stytch 10.29.0 → 10.30.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9837d4362966d389505ea7b235379cb635e2dc5eda22537dac31e8ec0f6e1bcd
-  data.tar.gz: 72ba0b2c7af66364d677ed6ae70ed3278a0375e40e6a4f00dbbe912d31407cdf
+  metadata.gz: 7acf63a684df206a833f253f48357c53529f4bc26570766b1d58336b22416006
+  data.tar.gz: 48c64a6a03cb92b287fe5ac5e07f5a1697cdd37423d2d2421a86ce59208c7c1c
 SHA512:
-  metadata.gz: 3e359e41dc088a10f7174b2f72df1c3f552a82e92df50b5dd5c7b7e6cb7f6e053e3fc6a3b42f518ca66bd663d930957ece13c53b3a3ff4ddbaef788edad5ce5b
-  data.tar.gz: ea6fb4ed455954c907ed1d8d34cdb09057de8485037b3474b16ecdab6edfc50241737805a879a22d15c6ecbe9d63ad69532483e88605b1b58d378d0d8f201ad2
+  metadata.gz: 7c7ae74e4f7d5fd3e50ad70789dbb5b55d81868e0992041aa8c5fe3be27a58dcc667ce2800a1667106ea1a595ff035cb409b84e7fe996af840a3e049428c9be7
+  data.tar.gz: 5b86b4ef7a588d67ca53ea6b93724cbf9c230b7e92548ba12bbcf8352557c177360ed13b1628effa11f1f7f8791445b29a557d0cf26536ddabdfe34f053b63cb

data/lib/stytch/b2b_organizations.rb

@@ -993,7 +993,7 @@ module StytchB2B
       # If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.info.untrusted-metadata` action on the `stytch.member` Resource. Alternatively, if the Member Session matches the Member associated with the `member_id` passed in the request, the authorization check will also allow a Member Session that has permission to perform the `update.info.untrusted-metadata` action on the `stytch.self` Resource.
       #   The type of this field is nilable +object+.
       # is_breakglass::
-      #   Identifies the Member as a break glass user - someone who has permissions to authenticate into an Organization by bypassing the Organization's settings. A break glass account is typically used for emergency purposes to gain access outside of normal authentication procedures. Refer to the [Organization object](organization-object) and its `auth_methods` and `allowed_auth_methods` fields for more details.
+      #   Identifies the Member as a break glass user - someone who has permissions to authenticate into an Organization by bypassing the Organization's settings. A break glass account is typically used for emergency purposes to gain access outside of normal authentication procedures. Refer to the [Organization object](https://stytch.com/docs/b2b/api/organization-object) and its `auth_methods` and `allowed_auth_methods` fields for more details.
       #
       # If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.is-breakglass` action on the `stytch.member` Resource.
       #   The type of this field is nilable +Boolean+.
@@ -1037,7 +1037,7 @@ module StytchB2B
       # If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.info.email` action on the `stytch.member` Resource. Members cannot update their own email address.
       #   The type of this field is nilable +String+.
       # external_id::
-      #   An identifier that can be used in API calls wherever a member_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. External IDs must be unique within an organization, but may be reused across different organizations in the same project.
+      #   An identifier that can be used in most API calls where a `member_id` is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. External IDs must be unique within an organization, but may be reused across different organizations in the same project.
       #   The type of this field is nilable +String+.
       # unlink_email::
       #   If `unlink_email` is `true` and an `email_address` is provided, the Member's previous email will be deleted instead of retired. Defaults to `false`.
@@ -1135,12 +1135,14 @@ module StytchB2B
 
