frameio 3.2.3 → 4.2.0

package/dist/cjs/api/types/index.d.ts

@@ -2,6 +2,13 @@ export * from "./Account.js";
 export * from "./AccountsResponse.js";
 export * from "./AccountUserRole.js";
 export * from "./AccountUserRolesResponse.js";
+export * from "./Action.js";
+export * from "./ActionCreateResponse.js";
+export * from "./ActionInclude.js";
+export * from "./ActionResponse.js";
+export * from "./ActionsWithIncludesResponse.js";
+export * from "./ActionWithIncludes.js";
+export * from "./ActionWithIncludesResponse.js";
 export * from "./AddAssetResponse.js";
 export * from "./Anchor.js";
 export * from "./AssetCommon.js";
@@ -60,6 +67,14 @@ export * from "./FoldersWithIncludesResponse.js";
 export * from "./FolderWithIncludes.js";
 export * from "./FolderWithIncludesResponse.js";
 export * from "./Forbidden.js";
+export * from "./GroupCommon.js";
+export * from "./GroupCommonWithIncludes.js";
+export * from "./GroupResponse.js";
+export * from "./GroupsInclude.js";
+export * from "./GroupsSort.js";
+export * from "./GroupsWithIncludesResponse.js";
+export * from "./GroupWithIncludes.js";
+export * from "./GroupWithIncludesResponse.js";
 export * from "./Include.js";
 export * from "./IncludeTotalCount.js";
 export * from "./IntegerValue.js";
@@ -114,6 +129,7 @@ export * from "./ShareResponse.js";
 export * from "./ShareReviewersResponse.js";
 export * from "./SharesResponse.js";
 export * from "./SingleUserValue.js";
+export * from "./SyncGroupWithIncludes.js";
 export * from "./TextDefinition.js";
 export * from "./TextDefinitionParams.js";
 export * from "./TextDefinitionWithIncludes.js";

package/dist/cjs/api/types/index.js

@@ -18,6 +18,13 @@ __exportStar(require("./Account.js"), exports);
 __exportStar(require("./AccountsResponse.js"), exports);
 __exportStar(require("./AccountUserRole.js"), exports);
 __exportStar(require("./AccountUserRolesResponse.js"), exports);
+__exportStar(require("./Action.js"), exports);
+__exportStar(require("./ActionCreateResponse.js"), exports);
+__exportStar(require("./ActionInclude.js"), exports);
+__exportStar(require("./ActionResponse.js"), exports);
+__exportStar(require("./ActionsWithIncludesResponse.js"), exports);
+__exportStar(require("./ActionWithIncludes.js"), exports);
+__exportStar(require("./ActionWithIncludesResponse.js"), exports);
 __exportStar(require("./AddAssetResponse.js"), exports);
 __exportStar(require("./Anchor.js"), exports);
 __exportStar(require("./AssetCommon.js"), exports);
@@ -76,6 +83,14 @@ __exportStar(require("./FoldersWithIncludesResponse.js"), exports);
 __exportStar(require("./FolderWithIncludes.js"), exports);
 __exportStar(require("./FolderWithIncludesResponse.js"), exports);
 __exportStar(require("./Forbidden.js"), exports);
+__exportStar(require("./GroupCommon.js"), exports);
+__exportStar(require("./GroupCommonWithIncludes.js"), exports);
+__exportStar(require("./GroupResponse.js"), exports);
+__exportStar(require("./GroupsInclude.js"), exports);
+__exportStar(require("./GroupsSort.js"), exports);
+__exportStar(require("./GroupsWithIncludesResponse.js"), exports);
+__exportStar(require("./GroupWithIncludes.js"), exports);
+__exportStar(require("./GroupWithIncludesResponse.js"), exports);
 __exportStar(require("./Include.js"), exports);
 __exportStar(require("./IncludeTotalCount.js"), exports);
 __exportStar(require("./IntegerValue.js"), exports);
@@ -130,6 +145,7 @@ __exportStar(require("./ShareResponse.js"), exports);
 __exportStar(require("./ShareReviewersResponse.js"), exports);
 __exportStar(require("./SharesResponse.js"), exports);
 __exportStar(require("./SingleUserValue.js"), exports);
+__exportStar(require("./SyncGroupWithIncludes.js"), exports);
 __exportStar(require("./TextDefinition.js"), exports);
 __exportStar(require("./TextDefinitionParams.js"), exports);
 __exportStar(require("./TextDefinitionWithIncludes.js"), exports);

