@zapier/zapier-sdk-cli 0.47.0 → 0.48.0

package/dist/login.cjs

@@ -1,12 +1,13 @@
 'use strict';
 
-var Conf = require('conf');
-var fs = require('fs');
 var jwt = require('jsonwebtoken');
 var crossKeychain = require('cross-keychain');
+var Conf = require('conf');
+var fs = require('fs');
 var crypto = require('crypto');
 var path = require('path');
 var lockfile = require('proper-lockfile');
+var zod = require('zod');
 
 function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
 
@@ -28,8 +29,8 @@ function _interopNamespace(e) {
   return Object.freeze(n);
 }
 
-var Conf__default = /*#__PURE__*/_interopDefault(Conf);
 var jwt__namespace = /*#__PURE__*/_interopNamespace(jwt);
+var Conf__default = /*#__PURE__*/_interopDefault(Conf);
 var lockfile__namespace = /*#__PURE__*/_interopNamespace(lockfile);
 
 // src/login/index.ts
@@ -108,6 +109,30 @@ async function clearTokensFromKeychain({
     }
   });
 }
+var DEFAULT_AUTH_BASE_URL = "https://zapier.com";
+var config = null;
+function getConfig() {
+  if (!config) {
+    config = new Conf__default.default({ projectName: "zapier-sdk-cli" });
+    if (!config.has("login_storage_mode")) {
+      config.set(
+        "login_storage_mode",
+        fs.existsSync(config.path) ? "config" : "keychain"
+      );
+    }
+  }
+  return config;
+}
+function resetConfig() {
+  config = null;
+}
+
+// src/login/legacy-jwt.ts
+function clearLegacyJwtConfigKeys(config2) {
+  config2.delete("login_jwt");
+  config2.delete("login_refresh_token");
+  config2.delete("login_expires_at");
+}
 var SERVICE2 = "zapier-sdk-cache";
 var CONFIG_KEY = "cache";
 var LOCK_UPDATE_MS = 5e3;
@@ -235,6 +260,63 @@ function createCache() {
     }
   };
 }
+var SERVICE3 = "zapier-sdk-cli";
+var CREDENTIALS_KEY = "credentials";
+var REGISTRY_KEY = "credentialsRegistry";
+var CredentialsEntrySchema = zod.z.object({
+  name: zod.z.string(),
+  clientId: zod.z.string(),
+  createdAt: zod.z.number(),
+  scopes: zod.z.array(zod.z.string()),
+  baseUrl: zod.z.string()
+});
+function normalizeBaseUrl(baseUrl) {
+  return baseUrl ?? DEFAULT_AUTH_BASE_URL;
+}
+function keychainAccount2(key) {
+  return crypto.createHash("sha256").update(key).digest("hex");
+}
+function buildKeychainKey(clientId, scopes, baseUrl) {
+  const sortedScopes = [...scopes].sort().join(",");
+  return `zapier-sdk/client-credentials-secret/${clientId}:${sortedScopes}:${baseUrl}`;
+}
+function findEntry(registry, name, baseUrl) {
+  return registry.find((e) => e.name === name && e.baseUrl === baseUrl);
+}
+function readRegistry() {
+  const stored = getConfig().get(REGISTRY_KEY);
+  if (!Array.isArray(stored)) return [];
+  return stored.flatMap((entry) => {
+    const result = CredentialsEntrySchema.safeParse(entry);
+    return result.success ? [result.data] : [];
+  });
+}
+function getActiveCredentials(options) {
+  const name = getConfig().get(CREDENTIALS_KEY);
+  if (!name) return void 0;
+  return findEntry(readRegistry(), name, normalizeBaseUrl(options?.baseUrl));
+}
+async function getStoredClientCredentials(options) {
+  const entry = options?.name ? findEntry(readRegistry(), options.name, normalizeBaseUrl(options.baseUrl)) : getActiveCredentials(options);
+  if (!entry) return void 0;
+  const keychainKey = buildKeychainKey(
+    entry.clientId,
+    entry.scopes,
+    entry.baseUrl
+  );
+  const clientSecret = await enqueue(async () => {
+    await getBackendInfo();
+    return crossKeychain.getPassword(SERVICE3, keychainAccount2(keychainKey));
+  });
+  if (!clientSecret) return void 0;
+  return {
+    type: "client_credentials",
+    clientId: entry.clientId,
+    clientSecret,
+    baseUrl: entry.baseUrl,
+    scope: [...entry.scopes].sort().join(" ")
+  };
+}
 
