workos 6.2.0 → 7.1.0

data/lib/workos/user_management.rb

@@ -1,1258 +1,1602 @@
 # frozen_string_literal: true
 
-require 'net/http'
-require 'uri'
+# This file is auto-generated by oagen. Do not edit.
 
-module WorkOS
-  # The UserManagement module provides convenience methods for working with the
-  # WorkOS User platform. You'll need a valid API key.
-  module UserManagement
-    autoload :Session, 'workos/user_management/session'
-
-    module Types
-      # The ProviderEnum is a declaration of a
-      # fixed set of values for User Management Providers.
-      class Provider
-        Apple = 'AppleOAuth'
-        GitHub = 'GitHubOAuth'
-        Google = 'GoogleOAuth'
-        Microsoft = 'MicrosoftOAuth'
-        AuthKit = 'authkit'
-
-        ALL = [Apple, GitHub, Google, Microsoft, AuthKit].freeze
-      end
-
-      # The AuthFactorType is a declaration of a
-      # fixed set of factor values to enroll
-      class AuthFactorType
-        Totp = 'totp'
+require "json"
 
-        ALL = [Totp].freeze
-      end
+module WorkOS
+  class UserManagement
+    def initialize(client)
+      @client = client
     end
 
-    class << self
-      include Client, Deprecation
-
-      PROVIDERS = WorkOS::UserManagement::Types::Provider::ALL
-      AUTH_FACTOR_TYPES = WorkOS::UserManagement::Types::AuthFactorType::ALL
-
-      # Load a sealed session
-      #
-      # @param [String] client_id The WorkOS client ID for the environment
-      # @param [String] session_data The sealed session data
-      # @param [String] cookie_password The password used to seal the session
-      # @param [Object] encryptor Optional custom encryptor that responds to #seal and #unseal
-      #
-      # @return WorkOS::Session
-      def load_sealed_session(client_id:, session_data:, cookie_password:, encryptor: nil)
-        WorkOS::Session.new(
-          user_management: self,
-          client_id: client_id,
-          session_data: session_data,
-          cookie_password: cookie_password,
-          encryptor: encryptor,
-        )
-      end
-
-      # Generate an OAuth 2.0 authorization URL that automatically directs a user
-      # to their Identity Provider.
-      #
-      # @param [String] redirect_uri The URI where users are directed
-      #  after completing the authentication step. Must match a
-      #  configured redirect URI on your WorkOS dashboard.
-      # @param [String] client_id This value can be obtained from the API Keys page in the WorkOS dashboard.
-      # @param [String] provider A provider name is used to initiate SSO using an
-      # OAuth-compatible provider. Only 'authkit', 'AppleOAuth', 'GitHubOAuth', 'GoogleOAuth',
-      # and 'MicrosoftOAuth' are supported.
-      # @param [String] connection_id The ID for a Connection configured on
-      #  WorkOS.
-      # @param [String] organization_id The organization_id selector is used to
-      # initiate SSO for an Organization.
-      # @param [String] state An arbitrary state object
-      #  that is preserved and available to the client in the response.
-      # @param [String] login_hint Can be used to pre-fill the username/email address
-      # field of the IdP sign-in page for the user, if you know their username ahead of time.
-      # @param [String] screen_hint Specify which AuthKit screen users should land on upon redirection
-      # (Only applicable when provider is 'authkit').
-      # @param [String] domain_hint Can be used to pre-fill the domain field when
-      # initiating authentication with Microsoft OAuth, or with a GoogleSAML connection type.
-      # @param [Array<String>] provider_scopes An array of additional OAuth scopes to request from the provider.
-      # @example
-      #   WorkOS::UserManagement.authorization_url(
-      #     connection_id: 'conn_123',
-      #     client_id: 'project_01DG5TGK363GRVXP3ZS40WNGEZ',
-      #     redirect_uri: 'https://your-app.com/callback',
-      #     state: {
-      #       next_page: '/docs'
-      #     }.to_s
-      #   )
-      #
-      #   => "https://api.workos.com/user_management/authorize?connection_id=conn_123" \
-      #      "&client_id=project_01DG5TGK363GRVXP3ZS40WNGEZ" \
-      #      "&redirect_uri=https%3A%2F%2Fyour-app.com%2Fcallback&" \
-      #      "response_type=code&state=%7B%3Anext_page%3D%3E%22%2Fdocs%22%7D"
-      #
-      # @return [String]
-      # rubocop:disable Metrics/ParameterLists
-      def authorization_url(
-        redirect_uri:,
-        client_id: nil,
-        domain_hint: nil,
-        login_hint: nil,
-        screen_hint: nil,
-        provider: nil,
-        connection_id: nil,
-        organization_id: nil,
-        state: '',
-        provider_scopes: nil
+    # Get JWKS
+    # @param client_id [String] Identifies the application making the request to the WorkOS server. You can obtain your client ID from the [API Keys](https://dashboard.workos.com/api-keys) page in the dashboard.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::JwksResponse]
+    def get_jwks(
+      client_id:,
+      request_options: {}
+    )
+      response = @client.request(
+        method: :get,
+        path: "/sso/jwks/#{WorkOS::Util.encode_path(client_id)}",
+        auth: true,
+        request_options: request_options
       )
+      result = WorkOS::JwksResponse.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
 
-        validate_authorization_url_arguments(
-          provider: provider,
-          connection_id: connection_id,
-          organization_id: organization_id,
-        )
-
-        query = URI.encode_www_form({
-          client_id: client_id,
-          redirect_uri: redirect_uri,
-          response_type: 'code',
-          state: state,
-          domain_hint: domain_hint,
-          login_hint: login_hint,
-          screen_hint: screen_hint,
-          provider: provider,
-          connection_id: connection_id,
-          organization_id: organization_id,
-          provider_scopes: provider_scopes,
-        }.compact)
-
-        "https://#{WorkOS.config.api_hostname}/user_management/authorize?#{query}"
-      end
-      # rubocop:enable Metrics/ParameterLists
-
-      # Get a User
-      #
-      # @param [String] id The unique ID of the User.
-      #
-      # @return WorkOS::User
-      def get_user(id:)
-        response = execute_request(
-          request: get_request(
-            path: "/user_management/users/#{id}",
-            auth: true,
-          ),
-        )
-
-        WorkOS::User.new(response.body)
-      end
-
-      # Retrieve a list of users.
-      #
-      # @param [Hash] options
-      # @option options [String] email Filter Users by their email.
-      # @option options [String] organization_id Filter Users by the organization they are members of.
-      # @option options [String] limit Maximum number of records to return.
-      # @option options [String] order The order in which to paginate records
-      # @option options [String] before Pagination cursor to receive records
-      #  before a provided User ID.
-      # @option options [String] after Pagination cursor to receive records
-      #  before a provided User ID.
-      #
-      # @return [WorkOS::User]
-      def list_users(options = {})
-        options[:order] ||= 'desc'
-        response = execute_request(
-          request: get_request(
-            path: '/user_management/users',
-            auth: true,
-            params: options,
-          ),
-        )
-
-        parsed_response = JSON.parse(response.body)
-
-        users = parsed_response['data'].map do |user|
-          ::WorkOS::User.new(user.to_json)
-        end
-
-        WorkOS::Types::ListStruct.new(
-          data: users,
-          list_metadata: parsed_response['list_metadata'],
-        )
-      end
-
-      # Create a user
-      #
-      # @param [String] email The email address of the user.
-      # @param [String] password The password to set for the user.
-      # @param [String] first_name The user's first name.
-      # @param [String] last_name The user's last name.
-      # @param [Boolean] email_verified Whether the user's email address was previously verified.
-      # @param [String] external_id The user's external ID.
-      # @param [String] password_hash The user's hashed password.
-      # @option [String] password_hash_type The algorithm originally used to hash the password.
-      #
-      # @return [WorkOS::User]
-      # rubocop:disable Metrics/ParameterLists
-      def create_user(
-        email:,
-        password: nil,
-        first_name: nil,
-        last_name: nil,
-        email_verified: nil,
-        external_id: nil,
-        password_hash: nil,
-        password_hash_type: nil
+    # Authenticate
+    # @param client_id [String] The client ID of the application.
+    # @param client_secret [String, nil] The client secret of the application.
+    # @param grant_type [String]
+    # @param code [String, nil] The authorization code received from the redirect.
+    # @param code_verifier [String, nil] The PKCE code verifier used to derive the code challenge passed to the authorization URL.
+    # @param invitation_token [String, nil] An invitation token to accept during authentication.
+    # @param ip_address [String, nil] The IP address of the user's request.
+    # @param device_id [String, nil] A unique identifier for the device.
+    # @param user_agent [String, nil] The user agent string from the user's browser.
+    # @param email [String, nil] The user's email address.
+    # @param password [String, nil] The user's password.
+    # @param refresh_token [String, nil] The refresh token to exchange for new tokens.
+    # @param organization_id [String, nil] The ID of the organization to scope the session to.
+    # @param pending_authentication_token [String, nil] The pending authentication token from a previous authentication attempt.
+    # @param authentication_challenge_id [String, nil] The ID of the MFA authentication challenge.
+    # @param device_code [String, nil] The device verification code.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::AuthenticateResponse]
+    def create_authenticate(
+      client_id:,
+      grant_type:,
+      client_secret: nil,
+      code: nil,
+      code_verifier: nil,
+      invitation_token: nil,
+      ip_address: nil,
+      device_id: nil,
+      user_agent: nil,
+      email: nil,
+      password: nil,
+      refresh_token: nil,
+      organization_id: nil,
+      pending_authentication_token: nil,
+      authentication_challenge_id: nil,
+      device_code: nil,
+      request_options: {}
+    )
+      body = {
+        "client_id" => client_id,
+        "client_secret" => client_secret,
+        "grant_type" => grant_type,
+        "code" => code,
+        "code_verifier" => code_verifier,
+        "invitation_token" => invitation_token,
+        "ip_address" => ip_address,
+        "device_id" => device_id,
+        "user_agent" => user_agent,
+        "email" => email,
+        "password" => password,
+        "refresh_token" => refresh_token,
+        "organization_id" => organization_id,
+        "pending_authentication_token" => pending_authentication_token,
+        "authentication_challenge_id" => authentication_challenge_id,
+        "device_code" => device_code
+      }.compact
+      response = @client.request(
+        method: :post,
+        path: "/user_management/authenticate",
+        auth: true,
+        body: body,
+        request_options: request_options
       )
-        request = post_request(
-          path: '/user_management/users',
-          body: {
-            email: email,
-            password: password,
-            first_name: first_name,
-            last_name: last_name,
-            email_verified: email_verified,
-            external_id: external_id,
-            password_hash: password_hash,
-            password_hash_type: password_hash_type,
-          }.compact,
-          auth: true,
-        )
-
-        response = execute_request(request: request)
-
-        WorkOS::User.new(response.body)
-      end
+      result = WorkOS::AuthenticateResponse.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
 
