stytch 10.23.0 → 10.25.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e2fb08700aeee0c0840e48859d8dc235da8d2aaf781645d76b257d72478d84ac
-  data.tar.gz: b76a0da30460f7973558c2c7b6fa134af9c67df528e6b9e90e5780f444145260
+  metadata.gz: 2f2f709cf39fcc571c655a577f0846ef68c7767d4aeace2f2ea71f3d85781018
+  data.tar.gz: afc3c7c5ce1dd327d2c5ab25f1b130eb25c355207bd8a15ac9db2c986b3f7eda
 SHA512:
-  metadata.gz: 3e05a4ca1b82b877382db1ff2e98ae9d2687c82e4a0f1d084b2ea8c7e52ea5abc5da17e450378a353e9c5f300e890da5e02f1a8c4931f5506df098b89c2affc1
-  data.tar.gz: 6ad571d7bbf7d452d20e742dbf340836b0c5cb68ae1e6ddce55022c5ef19a431a71a4d32d6053f573f2487f1d0132b3876332681bed627f0e593009149b4745d
+  metadata.gz: 9e1391f4ed96c281b6303f26532211f75332ce36fa012eba7629d2d2c6982b8fae6366778cff1b54a6b847e7893dac7926080e387893acb6d4efdd0a1029fb5c
+  data.tar.gz: 94b8e29c50c8901bdb605e729de1440deaf73682d53e1da186862267a77bf7fc6545f63aec865fc25b61273da56d2c348b40d811e7b5690315158593bad5c49c

data/lib/stytch/b2b_client.rb

@@ -13,6 +13,7 @@ require_relative 'b2b_scim'
 require_relative 'b2b_sessions'
 require_relative 'b2b_sso'
 require_relative 'b2b_totps'
+require_relative 'connected_apps'
 require_relative 'fraud'
 require_relative 'm2m'
 require_relative 'project'
@@ -22,7 +23,7 @@ module StytchB2B
   class Client
     ENVIRONMENTS = %i[live test].freeze
 
-    attr_reader :discovery, :fraud, :impersonation, :m2m, :magic_links, :oauth, :otps, :organizations, :passwords, :project, :rbac, :recovery_codes, :scim, :sso, :sessions, :totps
+    attr_reader :connected_app, :discovery, :fraud, :impersonation, :m2m, :magic_links, :oauth, :otps, :organizations, :passwords, :project, :rbac, :recovery_codes, :scim, :sso, :sessions, :totps
 
     def initialize(project_id:, secret:, env: nil, fraud_env: nil, &block)
       @api_host = api_host(env, project_id)
@@ -36,6 +37,7 @@ module StytchB2B
       rbac = StytchB2B::RBAC.new(@connection)
       @policy_cache = StytchB2B::PolicyCache.new(rbac_client: rbac)
 
+      @connected_app = Stytch::ConnectedApp.new(@connection)
       @discovery = StytchB2B::Discovery.new(@connection)
       @fraud = Stytch::Fraud.new(@fraud_connection)
       @impersonation = StytchB2B::Impersonation.new(@connection)

data/lib/stytch/b2b_discovery.rb

@@ -29,7 +29,7 @@ module StytchB2B
 
       # Exchange an Intermediate Session for a fully realized [Member Session](https://stytch.com/docs/b2b/api/session-object) for the [Organization](https://stytch.com/docs/b2b/api/organization-object) that the user wishes to log into.
       #
-      # This endpoint can be used to accept invites and into a new Organization on the basis of the user's email domain or OAuth tenant.
+      # This endpoint can be used to accept invites and JIT Provision into a new Organization on the basis of the user's email domain or OAuth tenant.
       #
       # If the user **has** already satisfied the authentication requirements of the Organization they are trying to exchange into and logged in with a method that verifies their email address, this API will return `member_authenticated: true` and a `session_token` and `session_jwt`.
       #
@@ -69,7 +69,7 @@ module StytchB2B
       #   Total custom claims size cannot exceed four kilobytes.
       #   The type of this field is nilable +object+.
       # locale::
-      #   If the needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode.
+      #   If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode.
       #
       # Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`.
       #
@@ -144,7 +144,7 @@ module StytchB2B
         @connection = connection
       end
 
-      # This endpoint allows you to exchange the `intermediate_session_token` returned when the user successfully completes a authentication flow to create a new
+      # This endpoint allows you to exchange the `intermediate_session_token` returned when the user successfully completes a Discovery authentication flow to create a new
       # [Organization](https://stytch.com/docs/b2b/api/organization-object) and [Member](https://stytch.com/docs/b2b/api/member-object) and log the user in. If the user wants to log into an existing Organization, use the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) instead.
       #
       # Stytch **requires that users verify their email address** prior to creating a new Organization in order to prevent Account Takeover (ATO) attacks and phishing.

data/lib/stytch/b2b_impersonation.rb

@@ -16,14 +16,14 @@ module StytchB2B
       @connection = connection
     end
 
-    # Authenticate an impersonation token to impersonate a. This endpoint requires an impersonation token that is not expired or previously used.
+    # Authenticate an impersonation token to impersonate a Member. This endpoint requires an impersonation token that is not expired or previously used.
     # A Stytch session will be created for the impersonated member with a 60 minute duration. Impersonated sessions cannot be extended.
     #
     # Prior to this step, you can generate an impersonation token by visiting the Stytch Dashboard, viewing a member, and clicking the `Impersonate Member` button.
     #
     # == Parameters:
     # impersonation_token::
-    #   The User Impersonation token to authenticate.
+    #   The Member Impersonation token to authenticate. Expires in 5 minutes by default.
     #   The type of this field is +String+.
     #
     # == Returns:

data/lib/stytch/b2b_magic_links.rb

@@ -20,10 +20,10 @@ module StytchB2B
       @discovery = StytchB2B::MagicLinks::Discovery.new(@connection)
     end
 
