@workos-inc/node 9.3.0 → 10.0.0

package/lib/{factory-5S80C27h.cjs → factory-CKDJjzbQ.cjs}

@@ -99,6 +99,8 @@ for (let i = 0; i < byteHexMapping.length; i++) byteHexMapping[i] = i.toString(1
 //#endregion
 //#region src/common/net/http-client.ts
 var HttpClient = class HttpClient {
+	baseURL;
+	options;
 	MAX_RETRY_ATTEMPTS = 3;
 	BACKOFF_MULTIPLIER = 1.5;
 	MINIMUM_SLEEP_TIME_IN_MILLISECONDS = 500;
@@ -112,14 +114,6 @@ var HttpClient = class HttpClient {
 		this.baseURL = baseURL;
 		this.options = options;
 	}
-	/** The HTTP client name used for diagnostics */
-	getClientName() {
-		throw new Error("getClientName not implemented");
-	}
-	addClientToUserAgent(userAgent) {
-		if (userAgent.indexOf(" ") > -1) return userAgent.replace(/\b\s/, `/${this.getClientName()} `);
-		else return `${userAgent}/${this.getClientName()}`;
-	}
 	static getResourceURL(baseURL, path, params) {
 		const queryString = HttpClient.getQueryString(params);
 		return new URL([path, queryString].filter(Boolean).join("?"), baseURL).toString();
@@ -190,6 +184,8 @@ var ParseError = class extends Error {
 //#region src/common/net/fetch-client.ts
 const DEFAULT_FETCH_TIMEOUT = 6e4;
 var FetchHttpClient = class extends HttpClient {
+	baseURL;
+	options;
 	_fetchFn;
 	constructor(baseURL, options, fetchFn) {
 		super(baseURL, options);
@@ -201,10 +197,6 @@ var FetchHttpClient = class extends HttpClient {
 		}
 		this._fetchFn = fetchFn.bind(globalThis);
 	}
-	/** @override */
-	getClientName() {
-		return "fetch";
-	}
 	async get(path, options) {
 		const resourceURL = HttpClient.getResourceURL(this.baseURL, path, options.params);
 		if (HttpClient.isPathRetryable(path)) return await this.fetchRequestWithRetry(resourceURL, "GET", null, options.headers);
@@ -275,7 +267,7 @@ var FetchHttpClient = class extends HttpClient {
 					"Content-Type": "application/json",
 					...this.options?.headers,
 					...headers,
-					"User-Agent": this.addClientToUserAgent((userAgent || "workos-node").toString())
+					"User-Agent": (userAgent || "workos-node").toString()
 				},
 				body: requestBody,
 				signal: abortController?.signal
@@ -370,6 +362,19 @@ var FetchHttpClientResponse = class FetchHttpClientResponse extends HttpClientRe
 	}
 };
 //#endregion
+//#region src/common/crypto/decode-payload.ts
+function isBinaryPayload(payload) {
+	return ArrayBuffer.isView(payload) || Object.prototype.toString.call(payload) === "[object ArrayBuffer]";
+}
+function decodePayloadToString(payload) {
+	if (typeof payload === "string") return payload;
+	if (isBinaryPayload(payload)) {
+		const bytes = Object.prototype.toString.call(payload) === "[object ArrayBuffer]" ? new Uint8Array(payload) : payload;
+		return new TextDecoder("utf-8", { ignoreBOM: true }).decode(bytes);
+	}
+	return JSON.stringify(payload);
+}
+//#endregion
 //#region src/common/exceptions/api-key-required.exception.ts
 var ApiKeyRequiredException = class extends Error {
 	status = 403;
@@ -383,6 +388,9 @@ var ApiKeyRequiredException = class extends Error {
 //#endregion
 //#region src/common/exceptions/generic-server.exception.ts
 var GenericServerException = class extends Error {
+	status;
+	rawData;
+	requestID;
 	name = "GenericServerException";
 	message = "The request could not be completed.";
 	code;
@@ -417,6 +425,7 @@ function isAuthenticationErrorData(data) {
 	return getAuthenticationErrorCode(data) !== void 0;
 }
 var AuthenticationException = class extends GenericServerException {
+	rawData;
 	name = "AuthenticationException";
 	code;
 	pendingAuthenticationToken;
@@ -486,6 +495,11 @@ var NotFoundException = class extends Error {
 //#endregion
 //#region src/common/exceptions/oauth.exception.ts
 var OauthException = class extends Error {
+	status;
+	requestID;
+	error;
+	errorDescription;
+	rawData;
 	name = "OauthException";
 	constructor(status, requestID, error, errorDescription, rawData) {
 		super();
@@ -502,6 +516,7 @@ var OauthException = class extends Error {
 //#endregion
 //#region src/common/exceptions/rate-limit-exceeded.exception.ts
 var RateLimitExceededException = class extends GenericServerException {
+	retryAfter;
 	name = "RateLimitExceededException";
 	constructor(message, requestID, retryAfter) {
 		super(429, message, {}, requestID);
@@ -519,6 +534,7 @@ var SignatureVerificationException = class extends Error {
 //#endregion
 //#region src/common/exceptions/unauthorized.exception.ts
 var UnauthorizedException = class extends Error {
+	requestID;
 	status = 401;
 	name = "UnauthorizedException";
 	message;
@@ -542,7 +558,8 @@ var UnprocessableEntityException = class extends Error {
 		if (message) this.message = message;
 		if (code) this.code = code;
 		if (errors) {
-			this.message = `The following ${errors.length === 1 ? "requirement" : "requirements"} must be met:\n`;
+			const requirement = errors.length === 1 ? "requirement" : "requirements";
+			this.message = `The following ${requirement} must be met:\n`;
 			for (const { code } of errors) this.message = this.message.concat(`\t${code}\n`);
 		}
 	}
@@ -570,8 +587,7 @@ var SignatureProvider = class {
 		return [timestamp, signatureHash];
 	}
 	async computeSignature(timestamp, payload, secret) {
-		payload = JSON.stringify(payload);
-		const signedPayload = `${timestamp}.${payload}`;
+		const signedPayload = `${timestamp}.${decodePayloadToString(payload)}`;
 		return await this.cryptoProvider.computeHMACSignatureAsync(signedPayload, secret);
 	}
 };
@@ -716,6 +732,43 @@ const deserializeAuthenticationEvent = (authenticationEvent) => ({
 	userId: authenticationEvent.user_id
 });
 //#endregion
+//#region src/multi-factor-auth/serializers/totp.serializer.ts
+const deserializeTotp = (totp) => {
+	return {
+		issuer: totp.issuer,
+		user: totp.user
+	};
+};
+const deserializeTotpWithSecrets = (totp) => {
+	return {
+		issuer: totp.issuer,
+		user: totp.user,
+		qrCode: totp.qr_code,
+		secret: totp.secret,
+		uri: totp.uri
+	};
+};
+//#endregion
+//#region src/user-management/serializers/authentication-factor.serializer.ts
+const deserializeFactor$1 = (factor) => ({
+	object: factor.object,
+	id: factor.id,
+	createdAt: factor.created_at,
+	updatedAt: factor.updated_at,
+	type: factor.type,
+	totp: deserializeTotp(factor.totp),
+	userId: factor.user_id
+});
+const deserializeFactorWithSecrets$1 = (factor) => ({
+	object: factor.object,
+	id: factor.id,
+	createdAt: factor.created_at,
+	updatedAt: factor.updated_at,
+	type: factor.type,
+	totp: deserializeTotpWithSecrets(factor.totp),
+	userId: factor.user_id
+});
+//#endregion
 //#region src/user-management/serializers/oauth-tokens.serializer.ts
 const deserializeOauthTokens = (oauthTokens) => oauthTokens ? {
 	accessToken: oauthTokens.access_token,
@@ -794,43 +847,6 @@ const serializeEnrollAuthFactorOptions = (options) => ({
 	totp_secret: options.totpSecret
 });
 //#endregion
-//#region src/multi-factor-auth/serializers/totp.serializer.ts
-const deserializeTotp = (totp) => {
-	return {
-		issuer: totp.issuer,
-		user: totp.user
-	};
-};
-const deserializeTotpWithSecrets = (totp) => {
-	return {
-		issuer: totp.issuer,
-		user: totp.user,
-		qrCode: totp.qr_code,
-		secret: totp.secret,
-		uri: totp.uri
-	};
-};
-//#endregion
-//#region src/user-management/serializers/factor.serializer.ts
-const deserializeFactor$1 = (factor) => ({
-	object: factor.object,
-	id: factor.id,
-	createdAt: factor.created_at,
-	updatedAt: factor.updated_at,
-	type: factor.type,
-	totp: deserializeTotp(factor.totp),
-	userId: factor.user_id
-});
-const deserializeFactorWithSecrets$1 = (factor) => ({
-	object: factor.object,
-	id: factor.id,
-	createdAt: factor.created_at,
-	updatedAt: factor.updated_at,
-	type: factor.type,
-	totp: deserializeTotpWithSecrets(factor.totp),
-	userId: factor.user_id
-});
-//#endregion
 //#region src/user-management/serializers/invitation.serializer.ts
 const deserializeInvitation = (invitation) => ({
 	object: invitation.object,
@@ -1062,7 +1078,48 @@ var Actions = class {
 			tolerance
 		};
 		await this.verifyHeader(options);
-		return deserializeAction(payload);
+		return deserializeAction(typeof payload === "string" || isBinaryPayload(payload) ? JSON.parse(decodePayloadToString(payload)) : payload);
+	}
+};
+//#endregion
+//#region src/common/utils/pagination.ts
+var AutoPaginatable = class {
+	list;
+	apiCall;
+	object = "list";
+	options;
+	constructor(list, apiCall, options) {
+		this.list = list;
+		this.apiCall = apiCall;
+		this.options = options ?? {};
+	}
+	get data() {
+		return this.list.data;
+	}
+	get listMetadata() {
+		return this.list.listMetadata;
+	}
+	async *generatePages(params) {
+		const result = await this.apiCall({
+			...this.options,
+			limit: 100,
+			after: params.after
+		});
+		yield result.data;
+		if (result.listMetadata.after) {
+			await new Promise((resolve) => setTimeout(resolve, 350));
+			yield* this.generatePages({ after: result.listMetadata.after });
+		}
+	}
+	/**
+	* Automatically paginates over the list of results, returning the complete data set.
+	* Returns the first result if `options.limit` is passed to the first request.
