kinde-oss
diff --git a/‎src/content/docs/workflows/example-workflows/existing-password-provided-workflow.mdx
Lines changed: 38 additions & 57 deletions b/‎src/content/docs/workflows/example-workflows/existing-password-provided-workflow.mdx
Lines changed: 38 additions & 57 deletions
diff --git a/‎src/content/docs/workflows/example-workflows/m2m-token-generation-workflow.mdx
Lines changed: 27 additions & 87 deletions b/‎src/content/docs/workflows/example-workflows/m2m-token-generation-workflow.mdx
Lines changed: 27 additions & 87 deletions
diff --git a/‎src/content/docs/workflows/example-workflows/new-password-provided-workflow.mdx
Lines changed: 39 additions & 40 deletions b/‎src/content/docs/workflows/example-workflows/new-password-provided-workflow.mdx
Lines changed: 39 additions & 40 deletions
@@ -17,95 +17,76 @@ This trigger fires after an existing password is entered in the sign-in flow.
 Security is at the heart of our technical decisions at Kinde, and keeping user passwords safe is a huge part of this. Therefore:
 
 - Any attempt to log the password out to the console in this workflow will be redacted
-- API calls can only be made from these workflows using the Kinde provided `secureFetch` method which secures the payload with an encryption key
+- API calls should only be made from these workflows using the Kinde provided [secureFetch](/workflows/bindings/secure-fetch-binding/) binding which secures the payload with an encryption key
 
 ## Example use cases
 
 ### Drip feed migration
 
-For gradual migrations to Kinde where you wish to check the password against an external database before creating the user in Kinde.
+For gradual migrations to Kinde where you wish to check the password against an external database before creating the user in Kinde and migrating their password. [See example code](https://github.com/kinde-starter-kits/workflow-examples/blob/main/existingPassword/dripFeedMigrationWorkflow.ts)
 
 ## Workflow code
 
-### The event object
+### Sample event object
 
 The main argument provided to your code is the Kinde workflow `event` object which has two keys `request` and `context`. This gives you access to the reason the workflow was triggered. Here's an example:
 
-```jsx
+```json
 {
-	"request": {},
-	"context": {
-		"domains": {
-			"kindeDomain": "https://example.kinde.com" // Your Kinde domain
-		},
-		"auth": {
-    			"provided email": x_provided_email, // the email provided by the user
-    			"password":"someSecurePassword", // the raw password
-    			"hashedPassword": "someHash", // the hashed password,
-     			"hasUserRecordInKinde":  false // whether the user exists already in Kinde
-   		},
-		"user": {
-			"id": "kp_1234566" // only provided in password reset flows as otherwise new user
-		}
-}
-```
-
-### Workflow settings
-
-```jsx
-export const workflowSettings = {
-  id: "verifyPassword",
-  name: "Verify password",
-  failurePolicy: {action: "stop"},
-  trigger: "user:existing_password_provided",
-  bindings: {
-    "kinde.secureFetch": {}, // Required for external API calls
-    "kinde.widget": {} // Required to invalidate the form
+  "request": {
+    "ip": "192.168.0.1",
+    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Gecko/20100101 Firefox/135.0"
+  },
+  "context": {
+    "domains": {
+      "kindeDomain": "https://example.kinde.com" // Your Kinde domain
+    },
+    "auth": {
+      "providedEmail": "[email protected]", // the email provided by the user
+      "password": "someSecurePassword", // the raw password
+      "hashedPassword": "someHash", // the hashed password,
+      "hasUserRecordInKinde": false // whether the user exists already in Kinde
+    },
+    "user": {
+      "id": "kp_1234566" // only provided in password reset flows as otherwise new user
+    },
+    "workflow": {
+      "trigger": "user:existing_password_provided"
+    }
   }
-};
+}
 ```
 
 ### Secure fetch binding
 
-When an API call is made using `kinde.secureFetch()` the body is automatically encrypted with the active encryption key for the workflow. This can be generated under **Workflow > Encryption keys**.
-
-You will need to use the same encryption key in your own code to decrypt the payload on arrival. This ensures secure transfer of the password.
-
-We handle the encryption for you so your code might look like:
-
-```jsx
-const response = await kinde.secureFetch(`<YOUR_EXTERNAL_PASSWORD_DATABASE_ENDPOINT`, {
-        method: 'POST',
-        responseFormat: 'json',
-        headers: {
-            'content-type': 'application/json'
-        body: {
-      	email: event.context.auth.providedEmail,
-      	password: event.context.auth.password
-    }
-    });
-```
+We recommend you use the [secureFetch](/workflows/bindings/secure-fetch-binding/) binding to make API calls from your workflow if they include sensitive data like passwords.
 
 ### Widget binding
 
 The `kinde.widget` binding gives you access to the Kinde widget, which is the central form on the page. In this case the form with the two password fields.
 
 It exposes a method for invalidating a form field `invalidateFormField`
 
-```jsx
+```js
 kinde.widget.invalidateFormField(fieldName, message);
 ```
 
