stytch 10.28.0 → 10.30.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 84042207ac59233533cc823e147225b53dfb242577ada92f7c371d91f0067346
-  data.tar.gz: 43abe43af046750571190adbb0aba08f2126c5781812385c7bf4cb88ee41871c
+  metadata.gz: 7acf63a684df206a833f253f48357c53529f4bc26570766b1d58336b22416006
+  data.tar.gz: 48c64a6a03cb92b287fe5ac5e07f5a1697cdd37423d2d2421a86ce59208c7c1c
 SHA512:
-  metadata.gz: 579d066dd8ebbda2724b7ff7824cd92686bdfecdabf10df8cf562f29a6025f24e814a746832838868c173800aac0399fac882cb52a5e281d5e776b99f4057796
-  data.tar.gz: 6dc2c0f7ae5a048d4bba0bebcf7a002f94afc7dee8d82f844147313920212814256b9aa1ad21d4cf6dbcd6396215e5213285494475e31b17aa4f47e01e75be65
+  metadata.gz: 7c7ae74e4f7d5fd3e50ad70789dbb5b55d81868e0992041aa8c5fe3be27a58dcc667ce2800a1667106ea1a595ff035cb409b84e7fe996af840a3e049428c9be7
+  data.tar.gz: 5b86b4ef7a588d67ca53ea6b93724cbf9c230b7e92548ba12bbcf8352557c177360ed13b1628effa11f1f7f8791445b29a557d0cf26536ddabdfe34f053b63cb

data/lib/stytch/b2b_client.rb

@@ -30,7 +30,7 @@ module StytchB2B
   class Client
     ENVIRONMENTS = %i[live test].freeze
 
-    attr_reader :connected_app, :discovery, :fraud, :impersonation, :m2m, :magic_links, :oauth, :otps, :organizations, :passwords, :project, :rbac, :recovery_codes, :scim, :sso, :sessions, :totps, :idp
+    attr_reader :connected_app, :discovery, :fraud, :idp, :impersonation, :m2m, :magic_links, :oauth, :otps, :organizations, :passwords, :project, :rbac, :recovery_codes, :scim, :sso, :sessions, :totps
 
     def initialize(project_id:, secret:, env: nil, fraud_env: nil, &block)
       @api_host = api_host(env, project_id)
@@ -43,11 +43,11 @@ module StytchB2B
 
       rbac = StytchB2B::RBAC.new(@connection)
       @policy_cache = Stytch::PolicyCache.new(rbac_client: rbac)
-      @idp = StytchB2B::IDP.new(@connection, @project_id, @policy_cache)
 
       @connected_app = Stytch::ConnectedApp.new(@connection)
       @discovery = StytchB2B::Discovery.new(@connection)
       @fraud = Stytch::Fraud.new(@fraud_connection)
+      @idp = StytchB2B::IDP.new(@connection, @project_id, @policy_cache)
       @impersonation = StytchB2B::Impersonation.new(@connection)
       @m2m = Stytch::M2M.new(@connection, @project_id, @is_b2b_client)
       @magic_links = StytchB2B::MagicLinks.new(@connection)

data/lib/stytch/b2b_idp.rb

@@ -1,37 +1,46 @@
 # frozen_string_literal: true
 
+# !!!
+# WARNING: This file is autogenerated
+# Only modify code within MANUAL() sections
+# or your changes may be overwritten later!
+# !!!
+
 require 'jwt'
 require 'json/jwt'
 require_relative 'errors'
 require_relative 'request_helper'
-require_relative 'rbac_local'
 
 module StytchB2B
   class IDP
     include Stytch::RequestHelper
+    attr_reader :oauth
 
     def initialize(connection, project_id, policy_cache)
       @connection = connection
-      @project_id = project_id
+
+      @oauth = StytchB2B::IDP::OAuth.new(@connection)
       @policy_cache = policy_cache
-      @non_custom_claim_keys = [
-        'aud',
-        'exp',
-        'iat',
-        'iss',
-        'jti',
-        'nbf',
-        'sub',
-        'active',
-        'client_id',
-        'request_id',
-        'scope',
-        'status_code',
-        'token_type',
-        'https://stytch.com/organization'
-      ]
+      @project_id = project_id
+      @cache_last_update = 0
+      @jwks_loader = lambda do |options|
+        @cached_keys = nil if options[:invalidate] && @cache_last_update < Time.now.to_i - 300
+        @cached_keys ||= begin
+          @cache_last_update = Time.now.to_i
+          keys = []
+          get_jwks(project_id: @project_id)['keys'].each do |r|
+            keys << r
+          end
+          { keys: keys }
+        end
+      end
     end
 
+    # MANUAL(IDP::introspect_token_network)(SERVICE_METHOD)
+    # ADDIMPORT: require 'jwt'
+    # ADDIMPORT: require 'json/jwt'
+    # ADDIMPORT: require_relative 'errors'
+
     # Introspects a token JWT from an authorization code response.
     # Access tokens are JWTs signed with the project's JWKs. Refresh tokens are opaque tokens.
     # Access tokens contain a standard set of claims as well as any custom claims generated from templates.
@@ -105,7 +114,7 @@ module StytchB2B
 
       return nil unless jwt_response['active']
 
-      custom_claims = jwt_response.reject { |k, _| @non_custom_claim_keys.include?(k) }
+      custom_claims = jwt_response.reject { |k, _| non_custom_claim_keys.include?(k) }
       organization_claim = jwt_response['https://stytch.com/organization']
       organization_id = organization_claim['organization_id']
       scope = jwt_response['scope']
@@ -183,17 +192,6 @@ module StytchB2B
       scope_claim = 'scope'
       organization_claim = 'https://stytch.com/organization'
 
-      # Create a JWKS loader similar to other classes in the codebase
-      @cache_last_update = 0
-      jwks_loader = lambda do |options|
-        @cached_keys = nil if options[:invalidate] && @cache_last_update < Time.now.to_i - 300
-        if @cached_keys.nil?
-          @cached_keys = get_jwks(project_id: @project_id)
-          @cache_last_update = Time.now.to_i
-        end
-        @cached_keys
-      end
-
       begin
         decoded_jwt = JWT.decode(
           access_token,
@@ -201,14 +199,14 @@ module StytchB2B
           true,
           {
             algorithms: ['RS256'],
-            jwks: jwks_loader,
+            jwks: @jwks_loader,
             iss: ["stytch.com/#{@project_id}", @connection.url_prefix],
             aud: @project_id
           }
         )[0]
 
         generic_claims = decoded_jwt
-        custom_claims = generic_claims.reject { |k, _| @non_custom_claim_keys.include?(k) }
+        custom_claims = generic_claims.reject { |k, _| non_custom_claim_keys.include?(k) }
         organization_claim_data = generic_claims[organization_claim]
         organization_id = organization_claim_data['organization_id']
         scope = generic_claims[scope_claim]
@@ -246,6 +244,27 @@ module StytchB2B
       end
     end
 
