stytchauth · logan-stytch · Nov 3, 2025 · Nov 3, 2025
@@ -168,6 +168,7 @@ def authorize(
         state: Optional[str] = None,
         nonce: Optional[str] = None,
         code_challenge: Optional[str] = None,
+        resources: Optional[List[str]] = None,
     ) -> AuthorizeResponse:
         """Completes a request for authorization of a Connected App to access a Member's account.
 
@@ -201,6 +202,7 @@ def authorize(
           - state: An opaque value used to maintain state between the request and callback.
           - nonce: A string used to associate a client session with an ID token to mitigate replay attacks.
           - code_challenge: A base64url encoded challenge derived from the code verifier for PKCE flows.
+          - resources: (no documentation yet)
         """  # noqa
         headers: Dict[str, str] = {}
         data: Dict[str, Any] = {
@@ -226,6 +228,8 @@ def authorize(
             data["nonce"] = nonce
         if code_challenge is not None:
             data["code_challenge"] = code_challenge
+        if resources is not None:
+            data["resources"] = resources
 
         url = self.api_base.url_for("/v1/b2b/idp/oauth/authorize", data)
         res = self.sync_client.post(url, data, headers)
@@ -246,6 +250,7 @@ async def authorize_async(
         state: Optional[str] = None,
         nonce: Optional[str] = None,
         code_challenge: Optional[str] = None,
+        resources: Optional[List[str]] = None,
     ) -> AuthorizeResponse:
         """Completes a request for authorization of a Connected App to access a Member's account.
 
@@ -279,6 +284,7 @@ async def authorize_async(
           - state: An opaque value used to maintain state between the request and callback.
           - nonce: A string used to associate a client session with an ID token to mitigate replay attacks.
           - code_challenge: A base64url encoded challenge derived from the code verifier for PKCE flows.
+          - resources: (no documentation yet)
         """  # noqa
         headers: Dict[str, str] = {}
         data: Dict[str, Any] = {
@@ -304,6 +310,8 @@ async def authorize_async(
             data["nonce"] = nonce
         if code_challenge is not None:
             data["code_challenge"] = code_challenge
+        if resources is not None:
+            data["resources"] = resources
 
         url = self.api_base.url_for("/v1/b2b/idp/oauth/authorize", data)
         res = await self.async_client.post(url, data, headers)

@@ -979,7 +979,7 @@ def search(
         query: Optional[Union[SearchQuery, Dict[str, Any]]] = None,
     ) -> SearchResponse:
         """
-        **Warning**: This endpoint is not recommended for use in login flows. Scaling issues may occur, as search performance may vary from ~150 milliseconds to 9 seconds depending on query complexity and rate limits are set to 100 requests/second.
+        **Warning**: This endpoint is not recommended for use in login flows. Scaling issues may occur, as search performance may vary from ~150 milliseconds to 9 seconds depending on query complexity and rate limits are set to 100 requests/minute.
 
         Search across your Organizations. Returns an array of Organization objects.
 
@@ -1008,7 +1008,7 @@ async def search_async(
         query: Optional[SearchQuery] = None,
     ) -> SearchResponse:
         """
-        **Warning**: This endpoint is not recommended for use in login flows. Scaling issues may occur, as search performance may vary from ~150 milliseconds to 9 seconds depending on query complexity and rate limits are set to 100 requests/second.
+        **Warning**: This endpoint is not recommended for use in login flows. Scaling issues may occur, as search performance may vary from ~150 milliseconds to 9 seconds depending on query complexity and rate limits are set to 100 requests/minute.
 
         Search across your Organizations. Returns an array of Organization objects.
 

@@ -518,7 +518,7 @@ def search(
         method_options: Optional[SearchRequestOptions] = None,
     ) -> SearchResponse:
         """
-        **Warning**: This endpoint is not recommended for use in login flows. Scaling issues may occur, as search performance may vary from ~150 milliseconds to 9 seconds depending on query complexity and rate limits are set to 100 requests/second.
+        **Warning**: This endpoint is not recommended for use in login flows. Scaling issues may occur, as search performance may vary from ~150 milliseconds to 9 seconds depending on query complexity and rate limits are set to 100 requests/minute.
 
         Search for Members within specified Organizations. An array with at least one `organization_id` is required. Submitting an empty `query` returns all non-deleted Members within the specified Organizations.
 