 Example
 
-```jsx
-const isMinCharacters = context.auth.Password.length >= 50;
-
-kinde.widget.invalidateFormField("p_password", "Nope");
+```js
+if (!isUserPasswordValid) {
+  kinde.widget.invalidateFormField("p_password", "User or password not found");
+}
 ```
 
-The field names for this workflow are
+The field names for the widget binding in this workflow are:
 
 | Field name   | Description        |
 | ------------ | ------------------ |
 | `p_password` | The password field |
+
+### Example workflows
+
+See examples on GitHub:
+
+[Drip feed migration](https://github.com/kinde-starter-kits/workflow-examples/blob/main/existingPassword/dripFeedMigrationWorkflow.ts) - Shows how to check a password against an external database before creating the user in Kinde.
@@ -26,103 +26,43 @@ You may want to add additional custom claims to the M2M token before it is deliv
 
 ### Correlate an M2M application with an organization or user
 
-If you want, you can use M2M applications similar to API keys to enable access to various endpoints and tie them to an organization or user. For example, you add the organization code as a [custom property](/properties/work-with-properties/manage-properties/) on the M2M application, then fetch any data you’d like to include in the token.
+If you want, you can use M2M applications similar to API keys to enable access to various endpoints and tie them to an organization or user. For example, you add the organization code as a [custom property](/properties/work-with-properties/manage-properties/) on the M2M application, then fetch any data you’d like to include in the token. [See example code](https://github.com/kinde-starter-kits/workflow-examples/blob/main/m2mToken/mapOrgToM2MApplicationWorkflow.ts)
 
 ## Workflow code
 
-### The event object
-
-The main argument provided to your code is the Kinde workflow `event` object which has two keys `request` and `context`. This gives you access to the reason the workflow was triggered. Here's an example:
-
-````jsx
-{
-	"request": {
-		"auth": {
-			"audience": ["<EXAMPLE_API>"]
-		},
-		"ip": "192.168.0.1"
-	},
-	"context": {
-		"domains": {
-			"kindeDomain": "https://example.kinde.com" // Your Kinde domain
-		},
-		"application": {
-				"clientId": "299627bd8bfa493f8b17e6aec8ebfb86" // the M2M application ID
-		},
-		"workflow": {
-				"trigger": "m2m:token_generation"
-		}
-}
-
-### Workflow settings
-
-```jsx
-export const workflowSettings = {
-  id: "m2mTokenGeneration",
-  name: "M2M custom claims",
-  failurePolicy: {
-    action: "stop",
-  },
-  trigger: "m2m:token_generation",
-  bindings: {
-	  "kinde.m2mToken": {}, // required to modify M2M access token
-    "kinde.fetch": {}, // Required for external API calls
-    "kinde.env": {}, // required to access your environment variables
-    url: {}, // required for url params
-  },
-};
-````
-
 ### M2M token binding
 
-The `kinde.m2mToken` binding is used to modify claims in the generated access token.
+The [kinde.m2mToken](/workflows/bindings/m2m-token-binding/) binding is used to modify claims in the generated access token.
 
-### A simple example
+### Sample event object
 
-```jsx
-kinde.m2mToken.setCustomClaim("hello", "world");
-```
-
-### An advanced example using Kinde API to correlate an organization to an M2M application.
-
-```jsx
-import {createKindeAPI} from "@kinde/infrastructure";
+The main argument provided to your code is the Kinde workflow `event` object which has two keys `request` and `context`. This gives you access to the reason the workflow was triggered. Here's an example:
 
-export const workflowSettings = {
-  id: "m2mTokenGeneration",
-  name: "M2M custom claims",
-  failurePolicy: {
-    action: "stop"
+```json
+{
+  "request": {
+    "auth": {
+      "audience": ["<EXAMPLE_API>"],
+      "scope": ["read:users"]
+    },
+    "ip": "192.168.0.1"
   },
-  trigger: "m2m:token_generation",
-  bindings: {
-    "kinde.m2mToken": {}, // required to modify M2M access token
-    "kinde.fetch": {}, // Required for external API calls
-    "kinde.env": {}, // required to access your environment variables
-    url: {} // required for url params
+  "context": {
+    "domains": {
+      "kindeDomain": "https://example.kinde.com" // Your Kinde domain
+    },
+    "application": {
+      "clientId": "299627bd8bfa493f8b17e6aec8ebfb86" // the M2M application ID
+    },
+    "workflow": {
+      "trigger": "m2m:token_generation"
+    }
   }
-};
-
-export default async function handleM2M(event) {
