feat!(generated): regenerate from spec (5 changes)

[workos-sdk-automation]

Summary

feat!(api_keys): Refactor API keys for org and user ownership

• Removed ApiKeyWithValue and ApiKeyList models; replaced with OrganizationApiKey and UserApiKey families
• Changed ApiKey.owner field type from ApiKeyOwner to organization-only variant
• Renamed organization API key methods to clarify ownership: listOrganizationApiKeys(), createOrganizationApiKey()
• Added user API key support: listUserApiKeys(), createUserApiKey() in UserManagement service

feat!(user_management): Add user field to membership models and API key management

• Added required user field to UserOrganizationMembership and OrganizationMembership models
• Added required name field to Profile model
• New listJWTTemplate() method to retrieve JWT template
• New listUserApiKeys() and createUserApiKey() methods for user API key management
• Added CreateUserApiKey model for request payloads

feat(directory_sync): Add name field to directory user models

• Added optional name field to DirectoryUser and DirectoryUserWithGroups models
• Updated DsyncUserUpdatedData to include name field

feat(webhooks): Add support for BYOK key deletion events

• Added VaultByokKeyDeleted and VaultByokKeyDeletedData event models
• Added VaultByokKeyDeletedDataKeyProvider enum
• Added ADMIN_PORTAL value to multiple event actor source enums (EventContextActorSource, FlagCreatedContextActorSource, etc.)

feat(authentication): Add admin_portal actor source to auth events

• Added ADMIN_PORTAL value to EventContextActorSource enum
• Added ADMIN_PORTAL value to FlagCreatedContextActorSource enum
• Added ADMIN_PORTAL value to FlagDeletedContextActorSource enum
• Added ADMIN_PORTAL value to FlagRuleUpdatedContextActorSource enum
• Added ADMIN_PORTAL value to FlagUpdatedContextActorSource enum

Triggered by workos/openapi-spec@058a0a4

BEGIN_COMMIT_OVERRIDE
feat!(api_keys): Refactor API keys for org and user ownership
feat!(user_management): Add user field to membership models and API key management
feat(directory_sync): Add name field to directory user models
feat(webhooks): Add support for BYOK key deletion events
feat(authentication): Add admin_portal actor source to auth events
END_COMMIT_OVERRIDE

[greptile-apps]

Greptile Summary

This is an auto-generated SDK regeneration from an updated OpenAPI spec, introducing org-vs-user-owned API key resource families (OrganizationApiKey*, UserApiKey*), new listUserApiKeys/createUserApiKey methods on UserManagement, a required user field on membership models, and a VaultByokKeyDeleted webhook event. A broad sweep of URL path construction is also upgraded from PHP string interpolation to rawurlencode() across every service class, which is a meaningful correctness improvement.

Confidence Score: 4/5

Safe to merge; only P2 style findings, no functional defects.

All findings are P2 (naming inconsistency on listJWTTemplate, unused CreateUserApiKey model). The rawurlencode hardening, new resource models, fixture updates, and test coverage are all consistent and correct.

lib/Service/UserManagement.php (listJWTTemplate naming), lib/Resource/CreateUserApiKey.php (unused in service layer)

Important Files Changed

Filename	Overview
lib/Service/UserManagement.php	Adds listUserApiKeys/createUserApiKey methods and listJWTTemplate; applies rawurlencode to all path parameters. Minor naming inconsistency on listJWTTemplate (returns single item, not a list).
lib/Service/ApiKeys.php	Replaces ApiKey/ApiKeyWithValue with OrganizationApiKey/OrganizationApiKeyWithValue; moves createValidation/deleteApiKey below new methods; adds rawurlencode to all path segments.
lib/Resource/CreateUserApiKey.php	New DTO for user API key creation payload; correct structure but not referenced from the service layer (body is built inline instead).
lib/Resource/OrganizationMembership.php	Adds required (non-nullable) user: User field; fromArray correctly reads $data['user'] and fixtures updated to match.
lib/Resource/UserOrganizationMembership.php	Same pattern as OrganizationMembership — required user: User field added consistently with updated fixtures.
lib/Resource/OrganizationApiKey.php	New resource replacing the old generic ApiKey; clean implementation with proper nullable DateTimeImmutable for lastUsedAt.
lib/Resource/UserApiKeyWithValue.php	New resource for user-owned API keys with value; includes the raw value field only returned at creation time — correctly modeled.
lib/Resource/VaultByokKeyDeleted.php	New event model for BYOK key deletion; follows existing event model conventions correctly.
lib/Resource/Profile.php	Adds optional name field (nullable, no default, consistent with firstName/lastName pattern); fromArray uses null-coalescing correctly.
tests/Service/UserManagementTest.php	Adds tests for listJWTTemplate, listUserApiKeys, and createUserApiKey; all assertions cover method, path, and body fields correctly.
tests/Service/ApiKeysTest.php	Updated fixtures and type assertions to use OrganizationApiKey* variants; createValidation/deleteApiKey tests preserved and reordered.

Sequence Diagram

sequenceDiagram
    participant C as Client Code
    participant UM as UserManagement Service
    participant AK as ApiKeys Service
    participant API as WorkOS API

    C->>UM: listUserApiKeys(userId, organizationId?)
    UM->>API: GET /user_management/users/{userId}/api_keys
    API-->>UM: PaginatedResponse UserApiKey
    UM-->>C: PaginatedResponse UserApiKey

    C->>UM: createUserApiKey(userId, name, organizationId)
    UM->>API: POST /user_management/users/{userId}/api_keys
    API-->>UM: UserApiKeyWithValue (includes raw value)
    UM-->>C: UserApiKeyWithValue

    C->>AK: listOrganizationApiKeys(organizationId)
    AK->>API: GET /organizations/{organizationId}/api_keys
    API-->>AK: PaginatedResponse OrganizationApiKey
    AK-->>C: PaginatedResponse OrganizationApiKey

    C->>AK: createOrganizationApiKey(organizationId, name)
    AK->>API: POST /organizations/{organizationId}/api_keys
    API-->>AK: OrganizationApiKeyWithValue (includes raw value)
    AK-->>C: OrganizationApiKeyWithValue

    C->>UM: listJWTTemplate()
    UM->>API: GET /user_management/jwt_template
    API-->>UM: JWTTemplateResponse
    UM-->>C: JWTTemplateResponse

Loading

_{Reviews (1): Last reviewed commit: "feat!(generated): regenerate from spec (..." | Re-trigger Greptile}

[greptile-apps]

listJWTTemplate name implies a collection but returns a single object

The method is named listJWTTemplate and its docblock says "Get JWT template", yet it returns a single \WorkOS\Resource\JWTTemplateResponse (not a paginated list or array). The list* prefix is used throughout this SDK for paginated endpoints (e.g. listOrganizationApiKeys, listUserApiKeys). Since this is auto-generated, it's worth raising with the spec owners to rename to getJWTTemplate for consistency and clarity.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

[greptile-apps]

CreateUserApiKey model is never referenced by the service layer

CreateUserApiKey is generated as a DTO for the create-user-API-key request payload, but UserManagement::createUserApiKey() builds the request body inline with an array_filter([...]) call rather than using this model. The model is dead code from the service's perspective — no SDK method constructs or accepts a CreateUserApiKey instance. If intended only for consumers who want a typed serialization object, it should be consistent with how createOrganizationApiKey is handled (which also has no corresponding model). Worth flagging to the spec/generator team for alignment.