@allservices/sdk-server
v5.0.0
Published
Node-only server utilities for the AllServices API: webhook verification.
Maintainers
linkstccReadme
@allservices/sdk-server
Node-only server utilities for the AllServices API: webhook verification, server-side client, admin operations, and Next.js RSC + Server Action helpers.
Status: alpha. Public API may change between minors until
1.0.0. Node 22+.
The exports map declares "browser": null on every entry, so importing this package from a browser bundle fails at build time. This is the primary security boundary.
Install
pnpm add @allservices/sdk-server @allservices/sdk-core @allservices/contractsWebhook verification
import {
verifyWebhookSignature,
constructEvent,
createWebhookHandler,
} from '@allservices/sdk-server';
const result = verifyWebhookSignature({
payload: rawBodyBuffer,
signature: req.headers['x-allservices-signature'],
timestamp: req.headers['x-allservices-timestamp'],
secret: [process.env.WEBHOOK_SECRET_V1, process.env.WEBHOOK_SECRET_V2],
});
if (!result.valid) {
return res.status(401).end(result.reason);
}
const event = constructEvent(rawBodyBuffer, signatureHeader, timestampHeader, secret);
const handle = createWebhookHandler({
'license.activated': async (e) => {
/* ... */
},
'license.revoked': async (e) => {
/* ... */
},
});
await handle(event);The signature scheme is HMAC-SHA256 over ${timestamp}.${payload} with a 5-minute timestamp tolerance and constant-time comparison. Multi-secret support is for rotating webhook secrets without downtime.
Server client
import { createServerClient } from '@allservices/sdk-server';
const client = createServerClient();
const licenses = await client.licensing.list();Refuses to construct in browser environments. Reads bearerToken from ALLSERVICES_PAT and region from ALLSERVICES_REGION (eu or na) by default.
Admin operations
import { createServerClient } from '@allservices/sdk-server';
import { LicensingAdminClient } from '@allservices/sdk-server';
const client = createServerClient();
const admin = new LicensingAdminClient(client);
await admin.setLicenseState(licenseId, { state: 'suspended', reason: 'fraud' });Operator endpoints under /v1/licensing/operator/* are exposed only here, never in @allservices/sdk-react — they require operator permissions and are not appropriate for browser bundles.
RSC + Server Actions
// app/dashboard/page.tsx
import { dehydrate, HydrationBoundary, QueryClient } from '@tanstack/react-query';
import { prefetchQuery } from '@allservices/sdk-server';
export default async function Page() {
const queryClient = new QueryClient();
await prefetchQuery(queryClient, {
queryKey: ['licenses'],
queryFn: () => createServerClient().licensing.list(),
});
return (
<HydrationBoundary state={dehydrate(queryClient)}>
<LicenseList />
</HydrationBoundary>
);
}// app/actions/redeem.ts
'use server';
import { z } from 'zod';
import { action } from '@allservices/sdk-server';
import { createServerClient } from '@allservices/sdk-server';
export const redeemLicense = action(z.object({ code: z.string().min(1) }), async ({ code }) =>
createServerClient().licensing.redeem({ code }),
);Documentation
See the main README.
License
UNLICENSED — internal AllServices use only.