-  // Get a token for Kinde management API
-  const kindeAPI = await createKindeAPI(event);
-
-  // Call Kinde applications properties API
-  const {data} = await kindeAPI.get({
-    endpoint: `applications/${event.context.application.clientId}/properties`
-  });
-  const {appProperties} = data;
+}
+```
 
-  // Get the org code property to make the correlation
-  const orgCode = appProperties.find((prop) => prop.key === "org_code");
+### Example workflows
 
-  // Get org data from Kinde management API
-  const {data: org} = await kindeAPI.get({
-    endpoint: `organization?code=${orgCode.value}`
-  });
+See examples on GitHub:
 
-  // Use the data to set the org data on the M2M token
-  kinde.m2mToken.setCustomClaim("orgName", org.name);
-  kinde.m2mToken.setCustomClaim("orgCode", org.code);
-}
-```
+[Map M2M applications to organizations](https://github.com/kinde-starter-kits/workflow-examples/blob/main/m2mToken/mapOrgToM2MApplicationWorkflow.ts) - Shows how to map M2M applications to organizations. Useful if using Kinde for B2B API key management
@@ -17,7 +17,7 @@ This trigger fires after a new password is entered in either the sign-up flow or
 Security is at the heart of our technical decisions at Kinde, and keeping user passwords safe is a huge part of this. Therefore:
 
 - Any attempt to log the password out to the console in this workflow will be redacted
-- API calls can only be made from these workflows using the Kinde provided `secureFetch` method which secures the payload with an encryption key
+- API calls should only be made from these workflows using the Kinde provided [secureFetch](/workflows/bindings/secure-fetch-binding/) binding which secures the payload with an encryption key
 
 ## Example use cases
 
@@ -29,23 +29,26 @@ As a baseline, Kinde runs the following password checks:
 - The password is at least 8 characters long
 - The password does not exist in the 1,000,000 most common passwords
 
-With this workflow you can add your own custom code to run additional checks, for example if your business requires a specific mix of upper / lower case characters, or inclusion of special characters.
+With this workflow you can add your own custom code to run additional checks, for example if your business requires a specific mix of upper / lower case characters, or inclusion of special characters. [See example code](https://github.com/kinde-starter-kits/workflow-examples/blob/main/existingPassword/customPasswordValidationWorkflow.ts)
 
-### Sync password with an external system
+### Sync password updates with an external system
 
 For gradual migrations to Kinde where several apps are in play (e.g. a mobile application and a web application), you might want to migrate web users first and mobile app users later. If users have access to both applications, then password resets on the web application would not be persisted to the legacy mobile app password store.
 
-With this workflow you can securely send the password to your mobile app system in order to keep them in sync.
+With this workflow you can securely send the password to your mobile app system in order to keep them in sync. [See example code](https://github.com/kinde-starter-kits/workflow-examples/blob/main/newPassword/securelySyncPasswordWorkflow.ts)
 
 ## Workflow code
 
-### The event object
+### Sample event object
 
 The main argument provided to your code is the Kinde workflow `event` object which has two keys `request` and `context`. This gives you access to the reason the workflow was triggered. Here's an example:
 
-```jsx
+```json
 {
-	"request": {},
+	"request": {
+        "ip": "192.168.0.1",
+        "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Gecko/20100101 Firefox/135.0"
+    },
 	"context": {
 		"domains": {
 			"kindeDomain": "https://example.kinde.com" // Your Kinde domain
@@ -54,63 +57,59 @@ The main argument provided to your code is the Kinde workflow `event` object whi
 			"firstPassword": "someSecurePassword", // the first password entered
 			"secondPassword": "someSecurePassword", // password match field
 			"newPasswordReason": "reset" | "initial" // whether it is registration or reset
-		}
+		},
 		"user": {
-				"id": "kp_1234566" // only provided in password reset flows as otherwise new user
+				"id": "kp_1234566", // only provided in password reset flows as otherwise new user
 				"email": "[email protected]" // the email provided
+		},
+		"workflow": {
+			"trigger": "user:new_password_provided"
 		}
+	}
 }
 ```
 