-      # Update a user
-      #
-      # @param [String] id of the user.
-      # @param [String] email of the user.
-      # @param [String] first_name The user's first name.
-      # @param [String] last_name The user's last name.
-      # @param [Boolean] email_verified Whether the user's email address was previously verified.
-      # @param [String] external_id The users's external ID
-      # @param [String] locale The user's locale.
-      # @param [String] password The user's password.
-      # @param [String] password_hash The user's hashed password.
-      # @option [String] password_hash_type The algorithm originally used to hash the password.
-      #  Valid values are bcrypt.
-      #
-      # @return [WorkOS::User]
-      def update_user(
-        id:,
-        email: :not_set,
-        first_name: :not_set,
-        last_name: :not_set,
-        email_verified: :not_set,
-        external_id: :not_set,
-        locale: :not_set,
-        password: :not_set,
-        password_hash: :not_set,
-        password_hash_type: :not_set
+    # Authenticate with password.
+    # @param email [String]
+    # @param password [String]
+    # @param invitation_token [String, nil]
+    # @param ip_address [String, nil]
+    # @param device_id [String, nil]
+    # @param user_agent [String, nil]
+    # @param request_options [Hash] Per-request overrides.
+    # @return [WorkOS::AuthenticateResponse]
+    def authenticate_with_password(
+      email:,
+      password:,
+      invitation_token: nil,
+      ip_address: nil,
+      device_id: nil,
+      user_agent: nil,
+      request_options: {}
+    )
+      body = {
+        "grant_type" => "password",
+        "client_id" => @client.client_id,
+        "client_secret" => @client.api_key,
+        "email" => email,
+        "password" => password,
+        "invitation_token" => invitation_token,
+        "ip_address" => ip_address,
+        "device_id" => device_id,
+        "user_agent" => user_agent
+      }.compact
+      response = @client.request(
+        method: :post,
+        path: "/user_management/authenticate",
+        auth: true,
+        body: body,
+        request_options: request_options
       )
-        request = put_request(
-          path: "/user_management/users/#{id}",
-          body: {
-            email: email,
-            first_name: first_name,
-            last_name: last_name,
-            email_verified: email_verified,
-            external_id: external_id,
-            locale: locale,
-            password: password,
-            password_hash: password_hash,
-            password_hash_type: password_hash_type,
-          }.reject { |_, v| v == :not_set },
-          auth: true,
-        )
-
-        response = execute_request(request: request)
-
-        WorkOS::User.new(response.body)
-      end
-      # rubocop:enable Metrics/ParameterLists
-
-      # Delete a User
-      #
-      # @param [String] id The unique ID of the User.
-      #
-      # @return [Bool] - returns `true` if successful
-      def delete_user(id:)
-        response = execute_request(
-          request: delete_request(
-            path: "/user_management/users/#{id}",
-            auth: true,
-          ),
-        )
-
-        response.is_a? Net::HTTPSuccess
-      end
+      WorkOS::AuthenticateResponse.new(response.body)
+    end
 
-      # Authenticates user by email and password.
-      #
-      # @param [String] email The email address of the user.
-      # @param [String] password The password for the user.
-      # @param [String] client_id The WorkOS client ID for the environment
-      # @param [String] ip_address The IP address of the request from the user who is attempting to authenticate.
-      # @param [String] user_agent The user agent of the request from the user who is attempting to authenticate.
-      # @param [String] invitation_token The token of an Invitation, if required.
-      # @param [Hash] session An optional hash that determines whether the session should be sealed and
-      # the optional cookie password.
-      #
-      # @return WorkOS::AuthenticationResponse
-      # rubocop:disable Metrics/ParameterLists
-      def authenticate_with_password(
-        email:,
-        password:,
-        client_id:,
-        ip_address: nil,
-        user_agent: nil,
-        invitation_token: nil,
-        session: nil
+    # Authenticate with code.
+    # @param code [String]
+    # @param code_verifier [String, nil]
+    # @param invitation_token [String, nil]
+    # @param ip_address [String, nil]
+    # @param device_id [String, nil]
+    # @param user_agent [String, nil]
+    # @param request_options [Hash] Per-request overrides.
+    # @return [WorkOS::AuthenticateResponse]
+    def authenticate_with_code(
+      code:,
+      code_verifier: nil,
+      invitation_token: nil,
+      ip_address: nil,
+      device_id: nil,
+      user_agent: nil,
+      request_options: {}
+    )
+      body = {
+        "grant_type" => "authorization_code",
+        "client_id" => @client.client_id,
+        "client_secret" => @client.api_key,
+        "code" => code,
+        "code_verifier" => code_verifier,
+        "invitation_token" => invitation_token,
+        "ip_address" => ip_address,
+        "device_id" => device_id,
+        "user_agent" => user_agent
+      }.compact
+      response = @client.request(
+        method: :post,
+        path: "/user_management/authenticate",
+        auth: true,
+        body: body,
+        request_options: request_options
       )
-        validate_session(session)
-
-        response = execute_request(
-          request: post_request(
-            path: '/user_management/authenticate',
-            body: {
-              client_id: client_id,
-              client_secret: WorkOS.config.key!,
-              email: email,
-              password: password,
-              ip_address: ip_address,
-              user_agent: user_agent,
-              invitation_token: invitation_token,
-              grant_type: 'password',
-            },
-          ),
-        )
-
-        WorkOS::AuthenticationResponse.new(response.body, session)
-      end
-      # rubocop:enable Metrics/ParameterLists
+      WorkOS::AuthenticateResponse.new(response.body)
+    end
 
-      # Authenticate a user using OAuth or an organization's SSO connection.
-      #
-      # @param [String] code The authorization value which was passed back as a
-      # query parameter in the callback to the Redirect URI.
-      # @param [String] client_id The WorkOS client ID for the environment
-      # @param [String] ip_address The IP address of the request from the user who is attempting to authenticate.
-      # @param [String] user_agent The user agent of the request from the user who is attempting to authenticate.
-      # @param [String] invitation_token The token of an Invitation, if required.
-      # @param [Hash] session An optional hash that determines whether the session should be sealed and
-      # the optional cookie password.
-      #
-      # @return WorkOS::AuthenticationResponse
-      def authenticate_with_code(
-        code:,
-        client_id:,
-        ip_address: nil,
-        user_agent: nil,
-        invitation_token: nil,
-        session: nil
+    # Authenticate with refresh token.
+    # @param refresh_token [String]
+    # @param organization_id [String, nil]
+    # @param ip_address [String, nil]
+    # @param device_id [String, nil]
+    # @param user_agent [String, nil]
+    # @param request_options [Hash] Per-request overrides.
+    # @return [WorkOS::AuthenticateResponse]
+    def authenticate_with_refresh_token(
+      refresh_token:,
+      organization_id: nil,
+      ip_address: nil,
+      device_id: nil,
+      user_agent: nil,
+      request_options: {}
+    )
+      body = {
+        "grant_type" => "refresh_token",
+        "client_id" => @client.client_id,
+        "client_secret" => @client.api_key,
+        "refresh_token" => refresh_token,
+        "organization_id" => organization_id,
+        "ip_address" => ip_address,
+        "device_id" => device_id,
+        "user_agent" => user_agent
+      }.compact
+      response = @client.request(
+        method: :post,
+        path: "/user_management/authenticate",
+        auth: true,
+        body: body,
+        request_options: request_options
       )
-        validate_session(session)
-
-        response = execute_request(
-          request: post_request(
-            path: '/user_management/authenticate',
-            body: {
-              code: code,
-              client_id: client_id,
-              client_secret: WorkOS.config.key!,
-              ip_address: ip_address,
-              user_agent: user_agent,
-              invitation_token: invitation_token,
-              grant_type: 'authorization_code',
-            },
-          ),
-        )
-
-        WorkOS::AuthenticationResponse.new(response.body, session)
-      end
+      WorkOS::AuthenticateResponse.new(response.body)
+    end
 
-      # Authenticate a user using a refresh token.
-      #
-      # @param [String] refresh_token The refresh token previously obtained from a successful authentication call
-      # @param [String] client_id The WorkOS client ID for the environment
-      # @param [String] organization_id The organization to issue the new access token for. (Optional)
-      # @param [String] ip_address The IP address of the request from the user who is attempting to authenticate.
-      # @param [String] user_agent The user agent of the request from the user who is attempting to authenticate.
-      # @param [Hash] session An optional hash that determines whether the session should be sealed and
-      # the optional cookie password.
-      #
-      # @return WorkOS::RefreshAuthenticationResponse
-      def authenticate_with_refresh_token(
-        refresh_token:,
-        client_id:,
-        organization_id: nil,
-        ip_address: nil,
-        user_agent: nil,
-        session: nil
+    # Authenticate with magic auth.
+    # @param code [String]
+    # @param email [String]
+    # @param invitation_token [String, nil]
+    # @param ip_address [String, nil]
+    # @param device_id [String, nil]
+    # @param user_agent [String, nil]
+    # @param request_options [Hash] Per-request overrides.
+    # @return [WorkOS::AuthenticateResponse]
+    def authenticate_with_magic_auth(
+      code:,
+      email:,
+      invitation_token: nil,
+      ip_address: nil,
+      device_id: nil,
+      user_agent: nil,
+      request_options: {}
+    )
+      body = {
+        "grant_type" => "urn:workos:oauth:grant-type:magic-auth:code",
+        "client_id" => @client.client_id,
+        "client_secret" => @client.api_key,
+        "code" => code,
+        "email" => email,
+        "invitation_token" => invitation_token,
+        "ip_address" => ip_address,
+        "device_id" => device_id,
+        "user_agent" => user_agent
+      }.compact
+      response = @client.request(
+        method: :post,
+        path: "/user_management/authenticate",
+        auth: true,
+        body: body,
+        request_options: request_options
       )
-        validate_session(session)
-
-        response = execute_request(
-          request: post_request(
-            path: '/user_management/authenticate',
-            body: {
-              refresh_token: refresh_token,
-              client_id: client_id,
-              client_secret: WorkOS.config.key!,
-              ip_address: ip_address,
-              user_agent: user_agent,
-              grant_type: 'refresh_token',
-              organization_id: organization_id,
-            },
-          ),
-        )
-
-        WorkOS::RefreshAuthenticationResponse.new(response.body, session)
-      end
+      WorkOS::AuthenticateResponse.new(response.body)
+    end
 
