add client-only export

Author: nicknisi

package.json

@@ -103,6 +103,15 @@
       "require": "./lib/cjs/index.cjs",
       "default": "./lib/esm/index.js"
     },
+    "./client": {
+      "types": {
+        "require": "./lib/cjs/index.client.d.cts",
+        "import": "./lib/esm/index.client.d.ts"
+      },
+      "import": "./lib/esm/index.client.js",
+      "require": "./lib/cjs/index.client.cjs",
+      "default": "./lib/esm/index.client.js"
+    },
     "./worker": {
       "types": {
         "require": "./lib/cjs/index.worker.d.cts",

src/index.client.spec.ts

@@ -0,0 +1,153 @@
+import { WorkOS } from './index.client';
+
+describe('WorkOS Client', () => {
+  let workosClient: WorkOS;
+
+  beforeEach(() => {
+    workosClient = new WorkOS({
+      clientId: 'client_123',
+      apiHostname: 'api.workos.dev',
+    });
+  });
+
+  describe('instantiation', () => {
+    it('should instantiate without requiring an API key', () => {
+      expect(() => new WorkOS()).not.toThrow();
+    });
+
+    it('should accept client configuration options', () => {
+      const client = new WorkOS({
+        clientId: 'test_client',
+        apiHostname: 'test.api.com',
+        https: false,
+        port: 3000,
+      });
+
+      expect(client).toBeDefined();
+      expect(client.version).toBeDefined();
+    });
+  });
+
+  describe('exposed services', () => {
+    it('should expose webhooks service', () => {
+      expect(workosClient.webhooks).toBeDefined();
+      expect(workosClient.webhooks.verifyHeader).toBeDefined();
+      expect(workosClient.webhooks.computeSignature).toBeDefined();
+      expect(workosClient.webhooks.constructEvent).toBeDefined();
+    });
+
+    it('should expose actions service', () => {
+      expect(workosClient.actions).toBeDefined();
+      expect(workosClient.actions.verifyHeader).toBeDefined();
+      expect(workosClient.actions.signResponse).toBeDefined();
+      expect(workosClient.actions.constructAction).toBeDefined();
+    });
+
+    it('should expose client-safe user management methods', () => {
+      expect(workosClient.userManagement).toBeDefined();
+      expect(
+        workosClient.userManagement.authenticateWithCodeAndVerifier,
+      ).toBeDefined();
+      expect(workosClient.userManagement.getAuthorizationUrl).toBeDefined();
+      expect(workosClient.userManagement.getLogoutUrl).toBeDefined();
+      expect(workosClient.userManagement.getJwksUrl).toBeDefined();
+    });
+
+    it('should expose client-safe SSO methods', () => {
+      expect(workosClient.sso).toBeDefined();
+      expect(workosClient.sso.getAuthorizationUrl).toBeDefined();
+    });
+
+    it('should expose version', () => {
+      expect(workosClient.version).toBeDefined();
+      expect(typeof workosClient.version).toBe('string');
+    });
+  });
+
+  describe('method behavior', () => {
+    it('should be able to call URL generation methods', () => {
+      const authUrl = workosClient.userManagement.getAuthorizationUrl({
+        clientId: 'client_123',
+        redirectUri: 'https://example.com/callback',
+        provider: 'GoogleOAuth',
+      });
+
+      expect(authUrl).toContain('api.workos.dev');
+      expect(authUrl).toContain('client_id=client_123');
+      expect(authUrl).toContain('provider=GoogleOAuth');
+    });
+
+    it('should be able to call JWKS URL generation', () => {
+      const jwksUrl = workosClient.userManagement.getJwksUrl('client_123');
+      expect(jwksUrl).toBe('https://api.workos.dev/sso/jwks/client_123');
+    });
+
+    it('should be able to call logout URL generation', () => {
+      const logoutUrl = workosClient.userManagement.getLogoutUrl({
+        sessionId: 'session_123',
+        returnTo: 'https://example.com',
+      });
+
+      expect(logoutUrl).toContain('api.workos.dev');
+      expect(logoutUrl).toContain('session_id=session_123');
+    });
+
+    it('should be able to call SSO authorization URL generation', () => {
+      const authUrl = workosClient.sso.getAuthorizationUrl({
+        clientId: 'client_123',
+        redirectUri: 'https://example.com/callback',
+        provider: 'GoogleOAuth',
+      });
+
+      expect(authUrl).toContain('api.workos.dev');
+      expect(authUrl).toContain('client_id=client_123');
+    });
+  });
+
+  describe('server-only methods should not be exposed', () => {
+    it('should not expose getUser on userManagement', () => {
+      expect((workosClient.userManagement as any).getUser).toBeUndefined();
+    });
+
+    it('should not expose createUser on userManagement', () => {
+      expect((workosClient.userManagement as any).createUser).toBeUndefined();
+    });
+
+    it('should not expose listUsers on userManagement', () => {
+      expect((workosClient.userManagement as any).listUsers).toBeUndefined();
+    });
+
+    it('should not expose updateUser on userManagement', () => {
+      expect((workosClient.userManagement as any).updateUser).toBeUndefined();
+    });
+
+    it('should not expose server-only authentication methods', () => {
+      expect(
+        (workosClient.userManagement as any).authenticateWithPassword,
+      ).toBeUndefined();
+      expect(
+        (workosClient.userManagement as any).authenticateWithMagicAuth,
+      ).toBeUndefined();
+      expect(
+        (workosClient.userManagement as any).authenticateWithRefreshToken,
+      ).toBeUndefined();
+    });
+  });
+
+  describe('type safety', () => {
+    it('should provide proper TypeScript types for exposed methods', () => {
+      // These should compile without errors
+      const authUrl: string = workosClient.userManagement.getAuthorizationUrl({
+        clientId: 'test',
+        redirectUri: 'https://example.com',
+        provider: 'GoogleOAuth',
+      });
+
+      const jwksUrl: string =
+        workosClient.userManagement.getJwksUrl('client_id');
+
+      expect(typeof authUrl).toBe('string');
+      expect(typeof jwksUrl).toBe('string');
+    });
+  });
+});