 // src/login/index.ts
 var ZapierAuthenticationError = class extends Error {
@@ -243,7 +325,6 @@ var ZapierAuthenticationError = class extends Error {
     this.name = "ZapierAuthenticationError";
   }
 };
-var config = null;
 var DEFAULT_AUTH_CLIENT_ID = "grwWZD5hUWGvb4V8ODBuOtXer3h0DBEZ2HR8aay6";
 var TOKEN_REFRESH_BUFFER_MS = 5 * 60 * 1e3;
 function createDebugLog(enabled) {
@@ -269,7 +350,6 @@ function getAuthClientId(clientId) {
   return clientId || DEFAULT_AUTH_CLIENT_ID;
 }
 var AUTH_MODE_HEADER = "X-Auth";
-var DEFAULT_AUTH_BASE_URL = "https://zapier.com";
 function getAuthTokenUrl(options) {
   const authBaseUrl = options?.baseUrl || DEFAULT_AUTH_BASE_URL;
   return `${authBaseUrl}/oauth/token/`;
@@ -279,29 +359,16 @@ function getAuthAuthorizeUrl(options) {
   return `${authBaseUrl}/oauth/authorize/`;
 }
 function getPkceLoginConfig(options) {
+  const effectiveBaseUrl = options?.credentials?.baseUrl ?? options?.baseUrl;
   return {
     clientId: getAuthClientId(options?.credentials?.clientId),
-    tokenUrl: getAuthTokenUrl({ baseUrl: options?.credentials?.baseUrl }),
-    authorizeUrl: getAuthAuthorizeUrl({
-      baseUrl: options?.credentials?.baseUrl
-    })
+    tokenUrl: getAuthTokenUrl({ baseUrl: effectiveBaseUrl }),
+    authorizeUrl: getAuthAuthorizeUrl({ baseUrl: effectiveBaseUrl })
   };
 }
 var cachedLogin;
-function getConfig() {
-  if (!config) {
-    config = new Conf__default.default({ projectName: "zapier-sdk-cli" });
-    if (!config.has("login_storage_mode")) {
-      config.set(
-        "login_storage_mode",
-        fs.existsSync(config.path) ? "config" : "keychain"
-      );
-    }
-  }
-  return config;
-}
 function unloadConfig() {
-  config = null;
+  resetConfig();
   cachedLogin = void 0;
 }
 async function updateLogin(loginData, options = {}) {
@@ -574,9 +641,7 @@ async function logout(options = {}) {
   await clearTokensFromKeychain();
   const cfg = getConfig();
   cfg.set("login_storage_mode", mode);
-  cfg.delete("login_expires_at");
-  cfg.delete("login_jwt");
-  cfg.delete("login_refresh_token");
+  clearLegacyJwtConfigKeys(cfg);
   onEvent?.({
     type: "auth_logout",
     payload: { message: "Logged out successfully", operation: "logout" },
@@ -589,8 +654,11 @@ function getConfigPath() {
 }
 
 exports.AUTH_MODE_HEADER = AUTH_MODE_HEADER;
+exports.DEFAULT_AUTH_BASE_URL = DEFAULT_AUTH_BASE_URL;
 exports.ZapierAuthenticationError = ZapierAuthenticationError;
+exports.clearTokensFromKeychain = clearTokensFromKeychain;
 exports.createCache = createCache;
+exports.getActiveCredentials = getActiveCredentials;
 exports.getAuthAuthorizeUrl = getAuthAuthorizeUrl;
 exports.getAuthTokenUrl = getAuthTokenUrl;
 exports.getConfig = getConfig;
@@ -598,6 +666,7 @@ exports.getConfigPath = getConfigPath;
 exports.getLoggedInUser = getLoggedInUser;
 exports.getLoginStorageMode = getLoginStorageMode;
 exports.getPkceLoginConfig = getPkceLoginConfig;
+exports.getStoredClientCredentials = getStoredClientCredentials;
 exports.getToken = getToken;
 exports.logout = logout;
 exports.unloadConfig = unloadConfig;