-      # Authenticate user by Magic Auth Code.
-      #
-      # @param [String] code The one-time code that was emailed to the user.
-      # @param [String] email The email address of the user.
-      # @param [String] client_id The WorkOS client ID for the environment.
-      # @param [String] ip_address The IP address of the request from the user who is attempting to authenticate.
-      # @param [String] link_authorization_code Used to link an OAuth profile to an existing user,
-      # after having completed a Magic Code challenge.
-      # @param [String] user_agent The user agent of the request from the user who is attempting to authenticate.
-      # @param [String] invitation_token The token of an Invitation, if required.
-      # @param [Hash] session An optional hash that determines whether the session should be sealed and
-      # the optional cookie password.
-      #
-      # @return WorkOS::AuthenticationResponse
-      # rubocop:disable Metrics/ParameterLists
-      def authenticate_with_magic_auth(
-        code:,
-        email:,
-        client_id:,
-        ip_address: nil,
-        user_agent: nil,
-        link_authorization_code: nil,
-        invitation_token: nil,
-        session: nil
+    # Authenticate with email verification.
+    # @param code [String]
+    # @param pending_authentication_token [String]
+    # @param ip_address [String, nil]
+    # @param device_id [String, nil]
+    # @param user_agent [String, nil]
+    # @param request_options [Hash] Per-request overrides.
+    # @return [WorkOS::AuthenticateResponse]
+    def authenticate_with_email_verification(
+      code:,
+      pending_authentication_token:,
+      ip_address: nil,
+      device_id: nil,
+      user_agent: nil,
+      request_options: {}
+    )
+      body = {
+        "grant_type" => "urn:workos:oauth:grant-type:email-verification:code",
+        "client_id" => @client.client_id,
+        "client_secret" => @client.api_key,
+        "code" => code,
+        "pending_authentication_token" => pending_authentication_token,
+        "ip_address" => ip_address,
+        "device_id" => device_id,
+        "user_agent" => user_agent
+      }.compact
+      response = @client.request(
+        method: :post,
+        path: "/user_management/authenticate",
+        auth: true,
+        body: body,
+        request_options: request_options
       )
-        validate_session(session)
-
-        response = execute_request(
-          request: post_request(
-            path: '/user_management/authenticate',
-            body: {
-              code: code,
-              email: email,
-              client_id: client_id,
-              client_secret: WorkOS.config.key!,
-              ip_address: ip_address,
-              user_agent: user_agent,
-              grant_type: 'urn:workos:oauth:grant-type:magic-auth:code',
-              link_authorization_code: link_authorization_code,
-              invitation_token: invitation_token,
-            },
-          ),
-        )
-
-        WorkOS::AuthenticationResponse.new(response.body, session)
-      end
-      # rubocop:enable Metrics/ParameterLists
+      WorkOS::AuthenticateResponse.new(response.body)
+    end
 
-      # Authenticate a user into an organization they are a member of.
-      #
-      # @param [String] client_id The WorkOS client ID for the environment.
-      # @param [String] organization_id The organization ID the user selected to sign in to.
-      # @param [String] pending_authentication_token The pending authentication token
-      # @param [String] ip_address The IP address of the request from the user who is attempting to authenticate.
-      # @param [String] user_agent The user agent of the request from the user who is attempting to authenticate.
-      # @param [Hash] session An optional hash that determines whether the session should be sealed and
-      # the optional cookie password.
-      #
-      # @return WorkOS::AuthenticationResponse
-      def authenticate_with_organization_selection(
-        client_id:,
-        organization_id:,
-        pending_authentication_token:,
-        ip_address: nil,
-        user_agent: nil,
-        session: nil
+    # Authenticate with totp.
+    # @param code [String]
+    # @param pending_authentication_token [String]
+    # @param authentication_challenge_id [String]
+    # @param ip_address [String, nil]
+    # @param device_id [String, nil]
+    # @param user_agent [String, nil]
+    # @param request_options [Hash] Per-request overrides.
+    # @return [WorkOS::AuthenticateResponse]
+    def authenticate_with_totp(
+      code:,
+      pending_authentication_token:,
+      authentication_challenge_id:,
+      ip_address: nil,
+      device_id: nil,
+      user_agent: nil,
+      request_options: {}
+    )
+      body = {
+        "grant_type" => "urn:workos:oauth:grant-type:mfa-totp",
+        "client_id" => @client.client_id,
+        "client_secret" => @client.api_key,
+        "code" => code,
+        "pending_authentication_token" => pending_authentication_token,
+        "authentication_challenge_id" => authentication_challenge_id,
+        "ip_address" => ip_address,
+        "device_id" => device_id,
+        "user_agent" => user_agent
+      }.compact
+      response = @client.request(
+        method: :post,
+        path: "/user_management/authenticate",
+        auth: true,
+        body: body,
+        request_options: request_options
       )
-        validate_session(session)
-
-        response = execute_request(
-          request: post_request(
-            path: '/user_management/authenticate',
-            body: {
-              client_id: client_id,
-              client_secret: WorkOS.config.key!,
-              ip_address: ip_address,
-              user_agent: user_agent,
-              grant_type: 'urn:workos:oauth:grant-type:organization-selection',
-              organization_id: organization_id,
-              pending_authentication_token: pending_authentication_token,
-            },
-          ),
-        )
-
-        WorkOS::AuthenticationResponse.new(response.body, session)
-      end
+      WorkOS::AuthenticateResponse.new(response.body)
+    end
 
-      # Authenticate a user using TOTP.
-      #
-      # @param [String] code The one-time code that was emailed to the user.
-      # @param [String] client_id The WorkOS client ID for the environment
-      # @param [String] pending_authentication_token The pending authentication token
-      # from the initial authentication request.
-      # @param [String] authentication_challenge_id The authentication challenge ID for the
-      # authentication request.
-      # @param [String] ip_address The IP address of the request from the user who is attempting to authenticate.
-      # @param [String] user_agent The user agent of the request from the user who is attempting to authenticate.
-      # @param [Hash] session An optional hash that determines whether the session should be sealed and
-      # the optional cookie password.
-      #
-      # @return WorkOS::AuthenticationResponse
-      # rubocop:disable Metrics/ParameterLists
-      def authenticate_with_totp(
-        code:,
-        client_id:,
-        pending_authentication_token:,
-        authentication_challenge_id:,
-        ip_address: nil,
-        user_agent: nil,
-        session: nil
+    # Authenticate with organization selection.
+    # @param pending_authentication_token [String]
+    # @param organization_id [String]
+    # @param ip_address [String, nil]
+    # @param device_id [String, nil]
+    # @param user_agent [String, nil]
+    # @param request_options [Hash] Per-request overrides.
+    # @return [WorkOS::AuthenticateResponse]
+    def authenticate_with_organization_selection(
+      pending_authentication_token:,
+      organization_id:,
+      ip_address: nil,
+      device_id: nil,
+      user_agent: nil,
+      request_options: {}
+    )
+      body = {
+        "grant_type" => "urn:workos:oauth:grant-type:organization-selection",
+        "client_id" => @client.client_id,
+        "client_secret" => @client.api_key,
+        "pending_authentication_token" => pending_authentication_token,
+        "organization_id" => organization_id,
+        "ip_address" => ip_address,
+        "device_id" => device_id,
+        "user_agent" => user_agent
+      }.compact
+      response = @client.request(
+        method: :post,
+        path: "/user_management/authenticate",
+        auth: true,
+        body: body,
+        request_options: request_options
       )
-        validate_session(session)
-
-        response = execute_request(
-          request: post_request(
-            path: '/user_management/authenticate',
-            body: {
-              code: code,
-              client_id: client_id,
-              client_secret: WorkOS.config.key!,
-              pending_authentication_token: pending_authentication_token,
-              grant_type: 'urn:workos:oauth:grant-type:mfa-totp',
-              authentication_challenge_id: authentication_challenge_id,
-              ip_address: ip_address,
-              user_agent: user_agent,
-            },
-          ),
-        )
-
-        WorkOS::AuthenticationResponse.new(response.body, session)
-      end
-      # rubocop:enable Metrics/ParameterLists
+      WorkOS::AuthenticateResponse.new(response.body)
+    end
 
-      # Authenticate a user using Email Verification Code.
-      #
-      # @param [String] code The one-time code that was emailed to the user.
-      # @param [String] client_id The WorkOS client ID for the environment
-      # @param [String] pending_authentication_token The token returned from a failed email/password or OAuth
-      # authentication attempt due to an unverified email address.
-      # @param [String] ip_address The IP address of the request from the user who is attempting to authenticate.
-      # @param [String] user_agent The user agent of the request from the user who is attempting to authenticate.
-      # @param [Hash] session An optional hash that determines whether the session should be sealed and
-      # the optional cookie password.
-      #
-      # @return WorkOS::AuthenticationResponse
-      def authenticate_with_email_verification(
-        code:,
-        client_id:,
-        pending_authentication_token:,
-        ip_address: nil,
-        user_agent: nil,
-        session: nil
+    # Authenticate with device code.
+    # @param device_code [String]
+    # @param ip_address [String, nil]
+    # @param device_id [String, nil]
+    # @param user_agent [String, nil]
+    # @param request_options [Hash] Per-request overrides.
+    # @return [WorkOS::AuthenticateResponse]
+    def authenticate_with_device_code(
+      device_code:,
+      ip_address: nil,
+      device_id: nil,
+      user_agent: nil,
+      request_options: {}
+    )
+      body = {
+        "grant_type" => "urn:ietf:params:oauth:grant-type:device_code",
+        "client_id" => @client.client_id,
+        "device_code" => device_code,
+        "ip_address" => ip_address,
+        "device_id" => device_id,
+        "user_agent" => user_agent
+      }.compact
+      response = @client.request(
+        method: :post,
+        path: "/user_management/authenticate",
+        auth: true,
+        body: body,
+        request_options: request_options
       )
-        validate_session(session)
-
-        response = execute_request(
-          request: post_request(
-            path: '/user_management/authenticate',
-            body: {
-              code: code,
-              client_id: client_id,
-              pending_authentication_token: pending_authentication_token,
-              client_secret: WorkOS.config.key!,
-              grant_type: 'urn:workos:oauth:grant-type:email-verification:code',
-              ip_address: ip_address,
-              user_agent: user_agent,
-            },
-          ),
-        )
-
-        WorkOS::AuthenticationResponse.new(response.body, session)
-      end
-
-      # Get the logout URL for a session
-      #
-      # The user's browser should be navigated to this URL
-      #
-      # @param [String] session_id The session ID can be found in the `sid`
-      #   claim of the access token
-      # @param [String] return_to The URL to redirect the user to after logging out
-      #
-      # @return String
-      def get_logout_url(session_id:, return_to: nil)
-        params = { session_id: session_id }
-        params[:return_to] = return_to if return_to
-
-        URI::HTTPS.build(
-          host: WorkOS.config.api_hostname,
-          path: '/user_management/sessions/logout',
-          query: URI.encode_www_form(params),
-        ).to_s
-      end
-
-      # Revokes a session
-      #
-      # @param [String] session_id The session ID can be found in the `sid`
-      #   claim of the access token
-      def revoke_session(session_id:)
-        response = execute_request(
-          request: post_request(
-            path: '/user_management/sessions/revoke',
-            body: {
-              session_id: session_id,
-            },
-            auth: true,
-          ),
-        )
-
-        response.is_a? Net::HTTPSuccess
-      end
-
-      # Get the JWKS URL
-      #
-      # The JWKS can be used to validate the access token returned upon successful authentication
-      #
-      # @param [String] client_id The WorkOS client ID for the environment
-      #
-      # @return String
-      def get_jwks_url(client_id)
-        URI::HTTPS.build(
-          host: WorkOS.config.api_hostname,
-          path: "/sso/jwks/#{client_id}",
-        ).to_s
-      end
-
-      # Gets a Magic Auth object
-      #
-      # @param [String] id The unique ID of the MagicAuth object.
-      #
-      # @return WorkOS::MagicAuth
-      def get_magic_auth(id:)
-        response = execute_request(
-          request: get_request(
-            path: "/user_management/magic_auth/#{id}",
-            auth: true,
-          ),
-        )
-
-        WorkOS::MagicAuth.new(response.body)
-      end
-
-      # Creates a MagicAuth code
-      #
-      # @param [String] email The email address of the recipient.
-      # @param [String] invitation_token The token of an Invitation, if required.
-      #
-      # @return WorkOS::MagicAuth
-      def create_magic_auth(email:, invitation_token: nil)
-        response = execute_request(
-          request: post_request(
-            path: '/user_management/magic_auth',
-            body: {
-              email: email,
-              invitation_token: invitation_token,
-            }.compact,
-            auth: true,
-          ),
-        )
+      WorkOS::AuthenticateResponse.new(response.body)
+    end
 
