stytch 10.22.0 → 10.24.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 79f83098068aa5afdbecff54fe59173d6e1c4e0e9660204d4dbd045cbfcc1561
-  data.tar.gz: 14d9b1a5fd3dafb1e2d26b8d26cf9e06d27e1fa9c0eb7082d4c240cb87fbdf29
+  metadata.gz: cb709fad85473f219b4bf2d15da9c8381b117ba31a3f9dd3393a338ec1583323
+  data.tar.gz: 1d59d330089fe207f936e80950a00ab0f1152d3f08c2a62db2df864fe4972408
 SHA512:
-  metadata.gz: fdf4c8bfea414eeb01e5aecfdbfb4ecaadaf31d9b079021557eb2e722facd43b07bf405b4d9518f0f114f6cdf0b09871092fa6c56077a3790f4c525ca9d9f6b6
-  data.tar.gz: '0990e814940119ed3eedc3d6f3bf90ec407de943633ab635ec6064e4cfede76bc35b9342b3fdee24497d56d2bf7b81b23e851ded86dea3cc9775af31f112ef5e'
+  metadata.gz: 015bffaf59b053a43f58d5ab48f245bc24f7ba623ae498a6bcca502ed6023d278e03023154ddb4eb1d269386488831ccc03d30f0ed028817fe7b355e4df006ab
+  data.tar.gz: c5c4bd35f7da7a88da844c470238c6ec3c26dcc3e4ce3abfe874a9e936066b617cee4685019745b71a5ce969be35ab21a287245c1b9f93fcaa0602986980e15d

data/lib/stytch/b2b_client.rb

@@ -13,6 +13,7 @@ require_relative 'b2b_scim'
 require_relative 'b2b_sessions'
 require_relative 'b2b_sso'
 require_relative 'b2b_totps'
+require_relative 'connected_apps'
 require_relative 'fraud'
 require_relative 'm2m'
 require_relative 'project'
@@ -22,7 +23,7 @@ module StytchB2B
   class Client
     ENVIRONMENTS = %i[live test].freeze
 
-    attr_reader :discovery, :fraud, :impersonation, :m2m, :magic_links, :oauth, :otps, :organizations, :passwords, :project, :rbac, :recovery_codes, :scim, :sso, :sessions, :totps
+    attr_reader :connected_app, :discovery, :fraud, :impersonation, :m2m, :magic_links, :oauth, :otps, :organizations, :passwords, :project, :rbac, :recovery_codes, :scim, :sso, :sessions, :totps
 
     def initialize(project_id:, secret:, env: nil, fraud_env: nil, &block)
       @api_host = api_host(env, project_id)
@@ -36,6 +37,7 @@ module StytchB2B
       rbac = StytchB2B::RBAC.new(@connection)
       @policy_cache = StytchB2B::PolicyCache.new(rbac_client: rbac)
 
+      @connected_app = Stytch::ConnectedApp.new(@connection)
       @discovery = StytchB2B::Discovery.new(@connection)
       @fraud = Stytch::Fraud.new(@fraud_connection)
       @impersonation = StytchB2B::Impersonation.new(@connection)

data/lib/stytch/b2b_impersonation.rb

@@ -19,7 +19,7 @@ module StytchB2B
     # Authenticate an impersonation token to impersonate a. This endpoint requires an impersonation token that is not expired or previously used.
     # A Stytch session will be created for the impersonated member with a 60 minute duration. Impersonated sessions cannot be extended.
     #
-    # Prior to this step, you can generate an impersonation token by visiting the Stytch dashboard, viewing a member, and clicking the `Impersonate Member` button.
+    # Prior to this step, you can generate an impersonation token by visiting the Stytch Dashboard, viewing a member, and clicking the `Impersonate Member` button.
     #
     # == Parameters:
     # impersonation_token::

