npm - authvital-sdk - Versions diffs - 0.1.1-dev.3.cefb119.0 - Mend

authvital-sdk 0.1.1-dev.3.cefb119.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (22) hide show

package/README.md +657 -0
package/dist/chunk-ETJ5ICJ7.mjs +412 -0
package/dist/chunk-FXVD4Y5G.js +412 -0
package/dist/chunk-JNEJMHGA.mjs +235 -0
package/dist/chunk-JPODZIZT.mjs +95 -0
package/dist/chunk-QPYBK2J4.js +235 -0
package/dist/chunk-R4OHZZQP.js +95 -0
package/dist/index.d.mts +615 -0
package/dist/index.d.ts +615 -0
package/dist/index.js +1299 -0
package/dist/index.mjs +1299 -0
package/dist/invitations-EFJA5C6L.mjs +22 -0
package/dist/invitations-LZHJ3AZY.js +22 -0
package/dist/oauth-K7E7OCWI.js +34 -0
package/dist/oauth-UAFXEKZ7.mjs +34 -0
package/dist/server.d.mts +2656 -0
package/dist/server.d.ts +2656 -0
package/dist/server.js +2915 -0
package/dist/server.mjs +2915 -0
package/dist/webhook-router-DdfXLtHa.d.mts +461 -0
package/dist/webhook-router-DdfXLtHa.d.ts +461 -0
package/package.json +71 -0

package/dist/server.d.mts ADDED Viewed

@@ -0,0 +1,2656 @@
+import { y as AuthVitalEventHandler, f as SubjectCreatedEvent, g as SubjectUpdatedEvent, h as SubjectDeletedEvent, i as SubjectDeactivatedEvent, M as MemberJoinedEvent, j as MemberLeftEvent, k as MemberRoleChangedEvent, A as AppAccessGrantedEvent, n as AppAccessRevokedEvent, p as AppAccessRoleChangedEvent } from './webhook-router-DdfXLtHa.mjs';
+export { o as AppAccessDeactivatedEvent, D as AppAccessEventHandler, K as IAppAccessEventHandler, F as IAuthVitalEventHandler, G as IInviteEventHandler, N as ILicenseEventHandler, J as IMemberEventHandler, H as ISubjectEventHandler, b as InviteAcceptedEvent, I as InviteCreatedEvent, c as InviteDeletedEvent, z as InviteEventHandler, d as InviteExpiredEvent, L as LicenseAssignedEvent, r as LicenseChangedEvent, E as LicenseEventHandler, q as LicenseRevokedEvent, m as MemberActivatedEvent, C as MemberEventHandler, l as MemberSuspendedEvent, x as SYNC_EVENT_TYPES, e as SubjectData, B as SubjectEventHandler, S as SyncEvent, a as SyncEventType, W as WebhookRouter, O as WebhookRouterOptions, P as WebhookVerifier, Q as WebhookVerifierOptions, v as isAppAccessEvent, s as isInviteEvent, w as isLicenseEvent, u as isMemberEvent, t as isSubjectEvent } from './webhook-router-DdfXLtHa.mjs';
+/**
+ * @authvital/sdk - JWT Validator
+ *
+ * Validates JWTs issued by AuthVital using JWKS (JSON Web Key Set).
+ * Automatically fetches keys from the IDP's well-known endpoint,
+ * handles caching, and supports key rotation.
+ *
+ * @example
+ * ```ts
+ * import { createJwtValidator } from '@authvital/sdk/server';
+ *
+ * const validator = createJwtValidator({
+ *   authVitalHost: process.env.AV_HOST,
+ * });
+ *
+ * // Validate a token
+ * const payload = await validator.validateToken(token);
+ *
+ * // Get public keys for manual verification
+ * const keys = await validator.getPublicKeys();
+ * ```
+ */
+interface JwtValidatorConfig {
+    /** AuthVital IDP URL (e.g., "https://auth.example.com") */
+    authVitalHost: string;
+    /** Cache TTL in seconds (default: 3600 = 1 hour) */
+    cacheTtl?: number;
+    /** Expected audience (client_id) - optional but recommended */
+    audience?: string;
+    /** Expected issuer - defaults to authVitalHost */
+    issuer?: string;
+}
+interface JwksKey {
+    kty: string;
+    kid: string;
+    use?: string;
+    alg?: string;
+    n?: string;
+    e?: string;
+    x5c?: string[];
+}
+interface Jwks {
+    keys: JwksKey[];
+}
+interface JwtHeader {
+    alg: string;
+    typ?: string;
+    kid?: string;
+}
+interface JwtPayload {
+    iss?: string;
+    sub?: string;
+    aud?: string | string[];
+    exp?: number;
+    nbf?: number;
+    iat?: number;
+    jti?: string;
+    [key: string]: unknown;
+}
+interface ValidateTokenResult {
+    valid: boolean;
+    payload?: JwtPayload;
+    error?: string;
+}
+/**
+ * JWT Validator for AuthVital tokens
+ *
+ * Fetches JWKS from the IDP, caches keys, and validates tokens.
+ * Handles key rotation automatically by refetching JWKS when a key is not found.
+ */
+declare class JwtValidator {
+    private config;
+    private jwksCache;
+    private jwksCacheTime;
+    private fetchPromise;
+    constructor(config: JwtValidatorConfig);
+    /**
+     * Get the JWKS URL for this IDP
+     */
+    getJwksUrl(): string;
+    /**
+     * Get the OpenID Configuration URL
+     */
+    getOpenIdConfigUrl(): string;
+    /**
+     * Fetch public keys from the JWKS endpoint
+     * Results are cached according to cacheTtl
+     */
+    getPublicKeys(forceRefresh?: boolean): Promise<Jwks>;
+    /**
+     * Fetch JWKS from the IDP
+     */
+    private fetchJwks;
+    /**
+     * Find a key by its ID (kid)
+     */
+    private findKey;
+    /**
+     * Decode a JWT without verification (to get header/payload)
+     */
+    decodeToken(token: string): {
+        header: JwtHeader;
+        payload: JwtPayload;
+    } | null;
+    /**
+     * Validate a JWT token
+     *
+     * @param token - The JWT to validate
+     * @returns Validation result with payload if valid
+     */
+    validateToken(token: string): Promise<ValidateTokenResult>;
+    /**
+     * Verify RS256 signature using Web Crypto API
+     */
+    private verifySignature;
+    /**
+     * Base64URL decode to string
+     */
+    private base64UrlDecode;
+    /**
+     * Base64URL decode to Uint8Array
+     */
+    private base64UrlDecodeToBuffer;
+    /**
+     * Clear the JWKS cache (useful for testing or forced refresh)
+     */
+    clearCache(): void;
+    /**
+     * Check if the JWT payload has a specific tenant permission
+     *
+     * @param payload - Decoded JWT payload
+     * @param permission - Permission to check (e.g., 'licenses:manage')
+     * @returns true if user has the permission (wildcards supported)
+     *
+     * @example
+     * ```ts
+     * const { user } = await validator.getCurrentUser(authHeader);
+     * if (validator.hasTenantPermission(user, 'licenses:manage')) {
+     *   // User can manage licenses
+     * }
+     * ```
+     */
+    hasTenantPermission(payload: JwtPayload, permission: string): boolean;
+    /**
+     * Check if the JWT payload has a specific app permission
+     *
+     * @param payload - Decoded JWT payload
+     * @param permission - Permission to check (e.g., 'projects:create')
+     * @returns true if user has the permission (wildcards supported)
+     *
+     * @example
+     * ```ts
+     * const { user } = await validator.getCurrentUser(authHeader);
+     * if (validator.hasAppPermission(user, 'projects:create')) {
+     *   // User can create projects
+     * }
+     * ```
+     */
+    hasAppPermission(payload: JwtPayload, permission: string): boolean;
+    /**
+     * Check if the JWT payload has a specific feature enabled
+     *
+     * This reads from the `license.features` array in the JWT.
+     * No API call needed - feature information is embedded in the token!
+     *
+     * @param payload - Decoded JWT payload
+     * @param featureKey - Feature to check (e.g., 'sso', 'audit_logs')
+     * @returns true if feature is enabled
+     *
+     * @example
+     * ```ts
+     * const { user } = await validator.getCurrentUser(authHeader);
+     * if (validator.hasFeature(user, 'sso')) {
+     *   // User's tenant has SSO enabled
+     * }
+     * ```
+     */
+    hasFeature(payload: JwtPayload, featureKey: string): boolean;
+    /**
+     * Get the license type from JWT payload
+     *
+     * @param payload - Decoded JWT payload
+     * @returns License type slug (e.g., 'pro', 'enterprise') or null
+     *
+     * @example
+     * ```ts
+     * const { user } = await validator.getCurrentUser(authHeader);
+     * const licenseType = validator.getLicenseType(user);
+     * if (licenseType === 'enterprise') {
+     *   // Show enterprise features
+     * }
+     * ```
+     */
+    getLicenseType(payload: JwtPayload): string | null;
+    /**
+     * Check if wildcard pattern matches permission
+     *
+     * @example
+     * - '*' matches everything
+     * - 'licenses:*' matches 'licenses:manage', 'licenses:view', etc.
+     * - 'licenses:manage' only matches 'licenses:manage'
+     */
+    private matchesWildcard;
+    /**
+     * Get the current user from an Authorization header.
+     * This is the helper for implementing `/api/auth/me` endpoints.
+     *
+     * - Does NOT call the IDP
+     * - Validates JWT signature using cached JWKS
+     * - Returns the decoded JWT payload
+     *
+     * @example
+     * ```ts
+     * const validator = createJwtValidator({ authVitalHost: process.env.AV_HOST });
+     *
+     * // GET /api/auth/me
+     * app.get('/api/auth/me', async (req, res) => {
+     *   const result = await validator.getCurrentUser(req.headers.authorization);
+     *
+     *   if (!result.authenticated) {
+     *     return res.status(401).json({ error: result.error });
+     *   }
+     *
+     *   res.json(result.user);
+     * });
+     * ```
+     */
+    getCurrentUser(authorizationHeader: string | null | undefined): Promise<GetCurrentUserResult$1>;
+}
+/**
+ * Create a JWT validator instance
+ *
+ * @example
+ * ```ts
+ * const validator = createJwtValidator({
+ *   authVitalHost: 'https://auth.example.com',
+ *   audience: 'my-client-id', // optional but recommended
+ * });
+ *
+ * const result = await validator.validateToken(token);
+ * if (result.valid) {
+ *   console.log('User:', result.payload.sub);
+ * }
+ * ```
+ */
+declare function createJwtValidator(config: JwtValidatorConfig): JwtValidator;
+interface GetCurrentUserResult$1 {
+    /** Whether the request is authenticated with a valid token */
+    authenticated: boolean;
+    /** The decoded JWT payload (user data) if authenticated */
+    user: JwtPayload | null;
+    /** Error message if authentication failed */
+    error?: string;
+}
+/**
+ * Extract and validate the current user from an Authorization header.
+ * This is the helper for implementing `/api/auth/me` endpoints.
+ *
+ * - Does NOT call the IDP
+ * - Validates JWT signature using cached JWKS (fetches if not cached)
+ * - Returns the decoded JWT payload
+ *
+ * @example
+ * ```ts
+ * import { getCurrentUser, createJwtValidator } from '@authvital/sdk/server';
+ *
+ * // Create a validator (typically once at startup)
+ * const validator = createJwtValidator({
+ *   authVitalHost: process.env.AV_HOST,
+ * });
+ *
+ * // GET /api/auth/me
+ * app.get('/api/auth/me', async (req, res) => {
+ *   const result = await getCurrentUser(req.headers.authorization, validator);
+ *
+ *   if (!result.authenticated) {
+ *     return res.status(401).json({ error: result.error });
+ *   }
+ *
+ *   // Return the decoded JWT claims (no IDP call!)
+ *   res.json(result.user);
+ * });
+ * ```
+ *
+ * @example Next.js API Route
+ * ```ts
+ * import { getCurrentUser, createJwtValidator } from '@authvital/sdk/server';
+ *
+ * const validator = createJwtValidator({ authVitalHost: process.env.AV_HOST });
+ *
+ * export async function GET(request: Request) {
+ *   const result = await getCurrentUser(
+ *     request.headers.get('authorization'),
+ *     validator
+ *   );
+ *
+ *   if (!result.authenticated) {
+ *     return Response.json({ error: result.error }, { status: 401 });
+ *   }
+ *
+ *   return Response.json(result.user);
+ * }
+ * ```
+ */
+declare function getCurrentUser(authorizationHeader: string | null | undefined, validator: JwtValidator): Promise<GetCurrentUserResult$1>;
+/**
+ * Convenience function that creates a validator and gets the current user in one call.
+ * Use this for simple cases; for better performance, create the validator once and reuse it.
