feat!(generated): regenerate from spec (7 changes)

[workos-sdk-automation]

Summary

feat!(api_keys): Rename ApiKey models to Organization-scoped variants

• Renamed ApiKeyWithValue → OrganizationApiKeyWithValue
• Renamed ApiKeyWithValueOwner → OrganizationApiKeyWithValueOwner
• Updated list_organization_api_keys() return type from ApiKey to OrganizationApiKey
• Updated create_organization_api_key() return type from ApiKeyWithValue to OrganizationApiKeyWithValue
• Changed ApiKey.owner field type from ApiKeyOwner to raw value (breaking change in field deserialization)

feat(user_management): Add user API key management operations

• New operation list_user_api_keys() to list API keys for a user by organization
• New operation create_user_api_key() to create user-scoped API keys
• New model CreateUserApiKey for API key creation parameters
• New models UserApiKey, UserApiKeyWithValue, UserApiKeyOwner, UserApiKeyWithValueOwner for user API key responses
• New operation list_jwt_template() to fetch JWT template configuration

feat(directory_sync): Add name field to directory user models

• Added name field to DirectoryUser
• Added name field to DirectoryUserWithGroups
• Added name field to DsyncUserUpdatedData

feat(sso): Add name field to Profile model

• Added name field to Profile for SSO authentication response

feat!(authorization): Add user field to organization membership models

• Added user field (type User) to UserOrganizationMembership
• Added user field (type User) to OrganizationMembership
• Added user field (type User) to UserOrganizationMembershipBaseListData

feat(vault): Add BYOK key deletion event models

• New model VaultByokKeyDeleted for vault.byok_key.deleted event
• New model VaultByokKeyDeletedData with organization and key provider details
• New enum VaultByokKeyDeletedDataKeyProvider for AWS_KMS, GCP_KMS, AZURE_KEY_VAULT

fix(generated): Consolidate order enum definitions and add ADMIN_PORTAL actor source

• Created canonical ApiKeysOrder enum with NORMAL, DESC, ASC values
• All service order enums now alias ApiKeysOrder (e.g., ApplicationsOrder, AuditLogsOrder)
• Added ADMIN_PORTAL value to EventContextActorSource and all flag event actor source enums

Triggered by workos/openapi-spec@058a0a4

BEGIN_COMMIT_OVERRIDE
feat!(api_keys): Rename ApiKey models to Organization-scoped variants
feat(user_management): Add user API key management operations
feat(directory_sync): Add name field to directory user models
feat(sso): Add name field to Profile model
feat!(authorization): Add user field to organization membership models
feat(vault): Add BYOK key deletion event models
fix(generated): Consolidate order enum definitions and add ADMIN_PORTAL actor source
END_COMMIT_OVERRIDE

[greptile-apps]

Greptile Summary

This auto-generated PR renames ApiKey/ApiKeyWithValue to OrganizationApiKey/OrganizationApiKeyWithValue, adds user-scoped API key operations (list_user_api_keys, create_user_api_key), a list_jwt_template getter, new name fields on directory/SSO models, user fields on membership models, and vault BYOK key deletion event types. Two behavioral issues stand out:

• ApiKey.owner and ApiKeyCreatedData.owner now return a raw Hash instead of a typed object, silently breaking any caller that accesses owner.type or similar methods.
• list_user_api_keys defaults order: to "desc" (a non-nil string), which will always be serialized into the query string via .compact, unlike every other list method that defaults to nil.

Confidence Score: 3/5

Two P1 issues need resolution before merging: the owner type regression in ApiKey/ApiKeyCreatedData and the non-nil order default in list_user_api_keys.

Two P1 findings — a silent runtime break for any caller accessing api_key.owner.* methods, and an always-applied order=desc query param that overrides API defaults — prevent a clean merge. The rest of the generated changes are well-structured with matching tests.

lib/workos/api_keys/api_key.rb, lib/workos/api_keys/api_key_created_data.rb, and lib/workos/user_management.rb (the list_user_api_keys method)

Important Files Changed

Filename	Overview
lib/workos/api_keys/api_key.rb	Breaking change: owner field no longer deserialized into WorkOS::ApiKeyOwner; callers using .owner.type will get NoMethodError.
lib/workos/api_keys/api_key_created_data.rb	Same owner type regression as ApiKey — returns raw hash instead of typed ApiKeyCreatedDataOwner object, breaking the webhook event model.
lib/workos/user_management.rb	Adds list_user_api_keys, create_user_api_key, and list_jwt_template. list_user_api_keys has a non-nil order: "desc" default that will always be sent as a query param.
lib/workos/api_keys.rb	Renames return types to Organization-scoped variants; reorders methods with no logic changes beyond model substitution.
lib/workos/user_management/user_api_key_with_value.rb	New model with plaintext value field (raw API key secret); no redaction mechanism for logging.
lib/workos/api_keys/organization_api_key.rb	New model replacing ApiKey for organization list results; correctly uses typed OrganizationApiKeyOwner.
lib/workos/user_management/user_api_key.rb	New model for user-scoped API keys; correctly deserializes owner via UserApiKeyOwner.
lib/workos/types/api_keys_order.rb	New canonical order enum; all other *Order types now alias this, eliminating duplication.
lib/workos/vault/vault_byok_key_deleted.rb	New webhook event model for vault.byok_key.deleted; correctly delegates data and context to typed sub-models.
lib/workos/user_management/organization_membership.rb	Adds user field (typed as WorkOS::User) to OrganizationMembership.

Comments Outside Diff (1)

1. lib/workos/user_management/user_api_key_with_value.rb, line 43 (link)

   Raw API key secret stored in value field — ensure it is not logged

   @value holds the full plaintext API key returned only on creation. Per the project's logging policy, secrets must not appear in logs. If callers (or any middleware) log result.to_h, this value will be exposed. Consider overriding to_h / inspect to redact value, consistent with how other secrets are handled elsewhere in the SDK. The same concern applies to OrganizationApiKeyWithValue#value.

   Rule Used: Do not log sensitive fields like access_token, ref... (source)

_{Reviews (1): Last reviewed commit: "feat!(generated): regenerate from spec (..." | Re-trigger Greptile}

[greptile-apps]

Hardcoded "desc" order default differs from every other list method

Every other list method in this SDK (including list_organization_api_keys) defaults order: to nil, which means no order query param is sent and the API uses its own server-side default. Here, order: "desc" is a non-nil default, so .compact will not remove it and order=desc will always be appended to the request even when the caller never touches the parameter. If the API's true default is not "desc", or if a caller expects the API default to apply when they omit order:, they will silently get the wrong ordering.

[greptile-apps]

owner now returns a raw Hash, breaking the typed accessor contract

Previously @owner was deserialized as WorkOS::ApiKeyOwner.new(...), giving callers a typed object with named accessors (e.g. api_key.owner.type). After this change it returns the raw normalized Hash, so api_key.owner[:type] is now required. Any existing caller code that calls methods on owner will raise NoMethodError at runtime. The same regression is present in ApiKeyCreatedData (used in webhook events). The new OrganizationApiKey / OrganizationApiKeyWithValue correctly keep typed owner objects, making ApiKey and ApiKeyCreatedData inconsistent with the rest of the family.