@auth0/auth0-spa-js 2.17.1 → 2.18.1

package/package.json

@@ -3,7 +3,7 @@
   "name": "@auth0/auth0-spa-js",
   "description": "Auth0 SDK for Single Page Applications using Authorization Code Grant Flow with PKCE",
   "license": "MIT",
-  "version": "2.17.1",
+  "version": "2.18.1",
   "main": "dist/lib/auth0-spa-js.cjs.js",
   "types": "dist/typings/index.d.ts",
   "module": "dist/auth0-spa-js.production.esm.js",
@@ -23,7 +23,7 @@
     }
   },
   "dependencies": {
-    "@auth0/auth0-auth-js": "1.5.0",
+    "@auth0/auth0-auth-js": "1.6.0",
     "browser-tabs-lock": "1.3.0",
     "dpop": "2.1.1",
     "es-cookie": "1.3.2"
@@ -54,9 +54,10 @@
     "publish:cdn": "ccu --trace"
   },
   "devDependencies": {
-    "@auth0/component-cdn-uploader": "^2.4.2",
+    "@auth0/component-cdn-uploader": "^3.0.0",
     "@babel/core": "^7.28.5",
     "@babel/preset-env": "^7.28.5",
+    "@babel/preset-typescript": "^7.28.5",
     "@rollup/plugin-babel": "^6.1.0",
     "@rollup/plugin-commonjs": "^21.1.0",
     "@rollup/plugin-node-resolve": "^16.0.3",

package/src/Auth0Client.ts

@@ -378,6 +378,57 @@ export class Auth0Client {
     }
   }
 
+  /**
+   * Extracts the session transfer token from the current URL query parameters
+   * for Native to Web SSO flows.
+   *
+   * @param paramName The query parameter name to extract from the URL
+   * @returns The session transfer token if present, undefined otherwise
+   */
+  private _extractSessionTransferToken(paramName: string): string | undefined {
+    const params = new URLSearchParams(window.location.search);
+    return params.get(paramName) || undefined;
+  }
+
+  /**
+   * Clears the session transfer token from the current URL using the History API.
+   * This prevents the token from being re-sent on subsequent authentication requests,
+   * which is important since session transfer tokens are typically single-use.
+   *
+   * @param paramName The query parameter name to remove from the URL
+   */
+  private _clearSessionTransferTokenFromUrl(paramName: string): void {
+    try {
+      const url = new URL(window.location.href);
+      if (url.searchParams.has(paramName)) {
+        url.searchParams.delete(paramName);
+        window.history.replaceState({}, '', url.toString());
+      }
+    } catch {
+      // Silently fail if URL manipulation isn't possible
+    }
+  }
+
+  /**
+   * Applies the session transfer token from the URL to the authorization parameters
+   * if configured and not already provided.
+   *
+   * @param authorizationParams The authorization parameters to enhance
+   * @returns The authorization parameters with session_transfer_token added if applicable
+   */
+  private _applySessionTransferToken(
+    authorizationParams: AuthorizationParams
+  ): AuthorizationParams {
+    const paramName = this.options.sessionTransferTokenQueryParamName;
+    if (!paramName || authorizationParams.session_transfer_token) {
+      return authorizationParams;
+    }
+    const token = this._extractSessionTransferToken(paramName);
+    if (!token) return authorizationParams;
+    this._clearSessionTransferTokenFromUrl(paramName);
+    return { ...authorizationParams, session_transfer_token: token };
+  }
+
   private async _prepareAuthorizeUrl(
     authorizationParams: AuthorizationParams,
     authorizeOptions?: Partial<AuthorizeOptions>,
@@ -463,21 +514,26 @@ export class Auth0Client {
       }
     }
 
+    const authorizationParams = this._applySessionTransferToken(options.authorizationParams || {});
+
     const params = await this._prepareAuthorizeUrl(
-      options.authorizationParams || {},
+      authorizationParams,
       { response_mode: 'web_message' },
       window.location.origin
     );
 
     config.popup.location.href = params.url;
 