src/index.client.ts

@@ -0,0 +1,76 @@
+import { WorkOSBase } from './workos';
+import { WorkOSOptions } from './common/interfaces';
+
+interface WorkOSClientOptions {
+  clientId?: string;
+  apiHostname?: string;
+  https?: boolean;
+  port?: number;
+}
+
+/**
+ * WorkOS client-safe SDK for browser environments.
+ * Only exposes methods that are safe to use without API keys.
+ */
+export class WorkOS {
+  private _base: WorkOSBase;
+
+  // Client-safe services
+  readonly userManagement: {
+    authenticateWithCodeAndVerifier: typeof WorkOSBase.prototype.userManagement.authenticateWithCodeAndVerifier;
+    getAuthorizationUrl: typeof WorkOSBase.prototype.userManagement.getAuthorizationUrl;
+    getLogoutUrl: typeof WorkOSBase.prototype.userManagement.getLogoutUrl;
+    getJwksUrl: typeof WorkOSBase.prototype.userManagement.getJwksUrl;
+  };
+
+  readonly sso: {
+    getAuthorizationUrl: typeof WorkOSBase.prototype.sso.getAuthorizationUrl;
+  };
+
+  readonly webhooks: typeof WorkOSBase.prototype.webhooks;
+  readonly actions: typeof WorkOSBase.prototype.actions;
+
+  constructor(options: WorkOSClientOptions = {}) {
+    // Convert client options to base WorkOS options format
+    const baseOptions: WorkOSOptions = {
+      clientId: options.clientId,
+      apiHostname: options.apiHostname,
+      https: options.https,
+      port: options.port,
+    };
+
+    // Create base instance without API key
+    this._base = new WorkOSBase(undefined, baseOptions);
+
+    // Initialize client-safe service methods
+    this.userManagement = {
+      authenticateWithCodeAndVerifier:
+        this._base.userManagement.authenticateWithCodeAndVerifier.bind(
+          this._base.userManagement,
+        ),
+      getAuthorizationUrl: this._base.userManagement.getAuthorizationUrl.bind(
+        this._base.userManagement,
+      ),
+      getLogoutUrl: this._base.userManagement.getLogoutUrl.bind(
+        this._base.userManagement,
+      ),
+      getJwksUrl: this._base.userManagement.getJwksUrl.bind(
+        this._base.userManagement,
+      ),
+    };
+
+    this.sso = {
+      getAuthorizationUrl: this._base.sso.getAuthorizationUrl.bind(
+        this._base.sso,
+      ),
+    };
+
+    // These services are fully client-safe - expose entirely
+    this.webhooks = this._base.webhooks;
+    this.actions = this._base.actions;
+  }
+
+  get version() {
+    return this._base.version;
+  }
+}

src/workos.ts

@@ -48,38 +48,35 @@ const HEADER_AUTHORIZATION = 'Authorization';
 const HEADER_IDEMPOTENCY_KEY = 'Idempotency-Key';
 const HEADER_WARRANT_TOKEN = 'Warrant-Token';
 
-export class WorkOS {
+export class WorkOSBase {
   readonly baseURL: string;
   readonly client: HttpClient;
   readonly clientId?: string;
 
   readonly actions: Actions;
-  readonly auditLogs = new AuditLogs(this);
-  readonly directorySync = new DirectorySync(this);
-  readonly organizations = new Organizations(this);
-  readonly organizationDomains = new OrganizationDomains(this);
-  readonly passwordless = new Passwordless(this);
-  readonly portal = new Portal(this);
-  readonly sso = new SSO(this);
+  readonly auditLogs: AuditLogs;
+  readonly directorySync: DirectorySync;
+  readonly organizations: Organizations;
+  readonly organizationDomains: OrganizationDomains;
+  readonly passwordless: Passwordless;
+  readonly portal: Portal;
+  readonly sso: SSO;
   readonly webhooks: Webhooks;
-  readonly mfa = new Mfa(this);
-  readonly events = new Events(this);
+  readonly mfa: Mfa;
+  readonly events: Events;
   readonly userManagement: UserManagement;
-  readonly fga = new FGA(this);
-  readonly widgets = new Widgets(this);
-  readonly vault = new Vault(this);
+  readonly fga: FGA;
+  readonly widgets: Widgets;
+  readonly vault: Vault;
 
   constructor(
     readonly key?: string,
     readonly options: WorkOSOptions = {},
   ) {
     if (!key) {
       this.key = getEnv('WORKOS_API_KEY');
-
-      if (!this.key) {
-        throw new NoApiKeyProvidedException();
-      }
     }
+    // Note: Don't throw here - let subclasses decide validation policy
 
     if (this.options.https === undefined) {
       this.options.https = true;
@@ -107,6 +104,20 @@ export class WorkOS {
       userAgent += ` ${name}: ${version}`;
     }
 
+    // Initialize all service clients
+    this.auditLogs = new AuditLogs(this);
+    this.directorySync = new DirectorySync(this);
+    this.organizations = new Organizations(this);
+    this.organizationDomains = new OrganizationDomains(this);
+    this.passwordless = new Passwordless(this);
+    this.portal = new Portal(this);
+    this.sso = new SSO(this);
+    this.mfa = new Mfa(this);
+    this.events = new Events(this);
+    this.fga = new FGA(this);
+    this.widgets = new Widgets(this);
+    this.vault = new Vault(this);
+
     this.webhooks = this.createWebhookClient();
     this.actions = this.createActionsClient();
 
@@ -129,13 +140,26 @@ export class WorkOS {
   }
 
   createHttpClient(options: WorkOSOptions, userAgent: string) {
+    const headers: Record<string, string> = {
+      'User-Agent': userAgent,
+    };
+
+    // Add existing headers if they exist
+    if (options.config?.headers) {
+      const existingHeaders = new Headers(options.config.headers);
+      existingHeaders.forEach((value, key) => {
+        headers[key] = value;
+      });
+    }
+
+    // Only add Authorization header if we have an API key
+    if (this.key) {
+      headers.Authorization = `Bearer ${this.key}`;
+    }
+
     return new FetchHttpClient(this.baseURL, {
       ...options.config,
-      headers: {
-        ...options.config?.headers,
-        Authorization: `Bearer ${this.key}`,
-        'User-Agent': userAgent,
-      },
+      headers,
     }) as HttpClient;
   }
 
@@ -361,3 +385,20 @@ export class WorkOS {
     }
   }
 }
+
+export class WorkOS extends WorkOSBase {
+  constructor(
+    key?: string,
+    readonly options: WorkOSOptions = {},
+  ) {
+    if (!key) {
+      key = getEnv('WORKOS_API_KEY');
+
+      if (!key) {
+        throw new NoApiKeyProvidedException();
+      }
+    }
+
+    super(key, options);
+  }
+}