create public API for methods that don't require an API key

Author: nicknisi

package.json

@@ -103,14 +103,14 @@
       "require": "./lib/cjs/index.cjs",
       "default": "./lib/esm/index.js"
     },
-    "./client": {
+    "./public": {
       "types": {
-        "require": "./lib/cjs/index.client.d.cts",
-        "import": "./lib/esm/index.client.d.ts"
+        "require": "./lib/cjs/index.public.d.cts",
+        "import": "./lib/esm/index.public.d.ts"
       },
-      "import": "./lib/esm/index.client.js",
-      "require": "./lib/cjs/index.client.cjs",
-      "default": "./lib/esm/index.client.js"
+      "import": "./lib/esm/index.public.js",
+      "require": "./lib/cjs/index.public.cjs",
+      "default": "./lib/esm/index.public.js"
     },
     "./worker": {
       "types": {

src/index.client.spec.ts src/index.public.spec.tssrc/index.client.spec.ts renamed to src/index.public.spec.ts

@@ -1,10 +1,10 @@
-import { WorkOS } from './index.client';
+import { WorkOS } from './index.public';
 
-describe('WorkOS Client', () => {
-  let workosClient: WorkOS;
+describe('WorkOS Public API', () => {
+  let workosPublic: WorkOS;
 
   beforeEach(() => {
-    workosClient = new WorkOS({
+    workosPublic = new WorkOS({
       clientId: 'client_123',
       apiHostname: 'api.workos.dev',
     });
@@ -15,7 +15,7 @@ describe('WorkOS Client', () => {
       expect(() => new WorkOS()).not.toThrow();
     });
 
-    it('should accept client configuration options', () => {
+    it('should accept public configuration options', () => {
       const client = new WorkOS({
         clientId: 'test_client',
         apiHostname: 'test.api.com',
@@ -30,43 +30,43 @@ describe('WorkOS Client', () => {
 
   describe('exposed services', () => {
     it('should expose webhooks service', () => {
-      expect(workosClient.webhooks).toBeDefined();
-      expect(workosClient.webhooks.verifyHeader).toBeDefined();
-      expect(workosClient.webhooks.computeSignature).toBeDefined();
-      expect(workosClient.webhooks.constructEvent).toBeDefined();
+      expect(workosPublic.webhooks).toBeDefined();
+      expect(workosPublic.webhooks.verifyHeader).toBeDefined();
+      expect(workosPublic.webhooks.computeSignature).toBeDefined();
+      expect(workosPublic.webhooks.constructEvent).toBeDefined();
     });
 
     it('should expose actions service', () => {
-      expect(workosClient.actions).toBeDefined();
-      expect(workosClient.actions.verifyHeader).toBeDefined();
-      expect(workosClient.actions.signResponse).toBeDefined();
-      expect(workosClient.actions.constructAction).toBeDefined();
+      expect(workosPublic.actions).toBeDefined();
+      expect(workosPublic.actions.verifyHeader).toBeDefined();
+      expect(workosPublic.actions.signResponse).toBeDefined();
+      expect(workosPublic.actions.constructAction).toBeDefined();
     });
 
     it('should expose client-safe user management methods', () => {
-      expect(workosClient.userManagement).toBeDefined();
+      expect(workosPublic.userManagement).toBeDefined();
       expect(
-        workosClient.userManagement.authenticateWithCodeAndVerifier,
+        workosPublic.userManagement.authenticateWithCodeAndVerifier,
       ).toBeDefined();
-      expect(workosClient.userManagement.getAuthorizationUrl).toBeDefined();
-      expect(workosClient.userManagement.getLogoutUrl).toBeDefined();
-      expect(workosClient.userManagement.getJwksUrl).toBeDefined();
+      expect(workosPublic.userManagement.getAuthorizationUrl).toBeDefined();
+      expect(workosPublic.userManagement.getLogoutUrl).toBeDefined();
+      expect(workosPublic.userManagement.getJwksUrl).toBeDefined();
     });
 
     it('should expose client-safe SSO methods', () => {
-      expect(workosClient.sso).toBeDefined();
-      expect(workosClient.sso.getAuthorizationUrl).toBeDefined();
+      expect(workosPublic.sso).toBeDefined();
+      expect(workosPublic.sso.getAuthorizationUrl).toBeDefined();
     });
 
     it('should expose version', () => {
-      expect(workosClient.version).toBeDefined();
-      expect(typeof workosClient.version).toBe('string');
+      expect(workosPublic.version).toBeDefined();
+      expect(typeof workosPublic.version).toBe('string');
     });
   });
 
   describe('method behavior', () => {
     it('should be able to call URL generation methods', () => {
-      const authUrl = workosClient.userManagement.getAuthorizationUrl({
+      const authUrl = workosPublic.userManagement.getAuthorizationUrl({
         clientId: 'client_123',
         redirectUri: 'https://example.com/callback',
         provider: 'GoogleOAuth',
@@ -78,12 +78,12 @@ describe('WorkOS Client', () => {
     });
 