-    const codeResult = await runPopup({
-      ...config,
-      timeoutInSeconds:
-        config.timeoutInSeconds ||
-        this.options.authorizeTimeoutInSeconds ||
-        DEFAULT_AUTHORIZE_TIMEOUT_IN_SECONDS
-    });
+    const codeResult = await runPopup(
+      {
+        ...config,
+        timeoutInSeconds:
+          config.timeoutInSeconds ||
+          this.options.authorizeTimeoutInSeconds ||
+          DEFAULT_AUTHORIZE_TIMEOUT_IN_SECONDS
+      },
+      new URL(params.url).origin
+    );
 
     if (params.state !== codeResult.state) {
       throw new GenericError('state_mismatch', 'Invalid state');
@@ -553,8 +609,10 @@ export class Auth0Client {
       urlOptions.authorizationParams?.organization ||
       this.options.authorizationParams.organization;
 
+    const authorizationParams = this._applySessionTransferToken(urlOptions.authorizationParams || {});
+
     const { url, ...transaction } = await this._prepareAuthorizeUrl(
-      urlOptions.authorizationParams || {}
+      authorizationParams
     );
 
     this.transactionManager.create<LoginTransaction>({

package/src/global.ts

@@ -113,6 +113,15 @@ export interface AuthorizationParams {
    */
   redirect_uri?: string;
 
+  /**
+   * Session transfer token from a native application for Native to Web SSO.
+   * When `sessionTransferTokenQueryParamName` is set, this is automatically
+   * extracted from the specified URL query parameter if present.
+   *
+   * @see https://auth0.com/docs/authenticate/single-sign-on/native-to-web
+   */
+  session_transfer_token?: string;
+
   /**
    * If you need to send custom parameters to the Authorization Server,
    * make sure to use the original parameter name.
@@ -324,6 +333,41 @@ export interface Auth0ClientOptions {
    * defined by Auth0 or custom parameters that you define.
   */
   authorizationParams?: ClientAuthorizationParams;
+
+  /**
+   * Query parameter name to extract the session transfer token from for Native to Web SSO.
+   *
+   * When set, the SDK automatically extracts the token from the specified URL query
+   * parameter and includes it as `session_transfer_token` in authorization requests.
+   * This enables seamless single sign-on when users transition from a native mobile
+   * application to a web application.
+   *
+   * After extraction, the token is automatically removed from the URL using
+   * `window.history.replaceState()` to prevent accidental reuse on subsequent
+   * authentication requests.
+   *
+   * **Default:** `undefined` (feature disabled)
+   *
+   * **Common values:**
+   * - `'session_transfer_token'` - Standard parameter name
+   * - `'stt'` - Shortened version
+   * - Custom parameter name of your choice
+   *
+   * Set to `undefined` to disable automatic extraction if you prefer to handle
+   * session transfer tokens manually.
+   *
+   * @example
+   * ```js
+   * const auth0 = await createAuth0Client({
+   *   domain: '<AUTH0_DOMAIN>',
+   *   clientId: '<AUTH0_CLIENT_ID>',
+   *   sessionTransferTokenQueryParamName: 'session_transfer_token'
+   * });
+   * ```
+   *
+   * @see https://auth0.com/docs/authenticate/single-sign-on/native-to-web
+   */
+  sessionTransferTokenQueryParamName?: string;
 }
 
 /**

package/src/index.ts

@@ -58,16 +58,19 @@ export type {
 } from './mfa';
 
 export {
-  ICache,
   LocalStorageCache,
   InMemoryCache,
+  CacheKey
+} from './cache';
+
+export type {
+  ICache,
   Cacheable,
   DecodedToken,
   CacheEntry,
   WrappedCacheEntry,
   KeyManifestEntry,
   MaybePromise,
-  CacheKey,
   CacheKeyData
 } from './cache';
 