+    private
+
+    def non_custom_claim_keys
+      [
+        'aud',
+        'exp',
+        'iat',
+        'iss',
+        'jti',
+        'nbf',
+        'sub',
+        'active',
+        'client_id',
+        'request_id',
+        'scope',
+        'status_code',
+        'token_type',
+        'https://stytch.com/organization'
+      ]
+    end
+
     # Gets the JWKS for the project.
     #
     # == Parameters:
@@ -262,5 +281,226 @@ module StytchB2B
       request = request_with_query_params("/v1/b2b/sessions/jwks/#{project_id}", query_params)
       get_request(request, headers)
     end
+
+    # ENDMANUAL(IDP::introspect_token_network)
+
+    class OAuth
+      include Stytch::RequestHelper
+
+      def initialize(connection)
+        @connection = connection
+      end
+
+      # Initiates a request for authorization of a Connected App to access a Member's account.
+      #
+      # Call this endpoint using the query parameters from an OAuth Authorization request.
+      # This endpoint validates various fields (`scope`, `client_id`, `redirect_uri`, `prompt`, etc...) are correct and returns
+      # relevant information for rendering an OAuth Consent Screen.
+      #
+      # This endpoint returns:
+      # - A public representation of the Connected App requesting authorization
+      # - Whether _explicit_ consent must be granted before proceeding with the authorization
+      # - A list of scopes the Member has the ability to grant the Connected App
+      #
+      # Use this response to prompt the Member for consent (if necessary) before calling the [Submit OAuth Authorization](https://stytch.com/docs/b2b/api/connected-apps-oauth-authorize) endpoint.
+      #
+      # Exactly one of the following must be provided to identify the Member granting authorization:
+      # - `organization_id` + `member_id`
+      # - `session_token`
+      # - `session_jwt`
+      #
+      # If a `session_token` or `session_jwt` is passed, the OAuth Authorization will be linked to the Member's session for tracking purposes.
+      # One of these fields must be used if the Connected App intends to complete the [Exchange Access Token](https://stytch.com/docs/b2b/api/connected-app-access-token-exchange) flow.
+      #
+      # == Parameters:
+      # client_id::
+      #   The ID of the Connected App client.
+      #   The type of this field is +String+.
+      # redirect_uri::
+      #   The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow.  This field is required when using the `authorization_code` grant.
+      #   The type of this field is +String+.
+      # response_type::
+      #   The OAuth 2.0 response type. For authorization code flows this value is `code`.
+      #   The type of this field is +String+.
+      # scopes::
+      #   An array of scopes requested by the client.
+      #   The type of this field is list of +String+.
+      # organization_id::
+      #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
+      #   The type of this field is nilable +String+.
+      # member_id::
+      #   Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.
+      #   The type of this field is nilable +String+.
+      # session_token::
+      #   A secret token for a given Stytch Session.
+      #   The type of this field is nilable +String+.
+      # session_jwt::
+      #   The JSON Web Token (JWT) for a given Stytch Session.
+      #   The type of this field is nilable +String+.
+      # prompt::
+      #   Space separated list that specifies how the Authorization Server should prompt the user for reauthentication and consent. Only `consent` is supported today.
+      #   The type of this field is nilable +String+.
+      #
+      # == Returns:
+      # An object with the following fields:
+      # request_id::
+      #   Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
+      #   The type of this field is +String+.
+      # member_id::
+      #   Globally unique UUID that identifies a specific Member.
+      #   The type of this field is +String+.
+      # member::
+      #   The [Member object](https://stytch.com/docs/b2b/api/member-object)
+      #   The type of this field is +Member+ (+object+).
+      # organization::
+      #   The [Organization object](https://stytch.com/docs/b2b/api/organization-object).
+      #   The type of this field is +Organization+ (+object+).
+      # client::
+      #   (no documentation yet)
+      #   The type of this field is +ConnectedAppPublic+ (+object+).
+      # consent_required::
+      #   Whether the user must provide explicit consent for the authorization request.
+      #   The type of this field is +Boolean+.
+      # scope_results::
+      #   Details about each requested scope.
+      #   The type of this field is list of +ScopeResult+ (+object+).
+      # status_code::
+      #   (no documentation yet)
+      #   The type of this field is +Integer+.
+      def authorize_start(
+        client_id:,
+        redirect_uri:,
+        response_type:,
+        scopes:,
+        organization_id: nil,
+        member_id: nil,
+        session_token: nil,
+        session_jwt: nil,
+        prompt: nil
+      )
+        headers = {}
+        request = {
+          client_id: client_id,
+          redirect_uri: redirect_uri,
+          response_type: response_type,
+          scopes: scopes
+        }
+        request[:organization_id] = organization_id unless organization_id.nil?
+        request[:member_id] = member_id unless member_id.nil?
+        request[:session_token] = session_token unless session_token.nil?
+        request[:session_jwt] = session_jwt unless session_jwt.nil?
+        request[:prompt] = prompt unless prompt.nil?
+
+        post_request('/v1/b2b/idp/oauth/authorize/start', request, headers)
+      end
+
+      # Completes a request for authorization of a Connected App to access a Member's account.
+      #
+      # Call this endpoint using the query parameters from an OAuth Authorization request, after previously validating those parameters using the
+      # [Preflight Check](https://stytch.com/docs/b2b/api/connected-apps-oauth-authorize-start) API.
+      # Note that this endpoint takes in a few additional parameters the preflight check does not- `state`, `nonce`, and `code_challenge`.
+      #
+      # If the authorization was successful, the `redirect_uri` will contain a valid `authorization_code` embedded as a query parameter.
+      # If the authorization was unsuccessful, the `redirect_uri` will contain an OAuth2.1 `error_code`.
+      # In both cases, redirect the Member to the location for the response to be consumed by the Connected App.
+      #
+      # Exactly one of the following must be provided to identify the Member granting authorization:
+      # - `organization_id` + `member_id`
+      # - `session_token`
+      # - `session_jwt`
+      #
+      # If a `session_token` or `session_jwt` is passed, the OAuth Authorization will be linked to the Member's session for tracking purposes.
+      # One of these fields must be used if the Connected App intends to complete the [Exchange Access Token](https://stytch.com/docs/b2b/api/connected-app-access-token-exchange) flow.
+      #
+      # == Parameters:
+      # consent_granted::
+      #   Indicates whether the user granted the requested scopes.
+      #   The type of this field is +Boolean+.
+      # scopes::
+      #   An array of scopes requested by the client.
+      #   The type of this field is list of +String+.
+      # client_id::
+      #   The ID of the Connected App client.
+      #   The type of this field is +String+.
+      # redirect_uri::
+      #   The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow.  This field is required when using the `authorization_code` grant.
+      #   The type of this field is +String+.
+      # response_type::
+      #   The OAuth 2.0 response type. For authorization code flows this value is `code`.
+      #   The type of this field is +String+.
+      # organization_id::
+      #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
+      #   The type of this field is nilable +String+.
+      # member_id::
+      #   Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.
+      #   The type of this field is nilable +String+.
+      # session_token::
+      #   A secret token for a given Stytch Session.
+      #   The type of this field is nilable +String+.
+      # session_jwt::
+      #   The JSON Web Token (JWT) for a given Stytch Session.
+      #   The type of this field is nilable +String+.
+      # prompt::
+      #   Space separated list that specifies how the Authorization Server should prompt the user for reauthentication and consent. Only `consent` is supported today.
+      #   The type of this field is nilable +String+.
+      # state::
+      #   An opaque value used to maintain state between the request and callback.
+      #   The type of this field is nilable +String+.
+      # nonce::
+      #   A string used to associate a client session with an ID token to mitigate replay attacks.
+      #   The type of this field is nilable +String+.
+      # code_challenge::
+      #   A base64url encoded challenge derived from the code verifier for PKCE flows.
+      #   The type of this field is nilable +String+.
+      #
+      # == Returns:
+      # An object with the following fields:
+      # request_id::
+      #   Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
+      #   The type of this field is +String+.
+      # redirect_uri::
+      #   The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow.  This field is required when using the `authorization_code` grant.
+      #   The type of this field is +String+.
+      # status_code::
+      #   (no documentation yet)
+      #   The type of this field is +Integer+.
+      # authorization_code::
+      #   A one-time use code that can be exchanged for tokens.
+      #   The type of this field is nilable +String+.
+      def authorize(
+        consent_granted:,
+        scopes:,
+        client_id:,
+        redirect_uri:,
+        response_type:,
+        organization_id: nil,
+        member_id: nil,
+        session_token: nil,
+        session_jwt: nil,
+        prompt: nil,
+        state: nil,
+        nonce: nil,
+        code_challenge: nil
+      )
+        headers = {}
+        request = {
+          consent_granted: consent_granted,
+          scopes: scopes,
+          client_id: client_id,
+          redirect_uri: redirect_uri,
+          response_type: response_type
+        }
+        request[:organization_id] = organization_id unless organization_id.nil?
+        request[:member_id] = member_id unless member_id.nil?
+        request[:session_token] = session_token unless session_token.nil?
+        request[:session_jwt] = session_jwt unless session_jwt.nil?
+        request[:prompt] = prompt unless prompt.nil?
+        request[:state] = state unless state.nil?
+        request[:nonce] = nonce unless nonce.nil?
+        request[:code_challenge] = code_challenge unless code_challenge.nil?
+
+        post_request('/v1/b2b/idp/oauth/authorize', request, headers)
+      end
+    end
   end
 end