-### Workflow settings
-
-```jsx
-export const workflowSettings = {
-  id: "passwordReset",
-  name: "Reset password",
-  failurePolicy: {
-    action: "stop"
-  },
-  trigger: "user:new_password_provided",
-  bindings: {
-    "kinde.secureFetch": {}, // Required for external API calls
-    "kinde.widget": {} // Required to invalidate the form
-  }
-};
-```
+## Bindings
 
 ### Secure fetch binding
 
-When an API call is made using `kinde.secureFetch()` the body is automatically encrypted with the active encryption key for the workflow. This can be generated under **Workflow > Encryption keys**.
-
-You will need to use the same encryption key in your own code to decrypt the payload on arrival. This ensures secure transfer of the password.
-
-We handle the encryption for you so your code might look like:
+We recommend you use the [secureFetch](/workflows/bindings/secure-fetch-binding/) binding to make API calls from your workflow if they include sensitive data like passwords.
 
 ### Widget binding
 
 The `kinde.widget` binding gives you access to the Kinde widget which is the central form on the page. In this case the form with the two password fields.
 
 It exposes a method for invalidating a form field `invalidateFormField`.
 
-```jsx
+```js
 kinde.widget.invalidateFormField(fieldName, message);
 ```
 
 Example
 
-```jsx
+```js
 const isMinCharacters = context.auth.firstPassword.length >= 50;
 
-kinde.widget.invalidateFormField(
-  "p_first_password",
-  "Provide a password at least 50 characters long"
-);
+if (!isMinCharacters) {
+  kinde.widget.invalidateFormField(
+    "p_first_password",
+    "Provide a password at least 50 characters long"
+  );
+}
+
 ```
 
-The field names for this workflow are
+The field names for the widget binding in this workflow are:
 
-| Field name     | Description                                                                              |
-| -------------- | ---------------------------------------------------------------------------------------- |
-| `p_first_password` | The first password field                                                                 |
+| Field name          | Description                                                                              |
+| ------------------- | ---------------------------------------------------------------------------------------- |
+| `p_first_password`  | The first password field                                                                 |
 | `p_second_password` | The second password field, typically to check it matches the first to help prevent typos |
+
+### Example workflows
+
+See examples on GitHub:
+
+- [Sync passwords to another system](https://github.com/kinde-starter-kits/workflow-examples/blob/main/newPassword/securelySyncPasswordWorkflow.ts) - Use encryption keys to securely keep passwords in sync between systems.
+- [Custom password validation](https://github.com/kinde-starter-kits/workflow-examples/blob/main/newPassword/customPasswordValidationWorkflow.ts) - Shows how to validate a password against your own rules.
+