       # Reactivates a deleted Member's status and its associated email status (if applicable) to active, specified by `organization_id` and `member_id`. This endpoint will only work for Members with at least one verified email where their `email_address_verified` is `true`.
       #
+      # Note that this endpoint does not accept an `external_id`. The Stytch `member_id` must be provided.
+      #
       # == Parameters:
       # organization_id::
       #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
       #   The type of this field is +String+.
       # member_id::
-      #   Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.
+      #   Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value.
       #   The type of this field is +String+.
       #
       # == Returns:
@@ -1292,7 +1294,7 @@ module StytchB2B
       #   Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
       #   The type of this field is +String+.
       # members::
-      #   An array of [Member objects](member-object).
+      #   An array of [Member objects](https://stytch.com/docs/b2b/api/member-object).
       #   The type of this field is list of +Member+ (+object+).
       # results_metadata::
       #   The search `results_metadata` object contains metadata relevant to your specific query like `total` and `next_cursor`.
@@ -1658,7 +1660,7 @@ module StytchB2B
       #   Flag for whether or not to save a Member as `pending` or `active` in Stytch. It defaults to false. If true, new Members will be created with status `pending` in Stytch's backend. Their status will remain `pending` and they will continue to receive signup email templates for every Email Magic Link until that Member authenticates and becomes `active`. If false, new Members will be created with status `active`.
       #   The type of this field is nilable +Boolean+.
       # is_breakglass::
-      #   Identifies the Member as a break glass user - someone who has permissions to authenticate into an Organization by bypassing the Organization's settings. A break glass account is typically used for emergency purposes to gain access outside of normal authentication procedures. Refer to the [Organization object](organization-object) and its `auth_methods` and `allowed_auth_methods` fields for more details.
+      #   Identifies the Member as a break glass user - someone who has permissions to authenticate into an Organization by bypassing the Organization's settings. A break glass account is typically used for emergency purposes to gain access outside of normal authentication procedures. Refer to the [Organization object](https://stytch.com/docs/b2b/api/organization-object) and its `auth_methods` and `allowed_auth_methods` fields for more details.
       #   The type of this field is nilable +Boolean+.
       # mfa_phone_number::
       #   The Member's phone number. A Member may only have one phone number. The phone number should be in E.164 format (i.e. +1XXXXXXXXXX).
@@ -1671,7 +1673,7 @@ module StytchB2B
       #    for more information about role assignment.
       #   The type of this field is nilable list of +String+.
       # external_id::
-      #   An identifier that can be used in API calls wherever a member_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. External IDs must be unique within an organization, but may be reused across different organizations in the same project.
+      #   An identifier that can be used in most API calls where a `member_id` is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. External IDs must be unique within an organization, but may be reused across different organizations in the same project.
       #   The type of this field is nilable +String+.
       #
       # == Returns:

data/lib/stytch/b2b_passwords.rb

@@ -51,8 +51,8 @@ module StytchB2B
     #   The type of this field is +String+.
     # valid_password::
     #   Returns `true` if the password passes our password validation. We offer two validation options,
-    #   [zxcvbn](https://stytch.com/docs/passwords#strength-requirements) is the default option which offers a high level of sophistication.
-    #   We also offer [LUDS](https://stytch.com/docs/passwords#strength-requirements). If an email address is included in the call we also
+    #   [zxcvbn](https://stytch.com/docs/guides/passwords/strength-policy) is the default option which offers a high level of sophistication.
+    #   We also offer [LUDS](https://stytch.com/docs/b2b/guides/passwords/strength-policy). If an email address is included in the call we also
     #   require that the password hasn't been compromised using built-in breach detection powered by [HaveIBeenPwned](https://haveibeenpwned.com/)
     #   The type of this field is +Boolean+.
     # score::
@@ -73,10 +73,10 @@ module StytchB2B
     #   The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
     #   The type of this field is +Integer+.
     # luds_feedback::
-    #   Feedback for how to improve the password's strength using [luds](https://stytch.com/docs/passwords#strength-requirements).
+    #   Feedback for how to improve the password's strength using [luds](https://stytch.com/docs/guides/passwords/strength-policy).
     #   The type of this field is nilable +LudsFeedback+ (+object+).
     # zxcvbn_feedback::
-    #   Feedback for how to improve the password's strength using [zxcvbn](https://stytch.com/docs/passwords#strength-requirements).
+    #   Feedback for how to improve the password's strength using [zxcvbn](https://stytch.com/docs/b2b/guides/passwords/strength-policy).
     #   The type of this field is nilable +ZxcvbnFeedback+ (+object+).
     def strength_check(
       password:,
@@ -91,6 +91,9 @@ module StytchB2B
       post_request('/v1/b2b/passwords/strength_check', request, headers)
     end
 