-    # Authenticate a with a Magic Link. This endpoint requires a Magic Link token that is not expired or previously used. If the Member’s status is `pending` or `invited`, they will be updated to `active`.
+    # Authenticate a Member with a Magic Link. This endpoint requires a Magic Link token that is not expired or previously used. If the Member’s status is `pending` or `invited`, they will be updated to `active`.
     # Provide the `session_duration_minutes` parameter to set the lifetime of the session. If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration.
     #
-    # If the Member is required to complete MFA to log in to the, the returned value of `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned.
+    # If the Member is required to complete MFA to log in to the Organization, the returned value of `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned.
     # The `intermediate_session_token` can be passed into the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp),
     # or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete the MFA step and acquire a full member session.
     # The `intermediate_session_token` can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to join a different Organization or create a new one.
@@ -67,7 +67,7 @@ module StytchB2B
     #   Total custom claims size cannot exceed four kilobytes.
     #   The type of this field is nilable +object+.
     # locale::
-    #   If the needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode.
+    #   If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode.
     #
     # Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`.
     #
@@ -277,7 +277,7 @@ module StytchB2B
         post_request('/v1/b2b/magic_links/email/login_or_signup', request, headers)
       end
 
-      # Send an invite email to a new to join an. The Member will be created with an `invited` status until they successfully authenticate. Sending invites to `pending` Members will update their status to `invited`. Sending invites to already `active` Members will return an error.
+      # Send an invite email to a new Member to join an Organization. The Member will be created with an `invited` status until they successfully authenticate. Sending invites to `pending` Members will update their status to `invited`. Sending invites to already `active` Members will return an error.
       #
       # The magic link invite will be valid for 1 week.
       #

data/lib/stytch/b2b_oauth.rb

@@ -19,9 +19,9 @@ module StytchB2B
       @discovery = StytchB2B::OAuth::Discovery.new(@connection)
     end
 
-    # Authenticate a given a `token`. This endpoint verifies that the member completed the flow by verifying that the token is valid and hasn't expired.  Provide the `session_duration_minutes` parameter to set the lifetime of the session. If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration.
+    # Authenticate a Member given a `token`. This endpoint verifies that the member completed the OAuth flow by verifying that the token is valid and hasn't expired.  Provide the `session_duration_minutes` parameter to set the lifetime of the session. If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration.
     #
-    # If the Member is required to complete MFA to log in to the, the returned value of `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned.
+    # If the Member is required to complete MFA to log in to the Organization, the returned value of `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned.
     # The `intermediate_session_token` can be passed into the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms) to complete the MFA step and acquire a full member session.
     # The `intermediate_session_token` can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to join a different Organization or create a new one.
     # The `session_duration_minutes` and `session_custom_claims` parameters will be ignored.
@@ -65,7 +65,7 @@ module StytchB2B
     #   A base64url encoded one time secret used to validate that the request starts and ends on the same device.
     #   The type of this field is nilable +String+.
     # locale::
-    #   If the needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode.
+    #   If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode.
     #
     # Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`.
     #
@@ -165,7 +165,7 @@ module StytchB2B
         @connection = connection
       end
 
-      # Authenticates the Discovery token and exchanges it for an Intermediate
+      # Authenticates the Discovery OAuth token and exchanges it for an Intermediate
       # Session Token. Intermediate Session Tokens can be used for various Discovery login flows and are valid for 10 minutes.
       #
       # == Parameters:

data/lib/stytch/b2b_organizations.rb

@@ -95,7 +95,7 @@ module StytchB2B
       @members = StytchB2B::Organizations::Members.new(@connection)
     end
 
-    # Creates an. An `organization_name` and a unique `organization_slug` are required.
+    # Creates an Organization. An `organization_name` and a unique `organization_slug` are required.
     #
     # By default, `email_invites` and `sso_jit_provisioning` will be set to `ALL_ALLOWED`, and `mfa_policy` will be set to `OPTIONAL` if no Organization authentication settings are explicitly defined in the request.
     #
@@ -291,7 +291,7 @@ module StytchB2B
       post_request('/v1/b2b/organizations', request, headers)
     end
 
-    # Returns an specified by `organization_id`.
+    # Returns an Organization specified by `organization_id`.
     #
     # == Parameters:
     # organization_id::
@@ -318,7 +318,7 @@ module StytchB2B
       get_request(request, headers)
     end
 
-    # Updates an specified by `organization_id`. An Organization must always have at least one auth setting set to either `RESTRICTED` or `ALL_ALLOWED` in order to provision new Members.
+    # Updates an Organization specified by `organization_id`. An Organization must always have at least one auth setting set to either `RESTRICTED` or `ALL_ALLOWED` in order to provision new Members.
     #
     # *See the [Organization authentication settings](https://stytch.com/docs/b2b/api/org-auth-settings) resource to learn more about fields like `email_jit_provisioning`, `email_invites`, `sso_jit_provisioning`, etc., and their behaviors.
     #
@@ -567,7 +567,7 @@ module StytchB2B
       put_request("/v1/b2b/organizations/#{organization_id}", request, headers)
     end
 
-    # Deletes an specified by `organization_id`. All Members of the Organization will also be deleted.
+    # Deletes an Organization specified by `organization_id`. All Members of the Organization will also be deleted.
     #
     # == Parameters:
     # organization_id::
@@ -886,6 +886,25 @@ module StytchB2B
         end
       end
 
+      class StartEmailUpdateRequestOptions
+        # Optional authorization object.
+        # Pass in an active Stytch Member session token or session JWT and the request
+        # will be run using that member's permissions.
+        attr_accessor :authorization
+
+        def initialize(
+          authorization: nil
+        )
+          @authorization = authorization
+        end
+
+        def to_headers
+          headers = {}
+          headers.merge!(@authorization.to_headers) if authorization
+          headers
+        end
+      end
+
       class GetConnectedAppsRequestOptions
         # Optional authorization object.
         # Pass in an active Stytch Member session token or session JWT and the request
@@ -934,7 +953,7 @@ module StytchB2B
         @connected_apps = StytchB2B::Organizations::Members::ConnectedApps.new(@connection)
       end
 
-      # Updates a specified by `organization_id` and `member_id`.
+      # Updates a Member specified by `organization_id` and `member_id`.
       #
       # == Parameters:
       # organization_id::
@@ -1067,7 +1086,7 @@ module StytchB2B
         put_request("/v1/b2b/organizations/#{organization_id}/members/#{member_id}", request, headers)
       end
 
-      # Deletes a specified by `organization_id` and `member_id`.
+      # Deletes a Member specified by `organization_id` and `member_id`.
       #
       # == Parameters:
       # organization_id::
@@ -1101,7 +1120,7 @@ module StytchB2B
         delete_request("/v1/b2b/organizations/#{organization_id}/members/#{member_id}", headers)
       end
 
-      # Reactivates a deleted's status and its associated email status (if applicable) to active, specified by `organization_id` and `member_id`. This endpoint will only work for Members with at least one verified email where their `email_address_verified` is `true`.
+      # Reactivates a deleted Member's status and its associated email status (if applicable) to active, specified by `organization_id` and `member_id`. This endpoint will only work for Members with at least one verified email where their `email_address_verified` is `true`.
       #
       # == Parameters:
       # organization_id::
@@ -1143,7 +1162,7 @@ module StytchB2B
         put_request("/v1/b2b/organizations/#{organization_id}/members/#{member_id}/reactivate", request, headers)
       end
 
-      # Delete a's MFA phone number.
+      # Delete a Member's MFA phone number.
       #
       # To change a Member's phone number, you must first call this endpoint to delete the existing phone number.
       #
@@ -1290,7 +1309,9 @@ module StytchB2B
         post_request('/v1/b2b/organizations/members/search', request, headers)
       end
 
-      # Delete a's password.
+      # Delete a Member's password.
+      #
+      # This endpoint only works for Organization-scoped passwords. For cross-org password Projects, use [Require Password Reset By Email](https://stytch.com/docs/b2b/api/passwords-require-reset-by-email) instead.
       #
       # == Parameters:
       # organization_id::
@@ -1408,7 +1429,7 @@ module StytchB2B
         get_request(request, headers)
       end
 
-      # Unlinks a retired email address from a specified by their `organization_id` and `member_id`. The email address
+      # Unlinks a retired email address from a Member specified by their `organization_id` and `member_id`. The email address
       # to be retired can be identified in the request body by either its `email_id`, its `email_address`, or both. If using
       # both identifiers they must refer to the same email.
       #
@@ -1421,7 +1442,6 @@ module StytchB2B
       # A retired email address cannot be used by other Members in the same Organization. However, unlinking retired email
       # addresses allows them to be subsequently re-used by other Organization Members. Retired email addresses can be viewed
       # on the [Member object](https://stytch.com/docs/b2b/api/member-object).
-      #  %}
       #
       # == Parameters:
       # organization_id::
@@ -1476,6 +1496,86 @@ module StytchB2B
         post_request("/v1/b2b/organizations/#{organization_id}/members/#{member_id}/unlink_retired_email", request, headers)
       end
 
+      # Starts a self-serve email update for a Member specified by their `organization_id` and `member_id`.
+      # To perform a self-serve update, members must be active and have an active, verified email address.
+      #
+      # The new email address must meet the following requirements:
+      #
+      # - Must not be in use by another member (retired emails count as used until they are [unlinked](https://stytch.com/docs/b2b/api/unlink-retired-member-email))
+      # - Must not be updating for another member (i.e. two members cannot attempt to update to the same email at once)
+      #
+      # The member will receive an Email Magic Link that expires in 5 minutes. If they do not verify their new email address in that timeframe, the email
+      # will be freed up for other members to use.
+      #
+      # == Parameters:
+      # organization_id::
+      #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug here as a convenience.
+      #   The type of this field is +String+.
+      # member_id::
+      #   Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.
+      #   The type of this field is +String+.
+      # email_address::
+      #   The email address of the Member.
+      #   The type of this field is +String+.
+      # login_redirect_url::
+      #   The URL that the Member clicks from the login Email Magic Link. This URL should be an endpoint in the backend server that
+      #   verifies the request by querying Stytch's authenticate endpoint and finishes the login. If this value is not passed, the default login
+      #   redirect URL that you set in your Dashboard is used. If you have not set a default login redirect URL, an error is returned.
+      #   The type of this field is nilable +String+.
+      # locale::
+      #   Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`.
+      #
+      # Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English.
+      #
+      # Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")!
+      #
+      #   The type of this field is nilable +StartEmailUpdateRequestLocale+ (string enum).
+      # login_template_id::
+      #   Use a custom template for login emails. By default, it will use your default email template. The template must be from Stytch's
+      # built-in customizations or a custom HTML email for Magic Links - Login.
+      #   The type of this field is nilable +String+.
+      #
+      # == Returns:
+      # An object with the following fields:
+      # request_id::
+      #   Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
+      #   The type of this field is +String+.
+      # member_id::
+      #   Globally unique UUID that identifies a specific Member.
+      #   The type of this field is +String+.
+      # member::
+      #   The [Member object](https://stytch.com/docs/b2b/api/member-object)
+      #   The type of this field is +Member+ (+object+).
+      # organization::
+      #   The [Organization object](https://stytch.com/docs/b2b/api/organization-object).
+      #   The type of this field is +Organization+ (+object+).
+      # status_code::
+      #   The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
+      #   The type of this field is +Integer+.
+      #
+      # == Method Options:
+      # This method supports an optional +StytchB2B::Organizations::Members::StartEmailUpdateRequestOptions+ object which will modify the headers sent in the HTTP request.
+      def start_email_update(
+        organization_id:,
+        member_id:,
+        email_address:,
+        login_redirect_url: nil,
+        locale: nil,
+        login_template_id: nil,
+        method_options: nil
+      )
+        headers = {}
+        headers = headers.merge(method_options.to_headers) unless method_options.nil?
+        request = {
+          email_address: email_address
+        }
+        request[:login_redirect_url] = login_redirect_url unless login_redirect_url.nil?
+        request[:locale] = locale unless locale.nil?
+        request[:login_template_id] = login_template_id unless login_template_id.nil?
+
+        post_request("/v1/b2b/organizations/#{organization_id}/members/#{member_id}/start_email_update", request, headers)
+      end
+
       # Member Get Connected Apps retrieves a list of Connected Apps with which the Member has successfully completed an
       # authorization flow.
       # If the Member revokes a Connected App's access (e.g. via the Revoke Connected App endpoint) then the Connected App will
@@ -1516,7 +1616,7 @@ module StytchB2B
         get_request(request, headers)
       end
 
-      # Creates a. An `organization_id` and `email_address` are required.
+      # Creates a Member. An `organization_id` and `email_address` are required.
       #
       # == Parameters:
       # organization_id::

data/lib/stytch/b2b_otp.rb

@@ -27,7 +27,7 @@ module StytchB2B
         @connection = connection
       end
 
-      # Send a One-Time Passcode (OTP) to a's phone number.
+      # Send a One-Time Passcode (OTP) to a Member's phone number.
       #
       # If the Member already has a phone number, the `mfa_phone_number` field is not needed; the endpoint will send an OTP to the number associated with the Member.
       # If the Member does not have a phone number, the endpoint will send an OTP to the `mfa_phone_number` provided and link the `mfa_phone_number` with the Member.
@@ -45,7 +45,7 @@ module StytchB2B
       #
       # Even when international SMS is enabled, we do not support sending SMS to countries on our [Unsupported countries list](https://stytch.com/docs/guides/passcodes/unsupported-countries).
       #
-      # __Note:__ SMS to phone numbers outside of the US and Canada is disabled by default for customers who did not use SMS prior to October 2023. If you're interested in sending international SMS, please reach out to [support@stytch.com](mailto:support@stytch.com?subject=Enable%20international%20SMS).
+      # __Note:__ SMS to phone numbers outside of the US and Canada is disabled by default for customers who did not use SMS prior to October 2023. If you're interested in sending international SMS, please add those countries to your Project's allowlist via [the API](https://stytch.com/docs/workspace-management/pwa/country-code-allowlist-object), and [add credit card details](https://stytch.com/docs/dashboard/settings/billing) to your account.
       #
       # == Parameters:
       # organization_id::
@@ -128,7 +128,7 @@ module StytchB2B
       # such as [email magic link authenticate](https://stytch.com/docs/b2b/api/authenticate-magic-link),
       # or upon successful calls to discovery authenticate methods, such as [email magic link discovery authenticate](https://stytch.com/docs/b2b/api/authenticate-discovery-magic-link).
       #
-      # If the's MFA policy is `REQUIRED_FOR_ALL`, a successful OTP authentication will change the's `mfa_enrolled` status to `true` if it is not already `true`.
+      # If the Organization's MFA policy is `REQUIRED_FOR_ALL`, a successful OTP authentication will change the Member's `mfa_enrolled` status to `true` if it is not already `true`.
       # If the Organization's MFA policy is `OPTIONAL`, the Member's MFA enrollment can be toggled by passing in a value for the `set_mfa_enrollment` field.
       # The Member's MFA enrollment can also be toggled through the [Update Member](https://stytch.com/docs/b2b/api/update-member) endpoint.
       #
@@ -324,11 +324,11 @@ module StytchB2B
         post_request('/v1/b2b/otps/email/login_or_signup', request, headers)
       end
 
-      # Authenticate a with a one-time passcode (OTP). This endpoint requires an OTP that is not expired or previously used.
+      # Authenticate a Member with a one-time passcode (OTP). This endpoint requires an OTP that is not expired or previously used.
       # OTPs have a default expiry of 10 minutes. If the Member’s status is `pending` or `invited`, they will be updated to `active`.
       # Provide the `session_duration_minutes` parameter to set the lifetime of the session. If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration.
       #
-      # If the Member is required to complete MFA to log in to the, the returned value of `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned.
+      # If the Member is required to complete MFA to log in to the Organization, the returned value of `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned.
       # The `intermediate_session_token` can be passed into the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp),
       # or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete the MFA step and acquire a full member session.
       # The `intermediate_session_token` can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to join a different Organization or create a new one.

data/lib/stytch/b2b_passwords.rb

@@ -231,7 +231,7 @@ module StytchB2B
     #
     # If you have breach detection during authentication enabled in your [password strength policy](https://stytch.com/docs/b2b/guides/passwords/strength-policies) and the member's credentials have appeared in the HaveIBeenPwned dataset, this endpoint will return a `member_reset_password` error even if the member enters a correct password. We force a password reset in this case to ensure that the member is the legitimate owner of the email address and not a malicious actor abusing the compromised credentials.
     #
-    # If the is required to complete MFA to log in to the, the returned value of `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned.
+    # If the Member is required to complete MFA to log in to the Organization, the returned value of `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned.
     # The `intermediate_session_token` can be passed into the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms) to complete the MFA step and acquire a full member session.
     # The `session_duration_minutes` and `session_custom_claims` parameters will be ignored.
     #
@@ -272,7 +272,7 @@ module StytchB2B
     #   Total custom claims size cannot exceed four kilobytes.
     #   The type of this field is nilable +object+.
     # locale::
-    #   If the needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode.
+    #   If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode.
     #
     # Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`.
     #
@@ -471,7 +471,7 @@ module StytchB2B
         post_request('/v1/b2b/passwords/email/reset/start', request, headers)
       end
 
-      # Reset the's password and authenticate them. This endpoint checks that the password reset token is valid, hasn’t expired, or already been used.
+      # Reset the Member's password and authenticate them. This endpoint checks that the password reset token is valid, hasn’t expired, or already been used.
       #
       # The provided password needs to meet our password strength requirements, which can be checked in advance with the password strength endpoint. If the token and password are accepted, the password is securely stored for future authentication and the user is authenticated.
       #
@@ -522,7 +522,7 @@ module StytchB2B
       #   Total custom claims size cannot exceed four kilobytes.
       #   The type of this field is nilable +object+.
       # locale::
-      #   If the needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode.
+      #   If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode.
       #
       # Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`.
       #
@@ -608,6 +608,8 @@ module StytchB2B
 
       # Require a password be reset by the associated email address. This endpoint is only functional for cross-org password use cases.
       #
+      # If there are is only one active Member using the associated email address in the Project, the password will be deleted.
+      #
       # == Parameters:
       # email_address::
       #   The email address of the Member to start the email reset process for.
@@ -661,7 +663,7 @@ module StytchB2B
         @connection = connection
       end
 
-      # Reset the's password using their existing session. The endpoint will error if the session does not contain an authentication factor that has been issued within the last 5 minutes. Either `session_token` or `session_jwt` should be provided.
+      # Reset the Member's password using their existing session. The endpoint will error if the session does not contain an authentication factor that has been issued within the last 5 minutes. Either `session_token` or `session_jwt` should be provided.
       #
       # Note that a successful password reset via an existing session will revoke all active sessions for the `member_id`, except for the one used during the reset flow.
       #
@@ -771,7 +773,7 @@ module StytchB2B
         @connection = connection
       end
 