data/lib/stytch/b2b_passwords.rb

@@ -24,10 +24,13 @@ module StytchB2B
 
     # This API allows you to check whether the user’s provided password is valid, and to provide feedback to the user on how to increase the strength of their password.
     #
-    # This endpoint adapts to your Project's password strength configuration. If you're using [zxcvbn](https://stytch.com/docs/guides/passwords/strength-policy), the default, your passwords are considered valid if the strength score is >= 3. If you're using [LUDS](https://stytch.com/docs/guides/passwords/strength-policy), your passwords are considered valid if they meet the requirements that you've set with Stytch. You may update your password strength configuration in the [stytch dashboard](https://stytch.com/dashboard/password-strength-config).
+    # This endpoint adapts to your Project's password strength configuration.
+    # If you're using [zxcvbn](https://stytch.com/docs/guides/passwords/strength-policy), the default, your passwords are considered valid if the strength score is >= 3.
+    # If you're using [LUDS](https://stytch.com/docs/guides/passwords/strength-policy), your passwords are considered valid if they meet the requirements that you've set with Stytch.
+    # You may update your password strength configuration on the [Passwords Policy page](https://stytch.com/dashboard/password-strength-config) in the Stytch Dashboard.
     #
     # ## Password feedback
-    # The zxcvbn_feedback and luds_feedback objects contains relevant fields for you to relay feedback to users that failed to create a strong enough password.
+    # The `zxcvbn_feedback` and `luds_feedback` objects contains relevant fields for you to relay feedback to users that failed to create a strong enough password.
     #
     # If you're using [zxcvbn](https://stytch.com/docs/guides/passwords/strength-policy), the feedback object will contain warning and suggestions for any password that does not meet the [zxcvbn](https://stytch.com/docs/guides/passwords/strength-policy) strength requirements. You can return these strings directly to the user to help them craft a strong password.
     #
@@ -382,7 +385,7 @@ module StytchB2B
       # If you're using [zxcvbn](https://stytch.com/docs/guides/passwords/strength-policy), the default, your passwords are considered valid
       # if the strength score is >= 3. If you're using [LUDS](https://stytch.com/docs/guides/passwords/strength-policy), your passwords are
       # considered valid if they meet the requirements that you've set with Stytch.
-      # You may update your password strength configuration in the [stytch dashboard](https://stytch.com/dashboard/password-strength-config).
+      # You may update your password strength configuration on the [Passwords Policy page](https://stytch.com/dashboard/password-strength-config) in the Stytch Dashboard.
       #
       # == Parameters:
       # organization_id::
@@ -774,7 +777,7 @@ module StytchB2B
       # If you're using [zxcvbn](https://stytch.com/docs/guides/passwords/strength-policy), the default, your passwords are considered valid
       # if the strength score is >= 3. If you're using [LUDS](https://stytch.com/docs/guides/passwords/strength-policy), your passwords are
       # considered valid if they meet the requirements that you've set with Stytch.
-      # You may update your password strength configuration in the [stytch dashboard](https://stytch.com/dashboard/password-strength-config).
+      # You may update your password strength configuration on the [Passwords Policy page](https://stytch.com/dashboard/password-strength-config) in the Stytch Dashboard.
       #
       # If the Member is required to complete MFA to log in to the Organization, the returned value of `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned.
       # The `intermediate_session_token` can be passed into the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms) to complete the MFA step and acquire a full member session.
@@ -976,7 +979,7 @@ module StytchB2B
         # If you're using [zxcvbn](https://stytch.com/docs/guides/passwords/strength-policy), the default, your passwords are considered valid
         # if the strength score is >= 3. If you're using [LUDS](https://stytch.com/docs/guides/passwords/strength-policy), your passwords are
         # considered valid if they meet the requirements that you've set with Stytch.
-        # You may update your password strength configuration in the [stytch dashboard](https://stytch.com/dashboard/password-strength-config).
+        # You may update your password strength configuration on the [Passwords Policy page](https://stytch.com/dashboard/password-strength-config) in the Stytch Dashboard.
         #
         # == Parameters:
         # email_address::

data/lib/stytch/b2b_rbac.rb

@@ -20,7 +20,8 @@ module StytchB2B
     #
     # When using the backend SDKs, the RBAC Policy will be cached to allow for local evaluations, eliminating the need for an extra request to Stytch. The policy will be refreshed if an authorization check is requested and the RBAC policy was last updated more than 5 minutes ago.
     #
-    # Resources and Roles can be created and managed within the [Dashboard](https://stytch.com/docs/dashboard/rbac). Additionally, [Role assignment](https://stytch.com/docs/b2b/guides/rbac/role-assignment) can be programmatically managed through certain Stytch API endpoints.
+    # Resources and Roles can be created and managed within the [RBAC page](https://stytch.com/docs/dashboard/rbac) in the Dashboard.
+    # Additionally, [Role assignment](https://stytch.com/docs/b2b/guides/rbac/role-assignment) can be programmatically managed through certain Stytch API endpoints.
     #
     # Check out the [RBAC overview](https://stytch.com/docs/b2b/guides/rbac/overview) to learn more about Stytch's RBAC permissioning model.
     #

data/lib/stytch/b2b_sessions.rb

@@ -417,7 +417,96 @@ module StytchB2B
       post_request('/v1/b2b/sessions/exchange_access_token', request, headers)
     end
 