+    #
+    # **Warning:** This endpoint marks the Member's email address as verified. Do **not** use this endpoint unless the user has already verified their email address in your application.
+    #
     # Adds an existing password to a Member's email that doesn't have a password yet.
     #
     # We support migrating members from passwords stored with bcrypt, scrypt, argon2, MD-5, SHA-1, and PBKDF2. This endpoint has a rate limit of 100 requests per second.
@@ -161,7 +164,7 @@ module StytchB2B
     #    the user owns the phone number in question.
     #   The type of this field is nilable +Boolean+.
     # external_id::
-    #   If a new member is created, this will set an identifier that can be used in API calls wherever a member_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. External IDs must be unique within an organization, but may be reused across different organizations in the same project. Note that if a member already exists, this field will be ignored.
+    #   If a new member is created, this will set an identifier that can be used in most API calls where a `member_id` is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. External IDs must be unique within an organization, but may be reused across different organizations in the same project. Note that if a member already exists, this field will be ignored.
     #   The type of this field is nilable +String+.
     #
     # == Returns:
@@ -229,7 +232,7 @@ module StytchB2B
 
     # Authenticate a member with their email address and password. This endpoint verifies that the member has a password currently set, and that the entered password is correct.
     #
-    # If you have breach detection during authentication enabled in your [password strength policy](https://stytch.com/docs/b2b/guides/passwords/strength-policies) and the member's credentials have appeared in the HaveIBeenPwned dataset, this endpoint will return a `member_reset_password` error even if the member enters a correct password. We force a password reset in this case to ensure that the member is the legitimate owner of the email address and not a malicious actor abusing the compromised credentials.
+    # If you have breach detection during authentication enabled in your [password strength policy](https://stytch.com/docs/b2b/guides/passwords/strength-policy) and the member's credentials have appeared in the HaveIBeenPwned dataset, this endpoint will return a `member_reset_password` error even if the member enters a correct password. We force a password reset in this case to ensure that the member is the legitimate owner of the email address and not a malicious actor abusing the compromised credentials.
     #
     # If the Member is required to complete MFA to log in to the Organization, the returned value of `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned.
     # The `intermediate_session_token` can be passed into the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms) to complete the MFA step and acquire a full member session.
@@ -950,7 +953,7 @@ module StytchB2B
 
       # Authenticate an email/password combination in the discovery flow. This authenticate flow is only valid for cross-org passwords use cases, and is not tied to a specific organization.
       #
-      # If you have breach detection during authentication enabled in your [password strength policy](https://stytch.com/docs/b2b/guides/passwords/strength-policies) and the member's credentials have appeared in the HaveIBeenPwned dataset, this endpoint will return a `member_reset_password` error even if the member enters a correct password. We force a password reset in this case to ensure that the member is the legitimate owner of the email address and not a malicious actor abusing the compromised credentials.
+      # If you have breach detection during authentication enabled in your [password strength policy](https://stytch.com/docs/b2b/guides/passwords/strength-policy) and the member's credentials have appeared in the HaveIBeenPwned dataset, this endpoint will return a `member_reset_password` error even if the member enters a correct password. We force a password reset in this case to ensure that the member is the legitimate owner of the email address and not a malicious actor abusing the compromised credentials.
       #
       # If successful, this endpoint will create a new intermediate session and return a list of discovered organizations that can be session exchanged into.
       #

data/lib/stytch/b2b_sessions.rb

@@ -440,10 +440,10 @@ module StytchB2B
     #   The ID of the trusted auth token profile to use for attestation.
     #   The type of this field is +String+.
     # token::
-    #   The trusted auth token to authenticate.
+    #   The trusted auth token to authenticate. The token must have an organization ID claim if JIT provisioning is enabled.
     #   The type of this field is +String+.
     # organization_id::
-    #   The organization ID that the session should be authenticated in.
+    #   The organization ID that the session should be authenticated in. Must be provided if the trusted auth token does not have an organization ID claim.
     #   The type of this field is nilable +String+.
     # session_duration_minutes::
     #   Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,

data/lib/stytch/b2b_sso.rb

@@ -546,6 +546,25 @@ module StytchB2B
         end
       end
 
+      class DeleteEncryptionPrivateKeyRequestOptions
+        # Optional authorization object.
+        # Pass in an active Stytch Member session token or session JWT and the request
+        # will be run using that member's permissions.
+        attr_accessor :authorization
+
+        def initialize(
+          authorization: nil
+        )
+          @authorization = authorization
+        end
+
+        def to_headers
+          headers = {}
+          headers.merge!(@authorization.to_headers) if authorization
+          headers
+        end
+      end
+
       include Stytch::RequestHelper
 
