SDK Reference

Verify credentials and fetch the calling Application. Use this as your SDK smoke test — if it returns, your secret key is good and you're pointed at the right ReliPay deployment.

Create a new end-user in the calling Application via email + password. Returns the user and a JWT to use for subsequent per-user calls (e.g. `getCurrentUser(token)`).

Authenticate an existing end-user with email + password.

Exchange an MFA challenge token + TOTP/backup code for a real session. Use after `signIn` (or OAuth callback) returns `mfaRequired: true`.

Request a magic-link sign-in email. Enumeration-safe: same response shape whether the email exists or not. When the Application has email transport configured, the link is sent and `magicLinkToken` is null; otherwise the raw token is returned for you to forward.

Consume a magic-link token. Returns `SignInOutcome` — branch on `mfaRequired` before reading `accessToken`. For MFA-enrolled users the response carries `mfaChallengeToken` and you must complete via `mfaVerify(...)`.

Begin a passkey authentication ceremony. Returns the WebAuthn options to forward to the browser (`navigator.credentials.get(...)`) along with `expectedChallenge` — bind the challenge to your session and pass both back via `verifyPasskeyAuthentication(...)`.

Complete a passkey authentication. Returns the same `SignInOutcome` shape as `signIn` — but passkeys are themselves a strong factor, so `mfaRequired` will always be `false` in practice.

Begin a passkey registration ceremony for an authenticated user. Forward `options` to `navigator.credentials.create(...)`; store `expectedChallenge` in session; POST both back via `verifyPasskeyRegistration(...)`.

List the user's registered passkeys.

Remove a passkey. Returns `{deleted: false}` if the row doesn't belong to this user.

Resolve the end-user behind a presented access token.

Exchange a refresh token for a fresh {access, refresh} pair. The presented refresh is revoked atomically — call this **once** and store the new `refreshToken` from the response immediately.

Revoke a refresh token. Idempotent — no-op for unknown tokens. The access token paired with this refresh remains valid until its short (15 min) expiry; for true "log out everywhere" semantics, also clear the access token from your client.

Request a password-reset token for an email. Always succeeds — never tells you whether the email exists. **You must email the returned `resetToken` to the user**: ReliPay does not send email.

Consume a reset token + set a new password. Single-use. On success, every refresh token for the user is revoked.

Authenticated password change. Pass the user's *current* access token. On success, every refresh token for the user is revoked — other devices are signed out.

Revoke every refresh token for the calling user. "Sign out of all devices." The caller's access token remains valid until 15-min expiry — clear it client-side for full logout.

Send (or re-send) an email-verification link to the current user. If email transport is configured on the Application, ReliPay sends the email and `verificationToken` is null. Otherwise the raw token is returned for the caller to forward via their own provider.

Consume an email-verification token. Single-use, 24-hour lifetime. Marks `emailVerified: true` on the user record. Cross-Application tokens are refused with `EMAIL_VERIFICATION_TOKEN_WRONG_APPLICATION`.

List the current user's active sessions (live refresh tokens), newest first. Each carries the User-Agent + IP captured at issue time and an `id` you can pass to `revokeSession(...)`.

Revoke one session by id. Idempotent — `{ revoked: false }` if it isn't this user's.

MFA enrollment status for the current user, plus the Application's policy.

Begin TOTP enrollment: mints a secret (as an `otpauthUrl` for the QR) and 10 single-show backup codes. **Not enrolled until `confirmMfaSetup(...)`.** Only SHA-256 hashes of the backup codes are stored — show them once.

Confirm enrollment by submitting the current 6-digit TOTP code.

Verify a TOTP or backup code as a step-up check (does NOT issue a session). Backup codes are single-use — consumed on success. Returns `{ ok }`.

Disable MFA for the current user.

Get the provider authorization URL to redirect the browser to. Pass an unguessable `state` and verify it on return before calling `completeOAuth`.

Exchange the provider `code` for a ReliPay session. Returns a `SignInOutcome` — branch on `mfaRequired` before reading `accessToken`. Verify the `state` CSRF value yourself before calling.

List the OAuth providers linked to the current user.

Begin linking a provider to the *currently authenticated* user.

Complete an OAuth link — attaches the provider identity to the current user. Refuses on unverified provider emails (account-takeover guard) or when the provider account already belongs to a different user.

Remove a linked provider. Refuses with `OAUTH_UNLINK_WOULD_LOCK_OUT` (409) if it would leave the account with no way to sign in.

List the calling Application's active plans. Public — pricing pages typically render straight from this. Application API key only; no user JWT needed.

Fetch the current end-user's active subscription, or `null` if they have none. Returns the most recent ACTIVE / PENDING / PAST_DUE row.

Start a hosted-checkout session. Returns the URL to redirect the user to and the local PENDING Subscription row. Subscription activation happens via the provider's webhook — not synchronously here.

Validate a coupon for the current user against a plan, *without* applying it. Render "$50 off" on a pricing page before submit.

List the billing providers configured + enabled for this Application, in the order the geo router would prefer them. Forward the end-user's `country` (ISO 3166-1 alpha-2) when you have it — the panel/SDK will surface India-specific providers (Razorpay) for IN-country users, etc.

Current spendable balance for an end-user (0 if they've never held credits).

Deduct credits from an end-user. Throws `RelipayError` with `code: "CREDITS_INSUFFICIENT"` (HTTP 402) when the balance is too low.

Recent ledger entries for an end-user, newest first.

Verify a license key + record an activation for this machine. Call once at app startup; you'll get a deterministic body (`ok=false` for invalid licenses — never an HTTP error — so your software can loop on the result without try/catch noise).

Create an organization; the calling user becomes the OWNER.

List organizations the calling user belongs to, with their role.

Fetch one organization the caller belongs to.

Update org name / metadata. OWNER + ADMIN only.

List members of an organization the caller belongs to.

Invite a user. Returns the raw token ONCE — surface via your own email/share channel. OWNER + ADMIN only.

Revoke a pending invitation. OWNER + ADMIN only. Idempotent.

Change a member's role. OWNER manages anyone; ADMIN manages MEMBER only. Last-OWNER guard refuses demoting the only OWNER.

Remove a member (or self). Refuses removing the last OWNER.

Self-leave. Refuses leaving as the last OWNER.

Accept an organization invitation by raw token. Refuses cross- Application invitations. Idempotent if the caller is already a member.

Record a usage event against a named meter. `quantity` can be negative to credit back (e.g. refunds). `occurredAt` defaults to server time; pass an ISO string when ingesting historical events.

Sum recorded quantity for a meter, optionally bounded by a time window and/or scoped to one end-user. Use to drive in-app "you've used X of your Y quota this month" displays.

Fetch the current end-user given an access token. Returns null on USER_TOKEN_INVALID so callers can render signed-out state without try/catch noise.