package/dist/login.d.mts

@@ -1,4 +1,9 @@
 import Conf from 'conf';
+import { ClientCredentialsObject } from '@zapier/zapier-sdk';
+import { z } from 'zod';
+
+declare const DEFAULT_AUTH_BASE_URL = "https://zapier.com";
+declare function getConfig(): Conf;
 
 /**
  * Default filesystem + OS keychain cache adapter for the SDK.
@@ -26,6 +31,27 @@ declare function createCache(): {
     withLock<T>(key: string, fn: () => Promise<T>): Promise<T>;
 };
 
+declare const CredentialsEntrySchema: z.ZodObject<{
+    name: z.ZodString;
+    clientId: z.ZodString;
+    createdAt: z.ZodNumber;
+    scopes: z.ZodArray<z.ZodString>;
+    baseUrl: z.ZodString;
+}, z.core.$strip>;
+type CredentialsEntry = z.infer<typeof CredentialsEntrySchema>;
+declare function getActiveCredentials(options?: {
+    baseUrl?: string;
+}): CredentialsEntry | undefined;
+declare function getStoredClientCredentials(options?: {
+    name?: string;
+    baseUrl?: string;
+}): Promise<ClientCredentialsObject | undefined>;
+
+type DebugLog = (message: string, data?: unknown) => void;
+declare function clearTokensFromKeychain({ debugLog, }?: {
+    debugLog?: DebugLog;
+}): Promise<void>;
+
 /**
  * Zapier SDK CLI Login Package
  *
@@ -91,12 +117,13 @@ interface PkceLoginConfig {
 /**
  * Gets all configuration needed for the PKCE login flow.
  * Credentials should have baseUrl already resolved by SDK.
+ * baseUrl is a fallback used when credentials carry no baseUrl of their own.
  */
 declare function getPkceLoginConfig(options?: {
     credentials?: PkceCredentials;
+    baseUrl?: string;
 }): PkceLoginConfig;
 type LoginStorageMode = "keychain" | "config";
-declare function getConfig(): Conf;
 /**
  * Drops the cached Conf instance so the next getConfig() call re-initializes
  * from disk (including re-running the pre-existing file detection).
@@ -141,4 +168,4 @@ declare function logout(options?: Pick<AuthOptions, "onEvent">): Promise<void>;
  */
 declare function getConfigPath(): string;
 
-export { AUTH_MODE_HEADER, type AuthOptions, type LoginData, type LoginStorageMode, type PkceCredentials, type PkceLoginConfig, ZapierAuthenticationError, createCache, getAuthAuthorizeUrl, getAuthTokenUrl, getConfig, getConfigPath, getLoggedInUser, getLoginStorageMode, getPkceLoginConfig, getToken, logout, unloadConfig, updateLogin };
+export { AUTH_MODE_HEADER, type AuthOptions, DEFAULT_AUTH_BASE_URL, type LoginData, type LoginStorageMode, type PkceCredentials, type PkceLoginConfig, ZapierAuthenticationError, clearTokensFromKeychain, createCache, getActiveCredentials, getAuthAuthorizeUrl, getAuthTokenUrl, getConfig, getConfigPath, getLoggedInUser, getLoginStorageMode, getPkceLoginConfig, getStoredClientCredentials, getToken, logout, unloadConfig, updateLogin };

package/dist/login.d.ts

@@ -1,4 +1,9 @@
 import Conf from 'conf';
+import { ClientCredentialsObject } from '@zapier/zapier-sdk';
+import { z } from 'zod';
+
+declare const DEFAULT_AUTH_BASE_URL = "https://zapier.com";
+declare function getConfig(): Conf;
 
 /**
  * Default filesystem + OS keychain cache adapter for the SDK.
@@ -26,6 +31,27 @@ declare function createCache(): {
     withLock<T>(key: string, fn: () => Promise<T>): Promise<T>;
 };
 
+declare const CredentialsEntrySchema: z.ZodObject<{
+    name: z.ZodString;
+    clientId: z.ZodString;
+    createdAt: z.ZodNumber;
+    scopes: z.ZodArray<z.ZodString>;
+    baseUrl: z.ZodString;
+}, z.core.$strip>;
+type CredentialsEntry = z.infer<typeof CredentialsEntrySchema>;
+declare function getActiveCredentials(options?: {
+    baseUrl?: string;
+}): CredentialsEntry | undefined;
+declare function getStoredClientCredentials(options?: {
+    name?: string;
+    baseUrl?: string;
+}): Promise<ClientCredentialsObject | undefined>;
+
+type DebugLog = (message: string, data?: unknown) => void;
+declare function clearTokensFromKeychain({ debugLog, }?: {
+    debugLog?: DebugLog;
+}): Promise<void>;
+
 /**
  * Zapier SDK CLI Login Package
  *
@@ -91,12 +117,13 @@ interface PkceLoginConfig {
 /**
  * Gets all configuration needed for the PKCE login flow.
  * Credentials should have baseUrl already resolved by SDK.
+ * baseUrl is a fallback used when credentials carry no baseUrl of their own.
  */
 declare function getPkceLoginConfig(options?: {
     credentials?: PkceCredentials;
+    baseUrl?: string;
 }): PkceLoginConfig;
 type LoginStorageMode = "keychain" | "config";
-declare function getConfig(): Conf;
 /**
  * Drops the cached Conf instance so the next getConfig() call re-initializes
  * from disk (including re-running the pre-existing file detection).
@@ -141,4 +168,4 @@ declare function logout(options?: Pick<AuthOptions, "onEvent">): Promise<void>;
  */
 declare function getConfigPath(): string;
 
-export { AUTH_MODE_HEADER, type AuthOptions, type LoginData, type LoginStorageMode, type PkceCredentials, type PkceLoginConfig, ZapierAuthenticationError, createCache, getAuthAuthorizeUrl, getAuthTokenUrl, getConfig, getConfigPath, getLoggedInUser, getLoginStorageMode, getPkceLoginConfig, getToken, logout, unloadConfig, updateLogin };
+export { AUTH_MODE_HEADER, type AuthOptions, DEFAULT_AUTH_BASE_URL, type LoginData, type LoginStorageMode, type PkceCredentials, type PkceLoginConfig, ZapierAuthenticationError, clearTokensFromKeychain, createCache, getActiveCredentials, getAuthAuthorizeUrl, getAuthTokenUrl, getConfig, getConfigPath, getLoggedInUser, getLoginStorageMode, getPkceLoginConfig, getStoredClientCredentials, getToken, logout, unloadConfig, updateLogin };

package/dist/login.mjs

@@ -1,10 +1,11 @@
-import Conf from 'conf';
-import { mkdirSync, existsSync, writeFileSync } from 'fs';
 import * as jwt from 'jsonwebtoken';
 import { deletePassword, setPassword, getKeyring, getPassword } from 'cross-keychain';
+import Conf from 'conf';
+import { existsSync, mkdirSync, writeFileSync } from 'fs';
 import { createHash } from 'crypto';
 import { dirname } from 'path';
 import * as lockfile from 'proper-lockfile';
+import { z } from 'zod';
 
 // src/login/index.ts
 var SERVICE = "zapier-sdk-cli";
@@ -82,6 +83,30 @@ async function clearTokensFromKeychain({
     }
   });
 }
+var DEFAULT_AUTH_BASE_URL = "https://zapier.com";
+var config = null;
+function getConfig() {
+  if (!config) {
+    config = new Conf({ projectName: "zapier-sdk-cli" });
+    if (!config.has("login_storage_mode")) {
+      config.set(
+        "login_storage_mode",
+        existsSync(config.path) ? "config" : "keychain"
+      );
+    }
+  }
+  return config;
+}
+function resetConfig() {
+  config = null;
+}
+
+// src/login/legacy-jwt.ts
+function clearLegacyJwtConfigKeys(config2) {
+  config2.delete("login_jwt");
+  config2.delete("login_refresh_token");
+  config2.delete("login_expires_at");
+}
 var SERVICE2 = "zapier-sdk-cache";
 var CONFIG_KEY = "cache";
 var LOCK_UPDATE_MS = 5e3;
@@ -209,6 +234,63 @@ function createCache() {
     }
   };
 }
+var SERVICE3 = "zapier-sdk-cli";
+var CREDENTIALS_KEY = "credentials";
+var REGISTRY_KEY = "credentialsRegistry";
+var CredentialsEntrySchema = z.object({
+  name: z.string(),
+  clientId: z.string(),
+  createdAt: z.number(),
+  scopes: z.array(z.string()),
+  baseUrl: z.string()
+});
+function normalizeBaseUrl(baseUrl) {
+  return baseUrl ?? DEFAULT_AUTH_BASE_URL;
+}
+function keychainAccount2(key) {
+  return createHash("sha256").update(key).digest("hex");
+}
+function buildKeychainKey(clientId, scopes, baseUrl) {
+  const sortedScopes = [...scopes].sort().join(",");
+  return `zapier-sdk/client-credentials-secret/${clientId}:${sortedScopes}:${baseUrl}`;
+}
+function findEntry(registry, name, baseUrl) {
+  return registry.find((e) => e.name === name && e.baseUrl === baseUrl);
+}
+function readRegistry() {
+  const stored = getConfig().get(REGISTRY_KEY);
+  if (!Array.isArray(stored)) return [];
+  return stored.flatMap((entry) => {
+    const result = CredentialsEntrySchema.safeParse(entry);
+    return result.success ? [result.data] : [];
+  });
+}
+function getActiveCredentials(options) {
+  const name = getConfig().get(CREDENTIALS_KEY);
+  if (!name) return void 0;
+  return findEntry(readRegistry(), name, normalizeBaseUrl(options?.baseUrl));
+}
+async function getStoredClientCredentials(options) {
+  const entry = options?.name ? findEntry(readRegistry(), options.name, normalizeBaseUrl(options.baseUrl)) : getActiveCredentials(options);
+  if (!entry) return void 0;
+  const keychainKey = buildKeychainKey(
+    entry.clientId,
+    entry.scopes,
+    entry.baseUrl
+  );
+  const clientSecret = await enqueue(async () => {
+    await getBackendInfo();
+    return getPassword(SERVICE3, keychainAccount2(keychainKey));
+  });
+  if (!clientSecret) return void 0;
+  return {
+    type: "client_credentials",
+    clientId: entry.clientId,
+    clientSecret,
+    baseUrl: entry.baseUrl,
+    scope: [...entry.scopes].sort().join(" ")
+  };
+}
 
 // src/login/index.ts
 var ZapierAuthenticationError = class extends Error {
@@ -217,7 +299,6 @@ var ZapierAuthenticationError = class extends Error {
     this.name = "ZapierAuthenticationError";
   }
 };
-var config = null;
 var DEFAULT_AUTH_CLIENT_ID = "grwWZD5hUWGvb4V8ODBuOtXer3h0DBEZ2HR8aay6";
 var TOKEN_REFRESH_BUFFER_MS = 5 * 60 * 1e3;
 function createDebugLog(enabled) {
@@ -243,7 +324,6 @@ function getAuthClientId(clientId) {
   return clientId || DEFAULT_AUTH_CLIENT_ID;
 }
 var AUTH_MODE_HEADER = "X-Auth";
-var DEFAULT_AUTH_BASE_URL = "https://zapier.com";
 function getAuthTokenUrl(options) {
   const authBaseUrl = options?.baseUrl || DEFAULT_AUTH_BASE_URL;
   return `${authBaseUrl}/oauth/token/`;
@@ -253,29 +333,16 @@ function getAuthAuthorizeUrl(options) {
   return `${authBaseUrl}/oauth/authorize/`;
 }
 function getPkceLoginConfig(options) {
+  const effectiveBaseUrl = options?.credentials?.baseUrl ?? options?.baseUrl;
   return {
     clientId: getAuthClientId(options?.credentials?.clientId),
-    tokenUrl: getAuthTokenUrl({ baseUrl: options?.credentials?.baseUrl }),
-    authorizeUrl: getAuthAuthorizeUrl({
-      baseUrl: options?.credentials?.baseUrl
-    })
+    tokenUrl: getAuthTokenUrl({ baseUrl: effectiveBaseUrl }),
+    authorizeUrl: getAuthAuthorizeUrl({ baseUrl: effectiveBaseUrl })
   };
 }
 var cachedLogin;
-function getConfig() {
-  if (!config) {
-    config = new Conf({ projectName: "zapier-sdk-cli" });
-    if (!config.has("login_storage_mode")) {
-      config.set(
-        "login_storage_mode",
-        existsSync(config.path) ? "config" : "keychain"
-      );
-    }
-  }
-  return config;
-}
 function unloadConfig() {
-  config = null;
+  resetConfig();
   cachedLogin = void 0;
 }
 async function updateLogin(loginData, options = {}) {
@@ -548,9 +615,7 @@ async function logout(options = {}) {
   await clearTokensFromKeychain();
   const cfg = getConfig();
   cfg.set("login_storage_mode", mode);
-  cfg.delete("login_expires_at");
-  cfg.delete("login_jwt");
-  cfg.delete("login_refresh_token");
+  clearLegacyJwtConfigKeys(cfg);
   onEvent?.({
     type: "auth_logout",
     payload: { message: "Logged out successfully", operation: "logout" },
@@ -562,4 +627,4 @@ function getConfigPath() {
   return cfg.path;
 }
 
-export { AUTH_MODE_HEADER, ZapierAuthenticationError, createCache, getAuthAuthorizeUrl, getAuthTokenUrl, getConfig, getConfigPath, getLoggedInUser, getLoginStorageMode, getPkceLoginConfig, getToken, logout, unloadConfig, updateLogin };
+export { AUTH_MODE_HEADER, DEFAULT_AUTH_BASE_URL, ZapierAuthenticationError, clearTokensFromKeychain, createCache, getActiveCredentials, getAuthAuthorizeUrl, getAuthTokenUrl, getConfig, getConfigPath, getLoggedInUser, getLoginStorageMode, getPkceLoginConfig, getStoredClientCredentials, getToken, logout, unloadConfig, updateLogin };

package/dist/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@zapier/zapier-sdk-cli",
-    "version": "0.47.0",
+    "version": "0.48.0",
     "description": "Command line interface for Zapier SDK",
     "main": "dist/index.cjs",
     "module": "dist/index.mjs",

package/dist/src/login/config.d.ts

@@ -0,0 +1,4 @@
+import Conf from "conf";
+export declare const DEFAULT_AUTH_BASE_URL = "https://zapier.com";
+export declare function getConfig(): Conf;
+export declare function resetConfig(): void;

package/dist/src/login/config.js

@@ -0,0 +1,21 @@
+import Conf from "conf";
+import { existsSync } from "fs";
+export const DEFAULT_AUTH_BASE_URL = "https://zapier.com";
+let config = null;
+export function getConfig() {
+    if (!config) {
+        // Conf does not create the file until the first set() call.
+        config = new Conf({ projectName: "zapier-sdk-cli" });
+        // If the config file already exists but has no cache mode marker, an older
+        // SDK version created it. Set the marker to "config" so the login flow will
+        // prompt the user to upgrade to keychain cache. Otherwise, stamp "keychain"
+        // so that any future writes to the config don't leave it unmarked.
+        if (!config.has("login_storage_mode")) {
+            config.set("login_storage_mode", existsSync(config.path) ? "config" : "keychain");
+        }
+    }
+    return config;
+}
+export function resetConfig() {
+    config = null;
+}

package/dist/src/login/credentials-revoke.d.ts

@@ -0,0 +1,13 @@
+import { type ApiClient } from "@zapier/zapier-sdk";
+import { type CredentialsEntry } from "./credentials-store";
+export type LogoutEventEmitter = (event: {
+    type: string;
+    payload: Record<string, unknown>;
+    timestamp: number;
+}) => void;
+export declare function emitAuthLogout(onEvent: LogoutEventEmitter | undefined): void;
+export declare function revokeCredentials({ api, credentials, onEvent, }: {
+    api: ApiClient;
+    credentials: CredentialsEntry;
+    onEvent?: LogoutEventEmitter;
+}): Promise<void>;

package/dist/src/login/credentials-revoke.js

@@ -0,0 +1,48 @@
+import { invalidateCachedToken } from "@zapier/zapier-sdk";
+import { clearLegacyJwtState } from "./legacy-jwt";
+import { deleteStoredClientCredentials, } from "./credentials-store";
+import { withRetry } from "../utils/retry";
+export function emitAuthLogout(onEvent) {
+    onEvent?.({
+        type: "auth_logout",
+        payload: { message: "Logged out successfully", operation: "logout" },
+        timestamp: Date.now(),
+    });
+}
+function isNotFoundError(err) {
+    return (typeof err === "object" &&
+        err !== null &&
+        "statusCode" in err &&
+        err.statusCode === 404);
+}
+// Re-login flows pass no emitter so credential rotation stays silent.
+export async function revokeCredentials({ api, credentials, onEvent, }) {
+    await withRetry({
+        action: async () => {
+            try {
+                await api.delete(`/api/v0/client-credentials/${credentials.clientId}`, undefined, { authRequired: true, requiredScopes: ["credentials"] });
+            }
+            catch (err) {
+                if (isNotFoundError(err))
+                    return;
+                throw err;
+            }
+        },
+    });
+    try {
+        await deleteStoredClientCredentials({
+            name: credentials.name,
+            baseUrl: credentials.baseUrl,
+        });
+    }
+    catch (err) {
+        console.warn("[revokeCredentials] Local store cleanup failed:", err);
+    }
+    await clearLegacyJwtState();
+    await invalidateCachedToken({
+        clientId: credentials.clientId,
+        scopes: credentials.scopes,
+        baseUrl: credentials.baseUrl,
+    });
+    emitAuthLogout(onEvent);
+}

package/dist/src/login/credentials-store.d.ts

@@ -0,0 +1,33 @@
+import type { ClientCredentialsObject } from "@zapier/zapier-sdk";
+import { z } from "zod";
+declare const CredentialsEntrySchema: z.ZodObject<{
+    name: z.ZodString;
+    clientId: z.ZodString;
+    createdAt: z.ZodNumber;
+    scopes: z.ZodArray<z.ZodString>;
+    baseUrl: z.ZodString;
+}, z.core.$strip>;
+export type CredentialsEntry = z.infer<typeof CredentialsEntrySchema>;
+export declare function getActiveCredentials(options?: {
+    baseUrl?: string;
+}): CredentialsEntry | undefined;
+export declare function storeClientCredentials({ name, clientId, clientSecret, scopes, baseUrl, }: {
+    name: string;
+    clientId: string;
+    clientSecret: string;
+    scopes: string[];
+    baseUrl?: string;
+}): Promise<void>;
+export declare function credentialsNameExists({ name, baseUrl, }: {
+    name: string;
+    baseUrl?: string;
+}): boolean;
+export declare function getStoredClientCredentials(options?: {
+    name?: string;
+    baseUrl?: string;
+}): Promise<ClientCredentialsObject | undefined>;
+export declare function deleteStoredClientCredentials({ name, baseUrl, }: {
+    name: string;
+    baseUrl?: string;
+}): Promise<void>;
+export {};