     it('should be able to call JWKS URL generation', () => {
-      const jwksUrl = workosClient.userManagement.getJwksUrl('client_123');
+      const jwksUrl = workosPublic.userManagement.getJwksUrl('client_123');
       expect(jwksUrl).toBe('https://api.workos.dev/sso/jwks/client_123');
     });
 
     it('should be able to call logout URL generation', () => {
-      const logoutUrl = workosClient.userManagement.getLogoutUrl({
+      const logoutUrl = workosPublic.userManagement.getLogoutUrl({
         sessionId: 'session_123',
         returnTo: 'https://example.com',
       });
@@ -93,7 +93,7 @@ describe('WorkOS Client', () => {
     });
 
     it('should be able to call SSO authorization URL generation', () => {
-      const authUrl = workosClient.sso.getAuthorizationUrl({
+      const authUrl = workosPublic.sso.getAuthorizationUrl({
         clientId: 'client_123',
         redirectUri: 'https://example.com/callback',
         provider: 'GoogleOAuth',
@@ -106,45 +106,45 @@ describe('WorkOS Client', () => {
 
   describe('server-only methods should not be exposed', () => {
     it('should not expose getUser on userManagement', () => {
-      expect((workosClient.userManagement as any).getUser).toBeUndefined();
+      expect((workosPublic.userManagement as any).getUser).toBeUndefined();
     });
 
     it('should not expose createUser on userManagement', () => {
-      expect((workosClient.userManagement as any).createUser).toBeUndefined();
+      expect((workosPublic.userManagement as any).createUser).toBeUndefined();
     });
 
     it('should not expose listUsers on userManagement', () => {
-      expect((workosClient.userManagement as any).listUsers).toBeUndefined();
+      expect((workosPublic.userManagement as any).listUsers).toBeUndefined();
     });
 
     it('should not expose updateUser on userManagement', () => {
-      expect((workosClient.userManagement as any).updateUser).toBeUndefined();
+      expect((workosPublic.userManagement as any).updateUser).toBeUndefined();
     });
 
     it('should not expose server-only authentication methods', () => {
       expect(
-        (workosClient.userManagement as any).authenticateWithPassword,
+        (workosPublic.userManagement as any).authenticateWithPassword,
       ).toBeUndefined();
       expect(
-        (workosClient.userManagement as any).authenticateWithMagicAuth,
+        (workosPublic.userManagement as any).authenticateWithMagicAuth,
       ).toBeUndefined();
       expect(
-        (workosClient.userManagement as any).authenticateWithRefreshToken,
+        (workosPublic.userManagement as any).authenticateWithRefreshToken,
       ).toBeUndefined();
     });
   });
 
   describe('type safety', () => {
     it('should provide proper TypeScript types for exposed methods', () => {
       // These should compile without errors
-      const authUrl: string = workosClient.userManagement.getAuthorizationUrl({
+      const authUrl: string = workosPublic.userManagement.getAuthorizationUrl({
         clientId: 'test',
         redirectUri: 'https://example.com',
         provider: 'GoogleOAuth',
       });
 
       const jwksUrl: string =
-        workosClient.userManagement.getJwksUrl('client_id');
+        workosPublic.userManagement.getJwksUrl('client_id');
 
       expect(typeof authUrl).toBe('string');
       expect(typeof jwksUrl).toBe('string');

src/index.client.ts src/index.public.tssrc/index.client.ts renamed to src/index.public.ts

@@ -1,16 +1,30 @@
 import { WorkOSBase } from './workos';
 import { WorkOSOptions } from './common/interfaces';
 
-interface WorkOSClientOptions {
+// Export public methods directly (new approach)
+export * as userManagement from './public/user-management';
+export * as sso from './public/sso';
+
+// Re-export types for convenience
+export type {
+  AuthorizationURLOptions as UserManagementAuthorizationURLOptions,
+  LogoutURLOptions,
+} from './public/user-management';
+
+export type { SSOAuthorizationURLOptions } from './public/sso';
+
+interface WorkOSPublicOptions {
   clientId?: string;
   apiHostname?: string;
   https?: boolean;
   port?: number;
 }
 
 /**
- * WorkOS client-safe SDK for browser environments.
+ * WorkOS public-safe SDK for browser environments.
  * Only exposes methods that are safe to use without API keys.
+ * @deprecated Use the direct method imports instead:
+ * import { userManagement, sso } from '@workos-inc/node/public';
  */
 export class WorkOS {
   private _base: WorkOSBase;
@@ -30,8 +44,8 @@ export class WorkOS {
   readonly webhooks: typeof WorkOSBase.prototype.webhooks;
   readonly actions: typeof WorkOSBase.prototype.actions;
 
-  constructor(options: WorkOSClientOptions = {}) {
-    // Convert client options to base WorkOS options format
+  constructor(options: WorkOSPublicOptions = {}) {
+    // Convert public options to base WorkOS options format
     const baseOptions: WorkOSOptions = {
       clientId: options.clientId,
       apiHostname: options.apiHostname,
@@ -42,7 +56,7 @@ export class WorkOS {
     // Create base instance without API key
     this._base = new WorkOSBase(undefined, baseOptions);
 
-    // Initialize client-safe service methods
+    // Initialize public-safe service methods
     this.userManagement = {
       authenticateWithCodeAndVerifier:
         this._base.userManagement.authenticateWithCodeAndVerifier.bind(
@@ -65,7 +79,7 @@ export class WorkOS {
       ),
     };
 
-    // These services are fully client-safe - expose entirely
+    // These services are fully public-safe - expose entirely
     this.webhooks = this._base.webhooks;
     this.actions = this._base.actions;
   }

src/public-exports.spec.ts

@@ -0,0 +1,49 @@
+import { userManagement, sso } from './index.public';
+
+describe('New Public Exports', () => {
+  describe('userManagement exports', () => {
+    it('exports getAuthorizationUrl function', () => {
+      expect(userManagement.getAuthorizationUrl).toBeDefined();
+      expect(typeof userManagement.getAuthorizationUrl).toBe('function');
+    });
+
+    it('exports getLogoutUrl function', () => {
+      expect(userManagement.getLogoutUrl).toBeDefined();
+      expect(typeof userManagement.getLogoutUrl).toBe('function');
+    });
+
+    it('exports getJwksUrl function', () => {
+      expect(userManagement.getJwksUrl).toBeDefined();
+      expect(typeof userManagement.getJwksUrl).toBe('function');
+    });
+
+    it('can generate authorization URL directly', () => {
+      const url = userManagement.getAuthorizationUrl({
+        clientId: 'client_123',
+        redirectUri: 'https://app.com/callback',
+        provider: 'authkit',
+      });
+
+      expect(url).toContain('https://api.workos.com/user_management/authorize');
+      expect(url).toContain('client_id=client_123');
+    });
+  });
+
+  describe('sso exports', () => {
+    it('exports getAuthorizationUrl function', () => {
+      expect(sso.getAuthorizationUrl).toBeDefined();
+      expect(typeof sso.getAuthorizationUrl).toBe('function');
+    });
+
+    it('can generate SSO authorization URL directly', () => {
+      const url = sso.getAuthorizationUrl({
+        clientId: 'client_123',
+        redirectUri: 'https://app.com/callback',
+        provider: 'GoogleOAuth',
+      });
+
+      expect(url).toContain('https://api.workos.com/sso/authorize');
+      expect(url).toContain('provider=GoogleOAuth');
+    });
+  });
+});

src/public/index.ts

@@ -0,0 +1,17 @@
+/**
+ * Public methods that can be safely used in without an API key.
+ */
+
+// User Management public methods and types
+export * as userManagement from './user-management';
+
+// SSO public methods and types
+export * as sso from './sso';
+
+// Re-export specific types for convenience
+export type {
+  AuthorizationURLOptions as UserManagementAuthorizationURLOptions,
+  LogoutURLOptions,
+} from './user-management';
+
+export type { SSOAuthorizationURLOptions } from './sso';

src/public/sso.ts

@@ -0,0 +1,62 @@
+import { toQueryString } from './utils';
+
+export interface SSOAuthorizationURLOptions {
+  clientId: string;
+  connection?: string;
+  organization?: string;
+  domainHint?: string;
+  loginHint?: string;
+  provider?: string;
+  providerQueryParams?: Record<string, string | boolean | number>;
+  providerScopes?: string[];
+  redirectUri: string;
+  state?: string;
+}
+
+/**
+ * Generates the authorization URL for SSO authentication.
+ * This method is safe to use in browser environments as it doesn't require an API key.
+ *
+ * @param options - SSO authorization URL options
+ * @returns The authorization URL as a string
+ * @throws Error if required arguments are missing
+ */
+export function getAuthorizationUrl(
+  options: SSOAuthorizationURLOptions & { baseURL?: string },
+): string {
+  const {
+    connection,
+    clientId,
+    domainHint,
+    loginHint,
+    organization,
+    provider,
+    providerQueryParams,
+    providerScopes,
+    redirectUri,
+    state,
+    baseURL = 'https://api.workos.com',
+  } = options;
+
+  if (!provider && !connection && !organization) {
+    throw new Error(
+      `Incomplete arguments. Need to specify either a 'connection', 'organization', or 'provider'.`,
+    );
+  }
+
+  const query = toQueryString({
+    connection,
+    organization,
+    domain_hint: domainHint,
+    login_hint: loginHint,
+    provider,
+    provider_query_params: providerQueryParams,
+    provider_scopes: providerScopes,
+    client_id: clientId,
+    redirect_uri: redirectUri,
+    response_type: 'code',
+    state,
+  });
+
+  return `${baseURL}/sso/authorize?${query}`;
+}