-        WorkOS::MagicAuth.new(response.body)
-      end
+    # Get device authorization URL
+    # @param client_id [String] The WorkOS client ID for your application.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::DeviceAuthorizationResponse]
+    def create_device(
+      client_id:,
+      request_options: {}
+    )
+      body = {
+        "client_id" => client_id
+      }.compact
+      response = @client.request(
+        method: :post,
+        path: "/user_management/authorize/device",
+        auth: true,
+        body: body,
+        request_options: request_options
+      )
+      result = WorkOS::DeviceAuthorizationResponse.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
 
-      # Create a one-time Magic Auth code and emails it to the user.
-      #
-      # @param [String] email The email address the one-time code will be sent to.
-      #
-      # @return Boolean
-      def send_magic_auth_code(email:)
-        warn_deprecation '`send_magic_auth_code` is deprecated.
-        Please use `create_magic_auth` instead. This method will be removed in a future major version.'
+    # Revoke Session
+    # @param session_id [String] The ID of the session to revoke. This can be extracted from the `sid` claim of the access token.
+    # @param return_to [String, nil] The URL to redirect the user to after session revocation.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [void]
+    def revoke_session(
+      session_id:,
+      return_to: nil,
+      request_options: {}
+    )
+      body = {
+        "session_id" => session_id,
+        "return_to" => return_to
+      }.compact
+      @client.request(
+        method: :post,
+        path: "/user_management/sessions/revoke",
+        auth: true,
+        body: body,
+        request_options: request_options
+      )
+      nil
+    end
 
-        response = execute_request(
-          request: post_request(
-            path: '/user_management/magic_auth/send',
-            body: {
-              email: email,
-            },
-            auth: true,
-          ),
-        )
+    # Create a CORS origin
+    # @param origin [String] The origin URL to allow for CORS requests.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::CORSOriginResponse]
+    def create_cors_origin(
+      origin:,
+      request_options: {}
+    )
+      body = {
+        "origin" => origin
+      }.compact
+      response = @client.request(
+        method: :post,
+        path: "/user_management/cors_origins",
+        auth: true,
+        body: body,
+        request_options: request_options
+      )
+      result = WorkOS::CORSOriginResponse.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
 
-        response.is_a? Net::HTTPSuccess
-      end
+    # Get an email verification code
+    # @param id [String] The ID of the email verification code.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::EmailVerification]
+    def get_email_verification(
+      id:,
+      request_options: {}
+    )
+      response = @client.request(
+        method: :get,
+        path: "/user_management/email_verification/#{WorkOS::Util.encode_path(id)}",
+        auth: true,
+        request_options: request_options
+      )
+      result = WorkOS::EmailVerification.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
 
-      # Enroll a user into an authentication factor.
-      #
-      # @param [String] user_id The id for the user.
-      # @param [String] type The type of the factor to enroll. Only option available is totp.
-      # @param [String] totp_issuer For totp factors. Typically your application
-      #  or company name, this helps users distinguish between factors in authenticator apps.
-      # @param [String] totp_user For totp factors. Used as the account name in authenticator apps.
-      # @param [String] totp_secret For totp factors.  The Base32 encdoded secret key for the
-      # factor. Generated if not provided. (Optional)
-      #
-      # @return WorkOS::AuthenticationFactorAndChallenge
-      def enroll_auth_factor(user_id:, type:, totp_issuer: nil, totp_user: nil, totp_secret: nil)
-        validate_auth_factor_type(
-          type: type,
-        )
+    # Create a password reset token
+    # @param email [String] The email address of the user requesting a password reset.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::PasswordReset]
+    def reset_password(
+      email:,
+      request_options: {}
+    )
+      body = {
+        "email" => email
+      }.compact
+      response = @client.request(
+        method: :post,
+        path: "/user_management/password_reset",
+        auth: true,
+        body: body,
+        request_options: request_options
+      )
+      result = WorkOS::PasswordReset.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
 
-        response = execute_request(
-          request: post_request(
-            path: "/user_management/users/#{user_id}/auth_factors",
-            body: {
-              type: type,
-              totp_issuer: totp_issuer,
-              totp_user: totp_user,
-              totp_secret: totp_secret,
-            }.compact,
-            auth: true,
-          ),
-        )
+    # Reset the password
+    # @param token [String] The password reset token.
+    # @param new_password [String] The new password to set for the user.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::ResetPasswordResponse]
+    def confirm_password_reset(
+      token:,
+      new_password:,
+      request_options: {}
+    )
+      body = {
+        "token" => token,
+        "new_password" => new_password
+      }.compact
+      response = @client.request(
+        method: :post,
+        path: "/user_management/password_reset/confirm",
+        auth: true,
+        body: body,
+        request_options: request_options
+      )
+      result = WorkOS::ResetPasswordResponse.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
 
-        WorkOS::AuthenticationFactorAndChallenge.new(response.body)
-      end
+    # Get a password reset token
+    # @param id [String] The ID of the password reset token.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::PasswordReset]
+    def get_password_reset(
+      id:,
+      request_options: {}
+    )
+      response = @client.request(
+        method: :get,
+        path: "/user_management/password_reset/#{WorkOS::Util.encode_path(id)}",
+        auth: true,
+        request_options: request_options
+      )
+      result = WorkOS::PasswordReset.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
 
-      # Get all auth factors for a user
-      #
-      # @param [String] user_id The id for the user.
-      #
-      # @return WorkOS::ListStruct
-      def list_auth_factors(user_id:)
-        response = execute_request(
-          request: get_request(
-            path: "/user_management/users/#{user_id}/auth_factors",
-            auth: true,
-          ),
+    # List users
+    # @param before [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `before="obj_123"` to fetch a new batch of objects before `"obj_123"`.
+    # @param after [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `after="obj_123"` to fetch a new batch of objects after `"obj_123"`.
+    # @param limit [Integer, nil] Upper limit on the number of objects to return, between `1` and `100`.
+    # @param order [WorkOS::Types::UserManagementUsersOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
+    # @param organization [String, nil] (deprecated) Filter users by the organization they are a member of. Deprecated in favor of `organization_id`.
+    # @param organization_id [String, nil] Filter users by the organization they are a member of.
+    # @param email [String, nil] Filter users by their email address.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::Types::ListStruct<WorkOS::User>]
+    def list_users(
+      before: nil,
+      after: nil,
+      limit: nil,
+      order: "desc",
+      organization: nil,
+      organization_id: nil,
+      email: nil,
+      request_options: {}
+    )
+      params = {
+        "before" => before,
+        "after" => after,
+        "limit" => limit,
+        "order" => order,
+        "organization" => organization,
+        "organization_id" => organization_id,
+        "email" => email
+      }.compact
+      response = @client.request(
+        method: :get,
+        path: "/user_management/users",
+        auth: true,
+        params: params,
+        request_options: request_options
+      )
+      fetch_next = ->(cursor) {
+        list_users(
+          before: before,
+          after: cursor,
+          limit: limit,
+          order: order,
+          organization: organization,
+          organization_id: organization_id,
+          email: email,
+          request_options: request_options
         )
+      }
+      WorkOS::Types::ListStruct.from_response(
+        response,
+        model: WorkOS::User,
+        filters: {before: before, limit: limit, order: order, organization: organization, organization_id: organization_id, email: email},
+        fetch_next: fetch_next
+      )
+    end
 
-        parsed_response = JSON.parse(response.body)
-
-        auth_factors = parsed_response['data'].map do |auth_factor|
-          ::WorkOS::Factor.new(auth_factor.to_json)
+    # Create a user
+    # @param email [String] The email address of the user.
+    # @param first_name [String, nil] The first name of the user.
+    # @param last_name [String, nil] The last name of the user.
+    # @param email_verified [Boolean, nil] Whether the user's email has been verified.
+    # @param metadata [Hash{String => String}, nil] Object containing metadata key/value pairs associated with the user.
+    # @param external_id [String, nil] The external ID of the user.
+    # @param password [String, nil] The password to set for the user. Mutually exclusive with `password_hash` and `password_hash_type`.
+    # @param password_hash [String, nil] The hashed password to set for the user. Required with `password_hash_type`. Mutually exclusive with `password`.
+    # @param password_hash_type [WorkOS::Types::CreateUserPasswordHashType, nil] The algorithm originally used to hash the password, used when providing a `password_hash`. Required with `password_hash`. Mutually exclusive with `password`.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::User]
+    def create_user(
+      email:,
+      first_name: nil,
+      last_name: nil,
+      email_verified: nil,
+      metadata: nil,
+      external_id: nil,
+      password: nil,
+      password_hash: nil,
+      password_hash_type: nil,
+      request_options: {}
+    )
+      body = {
+        "email" => email,
+        "first_name" => first_name,
+        "last_name" => last_name,
+        "email_verified" => email_verified,
+        "metadata" => metadata,
+        "external_id" => external_id,
+        "password" => password,
+        "password_hash" => password_hash,
+        "password_hash_type" => password_hash_type
+      }.compact
+      if password
+        case password[:type]
+        when "plaintext"
+          body["password"] = password[:password]
+        when "hashed"
+          body["password_hash"] = password[:password_hash]
+          body["password_hash_type"] = password[:password_hash_type]
         end
-
-        WorkOS::Types::ListStruct.new(
-          data: auth_factors,
-          list_metadata: parsed_response['list_metadata'],
-        )
       end
+      response = @client.request(
+        method: :post,
+        path: "/user_management/users",
+        auth: true,
+        body: body,
+        request_options: request_options
+      )
+      result = WorkOS::User.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
 
