feat!(generated): regenerate from spec (7 changes)

[workos-sdk-automation]

Summary

feat!(api_keys): Restructure API key types for orgs and users

• Removed ApiKeyWithValue, ApiKeyList, ApiKeyWithValueOwner, and ApiKeyListListMetadata classes
• Added OrganizationApiKey, OrganizationApiKeyWithValue, OrganizationApiKeyOwner, UserApiKey, UserApiKeyWithValue, UserApiKeyOwner classes for type-specific API keys
• Changed ApiKey.owner field type, affecting all API key event classes (ApiKeyCreatedData, ApiKeyRevokedData)
• Updated ApiKeysService.ListOrganizationApiKeysAsync() and CreateOrganizationApiKeyAsync() response types to use OrganizationApiKey and OrganizationApiKeyWithValue

feat(user_management): Add user API key and JWT template operations

• Added ListApiKeysAsync() and CreateApiKeyAsync() methods to list and create API keys for users
• Added ListJWTTemplateAsync() method to retrieve the JWT template for the environment
• Added UserManagementListApiKeysOptions and UserManagementCreateApiKeyOptions request classes
• Added CreateUserApiKey request model for API key creation

feat(directory_sync): Add name field to directory user models

• Added name field to DirectoryUser class
• Added name field to DirectoryUserWithGroups class
• Added name field to DsyncUserUpdatedData class

feat!(user_management): Add user field to organization membership models

• Added required user field (User object) to OrganizationMembership class
• Added required user field (User object) to UserOrganizationMembership class
• Added required user field (User object) to UserOrganizationMembershipBaseListData class

feat(sso): Add name field to user profile

• Added name field to Profile class to expose the user's full name

feat(vault): Add BYOK key deleted event support

• Added VaultByokKeyDeleted event class for the vault.byok_key.deleted event
• Added VaultByokKeyDeletedData class containing organization ID and key provider information
• Added VaultByokKeyDeletedDataKeyProvider enum for external key provider types

feat(events): Add ADMIN_PORTAL event source

• Added AdminPortal value to EventContextActorSource enum
• Added AdminPortal value to FlagCreatedContextActorSource enum
• Added AdminPortal value to FlagDeletedContextActorSource enum
• Added AdminPortal value to FlagRuleUpdatedContextActorSource enum
• Added AdminPortal value to FlagUpdatedContextActorSource enum

Triggered by workos/openapi-spec@058a0a4

BEGIN_COMMIT_OVERRIDE
feat!(api_keys): Restructure API key types for orgs and users
feat(user_management): Add user API key and JWT template operations
feat(directory_sync): Add name field to directory user models
feat!(user_management): Add user field to organization membership models
feat(sso): Add name field to user profile
feat(vault): Add BYOK key deleted event support
feat(events): Add ADMIN_PORTAL event source
END_COMMIT_OVERRIDE

---

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 5 additional findings.

[greptile-apps]

Greptile Summary

This is a large auto-generated SDK update regenerated from the OpenAPI spec, covering seven distinct feature areas: org/user API key type restructuring, user API key and JWT template operations, directory user name fields, required user field on membership models, SSO profile name, vault BYOK key deleted event, and AdminPortal enum values.

• P1 – breaking type rename: VaultByokKeyVerificationCompletedData.KeyProvider silently switched from the now-deleted VaultByokKeyVerificationCompletedDataKeyProvider enum to VaultByokKeyDeletedDataKeyProvider. Consumers who pattern-match or reference the old type by name will get a compile error on upgrade.
• P2 – unreferenced entity: CreateUserApiKey is generated but never used; service methods accept UserManagementCreateApiKeyOptions instead, making CreateUserApiKey public API-surface dead code.
• P2 – naming: ListJWTTemplateAsync returns a single object, not a collection; GetJWTTemplateAsync would align with the existing UpdateJWTTemplateAsync naming.

Confidence Score: 3/5

Not safe to merge without addressing the silent breaking rename of VaultByokKeyVerificationCompletedData.KeyProvider's type

One P1 (unannounced breaking type rename on a public API surface) pulls the score below 4; the two P2s are minor but confirm this warrants another generator pass before release

src/WorkOS.net/Entities/VaultByokKeyVerificationCompletedData.cs — type of KeyProvider changed in a breaking, undocumented way

Important Files Changed

Filename	Overview
src/WorkOS.net/Entities/VaultByokKeyVerificationCompletedData.cs	Breaking type change: KeyProvider property renamed from VaultByokKeyVerificationCompletedDataKeyProvider to VaultByokKeyDeletedDataKeyProvider without documentation
src/WorkOS.net/Entities/CreateUserApiKey.cs	New entity class added but never referenced in service code; duplicates fields of UserManagementCreateApiKeyOptions
src/WorkOS.net/Services/UserManagement/UserManagementService.cs	Adds ListJWTTemplateAsync, ListApiKeysAsync, CreateApiKeyAsync for users; method naming of ListJWTTemplateAsync is inconsistent (should be GetJWTTemplateAsync)
src/WorkOS.net/Services/ApiKeys/ApiKeysService.cs	Return types updated from ApiKey/ApiKeyWithValue to OrganizationApiKey/OrganizationApiKeyWithValue; method reordering only, no logic changes
src/WorkOS.net/Entities/OrganizationApiKey.cs	New org-scoped API key entity; Owner property reuses ApiKeyCreatedDataOwner rather than a dedicated OrganizationApiKeyOwner type
src/WorkOS.net/Entities/UserApiKey.cs	New user-scoped API key entity with UserApiKeyOwner; structure mirrors OrganizationApiKey correctly
src/WorkOS.net/Client/Utilities/EventSchemaDiscriminatorConverter.cs	Adds vault.byok_key.deleted discriminator case mapping to new VaultByokKeyDeleted type
src/WorkOS.net/Enums/VaultByokKeyDeletedDataKeyProvider.cs	New enum consolidating key-provider values; also repurposed for VaultByokKeyVerificationCompletedData, removing the old VaultByokKeyVerificationCompletedDataKeyProvider enum
src/WorkOS.net/Entities/OrganizationMembership.cs	Adds required User field to OrganizationMembership and related membership types; test fixtures updated accordingly

Class Diagram

%%{init: {'theme': 'neutral'}}%%
classDiagram
    class OrganizationApiKey {
        +string Object
        +string Id
        +ApiKeyCreatedDataOwner Owner
        +string Name
        +string ObfuscatedValue
        +DateTimeOffset? LastUsedAt
        +List~string~ Permissions
        +DateTimeOffset CreatedAt
        +DateTimeOffset UpdatedAt
    }
    class OrganizationApiKeyWithValue {
        +string Value
    }
    OrganizationApiKey <|-- OrganizationApiKeyWithValue

    class UserApiKey {
        +string Object
        +string Id
        +UserApiKeyOwner Owner
        +string Name
        +string ObfuscatedValue
        +DateTimeOffset? LastUsedAt
        +List~string~ Permissions
        +DateTimeOffset CreatedAt
        +DateTimeOffset UpdatedAt
    }
    class UserApiKeyWithValue {
        +string Value
    }
    UserApiKey <|-- UserApiKeyWithValue

    class UserApiKeyOwner {
        +string Type
        +string Id
        +string OrganizationId
    }
    class ApiKeyCreatedDataOwner {
        +string Type
        +string Id
    }

    OrganizationApiKey --> ApiKeyCreatedDataOwner : Owner
    OrganizationApiKeyWithValue --> ApiKeyCreatedDataOwner : Owner
    UserApiKey --> UserApiKeyOwner : Owner
    UserApiKeyWithValue --> UserApiKeyOwner : Owner

    class VaultByokKeyDeleted {
        +VaultByokKeyDeletedData Data
        +EventContext? Context
    }
    class VaultByokKeyDeletedData {
        +string OrganizationId
        +VaultByokKeyDeletedDataKeyProvider KeyProvider
    }
    VaultByokKeyDeleted --> VaultByokKeyDeletedData

Loading

_{Reviews (1): Last reviewed commit: "feat!(generated): regenerate from spec (..." | Re-trigger Greptile}

[greptile-apps]

Breaking type rename on KeyProvider property

VaultByokKeyVerificationCompletedData.KeyProvider was previously typed as VaultByokKeyVerificationCompletedDataKeyProvider; that enum has been removed and the property now uses VaultByokKeyDeletedDataKeyProvider. Any consumer code that references the old type by name (e.g. case VaultByokKeyVerificationCompletedDataKeyProvider.AwsKms:) will fail to compile after upgrading — even though the enum values are identical. This is an unannounced breaking API-surface change not called out in the PR description, which only mentions VaultByokKeyDeletedDataKeyProvider as a new addition.

[greptile-apps]

CreateUserApiKey entity is unreferenced dead code

This class is not used anywhere in service or client code — UserManagementService.CreateApiKeyAsync accepts UserManagementCreateApiKeyOptions (which carries the same three fields: Name, OrganizationId, Permissions). CreateUserApiKey only appears in the generated manifest. Shipping a public class that mirrors a request-options class adds API-surface noise and may confuse consumers about which type to use when creating user API keys.

[greptile-apps]

ListJWTTemplateAsync name doesn't match the operation semantics

The method name starts with List, but the underlying call is GET /user_management/jwt_template and it returns a single JWTTemplateResponse, not a collection. The existing UpdateJWTTemplateAsync follows a <Verb>JWTTemplate pattern; a name like GetJWTTemplateAsync would be consistent with that pattern and avoid confusion with the auto-paging List*AutoPagingAsync helpers elsewhere in the service.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

[greptile-apps]

Owner typed as ApiKeyCreatedDataOwner instead of a dedicated org-owner type

OrganizationApiKey.Owner (and OrganizationApiKeyWithValue.Owner) is typed as ApiKeyCreatedDataOwner — a class originally scoped to event-data contexts. The PR description mentions adding OrganizationApiKeyOwner, but that class was never generated. While the JSON structure is currently identical (type, id), reusing the event-data owner type couples two separate API surfaces. If the org-owner shape diverges in a future spec change, it would require a breaking rename here.