+	*/
+	async autoPagination() {
+		if (this.options.limit) return this.data;
+		const results = [];
+		for await (const page of this.generatePages({ after: this.options.after })) results.push(...page);
+		return results;
 	}
 };
 //#endregion
@@ -1346,30 +1403,30 @@ const deserializeFeatureFlag = (featureFlag) => ({
 	updatedAt: featureFlag.updated_at
 });
 //#endregion
-//#region src/groups/serializers/add-group-organization-membership-options.serializer.ts
-const serializeAddGroupOrganizationMembershipOptions = (options) => ({ organization_membership_id: options.organizationMembershipId });
-//#endregion
-//#region src/groups/serializers/create-group-options.serializer.ts
-const serializeCreateGroupOptions = (options) => ({
-	name: options.name,
-	description: options.description
+//#region src/groups/serializers/create-group.serializer.ts
+const serializeCreateGroup = (model) => ({
+	name: model.name,
+	description: model.description ?? null
 });
 //#endregion
+//#region src/groups/serializers/create-group-membership.serializer.ts
+const serializeCreateGroupMembership = (model) => ({ organization_membership_id: model.organizationMembershipId });
+//#endregion
 //#region src/groups/serializers/group.serializer.ts
-const deserializeGroup = (group) => ({
-	object: group.object,
-	id: group.id,
-	organizationId: group.organization_id,
-	name: group.name,
-	description: group.description,
-	createdAt: group.created_at,
-	updatedAt: group.updated_at
-});
-//#endregion
-//#region src/groups/serializers/update-group-options.serializer.ts
-const serializeUpdateGroupOptions = (options) => ({
-	name: options.name,
-	description: options.description
+const deserializeGroup = (response) => ({
+	object: response.object,
+	id: response.id,
+	organizationId: response.organization_id,
+	name: response.name,
+	description: response.description ?? null,
+	createdAt: new Date(response.created_at),
+	updatedAt: new Date(response.updated_at)
+});
+//#endregion
+//#region src/groups/serializers/update-group.serializer.ts
+const serializeUpdateGroup = (model) => ({
+	name: model.name,
+	description: model.description ?? null
 });
 //#endregion
 //#region src/vault/serializers/vault-event.serializer.ts
@@ -1696,11 +1753,122 @@ const serializePaginationOptions = (options) => ({
 	...options.order && { order: options.order }
 });
 //#endregion
+//#region src/common/utils/fetch-and-deserialize.ts
+const setDefaultOptions = (options) => {
+	return {
+		...options,
+		order: options?.order || "desc"
+	};
+};
+const fetchAndDeserialize = async (workos, endpoint, deserializeFn, options, requestOptions) => {
+	const { data } = await workos.get(endpoint, {
+		query: setDefaultOptions(options),
+		...requestOptions
+	});
+	return deserializeList(data, deserializeFn);
+};
+//#endregion
+//#region src/webhooks/serializers/webhook-endpoint.serializer.ts
+const deserializeWebhookEndpoint = (response) => ({
+	object: response.object,
+	id: response.id,
+	endpointUrl: response.endpoint_url,
+	secret: response.secret,
+	status: response.status,
+	events: response.events,
+	createdAt: new Date(response.created_at),
+	updatedAt: new Date(response.updated_at)
+});
+//#endregion
+//#region src/webhooks/serializers/create-webhook-endpoint.serializer.ts
+const serializeCreateWebhookEndpoint = (model) => ({
+	endpoint_url: model.endpointUrl,
+	events: model.events
+});
+//#endregion
+//#region src/webhooks/serializers/update-webhook-endpoint.serializer.ts
+const serializeUpdateWebhookEndpoint = (model) => ({
+	endpoint_url: model.endpointUrl,
+	status: model.status,
+	events: model.events
+});
+//#endregion
 //#region src/webhooks/webhooks.ts
 var Webhooks = class {
-	signatureProvider;
-	constructor(cryptoProvider) {
-		this.signatureProvider = new SignatureProvider(cryptoProvider);
+	workos;
+	constructor(workos) {
+		this.workos = workos;
+	}
+	/**
+	* List Webhook Endpoints
+	*
+	* Get a list of all of your existing webhook endpoints.
+	* @param options - Pagination and filter options.
+	* @returns {Promise<AutoPaginatable<WebhookEndpoint, PaginationOptions>>}
+	*/
+	async listWebhookEndpoints(options) {
+		const paginationOptions = options;
+		return new AutoPaginatable(await fetchAndDeserialize(this.workos, "/webhook_endpoints", deserializeWebhookEndpoint, paginationOptions), (params) => fetchAndDeserialize(this.workos, "/webhook_endpoints", deserializeWebhookEndpoint, params), paginationOptions);
+	}
+	/**
+	* Create a Webhook Endpoint
+	*
+	* Create a new webhook endpoint to receive event notifications.
+	* @param options - Object containing endpointUrl, events.
+	* @param options.endpointUrl - The HTTPS URL where webhooks will be sent.
+	* @example "https://example.com/webhooks"
+	* @param options.events - The events that the Webhook Endpoint is subscribed to.
+	* @example ["user.created","dsync.user.created"]
+	* @returns {Promise<WebhookEndpoint>}
+	* @throws {ConflictException} 409
+	* @throws {UnprocessableEntityException} 422
+	*/
+	async createWebhookEndpoint(options) {
+		const payload = options;
+		const { data } = await this.workos.post("/webhook_endpoints", serializeCreateWebhookEndpoint(payload));
+		return deserializeWebhookEndpoint(data);
+	}
+	/**
+	* Update a Webhook Endpoint
+	*
+	* Update the properties of an existing webhook endpoint.
+	* @param options - The request body.
+	* @param options.id - Unique identifier of the Webhook Endpoint.
+	* @example "we_0123456789"
+	* @param options.endpointUrl - The HTTPS URL where webhooks will be sent.
+	* @example "https://example.com/webhooks"
+	* @param options.status - Whether the Webhook Endpoint is enabled or disabled.
+	* @example "enabled"
+	* @param options.events - The events that the Webhook Endpoint is subscribed to.
+	* @example ["user.created","dsync.user.created"]
+	* @returns {Promise<WebhookEndpoint>}
+	* @throws {NotFoundException} 404
+	* @throws {ConflictException} 409
+	* @throws {UnprocessableEntityException} 422
+	*/
+	async updateWebhookEndpoint(options) {
+		const { id, ...payload } = options;
+		const { data } = await this.workos.patch(`/webhook_endpoints/${encodeURIComponent(id)}`, serializeUpdateWebhookEndpoint(payload));
+		return deserializeWebhookEndpoint(data);
+	}
+	/**
+	* Delete a Webhook Endpoint
+	*
+	* Delete an existing webhook endpoint.
+	* @param options - The request options.
+	* @param options.id - Unique identifier of the Webhook Endpoint.
+	* @example "we_0123456789"
+	* @returns {Promise<void>}
+	* @throws {NotFoundException} 404
+	*/
+	async deleteWebhookEndpoint(options) {
+		const { id } = options;
+		await this.workos.delete(`/webhook_endpoints/${encodeURIComponent(id)}`);
+	}
+	_signatureProvider;
+	get signatureProvider() {
+		if (!this._signatureProvider) this._signatureProvider = new SignatureProvider(this.workos.getCryptoProvider());
+		return this._signatureProvider;
 	}
 	get verifyHeader() {
 		return this.signatureProvider.verifyHeader.bind(this.signatureProvider);
@@ -1719,7 +1887,11 @@ var Webhooks = class {
 			tolerance
 		};
 		await this.verifyHeader(options);
-		return deserializeEvent(payload);
+		return deserializeEvent(this.parseVerifiedPayload(payload));
+	}
+	parseVerifiedPayload(payload) {
+		if (typeof payload === "object" && !isBinaryPayload(payload)) return payload;
+		return JSON.parse(decodePayloadToString(payload));
 	}
 };
 //#endregion
@@ -1773,45 +1945,6 @@ var PKCE = class {
 	}
 };
 //#endregion
-//#region src/common/utils/pagination.ts
-var AutoPaginatable = class {
-	object = "list";
-	options;
-	constructor(list, apiCall, options) {
-		this.list = list;
-		this.apiCall = apiCall;
-		this.options = options ?? {};
-	}
-	get data() {
-		return this.list.data;
-	}
-	get listMetadata() {
-		return this.list.listMetadata;
-	}
-	async *generatePages(params) {
-		const result = await this.apiCall({
-			...this.options,
-			limit: 100,
-			after: params.after
-		});
-		yield result.data;
-		if (result.listMetadata.after) {
-			await new Promise((resolve) => setTimeout(resolve, 350));
-			yield* this.generatePages({ after: result.listMetadata.after });
-		}
-	}
-	/**
-	* Automatically paginates over the list of results, returning the complete data set.
-	* Returns the first result if `options.limit` is passed to the first request.
-	*/
-	async autoPagination() {
-		if (this.options.limit) return this.data;
-		const results = [];
-		for await (const page of this.generatePages({ after: this.options.after })) results.push(...page);
-		return results;
-	}
-};
-//#endregion
 //#region src/api-keys/serializers/create-organization-api-key-options.serializer.ts
 function serializeCreateOrganizationApiKeyOptions(options) {
 	return {
@@ -1841,23 +1974,9 @@ function deserializeValidateApiKeyResponse(response) {
 	return { apiKey: response.api_key ? deserializeApiKey(response.api_key) : null };
 }
 //#endregion
-//#region src/common/utils/fetch-and-deserialize.ts
-const setDefaultOptions = (options) => {
-	return {
-		...options,
-		order: options?.order || "desc"
-	};
-};
-const fetchAndDeserialize = async (workos, endpoint, deserializeFn, options, requestOptions) => {
-	const { data } = await workos.get(endpoint, {
-		query: setDefaultOptions(options),
-		...requestOptions
-	});
-	return deserializeList(data, deserializeFn);
-};
-//#endregion
 //#region src/api-keys/api-keys.ts
 var ApiKeys = class {
+	workos;
 	constructor(workos) {
 		this.workos = workos;
 	}
@@ -1927,8 +2046,362 @@ var ApiKeys = class {
 	}
 };
 //#endregion
+//#region src/connect/serializers/external-auth-complete-response.serializer.ts
+const deserializeExternalAuthCompleteResponse = (response) => ({ redirectUri: response.redirect_uri });
+//#endregion
+//#region src/connect/serializers/connect-application-redirect-uri.serializer.ts
+const deserializeConnectApplicationRedirectUri = (response) => ({
+	uri: response.uri,
+	default: response.default
+});
+//#endregion
+//#region src/connect/serializers/connect-application.serializer.ts
+const deserializeConnectApplication = (response) => {
+	switch (response.application_type) {
+		case "oauth": return {
+			object: response.object,
+			id: response.id,
+			clientId: response.client_id,
+			description: response.description,
+			name: response.name,
+			scopes: response.scopes,
+			createdAt: new Date(response.created_at),
+			updatedAt: new Date(response.updated_at),
+			applicationType: "oauth",
+			redirectUris: response.redirect_uris.map(deserializeConnectApplicationRedirectUri),
+			usesPkce: response.uses_pkce,
+			isFirstParty: response.is_first_party,
+			wasDynamicallyRegistered: response.was_dynamically_registered,
+			organizationId: response.organization_id
+		};
+		case "m2m": return {
+			object: response.object,
+			id: response.id,
+			clientId: response.client_id,
+			description: response.description,
+			name: response.name,
+			scopes: response.scopes,
+			createdAt: new Date(response.created_at),
+			updatedAt: new Date(response.updated_at),
+			applicationType: "m2m",
+			organizationId: response.organization_id
+		};
+		default: throw new Error(`Unknown application_type: ${response.application_type}`);
+	}
+};
+//#endregion
+//#region src/connect/serializers/application-credentials-list-item.serializer.ts
+const deserializeApplicationCredentialsListItem = (response) => ({
+	object: response.object,
+	id: response.id,
+	secretHint: response.secret_hint,
+	lastUsedAt: response.last_used_at != null ? new Date(response.last_used_at) : null,
+	createdAt: new Date(response.created_at),
+	updatedAt: new Date(response.updated_at)
+});
+//#endregion
+//#region src/connect/serializers/new-connect-application-secret.serializer.ts
+const deserializeNewConnectApplicationSecret = (response) => ({
+	object: response.object,
+	id: response.id,
+	secretHint: response.secret_hint,
+	lastUsedAt: response.last_used_at != null ? new Date(response.last_used_at) : null,
+	createdAt: new Date(response.created_at),
+	updatedAt: new Date(response.updated_at),
+	secret: response.secret
+});
+//#endregion
+//#region src/connect/serializers/user-object.serializer.ts
+const serializeUserObject = (model) => ({
+	id: model.id,
+	email: model.email,
+	first_name: model.firstName,
+	last_name: model.lastName,
+	metadata: model.metadata
+});
+//#endregion
+//#region src/connect/serializers/user-consent-option-choice.serializer.ts
+const serializeUserConsentOptionChoice = (model) => ({
+	value: model.value,
+	label: model.label
+});
+//#endregion
+//#region src/connect/serializers/user-consent-option.serializer.ts
+const serializeUserConsentOption = (model) => ({
+	claim: model.claim,
+	type: model.type,
+	label: model.label,
+	choices: model.choices.map(serializeUserConsentOptionChoice)
+});
+//#endregion
+//#region src/connect/serializers/user-management-login-request.serializer.ts
+const serializeUserManagementLoginRequest = (model) => ({
+	external_auth_id: model.externalAuthId,
+	user: serializeUserObject(model.user),
+	user_consent_options: model.userConsentOptions != null ? model.userConsentOptions.map(serializeUserConsentOption) : void 0
+});
+//#endregion
+//#region src/connect/serializers/redirect-uri-input.serializer.ts
+const serializeRedirectUriInput = (model) => ({
+	uri: model.uri,
+	default: model.default ?? null
+});
+//#endregion
+//#region src/connect/serializers/create-oauth-application.serializer.ts
+const serializeCreateOAuthApplication = (model) => ({
+	name: model.name,
+	application_type: model.applicationType,
+	description: model.description ?? null,
+	scopes: model.scopes ?? null,
+	redirect_uris: model.redirectUris != null ? model.redirectUris.map(serializeRedirectUriInput) : null,
+	uses_pkce: model.usesPkce ?? null,
+	is_first_party: model.isFirstParty,
+	organization_id: model.organizationId ?? null
+});
+//#endregion
+//#region src/connect/serializers/create-m2m-application.serializer.ts
+const serializeCreateM2MApplication = (model) => ({
+	name: model.name,
+	application_type: model.applicationType,
+	description: model.description ?? null,
+	scopes: model.scopes ?? null,
+	organization_id: model.organizationId
+});
+//#endregion
+//#region src/connect/serializers/update-oauth-application.serializer.ts
+const serializeUpdateOAuthApplication = (model) => ({
+	name: model.name,
+	description: model.description ?? null,
+	scopes: model.scopes ?? null,
+	redirect_uris: model.redirectUris != null ? model.redirectUris.map(serializeRedirectUriInput) : null
+});
+//#endregion
+//#region src/connect/serializers/create-application-secret.serializer.ts
+const serializeCreateApplicationSecret = (_model) => ({});
+//#endregion
+//#region src/connect/connect.ts
+const serializeListApplicationsOptions = (options) => {
+	const wire = {
+		limit: options.limit,
+		before: options.before,
+		after: options.after,
+		order: options.order
+	};
+	if (options.organizationId !== void 0) wire.organization_id = options.organizationId;
+	return wire;
+};
+var Connect = class {
+	workos;
+	constructor(workos) {
+		this.workos = workos;
+	}
+	/**
+	* Complete external authentication
+	*
+	* Completes an external authentication flow and returns control to AuthKit. This endpoint is used with [Standalone Connect](https://workos.com/docs/authkit/connect/standalone) to bridge your existing authentication system with the Connect OAuth API infrastructure.
+	*
+	* After successfully authenticating a user in your application, calling this endpoint will:
+	*
+	* - Create or update the user in AuthKit, using the given `id` as its `external_id`.
+	* - Return a `redirect_uri` your application should redirect to in order for AuthKit to complete the flow
+	*
+	* Users are automatically created or updated based on the `id` and `email` provided. If a user with the same `id` exists, their information is updated. Otherwise, a new user is created.
+	*
+	* If you provide a new `id` with an `email` that already belongs to an existing user, the request will fail with an error as email addresses are unique to a user.
+	* @param options - Object containing externalAuthId, user.
+	* @param options.externalAuthId - Identifier provided when AuthKit redirected to your login page.
+	* @example "ext_auth_01HXYZ123456789ABCDEFGHIJ"
+	* @param options.user - The user to create or update in AuthKit.
+	* @param options.userConsentOptions - Array of [User Consent Options](https://workos.com/docs/reference/workos-connect/standalone/user-consent-options) to store with the session.
+	* @returns {Promise<ExternalAuthCompleteResponse>}
+	* @throws {BadRequestException} 400
+	* @throws {NotFoundException} 404
+	* @throws {UnprocessableEntityException} 422
+	*/
+	async completeOAuth2(options) {
+		const payload = options;
+		const { data } = await this.workos.post("/authkit/oauth2/complete", serializeUserManagementLoginRequest(payload));
+		return deserializeExternalAuthCompleteResponse(data);
+	}
+	/**
+	* List Connect Applications
+	*
+	* List all Connect Applications in the current environment with optional filtering.
+	* @param options - Pagination and filter options.
+	* @returns {Promise<AutoPaginatable<ConnectApplication, ListApplicationsOptions>>}
+	* @throws {UnprocessableEntityException} 422
+	*/
+	async listApplications(options) {
+		const paginationOptions = options;
+		return new AutoPaginatable(await fetchAndDeserialize(this.workos, "/connect/applications", deserializeConnectApplication, options ? serializeListApplicationsOptions(options) : void 0), (params) => fetchAndDeserialize(this.workos, "/connect/applications", deserializeConnectApplication, params), paginationOptions);
+	}
+	/**
+	* Create a Connect Application
+	*
+	* Create a new Connect Application. Supports both OAuth and Machine-to-Machine (M2M) application types.
+	* @param options - The request body.
+	* @returns {Promise<ConnectApplication>}
+	* @throws {NotFoundException} 404
+	* @throws {UnprocessableEntityException} 422
+	*/
+	async createApplication(options) {
+		const payload = options;
+		const { data } = await this.workos.post("/connect/applications", (() => {
+			switch (payload.applicationType) {
+				case "oauth": return serializeCreateOAuthApplication(payload);
+				case "m2m": return serializeCreateM2MApplication(payload);
+				default: throw new Error(`Unknown applicationType: ${payload.applicationType}`);
+			}
+		})());
+		return deserializeConnectApplication(data);
+	}
+	/**
+	* Create oauth application.
+	* @param name - The name of the application.
+	* @param isFirstParty - Whether this is a first-party application. Third-party applications require an organization_id.
+	* @param description - A description for the application.
+	* @param scopes - The OAuth scopes granted to the application.
+	* @param redirectUris - Redirect URIs for the application.
+	* @param usesPkce - Whether the application uses PKCE (Proof Key for Code Exchange).
+	* @param organizationId - The organization ID this application belongs to. Required when is_first_party is false.
+	* @returns {Promise<ConnectApplication>}
+	*/
+	async createOAuthApplication(name, isFirstParty, description, scopes, redirectUris, usesPkce, organizationId) {
+		const body = {
+			application_type: "oauth",
+			name,
+			is_first_party: isFirstParty
+		};
+		if (description !== void 0) body.description = description;
+		if (scopes !== void 0) body.scopes = scopes;
+		if (redirectUris !== void 0) body.redirect_uris = redirectUris;
+		if (usesPkce !== void 0) body.uses_pkce = usesPkce;
+		if (organizationId !== void 0) body.organization_id = organizationId;
+		const { data } = await this.workos.post("/connect/applications", body);
+		return deserializeConnectApplication(data);
+	}
+	/**
+	* Create m2m application.
+	* @param name - The name of the application.
+	* @param organizationId - The organization ID this application belongs to.
+	* @param description - A description for the application.
+	* @param scopes - The OAuth scopes granted to the application.
+	* @returns {Promise<ConnectApplication>}
+	*/
+	async createM2MApplication(name, organizationId, description, scopes) {
+		const body = {
+			application_type: "m2m",
+			name,
+			organization_id: organizationId
+		};
+		if (description !== void 0) body.description = description;
+		if (scopes !== void 0) body.scopes = scopes;
+		const { data } = await this.workos.post("/connect/applications", body);
+		return deserializeConnectApplication(data);
+	}
+	/**
+	* Get a Connect Application
+	*
+	* Retrieve details for a specific Connect Application by ID or client ID.
+	* @param options - The request options.
+	* @param options.id - The application ID or client ID of the Connect Application.
+	* @example "conn_app_01HXYZ123456789ABCDEFGHIJ"
+	* @returns {Promise<ConnectApplication>}
+	* @throws {NotFoundException} 404
+	*/
+	async getApplication(options) {
+		const { id } = options;
+		const { data } = await this.workos.get(`/connect/applications/${encodeURIComponent(id)}`);
+		return deserializeConnectApplication(data);
+	}
+	/**
+	* Update a Connect Application
+	*
+	* Update an existing Connect Application. For OAuth applications, you can update redirect URIs. For all applications, you can update the name, description, and scopes.
+	* @param options - The request body.
+	* @param options.id - The application ID or client ID of the Connect Application.
+	* @example "conn_app_01HXYZ123456789ABCDEFGHIJ"
+	* @param options.name - The name of the application.
+	* @example "My Application"
+	* @param options.description - A description for the application.
+	* @example "An application for managing user access"
+	* @param options.scopes - The OAuth scopes granted to the application.
+	* @example ["openid","profile","email"]
+	* @param options.redirectUris - Updated redirect URIs for the application. OAuth applications only.
+	* @example [{"uri":"https://example.com/callback","default":true}]
+	* @returns {Promise<ConnectApplication>}
+	* @throws {NotFoundException} 404
+	* @throws {UnprocessableEntityException} 422
+	*/
+	async updateApplication(options) {
+		const { id, ...payload } = options;
+		const { data } = await this.workos.put(`/connect/applications/${encodeURIComponent(id)}`, serializeUpdateOAuthApplication(payload));
+		return deserializeConnectApplication(data);
+	}
+	/**
+	* Delete a Connect Application
+	*
+	* Delete an existing Connect Application.
+	* @param options - The request options.
+	* @param options.id - The application ID or client ID of the Connect Application.
+	* @example "conn_app_01HXYZ123456789ABCDEFGHIJ"
+	* @returns {Promise<void>}
+	* @throws {NotFoundException} 404
+	*/
+	async deleteApplication(options) {
+		const { id } = options;
+		await this.workos.delete(`/connect/applications/${encodeURIComponent(id)}`);
+	}
+	/**
+	* List Client Secrets for a Connect Application
+	*
+	* List all client secrets associated with a Connect Application.
+	* @param options - The request options.
+	* @param options.id - The application ID or client ID of the Connect Application.
+	* @example "conn_app_01HXYZ123456789ABCDEFGHIJ"
+	* @returns {Promise<ApplicationCredentialsListItem[]>}
+	* @throws {NotFoundException} 404
+	*/
+	async listApplicationClientSecrets(options) {
+		const { id } = options;
+		const { data } = await this.workos.get(`/connect/applications/${encodeURIComponent(id)}/client_secrets`);
+		return data.map(deserializeApplicationCredentialsListItem);
+	}
+	/**
+	* Create a new client secret for a Connect Application
+	*
+	* Create new secrets for a Connect Application.
+	* @param options - The request body.
+	* @param options.id - The application ID or client ID of the Connect Application.
+	* @example "conn_app_01HXYZ123456789ABCDEFGHIJ"
+	* @returns {Promise<NewConnectApplicationSecret>}
+	* @throws {NotFoundException} 404
+	* @throws {UnprocessableEntityException} 422
+	*/
+	async createApplicationClientSecret(options) {
+		const { id, ...payload } = options;
+		const { data } = await this.workos.post(`/connect/applications/${encodeURIComponent(id)}/client_secrets`, serializeCreateApplicationSecret(payload));
+		return deserializeNewConnectApplicationSecret(data);
+	}
+	/**
+	* Delete a Client Secret
+	*
+	* Delete (revoke) an existing client secret.
+	* @param options - The request options.
+	* @param options.id - The unique ID of the client secret.
+	* @example "secret_01J9Q2Z3X4Y5W6V7U8T9S0R1Q"
+	* @returns {Promise<void>}
+	* @throws {NotFoundException} 404
+	*/
+	async deleteClientSecret(options) {
+		const { id } = options;
+		await this.workos.delete(`/connect/client_secrets/${encodeURIComponent(id)}`);
+	}
+};
+//#endregion
 //#region src/directory-sync/directory-sync.ts
 var DirectorySync = class {
+	workos;
 	constructor(workos) {
 		this.workos = workos;
 	}
@@ -2050,6 +2523,7 @@ const serializeListEventOptions = (options) => ({
 //#endregion
 //#region src/events/events.ts
 var Events = class {
+	workos;
 	constructor(workos) {
 		this.workos = workos;
 	}
@@ -2070,6 +2544,7 @@ var Events = class {
 //#endregion
 //#region src/organizations/organizations.ts
 var Organizations = class {
+	workos;
 	constructor(workos) {
 		this.workos = workos;
 	}
@@ -2172,6 +2647,7 @@ const serializeCreateOrganizationDomainOptions = (options) => ({
 //#endregion
 //#region src/organization-domains/organization-domains.ts
 var OrganizationDomains = class {
+	workos;
 	constructor(workos) {
 		this.workos = workos;
 	}
@@ -2247,6 +2723,7 @@ const deserializePasswordlessSession = (passwordlessSession) => ({
 //#endregion
 //#region src/passwordless/passwordless.ts
 var Passwordless = class {
+	workos;
 	constructor(workos) {
 		this.workos = workos;
 	}
@@ -2295,17 +2772,140 @@ function deserializeGetAccessTokenResponse(response) {
 //#endregion
 //#region src/pipes/pipes.ts
 var Pipes = class {
+	workos;
+	constructor(workos) {
+		this.workos = workos;
+	}
+	async getAccessToken({ provider, ...options }) {
+		const { data } = await this.workos.post(`data-integrations/${provider}/token`, serializeGetAccessTokenOptions(options));
+		return deserializeGetAccessTokenResponse(data);
+	}
+};
+//#endregion
+//#region src/radar/serializers/radar-standalone-response.serializer.ts
+const deserializeRadarStandaloneResponse = (response) => ({
+	verdict: response.verdict,
+	reason: response.reason,
+	attemptId: response.attempt_id,
+	control: response.control,
+	blocklistType: response.blocklist_type
+});
+//#endregion
+//#region src/radar/serializers/radar-list-entry-already-present-response.serializer.ts
+const deserializeRadarListEntryAlreadyPresentResponse = (response) => ({ message: response.message });
+//#endregion
+//#region src/radar/serializers/radar-standalone-assess-request.serializer.ts
+const serializeRadarStandaloneAssessRequest = (model) => ({
+	ip_address: model.ipAddress,
+	user_agent: model.userAgent,
+	email: model.email,
+	auth_method: model.authMethod,
+	action: model.action
+});
+//#endregion
+//#region src/radar/serializers/radar-standalone-update-radar-attempt-request.serializer.ts
+const serializeRadarStandaloneUpdateRadarAttemptRequest = (model) => ({
+	challenge_status: model.challengeStatus,
+	attempt_status: model.attemptStatus
+});
+//#endregion
+//#region src/radar/serializers/radar-standalone-update-radar-list-request.serializer.ts
+const serializeRadarStandaloneUpdateRadarListRequest = (model) => ({ entry: model.entry });
+//#endregion
+//#region src/radar/serializers/radar-standalone-delete-radar-list-entry-request.serializer.ts
+const serializeRadarStandaloneDeleteRadarListEntryRequest = (model) => ({ entry: model.entry });
+//#endregion
+//#region src/radar/radar.ts
+var Radar = class {
+	workos;
 	constructor(workos) {
 		this.workos = workos;
 	}
-	async getAccessToken({ provider, ...options }) {
-		const { data } = await this.workos.post(`data-integrations/${provider}/token`, serializeGetAccessTokenOptions(options));
-		return deserializeGetAccessTokenResponse(data);
+	/**
+	* Create an attempt
+	*
+	* Assess a request for risk using the Radar engine and receive a verdict.
+	* @param options - Object containing ipAddress, userAgent, email, authMethod, action.
+	* @param options.ipAddress - The IP address of the request to assess.
+	* @example "49.78.240.97"
+	* @param options.userAgent - The user agent string of the request to assess.
+	* @example "Mozilla/5.0"
+	* @param options.email - The email address of the user making the request.
+	* @example "user@example.com"
+	* @param options.authMethod - The authentication method being used.
+	* @example "Password"
+	* @param options.action - The action being performed.
+	* @example "sign-in"
+	* @returns {Promise<RadarStandaloneResponse>}
+	* @throws {BadRequestException} 400
+	*/
+	async createAttempt(options) {
+		const payload = options;
+		const { data } = await this.workos.post("/radar/attempts", serializeRadarStandaloneAssessRequest(payload));
+		return deserializeRadarStandaloneResponse(data);
+	}
+	/**
+	* Update a Radar attempt
+	*
+	* You may optionally inform Radar that an authentication attempt or challenge was successful using this endpoint. Some Radar controls depend on tracking recent successful attempts, such as impossible travel.
+	* @param options - The request body.
+	* @param options.id - The unique identifier of the Radar attempt to update.
+	* @example "radar_att_01HZBC6N1EB1ZY7KG32X"
+	* @param options.challengeStatus - Set to `"success"` to mark the challenge as completed.
+	* @example "success"
+	* @param options.attemptStatus - Set to `"success"` to mark the authentication attempt as successful.
+	* @example "success"
+	* @returns {Promise<void>}
+	* @throws {BadRequestException} 400
+	* @throws {NotFoundException} 404
+	*/
+	async updateAttempt(options) {
+		const { id, ...payload } = options;
+		await this.workos.put(`/radar/attempts/${encodeURIComponent(id)}`, serializeRadarStandaloneUpdateRadarAttemptRequest(payload));
+	}
+	/**
+	* Add an entry to a Radar list
+	*
+	* Add an entry to a Radar list.
+	* @param options - Object containing entry.
+	* @param options.type - The type of the Radar list (e.g. ip_address, domain, email).
+	* @example "ip_address"
+	* @param options.action - The list action indicating whether to add the entry to the allow or block list.
+	* @example "block"
+	* @param options.entry - The value to add to the list. Must match the format of the list type (e.g. a valid IP address for `ip_address`, a valid email for `email`).
+	* @example "198.51.100.42"
+	* @returns {Promise<RadarListEntryAlreadyPresentResponse>}
+	* @throws {BadRequestException} 400
+	*/
+	async addListEntry(options) {
+		const { type, action, ...payload } = options;
+		const { data } = await this.workos.post(`/radar/lists/${encodeURIComponent(type)}/${encodeURIComponent(action)}`, serializeRadarStandaloneUpdateRadarListRequest(payload));
+		return deserializeRadarListEntryAlreadyPresentResponse(data);
+	}
+	/**
+	* Remove an entry from a Radar list
+	*
+	* Remove an entry from a Radar list.
+	* @param options - Object containing entry.
+	* @param options.type - The type of the Radar list (e.g. ip_address, domain, email).
+	* @example "ip_address"
+	* @param options.action - The list action indicating whether to remove the entry from the allow or block list.
+	* @example "block"
+	* @param options.entry - The value to remove from the list. Must match an existing entry.
+	* @example "198.51.100.42"
+	* @returns {Promise<void>}
+	* @throws {BadRequestException} 400
+	* @throws {NotFoundException} 404
+	*/
+	async removeListEntry(options) {
+		const { type, action, ...payload } = options;
+		await this.workos.deleteWithBody(`/radar/lists/${encodeURIComponent(type)}/${encodeURIComponent(action)}`, serializeRadarStandaloneDeleteRadarListEntryRequest(payload));
 	}
 };
 //#endregion
 //#region src/admin-portal/admin-portal.ts
 var AdminPortal = class {
+	workos;
 	constructor(workos) {
 		this.workos = workos;
 	}
@@ -2369,6 +2969,7 @@ function encodeRFC1738(str) {
 //#endregion
 //#region src/sso/sso.ts
 var SSO = class {
+	workos;
 	constructor(workos) {
 		this.workos = workos;
 	}
@@ -2571,6 +3172,7 @@ const deserializeVerifyResponse = (verifyResponse) => ({
 //#endregion
 //#region src/multi-factor-auth/multi-factor-auth.ts
 var MultiFactorAuth = class {
+	workos;
 	constructor(workos) {
 		this.workos = workos;
 	}
@@ -2772,6 +3374,7 @@ const deserializeAuditLogSchema = (auditLogSchema) => ({
 //#endregion
 //#region src/audit-logs/audit-logs.ts
 var AuditLogs = class {
+	workos;
 	constructor(workos) {
 		this.workos = workos;
 	}
@@ -3323,7 +3926,7 @@ let _josePromise;
 * @returns Promise that resolves to the jose module
 */
 function getJose() {
-	return _josePromise ??= Promise.resolve().then(() => require("./webapi-N7c2LUJd.cjs"));
+	return _josePromise ??= Promise.resolve().then(() => require("./webapi-lTzmUixq.cjs"));
 }
 //#endregion
 //#region src/user-management/session.ts
@@ -3345,16 +3948,16 @@ var CookieSession = class {
 	async authenticate() {
 		if (!this.sessionData) return {
 			authenticated: false,
-			reason: AuthenticateWithSessionCookieFailureReason.NO_SESSION_COOKIE_PROVIDED
+			reason: "no_session_cookie_provided"
 		};
 		const session = await unsealData(this.sessionData, { password: this.cookiePassword });
 		if (!session.accessToken) return {
 			authenticated: false,
-			reason: AuthenticateWithSessionCookieFailureReason.INVALID_SESSION_COOKIE
+			reason: "invalid_session_cookie"
 		};
 		if (!await this.isValidJwt(session.accessToken)) return {
 			authenticated: false,
-			reason: AuthenticateWithSessionCookieFailureReason.INVALID_JWT
+			reason: "invalid_jwt"
 		};
 		const { decodeJwt } = await getJose();
 		const { sid: sessionId, org_id: organizationId, role, roles, permissions, entitlements, feature_flags: featureFlags } = decodeJwt(session.accessToken);
@@ -3386,15 +3989,15 @@ var CookieSession = class {
 		const session = await unsealData(this.sessionData, { password: this.cookiePassword });
 		if (!session.refreshToken || !session.user) return {
 			authenticated: false,
-			reason: RefreshSessionFailureReason.INVALID_SESSION_COOKIE
+			reason: "invalid_session_cookie"
 		};
-		const { org_id: organizationIdFromAccessToken } = decodeJwt(session.accessToken);
+		const { org_id: organizationIdFromUserManagementAccessToken } = decodeJwt(session.accessToken);
 		try {
 			const cookiePassword = options.cookiePassword ?? this.cookiePassword;
 			const authenticationResponse = await this.userManagement.authenticateWithRefreshToken({
 				clientId: this.userManagement.clientId,
 				refreshToken: session.refreshToken,
-				organizationId: options.organizationId ?? organizationIdFromAccessToken,
+				organizationId: options.organizationId ?? organizationIdFromUserManagementAccessToken,
 				session: {
 					sealSession: true,
 					cookiePassword
@@ -3419,7 +4022,7 @@ var CookieSession = class {
 				impersonator: session.impersonator
 			};
 		} catch (error) {
-			if (error instanceof OauthException && (error.error === RefreshSessionFailureReason.INVALID_GRANT || error.error === RefreshSessionFailureReason.MFA_ENROLLMENT || error.error === RefreshSessionFailureReason.SSO_REQUIRED)) return {
+			if (error instanceof OauthException && (error.error === "invalid_grant" || error.error === "mfa_enrollment" || error.error === "sso_required")) return {
 				authenticated: false,
 				reason: error.error
 			};
@@ -3458,6 +4061,7 @@ var CookieSession = class {
 //#endregion
 //#region src/user-management/user-management.ts
 var UserManagement = class {
+	workos;
 	_jwks;
 	clientId;
 	constructor(workos) {
@@ -3694,16 +4298,16 @@ var UserManagement = class {
 		const { decodeJwt } = await getJose();
 		if (!sessionData) return {
 			authenticated: false,
-			reason: AuthenticateWithSessionCookieFailureReason.NO_SESSION_COOKIE_PROVIDED
+			reason: "no_session_cookie_provided"
 		};
 		const session = await unsealData(sessionData, { password: cookiePassword });
 		if (!session.accessToken) return {
 			authenticated: false,
-			reason: AuthenticateWithSessionCookieFailureReason.INVALID_SESSION_COOKIE
+			reason: "invalid_session_cookie"
 		};
 		if (!await this.isValidJwt(session.accessToken)) return {
 			authenticated: false,
-			reason: AuthenticateWithSessionCookieFailureReason.INVALID_JWT
+			reason: "invalid_jwt"
 		};
 		const { sid: sessionId, org_id: organizationId, role, roles, permissions, entitlements, feature_flags: featureFlags } = decodeJwt(session.accessToken);
 		return {
@@ -4238,6 +4842,7 @@ var InMemoryStore = class {
 //#endregion
 //#region src/feature-flags/evaluator.ts
 var Evaluator = class {
+	store;
 	constructor(store) {
 		this.store = store;
 	}
@@ -4273,6 +4878,7 @@ const INITIAL_RETRY_MS = 1e3;
 const MAX_RETRY_MS = 6e4;
 const BACKOFF_MULTIPLIER = 2;
 var FeatureFlagsRuntimeClient = class extends eventemitter3.EventEmitter {
+	workos;
 	store;
 	evaluator;
 	pollingIntervalMs;
@@ -4455,6 +5061,7 @@ var FeatureFlagsRuntimeClient = class extends eventemitter3.EventEmitter {
 //#endregion
 //#region src/feature-flags/feature-flags.ts
 var FeatureFlags = class {
+	workos;
 	constructor(workos) {
 		this.workos = workos;
 	}
@@ -4577,45 +5184,164 @@ var FeatureFlags = class {
 //#endregion
 //#region src/groups/groups.ts
 var Groups = class {
+	workos;
 	constructor(workos) {
 		this.workos = workos;
 	}
-	async createGroup(options) {
-		const { organizationId, ...payload } = options;
-		const { data } = await this.workos.post(`/organizations/${organizationId}/groups`, serializeCreateGroupOptions(payload));
-		return deserializeGroup(data);
+	/**
+	* List Group members
+	*
+	* Get a list of organization memberships in a group.
+	* @param options - Pagination and filter options.
+	* @param options.organizationId - Unique identifier of the Organization.
+	* @example "org_01EHWNCE74X7JSDV0X3SZ3KJNY"
+	* @param options.groupId - Unique identifier of the Group.
+	* @example "group_01HXYZ123456789ABCDEFGHIJ"
+	* @returns {Promise<AutoPaginatable<AuthorizationOrganizationMembership>>}
+	* @throws {AuthorizationException} 403
+	* @throws {NotFoundException} 404
+	*/
+	async listOrganizationMemberships(options) {
+		const { organizationId, groupId, ...paginationOptions } = options;
+		const endpoint = `/organizations/${encodeURIComponent(organizationId)}/groups/${encodeURIComponent(groupId)}/organization-memberships`;
+		return new AutoPaginatable(await fetchAndDeserialize(this.workos, endpoint, deserializeAuthorizationOrganizationMembership, paginationOptions), (params) => fetchAndDeserialize(this.workos, endpoint, deserializeAuthorizationOrganizationMembership, params), paginationOptions);
 	}
+	/**
+	* List groups
+	*
+	* Get a paginated list of groups within an organization.
+	* @param options - Pagination and filter options.
+	* @param options.organizationId - The ID of the organization.
+	* @example "org_01EHWNCE74X7JSDV0X3SZ3KJNY"
+	* @returns {Promise<AutoPaginatable<Group, PaginationOptions>>}
+	* @throws {AuthorizationException} 403
+	* @throws {NotFoundException} 404
+	*/
 	async listGroups(options) {
 		const { organizationId, ...paginationOptions } = options;
-		return new AutoPaginatable(await fetchAndDeserialize(this.workos, `/organizations/${organizationId}/groups`, deserializeGroup, paginationOptions), (params) => fetchAndDeserialize(this.workos, `/organizations/${organizationId}/groups`, deserializeGroup, params), paginationOptions);
+		return new AutoPaginatable(await fetchAndDeserialize(this.workos, `/organizations/${encodeURIComponent(organizationId)}/groups`, deserializeGroup, paginationOptions), (params) => fetchAndDeserialize(this.workos, `/organizations/${encodeURIComponent(organizationId)}/groups`, deserializeGroup, params), paginationOptions);
+	}
+	/**
+	* Create a group
+	*
+	* Create a new group within an organization.
+	* @param options - Object containing name.
+	* @param options.organizationId - The ID of the organization.
+	* @example "org_01EHWNCE74X7JSDV0X3SZ3KJNY"
+	* @param options.name - The name of the Group.
+	* @example "Engineering"
+	* @param options.description - An optional description of the Group.
+	* @example "The engineering team"
+	* @returns {Promise<Group>}
+	* @throws {BadRequestException} 400
+	* @throws {AuthorizationException} 403
+	* @throws {NotFoundException} 404
+	* @throws {UnprocessableEntityException} 422
+	*/
+	async createGroup(options) {
+		const { organizationId, ...payload } = options;
+		const { data } = await this.workos.post(`/organizations/${encodeURIComponent(organizationId)}/groups`, serializeCreateGroup(payload));
+		return deserializeGroup(data);
 	}
+	/**
+	* Get a group
+	*
+	* Retrieve a group by its ID within an organization.
+	* @param options - The request options.
+	* @param options.organizationId - The ID of the organization.
+	* @example "org_01EHWNCE74X7JSDV0X3SZ3KJNY"
+	* @param options.groupId - The ID of the group.
+	* @example "group_01HXYZ123456789ABCDEFGHIJ"
+	* @returns {Promise<Group>}
+	* @throws {AuthorizationException} 403
+	* @throws {NotFoundException} 404
+	*/
 	async getGroup(options) {
 		const { organizationId, groupId } = options;
-		const { data } = await this.workos.get(`/organizations/${organizationId}/groups/${groupId}`);
+		const { data } = await this.workos.get(`/organizations/${encodeURIComponent(organizationId)}/groups/${encodeURIComponent(groupId)}`);
 		return deserializeGroup(data);
 	}
+	/**
+	* Update a group
+	*
+	* Update an existing group. Only the fields provided in the request body will be updated.
+	* @param options - The request body.
+	* @param options.organizationId - The ID of the organization.
+	* @example "org_01EHWNCE74X7JSDV0X3SZ3KJNY"
+	* @param options.groupId - The ID of the group.
+	* @example "group_01HXYZ123456789ABCDEFGHIJ"
+	* @param options.name - The name of the Group.
+	* @example "Engineering"
+	* @param options.description - An optional description of the Group.
+	* @example "The engineering team"
+	* @returns {Promise<Group>}
+	* @throws {BadRequestException} 400
+	* @throws {AuthorizationException} 403
+	* @throws {NotFoundException} 404
+	* @throws {UnprocessableEntityException} 422
+	*/
 	async updateGroup(options) {
 		const { organizationId, groupId, ...payload } = options;
-		const { data } = await this.workos.patch(`/organizations/${organizationId}/groups/${groupId}`, serializeUpdateGroupOptions(payload));
+		const { data } = await this.workos.patch(`/organizations/${encodeURIComponent(organizationId)}/groups/${encodeURIComponent(groupId)}`, serializeUpdateGroup(payload));
 		return deserializeGroup(data);
 	}
+	/**
+	* Delete a group
+	*
+	* Delete a group from an organization.
+	* @param options - The request options.
+	* @param options.organizationId - The ID of the organization.
+	* @example "org_01EHWNCE74X7JSDV0X3SZ3KJNY"
+	* @param options.groupId - The ID of the group.
+	* @example "group_01HXYZ123456789ABCDEFGHIJ"
+	* @returns {Promise<void>}
+	* @throws {AuthorizationException} 403
+	* @throws {NotFoundException} 404
+	*/
 	async deleteGroup(options) {
 		const { organizationId, groupId } = options;
-		await this.workos.delete(`/organizations/${organizationId}/groups/${groupId}`);
+		await this.workos.delete(`/organizations/${encodeURIComponent(organizationId)}/groups/${encodeURIComponent(groupId)}`);
 	}
+	/**
+	* Add a member to a Group
+	*
+	* Add an organization membership to a group.
+	* @param options - Object containing organizationMembershipId.
+	* @param options.organizationId - Unique identifier of the Organization.
+	* @example "org_01EHWNCE74X7JSDV0X3SZ3KJNY"
+	* @param options.groupId - Unique identifier of the Group.
+	* @example "group_01HXYZ123456789ABCDEFGHIJ"
+	* @param options.organizationMembershipId - The ID of the Organization Membership to add to the group.
+	* @example "om_01HXYZ123456789ABCDEFGHIJ"
+	* @returns {Promise<Group>}
+	* @throws {BadRequestException} 400
+	* @throws {AuthorizationException} 403
+	* @throws {NotFoundException} 404
+	* @throws {UnprocessableEntityException} 422
+	*/
 	async addOrganizationMembership(options) {
 		const { organizationId, groupId, ...payload } = options;
-		const { data } = await this.workos.post(`/organizations/${organizationId}/groups/${groupId}/organization-memberships`, serializeAddGroupOrganizationMembershipOptions(payload));
+		const { data } = await this.workos.post(`/organizations/${encodeURIComponent(organizationId)}/groups/${encodeURIComponent(groupId)}/organization-memberships`, serializeCreateGroupMembership(payload));
 		return deserializeGroup(data);
 	}
-	async listOrganizationMemberships(options) {
-		const { organizationId, groupId, ...paginationOptions } = options;
-		const endpoint = `/organizations/${organizationId}/groups/${groupId}/organization-memberships`;
-		return new AutoPaginatable(await fetchAndDeserialize(this.workos, endpoint, deserializeAuthorizationOrganizationMembership, paginationOptions), (params) => fetchAndDeserialize(this.workos, endpoint, deserializeAuthorizationOrganizationMembership, params), paginationOptions);
-	}
+	/**
+	* Remove a member from a Group
+	*
+	* Remove an organization membership from a group.
+	* @param options - The request options.
+	* @param options.organizationId - Unique identifier of the Organization.
+	* @example "org_01EHWNCE74X7JSDV0X3SZ3KJNY"
+	* @param options.groupId - Unique identifier of the Group.
+	* @example "group_01HXYZ123456789ABCDEFGHIJ"
+	* @param options.omId - Unique identifier of the Organization Membership.
+	* @example "om_01HXYZ123456789ABCDEFGHIJ"
+	* @returns {Promise<void>}
+	* @throws {AuthorizationException} 403
+	* @throws {NotFoundException} 404
+	*/
 	async removeOrganizationMembership(options) {
 		const { organizationId, groupId, organizationMembershipId } = options;
-		await this.workos.delete(`/organizations/${organizationId}/groups/${groupId}/organization-memberships/${organizationMembershipId}`);
+		await this.workos.delete(`/organizations/${encodeURIComponent(organizationId)}/groups/${encodeURIComponent(groupId)}/organization-memberships/${encodeURIComponent(organizationMembershipId)}`);
 	}
 };
 //#endregion
@@ -4629,6 +5355,7 @@ const deserializeGetTokenResponse = (data) => ({ token: data.token });
 //#endregion
 //#region src/widgets/widgets.ts
 var Widgets = class {
+	workos;
 	constructor(workos) {
 		this.workos = workos;
 	}
@@ -4751,7 +5478,6 @@ const serializeListAuthorizationResourcesOptions = (options) => ({
 	...options.parentResourceId && { parent_resource_id: options.parentResourceId },
 	...options.parentResourceTypeSlug && { parent_resource_type_slug: options.parentResourceTypeSlug },
 	...options.parentExternalId && { parent_external_id: options.parentExternalId },
-	...options.search && { search: options.search },
 	...serializePaginationOptions(options)
 });
 //#endregion
@@ -4837,6 +5563,7 @@ const serializeListEffectivePermissionsOptions = (options) => ({ ...serializePag
 //#endregion
 //#region src/authorization/authorization.ts
 var Authorization = class {
+	workos;
 	constructor(workos) {
 		this.workos = workos;
 	}
@@ -5698,6 +6425,105 @@ function hasContinuationBit(byte) {
 	return (byte & CONTINUATION_BIT) !== 0;
 }
 //#endregion
+//#region src/vault/serializers/create-data-key-response.serializer.ts
+const deserializeCreateDataKeyResponse = (response) => ({
+	context: response.context,
+	dataKey: response.data_key,
+	encryptedKeys: response.encrypted_keys,
+	id: response.id
+});
+//#endregion
+//#region src/vault/serializers/decrypt-response.serializer.ts
+const deserializeDecryptResponse = (response) => ({
+	dataKey: response.data_key,
+	id: response.id
+});
+//#endregion
+//#region src/vault/serializers/actor.serializer.ts
+const deserializeActor = (response) => ({
+	id: response.id,
+	name: response.name
+});
+//#endregion
+//#region src/vault/serializers/object-metadata.serializer.ts
+const deserializeObjectMetadata = (response) => ({
+	context: response.context,
+	environmentId: response.environment_id,
+	id: response.id,
+	keyId: response.key_id,
+	updatedAt: new Date(response.updated_at),
+	updatedBy: deserializeActor(response.updated_by),
+	versionId: response.version_id ?? null
+});
+//#endregion
+//#region src/vault/serializers/vault-object.serializer.ts
+const deserializeVaultObject = (response) => ({
+	id: response.id,
+	metadata: deserializeObjectMetadata(response.metadata),
+	name: response.name,
+	value: response.value
+});
+//#endregion
+//#region src/vault/serializers/object-without-value.serializer.ts
+const deserializeObjectWithoutValue = (response) => ({
+	id: response.id,
+	metadata: deserializeObjectMetadata(response.metadata),
+	name: response.name
+});
+//#endregion
+//#region src/vault/serializers/object-version.serializer.ts
+const deserializeObjectVersion = (response) => ({
+	createdAt: new Date(response.created_at),
+	currentVersion: response.current_version,
+	etag: response.etag ?? "",
+	id: response.id,
+	size: response.size ?? 0
+});
+//#endregion
+//#region src/vault/serializers/list-metadata.serializer.ts
+const deserializeListMetadata = (response) => ({
+	after: response.after ?? null,
+	before: response.before ?? null
+});
+//#endregion
+//#region src/vault/serializers/version-list-response.serializer.ts
+const deserializeVersionListResponse = (response) => ({
+	data: response.data.map(deserializeObjectVersion),
+	listMetadata: deserializeListMetadata(response.list_metadata)
+});
+//#endregion
+//#region src/vault/serializers/object-summary.serializer.ts
+const deserializeObjectSummary = (response) => ({
+	id: response.id,
+	name: response.name,
+	updatedAt: response.updated_at != null ? new Date(response.updated_at) : null
+});
+//#endregion
+//#region src/vault/serializers/create-data-key-request.serializer.ts
+const serializeCreateDataKeyRequest = (model) => ({ context: model.context });
+//#endregion
+//#region src/vault/serializers/decrypt-request.serializer.ts