data/lib/stytch/b2b_organizations.rb

@@ -993,7 +993,7 @@ module StytchB2B
       # If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.info.untrusted-metadata` action on the `stytch.member` Resource. Alternatively, if the Member Session matches the Member associated with the `member_id` passed in the request, the authorization check will also allow a Member Session that has permission to perform the `update.info.untrusted-metadata` action on the `stytch.self` Resource.
       #   The type of this field is nilable +object+.
       # is_breakglass::
-      #   Identifies the Member as a break glass user - someone who has permissions to authenticate into an Organization by bypassing the Organization's settings. A break glass account is typically used for emergency purposes to gain access outside of normal authentication procedures. Refer to the [Organization object](organization-object) and its `auth_methods` and `allowed_auth_methods` fields for more details.
+      #   Identifies the Member as a break glass user - someone who has permissions to authenticate into an Organization by bypassing the Organization's settings. A break glass account is typically used for emergency purposes to gain access outside of normal authentication procedures. Refer to the [Organization object](https://stytch.com/docs/b2b/api/organization-object) and its `auth_methods` and `allowed_auth_methods` fields for more details.
       #
       # If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.is-breakglass` action on the `stytch.member` Resource.
       #   The type of this field is nilable +Boolean+.
@@ -1030,14 +1030,14 @@ module StytchB2B
       # If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.default-mfa-method` action on the `stytch.member` Resource. Alternatively, if the Member Session matches the Member associated with the `member_id` passed in the request, the authorization check will also allow a Member Session that has permission to perform the `update.settings.default-mfa-method` action on the `stytch.self` Resource.
       #   The type of this field is nilable +String+.
       # email_address::
-      #   Updates the Member's `email_address`, if provided.
+      #   Updates the Member's `email_address`, if provided. This will clear any existing passwords and require re-verification of the new email address.
       #         If a Member's email address is changed, other Members in the same Organization cannot use the old email address, although the Member may update back to their old email address.
       #         A Member's email address can only be useable again by other Members if the Member is deleted.
       #
       # If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.info.email` action on the `stytch.member` Resource. Members cannot update their own email address.
       #   The type of this field is nilable +String+.
       # external_id::
-      #   An identifier that can be used in API calls wherever a member_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. External IDs must be unique within an organization, but may be reused across different organizations in the same project.
+      #   An identifier that can be used in most API calls where a `member_id` is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. External IDs must be unique within an organization, but may be reused across different organizations in the same project.
       #   The type of this field is nilable +String+.
       # unlink_email::
       #   If `unlink_email` is `true` and an `email_address` is provided, the Member's previous email will be deleted instead of retired. Defaults to `false`.
@@ -1135,12 +1135,14 @@ module StytchB2B
 