-    # Migrate a session from an external OIDC compliant endpoint. Stytch will call the external UserInfo endpoint defined in your Stytch Project settings in the [Dashboard](https://stytch.com/docs/dashboard), and then perform a lookup using the `session_token`. If the response contains a valid email address, Stytch will attempt to match that email address with an existing in your and create a Stytch Session. You will need to create the member before using this endpoint.
+    # Exchange an auth token issued by a trusted identity provider for a Stytch session. You must first register a Trusted Auth Token profile in the Stytch dashboard [here](https://stytch.com/docs/dashboard/trusted-auth-tokens).  If a session token or session JWT is provided, it will add the trusted auth token as an authentication factor to the existing session.
+    #
+    # == Parameters:
+    # organization_id::
+    #   The organization ID that the session should be authenticated in.
+    #   The type of this field is +String+.
+    # profile_id::
+    #   The ID of the trusted auth token profile to use for attestation.
+    #   The type of this field is +String+.
+    # token::
+    #   The trusted auth token to authenticate.
+    #   The type of this field is +String+.
+    # session_duration_minutes::
+    #   Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,
+    #   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of
+    #   five minutes regardless of the underlying session duration, and will need to be refreshed over time.
+    #
+    #   This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).
+    #
+    #   If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes.
+    #
+    #   If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want
+    #   to use the Stytch session product, you can ignore the session fields in the response.
+    #   The type of this field is nilable +Integer+.
+    # session_custom_claims::
+    #   Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in
+    #   `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To
+    #   delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored.
+    #   Total custom claims size cannot exceed four kilobytes.
+    #   The type of this field is nilable +object+.
+    # session_token::
+    #   The `session_token` for the session that you wish to add the trusted auth token authentication factor to.
+    #   The type of this field is nilable +String+.
+    # session_jwt::
+    #   The `session_jwt` for the session that you wish to add the trusted auth token authentication factor to.
+    #   The type of this field is nilable +String+.
+    #
+    # == Returns:
+    # An object with the following fields:
+    # request_id::
+    #   Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
+    #   The type of this field is +String+.
+    # member_id::
+    #   Globally unique UUID that identifies a specific Member.
+    #   The type of this field is +String+.
+    # member_session::
+    #   The [Session object](https://stytch.com/docs/b2b/api/session-object).
+    #   The type of this field is +MemberSession+ (+object+).
+    # session_token::
+    #   A secret token for a given Stytch Session.
+    #   The type of this field is +String+.
+    # session_jwt::
+    #   The JSON Web Token (JWT) for a given Stytch Session.
+    #   The type of this field is +String+.
+    # member::
+    #   The [Member object](https://stytch.com/docs/b2b/api/member-object)
+    #   The type of this field is +Member+ (+object+).
+    # organization::
+    #   The [Organization object](https://stytch.com/docs/b2b/api/organization-object).
+    #   The type of this field is +Organization+ (+object+).
+    # status_code::
+    #   The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
+    #   The type of this field is +Integer+.
+    def attest(
+      organization_id:,
+      profile_id:,
+      token:,
+      session_duration_minutes: nil,
+      session_custom_claims: nil,
+      session_token: nil,
+      session_jwt: nil
+    )
+      headers = {}
+      request = {
+        organization_id: organization_id,
+        profile_id: profile_id,
+        token: token
+      }
+      request[:session_duration_minutes] = session_duration_minutes unless session_duration_minutes.nil?
+      request[:session_custom_claims] = session_custom_claims unless session_custom_claims.nil?
+      request[:session_token] = session_token unless session_token.nil?
+      request[:session_jwt] = session_jwt unless session_jwt.nil?
+
+      post_request('/v1/b2b/sessions/attest', request, headers)
+    end
+
+    # Migrate a session from an external OIDC compliant endpoint.
+    # Stytch will call the external UserInfo endpoint defined in your Stytch Project settings in the [Dashboard](https://stytch.com/docs/dashboard), and then perform a lookup using the `session_token`. <!-- FIXME more specific dashboard link-->
+    # If the response contains a valid email address, Stytch will attempt to match that email address with an existing in your and create a Stytch Session.
+    # You will need to create the member before using this endpoint.
     #
     # == Parameters:
     # session_token::

data/lib/stytch/client.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require_relative 'connected_apps'
 require_relative 'crypto_wallets'
 require_relative 'fraud'
 require_relative 'impersonation'
@@ -18,7 +19,7 @@ module Stytch
   class Client
     ENVIRONMENTS = %i[live test].freeze
 
-    attr_reader :crypto_wallets, :fraud, :impersonation, :m2m, :magic_links, :oauth, :otps, :passwords, :project, :sessions, :totps, :users, :webauthn
+    attr_reader :connected_app, :crypto_wallets, :fraud, :impersonation, :m2m, :magic_links, :oauth, :otps, :passwords, :project, :sessions, :totps, :users, :webauthn
 
     def initialize(project_id:, secret:, env: nil, fraud_env: nil, &block)
       @api_host = api_host(env, project_id)
@@ -29,6 +30,7 @@ module Stytch
 
       create_connection(&block)
 