@@ -79,4 +82,4 @@ export type {
 
 export { MyAccountApiError } from './MyAccountApiClient';
 
-export { CustomTokenExchangeOptions } from './TokenExchange';
+export type { CustomTokenExchangeOptions } from './TokenExchange';

package/src/utils.ts

@@ -97,7 +97,7 @@ export const openPopup = (url: string) => {
   );
 };
 
-export const runPopup = (config: PopupConfigOptions) => {
+export const runPopup = (config: PopupConfigOptions, eventOrigin: string) => {
   return new Promise<AuthenticationResult>((resolve, reject) => {
     let popupEventListener: (e: MessageEvent) => void;
 
@@ -118,6 +118,7 @@ export const runPopup = (config: PopupConfigOptions) => {
     }, (config.timeoutInSeconds || DEFAULT_AUTHORIZE_TIMEOUT_IN_SECONDS) * 1000);
 
     popupEventListener = function (e: MessageEvent) {
+      if (e.origin !== eventOrigin) return;
       if (!e.data || e.data.type !== 'authorization_response') {
         return;
       }
@@ -149,11 +150,16 @@ export const getCrypto = () => {
 export const createRandomString = () => {
   const charset =
     '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-_~.';
+  const validMax = 256 - (256 % charset.length);
   let random = '';
-  const randomValues = Array.from(
-    getCrypto().getRandomValues(new Uint8Array(43))
-  );
-  randomValues.forEach(v => (random += charset[v % charset.length]));
+  while (random.length < 43) {
+    const bytes = getCrypto().getRandomValues(new Uint8Array(43 - random.length));
+    for (const byte of bytes) {
+      if (random.length < 43 && byte < validMax) {
+        random += charset[byte % charset.length];
+      }
+    }
+  }
   return random;
 };
 

package/src/version.ts

@@ -1 +1 @@
-export default '2.17.1';
+export default '2.18.1';