       # Reactivates a deleted Member's status and its associated email status (if applicable) to active, specified by `organization_id` and `member_id`. This endpoint will only work for Members with at least one verified email where their `email_address_verified` is `true`.
       #
+      # Note that this endpoint does not accept an `external_id`. The Stytch `member_id` must be provided.
+      #
       # == Parameters:
       # organization_id::
       #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
       #   The type of this field is +String+.
       # member_id::
-      #   Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.
+      #   Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value.
       #   The type of this field is +String+.
       #
       # == Returns:
@@ -1292,7 +1294,7 @@ module StytchB2B
       #   Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
       #   The type of this field is +String+.
       # members::
-      #   An array of [Member objects](member-object).
+      #   An array of [Member objects](https://stytch.com/docs/b2b/api/member-object).
       #   The type of this field is list of +Member+ (+object+).
       # results_metadata::
       #   The search `results_metadata` object contains metadata relevant to your specific query like `total` and `next_cursor`.
@@ -1658,7 +1660,7 @@ module StytchB2B
       #   Flag for whether or not to save a Member as `pending` or `active` in Stytch. It defaults to false. If true, new Members will be created with status `pending` in Stytch's backend. Their status will remain `pending` and they will continue to receive signup email templates for every Email Magic Link until that Member authenticates and becomes `active`. If false, new Members will be created with status `active`.
       #   The type of this field is nilable +Boolean+.
       # is_breakglass::
-      #   Identifies the Member as a break glass user - someone who has permissions to authenticate into an Organization by bypassing the Organization's settings. A break glass account is typically used for emergency purposes to gain access outside of normal authentication procedures. Refer to the [Organization object](organization-object) and its `auth_methods` and `allowed_auth_methods` fields for more details.
+      #   Identifies the Member as a break glass user - someone who has permissions to authenticate into an Organization by bypassing the Organization's settings. A break glass account is typically used for emergency purposes to gain access outside of normal authentication procedures. Refer to the [Organization object](https://stytch.com/docs/b2b/api/organization-object) and its `auth_methods` and `allowed_auth_methods` fields for more details.
       #   The type of this field is nilable +Boolean+.
       # mfa_phone_number::
       #   The Member's phone number. A Member may only have one phone number. The phone number should be in E.164 format (i.e. +1XXXXXXXXXX).
@@ -1671,7 +1673,7 @@ module StytchB2B
       #    for more information about role assignment.
       #   The type of this field is nilable list of +String+.
       # external_id::
-      #   An identifier that can be used in API calls wherever a member_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. External IDs must be unique within an organization, but may be reused across different organizations in the same project.
+      #   An identifier that can be used in most API calls where a `member_id` is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. External IDs must be unique within an organization, but may be reused across different organizations in the same project.
       #   The type of this field is nilable +String+.
       #
       # == Returns:

data/lib/stytch/b2b_passwords.rb

@@ -51,8 +51,8 @@ module StytchB2B
     #   The type of this field is +String+.
     # valid_password::
     #   Returns `true` if the password passes our password validation. We offer two validation options,
-    #   [zxcvbn](https://stytch.com/docs/passwords#strength-requirements) is the default option which offers a high level of sophistication.
-    #   We also offer [LUDS](https://stytch.com/docs/passwords#strength-requirements). If an email address is included in the call we also
+    #   [zxcvbn](https://stytch.com/docs/guides/passwords/strength-policy) is the default option which offers a high level of sophistication.
+    #   We also offer [LUDS](https://stytch.com/docs/b2b/guides/passwords/strength-policy). If an email address is included in the call we also
     #   require that the password hasn't been compromised using built-in breach detection powered by [HaveIBeenPwned](https://haveibeenpwned.com/)
     #   The type of this field is +Boolean+.
     # score::
@@ -73,10 +73,10 @@ module StytchB2B
     #   The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
     #   The type of this field is +Integer+.
     # luds_feedback::
-    #   Feedback for how to improve the password's strength using [luds](https://stytch.com/docs/passwords#strength-requirements).
+    #   Feedback for how to improve the password's strength using [luds](https://stytch.com/docs/guides/passwords/strength-policy).
     #   The type of this field is nilable +LudsFeedback+ (+object+).
     # zxcvbn_feedback::
-    #   Feedback for how to improve the password's strength using [zxcvbn](https://stytch.com/docs/passwords#strength-requirements).
+    #   Feedback for how to improve the password's strength using [zxcvbn](https://stytch.com/docs/b2b/guides/passwords/strength-policy).
     #   The type of this field is nilable +ZxcvbnFeedback+ (+object+).
     def strength_check(
       password:,
@@ -91,6 +91,9 @@ module StytchB2B
       post_request('/v1/b2b/passwords/strength_check', request, headers)
     end
 
+    #
+    # **Warning:** This endpoint marks the Member's email address as verified. Do **not** use this endpoint unless the user has already verified their email address in your application.
+    #
     # Adds an existing password to a Member's email that doesn't have a password yet.
     #
     # We support migrating members from passwords stored with bcrypt, scrypt, argon2, MD-5, SHA-1, and PBKDF2. This endpoint has a rate limit of 100 requests per second.
@@ -161,7 +164,7 @@ module StytchB2B
     #    the user owns the phone number in question.
     #   The type of this field is nilable +Boolean+.
     # external_id::
-    #   If a new member is created, this will set an identifier that can be used in API calls wherever a member_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. External IDs must be unique within an organization, but may be reused across different organizations in the same project. Note that if a member already exists, this field will be ignored.
+    #   If a new member is created, this will set an identifier that can be used in most API calls where a `member_id` is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. External IDs must be unique within an organization, but may be reused across different organizations in the same project. Note that if a member already exists, this field will be ignored.
     #   The type of this field is nilable +String+.
     #
     # == Returns:
@@ -229,7 +232,7 @@ module StytchB2B
 
     # Authenticate a member with their email address and password. This endpoint verifies that the member has a password currently set, and that the entered password is correct.
     #
-    # If you have breach detection during authentication enabled in your [password strength policy](https://stytch.com/docs/b2b/guides/passwords/strength-policies) and the member's credentials have appeared in the HaveIBeenPwned dataset, this endpoint will return a `member_reset_password` error even if the member enters a correct password. We force a password reset in this case to ensure that the member is the legitimate owner of the email address and not a malicious actor abusing the compromised credentials.
+    # If you have breach detection during authentication enabled in your [password strength policy](https://stytch.com/docs/b2b/guides/passwords/strength-policy) and the member's credentials have appeared in the HaveIBeenPwned dataset, this endpoint will return a `member_reset_password` error even if the member enters a correct password. We force a password reset in this case to ensure that the member is the legitimate owner of the email address and not a malicious actor abusing the compromised credentials.
     #
     # If the Member is required to complete MFA to log in to the Organization, the returned value of `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned.
     # The `intermediate_session_token` can be passed into the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms) to complete the MFA step and acquire a full member session.
@@ -950,7 +953,7 @@ module StytchB2B
 