+      @connected_app = Stytch::ConnectedApp.new(@connection)
       @crypto_wallets = Stytch::CryptoWallets.new(@connection)
       @fraud = Stytch::Fraud.new(@fraud_connection)
       @impersonation = Stytch::Impersonation.new(@connection)

data/lib/stytch/connected_apps.rb

@@ -0,0 +1,372 @@
+# frozen_string_literal: true
+
+# !!!
+# WARNING: This file is autogenerated
+# Only modify code within MANUAL() sections
+# or your changes may be overwritten later!
+# !!!
+
+require_relative 'request_helper'
+
+module Stytch
+  class ConnectedApp
+    include Stytch::RequestHelper
+    attr_reader :clients
+
+    def initialize(connection)
+      @connection = connection
+
+      @clients = Stytch::ConnectedApp::Clients.new(@connection)
+    end
+
+    class Clients
+      include Stytch::RequestHelper
+      attr_reader :secrets
+
+      def initialize(connection)
+        @connection = connection
+
+        @secrets = Stytch::ConnectedApp::Clients::Secrets.new(@connection)
+      end
+
+      # Retrieve details of a specific Connected App by `client_id`.
+      #
+      # == Parameters:
+      # client_id::
+      #   The ID of the Connected App client.
+      #   The type of this field is +String+.
+      #
+      # == Returns:
+      # An object with the following fields:
+      # request_id::
+      #   Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
+      #   The type of this field is +String+.
+      # connected_app::
+      #   The Connected App affected by this operation.
+      #   The type of this field is +ConnectedApp+ (+object+).
+      # status_code::
+      #   The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
+      #   The type of this field is +Integer+.
+      def get(
+        client_id:
+      )
+        headers = {}
+        query_params = {}
+        request = request_with_query_params("/v1/connected_apps/clients/#{client_id}", query_params)
+        get_request(request, headers)
+      end
+
+      # Updates mutable fields of a Connected App. Cannot update Client Type, Client ID, or Secrets.
+      #
+      # == Parameters:
+      # client_id::
+      #   The ID of the client.
+      #   The type of this field is +String+.
+      # client_name::
+      #   A human-readable name for the client.
+      #   The type of this field is nilable +String+.
+      # client_description::
+      #   A human-readable description for the client.
+      #   The type of this field is nilable +String+.
+      # redirect_urls::
+      #   Array of redirect URI values for use in OAuth Authorization flows.
+      #   The type of this field is nilable list of +String+.
+      # full_access_allowed::
+      #   Valid for first party clients only. If `true`, an authorization token granted to this Client can be exchanged for a full Stytch session.
+      #   The type of this field is nilable +Boolean+.
+      # access_token_expiry_minutes::
+      #   The number of minutes before the access token expires. The default is 60 minutes.
+      #   The type of this field is nilable +Integer+.
+      # access_token_custom_audience::
+      #   The custom audience for the access token.
+      #   The type of this field is nilable +String+.
+      # access_token_template_content::
+      #   The content of the access token custom claims template. The template must be a valid JSON object.
+      #   The type of this field is nilable +String+.
+      # post_logout_redirect_urls::
+      #   Array of redirect URI values for use in OIDC Logout flows.
+      #   The type of this field is nilable list of +String+.
+      # logo_url::
+      #   The logo URL of the Connected App, if any.
+      #   The type of this field is nilable +String+.
+      # bypass_consent_for_offline_access::
+      #   Valid for first party clients only. If true, the client does not need to request explicit user consent for the `offline_access` scope.
+      #   The type of this field is nilable +Boolean+.
+      #
+      # == Returns:
+      # An object with the following fields:
+      # request_id::
+      #   Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
+      #   The type of this field is +String+.
+      # connected_app::
+      #   The Connected App affected by this operation.
+      #   The type of this field is +ConnectedApp+ (+object+).
+      # status_code::
+      #   The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
+      #   The type of this field is +Integer+.
+      def update(
+        client_id:,
+        client_name: nil,
+        client_description: nil,
+        redirect_urls: nil,
+        full_access_allowed: nil,
+        access_token_expiry_minutes: nil,
+        access_token_custom_audience: nil,
+        access_token_template_content: nil,
+        post_logout_redirect_urls: nil,
+        logo_url: nil,
+        bypass_consent_for_offline_access: nil
+      )
+        headers = {}
+        request = {}
+        request[:client_name] = client_name unless client_name.nil?
+        request[:client_description] = client_description unless client_description.nil?
+        request[:redirect_urls] = redirect_urls unless redirect_urls.nil?
+        request[:full_access_allowed] = full_access_allowed unless full_access_allowed.nil?
+        request[:access_token_expiry_minutes] = access_token_expiry_minutes unless access_token_expiry_minutes.nil?
+        request[:access_token_custom_audience] = access_token_custom_audience unless access_token_custom_audience.nil?
+        request[:access_token_template_content] = access_token_template_content unless access_token_template_content.nil?
+        request[:post_logout_redirect_urls] = post_logout_redirect_urls unless post_logout_redirect_urls.nil?
+        request[:logo_url] = logo_url unless logo_url.nil?