-      # Reset the’s password using their existing password.
+      # Reset the member’s password using their existing password.
       #
       # This endpoint adapts to your Project's password strength configuration.
       # If you're using [zxcvbn](https://stytch.com/docs/guides/passwords/strength-policy), the default, your passwords are considered valid
@@ -825,7 +827,7 @@ module StytchB2B
       #   Total custom claims size cannot exceed four kilobytes.
       #   The type of this field is nilable +object+.
       # locale::
-      #   If the needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode.
+      #   If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode.
       #
       # Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`.
       #

data/lib/stytch/b2b_recovery_codes.rb

@@ -16,7 +16,7 @@ module StytchB2B
       @connection = connection
     end
 
-    # Allows a to complete an MFA flow by consuming a recovery code. This consumes the recovery code and returns a session token that can be used to authenticate the Member.
+    # Allows a Member to complete an MFA flow by consuming a recovery code. This consumes the recovery code and returns a session token that can be used to authenticate the Member.
     #
     # == Parameters:
     # organization_id::
@@ -110,7 +110,7 @@ module StytchB2B
       post_request('/v1/b2b/recovery_codes/recover', request, headers)
     end
 
-    # Returns a's full set of active recovery codes.
+    # Returns a Member's full set of active recovery codes.
     #
     # == Parameters:
     # organization_id::
@@ -150,7 +150,7 @@ module StytchB2B
       get_request(request, headers)
     end
 
-    # Rotate a's recovery codes. This invalidates all existing recovery codes and generates a new set of recovery codes.
+    # Rotate a Member's recovery codes. This invalidates all existing recovery codes and generates a new set of recovery codes.
     #
     # == Parameters:
     # organization_id::

data/lib/stytch/b2b_sessions.rb

@@ -91,7 +91,7 @@ module StytchB2B
     #
     # You may provide a JWT that needs to be refreshed and is expired according to its `exp` claim. A new JWT will be returned if both the signature and the underlying Session are still valid. See our [How to use Stytch Session JWTs](https://stytch.com/docs/b2b/guides/sessions/resources/using-jwts) guide for more information.
     #
-    # If an `authorization_check` object is passed in, this method will also check if the Member is authorized to perform the given action on the given Resource in the specified. A is authorized if their Member Session contains a Role, assigned [explicitly or implicitly](https://stytch.com/docs/b2b/guides/rbac/role-assignment), with adequate permissions.
+    # If an `authorization_check` object is passed in, this method will also check if the Member is authorized to perform the given action on the given Resource in the specified Organization. A Member is authorized if their Member Session contains a Role, assigned [explicitly or implicitly](https://stytch.com/docs/b2b/guides/rbac/role-assignment), with adequate permissions.
     # In addition, the `organization_id` passed in the authorization check must match the Member's Organization.
     #
     # If the Member is not authorized to perform the specified action on the specified Resource, or if the
@@ -229,9 +229,9 @@ module StytchB2B
       post_request('/v1/b2b/sessions/revoke', request, headers)
     end
 
-    # Use this endpoint to exchange a's existing session for another session in a different. This can be used to accept an invite, but not to create a new member via domain matching.
+    # Use this endpoint to exchange a Member's existing session for another session in a different Organization. This can be used to accept an invite, but not to create a new member via domain matching.
     #
-    # To create a new member via email domain, use the [Exchange Intermediate Session](https://stytch.com/docs/b2b/api/exchange-intermediate-session) flow instead.
+    # To create a new member via email domain JIT Provisioning, use the [Exchange Intermediate Session](https://stytch.com/docs/b2b/api/exchange-intermediate-session) flow instead.
     #
     # If the user **has** already satisfied the authentication requirements of the Organization they are trying to switch into, this API will return `member_authenticated: true` and a `session_token` and `session_jwt`.
     #
@@ -275,7 +275,7 @@ module StytchB2B
     #   Total custom claims size cannot exceed four kilobytes.
     #   The type of this field is nilable +object+.
     # locale::
-    #   If the needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode.
+    #   If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode.
     #
     # Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`.
     #
@@ -505,7 +505,7 @@ module StytchB2B
 
     # Migrate a session from an external OIDC compliant endpoint.
     # Stytch will call the external UserInfo endpoint defined in your Stytch Project settings in the [Dashboard](https://stytch.com/docs/dashboard), and then perform a lookup using the `session_token`. <!-- FIXME more specific dashboard link-->
-    # If the response contains a valid email address, Stytch will attempt to match that email address with an existing in your and create a Stytch Session.
+    # If the response contains a valid email address, Stytch will attempt to match that email address with an existing Member in your Organization and create a Stytch Session.
     # You will need to create the member before using this endpoint.
     #
     # == Parameters:

data/lib/stytch/b2b_sso.rb

@@ -137,7 +137,7 @@ module StytchB2B
     # If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration.
     # To link this authentication event to an existing Stytch session, include either the `session_token` or `session_jwt` param.
     #
-    # If the is required to complete MFA to log in to the, the returned value of `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned.
+    # If the Member is required to complete MFA to log in to the Organization, the returned value of `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned.
     # The `intermediate_session_token` can be passed into the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp),
     # or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete the MFA step and acquire a full member session.
     # The `session_duration_minutes` and `session_custom_claims` parameters will be ignored.
@@ -176,7 +176,7 @@ module StytchB2B
     #   Total custom claims size cannot exceed four kilobytes.
     #   The type of this field is nilable +object+.
     # locale::
-    #   If the needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode.
+    #   If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode.
     #
     # Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`.
     #

data/lib/stytch/b2b_totps.rb

@@ -16,7 +16,7 @@ module StytchB2B
       @connection = connection
     end
 
-    # Create a new TOTP instance for a. The Member can use the authenticator application of their choice to scan the QR code or enter the secret.
+    # Create a new TOTP instance for a Member. The Member can use the authenticator application of their choice to scan the QR code or enter the secret.
     #
     # Passing an intermediate session token, session token, or session JWT is not required, but if passed must match the Member ID passed.
     #
@@ -196,7 +196,7 @@ module StytchB2B
       post_request('/v1/b2b/totp/authenticate', request, headers)
     end
 
-    # Migrate an existing TOTP instance for a. Recovery codes are not required and will be minted for the Member if not provided.
+    # Migrate an existing TOTP instance for a Member. Recovery codes are not required and will be minted for the Member if not provided.
     #
     # == Parameters:
     # organization_id::

data/lib/stytch/client.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require_relative 'connected_apps'
 require_relative 'crypto_wallets'
 require_relative 'fraud'
 require_relative 'impersonation'
@@ -18,7 +19,7 @@ module Stytch
   class Client
     ENVIRONMENTS = %i[live test].freeze
 
