@aws-sdk/client-verifiedpermissions 3.549.0 → 3.552.0

package/dist-types/commands/BatchIsAuthorizedWithTokenCommand.d.ts

@@ -0,0 +1,285 @@
+import { Command as $Command } from "@smithy/smithy-client";
+import { MetadataBearer as __MetadataBearer } from "@smithy/types";
+import { BatchIsAuthorizedWithTokenInput, BatchIsAuthorizedWithTokenOutput } from "../models/models_0";
+import { ServiceInputTypes, ServiceOutputTypes, VerifiedPermissionsClientResolvedConfig } from "../VerifiedPermissionsClient";
+/**
+ * @public
+ */
+export { __MetadataBearer, $Command };
+/**
+ * @public
+ *
+ * The input for {@link BatchIsAuthorizedWithTokenCommand}.
+ */
+export interface BatchIsAuthorizedWithTokenCommandInput extends BatchIsAuthorizedWithTokenInput {
+}
+/**
+ * @public
+ *
+ * The output of {@link BatchIsAuthorizedWithTokenCommand}.
+ */
+export interface BatchIsAuthorizedWithTokenCommandOutput extends BatchIsAuthorizedWithTokenOutput, __MetadataBearer {
+}
+declare const BatchIsAuthorizedWithTokenCommand_base: {
+    new (input: BatchIsAuthorizedWithTokenCommandInput): import("@smithy/smithy-client").CommandImpl<BatchIsAuthorizedWithTokenCommandInput, BatchIsAuthorizedWithTokenCommandOutput, VerifiedPermissionsClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes>;
+    new (__0_0: BatchIsAuthorizedWithTokenCommandInput): import("@smithy/smithy-client").CommandImpl<BatchIsAuthorizedWithTokenCommandInput, BatchIsAuthorizedWithTokenCommandOutput, VerifiedPermissionsClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes>;
+    getEndpointParameterInstructions(): import("@smithy/middleware-endpoint").EndpointParameterInstructions;
+};
+/**
+ * <p>Makes a series of decisions about multiple authorization requests for one token. The
+ *             principal in this request comes from an external identity source in the form of an identity or
+ *             access token, formatted as a <a href="https://wikipedia.org/wiki/JSON_Web_Token">JSON
+ *                 web token (JWT)</a>. The information in the parameters can also define
+ *             additional context that Verified Permissions can include in the evaluations.</p>
+ *          <p>The request is evaluated against all policies in the specified policy store that match the
+ *             entities that you provide in the entities declaration and in the token. The result of
+ *             the decisions is a series of <code>Allow</code> or <code>Deny</code> responses, along
+ *             with the IDs of the policies that produced each decision.</p>
+ *          <p>The <code>entities</code> of a <code>BatchIsAuthorizedWithToken</code> API request can
+ *             contain up to 100 resources and up to 99 user groups. The <code>requests</code> of a
+ *                 <code>BatchIsAuthorizedWithToken</code> API request can contain up to 30
+ *             requests.</p>
+ *          <note>
+ *             <p>The <code>BatchIsAuthorizedWithToken</code> operation doesn't have its own
+ *                 IAM permission. To authorize this operation for Amazon Web Services principals, include the
+ *                 permission <code>verifiedpermissions:IsAuthorizedWithToken</code> in their IAM
+ *                 policies.</p>
+ *          </note>
+ * @example
+ * Use a bare-bones client and the command you need to make an API call.
+ * ```javascript
+ * import { VerifiedPermissionsClient, BatchIsAuthorizedWithTokenCommand } from "@aws-sdk/client-verifiedpermissions"; // ES Modules import
+ * // const { VerifiedPermissionsClient, BatchIsAuthorizedWithTokenCommand } = require("@aws-sdk/client-verifiedpermissions"); // CommonJS import
+ * const client = new VerifiedPermissionsClient(config);
+ * const input = { // BatchIsAuthorizedWithTokenInput
+ *   policyStoreId: "STRING_VALUE", // required
+ *   identityToken: "STRING_VALUE",
+ *   accessToken: "STRING_VALUE",
+ *   entities: { // EntitiesDefinition Union: only one key present
+ *     entityList: [ // EntityList
+ *       { // EntityItem
+ *         identifier: { // EntityIdentifier
+ *           entityType: "STRING_VALUE", // required
+ *           entityId: "STRING_VALUE", // required
+ *         },
+ *         attributes: { // EntityAttributes
+ *           "<keys>": { // AttributeValue Union: only one key present
+ *             boolean: true || false,
+ *             entityIdentifier: {
+ *               entityType: "STRING_VALUE", // required
+ *               entityId: "STRING_VALUE", // required
+ *             },
+ *             long: Number("long"),
+ *             string: "STRING_VALUE",
+ *             set: [ // SetAttribute
+ *               {//  Union: only one key present
+ *                 boolean: true || false,
+ *                 entityIdentifier: "<EntityIdentifier>",
+ *                 long: Number("long"),
+ *                 string: "STRING_VALUE",
+ *                 set: [
+ *                   "<AttributeValue>",
+ *                 ],
+ *                 record: { // RecordAttribute
+ *                   "<keys>": "<AttributeValue>",
+ *                 },
+ *               },
+ *             ],
+ *             record: {
+ *               "<keys>": "<AttributeValue>",
+ *             },
+ *           },
+ *         },
+ *         parents: [ // ParentList
+ *           "<EntityIdentifier>",
+ *         ],
+ *       },
+ *     ],
+ *   },
+ *   requests: [ // BatchIsAuthorizedWithTokenInputList // required
+ *     { // BatchIsAuthorizedWithTokenInputItem
+ *       action: { // ActionIdentifier
+ *         actionType: "STRING_VALUE", // required
+ *         actionId: "STRING_VALUE", // required
+ *       },
+ *       resource: "<EntityIdentifier>",
+ *       context: { // ContextDefinition Union: only one key present
+ *         contextMap: { // ContextMap
+ *           "<keys>": "<AttributeValue>",
+ *         },
+ *       },
+ *     },
+ *   ],
+ * };
+ * const command = new BatchIsAuthorizedWithTokenCommand(input);
+ * const response = await client.send(command);
+ * // { // BatchIsAuthorizedWithTokenOutput
+ * //   principal: { // EntityIdentifier
+ * //     entityType: "STRING_VALUE", // required
+ * //     entityId: "STRING_VALUE", // required
+ * //   },
+ * //   results: [ // BatchIsAuthorizedWithTokenOutputList // required
+ * //     { // BatchIsAuthorizedWithTokenOutputItem
+ * //       request: { // BatchIsAuthorizedWithTokenInputItem
+ * //         action: { // ActionIdentifier
+ * //           actionType: "STRING_VALUE", // required
+ * //           actionId: "STRING_VALUE", // required
+ * //         },
+ * //         resource: {
+ * //           entityType: "STRING_VALUE", // required
+ * //           entityId: "STRING_VALUE", // required
+ * //         },
+ * //         context: { // ContextDefinition Union: only one key present
+ * //           contextMap: { // ContextMap
+ * //             "<keys>": { // AttributeValue Union: only one key present
+ * //               boolean: true || false,
+ * //               entityIdentifier: "<EntityIdentifier>",
+ * //               long: Number("long"),
+ * //               string: "STRING_VALUE",
+ * //               set: [ // SetAttribute
+ * //                 {//  Union: only one key present
+ * //                   boolean: true || false,
+ * //                   entityIdentifier: "<EntityIdentifier>",
+ * //                   long: Number("long"),
+ * //                   string: "STRING_VALUE",
+ * //                   set: [
+ * //                     "<AttributeValue>",
+ * //                   ],
+ * //                   record: { // RecordAttribute
+ * //                     "<keys>": "<AttributeValue>",
+ * //                   },
+ * //                 },
+ * //               ],
+ * //               record: {
+ * //                 "<keys>": "<AttributeValue>",
+ * //               },
+ * //             },
+ * //           },
+ * //         },
+ * //       },
+ * //       decision: "ALLOW" || "DENY", // required
+ * //       determiningPolicies: [ // DeterminingPolicyList // required
+ * //         { // DeterminingPolicyItem
+ * //           policyId: "STRING_VALUE", // required
+ * //         },
+ * //       ],
+ * //       errors: [ // EvaluationErrorList // required
+ * //         { // EvaluationErrorItem
+ * //           errorDescription: "STRING_VALUE", // required
+ * //         },
+ * //       ],
+ * //     },
+ * //   ],
+ * // };
+ *
+ * ```
+ *
+ * @param BatchIsAuthorizedWithTokenCommandInput - {@link BatchIsAuthorizedWithTokenCommandInput}
+ * @returns {@link BatchIsAuthorizedWithTokenCommandOutput}
+ * @see {@link BatchIsAuthorizedWithTokenCommandInput} for command's `input` shape.
+ * @see {@link BatchIsAuthorizedWithTokenCommandOutput} for command's `response` shape.
+ * @see {@link VerifiedPermissionsClientResolvedConfig | config} for VerifiedPermissionsClient's `config` shape.
+ *
+ * @throws {@link ResourceNotFoundException} (client fault)
+ *  <p>The request failed because it references a resource that doesn't exist.</p>
+ *
+ * @throws {@link AccessDeniedException} (client fault)
+ *  <p>You don't have sufficient access to perform this action.</p>
+ *
+ * @throws {@link InternalServerException} (server fault)
+ *  <p>The request failed because of an internal error. Try your request again later</p>
+ *
+ * @throws {@link ThrottlingException} (client fault)
+ *  <p>The request failed because it exceeded a throttling quota.</p>
+ *
+ * @throws {@link ValidationException} (client fault)
+ *  <p>The request failed because one or more input parameters don't satisfy their constraint
+ *             requirements. The output is provided as a list of fields and a reason for each field that
+ *             isn't valid.</p>
+ *          <p>The possible reasons include the following:</p>
+ *          <ul>
+ *             <li>
+ *                <p>
+ *                   <b>UnrecognizedEntityType</b>
+ *                </p>
+ *                <p>The policy includes an entity type that isn't found in the schema.</p>
+ *             </li>
+ *             <li>
+ *                <p>
+ *                   <b>UnrecognizedActionId</b>
+ *                </p>
+ *                <p>The policy includes an action id that isn't found in the schema.</p>
+ *             </li>
+ *             <li>
+ *                <p>
+ *                   <b>InvalidActionApplication</b>
+ *                </p>
+ *                <p>The policy includes an action that, according to the schema, doesn't support
+ *                     the specified principal and resource.</p>
+ *             </li>
+ *             <li>
+ *                <p>
+ *                   <b>UnexpectedType</b>
+ *                </p>
+ *                <p>The policy included an operand that isn't a valid type for the specified
+ *                     operation.</p>
+ *             </li>
+ *             <li>
+ *                <p>
+ *                   <b>IncompatibleTypes</b>
+ *                </p>
+ *                <p>The types of elements included in a <code>set</code>, or the types of
+ *                     expressions used in an <code>if...then...else</code> clause aren't compatible in
+ *                     this context.</p>
+ *             </li>
+ *             <li>
+ *                <p>
+ *                   <b>MissingAttribute</b>
+ *                </p>
+ *                <p>The policy attempts to access a record or entity attribute that isn't
+ *                     specified in the schema. Test for the existence of the attribute first before
+ *                     attempting to access its value. For more information, see the <a href="https://docs.cedarpolicy.com/policies/syntax-operators.html#has-presence-of-attribute-test">has (presence of attribute test) operator</a> in the
+ *                         <i>Cedar Policy Language Guide</i>.</p>
+ *             </li>
+ *             <li>
+ *                <p>
+ *                   <b>UnsafeOptionalAttributeAccess</b>
+ *                </p>
+ *                <p>The policy attempts to access a record or entity attribute that is optional
+ *                     and isn't guaranteed to be present. Test for the existence of the attribute
+ *                     first before attempting to access its value. For more information, see the
+ *                         <a href="https://docs.cedarpolicy.com/policies/syntax-operators.html#has-presence-of-attribute-test">has (presence of attribute test) operator</a> in the
+ *                         <i>Cedar Policy Language Guide</i>.</p>
+ *             </li>
+ *             <li>
+ *                <p>
+ *                   <b>ImpossiblePolicy</b>
+ *                </p>
+ *                <p>Cedar has determined that a policy condition always evaluates to false. If
+ *                     the policy is always false, it can never apply to any query, and so it can never
+ *                     affect an authorization decision.</p>
+ *             </li>
+ *             <li>
+ *                <p>
+ *                   <b>WrongNumberArguments</b>
+ *                </p>
+ *                <p>The policy references an extension type with the wrong number of
+ *                     arguments.</p>
+ *             </li>
+ *             <li>
+ *                <p>
+ *                   <b>FunctionArgumentValidationError</b>
+ *                </p>
+ *                <p>Cedar couldn't parse the argument passed to an extension type. For example,
+ *                     a string that is to be parsed as an IPv4 address can contain only digits and the
+ *                     period character.</p>
+ *             </li>
+ *          </ul>
+ *
+ * @throws {@link VerifiedPermissionsServiceException}
+ * <p>Base exception class for all service exceptions from VerifiedPermissions service.</p>
+ *
+ * @public
+ */
+export declare class BatchIsAuthorizedWithTokenCommand extends BatchIsAuthorizedWithTokenCommand_base {
+}

package/dist-types/commands/IsAuthorizedWithTokenCommand.d.ts

@@ -34,15 +34,6 @@ declare const IsAuthorizedWithTokenCommand_base: {
  *             matching policies in the specified policy store. The result of the decision is either
  *                 <code>Allow</code> or <code>Deny</code>, along with a list of the policies that
  *             resulted in the decision.</p>
- *          <important>
- *             <p>If you specify the <code>identityToken</code> parameter, then this operation
- *                 derives the principal from that token. You must not also include that principal in
- *                 the <code>entities</code> parameter or the operation fails and reports a conflict
- *                 between the two entity sources.</p>
- *             <p>If you provide only an <code>accessToken</code>, then you can include the entity
- *                 as part of the <code>entities</code> parameter to provide additional
- *                 attributes.</p>
- *          </important>
  *          <p>At this time, Verified Permissions accepts tokens from only Amazon Cognito.</p>
  *          <p>Verified Permissions validates each token that is specified in a request by checking its expiration
  *             date and its signature.</p>

package/dist-types/commands/index.d.ts

@@ -1,4 +1,5 @@
 export * from "./BatchIsAuthorizedCommand";
+export * from "./BatchIsAuthorizedWithTokenCommand";
 export * from "./CreateIdentitySourceCommand";
 export * from "./CreatePolicyCommand";
 export * from "./CreatePolicyStoreCommand";

package/dist-types/models/models_0.d.ts

@@ -293,8 +293,8 @@ export declare class ValidationException extends __BaseException {
     constructor(opts: __ExceptionOptionType<ValidationException, __BaseException>);
 }
 /**
- * <p>The type of entity that a policy store maps to groups from an Amazon Cognito user
- *             pool identity source.</p>
+ * <p>A list of user groups and entities from an Amazon Cognito user pool identity
+ *             source.</p>
  *          <p>This data type is part of a <a href="https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CognitoUserPoolConfiguration.html">CognitoUserPoolConfiguration</a> structure and is a request parameter in <a href="https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html">CreateIdentitySource</a>.</p>
  * @public
  */
@@ -307,8 +307,8 @@ export interface CognitoGroupConfiguration {
     groupEntityType: string | undefined;
 }
 /**
- * <p>The type of entity that a policy store maps to groups from an Amazon Cognito user
- *             pool identity source.</p>
+ * <p>A list of user groups and entities from an Amazon Cognito user pool identity
+ *             source.</p>
  *          <p>This data type is part of an <a href="https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CognitoUserPoolConfigurationItem.html">CognitoUserPoolConfigurationDetail</a> structure and is a response parameter to
  *             <a href="https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_GetIdentitySource.html">GetIdentitySource</a>.</p>
  * @public
@@ -322,8 +322,8 @@ export interface CognitoGroupConfigurationDetail {
     groupEntityType?: string;
 }
 /**
- * <p>The type of entity that a policy store maps to groups from an Amazon Cognito user
- *             pool identity source.</p>
+ * <p>A list of user groups and entities from an Amazon Cognito user pool identity
+ *             source.</p>
  *          <p>This data type is part of an <a href="https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CognitoUserPoolConfigurationDetail.html">CognitoUserPoolConfigurationItem</a> structure and is a response parameter to
  *             <a href="http://forums.aws.amazon.com/verifiedpermissions/latest/apireference/API_ListIdentitySources.html">ListIdentitySources</a>.</p>
  * @public
@@ -342,7 +342,7 @@ export interface CognitoGroupConfigurationItem {
  *          <p>This data type is used as a field that is part of an <a href="https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_Configuration.html">Configuration</a> structure that is
  *             used as a parameter to <a href="https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html">CreateIdentitySource</a>.</p>
  *          <p>Example:<code>"CognitoUserPoolConfiguration":\{"UserPoolArn":"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5","ClientIds":
- *             ["a1b2c3d4e5f6g7h8i9j0kalbmc"],"groupConfiguration": \{"groupEntityType": "MyCorp::Group"\}\}</code>
+ *                 ["a1b2c3d4e5f6g7h8i9j0kalbmc"]\}</code>
  *          </p>
  * @public
  */
@@ -365,8 +365,8 @@ export interface CognitoUserPoolConfiguration {
      */
     clientIds?: string[];
     /**
-     * <p>The type of entity that a policy store maps to groups from an Amazon Cognito user
-     *             pool identity source.</p>
+     * <p>The configuration of the user groups from an Amazon Cognito user pool identity
+     *             source.</p>
      * @public
      */
     groupConfiguration?: CognitoGroupConfiguration;
@@ -377,7 +377,7 @@ export interface CognitoUserPoolConfiguration {
  *          <p>This data type is used as a field that is part of an <a href="https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_ConfigurationDetail.html">ConfigurationDetail</a> structure that is
  *             part of the response to <a href="https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_GetIdentitySource.html">GetIdentitySource</a>.</p>
  *          <p>Example:<code>"CognitoUserPoolConfiguration":\{"UserPoolArn":"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5","ClientIds":
- *             ["a1b2c3d4e5f6g7h8i9j0kalbmc"],"groupConfiguration": \{"groupEntityType": "MyCorp::Group"\}\}</code>
+ *             ["a1b2c3d4e5f6g7h8i9j0kalbmc"]\}</code>
  *          </p>
  * @public
  */
@@ -409,8 +409,8 @@ export interface CognitoUserPoolConfigurationDetail {
      */
     issuer: string | undefined;
     /**
-     * <p>The type of entity that a policy store maps to groups from an Amazon Cognito user
-     *             pool identity source.</p>
+     * <p>The configuration of the user groups from an Amazon Cognito user pool identity
+     *             source.</p>
      * @public
      */
     groupConfiguration?: CognitoGroupConfigurationDetail;
@@ -421,7 +421,7 @@ export interface CognitoUserPoolConfigurationDetail {
  *          <p>This data type is used as a field that is part of the <a href="https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_ConfigurationItem.html">ConfigurationItem</a> structure that is
  *             part of the response to <a href="https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_ListIdentitySources.html">ListIdentitySources</a>.</p>
  *          <p>Example:<code>"CognitoUserPoolConfiguration":\{"UserPoolArn":"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5","ClientIds":
- *             ["a1b2c3d4e5f6g7h8i9j0kalbmc"],"groupConfiguration": \{"groupEntityType": "MyCorp::Group"\}\}</code>
+ *             ["a1b2c3d4e5f6g7h8i9j0kalbmc"]\}</code>
  *          </p>
  * @public
  */
@@ -453,8 +453,8 @@ export interface CognitoUserPoolConfigurationItem {
      */
     issuer: string | undefined;
     /**
-     * <p>The type of entity that a policy store maps to groups from an Amazon Cognito user
-     *             pool identity source.</p>
+     * <p>The configuration of the user groups from an Amazon Cognito user pool identity
+     *             source.</p>
      * @public
      */
     groupConfiguration?: CognitoGroupConfigurationItem;
@@ -464,7 +464,7 @@ export interface CognitoUserPoolConfigurationItem {
  *          <note>
  *             <p>At this time, the only valid member of this structure is a Amazon Cognito user pool
  *                 configuration.</p>
- *             <p>Specifies a <code>userPoolArn</code>, a <code>groupConfiguration</code>, and a
+ *             <p>You must specify a <code>userPoolArn</code>, and optionally, a
  *                     <code>ClientId</code>.</p>
  *          </note>
  *          <p>This data type is used as a request parameter for the <a href="https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html">CreateIdentitySource</a>
@@ -516,8 +516,7 @@ export type ConfigurationDetail = ConfigurationDetail.CognitoUserPoolConfigurati
 export declare namespace ConfigurationDetail {
     /**
      * <p>Contains configuration details of a Amazon Cognito user pool that Verified Permissions can use as a source of
-     *             authenticated identities as entities. It specifies the <a href="https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html">Amazon Resource Name (ARN)</a> of a Amazon Cognito user pool,
-     *             the policy store entity that you want to assign to user groups,
+     *             authenticated identities as entities. It specifies the <a href="https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html">Amazon Resource Name (ARN)</a> of a Amazon Cognito user pool
      *             and one or more application client IDs.</p>
      *          <p>Example:
      *             <code>"configuration":\{"cognitoUserPoolConfiguration":\{"userPoolArn":"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5","clientIds":
@@ -555,8 +554,7 @@ export type ConfigurationItem = ConfigurationItem.CognitoUserPoolConfigurationMe
 export declare namespace ConfigurationItem {
     /**
      * <p>Contains configuration details of a Amazon Cognito user pool that Verified Permissions can use as a source of
-     *             authenticated identities as entities. It specifies the <a href="https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html">Amazon Resource Name (ARN)</a> of a Amazon Cognito user pool,
-     *             the policy store entity that you want to assign to user groups,
+     *             authenticated identities as entities. It specifies the <a href="https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html">Amazon Resource Name (ARN)</a> of a Amazon Cognito user pool
      *             and one or more application client IDs.</p>
      *          <p>Example:
      *             <code>"configuration":\{"cognitoUserPoolConfiguration":\{"userPoolArn":"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5","clientIds":
@@ -1774,7 +1772,7 @@ export interface ListIdentitySourcesOutput {
     identitySources: IdentitySourceItem[] | undefined;
 }
 /**
- * <p>The user group entities from an Amazon Cognito user pool identity
+ * <p>A list of user groups and entities from an Amazon Cognito user pool identity
  *             source.</p>
  * @public
  */
@@ -2956,6 +2954,31 @@ export interface BatchIsAuthorizedInputItem {
      */
     context?: ContextDefinition;
 }
+/**
+ * <p>An authorization request that you include in a <code>BatchIsAuthorizedWithToken</code>
+ *             API request.</p>
+ * @public
+ */
+export interface BatchIsAuthorizedWithTokenInputItem {
+    /**
+     * <p>Specifies the requested action to be authorized. For example,
+     *             <code>PhotoFlash::ReadPhoto</code>.</p>
+     * @public
+     */
+    action?: ActionIdentifier;
+    /**
+     * <p>Specifies the resource that you want an authorization decision for. For example,
+     *             <code>PhotoFlash::Photo</code>.</p>
+     * @public
+     */
+    resource?: EntityIdentifier;
+    /**
+     * <p>Specifies additional context that can be used to make more granular authorization
+     *             decisions.</p>
+     * @public
+     */
+    context?: ContextDefinition;
+}
 /**
  * <p>The decision, based on policy evaluation, from an individual authorization request in
  *             a <code>BatchIsAuthorized</code> API request.</p>
@@ -2990,6 +3013,39 @@ export interface BatchIsAuthorizedOutputItem {
      */
     errors: EvaluationErrorItem[] | undefined;
 }
+/**
+ * <p>The decision, based on policy evaluation, from an individual authorization request in a
+ *             <code>BatchIsAuthorizedWithToken</code> API request.</p>
+ * @public
+ */
+export interface BatchIsAuthorizedWithTokenOutputItem {
+    /**
+     * <p>The authorization request that initiated the decision.</p>
+     * @public
+     */
+    request: BatchIsAuthorizedWithTokenInputItem | undefined;
+    /**
+     * <p>An authorization decision that indicates if the authorization request should be allowed
+     *             or denied.</p>
+     * @public
+     */
+    decision: Decision | undefined;
+    /**
+     * <p>The list of determining policies used to make the authorization decision. For example,
+     *             if there are two matching policies, where one is a forbid and the other is a permit, then
+     *             the forbid policy will be the determining policy. In the case of multiple matching permit
+     *             policies then there would be multiple determining policies. In the case that no policies
+     *             match, and hence the response is DENY, there would be no determining policies.</p>
+     * @public
+     */
+    determiningPolicies: DeterminingPolicyItem[] | undefined;
+    /**
+     * <p>Errors that occurred while making an authorization decision. For example, a policy might
+     *             reference an entity or attribute that doesn't exist in the request.</p>
+     * @public
+     */
+    errors: EvaluationErrorItem[] | undefined;
+}
 /**
  * <p>Contains the list of entities to be considered during an authorization request. This
  *             includes all principals, resources, and actions required to successfully evaluate the
@@ -3037,6 +3093,22 @@ export interface BatchIsAuthorizedOutput {
      */
     results: BatchIsAuthorizedOutputItem[] | undefined;
 }
+/**
+ * @public
+ */
+export interface BatchIsAuthorizedWithTokenOutput {
+    /**
+     * <p>The identifier of the principal in the ID or access token.</p>
+     * @public
+     */
+    principal?: EntityIdentifier;
+    /**
+     * <p>A series of <code>Allow</code> or <code>Deny</code> decisions for each request, and
+     *             the policies that produced them.</p>
+     * @public
+     */
+    results: BatchIsAuthorizedWithTokenOutputItem[] | undefined;
+}
 /**
  * @public
  */
@@ -3131,9 +3203,10 @@ export interface IsAuthorizedWithTokenInput {
     /**
      * <p>Specifies the list of resources and their associated attributes that Verified Permissions can examine
      *             when evaluating the policies. </p>
-     *          <note>
-     *             <p>You can include only resource and action entities in this parameter; you can't
-     *                 include principals.</p>
+     *          <important>
+     *             <p>You can't include principals in this parameter, only resource and action entities.
+     *                 This parameter can't include any entities of a type that matches the user or group
+     *                 entity types that you defined in your identity source.</p>
      *             <ul>
      *                <li>
      *                   <p>The <code>IsAuthorizedWithToken</code> operation takes principal
@@ -3148,7 +3221,7 @@ export interface IsAuthorizedWithTokenInput {
      *                         and <code>EntityType</code>. </p>
      *                </li>
      *             </ul>
-     *          </note>
+     *          </important>
      * @public
      */
     entities?: EntitiesDefinition;
@@ -3179,6 +3252,67 @@ export interface BatchIsAuthorizedInput {
      */
     requests: BatchIsAuthorizedInputItem[] | undefined;
 }
+/**
+ * @public
+ */
+export interface BatchIsAuthorizedWithTokenInput {
+    /**
+     * <p>Specifies the ID of the policy store. Policies in this policy store will be used to make an
+     *             authorization decision for the input.</p>
+     * @public
+     */
+    policyStoreId: string | undefined;
+    /**
+     * <p>Specifies an identity (ID) token for the principal that you want to authorize in each
+     *             request. This token is provided to you by the identity provider (IdP) associated with
+     *             the specified identity source. You must specify either an <code>accessToken</code>, an
+     *                 <code>identityToken</code>, or both.</p>
+     *          <p>Must be an ID token. Verified Permissions returns an error if the <code>token_use</code> claim in the
+     *             submitted token isn't <code>id</code>.</p>
+     * @public
+     */
+    identityToken?: string;
+    /**
+     * <p>Specifies an access token for the principal that you want to authorize in each
+     *             request. This token is provided to you by the identity provider (IdP) associated with
+     *             the specified identity source. You must specify either an <code>accessToken</code>, an
+     *                 <code>identityToken</code>, or both.</p>
+     *          <p>Must be an access token. Verified Permissions returns an error if the <code>token_use</code> claim in
+     *             the submitted token isn't <code>access</code>.</p>
+     * @public
+     */
+    accessToken?: string;
+    /**
+     * <p>Specifies the list of resources and their associated attributes that Verified Permissions can examine
+     *             when evaluating the policies. </p>
+     *          <important>
+     *             <p>You can't include principals in this parameter, only resource and action entities.
+     *                 This parameter can't include any entities of a type that matches the user or group
+     *                 entity types that you defined in your identity source.</p>
+     *             <ul>
+     *                <li>
+     *                   <p>The <code>BatchIsAuthorizedWithToken</code> operation takes principal
+     *                         attributes from <b>
+     *                         <i>only</i>
+     *                      </b>
+     *                         the <code>identityToken</code> or <code>accessToken</code> passed to the
+     *                         operation.</p>
+     *                </li>
+     *                <li>
+     *                   <p>For action entities, you can include only their <code>Identifier</code>
+     *                         and <code>EntityType</code>. </p>
+     *                </li>
+     *             </ul>
+     *          </important>
+     * @public
+     */
+    entities?: EntitiesDefinition;
+    /**
+     * <p>An array of up to 30 requests that you want Verified Permissions to evaluate.</p>
+     * @public
+     */
+    requests: BatchIsAuthorizedWithTokenInputItem[] | undefined;
+}
 /**
  * @internal
  */
@@ -3439,10 +3573,18 @@ export declare const EntityItemFilterSensitiveLog: (obj: EntityItem) => any;
  * @internal
  */
 export declare const BatchIsAuthorizedInputItemFilterSensitiveLog: (obj: BatchIsAuthorizedInputItem) => any;
+/**
+ * @internal
+ */
+export declare const BatchIsAuthorizedWithTokenInputItemFilterSensitiveLog: (obj: BatchIsAuthorizedWithTokenInputItem) => any;
 /**
  * @internal
  */
 export declare const BatchIsAuthorizedOutputItemFilterSensitiveLog: (obj: BatchIsAuthorizedOutputItem) => any;
+/**
+ * @internal
+ */
+export declare const BatchIsAuthorizedWithTokenOutputItemFilterSensitiveLog: (obj: BatchIsAuthorizedWithTokenOutputItem) => any;
 /**
  * @internal
  */
@@ -3451,6 +3593,10 @@ export declare const EntitiesDefinitionFilterSensitiveLog: (obj: EntitiesDefinit
  * @internal
  */
 export declare const BatchIsAuthorizedOutputFilterSensitiveLog: (obj: BatchIsAuthorizedOutput) => any;
+/**
+ * @internal
+ */
+export declare const BatchIsAuthorizedWithTokenOutputFilterSensitiveLog: (obj: BatchIsAuthorizedWithTokenOutput) => any;
 /**
  * @internal
  */
@@ -3463,3 +3609,7 @@ export declare const IsAuthorizedWithTokenInputFilterSensitiveLog: (obj: IsAutho
  * @internal
  */
 export declare const BatchIsAuthorizedInputFilterSensitiveLog: (obj: BatchIsAuthorizedInput) => any;
+/**
+ * @internal
+ */
+export declare const BatchIsAuthorizedWithTokenInputFilterSensitiveLog: (obj: BatchIsAuthorizedWithTokenInput) => any;