@@ -556,7 +556,7 @@ async def search_async(
         method_options: Optional[SearchRequestOptions] = None,
     ) -> SearchResponse:
         """
-        **Warning**: This endpoint is not recommended for use in login flows. Scaling issues may occur, as search performance may vary from ~150 milliseconds to 9 seconds depending on query complexity and rate limits are set to 100 requests/second.
+        **Warning**: This endpoint is not recommended for use in login flows. Scaling issues may occur, as search performance may vary from ~150 milliseconds to 9 seconds depending on query complexity and rate limits are set to 100 requests/minute.
 
         Search for Members within specified Organizations. An array with at least one `organization_id` is required. Submitting an empty `query` returns all non-deleted Members within the specified Organizations.
 

@@ -25,6 +25,7 @@
     PBKDF2Config,
     ScryptConfig,
     SHA1Config,
+    SHA512Config,
 )
 from stytch.core.api_base import ApiBase
 from stytch.core.http.client import AsyncClient, SyncClient
@@ -135,6 +136,7 @@ def migrate(
         md_5_config: Optional[Union[MD5Config, Dict[str, Any]]] = None,
         argon_2_config: Optional[Union[Argon2Config, Dict[str, Any]]] = None,
         sha_1_config: Optional[Union[SHA1Config, Dict[str, Any]]] = None,
+        sha_512_config: Optional[Union[SHA512Config, Dict[str, Any]]] = None,
         scrypt_config: Optional[Union[ScryptConfig, Dict[str, Any]]] = None,
         pbkdf_2_config: Optional[Union[PBKDF2Config, Dict[str, Any]]] = None,
         name: Optional[str] = None,
@@ -151,7 +153,7 @@ def migrate(
 
         Adds an existing password to a Member's email that doesn't have a password yet.
 
-        We support migrating members from passwords stored with bcrypt, scrypt, argon2, MD-5, SHA-1, and PBKDF2. This endpoint has a rate limit of 100 requests per second.
+        We support migrating members from passwords stored with bcrypt, scrypt, argon2, MD-5, SHA-1, SHA-512, and PBKDF2. This endpoint has a rate limit of 100 requests per second.
 
         The Member's email will be marked as verified when you use this endpoint.
 
@@ -160,11 +162,12 @@ def migrate(
         Fields:
           - email_address: The email address of the Member.
           - hash: The password hash. For a Scrypt or PBKDF2 hash, the hash needs to be a base64 encoded string.
-          - hash_type: The password hash used. Currently `bcrypt`, `scrypt`, `argon_2i`, `argon_2id`, `md_5`, `sha_1`, and `pbkdf_2` are supported.
+          - hash_type: The password hash used. Currently `bcrypt`, `scrypt`, `argon_2i`, `argon_2id`, `md_5`, `sha_1`, `sha_512`, and `pbkdf_2` are supported.
           - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
           - md_5_config: Optional parameters for MD-5 hash types.
           - argon_2_config: Required parameters if the argon2 hex form, as opposed to the encoded form, is supplied.
           - sha_1_config: Optional parameters for SHA-1 hash types.
+          - sha_512_config: Optional parameters for SHA-512 hash types.
           - scrypt_config: Required parameters if the scrypt is not provided in a **PHC encoded form**.
           - pbkdf_2_config: Required additional parameters for PBKDF2 hash keys. Note that we use the SHA-256 by default, please contact [support@stytch.com](mailto:support@stytch.com) if you use another hashing function.
           - name: The name of the Member. Each field in the name object is optional.
@@ -209,6 +212,12 @@ def migrate(
             data["sha_1_config"] = (
                 sha_1_config if isinstance(sha_1_config, dict) else sha_1_config.dict()
             )
+        if sha_512_config is not None:
+            data["sha_512_config"] = (
+                sha_512_config
+                if isinstance(sha_512_config, dict)
+                else sha_512_config.dict()
+            )
         if scrypt_config is not None:
             data["scrypt_config"] = (
                 scrypt_config
@@ -251,6 +260,7 @@ async def migrate_async(
         md_5_config: Optional[MD5Config] = None,
         argon_2_config: Optional[Argon2Config] = None,
         sha_1_config: Optional[SHA1Config] = None,
+        sha_512_config: Optional[SHA512Config] = None,
         scrypt_config: Optional[ScryptConfig] = None,
         pbkdf_2_config: Optional[PBKDF2Config] = None,
         name: Optional[str] = None,
@@ -267,7 +277,7 @@ async def migrate_async(
 
         Adds an existing password to a Member's email that doesn't have a password yet.
 
-        We support migrating members from passwords stored with bcrypt, scrypt, argon2, MD-5, SHA-1, and PBKDF2. This endpoint has a rate limit of 100 requests per second.
+        We support migrating members from passwords stored with bcrypt, scrypt, argon2, MD-5, SHA-1, SHA-512, and PBKDF2. This endpoint has a rate limit of 100 requests per second.
 
         The Member's email will be marked as verified when you use this endpoint.
 
@@ -276,11 +286,12 @@ async def migrate_async(
         Fields:
           - email_address: The email address of the Member.
           - hash: The password hash. For a Scrypt or PBKDF2 hash, the hash needs to be a base64 encoded string.
-          - hash_type: The password hash used. Currently `bcrypt`, `scrypt`, `argon_2i`, `argon_2id`, `md_5`, `sha_1`, and `pbkdf_2` are supported.
+          - hash_type: The password hash used. Currently `bcrypt`, `scrypt`, `argon_2i`, `argon_2id`, `md_5`, `sha_1`, `sha_512`, and `pbkdf_2` are supported.
           - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
           - md_5_config: Optional parameters for MD-5 hash types.
           - argon_2_config: Required parameters if the argon2 hex form, as opposed to the encoded form, is supplied.
           - sha_1_config: Optional parameters for SHA-1 hash types.
+          - sha_512_config: Optional parameters for SHA-512 hash types.
           - scrypt_config: Required parameters if the scrypt is not provided in a **PHC encoded form**.
           - pbkdf_2_config: Required additional parameters for PBKDF2 hash keys. Note that we use the SHA-256 by default, please contact [support@stytch.com](mailto:support@stytch.com) if you use another hashing function.
           - name: The name of the Member. Each field in the name object is optional.
@@ -325,6 +336,12 @@ async def migrate_async(
             data["sha_1_config"] = (
                 sha_1_config if isinstance(sha_1_config, dict) else sha_1_config.dict()
             )
+        if sha_512_config is not None:
+            data["sha_512_config"] = (
+                sha_512_config
+                if isinstance(sha_512_config, dict)
+                else sha_512_config.dict()
+            )
         if scrypt_config is not None:
             data["scrypt_config"] = (
                 scrypt_config

@@ -29,6 +29,30 @@ class CreateRequestThirdPartyConnectedAppsAllowedType(str, enum.Enum):
     NOT_ALLOWED = "NOT_ALLOWED"
 
 
+class ListResponse(ResponseBase):
+    """Response type for `Organizations.list`.
+    Fields:
+      - email_address: The email address.
+      - discovered_organizations: An array of `discovered_organization` objects tied to the `intermediate_session_token`, `session_token`, or `session_jwt`. See the [Discovered Organization Object](https://stytch.com/docs/b2b/api/discovered-organization-object) for complete details.
+
+      Note that Organizations will only appear here under any of the following conditions:
+      1. The end user is already a Member of the Organization.
+      2. The end user is invited to the Organization.
+      3. The end user can join the Organization because:
+
+          a) The Organization allows JIT provisioning.
+
+          b) The Organizations' allowed domains list contains the Member's email domain.
+
+          c) The Organization has at least one other Member with a verified email address with the same domain as the end user (to prevent phishing attacks).
+      - organization_id_hint: If the intermediate session token is associated with a specific Organization, that Organization ID will be returned here. The Organization ID will be null if the intermediate session token was generated by a email magic link discovery or OAuth discovery flow. If a session token or session JWT is provided, the Organization ID hint will be null.
+    """  # noqa
+
+    email_address: str
+    discovered_organizations: List[DiscoveredOrganization]
+    organization_id_hint: Optional[str] = None
+
+
 class CreateResponse(ResponseBase):
     """Response type for `Organizations.create`.
     Fields:
@@ -56,27 +80,3 @@ class CreateResponse(ResponseBase):
     mfa_required: Optional[MfaRequired] = None
     primary_required: Optional[PrimaryRequired] = None
     member_device: Optional[DeviceInfo] = None
-
-
-class ListResponse(ResponseBase):
-    """Response type for `Organizations.list`.
-    Fields:
-      - email_address: The email address.
-      - discovered_organizations: An array of `discovered_organization` objects tied to the `intermediate_session_token`, `session_token`, or `session_jwt`. See the [Discovered Organization Object](https://stytch.com/docs/b2b/api/discovered-organization-object) for complete details.
-
-      Note that Organizations will only appear here under any of the following conditions:
-      1. The end user is already a Member of the Organization.
-      2. The end user is invited to the Organization.
-      3. The end user can join the Organization because:
-
-          a) The Organization allows JIT provisioning.
-
-          b) The Organizations' allowed domains list contains the Member's email domain.
-
-          c) The Organization has at least one other Member with a verified email address with the same domain as the end user (to prevent phishing attacks).
-      - organization_id_hint: If the intermediate session token is associated with a specific Organization, that Organization ID will be returned here. The Organization ID will be null if the intermediate session token was generated by a email magic link discovery or OAuth discovery flow. If a session token or session JWT is provided, the Organization ID hint will be null.
-    """  # noqa
-
-    email_address: str
-    discovered_organizations: List[DiscoveredOrganization]
-    organization_id_hint: Optional[str] = None
@@ -31,6 +31,7 @@ class MigrateRequestHashType(str, enum.Enum):
     ARGON_2I = "argon_2i"
     ARGON_2ID = "argon_2id"
     SHA_1 = "sha_1"
+    SHA_512 = "sha_512"
     SCRYPT = "scrypt"
     PHPASS = "phpass"
     PBKDF_2 = "pbkdf_2"