       # Authenticate an email/password combination in the discovery flow. This authenticate flow is only valid for cross-org passwords use cases, and is not tied to a specific organization.
       #
-      # If you have breach detection during authentication enabled in your [password strength policy](https://stytch.com/docs/b2b/guides/passwords/strength-policies) and the member's credentials have appeared in the HaveIBeenPwned dataset, this endpoint will return a `member_reset_password` error even if the member enters a correct password. We force a password reset in this case to ensure that the member is the legitimate owner of the email address and not a malicious actor abusing the compromised credentials.
+      # If you have breach detection during authentication enabled in your [password strength policy](https://stytch.com/docs/b2b/guides/passwords/strength-policy) and the member's credentials have appeared in the HaveIBeenPwned dataset, this endpoint will return a `member_reset_password` error even if the member enters a correct password. We force a password reset in this case to ensure that the member is the legitimate owner of the email address and not a malicious actor abusing the compromised credentials.
       #
       # If successful, this endpoint will create a new intermediate session and return a list of discovered organizations that can be session exchanged into.
       #

data/lib/stytch/b2b_sessions.rb

@@ -436,15 +436,15 @@ module StytchB2B
     # Exchange an auth token issued by a trusted identity provider for a Stytch session. You must first register a Trusted Auth Token profile in the Stytch dashboard [here](https://stytch.com/dashboard/trusted-auth-tokens).  If a session token or session JWT is provided, it will add the trusted auth token as an authentication factor to the existing session.
     #
     # == Parameters:
-    # organization_id::
-    #   The organization ID that the session should be authenticated in.
-    #   The type of this field is +String+.
     # profile_id::
     #   The ID of the trusted auth token profile to use for attestation.
     #   The type of this field is +String+.
     # token::
-    #   The trusted auth token to authenticate.
+    #   The trusted auth token to authenticate. The token must have an organization ID claim if JIT provisioning is enabled.
     #   The type of this field is +String+.
+    # organization_id::
+    #   The organization ID that the session should be authenticated in. Must be provided if the trusted auth token does not have an organization ID claim.
+    #   The type of this field is nilable +String+.
     # session_duration_minutes::
     #   Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,
     #   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of
@@ -503,9 +503,9 @@ module StytchB2B
     #   If a valid `telemetry_id` was passed in the request and the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) returned results, the `member_device` response field will contain information about the member's device attributes.
     #   The type of this field is nilable +DeviceInfo+ (+object+).
     def attest(
-      organization_id:,
       profile_id:,
       token:,
+      organization_id: nil,
       session_duration_minutes: nil,
       session_custom_claims: nil,
       session_token: nil,
@@ -514,10 +514,10 @@ module StytchB2B
     )
       headers = {}
       request = {
-        organization_id: organization_id,
         profile_id: profile_id,
         token: token
       }
+      request[:organization_id] = organization_id unless organization_id.nil?
       request[:session_duration_minutes] = session_duration_minutes unless session_duration_minutes.nil?
       request[:session_custom_claims] = session_custom_claims unless session_custom_claims.nil?
       request[:session_token] = session_token unless session_token.nil?

data/lib/stytch/b2b_sso.rb

@@ -546,6 +546,25 @@ module StytchB2B
         end
       end
 
+      class DeleteEncryptionPrivateKeyRequestOptions
+        # Optional authorization object.
+        # Pass in an active Stytch Member session token or session JWT and the request
+        # will be run using that member's permissions.
+        attr_accessor :authorization
+
+        def initialize(
+          authorization: nil
+        )
+          @authorization = authorization
+        end
+
+        def to_headers
+          headers = {}
+          headers.merge!(@authorization.to_headers) if authorization
+          headers
+        end
+      end
+
       include Stytch::RequestHelper
 
       def initialize(connection)
@@ -656,6 +675,9 @@ module StytchB2B
       # idp_initiated_auth_disabled::
       #   Determines whether IDP initiated auth is allowed for a given SAML connection. Defaults to false (IDP Initiated Auth is enabled).
       #   The type of this field is nilable +Boolean+.
+      # saml_encryption_private_key::
+      #   A PKCS1 format RSA private key used to decrypt encrypted SAML assertions. Only PKCS1 format (starting with "-----BEGIN RSA PRIVATE KEY-----") is supported.
+      #   The type of this field is nilable +String+.
       #
       # == Returns:
       # An object with the following fields:
@@ -687,6 +709,7 @@ module StytchB2B
         nameid_format: nil,
         alternative_acs_url: nil,
         idp_initiated_auth_disabled: nil,
+        saml_encryption_private_key: nil,
         method_options: nil
       )
         headers = {}
@@ -705,6 +728,7 @@ module StytchB2B
         request[:nameid_format] = nameid_format unless nameid_format.nil?
         request[:alternative_acs_url] = alternative_acs_url unless alternative_acs_url.nil?
         request[:idp_initiated_auth_disabled] = idp_initiated_auth_disabled unless idp_initiated_auth_disabled.nil?
+        request[:saml_encryption_private_key] = saml_encryption_private_key unless saml_encryption_private_key.nil?
 
         put_request("/v1/b2b/sso/saml/#{organization_id}/connections/#{connection_id}", request, headers)
       end
@@ -796,6 +820,44 @@ module StytchB2B
         headers = headers.merge(method_options.to_headers) unless method_options.nil?
         delete_request("/v1/b2b/sso/saml/#{organization_id}/connections/#{connection_id}/verification_certificates/#{certificate_id}", headers)
       end
+
+      # Delete a SAML encryption private key.
+      #
+      # == Parameters:
+      # organization_id::
+      #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
+      #   The type of this field is +String+.
+      # connection_id::
+      #   Globally unique UUID that identifies a specific SSO `connection_id` for a Member.
+      #   The type of this field is +String+.
+      # private_key_id::
+      #   The ID of the encryption private key to be deleted.
+      #   The type of this field is +String+.
+      #
+      # == Returns:
+      # An object with the following fields:
+      # request_id::
+      #   Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
+      #   The type of this field is +String+.
+      # private_key_id::
+      #   The ID of the encryption private key.
+      #   The type of this field is +String+.
+      # status_code::
+      #   The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
+      #   The type of this field is +Integer+.
+      #
+      # == Method Options:
+      # This method supports an optional +StytchB2B::SSO::SAML::DeleteEncryptionPrivateKeyRequestOptions+ object which will modify the headers sent in the HTTP request.
+      def delete_encryption_private_key(
+        organization_id:,
+        connection_id:,
+        private_key_id:,
+        method_options: nil
+      )
+        headers = {}
+        headers = headers.merge(method_options.to_headers) unless method_options.nil?
+        delete_request("/v1/b2b/sso/saml/#{organization_id}/connections/#{connection_id}/encryption_private_keys/#{private_key_id}", headers)
+      end
     end
 
     class External

data/lib/stytch/client.rb

@@ -28,7 +28,7 @@ module Stytch
   class Client
     ENVIRONMENTS = %i[live test].freeze
 