-    attr_reader :crypto_wallets, :fraud, :impersonation, :m2m, :magic_links, :oauth, :otps, :passwords, :project, :sessions, :totps, :users, :webauthn
+    attr_reader :connected_app, :crypto_wallets, :fraud, :impersonation, :m2m, :magic_links, :oauth, :otps, :passwords, :project, :sessions, :totps, :users, :webauthn
 
     def initialize(project_id:, secret:, env: nil, fraud_env: nil, &block)
       @api_host = api_host(env, project_id)
@@ -29,6 +30,7 @@ module Stytch
 
       create_connection(&block)
 
+      @connected_app = Stytch::ConnectedApp.new(@connection)
       @crypto_wallets = Stytch::CryptoWallets.new(@connection)
       @fraud = Stytch::Fraud.new(@fraud_connection)
       @impersonation = Stytch::Impersonation.new(@connection)

data/lib/stytch/connected_apps.rb

@@ -0,0 +1,372 @@
+# frozen_string_literal: true
+
+# !!!
+# WARNING: This file is autogenerated
+# Only modify code within MANUAL() sections
+# or your changes may be overwritten later!
+# !!!
+
+require_relative 'request_helper'
+
+module Stytch
+  class ConnectedApp
+    include Stytch::RequestHelper
+    attr_reader :clients
+
+    def initialize(connection)
+      @connection = connection
+
+      @clients = Stytch::ConnectedApp::Clients.new(@connection)
+    end
+
+    class Clients
+      include Stytch::RequestHelper
+      attr_reader :secrets
+
+      def initialize(connection)
+        @connection = connection
+
+        @secrets = Stytch::ConnectedApp::Clients::Secrets.new(@connection)
+      end
+
+      # Retrieve details of a specific Connected App by `client_id`.
+      #
+      # == Parameters:
+      # client_id::
+      #   The ID of the Connected App client.
+      #   The type of this field is +String+.
+      #
+      # == Returns:
+      # An object with the following fields:
+      # request_id::
+      #   Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
+      #   The type of this field is +String+.
+      # connected_app::
+      #   The Connected App affected by this operation.
+      #   The type of this field is +ConnectedApp+ (+object+).
+      # status_code::
+      #   The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
+      #   The type of this field is +Integer+.
+      def get(
+        client_id:
+      )
+        headers = {}
+        query_params = {}
+        request = request_with_query_params("/v1/connected_apps/clients/#{client_id}", query_params)
+        get_request(request, headers)
+      end
+
+      # Updates mutable fields of a Connected App. Cannot update Client Type, Client ID, or Secrets.
+      #
+      # == Parameters:
+      # client_id::
+      #   The ID of the client.
+      #   The type of this field is +String+.
+      # client_name::
+      #   A human-readable name for the client.
+      #   The type of this field is nilable +String+.
+      # client_description::
+      #   A human-readable description for the client.
+      #   The type of this field is nilable +String+.
+      # redirect_urls::
+      #   Array of redirect URI values for use in OAuth Authorization flows.
+      #   The type of this field is nilable list of +String+.
+      # full_access_allowed::
+      #   Valid for first party clients only. If `true`, an authorization token granted to this Client can be exchanged for a full Stytch session.
+      #   The type of this field is nilable +Boolean+.
+      # access_token_expiry_minutes::
+      #   The number of minutes before the access token expires. The default is 60 minutes.
+      #   The type of this field is nilable +Integer+.
+      # access_token_custom_audience::
+      #   The custom audience for the access token.
+      #   The type of this field is nilable +String+.
+      # access_token_template_content::
+      #   The content of the access token custom claims template. The template must be a valid JSON object.
+      #   The type of this field is nilable +String+.
+      # post_logout_redirect_urls::
+      #   Array of redirect URI values for use in OIDC Logout flows.
+      #   The type of this field is nilable list of +String+.
+      # logo_url::
+      #   The logo URL of the Connected App, if any.
+      #   The type of this field is nilable +String+.
+      # bypass_consent_for_offline_access::
+      #   Valid for first party clients only. If true, the client does not need to request explicit user consent for the `offline_access` scope.
+      #   The type of this field is nilable +Boolean+.
+      #
+      # == Returns:
+      # An object with the following fields:
+      # request_id::
+      #   Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
+      #   The type of this field is +String+.
+      # connected_app::
+      #   The Connected App affected by this operation.
+      #   The type of this field is +ConnectedApp+ (+object+).
+      # status_code::
+      #   The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
+      #   The type of this field is +Integer+.
+      def update(
+        client_id:,
+        client_name: nil,
+        client_description: nil,
+        redirect_urls: nil,
+        full_access_allowed: nil,
+        access_token_expiry_minutes: nil,
+        access_token_custom_audience: nil,
+        access_token_template_content: nil,
+        post_logout_redirect_urls: nil,
+        logo_url: nil,
+        bypass_consent_for_offline_access: nil
+      )
+        headers = {}
+        request = {}
+        request[:client_name] = client_name unless client_name.nil?
+        request[:client_description] = client_description unless client_description.nil?
+        request[:redirect_urls] = redirect_urls unless redirect_urls.nil?
+        request[:full_access_allowed] = full_access_allowed unless full_access_allowed.nil?
+        request[:access_token_expiry_minutes] = access_token_expiry_minutes unless access_token_expiry_minutes.nil?
+        request[:access_token_custom_audience] = access_token_custom_audience unless access_token_custom_audience.nil?
+        request[:access_token_template_content] = access_token_template_content unless access_token_template_content.nil?
+        request[:post_logout_redirect_urls] = post_logout_redirect_urls unless post_logout_redirect_urls.nil?
+        request[:logo_url] = logo_url unless logo_url.nil?
+        request[:bypass_consent_for_offline_access] = bypass_consent_for_offline_access unless bypass_consent_for_offline_access.nil?
+
+        put_request("/v1/connected_apps/clients/#{client_id}", request, headers)
+      end
+
+      # Deletes a Connected App.
+      #
+      # == Parameters:
+      # client_id::
+      #   The ID of the client.
+      #   The type of this field is +String+.
+      #
+      # == Returns:
+      # An object with the following fields:
+      # request_id::
+      #   (no documentation yet)
+      #   The type of this field is +String+.
+      # client_id::
+      #   The ID of the client.
+      #   The type of this field is +String+.
+      # status_code::
+      #   (no documentation yet)
+      #   The type of this field is +Integer+.
+      def delete(
+        client_id:
+      )
+        headers = {}
+        delete_request("/v1/connected_apps/clients/#{client_id}", headers)
+      end
+
+      # Search for Connected Apps. Supports cursor-based pagination. Specific filters coming soon.
+      #
+      # == Parameters:
+      # cursor::
+      #   The `cursor` field allows you to paginate through your results. Each result array is limited to 1000 results. If your query returns more than 1000 results, you will need to paginate the responses using the `cursor`. If you receive a response that includes a non-null `next_cursor` in the `results_metadata` object, repeat the search call with the `next_cursor` value set to the `cursor` field to retrieve the next page of results. Continue to make search calls until the `next_cursor` in the response is null.
+      #   The type of this field is nilable +String+.
+      # limit::
+      #   The number of search results to return per page. The default limit is 100. A maximum of 1000 results can be returned by a single search request. If the total size of your result set is greater than one page size, you must paginate the response. See the `cursor` field.
+      #   The type of this field is nilable +Integer+.
+      #
+      # == Returns:
+      # An object with the following fields:
+      # request_id::
+      #   Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
+      #   The type of this field is +String+.
+      # connected_apps::
+      #   (no documentation yet)
+      #   The type of this field is list of +ConnectedApp+ (+object+).
+      # results_metadata::
+      #   The search `results_metadata` object contains metadata relevant to your specific query like total and `next_cursor`.
+      #   The type of this field is +ResultsMetadata+ (+object+).
+      # status_code::
+      #   The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
+      #   The type of this field is +Integer+.
+      def search(
+        cursor: nil,
+        limit: nil
+      )
+        headers = {}
+        request = {}
+        request[:cursor] = cursor unless cursor.nil?
+        request[:limit] = limit unless limit.nil?
+
+        post_request('/v1/connected_apps/clients/search', request, headers)
+      end
+
+      # Creates a new Connected App. If the Connected App `client_type` is `first_party` or `third_party` a `client_secret` is returned.
+      #
+      # **Important:** This is the only time you will be able to view the generated `client_secret` in the API response. Stytch stores a hash of the `client_secret` and cannot recover the value if lost. Be sure to persist the `client_secret` in a secure location. If the `client_secret` is lost, you will need to trigger a secret rotation flow to receive another one.
+      #
+      # == Parameters:
+      # client_type::
+      #   The type of Connected App. Supported values are `first_party`, `first_party_public`, `third_party`, and `third_party_public`.
+      #   The type of this field is +CreateRequestClientType+ (string enum).
+      # redirect_urls::
+      #   Array of redirect URI values for use in OAuth Authorization flows.
+      #   The type of this field is list of +String+.
+      # full_access_allowed::
+      #   Valid for first party clients only. If `true`, an authorization token granted to this Client can be exchanged for a full Stytch session.
+      #   The type of this field is +Boolean+.
+      # post_logout_redirect_urls::
+      #   Array of redirect URI values for use in OIDC Logout flows.
+      #   The type of this field is list of +String+.
+      # client_name::
+      #   A human-readable name for the client.
+      #   The type of this field is nilable +String+.
+      # client_description::
+      #   A human-readable description for the client.
+      #   The type of this field is nilable +String+.
+      # access_token_expiry_minutes::
+      #   The number of minutes before the access token expires. The default is 60 minutes.
+      #   The type of this field is nilable +Integer+.
+      # access_token_custom_audience::
+      #   The custom audience for the access token.
+      #   The type of this field is nilable +String+.
+      # access_token_template_content::
+      #   The content of the access token custom claims template. The template must be a valid JSON object.
+      #   The type of this field is nilable +String+.
+      # logo_url::
+      #   The logo URL of the Connected App, if any.
+      #   The type of this field is nilable +String+.
+      # bypass_consent_for_offline_access::
+      #   Valid for first party clients only. If true, the client does not need to request explicit user consent for the `offline_access` scope.
+      #   The type of this field is nilable +Boolean+.
+      #
+      # == Returns:
+      # An object with the following fields:
+      # request_id::
+      #   Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
+      #   The type of this field is +String+.
+      # connected_app::
+      #   The Connected App created by this API call.
+      #   The type of this field is +ConnectedAppWithClientSecret+ (+object+).
+      # status_code::
+      #   The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
+      #   The type of this field is +Integer+.
+      def create(
+        client_type:,
+        redirect_urls:,
+        full_access_allowed:,
+        post_logout_redirect_urls:,
+        client_name: nil,
+        client_description: nil,
+        access_token_expiry_minutes: nil,
+        access_token_custom_audience: nil,
+        access_token_template_content: nil,
+        logo_url: nil,
+        bypass_consent_for_offline_access: nil
+      )
+        headers = {}
+        request = {
+          client_type: client_type,
+          redirect_urls: redirect_urls,
+          full_access_allowed: full_access_allowed,
+          post_logout_redirect_urls: post_logout_redirect_urls
+        }
+        request[:client_name] = client_name unless client_name.nil?
+        request[:client_description] = client_description unless client_description.nil?
+        request[:access_token_expiry_minutes] = access_token_expiry_minutes unless access_token_expiry_minutes.nil?
+        request[:access_token_custom_audience] = access_token_custom_audience unless access_token_custom_audience.nil?
+        request[:access_token_template_content] = access_token_template_content unless access_token_template_content.nil?
+        request[:logo_url] = logo_url unless logo_url.nil?
+        request[:bypass_consent_for_offline_access] = bypass_consent_for_offline_access unless bypass_consent_for_offline_access.nil?
+
+        post_request('/v1/connected_apps/clients', request, headers)
+      end
+
+      class Secrets
+        include Stytch::RequestHelper
+
+        def initialize(connection)
+          @connection = connection
+        end
+
+        # Initiate the rotation of a Connected App client secret. After this endpoint is called, both the client's `client_secret` and `next_client_secret` will be valid. To complete the secret rotation flow, update all usages of `client_secret` to `next_client_secret` and call the Rotate Secret Endpoint to complete the flow.
+        # Secret rotation can be cancelled using the Cancel Secret Rotation endpoint.
+        #
+        # **Important:** This is the only time you will be able to view the generated `next_client_secret` in the API response. Stytch stores a hash of the `next_client_secret` and cannot recover the value if lost. Be sure to persist the `next_client_secret` in a secure location. If the `next_client_secret` is lost, you will need to trigger a secret rotation flow to receive another one.
+        #
+        # == Parameters:
+        # client_id::
+        #   The ID of the client.
+        #   The type of this field is +String+.
+        #
+        # == Returns:
+        # An object with the following fields:
+        # request_id::
+        #   Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
+        #   The type of this field is +String+.
+        # connected_app::
+        #   The Connected App affected by this operation.
+        #   The type of this field is +ConnectedAppWithNextClientSecret+ (+object+).
+        # status_code::
+        #   The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
+        #   The type of this field is +Integer+.
+        def rotate_start(
+          client_id:
+        )
+          headers = {}
+          request = {}
+
+          post_request("/v1/connected_apps/clients/#{client_id}/secrets/rotate/start", request, headers)
+        end
+
+        # Cancel the rotation of a Connected App client secret started with the Start Secret Rotation Endpoint. After this endpoint is called, the client's `next_client_secret` is discarded and only the original `client_secret` will be valid.
+        #
+        # == Parameters:
+        # client_id::
+        #   The ID of the client.
+        #   The type of this field is +String+.
+        #
+        # == Returns:
+        # An object with the following fields:
+        # request_id::
+        #   Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
+        #   The type of this field is +String+.
+        # connected_app::
+        #   The Connected App affected by this operation.
+        #   The type of this field is +ConnectedApp+ (+object+).
+        # status_code::
+        #   The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
+        #   The type of this field is +Integer+.
+        def rotate_cancel(
+          client_id:
+        )
+          headers = {}
+          request = {}
+
+          post_request("/v1/connected_apps/clients/#{client_id}/secrets/rotate/cancel", request, headers)
+        end
+
+        # Complete the rotation of a Connected App client secret started with the Rotate Secret Start Endpoint.
+        # After this endpoint is called, the client's `next_client_secret` becomes its `client_secret` and the previous `client_secret` will no longer be valid.
+        #
+        # == Parameters:
+        # client_id::
+        #   The ID of the client.
+        #   The type of this field is +String+.
+        #
+        # == Returns:
+        # An object with the following fields:
+        # request_id::
+        #   Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
+        #   The type of this field is +String+.
+        # connected_app::
+        #   The Connected App affected by this operation.
+        #   The type of this field is +ConnectedApp+ (+object+).
+        # status_code::
+        #   The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
+        #   The type of this field is +Integer+.
+        def rotate(
+          client_id:
+        )
+          headers = {}
+          request = {}
+
+          post_request("/v1/connected_apps/clients/#{client_id}/secrets/rotate", request, headers)
+        end
+      end
+    end
+  end
+end

