stytch 10.25.0 → 10.27.0

data/lib/stytch/b2b_sessions.rb

@@ -57,7 +57,7 @@ module StytchB2B
     #
     # == Parameters:
     # organization_id::
-    #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug here as a convenience.
+    #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
     #   The type of this field is +String+.
     # member_id::
     #   Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.
@@ -164,7 +164,7 @@ module StytchB2B
     #   The type of this field is +Integer+.
     # verdict::
     #   If an `authorization_check` is provided in the request and the check succeeds, this field will return
-    #   the complete list of Roles that gave the Member permission to perform the specified action on the specified Resource.
+    #   information about why the Member was granted permission.
     #   The type of this field is nilable +AuthorizationVerdict+ (+object+).
     def authenticate(
       session_token: nil,
@@ -248,7 +248,7 @@ module StytchB2B
     #
     # == Parameters:
     # organization_id::
-    #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug here as a convenience.
+    #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
     #   The type of this field is +String+.
     # session_token::
     #   The `session_token` belonging to the member that you wish to associate the email with.
@@ -417,7 +417,7 @@ module StytchB2B
       post_request('/v1/b2b/sessions/exchange_access_token', request, headers)
     end
 
-    # Exchange an auth token issued by a trusted identity provider for a Stytch session. You must first register a Trusted Auth Token profile in the Stytch dashboard [here](https://stytch.com/docs/dashboard/trusted-auth-tokens).  If a session token or session JWT is provided, it will add the trusted auth token as an authentication factor to the existing session.
+    # Exchange an auth token issued by a trusted identity provider for a Stytch session. You must first register a Trusted Auth Token profile in the Stytch dashboard [here](https://stytch.com/dashboard/trusted-auth-tokens).  If a session token or session JWT is provided, it will add the trusted auth token as an authentication factor to the existing session.
     #
     # == Parameters:
     # organization_id::
@@ -504,7 +504,7 @@ module StytchB2B
     end
 
     # Migrate a session from an external OIDC compliant endpoint.
-    # Stytch will call the external UserInfo endpoint defined in your Stytch Project settings in the [Dashboard](https://stytch.com/docs/dashboard), and then perform a lookup using the `session_token`. <!-- FIXME more specific dashboard link-->
+    # Stytch will call the external UserInfo endpoint defined in your Stytch Project settings in the [Dashboard](https://stytch.com/dashboard/migrations), and then perform a lookup using the `session_token`.
     # If the response contains a valid email address, Stytch will attempt to match that email address with an existing Member in your Organization and create a Stytch Session.
     # You will need to create the member before using this endpoint.
     #
@@ -513,7 +513,7 @@ module StytchB2B
     #   The authorization token Stytch will pass in to the external userinfo endpoint.
     #   The type of this field is +String+.
     # organization_id::
-    #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug here as a convenience.
+    #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
     #   The type of this field is +String+.
     # session_duration_minutes::
     #   Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,

data/lib/stytch/b2b_sso.rb

@@ -63,7 +63,7 @@ module StytchB2B
     #
     # == Parameters:
     # organization_id::
-    #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug here as a convenience.
+    #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
     #   The type of this field is +String+.
     #
     # == Returns:
@@ -101,7 +101,7 @@ module StytchB2B
     #
     # == Parameters:
     # organization_id::
-    #   The organization ID that the SSO connection belongs to. You may also use the organization_slug here as a convenience.
+    #   The organization ID that the SSO connection belongs to. You may also use the organization_slug or organization_external_id here as a convenience.
     #   The type of this field is +String+.
     # connection_id::
     #   The ID of the SSO connection. SAML, OIDC, and External connection IDs can be provided.
@@ -307,7 +307,7 @@ module StytchB2B
       #
       # == Parameters:
       # organization_id::
-      #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug here as a convenience.
+      #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
       #   The type of this field is +String+.
       # display_name::
       #   A human-readable display name for the connection.
@@ -368,7 +368,7 @@ module StytchB2B
       #
       # == Parameters:
       # organization_id::
-      #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug here as a convenience.
+      #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
       #   The type of this field is +String+.
       # connection_id::
       #   Globally unique UUID that identifies a specific SSO `connection_id` for a Member.
@@ -548,7 +548,7 @@ module StytchB2B
       #
       # == Parameters:
       # organization_id::
-      #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug here as a convenience.
+      #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
       #   The type of this field is +String+.
       # display_name::
       #   A human-readable display name for the connection.
@@ -598,7 +598,7 @@ module StytchB2B
       #
       # == Parameters:
       # organization_id::
-      #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug here as a convenience.
+      #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
       #   The type of this field is +String+.
       # connection_id::
       #   Globally unique UUID that identifies a specific SSO `connection_id` for a Member.
@@ -711,7 +711,7 @@ module StytchB2B
       #
       # == Parameters:
       # organization_id::
-      #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug here as a convenience.
+      #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
       #   The type of this field is +String+.
       # connection_id::
       #   Globally unique UUID that identifies a specific SSO `connection_id` for a Member.
@@ -755,7 +755,7 @@ module StytchB2B
       #
       # == Parameters:
       # organization_id::
-      #   The organization ID that the SAML connection belongs to. You may also use the organization_slug here as a convenience.
+      #   The organization ID that the SAML connection belongs to. You may also use the organization_slug or organization_external_id here as a convenience.
       #   The type of this field is +String+.
       # connection_id::
       #   The ID of the SAML connection.
@@ -839,7 +839,7 @@ module StytchB2B
       #
       # == Parameters:
       # organization_id::
-      #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug here as a convenience.
+      #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
       #   The type of this field is +String+.
       # external_organization_id::
       #   Globally unique UUID that identifies a different Organization within your Project.
@@ -897,7 +897,7 @@ module StytchB2B
       #
       # == Parameters:
       # organization_id::
-      #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug here as a convenience.
+      #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
       #   The type of this field is +String+.
       # connection_id::
       #   Globally unique UUID that identifies a specific External SSO Connection.

data/lib/stytch/b2b_totps.rb

@@ -18,11 +18,13 @@ module StytchB2B
 
     # Create a new TOTP instance for a Member. The Member can use the authenticator application of their choice to scan the QR code or enter the secret.
     #
-    # Passing an intermediate session token, session token, or session JWT is not required, but if passed must match the Member ID passed.
+    # If the Member already has an active MFA factor, then passing an intermediate session token, session token, or session JWT with the existing MFA factor on it is required to prevent bypassing MFA.
+    #
+    # Otherwise, passing an intermediate session token, session token, or session JWT is not required, but if passed must match the `member_id` passed.
     #
     # == Parameters:
     # organization_id::
-    #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug here as a convenience.
+    #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
     #   The type of this field is +String+.
     # member_id::
     #   Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.
@@ -94,7 +96,7 @@ module StytchB2B
     #
     # == Parameters:
     # organization_id::
-    #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug here as a convenience.
+    #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
     #   The type of this field is +String+.
     # member_id::
     #   Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.
@@ -200,7 +202,7 @@ module StytchB2B
     #
     # == Parameters:
     # organization_id::
-    #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug here as a convenience.
+    #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
     #   The type of this field is +String+.
     # member_id::
     #   Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.

data/lib/stytch/client.rb

@@ -1,8 +1,15 @@
+# !!!
+# WARNING: This file is autogenerated
+# Only modify code within MANUAL() sections
+# or your changes may be overwritten later!
+# !!!
+
 # frozen_string_literal: true
 
 require_relative 'connected_apps'
 require_relative 'crypto_wallets'
 require_relative 'fraud'
+require_relative 'idp'
 require_relative 'impersonation'
 require_relative 'm2m'
 require_relative 'magic_links'
@@ -10,6 +17,8 @@ require_relative 'oauth'
 require_relative 'otps'
 require_relative 'passwords'
 require_relative 'project'
+require_relative 'rbac'
+require_relative 'rbac_local'
 require_relative 'sessions'
 require_relative 'totps'
 require_relative 'users'
@@ -19,7 +28,7 @@ module Stytch
   class Client
     ENVIRONMENTS = %i[live test].freeze
 
-    attr_reader :connected_app, :crypto_wallets, :fraud, :impersonation, :m2m, :magic_links, :oauth, :otps, :passwords, :project, :sessions, :totps, :users, :webauthn
+    attr_reader :connected_app, :crypto_wallets, :fraud, :impersonation, :m2m, :magic_links, :oauth, :otps, :passwords, :project, :rbac, :sessions, :totps, :users, :webauthn, :idp
 
     def initialize(project_id:, secret:, env: nil, fraud_env: nil, &block)
       @api_host = api_host(env, project_id)
@@ -30,6 +39,10 @@ module Stytch
 
       create_connection(&block)
 
+      rbac = Stytch::RBAC.new(@connection)
+      @policy_cache = Stytch::PolicyCache.new(rbac_client: rbac)
+      @idp = Stytch::IDP.new(@connection, @project_id, @policy_cache)
+
       @connected_app = Stytch::ConnectedApp.new(@connection)
       @crypto_wallets = Stytch::CryptoWallets.new(@connection)
       @fraud = Stytch::Fraud.new(@fraud_connection)
@@ -40,7 +53,8 @@ module Stytch
       @otps = Stytch::OTPs.new(@connection)
       @passwords = Stytch::Passwords.new(@connection)
       @project = Stytch::Project.new(@connection)
-      @sessions = Stytch::Sessions.new(@connection, @project_id)
+      @rbac = Stytch::RBAC.new(@connection)
+      @sessions = Stytch::Sessions.new(@connection, @project_id, @policy_cache)
       @totps = Stytch::TOTPs.new(@connection)
       @users = Stytch::Users.new(@connection)
       @webauthn = Stytch::WebAuthn.new(@connection)

data/lib/stytch/fraud.rb

@@ -28,14 +28,17 @@ module Stytch
         @connection = connection
       end
 
-      # Lookup the associated fingerprint for the `telemetry_id` returned from the `GetTelemetryID()` function. Learn more about the different fingerprint types and verdicts in our [DFP guide](https://stytch.com/docs/fraud/guides/device-fingerprinting/overview).
+      # Lookup the associated fingerprint for the `telemetry_id` returned from the `GetTelemetryID()` function.
+      # Learn more about the different fingerprint types and verdicts in our [DFP guide](https://stytch.com/docs/fraud/guides/device-fingerprinting/overview).
       #
-      # Make a decision based on the returned `verdict`:
+      # You can make a decision based on the recommended `verdict` in the response:
       # * `ALLOW` - This is a known valid device grouping or device profile that is part of the default `ALLOW` listed set of known devices by Stytch. This grouping is made up of  verified device profiles that match the characteristics of known/authentic traffic origins.
       # * `BLOCK` - This is a known bad or malicious device profile that is undesirable and should be blocked from completing the privileged action in question.
       # * `CHALLENGE` - This is an unknown or potentially malicious device that should be put through increased friction such as 2FA or other forms of extended user verification before allowing the privileged action to proceed.
       #
-      # If the `telemetry_id` is not found, we will return a 404 `telemetry_id_not_found` [error](https://stytch.com/docs/fraud/api/errors/404#telemetry_id_not_found). We recommend treating 404 errors as a `BLOCK`, since it could be a sign of an attacker trying to bypass DFP protections by generating fake telemetry IDs.
+      # If the `telemetry_id` is expired or not found, this endpoint returns a 404 `telemetry_id_not_found` [error](https://stytch.com/docs/fraud/api/errors/404#telemetry_id_not_found).
+      # We recommend treating 404 errors as a `BLOCK`, since it could be a sign of an attacker trying to bypass DFP protections.
+      # See [Attacker-controlled telemetry IDs](https://stytch.com/docs/fraud/guides/device-fingerprinting/integration-steps/test-your-integration#attacker-controlled-telemetry-ids) for more information.
       #
       # == Parameters:
       # telemetry_id::

data/lib/stytch/idp.rb

@@ -0,0 +1,251 @@
+# frozen_string_literal: true
+
+require 'jwt'
+require 'json/jwt'
+require_relative 'errors'
+require_relative 'request_helper'
+require_relative 'rbac_local'
+
+module Stytch
+  class IDP
+    include Stytch::RequestHelper
+
+    def initialize(connection, project_id, policy_cache)
+      @connection = connection
+      @project_id = project_id
+      @policy_cache = policy_cache
+      @non_custom_claim_keys = %w[
+        aud
+        exp
+        iat
+        iss
+        jti
+        nbf
+        sub
+        active
+        client_id
+        request_id
+        scope
+        status_code
+        token_type
+      ]
+    end
+
+    # Introspects a token JWT from an authorization code response.
+    # Access tokens are JWTs signed with the project's JWKs. Refresh tokens are opaque tokens.
+    # Access tokens contain a standard set of claims as well as any custom claims generated from templates.
+    #
+    # == Parameters:
+    # token::
+    #   The access token (or refresh token) to introspect.
+    #   The type of this field is +String+.
+    # client_id::
+    #   The ID of the client.
+    #   The type of this field is +String+.
+    # client_secret::
+    #   The secret of the client.
+    #   The type of this field is nilable +String+.
+    # token_type_hint::
+    #   A hint on what the token contains. Valid fields are 'access_token' and 'refresh_token'.
+    #   The type of this field is +String+.
+    # authorization_check::
+    #   Optional authorization check object.
+    #   The type of this field is nilable +Hash+.
+    #
+    # == Returns:
+    # An object with the following fields:
+    # subject::
+    #   The subject of the token.
+    #   The type of this field is +String+.
+    # scope::
+    #   The scope of the token.
+    #   The type of this field is +String+.
+    # audience::
+    #   The audience of the token.
+    #   The type of this field is +String+.
+    # expires_at::
+    #   The expiration time of the token.
+    #   The type of this field is +Integer+.
+    # issued_at::
+    #   The issued at time of the token.
+    #   The type of this field is +Integer+.
+    # issuer::
+    #   The issuer of the token.
+    #   The type of this field is +String+.
+    # not_before::
+    #   The not before time of the token.
+    #   The type of this field is +Integer+.
+    # token_type::
+    #   The type of the token.
+    #   The type of this field is +String+.
+    # custom_claims::
+    #   Custom claims in the token.
+    #   The type of this field is +Hash+.
+    def introspect_token_network(
+      token:,
+      client_id:,
+      client_secret: nil,
+      token_type_hint: 'access_token',
+      authorization_check: nil
+    )
+      headers = {}
+      data = {
+        'token' => token,
+        'client_id' => client_id,
+        'token_type_hint' => token_type_hint
+      }
+      data['client_secret'] = client_secret unless client_secret.nil?
+
+      url = @connection.url_prefix + '/v1/oauth2/introspect'
+      res = post_request(url, data, headers)
+
+      jwt_response = res
+      return nil unless jwt_response['active']
+
+      custom_claims = res.reject { |k, _| @non_custom_claim_keys.include?(k) }
+      scope = jwt_response['scope']
+
+      if authorization_check
+        @policy_cache.perform_scope_authorization_check(
+          token_scopes: scope.split,
+          authorization_check: authorization_check
+        )
+      end
+
+      {
+        'subject' => jwt_response['sub'],
+        'scope' => jwt_response['scope'],
+        'audience' => jwt_response['aud'],
+        'expires_at' => jwt_response['exp'],
+        'issued_at' => jwt_response['iat'],
+        'issuer' => jwt_response['iss'],
+        'not_before' => jwt_response['nbf'],
+        'token_type' => jwt_response['token_type'],
+        'custom_claims' => custom_claims
+      }
+    end
+
+    # Introspects a token JWT from an authorization code response.
+    # Access tokens are JWTs signed with the project's JWKs. Refresh tokens are opaque tokens.
+    # Access tokens contain a standard set of claims as well as any custom claims generated from templates.
+    #
+    # == Parameters:
+    # access_token::
+    #   The access token (or refresh token) to introspect.
+    #   The type of this field is +String+.
+    # authorization_check::
+    #   Optional authorization check object.
+    #   The type of this field is nilable +Hash+.
+    #
+    # == Returns:
+    # An object with the following fields:
+    # subject::
+    #   The subject of the token.
+    #   The type of this field is +String+.
+    # scope::
+    #   The scope of the token.
+    #   The type of this field is +String+.
+    # audience::
+    #   The audience of the token.
+    #   The type of this field is +String+.
+    # expires_at::
+    #   The expiration time of the token.
+    #   The type of this field is +Integer+.
+    # issued_at::
+    #   The issued at time of the token.
+    #   The type of this field is +Integer+.
+    # issuer::
+    #   The issuer of the token.
+    #   The type of this field is +String+.
+    # not_before::
+    #   The not before time of the token.
+    #   The type of this field is +Integer+.
+    # token_type::
+    #   The type of the token.
+    #   The type of this field is +String+.
+    # custom_claims::
+    #   Custom claims in the token.
+    #   The type of this field is +Hash+.
+    def introspect_access_token_local(
+      access_token:,
+      authorization_check: nil
+    )
+      scope_claim = 'scope'
+
+      # Create a JWKS loader similar to other classes in the codebase
+      @cache_last_update = 0
+      jwks_loader = lambda do |options|
+        @cached_keys = nil if options[:invalidate] && @cache_last_update < Time.now.to_i - 300
+        if @cached_keys.nil?
+          @cached_keys = get_jwks(project_id: @project_id)
+          @cache_last_update = Time.now.to_i
+        end
+        @cached_keys
+      end
+
+      begin
+        decoded_jwt = JWT.decode(
+          access_token,
+          nil,
+          true,
+          {
+            algorithms: ['RS256'],
+            jwks: jwks_loader,
+            iss: ["stytch.com/#{@project_id}", @connection.url_prefix],
+            aud: @project_id
+          }
+        )[0]
+
+        generic_claims = decoded_jwt
+        custom_claims = generic_claims.reject { |k, _| @non_custom_claim_keys.include?(k) }
+        scope = generic_claims[scope_claim]
+
+        if authorization_check
+          @policy_cache.perform_scope_authorization_check(
+            token_scopes: scope.split,
+            authorization_check: authorization_check
+          )
+        end
+
+        {
+          'subject' => generic_claims['sub'],
+          'scope' => generic_claims[scope_claim],
+          'audience' => generic_claims['aud'],
+          'expires_at' => generic_claims['exp'],
+          'issued_at' => generic_claims['iat'],
+          'issuer' => generic_claims['iss'],
+          'not_before' => generic_claims['nbf'],
+          'token_type' => 'access_token',
+          'custom_claims' => custom_claims
+        }
+      rescue JWT::InvalidIssuerError
+        raise Stytch::JWTInvalidIssuerError
+      rescue JWT::InvalidAudError
+        raise Stytch::JWTInvalidAudienceError
+      rescue JWT::ExpiredSignature
+        raise Stytch::JWTExpiredSignatureError
+      rescue JWT::IncorrectAlgorithm
+        raise Stytch::JWTIncorrectAlgorithmError
+      rescue JWT::DecodeError
+        nil
+      end
+    end
+
+    # Gets the JWKS for the project.
+    #
+    # == Parameters:
+    # project_id::
+    #   The ID of the project.
+    #   The type of this field is +String+.
+    #
+    # == Returns:
+    # The JWKS for the project.
+    #   The type of this field is +Hash+.
+    def get_jwks(project_id:)
+      headers = {}
+      query_params = {}
+      request = request_with_query_params("/v1/sessions/jwks/#{project_id}", query_params)
+      get_request(request, headers)
+    end
+  end
+end

data/lib/stytch/otps.rb

@@ -130,7 +130,7 @@ module Stytch
       # ### Cost to send SMS OTP
       # Before configuring SMS or WhatsApp OTPs, please review how Stytch [bills the costs of international OTPs](https://stytch.com/pricing) and understand how to protect your app against [toll fraud](https://stytch.com/docs/guides/passcodes/toll-fraud/overview).
       #
-      # __Note:__ SMS to phone numbers outside of the US and Canada is disabled by default for customers who did not use SMS prior to October 2023. If you're interested in sending international SMS, please add those countries to your Project's allowlist via [the API](https://stytch.com/docs/workspace-management/pwa/country-code-allowlist-object), and [add credit card details](https://stytch.com/docs/dashboard/settings/billing) to your account.
+      # __Note:__ SMS to phone numbers outside of the US and Canada is disabled by default for customers who did not use SMS prior to October 2023. If you're interested in sending international SMS, please add those countries to your Project's allowlist via the [Dashboard](https://stytch.com/dashboard/country-code-allowlists) or [Programmatic Workspace Actions](https://stytch.com/docs/workspace-management/pwa/set-allowed-country-codes), and [add credit card details](https://stytch.com/dashboard/settings/billing) to your account.
       #
       # Even when international SMS is enabled, we do not support sending SMS to countries on our [Unsupported countries list](https://stytch.com/docs/guides/passcodes/unsupported-countries).
       #
@@ -212,7 +212,7 @@ module Stytch
       # ### Cost to send SMS OTP
       # Before configuring SMS or WhatsApp OTPs, please review how Stytch [bills the costs of international OTPs](https://stytch.com/pricing) and understand how to protect your app against [toll fraud](https://stytch.com/docs/guides/passcodes/toll-fraud/overview).
       #
-      # __Note:__ SMS to phone numbers outside of the US and Canada is disabled by default for customers who did not use SMS prior to October 2023. If you're interested in sending international SMS, please add those countries to your Project's allowlist via [the API](https://stytch.com/docs/workspace-management/pwa/country-code-allowlist-object), and [add credit card details](https://stytch.com/docs/dashboard/settings/billing) to your account.
+      # __Note:__ SMS to phone numbers outside of the US and Canada is disabled by default for customers who did not use SMS prior to October 2023. If you're interested in sending international SMS, please add those countries to your Project's allowlist via the [Dashboard](https://stytch.com/dashboard/country-code-allowlists) or [Programmatic Workspace Actions](https://stytch.com/docs/workspace-management/pwa/set-allowed-country-codes), and [add credit card details](https://stytch.com/dashboard/settings/billing) to your account.
       #
       # Even when international SMS is enabled, we do not support sending SMS to countries on our [Unsupported countries list](https://stytch.com/docs/guides/passcodes/unsupported-countries).
       #

data/lib/stytch/passwords.rb

@@ -116,7 +116,7 @@ module Stytch
 
     # Authenticate a user with their email address and password. This endpoint verifies that the user has a password currently set, and that the entered password is correct. There are two instances where the endpoint will return a `reset_password` error even if they enter their previous password:
     #
-    # **One:** The user’s credentials appeared in the HaveIBeenPwned dataset. We force a password reset to ensure that the user is the legitimate owner of the email address, and not a malicious actor abusing the compromised credentials.
+    # **One:** The user's credentials appeared in the HaveIBeenPwned dataset. We force a password reset to ensure that the user is the legitimate owner of the email address, and not a malicious actor abusing the compromised credentials.
     #
     # **Two:** A user that has previously authenticated with email/password uses a passwordless authentication method tied to the same email address (e.g. Magic Links, Google OAuth) for the first time. Any subsequent email/password authentication attempt will result in this error. We force a password reset in this instance in order to safely deduplicate the account by email address, without introducing the risk of a pre-hijack account takeover attack.
     #
@@ -408,7 +408,7 @@ module Stytch
       # login_redirect_url::
       #   The URL Stytch redirects to after the OAuth flow is completed for a user that already exists. This URL should be a route in your application which will run `oauth.authenticate` (see below) and finish the login.
       #
-      #   The URL must be configured as a Login URL in the [Redirect URL page](https://stytch.com/docs/dashboard/redirect-urls). If the field is not specified, the default Login URL will be used.
+      #   The URL must be configured as a Login URL in the [Redirect URL page](https://stytch.com/dashboard/redirect-urls). If the field is not specified, the default Login URL will be used.
       #   The type of this field is nilable +String+.
       # locale::
       #   Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`.
@@ -462,7 +462,7 @@ module Stytch
         post_request('/v1/passwords/email/reset/start', request, headers)
       end
 
-      # Reset the user’s password and authenticate them. This endpoint checks that the magic link `token` is valid, hasn’t expired, or already been used – and can optionally require additional security settings, such as the IP address and user agent matching the initial reset request.
+      # Reset the user's password and authenticate them. This endpoint checks that the magic link `token` is valid, hasn't expired, or already been used – and can optionally require additional security settings, such as the IP address and user agent matching the initial reset request.
       #
       # The provided password needs to meet our password strength requirements, which can be checked in advance with the password strength endpoint. If the token and password are accepted, the password is securely stored for future authentication and the user is authenticated.
       #
@@ -572,7 +572,7 @@ module Stytch
         @connection = connection
       end
 
-      # Reset the User’s password using their existing password.
+      # Reset the User's password using their existing password.
       #
       # Note that a successful password reset via an existing password will revoke all active sessions for the `user_id`.
       #

data/lib/stytch/rbac.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+# !!!
+# WARNING: This file is autogenerated
+# Only modify code within MANUAL() sections
+# or your changes may be overwritten later!
+# !!!
+
+require_relative 'request_helper'
+
+module Stytch
+  class RBAC
+    include Stytch::RequestHelper
+
+    def initialize(connection)
+      @connection = connection
+    end
+
+    # Get the active RBAC Policy for your current Stytch Project. An RBAC Policy is the canonical document that stores all defined Resources and Roles within your RBAC permissioning model.
+    #
+    # When using the backend SDKs, the RBAC Policy will be cached to allow for local evaluations, eliminating the need for an extra request to Stytch.
+    # The policy will be refreshed if an authorization check is requested and the RBAC policy was last updated more than 5 minutes ago.
+    #
+    # Resources and Roles can be created and managed within the [RBAC page](https://stytch.com/dashboard/rbac) in the Dashboard.
+    # Additionally, [Role assignment](https://stytch.com/docs/guides/rbac/role-assignment) can be programmatically managed through certain Stytch API endpoints.
+    #
+    # Check out the [RBAC overview](https://stytch.com/docs/guides/rbac/overview) to learn more about Stytch's RBAC permissioning model.
+    #
+    # == Parameters:
+    #
+    # == Returns:
+    # An object with the following fields:
+    # request_id::
+    #   Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
+    #   The type of this field is +String+.
+    # status_code::
+    #   The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
+    #   The type of this field is +Integer+.
+    # policy::
+    #   The RBAC Policy document that contains all defined Roles and Resources – which are managed in the [Dashboard](https://stytch.com/dashboard/rbac). Read more about these entities and how they work in our [RBAC overview](https://stytch.com/docs/guides/rbac/overview).
+    #   The type of this field is nilable +Policy+ (+object+).
+    def policy
+      headers = {}
+      query_params = {}
+      request = request_with_query_params('/v1/rbac/policy', query_params)
+      get_request(request, headers)
+    end
+  end
+end