-      # Get all sessions for a user
-      #
-      # @param [String] user_id The id for the user.
-      # @param [Hash] options
-      # @option options [String] limit Maximum number of records to return.
-      # @option options [String] order The order in which to paginate records
-      # @option options [String] before Pagination cursor to receive records
-      #  before a provided Session ID.
-      # @option options [String] after Pagination cursor to receive records
-      #  after a provided Session ID.
-      #
-      # @return [WorkOS::Types::ListStruct<WorkOS::UserManagement::Session>]
-      def list_sessions(user_id:, options: {})
-        options[:order] ||= 'desc'
-        response = execute_request(
-          request: get_request(
-            path: "/user_management/users/#{user_id}/sessions",
-            auth: true,
-            params: options,
-          ),
-        )
+    # Get a user by external ID
+    # @param external_id [String] The external ID of the user.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::User]
+    def get_user_by_external_id(
+      external_id:,
+      request_options: {}
+    )
+      response = @client.request(
+        method: :get,
+        path: "/user_management/users/external_id/#{WorkOS::Util.encode_path(external_id)}",
+        auth: true,
+        request_options: request_options
+      )
+      result = WorkOS::User.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
 
-        parsed_response = JSON.parse(response.body)
+    # Get a user
+    # @param id [String] The unique ID of the user.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::User]
+    def get_user(
+      id:,
+      request_options: {}
+    )
+      response = @client.request(
+        method: :get,
+        path: "/user_management/users/#{WorkOS::Util.encode_path(id)}",
+        auth: true,
+        request_options: request_options
+      )
+      result = WorkOS::User.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
 
-        sessions = parsed_response['data'].map do |session|
-          ::WorkOS::UserManagement::Session.new(session.to_json)
+    # Update a user
+    # @param id [String] The unique ID of the user.
+    # @param email [String, nil] The email address of the user.
+    # @param first_name [String, nil] The first name of the user.
+    # @param last_name [String, nil] The last name of the user.
+    # @param email_verified [Boolean, nil] Whether the user's email has been verified.
+    # @param metadata [Hash{String => String}, nil] Object containing metadata key/value pairs associated with the user.
+    # @param external_id [String, nil] The external ID of the user.
+    # @param locale [String, nil] The user's preferred locale.
+    # @param password [String, nil] The password to set for the user. Mutually exclusive with `password_hash` and `password_hash_type`.
+    # @param password_hash [String, nil] The hashed password to set for the user. Required with `password_hash_type`. Mutually exclusive with `password`.
+    # @param password_hash_type [WorkOS::Types::UpdateUserPasswordHashType, nil] The algorithm originally used to hash the password, used when providing a `password_hash`. Required with `password_hash`. Mutually exclusive with `password`.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::User]
+    def update_user(
+      id:,
+      email: nil,
+      first_name: nil,
+      last_name: nil,
+      email_verified: nil,
+      metadata: nil,
+      external_id: nil,
+      locale: nil,
+      password: nil,
+      password_hash: nil,
+      password_hash_type: nil,
+      request_options: {}
+    )
+      body = {
+        "email" => email,
+        "first_name" => first_name,
+        "last_name" => last_name,
+        "email_verified" => email_verified,
+        "metadata" => metadata,
+        "external_id" => external_id,
+        "locale" => locale,
+        "password" => password,
+        "password_hash" => password_hash,
+        "password_hash_type" => password_hash_type
+      }.compact
+      if password
+        case password[:type]
+        when "plaintext"
+          body["password"] = password[:password]
+        when "hashed"
+          body["password_hash"] = password[:password_hash]
+          body["password_hash_type"] = password[:password_hash_type]
         end
-
-        WorkOS::Types::ListStruct.new(
-          data: sessions,
-          list_metadata: parsed_response['list_metadata'],
-        )
       end
+      response = @client.request(
+        method: :put,
+        path: "/user_management/users/#{WorkOS::Util.encode_path(id)}",
+        auth: true,
+        body: body,
+        request_options: request_options
+      )
+      result = WorkOS::User.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
 
-      # Gets an email verification object
-      #
-      # @param [String] id The unique ID of the EmailVerification object.
-      #
-      # @return WorkOS::EmailVerification
-      def get_email_verification(id:)
-        response = execute_request(
-          request: get_request(
-            path: "/user_management/email_verification/#{id}",
-            auth: true,
-          ),
-        )
-
-        WorkOS::EmailVerification.new(response.body)
-      end
-
-      # Sends a verification email to the provided user.
-      #
-      # @param [String] user_id The unique ID of the User whose email address will be verified.
-      #
-      # @return WorkOS::UserResponse
-      def send_verification_email(user_id:)
-        response = execute_request(
-          request: post_request(
-            path: "/user_management/users/#{user_id}/email_verification/send",
-            auth: true,
-          ),
-        )
-
-        WorkOS::UserResponse.new(response.body)
-      end
-
-      # Verifiy user email using one-time code that was sent to the user.
-      #
-      # @param [String] user_id The unique ID of the User whose email address will be verified.
-      # @param [String] code The one-time code emailed to the user.
-      #
-      # @return WorkOS::UserResponse
-      def verify_email(user_id:, code:)
-        response = execute_request(
-          request: post_request(
-            path: "/user_management/users/#{user_id}/email_verification/confirm",
-            body: {
-              code: code,
-            },
-            auth: true,
-          ),
-        )
-
-        WorkOS::UserResponse.new(response.body)
-      end
-
-      # Gets a password reset object
-      #
-      # @param [String] id The unique ID of the PasswordReset object.
-      #
-      # @return WorkOS::PasswordReset
-      def get_password_reset(id:)
-        response = execute_request(
-          request: get_request(
-            path: "/user_management/password_reset/#{id}",
-            auth: true,
-          ),
-        )
-
-        WorkOS::PasswordReset.new(response.body)
-      end
-
-      # Creates a password reset token
-      #
-      # @param [String] email The email address of the user.
-      #
-      # @return WorkOS::PasswordReset
-      def create_password_reset(email:)
-        response = execute_request(
-          request: post_request(
-            path: '/user_management/password_reset',
-            body: {
-              email: email,
-            },
-            auth: true,
-          ),
-        )
-
-        WorkOS::PasswordReset.new(response.body)
-      end
-
-      # Create a password reset challenge and emails a password reset link to a user.
-      #
-      # @param [String] email The email of the user that wishes to reset their password.
-      # @param [String] password_reset_url The URL that will be linked to in the email.
-      #
-      # @return [Bool] - returns `true` if successful
-      def send_password_reset_email(email:, password_reset_url:)
-        warn_deprecation '`send_password_reset_email` is deprecated.
-        Please use `create_password_reset` instead. This method will be removed in a future major version.'
-
-        request = post_request(
-          path: '/user_management/password_reset/send',
-          body: {
-            email: email,
-            password_reset_url: password_reset_url,
-          },
-          auth: true,
-        )
-
-        response = execute_request(request: request)
-
-        response.is_a? Net::HTTPSuccess
-      end
-
-      # Reset user password using token that was sent to the user.
-      #
-      # @param [String] token The token that was sent to the user.
-      # @param [String] new_password The new password to set for the user.
-      #
-      # @return WorkOS::User
-      def reset_password(token:, new_password:)
-        response = execute_request(
-          request: post_request(
-            path: '/user_management/password_reset/confirm',
-            body: {
-              token: token,
-              new_password: new_password,
-            },
-            auth: true,
-          ),
-        )
-
-        WorkOS::UserResponse.new(response.body).user
-      end
+    # Delete a user
+    # @param id [String] The unique ID of the user.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [void]
+    def delete_user(
+      id:,
+      request_options: {}
+    )
+      @client.request(
+        method: :delete,
+        path: "/user_management/users/#{WorkOS::Util.encode_path(id)}",
+        auth: true,
+        request_options: request_options
+      )
+      nil
+    end
 
-      # Get an Organization Membership
-      #
-      # @param [String] id The unique ID of the Organization Membership.
-      #
-      # @return WorkOS::OrganizationMembership
-      def get_organization_membership(id:)
-        response = execute_request(
-          request: get_request(
-            path: "/user_management/organization_memberships/#{id}",
-            auth: true,
-          ),
-        )
+    # Confirm email change
+    # @param id [String] The unique ID of the user.
+    # @param code [String] The one-time code used to confirm the email change.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::EmailChangeConfirmation]
+    def confirm_email_change(
+      id:,
+      code:,
+      request_options: {}
+    )
+      body = {
+        "code" => code
+      }.compact
+      response = @client.request(
+        method: :post,
+        path: "/user_management/users/#{WorkOS::Util.encode_path(id)}/email_change/confirm",
+        auth: true,
+        body: body,
+        request_options: request_options
+      )
+      result = WorkOS::EmailChangeConfirmation.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
 
-        WorkOS::OrganizationMembership.new(response.body)
-      end
+    # Send email change code
+    # @param id [String] The unique ID of the user.
+    # @param new_email [String] The new email address to change to.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::EmailChange]
+    def send_email_change(
+      id:,
+      new_email:,
+      request_options: {}
+    )
+      body = {
+        "new_email" => new_email
+      }.compact
+      response = @client.request(
+        method: :post,
+        path: "/user_management/users/#{WorkOS::Util.encode_path(id)}/email_change/send",
+        auth: true,
+        body: body,
+        request_options: request_options
+      )
+      result = WorkOS::EmailChange.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
 
-      # Retrieve a list of Organization Memberships.
-      #
-      # @param [Hash] options
-      # @option options [String] user_id The ID of the User.
-      # @option options [String] organization_id Filter memberships by the organization they are members of.
-      # @option options [Array<String>] statuses Filter memberships by status.
-      # @option options [String] limit Maximum number of records to return.
-      # @option options [String] order The order in which to paginate records
-      # @option options [String] before Pagination cursor to receive records
-      #  before a provided User ID.
-      # @option options [String] after Pagination cursor to receive records
-      #  before a provided User ID.
-      #
-      # @return [WorkOS::OrganizationMembership]
-      def list_organization_memberships(options = {})
-        options[:order] ||= 'desc'
-        response = execute_request(
-          request: get_request(
-            path: '/user_management/organization_memberships',
-            auth: true,
-            params: options,
-          ),
-        )
+    # Verify email
+    # @param id [String] The ID of the user.
+    # @param code [String] The one-time email verification code.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::VerifyEmailResponse]
+    def verify_email(
+      id:,
+      code:,
+      request_options: {}
+    )
+      body = {
+        "code" => code
+      }.compact
+      response = @client.request(
+        method: :post,
+        path: "/user_management/users/#{WorkOS::Util.encode_path(id)}/email_verification/confirm",
+        auth: true,
+        body: body,
+        request_options: request_options
+      )
+      result = WorkOS::VerifyEmailResponse.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
 
