workos 5.23.0__py3-none-any.whl → 5.24.0__py3-none-any.whl

workos/__about__.py

@@ -12,7 +12,7 @@ __package_name__ = "workos"
 
 __package_url__ = "https://github.com/workos-inc/workos-python"
 
-__version__ = "5.23.0"
+__version__ = "5.24.0"
 
 __author__ = "WorkOS"
 

workos/async_client.py

@@ -14,6 +14,7 @@ from workos.user_management import AsyncUserManagement
 from workos.utils.http_client import AsyncHTTPClient
 from workos.webhooks import WebhooksModule
 from workos.widgets import WidgetsModule
+from workos.vault import VaultModule
 
 
 class AsyncClient(BaseClient):
@@ -112,3 +113,9 @@ class AsyncClient(BaseClient):
         raise NotImplementedError(
             "Widgets APIs are not yet supported in the async client."
         )
+
+    @property
+    def vault(self) -> VaultModule:
+        raise NotImplementedError(
+            "Vault APIs are not yet supported in the async client."
+        )

workos/client.py

@@ -14,6 +14,7 @@ from workos.events import Events
 from workos.user_management import UserManagement
 from workos.utils.http_client import SyncHTTPClient
 from workos.widgets import Widgets
+from workos.vault import Vault
 
 
 class SyncClient(BaseClient):
@@ -116,3 +117,9 @@ class SyncClient(BaseClient):
         if not getattr(self, "_widgets", None):
             self._widgets = Widgets(http_client=self._http_client)
         return self._widgets
+
+    @property
+    def vault(self) -> Vault:
+        if not getattr(self, "_vault", None):
+            self._vault = Vault(http_client=self._http_client)
+        return self._vault

workos/types/events/event.py

@@ -193,6 +193,18 @@ class OrganizationDomainVerifiedEvent(EventModel[OrganizationDomain]):
     event: Literal["organization_domain.verified"]
 
 
+class OrganizationDomainCreatedEvent(EventModel[OrganizationDomain]):
+    event: Literal["organization_domain.created"]
+
+
+class OrganizationDomainUpdatedEvent(EventModel[OrganizationDomain]):
+    event: Literal["organization_domain.updated"]
+
+
+class OrganizationDomainDeletedEvent(EventModel[OrganizationDomain]):
+    event: Literal["organization_domain.deleted"]
+
+
 class OrganizationMembershipCreatedEvent(EventModel[OrganizationMembership]):
     event: Literal["organization_membership.created"]
 
@@ -272,6 +284,9 @@ Event = Annotated[
         OrganizationCreatedEvent,
         OrganizationDeletedEvent,
         OrganizationUpdatedEvent,
+        OrganizationDomainCreatedEvent,
+        OrganizationDomainDeletedEvent,
+        OrganizationDomainUpdatedEvent,
         OrganizationDomainVerificationFailedEvent,
         OrganizationDomainVerifiedEvent,
         OrganizationMembershipCreatedEvent,

workos/types/events/event_type.py

@@ -36,6 +36,9 @@ EventType = Literal[
     "organization.updated",
     "organization_domain.verification_failed",
     "organization_domain.verified",
+    "organization_domain.created",
+    "organization_domain.deleted",
+    "organization_domain.updated",
     "organization_membership.created",
     "organization_membership.deleted",
     "organization_membership.updated",

workos/types/list_resource.py

@@ -33,6 +33,7 @@ from workos.types.mfa import AuthenticationFactor
 from workos.types.organizations import Organization
 from workos.types.sso import ConnectionWithDomains
 from workos.types.user_management import Invitation, OrganizationMembership, User
+from workos.types.vault import ObjectDigest
 from workos.types.workos_model import WorkOSModel
 from workos.utils.request_helper import DEFAULT_LIST_RESPONSE_LIMIT
 
@@ -51,6 +52,7 @@ ListableResource = TypeVar(
     AuthorizationResource,
     AuthorizationResourceType,
     User,
+    ObjectDigest,
     Warrant,
     WarrantQueryResult,
 )

workos/types/organizations/organization_domain.py

@@ -13,3 +13,6 @@ class OrganizationDomain(WorkOSModel):
     ] = None
     verification_strategy: Optional[LiteralOrUntyped[Literal["manual", "dns"]]] = None
     verification_token: Optional[str] = None
+    verification_prefix: Optional[str] = None
+    created_at: str
+    updated_at: str

workos/types/vault/__init__.py

@@ -0,0 +1,2 @@
+from .key import *
+from .object import *

workos/types/vault/key.py

@@ -0,0 +1,25 @@
+from typing import Dict
+from pydantic import BaseModel, RootModel
+from workos.types.workos_model import WorkOSModel
+
+
+class KeyContext(RootModel[Dict[str, str]]):
+    pass
+
+
+class DataKey(WorkOSModel):
+    id: str
+    key: str
+
+
+class DataKeyPair(WorkOSModel):
+    context: KeyContext
+    data_key: DataKey
+    encrypted_keys: str
+
+
+class DecodedKeys(BaseModel):
+    iv: bytes
+    tag: bytes
+    keys: str  # Base64-encoded string
+    ciphertext: bytes

workos/types/vault/object.py

@@ -0,0 +1,38 @@
+from typing import Optional
+
+from workos.types.workos_model import WorkOSModel
+from workos.types.vault import KeyContext
+
+
+class ObjectDigest(WorkOSModel):
+    id: str
+    name: str
+    updated_at: str
+
+
+class ObjectUpdateBy(WorkOSModel):
+    id: str
+    name: str
+
+
+class ObjectMetadata(WorkOSModel):
+    context: KeyContext
+    environment_id: str
+    id: str
+    key_id: str
+    updated_at: str
+    updated_by: ObjectUpdateBy
+    version_id: str
+
+
+class VaultObject(WorkOSModel):
+    id: str
+    metadata: ObjectMetadata
+    name: str
+    value: Optional[str] = None
+
+
+class ObjectVersion(WorkOSModel):
+    created_at: str
+    current_version: bool
+    id: str

workos/utils/crypto_provider.py

@@ -0,0 +1,39 @@
+import os
+from typing import Optional, Dict
+from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
+from cryptography.hazmat.backends import default_backend
+
+
+class CryptoProvider:
+    def encrypt(
+        self, plaintext: bytes, key: bytes, iv: bytes, aad: Optional[bytes]
+    ) -> Dict[str, bytes]:
+        encryptor = Cipher(
+            algorithms.AES(key), modes.GCM(iv), backend=default_backend()
+        ).encryptor()
+
+        if aad:
+            encryptor.authenticate_additional_data(aad)
+
+        ciphertext = encryptor.update(plaintext) + encryptor.finalize()
+        return {"ciphertext": ciphertext, "iv": iv, "tag": encryptor.tag}
+
+    def decrypt(
+        self,
+        ciphertext: bytes,
+        key: bytes,
+        iv: bytes,
+        tag: bytes,
+        aad: Optional[bytes] = None,
+    ) -> bytes:
+        decryptor = Cipher(
+            algorithms.AES(key), modes.GCM(iv, tag), backend=default_backend()
+        ).decryptor()
+
+        if aad:
+            decryptor.authenticate_additional_data(aad)
+
+        return decryptor.update(ciphertext) + decryptor.finalize()
+
+    def random_bytes(self, n: int) -> bytes:
+        return os.urandom(n)

workos/vault.py

@@ -0,0 +1,515 @@
+import base64
+from typing import Optional, Protocol, Sequence, Tuple
+from workos.types.vault import VaultObject, ObjectVersion, ObjectDigest, ObjectMetadata
+from workos.types.vault.key import DataKey, DataKeyPair, KeyContext, DecodedKeys
+from workos.types.list_resource import (
+    ListArgs,
+    ListMetadata,
+    ListPage,
+    WorkOSListResource,
+)
+from workos.utils.http_client import SyncHTTPClient
+from workos.utils.pagination_order import PaginationOrder
+from workos.utils.request_helper import (
+    DEFAULT_LIST_RESPONSE_LIMIT,
+    REQUEST_METHOD_DELETE,
+    REQUEST_METHOD_GET,
+    REQUEST_METHOD_POST,
+    REQUEST_METHOD_PUT,
+    RequestHelper,
+)
+from workos.utils.crypto_provider import CryptoProvider
+
+DEFAULT_RESPONSE_LIMIT = DEFAULT_LIST_RESPONSE_LIMIT
+
+VaultObjectList = WorkOSListResource[ObjectDigest, ListArgs, ListMetadata]
+
+
+class VaultModule(Protocol):
+    def read_object(self, *, object_id: str) -> VaultObject:
+        """
+        Get a Vault object with the value decrypted.
+
+        Kwargs:
+            object_id (str): The unique identifier for the object.
+        Returns:
+            VaultObject: A vault object with metadata, name and decrypted value.
+        """
+        ...
+
+    def list_objects(
+        self,
+        *,
+        limit: int = DEFAULT_RESPONSE_LIMIT,
+        before: Optional[str] = None,
+        after: Optional[str] = None,
+    ) -> VaultObjectList:
+        """
+        Gets a list of encrypted Vault objects.
+
+        Kwargs:
+            limit (int): The maximum number of objects to return. (Optional)
+            before (str): A cursor to return resources before. (Optional)
+            after (str): A cursor to return resources after. (Optional)
+
+        Returns:
+            VaultObjectList: A list of vault objects with built-in pagination iterator.
+        """
+        ...
+
+    def list_object_versions(
+        self,
+        *,
+        object_id: str,
+    ) -> Sequence[ObjectVersion]:
+        """
+        Gets a list of versions for a specific Vault object.
+
+        Kwargs:
+            object_id (str): The unique identifier for the object.
+
+        Returns:
+            Sequence[ObjectVersion]: A list of object versions.
+        """
+        ...
+
+    def create_object(
+        self,
+        *,
+        name: str,
+        value: str,
+        key_context: KeyContext,
+    ) -> ObjectMetadata:
+        """
+        Create a new Vault encrypted object.
+
+        Kwargs:
+            name (str): The name of the object.
+            value (str): The value to encrypt and store.
+            key_context (KeyContext): A set of key-value dictionary pairs that determines which root keys to use when encrypting data.
+
+        Returns:
+            VaultObject: The created vault object.
+        """
+        ...
+
+    def update_object(
+        self,
+        *,
+        object_id: str,
+        value: str,
+        version_check: Optional[str] = None,
+    ) -> VaultObject:
+        """
+        Update an existing Vault object.
+
+        Kwargs:
+            object_id (str): The unique identifier for the object.
+            value (str): The new value to encrypt and store.
+            version_check (str): A version of the object to prevent clobbering of data during concurrent updates. (Optional)
+
+        Returns:
+            VaultObject: The updated vault object.
+        """
+        ...
+
+    def delete_object(
+        self,
+        *,
+        object_id: str,
+    ) -> None:
+        """
+        Permanently delete a Vault encrypted object. Warning: this cannont be undone.
+
+        Kwargs:
+            object_id (str): The unique identifier for the object.
+        """
+        ...
+
+    def create_data_key(self, *, key_context: KeyContext) -> DataKeyPair:
+        """
+        Generate a data key for local encryption based on the provided key context.
+        The encrypted data key MUST be stored by the application, as it cannot be retrieved after generation.
+
+        Kwargs:
+            key_context (KeyContext): A set of key-value dictionary pairs that determines which root keys to use when encrypting data.
+        """
+        ...
+
+    def decrypt_data_key(
+        self,
+        *,
+        keys: str,
+    ) -> DataKey:
+        """
+        Decrypt encrypted data keys that were previously generated by create_data_key.
+
+        This method takes the encrypted data key blob and uses the WorkOS Vault service
+        to decrypt it, returning the plaintext data key that can be used for local
+        encryption/decryption operations.
+
+        Kwargs:
+            keys (str): The base64-encoded encrypted data key blob returned by create_data_key.
+
+        Returns:
+            DataKey: The decrypted data key containing the key ID and the plaintext key material.
+        """
+        ...
+
+    def encrypt(
+        self,
+        *,
+        data: str,
+        key_context: KeyContext,
+        associated_data: Optional[str] = None,
+    ) -> str:
+        """
+        Encrypt data locally using AES-GCM with a data key derived from the provided context.
+
+        This method generates a new data key for each encryption operation, ensuring that
+        the same plaintext will produce different ciphertext each time it's encrypted.
+        The encrypted data key is embedded in the result so it can be decrypted later.
+
+        Kwargs:
+            data (str): The plaintext data to encrypt.
+            key_context (KeyContext): A set of key-value dictionary pairs that determines which root keys to use when encrypting data.
+            associated_data (str): Additional authenticated data (AAD) that will be authenticated but not encrypted. (Optional)
+
+        Returns:
+            str: Base64-encoded encrypted data containing the IV, authentication tag, encrypted data key, and ciphertext.
+        """
+        ...
+
+    def decrypt(
+        self, *, encrypted_data: str, associated_data: Optional[str] = None
+    ) -> str:
+        """
+        Decrypt data that was previously encrypted using the encrypt method.
+
+        This method extracts the encrypted data key from the encrypted payload,
+        decrypts it using the WorkOS Vault service, and then uses the resulting
+        data key to decrypt the actual data using AES-GCM.
+
+        Kwargs:
+            encrypted_data (str): The base64-encoded encrypted data returned by the encrypt method.
+            associated_data (str): The same additional authenticated data (AAD) that was used during encryption, if any. (Optional)
+
+        Returns:
+            str: The original plaintext data.
+
+        Raises:
+            ValueError: If the encrypted_data format is invalid or if associated_data doesn't match what was used during encryption.
+            cryptography.exceptions.InvalidTag: If the authentication tag verification fails (data has been tampered with).
+        """
+        ...
+
+
+class Vault(VaultModule):
+    _http_client: SyncHTTPClient
+    _crypto_provider: CryptoProvider
+
+    def __init__(self, http_client: SyncHTTPClient):
+        self._http_client = http_client
+        self._crypto_provider = CryptoProvider()
+
+    def read_object(
+        self,
+        *,
+        object_id: str,
+    ) -> VaultObject:
+        if not object_id:
+            raise ValueError("Incomplete arguments: 'object_id' is a required argument")
+
+        response = self._http_client.request(
+            RequestHelper.build_parameterized_url(
+                "vault/v1/kv/{object_id}",
+                object_id=object_id,
+            ),
+            method=REQUEST_METHOD_GET,
+        )
+
+        return VaultObject.model_validate(response)
+
+    def list_objects(
+        self,
+        *,
+        limit: int = DEFAULT_RESPONSE_LIMIT,
+        before: Optional[str] = None,
+        after: Optional[str] = None,
+    ) -> VaultObjectList:
+        list_params: ListArgs = {
+            "limit": limit,
+            "before": before,
+            "after": after,
+        }
+
+        response = self._http_client.request(
+            "vault/v1/kv",
+            method=REQUEST_METHOD_GET,
+            params=list_params,
+        )
+
+        # Ensure object field is present
+        response_dict = dict(response)
+        if "object" not in response_dict:
+            response_dict["object"] = "list"
+
+        return VaultObjectList(
+            list_method=self.list_objects,
+            list_args=list_params,
+            **ListPage[ObjectDigest](**response_dict).model_dump(),
+        )
+
+    def list_object_versions(
+        self,
+        *,
+        object_id: str,
+    ) -> Sequence[ObjectVersion]:
+        response = self._http_client.request(
+            RequestHelper.build_parameterized_url(
+                "vault/v1/kv/{object_id}/versions",
+                object_id=object_id,
+            ),
+            method=REQUEST_METHOD_GET,
+        )
+
+        return [
+            ObjectVersion.model_validate(version)
+            for version in response.get("data", [])
+        ]
+
+    def create_object(
+        self,
+        *,
+        name: str,
+        value: str,
+        key_context: KeyContext,
+    ) -> ObjectMetadata:
+        if not name or not value:
+            raise ValueError(
+                "Incomplete arguments: 'name' and 'value' are required arguments"
+            )
+
+        request_data = {
+            "name": name,
+            "value": value,
+            "key_context": key_context,
+        }
+
+        response = self._http_client.request(
+            "vault/v1/kv",
+            method=REQUEST_METHOD_POST,
+            json=request_data,
+        )
+
+        return ObjectMetadata.model_validate(response)
+
+    def update_object(
+        self,
+        *,
+        object_id: str,
+        value: str,
+        version_check: Optional[str] = None,
+    ) -> VaultObject:
+        if not object_id:
+            raise ValueError("Incomplete arguments: 'object_id' is a required argument")
+
+        request_data = {
+            "value": value,
+        }
+        if version_check is not None:
+            request_data["version_check"] = version_check
+
+        response = self._http_client.request(
+            RequestHelper.build_parameterized_url(
+                "vault/v1/kv/{object_id}",
+                object_id=object_id,
+            ),
+            method=REQUEST_METHOD_PUT,
+            json=request_data,
+        )
+
+        return VaultObject.model_validate(response)
+
+    def delete_object(
+        self,
+        *,
+        object_id: str,
+    ) -> None:
+        if not object_id:
+            raise ValueError("Incomplete arguments: 'object_id' is a required argument")
+
+        self._http_client.request(
+            RequestHelper.build_parameterized_url(
+                "vault/v1/kv/{object_id}",
+                object_id=object_id,
+            ),
+            method=REQUEST_METHOD_DELETE,
+        )
+
+    def create_data_key(self, *, key_context: KeyContext) -> DataKeyPair:
+        request_data = {
+            "context": key_context,
+        }
+
+        response = self._http_client.request(
+            "vault/v1/keys/data-key",
+            method=REQUEST_METHOD_POST,
+            json=request_data,
+        )
+
+        return DataKeyPair.model_validate(
+            {
+                "context": response["context"],
+                "data_key": {"id": response["id"], "key": response["data_key"]},
+                "encrypted_keys": response["encrypted_keys"],
+            }
+        )
+
+    def decrypt_data_key(
+        self,
+        *,
+        keys: str,
+    ) -> DataKey:
+        request_data = {
+            "keys": keys,
+        }
+
+        response = self._http_client.request(
+            "vault/v1/keys/decrypt",
+            method=REQUEST_METHOD_POST,
+            json=request_data,
+        )
+
+        return DataKey.model_validate(
+            {"id": response["id"], "key": response["data_key"]}
+        )
+
+    def encrypt(
+        self,
+        *,
+        data: str,
+        key_context: KeyContext,
+        associated_data: Optional[str] = None,
+    ) -> str:
+        key_pair = self.create_data_key(key_context=key_context)
+
+        key = self._base64_to_bytes(key_pair.data_key.key)
+        key_blob = self._base64_to_bytes(key_pair.encrypted_keys)
+        prefix_len_buffer = self._encode_u32(len(key_blob))
+        aad_buffer = associated_data.encode("utf-8") if associated_data else None
+        iv = self._crypto_provider.random_bytes(12)
+
+        result = self._crypto_provider.encrypt(
+            data.encode("utf-8"), key, iv, aad_buffer
+        )
+
+        combined = (
+            result["iv"]
+            + result["tag"]
+            + prefix_len_buffer
+            + key_blob
+            + result["ciphertext"]
+        )
+
+        return self._bytes_to_base64(combined)
+
+    def decrypt(
+        self, *, encrypted_data: str, associated_data: Optional[str] = None
+    ) -> str:
+        decoded = self._decode(encrypted_data)
+        data_key = self.decrypt_data_key(keys=decoded.keys)
+
+        key = self._base64_to_bytes(data_key.key)
+        aad_buffer = associated_data.encode("utf-8") if associated_data else None
+
+        decrypted_bytes = self._crypto_provider.decrypt(
+            ciphertext=decoded.ciphertext,
+            key=key,
+            iv=decoded.iv,
+            tag=decoded.tag,
+            aad=aad_buffer,
+        )
+
+        return decrypted_bytes.decode("utf-8")
+
+    def _base64_to_bytes(self, data: str) -> bytes:
+        return base64.b64decode(data)
+
+    def _bytes_to_base64(self, data: bytes) -> str:
+        return base64.b64encode(data).decode("utf-8")
+
+    def _encode_u32(self, value: int) -> bytes:
+        """
+        Encode a 32-bit unsigned integer as LEB128.
+
+        Returns:
+            bytes: LEB128-encoded representation of the input value.
+        """
+        if value < 0 or value > 0xFFFFFFFF:
+            raise ValueError("Value must be a 32-bit unsigned integer")
+
+        encoded = bytearray()
+        while True:
+            byte = value & 0x7F
+            value >>= 7
+            if value != 0:
+                byte |= 0x80  # Set continuation bit
+            encoded.append(byte)
+            if value == 0:
+                break
+
+        return bytes(encoded)
+
+    def _decode(self, encrypted_data_b64: str) -> DecodedKeys:
+        """
+        This function extracts IV, tag, keyBlobLength, keyBlob, and ciphertext
+        from a base64-encoded payload.
+        Encoding format: [IV][TAG][4B Length][keyBlob][ciphertext]
+        """
+        try:
+            payload = base64.b64decode(encrypted_data_b64)
+        except Exception as e:
+            raise ValueError("Base64 decoding failed") from e
+
+        iv = payload[0:12]
+        tag = payload[12:28]
+
+        try:
+            key_len, leb_len = self._decode_u32(payload[28:])
+        except Exception as e:
+            raise ValueError("Failed to decode key length") from e
+
+        keys_index = 28 + leb_len
+        keys_end = keys_index + key_len
+        keys_slice = payload[keys_index:keys_end]
+        keys = base64.b64encode(keys_slice).decode("utf-8")
+        ciphertext = payload[keys_end:]
+
+        return DecodedKeys(iv=iv, tag=tag, keys=keys, ciphertext=ciphertext)
+
+    def _decode_u32(self, buf: bytes) -> Tuple[int, int]:
+        """
+        Decode an unsigned LEB128-encoded 32-bit integer from bytes.
+
+        Returns:
+            (value, length_consumed)
+
+        Raises:
+            ValueError if decoding fails or overflows.
+        """
+        res = 0
+        bit = 0
+
+        for i, b in enumerate(buf):
+            if i > 4:
+                raise ValueError("LEB128 integer overflow (was more than 4 bytes)")
+
+            res |= (b & 0x7F) << (7 * bit)
+
+            if (b & 0x80) == 0:
+                return res, i + 1
+
+            bit += 1
+
+        raise ValueError("LEB128 integer not found")

{workos-5.23.0.dist-info → workos-5.24.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: workos
-Version: 5.23.0
+Version: 5.24.0
 Summary: WorkOS Python Client
 Home-page: https://github.com/workos-inc/workos-python
 Author: WorkOS

{workos-5.23.0.dist-info → workos-5.24.0.dist-info}/RECORD

@@ -1,10 +1,10 @@
-workos/__about__.py,sha256=gPnfGwbokmJccKOueu0QsNoiFGUYhHwOVX1_mLa4xzw,406
+workos/__about__.py,sha256=1NsUDPAjsrwknBlghnN-xITmyO39Ieog8l72kRbopYw,406
 workos/__init__.py,sha256=hOdbO_MJCvpLx8EbRjQg-fvFAB-glJmrmxUZK8kWG0k,167
 workos/_base_client.py,sha256=t69Nb3zxo3wygI3JtbPdZMGvIuRPsZx_xZANC5K8dn8,3429
 workos/_client_configuration.py,sha256=g3eXhtrEMN6CW0hZ5uHb2PmLurXjyBkWZeQYMPeJD6s,222
-workos/async_client.py,sha256=ezl6pO2I2eGZnq0jrqD7-C7JKfvBqrsqq4T0cbYndPE,3756
+workos/async_client.py,sha256=JTZwKTN7YqPEScXPh-RmBHCs_glPo2LLfMHXhyBJuak,3957
 workos/audit_logs.py,sha256=bYoAoNO4FRSaT34UxiVkgTXCVH8givcS2YGhH_9O3NA,3983
-workos/client.py,sha256=ESweUKW2ju5dPGFCTUMxjVYgh2txoZ3ZVbxy81i0JcI,3747
+workos/client.py,sha256=jvqccyHJWf302ugopj9mt-IidkWBt_r8jihP0IZ4RUI,3959
 workos/directory_sync.py,sha256=6Z1gHz1LWNy56EtkXwNm6jhRRcvsJ7ASeDLy_Q1oKM0,14601
 workos/events.py,sha256=b4JIzMbd5LlVtpOMKVojC70RCHAgmLN3nJ62_2U0GwI,3892
 workos/exceptions.py,sha256=eoy-T4We98HKZn0UZu33fPzhm4DwafzwLeg3juhC6FE,1732
@@ -17,10 +17,11 @@ workos/py.typed,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 workos/session.py,sha256=CVada-nKRFv9m2-mcghR5VBOguGU76iDCDgQlksOOrQ,11912
 workos/sso.py,sha256=ZBC3y-IRmxG0jPd0BOj7s7XQkXJoTLUg1fx-h3Gfy4g,13541
 workos/user_management.py,sha256=qy21HxYVO40xo7TvCGVxvGWdYIFHZTVnUJTpCQIN2ko,77113
+workos/vault.py,sha256=SJXr3nJ03qJFuf30FjevMD6LLlDNX3MGaKlYGgICRRE,15657
 workos/webhooks.py,sha256=CuwBxh6va9VZFVSXOknveGt6CCGDF3em07a-J12DbXI,4790
 workos/widgets.py,sha256=bfbR0hQOHZabbgGL2ekD5sY1sjiUoWBTdrBd_a6WmBc,1721
 workos/types/__init__.py,sha256=aYScTXq5jOyp0AYvdWffaj5-zdDuNtCCJtbzt5GM19k,267
-workos/types/list_resource.py,sha256=MLfmtevGVpwb38EurJiD5NO-H5mADEp4DitZMiacSO0,6508
+workos/types/list_resource.py,sha256=6N9OoaFsWPCXEX9plVONODxed-Yx6RaX1ga1b15ENIA,6570
 workos/types/metadata.py,sha256=uUqDkGJGyFY3H4JZObSiCfn4jKBue5CBhOqv79TI1n0,52
 workos/types/workos_model.py,sha256=bV_p3baadcUJOU_7f6ysZ6KXhpt3E_93spuZnfJs9vc,735
 workos/types/audit_logs/__init__.py,sha256=daPn8wAVEnlM1fCpOsy3dVZV_0YEp8bA1T_nhk5-pU8,211
@@ -45,9 +46,9 @@ workos/types/events/directory_group_with_previous_attributes.py,sha256=13VLNhdJZ
 workos/types/events/directory_payload.py,sha256=tRo3f9g8VoYertSUPAR25iGDyGLr2Dtb2mTkl73PAeA,503
 workos/types/events/directory_payload_with_legacy_fields.py,sha256=jk9nLmRqgllVkBG4EU3uTgcDOhCNptHgCh93U7aBAYE,1005
 workos/types/events/directory_user_with_previous_attributes.py,sha256=PhnO3WakBxAvnlOGf0UB0bvoppUYlwLyU-g9X_pPdko,244
-workos/types/events/event.py,sha256=OZfsPNDD46-6wWcnAE2HkT5Lt23vGj3o8wz7XfQE2vY,9344
+workos/types/events/event.py,sha256=PDUTGaYlxwMkVKRhj82XMVxfrYzpWVlkQRCRNq-mxlM,9830
 workos/types/events/event_model.py,sha256=r5B_lZ7QXgoI7SGyQF7xNaEEE-ATMRet83pMYYJANuo,3735
-workos/types/events/event_type.py,sha256=jzZ5rlYXKmrHzbnymeMiIqmVF7i1Yvp76zqkCYl6Puo,1585
+workos/types/events/event_type.py,sha256=NIVHMahETiKeFJfZGi-ptHQH7czmRY4tChnuMU0OxWw,1690
 workos/types/events/list_filters.py,sha256=P04zmRynx9VPqNX_MBXA-3KA6flPZJogtIUqTI7w9Eg,305
 workos/types/events/organization_domain_verification_failed_payload.py,sha256=26reKTFxdriOo6fF6MVkYx0s867E-bproKTbwLZcUpE,483
 workos/types/events/previous_attributes.py,sha256=DxolwLwzcnG8r_W6rh5BT29iDfSVsIELvRYJ0NCrNn0,72
@@ -70,7 +71,7 @@ workos/types/organizations/domain_data_input.py,sha256=BW3iYswF-b2SXip7jwPkmlZhg
 workos/types/organizations/list_filters.py,sha256=u-TsEEMVI8IvPvxn_9--k6iYDs4T64RHTY_HY0Fvwlw,179
 workos/types/organizations/organization.py,sha256=GNs7Mf4-B4NpKSsE4uD9106kG6e6yz2EImdgSw9X310,533
 workos/types/organizations/organization_common.py,sha256=HFrXwia3xV6KkAAfW6zyMcjxXrznv82hFajHVHZdhpM,350
-workos/types/organizations/organization_domain.py,sha256=gFumod8dBtTLxmAlD83UuF_96B8lSjwsgwr_OOpvxOY,528
+workos/types/organizations/organization_domain.py,sha256=PkmdVVQi6h94xHWLJt0SFGgiGEVoyxwiPD-WwQ1naWs,614
 workos/types/passwordless/__init__.py,sha256=ZP_XIcGUKXsATb--bfesnsFFbbvg3WYzgqRC_qvW0rw,77
 workos/types/passwordless/passwordless_session.py,sha256=izmTI5F7qvBdoVodaXP7fnYo_XodG-ygyYTPrCEObTM,293
 workos/types/passwordless/passwordless_session_type.py,sha256=ltZAV8KFiYDVcxpVt5Hcdc089tB5VETYaa9X6E7Mvoo,75
@@ -101,6 +102,9 @@ workos/types/user_management/screen_hint.py,sha256=DnPgvjRK-20i82v3YPzggna1rc6yO
 workos/types/user_management/session.py,sha256=pyINOo_a53rxtZ-gGYOZziNHoZzc7s56evKgVAPIgMo,1390
 workos/types/user_management/user.py,sha256=aXRHsLXnQbXWBPRTdAP9Ym_-D9hjmrp_E4PTPi1gF1s,603
 workos/types/user_management/user_management_provider_type.py,sha256=UEjtcs9oeDvL9248bFy8nRfzutA6aBfhVMuMByG0qsM,145
+workos/types/vault/__init__.py,sha256=krBuIl8luysrtDf9-b8KTkXOHDOaSsOR-Aao6Wlil0Q,41
+workos/types/vault/key.py,sha256=x30XBplSj9AviDDAB8MdpcULbZvvo2sUzi8RCmZQKxU,453
+workos/types/vault/object.py,sha256=-rk4KovS3eT8T8L3JltYUS0cd2Rg1JKcAX9SOaZO3D8,664
 workos/types/webhooks/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 workos/types/webhooks/webhook.py,sha256=IIDhlGTwiNm3xEncSk-OYm0EZsxwXmxDT5_jKx_Bt60,9523
 workos/types/webhooks/webhook_model.py,sha256=v7Hgtzt0nW_5RaYoB_QGVfElhdjySuG3F1BFjoid36w,404
@@ -115,11 +119,12 @@ workos/typing/untyped_literal.py,sha256=wf48_6kZJ-AN3-V2gLC_y5k2tnUvgGnhn89HsfOK
 workos/typing/webhooks.py,sha256=8GhUnrlGrgQbknh32tVtHxeR8FsXsJesW94CtZiB-_4,534
 workos/utils/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 workos/utils/_base_http_client.py,sha256=KqRHUaDJUfXGxhu6UHLfZVkIBikcvrUZYhm9GBSByB4,7410
+workos/utils/crypto_provider.py,sha256=QeQSR4t9xLlb90kEfl8onVUsf1yCkYq0EjFTxK0mUlk,1182
 workos/utils/http_client.py,sha256=TM5yMFFExmAE8D2Z43-5O301tRbnylLG0aXO0isGorE,6197
 workos/utils/pagination_order.py,sha256=_-et1DDJLG0czarTU7op4W6RA0V1f85GNsUgtyRU55Q,70
 workos/utils/request_helper.py,sha256=NaO16qPPbSNnCeE0fiNKYb8gM-dK_okYVJbLGrEGXz8,793
-workos-5.23.0.dist-info/LICENSE,sha256=mU--WL1JzelH2tXpKVoOlpud4cpqKSRTtdArCvYZmb4,1063
-workos-5.23.0.dist-info/METADATA,sha256=6axcTXs8vYKZ4CLs32aIC1znvQQGb0If40EnWk30_fk,4187
-workos-5.23.0.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
-workos-5.23.0.dist-info/top_level.txt,sha256=ZFskIfue1Tw-JwjyIXRvdsAl9i0DX9VbqmgICXV84Sk,7
-workos-5.23.0.dist-info/RECORD,,
+workos-5.24.0.dist-info/LICENSE,sha256=mU--WL1JzelH2tXpKVoOlpud4cpqKSRTtdArCvYZmb4,1063
+workos-5.24.0.dist-info/METADATA,sha256=7uWspjP8xJKGOnVXxi5BPXCpCwQAGy1pUQlrWMGVMPg,4187
+workos-5.24.0.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
+workos-5.24.0.dist-info/top_level.txt,sha256=ZFskIfue1Tw-JwjyIXRvdsAl9i0DX9VbqmgICXV84Sk,7
+workos-5.24.0.dist-info/RECORD,,