
Token Management

Refresh, revoke, and introspect tokens with the Go SDK.

Token Management

RefreshToken()

// The refresh token literal is a placeholder; a real program would read it
// from wherever it keeps its credentials rather than hard-coding it.
params := &avnologyid.RefreshTokenParams{
    RefreshToken: "rt_abc123...",
}
rotated, err := client.OAuth.RefreshToken(ctx, params)
if err != nil {
    log.Fatal(err)
}

// The response carries a new refresh token as well as a new access token, so
// store the new refresh token in place of the one just used (the old one is
// presumably no longer accepted after rotation; confirm against the server).
// The values are printed only to show the fields: keep tokens out of real logs.
fmt.Println("New access token:", rotated.AccessToken)
fmt.Println("New refresh token:", rotated.RefreshToken) // rotated

RevokeToken()

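// Revoke the refresh token. TokenTypeHint tells the server which kind of
// token is being presented.
err := client.OAuth.RevokeToken(ctx, &avnologyid.RevokeTokenParams{
    Token:         "rt_abc123...",
    TokenTypeHint: "refresh_token",
})
if err != nil {
    // A failed revocation means the token may still be usable, so the error
    // has to be surfaced rather than dropped.
    log.Fatal(err)
}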

IntrospectToken()

Validate a token and retrieve its claims. Essential for resource servers.

// Ask the authorization server for the token's current state.
req := &avnologyid.IntrospectTokenParams{Token: accessToken}
info, err := client.OAuth.IntrospectToken(ctx, req)
if err != nil {
    log.Fatal(err)
}

// Check Active before reading anything else: for an inactive token the
// remaining fields should not be relied on.
if !info.Active {
    fmt.Println("Token is expired or revoked")
    return
}

// Exp is handed to time.Unix as a count of seconds.
expiry := time.Unix(info.Exp, 0)

fmt.Println("User:", info.Sub)
fmt.Println("Scopes:", info.Scope)
fmt.Println("Expires:", expiry)
fmt.Println("Org:", info.OrgID)

HTTP middleware using introspection

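// authMiddleware authenticates each request by introspecting its bearer
// token and, on success, hands the token's subject and scopes to next through
// the request context under the keys "userID" and "scopes".
//
// It only establishes that the token is active. It does not check that the
// token carries the scopes a given route needs, so handlers behind it still
// have to make that authorization decision from the "scopes" value.
func authMiddleware(next http.Handler) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        authHeader := r.Header.Get("Authorization")
        if !strings.HasPrefix(authHeader, "Bearer ") {
            http.Error(w, "Missing bearer token", http.StatusUnauthorized)
            return
        }

        // Reject an empty credential locally instead of spending an
        // introspection call on it.
        token := strings.TrimSpace(strings.TrimPrefix(authHeader, "Bearer "))
        if token == "" {
            http.Error(w, "Missing bearer token", http.StatusUnauthorized)
            return
        }

        result, err := client.OAuth.IntrospectToken(r.Context(), &avnologyid.IntrospectTokenParams{
            Token: token,
        })
        // Fail closed: an introspection error is treated the same as an
        // inactive token, so an unreachable server never lets a request through.
        if err != nil || !result.Active {
            http.Error(w, "Invalid token", http.StatusUnauthorized)
            return
        }

        // NOTE(review): the plain string keys are kept so that handlers reading
        // ctx.Value("userID") keep working; an unexported key type would avoid
        // collisions with other packages and is what go vet recommends.
        ctx := context.WithValue(r.Context(), "userID", result.Sub)
        // strings.Fields yields an empty slice for an empty scope string, where
        // strings.Split would yield a single empty-string scope.
        ctx = context.WithValue(ctx, "scopes", strings.Fields(result.Scope))
        next.ServeHTTP(w, r.WithContext(ctx))
    })
}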

VerifyToken()

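Verify a JWT access token locally using keys from the JWKS endpoint, which is faster than introspection for high-throughput services. Because the check is local, a token that has been revoked is typically still accepted until it expires; use introspection where revocation must take effect immediately.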

// A non-nil error means the token did not verify; stop here and treat the
// caller as unauthenticated.
verified, err := client.OAuth.VerifyToken(ctx, accessToken)
if err != nil {
    log.Println("Token verification failed:", err)
    return
}

// The claims are read only after verification has succeeded.
fmt.Println("User:", verified.Sub)
fmt.Println("Email:", verified.Email)