-        parsed_response = JSON.parse(response.body)
+    # Send verification email
+    # @param id [String] The ID of the user.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::SendVerificationEmailResponse]
+    def send_verification_email(
+      id:,
+      request_options: {}
+    )
+      response = @client.request(
+        method: :post,
+        path: "/user_management/users/#{WorkOS::Util.encode_path(id)}/email_verification/send",
+        auth: true,
+        request_options: request_options
+      )
+      result = WorkOS::SendVerificationEmailResponse.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
 
-        organization_memberships = parsed_response['data'].map do |organization_membership|
-          ::WorkOS::OrganizationMembership.new(organization_membership.to_json)
-        end
+    # Get user identities
+    # @param id [String] The unique ID of the user.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [Array<WorkOS::UserIdentitiesGetItem>]
+    def get_user_identities(
+      id:,
+      request_options: {}
+    )
+      response = @client.request(
+        method: :get,
+        path: "/user_management/users/#{WorkOS::Util.encode_path(id)}/identities",
+        auth: true,
+        request_options: request_options
+      )
+      parsed = JSON.parse(response.body)
+      (parsed || []).map { |item| WorkOS::UserIdentitiesGetItem.new(item) }
+    end
 
-        WorkOS::Types::ListStruct.new(
-          data: organization_memberships,
-          list_metadata: parsed_response['list_metadata'],
+    # List sessions
+    # @param id [String] The ID of the user.
+    # @param before [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `before="obj_123"` to fetch a new batch of objects before `"obj_123"`.
+    # @param after [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `after="obj_123"` to fetch a new batch of objects after `"obj_123"`.
+    # @param limit [Integer, nil] Upper limit on the number of objects to return, between `1` and `100`.
+    # @param order [WorkOS::Types::UserManagementUsersOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::Types::ListStruct<WorkOS::UserSessionsListItem>]
+    def list_sessions(
+      id:,
+      before: nil,
+      after: nil,
+      limit: nil,
+      order: "desc",
+      request_options: {}
+    )
+      params = {
+        "before" => before,
+        "after" => after,
+        "limit" => limit,
+        "order" => order
+      }.compact
+      response = @client.request(
+        method: :get,
+        path: "/user_management/users/#{WorkOS::Util.encode_path(id)}/sessions",
+        auth: true,
+        params: params,
+        request_options: request_options
+      )
+      fetch_next = ->(cursor) {
+        list_sessions(
+          id: id,
+          before: before,
+          after: cursor,
+          limit: limit,
+          order: order,
+          request_options: request_options
         )
-      end
-
-      # Create an Organization Membership
-      #
-      # @param [String] user_id The ID of the User.
-      # @param [String] organization_id The ID of the Organization to which the user belongs to.
-      # @param [String] role_slug The slug of the role to grant to this membership. (Optional)
-      # @param [Array<String>] role_slugs Array of role slugs to assign to this membership. (Optional)
-      #
-      # @return [WorkOS::OrganizationMembership]
-      def create_organization_membership(user_id:, organization_id:, role_slug: nil, role_slugs: nil)
-        raise ArgumentError, 'Cannot specify both role_slug and role_slugs' if role_slug && role_slugs
+      }
+      WorkOS::Types::ListStruct.from_response(
+        response,
+        model: WorkOS::UserSessionsListItem,
+        filters: {id: id, before: before, limit: limit, order: order},
+        fetch_next: fetch_next
+      )
+    end
 
-        body = {
-          user_id: user_id,
+    # List invitations
+    # @param before [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `before="obj_123"` to fetch a new batch of objects before `"obj_123"`.
+    # @param after [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `after="obj_123"` to fetch a new batch of objects after `"obj_123"`.
+    # @param limit [Integer, nil] Upper limit on the number of objects to return, between `1` and `100`.
+    # @param order [WorkOS::Types::UserManagementInvitationsOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
+    # @param organization_id [String, nil] The ID of the [organization](https://workos.com/docs/reference/organization) that the recipient will join.
+    # @param email [String, nil] The email address of the recipient.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::Types::ListStruct<WorkOS::UserInvite>]
+    def list_invitations(
+      before: nil,
+      after: nil,
+      limit: nil,
+      order: "desc",
+      organization_id: nil,
+      email: nil,
+      request_options: {}
+    )
+      params = {
+        "before" => before,
+        "after" => after,
+        "limit" => limit,
+        "order" => order,
+        "organization_id" => organization_id,
+        "email" => email
+      }.compact
+      response = @client.request(
+        method: :get,
+        path: "/user_management/invitations",
+        auth: true,
+        params: params,
+        request_options: request_options
+      )
+      fetch_next = ->(cursor) {
+        list_invitations(
+          before: before,
+          after: cursor,
+          limit: limit,
+          order: order,
           organization_id: organization_id,
-        }
-
-        body[:role_slugs] = role_slugs if role_slugs
-        body[:role_slug] = role_slug if role_slug
-
-        request = post_request(
-          path: '/user_management/organization_memberships',
-          body: body.compact,
-          auth: true,
-        )
-
-        response = execute_request(request: request)
-
-        WorkOS::OrganizationMembership.new(response.body)
-      end
-
-      # Update an Organization Membership
-      #
-      # @param [String] id The ID of the Organization Membership.
-      # @param [String] role_slug The slug of the role to grant to this membership. (Optional)
-      # @param [Array<String>] role_slugs Array of role slugs to assign to this membership. (Optional)
-      #
-      # @return [WorkOS::OrganizationMembership]
-      def update_organization_membership(id:, role_slug: nil, role_slugs: nil)
-        raise ArgumentError, 'Cannot specify both role_slug and role_slugs' if role_slug && role_slugs
-
-        body = { id: id }
-
-        body[:role_slugs] = role_slugs if role_slugs
-        body[:role_slug] = role_slug if role_slug
-
-        request = put_request(
-          path: "/user_management/organization_memberships/#{id}",
-          body: body.compact,
-          auth: true,
-        )
-
-        response = execute_request(request: request)
-
-        WorkOS::OrganizationMembership.new(response.body)
-      end
-
-      # Delete an Organization Membership
-      #
-      # @param [String] id The unique ID of the Organization Membership.
-      #
-      # @return [Bool] - returns `true` if successful
-      def delete_organization_membership(id:)
-        response = execute_request(
-          request: delete_request(
-            path: "/user_management/organization_memberships/#{id}",
-            auth: true,
-          ),
+          email: email,
+          request_options: request_options
         )
+      }
+      WorkOS::Types::ListStruct.from_response(
+        response,
+        model: WorkOS::UserInvite,
+        filters: {before: before, limit: limit, order: order, organization_id: organization_id, email: email},
+        fetch_next: fetch_next
+      )
+    end
 
-        response.is_a? Net::HTTPSuccess
-      end
+    # Send an invitation
+    # @param email [String] The email address of the recipient.
+    # @param organization_id [String, nil] The ID of the [organization](https://workos.com/docs/reference/organization) that the recipient will join.
+    # @param role_slug [String, nil] The [role](https://workos.com/docs/authkit/roles) that the recipient will receive when they join the organization in the invitation.
+    # @param expires_in_days [Integer, nil] How many days the invitations will be valid for. Must be between 1 and 30 days. Defaults to 7 days if not specified.
+    # @param inviter_user_id [String, nil] The ID of the [user](https://workos.com/docs/reference/authkit/user) who invites the recipient. The invitation email will mention the name of this user.
+    # @param locale [WorkOS::Types::CreateUserInviteOptionsLocale, nil] The locale to use when rendering the invitation email. See [supported locales](https://workos.com/docs/authkit/hosted-ui/localization).
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::UserInvite]
+    def send_invitation(
+      email:,
+      organization_id: nil,
+      role_slug: nil,
+      expires_in_days: nil,
+      inviter_user_id: nil,
+      locale: nil,
+      request_options: {}
+    )
+      body = {
+        "email" => email,
+        "organization_id" => organization_id,
+        "role_slug" => role_slug,
+        "expires_in_days" => expires_in_days,
+        "inviter_user_id" => inviter_user_id,
+        "locale" => locale
+      }.compact
+      response = @client.request(
+        method: :post,
+        path: "/user_management/invitations",
+        auth: true,
+        body: body,
+        request_options: request_options
+      )
+      result = WorkOS::UserInvite.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
 
-      # Deactivate an Organization Membership
-      #
-      # @param [String] id The unique ID of the Organization Membership.
-      #
-      # @return WorkOS::OrganizationMembership
-      def deactivate_organization_membership(id:)
-        response = execute_request(
-          request: put_request(
-            path: "/user_management/organization_memberships/#{id}/deactivate",
-            auth: true,
-          ),
-        )
+    # Find an invitation by token
+    # @param token [String] The token used to accept the invitation.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::UserInvite]
+    def find_invitation_by_token(
+      token:,
+      request_options: {}
+    )
+      response = @client.request(
+        method: :get,
+        path: "/user_management/invitations/by_token/#{WorkOS::Util.encode_path(token)}",
+        auth: true,
+        request_options: request_options
+      )
+      result = WorkOS::UserInvite.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
 
-        WorkOS::OrganizationMembership.new(response.body)
-      end
+    # Get an invitation
+    # @param id [String] The unique ID of the invitation.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::UserInvite]
+    def get_invitation(
+      id:,
+      request_options: {}
+    )
+      response = @client.request(
+        method: :get,
+        path: "/user_management/invitations/#{WorkOS::Util.encode_path(id)}",
+        auth: true,
+        request_options: request_options
+      )
+      result = WorkOS::UserInvite.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
 
-      # Reactivate an Organization Membership
-      #
-      # @param [String] id The unique ID of the Organization Membership.
-      #
-      # @return WorkOS::OrganizationMembership
-      def reactivate_organization_membership(id:)
-        response = execute_request(
-          request: put_request(
-            path: "/user_management/organization_memberships/#{id}/reactivate",
-            auth: true,
-          ),
-        )
+    # Accept an invitation
+    # @param id [String] The unique ID of the invitation.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::Invitation]
+    def accept_invitation(
+      id:,
+      request_options: {}
+    )
+      response = @client.request(
+        method: :post,
+        path: "/user_management/invitations/#{WorkOS::Util.encode_path(id)}/accept",
+        auth: true,
+        request_options: request_options
+      )
+      result = WorkOS::Invitation.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
 
