workos 5.23.0__py3-none-any.whl → 5.26.0__py3-none-any.whl

workos/__about__.py

@@ -12,7 +12,7 @@ __package_name__ = "workos"
 
 __package_url__ = "https://github.com/workos-inc/workos-python"
 
-__version__ = "5.23.0"
+__version__ = "5.26.0"
 
 __author__ = "WorkOS"
 

workos/_base_client.py

@@ -11,6 +11,7 @@ from workos.directory_sync import DirectorySyncModule
 from workos.events import EventsModule
 from workos.mfa import MFAModule
 from workos.organizations import OrganizationsModule
+from workos.organization_domains import OrganizationDomainsModule
 from workos.passwordless import PasswordlessModule
 from workos.portal import PortalModule
 from workos.sso import SSOModule
@@ -88,6 +89,10 @@ class BaseClient(ClientConfiguration):
     @abstractmethod
     def organizations(self) -> OrganizationsModule: ...
 
+    @property
+    @abstractmethod
+    def organization_domains(self) -> OrganizationDomainsModule: ...
+
     @property
     @abstractmethod
     def passwordless(self) -> PasswordlessModule: ...

workos/async_client.py

@@ -7,6 +7,7 @@ from workos.events import AsyncEvents
 from workos.fga import FGAModule
 from workos.mfa import MFAModule
 from workos.organizations import AsyncOrganizations
+from workos.organization_domains import AsyncOrganizationDomains
 from workos.passwordless import PasswordlessModule
 from workos.portal import PortalModule
 from workos.sso import AsyncSSO
@@ -14,6 +15,7 @@ from workos.user_management import AsyncUserManagement
 from workos.utils.http_client import AsyncHTTPClient
 from workos.webhooks import WebhooksModule
 from workos.widgets import WidgetsModule
+from workos.vault import VaultModule
 
 
 class AsyncClient(BaseClient):
@@ -79,6 +81,14 @@ class AsyncClient(BaseClient):
             self._organizations = AsyncOrganizations(self._http_client)
         return self._organizations
 
+    @property
+    def organization_domains(self) -> AsyncOrganizationDomains:
+        if not getattr(self, "_organization_domains", None):
+            self._organization_domains = AsyncOrganizationDomains(
+                http_client=self._http_client, client_configuration=self
+            )
+        return self._organization_domains
+
     @property
     def passwordless(self) -> PasswordlessModule:
         raise NotImplementedError(
@@ -112,3 +122,9 @@ class AsyncClient(BaseClient):
         raise NotImplementedError(
             "Widgets APIs are not yet supported in the async client."
         )
+
+    @property
+    def vault(self) -> VaultModule:
+        raise NotImplementedError(
+            "Vault APIs are not yet supported in the async client."
+        )

workos/client.py

@@ -5,6 +5,7 @@ from workos.audit_logs import AuditLogs
 from workos.directory_sync import DirectorySync
 from workos.fga import FGA
 from workos.organizations import Organizations
+from workos.organization_domains import OrganizationDomains
 from workos.passwordless import Passwordless
 from workos.portal import Portal
 from workos.sso import SSO
@@ -14,6 +15,7 @@ from workos.events import Events
 from workos.user_management import UserManagement
 from workos.utils.http_client import SyncHTTPClient
 from workos.widgets import Widgets
+from workos.vault import Vault
 
 
 class SyncClient(BaseClient):
@@ -79,6 +81,14 @@ class SyncClient(BaseClient):
             self._organizations = Organizations(self._http_client)
         return self._organizations
 
+    @property
+    def organization_domains(self) -> OrganizationDomains:
+        if not getattr(self, "_organization_domains", None):
+            self._organization_domains = OrganizationDomains(
+                http_client=self._http_client, client_configuration=self
+            )
+        return self._organization_domains
+
     @property
     def passwordless(self) -> Passwordless:
         if not getattr(self, "_passwordless", None):
@@ -116,3 +126,9 @@ class SyncClient(BaseClient):
         if not getattr(self, "_widgets", None):
             self._widgets = Widgets(http_client=self._http_client)
         return self._widgets
+
+    @property
+    def vault(self) -> Vault:
+        if not getattr(self, "_vault", None):
+            self._vault = Vault(http_client=self._http_client)
+        return self._vault