+        request[:bypass_consent_for_offline_access] = bypass_consent_for_offline_access unless bypass_consent_for_offline_access.nil?
+
+        put_request("/v1/connected_apps/clients/#{client_id}", request, headers)
+      end
+
+      # Deletes a Connected App.
+      #
+      # == Parameters:
+      # client_id::
+      #   The ID of the client.
+      #   The type of this field is +String+.
+      #
+      # == Returns:
+      # An object with the following fields:
+      # request_id::
+      #   (no documentation yet)
+      #   The type of this field is +String+.
+      # client_id::
+      #   The ID of the client.
+      #   The type of this field is +String+.
+      # status_code::
+      #   (no documentation yet)
+      #   The type of this field is +Integer+.
+      def delete(
+        client_id:
+      )
+        headers = {}
+        delete_request("/v1/connected_apps/clients/#{client_id}", headers)
+      end
+
+      # Search for Connected Apps. Supports cursor-based pagination. Specific filters coming soon.
+      #
+      # == Parameters:
+      # cursor::
+      #   The `cursor` field allows you to paginate through your results. Each result array is limited to 1000 results. If your query returns more than 1000 results, you will need to paginate the responses using the `cursor`. If you receive a response that includes a non-null `next_cursor` in the `results_metadata` object, repeat the search call with the `next_cursor` value set to the `cursor` field to retrieve the next page of results. Continue to make search calls until the `next_cursor` in the response is null.
+      #   The type of this field is nilable +String+.
+      # limit::
+      #   The number of search results to return per page. The default limit is 100. A maximum of 1000 results can be returned by a single search request. If the total size of your result set is greater than one page size, you must paginate the response. See the `cursor` field.
+      #   The type of this field is nilable +Integer+.
+      #
+      # == Returns:
+      # An object with the following fields:
+      # request_id::
+      #   Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
+      #   The type of this field is +String+.
+      # connected_apps::
+      #   (no documentation yet)
+      #   The type of this field is list of +ConnectedApp+ (+object+).
+      # results_metadata::
+      #   The search `results_metadata` object contains metadata relevant to your specific query like total and `next_cursor`.
+      #   The type of this field is +ResultsMetadata+ (+object+).
+      # status_code::
+      #   The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
+      #   The type of this field is +Integer+.
+      def search(
+        cursor: nil,
+        limit: nil
+      )
+        headers = {}
+        request = {}
+        request[:cursor] = cursor unless cursor.nil?
+        request[:limit] = limit unless limit.nil?
+
+        post_request('/v1/connected_apps/clients/search', request, headers)
+      end
+
+      # Creates a new Connected App. If the Connected App `client_type` is `first_party` or `third_party` a `client_secret` is returned.
+      #
+      # **Important:** This is the only time you will be able to view the generated `client_secret` in the API response. Stytch stores a hash of the `client_secret` and cannot recover the value if lost. Be sure to persist the `client_secret` in a secure location. If the `client_secret` is lost, you will need to trigger a secret rotation flow to receive another one.
+      #
+      # == Parameters:
+      # client_type::
+      #   The type of Connected App. Supported values are `first_party`, `first_party_public`, `third_party`, and `third_party_public`.
+      #   The type of this field is +CreateRequestClientType+ (string enum).
+      # redirect_urls::
+      #   Array of redirect URI values for use in OAuth Authorization flows.
+      #   The type of this field is list of +String+.
+      # full_access_allowed::
+      #   Valid for first party clients only. If `true`, an authorization token granted to this Client can be exchanged for a full Stytch session.
+      #   The type of this field is +Boolean+.
+      # post_logout_redirect_urls::
+      #   Array of redirect URI values for use in OIDC Logout flows.
+      #   The type of this field is list of +String+.
+      # client_name::
+      #   A human-readable name for the client.
+      #   The type of this field is nilable +String+.
+      # client_description::
+      #   A human-readable description for the client.
+      #   The type of this field is nilable +String+.
+      # access_token_expiry_minutes::
+      #   The number of minutes before the access token expires. The default is 60 minutes.
+      #   The type of this field is nilable +Integer+.
+      # access_token_custom_audience::
+      #   The custom audience for the access token.
+      #   The type of this field is nilable +String+.
+      # access_token_template_content::
+      #   The content of the access token custom claims template. The template must be a valid JSON object.
+      #   The type of this field is nilable +String+.
+      # logo_url::
+      #   The logo URL of the Connected App, if any.
+      #   The type of this field is nilable +String+.
+      # bypass_consent_for_offline_access::
+      #   Valid for first party clients only. If true, the client does not need to request explicit user consent for the `offline_access` scope.
+      #   The type of this field is nilable +Boolean+.
+      #
+      # == Returns:
+      # An object with the following fields:
+      # request_id::
+      #   Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
+      #   The type of this field is +String+.
+      # connected_app::
+      #   The Connected App created by this API call.
+      #   The type of this field is +ConnectedAppWithClientSecret+ (+object+).