       def initialize(connection)
@@ -656,6 +675,9 @@ module StytchB2B
       # idp_initiated_auth_disabled::
       #   Determines whether IDP initiated auth is allowed for a given SAML connection. Defaults to false (IDP Initiated Auth is enabled).
       #   The type of this field is nilable +Boolean+.
+      # saml_encryption_private_key::
+      #   A PKCS1 format RSA private key used to decrypt encrypted SAML assertions. Only PKCS1 format (starting with "-----BEGIN RSA PRIVATE KEY-----") is supported.
+      #   The type of this field is nilable +String+.
       #
       # == Returns:
       # An object with the following fields:
@@ -687,6 +709,7 @@ module StytchB2B
         nameid_format: nil,
         alternative_acs_url: nil,
         idp_initiated_auth_disabled: nil,
+        saml_encryption_private_key: nil,
         method_options: nil
       )
         headers = {}
@@ -705,6 +728,7 @@ module StytchB2B
         request[:nameid_format] = nameid_format unless nameid_format.nil?
         request[:alternative_acs_url] = alternative_acs_url unless alternative_acs_url.nil?
         request[:idp_initiated_auth_disabled] = idp_initiated_auth_disabled unless idp_initiated_auth_disabled.nil?
+        request[:saml_encryption_private_key] = saml_encryption_private_key unless saml_encryption_private_key.nil?
 
         put_request("/v1/b2b/sso/saml/#{organization_id}/connections/#{connection_id}", request, headers)
       end
@@ -796,6 +820,44 @@ module StytchB2B
         headers = headers.merge(method_options.to_headers) unless method_options.nil?
         delete_request("/v1/b2b/sso/saml/#{organization_id}/connections/#{connection_id}/verification_certificates/#{certificate_id}", headers)
       end
+
+      # Delete a SAML encryption private key.
+      #
+      # == Parameters:
+      # organization_id::
+      #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
+      #   The type of this field is +String+.
+      # connection_id::
+      #   Globally unique UUID that identifies a specific SSO `connection_id` for a Member.
+      #   The type of this field is +String+.
+      # private_key_id::
+      #   The ID of the encryption private key to be deleted.
+      #   The type of this field is +String+.
+      #
+      # == Returns:
+      # An object with the following fields:
+      # request_id::
+      #   Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
+      #   The type of this field is +String+.
+      # private_key_id::
+      #   The ID of the encryption private key.
+      #   The type of this field is +String+.
+      # status_code::
+      #   The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
+      #   The type of this field is +Integer+.
+      #
+      # == Method Options:
+      # This method supports an optional +StytchB2B::SSO::SAML::DeleteEncryptionPrivateKeyRequestOptions+ object which will modify the headers sent in the HTTP request.
+      def delete_encryption_private_key(
+        organization_id:,
+        connection_id:,
+        private_key_id:,
+        method_options: nil
+      )
+        headers = {}
+        headers = headers.merge(method_options.to_headers) unless method_options.nil?
+        delete_request("/v1/b2b/sso/saml/#{organization_id}/connections/#{connection_id}/encryption_private_keys/#{private_key_id}", headers)
+      end
     end
 