workos/organization_domains.py

@@ -0,0 +1,179 @@
+from typing import Protocol
+from workos._client_configuration import ClientConfiguration
+from workos.types.organization_domains import OrganizationDomain
+from workos.typing.sync_or_async import SyncOrAsync
+from workos.utils.http_client import AsyncHTTPClient, SyncHTTPClient
+from workos.utils.request_helper import (
+    REQUEST_METHOD_DELETE,
+    REQUEST_METHOD_GET,
+    REQUEST_METHOD_POST,
+)
+
+
+class OrganizationDomainsModule(Protocol):
+    """Offers methods for managing organization domains."""
+
+    _client_configuration: ClientConfiguration
+
+    def get_organization_domain(
+        self, organization_domain_id: str
+    ) -> SyncOrAsync[OrganizationDomain]:
+        """Gets a single Organization Domain
+
+        Args:
+            organization_domain_id (str): Organization Domain unique identifier
+
+        Returns:
+            OrganizationDomain: Organization Domain response from WorkOS
+        """
+        ...
+
+    def create_organization_domain(
+        self,
+        organization_id: str,
+        domain: str,
+    ) -> SyncOrAsync[OrganizationDomain]:
+        """Creates an Organization Domain
+
+        Args:
+            organization_id (str): Organization unique identifier
+            domain (str): Domain to be added to the organization
+
+        Returns:
+            OrganizationDomain: Organization Domain response from WorkOS
+        """
+        ...
+
+    def verify_organization_domain(
+        self, organization_domain_id: str
+    ) -> SyncOrAsync[OrganizationDomain]:
+        """Verifies an Organization Domain
+
+        Args:
+            organization_domain_id (str): Organization Domain unique identifier
+
+        Returns:
+            OrganizationDomain: Organization Domain response from WorkOS
+        """
+        ...
+
+    def delete_organization_domain(
+        self, organization_domain_id: str
+    ) -> SyncOrAsync[None]:
+        """Deletes a single Organization Domain
+
+        Args:
+            organization_domain_id (str): Organization Domain unique identifier
+
+        Returns:
+            None
+        """
+        ...
+
+
+class OrganizationDomains:
+    """Offers methods for managing organization domains."""
+
+    _http_client: SyncHTTPClient
+    _client_configuration: ClientConfiguration
+
+    def __init__(
+        self,
+        http_client: SyncHTTPClient,
+        client_configuration: ClientConfiguration,
+    ):
+        self._http_client = http_client
+        self._client_configuration = client_configuration
+
+    def get_organization_domain(
+        self, organization_domain_id: str
+    ) -> OrganizationDomain:
+        response = self._http_client.request(
+            f"organization_domains/{organization_domain_id}",
+            method=REQUEST_METHOD_GET,
+        )
+
+        return OrganizationDomain.model_validate(response)
+
+    def create_organization_domain(
+        self,
+        organization_id: str,
+        domain: str,
+    ) -> OrganizationDomain:
+        response = self._http_client.request(
+            "organization_domains",
+            method=REQUEST_METHOD_POST,
+            json={"organization_id": organization_id, "domain": domain},
+        )
+
+        return OrganizationDomain.model_validate(response)
+
+    def verify_organization_domain(
+        self, organization_domain_id: str
+    ) -> OrganizationDomain:
+        response = self._http_client.request(
+            f"organization_domains/{organization_domain_id}/verify",
+            method=REQUEST_METHOD_POST,
+        )
+
+        return OrganizationDomain.model_validate(response)
+
+    def delete_organization_domain(self, organization_domain_id: str) -> None:
+        self._http_client.request(
+            f"organization_domains/{organization_domain_id}",
+            method=REQUEST_METHOD_DELETE,
+        )
+
+
+class AsyncOrganizationDomains:
+    """Offers async methods for managing organization domains."""
+
+    _http_client: AsyncHTTPClient
+    _client_configuration: ClientConfiguration
+
+    def __init__(
+        self,
+        http_client: AsyncHTTPClient,
+        client_configuration: ClientConfiguration,
+    ):
+        self._http_client = http_client
+        self._client_configuration = client_configuration
+
+    async def get_organization_domain(
+        self, organization_domain_id: str
+    ) -> OrganizationDomain:
+        response = await self._http_client.request(
+            f"organization_domains/{organization_domain_id}",
+            method=REQUEST_METHOD_GET,
+        )
+
+        return OrganizationDomain.model_validate(response)
+
+    async def create_organization_domain(
+        self,
+        organization_id: str,
+        domain: str,
+    ) -> OrganizationDomain:
+        response = await self._http_client.request(
+            "organization_domains",
+            method=REQUEST_METHOD_POST,
+            json={"organization_id": organization_id, "domain": domain},
+        )
+
+        return OrganizationDomain.model_validate(response)
+
+    async def verify_organization_domain(
+        self, organization_domain_id: str
+    ) -> OrganizationDomain:
+        response = await self._http_client.request(
+            f"organization_domains/{organization_domain_id}/verify",
+            method=REQUEST_METHOD_POST,
+        )
+
+        return OrganizationDomain.model_validate(response)
+
+    async def delete_organization_domain(self, organization_domain_id: str) -> None:
+        await self._http_client.request(
+            f"organization_domains/{organization_domain_id}",
+            method=REQUEST_METHOD_DELETE,
+        )

workos/types/events/event.py

@@ -38,7 +38,7 @@ from workos.types.events.organization_domain_verification_failed_payload import
 )
 from workos.types.events.session_created_payload import SessionCreatedPayload
 from workos.types.organizations.organization_common import OrganizationCommon
-from workos.types.organizations.organization_domain import OrganizationDomain
+from workos.types.organization_domains import OrganizationDomain
 from workos.types.roles.role import EventRole
 from workos.types.sso.connection import Connection
 from workos.types.user_management.email_verification import (
@@ -193,6 +193,18 @@ class OrganizationDomainVerifiedEvent(EventModel[OrganizationDomain]):
     event: Literal["organization_domain.verified"]
 
 
+class OrganizationDomainCreatedEvent(EventModel[OrganizationDomain]):
+    event: Literal["organization_domain.created"]
+
+
+class OrganizationDomainUpdatedEvent(EventModel[OrganizationDomain]):
+    event: Literal["organization_domain.updated"]
+
+
+class OrganizationDomainDeletedEvent(EventModel[OrganizationDomain]):
+    event: Literal["organization_domain.deleted"]
+
+
 class OrganizationMembershipCreatedEvent(EventModel[OrganizationMembership]):
     event: Literal["organization_membership.created"]
 
@@ -272,6 +284,9 @@ Event = Annotated[
         OrganizationCreatedEvent,
         OrganizationDeletedEvent,
         OrganizationUpdatedEvent,
+        OrganizationDomainCreatedEvent,
+        OrganizationDomainDeletedEvent,
+        OrganizationDomainUpdatedEvent,
         OrganizationDomainVerificationFailedEvent,
         OrganizationDomainVerifiedEvent,
         OrganizationMembershipCreatedEvent,

workos/types/events/event_model.py

@@ -37,7 +37,7 @@ from workos.types.events.organization_domain_verification_failed_payload import
 )
 from workos.types.events.session_created_payload import SessionCreatedPayload
 from workos.types.organizations.organization_common import OrganizationCommon
-from workos.types.organizations.organization_domain import OrganizationDomain
+from workos.types.organization_domains import OrganizationDomain
 from workos.types.roles.role import EventRole
 from workos.types.sso.connection import Connection
 from workos.types.user_management.email_verification import (

workos/types/events/event_type.py

@@ -36,6 +36,9 @@ EventType = Literal[
     "organization.updated",
     "organization_domain.verification_failed",
     "organization_domain.verified",
+    "organization_domain.created",
+    "organization_domain.deleted",
+    "organization_domain.updated",
     "organization_membership.created",
     "organization_membership.deleted",
     "organization_membership.updated",

workos/types/events/organization_domain_verification_failed_payload.py

@@ -1,6 +1,6 @@
 from typing import Literal
 from workos.types.workos_model import WorkOSModel
-from workos.types.organizations.organization_domain import OrganizationDomain
+from workos.types.organization_domains import OrganizationDomain
 from workos.typing.literals import LiteralOrUntyped
 
 

workos/types/list_resource.py

@@ -33,6 +33,7 @@ from workos.types.mfa import AuthenticationFactor
 from workos.types.organizations import Organization
 from workos.types.sso import ConnectionWithDomains
 from workos.types.user_management import Invitation, OrganizationMembership, User
+from workos.types.vault import ObjectDigest
 from workos.types.workos_model import WorkOSModel
 from workos.utils.request_helper import DEFAULT_LIST_RESPONSE_LIMIT
 
@@ -51,6 +52,7 @@ ListableResource = TypeVar(
     AuthorizationResource,
     AuthorizationResourceType,
     User,
+    ObjectDigest,
     Warrant,
     WarrantQueryResult,
 )

workos/types/organization_domains/__init__.py

@@ -0,0 +1 @@
+from .organization_domain import *

workos/types/{organizations → organization_domains}/organization_domain.py

@@ -13,3 +13,6 @@ class OrganizationDomain(WorkOSModel):
     ] = None
     verification_strategy: Optional[LiteralOrUntyped[Literal["manual", "dns"]]] = None
     verification_token: Optional[str] = None
+    verification_prefix: Optional[str] = None
+    created_at: str
+    updated_at: str

workos/types/organizations/__init__.py

@@ -1,4 +1,6 @@
 from .domain_data_input import *
 from .organization_common import *
-from .organization_domain import *
 from .organization import *
+
+# re-exported for backwards compatibility, can be removed after version 6.0.0
+from workos.types.organization_domains import OrganizationDomain

workos/types/organizations/organization.py

@@ -2,7 +2,7 @@ from dataclasses import field
 from typing import Optional, Sequence
 from workos.types.metadata import Metadata
 from workos.types.organizations.organization_common import OrganizationCommon
-from workos.types.organizations.organization_domain import OrganizationDomain
+from workos.types.organization_domains import OrganizationDomain
 
 
 class Organization(OrganizationCommon):

workos/types/organizations/organization_common.py

@@ -1,6 +1,6 @@
 from typing import Literal, Sequence
 from workos.types.workos_model import WorkOSModel
-from workos.types.organizations.organization_domain import OrganizationDomain
+from workos.types.organization_domains import OrganizationDomain
 
 
 class OrganizationCommon(WorkOSModel):

workos/types/vault/__init__.py

@@ -0,0 +1,2 @@
+from .key import *
+from .object import *

workos/types/vault/key.py

@@ -0,0 +1,25 @@
+from typing import Dict
+from pydantic import BaseModel, RootModel
+from workos.types.workos_model import WorkOSModel
+
+
+class KeyContext(RootModel[Dict[str, str]]):
+    pass
+
+
+class DataKey(WorkOSModel):
+    id: str
+    key: str
+
+
+class DataKeyPair(WorkOSModel):
+    context: KeyContext
+    data_key: DataKey
+    encrypted_keys: str
+
+
+class DecodedKeys(BaseModel):
+    iv: bytes
+    tag: bytes
+    keys: str  # Base64-encoded string
+    ciphertext: bytes

workos/types/vault/object.py

@@ -0,0 +1,38 @@
+from typing import Optional
+
+from workos.types.workos_model import WorkOSModel
+from workos.types.vault import KeyContext
+
+
+class ObjectDigest(WorkOSModel):
+    id: str
+    name: str
+    updated_at: str
+
+
+class ObjectUpdateBy(WorkOSModel):
+    id: str
+    name: str
+
+
+class ObjectMetadata(WorkOSModel):
+    context: KeyContext
+    environment_id: str
+    id: str
+    key_id: str
+    updated_at: str
+    updated_by: ObjectUpdateBy
+    version_id: str
+
+
+class VaultObject(WorkOSModel):
+    id: str
+    metadata: ObjectMetadata
+    name: str
+    value: Optional[str] = None
+
+
+class ObjectVersion(WorkOSModel):
+    created_at: str
+    current_version: bool
+    id: str

workos/types/webhooks/webhook.py

@@ -38,7 +38,7 @@ from workos.types.events.organization_domain_verification_failed_payload import
 )
 from workos.types.events.session_created_payload import SessionCreatedPayload
 from workos.types.organizations.organization_common import OrganizationCommon
-from workos.types.organizations.organization_domain import OrganizationDomain
+from workos.types.organization_domains import OrganizationDomain
 from workos.types.roles.role import EventRole
 from workos.types.sso.connection import Connection
 from workos.types.user_management.email_verification import (

workos/utils/crypto_provider.py

@@ -0,0 +1,39 @@
+import os
+from typing import Optional, Dict
+from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
+from cryptography.hazmat.backends import default_backend
+
+
+class CryptoProvider:
+    def encrypt(
+        self, plaintext: bytes, key: bytes, iv: bytes, aad: Optional[bytes]
+    ) -> Dict[str, bytes]:
+        encryptor = Cipher(
+            algorithms.AES(key), modes.GCM(iv), backend=default_backend()
+        ).encryptor()
+
+        if aad:
+            encryptor.authenticate_additional_data(aad)
+
+        ciphertext = encryptor.update(plaintext) + encryptor.finalize()
+        return {"ciphertext": ciphertext, "iv": iv, "tag": encryptor.tag}
+
+    def decrypt(
+        self,
+        ciphertext: bytes,
+        key: bytes,
+        iv: bytes,
+        tag: bytes,
+        aad: Optional[bytes] = None,
+    ) -> bytes:
+        decryptor = Cipher(
+            algorithms.AES(key), modes.GCM(iv, tag), backend=default_backend()
+        ).decryptor()
+
+        if aad:
+            decryptor.authenticate_additional_data(aad)
+
+        return decryptor.update(ciphertext) + decryptor.finalize()
+
+    def random_bytes(self, n: int) -> bytes:
+        return os.urandom(n)

workos/vault.py

@@ -0,0 +1,515 @@
+import base64
+from typing import Optional, Protocol, Sequence, Tuple
+from workos.types.vault import VaultObject, ObjectVersion, ObjectDigest, ObjectMetadata
+from workos.types.vault.key import DataKey, DataKeyPair, KeyContext, DecodedKeys
+from workos.types.list_resource import (
+    ListArgs,
+    ListMetadata,
+    ListPage,
+    WorkOSListResource,
+)
+from workos.utils.http_client import SyncHTTPClient
+from workos.utils.pagination_order import PaginationOrder
+from workos.utils.request_helper import (
+    DEFAULT_LIST_RESPONSE_LIMIT,
+    REQUEST_METHOD_DELETE,
+    REQUEST_METHOD_GET,
+    REQUEST_METHOD_POST,
+    REQUEST_METHOD_PUT,
+    RequestHelper,
+)
+from workos.utils.crypto_provider import CryptoProvider
+
+DEFAULT_RESPONSE_LIMIT = DEFAULT_LIST_RESPONSE_LIMIT
+
+VaultObjectList = WorkOSListResource[ObjectDigest, ListArgs, ListMetadata]
+
+
+class VaultModule(Protocol):
+    def read_object(self, *, object_id: str) -> VaultObject:
+        """
+        Get a Vault object with the value decrypted.
+
+        Kwargs:
+            object_id (str): The unique identifier for the object.
+        Returns:
+            VaultObject: A vault object with metadata, name and decrypted value.
+        """
+        ...
+
+    def list_objects(
+        self,
+        *,
+        limit: int = DEFAULT_RESPONSE_LIMIT,
+        before: Optional[str] = None,
+        after: Optional[str] = None,
+    ) -> VaultObjectList:
+        """
+        Gets a list of encrypted Vault objects.
+
+        Kwargs:
+            limit (int): The maximum number of objects to return. (Optional)
+            before (str): A cursor to return resources before. (Optional)
+            after (str): A cursor to return resources after. (Optional)
+
+        Returns:
+            VaultObjectList: A list of vault objects with built-in pagination iterator.
+        """
+        ...
+
+    def list_object_versions(
+        self,
+        *,
+        object_id: str,
+    ) -> Sequence[ObjectVersion]:
+        """
+        Gets a list of versions for a specific Vault object.
+
+        Kwargs:
+            object_id (str): The unique identifier for the object.
+
+        Returns:
+            Sequence[ObjectVersion]: A list of object versions.
+        """
+        ...
+
+    def create_object(
+        self,
+        *,
+        name: str,
+        value: str,
+        key_context: KeyContext,
+    ) -> ObjectMetadata:
+        """
+        Create a new Vault encrypted object.
+
+        Kwargs:
+            name (str): The name of the object.
+            value (str): The value to encrypt and store.
+            key_context (KeyContext): A set of key-value dictionary pairs that determines which root keys to use when encrypting data.
+
+        Returns:
+            VaultObject: The created vault object.
+        """
+        ...
+
+    def update_object(
+        self,
+        *,
+        object_id: str,
+        value: str,
+        version_check: Optional[str] = None,
+    ) -> VaultObject:
+        """
+        Update an existing Vault object.
+
+        Kwargs:
+            object_id (str): The unique identifier for the object.
+            value (str): The new value to encrypt and store.
+            version_check (str): A version of the object to prevent clobbering of data during concurrent updates. (Optional)
+
+        Returns:
+            VaultObject: The updated vault object.
+        """
+        ...
+
+    def delete_object(
+        self,
+        *,
+        object_id: str,
+    ) -> None:
+        """
+        Permanently delete a Vault encrypted object. Warning: this cannont be undone.
+
+        Kwargs:
+            object_id (str): The unique identifier for the object.
+        """
+        ...
+
+    def create_data_key(self, *, key_context: KeyContext) -> DataKeyPair:
+        """
+        Generate a data key for local encryption based on the provided key context.
+        The encrypted data key MUST be stored by the application, as it cannot be retrieved after generation.
+
+        Kwargs:
+            key_context (KeyContext): A set of key-value dictionary pairs that determines which root keys to use when encrypting data.
+        """
+        ...
+
+    def decrypt_data_key(
+        self,
+        *,
+        keys: str,
+    ) -> DataKey:
+        """
+        Decrypt encrypted data keys that were previously generated by create_data_key.
+
+        This method takes the encrypted data key blob and uses the WorkOS Vault service
+        to decrypt it, returning the plaintext data key that can be used for local
+        encryption/decryption operations.
+
+        Kwargs:
+            keys (str): The base64-encoded encrypted data key blob returned by create_data_key.
+
+        Returns:
+            DataKey: The decrypted data key containing the key ID and the plaintext key material.
+        """
+        ...
+
+    def encrypt(
+        self,
+        *,
+        data: str,
+        key_context: KeyContext,
+        associated_data: Optional[str] = None,
+    ) -> str:
+        """
+        Encrypt data locally using AES-GCM with a data key derived from the provided context.
+
+        This method generates a new data key for each encryption operation, ensuring that
+        the same plaintext will produce different ciphertext each time it's encrypted.
+        The encrypted data key is embedded in the result so it can be decrypted later.
+
+        Kwargs:
+            data (str): The plaintext data to encrypt.
+            key_context (KeyContext): A set of key-value dictionary pairs that determines which root keys to use when encrypting data.
+            associated_data (str): Additional authenticated data (AAD) that will be authenticated but not encrypted. (Optional)
+
+        Returns:
+            str: Base64-encoded encrypted data containing the IV, authentication tag, encrypted data key, and ciphertext.
+        """
+        ...
+
+    def decrypt(
+        self, *, encrypted_data: str, associated_data: Optional[str] = None
+    ) -> str:
+        """
+        Decrypt data that was previously encrypted using the encrypt method.
+
+        This method extracts the encrypted data key from the encrypted payload,
+        decrypts it using the WorkOS Vault service, and then uses the resulting
+        data key to decrypt the actual data using AES-GCM.
+
+        Kwargs:
+            encrypted_data (str): The base64-encoded encrypted data returned by the encrypt method.
+            associated_data (str): The same additional authenticated data (AAD) that was used during encryption, if any. (Optional)
+
+        Returns:
+            str: The original plaintext data.
+
+        Raises:
+            ValueError: If the encrypted_data format is invalid or if associated_data doesn't match what was used during encryption.
+            cryptography.exceptions.InvalidTag: If the authentication tag verification fails (data has been tampered with).
+        """
+        ...
+
+
+class Vault(VaultModule):
+    _http_client: SyncHTTPClient
+    _crypto_provider: CryptoProvider
+
+    def __init__(self, http_client: SyncHTTPClient):
+        self._http_client = http_client
+        self._crypto_provider = CryptoProvider()
+
+    def read_object(
+        self,
+        *,
+        object_id: str,
+    ) -> VaultObject:
+        if not object_id:
+            raise ValueError("Incomplete arguments: 'object_id' is a required argument")
+
+        response = self._http_client.request(
+            RequestHelper.build_parameterized_url(
+                "vault/v1/kv/{object_id}",
+                object_id=object_id,
+            ),
+            method=REQUEST_METHOD_GET,
+        )
+
+        return VaultObject.model_validate(response)
+
+    def list_objects(
+        self,
+        *,
+        limit: int = DEFAULT_RESPONSE_LIMIT,
+        before: Optional[str] = None,
+        after: Optional[str] = None,
+    ) -> VaultObjectList:
+        list_params: ListArgs = {
+            "limit": limit,
+            "before": before,
+            "after": after,
+        }
+
+        response = self._http_client.request(
+            "vault/v1/kv",
+            method=REQUEST_METHOD_GET,
+            params=list_params,
+        )
+
+        # Ensure object field is present
+        response_dict = dict(response)
+        if "object" not in response_dict:
+            response_dict["object"] = "list"
+
+        return VaultObjectList(
+            list_method=self.list_objects,
+            list_args=list_params,
+            **ListPage[ObjectDigest](**response_dict).model_dump(),
+        )
+
+    def list_object_versions(
+        self,
+        *,
+        object_id: str,
+    ) -> Sequence[ObjectVersion]:
+        response = self._http_client.request(
+            RequestHelper.build_parameterized_url(
+                "vault/v1/kv/{object_id}/versions",
+                object_id=object_id,
+            ),
+            method=REQUEST_METHOD_GET,
+        )
+
+        return [
+            ObjectVersion.model_validate(version)
+            for version in response.get("data", [])
+        ]
+
+    def create_object(
+        self,
+        *,
+        name: str,
+        value: str,
+        key_context: KeyContext,
+    ) -> ObjectMetadata:
+        if not name or not value:
+            raise ValueError(
+                "Incomplete arguments: 'name' and 'value' are required arguments"
+            )
+
+        request_data = {
+            "name": name,
+            "value": value,
+            "key_context": key_context,
+        }
+
+        response = self._http_client.request(
+            "vault/v1/kv",
+            method=REQUEST_METHOD_POST,
+            json=request_data,
+        )
+
+        return ObjectMetadata.model_validate(response)
+
+    def update_object(
+        self,
+        *,
+        object_id: str,
+        value: str,
+        version_check: Optional[str] = None,
+    ) -> VaultObject:
+        if not object_id:
+            raise ValueError("Incomplete arguments: 'object_id' is a required argument")
+
+        request_data = {
+            "value": value,
+        }
+        if version_check is not None:
+            request_data["version_check"] = version_check
+
+        response = self._http_client.request(
+            RequestHelper.build_parameterized_url(
+                "vault/v1/kv/{object_id}",
+                object_id=object_id,
+            ),
+            method=REQUEST_METHOD_PUT,
+            json=request_data,
+        )
+
+        return VaultObject.model_validate(response)
+
+    def delete_object(
+        self,
+        *,
+        object_id: str,
+    ) -> None:
+        if not object_id:
+            raise ValueError("Incomplete arguments: 'object_id' is a required argument")
+
+        self._http_client.request(
+            RequestHelper.build_parameterized_url(
+                "vault/v1/kv/{object_id}",
+                object_id=object_id,
+            ),
+            method=REQUEST_METHOD_DELETE,
+        )
+
+    def create_data_key(self, *, key_context: KeyContext) -> DataKeyPair:
+        request_data = {
+            "context": key_context,
+        }
+
+        response = self._http_client.request(
+            "vault/v1/keys/data-key",
+            method=REQUEST_METHOD_POST,
+            json=request_data,
+        )
+
+        return DataKeyPair.model_validate(
+            {
+                "context": response["context"],
+                "data_key": {"id": response["id"], "key": response["data_key"]},
+                "encrypted_keys": response["encrypted_keys"],
+            }
+        )
+
+    def decrypt_data_key(
+        self,
+        *,
+        keys: str,
+    ) -> DataKey:
+        request_data = {
+            "keys": keys,
+        }
+
+        response = self._http_client.request(
+            "vault/v1/keys/decrypt",
+            method=REQUEST_METHOD_POST,
+            json=request_data,
+        )
+
+        return DataKey.model_validate(
+            {"id": response["id"], "key": response["data_key"]}
+        )
+
+    def encrypt(
+        self,
+        *,
+        data: str,
+        key_context: KeyContext,
+        associated_data: Optional[str] = None,
+    ) -> str:
+        key_pair = self.create_data_key(key_context=key_context)
+
+        key = self._base64_to_bytes(key_pair.data_key.key)
+        key_blob = self._base64_to_bytes(key_pair.encrypted_keys)
+        prefix_len_buffer = self._encode_u32(len(key_blob))
+        aad_buffer = associated_data.encode("utf-8") if associated_data else None
+        iv = self._crypto_provider.random_bytes(12)
+
+        result = self._crypto_provider.encrypt(
+            data.encode("utf-8"), key, iv, aad_buffer
+        )
+
+        combined = (
+            result["iv"]
+            + result["tag"]
+            + prefix_len_buffer
+            + key_blob
+            + result["ciphertext"]
+        )
+
+        return self._bytes_to_base64(combined)
+
+    def decrypt(
+        self, *, encrypted_data: str, associated_data: Optional[str] = None
+    ) -> str:
+        decoded = self._decode(encrypted_data)
+        data_key = self.decrypt_data_key(keys=decoded.keys)
+
+        key = self._base64_to_bytes(data_key.key)
+        aad_buffer = associated_data.encode("utf-8") if associated_data else None
+
+        decrypted_bytes = self._crypto_provider.decrypt(
+            ciphertext=decoded.ciphertext,
+            key=key,
+            iv=decoded.iv,
+            tag=decoded.tag,
+            aad=aad_buffer,
+        )
+
+        return decrypted_bytes.decode("utf-8")
+
+    def _base64_to_bytes(self, data: str) -> bytes:
+        return base64.b64decode(data)
+
+    def _bytes_to_base64(self, data: bytes) -> str:
+        return base64.b64encode(data).decode("utf-8")
+
+    def _encode_u32(self, value: int) -> bytes:
+        """
+        Encode a 32-bit unsigned integer as LEB128.
+
+        Returns:
+            bytes: LEB128-encoded representation of the input value.
+        """
+        if value < 0 or value > 0xFFFFFFFF:
+            raise ValueError("Value must be a 32-bit unsigned integer")
+
+        encoded = bytearray()
+        while True:
+            byte = value & 0x7F
+            value >>= 7
+            if value != 0:
+                byte |= 0x80  # Set continuation bit
+            encoded.append(byte)
+            if value == 0:
+                break
+
+        return bytes(encoded)
+
+    def _decode(self, encrypted_data_b64: str) -> DecodedKeys:
+        """
+        This function extracts IV, tag, keyBlobLength, keyBlob, and ciphertext
+        from a base64-encoded payload.
+        Encoding format: [IV][TAG][4B Length][keyBlob][ciphertext]
+        """
+        try:
+            payload = base64.b64decode(encrypted_data_b64)
+        except Exception as e:
+            raise ValueError("Base64 decoding failed") from e
+
+        iv = payload[0:12]
+        tag = payload[12:28]
+
+        try:
+            key_len, leb_len = self._decode_u32(payload[28:])
+        except Exception as e:
+            raise ValueError("Failed to decode key length") from e
+
+        keys_index = 28 + leb_len
+        keys_end = keys_index + key_len
+        keys_slice = payload[keys_index:keys_end]
+        keys = base64.b64encode(keys_slice).decode("utf-8")
+        ciphertext = payload[keys_end:]
+
+        return DecodedKeys(iv=iv, tag=tag, keys=keys, ciphertext=ciphertext)
+
+    def _decode_u32(self, buf: bytes) -> Tuple[int, int]:
+        """
+        Decode an unsigned LEB128-encoded 32-bit integer from bytes.
+
+        Returns:
+            (value, length_consumed)
+
+        Raises:
+            ValueError if decoding fails or overflows.
+        """
+        res = 0
+        bit = 0
+
+        for i, b in enumerate(buf):
+            if i > 4:
+                raise ValueError("LEB128 integer overflow (was more than 4 bytes)")
+
+            res |= (b & 0x7F) << (7 * bit)
+
+            if (b & 0x80) == 0:
+                return res, i + 1
+
+            bit += 1
+
+        raise ValueError("LEB128 integer not found")

{workos-5.23.0.dist-info → workos-5.26.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: workos
-Version: 5.23.0
+Version: 5.26.0
 Summary: WorkOS Python Client
 Home-page: https://github.com/workos-inc/workos-python
 Author: WorkOS

{workos-5.23.0.dist-info → workos-5.26.0.dist-info}/RECORD

@@ -1,15 +1,16 @@
-workos/__about__.py,sha256=gPnfGwbokmJccKOueu0QsNoiFGUYhHwOVX1_mLa4xzw,406
+workos/__about__.py,sha256=XjdHlLqPEJ0a5evP3CCUorp0ckGip4qzzY2V8gM6xXg,406
 workos/__init__.py,sha256=hOdbO_MJCvpLx8EbRjQg-fvFAB-glJmrmxUZK8kWG0k,167
-workos/_base_client.py,sha256=t69Nb3zxo3wygI3JtbPdZMGvIuRPsZx_xZANC5K8dn8,3429
+workos/_base_client.py,sha256=YWLXBpd0YeID3WKYZkKa4l9ZuB9e6HgdLmPKZIzXsME,3599
 workos/_client_configuration.py,sha256=g3eXhtrEMN6CW0hZ5uHb2PmLurXjyBkWZeQYMPeJD6s,222
-workos/async_client.py,sha256=ezl6pO2I2eGZnq0jrqD7-C7JKfvBqrsqq4T0cbYndPE,3756
+workos/async_client.py,sha256=c_lP7y49k3FEx0S6We8PrEw3PhTkD0VHyHJaKgc51HU,4358
 workos/audit_logs.py,sha256=bYoAoNO4FRSaT34UxiVkgTXCVH8givcS2YGhH_9O3NA,3983
-workos/client.py,sha256=ESweUKW2ju5dPGFCTUMxjVYgh2txoZ3ZVbxy81i0JcI,3747
+workos/client.py,sha256=hIm87iNtKfwQ93H5aRXnhTqUJIOzUEG1GX0jdLBLAYc,4345
 workos/directory_sync.py,sha256=6Z1gHz1LWNy56EtkXwNm6jhRRcvsJ7ASeDLy_Q1oKM0,14601
 workos/events.py,sha256=b4JIzMbd5LlVtpOMKVojC70RCHAgmLN3nJ62_2U0GwI,3892
 workos/exceptions.py,sha256=eoy-T4We98HKZn0UZu33fPzhm4DwafzwLeg3juhC6FE,1732
 workos/fga.py,sha256=qjZrdkXKwJDLVTMMrOADxyXRDkswto4kGIdtTjtS3hw,21008
 workos/mfa.py,sha256=J8eOr4ZEmK0TPFKD7pabSalgCFCyg3XJY1stu28_8Vw,6862
+workos/organization_domains.py,sha256=um-dm54SIs2Kd2FxqxVjIlynlenAG9NamQmNVUGOQ0k,5464
 workos/organizations.py,sha256=ugPRhwN8cN2O6qOCf7wj8Wus-oeRKXlNe2642PSl_n4,12266
 workos/passwordless.py,sha256=NGXDoxomBkrIml8-VHXH1HvCFMqotQ-YhRobUQXpVZs,3203
 workos/portal.py,sha256=lzf3fnOor4AyVdHCHMuJzVSpAC9LWWdC5sZIRtCsb0c,2443
@@ -17,10 +18,11 @@ workos/py.typed,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 workos/session.py,sha256=CVada-nKRFv9m2-mcghR5VBOguGU76iDCDgQlksOOrQ,11912
 workos/sso.py,sha256=ZBC3y-IRmxG0jPd0BOj7s7XQkXJoTLUg1fx-h3Gfy4g,13541
 workos/user_management.py,sha256=qy21HxYVO40xo7TvCGVxvGWdYIFHZTVnUJTpCQIN2ko,77113
+workos/vault.py,sha256=SJXr3nJ03qJFuf30FjevMD6LLlDNX3MGaKlYGgICRRE,15657
 workos/webhooks.py,sha256=CuwBxh6va9VZFVSXOknveGt6CCGDF3em07a-J12DbXI,4790
 workos/widgets.py,sha256=bfbR0hQOHZabbgGL2ekD5sY1sjiUoWBTdrBd_a6WmBc,1721
 workos/types/__init__.py,sha256=aYScTXq5jOyp0AYvdWffaj5-zdDuNtCCJtbzt5GM19k,267
-workos/types/list_resource.py,sha256=MLfmtevGVpwb38EurJiD5NO-H5mADEp4DitZMiacSO0,6508
+workos/types/list_resource.py,sha256=6N9OoaFsWPCXEX9plVONODxed-Yx6RaX1ga1b15ENIA,6570
 workos/types/metadata.py,sha256=uUqDkGJGyFY3H4JZObSiCfn4jKBue5CBhOqv79TI1n0,52
 workos/types/workos_model.py,sha256=bV_p3baadcUJOU_7f6ysZ6KXhpt3E_93spuZnfJs9vc,735
 workos/types/audit_logs/__init__.py,sha256=daPn8wAVEnlM1fCpOsy3dVZV_0YEp8bA1T_nhk5-pU8,211
@@ -45,11 +47,11 @@ workos/types/events/directory_group_with_previous_attributes.py,sha256=13VLNhdJZ
 workos/types/events/directory_payload.py,sha256=tRo3f9g8VoYertSUPAR25iGDyGLr2Dtb2mTkl73PAeA,503
 workos/types/events/directory_payload_with_legacy_fields.py,sha256=jk9nLmRqgllVkBG4EU3uTgcDOhCNptHgCh93U7aBAYE,1005
 workos/types/events/directory_user_with_previous_attributes.py,sha256=PhnO3WakBxAvnlOGf0UB0bvoppUYlwLyU-g9X_pPdko,244
-workos/types/events/event.py,sha256=OZfsPNDD46-6wWcnAE2HkT5Lt23vGj3o8wz7XfQE2vY,9344
-workos/types/events/event_model.py,sha256=r5B_lZ7QXgoI7SGyQF7xNaEEE-ATMRet83pMYYJANuo,3735
-workos/types/events/event_type.py,sha256=jzZ5rlYXKmrHzbnymeMiIqmVF7i1Yvp76zqkCYl6Puo,1585
+workos/types/events/event.py,sha256=4E-71v38J1Udt0qFz9k17V6HmNj9Lgz-mmS-524ysIs,9817
+workos/types/events/event_model.py,sha256=TuCRgjgTWnTvwL3NTR9FBGuF7WO34OhsbtMGKss5QKA,3722
+workos/types/events/event_type.py,sha256=NIVHMahETiKeFJfZGi-ptHQH7czmRY4tChnuMU0OxWw,1690
 workos/types/events/list_filters.py,sha256=P04zmRynx9VPqNX_MBXA-3KA6flPZJogtIUqTI7w9Eg,305
-workos/types/events/organization_domain_verification_failed_payload.py,sha256=26reKTFxdriOo6fF6MVkYx0s867E-bproKTbwLZcUpE,483
+workos/types/events/organization_domain_verification_failed_payload.py,sha256=b4wX8HVbL9Nx6fCjOXkZg9eLc-Bv6YqAjMap1f7UvFc,470
 workos/types/events/previous_attributes.py,sha256=DxolwLwzcnG8r_W6rh5BT29iDfSVsIELvRYJ0NCrNn0,72
 workos/types/events/session_created_payload.py,sha256=F4eKjmetgyRIluNBDUmB2OXq8hDWEVjALJ4rrT2IHJs,462
 workos/types/fga/__init__.py,sha256=mVb3gvhvK93PAosSgO1RlNmxYX4zIxVDcZZQ8Jyejuw,151
@@ -65,12 +67,13 @@ workos/types/mfa/authentication_challenge_verification_response.py,sha256=5HxsMJ
 workos/types/mfa/authentication_factor.py,sha256=92Cq9MLwBUXfowzCv2u9ZnoH9tVgDm16jjmelN7BOGs,2021
 workos/types/mfa/authentication_factor_totp_and_challenge_response.py,sha256=Ix_DqF7eQ-x6Up8C_0wzvAXXyDY876nobRuiXXL8nbc,541
 workos/types/mfa/enroll_authentication_factor_type.py,sha256=l_w4co5BdmfglII5YAQiyL-kdAw8KiiOsYaDhn8lGWE,227
-workos/types/organizations/__init__.py,sha256=tS8oObLGCyk2QnaMtoaaGKoLbbzSylL_8qovsPF6Rqc,131
+workos/types/organization_domains/__init__.py,sha256=fpNRKfzZ0p1FybwQG4L-YY12nFPTCJjD4j60OJI5fXE,35
+workos/types/organization_domains/organization_domain.py,sha256=PkmdVVQi6h94xHWLJt0SFGgiGEVoyxwiPD-WwQ1naWs,614
+workos/types/organizations/__init__.py,sha256=uE2qD2MOebPs-_BerqenTqmu4I4DI5-CKIY_M8BGwDY,240
 workos/types/organizations/domain_data_input.py,sha256=BW3iYswF-b2SXip7jwPkmlZhgLReS_VyzUlU8PD4xdw,161
 workos/types/organizations/list_filters.py,sha256=u-TsEEMVI8IvPvxn_9--k6iYDs4T64RHTY_HY0Fvwlw,179
-workos/types/organizations/organization.py,sha256=GNs7Mf4-B4NpKSsE4uD9106kG6e6yz2EImdgSw9X310,533
-workos/types/organizations/organization_common.py,sha256=HFrXwia3xV6KkAAfW6zyMcjxXrznv82hFajHVHZdhpM,350
-workos/types/organizations/organization_domain.py,sha256=gFumod8dBtTLxmAlD83UuF_96B8lSjwsgwr_OOpvxOY,528
+workos/types/organizations/organization.py,sha256=oVGg-C0blizg7aGVeRTr3vvTRvrn_WPzwaV-LvbQxRo,520
+workos/types/organizations/organization_common.py,sha256=lelq-Id9AGSmosFprFAET_QyXmYR0wHX9-XMsOTEr7s,337
 workos/types/passwordless/__init__.py,sha256=ZP_XIcGUKXsATb--bfesnsFFbbvg3WYzgqRC_qvW0rw,77
 workos/types/passwordless/passwordless_session.py,sha256=izmTI5F7qvBdoVodaXP7fnYo_XodG-ygyYTPrCEObTM,293
 workos/types/passwordless/passwordless_session_type.py,sha256=ltZAV8KFiYDVcxpVt5Hcdc089tB5VETYaa9X6E7Mvoo,75
@@ -101,8 +104,11 @@ workos/types/user_management/screen_hint.py,sha256=DnPgvjRK-20i82v3YPzggna1rc6yO
 workos/types/user_management/session.py,sha256=pyINOo_a53rxtZ-gGYOZziNHoZzc7s56evKgVAPIgMo,1390
 workos/types/user_management/user.py,sha256=aXRHsLXnQbXWBPRTdAP9Ym_-D9hjmrp_E4PTPi1gF1s,603
 workos/types/user_management/user_management_provider_type.py,sha256=UEjtcs9oeDvL9248bFy8nRfzutA6aBfhVMuMByG0qsM,145
+workos/types/vault/__init__.py,sha256=krBuIl8luysrtDf9-b8KTkXOHDOaSsOR-Aao6Wlil0Q,41
+workos/types/vault/key.py,sha256=x30XBplSj9AviDDAB8MdpcULbZvvo2sUzi8RCmZQKxU,453
+workos/types/vault/object.py,sha256=-rk4KovS3eT8T8L3JltYUS0cd2Rg1JKcAX9SOaZO3D8,664
 workos/types/webhooks/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-workos/types/webhooks/webhook.py,sha256=IIDhlGTwiNm3xEncSk-OYm0EZsxwXmxDT5_jKx_Bt60,9523
+workos/types/webhooks/webhook.py,sha256=v0Z7Z1eMnjCMR8iWm2KNECv-8nwPdTB8gTZCVfFP0O0,9510
 workos/types/webhooks/webhook_model.py,sha256=v7Hgtzt0nW_5RaYoB_QGVfElhdjySuG3F1BFjoid36w,404
 workos/types/webhooks/webhook_payload.py,sha256=GXt31KtyBM-ji5K5p4dBnu46Gh8adQWTq0ye5USB_6g,68
 workos/types/widgets/__init__.py,sha256=z2Tdlj_bJsRZeJRh4SOFX58PvJdf0LjKnYhrQX1fpME,65
@@ -115,11 +121,12 @@ workos/typing/untyped_literal.py,sha256=wf48_6kZJ-AN3-V2gLC_y5k2tnUvgGnhn89HsfOK
 workos/typing/webhooks.py,sha256=8GhUnrlGrgQbknh32tVtHxeR8FsXsJesW94CtZiB-_4,534
 workos/utils/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 workos/utils/_base_http_client.py,sha256=KqRHUaDJUfXGxhu6UHLfZVkIBikcvrUZYhm9GBSByB4,7410
+workos/utils/crypto_provider.py,sha256=QeQSR4t9xLlb90kEfl8onVUsf1yCkYq0EjFTxK0mUlk,1182
 workos/utils/http_client.py,sha256=TM5yMFFExmAE8D2Z43-5O301tRbnylLG0aXO0isGorE,6197
 workos/utils/pagination_order.py,sha256=_-et1DDJLG0czarTU7op4W6RA0V1f85GNsUgtyRU55Q,70
 workos/utils/request_helper.py,sha256=NaO16qPPbSNnCeE0fiNKYb8gM-dK_okYVJbLGrEGXz8,793
-workos-5.23.0.dist-info/LICENSE,sha256=mU--WL1JzelH2tXpKVoOlpud4cpqKSRTtdArCvYZmb4,1063
-workos-5.23.0.dist-info/METADATA,sha256=6axcTXs8vYKZ4CLs32aIC1znvQQGb0If40EnWk30_fk,4187
-workos-5.23.0.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
-workos-5.23.0.dist-info/top_level.txt,sha256=ZFskIfue1Tw-JwjyIXRvdsAl9i0DX9VbqmgICXV84Sk,7
-workos-5.23.0.dist-info/RECORD,,
+workos-5.26.0.dist-info/LICENSE,sha256=mU--WL1JzelH2tXpKVoOlpud4cpqKSRTtdArCvYZmb4,1063
+workos-5.26.0.dist-info/METADATA,sha256=MohK6HHQVDsilcCLtEwsSRF_ufiHMGCe1puhiVakL60,4187
+workos-5.26.0.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
+workos-5.26.0.dist-info/top_level.txt,sha256=ZFskIfue1Tw-JwjyIXRvdsAl9i0DX9VbqmgICXV84Sk,7
+workos-5.26.0.dist-info/RECORD,,