+      # status_code::
+      #   The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
+      #   The type of this field is +Integer+.
+      def create(
+        client_type:,
+        redirect_urls:,
+        full_access_allowed:,
+        post_logout_redirect_urls:,
+        client_name: nil,
+        client_description: nil,
+        access_token_expiry_minutes: nil,
+        access_token_custom_audience: nil,
+        access_token_template_content: nil,
+        logo_url: nil,
+        bypass_consent_for_offline_access: nil
+      )
+        headers = {}
+        request = {
+          client_type: client_type,
+          redirect_urls: redirect_urls,
+          full_access_allowed: full_access_allowed,
+          post_logout_redirect_urls: post_logout_redirect_urls
+        }
+        request[:client_name] = client_name unless client_name.nil?
+        request[:client_description] = client_description unless client_description.nil?
+        request[:access_token_expiry_minutes] = access_token_expiry_minutes unless access_token_expiry_minutes.nil?
+        request[:access_token_custom_audience] = access_token_custom_audience unless access_token_custom_audience.nil?
+        request[:access_token_template_content] = access_token_template_content unless access_token_template_content.nil?
+        request[:logo_url] = logo_url unless logo_url.nil?
+        request[:bypass_consent_for_offline_access] = bypass_consent_for_offline_access unless bypass_consent_for_offline_access.nil?
+
+        post_request('/v1/connected_apps/clients', request, headers)
+      end
+
+      class Secrets
+        include Stytch::RequestHelper
+
+        def initialize(connection)
+          @connection = connection
+        end
+
+        # Initiate the rotation of a Connected App client secret. After this endpoint is called, both the client's `client_secret` and `next_client_secret` will be valid. To complete the secret rotation flow, update all usages of `client_secret` to `next_client_secret` and call the Rotate Secret Endpoint to complete the flow.
+        # Secret rotation can be cancelled using the Cancel Secret Rotation endpoint.
+        #
+        # **Important:** This is the only time you will be able to view the generated `next_client_secret` in the API response. Stytch stores a hash of the `next_client_secret` and cannot recover the value if lost. Be sure to persist the `next_client_secret` in a secure location. If the `next_client_secret` is lost, you will need to trigger a secret rotation flow to receive another one.
+        #
+        # == Parameters:
+        # client_id::
+        #   The ID of the client.
+        #   The type of this field is +String+.
+        #
+        # == Returns:
+        # An object with the following fields:
+        # request_id::
+        #   Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
+        #   The type of this field is +String+.
+        # connected_app::
+        #   The Connected App affected by this operation.
+        #   The type of this field is +ConnectedAppWithNextClientSecret+ (+object+).
+        # status_code::
+        #   The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
+        #   The type of this field is +Integer+.
+        def rotate_start(
+          client_id:
+        )
+          headers = {}
+          request = {}
+
+          post_request("/v1/connected_apps/clients/#{client_id}/secrets/rotate/start", request, headers)
+        end
+
+        # Cancel the rotation of a Connected App client secret started with the Start Secret Rotation Endpoint. After this endpoint is called, the client's `next_client_secret` is discarded and only the original `client_secret` will be valid.
+        #
+        # == Parameters:
+        # client_id::
+        #   The ID of the client.
+        #   The type of this field is +String+.
+        #
+        # == Returns:
+        # An object with the following fields:
+        # request_id::
+        #   Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
+        #   The type of this field is +String+.
+        # connected_app::
+        #   The Connected App affected by this operation.
+        #   The type of this field is +ConnectedApp+ (+object+).
+        # status_code::
+        #   The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
+        #   The type of this field is +Integer+.
+        def rotate_cancel(
+          client_id:
+        )
+          headers = {}
+          request = {}
+
+          post_request("/v1/connected_apps/clients/#{client_id}/secrets/rotate/cancel", request, headers)
+        end
+
+        # Complete the rotation of a Connected App client secret started with the Rotate Secret Start Endpoint.
+        # After this endpoint is called, the client's `next_client_secret` becomes its `client_secret` and the previous `client_secret` will no longer be valid.
+        #
+        # == Parameters:
+        # client_id::
+        #   The ID of the client.
+        #   The type of this field is +String+.
+        #
+        # == Returns:
+        # An object with the following fields:
+        # request_id::
+        #   Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
+        #   The type of this field is +String+.
+        # connected_app::
+        #   The Connected App affected by this operation.
+        #   The type of this field is +ConnectedApp+ (+object+).
+        # status_code::
+        #   The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
+        #   The type of this field is +Integer+.
+        def rotate(
+          client_id:
+        )
+          headers = {}
+          request = {}
+
+          post_request("/v1/connected_apps/clients/#{client_id}/secrets/rotate", request, headers)
+        end
+      end
+    end
+  end
+end

data/lib/stytch/impersonation.rb

@@ -19,7 +19,7 @@ module Stytch
     # Authenticate an impersonation token to impersonate a User. This endpoint requires an impersonation token that is not expired or previously used.
     # A Stytch session will be created for the impersonated user with a 60 minute duration. Impersonated sessions cannot be extended.
     #
-    # Prior to this step, you can generate an impersonation token by visiting the Stytch dashboard, viewing a user, and clicking the `Impersonate User` button.
+    # Prior to this step, you can generate an impersonation token by visiting the Stytch Dashboard, viewing a user, and clicking the `Impersonate User` button.
     #
     # == Parameters:
     # impersonation_token::

data/lib/stytch/passwords.rb

@@ -201,7 +201,7 @@ module Stytch
 
     # This API allows you to check whether or not the user’s provided password is valid, and to provide feedback to the user on how to increase the strength of their password.
     #
-    # This endpoint adapts to your Project's password strength configuration. If you're using [zxcvbn](https://stytch.com/docs/guides/passwords/strength-policy), the default, your passwords are considered valid if the strength score is >= 3. If you're using [LUDS](https://stytch.com/docs/guides/passwords/strength-policy), your passwords are considered valid if they meet the requirements that you've set with Stytch. You may update your password strength configuration in the [stytch dashboard](https://stytch.com/dashboard/password-strength-config).
+    # This endpoint adapts to your Project's password strength configuration. If you're using [zxcvbn](https://stytch.com/docs/guides/passwords/strength-policy), the default, your passwords are considered valid if the strength score is >= 3. If you're using [LUDS](https://stytch.com/docs/guides/passwords/strength-policy), your passwords are considered valid if they meet the requirements that you've set with Stytch. You may update your password strength configuration in the [Stytch Dashboard](https://stytch.com/dashboard/password-strength-config).
     #
     #
     # ### Password feedback
@@ -293,9 +293,9 @@ module Stytch
     #   The `untrusted_metadata` field contains an arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details.
     #   The type of this field is nilable +object+.
     # set_email_verified::
-    #   Whether to set the user's email as verified. This is a dangerous field. Incorrect use may lead to users getting erroneously
-    #                 deduplicated into one user object. This flag should only be set if you can attest that the user owns the email address in question.
-    #                 Access to this field is restricted. To enable it, please send us a note at support@stytch.com.
+    #   Whether to set the user's email as verified. This is a dangerous field, incorrect use may lead to users getting erroneously
+    #                 deduplicated into one User object. This flag should only be set if you can attest that the user owns the email address in question.
+    #
     #   The type of this field is nilable +Boolean+.
     # name::
     #   The name of the user. Each field in the name object is optional.
@@ -304,12 +304,15 @@ module Stytch
     #   The phone number of the user. The phone number should be in E.164 format (i.e. +1XXXXXXXXXX).
     #   The type of this field is nilable +String+.
     # set_phone_number_verified::
-    #   Whether to set the user's phone number as verified. This is a dangerous field. This flag should only be set if you can attest that
-    #    the user owns the phone number in question. Access to this field is restricted. To enable it, please send us a note at support@stytch.com.
+    #   Whether to set the user's phone number as verified. This is a dangerous field, this flag should only be set if you can attest that
+    #    the user owns the phone number in question.
     #   The type of this field is nilable +Boolean+.
     # external_id::
     #   If a new user is created, this will set an identifier that can be used in API calls wherever a user_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters.
     #   The type of this field is nilable +String+.
+    # roles::
+    #   (no documentation yet)
+    #   The type of this field is nilable list of +String+.
     #
     # == Returns:
     # An object with the following fields:
@@ -346,7 +349,8 @@ module Stytch
       name: nil,
       phone_number: nil,
       set_phone_number_verified: nil,
-      external_id: nil
+      external_id: nil,
+      roles: nil
     )
       headers = {}
       request = {
@@ -366,6 +370,7 @@ module Stytch
       request[:phone_number] = phone_number unless phone_number.nil?
       request[:set_phone_number_verified] = set_phone_number_verified unless set_phone_number_verified.nil?
       request[:external_id] = external_id unless external_id.nil?
+      request[:roles] = roles unless roles.nil?
 