-        WorkOS::OrganizationMembership.new(response.body)
-      end
+    # Resend an invitation
+    # @param id [String] The unique ID of the invitation.
+    # @param locale [WorkOS::Types::ResendUserInviteOptionsLocale, nil] The locale to use when rendering the invitation email. See [supported locales](https://workos.com/docs/authkit/hosted-ui/localization).
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::UserInvite]
+    def resend_invitation(
+      id:,
+      locale: nil,
+      request_options: {}
+    )
+      body = {
+        "locale" => locale
+      }.compact
+      response = @client.request(
+        method: :post,
+        path: "/user_management/invitations/#{WorkOS::Util.encode_path(id)}/resend",
+        auth: true,
+        body: body,
+        request_options: request_options
+      )
+      result = WorkOS::UserInvite.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
 
-      # Gets an Invitation
-      #
-      # @param [String] id The unique ID of the Invitation.
-      #
-      # @return WorkOS::Invitation
-      def get_invitation(id:)
-        response = execute_request(
-          request: get_request(
-            path: "/user_management/invitations/#{id}",
-            auth: true,
-          ),
-        )
+    # Revoke an invitation
+    # @param id [String] The unique ID of the invitation.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::Invitation]
+    def revoke_invitation(
+      id:,
+      request_options: {}
+    )
+      response = @client.request(
+        method: :post,
+        path: "/user_management/invitations/#{WorkOS::Util.encode_path(id)}/revoke",
+        auth: true,
+        request_options: request_options
+      )
+      result = WorkOS::Invitation.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
 
-        WorkOS::Invitation.new(response.body)
-      end
+    # Update JWT template
+    # @param content [String] The JWT template content as a Liquid template string.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::JWTTemplateResponse]
+    def update_jwt_template(
+      content:,
+      request_options: {}
+    )
+      body = {
+        "content" => content
+      }.compact
+      response = @client.request(
+        method: :put,
+        path: "/user_management/jwt_template",
+        auth: true,
+        body: body,
+        request_options: request_options
+      )
+      result = WorkOS::JWTTemplateResponse.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
 
-      # Finds an Invitation by Token
-      #
-      # @param [String] token The token of the Invitation.
-      #
-      # @return WorkOS::Invitation
-      def find_invitation_by_token(token:)
-        response = execute_request(
-          request: get_request(
-            path: "/user_management/invitations/by_token/#{token}",
-            auth: true,
-          ),
-        )
+    # Create a Magic Auth code
+    # @param email [String] The email address to send the magic code to.
+    # @param invitation_token [String, nil] The invitation token to associate with this magic code.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::MagicAuth]
+    def create_magic_auth(
+      email:,
+      invitation_token: nil,
+      request_options: {}
+    )
+      body = {
+        "email" => email,
+        "invitation_token" => invitation_token
+      }.compact
+      response = @client.request(
+        method: :post,
+        path: "/user_management/magic_auth",
+        auth: true,
+        body: body,
+        request_options: request_options
+      )
+      result = WorkOS::MagicAuth.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
 
-        WorkOS::Invitation.new(response.body)
-      end
+    # Get Magic Auth code details
+    # @param id [String] The unique ID of the Magic Auth code.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::MagicAuth]
+    def get_magic_auth(
+      id:,
+      request_options: {}
+    )
+      response = @client.request(
+        method: :get,
+        path: "/user_management/magic_auth/#{WorkOS::Util.encode_path(id)}",
+        auth: true,
+        request_options: request_options
+      )
+      result = WorkOS::MagicAuth.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
 
-      # Retrieve a list of invitations.
-      #
-      # @param [Hash] options
-      # @option options [String] email The email address of a recipient.
-      # @option options [String] organization_id The ID of the Organization that the recipient was invited to join.
-      # @option options [String] limit Maximum number of records to return.
-      # @option options [String] order The order in which to paginate records
-      # @option options [String] before Pagination cursor to receive records
-      #  before a provided User ID.
-      # @option options [String] after Pagination cursor to receive records
-      #  before a provided User ID.
-      #
-      # @return [WorkOS::Invitation]
-      def list_invitations(options = {})
-        options[:order] ||= 'desc'
-        response = execute_request(
-          request: get_request(
-            path: '/user_management/invitations',
-            auth: true,
-            params: options,
-          ),
+    # List organization memberships
+    # @param before [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `before="obj_123"` to fetch a new batch of objects before `"obj_123"`.
+    # @param after [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `after="obj_123"` to fetch a new batch of objects after `"obj_123"`.
+    # @param limit [Integer, nil] Upper limit on the number of objects to return, between `1` and `100`.
+    # @param order [WorkOS::Types::UserManagementOrganizationMembershipOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
+    # @param organization_id [String, nil] The ID of the [organization](https://workos.com/docs/reference/organization) which the user belongs to.
+    # @param statuses [Array<WorkOS::Types::UserManagementOrganizationMembershipStatuses>, nil] Filter by the status of the organization membership. Array including any of `active`, `inactive`, or `pending`.
+    # @param user_id [String, nil] The ID of the [user](https://workos.com/docs/reference/authkit/user).
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::Types::ListStruct<WorkOS::UserOrganizationMembership>]
+    def list_organization_memberships(
+      before: nil,
+      after: nil,
+      limit: nil,
+      order: "desc",
+      organization_id: nil,
+      statuses: nil,
+      user_id: nil,
+      request_options: {}
+    )
+      params = {
+        "before" => before,
+        "after" => after,
+        "limit" => limit,
+        "order" => order,
+        "organization_id" => organization_id,
+        "statuses" => statuses,
+        "user_id" => user_id
+      }.compact
+      response = @client.request(
+        method: :get,
+        path: "/user_management/organization_memberships",
+        auth: true,
+        params: params,
+        request_options: request_options
+      )
+      fetch_next = ->(cursor) {
+        list_organization_memberships(
+          before: before,
+          after: cursor,
+          limit: limit,
+          order: order,
+          organization_id: organization_id,
+          statuses: statuses,
+          user_id: user_id,
+          request_options: request_options
         )
+      }
+      WorkOS::Types::ListStruct.from_response(
+        response,
+        model: WorkOS::UserOrganizationMembership,
+        filters: {before: before, limit: limit, order: order, organization_id: organization_id, statuses: statuses, user_id: user_id},
+        fetch_next: fetch_next
+      )
+    end
 
-        parsed_response = JSON.parse(response.body)
-
-        invitations = parsed_response['data'].map do |invitation|
-          ::WorkOS::Invitation.new(invitation.to_json)
+    # Create an organization membership
+    # @param user_id [String] The ID of the [user](https://workos.com/docs/reference/authkit/user).
+    # @param organization_id [String] The ID of the [organization](https://workos.com/docs/reference/organization) which the user belongs to.
+    # @param role_slug [String, nil] A single role identifier. Defaults to `member` or the explicit default role. Mutually exclusive with `role_slugs`.
+    # @param role_slugs [Array<String>, nil] An array of role identifiers. Limited to one role when Multiple Roles is disabled. Mutually exclusive with `role_slug`.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::OrganizationMembership]
+    def create_organization_membership(
+      user_id:,
+      organization_id:,
+      role_slug: nil,
+      role_slugs: nil,
+      role: nil,
+      request_options: {}
+    )
+      body = {
+        "user_id" => user_id,
+        "organization_id" => organization_id,
+        "role_slug" => role_slug,
+        "role_slugs" => role_slugs
+      }.compact
+      if role
+        case role[:type]
+        when "single"
+          body["role_slug"] = role[:role_slug]
+        when "multiple"
+          body["role_slugs"] = role[:role_slugs]
         end
-
-        WorkOS::Types::ListStruct.new(
-          data: invitations,
-          list_metadata: parsed_response['list_metadata'],
-        )
       end
+      response = @client.request(
+        method: :post,
+        path: "/user_management/organization_memberships",
+        auth: true,
+        body: body,
+        request_options: request_options
+      )
+      result = WorkOS::OrganizationMembership.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
 
-      # Sends an Invitation to a recipient.
-      #
-      # @param [String] email The email address of the recipient.
-      # @param [String] organization_id The ID of the Organization to which the recipient is being invited.
-      # @param [Integer] expires_in_days The number of days the invitations will be valid for.
-      # Must be between 1 and 30, defaults to 7 if not specified.
-      # @param [String] inviter_user_id The ID of the User sending the invitation.
-      # @param [String] role_slug The slug of the role to assign to the user upon invitation.
-      #
-      # @return WorkOS::Invitation
-      def send_invitation(email:, organization_id: nil, expires_in_days: nil, inviter_user_id: nil, role_slug: nil)
-        response = execute_request(
-          request: post_request(
-            path: '/user_management/invitations',
-            body: {
-              email: email,
-              organization_id: organization_id,
-              expires_in_days: expires_in_days,
-              inviter_user_id: inviter_user_id,
-              role_slug: role_slug,
-            }.compact,
-            auth: true,
-          ),
-        )
+    # Get an organization membership
+    # @param id [String] The unique ID of the organization membership.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::UserOrganizationMembership]
+    def get_organization_membership(
+      id:,
+      request_options: {}
+    )
+      response = @client.request(
+        method: :get,
+        path: "/user_management/organization_memberships/#{WorkOS::Util.encode_path(id)}",
+        auth: true,
+        request_options: request_options
+      )
+      result = WorkOS::UserOrganizationMembership.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
 
-        WorkOS::Invitation.new(response.body)
+    # Update an organization membership
+    # @param id [String] The unique ID of the organization membership.
+    # @param role_slug [String, nil] A single role identifier. Defaults to `member` or the explicit default role. Mutually exclusive with `role_slugs`.
+    # @param role_slugs [Array<String>, nil] An array of role identifiers. Limited to one role when Multiple Roles is disabled. Mutually exclusive with `role_slug`.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::UserOrganizationMembership]
+    def update_organization_membership(
+      id:,
+      role_slug: nil,
+      role_slugs: nil,
+      role: nil,
+      request_options: {}
+    )
+      body = {
+        "role_slug" => role_slug,
+        "role_slugs" => role_slugs
+      }.compact
+      if role
+        case role[:type]
+        when "single"
+          body["role_slug"] = role[:role_slug]
+        when "multiple"
+          body["role_slugs"] = role[:role_slugs]
+        end
       end
+      response = @client.request(
+        method: :put,
+        path: "/user_management/organization_memberships/#{WorkOS::Util.encode_path(id)}",
+        auth: true,
+        body: body,
+        request_options: request_options
+      )
+      result = WorkOS::UserOrganizationMembership.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
 
-      # Accepts an existing Invitation.
-      #
-      # @param [String] id The unique ID of the Invitation.
-      #
-      # @return WorkOS::Invitation
-      def accept_invitation(id:)
-        request = post_request(
-          path: "/user_management/invitations/#{id}/accept",
-          auth: true,
-        )
-
-        response = execute_request(request: request)
-
-        WorkOS::Invitation.new(response.body)
-      end
+    # Delete an organization membership
+    # @param id [String] The unique ID of the organization membership.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [void]
+    def delete_organization_membership(
+      id:,
+      request_options: {}
+    )
+      @client.request(
+        method: :delete,
+        path: "/user_management/organization_memberships/#{WorkOS::Util.encode_path(id)}",
+        auth: true,
+        request_options: request_options
+      )
+      nil
+    end
 
-      # Revokes an existing Invitation.
-      #
-      # @param [String] id The unique ID of the Invitation.
-      #
-      # @return WorkOS::Invitation
-      def revoke_invitation(id:)
-        request = post_request(
-          path: "/user_management/invitations/#{id}/revoke",
-          auth: true,
-        )
+    # Deactivate an organization membership
+    # @param id [String] The unique ID of the organization membership.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::OrganizationMembership]
+    def deactivate_organization_membership(
+      id:,
+      request_options: {}
+    )
+      response = @client.request(
+        method: :put,
+        path: "/user_management/organization_memberships/#{WorkOS::Util.encode_path(id)}/deactivate",
+        auth: true,
+        request_options: request_options
+      )
+      result = WorkOS::OrganizationMembership.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
 
-        response = execute_request(request: request)
+    # Reactivate an organization membership
+    # @param id [String] The unique ID of the organization membership.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::UserOrganizationMembership]
+    def reactivate_organization_membership(
+      id:,
+      request_options: {}
+    )
+      response = @client.request(
+        method: :put,
+        path: "/user_management/organization_memberships/#{WorkOS::Util.encode_path(id)}/reactivate",
+        auth: true,
+        request_options: request_options
+      )
+      result = WorkOS::UserOrganizationMembership.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
 
-        WorkOS::Invitation.new(response.body)
-      end
+    # Create a redirect URI
+    # @param uri [String] The redirect URI to create.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::RedirectUri]
+    def create_redirect_uri(
+      uri:,
+      request_options: {}
+    )
+      body = {
+        "uri" => uri
+      }.compact
+      response = @client.request(
+        method: :post,
+        path: "/user_management/redirect_uris",
+        auth: true,
+        body: body,
+        request_options: request_options
+      )
+      result = WorkOS::RedirectUri.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
 
-      # Resends an existing Invitation.
-      #
-      # @param [String] id The unique ID of the Invitation.
-      #
-      # @return WorkOS::Invitation
-      def resend_invitation(id:)
-        request = post_request(
-          path: "/user_management/invitations/#{id}/resend",
-          auth: true,
+    # List authorized applications
+    # @param user_id [String] The ID of the user.
+    # @param before [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `before="obj_123"` to fetch a new batch of objects before `"obj_123"`.
+    # @param after [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `after="obj_123"` to fetch a new batch of objects after `"obj_123"`.
+    # @param limit [Integer, nil] Upper limit on the number of objects to return, between `1` and `100`.
+    # @param order [WorkOS::Types::UserManagementUsersAuthorizedApplicationsOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::Types::ListStruct<WorkOS::AuthorizedConnectApplicationListData>]
+    def list_user_authorized_applications(
+      user_id:,
+      before: nil,
+      after: nil,
+      limit: nil,
+      order: "desc",
+      request_options: {}
+    )
+      params = {
+        "before" => before,
+        "after" => after,
+        "limit" => limit,
+        "order" => order
+      }.compact
+      response = @client.request(
+        method: :get,
+        path: "/user_management/users/#{WorkOS::Util.encode_path(user_id)}/authorized_applications",
+        auth: true,
+        params: params,
+        request_options: request_options
+      )
+      fetch_next = ->(cursor) {
+        list_user_authorized_applications(
+          user_id: user_id,
+          before: before,
+          after: cursor,
+          limit: limit,
+          order: order,
+          request_options: request_options
         )
+      }
+      WorkOS::Types::ListStruct.from_response(
+        response,
+        model: WorkOS::AuthorizedConnectApplicationListData,
+        filters: {user_id: user_id, before: before, limit: limit, order: order},
+        fetch_next: fetch_next
+      )
+    end
 
-        response = execute_request(request: request)
-
-        WorkOS::Invitation.new(response.body)
-      end
-
-      private
+    # Delete an authorized application
+    # @param application_id [String] The ID or client ID of the application.
+    # @param user_id [String] The ID of the user.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [void]
+    def delete_user_authorized_application(
+      application_id:,
+      user_id:,
+      request_options: {}
+    )
+      @client.request(
+        method: :delete,
+        path: "/user_management/users/#{WorkOS::Util.encode_path(user_id)}/authorized_applications/#{WorkOS::Util.encode_path(application_id)}",
+        auth: true,
+        request_options: request_options
+      )
+      nil
+    end
 
-      def validate_session(session)
-        return unless session && (session[:seal_session] == true) && session[:cookie_password].nil?
+    # @oagen-ignore-start — non-spec helpers (hand-maintained)
+    # H13 — Build the JWKS URL for a given client_id (no HTTP call).
+    # Pair with #get_jwks (generated) to fetch the keyset.
+    def get_jwks_url(client_id: nil)
+      cid = client_id || @client.client_id
+      raise ArgumentError, "client_id is required" if cid.nil? || cid.empty?
+      base = @client.base_url
+      URI.join(base, "/sso/jwks/#{WorkOS::Util.encode_path(cid)}").to_s
+    end
 
-        raise ArgumentError, 'cookie_password is required when sealing session'
-      end
+    # H09 — Build an AuthKit authorization URL (client-side, no HTTP call).
+    # Overrides the generated get_authorization_url which hits the API.
+    def get_authorization_url(redirect_uri:, client_id: nil, provider: nil, connection_id: nil,
+      organization_id: nil, domain_hint: nil, login_hint: nil,
+      state: nil, screen_hint: nil, code_challenge: nil,
+      code_challenge_method: nil, prompt: nil, **)
+      cid = client_id || @client.client_id
+      raise ArgumentError, "client_id is required (set on Client or pass explicitly)" if cid.nil? || cid.empty?
+      raise ArgumentError, "provider, connection_id, or organization_id required" if provider.nil? && connection_id.nil? && organization_id.nil?
+      params = {
+        "client_id" => cid,
+        "redirect_uri" => redirect_uri,
+        "response_type" => "code",
+        "provider" => provider,
+        "connection_id" => connection_id,
+        "organization_id" => organization_id,
+        "domain_hint" => domain_hint,
+        "login_hint" => login_hint,
+        "state" => state,
+        "screen_hint" => screen_hint,
+        "code_challenge" => code_challenge,
+        "code_challenge_method" => code_challenge_method,
+        "prompt" => prompt
+      }.compact
+      build_url("/user_management/authorize", params)
+    end
 
-      def validate_authorization_url_arguments(
-        provider:,
-        connection_id:,
-        organization_id:
+    # H10 — AuthKit authorization URL with auto-generated PKCE + state.
+    # Returns [url, code_verifier, state].
+    def get_authorization_url_with_pkce(redirect_uri:, client_id: nil, **opts)
+      pair = WorkOS::PKCE.generate_pair
+      state = opts.delete(:state) || WorkOS::PKCE.generate_code_verifier
+      url = get_authorization_url(
+        redirect_uri: redirect_uri,
+        client_id: client_id,
+        state: state,
+        code_challenge: pair[:code_challenge],
+        code_challenge_method: "S256",
+        **opts
       )
-        if [provider, connection_id, organization_id].all?(&:nil?)
-          raise ArgumentError, 'Either connection ID, organization ID,' \
-            ' or provider is required.'
-        end
+      [url, pair[:code_verifier], state]
+    end
 
-        return unless provider && !PROVIDERS.include?(provider)
+    # H11 — Exchange a code for tokens with PKCE support (public client; no secret).
+    # NOTE: Unlike the other authenticate_with_* helpers, this does NOT delegate to
+    # create_authenticate because PKCE is a public-client flow that requires
+    # auth: false (no Bearer token / API key in the Authorization header).
+    def authenticate_with_code_pkce(code:, code_verifier:, client_id: nil, ip_address: nil, user_agent: nil, request_options: {})
+      cid = client_id || @client.client_id
+      raise ArgumentError, "client_id is required" if cid.nil? || cid.empty?
+      body = {
+        "grant_type" => "authorization_code",
+        "client_id" => cid,
+        "code" => code,
+        "code_verifier" => code_verifier,
+        "ip_address" => ip_address,
+        "user_agent" => user_agent
+      }.compact
+      response = @client.request(method: :post, path: "/user_management/authenticate", auth: false, body: body, request_options: request_options)
+      WorkOS::AuthenticateResponse.new(response.body)
+    end
 
-        raise ArgumentError, "#{provider} is not a valid value." \
-          " `provider` must be in #{PROVIDERS}"
-      end
+    # H12 — Initiate the OAuth 2.0 device authorization flow.
+    # @return [WorkOS::DeviceAuthorizationResponse]
+    def authorize_device(client_id: nil, request_options: {})
+      cid = client_id || @client.client_id
+      raise ArgumentError, "client_id is required" if cid.nil? || cid.empty?
+      body = {"client_id" => cid}
+      response = @client.request(method: :post, path: "/oauth2/device_authorization", auth: false, body: body, request_options: request_options)
+      WorkOS::DeviceAuthorizationResponse.new(response.body)
+    end
 
-      def validate_auth_factor_type(
-        type:
-      )
-        return if AUTH_FACTOR_TYPES.include?(type)
+    # H12 device-code → token exchange is provided by the generated
+    # `authenticate_with_device_code` method (wraps /user_management/authenticate);
+    # no hand-maintained override is needed here.
+
+    # Build the AuthKit logout redirect URL (client-side, no HTTP call).
+    # @param session_id [String] The session ID (from the `sid` claim of the access token).
+    # @param return_to [String, nil] URL to redirect the user to after session revocation.
+    # @return [String]
+    def get_logout_url(session_id:, return_to: nil)
+      params = {"session_id" => session_id}
+      params["return_to"] = return_to if return_to
+      build_url("/user_management/sessions/logout", params)
+    end
 
-        raise ArgumentError, "#{type} is not a valid value." \
-          " `type` must be in #{AUTH_FACTOR_TYPES}"
-      end
+    private
+
+    def build_url(path, params)
+      base = @client.base_url
+      uri = URI.join(base, path)
+      uri.query = URI.encode_www_form(params)
+      uri.to_s
     end
+    # @oagen-ignore-end
   end
-  # rubocop:enable Metrics/ModuleLength
 end