+ *
+ * @example
+ * ```ts
+ * import { getCurrentUserFromConfig } from '@authvital/sdk/server';
+ *
+ * // GET /api/auth/me (simple one-liner)
+ * app.get('/api/auth/me', async (req, res) => {
+ *   const result = await getCurrentUserFromConfig(
+ *     req.headers.authorization,
+ *     { authVitalHost: process.env.AV_HOST }
+ *   );
+ *
+ *   if (!result.authenticated) {
+ *     return res.status(401).json({ error: result.error });
+ *   }
+ *
+ *   res.json(result.user);
+ * });
+ * ```
+ */
+declare function getCurrentUserFromConfig(authorizationHeader: string | null | undefined, config: JwtValidatorConfig): Promise<GetCurrentUserResult$1>;
+/**
+ * Express/Connect middleware factory for JWT validation
+ *
+ * @example
+ * ```ts
+ * import { createJwtMiddleware } from '@authvital/sdk/server';
+ *
+ * const requireAuth = createJwtMiddleware({
+ *   authVitalHost: process.env.AV_HOST,
+ * });
+ *
+ * app.get('/api/protected', requireAuth, (req, res) => {
+ *   console.log('User:', req.user);
+ *   res.json({ message: 'Hello!' });
+ * });
+ * ```
+ */
+declare function createJwtMiddleware(config: JwtValidatorConfig): (req: any, res: any, next: any) => Promise<any>;
+/**
+ * Create options for passport-jwt Strategy
+ *
+ * @example
+ * ```ts
+ * import { Strategy as JwtStrategy } from 'passport-jwt';
+ * import { createPassportJwtOptions } from '@authvital/sdk/server';
+ *
+ * const options = await createPassportJwtOptions({
+ *   authVitalHost: process.env.AV_HOST,
+ * });
+ *
+ * passport.use(new JwtStrategy(options, (payload, done) => {
+ *   // payload is the decoded JWT
+ *   done(null, payload);
+ * }));
+ * ```
+ */
+declare function createPassportJwtOptions(config: JwtValidatorConfig): Promise<{
+    jwtFromRequest: (req: any) => string | null;
+    secretOrKeyProvider: (req: any, rawJwt: any, done: any) => void;
+    issuer: string;
+    audience?: string;
+    algorithms: string[];
+}>;
+/**
+ * @authvital/sdk - Base Client
+ *
+ * Shared HTTP utilities, token management, and JWT validation for the AuthVital SDK.
+ * All namespaces extend from this base to access authenticated API calls.
+ */
+interface AuthVitalConfig {
+    /** AuthVital IDP URL (e.g., "https://auth.example.com") */
+    authVitalHost: string;
+    /** OAuth client_id for your application */
+    clientId: string;
+    /** OAuth client_secret for your application */
+    clientSecret: string;
+    /** JWKS cache TTL in seconds (default: 3600 = 1 hour) */
+    jwksCacheTtl?: number;
+    /** Expected audience for JWT validation (defaults to clientId) */
+    audience?: string;
+}
+interface GetCurrentUserResult {
+    /** Whether the request is authenticated with a valid token */
+    authenticated: boolean;
+    /** The decoded JWT payload (user data) if authenticated */
+    user: JwtPayload | null;
+    /** Error message if authentication failed */
+    error?: string;
+}
+interface ValidatedClaims {
+    /** User ID (sub claim) */
+    sub: string;
+    /** Tenant ID (tenant_id claim) - only present if token is tenant-scoped */
+    tenantId: string;
+    /** Tenant subdomain/slug (tenant_subdomain claim) */
+    tenantSubdomain?: string;
+    /** User's email (if email scope was requested) */
+    email?: string;
+    /** User's tenant roles (tenant_roles claim) */
+    tenant_roles?: string[];
+    /** Full JWT payload */
+    payload: JwtPayload;
+}
+type RequestLike = Request | {
+    headers: {
+        authorization?: string;
+        Authorization?: string;
+    };
+} | {
+    headers: Headers;
+} | {
+    headers: {
+        get: (name: string) => string | null;
+    };
+};
+/**
+ * Extract Authorization header from various request types
+ */
+declare function extractAuthorizationHeader(request: RequestLike): string | null;
+/**
+ * Append client_id query parameter to a URI
+ * Handles URIs that already have query params
+ */
+declare function appendClientIdToUri(uri: string | null, clientId: string): string | null;
+/**
+ * Base client with shared HTTP utilities and token management.
+ *
+ * Provides:
+ * - M2M token management (client_credentials flow)
+ * - Authenticated requests (forwarding user JWTs)
+ * - JWT validation and claims extraction
+ */
+declare class BaseClient {
+    readonly config: AuthVitalConfig;
+    readonly jwtValidator: JwtValidator;
+    private accessToken;
+    private tokenExpiresAt;
+    constructor(config: AuthVitalConfig);
+    /**
+     * Validate JWT from an incoming request and return the decoded user.
+     *
+     * - Extracts Authorization header from the request
+     * - Validates JWT signature using cached JWKS (public endpoint, no auth needed)
+     * - Returns decoded JWT payload
+     * - Does NOT call the IDP
+     *
+     * @example
+     * ```ts
+     * // Express
+     * app.get('/api/auth/me', async (req, res) => {
+     *   const { authenticated, user, error } = await authvital.getCurrentUser(req);
+     *   if (!authenticated) return res.status(401).json({ error });
+     *   res.json(user);
+     * });
+     * ```
+     */
+    getCurrentUser(request: RequestLike): Promise<GetCurrentUserResult>;
+    /**
+     * Validate the JWT from an incoming request and extract key claims.
+     *
+     * This is the recommended way to get user/tenant context for API calls.
+     * Throws an error if the token is invalid or missing required claims.
+     *
+     * @param request - The incoming HTTP request (Express, Next.js, Fetch API, etc.)
+     * @returns Validated claims including sub (userId) and tenantId
+     * @throws Error if token is invalid or missing tenant_id claim
+     *
+     * @example
+     * ```ts
+     * // Express
+     * app.get('/api/members', async (req, res) => {
+     *   const claims = await authvital.validateRequest(req);
+     *   const members = await authvital.memberships.listForApplication(claims);
+     *   res.json(members);
+     * });
+     * ```
+     */
+    validateRequest(request: RequestLike): Promise<ValidatedClaims>;
+    /**
+     * Get M2M access token (client_credentials flow)
+     *
+     * Returns cached token if still valid, otherwise fetches a new one.
+     */
+    getAccessToken(): Promise<string>;
+    /**
+     * Make an M2M authenticated request
+     *
+     * Uses client_credentials token for machine-to-machine calls.
+     */
+    request<T>(method: 'GET' | 'POST' | 'PUT' | 'DELETE', path: string, body?: unknown, isRetry?: boolean): Promise<T>;
+    /**
+     * Make an authenticated request using the JWT from the original request
+     *
+     * This version forwards the user's JWT token instead of using the
+     * M2M (client_credentials) token. Used for endpoints that require
+     * user context and validate tenant permissions.
+     *
+     * @param originalRequest - The incoming request with JWT
+     * @param method - HTTP method
+     * @param path - API path
+     * @param body - Request body (for POST/PUT)
+     * @returns Parsed response
+     * @throws Error if request fails or JWT is required
+     */
+    authenticatedRequest<T>(originalRequest: RequestLike, method: 'GET' | 'POST' | 'PUT' | 'DELETE', path: string, body?: unknown): Promise<T>;
+}
+/**
+ * @authvital/sdk - Sessions Namespace (Token Ghosting)
+ *
+ * Manage user sessions: list, revoke specific sessions, or logout everywhere.
+ */
+interface SessionInfo {
+    id: string;
+    createdAt: string;
+    expiresAt: string;
+    userAgent: string | null;
+    ipAddress: string | null;
+    tenant: string | null;
+}
+interface SessionsListResponse {
+    sessions: SessionInfo[];
+    count: number;
+}
+interface SessionRevokeResponse {
+    success: boolean;
+    message: string;
+}
+interface LogoutAllResponse {
+    success: boolean;
+    message: string;
+    count: number;
+}
+/**
+ * Creates the sessions namespace with all session management methods.
+ *
+ * @param client - The base client instance for making authenticated requests
+ * @returns Object containing all session methods
+ */
+declare function createSessionsNamespace(client: BaseClient): {
+    /**
+     * Get all active sessions for the authenticated user
+     *
+     * Returns a list of active sessions with metadata (device info, location, etc.).
+     * Useful for building "manage sessions" UI.
+     *
+     * @example
+     * ```ts
+     * app.get('/api/sessions', async (req, res) => {
+     *   const { sessions, count } = await authvital.sessions.list(req);
+     *   res.json(sessions);
+     * });
+     * ```
+     */
+    list: (request: RequestLike, options?: {
+        applicationId?: string;
+    }) => Promise<SessionsListResponse>;
+    /**
+     * Revoke a specific session by ID
+     *
+     * Call this from "manage sessions" UI to logout a specific device.
+     * User can only revoke their own sessions.
+     *
+     * @example
+     * ```ts
+     * app.post('/api/sessions/:id/revoke', async (req, res) => {
+     *   const result = await authvital.sessions.revoke(req, req.params.id);
+     *   res.json(result);
+     * });
+     * ```
+     */
+    revoke: (request: RequestLike, sessionId: string) => Promise<SessionRevokeResponse>;
+    /**
+     * Revoke ALL sessions for the authenticated user
+     *
+     * Call this when user clicks "logout everywhere".
+     * Revokes all active sessions, forcing re-authentication on all devices.
+     *
+     * @example
+     * ```ts
+     * app.post('/api/logout-all', async (req, res) => {
+     *   const result = await authvital.sessions.revokeAll(req);
+     *   res.json({ message: `Logged out of ${result.count} devices` });
+     * });
+     * ```
+     */
+    revokeAll: (request: RequestLike, options?: {
+        applicationId?: string;
+    }) => Promise<LogoutAllResponse>;
+    /**
+     * Logout current session
+     *
+     * Revokes the session associated with the current refresh token.
+     * Call this for normal logout.
+     *
+     * Note: For browser apps, prefer redirecting to /oauth/logout which
+     * handles cookie clearing automatically.
+     *
+     * @example
+     * ```ts
+     * app.post('/api/logout', async (req, res) => {
+     *   // Get refresh token from cookie or body
+     *   const refreshToken = req.cookies.refresh_token || req.body.refresh_token;
+     *   const result = await authvital.sessions.logout(refreshToken);
+     *   res.clearCookie('refresh_token');
+     *   res.json(result);
+     * });
+     * ```
+     */
+    logout: (refreshToken: string) => Promise<SessionRevokeResponse>;
+};
+type SessionsNamespace = ReturnType<typeof createSessionsNamespace>;
+/**
+ * @authvital/sdk - Server-Side Types
+ *
+ * Clean, well-organized type definitions for the AuthVital server SDK.
+ *
+ * ╔════════════════════════════════════════════════════════════════════════════╗
+ * ║  IMPORTANT: CANONICAL TYPE SYNCHRONIZATION                                  ║
+ * ╠════════════════════════════════════════════════════════════════════════════╣
+ * ║  The following types are COPIES of canonical definitions:                   ║
+ * ║                                                                             ║
+ * ║  - SubscriptionSummary                                                      ║
+ * ║  - SubscriptionStatusType                                                   ║
+ * ║  - MemberWithLicenses                                                       ║
+ * ║  - MembershipStatusType                                                     ║
+ * ║  - AvailableLicenseType                                                     ║
+ * ║  - TenantLicenseOverview                                                    ║
+ * ║                                                                             ║
+ * ║  SOURCE OF TRUTH: backend/src/common/types/licensing.types.ts               ║
+ * ║                                                                             ║
+ * ║  When updating these types, ALWAYS update the canonical source first,       ║
+ * ║  then sync changes here to maintain consistency.                            ║
+ * ╚════════════════════════════════════════════════════════════════════════════╝
+ */
+/**
+ * Subscription status values.
+ * @sync backend/src/common/types/licensing.types.ts
+ */
+type SubscriptionStatusType = 'ACTIVE' | 'TRIALING' | 'PAST_DUE' | 'CANCELED' | 'EXPIRED';
+/**
+ * Membership status values.
+ * @sync backend/src/common/types/licensing.types.ts
+ */
+type MembershipStatusType = 'ACTIVE' | 'INVITED' | 'SUSPENDED';
+/**
+ * Summary of a tenant's subscription (license inventory).
+ * @sync backend/src/common/types/licensing.types.ts
+ */
+interface SubscriptionSummary {
+    id: string;
+    applicationId: string;
+    applicationName: string;
+    licenseTypeId: string;
+    licenseTypeName: string;
+    licenseTypeSlug: string;
+    quantityPurchased: number;
+    quantityAssigned: number;
+    quantityAvailable: number;
+    status: SubscriptionStatusType;
+    currentPeriodEnd: string;
+    features: Record<string, boolean>;
+}
+/**
+ * A tenant member with their license assignments.