       post_request('/v1/passwords/migrate', request, headers)
     end

data/lib/stytch/sessions.rb

@@ -326,6 +326,85 @@ module Stytch
       get_request(request, headers)
     end
 
+    # Exchange an auth token issued by a trusted identity provider for a Stytch session. You must first register a Trusted Auth Token profile in the Stytch dashboard [here](https://stytch.com/docs/dashboard/trusted-auth-tokens). If a session token or session JWT is provided, it will add the trusted auth token as an authentication factor to the existing session.
+    #
+    # == Parameters:
+    # profile_id::
+    #   The ID of the trusted auth token profile to use for attestation.
+    #   The type of this field is +String+.
+    # token::
+    #   The trusted auth token to authenticate.
+    #   The type of this field is +String+.
+    # session_duration_minutes::
+    #   Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,
+    #   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of
+    #   five minutes regardless of the underlying session duration, and will need to be refreshed over time.
+    #
+    #   This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).
+    #
+    #   If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes.
+    #
+    #   If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created.
+    #   The type of this field is nilable +Integer+.
+    # session_custom_claims::
+    #   Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value.
+    #
+    #   Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes.
+    #   The type of this field is nilable +object+.
+    # session_token::
+    #   The `session_token` for the session that you wish to add the trusted auth token authentication factor to.
+    #   The type of this field is nilable +String+.
+    # session_jwt::
+    #   The `session_jwt` for the session that you wish to add the trusted auth token authentication factor to.
+    #   The type of this field is nilable +String+.
+    #
+    # == Returns:
+    # An object with the following fields:
+    # request_id::
+    #   Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
+    #   The type of this field is +String+.
+    # user_id::
+    #   The unique ID of the affected User.
+    #   The type of this field is +String+.
+    # session_token::
+    #   A secret token for a given Stytch Session.
+    #   The type of this field is +String+.
+    # session_jwt::
+    #   The JSON Web Token (JWT) for a given Stytch Session.
+    #   The type of this field is +String+.
+    # user::
+    #   The `user` object affected by this API call. See the [Get user endpoint](https://stytch.com/docs/api/get-user) for complete response field details.
+    #   The type of this field is +User+ (+object+).
+    # status_code::
+    #   The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
+    #   The type of this field is +Integer+.
+    # session::
+    #   If you initiate a Session, by including `session_duration_minutes` in your authenticate call, you'll receive a full Session object in the response.
+    #
+    #   See [Session object](https://stytch.com/docs/api/session-object) for complete response fields.
+    #
+    #   The type of this field is nilable +Session+ (+object+).
+    def attest(
+      profile_id:,
+      token:,
+      session_duration_minutes: nil,
+      session_custom_claims: nil,
+      session_token: nil,
+      session_jwt: nil
+    )
+      headers = {}
+      request = {
+        profile_id: profile_id,
+        token: token
+      }
+      request[:session_duration_minutes] = session_duration_minutes unless session_duration_minutes.nil?
+      request[:session_custom_claims] = session_custom_claims unless session_custom_claims.nil?
+      request[:session_token] = session_token unless session_token.nil?
+      request[:session_jwt] = session_jwt unless session_jwt.nil?
+
+      post_request('/v1/sessions/attest', request, headers)
+    end
+
     # MANUAL(Sessions::authenticate_jwt)(SERVICE_METHOD)
     # ADDIMPORT: require 'jwt'
     # ADDIMPORT: require 'json/jwt'

data/lib/stytch/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Stytch
-  VERSION = '10.22.0'
+  VERSION = '10.24.0'
 end

data/lib/stytch/webauthn.rb

@@ -50,6 +50,9 @@ module Stytch
     # override_display_name::
     #   (no documentation yet)
     #   The type of this field is nilable +String+.
+    # use_base64_url_encoding::
+    #   (no documentation yet)
+    #   The type of this field is nilable +Boolean+.
     #
     # == Returns:
     # An object with the following fields:
@@ -73,7 +76,8 @@ module Stytch
       return_passkey_credential_options: nil,
       override_id: nil,
       override_name: nil,
-      override_display_name: nil
+      override_display_name: nil,
+      use_base64_url_encoding: nil
     )
       headers = {}
       request = {
@@ -86,6 +90,7 @@ module Stytch
       request[:override_id] = override_id unless override_id.nil?
       request[:override_name] = override_name unless override_name.nil?
       request[:override_display_name] = override_display_name unless override_display_name.nil?
+      request[:use_base64_url_encoding] = use_base64_url_encoding unless use_base64_url_encoding.nil?
 
       post_request('/v1/webauthn/register/start', request, headers)
     end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: stytch
 version: !ruby/object:Gem::Version
-  version: 10.22.0
+  version: 10.24.0
 platform: ruby
 authors:
 - stytch
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-06-24 00:00:00.000000000 Z
+date: 2025-07-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday
@@ -139,6 +139,7 @@ files:
 - lib/stytch/b2b_sso.rb
 - lib/stytch/b2b_totps.rb
 - lib/stytch/client.rb
+- lib/stytch/connected_apps.rb
 - lib/stytch/crypto_wallets.rb
 - lib/stytch/errors.rb
 - lib/stytch/fraud.rb