@@ -104,13 +104,6 @@ class SCIMGroup(pydantic.BaseModel):
 
 
 class SCIMGroupImplicitRoleAssignments(pydantic.BaseModel):
-    """
-    Fields:
-      - role_id: The ID of the role.
-      - group_id: The ID of the group.
-      - group_name: (no documentation yet)
-    """  # noqa
-
     role_id: str
     group_id: str
     group_name: str

@@ -32,20 +32,6 @@ class AuthenticateRequestLocale(str, enum.Enum):
 
 
 class ConnectionImplicitRoleAssignment(pydantic.BaseModel):
-    """
-    Fields:
-      - role_id: The unique identifier of the RBAC Role, provided by the developer and intended to be human-readable.
-
-      Reserved `role_id`s that are predefined by Stytch include:
-
-      * `stytch_member`
-      * `stytch_admin`
-
-      Check out the [guide on Stytch default Roles](https://stytch.com/docs/b2b/guides/rbac/stytch-default) for a more detailed explanation.
-
-
-    """  # noqa
-
     role_id: str
 
 
@@ -88,21 +74,6 @@ def add_headers(self, headers: Dict[str, str]) -> Dict[str, str]:
 
 
 class GroupImplicitRoleAssignment(pydantic.BaseModel):
-    """
-    Fields:
-      - role_id: The unique identifier of the RBAC Role, provided by the developer and intended to be human-readable.
-
-      Reserved `role_id`s that are predefined by Stytch include:
-
-      * `stytch_member`
-      * `stytch_admin`
-
-      Check out the [guide on Stytch default Roles](https://stytch.com/docs/b2b/guides/rbac/stytch-default) for a more detailed explanation.
-
-
-      - group: The name of the group that grants the specified role assignment.
-    """  # noqa
-
     role_id: str
     group: str
 
@@ -139,39 +110,10 @@ class OIDCConnection(pydantic.BaseModel):
 
 
 class SAMLConnectionImplicitRoleAssignment(pydantic.BaseModel):
-    """
-    Fields:
-      - role_id: The unique identifier of the RBAC Role, provided by the developer and intended to be human-readable.
-
-      Reserved `role_id`s that are predefined by Stytch include:
-
-      * `stytch_member`
-      * `stytch_admin`
-
-      Check out the [guide on Stytch default Roles](https://stytch.com/docs/b2b/guides/rbac/stytch-default) for a more detailed explanation.
-
-
-    """  # noqa
-
     role_id: str
 
 
 class SAMLGroupImplicitRoleAssignment(pydantic.BaseModel):
-    """
-    Fields:
-      - role_id: The unique identifier of the RBAC Role, provided by the developer and intended to be human-readable.
-
-      Reserved `role_id`s that are predefined by Stytch include:
-
-      * `stytch_member`
-      * `stytch_admin`
-
-      Check out the [guide on Stytch default Roles](https://stytch.com/docs/b2b/guides/rbac/stytch-default) for a more detailed explanation.
-
-
-      - group: The name of the group that grants the specified role assignment.
-    """  # noqa
-
     role_id: str
     group: str