@zapier/zapier-sdk 0.50.0 → 0.51.0

package/CHANGELOG.md

@@ -1,5 +1,15 @@
 # @zapier/zapier-sdk
 
+## 0.51.0
+
+### Minor Changes
+
+- ef1c97d: Default SDK auth to client credentials
+
+### Patch Changes
+
+- f5a734d: Updated the experimental Triggers notice in all three package READMEs to clarify that the feature is in closed beta, with a link to contact us for access.
+
 ## 0.50.0
 
 ### Minor Changes

package/README.md

@@ -1792,7 +1792,7 @@ const result = await zapier.updateTableRecords({
 
 ### Triggers (Experimental)
 
-> Experimental. Import from `"@zapier/zapier-sdk/experimental"` to use these methods. Methods and behavior may change, and availabilitiy may be limited to some users.
+> ⚠️ **Closed beta.** Import from `"@zapier/zapier-sdk/experimental"` to use these methods. Methods and behavior may change. [Contact us](https://npsup.zapier.app/contact-us?product=Zapier%20SDK) to request access.
 
 #### `ackTriggerInboxMessages` 🧪 _experimental_
 

package/dist/api/auth.d.ts

@@ -6,12 +6,7 @@
  */
 export declare function isJwt(token: string): boolean;
 export declare function getAuthorizationHeader(token: string): string;
-/**
- * Extract user IDs from JWT token
- * Decodes the JWT payload and extracts customuser_id and account_id
- * Handles nested JWTs for service tokens
- * Returns null values on any failure (silent-by-design)
- */
+/** Never throws — an auth decode error must not take down request telemetry. */
 export declare function extractUserIdsFromJwt(token: string): {
     customuser_id: number | null;
     account_id: number | null;

package/dist/api/auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/api/auth.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,wBAAgB,KAAK,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAW5C;AAaD,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAO5D;AAED;;;;;GAKG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,MAAM,GAAG;IACpD,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B,CAwCA"}
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/api/auth.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,wBAAgB,KAAK,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAW5C;AAaD,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAO5D;AA8BD,gFAAgF;AAChF,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,MAAM,GAAG;IACpD,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B,CAmBA"}

package/dist/api/auth.js

@@ -33,38 +33,45 @@ export function getAuthorizationHeader(token) {
     // Default to Bearer for other token types
     return `Bearer ${token}`;
 }
-/**
- * Extract user IDs from JWT token
- * Decodes the JWT payload and extracts customuser_id and account_id
- * Handles nested JWTs for service tokens
- * Returns null values on any failure (silent-by-design)
- */
-export function extractUserIdsFromJwt(token) {
+// Handles nested service-JWT shape (`sub_type: "service"` with `njwt`). Lenient — falls back to outer payload on nested parse failure.
+function readJwtPayload(token) {
     const parts = parseJwt(token);
-    if (!parts) {
-        return { customuser_id: null, account_id: null };
-    }
+    if (!parts)
+        return null;
+    let payload;
     try {
-        const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf-8"));
-        let actualPayload = payload;
-        if (payload.sub_type === "service" && payload.njwt) {
-            const nestedParts = payload.njwt.split(".");
-            if (nestedParts.length === 3) {
-                actualPayload = JSON.parse(Buffer.from(nestedParts[1], "base64url").toString("utf-8"));
+        payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf-8"));
+    }
+    catch {
+        return null;
+    }
+    if (payload["sub_type"] === "service" &&
+        typeof payload["njwt"] === "string") {
+        const nestedParts = parseJwt(payload["njwt"]);
+        if (nestedParts) {
+            try {
+                return JSON.parse(Buffer.from(nestedParts[1], "base64url").toString("utf-8"));
+            }
+            catch {
+                // Fall through to outer payload.
             }
         }
-        const accountId = actualPayload["zap:acc"] != null
-            ? parseInt(String(actualPayload["zap:acc"]), 10)
-            : null;
-        const customUserId = actualPayload.sub_type === "customuser" && actualPayload.sub != null
-            ? parseInt(String(actualPayload.sub), 10)
-            : null;
-        return {
-            customuser_id: customUserId !== null && !isNaN(customUserId) ? customUserId : null,
-            account_id: accountId !== null && !isNaN(accountId) ? accountId : null,
-        };
     }
-    catch {
+    return payload;
+}
+/** Never throws — an auth decode error must not take down request telemetry. */
+export function extractUserIdsFromJwt(token) {
+    const payload = readJwtPayload(token);
+    if (!payload) {
         return { customuser_id: null, account_id: null };
     }
+    const accRaw = payload["zap:acc"];
+    const accountId = accRaw != null ? parseInt(String(accRaw), 10) : null;
+    const customUserId = payload["sub_type"] === "customuser" && payload["sub"] != null
+        ? parseInt(String(payload["sub"]), 10)
+        : null;
+    return {
+        customuser_id: customUserId !== null && !isNaN(customUserId) ? customUserId : null,
+        account_id: accountId !== null && !isNaN(accountId) ? accountId : null,
+    };
 }

package/dist/api/client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/api/client.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EACV,SAAS,EACT,gBAAgB,EAGjB,MAAM,SAAS,CAAC;AA2jCjB,eAAO,MAAM,eAAe,GAAI,SAAS,gBAAgB,KAAG,SAW3D,CAAC"}
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/api/client.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EACV,SAAS,EACT,gBAAgB,EAGjB,MAAM,SAAS,CAAC;AA4jCjB,eAAO,MAAM,eAAe,GAAI,SAAS,gBAAgB,KAAG,SAW3D,CAAC"}

package/dist/api/client.js

@@ -625,8 +625,9 @@ class ZapierApiClient {
         }
         // Check if we have an auth token available
         const wasMissingAuthToken = options.authRequired &&
-            (await this.getAuthToken({ requiredScopes: options.requiredScopes })) ==
-                null;
+            (await this.getAuthToken({
+                requiredScopes: options.requiredScopes,
+            })) == null;
         const response = await this.fetch(path, {
             ...options,
             method,

package/dist/api/index.d.ts

@@ -8,7 +8,7 @@
 export type { ApiClient, ApiClientOptions, RequestOptions, PollOptions, DebugLogger, Action, Field, Choice, ActionExecutionResult, ActionField, ActionFieldChoice, NeedsRequest, NeedsResponse, Connection, ConnectionsResponse, Implementation, ImplementationsResponse, } from "./types";
 import type { ApiClient } from "./types";
 import type { Credentials } from "../types/credentials";
-export { isJwt, getAuthorizationHeader } from "./auth";
+export { isJwt, getAuthorizationHeader, extractUserIdsFromJwt } from "./auth";
 export { createDebugLogger, createDebugFetch } from "./debug";
 export { pollUntilComplete } from "./polling";
 export { createZapierApi } from "./client";

package/dist/api/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/api/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,YAAY,EAEV,SAAS,EACT,gBAAgB,EAChB,cAAc,EACd,WAAW,EACX,WAAW,EAEX,MAAM,EACN,KAAK,EACL,MAAM,EACN,qBAAqB,EACrB,WAAW,EACX,iBAAiB,EACjB,YAAY,EACZ,aAAa,EACb,UAAU,EACV,mBAAmB,EACnB,cAAc,EACd,uBAAuB,GACxB,MAAM,SAAS,CAAC;AAGjB,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAIxD,OAAO,EAAE,KAAK,EAAE,sBAAsB,EAAE,MAAM,QAAQ,CAAC;AAGvD,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,SAAS,CAAC;AAG9D,OAAO,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAG9C,OAAO,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAM3C,wBAAgB,iBAAiB,IAAI,MAAM,CAE1C;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE;IAC3C,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,4CAA4C;IAC5C,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,GAAG,CAAC,EAAE,SAAS,CAAC;IAChB,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,KAAK,CAAC,EAAE,OAAO,UAAU,CAAC,KAAK,CAAC;CACjC,GAAG,SAAS,CAsBZ"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/api/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,YAAY,EAEV,SAAS,EACT,gBAAgB,EAChB,cAAc,EACd,WAAW,EACX,WAAW,EAEX,MAAM,EACN,KAAK,EACL,MAAM,EACN,qBAAqB,EACrB,WAAW,EACX,iBAAiB,EACjB,YAAY,EACZ,aAAa,EACb,UAAU,EACV,mBAAmB,EACnB,cAAc,EACd,uBAAuB,GACxB,MAAM,SAAS,CAAC;AAGjB,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAIxD,OAAO,EAAE,KAAK,EAAE,sBAAsB,EAAE,qBAAqB,EAAE,MAAM,QAAQ,CAAC;AAG9E,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,SAAS,CAAC;AAG9D,OAAO,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAG9C,OAAO,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAM3C,wBAAgB,iBAAiB,IAAI,MAAM,CAE1C;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE;IAC3C,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,4CAA4C;IAC5C,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,GAAG,CAAC,EAAE,SAAS,CAAC;IAChB,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,KAAK,CAAC,EAAE,OAAO,UAAU,CAAC,KAAK,CAAC;CACjC,GAAG,SAAS,CAsBZ"}

package/dist/api/index.js

@@ -7,7 +7,7 @@
  */
 import { ZAPIER_BASE_URL } from "../constants";
 // Re-export authentication utilities
-export { isJwt, getAuthorizationHeader } from "./auth";
+export { isJwt, getAuthorizationHeader, extractUserIdsFromJwt } from "./auth";
 // Re-export debug utilities
 export { createDebugLogger, createDebugFetch } from "./debug";
 // Re-export polling utilities

package/dist/api/schemas.d.ts

@@ -66,13 +66,13 @@ export declare const ActionSchema: z.ZodObject<{
     id: z.ZodOptional<z.ZodString>;
     type: z.ZodEnum<{
         filter: "filter";
+        write: "write";
         read: "read";
         read_bulk: "read_bulk";
         run: "run";
         search: "search";
         search_and_write: "search_and_write";
         search_or_write: "search_or_write";
-        write: "write";
     }>;
     key: z.ZodString;
     name: z.ZodString;
@@ -314,13 +314,13 @@ export declare const ImplementationSchema: z.ZodObject<{
         id: z.ZodOptional<z.ZodString>;
         type: z.ZodEnum<{
             filter: "filter";
+            write: "write";
             read: "read";
             read_bulk: "read_bulk";
             run: "run";
             search: "search";
             search_and_write: "search_and_write";
             search_or_write: "search_or_write";
-            write: "write";
         }>;
         key: z.ZodString;
         name: z.ZodString;
@@ -356,13 +356,13 @@ export declare const ImplementationsResponseSchema: z.ZodObject<{
             id: z.ZodOptional<z.ZodString>;
             type: z.ZodEnum<{
                 filter: "filter";
+                write: "write";
                 read: "read";
                 read_bulk: "read_bulk";
                 run: "run";
                 search: "search";
                 search_and_write: "search_and_write";
                 search_or_write: "search_or_write";
-                write: "write";
             }>;
             key: z.ZodString;
             name: z.ZodString;

package/dist/auth.d.ts

@@ -9,7 +9,7 @@
  * @zapier/zapier-sdk-cli package (imported via its `./login` subpath).
  */
 import type { EventCallback } from "./types/events";
-import type { Credentials } from "./types/credentials";
+import type { Credentials, ClientCredentialsObject } from "./types/credentials";
 import { type ZapierCache } from "./cache";
 export type { ZapierCache, ZapierCacheEntry, ZapierCacheSetOptions, } from "./cache";
 export { createMemoryCache } from "./cache";
@@ -74,7 +74,18 @@ interface CliLoginOptions {
     };
     debug?: boolean;
 }
-type CliLoginModule = typeof import("@zapier/zapier-sdk-cli/login");
+type CliLoginModule = typeof import("@zapier/zapier-sdk-cli/login") & {
+    getActiveCredentials?: (options?: {
+        baseUrl?: string;
+    }) => {
+        clientId: string;
+        scopes: string[];
+        baseUrl?: string;
+    } | undefined;
+    getStoredClientCredentials?: (options?: {
+        baseUrl?: string;
+    }) => Promise<ClientCredentialsObject | undefined>;
+};
 /**
  * Inject an already-loaded CLI login module so the SDK skips its dynamic import.
  * This guarantees CLI and SDK share the same module instance in the same process.

package/dist/auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AACpD,OAAO,KAAK,EAAE,WAAW,EAAuB,MAAM,qBAAqB,CAAC;AAG5E,OAAO,EAAqB,KAAK,WAAW,EAAE,MAAM,SAAS,CAAC;AAG9D,YAAY,EACV,WAAW,EACX,gBAAgB,EAChB,qBAAqB,GACtB,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,iBAAiB,EAAE,MAAM,SAAS,CAAC;AAG5C,YAAY,EACV,QAAQ,EACR,SAAS,EACT,QAAQ,EACR,YAAY,EACZ,aAAa,GACd,MAAM,gBAAgB,CAAC;AAGxB,YAAY,EACV,WAAW,EACX,mBAAmB,EACnB,iBAAiB,EACjB,uBAAuB,EACvB,qBAAqB,GACtB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,mBAAmB,EACnB,iBAAiB,EACjB,mBAAmB,EACnB,qBAAqB,GACtB,MAAM,qBAAqB,CAAC;AAE7B;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACtC,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,4CAA4C;IAC5C,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,aAAa,CAAC;IACxB,KAAK,CAAC,EAAE,OAAO,UAAU,CAAC,KAAK,CAAC;IAChC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;;OAIG;IACH,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,gDAAgD;IAChD,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB;;;;;OAKG;IACH,KAAK,CAAC,EAAE,WAAW,CAAC;CACrB;AA8BD;;;;GAIG;AACH,wBAAgB,eAAe,IAAI,IAAI,CAItC;AAqCD;;;;;GAKG;AACH,wBAAsB,qBAAqB,CAAC,OAAO,EAAE;IACnD,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,WAAW,CAAC;CACrB,GAAG,OAAO,CAAC,IAAI,CAAC,CAWhB;AAiID;;GAEG;AACH,UAAU,eAAe;IACvB,OAAO,CAAC,EAAE,aAAa,CAAC;IACxB,KAAK,CAAC,EAAE,OAAO,UAAU,CAAC,KAAK,CAAC;IAChC,WAAW,CAAC,EAAE;QACZ,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,QAAQ,EAAE,MAAM,CAAC;QACjB,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,CAAC;IACF,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAGD,KAAK,cAAc,GAAG,cAAc,8BAA8B,CAAC,CAAC;AA6BpE;;;GAGG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,cAAc,GAAG,IAAI,CAE3D;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,IAAI,OAAO,GAAG,SAAS,CAGzD;AAED;;;;;GAKG;AACH,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,eAAe,GACvB,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAK7B;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,gBAAgB,CACpC,OAAO,GAAE,uBAA4B,GACpC,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAmB7B;AA2GD;;;;GAIG;AACH,wBAAsB,0BAA0B,CAAC,OAAO,EAAE;IACxD,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,KAAK,CAAC,EAAE,WAAW,CAAC;CACrB,GAAG,OAAO,CAAC,IAAI,CAAC,CAehB"}
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AACpD,OAAO,KAAK,EACV,WAAW,EAEX,uBAAuB,EACxB,MAAM,qBAAqB,CAAC;AAK7B,OAAO,EAAqB,KAAK,WAAW,EAAE,MAAM,SAAS,CAAC;AAG9D,YAAY,EACV,WAAW,EACX,gBAAgB,EAChB,qBAAqB,GACtB,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,iBAAiB,EAAE,MAAM,SAAS,CAAC;AAG5C,YAAY,EACV,QAAQ,EACR,SAAS,EACT,QAAQ,EACR,YAAY,EACZ,aAAa,GACd,MAAM,gBAAgB,CAAC;AAGxB,YAAY,EACV,WAAW,EACX,mBAAmB,EACnB,iBAAiB,EACjB,uBAAuB,EACvB,qBAAqB,GACtB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,mBAAmB,EACnB,iBAAiB,EACjB,mBAAmB,EACnB,qBAAqB,GACtB,MAAM,qBAAqB,CAAC;AAE7B;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACtC,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,4CAA4C;IAC5C,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,aAAa,CAAC;IACxB,KAAK,CAAC,EAAE,OAAO,UAAU,CAAC,KAAK,CAAC;IAChC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;;OAIG;IACH,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,gDAAgD;IAChD,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB;;;;;OAKG;IACH,KAAK,CAAC,EAAE,WAAW,CAAC;CACrB;AA8BD;;;;GAIG;AACH,wBAAgB,eAAe,IAAI,IAAI,CAItC;AAgDD;;;;;GAKG;AACH,wBAAsB,qBAAqB,CAAC,OAAO,EAAE;IACnD,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,WAAW,CAAC;CACrB,GAAG,OAAO,CAAC,IAAI,CAAC,CAWhB;AAiID;;GAEG;AACH,UAAU,eAAe;IACvB,OAAO,CAAC,EAAE,aAAa,CAAC;IACxB,KAAK,CAAC,EAAE,OAAO,UAAU,CAAC,KAAK,CAAC;IAChC,WAAW,CAAC,EAAE;QACZ,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,QAAQ,EAAE,MAAM,CAAC;QACjB,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,CAAC;IACF,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAGD,KAAK,cAAc,GAAG,cAAc,8BAA8B,CAAC,GAAG;IACpE,oBAAoB,CAAC,EAAE,CAAC,OAAO,CAAC,EAAE;QAChC,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB,KAAK;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,EAAE,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,SAAS,CAAC;IAC3E,0BAA0B,CAAC,EAAE,CAAC,OAAO,CAAC,EAAE;QACtC,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB,KAAK,OAAO,CAAC,uBAAuB,GAAG,SAAS,CAAC,CAAC;CACpD,CAAC;AA6BF;;;GAGG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,cAAc,GAAG,IAAI,CAE3D;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,IAAI,OAAO,GAAG,SAAS,CAGzD;AA2BD;;;;;GAKG;AACH,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,eAAe,GACvB,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAK7B;AA+DD;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,gBAAgB,CACpC,OAAO,GAAE,uBAA4B,GACpC,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CA4B7B;AAqHD;;;;GAIG;AACH,wBAAsB,0BAA0B,CAAC,OAAO,EAAE;IACxD,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,KAAK,CAAC,EAAE,WAAW,CAAC;CACrB,GAAG,OAAO,CAAC,IAAI,CAAC,CAehB"}

package/dist/auth.js

@@ -9,6 +9,8 @@
  * @zapier/zapier-sdk-cli package (imported via its `./login` subpath).
  */
 import { isClientCredentials, isPkceCredentials } from "./types/credentials";
+import { ZapierAuthenticationError } from "./types/errors";
+import { emitOnce } from "./utils/telemetry";
 import { resolveCredentials, getClientIdFromCredentials } from "./credentials";
 import { createMemoryCache } from "./cache";
 const DEFAULT_AUTH_BASE_URL = "https://zapier.com";
@@ -61,8 +63,10 @@ async function resolveCache(options) {
     if (cliLogin?.createCache) {
         try {
             const cache = cliLogin.createCache();
-            cachedDefaultCache = cache;
-            return cache;
+            if (cache) {
+                cachedDefaultCache = cache;
+                return cache;
+            }
         }
         catch {
             // Fall through to in-memory if the CLI provider can't be constructed.
@@ -77,6 +81,12 @@ function entryIsValid(entry) {
         return true;
     return entry.expiresAt > Date.now() + TOKEN_EXPIRATION_BUFFER_MS;
 }
+async function readCachedToken(cacheKey, cache) {
+    const cached = await cache.get(cacheKey);
+    if (cached && entryIsValid(cached))
+        return cached.value;
+    return undefined;
+}
 /**
  * Invalidate the cached token for a given client_credentials identity.
  * Called on 401 so the next request re-exchanges. Clears both the
@@ -227,6 +237,23 @@ export function isCliLoginAvailable() {
         return undefined;
     return cachedCliLogin !== false;
 }
+function emitAuthResolved(onEvent, mechanism) {
+    if (onEvent) {
+        emitOnce(onEvent, {
+            type: "auth_resolved",
+            payload: { mechanism },
+            timestamp: Date.now(),
+        });
+    }
+}
+async function getActiveCredentialsFromCli(baseUrl) {
+    const cliLogin = await getCliLogin();
+    return cliLogin?.getActiveCredentials?.({ baseUrl });
+}
+async function getStoredClientCredentialsFromCli(baseUrl) {
+    const cliLogin = await getCliLogin();
+    return cliLogin?.getStoredClientCredentials?.({ baseUrl });
+}
 /**
  * Attempts to get a token from the CLI login package.
  *
@@ -239,6 +266,47 @@ export async function getTokenFromCliLogin(options) {
         return undefined;
     return await cliLogin.getToken(options);
 }
+async function tryStoredClientCredentialToken(options) {
+    const activeCredential = await getActiveCredentialsFromCli(options.baseUrl);
+    if (!activeCredential)
+        return undefined;
+    const resolvedBaseUrl = activeCredential.baseUrl || options.baseUrl || DEFAULT_AUTH_BASE_URL;
+    const mergedScopes = mergeScopes(activeCredential.scopes.join(" "), options.requiredScopes);
+    const cacheKey = buildCacheKey({
+        clientId: activeCredential.clientId,
+        scopes: mergedScopes,
+        baseUrl: resolvedBaseUrl,
+    });
+    const cache = await resolveCache(options);
+    const pending = pendingExchanges.get(cacheKey);
+    if (pending)
+        return pending;
+    const cached = await readCachedToken(cacheKey, cache);
+    if (cached !== undefined) {
+        if (options.debug)
+            console.log(`[auth] Using cached token (clientId: ${activeCredential.clientId})`);
+        emitAuthResolved(options.onEvent, "client_credentials");
+        return cached;
+    }
+    const storedCredential = await getStoredClientCredentialsFromCli(resolvedBaseUrl);
+    if (!storedCredential) {
+        // Active credential pointer exists but the keychain secret is missing.
+        // Falling back to JWT would silently downgrade a migrated user; surface
+        // the broken state so they re-run login to recreate the secret.
+        await invalidateCachedToken({
+            clientId: activeCredential.clientId,
+            scopes: activeCredential.scopes,
+            baseUrl: resolvedBaseUrl,
+            cache: options.cache,
+        });
+        throw new ZapierAuthenticationError(`Stored client credential is missing its secret (clientId: ${activeCredential.clientId}). Run \`zapier-sdk login\` to recreate it.`);
+    }
+    if (options.debug)
+        console.log(`[auth] Using stored client credential (clientId: ${storedCredential.clientId})`);
+    const token = await resolveAuthTokenFromCredentials(storedCredential, options);
+    emitAuthResolved(options.onEvent, "client_credentials");
+    return token;
+}
 /**
  * Resolves an auth token from wherever it can be found.
  *
@@ -265,19 +333,28 @@ export async function resolveAuthToken(options = {}) {
     if (credentials !== undefined) {
         return resolveAuthTokenFromCredentials(credentials, options);
     }
-    // No credentials from options or env, try CLI login for stored token
-    return getTokenFromCliLogin({
+    const storedToken = await tryStoredClientCredentialToken(options);
+    if (storedToken !== undefined)
+        return storedToken;
+    if (options.debug) {
+        console.log("[auth] Using JWT (no stored client credential found)");
+    }
+    const jwtToken = await getTokenFromCliLogin({
         onEvent: options.onEvent,
         fetch: options.fetch,
         debug: options.debug,
     });
+    if (jwtToken !== undefined) {
+        emitAuthResolved(options.onEvent, "jwt");
+    }
+    return jwtToken;
 }
 /**
  * Resolve an auth token from resolved credentials.
  */
 async function resolveAuthTokenFromCredentials(credentials, options) {
-    // String credentials are used directly as tokens
     if (typeof credentials === "string") {
+        emitAuthResolved(options.onEvent, "token");
         return credentials;
     }
     // Client credentials: exchange + cache through a pluggable cache
@@ -299,9 +376,12 @@ async function resolveAuthTokenFromCredentials(credentials, options) {
         });
         const cache = await resolveCache(options);
         // Fast-path read
-        const cached = await cache.get(cacheKey);
-        if (cached && entryIsValid(cached)) {
-            return cached.value;
+        const cached = await readCachedToken(cacheKey, cache);
+        if (cached !== undefined) {
+            if (options.debug) {
+                console.log(`[auth] Using cached token (clientId: ${clientId})`);
+            }
+            return cached;
         }
         // In-process dedup
         const pending = pendingExchanges.get(cacheKey);
@@ -312,9 +392,13 @@ async function resolveAuthTokenFromCredentials(credentials, options) {
         // cache under the lock and uses the first's token instead of firing
         // another exchange.
         const runLocked = async () => {
-            const recheck = await cache.get(cacheKey);
-            if (recheck && entryIsValid(recheck))
-                return recheck.value;
+            const recheck = await readCachedToken(cacheKey, cache);
+            if (recheck !== undefined) {
+                if (options.debug) {
+                    console.log(`[auth] Using cached token (clientId: ${clientId}, locked recheck)`);
+                }
+                return recheck;
+            }
             const { accessToken, expiresIn } = await exchangeClientCredentials({
                 clientId: credentials.clientId,
                 clientSecret: credentials.clientSecret,