     class External

data/lib/stytch/connected_apps.rb

@@ -202,21 +202,18 @@ module Stytch
       # client_type::
       #   The type of Connected App. Supported values are `first_party`, `first_party_public`, `third_party`, and `third_party_public`.
       #   The type of this field is +CreateRequestClientType+ (string enum).
-      # redirect_urls::
-      #   Array of redirect URI values for use in OAuth Authorization flows.
-      #   The type of this field is list of +String+.
-      # full_access_allowed::
-      #   Valid for first party clients only. If `true`, an authorization token granted to this Client can be exchanged for a full Stytch session.
-      #   The type of this field is +Boolean+.
-      # post_logout_redirect_urls::
-      #   Array of redirect URI values for use in OIDC Logout flows.
-      #   The type of this field is list of +String+.
       # client_name::
       #   A human-readable name for the client.
       #   The type of this field is nilable +String+.
       # client_description::
       #   A human-readable description for the client.
       #   The type of this field is nilable +String+.
+      # redirect_urls::
+      #   Array of redirect URI values for use in OAuth Authorization flows.
+      #   The type of this field is nilable list of +String+.
+      # full_access_allowed::
+      #   Valid for first party clients only. If `true`, an authorization token granted to this Client can be exchanged for a full Stytch session.
+      #   The type of this field is nilable +Boolean+.
       # access_token_expiry_minutes::
       #   The number of minutes before the access token expires. The default is 60 minutes.
       #   The type of this field is nilable +Integer+.
@@ -226,6 +223,9 @@ module Stytch
       # access_token_template_content::
       #   The content of the access token custom claims template. The template must be a valid JSON object.
       #   The type of this field is nilable +String+.
+      # post_logout_redirect_urls::
+      #   Array of redirect URI values for use in OIDC Logout flows.
+      #   The type of this field is nilable list of +String+.
       # logo_url::
       #   The logo URL of the Connected App, if any.
       #   The type of this field is nilable +String+.
@@ -246,29 +246,29 @@ module Stytch
       #   The type of this field is +Integer+.
       def create(
         client_type:,
-        redirect_urls:,
-        full_access_allowed:,
-        post_logout_redirect_urls:,
         client_name: nil,
         client_description: nil,
+        redirect_urls: nil,
+        full_access_allowed: nil,
         access_token_expiry_minutes: nil,
         access_token_custom_audience: nil,
         access_token_template_content: nil,
+        post_logout_redirect_urls: nil,
         logo_url: nil,
         bypass_consent_for_offline_access: nil
       )
         headers = {}
         request = {
-          client_type: client_type,
-          redirect_urls: redirect_urls,
-          full_access_allowed: full_access_allowed,
-          post_logout_redirect_urls: post_logout_redirect_urls
+          client_type: client_type
         }
         request[:client_name] = client_name unless client_name.nil?
         request[:client_description] = client_description unless client_description.nil?
+        request[:redirect_urls] = redirect_urls unless redirect_urls.nil?
+        request[:full_access_allowed] = full_access_allowed unless full_access_allowed.nil?
         request[:access_token_expiry_minutes] = access_token_expiry_minutes unless access_token_expiry_minutes.nil?
         request[:access_token_custom_audience] = access_token_custom_audience unless access_token_custom_audience.nil?
         request[:access_token_template_content] = access_token_template_content unless access_token_template_content.nil?
+        request[:post_logout_redirect_urls] = post_logout_redirect_urls unless post_logout_redirect_urls.nil?
         request[:logo_url] = logo_url unless logo_url.nil?
         request[:bypass_consent_for_offline_access] = bypass_consent_for_offline_access unless bypass_consent_for_offline_access.nil?
 

data/lib/stytch/passwords.rb

@@ -242,7 +242,7 @@ module Stytch
     #   Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
     #   The type of this field is +String+.
     # valid_password::
-    #   Returns `true` if the password passes our password validation. We offer two validation options, [zxcvbn](https://stytch.com/docs/passwords#strength-requirements) is the default option which offers a high level of sophistication. We also offer [LUDS](https://stytch.com/docs/passwords#strength-requirements). If an email address is included in the call we also require that the password hasn't been compromised using built-in breach detection powered by [HaveIBeenPwned](https://haveibeenpwned.com/).
+    #   Returns `true` if the password passes our password validation. We offer two validation options, [zxcvbn](https://stytch.com/docs/guides/passwords/strength-policy) is the default option which offers a high level of sophistication. We also offer [LUDS](https://stytch.com/docs/guides/passwords/strength-policy). If an email address is included in the call we also require that the password hasn't been compromised using built-in breach detection powered by [HaveIBeenPwned](https://haveibeenpwned.com/).
     #   The type of this field is +Boolean+.
     # score::
     #   The score of the password determined by [zxcvbn](https://github.com/dropbox/zxcvbn). Values will be between 1 and 4, a 3 or greater is required to pass validation.

data/lib/stytch/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Stytch
-  VERSION = '10.29.0'
+  VERSION = '10.30.0'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: stytch
 version: !ruby/object:Gem::Version
-  version: 10.29.0
+  version: 10.30.0
 platform: ruby
 authors:
 - stytch
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-08-14 00:00:00.000000000 Z
+date: 2025-08-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday