Flows
Aggregator of HTTP flows that don’t belong on the AuthClient main surface. One thin method per auth-server endpoint, all wired through the client’s Transport + SessionStore.
Endpoint map (auth-server/internal/api/routes/routes.go):
- password reset / change → /auth/password/*
- email verification → /auth/verify-email*
- 2FA enroll / enable / off → /auth/2fa/*
- sessions list / terminate → /auth/sessions*
- my apps / my orgs → /me/apps, /me/orgs
- SSO providers / url / etc → /auth/sso/*
- admin → /admin/*, /auth/check-email, /auth/admin/set-password
- validate (server-side) → /auth/validate
Methods
setupTwoFactor()
function setupTwoFactor(): arrayReturns
array<string,mixed>
listSessions()
function listSessions(): arrayReturns
array<string,mixed>
myApps()
function myApps(): arrayReturns
array<string,mixed>
myOrgs()
function myOrgs(): arrayReturns
array<string,mixed>
startSso()
function startSso( string $provider, string $redirectUrl, ?string $organizationId = null, ?string $inviteCode = null,): arrayStep 1: get the provider auth URL. Stores a PKCE verifier per state.
Returns
array{auth_url:string,state:string,code_verifier:string}
completeSso()
function completeSso(string $provider, string $code, string $state): AuthResponseStep 2/3: complete the SSO callback. The server returns either {auth_code, expires_in} (PKCE branch) or {user, tokens, …}. We handle both — when PKCE auth_code is returned we POST /auth/sso/exchange with the stored verifier and persist the resulting tokens.
ssoProviders()
function ssoProviders(): arrayReturns
array<string,mixed>
validateTokenRemote()
function validateTokenRemote(string $token): arrayValidate a token at the server (fallback when shared secret unavailable).
Returns
array<string,mixed>
lookupUsers()
function lookupUsers( array $emails = [], array $ids = [], ?string $serviceToken = null,): arrayBulk user lookup (system_admin / super_admin only).
Parameters
$emails—list<string>$ids—list<string>
Returns
array<string,mixed>
bulkImport()
function bulkImport(array $users, array $opts = [], ?string $serviceToken = null): arrayBulk-import users with pre-hashed passwords (system_admin only).
Hashes are stored verbatim — bcrypt values verify on the normal login path immediately, so existing passwords keep working with no reset. The server upserts idempotently by (namespace, email) and returns a per-row status + the resulting uid, so the caller can backfill its own foreign key (e.g. a local users.ven_user_id). Max 500 rows per request.
Parameters
$users—list<array<string,mixed>>· Each row: {email, password_hash, hash_algo?, first_name?, last_name?, namespace_tags?, metadata?}.$opts—array{app_code?:string,default_namespace?:string,update?:bool}
Returns
array<string,mixed> {created, updated, skipped, errored, rows[]}
registerPermissions()
function registerPermissions( string $service, array $permissions, ?string $serviceToken = null,): arrayRegister a service’s permission catalog slice (system_admin only).
Parameters
$permissions—list<array<string,mixed>>
Returns
array<string,mixed>
clientCredentialsGrant()
function clientCredentialsGrant( string $clientId, string $clientSecret, array $scopes = [],): arrayExchange client credentials for a service-principal access token (POST /oauth/token). Returns the raw {access_token, token_type, expires_in, expires_at, scope} envelope.
Parameters
$scopes—list<string>
Returns
array<string,mixed>
pkceVerifier()
function pkceVerifier(): stringRFC 7636 §4.1 — 43..128 chars of unreserved URL-safe random.
pkceChallenge()
function pkceChallenge(string $verifier): stringRFC 7636 §4.2 — BASE64URL(SHA256(verifier)).