[v8] feat: add PKCE support for public clients; remove /client entry point

README.md

@@ -37,6 +37,60 @@ import { WorkOS } from '@workos-inc/node';
 const workos = new WorkOS('sk_1234');
 ```
 
+## Public Client Mode (Browser/Mobile/CLI)
+
+For apps that can't securely store secrets, initialize with just a client ID:
+
+```ts
+import { WorkOS } from '@workos-inc/node';
+
+const workos = new WorkOS({ clientId: 'client_...' }); // No API key needed
+
+// Generate auth URL with automatic PKCE
+const { url, codeVerifier } =
+  await workos.userManagement.getAuthorizationUrlWithPKCE({
+    provider: 'authkit',
+    redirectUri: 'myapp://callback',
+    clientId: 'client_...',
+  });
+
+// After user authenticates, exchange code for tokens
+const { accessToken, refreshToken } =
+  await workos.userManagement.authenticateWithCode({
+    code: authorizationCode,
+    codeVerifier,
+    clientId: 'client_...',
+  });
+```
+
+> [!IMPORTANT]
+> Store `codeVerifier` securely on-device between generating the auth URL and handling the callback. For mobile apps, use platform secure storage (iOS Keychain, Android Keystore). For CLI apps, consider OS credential storage. The verifier must survive app restarts during the auth flow.
+
+See the [AuthKit documentation](https://workos.com/docs/authkit) for details on PKCE authentication.
+
+### PKCE with Confidential Clients
+
+Server-side apps can also use PKCE alongside the client secret for defense in depth (recommended by OAuth 2.1):
+
+```ts
+const workos = new WorkOS('sk_...'); // With API key
+
+// Use PKCE even with API key for additional security
+const { url, codeVerifier } =
+  await workos.userManagement.getAuthorizationUrlWithPKCE({
+    provider: 'authkit',
+    redirectUri: 'https://example.com/callback',
+    clientId: 'client_...',
+  });
+
+// Both client_secret AND code_verifier will be sent
+const { accessToken } = await workos.userManagement.authenticateWithCode({
+  code: authorizationCode,
+  codeVerifier,
+  clientId: 'client_...',
+});
+```
+
 ## SDK Versioning
 
 For our SDKs WorkOS follows a Semantic Versioning ([SemVer](https://semver.org/)) process where all releases will have a version X.Y.Z (like 1.0.0) pattern wherein Z would be a bug fix (e.g., 1.0.1), Y would be a minor release (1.1.0) and X would be a major release (2.0.0). We permit any breaking changes to only be released in major versions and strongly recommend reading changelogs before making any major version upgrades.

package.json

@@ -57,6 +57,7 @@
     "@types/qs": "^6.14.0",
     "@typescript-eslint/parser": "^8.46.0",
     "babel-jest": "^30.2.0",
+    "baseline-browser-mapping": "^2.9.11",
     "eslint": "^9.37.0",
     "eslint-plugin-jest": "^29.0.1",
     "eslint-plugin-n": "^17.23.1",
@@ -110,17 +111,6 @@
       },
       "default": "./lib/index.js"
     },
-    "./client": {
-      "import": {
-        "types": "./lib/index.client.d.ts",
-        "default": "./lib/index.client.js"
-      },
-      "require": {
-        "types": "./lib/index.client.d.cts",
-        "default": "./lib/index.client.cjs"
-      },
-      "default": "./lib/index.client.js"
-    },
     "./worker": {
       "import": {
         "types": "./lib/index.worker.d.ts",