-    attr_reader :connected_app, :crypto_wallets, :fraud, :impersonation, :m2m, :magic_links, :oauth, :otps, :passwords, :project, :rbac, :sessions, :totps, :users, :webauthn, :idp
+    attr_reader :connected_app, :crypto_wallets, :fraud, :idp, :impersonation, :m2m, :magic_links, :oauth, :otps, :passwords, :project, :rbac, :sessions, :totps, :users, :webauthn
 
     def initialize(project_id:, secret:, env: nil, fraud_env: nil, &block)
       @api_host = api_host(env, project_id)
@@ -41,11 +41,11 @@ module Stytch
 
       rbac = Stytch::RBAC.new(@connection)
       @policy_cache = Stytch::PolicyCache.new(rbac_client: rbac)
-      @idp = Stytch::IDP.new(@connection, @project_id, @policy_cache)
 
       @connected_app = Stytch::ConnectedApp.new(@connection)
       @crypto_wallets = Stytch::CryptoWallets.new(@connection)
       @fraud = Stytch::Fraud.new(@fraud_connection)
+      @idp = Stytch::IDP.new(@connection, @project_id, @policy_cache)
       @impersonation = Stytch::Impersonation.new(@connection)
       @m2m = Stytch::M2M.new(@connection, @project_id, @is_b2b_client)
       @magic_links = Stytch::MagicLinks.new(@connection)

data/lib/stytch/connected_apps.rb

@@ -202,21 +202,18 @@ module Stytch
       # client_type::
       #   The type of Connected App. Supported values are `first_party`, `first_party_public`, `third_party`, and `third_party_public`.
       #   The type of this field is +CreateRequestClientType+ (string enum).
-      # redirect_urls::
-      #   Array of redirect URI values for use in OAuth Authorization flows.
-      #   The type of this field is list of +String+.
-      # full_access_allowed::
-      #   Valid for first party clients only. If `true`, an authorization token granted to this Client can be exchanged for a full Stytch session.
-      #   The type of this field is +Boolean+.
-      # post_logout_redirect_urls::
-      #   Array of redirect URI values for use in OIDC Logout flows.
-      #   The type of this field is list of +String+.
       # client_name::
       #   A human-readable name for the client.
       #   The type of this field is nilable +String+.
       # client_description::
       #   A human-readable description for the client.
       #   The type of this field is nilable +String+.
+      # redirect_urls::
+      #   Array of redirect URI values for use in OAuth Authorization flows.
+      #   The type of this field is nilable list of +String+.
+      # full_access_allowed::
+      #   Valid for first party clients only. If `true`, an authorization token granted to this Client can be exchanged for a full Stytch session.
+      #   The type of this field is nilable +Boolean+.
       # access_token_expiry_minutes::
       #   The number of minutes before the access token expires. The default is 60 minutes.
       #   The type of this field is nilable +Integer+.
@@ -226,6 +223,9 @@ module Stytch
       # access_token_template_content::
       #   The content of the access token custom claims template. The template must be a valid JSON object.
       #   The type of this field is nilable +String+.
+      # post_logout_redirect_urls::
+      #   Array of redirect URI values for use in OIDC Logout flows.
+      #   The type of this field is nilable list of +String+.
       # logo_url::
       #   The logo URL of the Connected App, if any.
       #   The type of this field is nilable +String+.
@@ -246,29 +246,29 @@ module Stytch
       #   The type of this field is +Integer+.
       def create(
         client_type:,
-        redirect_urls:,
-        full_access_allowed:,
-        post_logout_redirect_urls:,
         client_name: nil,
         client_description: nil,
+        redirect_urls: nil,
+        full_access_allowed: nil,
         access_token_expiry_minutes: nil,
         access_token_custom_audience: nil,
         access_token_template_content: nil,
+        post_logout_redirect_urls: nil,
         logo_url: nil,
         bypass_consent_for_offline_access: nil
       )
         headers = {}
         request = {
-          client_type: client_type,
-          redirect_urls: redirect_urls,
-          full_access_allowed: full_access_allowed,
-          post_logout_redirect_urls: post_logout_redirect_urls
+          client_type: client_type
         }
         request[:client_name] = client_name unless client_name.nil?
         request[:client_description] = client_description unless client_description.nil?
+        request[:redirect_urls] = redirect_urls unless redirect_urls.nil?
+        request[:full_access_allowed] = full_access_allowed unless full_access_allowed.nil?
         request[:access_token_expiry_minutes] = access_token_expiry_minutes unless access_token_expiry_minutes.nil?
         request[:access_token_custom_audience] = access_token_custom_audience unless access_token_custom_audience.nil?
         request[:access_token_template_content] = access_token_template_content unless access_token_template_content.nil?
+        request[:post_logout_redirect_urls] = post_logout_redirect_urls unless post_logout_redirect_urls.nil?
         request[:logo_url] = logo_url unless logo_url.nil?
         request[:bypass_consent_for_offline_access] = bypass_consent_for_offline_access unless bypass_consent_for_offline_access.nil?
 

data/lib/stytch/idp.rb

@@ -1,36 +1,46 @@
 # frozen_string_literal: true
 
+# !!!
+# WARNING: This file is autogenerated
+# Only modify code within MANUAL() sections
+# or your changes may be overwritten later!
+# !!!
+
 require 'jwt'
 require 'json/jwt'
 require_relative 'errors'
 require_relative 'request_helper'
-require_relative 'rbac_local'
 
 module Stytch
   class IDP
     include Stytch::RequestHelper
+    attr_reader :oauth
 
     def initialize(connection, project_id, policy_cache)
       @connection = connection
-      @project_id = project_id
+
+      @oauth = Stytch::IDP::OAuth.new(@connection)
       @policy_cache = policy_cache
-      @non_custom_claim_keys = %w[
-        aud
-        exp
-        iat
-        iss
-        jti
-        nbf
-        sub
-        active
-        client_id
-        request_id
-        scope
-        status_code
-        token_type
-      ]
+      @project_id = project_id
+      @cache_last_update = 0
+      @jwks_loader = lambda do |options|
+        @cached_keys = nil if options[:invalidate] && @cache_last_update < Time.now.to_i - 300
+        @cached_keys ||= begin
+          @cache_last_update = Time.now.to_i
+          keys = []
+          get_jwks(project_id: @project_id)['keys'].each do |r|
+            keys << r
+          end
+          { keys: keys }
+        end
+      end
     end
 
+    # MANUAL(IDP::introspect_token_network)(SERVICE_METHOD)
+    # ADDIMPORT: require 'jwt'
+    # ADDIMPORT: require 'json/jwt'
+    # ADDIMPORT: require_relative 'errors'
+
     # Introspects a token JWT from an authorization code response.
     # Access tokens are JWTs signed with the project's JWKs. Refresh tokens are opaque tokens.
     # Access tokens contain a standard set of claims as well as any custom claims generated from templates.
@@ -102,7 +112,7 @@ module Stytch
       jwt_response = res
       return nil unless jwt_response['active']
 
-      custom_claims = res.reject { |k, _| @non_custom_claim_keys.include?(k) }
+      custom_claims = res.reject { |k, _| non_custom_claim_keys.include?(k) }
       scope = jwt_response['scope']
 
       if authorization_check
@@ -171,18 +181,6 @@ module Stytch
       authorization_check: nil
     )
       scope_claim = 'scope'
-
-      # Create a JWKS loader similar to other classes in the codebase
-      @cache_last_update = 0
-      jwks_loader = lambda do |options|
-        @cached_keys = nil if options[:invalidate] && @cache_last_update < Time.now.to_i - 300
-        if @cached_keys.nil?
-          @cached_keys = get_jwks(project_id: @project_id)
-          @cache_last_update = Time.now.to_i
-        end
-        @cached_keys
-      end
-
       begin
         decoded_jwt = JWT.decode(
           access_token,
@@ -190,14 +188,14 @@ module Stytch
           true,
           {
             algorithms: ['RS256'],
-            jwks: jwks_loader,
+            jwks: @jwks_loader,
             iss: ["stytch.com/#{@project_id}", @connection.url_prefix],
             aud: @project_id
           }
         )[0]
 
         generic_claims = decoded_jwt
-        custom_claims = generic_claims.reject { |k, _| @non_custom_claim_keys.include?(k) }
+        custom_claims = generic_claims.reject { |k, _| non_custom_claim_keys.include?(k) }
         scope = generic_claims[scope_claim]
 