package/dist/typings/Auth0Client.d.ts

@@ -1,415 +0,0 @@
-import { Auth0ClientOptions, RedirectLoginOptions, PopupLoginOptions, PopupConfigOptions, RedirectLoginResult, GetTokenSilentlyOptions, GetTokenWithPopupOptions, LogoutOptions, User, IdToken, GetTokenSilentlyVerboseResponse, TokenEndpointResponse, ConnectAccountRedirectResult, RedirectConnectAccountOptions, ClientConfiguration } from './global';
-import { CustomTokenExchangeOptions } from './TokenExchange';
-import { Dpop } from './dpop/dpop';
-import { Fetcher, type FetcherConfig, type CustomFetchMinimalOutput } from './fetcher';
-import { MfaApiClient } from './mfa';
-/**
- * Auth0 SDK for Single Page Applications using [Authorization Code Grant Flow with PKCE](https://auth0.com/docs/api-auth/tutorials/authorization-code-grant-pkce).
- */
-export declare class Auth0Client {
-    private readonly transactionManager;
-    private readonly cacheManager;
-    private readonly lockManager;
-    private readonly domainUrl;
-    private readonly tokenIssuer;
-    private readonly scope;
-    private readonly cookieStorage;
-    private readonly dpop;
-    private readonly sessionCheckExpiryDays;
-    private readonly orgHintCookieName;
-    private readonly isAuthenticatedCookieName;
-    private readonly nowProvider;
-    private readonly httpTimeoutMs;
-    private readonly options;
-    private readonly userCache;
-    private readonly myAccountApi;
-    /**
-     * MFA API client for multi-factor authentication operations.
-     *
-     * Provides methods for:
-     * - Listing enrolled authenticators
-     * - Enrolling new authenticators (OTP, SMS, Voice, Push, Email)
-     * - Initiating MFA challenges
-     * - Verifying MFA challenges
-     */
-    readonly mfa: MfaApiClient;
-    private worker?;
-    private readonly authJsClient;
-    private readonly defaultOptions;
-    constructor(options: Auth0ClientOptions);
-    /**
-     * Returns a readonly copy of the initialization configuration.
-     *
-     * @returns An object containing domain and clientId
-     *
-     * @example
-     * ```typescript
-     * const auth0 = new Auth0Client({
-     *   domain: 'tenant.auth0.com',
-     *   clientId: 'abc123'
-     * });
-     *
-     * const config = auth0.getConfiguration();
-     * // { domain: 'tenant.auth0.com', clientId: 'abc123' }
-     * ```
-     */
-    getConfiguration(): Readonly<ClientConfiguration>;
-    private _url;
-    private _authorizeUrl;
-    private _verifyIdToken;
-    private _processOrgHint;
-    private _prepareAuthorizeUrl;
-    /**
-     * ```js
-     * try {
-     *  await auth0.loginWithPopup(options);
-     * } catch(e) {
-     *  if (e instanceof PopupCancelledError) {
-     *    // Popup was closed before login completed
-     *  }
-     * }
-     * ```
-     *
-     * Opens a popup with the `/authorize` URL using the parameters
-     * provided as arguments. Random and secure `state` and `nonce`
-     * parameters will be auto-generated. If the response is successful,
-     * results will be valid according to their expiration times.
-     *
-     * IMPORTANT: This method has to be called from an event handler
-     * that was started by the user like a button click, for example,
-     * otherwise the popup will be blocked in most browsers.
-     *
-     * @param options
-     * @param config
-     */
-    loginWithPopup(options?: PopupLoginOptions, config?: PopupConfigOptions): Promise<void>;
-    /**
-     * ```js
-     * const user = await auth0.getUser();
-     * ```
-     *
-     * Returns the user information if available (decoded
-     * from the `id_token`).
-     *
-     * @typeparam TUser The type to return, has to extend {@link User}.
-     */
-    getUser<TUser extends User>(): Promise<TUser | undefined>;
-    /**
-     * ```js
-     * const claims = await auth0.getIdTokenClaims();
-     * ```
-     *
-     * Returns all claims from the id_token if available.
-     */
-    getIdTokenClaims(): Promise<IdToken | undefined>;
-    /**
-     * ```js
-     * await auth0.loginWithRedirect(options);
-     * ```
-     *
-     * Performs a redirect to `/authorize` using the parameters
-     * provided as arguments. Random and secure `state` and `nonce`
-     * parameters will be auto-generated.
-     *
-     * @param options
-     */
-    loginWithRedirect<TAppState = any>(options?: RedirectLoginOptions<TAppState>): Promise<void>;
-    /**
-     * After the browser redirects back to the callback page,
-     * call `handleRedirectCallback` to handle success and error
-     * responses from Auth0. If the response is successful, results
-     * will be valid according to their expiration times.
-     */
-    handleRedirectCallback<TAppState = any>(url?: string): Promise<RedirectLoginResult<TAppState> | ConnectAccountRedirectResult<TAppState>>;
-    /**
-     * Handles the redirect callback from the login flow.
-     *
-     * @template AppState - The application state persisted from the /authorize redirect.
-     * @param {string} authenticationResult - The parsed authentication result from the URL.
-     * @param {string} transaction - The login transaction.
-     *
-     * @returns {RedirectLoginResult} Resolves with the persisted app state.
-     * @throws {GenericError | Error} If the transaction is missing, invalid, or the code exchange fails.
-     */
-    private _handleLoginRedirectCallback;
-    /**
-     * Handles the redirect callback from the connect account flow.
-     * This works the same as the redirect from the login flow expect it verifies the `connect_code`
-     * with the My Account API rather than the `code` with the Authorization Server.
-     *
-     * @template AppState - The application state persisted from the connect redirect.
-     * @param {string} connectResult - The parsed connect accounts result from the URL.
-     * @param {string} transaction - The login transaction.
-     * @returns {Promise<ConnectAccountRedirectResult>} The result of the My Account API, including any persisted app state.
-     * @throws {GenericError | MyAccountApiError} If the transaction is missing, invalid, or an error is returned from the My Account API.
-     */
-    private _handleConnectAccountRedirectCallback;
-    /**
-     * ```js
-     * await auth0.checkSession();
-     * ```
-     *
-     * Check if the user is logged in using `getTokenSilently`. The difference
-     * with `getTokenSilently` is that this doesn't return a token, but it will
-     * pre-fill the token cache.
-     *
-     * This method also heeds the `auth0.{clientId}.is.authenticated` cookie, as an optimization
-     *  to prevent calling Auth0 unnecessarily. If the cookie is not present because
-     * there was no previous login (or it has expired) then tokens will not be refreshed.
-     *
-     * It should be used for silently logging in the user when you instantiate the
-     * `Auth0Client` constructor. You should not need this if you are using the
-     * `createAuth0Client` factory.
-     *
-     * **Note:** the cookie **may not** be present if running an app using a private tab, as some
-     * browsers clear JS cookie data and local storage when the tab or page is closed, or on page reload. This effectively
-     * means that `checkSession` could silently return without authenticating the user on page refresh when
-     * using a private tab, despite having previously logged in. As a workaround, use `getTokenSilently` instead
-     * and handle the possible `login_required` error [as shown in the readme](https://github.com/auth0/auth0-spa-js#creating-the-client).
-     *
-     * @param options
-     */
-    checkSession(options?: GetTokenSilentlyOptions): Promise<void>;
-    /**
-     * Fetches a new access token and returns the response from the /oauth/token endpoint, omitting the refresh token.
-     *
-     * @param options
-     */
-    getTokenSilently(options: GetTokenSilentlyOptions & {
-        detailedResponse: true;
-    }): Promise<GetTokenSilentlyVerboseResponse>;
-    /**
-     * Fetches a new access token and returns it.
-     *
-     * @param options
-     */
-    getTokenSilently(options?: GetTokenSilentlyOptions): Promise<string>;
-    private _getTokenSilently;
-    /**
-     * Checks if an error should be handled by the interactive error handler.
-     * Matches:
-     * - MfaRequiredError (refresh token path, error='mfa_required')
-     * - GenericError from iframe path (error='login_required',
-     *   error_description='Multifactor authentication required')
-     * Extensible for future interactive error types.
-     */
-    private _isInteractiveError;
-    /**
-     * Checks if a login_required error from the iframe flow is actually
-     * an MFA step-up requirement. The /authorize endpoint returns
-     * error='login_required' with error_description='Multifactor authentication required'
-     * when MFA is needed but prompt=none prevents interaction.
-     */
-    private _isIframeMfaError;
-    /**
-     * Handles MFA errors by opening a popup to complete authentication,
-     * then reads the resulting token from cache.
-     */
-    private _handleInteractiveErrorWithPopup;
-    /**
-     * ```js