+ * @sync backend/src/common/types/licensing.types.ts
+ */
+interface MemberWithLicenses {
+    user: {
+        id: string;
+        email: string | null;
+        givenName: string | null;
+        familyName: string | null;
+    };
+    membership: {
+        id: string;
+        status: MembershipStatusType;
+    };
+    licenses: Array<{
+        id: string;
+        applicationId: string;
+        applicationName: string;
+        licenseTypeId: string;
+        licenseTypeName: string;
+        licenseTypeSlug: string;
+        assignedAt: string;
+    }>;
+}
+/**
+ * A license type available for provisioning.
+ * @sync backend/src/common/types/licensing.types.ts
+ */
+interface AvailableLicenseType {
+    id: string;
+    name: string;
+    slug: string;
+    description: string | null;
+    applicationId: string;
+    applicationName: string;
+    features: Record<string, boolean>;
+    displayOrder: number;
+    hasSubscription: boolean;
+    existingSubscription?: {
+        id: string;
+        quantityPurchased: number;
+        quantityAssigned: number;
+    };
+}
+/**
+ * Full license overview for a tenant.
+ * @sync backend/src/common/types/licensing.types.ts
+ */
+interface TenantLicenseOverview {
+    tenantId: string;
+    subscriptions: SubscriptionSummary[];
+    totalSeatsOwned: number;
+    totalSeatsAssigned: number;
+}
+interface AuthVitalClientConfig {
+    /** AuthVital server URL (e.g., https://auth.yourapp.com) */
+    authVitalHost: string;
+    /** OAuth client_id for your application */
+    clientId: string;
+    /** OAuth client_secret for your application */
+    clientSecret: string;
+    /** Optional: Scopes to request (default: 'system:admin') */
+    scope?: string;
+}
+interface OAuthFlowConfig {
+    /** AuthVital server URL */
+    authVitalHost: string;
+    /** OAuth client_id */
+    clientId: string;
+    /** OAuth client_secret (optional for public clients) */
+    clientSecret?: string;
+    /** OAuth redirect URI */
+    redirectUri: string;
+    /** OAuth scopes */
+    scope?: string;
+}
+interface TokenResponse {
+    access_token: string;
+    token_type: string;
+    expires_in: number;
+    refresh_token?: string;
+    id_token?: string;
+    scope?: string;
+}
+/**
+ * License information included in JWT
+ */
+interface JwtLicenseInfo {
+    /** License type slug (e.g., "pro", "enterprise") */
+    type: string;
+    /** License type display name */
+    name: string;
+    /** Enabled feature keys */
+    features: string[];
+}
+/**
+ * Enhanced JWT payload with OIDC standard claims
+ *
+ * This represents the decoded JWT token contents from AuthVital.
+ * Claims are included based on requested OAuth scopes.
+ */
+interface EnhancedJwtPayload {
+    /** Subject (user ID) */
+    sub: string;
+    /** Audience (client ID) */
+    aud: string | string[];
+    /** Issuer (AuthVital URL) */
+    iss: string;
+    /** Issued at (unix timestamp) */
+    iat: number;
+    /** Expiration (unix timestamp) */
+    exp: number;
+    /** Unique handle - OIDC: preferred_username */
+    preferred_username?: string;
+    /** Full display name - OIDC: name */
+    name?: string;
+    /** First name - OIDC: given_name */
+    given_name?: string;
+    /** Last name - OIDC: family_name */
+    family_name?: string;
+    /** Middle name(s) - OIDC: middle_name */
+    middle_name?: string;
+    /** Casual name - OIDC: nickname */
+    nickname?: string;
+    /** Profile picture URL - OIDC: picture */
+    picture?: string;
+    /** Personal URL - OIDC: website */
+    website?: string;
+    /** Gender identity - OIDC: gender */
+    gender?: string;
+    /** Birth date (YYYY-MM-DD) - OIDC: birthdate */
+    birthdate?: string;
+    /** IANA timezone - OIDC: zoneinfo */
+    zoneinfo?: string;
+    /** Language/region - OIDC: locale */
+    locale?: string;
+    /** Last profile update (unix timestamp) - OIDC: updated_at */
+    updated_at?: number;
+    /** Email address - OIDC: email */
+    email?: string;
+    /** Whether email is verified - OIDC: email_verified */
+    email_verified?: boolean;
+    /** Phone number (E.164) - OIDC: phone_number */
+    phone_number?: string;
+    /** Whether phone is verified - OIDC: phone_number_verified */
+    phone_number_verified?: boolean;
+    /** Current tenant ID (when token is tenant-scoped) */
+    tenant_id?: string;
+    /** Tenant subdomain */
+    tenant_subdomain?: string;
+    /** Tenant-level roles (from TenantRole) */
+    tenant_roles?: string[];
+    /** Tenant-level permissions */
+    tenant_permissions?: string[];
+    /** Application-specific roles (from Role) */
+    app_roles?: string[];
+    /** Application-specific permissions */
+    app_permissions?: string[];
+    /** Groups the user belongs to in the current tenant */
+    groups?: string[];
+    /** License info for current app */
+    license?: JwtLicenseInfo;
+    /** Granted scopes */
+    scope?: string;
+    [key: string]: unknown;
+}
+interface InvitationResponse {
+    /** The user's ID (sub claim in JWT) */
+    sub: string;
+    /** When the invitation expires */
+    expiresAt: string;
+}
+interface PendingInvitation {
+    id: string;
+    email: string;
+    role: string;
+    expiresAt: string;
+    createdAt: string;
+    invitedBy: {
+        id: string;
+        email: string | null;
+        givenName: string | null;
+        familyName: string | null;
+    } | null;
+}
+interface PendingInvitationsResponse {
+    tenantId: string;
+    tenantName: string;
+    invitations: PendingInvitation[];
+    totalCount: number;
+}
+interface SendInvitationParams {
+    email: string;
+    /** User's first name (used if creating new user) */
+    givenName?: string;
+    /** User's last name (used if creating new user) */
+    familyName?: string;
+    /**
+     * Tenant role ID to assign when invitation is accepted.
+     * Required. Get available role IDs from `authvital.memberships.getTenantRoles()`.
+     */
+    roleId: string;
+    expiresInDays?: number;
+    /** Application clientId - determines redirect URL after acceptance */
+    clientId?: string;
+}
+interface ResendInvitationParams {
+    invitationId: string;
+    expiresInDays?: number;
+}
+interface RevokeInvitationResponse {
+    success: boolean;
+    message: string;
+}
+interface MembershipUser {
+    id: string;
+    email: string | null;
+    givenName: string | null;
+    familyName: string | null;
+}
+interface MembershipRole {
+    id: string;
+    name: string;
+    slug: string;
+    applicationId: string;
+    applicationName: string;
+}
+interface TenantMembership {
+    id: string;
+    status: string;
+    joinedAt: string | null;
+    createdAt: string;
+    user: MembershipUser;
+    roles: MembershipRole[];
+}
+interface TenantMembershipsResponse {
+    tenantId: string;
+    tenantName: string;
+    tenantSlug: string;
+    initiateLoginUri: string | null;
+    memberships: TenantMembership[];
+    totalCount: number;
+}
+interface ApplicationMembership {
+    id: string;
+    status: string;
+    joinedAt: string | null;
+    createdAt: string;
+    user: MembershipUser;
+    tenant: {
+        id: string;
+        name: string;
+        slug: string;
+        initiateLoginUri: string | null;
+    };
+    roles: MembershipRole[];
+}
+interface ApplicationMembershipsResponse {
+    applicationId: string;
+    applicationName: string;
+    clientId: string;
+    memberships: ApplicationMembership[];
+    totalCount: number;
+}
+interface ValidateMembershipResponse {
+    isMember: boolean;
+    membership: {
+        id: string;
+        status: string;
+        joinedAt: string | null;
+    } | null;
+}
+interface UserTenantMembership {
+    id: string;
+    status: string;
+    joinedAt: string | null;
+    createdAt: string;
+    tenant: {
+        id: string;
+        name: string;
+        slug: string;
+        initiateLoginUri: string | null;
+    };
+    roles: MembershipRole[];
+}
+interface UserTenantsResponse {
+    userId: string;
+    memberships: UserTenantMembership[];
+    totalCount: number;
+}
+interface TenantRoleDefinition {
+    id: string;
+    name: string;
+    slug: string;
+    description: string | null;
+    isSystem: boolean;
+    permissions: string[];
+}
+interface TenantRolesResponse {
+    roles: TenantRoleDefinition[];
+}
+interface ApplicationRoleDefinition {
+    id: string;
+    name: string;
+    slug: string;
+    description: string | null;
+    isSystem: boolean;
+    permissions: string[];
+}
+interface ApplicationRolesResponse {
+    applicationId: string;
+    applicationName: string;
+    clientId: string;
+    roles: ApplicationRoleDefinition[];
+}
+interface SetMemberRoleResponse {
+    success: boolean;
+    message: string;
+    role: {
+        id: string;
+        name: string;
+        slug: string;
+    };
+}
+interface CheckPermissionParams {
+    userId: string;
+    tenantId: string;
+    permission: string;
+}
+interface CheckPermissionResult {
+    allowed: boolean;
+    reason?: string;
+}
+interface CheckPermissionsParams {
+    userId: string;
+    tenantId: string;
+    permissions: string[];
+}
+interface CheckPermissionsResult {
+    results: Record<string, boolean>;
+    allAllowed: boolean;
+}
+interface UserPermissions {
+    permissions: string[];
+    roles: Array<{
+        id: string;
+        name: string;
+        slug: string;
+    }>;
+}
+/**
+ * Result of checking a quota
+ */
+interface QuotaCheckResult {
+    /** Whether the action is allowed */
+    allowed: boolean;
+    /** Current usage count */
+    currentUsage?: number;
+    /** The limit */
+    limit?: number;
+    /** Reason if not allowed */
+    reason?: string;
+    /** Whether this would trigger overage billing */
+    wouldTriggerOverage?: boolean;
+    /** The overage price ID if applicable */
+    overagePriceId?: string | null;
+}
+/**
+ * Result of checking a feature flag
+ */
+interface FeatureCheckResult {
+    /** Whether the feature is enabled */
+    hasAccess: boolean;
+    /** The license type slug */
+    licenseType: string | null;
+    /** Reason if not enabled */
+    reason?: string;
+}
+/**
+ * User's license assignment info
+ */
+interface UserLicenseAssignment {
+    id: string;
+    userId: string;
+    applicationId: string;
+    applicationName: string;
+    licenseTypeId: string;
+    licenseTypeName: string;
+    licenseTypeSlug: string;
+    features: Record<string, boolean>;
+    assignedAt: string;
+    assignedById?: string;
+}
+/**
+ * Parameters for granting a license (M2M)
+ */
+interface GrantLicenseParams {
+    tenantId: string;
+    userId: string;
+    applicationId: string;
+    licenseTypeId: string;
+}
+/**
+ * Parameters for revoking a license (M2M)
+ */
+interface RevokeLicenseParams {
+    tenantId: string;
+    userId: string;
+    applicationId: string;
+}
+/**
+ * Parameters for changing license type (M2M)
+ */
+interface ChangeLicenseTypeParams {
+    tenantId: string;
+    userId: string;
+    applicationId: string;
+    newLicenseTypeId: string;
+}
+/**
+ * Bulk grant license result
+ */
+interface BulkGrantLicenseResult {
+    userId: string;
+    applicationId: string;
+    success: boolean;
+    error?: string;
+}
+/**
+ * Bulk revoke license result
+ */
+interface BulkRevokeLicenseResult {
+    revokedCount: number;
+    failures: Array<{
+        userId: string;
+        applicationId: string;
+        error: string;
+    }>;
+}
+/**
+ * Main AuthVital SDK client.
+ *
+ * Extends BaseClient with namespaced APIs for:
+ * - Invitations (send, list, resend, revoke)
+ * - Memberships (list, validate, roles)
+ * - Permissions (check, list)
+ * - Entitlements (quotas, features)
+ * - Licenses (grant, revoke, check)
+ * - Sessions (list, revoke, logout)
+ */
+declare class AuthVital extends BaseClient {
+    readonly invitations: {
+        send: (request: RequestLike, params: Omit<SendInvitationParams, "tenantId">) => Promise<InvitationResponse>;
+        listPending: (request: RequestLike) => Promise<PendingInvitationsResponse>;
+        resend: (request: RequestLike, params: ResendInvitationParams) => Promise<{
+            expiresAt: string;
+        }>;
+        revoke: (request: RequestLike, invitationId: string) => Promise<RevokeInvitationResponse>;
+    };
+    readonly memberships: {
+        listForTenant: (request: RequestLike, options?: {
+            status?: "ACTIVE" | "INVITED" | "SUSPENDED";
+            includeRoles?: boolean;
+            appendClientId?: boolean;
+        }) => Promise<TenantMembershipsResponse>;
+        listForApplication: (request: RequestLike, options?: {
+            status?: "ACTIVE" | "INVITED" | "SUSPENDED";
+            appendClientId?: boolean;
+        }) => Promise<ApplicationMembershipsResponse>;
+        validate: (request: RequestLike) => Promise<ValidateMembershipResponse>;
+        listTenantsForUser: (request: RequestLike, options?: {
+            status?: "ACTIVE" | "INVITED" | "SUSPENDED";
+            includeRoles?: boolean;
+            appendClientId?: boolean;
+        }) => Promise<UserTenantsResponse>;
+        getTenantRoles: () => Promise<TenantRolesResponse>;
+        getApplicationRoles: () => Promise<ApplicationRolesResponse>;
+        setMemberRole: (request: RequestLike, membershipId: string, roleSlug: string) => Promise<SetMemberRoleResponse>;
+    };
+    readonly permissions: {
+        check: (request: RequestLike, permission: string) => Promise<CheckPermissionResult>;
+        checkMany: (request: RequestLike, permissions: string[]) => Promise<CheckPermissionsResult>;
+        list: (request: RequestLike) => Promise<UserPermissions>;
+    };
+    readonly entitlements: {
+        canPerform: (request: RequestLike, featureKey: string, _options?: {
+            appScope?: string;
+            incrementCount?: number;
+        }) => Promise<QuotaCheckResult>;
+        decrementUsage: (request: RequestLike, featureKey: string, options?: {
+            appScope?: string;
+            by?: number;
+        }) => Promise<{
+            newUsage: number;
+        }>;
+    };
+    readonly licenses: {
+        getTenantOverview: (tenantId: string) => Promise<TenantLicenseOverview>;
+        getUserLicenses: (tenantId: string, userId: string) => Promise<UserLicenseAssignment[]>;
+        getTenantSubscriptions: (tenantId: string) => Promise<SubscriptionSummary[]>;
+        getMembersWithLicenses: (tenantId: string) => Promise<MemberWithLicenses[]>;
+        getAvailableLicenseTypes: (tenantId: string) => Promise<AvailableLicenseType[]>;
+        grantToUser: (params: GrantLicenseParams) => Promise<UserLicenseAssignment>;
+        revokeFromUser: (params: RevokeLicenseParams) => Promise<void>;
+        changeUserType: (params: ChangeLicenseTypeParams) => Promise<UserLicenseAssignment>;
+        grantBulk: (assignments: GrantLicenseParams[]) => Promise<BulkGrantLicenseResult[]>;
+        revokeBulk: (revocations: RevokeLicenseParams[]) => Promise<BulkRevokeLicenseResult>;
+        grant: (request: RequestLike, options: {
+            userId?: string;
+            applicationId: string;
+            licenseTypeId: string;
+        }) => Promise<LicenseGrantResponse>;
+        revoke: (request: RequestLike, options: {
+            userId?: string;
+            applicationId: string;
+        }) => Promise<LicenseRevokeResponse>;
+        changeType: (request: RequestLike, options: {
+            userId?: string;
+            applicationId: string;
+            newLicenseTypeId: string;
+        }) => Promise<LicenseRevokeResponse>;
+        listForUser: (request: RequestLike, userId?: string) => Promise<UserLicenseListItem[]>;
+        check: (request: RequestLike, userId: string | undefined, applicationId: string) => Promise<LicenseCheckResponse>;
+        hasFeature: (request: RequestLike, userId: string | undefined, applicationId: string, featureKey: string) => Promise<LicenseFeatureResponse>;
+        getAppLicensedUsers: (request: RequestLike, applicationId: string) => Promise<LicensedUser[]>;
+        countLicensedUsers: (request: RequestLike, applicationId: string) => Promise<{
+            count: number;
+        }>;
+        getUserLicenseType: (request: RequestLike, userId: string | undefined, applicationId: string) => Promise<string | null>;
+        getHolders: (request: RequestLike, applicationId: string) => Promise<LicenseHolder[]>;
+        getAuditLog: (request: RequestLike, options?: {
+            userId?: string;
+            applicationId?: string;
+            limit?: number;
+            offset?: number;
+        }) => Promise<LicenseAuditLogResponse>;
+        getUsageOverview: (request: RequestLike) => Promise<UsageOverviewResponse>;
+        getUsageTrends: (request: RequestLike, days?: number) => Promise<UsageTrendEntry[]>;
+    };
+    readonly sessions: {
+        list: (request: RequestLike, options?: {
+            applicationId?: string;
+        }) => Promise<SessionsListResponse>;
+        revoke: (request: RequestLike, sessionId: string) => Promise<SessionRevokeResponse>;
+        revokeAll: (request: RequestLike, options?: {
+            applicationId?: string;
+        }) => Promise<LogoutAllResponse>;
+        logout: (refreshToken: string) => Promise<SessionRevokeResponse>;
+    };
+    /**
+     * Check tenant permission from JWT (no API call)
+     * Returns true if user has the specified tenant permission.
+     *
+     * Reads from the `tenant_permissions` claim in the JWT.
+     * Wildcards are supported (e.g., `licenses:*` matches `licenses:manage`).
+     *
+     * @example
+     * ```ts
+     * if (await authvital.hasTenantPermission(req, 'licenses:manage')) {
+     *   // User can manage licenses - show admin UI
+     * }
+     * ```
+     */
+    hasTenantPermission(request: RequestLike, permission: string): Promise<boolean>;
+    /**
+     * Check app permission from JWT (no API call)
+     * Returns true if user has the specified app permission.
+     *
+     * Reads from the `app_permissions` claim in the JWT.
+     *
+     * @example
+     * ```ts
+     * if (await authvital.hasAppPermission(req, 'projects:create')) {
+     *   // User can create projects
+     * }
+     * ```
+     */
+    hasAppPermission(request: RequestLike, permission: string): Promise<boolean>;
+    /**
+     * Check feature from JWT license claim (no API call)
+     * Returns true if the feature is enabled in the user's license.
+     *
+     * Reads from the `license.features` array in the JWT.
+     *
+     * @example
+     * ```ts
+     * if (await authvital.hasFeatureFromJwt(req, 'sso')) {
+     *   // User's tenant has SSO enabled
+     * }
+     * ```
+     */
+    hasFeatureFromJwt(request: RequestLike, featureKey: string): Promise<boolean>;
+    /**
+     * Get license type from JWT (no API call)
+     * Returns the license type slug (e.g., 'pro', 'enterprise') or null.
+     *
+     * Reads from the `license.type` claim in the JWT.
+     *
+     * @example
+     * ```ts
+     * const licenseType = await authvital.getLicenseTypeFromJwt(req);
+     * if (licenseType === 'enterprise') {
+     *   // Show enterprise features
+     * }
+     * ```
+     */
+    getLicenseTypeFromJwt(request: RequestLike): Promise<string | null>;
+    /**
+     * Get all tenant permissions from JWT (no API call)
+     * Returns the array of tenant permissions granted to the user.
+     *
+     * @example
+     * ```ts
+     * const permissions = await authvital.getTenantPermissions(req);
+     * console.log(permissions); // ['licenses:view', 'members:invite', ...]
+     * ```
+     */
+    getTenantPermissions(request: RequestLike): Promise<string[]>;
+    /**
+     * Get all app permissions from JWT (no API call)
+     * Returns the array of app permissions granted to the user.
+     *
+     * @example
+     * ```ts
+     * const permissions = await authvital.getAppPermissions(req);
+     * console.log(permissions); // ['projects:create', 'datasets:read', ...]
+     * ```
+     */
+    getAppPermissions(request: RequestLike): Promise<string[]>;
+    /**
+     * Get all tenant roles from JWT (no API call)
+     * Returns the array of tenant role slugs for the user.
+     *
+     * @example
+     * ```ts
+     * const roles = await authvital.getTenantRoles(req);
+     * console.log(roles); // ['owner', 'admin']
+     * ```
+     */
+    getTenantRoles(request: RequestLike): Promise<string[]>;
+    /**
+     * Get all app roles from JWT (no API call)
+     * Returns the array of app role slugs for the user.
+     *
+     * @example
+     * ```ts
+     * const roles = await authvital.getAppRoles(req);
+     * console.log(roles); // ['editor', 'viewer']
+     * ```
+     */
+    getAppRoles(request: RequestLike): Promise<string[]>;
+    /**
+     * Get URL for tenant members management page
+     * Extracts tenantId from the request JWT
+     */
+    getMembersUrl(req: RequestLike): Promise<string>;
+    /**
+     * Get URL for tenant applications management page
+     * Extracts tenantId from the request JWT
+     */
+    getApplicationsUrl(req: RequestLike): Promise<string>;
+    /**
+     * Get URL for tenant settings page
+     * Extracts tenantId from the request JWT
+     */
+    getSettingsUrl(req: RequestLike): Promise<string>;
+    /**
+     * Get URL for tenant overview page
+     * Extracts tenantId from the request JWT
+     */
+    getOverviewUrl(req: RequestLike): Promise<string>;
+    /**
+     * Get URL for user account settings page
+     * (Does not require tenantId)
+     */
+    getAccountSettingsUrl(): string;
+    /**
+     * Get all management URLs at once
+     * Extracts tenantId from the request JWT
+     *
+     * @example
+     * ```typescript
+     * const urls = await authvital.getManagementUrls(req);
+     * res.json({ urls });
+     * // {
+     * //   overview: 'https://auth.example.com/tenant/abc/overview',
+     * //   members: 'https://auth.example.com/tenant/abc/members',
+     * //   applications: 'https://auth.example.com/tenant/abc/applications',
+     * //   settings: 'https://auth.example.com/tenant/abc/settings',
+     * //   accountSettings: 'https://auth.example.com/account/settings',
+     * // }
+     * ```
+     */
+    getManagementUrls(req: RequestLike): Promise<{
+        overview: string;
+        members: string;
+        applications: string;
+        settings: string;
+        accountSettings: string;
+    }>;
+}
+/**
+ * Create an AuthVital client instance.
+ *
+ * Configure once at startup, use everywhere.
+ *
+ * @example
+ * ```ts
+ * // lib/authvital.ts
+ * import { createAuthVital } from '@authvital/sdk/server';
+ *
+ * export const authvital = createAuthVital({
+ *   authVitalHost: process.env.AV_HOST!,
+ *   clientId: process.env.AV_CLIENT_ID!,
+ *   clientSecret: process.env.AV_CLIENT_SECRET!,
+ * });
+ *
+ * // Then use it anywhere:
+ * import { authvital } from '@/lib/authvital';
+ *
+ * // Validate JWT from request (uses cached JWKS, no IDP auth needed)
+ * const { user } = await authvital.getCurrentUser(request);
+ *
+ * // M2M calls (uses client_credentials automatically)
+ * const members = await authvital.memberships.listForTenant('tenant-123');
+ * ```
+ */
+declare function createAuthVital(config: AuthVitalConfig): AuthVital;
+/**
+ * @authvital/sdk - Invitations Namespace
+ *
+ * Manage tenant invitations: send, list pending, resend, and revoke.
+ */
+/**
+ * Creates the invitations namespace with all invitation-related methods.
+ *
+ * @param client - The base client instance for making authenticated requests
+ * @returns Object containing all invitation methods
+ */
+declare function createInvitationsNamespace(client: BaseClient): {
+    /**
+     * Send an invitation to join a tenant
+     *
+     * Automatically validates JWT and uses tenantId from it.
+     * If a user with this email already exists, uses that user.
+     * If not, creates a new user with the provided details.
+     * Returns only the user's sub (ID) and invitation expiry for security.
+     *
+     * @example
+     * ```ts
+     * // First, get the role ID from available roles
+     * const { roles } = await authvital.memberships.getTenantRoles();
+     * const adminRole = roles.find(r => r.slug === 'admin');
+     *
+     * const { sub, expiresAt } = await authvital.invitations.send(request, {
+     *   email: 'newuser@example.com',
+     *   givenName: 'John',
+     *   familyName: 'Doe',
+     *   roleId: adminRole?.id,  // Use role ID, not slug
+     * });
+     * // sub = user's ID (can be used in your app's database)
+     * // expiresAt = when the invitation expires
+     * ```
+     */
+    send: (request: RequestLike, params: Omit<SendInvitationParams, "tenantId">) => Promise<InvitationResponse>;
+    /**
+     * Get all pending invitations for a tenant
+     *
+     * Automatically validates JWT and uses tenantId from it.
+     *
+     * @example
+     * ```ts
+     * const { invitations, totalCount } = await authvital.invitations.listPending(request);
+     * ```
+     */
+    listPending: (request: RequestLike) => Promise<PendingInvitationsResponse>;
+    /**
+     * Resend an invitation (generates new token, extends expiry)
+     *
+     * Automatically validates JWT and uses tenantId from it.
+     * Returns the new expiration date
+     *
+     * @example
+     * ```ts
+     * const { expiresAt } = await authvital.invitations.resend(request, {
+     *   invitationId: 'inv-123',
+     *   expiresInDays: 7,
+     * });
+     * ```
+     */
+    resend: (request: RequestLike, params: ResendInvitationParams) => Promise<{
+        expiresAt: string;
+    }>;
+    /**
+     * Revoke an invitation
+     *
+     * @example
+     * ```ts
+     * await authvital.invitations.revoke(request, 'inv-123');
+     * ```
+     */
+    revoke: (request: RequestLike, invitationId: string) => Promise<RevokeInvitationResponse>;
+};
+type InvitationsNamespace = ReturnType<typeof createInvitationsNamespace>;
+/**
+ * @authvital/sdk - Memberships Namespace
+ *
+ * Manage tenant and application memberships, roles, and user access.
+ */
+/**
+ * Creates the memberships namespace with all membership-related methods.
+ *
+ * @param client - The base client instance for making authenticated requests
+ * @returns Object containing all membership methods
+ */
+declare function createMembershipsNamespace(client: BaseClient): {
+    /**
+     * Get all memberships for the authenticated user's tenant
+     *
+     * Automatically validates JWT and uses tenantId from it.
+     *
+     * @param request - The incoming HTTP request
+     * @param options - Optional filters and configuration
+     *
+     * @example
+     * ```ts
+     * app.get('/api/team', async (req, res) => {
+     *   const members = await authvital.memberships.listForTenant(req, {
+     *     status: 'ACTIVE',
+     *   });
+     *   res.json(members);
+     * });
+     * ```
+     */
+    listForTenant: (request: RequestLike, options?: {
+        status?: "ACTIVE" | "INVITED" | "SUSPENDED";
+        includeRoles?: boolean;
+        /** Append client_id to initiateLoginUri using SDK's configured clientId */
+        appendClientId?: boolean;
+    }) => Promise<TenantMembershipsResponse>;
+    /**
+     * Get all memberships for your application in the authenticated user's tenant
+     *
+     * Automatically uses clientId from SDK config and tenantId from the validated JWT.
+     *
+     * @param request - The incoming HTTP request
+     * @param options - Optional filters and configuration
+     *
+     * @example
+     * ```ts
+     * app.get('/api/members', async (req, res) => {
+     *   const { memberships } = await authvital.memberships.listForApplication(req);
+     *   res.json(memberships);
+     * });
+     * ```
+     */
+    listForApplication: (request: RequestLike, options?: {
+        status?: "ACTIVE" | "INVITED" | "SUSPENDED";
+        /** Append client_id to each tenant's initiateLoginUri using SDK's configured clientId */
+        appendClientId?: boolean;
+    }) => Promise<ApplicationMembershipsResponse>;
+    /**
+     * Validate that the authenticated user is a member of their tenant
+     *
+     * @param request - The incoming HTTP request
+     */
+    validate: (request: RequestLike) => Promise<ValidateMembershipResponse>;
+    /**
+     * Get all tenants for the authenticated user
+     *
+     * Returns all tenants the user is a member of, with optional role information.
+     *
+     * @param request - The incoming HTTP request
+     * @param options - Optional filters and configuration
+     *
+     * @example
+     * ```ts
+     * app.get('/api/my-tenants', async (req, res) => {
+     *   const result = await authvital.memberships.listTenantsForUser(req, {
+     *     status: 'ACTIVE',
+     *     appendClientId: true,
+     *   });
+     *   res.json(result.memberships);
+     * });
+     * ```
+     */
+    listTenantsForUser: (request: RequestLike, options?: {
+        status?: "ACTIVE" | "INVITED" | "SUSPENDED";
+        includeRoles?: boolean;
+        /** Append client_id to each tenant's initiateLoginUri using SDK's configured clientId */
+        appendClientId?: boolean;
+    }) => Promise<UserTenantsResponse>;
+    /**
+     * Get all available tenant roles (IDP-level)
+     *
+     * Returns the role definitions (owner, admin, member, etc.) that can be
+     * assigned to memberships. These are instance-wide, not tenant-specific.
+     * Use this to populate a role picker dropdown.
+     *
+     * @example
+     * ```ts
+     * app.get('/api/roles', async (req, res) => {
+     *   const { roles } = await authvital.memberships.getTenantRoles();
+     *   res.json(roles);
+     *   // [{ slug: 'owner', name: 'Owner', ... }, { slug: 'admin', ... }, ...]
+     * });
+     * ```
+     */
+    getTenantRoles: () => Promise<TenantRolesResponse>;
+    /**
+     * Get all roles for your application
+     *
+     * Returns the role definitions (admin, editor, viewer, etc.) specific to
+     * your application. Uses the clientId from SDK config automatically.
+     * Use this to populate a role picker for invite flows or role assignment.
+     *
+     * NOTE: These are APPLICATION-specific roles, different from tenant roles
+     * (owner/admin/member). Application roles are used for fine-grained
+     * permissions within your app.
+     *
+     * @example
+     * ```ts
+     * app.get('/api/app-roles', async (req, res) => {
+     *   const { roles } = await authvital.memberships.getApplicationRoles();
+     *   res.json(roles);
+     *   // [{ slug: 'admin', name: 'Admin', permissions: [...] }, ...]
+     * });
+     *
+     * // Use in invite flow:
+     * const { roles } = await authvital.memberships.getApplicationRoles();
+     * const editorRole = roles.find(r => r.slug === 'editor');
+     * await authvital.invitations.send(request, {
+     *   email: 'user@example.com',
+     *   roleId: editorRole?.id,
+     * });
+     * ```
+     */
+    getApplicationRoles: () => Promise<ApplicationRolesResponse>;
+    /**
+     * Set a member's tenant role (replaces any existing roles)
+     *
+     * Performs a pre-flight check using the caller's JWT to catch obvious
+     * permission violations before calling the IDP. The IDP then does the
+     * full authoritative check (e.g., admin can't demote an owner).
+     *
+     * Role hierarchy: owner > admin > member
+     * - Owners can change anyone's role
+     * - Admins can change admins and members, but cannot touch owners or promote to owner
+     * - Members cannot change roles
+     *
+     * @param request - The incoming HTTP request (used to read caller's JWT)
+     * @param membershipId - The membership to update
+     * @param roleSlug - The role slug to set (e.g., 'admin', 'member', 'owner')
+     *
+     * @example
+     * ```ts
+     * app.put('/api/team/:membershipId/role', async (req, res) => {
+     *   const result = await authvital.memberships.setMemberRole(
+     *     req,
+     *     req.params.membershipId,
+     *     req.body.role, // e.g., 'admin'
+     *   );
+     *   res.json(result.role); // { id, name, slug }
+     * });
+     * ```
+     */
+    setMemberRole: (request: RequestLike, membershipId: string, roleSlug: string) => Promise<SetMemberRoleResponse>;
+};
+type MembershipsNamespace = ReturnType<typeof createMembershipsNamespace>;
+/**
+ * @authvital/sdk - Permissions Namespace
+ *
+ * Check and list user permissions for tenant-scoped operations.
+ */
+/**
+ * Creates the permissions namespace with all permission-related methods.
+ *
+ * @param client - The base client instance for making authenticated requests
+ * @returns Object containing all permission methods
+ */
+declare function createPermissionsNamespace(client: BaseClient): {
+    /**
+     * Check if the authenticated user has a specific permission
+     *
+     * @param request - The incoming HTTP request
+     * @param permission - The permission to check (e.g., 'users:write')
+     *
+     * @example
+     * ```ts
+     * app.post('/api/users', async (req, res) => {
+     *   const { allowed } = await authvital.permissions.check(req, 'users:write');
+     *   if (!allowed) return res.status(403).json({ error: 'Forbidden' });
+     *   // ... create user
+     * });
+     * ```
+     */
+    check: (request: RequestLike, permission: string) => Promise<CheckPermissionResult>;
+    /**
+     * Check multiple permissions at once for the authenticated user
+     *
+     * @param request - The incoming HTTP request
+     * @param permissions - Array of permissions to check
+     *
+     * @example
+     * ```ts
+     * const { results } = await authvital.permissions.checkMany(req, ['users:read', 'users:write']);
+     * // results = { 'users:read': true, 'users:write': false }
+     * ```
+     */
+    checkMany: (request: RequestLike, permissions: string[]) => Promise<CheckPermissionsResult>;
+    /**
+     * Get all permissions for the authenticated user
+     *
+     * @param request - The incoming HTTP request
+     *
+     * @example
+     * ```ts
+     * app.get('/api/my-permissions', async (req, res) => {
+     *   const perms = await authvital.permissions.list(req);
+     *   res.json(perms);
+     * });
+     * ```
+     */
+    list: (request: RequestLike) => Promise<UserPermissions>;
+};
+type PermissionsNamespace = ReturnType<typeof createPermissionsNamespace>;
+/**
+ * @authvital/sdk - Entitlements Namespace (The Gatekeeper 🛡️)
+ *
+ * Check quotas, features, and entitlements for tenant-scoped operations.
+ */
+/**
+ * Creates the entitlements namespace with all entitlement-related methods.
+ *
+ * @param client - The base client instance for making authenticated requests
+ * @returns Object containing all entitlement methods
+ */
+declare function createEntitlementsNamespace(client: BaseClient): {
+    /**
+     * Check if a quota-based action is allowed
+     *
+     * This is the main "gatekeeper" function. Use it before any quota-consuming action.
+     *
+     * @param request - The incoming HTTP request
+     * @param featureKey - The quota to check (e.g., 'seats', 'projects')
+     * @param options - Optional: appScope and incrementCount
+     *
+     * @example
+     * ```ts
+     * // Before adding a team member
+     * const check = await authvital.entitlements.canPerform(req, 'seats');
+     * if (!check.allowed) {
+     *   return res.status(403).json({ error: check.reason });
+     * }
+     * // Add the member...
+     * await authvital.entitlements.incrementUsage(req, 'seats');
+     * ```
+     */
+    canPerform: (request: RequestLike, featureKey: string, _options?: {
+        appScope?: string;
+        incrementCount?: number;
+    }) => Promise<QuotaCheckResult>;
+    /**
+     * Decrement usage for a quota (call after removing resource)
+     *
+     * @param request - The incoming HTTP request
+     * @param featureKey - The quota to decrement (e.g., 'seats')
+     * @param options - Optional: appScope and amount to decrement by
+     *
+     * @example
+     * ```ts
+     * // After removing a team member
+     * await authvital.entitlements.decrementUsage(req, 'seats');
+     * ```
+     */
+    decrementUsage: (request: RequestLike, featureKey: string, options?: {
+        appScope?: string;
+        by?: number;
+    }) => Promise<{
+        newUsage: number;
+    }>;
+};
+type EntitlementsNamespace = ReturnType<typeof createEntitlementsNamespace>;
+/**
+ * @authvital/sdk - License Types
+ *
+ * Shared types for the licenses namespace.
+ */
+interface LicenseGrantResponse {
+    assignmentId: string;
+    message: string;
+}
+interface LicenseRevokeResponse {
+    message: string;
+}
+interface LicenseCheckResponse {
+    hasLicense: boolean;
+    licenseType: string | null;
+    features?: string[];
+}
+interface LicenseFeatureResponse {
+    hasFeature: boolean;
+}
+interface LicensedUser {
+    id: string;
+    userId: string;
+    email: string;
+    licenseType: string;
+}
+interface LicenseHolder {
+    userId: string;
+    userEmail: string;
+    userName?: string;
+    licenseTypeId: string;
+    licenseTypeName: string;
+    assignedAt: string;
+}
+interface LicenseAuditLogEntry {
+    id: string;
+    userId: string;
+    userEmail: string;
+    userName?: string;
+    applicationId: string;
+    applicationName: string;
+    licenseTypeId: string;
+    licenseTypeName: string;
+    action: 'GRANTED' | 'REVOKED' | 'CHANGED';
+    previousLicenseTypeName?: string;
+    performedBy: string;
+    performedAt?: string;
+    reason?: string;
+}
+interface LicenseAuditLogResponse {
+    entries: LicenseAuditLogEntry[];
+    total: number;
+    limit: number;
+    offset: number;
+}
+interface UsageOverviewResponse {
+    tenantId: string;
+    applications: Array<{
+        applicationId: string;
+        applicationName: string;
+        licenseTypeName: string;
+        totalSeats: number;
+        seatsAssigned: number;
+        seatsAvailable: number;
+        utilizationPercentage: number;
+    }>;
+    totalSeatsAcrossAllApps: number;
+    totalSeatsAssigned: number;
+    overallUtilization: number;
+    hasOverage: boolean;
+    overageApplications: string[];
+}
+interface UsageTrendEntry {
+    date: string;
+    seatsAssigned: number;
+    seatsAvailable: number;
+    utilizationPercentage: number;
+}
+interface UserLicenseListItem {
+    id: string;
+    licenseTypeId: string;
+    licenseTypeName: string;
+    licenseTypeSlug: string;
+    applicationId: string;
+    applicationName: string;
+    assignedAt: string;
+}
+/**
+ * Creates the licenses namespace with all license-related methods.
+ *
+ * Combines:
+ * - User-scoped operations (JWT auth): grant, revoke, check, etc.
+ * - Admin operations (M2M): tenant overview, bulk operations, etc.
+ *
+ * @param client - The base client instance for making authenticated requests
+ * @returns Object containing all license methods
+ */
+declare function createLicensesNamespace(client: BaseClient): {
+    getTenantOverview: (tenantId: string) => Promise<TenantLicenseOverview>;
+    getUserLicenses: (tenantId: string, userId: string) => Promise<UserLicenseAssignment[]>;
+    getTenantSubscriptions: (tenantId: string) => Promise<SubscriptionSummary[]>;
+    getMembersWithLicenses: (tenantId: string) => Promise<MemberWithLicenses[]>;
+    getAvailableLicenseTypes: (tenantId: string) => Promise<AvailableLicenseType[]>;
+    grantToUser: (params: GrantLicenseParams) => Promise<UserLicenseAssignment>;
+    revokeFromUser: (params: RevokeLicenseParams) => Promise<void>;
+    changeUserType: (params: ChangeLicenseTypeParams) => Promise<UserLicenseAssignment>;
+    grantBulk: (assignments: GrantLicenseParams[]) => Promise<BulkGrantLicenseResult[]>;
+    revokeBulk: (revocations: RevokeLicenseParams[]) => Promise<BulkRevokeLicenseResult>;
+    grant: (request: RequestLike, options: {
+        userId?: string;
+        applicationId: string;
+        licenseTypeId: string;
+    }) => Promise<LicenseGrantResponse>;
+    revoke: (request: RequestLike, options: {
+        userId?: string;
+        applicationId: string;
+    }) => Promise<LicenseRevokeResponse>;
+    changeType: (request: RequestLike, options: {
+        userId?: string;
+        applicationId: string;
+        newLicenseTypeId: string;
+    }) => Promise<LicenseRevokeResponse>;
+    listForUser: (request: RequestLike, userId?: string) => Promise<UserLicenseListItem[]>;
+    check: (request: RequestLike, userId: string | undefined, applicationId: string) => Promise<LicenseCheckResponse>;
+    hasFeature: (request: RequestLike, userId: string | undefined, applicationId: string, featureKey: string) => Promise<LicenseFeatureResponse>;
+    getAppLicensedUsers: (request: RequestLike, applicationId: string) => Promise<LicensedUser[]>;
+    countLicensedUsers: (request: RequestLike, applicationId: string) => Promise<{
+        count: number;
+    }>;
+    getUserLicenseType: (request: RequestLike, userId: string | undefined, applicationId: string) => Promise<string | null>;
+    getHolders: (request: RequestLike, applicationId: string) => Promise<LicenseHolder[]>;
+    getAuditLog: (request: RequestLike, options?: {
+        userId?: string;
+        applicationId?: string;
+        limit?: number;
+        offset?: number;
+    }) => Promise<LicenseAuditLogResponse>;
+    getUsageOverview: (request: RequestLike) => Promise<UsageOverviewResponse>;
+    getUsageTrends: (request: RequestLike, days?: number) => Promise<UsageTrendEntry[]>;
+};
+type LicensesNamespace = ReturnType<typeof createLicensesNamespace>;
+/**
+ * @authvital/sdk - Server-Side OAuth Flow
+ *
+ * Utilities for implementing OAuth 2.0 Authorization Code Flow with PKCE
+ * on your backend. Use this when you need to handle OAuth callbacks server-side.
+ *
+ * @example
+ * ```ts
+ * import { OAuthFlow } from '@authvital/sdk/server';
+ *
+ * const oauth = new OAuthFlow({
+ *   authVitalHost: process.env.AV_HOST,
+ *   clientId: process.env.AV_CLIENT_ID,
+ *   clientSecret: process.env.AV_CLIENT_SECRET,
+ *   redirectUri: 'https://myapp.com/api/auth/callback',
+ * });
+ *
+ * // GET /api/auth/login
+ * app.get('/api/auth/login', (req, res) => {
+ *   const { authorizeUrl, state, codeVerifier } = oauth.startFlow();
+ *   req.session.oauthState = state;
+ *   req.session.codeVerifier = codeVerifier;
+ *   res.redirect(authorizeUrl);
+ * });
+ *
+ * // GET /api/auth/callback
+ * app.get('/api/auth/callback', async (req, res) => {
+ *   const tokens = await oauth.handleCallback(
+ *     req.query.code,
+ *     req.query.state,
+ *     req.session.oauthState,
+ *     req.session.codeVerifier
+ *   );
+ *   req.session.accessToken = tokens.access_token;
+ *   res.redirect('/dashboard');
+ * });
+ * ```
+ */
+/**
+ * Generate a cryptographically secure code verifier
+ */
+declare function generateCodeVerifier(): string;
+/**
+ * Generate code challenge from verifier (S256 method)
+ */
+declare function generateCodeChallenge(verifier: string): string;
+/**
+ * Generate both PKCE values at once
+ */
+declare function generatePKCE(): {
+    codeVerifier: string;
+    codeChallenge: string;
+};
+/**
+ * Payload structure for OAuth state parameter
+ * Contains CSRF nonce and optional app-specific state
+ */
+interface StatePayload {
+    csrf: string;
+    appState?: string;
+}
+/**
+ * Generate a secure random state for CSRF protection
+ */
+declare function generateState(): string;
+/**
+ * Encode state payload as base64url JSON
+ * Used to pass both CSRF nonce and app-specific state through OAuth flow
+ *
+ * @param csrf - CSRF nonce for security
+ * @param appState - Optional app-specific state (e.g., return URL)
+ */
+declare function encodeState(csrf: string, appState?: string): string;
+/**
+ * Decode state payload from base64url JSON
+ * Returns null if decoding fails (invalid format)
+ *
+ * @param state - The encoded state string from OAuth callback
+ */
+declare function decodeState(state: string): StatePayload | null;
+/**
+ * Encode state with embedded verifier (for stateless mode)
+ * Format: {csrf}:{base64url_verifier}
+ *
+ * Use this if you don't want to store state server-side.
+ */
+declare function encodeStateWithVerifier(csrf: string, codeVerifier: string): string;
+/**
+ * Decode state to extract CSRF and verifier
+ */
+declare function decodeStateWithVerifier(state: string): {
+    csrf: string;
+    codeVerifier: string;
+} | null;
+interface AuthorizeUrlParams {
+    authVitalHost: string;
+    clientId: string;
+    redirectUri: string;
+    state: string;
+    codeChallenge: string;
+    scope?: string;
+    nonce?: string;
+}
+/**
+ * Build the OAuth authorize URL
+ */
+declare function buildAuthorizeUrl(params: AuthorizeUrlParams): string;
+interface TokenExchangeParams {
+    authVitalHost: string;
+    clientId: string;
+    clientSecret?: string;
+    code: string;
+    codeVerifier: string;
+    redirectUri: string;
+}
+/**
+ * Exchange authorization code for tokens (SERVER-TO-SERVER)
+ */
+declare function exchangeCodeForTokens(params: TokenExchangeParams): Promise<TokenResponse>;
+interface RefreshTokenParams {
+    authVitalHost: string;
+    clientId: string;
+    clientSecret?: string;
+    refreshToken: string;
+}
+/**
+ * Refresh access token using refresh token (SERVER-TO-SERVER)
+ */
+declare function refreshAccessToken(params: RefreshTokenParams): Promise<TokenResponse>;
+/**
+ * Decode JWT payload (without verification - for extracting claims only)
+ */
+declare function decodeJwt<T = Record<string, unknown>>(token: string): T | null;
+/**
+ * Helper class for managing the OAuth flow server-side
+ */
+declare class OAuthFlow {
+    private config;
+    constructor(config: OAuthFlowConfig);
+    /**
+     * Start the OAuth flow - generates PKCE, state, and authorize URL
+     *
+     * @param options.appState - Optional app-specific state to pass through OAuth (e.g., return URL)
+     */
+    startFlow(options?: {
+        appState?: string;
+    }): {
+        authorizeUrl: string;
+        state: string;
+        codeVerifier: string;
+        codeChallenge: string;
+    };
+    /**
+     * Handle the OAuth callback - verify state and exchange code for tokens
+     *
+     * @param code - Authorization code from callback
+     * @param receivedState - State parameter from callback URL
+     * @param expectedState - State that was stored when starting the flow
+     * @param codeVerifier - PKCE code verifier that was stored when starting the flow
+     * @returns Token response with optional appState that was passed through
+     * @throws Error if state doesn't match (CSRF) or token exchange fails
+     */
+    handleCallback(code: string, receivedState: string, expectedState: string, codeVerifier: string): Promise<TokenResponse & {
+        appState?: string;
+    }>;
+    /**
+     * Refresh tokens using refresh token
+     */
+    refreshTokens(refreshToken: string): Promise<TokenResponse>;
+}
+/**
+ * @authvital/sdk - Server-Side URL Builders
+ *
+ * Simple URL builders for landing pages, emails, and other non-OAuth contexts.
+ * Use these when you just need a link to the AuthVital login/signup page
+ * WITHOUT the full PKCE ceremony.
+ *
+ * For full OAuth flows with PKCE, use OAuthFlow from './oauth-flow' instead.
+ *
+ * @example
+ * ```ts
+ * import { getSignupUrl, getLoginUrl } from '@authvital/sdk/server';
+ *
+ * // For a "Get Started" button on your landing page
+ * const signupLink = getSignupUrl({
+ *   authVitalHost: 'https://auth.myapp.com',
+ *   clientId: 'my-app',
+ *   redirectUri: 'https://app.myapp.com/dashboard',
+ * });
+ *
+ * // For an email CTA
+ * const loginLink = getLoginUrl({
+ *   authVitalHost: 'https://auth.myapp.com',
+ *   clientId: 'my-app',
+ * });
+ * ```
+ */
+interface AuthUrlOptions {
+    /** AuthVital server URL (e.g., https://auth.myapp.com) */
+    authVitalHost: string;
+    /** OAuth client_id for your application */
+    clientId: string;
+    /** Optional: Where to redirect after auth completes */
+    redirectUri?: string;
+}
+interface SignupUrlOptions extends AuthUrlOptions {
+    /** Optional: Pre-fill the email field */
+    email?: string;
+    /** Optional: Invitation token (for accepting team invites) */
+    inviteToken?: string;
+}
+interface LoginUrlOptions extends AuthUrlOptions {
+    /** Optional: Pre-fill the email field */
+    email?: string;
+    /** Optional: Hint for which tenant to log into */
+    tenantHint?: string;
+}
+/**
+ * Build a signup URL for landing pages, emails, etc.
+ *
+ * This is a simple redirect - NOT a full OAuth flow.
+ * AuthVital will handle the OAuth redirect internally after signup.
+ *
+ * @example
+ * ```ts
+ * // Basic signup link
+ * const url = getSignupUrl({
+ *   authVitalHost: 'https://auth.myapp.com',
+ *   clientId: 'my-app',
+ * });
+ *
+ * // With redirect after signup
+ * const url = getSignupUrl({
+ *   authVitalHost: 'https://auth.myapp.com',
+ *   clientId: 'my-app',
+ *   redirectUri: 'https://app.myapp.com/onboarding',
+ * });
+ *
+ * // With pre-filled email (e.g., from waitlist)
+ * const url = getSignupUrl({
+ *   authVitalHost: 'https://auth.myapp.com',
+ *   clientId: 'my-app',
+ *   email: 'user@example.com',
+ * });
+ *
+ * // For team invite acceptance
+ * const url = getSignupUrl({
+ *   authVitalHost: 'https://auth.myapp.com',
+ *   clientId: 'my-app',
+ *   inviteToken: 'abc123',
+ * });
+ * ```
+ */
+declare function getSignupUrl(options: SignupUrlOptions): string;
+/**
+ * Build a login URL for landing pages, emails, etc.
+ *
+ * This is a simple redirect - NOT a full OAuth flow.
+ * AuthVital will handle the OAuth redirect internally after login.
+ *
+ * @example
+ * ```ts
+ * // Basic login link
+ * const url = getLoginUrl({
+ *   authVitalHost: 'https://auth.myapp.com',
+ *   clientId: 'my-app',
+ * });
+ *
+ * // With redirect after login
+ * const url = getLoginUrl({
+ *   authVitalHost: 'https://auth.myapp.com',
+ *   clientId: 'my-app',
+ *   redirectUri: 'https://app.myapp.com/dashboard',
+ * });
+ *
+ * // With tenant hint (for multi-tenant apps)
+ * const url = getLoginUrl({
+ *   authVitalHost: 'https://auth.myapp.com',
+ *   clientId: 'my-app',
+ *   tenantHint: 'acme-corp',
+ * });
+ * ```
+ */
+declare function getLoginUrl(options: LoginUrlOptions): string;
+/**
+ * Build a password reset URL.
+ *
+ * @example
+ * ```ts
+ * const url = getPasswordResetUrl({
+ *   authVitalHost: 'https://auth.myapp.com',
+ *   clientId: 'my-app',
+ *   email: 'user@example.com',
+ * });
+ * ```
+ */
+declare function getPasswordResetUrl(options: AuthUrlOptions & {
+    email?: string;
+}): string;
+/**
+ * Build an invite acceptance URL.
+ *
+ * Use this when sending team invitation emails.
+ *
+ * @example
+ * ```ts
+ * const url = getInviteAcceptUrl({
+ *   authVitalHost: 'https://auth.myapp.com',
+ *   clientId: 'my-app',
+ *   inviteToken: 'abc123xyz',
+ * });
+ * ```
+ */
+declare function getInviteAcceptUrl(options: AuthUrlOptions & {
+    inviteToken: string;
+}): string;
+interface LogoutUrlOptions {
+    /** AuthVital server URL (e.g., https://auth.myapp.com) */
+    authVitalHost: string;
+    /** Optional: Where to redirect after logout completes. If not provided, shows IDP's logged-out page. */
+    postLogoutRedirectUri?: string;
+}
+/**
+ * Build a logout URL that clears the IDP session.
+ *
+ * Use this when logging out users - it will clear both your app's
+ * cookies AND the IDP session.
+ *
+ * @example
+ * ```ts
+ * // In your logout endpoint - show IDP's logged out page:
+ * const logoutUrl = getLogoutUrl({
+ *   authVitalHost: 'https://auth.myapp.com',
+ * });
+ * res.redirect(logoutUrl);
+ *
+ * // Or redirect back to your app after logout:
+ * const logoutUrl = getLogoutUrl({
+ *   authVitalHost: 'https://auth.myapp.com',
+ *   postLogoutRedirectUri: 'https://myapp.com/',
+ * });
+ * ```
+ */
+declare function getLogoutUrl(options: LogoutUrlOptions): string;
+/**
+ * Get URL for user account settings page (standalone version)
+ *
+ * RECOMMENDED: Use authvital.getAccountSettingsUrl() instead for consistency.
+ * This standalone function is for cases where you don't have an AuthVital client.
+ *
+ * @example
+ * ```typescript
+ * const url = getAccountSettingsUrl(authVitalHost);
+ * // Returns: https://auth.example.com/account/settings
+ * ```
+ */
+declare function getAccountSettingsUrl(authVitalHost: string): string;
+/**
+ * @authvital/sdk - Prisma Schema Snippets
+ *
+ * Copy these model definitions into your schema.prisma file.
+ * The sync handler expects these exact field names.
+ */
+declare const IDENTITY_SCHEMA = "\n// =============================================================================\n// AUTHVITAL IDENTITY (synced from IDP)\n// =============================================================================\n// Copy this into your schema.prisma and customize as needed.\n// The sync handler only touches these base fields.\n\nmodel Identity {\n  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n  // CORE IDENTITY (synced from AuthVital - OIDC Standard Claims)\n  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n  id                String    @id                      // AuthVital subject ID (sub claim)\n  username          String?   @unique                  // Unique handle (@janesmith)\n  displayName       String?   @map(\"display_name\")     // Full name (OIDC: name)\n  givenName         String?   @map(\"given_name\")       // First name\n  familyName        String?   @map(\"family_name\")      // Last name\n  middleName        String?   @map(\"middle_name\")      // Middle name(s)\n  nickname          String?                            // Casual name\n  pictureUrl        String?   @map(\"picture_url\")      // Profile picture URL\n  website           String?                            // Personal URL\n  gender            String?                            // Gender identity\n  birthdate         String?                            // YYYY-MM-DD\n  zoneinfo          String?                            // IANA timezone\n  locale            String?                            // Language (e.g., en-US)\n  \n  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n  // EMAIL SCOPE (OIDC Standard)\n  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n  email             String?   @unique\n  emailVerified     Boolean   @default(false) @map(\"email_verified\")\n  \n  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n  // PHONE SCOPE (OIDC Standard)\n  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n  phone             String?   @unique\n  phoneVerified     Boolean   @default(false) @map(\"phone_verified\")\n  \n  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n  // TENANT CONTEXT (for multi-tenant apps)\n  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n  tenantId          String?   @map(\"tenant_id\")        // Current tenant ID\n  appRole           String?   @map(\"app_role\")         // Role slug (e.g., \"admin\")\n  groups            String[]  @default([])             // Group slugs in tenant\n  \n  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n  // STATUS\n  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n  isActive          Boolean   @default(true) @map(\"is_active\")       // IDP-level: can user log in at all?\n  hasAppAccess      Boolean   @default(true) @map(\"has_app_access\")  // App-level: does user have access to THIS app?\n  \n  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n  // SYNC METADATA\n  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n  syncedAt          DateTime  @default(now()) @map(\"synced_at\")\n  createdAt         DateTime  @default(now()) @map(\"created_at\")\n  updatedAt         DateTime  @updatedAt @map(\"updated_at\")\n  \n  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n  // RELATIONS\n  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n  sessions          IdentitySession[]\n  \n  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n  // ADD YOUR APP-SPECIFIC RELATIONS BELOW\n  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n  // profile         UserProfile?\n  // posts           Post[]\n  \n  @@index([tenantId])\n  @@index([email])\n  @@index([username])\n  @@map(\"av_identities\")\n}\n";
+declare const IDENTITY_SESSION_SCHEMA = "\n// =============================================================================\n// AUTHVITAL IDENTITY SESSION (optional - for session management)\n// =============================================================================\n\nmodel IdentitySession {\n  id              String    @id @default(cuid())\n  identityId      String    @map(\"identity_id\")\n  identity        Identity  @relation(fields: [identityId], references: [id], onDelete: Cascade)\n  \n  authSessionId   String?   @map(\"auth_session_id\")   // AuthVital session ID\n  deviceInfo      String?   @map(\"device_info\")       // Parsed device info\n  ipAddress       String?   @map(\"ip_address\")\n  userAgent       String?   @map(\"user_agent\")\n  \n  createdAt       DateTime  @default(now()) @map(\"created_at\")\n  lastActiveAt    DateTime  @default(now()) @map(\"last_active_at\")\n  expiresAt       DateTime  @map(\"expires_at\")\n  revokedAt       DateTime? @map(\"revoked_at\")\n  \n  @@index([identityId])\n  @@index([authSessionId])\n  @@map(\"av_identity_sessions\")\n}\n";
+/**
+ * Combined schema snippet - both models together
+ */
+declare const FULL_SCHEMA = "\n// =============================================================================\n// AUTHVITAL IDENTITY (synced from IDP)\n// =============================================================================\n// Copy this into your schema.prisma and customize as needed.\n// The sync handler only touches these base fields.\n\nmodel Identity {\n  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n  // CORE IDENTITY (synced from AuthVital - OIDC Standard Claims)\n  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n  id                String    @id                      // AuthVital subject ID (sub claim)\n  username          String?   @unique                  // Unique handle (@janesmith)\n  displayName       String?   @map(\"display_name\")     // Full name (OIDC: name)\n  givenName         String?   @map(\"given_name\")       // First name\n  familyName        String?   @map(\"family_name\")      // Last name\n  middleName        String?   @map(\"middle_name\")      // Middle name(s)\n  nickname          String?                            // Casual name\n  pictureUrl        String?   @map(\"picture_url\")      // Profile picture URL\n  website           String?                            // Personal URL\n  gender            String?                            // Gender identity\n  birthdate         String?                            // YYYY-MM-DD\n  zoneinfo          String?                            // IANA timezone\n  locale            String?                            // Language (e.g., en-US)\n  \n  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n  // EMAIL SCOPE (OIDC Standard)\n  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n  email             String?   @unique\n  emailVerified     Boolean   @default(false) @map(\"email_verified\")\n  \n  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n  // PHONE SCOPE (OIDC Standard)\n  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n  phone             String?   @unique\n  phoneVerified     Boolean   @default(false) @map(\"phone_verified\")\n  \n  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n  // TENANT CONTEXT (for multi-tenant apps)\n  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n  tenantId          String?   @map(\"tenant_id\")        // Current tenant ID\n  appRole           String?   @map(\"app_role\")         // Role slug (e.g., \"admin\")\n  groups            String[]  @default([])             // Group slugs in tenant\n  \n  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n  // STATUS\n  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n  isActive          Boolean   @default(true) @map(\"is_active\")       // IDP-level: can user log in at all?\n  hasAppAccess      Boolean   @default(true) @map(\"has_app_access\")  // App-level: does user have access to THIS app?\n  \n  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n  // SYNC METADATA\n  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n  syncedAt          DateTime  @default(now()) @map(\"synced_at\")\n  createdAt         DateTime  @default(now()) @map(\"created_at\")\n  updatedAt         DateTime  @updatedAt @map(\"updated_at\")\n  \n  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n  // RELATIONS\n  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n  sessions          IdentitySession[]\n  \n  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n  // ADD YOUR APP-SPECIFIC RELATIONS BELOW\n  // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n  // profile         UserProfile?\n  // posts           Post[]\n  \n  @@index([tenantId])\n  @@index([email])\n  @@index([username])\n  @@map(\"av_identities\")\n}\n\n\n\n// =============================================================================\n// AUTHVITAL IDENTITY SESSION (optional - for session management)\n// =============================================================================\n\nmodel IdentitySession {\n  id              String    @id @default(cuid())\n  identityId      String    @map(\"identity_id\")\n  identity        Identity  @relation(fields: [identityId], references: [id], onDelete: Cascade)\n  \n  authSessionId   String?   @map(\"auth_session_id\")   // AuthVital session ID\n  deviceInfo      String?   @map(\"device_info\")       // Parsed device info\n  ipAddress       String?   @map(\"ip_address\")\n  userAgent       String?   @map(\"user_agent\")\n  \n  createdAt       DateTime  @default(now()) @map(\"created_at\")\n  lastActiveAt    DateTime  @default(now()) @map(\"last_active_at\")\n  expiresAt       DateTime  @map(\"expires_at\")\n  revokedAt       DateTime? @map(\"revoked_at\")\n  \n  @@index([identityId])\n  @@index([authSessionId])\n  @@map(\"av_identity_sessions\")\n}\n";
+/**
+ * Print the schema to console (for easy copy-paste)
+ */
+declare function printSchema(): void;
+/**
+ * @authvital/sdk - Identity Sync Types
+ *
+ * TypeScript types matching the Prisma schema snippets.
+ * Use these for type-safe operations with synced identities.
+ *
+ * Follows OIDC Standard Claims:
+ * - Profile Scope: name, given_name, family_name, etc.
+ * - Email Scope: email, email_verified
+ * - Phone Scope: phone_number, phone_number_verified
+ */
+/**
+ * Base identity fields synced from AuthVital (OIDC-compliant)
+ */
+interface IdentityBase {
+    /** AuthVital subject ID (sub claim in JWT) */
+    id: string;
+    /** Unique handle (e.g., @janesmith) - OIDC: preferred_username */
+    username: string | null;
+    /** Full display name - OIDC: name */
+    displayName: string | null;
+    /** First name - OIDC: given_name */
+    givenName: string | null;
+    /** Last name - OIDC: family_name */
+    familyName: string | null;
+    /** Middle name(s) - OIDC: middle_name */
+    middleName: string | null;
+    /** Casual name - OIDC: nickname */
+    nickname: string | null;
+    /** Profile picture URL - OIDC: picture */
+    pictureUrl: string | null;
+    /** Personal/professional URL - OIDC: website */
+    website: string | null;
+    /** Gender identity - OIDC: gender */
+    gender: string | null;
+    /** Birth date in YYYY-MM-DD format - OIDC: birthdate */
+    birthdate: string | null;
+    /** IANA timezone (e.g., America/New_York) - OIDC: zoneinfo */
+    zoneinfo: string | null;
+    /** Language/region (e.g., en-US) - OIDC: locale */
+    locale: string | null;
+    /** Identity's email address - OIDC: email */
+    email: string | null;
+    /** Whether email is verified - OIDC: email_verified */
+    emailVerified: boolean;
+    /** Phone number in E.164 format - OIDC: phone_number */
+    phone: string | null;
+    /** Whether phone is verified - OIDC: phone_number_verified */
+    phoneVerified: boolean;
+    /** Current tenant ID (for multi-tenant apps) */
+    tenantId: string | null;
+    /** Role slug from app_roles claim */
+    appRole: string | null;
+    /** Group slugs in current tenant */
+    groups: string[];
+    /**
+     * Whether the identity is active at the IDP level.
+     * When false, user cannot log into ANY app - all sessions invalidated.
+     * Set via subject.deactivated event.
+     */
+    isActive: boolean;
+    /**
+     * Whether the identity has access to THIS specific app.
+     * When false, user can still log into other apps, just not this one.
+     * Set via app_access.granted/revoked events.
+     */
+    hasAppAccess: boolean;
+    /** Last sync timestamp */
+    syncedAt: Date;
+    /** When the identity was first synced */
+    createdAt: Date;
+    /** Last update timestamp - OIDC: updated_at (as unix timestamp in JWT) */
+    updatedAt: Date;
+}
+/**
+ * Identity for creation (id required, others optional)
+ */
+interface IdentityCreate {
+    id: string;
+    username?: string | null;
+    displayName?: string | null;
+    givenName?: string | null;
+    familyName?: string | null;
+    middleName?: string | null;
+    nickname?: string | null;
+    pictureUrl?: string | null;
+    website?: string | null;
+    gender?: string | null;
+    birthdate?: string | null;
+    zoneinfo?: string | null;
+    locale?: string | null;
+    email?: string | null;
+    emailVerified?: boolean;
+    phone?: string | null;
+    phoneVerified?: boolean;
+    tenantId?: string | null;
+    appRole?: string | null;
+    groups?: string[];
+    isActive?: boolean;
+    hasAppAccess?: boolean;
+}
+/**
+ * Identity for updates (all fields optional)
+ */
+interface IdentityUpdate {
+    username?: string | null;
+    displayName?: string | null;
+    givenName?: string | null;
+    familyName?: string | null;
+    middleName?: string | null;
+    nickname?: string | null;
+    pictureUrl?: string | null;
+    website?: string | null;
+    gender?: string | null;
+    birthdate?: string | null;
+    zoneinfo?: string | null;
+    locale?: string | null;
+    email?: string | null;
+    emailVerified?: boolean;
+    phone?: string | null;
+    phoneVerified?: boolean;
+    tenantId?: string | null;
+    appRole?: string | null;
+    groups?: string[];
+    isActive?: boolean;
+    hasAppAccess?: boolean;
+    syncedAt?: Date;
+}
+/**
+ * Identity session fields
+ */
+interface IdentitySessionBase {
+    id: string;
+    identityId: string;
+    /** AuthVital's session ID (for linking) */
+    authSessionId: string | null;
+    /** Parsed device info (e.g., "Chrome on macOS") */
+    deviceInfo: string | null;
+    /** Client IP address */
+    ipAddress: string | null;
+    /** Raw user agent string */
+    userAgent: string | null;
+    /** When the session was created */
+    createdAt: Date;
+    /** Last activity timestamp */
+    lastActiveAt: Date;
+    /** When the session expires */
+    expiresAt: Date;
+    /** When the session was revoked (null if active) */
+    revokedAt: Date | null;
+}
+/**
+ * Session for creation
+ */
+interface IdentitySessionCreate {
+    identityId: string;
+    authSessionId?: string | null;
+    deviceInfo?: string | null;
+    ipAddress?: string | null;
+    userAgent?: string | null;
+    expiresAt: Date;
+}
+/**
+ * Session for updates
+ */
+interface IdentitySessionUpdate {
+    lastActiveAt?: Date;
+    revokedAt?: Date | null;
+    deviceInfo?: string | null;
+}
+/**
+ * Options for session cleanup
+ */
+interface SessionCleanupOptions {
+    /** Delete sessions expired more than X days ago (default: 30) */
+    expiredOlderThanDays?: number;
+    /** Also delete revoked sessions (default: false - keeps for audit) */
+    deleteRevoked?: boolean;
+    /** Dry run - log what would be deleted without deleting (default: false) */
+    dryRun?: boolean;
+}
+/**
+ * Result of cleanup operation
+ */
+interface SessionCleanupResult {
+    /** Number of sessions deleted (or would be deleted in dry run) */
+    deletedCount: number;
+    /** Whether this was a dry run */
+    dryRun: boolean;
+}
+/**
+ * Minimal Prisma client interface for the sync handler
+ *
+ * This allows the sync handler to work with any Prisma client
+ * that has the expected identity and identitySession models.
+ */
+interface PrismaClientLike {
+    identity: {
+        upsert: (args: {
+            where: {
+                id: string;
+            };
+            create: IdentityCreate;
+            update: IdentityUpdate;
+        }) => Promise<unknown>;
+        update: (args: {
+            where: {
+                id: string;
+            };
+            data: IdentityUpdate;
+        }) => Promise<unknown>;
+        delete: (args: {
+            where: {
+                id: string;
+            };
+        }) => Promise<unknown>;
+    };
+    identitySession: {
+        deleteMany: (args: {
+            where: {
+                OR?: Array<Record<string, unknown>>;
+                expiresAt?: {
+                    lt: Date;
+                };
+                revokedAt?: {
+                    not: null;
+                } | {
+                    lt: Date;
+                };
+            };
+        }) => Promise<{
+            count: number;
+        }>;
+    };
+}
+/**
+ * Function that resolves a Prisma client for a given tenant
+ * Used for tenant-isolated database architectures
+ */
+type PrismaClientResolver = (tenantId: string) => PrismaClientLike | Promise<PrismaClientLike>;
+/**
+ * Either a direct Prisma client (shared DB) or a resolver function (tenant-isolated DBs)
+ */
+type PrismaClientOrResolver = PrismaClientLike | PrismaClientResolver;
+/**
+ * @authvital/sdk - Identity Sync Handler
+ *
+ * Pre-built webhook handler that syncs AuthVital identities to your local database.
+ * Supports all OIDC standard claims.
+ *
+ * @example Single database (shared or single-tenant)
+ * ```typescript
+ * import { IdentitySyncHandler, WebhookRouter } from '@authvital/sdk/server';
+ * import { prisma } from './prisma';
+ *
+ * const handler = new IdentitySyncHandler(prisma);
+ * const router = new WebhookRouter({ handler });
+ * ```
+ *
+ * @example Tenant-isolated databases
+ * ```typescript
+ * import { IdentitySyncHandler, WebhookRouter } from '@authvital/sdk/server';
+ * import { getTenantPrisma } from './db';
+ *
+ * // Pass a resolver function that returns the correct client per tenant
+ * const handler = new IdentitySyncHandler((tenantId) => getTenantPrisma(tenantId));
+ * const router = new WebhookRouter({ handler });
+ * ```
+ */
+/**
+ * Pre-built webhook handler for syncing identities from AuthVital
+ *
+ * Supports two modes:
+ * 1. **Shared DB**: Pass a single Prisma client
+ * 2. **Tenant-isolated DBs**: Pass a resolver function that returns the client per tenant
+ *
+ * Handles:
+ * - subject.created → Creates identity in local DB
+ * - subject.updated → Updates identity in local DB
+ * - subject.deleted → Deletes identity from local DB
+ * - subject.deactivated → Marks identity as inactive
+ * - member.joined → Updates identity's tenant context
+ * - member.left → Clears identity's tenant context
+ * - member.role_changed → Updates identity's tenant role
+ * - app_access.granted → Updates identity's app role
+ * - app_access.revoked → Clears identity's app role
+ * - app_access.role_changed → Updates identity's app role
+ */
+declare class IdentitySyncHandler extends AuthVitalEventHandler {
+    private readonly prismaOrResolver;
+    private readonly isResolver;
+    /**
+     * Create a new identity sync handler
+     *
+     * @param prismaOrResolver - Either a Prisma client (shared DB) or a resolver function (tenant-isolated DBs)
+     *
+     * @example Shared database
+     * ```typescript
+     * new IdentitySyncHandler(prisma)
+     * ```
+     *
+     * @example Tenant-isolated databases
+     * ```typescript
+     * new IdentitySyncHandler((tenantId) => getTenantPrisma(tenantId))
+     * ```
+     */
+    constructor(prismaOrResolver: PrismaClientOrResolver);
+    /**
+     * Get the Prisma client for the given tenant
+     * - Shared DB mode: Returns the single client (tenantId ignored)
+     * - Tenant-isolated mode: Calls resolver with tenantId
+     */
+    private getClient;
+    onSubjectCreated(event: SubjectCreatedEvent): Promise<void>;
+    onSubjectUpdated(event: SubjectUpdatedEvent): Promise<void>;
+    onSubjectDeleted(event: SubjectDeletedEvent): Promise<void>;
+    onSubjectDeactivated(event: SubjectDeactivatedEvent): Promise<void>;
+    onMemberJoined(event: MemberJoinedEvent): Promise<void>;
+    onMemberLeft(event: MemberLeftEvent): Promise<void>;
+    onMemberRoleChanged(event: MemberRoleChangedEvent): Promise<void>;
+    onAppAccessGranted(event: AppAccessGrantedEvent): Promise<void>;
+    onAppAccessRevoked(event: AppAccessRevokedEvent): Promise<void>;
+    onAppAccessRoleChanged(event: AppAccessRoleChangedEvent): Promise<void>;
+}
+/**
+ * @authvital/sdk - Session Cleanup Utility
+ *
+ * Optional utility for cleaning up expired/revoked sessions.
+ * Call this on a schedule (cron job) or manually.
+ *
+ * @example
+ * ```typescript
+ * import { cleanupSessions } from '@authvital/sdk/server';
+ * import { prisma } from './prisma';
+ *
+ * // Run daily via cron
+ * await cleanupSessions(prisma, {
+ *   expiredOlderThanDays: 30,
+ *   deleteRevoked: false, // Keep revoked for audit trail
+ * });
+ * ```
+ */
+/**
+ * Clean up expired and optionally revoked sessions
+ *
+ * @param prisma - Prisma client instance
+ * @param options - Cleanup configuration
+ * @returns Result with count of deleted sessions
+ */
+declare function cleanupSessions(prisma: PrismaClientLike, options?: SessionCleanupOptions): Promise<SessionCleanupResult>;
+/**
+ * Get raw SQL for session cleanup (for use with pg_cron or similar)
+ *
+ * @param options - Cleanup configuration
+ * @returns SQL statement string
+ */
+declare function getCleanupSQL(options?: SessionCleanupOptions): string;
+export { AppAccessGrantedEvent, AppAccessRevokedEvent, AppAccessRoleChangedEvent, type ApplicationMembership, type ApplicationMembershipsResponse, type ApplicationRoleDefinition, type ApplicationRolesResponse, type AuthUrlOptions, AuthVital, type AuthVitalClientConfig, type AuthVitalConfig, AuthVitalEventHandler, type AuthorizeUrlParams, type AvailableLicenseType, BaseClient, type CheckPermissionParams, type CheckPermissionResult, type CheckPermissionsParams, type CheckPermissionsResult, type EnhancedJwtPayload, type EntitlementsNamespace, FULL_SCHEMA, type FeatureCheckResult, type GetCurrentUserResult, IDENTITY_SCHEMA, IDENTITY_SESSION_SCHEMA, type IdentityBase, type IdentityCreate, type IdentitySessionBase, type IdentitySessionCreate, type IdentitySessionUpdate, IdentitySyncHandler, type IdentityUpdate, type InvitationResponse, type InvitationsNamespace, type Jwks, type JwksKey, type JwtHeader, type JwtLicenseInfo, type JwtPayload, JwtValidator, type JwtValidatorConfig, type LicenseAuditLogEntry, type LicenseAuditLogResponse, type LicenseCheckResponse, type LicenseFeatureResponse, type LicenseGrantResponse, type LicenseHolder, type LicenseRevokeResponse, type LicensedUser, type LicensesNamespace, type LoginUrlOptions, type LogoutUrlOptions, MemberJoinedEvent, MemberLeftEvent, MemberRoleChangedEvent, type MemberWithLicenses, type MembershipRole, type MembershipStatusType, type MembershipUser, type MembershipsNamespace, OAuthFlow, type OAuthFlowConfig, type PendingInvitation, type PendingInvitationsResponse, type PermissionsNamespace, type PrismaClientLike, type PrismaClientOrResolver, type PrismaClientResolver, type RefreshTokenParams, type RequestLike, type ResendInvitationParams, type RevokeInvitationResponse, type SendInvitationParams, type SessionCleanupOptions, type SessionCleanupResult, type SessionsNamespace, type SetMemberRoleResponse, type SignupUrlOptions, type StatePayload, SubjectCreatedEvent, SubjectDeactivatedEvent, SubjectDeletedEvent, SubjectUpdatedEvent, type SubscriptionStatusType, type SubscriptionSummary, type TenantLicenseOverview, type TenantMembership, type TenantMembershipsResponse, type TenantRoleDefinition, type TenantRolesResponse, type TokenExchangeParams, type TokenResponse, type UsageOverviewResponse, type UsageTrendEntry, type UserLicenseListItem, type UserPermissions, type UserTenantMembership, type UserTenantsResponse, type ValidateMembershipResponse, type ValidateTokenResult, type ValidatedClaims, appendClientIdToUri, buildAuthorizeUrl, cleanupSessions, createAuthVital, createEntitlementsNamespace, createInvitationsNamespace, createJwtMiddleware, createJwtValidator, createLicensesNamespace, createMembershipsNamespace, createPassportJwtOptions, createPermissionsNamespace, createSessionsNamespace, decodeJwt, decodeState, decodeStateWithVerifier, encodeState, encodeStateWithVerifier, exchangeCodeForTokens, extractAuthorizationHeader, generateCodeChallenge, generateCodeVerifier, generatePKCE, generateState, getAccountSettingsUrl, getCleanupSQL, getCurrentUser, getCurrentUserFromConfig, getInviteAcceptUrl, getLoginUrl, getLogoutUrl, getPasswordResetUrl, getSignupUrl, printSchema, refreshAccessToken };