         if authorization_check
@@ -231,6 +229,26 @@ module Stytch
       end
     end
 
+    private
+
+    def non_custom_claim_keys
+      %w[
+        aud
+        exp
+        iat
+        iss
+        jti
+        nbf
+        sub
+        active
+        client_id
+        request_id
+        scope
+        status_code
+        token_type
+      ]
+    end
+
     # Gets the JWKS for the project.
     #
     # == Parameters:
@@ -247,5 +265,213 @@ module Stytch
       request = request_with_query_params("/v1/sessions/jwks/#{project_id}", query_params)
       get_request(request, headers)
     end
+
+    # ENDMANUAL(IDP::introspect_token_network)
+
+    class OAuth
+      include Stytch::RequestHelper
+
+      def initialize(connection)
+        @connection = connection
+      end
+
+      # Initiates a request for authorization of a Connected App to access a User's account.
+      #
+      # Call this endpoint using the query parameters from an OAuth Authorization request.
+      # This endpoint validates various fields (`scope`, `client_id`, `redirect_uri`, `prompt`, etc...) are correct and returns
+      # relevant information for rendering an OAuth Consent Screen.
+      #
+      # This endpoint returns:
+      # - A public representation of the Connected App requesting authorization
+      # - Whether _explicit_ user consent must be granted before proceeding with the authorization
+      # - A list of scopes the user has the ability to grant the Connected App
+      #
+      # Use this response to prompt the user for consent (if necessary) before calling the [Submit OAuth Authorization](https://stytch.com/docs/api/connected-apps-oauth-authorize) endpoint.
+      #
+      # Exactly one of the following must be provided to identify the user granting authorization:
+      # - `user_id`
+      # - `session_token`
+      # - `session_jwt`
+      #
+      # If a `session_token` or `session_jwt` is passed, the OAuth Authorization will be linked to the user's session for tracking purposes.
+      # One of these fields must be used if the Connected App intends to complete the [Exchange Access Token](https://stytch.com/docs/api/connected-app-access-token-exchange) flow.
+      #
+      # == Parameters:
+      # client_id::
+      #   The ID of the Connected App client.
+      #   The type of this field is +String+.
+      # redirect_uri::
+      #   The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow.  This field is required when using the `authorization_code` grant.
+      #   The type of this field is +String+.
+      # response_type::
+      #   The OAuth 2.0 response type. For authorization code flows this value is `code`.
+      #   The type of this field is +String+.
+      # scopes::
+      #   An array of scopes requested by the client.
+      #   The type of this field is list of +String+.
+      # user_id::
+      #   The unique ID of a specific User. You may use an `external_id` here if one is set for the user.
+      #   The type of this field is nilable +String+.
+      # session_token::
+      #   The `session_token` associated with a User's existing Session.
+      #   The type of this field is nilable +String+.
+      # session_jwt::
+      #   The `session_jwt` associated with a User's existing Session.
+      #   The type of this field is nilable +String+.
+      # prompt::
+      #   Space separated list that specifies how the Authorization Server should prompt the user for reauthentication and consent. Only `consent` is supported today.
+      #   The type of this field is nilable +String+.
+      #
+      # == Returns:
+      # An object with the following fields:
+      # request_id::
+      #   Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
+      #   The type of this field is +String+.
+      # user_id::
+      #   The unique ID of the affected User.
+      #   The type of this field is +String+.
+      # user::
+      #   The `user` object affected by this API call. See the [Get user endpoint](https://stytch.com/docs/api/get-user) for complete response field details.
+      #   The type of this field is +User+ (+object+).
+      # client::
+      #   (no documentation yet)
+      #   The type of this field is +ConnectedAppPublic+ (+object+).
+      # consent_required::
+      #   Whether the user must provide explicit consent for the authorization request.
+      #   The type of this field is +Boolean+.
+      # scope_results::
+      #   Details about each requested scope.
+      #   The type of this field is list of +ScopeResult+ (+object+).
+      # status_code::
+      #   (no documentation yet)
+      #   The type of this field is +Integer+.
+      def authorize_start(
+        client_id:,
+        redirect_uri:,
+        response_type:,
+        scopes:,
+        user_id: nil,
+        session_token: nil,
+        session_jwt: nil,
+        prompt: nil
+      )
+        headers = {}
+        request = {
+          client_id: client_id,
+          redirect_uri: redirect_uri,
+          response_type: response_type,
+          scopes: scopes
+        }
+        request[:user_id] = user_id unless user_id.nil?
+        request[:session_token] = session_token unless session_token.nil?
+        request[:session_jwt] = session_jwt unless session_jwt.nil?
+        request[:prompt] = prompt unless prompt.nil?
+
+        post_request('/v1/idp/oauth/authorize/start', request, headers)
+      end
+
+      # Completes a request for authorization of a Connected App to access a User's account.
+      #
+      # Call this endpoint using the query parameters from an OAuth Authorization request, after previously validating those parameters using the
+      # [Preflight Check](https://stytch.com/docs/api/connected-apps-oauth-authorize-start) API.
+      # Note that this endpoint takes in a few additional parameters the preflight check does not- `state`, `nonce`, and `code_challenge`.
+      #
+      # If the authorization was successful, the `redirect_uri` will contain a valid `authorization_code` embedded as a query parameter.
+      # If the authorization was unsuccessful, the `redirect_uri` will contain an OAuth2.1 `error_code`.
+      # In both cases, redirect the user to the location for the response to be consumed by the Connected App.
+      #
+      # Exactly one of the following must be provided to identify the user granting authorization:
+      # - `user_id`
+      # - `session_token`
+      # - `session_jwt`
+      #
+      # If a `session_token` or `session_jwt` is passed, the OAuth Authorization will be linked to the user's session for tracking purposes.
+      # One of these fields must be used if the Connected App intends to complete the [Exchange Access Token](https://stytch.com/docs/api/connected-app-access-token-exchange) flow.
+      #
+      # == Parameters:
+      # consent_granted::
+      #   Indicates whether the user granted the requested scopes.
+      #   The type of this field is +Boolean+.
+      # scopes::
+      #   An array of scopes requested by the client.
+      #   The type of this field is list of +String+.
+      # client_id::
+      #   The ID of the Connected App client.
+      #   The type of this field is +String+.
+      # redirect_uri::
+      #   The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow.  This field is required when using the `authorization_code` grant.
+      #   The type of this field is +String+.
+      # response_type::
+      #   The OAuth 2.0 response type. For authorization code flows this value is `code`.
+      #   The type of this field is +String+.
+      # user_id::
+      #   The unique ID of a specific User. You may use an `external_id` here if one is set for the user.
+      #   The type of this field is nilable +String+.
+      # session_token::
+      #   The `session_token` associated with a User's existing Session.
+      #   The type of this field is nilable +String+.
+      # session_jwt::
+      #   The `session_jwt` associated with a User's existing Session.
+      #   The type of this field is nilable +String+.
+      # prompt::
+      #   Space separated list that specifies how the Authorization Server should prompt the user for reauthentication and consent. Only `consent` is supported today.
+      #   The type of this field is nilable +String+.
+      # state::
+      #   An opaque value used to maintain state between the request and callback.
+      #   The type of this field is nilable +String+.
+      # nonce::
+      #   A string used to associate a client session with an ID token to mitigate replay attacks.
+      #   The type of this field is nilable +String+.
+      # code_challenge::
+      #   A base64url encoded challenge derived from the code verifier for PKCE flows.
+      #   The type of this field is nilable +String+.
+      #
+      # == Returns:
+      # An object with the following fields:
+      # request_id::
+      #   Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
+      #   The type of this field is +String+.
+      # redirect_uri::
+      #   The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow.  This field is required when using the `authorization_code` grant.
+      #   The type of this field is +String+.
+      # status_code::
+      #   (no documentation yet)
+      #   The type of this field is +Integer+.
+      # authorization_code::
+      #   A one-time use code that can be exchanged for tokens.
+      #   The type of this field is nilable +String+.
+      def authorize(
+        consent_granted:,
+        scopes:,
+        client_id:,
+        redirect_uri:,
+        response_type:,
+        user_id: nil,
+        session_token: nil,
+        session_jwt: nil,
+        prompt: nil,
+        state: nil,
+        nonce: nil,
+        code_challenge: nil
+      )
+        headers = {}
+        request = {
+          consent_granted: consent_granted,
+          scopes: scopes,
+          client_id: client_id,
+          redirect_uri: redirect_uri,
+          response_type: response_type
+        }
+        request[:user_id] = user_id unless user_id.nil?
+        request[:session_token] = session_token unless session_token.nil?
+        request[:session_jwt] = session_jwt unless session_jwt.nil?
+        request[:prompt] = prompt unless prompt.nil?
+        request[:state] = state unless state.nil?
+        request[:nonce] = nonce unless nonce.nil?
+        request[:code_challenge] = code_challenge unless code_challenge.nil?
+
+        post_request('/v1/idp/oauth/authorize', request, headers)
+      end
+    end
   end
 end

data/lib/stytch/passwords.rb

@@ -242,7 +242,7 @@ module Stytch
     #   Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
     #   The type of this field is +String+.
     # valid_password::
-    #   Returns `true` if the password passes our password validation. We offer two validation options, [zxcvbn](https://stytch.com/docs/passwords#strength-requirements) is the default option which offers a high level of sophistication. We also offer [LUDS](https://stytch.com/docs/passwords#strength-requirements). If an email address is included in the call we also require that the password hasn't been compromised using built-in breach detection powered by [HaveIBeenPwned](https://haveibeenpwned.com/).
+    #   Returns `true` if the password passes our password validation. We offer two validation options, [zxcvbn](https://stytch.com/docs/guides/passwords/strength-policy) is the default option which offers a high level of sophistication. We also offer [LUDS](https://stytch.com/docs/guides/passwords/strength-policy). If an email address is included in the call we also require that the password hasn't been compromised using built-in breach detection powered by [HaveIBeenPwned](https://haveibeenpwned.com/).
     #   The type of this field is +Boolean+.
     # score::
     #   The score of the password determined by [zxcvbn](https://github.com/dropbox/zxcvbn). Values will be between 1 and 4, a 3 or greater is required to pass validation.
@@ -327,7 +327,8 @@ module Stytch
     #   If a new user is created, this will set an identifier that can be used in API calls wherever a user_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters.
     #   The type of this field is nilable +String+.
     # roles::
-    #   (no documentation yet)
+    #   Roles to explicitly assign to this User.
+    #    See the [RBAC guide](https://stytch.com/docs/guides/rbac/role-assignment) for more information about role assignment.
     #   The type of this field is nilable list of +String+.
     #
     # == Returns:

data/lib/stytch/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Stytch
-  VERSION = '10.28.0'
+  VERSION = '10.30.0'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: stytch
 version: !ruby/object:Gem::Version
-  version: 10.28.0
+  version: 10.30.0
 platform: ruby
 authors:
 - stytch
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-08-12 00:00:00.000000000 Z
+date: 2025-08-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday