
+	userId: authenticationEvent.user_id
+});
+//#endregion
+//#region src/user-management/serializers/oauth-tokens.serializer.ts
+const deserializeOauthTokens = (oauthTokens) => oauthTokens ? {
+	accessToken: oauthTokens.access_token,
+	refreshToken: oauthTokens.refresh_token,
+	expiresAt: oauthTokens.expires_at,
+	scopes: oauthTokens.scopes
+} : void 0;
+//#endregion
+//#region src/user-management/serializers/user.serializer.ts
+const deserializeUser = (user) => ({
+	object: user.object,
+	id: user.id,
+	email: user.email,
+	emailVerified: user.email_verified,
+	firstName: user.first_name,
+	profilePictureUrl: user.profile_picture_url,
+	lastName: user.last_name,
+	lastSignInAt: user.last_sign_in_at,
+	locale: user.locale,
+	createdAt: user.created_at,
+	updatedAt: user.updated_at,
+	externalId: user.external_id ?? null,
+	metadata: user.metadata ?? {}
+});
+//#endregion
+//#region src/user-management/serializers/authentication-response.serializer.ts
+const deserializeAuthenticationResponse = (authenticationResponse) => {
+	const { user, organization_id, access_token, refresh_token, authentication_method, impersonator, oauth_tokens, ...rest } = authenticationResponse;
+	return {
+		user: deserializeUser(user),
+		organizationId: organization_id,
+		accessToken: access_token,
+		refreshToken: refresh_token,
+		impersonator,
+		authenticationMethod: authentication_method,
+		oauthTokens: deserializeOauthTokens(oauth_tokens),
+		...rest
+	};
+};
+//#endregion
+//#region src/user-management/serializers/create-magic-auth-options.serializer.ts
+const serializeCreateMagicAuthOptions = (options) => ({
+	email: options.email,
+	invitation_token: options.invitationToken
+});
+//#endregion
+//#region src/user-management/serializers/create-password-reset-options.serializer.ts
+const serializeCreatePasswordResetOptions = (options) => ({ email: options.email });
+//#endregion
+//#region src/user-management/serializers/email-verification.serializer.ts
+const deserializeEmailVerification = (emailVerification) => ({
+	object: emailVerification.object,
+	id: emailVerification.id,
+	userId: emailVerification.user_id,
+	email: emailVerification.email,
+	expiresAt: emailVerification.expires_at,
+	code: emailVerification.code,
+	createdAt: emailVerification.created_at,
+	updatedAt: emailVerification.updated_at
+});
+const deserializeEmailVerificationEvent = (emailVerification) => ({
+	object: emailVerification.object,
+	id: emailVerification.id,
+	userId: emailVerification.user_id,
+	email: emailVerification.email,
+	expiresAt: emailVerification.expires_at,
+	createdAt: emailVerification.created_at,
+	updatedAt: emailVerification.updated_at
+});
+//#endregion
+//#region src/user-management/serializers/enroll-auth-factor-options.serializer.ts
+const serializeEnrollAuthFactorOptions = (options) => ({
+	type: options.type,
+	totp_issuer: options.totpIssuer,
+	totp_user: options.totpUser,
+	totp_secret: options.totpSecret
+});
+//#endregion
+//#region src/mfa/serializers/totp.serializer.ts
+const deserializeTotp = (totp) => {
+	return {
+		issuer: totp.issuer,
+		user: totp.user
+	};
+};
+const deserializeTotpWithSecrets = (totp) => {
+	return {
+		issuer: totp.issuer,
+		user: totp.user,
+		qrCode: totp.qr_code,
+		secret: totp.secret,
+		uri: totp.uri
+	};
+};
+//#endregion
+//#region src/user-management/serializers/factor.serializer.ts
+const deserializeFactor$1 = (factor) => ({
+	object: factor.object,
+	id: factor.id,
+	createdAt: factor.created_at,
+	updatedAt: factor.updated_at,
+	type: factor.type,
+	totp: deserializeTotp(factor.totp),
+	userId: factor.user_id
+});
+const deserializeFactorWithSecrets$1 = (factor) => ({
+	object: factor.object,
+	id: factor.id,
+	createdAt: factor.created_at,
+	updatedAt: factor.updated_at,
+	type: factor.type,
+	totp: deserializeTotpWithSecrets(factor.totp),
+	userId: factor.user_id
+});
+//#endregion
+//#region src/user-management/serializers/invitation.serializer.ts
+const deserializeInvitation = (invitation) => ({
+	object: invitation.object,
+	id: invitation.id,
+	email: invitation.email,
+	state: invitation.state,
+	acceptedAt: invitation.accepted_at,
+	revokedAt: invitation.revoked_at,
+	expiresAt: invitation.expires_at,
+	organizationId: invitation.organization_id,
+	inviterUserId: invitation.inviter_user_id,
+	acceptedUserId: invitation.accepted_user_id,
+	token: invitation.token,
+	acceptInvitationUrl: invitation.accept_invitation_url,
+	createdAt: invitation.created_at,
+	updatedAt: invitation.updated_at
+});
+const deserializeInvitationEvent = (invitation) => ({
+	object: invitation.object,
+	id: invitation.id,
+	email: invitation.email,
+	state: invitation.state,
+	acceptedAt: invitation.accepted_at,
+	revokedAt: invitation.revoked_at,
+	expiresAt: invitation.expires_at,
+	organizationId: invitation.organization_id,
+	inviterUserId: invitation.inviter_user_id,
+	acceptedUserId: invitation.accepted_user_id,
+	createdAt: invitation.created_at,
+	updatedAt: invitation.updated_at
+});
+//#endregion
+//#region src/user-management/serializers/list-sessions-options.serializer.ts
+const serializeListSessionsOptions = (options) => ({ ...options });
+//#endregion
+//#region src/user-management/serializers/magic-auth.serializer.ts
+const deserializeMagicAuth = (magicAuth) => ({
+	object: magicAuth.object,
+	id: magicAuth.id,
+	userId: magicAuth.user_id,
+	email: magicAuth.email,
+	expiresAt: magicAuth.expires_at,
+	code: magicAuth.code,
+	createdAt: magicAuth.created_at,
+	updatedAt: magicAuth.updated_at
+});
+const deserializeMagicAuthEvent = (magicAuth) => ({
+	object: magicAuth.object,
+	id: magicAuth.id,
+	userId: magicAuth.user_id,
+	email: magicAuth.email,
+	expiresAt: magicAuth.expires_at,
+	createdAt: magicAuth.created_at,
+	updatedAt: magicAuth.updated_at
+});
+//#endregion
+//#region src/user-management/serializers/password-reset.serializer.ts
+const deserializePasswordReset = (passwordReset) => ({
+	object: passwordReset.object,
+	id: passwordReset.id,
+	userId: passwordReset.user_id,
+	email: passwordReset.email,
+	passwordResetToken: passwordReset.password_reset_token,
+	passwordResetUrl: passwordReset.password_reset_url,
+	expiresAt: passwordReset.expires_at,
+	createdAt: passwordReset.created_at
+});
+const deserializePasswordResetEvent = (passwordReset) => ({
+	object: passwordReset.object,
+	id: passwordReset.id,
+	userId: passwordReset.user_id,
+	email: passwordReset.email,
+	expiresAt: passwordReset.expires_at,
+	createdAt: passwordReset.created_at
+});
+//#endregion
+//#region src/user-management/serializers/reset-password-options.serializer.ts
+const serializeResetPasswordOptions = (options) => ({
+	token: options.token,
+	new_password: options.newPassword
+});
+//#endregion
+//#region src/user-management/serializers/session.serializer.ts
+const deserializeSession = (session) => ({
+	object: "session",
+	id: session.id,
+	userId: session.user_id,
+	ipAddress: session.ip_address,
+	userAgent: session.user_agent,
+	...session.organization_id !== void 0 && { organizationId: session.organization_id },
+	...session.impersonator !== void 0 && { impersonator: session.impersonator },
+	authMethod: session.auth_method,
+	status: session.status,
+	expiresAt: session.expires_at,
+	endedAt: session.ended_at,
+	createdAt: session.created_at,
+	updatedAt: session.updated_at
+});
+//#endregion
+//#region src/user-management/serializers/create-user-options.serializer.ts
+const serializeCreateUserOptions = (options) => ({
+	email: options.email,
+	password: options.password,
+	password_hash: options.passwordHash,
+	password_hash_type: options.passwordHashType,
+	first_name: options.firstName,
+	last_name: options.lastName,
+	email_verified: options.emailVerified,
+	external_id: options.externalId,
+	metadata: options.metadata
+});
+//#endregion
+//#region src/user-management/serializers/update-user-options.serializer.ts
+const serializeUpdateUserOptions = (options) => ({
+	email: options.email,
+	email_verified: options.emailVerified,
+	first_name: options.firstName,
+	last_name: options.lastName,
+	password: options.password,
+	password_hash: options.passwordHash,
+	password_hash_type: options.passwordHashType,
+	external_id: options.externalId,
+	locale: options.locale,
+	metadata: options.metadata
+});
+//#endregion
+//#region src/user-management/serializers/organization-membership.serializer.ts
+const deserializeOrganizationMembership = (organizationMembership) => ({
+	object: organizationMembership.object,
+	id: organizationMembership.id,
+	userId: organizationMembership.user_id,
+	organizationId: organizationMembership.organization_id,
+	organizationName: organizationMembership.organization_name,
+	status: organizationMembership.status,
+	directoryManaged: organizationMembership.directory_managed ?? false,
+	createdAt: organizationMembership.created_at,
+	updatedAt: organizationMembership.updated_at,
+	role: organizationMembership.role,
+	...organizationMembership.roles && { roles: organizationMembership.roles },
+	customAttributes: organizationMembership.custom_attributes ?? {}
+});
+const deserializeAuthorizationOrganizationMembership = (organizationMembership) => ({
+	object: organizationMembership.object,
+	id: organizationMembership.id,
+	userId: organizationMembership.user_id,
+	organizationId: organizationMembership.organization_id,
+	status: organizationMembership.status,
+	directoryManaged: organizationMembership.directory_managed ?? false,
+	createdAt: organizationMembership.created_at,
+	updatedAt: organizationMembership.updated_at,
+	customAttributes: organizationMembership.custom_attributes ?? {}
+});
+//#endregion
+//#region src/actions/serializers/action.serializer.ts
+const deserializeUserData = (userData) => {
+	return {
+		object: userData.object,
+		email: userData.email,
+		firstName: userData.first_name,
+		lastName: userData.last_name
+	};
+};
+const deserializeAction = (actionPayload) => {
+	switch (actionPayload.object) {
+		case "user_registration_action_context": return {
+			id: actionPayload.id,
+			object: actionPayload.object,
+			userData: deserializeUserData(actionPayload.user_data),
+			invitation: actionPayload.invitation ? deserializeInvitation(actionPayload.invitation) : void 0,
+			ipAddress: actionPayload.ip_address,
+			userAgent: actionPayload.user_agent,
+			deviceFingerprint: actionPayload.device_fingerprint
+		};
+		case "authentication_action_context": return {
+			id: actionPayload.id,
+			object: actionPayload.object,
+			user: deserializeUser(actionPayload.user),
+			organization: actionPayload.organization ? deserializeOrganization(actionPayload.organization) : void 0,
+			organizationMembership: actionPayload.organization_membership ? deserializeOrganizationMembership(actionPayload.organization_membership) : void 0,
+			ipAddress: actionPayload.ip_address,
+			userAgent: actionPayload.user_agent,
+			deviceFingerprint: actionPayload.device_fingerprint,
+			issuer: actionPayload.issuer
+		};
+	}
+};
+//#endregion
+//#region src/actions/actions.ts
+var Actions = class {
+	signatureProvider;
+	constructor(cryptoProvider) {
+		this.signatureProvider = new SignatureProvider(cryptoProvider);
+	}
+	get computeSignature() {
+		return this.signatureProvider.computeSignature.bind(this.signatureProvider);
+	}
+	get verifyHeader() {
+		return this.signatureProvider.verifyHeader.bind(this.signatureProvider);
+	}
+	serializeType(type) {
+		switch (type) {
+			case "authentication": return "authentication_action_response";
+			case "user_registration": return "user_registration_action_response";
+			default: return unreachable(type);
+		}
+	}
+	async signResponse(data, secret) {
+		let errorMessage;
+		const { verdict, type } = data;
+		if (verdict === "Deny" && data.errorMessage) errorMessage = data.errorMessage;
+		const responsePayload = {
+			timestamp: Date.now(),
+			verdict,
+			...verdict === "Deny" && data.errorMessage && { error_message: errorMessage }
+		};
+		return {
+			object: this.serializeType(type),
+			payload: responsePayload,
+			signature: await this.computeSignature(responsePayload.timestamp, responsePayload, secret)
+		};
+	}
+	async constructAction({ payload, sigHeader, secret, tolerance = 3e4 }) {
+		const options = {
+			payload,
+			sigHeader,
+			secret,
+			tolerance
+		};
+		await this.verifyHeader(options);
+		return deserializeAction(payload);
+	}
+};
+//#endregion
+//#region src/directory-sync/serializers/directory-group.serializer.ts
+const deserializeDirectoryGroup = (directoryGroup) => ({
+	id: directoryGroup.id,
+	idpId: directoryGroup.idp_id,
+	directoryId: directoryGroup.directory_id,
+	organizationId: directoryGroup.organization_id,
+	name: directoryGroup.name,
+	createdAt: directoryGroup.created_at,
+	updatedAt: directoryGroup.updated_at,
+	rawAttributes: directoryGroup.raw_attributes
+});
+const deserializeUpdatedEventDirectoryGroup = (directoryGroup) => ({
+	id: directoryGroup.id,
+	idpId: directoryGroup.idp_id,
+	directoryId: directoryGroup.directory_id,
+	organizationId: directoryGroup.organization_id,
+	name: directoryGroup.name,
+	createdAt: directoryGroup.created_at,
+	updatedAt: directoryGroup.updated_at,
+	rawAttributes: directoryGroup.raw_attributes,
+	previousAttributes: directoryGroup.previous_attributes
+});
+//#endregion
+//#region src/directory-sync/serializers/directory-user.serializer.ts
+const deserializeDirectoryUser = (directoryUser) => ({
+	object: directoryUser.object,
+	id: directoryUser.id,
+	directoryId: directoryUser.directory_id,
+	organizationId: directoryUser.organization_id,
+	rawAttributes: directoryUser.raw_attributes,
+	customAttributes: directoryUser.custom_attributes,
+	idpId: directoryUser.idp_id,
+	firstName: directoryUser.first_name,
+	email: directoryUser.email,
+	lastName: directoryUser.last_name,
+	state: directoryUser.state,
+	...directoryUser.role !== void 0 && { role: directoryUser.role },
+	...directoryUser.roles !== void 0 && { roles: directoryUser.roles },
+	createdAt: directoryUser.created_at,
+	updatedAt: directoryUser.updated_at
+});
+const deserializeDirectoryUserWithGroups = (directoryUserWithGroups) => ({
+	...deserializeDirectoryUser(directoryUserWithGroups),
+	groups: directoryUserWithGroups.groups.map(deserializeDirectoryGroup)
+});
+const deserializeUpdatedEventDirectoryUser = (directoryUser) => ({
+	object: "directory_user",
+	id: directoryUser.id,
+	directoryId: directoryUser.directory_id,
+	organizationId: directoryUser.organization_id,
+	rawAttributes: directoryUser.raw_attributes,
+	customAttributes: directoryUser.custom_attributes,
+	idpId: directoryUser.idp_id,
+	firstName: directoryUser.first_name,
+	email: directoryUser.email,
+	lastName: directoryUser.last_name,
+	state: directoryUser.state,
+	...directoryUser.role !== void 0 && { role: directoryUser.role },
+	...directoryUser.roles !== void 0 && { roles: directoryUser.roles },
+	createdAt: directoryUser.created_at,
+	updatedAt: directoryUser.updated_at,
+	previousAttributes: directoryUser.previous_attributes
+});
+//#endregion
+//#region src/directory-sync/serializers/directory.serializer.ts
+const deserializeDirectory = (directory) => ({
+	object: directory.object,
+	id: directory.id,
+	domain: directory.domain,
+	externalKey: directory.external_key,
+	name: directory.name,
+	organizationId: directory.organization_id,
+	state: deserializeDirectoryState(directory.state),
+	type: directory.type,
+	createdAt: directory.created_at,
+	updatedAt: directory.updated_at
+});
+const deserializeDirectoryState = (state) => {
+	if (state === "linked") return "active";
+	if (state === "unlinked") return "inactive";
+	return state;
+};
+const deserializeEventDirectory = (directory) => ({
+	object: directory.object,
+	id: directory.id,
+	externalKey: directory.external_key,
+	type: directory.type,
+	state: directory.state,
+	name: directory.name,
+	organizationId: directory.organization_id,
+	domains: directory.domains,
+	createdAt: directory.created_at,
+	updatedAt: directory.updated_at
+});
+const deserializeDeletedEventDirectory = (directory) => ({
+	object: directory.object,
+	id: directory.id,
+	type: directory.type,
+	state: directory.state,
+	name: directory.name,
+	organizationId: directory.organization_id,
+	createdAt: directory.created_at,
+	updatedAt: directory.updated_at
+});
+//#endregion
+//#region src/directory-sync/serializers/list-directories-options.serializer.ts
+const serializeListDirectoriesOptions = (options) => ({
+	organization_id: options.organizationId,
+	search: options.search,
+	limit: options.limit,
+	before: options.before,
+	after: options.after,
+	order: options.order
+});
+//#endregion
+//#region src/organizations/serializers/create-organization-options.serializer.ts
+const serializeCreateOrganizationOptions = (options) => ({
+	name: options.name,
+	domain_data: options.domainData,
+	external_id: options.externalId,
+	metadata: options.metadata
+});
+//#endregion
+//#region src/organizations/serializers/update-organization-options.serializer.ts
+const serializeUpdateOrganizationOptions = (options) => ({
+	name: options.name,
+	domain_data: options.domainData,
+	stripe_customer_id: options.stripeCustomerId,
+	external_id: options.externalId,
+	metadata: options.metadata
+});
+//#endregion
+//#region src/sso/serializers/connection.serializer.ts
+const deserializeConnection = (connection) => ({
+	object: connection.object,
+	id: connection.id,
+	...connection.organization_id !== void 0 && { organizationId: connection.organization_id },
+	name: connection.name,
+	type: connection.connection_type,
+	state: connection.state,
+	domains: connection.domains,
+	createdAt: connection.created_at,
+	updatedAt: connection.updated_at
+});
+//#endregion
+//#region src/sso/serializers/list-connections-options.serializer.ts
+const serializeListConnectionsOptions = (options) => ({
+	connection_type: options.connectionType,
+	domain: options.domain,
+	organization_id: options.organizationId,
+	limit: options.limit,
+	before: options.before,
+	after: options.after,
+	order: options.order
+});
+//#endregion
+//#region src/sso/serializers/profile.serializer.ts
+const deserializeProfile = (profile) => ({
+	id: profile.id,
+	idpId: profile.idp_id,
+	...profile.organization_id !== void 0 && { organizationId: profile.organization_id },
+	connectionId: profile.connection_id,
+	connectionType: profile.connection_type,
+	email: profile.email,
+	...profile.first_name !== void 0 && { firstName: profile.first_name },
+	...profile.last_name !== void 0 && { lastName: profile.last_name },
+	...profile.role !== void 0 && { role: profile.role },
+	...profile.roles !== void 0 && { roles: profile.roles },
+	...profile.groups !== void 0 && { groups: profile.groups },
+	...profile.custom_attributes !== void 0 && { customAttributes: profile.custom_attributes },
+	...profile.raw_attributes !== void 0 && { rawAttributes: profile.raw_attributes }
+});
+//#endregion
+//#region src/sso/serializers/profile-and-token.serializer.ts
+const deserializeProfileAndToken = (profileAndToken) => ({
+	accessToken: profileAndToken.access_token,
+	profile: deserializeProfile(profileAndToken.profile),
+	oauthTokens: deserializeOauthTokens(profileAndToken.oauth_tokens)
+});
+//#endregion
+//#region src/user-management/serializers/role.serializer.ts
+const deserializeRoleEvent = (role) => ({
+	object: "role",
+	slug: role.slug,
+	permissions: role.permissions,
+	createdAt: role.created_at,
+	updatedAt: role.updated_at
+});
+//#endregion
+//#region src/user-management/serializers/authentication-radar-risk-event-serializer.ts
+const deserializeAuthenticationRadarRiskDetectedEvent = (authenticationRadarRiskDetectedEvent) => ({
+	authMethod: authenticationRadarRiskDetectedEvent.auth_method,
+	action: authenticationRadarRiskDetectedEvent.action,
+	control: authenticationRadarRiskDetectedEvent.control,
+	blocklistType: authenticationRadarRiskDetectedEvent.blocklist_type,
+	ipAddress: authenticationRadarRiskDetectedEvent.ip_address,
+	userAgent: authenticationRadarRiskDetectedEvent.user_agent,
+	userId: authenticationRadarRiskDetectedEvent.user_id,
+	email: authenticationRadarRiskDetectedEvent.email
+});
+//#endregion
+//#region src/api-keys/serializers/api-key.serializer.ts
+function deserializeApiKey(apiKey) {
+	return {
+		object: apiKey.object,
+		id: apiKey.id,
+		owner: apiKey.owner,
+		name: apiKey.name,
+		obfuscatedValue: apiKey.obfuscated_value,
+		lastUsedAt: apiKey.last_used_at,
+		permissions: apiKey.permissions,
+		createdAt: apiKey.created_at,
+		updatedAt: apiKey.updated_at
+	};
+}
+//#endregion
+//#region src/authorization/serializers/organization-role.serializer.ts
+const deserializeRole$1 = (role) => ({
+	object: role.object,
+	id: role.id,
+	name: role.name,
+	slug: role.slug,
+	description: role.description,
+	permissions: role.permissions,
+	resourceTypeSlug: role.resource_type_slug,
+	type: role.type,
+	createdAt: role.created_at,
+	updatedAt: role.updated_at
+});
+const deserializeOrganizationRole = (role) => ({
+	object: role.object,
+	id: role.id,
+	name: role.name,
+	slug: role.slug,
+	description: role.description,
+	permissions: role.permissions,
+	resourceTypeSlug: role.resource_type_slug,
+	type: "OrganizationRole",
+	createdAt: role.created_at,
+	updatedAt: role.updated_at
+});
+const deserializeOrganizationRoleEvent = (event) => ({
+	object: event.object,
+	organizationId: event.organization_id,
+	slug: event.slug,
+	name: event.name,
+	description: event.description,
+	resourceTypeSlug: event.resource_type_slug,
+	permissions: event.permissions,
+	createdAt: event.created_at,
+	updatedAt: event.updated_at
+});
+//#endregion
+//#region src/authorization/serializers/permission.serializer.ts
+const deserializePermission = (permission) => ({
+	object: permission.object,
+	id: permission.id,
+	slug: permission.slug,
+	name: permission.name,
+	description: permission.description,
+	resourceTypeSlug: permission.resource_type_slug,
+	system: permission.system,
+	createdAt: permission.created_at,
+	updatedAt: permission.updated_at
+});
+//#endregion
+//#region src/feature-flags/serializers/feature-flag.serializer.ts
+const deserializeFeatureFlag = (featureFlag) => ({
+	object: featureFlag.object,
+	id: featureFlag.id,
+	name: featureFlag.name,
+	slug: featureFlag.slug,
+	description: featureFlag.description,
+	tags: featureFlag.tags,
+	enabled: featureFlag.enabled,
+	defaultValue: featureFlag.default_value,
+	createdAt: featureFlag.created_at,
+	updatedAt: featureFlag.updated_at
+});
+//#endregion
+//#region src/common/serializers/event.serializer.ts
+const deserializeEvent = (event) => {
+	const eventBase = {
+		id: event.id,
+		createdAt: event.created_at,
+		context: event.context
+	};
+	switch (event.event) {
+		case "authentication.email_verification_succeeded":
+		case "authentication.magic_auth_failed":
+		case "authentication.magic_auth_succeeded":
+		case "authentication.mfa_succeeded":
+		case "authentication.oauth_failed":
+		case "authentication.oauth_succeeded":
+		case "authentication.passkey_failed":
+		case "authentication.passkey_succeeded":
+		case "authentication.password_failed":
+		case "authentication.password_succeeded":
+		case "authentication.sso_failed":
+		case "authentication.sso_succeeded": return {
+			...eventBase,
+			event: event.event,
+			data: deserializeAuthenticationEvent(event.data)
+		};
+		case "authentication.radar_risk_detected": return {
+			...eventBase,
+			event: event.event,
+			data: deserializeAuthenticationRadarRiskDetectedEvent(event.data)
+		};
+		case "connection.activated":
+		case "connection.deactivated":
+		case "connection.deleted": return {
+			...eventBase,
+			event: event.event,
+			data: deserializeConnection(event.data)
+		};
+		case "dsync.activated": return {
+			...eventBase,
+			event: event.event,
+			data: deserializeEventDirectory(event.data)
+		};
+		case "dsync.deleted": return {
+			...eventBase,
+			event: event.event,
+			data: deserializeDeletedEventDirectory(event.data)
+		};
+		case "dsync.group.created":
+		case "dsync.group.deleted": return {
+			...eventBase,
+			event: event.event,
+			data: deserializeDirectoryGroup(event.data)
+		};
+		case "dsync.group.updated": return {
+			...eventBase,
+			event: event.event,
+			data: deserializeUpdatedEventDirectoryGroup(event.data)
+		};
+		case "dsync.group.user_added":
+		case "dsync.group.user_removed": return {
+			...eventBase,
+			event: event.event,
+			data: {
+				directoryId: event.data.directory_id,
+				user: deserializeDirectoryUser(event.data.user),
+				group: deserializeDirectoryGroup(event.data.group)
+			}
+		};
+		case "dsync.user.created":
+		case "dsync.user.deleted": return {
+			...eventBase,
+			event: event.event,
+			data: deserializeDirectoryUser(event.data)
+		};
+		case "dsync.user.updated": return {
+			...eventBase,
+			event: event.event,
+			data: deserializeUpdatedEventDirectoryUser(event.data)
+		};
+		case "email_verification.created": return {
+			...eventBase,
+			event: event.event,
+			data: deserializeEmailVerificationEvent(event.data)
+		};
+		case "invitation.accepted":
+		case "invitation.created":
+		case "invitation.revoked":
+		case "invitation.resent": return {
+			...eventBase,
+			event: event.event,
+			data: deserializeInvitationEvent(event.data)
+		};
+		case "magic_auth.created": return {
+			...eventBase,
+			event: event.event,
+			data: deserializeMagicAuthEvent(event.data)
+		};
+		case "password_reset.created":
+		case "password_reset.succeeded": return {
+			...eventBase,
+			event: event.event,
+			data: deserializePasswordResetEvent(event.data)
+		};
+		case "user.created":
+		case "user.updated":
+		case "user.deleted": return {
+			...eventBase,
+			event: event.event,
+			data: deserializeUser(event.data)
+		};
+		case "organization_membership.created":
+		case "organization_membership.deleted":
+		case "organization_membership.updated": return {
+			...eventBase,
+			event: event.event,
+			data: deserializeOrganizationMembership(event.data)
+		};
+		case "role.created":
+		case "role.deleted":
+		case "role.updated": return {
+			...eventBase,
+			event: event.event,
+			data: deserializeRoleEvent(event.data)
+		};
+		case "organization_role.created":
+		case "organization_role.updated":
+		case "organization_role.deleted": return {
+			...eventBase,
+			event: event.event,
+			data: deserializeOrganizationRoleEvent(event.data)
+		};
+		case "permission.created":
+		case "permission.updated":
+		case "permission.deleted": return {
+			...eventBase,
+			event: event.event,
+			data: deserializePermission(event.data)
+		};
+		case "session.created":
+		case "session.revoked": return {
+			...eventBase,
+			event: event.event,
+			data: deserializeSession(event.data)
+		};
+		case "organization.created":
+		case "organization.updated":
+		case "organization.deleted": return {
+			...eventBase,
+			event: event.event,
+			data: deserializeOrganization(event.data)
+		};
+		case "organization_domain.verified":
+		case "organization_domain.verification_failed":
+		case "organization_domain.created":
+		case "organization_domain.updated":
+		case "organization_domain.deleted": return {
+			...eventBase,
+			event: event.event,
+			data: deserializeOrganizationDomain(event.data)
+		};
+		case "api_key.created":
+		case "api_key.revoked": return {
+			...eventBase,
+			event: event.event,
+			data: deserializeApiKey(event.data)
+		};
+		case "flag.created":
+		case "flag.updated":
+		case "flag.deleted":
+		case "flag.rule_updated": return {
+			...eventBase,
+			event: event.event,
+			data: deserializeFeatureFlag(event.data)
+		};
+	}
+};
+//#endregion
+//#region src/common/serializers/list.serializer.ts
+const deserializeList = (list, deserializer) => ({
+	object: "list",
+	data: list.data.map(deserializer),
+	listMetadata: list.list_metadata
+});
+//#endregion
+//#region src/common/serializers/pagination-options.serializer.ts
+const serializePaginationOptions = (options) => ({
+	...options.limit !== void 0 && { limit: options.limit },
+	...options.after && { after: options.after },
+	...options.before && { before: options.before },
+	...options.order && { order: options.order }
+});
+//#endregion
+//#region src/webhooks/webhooks.ts
+var Webhooks = class {
+	signatureProvider;
+	constructor(cryptoProvider) {
+		this.signatureProvider = new SignatureProvider(cryptoProvider);
+	}
+	get verifyHeader() {
+		return this.signatureProvider.verifyHeader.bind(this.signatureProvider);
+	}
+	get computeSignature() {
+		return this.signatureProvider.computeSignature.bind(this.signatureProvider);
+	}
+	get getTimestampAndSignatureHash() {
+		return this.signatureProvider.getTimestampAndSignatureHash.bind(this.signatureProvider);
+	}
+	async constructEvent({ payload, sigHeader, secret, tolerance = 18e4 }) {
+		const options = {
+			payload,
+			sigHeader,
+			secret,
+			tolerance
+		};
+		await this.verifyHeader(options);
+		return deserializeEvent(payload);
+	}
+};
+//#endregion
+//#region src/pkce/pkce.ts
+/**
+* PKCE (Proof Key for Code Exchange) utilities for OAuth 2.0 public clients.
+*
+* Implements RFC 7636 for secure authorization code exchange without a client secret.
+* Used by Electron apps, React Native/mobile apps, CLI tools, and other public clients.
+*/
+var PKCE = class {
+	/**
+	* Generate a cryptographically random code verifier.
+	*
+	* @param length - Length of verifier (43-128, default 43)
+	* @returns RFC 7636 compliant code verifier
+	*/
+	generateCodeVerifier(length = 43) {
+		if (length < 43 || length > 128) throw new RangeError(`Code verifier length must be between 43 and 128, got ${length}`);
+		const byteLength = Math.ceil(length * 3 / 4);
+		const randomBytes = new Uint8Array(byteLength);
+		crypto.getRandomValues(randomBytes);
+		return this.base64UrlEncode(randomBytes).slice(0, length);
+	}
+	/**
+	* Generate S256 code challenge from a verifier.
+	*
+	* @param verifier - The code verifier
+	* @returns Base64URL-encoded SHA256 hash
+	*/
+	async generateCodeChallenge(verifier) {
+		const data = new TextEncoder().encode(verifier);
+		const hash = await crypto.subtle.digest("SHA-256", data);
+		return this.base64UrlEncode(new Uint8Array(hash));
+	}
+	/**
+	* Generate a complete PKCE pair (verifier + challenge).
+	*
+	* @returns Code verifier, challenge, and method ('S256')
+	*/
+	async generate() {
+		const codeVerifier = this.generateCodeVerifier();
+		return {
+			codeVerifier,
+			codeChallenge: await this.generateCodeChallenge(codeVerifier),
+			codeChallengeMethod: "S256"
+		};
+	}
+	base64UrlEncode(buffer) {
+		return btoa(String.fromCharCode(...buffer)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+	}
+};
+//#endregion
+//#region src/api-keys/serializers/validate-api-key.serializer.ts
+function deserializeValidateApiKeyResponse(response) {
+	return { apiKey: response.api_key ? deserializeApiKey(response.api_key) : null };
+}
+//#endregion
+//#region src/api-keys/api-keys.ts
+var ApiKeys = class {
+	constructor(workos) {
+		this.workos = workos;
+	}
+	async validateApiKey(payload) {
+		const { data } = await this.workos.post("/api_keys/validations", payload);
+		return deserializeValidateApiKeyResponse(data);
+	}
+	async deleteApiKey(id) {
+		await this.workos.delete(`/api_keys/${id}`);
+	}
+};
+//#endregion
+//#region src/common/utils/pagination.ts
+var AutoPaginatable = class {
+	object = "list";
+	options;
+	constructor(list, apiCall, options) {
+		this.list = list;
+		this.apiCall = apiCall;
+		this.options = options ?? {};
+	}
+	get data() {
+		return this.list.data;
+	}
+	get listMetadata() {
+		return this.list.listMetadata;
+	}
+	async *generatePages(params) {
+		const result = await this.apiCall({
+			...this.options,
+			limit: 100,
+			after: params.after
+		});
+		yield result.data;
+		if (result.listMetadata.after) {
+			await new Promise((resolve) => setTimeout(resolve, 350));
+			yield* this.generatePages({ after: result.listMetadata.after });
+		}
+	}
+	/**
+	* Automatically paginates over the list of results, returning the complete data set.
+	* Returns the first result if `options.limit` is passed to the first request.
+	*/
+	async autoPagination() {
+		if (this.options.limit) return this.data;
+		const results = [];
+		for await (const page of this.generatePages({ after: this.options.after })) results.push(...page);
+		return results;
+	}
+};
+//#endregion
+//#region src/common/utils/fetch-and-deserialize.ts
+const setDefaultOptions = (options) => {
+	return {
+		...options,
+		order: options?.order || "desc"
+	};
+};
+const fetchAndDeserialize = async (workos, endpoint, deserializeFn, options, requestOptions) => {
+	const { data } = await workos.get(endpoint, {
+		query: setDefaultOptions(options),
+		...requestOptions
+	});
+	return deserializeList(data, deserializeFn);
+};
+//#endregion
+//#region src/directory-sync/directory-sync.ts
+var DirectorySync = class {
+	constructor(workos) {
+		this.workos = workos;
+	}
+	async listDirectories(options) {
+		return new AutoPaginatable(await fetchAndDeserialize(this.workos, "/directories", deserializeDirectory, options ? serializeListDirectoriesOptions(options) : void 0), (params) => fetchAndDeserialize(this.workos, "/directories", deserializeDirectory, params), options ? serializeListDirectoriesOptions(options) : void 0);
+	}
+	async getDirectory(id) {
+		const { data } = await this.workos.get(`/directories/${id}`);
+		return deserializeDirectory(data);
+	}
+	async deleteDirectory(id) {
+		await this.workos.delete(`/directories/${id}`);
+	}
+	async listGroups(options) {
+		return new AutoPaginatable(await fetchAndDeserialize(this.workos, "/directory_groups", deserializeDirectoryGroup, options), (params) => fetchAndDeserialize(this.workos, "/directory_groups", deserializeDirectoryGroup, params), options);
+	}
+	async listUsers(options) {
+		return new AutoPaginatable(await fetchAndDeserialize(this.workos, "/directory_users", deserializeDirectoryUserWithGroups, options), (params) => fetchAndDeserialize(this.workos, "/directory_users", deserializeDirectoryUserWithGroups, params), options);
+	}
+	async getUser(user) {
+		const { data } = await this.workos.get(`/directory_users/${user}`);
+		return deserializeDirectoryUserWithGroups(data);
+	}
+	async getGroup(group) {
+		const { data } = await this.workos.get(`/directory_groups/${group}`);
+		return deserializeDirectoryGroup(data);
+	}
+};
+//#endregion
+//#region src/events/serializers/list-event-options.serializer.ts
+const serializeListEventOptions = (options) => ({
+	events: options.events,
+	organization_id: options.organizationId,
+	range_start: options.rangeStart,
+	range_end: options.rangeEnd,
+	limit: options.limit,
+	after: options.after
+});
+//#endregion
+//#region src/events/events.ts
+var Events = class {
+	constructor(workos) {
+		this.workos = workos;
+	}
+	async listEvents(options) {
+		const { data } = await this.workos.get(`/events`, { query: options ? serializeListEventOptions(options) : void 0 });
+		return deserializeList(data, deserializeEvent);
+	}
+};
+//#endregion
+//#region src/roles/serializers/role.serializer.ts
+const deserializeRole = (role) => ({
+	object: role.object,
+	id: role.id,
+	name: role.name,
+	slug: role.slug,
+	description: role.description,
+	permissions: role.permissions,
+	type: role.type,
+	createdAt: role.created_at,
+	updatedAt: role.updated_at
+});
+//#endregion
+//#region src/api-keys/serializers/create-organization-api-key-options.serializer.ts
+function serializeCreateOrganizationApiKeyOptions(options) {
+	return {
+		name: options.name,
+		permissions: options.permissions
+	};
+}
+//#endregion
+//#region src/api-keys/serializers/created-api-key.serializer.ts
+function deserializeCreatedApiKey(apiKey) {
+	return {
+		object: apiKey.object,
+		id: apiKey.id,
+		owner: apiKey.owner,
+		name: apiKey.name,
+		obfuscatedValue: apiKey.obfuscated_value,
+		value: apiKey.value,
+		lastUsedAt: apiKey.last_used_at,
+		permissions: apiKey.permissions,
+		createdAt: apiKey.created_at,
+		updatedAt: apiKey.updated_at
+	};
+}
+//#endregion
+//#region src/organizations/organizations.ts
+var Organizations = class {
+	constructor(workos) {
+		this.workos = workos;
+	}
+	async listOrganizations(options) {
+		return new AutoPaginatable(await fetchAndDeserialize(this.workos, "/organizations", deserializeOrganization, options), (params) => fetchAndDeserialize(this.workos, "/organizations", deserializeOrganization, params), options);
+	}
+	async createOrganization(payload, requestOptions = {}) {
+		const { data } = await this.workos.post("/organizations", serializeCreateOrganizationOptions(payload), requestOptions);
+		return deserializeOrganization(data);
+	}
+	async deleteOrganization(id) {
+		await this.workos.delete(`/organizations/${id}`);
+	}
+	async getOrganization(id) {
+		const { data } = await this.workos.get(`/organizations/${id}`);
+		return deserializeOrganization(data);
+	}
+	async getOrganizationByExternalId(externalId) {
+		const { data } = await this.workos.get(`/organizations/external_id/${externalId}`);
+		return deserializeOrganization(data);
+	}
+	async updateOrganization(options) {
+		const { organization: organizationId, ...payload } = options;
+		const { data } = await this.workos.put(`/organizations/${organizationId}`, serializeUpdateOrganizationOptions(payload));
+		return deserializeOrganization(data);
+	}
+	async listOrganizationRoles(options) {
+		const { organizationId } = options;
+		const { data: response } = await this.workos.get(`/organizations/${organizationId}/roles`);
+		return {
+			object: "list",
+			data: response.data.map((role) => deserializeRole(role))
+		};
+	}
+	async listOrganizationFeatureFlags(options) {
+		const { organizationId, ...paginationOptions } = options;
+		return new AutoPaginatable(await fetchAndDeserialize(this.workos, `/organizations/${organizationId}/feature-flags`, deserializeFeatureFlag, paginationOptions), (params) => fetchAndDeserialize(this.workos, `/organizations/${organizationId}/feature-flags`, deserializeFeatureFlag, params), paginationOptions);
+	}
+	async listOrganizationApiKeys(options) {
+		const { organizationId, ...paginationOptions } = options;
+		return new AutoPaginatable(await fetchAndDeserialize(this.workos, `/organizations/${organizationId}/api_keys`, deserializeApiKey, paginationOptions), (params) => fetchAndDeserialize(this.workos, `/organizations/${organizationId}/api_keys`, deserializeApiKey, params), paginationOptions);
+	}
+	async createOrganizationApiKey(options, requestOptions = {}) {
+		const { organizationId } = options;
+		const { data } = await this.workos.post(`/organizations/${organizationId}/api_keys`, serializeCreateOrganizationApiKeyOptions(options), requestOptions);
+		return deserializeCreatedApiKey(data);
+	}
+};
+//#endregion
+//#region src/organization-domains/serializers/create-organization-domain-options.serializer.ts
+const serializeCreateOrganizationDomainOptions = (options) => ({
+	domain: options.domain,
+	organization_id: options.organizationId
+});
+//#endregion
+//#region src/organization-domains/organization-domains.ts
+var OrganizationDomains = class {
+	constructor(workos) {
+		this.workos = workos;
+	}
+	async get(id) {
+		const { data } = await this.workos.get(`/organization_domains/${id}`);
+		return deserializeOrganizationDomain(data);
+	}
+	async verify(id) {
+		const { data } = await this.workos.post(`/organization_domains/${id}/verify`, {});
+		return deserializeOrganizationDomain(data);
+	}
+	async create(payload) {
+		const { data } = await this.workos.post(`/organization_domains`, serializeCreateOrganizationDomainOptions(payload));
+		return deserializeOrganizationDomain(data);
+	}
+	async delete(id) {
+		await this.workos.delete(`/organization_domains/${id}`);
+	}
+};
+//#endregion
+//#region src/passwordless/serializers/passwordless-session.serializer.ts
+const deserializePasswordlessSession = (passwordlessSession) => ({
+	id: passwordlessSession.id,
+	email: passwordlessSession.email,
+	expiresAt: passwordlessSession.expires_at,
+	link: passwordlessSession.link,
+	object: passwordlessSession.object
+});
+//#endregion
+//#region src/passwordless/passwordless.ts
+var Passwordless = class {
+	constructor(workos) {
+		this.workos = workos;
+	}
+	async createSession({ redirectURI, expiresIn, ...options }) {
+		const { data } = await this.workos.post("/passwordless/sessions", {
+			...options,
+			redirect_uri: redirectURI,
+			expires_in: expiresIn
+		});
+		return deserializePasswordlessSession(data);
+	}
+	async sendSession(sessionId) {
+		const { data } = await this.workos.post(`/passwordless/sessions/${sessionId}/send`, {});
+		return data;
+	}
+};
+//#endregion
+//#region src/pipes/serializers/access-token.serializer.ts
+function deserializeAccessToken(serialized) {
+	return {
+		object: "access_token",
+		accessToken: serialized.access_token,
+		expiresAt: serialized.expires_at ? new Date(Date.parse(serialized.expires_at)) : null,
+		scopes: serialized.scopes,
+		missingScopes: serialized.missing_scopes
+	};
+}
+//#endregion
+//#region src/pipes/serializers/get-access-token.serializer.ts
+function serializeGetAccessTokenOptions(options) {
+	return {
+		user_id: options.userId,
+		organization_id: options.organizationId
+	};
+}
+function deserializeGetAccessTokenResponse(response) {
+	if (response.active) return {
+		active: true,
+		accessToken: deserializeAccessToken(response.access_token)
+	};
+	return {
+		active: false,
+		error: response.error
+	};
+}
+//#endregion
+//#region src/pipes/pipes.ts
+var Pipes = class {
+	constructor(workos) {
+		this.workos = workos;
+	}
+	async getAccessToken({ provider, ...options }) {
+		const { data } = await this.workos.post(`data-integrations/${provider}/token`, serializeGetAccessTokenOptions(options));
+		return deserializeGetAccessTokenResponse(data);
+	}
+};
+//#endregion
+//#region src/portal/portal.ts
+var Portal = class {
+	constructor(workos) {
+		this.workos = workos;
+	}
+	async generateLink({ intent, organization, returnUrl, successUrl }) {
+		const { data } = await this.workos.post("/portal/generate_link", {
+			intent,
+			organization,
+			return_url: returnUrl,
+			success_url: successUrl
+		});
+		return data;
+	}
+};
+//#endregion
+//#region src/common/utils/query-string.ts
+/**
+* Converts options to a query string.
+* - Arrays: scope=read&scope=write (repeat format)
+* - Objects: params[key]=value (bracket notation)
+* - Encoding: RFC1738 (space as +)
+* - Keys sorted alphabetically
+*/
+function toQueryString(options) {
+	const params = [];
+	const sortedKeys = Object.keys(options).sort((a, b) => a.localeCompare(b));
+	for (const key of sortedKeys) {
+		const value = options[key];
+		if (value === void 0) continue;
+		if (Array.isArray(value)) for (const item of value) params.push([key, String(item)]);
+		else if (typeof value === "object" && value !== null) {
+			const sortedSubKeys = Object.keys(value).sort((a, b) => a.localeCompare(b));
+			for (const subKey of sortedSubKeys) {
+				const subValue = value[subKey];
+				if (subValue !== void 0) params.push([`${key}[${subKey}]`, String(subValue)]);
+			}
+		} else params.push([key, String(value)]);
+	}
+	return params.map(([key, value]) => {
+		return `${encodeRFC1738(key)}=${encodeRFC1738(value)}`;
+	}).join("&");
+}
+function encodeRFC1738(str) {
+	return encodeURIComponent(str).replace(/%20/g, "+").replace(/[!'*]/g, (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase());
+}
+//#endregion
+//#region src/sso/sso.ts
+var SSO = class {
+	constructor(workos) {
+		this.workos = workos;
+	}
+	async listConnections(options) {
+		return new AutoPaginatable(await fetchAndDeserialize(this.workos, "/connections", deserializeConnection, options ? serializeListConnectionsOptions(options) : void 0), (params) => fetchAndDeserialize(this.workos, "/connections", deserializeConnection, params), options ? serializeListConnectionsOptions(options) : void 0);
+	}
+	async deleteConnection(id) {
+		await this.workos.delete(`/connections/${id}`);
+	}
+	getAuthorizationUrl(options) {
+		const { codeChallenge, codeChallengeMethod, connection, clientId, domainHint, loginHint, organization, provider, providerQueryParams, providerScopes, redirectUri, state } = options;
+		if (!provider && !connection && !organization) throw new TypeError(`Incomplete arguments. Need to specify either a 'connection', 'organization', or 'provider'.`);
+		const query = toQueryString({
+			code_challenge: codeChallenge,
+			code_challenge_method: codeChallengeMethod,
+			connection,
+			organization,
+			domain_hint: domainHint,
+			login_hint: loginHint,
+			provider,
+			provider_query_params: providerQueryParams,
+			provider_scopes: providerScopes,
+			client_id: clientId,
+			redirect_uri: redirectUri,
+			response_type: "code",
+			state
+		});
+		return `${this.workos.baseURL}/sso/authorize?${query}`;
+	}
+	/**
+	* Generates an authorization URL with PKCE parameters automatically generated.
+	* Use this for public clients (CLI apps, Electron, mobile) that cannot
+	* securely store a client secret.
+	*
+	* @returns Object containing url, state, and codeVerifier
+	*
+	* @example
+	* ```typescript
+	* const { url, state, codeVerifier } = await workos.sso.getAuthorizationUrlWithPKCE({
+	*   connection: 'conn_123',
+	*   clientId: 'client_123',
+	*   redirectUri: 'myapp://callback',
+	* });
+	*
+	* // Store state and codeVerifier securely, then redirect user to url
+	* // After callback, exchange the code:
+	* const { profile, accessToken } = await workos.sso.getProfileAndToken({
+	*   code: authorizationCode,
+	*   codeVerifier,
+	*   clientId: 'client_123',
+	* });
+	* ```
+	*/
+	async getAuthorizationUrlWithPKCE(options) {
+		const { connection, clientId, domainHint, loginHint, organization, provider, providerQueryParams, providerScopes, redirectUri } = options;
+		if (!provider && !connection && !organization) throw new TypeError(`Incomplete arguments. Need to specify either a 'connection', 'organization', or 'provider'.`);
+		const pkce = await this.workos.pkce.generate();
+		const state = this.workos.pkce.generateCodeVerifier(43);
+		const query = toQueryString({
+			code_challenge: pkce.codeChallenge,
+			code_challenge_method: "S256",
+			connection,
+			organization,
+			domain_hint: domainHint,
+			login_hint: loginHint,
+			provider,
+			provider_query_params: providerQueryParams,
+			provider_scopes: providerScopes,
+			client_id: clientId,
+			redirect_uri: redirectUri,
+			response_type: "code",
+			state
+		});
+		return {
+			url: `${this.workos.baseURL}/sso/authorize?${query}`,
+			state,
+			codeVerifier: pkce.codeVerifier
+		};
+	}
+	async getConnection(id) {
+		const { data } = await this.workos.get(`/connections/${id}`);
+		return deserializeConnection(data);
+	}
+	/**
+	* Exchange an authorization code for a profile and access token.
+	*
+	* Auto-detects public vs confidential client mode:
+	* - If codeVerifier is provided: Uses PKCE flow (public client)
+	* - If no codeVerifier: Uses client_secret from API key (confidential client)
+	* - If both: Uses both client_secret AND codeVerifier (confidential client with PKCE)
+	*
+	* Using PKCE with confidential clients is recommended by OAuth 2.1 for defense
+	* in depth and provides additional CSRF protection on the authorization flow.
+	*
+	* @throws Error if neither codeVerifier nor API key is available
+	*/
+	async getProfileAndToken({ code, clientId, codeVerifier }) {
+		if (codeVerifier !== void 0 && codeVerifier.trim() === "") throw new TypeError("codeVerifier cannot be an empty string. Generate a valid PKCE pair using workos.pkce.generate().");
+		const hasApiKey = !!this.workos.key;
+		const hasPKCE = !!codeVerifier;
+		if (!hasPKCE && !hasApiKey) throw new TypeError("getProfileAndToken requires either a codeVerifier (for public clients) or an API key configured on the WorkOS instance (for confidential clients).");
+		const form = new URLSearchParams({
+			client_id: clientId,
+			grant_type: "authorization_code",
+			code
+		});
+		if (hasPKCE) form.set("code_verifier", codeVerifier);
+		if (hasApiKey) form.set("client_secret", this.workos.key);
+		const { data } = await this.workos.post("/sso/token", form, { skipApiKeyCheck: !hasApiKey });
+		return deserializeProfileAndToken(data);
+	}
+	async getProfile({ accessToken }) {
+		const { data } = await this.workos.get("/sso/profile", { accessToken });
+		return deserializeProfile(data);
+	}
+};
+//#endregion
+//#region src/mfa/serializers/challenge.serializer.ts
+const deserializeChallenge = (challenge) => ({
+	object: challenge.object,
+	id: challenge.id,
+	createdAt: challenge.created_at,
+	updatedAt: challenge.updated_at,
+	expiresAt: challenge.expires_at,
+	code: challenge.code,
+	authenticationFactorId: challenge.authentication_factor_id
+});
+//#endregion
+//#region src/mfa/serializers/sms.serializer.ts
+const deserializeSms = (sms) => ({ phoneNumber: sms.phone_number });
+//#endregion
+//#region src/mfa/serializers/factor.serializer.ts
+const deserializeFactor = (factor) => ({
+	object: factor.object,
+	id: factor.id,
+	createdAt: factor.created_at,
+	updatedAt: factor.updated_at,
+	type: factor.type,
+	...factor.sms ? { sms: deserializeSms(factor.sms) } : {},
+	...factor.totp ? { totp: deserializeTotp(factor.totp) } : {}
+});
+const deserializeFactorWithSecrets = (factor) => ({
+	object: factor.object,
+	id: factor.id,
+	createdAt: factor.created_at,
+	updatedAt: factor.updated_at,
+	type: factor.type,
+	...factor.sms ? { sms: deserializeSms(factor.sms) } : {},
+	...factor.totp ? { totp: deserializeTotpWithSecrets(factor.totp) } : {}
+});
+//#endregion
+//#region src/mfa/serializers/verify-response.serializer.ts
+const deserializeVerifyResponse = (verifyResponse) => ({
+	challenge: deserializeChallenge(verifyResponse.challenge),
+	valid: verifyResponse.valid
+});
+//#endregion
+//#region src/mfa/mfa.ts
+var Mfa = class {
+	constructor(workos) {
+		this.workos = workos;
+	}
+	async deleteFactor(id) {
+		await this.workos.delete(`/auth/factors/${id}`);
+	}
+	async getFactor(id) {
+		const { data } = await this.workos.get(`/auth/factors/${id}`);
+		return deserializeFactor(data);
+	}
+	async enrollFactor(options) {
+		const { data } = await this.workos.post("/auth/factors/enroll", {
+			type: options.type,
+			...(() => {
+				switch (options.type) {
+					case "sms": return { phone_number: options.phoneNumber };
+					case "totp": return {
+						totp_issuer: options.issuer,
+						totp_user: options.user
+					};
+					default: return {};
+				}
+			})()
+		});
+		return deserializeFactorWithSecrets(data);
+	}
+	async challengeFactor(options) {
+		const { data } = await this.workos.post(`/auth/factors/${options.authenticationFactorId}/challenge`, { sms_template: "smsTemplate" in options ? options.smsTemplate : void 0 });
+		return deserializeChallenge(data);
+	}
+	async verifyChallenge(options) {
+		const { data } = await this.workos.post(`/auth/challenges/${options.authenticationChallengeId}/verify`, { code: options.code });
+		return deserializeVerifyResponse(data);
+	}
+};
+//#endregion
+//#region src/audit-logs/serializers/audit-log-export.serializer.ts
+const deserializeAuditLogExport = (auditLogExport) => ({
+	object: auditLogExport.object,
+	id: auditLogExport.id,
+	state: auditLogExport.state,
+	url: auditLogExport.url,
+	createdAt: auditLogExport.created_at,
+	updatedAt: auditLogExport.updated_at
+});
+//#endregion
+//#region src/audit-logs/serializers/audit-log-export-options.serializer.ts
+const serializeAuditLogExportOptions = (options) => ({
+	actions: options.actions,
+	actor_names: options.actorNames,
+	actor_ids: options.actorIds,
+	organization_id: options.organizationId,
+	range_end: options.rangeEnd.toISOString(),
+	range_start: options.rangeStart.toISOString(),
+	targets: options.targets
+});
+//#endregion
+//#region src/audit-logs/serializers/create-audit-log-event-options.serializer.ts
+const serializeCreateAuditLogEventOptions = (event) => ({
+	action: event.action,
+	version: event.version,
+	occurred_at: event.occurredAt.toISOString(),
+	actor: event.actor,
+	targets: event.targets,
+	context: {
+		location: event.context.location,
+		user_agent: event.context.userAgent
+	},
+	metadata: event.metadata
+});
+//#endregion
+//#region src/audit-logs/serializers/create-audit-log-schema-options.serializer.ts
+function serializeMetadata(metadata) {
+	if (!metadata) return {};
+	const serializedMetadata = {};
+	Object.keys(metadata).forEach((key) => {
+		serializedMetadata[key] = { type: metadata[key] };
+	});
+	return serializedMetadata;
+}
+const serializeCreateAuditLogSchemaOptions = (schema) => ({
+	actor: { metadata: {
+		type: "object",
+		properties: serializeMetadata(schema.actor?.metadata)
+	} },
+	targets: schema.targets.map((target) => {
+		return {
+			type: target.type,
+			metadata: target.metadata ? {
+				type: "object",
+				properties: serializeMetadata(target.metadata)
+			} : void 0
+		};
+	}),
+	metadata: schema.metadata ? {
+		type: "object",
+		properties: serializeMetadata(schema.metadata)
+	} : void 0
+});
+//#endregion
+//#region src/audit-logs/serializers/create-audit-log-schema.serializer.ts
+function deserializeMetadata(metadata) {
+	if (!metadata || !metadata.properties) return {};
+	const deserializedMetadata = {};
+	Object.keys(metadata.properties).forEach((key) => {
+		if (metadata.properties) deserializedMetadata[key] = metadata.properties[key].type;
+	});
+	return deserializedMetadata;
+}
+const deserializeAuditLogSchema = (auditLogSchema) => ({
+	object: auditLogSchema.object,
+	version: auditLogSchema.version,
+	targets: auditLogSchema.targets.map((target) => {
+		return {
+			type: target.type,
+			metadata: target.metadata ? deserializeMetadata(target.metadata) : void 0
+		};
+	}),
+	actor: { metadata: deserializeMetadata(auditLogSchema.actor?.metadata) },
+	metadata: auditLogSchema.metadata ? deserializeMetadata(auditLogSchema.metadata) : void 0,
+	createdAt: auditLogSchema.created_at
+});
+//#endregion
+//#region src/audit-logs/audit-logs.ts
+var AuditLogs = class {
+	constructor(workos) {
+		this.workos = workos;
+	}
+	async createEvent(organization, event, options = {}) {
+		const optionsWithIdempotency = {
+			...options,
+			idempotencyKey: options.idempotencyKey || `workos-node-${globalThis.crypto.randomUUID()}`
+		};
+		await this.workos.post("/audit_logs/events", {
+			event: serializeCreateAuditLogEventOptions(event),
+			organization_id: organization
+		}, optionsWithIdempotency);
+	}
+	async createExport(options) {
+		const { data } = await this.workos.post("/audit_logs/exports", serializeAuditLogExportOptions(options));
+		return deserializeAuditLogExport(data);
+	}
+	async getExport(auditLogExportId) {
+		const { data } = await this.workos.get(`/audit_logs/exports/${auditLogExportId}`);
+		return deserializeAuditLogExport(data);
+	}
+	async createSchema(schema, options = {}) {
+		const { data } = await this.workos.post(`/audit_logs/actions/${schema.action}/schemas`, serializeCreateAuditLogSchemaOptions(schema), options);
+		return deserializeAuditLogSchema(data);
+	}
+};
+//#endregion
+//#region node_modules/uint8array-extras/index.js
+const objectToString = Object.prototype.toString;
+const uint8ArrayStringified = "[object Uint8Array]";
+function isType(value, typeConstructor, typeStringified) {
+	if (!value) return false;
+	if (value.constructor === typeConstructor) return true;
+	return objectToString.call(value) === typeStringified;
+}
+function isUint8Array(value) {
+	return isType(value, Uint8Array, uint8ArrayStringified);
+}
+function assertUint8Array(value) {
+	if (!isUint8Array(value)) throw new TypeError(`Expected \`Uint8Array\`, got \`${typeof value}\``);
+}
+new globalThis.TextDecoder("utf8");
+function assertString(value) {
+	if (typeof value !== "string") throw new TypeError(`Expected \`string\`, got \`${typeof value}\``);
+}
+new globalThis.TextEncoder();
+function base64ToBase64Url(base64) {
+	return base64.replaceAll("+", "-").replaceAll("/", "_").replace(/=+$/, "");
+}
+function base64UrlToBase64(base64url) {
+	const base64 = base64url.replaceAll("-", "+").replaceAll("_", "/");
+	const padding = (4 - base64.length % 4) % 4;
+	return base64 + "=".repeat(padding);
+}
+const MAX_BLOCK_SIZE = 65535;
+function uint8ArrayToBase64$1(array, { urlSafe = false } = {}) {
+	assertUint8Array(array);
+	let base64 = "";
+	for (let index = 0; index < array.length; index += MAX_BLOCK_SIZE) {
+		const chunk = array.subarray(index, index + MAX_BLOCK_SIZE);
+		base64 += globalThis.btoa(String.fromCodePoint.apply(void 0, chunk));
+	}
+	return urlSafe ? base64ToBase64Url(base64) : base64;
+}
+function base64ToUint8Array$1(base64String) {
+	assertString(base64String);
+	return Uint8Array.from(globalThis.atob(base64UrlToBase64(base64String)), (x) => x.codePointAt(0));
+}
+const byteToHexLookupTable = Array.from({ length: 256 }, (_, index) => index.toString(16).padStart(2, "0"));
+function uint8ArrayToHex(array) {
+	assertUint8Array(array);
+	let hexString = "";
+	for (let index = 0; index < array.length; index++) hexString += byteToHexLookupTable[array[index]];
+	return hexString;
+}
+//#endregion
+//#region node_modules/iron-webcrypto/index.js
+function losslessJsonStringify(data) {
+	try {
+		if (isJson(data)) {
+			let stringified = JSON.stringify(data);
+			if (stringified) return stringified;
+		}
+	} catch {}
+	throw Error("Data is not JSON serializable");
+}
+function jsonParse(string) {
+	try {
+		return JSON.parse(string);
+	} catch (err) {
+		throw Error("Failed parsing sealed object JSON: " + err.message);
+	}
+}
+function isJson(val) {
+	let stack = [], seen = /* @__PURE__ */ new WeakSet(), check = (val$1) => val$1 === null || typeof val$1 == "string" || typeof val$1 == "boolean" ? !0 : typeof val$1 == "number" ? Number.isFinite(val$1) : typeof val$1 == "object" ? seen.has(val$1) ? !0 : (seen.add(val$1), stack.push(val$1), !0) : !1;
+	if (!check(val)) return !1;
+	for (; stack.length;) {
+		let obj = stack.pop();
+		if (Array.isArray(obj)) {
+			let i$1 = obj.length;
+			for (; i$1--;) if (!check(obj[i$1])) return !1;
+			continue;
+		}
+		let proto = Reflect.getPrototypeOf(obj);
+		if (proto !== null && proto !== Object.prototype) return !1;
+		let keys = Reflect.ownKeys(obj), i = keys.length;
+		for (; i--;) {
+			let key = keys[i];
+			if (typeof key != "string" || Reflect.getOwnPropertyDescriptor(obj, key)?.enumerable === !1) return !1;
+			let val$1 = obj[key];
+			if (val$1 !== void 0 && !check(val$1)) return !1;
+		}
+	}
+	return !0;
+}
+const enc = /* @__PURE__ */ new TextEncoder(), dec = /* @__PURE__ */ new TextDecoder(), jsBase64Enabled = typeof Uint8Array.fromBase64 == "function" && typeof Uint8Array.prototype.toBase64 == "function" && typeof Uint8Array.prototype.toHex == "function";
+function b64ToU8(str) {
+	return jsBase64Enabled ? Uint8Array.fromBase64(str, { alphabet: "base64url" }) : base64ToUint8Array$1(str);
+}
+function u8ToB64(arr) {
+	return arr = arr instanceof ArrayBuffer ? new Uint8Array(arr) : arr, jsBase64Enabled ? arr.toBase64({
+		alphabet: "base64url",
+		omitPadding: !0
+	}) : uint8ArrayToBase64$1(arr, { urlSafe: !0 });
+}
+function u8ToHex(arr) {
+	return arr = arr instanceof ArrayBuffer ? new Uint8Array(arr) : arr, jsBase64Enabled ? arr.toHex() : uint8ArrayToHex(arr);
+}
+const defaults = /* @__PURE__ */ Object.freeze({
+	encryption: /* @__PURE__ */ Object.freeze({
+		algorithm: "aes-256-cbc",
+		saltBits: 256,
+		iterations: 1,
+		minPasswordlength: 32
+	}),
+	integrity: /* @__PURE__ */ Object.freeze({
+		algorithm: "sha256",
+		saltBits: 256,
+		iterations: 1,
+		minPasswordlength: 32
+	}),
+	ttl: 0,
+	timestampSkewSec: 60,
+	localtimeOffsetMsec: 0
+}), algorithms = /* @__PURE__ */ Object.freeze({
+	"aes-128-ctr": /* @__PURE__ */ Object.freeze({
+		keyBits: 128,
+		ivBits: 128,
+		name: "AES-CTR"
+	}),
+	"aes-256-cbc": /* @__PURE__ */ Object.freeze({
+		keyBits: 256,
+		ivBits: 128,
+		name: "AES-CBC"
+	}),
+	sha256: /* @__PURE__ */ Object.freeze({
+		keyBits: 256,
+		ivBits: void 0,
+		name: "SHA-256"
+	})
+}), macPrefix = "Fe26.2";
+function randomBits(bits) {
+	return crypto.getRandomValues(new Uint8Array(bits / 8));
+}
+async function generateKey(password, options) {
+	if (!password || !password.length) throw Error("Empty password");
+	if (!options || typeof options != "object") throw Error("Bad options");
+	let algorithm = algorithms[options.algorithm];
+	if (!algorithm) throw Error("Unknown algorithm: " + options.algorithm);
+	let isHmac = algorithm.name === "SHA-256", id = isHmac ? {
+		name: "HMAC",
+		hash: algorithm.name,
+		length: algorithm.keyBits
+	} : {
+		name: algorithm.name,
+		length: algorithm.keyBits
+	}, usages = isHmac ? ["sign", "verify"] : ["encrypt", "decrypt"], iv = options.iv || (algorithm.ivBits ? randomBits(algorithm.ivBits) : void 0);
+	if (typeof password == "string") {
+		if (password.length < options.minPasswordlength) throw Error("Password string too short (min " + options.minPasswordlength + " characters required)");
+		let salt = options.salt;
+		if (!salt) {
+			if (!options.saltBits) throw Error("Missing salt and saltBits options");
+			salt = u8ToHex(randomBits(options.saltBits));
+		}
+		let baseKey = await crypto.subtle.importKey("raw", enc.encode(password), "PBKDF2", !1, ["deriveKey"]), algorithm$1 = {
+			name: "PBKDF2",
+			salt: enc.encode(salt),
+			iterations: options.iterations,
+			hash: "SHA-1"
+		};
+		return {
+			key: await crypto.subtle.deriveKey(algorithm$1, baseKey, id, !1, usages),
+			iv,
+			salt
+		};
+	}
+	if (password.length < algorithm.keyBits / 8) throw Error("Key buffer (password) too small");
+	return {
+		key: await crypto.subtle.importKey("raw", password.slice(), id, !1, usages),
+		iv,
+		salt: ""
+	};
+}
+function getEncryptParams(algorithm, key, data) {
+	return [
+		algorithm === "aes-128-ctr" ? {
+			name: "AES-CTR",
+			counter: key.iv,
+			length: 128
+		} : {
+			name: "AES-CBC",
+			iv: key.iv
+		},
+		key.key,
+		typeof data == "string" ? enc.encode(data) : data.slice()
+	];
+}
+async function encrypt(password, options, data) {
+	let key = await generateKey(password, options), encrypted = await crypto.subtle.encrypt(...getEncryptParams(options.algorithm, key, data));
+	return {
+		encrypted: new Uint8Array(encrypted),
+		key
+	};
+}
+async function decrypt(password, options, data) {
+	let key = await generateKey(password, options), decrypted = await crypto.subtle.decrypt(...getEncryptParams(options.algorithm, key, data));
+	return dec.decode(decrypted);
+}
+async function hmacWithPassword(password, options, data) {
+	let key = await generateKey(password, options);
+	return {
+		digest: u8ToB64(await crypto.subtle.sign("HMAC", key.key, enc.encode(data))),
+		salt: key.salt
+	};
+}
+function normalizePassword(password) {
+	let normalized = typeof password == "string" || password instanceof Uint8Array ? {
+		encryption: password,
+		integrity: password
+	} : password && typeof password == "object" ? "secret" in password ? {
+		id: password.id,
+		encryption: password.secret,
+		integrity: password.secret
+	} : {
+		id: password.id,
+		encryption: password.encryption,
+		integrity: password.integrity
+	} : void 0;
+	if (!normalized || !normalized.encryption || normalized.encryption.length === 0 || !normalized.integrity || normalized.integrity.length === 0) throw Error("Empty password");
+	return normalized;
+}
+async function seal(object, password, options) {
+	let now = Date.now() + (options.localtimeOffsetMsec || 0), { id = "", encryption, integrity } = normalizePassword(password);
+	if (id && !/^\w+$/.test(id)) throw Error("Invalid password id");
+	let { encrypted, key } = await encrypt(encryption, options.encryption, (options.encode || losslessJsonStringify)(object)), expiration = options.ttl ? now + options.ttl : "", macBaseString = macPrefix + "*" + id + "*" + key.salt + "*" + u8ToB64(key.iv) + "*" + u8ToB64(encrypted) + "*" + expiration, mac = await hmacWithPassword(integrity, options.integrity, macBaseString);
+	return macBaseString + "*" + mac.salt + "*" + mac.digest;
+}
+async function unseal(sealed, password, options) {
+	let now = Date.now() + (options.localtimeOffsetMsec || 0), parts = sealed.split("*");
+	if (parts.length !== 8) throw Error("Incorrect number of sealed components");
+	let [prefix, passwordId, encryptionSalt, ivB64, encryptedB64, expiration, hmacSalt, hmacDigestB64] = parts;
+	if (prefix !== "Fe26.2") throw Error("Wrong mac prefix");
+	if (expiration) {
+		if (!/^[1-9]\d*$/.test(expiration)) throw Error("Invalid expiration");
+		if (Number.parseInt(expiration, 10) <= now - options.timestampSkewSec * 1e3) throw Error("Expired seal");
+	}
+	let pass;
+	if (typeof password == "string" || password instanceof Uint8Array) pass = password;
+	else if (typeof password == "object" && password) {
+		let passwordIdKey = passwordId || "default";
+		if (pass = password[passwordIdKey], !pass) throw Error("Cannot find password: " + passwordIdKey);
+	}
+	pass = normalizePassword(pass);
+	let key = await generateKey(pass.integrity, {
+		...options.integrity,
+		salt: hmacSalt
+	}), macBaseString = prefix + "*" + passwordId + "*" + encryptionSalt + "*" + ivB64 + "*" + encryptedB64 + "*" + expiration;
+	if (!await crypto.subtle.verify("HMAC", key.key, b64ToU8(hmacDigestB64), enc.encode(macBaseString))) throw Error("Bad hmac value");
+	let decryptedString = await decrypt(pass.encryption, {
+		...options.encryption,
+		salt: encryptionSalt,
+		iv: b64ToU8(ivB64)
+	}, b64ToU8(encryptedB64));
+	return (options.decode || jsonParse)(decryptedString);
+}
+//#endregion
+//#region src/common/crypto/seal.ts
+const VERSION_DELIMITER = "~";
+const CURRENT_MAJOR_VERSION = 2;
+function parseSeal(seal) {
+	const [sealWithoutVersion = "", tokenVersionAsString] = seal.split(VERSION_DELIMITER);
+	return {
+		sealWithoutVersion,
+		tokenVersion: tokenVersionAsString == null ? null : parseInt(tokenVersionAsString, 10)
+	};
+}
+async function sealData(data, { password }) {
+	return `${await seal(data, {
+		id: "1",
+		secret: password
+	}, {
+		...defaults,
+		ttl: 0,
+		encode: JSON.stringify
+	})}${VERSION_DELIMITER}${CURRENT_MAJOR_VERSION}`;
+}
+async function unsealData(encryptedData, { password }) {
+	const { sealWithoutVersion, tokenVersion } = parseSeal(encryptedData);
+	const passwordMap = { 1: password };
+	let data;
+	try {
+		data = await unseal(sealWithoutVersion, passwordMap, {
+			...defaults,
+			ttl: 0
+		}) ?? {};
+	} catch (error) {
+		if (error instanceof Error && /^(Expired seal|Bad hmac value|Cannot find password|Incorrect number of sealed components|Wrong mac prefix)/.test(error.message)) return {};
+		throw error;
+	}
+	if (tokenVersion === 2) return data;
+	else if (tokenVersion !== null) return data.persistent ?? data;
+	return data;
+}
+//#endregion
+//#region src/common/utils/env.ts
+let detectedRuntime = null;
+/**
+* Detect the current runtime environment.
+* This function checks for various runtime environments such as Node.js, Deno, Bun, Cloudflare Workers, Fastly, and Edge Light.
+* It returns a string representing the detected runtime and caches the result for future calls.
+* @returns The detected runtime environment as a string.
+*/
+function detectRuntime() {
+	if (detectedRuntime) return detectedRuntime;
+	const global = globalThis;
+	if (typeof process !== "undefined" && process.release?.name === "node") detectedRuntime = "node";
+	else if (typeof global.Deno !== "undefined") detectedRuntime = "deno";
+	else if (typeof navigator !== "undefined" && navigator.userAgent?.includes("Bun")) detectedRuntime = "bun";
+	else if (typeof navigator !== "undefined" && navigator.userAgent?.includes("Cloudflare")) detectedRuntime = "cloudflare";
+	else if (typeof global !== "undefined" && "fastly" in global) detectedRuntime = "fastly";
+	else if (typeof global !== "undefined" && "EdgeRuntime" in global) detectedRuntime = "edge-light";
+	else detectedRuntime = "other";
+	return detectedRuntime;
+}
+function getEnvironmentVariable(key) {
+	const runtime = detectRuntime();
+	const global = globalThis;
+	try {
+		switch (runtime) {
+			case "node":
+			case "bun":
+			case "edge-light": return process.env[key];
+			case "deno": return global.Deno.env.get(key);
+			case "cloudflare": return global.env?.[key] ?? global[key];
+			case "fastly": return global[key];
+			default: return process?.env?.[key] ?? global.env?.[key] ?? global[key];
+		}
+	} catch {
+		return;
+	}
+}
+/**
+* Get an environment variable value, trying to access it in different runtimes.
+* @param key - The name of the environment variable.
+* @param defaultValue - The default value to return if the variable is not found.
+* @return The value of the environment variable or the default value.
+*/
+function getEnv(key, defaultValue) {
+	return getEnvironmentVariable(key) ?? defaultValue;
+}
+//#endregion
+//#region src/user-management/interfaces/authenticate-with-session-cookie.interface.ts
+let AuthenticateWithSessionCookieFailureReason = /* @__PURE__ */ function(AuthenticateWithSessionCookieFailureReason) {
+	AuthenticateWithSessionCookieFailureReason["INVALID_JWT"] = "invalid_jwt";
+	AuthenticateWithSessionCookieFailureReason["INVALID_SESSION_COOKIE"] = "invalid_session_cookie";
+	AuthenticateWithSessionCookieFailureReason["NO_SESSION_COOKIE_PROVIDED"] = "no_session_cookie_provided";
+	return AuthenticateWithSessionCookieFailureReason;
+}({});
+//#endregion
+//#region src/user-management/interfaces/revoke-session-options.interface.ts
+const serializeRevokeSessionOptions = (options) => ({ session_id: options.sessionId });
+//#endregion
+//#region src/user-management/serializers/authenticate-with-email-verification.serializer.ts
+const serializeAuthenticateWithEmailVerificationOptions = (options) => ({
+	grant_type: "urn:workos:oauth:grant-type:email-verification:code",
+	client_id: options.clientId,
+	client_secret: options.clientSecret,
+	pending_authentication_token: options.pendingAuthenticationToken,
+	code: options.code,
+	ip_address: options.ipAddress,
+	user_agent: options.userAgent
+});
+//#endregion
+//#region src/user-management/serializers/authenticate-with-organization-selection-options.serializer.ts
+const serializeAuthenticateWithOrganizationSelectionOptions = (options) => ({
+	grant_type: "urn:workos:oauth:grant-type:organization-selection",
+	client_id: options.clientId,
+	client_secret: options.clientSecret,
+	pending_authentication_token: options.pendingAuthenticationToken,
+	organization_id: options.organizationId,
+	ip_address: options.ipAddress,
+	user_agent: options.userAgent
+});
+//#endregion
+//#region src/user-management/serializers/create-organization-membership-options.serializer.ts
+const serializeCreateOrganizationMembershipOptions = (options) => ({
+	organization_id: options.organizationId,
+	user_id: options.userId,
+	role_slug: options.roleSlug,
+	role_slugs: options.roleSlugs
+});
+//#endregion
+//#region src/user-management/serializers/identity.serializer.ts
+const deserializeIdentities = (identities) => {
+	return identities.map((identity) => {
+		return {
+			idpId: identity.idp_id,
+			type: identity.type,
+			provider: identity.provider
+		};
+	});
+};
+//#endregion
+//#region src/user-management/serializers/list-invitations-options.serializer.ts
+const serializeListInvitationsOptions = (options) => ({
+	email: options.email,
+	organization_id: options.organizationId,
+	limit: options.limit,
+	before: options.before,
+	after: options.after,
+	order: options.order
+});
+//#endregion
+//#region src/user-management/serializers/list-organization-memberships-options.serializer.ts
+const serializeListOrganizationMembershipsOptions = (options) => ({
+	user_id: options.userId,
+	organization_id: options.organizationId,
+	statuses: options.statuses?.join(","),
+	limit: options.limit,
+	before: options.before,
+	after: options.after,
+	order: options.order
+});
+//#endregion
+//#region src/user-management/serializers/list-users-options.serializer.ts
+const serializeListUsersOptions = (options) => ({
+	email: options.email,
+	organization_id: options.organizationId,
+	limit: options.limit,
+	before: options.before,
+	after: options.after,
+	order: options.order
+});
+//#endregion
+//#region src/user-management/serializers/resend-invitation-options.serializer.ts
+const serializeResendInvitationOptions = (options) => ({ locale: options.locale });
+//#endregion
+//#region src/user-management/interfaces/refresh-and-seal-session-data.interface.ts
+let RefreshSessionFailureReason = /* @__PURE__ */ function(RefreshSessionFailureReason) {
+	RefreshSessionFailureReason["INVALID_SESSION_COOKIE"] = "invalid_session_cookie";
+	RefreshSessionFailureReason["NO_SESSION_COOKIE_PROVIDED"] = "no_session_cookie_provided";
+	RefreshSessionFailureReason["INVALID_GRANT"] = "invalid_grant";
+	RefreshSessionFailureReason["MFA_ENROLLMENT"] = "mfa_enrollment";
+	RefreshSessionFailureReason["SSO_REQUIRED"] = "sso_required";
+	return RefreshSessionFailureReason;
+}({});
+//#endregion
+//#region src/user-management/serializers/send-invitation-options.serializer.ts
+const serializeSendInvitationOptions = (options) => ({
+	email: options.email,
+	organization_id: options.organizationId,
+	expires_in_days: options.expiresInDays,
+	inviter_user_id: options.inviterUserId,
+	role_slug: options.roleSlug,
+	locale: options.locale
+});
+//#endregion
+//#region src/user-management/serializers/update-organization-membership-options.serializer.ts
+const serializeUpdateOrganizationMembershipOptions = (options) => ({
+	role_slug: options.roleSlug,
+	role_slugs: options.roleSlugs
+});
+//#endregion
+//#region src/utils/jose.ts
+let _josePromise;
+/**
+* Dynamically imports the jose library using import() to support Node.js 20.0-20.18.
+*
+* The jose library is ESM-only and cannot be loaded via require() in Node.js versions
+* before 20.19.0. This wrapper uses dynamic import() which works in both ESM and CJS
+* across all Node.js 20+ versions.
+*
+* This workaround can be removed when Node.js 20 reaches end-of-life (April 2026),
+* at which point we can bump to Node.js 22+ and use direct imports.
+*
+* @returns Promise that resolves to the jose module
+*/
+function getJose() {
+	return _josePromise ??= Promise.resolve().then(() => require("./webapi-DoOhnR2U.cjs"));
+}
+//#endregion
+//#region src/user-management/session.ts
+var CookieSession = class {
+	userManagement;
+	cookiePassword;
+	sessionData;
+	constructor(userManagement, sessionData, cookiePassword) {
+		if (!cookiePassword) throw new Error("cookiePassword is required");
+		this.userManagement = userManagement;
+		this.cookiePassword = cookiePassword;
+		this.sessionData = sessionData;
+	}
+	/**
+	* Authenticates a user with a session cookie.
+	*
+	* @returns An object indicating whether the authentication was successful or not. If successful, it will include the user's session data.
+	*/
+	async authenticate() {
+		if (!this.sessionData) return {
+			authenticated: false,
+			reason: AuthenticateWithSessionCookieFailureReason.NO_SESSION_COOKIE_PROVIDED
+		};
+		const session = await unsealData(this.sessionData, { password: this.cookiePassword });
+		if (!session.accessToken) return {
+			authenticated: false,
+			reason: AuthenticateWithSessionCookieFailureReason.INVALID_SESSION_COOKIE
+		};
+		if (!await this.isValidJwt(session.accessToken)) return {
+			authenticated: false,
+			reason: AuthenticateWithSessionCookieFailureReason.INVALID_JWT
+		};
+		const { decodeJwt } = await getJose();
+		const { sid: sessionId, org_id: organizationId, role, roles, permissions, entitlements, feature_flags: featureFlags } = decodeJwt(session.accessToken);
+		return {
+			authenticated: true,
+			sessionId,
+			organizationId,
+			role,
+			roles,
+			permissions,
+			entitlements,
+			featureFlags,
+			user: session.user,
+			authenticationMethod: session.authenticationMethod,
+			impersonator: session.impersonator,
+			accessToken: session.accessToken
+		};
+	}
+	/**
+	* Refreshes the user's session.
+	*
+	* @param options - Optional options for refreshing the session.
+	* @param options.cookiePassword - The password to use for the new session cookie.
+	* @param options.organizationId - The organization ID to use for the new session cookie.
+	* @returns An object indicating whether the refresh was successful or not. If successful, it will include the new sealed session data.
+	*/
+	async refresh(options = {}) {
+		const { decodeJwt } = await getJose();
+		const session = await unsealData(this.sessionData, { password: this.cookiePassword });
+		if (!session.refreshToken || !session.user) return {
+			authenticated: false,
+			reason: RefreshSessionFailureReason.INVALID_SESSION_COOKIE
+		};
+		const { org_id: organizationIdFromAccessToken } = decodeJwt(session.accessToken);
+		try {
+			const cookiePassword = options.cookiePassword ?? this.cookiePassword;
+			const authenticationResponse = await this.userManagement.authenticateWithRefreshToken({
+				clientId: this.userManagement.clientId,
+				refreshToken: session.refreshToken,
+				organizationId: options.organizationId ?? organizationIdFromAccessToken,
+				session: {
+					sealSession: true,
+					cookiePassword
+				}
+			});
+			if (options.cookiePassword) this.cookiePassword = options.cookiePassword;
+			this.sessionData = authenticationResponse.sealedSession;
+			const { sid: sessionId, org_id: organizationId, role, roles, permissions, entitlements, feature_flags: featureFlags } = decodeJwt(authenticationResponse.accessToken);
+			return {
+				authenticated: true,
+				sealedSession: authenticationResponse.sealedSession,
+				session: authenticationResponse,
+				authenticationMethod: authenticationResponse.authenticationMethod,
+				sessionId,
+				organizationId,
+				role,
+				roles,
+				permissions,
+				entitlements,
+				featureFlags,
+				user: session.user,
+				impersonator: session.impersonator
+			};
+		} catch (error) {
+			if (error instanceof OauthException && (error.error === RefreshSessionFailureReason.INVALID_GRANT || error.error === RefreshSessionFailureReason.MFA_ENROLLMENT || error.error === RefreshSessionFailureReason.SSO_REQUIRED)) return {
+				authenticated: false,
+				reason: error.error
+			};
+			throw error;
+		}
+	}
+	/**
+	* Gets the URL to redirect the user to for logging out.
+	*
+	* @returns The URL to redirect the user to for logging out.
+	*/
+	async getLogoutUrl({ returnTo } = {}) {
+		const authenticationResponse = await this.authenticate();
+		if (!authenticationResponse.authenticated) {
+			const { reason } = authenticationResponse;
+			throw new Error(`Failed to extract session ID for logout URL: ${reason}`);
+		}
+		return this.userManagement.getLogoutUrl({
+			sessionId: authenticationResponse.sessionId,
+			returnTo
+		});
+	}
+	async isValidJwt(accessToken) {
+		const { jwtVerify } = await getJose();
+		const jwks = await this.userManagement.getJWKS();
+		if (!jwks) throw new Error("Missing client ID. Did you provide it when initializing WorkOS?");
+		try {
+			await jwtVerify(accessToken, jwks);
+			return true;
+		} catch (e) {
+			if (e instanceof Error && "code" in e && typeof e.code === "string" && (e.code.startsWith("ERR_JWT_") || e.code.startsWith("ERR_JWS_"))) return false;
+			throw e;
+		}
+	}
+};
+//#endregion
+//#region src/user-management/user-management.ts
+var UserManagement = class {
+	_jwks;
+	clientId;
+	constructor(workos) {
+		this.workos = workos;
+		const { clientId } = workos.options;
+		this.clientId = clientId;
+	}
+	/**
+	* Resolve clientId from method options or fall back to constructor-provided value.
+	* @throws TypeError if clientId is not available from either source
+	*/
+	resolveClientId(clientId) {
+		const resolved = clientId ?? this.clientId;
+		if (!resolved) throw new TypeError("clientId is required. Provide it in method options or when initializing WorkOS.");
+		return resolved;
+	}
+	async getJWKS() {
+		const { createRemoteJWKSet } = await getJose();
+		if (!this.clientId) return;
+		this._jwks ??= createRemoteJWKSet(new URL(this.getJwksUrl(this.clientId)), { cooldownDuration: 1e3 * 60 * 5 });
+		return this._jwks;
+	}
+	/**
+	* Loads a sealed session using the provided session data and cookie password.
+	*
+	* @param options - The options for loading the sealed session.
+	* @param options.sessionData - The sealed session data.
+	* @param options.cookiePassword - The password used to encrypt the session data.
+	* @returns The session class.
+	*/
+	loadSealedSession(options) {
+		return new CookieSession(this, options.sessionData, options.cookiePassword);
+	}
+	async getUser(userId) {
+		const { data } = await this.workos.get(`/user_management/users/${userId}`);
+		return deserializeUser(data);
+	}
+	async getUserByExternalId(externalId) {
+		const { data } = await this.workos.get(`/user_management/users/external_id/${externalId}`);
+		return deserializeUser(data);
+	}
+	async listUsers(options) {
+		return new AutoPaginatable(await fetchAndDeserialize(this.workos, "/user_management/users", deserializeUser, options ? serializeListUsersOptions(options) : void 0), (params) => fetchAndDeserialize(this.workos, "/user_management/users", deserializeUser, params), options ? serializeListUsersOptions(options) : void 0);
+	}
+	async createUser(payload) {
+		const { data } = await this.workos.post("/user_management/users", serializeCreateUserOptions(payload));
+		return deserializeUser(data);
+	}
+	async authenticateWithMagicAuth(payload) {
+		const { session, clientId, ...remainingPayload } = payload;
+		const resolvedClientId = this.resolveClientId(clientId);
+		const { data } = await this.workos.post("/user_management/authenticate", serializeAuthenticateWithMagicAuthOptions({
+			...remainingPayload,
+			clientId: resolvedClientId,
+			clientSecret: this.workos.key
+		}));
+		return this.prepareAuthenticationResponse({
+			authenticationResponse: deserializeAuthenticationResponse(data),
+			session
+		});
+	}
+	async authenticateWithPassword(payload) {
+		const { session, clientId, ...remainingPayload } = payload;
+		const resolvedClientId = this.resolveClientId(clientId);
+		const { data } = await this.workos.post("/user_management/authenticate", serializeAuthenticateWithPasswordOptions({
+			...remainingPayload,
+			clientId: resolvedClientId,
+			clientSecret: this.workos.key
+		}));
+		return this.prepareAuthenticationResponse({
+			authenticationResponse: deserializeAuthenticationResponse(data),
+			session
+		});
+	}
+	/**
+	* Exchange an authorization code for tokens.
+	*
+	* Auto-detects public vs confidential client mode:
+	* - If codeVerifier is provided: Uses PKCE flow (public client)
+	* - If no codeVerifier: Uses client_secret from API key (confidential client)
+	* - If both: Uses both client_secret AND codeVerifier (confidential client with PKCE)
+	*
+	* Using PKCE with confidential clients is recommended by OAuth 2.1 for defense
+	* in depth and provides additional CSRF protection on the authorization flow.
+	*
+	* @throws Error if neither codeVerifier nor API key is available
+	*/
+	async authenticateWithCode(payload) {
+		const { session, clientId, codeVerifier, ...remainingPayload } = payload;
+		const resolvedClientId = this.resolveClientId(clientId);
+		if (codeVerifier !== void 0 && codeVerifier.trim() === "") throw new TypeError("codeVerifier cannot be an empty string. Generate a valid PKCE pair using workos.pkce.generate().");
+		const hasApiKey = !!this.workos.key;
+		if (!!!codeVerifier && !hasApiKey) throw new TypeError("authenticateWithCode requires either a codeVerifier (for public clients) or an API key configured on the WorkOS instance (for confidential clients).");
+		const { data } = await this.workos.post("/user_management/authenticate", serializeAuthenticateWithCodeOptions({
+			...remainingPayload,
+			clientId: resolvedClientId,
+			codeVerifier,
+			clientSecret: hasApiKey ? this.workos.key : void 0
+		}), { skipApiKeyCheck: !hasApiKey });
+		return this.prepareAuthenticationResponse({
+			authenticationResponse: deserializeAuthenticationResponse(data),
+			session
+		});
+	}
+	/**
+	* Exchange an authorization code for tokens using PKCE (public client flow).
+	* Use this instead of authenticateWithCode() when the client cannot securely
+	* store a client_secret (browser, mobile, CLI, desktop apps).
+	*
+	* @param payload.clientId - Your WorkOS client ID
+	* @param payload.code - The authorization code from the OAuth callback
+	* @param payload.codeVerifier - The PKCE code verifier used to generate the code challenge
+	*/
+	async authenticateWithCodeAndVerifier(payload) {
+		const { session, clientId, ...remainingPayload } = payload;
+		const resolvedClientId = this.resolveClientId(clientId);
+		const { data } = await this.workos.post("/user_management/authenticate", serializeAuthenticateWithCodeAndVerifierOptions({
+			...remainingPayload,
+			clientId: resolvedClientId
+		}), { skipApiKeyCheck: true });
+		return this.prepareAuthenticationResponse({
+			authenticationResponse: deserializeAuthenticationResponse(data),
+			session
+		});
+	}
+	/**
+	* Refresh an access token using a refresh token.
+	* Automatically detects public client mode - if no API key is configured,
+	* omits client_secret from the request.
+	*/
+	async authenticateWithRefreshToken(payload) {
+		const { session, clientId, ...remainingPayload } = payload;
+		const resolvedClientId = this.resolveClientId(clientId);
+		const isPublicClient = !this.workos.key;
+		const body = isPublicClient ? serializeAuthenticateWithRefreshTokenPublicClientOptions({
+			...remainingPayload,
+			clientId: resolvedClientId
+		}) : serializeAuthenticateWithRefreshTokenOptions({
+			...remainingPayload,
+			clientId: resolvedClientId,
+			clientSecret: this.workos.key
+		});
+		const { data } = await this.workos.post("/user_management/authenticate", body, { skipApiKeyCheck: isPublicClient });
+		return this.prepareAuthenticationResponse({
+			authenticationResponse: deserializeAuthenticationResponse(data),
+			session
+		});
+	}
+	async authenticateWithTotp(payload) {
+		const { session, clientId, ...remainingPayload } = payload;
+		const resolvedClientId = this.resolveClientId(clientId);
+		const { data } = await this.workos.post("/user_management/authenticate", serializeAuthenticateWithTotpOptions({
+			...remainingPayload,
+			clientId: resolvedClientId,
+			clientSecret: this.workos.key
+		}));
+		return this.prepareAuthenticationResponse({
+			authenticationResponse: deserializeAuthenticationResponse(data),
+			session
+		});
+	}
+	async authenticateWithEmailVerification(payload) {
+		const { session, clientId, ...remainingPayload } = payload;
+		const resolvedClientId = this.resolveClientId(clientId);
+		const { data } = await this.workos.post("/user_management/authenticate", serializeAuthenticateWithEmailVerificationOptions({
+			...remainingPayload,
+			clientId: resolvedClientId,
+			clientSecret: this.workos.key
+		}));
+		return this.prepareAuthenticationResponse({
+			authenticationResponse: deserializeAuthenticationResponse(data),
+			session
+		});
+	}
+	async authenticateWithOrganizationSelection(payload) {
+		const { session, clientId, ...remainingPayload } = payload;
+		const resolvedClientId = this.resolveClientId(clientId);
+		const { data } = await this.workos.post("/user_management/authenticate", serializeAuthenticateWithOrganizationSelectionOptions({
+			...remainingPayload,
+			clientId: resolvedClientId,
+			clientSecret: this.workos.key
+		}));
+		return this.prepareAuthenticationResponse({
+			authenticationResponse: deserializeAuthenticationResponse(data),
+			session
+		});
+	}
+	async authenticateWithSessionCookie({ sessionData, cookiePassword = getEnv("WORKOS_COOKIE_PASSWORD") }) {
+		if (!cookiePassword) throw new Error("Cookie password is required");
+		if (!await this.getJWKS()) throw new Error("Must provide clientId to initialize JWKS");
+		const { decodeJwt } = await getJose();
+		if (!sessionData) return {
+			authenticated: false,
+			reason: AuthenticateWithSessionCookieFailureReason.NO_SESSION_COOKIE_PROVIDED
+		};
+		const session = await unsealData(sessionData, { password: cookiePassword });
+		if (!session.accessToken) return {
+			authenticated: false,
+			reason: AuthenticateWithSessionCookieFailureReason.INVALID_SESSION_COOKIE
+		};
+		if (!await this.isValidJwt(session.accessToken)) return {
+			authenticated: false,
+			reason: AuthenticateWithSessionCookieFailureReason.INVALID_JWT
+		};
+		const { sid: sessionId, org_id: organizationId, role, roles, permissions, entitlements, feature_flags: featureFlags } = decodeJwt(session.accessToken);
+		return {
+			authenticated: true,
+			sessionId,
+			organizationId,
+			role,
+			roles,
+			user: session.user,
+			permissions,
+			entitlements,
+			featureFlags,
+			accessToken: session.accessToken,
+			authenticationMethod: session.authenticationMethod
+		};
+	}
+	async isValidJwt(accessToken) {
+		const jwks = await this.getJWKS();
+		const { jwtVerify } = await getJose();
+		if (!jwks) throw new Error("Must provide clientId to initialize JWKS");
+		try {
+			await jwtVerify(accessToken, jwks);
+			return true;
+		} catch (e) {
+			if (e instanceof Error && "code" in e && typeof e.code === "string" && (e.code.startsWith("ERR_JWT_") || e.code.startsWith("ERR_JWS_"))) return false;
+			throw e;
+		}
+	}
+	async prepareAuthenticationResponse({ authenticationResponse, session }) {
+		if (session?.sealSession) {
+			if (!this.workos.key) throw new Error("Session sealing requires server-side usage with an API key. Public clients should store tokens directly (e.g., secure storage on mobile, keychain on desktop).");
+			return {
+				...authenticationResponse,
+				sealedSession: await this.sealSessionDataFromAuthenticationResponse({
+					authenticationResponse,
+					cookiePassword: session.cookiePassword
+				})
+			};
+		}
+		return authenticationResponse;
+	}
+	async sealSessionDataFromAuthenticationResponse({ authenticationResponse, cookiePassword }) {
+		if (!cookiePassword) throw new Error("Cookie password is required");
+		const { decodeJwt } = await getJose();
+		const { org_id: organizationIdFromAccessToken } = decodeJwt(authenticationResponse.accessToken);
+		return sealData({
+			organizationId: organizationIdFromAccessToken,
+			user: authenticationResponse.user,
+			accessToken: authenticationResponse.accessToken,
+			refreshToken: authenticationResponse.refreshToken,
+			authenticationMethod: authenticationResponse.authenticationMethod,
+			impersonator: authenticationResponse.impersonator
+		}, { password: cookiePassword });
+	}
+	async getSessionFromCookie({ sessionData, cookiePassword = getEnv("WORKOS_COOKIE_PASSWORD") }) {
+		if (!cookiePassword) throw new Error("Cookie password is required");
+		if (sessionData) return unsealData(sessionData, { password: cookiePassword });
+	}
+	async getEmailVerification(emailVerificationId) {
+		const { data } = await this.workos.get(`/user_management/email_verification/${emailVerificationId}`);
+		return deserializeEmailVerification(data);
+	}
+	async sendVerificationEmail({ userId }) {
+		const { data } = await this.workos.post(`/user_management/users/${userId}/email_verification/send`, {});
+		return { user: deserializeUser(data.user) };
+	}
+	async getMagicAuth(magicAuthId) {
+		const { data } = await this.workos.get(`/user_management/magic_auth/${magicAuthId}`);
+		return deserializeMagicAuth(data);
+	}
+	async createMagicAuth(options) {
+		const { data } = await this.workos.post("/user_management/magic_auth", serializeCreateMagicAuthOptions({ ...options }));
+		return deserializeMagicAuth(data);
+	}
+	async verifyEmail({ code, userId }) {
+		const { data } = await this.workos.post(`/user_management/users/${userId}/email_verification/confirm`, { code });
+		return { user: deserializeUser(data.user) };
+	}
+	async getPasswordReset(passwordResetId) {
+		const { data } = await this.workos.get(`/user_management/password_reset/${passwordResetId}`);
+		return deserializePasswordReset(data);
+	}
+	async createPasswordReset(options) {
+		const { data } = await this.workos.post("/user_management/password_reset", serializeCreatePasswordResetOptions({ ...options }));
+		return deserializePasswordReset(data);
+	}
+	async resetPassword(payload) {
+		const { data } = await this.workos.post("/user_management/password_reset/confirm", serializeResetPasswordOptions(payload));
+		return { user: deserializeUser(data.user) };
+	}
+	async updateUser(payload) {
+		const { data } = await this.workos.put(`/user_management/users/${payload.userId}`, serializeUpdateUserOptions(payload));
+		return deserializeUser(data);
+	}
+	async enrollAuthFactor(payload) {
+		const { data } = await this.workos.post(`/user_management/users/${payload.userId}/auth_factors`, serializeEnrollAuthFactorOptions(payload));
+		return {
+			authenticationFactor: deserializeFactorWithSecrets$1(data.authentication_factor),
+			authenticationChallenge: deserializeChallenge(data.authentication_challenge)
+		};
+	}
+	async listAuthFactors(options) {
+		const { userId, ...restOfOptions } = options;
+		return new AutoPaginatable(await fetchAndDeserialize(this.workos, `/user_management/users/${userId}/auth_factors`, deserializeFactor$1, restOfOptions), (params) => fetchAndDeserialize(this.workos, `/user_management/users/${userId}/auth_factors`, deserializeFactor$1, params), restOfOptions);
+	}
+	async listUserFeatureFlags(options) {
+		const { userId, ...paginationOptions } = options;
+		return new AutoPaginatable(await fetchAndDeserialize(this.workos, `/user_management/users/${userId}/feature-flags`, deserializeFeatureFlag, paginationOptions), (params) => fetchAndDeserialize(this.workos, `/user_management/users/${userId}/feature-flags`, deserializeFeatureFlag, params), paginationOptions);
+	}
+	async listSessions(userId, options) {
+		return new AutoPaginatable(await fetchAndDeserialize(this.workos, `/user_management/users/${userId}/sessions`, deserializeSession, options ? serializeListSessionsOptions(options) : void 0), (params) => fetchAndDeserialize(this.workos, `/user_management/users/${userId}/sessions`, deserializeSession, params), options ? serializeListSessionsOptions(options) : void 0);
+	}
+	async deleteUser(userId) {
+		await this.workos.delete(`/user_management/users/${userId}`);
+	}
+	async getUserIdentities(userId) {
+		if (!userId) throw new TypeError(`Incomplete arguments. Need to specify 'userId'.`);
+		const { data } = await this.workos.get(`/user_management/users/${userId}/identities`);
+		return deserializeIdentities(data);
+	}
+	async getOrganizationMembership(organizationMembershipId) {
+		const { data } = await this.workos.get(`/user_management/organization_memberships/${organizationMembershipId}`);
+		return deserializeOrganizationMembership(data);
+	}
+	async listOrganizationMemberships(options) {
+		const serializedOptions = serializeListOrganizationMembershipsOptions(options);
+		return new AutoPaginatable(await fetchAndDeserialize(this.workos, "/user_management/organization_memberships", deserializeOrganizationMembership, serializedOptions), (params) => fetchAndDeserialize(this.workos, "/user_management/organization_memberships", deserializeOrganizationMembership, params), serializedOptions);
+	}
+	async createOrganizationMembership(options) {
+		const { data } = await this.workos.post("/user_management/organization_memberships", serializeCreateOrganizationMembershipOptions(options));
+		return deserializeOrganizationMembership(data);
+	}
+	async updateOrganizationMembership(organizationMembershipId, options) {
+		const { data } = await this.workos.put(`/user_management/organization_memberships/${organizationMembershipId}`, serializeUpdateOrganizationMembershipOptions(options));
+		return deserializeOrganizationMembership(data);
+	}
+	async deleteOrganizationMembership(organizationMembershipId) {
+		await this.workos.delete(`/user_management/organization_memberships/${organizationMembershipId}`);
+	}
+	async deactivateOrganizationMembership(organizationMembershipId) {
+		const { data } = await this.workos.put(`/user_management/organization_memberships/${organizationMembershipId}/deactivate`, {});
+		return deserializeOrganizationMembership(data);
+	}
+	async reactivateOrganizationMembership(organizationMembershipId) {
+		const { data } = await this.workos.put(`/user_management/organization_memberships/${organizationMembershipId}/reactivate`, {});
+		return deserializeOrganizationMembership(data);
+	}
+	async getInvitation(invitationId) {
+		const { data } = await this.workos.get(`/user_management/invitations/${invitationId}`);
+		return deserializeInvitation(data);
+	}
+	async findInvitationByToken(invitationToken) {
+		const { data } = await this.workos.get(`/user_management/invitations/by_token/${invitationToken}`);
+		return deserializeInvitation(data);
+	}
+	async listInvitations(options) {
+		return new AutoPaginatable(await fetchAndDeserialize(this.workos, "/user_management/invitations", deserializeInvitation, options ? serializeListInvitationsOptions(options) : void 0), (params) => fetchAndDeserialize(this.workos, "/user_management/invitations", deserializeInvitation, params), options ? serializeListInvitationsOptions(options) : void 0);
+	}
+	async sendInvitation(payload) {
+		const { data } = await this.workos.post("/user_management/invitations", serializeSendInvitationOptions({ ...payload }));
+		return deserializeInvitation(data);
+	}
+	async acceptInvitation(invitationId) {
+		const { data } = await this.workos.post(`/user_management/invitations/${invitationId}/accept`, null);
+		return deserializeInvitation(data);
+	}
+	async revokeInvitation(invitationId) {
+		const { data } = await this.workos.post(`/user_management/invitations/${invitationId}/revoke`, null);
+		return deserializeInvitation(data);
+	}
+	async resendInvitation(invitationId, options) {
+		const { data } = await this.workos.post(`/user_management/invitations/${invitationId}/resend`, options ? serializeResendInvitationOptions(options) : {});
+		return deserializeInvitation(data);
+	}
+	async revokeSession(payload) {
+		await this.workos.post("/user_management/sessions/revoke", serializeRevokeSessionOptions(payload));
+	}
+	/**
+	* Generate an OAuth 2.0 authorization URL.
+	*
+	* For public clients (browser, mobile, CLI), include PKCE parameters:
+	* - Generate PKCE using workos.pkce.generate()
+	* - Pass codeChallenge and codeChallengeMethod here
+	* - Store codeVerifier and pass to authenticateWithCode() later
+	*
+	* Or use getAuthorizationUrlWithPKCE() which handles PKCE automatically.
+	*/
+	getAuthorizationUrl(options) {
+		const { claimNonce, connectionId, codeChallenge, codeChallengeMethod, clientId, domainHint, loginHint, organizationId, provider, providerQueryParams, providerScopes, prompt, redirectUri, state, screenHint } = options;
+		const resolvedClientId = this.resolveClientId(clientId);
+		if (!provider && !connectionId && !organizationId) throw new TypeError(`Incomplete arguments. Need to specify either a 'connectionId', 'organizationId', or 'provider'.`);
+		if (provider !== "authkit" && screenHint) throw new TypeError(`'screenHint' is only supported for 'authkit' provider`);
+		const query = toQueryString({
+			claim_nonce: claimNonce,
+			connection_id: connectionId,
+			code_challenge: codeChallenge,
+			code_challenge_method: codeChallengeMethod,
+			organization_id: organizationId,
+			domain_hint: domainHint,
+			login_hint: loginHint,
+			provider,
+			provider_query_params: providerQueryParams,
+			provider_scopes: providerScopes,
+			prompt,
+			client_id: resolvedClientId,
+			redirect_uri: redirectUri,
+			response_type: "code",
+			state,
+			screen_hint: screenHint
+		});
+		return `${this.workos.baseURL}/user_management/authorize?${query}`;
+	}
+	/**
+	* Generate an OAuth 2.0 authorization URL with automatic PKCE.
+	*
+	* This method generates PKCE parameters internally and returns them along with
+	* the authorization URL. Use this for public clients (CLI apps, Electron, mobile)
+	* that cannot securely store a client secret.
+	*
+	* @returns Object containing url, state, and codeVerifier
+	*
+	* @example
+	* ```typescript
+	* const { url, state, codeVerifier } = await workos.userManagement.getAuthorizationUrlWithPKCE({
+	*   provider: 'authkit',
+	*   clientId: 'client_123',
+	*   redirectUri: 'myapp://callback',
+	* });
+	*
+	* // Store state and codeVerifier securely, then redirect user to url
+	* // After callback, exchange the code:
+	* const response = await workos.userManagement.authenticateWithCode({
+	*   code: authorizationCode,
+	*   codeVerifier,
+	*   clientId: 'client_123',
+	* });
+	* ```
+	*/
+	async getAuthorizationUrlWithPKCE(options) {
+		const { clientId, connectionId, domainHint, loginHint, organizationId, provider, providerQueryParams, providerScopes, prompt, redirectUri, screenHint } = options;
+		const resolvedClientId = this.resolveClientId(clientId);
+		if (!provider && !connectionId && !organizationId) throw new TypeError(`Incomplete arguments. Need to specify either a 'connectionId', 'organizationId', or 'provider'.`);
+		if (provider !== "authkit" && screenHint) throw new TypeError(`'screenHint' is only supported for 'authkit' provider`);
+		const pkce = await this.workos.pkce.generate();
+		const state = this.workos.pkce.generateCodeVerifier(43);
+		const query = toQueryString({
+			connection_id: connectionId,
+			code_challenge: pkce.codeChallenge,
+			code_challenge_method: "S256",
+			organization_id: organizationId,
+			domain_hint: domainHint,
+			login_hint: loginHint,
+			provider,
+			provider_query_params: providerQueryParams,
+			provider_scopes: providerScopes,
+			prompt,
+			client_id: resolvedClientId,
+			redirect_uri: redirectUri,
+			response_type: "code",
+			state,
+			screen_hint: screenHint
+		});
+		return {
+			url: `${this.workos.baseURL}/user_management/authorize?${query}`,
+			state,
+			codeVerifier: pkce.codeVerifier
+		};
+	}
+	getLogoutUrl(options) {
+		const { sessionId, returnTo } = options;
+		if (!sessionId) throw new TypeError(`Incomplete arguments. Need to specify 'sessionId'.`);
+		const url = new URL("/user_management/sessions/logout", this.workos.baseURL);
+		url.searchParams.set("session_id", sessionId);
+		if (returnTo) url.searchParams.set("return_to", returnTo);
+		return url.toString();
+	}
+	getJwksUrl(clientId) {
+		if (!clientId) throw new TypeError("clientId must be a valid clientId");
+		return `${this.workos.baseURL}/sso/jwks/${clientId}`;
+	}
+};
+//#endregion
+//#region src/fga/interfaces/check-op.enum.ts
+let CheckOp = /* @__PURE__ */ function(CheckOp) {
+	CheckOp["AllOf"] = "all_of";
+	CheckOp["AnyOf"] = "any_of";
+	return CheckOp;
+}({});
+//#endregion
+//#region src/fga/utils/interface-check.ts
+function isSubject(resource) {
+	return Object.prototype.hasOwnProperty.call(resource, "resourceType") && Object.prototype.hasOwnProperty.call(resource, "resourceId");
+}
+function isResourceInterface(resource) {
+	return !!resource && typeof resource === "object" && "getResouceType" in resource && "getResourceId" in resource;
+}
+//#endregion
+//#region src/fga/serializers/check-options.serializer.ts
+const serializeCheckOptions = (options) => ({
+	op: options.op,
+	checks: options.checks.map(serializeCheckWarrantOptions),
+	debug: options.debug
+});
+const serializeCheckBatchOptions = (options) => ({
+	op: "batch",
+	checks: options.checks.map(serializeCheckWarrantOptions),
+	debug: options.debug
+});
+const serializeCheckWarrantOptions = (warrant) => {
+	return {
+		resource_type: isResourceInterface(warrant.resource) ? warrant.resource.getResourceType() : warrant.resource.resourceType,
+		resource_id: isResourceInterface(warrant.resource) ? warrant.resource.getResourceId() : warrant.resource.resourceId ? warrant.resource.resourceId : "",
+		relation: warrant.relation,
+		subject: isSubject(warrant.subject) ? {
+			resource_type: warrant.subject.resourceType,
+			resource_id: warrant.subject.resourceId
+		} : {
+			resource_type: warrant.subject.getResourceType(),
+			resource_id: warrant.subject.getResourceId()
+		},
+		context: warrant.context ?? {}
+	};
+};
+const deserializeDecisionTreeNode = (response) => {
+	return {
+		check: {
+			resource: {
+				resourceType: response.check.resource_type,
+				resourceId: response.check.resource_id
+			},
+			relation: response.check.relation,
+			subject: {
+				resourceType: response.check.subject.resource_type,
+				resourceId: response.check.subject.resource_id
+			},
+			context: response.check.context
+		},
+		policy: response.policy,
+		decision: response.decision,
+		processingTime: response.processing_time,
+		children: response.children.map(deserializeDecisionTreeNode)
+	};
+};
+//#endregion
+//#region src/fga/interfaces/check.interface.ts
+const CHECK_RESULT_AUTHORIZED = "authorized";
+var CheckResult = class {
+	result;
+	isImplicit;
+	warrantToken;
+	debugInfo;
+	warnings;
+	constructor(json) {
+		this.result = json.result;
+		this.isImplicit = json.is_implicit;
+		this.warrantToken = json.warrant_token;
+		this.debugInfo = json.debug_info ? {
+			processingTime: json.debug_info.processing_time,
+			decisionTree: deserializeDecisionTreeNode(json.debug_info.decision_tree)
+		} : void 0;
+		this.warnings = json.warnings;
+	}
+	isAuthorized() {
+		return this.result === CHECK_RESULT_AUTHORIZED;
+	}
+};
+//#endregion
+//#region src/fga/interfaces/resource-op.enum.ts
+let ResourceOp = /* @__PURE__ */ function(ResourceOp) {
+	ResourceOp["Create"] = "create";
+	ResourceOp["Delete"] = "delete";
+	return ResourceOp;
+}({});
+//#endregion
+//#region src/fga/interfaces/warrant-op.enum.ts
+let WarrantOp = /* @__PURE__ */ function(WarrantOp) {
+	WarrantOp["Create"] = "create";
+	WarrantOp["Delete"] = "delete";
+	return WarrantOp;
+}({});
+//#endregion
+//#region src/fga/serializers/create-resource-options.serializer.ts
+const serializeCreateResourceOptions$1 = (options) => ({
+	resource_type: isResourceInterface(options.resource) ? options.resource.getResourceType() : options.resource.resourceType,
+	resource_id: isResourceInterface(options.resource) ? options.resource.getResourceId() : options.resource.resourceId ? options.resource.resourceId : "",
+	meta: options.meta
+});
+//#endregion
+//#region src/fga/serializers/delete-resource-options.serializer.ts
+const serializeDeleteResourceOptions = (options) => ({
+	resource_type: isResourceInterface(options) ? options.getResourceType() : options.resourceType,
+	resource_id: isResourceInterface(options) ? options.getResourceId() : options.resourceId ? options.resourceId : ""
+});
+//#endregion
+//#region src/fga/serializers/batch-write-resources-options.serializer.ts
+const serializeBatchWriteResourcesOptions = (options) => {
+	let serializedResources = [];
+	if (options.op === ResourceOp.Create) serializedResources = options.resources.map((options) => serializeCreateResourceOptions$1(options));
+	else if (options.op === ResourceOp.Delete) serializedResources = options.resources.map((options) => serializeDeleteResourceOptions(options));
+	return {
+		op: options.op,
+		resources: serializedResources
+	};
+};
+//#endregion
+//#region src/fga/serializers/list-resources-options.serializer.ts
+const serializeListResourceOptions = (options) => ({
+	resource_type: options.resourceType,
+	search: options.search,
+	limit: options.limit,
+	before: options.before,
+	after: options.after,
+	order: options.order
+});
+//#endregion
+//#region src/fga/serializers/list-warrants-options.serializer.ts
+const serializeListWarrantsOptions = (options) => ({
+	resource_type: options.resourceType,
+	resource_id: options.resourceId,
+	relation: options.relation,
+	subject_type: options.subjectType,
+	subject_id: options.subjectId,
+	subject_relation: options.subjectRelation,
+	limit: options.limit,
+	after: options.after
+});
+//#endregion
+//#region src/fga/serializers/query-options.serializer.ts
+const serializeQueryOptions = (options) => ({
+	q: options.q,
+	context: JSON.stringify(options.context),
+	limit: options.limit,
+	before: options.before,
+	after: options.after,
+	order: options.order
+});
+//#endregion
+//#region src/fga/serializers/query-result.serializer.ts
+const deserializeQueryResult = (queryResult) => ({
+	resourceType: queryResult.resource_type,
+	resourceId: queryResult.resource_id,
+	relation: queryResult.relation,
+	warrant: {
+		resourceType: queryResult.warrant.resource_type,
+		resourceId: queryResult.warrant.resource_id,
+		relation: queryResult.warrant.relation,
+		subject: {
+			resourceType: queryResult.warrant.subject.resource_type,
+			resourceId: queryResult.warrant.subject.resource_id,
+			relation: queryResult.warrant.subject.relation
+		}
+	},
+	isImplicit: queryResult.is_implicit,
+	meta: queryResult.meta
+});
+//#endregion
+//#region src/fga/serializers/resource.serializer.ts
+const deserializeResource = (response) => ({
+	resourceType: response.resource_type,
+	resourceId: response.resource_id,
+	meta: response.meta
+});
+const deserializeBatchWriteResourcesResponse = (response) => {
+	return response.data.map((resource) => deserializeResource(resource));
+};
+//#endregion
+//#region src/fga/serializers/warrant-token.serializer.ts
+const deserializeWarrantToken = (warrantToken) => ({ warrantToken: warrantToken.warrant_token });
+//#endregion
+//#region src/fga/serializers/warrant.serializer.ts
+const deserializeWarrant = (warrant) => ({
+	resourceType: warrant.resource_type,
+	resourceId: warrant.resource_id,
+	relation: warrant.relation,
+	subject: {
+		resourceType: warrant.subject.resource_type,
+		resourceId: warrant.subject.resource_id,
+		relation: warrant.subject.relation
+	},
+	policy: warrant.policy
+});
+//#endregion
+//#region src/fga/serializers/write-warrant-options.serializer.ts
+const serializeWriteWarrantOptions = (warrant) => ({
+	op: warrant.op,
+	resource_type: isResourceInterface(warrant.resource) ? warrant.resource.getResourceType() : warrant.resource.resourceType,
+	resource_id: isResourceInterface(warrant.resource) ? warrant.resource.getResourceId() : warrant.resource.resourceId ? warrant.resource.resourceId : "",
+	relation: warrant.relation,
+	subject: isSubject(warrant.subject) ? {
+		resource_type: warrant.subject.resourceType,
+		resource_id: warrant.subject.resourceId
+	} : {
+		resource_type: warrant.subject.getResourceType(),
+		resource_id: warrant.subject.getResourceId()
+	},
+	policy: warrant.policy
+});
+//#endregion
+//#region src/fga/serializers/list.serializer.ts
+const deserializeFGAList = (response, deserializeFn) => ({
+	object: "list",
+	data: response.data.map(deserializeFn),
+	listMetadata: response.list_metadata,
+	warnings: response.warnings
+});
+//#endregion
+//#region src/fga/utils/fga-paginatable.ts
+var FgaPaginatable = class extends AutoPaginatable {
+	list;
+	constructor(list, apiCall, options) {
+		super(list, apiCall, options);
+		this.list = list;
+	}
+	get warnings() {
+		return this.list.warnings;
+	}
+};
+//#endregion
+//#region src/fga/utils/fetch-and-deserialize-list.ts
+const fetchAndDeserializeFGAList = async (workos, endpoint, deserializeFn, options, requestOptions) => {
+	const { data: response } = await workos.get(endpoint, {
+		query: options,
+		...requestOptions
+	});
+	return deserializeFGAList(response, deserializeFn);
+};
+//#endregion
+//#region src/fga/fga.ts
+/**
+* @deprecated The FGA module is deprecated. Use the Authorization module instead.
+* @see src/authorization/authorization.ts
+*/
+var FGA = class {
+	constructor(workos) {
+		this.workos = workos;
+	}
+	async check(checkOptions, options = {}) {
+		const { data } = await this.workos.post(`/fga/v1/check`, serializeCheckOptions(checkOptions), options);
+		return new CheckResult(data);
+	}
+	async checkBatch(checkOptions, options = {}) {
+		const { data } = await this.workos.post(`/fga/v1/check`, serializeCheckBatchOptions(checkOptions), options);
+		return data.map((checkResult) => new CheckResult(checkResult));
+	}
+	async createResource(resource) {
+		const { data } = await this.workos.post("/fga/v1/resources", serializeCreateResourceOptions$1(resource));
+		return deserializeResource(data);
+	}
+	async getResource(resource) {
+		const resourceType = isResourceInterface(resource) ? resource.getResourceType() : resource.resourceType;
+		const resourceId = isResourceInterface(resource) ? resource.getResourceId() : resource.resourceId;
+		const { data } = await this.workos.get(`/fga/v1/resources/${resourceType}/${resourceId}`);
+		return deserializeResource(data);
+	}
+	async listResources(options) {
+		return new AutoPaginatable(await fetchAndDeserialize(this.workos, "/fga/v1/resources", deserializeResource, options ? serializeListResourceOptions(options) : void 0), (params) => fetchAndDeserialize(this.workos, "/fga/v1/resources", deserializeResource, params), options ? serializeListResourceOptions(options) : void 0);
+	}
+	async updateResource(options) {
+		const resourceType = isResourceInterface(options.resource) ? options.resource.getResourceType() : options.resource.resourceType;
+		const resourceId = isResourceInterface(options.resource) ? options.resource.getResourceId() : options.resource.resourceId;
+		const { data } = await this.workos.put(`/fga/v1/resources/${resourceType}/${resourceId}`, { meta: options.meta });
+		return deserializeResource(data);
+	}
+	async deleteResource(resource) {
+		const resourceType = isResourceInterface(resource) ? resource.getResourceType() : resource.resourceType;
+		const resourceId = isResourceInterface(resource) ? resource.getResourceId() : resource.resourceId;
+		await this.workos.delete(`/fga/v1/resources/${resourceType}/${resourceId}`);
+	}
+	async batchWriteResources(options) {
+		const { data } = await this.workos.post("/fga/v1/resources/batch", serializeBatchWriteResourcesOptions(options));
+		return deserializeBatchWriteResourcesResponse(data);
+	}
+	async writeWarrant(options) {
+		const { data } = await this.workos.post("/fga/v1/warrants", serializeWriteWarrantOptions(options));
+		return deserializeWarrantToken(data);
+	}
+	async batchWriteWarrants(options) {
+		const { data: warrantToken } = await this.workos.post("/fga/v1/warrants", options.map(serializeWriteWarrantOptions));
+		return deserializeWarrantToken(warrantToken);
+	}
+	async listWarrants(options, requestOptions) {
+		return new AutoPaginatable(await fetchAndDeserialize(this.workos, "/fga/v1/warrants", deserializeWarrant, options ? serializeListWarrantsOptions(options) : void 0, requestOptions), (params) => fetchAndDeserialize(this.workos, "/fga/v1/warrants", deserializeWarrant, params, requestOptions), options ? serializeListWarrantsOptions(options) : void 0);
+	}
+	async query(options, requestOptions = {}) {
+		return new FgaPaginatable(await fetchAndDeserializeFGAList(this.workos, "/fga/v1/query", deserializeQueryResult, serializeQueryOptions(options), requestOptions), (params) => fetchAndDeserializeFGAList(this.workos, "/fga/v1/query", deserializeQueryResult, params, requestOptions), serializeQueryOptions(options));
+	}
+};
+//#endregion
+//#region src/feature-flags/feature-flags.ts
+var FeatureFlags = class {
+	constructor(workos) {
+		this.workos = workos;
+	}
+	async listFeatureFlags(options) {
+		return new AutoPaginatable(await fetchAndDeserialize(this.workos, "/feature-flags", deserializeFeatureFlag, options), (params) => fetchAndDeserialize(this.workos, "/feature-flags", deserializeFeatureFlag, params), options);
+	}
+	async getFeatureFlag(slug) {
+		const { data } = await this.workos.get(`/feature-flags/${slug}`);
+		return deserializeFeatureFlag(data);
+	}
+	async enableFeatureFlag(slug) {
+		const { data } = await this.workos.put(`/feature-flags/${slug}/enable`, {});
+		return deserializeFeatureFlag(data);
+	}
+	async disableFeatureFlag(slug) {
+		const { data } = await this.workos.put(`/feature-flags/${slug}/disable`, {});
+		return deserializeFeatureFlag(data);
+	}
+	async addFlagTarget(options) {
+		const { slug, targetId } = options;
+		await this.workos.post(`/feature-flags/${slug}/targets/${targetId}`, {});
+	}
+	async removeFlagTarget(options) {
+		const { slug, targetId } = options;
+		await this.workos.delete(`/feature-flags/${slug}/targets/${targetId}`);
+	}
+};
+//#endregion
+//#region src/widgets/interfaces/get-token.ts
+const serializeGetTokenOptions = (options) => ({
+	organization_id: options.organizationId,
+	user_id: options.userId,
+	scopes: options.scopes
+});
+const deserializeGetTokenResponse = (data) => ({ token: data.token });
+//#endregion
+//#region src/widgets/widgets.ts
+var Widgets = class {
+	constructor(workos) {
+		this.workos = workos;
+	}
+	async getToken(payload) {
+		const { data } = await this.workos.post("/widgets/token", serializeGetTokenOptions(payload));
+		return deserializeGetTokenResponse(data).token;
+	}
+};
+//#endregion
+//#region src/authorization/serializers/environment-role.serializer.ts
+const deserializeEnvironmentRole = (role) => ({
+	object: role.object,
+	id: role.id,
+	name: role.name,
+	slug: role.slug,
+	description: role.description,
+	permissions: role.permissions,
+	resourceTypeSlug: role.resource_type_slug,
+	type: role.type,
+	createdAt: role.created_at,
+	updatedAt: role.updated_at
+});
+//#endregion
+//#region src/authorization/serializers/create-environment-role-options.serializer.ts
+const serializeCreateEnvironmentRoleOptions = (options) => ({
+	slug: options.slug,
+	name: options.name,
+	description: options.description,
+	resource_type_slug: options.resourceTypeSlug
+});
+//#endregion
+//#region src/authorization/serializers/update-environment-role-options.serializer.ts
+const serializeUpdateEnvironmentRoleOptions = (options) => ({
+	name: options.name,
+	description: options.description
+});
+//#endregion
+//#region src/authorization/serializers/create-organization-role-options.serializer.ts
+const serializeCreateOrganizationRoleOptions = (options) => ({
+	slug: options.slug,
+	name: options.name,
+	description: options.description
+});
+//#endregion
+//#region src/authorization/serializers/update-organization-role-options.serializer.ts
+const serializeUpdateOrganizationRoleOptions = (options) => ({
+	name: options.name,
+	description: options.description
+});
+//#endregion
+//#region src/authorization/serializers/create-permission-options.serializer.ts
+const serializeCreatePermissionOptions = (options) => ({
+	slug: options.slug,
+	name: options.name,
+	description: options.description,
+	resource_type_slug: options.resourceTypeSlug
+});
+//#endregion
+//#region src/authorization/serializers/update-permission-options.serializer.ts
+const serializeUpdatePermissionOptions = (options) => ({
+	name: options.name,
+	description: options.description
+});
+//#endregion
+//#region src/authorization/serializers/authorization-resource.serializer.ts
+const deserializeAuthorizationResource = (resource) => ({
+	object: resource.object,
+	id: resource.id,
+	externalId: resource.external_id,
+	name: resource.name,
+	description: resource.description,
+	resourceTypeSlug: resource.resource_type_slug,
+	organizationId: resource.organization_id,
+	parentResourceId: resource.parent_resource_id,
+	createdAt: resource.created_at,
+	updatedAt: resource.updated_at
+});
+//#endregion
+//#region src/authorization/serializers/create-authorization-resource-options.serializer.ts
+const serializeCreateResourceOptions = (options) => ({
+	organization_id: options.organizationId,
+	resource_type_slug: options.resourceTypeSlug,
+	external_id: options.externalId,
+	name: options.name,
+	...options.description !== void 0 && { description: options.description },
+	..."parentResourceId" in options && { parent_resource_id: options.parentResourceId },
+	..."parentResourceExternalId" in options && {
+		parent_resource_external_id: options.parentResourceExternalId,
+		parent_resource_type_slug: options.parentResourceTypeSlug
+	}
+});
+//#endregion
+//#region src/authorization/serializers/update-authorization-resource-options.serializer.ts
+const serializeUpdateResourceOptions = (options) => ({
+	...options.name !== void 0 && { name: options.name },
+	...options.description !== void 0 && { description: options.description }
+});
+//#endregion
+//#region src/authorization/serializers/update-authorization-resource-by-external-id-options.serializer.ts
+const serializeUpdateResourceByExternalIdOptions = (options) => ({
+	...options.name !== void 0 && { name: options.name },
+	...options.description !== void 0 && { description: options.description }
+});
+//#endregion
+//#region src/authorization/serializers/list-authorization-resources-options.serializer.ts
+const serializeListAuthorizationResourcesOptions = (options) => ({
+	...options.organizationId && { organization_id: options.organizationId },
+	...options.resourceTypeSlug && { resource_type_slug: options.resourceTypeSlug },
+	...options.parentResourceId && { parent_resource_id: options.parentResourceId },
+	...options.parentResourceTypeSlug && { parent_resource_type_slug: options.parentResourceTypeSlug },
+	...options.parentExternalId && { parent_external_id: options.parentExternalId },
+	...options.search && { search: options.search },
+	...serializePaginationOptions(options)
+});
+//#endregion
+//#region src/authorization/serializers/authorization-check-options.serializer.ts
+const serializeAuthorizationCheckOptions = (options) => ({
+	permission_slug: options.permissionSlug,
+	..."resourceId" in options && { resource_id: options.resourceId },
+	..."resourceExternalId" in options && {
+		resource_external_id: options.resourceExternalId,
+		resource_type_slug: options.resourceTypeSlug
+	}
+});
+//#endregion
+//#region src/authorization/serializers/list-resources-for-membership-options.serializer.ts
+const serializeListResourcesForMembershipOptions = (options) => ({
+	permission_slug: options.permissionSlug,
+	...serializePaginationOptions(options),
+	..."parentResourceId" in options && { parent_resource_id: options.parentResourceId },
+	..."parentResourceExternalId" in options && {
+		parent_resource_type_slug: options.parentResourceTypeSlug,
+		parent_resource_external_id: options.parentResourceExternalId
+	}
+});
+//#endregion
+//#region src/authorization/serializers/list-memberships-for-resource-options.serializer.ts
+const serializeListMembershipsForResourceOptions = (options) => ({
+	permission_slug: options.permissionSlug,
+	...options.assignment && { assignment: options.assignment },
+	...serializePaginationOptions(options)
+});
+//#endregion
+//#region src/authorization/serializers/role-assignment.serializer.ts
+const deserializeRoleAssignment = (response) => ({
+	object: response.object,
+	id: response.id,
+	role: response.role,
+	resource: {
+		id: response.resource.id,
+		externalId: response.resource.external_id,
+		resourceTypeSlug: response.resource.resource_type_slug
+	},
+	createdAt: response.created_at,
+	updatedAt: response.updated_at
+});
+//#endregion
+//#region src/authorization/serializers/assign-role-options.serializer.ts
+const serializeAssignRoleOptions = (options) => ({
+	role_slug: options.roleSlug,
+	..."resourceId" in options && { resource_id: options.resourceId },
+	..."resourceExternalId" in options && {
+		resource_external_id: options.resourceExternalId,
+		resource_type_slug: options.resourceTypeSlug
+	}
+});
+//#endregion
+//#region src/authorization/serializers/remove-role-options.serializer.ts
+const serializeRemoveRoleOptions = (options) => ({
+	role_slug: options.roleSlug,
+	..."resourceId" in options && { resource_id: options.resourceId },
+	..."resourceExternalId" in options && {
+		resource_external_id: options.resourceExternalId,
+		resource_type_slug: options.resourceTypeSlug
+	}
+});
+//#endregion
+//#region src/authorization/authorization.ts
+var Authorization = class {
+	constructor(workos) {
+		this.workos = workos;
+	}
+	async createEnvironmentRole(options) {
+		const { data } = await this.workos.post("/authorization/roles", serializeCreateEnvironmentRoleOptions(options));
+		return deserializeEnvironmentRole(data);
+	}
+	async listEnvironmentRoles() {
+		const { data } = await this.workos.get("/authorization/roles");
+		return {
+			object: "list",
+			data: data.data.map(deserializeEnvironmentRole)
+		};
+	}
+	async getEnvironmentRole(slug) {
+		const { data } = await this.workos.get(`/authorization/roles/${slug}`);
+		return deserializeEnvironmentRole(data);
+	}
+	async updateEnvironmentRole(slug, options) {
+		const { data } = await this.workos.patch(`/authorization/roles/${slug}`, serializeUpdateEnvironmentRoleOptions(options));
+		return deserializeEnvironmentRole(data);
+	}
+	async setEnvironmentRolePermissions(slug, options) {
+		const { data } = await this.workos.put(`/authorization/roles/${slug}/permissions`, { permissions: options.permissions });
+		return deserializeEnvironmentRole(data);
+	}
+	async addEnvironmentRolePermission(slug, options) {
+		const { data } = await this.workos.post(`/authorization/roles/${slug}/permissions`, { slug: options.permissionSlug });
+		return deserializeEnvironmentRole(data);
+	}
+	async createOrganizationRole(organizationId, options) {
+		const { data } = await this.workos.post(`/authorization/organizations/${organizationId}/roles`, serializeCreateOrganizationRoleOptions(options));
+		return deserializeOrganizationRole(data);
+	}
+	async listOrganizationRoles(organizationId) {
+		const { data } = await this.workos.get(`/authorization/organizations/${organizationId}/roles`);
+		return {
+			object: "list",
+			data: data.data.map(deserializeRole$1)
+		};
+	}
+	async getOrganizationRole(organizationId, slug) {
+		const { data } = await this.workos.get(`/authorization/organizations/${organizationId}/roles/${slug}`);
+		return deserializeRole$1(data);
+	}
+	async updateOrganizationRole(organizationId, slug, options) {
+		const { data } = await this.workos.patch(`/authorization/organizations/${organizationId}/roles/${slug}`, serializeUpdateOrganizationRoleOptions(options));
+		return deserializeOrganizationRole(data);
+	}
+	async deleteOrganizationRole(organizationId, slug) {
+		await this.workos.delete(`/authorization/organizations/${organizationId}/roles/${slug}`);
+	}
+	async setOrganizationRolePermissions(organizationId, slug, options) {
+		const { data } = await this.workos.put(`/authorization/organizations/${organizationId}/roles/${slug}/permissions`, { permissions: options.permissions });
+		return deserializeOrganizationRole(data);
+	}
+	async addOrganizationRolePermission(organizationId, slug, options) {
+		const { data } = await this.workos.post(`/authorization/organizations/${organizationId}/roles/${slug}/permissions`, { slug: options.permissionSlug });
+		return deserializeOrganizationRole(data);
+	}
+	async removeOrganizationRolePermission(organizationId, slug, options) {
+		await this.workos.delete(`/authorization/organizations/${organizationId}/roles/${slug}/permissions/${options.permissionSlug}`);
+	}
+	async createPermission(options) {
+		const { data } = await this.workos.post("/authorization/permissions", serializeCreatePermissionOptions(options));
+		return deserializePermission(data);
+	}
+	async listPermissions(options) {
+		const { data } = await this.workos.get("/authorization/permissions", { query: options });
+		return {
+			object: "list",
+			data: data.data.map(deserializePermission),
+			listMetadata: {
+				before: data.list_metadata.before,
+				after: data.list_metadata.after
+			}
+		};
+	}
+	async getPermission(slug) {
+		const { data } = await this.workos.get(`/authorization/permissions/${slug}`);
+		return deserializePermission(data);
+	}
+	async updatePermission(slug, options) {
+		const { data } = await this.workos.patch(`/authorization/permissions/${slug}`, serializeUpdatePermissionOptions(options));
+		return deserializePermission(data);
+	}
+	async deletePermission(slug) {
+		await this.workos.delete(`/authorization/permissions/${slug}`);
+	}
+	async getResource(resourceId) {
+		const { data } = await this.workos.get(`/authorization/resources/${resourceId}`);
+		return deserializeAuthorizationResource(data);
+	}
+	async createResource(options) {
+		const { data } = await this.workos.post("/authorization/resources", serializeCreateResourceOptions(options));
+		return deserializeAuthorizationResource(data);
+	}
+	async updateResource(options) {
+		const { data } = await this.workos.patch(`/authorization/resources/${options.resourceId}`, serializeUpdateResourceOptions(options));
+		return deserializeAuthorizationResource(data);
+	}
+	async deleteResource(options) {
+		const { resourceId, cascadeDelete } = options;
+		const query = cascadeDelete !== void 0 ? { cascade_delete: cascadeDelete.toString() } : void 0;
+		await this.workos.delete(`/authorization/resources/${resourceId}`, query);
+	}
+	async listResources(options = {}) {
+		const { data } = await this.workos.get("/authorization/resources", { query: serializeListAuthorizationResourcesOptions(options) });
+		return {
+			object: "list",
+			data: data.data.map(deserializeAuthorizationResource),
+			listMetadata: {
+				before: data.list_metadata.before,
+				after: data.list_metadata.after
+			}
+		};
+	}
+	async getResourceByExternalId(options) {
+		const { organizationId, resourceTypeSlug, externalId } = options;
+		const { data } = await this.workos.get(`/authorization/organizations/${organizationId}/resources/${resourceTypeSlug}/${externalId}`);
+		return deserializeAuthorizationResource(data);
+	}
+	async updateResourceByExternalId(options) {
+		const { organizationId, resourceTypeSlug, externalId } = options;
+		const { data } = await this.workos.patch(`/authorization/organizations/${organizationId}/resources/${resourceTypeSlug}/${externalId}`, serializeUpdateResourceByExternalIdOptions(options));
+		return deserializeAuthorizationResource(data);
+	}
+	async deleteResourceByExternalId(options) {
+		const { organizationId, resourceTypeSlug, externalId, cascadeDelete } = options;
+		const query = cascadeDelete !== void 0 ? { cascade_delete: cascadeDelete.toString() } : void 0;
+		await this.workos.delete(`/authorization/organizations/${organizationId}/resources/${resourceTypeSlug}/${externalId}`, query);
+	}
+	async check(options) {
+		const { data } = await this.workos.post(`/authorization/organization_memberships/${options.organizationMembershipId}/check`, serializeAuthorizationCheckOptions(options));
+		return data;
+	}
+	async listRoleAssignments(options) {
+		const { organizationMembershipId, ...queryOptions } = options;
+		const { data } = await this.workos.get(`/authorization/organization_memberships/${organizationMembershipId}/role_assignments`, { query: queryOptions });
+		return {
+			object: "list",
+			data: data.data.map(deserializeRoleAssignment),
+			listMetadata: {
+				before: data.list_metadata.before,
+				after: data.list_metadata.after
+			}
+		};
+	}
+	async assignRole(options) {
+		const { data } = await this.workos.post(`/authorization/organization_memberships/${options.organizationMembershipId}/role_assignments`, serializeAssignRoleOptions(options));
+		return deserializeRoleAssignment(data);
+	}
+	async removeRole(options) {
+		await this.workos.deleteWithBody(`/authorization/organization_memberships/${options.organizationMembershipId}/role_assignments`, serializeRemoveRoleOptions(options));
+	}
+	async removeRoleAssignment(options) {
+		await this.workos.delete(`/authorization/organization_memberships/${options.organizationMembershipId}/role_assignments/${options.roleAssignmentId}`);
+	}
+	async listResourcesForMembership(options) {
+		const { organizationMembershipId } = options;
+		const { data } = await this.workos.get(`/authorization/organization_memberships/${organizationMembershipId}/resources`, { query: serializeListResourcesForMembershipOptions(options) });
+		return {
+			object: "list",
+			data: data.data.map(deserializeAuthorizationResource),
+			listMetadata: {
+				before: data.list_metadata.before,
+				after: data.list_metadata.after
+			}
+		};
+	}
+	async listMembershipsForResource(options) {
+		const { resourceId } = options;
+		const { data } = await this.workos.get(`/authorization/resources/${resourceId}/organization_memberships`, { query: serializeListMembershipsForResourceOptions(options) });
+		return {
+			object: "list",
+			data: data.data.map(deserializeAuthorizationOrganizationMembership),
+			listMetadata: {
+				before: data.list_metadata.before,
+				after: data.list_metadata.after
+			}
+		};
+	}
+	async listMembershipsForResourceByExternalId(options) {
+		const { organizationId, resourceTypeSlug, externalId } = options;
+		const { data } = await this.workos.get(`/authorization/organizations/${organizationId}/resources/${resourceTypeSlug}/${externalId}/organization_memberships`, { query: serializeListMembershipsForResourceOptions(options) });
+		return {
+			object: "list",
+			data: data.data.map(deserializeAuthorizationOrganizationMembership),
+			listMetadata: {
+				before: data.list_metadata.before,
+				after: data.list_metadata.after
+			}
+		};
+	}
+};
+//#endregion
+//#region src/common/utils/leb128.ts
+/**
+* LEB128 (Little Endian Base 128) encoding for unsigned 32-bit integers.
+* Variable-length encoding: each byte stores 7 bits of data, bit 7 is continuation flag.
+*/
+const MAX_UINT32 = 4294967295;
+const CONTINUATION_BIT = 128;
+const DATA_BITS_MASK = 127;
+const DATA_BITS_PER_BYTE = 7;
+const MAX_BYTES_FOR_UINT32 = 5;
+/**
+* Encodes an unsigned 32-bit integer into LEB128 format.
+*
+* @param value - Unsigned 32-bit integer (0 to 4,294,967,295)
+* @returns Encoded bytes (1-5 bytes depending on value)
+*/
+function encodeUInt32(value) {
+	validateUInt32(value);
+	if (value === 0) return new Uint8Array([0]);
+	const bytes = [];
+	do {
+		let byte = value & DATA_BITS_MASK;
+		value >>>= DATA_BITS_PER_BYTE;
+		if (value !== 0) byte |= CONTINUATION_BIT;
+		bytes.push(byte);
+	} while (value !== 0);
+	return new Uint8Array(bytes);
+}
+/**
+* Decodes an unsigned 32-bit integer from LEB128 format.
+*
+* @param data - Buffer containing LEB128 encoded data
+* @param offset - Starting position in buffer (default: 0)
+* @returns Decoded value and index after last byte read
+*/
+function decodeUInt32(data, offset = 0) {
+	validateOffset(data, offset);
+	let result = 0;
+	let shift = 0;
+	let index = offset;
+	let bytesRead = 0;
+	while (index < data.length) {
+		const byte = data[index++];
+		bytesRead++;
+		if (bytesRead > MAX_BYTES_FOR_UINT32) throw new Error("LEB128 sequence exceeds maximum length for uint32");
+		result |= (byte & DATA_BITS_MASK) << shift;
+		if (!hasContinuationBit(byte)) return {
+			value: result >>> 0,
+			nextIndex: index
+		};
+		shift += DATA_BITS_PER_BYTE;
+	}
+	throw new Error("Truncated LEB128 encoding");
+}
+function validateUInt32(value) {
+	if (!Number.isFinite(value)) throw new Error("Value must be a finite number");
+	if (!Number.isInteger(value)) throw new Error("Value must be an integer");
+	if (value < 0) throw new Error("Value must be non-negative");
+	if (value > MAX_UINT32) throw new Error(`Value must not exceed ${MAX_UINT32} (MAX_UINT32)`);
+}
+function validateOffset(data, offset) {
+	if (offset < 0 || offset >= data.length) throw new Error(`Offset ${offset} is out of bounds (buffer length: ${data.length})`);
+}
+function hasContinuationBit(byte) {
+	return (byte & CONTINUATION_BIT) !== 0;
+}
+//#endregion
+//#region src/common/utils/base64.ts
+/**
+* Cross-runtime compatible base64 encoding/decoding utilities
+* that work in both Node.js and browser environments
+*/
+/**
+* Converts a base64 string to a Uint8Array
+*/
+function base64ToUint8Array(base64) {
+	if (typeof atob === "function") {
+		const binary = atob(base64);
+		const bytes = new Uint8Array(binary.length);
+		for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
+		return bytes;
+	} else if (typeof Buffer !== "undefined") return new Uint8Array(Buffer.from(base64, "base64"));
+	else throw new Error("No base64 decoding implementation available");
+}
+/**
+* Converts a Uint8Array to a base64 string
+*/
+function uint8ArrayToBase64(bytes) {
+	if (typeof btoa === "function") {
+		let binary = "";
+		for (let i = 0; i < bytes.byteLength; i++) binary += String.fromCharCode(bytes[i]);
+		return btoa(binary);
+	} else if (typeof Buffer !== "undefined") return Buffer.from(bytes).toString("base64");
+	else throw new Error("No base64 encoding implementation available");
+}
+//#endregion
+//#region src/vault/serializers/vault-key.serializer.ts
+const deserializeCreateDataKeyResponse = (key) => ({
+	context: key.context,
+	dataKey: {
+		key: key.data_key,
+		id: key.id
+	},
+	encryptedKeys: key.encrypted_keys
+});
+const deserializeDecryptDataKeyResponse = (key) => ({
+	key: key.data_key,
+	id: key.id
+});
+//#endregion
+//#region src/vault/serializers/vault-object.serializer.ts
+const deserializeObjectMetadata = (metadata) => ({
+	context: metadata.context,
+	environmentId: metadata.environment_id,
+	id: metadata.id,
+	keyId: metadata.key_id,
+	updatedAt: new Date(Date.parse(metadata.updated_at)),
+	updatedBy: metadata.updated_by,
+	versionId: metadata.version_id
+});
+const deserializeObject = (object) => ({
+	id: object.id,
+	name: object.name,
+	...object.value !== void 0 && { value: object.value },
+	metadata: deserializeObjectMetadata(object.metadata)
+});
+const deserializeObjectDigest = (digest) => ({
+	id: digest.id,
+	name: digest.name,
+	updatedAt: new Date(Date.parse(digest.updated_at))
+});
+const deserializeListObjects = (list) => ({
+	object: "list",
+	data: list.data.map(deserializeObjectDigest),
+	listMetadata: {
+		...list.list_metadata.after !== void 0 && { after: list.list_metadata.after },
+		...list.list_metadata.before !== void 0 && { before: list.list_metadata.before }
+	}
+});
+const desrializeListObjectVersions = (list) => list.data.map(deserializeObjectVersion);
+const deserializeObjectVersion = (version) => ({
+	createdAt: new Date(Date.parse(version.created_at)),
+	currentVersion: version.current_version,
+	id: version.id
+});
+const serializeCreateObjectEntity = (options) => ({
+	name: options.name,
+	value: options.value,
+	key_context: options.context
+});
+const serializeUpdateObjectEntity = (options) => ({
+	value: options.value,
+	version_check: options.versionCheck
+});
+//#endregion
+//#region src/vault/vault.ts
+var Vault = class {
+	cryptoProvider;
+	constructor(workos) {
+		this.workos = workos;
+		this.cryptoProvider = workos.getCryptoProvider();
+	}
+	decode(payload) {
+		const inputData = base64ToUint8Array(payload);
+		const iv = new Uint8Array(inputData.subarray(0, 12));
+		const tag = new Uint8Array(inputData.subarray(12, 28));
+		const { value: keyLen, nextIndex } = decodeUInt32(inputData, 28);
+		return {
+			iv,
+			tag,
+			keys: uint8ArrayToBase64(inputData.subarray(nextIndex, nextIndex + keyLen)),
+			ciphertext: new Uint8Array(inputData.subarray(nextIndex + keyLen))
+		};
+	}
+	async createObject(options) {
+		const { data } = await this.workos.post(`/vault/v1/kv`, serializeCreateObjectEntity(options));
+		return deserializeObjectMetadata(data);
+	}
+	async listObjects(options) {
+		const url = new URL("/vault/v1/kv", this.workos.baseURL);
+		if (options?.after) url.searchParams.set("after", options.after);
+		if (options?.limit) url.searchParams.set("limit", options.limit.toString());
+		const { data } = await this.workos.get(url.toString());
+		return deserializeListObjects(data);
+	}
+	async listObjectVersions(options) {
+		const { data } = await this.workos.get(`/vault/v1/kv/${encodeURIComponent(options.id)}/versions`);
+		return desrializeListObjectVersions(data);
+	}
+	async readObject(options) {
+		const { data } = await this.workos.get(`/vault/v1/kv/${encodeURIComponent(options.id)}`);
+		return deserializeObject(data);
+	}
+	async readObjectByName(name) {
+		const { data } = await this.workos.get(`/vault/v1/kv/name/${encodeURIComponent(name)}`);
+		return deserializeObject(data);
+	}
+	async describeObject(options) {
+		const { data } = await this.workos.get(`/vault/v1/kv/${encodeURIComponent(options.id)}/metadata`);
+		return deserializeObject(data);
+	}
+	async updateObject(options) {
+		const { data } = await this.workos.put(`/vault/v1/kv/${encodeURIComponent(options.id)}`, serializeUpdateObjectEntity(options));
+		return deserializeObject(data);
+	}
+	async deleteObject(options) {
+		return this.workos.delete(`/vault/v1/kv/${encodeURIComponent(options.id)}`);
+	}
+	async createDataKey(options) {
+		const { data } = await this.workos.post(`/vault/v1/keys/data-key`, options);
+		return deserializeCreateDataKeyResponse(data);
+	}
+	async decryptDataKey(options) {
+		const { data } = await this.workos.post(`/vault/v1/keys/decrypt`, options);
+		return deserializeDecryptDataKeyResponse(data);
+	}
+	async encrypt(data, context, associatedData) {
+		const keyPair = await this.createDataKey({ context });
+		const encoder = new TextEncoder();
+		const key = base64ToUint8Array(keyPair.dataKey.key);
+		const keyBlob = base64ToUint8Array(keyPair.encryptedKeys);
+		const prefixLenBuffer = encodeUInt32(keyBlob.length);
+		const aadBuffer = associatedData ? encoder.encode(associatedData) : void 0;
+		const iv = this.cryptoProvider.randomBytes(12);
+		const { ciphertext, iv: resultIv, tag } = await this.cryptoProvider.encrypt(encoder.encode(data), key, iv, aadBuffer);
+		const resultArray = new Uint8Array(resultIv.length + tag.length + prefixLenBuffer.length + keyBlob.length + ciphertext.length);
+		let offset = 0;
+		resultArray.set(resultIv, offset);
+		offset += resultIv.length;
+		resultArray.set(tag, offset);
+		offset += tag.length;
+		resultArray.set(new Uint8Array(prefixLenBuffer), offset);
+		offset += prefixLenBuffer.length;
+		resultArray.set(keyBlob, offset);
+		offset += keyBlob.length;
+		resultArray.set(ciphertext, offset);
+		return uint8ArrayToBase64(resultArray);
+	}
+	async decrypt(encryptedData, associatedData) {
+		const decoded = this.decode(encryptedData);
+		const key = base64ToUint8Array((await this.decryptDataKey({ keys: decoded.keys })).key);
+		const encoder = new TextEncoder();
+		const aadBuffer = associatedData ? encoder.encode(associatedData) : void 0;
+		const decrypted = await this.cryptoProvider.decrypt(decoded.ciphertext, key, decoded.iv, decoded.tag, aadBuffer);
+		return new TextDecoder().decode(decrypted);
+	}
+};
+//#endregion
+//#region src/common/exceptions/conflict.exception.ts
+var ConflictException = class extends Error {
+	status = 409;
+	name = "ConflictException";
+	requestID;
+	constructor({ error, message, requestID }) {
+		super();
+		this.requestID = requestID;
+		if (message) this.message = message;
+		else if (error) this.message = `Error: ${error}`;
+		else this.message = `An conflict has occurred on the server.`;
+	}
+};
+//#endregion
+//#region src/common/utils/runtime-info.ts
+/**
+* Get runtime information including name and version.
+* Safely extracts version information for different JavaScript runtimes.
+* @returns RuntimeInfo object with name and optional version
+*/
+function getRuntimeInfo() {
+	const name = detectRuntime();
+	let version;
+	try {
+		switch (name) {
+			case "node":
+				version = typeof process !== "undefined" ? process.version : void 0;
+				break;
+			case "deno":
+				version = globalThis.Deno?.version?.deno;
+				break;
+			case "bun":
+				version = globalThis.Bun?.version || extractBunVersionFromUserAgent();
+				break;
+			default:
+				version = void 0;
+				break;
+		}
+	} catch {
+		version = void 0;
+	}
+	return {
+		name,
+		version
+	};
+}
+/**
+* Extract Bun version from navigator.userAgent as fallback.
+* @returns Bun version string or undefined
+*/
+function extractBunVersionFromUserAgent() {
+	try {
+		if (typeof navigator !== "undefined" && navigator.userAgent) return navigator.userAgent.match(/Bun\/(\d+\.\d+\.\d+)/)?.[1];
+	} catch {}
+}
+//#endregion
+//#region package.json
+var version = "8.9.0";
+//#endregion
+//#region src/workos.ts
+const DEFAULT_HOSTNAME = "api.workos.com";
+const HEADER_AUTHORIZATION = "Authorization";
+const HEADER_IDEMPOTENCY_KEY = "Idempotency-Key";
+const HEADER_WARRANT_TOKEN = "Warrant-Token";
+var WorkOS = class {
+	baseURL;
+	client;
+	clientId;
+	key;
+	options;
+	pkce;
+	hasApiKey;
+	actions;
+	apiKeys = new ApiKeys(this);
+	auditLogs = new AuditLogs(this);
+	authorization = new Authorization(this);
+	directorySync = new DirectorySync(this);
+	events = new Events(this);
+	featureFlags = new FeatureFlags(this);
+	fga = new FGA(this);
+	mfa = new Mfa(this);
+	organizations = new Organizations(this);
+	organizationDomains = new OrganizationDomains(this);
+	passwordless = new Passwordless(this);
+	pipes = new Pipes(this);
+	portal = new Portal(this);
+	sso = new SSO(this);
+	userManagement;
+	vault = new Vault(this);
+	webhooks;
+	widgets = new Widgets(this);
+	/**
+	* Create a new WorkOS client.
+	*
+	* @param keyOrOptions - API key string, or options object
+	* @param maybeOptions - Options when first argument is API key
+	*
+	* @example
+	* // Server-side with API key (string)
+	* const workos = new WorkOS('sk_...');
+	*
+	* @example
+	* // Server-side with API key (object)
+	* const workos = new WorkOS({ apiKey: 'sk_...', clientId: 'client_...' });
+	*
+	* @example
+	* // PKCE/public client (no API key)
+	* const workos = new WorkOS({ clientId: 'client_...' });
+	*/
+	constructor(keyOrOptions, maybeOptions) {
+		if (typeof keyOrOptions === "object") {
+			this.key = keyOrOptions.apiKey;
+			this.options = keyOrOptions;
+		} else {
+			this.key = keyOrOptions;
+			this.options = maybeOptions ?? {};
+		}
+		if (!this.key) this.key = getEnv("WORKOS_API_KEY");
+		this.hasApiKey = !!this.key;
+		if (this.options.https === void 0) this.options.https = true;
+		this.clientId = this.options.clientId;
+		if (!this.clientId) this.clientId = getEnv("WORKOS_CLIENT_ID");
+		if (!this.hasApiKey && !this.clientId) throw new Error("WorkOS requires either an API key or a clientId. For server-side: new WorkOS(\"sk_...\") or new WorkOS({ apiKey: \"sk_...\" }). For PKCE/public clients: new WorkOS({ clientId: \"client_...\" })");
+		const protocol = this.options.https ? "https" : "http";
+		const apiHostname = this.options.apiHostname || DEFAULT_HOSTNAME;
+		const port = this.options.port;
+		this.baseURL = `${protocol}://${apiHostname}`;
+		if (port) this.baseURL = this.baseURL + `:${port}`;
+		this.pkce = new PKCE();
+		this.webhooks = this.createWebhookClient();
+		this.actions = this.createActionsClient();
+		this.userManagement = new UserManagement(this);
+		const userAgent = this.createUserAgent(this.options);
+		this.client = this.createHttpClient(this.options, userAgent);
+	}
+	createUserAgent(options) {
+		let userAgent = `workos-node/${version}`;
+		const { name: runtimeName, version: runtimeVersion } = getRuntimeInfo();
+		userAgent += ` (${runtimeName}${runtimeVersion ? `/${runtimeVersion}` : ""})`;
+		if (options.appInfo) {
+			const { name, version } = options.appInfo;
+			userAgent += ` ${name}: ${version}`;
+		}
+		return userAgent;
+	}
+	createWebhookClient() {
+		return new Webhooks(this.getCryptoProvider());
+	}
+	createActionsClient() {
+		return new Actions(this.getCryptoProvider());
+	}
+	getCryptoProvider() {
+		return new SubtleCryptoProvider();
+	}
+	createHttpClient(options, userAgent) {
+		const headers = { "User-Agent": userAgent };
+		const configHeaders = options.config?.headers;
+		if (configHeaders && typeof configHeaders === "object" && !Array.isArray(configHeaders) && !(configHeaders instanceof Headers)) Object.assign(headers, configHeaders);
+		if (this.key) headers["Authorization"] = `Bearer ${this.key}`;
+		return new FetchHttpClient(this.baseURL, {
+			...options.config,
+			timeout: options.timeout,
+			headers
+		});
+	}
+	get version() {
+		return version;
+	}
+	/**
+	* Require API key for methods that need it.
+	* @param methodName - Name of the method requiring API key (for error message)
+	* @throws ApiKeyRequiredException if no API key was provided
+	*/
+	requireApiKey(methodName) {
+		if (!this.hasApiKey) throw new ApiKeyRequiredException(methodName);
+	}
+	async post(path, entity, options = {}) {
+		if (!options.skipApiKeyCheck) this.requireApiKey(path);
+		const requestHeaders = {};
+		if (options.idempotencyKey) requestHeaders[HEADER_IDEMPOTENCY_KEY] = options.idempotencyKey;
+		if (options.warrantToken) requestHeaders[HEADER_WARRANT_TOKEN] = options.warrantToken;
+		let res;
+		try {
+			res = await this.client.post(path, entity, {
+				params: options.query,
+				headers: requestHeaders
+			});
+		} catch (error) {
+			this.handleHttpError({
+				path,
+				error
+			});
+			throw error;
+		}
+		try {
+			return { data: await res.toJSON() };
+		} catch (error) {
+			await this.handleParseError(error, res);
+			throw error;
+		}
+	}
+	async get(path, options = {}) {
+		if (!options.skipApiKeyCheck) this.requireApiKey(path);
+		const requestHeaders = {};
+		if (options.accessToken) requestHeaders[HEADER_AUTHORIZATION] = `Bearer ${options.accessToken}`;
+		if (options.warrantToken) requestHeaders[HEADER_WARRANT_TOKEN] = options.warrantToken;
+		let res;
+		try {
+			res = await this.client.get(path, {
+				params: options.query,
+				headers: requestHeaders
+			});
+		} catch (error) {
+			this.handleHttpError({
+				path,
+				error
+			});
+			throw error;
+		}
+		try {
+			return { data: await res.toJSON() };
+		} catch (error) {
+			await this.handleParseError(error, res);
+			throw error;
+		}
+	}
+	async put(path, entity, options = {}) {
+		if (!options.skipApiKeyCheck) this.requireApiKey(path);
+		const requestHeaders = {};
+		if (options.idempotencyKey) requestHeaders[HEADER_IDEMPOTENCY_KEY] = options.idempotencyKey;
+		let res;
+		try {
+			res = await this.client.put(path, entity, {
+				params: options.query,
+				headers: requestHeaders
+			});
+		} catch (error) {
+			this.handleHttpError({
+				path,
+				error
+			});
+			throw error;
+		}
+		try {
+			return { data: await res.toJSON() };
+		} catch (error) {
+			await this.handleParseError(error, res);
+			throw error;
+		}
+	}
+	async patch(path, entity, options = {}) {
+		if (!options.skipApiKeyCheck) this.requireApiKey(path);
+		const requestHeaders = {};
+		if (options.idempotencyKey) requestHeaders[HEADER_IDEMPOTENCY_KEY] = options.idempotencyKey;
+		let res;
+		try {
+			res = await this.client.patch(path, entity, {
+				params: options.query,
+				headers: requestHeaders
+			});
+		} catch (error) {
+			this.handleHttpError({
+				path,
+				error
+			});
+			throw error;
+		}
+		try {
+			return { data: await res.toJSON() };
+		} catch (error) {
+			await this.handleParseError(error, res);
+			throw error;
+		}
+	}
+	async delete(path, query) {
+		this.requireApiKey(path);
+		try {
+			await this.client.delete(path, { params: query });
+		} catch (error) {
+			this.handleHttpError({
+				path,
+				error
+			});
+			throw error;
+		}
+	}
+	async deleteWithBody(path, entity) {
+		this.requireApiKey(path);
+		try {
+			await this.client.deleteWithBody(path, entity, {});
+		} catch (error) {
+			this.handleHttpError({
+				path,
+				error
+			});
+			throw error;
+		}
+	}
+	emitWarning(warning) {
+		console.warn(`WorkOS: ${warning}`);
+	}
+	async handleParseError(error, res) {
+		if (error instanceof SyntaxError) {
+			const rawResponse = res.getRawResponse();
+			const requestID = rawResponse.headers.get("X-Request-ID") ?? "";
+			const rawStatus = rawResponse.status;
+			const rawBody = await rawResponse.text();
+			throw new ParseError({
+				message: error.message,
+				rawBody,
+				rawStatus,
+				requestID
+			});
+		}
+	}
+	handleHttpError({ path, error }) {
+		if (!(error instanceof HttpClientError)) throw new Error(`Unexpected error: ${error}`, { cause: error });
+		const { response } = error;
+		if (response) {
+			const { status, data, headers } = response;
+			const requestID = headers["X-Request-ID"] ?? "";
+			const { code, error_description: errorDescription, error, errors, message } = data;
+			switch (status) {
+				case 401: throw new UnauthorizedException(requestID);
+				case 409: throw new ConflictException({
+					requestID,
+					message,
+					error
+				});
+				case 422: throw new UnprocessableEntityException({
+					code,
+					errors,
+					message,
+					requestID
+				});
+				case 404: throw new NotFoundException({
+					code,
+					message,
+					path,
+					requestID
+				});
+				case 429: {
+					const retryAfter = headers.get("Retry-After");
+					throw new RateLimitExceededException(data.message, requestID, retryAfter ? Number(retryAfter) : null);
+				}
+				default: if (error || errorDescription) throw new OauthException(status, requestID, error, errorDescription, data);
+				else if (code && errors) throw new BadRequestException({
+					code,
+					errors,
+					message,
+					requestID
+				});
+				else throw new GenericServerException(status, data.message, data, requestID);
+			}
+		}
+	}
+};
+//#endregion
+//#region src/organizations/interfaces/domain-data.interface.ts
+let DomainDataState = /* @__PURE__ */ function(DomainDataState) {
+	DomainDataState["Verified"] = "verified";
+	DomainDataState["Pending"] = "pending";
+	return DomainDataState;
+}({});
+//#endregion
+//#region src/organization-domains/interfaces/organization-domain.interface.ts
+let OrganizationDomainState = /* @__PURE__ */ function(OrganizationDomainState) {
+	OrganizationDomainState["Verified"] = "verified";
+	OrganizationDomainState["Pending"] = "pending";
+	OrganizationDomainState["Failed"] = "failed";
+	return OrganizationDomainState;
+}({});
+let OrganizationDomainVerificationStrategy = /* @__PURE__ */ function(OrganizationDomainVerificationStrategy) {
+	OrganizationDomainVerificationStrategy["Dns"] = "dns";
+	OrganizationDomainVerificationStrategy["Manual"] = "manual";
+	return OrganizationDomainVerificationStrategy;
+}({});
+//#endregion
+//#region src/portal/interfaces/generate-portal-link-intent.interface.ts
+let GeneratePortalLinkIntent = /* @__PURE__ */ function(GeneratePortalLinkIntent) {
+	GeneratePortalLinkIntent["AuditLogs"] = "audit_logs";
+	GeneratePortalLinkIntent["DomainVerification"] = "domain_verification";
+	GeneratePortalLinkIntent["DSync"] = "dsync";
+	GeneratePortalLinkIntent["LogStreams"] = "log_streams";
+	GeneratePortalLinkIntent["SSO"] = "sso";
+	GeneratePortalLinkIntent["CertificateRenewal"] = "certificate_renewal";
+	GeneratePortalLinkIntent["BringYourOwnKey"] = "bring_your_own_key";
+	return GeneratePortalLinkIntent;
+}({});
+//#endregion
+//#region src/sso/interfaces/connection-type.enum.ts
+let ConnectionType = /* @__PURE__ */ function(ConnectionType) {
+	ConnectionType["ADFSSAML"] = "ADFSSAML";
+	ConnectionType["AdpOidc"] = "AdpOidc";
+	ConnectionType["AppleOAuth"] = "AppleOAuth";
+	ConnectionType["Auth0SAML"] = "Auth0SAML";
+	ConnectionType["AzureSAML"] = "AzureSAML";
+	ConnectionType["CasSAML"] = "CasSAML";
+	ConnectionType["ClassLinkSAML"] = "ClassLinkSAML";
+	ConnectionType["CloudflareSAML"] = "CloudflareSAML";
+	ConnectionType["CyberArkSAML"] = "CyberArkSAML";
+	ConnectionType["DuoSAML"] = "DuoSAML";
+	ConnectionType["GenericOIDC"] = "GenericOIDC";
+	ConnectionType["GenericSAML"] = "GenericSAML";
+	ConnectionType["GitHubOAuth"] = "GitHubOAuth";
+	ConnectionType["GoogleOAuth"] = "GoogleOAuth";
+	ConnectionType["GoogleSAML"] = "GoogleSAML";
+	ConnectionType["JumpCloudSAML"] = "JumpCloudSAML";
+	ConnectionType["KeycloakSAML"] = "KeycloakSAML";
+	ConnectionType["LastPassSAML"] = "LastPassSAML";
+	ConnectionType["LoginGovOidc"] = "LoginGovOidc";
+	ConnectionType["MagicLink"] = "MagicLink";
+	ConnectionType["MicrosoftOAuth"] = "MicrosoftOAuth";
+	ConnectionType["MiniOrangeSAML"] = "MiniOrangeSAML";
+	ConnectionType["NetIqSAML"] = "NetIqSAML";
+	ConnectionType["OktaSAML"] = "OktaSAML";
+	ConnectionType["OneLoginSAML"] = "OneLoginSAML";
+	ConnectionType["OracleSAML"] = "OracleSAML";
+	ConnectionType["PingFederateSAML"] = "PingFederateSAML";
+	ConnectionType["PingOneSAML"] = "PingOneSAML";
+	ConnectionType["RipplingSAML"] = "RipplingSAML";
+	ConnectionType["SalesforceOAuth"] = "SalesforceOAuth";
+	ConnectionType["SalesforceSAML"] = "SalesforceSAML";
+	ConnectionType["ShibbolethGenericSAML"] = "ShibbolethGenericSAML";
+	ConnectionType["ShibbolethSAML"] = "ShibbolethSAML";
+	ConnectionType["SimpleSamlPhpSAML"] = "SimpleSamlPhpSAML";
+	ConnectionType["VMwareSAML"] = "VMwareSAML";
+	return ConnectionType;
+}({});
+//#endregion
+//#region src/factory.ts
+function createWorkOS(options) {
+	return new WorkOS(options);
+}
+//#endregion
+Object.defineProperty(exports, "Actions", {
+	enumerable: true,
+	get: function() {
+		return Actions;
+	}
+});
+Object.defineProperty(exports, "ApiKeyRequiredException", {
+	enumerable: true,
+	get: function() {
+		return ApiKeyRequiredException;
+	}
+});
+Object.defineProperty(exports, "AuthenticateWithSessionCookieFailureReason", {
+	enumerable: true,
+	get: function() {
+		return AuthenticateWithSessionCookieFailureReason;
+	}
+});
+Object.defineProperty(exports, "AutoPaginatable", {
+	enumerable: true,
+	get: function() {
+		return AutoPaginatable;
+	}
+});
+Object.defineProperty(exports, "BadRequestException", {
+	enumerable: true,
+	get: function() {
+		return BadRequestException;
+	}
+});
+Object.defineProperty(exports, "CheckOp", {
+	enumerable: true,
+	get: function() {
+		return CheckOp;
+	}
+});
+Object.defineProperty(exports, "CheckResult", {
+	enumerable: true,
+	get: function() {
+		return CheckResult;
+	}
+});
+Object.defineProperty(exports, "ConnectionType", {
+	enumerable: true,
+	get: function() {
+		return ConnectionType;
+	}
+});
+Object.defineProperty(exports, "CookieSession", {
+	enumerable: true,
+	get: function() {
+		return CookieSession;
+	}
+});
+Object.defineProperty(exports, "DomainDataState", {
+	enumerable: true,
+	get: function() {
+		return DomainDataState;
+	}
+});
+Object.defineProperty(exports, "FetchHttpClient", {
+	enumerable: true,
+	get: function() {
+		return FetchHttpClient;
+	}
+});
+Object.defineProperty(exports, "GeneratePortalLinkIntent", {
+	enumerable: true,
+	get: function() {
+		return GeneratePortalLinkIntent;
+	}
+});
+Object.defineProperty(exports, "GenericServerException", {
+	enumerable: true,
+	get: function() {
+		return GenericServerException;
+	}
+});
+Object.defineProperty(exports, "NoApiKeyProvidedException", {
+	enumerable: true,
+	get: function() {
+		return NoApiKeyProvidedException;
+	}
+});
+Object.defineProperty(exports, "NotFoundException", {
+	enumerable: true,
+	get: function() {
+		return NotFoundException;
+	}
+});
+Object.defineProperty(exports, "OauthException", {
+	enumerable: true,
+	get: function() {
+		return OauthException;
+	}
+});
+Object.defineProperty(exports, "OrganizationDomainState", {
+	enumerable: true,
+	get: function() {
+		return OrganizationDomainState;
+	}
+});
+Object.defineProperty(exports, "OrganizationDomainVerificationStrategy", {
+	enumerable: true,
+	get: function() {
+		return OrganizationDomainVerificationStrategy;
+	}
+});
+Object.defineProperty(exports, "PKCE", {
+	enumerable: true,
+	get: function() {
+		return PKCE;
+	}
+});
+Object.defineProperty(exports, "RateLimitExceededException", {
+	enumerable: true,
+	get: function() {
+		return RateLimitExceededException;
+	}
+});
+Object.defineProperty(exports, "RefreshSessionFailureReason", {
+	enumerable: true,
+	get: function() {
+		return RefreshSessionFailureReason;
+	}
+});
+Object.defineProperty(exports, "ResourceOp", {
+	enumerable: true,
+	get: function() {
+		return ResourceOp;
+	}
+});
+Object.defineProperty(exports, "SignatureVerificationException", {
+	enumerable: true,
+	get: function() {
+		return SignatureVerificationException;
+	}
+});
+Object.defineProperty(exports, "SubtleCryptoProvider", {
+	enumerable: true,
+	get: function() {
+		return SubtleCryptoProvider;
+	}
+});
+Object.defineProperty(exports, "UnauthorizedException", {
+	enumerable: true,
+	get: function() {
+		return UnauthorizedException;
+	}
+});
+Object.defineProperty(exports, "UnprocessableEntityException", {
+	enumerable: true,
+	get: function() {
+		return UnprocessableEntityException;
+	}
+});
+Object.defineProperty(exports, "WarrantOp", {
+	enumerable: true,
+	get: function() {
+		return WarrantOp;
+	}
+});
+Object.defineProperty(exports, "Webhooks", {
+	enumerable: true,
+	get: function() {
+		return Webhooks;
+	}
+});
+Object.defineProperty(exports, "WorkOS", {
+	enumerable: true,
+	get: function() {
+		return WorkOS;
+	}
+});
+Object.defineProperty(exports, "createWorkOS", {
+	enumerable: true,
+	get: function() {
+		return createWorkOS;
+	}
+});
+Object.defineProperty(exports, "serializeRevokeSessionOptions", {
+	enumerable: true,
+	get: function() {
+		return serializeRevokeSessionOptions;
+	}
+});
+
+//# sourceMappingURL=factory-DlHvKYOI.cjs.map