-     * const token = await auth0.getTokenWithPopup(options);
-     * ```
-     * Opens a popup with the `/authorize` URL using the parameters
-     * provided as arguments. Random and secure `state` and `nonce`
-     * parameters will be auto-generated. If the response is successful,
-     * results will be valid according to their expiration times.
-     *
-     * @param options
-     * @param config
-     */
-    getTokenWithPopup(options?: GetTokenWithPopupOptions, config?: PopupConfigOptions): Promise<string | undefined>;
-    /**
-     * ```js
-     * const isAuthenticated = await auth0.isAuthenticated();
-     * ```
-     *
-     * Returns `true` if there's valid information stored,
-     * otherwise returns `false`.
-     *
-     */
-    isAuthenticated(): Promise<boolean>;
-    /**
-     * ```js
-     * await auth0.buildLogoutUrl(options);
-     * ```
-     *
-     * Builds a URL to the logout endpoint using the parameters provided as arguments.
-     * @param options
-     */
-    private _buildLogoutUrl;
-    /**
-     * ```js
-     * await auth0.logout(options);
-     * ```
-     *
-     * Clears the application session and performs a redirect to `/v2/logout`, using
-     * the parameters provided as arguments, to clear the Auth0 session.
-     *
-     * If the `federated` option is specified it also clears the Identity Provider session.
-     * [Read more about how Logout works at Auth0](https://auth0.com/docs/logout).
-     *
-     * @param options
-     */
-    logout(options?: LogoutOptions): Promise<void>;
-    private _getTokenFromIFrame;
-    private _getTokenUsingRefreshToken;
-    private _saveEntryInCache;
-    private _getIdTokenFromCache;
-    private _getEntryFromCache;
-    private _requestToken;
-    /**
-     * ```js
-     * await auth0.loginWithCustomTokenExchange(options);
-     * ```
-     *
-     * Exchanges an external subject token for Auth0 tokens and logs the user in.
-     * This method implements the Custom Token Exchange grant as specified in RFC 8693.
-     *
-     * The exchanged tokens are automatically cached, establishing an authenticated session.
-     * After calling this method, you can use `getUser()`, `getIdTokenClaims()`, and
-     * `getTokenSilently()` to access the user's information and tokens.
-     *
-     * @param {CustomTokenExchangeOptions} options - The options required to perform the token exchange.
-     *
-     * @returns {Promise<TokenEndpointResponse>} A promise that resolves to the token endpoint response,
-     * which contains the issued Auth0 tokens (access_token, id_token, etc.).
-     *
-     * The request includes the following parameters:
-     * - `grant_type`: "urn:ietf:params:oauth:grant-type:token-exchange"
-     * - `subject_token`: The external token to exchange
-     * - `subject_token_type`: The type identifier of the external token
-     * - `scope`: Merged scopes from the request and SDK defaults
-     * - `audience`: Target audience (defaults to SDK configuration)
-     * - `organization`: Optional organization ID/name for org-scoped authentication
-     *
-     * **Example Usage:**
-     *
-     * ```js
-     * const options = {
-     *   subject_token: 'eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp...',
-     *   subject_token_type: 'urn:acme:legacy-system-token',
-     *   scope: 'openid profile email',
-     *   audience: 'https://api.example.com',
-     *   organization: 'org_12345'
-     * };
-     *
-     * try {
-     *   const tokenResponse = await auth0.loginWithCustomTokenExchange(options);
-     *   console.log('Access token:', tokenResponse.access_token);
-     *
-     *   // User is now logged in - access user info
-     *   const user = await auth0.getUser();
-     *   console.log('Logged in user:', user);
-     * } catch (error) {
-     *   console.error('Token exchange failed:', error);
-     * }
-     * ```
-     */
-    loginWithCustomTokenExchange(options: CustomTokenExchangeOptions): Promise<TokenEndpointResponse>;
-    /**
-     * @deprecated Use `loginWithCustomTokenExchange()` instead. This method will be removed in the next major version.
-     *
-     * Exchanges an external subject token for Auth0 tokens.
-     *
-     * @param {CustomTokenExchangeOptions} options - The options required to perform the token exchange.
-     * @returns {Promise<TokenEndpointResponse>} A promise that resolves to the token endpoint response.
-     *
-     * **Example:**
-     * ```js
-     * // Instead of:
-     * const tokens = await auth0.exchangeToken(options);
-     *
-     * // Use:
-     * const tokens = await auth0.loginWithCustomTokenExchange(options);
-     * ```
-     */
-    exchangeToken(options: CustomTokenExchangeOptions): Promise<TokenEndpointResponse>;
-    protected _assertDpop(dpop: Dpop | undefined): asserts dpop is Dpop;
-    /**
-     * Returns the current DPoP nonce used for making requests to Auth0.
-     *
-     * It can return `undefined` because when starting fresh it will not
-     * be populated until after the first response from the server.
-     *
-     * It requires enabling the {@link Auth0ClientOptions.useDpop} option.
-     *
-     * @param nonce The nonce value.
-     * @param id    The identifier of a nonce: if absent, it will get the nonce
-     *              used for requests to Auth0. Otherwise, it will be used to
-     *              select a specific non-Auth0 nonce.
-     */
-    getDpopNonce(id?: string): Promise<string | undefined>;
-    /**
-     * Sets the current DPoP nonce used for making requests to Auth0.
-     *
-     * It requires enabling the {@link Auth0ClientOptions.useDpop} option.
-     *
-     * @param nonce The nonce value.
-     * @param id    The identifier of a nonce: if absent, it will set the nonce
-     *              used for requests to Auth0. Otherwise, it will be used to
-     *              select a specific non-Auth0 nonce.
-     */
-    setDpopNonce(nonce: string, id?: string): Promise<void>;
-    /**
-     * Returns a string to be used to demonstrate possession of the private
-     * key used to cryptographically bind access tokens with DPoP.
-     *
-     * It requires enabling the {@link Auth0ClientOptions.useDpop} option.
-     */
-    generateDpopProof(params: {
-        url: string;
-        method: string;
-        nonce?: string;
-        accessToken: string;
-    }): Promise<string>;
-    /**
-     * Returns a new `Fetcher` class that will contain a `fetchWithAuth()` method.
-     * This is a drop-in replacement for the Fetch API's `fetch()` method, but will
-     * handle certain authentication logic for you, like building the proper auth
-     * headers or managing DPoP nonces and retries automatically.
-     *
-     * Check the `EXAMPLES.md` file for a deeper look into this method.
-     */
-    createFetcher<TOutput extends CustomFetchMinimalOutput = Response>(config?: FetcherConfig<TOutput>): Fetcher<TOutput>;
-    /**
-     * Initiates a redirect to connect the user's account with a specified connection.
-     * This method generates PKCE parameters, creates a transaction, and redirects to the /connect endpoint.
-     *
-     * You must enable `Offline Access` from the Connection Permissions settings to be able to use the connection with Connected Accounts.
-     *
-     * @template TAppState - The application state to persist through the transaction.
-     * @param {RedirectConnectAccountOptions<TAppState>} options - Options for the connect account redirect flow.
-     * @param   {string} options.connection - The name of the connection to link (e.g. 'google-oauth2').
-     * @param   {string[]} [options.scopes] - Array of scopes to request from the Identity Provider during the connect account flow.
-     * @param   {AuthorizationParams} [options.authorization_params] - Additional authorization parameters for the request to the upstream IdP.
-     * @param   {string} [options.redirectUri] - The URI to redirect back to after connecting the account.
-     * @param   {TAppState} [options.appState] - Application state to persist through the transaction.
-     * @param   {(url: string) => Promise<void>} [options.openUrl] - Custom function to open the URL.
-     *
-     * @returns {Promise<void>} Resolves when the redirect is initiated.
-     * @throws {MyAccountApiError} If the connect request to the My Account API fails.
-     */
-    connectAccountWithRedirect<TAppState = any>(options: RedirectConnectAccountOptions<TAppState>): Promise<void>;
-    /**
-     * @internal
-     * Internal method used by MfaApiClient to exchange MFA tokens for access tokens.
-     * This method should not be called directly by applications.
-     */
-    _requestTokenForMfa(options: {
-        grant_type: string;
-        mfaToken: string;
-        scope?: string;
-        audience?: string;
-        otp?: string;
-        binding_code?: string;
-        oob_code?: string;
-        recovery_code?: string;
-    }, additionalParameters?: RequestTokenAdditionalParameters): Promise<TokenEndpointResponse>;
-}
-interface RequestTokenAdditionalParameters {
-    nonceIn?: string;
-    organization?: string;
-    scopesToRequest?: string;
-}
-export {};