diff --git a/stytch/b2b/api/discovery_intermediate_sessions.py b/stytch/b2b/api/discovery_intermediate_sessions.py index e1a98fac..596d9306 100644 --- a/stytch/b2b/api/discovery_intermediate_sessions.py +++ b/stytch/b2b/api/discovery_intermediate_sessions.py 
@@ -51,29 +51,11 @@ def exchange( Fields: - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). 
- - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want - to use the Stytch session product, you can ignore the session fields in the response. - - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in - `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To - delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored. - Total custom claims size cannot exceed four kilobytes. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you do not wish to use Stytch's session product, you can ignore the session fields in the response. 
+ - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - locale: If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode. - - Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - - Currently supported languages are English (`"en"`), Spanish (`"es"`), and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} 
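Review bot: The `locale` entry in the `exchange` docstring no longer says what form the value takes or which languages are accepted. The removed lines stated that it is an IETF BCP 47 language tag, that `"en"`, `"es"` and `"pt-br"` are supported, and that the copy defaults to English. Since this argument selects the language of the OTP SMS sent for the MFA step, I would keep one sentence after the existing text, for example `Accepts an IETF BCP 47 language tag ("en", "es" or "pt-br"); defaults to English when omitted.` The `exchange_async` hunk below drops the same lines. The docstring starts above this hunk, so the rest of it is not visible here.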
@@ -123,29 +105,11 @@ async def exchange_async( Fields: - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). 
- - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want - to use the Stytch session product, you can ignore the session fields in the response. - - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in - `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To - delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored. - Total custom claims size cannot exceed four kilobytes. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you do not wish to use Stytch's session product, you can ignore the session fields in the response. 
+ - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - locale: If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode. - - Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - - Currently supported languages are English (`"en"`), Spanish (`"es"`), and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} diff --git a/stytch/b2b/api/discovery_organizations.py b/stytch/b2b/api/discovery_organizations.py index 88f2638c..e8ecfdfe 100644 --- a/stytch/b2b/api/discovery_organizations.py +++ b/stytch/b2b/api/discovery_organizations.py 
@@ -79,103 +79,70 @@ def create( Fields: - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want - to use the Stytch session product, you can ignore the session fields in the response. 
- - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in - `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To - delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored. - Total custom claims size cannot exceed four kilobytes. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you do not wish to use Stytch's session product, you can ignore the session fields in the response. + - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - organization_name: The name of the Organization. 
If the name is not specified, a default name will be created based on the email used to initiate the discovery flow. If the email domain is a common email provider such as gmail.com, or if the email is a .edu email, the organization name will be generated based on the name portion of the email. Otherwise, the organization name will be generated based on the email domain. - organization_slug: The unique URL slug of the Organization. A minimum of two characters is required. The slug only accepts alphanumeric characters and the following reserved characters: `-` `.` `_` `~`. If the slug is not specified, a default slug will be created based on the email used to initiate the discovery flow. If the email domain is a common email provider such as gmail.com, or if the email is a .edu email, the organization slug will be generated based on the name portion of the email. Otherwise, the organization slug will be generated based on the email domain. - organization_external_id: An identifier that can be used in API calls wherever a organization_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. External IDs must be unique within a project, but may be reused across different projects in the same workspace. - organization_logo_url: The image URL of the Organization logo. - - trusted_metadata: An arbitrary JSON object for storing application-specific data or identity-provider-specific data. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.info.logo-url` action on the `stytch.organization` Resource. + - trusted_metadata: An arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. - sso_jit_provisioning: The authentication setting that controls the JIT provisioning of Members when authenticating via SSO. 
The accepted values are: - - `ALL_ALLOWED` – the default setting, new Members will be automatically provisioned upon successful authentication via any of the Organization's `sso_active_connections`. - - `RESTRICTED` – only new Members with SSO logins that comply with `sso_jit_provisioning_allowed_connections` can be provisioned upon authentication. - - `NOT_ALLOWED` – disable JIT provisioning via SSO. - + `ALL_ALLOWED` – the default setting, new Members will be automatically provisioned upon successful authentication via any of the Organization's `sso_active_connections`. + `RESTRICTED` – only new Members with SSO logins that comply with `sso_jit_provisioning_allowed_connections` can be provisioned upon authentication. + `NOT_ALLOWED` – disable JIT provisioning via SSO. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.sso-jit-provisioning` action on the `stytch.organization` Resource. - email_allowed_domains: An array of email domains that allow invites or JIT provisioning for new Members. This list is enforced when either `email_invites` or `email_jit_provisioning` is set to `RESTRICTED`. - - - Common domains such as `gmail.com` are not allowed. See the [common email domains resource](https://stytch.com/docs/b2b/api/common-email-domains) for the full list. + Common domains such as `gmail.com` are not allowed. See the [common email domains resource](https://stytch.com/docs/b2b/api/common-email-domains) for the full list. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-domains` action on the `stytch.organization` Resource. - email_jit_provisioning: The authentication setting that controls how a new Member can be provisioned by authenticating via Email Magic Link or OAuth. 
The accepted values are: - - `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be provisioned upon authentication via Email Magic Link or OAuth. - - `NOT_ALLOWED` – the default setting, disables JIT provisioning via Email Magic Link and OAuth. - + `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be provisioned upon authentication via Email Magic Link or OAuth. + `NOT_ALLOWED` – the default setting, disables JIT provisioning via Email Magic Link and OAuth. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.email-jit-provisioning` action on the `stytch.organization` Resource. - email_invites: The authentication setting that controls how a new Member can be invited to an organization by email. The accepted values are: - - `ALL_ALLOWED` – any new Member can be invited to join via email. - - `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be invited via email. - - `NOT_ALLOWED` – disable email invites. - + `ALL_ALLOWED` – any new Member can be invited to join via email. + `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be invited via email. + `NOT_ALLOWED` – disable email invites. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.email-invites` action on the `stytch.organization` Resource. - auth_methods: The setting that controls which authentication methods can be used by Members of an Organization. The accepted values are: - - `ALL_ALLOWED` – the default setting which allows all authentication methods to be used. - - `RESTRICTED` – only methods that comply with `allowed_auth_methods` can be used for authentication. 
This setting does not apply to Members with `is_breakglass` set to `true`. - + `ALL_ALLOWED` – the default setting which allows all authentication methods to be used. + `RESTRICTED` – only methods that comply with `allowed_auth_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-auth-methods` action on the `stytch.organization` Resource. - allowed_auth_methods: An array of allowed authentication methods. This list is enforced when `auth_methods` is set to `RESTRICTED`. - The list's accepted values are: `sso`, `magic_link`, `email_otp`, `password`, `google_oauth`, `microsoft_oauth`, `slack_oauth`, `github_oauth`, and `hubspot_oauth`. - + The list's accepted values are: `sso`, `magic_link`, `email_otp`, `password`, `google_oauth`, `microsoft_oauth`, `slack_oauth`, `github_oauth`, and `hubspot_oauth`. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-auth-methods` action on the `stytch.organization` Resource. - mfa_policy: The setting that controls the MFA policy for all Members in the Organization. The accepted values are: - - `REQUIRED_FOR_ALL` – All Members within the Organization will be required to complete MFA every time they wish to log in. However, any active Session that existed prior to this setting change will remain valid. - - `OPTIONAL` – The default value. The Organization does not require MFA by default for all Members. Members will be required to complete MFA only if their `mfa_enrolled` status is set to true. - + `REQUIRED_FOR_ALL` – All Members within the Organization will be required to complete MFA every time they wish to log in. However, any active Session that existed prior to this setting change will remain valid. 
+ `OPTIONAL` – The default value. The Organization does not require MFA by default for all Members. Members will be required to complete MFA only if their `mfa_enrolled` status is set to true. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.mfa-policy` action on the `stytch.organization` Resource. - rbac_email_implicit_role_assignments: Implicit role assignments based off of email domains. - For each domain-Role pair, all Members whose email addresses have the specified email domain will be granted the - associated Role, regardless of their login method. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) - for more information about role assignment. + For each domain-Role pair, all Members whose email addresses have the specified email domain will be granted the + associated Role, regardless of their login method. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) + for more information about role assignment. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.implicit-roles` action on the `stytch.organization` Resource. - mfa_methods: The setting that controls which MFA methods can be used by Members of an Organization. The accepted values are: - - `ALL_ALLOWED` – the default setting which allows all authentication methods to be used. - - `RESTRICTED` – only methods that comply with `allowed_mfa_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`. - + `ALL_ALLOWED` – the default setting which allows all authentication methods to be used. + `RESTRICTED` – only methods that comply with `allowed_mfa_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`. 
+ When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-mfa-methods` action on the `stytch.organization` Resource. - allowed_mfa_methods: An array of allowed MFA authentication methods. This list is enforced when `mfa_methods` is set to `RESTRICTED`. - The list's accepted values are: `sms_otp` and `totp`. - + The list's accepted values are: `sms_otp` and `totp`. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-mfa-methods` action on the `stytch.organization` Resource. - oauth_tenant_jit_provisioning: The authentication setting that controls how a new Member can JIT provision into an organization by tenant. The accepted values are: - - `RESTRICTED` – only new Members with tenants in `allowed_oauth_tenants` can JIT provision via tenant. - - `NOT_ALLOWED` – the default setting, disables JIT provisioning by OAuth Tenant. - + `RESTRICTED` – only new Members with tenants in `allowed_oauth_tenants` can JIT provision via tenant. + `NOT_ALLOWED` – the default setting, disables JIT provisioning by OAuth Tenant. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.oauth-tenant-jit-provisioning` action on the `stytch.organization` Resource. - allowed_oauth_tenants: A map of allowed OAuth tenants. If this field is not passed in, the Organization will not allow JIT provisioning by OAuth Tenant. Allowed keys are "slack", "hubspot", and "github". + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-oauth-tenants` action on the `stytch.organization` Resource. 
- first_party_connected_apps_allowed_type: The authentication setting that sets the Organization's policy towards first party Connected Apps. The accepted values are: - - `ALL_ALLOWED` – the default setting, any first party Connected App in the Project is permitted for use by Members. - - `RESTRICTED` – only first party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members. - - `NOT_ALLOWED` – no first party Connected Apps are permitted. - + `ALL_ALLOWED` – the default setting, any first party Connected App in the Project is permitted for use by Members. + `RESTRICTED` – only first party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members. + `NOT_ALLOWED` – no first party Connected Apps are permitted. - allowed_first_party_connected_apps: An array of first party Connected App IDs that are allowed for the Organization. Only used when the Organization's `first_party_connected_apps_allowed_type` is `RESTRICTED`. - third_party_connected_apps_allowed_type: The authentication setting that sets the Organization's policy towards third party Connected Apps. The accepted values are: - - `ALL_ALLOWED` – the default setting, any third party Connected App in the Project is permitted for use by Members. - - `RESTRICTED` – only third party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members. - - `NOT_ALLOWED` – no third party Connected Apps are permitted. - + `ALL_ALLOWED` – the default setting, any third party Connected App in the Project is permitted for use by Members. + `RESTRICTED` – only third party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members. + `NOT_ALLOWED` – no third party Connected Apps are permitted. - allowed_third_party_connected_apps: An array of third party Connected App IDs that are allowed for the Organization. Only used when the Organization's `third_party_connected_apps_allowed_type` is `RESTRICTED`. 
- telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa 
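Review bot: In the `create` docstring, the `RESTRICTED` value under `third_party_connected_apps_allowed_type` still names `allowed_first_party_connected_apps` as the list that applies. The next field, `allowed_third_party_connected_apps`, is documented as the one used when that type is `RESTRICTED`, so the reference looks like a copy-paste error carried over from the old text. An integrator following the docstring could fill in the first-party allowlist and leave third-party Connected Apps governed by a list they never set. I would change the line to ``RESTRICTED – only third party Connected Apps with IDs in `allowed_third_party_connected_apps` can be used by Members.`` The `create_async` hunk that follows is cut off in this view and presumably carries the same wording.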
@@ -299,103 +266,70 @@ async def create_async( Fields: - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want - to use the Stytch session product, you can ignore the session fields in the response. 
- - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in - `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To - delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored. - Total custom claims size cannot exceed four kilobytes. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you do not wish to use Stytch's session product, you can ignore the session fields in the response. + - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - organization_name: The name of the Organization. 
If the name is not specified, a default name will be created based on the email used to initiate the discovery flow. If the email domain is a common email provider such as gmail.com, or if the email is a .edu email, the organization name will be generated based on the name portion of the email. Otherwise, the organization name will be generated based on the email domain. - organization_slug: The unique URL slug of the Organization. A minimum of two characters is required. The slug only accepts alphanumeric characters and the following reserved characters: `-` `.` `_` `~`. If the slug is not specified, a default slug will be created based on the email used to initiate the discovery flow. If the email domain is a common email provider such as gmail.com, or if the email is a .edu email, the organization slug will be generated based on the name portion of the email. Otherwise, the organization slug will be generated based on the email domain. - organization_external_id: An identifier that can be used in API calls wherever a organization_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. External IDs must be unique within a project, but may be reused across different projects in the same workspace. - organization_logo_url: The image URL of the Organization logo. - - trusted_metadata: An arbitrary JSON object for storing application-specific data or identity-provider-specific data. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.info.logo-url` action on the `stytch.organization` Resource. + - trusted_metadata: An arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. - sso_jit_provisioning: The authentication setting that controls the JIT provisioning of Members when authenticating via SSO. 
The accepted values are: - - `ALL_ALLOWED` – the default setting, new Members will be automatically provisioned upon successful authentication via any of the Organization's `sso_active_connections`. - - `RESTRICTED` – only new Members with SSO logins that comply with `sso_jit_provisioning_allowed_connections` can be provisioned upon authentication. - - `NOT_ALLOWED` – disable JIT provisioning via SSO. - + `ALL_ALLOWED` – the default setting, new Members will be automatically provisioned upon successful authentication via any of the Organization's `sso_active_connections`. + `RESTRICTED` – only new Members with SSO logins that comply with `sso_jit_provisioning_allowed_connections` can be provisioned upon authentication. + `NOT_ALLOWED` – disable JIT provisioning via SSO. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.sso-jit-provisioning` action on the `stytch.organization` Resource. - email_allowed_domains: An array of email domains that allow invites or JIT provisioning for new Members. This list is enforced when either `email_invites` or `email_jit_provisioning` is set to `RESTRICTED`. - - - Common domains such as `gmail.com` are not allowed. See the [common email domains resource](https://stytch.com/docs/b2b/api/common-email-domains) for the full list. + Common domains such as `gmail.com` are not allowed. See the [common email domains resource](https://stytch.com/docs/b2b/api/common-email-domains) for the full list. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-domains` action on the `stytch.organization` Resource. - email_jit_provisioning: The authentication setting that controls how a new Member can be provisioned by authenticating via Email Magic Link or OAuth. 
The accepted values are: - - `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be provisioned upon authentication via Email Magic Link or OAuth. - - `NOT_ALLOWED` – the default setting, disables JIT provisioning via Email Magic Link and OAuth. - + `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be provisioned upon authentication via Email Magic Link or OAuth. + `NOT_ALLOWED` – the default setting, disables JIT provisioning via Email Magic Link and OAuth. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.email-jit-provisioning` action on the `stytch.organization` Resource. - email_invites: The authentication setting that controls how a new Member can be invited to an organization by email. The accepted values are: - - `ALL_ALLOWED` – any new Member can be invited to join via email. - - `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be invited via email. - - `NOT_ALLOWED` – disable email invites. - + `ALL_ALLOWED` – any new Member can be invited to join via email. + `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be invited via email. + `NOT_ALLOWED` – disable email invites. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.email-invites` action on the `stytch.organization` Resource. - auth_methods: The setting that controls which authentication methods can be used by Members of an Organization. The accepted values are: - - `ALL_ALLOWED` – the default setting which allows all authentication methods to be used. - - `RESTRICTED` – only methods that comply with `allowed_auth_methods` can be used for authentication. 
This setting does not apply to Members with `is_breakglass` set to `true`. - + `ALL_ALLOWED` – the default setting which allows all authentication methods to be used. + `RESTRICTED` – only methods that comply with `allowed_auth_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-auth-methods` action on the `stytch.organization` Resource. - allowed_auth_methods: An array of allowed authentication methods. This list is enforced when `auth_methods` is set to `RESTRICTED`. - The list's accepted values are: `sso`, `magic_link`, `email_otp`, `password`, `google_oauth`, `microsoft_oauth`, `slack_oauth`, `github_oauth`, and `hubspot_oauth`. - + The list's accepted values are: `sso`, `magic_link`, `email_otp`, `password`, `google_oauth`, `microsoft_oauth`, `slack_oauth`, `github_oauth`, and `hubspot_oauth`. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-auth-methods` action on the `stytch.organization` Resource. - mfa_policy: The setting that controls the MFA policy for all Members in the Organization. The accepted values are: - - `REQUIRED_FOR_ALL` – All Members within the Organization will be required to complete MFA every time they wish to log in. However, any active Session that existed prior to this setting change will remain valid. - - `OPTIONAL` – The default value. The Organization does not require MFA by default for all Members. Members will be required to complete MFA only if their `mfa_enrolled` status is set to true. - + `REQUIRED_FOR_ALL` – All Members within the Organization will be required to complete MFA every time they wish to log in. However, any active Session that existed prior to this setting change will remain valid. 
+ `OPTIONAL` – The default value. The Organization does not require MFA by default for all Members. Members will be required to complete MFA only if their `mfa_enrolled` status is set to true. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.mfa-policy` action on the `stytch.organization` Resource. - rbac_email_implicit_role_assignments: Implicit role assignments based off of email domains. - For each domain-Role pair, all Members whose email addresses have the specified email domain will be granted the - associated Role, regardless of their login method. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) - for more information about role assignment. + For each domain-Role pair, all Members whose email addresses have the specified email domain will be granted the + associated Role, regardless of their login method. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) + for more information about role assignment. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.implicit-roles` action on the `stytch.organization` Resource. - mfa_methods: The setting that controls which MFA methods can be used by Members of an Organization. The accepted values are: - - `ALL_ALLOWED` – the default setting which allows all authentication methods to be used. - - `RESTRICTED` – only methods that comply with `allowed_mfa_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`. - + `ALL_ALLOWED` – the default setting which allows all authentication methods to be used. + `RESTRICTED` – only methods that comply with `allowed_mfa_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`. 
+ When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-mfa-methods` action on the `stytch.organization` Resource. - allowed_mfa_methods: An array of allowed MFA authentication methods. This list is enforced when `mfa_methods` is set to `RESTRICTED`. - The list's accepted values are: `sms_otp` and `totp`. - + The list's accepted values are: `sms_otp` and `totp`. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-mfa-methods` action on the `stytch.organization` Resource. - oauth_tenant_jit_provisioning: The authentication setting that controls how a new Member can JIT provision into an organization by tenant. The accepted values are: - - `RESTRICTED` – only new Members with tenants in `allowed_oauth_tenants` can JIT provision via tenant. - - `NOT_ALLOWED` – the default setting, disables JIT provisioning by OAuth Tenant. - + `RESTRICTED` – only new Members with tenants in `allowed_oauth_tenants` can JIT provision via tenant. + `NOT_ALLOWED` – the default setting, disables JIT provisioning by OAuth Tenant. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.oauth-tenant-jit-provisioning` action on the `stytch.organization` Resource. - allowed_oauth_tenants: A map of allowed OAuth tenants. If this field is not passed in, the Organization will not allow JIT provisioning by OAuth Tenant. Allowed keys are "slack", "hubspot", and "github". + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-oauth-tenants` action on the `stytch.organization` Resource. 
- first_party_connected_apps_allowed_type: The authentication setting that sets the Organization's policy towards first party Connected Apps. The accepted values are: - - `ALL_ALLOWED` – the default setting, any first party Connected App in the Project is permitted for use by Members. - - `RESTRICTED` – only first party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members. - - `NOT_ALLOWED` – no first party Connected Apps are permitted. - + `ALL_ALLOWED` – the default setting, any first party Connected App in the Project is permitted for use by Members. + `RESTRICTED` – only first party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members. + `NOT_ALLOWED` – no first party Connected Apps are permitted. - allowed_first_party_connected_apps: An array of first party Connected App IDs that are allowed for the Organization. Only used when the Organization's `first_party_connected_apps_allowed_type` is `RESTRICTED`. - third_party_connected_apps_allowed_type: The authentication setting that sets the Organization's policy towards third party Connected Apps. The accepted values are: - - `ALL_ALLOWED` – the default setting, any third party Connected App in the Project is permitted for use by Members. - - `RESTRICTED` – only third party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members. - - `NOT_ALLOWED` – no third party Connected Apps are permitted. - + `ALL_ALLOWED` – the default setting, any third party Connected App in the Project is permitted for use by Members. + `RESTRICTED` – only third party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members. + `NOT_ALLOWED` – no third party Connected Apps are permitted. - allowed_third_party_connected_apps: An array of third party Connected App IDs that are allowed for the Organization. Only used when the Organization's `third_party_connected_apps_allowed_type` is `RESTRICTED`. 
- telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa @@ -489,8 +423,8 @@ def list( Fields: - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = {} 
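Review bot: In the `create_async` docstring, the `RESTRICTED` entry under `third_party_connected_apps_allowed_type` still names `allowed_first_party_connected_apps`, although the next field documents `allowed_third_party_connected_apps` as the list used for that setting. A reader following the text could populate the first party allowlist and leave the third party restriction configured differently from what they intended. The entry should read `RESTRICTED – only third party Connected Apps with IDs in allowed_third_party_connected_apps can be used by Members.` The same sentence appears in the preceding hunk of this file, whose start is outside this view. If these docstrings are generated, the correction presumably belongs in the upstream spec.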
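Review bot: The reworded `session_token` entry in `list` no longer says the value is a secret, and it now defines the field by its own name; the removed line read "A secret token for a given Stytch Session". Since the token and `session_jwt` stand for a Member's existing Session, the docstring should keep that property, for example `- session_token: The secret session token associated with a Member's existing Session; treat it as a credential and keep it out of logs and URLs.` The same rewording is in the `list_async` hunk and in the `authorize_start`, `authorize_start_async`, `authorize` and `authorize_async` hunks of `stytch/b2b/api/idp_oauth.py`. The body of `list` continues past the end of this hunk.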
@@ -527,8 +461,8 @@ async def list_async( Fields: - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = {} diff --git a/stytch/b2b/api/idp_oauth.py b/stytch/b2b/api/idp_oauth.py index 5a8ae553..29e6295d 100644 --- a/stytch/b2b/api/idp_oauth.py +++ b/stytch/b2b/api/idp_oauth.py 
@@ -55,14 +55,14 @@ def authorize_start( One of these fields must be used if the Connected App intends to complete the [Exchange Access Token](https://stytch.com/docs/b2b/api/connected-app-access-token-exchange) flow. Fields: - - client_id: The ID of the Connected App client. - - redirect_uri: The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow. This field is required when using the `authorization_code` grant. + - client_id: The ID of the client. + - redirect_uri: The callback URI used to redirect the member after authentication. This is the same URI provided at the start of the OAuth flow. This field is required when using the `authorization_code` grant. - response_type: The OAuth 2.0 response type. For authorization code flows this value is `code`. - scopes: An array of scopes requested by the client. - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - session_token: The `session_token` associated with a Member's existing Session. 
+ - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. - prompt: Space separated list that specifies how the Authorization Server should prompt the user for reauthentication and consent. Only `consent` is supported today. """ # noqa headers: Dict[str, str] = {} 
@@ -121,14 +121,14 @@ async def authorize_start_async( One of these fields must be used if the Connected App intends to complete the [Exchange Access Token](https://stytch.com/docs/b2b/api/connected-app-access-token-exchange) flow. Fields: - - client_id: The ID of the Connected App client. - - redirect_uri: The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow. This field is required when using the `authorization_code` grant. + - client_id: The ID of the client. + - redirect_uri: The callback URI used to redirect the member after authentication. This is the same URI provided at the start of the OAuth flow. This field is required when using the `authorization_code` grant. - response_type: The OAuth 2.0 response type. For authorization code flows this value is `code`. - scopes: An array of scopes requested by the client. - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. 
+ - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. - prompt: Space separated list that specifies how the Authorization Server should prompt the user for reauthentication and consent. Only `consent` is supported today. """ # noqa headers: Dict[str, str] = {} 
@@ -189,20 +189,20 @@ def authorize( One of these fields must be used if the Connected App intends to complete the [Exchange Access Token](https://stytch.com/docs/b2b/api/connected-app-access-token-exchange) flow. Fields: - - consent_granted: Indicates whether the user granted the requested scopes. + - consent_granted: Indicates whether the member granted the requested scopes. - scopes: An array of scopes requested by the client. - - client_id: The ID of the Connected App client. - - redirect_uri: The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow. This field is required when using the `authorization_code` grant. + - client_id: The ID of the client. + - redirect_uri: The callback URI used to redirect the member after authentication. This is the same URI provided at the start of the OAuth flow. This field is required when using the `authorization_code` grant. - response_type: The OAuth 2.0 response type. For authorization code flows this value is `code`. - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - prompt: Space separated list that specifies how the Authorization Server should prompt the user for reauthentication and consent. Only `consent` is supported today. + - organization_id: Globally unique UUID that identifies a specific Organization. 
When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - prompt: Space separated list that specifies how the Authorization Server should prompt the member for reauthentication and consent. Only `consent` is supported today. - state: An opaque value used to maintain state between the request and callback. - nonce: A string used to associate a client session with an ID token to mitigate replay attacks. - - code_challenge: A base64url encoded challenge derived from the code verifier for PKCE flows. - - resources: (no documentation yet) + - code_challenge: A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device. + - resources: A list of RBAC resources that define what entities can be accessed or modified, used in authorization policies. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
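Review bot: The rewritten `code_challenge` entry in `authorize` drops both "PKCE" and "code verifier", so the docstring no longer ties the challenge to the verifier it is derived from. The magic links docstring in this same commit uses the matching "starts and ends on the same device" wording for `pkce_code_verifier`. Suggested text: `- code_challenge: PKCE code challenge: the base64url encoded SHA256 hash of the one time code verifier, used to validate that the request starts and ends on the same device.` The new `resources` text is also generic, since it does not say what form each entry takes or how it relates to `scopes`. Both lines are repeated in the `authorize_async` hunk, and the body of `authorize` continues past this hunk.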
@@ -271,20 +271,20 @@ async def authorize_async( One of these fields must be used if the Connected App intends to complete the [Exchange Access Token](https://stytch.com/docs/b2b/api/connected-app-access-token-exchange) flow. Fields: - - consent_granted: Indicates whether the user granted the requested scopes. + - consent_granted: Indicates whether the member granted the requested scopes. - scopes: An array of scopes requested by the client. - - client_id: The ID of the Connected App client. - - redirect_uri: The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow. This field is required when using the `authorization_code` grant. + - client_id: The ID of the client. + - redirect_uri: The callback URI used to redirect the member after authentication. This is the same URI provided at the start of the OAuth flow. This field is required when using the `authorization_code` grant. - response_type: The OAuth 2.0 response type. For authorization code flows this value is `code`. - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - prompt: Space separated list that specifies how the Authorization Server should prompt the user for reauthentication and consent. Only `consent` is supported today. + - organization_id: Globally unique UUID that identifies a specific Organization. 
When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - prompt: Space separated list that specifies how the Authorization Server should prompt the member for reauthentication and consent. Only `consent` is supported today. - state: An opaque value used to maintain state between the request and callback. - nonce: A string used to associate a client session with an ID token to mitigate replay attacks. - - code_challenge: A base64url encoded challenge derived from the code verifier for PKCE flows. - - resources: (no documentation yet) + - code_challenge: A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device. + - resources: A list of RBAC resources that define what entities can be accessed or modified, used in authorization policies. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { diff --git a/stytch/b2b/api/impersonation.py b/stytch/b2b/api/impersonation.py index 7cbb62c7..80a18307 100644 --- a/stytch/b2b/api/impersonation.py +++ b/stytch/b2b/api/impersonation.py @@ -31,7 +31,7 @@ def authenticate( Prior to this step, you can generate an impersonation token by visiting the Stytch Dashboard, viewing a member, and clicking the `Impersonate Member` button. Fields: - - impersonation_token: The Member Impersonation token to authenticate. Expires in 5 minutes by default. + - impersonation_token: The impersonation token to authenticate. Expires in 5 minutes by default. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -52,7 +52,7 @@ async def authenticate_async( Prior to this step, you can generate an impersonation token by visiting the Stytch Dashboard, viewing a member, and clicking the `Impersonate Member` button. Fields: - - impersonation_token: The Member Impersonation token to authenticate. Expires in 5 minutes by default. + - impersonation_token: The impersonation token to authenticate. Expires in 5 minutes by default. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { diff --git a/stytch/b2b/api/magic_links.py b/stytch/b2b/api/magic_links.py index 94efe7a9..164bc3bb 100644 --- a/stytch/b2b/api/magic_links.py +++ b/stytch/b2b/api/magic_links.py 
@@ -62,35 +62,15 @@ def authenticate( Fields: - magic_links_token: The Email Magic Link token to authenticate. - pkce_code_verifier: A base64url encoded one time secret used to validate that the request starts and ends on the same device. - - session_token: Reuse an existing session instead of creating a new one. If you provide a `session_token`, Stytch will update the session. - If the `session_token` and `magic_links_token` belong to different Members, the `session_token` will be ignored. This endpoint will error if - both `session_token` and `session_jwt` are provided. - - session_jwt: Reuse an existing session instead of creating a new one. If you provide a `session_jwt`, Stytch will update the session. If the `session_jwt` - and `magic_links_token` belong to different Members, the `session_jwt` will be ignored. This endpoint will error if both `session_token` and `session_jwt` - are provided. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want - to use the Stytch session product, you can ignore the session fields in the response. - - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in - `session_duration_minutes`. 
Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To - delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored. - Total custom claims size cannot exceed four kilobytes. - - locale: If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode. - - Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - - Currently supported languages are English (`"en"`), Spanish (`"es"`), and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. 
Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. + Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - - intermediate_session_token: Adds this primary authentication factor to the intermediate session token. If the resulting set of factors satisfies the organization's primary authentication requirements and MFA requirements, the intermediate session token will be consumed and converted to a member session. If not, the same intermediate session token will be returned. + - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. 
It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} 
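Review bot: The rewritten `session_duration_minutes` entry in `authenticate` now ends with "a Stytch session will not be created", where the removed text said a session is created with a 60 minute duration. Only one of these can describe the server, and callers use this sentence to decide whether omitting the parameter still produces a live session, so please confirm against the API and keep the real default. The new `session_token` and `session_jwt` entries also drop two documented behaviours: that the endpoint errors when both are provided, and that a token belonging to a different Member than the `magic_links_token` is ignored. I would restore them, for example `This endpoint will error if both session_token and session_jwt are provided.` The `authenticate_async` hunk carries the same text.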
@@ -144,35 +124,15 @@ async def authenticate_async( Fields: - magic_links_token: The Email Magic Link token to authenticate. - pkce_code_verifier: A base64url encoded one time secret used to validate that the request starts and ends on the same device. - - session_token: Reuse an existing session instead of creating a new one. If you provide a `session_token`, Stytch will update the session. - If the `session_token` and `magic_links_token` belong to different Members, the `session_token` will be ignored. This endpoint will error if - both `session_token` and `session_jwt` are provided. - - session_jwt: Reuse an existing session instead of creating a new one. If you provide a `session_jwt`, Stytch will update the session. If the `session_jwt` - and `magic_links_token` belong to different Members, the `session_jwt` will be ignored. This endpoint will error if both `session_token` and `session_jwt` - are provided. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want - to use the Stytch session product, you can ignore the session fields in the response. - - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in - `session_duration_minutes`. 
Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To - delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored. - Total custom claims size cannot exceed four kilobytes. - - locale: If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode. - - Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - - Currently supported languages are English (`"en"`), Spanish (`"es"`), and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. 
Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. + Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - - intermediate_session_token: Adds this primary authentication factor to the intermediate session token. If the resulting set of factors satisfies the organization's primary authentication requirements and MFA requirements, the intermediate session token will be consumed and converted to a member session. If not, the same intermediate session token will be returned. + - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. 
It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} diff --git a/stytch/b2b/api/magic_links_email.py b/stytch/b2b/api/magic_links_email.py index 567b952d..60bfd9e7 100644 --- a/stytch/b2b/api/magic_links_email.py +++ b/stytch/b2b/api/magic_links_email.py 
@@ -51,27 +51,20 @@ def login_or_signup( The magic link is valid for 60 minutes. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. - email_address: The email address of the Member. - - login_redirect_url: The URL that the Member clicks from the login Email Magic Link. This URL should be an endpoint in the backend server that - verifies the request by querying Stytch's authenticate endpoint and finishes the login. If this value is not passed, the default login - redirect URL that you set in your Dashboard is used. If you have not set a default login redirect URL, an error is returned. + - login_redirect_url: The URL that Members are redirected to upon clicking the Email Magic Link. If this value is not passed, the default login redirect URL that you set in your Dashboard is used. If you have not set a default login redirect URL, an error is returned. - signup_redirect_url: The URL the Member clicks from the signup Email Magic Link. This URL should be an endpoint in the backend server that verifies - the request by querying Stytch's authenticate endpoint and finishes the login. If this value is not passed, the default sign-up redirect URL - that you set in your Dashboard is used. If you have not set a default sign-up redirect URL, an error is returned. + the request by querying Stytch's authenticate endpoint and finishes the login. If this value is not passed, the default sign-up redirect URL + that you set in your Dashboard is used. If you have not set a default sign-up redirect URL, an error is returned. 
- pkce_code_challenge: A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device. - - login_template_id: Use a custom template for login emails. By default, it will use your default email template. The template must be from Stytch's - built-in customizations or a custom HTML email for Magic Links - Login. - - signup_template_id: Use a custom template for signup emails. By default, it will use your default email template. The template must be from Stytch's - built-in customizations or a custom HTML email for Magic Links - Signup. + - login_template_id: Use a custom template for login emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Magic Links - Login. + - signup_template_id: Use a custom template for sign-up emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Magic links - Sign-up. - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - - login_expiration_minutes: The expiration time, in minutes, for a login Email Magic Link. If not authenticated within this time frame, the email will need to be resent. Defaults to 60 (1 hour) with a minimum of 5 and a maximum of 10080 (1 week). - - signup_expiration_minutes: The expiration time, in minutes, for a signup Email Magic Link. 
If not authenticated within this time frame, the email will need to be resent. Defaults to 60 (1 hour) with a minimum of 5 and a maximum of 10080 (1 week). + - login_expiration_minutes: Set the expiration for the login email magic link, in minutes. By default, it expires in 1 hour. The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins). + - signup_expiration_minutes: Set the expiration for the sign-up email magic link, in minutes. By default, it expires in 1 week. The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins). """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
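Review bot: The new `signup_expiration_minutes` entry in `login_or_signup` says "By default, it expires in 1 week", which contradicts the context line above it ("The magic link is valid for 60 minutes") and the removed text ("Defaults to 60 (1 hour)"). In the `invite` and `invite_async` hunks the reverse happened, with `invite_expiration_minutes` going from a 1 week default to "1 hour", so the two defaults look swapped. The lifetime limits how long an emailed login link stays usable, so the docstring should match the server. If the defaults did not change, use `By default, it expires in 1 hour.` here and `By default, it expires in 1 week.` for invites. `login_or_signup_async` has the same line.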
@@ -117,27 +110,20 @@ async def login_or_signup_async( The magic link is valid for 60 minutes. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. - email_address: The email address of the Member. - - login_redirect_url: The URL that the Member clicks from the login Email Magic Link. This URL should be an endpoint in the backend server that - verifies the request by querying Stytch's authenticate endpoint and finishes the login. If this value is not passed, the default login - redirect URL that you set in your Dashboard is used. If you have not set a default login redirect URL, an error is returned. + - login_redirect_url: The URL that Members are redirected to upon clicking the Email Magic Link. If this value is not passed, the default login redirect URL that you set in your Dashboard is used. If you have not set a default login redirect URL, an error is returned. - signup_redirect_url: The URL the Member clicks from the signup Email Magic Link. This URL should be an endpoint in the backend server that verifies - the request by querying Stytch's authenticate endpoint and finishes the login. If this value is not passed, the default sign-up redirect URL - that you set in your Dashboard is used. If you have not set a default sign-up redirect URL, an error is returned. + the request by querying Stytch's authenticate endpoint and finishes the login. If this value is not passed, the default sign-up redirect URL + that you set in your Dashboard is used. If you have not set a default sign-up redirect URL, an error is returned. 
- pkce_code_challenge: A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device. - - login_template_id: Use a custom template for login emails. By default, it will use your default email template. The template must be from Stytch's - built-in customizations or a custom HTML email for Magic Links - Login. - - signup_template_id: Use a custom template for signup emails. By default, it will use your default email template. The template must be from Stytch's - built-in customizations or a custom HTML email for Magic Links - Signup. + - login_template_id: Use a custom template for login emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Magic Links - Login. + - signup_template_id: Use a custom template for sign-up emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Magic links - Sign-up. - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - - login_expiration_minutes: The expiration time, in minutes, for a login Email Magic Link. If not authenticated within this time frame, the email will need to be resent. Defaults to 60 (1 hour) with a minimum of 5 and a maximum of 10080 (1 week). - - signup_expiration_minutes: The expiration time, in minutes, for a signup Email Magic Link. 
If not authenticated within this time frame, the email will need to be resent. Defaults to 60 (1 hour) with a minimum of 5 and a maximum of 10080 (1 week). + - login_expiration_minutes: Set the expiration for the login email magic link, in minutes. By default, it expires in 1 hour. The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins). + - signup_expiration_minutes: Set the expiration for the sign-up email magic link, in minutes. By default, it expires in 1 week. The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins). """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -189,28 +175,21 @@ def invite( To revoke an existing invite, use the [Delete Member](https://stytch.com/docs/b2b/api/delete-member) endpoint. This will both delete the invited Member from the target Organization and revoke all existing invite emails. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. - email_address: The email address of the Member. - invite_redirect_url: The URL that the Member clicks from the invite Email Magic Link. This URL should be an endpoint in the backend server that verifies - the request by querying Stytch's authenticate endpoint and finishes the invite flow. If this value is not passed, the default `invite_redirect_url` - that you set in your Dashboard is used. If you have not set a default `invite_redirect_url`, an error is returned. + the request by querying Stytch's authenticate endpoint and finishes the invite flow. If this value is not passed, the default `invite_redirect_url` + that you set in your Dashboard is used. If you have not set a default `invite_redirect_url`, an error is returned. - invited_by_member_id: The `member_id` of the Member who sends the invite. - name: The name of the Member. - - trusted_metadata: An arbitrary JSON object for storing application-specific data or identity-provider-specific data. - - untrusted_metadata: An arbitrary JSON object of application-specific data. These fields can be edited directly by the - frontend SDK, and should not be used to store critical information. 
See the [Metadata resource](https://stytch.com/docs/b2b/api/metadata) - for complete field behavior details. - - invite_template_id: Use a custom template for invite emails. By default, it will use your default email template. The template must be a template - using our built-in customizations or a custom HTML email for Magic Links - Invite. + - trusted_metadata: An arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. + - untrusted_metadata: An arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. + - invite_template_id: Use a custom template for invite emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Magic links - Invite. - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - - roles: Roles to explicitly assign to this Member. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) - for more information about role assignment. - - invite_expiration_minutes: The expiration time, in minutes, for an invite email. If not accepted within this time frame, the invite will need to be resent. 
Defaults to 10080 (1 week) with a minimum of 5 and a maximum of 10080. + - roles: Roles to explicitly assign to this Member. + - invite_expiration_minutes: Set the expiration for the invite, in minutes. By default, it expires in 1 hour. The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins). """ # noqa headers: Dict[str, str] = {} if method_options is not None: 
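Review bot: The new `trusted_metadata` entry in `invite` is now word for word the first sentence of `untrusted_metadata`, so the docstring no longer says what makes it trusted. Since `untrusted_metadata` is described as editable by end users and unusable for critical information, readers need one sentence on `trusted_metadata` saying who may write it and that critical data belongs there. Please confirm the write rules against the Metadata reference before adding it. The hunk also removes the RBAC guide link from `roles`, which was the only pointer to how explicit role assignment behaves. `invite_async` has the same text.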
@@ -266,28 +245,21 @@ async def invite_async( To revoke an existing invite, use the [Delete Member](https://stytch.com/docs/b2b/api/delete-member) endpoint. This will both delete the invited Member from the target Organization and revoke all existing invite emails. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. - email_address: The email address of the Member. - invite_redirect_url: The URL that the Member clicks from the invite Email Magic Link. This URL should be an endpoint in the backend server that verifies - the request by querying Stytch's authenticate endpoint and finishes the invite flow. If this value is not passed, the default `invite_redirect_url` - that you set in your Dashboard is used. If you have not set a default `invite_redirect_url`, an error is returned. + the request by querying Stytch's authenticate endpoint and finishes the invite flow. If this value is not passed, the default `invite_redirect_url` + that you set in your Dashboard is used. If you have not set a default `invite_redirect_url`, an error is returned. - invited_by_member_id: The `member_id` of the Member who sends the invite. - name: The name of the Member. - - trusted_metadata: An arbitrary JSON object for storing application-specific data or identity-provider-specific data. - - untrusted_metadata: An arbitrary JSON object of application-specific data. These fields can be edited directly by the - frontend SDK, and should not be used to store critical information. 
See the [Metadata resource](https://stytch.com/docs/b2b/api/metadata) - for complete field behavior details. - - invite_template_id: Use a custom template for invite emails. By default, it will use your default email template. The template must be a template - using our built-in customizations or a custom HTML email for Magic Links - Invite. + - trusted_metadata: An arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. + - untrusted_metadata: An arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. + - invite_template_id: Use a custom template for invite emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Magic links - Invite. - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - - roles: Roles to explicitly assign to this Member. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) - for more information about role assignment. - - invite_expiration_minutes: The expiration time, in minutes, for an invite email. If not accepted within this time frame, the invite will need to be resent. 
Defaults to 10080 (1 week) with a minimum of 5 and a maximum of 10080. + - roles: Roles to explicitly assign to this Member. + - invite_expiration_minutes: Set the expiration for the invite, in minutes. By default, it expires in 1 hour. The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins). """ # noqa headers: Dict[str, str] = {} if method_options is not None: diff --git a/stytch/b2b/api/magic_links_email_discovery.py b/stytch/b2b/api/magic_links_email_discovery.py index 4cba0bf0..62800287 100644 --- a/stytch/b2b/api/magic_links_email_discovery.py +++ b/stytch/b2b/api/magic_links_email_discovery.py 
@@ -38,17 +38,13 @@ def send( Fields: - email_address: The email address of the Member. - discovery_redirect_url: The URL that the end user clicks from the discovery Magic Link. This URL should be an endpoint in the backend server that - verifies the request by querying Stytch's discovery authenticate endpoint and continues the flow. If this value is not passed, the default - discovery redirect URL that you set in your Dashboard is used. If you have not set a default discovery redirect URL, an error is returned. + verifies the request by querying Stytch's discovery authenticate endpoint and continues the flow. If this value is not passed, the default + discovery redirect URL that you set in your Dashboard is used. If you have not set a default discovery redirect URL, an error is returned. - pkce_code_challenge: A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device. - - login_template_id: Use a custom template for discovery emails. By default, it will use your default email template. The template must be from Stytch's - built-in customizations or a custom HTML email for Magic Links - Login. + - login_template_id: Use a custom template for discovery emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Magic Links - Login. - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! 
- - discovery_expiration_minutes: The expiration time, in minutes, for an discovery magic link email. If not accepted within this time frame, the email will need to be resent. Defaults to 60 (1 hour) with a minimum of 5 and a maximum of 10080 (1 week). """ # noqa headers: Dict[str, str] = {} 
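Review bot: The `discovery_expiration_minutes` entry is dropped from the end of the `Fields:` list, and nothing in this hunk shows the parameter itself being removed from `send`; if it is still accepted, callers no longer see how long a discovery magic link stays valid. Link lifetime is a security-relevant setting, so I would keep the entry: `- discovery_expiration_minutes: The expiration time, in minutes, for a discovery magic link email. Defaults to 60 (1 hour) with a minimum of 5 and a maximum of 10080 (1 week).` The `send_async` hunk that follows removes the same entry. The signature of `send` is outside the hunk, so this should be confirmed against it.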
@@ -84,17 +80,13 @@ async def send_async( Fields: - email_address: The email address of the Member. - discovery_redirect_url: The URL that the end user clicks from the discovery Magic Link. This URL should be an endpoint in the backend server that - verifies the request by querying Stytch's discovery authenticate endpoint and continues the flow. If this value is not passed, the default - discovery redirect URL that you set in your Dashboard is used. If you have not set a default discovery redirect URL, an error is returned. + verifies the request by querying Stytch's discovery authenticate endpoint and continues the flow. If this value is not passed, the default + discovery redirect URL that you set in your Dashboard is used. If you have not set a default discovery redirect URL, an error is returned. - pkce_code_challenge: A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device. - - login_template_id: Use a custom template for discovery emails. By default, it will use your default email template. The template must be from Stytch's - built-in customizations or a custom HTML email for Magic Links - Login. + - login_template_id: Use a custom template for discovery emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Magic Links - Login. - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! 
- - discovery_expiration_minutes: The expiration time, in minutes, for an discovery magic link email. If not accepted within this time frame, the email will need to be resent. Defaults to 60 (1 hour) with a minimum of 5 and a maximum of 10080 (1 week). """ # noqa headers: Dict[str, str] = {} diff --git a/stytch/b2b/api/oauth.py b/stytch/b2b/api/oauth.py index f92c241c..4531a315 100644 --- a/stytch/b2b/api/oauth.py +++ b/stytch/b2b/api/oauth.py 
@@ -54,32 +54,16 @@ def authenticate( We're actively accepting requests for new OAuth providers! Please [email us](mailto:support@stytch.com) or [post in our community](https://stytch.com/docs/b2b/resources) if you are looking for an OAuth provider that is not currently supported. Fields: - - oauth_token: The token to authenticate. - - session_token: A secret token for a given Stytch Session. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want - to use the Stytch session product, you can ignore the session fields in the response. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in - `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To - delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored. - Total custom claims size cannot exceed four kilobytes. + - oauth_token: The OAuth token from the `?token=` query parameter in the URL. + - session_token: The `session_token` associated with a Member's existing Session. 
+ - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you do not wish to use Stytch's session product, you can ignore the session fields in the response. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - pkce_code_verifier: A base64url encoded one time secret used to validate that the request starts and ends on the same device. - - locale: If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode. - - Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. 
- - Currently supported languages are English (`"en"`), Spanish (`"es"`), and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - + - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. + Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - intermediate_session_token: Adds this primary authentication factor to the intermediate session token. If the resulting set of factors satisfies the organization's primary authentication requirements and MFA requirements, the intermediate session token will be consumed and converted to a member session. If not, the same intermediate session token will be returned. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa 
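Review bot: The rewritten `locale` entry no longer documents that this endpoint can send an SMS on its own. The removed text said that when the Member must complete an MFA step and has a phone number, a one-time passcode is sent pre-emptively, whereas the new generic wording ("this delivery method") names no delivery at all. If the behaviour is unchanged, keep one sentence for it, e.g. `If the Member needs to complete an MFA step and has a phone number, this endpoint pre-emptively sends an SMS OTP; locale selects its language.` The added "Request support for additional languages" link also has a stray `"` before the closing parenthesis (`usp=sf_link")`), which breaks the Markdown link. Both points apply to the `authenticate_async` hunk below as well; the docstring begins outside the hunk.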
@@ -135,32 +119,16 @@ async def authenticate_async( We're actively accepting requests for new OAuth providers! Please [email us](mailto:support@stytch.com) or [post in our community](https://stytch.com/docs/b2b/resources) if you are looking for an OAuth provider that is not currently supported. Fields: - - oauth_token: The token to authenticate. - - session_token: A secret token for a given Stytch Session. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want - to use the Stytch session product, you can ignore the session fields in the response. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in - `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To - delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored. - Total custom claims size cannot exceed four kilobytes. + - oauth_token: The OAuth token from the `?token=` query parameter in the URL. 
+ - session_token: The `session_token` associated with a Member's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you do not wish to use Stytch's session product, you can ignore the session fields in the response. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - pkce_code_verifier: A base64url encoded one time secret used to validate that the request starts and ends on the same device. - - locale: If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode. 
- - Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - - Currently supported languages are English (`"en"`), Spanish (`"es"`), and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - + - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. + Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - intermediate_session_token: Adds this primary authentication factor to the intermediate session token. If the resulting set of factors satisfies the organization's primary authentication requirements and MFA requirements, the intermediate session token will be consumed and converted to a member session. If not, the same intermediate session token will be returned. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa diff --git a/stytch/b2b/api/oauth_discovery.py b/stytch/b2b/api/oauth_discovery.py index ab54be29..7edafc3a 100644 --- a/stytch/b2b/api/oauth_discovery.py +++ b/stytch/b2b/api/oauth_discovery.py 
@@ -34,11 +34,12 @@ def authenticate( Session Token. Intermediate Session Tokens can be used for various Discovery login flows and are valid for 10 minutes. Fields: - - discovery_oauth_token: The Discovery OAuth token to authenticate. - - session_token: (no documentation yet) - - session_duration_minutes: (no documentation yet) - - session_jwt: (no documentation yet) - - session_custom_claims: (no documentation yet) + - discovery_oauth_token: The discovery OAuth token from the `?token=` query parameter in the URL. This token is used to authenticate a Member via OAuth in a Discovery flow. + - session_token: The `session_token` associated with a Member's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you do not wish to use Stytch's session product, you can ignore the session fields in the response. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. 
+ Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - pkce_code_verifier: A base64url encoded one time secret used to validate that the request starts and ends on the same device. """ # noqa headers: Dict[str, str] = {} 
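Review bot: The new `session_duration_minutes` text says the call "will start a new session" and that a 60 minute Stytch session is created by default, while the context line at the top of this hunk speaks of Intermediate Session Tokens that are valid for 10 minutes. The docstring does not say which lifetime a discovery authenticate call actually produces, and the wording appears to be shared with the non-discovery `authenticate` docstring. If the `session_*` fields do not create a Member Session in the discovery flow, state that on the entry, e.g. `Only applies when a Member Session is created; the Intermediate Session Token returned here keeps its own 10 minute expiry.` The same text is added in the `authenticate_async` hunk that follows.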
@@ -73,11 +74,12 @@ async def authenticate_async( Session Token. Intermediate Session Tokens can be used for various Discovery login flows and are valid for 10 minutes. Fields: - - discovery_oauth_token: The Discovery OAuth token to authenticate. - - session_token: (no documentation yet) - - session_duration_minutes: (no documentation yet) - - session_jwt: (no documentation yet) - - session_custom_claims: (no documentation yet) + - discovery_oauth_token: The discovery OAuth token from the `?token=` query parameter in the URL. This token is used to authenticate a Member via OAuth in a Discovery flow. + - session_token: The `session_token` associated with a Member's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you do not wish to use Stytch's session product, you can ignore the session fields in the response. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. 
+ Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - pkce_code_verifier: A base64url encoded one time secret used to validate that the request starts and ends on the same device. """ # noqa headers: Dict[str, str] = {} diff --git a/stytch/b2b/api/organizations.py b/stytch/b2b/api/organizations.py index fd683158..15b20b6c 100644 --- a/stytch/b2b/api/organizations.py +++ b/stytch/b2b/api/organizations.py 
@@ -85,89 +85,69 @@ def create( Fields: - organization_name: The name of the Organization. Must be between 1 and 128 characters in length. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.info.name` action on the `stytch.organization` Resource. - organization_slug: The unique URL slug of the Organization. The slug only accepts alphanumeric characters and the following reserved characters: `-` `.` `_` `~`. Must be between 2 and 128 characters in length. Wherever an organization_id is expected in a path or request parameter, you may also use the organization_slug as a convenience. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.info.slug` action on the `stytch.organization` Resource. - organization_logo_url: The image URL of the Organization logo. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.info.logo-url` action on the `stytch.organization` Resource. - trusted_metadata: An arbitrary JSON object for storing application-specific data or identity-provider-specific data. - organization_external_id: An identifier that can be used in API calls wherever a organization_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. External IDs must be unique within a project, but may be reused across different projects in the same workspace. - sso_jit_provisioning: The authentication setting that controls the JIT provisioning of Members when authenticating via SSO. The accepted values are: - - `ALL_ALLOWED` – the default setting, new Members will be automatically provisioned upon successful authentication via any of the Organization's `sso_active_connections`. 
- - `RESTRICTED` – only new Members with SSO logins that comply with `sso_jit_provisioning_allowed_connections` can be provisioned upon authentication. - - `NOT_ALLOWED` – disable JIT provisioning via SSO. - + `ALL_ALLOWED` – the default setting, new Members will be automatically provisioned upon successful authentication via any of the Organization's `sso_active_connections`. + `RESTRICTED` – only new Members with SSO logins that comply with `sso_jit_provisioning_allowed_connections` can be provisioned upon authentication. + `NOT_ALLOWED` – disable JIT provisioning via SSO. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.sso-jit-provisioning` action on the `stytch.organization` Resource. - email_allowed_domains: An array of email domains that allow invites or JIT provisioning for new Members. This list is enforced when either `email_invites` or `email_jit_provisioning` is set to `RESTRICTED`. - - - Common domains such as `gmail.com` are not allowed. See the [common email domains resource](https://stytch.com/docs/b2b/api/common-email-domains) for the full list. + Common domains such as `gmail.com` are not allowed. See the [common email domains resource](https://stytch.com/docs/b2b/api/common-email-domains) for the full list. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-domains` action on the `stytch.organization` Resource. - email_jit_provisioning: The authentication setting that controls how a new Member can be provisioned by authenticating via Email Magic Link or OAuth. The accepted values are: - - `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be provisioned upon authentication via Email Magic Link or OAuth. - - `NOT_ALLOWED` – the default setting, disables JIT provisioning via Email Magic Link and OAuth. 
- + `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be provisioned upon authentication via Email Magic Link or OAuth. + `NOT_ALLOWED` – the default setting, disables JIT provisioning via Email Magic Link and OAuth. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.email-jit-provisioning` action on the `stytch.organization` Resource. - email_invites: The authentication setting that controls how a new Member can be invited to an organization by email. The accepted values are: - - `ALL_ALLOWED` – any new Member can be invited to join via email. - - `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be invited via email. - - `NOT_ALLOWED` – disable email invites. - + `ALL_ALLOWED` – any new Member can be invited to join via email. + `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be invited via email. + `NOT_ALLOWED` – disable email invites. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.email-invites` action on the `stytch.organization` Resource. - auth_methods: The setting that controls which authentication methods can be used by Members of an Organization. The accepted values are: - - `ALL_ALLOWED` – the default setting which allows all authentication methods to be used. - - `RESTRICTED` – only methods that comply with `allowed_auth_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`. - + `ALL_ALLOWED` – the default setting which allows all authentication methods to be used. + `RESTRICTED` – only methods that comply with `allowed_auth_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`. 
+ When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-auth-methods` action on the `stytch.organization` Resource. - allowed_auth_methods: An array of allowed authentication methods. This list is enforced when `auth_methods` is set to `RESTRICTED`. - The list's accepted values are: `sso`, `magic_link`, `email_otp`, `password`, `google_oauth`, `microsoft_oauth`, `slack_oauth`, `github_oauth`, and `hubspot_oauth`. - + The list's accepted values are: `sso`, `magic_link`, `email_otp`, `password`, `google_oauth`, `microsoft_oauth`, `slack_oauth`, `github_oauth`, and `hubspot_oauth`. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-auth-methods` action on the `stytch.organization` Resource. - mfa_policy: The setting that controls the MFA policy for all Members in the Organization. The accepted values are: - - `REQUIRED_FOR_ALL` – All Members within the Organization will be required to complete MFA every time they wish to log in. However, any active Session that existed prior to this setting change will remain valid. - - `OPTIONAL` – The default value. The Organization does not require MFA by default for all Members. Members will be required to complete MFA only if their `mfa_enrolled` status is set to true. - + `REQUIRED_FOR_ALL` – All Members within the Organization will be required to complete MFA every time they wish to log in. However, any active Session that existed prior to this setting change will remain valid. + `OPTIONAL` – The default value. The Organization does not require MFA by default for all Members. Members will be required to complete MFA only if their `mfa_enrolled` status is set to true. 
+ When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.mfa-policy` action on the `stytch.organization` Resource. - rbac_email_implicit_role_assignments: Implicit role assignments based off of email domains. - For each domain-Role pair, all Members whose email addresses have the specified email domain will be granted the - associated Role, regardless of their login method. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) - for more information about role assignment. + For each domain-Role pair, all Members whose email addresses have the specified email domain will be granted the + associated Role, regardless of their login method. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) + for more information about role assignment. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.implicit-roles` action on the `stytch.organization` Resource. - mfa_methods: The setting that controls which MFA methods can be used by Members of an Organization. The accepted values are: - - `ALL_ALLOWED` – the default setting which allows all authentication methods to be used. - - `RESTRICTED` – only methods that comply with `allowed_mfa_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`. - + `ALL_ALLOWED` – the default setting which allows all authentication methods to be used. + `RESTRICTED` – only methods that comply with `allowed_mfa_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-mfa-methods` action on the `stytch.organization` Resource. 
- allowed_mfa_methods: An array of allowed MFA authentication methods. This list is enforced when `mfa_methods` is set to `RESTRICTED`. - The list's accepted values are: `sms_otp` and `totp`. - + The list's accepted values are: `sms_otp` and `totp`. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-mfa-methods` action on the `stytch.organization` Resource. - oauth_tenant_jit_provisioning: The authentication setting that controls how a new Member can JIT provision into an organization by tenant. The accepted values are: - - `RESTRICTED` – only new Members with tenants in `allowed_oauth_tenants` can JIT provision via tenant. - - `NOT_ALLOWED` – the default setting, disables JIT provisioning by OAuth Tenant. - + `RESTRICTED` – only new Members with tenants in `allowed_oauth_tenants` can JIT provision via tenant. + `NOT_ALLOWED` – the default setting, disables JIT provisioning by OAuth Tenant. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.oauth-tenant-jit-provisioning` action on the `stytch.organization` Resource. - allowed_oauth_tenants: A map of allowed OAuth tenants. If this field is not passed in, the Organization will not allow JIT provisioning by OAuth Tenant. Allowed keys are "slack", "hubspot", and "github". - - claimed_email_domains: A list of email domains that are claimed by the Organization. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-oauth-tenants` action on the `stytch.organization` Resource. + - claimed_email_domains: An array of email domains that have been claimed by this Organization. When a domain is claimed, only this Organization can invite or JIT provision Members with email addresses on that domain. 
- first_party_connected_apps_allowed_type: The authentication setting that sets the Organization's policy towards first party Connected Apps. The accepted values are: - - `ALL_ALLOWED` – the default setting, any first party Connected App in the Project is permitted for use by Members. - - `RESTRICTED` – only first party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members. - - `NOT_ALLOWED` – no first party Connected Apps are permitted. - + `ALL_ALLOWED` – the default setting, any first party Connected App in the Project is permitted for use by Members. + `RESTRICTED` – only first party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members. + `NOT_ALLOWED` – no first party Connected Apps are permitted. - allowed_first_party_connected_apps: An array of first party Connected App IDs that are allowed for the Organization. Only used when the Organization's `first_party_connected_apps_allowed_type` is `RESTRICTED`. - third_party_connected_apps_allowed_type: The authentication setting that sets the Organization's policy towards third party Connected Apps. The accepted values are: - - `ALL_ALLOWED` – the default setting, any third party Connected App in the Project is permitted for use by Members. - - `RESTRICTED` – only third party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members. - - `NOT_ALLOWED` – no third party Connected Apps are permitted. - + `ALL_ALLOWED` – the default setting, any third party Connected App in the Project is permitted for use by Members. + `RESTRICTED` – only third party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members. + `NOT_ALLOWED` – no third party Connected Apps are permitted. - allowed_third_party_connected_apps: An array of third party Connected App IDs that are allowed for the Organization. Only used when the Organization's `third_party_connected_apps_allowed_type` is `RESTRICTED`. 
""" # noqa headers: Dict[str, str] = {} 
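Review bot: In the `third_party_connected_apps_allowed_type` entry, the re-indented `RESTRICTED` line still says that only third party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used. The next entry documents `allowed_third_party_connected_apps` as the list that applies when that type is `RESTRICTED`. This looks like a copy-paste slip carried over from the removed line, and an integrator following it would populate the wrong allowlist. Suggested line: `` `RESTRICTED` – only third party Connected Apps with IDs in `allowed_third_party_connected_apps` can be used by Members. `` The docstring begins outside the hunk, and the `create_async` hunk that follows is cut off in this view, so check whether it repeats the line.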
@@ -271,89 +251,69 @@ async def create_async( Fields: - organization_name: The name of the Organization. Must be between 1 and 128 characters in length. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.info.name` action on the `stytch.organization` Resource. - organization_slug: The unique URL slug of the Organization. The slug only accepts alphanumeric characters and the following reserved characters: `-` `.` `_` `~`. Must be between 2 and 128 characters in length. Wherever an organization_id is expected in a path or request parameter, you may also use the organization_slug as a convenience. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.info.slug` action on the `stytch.organization` Resource. - organization_logo_url: The image URL of the Organization logo. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.info.logo-url` action on the `stytch.organization` Resource. - trusted_metadata: An arbitrary JSON object for storing application-specific data or identity-provider-specific data. - organization_external_id: An identifier that can be used in API calls wherever a organization_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. External IDs must be unique within a project, but may be reused across different projects in the same workspace. - sso_jit_provisioning: The authentication setting that controls the JIT provisioning of Members when authenticating via SSO. The accepted values are: - - `ALL_ALLOWED` – the default setting, new Members will be automatically provisioned upon successful authentication via any of the Organization's `sso_active_connections`. 
- - `RESTRICTED` – only new Members with SSO logins that comply with `sso_jit_provisioning_allowed_connections` can be provisioned upon authentication. - - `NOT_ALLOWED` – disable JIT provisioning via SSO. - + `ALL_ALLOWED` – the default setting, new Members will be automatically provisioned upon successful authentication via any of the Organization's `sso_active_connections`. + `RESTRICTED` – only new Members with SSO logins that comply with `sso_jit_provisioning_allowed_connections` can be provisioned upon authentication. + `NOT_ALLOWED` – disable JIT provisioning via SSO. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.sso-jit-provisioning` action on the `stytch.organization` Resource. - email_allowed_domains: An array of email domains that allow invites or JIT provisioning for new Members. This list is enforced when either `email_invites` or `email_jit_provisioning` is set to `RESTRICTED`. - - - Common domains such as `gmail.com` are not allowed. See the [common email domains resource](https://stytch.com/docs/b2b/api/common-email-domains) for the full list. + Common domains such as `gmail.com` are not allowed. See the [common email domains resource](https://stytch.com/docs/b2b/api/common-email-domains) for the full list. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-domains` action on the `stytch.organization` Resource. - email_jit_provisioning: The authentication setting that controls how a new Member can be provisioned by authenticating via Email Magic Link or OAuth. The accepted values are: - - `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be provisioned upon authentication via Email Magic Link or OAuth. - - `NOT_ALLOWED` – the default setting, disables JIT provisioning via Email Magic Link and OAuth. 
- + `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be provisioned upon authentication via Email Magic Link or OAuth. + `NOT_ALLOWED` – the default setting, disables JIT provisioning via Email Magic Link and OAuth. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.email-jit-provisioning` action on the `stytch.organization` Resource. - email_invites: The authentication setting that controls how a new Member can be invited to an organization by email. The accepted values are: - - `ALL_ALLOWED` – any new Member can be invited to join via email. - - `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be invited via email. - - `NOT_ALLOWED` – disable email invites. - + `ALL_ALLOWED` – any new Member can be invited to join via email. + `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be invited via email. + `NOT_ALLOWED` – disable email invites. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.email-invites` action on the `stytch.organization` Resource. - auth_methods: The setting that controls which authentication methods can be used by Members of an Organization. The accepted values are: - - `ALL_ALLOWED` – the default setting which allows all authentication methods to be used. - - `RESTRICTED` – only methods that comply with `allowed_auth_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`. - + `ALL_ALLOWED` – the default setting which allows all authentication methods to be used. + `RESTRICTED` – only methods that comply with `allowed_auth_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`. 
+ When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-auth-methods` action on the `stytch.organization` Resource. - allowed_auth_methods: An array of allowed authentication methods. This list is enforced when `auth_methods` is set to `RESTRICTED`. - The list's accepted values are: `sso`, `magic_link`, `email_otp`, `password`, `google_oauth`, `microsoft_oauth`, `slack_oauth`, `github_oauth`, and `hubspot_oauth`. - + The list's accepted values are: `sso`, `magic_link`, `email_otp`, `password`, `google_oauth`, `microsoft_oauth`, `slack_oauth`, `github_oauth`, and `hubspot_oauth`. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-auth-methods` action on the `stytch.organization` Resource. - mfa_policy: The setting that controls the MFA policy for all Members in the Organization. The accepted values are: - - `REQUIRED_FOR_ALL` – All Members within the Organization will be required to complete MFA every time they wish to log in. However, any active Session that existed prior to this setting change will remain valid. - - `OPTIONAL` – The default value. The Organization does not require MFA by default for all Members. Members will be required to complete MFA only if their `mfa_enrolled` status is set to true. - + `REQUIRED_FOR_ALL` – All Members within the Organization will be required to complete MFA every time they wish to log in. However, any active Session that existed prior to this setting change will remain valid. + `OPTIONAL` – The default value. The Organization does not require MFA by default for all Members. Members will be required to complete MFA only if their `mfa_enrolled` status is set to true. 
+ When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.mfa-policy` action on the `stytch.organization` Resource. - rbac_email_implicit_role_assignments: Implicit role assignments based off of email domains. - For each domain-Role pair, all Members whose email addresses have the specified email domain will be granted the - associated Role, regardless of their login method. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) - for more information about role assignment. + For each domain-Role pair, all Members whose email addresses have the specified email domain will be granted the + associated Role, regardless of their login method. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) + for more information about role assignment. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.implicit-roles` action on the `stytch.organization` Resource. - mfa_methods: The setting that controls which MFA methods can be used by Members of an Organization. The accepted values are: - - `ALL_ALLOWED` – the default setting which allows all authentication methods to be used. - - `RESTRICTED` – only methods that comply with `allowed_mfa_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`. - + `ALL_ALLOWED` – the default setting which allows all authentication methods to be used. + `RESTRICTED` – only methods that comply with `allowed_mfa_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-mfa-methods` action on the `stytch.organization` Resource. 
- allowed_mfa_methods: An array of allowed MFA authentication methods. This list is enforced when `mfa_methods` is set to `RESTRICTED`. - The list's accepted values are: `sms_otp` and `totp`. - + The list's accepted values are: `sms_otp` and `totp`. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-mfa-methods` action on the `stytch.organization` Resource. - oauth_tenant_jit_provisioning: The authentication setting that controls how a new Member can JIT provision into an organization by tenant. The accepted values are: - - `RESTRICTED` – only new Members with tenants in `allowed_oauth_tenants` can JIT provision via tenant. - - `NOT_ALLOWED` – the default setting, disables JIT provisioning by OAuth Tenant. - + `RESTRICTED` – only new Members with tenants in `allowed_oauth_tenants` can JIT provision via tenant. + `NOT_ALLOWED` – the default setting, disables JIT provisioning by OAuth Tenant. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.oauth-tenant-jit-provisioning` action on the `stytch.organization` Resource. - allowed_oauth_tenants: A map of allowed OAuth tenants. If this field is not passed in, the Organization will not allow JIT provisioning by OAuth Tenant. Allowed keys are "slack", "hubspot", and "github". - - claimed_email_domains: A list of email domains that are claimed by the Organization. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-oauth-tenants` action on the `stytch.organization` Resource. + - claimed_email_domains: An array of email domains that have been claimed by this Organization. When a domain is claimed, only this Organization can invite or JIT provision Members with email addresses on that domain. 
- first_party_connected_apps_allowed_type: The authentication setting that sets the Organization's policy towards first party Connected Apps. The accepted values are: - - `ALL_ALLOWED` – the default setting, any first party Connected App in the Project is permitted for use by Members. - - `RESTRICTED` – only first party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members. - - `NOT_ALLOWED` – no first party Connected Apps are permitted. - + `ALL_ALLOWED` – the default setting, any first party Connected App in the Project is permitted for use by Members. + `RESTRICTED` – only first party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members. + `NOT_ALLOWED` – no first party Connected Apps are permitted. - allowed_first_party_connected_apps: An array of first party Connected App IDs that are allowed for the Organization. Only used when the Organization's `first_party_connected_apps_allowed_type` is `RESTRICTED`. - third_party_connected_apps_allowed_type: The authentication setting that sets the Organization's policy towards third party Connected Apps. The accepted values are: - - `ALL_ALLOWED` – the default setting, any third party Connected App in the Project is permitted for use by Members. - - `RESTRICTED` – only third party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members. - - `NOT_ALLOWED` – no third party Connected Apps are permitted. - + `ALL_ALLOWED` – the default setting, any third party Connected App in the Project is permitted for use by Members. + `RESTRICTED` – only third party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members. + `NOT_ALLOWED` – no third party Connected Apps are permitted. - allowed_third_party_connected_apps: An array of third party Connected App IDs that are allowed for the Organization. Only used when the Organization's `third_party_connected_apps_allowed_type` is `RESTRICTED`. 
""" # noqa headers: Dict[str, str] = {} @@ -425,7 +385,7 @@ def get( """Returns an Organization specified by `organization_id`. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { @@ -443,7 +403,7 @@ async def get_async( """Returns an Organization specified by `organization_id`. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
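Review bot: In the `third_party_connected_apps_allowed_type` entry of the `create_async` docstring, the rewritten `RESTRICTED` line still names `allowed_first_party_connected_apps` as the allowlist. The very next field, `allowed_third_party_connected_apps`, is documented as the list used when the third-party type is `RESTRICTED`, so the two entries contradict each other. An integrator who follows the text would fill the first-party list and could leave the third-party allowlist unset, ending up with a different Connected Apps policy than the one intended. Since the commit already rewrites this line, it should read `allowed_third_party_connected_apps` there. The same wording appears in the `update` hunk and in the tail of the hunk that precedes this one; the docstrings look generated, so the fix probably belongs in the upstream spec rather than in this file.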
@@ -494,130 +454,78 @@ def update( *See the [Organization authentication settings](https://stytch.com/docs/b2b/api/org-auth-settings) resource to learn more about fields like `email_jit_provisioning`, `email_invites`, `sso_jit_provisioning`, etc., and their behaviors. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. - organization_name: The name of the Organization. Must be between 1 and 128 characters in length. - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.info.name` action on the `stytch.organization` Resource. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.info.name` action on the `stytch.organization` Resource. - organization_slug: The unique URL slug of the Organization. The slug only accepts alphanumeric characters and the following reserved characters: `-` `.` `_` `~`. Must be between 2 and 128 characters in length. Wherever an organization_id is expected in a path or request parameter, you may also use the organization_slug as a convenience. - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.info.slug` action on the `stytch.organization` Resource. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.info.slug` action on the `stytch.organization` Resource. 
- organization_logo_url: The image URL of the Organization logo. - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.info.logo-url` action on the `stytch.organization` Resource. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.info.logo-url` action on the `stytch.organization` Resource. - trusted_metadata: An arbitrary JSON object for storing application-specific data or identity-provider-specific data. - If a session header is passed into the request, this field may **not** be passed into the request. You cannot - update trusted metadata when acting as a Member. + If a session header is passed into the request, this field may **not** be passed into the request. You cannot + update trusted metadata when acting as a Member. - organization_external_id: An identifier that can be used in API calls wherever a organization_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. External IDs must be unique within a project, but may be reused across different projects in the same workspace. - sso_default_connection_id: The default connection used for SSO when there are multiple active connections. - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.default-sso-connection` action on the `stytch.organization` Resource. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.default-sso-connection` action on the `stytch.organization` Resource. - sso_jit_provisioning: The authentication setting that controls the JIT provisioning of Members when authenticating via SSO. 
The accepted values are: - - `ALL_ALLOWED` – the default setting, new Members will be automatically provisioned upon successful authentication via any of the Organization's `sso_active_connections`. - - `RESTRICTED` – only new Members with SSO logins that comply with `sso_jit_provisioning_allowed_connections` can be provisioned upon authentication. - - `NOT_ALLOWED` – disable JIT provisioning via SSO. - - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.sso-jit-provisioning` action on the `stytch.organization` Resource. + `ALL_ALLOWED` – the default setting, new Members will be automatically provisioned upon successful authentication via any of the Organization's `sso_active_connections`. + `RESTRICTED` – only new Members with SSO logins that comply with `sso_jit_provisioning_allowed_connections` can be provisioned upon authentication. + `NOT_ALLOWED` – disable JIT provisioning via SSO. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.sso-jit-provisioning` action on the `stytch.organization` Resource. - sso_jit_provisioning_allowed_connections: An array of `connection_id`s that reference [SAML Connection objects](https://stytch.com/docs/b2b/api/saml-connection-object). - Only these connections will be allowed to JIT provision Members via SSO when `sso_jit_provisioning` is set to `RESTRICTED`. - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.sso-jit-provisioning` action on the `stytch.organization` Resource. + Only these connections will be allowed to JIT provision Members via SSO when `sso_jit_provisioning` is set to `RESTRICTED`. 
+ When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.sso-jit-provisioning` action on the `stytch.organization` Resource. - email_allowed_domains: An array of email domains that allow invites or JIT provisioning for new Members. This list is enforced when either `email_invites` or `email_jit_provisioning` is set to `RESTRICTED`. - - - Common domains such as `gmail.com` are not allowed. See the [common email domains resource](https://stytch.com/docs/b2b/api/common-email-domains) for the full list. - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-domains` action on the `stytch.organization` Resource. + Common domains such as `gmail.com` are not allowed. See the [common email domains resource](https://stytch.com/docs/b2b/api/common-email-domains) for the full list. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-domains` action on the `stytch.organization` Resource. - email_jit_provisioning: The authentication setting that controls how a new Member can be provisioned by authenticating via Email Magic Link or OAuth. The accepted values are: - - `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be provisioned upon authentication via Email Magic Link or OAuth. - - `NOT_ALLOWED` – the default setting, disables JIT provisioning via Email Magic Link and OAuth. - - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.email-jit-provisioning` action on the `stytch.organization` Resource. 
+ `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be provisioned upon authentication via Email Magic Link or OAuth. + `NOT_ALLOWED` – the default setting, disables JIT provisioning via Email Magic Link and OAuth. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.email-jit-provisioning` action on the `stytch.organization` Resource. - email_invites: The authentication setting that controls how a new Member can be invited to an organization by email. The accepted values are: - - `ALL_ALLOWED` – any new Member can be invited to join via email. - - `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be invited via email. - - `NOT_ALLOWED` – disable email invites. - - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.email-invites` action on the `stytch.organization` Resource. + `ALL_ALLOWED` – any new Member can be invited to join via email. + `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be invited via email. + `NOT_ALLOWED` – disable email invites. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.email-invites` action on the `stytch.organization` Resource. - auth_methods: The setting that controls which authentication methods can be used by Members of an Organization. The accepted values are: - - `ALL_ALLOWED` – the default setting which allows all authentication methods to be used. - - `RESTRICTED` – only methods that comply with `allowed_auth_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`. 
- - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-auth-methods` action on the `stytch.organization` Resource. + `ALL_ALLOWED` – the default setting which allows all authentication methods to be used. + `RESTRICTED` – only methods that comply with `allowed_auth_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-auth-methods` action on the `stytch.organization` Resource. - allowed_auth_methods: An array of allowed authentication methods. This list is enforced when `auth_methods` is set to `RESTRICTED`. - The list's accepted values are: `sso`, `magic_link`, `email_otp`, `password`, `google_oauth`, `microsoft_oauth`, `slack_oauth`, `github_oauth`, and `hubspot_oauth`. - - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-auth-methods` action on the `stytch.organization` Resource. + The list's accepted values are: `sso`, `magic_link`, `email_otp`, `password`, `google_oauth`, `microsoft_oauth`, `slack_oauth`, `github_oauth`, and `hubspot_oauth`. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-auth-methods` action on the `stytch.organization` Resource. - mfa_policy: The setting that controls the MFA policy for all Members in the Organization. The accepted values are: - - `REQUIRED_FOR_ALL` – All Members within the Organization will be required to complete MFA every time they wish to log in. However, any active Session that existed prior to this setting change will remain valid. - - `OPTIONAL` – The default value. 
The Organization does not require MFA by default for all Members. Members will be required to complete MFA only if their `mfa_enrolled` status is set to true. - - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.mfa-policy` action on the `stytch.organization` Resource. + `REQUIRED_FOR_ALL` – All Members within the Organization will be required to complete MFA every time they wish to log in. However, any active Session that existed prior to this setting change will remain valid. + `OPTIONAL` – The default value. The Organization does not require MFA by default for all Members. Members will be required to complete MFA only if their `mfa_enrolled` status is set to true. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.mfa-policy` action on the `stytch.organization` Resource. - rbac_email_implicit_role_assignments: Implicit role assignments based off of email domains. - For each domain-Role pair, all Members whose email addresses have the specified email domain will be granted the - associated Role, regardless of their login method. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) - for more information about role assignment. - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.implicit-roles` action on the `stytch.organization` Resource. + For each domain-Role pair, all Members whose email addresses have the specified email domain will be granted the + associated Role, regardless of their login method. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) + for more information about role assignment. 
+ When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.implicit-roles` action on the `stytch.organization` Resource. - mfa_methods: The setting that controls which MFA methods can be used by Members of an Organization. The accepted values are: - - `ALL_ALLOWED` – the default setting which allows all authentication methods to be used. - - `RESTRICTED` – only methods that comply with `allowed_mfa_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`. - - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-mfa-methods` action on the `stytch.organization` Resource. + `ALL_ALLOWED` – the default setting which allows all authentication methods to be used. + `RESTRICTED` – only methods that comply with `allowed_mfa_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-mfa-methods` action on the `stytch.organization` Resource. - allowed_mfa_methods: An array of allowed MFA authentication methods. This list is enforced when `mfa_methods` is set to `RESTRICTED`. - The list's accepted values are: `sms_otp` and `totp`. - - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-mfa-methods` action on the `stytch.organization` Resource. + The list's accepted values are: `sms_otp` and `totp`. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-mfa-methods` action on the `stytch.organization` Resource. 
- oauth_tenant_jit_provisioning: The authentication setting that controls how a new Member can JIT provision into an organization by tenant. The accepted values are: - - `RESTRICTED` – only new Members with tenants in `allowed_oauth_tenants` can JIT provision via tenant. - - `NOT_ALLOWED` – the default setting, disables JIT provisioning by OAuth Tenant. - - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.oauth-tenant-jit-provisioning` action on the `stytch.organization` Resource. + `RESTRICTED` – only new Members with tenants in `allowed_oauth_tenants` can JIT provision via tenant. + `NOT_ALLOWED` – the default setting, disables JIT provisioning by OAuth Tenant. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.oauth-tenant-jit-provisioning` action on the `stytch.organization` Resource. - allowed_oauth_tenants: A map of allowed OAuth tenants. If this field is not passed in, the Organization will not allow JIT provisioning by OAuth Tenant. Allowed keys are "slack", "hubspot", and "github". - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-oauth-tenants` action on the `stytch.organization` Resource. - - claimed_email_domains: A list of email domains that are claimed by the Organization. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-oauth-tenants` action on the `stytch.organization` Resource. + - claimed_email_domains: An array of email domains that have been claimed by this Organization. When a domain is claimed, only this Organization can invite or JIT provision Members with email addresses on that domain. 
- first_party_connected_apps_allowed_type: The authentication setting that sets the Organization's policy towards first party Connected Apps. The accepted values are: - - `ALL_ALLOWED` – the default setting, any first party Connected App in the Project is permitted for use by Members. - - `RESTRICTED` – only first party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members. - - `NOT_ALLOWED` – no first party Connected Apps are permitted. - + `ALL_ALLOWED` – the default setting, any first party Connected App in the Project is permitted for use by Members. + `RESTRICTED` – only first party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members. + `NOT_ALLOWED` – no first party Connected Apps are permitted. - allowed_first_party_connected_apps: An array of first party Connected App IDs that are allowed for the Organization. Only used when the Organization's `first_party_connected_apps_allowed_type` is `RESTRICTED`. - third_party_connected_apps_allowed_type: The authentication setting that sets the Organization's policy towards third party Connected Apps. The accepted values are: - - `ALL_ALLOWED` – the default setting, any third party Connected App in the Project is permitted for use by Members. - - `RESTRICTED` – only third party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members. - - `NOT_ALLOWED` – no third party Connected Apps are permitted. - + `ALL_ALLOWED` – the default setting, any third party Connected App in the Project is permitted for use by Members. + `RESTRICTED` – only third party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members. + `NOT_ALLOWED` – no third party Connected Apps are permitted. - allowed_third_party_connected_apps: An array of third party Connected App IDs that are allowed for the Organization. Only used when the Organization's `third_party_connected_apps_allowed_type` is `RESTRICTED`. 
""" # noqa headers: Dict[str, str] = {} 
@@ -732,130 +640,78 @@ async def update_async( *See the [Organization authentication settings](https://stytch.com/docs/b2b/api/org-auth-settings) resource to learn more about fields like `email_jit_provisioning`, `email_invites`, `sso_jit_provisioning`, etc., and their behaviors. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. - organization_name: The name of the Organization. Must be between 1 and 128 characters in length. - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.info.name` action on the `stytch.organization` Resource. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.info.name` action on the `stytch.organization` Resource. - organization_slug: The unique URL slug of the Organization. The slug only accepts alphanumeric characters and the following reserved characters: `-` `.` `_` `~`. Must be between 2 and 128 characters in length. Wherever an organization_id is expected in a path or request parameter, you may also use the organization_slug as a convenience. - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.info.slug` action on the `stytch.organization` Resource. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.info.slug` action on the `stytch.organization` Resource. 
- organization_logo_url: The image URL of the Organization logo. - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.info.logo-url` action on the `stytch.organization` Resource. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.info.logo-url` action on the `stytch.organization` Resource. - trusted_metadata: An arbitrary JSON object for storing application-specific data or identity-provider-specific data. - If a session header is passed into the request, this field may **not** be passed into the request. You cannot - update trusted metadata when acting as a Member. + If a session header is passed into the request, this field may **not** be passed into the request. You cannot + update trusted metadata when acting as a Member. - organization_external_id: An identifier that can be used in API calls wherever a organization_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. External IDs must be unique within a project, but may be reused across different projects in the same workspace. - sso_default_connection_id: The default connection used for SSO when there are multiple active connections. - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.default-sso-connection` action on the `stytch.organization` Resource. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.default-sso-connection` action on the `stytch.organization` Resource. - sso_jit_provisioning: The authentication setting that controls the JIT provisioning of Members when authenticating via SSO. 
The accepted values are: - - `ALL_ALLOWED` – the default setting, new Members will be automatically provisioned upon successful authentication via any of the Organization's `sso_active_connections`. - - `RESTRICTED` – only new Members with SSO logins that comply with `sso_jit_provisioning_allowed_connections` can be provisioned upon authentication. - - `NOT_ALLOWED` – disable JIT provisioning via SSO. - - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.sso-jit-provisioning` action on the `stytch.organization` Resource. + `ALL_ALLOWED` – the default setting, new Members will be automatically provisioned upon successful authentication via any of the Organization's `sso_active_connections`. + `RESTRICTED` – only new Members with SSO logins that comply with `sso_jit_provisioning_allowed_connections` can be provisioned upon authentication. + `NOT_ALLOWED` – disable JIT provisioning via SSO. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.sso-jit-provisioning` action on the `stytch.organization` Resource. - sso_jit_provisioning_allowed_connections: An array of `connection_id`s that reference [SAML Connection objects](https://stytch.com/docs/b2b/api/saml-connection-object). - Only these connections will be allowed to JIT provision Members via SSO when `sso_jit_provisioning` is set to `RESTRICTED`. - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.sso-jit-provisioning` action on the `stytch.organization` Resource. + Only these connections will be allowed to JIT provision Members via SSO when `sso_jit_provisioning` is set to `RESTRICTED`. 
+ When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.sso-jit-provisioning` action on the `stytch.organization` Resource. - email_allowed_domains: An array of email domains that allow invites or JIT provisioning for new Members. This list is enforced when either `email_invites` or `email_jit_provisioning` is set to `RESTRICTED`. - - - Common domains such as `gmail.com` are not allowed. See the [common email domains resource](https://stytch.com/docs/b2b/api/common-email-domains) for the full list. - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-domains` action on the `stytch.organization` Resource. + Common domains such as `gmail.com` are not allowed. See the [common email domains resource](https://stytch.com/docs/b2b/api/common-email-domains) for the full list. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-domains` action on the `stytch.organization` Resource. - email_jit_provisioning: The authentication setting that controls how a new Member can be provisioned by authenticating via Email Magic Link or OAuth. The accepted values are: - - `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be provisioned upon authentication via Email Magic Link or OAuth. - - `NOT_ALLOWED` – the default setting, disables JIT provisioning via Email Magic Link and OAuth. - - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.email-jit-provisioning` action on the `stytch.organization` Resource. 
+ `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be provisioned upon authentication via Email Magic Link or OAuth. + `NOT_ALLOWED` – the default setting, disables JIT provisioning via Email Magic Link and OAuth. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.email-jit-provisioning` action on the `stytch.organization` Resource. - email_invites: The authentication setting that controls how a new Member can be invited to an organization by email. The accepted values are: - - `ALL_ALLOWED` – any new Member can be invited to join via email. - - `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be invited via email. - - `NOT_ALLOWED` – disable email invites. - - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.email-invites` action on the `stytch.organization` Resource. + `ALL_ALLOWED` – any new Member can be invited to join via email. + `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be invited via email. + `NOT_ALLOWED` – disable email invites. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.email-invites` action on the `stytch.organization` Resource. - auth_methods: The setting that controls which authentication methods can be used by Members of an Organization. The accepted values are: - - `ALL_ALLOWED` – the default setting which allows all authentication methods to be used. - - `RESTRICTED` – only methods that comply with `allowed_auth_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`. 
- - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-auth-methods` action on the `stytch.organization` Resource. + `ALL_ALLOWED` – the default setting which allows all authentication methods to be used. + `RESTRICTED` – only methods that comply with `allowed_auth_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-auth-methods` action on the `stytch.organization` Resource. - allowed_auth_methods: An array of allowed authentication methods. This list is enforced when `auth_methods` is set to `RESTRICTED`. - The list's accepted values are: `sso`, `magic_link`, `email_otp`, `password`, `google_oauth`, `microsoft_oauth`, `slack_oauth`, `github_oauth`, and `hubspot_oauth`. - - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-auth-methods` action on the `stytch.organization` Resource. + The list's accepted values are: `sso`, `magic_link`, `email_otp`, `password`, `google_oauth`, `microsoft_oauth`, `slack_oauth`, `github_oauth`, and `hubspot_oauth`. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-auth-methods` action on the `stytch.organization` Resource. - mfa_policy: The setting that controls the MFA policy for all Members in the Organization. The accepted values are: - - `REQUIRED_FOR_ALL` – All Members within the Organization will be required to complete MFA every time they wish to log in. However, any active Session that existed prior to this setting change will remain valid. - - `OPTIONAL` – The default value. 
The Organization does not require MFA by default for all Members. Members will be required to complete MFA only if their `mfa_enrolled` status is set to true. - - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.mfa-policy` action on the `stytch.organization` Resource. + `REQUIRED_FOR_ALL` – All Members within the Organization will be required to complete MFA every time they wish to log in. However, any active Session that existed prior to this setting change will remain valid. + `OPTIONAL` – The default value. The Organization does not require MFA by default for all Members. Members will be required to complete MFA only if their `mfa_enrolled` status is set to true. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.mfa-policy` action on the `stytch.organization` Resource. - rbac_email_implicit_role_assignments: Implicit role assignments based off of email domains. - For each domain-Role pair, all Members whose email addresses have the specified email domain will be granted the - associated Role, regardless of their login method. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) - for more information about role assignment. - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.implicit-roles` action on the `stytch.organization` Resource. + For each domain-Role pair, all Members whose email addresses have the specified email domain will be granted the + associated Role, regardless of their login method. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) + for more information about role assignment. 
+ When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.implicit-roles` action on the `stytch.organization` Resource. - mfa_methods: The setting that controls which MFA methods can be used by Members of an Organization. The accepted values are: - - `ALL_ALLOWED` – the default setting which allows all authentication methods to be used. - - `RESTRICTED` – only methods that comply with `allowed_mfa_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`. - - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-mfa-methods` action on the `stytch.organization` Resource. + `ALL_ALLOWED` – the default setting which allows all authentication methods to be used. + `RESTRICTED` – only methods that comply with `allowed_mfa_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-mfa-methods` action on the `stytch.organization` Resource. - allowed_mfa_methods: An array of allowed MFA authentication methods. This list is enforced when `mfa_methods` is set to `RESTRICTED`. - The list's accepted values are: `sms_otp` and `totp`. - - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-mfa-methods` action on the `stytch.organization` Resource. + The list's accepted values are: `sms_otp` and `totp`. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-mfa-methods` action on the `stytch.organization` Resource. 
- oauth_tenant_jit_provisioning: The authentication setting that controls how a new Member can JIT provision into an organization by tenant. The accepted values are: - - `RESTRICTED` – only new Members with tenants in `allowed_oauth_tenants` can JIT provision via tenant. - - `NOT_ALLOWED` – the default setting, disables JIT provisioning by OAuth Tenant. - - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.oauth-tenant-jit-provisioning` action on the `stytch.organization` Resource. + `RESTRICTED` – only new Members with tenants in `allowed_oauth_tenants` can JIT provision via tenant. + `NOT_ALLOWED` – the default setting, disables JIT provisioning by OAuth Tenant. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.oauth-tenant-jit-provisioning` action on the `stytch.organization` Resource. - allowed_oauth_tenants: A map of allowed OAuth tenants. If this field is not passed in, the Organization will not allow JIT provisioning by OAuth Tenant. Allowed keys are "slack", "hubspot", and "github". - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-oauth-tenants` action on the `stytch.organization` Resource. - - claimed_email_domains: A list of email domains that are claimed by the Organization. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-oauth-tenants` action on the `stytch.organization` Resource. + - claimed_email_domains: An array of email domains that have been claimed by this Organization. When a domain is claimed, only this Organization can invite or JIT provision Members with email addresses on that domain. 
- first_party_connected_apps_allowed_type: The authentication setting that sets the Organization's policy towards first party Connected Apps. The accepted values are: - - `ALL_ALLOWED` – the default setting, any first party Connected App in the Project is permitted for use by Members. - - `RESTRICTED` – only first party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members. - - `NOT_ALLOWED` – no first party Connected Apps are permitted. - + `ALL_ALLOWED` – the default setting, any first party Connected App in the Project is permitted for use by Members. + `RESTRICTED` – only first party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members. + `NOT_ALLOWED` – no first party Connected Apps are permitted. - allowed_first_party_connected_apps: An array of first party Connected App IDs that are allowed for the Organization. Only used when the Organization's `first_party_connected_apps_allowed_type` is `RESTRICTED`. - third_party_connected_apps_allowed_type: The authentication setting that sets the Organization's policy towards third party Connected Apps. The accepted values are: - - `ALL_ALLOWED` – the default setting, any third party Connected App in the Project is permitted for use by Members. - - `RESTRICTED` – only third party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members. - - `NOT_ALLOWED` – no third party Connected Apps are permitted. - + `ALL_ALLOWED` – the default setting, any third party Connected App in the Project is permitted for use by Members. + `RESTRICTED` – only third party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members. + `NOT_ALLOWED` – no third party Connected Apps are permitted. - allowed_third_party_connected_apps: An array of third party Connected App IDs that are allowed for the Organization. Only used when the Organization's `third_party_connected_apps_allowed_type` is `RESTRICTED`. 
""" # noqa headers: Dict[str, str] = {} @@ -938,7 +794,7 @@ def delete( """Deletes an Organization specified by `organization_id`. All Members of the Organization will also be deleted. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. """ # noqa headers: Dict[str, str] = {} if method_options is not None: @@ -959,7 +815,7 @@ async def delete_async( """Deletes an Organization specified by `organization_id`. All Members of the Organization will also be deleted. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. """ # noqa headers: Dict[str, str] = {} if method_options is not None: 
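Review bot: In the `update_async` docstring, the `RESTRICTED` line under `third_party_connected_apps_allowed_type` still names `allowed_first_party_connected_apps`, and the commit carries that wording over unchanged onto the new `+` line. The adjacent entry says `allowed_third_party_connected_apps` is the list used when the third party type is `RESTRICTED`, so this looks like a copy-paste slip; an integrator who follows it would populate the wrong allowlist and the third party policy would not restrict what they intended. Suggested line: `RESTRICTED – only third party Connected Apps with IDs in allowed_third_party_connected_apps can be used by Members.` The same text appears in the hunk just above this one, and if these docstrings are generated, the correction belongs in the upstream API description rather than in this file.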
@@ -979,14 +835,14 @@ def search( query: Optional[Union[SearchQuery, Dict[str, Any]]] = None, ) -> SearchResponse: """ - **Warning**: This endpoint is not recommended for use in login flows. Scaling issues may occur, as search performance may vary from ~150 milliseconds to 9 seconds depending on query complexity and rate limits are set to 100 requests/minute. + **Warning**: This endpoint is not recommended for use in login flows. Scaling issues may occur, as search performance may vary depending on query complexity and the endpoint has restrictive rate limits. Search across your Organizations. Returns an array of Organization objects. Fields: - - cursor: The `cursor` field allows you to paginate through your results. Each result array is limited to 1000 results. If your query returns more than 1000 results, you will need to paginate the responses using the `cursor`. If you receive a response that includes a non-null `next_cursor` in the `results_metadata` object, repeat the search call with the `next_cursor` value set to the `cursor` field to retrieve the next page of results. Continue to make search calls until the `next_cursor` in the response is null. - - limit: The number of search results to return per page. The default limit is 100. A maximum of 1000 results can be returned by a single search request. If the total size of your result set is greater than one page size, you must paginate the response. See the `cursor` field. - - query: The optional query object contains the operator, i.e. `AND` or `OR`, and the operands that will filter your results. Only an operator is required. If you include no operands, no filtering will be applied. If you include no query object, it will return all Organizations with no filtering applied. + - cursor: The `cursor` field allows you to paginate through your results. If your query returns more than the size of the page, you will need to paginate the responses using the `cursor`. 
If you receive a response that includes a non-null `next_cursor` in the `results_metadata` object, repeat the search call with the `next_cursor` value set to the `cursor` field to retrieve the next page of results. Continue to make search calls until the `next_cursor` in the response is null. + - limit: The number of search results to return per page. If the total size of your result set is greater than one page size, you must paginate the response. See the `cursor` field. + - query: The optional query object contains the operator, i.e. `AND` or `OR`, and the operands that will filter your results. Only an operator is required. If you include no operands, no filtering will be applied. If you include no query object, it will return all results with no filtering applied. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = {} 
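Review bot: The rewritten `search` docstring no longer gives a caller any bound to code against: the `limit` entry drops its default and maximum page size, and the warning replaces the stated rate limit with "restrictive rate limits". If the figures were removed because they can change, the docstring should at least say where the current values are published, for example by adding `See the API reference for the current default and maximum page size and the rate limit.` to the `limit` entry, so callers can size pages and implement backoff deliberately instead of discovering the limits in production. `search_async` in the next hunk has the same wording.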
@@ -1008,14 +864,14 @@ async def search_async( query: Optional[SearchQuery] = None, ) -> SearchResponse: """ - **Warning**: This endpoint is not recommended for use in login flows. Scaling issues may occur, as search performance may vary from ~150 milliseconds to 9 seconds depending on query complexity and rate limits are set to 100 requests/minute. + **Warning**: This endpoint is not recommended for use in login flows. Scaling issues may occur, as search performance may vary depending on query complexity and the endpoint has restrictive rate limits. Search across your Organizations. Returns an array of Organization objects. Fields: - - cursor: The `cursor` field allows you to paginate through your results. Each result array is limited to 1000 results. If your query returns more than 1000 results, you will need to paginate the responses using the `cursor`. If you receive a response that includes a non-null `next_cursor` in the `results_metadata` object, repeat the search call with the `next_cursor` value set to the `cursor` field to retrieve the next page of results. Continue to make search calls until the `next_cursor` in the response is null. - - limit: The number of search results to return per page. The default limit is 100. A maximum of 1000 results can be returned by a single search request. If the total size of your result set is greater than one page size, you must paginate the response. See the `cursor` field. - - query: The optional query object contains the operator, i.e. `AND` or `OR`, and the operands that will filter your results. Only an operator is required. If you include no operands, no filtering will be applied. If you include no query object, it will return all Organizations with no filtering applied. + - cursor: The `cursor` field allows you to paginate through your results. If your query returns more than the size of the page, you will need to paginate the responses using the `cursor`. 
If you receive a response that includes a non-null `next_cursor` in the `results_metadata` object, repeat the search call with the `next_cursor` value set to the `cursor` field to retrieve the next page of results. Continue to make search calls until the `next_cursor` in the response is null. + - limit: The number of search results to return per page. If the total size of your result set is greater than one page size, you must paginate the response. See the `cursor` field. + - query: The optional query object contains the operator, i.e. `AND` or `OR`, and the operands that will filter your results. Only an operator is required. If you include no operands, no filtering will be applied. If you include no query object, it will return all results with no filtering applied. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = {} @@ -1034,6 +890,11 @@ def metrics( self, organization_id: str, ) -> MetricsResponse: + """Retrieve metrics about an Organization. + + Fields: + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { "organization_id": organization_id, @@ -1049,6 +910,11 @@ async def metrics_async( self, organization_id: str, ) -> MetricsResponse: + """Retrieve metrics about an Organization. + + Fields: + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { "organization_id": organization_id, 
@@ -1072,7 +938,7 @@ def connected_apps( or `third_party_connected_apps_allowed_type` policies. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. """ # noqa headers: Dict[str, str] = {} if method_options is not None: @@ -1099,7 +965,7 @@ async def connected_apps_async( or `third_party_connected_apps_allowed_type` policies. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. """ # noqa headers: Dict[str, str] = {} if method_options is not None: @@ -1125,7 +991,7 @@ def get_connected_app( authorization with the App. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. - connected_app_id: The ID of the Connected App. """ # noqa headers: Dict[str, str] = {} 
@@ -1154,7 +1020,7 @@ async def get_connected_app_async( authorization with the App. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. - connected_app_id: The ID of the Connected App. """ # noqa headers: Dict[str, str] = {} diff --git a/stytch/b2b/api/organizations_members.py b/stytch/b2b/api/organizations_members.py index 779cb3a9..25716ae4 100644 --- a/stytch/b2b/api/organizations_members.py +++ b/stytch/b2b/api/organizations_members.py 
@@ -82,49 +82,26 @@ def update( """Updates a Member specified by `organization_id` and `member_id`. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. - name: The name of the Member. - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.info.name` action on the `stytch.member` Resource. Alternatively, if the Member Session matches the Member associated with the `member_id` passed in the request, the authorization check will also allow a Member Session that has permission to perform the `update.info.name` action on the `stytch.self` Resource. - trusted_metadata: An arbitrary JSON object for storing application-specific data or identity-provider-specific data. - If a session header is passed into the request, this field may **not** be passed into the request. You cannot - update trusted metadata when acting as a Member. - - untrusted_metadata: An arbitrary JSON object of application-specific data. These fields can be edited directly by the - frontend SDK, and should not be used to store critical information. 
See the [Metadata resource](https://stytch.com/docs/b2b/api/metadata) - for complete field behavior details. - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.info.untrusted-metadata` action on the `stytch.member` Resource. Alternatively, if the Member Session matches the Member associated with the `member_id` passed in the request, the authorization check will also allow a Member Session that has permission to perform the `update.info.untrusted-metadata` action on the `stytch.self` Resource. + - untrusted_metadata: An arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. - is_breakglass: Identifies the Member as a break glass user - someone who has permissions to authenticate into an Organization by bypassing the Organization's settings. A break glass account is typically used for emergency purposes to gain access outside of normal authentication procedures. Refer to the [Organization object](https://stytch.com/docs/b2b/api/organization-object) and its `auth_methods` and `allowed_auth_methods` fields for more details. - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.is-breakglass` action on the `stytch.member` Resource. - mfa_phone_number: Sets the Member's phone number. Throws an error if the Member already has a phone number. To change the Member's phone number, use the [Delete member phone number endpoint](https://stytch.com/docs/b2b/api/delete-member-mfa-phone-number) to delete the Member's existing phone number first. 
+ When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.info.mfa-phone` action on the `stytch.member` Resource. Alternatively, if the Member Session matches the Member associated with the `member_id` passed in the request, the authorization check will also allow a Member Session that has permission to perform the `update.info.mfa-phone` action on the `stytch.self` Resource. - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.info.mfa-phone` action on the `stytch.member` Resource. Alternatively, if the Member Session matches the Member associated with the `member_id` passed in the request, the authorization check will also allow a Member Session that has permission to perform the `update.info.mfa-phone` action on the `stytch.self` Resource. - mfa_enrolled: Sets whether the Member is enrolled in MFA. If true, the Member must complete an MFA step whenever they wish to log in to their Organization. If false, the Member only needs to complete an MFA step if the Organization's MFA policy is set to `REQUIRED_FOR_ALL`. - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.mfa-enrolled` action on the `stytch.member` Resource. Alternatively, if the Member Session matches the Member associated with the `member_id` passed in the request, the authorization check will also allow a Member Session that has permission to perform the `update.settings.mfa-enrolled` action on the `stytch.self` Resource. - roles: Roles to explicitly assign to this Member. - Will completely replace any existing explicitly assigned roles. See the - [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role assignment. 
- - If a Role is removed from a Member, and the Member is also implicitly assigned this Role from an SSO connection - or an SSO group, we will by default revoke any existing sessions for the Member that contain any SSO - authentication factors with the affected connection ID. You can preserve these sessions by passing in the - `preserve_existing_sessions` parameter with a value of `true`. - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.roles` action on the `stytch.member` Resource. - preserve_existing_sessions: Whether to preserve existing sessions when explicit Roles that are revoked are also implicitly assigned - by SSO connection or SSO group. Defaults to `false` - that is, existing Member Sessions that contain SSO - authentication factors with the affected SSO connection IDs will be revoked. + by SSO connection or SSO group. Defaults to `false` - that is, existing Member Sessions that contain SSO + authentication factors with the affected SSO connection IDs will be revoked. - default_mfa_method: The Member's default MFA method. This value is used to determine which secondary MFA method to use in the case of multiple methods registered for a Member. The current possible values are `sms_otp` and `totp`. - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.default-mfa-method` action on the `stytch.member` Resource. Alternatively, if the Member Session matches the Member associated with the `member_id` passed in the request, the authorization check will also allow a Member Session that has permission to perform the `update.settings.default-mfa-method` action on the `stytch.self` Resource. 
+ When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.default-mfa-method` action on the `stytch.member` Resource. Alternatively, if the Member Session matches the Member associated with the `member_id` passed in the request, the authorization check will also allow a Member Session that has permission to perform the `update.settings.default-mfa-method` action on the `stytch.self` Resource. - email_address: Updates the Member's `email_address`, if provided. This will clear any existing passwords and require re-verification of the new email address. - If a Member's email address is changed, other Members in the same Organization cannot use the old email address, although the Member may update back to their old email address. - A Member's email address can only be useable again by other Members if the Member is deleted. - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.info.email` action on the `stytch.member` Resource. Members cannot update their own email address. + If a Member's email address is changed, other Members in the same Organization cannot use the old email address, although the Member may update back to their old email address. + A Member's email address can only be useable again by other Members if the Member is deleted. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.info.email` action on the `stytch.member` Resource. Members cannot update their own email address. - external_id: An identifier that can be used in most API calls where a `member_id` is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. 
External IDs must be unique within an organization, but may be reused across different organizations in the same project. - unlink_email: If `unlink_email` is `true` and an `email_address` is provided, the Member's previous email will be deleted instead of retired. Defaults to `false`. """ # noqa 
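Review bot: The new `update` docstring keeps the RBAC sentence for `mfa_phone_number`, `default_mfa_method` and `email_address` but drops it for `name`, `untrusted_metadata`, `is_breakglass`, `mfa_enrolled` and `roles`, so a reader can no longer tell from the docstring which permission a Member Session needs to change break-glass status, MFA enrollment or role assignment. The `trusted_metadata` entry also loses the statement that the field may not be passed when a session header is present, and `roles` loses both "Will completely replace any existing explicitly assigned roles" and the description of when SSO-factor sessions are revoked, which is what the retained `preserve_existing_sessions` entry refers to. Unless the removal is a deliberate upstream docs decision, I would restore those sentences in the same `When setting this field, if a session header is passed into the request, ...` form used for the retained fields, for example naming `update.settings.is-breakglass` on `stytch.member` under `is_breakglass`. The `update_async` hunk that follows has the same gaps. The function body lies outside the hunk, so whether enforcement itself changed cannot be judged from here.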
@@ -187,49 +164,26 @@ async def update_async( """Updates a Member specified by `organization_id` and `member_id`. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. - name: The name of the Member. - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.info.name` action on the `stytch.member` Resource. Alternatively, if the Member Session matches the Member associated with the `member_id` passed in the request, the authorization check will also allow a Member Session that has permission to perform the `update.info.name` action on the `stytch.self` Resource. - trusted_metadata: An arbitrary JSON object for storing application-specific data or identity-provider-specific data. - If a session header is passed into the request, this field may **not** be passed into the request. You cannot - update trusted metadata when acting as a Member. - - untrusted_metadata: An arbitrary JSON object of application-specific data. These fields can be edited directly by the - frontend SDK, and should not be used to store critical information. 
See the [Metadata resource](https://stytch.com/docs/b2b/api/metadata) - for complete field behavior details. - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.info.untrusted-metadata` action on the `stytch.member` Resource. Alternatively, if the Member Session matches the Member associated with the `member_id` passed in the request, the authorization check will also allow a Member Session that has permission to perform the `update.info.untrusted-metadata` action on the `stytch.self` Resource. + - untrusted_metadata: An arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. - is_breakglass: Identifies the Member as a break glass user - someone who has permissions to authenticate into an Organization by bypassing the Organization's settings. A break glass account is typically used for emergency purposes to gain access outside of normal authentication procedures. Refer to the [Organization object](https://stytch.com/docs/b2b/api/organization-object) and its `auth_methods` and `allowed_auth_methods` fields for more details. - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.is-breakglass` action on the `stytch.member` Resource. - mfa_phone_number: Sets the Member's phone number. Throws an error if the Member already has a phone number. To change the Member's phone number, use the [Delete member phone number endpoint](https://stytch.com/docs/b2b/api/delete-member-mfa-phone-number) to delete the Member's existing phone number first. 
+ When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.info.mfa-phone` action on the `stytch.member` Resource. Alternatively, if the Member Session matches the Member associated with the `member_id` passed in the request, the authorization check will also allow a Member Session that has permission to perform the `update.info.mfa-phone` action on the `stytch.self` Resource. - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.info.mfa-phone` action on the `stytch.member` Resource. Alternatively, if the Member Session matches the Member associated with the `member_id` passed in the request, the authorization check will also allow a Member Session that has permission to perform the `update.info.mfa-phone` action on the `stytch.self` Resource. - mfa_enrolled: Sets whether the Member is enrolled in MFA. If true, the Member must complete an MFA step whenever they wish to log in to their Organization. If false, the Member only needs to complete an MFA step if the Organization's MFA policy is set to `REQUIRED_FOR_ALL`. - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.mfa-enrolled` action on the `stytch.member` Resource. Alternatively, if the Member Session matches the Member associated with the `member_id` passed in the request, the authorization check will also allow a Member Session that has permission to perform the `update.settings.mfa-enrolled` action on the `stytch.self` Resource. - roles: Roles to explicitly assign to this Member. - Will completely replace any existing explicitly assigned roles. See the - [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role assignment. 
- - If a Role is removed from a Member, and the Member is also implicitly assigned this Role from an SSO connection - or an SSO group, we will by default revoke any existing sessions for the Member that contain any SSO - authentication factors with the affected connection ID. You can preserve these sessions by passing in the - `preserve_existing_sessions` parameter with a value of `true`. - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.roles` action on the `stytch.member` Resource. - preserve_existing_sessions: Whether to preserve existing sessions when explicit Roles that are revoked are also implicitly assigned - by SSO connection or SSO group. Defaults to `false` - that is, existing Member Sessions that contain SSO - authentication factors with the affected SSO connection IDs will be revoked. + by SSO connection or SSO group. Defaults to `false` - that is, existing Member Sessions that contain SSO + authentication factors with the affected SSO connection IDs will be revoked. - default_mfa_method: The Member's default MFA method. This value is used to determine which secondary MFA method to use in the case of multiple methods registered for a Member. The current possible values are `sms_otp` and `totp`. - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.default-mfa-method` action on the `stytch.member` Resource. Alternatively, if the Member Session matches the Member associated with the `member_id` passed in the request, the authorization check will also allow a Member Session that has permission to perform the `update.settings.default-mfa-method` action on the `stytch.self` Resource. 
+ When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.default-mfa-method` action on the `stytch.member` Resource. Alternatively, if the Member Session matches the Member associated with the `member_id` passed in the request, the authorization check will also allow a Member Session that has permission to perform the `update.settings.default-mfa-method` action on the `stytch.self` Resource. - email_address: Updates the Member's `email_address`, if provided. This will clear any existing passwords and require re-verification of the new email address. - If a Member's email address is changed, other Members in the same Organization cannot use the old email address, although the Member may update back to their old email address. - A Member's email address can only be useable again by other Members if the Member is deleted. - - If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.info.email` action on the `stytch.member` Resource. Members cannot update their own email address. + If a Member's email address is changed, other Members in the same Organization cannot use the old email address, although the Member may update back to their old email address. + A Member's email address can only be useable again by other Members if the Member is deleted. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.info.email` action on the `stytch.member` Resource. Members cannot update their own email address. - external_id: An identifier that can be used in most API calls where a `member_id` is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. 
External IDs must be unique within an organization, but may be reused across different organizations in the same project. - unlink_email: If `unlink_email` is `true` and an `email_address` is provided, the Member's previous email will be deleted instead of retired. Defaults to `false`. """ # noqa @@ -280,8 +234,8 @@ def delete( """Deletes a Member specified by `organization_id` and `member_id`. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. """ # noqa headers: Dict[str, str] = {} if method_options is not None: 
@@ -306,8 +260,8 @@ async def delete_async(
 """Deletes a Member specified by `organization_id` and `member_id`.

 Fields:
- - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
- - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.
+ - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience.
+ - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member.
 """ # noqa
 headers: Dict[str, str] = {}
 if method_options is not None:
@@ -334,8 +288,8 @@ def reactivate(
 Note that this endpoint does not accept an `external_id`. The Stytch `member_id` must be provided.

 Fields:
- - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
- - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value.
+ - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience.
+ - member_id: Globally unique UUID that identifies a specific Member.
 """ # noqa
 headers: Dict[str, str] = {}
 if method_options is not None:
@@ -363,8 +317,8 @@ async def reactivate_async(
 Note that this endpoint does not accept an `external_id`. The Stytch `member_id` must be provided.

 Fields:
- - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
- - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value.
+ - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience.
+ - member_id: Globally unique UUID that identifies a specific Member.
 """ # noqa
 headers: Dict[str, str] = {}
 if method_options is not None:
@@ -396,8 +350,8 @@ def delete_mfa_phone_number(
 and calling the [OTP SMS send](https://stytch.com/docs/b2b/api/otp-sms-send) endpoint, then calling the [OTP SMS Authenticate](https://stytch.com/docs/b2b/api/authenticate-otp-sms) endpoint.

 Fields:
- - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
- - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.
+ - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience.
+ - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member.
 """ # noqa
 headers: Dict[str, str] = {}
 if method_options is not None:
@@ -431,8 +385,8 @@ async def delete_mfa_phone_number_async(
 and calling the [OTP SMS send](https://stytch.com/docs/b2b/api/otp-sms-send) endpoint, then calling the [OTP SMS Authenticate](https://stytch.com/docs/b2b/api/authenticate-otp-sms) endpoint.

 Fields:
- - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
- - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.
+ - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience.
+ - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member.
 """ # noqa
 headers: Dict[str, str] = {}
 if method_options is not None:
@@ -462,8 +416,8 @@ def delete_totp(
 Existing Member Sessions that include the TOTP authentication factor will not be revoked if the registration is deleted, and MFA will not be enforced until the Member logs in again.

 Fields:
- - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
- - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.
+ - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience.
+ - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member.
 """ # noqa
 headers: Dict[str, str] = {}
 if method_options is not None:
@@ -492,8 +446,8 @@ async def delete_totp_async( Existing Member Sessions that include the TOTP authentication factor will not be revoked if the registration is deleted, and MFA will not be enforced until the Member logs in again. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. """ # noqa headers: Dict[str, str] = {} if method_options is not None: @@ -518,7 +472,7 @@ def search( method_options: Optional[SearchRequestOptions] = None, ) -> SearchResponse: """ - **Warning**: This endpoint is not recommended for use in login flows. Scaling issues may occur, as search performance may vary from ~150 milliseconds to 9 seconds depending on query complexity and rate limits are set to 100 requests/minute. + **Warning**: This endpoint is not recommended for use in login flows. Scaling issues may occur, as search performance may vary depending on query complexity and the endpoint has restrictive rate limits. Search for Members within specified Organizations. An array with at least one `organization_id` is required. Submitting an empty `query` returns all non-deleted Members within the specified Organizations. 
@@ -526,9 +480,9 @@ def search( Fields: - organization_ids: An array of organization_ids. At least one value is required. - - cursor: The `cursor` field allows you to paginate through your results. Each result array is limited to 1000 results. If your query returns more than 1000 results, you will need to paginate the responses using the `cursor`. If you receive a response that includes a non-null `next_cursor` in the `results_metadata` object, repeat the search call with the `next_cursor` value set to the `cursor` field to retrieve the next page of results. Continue to make search calls until the `next_cursor` in the response is null. - - limit: The number of search results to return per page. The default limit is 100. A maximum of 1000 results can be returned by a single search request. If the total size of your result set is greater than one page size, you must paginate the response. See the `cursor` field. - - query: The optional query object contains the operator, i.e. `AND` or `OR`, and the operands that will filter your results. Only an operator is required. If you include no operands, no filtering will be applied. If you include no query object, it will return all Members with no filtering applied. + - cursor: The `cursor` field allows you to paginate through your results. If your query returns more than the size of the page, you will need to paginate the responses using the `cursor`. If you receive a response that includes a non-null `next_cursor` in the `results_metadata` object, repeat the search call with the `next_cursor` value set to the `cursor` field to retrieve the next page of results. Continue to make search calls until the `next_cursor` in the response is null. + - limit: The number of search results to return per page. If the total size of your result set is greater than one page size, you must paginate the response. See the `cursor` field. + - query: The optional query object contains the operator, i.e. 
`AND` or `OR`, and the operands that will filter your results. Only an operator is required. If you include no operands, no filtering will be applied. If you include no query object, it will return all results with no filtering applied. """ # noqa headers: Dict[str, str] = {} if method_options is not None: @@ -556,7 +510,7 @@ async def search_async( method_options: Optional[SearchRequestOptions] = None, ) -> SearchResponse: """ - **Warning**: This endpoint is not recommended for use in login flows. Scaling issues may occur, as search performance may vary from ~150 milliseconds to 9 seconds depending on query complexity and rate limits are set to 100 requests/minute. + **Warning**: This endpoint is not recommended for use in login flows. Scaling issues may occur, as search performance may vary depending on query complexity and the endpoint has restrictive rate limits. Search for Members within specified Organizations. An array with at least one `organization_id` is required. Submitting an empty `query` returns all non-deleted Members within the specified Organizations. 
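Review bot: The `limit` and `cursor` entries of `search` no longer state the default page size (100) or the 1000-result ceiling, and the warning in the preceding hunk replaces "100 requests/minute" with "restrictive rate limits", so the docstring leaves a caller with no figure to size pagination loops or back-off against. If the numbers were dropped because they can vary, a pointer to where the current values are published would keep the entry actionable, for example appending `See the API reference for the current default and maximum page size.` to the `limit` entry. The same wording is changed in `search_async`.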
@@ -564,9 +518,9 @@ async def search_async( Fields: - organization_ids: An array of organization_ids. At least one value is required. - - cursor: The `cursor` field allows you to paginate through your results. Each result array is limited to 1000 results. If your query returns more than 1000 results, you will need to paginate the responses using the `cursor`. If you receive a response that includes a non-null `next_cursor` in the `results_metadata` object, repeat the search call with the `next_cursor` value set to the `cursor` field to retrieve the next page of results. Continue to make search calls until the `next_cursor` in the response is null. - - limit: The number of search results to return per page. The default limit is 100. A maximum of 1000 results can be returned by a single search request. If the total size of your result set is greater than one page size, you must paginate the response. See the `cursor` field. - - query: The optional query object contains the operator, i.e. `AND` or `OR`, and the operands that will filter your results. Only an operator is required. If you include no operands, no filtering will be applied. If you include no query object, it will return all Members with no filtering applied. + - cursor: The `cursor` field allows you to paginate through your results. If your query returns more than the size of the page, you will need to paginate the responses using the `cursor`. If you receive a response that includes a non-null `next_cursor` in the `results_metadata` object, repeat the search call with the `next_cursor` value set to the `cursor` field to retrieve the next page of results. Continue to make search calls until the `next_cursor` in the response is null. + - limit: The number of search results to return per page. If the total size of your result set is greater than one page size, you must paginate the response. See the `cursor` field. + - query: The optional query object contains the operator, i.e. 
`AND` or `OR`, and the operands that will filter your results. Only an operator is required. If you include no operands, no filtering will be applied. If you include no query object, it will return all results with no filtering applied. """ # noqa headers: Dict[str, str] = {} if method_options is not None: @@ -596,8 +550,8 @@ def delete_password( This endpoint only works for Organization-scoped passwords. For cross-org password Projects, use [Require Password Reset By Email](https://stytch.com/docs/b2b/api/passwords-require-reset-by-email) instead. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_password_id: Globally unique UUID that identifies a Member's password. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_password_id: The unique identifier for a Member's password. Each Member can have only one password at a time. """ # noqa headers: Dict[str, str] = {} if method_options is not None: 
@@ -625,8 +579,8 @@ async def delete_password_async( This endpoint only works for Organization-scoped passwords. For cross-org password Projects, use [Require Password Reset By Email](https://stytch.com/docs/b2b/api/passwords-require-reset-by-email) instead. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_password_id: Globally unique UUID that identifies a Member's password. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_password_id: The unique identifier for a Member's password. Each Member can have only one password at a time. """ # noqa headers: Dict[str, str] = {} if method_options is not None: 
@@ -651,8 +605,8 @@ def dangerously_get( """Get a Member by `member_id`. This endpoint does not require an `organization_id`, enabling you to get members across organizations. This is a dangerous operation. Incorrect use may open you up to indirect object reference (IDOR) attacks. We recommend using the [Get Member](https://stytch.com/docs/b2b/api/get-member) API instead. Fields: - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. - - include_deleted: Whether to include deleted Members in the response. Defaults to false. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - include_deleted: If set to `true`, the response will include deleted Members. If set to `false` or not provided, only active Members will be returned. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
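Review bot: The new `member_id` text in `dangerously_get` says an `external_id` may be used in place of the `member_id`, but this call takes no `organization_id`, and the `external_id` description under `create` in this same diff says external IDs are unique only within an organization and may be reused across organizations. On an endpoint whose docstring already warns about IDOR, that leaves it unclear which Member an `external_id` would resolve to; the page does not show whether the endpoint accepts one at all. I would keep the shared boilerplate sentence off this method, `- member_id: Globally unique UUID that identifies a specific Member.`, or state explicitly how an `external_id` is resolved when no organization is given. `dangerously_get_async` in the next hunk has the same text, and both function bodies continue outside their hunks.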
@@ -675,8 +629,8 @@ async def dangerously_get_async( """Get a Member by `member_id`. This endpoint does not require an `organization_id`, enabling you to get members across organizations. This is a dangerous operation. Incorrect use may open you up to indirect object reference (IDOR) attacks. We recommend using the [Get Member](https://stytch.com/docs/b2b/api/get-member) API instead. Fields: - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. - - include_deleted: Whether to include deleted Members in the response. Defaults to false. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - include_deleted: If set to `true`, the response will include deleted Members. If set to `false` or not provided, only active Members will be returned. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -702,8 +656,8 @@ def oidc_providers( access token automatically. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. - include_refresh_token: Whether to return the refresh token Stytch has stored for the OAuth Provider. Defaults to false. **Important:** If your application exchanges the refresh token, Stytch may not be able to automatically refresh access tokens in the future. """ # noqa headers: Dict[str, str] = {} 
@@ -732,8 +686,8 @@ async def oidc_providers_async( access token automatically. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. - include_refresh_token: Whether to return the refresh token Stytch has stored for the OAuth Provider. Defaults to false. **Important:** If your application exchanges the refresh token, Stytch may not be able to automatically refresh access tokens in the future. """ # noqa headers: Dict[str, str] = {} 
@@ -774,9 +728,9 @@ def unlink_retired_email( on the [Member object](https://stytch.com/docs/b2b/api/member-object). Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. - - email_id: The globally unique UUID of a Member's email. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - email_id: The unique ID of a specific email address. - email_address: The email address of the Member. """ # noqa headers: Dict[str, str] = {} 
@@ -821,9 +775,9 @@ async def unlink_retired_email_async( on the [Member object](https://stytch.com/docs/b2b/api/member-object). Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. - - email_id: The globally unique UUID of a Member's email. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - email_id: The unique ID of a specific email address. - email_address: The email address of the Member. """ # noqa headers: Dict[str, str] = {} 
@@ -874,20 +828,14 @@ def start_email_update( If using Email OTP Codes, you should invoke the [Authenticate Email OTP Code](https://stytch.com/docs/b2b/api/authenticate-email-otp) endpoint as normal to complete the flow. Make sure to pass the new email address to the endpoint. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. - - email_address: The new email address for the Member. - - login_redirect_url: The URL that the Member clicks from the login Email Magic Link. This URL should be an endpoint in the backend server that - verifies the request by querying Stytch's authenticate endpoint and finishes the login. If this value is not passed, the default login - redirect URL that you set in your Dashboard is used. If you have not set a default login redirect URL, an error is returned. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - email_address: The email address of the Member. + - login_redirect_url: The URL that Members are redirected to upon clicking the Email Magic Link. If this value is not passed, the default login redirect URL that you set in your Dashboard is used. If you have not set a default login redirect URL, an error is returned. 
- locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - - login_template_id: Use a custom template for login emails. By default, it will use your default email template. The template must be from Stytch's - built-in customizations or a custom HTML email for Magic Links - Login. + - login_template_id: Use a custom template for login emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Magic Links - Login. - delivery_method: The method that should be used to verify a member's new email address. The options are `EMAIL_MAGIC_LINK` or `EMAIL_OTP`. This field is optional, if no value is provided, `EMAIL_MAGIC_LINK` will be used. """ # noqa headers: Dict[str, str] = {} 
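Review bot: The new `login_redirect_url` entry in `start_email_update` drops the instruction that the URL should be a backend endpoint that verifies the request by querying Stytch's authenticate endpoint before finishing the login. That sentence was the only place in this docstring telling integrators that the redirect target must authenticate the token rather than treat the redirect itself as proof, so I would keep it: `This URL should be an endpoint in your backend that verifies the request by querying Stytch's authenticate endpoint and finishes the login.` In the same hunk `email_address` changes from "The new email address for the Member" to "The email address of the Member", which no longer says whether the current or the new address is expected in an email-update call. `start_email_update_async` in the next hunk carries the same two changes.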
@@ -941,20 +889,14 @@ async def start_email_update_async( If using Email OTP Codes, you should invoke the [Authenticate Email OTP Code](https://stytch.com/docs/b2b/api/authenticate-email-otp) endpoint as normal to complete the flow. Make sure to pass the new email address to the endpoint. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. - - email_address: The new email address for the Member. - - login_redirect_url: The URL that the Member clicks from the login Email Magic Link. This URL should be an endpoint in the backend server that - verifies the request by querying Stytch's authenticate endpoint and finishes the login. If this value is not passed, the default login - redirect URL that you set in your Dashboard is used. If you have not set a default login redirect URL, an error is returned. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - email_address: The email address of the Member. + - login_redirect_url: The URL that Members are redirected to upon clicking the Email Magic Link. If this value is not passed, the default login redirect URL that you set in your Dashboard is used. If you have not set a default login redirect URL, an error is returned. 
- locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - - login_template_id: Use a custom template for login emails. By default, it will use your default email template. The template must be from Stytch's - built-in customizations or a custom HTML email for Magic Links - Login. + - login_template_id: Use a custom template for login emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Magic Links - Login. - delivery_method: The method that should be used to verify a member's new email address. The options are `EMAIL_MAGIC_LINK` or `EMAIL_OTP`. This field is optional, if no value is provided, `EMAIL_MAGIC_LINK` will be used. """ # noqa headers: Dict[str, str] = {} 
@@ -994,8 +936,8 @@ def get_connected_apps( App policy changes. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. """ # noqa headers: Dict[str, str] = {} if method_options is not None: 
@@ -1025,8 +967,8 @@ async def get_connected_apps_async( App policy changes. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. """ # noqa headers: Dict[str, str] = {} if method_options is not None: 
@@ -1061,19 +1003,16 @@ def create( """Creates a Member. An `organization_id` and `email_address` are required. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. - email_address: The email address of the Member. - name: The name of the Member. - trusted_metadata: An arbitrary JSON object for storing application-specific data or identity-provider-specific data. - - untrusted_metadata: An arbitrary JSON object of application-specific data. These fields can be edited directly by the - frontend SDK, and should not be used to store critical information. See the [Metadata resource](https://stytch.com/docs/b2b/api/metadata) - for complete field behavior details. + - untrusted_metadata: An arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. - create_member_as_pending: Flag for whether or not to save a Member as `pending` or `active` in Stytch. It defaults to false. If true, new Members will be created with status `pending` in Stytch's backend. Their status will remain `pending` and they will continue to receive signup email templates for every Email Magic Link until that Member authenticates and becomes `active`. If false, new Members will be created with status `active`. 
- is_breakglass: Identifies the Member as a break glass user - someone who has permissions to authenticate into an Organization by bypassing the Organization's settings. A break glass account is typically used for emergency purposes to gain access outside of normal authentication procedures. Refer to the [Organization object](https://stytch.com/docs/b2b/api/organization-object) and its `auth_methods` and `allowed_auth_methods` fields for more details. - mfa_phone_number: The Member's phone number. A Member may only have one phone number. The phone number should be in E.164 format (i.e. +1XXXXXXXXXX). - mfa_enrolled: Sets whether the Member is enrolled in MFA. If true, the Member must complete an MFA step whenever they wish to log in to their Organization. If false, the Member only needs to complete an MFA step if the Organization's MFA policy is set to `REQUIRED_FOR_ALL`. - - roles: Roles to explicitly assign to this Member. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) - for more information about role assignment. + - roles: Roles to explicitly assign to this Member. - external_id: An identifier that can be used in most API calls where a `member_id` is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. External IDs must be unique within an organization, but may be reused across different organizations in the same project. """ # noqa headers: Dict[str, str] = {} 
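Review bot: The `untrusted_metadata` entry in `create` now links to `https://stytch.com/docs/api/metadata`, whereas the removed line and the other Stytch links visible in this diff use the `/docs/b2b/` path; this looks like it points at the non-B2B reference and is worth confirming. The wording also moves from "should not be used" to "cannot be used to store critical information", which reads as an enforced restriction; since the field is editable by end users, something like `must not be relied on for authorization or other critical decisions` states the risk more directly. The `roles` entry loses its link to the RBAC role-assignment guide without a replacement. `create_async` in the next hunk has the same changes.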
@@ -1126,19 +1065,16 @@ async def create_async( """Creates a Member. An `organization_id` and `email_address` are required. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. - email_address: The email address of the Member. - name: The name of the Member. - trusted_metadata: An arbitrary JSON object for storing application-specific data or identity-provider-specific data. - - untrusted_metadata: An arbitrary JSON object of application-specific data. These fields can be edited directly by the - frontend SDK, and should not be used to store critical information. See the [Metadata resource](https://stytch.com/docs/b2b/api/metadata) - for complete field behavior details. + - untrusted_metadata: An arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. - create_member_as_pending: Flag for whether or not to save a Member as `pending` or `active` in Stytch. It defaults to false. If true, new Members will be created with status `pending` in Stytch's backend. Their status will remain `pending` and they will continue to receive signup email templates for every Email Magic Link until that Member authenticates and becomes `active`. If false, new Members will be created with status `active`. 
- is_breakglass: Identifies the Member as a break glass user - someone who has permissions to authenticate into an Organization by bypassing the Organization's settings. A break glass account is typically used for emergency purposes to gain access outside of normal authentication procedures. Refer to the [Organization object](https://stytch.com/docs/b2b/api/organization-object) and its `auth_methods` and `allowed_auth_methods` fields for more details. - mfa_phone_number: The Member's phone number. A Member may only have one phone number. The phone number should be in E.164 format (i.e. +1XXXXXXXXXX). - mfa_enrolled: Sets whether the Member is enrolled in MFA. If true, the Member must complete an MFA step whenever they wish to log in to their Organization. If false, the Member only needs to complete an MFA step if the Organization's MFA policy is set to `REQUIRED_FOR_ALL`. - - roles: Roles to explicitly assign to this Member. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) - for more information about role assignment. + - roles: Roles to explicitly assign to this Member. - external_id: An identifier that can be used in most API calls where a `member_id` is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. External IDs must be unique within an organization, but may be reused across different organizations in the same project. """ # noqa headers: Dict[str, str] = {} 
@@ -1182,8 +1118,8 @@ def get( """Get a Member by `member_id` or `email_address`. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. - email_address: The email address of the Member. """ # noqa headers: Dict[str, str] = {} 
@@ -1210,8 +1146,8 @@ async def get_async( """Get a Member by `member_id` or `email_address`. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. - email_address: The email address of the Member. """ # noqa headers: Dict[str, str] = {} diff --git a/stytch/b2b/api/organizations_members_connected_apps.py b/stytch/b2b/api/organizations_members_connected_apps.py index 2d0ad68b..ecee6ede 100644 --- a/stytch/b2b/api/organizations_members_connected_apps.py +++ b/stytch/b2b/api/organizations_members_connected_apps.py 
@@ -36,8 +36,8 @@ def revoke( Connected App. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. - connected_app_id: The ID of the Connected App. """ # noqa headers: Dict[str, str] = {} 
@@ -68,8 +68,8 @@ async def revoke_async( Connected App. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. - connected_app_id: The ID of the Connected App. """ # noqa headers: Dict[str, str] = {} diff --git a/stytch/b2b/api/organizations_members_oauth_providers.py b/stytch/b2b/api/organizations_members_oauth_providers.py index ae37b3bc..f2c6b47d 100644 --- a/stytch/b2b/api/organizations_members_oauth_providers.py +++ b/stytch/b2b/api/organizations_members_oauth_providers.py 
@@ -44,8 +44,8 @@ def google( [Start Google OAuth flow](https://stytch.com/docs/b2b/api/oauth-google-start) endpoint. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. - include_refresh_token: Whether to return the refresh token Stytch has stored for the OAuth Provider. Defaults to false. **Important:** If your application exchanges the refresh token, Stytch may not be able to automatically refresh access tokens in the future. """ # noqa headers: Dict[str, str] = {} 
@@ -80,8 +80,8 @@ async def google_async( [Start Google OAuth flow](https://stytch.com/docs/b2b/api/oauth-google-start) endpoint. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. - include_refresh_token: Whether to return the refresh token Stytch has stored for the OAuth Provider. Defaults to false. **Important:** If your application exchanges the refresh token, Stytch may not be able to automatically refresh access tokens in the future. """ # noqa headers: Dict[str, str] = {} 
@@ -110,8 +110,8 @@ def microsoft( access token automatically. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. - include_refresh_token: Whether to return the refresh token Stytch has stored for the OAuth Provider. Defaults to false. **Important:** If your application exchanges the refresh token, Stytch may not be able to automatically refresh access tokens in the future. """ # noqa headers: Dict[str, str] = {} 
@@ -140,8 +140,8 @@ async def microsoft_async( access token automatically. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. - include_refresh_token: Whether to return the refresh token Stytch has stored for the OAuth Provider. Defaults to false. **Important:** If your application exchanges the refresh token, Stytch may not be able to automatically refresh access tokens in the future. """ # noqa headers: Dict[str, str] = {} 
@@ -168,8 +168,8 @@ def slack( issued access token and ID token from the identity provider. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -193,8 +193,8 @@ async def slack_async( issued access token and ID token from the identity provider. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -220,8 +220,8 @@ def hubspot( access token automatically. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. - include_refresh_token: Whether to return the refresh token Stytch has stored for the OAuth Provider. Defaults to false. **Important:** If your application exchanges the refresh token, Stytch may not be able to automatically refresh access tokens in the future. """ # noqa headers: Dict[str, str] = {} 
@@ -250,8 +250,8 @@ async def hubspot_async( access token automatically. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. - include_refresh_token: Whether to return the refresh token Stytch has stored for the OAuth Provider. Defaults to false. **Important:** If your application exchanges the refresh token, Stytch may not be able to automatically refresh access tokens in the future. """ # noqa headers: Dict[str, str] = {} 
@@ -280,8 +280,8 @@ def github( tokens after very long periods of inactivity. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. - include_refresh_token: Whether to return the refresh token Stytch has stored for the OAuth Provider. Defaults to false. **Important:** If your application exchanges the refresh token, Stytch may not be able to automatically refresh access tokens in the future. """ # noqa headers: Dict[str, str] = {} 
@@ -310,8 +310,8 @@ async def github_async( tokens after very long periods of inactivity. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. - include_refresh_token: Whether to return the refresh token Stytch has stored for the OAuth Provider. Defaults to false. **Important:** If your application exchanges the refresh token, Stytch may not be able to automatically refresh access tokens in the future. """ # noqa headers: Dict[str, str] = {} diff --git a/stytch/b2b/api/otp_email.py b/stytch/b2b/api/otp_email.py index 719b29ab..48c05ffd 100644 --- a/stytch/b2b/api/otp_email.py +++ b/stytch/b2b/api/otp_email.py 
@@ -47,16 +47,13 @@ def login_or_signup( The OTP is valid for 10 minutes. Only the most recently sent OTP is valid: when an OTP is sent, all OTPs previously sent to the same email address are invalidated, even if unused or unexpired. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. - email_address: The email address of the Member. - login_template_id: Use a custom template for login emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for OTP - Login. - signup_template_id: Use a custom template for signup emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for OTP - Signup. - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - login_expiration_minutes: The expiration time, in minutes, for a login OTP email to a Member. If not authenticated within this time frame, the OTP will need to be resent. Defaults to 10 with a minimum of 2 and a maximum of 15. 
- signup_expiration_minutes: The expiration time, in minutes, for a signup OTP email to a Member. If not authenticated within this time frame, the OTP will need to be resent. Defaults to 10 with a minimum of 2 and a maximum of 15. """ # noqa 
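Review bot: The summary sentence kept in this docstring, "The OTP is valid for 10 minutes", reads as a fixed lifetime, while the Fields list below it documents `login_expiration_minutes` and `signup_expiration_minutes` as configurable between 2 and 15 minutes. I would reword it to `The OTP is valid for 10 minutes by default (see login_expiration_minutes and signup_expiration_minutes).` so the stated code lifetime matches the parameters. The same sentence appears in the login_or_signup_async hunk. The function starts and ends outside the hunk.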
@@ -95,16 +92,13 @@ async def login_or_signup_async( The OTP is valid for 10 minutes. Only the most recently sent OTP is valid: when an OTP is sent, all OTPs previously sent to the same email address are invalidated, even if unused or unexpired. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. - email_address: The email address of the Member. - login_template_id: Use a custom template for login emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for OTP - Login. - signup_template_id: Use a custom template for signup emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for OTP - Signup. - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - login_expiration_minutes: The expiration time, in minutes, for a login OTP email to a Member. If not authenticated within this time frame, the OTP will need to be resent. 
Defaults to 10 with a minimum of 2 and a maximum of 15. - signup_expiration_minutes: The expiration time, in minutes, for a signup OTP email to a Member. If not authenticated within this time frame, the OTP will need to be resent. Defaults to 10 with a minimum of 2 and a maximum of 15. """ # noqa 
@@ -154,32 +148,18 @@ def authenticate( If a valid `session_token` or `session_jwt` is passed in, the Member will not be required to complete an MFA step. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. - email_address: The email address of the Member. - code: The code to authenticate. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. 
It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want - to use the Stytch session product, you can ignore the session fields in the response. - - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in - `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To - delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored. - Total custom claims size cannot exceed four kilobytes. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. 
This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you do not wish to use Stytch's session product, you can ignore the session fields in the response. + - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! 
- - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} 
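Review bot: The reworded `session_token` entry in the Fields list no longer says the value is secret, and that word was the only cue in this docstring that the token is a bearer credential to be handled like a password. I would keep it, e.g. `- session_token: The secret token associated with a Member's existing Session.`, and give `session_jwt` the same treatment. The same rewording appears in the authenticate_async hunk and in the otp_sms.py send hunk. The function body continues outside the hunk.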
@@ -233,32 +213,18 @@ async def authenticate_async( If a valid `session_token` or `session_jwt` is passed in, the Member will not be required to complete an MFA step. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. - email_address: The email address of the Member. - code: The code to authenticate. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. 
It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want - to use the Stytch session product, you can ignore the session fields in the response. - - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in - `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To - delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored. - Total custom claims size cannot exceed four kilobytes. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. 
This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you do not wish to use Stytch's session product, you can ignore the session fields in the response. + - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! 
- - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} diff --git a/stytch/b2b/api/otp_email_discovery.py b/stytch/b2b/api/otp_email_discovery.py index 4fec8892..4f62f01f 100644 --- a/stytch/b2b/api/otp_email_discovery.py +++ b/stytch/b2b/api/otp_email_discovery.py @@ -38,12 +38,9 @@ def send( - email_address: The email address to start the discovery flow for. - login_template_id: Use a custom template for login emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for OTP - Login. - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - - discovery_expiration_minutes: The expiration time, in minutes, for a discovery OTP email. If not accepted within this time frame, the OTP will need to be resent. Defaults to 10 with a minimum of 2 and a maximum of 15. + - discovery_expiration_minutes: The expiration time, in minutes, for an discovery magic link email. If not accepted within this time frame, the email will need to be resent. Defaults to 60 (1 hour) with a minimum of 5 and a maximum of 10080 (1 week). """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
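Review bot: The new `discovery_expiration_minutes` entry describes a "discovery magic link email" with a default of 60 and a maximum of 10080 minutes, but this is the OTP discovery `send` docstring, and the line it replaces gave a default of 10 with a range of 2 to 15. If the OTP limits are unchanged, the text looks copied from the magic-link endpoint and overstates how long a one-time code stays valid. The diff does not show which range the API enforces, so this should be checked against the API reference. If the old limits still hold, restore `- discovery_expiration_minutes: The expiration time, in minutes, for a discovery OTP email. If not accepted within this time frame, the OTP will need to be resent. Defaults to 10 with a minimum of 2 and a maximum of 15.`; in either case "an discovery" should read "a discovery". The send_async hunk carries the same text.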
@@ -73,12 +70,9 @@ async def send_async( - email_address: The email address to start the discovery flow for. - login_template_id: Use a custom template for login emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for OTP - Login. - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - - discovery_expiration_minutes: The expiration time, in minutes, for a discovery OTP email. If not accepted within this time frame, the OTP will need to be resent. Defaults to 10 with a minimum of 2 and a maximum of 15. + - discovery_expiration_minutes: The expiration time, in minutes, for an discovery magic link email. If not accepted within this time frame, the email will need to be resent. Defaults to 60 (1 hour) with a minimum of 5 and a maximum of 10080 (1 week). """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { diff --git a/stytch/b2b/api/otp_sms.py b/stytch/b2b/api/otp_sms.py index 8e6147ab..8ae3b41d 100644 --- a/stytch/b2b/api/otp_sms.py +++ b/stytch/b2b/api/otp_sms.py 
@@ -58,18 +58,15 @@ def send( __Note:__ SMS to phone numbers outside of the US and Canada is disabled by default for customers who did not use SMS prior to October 2023. If you're interested in sending international SMS, please add those countries to your Project's allowlist via the [Dashboard](https://stytch.com/dashboard/country-code-allowlists) or [Programmatic Workspace Actions](https://stytch.com/docs/workspace-management/pwa/set-allowed-country-codes), and [add credit card details](https://stytch.com/dashboard/settings/billing) to your account. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. - mfa_phone_number: The phone number to send the OTP to. If the Member already has a phone number, this argument is not needed. - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. 
- Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
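Review bot: The reworded `session_token` entry in `send` defines the field in terms of itself and drops the word "secret", which was the only cue in this docstring that the value must be kept confidential. I would keep that cue, for example `- session_token: The secret session token associated with a Member's existing Session.` The same rewording is repeated in the `send_async`, `authenticate` and `authenticate_async` hunks of this file. The body of `send` continues outside the hunk.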
@@ -124,18 +121,15 @@ async def send_async( __Note:__ SMS to phone numbers outside of the US and Canada is disabled by default for customers who did not use SMS prior to October 2023. If you're interested in sending international SMS, please add those countries to your Project's allowlist via the [Dashboard](https://stytch.com/dashboard/country-code-allowlists) or [Programmatic Workspace Actions](https://stytch.com/docs/workspace-management/pwa/set-allowed-country-codes), and [add credit card details](https://stytch.com/dashboard/settings/billing) to your account. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. - mfa_phone_number: The phone number to send the OTP to. If the Member already has a phone number, this argument is not needed. - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. 
- Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -191,33 +185,19 @@ def authenticate( Provide the `session_duration_minutes` parameter to set the lifetime of the session. If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a duration of 60 minutes. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. - code: The code to authenticate. - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. 
It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want - to use the Stytch session product, you can ignore the session fields in the response. - - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in - `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To - delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored. - Total custom claims size cannot exceed four kilobytes. 
+ - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you do not wish to use Stytch's session product, you can ignore the session fields in the response. + - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - set_mfa_enrollment: Optionally sets the Member’s MFA enrollment status upon a successful authentication. If the Organization’s MFA policy is `REQUIRED_FOR_ALL`, this field will be ignored. If this field is not passed in, the Member’s `mfa_enrolled` boolean will not be affected. The options are: - - `enroll` – sets the Member's `mfa_enrolled` boolean to `true`. The Member will be required to complete an MFA step upon subsequent logins to the Organization. 
- - `unenroll` – sets the Member's `mfa_enrolled` boolean to `false`. The Member will no longer be required to complete MFA steps when logging in to the Organization. - - - set_default_mfa: (no documentation yet) + `enroll` – sets the Member's `mfa_enrolled` boolean to `true`. The Member will be required to complete an MFA step upon subsequent logins to the Organization. + `unenroll` – sets the Member's `mfa_enrolled` boolean to `false`. The Member will no longer be required to complete MFA steps when logging in to the Organization. + - set_default_mfa: If passed will set the authenticated method to the default MFA method. Completing an MFA authentication flow for the first time for a Member will implicitly set the method to the default MFA method. This option can be used to update the default MFA method if multiple are being used. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} 
@@ -281,33 +261,19 @@ async def authenticate_async( Provide the `session_duration_minutes` parameter to set the lifetime of the session. If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a duration of 60 minutes. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. - code: The code to authenticate. - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. 
It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want - to use the Stytch session product, you can ignore the session fields in the response. - - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in - `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To - delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored. - Total custom claims size cannot exceed four kilobytes. 
+ - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you do not wish to use Stytch's session product, you can ignore the session fields in the response. + - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - set_mfa_enrollment: Optionally sets the Member’s MFA enrollment status upon a successful authentication. If the Organization’s MFA policy is `REQUIRED_FOR_ALL`, this field will be ignored. If this field is not passed in, the Member’s `mfa_enrolled` boolean will not be affected. The options are: - - `enroll` – sets the Member's `mfa_enrolled` boolean to `true`. The Member will be required to complete an MFA step upon subsequent logins to the Organization. 
- - `unenroll` – sets the Member's `mfa_enrolled` boolean to `false`. The Member will no longer be required to complete MFA steps when logging in to the Organization. - - - set_default_mfa: (no documentation yet) + `enroll` – sets the Member's `mfa_enrolled` boolean to `true`. The Member will be required to complete an MFA step upon subsequent logins to the Organization. + `unenroll` – sets the Member's `mfa_enrolled` boolean to `false`. The Member will no longer be required to complete MFA steps when logging in to the Organization. + - set_default_mfa: If passed will set the authenticated method to the default MFA method. Completing an MFA authentication flow for the first time for a Member will implicitly set the method to the default MFA method. This option can be used to update the default MFA method if multiple are being used. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} diff --git a/stytch/b2b/api/passwords.py b/stytch/b2b/api/passwords.py index a13b3de2..fa90d0f3 100644 --- a/stytch/b2b/api/passwords.py +++ b/stytch/b2b/api/passwords.py 
@@ -79,7 +79,7 @@ def strength_check( If you're using [LUDS](https://stytch.com/docs/guides/passwords/strength-policy), the feedback object will contain a collection of fields that the user failed or passed. You'll want to prompt the user to create a password that meets all requirements that they failed. Fields: - - password: The password to authenticate, reset, or set for the first time. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc. + - password: The password for the Member. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc. - email_address: The email address of the Member. """ # noqa headers: Dict[str, str] = {} @@ -113,7 +113,7 @@ async def strength_check_async( If you're using [LUDS](https://stytch.com/docs/guides/passwords/strength-policy), the feedback object will contain a collection of fields that the user failed or passed. You'll want to prompt the user to create a password that meets all requirements that they failed. Fields: - - password: The password to authenticate, reset, or set for the first time. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc. + - password: The password for the Member. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc. - email_address: The email address of the Member. """ # noqa headers: Dict[str, str] = {} 
@@ -163,33 +163,24 @@ def migrate( - email_address: The email address of the Member. - hash: The password hash. For a Scrypt or PBKDF2 hash, the hash needs to be a base64 encoded string. - hash_type: The password hash used. Currently `bcrypt`, `scrypt`, `argon_2i`, `argon_2id`, `md_5`, `sha_1`, `sha_512`, and `pbkdf_2` are supported. - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - md_5_config: Optional parameters for MD-5 hash types. - - argon_2_config: Required parameters if the argon2 hex form, as opposed to the encoded form, is supplied. - - sha_1_config: Optional parameters for SHA-1 hash types. - - sha_512_config: Optional parameters for SHA-512 hash types. - - scrypt_config: Required parameters if the scrypt is not provided in a **PHC encoded form**. - - pbkdf_2_config: Required additional parameters for PBKDF2 hash keys. Note that we use the SHA-256 by default, please contact [support@stytch.com](mailto:support@stytch.com) if you use another hashing function. - - name: The name of the Member. Each field in the name object is optional. - - trusted_metadata: An arbitrary JSON object for storing application-specific data or identity-provider-specific data. - - untrusted_metadata: An arbitrary JSON object of application-specific data. These fields can be edited directly by the - frontend SDK, and should not be used to store critical information. See the [Metadata resource](https://stytch.com/docs/b2b/api/metadata) - for complete field behavior details. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. 
+ - md_5_config: Configuration parameters for MD5 password hashing when migrating passwords. This includes settings like whether a prepended salt was used. + - argon_2_config: Configuration parameters for Argon2 password hashing when migrating passwords. This includes settings like memory cost, time cost, and parallelism. + - sha_1_config: Configuration parameters for SHA-1 password hashing when migrating passwords. This includes settings like whether a prepended salt was used. + - sha_512_config: Configuration parameters for SHA-512 password hashing when migrating passwords. This includes settings like whether a prepended salt was used. + - scrypt_config: Required parameters if the scrypt is not provided in a [PHC encoded form](https://github.com/P-H-C/phc-string-format/blob/master/phc-sf-spec.md#phc-string-format). + - pbkdf_2_config: Configuration parameters for PBKDF2 password hashing when migrating passwords. This includes settings like iteration count and the underlying hash function. + - name: The name of the Member. + - trusted_metadata: An arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. + - untrusted_metadata: An arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. - roles: Roles to explicitly assign to this Member. - Will completely replace any existing explicitly assigned roles. See the - [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role assignment. 
- - If a Role is removed from a Member, and the Member is also implicitly assigned this Role from an SSO connection - or an SSO group, we will by default revoke any existing sessions for the Member that contain any SSO - authentication factors with the affected connection ID. You can preserve these sessions by passing in the - `preserve_existing_sessions` parameter with a value of `true`. - preserve_existing_sessions: Whether to preserve existing sessions when explicit Roles that are revoked are also implicitly assigned - by SSO connection or SSO group. Defaults to `false` - that is, existing Member Sessions that contain SSO - authentication factors with the affected SSO connection IDs will be revoked. + by SSO connection or SSO group. Defaults to `false` - that is, existing Member Sessions that contain SSO + authentication factors with the affected SSO connection IDs will be revoked. - mfa_phone_number: The Member's phone number. A Member may only have one phone number. The phone number should be in E.164 format (i.e. +1XXXXXXXXXX). - - set_phone_number_verified: Whether to set the user's phone number as verified. This is a dangerous field. This flag should only be set if you can attest that - the user owns the phone number in question. - - external_id: If a new member is created, this will set an identifier that can be used in most API calls where a `member_id` is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. External IDs must be unique within an organization, but may be reused across different organizations in the same project. Note that if a member already exists, this field will be ignored. + - set_phone_number_verified: Whether to set the user's phone number as verified. This is a dangerous field, this flag should only be set if you can attest that + the user owns the phone number in question. 
+ - external_id: An identifier that can be used in most API calls where a `member_id` is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. External IDs must be unique within an organization, but may be reused across different organizations in the same project. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
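Review bot: The rewritten hash config entries in `migrate` no longer say when a config is required or what is assumed by default. The removed `argon_2_config` line said it is required when the argon2 hex form is supplied, and the removed `pbkdf_2_config` line said SHA-256 is used by default; the new "Configuration parameters for ... when migrating passwords" wording reads as optional for every hash type. Unless the API behaviour changed, I would append the condition to each entry, e.g. `Required if the argon2 hex form, as opposed to the encoded form, is supplied.`, and for PBKDF2, if that is still the default, `SHA-256 is used unless another hash function is configured.` The `migrate_async` hunk makes the same replacement, and the body of `migrate` continues outside the hunk.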
@@ -287,33 +278,24 @@ async def migrate_async( - email_address: The email address of the Member. - hash: The password hash. For a Scrypt or PBKDF2 hash, the hash needs to be a base64 encoded string. - hash_type: The password hash used. Currently `bcrypt`, `scrypt`, `argon_2i`, `argon_2id`, `md_5`, `sha_1`, `sha_512`, and `pbkdf_2` are supported. - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - md_5_config: Optional parameters for MD-5 hash types. - - argon_2_config: Required parameters if the argon2 hex form, as opposed to the encoded form, is supplied. - - sha_1_config: Optional parameters for SHA-1 hash types. - - sha_512_config: Optional parameters for SHA-512 hash types. - - scrypt_config: Required parameters if the scrypt is not provided in a **PHC encoded form**. - - pbkdf_2_config: Required additional parameters for PBKDF2 hash keys. Note that we use the SHA-256 by default, please contact [support@stytch.com](mailto:support@stytch.com) if you use another hashing function. - - name: The name of the Member. Each field in the name object is optional. - - trusted_metadata: An arbitrary JSON object for storing application-specific data or identity-provider-specific data. - - untrusted_metadata: An arbitrary JSON object of application-specific data. These fields can be edited directly by the - frontend SDK, and should not be used to store critical information. See the [Metadata resource](https://stytch.com/docs/b2b/api/metadata) - for complete field behavior details. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. 
+ - md_5_config: Configuration parameters for MD5 password hashing when migrating passwords. This includes settings like whether a prepended salt was used. + - argon_2_config: Configuration parameters for Argon2 password hashing when migrating passwords. This includes settings like memory cost, time cost, and parallelism. + - sha_1_config: Configuration parameters for SHA-1 password hashing when migrating passwords. This includes settings like whether a prepended salt was used. + - sha_512_config: Configuration parameters for SHA-512 password hashing when migrating passwords. This includes settings like whether a prepended salt was used. + - scrypt_config: Required parameters if the scrypt is not provided in a [PHC encoded form](https://github.com/P-H-C/phc-string-format/blob/master/phc-sf-spec.md#phc-string-format). + - pbkdf_2_config: Configuration parameters for PBKDF2 password hashing when migrating passwords. This includes settings like iteration count and the underlying hash function. + - name: The name of the Member. + - trusted_metadata: An arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. + - untrusted_metadata: An arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. - roles: Roles to explicitly assign to this Member. - Will completely replace any existing explicitly assigned roles. See the - [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role assignment. 
- - If a Role is removed from a Member, and the Member is also implicitly assigned this Role from an SSO connection - or an SSO group, we will by default revoke any existing sessions for the Member that contain any SSO - authentication factors with the affected connection ID. You can preserve these sessions by passing in the - `preserve_existing_sessions` parameter with a value of `true`. - preserve_existing_sessions: Whether to preserve existing sessions when explicit Roles that are revoked are also implicitly assigned - by SSO connection or SSO group. Defaults to `false` - that is, existing Member Sessions that contain SSO - authentication factors with the affected SSO connection IDs will be revoked. + by SSO connection or SSO group. Defaults to `false` - that is, existing Member Sessions that contain SSO + authentication factors with the affected SSO connection IDs will be revoked. - mfa_phone_number: The Member's phone number. A Member may only have one phone number. The phone number should be in E.164 format (i.e. +1XXXXXXXXXX). - - set_phone_number_verified: Whether to set the user's phone number as verified. This is a dangerous field. This flag should only be set if you can attest that - the user owns the phone number in question. - - external_id: If a new member is created, this will set an identifier that can be used in most API calls where a `member_id` is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. External IDs must be unique within an organization, but may be reused across different organizations in the same project. Note that if a member already exists, this field will be ignored. + - set_phone_number_verified: Whether to set the user's phone number as verified. This is a dangerous field, this flag should only be set if you can attest that + the user owns the phone number in question. 
+ - external_id: An identifier that can be used in most API calls where a `member_id` is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. External IDs must be unique within an organization, but may be reused across different organizations in the same project. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
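Review bot: The rewritten `external_id` entry at the end of this docstring drops the caveat that the value is only applied when a new Member is created and is ignored for an existing one, and nothing visible in the hunk suggests that behaviour changed. A caller migrating a password for an existing Member could read the new text as re-keying that Member. If the behaviour is unchanged, keep the closing sentence `Note that if a member already exists, this field will be ignored.` The same replacement appears in the hunk just above this one, and in both the `set_phone_number_verified` warning is now joined by a comma; `This is a dangerous field. This flag should only be set if you can attest that the user owns the phone number in question.` reads better. The body of migrate_async continues outside the hunk.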
@@ -399,34 +381,18 @@ def authenticate( If a valid `session_token` or `session_jwt` is passed in, the Member will not be required to complete an MFA step. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. - email_address: The email address of the Member. - - password: The password to authenticate, reset, or set for the first time. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc. - - session_token: A secret token for a given Stytch Session. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want - to use the Stytch session product, you can ignore the session fields in the response. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - session_custom_claims: Add a custom claims map to the Session being authenticated. 
Claims are only created if a Session is initialized by providing a value in - `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To - delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored. - Total custom claims size cannot exceed four kilobytes. - - locale: If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode. - - Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - - Currently supported languages are English (`"en"`), Spanish (`"es"`), and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - + - password: The password for the Member. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc. + - session_token: The `session_token` associated with a Member's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. 
If you do not wish to use Stytch's session product, you can ignore the session fields in the response. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. + Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - - intermediate_session_token: Adds this primary authentication factor to the intermediate session token. If the resulting set of factors satisfies the organization's primary authentication requirements and MFA requirements, the intermediate session token will be consumed and converted to a member session. If not, the same intermediate session token will be returned. + - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. 
The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} 
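Review bot: The new `intermediate_session_token` entry replaces this endpoint's own behaviour with a generic description of the token. The docstring no longer says that the password factor is added to the token, or that the same token is returned when the Organization's primary authentication and MFA requirements are still unmet. Callers need that to tell whether a response carries a Member session or an intermediate one, so I would restore the two removed sentences beginning `If the resulting set of factors satisfies` after the generic text and keep only one of the two "default expiry of 10 minutes" statements. The `locale` entry likewise loses the note that an OTP is sent pre-emptively to the Member's phone, and its form link has a stray `"` before the closing parenthesis. The authenticate_async hunk below carries the same text, and both functions continue outside their hunks.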
@@ -478,34 +444,18 @@ async def authenticate_async( If a valid `session_token` or `session_jwt` is passed in, the Member will not be required to complete an MFA step. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. - email_address: The email address of the Member. - - password: The password to authenticate, reset, or set for the first time. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc. - - session_token: A secret token for a given Stytch Session. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want - to use the Stytch session product, you can ignore the session fields in the response. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - session_custom_claims: Add a custom claims map to the Session being authenticated. 
Claims are only created if a Session is initialized by providing a value in - `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To - delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored. - Total custom claims size cannot exceed four kilobytes. - - locale: If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode. - - Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - - Currently supported languages are English (`"en"`), Spanish (`"es"`), and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - + - password: The password for the Member. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc. + - session_token: The `session_token` associated with a Member's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. 
If you do not wish to use Stytch's session product, you can ignore the session fields in the response. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. + Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - - intermediate_session_token: Adds this primary authentication factor to the intermediate session token. If the resulting set of factors satisfies the organization's primary authentication requirements and MFA requirements, the intermediate session token will be consumed and converted to a member session. If not, the same intermediate session token will be returned. + - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. 
The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} diff --git a/stytch/b2b/api/passwords_discovery.py b/stytch/b2b/api/passwords_discovery.py index c98c3686..ba81ee4b 100644 --- a/stytch/b2b/api/passwords_discovery.py +++ b/stytch/b2b/api/passwords_discovery.py @@ -39,7 +39,7 @@ def authenticate( If successful, this endpoint will create a new intermediate session and return a list of discovered organizations that can be session exchanged into. Fields: - - email_address: The email address of the Member. + - email_address: The email address. - password: The password to authenticate, reset, or set for the first time. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc. """ # noqa headers: Dict[str, str] = {} 
@@ -64,7 +64,7 @@ async def authenticate_async( If successful, this endpoint will create a new intermediate session and return a list of discovered organizations that can be session exchanged into. Fields: - - email_address: The email address of the Member. + - email_address: The email address. - password: The password to authenticate, reset, or set for the first time. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc. """ # noqa headers: Dict[str, str] = {} diff --git a/stytch/b2b/api/passwords_discovery_email.py b/stytch/b2b/api/passwords_discovery_email.py index 9b0daebd..ef63a626 100644 --- a/stytch/b2b/api/passwords_discovery_email.py +++ b/stytch/b2b/api/passwords_discovery_email.py 
@@ -44,24 +44,25 @@ def reset_start( You may update your password strength configuration on the [Passwords Policy page](https://stytch.com/dashboard/password-strength-config) in the Stytch Dashboard. Fields: - - email_address: The email address of the Member to start the email reset process for. - - reset_password_redirect_url: The URL that the Member clicks from the reset password link. This URL should be an endpoint in the backend server that verifies the request by querying - Stytch's authenticate endpoint and finishes the reset password flow. If this value is not passed, the default `reset_password_redirect_url` that you set in your Dashboard is used. - If you have not set a default `reset_password_redirect_url`, an error is returned. + - email_address: The email address. + - reset_password_redirect_url: The url that the user clicks from the password reset email to finish the reset password flow. + This should be a url that your app receives and parses before showing your app's reset password page. + After the user submits a new password to your app, it should send an API request to complete the password reset process. + If this value is not passed, the default reset password redirect URL that you set in your Dashboard is used. + If you have not set a default reset password redirect URL, an error is returned. - discovery_redirect_url: The URL that the end user clicks from the discovery Magic Link. This URL should be an endpoint in the backend server that - verifies the request by querying Stytch's discovery authenticate endpoint and continues the flow. If this value is not passed, the default - discovery redirect URL that you set in your Dashboard is used. If you have not set a default discovery redirect URL, an error is returned. - - reset_password_template_id: Use a custom template for reset password emails. By default, it will use your default email template. 
The template must be a template using our built-in customizations or a custom HTML email for Passwords - Reset Password. - - reset_password_expiration_minutes: Sets a time limit after which the email link to reset the member's password will no longer be valid. The minimum allowed expiration is 5 minutes and the maximum is 10080 minutes (7 days). By default, the expiration is 30 minutes. - - pkce_code_challenge: (no documentation yet) + verifies the request by querying Stytch's discovery authenticate endpoint and continues the flow. If this value is not passed, the default + discovery redirect URL that you set in your Dashboard is used. If you have not set a default discovery redirect URL, an error is returned. + - reset_password_template_id: Use a custom template for password reset emails. By default, it will use your default email template. + The template must be a template using our built-in customizations or a custom HTML email for Passwords - Password reset. + - reset_password_expiration_minutes: Set the expiration for the password reset, in minutes. By default, it expires in 30 minutes. + The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins). + - pkce_code_challenge: A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device. - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - verify_email_template_id: Use a custom template for verification emails sent during password reset flows. 
When cross-organization passwords are enabled for your Project, this template will be used the first time a user sets a password via a - password reset flow. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Passwords - Email Verification. + password reset flow. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Passwords - Email Verification. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
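Review bot: The new `pkce_code_challenge` text here and the `pkce_code_verifier` text in the reset and reset_async hunks below describe each value in isolation and never say that they form a pair. Going by the two descriptions, the verifier is the secret whose SHA256 hash was sent as the challenge. I would add `Pass the original secret as pkce_code_verifier when calling reset.` to this entry and the mirror sentence on the verifier, after confirming that reset rejects a mismatch. In the same docstring `url` and `URL` are mixed and `10080 mins` is abbreviated; `URL` and `10080 minutes` would match the surrounding entries. reset_start_async carries the same text, and the function bodies continue outside the hunks.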
@@ -110,24 +111,25 @@ async def reset_start_async( You may update your password strength configuration on the [Passwords Policy page](https://stytch.com/dashboard/password-strength-config) in the Stytch Dashboard. Fields: - - email_address: The email address of the Member to start the email reset process for. - - reset_password_redirect_url: The URL that the Member clicks from the reset password link. This URL should be an endpoint in the backend server that verifies the request by querying - Stytch's authenticate endpoint and finishes the reset password flow. If this value is not passed, the default `reset_password_redirect_url` that you set in your Dashboard is used. - If you have not set a default `reset_password_redirect_url`, an error is returned. + - email_address: The email address. + - reset_password_redirect_url: The url that the user clicks from the password reset email to finish the reset password flow. + This should be a url that your app receives and parses before showing your app's reset password page. + After the user submits a new password to your app, it should send an API request to complete the password reset process. + If this value is not passed, the default reset password redirect URL that you set in your Dashboard is used. + If you have not set a default reset password redirect URL, an error is returned. - discovery_redirect_url: The URL that the end user clicks from the discovery Magic Link. This URL should be an endpoint in the backend server that - verifies the request by querying Stytch's discovery authenticate endpoint and continues the flow. If this value is not passed, the default - discovery redirect URL that you set in your Dashboard is used. If you have not set a default discovery redirect URL, an error is returned. - - reset_password_template_id: Use a custom template for reset password emails. By default, it will use your default email template. 
The template must be a template using our built-in customizations or a custom HTML email for Passwords - Reset Password. - - reset_password_expiration_minutes: Sets a time limit after which the email link to reset the member's password will no longer be valid. The minimum allowed expiration is 5 minutes and the maximum is 10080 minutes (7 days). By default, the expiration is 30 minutes. - - pkce_code_challenge: (no documentation yet) + verifies the request by querying Stytch's discovery authenticate endpoint and continues the flow. If this value is not passed, the default + discovery redirect URL that you set in your Dashboard is used. If you have not set a default discovery redirect URL, an error is returned. + - reset_password_template_id: Use a custom template for password reset emails. By default, it will use your default email template. + The template must be a template using our built-in customizations or a custom HTML email for Passwords - Password reset. + - reset_password_expiration_minutes: Set the expiration for the password reset, in minutes. By default, it expires in 30 minutes. + The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins). + - pkce_code_challenge: A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device. - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - verify_email_template_id: Use a custom template for verification emails sent during password reset flows. 
When cross-organization passwords are enabled for your Project, this template will be used the first time a user sets a password via a - password reset flow. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Passwords - Email Verification. + password reset flow. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Passwords - Email Verification. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { @@ -169,9 +171,9 @@ def reset( Resetting a password will start an intermediate session and return a list of discovered organizations the session can be exchanged into. Fields: - - password_reset_token: The password reset token to authenticate. + - password_reset_token: The password reset token from the `?token=` query parameter in the password reset URL. - password: The password to authenticate, reset, or set for the first time. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc. - - pkce_code_verifier: (no documentation yet) + - pkce_code_verifier: A base64url encoded one time secret used to validate that the request starts and ends on the same device. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -198,9 +200,9 @@ async def reset_async( Resetting a password will start an intermediate session and return a list of discovered organizations the session can be exchanged into. Fields: - - password_reset_token: The password reset token to authenticate. + - password_reset_token: The password reset token from the `?token=` query parameter in the password reset URL. - password: The password to authenticate, reset, or set for the first time. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc. - - pkce_code_verifier: (no documentation yet) + - pkce_code_verifier: A base64url encoded one time secret used to validate that the request starts and ends on the same device. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { diff --git a/stytch/b2b/api/passwords_email.py b/stytch/b2b/api/passwords_email.py index 9c2131bd..465daeb7 100644 --- a/stytch/b2b/api/passwords_email.py +++ b/stytch/b2b/api/passwords_email.py 
@@ -49,25 +49,24 @@ def reset_start( You may update your password strength configuration on the [Passwords Policy page](https://stytch.com/dashboard/password-strength-config) in the Stytch Dashboard. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - email_address: The email address of the Member to start the email reset process for. - - reset_password_redirect_url: The URL that the Member clicks from the reset password link. This URL should be an endpoint in the backend server that verifies the request by querying - Stytch's authenticate endpoint and finishes the reset password flow. If this value is not passed, the default `reset_password_redirect_url` that you set in your Dashboard is used. - If you have not set a default `reset_password_redirect_url`, an error is returned. - - reset_password_expiration_minutes: Sets a time limit after which the email link to reset the member's password will no longer be valid. The minimum allowed expiration is 5 minutes and the maximum is 10080 minutes (7 days). By default, the expiration is 30 minutes. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - email_address: The email address of the Member. + - reset_password_redirect_url: The url that the user clicks from the password reset email to finish the reset password flow. + This should be a url that your app receives and parses before showing your app's reset password page. + After the user submits a new password to your app, it should send an API request to complete the password reset process. 
+ If this value is not passed, the default reset password redirect URL that you set in your Dashboard is used. + If you have not set a default reset password redirect URL, an error is returned. + - reset_password_expiration_minutes: Set the expiration for the password reset, in minutes. By default, it expires in 30 minutes. + The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins). - code_challenge: A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device. - - login_redirect_url: The URL that Members are redirected to upon clicking the "Log in without password" button in password reset emails. - - After Members are redirected to the login redirect URL, your application should retrieve the `token` value from the URL parameters and call the [Magic Link Authenticate endpoint](https://stytch.com/docs/api/authenticate-magic-link) to log the Member in without requiring a password reset. If this value is not provided, your project's default login redirect URL will be used. If you have not set a default login redirect URL, an error will be returned. + - login_redirect_url: The URL that Members are redirected to upon clicking the Email Magic Link. If this value is not passed, the default login redirect URL that you set in your Dashboard is used. If you have not set a default login redirect URL, an error is returned. - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! 
- - - reset_password_template_id: Use a custom template for reset password emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Passwords - Reset Password. + - reset_password_template_id: Use a custom template for password reset emails. By default, it will use your default email template. + The template must be a template using our built-in customizations or a custom HTML email for Passwords - Password reset. - verify_email_template_id: Use a custom template for verification emails sent during password reset flows. When cross-organization passwords are enabled for your Project, this template will be used the first time a user sets a password via a - password reset flow. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Passwords - Email Verification. + password reset flow. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Passwords - Email Verification. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
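Review bot: The rewritten `login_redirect_url` entry in `reset_start` no longer says where this link appears or what the application must do when a Member lands on it. The removed text explained that it backs the "Log in without password" button in the reset email and that the app reads `token` from the URL and calls the Magic Link Authenticate endpoint; "upon clicking the Email Magic Link" gives no hint that a password reset email also carries a link that logs the Member in without a reset. If that behaviour is unchanged, keep one sentence of it, e.g. `This link logs the Member in without a password reset; read the token from the URL and authenticate it as an Email Magic Link.` The `reset_start_async` hunk carries the same text.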
@@ -116,25 +115,24 @@ async def reset_start_async( You may update your password strength configuration on the [Passwords Policy page](https://stytch.com/dashboard/password-strength-config) in the Stytch Dashboard. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - email_address: The email address of the Member to start the email reset process for. - - reset_password_redirect_url: The URL that the Member clicks from the reset password link. This URL should be an endpoint in the backend server that verifies the request by querying - Stytch's authenticate endpoint and finishes the reset password flow. If this value is not passed, the default `reset_password_redirect_url` that you set in your Dashboard is used. - If you have not set a default `reset_password_redirect_url`, an error is returned. - - reset_password_expiration_minutes: Sets a time limit after which the email link to reset the member's password will no longer be valid. The minimum allowed expiration is 5 minutes and the maximum is 10080 minutes (7 days). By default, the expiration is 30 minutes. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - email_address: The email address of the Member. + - reset_password_redirect_url: The url that the user clicks from the password reset email to finish the reset password flow. + This should be a url that your app receives and parses before showing your app's reset password page. + After the user submits a new password to your app, it should send an API request to complete the password reset process. 
+ If this value is not passed, the default reset password redirect URL that you set in your Dashboard is used. + If you have not set a default reset password redirect URL, an error is returned. + - reset_password_expiration_minutes: Set the expiration for the password reset, in minutes. By default, it expires in 30 minutes. + The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins). - code_challenge: A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device. - - login_redirect_url: The URL that Members are redirected to upon clicking the "Log in without password" button in password reset emails. - - After Members are redirected to the login redirect URL, your application should retrieve the `token` value from the URL parameters and call the [Magic Link Authenticate endpoint](https://stytch.com/docs/api/authenticate-magic-link) to log the Member in without requiring a password reset. If this value is not provided, your project's default login redirect URL will be used. If you have not set a default login redirect URL, an error will be returned. + - login_redirect_url: The URL that Members are redirected to upon clicking the Email Magic Link. If this value is not passed, the default login redirect URL that you set in your Dashboard is used. If you have not set a default login redirect URL, an error is returned. - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! 
- - - reset_password_template_id: Use a custom template for reset password emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Passwords - Reset Password. + - reset_password_template_id: Use a custom template for password reset emails. By default, it will use your default email template. + The template must be a template using our built-in customizations or a custom HTML email for Passwords - Password reset. - verify_email_template_id: Use a custom template for verification emails sent during password reset flows. When cross-organization passwords are enabled for your Project, this template will be used the first time a user sets a password via a - password reset flow. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Passwords - Email Verification. + password reset flow. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Passwords - Email Verification. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -188,38 +186,18 @@ def reset( Note that a successful password reset by email will revoke all active sessions for the `member_id`. Fields: - - password_reset_token: The password reset token to authenticate. - - password: The password to authenticate, reset, or set for the first time. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc. - - session_token: Reuse an existing session instead of creating a new one. If you provide a `session_token`, Stytch will update the session. - If the `session_token` and `magic_links_token` belong to different Members, the `session_token` will be ignored. This endpoint will error if - both `session_token` and `session_jwt` are provided. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want - to use the Stytch session product, you can ignore the session fields in the response. - - session_jwt: Reuse an existing session instead of creating a new one. If you provide a `session_jwt`, Stytch will update the session. If the `session_jwt` - and `magic_links_token` belong to different Members, the `session_jwt` will be ignored. This endpoint will error if both `session_token` and `session_jwt` - are provided. 
+ - password_reset_token: The password reset token from the `?token=` query parameter in the password reset URL. + - password: The password for the Member. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc. + - session_token: Reuse an existing session instead of creating a new one. If you provide a `session_token`, Stytch will update the session. If the `session_token` and `magic_links_token` belong to different Members, the `session_token` will be ignored. This endpoint will error if both `session_token` and `session_jwt` are provided. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you do not wish to use Stytch's session product, you can ignore the session fields in the response. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. - code_verifier: A base64url encoded one time secret used to validate that the request starts and ends on the same device. - - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in - `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To - delete a key, supply a null value. 
Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored. - Total custom claims size cannot exceed four kilobytes. - - locale: If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode. - - Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - - Currently supported languages are English (`"en"`), Spanish (`"es"`), and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - + - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. + Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - - intermediate_session_token: Adds this primary authentication factor to the intermediate session token. 
If the resulting set of factors satisfies the organization's primary authentication requirements and MFA requirements, the intermediate session token will be consumed and converted to a member session. If not, the same intermediate session token will be returned. + - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} 
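Review bot: The `session_token` entry added to `reset` still refers to `magic_links_token`, which is not among the fields this docstring lists; the token authenticated here is `password_reset_token`. The sentence should read "If the `session_token` and `password_reset_token` belong to different Members, the `session_token` will be ignored." The new `session_jwt` entry also drops the statements that a JWT belonging to a different Member is ignored and that supplying both values is an error, so the reuse rule is now stated only under `session_token`; if the behaviour is unchanged, one sentence pointing back to it would keep the two entries consistent. The `reset_async` hunk has the same text, and both docstrings begin above their hunks.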
@@ -274,38 +252,18 @@ async def reset_async( Note that a successful password reset by email will revoke all active sessions for the `member_id`. Fields: - - password_reset_token: The password reset token to authenticate. - - password: The password to authenticate, reset, or set for the first time. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc. - - session_token: Reuse an existing session instead of creating a new one. If you provide a `session_token`, Stytch will update the session. - If the `session_token` and `magic_links_token` belong to different Members, the `session_token` will be ignored. This endpoint will error if - both `session_token` and `session_jwt` are provided. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want - to use the Stytch session product, you can ignore the session fields in the response. - - session_jwt: Reuse an existing session instead of creating a new one. If you provide a `session_jwt`, Stytch will update the session. If the `session_jwt` - and `magic_links_token` belong to different Members, the `session_jwt` will be ignored. This endpoint will error if both `session_token` and `session_jwt` - are provided. 
+ - password_reset_token: The password reset token from the `?token=` query parameter in the password reset URL. + - password: The password for the Member. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc. + - session_token: Reuse an existing session instead of creating a new one. If you provide a `session_token`, Stytch will update the session. If the `session_token` and `magic_links_token` belong to different Members, the `session_token` will be ignored. This endpoint will error if both `session_token` and `session_jwt` are provided. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you do not wish to use Stytch's session product, you can ignore the session fields in the response. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. - code_verifier: A base64url encoded one time secret used to validate that the request starts and ends on the same device. - - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in - `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To - delete a key, supply a null value. 
Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored. - Total custom claims size cannot exceed four kilobytes. - - locale: If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode. - - Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - - Currently supported languages are English (`"en"`), Spanish (`"es"`), and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - + - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. + Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - - intermediate_session_token: Adds this primary authentication factor to the intermediate session token. 
If the resulting set of factors satisfies the organization's primary authentication requirements and MFA requirements, the intermediate session token will be consumed and converted to a member session. If not, the same intermediate session token will be returned. + - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} 
@@ -346,9 +304,9 @@ def require_reset( If there are is only one active Member using the associated email address in the Project, the password will be deleted. Fields: - - email_address: The email address of the Member to start the email reset process for. - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. + - email_address: The email address of the Member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. """ # noqa headers: Dict[str, str] = {} if method_options is not None: 
@@ -377,9 +335,9 @@ async def require_reset_async( If there are is only one active Member using the associated email address in the Project, the password will be deleted. Fields: - - email_address: The email address of the Member to start the email reset process for. - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. + - email_address: The email address of the Member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. """ # noqa headers: Dict[str, str] = {} if method_options is not None: diff --git a/stytch/b2b/api/passwords_existing_password.py b/stytch/b2b/api/passwords_existing_password.py index 0da65cf1..15463963 100644 --- a/stytch/b2b/api/passwords_existing_password.py +++ b/stytch/b2b/api/passwords_existing_password.py 
@@ -55,33 +55,17 @@ def reset( Fields: - email_address: The email address of the Member. - - existing_password: The Member's current password that they supplied. - - new_password: The Member's elected new password. - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - session_token: A secret token for a given Stytch Session. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want - to use the Stytch session product, you can ignore the session fields in the response. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in - `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To - delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored. - Total custom claims size cannot exceed four kilobytes. 
- - locale: If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode. - - Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - - Currently supported languages are English (`"en"`), Spanish (`"es"`), and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - + - existing_password: The user's existing password. + - new_password: The new password for the user. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - session_token: The `session_token` associated with a Member's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you do not wish to use Stytch's session product, you can ignore the session fields in the response. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - session_custom_claims: Add a custom claims map to the Session being authenticated. 
Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. + Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} 
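Review bot: The new `locale` entry in `reset` says the value picks the language "when sending the user this delivery method", but nothing in this docstring is a delivery method. The removed text was the only place stating that the endpoint may pre-emptively send a one-time passcode to the Member's phone when an MFA step is required. If the endpoint still does that, keep the side effect documented, e.g. `- locale: Language of the one-time passcode sent to the Member's phone if an MFA step is required.` The supported-language list also gained French compared with the removed text, which is worth confirming for SMS passcodes. The same `locale` wording is added in the `reset` and `reset_async` hunks of passwords_email.py.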
@@ -139,33 +123,17 @@ async def reset_async( Fields: - email_address: The email address of the Member. - - existing_password: The Member's current password that they supplied. - - new_password: The Member's elected new password. - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - session_token: A secret token for a given Stytch Session. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want - to use the Stytch session product, you can ignore the session fields in the response. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in - `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To - delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored. 
- Total custom claims size cannot exceed four kilobytes. - - locale: If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode. - - Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - - Currently supported languages are English (`"en"`), Spanish (`"es"`), and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - + - existing_password: The user's existing password. + - new_password: The new password for the user. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - session_token: The `session_token` associated with a Member's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you do not wish to use Stytch's session product, you can ignore the session fields in the response. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. 
+ - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. + Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} diff --git a/stytch/b2b/api/passwords_session.py b/stytch/b2b/api/passwords_session.py index e20efec6..139b7e8e 100644 --- a/stytch/b2b/api/passwords_session.py +++ b/stytch/b2b/api/passwords_session.py 
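Review bot: The rewritten `locale` entry in `reset_async` no longer says what is being sent: the removed text explained that when the Member must complete an MFA step and has a phone number, the endpoint pre-emptively sends a one-time passcode by SMS, and the new "when sending the user this delivery method" gives the caller no hint of that side effect. If the endpoint still behaves that way (not visible from this hunk), I would keep one sentence such as `If the Member must complete an MFA step and has a phone number, this endpoint sends an OTP by SMS; locale selects the language of that message.` The added "Request support for additional languages" link also carries a stray `"` before the closing parenthesis (`usp=sf_link")`), which breaks the Markdown URL. The sync `reset` hunk just above, whose start is outside this view, has the same two lines.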
@@ -37,30 +37,16 @@ def reset( Note that a successful password reset via an existing session will revoke all active sessions for the `member_id`, except for the one used during the reset flow. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - password: The password to authenticate, reset, or set for the first time. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want - to use the Stytch session product, you can ignore the session fields in the response. - - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in - `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To - delete a key, supply a null value. 
Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored. - Total custom claims size cannot exceed four kilobytes. - - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - password: The password for the Member. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc. + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you do not wish to use Stytch's session product, you can ignore the session fields in the response. + - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. 
To update a key in an existing Session, supply a new value. To delete a key, supply a null value. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + - locale: Used to determine which language to use when sending the member this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} 
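Review bot: The new `session_token` line drops the word "secret" that the removed line carried, so the docstring no longer marks the value as a credential to be kept out of logs and URLs. I would keep it, e.g. `- session_token: The secret session_token associated with a Member's existing Session.` The `password` line now reads "The password for the Member", which on a reset endpoint does not say whether the current or the new password is expected; presumably the new one, so `- password: The new password for the Member.` would be clearer. The same wording is repeated in the `reset_async` hunk that follows, and the `session_token` wording recurs in the existing-password and recovery_codes.py hunks.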
@@ -101,30 +87,16 @@ async def reset_async( Note that a successful password reset via an existing session will revoke all active sessions for the `member_id`, except for the one used during the reset flow. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - password: The password to authenticate, reset, or set for the first time. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want - to use the Stytch session product, you can ignore the session fields in the response. - - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in - `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To - delete a key, supply a null value. 
Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored. - Total custom claims size cannot exceed four kilobytes. - - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - password: The password for the Member. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc. + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you do not wish to use Stytch's session product, you can ignore the session fields in the response. + - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. 
To update a key in an existing Session, supply a new value. To delete a key, supply a null value. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + - locale: Used to determine which language to use when sending the member this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} diff --git a/stytch/b2b/api/recovery_codes.py b/stytch/b2b/api/recovery_codes.py index 961134e1..bd53d8d7 100644 --- a/stytch/b2b/api/recovery_codes.py +++ b/stytch/b2b/api/recovery_codes.py 
@@ -40,26 +40,15 @@ def recover( """Allows a Member to complete an MFA flow by consuming a recovery code. This consumes the recovery code and returns a session token that can be used to authenticate the Member. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. - - recovery_code: The recovery code generated by a secondary MFA method. This code is used to authenticate in place of the secondary MFA method if that method as a backup. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - recovery_code: The recovery code generated by a secondary MFA method. This code is used to authenticate in place of the secondary MFA method as a backup - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. 
The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want - to use the Stytch session product, you can ignore the session fields in the response. - - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in - `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To - delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored. 
- Total custom claims size cannot exceed four kilobytes. + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} 
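Review bot: The new `session_duration_minutes` text for `recover` ends with "a Stytch session will not be created", where the removed text said a 60 minute session is created by default, yet the unchanged summary line still says the call "returns a session token that can be used to authenticate the Member". Which of the two matches the API cannot be told from this hunk, but a caller who omits the parameter needs to know whether the recovery code is consumed without a session coming back. I would add a sentence such as `If omitted, the recovery code is still consumed but no session_token or session_jwt is returned.`, or adjust the summary, once the behaviour is confirmed. The added `recovery_code` line also lost its closing period. The `recover_async` hunk below has the same text.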
@@ -100,26 +89,15 @@ async def recover_async( """Allows a Member to complete an MFA flow by consuming a recovery code. This consumes the recovery code and returns a session token that can be used to authenticate the Member. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. - - recovery_code: The recovery code generated by a secondary MFA method. This code is used to authenticate in place of the secondary MFA method if that method as a backup. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - recovery_code: The recovery code generated by a secondary MFA method. This code is used to authenticate in place of the secondary MFA method as a backup - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. 
The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want - to use the Stytch session product, you can ignore the session fields in the response. - - session_custom_claims: Add a custom claims map to the Session being authenticated. 
Claims are only created if a Session is initialized by providing a value in - `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To - delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored. - Total custom claims size cannot exceed four kilobytes. + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. 
- telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} @@ -153,8 +131,8 @@ def get( """Returns a Member's full set of active recovery codes. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -176,8 +154,8 @@ async def get_async( """Returns a Member's full set of active recovery codes. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -199,8 +177,8 @@ def rotate( """Rotate a Member's recovery codes. This invalidates all existing recovery codes and generates a new set of recovery codes. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -220,8 +198,8 @@ async def rotate_async( """Rotate a Member's recovery codes. This invalidates all existing recovery codes and generates a new set of recovery codes. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { diff --git a/stytch/b2b/api/scim_connection.py b/stytch/b2b/api/scim_connection.py index a3a3962c..cd8c7709 100644 --- a/stytch/b2b/api/scim_connection.py +++ b/stytch/b2b/api/scim_connection.py 
@@ -55,10 +55,11 @@ def update( """Update a SCIM Connection. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. - connection_id: The ID of the SCIM connection. - display_name: A human-readable display name for the connection. - - identity_provider: (no documentation yet) + - identity_provider: Name of the IdP. Enum with possible values: `classlink`, `cyberark`, `duo`, `google-workspace`, `jumpcloud`, `keycloak`, `miniorange`, `microsoft-entra`, `okta`, `onelogin`, `pingfederate`, `rippling`, `salesforce`, `shibboleth`, or `generic`. + Specifying a known provider allows Stytch to handle any provider-specific logic. - scim_group_implicit_role_assignments: An array of SCIM group implicit role assignments. Each object in the array must contain a `group_id` and a `role_id`. """ # noqa headers: Dict[str, str] = {} 
@@ -98,10 +99,11 @@ async def update_async( """Update a SCIM Connection. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. - connection_id: The ID of the SCIM connection. - display_name: A human-readable display name for the connection. - - identity_provider: (no documentation yet) + - identity_provider: Name of the IdP. Enum with possible values: `classlink`, `cyberark`, `duo`, `google-workspace`, `jumpcloud`, `keycloak`, `miniorange`, `microsoft-entra`, `okta`, `onelogin`, `pingfederate`, `rippling`, `salesforce`, `shibboleth`, or `generic`. + Specifying a known provider allows Stytch to handle any provider-specific logic. - scim_group_implicit_role_assignments: An array of SCIM group implicit role assignments. Each object in the array must contain a `group_id` and a `role_id`. """ # noqa headers: Dict[str, str] = {} @@ -136,7 +138,7 @@ def delete( """Deletes a SCIM Connection. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. - connection_id: The ID of the SCIM connection. """ # noqa headers: Dict[str, str] = {} 
@@ -162,7 +164,7 @@ async def delete_async( """Deletes a SCIM Connection. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. - connection_id: The ID of the SCIM connection. """ # noqa headers: Dict[str, str] = {} @@ -188,7 +190,7 @@ def rotate_start( """Start a SCIM token rotation. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. - connection_id: The ID of the SCIM connection. """ # noqa headers: Dict[str, str] = {} @@ -215,7 +217,7 @@ async def rotate_start_async( """Start a SCIM token rotation. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. - connection_id: The ID of the SCIM connection. """ # noqa headers: Dict[str, str] = {} 
@@ -242,7 +244,7 @@ def rotate_complete( """Completes a SCIM token rotation. This will complete the current token rotation process and update the active token to be the new token supplied in the [start SCIM token rotation](https://stytch.com/docs/b2b/api/scim-rotate-token-start) response. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. - connection_id: The ID of the SCIM connection. """ # noqa headers: Dict[str, str] = {} @@ -269,7 +271,7 @@ async def rotate_complete_async( """Completes a SCIM token rotation. This will complete the current token rotation process and update the active token to be the new token supplied in the [start SCIM token rotation](https://stytch.com/docs/b2b/api/scim-rotate-token-start) response. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. - connection_id: The ID of the SCIM connection. """ # noqa headers: Dict[str, str] = {} 
@@ -296,7 +298,7 @@ def rotate_cancel( """Cancel a SCIM token rotation. This will cancel the current token rotation process, keeping the original token active. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. - connection_id: The ID of the SCIM connection. """ # noqa headers: Dict[str, str] = {} @@ -323,7 +325,7 @@ async def rotate_cancel_async( """Cancel a SCIM token rotation. This will cancel the current token rotation process, keeping the original token active. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. - connection_id: The ID of the SCIM connection. """ # noqa headers: Dict[str, str] = {} 
@@ -352,10 +354,10 @@ def get_groups( """Gets a paginated list of all SCIM Groups associated with a given Connection. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. - connection_id: The ID of the SCIM connection. - - cursor: The `cursor` field allows you to paginate through your results. Each result array is limited to 1000 results. If your query returns more than 1000 results, you will need to paginate the responses using the `cursor`. If you receive a response that includes a non-null `next_cursor` in the `results_metadata` object, repeat the search call with the `next_cursor` value set to the `cursor` field to retrieve the next page of results. Continue to make search calls until the `next_cursor` in the response is null. - - limit: The number of search results to return per page. The default limit is 100. A maximum of 1000 results can be returned by a single search request. If the total size of your result set is greater than one page size, you must paginate the response. See the `cursor` field. + - cursor: The `cursor` field allows you to paginate through your results. If your query returns more than the size of the page, you will need to paginate the responses using the `cursor`. If you receive a response that includes a non-null `next_cursor` in the `results_metadata` object, repeat the search call with the `next_cursor` value set to the `cursor` field to retrieve the next page of results. Continue to make search calls until the `next_cursor` in the response is null. + - limit: The number of search results to return per page. 
If the total size of your result set is greater than one page size, you must paginate the response. See the `cursor` field. """ # noqa headers: Dict[str, str] = {} if method_options is not None: 
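Review bot: The `limit` and `cursor` entries no longer state any page-size numbers: the removed lines gave a default of 100 and a maximum of 1000 results per request, while the new text refers only to "the size of the page". If those bounds still apply to this endpoint, keep them in the field entry, e.g. `limit: The number of search results to return per page. The default limit is 100 and the maximum is 1000.` If they were dropped because they differ for SCIM groups, the docstring should say where the caller finds the effective values. The `get_groups_async` hunk carries the same change.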
@@ -386,10 +388,10 @@ async def get_groups_async( """Gets a paginated list of all SCIM Groups associated with a given Connection. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. - connection_id: The ID of the SCIM connection. - - cursor: The `cursor` field allows you to paginate through your results. Each result array is limited to 1000 results. If your query returns more than 1000 results, you will need to paginate the responses using the `cursor`. If you receive a response that includes a non-null `next_cursor` in the `results_metadata` object, repeat the search call with the `next_cursor` value set to the `cursor` field to retrieve the next page of results. Continue to make search calls until the `next_cursor` in the response is null. - - limit: The number of search results to return per page. The default limit is 100. A maximum of 1000 results can be returned by a single search request. If the total size of your result set is greater than one page size, you must paginate the response. See the `cursor` field. + - cursor: The `cursor` field allows you to paginate through your results. If your query returns more than the size of the page, you will need to paginate the responses using the `cursor`. If you receive a response that includes a non-null `next_cursor` in the `results_metadata` object, repeat the search call with the `next_cursor` value set to the `cursor` field to retrieve the next page of results. Continue to make search calls until the `next_cursor` in the response is null. 
+ - limit: The number of search results to return per page. If the total size of your result set is greater than one page size, you must paginate the response. See the `cursor` field. """ # noqa headers: Dict[str, str] = {} if method_options is not None: @@ -419,9 +421,10 @@ def create( """Create a new SCIM Connection. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. - display_name: A human-readable display name for the connection. - - identity_provider: (no documentation yet) + - identity_provider: Name of the IdP. Enum with possible values: `classlink`, `cyberark`, `duo`, `google-workspace`, `jumpcloud`, `keycloak`, `miniorange`, `microsoft-entra`, `okta`, `onelogin`, `pingfederate`, `rippling`, `salesforce`, `shibboleth`, or `generic`. + Specifying a known provider allows Stytch to handle any provider-specific logic. """ # noqa headers: Dict[str, str] = {} if method_options is not None: 
@@ -448,9 +451,10 @@ async def create_async( """Create a new SCIM Connection. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. - display_name: A human-readable display name for the connection. - - identity_provider: (no documentation yet) + - identity_provider: Name of the IdP. Enum with possible values: `classlink`, `cyberark`, `duo`, `google-workspace`, `jumpcloud`, `keycloak`, `miniorange`, `microsoft-entra`, `okta`, `onelogin`, `pingfederate`, `rippling`, `salesforce`, `shibboleth`, or `generic`. + Specifying a known provider allows Stytch to handle any provider-specific logic. """ # noqa headers: Dict[str, str] = {} if method_options is not None: @@ -475,7 +479,7 @@ def get( """Get SCIM Connection. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. """ # noqa headers: Dict[str, str] = {} if method_options is not None: 
@@ -496,7 +500,7 @@ async def get_async( """Get SCIM Connection. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. """ # noqa headers: Dict[str, str] = {} if method_options is not None: diff --git a/stytch/b2b/api/sessions.py b/stytch/b2b/api/sessions.py index bf746abf..89dd1b76 100644 --- a/stytch/b2b/api/sessions.py +++ b/stytch/b2b/api/sessions.py @@ -57,8 +57,8 @@ def get( """Retrieves all active Sessions for a Member. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -78,8 +78,8 @@ async def get_async( """Retrieves all active Sessions for a Member. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -111,35 +111,15 @@ def authenticate( Otherwise, the response will contain a list of Roles that satisfied the authorization check. Fields: - - session_token: A secret token for a given Stytch Session. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want - to use the Stytch session product, you can ignore the session fields in the response. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in - `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To - delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored. - Total custom claims size cannot exceed four kilobytes. + - session_token: The `session_token` associated with a Member's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. 
Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - authorization_check: If an `authorization_check` object is passed in, this endpoint will also check if the Member is - authorized to perform the given action on the given Resource in the specified Organization. A Member is authorized if - their Member Session contains a Role, assigned - [explicitly or implicitly](https://stytch.com/docs/b2b/guides/rbac/role-assignment), with adequate permissions. - In addition, the `organization_id` passed in the authorization check must match the Member's Organization. - - The Roles on the Member Session may differ from the Roles you see on the Member object - Roles that are implicitly - assigned by SSO connection or SSO group will only be valid for a Member Session if there is at least one authentication - factor on the Member Session from the specified SSO connection. 
- - If the Member is not authorized to perform the specified action on the specified Resource, or if the - `organization_id` does not match the Member's Organization, a 403 error will be thrown. - Otherwise, the response will contain a list of Roles that satisfied the authorization check. + authorized to perform the given action on the given Resource. A Member is authorized if they are assigned a Role with adequate permissions. + If the Member is not authorized to perform the specified action on the specified Resource, a 403 error will be thrown. + Otherwise, the response will contain a list of Roles that satisfied the authorization check. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = {} 
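Review bot: The rewritten `authorization_check` entry drops two authorization caveats that the removed lines stated. The first is that the `organization_id` passed in the check must match the Member's Organization, with a 403 on mismatch. The second is that Roles implicitly assigned by an SSO connection or SSO group are only valid when the Member Session holds an authentication factor from that connection. A caller reading only the new text could assume the check uses the Roles shown on the Member object and is not scoped to a tenant. If the API behaviour is unchanged, keep a sentence such as `The organization_id passed in the authorization check must match the Member's Organization, otherwise a 403 error will be thrown.` in the field entry. The `authenticate_async` hunk has the same change, and the method summary above `Fields:` starts outside this hunk, so it may still carry these points.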
@@ -182,35 +162,15 @@ async def authenticate_async( Otherwise, the response will contain a list of Roles that satisfied the authorization check. Fields: - - session_token: A secret token for a given Stytch Session. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want - to use the Stytch session product, you can ignore the session fields in the response. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in - `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To - delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored. - Total custom claims size cannot exceed four kilobytes. + - session_token: The `session_token` associated with a Member's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. 
Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - authorization_check: If an `authorization_check` object is passed in, this endpoint will also check if the Member is - authorized to perform the given action on the given Resource in the specified Organization. A Member is authorized if - their Member Session contains a Role, assigned - [explicitly or implicitly](https://stytch.com/docs/b2b/guides/rbac/role-assignment), with adequate permissions. - In addition, the `organization_id` passed in the authorization check must match the Member's Organization. - - The Roles on the Member Session may differ from the Roles you see on the Member object - Roles that are implicitly - assigned by SSO connection or SSO group will only be valid for a Member Session if there is at least one authentication - factor on the Member Session from the specified SSO connection. 
- - If the Member is not authorized to perform the specified action on the specified Resource, or if the - `organization_id` does not match the Member's Organization, a 403 error will be thrown. - Otherwise, the response will contain a list of Roles that satisfied the authorization check. + authorized to perform the given action on the given Resource. A Member is authorized if they are assigned a Role with adequate permissions. + If the Member is not authorized to perform the specified action on the specified Resource, a 403 error will be thrown. + Otherwise, the response will contain a list of Roles that satisfied the authorization check. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = {} 
@@ -244,10 +204,10 @@ def revoke( """Revoke a Session and immediately invalidate all its tokens. To revoke a specific Session, pass either the `member_session_id`, `session_token`, or `session_jwt`. To revoke all Sessions for a Member, pass the `member_id`. Fields: - - member_session_id: Globally unique UUID that identifies a specific Session in the Stytch API. The `member_session_id` is critical to perform operations on an Session, so be sure to preserve this value. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. + - member_session_id: Globally unique UUID that identifies a specific Session in the Stytch API. + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. """ # noqa headers: Dict[str, str] = {} if method_options is not None: 
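Review bot: The new `session_token` and `session_jwt` entries no longer say that these values are secrets. The removed line read `A secret token for a given Stytch Session.`, while the replacement only says the token is associated with a Member's existing Session. Both values authenticate the session on their own, so the docstring should keep that wording, e.g. `session_token: The secret session_token associated with a Member's existing Session; do not log or expose it.` The same replacement appears in the `revoke_async`, `authenticate` and `authenticate_async` hunks. The body of `revoke` continues outside this hunk.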
@@ -277,10 +237,10 @@ async def revoke_async( """Revoke a Session and immediately invalidate all its tokens. To revoke a specific Session, pass either the `member_session_id`, `session_token`, or `session_jwt`. To revoke all Sessions for a Member, pass the `member_id`. Fields: - - member_session_id: Globally unique UUID that identifies a specific Session in the Stytch API. The `member_session_id` is critical to perform operations on an Session, so be sure to preserve this value. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. + - member_session_id: Globally unique UUID that identifies a specific Session in the Stytch API. + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. """ # noqa headers: Dict[str, str] = {} if method_options is not None: 
@@ -327,31 +287,13 @@ def exchange( The `session_duration_minutes` and `session_custom_claims` parameters will be ignored. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - session_token: The `session_token` belonging to the member that you wish to associate the email with. - - session_jwt: The `session_jwt` belonging to the member that you wish to associate the email with. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want - to use the Stytch session product, you can ignore the session fields in the response. - - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in - `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To - delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored. - Total custom claims size cannot exceed four kilobytes. 
+ - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - locale: If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode. - - Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. 
- - Currently supported languages are English (`"en"`), Spanish (`"es"`), and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} 
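Review bot: The rewritten `session_duration_minutes` entry in `exchange` reverses the documented default with no visible code change. It now ends with `a Stytch session will not be created`, where the removed text said a session `will be created with a 60 minute duration`, so a caller who omits the parameter cannot tell from this page which session lifetime applies. The new sentence also sits under the context line saying `session_duration_minutes` and `session_custom_claims` will be ignored; that line's condition is outside the hunk. I would confirm the behaviour per endpoint and state it explicitly, along the lines of `If session_duration_minutes is not specified, <confirmed default for this endpoint>.` The same sentence is added in `exchange_async`, `exchange_access_token`, `exchange_access_token_async`, `attest`, `attest_async`, `migrate` and `migrate_async`.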
@@ -403,31 +345,13 @@ async def exchange_async( The `session_duration_minutes` and `session_custom_claims` parameters will be ignored. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - session_token: The `session_token` belonging to the member that you wish to associate the email with. - - session_jwt: The `session_jwt` belonging to the member that you wish to associate the email with. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want - to use the Stytch session product, you can ignore the session fields in the response. - - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in - `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To - delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored. 
- Total custom claims size cannot exceed four kilobytes. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - locale: If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode. 
- - Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - - Currently supported languages are English (`"en"`), Spanish (`"es"`), and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} 
@@ -469,20 +393,9 @@ def exchange_access_token( Fields: - access_token: The access token to exchange for a Stytch Session. Must be granted the `full_access` scope. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want - to use the Stytch session product, you can ignore the session fields in the response. - - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in - `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To - delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored. - Total custom claims size cannot exceed four kilobytes. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). 
If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} 
@@ -518,20 +431,9 @@ async def exchange_access_token_async( Fields: - access_token: The access token to exchange for a Stytch Session. Must be granted the `full_access` scope. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want - to use the Stytch session product, you can ignore the session fields in the response. - - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in - `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To - delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored. - Total custom claims size cannot exceed four kilobytes. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. 
This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} 
@@ -566,22 +468,11 @@ def attest( - profile_id: The ID of the trusted auth token profile to use for attestation. - token: The trusted auth token to authenticate. The token must have an organization ID claim if JIT provisioning is enabled. - organization_id: The organization ID that the session should be authenticated in. Must be provided if the trusted auth token does not have an organization ID claim. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want - to use the Stytch session product, you can ignore the session fields in the response. - - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in - `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To - delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored. - Total custom claims size cannot exceed four kilobytes. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. 
Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - session_token: The `session_token` for the session that you wish to add the trusted auth token authentication factor to. - - session_jwt: The `session_jwt` for the session that you wish to add the trusted auth token authentication factor to. + - session_jwt: The JSON Web Token (JWT) for the session that you wish to add the trusted auth token authentication factor to. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} 
@@ -623,22 +514,11 @@ async def attest_async( - profile_id: The ID of the trusted auth token profile to use for attestation. - token: The trusted auth token to authenticate. The token must have an organization ID claim if JIT provisioning is enabled. - organization_id: The organization ID that the session should be authenticated in. Must be provided if the trusted auth token does not have an organization ID claim. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want - to use the Stytch session product, you can ignore the session fields in the response. - - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in - `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To - delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored. - Total custom claims size cannot exceed four kilobytes. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. 
This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - session_token: The `session_token` for the session that you wish to add the trusted auth token authentication factor to. - - session_jwt: The `session_jwt` for the session that you wish to add the trusted auth token authentication factor to. + - session_jwt: The JSON Web Token (JWT) for the session that you wish to add the trusted auth token authentication factor to. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} 
@@ -676,22 +556,11 @@ def migrate( You will need to create the member before using this endpoint. Fields: - - session_token: The authorization token Stytch will pass in to the external userinfo endpoint. - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want - to use the Stytch session product, you can ignore the session fields in the response. - - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in - `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To - delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored. - Total custom claims size cannot exceed four kilobytes. + - session_token: The `session_token` associated with a Member's existing Session. 
+ - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
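Review bot: The `session_token` entry in `migrate` now describes a different credential than before. The removed line was `The authorization token Stytch will pass in to the external userinfo endpoint.`, and the new one says it is the token `associated with a Member's existing Session`, which reads as a Stytch-issued session token. If the parameter is still forwarded to an external userinfo endpoint (the request code is outside the hunk, so this is inferred from the old text), the generic wording invites callers to pass the wrong token. I would keep the old sentence for this method. The `migrate_async` hunk has the same replacement.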
@@ -720,22 +589,11 @@ async def migrate_async( You will need to create the member before using this endpoint. Fields: - - session_token: The authorization token Stytch will pass in to the external userinfo endpoint. - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want - to use the Stytch session product, you can ignore the session fields in the response. - - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in - `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To - delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored. - Total custom claims size cannot exceed four kilobytes. + - session_token: The `session_token` associated with a Member's existing Session. 
+ - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { diff --git a/stytch/b2b/api/sso.py b/stytch/b2b/api/sso.py index 12df949e..84ed80ae 100644 --- a/stytch/b2b/api/sso.py +++ b/stytch/b2b/api/sso.py 
@@ -54,7 +54,7 @@ def get_connections( """Get all SSO Connections owned by the organization. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. """ # noqa headers: Dict[str, str] = {} if method_options is not None: @@ -75,7 +75,7 @@ async def get_connections_async( """Get all SSO Connections owned by the organization. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. """ # noqa headers: Dict[str, str] = {} if method_options is not None: 
@@ -97,8 +97,8 @@ def delete_connection( """Delete an existing SSO connection. Fields: - - organization_id: The organization ID that the SSO connection belongs to. You may also use the organization_slug or organization_external_id here as a convenience. - - connection_id: The ID of the SSO connection. SAML, OIDC, and External connection IDs can be provided. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - connection_id: Globally unique UUID that identifies a specific SSO connection. """ # noqa headers: Dict[str, str] = {} if method_options is not None: @@ -123,8 +123,8 @@ async def delete_connection_async( """Delete an existing SSO connection. Fields: - - organization_id: The organization ID that the SSO connection belongs to. You may also use the organization_slug or organization_external_id here as a convenience. - - connection_id: The ID of the SSO connection. SAML, OIDC, and External connection IDs can be provided. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - connection_id: Globally unique UUID that identifies a specific SSO connection. """ # noqa headers: Dict[str, str] = {} if method_options is not None: 
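Review bot: The new `connection_id` entry in `delete_connection` drops `SAML, OIDC, and External connection IDs can be provided.`, so the docstring no longer says which connection types this call can delete. The `organization_id` entry likewise loses the statement that it is the organization the SSO connection belongs to. For a destructive call I would keep both, e.g. `- connection_id: Globally unique UUID that identifies a specific SSO connection. SAML, OIDC, and External connection IDs can be provided.` The `delete_connection_async` hunk on the same line makes the same change, and both function bodies continue outside their hunks.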
@@ -166,32 +166,16 @@ def authenticate( If a valid `session_token` or `session_jwt` is passed in, the Member will not be required to complete an MFA step. Fields: - - sso_token: The token to authenticate. + - sso_token: The SSO token from the `?token=` query parameter in the URL. - pkce_code_verifier: A base64url encoded one time secret used to validate that the request starts and ends on the same device. - - session_token: The `session_token` belonging to the member that you wish to associate the email with. - - session_jwt: The `session_jwt` belonging to the member that you wish to associate the email with. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want - to use the Stytch session product, you can ignore the session fields in the response. - - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in - `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To - delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored. - Total custom claims size cannot exceed four kilobytes. 
- - locale: If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode. - - Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - - Currently supported languages are English (`"en"`), Spanish (`"es"`), and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. 
+ - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. + Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - intermediate_session_token: Adds this primary authentication factor to the intermediate session token. If the resulting set of factors satisfies the organization's primary authentication requirements and MFA requirements, the intermediate session token will be consumed and converted to a member session. If not, the same intermediate session token will be returned. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa 
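Review bot: The new `locale` entry in `authenticate` ends with a malformed Markdown link: the target closes with `sf_link")`, so the stray `"` becomes part of the URL, and the entry should end `...viewform?usp=sf_link)!`. The same entry now says only "when sending the user this delivery method" and no longer states that this endpoint may pre-emptively send an SMS one-time passcode when the Member has to complete an MFA step, which is a side effect callers need to know about. The `session_duration_minutes` sentence also flips from "created with a 60 minute duration" to "a Stytch session will not be created"; please confirm that against the endpoint's real default, since integrators decide whether to pass a duration from this sentence. The `authenticate_async` hunk that follows carries the same three changes. The docstring starts before this hunk, so the opening of the description is not visible here.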
@@ -246,32 +230,16 @@ async def authenticate_async( If a valid `session_token` or `session_jwt` is passed in, the Member will not be required to complete an MFA step. Fields: - - sso_token: The token to authenticate. + - sso_token: The SSO token from the `?token=` query parameter in the URL. - pkce_code_verifier: A base64url encoded one time secret used to validate that the request starts and ends on the same device. - - session_token: The `session_token` belonging to the member that you wish to associate the email with. - - session_jwt: The `session_jwt` belonging to the member that you wish to associate the email with. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want - to use the Stytch session product, you can ignore the session fields in the response. - - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in - `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To - delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored. - Total custom claims size cannot exceed four kilobytes. 
- - locale: If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode. - - Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - - Currently supported languages are English (`"en"`), Spanish (`"es"`), and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. 
+ - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. + Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - intermediate_session_token: Adds this primary authentication factor to the intermediate session token. If the resulting set of factors satisfies the organization's primary authentication requirements and MFA requirements, the intermediate session token will be consumed and converted to a member session. If not, the same intermediate session token will be returned. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa diff --git a/stytch/b2b/api/sso_external.py b/stytch/b2b/api/sso_external.py index 87864504..85d89e92 100644 --- a/stytch/b2b/api/sso_external.py +++ b/stytch/b2b/api/sso_external.py 
@@ -49,12 +49,12 @@ def create_connection(
 """Create a new External SSO Connection.

 Fields:
- - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
+ - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience.
 - external_organization_id: Globally unique UUID that identifies a different Organization within your Project.
 - external_connection_id: Globally unique UUID that identifies a specific SSO connection configured for a different Organization in your Project.
 - display_name: A human-readable display name for the connection.
- - connection_implicit_role_assignments: (no documentation yet)
- - group_implicit_role_assignments: (no documentation yet)
+ - connection_implicit_role_assignments: An array of role assignments that are automatically applied to Members when they authenticate via this external SSO connection. Each entry must include a `role_id`.
+ - group_implicit_role_assignments: An array of role assignments based on group membership from the external SSO connection. Members that authenticate with specific groups will automatically be assigned the associated roles. Each entry must include a `group` and `role_id`.
 """ # noqa
 headers: Dict[str, str] = {}
 if method_options is not None:
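Review bot: The new descriptions of `connection_implicit_role_assignments` and `group_implicit_role_assignments` in `create_connection` leave out the constraints that `update_connection` in this same file documents for the equivalent fields. Those are that implicit role assignments are not supported when the underlying SSO connection is OIDC, and that group assignments need a "groups" key in the underlying SAML connection's `attribute_mapping`. Because these fields grant Roles automatically at login, I would append to each entry `See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment). Not supported if the underlying SSO connection is an OIDC connection.`, assuming the same limits apply on create, which this hunk does not show. The `create_connection_async` hunk has the same text. The function body continues past the end of the hunk.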
@@ -98,12 +98,12 @@ async def create_connection_async(
 """Create a new External SSO Connection.

 Fields:
- - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
+ - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience.
 - external_organization_id: Globally unique UUID that identifies a different Organization within your Project.
 - external_connection_id: Globally unique UUID that identifies a specific SSO connection configured for a different Organization in your Project.
 - display_name: A human-readable display name for the connection.
- - connection_implicit_role_assignments: (no documentation yet)
- - group_implicit_role_assignments: (no documentation yet)
+ - connection_implicit_role_assignments: An array of role assignments that are automatically applied to Members when they authenticate via this external SSO connection. Each entry must include a `role_id`.
+ - group_implicit_role_assignments: An array of role assignments based on group membership from the external SSO connection. Members that authenticate with specific groups will automatically be assigned the associated roles. Each entry must include a `group` and `role_id`.
 """ # noqa
 headers: Dict[str, str] = {}
 if method_options is not None:
@@ -146,16 +146,16 @@ def update_connection( """Updates an existing External SSO connection. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - connection_id: Globally unique UUID that identifies a specific External SSO Connection. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - connection_id: Globally unique UUID that identifies a specific SSO connection. - display_name: A human-readable display name for the connection. - external_connection_implicit_role_assignments: All Members who log in with this External connection will implicitly receive the specified Roles. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role assignment. Implicit role assignments are not supported for External connections if the underlying SSO connection is an OIDC connection. - external_group_implicit_role_assignments: Defines the names of the groups - that grant specific role assignments. For each group-Role pair, if a Member logs in with this external connection and - belongs to the specified group, they will be granted the associated Role. See the - [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role assignment. Before adding any group implicit role assignments to an external connection, you must add a "groups" key to the underlying SAML connection's - `attribute_mapping`. Make sure that the SAML connection IdP is configured to correctly send the group information. Implicit role assignments are not supported - for External connections if the underlying SSO connection is an OIDC connection. 
+ that grant specific role assignments. For each group-Role pair, if a Member logs in with this external connection and + belongs to the specified group, they will be granted the associated Role. See the + [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role assignment. Before adding any group implicit role assignments to an external connection, you must add a "groups" key to the underlying SAML connection's + `attribute_mapping`. Make sure that the SAML connection IdP is configured to correctly send the group information. Implicit role assignments are not supported + for External connections if the underlying SSO connection is an OIDC connection. """ # noqa headers: Dict[str, str] = {} if method_options is not None: 
@@ -199,16 +199,16 @@ async def update_connection_async( """Updates an existing External SSO connection. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - connection_id: Globally unique UUID that identifies a specific External SSO Connection. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - connection_id: Globally unique UUID that identifies a specific SSO connection. - display_name: A human-readable display name for the connection. - external_connection_implicit_role_assignments: All Members who log in with this External connection will implicitly receive the specified Roles. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role assignment. Implicit role assignments are not supported for External connections if the underlying SSO connection is an OIDC connection. - external_group_implicit_role_assignments: Defines the names of the groups - that grant specific role assignments. For each group-Role pair, if a Member logs in with this external connection and - belongs to the specified group, they will be granted the associated Role. See the - [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role assignment. Before adding any group implicit role assignments to an external connection, you must add a "groups" key to the underlying SAML connection's - `attribute_mapping`. Make sure that the SAML connection IdP is configured to correctly send the group information. 
Implicit role assignments are not supported - for External connections if the underlying SSO connection is an OIDC connection. + that grant specific role assignments. For each group-Role pair, if a Member logs in with this external connection and + belongs to the specified group, they will be granted the associated Role. See the + [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role assignment. Before adding any group implicit role assignments to an external connection, you must add a "groups" key to the underlying SAML connection's + `attribute_mapping`. Make sure that the SAML connection IdP is configured to correctly send the group information. Implicit role assignments are not supported + for External connections if the underlying SSO connection is an OIDC connection. """ # noqa headers: Dict[str, str] = {} if method_options is not None: diff --git a/stytch/b2b/api/sso_oidc.py b/stytch/b2b/api/sso_oidc.py index e86eef88..2b078b57 100644 --- a/stytch/b2b/api/sso_oidc.py +++ b/stytch/b2b/api/sso_oidc.py 
@@ -40,10 +40,9 @@ def create_connection( """Create a new OIDC Connection. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. - display_name: A human-readable display name for the connection. - identity_provider: Name of the IdP. Enum with possible values: `classlink`, `cyberark`, `duo`, `google-workspace`, `jumpcloud`, `keycloak`, `miniorange`, `microsoft-entra`, `okta`, `onelogin`, `pingfederate`, `rippling`, `salesforce`, `shibboleth`, or `generic`. - Specifying a known provider allows Stytch to handle any provider-specific logic. """ # noqa headers: Dict[str, str] = {} 
@@ -71,10 +70,9 @@ async def create_connection_async( """Create a new OIDC Connection. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. - display_name: A human-readable display name for the connection. - identity_provider: Name of the IdP. Enum with possible values: `classlink`, `cyberark`, `duo`, `google-workspace`, `jumpcloud`, `keycloak`, `miniorange`, `microsoft-entra`, `okta`, `onelogin`, `pingfederate`, `rippling`, `salesforce`, `shibboleth`, or `generic`. - Specifying a known provider allows Stytch to handle any provider-specific logic. """ # noqa headers: Dict[str, str] = {} 
@@ -131,10 +129,10 @@ def update_connection( * `jwks_url` Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - connection_id: Globally unique UUID that identifies a specific SSO `connection_id` for a Member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - connection_id: Globally unique UUID that identifies a specific SSO connection. - display_name: A human-readable display name for the connection. - - client_id: The OAuth2.0 client ID used to authenticate login attempts. This will be provided by the IdP. + - client_id: The ID of the client. - client_secret: The secret belonging to the OAuth2.0 client used to authenticate login attempts. This will be provided by the IdP. - issuer: A case-sensitive `https://` URL that uniquely identifies the IdP. This will be provided by the IdP. - authorization_url: The location of the URL that starts an OAuth login at the IdP. This will be provided by the IdP. 
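Review bot: `client_id` in `update_connection` is reduced to `The ID of the client.`, which no longer says that this is the OAuth2.0 client ID issued by the IdP. It is now inconsistent with the `client_secret` entry directly below, which still says "belonging to the OAuth2.0 client" and "provided by the IdP". I would keep the earlier wording, `- client_id: The OAuth2.0 client ID used to authenticate login attempts. This will be provided by the IdP.` The `update_connection_async` hunk has the same regression. The docstring starts before this hunk and continues after it.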
@@ -142,10 +140,9 @@ def update_connection( - userinfo_url: The location of the IDP's [UserInfo Endpoint](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo). This will be provided by the IdP. - jwks_url: The location of the IdP's JSON Web Key Set, used to verify credentials issued by the IdP. This will be provided by the IdP. - identity_provider: Name of the IdP. Enum with possible values: `classlink`, `cyberark`, `duo`, `google-workspace`, `jumpcloud`, `keycloak`, `miniorange`, `microsoft-entra`, `okta`, `onelogin`, `pingfederate`, `rippling`, `salesforce`, `shibboleth`, or `generic`. - Specifying a known provider allows Stytch to handle any provider-specific logic. - custom_scopes: Include a space-separated list of custom scopes that you'd like to include. Note that this list must be URL encoded, e.g. the spaces must be expressed as %20. - - attribute_mapping: An object that represents the attributes used to identify a Member. This object will map the IdP-defined User attributes to Stytch-specific values, which will appear on the member's Trusted Metadata. + - attribute_mapping: An object that represents the attributes used to identify a Member. This object will map the IdP-defined Member attributes to Stytch-specific values, which will appear on the member's Trusted Metadata. Required attributes: `email` and one of `full_name` or `first_name` and `last_name`. """ # noqa headers: Dict[str, str] = {} if method_options is not None: 
@@ -220,10 +217,10 @@ async def update_connection_async( * `jwks_url` Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - connection_id: Globally unique UUID that identifies a specific SSO `connection_id` for a Member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - connection_id: Globally unique UUID that identifies a specific SSO connection. - display_name: A human-readable display name for the connection. - - client_id: The OAuth2.0 client ID used to authenticate login attempts. This will be provided by the IdP. + - client_id: The ID of the client. - client_secret: The secret belonging to the OAuth2.0 client used to authenticate login attempts. This will be provided by the IdP. - issuer: A case-sensitive `https://` URL that uniquely identifies the IdP. This will be provided by the IdP. - authorization_url: The location of the URL that starts an OAuth login at the IdP. This will be provided by the IdP. 
@@ -231,10 +228,9 @@ async def update_connection_async( - userinfo_url: The location of the IDP's [UserInfo Endpoint](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo). This will be provided by the IdP. - jwks_url: The location of the IdP's JSON Web Key Set, used to verify credentials issued by the IdP. This will be provided by the IdP. - identity_provider: Name of the IdP. Enum with possible values: `classlink`, `cyberark`, `duo`, `google-workspace`, `jumpcloud`, `keycloak`, `miniorange`, `microsoft-entra`, `okta`, `onelogin`, `pingfederate`, `rippling`, `salesforce`, `shibboleth`, or `generic`. - Specifying a known provider allows Stytch to handle any provider-specific logic. - custom_scopes: Include a space-separated list of custom scopes that you'd like to include. Note that this list must be URL encoded, e.g. the spaces must be expressed as %20. - - attribute_mapping: An object that represents the attributes used to identify a Member. This object will map the IdP-defined User attributes to Stytch-specific values, which will appear on the member's Trusted Metadata. + - attribute_mapping: An object that represents the attributes used to identify a Member. This object will map the IdP-defined Member attributes to Stytch-specific values, which will appear on the member's Trusted Metadata. Required attributes: `email` and one of `full_name` or `first_name` and `last_name`. """ # noqa headers: Dict[str, str] = {} if method_options is not None: diff --git a/stytch/b2b/api/sso_saml.py b/stytch/b2b/api/sso_saml.py index ab4a19c6..7be0e0d4 100644 --- a/stytch/b2b/api/sso_saml.py +++ b/stytch/b2b/api/sso_saml.py 
@@ -50,10 +50,9 @@ def create_connection( """Create a new SAML Connection. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. - display_name: A human-readable display name for the connection. - identity_provider: Name of the IdP. Enum with possible values: `classlink`, `cyberark`, `duo`, `google-workspace`, `jumpcloud`, `keycloak`, `miniorange`, `microsoft-entra`, `okta`, `onelogin`, `pingfederate`, `rippling`, `salesforce`, `shibboleth`, or `generic`. - Specifying a known provider allows Stytch to handle any provider-specific logic. """ # noqa headers: Dict[str, str] = {} 
@@ -81,10 +80,9 @@ async def create_connection_async( """Create a new SAML Connection. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. - display_name: A human-readable display name for the connection. - identity_provider: Name of the IdP. Enum with possible values: `classlink`, `cyberark`, `duo`, `google-workspace`, `jumpcloud`, `keycloak`, `miniorange`, `microsoft-entra`, `okta`, `onelogin`, `pingfederate`, `rippling`, `salesforce`, `shibboleth`, or `generic`. - Specifying a known provider allows Stytch to handle any provider-specific logic. """ # noqa headers: Dict[str, str] = {} 
@@ -138,29 +136,28 @@ def update_connection( * `x509_certificate` Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - connection_id: Globally unique UUID that identifies a specific SSO `connection_id` for a Member. - - idp_entity_id: A globally unique name for the IdP. This will be provided by the IdP. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - connection_id: Globally unique UUID that identifies a specific SSO connection. + - idp_entity_id: The entity ID for the identity provider's SAML configuration. This is a unique identifier for the identity provider, typically a URL. - display_name: A human-readable display name for the connection. - - attribute_mapping: An object that represents the attributes used to identify a Member. This object will map the IdP-defined User attributes to Stytch-specific values. Required attributes: `email` and one of `full_name` or `first_name` and `last_name`. + - attribute_mapping: An object that represents the attributes used to identify a Member. This object will map the IdP-defined Member attributes to Stytch-specific values, which will appear on the member's Trusted Metadata. Required attributes: `email` and one of `full_name` or `first_name` and `last_name`. - x509_certificate: A certificate that Stytch will use to verify the sign-in assertion sent by the IdP, in [PEM](https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail) format. See our [X509 guide](https://stytch.com/docs/b2b/api/saml-certificates) for more info. - idp_sso_url: The URL for which assertions for login requests will be sent. This will be provided by the IdP. 
- saml_connection_implicit_role_assignments: All Members who log in with this SAML connection will implicitly receive the specified Roles. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role assignment. - saml_group_implicit_role_assignments: Defines the names of the SAML groups - that grant specific role assignments. For each group-Role pair, if a Member logs in with this SAML connection and - belongs to the specified SAML group, they will be granted the associated Role. See the - [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role assignment. Before adding any group implicit role assignments, you must add a "groups" key to your SAML connection's - `attribute_mapping`. Make sure that your IdP is configured to correctly send the group information. + that grant specific role assignments. For each group-Role pair, if a Member logs in with this SAML connection and + belongs to the specified SAML group, they will be granted the associated Role. See the + [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role assignment. Before adding any group implicit role assignments, you must add a "groups" key to your SAML connection's + `attribute_mapping`. Make sure that your IdP is configured to correctly send the group information. - alternative_audience_uri: An alternative URL to use for the Audience Restriction. This value can be used when you wish to migrate an existing SAML integration to Stytch with zero downtime. Read our [SSO migration guide](https://stytch.com/docs/b2b/guides/migrations/additional-migration-considerations) for more info. - identity_provider: Name of the IdP. Enum with possible values: `classlink`, `cyberark`, `duo`, `google-workspace`, `jumpcloud`, `keycloak`, `miniorange`, `microsoft-entra`, `okta`, `onelogin`, `pingfederate`, `rippling`, `salesforce`, `shibboleth`, or `generic`. 
- Specifying a known provider allows Stytch to handle any provider-specific logic. - signing_private_key: A PKCS1 format RSA private key used for signing SAML requests. Only PKCS1 format (starting with "-----BEGIN RSA PRIVATE KEY-----") is supported. When provided, Stytch will generate a new x509 certificate from this key and return it in the signing_certificates array. - nameid_format: The NameID format the SAML Connection expects to use. Defaults to `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`. - alternative_acs_url: An alternative URL to use for the `AssertionConsumerServiceURL` in SP initiated SAML AuthNRequests. This value can be used when you wish to migrate an existing SAML integration to Stytch with zero downtime. Note that you will be responsible for proxying requests sent to the Alternative ACS URL to Stytch. Read our [SSO migration guide](https://stytch.com/docs/b2b/guides/migrations/additional-migration-considerations) for more info. - idp_initiated_auth_disabled: Determines whether IDP initiated auth is allowed for a given SAML connection. Defaults to false (IDP Initiated Auth is enabled). - saml_encryption_private_key: A PKCS1 format RSA private key used to decrypt encrypted SAML assertions. Only PKCS1 format (starting with "-----BEGIN RSA PRIVATE KEY-----") is supported. - - allow_gateway_callback: (no documentation yet) + - allow_gateway_callback: If set to `true`, the SAML connection will allow gateway callback URLs. This is typically used for advanced integration scenarios. """ # noqa headers: Dict[str, str] = {} if method_options is not None: 
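Review bot: The new `allow_gateway_callback` entry in `update_connection` does not say what a gateway callback URL is, what the default value is, or which URLs become acceptable once the flag is `true`. "Typically used for advanced integration scenarios" gives an integrator nothing to base the decision on. Judging only from the wording, the flag appears to widen where a SAML flow may return to, so the entry should state the default and the exact effect, in the style the neighbouring `idp_initiated_auth_disabled` entry uses ("Defaults to false (...)"). The `idp_entity_id` entry in the same hunk also drops "This will be provided by the IdP", which told the reader where the value comes from. The `update_connection_async` hunk that follows repeats both changes, and the docstring starts before this hunk.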
@@ -246,29 +243,28 @@ async def update_connection_async( * `x509_certificate` Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - connection_id: Globally unique UUID that identifies a specific SSO `connection_id` for a Member. - - idp_entity_id: A globally unique name for the IdP. This will be provided by the IdP. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - connection_id: Globally unique UUID that identifies a specific SSO connection. + - idp_entity_id: The entity ID for the identity provider's SAML configuration. This is a unique identifier for the identity provider, typically a URL. - display_name: A human-readable display name for the connection. - - attribute_mapping: An object that represents the attributes used to identify a Member. This object will map the IdP-defined User attributes to Stytch-specific values. Required attributes: `email` and one of `full_name` or `first_name` and `last_name`. + - attribute_mapping: An object that represents the attributes used to identify a Member. This object will map the IdP-defined Member attributes to Stytch-specific values, which will appear on the member's Trusted Metadata. Required attributes: `email` and one of `full_name` or `first_name` and `last_name`. - x509_certificate: A certificate that Stytch will use to verify the sign-in assertion sent by the IdP, in [PEM](https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail) format. See our [X509 guide](https://stytch.com/docs/b2b/api/saml-certificates) for more info. - idp_sso_url: The URL for which assertions for login requests will be sent. This will be provided by the IdP. 
- saml_connection_implicit_role_assignments: All Members who log in with this SAML connection will implicitly receive the specified Roles. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role assignment. - saml_group_implicit_role_assignments: Defines the names of the SAML groups - that grant specific role assignments. For each group-Role pair, if a Member logs in with this SAML connection and - belongs to the specified SAML group, they will be granted the associated Role. See the - [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role assignment. Before adding any group implicit role assignments, you must add a "groups" key to your SAML connection's - `attribute_mapping`. Make sure that your IdP is configured to correctly send the group information. + that grant specific role assignments. For each group-Role pair, if a Member logs in with this SAML connection and + belongs to the specified SAML group, they will be granted the associated Role. See the + [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role assignment. Before adding any group implicit role assignments, you must add a "groups" key to your SAML connection's + `attribute_mapping`. Make sure that your IdP is configured to correctly send the group information. - alternative_audience_uri: An alternative URL to use for the Audience Restriction. This value can be used when you wish to migrate an existing SAML integration to Stytch with zero downtime. Read our [SSO migration guide](https://stytch.com/docs/b2b/guides/migrations/additional-migration-considerations) for more info. - identity_provider: Name of the IdP. Enum with possible values: `classlink`, `cyberark`, `duo`, `google-workspace`, `jumpcloud`, `keycloak`, `miniorange`, `microsoft-entra`, `okta`, `onelogin`, `pingfederate`, `rippling`, `salesforce`, `shibboleth`, or `generic`. 
- Specifying a known provider allows Stytch to handle any provider-specific logic. - signing_private_key: A PKCS1 format RSA private key used for signing SAML requests. Only PKCS1 format (starting with "-----BEGIN RSA PRIVATE KEY-----") is supported. When provided, Stytch will generate a new x509 certificate from this key and return it in the signing_certificates array. - nameid_format: The NameID format the SAML Connection expects to use. Defaults to `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`. - alternative_acs_url: An alternative URL to use for the `AssertionConsumerServiceURL` in SP initiated SAML AuthNRequests. This value can be used when you wish to migrate an existing SAML integration to Stytch with zero downtime. Note that you will be responsible for proxying requests sent to the Alternative ACS URL to Stytch. Read our [SSO migration guide](https://stytch.com/docs/b2b/guides/migrations/additional-migration-considerations) for more info. - idp_initiated_auth_disabled: Determines whether IDP initiated auth is allowed for a given SAML connection. Defaults to false (IDP Initiated Auth is enabled). - saml_encryption_private_key: A PKCS1 format RSA private key used to decrypt encrypted SAML assertions. Only PKCS1 format (starting with "-----BEGIN RSA PRIVATE KEY-----") is supported. - - allow_gateway_callback: (no documentation yet) + - allow_gateway_callback: If set to `true`, the SAML connection will allow gateway callback URLs. This is typically used for advanced integration scenarios. """ # noqa headers: Dict[str, str] = {} if method_options is not None: 
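Review bot: The `allow_gateway_callback` entry added to the update_connection_async docstring still does not tell an integrator what enabling the flag permits. "Gateway callback URLs" is not defined anywhere in the visible field list, and "advanced integration scenarios" gives no criterion for turning it on. Judging by the name alone (the hunk shows no behaviour), the flag widens which callback destinations a SAML login may use, so the entry should state the default and what becomes accepted, along the lines of `- allow_gateway_callback: Defaults to <default>. When true, <which callback URLs are accepted and who controls them>.` The same sentence is added in the preceding hunk, and the function body continues outside this one.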
@@ -336,9 +332,9 @@ def update_by_url( * `attribute_mapping` (must be supplied using [Update SAML Connection](update-saml-connection)) Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - connection_id: Globally unique UUID that identifies a specific SSO `connection_id` for a Member. - - metadata_url: A URL that points to the IdP metadata. This will be provided by the IdP. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - connection_id: Globally unique UUID that identifies a specific SSO connection. + - metadata_url: The URL of the SAML identity provider's metadata document. This XML document contains the configuration details for the identity provider, including certificates and endpoints. """ # noqa headers: Dict[str, str] = {} if method_options is not None: 
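Review bot: The rewritten `metadata_url` entry in update_by_url drops the sentence "This will be provided by the IdP" while newly stating that the document carries certificates and endpoints. That provenance matters more once the text says the connection's certificates come from this document, so I would keep it: `- metadata_url: The URL of the SAML identity provider's metadata document, as provided by the IdP.` followed by the new second sentence. The same edit is made in the update_by_url_async hunk, and the function body continues outside this hunk.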
@@ -371,9 +367,9 @@ async def update_by_url_async( * `attribute_mapping` (must be supplied using [Update SAML Connection](update-saml-connection)) Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - connection_id: Globally unique UUID that identifies a specific SSO `connection_id` for a Member. - - metadata_url: A URL that points to the IdP metadata. This will be provided by the IdP. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - connection_id: Globally unique UUID that identifies a specific SSO connection. + - metadata_url: The URL of the SAML identity provider's metadata document. This XML document contains the configuration details for the identity provider, including certificates and endpoints. """ # noqa headers: Dict[str, str] = {} if method_options is not None: 
@@ -402,8 +398,8 @@ def delete_verification_certificate( You may need to do this when rotating certificates from your IdP, since Stytch allows a maximum of 5 certificates per connection. There must always be at least one certificate per active connection. Fields: - - organization_id: The organization ID that the SAML connection belongs to. You may also use the organization_slug or organization_external_id here as a convenience. - - connection_id: The ID of the SAML connection. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - connection_id: Globally unique UUID that identifies a specific SSO connection. - certificate_id: The ID of the certificate to be deleted. """ # noqa headers: Dict[str, str] = {} @@ -436,8 +432,8 @@ async def delete_verification_certificate_async( You may need to do this when rotating certificates from your IdP, since Stytch allows a maximum of 5 certificates per connection. There must always be at least one certificate per active connection. Fields: - - organization_id: The organization ID that the SAML connection belongs to. You may also use the organization_slug or organization_external_id here as a convenience. - - connection_id: The ID of the SAML connection. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - connection_id: Globally unique UUID that identifies a specific SSO connection. - certificate_id: The ID of the certificate to be deleted. """ # noqa headers: Dict[str, str] = {} 
@@ -468,8 +464,8 @@ def delete_encryption_private_key( """Delete a SAML encryption private key. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - connection_id: Globally unique UUID that identifies a specific SSO `connection_id` for a Member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - connection_id: Globally unique UUID that identifies a specific SSO connection. - private_key_id: The ID of the encryption private key to be deleted. """ # noqa headers: Dict[str, str] = {} @@ -500,8 +496,8 @@ async def delete_encryption_private_key_async( """Delete a SAML encryption private key. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - connection_id: Globally unique UUID that identifies a specific SSO `connection_id` for a Member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - connection_id: Globally unique UUID that identifies a specific SSO connection. - private_key_id: The ID of the encryption private key to be deleted. """ # noqa headers: Dict[str, str] = {} diff --git a/stytch/b2b/api/totps.py b/stytch/b2b/api/totps.py index 830e65cb..488804bb 100644 --- a/stytch/b2b/api/totps.py +++ b/stytch/b2b/api/totps.py 
@@ -41,12 +41,12 @@ def create( Otherwise, passing an intermediate session token, session token, or session JWT is not required, but if passed must match the `member_id` passed. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. - - expiration_minutes: The expiration for the TOTP registration. If the newly created TOTP registration is not authenticated within this time frame the member will have to restart the registration flow. Defaults to 60 (1 hour) with a minimum of 5 and a maximum of 1440. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - expiration_minutes: The expiration for the TOTP instance. If the newly created TOTP is not authenticated within this time frame the TOTP will be unusable. Defaults to 1440 (1 day) with a minimum of 5 and a maximum of 1440. - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. 
The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
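Review bot: The `expiration_minutes` entry in create changes the documented default from 60 (1 hour) to 1440 (1 day), which is also the stated maximum, and nothing visible in this hunk changes the request code to match. If the API default really is 1440, callers who rely on it leave an unauthenticated TOTP registration usable for a full day, which is worth saying outright. If it is not, the docstring is now wrong. Please confirm against the API and consider `Defaults to 1440 (1 day), the maximum; pass a smaller value to shorten the window.` The same edit appears in create_async, and the function body continues outside the hunk.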
@@ -82,12 +82,12 @@ async def create_async( Otherwise, passing an intermediate session token, session token, or session JWT is not required, but if passed must match the `member_id` passed. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. - - expiration_minutes: The expiration for the TOTP registration. If the newly created TOTP registration is not authenticated within this time frame the member will have to restart the registration flow. Defaults to 60 (1 hour) with a minimum of 5 and a maximum of 1440. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - expiration_minutes: The expiration for the TOTP instance. If the newly created TOTP is not authenticated within this time frame the TOTP will be unusable. Defaults to 1440 (1 day) with a minimum of 5 and a maximum of 1440. - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. 
The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -124,32 +124,18 @@ def authenticate( """Authenticate a Member provided TOTP. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. - code: The code to authenticate. - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. 
It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want - to use the Stytch session product, you can ignore the session fields in the response. - - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in - `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To - delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored. - Total custom claims size cannot exceed four kilobytes. 
+ - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you do not wish to use Stytch's session product, you can ignore the session fields in the response. + - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - set_mfa_enrollment: Optionally sets the Member’s MFA enrollment status upon a successful authentication. If the Organization’s MFA policy is `REQUIRED_FOR_ALL`, this field will be ignored. If this field is not passed in, the Member’s `mfa_enrolled` boolean will not be affected. The options are: - - `enroll` – sets the Member's `mfa_enrolled` boolean to `true`. The Member will be required to complete an MFA step upon subsequent logins to the Organization. 
- - `unenroll` – sets the Member's `mfa_enrolled` boolean to `false`. The Member will no longer be required to complete MFA steps when logging in to the Organization. - + `enroll` – sets the Member's `mfa_enrolled` boolean to `true`. The Member will be required to complete an MFA step upon subsequent logins to the Organization. + `unenroll` – sets the Member's `mfa_enrolled` boolean to `false`. The Member will no longer be required to complete MFA steps when logging in to the Organization. - set_default_mfa: If passed will set the authenticated method to the default MFA method. Completing an MFA authentication flow for the first time for a Member will implicitly set the method to the default MFA method. This option can be used to update the default MFA method if multiple are being used. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa 
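Review bot: The rewritten `session_token` entry in authenticate defines the field by its own name and drops the word "secret" that the old text ("A secret token for a given Stytch Session.") carried. A reader of the SDK docstring no longer learns that this value is a credential to keep out of logs and URLs. I would keep both pieces of information: `- session_token: The secret session token for the Member's existing Session; treat it as a credential.` The same wording is introduced in create, create_async and authenticate_async.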
@@ -197,32 +183,18 @@ async def authenticate_async( """Authenticate a Member provided TOTP. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. - code: The code to authenticate. - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. 
It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want - to use the Stytch session product, you can ignore the session fields in the response. - - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in - `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To - delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored. - Total custom claims size cannot exceed four kilobytes. 
+ - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you do not wish to use Stytch's session product, you can ignore the session fields in the response. + - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - set_mfa_enrollment: Optionally sets the Member’s MFA enrollment status upon a successful authentication. If the Organization’s MFA policy is `REQUIRED_FOR_ALL`, this field will be ignored. If this field is not passed in, the Member’s `mfa_enrolled` boolean will not be affected. The options are: - - `enroll` – sets the Member's `mfa_enrolled` boolean to `true`. The Member will be required to complete an MFA step upon subsequent logins to the Organization. 
- - `unenroll` – sets the Member's `mfa_enrolled` boolean to `false`. The Member will no longer be required to complete MFA steps when logging in to the Organization. - + `enroll` – sets the Member's `mfa_enrolled` boolean to `true`. The Member will be required to complete an MFA step upon subsequent logins to the Organization. + `unenroll` – sets the Member's `mfa_enrolled` boolean to `false`. The Member will no longer be required to complete MFA steps when logging in to the Organization. - set_default_mfa: If passed will set the authenticated method to the default MFA method. Completing an MFA authentication flow for the first time for a Member will implicitly set the method to the default MFA method. This option can be used to update the default MFA method if multiple are being used. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa 
@@ -263,10 +235,10 @@ def migrate( """Migrate an existing TOTP instance for a Member. Recovery codes are not required and will be minted for the Member if not provided. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. - secret: The TOTP secret key shared between the authenticator app and the server used to generate TOTP codes. - - recovery_codes: An existing set of recovery codes to be imported into Stytch to be used to authenticate in place of the secondary MFA method. + - recovery_codes: The recovery codes used to authenticate the user without an authenticator app. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
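Review bot: The new `recovery_codes` entry in migrate no longer says that these are existing codes being imported. That is the only thing separating the supplied-codes path from the one in the method summary, where codes "will be minted for the Member if not provided". It also says "user" where the rest of the docstring says Member. Suggest `- recovery_codes: An existing set of recovery codes to import for the Member; they can be used to authenticate without an authenticator app.` The same edit appears in migrate_async.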
@@ -290,10 +262,10 @@ async def migrate_async( """Migrate an existing TOTP instance for a Member. Recovery codes are not required and will be minted for the Member if not provided. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. - secret: The TOTP secret key shared between the authenticator app and the server used to generate TOTP codes. - - recovery_codes: An existing set of recovery codes to be imported into Stytch to be used to authenticate in place of the secondary MFA method. + - recovery_codes: The recovery codes used to authenticate the user without an authenticator app. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { diff --git a/stytch/b2b/models/discovery.py b/stytch/b2b/models/discovery.py index 397f4e9b..2ba49f0a 100644 --- a/stytch/b2b/models/discovery.py +++ b/stytch/b2b/models/discovery.py 
@@ -18,9 +18,9 @@ class Membership(pydantic.BaseModel): """ Fields: - - type: Either `active_member`, `pending_member`, `invited_member`, `eligible_to_join_by_email_domain`, or `eligible_to_join_by_oauth_tenant` - - details: An object containing additional metadata about the membership, if available. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) if one already exists, or null if one does not. + - type: The type of membership relationship between the member and the discovered organization. Indicates whether the member is already a member, eligible to join, or has pending access requirements. + - details: Additional contextual information or metadata providing further details about the response or error. + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. """ # noqa type: str 
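Review bot: The new `type` line in `Membership` no longer lists the values the field can take, so a caller that branches on it has nothing to match against. The removed line named `active_member`, `pending_member`, `invited_member`, `eligible_to_join_by_email_domain` and `eligible_to_join_by_oauth_tenant`; since this value separates an existing member from someone who is only eligible to join, I would keep that enumeration after the new summary sentence. The `member` line also lost "or null if one does not", and the `details` wording ("about the response or error") looks copied from an unrelated field rather than describing membership metadata.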
@@ -31,11 +31,11 @@ class Membership(pydantic.BaseModel): class DiscoveredOrganization(pydantic.BaseModel): """ Fields: - - member_authenticated: Indicates whether the Member has all of the factors needed to fully authenticate to this Organization. If false, the Member may need to complete an MFA step or complete a different primary authentication flow. See the `primary_required` and `mfa_required` fields for more details on each. - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). - - membership: Information about the membership. - - primary_required: Information about the primary authentication requirements of the Organization. - - mfa_required: Information about the MFA requirements of the Organization and the Member's options for fulfilling MFA. + - member_authenticated: A boolean indicating whether the member has been fully authenticated (true) or if additional steps like MFA are still required (false). + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. + - membership: A member's organizational membership record containing their role, status, and association details. + - primary_required: An object indicating that a primary authentication factor is required, containing the list of allowed authentication methods. + - mfa_required: An object indicating whether multi-factor authentication is required, and which MFA methods are available to complete the authentication flow. """ # noqa member_authenticated: bool diff --git a/stytch/b2b/models/discovery_intermediate_sessions.py b/stytch/b2b/models/discovery_intermediate_sessions.py index faef811e..6c5402ce 100644 --- a/stytch/b2b/models/discovery_intermediate_sessions.py +++ b/stytch/b2b/models/discovery_intermediate_sessions.py 
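Review bot: The rewritten `member_authenticated` line in `DiscoveredOrganization` names only MFA as the possible remaining step, while the text it replaces said the Member may also need to complete a different primary authentication flow. A reader can now take `false` to mean "prompt for MFA" and miss the `primary_required` case. I would restore the pointer, e.g. `- member_authenticated: Whether the Member has all factors needed to authenticate to this Organization; if false, see primary_required and mfa_required.`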
@@ -30,17 +30,17 @@ class ExchangeRequestLocale(str, enum.Enum): class ExchangeResponse(ResponseBase): """Response type for `IntermediateSessions.exchange`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). - - member_authenticated: Indicates whether the Member is fully authenticated. If false, the Member needs to complete an MFA step to log in to the Organization. - - intermediate_session_token: The returned Intermediate Session Token is identical to the one that was originally passed in to the request. If this value is non-empty, the member must complete an MFA step to finish logging in to the Organization. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. - - member_session: The [Session object](https://stytch.com/docs/b2b/api/session-object). 
- - mfa_required: Information about the MFA requirements of the Organization and the Member's options for fulfilling MFA. - - primary_required: Information about the primary authentication requirements of the Organization. - - member_device: If a valid `telemetry_id` was passed in the request and the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) returned results, the `member_device` response field will contain information about the member's device attributes. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. + - member_authenticated: A boolean indicating whether the member has been fully authenticated (true) or if additional steps like MFA are still required (false). + - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. 
It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. + - member_session: The MemberSession object containing details about an active authenticated session, including timing information, authentication factors used, and associated roles. + - mfa_required: An object indicating whether multi-factor authentication is required, and which MFA methods are available to complete the authentication flow. + - primary_required: An object indicating that a primary authentication factor is required, containing the list of allowed authentication methods. + - member_device: Information about the device used by the member for authentication, including device type, fingerprints, and location data. """ # noqa member_id: str diff --git a/stytch/b2b/models/discovery_organizations.py b/stytch/b2b/models/discovery_organizations.py index 062d1862..44d259c3 100644 --- a/stytch/b2b/models/discovery_organizations.py +++ b/stytch/b2b/models/discovery_organizations.py 
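Review bot: The `session_token` line in `ExchangeResponse` no longer says the value is secret: "A secret token for a given Stytch Session" became "The `session_token` associated with a Member's existing Session". The same replacement is made in `CreateResponse`, the impersonation `AuthenticateResponse` and the magic-links `AuthenticateResponse`. The word "secret" is the only cue in these docstrings that the field must be handled as a credential, so I would keep it, e.g. `- session_token: A secret token for the Member's Session; handle it as a credential.` The `intermediate_session_token` line in this hunk and in the magic-links one also drops "If this value is non-empty, the member must complete an MFA step", which is what tells a caller that login is not yet complete.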
@@ -34,18 +34,14 @@ class ListResponse(ResponseBase): Fields: - email_address: The email address. - discovered_organizations: An array of `discovered_organization` objects tied to the `intermediate_session_token`, `session_token`, or `session_jwt`. See the [Discovered Organization Object](https://stytch.com/docs/b2b/api/discovered-organization-object) for complete details. - - Note that Organizations will only appear here under any of the following conditions: - 1. The end user is already a Member of the Organization. - 2. The end user is invited to the Organization. - 3. The end user can join the Organization because: - - a) The Organization allows JIT provisioning. - - b) The Organizations' allowed domains list contains the Member's email domain. - - c) The Organization has at least one other Member with a verified email address with the same domain as the end user (to prevent phishing attacks). - - organization_id_hint: If the intermediate session token is associated with a specific Organization, that Organization ID will be returned here. The Organization ID will be null if the intermediate session token was generated by a email magic link discovery or OAuth discovery flow. If a session token or session JWT is provided, the Organization ID hint will be null. + Note that Organizations will only appear here under any of the following conditions: + 1. The end user is already a Member of the Organization. + 2. The end user is invited to the Organization. + 3. The end user can join the Organization because: + a) The Organization allows JIT provisioning. + b) The Organizations' allowed domains list contains the Member's email domain. + c) The Organization has at least one other Member with a verified email address with the same domain as the end user (to prevent phishing attacks). + - organization_id_hint: A hint suggesting which organization the user should authenticate with, used in discovery flows. """ # noqa email_address: str 
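Review bot: The new `organization_id_hint` text in `ListResponse` drops the statement of when the value is null, so the docstring no longer tells callers the field can be absent. The removed line gave the cases: a token generated by an email magic link or OAuth discovery flow, or a request made with a session token or session JWT. I would keep the nullability sentence after the new summary, e.g. `- organization_id_hint: The Organization ID tied to the intermediate session token, or null for discovery-flow tokens and for session token/JWT requests.`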
@@ -56,17 +52,17 @@ class ListResponse(ResponseBase): class CreateResponse(ResponseBase): """Response type for `Organizations.create`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) - - member_authenticated: Indicates whether the Member is fully authenticated. If false, the Member needs to complete an MFA step to log in to the Organization. - - intermediate_session_token: The returned Intermediate Session Token is identical to the one that was originally passed in to the request. If this value is non-empty, the member must complete an MFA step to finish logging in to the Organization. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. - - member_session: The [Session object](https://stytch.com/docs/b2b/api/session-object). - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). - - mfa_required: Information about the MFA requirements of the Organization and the Member's options for fulfilling MFA. 
- - primary_required: Information about the primary authentication requirements of the Organization. - - member_device: If a valid `telemetry_id` was passed in the request and the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) returned results, the `member_device` response field will contain information about the member's device attributes. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. + - member_authenticated: A boolean indicating whether the member has been fully authenticated (true) or if additional steps like MFA are still required (false). + - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. 
It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. + - member_session: The MemberSession object containing details about an active authenticated session, including timing information, authentication factors used, and associated roles. + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. + - mfa_required: An object indicating whether multi-factor authentication is required, and which MFA methods are available to complete the authentication flow. + - primary_required: An object indicating that a primary authentication factor is required, containing the list of allowed authentication methods. + - member_device: Information about the device used by the member for authentication, including device type, fingerprints, and location data. """ # noqa member_id: str diff --git a/stytch/b2b/models/idp_oauth.py b/stytch/b2b/models/idp_oauth.py index edbc6d75..3109919b 100644 --- a/stytch/b2b/models/idp_oauth.py +++ b/stytch/b2b/models/idp_oauth.py 
@@ -17,8 +17,8 @@ class AuthorizeResponse(ResponseBase): """Response type for `OAuth.authorize`. Fields: - - redirect_uri: The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow. This field is required when using the `authorization_code` grant. - - authorization_code: A one-time use code that can be exchanged for tokens. + - redirect_uri: The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow. This field is required when using the `authorization_code` grant. + - authorization_code: An OAuth authorization code that can be exchanged for access and refresh tokens. """ # noqa redirect_uri: str 
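Review bot: The `authorization_code` line in `AuthorizeResponse` loses the words "one-time use" from the description it replaces. Single use is the property integrators rely on when deciding how to store and retry with the code, so it is worth keeping alongside the added detail: `- authorization_code: A one-time use OAuth authorization code that can be exchanged for access and refresh tokens.`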
@@ -28,12 +28,12 @@ class AuthorizeResponse(ResponseBase): class AuthorizeStartResponse(ResponseBase): """Response type for `OAuth.authorize_start`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). - - client: (no documentation yet) + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. + - client: An OAuth client or connected application object. - consent_required: Whether the user must provide explicit consent for the authorization request. - - scope_results: Details about each requested scope. + - scope_results: Details about which requested scopes were granted or denied during OAuth authorization. """ # noqa member_id: str diff --git a/stytch/b2b/models/impersonation.py b/stytch/b2b/models/impersonation.py index 903fd6e9..db905b30 100644 --- a/stytch/b2b/models/impersonation.py +++ b/stytch/b2b/models/impersonation.py 
@@ -17,16 +17,16 @@ class AuthenticateResponse(ResponseBase): """Response type for `Impersonation.authenticate`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). - - intermediate_session_token: Successfully authenticating an impersonation token will never result in an intermediate session. If the token is valid, a full session will be created. - - member_authenticated: The member will always be fully authenticated if an impersonation token is successfully authenticated. - - member_session: The [Session object](https://stytch.com/docs/b2b/api/session-object) for the impersonated Member. - - mfa_required: MFA will not be required when authenticating impersonation tokens. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. 
+ - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. + - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. + - member_authenticated: A boolean indicating whether the member has been fully authenticated (true) or if additional steps like MFA are still required (false). + - member_session: The MemberSession object containing details about an active authenticated session, including timing information, authentication factors used, and associated roles. + - mfa_required: An object indicating whether multi-factor authentication is required, and which MFA methods are available to complete the authentication flow. """ # noqa member_id: str diff --git a/stytch/b2b/models/magic_links.py b/stytch/b2b/models/magic_links.py index d0a01c4a..5ec3217c 100644 --- a/stytch/b2b/models/magic_links.py +++ b/stytch/b2b/models/magic_links.py 
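Review bot: The impersonation `AuthenticateResponse` docstring replaces its three endpoint-specific statements with generic field text, and the result now contradicts the old wording. The removed lines said that a valid impersonation token never yields an intermediate session, that the member is always fully authenticated, and that MFA is not required. The new `intermediate_session_token` paragraph instead describes using the token to complete an MFA flow, and `member_authenticated` talks about additional steps still being required. That impersonation produces a full session without MFA is the fact an auditor most needs from this docstring, so I would keep the specific lines, e.g. `- mfa_required: MFA will not be required when authenticating impersonation tokens.` and `- member_session: The Session object for the impersonated Member.`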
@@ -26,20 +26,20 @@ class AuthenticateRequestLocale(str, enum.Enum): class AuthenticateResponse(ResponseBase): """Response type for `MagicLinks.authenticate`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - method_id: The email or device involved in the authentication. - - reset_sessions: This field is deprecated. - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). - - intermediate_session_token: The returned Intermediate Session Token contains an Email Magic Link factor associated with the Member's email address. If this value is non-empty, the member must complete an MFA step to finish logging in to the Organization. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. 
- - member_authenticated: Indicates whether the Member is fully authenticated. If false, the Member needs to complete an MFA step to log in to the Organization. - - member_session: The [Session object](https://stytch.com/docs/b2b/api/session-object). - - mfa_required: Information about the MFA requirements of the Organization and the Member's options for fulfilling MFA. - - primary_required: (no documentation yet) - - member_device: If a valid `telemetry_id` was passed in the request and the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) returned results, the `member_device` response field will contain information about the member's device attributes. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - method_id: The unique identifier for a specific authentication method instance (e.g., an email ID, password, TOTP, or phone number). + - reset_sessions: Deprecated: this field is no longer in use. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. + - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. 
The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. + - member_authenticated: A boolean indicating whether the member has been fully authenticated (true) or if additional steps like MFA are still required (false). + - member_session: The MemberSession object containing details about an active authenticated session, including timing information, authentication factors used, and associated roles. + - mfa_required: An object indicating whether multi-factor authentication is required, and which MFA methods are available to complete the authentication flow. + - primary_required: An object indicating that a primary authentication factor is required, containing the list of allowed authentication methods. + - member_device: Information about the device used by the member for authentication, including device type, fingerprints, and location data. """ # noqa member_id: str diff --git a/stytch/b2b/models/magic_links_discovery.py b/stytch/b2b/models/magic_links_discovery.py index d81f65fa..ec528863 100644 --- a/stytch/b2b/models/magic_links_discovery.py +++ b/stytch/b2b/models/magic_links_discovery.py 
@@ -16,19 +16,15 @@ class AuthenticateResponse(ResponseBase): """Response type for `Discovery.authenticate`. Fields: - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. - - email_address: The email address. + - email_address: The email address of the Member. - discovered_organizations: An array of `discovered_organization` objects tied to the `intermediate_session_token`, `session_token`, or `session_jwt`. See the [Discovered Organization Object](https://stytch.com/docs/b2b/api/discovered-organization-object) for complete details. - - Note that Organizations will only appear here under any of the following conditions: - 1. The end user is already a Member of the Organization. - 2. The end user is invited to the Organization. - 3. The end user can join the Organization because: - - a) The Organization allows JIT provisioning. - - b) The Organizations' allowed domains list contains the Member's email domain. 
- - c) The Organization has at least one other Member with a verified email address with the same domain as the end user (to prevent phishing attacks). + Note that Organizations will only appear here under any of the following conditions: + 1. The end user is already a Member of the Organization. + 2. The end user is invited to the Organization. + 3. The end user can join the Organization because: + a) The Organization allows JIT provisioning. + b) The Organizations' allowed domains list contains the Member's email domain. + c) The Organization has at least one other Member with a verified email address with the same domain as the end user (to prevent phishing attacks). """ # noqa intermediate_session_token: str diff --git a/stytch/b2b/models/magic_links_email.py b/stytch/b2b/models/magic_links_email.py index a7c36bb1..bbbcb165 100644 --- a/stytch/b2b/models/magic_links_email.py +++ b/stytch/b2b/models/magic_links_email.py @@ -49,9 +49,9 @@ def add_headers(self, headers: Dict[str, str]) -> Dict[str, str]: class InviteResponse(ResponseBase): """Response type for `Email.invite`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. """ # noqa member_id: str 
@@ -62,10 +62,10 @@ class InviteResponse(ResponseBase): class LoginOrSignupResponse(ResponseBase): """Response type for `Email.login_or_signup`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - member_created: A flag indicating `true` if a new Member object was created and `false` if the Member object already existed. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - member_created: A boolean indicating whether a new member was created during the authentication flow (true) or an existing member was authenticated (false). + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. """ # noqa member_id: str diff --git a/stytch/b2b/models/mfa.py b/stytch/b2b/models/mfa.py index 9f82a760..277e40e2 100644 --- a/stytch/b2b/models/mfa.py +++ b/stytch/b2b/models/mfa.py @@ -14,8 +14,8 @@ class MemberOptions(pydantic.BaseModel): """ Fields: - - mfa_phone_number: The Member's MFA phone number. - - totp_registration_id: The Member's MFA TOTP registration ID. + - mfa_phone_number: The Member's phone number. A Member may only have one phone number. The phone number should be in E.164 format (i.e. +1XXXXXXXXXX). + - totp_registration_id: The unique identifier for the TOTP registration, linking a member to their authenticator app. """ # noqa mfa_phone_number: str 
diff --git a/stytch/b2b/models/oauth.py b/stytch/b2b/models/oauth.py index 5391f36d..f710b79f 100644 --- a/stytch/b2b/models/oauth.py +++ b/stytch/b2b/models/oauth.py @@ -33,11 +33,11 @@ class AuthenticateRequestLocale(str, enum.Enum): class ProviderValues(pydantic.BaseModel): """ Fields: - - scopes: The OAuth scopes included for a given provider. See each provider's section above to see which scopes are included by default and how to add custom scopes. + - scopes: An array of scopes requested by the client. - access_token: The `access_token` that you may use to access the User's data in the provider's API. - - refresh_token: The `refresh_token` that you may use to obtain a new `access_token` for the User within the provider's API. - - expires_at: (no documentation yet) - - id_token: The `id_token` returned by the OAuth provider. ID Tokens are JWTs that contain structured information about a user. The exact content of each ID Token varies from provider to provider. ID Tokens are returned from OAuth providers that conform to the [OpenID Connect](https://openid.net/foundation/) specification, which is based on OAuth. + - refresh_token: An OAuth refresh token that can be used to obtain new access tokens without requiring re-authentication. + - expires_at: The timestamp indicating when the session, token, lock, or other resource will expire. + - id_token: The `id_token` returned by the OAuth provider. ID Tokens are JWTs that contain structured information about a user. The exact content of each ID Token varies from provider to provider. ID Tokens are returned from OAuth providers that conform to the OpenID Connect specification, which is based on OAuth """ # noqa scopes: List[str] 
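Review bot: `scopes` in `ProviderValues` is now described as "An array of scopes requested by the client", where the removed line said these are the scopes included for the provider. On a model that also carries `access_token` and `refresh_token`, requested and granted scopes are different things, and a reader may take the list as what the token can actually do. Suggest keeping `- scopes: The OAuth scopes included for a given provider.`; the same replacement is made in `GithubProviderInfo`, `HubspotProviderInfo` and `OIDCProviderInfo` in organizations.py. `expires_at` went from "(no documentation yet)" to a catch-all sentence ("session, token, lock, or other resource"); it should name the value that expires, presumably the provider `access_token`, to be confirmed against the API.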
@@ -50,24 +50,22 @@ class ProviderValues(pydantic.BaseModel): class AuthenticateResponse(ResponseBase): """Response type for `OAuth.authenticate`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - provider_subject: The unique identifier for the User within a given OAuth provider. Also commonly called the `sub` or "Subject field" in OAuth protocols. - - provider_type: Denotes the OAuth identity provider that the user has authenticated with, e.g. Google, Microsoft, GitHub etc. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). - - reset_sessions: This field is deprecated. - - member_authenticated: Indicates whether the Member is fully authenticated. If false, the Member needs to complete an MFA step to log in to the Organization. - - intermediate_session_token: The returned Intermediate Session Token contains an OAuth factor associated with the Member's email address. If this value is non-empty, the member must complete an MFA step to finish logging in to the Organization. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. 
It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. - - member_session: The [Session object](https://stytch.com/docs/b2b/api/session-object). - - provider_values: The `provider_values` object lists relevant identifiers, values, and scopes for a given OAuth provider. For example this object will include a provider's `access_token` that you can use to access the provider's API for a given user. - - Note that these values will vary based on the OAuth provider in question, e.g. `id_token` is only returned by Microsoft. Google One Tap does not return access tokens or refresh tokens. - - mfa_required: Information about the MFA requirements of the Organization and the Member's options for fulfilling MFA. - - primary_required: Information about the primary authentication requirements of the Organization. - - member_device: If a valid `telemetry_id` was passed in the request and the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) returned results, the `member_device` response field will contain information about the member's device attributes. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - provider_subject: The unique identifier for the user in the identity provider's system, used to link external provider accounts to Stytch members. + - provider_type: The type of OAuth provider (e.g., google, microsoft, slack, github, hubspot) used for authentication. 
+ - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. + - reset_sessions: Deprecated: this field is no longer in use. + - member_authenticated: A boolean indicating whether the member has been fully authenticated (true) or if additional steps like MFA are still required (false). + - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. 
Intermediate Session Tokens have a default expiry of 10 minutes. + - member_session: The MemberSession object containing details about an active authenticated session, including timing information, authentication factors used, and associated roles. + - provider_values: Values or configuration settings specific to an identity provider. + - mfa_required: An object indicating whether multi-factor authentication is required, and which MFA methods are available to complete the authentication flow. + - primary_required: An object indicating that a primary authentication factor is required, containing the list of allowed authentication methods. + - member_device: Information about the device used by the member for authentication, including device type, fingerprints, and location data. """ # noqa member_id: str diff --git a/stytch/b2b/models/oauth_discovery.py b/stytch/b2b/models/oauth_discovery.py index e3d60ae1..0ac46062 100644 --- a/stytch/b2b/models/oauth_discovery.py +++ b/stytch/b2b/models/oauth_discovery.py 
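Review bot: The `intermediate_session_token` entry of the OAuth `AuthenticateResponse` lost the sentence "If this value is non-empty, the member must complete an MFA step to finish logging in to the Organization", which tells callers not to treat the response as a completed login. The replacement is the generic Discovery wording. `session_token` is also no longer described as a secret ("A secret token for a given Stytch Session" became "associated with a Member's existing Session"), and `provider_values` dropped the statement that the object includes the provider's `access_token`. Suggest restoring those statements, e.g. `- session_token: A secret token for a given Stytch Session.`, and keeping the MFA sentence on `intermediate_session_token`.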
@@ -16,23 +16,19 @@ class AuthenticateResponse(ResponseBase): """Response type for `Discovery.authenticate`. Fields: - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. - - email_address: The email address. + - email_address: The email address of the Member. - discovered_organizations: An array of `discovered_organization` objects tied to the `intermediate_session_token`, `session_token`, or `session_jwt`. See the [Discovered Organization Object](https://stytch.com/docs/b2b/api/discovered-organization-object) for complete details. - - Note that Organizations will only appear here under any of the following conditions: - 1. The end user is already a Member of the Organization. - 2. The end user is invited to the Organization. - 3. The end user can join the Organization because: - - a) The Organization allows JIT provisioning. - - b) The Organizations' allowed domains list contains the Member's email domain. 
- - c) The Organization has at least one other Member with a verified email address with the same domain as the end user (to prevent phishing attacks). - - provider_type: Denotes the OAuth identity provider that the user has authenticated with, e.g. Google, Microsoft, GitHub etc. - - provider_tenant_id: The tenant ID returned by the OAuth provider. This is typically used to identify an organization or group within the provider's domain. For example, in HubSpot this is a Hub ID, in Slack this is the Workspace ID, and in GitHub this is an organization ID. This field will only be populated if exactly one tenant ID is returned from a successful OAuth authentication and developers should prefer `provider_tenant_ids` over this since it accounts for the possibility of an OAuth provider yielding multiple tenant IDs. - - provider_tenant_ids: All tenant IDs returned by the OAuth provider. These is typically used to identify organizations or groups within the provider's domain. For example, in HubSpot this is a Hub ID, in Slack this is the Workspace ID, and in GitHub this is an organization ID. Some OAuth providers do not return tenant IDs, some providers are guaranteed to return one, and some may return multiple. This field will always be populated if at least one tenant ID was returned from the OAuth provider and developers should prefer this field over `provider_tenant_id`. - - full_name: The full name of the authenticated end user, if available. + Note that Organizations will only appear here under any of the following conditions: + 1. The end user is already a Member of the Organization. + 2. The end user is invited to the Organization. + 3. The end user can join the Organization because: + a) The Organization allows JIT provisioning. + b) The Organizations' allowed domains list contains the Member's email domain. + c) The Organization has at least one other Member with a verified email address with the same domain as the end user (to prevent phishing attacks). 
+ - provider_type: The type of OAuth provider (e.g., google, microsoft, slack, github, hubspot) used for authentication. + - provider_tenant_id: The identifier of the tenant within a multi-tenant OAuth provider (e.g., Microsoft tenant ID, Slack workspace ID). + - provider_tenant_ids: A list of tenant IDs within a multi-tenant OAuth provider that the member has access to. + - full_name: The member's full name including first and last name. """ # noqa intermediate_session_token: str diff --git a/stytch/b2b/models/organizations.py b/stytch/b2b/models/organizations.py index 1350064b..11401761 100644 --- a/stytch/b2b/models/organizations.py +++ b/stytch/b2b/models/organizations.py @@ -49,10 +49,10 @@ class UpdateRequestThirdPartyConnectedAppsAllowedType(str, enum.Enum): class ActiveSCIMConnection(pydantic.BaseModel): """ Fields: - - connection_id: The ID of the SCIM connection. + - connection_id: Globally unique UUID that identifies a specific SSO connection. - display_name: A human-readable display name for the connection. - - bearer_token_last_four: (no documentation yet) - - bearer_token_expires_at: (no documentation yet) + - bearer_token_last_four: The last four characters of the SCIM bearer token, used for identification without exposing the full token. + - bearer_token_expires_at: The timestamp when the SCIM bearer token will expire. """ # noqa connection_id: str 
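Review bot: `ActiveSCIMConnection.connection_id` is now documented as identifying "a specific SSO connection", the same sentence the next hunk uses for `ActiveSSOConnection`, while the removed line said "The ID of the SCIM connection". The two connection kinds are updated through different endpoints elsewhere in this file's docs, so the copied text can send provisioning or audit code to the wrong object. Suggest `- connection_id: Globally unique UUID that identifies a specific SCIM connection.` If these docstrings are generated, the fix likely belongs in the source the generator reads rather than in this file.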
@@ -64,9 +64,10 @@ class ActiveSCIMConnection(pydantic.BaseModel): class ActiveSSOConnection(pydantic.BaseModel): """ Fields: - - connection_id: Globally unique UUID that identifies a specific SSO `connection_id` for a Member. + - connection_id: Globally unique UUID that identifies a specific SSO connection. - display_name: A human-readable display name for the connection. - - identity_provider: (no documentation yet) + - identity_provider: Name of the IdP. Enum with possible values: `classlink`, `cyberark`, `duo`, `google-workspace`, `jumpcloud`, `keycloak`, `miniorange`, `microsoft-entra`, `okta`, `onelogin`, `pingfederate`, `rippling`, `salesforce`, `shibboleth`, or `generic`. + Specifying a known provider allows Stytch to handle any provider-specific logic. """ # noqa connection_id: str @@ -109,17 +110,8 @@ def add_headers(self, headers: Dict[str, str]) -> Dict[str, str]: class EmailImplicitRoleAssignment(pydantic.BaseModel): """ Fields: - - domain: Email domain that grants the specified Role. - - role_id: The unique identifier of the RBAC Role, provided by the developer and intended to be human-readable. - - Reserved `role_id`s that are predefined by Stytch include: - - * `stytch_member` - * `stytch_admin` - - Check out the [guide on Stytch default Roles](https://stytch.com/docs/b2b/guides/rbac/stytch-default) for a more detailed explanation. - - + - domain: The domain for Passkeys or WebAuthn. Defaults to `window.location.hostname`. + - role_id: The unique identifier for an RBAC role. """ # noqa domain: str 
@@ -145,10 +137,10 @@ def add_headers(self, headers: Dict[str, str]) -> Dict[str, str]: class GithubProviderInfo(pydantic.BaseModel): """ Fields: - - provider_subject: The unique identifier for the User within a given OAuth provider. Also commonly called the `sub` or "Subject field" in OAuth protocols. - - provider_tenant_ids: All tenant IDs returned by the OAuth provider. These is typically used to identify organizations or groups within the provider's domain. For example, in HubSpot this is a Hub ID, in Slack this is the Workspace ID, and in GitHub this is an organization ID. Some OAuth providers do not return tenant IDs, some providers are guaranteed to return one, and some may return multiple. This field will always be populated if at least one tenant ID was returned from the OAuth provider and developers should prefer this field over `provider_tenant_id`. - - access_token: The `access_token` that you may use to access the User's data in the provider's API. - - scopes: The OAuth scopes included for a given provider. See each provider's section above to see which scopes are included by default and how to add custom scopes. + - provider_subject: The unique identifier for the user in the identity provider's system, used to link external provider accounts to Stytch members. + - provider_tenant_ids: A list of tenant IDs within a multi-tenant OAuth provider that the member has access to. + - access_token: The access token to exchange for a Stytch Session. Must be granted the `full_access` scope. + - scopes: An array of scopes requested by the client. """ # noqa provider_subject: str 
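Review bot: `access_token` in `GithubProviderInfo` now reads "The access token to exchange for a Stytch Session. Must be granted the `full_access` scope", which describes an input to a token-exchange call. The removed line described a provider-issued token held on the Member: "that you may use to access the User's data in the provider's API". `OIDCProviderInfo` further down gets the same sentence, while `HubspotProviderInfo` keeps a provider-API description. Because this field is a third-party credential, the docstring should say what it grants; suggest `- access_token: The access_token that you may use to access the Member's data in the provider's API.` in all three classes.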
@@ -160,12 +152,12 @@ class GithubProviderInfo(pydantic.BaseModel): class HubspotProviderInfo(pydantic.BaseModel): """ Fields: - - provider_subject: The unique identifier for the User within a given OAuth provider. Also commonly called the `sub` or "Subject field" in OAuth protocols. - - provider_tenant_id: The tenant ID returned by the OAuth provider. This is typically used to identify an organization or group within the provider's domain. For example, in HubSpot this is a Hub ID, in Slack this is the Workspace ID, and in GitHub this is an organization ID. This field will only be populated if exactly one tenant ID is returned from a successful OAuth authentication and developers should prefer `provider_tenant_ids` over this since it accounts for the possibility of an OAuth provider yielding multiple tenant IDs. - - access_token: The `access_token` that you may use to access the User's data in the provider's API. + - provider_subject: The unique identifier for the user in the identity provider's system, used to link external provider accounts to Stytch members. + - provider_tenant_id: The identifier of the tenant within a multi-tenant OAuth provider (e.g., Microsoft tenant ID, Slack workspace ID). + - access_token: The `access_token` that you may use to access the Member's data in the provider's API for B2B organization authentication flows. - access_token_expires_in: The number of seconds until the access token expires. - - scopes: The OAuth scopes included for a given provider. See each provider's section above to see which scopes are included by default and how to add custom scopes. - - refresh_token: The `refresh_token` that you may use to obtain a new `access_token` for the User within the provider's API. + - scopes: An array of scopes requested by the client. + - refresh_token: An OAuth refresh token that can be used to obtain new access tokens without requiring re-authentication. """ # noqa provider_subject: str 
@@ -183,8 +175,8 @@ class MemberConnectedApp(pydantic.BaseModel): - name: The name of the Connected App. - description: A description of the Connected App. - client_type: The type of Connected App. Supported values are `first_party`, `first_party_public`, `third_party`, and `third_party_public`. - - scopes_granted: The scopes granted to the Connected App at the completion of the last authorization flow. - - logo_url: The logo URL of the Connected App, if any. + - scopes_granted: The list of OAuth scopes that were actually granted to the access token, which may be a subset of requested scopes. + - logo_url: The URL of the logo image for the organization, SSO connection, or connected application. """ # noqa connected_app_id: str 
@@ -198,60 +190,8 @@ class MemberConnectedApp(pydantic.BaseModel): class MemberRoleSource(pydantic.BaseModel): """ Fields: - - type: The type of role assignment. The possible values are: - - `direct_assignment` – an explicitly assigned Role. - - Directly assigned roles can be updated by passing in the `roles` argument to the - [Update Member](https://stytch.com/docs/b2b/api/update-member) endpoint. - - `email_assignment` – an implicit Role granted by the Member's email domain, regardless of their login method. - - Email implicit role assignments can be updated by passing in the `rbac_email_implicit_role_assignments` argument to - the [Update Organization](https://stytch.com/docs/b2b/api/update-organization) endpoint. - - `sso_connection` – an implicit Role granted by the Member's SSO connection. This is currently only available - for SAML connections and not for OIDC. If the Member has a SAML Member registration with the given connection, this - role assignment will appear in the list. However, for authorization check purposes (in - [sessions authenticate](https://stytch.com/docs/b2b/api/authenticate-session) or in any endpoint that enforces RBAC with session - headers), the Member will only be granted the Role if their session contains an authentication factor with the - specified SAML connection. - - SAML connection implicit role assignments can be updated by passing in the - `saml_connection_implicit_role_assignments` argument to the - [Update SAML connection](https://stytch.com/docs/b2b/api/update-saml-connection) endpoint. - - `sso_connection_group` – an implicit Role granted by the Member's SSO connection and group. This is currently only - available for SAML connections and not for OIDC. If the Member has a SAML Member registration with the given - connection, and belongs to a specific group within the IdP, this role assignment will appear in the list. 
However, - for authorization check purposes (in [sessions authenticate](https://stytch.com/docs/b2b/api/authenticate-session) or in any endpoint - that enforces RBAC with session headers), the Member will only be granted the role if their session contains an - authentication factor with the specified SAML connection. - - SAML group implicit role assignments can be updated by passing in the `saml_group_implicit_role_assignments` - argument to the [Update SAML connection](https://stytch.com/docs/b2b/api/update-saml-connection) endpoint. - - `scim_connection_group` – an implicit Role granted by the Member's SCIM connection and group. If the Member has - a SCIM Member registration with the given connection, and belongs to a specific group within the IdP, this role assignment will appear in the list. - - SCIM group implicit role assignments can be updated by passing in the `scim_group_implicit_role_assignments` - argument to the [Update SCIM connection](https://stytch.com/docs/b2b/api/update-scim-connection) endpoint. - - - details: An object containing additional metadata about the source assignment. The fields will vary depending - on the role assignment type as follows: - - `direct_assignment` – no additional details. - - `email_assignment` – will contain the email domain that granted the assignment. - - `sso_connection` – will contain the `connection_id` of the SAML connection that granted the assignment. - - `sso_connection_group` – will contain the `connection_id` of the SAML connection and the name of the `group` - that granted the assignment. - - `scim_connection_group` – will contain the `connection_id` of the SAML connection and the `group_id` - that granted the assignment. - + - type: The source type that describes how a member received their role assignment, such as direct assignment, group inheritance, or SSO connection implicit role mapping. + - details: Additional contextual information or metadata providing further details about the response or error. 
""" # noqa type: str @@ -261,17 +201,8 @@ class MemberRoleSource(pydantic.BaseModel): class MemberRole(pydantic.BaseModel): """ Fields: - - role_id: The unique identifier of the RBAC Role, provided by the developer and intended to be human-readable. - - Reserved `role_id`s that are predefined by Stytch include: - - * `stytch_member` - * `stytch_admin` - - Check out the [guide on Stytch default Roles](https://stytch.com/docs/b2b/guides/rbac/stytch-default) for a more detailed explanation. - - - - sources: A list of sources for this role assignment. A role assignment can come from multiple sources - for example, the Role could be both explicitly assigned and implicitly granted from the Member's email domain. + - role_id: The unique identifier for an RBAC role. + - sources: The list of authentication sources or methods used to establish the current session or identity. """ # noqa role_id: str 
@@ -281,11 +212,11 @@ class MemberRole(pydantic.BaseModel): class OAuthRegistration(pydantic.BaseModel): """ Fields: - - provider_type: Denotes the OAuth identity provider that the user has authenticated with, e.g. Google, Microsoft, GitHub etc. - - provider_subject: The unique identifier for the User within a given OAuth provider. Also commonly called the `sub` or "Subject field" in OAuth protocols. - - member_oauth_registration_id: The unique ID of an OAuth registration. - - profile_picture_url: If available, the `profile_picture_url` is a URL of the User's profile picture set in OAuth identity the provider that the User has authenticated with, e.g. Google profile picture. - - locale: If available, the `locale` is the Member's locale set in the OAuth identity provider that the user has authenticated with. + - provider_type: The type of OAuth provider (e.g., google, microsoft, slack, github, hubspot) used for authentication. + - provider_subject: The unique identifier for the user in the identity provider's system, used to link external provider accounts to Stytch members. + - member_oauth_registration_id: The unique identifier linking a member to their OAuth provider registration. + - profile_picture_url: The URL of the member's profile picture, typically retrieved from OAuth providers. + - locale: If available, the locale set in the OAuth identity provider. """ # noqa provider_type: str 
@@ -298,13 +229,13 @@ class OAuthRegistration(pydantic.BaseModel): class OIDCProviderInfo(pydantic.BaseModel): """ Fields: - - provider_subject: The unique identifier for the User within a given OAuth provider. Also commonly called the `sub` or "Subject field" in OAuth protocols. - - id_token: The `id_token` returned by the OAuth provider. ID Tokens are JWTs that contain structured information about a user. The exact content of each ID Token varies from provider to provider. ID Tokens are returned from OAuth providers that conform to the [OpenID Connect](https://openid.net/foundation/) specification, which is based on OAuth. - - access_token: The `access_token` that you may use to access the User's data in the provider's API. + - provider_subject: The unique identifier for the user in the identity provider's system, used to link external provider accounts to Stytch members. + - id_token: An OpenID Connect ID token containing identity claims about the authenticated user. + - access_token: The access token to exchange for a Stytch Session. Must be granted the `full_access` scope. - access_token_expires_in: The number of seconds until the access token expires. - - scopes: The OAuth scopes included for a given provider. See each provider's section above to see which scopes are included by default and how to add custom scopes. - - connection_id: Globally unique UUID that identifies a specific SSO `connection_id` for a Member. - - refresh_token: The `refresh_token` that you may use to obtain a new `access_token` for the User within the provider's API. + - scopes: An array of scopes requested by the client. + - connection_id: Globally unique UUID that identifies a specific SSO connection. + - refresh_token: An OAuth refresh token that can be used to obtain new access tokens without requiring re-authentication. """ # noqa provider_subject: str 
@@ -319,94 +250,81 @@ class OIDCProviderInfo(pydantic.BaseModel): class Organization(pydantic.BaseModel): """ Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. - organization_name: The name of the Organization. Must be between 1 and 128 characters in length. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.info.name` action on the `stytch.organization` Resource. - organization_logo_url: The image URL of the Organization logo. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.info.logo-url` action on the `stytch.organization` Resource. - organization_slug: The unique URL slug of the Organization. The slug only accepts alphanumeric characters and the following reserved characters: `-` `.` `_` `~`. Must be between 2 and 128 characters in length. Wherever an organization_id is expected in a path or request parameter, you may also use the organization_slug as a convenience. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.info.slug` action on the `stytch.organization` Resource. - sso_jit_provisioning: The authentication setting that controls the JIT provisioning of Members when authenticating via SSO. 
The accepted values are: - - `ALL_ALLOWED` – the default setting, new Members will be automatically provisioned upon successful authentication via any of the Organization's `sso_active_connections`. - - `RESTRICTED` – only new Members with SSO logins that comply with `sso_jit_provisioning_allowed_connections` can be provisioned upon authentication. - - `NOT_ALLOWED` – disable JIT provisioning via SSO. - + `ALL_ALLOWED` – the default setting, new Members will be automatically provisioned upon successful authentication via any of the Organization's `sso_active_connections`. + `RESTRICTED` – only new Members with SSO logins that comply with `sso_jit_provisioning_allowed_connections` can be provisioned upon authentication. + `NOT_ALLOWED` – disable JIT provisioning via SSO. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.sso-jit-provisioning` action on the `stytch.organization` Resource. - sso_jit_provisioning_allowed_connections: An array of `connection_id`s that reference [SAML Connection objects](https://stytch.com/docs/b2b/api/saml-connection-object). - Only these connections will be allowed to JIT provision Members via SSO when `sso_jit_provisioning` is set to `RESTRICTED`. - - sso_active_connections: An array of active [SAML Connection references](https://stytch.com/docs/b2b/api/saml-connection-object) or [OIDC Connection references](https://stytch.com/docs/b2b/api/oidc-connection-object). + Only these connections will be allowed to JIT provision Members via SSO when `sso_jit_provisioning` is set to `RESTRICTED`. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.sso-jit-provisioning` action on the `stytch.organization` Resource. + - sso_active_connections: A list of currently active SSO connections configured for the organization. 
- email_allowed_domains: An array of email domains that allow invites or JIT provisioning for new Members. This list is enforced when either `email_invites` or `email_jit_provisioning` is set to `RESTRICTED`. - - - Common domains such as `gmail.com` are not allowed. See the [common email domains resource](https://stytch.com/docs/b2b/api/common-email-domains) for the full list. + Common domains such as `gmail.com` are not allowed. See the [common email domains resource](https://stytch.com/docs/b2b/api/common-email-domains) for the full list. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-domains` action on the `stytch.organization` Resource. - email_jit_provisioning: The authentication setting that controls how a new Member can be provisioned by authenticating via Email Magic Link or OAuth. The accepted values are: - - `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be provisioned upon authentication via Email Magic Link or OAuth. - - `NOT_ALLOWED` – the default setting, disables JIT provisioning via Email Magic Link and OAuth. - + `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be provisioned upon authentication via Email Magic Link or OAuth. + `NOT_ALLOWED` – the default setting, disables JIT provisioning via Email Magic Link and OAuth. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.email-jit-provisioning` action on the `stytch.organization` Resource. - email_invites: The authentication setting that controls how a new Member can be invited to an organization by email. The accepted values are: - - `ALL_ALLOWED` – any new Member can be invited to join via email. 
- - `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be invited via email. - - `NOT_ALLOWED` – disable email invites. - + `ALL_ALLOWED` – any new Member can be invited to join via email. + `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be invited via email. + `NOT_ALLOWED` – disable email invites. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.email-invites` action on the `stytch.organization` Resource. - auth_methods: The setting that controls which authentication methods can be used by Members of an Organization. The accepted values are: - - `ALL_ALLOWED` – the default setting which allows all authentication methods to be used. - - `RESTRICTED` – only methods that comply with `allowed_auth_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`. - + `ALL_ALLOWED` – the default setting which allows all authentication methods to be used. + `RESTRICTED` – only methods that comply with `allowed_auth_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-auth-methods` action on the `stytch.organization` Resource. - allowed_auth_methods: An array of allowed authentication methods. This list is enforced when `auth_methods` is set to `RESTRICTED`. - The list's accepted values are: `sso`, `magic_link`, `email_otp`, `password`, `google_oauth`, `microsoft_oauth`, `slack_oauth`, `github_oauth`, and `hubspot_oauth`. 
- - - mfa_policy: (no documentation yet) + The list's accepted values are: `sso`, `magic_link`, `email_otp`, `password`, `google_oauth`, `microsoft_oauth`, `slack_oauth`, `github_oauth`, and `hubspot_oauth`. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-auth-methods` action on the `stytch.organization` Resource. + - mfa_policy: The setting that controls the MFA policy for all Members in the Organization. The accepted values are: + `REQUIRED_FOR_ALL` – All Members within the Organization will be required to complete MFA every time they wish to log in. However, any active Session that existed prior to this setting change will remain valid. + `OPTIONAL` – The default value. The Organization does not require MFA by default for all Members. Members will be required to complete MFA only if their `mfa_enrolled` status is set to true. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.mfa-policy` action on the `stytch.organization` Resource. - rbac_email_implicit_role_assignments: Implicit role assignments based off of email domains. - For each domain-Role pair, all Members whose email addresses have the specified email domain will be granted the - associated Role, regardless of their login method. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) - for more information about role assignment. + For each domain-Role pair, all Members whose email addresses have the specified email domain will be granted the + associated Role, regardless of their login method. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) + for more information about role assignment. 
+ When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.implicit-roles` action on the `stytch.organization` Resource. - mfa_methods: The setting that controls which MFA methods can be used by Members of an Organization. The accepted values are: - - `ALL_ALLOWED` – the default setting which allows all authentication methods to be used. - - `RESTRICTED` – only methods that comply with `allowed_mfa_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`. - + `ALL_ALLOWED` – the default setting which allows all authentication methods to be used. + `RESTRICTED` – only methods that comply with `allowed_mfa_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-mfa-methods` action on the `stytch.organization` Resource. - allowed_mfa_methods: An array of allowed MFA authentication methods. This list is enforced when `mfa_methods` is set to `RESTRICTED`. - The list's accepted values are: `sms_otp` and `totp`. - + The list's accepted values are: `sms_otp` and `totp`. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-mfa-methods` action on the `stytch.organization` Resource. - oauth_tenant_jit_provisioning: The authentication setting that controls how a new Member can JIT provision into an organization by tenant. The accepted values are: - - `RESTRICTED` – only new Members with tenants in `allowed_oauth_tenants` can JIT provision via tenant. - - `NOT_ALLOWED` – the default setting, disables JIT provisioning by OAuth Tenant. 
- - - claimed_email_domains: (no documentation yet) + `RESTRICTED` – only new Members with tenants in `allowed_oauth_tenants` can JIT provision via tenant. + `NOT_ALLOWED` – the default setting, disables JIT provisioning by OAuth Tenant. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.oauth-tenant-jit-provisioning` action on the `stytch.organization` Resource. + - claimed_email_domains: An array of email domains that have been claimed by this Organization. When a domain is claimed, only this Organization can invite or JIT provision Members with email addresses on that domain. - first_party_connected_apps_allowed_type: The authentication setting that sets the Organization's policy towards first party Connected Apps. The accepted values are: - - `ALL_ALLOWED` – the default setting, any first party Connected App in the Project is permitted for use by Members. - - `RESTRICTED` – only first party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members. - - `NOT_ALLOWED` – no first party Connected Apps are permitted. - + `ALL_ALLOWED` – the default setting, any first party Connected App in the Project is permitted for use by Members. + `RESTRICTED` – only first party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members. + `NOT_ALLOWED` – no first party Connected Apps are permitted. - allowed_first_party_connected_apps: An array of first party Connected App IDs that are allowed for the Organization. Only used when the Organization's `first_party_connected_apps_allowed_type` is `RESTRICTED`. - third_party_connected_apps_allowed_type: The authentication setting that sets the Organization's policy towards third party Connected Apps. The accepted values are: - - `ALL_ALLOWED` – the default setting, any third party Connected App in the Project is permitted for use by Members. 
- - `RESTRICTED` – only third party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members. - - `NOT_ALLOWED` – no third party Connected Apps are permitted. - + `ALL_ALLOWED` – the default setting, any third party Connected App in the Project is permitted for use by Members. + `RESTRICTED` – only third party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members. + `NOT_ALLOWED` – no third party Connected Apps are permitted. - allowed_third_party_connected_apps: An array of third party Connected App IDs that are allowed for the Organization. Only used when the Organization's `third_party_connected_apps_allowed_type` is `RESTRICTED`. - trusted_metadata: An arbitrary JSON object for storing application-specific data or identity-provider-specific data. - - created_at: The timestamp of the Organization's creation. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`. - - updated_at: The timestamp of when the Organization was last updated. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`. - - organization_external_id: A unique identifier for the organization. + - created_at: The timestamp indicating when the resource was created. + - updated_at: The timestamp indicating when the resource was last updated. + - organization_external_id: An identifier that can be used in API calls wherever a organization_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. External IDs must be unique within a project, but may be reused across different projects in the same workspace. - sso_default_connection_id: The default connection used for SSO when there are multiple active connections. - - scim_active_connection: An active [SCIM Connection references](https://stytch.com/docs/b2b/api/scim-connection-object). 
+ When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.default-sso-connection` action on the `stytch.organization` Resource. + - scim_active_connection: The currently active SCIM connection for the organization. - allowed_oauth_tenants: A map of allowed OAuth tenants. If this field is not passed in, the Organization will not allow JIT provisioning by OAuth Tenant. Allowed keys are "slack", "hubspot", and "github". + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-oauth-tenants` action on the `stytch.organization` Resource. """ # noqa organization_id: str @@ -441,6 +359,15 @@ class Organization(pydantic.BaseModel): class OrganizationConnectedApp(pydantic.BaseModel): + """ + Fields: + - connected_app_id: The ID of the Connected App. + - name: The name of the Connected App. + - description: A description of the Connected App. + - client_type: The type of Connected App. Supported values are `first_party`, `first_party_public`, `third_party`, and `third_party_public`. + - logo_url: The URL of the logo image for the organization, SSO connection, or connected application. + """ # noqa + connected_app_id: str name: str description: str @@ -451,8 +378,8 @@ class OrganizationConnectedApp(pydantic.BaseModel): class OrganizationConnectedAppActiveMember(pydantic.BaseModel): """ Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - granted_scopes: Scopes that were granted at the completion of the last authorization flow. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - granted_scopes: OAuth scopes that were granted during authorization. """ # noqa member_id: str 
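Review bot: In the `third_party_connected_apps_allowed_type` entry of the `Organization` docstring, the re-added `RESTRICTED` line still names `allowed_first_party_connected_apps`, while the allowlist documented directly below it is `allowed_third_party_connected_apps`. The commit rewrites that line anyway, so the name should be corrected there to `allowed_third_party_connected_apps`; as written, a reader would populate the wrong allowlist and believe third party apps are restricted. Separately, `created_at` and `updated_at` lose the statement that values are RFC 3339 and in UTC, which callers parsing them rely on. The class's field declarations continue outside the hunk.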
@@ -462,8 +389,8 @@ class OrganizationConnectedAppActiveMember(pydantic.BaseModel): class ResultsMetadata(pydantic.BaseModel): """ Fields: - - total: The total number of results returned by your search query. If totals have been disabled for your Stytch Workspace to improve search performance, the value will always be -1. - - next_cursor: The `next_cursor` string is returned when your search result contains more than one page of results. This value is passed into your next search call in the `cursor` field. + - total: The total count of items or results in a paginated response or collection. + - next_cursor: A cursor value for fetching the next page of paginated results. """ # noqa total: int @@ -473,7 +400,7 @@ class ResultsMetadata(pydantic.BaseModel): class RetiredEmail(pydantic.BaseModel): """ Fields: - - email_id: The globally unique UUID of a Member's email. + - email_id: The unique ID of a specific email address. - email_address: The email address of the Member. """ # noqa @@ -484,10 +411,10 @@ class RetiredEmail(pydantic.BaseModel): class SCIMRegistration(pydantic.BaseModel): """ Fields: - - connection_id: The ID of the SCIM connection. - - registration_id: The unique ID of a SCIM Registration. - - external_id: The ID of the member given by the identity provider. - - scim_attributes: An object for storing SCIM attributes brought over from the identity provider. + - connection_id: Globally unique UUID that identifies a specific SSO connection. + - registration_id: The unique identifier for an authentication method registration (e.g., OAuth, SSO, SCIM). + - external_id: An identifier that can be used in API calls wherever a user_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. + - scim_attributes: Attributes from the SCIM identity provider, following the SCIM 2.0 schema. """ # noqa connection_id: str 
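Review bot: The rewritten `total` line in `ResultsMetadata` drops the sentinel the removed text documented: when totals are disabled for the workspace the value is always -1. Unless the API behaviour changed, which the diff does not show, callers that use `total` for paging or size checks need that stated, e.g. `- total: The total number of results for the query, or -1 if totals are disabled for the workspace.` The `next_cursor` line likewise no longer says the value is passed in the next call's `cursor` field.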
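Review bot: In `SCIMRegistration`, `connection_id` is now described as identifying "a specific SSO connection" and `external_id` as usable "wherever a user_id is expected", although this is a SCIM registration in the B2B models and the removed text called them the SCIM connection ID and the ID the identity provider gave the member. The `SSORegistration` hunk that follows receives the same `external_id` sentence. An identifier asserted by the identity provider and an identifier the API accepts as a lookup key are different trust statements, so unless the API really does accept this value I would restore `- external_id: The ID of the member given by the identity provider.` in both classes and `- connection_id: The ID of the SCIM connection.` here.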
@@ -499,10 +426,10 @@ class SCIMRegistration(pydantic.BaseModel): class SSORegistration(pydantic.BaseModel): """ Fields: - - connection_id: Globally unique UUID that identifies a specific SSO `connection_id` for a Member. - - external_id: The ID of the member given by the identity provider. - - registration_id: The unique ID of an SSO Registration. - - sso_attributes: An object for storing SSO attributes brought over from the identity provider. + - connection_id: Globally unique UUID that identifies a specific SSO connection. + - external_id: An identifier that can be used in API calls wherever a user_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. + - registration_id: The unique identifier for an authentication method registration (e.g., OAuth, SSO, SCIM). + - sso_attributes: Attributes and claims received from the SSO identity provider during authentication. """ # noqa connection_id: str 
@@ -514,48 +441,34 @@ class SSORegistration(pydantic.BaseModel): class Member(pydantic.BaseModel): """ Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience. - - member_id: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. - email_address: The email address of the Member. - - status: The status of the Member. The possible values are: `pending`, `invited`, `active`, or `deleted`. + - status: The status of the entity. - name: The name of the Member. - - sso_registrations: An array of registered [SAML Connection](https://stytch.com/docs/b2b/api/saml-connection-object) or [OIDC Connection](https://stytch.com/docs/b2b/api/oidc-connection-object) objects the Member has authenticated with. + - sso_registrations: A list of SSO registrations linking the member to external identity providers. - is_breakglass: Identifies the Member as a break glass user - someone who has permissions to authenticate into an Organization by bypassing the Organization's settings. A break glass account is typically used for emergency purposes to gain access outside of normal authentication procedures. 
Refer to the [Organization object](https://stytch.com/docs/b2b/api/organization-object) and its `auth_methods` and `allowed_auth_methods` fields for more details. - - member_password_id: Globally unique UUID that identifies a Member's password. - - oauth_registrations: A list of OAuth registrations for this member. - - email_address_verified: Whether or not the Member's email address is verified. - - mfa_phone_number_verified: Whether or not the Member's phone number is verified. - - is_admin: Whether or not the Member has the `stytch_admin` Role. This Role is automatically granted to Members - who create an Organization through the [discovery flow](https://stytch.com/docs/b2b/api/create-organization-via-discovery). See the - [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/stytch-default) for more details on this Role. - - totp_registration_id: (no documentation yet) - - retired_email_addresses: - A list of retired email addresses for this member. - A previously active email address can be marked as retired in one of two ways: - - It's replaced with a new primary email address during an explicit Member update. - - A new email address is surfaced by an OAuth, SAML or OIDC provider. In this case the new email address becomes the - Member's primary email address and the old primary email address is retired. - - A retired email address cannot be used by other Members in the same Organization. However, unlinking retired email - addresses allows them to be subsequently re-used by other Organization Members. Retired email addresses can be unlinked - using the [Unlink Retired Email endpoint](https://stytch.com/docs/b2b/api/unlink-retired-member-email). - - - is_locked: (no documentation yet) + - member_password_id: The unique identifier for a Member's password. Each Member can have only one password at a time. + - oauth_registrations: A list of OAuth provider registrations linked to the member account. 
+ - email_address_verified: A boolean indicating whether the member's email address has been verified. + - mfa_phone_number_verified: A boolean indicating whether the member's MFA phone number has been verified. + - is_admin: A boolean indicating whether the member has admin privileges (deprecated, use RBAC roles instead). + - totp_registration_id: The unique identifier for the TOTP registration, linking a member to their authenticator app. + - retired_email_addresses: A list of previous email addresses that are no longer the member's primary email but remain in history. + - is_locked: A boolean indicating whether the member's account is currently locked. - mfa_enrolled: Sets whether the Member is enrolled in MFA. If true, the Member must complete an MFA step whenever they wish to log in to their Organization. If false, the Member only needs to complete an MFA step if the Organization's MFA policy is set to `REQUIRED_FOR_ALL`. - mfa_phone_number: The Member's phone number. A Member may only have one phone number. The phone number should be in E.164 format (i.e. +1XXXXXXXXXX). - - default_mfa_method: (no documentation yet) - - roles: Explicit or implicit Roles assigned to this Member, along with details about the role assignment source. - See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role assignment. + - default_mfa_method: The Member's default MFA method. This value is used to determine which secondary MFA method to use in the case of multiple methods registered for a Member. The current possible values are `sms_otp` and `totp`. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.default-mfa-method` action on the `stytch.member` Resource. 
Alternatively, if the Member Session matches the Member associated with the `member_id` passed in the request, the authorization check will also allow a Member Session that has permission to perform the `update.settings.default-mfa-method` action on the `stytch.self` Resource. + - roles: Explicit or implicit Roles assigned to this Member. - trusted_metadata: An arbitrary JSON object for storing application-specific data or identity-provider-specific data. - - untrusted_metadata: An arbitrary JSON object of application-specific data. These fields can be edited directly by the - frontend SDK, and should not be used to store critical information. See the [Metadata resource](https://stytch.com/docs/b2b/api/metadata) - for complete field behavior details. - - created_at: The timestamp of the Member's creation. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`. - - updated_at: The timestamp of when the Member was last updated. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`. - - scim_registration: A scim member registration, referencing a [SCIM Connection](https://stytch.com/docs/b2b/api/scim-connection-object) object in use for the Member creation. - - external_id: The ID of the member given by the identity provider. - - lock_created_at: (no documentation yet) - - lock_expires_at: (no documentation yet) + - untrusted_metadata: An arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. + - created_at: The timestamp indicating when the resource was created. + - updated_at: The timestamp indicating when the resource was last updated. + - scim_registration: A SCIM registration object linking the member to their SCIM identity. 
+ - external_id: An identifier that can be used in most API calls where a `member_id` is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. External IDs must be unique within an organization, but may be reused across different organizations in the same project. + - lock_created_at: The timestamp when the member's account was locked due to security concerns or policy violations. + - lock_expires_at: The timestamp when the member's account lock will automatically expire. """ # noqa organization_id: str @@ -590,11 +503,7 @@ class Member(pydantic.BaseModel): class SearchQuery(pydantic.BaseModel): """ Fields: - - operator: The action to perform on the operands. The accepted values are: - - `AND` – all the operand values provided must match. - - `OR` – **[DEPRECATED]** the operator will return any matches to at least one of the operand values you supply. This parameter is retained for legacy use cases only and is no longer supported. We strongly recommend breaking down complex queries into multiple search queries instead. + - operator: The action to perform on the operands, either `AND` or `OR`. - operands: An array of operand objects that contains all of the filters and values to apply to your search query. """ # noqa 
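Review bot: The new `is_admin` line in `Member` calls the field "deprecated, use RBAC roles instead" and drops the statement that it reflects the `stytch_admin` Role granted to Members who create an Organization through the discovery flow; nothing else visible in the diff marks the field deprecated, so the claim may come from the description rewrite rather than from the API. `status` also loses its value list (`pending`, `invited`, `active`, `deleted`), and `lock_created_at` now states a cause ("security concerns or policy violations") that the previous "(no documentation yet)" gives no basis for. For fields that feed authorization decisions I would keep the precise wording, e.g. `- is_admin: Whether or not the Member has the stytch_admin Role.` and `- status: The status of the Member. The possible values are: pending, invited, active, or deleted.` The Member field declarations continue outside the hunk.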
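Review bot: `SearchQuery.operator` is now documented as "either `AND` or `OR`", which presents `OR` as a supported choice, whereas the removed text marked `OR` as deprecated, retained for legacy use only and no longer supported. If that is still the API's position, the warning should survive in short form, e.g. `- operator: The action to perform on the operands. AND requires all operands to match; OR is deprecated and retained for legacy use only.`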
@@ -605,12 +514,12 @@ class SearchQuery(pydantic.BaseModel): class SlackProviderInfo(pydantic.BaseModel): """ Fields: - - provider_subject: The unique identifier for the User within a given OAuth provider. Also commonly called the `sub` or "Subject field" in OAuth protocols. - - provider_tenant_id: The tenant ID returned by the OAuth provider. This is typically used to identify an organization or group within the provider's domain. For example, in HubSpot this is a Hub ID, in Slack this is the Workspace ID, and in GitHub this is an organization ID. This field will only be populated if exactly one tenant ID is returned from a successful OAuth authentication and developers should prefer `provider_tenant_ids` over this since it accounts for the possibility of an OAuth provider yielding multiple tenant IDs. - - access_token: The `access_token` that you may use to access the User's data in the provider's API. - - scopes: The OAuth scopes included for a given provider. See each provider's section above to see which scopes are included by default and how to add custom scopes. - - bot_access_token: The `access_token` that you may use to access data as a bot application in Slack. Use in conjunction with `bot_scopes`. - - bot_scopes: The scopes that the bot application has access to in Slack. + - provider_subject: The unique identifier for the user in the identity provider's system, used to link external provider accounts to Stytch members. + - provider_tenant_id: The identifier of the tenant within a multi-tenant OAuth provider (e.g., Microsoft tenant ID, Slack workspace ID). + - access_token: The access token to exchange for a Stytch Session. Must be granted the `full_access` scope. + - scopes: An array of scopes requested by the client. + - bot_access_token: An access token for bot or automation purposes, particularly for Slack integrations. + - bot_scopes: OAuth scopes granted to a bot access token, particularly for Slack integrations. """ # noqa provider_subject: str 
@@ -640,7 +549,7 @@ def add_headers(self, headers: Dict[str, str]) -> Dict[str, str]: class ConnectedAppsResponse(ResponseBase): """Response type for `Organizations.connected_apps`. Fields: - - connected_apps: (no documentation yet) + - connected_apps: A list of connected applications that the member or organization has authorized. """ # noqa connected_apps: List[OrganizationConnectedApp] @@ -649,7 +558,7 @@ class ConnectedAppsResponse(ResponseBase): class CreateResponse(ResponseBase): """Response type for `Organizations.create`. Fields: - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. """ # noqa organization: Organization @@ -658,7 +567,7 @@ class CreateResponse(ResponseBase): class DeleteResponse(ResponseBase): """Response type for `Organizations.delete`. Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. """ # noqa organization_id: str 
@@ -671,8 +580,8 @@ class GetConnectedAppResponse(ResponseBase): - name: The name of the Connected App. - description: A description of the Connected App. - client_type: The type of Connected App. Supported values are `first_party`, `first_party_public`, `third_party`, and `third_party_public`. - - active_members: Details about Members who has installed a Connected App. - - logo_url: (no documentation yet) + - active_members: A list of active members who have authorized a connected application. + - logo_url: The URL of the logo image for the organization, SSO connection, or connected application. """ # noqa connected_app_id: str @@ -686,21 +595,26 @@ class GetConnectedAppResponse(ResponseBase): class GetResponse(ResponseBase): """Response type for `Organizations.get`. Fields: - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. """ # noqa organization: Organization class MetricsResponse(ResponseBase): + """Response type for `Organizations.metrics`. + Fields: + - member_count: The total number of members in the organization. + """ # noqa + member_count: int class SearchResponse(ResponseBase): """Response type for `Organizations.search`. Fields: - - organizations: An array of [Organization objects](https://stytch.com/docs/b2b/api/organization-object). - - results_metadata: The search `results_metadata` object contains metadata relevant to your specific query like `total` and `next_cursor`. + - organizations: A list of Organization objects or IDs. + - results_metadata: Metadata about paginated search results, including total count and cursor for fetching the next page. """ # noqa organizations: List[Organization] 
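Review bot: In the `Organizations.search` `SearchResponse` docstring, the new `organizations` line says "A list of Organization objects or IDs", but the field shown in the same hunk is annotated `organizations: List[Organization]`, so "or IDs" contradicts the type. I would write `- organizations: An array of Organization objects.` instead. The `logo_url` line added in the preceding `GetConnectedAppResponse` hunk has the same shape of problem: it describes a logo "for the organization, SSO connection, or connected application" on a response that is specifically about one Connected App.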
@@ -710,7 +624,7 @@ class SearchResponse(ResponseBase): class UpdateResponse(ResponseBase): """Response type for `Organizations.update`. Fields: - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. """ # noqa organization: Organization diff --git a/stytch/b2b/models/organizations_members.py b/stytch/b2b/models/organizations_members.py index 08ee9d1f..f45225b4 100644 --- a/stytch/b2b/models/organizations_members.py +++ b/stytch/b2b/models/organizations_members.py @@ -213,9 +213,9 @@ def add_headers(self, headers: Dict[str, str]) -> Dict[str, str]: class CreateResponse(ResponseBase): """Response type for `Members.create`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. """ # noqa member_id: str 
@@ -226,9 +226,9 @@ class CreateResponse(ResponseBase): class DeleteMFAPhoneNumberResponse(ResponseBase): """Response type for `Members.delete_mfa_phone_number`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. """ # noqa member_id: str @@ -239,9 +239,9 @@ class DeleteMFAPhoneNumberResponse(ResponseBase): class DeletePasswordResponse(ResponseBase): """Response type for `Members.delete_password`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. """ # noqa member_id: str 
@@ -252,7 +252,7 @@ class DeletePasswordResponse(ResponseBase): class DeleteResponse(ResponseBase): """Response type for `Members.delete`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. """ # noqa member_id: str @@ -261,9 +261,9 @@ class DeleteResponse(ResponseBase): class DeleteTOTPResponse(ResponseBase): """Response type for `Members.delete_totp`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. """ # noqa member_id: str @@ -274,7 +274,7 @@ class DeleteTOTPResponse(ResponseBase): class GetConnectedAppsResponse(ResponseBase): """Response type for `Members.get_connected_apps`. Fields: - - connected_apps: An array of Connected Apps with which the Member has successfully completed an authorization flow. + - connected_apps: A list of connected applications that the member or organization has authorized. """ # noqa connected_apps: List[MemberConnectedApp] 
@@ -283,9 +283,9 @@ class GetConnectedAppsResponse(ResponseBase): class GetResponse(ResponseBase): """Response type for `Members.dangerously_get`, `Members.get`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. """ # noqa member_id: str @@ -296,7 +296,7 @@ class GetResponse(ResponseBase): class OIDCProvidersResponse(ResponseBase): """Response type for `Members.oidc_providers`. Fields: - - registrations: A list of tokens the member is registered with. + - registrations: A list of authentication method registrations (e.g., OAuth, SSO, TOTP) associated with the member. """ # noqa registrations: List[OIDCProviderInfo] 
@@ -305,9 +305,9 @@ class OIDCProvidersResponse(ResponseBase): class ReactivateResponse(ResponseBase): """Response type for `Members.reactivate`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. """ # noqa member_id: str @@ -318,9 +318,9 @@ class ReactivateResponse(ResponseBase): class SearchResponse(ResponseBase): """Response type for `Members.search`. Fields: - - members: An array of [Member objects](https://stytch.com/docs/b2b/api/member-object). - - results_metadata: The search `results_metadata` object contains metadata relevant to your specific query like `total` and `next_cursor`. - - organizations: A map from `organization_id` to [Organization object](https://stytch.com/docs/b2b/api/organization-object). The map only contains the Organizations that the Members belongs to. + - members: A list of Member objects in the organization. + - results_metadata: Metadata about paginated search results, including total count and cursor for fetching the next page. + - organizations: A list of Organization objects or IDs. """ # noqa members: List[Member] 
@@ -331,9 +331,9 @@ class SearchResponse(ResponseBase): class StartEmailUpdateResponse(ResponseBase): """Response type for `Members.start_email_update`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. """ # noqa member_id: str 
@@ -344,10 +344,10 @@ class StartEmailUpdateResponse(ResponseBase): class UnlinkRetiredEmailResponse(ResponseBase): """Response type for `Members.unlink_retired_email`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. """ # noqa member_id: str 
@@ -359,9 +359,9 @@ class UnlinkRetiredEmailResponse(ResponseBase): class UpdateResponse(ResponseBase): """Response type for `Members.update`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. """ # noqa member_id: str diff --git a/stytch/b2b/models/organizations_members_oauth_providers.py b/stytch/b2b/models/organizations_members_oauth_providers.py index efd73936..cebe29f8 100644 --- a/stytch/b2b/models/organizations_members_oauth_providers.py +++ b/stytch/b2b/models/organizations_members_oauth_providers.py @@ -19,8 +19,8 @@ class GithubResponse(ResponseBase): """Response type for `OAuthProviders.github`. Fields: - - provider_type: Denotes the OAuth identity provider that the user has authenticated with, e.g. Google, Microsoft, GitHub etc. - - registrations: A list of tokens the member is registered with. + - provider_type: The type of OAuth provider (e.g., google, microsoft, slack, github, hubspot) used for authentication. + - registrations: A list of authentication method registrations (e.g., OAuth, SSO, TOTP) associated with the member. """ # noqa provider_type: str 
@@ -30,13 +30,13 @@ class GithubResponse(ResponseBase): class GoogleResponse(ResponseBase): """Response type for `OAuthProviders.google`. Fields: - - provider_type: Denotes the OAuth identity provider that the user has authenticated with, e.g. Google, Microsoft, GitHub etc. - - provider_subject: The unique identifier for the User within a given OAuth provider. Also commonly called the `sub` or "Subject field" in OAuth protocols. - - id_token: The `id_token` returned by the OAuth provider. ID Tokens are JWTs that contain structured information about a user. The exact content of each ID Token varies from provider to provider. ID Tokens are returned from OAuth providers that conform to the [OpenID Connect](https://openid.net/foundation/) specification, which is based on OAuth. - - scopes: The OAuth scopes included for a given provider. See each provider's section above to see which scopes are included by default and how to add custom scopes. - - access_token: The `access_token` that you may use to access the User's data in the provider's API. + - provider_type: The type of OAuth provider (e.g., google, microsoft, slack, github, hubspot) used for authentication. + - provider_subject: The unique identifier for the user in the identity provider's system, used to link external provider accounts to Stytch members. + - id_token: An OpenID Connect ID token containing identity claims about the authenticated user. + - scopes: An array of scopes requested by the client. + - access_token: The `access_token` that you may use to access the Member's data in the provider's API for B2B organization authentication flows. - access_token_expires_in: The number of seconds until the access token expires. - - refresh_token: The `refresh_token` that you may use to obtain a new `access_token` for the User within the provider's API. + - refresh_token: An OAuth refresh token that can be used to obtain new access tokens without requiring re-authentication. """ # noqa provider_type: str 
@@ -51,8 +51,8 @@ class GoogleResponse(ResponseBase): class HubspotResponse(ResponseBase): """Response type for `OAuthProviders.hubspot`. Fields: - - provider_type: Denotes the OAuth identity provider that the user has authenticated with, e.g. Google, Microsoft, GitHub etc. - - registrations: A list of tokens the member is registered with. + - provider_type: The type of OAuth provider (e.g., google, microsoft, slack, github, hubspot) used for authentication. + - registrations: A list of authentication method registrations (e.g., OAuth, SSO, TOTP) associated with the member. """ # noqa provider_type: str 
@@ -62,13 +62,13 @@ class HubspotResponse(ResponseBase): class MicrosoftResponse(ResponseBase): """Response type for `OAuthProviders.microsoft`. Fields: - - provider_type: Denotes the OAuth identity provider that the user has authenticated with, e.g. Google, Microsoft, GitHub etc. - - provider_subject: The unique identifier for the User within a given OAuth provider. Also commonly called the `sub` or "Subject field" in OAuth protocols. - - access_token: The `access_token` that you may use to access the User's data in the provider's API. + - provider_type: The type of OAuth provider (e.g., google, microsoft, slack, github, hubspot) used for authentication. + - provider_subject: The unique identifier for the user in the identity provider's system, used to link external provider accounts to Stytch members. + - access_token: The `access_token` that you may use to access the Member's data in the provider's API for B2B organization authentication flows. - access_token_expires_in: The number of seconds until the access token expires. - - id_token: The `id_token` returned by the OAuth provider. ID Tokens are JWTs that contain structured information about a user. The exact content of each ID Token varies from provider to provider. ID Tokens are returned from OAuth providers that conform to the [OpenID Connect](https://openid.net/foundation/) specification, which is based on OAuth. - - scopes: The OAuth scopes included for a given provider. See each provider's section above to see which scopes are included by default and how to add custom scopes. - - refresh_token: The `refresh_token` that you may use to obtain a new `access_token` for the User within the provider's API. + - id_token: An OpenID Connect ID token containing identity claims about the authenticated user. + - scopes: An array of scopes requested by the client. + - refresh_token: An OAuth refresh token that can be used to obtain new access tokens without requiring re-authentication. """ # noqa provider_type: str 
@@ -83,8 +83,8 @@ class MicrosoftResponse(ResponseBase): class SlackResponse(ResponseBase): """Response type for `OAuthProviders.slack`. Fields: - - provider_type: Denotes the OAuth identity provider that the user has authenticated with, e.g. Google, Microsoft, GitHub etc. - - registrations: A list of tokens the member is registered with. + - provider_type: The type of OAuth provider (e.g., google, microsoft, slack, github, hubspot) used for authentication. + - registrations: A list of authentication method registrations (e.g., OAuth, SSO, TOTP) associated with the member. """ # noqa provider_type: str diff --git a/stytch/b2b/models/otp_email.py b/stytch/b2b/models/otp_email.py index 291bc349..9999e61c 100644 --- a/stytch/b2b/models/otp_email.py +++ b/stytch/b2b/models/otp_email.py 
@@ -33,19 +33,19 @@ class LoginOrSignupRequestLocale(str, enum.Enum): class AuthenticateResponse(ResponseBase): """Response type for `Email.authenticate`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - method_id: The email or device involved in the authentication. - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - method_id: The unique identifier for a specific authentication method instance (e.g., an email ID, password, TOTP, or phone number). + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. - intermediate_session_token: The Intermediate Session Token. 
This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. - - member_authenticated: Indicates whether the Member is fully authenticated. If false, the Member needs to complete an MFA step to log in to the Organization. - - member_session: The [Session object](https://stytch.com/docs/b2b/api/session-object). - - mfa_required: Information about the MFA requirements of the Organization and the Member's options for fulfilling MFA. - - primary_required: (no documentation yet) - - member_device: If a valid `telemetry_id` was passed in the request and the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) returned results, the `member_device` response field will contain information about the member's device attributes. + - member_authenticated: A boolean indicating whether the member has been fully authenticated (true) or if additional steps like MFA are still required (false). 
+ - member_session: The MemberSession object containing details about an active authenticated session, including timing information, authentication factors used, and associated roles. + - mfa_required: An object indicating whether multi-factor authentication is required, and which MFA methods are available to complete the authentication flow. + - primary_required: An object indicating that a primary authentication factor is required, containing the list of allowed authentication methods. + - member_device: Information about the device used by the member for authentication, including device type, fingerprints, and location data. """ # noqa member_id: str @@ -66,10 +66,10 @@ class AuthenticateResponse(ResponseBase): class LoginOrSignupResponse(ResponseBase): """Response type for `Email.login_or_signup`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - member_created: A flag indicating `true` if a new Member object was created and `false` if the Member object already existed. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - member_created: A boolean indicating whether a new member was created during the authentication flow (true) or an existing member was authenticated (false). + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. """ # noqa member_id: str 
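Review bot: The new `session_token` line in the `Email.authenticate` `AuthenticateResponse` docstring no longer says the value is secret, and both it and `session_jwt` now describe "a Member's existing Session" on a response type for an authenticate call. Since these fields are bearer credentials, I would keep the earlier wording, e.g. `- session_token: A secret token for a given Stytch Session.` and `- session_jwt: The JSON Web Token (JWT) for a given Stytch Session.` The same replacement appears in the `Sms.authenticate` hunk in otp_sms.py. The new `member_device` line also drops the condition that it is only populated when a valid `telemetry_id` was passed and the Fingerprint Lookup API returned results, which readers need in order to handle an absent value.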
diff --git a/stytch/b2b/models/otp_email_discovery.py b/stytch/b2b/models/otp_email_discovery.py index 4a26b793..81165c8a 100644 --- a/stytch/b2b/models/otp_email_discovery.py +++ b/stytch/b2b/models/otp_email_discovery.py 
@@ -24,19 +24,15 @@ class AuthenticateResponse(ResponseBase): """Response type for `Discovery.authenticate`. Fields: - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. - - email_address: The email address. + - email_address: The email address of the Member. - discovered_organizations: An array of `discovered_organization` objects tied to the `intermediate_session_token`, `session_token`, or `session_jwt`. See the [Discovered Organization Object](https://stytch.com/docs/b2b/api/discovered-organization-object) for complete details. - - Note that Organizations will only appear here under any of the following conditions: - 1. The end user is already a Member of the Organization. - 2. The end user is invited to the Organization. - 3. The end user can join the Organization because: - - a) The Organization allows JIT provisioning. - - b) The Organizations' allowed domains list contains the Member's email domain. 
- - c) The Organization has at least one other Member with a verified email address with the same domain as the end user (to prevent phishing attacks). + Note that Organizations will only appear here under any of the following conditions: + 1. The end user is already a Member of the Organization. + 2. The end user is invited to the Organization. + 3. The end user can join the Organization because: + a) The Organization allows JIT provisioning. + b) The Organizations' allowed domains list contains the Member's email domain. + c) The Organization has at least one other Member with a verified email address with the same domain as the end user (to prevent phishing attacks). """ # noqa intermediate_session_token: str diff --git a/stytch/b2b/models/otp_sms.py b/stytch/b2b/models/otp_sms.py index 7acf65ba..279a7fd8 100644 --- a/stytch/b2b/models/otp_sms.py +++ b/stytch/b2b/models/otp_sms.py 
@@ -29,13 +29,13 @@ class SendRequestLocale(str, enum.Enum): class AuthenticateResponse(ResponseBase): """Response type for `Sms.authenticate`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - member_session: The [Session object](https://stytch.com/docs/b2b/api/session-object). - - member_device: If a valid `telemetry_id` was passed in the request and the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) returned results, the `member_device` response field will contain information about the member's device attributes. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - member_session: The MemberSession object containing details about an active authenticated session, including timing information, authentication factors used, and associated roles. + - member_device: Information about the device used by the member for authentication, including device type, fingerprints, and location data. """ # noqa member_id: str 
@@ -50,9 +50,9 @@ class AuthenticateResponse(ResponseBase): class SendResponse(ResponseBase): """Response type for `Sms.send`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. """ # noqa member_id: str diff --git a/stytch/b2b/models/passwords.py b/stytch/b2b/models/passwords.py index c20e0eb1..c4de00cb 100644 --- a/stytch/b2b/models/passwords.py +++ b/stytch/b2b/models/passwords.py 
@@ -43,11 +43,9 @@ class LudsFeedback(pydantic.BaseModel): - has_lower_case: For LUDS validation, whether the password contains at least one lowercase letter. - has_upper_case: For LUDS validation, whether the password contains at least one uppercase letter. - has_digit: For LUDS validation, whether the password contains at least one digit. - - has_symbol: For LUDS validation, whether the password contains at least one symbol. Any UTF8 character outside of a-z or A-Z may count as a valid symbol. - - missing_complexity: For LUDS validation, the number of complexity requirements that are missing from the password. - Check the complexity fields to see which requirements are missing. - - missing_characters: For LUDS validation, this is the required length of the password that you've set minus the length of the password being checked. - The user will need to add this many characters to the password to make it valid. + - has_symbol: For LUDS validation, whether the password contains at least one symbol. Any UTF8 character outside of a-z, A-Z, or 0-9 is considered a symbol. + - missing_complexity: For LUDS validation, the number of complexity requirements that are missing from the password. Check the complexity fields to see which requirements are missing. + - missing_characters: For LUDS validation, this is the required length of the password that you've set minus the length of the password being checked. The user will need to add this many characters to the password to make it valid. """ # noqa has_lower_case: bool 
@@ -61,8 +59,8 @@ class LudsFeedback(pydantic.BaseModel): class ZxcvbnFeedback(pydantic.BaseModel): """ Fields: - - warning: For zxcvbn validation, contains an end user consumable warning if the password is valid but not strong enough. - - suggestions: For zxcvbn validation, contains end user consumable suggestions on how to improve the strength of the password. + - warning: A warning message providing additional context or alerting to potential issues. + - suggestions: A list of suggested improvements or recommendations, typically for password strength or security policies. """ # noqa warning: str 
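Review bot: The new `warning` and `suggestions` lines in `ZxcvbnFeedback` no longer say that the values come from zxcvbn, or that they are written to be shown to the end user. The removed wording also stated when `warning` is populated (the password is valid but not strong enough), which the generic "alerting to potential issues" does not convey. I would keep the old sentences, or at least `- warning: For zxcvbn validation, an end-user-facing warning returned when the password is valid but not strong enough.`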
@@ -72,18 +70,18 @@ class ZxcvbnFeedback(pydantic.BaseModel): class AuthenticateResponse(ResponseBase): """Response type for `Passwords.authenticate`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). - - intermediate_session_token: The returned Intermediate Session Token contains a password factor associated with the Member. If this value is non-empty, the member must complete an MFA step to finish logging in to the Organization. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. Password factors are not transferable between Organizations, so the intermediate session token is not valid for use with discovery endpoints. - - member_authenticated: Indicates whether the Member is fully authenticated. If false, the Member needs to complete an MFA step to log in to the Organization. - - member_session: The [Session object](https://stytch.com/docs/b2b/api/session-object). - - mfa_required: Information about the MFA requirements of the Organization and the Member's options for fulfilling MFA. - - primary_required: Information about the primary authentication requirements of the Organization. 
- - member_device: If a valid `telemetry_id` was passed in the request and the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) returned results, the `member_device` response field will contain information about the member's device attributes. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. + - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. 
It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. + - member_authenticated: A boolean indicating whether the member has been fully authenticated (true) or if additional steps like MFA are still required (false). + - member_session: The MemberSession object containing details about an active authenticated session, including timing information, authentication factors used, and associated roles. + - mfa_required: An object indicating whether multi-factor authentication is required, and which MFA methods are available to complete the authentication flow. + - primary_required: An object indicating that a primary authentication factor is required, containing the list of allowed authentication methods. + - member_device: Information about the device used by the member for authentication, including device type, fingerprints, and location data. """ # noqa member_id: str 
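Review bot: The new `intermediate_session_token` text in `AuthenticateResponse` says the token can be used with the Exchange Intermediate Session and Create Organization via Discovery endpoints, while the line it replaces said password factors are not transferable between Organizations and the token is not valid for discovery endpoints. Unless the API behaviour changed, which this diff does not show, the generic description misstates the scope of a token that carries an authentication factor; I would restore the sentence `Password factors are not transferable between Organizations, so the intermediate session token is not valid for use with discovery endpoints.` The same replacement appears in `ResetResponse` in passwords_email.py and in passwords_existing_password.py. The `session_token` line also drops the word "secret" and now refers to an "existing Session", which reads oddly on an authenticate response; `A secret token for a given Stytch Session.` looks like the more accurate wording.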
@@ -103,10 +101,10 @@ class AuthenticateResponse(ResponseBase): class MigrateResponse(ResponseBase): """Response type for `Passwords.migrate`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - member_created: A flag indicating `true` if a new Member object was created and `false` if the Member object already existed. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - member_created: A boolean indicating whether a new member was created during the authentication flow (true) or an existing member was authenticated (false). + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. """ # noqa member_id: str 
@@ -118,18 +116,13 @@ class MigrateResponse(ResponseBase): class StrengthCheckResponse(ResponseBase): """Response type for `Passwords.strength_check`. Fields: - - valid_password: Returns `true` if the password passes our password validation. We offer two validation options, - [zxcvbn](https://stytch.com/docs/guides/passwords/strength-policy) is the default option which offers a high level of sophistication. - We also offer [LUDS](https://stytch.com/docs/b2b/guides/passwords/strength-policy). If an email address is included in the call we also - require that the password hasn't been compromised using built-in breach detection powered by [HaveIBeenPwned](https://haveibeenpwned.com/) - - score: The score of the password determined by [zxcvbn](https://github.com/dropbox/zxcvbn). Values will be between 1 and 4, a 3 or greater is required to pass validation. - - breached_password: Returns `true` if the password has been breached. Powered by [HaveIBeenPwned](https://haveibeenpwned.com/). + - valid_password: A boolean indicating whether the provided password is valid. + - score: A numerical score representing the strength or quality of a password. Values will be between 1 and 4, a 3 or greater is required to pass `zxcvbn` validation. + - breached_password: A boolean indicating whether the password has been found in known data breaches. - strength_policy: The strength policy type enforced, either `zxcvbn` or `luds`. - - breach_detection_on_create: Will return `true` if breach detection will be evaluated. By default this option is enabled. - This option can be disabled by contacting [support@stytch.com](mailto:support@stytch.com?subject=Password%20strength%20configuration). - If this value is false then `breached_password` will always be `false` as well. - - luds_feedback: Feedback for how to improve the password's strength using [luds](https://stytch.com/docs/guides/passwords/strength-policy). 
- - zxcvbn_feedback: Feedback for how to improve the password's strength using [zxcvbn](https://stytch.com/docs/b2b/guides/passwords/strength-policy). + - breach_detection_on_create: A boolean flag to enable checking passwords against breach databases during creation. + - luds_feedback: Feedback from the LUDS (leaked username database) password strength checker. + - zxcvbn_feedback: Feedback from the zxcvbn password strength estimation algorithm, providing suggestions for improvement. """ # noqa valid_password: bool diff --git a/stytch/b2b/models/passwords_discovery.py b/stytch/b2b/models/passwords_discovery.py index 7afde542..21398bf5 100644 --- a/stytch/b2b/models/passwords_discovery.py +++ b/stytch/b2b/models/passwords_discovery.py 
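Review bot: `luds_feedback` is now described as "LUDS (leaked username database)", which contradicts the `LudsFeedback` model in this same file, whose fields are `has_lower_case`, `has_upper_case`, `has_digit` and `has_symbol`. The line should read `- luds_feedback: Feedback from the LUDS (lowercase, uppercase, digits, symbols) password strength policy.` `breach_detection_on_create` is a response field, so "A boolean flag to enable checking" reads as if the caller sets it. The removed caveat that `breached_password` is always false when this value is false is what stops a caller reading a false `breached_password` as "checked and clean", so I would restore that sentence. `valid_password` also no longer mentions that the breach check counts toward validity when an email address is supplied.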
@@ -16,19 +16,15 @@ class AuthenticateResponse(ResponseBase): """Response type for `Discovery.authenticate`. Fields: - email_address: The email address. - - intermediate_session_token: The returned Intermediate Session Token contains a password factor associated with the Member. If this value is non-empty, the member must complete an MFA step to finish logging in to the Organization. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. Password factors are not transferable between Organizations, so the intermediate session token is not valid for use with discovery endpoints. + - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. 
- discovered_organizations: An array of `discovered_organization` objects tied to the `intermediate_session_token`, `session_token`, or `session_jwt`. See the [Discovered Organization Object](https://stytch.com/docs/b2b/api/discovered-organization-object) for complete details. - - Note that Organizations will only appear here under any of the following conditions: - 1. The end user is already a Member of the Organization. - 2. The end user is invited to the Organization. - 3. The end user can join the Organization because: - - a) The Organization allows JIT provisioning. - - b) The Organizations' allowed domains list contains the Member's email domain. - - c) The Organization has at least one other Member with a verified email address with the same domain as the end user (to prevent phishing attacks). + Note that Organizations will only appear here under any of the following conditions: + 1. The end user is already a Member of the Organization. + 2. The end user is invited to the Organization. + 3. The end user can join the Organization because: + a) The Organization allows JIT provisioning. + b) The Organizations' allowed domains list contains the Member's email domain. + c) The Organization has at least one other Member with a verified email address with the same domain as the end user (to prevent phishing attacks). """ # noqa email_address: str diff --git a/stytch/b2b/models/passwords_discovery_email.py b/stytch/b2b/models/passwords_discovery_email.py index a30073a2..4750a22b 100644 --- a/stytch/b2b/models/passwords_discovery_email.py +++ b/stytch/b2b/models/passwords_discovery_email.py 
@@ -15,20 +15,16 @@ class ResetResponse(ResponseBase): """Response type for `Email.reset`. Fields: - - intermediate_session_token: The returned Intermediate Session Token contains a password factor associated with the Member. If this value is non-empty, the member must complete an MFA step to finish logging in to the Organization. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. Password factors are not transferable between Organizations, so the intermediate session token is not valid for use with discovery endpoints. + - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. - email_address: The email address. 
- discovered_organizations: An array of `discovered_organization` objects tied to the `intermediate_session_token`, `session_token`, or `session_jwt`. See the [Discovered Organization Object](https://stytch.com/docs/b2b/api/discovered-organization-object) for complete details. - - Note that Organizations will only appear here under any of the following conditions: - 1. The end user is already a Member of the Organization. - 2. The end user is invited to the Organization. - 3. The end user can join the Organization because: - - a) The Organization allows JIT provisioning. - - b) The Organizations' allowed domains list contains the Member's email domain. - - c) The Organization has at least one other Member with a verified email address with the same domain as the end user (to prevent phishing attacks). + Note that Organizations will only appear here under any of the following conditions: + 1. The end user is already a Member of the Organization. + 2. The end user is invited to the Organization. + 3. The end user can join the Organization because: + a) The Organization allows JIT provisioning. + b) The Organizations' allowed domains list contains the Member's email domain. + c) The Organization has at least one other Member with a verified email address with the same domain as the end user (to prevent phishing attacks). """ # noqa intermediate_session_token: str diff --git a/stytch/b2b/models/passwords_email.py b/stytch/b2b/models/passwords_email.py index 2a32d4ff..0a717f7a 100644 --- a/stytch/b2b/models/passwords_email.py +++ b/stytch/b2b/models/passwords_email.py 
@@ -52,9 +52,9 @@ def add_headers(self, headers: Dict[str, str]) -> Dict[str, str]: class RequireResetResponse(ResponseBase): """Response type for `Email.require_reset`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. """ # noqa member_id: Optional[str] = None 
@@ -65,19 +65,19 @@ class RequireResetResponse(ResponseBase): class ResetResponse(ResponseBase): """Response type for `Email.reset`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - member_email_id: Globally unique UUID that identifies a member's email - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). - - intermediate_session_token: The returned Intermediate Session Token contains a password factor associated with the Member. If this value is non-empty, the member must complete an MFA step to finish logging in to the Organization. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. Password factors are not transferable between Organizations, so the intermediate session token is not valid for use with discovery endpoints. - - member_authenticated: Indicates whether the Member is fully authenticated. If false, the Member needs to complete an MFA step to log in to the Organization. - - member_session: The [Session object](https://stytch.com/docs/b2b/api/session-object). - - mfa_required: Information about the MFA requirements of the Organization and the Member's options for fulfilling MFA. 
- - primary_required: Information about the primary authentication requirements of the Organization. - - member_device: If a valid `telemetry_id` was passed in the request and the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) returned results, the `member_device` response field will contain information about the member's device attributes. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - member_email_id: The unique identifier for a member's email address. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. + - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. 
It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. + - member_authenticated: A boolean indicating whether the member has been fully authenticated (true) or if additional steps like MFA are still required (false). + - member_session: The MemberSession object containing details about an active authenticated session, including timing information, authentication factors used, and associated roles. + - mfa_required: An object indicating whether multi-factor authentication is required, and which MFA methods are available to complete the authentication flow. + - primary_required: An object indicating that a primary authentication factor is required, containing the list of allowed authentication methods. + - member_device: Information about the device used by the member for authentication, including device type, fingerprints, and location data. """ # noqa member_id: str 
@@ -98,9 +98,9 @@ class ResetResponse(ResponseBase): class ResetStartResponse(ResponseBase): """Response type for `Email.reset_start`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - member_email_id: Globally unique UUID that identifies a member's email - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - member_email_id: The unique identifier for a member's email address. + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. """ # noqa member_id: str diff --git a/stytch/b2b/models/passwords_existing_password.py b/stytch/b2b/models/passwords_existing_password.py index dd924c66..41d42fcb 100644 --- a/stytch/b2b/models/passwords_existing_password.py +++ b/stytch/b2b/models/passwords_existing_password.py 
@@ -26,17 +26,17 @@ class ResetRequestLocale(str, enum.Enum): class ResetResponse(ResponseBase): """Response type for `ExistingPassword.reset`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). - - intermediate_session_token: The returned Intermediate Session Token contains a password factor associated with the Member. If this value is non-empty, the member must complete an MFA step to finish logging in to the Organization. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. Password factors are not transferable between Organizations, so the intermediate session token is not valid for use with discovery endpoints. - - member_authenticated: Indicates whether the Member is fully authenticated. If false, the Member needs to complete an MFA step to log in to the Organization. - - member_session: The [Session object](https://stytch.com/docs/b2b/api/session-object). - - mfa_required: Information about the MFA requirements of the Organization and the Member's options for fulfilling MFA. - - primary_required: Information about the primary authentication requirements of the Organization. 
- - member_device: If a valid `telemetry_id` was passed in the request and the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) returned results, the `member_device` response field will contain information about the member's device attributes. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. + - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. 
Intermediate Session Tokens have a default expiry of 10 minutes. + - member_authenticated: A boolean indicating whether the member has been fully authenticated (true) or if additional steps like MFA are still required (false). + - member_session: The MemberSession object containing details about an active authenticated session, including timing information, authentication factors used, and associated roles. + - mfa_required: An object indicating whether multi-factor authentication is required, and which MFA methods are available to complete the authentication flow. + - primary_required: An object indicating that a primary authentication factor is required, containing the list of allowed authentication methods. + - member_device: Information about the device used by the member for authentication, including device type, fingerprints, and location data. """ # noqa member_id: str diff --git a/stytch/b2b/models/passwords_session.py b/stytch/b2b/models/passwords_session.py index d4cbe713..92a8a9e0 100644 --- a/stytch/b2b/models/passwords_session.py +++ b/stytch/b2b/models/passwords_session.py 
@@ -26,16 +26,16 @@ class ResetRequestLocale(str, enum.Enum): class ResetResponse(ResponseBase): """Response type for `Sessions.reset`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. 
It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. - - member_authenticated: Indicates whether the Member is fully authenticated. If false, the Member needs to complete an MFA step to log in to the Organization. - - member_session: The [Session object](https://stytch.com/docs/b2b/api/session-object). - - mfa_required: Information about the MFA requirements of the Organization and the Member's options for fulfilling MFA. - - member_device: If a valid `telemetry_id` was passed in the request and the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) returned results, the `member_device` response field will contain information about the member's device attributes. + - member_authenticated: A boolean indicating whether the member has been fully authenticated (true) or if additional steps like MFA are still required (false). + - member_session: The MemberSession object containing details about an active authenticated session, including timing information, authentication factors used, and associated roles. + - mfa_required: An object indicating whether multi-factor authentication is required, and which MFA methods are available to complete the authentication flow. + - member_device: Information about the device used by the member for authentication, including device type, fingerprints, and location data. """ # noqa member_id: str diff --git a/stytch/b2b/models/rbac.py b/stytch/b2b/models/rbac.py index 7cbf33f8..61d75e55 100644 --- a/stytch/b2b/models/rbac.py +++ b/stytch/b2b/models/rbac.py 
@@ -16,61 +16,9 @@ class PolicyResource(pydantic.BaseModel): """ Fields: - - resource_id: A unique identifier of the RBAC Resource, provided by the developer and intended to be human-readable. - - A `resource_id` is not allowed to start with `stytch`, which is a special prefix used for Stytch default Resources with reserved `resource_id`s. These include: - - * `stytch.organization` - * `stytch.member` - * `stytch.sso` - * `stytch.self` - - Check out the [guide on Stytch default Resources](https://stytch.com/docs/b2b/guides/rbac/stytch-default) for a more detailed explanation. - - - - description: The description of the RBAC Resource. - - actions: A list of all possible actions for a provided Resource. - - Reserved `actions` that are predefined by Stytch include: - - * `*` - * For the `stytch.organization` Resource: - * `update.info.name` - * `update.info.slug` - * `update.info.untrusted_metadata` - * `update.info.email_jit_provisioning` - * `update.info.logo_url` - * `update.info.email_invites` - * `update.info.allowed_domains` - * `update.info.default_sso_connection` - * `update.info.sso_jit_provisioning` - * `update.info.mfa_policy` - * `update.info.implicit_roles` - * `delete` - * For the `stytch.member` Resource: - * `create` - * `update.info.name` - * `update.info.untrusted_metadata` - * `update.info.mfa-phone` - * `update.info.delete.mfa-phone` - * `update.settings.is-breakglass` - * `update.settings.mfa_enrolled` - * `update.settings.roles` - * `search` - * `delete` - * For the `stytch.sso` Resource: - * `create` - * `update` - * `delete` - * For the `stytch.self` Resource: - * `update.info.name` - * `update.info.untrusted_metadata` - * `update.info.mfa-phone` - * `update.info.delete.mfa-phone` - * `update.info.delete.password` - * `update.settings.mfa_enrolled` - * `delete` - + - resource_id: A unique identifier of the RBAC Resource, provided by the developer and intended to be human-readable. 
A `resource_id` is not allowed to start with `stytch`, which is a special prefix used for Stytch default Resources with reserved `resource_id`s. + - description: A human-readable description of the RBAC resource, role, or scope that explains its purpose and permissions. + - actions: An array of actions that can be performed on the given resource. """ # noqa resource_id: str @@ -81,19 +29,8 @@ class PolicyResource(pydantic.BaseModel): class PolicyRolePermission(pydantic.BaseModel): """ Fields: - - resource_id: A unique identifier of the RBAC Resource, provided by the developer and intended to be human-readable. - - A `resource_id` is not allowed to start with `stytch`, which is a special prefix used for Stytch default Resources with reserved `resource_id`s. These include: - - * `stytch.organization` - * `stytch.member` - * `stytch.sso` - * `stytch.self` - - Check out the [guide on Stytch default Resources](https://stytch.com/docs/b2b/guides/rbac/stytch-default) for a more detailed explanation. - - - - actions: A list of permitted actions the Scope is required to take with the provided Resource. You can use `*` as a wildcard to require a Scope permission to use all possible actions related to the Resource. + - resource_id: The identifier of a specific resource within an RBAC authorization check. + - actions: An array of specific actions that can be performed on the RBAC resource within the authorization policy framework. You can use `*` as a wildcard to require a Scope permission to use all possible actions related to the Resource. """ # noqa resource_id: str 
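Review bot: The rewritten `actions` line in `PolicyResource` drops every mention of the reserved actions, including `*`, which the `PolicyRolePermission` docstring in the next hunk still describes as a wildcard over all actions on a Resource. Someone auditing a policy for over-broad grants loses the one place that listed what Stytch predefines. I would keep a short pointer, for example `- actions: An array of actions that can be performed on the given resource. The * action and the actions of the stytch.* default Resources are reserved by Stytch.`, and keep the link to the default-Resources guide on `resource_id`.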
@@ -103,18 +40,9 @@ class PolicyRolePermission(pydantic.BaseModel): class PolicyRole(pydantic.BaseModel): """ Fields: - - role_id: The unique identifier of the RBAC Role, provided by the developer and intended to be human-readable. - - Reserved `role_id`s that are predefined by Stytch include: - - * `stytch_member` - * `stytch_admin` - - Check out the [guide on Stytch default Roles](https://stytch.com/docs/b2b/guides/rbac/stytch-default) for a more detailed explanation. - - - - description: The description of the RBAC Role. - - permissions: A list of permissions that link a [Resource](https://stytch.com/docs/b2b/api/rbac-resource-object) to a list of actions. + - role_id: The unique identifier for an RBAC role. + - description: An optional description for the rule. + - permissions: A list of RBAC permissions defining specific actions that can be performed on resources. """ # noqa role_id: str @@ -123,11 +51,24 @@ class PolicyRole(pydantic.BaseModel): class PolicyScopePermission(pydantic.BaseModel): + """ + Fields: + - resource_id: The identifier of a specific resource within an RBAC authorization check. + - actions: An array of actions that can be performed on the given resource. + """ # noqa + resource_id: str actions: List[str] class PolicyScope(pydantic.BaseModel): + """ + Fields: + - scope: A space-separated string of OAuth scopes defining requested permissions. + - description: An optional description for the rule. + - permissions: A list of RBAC permissions defining specific actions that can be performed on resources. + """ # noqa + scope: str description: str permissions: List[PolicyScopePermission] 
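Review bot: `description: An optional description for the rule.` in the `PolicyRole` docstring names the wrong entity, and "optional" does not match the `description: str` declaration visible in the `PolicyScope` hunk that follows, where the same sentence is added (the `PolicyRole` field declaration itself is outside the hunk). The new `role_id` line also no longer mentions the reserved ids `stytch_member` and `stytch_admin` that the removed text listed. Suggested wording: `- description: The description of the RBAC Role.` and, for `PolicyScope`, `- description: The description of the RBAC Scope.`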
@@ -136,9 +77,10 @@ class PolicyScope(pydantic.BaseModel): class Policy(pydantic.BaseModel): """ Fields: - - roles: An array of [Role objects](https://stytch.com/docs/b2b/api/rbac-role-object). - - resources: An array of [Resource objects](https://stytch.com/docs/b2b/api/rbac-resource-object). - - scopes: (no documentation yet) + - roles: Roles to explicitly assign to this Member. + See the [RBAC guide](https://stytch.com/docs/guides/rbac/role-assignment) for more information about role assignment. + - resources: A list of RBAC resources that define what entities can be accessed or modified, used in authorization policies. + - scopes: An array of scopes available in the policy. """ # noqa roles: List[PolicyRole] @@ -149,7 +91,7 @@ class Policy(pydantic.BaseModel): class PolicyResponse(ResponseBase): """Response type for `RBAC.policy`. Fields: - - policy: The RBAC Policy document that contains all defined Roles and Resources – which are managed in the [Dashboard](https://stytch.com/dashboard/rbac). Read more about these entities and how they work in our [RBAC overview](https://stytch.com/docs/b2b/guides/rbac/overview). + - policy: The RBAC Policy document that contains all defined Roles and Resources. """ # noqa policy: Optional[Policy] = None diff --git a/stytch/b2b/models/recovery_codes.py b/stytch/b2b/models/recovery_codes.py index aabb8ee3..481bded0 100644 --- a/stytch/b2b/models/recovery_codes.py +++ b/stytch/b2b/models/recovery_codes.py 
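Review bot: `roles: Roles to explicitly assign to this Member.` describes a request parameter, but in `Policy` the field is `roles: List[PolicyRole]`, the Role definitions that make up the policy document. The added line pointing to the role-assignment guide does not apply here either. I would restore the meaning of the removed line, without the link if links are being dropped on purpose: `- roles: An array of Role objects defined in the policy.`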
@@ -17,10 +17,10 @@ class GetResponse(ResponseBase): """Response type for `RecoveryCodes.get`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). - - recovery_codes: An array of recovery codes that can be used to recover a Member's account. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. + - recovery_codes: The recovery codes used to authenticate the user without an authenticator app. """ # noqa member_id: str 
@@ -32,14 +32,14 @@ class GetResponse(ResponseBase): class RecoverResponse(ResponseBase): """Response type for `RecoveryCodes.recover`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - recovery_codes_remaining: The number of recovery codes remaining for a Member. - - member_session: The [Session object](https://stytch.com/docs/b2b/api/session-object). - - member_device: If a valid `telemetry_id` was passed in the request and the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) returned results, the `member_device` response field will contain information about the member's device attributes. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - recovery_codes_remaining: The number of unused backup recovery codes available for MFA account recovery. + - member_session: The MemberSession object containing details about an active authenticated session, including timing information, authentication factors used, and associated roles. 
+ - member_device: Information about the device used by the member for authentication, including device type, fingerprints, and location data. """ # noqa member_id: str @@ -55,10 +55,10 @@ class RecoverResponse(ResponseBase): class RotateResponse(ResponseBase): """Response type for `RecoveryCodes.rotate`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). - - recovery_codes: An array of recovery codes that can be used to recover a Member's account. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. + - recovery_codes: The recovery codes used to authenticate the user without an authenticator app. """ # noqa member_id: str diff --git a/stytch/b2b/models/scim.py b/stytch/b2b/models/scim.py index 413ac7eb..f2174aca 100644 --- a/stytch/b2b/models/scim.py +++ b/stytch/b2b/models/scim.py 
@@ -13,6 +13,18 @@ class Address(pydantic.BaseModel): + """ + Fields: + - formatted: A fully formatted string representation of a SCIM attribute, such as a complete mailing address. + - street_address: The street address component of a SCIM user's address attribute. + - locality: The city or locality component of a SCIM user's address attribute. + - region: The region component of a SCIM user's address attribute (state/province). + - postal_code: The postal code or ZIP code component of a SCIM user's address attribute. + - country: The country component of a SCIM user's address attribute or a country code. + - type: The type or category of the resource, method, or entity. + - primary: Boolean flag indicating whether this is the primary instance of a multi-valued SCIM attribute (e.g., primary email, primary phone number). + """ # noqa + formatted: str street_address: str locality: str 
@@ -24,35 +36,79 @@ class Address(pydantic.BaseModel): class Email(pydantic.BaseModel): + """ + Fields: + - value: A generic value field containing data specific to the context. + - type: The type or category of the resource, method, or entity. + - primary: Boolean flag indicating whether this is the primary instance of a multi-valued SCIM attribute (e.g., primary email, primary phone number). + """ # noqa + value: str type: str primary: bool class Entitlement(pydantic.BaseModel): + """ + Fields: + - value: A generic value field containing data specific to the context. + - type: The type or category of the resource, method, or entity. + - primary: Boolean flag indicating whether this is the primary instance of a multi-valued SCIM attribute (e.g., primary email, primary phone number). + """ # noqa + value: str type: str primary: bool class Group(pydantic.BaseModel): + """ + Fields: + - value: A generic value field containing data specific to the context. + - display: A human-readable display string for a SCIM attribute or reference. + """ # noqa + value: str display: str class IMs(pydantic.BaseModel): + """ + Fields: + - value: A generic value field containing data specific to the context. + - type: The type or category of the resource, method, or entity. + - primary: Boolean flag indicating whether this is the primary instance of a multi-valued SCIM attribute (e.g., primary email, primary phone number). + """ # noqa + value: str type: str primary: bool class Manager(pydantic.BaseModel): + """ + Fields: + - value: A generic value field containing data specific to the context. + - ref: A reference identifier pointing to another resource or entity. + - display_name: A human-readable display name for the connection. + """ # noqa + value: str ref: str display_name: str class EnterpriseExtension(pydantic.BaseModel): + """ + Fields: + - employee_number: The SCIM user's employee number or identifier within the organization. 
+ - cost_center: The cost center or budget code associated with a SCIM user for organizational accounting purposes. + - division: The SCIM user's division within the organization hierarchy. + - department: The SCIM user's department within the organization. + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. + - manager: The manager or supervisor of a SCIM user, typically containing an ID reference to another user. + """ # noqa + employee_number: str cost_center: str division: str @@ -62,6 +118,16 @@ class EnterpriseExtension(pydantic.BaseModel): class Name(pydantic.BaseModel): + """ + Fields: + - formatted: A fully formatted string representation of a SCIM attribute, such as a complete mailing address. + - family_name: The family name (last name or surname) of a SCIM user. + - given_name: The given name (first name) of a SCIM user. + - middle_name: The middle name of a SCIM user. + - honorific_prefix: The honorific prefix (e.g., Mr., Ms., Mx., Dr.) for a SCIM user's name. + - honorific_suffix: The honorific suffix (e.g., Jr., Sr., PhD) for a SCIM user's name. + """ # noqa + formatted: str family_name: str given_name: str 
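Review bot: Several descriptions added in this hunk appear to be chosen by field name alone and do not fit the model they sit in: `Manager.display_name` is documented as `A human-readable display name for the connection`, and `EnterpriseExtension.organization` as the B2B Organization object, although its declared type is outside the hunk and this SCIM attribute is normally a plain organization name. The repeated `value` line (`A generic value field containing data specific to the context`) gives a reader nothing to work with. The `Name` hunk that follows has the same problem with `formatted`, described as `such as a complete mailing address`. Suggested: `- display_name: The display name of the user's manager.` and `- formatted: The full name, formatted for display.`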
@@ -71,18 +137,39 @@ class Name(pydantic.BaseModel): class PhoneNumber(pydantic.BaseModel): + """ + Fields: + - value: A generic value field containing data specific to the context. + - type: The type or category of the resource, method, or entity. + - primary: Boolean flag indicating whether this is the primary instance of a multi-valued SCIM attribute (e.g., primary email, primary phone number). + """ # noqa + value: str type: str primary: bool class Photo(pydantic.BaseModel): + """ + Fields: + - value: A generic value field containing data specific to the context. + - type: The type or category of the resource, method, or entity. + - primary: Boolean flag indicating whether this is the primary instance of a multi-valued SCIM attribute (e.g., primary email, primary phone number). + """ # noqa + value: str type: str primary: bool class Role(pydantic.BaseModel): + """ + Fields: + - value: A generic value field containing data specific to the context. + - type: The type or category of the resource, method, or entity. + - primary: Boolean flag indicating whether this is the primary instance of a multi-valued SCIM attribute (e.g., primary email, primary phone number). + """ # noqa + value: str type: str primary: bool 
@@ -91,9 +178,9 @@ class Role(pydantic.BaseModel): class SCIMGroup(pydantic.BaseModel): """ Fields: - - group_id: Stytch-issued, globally unique UUID that identifies a specific SCIM Group. The entity `id` in the SCIM specification is issued by the Service Provider (SP) and returned to the Identity Provider (IdP) to store and use for uniquely identify and updating the Group moving forward. - - group_name: The displayName of the SCIM group, sent from the Identity Provider (IdP). - - organization_id: Globally unique UUID that identifies a specific Organization. The organization_id is critical to perform operations on an Organization, so be sure to preserve this value. + - group_id: The unique identifier for a SCIM or authorization group. + - group_name: The name of a SCIM or authorization group. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. - connection_id: The ID of the SCIM connection. """ # noqa 
@@ -104,12 +191,35 @@ class SCIMGroup(pydantic.BaseModel): class SCIMGroupImplicitRoleAssignments(pydantic.BaseModel): + """ + Fields: + - role_id: The unique identifier for an RBAC role. + - group_id: The unique identifier for a SCIM or authorization group. + - group_name: The name of a SCIM or authorization group. + """ # noqa + role_id: str group_id: str group_name: str class SCIMConnection(pydantic.BaseModel): + """ + Fields: + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - connection_id: The ID of the SCIM connection. + - status: The status of the entity. + - display_name: A human-readable display name for the connection. + - identity_provider: Name of the IdP. Enum with possible values: `classlink`, `cyberark`, `duo`, `google-workspace`, `jumpcloud`, `keycloak`, `miniorange`, `microsoft-entra`, `okta`, `onelogin`, `pingfederate`, `rippling`, `salesforce`, `shibboleth`, or `generic`. + Specifying a known provider allows Stytch to handle any provider-specific logic. + - base_url: The base URL for the API endpoint or service. + - bearer_token_last_four: The last four characters of the SCIM bearer token, used for identification without exposing the full token. + - scim_group_implicit_role_assignments: An array of SCIM group implicit role assignments. Each object in the array must contain a `group_id` and a `role_id`. + - next_bearer_token_last_four: The last four characters of the next SCIM bearer token during rotation. + - bearer_token_expires_at: The timestamp when the SCIM bearer token will expire. + - next_bearer_token_expires_at: The expiration timestamp for the next SCIM bearer token during rotation. + """ # noqa + organization_id: str connection_id: str status: str 
@@ -124,6 +234,22 @@ class SCIMConnection(pydantic.BaseModel): class SCIMConnectionWithNextToken(pydantic.BaseModel): + """ + Fields: + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - connection_id: The ID of the SCIM connection. + - status: The status of the entity. + - display_name: A human-readable display name for the connection. + - base_url: The base URL for the API endpoint or service. + - identity_provider: Name of the IdP. Enum with possible values: `classlink`, `cyberark`, `duo`, `google-workspace`, `jumpcloud`, `keycloak`, `miniorange`, `microsoft-entra`, `okta`, `onelogin`, `pingfederate`, `rippling`, `salesforce`, `shibboleth`, or `generic`. + Specifying a known provider allows Stytch to handle any provider-specific logic. + - bearer_token_last_four: The last four characters of the SCIM bearer token, used for identification without exposing the full token. + - next_bearer_token: The next SCIM bearer token to be used after rotation is complete. + - scim_group_implicit_role_assignments: An array of SCIM group implicit role assignments. Each object in the array must contain a `group_id` and a `role_id`. + - bearer_token_expires_at: The timestamp when the SCIM bearer token will expire. + - next_bearer_token_expires_at: The expiration timestamp for the next SCIM bearer token during rotation. + """ # noqa + organization_id: str connection_id: str status: str 
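Review bot: `next_bearer_token` in `SCIMConnectionWithNextToken` carries a full credential, yet its new description gives no hint of that, while the neighbouring `bearer_token_last_four` line explicitly says it avoids exposing the full token. The same applies to `bearer_token` in the `SCIMConnectionWithToken` hunk below. I would state it in both docstrings so callers know which fields must not be logged or cached, e.g. `- next_bearer_token: The full next SCIM bearer token, a secret, to be used after rotation is complete.` The field declarations continue outside the hunk.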
@@ -138,6 +264,20 @@ class SCIMConnectionWithNextToken(pydantic.BaseModel): class SCIMConnectionWithToken(pydantic.BaseModel): + """ + Fields: + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - connection_id: The ID of the SCIM connection. + - status: The status of the entity. + - display_name: A human-readable display name for the connection. + - identity_provider: Name of the IdP. Enum with possible values: `classlink`, `cyberark`, `duo`, `google-workspace`, `jumpcloud`, `keycloak`, `miniorange`, `microsoft-entra`, `okta`, `onelogin`, `pingfederate`, `rippling`, `salesforce`, `shibboleth`, or `generic`. + Specifying a known provider allows Stytch to handle any provider-specific logic. + - base_url: The base URL for the API endpoint or service. + - bearer_token: A bearer token used for SCIM API authentication. + - scim_group_implicit_role_assignments: An array of SCIM group implicit role assignments. Each object in the array must contain a `group_id` and a `role_id`. + - bearer_token_expires_at: The timestamp when the SCIM bearer token will expire. + """ # noqa + organization_id: str connection_id: str status: str 
@@ -150,12 +290,49 @@ class SCIMConnectionWithToken(pydantic.BaseModel): class X509Certificate(pydantic.BaseModel): + """ + Fields: + - value: A generic value field containing data specific to the context. + - type: The type or category of the resource, method, or entity. + - primary: Boolean flag indicating whether this is the primary instance of a multi-valued SCIM attribute (e.g., primary email, primary phone number). + """ # noqa + value: str type: str primary: bool class SCIMAttributes(pydantic.BaseModel): + """ + Fields: + - user_name: The username or SCIM userName field used for identification. + - id: The unique identifier for the resource. + - external_id: An identifier that can be used in API calls wherever a user_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. + - active: A boolean indicating whether the resource is currently active. + - groups: A list of groups the member belongs to, used for access control and role assignment. + - display_name: A human-readable display name for the connection. + - nick_name: A nickname or informal name for the user. + - profile_url: The URL of the member's profile on an external service. + - user_type: The type or category of user (e.g., admin, standard, guest). + - title: A title or heading for display purposes. + - preferred_language: The user's preferred language for communications and UI. + - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. + Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. 
+ Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! + - timezone: The timezone of the user or organization (e.g., 'America/New_York'). + - emails: An array of email objects for the User. + - phone_numbers: An array of phone number objects linked to the User. + - addresses: Physical addresses associated with the user (SCIM field). + - ims: Instant messaging addresses for the user (SCIM field). + - photos: A list of photo URLs associated with the user's profile. + - entitlements: Entitlements or permissions granted to the member or application. + - roles: Roles to explicitly assign to this Member. + See the [RBAC guide](https://stytch.com/docs/guides/rbac/role-assignment) for more information about role assignment. + - x509certificates: X.509 certificates used for SAML authentication and signature verification. + - name: The `name` of the WebAuthn registration or Passkey. + - enterprise_extension: Enterprise-specific SCIM schema extensions. + """ # noqa + user_name: str id: str external_id: str diff --git a/stytch/b2b/models/scim_connection.py b/stytch/b2b/models/scim_connection.py index d7126b95..28dadcd2 100644 --- a/stytch/b2b/models/scim_connection.py +++ b/stytch/b2b/models/scim_connection.py @@ -183,7 +183,7 @@ class CreateResponse(ResponseBase): class DeleteResponse(ResponseBase): """Response type for `Connection.delete`. Fields: - - connection_id: The `connection_id` that was deleted as part of the delete request. + - connection_id: The ID of the SCIM connection. """ # noqa connection_id: str 
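Review bot: In the `SCIMAttributes` docstring, `name` is described as `The name of the WebAuthn registration or Passkey`, `roles` as `Roles to explicitly assign to this Member`, `display_name` as a name `for the connection`, and `locale` as the language for a delivery method; none of these describe attributes of a SCIM user. The `x509certificates` line ties the field to SAML signature verification, which nothing in this hunk supports. These look like descriptions reused from same-named fields elsewhere, so the lookup probably needs to be scoped per model. Suggested replacements, to be checked against the field types declared outside the hunk: `- name: The components of the user's name.` and something like `- roles: The roles listed for the user in the SCIM payload.`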
@@ -203,7 +203,7 @@ class GetGroupsResponse(ResponseBase): class GetResponse(ResponseBase): """Response type for `Connection.get`. Fields: - - connection: A [SCIM Connection](https://stytch.com/docs/b2b/api/scim-connection-object) connection belonging to the organization (currently limited to one). + - connection: The `SCIM Connection` object affected by this API call. See the [SCIM Connection Object](https://stytch.com/docs/b2b/api/scim-connection-object) for complete response field details. """ # noqa connection: Optional[SCIMConnection] = None @@ -239,7 +239,7 @@ class RotateStartResponse(ResponseBase): class UpdateResponse(ResponseBase): """Response type for `Connection.update`. Fields: - - connection: The `SAML Connection` object affected by this API call. See the [SAML Connection Object](https://stytch.com/docs/b2b/api/saml-connection-object) for complete response field details. + - connection: The `SCIM Connection` object affected by this API call. See the [SCIM Connection Object](https://stytch.com/docs/b2b/api/scim-connection-object) for complete response field details. """ # noqa connection: Optional[SCIMConnection] = None diff --git a/stytch/b2b/models/sessions.py b/stytch/b2b/models/sessions.py index d932ebb1..fa31ff58 100644 --- a/stytch/b2b/models/sessions.py +++ b/stytch/b2b/models/sessions.py 
@@ -34,20 +34,9 @@ class ExchangeRequestLocale(str, enum.Enum): class AuthorizationCheck(pydantic.BaseModel): """ Fields: - - organization_id: Globally unique UUID that identifies a specific Organization. The Organization's ID must match the Member's Organization - - resource_id: A unique identifier of the RBAC Resource, provided by the developer and intended to be human-readable. - - A `resource_id` is not allowed to start with `stytch`, which is a special prefix used for Stytch default Resources with reserved `resource_id`s. These include: - - * `stytch.organization` - * `stytch.member` - * `stytch.sso` - * `stytch.self` - - Check out the [guide on Stytch default Resources](https://stytch.com/docs/b2b/guides/rbac/stytch-default) for a more detailed explanation. - - - - action: An action to take on a Resource. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - resource_id: The identifier of a specific resource within an RBAC authorization check. + - action: The action that should be returned by a fingerprint lookup for that identifier with a `RULE_MATCH` reason. The following values are valid: `ALLOW` (This is a known valid device grouping or device profile that is part of the default ALLOW listed set of known devices by Stytch), `BLOCK` (This is a known bad or malicious device profile that is undesirable and should be blocked from completing the privileged action), `CHALLENGE` (This is an unknown or potentially malicious device that should be put through increased friction such as 2FA or other forms of extended user verification before allowing the privileged action), or `NONE`. For country codes, `ALLOW` actions are not allowed. If a `NONE` action is specified, it will clear the stored rule. """ # noqa organization_id: str 
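Review bot: The new `action` line in `AuthorizationCheck` documents fingerprint-rule verdicts (`ALLOW`, `BLOCK`, `CHALLENGE`, `NONE`), not the RBAC action being checked. A caller who follows it could pass `ALLOW` as the action of an authorization check, which is not what the removed line described. I would put that line back: `- action: An action to take on a Resource.` The `organization_id` line also drops the statement that the Organization's ID must match the Member's Organization, which is worth keeping because it says how the check is scoped.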
@@ -58,7 +47,7 @@ class AuthorizationCheck(pydantic.BaseModel): class AuthorizationVerdict(pydantic.BaseModel): """ Fields: - - authorized: Whether the Member was authorized to perform the specified action on the specified Resource. Always true if the request succeeds. + - authorized: Whether the actor was authorized to perform the specified action on the specified Resource. Always true if the request succeeds. - granting_roles: The complete list of Roles that gave the Member permission to perform the specified action on the specified Resource. """ # noqa 
@@ -69,16 +58,17 @@ class AuthorizationVerdict(pydantic.BaseModel): class MemberSession(pydantic.BaseModel): """ Fields: - - member_session_id: Globally unique UUID that identifies a specific Session. - - member_id: Globally unique UUID that identifies a specific Member. - - started_at: The timestamp when the Session was created. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`. - - last_accessed_at: The timestamp when the Session was last accessed. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`. - - expires_at: The timestamp when the Session expires. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`. - - authentication_factors: An array of different authentication factors that comprise a Session. - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. - - roles: (no documentation yet) + - member_session_id: Globally unique UUID that identifies a specific Session in the Stytch API. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - started_at: The timestamp when the session or process was initiated. + - last_accessed_at: The timestamp when the session was last accessed or refreshed. + - expires_at: The timestamp indicating when the session, token, lock, or other resource will expire. + - authentication_factors: A list of authentication factors used during the session, including type, timestamp, and delivery method. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - roles: Explicit or implicit Roles assigned to this Member. 
- organization_slug: The unique URL slug of the Organization. The slug only accepts alphanumeric characters and the following reserved characters: `-` `.` `_` `~`. Must be between 2 and 128 characters in length. Wherever an organization_id is expected in a path or request parameter, you may also use the organization_slug as a convenience. - - custom_claims: The custom claims map for a Session. Claims can be added to a session during a Sessions authenticate call. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.info.slug` action on the `stytch.organization` Resource. + - custom_claims: A JSON object containing custom claims to include in tokens or sessions. """ # noqa member_session_id: str @@ -96,7 +86,9 @@ class MemberSession(pydantic.BaseModel): class PrimaryRequired(pydantic.BaseModel): """ Fields: - - allowed_auth_methods: Details the auth method that the member must also complete to fulfill the primary authentication requirements of the Organization. For example, a value of `[magic_link]` indicates that the Member must also complete a magic link authentication step. If you have an intermediate session token, you must pass it into that primary authentication step. + - allowed_auth_methods: An array of allowed authentication methods. This list is enforced when `auth_methods` is set to `RESTRICTED`. + The list's accepted values are: `sso`, `magic_link`, `email_otp`, `password`, `google_oauth`, `microsoft_oauth`, `slack_oauth`, `github_oauth`, and `hubspot_oauth`. + When setting this field, if a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-auth-methods` action on the `stytch.organization` Resource. """ # noqa allowed_auth_methods: List[str] 
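Review bot: The line added under `organization_slug` in `MemberSession` (`When setting this field, if a session header is passed ...`) describes an update request, while this model is the session object returned by the API. The timestamp lines also lose the RFC 3339 / UTC format statement, which is useful to anyone comparing `expires_at` against the current time. I would drop the added `When setting this field` line and keep the format sentence, e.g. `- expires_at: The timestamp when the Session expires. Values conform to the RFC 3339 standard and are expressed in UTC.`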
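Review bot: The replacement text for `allowed_auth_methods` in `PrimaryRequired` describes the Organization setting (enforced when `auth_methods` is `RESTRICTED`, plus update permissions) rather than what this response field tells the caller. The removed line explained that it names the auth method the Member must still complete and that an intermediate session token must be passed into that step, which is what an integrator needs to finish the login flow correctly. I would restore that meaning: `- allowed_auth_methods: The auth methods the Member may use to fulfill the Organization's primary authentication requirement; pass any intermediate session token into that step.`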
@@ -121,13 +113,13 @@ def add_headers(self, headers: Dict[str, str]) -> Dict[str, str]: class AttestResponse(ResponseBase): """Response type for `Sessions.attest`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - member_session: The [Session object](https://stytch.com/docs/b2b/api/session-object). - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). - - member_device: If a valid `telemetry_id` was passed in the request and the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) returned results, the `member_device` response field will contain information about the member's device attributes. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - member_session: The MemberSession object containing details about an active authenticated session, including timing information, authentication factors used, and associated roles. + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. + - member_device: Information about the device used by the member for authentication, including device type, fingerprints, and location data. """ # noqa member_id: str 
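Review bot: The `session_token` line in `AttestResponse` no longer says the value is secret; "The `session_token` associated with a Member's existing Session" reads like an identifier. The removed text called it a secret token, so I would keep that word, e.g. `- session_token: A secret token for the Member's Session; treat it as a credential and keep it out of logs.` The same replacement appears in the `AuthenticateResponse`, `ExchangeAccessTokenResponse`, `ExchangeResponse`, `MigrateResponse`, `SSO.authenticate` and `TOTPs.authenticate` hunks. Where those hunks touch `member_device` they also drop the condition that it is filled only when a valid `telemetry_id` was passed and the fingerprint lookup returned results, which callers need before reading the field.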
@@ -142,13 +134,12 @@ class AttestResponse(ResponseBase): class AuthenticateResponse(ResponseBase): """Response type for `Sessions.authenticate`. Fields: - - member_session: The [Session object](https://stytch.com/docs/b2b/api/session-object). - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). - - verdict: If an `authorization_check` is provided in the request and the check succeeds, this field will return - information about why the Member was granted permission. + - member_session: The MemberSession object containing details about an active authenticated session, including timing information, authentication factors used, and associated roles. + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. + - verdict: The result of an authorization check, indicating whether the member is authorized to perform the requested action. """ # noqa member_session: MemberSession 
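Review bot: The new `verdict` text in `AuthenticateResponse` says the field indicates "whether the member is authorized", while the removed text said it is returned only when an `authorization_check` was provided and succeeded, and that it explains why permission was granted. Read literally, the new wording invites code that waits for a negative verdict instead of handling a failed check; how a failed check is reported is not visible in this hunk. I would keep the condition: `- verdict: Present only if an authorization_check was provided and the check succeeded; describes why the Member was granted permission.`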
@@ -162,13 +153,13 @@ class AuthenticateResponse(ResponseBase): class ExchangeAccessTokenResponse(ResponseBase): """Response type for `Sessions.exchange_access_token`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). - - member_session: The [Session object](https://stytch.com/docs/b2b/api/session-object). - - member_device: If a valid `telemetry_id` was passed in the request and the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) returned results, the `member_device` response field will contain information about the member's device attributes. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. + - member_session: The MemberSession object containing details about an active authenticated session, including timing information, authentication factors used, and associated roles. + - member_device: Information about the device used by the member for authentication, including device type, fingerprints, and location data. """ # noqa member_id: str 
@@ -183,17 +174,17 @@ class ExchangeAccessTokenResponse(ResponseBase): class ExchangeResponse(ResponseBase): """Response type for `Sessions.exchange`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). - - member_authenticated: Indicates whether the Member is fully authenticated. If false, the Member needs to complete an MFA step to log in to the Organization. - - intermediate_session_token: The returned Intermediate Session Token contains any Email Magic Link or OAuth factors from the original member session that are valid for the target Organization. If this value is non-empty, the member must complete an MFA step to finish logging in to the Organization. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. - - member_session: The [Session object](https://stytch.com/docs/b2b/api/session-object). 
- - mfa_required: Information about the MFA requirements of the Organization and the Member's options for fulfilling MFA. - - primary_required: Information about the primary authentication requirements of the Organization. - - member_device: If a valid `telemetry_id` was passed in the request and the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) returned results, the `member_device` response field will contain information about the member's device attributes. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. + - member_authenticated: A boolean indicating whether the member has been fully authenticated (true) or if additional steps like MFA are still required (false). + - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. 
It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. + - member_session: The MemberSession object containing details about an active authenticated session, including timing information, authentication factors used, and associated roles. + - mfa_required: An object indicating whether multi-factor authentication is required, and which MFA methods are available to complete the authentication flow. + - primary_required: An object indicating that a primary authentication factor is required, containing the list of allowed authentication methods. + - member_device: Information about the device used by the member for authentication, including device type, fingerprints, and location data. """ # noqa member_id: str @@ -212,7 +203,7 @@ class ExchangeResponse(ResponseBase): class GetJWKSResponse(ResponseBase): """Response type for `Sessions.get_jwks`. Fields: - - keys: The list of JWKs associated with the project. + - keys: Cryptographic keys used for signing, encryption, or verification. """ # noqa keys: List[JWK] @@ -221,7 +212,7 @@ class GetJWKSResponse(ResponseBase): class GetResponse(ResponseBase): """Response type for `Sessions.get`. Fields: - - member_sessions: An array of [Session objects](https://stytch.com/docs/b2b/api/session-object). + - member_sessions: A list of active sessions for the member. """ # noqa member_sessions: List[MemberSession] 
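Review bot: The rewritten `intermediate_session_token` entry in `ExchangeResponse` drops the sentence "If this value is non-empty, the member must complete an MFA step to finish logging in to the Organization", which is the rule a caller uses to decide that login is not finished. I would keep it after the first sentence of the new text. The same generic paragraph replaces the entry in `SSO.authenticate`'s `AuthenticateResponse`, where the removed text said SSO factors are not transferable between Organizations and the token is not valid with discovery endpoints, while the new text says it can be used with the Exchange Intermediate Session and Create Organization via Discovery endpoints. One of the two statements is wrong for the SSO case and should be checked against the API reference.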
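Review bot: `keys` in `GetJWKSResponse` is now described as "Cryptographic keys used for signing, encryption, or verification", which no longer says these are the project's JWKs. The field is `List[JWK]` and the removed text was exact; the generic wording could be read as covering private signing keys. I would keep `- keys: The list of JWKs associated with the project.`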
@@ -230,12 +221,12 @@ class GetResponse(ResponseBase): class MigrateResponse(ResponseBase): """Response type for `Sessions.migrate`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). - - member_session: The [Session object](https://stytch.com/docs/b2b/api/session-object). + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. + - member_session: The MemberSession object containing details about an active authenticated session, including timing information, authentication factors used, and associated roles. """ # noqa member_id: str diff --git a/stytch/b2b/models/sso.py b/stytch/b2b/models/sso.py index c27232a8..4ae14f65 100644 --- a/stytch/b2b/models/sso.py +++ b/stytch/b2b/models/sso.py @@ -32,6 +32,11 @@ class AuthenticateRequestLocale(str, enum.Enum): class ConnectionImplicitRoleAssignment(pydantic.BaseModel): + """ + Fields: + - role_id: The unique identifier for an RBAC role. + """ # noqa + role_id: str 
@@ -52,6 +57,13 @@ def add_headers(self, headers: Dict[str, str]) -> Dict[str, str]: class EncryptionPrivateKey(pydantic.BaseModel): + """ + Fields: + - private_key_id: The ID of the encryption private key to be deleted. + - private_key: A private cryptographic key used for signing or decryption. + - created_at: The timestamp indicating when the resource was created. + """ # noqa + private_key_id: str private_key: str created_at: Optional[datetime.datetime] = None 
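Review bot: `private_key_id` on the `EncryptionPrivateKey` model is documented as "the encryption private key to be deleted", which is delete-request wording on an object that only describes a key. The same phrase lands on `X509Certificate.certificate_id` later in this file, and in `sso_saml.py` on `DeleteEncryptionPrivateKeyResponse.private_key_id` and `DeleteVerificationCertificateResponse.certificate_id`, where the removed text correctly said the item "was deleted". Suggested: `- private_key_id: The ID of the encryption private key.` Separately, `private_key` is a plain `str`; if responses ever carry key material in it (not visible from this hunk) the docstring should say so, e.g. `- private_key: The private key material; treat it as a secret.`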
@@ -74,11 +86,34 @@ def add_headers(self, headers: Dict[str, str]) -> Dict[str, str]: class GroupImplicitRoleAssignment(pydantic.BaseModel): + """ + Fields: + - role_id: The unique identifier for an RBAC role. + - group: A group object from an identity provider (SCIM, SAML, OIDC) used for role-based access control and provisioning. + """ # noqa + role_id: str group: str class Connection(pydantic.BaseModel): + """ + Fields: + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - connection_id: Globally unique UUID that identifies a specific SSO connection. + - external_organization_id: Globally unique UUID that identifies a different Organization within your Project. + - external_connection_id: Globally unique UUID that identifies a specific SSO connection configured for a different Organization in your Project. + - display_name: A human-readable display name for the connection. + - status: The status of the entity. + - external_connection_implicit_role_assignments: All Members who log in with this External connection will implicitly receive the specified Roles. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role assignment. Implicit role assignments are not supported for External connections if the underlying SSO connection is an OIDC connection. + - external_group_implicit_role_assignments: Defines the names of the groups + that grant specific role assignments. For each group-Role pair, if a Member logs in with this external connection and + belongs to the specified group, they will be granted the associated Role. See the + [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role assignment. 
Before adding any group implicit role assignments to an external connection, you must add a "groups" key to the underlying SAML connection's + `attribute_mapping`. Make sure that the SAML connection IdP is configured to correctly send the group information. Implicit role assignments are not supported + for External connections if the underlying SSO connection is an OIDC connection. + """ # noqa + organization_id: str connection_id: str external_organization_id: str 
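Review bot: `group` in `GroupImplicitRoleAssignment` is described as "A group object from an identity provider (SCIM, SAML, OIDC)", but the field is declared `group: str`. The `external_group_implicit_role_assignments` text added to `Connection` in the same hunk speaks of "the names of the groups", so this is presumably the group name matched against the IdP's "groups" attribute. Because that match grants a Role, the description should be exact: `- group: The name of the IdP group whose members are granted this Role.` The identical line is added to `SAMLGroupImplicitRoleAssignment` further down.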
@@ -92,6 +127,26 @@ class Connection(pydantic.BaseModel): class OIDCConnection(pydantic.BaseModel): + """ + Fields: + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - connection_id: Globally unique UUID that identifies a specific SSO connection. + - status: The status of the entity. + - display_name: A human-readable display name for the connection. + - redirect_url: The URL to redirect the user to after completing an authentication flow. + - client_id: The ID of the client. + - client_secret: The secret belonging to the OAuth2.0 client used to authenticate login attempts. This will be provided by the IdP. + - issuer: A case-sensitive `https://` URL that uniquely identifies the IdP. This will be provided by the IdP. + - authorization_url: The location of the URL that starts an OAuth login at the IdP. This will be provided by the IdP. + - token_url: The location of the URL that issues OAuth2.0 access tokens and OIDC ID tokens. This will be provided by the IdP. + - userinfo_url: The location of the IDP's [UserInfo Endpoint](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo). This will be provided by the IdP. + - jwks_url: The location of the IdP's JSON Web Key Set, used to verify credentials issued by the IdP. This will be provided by the IdP. + - identity_provider: Name of the IdP. Enum with possible values: `classlink`, `cyberark`, `duo`, `google-workspace`, `jumpcloud`, `keycloak`, `miniorange`, `microsoft-entra`, `okta`, `onelogin`, `pingfederate`, `rippling`, `salesforce`, `shibboleth`, or `generic`. + Specifying a known provider allows Stytch to handle any provider-specific logic. + - custom_scopes: Include a space-separated list of custom scopes that you'd like to include. Note that this list must be URL encoded, e.g. the spaces must be expressed as %20. 
+ - attribute_mapping: An object that represents the attributes used to identify a Member. This object will map the IdP-defined Member attributes to Stytch-specific values, which will appear on the member's Trusted Metadata. Required attributes: `email` and one of `full_name` or `first_name` and `last_name`. + """ # noqa + organization_id: str connection_id: str status: str @@ -110,15 +165,36 @@ class OIDCConnection(pydantic.BaseModel): class SAMLConnectionImplicitRoleAssignment(pydantic.BaseModel): + """ + Fields: + - role_id: The unique identifier for an RBAC role. + """ # noqa + role_id: str class SAMLGroupImplicitRoleAssignment(pydantic.BaseModel): + """ + Fields: + - role_id: The unique identifier for an RBAC role. + - group: A group object from an identity provider (SCIM, SAML, OIDC) used for role-based access control and provisioning. + """ # noqa + role_id: str group: str class X509Certificate(pydantic.BaseModel): + """ + Fields: + - certificate_id: The ID of the certificate to be deleted. + - certificate: An X.509 certificate used for cryptographic operations and verification. + - issuer: A case-sensitive `https://` URL that uniquely identifies the IdP. This will be provided by the IdP. + - created_at: The timestamp indicating when the resource was created. + - expires_at: The timestamp indicating when the session, token, lock, or other resource will expire. + - updated_at: The timestamp indicating when the resource was last updated. + """ # noqa + certificate_id: str certificate: str issuer: str 
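Review bot: `X509Certificate.issuer` reuses the OIDC issuer sentence ("A case-sensitive `https://` URL that uniquely identifies the IdP"), word for word the text added for `OIDCConnection.issuer` earlier in this file. For a certificate the issuer is presumably the certificate's issuer name rather than an `https://` URL; that is inferred from the class name and should be checked against the API reference. `expires_at` also got the generic "session, token, lock, or other resource" text; `- expires_at: The timestamp when the certificate expires.` is what someone planning SAML certificate rotation needs to read.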
@@ -128,6 +204,35 @@ class X509Certificate(pydantic.BaseModel): class SAMLConnection(pydantic.BaseModel): + """ + Fields: + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - connection_id: Globally unique UUID that identifies a specific SSO connection. + - status: The status of the entity. + - idp_entity_id: The entity ID for the identity provider's SAML configuration. This is a unique identifier for the identity provider, typically a URL. + - display_name: A human-readable display name for the connection. + - idp_sso_url: The URL for which assertions for login requests will be sent. This will be provided by the IdP. + - acs_url: The Assertion Consumer Service (ACS) URL where SAML responses are sent. + - audience_uri: The expected audience URI for SAML authentication, typically the SP entity ID. + - signing_certificates: Certificates used for signing SAML assertions or other cryptographic operations. + - verification_certificates: Certificates used to verify digital signatures in SAML responses. + - encryption_private_keys: Private keys used for encryption operations. + - saml_connection_implicit_role_assignments: All Members who log in with this SAML connection will implicitly receive the specified Roles. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role assignment. + - saml_group_implicit_role_assignments: Defines the names of the SAML groups + that grant specific role assignments. For each group-Role pair, if a Member logs in with this SAML connection and + belongs to the specified SAML group, they will be granted the associated Role. See the + [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role assignment. 
Before adding any group implicit role assignments, you must add a "groups" key to your SAML connection's + `attribute_mapping`. Make sure that your IdP is configured to correctly send the group information. + - alternative_audience_uri: An alternative URL to use for the Audience Restriction. This value can be used when you wish to migrate an existing SAML integration to Stytch with zero downtime. Read our [SSO migration guide](https://stytch.com/docs/b2b/guides/migrations/additional-migration-considerations) for more info. + - identity_provider: Name of the IdP. Enum with possible values: `classlink`, `cyberark`, `duo`, `google-workspace`, `jumpcloud`, `keycloak`, `miniorange`, `microsoft-entra`, `okta`, `onelogin`, `pingfederate`, `rippling`, `salesforce`, `shibboleth`, or `generic`. + Specifying a known provider allows Stytch to handle any provider-specific logic. + - nameid_format: The NameID format the SAML Connection expects to use. Defaults to `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`. + - alternative_acs_url: An alternative URL to use for the `AssertionConsumerServiceURL` in SP initiated SAML AuthNRequests. This value can be used when you wish to migrate an existing SAML integration to Stytch with zero downtime. Note that you will be responsible for proxying requests sent to the Alternative ACS URL to Stytch. Read our [SSO migration guide](https://stytch.com/docs/b2b/guides/migrations/additional-migration-considerations) for more info. + - idp_initiated_auth_disabled: Determines whether IDP initiated auth is allowed for a given SAML connection. Defaults to false (IDP Initiated Auth is enabled). + - allow_gateway_callback: If set to `true`, the SAML connection will allow gateway callback URLs. This is typically used for advanced integration scenarios. + - attribute_mapping: An object that represents the attributes used to identify a Member. 
This object will map the IdP-defined Member attributes to Stytch-specific values, which will appear on the member's Trusted Metadata. Required attributes: `email` and one of `full_name` or `first_name` and `last_name`. + """ # noqa + organization_id: str connection_id: str status: str 
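Review bot: The `allow_gateway_callback` entry in the new `SAMLConnection` docstring says only that the connection "will allow gateway callback URLs" for "advanced integration scenarios", without saying what a gateway callback URL is or what is accepted once the flag is on. A flag that widens which callback URLs a SAML connection accepts is one an operator should not enable from this description alone. I cannot tell the semantics from the hunk, so the text has to come from the API reference; it should state which URLs become valid and what the default is. The `idp_sso_url` line ("The URL for which assertions for login requests will be sent") also reads oddly and could be `The IdP URL that login requests are sent to.`, if that is the meaning.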
@@ -155,19 +260,19 @@ class SAMLConnection(pydantic.BaseModel): class AuthenticateResponse(ResponseBase): """Response type for `SSO.authenticate`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - organization_id: Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - reset_session: This field is deprecated. - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). - - intermediate_session_token: The returned Intermediate Session Token contains an SSO factor associated with the Member. If this value is non-empty, the member must complete an MFA step to finish logging in to the Organization. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. SSO factors are not transferable between Organizations, so the intermediate session token is not valid for use with discovery endpoints. - - member_authenticated: Indicates whether the Member is fully authenticated. If false, the Member needs to complete an MFA step to log in to the Organization. - - member_session: The [Session object](https://stytch.com/docs/b2b/api/session-object). - - mfa_required: Information about the MFA requirements of the Organization and the Member's options for fulfilling MFA. 
- - primary_required: (no documentation yet) - - member_device: If a valid `telemetry_id` was passed in the request and the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) returned results, the `member_device` response field will contain information about the member's device attributes. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - organization_id: Globally unique UUID that identifies a specific Organization. When making API calls, you may also use the organization_slug or organization_external_id as a convenience. + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - reset_session: A boolean flag indicating whether to invalidate the current session. + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. + - intermediate_session_token: The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. 
It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. + - member_authenticated: A boolean indicating whether the member has been fully authenticated (true) or if additional steps like MFA are still required (false). + - member_session: The MemberSession object containing details about an active authenticated session, including timing information, authentication factors used, and associated roles. + - mfa_required: An object indicating whether multi-factor authentication is required, and which MFA methods are available to complete the authentication flow. + - primary_required: An object indicating that a primary authentication factor is required, containing the list of allowed authentication methods. + - member_device: Information about the device used by the member for authentication, including device type, fingerprints, and location data. """ # noqa member_id: str @@ -188,7 +293,7 @@ class AuthenticateResponse(ResponseBase): class DeleteConnectionResponse(ResponseBase): """Response type for `SSO.delete_connection`. Fields: - - connection_id: The `connection_id` that was deleted as part of the delete request. + - connection_id: Globally unique UUID that identifies a specific SSO connection. """ # noqa connection_id: str 
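Review bot: The `reset_session` line in `AuthenticateResponse` loses its deprecation notice; "This field is deprecated." becomes "A boolean flag indicating whether to invalidate the current session". The new sentence is phrased like a request parameter on a response model, and a reader would now treat the field as live and act on it. Unless the deprecation was reversed, keep `- reset_session: This field is deprecated.`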
@@ -197,9 +302,9 @@ class DeleteConnectionResponse(ResponseBase): class GetConnectionsResponse(ResponseBase): """Response type for `SSO.get_connections`. Fields: - - saml_connections: The list of [SAML Connections](https://stytch.com/docs/b2b/api/saml-connection-object) owned by this organization. - - oidc_connections: The list of [OIDC Connections](https://stytch.com/docs/b2b/api/oidc-connection-object) owned by this organization. - - external_connections: The list of [External Connections](https://stytch.com/docs/b2b/api/external-connection-object) owned by this organization. + - saml_connections: A list of SAML SSO connections configured for the organization. + - oidc_connections: A list of OIDC SSO connections configured for the organization. + - external_connections: A list of external SSO or identity provider connections. """ # noqa saml_connections: List[SAMLConnection] diff --git a/stytch/b2b/models/sso_external.py b/stytch/b2b/models/sso_external.py index a1ea828d..e12729ee 100644 --- a/stytch/b2b/models/sso_external.py +++ b/stytch/b2b/models/sso_external.py @@ -50,7 +50,7 @@ def add_headers(self, headers: Dict[str, str]) -> Dict[str, str]: class CreateConnectionResponse(ResponseBase): """Response type for `External.create_connection`. Fields: - - connection: The `External Connection` object affected by this API call. See the [External Connection Object](https://stytch.com/docs/b2b/api/external-connection-object) for complete response field details. + - connection: An SSO or SCIM connection object containing configuration details for enterprise identity providers. """ # noqa connection: Optional[Connection] = None 
@@ -59,7 +59,7 @@ class CreateConnectionResponse(ResponseBase): class UpdateConnectionResponse(ResponseBase): """Response type for `External.update_connection`. Fields: - - connection: The `External Connection` object affected by this API call. See the [External Connection Object](https://stytch.com/docs/b2b/api/external-connection-object) for complete response field details. + - connection: An SSO or SCIM connection object containing configuration details for enterprise identity providers. """ # noqa connection: Optional[Connection] = None diff --git a/stytch/b2b/models/sso_saml.py b/stytch/b2b/models/sso_saml.py index d6e8ddd6..38e7eea3 100644 --- a/stytch/b2b/models/sso_saml.py +++ b/stytch/b2b/models/sso_saml.py @@ -144,7 +144,7 @@ class CreateConnectionResponse(ResponseBase): class DeleteEncryptionPrivateKeyResponse(ResponseBase): """Response type for `SAML.delete_encryption_private_key`. Fields: - - private_key_id: The ID of the encryption private key. + - private_key_id: The ID of the encryption private key to be deleted. """ # noqa private_key_id: str @@ -153,7 +153,7 @@ class DeleteEncryptionPrivateKeyResponse(ResponseBase): class DeleteVerificationCertificateResponse(ResponseBase): """Response type for `SAML.delete_verification_certificate`. Fields: - - certificate_id: The ID of the certificate that was deleted. + - certificate_id: The ID of the certificate to be deleted. """ # noqa certificate_id: str diff --git a/stytch/b2b/models/totps.py b/stytch/b2b/models/totps.py index 87d64569..01d97e48 100644 --- a/stytch/b2b/models/totps.py +++ b/stytch/b2b/models/totps.py 
@@ -17,13 +17,13 @@ class AuthenticateResponse(ResponseBase): """Response type for `TOTPs.authenticate`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - member_session: The [Session object](https://stytch.com/docs/b2b/api/session-object). - - member_device: If a valid `telemetry_id` was passed in the request and the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) returned results, the `member_device` response field will contain information about the member's device attributes. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. + - session_token: The `session_token` associated with a Member's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a Member's existing Session. + - member_session: The MemberSession object containing details about an active authenticated session, including timing information, authentication factors used, and associated roles. + - member_device: Information about the device used by the member for authentication, including device type, fingerprints, and location data. """ # noqa member_id: str 
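Review bot: The `session_token` line in `AuthenticateResponse` no longer says the token is secret, and "associated with a Member's existing Session" is request-side wording on what is the response to `TOTPs.authenticate`. The removed text, "A secret token for a given Stytch Session", was the only hint in this docstring that the value must be handled as a credential. Suggest `- session_token: A secret token for the Member's Stytch Session; handle it as a credential.` The `session_jwt` line in the same hunk has the same request-style wording. The class body continues outside the hunk.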
@@ -38,13 +38,13 @@ class AuthenticateResponse(ResponseBase): class CreateResponse(ResponseBase): """Response type for `TOTPs.create`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - totp_registration_id: The unique ID for a TOTP instance. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - totp_registration_id: The unique identifier for the TOTP registration, linking a member to their authenticator app. - secret: The TOTP secret key shared between the authenticator app and the server used to generate TOTP codes. - - qr_code: The QR code image encoded in base64. - - recovery_codes: An array of recovery codes that can be used to recover a Member's account. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). + - qr_code: A base64-encoded QR code image. + - recovery_codes: The recovery codes used to authenticate the user without an authenticator app. + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. """ # noqa member_id: str 
@@ -59,11 +59,11 @@ class CreateResponse(ResponseBase): class MigrateResponse(ResponseBase): """Response type for `TOTPs.migrate`. Fields: - - member_id: Globally unique UUID that identifies a specific Member. - - member: The [Member object](https://stytch.com/docs/b2b/api/member-object) - - organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object). - - totp_registration_id: The unique ID for a TOTP instance. - - recovery_codes: An array of recovery codes that can be used to recover a Member's account. + - member_id: Globally unique UUID that identifies a specific Member. When making API calls, you may use an `external_id` in place of the `member_id` if one is set for the member. + - member: The Member object representing a user within a B2B organization, containing their profile information, authentication methods, roles, and registration details. + - organization: The Organization object containing details about the B2B organization, including settings for SSO, authentication methods, MFA policies, and member management. + - totp_registration_id: The unique identifier for the TOTP registration, linking a member to their authenticator app. + - recovery_codes: The recovery codes used to authenticate the user without an authenticator app. """ # noqa member_id: str diff --git a/stytch/consumer/api/connected_apps_clients.py b/stytch/consumer/api/connected_apps_clients.py index d0e11b1e..9c5abbc3 100644 --- a/stytch/consumer/api/connected_apps_clients.py +++ b/stytch/consumer/api/connected_apps_clients.py @@ -41,7 +41,7 @@ def get( """Retrieve details of a specific Connected App by `client_id`. Fields: - - client_id: The ID of the Connected App client. + - client_id: The ID of the client. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -59,7 +59,7 @@ async def get_async( """Retrieve details of a specific Connected App by `client_id`. Fields: - - client_id: The ID of the Connected App client. + - client_id: The ID of the client. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -91,13 +91,13 @@ def update( - client_name: A human-readable name for the client. - client_description: A human-readable description for the client. - redirect_urls: Array of redirect URI values for use in OAuth Authorization flows. - - full_access_allowed: Valid for first party clients only. If `true`, an authorization token granted to this Client can be exchanged for a full Stytch session. - - access_token_expiry_minutes: The number of minutes before the access token expires. The default is 60 minutes. - - access_token_custom_audience: The custom audience for the access token. - - access_token_template_content: The content of the access token custom claims template. The template must be a valid JSON object. - - post_logout_redirect_urls: Array of redirect URI values for use in OIDC Logout flows. - - logo_url: The logo URL of the Connected App, if any. - - bypass_consent_for_offline_access: Valid for first party clients only. If true, the client does not need to request explicit user consent for the `offline_access` scope. + - full_access_allowed: Valid for first party clients only. If `true`, an authorization token granted to this client can be exchanged for a full Stytch Session. + - access_token_expiry_minutes: The number of minutes until the access token expires. + - access_token_custom_audience: A custom audience (aud) claim value to include in the generated access token JWT. + - access_token_template_content: A template string defining the structure and custom claims to include in generated access tokens. + - post_logout_redirect_urls: A list of allowed URLs to which users can be redirected after logging out. + - logo_url: The URL of the logo image for the organization, SSO connection, or connected application. + - bypass_consent_for_offline_access: A boolean flag indicating whether to skip the consent screen when requesting offline_access scope for refresh tokens. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
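Review bot: The new `bypass_consent_for_offline_access` text drops "Valid for first party clients only", so the docstring now reads as if any client may skip the consent screen for `offline_access`, while `full_access_allowed` in the same hunk keeps that restriction. The rewrite also removes the 60-minute default from `access_token_expiry_minutes` and the "must be a valid JSON object" requirement from `access_token_template_content`, and `logo_url` now talks about organizations and SSO connections inside a Connected App client method. If those constraints still hold on the server (not visible here), keep them, e.g. `- bypass_consent_for_offline_access: Valid for first party clients only. If true, the consent screen is skipped when the client requests the offline_access scope.` The same lines recur in the `update_async`, `create` and `create_async` hunks.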
@@ -151,13 +151,13 @@ async def update_async( - client_name: A human-readable name for the client. - client_description: A human-readable description for the client. - redirect_urls: Array of redirect URI values for use in OAuth Authorization flows. - - full_access_allowed: Valid for first party clients only. If `true`, an authorization token granted to this Client can be exchanged for a full Stytch session. - - access_token_expiry_minutes: The number of minutes before the access token expires. The default is 60 minutes. - - access_token_custom_audience: The custom audience for the access token. - - access_token_template_content: The content of the access token custom claims template. The template must be a valid JSON object. - - post_logout_redirect_urls: Array of redirect URI values for use in OIDC Logout flows. - - logo_url: The logo URL of the Connected App, if any. - - bypass_consent_for_offline_access: Valid for first party clients only. If true, the client does not need to request explicit user consent for the `offline_access` scope. + - full_access_allowed: Valid for first party clients only. If `true`, an authorization token granted to this client can be exchanged for a full Stytch Session. + - access_token_expiry_minutes: The number of minutes until the access token expires. + - access_token_custom_audience: A custom audience (aud) claim value to include in the generated access token JWT. + - access_token_template_content: A template string defining the structure and custom claims to include in generated access tokens. + - post_logout_redirect_urls: A list of allowed URLs to which users can be redirected after logging out. + - logo_url: The URL of the logo image for the organization, SSO connection, or connected application. + - bypass_consent_for_offline_access: A boolean flag indicating whether to skip the consent screen when requesting offline_access scope for refresh tokens. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -234,8 +234,8 @@ def search( """Search for Connected Apps. Supports cursor-based pagination. Specific filters coming soon. Fields: - - cursor: The `cursor` field allows you to paginate through your results. Each result array is limited to 1000 results. If your query returns more than 1000 results, you will need to paginate the responses using the `cursor`. If you receive a response that includes a non-null `next_cursor` in the `results_metadata` object, repeat the search call with the `next_cursor` value set to the `cursor` field to retrieve the next page of results. Continue to make search calls until the `next_cursor` in the response is null. - - limit: The number of search results to return per page. The default limit is 100. A maximum of 1000 results can be returned by a single search request. If the total size of your result set is greater than one page size, you must paginate the response. See the `cursor` field. + - cursor: The `cursor` field allows you to paginate through your results. If your query returns more than the size of the page, you will need to paginate the responses using the `cursor`. If you receive a response that includes a non-null `next_cursor` in the `results_metadata` object, repeat the search call with the `next_cursor` value set to the `cursor` field to retrieve the next page of results. Continue to make search calls until the `next_cursor` in the response is null. + - limit: The number of search results to return per page. If the total size of your result set is greater than one page size, you must paginate the response. See the `cursor` field. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = {} 
@@ -256,8 +256,8 @@ async def search_async( """Search for Connected Apps. Supports cursor-based pagination. Specific filters coming soon. Fields: - - cursor: The `cursor` field allows you to paginate through your results. Each result array is limited to 1000 results. If your query returns more than 1000 results, you will need to paginate the responses using the `cursor`. If you receive a response that includes a non-null `next_cursor` in the `results_metadata` object, repeat the search call with the `next_cursor` value set to the `cursor` field to retrieve the next page of results. Continue to make search calls until the `next_cursor` in the response is null. - - limit: The number of search results to return per page. The default limit is 100. A maximum of 1000 results can be returned by a single search request. If the total size of your result set is greater than one page size, you must paginate the response. See the `cursor` field. + - cursor: The `cursor` field allows you to paginate through your results. If your query returns more than the size of the page, you will need to paginate the responses using the `cursor`. If you receive a response that includes a non-null `next_cursor` in the `results_metadata` object, repeat the search call with the `next_cursor` value set to the `cursor` field to retrieve the next page of results. Continue to make search calls until the `next_cursor` in the response is null. + - limit: The number of search results to return per page. If the total size of your result set is greater than one page size, you must paginate the response. See the `cursor` field. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = {} 
@@ -293,13 +293,13 @@ def create( - client_name: A human-readable name for the client. - client_description: A human-readable description for the client. - redirect_urls: Array of redirect URI values for use in OAuth Authorization flows. - - full_access_allowed: Valid for first party clients only. If `true`, an authorization token granted to this Client can be exchanged for a full Stytch session. - - access_token_expiry_minutes: The number of minutes before the access token expires. The default is 60 minutes. - - access_token_custom_audience: The custom audience for the access token. - - access_token_template_content: The content of the access token custom claims template. The template must be a valid JSON object. - - post_logout_redirect_urls: Array of redirect URI values for use in OIDC Logout flows. - - logo_url: The logo URL of the Connected App, if any. - - bypass_consent_for_offline_access: Valid for first party clients only. If true, the client does not need to request explicit user consent for the `offline_access` scope. + - full_access_allowed: Valid for first party clients only. If `true`, an authorization token granted to this client can be exchanged for a full Stytch Session. + - access_token_expiry_minutes: The number of minutes until the access token expires. + - access_token_custom_audience: A custom audience (aud) claim value to include in the generated access token JWT. + - access_token_template_content: A template string defining the structure and custom claims to include in generated access tokens. + - post_logout_redirect_urls: A list of allowed URLs to which users can be redirected after logging out. + - logo_url: The URL of the logo image for the organization, SSO connection, or connected application. + - bypass_consent_for_offline_access: A boolean flag indicating whether to skip the consent screen when requesting offline_access scope for refresh tokens. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -355,13 +355,13 @@ async def create_async( - client_name: A human-readable name for the client. - client_description: A human-readable description for the client. - redirect_urls: Array of redirect URI values for use in OAuth Authorization flows. - - full_access_allowed: Valid for first party clients only. If `true`, an authorization token granted to this Client can be exchanged for a full Stytch session. - - access_token_expiry_minutes: The number of minutes before the access token expires. The default is 60 minutes. - - access_token_custom_audience: The custom audience for the access token. - - access_token_template_content: The content of the access token custom claims template. The template must be a valid JSON object. - - post_logout_redirect_urls: Array of redirect URI values for use in OIDC Logout flows. - - logo_url: The logo URL of the Connected App, if any. - - bypass_consent_for_offline_access: Valid for first party clients only. If true, the client does not need to request explicit user consent for the `offline_access` scope. + - full_access_allowed: Valid for first party clients only. If `true`, an authorization token granted to this client can be exchanged for a full Stytch Session. + - access_token_expiry_minutes: The number of minutes until the access token expires. + - access_token_custom_audience: A custom audience (aud) claim value to include in the generated access token JWT. + - access_token_template_content: A template string defining the structure and custom claims to include in generated access tokens. + - post_logout_redirect_urls: A list of allowed URLs to which users can be redirected after logging out. + - logo_url: The URL of the logo image for the organization, SSO connection, or connected application. + - bypass_consent_for_offline_access: A boolean flag indicating whether to skip the consent screen when requesting offline_access scope for refresh tokens. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
diff --git a/stytch/consumer/api/crypto_wallets.py b/stytch/consumer/api/crypto_wallets.py index d5e75589..faa5aff9 100644 --- a/stytch/consumer/api/crypto_wallets.py +++ b/stytch/consumer/api/crypto_wallets.py @@ -43,10 +43,10 @@ def authenticate_start( Fields: - crypto_wallet_type: The type of wallet to authenticate. Currently `ethereum` and `solana` are supported. Wallets for any EVM-compatible chains (such as Polygon or BSC) are also supported and are grouped under the `ethereum` type. - - crypto_wallet_address: The crypto wallet address to authenticate. - - user_id: The unique ID of a specific User. You may use an `external_id` here if one is set for the user. + - crypto_wallet_address: The blockchain address of the cryptocurrency wallet used for Web3 authentication. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - session_token: The `session_token` associated with a User's existing Session. - - session_jwt: The `session_jwt` associated with a User's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. - siwe_params: The parameters for a Sign In With Ethereum (SIWE) message. May only be passed if the `crypto_wallet_type` is `ethereum`. """ # noqa headers: Dict[str, str] = {} 
@@ -87,10 +87,10 @@ async def authenticate_start_async( Fields: - crypto_wallet_type: The type of wallet to authenticate. Currently `ethereum` and `solana` are supported. Wallets for any EVM-compatible chains (such as Polygon or BSC) are also supported and are grouped under the `ethereum` type. - - crypto_wallet_address: The crypto wallet address to authenticate. - - user_id: The unique ID of a specific User. You may use an `external_id` here if one is set for the user. + - crypto_wallet_address: The blockchain address of the cryptocurrency wallet used for Web3 authentication. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - session_token: The `session_token` associated with a User's existing Session. - - session_jwt: The `session_jwt` associated with a User's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. - siwe_params: The parameters for a Sign In With Ethereum (SIWE) message. May only be passed if the `crypto_wallet_type` is `ethereum`. """ # noqa headers: Dict[str, str] = {} 
@@ -128,22 +128,13 @@ def authenticate( Fields: - crypto_wallet_type: The type of wallet to authenticate. Currently `ethereum` and `solana` are supported. Wallets for any EVM-compatible chains (such as Polygon or BSC) are also supported and are grouped under the `ethereum` type. - - crypto_wallet_address: The crypto wallet address to authenticate. - - signature: The signature from the message challenge. + - crypto_wallet_address: The blockchain address of the cryptocurrency wallet used for Web3 authentication. + - signature: A cryptographic signature used to verify the authenticity of a message or token. - session_token: The `session_token` associated with a User's existing Session. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. - - session_jwt: The `session_jwt` associated with a User's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). 
If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. - - Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} 
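Review bot: The `signature` description, "A cryptographic signature used to verify the authenticity of a message or token", no longer says which message is signed. The removed wording tied it to the message challenge (presumably the one issued by `authenticate_start`), which is what a caller needs in order to pass the right value. I would keep `- signature: The signature from the message challenge.` or name the challenge step explicitly. The same line appears in the `authenticate_async` hunk, and the function body continues outside the hunk.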
@@ -182,22 +173,13 @@ async def authenticate_async( Fields: - crypto_wallet_type: The type of wallet to authenticate. Currently `ethereum` and `solana` are supported. Wallets for any EVM-compatible chains (such as Polygon or BSC) are also supported and are grouped under the `ethereum` type. - - crypto_wallet_address: The crypto wallet address to authenticate. - - signature: The signature from the message challenge. + - crypto_wallet_address: The blockchain address of the cryptocurrency wallet used for Web3 authentication. + - signature: A cryptographic signature used to verify the authenticity of a message or token. - session_token: The `session_token` associated with a User's existing Session. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. - - session_jwt: The `session_jwt` associated with a User's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). 
If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. - - Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} diff --git a/stytch/consumer/api/debug.py b/stytch/consumer/api/debug.py index d1fc0bc5..b6689c06 100644 --- a/stytch/consumer/api/debug.py +++ b/stytch/consumer/api/debug.py @@ -24,6 +24,10 @@ def __init__( def whoami( self, ) -> WhoamiResponse: + """A debugging endpoint that returns basic information about the caller's Project. + + Fields: + """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = {} 
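Review bot: The docstring added to `whoami` in stytch/consumer/api/debug.py ends with an empty `Fields:` heading, which reads like truncated documentation for a method that takes no arguments besides `self`. Either drop the heading for parameterless methods or state it, e.g. `Fields: none.` The `whoami_async` hunk has the same heading. If this file is generated, the change belongs in the generator template rather than here.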
@@ -34,6 +38,10 @@ def whoami( async def whoami_async( self, ) -> WhoamiResponse: + """A debugging endpoint that returns basic information about the caller's Project. + + Fields: + """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = {} diff --git a/stytch/consumer/api/fraud_rules.py b/stytch/consumer/api/fraud_rules.py index cbba3ac0..a81ac1a4 100644 --- a/stytch/consumer/api/fraud_rules.py +++ b/stytch/consumer/api/fraud_rules.py 
@@ -48,13 +48,13 @@ def set( - Among equivalent size blocks, `BLOCK` takes precedence over `CHALLENGE`, which takes precedence over `ALLOW`. For example, if an `ip_address` overlaps with two `cidr_block` rules with blocks of the same size that return `CHALLENGE` and `ALLOW`, the rule match verdict will be `CHALLENGE`. Fields: - - action: The action that should be returned by a fingerprint lookup for that identifier with a `RULE_MATCH` reason. The following values are valid: `ALLOW`, `BLOCK`, `CHALLENGE`, or `NONE`. For country codes, `ALLOW` actions are not allowed. If a `NONE` action is specified, it will clear the stored rule. - - visitor_id: The visitor ID we want to set a rule for. Only one identifier can be specified in the request. - - browser_id: The browser ID we want to set a rule for. Only one identifier can be specified in the request. - - visitor_fingerprint: The visitor fingerprint we want to set a rule for. Only one identifier can be specified in the request. - - browser_fingerprint: The browser fingerprint we want to set a rule for. Only one identifier can be specified in the request. - - hardware_fingerprint: The hardware fingerprint we want to set a rule for. Only one identifier can be specified in the request. - - network_fingerprint: The network fingerprint we want to set a rule for. Only one identifier can be specified in the request. + - action: The action that should be returned by a fingerprint lookup for that identifier with a `RULE_MATCH` reason. 
The following values are valid: `ALLOW` (This is a known valid device grouping or device profile that is part of the default ALLOW listed set of known devices by Stytch), `BLOCK` (This is a known bad or malicious device profile that is undesirable and should be blocked from completing the privileged action), `CHALLENGE` (This is an unknown or potentially malicious device that should be put through increased friction such as 2FA or other forms of extended user verification before allowing the privileged action), or `NONE`. For country codes, `ALLOW` actions are not allowed. If a `NONE` action is specified, it will clear the stored rule. + - visitor_id: The cookie stored on the user's device that uniquely identifies them. See the Device Fingerprinting documentation for more details on the visitor_id. + - browser_id: Combination of VisitorID and NetworkFingerprint to create a clear identifier of a browser. + - visitor_fingerprint: Cookie-less way of identifying a unique user. + - browser_fingerprint: Combination of signals to identify a browser and its specific version. + - hardware_fingerprint: Combinations of signals to identify an operating system and architecture. + - network_fingerprint: Combination of signals associated with a specific network commonly known as TLS fingerprinting. - expires_in_minutes: The number of minutes until this rule expires. If no `expires_in_minutes` is specified, then the rule is kept permanently. - description: An optional description for the rule. - cidr_block: The CIDR block we want to set a rule for. You may pass either an IP address or a CIDR block. The CIDR block prefix must be between 16 and 32, inclusive. If an end user's IP address is within this CIDR block, this rule will be applied. Only one identifier can be specified in the request. 
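Review bot: The six identifier fields (`visitor_id` through `network_fingerprint`) lose "Only one identifier can be specified in the request", while `cidr_block` just below still carries it, so the docstring of `set` is now inconsistent about that constraint. The new texts define what each fingerprint is but no longer say that the field selects the target of the rule. Suggest appending the constraint to each, e.g. `- visitor_id: The cookie stored on the user's device that uniquely identifies them. Only one identifier can be specified in the request.` The `ALLOW`/`BLOCK`/`CHALLENGE` glosses describe lookup verdicts ("default ALLOW listed set of known devices by Stytch") rather than what a caller-set rule does, which may mislead someone writing a block rule. `set_async` carries the same text, and the docstring continues past the hunk.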
@@ -118,13 +118,13 @@ async def set_async( - Among equivalent size blocks, `BLOCK` takes precedence over `CHALLENGE`, which takes precedence over `ALLOW`. For example, if an `ip_address` overlaps with two `cidr_block` rules with blocks of the same size that return `CHALLENGE` and `ALLOW`, the rule match verdict will be `CHALLENGE`. Fields: - - action: The action that should be returned by a fingerprint lookup for that identifier with a `RULE_MATCH` reason. The following values are valid: `ALLOW`, `BLOCK`, `CHALLENGE`, or `NONE`. For country codes, `ALLOW` actions are not allowed. If a `NONE` action is specified, it will clear the stored rule. - - visitor_id: The visitor ID we want to set a rule for. Only one identifier can be specified in the request. - - browser_id: The browser ID we want to set a rule for. Only one identifier can be specified in the request. - - visitor_fingerprint: The visitor fingerprint we want to set a rule for. Only one identifier can be specified in the request. - - browser_fingerprint: The browser fingerprint we want to set a rule for. Only one identifier can be specified in the request. - - hardware_fingerprint: The hardware fingerprint we want to set a rule for. Only one identifier can be specified in the request. - - network_fingerprint: The network fingerprint we want to set a rule for. Only one identifier can be specified in the request. + - action: The action that should be returned by a fingerprint lookup for that identifier with a `RULE_MATCH` reason. 
The following values are valid: `ALLOW` (This is a known valid device grouping or device profile that is part of the default ALLOW listed set of known devices by Stytch), `BLOCK` (This is a known bad or malicious device profile that is undesirable and should be blocked from completing the privileged action), `CHALLENGE` (This is an unknown or potentially malicious device that should be put through increased friction such as 2FA or other forms of extended user verification before allowing the privileged action), or `NONE`. For country codes, `ALLOW` actions are not allowed. If a `NONE` action is specified, it will clear the stored rule. + - visitor_id: The cookie stored on the user's device that uniquely identifies them. See the Device Fingerprinting documentation for more details on the visitor_id. + - browser_id: Combination of VisitorID and NetworkFingerprint to create a clear identifier of a browser. + - visitor_fingerprint: Cookie-less way of identifying a unique user. + - browser_fingerprint: Combination of signals to identify a browser and its specific version. + - hardware_fingerprint: Combinations of signals to identify an operating system and architecture. + - network_fingerprint: Combination of signals associated with a specific network commonly known as TLS fingerprinting. - expires_in_minutes: The number of minutes until this rule expires. If no `expires_in_minutes` is specified, then the rule is kept permanently. - description: An optional description for the rule. - cidr_block: The CIDR block we want to set a rule for. You may pass either an IP address or a CIDR block. The CIDR block prefix must be between 16 and 32, inclusive. If an end user's IP address is within this CIDR block, this rule will be applied. Only one identifier can be specified in the request. diff --git a/stytch/consumer/api/idp_oauth.py b/stytch/consumer/api/idp_oauth.py index f91bbb4e..5d056077 100644 --- a/stytch/consumer/api/idp_oauth.py +++ b/stytch/consumer/api/idp_oauth.py 
@@ -54,13 +54,13 @@ def authorize_start( One of these fields must be used if the Connected App intends to complete the [Exchange Access Token](https://stytch.com/docs/api/connected-app-access-token-exchange) flow. Fields: - - client_id: The ID of the Connected App client. - - redirect_uri: The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow. This field is required when using the `authorization_code` grant. + - client_id: The ID of the client. + - redirect_uri: The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow. This field is required when using the `authorization_code` grant. - response_type: The OAuth 2.0 response type. For authorization code flows this value is `code`. - scopes: An array of scopes requested by the client. - - user_id: The unique ID of a specific User. You may use an `external_id` here if one is set for the user. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - session_token: The `session_token` associated with a User's existing Session. - - session_jwt: The `session_jwt` associated with a User's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. - prompt: Space separated list that specifies how the Authorization Server should prompt the user for reauthentication and consent. Only `consent` is supported today. """ # noqa headers: Dict[str, str] = {} 
@@ -116,13 +116,13 @@ async def authorize_start_async( One of these fields must be used if the Connected App intends to complete the [Exchange Access Token](https://stytch.com/docs/api/connected-app-access-token-exchange) flow. Fields: - - client_id: The ID of the Connected App client. - - redirect_uri: The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow. This field is required when using the `authorization_code` grant. + - client_id: The ID of the client. + - redirect_uri: The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow. This field is required when using the `authorization_code` grant. - response_type: The OAuth 2.0 response type. For authorization code flows this value is `code`. - scopes: An array of scopes requested by the client. - - user_id: The unique ID of a specific User. You may use an `external_id` here if one is set for the user. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - session_token: The `session_token` associated with a User's existing Session. - - session_jwt: The `session_jwt` associated with a User's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. - prompt: Space separated list that specifies how the Authorization Server should prompt the user for reauthentication and consent. Only `consent` is supported today. """ # noqa headers: Dict[str, str] = {} 
@@ -182,17 +182,17 @@ def authorize( Fields: - consent_granted: Indicates whether the user granted the requested scopes. - scopes: An array of scopes requested by the client. - - client_id: The ID of the Connected App client. - - redirect_uri: The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow. This field is required when using the `authorization_code` grant. + - client_id: The ID of the client. + - redirect_uri: The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow. This field is required when using the `authorization_code` grant. - response_type: The OAuth 2.0 response type. For authorization code flows this value is `code`. - - user_id: The unique ID of a specific User. You may use an `external_id` here if one is set for the user. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - session_token: The `session_token` associated with a User's existing Session. - - session_jwt: The `session_jwt` associated with a User's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. - prompt: Space separated list that specifies how the Authorization Server should prompt the user for reauthentication and consent. Only `consent` is supported today. - state: An opaque value used to maintain state between the request and callback. - nonce: A string used to associate a client session with an ID token to mitigate replay attacks. - - code_challenge: A base64url encoded challenge derived from the code verifier for PKCE flows. - - resources: (no documentation yet) + - code_challenge: A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device. 
+ - resources: A list of RBAC resources that define what entities can be accessed or modified, used in authorization policies. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
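Review bot: The new `resources` entry in `authorize` describes RBAC resources used in authorization policies, which looks like text shared from an RBAC schema rather than a description of a parameter on an OAuth authorization request; if this field names the resources the client is asking access to, the docstring should say so. The rewritten `code_challenge` entry also drops the term PKCE, which is what an integrator will search for; `- code_challenge: A base64url encoded SHA256 hash of the PKCE code verifier, a one time secret used to validate that the request starts and ends on the same device.` keeps both. The same two entries appear in the `authorize_async` hunk.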
@@ -260,17 +260,17 @@ async def authorize_async( Fields: - consent_granted: Indicates whether the user granted the requested scopes. - scopes: An array of scopes requested by the client. - - client_id: The ID of the Connected App client. - - redirect_uri: The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow. This field is required when using the `authorization_code` grant. + - client_id: The ID of the client. + - redirect_uri: The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow. This field is required when using the `authorization_code` grant. - response_type: The OAuth 2.0 response type. For authorization code flows this value is `code`. - - user_id: The unique ID of a specific User. You may use an `external_id` here if one is set for the user. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - session_token: The `session_token` associated with a User's existing Session. - - session_jwt: The `session_jwt` associated with a User's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. - prompt: Space separated list that specifies how the Authorization Server should prompt the user for reauthentication and consent. Only `consent` is supported today. - state: An opaque value used to maintain state between the request and callback. - nonce: A string used to associate a client session with an ID token to mitigate replay attacks. - - code_challenge: A base64url encoded challenge derived from the code verifier for PKCE flows. - - resources: (no documentation yet) + - code_challenge: A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device. 
+ - resources: A list of RBAC resources that define what entities can be accessed or modified, used in authorization policies. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { diff --git a/stytch/consumer/api/impersonation.py b/stytch/consumer/api/impersonation.py index 0b642318..dc3a567c 100644 --- a/stytch/consumer/api/impersonation.py +++ b/stytch/consumer/api/impersonation.py @@ -31,7 +31,7 @@ def authenticate( Prior to this step, you can generate an impersonation token by visiting the Stytch Dashboard, viewing a user, and clicking the `Impersonate User` button. Fields: - - impersonation_token: The User Impersonation token to authenticate. Expires in 5 minutes by default. + - impersonation_token: The impersonation token to authenticate. Expires in 5 minutes by default. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { @@ -52,7 +52,7 @@ async def authenticate_async( Prior to this step, you can generate an impersonation token by visiting the Stytch Dashboard, viewing a user, and clicking the `Impersonate User` button. Fields: - - impersonation_token: The User Impersonation token to authenticate. Expires in 5 minutes by default. + - impersonation_token: The impersonation token to authenticate. Expires in 5 minutes by default. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { diff --git a/stytch/consumer/api/m2m_clients.py b/stytch/consumer/api/m2m_clients.py index 24070225..9903132f 100644 --- a/stytch/consumer/api/m2m_clients.py +++ b/stytch/consumer/api/m2m_clients.py 
@@ -85,8 +85,8 @@ def search( - `scopes`: Search for clients assigned a specific scope Fields: - - cursor: The `cursor` field allows you to paginate through your results. Each result array is limited to 1000 results. If your query returns more than 1000 results, you will need to paginate the responses using the `cursor`. If you receive a response that includes a non-null `next_cursor` in the `results_metadata` object, repeat the search call with the `next_cursor` value set to the `cursor` field to retrieve the next page of results. Continue to make search calls until the `next_cursor` in the response is null. - - limit: The number of search results to return per page. The default limit is 100. A maximum of 1000 results can be returned by a single search request. If the total size of your result set is greater than one page size, you must paginate the response. See the `cursor` field. + - cursor: The `cursor` field allows you to paginate through your results. If your query returns more than the size of the page, you will need to paginate the responses using the `cursor`. If you receive a response that includes a non-null `next_cursor` in the `results_metadata` object, repeat the search call with the `next_cursor` value set to the `cursor` field to retrieve the next page of results. Continue to make search calls until the `next_cursor` in the response is null. + - limit: The number of search results to return per page. If the total size of your result set is greater than one page size, you must paginate the response. See the `cursor` field. - query: The optional query object contains the operator, i.e. `AND` or `OR`, and the operands that will filter your results. Only an operator is required. If you include no operands, no filtering will be applied. If you include no query object, it will return all results with no filtering applied. """ # noqa headers: Dict[str, str] = {} 
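Review bot: The `limit` and `cursor` entries in `search` lose every number: the default of 100 and the cap of 1000 results per request are gone, and `cursor` now refers to "the size of the page" without saying what that size is. If those limits still hold, keep them, e.g. `- limit: The number of search results to return per page. The default limit is 100. A maximum of 1000 results can be returned by a single search request.`; if they changed, state the new values. The `search_async` hunk has the same edit.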
@@ -116,8 +116,8 @@ async def search_async( - `scopes`: Search for clients assigned a specific scope Fields: - - cursor: The `cursor` field allows you to paginate through your results. Each result array is limited to 1000 results. If your query returns more than 1000 results, you will need to paginate the responses using the `cursor`. If you receive a response that includes a non-null `next_cursor` in the `results_metadata` object, repeat the search call with the `next_cursor` value set to the `cursor` field to retrieve the next page of results. Continue to make search calls until the `next_cursor` in the response is null. - - limit: The number of search results to return per page. The default limit is 100. A maximum of 1000 results can be returned by a single search request. If the total size of your result set is greater than one page size, you must paginate the response. See the `cursor` field. + - cursor: The `cursor` field allows you to paginate through your results. If your query returns more than the size of the page, you will need to paginate the responses using the `cursor`. If you receive a response that includes a non-null `next_cursor` in the `results_metadata` object, repeat the search call with the `next_cursor` value set to the `cursor` field to retrieve the next page of results. Continue to make search calls until the `next_cursor` in the response is null. + - limit: The number of search results to return per page. If the total size of your result set is greater than one page size, you must paginate the response. See the `cursor` field. - query: The optional query object contains the operator, i.e. `AND` or `OR`, and the operands that will filter your results. Only an operator is required. If you include no operands, no filtering will be applied. If you include no query object, it will return all results with no filtering applied. """ # noqa headers: Dict[str, str] = {} 
@@ -151,9 +151,9 @@ def update( - client_id: The ID of the client. - client_name: A human-readable name for the client. - client_description: A human-readable description for the client. - - status: The status of the client - either `active` or `inactive`. + - status: The status of the entity. - scopes: An array of scopes assigned to the client. - - trusted_metadata: The `trusted_metadata` field contains an arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. + - trusted_metadata: An arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { @@ -192,9 +192,9 @@ async def update_async( - client_id: The ID of the client. - client_name: A human-readable name for the client. - client_description: A human-readable description for the client. - - status: The status of the client - either `active` or `inactive`. + - status: The status of the entity. - scopes: An array of scopes assigned to the client. - - trusted_metadata: The `trusted_metadata` field contains an arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. + - trusted_metadata: An arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
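Review bot: `- status: The status of the entity.` in `update` and `update_async` no longer lists the accepted values, which the removed line gave as `active` or `inactive`. This is presumably the field a caller sets to deactivate an M2M client, so the docstring should keep the values and the noun, as in the removed wording: `- status: The status of the client - either active or inactive.` "Entity" also reads as generic template text next to entries that all say "client".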
@@ -272,11 +272,11 @@ def create( Fields: - scopes: An array of scopes assigned to the client. - - client_id: If provided, the ID of the client to create. If not provided, Stytch will generate this value for you. The `client_id` must be unique within your project. - - client_secret: If provided, the stored secret of the client to create. If not provided, Stytch will generate this value for you. If provided, the `client_secret` must be at least 8 characters long and pass entropy requirements. + - client_id: The ID of the client. + - client_secret: If provided, the stored secret of the client to create. If not provided, Stytch will generate this value for you. If provided, this must be at least 8 chasracters long and pass entropy requirements. - client_name: A human-readable name for the client. - client_description: A human-readable description for the client. - - trusted_metadata: The `trusted_metadata` field contains an arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. + - trusted_metadata: An arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
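Review bot: The new `client_secret` entry in `create` misspells "characters" as "chasracters", and the same line is in the `create_async` hunk; since these docstrings look generated, the fix probably belongs in the upstream spec. The new `client_id` entry, `The ID of the client.`, also drops the two facts that matter on a create call: that the ID is optional and generated by Stytch when omitted, and that it must be unique within the project. I would restore `- client_id: If provided, the ID of the client to create. If not provided, Stytch will generate this value for you. The client_id must be unique within your project.`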
@@ -312,11 +312,11 @@ async def create_async( Fields: - scopes: An array of scopes assigned to the client. - - client_id: If provided, the ID of the client to create. If not provided, Stytch will generate this value for you. The `client_id` must be unique within your project. - - client_secret: If provided, the stored secret of the client to create. If not provided, Stytch will generate this value for you. If provided, the `client_secret` must be at least 8 characters long and pass entropy requirements. + - client_id: The ID of the client. + - client_secret: If provided, the stored secret of the client to create. If not provided, Stytch will generate this value for you. If provided, this must be at least 8 chasracters long and pass entropy requirements. - client_name: A human-readable name for the client. - client_description: A human-readable description for the client. - - trusted_metadata: The `trusted_metadata` field contains an arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. + - trusted_metadata: An arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { diff --git a/stytch/consumer/api/magic_links.py b/stytch/consumer/api/magic_links.py index 952b0145..7ad7d74e 100644 --- a/stytch/consumer/api/magic_links.py +++ b/stytch/consumer/api/magic_links.py 
@@ -47,27 +47,14 @@ def authenticate( """Authenticate a User given a Magic Link. This endpoint verifies that the Magic Link token is valid, hasn't expired or been previously used, and any optional security settings such as IP match or user agent match are satisfied. Fields: - - token: The Magic Link `token` from the `?token=` query parameter in the URL. - - The redirect URL will look like `https://example.com/authenticate?stytch_token_type=magic_links&token=rM_kw42CWBhsHLF62V75jELMbvJ87njMe3tFVj7Qupu7` - - In the redirect URL, the `stytch_token_type` will be `magic_link`. See [here](https://stytch.com/docs/workspace-management/redirect-urls) for more detail. + - token: The Magic Link token from the `?token=` query parameter in the URL that you'll include in your contact method of choice, e.g. email or SMS. The redirect URL will look like `https://example.com/authenticate?stytch_token_type=magic_links&token=rM_kw42CWBhsHLF62V75jELMbvJ87njMe3tFVj7Qupu7` In the redirect URL, the `stytch_token_type` will be `magic_link`. See [here](https://stytch.com/docs/workspace-management/redirect-urls) for more detail. - attributes: Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application. - - options: Specify optional security settings. + - options: Configuration options or parameters for the request or resource. - session_token: The `session_token` associated with a User's existing Session. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). 
- - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. - - session_jwt: The `session_jwt` associated with a User's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. - - Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - code_verifier: A base64url encoded one time secret used to validate that the request starts and ends on the same device. 
- telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa 
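Review bot: The `options` entry in `authenticate` now reads `Configuration options or parameters for the request or resource.`, which tells the caller nothing, while the summary line of the same docstring still refers to "optional security settings such as IP match or user agent match"; the entry should name them, e.g. `- options: Specify optional security settings, such as IP match or user agent match.` The rewritten `token` entry adds "that you'll include in your contact method of choice", which describes sending a link rather than authenticating one, and it carries over the existing mismatch between `stytch_token_type=magic_links` in the example URL and `magic_link` in the following sentence. The `authenticate_async` hunk has the same text.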
@@ -113,27 +100,14 @@ async def authenticate_async( """Authenticate a User given a Magic Link. This endpoint verifies that the Magic Link token is valid, hasn't expired or been previously used, and any optional security settings such as IP match or user agent match are satisfied. Fields: - - token: The Magic Link `token` from the `?token=` query parameter in the URL. - - The redirect URL will look like `https://example.com/authenticate?stytch_token_type=magic_links&token=rM_kw42CWBhsHLF62V75jELMbvJ87njMe3tFVj7Qupu7` - - In the redirect URL, the `stytch_token_type` will be `magic_link`. See [here](https://stytch.com/docs/workspace-management/redirect-urls) for more detail. + - token: The Magic Link token from the `?token=` query parameter in the URL that you'll include in your contact method of choice, e.g. email or SMS. The redirect URL will look like `https://example.com/authenticate?stytch_token_type=magic_links&token=rM_kw42CWBhsHLF62V75jELMbvJ87njMe3tFVj7Qupu7` In the redirect URL, the `stytch_token_type` will be `magic_link`. See [here](https://stytch.com/docs/workspace-management/redirect-urls) for more detail. - attributes: Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application. - - options: Specify optional security settings. + - options: Configuration options or parameters for the request or resource. - session_token: The `session_token` associated with a User's existing Session. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). 
- - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. - - session_jwt: The `session_jwt` associated with a User's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. - - Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - code_verifier: A base64url encoded one time secret used to validate that the request starts and ends on the same device. 
- telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa @@ -178,8 +152,8 @@ def create( **Note:** Authenticating an Embeddable Magic Link token will **not** result in any of the Stytch User's factors (email address or phone number) being marked as verified, as Stytch cannot confirm where the user received the token. Fields: - - user_id: The unique ID of a specific User. You may use an `external_id` here if one is set for the user. - - expiration_minutes: Set the expiration for the Magic Link `token` in minutes. By default, it expires in 1 hour. The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins). + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. + - expiration_minutes: Set the expiration for the Magic Link token in minutes. By default, it expires in 1 hour. The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins). - attributes: Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application. """ # noqa headers: Dict[str, str] = {} 
@@ -211,8 +185,8 @@ async def create_async( **Note:** Authenticating an Embeddable Magic Link token will **not** result in any of the Stytch User's factors (email address or phone number) being marked as verified, as Stytch cannot confirm where the user received the token. Fields: - - user_id: The unique ID of a specific User. You may use an `external_id` here if one is set for the user. - - expiration_minutes: Set the expiration for the Magic Link `token` in minutes. By default, it expires in 1 hour. The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins). + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. + - expiration_minutes: Set the expiration for the Magic Link token in minutes. By default, it expires in 1 hour. The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins). - attributes: Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application. """ # noqa headers: Dict[str, str] = {} diff --git a/stytch/consumer/api/magic_links_email.py b/stytch/consumer/api/magic_links_email.py index 44403b1a..afba17e5 100644 --- a/stytch/consumer/api/magic_links_email.py +++ b/stytch/consumer/api/magic_links_email.py 
@@ -56,23 +56,20 @@ def send( The user is emailed a magic link which redirects them to the provided [redirect URL](https://stytch.com/docs/guides/magic-links/email-magic-links/redirect-routing). Collect the `token` from the URL query parameters, and call [Authenticate magic link](https://stytch.com/docs/api/authenticate-magic-link) to complete authentication. Fields: - - email: The email address of the User to send the Magic Link to. - - login_template_id: Use a custom template for login emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Magic links - Login. + - email: The email address of the end user. + - login_template_id: Use a custom template for login emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Magic Links - Login. - attributes: Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application. - login_magic_link_url: The URL the end user clicks from the login Email Magic Link. This should be a URL that your app receives and parses and subsequently send an API request to authenticate the Magic Link and log in the User. If this value is not passed, the default login redirect URL that you set in your Dashboard is used. If you have not set a default login redirect URL, an error is returned. - signup_magic_link_url: The URL the end user clicks from the sign-up Email Magic Link. This should be a URL that your app receives and parses and subsequently send an API request to authenticate the Magic Link and sign-up the User. If this value is not passed, the default sign-up redirect URL that you set in your Dashboard is used. If you have not set a default sign-up redirect URL, an error is returned. - login_expiration_minutes: Set the expiration for the login email magic link, in minutes. 
By default, it expires in 1 hour. The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins). - signup_expiration_minutes: Set the expiration for the sign-up email magic link, in minutes. By default, it expires in 1 week. The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins). - code_challenge: A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device. - - user_id: The unique ID of a specific User. You may use an `external_id` here if one is set for the user. - - session_token: The `session_token` of the user to associate the email with. - - session_jwt: The `session_jwt` of the user to associate the email with. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. + - session_token: The `session_token` associated with a User's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - signup_template_id: Use a custom template for sign-up emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Magic links - Sign-up. """ # noqa headers: Dict[str, str] = {} 
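Review bot: The `session_token` and `session_jwt` entries in `send` were replaced with the generic "associated with a User's existing Session" text, which drops what passing them does on this endpoint: the removed lines said they identify the user to associate the email with. That apparently makes the call attach an email to an existing account, so the docstring should keep the wording, e.g. `- session_token: The session_token of the user to associate the email with.` and likewise for `session_jwt`. The `send_async` hunk has the same change.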
@@ -135,23 +132,20 @@ async def send_async( The user is emailed a magic link which redirects them to the provided [redirect URL](https://stytch.com/docs/guides/magic-links/email-magic-links/redirect-routing). Collect the `token` from the URL query parameters, and call [Authenticate magic link](https://stytch.com/docs/api/authenticate-magic-link) to complete authentication. Fields: - - email: The email address of the User to send the Magic Link to. - - login_template_id: Use a custom template for login emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Magic links - Login. + - email: The email address of the end user. + - login_template_id: Use a custom template for login emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Magic Links - Login. - attributes: Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application. - login_magic_link_url: The URL the end user clicks from the login Email Magic Link. This should be a URL that your app receives and parses and subsequently send an API request to authenticate the Magic Link and log in the User. If this value is not passed, the default login redirect URL that you set in your Dashboard is used. If you have not set a default login redirect URL, an error is returned. - signup_magic_link_url: The URL the end user clicks from the sign-up Email Magic Link. This should be a URL that your app receives and parses and subsequently send an API request to authenticate the Magic Link and sign-up the User. If this value is not passed, the default sign-up redirect URL that you set in your Dashboard is used. If you have not set a default sign-up redirect URL, an error is returned. 
- login_expiration_minutes: Set the expiration for the login email magic link, in minutes. By default, it expires in 1 hour. The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins). - signup_expiration_minutes: Set the expiration for the sign-up email magic link, in minutes. By default, it expires in 1 week. The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins). - code_challenge: A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device. - - user_id: The unique ID of a specific User. You may use an `external_id` here if one is set for the user. - - session_token: The `session_token` of the user to associate the email with. - - session_jwt: The `session_jwt` of the user to associate the email with. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. + - session_token: The `session_token` associated with a User's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - signup_template_id: Use a custom template for sign-up emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Magic links - Sign-up. """ # noqa headers: Dict[str, str] = {} 
@@ -214,21 +208,18 @@ def login_or_create( - signup_magic_link_url: The URL the end user clicks from the sign-up Email Magic Link. This should be a URL that your app receives and parses and subsequently send an API request to authenticate the Magic Link and sign-up the User. If this value is not passed, the default sign-up redirect URL that you set in your Dashboard is used. If you have not set a default sign-up redirect URL, an error is returned. - login_expiration_minutes: Set the expiration for the login email magic link, in minutes. By default, it expires in 1 hour. The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins). - signup_expiration_minutes: Set the expiration for the sign-up email magic link, in minutes. By default, it expires in 1 week. The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins). - - login_template_id: Use a custom template for login emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Magic links - Login. + - login_template_id: Use a custom template for login emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Magic Links - Login. - signup_template_id: Use a custom template for sign-up emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Magic links - Sign-up. - attributes: Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application. - create_user_as_pending: Flag for whether or not to save a user as pending vs active in Stytch. Defaults to false. - If true, users will be saved with status pending in Stytch's backend until authenticated. - If false, users will be created as active. 
An example usage of - a true flag would be to require users to verify their phone by entering the OTP code before creating - an account for them. + If true, users will be saved with status pending in Stytch's backend until authenticated. + If false, users will be created as active. An example usage of + a true flag would be to require users to verify their phone by entering the OTP code before creating + an account for them. - code_challenge: A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device. - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -286,21 +277,18 @@ async def login_or_create_async( - signup_magic_link_url: The URL the end user clicks from the sign-up Email Magic Link. This should be a URL that your app receives and parses and subsequently send an API request to authenticate the Magic Link and sign-up the User. If this value is not passed, the default sign-up redirect URL that you set in your Dashboard is used. If you have not set a default sign-up redirect URL, an error is returned. - login_expiration_minutes: Set the expiration for the login email magic link, in minutes. By default, it expires in 1 hour. The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins). - signup_expiration_minutes: Set the expiration for the sign-up email magic link, in minutes. By default, it expires in 1 week. The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins). - - login_template_id: Use a custom template for login emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Magic links - Login. + - login_template_id: Use a custom template for login emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Magic Links - Login. - signup_template_id: Use a custom template for sign-up emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Magic links - Sign-up. - attributes: Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application. - create_user_as_pending: Flag for whether or not to save a user as pending vs active in Stytch. Defaults to false. - If true, users will be saved with status pending in Stytch's backend until authenticated. - If false, users will be created as active. 
An example usage of - a true flag would be to require users to verify their phone by entering the OTP code before creating - an account for them. + If true, users will be saved with status pending in Stytch's backend until authenticated. + If false, users will be created as active. An example usage of + a true flag would be to require users to verify their phone by entering the OTP code before creating + an account for them. - code_challenge: A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device. - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -351,20 +339,17 @@ def invite( The User is emailed a Magic Link which redirects them to the provided [redirect URL](https://stytch.com/docs/guides/magic-links/email-magic-links/redirect-routing). Collect the `token` from the URL query parameters and call [Authenticate Magic Link](https://stytch.com/docs/api/authenticate-magic-link) to complete authentication. Fields: - - email: The email address of the User to send the invite Magic Link to. + - email: The email address of the end user. - invite_template_id: Use a custom template for invite emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Magic links - Invite. - attributes: Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application. - - name: The name of the user. Each field in the name object is optional. + - name: The name of the User. - invite_magic_link_url: The URL the end user clicks from the Email Magic Link. This should be a URL that your app receives and parses and subsequently sends an API request to authenticate the Magic Link and log in the User. If this value is not passed, the default invite redirect URL that you set in your Dashboard is used. If you have not set a default sign-up redirect URL, an error is returned. - - invite_expiration_minutes: Set the expiration for the email magic link, in minutes. By default, it expires in 1 hour. The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins). + - invite_expiration_minutes: Set the expiration for the invite, in minutes. By default, it expires in 1 hour. The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins). - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. 
- Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - - trusted_metadata: The `trusted_metadata` field contains an arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. - - untrusted_metadata: The `untrusted_metadata` field contains an arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. + - trusted_metadata: An arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. + - untrusted_metadata: An arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -411,20 +396,17 @@ async def invite_async( The User is emailed a Magic Link which redirects them to the provided [redirect URL](https://stytch.com/docs/guides/magic-links/email-magic-links/redirect-routing). Collect the `token` from the URL query parameters and call [Authenticate Magic Link](https://stytch.com/docs/api/authenticate-magic-link) to complete authentication. Fields: - - email: The email address of the User to send the invite Magic Link to. + - email: The email address of the end user. - invite_template_id: Use a custom template for invite emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Magic links - Invite. - attributes: Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application. - - name: The name of the user. Each field in the name object is optional. + - name: The name of the User. - invite_magic_link_url: The URL the end user clicks from the Email Magic Link. This should be a URL that your app receives and parses and subsequently sends an API request to authenticate the Magic Link and log in the User. If this value is not passed, the default invite redirect URL that you set in your Dashboard is used. If you have not set a default sign-up redirect URL, an error is returned. - - invite_expiration_minutes: Set the expiration for the email magic link, in minutes. By default, it expires in 1 hour. The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins). + - invite_expiration_minutes: Set the expiration for the invite, in minutes. By default, it expires in 1 hour. The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins). - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. 
- Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - - trusted_metadata: The `trusted_metadata` field contains an arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. - - untrusted_metadata: The `untrusted_metadata` field contains an arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. + - trusted_metadata: An arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. + - untrusted_metadata: An arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { @@ -460,7 +442,7 @@ def revoke_invite( """Revoke a pending invite based on the `email` provided. Fields: - - email: The email of the user. + - email: The email address of the end user. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { @@ -478,7 +460,7 @@ async def revoke_invite_async( """Revoke a pending invite based on the `email` provided. Fields: - - email: The email of the user. + - email: The email address of the end user. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
diff --git a/stytch/consumer/api/oauth.py b/stytch/consumer/api/oauth.py index 0ef97010..abda5cf2 100644 --- a/stytch/consumer/api/oauth.py +++ b/stytch/consumer/api/oauth.py @@ -38,9 +38,9 @@ def attach( Fields: - provider: The OAuth provider's name. - - user_id: The unique ID of a specific User. You may use an `external_id` here if one is set for the user. + - user_id: The unique ID of a specific User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - session_token: The `session_token` associated with a User's existing Session. - - session_jwt: The `session_jwt` associated with a User's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { @@ -74,9 +74,9 @@ async def attach_async( Fields: - provider: The OAuth provider's name. - - user_id: The unique ID of a specific User. You may use an `external_id` here if one is set for the user. + - user_id: The unique ID of a specific User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - session_token: The `session_token` associated with a User's existing Session. - - session_jwt: The `session_jwt` associated with a User's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -106,25 +106,12 @@ def authenticate( """Authenticate a User given a `token`. This endpoint verifies that the user completed the OAuth flow by verifying that the token is valid and hasn't expired. To initiate a Stytch session for the user while authenticating their OAuth token, include `session_duration_minutes`; a session with the identity provider, e.g. Google or Facebook, will always be initiated upon successful authentication. Fields: - - token: The OAuth `token` from the `?token=` query parameter in the URL. - - The redirect URL will look like `https://example.com/authenticate?stytch_token_type=oauth&token=rM_kw42CWBhsHLF62V75jELMbvJ87njMe3tFVj7Qupu7` - - In the redirect URL, the `stytch_token_type` will be `oauth`. See [here](https://stytch.com/docs/workspace-management/redirect-urls) for more detail. - - session_token: Reuse an existing session instead of creating a new one. If you provide us with a `session_token`, then we'll update the session represented by this session token with this OAuth factor. If this `session_token` belongs to a different user than the OAuth token, the session_jwt will be ignored. This endpoint will error if both `session_token` and `session_jwt` are provided. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. 
- - session_jwt: Reuse an existing session instead of creating a new one. If you provide us with a `session_jwt`, then we'll update the session represented by this JWT with this OAuth factor. If this `session_jwt` belongs to a different user than the OAuth token, the session_jwt will be ignored. This endpoint will error if both `session_token` and `session_jwt` are provided. + - token: The OAuth `token` from the `?token=` query parameter in the URL. In the redirect URL, the `stytch_token_type` will be `oauth`. + - session_token: The `session_token` associated with a User's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. - - Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. 
+ Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - code_verifier: A base64url encoded one time secret used to validate that the request starts and ends on the same device. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa 
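Review bot: The new `session_token` and `session_jwt` entries in the `authenticate` docstring drop two behavioural statements the old text carried: that a session belonging to a different user than the OAuth token is ignored, and that the endpoint errors when both values are supplied. If the endpoint still behaves that way, callers that reuse an existing session need both facts, so I would keep the different-user sentence and append ``This endpoint will error if both `session_token` and `session_jwt` are provided.`` to each entry. The removed `session_token` text said "the session_jwt will be ignored", which looks like a copy slip to correct when restoring it. The same applies to the `authenticate_async` hunk that follows; both function bodies continue outside their hunks.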
@@ -162,25 +149,12 @@ async def authenticate_async( """Authenticate a User given a `token`. This endpoint verifies that the user completed the OAuth flow by verifying that the token is valid and hasn't expired. To initiate a Stytch session for the user while authenticating their OAuth token, include `session_duration_minutes`; a session with the identity provider, e.g. Google or Facebook, will always be initiated upon successful authentication. Fields: - - token: The OAuth `token` from the `?token=` query parameter in the URL. - - The redirect URL will look like `https://example.com/authenticate?stytch_token_type=oauth&token=rM_kw42CWBhsHLF62V75jELMbvJ87njMe3tFVj7Qupu7` - - In the redirect URL, the `stytch_token_type` will be `oauth`. See [here](https://stytch.com/docs/workspace-management/redirect-urls) for more detail. - - session_token: Reuse an existing session instead of creating a new one. If you provide us with a `session_token`, then we'll update the session represented by this session token with this OAuth factor. If this `session_token` belongs to a different user than the OAuth token, the session_jwt will be ignored. This endpoint will error if both `session_token` and `session_jwt` are provided. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. 
- - session_jwt: Reuse an existing session instead of creating a new one. If you provide us with a `session_jwt`, then we'll update the session represented by this JWT with this OAuth factor. If this `session_jwt` belongs to a different user than the OAuth token, the session_jwt will be ignored. This endpoint will error if both `session_token` and `session_jwt` are provided. + - token: The OAuth `token` from the `?token=` query parameter in the URL. In the redirect URL, the `stytch_token_type` will be `oauth`. + - session_token: The `session_token` associated with a User's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. - - Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. 
+ Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - code_verifier: A base64url encoded one time secret used to validate that the request starts and ends on the same device. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa diff --git a/stytch/consumer/api/otp.py b/stytch/consumer/api/otp.py index c849b22b..ee581e5f 100644 --- a/stytch/consumer/api/otp.py +++ b/stytch/consumer/api/otp.py @@ -10,7 +10,7 @@ from stytch.consumer.api.otp_email import Email from stytch.consumer.api.otp_sms import Sms -from stytch.consumer.api.otp_whatsapp import Whatsapp +from stytch.consumer.api.otp_whatsapp import WhatsApp from stytch.consumer.models.attribute import Attributes from stytch.consumer.models.magic_links import Options from stytch.consumer.models.otp import AuthenticateResponse @@ -30,7 +30,7 @@ def __init__( sync_client=self.sync_client, async_client=self.async_client, ) - self.whatsapp = Whatsapp( + self.whatsapp = WhatsApp( api_base=self.api_base, sync_client=self.sync_client, async_client=self.async_client, 
@@ -61,19 +61,10 @@ def authenticate( - attributes: Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application. - options: Specify optional security settings. - session_token: The `session_token` associated with a User's existing Session. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. - - session_jwt: The `session_jwt` associated with a User's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. - session_custom_claims: Add a custom claims map to the Session being authenticated. 
Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. - - Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} 
@@ -122,19 +113,10 @@ async def authenticate_async( - attributes: Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application. - options: Specify optional security settings. - session_token: The `session_token` associated with a User's existing Session. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. - - session_jwt: The `session_jwt` associated with a User's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. - session_custom_claims: Add a custom claims map to the Session being authenticated. 
Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. - - Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} diff --git a/stytch/consumer/api/otp_email.py b/stytch/consumer/api/otp_email.py index cc36b614..252b01ef 100644 --- a/stytch/consumer/api/otp_email.py +++ b/stytch/consumer/api/otp_email.py 
@@ -48,20 +48,17 @@ def send( Collect the OTP which was delivered to the user. Call [Authenticate OTP](https://stytch.com/docs/api/authenticate-otp) using the OTP `code` along with the `email_id` found in the response as the `method_id`. Fields: - - email: The email address of the user to send the one-time passcode to. You may use sandbox@stytch.com to test this endpoint, see [Testing](https://stytch.com/docs/home#resources_testing) for more detail. - - expiration_minutes: Set the expiration for the one-time passcode, in minutes. The minimum expiration is 1 minute and the maximum is 10 minutes. The default expiration is 2 minutes. + - email: The email address of the end user. + - expiration_minutes: The expiration for the one-time passcode, in minutes. - attributes: Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application. - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - - user_id: The unique ID of a specific User. You may use an `external_id` here if one is set for the user. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - session_token: The `session_token` associated with a User's existing Session. - - session_jwt: The `session_jwt` associated with a User's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. 
- login_template_id: Use a custom template for login emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for OTP - Login. - - signup_template_id: Use a custom template for sign-up emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for OTP - Sign-up. + - signup_template_id: Use a custom template for signup emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for OTP - Signup. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
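Review bot: The rewritten `expiration_minutes` entry in the `send` docstring no longer states the allowed range or the default, which the removed text gave as 1 to 10 minutes with a 2-minute default. The passcode lifetime is a security-relevant setting, so a caller reading only this docstring cannot tell what window applies when the argument is omitted or which values will be rejected. If those limits still hold, keep them: `- expiration_minutes: The expiration for the one-time passcode, in minutes. The minimum expiration is 1 minute and the maximum is 10 minutes. The default expiration is 2 minutes.` The same shortening appears in the `send_async`, `login_or_create` and `login_or_create_async` hunks of this file and in the matching hunks of otp_sms.py and otp_whatsapp.py. The body of `send` continues outside the hunk.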
@@ -111,20 +108,17 @@ async def send_async( Collect the OTP which was delivered to the user. Call [Authenticate OTP](https://stytch.com/docs/api/authenticate-otp) using the OTP `code` along with the `email_id` found in the response as the `method_id`. Fields: - - email: The email address of the user to send the one-time passcode to. You may use sandbox@stytch.com to test this endpoint, see [Testing](https://stytch.com/docs/home#resources_testing) for more detail. - - expiration_minutes: Set the expiration for the one-time passcode, in minutes. The minimum expiration is 1 minute and the maximum is 10 minutes. The default expiration is 2 minutes. + - email: The email address of the end user. + - expiration_minutes: The expiration for the one-time passcode, in minutes. - attributes: Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application. - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - - user_id: The unique ID of a specific User. You may use an `external_id` here if one is set for the user. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - session_token: The `session_token` associated with a User's existing Session. - - session_jwt: The `session_jwt` associated with a User's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. 
- login_template_id: Use a custom template for login emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for OTP - Login. - - signup_template_id: Use a custom template for sign-up emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for OTP - Sign-up. + - signup_template_id: Use a custom template for signup emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for OTP - Signup. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -170,22 +164,19 @@ def login_or_create( Collect the OTP which was delivered to the User. Call [Authenticate OTP](https://stytch.com/docs/api/authenticate-otp) using the OTP `code` along with the `phone_id` found in the response as the `method_id`. Fields: - - email: The email address of the user to send the one-time passcode to. You may use sandbox@stytch.com to test this endpoint, see [Testing](https://stytch.com/docs/home#resources_testing) for more detail. - - expiration_minutes: Set the expiration for the one-time passcode, in minutes. The minimum expiration is 1 minute and the maximum is 10 minutes. The default expiration is 2 minutes. + - email: The email address of the end user. + - expiration_minutes: The expiration for the one-time passcode, in minutes. - attributes: Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application. - create_user_as_pending: Flag for whether or not to save a user as pending vs active in Stytch. Defaults to false. - If true, users will be saved with status pending in Stytch's backend until authenticated. - If false, users will be created as active. An example usage of - a true flag would be to require users to verify their phone by entering the OTP code before creating - an account for them. + If true, users will be saved with status pending in Stytch's backend until authenticated. + If false, users will be created as active. An example usage of + a true flag would be to require users to verify their phone by entering the OTP code before creating + an account for them. - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. 
- Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - - login_template_id: Use a custom template for login emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Magic links - Login. - - signup_template_id: Use a custom template for sign-up emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Magic links - Sign-up. + - login_template_id: Use a custom template for login emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for OTP - Login. + - signup_template_id: Use a custom template for signup emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for OTP - Signup. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
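Review bot: The unchanged summary line at the top of this `login_or_create` docstring tells callers to pass the `phone_id` from the response as the `method_id`, and the `create_user_as_pending` text speaks of users verifying "their phone", yet this is otp_email.py and the `send` docstring in the same file names `email_id`. The commit corrects the neighbouring template wording from "Magic links" to "OTP" but leaves this apparent copy-paste, which presumably points integrators at the wrong identifier for the authenticate call. I would replace `phone_id` with `email_id` in that sentence and "their phone" with "their email", after confirming the response field name. The `login_or_create_async` hunk carries the same text, and both function bodies continue outside their hunks.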
@@ -227,22 +218,19 @@ async def login_or_create_async( Collect the OTP which was delivered to the User. Call [Authenticate OTP](https://stytch.com/docs/api/authenticate-otp) using the OTP `code` along with the `phone_id` found in the response as the `method_id`. Fields: - - email: The email address of the user to send the one-time passcode to. You may use sandbox@stytch.com to test this endpoint, see [Testing](https://stytch.com/docs/home#resources_testing) for more detail. - - expiration_minutes: Set the expiration for the one-time passcode, in minutes. The minimum expiration is 1 minute and the maximum is 10 minutes. The default expiration is 2 minutes. + - email: The email address of the end user. + - expiration_minutes: The expiration for the one-time passcode, in minutes. - attributes: Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application. - create_user_as_pending: Flag for whether or not to save a user as pending vs active in Stytch. Defaults to false. - If true, users will be saved with status pending in Stytch's backend until authenticated. - If false, users will be created as active. An example usage of - a true flag would be to require users to verify their phone by entering the OTP code before creating - an account for them. + If true, users will be saved with status pending in Stytch's backend until authenticated. + If false, users will be created as active. An example usage of + a true flag would be to require users to verify their phone by entering the OTP code before creating + an account for them. - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. 
- Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - - login_template_id: Use a custom template for login emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Magic links - Login. - - signup_template_id: Use a custom template for sign-up emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Magic links - Sign-up. + - login_template_id: Use a custom template for login emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for OTP - Login. + - signup_template_id: Use a custom template for signup emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for OTP - Signup. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { diff --git a/stytch/consumer/api/otp_sms.py b/stytch/consumer/api/otp_sms.py index 1b9e535a..aabd2159 100644 --- a/stytch/consumer/api/otp_sms.py +++ b/stytch/consumer/api/otp_sms.py 
@@ -57,18 +57,15 @@ def send( Collect the OTP which was delivered to the user. Call [Authenticate OTP](https://stytch.com/docs/api/authenticate-otp) using the OTP `code` along with the `phone_id` found in the response as the `method_id`. Fields: - - phone_number: The phone number to use for one-time passcodes. The phone number should be in E.164 format (i.e. +1XXXXXXXXXX). You may use +10000000000 to test this endpoint, see [Testing](https://stytch.com/docs/home#resources_testing) for more detail. - - expiration_minutes: Set the expiration for the one-time passcode, in minutes. The minimum expiration is 1 minute and the maximum is 10 minutes. The default expiration is 2 minutes. + - phone_number: The phone number in E.164 format (i.e. +1XXXXXXXXXX). + - expiration_minutes: The expiration for the one-time passcode, in minutes. - attributes: Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application. - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - - user_id: The unique ID of a specific User. You may use an `external_id` here if one is set for the user. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - session_token: The `session_token` associated with a User's existing Session. - - session_jwt: The `session_jwt` associated with a User's existing Session. 
+ - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -123,18 +120,15 @@ async def send_async( Collect the OTP which was delivered to the user. Call [Authenticate OTP](https://stytch.com/docs/api/authenticate-otp) using the OTP `code` along with the `phone_id` found in the response as the `method_id`. Fields: - - phone_number: The phone number to use for one-time passcodes. The phone number should be in E.164 format (i.e. +1XXXXXXXXXX). You may use +10000000000 to test this endpoint, see [Testing](https://stytch.com/docs/home#resources_testing) for more detail. - - expiration_minutes: Set the expiration for the one-time passcode, in minutes. The minimum expiration is 1 minute and the maximum is 10 minutes. The default expiration is 2 minutes. + - phone_number: The phone number in E.164 format (i.e. +1XXXXXXXXXX). + - expiration_minutes: The expiration for the one-time passcode, in minutes. - attributes: Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application. - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - - user_id: The unique ID of a specific User. You may use an `external_id` here if one is set for the user. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - session_token: The `session_token` associated with a User's existing Session. - - session_jwt: The `session_jwt` associated with a User's existing Session. 
+ - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -181,20 +175,17 @@ def login_or_create( Collect the OTP which was delivered to the User. Call [Authenticate OTP](https://stytch.com/docs/api/authenticate-otp) using the OTP `code` along with the `phone_id` found in the response as the `method_id`. Fields: - - phone_number: The phone number to use for one-time passcodes. The phone number should be in E.164 format (i.e. +1XXXXXXXXXX). You may use +10000000000 to test this endpoint, see [Testing](https://stytch.com/docs/home#resources_testing) for more detail. - - expiration_minutes: Set the expiration for the one-time passcode, in minutes. The minimum expiration is 1 minute and the maximum is 10 minutes. The default expiration is 2 minutes. + - phone_number: The phone number in E.164 format (i.e. +1XXXXXXXXXX). + - expiration_minutes: The expiration for the one-time passcode, in minutes. - attributes: Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application. - create_user_as_pending: Flag for whether or not to save a user as pending vs active in Stytch. Defaults to false. - If true, users will be saved with status pending in Stytch's backend until authenticated. - If false, users will be created as active. An example usage of - a true flag would be to require users to verify their phone by entering the OTP code before creating - an account for them. + If true, users will be saved with status pending in Stytch's backend until authenticated. + If false, users will be created as active. An example usage of + a true flag would be to require users to verify their phone by entering the OTP code before creating + an account for them. - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. 
- Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -237,20 +228,17 @@ async def login_or_create_async( Collect the OTP which was delivered to the User. Call [Authenticate OTP](https://stytch.com/docs/api/authenticate-otp) using the OTP `code` along with the `phone_id` found in the response as the `method_id`. Fields: - - phone_number: The phone number to use for one-time passcodes. The phone number should be in E.164 format (i.e. +1XXXXXXXXXX). You may use +10000000000 to test this endpoint, see [Testing](https://stytch.com/docs/home#resources_testing) for more detail. - - expiration_minutes: Set the expiration for the one-time passcode, in minutes. The minimum expiration is 1 minute and the maximum is 10 minutes. The default expiration is 2 minutes. + - phone_number: The phone number in E.164 format (i.e. +1XXXXXXXXXX). + - expiration_minutes: The expiration for the one-time passcode, in minutes. - attributes: Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application. - create_user_as_pending: Flag for whether or not to save a user as pending vs active in Stytch. Defaults to false. - If true, users will be saved with status pending in Stytch's backend until authenticated. - If false, users will be created as active. An example usage of - a true flag would be to require users to verify their phone by entering the OTP code before creating - an account for them. + If true, users will be saved with status pending in Stytch's backend until authenticated. + If false, users will be created as active. An example usage of + a true flag would be to require users to verify their phone by entering the OTP code before creating + an account for them. - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. 
- Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { diff --git a/stytch/consumer/api/otp_whatsapp.py b/stytch/consumer/api/otp_whatsapp.py index 12fdd273..59a994e5 100644 --- a/stytch/consumer/api/otp_whatsapp.py +++ b/stytch/consumer/api/otp_whatsapp.py @@ -19,7 +19,7 @@ from stytch.core.http.client import AsyncClient, SyncClient -class Whatsapp: +class WhatsApp: def __init__( self, api_base: ApiBase, sync_client: SyncClient, async_client: AsyncClient ) -> None: 
@@ -53,18 +53,15 @@ def send( Collect the OTP which was delivered to the user. Call [Authenticate OTP](https://stytch.com/docs/api/authenticate-otp) using the OTP `code` along with the `phone_id` found in the response as the `method_id`. Fields: - - phone_number: The phone number to use for one-time passcodes. The phone number should be in E.164 format (i.e. +1XXXXXXXXXX). You may use +10000000000 to test this endpoint, see [Testing](https://stytch.com/docs/home#resources_testing) for more detail. - - expiration_minutes: Set the expiration for the one-time passcode, in minutes. The minimum expiration is 1 minute and the maximum is 10 minutes. The default expiration is 2 minutes. + - phone_number: The phone number in E.164 format (i.e. +1XXXXXXXXXX). + - expiration_minutes: The expiration for the one-time passcode, in minutes. - attributes: Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application. - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - - user_id: The unique ID of a specific User. You may use an `external_id` here if one is set for the user. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - session_token: The `session_token` associated with a User's existing Session. - - session_jwt: The `session_jwt` associated with a User's existing Session. 
+ - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -115,18 +112,15 @@ async def send_async( Collect the OTP which was delivered to the user. Call [Authenticate OTP](https://stytch.com/docs/api/authenticate-otp) using the OTP `code` along with the `phone_id` found in the response as the `method_id`. Fields: - - phone_number: The phone number to use for one-time passcodes. The phone number should be in E.164 format (i.e. +1XXXXXXXXXX). You may use +10000000000 to test this endpoint, see [Testing](https://stytch.com/docs/home#resources_testing) for more detail. - - expiration_minutes: Set the expiration for the one-time passcode, in minutes. The minimum expiration is 1 minute and the maximum is 10 minutes. The default expiration is 2 minutes. + - phone_number: The phone number in E.164 format (i.e. +1XXXXXXXXXX). + - expiration_minutes: The expiration for the one-time passcode, in minutes. - attributes: Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application. - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - - user_id: The unique ID of a specific User. You may use an `external_id` here if one is set for the user. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - session_token: The `session_token` associated with a User's existing Session. - - session_jwt: The `session_jwt` associated with a User's existing Session. 
+ - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -169,20 +163,17 @@ def login_or_create( Collect the OTP which was delivered to the User. Call [Authenticate OTP](https://stytch.com/docs/api/authenticate-otp) using the OTP `code` along with the `phone_id` found in the response as the `method_id`. Fields: - - phone_number: The phone number to use for one-time passcodes. The phone number should be in E.164 format (i.e. +1XXXXXXXXXX). You may use +10000000000 to test this endpoint, see [Testing](https://stytch.com/docs/home#resources_testing) for more detail. - - expiration_minutes: Set the expiration for the one-time passcode, in minutes. The minimum expiration is 1 minute and the maximum is 10 minutes. The default expiration is 2 minutes. + - phone_number: The phone number in E.164 format (i.e. +1XXXXXXXXXX). + - expiration_minutes: The expiration for the one-time passcode, in minutes. - attributes: Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application. - create_user_as_pending: Flag for whether or not to save a user as pending vs active in Stytch. Defaults to false. - If true, users will be saved with status pending in Stytch's backend until authenticated. - If false, users will be created as active. An example usage of - a true flag would be to require users to verify their phone by entering the OTP code before creating - an account for them. + If true, users will be saved with status pending in Stytch's backend until authenticated. + If false, users will be created as active. An example usage of + a true flag would be to require users to verify their phone by entering the OTP code before creating + an account for them. - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. 
- Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -221,20 +212,17 @@ async def login_or_create_async( Collect the OTP which was delivered to the User. Call [Authenticate OTP](https://stytch.com/docs/api/authenticate-otp) using the OTP `code` along with the `phone_id` found in the response as the `method_id`. Fields: - - phone_number: The phone number to use for one-time passcodes. The phone number should be in E.164 format (i.e. +1XXXXXXXXXX). You may use +10000000000 to test this endpoint, see [Testing](https://stytch.com/docs/home#resources_testing) for more detail. - - expiration_minutes: Set the expiration for the one-time passcode, in minutes. The minimum expiration is 1 minute and the maximum is 10 minutes. The default expiration is 2 minutes. + - phone_number: The phone number in E.164 format (i.e. +1XXXXXXXXXX). + - expiration_minutes: The expiration for the one-time passcode, in minutes. - attributes: Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application. - create_user_as_pending: Flag for whether or not to save a user as pending vs active in Stytch. Defaults to false. - If true, users will be saved with status pending in Stytch's backend until authenticated. - If false, users will be created as active. An example usage of - a true flag would be to require users to verify their phone by entering the OTP code before creating - an account for them. + If true, users will be saved with status pending in Stytch's backend until authenticated. + If false, users will be created as active. An example usage of + a true flag would be to require users to verify their phone by entering the OTP code before creating + an account for them. - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. 
- Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { diff --git a/stytch/consumer/api/passwords.py b/stytch/consumer/api/passwords.py index a4e7c165..6f849bf7 100644 --- a/stytch/consumer/api/passwords.py +++ b/stytch/consumer/api/passwords.py 
@@ -74,21 +74,12 @@ def create( Fields: - email: The email address of the end user. - password: The password for the user. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. 
- - Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - - trusted_metadata: The `trusted_metadata` field contains an arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. - - untrusted_metadata: The `untrusted_metadata` field contains an arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. - - name: The name of the user. Each field in the name object is optional. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + - trusted_metadata: An arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. + - untrusted_metadata: An arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. + - name: The name of the User. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} 
@@ -135,21 +126,12 @@ async def create_async( Fields: - email: The email address of the end user. - password: The password for the user. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. 
- - Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - - trusted_metadata: The `trusted_metadata` field contains an arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. - - untrusted_metadata: The `untrusted_metadata` field contains an arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. - - name: The name of the user. Each field in the name object is optional. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + - trusted_metadata: An arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. + - untrusted_metadata: An arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. + - name: The name of the User. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} 
@@ -196,19 +178,10 @@ def authenticate( - email: The email address of the end user. - password: The password for the user. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc. - session_token: The `session_token` associated with a User's existing Session. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. - - session_jwt: The `session_jwt` associated with a User's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. - session_custom_claims: Add a custom claims map to the Session being authenticated. 
Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. - - Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} 
@@ -253,19 +226,10 @@ async def authenticate_async( - email: The email address of the end user. - password: The password for the user. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc. - session_token: The `session_token` associated with a User's existing Session. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. - - session_jwt: The `session_jwt` associated with a User's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. - session_custom_claims: Add a custom claims map to the Session being authenticated. 
Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. - - Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} 
@@ -380,24 +344,23 @@ def migrate( - email: The email address of the end user. - hash: The password hash. For a Scrypt or PBKDF2 hash, the hash needs to be a base64 encoded string. - hash_type: The password hash used. Currently `bcrypt`, `scrypt`, `argon_2i`, `argon_2id`, `md_5`, `sha_1`, `sha_512`, and `pbkdf_2` are supported. - - md_5_config: Optional parameters for MD-5 hash types. - - argon_2_config: Required parameters if the argon2 hex form, as opposed to the encoded form, is supplied. - - sha_1_config: Optional parameters for SHA-1 hash types. - - sha_512_config: Optional parameters for SHA-512 hash types. + - md_5_config: Configuration parameters for MD5 password hashing when migrating passwords. This includes settings like whether a prepended salt was used. + - argon_2_config: Configuration parameters for Argon2 password hashing when migrating passwords. This includes settings like memory cost, time cost, and parallelism. + - sha_1_config: Configuration parameters for SHA-1 password hashing when migrating passwords. This includes settings like whether a prepended salt was used. + - sha_512_config: Configuration parameters for SHA-512 password hashing when migrating passwords. This includes settings like whether a prepended salt was used. - scrypt_config: Required parameters if the scrypt is not provided in a [PHC encoded form](https://github.com/P-H-C/phc-string-format/blob/master/phc-sf-spec.md#phc-string-format). - - pbkdf_2_config: Required additional parameters for PBKDF2 hash keys. - - trusted_metadata: The `trusted_metadata` field contains an arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. - - untrusted_metadata: The `untrusted_metadata` field contains an arbitrary JSON object of application-specific data. 
Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. + - pbkdf_2_config: Configuration parameters for PBKDF2 password hashing when migrating passwords. This includes settings like iteration count and the underlying hash function. + - trusted_metadata: An arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. + - untrusted_metadata: An arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. - set_email_verified: Whether to set the user's email as verified. This is a dangerous field, incorrect use may lead to users getting erroneously - deduplicated into one User object. This flag should only be set if you can attest that the user owns the email address in question. - - - name: The name of the user. Each field in the name object is optional. - - phone_number: The phone number of the user. The phone number should be in E.164 format (i.e. +1XXXXXXXXXX). + deduplicated into one User object. This flag should only be set if you can attest that the user owns the email address in question. + - name: The name of the User. + - phone_number: The phone number in E.164 format (i.e. +1XXXXXXXXXX). - set_phone_number_verified: Whether to set the user's phone number as verified. This is a dangerous field, this flag should only be set if you can attest that - the user owns the phone number in question. + the user owns the phone number in question. - external_id: If a new user is created, this will set an identifier that can be used in API calls wherever a user_id is expected. 
This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. - - roles: Roles to explicitly assign to this User. - See the [RBAC guide](https://stytch.com/docs/guides/rbac/role-assignment) for more information about role assignment. + - roles: Roles to explicitly assign to this Member. + See the [RBAC guide](https://stytch.com/docs/guides/rbac/role-assignment) for more information about role assignment. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
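Review bot: The new `roles` entry in the `migrate` docstring says "Roles to explicitly assign to this Member", but this is the consumer `passwords.py` and every other entry in the same docstring speaks of a User; `- roles: Roles to explicitly assign to this User.` would keep the terminology consistent. The `argon_2_config` and `pbkdf_2_config` entries also lose the statement of when they are required, while `scrypt_config` next to them still carries it, so a reader cannot tell which config objects a migration call must supply. Assuming the API contract is unchanged, the condition should stay, e.g. `- argon_2_config: Required parameters if the argon2 hex form, as opposed to the encoded form, is supplied.` The `migrate_async` hunk carries the same wording.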
@@ -484,24 +447,23 @@ async def migrate_async( - email: The email address of the end user. - hash: The password hash. For a Scrypt or PBKDF2 hash, the hash needs to be a base64 encoded string. - hash_type: The password hash used. Currently `bcrypt`, `scrypt`, `argon_2i`, `argon_2id`, `md_5`, `sha_1`, `sha_512`, and `pbkdf_2` are supported. - - md_5_config: Optional parameters for MD-5 hash types. - - argon_2_config: Required parameters if the argon2 hex form, as opposed to the encoded form, is supplied. - - sha_1_config: Optional parameters for SHA-1 hash types. - - sha_512_config: Optional parameters for SHA-512 hash types. + - md_5_config: Configuration parameters for MD5 password hashing when migrating passwords. This includes settings like whether a prepended salt was used. + - argon_2_config: Configuration parameters for Argon2 password hashing when migrating passwords. This includes settings like memory cost, time cost, and parallelism. + - sha_1_config: Configuration parameters for SHA-1 password hashing when migrating passwords. This includes settings like whether a prepended salt was used. + - sha_512_config: Configuration parameters for SHA-512 password hashing when migrating passwords. This includes settings like whether a prepended salt was used. - scrypt_config: Required parameters if the scrypt is not provided in a [PHC encoded form](https://github.com/P-H-C/phc-string-format/blob/master/phc-sf-spec.md#phc-string-format). - - pbkdf_2_config: Required additional parameters for PBKDF2 hash keys. - - trusted_metadata: The `trusted_metadata` field contains an arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. - - untrusted_metadata: The `untrusted_metadata` field contains an arbitrary JSON object of application-specific data. 
Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. + - pbkdf_2_config: Configuration parameters for PBKDF2 password hashing when migrating passwords. This includes settings like iteration count and the underlying hash function. + - trusted_metadata: An arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. + - untrusted_metadata: An arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. - set_email_verified: Whether to set the user's email as verified. This is a dangerous field, incorrect use may lead to users getting erroneously - deduplicated into one User object. This flag should only be set if you can attest that the user owns the email address in question. - - - name: The name of the user. Each field in the name object is optional. - - phone_number: The phone number of the user. The phone number should be in E.164 format (i.e. +1XXXXXXXXXX). + deduplicated into one User object. This flag should only be set if you can attest that the user owns the email address in question. + - name: The name of the User. + - phone_number: The phone number in E.164 format (i.e. +1XXXXXXXXXX). - set_phone_number_verified: Whether to set the user's phone number as verified. This is a dangerous field, this flag should only be set if you can attest that - the user owns the phone number in question. + the user owns the phone number in question. - external_id: If a new user is created, this will set an identifier that can be used in API calls wherever a user_id is expected. 
This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. - - roles: Roles to explicitly assign to this User. - See the [RBAC guide](https://stytch.com/docs/guides/rbac/role-assignment) for more information about role assignment. + - roles: Roles to explicitly assign to this Member. + See the [RBAC guide](https://stytch.com/docs/guides/rbac/role-assignment) for more information about role assignment. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { diff --git a/stytch/consumer/api/passwords_email.py b/stytch/consumer/api/passwords_email.py index 39903b1d..270cf6f5 100644 --- a/stytch/consumer/api/passwords_email.py +++ b/stytch/consumer/api/passwords_email.py 
@@ -41,27 +41,23 @@ def reset_start( """Initiates a password reset for the email address provided. This will trigger an email to be sent to the address, containing a magic link that will allow them to set a new password and authenticate. Fields: - - email: The email of the User that requested the password reset. + - email: The email address of the end user. - reset_password_redirect_url: The url that the user clicks from the password reset email to finish the reset password flow. - This should be a url that your app receives and parses before showing your app's reset password page. - After the user submits a new password to your app, it should send an API request to complete the password reset process. - If this value is not passed, the default reset password redirect URL that you set in your Dashboard is used. - If you have not set a default reset password redirect URL, an error is returned. + This should be a url that your app receives and parses before showing your app's reset password page. + After the user submits a new password to your app, it should send an API request to complete the password reset process. + If this value is not passed, the default reset password redirect URL that you set in your Dashboard is used. + If you have not set a default reset password redirect URL, an error is returned. - reset_password_expiration_minutes: Set the expiration for the password reset, in minutes. By default, it expires in 30 minutes. - The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins). + The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins). - code_challenge: A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device. - attributes: Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application. 
- - login_redirect_url: The URL that Users are redirected to upon clicking the "Log in without password" button in password reset emails. - - After Users are redirected to the login redirect URL, your application should retrieve the `token` value from the URL parameters and call the [Magic Link Authenticate endpoint](https://stytch.com/docs/api/authenticate-magic-link) to log the User in without requiring a password reset. If this value is not provided, your project's default login redirect URL will be used. If you have not set a default login redirect URL, an error will be returned. + - login_redirect_url: The URL that Users are redirected to upon clicking the Email Magic Link. + After Users are redirected to the login redirect URL, your application should retrieve the `token` value from the URL parameters and call the [Magic Link Authenticate endpoint](https://stytch.com/docs/api/authenticate-magic-link) to log the User in without requiring a password reset. If this value is not provided, your project's default login redirect URL will be used. If you have not set a default login redirect URL, an error will be returned. - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - reset_password_template_id: Use a custom template for password reset emails. By default, it will use your default email template. - The template must be a template using our built-in customizations or a custom HTML email for Passwords - Password reset. 
+ The template must be a template using our built-in customizations or a custom HTML email for Passwords - Password reset. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
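Review bot: In the `reset_start` docstring, `login_redirect_url` is now described as the target of "the Email Magic Link", which is ambiguous here because the summary line of the same docstring also calls the reset link a magic link, and that link is governed by `reset_password_redirect_url`. The docstring sends the two redirects to different follow-up calls (Magic Link Authenticate versus completing the password reset), so an application that confuses them would hand the `token` to the wrong endpoint. The entry should name the link it means, as the removed line did: `- login_redirect_url: The URL that Users are redirected to upon clicking the "Log in without password" button in password reset emails.` The `reset_start_async` hunk has the same entry.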
@@ -104,27 +100,23 @@ async def reset_start_async( """Initiates a password reset for the email address provided. This will trigger an email to be sent to the address, containing a magic link that will allow them to set a new password and authenticate. Fields: - - email: The email of the User that requested the password reset. + - email: The email address of the end user. - reset_password_redirect_url: The url that the user clicks from the password reset email to finish the reset password flow. - This should be a url that your app receives and parses before showing your app's reset password page. - After the user submits a new password to your app, it should send an API request to complete the password reset process. - If this value is not passed, the default reset password redirect URL that you set in your Dashboard is used. - If you have not set a default reset password redirect URL, an error is returned. + This should be a url that your app receives and parses before showing your app's reset password page. + After the user submits a new password to your app, it should send an API request to complete the password reset process. + If this value is not passed, the default reset password redirect URL that you set in your Dashboard is used. + If you have not set a default reset password redirect URL, an error is returned. - reset_password_expiration_minutes: Set the expiration for the password reset, in minutes. By default, it expires in 30 minutes. - The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins). + The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins). - code_challenge: A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device. - attributes: Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application. 
- - login_redirect_url: The URL that Users are redirected to upon clicking the "Log in without password" button in password reset emails. - - After Users are redirected to the login redirect URL, your application should retrieve the `token` value from the URL parameters and call the [Magic Link Authenticate endpoint](https://stytch.com/docs/api/authenticate-magic-link) to log the User in without requiring a password reset. If this value is not provided, your project's default login redirect URL will be used. If you have not set a default login redirect URL, an error will be returned. + - login_redirect_url: The URL that Users are redirected to upon clicking the Email Magic Link. + After Users are redirected to the login redirect URL, your application should retrieve the `token` value from the URL parameters and call the [Magic Link Authenticate endpoint](https://stytch.com/docs/api/authenticate-magic-link) to log the User in without requiring a password reset. If this value is not provided, your project's default login redirect URL will be used. If you have not set a default login redirect URL, an error will be returned. - locale: Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`. - Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English. - Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")! - - reset_password_template_id: Use a custom template for password reset emails. By default, it will use your default email template. - The template must be a template using our built-in customizations or a custom HTML email for Passwords - Password reset. 
+ The template must be a template using our built-in customizations or a custom HTML email for Passwords - Password reset. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -173,27 +165,14 @@ def reset( Note that a successful password reset by email will revoke all active sessions for the `user_id`. Fields: - - token: The Passwords `token` from the `?token=` query parameter in the URL. - - In the redirect URL, the `stytch_token_type` will be `login` or `reset_password`. - - See examples and read more about redirect URLs [here](https://stytch.com/docs/workspace-management/redirect-urls). + - token: The Passwords `token` from the `?token=` query parameter in the URL. In the redirect URL, the `stytch_token_type` will be `reset_password`. - password: The password for the user. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc. - session_token: The `session_token` associated with a User's existing Session. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. - - session_jwt: The `session_jwt` associated with a User's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. 
This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. - code_verifier: A base64url encoded one time secret used to validate that the request starts and ends on the same device. - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. - - Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - attributes: Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application. - options: Specify optional security settings. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature. 
@@ -246,27 +225,14 @@ async def reset_async( Note that a successful password reset by email will revoke all active sessions for the `user_id`. Fields: - - token: The Passwords `token` from the `?token=` query parameter in the URL. - - In the redirect URL, the `stytch_token_type` will be `login` or `reset_password`. - - See examples and read more about redirect URLs [here](https://stytch.com/docs/workspace-management/redirect-urls). + - token: The Passwords `token` from the `?token=` query parameter in the URL. In the redirect URL, the `stytch_token_type` will be `reset_password`. - password: The password for the user. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc. - session_token: The `session_token` associated with a User's existing Session. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. - - session_jwt: The `session_jwt` associated with a User's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. 
This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. - code_verifier: A base64url encoded one time secret used to validate that the request starts and ends on the same device. - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. - - Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - attributes: Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application. - options: Specify optional security settings. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature. diff --git a/stytch/consumer/api/passwords_existing_password.py b/stytch/consumer/api/passwords_existing_password.py index f95641c4..7b688305 100644 --- a/stytch/consumer/api/passwords_existing_password.py +++ b/stytch/consumer/api/passwords_existing_password.py 
@@ -41,19 +41,10 @@ def reset( - existing_password: The user's existing password. - new_password: The new password for the user. - session_token: The `session_token` associated with a User's existing Session. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. - - session_jwt: The `session_jwt` associated with a User's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. 
Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. - - Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} 
@@ -97,19 +88,10 @@ async def reset_async( - existing_password: The user's existing password. - new_password: The new password for the user. - session_token: The `session_token` associated with a User's existing Session. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. - - session_jwt: The `session_jwt` associated with a User's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. 
Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. - - Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} diff --git a/stytch/consumer/api/passwords_session.py b/stytch/consumer/api/passwords_session.py index fc5d7a35..52c75937 100644 --- a/stytch/consumer/api/passwords_session.py +++ b/stytch/consumer/api/passwords_session.py 
@@ -37,19 +37,10 @@ def reset( Fields: - password: The password for the user. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc. - session_token: The `session_token` associated with a User's existing Session. - - session_jwt: The `session_jwt` associated with a User's existing Session. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. - session_custom_claims: Add a custom claims map to the Session being authenticated. 
Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. - - Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} 
@@ -87,19 +78,10 @@ async def reset_async( Fields: - password: The password for the user. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc. - session_token: The `session_token` associated with a User's existing Session. - - session_jwt: The `session_jwt` associated with a User's existing Session. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. - session_custom_claims: Add a custom claims map to the Session being authenticated. 
Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. - - Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} diff --git a/stytch/consumer/api/project.py b/stytch/consumer/api/project.py index df1389db..9c977c20 100644 --- a/stytch/consumer/api/project.py +++ b/stytch/consumer/api/project.py @@ -24,6 +24,10 @@ def __init__( def metrics( self, ) -> MetricsResponse: + """Retrieve metrics related to the Project. + + Fields: + """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = {} @@ -34,6 +38,10 @@ def metrics( async def metrics_async( self, ) -> MetricsResponse: + """Retrieve metrics related to the Project. + + Fields: + """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = {} diff --git a/stytch/consumer/api/sessions.py b/stytch/consumer/api/sessions.py index 6a791595..92fdd663 100644 --- a/stytch/consumer/api/sessions.py +++ b/stytch/consumer/api/sessions.py 
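Review bot: The docstring added to `metrics` in stytch/consumer/api/project.py ends with a `Fields:` heading that has nothing under it, and the `metrics_async` hunk right after it does the same. The method takes no arguments besides `self`, so the heading only leaves a dangling section in rendered help. I would drop it and keep the one-line summary, `"""Retrieve metrics related to the Project."""  # noqa`. If these docstrings come from a template, the template should skip the heading when the field list is empty.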
@@ -52,7 +52,7 @@ def get( """List all active Sessions for a given `user_id`. All timestamps are formatted according to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`. Fields: - - user_id: The `user_id` to get active Sessions for. You may use an `external_id` here if one is set for the user. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { @@ -70,7 +70,7 @@ async def get_async( """List all active Sessions for a given `user_id`. All timestamps are formatted according to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`. Fields: - - user_id: The `user_id` to get active Sessions for. You may use an `external_id` here if one is set for the user. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -94,17 +94,15 @@ def authenticate( You may provide a JWT that needs to be refreshed and is expired according to its `exp` claim. A new JWT will be returned if both the signature and the underlying Session are still valid. See our [How to use Stytch Session JWTs](https://stytch.com/docs/guides/sessions/using-jwts) guide for more information. Fields: - - session_token: The session token to authenticate. - - session_duration_minutes: Set the session lifetime to be this many minutes from now; minimum of 5 and a maximum of 527040 minutes (366 days). Note that a successful authentication will continue to extend the session this many minutes. - - session_jwt: The JWT to authenticate. You may provide a JWT that has expired according to its `exp` claim and needs to be refreshed. If the signature is valid and the underlying session is still active then Stytch will return a new JWT. + - session_token: The `session_token` associated with a User's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. 
Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. - - Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - authorization_check: If an `authorization_check` object is passed in, this endpoint will also check if the User is - authorized to perform the given action on the given Resource. A User is authorized if they are assigned a Role with adequate permissions. - - If the User is not authorized to perform the specified action on the specified Resource, a 403 error will be thrown. - Otherwise, the response will contain a list of Roles that satisfied the authorization check. + authorized to perform the given action on the given Resource. A User is authorized if they are assigned a Role with adequate permissions. + If the User is not authorized to perform the specified action on the specified Resource, a 403 error will be thrown. + Otherwise, the response will contain a list of Roles that satisfied the authorization check. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = {} 
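Review bot: The new `session_duration_minutes` text in `authenticate` is the generic wording used by the login-style endpoints, and two of its sentences do not fit this method: "This will start a new session if one doesn't already exist" and "If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created". The summary above the field list describes validating a token or JWT against an underlying Session that already exists, so a reader could take an omitted value to mean no session remains active, when presumably it only means the expiry is not extended. I would keep the removed line, `- session_duration_minutes: Set the session lifetime to be this many minutes from now; minimum of 5 and a maximum of 527040 minutes (366 days).`, and add that omitting it leaves the current expiry as is, once that is confirmed against the API. The same wording appears in the `authenticate_async` hunk that follows; the docstring itself starts above both hunks.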
@@ -140,17 +138,15 @@ async def authenticate_async( You may provide a JWT that needs to be refreshed and is expired according to its `exp` claim. A new JWT will be returned if both the signature and the underlying Session are still valid. See our [How to use Stytch Session JWTs](https://stytch.com/docs/guides/sessions/using-jwts) guide for more information. Fields: - - session_token: The session token to authenticate. - - session_duration_minutes: Set the session lifetime to be this many minutes from now; minimum of 5 and a maximum of 527040 minutes (366 days). Note that a successful authentication will continue to extend the session this many minutes. - - session_jwt: The JWT to authenticate. You may provide a JWT that has expired according to its `exp` claim and needs to be refreshed. If the signature is valid and the underlying session is still active then Stytch will return a new JWT. + - session_token: The `session_token` associated with a User's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. 
Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. - - Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - authorization_check: If an `authorization_check` object is passed in, this endpoint will also check if the User is - authorized to perform the given action on the given Resource. A User is authorized if they are assigned a Role with adequate permissions. - - If the User is not authorized to perform the specified action on the specified Resource, a 403 error will be thrown. - Otherwise, the response will contain a list of Roles that satisfied the authorization check. + authorized to perform the given action on the given Resource. A User is authorized if they are assigned a Role with adequate permissions. + If the User is not authorized to perform the specified action on the specified Resource, a 403 error will be thrown. + Otherwise, the response will contain a list of Roles that satisfied the authorization check. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = {} 
@@ -182,9 +178,9 @@ def revoke( """Revoke a Session, immediately invalidating all of its session tokens. You can revoke a session in three ways: using its ID, or using one of its session tokens, or one of its JWTs. This endpoint requires exactly one of those to be included in the request. It will return an error if multiple are present. Fields: - - session_id: The `session_id` to revoke. - - session_token: The session token to revoke. - - session_jwt: A JWT for the session to revoke. + - session_id: Globally unique UUID that identifies a specific Session in the Stytch API. + - session_token: The `session_token` associated with a User's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = {} @@ -208,9 +204,9 @@ async def revoke_async( """Revoke a Session, immediately invalidating all of its session tokens. You can revoke a session in three ways: using its ID, or using one of its session tokens, or one of its JWTs. This endpoint requires exactly one of those to be included in the request. It will return an error if multiple are present. Fields: - - session_id: The `session_id` to revoke. - - session_token: The session token to revoke. - - session_jwt: A JWT for the session to revoke. + - session_id: Globally unique UUID that identifies a specific Session in the Stytch API. + - session_token: The `session_token` associated with a User's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = {} 
@@ -235,19 +231,10 @@ def migrate( """Migrate a session from an external OIDC compliant endpoint. Stytch will call the external UserInfo endpoint defined in your Stytch Project settings in the [Dashboard](https://stytch.com/dashboard), and then perform a lookup using the `session_token`. If the response contains a valid email address, Stytch will attempt to match that email address with an existing User and create a Stytch Session. You will need to create the user before using this endpoint. Fields: - - session_token: The authorization token Stytch will pass in to the external userinfo endpoint. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_token: The `session_token` associated with a User's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). 
If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. - - Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} 
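Review bot: In `migrate`, the new `session_token` line, "The `session_token` associated with a User's existing Session", does not match the summary just above it, which says Stytch calls the external UserInfo endpoint and performs the lookup with this value. The removed wording described that correctly: the argument is a credential issued by the external provider and is forwarded to that endpoint, not a Stytch session token, and callers should know that when they decide how to handle and log it. I would restore `- session_token: The authorization token Stytch will pass in to the external userinfo endpoint.` here and in the `migrate_async` hunk that follows.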
@@ -275,19 +262,10 @@ async def migrate_async( """Migrate a session from an external OIDC compliant endpoint. Stytch will call the external UserInfo endpoint defined in your Stytch Project settings in the [Dashboard](https://stytch.com/dashboard), and then perform a lookup using the `session_token`. If the response contains a valid email address, Stytch will attempt to match that email address with an existing User and create a Stytch Session. You will need to create the user before using this endpoint. Fields: - - session_token: The authorization token Stytch will pass in to the external userinfo endpoint. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_token: The `session_token` associated with a User's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). 
If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. - - Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} 
@@ -321,18 +299,9 @@ def exchange_access_token( Fields: - access_token: The access token to exchange for a Stytch Session. Must be granted the `full_access` scope. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. 
- - Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} 
@@ -366,18 +335,9 @@ async def exchange_access_token_async( Fields: - access_token: The access token to exchange for a Stytch Session. Must be granted the `full_access` scope. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. 
- - Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} 
@@ -466,20 +426,11 @@ def attest( Fields: - profile_id: The ID of the trusted auth token profile to use for attestation. - token: The trusted auth token to authenticate. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. 
- - Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - - session_token: The `session_token` for the session that you wish to add the trusted auth token authentication factor to. - - session_jwt: The `session_jwt` for the session that you wish to add the trusted auth token authentication factor to. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + - session_token: The `session_token` associated with a User's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} 
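Review bot: In `attest`, the `session_token` and `session_jwt` entries no longer say what supplying them does. The removed text said they identify the session that the trusted auth token authentication factor is added to, while the new text only says they belong to a User's existing Session. Presumably this determines whether the call adds a factor to an existing session or starts a separate one, so I would restore the removed phrase "for the session that you wish to add the trusted auth token authentication factor to" on both entries. The `attest_async` hunk that follows makes the same replacement; the function bodies are outside both hunks.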
@@ -517,20 +468,11 @@ async def attest_async( Fields: - profile_id: The ID of the trusted auth token profile to use for attestation. - token: The trusted auth token to authenticate. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. 
- - Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - - session_token: The `session_token` for the session that you wish to add the trusted auth token authentication factor to. - - session_jwt: The `session_jwt` for the session that you wish to add the trusted auth token authentication factor to. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + - session_token: The `session_token` associated with a User's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} diff --git a/stytch/consumer/api/totps.py b/stytch/consumer/api/totps.py index d58abe7e..da5e4434 100644 --- a/stytch/consumer/api/totps.py +++ b/stytch/consumer/api/totps.py 
@@ -34,7 +34,7 @@ def create( """Create a new TOTP instance for a user. The user can use the authenticator application of their choice to scan the QR code or enter the secret. Fields: - - user_id: The `user_id` of an active user the TOTP registration should be tied to. You may use an `external_id` here if one is set for the user. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - expiration_minutes: The expiration for the TOTP instance. If the newly created TOTP is not authenticated within this time frame the TOTP will be unusable. Defaults to 1440 (1 day) with a minimum of 5 and a maximum of 1440. """ # noqa headers: Dict[str, str] = {} @@ -56,7 +56,7 @@ async def create_async( """Create a new TOTP instance for a user. The user can use the authenticator application of their choice to scan the QR code or enter the secret. Fields: - - user_id: The `user_id` of an active user the TOTP registration should be tied to. You may use an `external_id` here if one is set for the user. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - expiration_minutes: The expiration for the TOTP instance. If the newly created TOTP is not authenticated within this time frame the TOTP will be unusable. Defaults to 1440 (1 day) with a minimum of 5 and a maximum of 1440. """ # noqa headers: Dict[str, str] = {} 
@@ -83,22 +83,13 @@ def authenticate( """Authenticate a TOTP code entered by a user. Fields: - - user_id: The `user_id` of an active user the TOTP registration should be tied to. You may use an `external_id` here if one is set for the user. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - totp_code: The TOTP code to authenticate. The TOTP code should consist of 6 digits. - session_token: The `session_token` associated with a User's existing Session. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. - - session_jwt: The `session_jwt` associated with a User's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. 
If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. - - Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} 
@@ -134,22 +125,13 @@ async def authenticate_async( """Authenticate a TOTP code entered by a user. Fields: - - user_id: The `user_id` of an active user the TOTP registration should be tied to. You may use an `external_id` here if one is set for the user. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - totp_code: The TOTP code to authenticate. The TOTP code should consist of 6 digits. - session_token: The `session_token` associated with a User's existing Session. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. - - session_jwt: The `session_jwt` associated with a User's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. 
If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. - - Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} @@ -179,7 +161,7 @@ def recovery_codes( """Retrieve the recovery codes for a TOTP instance tied to a User. Fields: - - user_id: The `user_id` of an active user the TOTP registration should be tied to. You may use an `external_id` here if one is set for the user. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -197,7 +179,7 @@ async def recovery_codes_async( """Retrieve the recovery codes for a TOTP instance tied to a User. Fields: - - user_id: The `user_id` of an active user the TOTP registration should be tied to. You may use an `external_id` here if one is set for the user. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -221,22 +203,13 @@ def recover( """Authenticate a recovery code for a TOTP instance. Fields: - - user_id: The `user_id` of an active user the TOTP registration should be tied to. You may use an `external_id` here if one is set for the user. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - recovery_code: The recovery code to authenticate. - session_token: The `session_token` associated with a User's existing Session. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. - - session_jwt: The `session_jwt` associated with a User's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. 
If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. - - Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} 
@@ -272,22 +245,13 @@ async def recover_async( """Authenticate a recovery code for a TOTP instance. Fields: - - user_id: The `user_id` of an active user the TOTP registration should be tied to. You may use an `external_id` here if one is set for the user. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - recovery_code: The recovery code to authenticate. - session_token: The `session_token` associated with a User's existing Session. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. - - session_jwt: The `session_jwt` associated with a User's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. 
If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. - - Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} diff --git a/stytch/consumer/api/users.py b/stytch/consumer/api/users.py index 549ea533..d1727d5f 100644 --- a/stytch/consumer/api/users.py +++ b/stytch/consumer/api/users.py 
@@ -57,19 +57,18 @@ def create( Fields: - email: The email address of the end user. - - name: The name of the user. Each field in the name object is optional. - - attributes: (no documentation yet) - - phone_number: The phone number to use for one-time passcodes. The phone number should be in E.164 format (i.e. +1XXXXXXXXXX). You may use +10000000000 to test this endpoint, see [Testing](https://stytch.com/docs/home#resources_testing) for more detail. + - name: The name of the User. + - attributes: Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application. + - phone_number: The phone number in E.164 format (i.e. +1XXXXXXXXXX). - create_user_as_pending: Flag for whether or not to save a user as pending vs active in Stytch. Defaults to false. - If true, users will be saved with status pending in Stytch's backend until authenticated. - If false, users will be created as active. An example usage of - a true flag would be to require users to verify their phone by entering the OTP code before creating - an account for them. - - trusted_metadata: The `trusted_metadata` field contains an arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. - - untrusted_metadata: The `untrusted_metadata` field contains an arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. + If true, users will be saved with status pending in Stytch's backend until authenticated. + If false, users will be created as active. An example usage of + a true flag would be to require users to verify their phone by entering the OTP code before creating + an account for them. 
+ - trusted_metadata: An arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. + - untrusted_metadata: An arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. - external_id: An identifier that can be used in API calls wherever a user_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. - - roles: Roles to explicitly assign to this User. - See the [RBAC guide](https://stytch.com/docs/guides/rbac/role-assignment) for more information about role assignment. + - roles: An array of [Role objects](https://stytch.com/docs/api/rbac-role-object). """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = {} 
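Review bot: The new `roles` entry in `create` ("An array of [Role objects]") reads like a response-field description and no longer says that the values passed here are assigned to the User, which is the authorization-relevant fact a caller needs. The signature is outside the hunk, so the parameter type cannot be confirmed from here; if it takes role identifiers rather than full objects, the new text is also misleading. I would keep the removed wording and its link: `- roles: Roles to explicitly assign to this User. See the [RBAC guide](https://stytch.com/docs/guides/rbac/role-assignment) for more information about role assignment.` The same replacement appears in the `create_async`, `update` and `update_async` hunks.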
@@ -114,19 +113,18 @@ async def create_async( Fields: - email: The email address of the end user. - - name: The name of the user. Each field in the name object is optional. - - attributes: (no documentation yet) - - phone_number: The phone number to use for one-time passcodes. The phone number should be in E.164 format (i.e. +1XXXXXXXXXX). You may use +10000000000 to test this endpoint, see [Testing](https://stytch.com/docs/home#resources_testing) for more detail. + - name: The name of the User. + - attributes: Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application. + - phone_number: The phone number in E.164 format (i.e. +1XXXXXXXXXX). - create_user_as_pending: Flag for whether or not to save a user as pending vs active in Stytch. Defaults to false. - If true, users will be saved with status pending in Stytch's backend until authenticated. - If false, users will be created as active. An example usage of - a true flag would be to require users to verify their phone by entering the OTP code before creating - an account for them. - - trusted_metadata: The `trusted_metadata` field contains an arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. - - untrusted_metadata: The `untrusted_metadata` field contains an arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. + If true, users will be saved with status pending in Stytch's backend until authenticated. + If false, users will be created as active. An example usage of + a true flag would be to require users to verify their phone by entering the OTP code before creating + an account for them. 
+ - trusted_metadata: An arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. + - untrusted_metadata: An arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. - external_id: An identifier that can be used in API calls wherever a user_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. - - roles: Roles to explicitly assign to this User. - See the [RBAC guide](https://stytch.com/docs/guides/rbac/role-assignment) for more information about role assignment. + - roles: An array of [Role objects](https://stytch.com/docs/api/rbac-role-object). """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = {} @@ -162,7 +160,7 @@ def get( """Get information about a specific User. Fields: - - user_id: The unique ID of a specific User. You may use an `external_id` here if one is set for the user. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { @@ -180,7 +178,7 @@ async def get_async( """Get information about a specific User. Fields: - - user_id: The unique ID of a specific User. You may use an `external_id` here if one is set for the user. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -198,7 +196,7 @@ def search( query: Optional[Union[SearchUsersQuery, Dict[str, Any]]] = None, ) -> SearchResponse: """ - **Warning**: This endpoint is not recommended for use in login flows. Scaling issues may occur, as search performance may vary from ~150 milliseconds to 9 seconds depending on query complexity and rate limits are set to 150 requests/minute. + **Warning**: This endpoint is not recommended for use in login flows. Scaling issues may occur, as search performance may vary depending on query complexity and the endpoint has restrictive rate limits. Search for Users within your Stytch Project. 
@@ -211,8 +209,8 @@ def search( [This Github repository](https://github.com/stytchauth/stytch-node-export-users) contains a utility that leverages the Search Users endpoint to export all of your User data to a CSV or JSON file. Fields: - - cursor: The `cursor` field allows you to paginate through your results. Each result array is limited to 1000 results. If your query returns more than 1000 results, you will need to paginate the responses using the `cursor`. If you receive a response that includes a non-null `next_cursor` in the `results_metadata` object, repeat the search call with the `next_cursor` value set to the `cursor` field to retrieve the next page of results. Continue to make search calls until the `next_cursor` in the response is null. - - limit: The number of search results to return per page. The default limit is 100. A maximum of 1000 results can be returned by a single search request. If the total size of your result set is greater than one page size, you must paginate the response. See the `cursor` field. + - cursor: The `cursor` field allows you to paginate through your results. If your query returns more than the size of the page, you will need to paginate the responses using the `cursor`. If you receive a response that includes a non-null `next_cursor` in the `results_metadata` object, repeat the search call with the `next_cursor` value set to the `cursor` field to retrieve the next page of results. Continue to make search calls until the `next_cursor` in the response is null. + - limit: The number of search results to return per page. If the total size of your result set is greater than one page size, you must paginate the response. See the `cursor` field. - query: The optional query object contains the operator, i.e. `AND` or `OR`, and the operands that will filter your results. Only an operator is required. If you include no operands, no filtering will be applied. 
If you include no query object, it will return all results with no filtering applied. """ # noqa headers: Dict[str, str] = {} @@ -235,7 +233,7 @@ async def search_async( query: Optional[SearchUsersQuery] = None, ) -> SearchResponse: """ - **Warning**: This endpoint is not recommended for use in login flows. Scaling issues may occur, as search performance may vary from ~150 milliseconds to 9 seconds depending on query complexity and rate limits are set to 150 requests/minute. + **Warning**: This endpoint is not recommended for use in login flows. Scaling issues may occur, as search performance may vary depending on query complexity and the endpoint has restrictive rate limits. Search for Users within your Stytch Project. 
@@ -248,8 +246,8 @@ async def search_async( [This Github repository](https://github.com/stytchauth/stytch-node-export-users) contains a utility that leverages the Search Users endpoint to export all of your User data to a CSV or JSON file. Fields: - - cursor: The `cursor` field allows you to paginate through your results. Each result array is limited to 1000 results. If your query returns more than 1000 results, you will need to paginate the responses using the `cursor`. If you receive a response that includes a non-null `next_cursor` in the `results_metadata` object, repeat the search call with the `next_cursor` value set to the `cursor` field to retrieve the next page of results. Continue to make search calls until the `next_cursor` in the response is null. - - limit: The number of search results to return per page. The default limit is 100. A maximum of 1000 results can be returned by a single search request. If the total size of your result set is greater than one page size, you must paginate the response. See the `cursor` field. + - cursor: The `cursor` field allows you to paginate through your results. If your query returns more than the size of the page, you will need to paginate the responses using the `cursor`. If you receive a response that includes a non-null `next_cursor` in the `results_metadata` object, repeat the search call with the `next_cursor` value set to the `cursor` field to retrieve the next page of results. Continue to make search calls until the `next_cursor` in the response is null. + - limit: The number of search results to return per page. If the total size of your result set is greater than one page size, you must paginate the response. See the `cursor` field. - query: The optional query object contains the operator, i.e. `AND` or `OR`, and the operands that will filter your results. Only an operator is required. If you include no operands, no filtering will be applied. 
If you include no query object, it will return all results with no filtering applied. """ # noqa headers: Dict[str, str] = {} 
@@ -280,14 +278,13 @@ def update( **Note:** In order to add a new email address or phone number to an existing User object, pass the new email address or phone number into the respective `/send` endpoint for the authentication method of your choice. If you specify the existing User's `user_id` while calling the `/send` endpoint, the new, unverified email address or phone number will be added to the existing User object. If the user successfully authenticates within 5 minutes of the `/send` request, the new email address or phone number will be marked as verified and remain permanently on the existing Stytch User. Otherwise, it will be removed from the User object, and any subsequent login requests using that phone number will create a new User. We require this process to guard against an account takeover vulnerability. Fields: - - user_id: The unique ID of a specific User. You may use an `external_id` here if one is set for the user. - - name: The name of the user. Each field in the name object is optional. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. + - name: The name of the User. - attributes: Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application. - - trusted_metadata: The `trusted_metadata` field contains an arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. - - untrusted_metadata: The `untrusted_metadata` field contains an arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. + - trusted_metadata: An arbitrary JSON object of application-specific data. 
See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. + - untrusted_metadata: An arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. - external_id: An identifier that can be used in API calls wherever a user_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. - - roles: Roles to explicitly assign to this User. - See the [RBAC guide](https://stytch.com/docs/guides/rbac/role-assignment) for more information about role assignment. + - roles: An array of [Role objects](https://stytch.com/docs/api/rbac-role-object). """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -327,14 +324,13 @@ async def update_async( **Note:** In order to add a new email address or phone number to an existing User object, pass the new email address or phone number into the respective `/send` endpoint for the authentication method of your choice. If you specify the existing User's `user_id` while calling the `/send` endpoint, the new, unverified email address or phone number will be added to the existing User object. If the user successfully authenticates within 5 minutes of the `/send` request, the new email address or phone number will be marked as verified and remain permanently on the existing Stytch User. Otherwise, it will be removed from the User object, and any subsequent login requests using that phone number will create a new User. We require this process to guard against an account takeover vulnerability. Fields: - - user_id: The unique ID of a specific User. You may use an `external_id` here if one is set for the user. - - name: The name of the user. Each field in the name object is optional. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. + - name: The name of the User. - attributes: Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application. - - trusted_metadata: The `trusted_metadata` field contains an arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. - - untrusted_metadata: The `untrusted_metadata` field contains an arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. + - trusted_metadata: An arbitrary JSON object of application-specific data. 
See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. + - untrusted_metadata: An arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. - external_id: An identifier that can be used in API calls wherever a user_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. - - roles: Roles to explicitly assign to this User. - See the [RBAC guide](https://stytch.com/docs/guides/rbac/role-assignment) for more information about role assignment. + - roles: An array of [Role objects](https://stytch.com/docs/api/rbac-role-object). """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { @@ -374,9 +370,9 @@ def exchange_primary_factor( Use this endpoint with caution as it performs an admin level action. Fields: - - user_id: The unique ID of a specific User. You may use an `external_id` here if one is set for the user. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - email_address: The email address to exchange to. - - phone_number: The phone number to exchange to. The phone number should be in E.164 format (i.e. +1XXXXXXXXXX). + - phone_number: The phone number in E.164 format (i.e. +1XXXXXXXXXX). """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
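Review bot: In `exchange_primary_factor` the `phone_number` entry drops "The phone number to exchange to" while `email_address` keeps "The email address to exchange to", so the docstring no longer says that this is the number the factor is exchanged to. The context line above warns that the endpoint performs an admin level action, so the field text should keep that meaning: `- phone_number: The phone number to exchange to, in E.164 format (i.e. +1XXXXXXXXXX).` The `exchange_primary_factor_async` hunk makes the same change. The function body continues outside the hunk.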
@@ -408,9 +404,9 @@ async def exchange_primary_factor_async( Use this endpoint with caution as it performs an admin level action. Fields: - - user_id: The unique ID of a specific User. You may use an `external_id` here if one is set for the user. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - email_address: The email address to exchange to. - - phone_number: The phone number to exchange to. The phone number should be in E.164 format (i.e. +1XXXXXXXXXX). + - phone_number: The phone number in E.164 format (i.e. +1XXXXXXXXXX). """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { @@ -432,7 +428,7 @@ def delete( """Delete a User from Stytch. Fields: - - user_id: The unique ID of a specific User. You may use an `external_id` here if one is set for the user. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { @@ -450,7 +446,7 @@ async def delete_async( """Delete a User from Stytch. Fields: - - user_id: The unique ID of a specific User. You may use an `external_id` here if one is set for the user. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { @@ -468,7 +464,7 @@ def delete_email( """Delete an email from a User. Fields: - - email_id: The `email_id` to be deleted. + - email_id: The unique ID of a specific email address. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { @@ -486,7 +482,7 @@ async def delete_email_async( """Delete an email from a User. Fields: - - email_id: The `email_id` to be deleted. + - email_id: The unique ID of a specific email address. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -504,7 +500,7 @@ def delete_phone_number( """Delete a phone number from a User. Fields: - - phone_id: The `phone_id` to be deleted. + - phone_id: The unique ID for the phone number. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { @@ -522,7 +518,7 @@ async def delete_phone_number_async( """Delete a phone number from a User. Fields: - - phone_id: The `phone_id` to be deleted. + - phone_id: The unique ID for the phone number. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { @@ -540,7 +536,7 @@ def delete_webauthn_registration( """Delete a WebAuthn registration from a User. Fields: - - webauthn_registration_id: The `webauthn_registration_id` to be deleted. + - webauthn_registration_id: Globally unique UUID that identifies a Passkey or WebAuthn registration in the Stytch API. The `webauthn_registration_id` is used when you need to operate on a specific User's WebAuthn registration. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { @@ -562,7 +558,7 @@ async def delete_webauthn_registration_async( """Delete a WebAuthn registration from a User. Fields: - - webauthn_registration_id: The `webauthn_registration_id` to be deleted. + - webauthn_registration_id: Globally unique UUID that identifies a Passkey or WebAuthn registration in the Stytch API. The `webauthn_registration_id` is used when you need to operate on a specific User's WebAuthn registration. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { @@ -628,7 +624,7 @@ def delete_totp( """Delete a TOTP from a User. Fields: - - totp_id: The `totp_id` to be deleted. + - totp_id: The unique identifier for the TOTP (Time-based One-Time Password) registration. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -646,7 +642,7 @@ async def delete_totp_async( """Delete a TOTP from a User. Fields: - - totp_id: The `totp_id` to be deleted. + - totp_id: The unique identifier for the TOTP (Time-based One-Time Password) registration. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { @@ -664,7 +660,7 @@ def delete_crypto_wallet( """Delete a crypto wallet from a User. Fields: - - crypto_wallet_id: The `crypto_wallet_id` to be deleted. + - crypto_wallet_id: The unique identifier for a cryptocurrency wallet registration. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { @@ -682,7 +678,7 @@ async def delete_crypto_wallet_async( """Delete a crypto wallet from a User. Fields: - - crypto_wallet_id: The `crypto_wallet_id` to be deleted. + - crypto_wallet_id: The unique identifier for a cryptocurrency wallet registration. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { @@ -700,7 +696,7 @@ def delete_password( """Delete a password from a User. Fields: - - password_id: The `password_id` to be deleted. + - password_id: The unique identifier for a password associated with a member or user. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { @@ -718,7 +714,7 @@ async def delete_password_async( """Delete a password from a User. Fields: - - password_id: The `password_id` to be deleted. + - password_id: The unique identifier for a password associated with a member or user. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { @@ -736,7 +732,7 @@ def delete_oauth_registration( """Delete an OAuth registration from a User. Fields: - - oauth_user_registration_id: The `oauth_user_registration_id` to be deleted. + - oauth_user_registration_id: The unique identifier for the OAuth provider registration linking the user to their provider account. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -758,7 +754,7 @@ async def delete_oauth_registration_async( """Delete an OAuth registration from a User. Fields: - - oauth_user_registration_id: The `oauth_user_registration_id` to be deleted. + - oauth_user_registration_id: The unique identifier for the OAuth provider registration linking the user to their provider account. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { @@ -781,7 +777,7 @@ def connected_apps( no longer be returned in the response. Fields: - - user_id: The unique ID of a specific User. You may use an `external_id` here if one is set for the user. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { @@ -802,7 +798,7 @@ async def connected_apps_async( no longer be returned in the response. Fields: - - user_id: The unique ID of a specific User. You may use an `external_id` here if one is set for the user. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { @@ -823,7 +819,7 @@ def revoke( Connected App. Fields: - - user_id: The unique ID of a specific User. You may use an `external_id` here if one is set for the user. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - connected_app_id: The ID of the Connected App. """ # noqa headers: Dict[str, str] = {} 
@@ -848,7 +844,7 @@ async def revoke_async( Connected App. Fields: - - user_id: The unique ID of a specific User. You may use an `external_id` here if one is set for the user. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - connected_app_id: The ID of the Connected App. """ # noqa headers: Dict[str, str] = {} diff --git a/stytch/consumer/api/webauthn.py b/stytch/consumer/api/webauthn.py index cdf825bd..eb420709 100644 --- a/stytch/consumer/api/webauthn.py +++ b/stytch/consumer/api/webauthn.py 
@@ -49,16 +49,15 @@ def register_start( If you are not using the [webauthn-json](https://github.com/github/webauthn-json) library, the `public_key_credential_creation_options` will need to be converted to a suitable public key by unmarshalling the JSON, base64 decoding the user ID field, and converting user ID and the challenge fields into an array buffer. Fields: - - user_id: The `user_id` of an active user the Passkey or WebAuthn registration should be tied to. You may use an `external_id` here if one is set for the user. + - user_id: The `user_id` of an active user the Passkey or WebAuthn registration should be tied to. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the user. - domain: The domain for Passkeys or WebAuthn. Defaults to `window.location.hostname`. - user_agent: The user agent of the client. - - authenticator_type: The requested authenticator type of the Passkey or WebAuthn device. The two valid values are platform and cross-platform. If no value passed, we assume both values are allowed. - - return_passkey_credential_options: If true, the `public_key_credential_creation_options` returned will be optimized for Passkeys with `residentKey` set to `"required"` and `userVerification` set to `"preferred"`. - - - override_id: (no documentation yet) - - override_name: (no documentation yet) - - override_display_name: (no documentation yet) - - use_base64_url_encoding: (no documentation yet) + - authenticator_type: The requested authenticator type of the Passkey or WebAuthn device. The two valid values are `platform` and `cross-platform`. If no value passed, we assume both values are allowed. + - return_passkey_credential_options: If true, the `public_key_credential_creation_options` returned will be optimized for Passkeys with `userVerification` set to `"preferred"`. + - override_id: The ID field override for specifying custom identifiers. 
+ - override_name: The name field override for customizing display values. + - override_display_name: The display name override for customizing how names are shown to users. + - use_base64_url_encoding: A boolean flag indicating whether to use base64url encoding instead of standard base64. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
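Review bot: The new `override_id`, `override_name` and `override_display_name` entries in `register_start` do not say which fields they override; presumably these are the user entity's `id`, `name` and `displayName` in `public_key_credential_creation_options`, but that should be confirmed and stated. If `override_id` does set the WebAuthn user handle, the docstring should also tell callers to keep personally identifying data out of it, as the WebAuthn specification asks for user handles. `use_base64_url_encoding` should likewise name the fields whose encoding it changes. Separately, the `return_passkey_credential_options` text drops "`residentKey` set to `"required"`"; if the returned options still require a discoverable credential, that clause should stay. The `register_start_async` hunk carries the same text.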
@@ -107,16 +106,15 @@ async def register_start_async( If you are not using the [webauthn-json](https://github.com/github/webauthn-json) library, the `public_key_credential_creation_options` will need to be converted to a suitable public key by unmarshalling the JSON, base64 decoding the user ID field, and converting user ID and the challenge fields into an array buffer. Fields: - - user_id: The `user_id` of an active user the Passkey or WebAuthn registration should be tied to. You may use an `external_id` here if one is set for the user. + - user_id: The `user_id` of an active user the Passkey or WebAuthn registration should be tied to. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the user. - domain: The domain for Passkeys or WebAuthn. Defaults to `window.location.hostname`. - user_agent: The user agent of the client. - - authenticator_type: The requested authenticator type of the Passkey or WebAuthn device. The two valid values are platform and cross-platform. If no value passed, we assume both values are allowed. - - return_passkey_credential_options: If true, the `public_key_credential_creation_options` returned will be optimized for Passkeys with `residentKey` set to `"required"` and `userVerification` set to `"preferred"`. - - - override_id: (no documentation yet) - - override_name: (no documentation yet) - - override_display_name: (no documentation yet) - - use_base64_url_encoding: (no documentation yet) + - authenticator_type: The requested authenticator type of the Passkey or WebAuthn device. The two valid values are `platform` and `cross-platform`. If no value passed, we assume both values are allowed. + - return_passkey_credential_options: If true, the `public_key_credential_creation_options` returned will be optimized for Passkeys with `userVerification` set to `"preferred"`. + - override_id: The ID field override for specifying custom identifiers. 
+ - override_name: The name field override for customizing display values. + - override_display_name: The display name override for customizing how names are shown to users. + - use_base64_url_encoding: A boolean flag indicating whether to use base64url encoding instead of standard base64. """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -159,22 +157,12 @@ def register( If the [webauthn-json](https://github.com/github/webauthn-json) library's `create()` method was used, the response can be passed directly to the [register endpoint](https://stytch.com/docs/api/webauthn-register). If not, some fields (the client data and the attestation object) from the [navigator.credentials.create()](https://www.w3.org/TR/webauthn-2/#sctn-createCredential) response will need to be converted from array buffers to strings and marshalled into JSON. Fields: - - user_id: The `user_id` of an active user the Passkey or WebAuthn registration should be tied to. You may use an `external_id` here if one is set for the user. + - user_id: The `user_id` of an active user the Passkey or WebAuthn registration should be tied to. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the user. - public_key_credential: The response of the [navigator.credentials.create()](https://www.w3.org/TR/webauthn-2/#sctn-createCredential). - session_token: The `session_token` associated with a User's existing Session. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. - - session_jwt: The `session_jwt` associated with a User's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. 
This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. - - Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} 
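Review bot: The `session_custom_claims` entry loses its closing paragraph in this hunk, so `register` no longer documents that reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") are ignored or that claims are capped at four kilobytes. The `authenticate` and `authenticate_async` hunks further down keep that sentence, and the `register_async` hunk has the same deletion. Unless these limits no longer apply to registration, append the sentence to the entry as `authenticate` does: `Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes.`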
@@ -212,22 +200,12 @@ async def register_async( If the [webauthn-json](https://github.com/github/webauthn-json) library's `create()` method was used, the response can be passed directly to the [register endpoint](https://stytch.com/docs/api/webauthn-register). If not, some fields (the client data and the attestation object) from the [navigator.credentials.create()](https://www.w3.org/TR/webauthn-2/#sctn-createCredential) response will need to be converted from array buffers to strings and marshalled into JSON. Fields: - - user_id: The `user_id` of an active user the Passkey or WebAuthn registration should be tied to. You may use an `external_id` here if one is set for the user. + - user_id: The `user_id` of an active user the Passkey or WebAuthn registration should be tied to. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the user. - public_key_credential: The response of the [navigator.credentials.create()](https://www.w3.org/TR/webauthn-2/#sctn-createCredential). - session_token: The `session_token` associated with a User's existing Session. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. - - session_jwt: The `session_jwt` associated with a User's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. 
This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. - session_custom_claims: Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. - - Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} 
@@ -266,9 +244,8 @@ def authenticate_start( Fields: - domain: The domain for Passkeys or WebAuthn. Defaults to `window.location.hostname`. - - user_id: The `user_id` of an active user the Passkey or WebAuthn registration should be tied to. You may use an `external_id` here if one is set for the user. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - return_passkey_credential_options: If true, the `public_key_credential_creation_options` returned will be optimized for Passkeys with `userVerification` set to `"preferred"`. - """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { @@ -301,9 +278,8 @@ async def authenticate_start_async( Fields: - domain: The domain for Passkeys or WebAuthn. Defaults to `window.location.hostname`. - - user_id: The `user_id` of an active user the Passkey or WebAuthn registration should be tied to. You may use an `external_id` here if one is set for the user. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - return_passkey_credential_options: If true, the `public_key_credential_creation_options` returned will be optimized for Passkeys with `userVerification` set to `"preferred"`. - """ # noqa headers: Dict[str, str] = {} data: Dict[str, Any] = { 
@@ -336,19 +312,10 @@ def authenticate( Fields: - public_key_credential: The response of the [navigator.credentials.create()](https://www.w3.org/TR/webauthn-2/#sctn-createCredential). - session_token: The `session_token` associated with a User's existing Session. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. - - session_jwt: The `session_jwt` associated with a User's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. - session_custom_claims: Add a custom claims map to the Session being authenticated. 
Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. - - Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} 
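Review bot: The `public_key_credential` context line in this `authenticate` docstring still points at `navigator.credentials.create()`, which is the registration call; an authentication ceremony gets its assertion from `navigator.credentials.get()`. Since the commit is already rewording this docstring, the entry could read `- public_key_credential: The response of the navigator.credentials.get().`, with the link retargeted to the matching section of the spec. The `authenticate_async` hunk carries the same line. The docstring begins outside the hunk.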
@@ -386,19 +353,10 @@ async def authenticate_async( Fields: - public_key_credential: The response of the [navigator.credentials.create()](https://www.w3.org/TR/webauthn-2/#sctn-createCredential). - session_token: The `session_token` associated with a User's existing Session. - - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, - returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of - five minutes regardless of the underlying session duration, and will need to be refreshed over time. - - This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). - - If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. - - If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. - - session_jwt: The `session_jwt` associated with a User's existing Session. + - session_duration_minutes: Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. - session_custom_claims: Add a custom claims map to the Session being authenticated. 
Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. - - Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. + Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes. - telemetry_id: If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature. """ # noqa headers: Dict[str, str] = {} @@ -470,7 +428,7 @@ def list_credentials( """List the public key credentials of the WebAuthn Registrations or Passkeys registered to a specific User. Fields: - - user_id: The `user_id` of an active user the Passkey or WebAuthn registration should be tied to. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - domain: The domain for Passkeys or WebAuthn. Defaults to `window.location.hostname`. """ # noqa headers: Dict[str, str] = {} 
@@ -491,7 +449,7 @@ async def list_credentials_async( """List the public key credentials of the WebAuthn Registrations or Passkeys registered to a specific User. Fields: - - user_id: The `user_id` of an active user the Passkey or WebAuthn registration should be tied to. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - domain: The domain for Passkeys or WebAuthn. Defaults to `window.location.hostname`. """ # noqa headers: Dict[str, str] = {} diff --git a/stytch/consumer/models/attribute.py b/stytch/consumer/models/attribute.py index f6320fe9..c2713656 100644 --- a/stytch/consumer/models/attribute.py +++ b/stytch/consumer/models/attribute.py @@ -15,7 +15,7 @@ class Attributes(pydantic.BaseModel): """ Fields: - ip_address: The IP address of the user. - - user_agent: The user agent of the User. + - user_agent: The user agent of the user's browser. """ # noqa ip_address: Optional[str] = None diff --git a/stytch/consumer/models/connected_apps.py b/stytch/consumer/models/connected_apps.py index c3a095a9..370f7e81 100644 --- a/stytch/consumer/models/connected_apps.py +++ b/stytch/consumer/models/connected_apps.py 
@@ -14,22 +14,22 @@ class ConnectedApp(pydantic.BaseModel): """ Fields: - - client_id: The ID of the Connected App client. + - client_id: The ID of the client. - client_name: A human-readable name for the client. - client_description: A human-readable description for the client. - - status: (no documentation yet) - - full_access_allowed: Valid for first party clients only. If `true`, an authorization token granted to this Client can be exchanged for a full Stytch session. + - status: The status of the entity. + - full_access_allowed: Valid for first party clients only. If `true`, an authorization token granted to this client can be exchanged for a full Stytch Session. - client_type: The type of Connected App. Supported values are `first_party`, `first_party_public`, `third_party`, and `third_party_public`. - redirect_urls: Array of redirect URI values for use in OAuth Authorization flows. - - access_token_expiry_minutes: (no documentation yet) - - access_token_template_content: (no documentation yet) - - post_logout_redirect_urls: Array of redirect URI values for use in OIDC Logout flows. - - bypass_consent_for_offline_access: Valid for first party clients only. If true, the client does not need to request explicit user consent for the `offline_access` scope. - - client_secret_last_four: The last four characters of the client secret. - - next_client_secret_last_four: The last four characters of the `next_client_secret`. Null if no `next_client_secret` exists. - - access_token_custom_audience: (no documentation yet) - - logo_url: The logo URL of the Connected App, if any. - - client_id_metadata_url: (no documentation yet) + - access_token_expiry_minutes: The number of minutes until the access token expires. + - access_token_template_content: A template string defining the structure and custom claims to include in generated access tokens. + - post_logout_redirect_urls: A list of allowed URLs to which users can be redirected after logging out. 
+ - bypass_consent_for_offline_access: A boolean flag indicating whether to skip the consent screen when requesting offline_access scope for refresh tokens. + - client_secret_last_four: The last four characters of the current client secret, used for identification without exposing the full secret. + - next_client_secret_last_four: The last four characters of the next client secret, used during secret rotation. + - access_token_custom_audience: A custom audience (aud) claim value to include in the generated access token JWT. + - logo_url: The URL of the logo image for the organization, SSO connection, or connected application. + - client_id_metadata_url: The URL of the OAuth client metadata endpoint for dynamic client configuration. """ # noqa client_id: str @@ -51,6 +51,15 @@ class ConnectedApp(pydantic.BaseModel): class ConnectedAppPublic(pydantic.BaseModel): + """ + Fields: + - client_id: The ID of the client. + - client_name: A human-readable name for the client. + - client_description: A human-readable description for the client. + - client_type: The type of Connected App. Supported values are `first_party`, `first_party_public`, `third_party`, and `third_party_public`. + - logo_url: The URL of the logo image for the organization, SSO connection, or connected application. + """ # noqa + client_id: str client_name: str client_description: str 
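Review bot: The rewritten `bypass_consent_for_offline_access` entry drops "Valid for first party clients only", which is the constraint a reader needs in order to judge when the consent screen may be skipped. `next_client_secret_last_four` likewise loses "Null if no `next_client_secret` exists", and `status` and `logo_url` now read as generic text not specific to a Connected App. The same lines recur in the `ConnectedAppWithClientSecret` and `ConnectedAppWithNextClientSecret` hunks. Suggested wording for the first: `- bypass_consent_for_offline_access: Valid for first party clients only. If true, the client does not need explicit user consent for the offline_access scope.`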
@@ -61,23 +70,23 @@ class ConnectedAppPublic(pydantic.BaseModel): class ConnectedAppWithClientSecret(pydantic.BaseModel): """ Fields: - - client_id: The ID of the Connected App client. + - client_id: The ID of the client. - client_name: A human-readable name for the client. - client_description: A human-readable description for the client. - - status: (no documentation yet) - - full_access_allowed: Valid for first party clients only. If `true`, an authorization token granted to this Client can be exchanged for a full Stytch session. + - status: The status of the entity. + - full_access_allowed: Valid for first party clients only. If `true`, an authorization token granted to this client can be exchanged for a full Stytch Session. - client_type: The type of Connected App. Supported values are `first_party`, `first_party_public`, `third_party`, and `third_party_public`. - redirect_urls: Array of redirect URI values for use in OAuth Authorization flows. - - access_token_expiry_minutes: (no documentation yet) - - access_token_template_content: (no documentation yet) - - post_logout_redirect_urls: Array of redirect URI values for use in OIDC Logout flows. - - bypass_consent_for_offline_access: Valid for first party clients only. If true, the client does not need to request explicit user consent for the `offline_access` scope. - - client_secret_last_four: The last four characters of the client secret. - - next_client_secret_last_four: The last four characters of the `next_client_secret`. Null if no `next_client_secret` exists. - - client_secret: The secret of the Connected App client. **Required for confidential clients** - - access_token_custom_audience: (no documentation yet) - - logo_url: The logo URL of the Connected App, if any. - - client_id_metadata_url: (no documentation yet) + - access_token_expiry_minutes: The number of minutes until the access token expires. 
+ - access_token_template_content: A template string defining the structure and custom claims to include in generated access tokens. + - post_logout_redirect_urls: A list of allowed URLs to which users can be redirected after logging out. + - bypass_consent_for_offline_access: A boolean flag indicating whether to skip the consent screen when requesting offline_access scope for refresh tokens. + - client_secret_last_four: The last four characters of the current client secret, used for identification without exposing the full secret. + - next_client_secret_last_four: The last four characters of the next client secret, used during secret rotation. + - client_secret: The secret belonging to the OAuth2.0 client used to authenticate login attempts. This will be provided by the IdP. + - access_token_custom_audience: A custom audience (aud) claim value to include in the generated access token JWT. + - logo_url: The URL of the logo image for the organization, SSO connection, or connected application. + - client_id_metadata_url: The URL of the OAuth client metadata endpoint for dynamic client configuration. """ # noqa client_id: str 
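Review bot: The new `client_secret` description ("used to authenticate login attempts. This will be provided by the IdP") reads like text for an external identity provider's OAuth secret, not for the secret of a Connected App client. It also drops "**Required for confidential clients**". If the field holds the Connected App's own secret, as the class name and the removed line suggest, restore the earlier wording: `- client_secret: The secret of the Connected App client. **Required for confidential clients**`. The field list of the class continues outside the hunk.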
@@ -102,23 +111,23 @@ class ConnectedAppWithClientSecret(pydantic.BaseModel): class ConnectedAppWithNextClientSecret(pydantic.BaseModel): """ Fields: - - client_id: The ID of the Connected App client. + - client_id: The ID of the client. - client_name: A human-readable name for the client. - client_description: A human-readable description for the client. - - status: (no documentation yet) - - client_secret_last_four: The last four characters of the client secret. - - full_access_allowed: Valid for first party clients only. If `true`, an authorization token granted to this Client can be exchanged for a full Stytch session. + - status: The status of the entity. + - client_secret_last_four: The last four characters of the current client secret, used for identification without exposing the full secret. + - full_access_allowed: Valid for first party clients only. If `true`, an authorization token granted to this client can be exchanged for a full Stytch Session. - client_type: The type of Connected App. Supported values are `first_party`, `first_party_public`, `third_party`, and `third_party_public`. - redirect_urls: Array of redirect URI values for use in OAuth Authorization flows. - - next_client_secret: (no documentation yet) - - access_token_expiry_minutes: (no documentation yet) - - access_token_template_content: (no documentation yet) - - post_logout_redirect_urls: Array of redirect URI values for use in OIDC Logout flows. - - bypass_consent_for_offline_access: Valid for first party clients only. If true, the client does not need to request explicit user consent for the `offline_access` scope. - - next_client_secret_last_four: The last four characters of the `next_client_secret`. Null if no `next_client_secret` exists. - - access_token_custom_audience: (no documentation yet) - - logo_url: The logo URL of the Connected App, if any. 
- - client_id_metadata_url: (no documentation yet) + - next_client_secret: The next client secret to be used after secret rotation is complete. **Important:** this is the only time you will be able to view the `client_secret`. Be sure to persist its value in a secure location. If the `client_secret` is lost, you will need to trigger a secret rotation flow to receive another one. + - access_token_expiry_minutes: The number of minutes until the access token expires. + - access_token_template_content: A template string defining the structure and custom claims to include in generated access tokens. + - post_logout_redirect_urls: A list of allowed URLs to which users can be redirected after logging out. + - bypass_consent_for_offline_access: A boolean flag indicating whether to skip the consent screen when requesting offline_access scope for refresh tokens. + - next_client_secret_last_four: The last four characters of the next client secret, used during secret rotation. + - access_token_custom_audience: A custom audience (aud) claim value to include in the generated access token JWT. + - logo_url: The URL of the logo image for the organization, SSO connection, or connected application. + - client_id_metadata_url: The URL of the OAuth client metadata endpoint for dynamic client configuration. """ # noqa client_id: str 
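Review bot: The `next_client_secret` entry warns that this is the only time the `client_secret` can be viewed, naming a different field from the one it documents. A reader of `ConnectedAppWithNextClientSecret` needs to know that `next_client_secret` is the value shown once and must be stored securely. Suggested wording: `**Important:** this is the only time you will be able to view the next_client_secret. Be sure to persist its value in a secure location.` The entry also omits when the rotated secret takes effect, which should be confirmed against the rotation endpoints.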
@@ -143,8 +152,8 @@ class ConnectedAppWithNextClientSecret(pydantic.BaseModel): class ResultsMetadata(pydantic.BaseModel): """ Fields: - - total: The total number of results returned by your search query. If totals have been disabled for your Stytch Workspace to improve search performance, the value will always be -1. - - next_cursor: The `next_cursor` string is returned when your search result contains more than one page of results. This value is passed into your next search call in the `cursor` field. + - total: The total count of items or results in a paginated response or collection. + - next_cursor: A cursor value for fetching the next page of paginated results. """ # noqa total: int diff --git a/stytch/consumer/models/connected_apps_clients.py b/stytch/consumer/models/connected_apps_clients.py index 47924c9f..8e585a37 100644 --- a/stytch/consumer/models/connected_apps_clients.py +++ b/stytch/consumer/models/connected_apps_clients.py @@ -27,7 +27,7 @@ class CreateRequestClientType(str, enum.Enum): class CreateResponse(ResponseBase): """Response type for `Clients.create`. Fields: - - connected_app: The Connected App created by this API call. + - connected_app: The Connected App affected by this operation. """ # noqa connected_app: ConnectedAppWithClientSecret @@ -54,8 +54,8 @@ class GetResponse(ResponseBase): class SearchResponse(ResponseBase): """Response type for `Clients.search`. Fields: - - connected_apps: (no documentation yet) - - results_metadata: The search `results_metadata` object contains metadata relevant to your specific query like total and `next_cursor`. + - connected_apps: A list of connected applications that the member or organization has authorized. + - results_metadata: Metadata about paginated search results, including total count and cursor for fetching the next page. """ # noqa connected_apps: List[ConnectedApp] diff --git a/stytch/consumer/models/crypto_wallets.py b/stytch/consumer/models/crypto_wallets.py index 00282991..a7d6bf49 100644 
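Review bot: The new `total` entry in `ResultsMetadata` drops the statement that the value is always -1 when totals are disabled for the workspace, so a caller reading only this docstring may treat -1 as a real count. `next_cursor` also no longer says that the value is passed back in the `cursor` field of the next search call. If the sentinel still exists, keep it in the entry: `- total: The total number of results returned by your search query. If totals have been disabled for your Stytch Workspace, the value will always be -1.`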
--- a/stytch/consumer/models/crypto_wallets.py +++ b/stytch/consumer/models/crypto_wallets.py 
@@ -22,12 +22,12 @@ class SIWEParams(pydantic.BaseModel): Fields: - domain: Only required if `siwe_params` is passed. The domain that is requesting the crypto wallet signature. Must be an RFC 3986 authority. - uri: Only required if `siwe_params` is passed. An RFC 3986 URI referring to the resource that is the subject of the signing. - - resources: A list of information or references to information the user wishes to have resolved as part of authentication. Every resource must be an RFC 3986 URI. + - resources: A list of information or references to information the user wishes to have resolved as part of authentication. Every resource must be an RFC 3986 URI. - chain_id: The EIP-155 Chain ID to which the session is bound. Defaults to 1. Must be the string representation of an integer between 1 and 9,223,372,036,854,775,771, inclusive. - statement: A human-readable ASCII assertion that the user will sign. The statement may only include reserved, unreserved, or space characters according to RFC 3986 definitions, and must not contain other forms of whitespace such as newlines, tabs, and carriage returns. - - issued_at: The time when the message was generated. Defaults to the current time. All timestamps in our API conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`. - - not_before: The time when the signed authentication message will become valid. Defaults to the current time. All timestamps in our API conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`. - - message_request_id: A system-specific identifier that may be used to uniquely refer to the sign-in request. The `message_request_id` must be a valid pchar according to RFC 3986 definitions. + - issued_at: The timestamp when a token or credential was issued. + - not_before: The timestamp before which a token or credential should not be accepted. 
+ - message_request_id: A system-specific identifier that may be used to uniquely refer to the sign-in request. This must be a valid pchar according to RFC 3986 definitions. """ # noqa domain: str @@ -43,9 +43,9 @@ class SIWEParams(pydantic.BaseModel): class AuthenticateStartResponse(ResponseBase): """Response type for `CryptoWallets.authenticate_start`. Fields: - - user_id: The unique ID of the affected User. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - challenge: A challenge string to be signed by the wallet in order to prove ownership. - - user_created: In `login_or_create` endpoints, this field indicates whether or not a User was just created. + - user_created: A boolean indicating whether a new user was created as part of the authentication flow (true) or an existing user was authenticated (false). """ # noqa user_id: str @@ -59,8 +59,8 @@ class SIWEParamsResponse(ResponseBase): - domain: The domain that requested the crypto wallet signature. - uri: An RFC 3986 URI referring to the resource that is the subject of the signing. - chain_id: The EIP-155 Chain ID to which the session is bound. - - resources: A list of information or references to information the user wishes to have resolved as part of authentication. Every resource must be an RFC 3986 URI. - - issued_at: The time when the message was generated. All timestamps in our API conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`. + - resources: A list of RBAC resources that define what entities can be accessed or modified, used in authorization policies. + - issued_at: The timestamp when a token or credential was issued. - message_request_id: A system-specific identifier that may be used to uniquely refer to the sign-in request. """ # noqa 
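Review bot: In the `SIWEParamsResponse` hunk the `resources` entry now describes "RBAC resources ... used in authorization policies", which does not fit a Sign In With Ethereum message. The removed line described a list of RFC 3986 URIs the user wants resolved during authentication, and the `SIWEParams` hunk above still uses that wording for the same field. The removed line should be kept as it was. The `issued_at` and `not_before` entries in both hunks also lose "Defaults to the current time" and the RFC 3339/UTC format note, replaced by generic "token or credential" text. For a signed login message these fields bound the validity window, so the defaults and the timestamp format are worth keeping.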
@@ -75,16 +75,13 @@ class SIWEParamsResponse(ResponseBase): class AuthenticateResponse(ResponseBase): """Response type for `CryptoWallets.authenticate`. Fields: - - user_id: The unique ID of the affected User. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - user: The `user` object affected by this API call. See the [Get user endpoint](https://stytch.com/docs/api/get-user) for complete response field details. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. + - session_token: The `session_token` associated with a User's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. + - user: The `user` object affected by this API call. - session: If you initiate a Session, by including `session_duration_minutes` in your authenticate call, you'll receive a full Session object in the response. - - See [Session object](https://stytch.com/docs/api/session-object) for complete response fields. - - - siwe_params: The parameters of the Sign In With Ethereum (SIWE) message that was signed. - - user_device: If a valid `telemetry_id` was passed in the request and the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) returned results, the `user_device` response field will contain information about the user's device attributes. + - siwe_params: The parameters for a Sign In With Ethereum (SIWE) message. May only be passed if the `crypto_wallet_type` is `ethereum`. + - user_device: If a valid `telemetry_id` was passed in the request and the Fingerprint Lookup API returned results, this field will contain information about the user's device attributes. """ # noqa user_id: str diff --git a/stytch/consumer/models/debug.py b/stytch/consumer/models/debug.py index 1f2c39f0..5d817353 100644 --- a/stytch/consumer/models/debug.py 
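Review bot: `session_token` in this `AuthenticateResponse` is no longer called a secret and is now tied to "a User's existing Session", which reads like the request parameter rather than the credential this response returns. The same replacement is made in the `Impersonation.authenticate` and `MagicLinks.authenticate` response docstrings further down the diff. `siwe_params` has the same input-side wording ("May only be passed if ..."), although here it is an output field. I would keep `- session_token: A secret token for a given Stytch Session.` and `- siwe_params: The parameters of the Sign In With Ethereum (SIWE) message that was signed.`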
+++ b/stytch/consumer/models/debug.py @@ -10,5 +10,11 @@ class WhoamiResponse(ResponseBase): + """Response type for `Debug.whoami`. + Fields: + - project_id: The caller's project ID. + - name: The name of the project that made this API call. + """ # noqa + project_id: str name: str diff --git a/stytch/consumer/models/device_history.py b/stytch/consumer/models/device_history.py index 7a4c3009..0c79dc36 100644 --- a/stytch/consumer/models/device_history.py +++ b/stytch/consumer/models/device_history.py @@ -15,9 +15,9 @@ class DeviceAttributeDetails(pydantic.BaseModel): """ Fields: - - is_new: Whether this `ip_geo_country` has been seen before for this user. - - first_seen_at: When this `ip_geo_country` was first seen for this user. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`. - - last_seen_at: When this `ip_geo_country` was last seen for this user. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`. + - is_new: Whether this device attribute has been seen before for this user. + - first_seen_at: When this device attribute was first seen for this user. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`. + - last_seen_at: When this device attribute was last seen for this user. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`. """ # noqa is_new: bool 
@@ -28,14 +28,14 @@ class DeviceAttributeDetails(pydantic.BaseModel): class DeviceInfo(pydantic.BaseModel): """ Fields: - - visitor_id: The `visitor_id` (a unique identifier) of the user's device. See the [Device Fingerprinting documentation](https://stytch.com/docs/fraud/guides/device-fingerprinting/fingerprints) for more details on the `visitor_id`. - - visitor_id_details: Information about the `visitor_id`. - - ip_address: The IP address of the user's device. - - ip_address_details: Information about the `ip_address`. - - ip_geo_city: The city where the IP address is located. - - ip_geo_region: The region where the IP address is located. - - ip_geo_country: The country code where the IP address is located. - - ip_geo_country_details: Information about the `ip_geo_country`. + - visitor_id: The cookie stored on the user's device that uniquely identifies them. See the Device Fingerprinting documentation for more details on the visitor_id. + - visitor_id_details: Detailed information about the visitor ID used for fraud detection and device tracking. + - ip_address: The IP address from which the request originated. + - ip_address_details: Detailed information about the IP address including geolocation and ISP data. + - ip_geo_city: The city name derived from the IP address. + - ip_geo_region: The geographic region derived from the IP address. + - ip_geo_country: The country code derived from the IP address. + - ip_geo_country_details: Detailed country information derived from the IP address geolocation. """ # noqa visitor_id: str diff --git a/stytch/consumer/models/fraud.py b/stytch/consumer/models/fraud.py index bf10a058..3d6becb9 100644 --- a/stytch/consumer/models/fraud.py +++ b/stytch/consumer/models/fraud.py 
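Review bot: The `*_details` lines in `DeviceInfo` now promise content that the neighbouring `DeviceAttributeDetails` model does not document. `ip_address_details` is said to include "geolocation and ISP data", while `DeviceAttributeDetails` in the previous hunk lists only `is_new`, `first_seen_at` and `last_seen_at`. The field types are outside this hunk, so this is inferred; if the details fields are `DeviceAttributeDetails`, a line such as `- ip_address_details: Whether this IP address is new for this user, and when it was first and last seen.` would match the model. Fraud-review code that expects ISP data in this field will not find it.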
@@ -79,7 +79,7 @@ class Fingerprints(pydantic.BaseModel): - hardware_fingerprint: Combinations of signals to identify an operating system and architecture. - browser_fingerprint: Combination of signals to identify a browser and its specific version. - visitor_fingerprint: Cookie-less way of identifying a unique user. - - visitor_id: The cookie stored on the user's device that uniquely identifies them. + - visitor_id: The cookie stored on the user's device that uniquely identifies them. See the Device Fingerprinting documentation for more details on the visitor_id. - browser_id: Combination of VisitorID and NetworkFingerprint to create a clear identifier of a browser. """ # noqa @@ -120,11 +120,11 @@ class Metadata(pydantic.BaseModel): class NetworkProperties(pydantic.BaseModel): """ Fields: - - ip_address: The IP address of the client. - - asn: Information about the network's ASN (Autonomous System Number). - - ip_geolocation: Information about the geolocation of the user's IP address. - - is_proxy: Whether the user is using a proxy. - - is_vpn: Whether the user is using a VPN. + - ip_address: The IP address from which the request originated. + - asn: The Autonomous System Number of the user's network. + - ip_geolocation: Geographic location data derived from the IP address. + - is_proxy: A boolean indicating whether the request came through a proxy server. + - is_vpn: A boolean indicating whether the request originated from a VPN or proxy network. """ # noqa ip_address: str @@ -137,8 +137,8 @@ class NetworkProperties(pydantic.BaseModel): class Properties(pydantic.BaseModel): """ Fields: - - network_properties: (no documentation yet) - - browser_properties: (no documentation yet) + - network_properties: Network properties including IP address, ASN information, geolocation, and proxy/VPN detection. + - browser_properties: Browser properties including user agent and other browser-specific information. """ # noqa network_properties: NetworkProperties 
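Review bot: In `NetworkProperties`, the new `is_vpn` text says "originated from a VPN or proxy network", which overlaps with `is_proxy` one line above and makes the two flags indistinguishable to a reader. Risk rules often treat VPN and proxy traffic differently, so the docstring should keep them separate: `- is_vpn: A boolean indicating whether the request originated from a VPN.` The `asn` line also changed from "Information about the network's ASN" to "The Autonomous System Number"; the field's type is outside this hunk, so confirm it is a bare number before keeping that wording.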
@@ -148,21 +148,21 @@ class Properties(pydantic.BaseModel): class Rule(pydantic.BaseModel): """ Fields: - - rule_type: The rule type. The possible values are `VISITOR_ID`, `BROWSER_ID`, `VISITOR_FINGERPRINT`, `BROWSER_FINGERPRINT`, `HARDWARE_FINGERPRINT`, `NETWORK_FINGERPRINT`, `CIDR_BLOCK`, `ASN`, or `COUNTRY_CODE`. - - action: The action (`ALLOW`, `BLOCK`, or `CHALLENGE`) that will be returned for this rule. - - created_at: The time when the rule was created. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`. - - visitor_id: The visitor ID that a rule was set for. - - browser_id: The browser ID that a rule was set for. - - visitor_fingerprint: The visitor fingerprint that a rule was set for. - - browser_fingerprint: The browser fingerprint that a rule was set for. - - hardware_fingerprint: The hardware fingerprint that a rule was set for. - - network_fingerprint: The network fingerprint that a rule was set for. + - rule_type: The rule type. The possible values are `VISITOR_ID`, `BROWSER_ID`, `VISITOR_FINGERPRINT`, `BROWSER_FINGERPRINT`,`HARDWARE_FINGERPRINT`, `NETWORK_FINGERPRINT`, `CIDR_BLOCK`, `ASN`, or `COUNTRY_CODE`. + - action: The action that should be returned by a fingerprint lookup for that identifier with a `RULE_MATCH` reason. The following values are valid: `ALLOW` (This is a known valid device grouping or device profile that is part of the default ALLOW listed set of known devices by Stytch), `BLOCK` (This is a known bad or malicious device profile that is undesirable and should be blocked from completing the privileged action), `CHALLENGE` (This is an unknown or potentially malicious device that should be put through increased friction such as 2FA or other forms of extended user verification before allowing the privileged action), or `NONE`. For country codes, `ALLOW` actions are not allowed. If a `NONE` action is specified, it will clear the stored rule. 
+ - created_at: The timestamp indicating when the resource was created. + - visitor_id: The cookie stored on the user's device that uniquely identifies them. See the Device Fingerprinting documentation for more details on the visitor_id. + - browser_id: Combination of VisitorID and NetworkFingerprint to create a clear identifier of a browser. + - visitor_fingerprint: Cookie-less way of identifying a unique user. + - browser_fingerprint: Combination of signals to identify a browser and its specific version. + - hardware_fingerprint: Combinations of signals to identify an operating system and architecture. + - network_fingerprint: Combination of signals associated with a specific network commonly known as TLS fingerprinting. - cidr_block: The CIDR block that a rule was set for. If an end user's IP address is within this CIDR block, this rule will be applied. - - country_code: The country code that a rule was set for. - - asn: The ASN that a rule was set for. - - description: A description for the rule. - - expires_at: The timestamp when the rule expires. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`. - - last_updated_at: The time when the rule was last updated. Will be null if the rule has never been updated. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`. + - country_code: The country code we want to set a rule for. The country code must be a valid ISO 3166-1 alpha-2 code. You may not set `ALLOW` rules for country codes. Only one identifier can be specified in the request. + - asn: The Autonomous System Number of the user's network. + - description: An optional description for the rule. + - expires_at: The timestamp when the rule expires. + - last_updated_at: The timestamp when the resource was last updated. """ # noqa rule_type: RuleType 
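Review bot: The new `action` and `country_code` lines in `Rule` are request-parameter text pasted onto a stored-rule model. Phrases like "The country code we want to set a rule for", "Only one identifier can be specified in the request" and "If a `NONE` action is specified, it will clear the stored rule" describe the set-rule call, not a rule being read back. The same `action` paragraph is reused for `Verdict.action` in the later hunk, where it replaces the description of the suggested action from a fingerprint review and adds a `NONE` value that the removed text did not list. I would keep the removed lines for both, e.g. ``- action: The action (`ALLOW`, `BLOCK`, or `CHALLENGE`) that will be returned for this rule.`` and `- country_code: The country code that a rule was set for.` The new `rule_type` line also lost the space after the comma before `HARDWARE_FINGERPRINT`.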
@@ -185,10 +185,10 @@ class Rule(pydantic.BaseModel): class VerdictReasonAction(pydantic.BaseModel): """ Fields: - - verdict_reason: The verdict reason. + - verdict_reason: A human-readable explanation of why an authorization decision was made. - default_action: The default action returned for the specified verdict reason in a fingerprint lookup when no overrides are specified. - override_action: If not null, this action will be returned for the specified verdict reason in a fingerprint lookup, in place of the default action. - - override_created_at: The time when the override was created, if one exists. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`. + - override_created_at: The time when the override was created, if one exists. - override_description: A description of the override, if one exists. """ # noqa @@ -202,7 +202,7 @@ class VerdictReasonAction(pydantic.BaseModel): class VerdictReasonOverride(pydantic.BaseModel): """ Fields: - - verdict_reason: The verdict reason that was overridden. + - verdict_reason: A human-readable explanation of why an authorization decision was made. - override_action: The action that was applied for the given verdict reason. """ # noqa 
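Review bot: `verdict_reason` in `VerdictReasonAction` and `VerdictReasonOverride` is now "A human-readable explanation of why an authorization decision was made", but these models belong to device-fingerprint verdicts, not authorization. The same domain mix-up appears later in `ListResponse` for `Rules.list` ("authorization or validation rules") and in `ListResponse` for `VerdictReasons.list` ("authorization verdict reasons"). Calling fraud signals authorization output invites callers to treat an `ALLOW` verdict as an access decision. Suggested wording: `- verdict_reason: The verdict reason.` and `- verdict_reason: The verdict reason that was overridden.`, as before, and `- rules: A list of rules for the project.`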
@@ -213,14 +213,10 @@ class VerdictReasonOverride(pydantic.BaseModel): class Verdict(pydantic.BaseModel): """ Fields: - - action: The suggested action based on the fingerprint review. The available actions are: - * `ALLOW` - This is a known valid device grouping or device profile that is part of the default ALLOW listed set of known devices by Stytch. This grouping is made up of verified device profiles that match the characteristics of known/authentic traffic origins - * `BLOCK` - This is a known bad or malicious device profile that is undesirable and should be blocked from completing the privileged action in question - * `CHALLENGE` - This is an unknown or potentially malicious device that should be put through increased friction such as 2FA or other forms of extended user verification before allowing the privileged action to proceed - - - reasons: A set of contextual clues to inform why a `CHALLENGE` or `BLOCK` action was suggested. For a list of possible Reasons, see [Warning Flags (Verdict Reasons)](https://stytch.com/docs/docs/fraud/guides/device-fingerprinting/reference/warning-flags-verdict-reasons). - - detected_device_type: The operating system and architecture that took the fingerprint. - - is_authentic_device: The assessment of whether this is an authentic device. It will be false if hardware or browser deception is detected. + - action: The action that should be returned by a fingerprint lookup for that identifier with a `RULE_MATCH` reason. 
The following values are valid: `ALLOW` (This is a known valid device grouping or device profile that is part of the default ALLOW listed set of known devices by Stytch), `BLOCK` (This is a known bad or malicious device profile that is undesirable and should be blocked from completing the privileged action), `CHALLENGE` (This is an unknown or potentially malicious device that should be put through increased friction such as 2FA or other forms of extended user verification before allowing the privileged action), or `NONE`. For country codes, `ALLOW` actions are not allowed. If a `NONE` action is specified, it will clear the stored rule. + - reasons: A set of contextual clues to inform why a `CHALLENGE` or `BLOCK` action was suggested. For a list of possible reasons, see [Warning Flags (Verdict Reasons)](https://stytch.com/docs/docs/fraud/guides/device-fingerprinting/reference/warning-flags-verdict-reasons). + - detected_device_type: The operating system and architecture tha took the fingerprint. + - is_authentic_device: A boolean indicating whether the device has been verified as authentic and trustworthy. It will be false if hardware or browser deception is detected. - verdict_reason_overrides: A list of verdict reason overrides that were applied, if any. - rule_match_type: The type of rule match that was applied (e.g. `VISITOR_ID`), if any. This field will only be present if there is a `RULE_MATCH` reason in the list of verdict reasons. - rule_match_identifier: The rule that was applied (e.g. a specific visitor ID value), if any. This field will only be present if there is a `RULE_MATCH` reason in the list of verdict reasons. diff --git a/stytch/consumer/models/fraud_fingerprint.py b/stytch/consumer/models/fraud_fingerprint.py index 527b7877..df3ca247 100644 --- a/stytch/consumer/models/fraud_fingerprint.py +++ b/stytch/consumer/models/fraud_fingerprint.py 
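Review bot: `is_authentic_device` in `Verdict` now claims the device "has been verified as authentic and trustworthy", which is stronger than the removed "assessment of whether this is an authentic device". The retained sentence says it is false when hardware or browser deception is detected, so a true value means only that no deception was detected. I would word it as `- is_authentic_device: The assessment of whether this is an authentic device. It will be false if hardware or browser deception is detected.` The `detected_device_type` line also introduces a typo, "tha took", for "that took".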
@@ -17,11 +17,11 @@ class LookupResponse(ResponseBase): """Response type for `Fingerprint.lookup`. Fields: - telemetry_id: The telemetry ID associated with the fingerprint getting looked up. - - fingerprints: A Stytch fingerprint consists of the following identifiers: - - verdict: The metadata associated with each fingerprint + - fingerprints: Device fingerprints used to uniquely identify and track devices for fraud detection. + - verdict: The metadata associated with each fingerprint. - external_metadata: External identifiers that you wish to associate with the given telemetry ID. You will be able to search for fingerprint results by these identifiers in the DFP analytics dashboard. External metadata fields may not exceed 65 characters. They may only contain alphanumerics and the characters `_` `-` `+` `.` or `@`. - - created_at: The time when the fingerprint was taken. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`. - - expires_at: The timestamp when the fingerprint expires. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`. + - created_at: The time when the fingerprint was taken. + - expires_at: The timestamp when the fingerprint expires. - properties: Additional information about the user's browser and network. - raw_signals: The raw device attributes, such as screen size, that were collected by the Device Fingerprinting product to generate the fingerprints and verdict. You must be specifically enabled for the raw signals feature to see this field. You can find documentation for the specific fields in the [guides](https://stytch.com/docs/fraud/guides/device-fingerprinting/reference/raw-signals). """ # noqa diff --git a/stytch/consumer/models/fraud_rules.py b/stytch/consumer/models/fraud_rules.py index dfd07d63..dba7f42b 100644 --- a/stytch/consumer/models/fraud_rules.py +++ b/stytch/consumer/models/fraud_rules.py 
@@ -16,8 +16,8 @@ class ListResponse(ResponseBase): """Response type for `Rules.list`. Fields: - - next_cursor: The `next_cursor` string is returned when your result contains more than one page of results. This value is passed into your next request in the `cursor` field. - - rules: A list of rules for the project + - next_cursor: A cursor value for fetching the next page of paginated results. + - rules: A list of authorization or validation rules to be evaluated. """ # noqa next_cursor: str @@ -34,7 +34,7 @@ class SetResponse(ResponseBase): - browser_fingerprint: The browser fingerprint that a rule was set for. - hardware_fingerprint: The hardware fingerprint that a rule was set for. - network_fingerprint: The network fingerprint that a rule was set for. - - expires_at: The timestamp when the rule expires. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`. + - expires_at: The timestamp when the rule expires. - cidr_block: The CIDR block that a rule was set for. If an end user's IP address is within this CIDR block, this rule will be applied. - country_code: The country code that a rule was set for. - asn: The ASN that a rule was set for. diff --git a/stytch/consumer/models/fraud_verdict_reasons.py b/stytch/consumer/models/fraud_verdict_reasons.py index 196f51ca..8a97316b 100644 --- a/stytch/consumer/models/fraud_verdict_reasons.py +++ b/stytch/consumer/models/fraud_verdict_reasons.py @@ -23,7 +23,7 @@ class OverrideRequestAction(str, enum.Enum): class ListResponse(ResponseBase): """Response type for `VerdictReasons.list`. Fields: - - verdict_reason_actions: Information about verdict reasons and any overrides that were set on them. + - verdict_reason_actions: Actions associated with different authorization verdict reasons. """ # noqa verdict_reason_actions: List[VerdictReasonAction] 
@@ -32,7 +32,7 @@ class ListResponse(ResponseBase): class OverrideResponse(ResponseBase): """Response type for `VerdictReasons.override`. Fields: - - verdict_reason_action: Information about the verdict reason override that was just set. + - verdict_reason_action: Information about verdict reasons and any overrides set on them. """ # noqa verdict_reason_action: VerdictReasonAction diff --git a/stytch/consumer/models/idp_oauth.py b/stytch/consumer/models/idp_oauth.py index 67e0c4f5..691fa756 100644 --- a/stytch/consumer/models/idp_oauth.py +++ b/stytch/consumer/models/idp_oauth.py @@ -17,8 +17,8 @@ class AuthorizeResponse(ResponseBase): """Response type for `OAuth.authorize`. Fields: - - redirect_uri: The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow. This field is required when using the `authorization_code` grant. - - authorization_code: A one-time use code that can be exchanged for tokens. + - redirect_uri: The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow. This field is required when using the `authorization_code` grant. + - authorization_code: An OAuth authorization code that can be exchanged for access and refresh tokens. """ # noqa redirect_uri: str 
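Review bot: The new `authorization_code` line in `AuthorizeResponse` drops "one-time use", which is the property integrators need to know when handling the code, since replay must fail and the code should not be cached or logged. Keep it in the new wording: `- authorization_code: A one-time use OAuth authorization code that can be exchanged for access and refresh tokens.` The `redirect_uri` change in this hunk only collapses a double space.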
@@ -28,11 +28,11 @@ class AuthorizeResponse(ResponseBase): class AuthorizeStartResponse(ResponseBase): """Response type for `OAuth.authorize_start`. Fields: - - user_id: The unique ID of the affected User. - - user: The `user` object affected by this API call. See the [Get user endpoint](https://stytch.com/docs/api/get-user) for complete response field details. - - client: (no documentation yet) + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. + - user: The `user` object affected by this API call. + - client: An OAuth client or connected application object. - consent_required: Whether the user must provide explicit consent for the authorization request. - - scope_results: Details about each requested scope. + - scope_results: Details about which requested scopes were granted or denied during OAuth authorization. """ # noqa user_id: str diff --git a/stytch/consumer/models/impersonation.py b/stytch/consumer/models/impersonation.py index 5bde5063..babf5ffa 100644 --- a/stytch/consumer/models/impersonation.py +++ b/stytch/consumer/models/impersonation.py 
@@ -16,14 +16,11 @@ class AuthenticateResponse(ResponseBase): """Response type for `Impersonation.authenticate`. Fields: - - user_id: The unique ID of the affected User. - - user: The `user` object affected by this API call. See the [Get user endpoint](https://stytch.com/docs/api/get-user) for complete response field details. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. + - user: The `user` object affected by this API call. + - session_token: The `session_token` associated with a User's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. - session: If you initiate a Session, by including `session_duration_minutes` in your authenticate call, you'll receive a full Session object in the response. - - See [Session object](https://stytch.com/docs/api/session-object) for complete response fields. - """ # noqa user_id: str diff --git a/stytch/consumer/models/m2m.py b/stytch/consumer/models/m2m.py index 8cabdea2..238a1561 100644 --- a/stytch/consumer/models/m2m.py +++ b/stytch/consumer/models/m2m.py 
@@ -25,11 +25,11 @@ class M2MClient(pydantic.BaseModel): - client_id: The ID of the client. - client_name: A human-readable name for the client. - client_description: A human-readable description for the client. - - status: The status of the client - either `active` or `inactive`. + - status: The status of the entity. - scopes: An array of scopes assigned to the client. - - client_secret_last_four: The last four characters of the client secret. - - trusted_metadata: An arbitrary JSON object for storing application-specific data. - - next_client_secret_last_four: The last four characters of the `next_client_secret`. Null if no `next_client_secret` exists. + - client_secret_last_four: The last four characters of the current client secret, used for identification without exposing the full secret. + - trusted_metadata: An arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. + - next_client_secret_last_four: The last four characters of the next client secret, used during secret rotation. """ # noqa client_id: str 
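Review bot: `status` in `M2MClient` changes from "either `active` or `inactive`" to "The status of the entity", and `next_client_secret_last_four` loses "Null if no `next_client_secret` exists". The same two replacements are repeated in `M2MClientWithClientSecret` and `M2MClientWithNextClientSecret` in the next two hunks. Both removed facts matter when auditing machine credentials, because they show whether a client is disabled and whether a rotation is in progress. I would restore them: ``- status: The status of the client - either `active` or `inactive`.`` and append ``Null if no `next_client_secret` exists.`` to the `next_client_secret_last_four` line.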
@@ -46,14 +46,14 @@ class M2MClientWithClientSecret(pydantic.BaseModel): """ Fields: - client_id: The ID of the client. - - client_secret: The secret of the client. **Important:** this is the only time you will be able to view the `client_secret`. Be sure to persist the `client_secret` in a secure location. If the `client_secret` is lost, you will need to trigger a secret rotation flow to receive another one. + - client_secret: The secret of the client. **Important:** this is the only time you will be able to view the `client_secret`. Be sure to persist its value in a secure location. If the `client_secret` is lost, you will need to trigger a secret rotation flow to receive another one. - client_name: A human-readable name for the client. - client_description: A human-readable description for the client. - - status: The status of the client - either `active` or `inactive`. + - status: The status of the entity. - scopes: An array of scopes assigned to the client. - - client_secret_last_four: The last four characters of the client secret. - - trusted_metadata: An arbitrary JSON object for storing application-specific data. - - next_client_secret_last_four: The last four characters of the `next_client_secret`. Null if no `next_client_secret` exists. + - client_secret_last_four: The last four characters of the current client secret, used for identification without exposing the full secret. + - trusted_metadata: An arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. + - next_client_secret_last_four: The last four characters of the next client secret, used during secret rotation. """ # noqa client_id: str 
@@ -71,14 +71,14 @@ class M2MClientWithNextClientSecret(pydantic.BaseModel): """ Fields: - client_id: The ID of the client. - - next_client_secret: The newly created secret that's next in rotation for the client. **Important:** this is the only time you will be able to view the `next_client_secret`. Be sure to persist the `next_client_secret` in a secure location. If the `next_client_secret` is lost, you will need to trigger a secret rotation flow to receive another one. + - next_client_secret: The next client secret to be used after secret rotation is complete. **Important:** this is the only time you will be able to view the `client_secret`. Be sure to persist its value in a secure location. If the `client_secret` is lost, you will need to trigger a secret rotation flow to receive another one. - client_name: A human-readable name for the client. - client_description: A human-readable description for the client. - - status: The status of the client - either `active` or `inactive`. + - status: The status of the entity. - scopes: An array of scopes assigned to the client. - - client_secret_last_four: The last four characters of the client secret. - - trusted_metadata: An arbitrary JSON object for storing application-specific data. - - next_client_secret_last_four: The last four characters of the `next_client_secret`. Null if no `next_client_secret` exists. + - client_secret_last_four: The last four characters of the current client secret, used for identification without exposing the full secret. + - trusted_metadata: An arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. + - next_client_secret_last_four: The last four characters of the next client secret, used during secret rotation. """ # noqa client_id: str 
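Review bot: The warning on `next_client_secret` in `M2MClientWithNextClientSecret` now names the wrong field: it says "this is the only time you will be able to view the `client_secret`" and "If the `client_secret` is lost". The value returned here, shown only once, is `next_client_secret`, and the removed line said so. A reader following the new text could fail to persist the new secret during rotation. Change both mentions back, e.g. ``**Important:** this is the only time you will be able to view the `next_client_secret`. Be sure to persist its value in a secure location. If the `next_client_secret` is lost, you will need to trigger a secret rotation flow to receive another one.``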
@@ -95,12 +95,8 @@ class M2MClientWithNextClientSecret(pydantic.BaseModel): class M2MSearchQuery(pydantic.BaseModel): """ Fields: - - operator: The action to perform on the operands. The accepted value are: - - `AND` – all the operand values provided must match. - - `OR` – the operator will return any matches to at least one of the operand values you supply. - - operands: An array of operand objects that contains all of the filters and values to apply to your search search query. + - operator: The action to perform on the operands, either `AND` or `OR`. + - operands: An array of operand objects that contains all of the filters and values to apply to your search query. """ # noqa operator: M2MSearchQueryOperator @@ -110,8 +106,8 @@ class M2MSearchQuery(pydantic.BaseModel): class ResultsMetadata(pydantic.BaseModel): """ Fields: - - total: The total number of results returned by your search query. If totals have been disabled for your Stytch Workspace to improve search performance, the value will always be -1. - - next_cursor: The `next_cursor` string is returned when your search result contains more than one page of results. This value is passed into your next search call in the `cursor` field. + - total: The total count of items or results in a paginated response or collection. + - next_cursor: A cursor value for fetching the next page of paginated results. """ # noqa total: int diff --git a/stytch/consumer/models/m2m_clients.py b/stytch/consumer/models/m2m_clients.py index 13c9962c..14dd74f6 100644 --- a/stytch/consumer/models/m2m_clients.py +++ b/stytch/consumer/models/m2m_clients.py @@ -25,7 +25,7 @@ class UpdateRequestStatus(str, enum.Enum): class CreateResponse(ResponseBase): """Response type for `Clients.create`. Fields: - - m2m_client: The M2M Client created by this API call. + - m2m_client: A machine-to-machine (M2M) client object used for service-to-service authentication. """ # noqa m2m_client: M2MClientWithClientSecret 
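Review bot: `total` in `ResultsMetadata` no longer documents the `-1` sentinel that the removed line described ("If totals have been disabled for your Stytch Workspace ..., the value will always be -1"). Code that uses `total` for pagination bounds or for counting credentials will misbehave on a negative value unless the caller knows to expect it. Keep the sentinel: `- total: The total number of results returned by your search query. If totals have been disabled for your Stytch Workspace to improve search performance, the value will always be -1.` The `next_cursor` line similarly no longer says the value is passed back in the `cursor` field.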
@@ -43,7 +43,7 @@ class DeleteResponse(ResponseBase): class GetResponse(ResponseBase): """Response type for `Clients.get`. Fields: - - m2m_client: The M2M Client affected by this operation. + - m2m_client: A machine-to-machine (M2M) client object used for service-to-service authentication. """ # noqa m2m_client: M2MClient @@ -52,8 +52,8 @@ class GetResponse(ResponseBase): class SearchResponse(ResponseBase): """Response type for `Clients.search`. Fields: - - m2m_clients: An array of M2M Clients that match your search query. - - results_metadata: The search `results_metadata` object contains metadata relevant to your specific query like total and `next_cursor`. + - m2m_clients: A list of machine-to-machine (M2M) clients for service authentication. + - results_metadata: Metadata about paginated search results, including total count and cursor for fetching the next page. """ # noqa m2m_clients: List[M2MClient] @@ -63,7 +63,7 @@ class SearchResponse(ResponseBase): class UpdateResponse(ResponseBase): """Response type for `Clients.update`. Fields: - - m2m_client: The M2M Client affected by this operation. + - m2m_client: A machine-to-machine (M2M) client object used for service-to-service authentication. """ # noqa m2m_client: M2MClient diff --git a/stytch/consumer/models/m2m_clients_secrets.py b/stytch/consumer/models/m2m_clients_secrets.py index 13c6d737..8e1c000b 100644 --- a/stytch/consumer/models/m2m_clients_secrets.py +++ b/stytch/consumer/models/m2m_clients_secrets.py @@ -13,7 +13,7 @@ class RotateCancelResponse(ResponseBase): """Response type for `Secrets.rotate_cancel`. Fields: - - m2m_client: The M2M Client affected by this operation. + - m2m_client: A machine-to-machine (M2M) client object used for service-to-service authentication. """ # noqa m2m_client: M2MClient 
@@ -22,7 +22,7 @@ class RotateCancelResponse(ResponseBase): class RotateResponse(ResponseBase): """Response type for `Secrets.rotate`. Fields: - - m2m_client: The M2M Client affected by this operation. + - m2m_client: A machine-to-machine (M2M) client object used for service-to-service authentication. """ # noqa m2m_client: M2MClient @@ -31,7 +31,7 @@ class RotateResponse(ResponseBase): class RotateStartResponse(ResponseBase): """Response type for `Secrets.rotate_start`. Fields: - - m2m_client: The M2M Client affected by this operation. + - m2m_client: A machine-to-machine (M2M) client object used for service-to-service authentication. """ # noqa m2m_client: M2MClientWithNextClientSecret diff --git a/stytch/consumer/models/magic_links.py b/stytch/consumer/models/magic_links.py index 37ed4442..70973a38 100644 --- a/stytch/consumer/models/magic_links.py +++ b/stytch/consumer/models/magic_links.py 
@@ -30,17 +30,14 @@ class Options(pydantic.BaseModel): class AuthenticateResponse(ResponseBase): """Response type for `MagicLinks.authenticate`. Fields: - - user_id: The unique ID of the affected User. - - method_id: The `email_id` or `phone_id` involved in the given authentication. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - user: The `user` object affected by this API call. See the [Get user endpoint](https://stytch.com/docs/api/get-user) for complete response field details. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. + - method_id: The unique identifier for a specific authentication method instance (e.g., an email ID, password, TOTP, or phone number). + - session_token: The `session_token` associated with a User's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. + - user: The `user` object affected by this API call. - reset_sessions: Indicates if all other of the User's Sessions need to be reset. You should check this field if you aren't using Stytch's Session product. If you are using Stytch's Session product, we revoke the User's other sessions for you. - session: If you initiate a Session, by including `session_duration_minutes` in your authenticate call, you'll receive a full Session object in the response. - - See [Session object](https://stytch.com/docs/api/session-object) for complete response fields. - - - user_device: If a valid `telemetry_id` was passed in the request and the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) returned results, the `user_device` response field will contain information about the user's device attributes. 
+ - user_device: If a valid `telemetry_id` was passed in the request and the Fingerprint Lookup API returned results, this field will contain information about the user's device attributes. """ # noqa user_id: str @@ -56,8 +53,8 @@ class AuthenticateResponse(ResponseBase): class CreateResponse(ResponseBase): """Response type for `MagicLinks.create`. Fields: - - user_id: The unique ID of the affected User. - - token: The Magic Link `token` that you'll include in your contact method of choice, e.g. email or SMS. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. + - token: The Magic Link token from the `?token=` query parameter in the URL that you'll include in your contact method of choice, e.g. email or SMS. The redirect URL will look like `https://example.com/authenticate?stytch_token_type=magic_links&token=rM_kw42CWBhsHLF62V75jELMbvJ87njMe3tFVj7Qupu7` In the redirect URL, the `stytch_token_type` will be `magic_link`. See [here](https://stytch.com/docs/workspace-management/redirect-urls) for more detail. """ # noqa user_id: str diff --git a/stytch/consumer/models/magic_links_email.py b/stytch/consumer/models/magic_links_email.py index 8f094696..ad5c086c 100644 --- a/stytch/consumer/models/magic_links_email.py +++ b/stytch/consumer/models/magic_links_email.py @@ -35,7 +35,7 @@ class SendRequestLocale(str, enum.Enum): class InviteResponse(ResponseBase): """Response type for `Email.invite`. Fields: - - user_id: The unique ID of the affected User. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - email_id: The unique ID of a specific email address. """ # noqa 
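Review bot: The new `session_token` line in `AuthenticateResponse` no longer says the value is secret, and it calls the Session "existing" even though the `session` field just below says this call can initiate one. I would keep the sensitivity cue so callers do not log or echo the field: `- session_token: A secret token for the Stytch Session returned by this call; treat it as a credential.` The same wording lands on `session_jwt` here and is repeated in the later hunks for `OAuth.authenticate`, `OTPs.authenticate`, `Passwords.authenticate`, `Passwords.create`, `Email.reset`, `ExistingPassword.reset` and `Sessions.reset`. The class's field list continues outside the hunk.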
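Review bot: The new `token` text in `CreateResponse` contradicts itself: the example URL carries `stytch_token_type=magic_links`, while the next sentence says the value "will be `magic_link`". One of the two should be corrected against the redirect-URL documentation the line links to. The opening clause ("from the `?token=` query parameter in the URL") also reads like the description of an authenticate input, whereas this is the value returned by `MagicLinks.create`. The removed wording, `- token: The Magic Link token that you'll include in your contact method of choice, e.g. email or SMS.`, described the response field more directly.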
@@ -46,9 +46,9 @@ class InviteResponse(ResponseBase): class LoginOrCreateResponse(ResponseBase): """Response type for `Email.login_or_create`. Fields: - - user_id: The unique ID of the affected User. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - email_id: The unique ID of a specific email address. - - user_created: In `login_or_create` endpoints, this field indicates whether or not a User was just created. + - user_created: A boolean indicating whether a new user was created as part of the authentication flow (true) or an existing user was authenticated (false). """ # noqa user_id: str @@ -65,7 +65,7 @@ class RevokeInviteResponse(ResponseBase): class SendResponse(ResponseBase): """Response type for `Email.send`. Fields: - - user_id: The unique ID of the affected User. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - email_id: The unique ID of a specific email address. """ # noqa diff --git a/stytch/consumer/models/oauth.py b/stytch/consumer/models/oauth.py index d3af2559..61207459 100644 --- a/stytch/consumer/models/oauth.py +++ b/stytch/consumer/models/oauth.py 
@@ -22,9 +22,9 @@ class ProviderValues(pydantic.BaseModel): Fields: - access_token: The `access_token` that you may use to access the User's data in the provider's API. - refresh_token: The `refresh_token` that you may use to obtain a new `access_token` for the User within the provider's API. - - id_token: The `id_token` returned by the OAuth provider. ID Tokens are JWTs that contain structured information about a user. The exact content of each ID Token varies from provider to provider. ID Tokens are returned from OAuth providers that conform to the [OpenID Connect](https://openid.net/foundation/) specification, which is based on OAuth. - - scopes: The OAuth scopes included for a given provider. See each provider's section above to see which scopes are included by default and how to add custom scopes. - - expires_at: The timestamp when the Session expires. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`. + - id_token: The `id_token` returned by the OAuth provider. ID Tokens are JWTs that contain structured information about a user. The exact content of each ID Token varies from provider to provider. ID Tokens are returned from OAuth providers that conform to the OpenID Connect specification, which is based on OAuth + - scopes: The OAuth scopes included for a given provider. + - expires_at: The timestamp indicating when the session, token, lock, or other resource will expire. """ # noqa access_token: str 
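Review bot: The new `expires_at` line in `ProviderValues` ("the session, token, lock, or other resource") no longer says which object expires, and it drops the format statement the removed line carried. Because this field sits beside `access_token` and `refresh_token`, a caller deciding when to refresh needs both. I would name the resource this field actually tracks and restore the sentence `Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.` Separately, the rewritten `id_token` line has lost its closing period.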
@@ -46,22 +46,17 @@ class AttachResponse(ResponseBase): class AuthenticateResponse(ResponseBase): """Response type for `OAuth.authenticate`. Fields: - - user_id: The unique ID of the affected User. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - provider_subject: The unique identifier for the User within a given OAuth provider. Also commonly called the "sub" or "Subject field" in OAuth protocols. - - provider_type: Denotes the OAuth identity provider that the user has authenticated with, e.g. Google, Facebook, GitHub etc. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - provider_values: The `provider_values` object lists relevant identifiers, values, and scopes for a given OAuth provider. For example this object will include a provider's `access_token` that you can use to access the provider's API for a given user. - - Note that these values will vary based on the OAuth provider in question, e.g. `id_token` is only returned by OIDC compliant identity providers. - - user: The `user` object affected by this API call. See the [Get user endpoint](https://stytch.com/docs/api/get-user) for complete response field details. + - provider_type: The type of OAuth provider (e.g., google, microsoft, slack, github, hubspot) used for authentication. + - session_token: The `session_token` associated with a User's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. + - provider_values: Values or configuration settings specific to an identity provider. + - user: The `user` object affected by this API call. - reset_sessions: Indicates if all other of the User's Sessions need to be reset. You should check this field if you aren't using Stytch's Session product. If you are using Stytch's Session product, we revoke the User's other sessions for you. 
- - oauth_user_registration_id: The unique ID for an OAuth registration. - - user_session: A `Session` object. For backwards compatibility reasons, the session from an OAuth authenticate call is labeled as `user_session`, but is otherwise just a standard stytch `Session` object. - - See [Session object](https://stytch.com/docs/api/session-object) for complete response fields. - - - user_device: If a valid `telemetry_id` was passed in the request and the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) returned results, the `user_device` response field will contain information about the user's device attributes. + - oauth_user_registration_id: The unique identifier for the OAuth provider registration linking the user to their provider account. + - user_session: A session object for consumer (B2C) users. + - user_device: If a valid `telemetry_id` was passed in the request and the Fingerprint Lookup API returned results, this field will contain information about the user's device attributes. """ # noqa user_id: str diff --git a/stytch/consumer/models/otp.py b/stytch/consumer/models/otp.py index aaf4aa19..d1df1020 100644 --- a/stytch/consumer/models/otp.py +++ b/stytch/consumer/models/otp.py 
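Review bot: The new `provider_values` line in `AuthenticateResponse` ("Values or configuration settings specific to an identity provider") hides that the object carries provider credentials. The `ProviderValues` docstring in this same file lists `access_token`, `refresh_token` and `id_token`, and the removed text said so explicitly. Something like `- provider_values: Identifiers, tokens and scopes returned by the OAuth provider, including the provider access_token; treat the object as sensitive.` would keep that visible to anyone serialising or logging the response. The removed note that `id_token` is only returned by OIDC-compliant providers is also worth keeping, since it tells callers the field may be absent. The class's field list continues outside the hunk.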
@@ -17,17 +17,14 @@ class AuthenticateResponse(ResponseBase): """Response type for `OTPs.authenticate`. Fields: - - user_id: The unique ID of the affected User. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - method_id: The `email_id` or `phone_id` involved in the given authentication. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - user: The `user` object affected by this API call. See the [Get user endpoint](https://stytch.com/docs/api/get-user) for complete response field details. + - session_token: The `session_token` associated with a User's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. + - user: The `user` object affected by this API call. - reset_sessions: Indicates if all other of the User's Sessions need to be reset. You should check this field if you aren't using Stytch's Session product. If you are using Stytch's Session product, we revoke the User's other sessions for you. - session: If you initiate a Session, by including `session_duration_minutes` in your authenticate call, you'll receive a full Session object in the response. - - See [Session object](https://stytch.com/docs/api/session-object) for complete response fields. - - - user_device: If a valid `telemetry_id` was passed in the request and the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) returned results, the `user_device` response field will contain information about the user's device attributes. + - user_device: If a valid `telemetry_id` was passed in the request and the Fingerprint Lookup API returned results, this field will contain information about the user's device attributes. """ # noqa user_id: str 
diff --git a/stytch/consumer/models/otp_email.py b/stytch/consumer/models/otp_email.py index 07b88110..da316bae 100644 --- a/stytch/consumer/models/otp_email.py +++ b/stytch/consumer/models/otp_email.py @@ -28,9 +28,9 @@ class SendRequestLocale(str, enum.Enum): class LoginOrCreateResponse(ResponseBase): """Response type for `Email.login_or_create`. Fields: - - user_id: The unique ID of the affected User. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - email_id: The unique ID of a specific email address. - - user_created: In `login_or_create` endpoints, this field indicates whether or not a User was just created. + - user_created: A boolean indicating whether a new user was created as part of the authentication flow (true) or an existing user was authenticated (false). """ # noqa user_id: str @@ -41,7 +41,7 @@ class LoginOrCreateResponse(ResponseBase): class SendResponse(ResponseBase): """Response type for `Email.send`. Fields: - - user_id: The unique ID of the affected User. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - email_id: The unique ID of a specific email address. """ # noqa diff --git a/stytch/consumer/models/otp_sms.py b/stytch/consumer/models/otp_sms.py index dd952f8a..ca639eb4 100644 --- a/stytch/consumer/models/otp_sms.py +++ b/stytch/consumer/models/otp_sms.py 
@@ -36,9 +36,9 @@ class SendRequestLocale(str, enum.Enum): class LoginOrCreateResponse(ResponseBase): """Response type for `Sms.login_or_create`. Fields: - - user_id: The unique ID of the affected User. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - phone_id: The unique ID for the phone number. - - user_created: In `login_or_create` endpoints, this field indicates whether or not a User was just created. + - user_created: A boolean indicating whether a new user was created as part of the authentication flow (true) or an existing user was authenticated (false). """ # noqa user_id: str @@ -49,7 +49,7 @@ class LoginOrCreateResponse(ResponseBase): class SendResponse(ResponseBase): """Response type for `Sms.send`. Fields: - - user_id: The unique ID of the affected User. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - phone_id: The unique ID for the phone number. """ # noqa diff --git a/stytch/consumer/models/otp_whatsapp.py b/stytch/consumer/models/otp_whatsapp.py index dd10369f..09a36d87 100644 --- a/stytch/consumer/models/otp_whatsapp.py +++ b/stytch/consumer/models/otp_whatsapp.py 
@@ -34,11 +34,11 @@ class SendRequestLocale(str, enum.Enum): class LoginOrCreateResponse(ResponseBase): - """Response type for `Whatsapp.login_or_create`. + """Response type for `WhatsApp.login_or_create`. Fields: - - user_id: The unique ID of the affected User. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - phone_id: The unique ID for the phone number. - - user_created: In `login_or_create` endpoints, this field indicates whether or not a User was just created. + - user_created: A boolean indicating whether a new user was created as part of the authentication flow (true) or an existing user was authenticated (false). """ # noqa user_id: str @@ -47,9 +47,9 @@ class LoginOrCreateResponse(ResponseBase): class SendResponse(ResponseBase): - """Response type for `Whatsapp.send`. + """Response type for `WhatsApp.send`. Fields: - - user_id: The unique ID of the affected User. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - phone_id: The unique ID for the phone number. """ # noqa diff --git a/stytch/consumer/models/passwords.py b/stytch/consumer/models/passwords.py index 6900ef65..f0cc287a 100644 --- a/stytch/consumer/models/passwords.py +++ b/stytch/consumer/models/passwords.py @@ -32,7 +32,7 @@ class MigrateRequestHashType(str, enum.Enum): class Argon2Config(pydantic.BaseModel): """ Fields: - - salt: The salt value. + - salt: The base64-encoded salt value. - iteration_amount: The iteration amount. - memory: The memory in kibibytes. - threads: The thread value, also known as the parallelism factor. 
@@ -52,7 +52,7 @@ class LUDSRequirements(pydantic.BaseModel): - has_lower_case: For LUDS validation, whether the password contains at least one lowercase letter. - has_upper_case: For LUDS validation, whether the password contains at least one uppercase letter. - has_digit: For LUDS validation, whether the password contains at least one digit. - - has_symbol: For LUDS validation, whether the password contains at least one symbol. Any UTF8 character outside of a-z or A-Z may count as a valid symbol. + - has_symbol: For LUDS validation, whether the password contains at least one symbol. Any UTF8 character outside of a-z, A-Z, or 0-9 is considered a symbol. - missing_complexity: For LUDS validation, the number of complexity requirements that are missing from the password. Check the complexity fields to see which requirements are missing. - missing_characters: For LUDS validation, this is the required length of the password that you've set minus the length of the password being checked. The user will need to add this many characters to the password to make it valid. """ # noqa @@ -92,10 +92,10 @@ class MD5Config(pydantic.BaseModel): class PBKDF2Config(pydantic.BaseModel): """ Fields: - - salt: The salt value, which should be in a base64 encoded string form. + - salt: The base64-encoded salt value. - iteration_amount: The iteration amount. - key_length: The key length, also known as the hash length. - - algorithm: The algorithm that was used to generate the HMAC hash. Accepted values are "sha512" and sha256". Defaults to sha256. + - algorithm: The algorithm that was used to generate the HMAC hash. Accepted values are `sha512` and `sha256`. Defaults to sha256. """ # noqa salt: str 
@@ -129,9 +129,8 @@ class SHA512Config(pydantic.BaseModel): class ScryptConfig(pydantic.BaseModel): """ Fields: - - salt: The salt value, which should be in a base64 encoded string form. - - n_parameter: The N value, also known as the iterations count. It must be a power of two greater than 1 and less than 262,145. - If your application's N parameter is larger than 262,144, please reach out to [support@stytch.com](mailto:support@stytch.com) + - salt: The base64-encoded salt value. + - n_parameter: The N value, also known as the iterations count. It must be a power of two greater than 1 and less than 262,145. If your application's N parameter is larger than 262,144, please reach out to support@stytch.com - r_parameter: The r parameter, also known as the block size. - p_parameter: The p parameter, also known as the parallelism factor. - key_length: The key length, also known as the hash length. 
@@ -147,15 +146,12 @@ class ScryptConfig(pydantic.BaseModel): class AuthenticateResponse(ResponseBase): """Response type for `Passwords.authenticate`. Fields: - - user_id: The unique ID of the affected User. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - user: The `user` object affected by this API call. See the [Get user endpoint](https://stytch.com/docs/api/get-user) for complete response field details. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. + - session_token: The `session_token` associated with a User's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. + - user: The `user` object affected by this API call. - session: If you initiate a Session, by including `session_duration_minutes` in your authenticate call, you'll receive a full Session object in the response. - - See [Session object](https://stytch.com/docs/api/session-object) for complete response fields. - - - user_device: If a valid `telemetry_id` was passed in the request and the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) returned results, the `user_device` response field will contain information about the user's device attributes. + - user_device: If a valid `telemetry_id` was passed in the request and the Fingerprint Lookup API returned results, this field will contain information about the user's device attributes. """ # noqa user_id: str 
@@ -169,16 +165,13 @@ class AuthenticateResponse(ResponseBase): class CreateResponse(ResponseBase): """Response type for `Passwords.create`. Fields: - - user_id: The unique ID of the affected User. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - email_id: The unique ID of a specific email address. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - user: The `user` object affected by this API call. See the [Get user endpoint](https://stytch.com/docs/api/get-user) for complete response field details. + - session_token: The `session_token` associated with a User's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. + - user: The `user` object affected by this API call. - session: If you initiate a Session, by including `session_duration_minutes` in your authenticate call, you'll receive a full Session object in the response. - - See [Session object](https://stytch.com/docs/api/session-object) for complete response fields. - - - user_device: If a valid `telemetry_id` was passed in the request and the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) returned results, the `user_device` response field will contain information about the user's device attributes. + - user_device: If a valid `telemetry_id` was passed in the request and the Fingerprint Lookup API returned results, this field will contain information about the user's device attributes. """ # noqa user_id: str 
@@ -193,10 +186,10 @@ class CreateResponse(ResponseBase): class MigrateResponse(ResponseBase): """Response type for `Passwords.migrate`. Fields: - - user_id: The unique ID of the affected User. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - email_id: The unique ID of a specific email address. - - user_created: In `login_or_create` endpoints, this field indicates whether or not a User was just created. - - user: The `user` object affected by this API call. See the [Get user endpoint](https://stytch.com/docs/api/get-user) for complete response field details. + - user_created: A boolean indicating whether a new user was created as part of the authentication flow (true) or an existing user was authenticated (false). + - user: The `user` object affected by this API call. """ # noqa user_id: str 
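Review bot: The shared `user_created` text now used in `MigrateResponse` describes an "authentication flow" in which "an existing user was authenticated (false)", but nothing in this response type suggests `Passwords.migrate` authenticates anyone. For this endpoint a narrower line would be more accurate, for example `- user_created: Whether this call created a new User (true) or updated an existing one (false).`, assuming that matches the endpoint's behaviour. The class's field list continues outside the hunk.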
@@ -208,12 +201,12 @@ class MigrateResponse(ResponseBase): class StrengthCheckResponse(ResponseBase): """Response type for `Passwords.strength_check`. Fields: - - valid_password: Returns `true` if the password passes our password validation. We offer two validation options, [zxcvbn](https://stytch.com/docs/guides/passwords/strength-policy) is the default option which offers a high level of sophistication. We also offer [LUDS](https://stytch.com/docs/guides/passwords/strength-policy). If an email address is included in the call we also require that the password hasn't been compromised using built-in breach detection powered by [HaveIBeenPwned](https://haveibeenpwned.com/). - - score: The score of the password determined by [zxcvbn](https://github.com/dropbox/zxcvbn). Values will be between 1 and 4, a 3 or greater is required to pass validation. - - breached_password: Returns `true` if the password has been breached. Powered by [HaveIBeenPwned](https://haveibeenpwned.com/). + - valid_password: A boolean indicating whether the provided password is valid. + - score: A numerical score representing the strength or quality of a password. Values will be between 1 and 4, a 3 or greater is required to pass `zxcvbn` validation. + - breached_password: A boolean indicating whether the password has been found in known data breaches. - strength_policy: The strength policy type enforced, either `zxcvbn` or `luds`. - - breach_detection_on_create: Will return `true` if breach detection will be evaluated. By default this option is enabled. This option can be disabled by contacting [support@stytch.com](mailto:support@stytch.com?subject=Password%20strength%20configuration). If this value is `false` then `breached_password` will always be `false` as well. - - feedback: Feedback for how to improve the password's strength [HaveIBeenPwned](https://haveibeenpwned.com/). + - breach_detection_on_create: A boolean flag to enable checking passwords against breach databases during creation. 
+ - feedback: Feedback for how to improve the password's strength. """ # noqa valid_password: bool diff --git a/stytch/consumer/models/passwords_email.py b/stytch/consumer/models/passwords_email.py index 5723e08a..9d8979b3 100644 --- a/stytch/consumer/models/passwords_email.py +++ b/stytch/consumer/models/passwords_email.py @@ -25,15 +25,12 @@ class ResetStartRequestLocale(str, enum.Enum): class ResetResponse(ResponseBase): """Response type for `Email.reset`. Fields: - - user_id: The unique ID of the affected User. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - user: The `user` object affected by this API call. See the [Get user endpoint](https://stytch.com/docs/api/get-user) for complete response field details. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. + - session_token: The `session_token` associated with a User's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. + - user: The `user` object affected by this API call. - session: If you initiate a Session, by including `session_duration_minutes` in your authenticate call, you'll receive a full Session object in the response. - - See [Session object](https://stytch.com/docs/api/session-object) for complete response fields. - - - user_device: If a valid `telemetry_id` was passed in the request and the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) returned results, the `user_device` response field will contain information about the user's device attributes. + - user_device: If a valid `telemetry_id` was passed in the request and the Fingerprint Lookup API returned results, this field will contain information about the user's device attributes. """ # noqa user_id: str 
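Review bot: The rewritten `breach_detection_on_create` line in `StrengthCheckResponse` describes "a boolean flag to enable checking", which reads as a request option, although this is a response field reporting whether breach detection is evaluated. It also drops the removed caveat that `breached_password` is always `false` when this value is `false`, so a caller can misread a disabled check as a clean result. I would restore it: `- breach_detection_on_create: Whether breach detection is evaluated for this project. If false, breached_password will always be false as well.` The `valid_password` line has likewise lost the statement that the breach check is only applied when an email address is included in the call.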
@@ -47,7 +44,7 @@ class ResetResponse(ResponseBase): class ResetStartResponse(ResponseBase): """Response type for `Email.reset_start`. Fields: - - user_id: The unique ID of the affected User. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - email_id: The unique ID of a specific email address. """ # noqa diff --git a/stytch/consumer/models/passwords_existing_password.py b/stytch/consumer/models/passwords_existing_password.py index dfe1264f..f881070d 100644 --- a/stytch/consumer/models/passwords_existing_password.py +++ b/stytch/consumer/models/passwords_existing_password.py 
@@ -17,15 +17,12 @@ class ResetResponse(ResponseBase): """Response type for `ExistingPassword.reset`. Fields: - - user_id: The unique ID of the affected User. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - user: The `user` object affected by this API call. See the [Get user endpoint](https://stytch.com/docs/api/get-user) for complete response field details. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. + - session_token: The `session_token` associated with a User's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. + - user: The `user` object affected by this API call. - session: If you initiate a Session, by including `session_duration_minutes` in your authenticate call, you'll receive a full Session object in the response. - - See [Session object](https://stytch.com/docs/api/session-object) for complete response fields. - - - user_device: If a valid `telemetry_id` was passed in the request and the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) returned results, the `user_device` response field will contain information about the user's device attributes. + - user_device: If a valid `telemetry_id` was passed in the request and the Fingerprint Lookup API returned results, this field will contain information about the user's device attributes. """ # noqa user_id: str diff --git a/stytch/consumer/models/passwords_session.py b/stytch/consumer/models/passwords_session.py index 2e664694..96a590b6 100644 --- a/stytch/consumer/models/passwords_session.py +++ b/stytch/consumer/models/passwords_session.py 
@@ -17,15 +17,12 @@ class ResetResponse(ResponseBase): """Response type for `Sessions.reset`. Fields: - - user_id: The unique ID of the affected User. - - user: The `user` object affected by this API call. See the [Get user endpoint](https://stytch.com/docs/api/get-user) for complete response field details. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. + - user: The `user` object affected by this API call. + - session_token: The `session_token` associated with a User's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. - session: If you initiate a Session, by including `session_duration_minutes` in your authenticate call, you'll receive a full Session object in the response. - - See [Session object](https://stytch.com/docs/api/session-object) for complete response fields. - - - user_device: If a valid `telemetry_id` was passed in the request and the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) returned results, the `user_device` response field will contain information about the user's device attributes. + - user_device: If a valid `telemetry_id` was passed in the request and the Fingerprint Lookup API returned results, this field will contain information about the user's device attributes. """ # noqa user_id: str diff --git a/stytch/consumer/models/project.py b/stytch/consumer/models/project.py index 71cbfe34..367c1922 100644 --- a/stytch/consumer/models/project.py +++ b/stytch/consumer/models/project.py 
@@ -28,5 +28,11 @@ class ProjectMetric(pydantic.BaseModel): class MetricsResponse(ResponseBase): + """Response type for `Project.metrics`. + Fields: + - project_id: The project ID related to the returned metrics. + - metrics: Metrics and analytics data about the resource. + """ # noqa + project_id: str metrics: List[ProjectMetric] diff --git a/stytch/consumer/models/rbac.py b/stytch/consumer/models/rbac.py index ceee362f..5ad8de47 100644 --- a/stytch/consumer/models/rbac.py +++ b/stytch/consumer/models/rbac.py @@ -16,12 +16,9 @@ class PolicyResource(pydantic.BaseModel): """ Fields: - - resource_id: A unique identifier of the RBAC Resource, provided by the developer and intended to be human-readable. - - A `resource_id` is not allowed to start with `stytch`, which is a special prefix used for Stytch default Resources with reserved `resource_id`s. - - - description: The description of the RBAC Resource. - - actions: A list of all possible actions for a provided Resource. + - resource_id: A unique identifier of the RBAC Resource, provided by the developer and intended to be human-readable. A `resource_id` is not allowed to start with `stytch`, which is a special prefix used for Stytch default Resources with reserved `resource_id`s. + - description: A human-readable description of the RBAC resource, role, or scope that explains its purpose and permissions. + - actions: An array of actions that can be performed on the given resource. """ # noqa resource_id: str 
@@ -32,11 +29,8 @@ class PolicyResource(pydantic.BaseModel): class PolicyRolePermission(pydantic.BaseModel): """ Fields: - - resource_id: A unique identifier of the RBAC Resource, provided by the developer and intended to be human-readable. - - A `resource_id` is not allowed to start with `stytch`, which is a special prefix used for Stytch default Resources with reserved `resource_id`s. - - - actions: A list of permitted actions the Role is authorized to take with the provided Resource. You can use `*` as a wildcard to grant a Role permission to use all possible actions related to the Resource. + - resource_id: A unique identifier of the RBAC Resource, provided by the developer and intended to be human-readable. A `resource_id` is not allowed to start with `stytch`, which is a special prefix used for Stytch default Resources with reserved `resource_id`s. + - actions: An array of actions that can be performed on the given resource. """ # noqa resource_id: str @@ -46,13 +40,9 @@ class PolicyRolePermission(pydantic.BaseModel): class PolicyRole(pydantic.BaseModel): """ Fields: - - role_id: The unique identifier of the RBAC Role, provided by the developer and intended to be human-readable. - - The `stytch_user` `role_id` is predefined by Stytch. - Check out the [RBAC guide](https://stytch.com/docs/guides/rbac/overview) for a more detailed explanation. - - - description: The description of the RBAC Role. - - permissions: A list of permissions that link a [Resource](https://stytch.com/docs/api/rbac-resource-object) to a list of actions. + - role_id: The unique identifier for an RBAC role. + - description: A human-readable description of the RBAC resource, role, or scope that explains its purpose and permissions. + - permissions: A list of RBAC permissions defining specific actions that can be performed on resources. """ # noqa role_id: str 
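Review bot: The new `actions` text in `PolicyRolePermission` describes a Resource's action list and drops the statement that `*` is a wildcard granting every action on the Resource. A reader who evaluates a Role's permissions from this model by exact string comparison no longer learns about the wildcard from the docstring. I would restore the removed meaning: `- actions: A list of permitted actions the Role is authorized to take with the provided Resource; "*" is a wildcard for all actions on the Resource.` The `PolicyRole` hunk on the same line also loses the note that `stytch_user` is a `role_id` predefined by Stytch.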
@@ -61,11 +51,24 @@ class PolicyRole(pydantic.BaseModel): class PolicyScopePermission(pydantic.BaseModel): + """ + Fields: + - resource_id: A unique identifier of the RBAC Resource, provided by the developer and intended to be human-readable. A `resource_id` is not allowed to start with `stytch`, which is a special prefix used for Stytch default Resources with reserved `resource_id`s. + - actions: An array of actions that can be performed on the given resource. + """ # noqa + resource_id: str actions: List[str] class PolicyScope(pydantic.BaseModel): + """ + Fields: + - scope: A space-separated string of OAuth scopes defining requested permissions. + - description: A human-readable description of the RBAC resource, role, or scope that explains its purpose and permissions. + - permissions: A list of RBAC permissions defining specific actions that can be performed on resources. + """ # noqa + scope: str description: str permissions: List[PolicyScopePermission] @@ -75,8 +78,8 @@ class Policy(pydantic.BaseModel): """ Fields: - roles: An array of [Role objects](https://stytch.com/docs/api/rbac-role-object). - - resources: An array of [Resource objects](https://stytch.com/docs/api/rbac-resource-object). - - scopes: (no documentation yet) + - resources: A list of RBAC resources that define what entities can be accessed or modified, used in authorization policies. + - scopes: An array of scopes available in the policy. """ # noqa roles: List[PolicyRole] 
@@ -87,7 +90,7 @@ class Policy(pydantic.BaseModel): class PolicyResponse(ResponseBase): """Response type for `RBAC.policy`. Fields: - - policy: The RBAC Policy document that contains all defined Roles and Resources – which are managed in the [Dashboard](https://stytch.com/dashboard/rbac). Read more about these entities and how they work in our [RBAC overview](https://stytch.com/docs/guides/rbac/overview). + - policy: The RBAC Policy document that contains all defined Roles and Resources. """ # noqa policy: Optional[Policy] = None diff --git a/stytch/consumer/models/sessions.py b/stytch/consumer/models/sessions.py index e87f0968..be8f0d47 100644 --- a/stytch/consumer/models/sessions.py +++ b/stytch/consumer/models/sessions.py @@ -83,12 +83,26 @@ class AuthenticationFactorType(str, enum.Enum): class AmazonOAuthFactor(pydantic.BaseModel): + """ + Fields: + - id: The unique identifier for the resource. + - provider_subject: The unique identifier for the user in the identity provider's system, used to link external provider accounts to Stytch members. + - email_id: The unique ID of a specific email address. + """ # noqa + id: str provider_subject: str email_id: Optional[str] = None class AppleOAuthFactor(pydantic.BaseModel): + """ + Fields: + - id: The unique identifier for the resource. + - provider_subject: The unique identifier for the user in the identity provider's system, used to link external provider accounts to Stytch members. + - email_id: The unique ID of a specific email address. + """ # noqa + id: str provider_subject: str email_id: Optional[str] = None @@ -97,7 +111,7 @@ class AppleOAuthFactor(pydantic.BaseModel): class AuthenticatorAppFactor(pydantic.BaseModel): """ Fields: - - totp_id: Globally unique UUID that identifies a TOTP instance. + - totp_id: The unique identifier for the TOTP (Time-based One-Time Password) registration. """ # noqa totp_id: str 
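Review bot: In the added `AmazonOAuthFactor` and `AppleOAuthFactor` docstrings, `provider_subject` is said to link provider accounts "to Stytch members", but this is the consumer sessions model, whose other docstrings speak of Users. The text also omits that the value is the provider's `sub` field, which the removed GitHub, Google and Microsoft wording stated. Suggested line: `- provider_subject: The unique identifier for the User within the OAuth provider, commonly called the "sub" (Subject) field.` The same sentence is repeated in every OAuth factor docstring in the later hunks of this file. There the `id` text "The unique identifier for the resource" also replaces the more specific "The unique ID of an OAuth registration".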
@@ -106,11 +120,8 @@ class AuthenticatorAppFactor(pydantic.BaseModel): class AuthorizationCheck(pydantic.BaseModel): """ Fields: - - resource_id: A unique identifier of the RBAC Resource, provided by the developer and intended to be human-readable. - - A `resource_id` is not allowed to start with `stytch`, which is a special prefix used for Stytch default Resources with reserved `resource_id`s. - - - action: An action to take on a Resource. + - resource_id: The identifier of a specific resource within an RBAC authorization check. + - action: An RBAC action that defines what operation is being performed on a resource (e.g., read, write, delete). """ # noqa resource_id: str @@ -120,8 +131,8 @@ class AuthorizationCheck(pydantic.BaseModel): class AuthorizationVerdict(pydantic.BaseModel): """ Fields: - - authorized: Whether the User was authorized to perform the specified action on the specified Resource. Always true if the request succeeds. - - granting_roles: The complete list of Roles that gave the User permission to perform the specified action on the specified Resource. + - authorized: Whether the actor was authorized to perform the specified action on the specified Resource. Always true if the request succeeds. + - granting_roles: The complete list of Roles that gave the Member permission to perform the specified action on the specified Resource. """ # noqa authorized: bool 
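Review bot: The two lines of `AuthorizationVerdict` now name different principals: `authorized` speaks of "the actor" and `granting_roles` of "the Member", where both previously said "the User". This is the consumer model, so I would keep one term, e.g. `- granting_roles: The complete list of Roles that gave the User permission to perform the specified action on the specified Resource.` In the `AuthorizationCheck` hunk just before it, the note that a `resource_id` may not start with the reserved `stytch` prefix is dropped, although the RBAC model docstrings in this diff keep it.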
@@ -129,28 +140,61 @@ class AuthorizationVerdict(pydantic.BaseModel): class BiometricFactor(pydantic.BaseModel): + """ + Fields: + - biometric_registration_id: The `biometric_registration_id` to be deleted. + """ # noqa + biometric_registration_id: str class BitbucketOAuthFactor(pydantic.BaseModel): + """ + Fields: + - id: The unique identifier for the resource. + - provider_subject: The unique identifier for the user in the identity provider's system, used to link external provider accounts to Stytch members. + - email_id: The unique ID of a specific email address. + """ # noqa + id: str provider_subject: str email_id: Optional[str] = None class CoinbaseOAuthFactor(pydantic.BaseModel): + """ + Fields: + - id: The unique identifier for the resource. + - provider_subject: The unique identifier for the user in the identity provider's system, used to link external provider accounts to Stytch members. + - email_id: The unique ID of a specific email address. + """ # noqa + id: str provider_subject: str email_id: Optional[str] = None class CryptoWalletFactor(pydantic.BaseModel): + """ + Fields: + - crypto_wallet_id: The unique identifier for a cryptocurrency wallet registration. + - crypto_wallet_address: The blockchain address of the cryptocurrency wallet used for Web3 authentication. + - crypto_wallet_type: The type of wallet to authenticate. Currently `ethereum` and `solana` are supported. Wallets for any EVM-compatible chains (such as Polygon or BSC) are also supported and are grouped under the `ethereum` type. + """ # noqa + crypto_wallet_id: str crypto_wallet_address: str crypto_wallet_type: str class DiscordOAuthFactor(pydantic.BaseModel): + """ + Fields: + - id: The unique identifier for the resource. + - provider_subject: The unique identifier for the user in the identity provider's system, used to link external provider accounts to Stytch members. + - email_id: The unique ID of a specific email address. 
+ """ # noqa + id: str provider_subject: str email_id: Optional[str] = None @@ -159,8 +203,8 @@ class DiscordOAuthFactor(pydantic.BaseModel): class EmailFactor(pydantic.BaseModel): """ Fields: - - email_id: The globally unique UUID of the Member's email. - - email_address: The email address of the Member. + - email_id: The unique ID of a specific email address. + - email_address: The email address to exchange to. """ # noqa email_id: str @@ -172,18 +216,39 @@ class EmbeddableMagicLinkFactor(pydantic.BaseModel): class FacebookOAuthFactor(pydantic.BaseModel): + """ + Fields: + - id: The unique identifier for the resource. + - provider_subject: The unique identifier for the user in the identity provider's system, used to link external provider accounts to Stytch members. + - email_id: The unique ID of a specific email address. + """ # noqa + id: str provider_subject: str email_id: Optional[str] = None class FigmaOAuthFactor(pydantic.BaseModel): + """ + Fields: + - id: The unique identifier for the resource. + - provider_subject: The unique identifier for the user in the identity provider's system, used to link external provider accounts to Stytch members. + - email_id: The unique ID of a specific email address. + """ # noqa + id: str provider_subject: str email_id: Optional[str] = None class GitLabOAuthFactor(pydantic.BaseModel): + """ + Fields: + - id: The unique identifier for the resource. + - provider_subject: The unique identifier for the user in the identity provider's system, used to link external provider accounts to Stytch members. + - email_id: The unique ID of a specific email address. + """ # noqa + id: str provider_subject: str email_id: Optional[str] = None @@ -192,7 +257,7 @@ class GitLabOAuthFactor(pydantic.BaseModel): class GithubOAuthExchangeFactor(pydantic.BaseModel): """ Fields: - - email_id: The globally unique UUID of the Member's email. + - email_id: The unique ID of a specific email address. """ # noqa email_id: str 
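Review bot: `BiometricFactor.biometric_registration_id` is documented as "The `biometric_registration_id` to be deleted", which describes a delete request parameter rather than a factor recorded on a Session. Something like `- biometric_registration_id: The unique ID of the biometric registration used for this factor.` would fit the model. The same borrowed request-side wording appears in `EmailFactor.email_address` ("The email address to exchange to") on this line. It also appears in later hunks, in `WebAuthnFactor.domain` ("Defaults to `window.location.hostname`") and `Session.roles` ("Roles to explicitly assign to this Member"). Each describes an input, not the value returned.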
@@ -201,9 +266,9 @@ class GithubOAuthExchangeFactor(pydantic.BaseModel): class GithubOAuthFactor(pydantic.BaseModel): """ Fields: - - id: The unique ID of an OAuth registration. - - provider_subject: The unique identifier for the User within a given OAuth provider. Also commonly called the `sub` or "Subject field" in OAuth protocols. - - email_id: The globally unique UUID of the Member's email. + - id: The unique identifier for the resource. + - provider_subject: The unique identifier for the user in the identity provider's system, used to link external provider accounts to Stytch members. + - email_id: The unique ID of a specific email address. """ # noqa id: str @@ -214,7 +279,7 @@ class GithubOAuthFactor(pydantic.BaseModel): class GoogleOAuthExchangeFactor(pydantic.BaseModel): """ Fields: - - email_id: The globally unique UUID of the Member's email. + - email_id: The unique ID of a specific email address. """ # noqa email_id: str @@ -223,9 +288,9 @@ class GoogleOAuthExchangeFactor(pydantic.BaseModel): class GoogleOAuthFactor(pydantic.BaseModel): """ Fields: - - id: The unique ID of an OAuth registration. - - provider_subject: The unique identifier for the User within a given OAuth provider. Also commonly called the `sub` or "Subject field" in OAuth protocols. - - email_id: The globally unique UUID of the Member's email. + - id: The unique identifier for the resource. + - provider_subject: The unique identifier for the user in the identity provider's system, used to link external provider accounts to Stytch members. + - email_id: The unique ID of a specific email address. """ # noqa id: str @@ -236,7 +301,7 @@ class GoogleOAuthFactor(pydantic.BaseModel): class HubspotOAuthExchangeFactor(pydantic.BaseModel): """ Fields: - - email_id: The globally unique UUID of the Member's email. + - email_id: The unique ID of a specific email address. """ # noqa email_id: str 
@@ -245,9 +310,9 @@ class HubspotOAuthExchangeFactor(pydantic.BaseModel): class HubspotOAuthFactor(pydantic.BaseModel): """ Fields: - - id: The unique ID of an OAuth registration. - - provider_subject: The unique identifier for the User within a given OAuth provider. Also commonly called the `sub` or "Subject field" in OAuth protocols. - - email_id: The globally unique UUID of the Member's email. + - id: The unique identifier for the resource. + - provider_subject: The unique identifier for the user in the identity provider's system, used to link external provider accounts to Stytch members. + - email_id: The unique ID of a specific email address. """ # noqa id: str @@ -258,7 +323,7 @@ class HubspotOAuthFactor(pydantic.BaseModel): class ImpersonatedFactor(pydantic.BaseModel): """ Fields: - - impersonator_id: For impersonated sessions initiated via the Stytch Dashboard, the `impersonator_id` will be the impersonator's Stytch Dashboard `member_id`. + - impersonator_id: For impersonated sessions initiated via the Stytch Dashboard, the impersonator_id will be the impersonator's Stytch Dashboard member_id. - impersonator_email_address: The email address of the impersonator. """ # noqa @@ -267,6 +332,13 @@ class ImpersonatedFactor(pydantic.BaseModel): class InstagramOAuthFactor(pydantic.BaseModel): + """ + Fields: + - id: The unique identifier for the resource. + - provider_subject: The unique identifier for the user in the identity provider's system, used to link external provider accounts to Stytch members. + - email_id: The unique ID of a specific email address. + """ # noqa + id: str provider_subject: str email_id: Optional[str] = None 
@@ -285,6 +357,13 @@ class JWK(pydantic.BaseModel): class LinkedInOAuthFactor(pydantic.BaseModel): + """ + Fields: + - id: The unique identifier for the resource. + - provider_subject: The unique identifier for the user in the identity provider's system, used to link external provider accounts to Stytch members. + - email_id: The unique ID of a specific email address. + """ # noqa + id: str provider_subject: str email_id: Optional[str] = None @@ -293,9 +372,9 @@ class LinkedInOAuthFactor(pydantic.BaseModel): class MicrosoftOAuthFactor(pydantic.BaseModel): """ Fields: - - id: The unique ID of an OAuth registration. - - provider_subject: The unique identifier for the User within a given OAuth provider. Also commonly called the `sub` or "Subject field" in OAuth protocols. - - email_id: The globally unique UUID of the Member's email. + - id: The unique identifier for the resource. + - provider_subject: The unique identifier for the user in the identity provider's system, used to link external provider accounts to Stytch members. + - email_id: The unique ID of a specific email address. """ # noqa id: str @@ -306,7 +385,7 @@ class MicrosoftOAuthFactor(pydantic.BaseModel): class OAuthAccessTokenExchangeFactor(pydantic.BaseModel): """ Fields: - - client_id: The ID of the Connected App client. + - client_id: The ID of the client. """ # noqa client_id: str 
@@ -315,9 +394,9 @@ class OAuthAccessTokenExchangeFactor(pydantic.BaseModel): class OIDCSSOFactor(pydantic.BaseModel): """ Fields: - - id: The unique ID of an SSO Registration. - - provider_id: Globally unique UUID that identifies a specific OIDC Connection. - - external_id: The ID of the member given by the identity provider. + - id: The unique identifier for the resource. + - provider_id: The unique identifier for an identity provider configuration. + - external_id: An identifier that can be used in API calls wherever a user_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. """ # noqa id: str @@ -328,8 +407,8 @@ class OIDCSSOFactor(pydantic.BaseModel): class PhoneNumberFactor(pydantic.BaseModel): """ Fields: - - phone_id: The globally unique UUID of the Member's phone number. - - phone_number: The phone number of the Member. + - phone_id: The unique ID for the phone number. + - phone_number: The phone number in E.164 format (i.e. +1XXXXXXXXXX). """ # noqa phone_id: str @@ -343,9 +422,9 @@ class RecoveryCodeFactor(pydantic.BaseModel): class SAMLSSOFactor(pydantic.BaseModel): """ Fields: - - id: The unique ID of an SSO Registration. - - provider_id: Globally unique UUID that identifies a specific SAML Connection. - - external_id: The ID of the member given by the identity provider. + - id: The unique identifier for the resource. + - provider_id: The unique identifier for an identity provider configuration. + - external_id: An identifier that can be used in API calls wherever a user_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. """ # noqa id: str 
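Review bot: The new `external_id` text in `OIDCSSOFactor` and `SAMLSSOFactor` says the value "can be used in API calls wherever a user_id is expected", while the line it replaces said it is "The ID of the member given by the identity provider". As far as this diff shows, those are different identifiers: one is assigned by the IdP, the other is the `external_id` mentioned in the `user_id` docstrings. If the factor still carries the IdP-assigned value, the new sentence invites callers to treat an IdP-controlled string as a user lookup key. Unless the field's meaning really changed, I would keep the old sense, e.g. `- external_id: The ID of the user given by the identity provider.` The `provider_id` line also loses the distinction between an OIDC and a SAML Connection.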
@@ -354,12 +433,26 @@ class SAMLSSOFactor(pydantic.BaseModel): class SalesforceOAuthFactor(pydantic.BaseModel): + """ + Fields: + - id: The unique identifier for the resource. + - provider_subject: The unique identifier for the user in the identity provider's system, used to link external provider accounts to Stytch members. + - email_id: The unique ID of a specific email address. + """ # noqa + id: str provider_subject: str email_id: Optional[str] = None class ShopifyOAuthFactor(pydantic.BaseModel): + """ + Fields: + - id: The unique identifier for the resource. + - provider_subject: The unique identifier for the user in the identity provider's system, used to link external provider accounts to Stytch members. + - email_id: The unique ID of a specific email address. + """ # noqa + id: str provider_subject: str email_id: Optional[str] = None @@ -368,7 +461,7 @@ class ShopifyOAuthFactor(pydantic.BaseModel): class SlackOAuthExchangeFactor(pydantic.BaseModel): """ Fields: - - email_id: The globally unique UUID of the Member's email. + - email_id: The unique ID of a specific email address. """ # noqa email_id: str @@ -377,9 +470,9 @@ class SlackOAuthExchangeFactor(pydantic.BaseModel): class SlackOAuthFactor(pydantic.BaseModel): """ Fields: - - id: The unique ID of an OAuth registration. - - provider_subject: The unique identifier for the User within a given OAuth provider. Also commonly called the `sub` or "Subject field" in OAuth protocols. - - email_id: The globally unique UUID of the Member's email. + - id: The unique identifier for the resource. + - provider_subject: The unique identifier for the user in the identity provider's system, used to link external provider accounts to Stytch members. + - email_id: The unique ID of a specific email address. """ # noqa id: str 
@@ -388,24 +481,52 @@ class SlackOAuthFactor(pydantic.BaseModel): class SnapchatOAuthFactor(pydantic.BaseModel): + """ + Fields: + - id: The unique identifier for the resource. + - provider_subject: The unique identifier for the user in the identity provider's system, used to link external provider accounts to Stytch members. + - email_id: The unique ID of a specific email address. + """ # noqa + id: str provider_subject: str email_id: Optional[str] = None class SpotifyOAuthFactor(pydantic.BaseModel): + """ + Fields: + - id: The unique identifier for the resource. + - provider_subject: The unique identifier for the user in the identity provider's system, used to link external provider accounts to Stytch members. + - email_id: The unique ID of a specific email address. + """ # noqa + id: str provider_subject: str email_id: Optional[str] = None class SteamOAuthFactor(pydantic.BaseModel): + """ + Fields: + - id: The unique identifier for the resource. + - provider_subject: The unique identifier for the user in the identity provider's system, used to link external provider accounts to Stytch members. + - email_id: The unique ID of a specific email address. + """ # noqa + id: str provider_subject: str email_id: Optional[str] = None class TikTokOAuthFactor(pydantic.BaseModel): + """ + Fields: + - id: The unique identifier for the resource. + - provider_subject: The unique identifier for the user in the identity provider's system, used to link external provider accounts to Stytch members. + - email_id: The unique ID of a specific email address. + """ # noqa + id: str provider_subject: str email_id: Optional[str] = None 
@@ -421,24 +542,52 @@ class TrustedAuthTokenFactor(pydantic.BaseModel): class TwitchOAuthFactor(pydantic.BaseModel): + """ + Fields: + - id: The unique identifier for the resource. + - provider_subject: The unique identifier for the user in the identity provider's system, used to link external provider accounts to Stytch members. + - email_id: The unique ID of a specific email address. + """ # noqa + id: str provider_subject: str email_id: Optional[str] = None class TwitterOAuthFactor(pydantic.BaseModel): + """ + Fields: + - id: The unique identifier for the resource. + - provider_subject: The unique identifier for the user in the identity provider's system, used to link external provider accounts to Stytch members. + - email_id: The unique ID of a specific email address. + """ # noqa + id: str provider_subject: str email_id: Optional[str] = None class WebAuthnFactor(pydantic.BaseModel): + """ + Fields: + - webauthn_registration_id: Globally unique UUID that identifies a Passkey or WebAuthn registration in the Stytch API. The `webauthn_registration_id` is used when you need to operate on a specific User's WebAuthn registration. + - domain: The domain for Passkeys or WebAuthn. Defaults to `window.location.hostname`. + - user_agent: The user agent of the client. + """ # noqa + webauthn_registration_id: str domain: str user_agent: Optional[str] = None class YahooOAuthFactor(pydantic.BaseModel): + """ + Fields: + - id: The unique identifier for the resource. + - provider_subject: The unique identifier for the user in the identity provider's system, used to link external provider accounts to Stytch members. + - email_id: The unique ID of a specific email address. + """ # noqa + id: str provider_subject: str email_id: Optional[str] = None 
@@ -447,84 +596,52 @@ class YahooOAuthFactor(pydantic.BaseModel): class AuthenticationFactor(pydantic.BaseModel): """ Fields: - - type: The type of authentication factor. The possible values are: `email_otp`, `impersonated`, `imported`, - `magic_link`, `oauth`, `otp`, `password`, `recovery_codes`, `sso`, `trusted_auth_token`, or `totp`. - - delivery_method: The method that was used to deliver the authentication factor. The possible values depend on the `type`: - - `email_otp` – Only `email`. - - `impersonated` – Only `impersonation`. - - `imported` – Only `imported_auth0`. - - `magic_link` – Only `email`. - - `oauth` – The delivery method is determined by the specific OAuth provider used. The possible values are `oauth_google`, `oauth_microsoft`, `oauth_hubspot`, `oauth_slack`, or `oauth_github`. - - In addition, you may see an 'exchange' delivery method when a non-email-verifying OAuth factor originally authenticated in one organization is exchanged for a factor in another organization. - This can happen during authentication flows such as [session exchange](https://stytch.com/docs/b2b/api/exchange-session). - The non-email-verifying OAuth providers are Hubspot, Slack, and Github. - Google is also considered non-email-verifying when the HD claim is empty. - The possible exchange values are `oauth_exchange_google`, `oauth_exchange_hubspot`, `oauth_exchange_slack`, or `oauth_exchange_github`. - - The final possible value is `oauth_access_token_exchange`, if this factor came from an [access token exchange flow](https://stytch.com/docs/b2b/api/connected-app-access-token-exchange). - - `otp` – Only `sms`. - - `password` – Only `knowledge`. - - `recovery_codes` – Only `recovery_code`. - - `sso` – Either `sso_saml` or `sso_oidc`. - - `trusted_auth_token` – Only `trusted_token_exchange`. - - `totp` – Only `authenticator_app`. - - - last_authenticated_at: The timestamp when the factor was last authenticated. 
- - created_at: The timestamp when the factor was initially authenticated. - - updated_at: The timestamp when the factor was last updated. - - email_factor: Information about the email factor, if one is present. - - phone_number_factor: Information about the phone number factor, if one is present. - - google_oauth_factor: Information about the Google OAuth factor, if one is present. - - microsoft_oauth_factor: Information about the Microsoft OAuth factor, if one is present. - - apple_oauth_factor: (no documentation yet) - - webauthn_factor: (no documentation yet) - - authenticator_app_factor: Information about the TOTP-backed Authenticator App factor, if one is present. - - github_oauth_factor: Information about the Github OAuth factor, if one is present. - - recovery_code_factor: (no documentation yet) - - facebook_oauth_factor: (no documentation yet) - - crypto_wallet_factor: (no documentation yet) - - amazon_oauth_factor: (no documentation yet) - - bitbucket_oauth_factor: (no documentation yet) - - coinbase_oauth_factor: (no documentation yet) - - discord_oauth_factor: (no documentation yet) - - figma_oauth_factor: (no documentation yet) - - git_lab_oauth_factor: (no documentation yet) - - instagram_oauth_factor: (no documentation yet) - - linked_in_oauth_factor: (no documentation yet) - - shopify_oauth_factor: (no documentation yet) - - slack_oauth_factor: Information about the Slack OAuth factor, if one is present. - - snapchat_oauth_factor: (no documentation yet) - - spotify_oauth_factor: (no documentation yet) - - steam_oauth_factor: (no documentation yet) - - tik_tok_oauth_factor: (no documentation yet) - - twitch_oauth_factor: (no documentation yet) - - twitter_oauth_factor: (no documentation yet) - - embeddable_magic_link_factor: (no documentation yet) - - biometric_factor: (no documentation yet) - - saml_sso_factor: Information about the SAML SSO factor, if one is present. - - oidc_sso_factor: Information about the OIDC SSO factor, if one is present. 
- - salesforce_oauth_factor: (no documentation yet) - - yahoo_oauth_factor: (no documentation yet) - - hubspot_oauth_factor: Information about the Hubspot OAuth factor, if one is present. - - slack_oauth_exchange_factor: Information about the Slack OAuth Exchange factor, if one is present. - - hubspot_oauth_exchange_factor: Information about the Hubspot OAuth Exchange factor, if one is present. - - github_oauth_exchange_factor: Information about the Github OAuth Exchange factor, if one is present. - - google_oauth_exchange_factor: Information about the Google OAuth Exchange factor, if one is present. - - impersonated_factor: Information about the impersonated factor, if one is present. - - oauth_access_token_exchange_factor: Information about the access token exchange factor, if one is present. - - trusted_auth_token_factor: Information about the trusted auth token factor, if one is present. + - type: The type or category of the resource, method, or entity. + - delivery_method: The method that should be used to verify a member's new email address. The options are `EMAIL_MAGIC_LINK` or `EMAIL_OTP`. This field is optional, if no value is provided, `EMAIL_MAGIC_LINK` will be used. + - last_authenticated_at: The timestamp when the member last successfully authenticated. + - created_at: The timestamp indicating when the resource was created. + - updated_at: The timestamp indicating when the resource was last updated. + - email_factor: An authentication factor object representing email-based authentication (magic links or OTP). + - phone_number_factor: An authentication factor object representing SMS-based phone number authentication. + - google_oauth_factor: An authentication factor object representing Google OAuth authentication. + - microsoft_oauth_factor: An authentication factor object representing Microsoft OAuth authentication. + - apple_oauth_factor: An authentication factor object representing Apple OAuth authentication. 
+ - webauthn_factor: An authentication factor object representing WebAuthn/passkey authentication. + - authenticator_app_factor: An authentication factor object representing TOTP authenticator app authentication. + - github_oauth_factor: An authentication factor object representing GitHub OAuth authentication. + - recovery_code_factor: An authentication factor object representing recovery code authentication. + - facebook_oauth_factor: An authentication factor object representing Facebook OAuth authentication. + - crypto_wallet_factor: An authentication factor object representing Web3 cryptocurrency wallet authentication. + - amazon_oauth_factor: An authentication factor object representing Amazon OAuth authentication. + - bitbucket_oauth_factor: An authentication factor object representing Bitbucket OAuth authentication. + - coinbase_oauth_factor: An authentication factor object representing Coinbase OAuth authentication. + - discord_oauth_factor: An authentication factor object representing Discord OAuth authentication. + - figma_oauth_factor: An authentication factor object representing Figma OAuth authentication. + - git_lab_oauth_factor: An authentication factor object representing GitLab OAuth authentication. + - instagram_oauth_factor: An authentication factor object representing Instagram OAuth authentication. + - linked_in_oauth_factor: An authentication factor object representing LinkedIn OAuth authentication. + - shopify_oauth_factor: An authentication factor object representing Shopify OAuth authentication. + - slack_oauth_factor: An authentication factor object representing Slack OAuth authentication. + - snapchat_oauth_factor: An authentication factor object representing Snapchat OAuth authentication. + - spotify_oauth_factor: An authentication factor object representing Spotify OAuth authentication. + - steam_oauth_factor: An authentication factor object representing Steam OAuth authentication. 
+ - tik_tok_oauth_factor: An authentication factor object representing TikTok OAuth authentication. + - twitch_oauth_factor: An authentication factor object representing Twitch OAuth authentication. + - twitter_oauth_factor: An authentication factor object representing Twitter OAuth authentication. + - embeddable_magic_link_factor: An authentication factor object representing embeddable magic link authentication. + - biometric_factor: An authentication factor object representing biometric authentication (fingerprint, face, etc.). + - saml_sso_factor: An authentication factor object representing SAML SSO authentication. + - oidc_sso_factor: An authentication factor object representing OIDC (OpenID Connect) SSO authentication. + - salesforce_oauth_factor: An authentication factor object representing Salesforce OAuth authentication. + - yahoo_oauth_factor: An authentication factor object representing Yahoo OAuth authentication. + - hubspot_oauth_factor: An authentication factor object representing HubSpot OAuth authentication. + - slack_oauth_exchange_factor: An authentication factor object representing Slack OAuth token exchange authentication. + - hubspot_oauth_exchange_factor: An authentication factor object representing HubSpot OAuth token exchange. + - github_oauth_exchange_factor: An authentication factor object representing GitHub OAuth token exchange. + - google_oauth_exchange_factor: An authentication factor object representing Google OAuth token exchange. + - impersonated_factor: An authentication factor object indicating that authentication was performed via impersonation. + - oauth_access_token_exchange_factor: An authentication factor object representing OAuth access token exchange. + - trusted_auth_token_factor: An authentication factor object representing authentication via a trusted third-party token. """ # noqa type: AuthenticationFactorType 
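Review bot: The replacement text for `delivery_method` in `AuthenticationFactor` describes how to verify a member's new email address (`EMAIL_MAGIC_LINK` or `EMAIL_OTP`), which is a request option and not the delivery method recorded on a factor. The removed block listed the values per factor `type` (`sms`, `knowledge`, `sso_saml`, `trusted_token_exchange`, the `oauth_exchange_*` values and others) and explained when an exchange factor appears. Code that inspects a session's factors for step-up or MFA decisions depends on that list. I would restore the removed description, or at least `- delivery_method: The method that was used to deliver the authentication factor; the possible values depend on the factor type.` The `type` line has the same problem in a milder form, since it no longer names the allowed values.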
@@ -578,15 +695,16 @@ class AuthenticationFactor(pydantic.BaseModel): class Session(pydantic.BaseModel): """ Fields: - - session_id: A unique identifier for a specific Session. - - user_id: The unique ID of the affected User. - - authentication_factors: An array of different authentication factors that comprise a Session. - - roles: (no documentation yet) - - started_at: The timestamp when the Session was created. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`. - - last_accessed_at: The timestamp when the Session was last accessed. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`. - - expires_at: The timestamp when the Session expires. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`. - - attributes: Provided attributes help with fraud detection. - - custom_claims: The custom claims map for a Session. Claims can be added to a session during a Sessions authenticate call. + - session_id: Globally unique UUID that identifies a specific Session in the Stytch API. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. + - authentication_factors: A list of authentication factors used during the session, including type, timestamp, and delivery method. + - roles: Roles to explicitly assign to this Member. + See the [RBAC guide](https://stytch.com/docs/guides/rbac/role-assignment) for more information about role assignment. + - started_at: The timestamp when the session or process was initiated. + - last_accessed_at: The timestamp when the session was last accessed or refreshed. + - expires_at: The timestamp indicating when the session, token, lock, or other resource will expire. + - attributes: Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application. 
+ - custom_claims: A JSON object containing custom claims to include in tokens or sessions. """ # noqa session_id: str @@ -603,15 +721,12 @@ class Session(pydantic.BaseModel): class AttestResponse(ResponseBase): """Response type for `Sessions.attest`. Fields: - - user_id: The unique ID of the affected User. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - user: The `user` object affected by this API call. See the [Get user endpoint](https://stytch.com/docs/api/get-user) for complete response field details. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. + - session_token: The `session_token` associated with a User's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. + - user: The `user` object affected by this API call. - session: If you initiate a Session, by including `session_duration_minutes` in your authenticate call, you'll receive a full Session object in the response. - - See [Session object](https://stytch.com/docs/api/session-object) for complete response fields. - - - user_device: If a valid `telemetry_id` was passed in the request and the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) returned results, the `user_device` response field will contain information about the user's device attributes. + - user_device: If a valid `telemetry_id` was passed in the request and the Fingerprint Lookup API returned results, this field will contain information about the user's device attributes. """ # noqa user_id: str 
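Review bot: The new `Session` descriptions for `started_at`, `last_accessed_at` and `expires_at` no longer state the timestamp format; the removed lines said RFC 3339 in UTC. `expires_at` now reads as a generic sentence about a "session, token, lock, or other resource", and `roles` is worded as "Roles to explicitly assign to this Member", which reads like a request parameter rather than a field on a session that carries a `user_id`. I would keep the format sentence, e.g. `- expires_at: The timestamp when the Session expires. Values conform to the RFC 3339 standard and are expressed in UTC.`, and reword `roles` to describe what the session holds once that is confirmed against the API reference. The class body continues past the hunk.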
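Review bot: The new `session_token` line in `AttestResponse` drops the statement that the value is a secret. "The session_token associated with a User's existing Session" gives no cue to keep the token out of logs and client-visible storage. The same replacement appears in the `AuthenticateResponse`, `ExchangeAccessTokenResponse` and `MigrateResponse` hunks below, and in the `AuthenticateResponse` and `RecoverResponse` hunks of `stytch/consumer/models/totps.py`. I would keep the word in each of them, e.g. `- session_token: A secret token for the Stytch Session returned by this call.`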
@@ -626,14 +741,10 @@ class AuthenticateResponse(ResponseBase): """Response type for `Sessions.authenticate`. Fields: - session: If you initiate a Session, by including `session_duration_minutes` in your authenticate call, you'll receive a full Session object in the response. - - See [Session object](https://stytch.com/docs/api/session-object) for complete response fields. - - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - user: The `user` object affected by this API call. See the [Get user endpoint](https://stytch.com/docs/api/get-user) for complete response field details. - - verdict: If an `authorization_check` is provided in the request and the check succeeds, this field will return - information about why the User was granted permission. + - session_token: The `session_token` associated with a User's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. + - user: The `user` object affected by this API call. + - verdict: The result of an authorization check, indicating whether the member is authorized to perform the requested action. """ # noqa session: Session 
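Review bot: The `verdict` description in `AuthenticateResponse` loses the condition under which the field is populated. The removed text said it is returned when an `authorization_check` is provided in the request and the check succeeds. The new sentence also speaks of a "member", while this response carries a `user`. Suggest `- verdict: Returned when an authorization_check is provided in the request and the check succeeds; describes why the User was granted permission.` The field declarations lie mostly outside the hunk, so whether `verdict` is optional cannot be confirmed from here.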
@@ -646,15 +757,12 @@ class AuthenticateResponse(ResponseBase): class ExchangeAccessTokenResponse(ResponseBase): """Response type for `Sessions.exchange_access_token`. Fields: - - user_id: The unique ID of the affected User. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - user: The `user` object affected by this API call. See the [Get user endpoint](https://stytch.com/docs/api/get-user) for complete response field details. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. + - session_token: The `session_token` associated with a User's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. + - user: The `user` object affected by this API call. - session: If you initiate a Session, by including `session_duration_minutes` in your authenticate call, you'll receive a full Session object in the response. - - See [Session object](https://stytch.com/docs/api/session-object) for complete response fields. - - - user_device: If a valid `telemetry_id` was passed in the request and the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) returned results, the `user_device` response field will contain information about the user's device attributes. + - user_device: If a valid `telemetry_id` was passed in the request and the Fingerprint Lookup API returned results, this field will contain information about the user's device attributes. """ # noqa user_id: str @@ -668,7 +776,7 @@ class ExchangeAccessTokenResponse(ResponseBase): class GetJWKSResponse(ResponseBase): """Response type for `Sessions.get_jwks`. Fields: - - keys: The list of JWKs associated with the project. + - keys: Cryptographic keys used for signing, encryption, or verification. """ # noqa keys: List[JWK] 
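Review bot: `keys` in `GetJWKSResponse` is now documented as "Cryptographic keys used for signing, encryption, or verification". That is less precise than the removed "list of JWKs associated with the project" and could be read as saying the response carries signing or encryption keys. The field is typed `List[JWK]`, and these are presumably the project's public keys for verifying a `session_jwt`. If so, `- keys: The list of JWKs (public keys) associated with the project, used to verify session JWT signatures.` states the purpose without the ambiguity; confirm the wording against the API reference.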
@@ -677,7 +785,7 @@ class GetJWKSResponse(ResponseBase): class GetResponse(ResponseBase): """Response type for `Sessions.get`. Fields: - - sessions: An array of [Session objects](https://stytch.com/docs/api/session-object). + - sessions: A list of session objects. """ # noqa sessions: List[Session] @@ -686,15 +794,12 @@ class GetResponse(ResponseBase): class MigrateResponse(ResponseBase): """Response type for `Sessions.migrate`. Fields: - - user_id: The unique ID of the affected User. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - user: The `user` object affected by this API call. See the [Get user endpoint](https://stytch.com/docs/api/get-user) for complete response field details. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. + - session_token: The `session_token` associated with a User's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. + - user: The `user` object affected by this API call. - session: If you initiate a Session, by including `session_duration_minutes` in your authenticate call, you'll receive a full Session object in the response. - - See [Session object](https://stytch.com/docs/api/session-object) for complete response fields. - - - user_device: If a valid `telemetry_id` was passed in the request and the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) returned results, the `user_device` response field will contain information about the user's device attributes. + - user_device: If a valid `telemetry_id` was passed in the request and the Fingerprint Lookup API returned results, this field will contain information about the user's device attributes. """ # noqa user_id: str diff --git a/stytch/consumer/models/totps.py b/stytch/consumer/models/totps.py index 4f43429c..95dc27ce 100644 
--- a/stytch/consumer/models/totps.py +++ b/stytch/consumer/models/totps.py @@ -19,8 +19,8 @@ class TOTP(pydantic.BaseModel): """ Fields: - - totp_id: The unique ID for a TOTP instance. - - verified: The verified boolean denotes whether or not this send method, e.g. phone number, email address, etc., has been successfully authenticated by the User. + - totp_id: The unique identifier for the TOTP (Time-based One-Time Password) registration. + - verified: A boolean indicating whether this contact method has been successfully authenticated by the User. - recovery_codes: The recovery codes used to authenticate the user without an authenticator app. """ # noqa 
@@ -32,16 +32,13 @@ class TOTP(pydantic.BaseModel): class AuthenticateResponse(ResponseBase): """Response type for `TOTPs.authenticate`. Fields: - - user_id: The unique ID of the affected User. - - session_token: A secret token for a given Stytch Session. - - totp_id: The unique ID for a TOTP instance. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - user: The `user` object affected by this API call. See the [Get user endpoint](https://stytch.com/docs/api/get-user) for complete response field details. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. + - session_token: The `session_token` associated with a User's existing Session. + - totp_id: The unique identifier for the TOTP (Time-based One-Time Password) registration. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. + - user: The `user` object affected by this API call. - session: If you initiate a Session, by including `session_duration_minutes` in your authenticate call, you'll receive a full Session object in the response. - - See [Session object](https://stytch.com/docs/api/session-object) for complete response fields. - - - user_device: If a valid `telemetry_id` was passed in the request and the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) returned results, the `user_device` response field will contain information about the user's device attributes. + - user_device: If a valid `telemetry_id` was passed in the request and the Fingerprint Lookup API returned results, this field will contain information about the user's device attributes. """ # noqa user_id: str 
@@ -56,12 +53,12 @@ class AuthenticateResponse(ResponseBase): class CreateResponse(ResponseBase): """Response type for `TOTPs.create`. Fields: - - totp_id: The unique ID for a TOTP instance. + - totp_id: The unique identifier for the TOTP (Time-based One-Time Password) registration. - secret: The TOTP secret key shared between the authenticator app and the server used to generate TOTP codes. - - qr_code: The QR code image encoded in base64. + - qr_code: A base64-encoded QR code image. - recovery_codes: The recovery codes used to authenticate the user without an authenticator app. - - user: The `user` object affected by this API call. See the [Get user endpoint](https://stytch.com/docs/api/get-user) for complete response field details. - - user_id: The unique ID of the affected User. + - user: The `user` object affected by this API call. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. """ # noqa totp_id: str 
@@ -75,16 +72,13 @@ class CreateResponse(ResponseBase): class RecoverResponse(ResponseBase): """Response type for `TOTPs.recover`. Fields: - - totp_id: The unique ID for a TOTP instance. - - user_id: The unique ID of the affected User. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - user: The `user` object affected by this API call. See the [Get user endpoint](https://stytch.com/docs/api/get-user) for complete response field details. + - totp_id: The unique identifier for the TOTP (Time-based One-Time Password) registration. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. + - session_token: The `session_token` associated with a User's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. + - user: The `user` object affected by this API call. - session: If you initiate a Session, by including `session_duration_minutes` in your authenticate call, you'll receive a full Session object in the response. - - See [Session object](https://stytch.com/docs/api/session-object) for complete response fields. - - - user_device: If a valid `telemetry_id` was passed in the request and the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) returned results, the `user_device` response field will contain information about the user's device attributes. + - user_device: If a valid `telemetry_id` was passed in the request and the Fingerprint Lookup API returned results, this field will contain information about the user's device attributes. """ # noqa totp_id: str 
@@ -99,8 +93,8 @@ class RecoverResponse(ResponseBase): class RecoveryCodesResponse(ResponseBase): """Response type for `TOTPs.recovery_codes`. Fields: - - user_id: The unique ID of the affected User. - - totps: An array containing a list of all TOTP instances (along with their recovery codes) for a given User in the Stytch API. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. + - totps: An array containing a list of all TOTP instances for a given User. """ # noqa user_id: str diff --git a/stytch/consumer/models/users.py b/stytch/consumer/models/users.py index 2557ac6c..9cbfe2ed 100644 --- a/stytch/consumer/models/users.py +++ b/stytch/consumer/models/users.py @@ -23,8 +23,8 @@ class SearchUsersQueryOperator(str, enum.Enum): class BiometricRegistration(pydantic.BaseModel): """ Fields: - - biometric_registration_id: The unique ID for a biometric registration. - - verified: The verified boolean denotes whether or not this send method, e.g. phone number, email address, etc., has been successfully authenticated by the User. + - biometric_registration_id: The `biometric_registration_id` to be deleted. + - verified: A boolean indicating whether this contact method has been successfully authenticated by the User. """ # noqa biometric_registration_id: str 
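Review bot: The `totps` line in `RecoveryCodesResponse` no longer says that each TOTP instance comes with its recovery codes. The `TOTP` model in this file documents a `recovery_codes` field, so this response carries values that can authenticate the user without an authenticator app, and callers should know to treat it as sensitive. Suggest keeping the parenthetical: `- totps: An array containing a list of all TOTP instances (along with their recovery codes) for a given User.`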
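Review bot: `biometric_registration_id` in the `BiometricRegistration` model is now documented as "The biometric_registration_id to be deleted". That is the wording of a delete-request parameter, not of a field on a registration object. I would restore `- biometric_registration_id: The unique ID for a biometric registration.` The new `verified` sentence calls the registration a "contact method", and the same sentence is applied in the `CryptoWallet`, `TOTP` and `WebAuthnRegistration` hunks. Something like `- verified: Whether this registration has been successfully authenticated by the User.` fits those models better.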
@@ -34,10 +34,10 @@ class BiometricRegistration(pydantic.BaseModel): class CryptoWallet(pydantic.BaseModel): """ Fields: - - crypto_wallet_id: The unique ID for a crypto wallet - - crypto_wallet_address: The actual blockchain address of the User's crypto wallet. - - crypto_wallet_type: The blockchain that the User's crypto wallet operates on, e.g. Ethereum, Solana, etc. - - verified: The verified boolean denotes whether or not this send method, e.g. phone number, email address, etc., has been successfully authenticated by the User. + - crypto_wallet_id: The unique identifier for a cryptocurrency wallet registration. + - crypto_wallet_address: The blockchain address of the cryptocurrency wallet used for Web3 authentication. + - crypto_wallet_type: The type of wallet to authenticate. Currently `ethereum` and `solana` are supported. Wallets for any EVM-compatible chains (such as Polygon or BSC) are also supported and are grouped under the `ethereum` type. + - verified: A boolean indicating whether this contact method has been successfully authenticated by the User. """ # noqa crypto_wallet_id: str @@ -50,8 +50,8 @@ class Email(pydantic.BaseModel): """ Fields: - email_id: The unique ID of a specific email address. - - email: The email address. - - verified: The verified boolean denotes whether or not this send method, e.g. phone number, email address, etc., has been successfully authenticated by the User. + - email: The email address of the end user. + - verified: A boolean indicating whether this contact method has been successfully authenticated by the User. """ # noqa email_id: str @@ -62,9 +62,9 @@ class Email(pydantic.BaseModel): class Name(pydantic.BaseModel): """ Fields: - - first_name: The first name of the user. - - middle_name: The middle name(s) of the user. - - last_name: The last name of the user. + - first_name: The user's first name. + - middle_name: The user's middle name. + - last_name: The user's last name. """ # noqa first_name: Optional[str] = None 
@@ -75,11 +75,11 @@ class Name(pydantic.BaseModel): class OAuthProvider(pydantic.BaseModel): """ Fields: - - provider_type: Denotes the OAuth identity provider that the user has authenticated with, e.g. Google, Facebook, GitHub etc. - - provider_subject: The unique identifier for the User within a given OAuth provider. Also commonly called the "sub" or "Subject field" in OAuth protocols. - - profile_picture_url: If available, the `profile_picture_url` is a url of the User's profile picture set in OAuth identity the provider that the User has authenticated with, e.g. Facebook profile picture. - - locale: If available, the `locale` is the User's locale set in the OAuth identity provider that the user has authenticated with. - - oauth_user_registration_id: The unique ID for an OAuth registration. + - provider_type: The type of OAuth provider (e.g., google, microsoft, slack, github, hubspot) used for authentication. + - provider_subject: The unique identifier for the user in the identity provider's system, used to link external provider accounts to Stytch members. + - profile_picture_url: The URL of the member's profile picture, typically retrieved from OAuth providers. + - locale: If available, the locale set in the OAuth identity provider. + - oauth_user_registration_id: The unique identifier for the OAuth provider registration linking the user to their provider account. """ # noqa provider_type: str @@ -92,8 +92,8 @@ class OAuthProvider(pydantic.BaseModel): class Password(pydantic.BaseModel): """ Fields: - - password_id: The unique ID of a specific password - - requires_reset: Indicates whether this password requires a password reset + - password_id: The unique identifier for a password associated with a member or user. + - requires_reset: Boolean flag indicating whether a password must be reset before the user can authenticate. """ # noqa password_id: str 
@@ -104,8 +104,8 @@ class PhoneNumber(pydantic.BaseModel): """ Fields: - phone_id: The unique ID for the phone number. - - phone_number: The phone number. - - verified: The verified boolean denotes whether or not this send method, e.g. phone number, email address, etc., has been successfully authenticated by the User. + - phone_number: The phone number in E.164 format (i.e. +1XXXXXXXXXX). + - verified: A boolean indicating whether this contact method has been successfully authenticated by the User. """ # noqa phone_id: str @@ -116,8 +116,8 @@ class PhoneNumber(pydantic.BaseModel): class ResultsMetadata(pydantic.BaseModel): """ Fields: - - total: The total number of results returned by your search query. If totals have been disabled for your Stytch Workspace to improve search performance, the value will always be -1. - - next_cursor: The `next_cursor` string is returned when your search result contains more than one page of results. This value is passed into your next search call in the `cursor` field. + - total: The total count of items or results in a paginated response or collection. + - next_cursor: A cursor value for fetching the next page of paginated results. """ # noqa total: int 
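Review bot: The `total` line in `ResultsMetadata` drops the sentinel value. The removed text said `total` is always -1 when totals have been disabled for the Workspace, and a caller reading only the new text may treat -1 as a real count. Suggest `- total: The total number of results for the search query, or -1 if totals have been disabled for your Stytch Workspace.` The `next_cursor` line likewise loses the instruction to pass the value in the `cursor` field of the next search call.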
@@ -127,12 +127,8 @@ class ResultsMetadata(pydantic.BaseModel): class SearchUsersQuery(pydantic.BaseModel): """ Fields: - - operator: The action to perform on the operands. The accepted values are: - - `AND` – all the operand values provided must match. - - `OR` – **[DEPRECATED]** the operator will return any matches to at least one of the operand values you supply. This parameter is retained for legacy use cases only and is no longer supported. We strongly recommend breaking down complex queries into multiple search queries instead. - - operands: An array of operand objects that contains all of the filters and values to apply to your search search query. + - operator: The action to perform on the operands, either `AND` or `OR`. + - operands: An array of operand objects that contains all of the filters and values to apply to your search query. """ # noqa operator: SearchUsersQueryOperator @@ -142,8 +138,8 @@ class SearchUsersQuery(pydantic.BaseModel): class TOTP(pydantic.BaseModel): """ Fields: - - totp_id: The unique ID for a TOTP instance. - - verified: The verified boolean denotes whether or not this send method, e.g. phone number, email address, etc., has been successfully authenticated by the User. + - totp_id: The unique identifier for the TOTP (Time-based One-Time Password) registration. + - verified: A boolean indicating whether this contact method has been successfully authenticated by the User. """ # noqa totp_id: str 
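Review bot: The `operator` line in `SearchUsersQuery` now presents `OR` as an equal choice ("either AND or OR"), whereas the removed text marked `OR` as deprecated and no longer supported. Unless the API has reinstated it, the docstring should keep that warning, e.g. `- operator: The action to perform on the operands. AND requires all operand values to match; OR is deprecated and retained for legacy use cases only.` The enum `SearchUsersQueryOperator` is defined outside this hunk, so its members cannot be checked from here.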
@@ -154,11 +150,11 @@ class UserConnectedApp(pydantic.BaseModel): """ Fields: - connected_app_id: The ID of the Connected App. - - name: The name of the Connected App. - - description: A description of the Connected App. + - name: The `name` of the WebAuthn registration or Passkey. + - description: An optional description for the rule. - client_type: The type of Connected App. Supported values are `first_party`, `first_party_public`, `third_party`, and `third_party_public`. - - scopes_granted: The scopes granted to the Connected App at the completion of the last authorization flow. - - logo_url: The logo URL of the Connected App, if any. + - scopes_granted: The list of OAuth scopes that were actually granted to the access token, which may be a subset of requested scopes. + - logo_url: The URL of the logo image for the organization, SSO connection, or connected application. """ # noqa connected_app_id: str 
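Review bot: Two field descriptions in `UserConnectedApp` now describe other objects: `name` reads "The name of the WebAuthn registration or Passkey" and `description` reads "An optional description for the rule". The removed lines were correct for this model, so I would restore `- name: The name of the Connected App.` and `- description: A description of the Connected App.` The `logo_url` text is also generic ("organization, SSO connection, or connected application") where the old text named the Connected App.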
@@ -172,12 +168,12 @@ class UserConnectedApp(pydantic.BaseModel): class WebAuthnRegistration(pydantic.BaseModel): """ Fields: - - webauthn_registration_id: The unique ID for the Passkey or WebAuthn registration. - - domain: The `domain` on which Passkey or WebAuthn registration was started. This will be the domain of your app. - - user_agent: The user agent of the User. - - verified: The verified boolean denotes whether or not this send method, e.g. phone number, email address, etc., has been successfully authenticated by the User. - - authenticator_type: The `authenticator_type` string displays the requested authenticator type of the Passkey or WebAuthn device. The two valid types are "platform" and "cross-platform". If no value is present, the Passkey or WebAuthn device was created without an authenticator type preference. - - name: The `name` of the Passkey or WebAuthn registration. + - webauthn_registration_id: Globally unique UUID that identifies a Passkey or WebAuthn registration in the Stytch API. The `webauthn_registration_id` is used when you need to operate on a specific User's WebAuthn registration. + - domain: The domain for Passkeys or WebAuthn. Defaults to `window.location.hostname`. + - user_agent: The user agent of the client. + - verified: A boolean indicating whether this contact method has been successfully authenticated by the User. + - authenticator_type: The requested authenticator type of the Passkey or WebAuthn device. The two valid values are `platform` and `cross-platform`. If no value passed, we assume both values are allowed. + - name: The `name` of the WebAuthn registration or Passkey. """ # noqa webauthn_registration_id: str 
@@ -191,26 +187,25 @@ class WebAuthnRegistration(pydantic.BaseModel): class User(pydantic.BaseModel): """ Fields: - - user_id: The unique ID of the affected User. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - emails: An array of email objects for the User. - - status: The status of the User. The possible values are `pending` and `active`. + - status: The status of the entity. - phone_numbers: An array of phone number objects linked to the User. - - webauthn_registrations: An array that contains a list of all Passkey or WebAuthn registrations for a given User in the Stytch API. + - webauthn_registrations: An array that contains a list of all Passkey or WebAuthn registrations for a given User. - providers: An array of OAuth `provider` objects linked to the User. - - totps: An array containing a list of all TOTP instances for a given User in the Stytch API. - - crypto_wallets: An array contains a list of all crypto wallets for a given User in the Stytch API. - - biometric_registrations: An array that contains a list of all biometric registrations for a given User in the Stytch API. - - is_locked: (no documentation yet) - - roles: Roles assigned to this User. - See the [RBAC guide](https://stytch.com/docs/guides/rbac/role-assignment) for more information about role assignment. - - name: The name of the User. Each field in the `name` object is optional. - - created_at: The timestamp of the User's creation. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`. - - password: The password object is returned for users with a password. - - trusted_metadata: The `trusted_metadata` field contains an arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. 
- - untrusted_metadata: The `untrusted_metadata` field contains an arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. - - external_id: (no documentation yet) - - lock_created_at: (no documentation yet) - - lock_expires_at: (no documentation yet) + - totps: An array containing a list of all TOTP instances for a given User. + - crypto_wallets: An array of crypto wallet objects linked to the User. + - biometric_registrations: A list of biometric registration objects for a given User. + - is_locked: A boolean indicating whether the user's account is currently locked. + - roles: An array of [Role objects](https://stytch.com/docs/api/rbac-role-object). + - name: The name of the User. + - created_at: The timestamp indicating when the resource was created. + - password: The password for the user. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc. + - trusted_metadata: An arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. + - untrusted_metadata: An arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. + - external_id: An identifier that can be used in API calls wherever a user_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. + - lock_created_at: The timestamp when the user's account was locked due to security concerns or policy violations. 
+ - lock_expires_at: The timestamp when the user's account lock will automatically expire. """ # noqa user_id: str @@ -237,7 +232,7 @@ class User(pydantic.BaseModel): class ConnectedAppsResponse(ResponseBase): """Response type for `Users.connected_apps`. Fields: - - connected_apps: An array of Connected Apps with which the User has successfully completed an authorization flow. + - connected_apps: A list of connected applications that the member or organization has authorized. """ # noqa connected_apps: List[UserConnectedApp] @@ -246,11 +241,11 @@ class ConnectedAppsResponse(ResponseBase): class CreateResponse(ResponseBase): """Response type for `Users.create`. Fields: - - user_id: The unique ID of the affected User. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - email_id: The unique ID of a specific email address. - - status: The status of the User. The possible values are `pending` and `active`. + - status: The status of the entity. - phone_id: The unique ID for the phone number. - - user: The `user` object affected by this API call. See the [Get user endpoint](https://stytch.com/docs/api/get-user) for complete response field details. + - user: The `user` object affected by this API call. """ # noqa user_id: str @@ -263,8 +258,8 @@ class CreateResponse(ResponseBase): class DeleteBiometricRegistrationResponse(ResponseBase): """Response type for `Users.delete_biometric_registration`. Fields: - - user_id: The unique ID of the affected User. - - user: The `user` object affected by this API call. See the [Get user endpoint](https://stytch.com/docs/api/get-user) for complete response field details. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. + - user: The `user` object affected by this API call. """ # noqa user_id: str 
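Review bot: The `password` line in `User` now reads "The password for the user. Any UTF8 character is allowed…". That describes a request parameter and suggests the response contains the password itself. The removed text said a password object is returned, and the `Password` model in this file documents only `password_id` and `requires_reset`. Suggest `- password: The password object, returned for users with a password.` The `status` line also loses its documented values (`pending` and `active`), which callers branch on.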
@@ -274,8 +269,8 @@ class DeleteBiometricRegistrationResponse(ResponseBase): class DeleteCryptoWalletResponse(ResponseBase): """Response type for `Users.delete_crypto_wallet`. Fields: - - user_id: The unique ID of the affected User. - - user: The `user` object affected by this API call. See the [Get user endpoint](https://stytch.com/docs/api/get-user) for complete response field details. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. + - user: The `user` object affected by this API call. """ # noqa user_id: str @@ -285,8 +280,8 @@ class DeleteCryptoWalletResponse(ResponseBase): class DeleteEmailResponse(ResponseBase): """Response type for `Users.delete_email`. Fields: - - user_id: The unique ID of the affected User. - - user: The `user` object affected by this API call. See the [Get user endpoint](https://stytch.com/docs/api/get-user) for complete response field details. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. + - user: The `user` object affected by this API call. """ # noqa user_id: str @@ -296,8 +291,8 @@ class DeleteEmailResponse(ResponseBase): class DeleteOAuthRegistrationResponse(ResponseBase): """Response type for `Users.delete_oauth_registration`. Fields: - - user_id: The unique ID of the affected User. - - user: The `user` object affected by this API call. See the [Get user endpoint](https://stytch.com/docs/api/get-user) for complete response field details. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. + - user: The `user` object affected by this API call. """ # noqa user_id: str 
@@ -307,8 +302,8 @@ class DeleteOAuthRegistrationResponse(ResponseBase): class DeletePasswordResponse(ResponseBase): """Response type for `Users.delete_password`. Fields: - - user_id: The unique ID of the affected User. - - user: The `user` object affected by this API call. See the [Get user endpoint](https://stytch.com/docs/api/get-user) for complete response field details. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. + - user: The `user` object affected by this API call. """ # noqa user_id: str @@ -318,8 +313,8 @@ class DeletePasswordResponse(ResponseBase): class DeletePhoneNumberResponse(ResponseBase): """Response type for `Users.delete_phone_number`. Fields: - - user_id: The unique ID of the affected User. - - user: The `user` object affected by this API call. See the [Get user endpoint](https://stytch.com/docs/api/get-user) for complete response field details. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. + - user: The `user` object affected by this API call. """ # noqa user_id: str @@ -329,7 +324,7 @@ class DeletePhoneNumberResponse(ResponseBase): class DeleteResponse(ResponseBase): """Response type for `Users.delete`. Fields: - - user_id: The unique ID of the deleted User. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. """ # noqa user_id: str 
@@ -338,8 +333,8 @@ class DeleteResponse(ResponseBase): class DeleteTOTPResponse(ResponseBase): """Response type for `Users.delete_totp`. Fields: - - user_id: The unique ID of the affected User. - - user: The `user` object affected by this API call. See the [Get user endpoint](https://stytch.com/docs/api/get-user) for complete response field details. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. + - user: The `user` object affected by this API call. """ # noqa user_id: str @@ -349,8 +344,8 @@ class DeleteTOTPResponse(ResponseBase): class DeleteWebAuthnRegistrationResponse(ResponseBase): """Response type for `Users.delete_webauthn_registration`. Fields: - - user_id: The unique ID of the affected User. - - user: The `user` object affected by this API call. See the [Get user endpoint](https://stytch.com/docs/api/get-user) for complete response field details. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. + - user: The `user` object affected by this API call. """ # noqa user_id: str @@ -360,8 +355,8 @@ class DeleteWebAuthnRegistrationResponse(ResponseBase): class ExchangePrimaryFactorResponse(ResponseBase): """Response type for `Users.exchange_primary_factor`. Fields: - - user_id: The unique ID of the affected User. - - user: The `user` object affected by this API call. See the [Get user endpoint](https://stytch.com/docs/api/get-user) for complete response field details. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. + - user: The `user` object affected by this API call. """ # noqa user_id: str 
@@ -371,26 +366,25 @@ class ExchangePrimaryFactorResponse(ResponseBase): class GetResponse(ResponseBase): """Response type for `Users.get`. Fields: - - user_id: The unique ID of the returned User. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - emails: An array of email objects for the User. - - status: The status of the User. The possible values are `pending` and `active`. + - status: The status of the entity. - phone_numbers: An array of phone number objects linked to the User. - - webauthn_registrations: An array that contains a list of all Passkey or WebAuthn registrations for a given User in the Stytch API. + - webauthn_registrations: An array that contains a list of all Passkey or WebAuthn registrations for a given User. - providers: An array of OAuth `provider` objects linked to the User. - - totps: An array containing a list of all TOTP instances for a given User in the Stytch API. - - crypto_wallets: An array contains a list of all crypto wallets for a given User in the Stytch API. - - biometric_registrations: An array that contains a list of all biometric registrations for a given User in the Stytch API. - - is_locked: (no documentation yet) - - roles: Roles assigned to this User. - See the [RBAC guide](https://stytch.com/docs/guides/rbac/role-assignment) for more information about role assignment. - - name: The name of the User. Each field in the `name` object is optional. - - created_at: The timestamp of the User's creation. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`. - - password: The password object is returned for users with a password. - - trusted_metadata: The `trusted_metadata` field contains an arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. 
- - untrusted_metadata: The `untrusted_metadata` field contains an arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. - - external_id: (no documentation yet) - - lock_created_at: (no documentation yet) - - lock_expires_at: (no documentation yet) + - totps: An array containing a list of all TOTP instances for a given User. + - crypto_wallets: An array of crypto wallet objects linked to the User. + - biometric_registrations: A list of biometric registration objects for a given User. + - is_locked: A boolean indicating whether the user's account is currently locked. + - roles: An array of [Role objects](https://stytch.com/docs/api/rbac-role-object). + - name: The name of the User. + - created_at: The timestamp indicating when the resource was created. + - password: The password for the user. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc. + - trusted_metadata: An arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. + - untrusted_metadata: An arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details. + - external_id: An identifier that can be used in API calls wherever a user_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. + - lock_created_at: The timestamp when the user's account was locked due to security concerns or policy violations. 
+ - lock_expires_at: The timestamp when the user's account lock will automatically expire. """ # noqa user_id: str @@ -423,8 +417,8 @@ class RevokeResponse(ResponseBase): class SearchResponse(ResponseBase): """Response type for `Users.search`. Fields: - - results: An array of results that match your search query. - - results_metadata: The search `results_metadata` object contains metadata relevant to your specific query like total and `next_cursor`. + - results: A list of result objects returned from a search or list operation. + - results_metadata: Metadata about paginated search results, including total count and cursor for fetching the next page. """ # noqa results: List[User] @@ -434,11 +428,11 @@ class SearchResponse(ResponseBase): class UpdateResponse(ResponseBase): """Response type for `Users.update`. Fields: - - user_id: The unique ID of the updated User. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - emails: An array of email objects for the User. - phone_numbers: An array of phone number objects linked to the User. - - crypto_wallets: An array contains a list of all crypto wallets for a given User in the Stytch API. - - user: The `user` object affected by this API call. See the [Get user endpoint](https://stytch.com/docs/api/get-user) for complete response field details. + - crypto_wallets: An array of crypto wallet objects linked to the User. + - user: The `user` object affected by this API call. """ # noqa user_id: str diff --git a/stytch/consumer/models/webauthn.py b/stytch/consumer/models/webauthn.py index 56d29eaa..ebb61aff 100644 --- a/stytch/consumer/models/webauthn.py +++ b/stytch/consumer/models/webauthn.py 
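Review bot: The new `password` line in `GetResponse` describes a password input ("Any UTF8 character is allowed, e.g. spaces, emojis, ...") rather than the response field, and read literally it says the Get User response carries the user's password. The removed line said a password object is returned for users who have a password; the field's type sits in the class body outside this hunk, so that is presumably still what is returned. I would restore `- password: The password object is returned for users with a password.` In the same hunk `created_at` loses the RFC 3339 / UTC format statement and `roles` loses the link to the role-assignment guide, both of which matter to code that parses or authorizes on those fields.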
@@ -19,10 +19,10 @@ class WebAuthnCredential(pydantic.BaseModel): """ Fields: - - credential_id: The unique, public ID of the WebAuthn credential. - - webauthn_registration_id: The unique ID for the Passkey or WebAuthn registration. - - type: The type of the WebAuthn credential. Examples include `public-key`. - - public_key: The public key for the WebAuthn credential in base64 format. + - credential_id: The unique identifier for a WebAuthn credential or passkey. + - webauthn_registration_id: Globally unique UUID that identifies a Passkey or WebAuthn registration in the Stytch API. The `webauthn_registration_id` is used when you need to operate on a specific User's WebAuthn registration. + - type: The type or category of the resource, method, or entity. + - public_key: A public cryptographic key (in base64 format) used for signature verification or encryption. """ # noqa credential_id: str 
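Review bot: The `type` and `public_key` lines in `WebAuthnCredential` were replaced with generic text that no longer describes this model. `type` lost its `public-key` example, and `public_key` now says the key is "used for signature verification or encryption", whereas a WebAuthn credential public key is used to verify assertion signatures. I would keep the specific wording: `- public_key: The public key for the WebAuthn credential in base64 format.` and ``- type: The type of the WebAuthn credential. Examples include `public-key`.``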
@@ -34,16 +34,13 @@ class WebAuthnCredential(pydantic.BaseModel): class AuthenticateResponse(ResponseBase): """Response type for `WebAuthn.authenticate`. Fields: - - user_id: The unique ID of the affected User. - - webauthn_registration_id: The unique ID for the Passkey or WebAuthn registration. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - user: The `user` object affected by this API call. See the [Get user endpoint](https://stytch.com/docs/api/get-user) for complete response field details. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. + - webauthn_registration_id: Globally unique UUID that identifies a Passkey or WebAuthn registration in the Stytch API. The `webauthn_registration_id` is used when you need to operate on a specific User's WebAuthn registration. + - session_token: The `session_token` associated with a User's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. + - user: The `user` object affected by this API call. - session: If you initiate a Session, by including `session_duration_minutes` in your authenticate call, you'll receive a full Session object in the response. - - See [Session object](https://stytch.com/docs/api/session-object) for complete response fields. - - - user_device: If a valid `telemetry_id` was passed in the request and the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) returned results, the `user_device` response field will contain information about the user's device attributes. + - user_device: If a valid `telemetry_id` was passed in the request and the Fingerprint Lookup API returned results, this field will contain information about the user's device attributes. """ # noqa user_id: str 
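Review bot: The `session_token` line in `AuthenticateResponse` no longer says the token is secret and now calls it the token "associated with a User's existing Session", although the `session` line of the same docstring says this call can initiate a Session; the `RegisterResponse` hunk below makes the same change. The value returned here is a credential for the session, and this docstring is where an integrator learns not to log or expose it. I would keep `- session_token: A secret token for a given Stytch Session.` and describe `session_jwt` the same way, as belonging to the Session this response returns.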
@@ -58,8 +55,8 @@ class AuthenticateResponse(ResponseBase): class AuthenticateStartResponse(ResponseBase): """Response type for `WebAuthn.authenticate_start`. Fields: - - user_id: The unique ID of the affected User. - - public_key_credential_request_options: Options used for Passkey or WebAuthn authentication. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. + - public_key_credential_request_options: Credential request options for authenticating with WebAuthn or passkeys. """ # noqa user_id: str 
@@ -78,16 +75,13 @@ class ListCredentialsResponse(ResponseBase): class RegisterResponse(ResponseBase): """Response type for `WebAuthn.register`. Fields: - - user_id: The unique ID of the affected User. - - webauthn_registration_id: The unique ID for the Passkey or WebAuthn registration. - - session_token: A secret token for a given Stytch Session. - - session_jwt: The JSON Web Token (JWT) for a given Stytch Session. - - user: (no documentation yet) + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. + - webauthn_registration_id: Globally unique UUID that identifies a Passkey or WebAuthn registration in the Stytch API. The `webauthn_registration_id` is used when you need to operate on a specific User's WebAuthn registration. + - session_token: The `session_token` associated with a User's existing Session. + - session_jwt: The JSON Web Token (JWT) associated with a User's existing Session. + - user: The `user` object affected by this API call. - session: If you initiate a Session, by including `session_duration_minutes` in your authenticate call, you'll receive a full Session object in the response. - - See [Session object](https://stytch.com/docs/api/session-object) for complete response fields. - - - user_device: If a valid `telemetry_id` was passed in the request and the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) returned results, the `user_device` response field will contain information about the user's device attributes. + - user_device: If a valid `telemetry_id` was passed in the request and the Fingerprint Lookup API returned results, this field will contain information about the user's device attributes. """ # noqa user_id: str 
@@ -102,7 +96,7 @@ class RegisterResponse(ResponseBase): class RegisterStartResponse(ResponseBase): """Response type for `WebAuthn.register_start`. Fields: - - user_id: The unique ID of the affected User. + - user_id: The unique ID for a User. When making API calls, you may use an `external_id` in place of the `user_id` if one is set for the User. - public_key_credential_creation_options: Options used for Passkey or WebAuthn registration. """ # noqa