package/dist/cjs/index.d.ts

@@ -4,3 +4,7 @@ export { FrameioClient } from "./Client.js";
 export { FrameioEnvironment } from "./environments.js";
 export { FrameioError, FrameioTimeoutError } from "./errors/index.js";
 export * from "./exports.js";
+export { ServerToServerAuth, WebAppAuth, SPAAuth, NativeAppAuth } from "./oauth";
+export type { ServerToServerAuthOptions, WebAppAuthOptions, SPAAuthOptions, NativeAppAuthOptions, AuthorizationUrlResult, BaseAuthOptions, Logger, TokenResponse, ExportedTokens, OnTokenRefreshed, } from "./oauth";
+export { FrameioAuthError, AuthenticationError, TokenExpiredError, NetworkError, RateLimitError, PKCEError, ConfigurationError, } from "./oauth";
+export { noopLogger, DEFAULT_IMS_BASE_URL, buildImsUrls } from "./oauth";

package/dist/cjs/index.js

@@ -36,7 +36,7 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.FrameioTimeoutError = exports.FrameioError = exports.FrameioEnvironment = exports.FrameioClient = exports.Frameio = void 0;
+exports.buildImsUrls = exports.DEFAULT_IMS_BASE_URL = exports.noopLogger = exports.ConfigurationError = exports.PKCEError = exports.RateLimitError = exports.NetworkError = exports.TokenExpiredError = exports.AuthenticationError = exports.FrameioAuthError = exports.NativeAppAuth = exports.SPAAuth = exports.WebAppAuth = exports.ServerToServerAuth = exports.FrameioTimeoutError = exports.FrameioError = exports.FrameioEnvironment = exports.FrameioClient = exports.Frameio = void 0;
 exports.Frameio = __importStar(require("./api/index.js"));
 var Client_js_1 = require("./Client.js");
 Object.defineProperty(exports, "FrameioClient", { enumerable: true, get: function () { return Client_js_1.FrameioClient; } });
@@ -46,3 +46,23 @@ var index_js_1 = require("./errors/index.js");
 Object.defineProperty(exports, "FrameioError", { enumerable: true, get: function () { return index_js_1.FrameioError; } });
 Object.defineProperty(exports, "FrameioTimeoutError", { enumerable: true, get: function () { return index_js_1.FrameioTimeoutError; } });
 __exportStar(require("./exports.js"), exports);
+// Auth flows
+var oauth_1 = require("./oauth");
+Object.defineProperty(exports, "ServerToServerAuth", { enumerable: true, get: function () { return oauth_1.ServerToServerAuth; } });
+Object.defineProperty(exports, "WebAppAuth", { enumerable: true, get: function () { return oauth_1.WebAppAuth; } });
+Object.defineProperty(exports, "SPAAuth", { enumerable: true, get: function () { return oauth_1.SPAAuth; } });
+Object.defineProperty(exports, "NativeAppAuth", { enumerable: true, get: function () { return oauth_1.NativeAppAuth; } });
+// Auth errors
+var oauth_2 = require("./oauth");
+Object.defineProperty(exports, "FrameioAuthError", { enumerable: true, get: function () { return oauth_2.FrameioAuthError; } });
+Object.defineProperty(exports, "AuthenticationError", { enumerable: true, get: function () { return oauth_2.AuthenticationError; } });
+Object.defineProperty(exports, "TokenExpiredError", { enumerable: true, get: function () { return oauth_2.TokenExpiredError; } });
+Object.defineProperty(exports, "NetworkError", { enumerable: true, get: function () { return oauth_2.NetworkError; } });
+Object.defineProperty(exports, "RateLimitError", { enumerable: true, get: function () { return oauth_2.RateLimitError; } });
+Object.defineProperty(exports, "PKCEError", { enumerable: true, get: function () { return oauth_2.PKCEError; } });
+Object.defineProperty(exports, "ConfigurationError", { enumerable: true, get: function () { return oauth_2.ConfigurationError; } });
+// Auth utilities
+var oauth_3 = require("./oauth");
+Object.defineProperty(exports, "noopLogger", { enumerable: true, get: function () { return oauth_3.noopLogger; } });
+Object.defineProperty(exports, "DEFAULT_IMS_BASE_URL", { enumerable: true, get: function () { return oauth_3.DEFAULT_IMS_BASE_URL; } });
+Object.defineProperty(exports, "buildImsUrls", { enumerable: true, get: function () { return oauth_3.buildImsUrls; } });

package/dist/cjs/oauth/BaseAuth.d.ts

@@ -0,0 +1,66 @@
+/**
+ * Base class for all authentication flows.
+ *
+ * Provides shared token management methods: `getToken`, `revoke`,
+ * `exportTokens`, `importTokens`, and the internal `_storeTokens` helper.
+ *
+ * Also consolidates shared constructor options and initialization logic.
+ */
+import type { Logger } from "./logger";
+import { TokenManager, type ExportedTokens, type OnTokenRefreshed, type TokenResponse } from "./TokenManager";
+/** Default fallback when Adobe IMS doesn't return expires_in. */
+export declare const DEFAULT_EXPIRES_IN = 86400;
+/** Options shared by all auth flow constructors. */
+export interface BaseAuthOptions {
+    clientId: string;
+    scopes?: string;
+    /** IMS base URL for staging/alternative environments. Default: production. */
+    imsBaseUrl?: string;
+    /** Custom fetch implementation (for proxy, TLS, etc.). */
+    fetch?: typeof fetch;
+    onTokenRefreshed?: OnTokenRefreshed;
+    /** HTTP request timeout in milliseconds. Default: 30000. */
+    timeout?: number;
+    /** Maximum retries for transient failures. Default: 2. */
+    maxRetries?: number;
+    /** Seconds before expiry to trigger proactive refresh. Default: 60. */
+    refreshBuffer?: number;
+    /** Logger instance for diagnostic output. */
+    logger?: Logger;
+}
+export declare abstract class BaseAuth {
+    protected readonly _clientId: string;
+    protected readonly _clientSecret: string | undefined;
+    protected readonly _tokenManager: TokenManager;
+    protected readonly _timeout: number;
+    protected readonly _logger: Logger;
+    protected readonly _maxRetries: number;
+    protected readonly _revokeUrl: string;
+    protected readonly _authorizeUrl: string;
+    protected readonly _tokenUrl: string;
+    protected readonly _fetch?: typeof fetch;
+    constructor(options: BaseAuthOptions, clientSecret?: string);
+    /**
+     * Subclasses implement this to perform the actual token refresh.
+     * For S2S this re-fetches via client_credentials; for WebApp/SPA
+     * this uses the stored refresh_token.
+     */
+    protected abstract _refresh(): Promise<TokenResponse>;
+    /** Return a valid access token, refreshing if necessary. */
+    getToken(): Promise<string>;
+    /**
+     * Revoke the current access and refresh tokens in parallel.
+     *
+     * Access token revocation may take time to propagate server-side,
+     * but refresh token revocation takes effect immediately.
+     */
+    revoke(): Promise<void>;
+    /** Export current token state for persistence. */
+    exportTokens(): ExportedTokens;
+    /** Restore token state from a previously exported object. */
+    importTokens(data: ExportedTokens): void;
+    /** Update the token manager from an Adobe IMS response. */
+    protected _storeTokens(result: TokenResponse): void;
+    /** Send a token request with the shared options. */
+    protected _tokenRequest(data: Record<string, string>): Promise<TokenResponse>;
+}

package/dist/cjs/oauth/BaseAuth.js

@@ -0,0 +1,113 @@
+"use strict";
+/**
+ * Base class for all authentication flows.
+ *
+ * Provides shared token management methods: `getToken`, `revoke`,
+ * `exportTokens`, `importTokens`, and the internal `_storeTokens` helper.
+ *
+ * Also consolidates shared constructor options and initialization logic.
+ */
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BaseAuth = exports.DEFAULT_EXPIRES_IN = void 0;
+const http_1 = require("./http");
+const errors_1 = require("./errors");
+const logger_1 = require("./logger");
+const TokenManager_1 = require("./TokenManager");
+/** Default fallback when Adobe IMS doesn't return expires_in. */
+exports.DEFAULT_EXPIRES_IN = 86400;
+class BaseAuth {
+    constructor(options, clientSecret) {
+        var _a, _b, _c, _d;
+        if (!options.clientId) {
+            throw new errors_1.ConfigurationError("clientId is required");
+        }
+        this._clientId = options.clientId;
+        this._clientSecret = clientSecret;
+        this._timeout = (_a = options.timeout) !== null && _a !== void 0 ? _a : http_1.DEFAULT_TIMEOUT;
+        this._maxRetries = (_b = options.maxRetries) !== null && _b !== void 0 ? _b : http_1.DEFAULT_MAX_RETRIES;
+        this._logger = (_c = options.logger) !== null && _c !== void 0 ? _c : logger_1.noopLogger;
+        this._fetch = options.fetch;
+        const urls = (0, http_1.buildImsUrls)((_d = options.imsBaseUrl) !== null && _d !== void 0 ? _d : http_1.DEFAULT_IMS_BASE_URL);
+        this._authorizeUrl = urls.authorizeUrl;
+        this._tokenUrl = urls.tokenUrl;
+        this._revokeUrl = urls.revokeUrl;
+        this._tokenManager = new TokenManager_1.TokenManager({
+            refreshFunc: () => this._refresh(),
+            refreshBuffer: options.refreshBuffer,
+            onTokenRefreshed: options.onTokenRefreshed,
+            logger: this._logger,
+        });
+    }
+    // ------------------------------------------------------------------
+    // Public API (shared by all flows)
+    // ------------------------------------------------------------------
+    /** Return a valid access token, refreshing if necessary. */
+    getToken() {
+        return __awaiter(this, void 0, void 0, function* () {
+            return this._tokenManager.getToken();
+        });
+    }
+    /**
+     * Revoke the current access and refresh tokens in parallel.
+     *
+     * Access token revocation may take time to propagate server-side,
+     * but refresh token revocation takes effect immediately.
+     */
+    revoke() {
+        return __awaiter(this, void 0, void 0, function* () {
+            const revokeOpts = {
+                timeout: this._timeout,
+                logger: this._logger,
+                revokeUrl: this._revokeUrl,
+                fetch: this._fetch,
+            };
+            const accessToken = this._tokenManager.accessToken;
+            const refreshToken = this._tokenManager.refreshTokenValue;
+            const revocations = [];
+            if (accessToken) {
+                revocations.push((0, http_1.revokeRequest)(accessToken, this._clientId, this._clientSecret, revokeOpts));
+            }
+            if (refreshToken) {
+                revocations.push((0, http_1.revokeRequest)(refreshToken, this._clientId, this._clientSecret, revokeOpts));
+            }
+            yield Promise.all(revocations);
+            this._tokenManager.clear();
+        });
+    }
+    /** Export current token state for persistence. */
+    exportTokens() {
+        return this._tokenManager.exportTokens();
+    }
+    /** Restore token state from a previously exported object. */
+    importTokens(data) {
+        this._tokenManager.importTokens(data);
+    }
+    // ------------------------------------------------------------------
+    // Helpers
+    // ------------------------------------------------------------------
+    /** Update the token manager from an Adobe IMS response. */
+    _storeTokens(result) {
+        var _a;
+        this._tokenManager.setTokens(result.access_token, (_a = result.expires_in) !== null && _a !== void 0 ? _a : exports.DEFAULT_EXPIRES_IN, result.refresh_token);
+    }
+    /** Send a token request with the shared options. */
+    _tokenRequest(data) {
+        return (0, http_1.tokenRequest)(data, {
+            timeout: this._timeout,
+            maxRetries: this._maxRetries,
+            logger: this._logger,
+            tokenUrl: this._tokenUrl,
+            fetch: this._fetch,
+        });
+    }
+}
+exports.BaseAuth = BaseAuth;

package/dist/cjs/oauth/NativeAppAuth.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Native App authentication (authorization_code + PKCE).
+ *
+ * Use for desktop and mobile applications with custom URI schemes
+ * or loopback redirects.
+ */
+import { SPAAuth, type SPAAuthOptions } from "./SPAAuth";
+export type NativeAppAuthOptions = SPAAuthOptions;
+/**
+ * Authenticate native (desktop / mobile) apps using PKCE.
+ *
+ * Functionally identical to {@link SPAAuth} but allows custom URI scheme
+ * redirect URIs (e.g. `adobe+<hash>://callback`, `myapp://callback`).
+ *
+ * The parent {@link SPAAuth} validates that `http://` redirect URIs only
+ * target loopback addresses, which is also the correct behavior for native
+ * apps. Custom URI schemes and `https://` are always allowed.
+ *
+ * @example
+ * ```ts
+ * const auth = new NativeAppAuth({
+ *   clientId: '...',
+ *   redirectUri: 'myapp://callback',
+ * });
+ * const { url, codeVerifier } = await auth.getAuthorizationUrl({ state: 'random' });
+ * // open system browser to url ...
+ * await auth.exchangeCode({ code: 'CODE', codeVerifier });
+ * const client = new FrameioClient({ token: () => auth.getToken() });
+ * ```
+ */
+export declare class NativeAppAuth extends SPAAuth {
+}

package/dist/cjs/oauth/NativeAppAuth.js

@@ -0,0 +1,35 @@
+"use strict";
+/**
+ * Native App authentication (authorization_code + PKCE).
+ *
+ * Use for desktop and mobile applications with custom URI schemes
+ * or loopback redirects.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NativeAppAuth = void 0;
+const SPAAuth_1 = require("./SPAAuth");
+/**
+ * Authenticate native (desktop / mobile) apps using PKCE.
+ *
+ * Functionally identical to {@link SPAAuth} but allows custom URI scheme
+ * redirect URIs (e.g. `adobe+<hash>://callback`, `myapp://callback`).
+ *
+ * The parent {@link SPAAuth} validates that `http://` redirect URIs only
+ * target loopback addresses, which is also the correct behavior for native
+ * apps. Custom URI schemes and `https://` are always allowed.
+ *
+ * @example
+ * ```ts
+ * const auth = new NativeAppAuth({
+ *   clientId: '...',
+ *   redirectUri: 'myapp://callback',
+ * });
+ * const { url, codeVerifier } = await auth.getAuthorizationUrl({ state: 'random' });
+ * // open system browser to url ...
+ * await auth.exchangeCode({ code: 'CODE', codeVerifier });
+ * const client = new FrameioClient({ token: () => auth.getToken() });
+ * ```
+ */
+class NativeAppAuth extends SPAAuth_1.SPAAuth {
+}
+exports.NativeAppAuth = NativeAppAuth;

package/dist/cjs/oauth/SPAAuth.d.ts

@@ -0,0 +1,38 @@
+/**
+ * Single Page App authentication (authorization_code + PKCE).
+ *
+ * Use for browser-based apps that cannot store a client secret.
+ */
+import { BaseAuth, type BaseAuthOptions } from "./BaseAuth";
+import type { TokenResponse } from "./TokenManager";
+/** Returned by `getAuthorizationUrl` — contains the URL and PKCE verifier. */
+export interface AuthorizationUrlResult {
+    url: string;
+    codeVerifier: string;
+}
+export type SPAAuthOptions = BaseAuthOptions & {
+    redirectUri: string;
+};
+export declare class SPAAuth extends BaseAuth {
+    protected readonly _redirectUri: string;
+    protected readonly _scopes: string;
+    constructor(options: SPAAuthOptions);
+    /**
+     * Build the Adobe IMS authorization URL with PKCE challenge.
+     *
+     * @returns Object with `url` and `codeVerifier` (store the verifier for exchange).
+     */
+    getAuthorizationUrl(options: {
+        state: string;
+    }): Promise<AuthorizationUrlResult>;
+    /**
+     * Exchange an authorization code + PKCE verifier for tokens.
+     */
+    exchangeCode(options: {
+        code: string;
+        codeVerifier: string;
+    }): Promise<TokenResponse>;
+    /** Manually trigger a token refresh. */
+    refresh(): Promise<TokenResponse>;
+    protected _refresh(): Promise<TokenResponse>;
+}

package/dist/cjs/oauth/SPAAuth.js

@@ -0,0 +1,96 @@
+"use strict";
+/**
+ * Single Page App authentication (authorization_code + PKCE).
+ *
+ * Use for browser-based apps that cannot store a client secret.
+ */
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SPAAuth = void 0;
+const BaseAuth_1 = require("./BaseAuth");
+const errors_1 = require("./errors");
+const http_1 = require("./http");
+const pkce_1 = require("./pkce");
+const validation_1 = require("./validation");
+class SPAAuth extends BaseAuth_1.BaseAuth {
+    constructor(options) {
+        var _a;
+        if (!options.redirectUri) {
+            throw new errors_1.ConfigurationError("redirectUri is required");
+        }
+        (0, validation_1.validateRedirectUriScheme)(options.redirectUri);
+        super(options);
+        this._redirectUri = options.redirectUri;
+        this._scopes = (_a = options.scopes) !== null && _a !== void 0 ? _a : http_1.DEFAULT_SCOPES;
+    }
+    /**
+     * Build the Adobe IMS authorization URL with PKCE challenge.
+     *
+     * @returns Object with `url` and `codeVerifier` (store the verifier for exchange).
+     */
+    getAuthorizationUrl(options) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const codeVerifier = (0, pkce_1.generateCodeVerifier)();
+            const codeChallenge = yield (0, pkce_1.generateCodeChallenge)(codeVerifier);
+            const params = new URLSearchParams({
+                client_id: this._clientId,
+                redirect_uri: this._redirectUri,
+                scope: this._scopes,
+                response_type: "code",
+                state: options.state,
+                code_challenge: codeChallenge,
+                code_challenge_method: "S256",
+            });
+            return {
+                url: `${this._authorizeUrl}?${params.toString()}`,
+                codeVerifier,
+            };
+        });
+    }
+    /**
+     * Exchange an authorization code + PKCE verifier for tokens.
+     */
+    exchangeCode(options) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const result = yield this._tokenRequest({
+                grant_type: "authorization_code",
+                client_id: this._clientId,
+                code: options.code,
+                redirect_uri: this._redirectUri,
+                code_verifier: options.codeVerifier,
+            });
+            this._storeTokens(result);
+            return result;
+        });
+    }
+    /** Manually trigger a token refresh. */
+    refresh() {
+        return __awaiter(this, void 0, void 0, function* () {
+            const result = yield this._refresh();
+            this._storeTokens(result);
+            return result;
+        });
+    }
+    _refresh() {
+        return __awaiter(this, void 0, void 0, function* () {
+            const refreshTok = this._tokenManager.refreshTokenValue;
+            if (!refreshTok) {
+                throw new errors_1.ConfigurationError("No refresh token available. Call exchangeCode() first.");
+            }
+            return this._tokenRequest({
+                grant_type: "refresh_token",
+                client_id: this._clientId,
+                refresh_token: refreshTok,
+            });
+        });
+    }
+}
+exports.SPAAuth = SPAAuth;

package/dist/cjs/oauth/ServerToServerAuth.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Server-to-Server authentication (client_credentials grant).
+ *
+ * Use for backend services and scripts with no user interaction.
+ */
+import { BaseAuth, type BaseAuthOptions } from "./BaseAuth";
+import type { TokenResponse } from "./TokenManager";
+export interface ServerToServerAuthOptions extends BaseAuthOptions {
+    clientSecret: string;
+}
+export declare class ServerToServerAuth extends BaseAuth {
+    private readonly _scopes;
+    constructor(options: ServerToServerAuthOptions);
+    /** Explicitly fetch a new access token. */
+    authenticate(): Promise<TokenResponse>;
+    protected _refresh(): Promise<TokenResponse>;
+}

package/dist/cjs/oauth/ServerToServerAuth.js

@@ -0,0 +1,49 @@
+"use strict";
+/**
+ * Server-to-Server authentication (client_credentials grant).
+ *
+ * Use for backend services and scripts with no user interaction.
+ */
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ServerToServerAuth = void 0;
+const BaseAuth_1 = require("./BaseAuth");
+const errors_1 = require("./errors");
+const http_1 = require("./http");
+class ServerToServerAuth extends BaseAuth_1.BaseAuth {
+    constructor(options) {
+        var _a;
+        if (!options.clientSecret) {
+            throw new errors_1.ConfigurationError("clientSecret is required");
+        }
+        super(options, options.clientSecret);
+        this._scopes = (_a = options.scopes) !== null && _a !== void 0 ? _a : http_1.S2S_SCOPES;
+    }
+    /** Explicitly fetch a new access token. */
+    authenticate() {
+        return __awaiter(this, void 0, void 0, function* () {
+            const result = yield this._refresh();
+            this._storeTokens(result);
+            return result;
+        });
+    }
+    _refresh() {
+        return __awaiter(this, void 0, void 0, function* () {
+            return this._tokenRequest({
+                grant_type: "client_credentials",
+                client_id: this._clientId,
+                client_secret: this._clientSecret,
+                scope: this._scopes,
+            });
+        });
+    }
+}
+exports.ServerToServerAuth = ServerToServerAuth;

package/dist/cjs/oauth/TokenManager.d.ts

@@ -0,0 +1,83 @@
+/**
+ * Token lifecycle manager — the core of frameio-auth-sdk.
+ *
+ * Stores access/refresh tokens, checks expiry with a configurable buffer,
+ * and coordinates async-safe automatic refresh.
+ */
+import type { Logger } from "./logger";
+/** Shape returned by refresh functions and token endpoints. */
+export interface TokenResponse {
+    access_token: string;
+    expires_in: number;
+    refresh_token?: string;
+    token_type?: string;
+    scope?: string;
+}
+/** Serialised token state for persistence. */
+export interface ExportedTokens {
+    access_token: string | null;
+    refresh_token: string | null;
+    expires_at: number;
+}
+/** A function that performs the actual token refresh / fetch. */
+export type RefreshFunction = () => Promise<TokenResponse>;
+/** Optional callback fired after every successful token refresh. */
+export type OnTokenRefreshed = (tokens: ExportedTokens) => void;
+export interface TokenManagerOptions {
+    refreshFunc: RefreshFunction;
+    /** Seconds before actual expiry to trigger proactive refresh. Default: 60. */
+    refreshBuffer?: number;
+    /** Called after every successful refresh. */
+    onTokenRefreshed?: OnTokenRefreshed;
+    /** Logger instance for diagnostic output. */
+    logger?: Logger;
+}
+/**
+ * Manages token storage, expiry detection, and auto-refresh.
+ *
+ * Pass `manager.getToken` (bound) to the Frame.io SDK:
+ * ```ts
+ * const client = new FrameioClient({ token: () => auth.getToken() });
+ * ```
+ */
+export declare class TokenManager {
+    private _refreshFunc;
+    private _refreshBuffer;
+    private _onTokenRefreshed?;
+    private _logger;
+    private _accessToken;
+    private _refreshToken;
+    private _expiresAt;
+    /** In-flight refresh promise for deduplication. */
+    private _refreshPromise;
+    /** Set by clear() to prevent an in-flight refresh from restoring tokens. */
+    private _revoked;
+    constructor(options: TokenManagerOptions);
+    /**
+     * Return a valid access token, refreshing if necessary.
+     *
+     * Safe to call concurrently — only one refresh request will fire.
+     */
+    getToken(): Promise<string>;
+    get accessToken(): string | null;
+    get refreshTokenValue(): string | null;
+    get expiresAt(): number;
+    get isExpired(): boolean;
+    /**
+     * Manually set token data (e.g. after initial code exchange).
+     */
+    setTokens(accessToken: string, expiresIn: number, refreshToken?: string): void;
+    /** Export current token state for persistence. */
+    exportTokens(): ExportedTokens;
+    /** Restore token state from a previously exported object. */
+    importTokens(data: ExportedTokens): void;
+    /** Clear all stored tokens and cancel any in-flight refresh. */
+    clear(): void;
+    private _isTokenValid;
+    /**
+     * Async-safe refresh: if a refresh is already in flight, await the
+     * existing promise instead of firing a second request.
+     */
+    private _doRefresh;
+    private _executeRefresh;
+}