+const serializeDecryptRequest = (model) => ({ keys: model.keys });
+//#endregion
+//#region src/vault/serializers/rekey-request.serializer.ts
+const serializeRekeyRequest = (model) => ({
+	context: model.context,
+	encrypted_keys: model.encryptedKeys
+});
+//#endregion
+//#region src/vault/serializers/create-object-request.serializer.ts
+const serializeCreateObjectRequest = (model) => ({
+	key_context: model.keyContext,
+	name: model.name,
+	value: model.value
+});
+//#endregion
+//#region src/vault/serializers/update-object-request.serializer.ts
+const serializeUpdateObjectRequest = (model) => ({
+	value: model.value,
+	version_check: model.versionCheck ?? null
+});
+//#endregion
 //#region src/common/utils/base64.ts
 /**
 * Cross-runtime compatible base64 encoding/decoding utilities
@@ -5727,127 +6553,235 @@ function uint8ArrayToBase64(bytes) {
 	else throw new Error("No base64 encoding implementation available");
 }
 //#endregion
-//#region src/vault/serializers/vault-key.serializer.ts
-const deserializeCreateDataKeyResponse = (key) => ({
-	context: key.context,
-	dataKey: {
-		key: key.data_key,
-		id: key.id
-	},
-	encryptedKeys: key.encrypted_keys
-});
-const deserializeDecryptDataKeyResponse = (key) => ({
-	key: key.data_key,
-	id: key.id
-});
-//#endregion
-//#region src/vault/serializers/vault-object.serializer.ts
-const deserializeObjectMetadata = (metadata) => ({
-	context: metadata.context,
-	environmentId: metadata.environment_id,
-	id: metadata.id,
-	keyId: metadata.key_id,
-	updatedAt: new Date(Date.parse(metadata.updated_at)),
-	updatedBy: metadata.updated_by,
-	versionId: metadata.version_id
-});
-const deserializeObject = (object) => ({
-	id: object.id,
-	name: object.name,
-	...object.value !== void 0 && { value: object.value },
-	metadata: deserializeObjectMetadata(object.metadata)
-});
-const deserializeObjectDigest = (digest) => ({
-	id: digest.id,
-	name: digest.name,
-	updatedAt: new Date(Date.parse(digest.updated_at))
-});
-const deserializeListObjects = (list) => ({
-	object: "list",
-	data: list.data.map(deserializeObjectDigest),
-	listMetadata: {
-		...list.list_metadata.after !== void 0 && { after: list.list_metadata.after },
-		...list.list_metadata.before !== void 0 && { before: list.list_metadata.before }
-	}
-});
-const desrializeListObjectVersions = (list) => list.data.map(deserializeObjectVersion);
-const deserializeObjectVersion = (version) => ({
-	createdAt: new Date(Date.parse(version.created_at)),
-	currentVersion: version.current_version,
-	id: version.id
-});
-const serializeCreateObjectEntity = (options) => ({
-	name: options.name,
-	value: options.value,
-	key_context: options.context
-});
-const serializeUpdateObjectEntity = (options) => ({
-	value: options.value,
-	version_check: options.versionCheck
-});
-//#endregion
 //#region src/vault/vault.ts
+const serializeListObjectsOptions = (options) => {
+	const wire = {
+		limit: options.limit,
+		before: options.before,
+		after: options.after,
+		order: options.order
+	};
+	if (options.search !== void 0) wire.search = options.search;
+	if (options.updatedAfter !== void 0) wire.updated_after = options.updatedAfter;
+	return wire;
+};
 var Vault = class {
-	cryptoProvider;
+	workos;
 	constructor(workos) {
 		this.workos = workos;
-		this.cryptoProvider = workos.getCryptoProvider();
 	}
-	decode(payload) {
-		const inputData = base64ToUint8Array(payload);
-		const iv = new Uint8Array(inputData.subarray(0, 12));
-		const tag = new Uint8Array(inputData.subarray(12, 28));
-		const { value: keyLen, nextIndex } = decodeUInt32(inputData, 28);
+	async readObjectByName(options) {
+		const name = typeof options === "string" ? options : options.name;
+		const { data } = await this.workos.get(`/vault/v1/kv/name/${encodeURIComponent(name)}`);
+		return deserializeVaultObject(data);
+	}
+	/**
+	* Create a data key
+	*
+	* Generate an isolated encryption key for local encryption operations.
+	* @param options - Object containing context.
+	* @param options.context - Map of values used to determine the encryption key.
+	* @example {"organization_id":"org_01K8ZYT4AWJ6XP0E0S8CTBHE3P"}
+	* @returns {Promise<DataKeyPair>}
+	* @throws {BadRequestException} 400
+	* @throws {UnprocessableEntityException} 422
+	*/
+	async createDataKey(options) {
+		const payload = options;
+		const { data } = await this.workos.post("/vault/v1/keys/data-key", serializeCreateDataKeyRequest(payload));
+		const result = deserializeCreateDataKeyResponse(data);
 		return {
-			iv,
-			tag,
-			keys: uint8ArrayToBase64(inputData.subarray(nextIndex, nextIndex + keyLen)),
-			ciphertext: new Uint8Array(inputData.subarray(nextIndex + keyLen))
+			context: result.context,
+			dataKey: {
+				key: result.dataKey,
+				id: result.id
+			},
+			encryptedKeys: result.encryptedKeys
 		};
 	}
-	async createObject(options) {
-		const { data } = await this.workos.post(`/vault/v1/kv`, serializeCreateObjectEntity(options));
-		return deserializeObjectMetadata(data);
+	/**
+	* Decrypt a data key
+	*
+	* Decrypt a previously encrypted data key from WorkOS Vault.
+	* @param options - Object containing keys.
+	* @param options.keys - Base64-encoded encrypted data key to decrypt.
+	* @example "V09TLkVLTS52MQBiZjUxY2NlYy03OGI0LTUyMDAtYjM4My0zNTczMGU3MWVmNjEBATEBJGJmNjVlMzI2LTQzYTAtNGIyMC04OGM0LTA3ZmYzZGU1NDM0YwF0YmY2NWUzMjYtNDNhMC00YjIwLTg4YzQtMDdmZjNkZTU0MzRj"
+	* @returns {Promise<DataKey>}
+	* @throws {BadRequestException} 400
+	*/
+	async decryptDataKey(options) {
+		const payload = options;
+		const { data } = await this.workos.post("/vault/v1/keys/decrypt", serializeDecryptRequest(payload));
+		const result = deserializeDecryptResponse(data);
+		return {
+			key: result.dataKey,
+			id: result.id
+		};
+	}
+	/**
+	* Re-encrypt a data key
+	*
+	* Decrypt an existing data key and re-encrypt it under a new key context.
+	* @param options - Object containing context, encryptedKeys.
+	* @param options.context - Map of values used to determine the new encryption key.
+	* @example {"organization_id":"org_01K8ZYT4AWJ6XP0E0S8CTBHE3P"}
+	* @param options.encryptedKeys - Base64-encoded encrypted data key blob to re-encrypt.
+	* @example "V09TLkVLTS52MQBiZjUxY2NlYy03OGI0LTUyMDAtYjM4My0zNTczMGU3MWVmNjEBATEBJGJmNjVlMzI2LTQzYTAtNGIyMC04OGM0LTA3ZmYzZGU1NDM0YwF0YmY2NWUzMjYtNDNhMC00YjIwLTg4YzQtMDdmZjNkZTU0MzRj"
+	* @returns {Promise<CreateDataKeyResponse>}
+	* @throws {BadRequestException} 400
+	* @throws {UnprocessableEntityException} 422
+	*/
+	async createRekey(options) {
+		const payload = options;
+		const { data } = await this.workos.post("/vault/v1/keys/rekey", serializeRekeyRequest(payload));
+		return deserializeCreateDataKeyResponse(data);
 	}
+	/**
+	* List objects
+	*
+	* List all encrypted objects with cursor-based pagination.
+	* @param options - Pagination and filter options.
+	* @returns {Promise<AutoPaginatable<ObjectSummary, PaginationOptions>>}
+	* @throws {BadRequestException} 400
+	*/
 	async listObjects(options) {
-		const url = new URL("/vault/v1/kv", this.workos.baseURL);
-		if (options?.after) url.searchParams.set("after", options.after);
-		if (options?.before) url.searchParams.set("before", options.before);
-		if (options?.limit) url.searchParams.set("limit", options.limit.toString());
-		if (options?.order) url.searchParams.set("order", options.order);
-		const { data } = await this.workos.get(url.toString());
-		return deserializeListObjects(data);
+		const paginationOptions = options;
+		return new AutoPaginatable(await fetchAndDeserialize(this.workos, "/vault/v1/kv", deserializeObjectSummary, options ? serializeListObjectsOptions(options) : void 0), (params) => fetchAndDeserialize(this.workos, "/vault/v1/kv", deserializeObjectSummary, params), paginationOptions);
 	}
-	async listObjectVersions(options) {
-		const { data } = await this.workos.get(`/vault/v1/kv/${encodeURIComponent(options.id)}/versions`);
-		return desrializeListObjectVersions(data);
+	/**
+	* Create an object
+	*
+	* Encrypt and store a new key-value object.
+	* @param options - Object containing keyContext, name, value.
+	* @param options.keyContext - Map of values used to determine the encryption key.
+	* @example {"organization_id":"org_01K8ZYT4AWJ6XP0E0S8CTBHE3P"}
+	* @param options.name - Unique name for the object.
+	* @example "my-secret"
+	* @param options.value - Plaintext data to encrypt and store.
+	* @example "s3cr3t-v4lu3"
+	* @returns {Promise<ObjectMetadata>}
+	* @throws {BadRequestException} 400
+	* @throws {ConflictException} 409
+	* @throws {UnprocessableEntityException} 422
+	*/
+	async createObject(options) {
+		const payload = options;
+		const requestPayload = {
+			...payload,
+			keyContext: payload.context
+		};
+		const { data } = await this.workos.post("/vault/v1/kv", serializeCreateObjectRequest(requestPayload));
+		return deserializeObjectMetadata(data);
 	}
+	/**
+	* Read an object by ID
+	*
+	* Fetch and decrypt an object by its unique identifier.
+	* @param options - The request options.
+	* @param options.id - Unique identifier of the object.
+	* @example "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
+	* @returns {Promise<VaultObject>}
+	* @throws {BadRequestException} 400
+	* @throws {NotFoundException} 404
+	*/
 	async readObject(options) {
-		const { data } = await this.workos.get(`/vault/v1/kv/${encodeURIComponent(options.id)}`);
-		return deserializeObject(data);
+		const { id } = options;
+		const { data } = await this.workos.get(`/vault/v1/kv/${encodeURIComponent(id)}`);
+		return deserializeVaultObject(data);
+	}
+	/**
+	* Update an object
+	*
+	* Update the value of an existing encrypted object.
+	* @param options - Object containing value.
+	* @param options.id - Unique identifier of the object.
+	* @example "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
+	* @param options.value - New plaintext value.
+	* @example "upd4t3d-v4lu3"
+	* @param options.versionCheck - ID of the expected current version for optimistic locking.
+	* @example "c3d4e5f6-7890-abcd-ef12-34567890abcd"
+	* @returns {Promise<VaultObject>}
+	* @throws {BadRequestException} 400
+	* @throws {ConflictException} 409
+	*/
+	async updateObject(options) {
+		const { id, ...payload } = options;
+		const { data } = await this.workos.put(`/vault/v1/kv/${encodeURIComponent(id)}`, serializeUpdateObjectRequest(payload));
+		return {
+			...deserializeObjectWithoutValue(data),
+			value: void 0
+		};
 	}
-	async readObjectByName(name) {
-		const { data } = await this.workos.get(`/vault/v1/kv/name/${encodeURIComponent(name)}`);
-		return deserializeObject(data);
+	/**
+	* Delete an object
+	*
+	* Delete an encrypted object.
+	* @param options - Additional query options.
+	* @param options.id - Unique identifier of the object.
+	* @example "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
+	* @param options.versionCheck - Expected current version for optimistic locking.
+	* @example "c3d4e5f6-7890-abcd-ef12-34567890abcd"
+	* @returns {Promise<void>}
+	* @throws {NotFoundException} 404
+	* @throws {ConflictException} 409
+	*/
+	async deleteObject(options) {
+		const { id } = options;
+		await this.workos.delete(`/vault/v1/kv/${encodeURIComponent(id)}`, { query: { ...options.versionCheck !== void 0 && { version_check: options.versionCheck } } });
 	}
+	/**
+	* Describe an object
+	*
+	* Fetch metadata for an object without decrypting it.
+	* @param options - The request options.
+	* @param options.id - Unique identifier of the object.
+	* @example "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
+	* @returns {Promise<VaultObject>}
+	* @throws {BadRequestException} 400
+	* @throws {NotFoundException} 404
+	*/
 	async describeObject(options) {
-		const { data } = await this.workos.get(`/vault/v1/kv/${encodeURIComponent(options.id)}/metadata`);
-		return deserializeObject(data);
-	}
-	async updateObject(options) {
-		const { data } = await this.workos.put(`/vault/v1/kv/${encodeURIComponent(options.id)}`, serializeUpdateObjectEntity(options));
-		return deserializeObject(data);
+		const { id } = options;
+		const { data } = await this.workos.get(`/vault/v1/kv/${encodeURIComponent(id)}/metadata`);
+		return {
+			...deserializeObjectWithoutValue(data),
+			value: void 0
+		};
 	}
-	async deleteObject(options) {
-		return this.workos.delete(`/vault/v1/kv/${encodeURIComponent(options.id)}`);
+	/**
+	* List object versions
+	*
+	* Retrieve all versions for a specific object.
+	* @param options - The request options.
+	* @param options.id - Unique identifier of the object.
+	* @example "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
+	* @returns {Promise<ObjectVersion[]>}
+	* @throws {BadRequestException} 400
+	* @throws {NotFoundException} 404
+	*/
+	async listObjectVersions(options) {
+		const { id } = options;
+		const { data } = await this.workos.get(`/vault/v1/kv/${encodeURIComponent(id)}/versions`);
+		return deserializeVersionListResponse(data).data;
 	}
-	async createDataKey(options) {
-		const { data } = await this.workos.post(`/vault/v1/keys/data-key`, options);
-		return deserializeCreateDataKeyResponse(data);
+	decode(payload) {
+		const inputData = base64ToUint8Array(payload);
+		const iv = new Uint8Array(inputData.subarray(0, 12));
+		const tag = new Uint8Array(inputData.subarray(12, 28));
+		const { value: keyLen, nextIndex } = decodeUInt32(inputData, 28);
+		return {
+			iv,
+			tag,
+			keys: uint8ArrayToBase64(inputData.subarray(nextIndex, nextIndex + keyLen)),
+			ciphertext: new Uint8Array(inputData.subarray(nextIndex + keyLen))
+		};
 	}
-	async decryptDataKey(options) {
-		const { data } = await this.workos.post(`/vault/v1/keys/decrypt`, options);
-		return deserializeDecryptDataKeyResponse(data);
+	async decrypt(encryptedData, associatedData) {
+		const decoded = this.decode(encryptedData);
+		const key = base64ToUint8Array((await this.decryptDataKey({ keys: decoded.keys })).key);
+		const aadBuffer = associatedData ? new TextEncoder().encode(associatedData) : void 0;
+		const decrypted = await this.workos.getCryptoProvider().decrypt(decoded.ciphertext, key, decoded.iv, decoded.tag, aadBuffer);
+		return new TextDecoder().decode(decrypted);
 	}
 	async encrypt(data, context, associatedData) {
 		const keyPair = await this.createDataKey({ context });
@@ -5856,8 +6790,9 @@ var Vault = class {
 		const keyBlob = base64ToUint8Array(keyPair.encryptedKeys);
 		const prefixLenBuffer = encodeUInt32(keyBlob.length);
 		const aadBuffer = associatedData ? encoder.encode(associatedData) : void 0;
-		const iv = this.cryptoProvider.randomBytes(12);
-		const { ciphertext, iv: resultIv, tag } = await this.cryptoProvider.encrypt(encoder.encode(data), key, iv, aadBuffer);
+		const cryptoProvider = this.workos.getCryptoProvider();
+		const iv = cryptoProvider.randomBytes(12);
+		const { ciphertext, iv: resultIv, tag } = await cryptoProvider.encrypt(encoder.encode(data), key, iv, aadBuffer);
 		const resultArray = new Uint8Array(resultIv.length + tag.length + prefixLenBuffer.length + keyBlob.length + ciphertext.length);
 		let offset = 0;
 		resultArray.set(resultIv, offset);
@@ -5871,60 +6806,10 @@ var Vault = class {
 		resultArray.set(ciphertext, offset);
 		return uint8ArrayToBase64(resultArray);
 	}
-	async decrypt(encryptedData, associatedData) {
-		const decoded = this.decode(encryptedData);
-		const key = base64ToUint8Array((await this.decryptDataKey({ keys: decoded.keys })).key);
-		const encoder = new TextEncoder();
-		const aadBuffer = associatedData ? encoder.encode(associatedData) : void 0;
-		const decrypted = await this.cryptoProvider.decrypt(decoded.ciphertext, key, decoded.iv, decoded.tag, aadBuffer);
-		return new TextDecoder().decode(decrypted);
-	}
 };
 //#endregion
-//#region src/common/utils/runtime-info.ts
-/**
-* Get runtime information including name and version.
-* Safely extracts version information for different JavaScript runtimes.
-* @returns RuntimeInfo object with name and optional version
-*/
-function getRuntimeInfo() {
-	const name = detectRuntime();
-	let version;
-	try {
-		switch (name) {
-			case "node":
-				version = typeof process !== "undefined" ? process.version : void 0;
-				break;
-			case "deno":
-				version = globalThis.Deno?.version?.deno;
-				break;
-			case "bun":
-				version = globalThis.Bun?.version || extractBunVersionFromUserAgent();
-				break;
-			default:
-				version = void 0;
-				break;
-		}
-	} catch {
-		version = void 0;
-	}
-	return {
-		name,
-		version
-	};
-}
-/**
-* Extract Bun version from navigator.userAgent as fallback.
-* @returns Bun version string or undefined
-*/
-function extractBunVersionFromUserAgent() {
-	try {
-		if (typeof navigator !== "undefined" && navigator.userAgent) return navigator.userAgent.match(/Bun\/(\d+\.\d+\.\d+)/)?.[1];
-	} catch {}
-}
-//#endregion
 //#region package.json
-var version = "9.3.0";
+var version = "10.0.0";
 //#endregion
 //#region src/workos.ts
 const DEFAULT_HOSTNAME = "api.workos.com";
@@ -5945,6 +6830,7 @@ var WorkOS = class {
 	auditLogs = new AuditLogs(this);
 	authorization = new Authorization(this);
 	directorySync = new DirectorySync(this);
+	connect = new Connect(this);
 	events = new Events(this);
 	featureFlags = new FeatureFlags(this);
 	groups = new Groups(this);
@@ -5953,6 +6839,7 @@ var WorkOS = class {
 	organizationDomains = new OrganizationDomains(this);
 	passwordless = new Passwordless(this);
 	pipes = new Pipes(this);
+	radar = new Radar(this);
 	adminPortal = new AdminPortal(this);
 	sso = new SSO(this);
 	userManagement;
@@ -6003,18 +6890,11 @@ var WorkOS = class {
 		const userAgent = this.createUserAgent(this.options);
 		this.client = this.createHttpClient(this.options, userAgent);
 	}
-	createUserAgent(options) {
-		let userAgent = `workos-node/${version}`;
-		const { name: runtimeName, version: runtimeVersion } = getRuntimeInfo();
-		userAgent += ` (${runtimeName}${runtimeVersion ? `/${runtimeVersion}` : ""})`;
-		if (options.appInfo) {
-			const { name, version } = options.appInfo;
-			userAgent += ` ${name}: ${version}`;
-		}
-		return userAgent;
+	createUserAgent(_options) {
+		return `workos-node/${version}`;
 	}
 	createWebhookClient() {
-		return new Webhooks(this.getCryptoProvider());
+		return new Webhooks(this);
 	}
 	createActionsClient() {
 		return new Actions(this.getCryptoProvider());
@@ -6481,12 +7361,24 @@ Object.defineProperty(exports, "createWorkOS", {
 		return createWorkOS;
 	}
 });
+Object.defineProperty(exports, "deserializeGetTokenResponse", {
+	enumerable: true,
+	get: function() {
+		return deserializeGetTokenResponse;
+	}
+});
 Object.defineProperty(exports, "isAuthenticationErrorData", {
 	enumerable: true,
 	get: function() {
 		return isAuthenticationErrorData;
 	}
 });
+Object.defineProperty(exports, "serializeGetTokenOptions", {
+	enumerable: true,
+	get: function() {
+		return serializeGetTokenOptions;
+	}
+});
 Object.defineProperty(exports, "serializeRevokeSessionOptions", {
 	enumerable: true,
 	get: function() {
@@ -6494,4 +7386,4 @@ Object.defineProperty(exports, "serializeRevokeSessionOptions", {
 	}
 });
 
-//# sourceMappingURL=factory-5S80C27h.cjs.map
+//# sourceMappingURL=factory-CKDJjzbQ.cjs.map