data/lib/stytch/impersonation.rb

@@ -23,7 +23,7 @@ module Stytch
     #
     # == Parameters:
     # impersonation_token::
-    #   The User Impersonation token to authenticate.
+    #   The User Impersonation token to authenticate. Expires in 5 minutes by default.
     #   The type of this field is +String+.
     #
     # == Returns:

data/lib/stytch/otps.rb

@@ -130,7 +130,7 @@ module Stytch
       # ### Cost to send SMS OTP
       # Before configuring SMS or WhatsApp OTPs, please review how Stytch [bills the costs of international OTPs](https://stytch.com/pricing) and understand how to protect your app against [toll fraud](https://stytch.com/docs/guides/passcodes/toll-fraud/overview).
       #
-      # __Note:__ SMS to phone numbers outside of the US and Canada is disabled by default for customers who did not use SMS prior to October 2023. If you're interested in sending international SMS, please reach out to [support@stytch.com](mailto:support@stytch.com?subject=Enable%20international%20SMS).
+      # __Note:__ SMS to phone numbers outside of the US and Canada is disabled by default for customers who did not use SMS prior to October 2023. If you're interested in sending international SMS, please add those countries to your Project's allowlist via [the API](https://stytch.com/docs/workspace-management/pwa/country-code-allowlist-object), and [add credit card details](https://stytch.com/docs/dashboard/settings/billing) to your account.
       #
       # Even when international SMS is enabled, we do not support sending SMS to countries on our [Unsupported countries list](https://stytch.com/docs/guides/passcodes/unsupported-countries).
       #
@@ -212,7 +212,7 @@ module Stytch
       # ### Cost to send SMS OTP
       # Before configuring SMS or WhatsApp OTPs, please review how Stytch [bills the costs of international OTPs](https://stytch.com/pricing) and understand how to protect your app against [toll fraud](https://stytch.com/docs/guides/passcodes/toll-fraud/overview).
       #
-      # __Note:__ SMS to phone numbers outside of the US and Canada is disabled by default for customers who did not use SMS prior to October 2023. If you're interested in sending international SMS, please reach out to [support@stytch.com](mailto:support@stytch.com?subject=Enable%20international%20SMS).
+      # __Note:__ SMS to phone numbers outside of the US and Canada is disabled by default for customers who did not use SMS prior to October 2023. If you're interested in sending international SMS, please add those countries to your Project's allowlist via [the API](https://stytch.com/docs/workspace-management/pwa/country-code-allowlist-object), and [add credit card details](https://stytch.com/docs/dashboard/settings/billing) to your account.
       #
       # Even when international SMS is enabled, we do not support sending SMS to countries on our [Unsupported countries list](https://stytch.com/docs/guides/passcodes/unsupported-countries).
       #

data/lib/stytch/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Stytch
-  VERSION = '10.23.0'
+  VERSION = '10.25.0'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: stytch
 version: !ruby/object:Gem::Version
-  version: 10.23.0
+  version: 10.25.0
 platform: ruby
 authors:
 - stytch
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-07-07 00:00:00.000000000 Z
+date: 2025-07-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday
@@ -139,6 +139,7 @@ files:
 - lib/stytch/b2b_sso.rb
 - lib/stytch/b2b_totps.rb
 - lib/stytch/client.rb
+- lib/stytch/connected_apps.rb
 - lib/stytch/crypto_wallets.rb
 - lib/stytch/errors.rb
 - lib/stytch/fraud.rb