@drmhse/sso-sdk 0.2.8 → 0.3.0

package/dist/index.d.mts

@@ -1,65 +1,27 @@
 /**
- * HTTP response wrapper
+ * Abstract storage interface for persisting tokens
  */
-interface HttpResponse<T = any> {
-    data: T;
-    status: number;
-    headers: Headers;
+interface TokenStorage {
+    getItem(key: string): Promise<string | null> | string | null;
+    setItem(key: string, value: string): Promise<void> | void;
+    removeItem(key: string): Promise<void> | void;
 }
 /**
- * HTTP client defaults
+ * In-memory storage (Default for Node/Server)
  */
-interface HttpDefaults {
-    baseURL: string;
-    headers: {
-        common: Record<string, string>;
-    };
-    timeout: number;
+declare class MemoryStorage implements TokenStorage {
+    private store;
+    getItem(key: string): string | null;
+    setItem(key: string, value: string): void;
+    removeItem(key: string): void;
 }
 /**
- * Custom HTTP client using native fetch API.
- * Provides an interface similar to Axios for easy migration.
+ * Browser LocalStorage adapter
  */
-declare class HttpClient {
-    defaults: HttpDefaults;
-    constructor(baseURL: string);
-    /**
-     * Build query string from params object
-     */
-    private buildQueryString;
-    /**
-     * Build full URL from path and params
-     */
-    private buildUrl;
-    /**
-     * Make HTTP request with timeout support
-     */
-    private request;
-    /**
-     * GET request
-     */
-    get<T = any>(path: string, config?: {
-        params?: Record<string, any>;
-        headers?: Record<string, string>;
-    }): Promise<HttpResponse<T>>;
-    /**
-     * POST request
-     */
-    post<T = any>(path: string, data?: any, config?: {
-        headers?: Record<string, string>;
-    }): Promise<HttpResponse<T>>;
-    /**
-     * PATCH request
-     */
-    patch<T = any>(path: string, data?: any, config?: {
-        headers?: Record<string, string>;
-    }): Promise<HttpResponse<T>>;
-    /**
-     * DELETE request
-     */
-    delete<T = any>(path: string, config?: {
-        headers?: Record<string, string>;
-    }): Promise<HttpResponse<T>>;
+declare class BrowserStorage implements TokenStorage {
+    getItem(key: string): string | null;
+    setItem(key: string, value: string): void;
+    removeItem(key: string): void;
 }
 
 /**
@@ -75,13 +37,19 @@ interface User {
     created_at: string;
 }
 /**
- * User profile response (includes context from JWT)
+ * User profile response (includes context from JWT and cached permissions)
  */
 interface UserProfile {
     id: string;
     email: string;
+    is_platform_owner: boolean;
+    email_verified_at: string | null;
+    created_at: string;
     org?: string;
     service?: string;
+    permissions: string[];
+    plan: string | null;
+    features: string[] | null;
 }
 /**
  * Paginated response wrapper
@@ -103,7 +71,7 @@ interface PaginationParams {
 /**
  * OAuth provider types
  */
-type OAuthProvider = 'github' | 'google' | 'microsoft';
+type OAuthProvider = 'github' | 'google' | 'microsoft' | 'oidc';
 /**
  * Organization status types
  */
@@ -153,6 +121,12 @@ interface JwtClaims {
      * List of enabled features
      */
     features?: string[];
+    /**
+     * List of user permissions (Zanzibar relation tuples)
+     * Format: "namespace:object_id#relation"
+     * Example: ["organization:acme#owner", "service:api#admin"]
+     */
+    permissions?: string[];
     /**
      * Expiration timestamp (Unix epoch)
      */
@@ -163,6 +137,308 @@ interface JwtClaims {
     iat: number;
 }
 
+/**
+ * Risk assessment and engine types
+ */
+/**
+ * Risk score levels
+ */
+type RiskScore = number;
+/**
+ * Risk assessment results from the risk engine
+ */
+interface RiskAssessment {
+    /** Overall risk score (0-100, higher is more risky) */
+    score: RiskScore;
+    /** Action to take based on risk assessment */
+    action: RiskAction;
+    /** Specific risk factors that contributed to the score */
+    factors: RiskFactor[];
+    /** Geolocation data if available */
+    location?: GeolocationData;
+    /** When the assessment was performed */
+    assessedAt: string;
+    /** Additional metadata about the assessment */
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Risk actions the engine can recommend
+ */
+declare enum RiskAction {
+    /** Allow the authentication to proceed */
+    ALLOW = "allow",
+    /** Log only - allow but monitor */
+    LOG_ONLY = "log_only",
+    /** Require additional verification (MFA) */
+    CHALLENGE_MFA = "challenge_mfa",
+    /** Block the authentication attempt */
+    BLOCK = "block"
+}
+/**
+ * Individual risk factors that contribute to overall risk score
+ */
+interface RiskFactor {
+    /** Type of risk factor */
+    type: RiskFactorType;
+    /** How much this factor contributes to the score */
+    weight: number;
+    /** Human-readable description */
+    description: string;
+    /** Additional data about this factor */
+    data?: Record<string, unknown>;
+}
+/**
+ * Types of risk factors the engine can detect
+ */
+declare enum RiskFactorType {
+    /** Unknown IP address or never seen before */
+    NEW_IP = "new_ip",
+    /** IP from high-risk country or region */
+    HIGH_RISK_LOCATION = "high_risk_location",
+    /** Impossible travel - login from geographically impossible locations */
+    IMPOSSIBLE_TRAVEL = "impossible_travel",
+    /** New device or browser fingerprint */
+    NEW_DEVICE = "new_device",
+    /** Multiple failed login attempts */
+    FAILED_ATTEMPTS = "failed_attempts",
+    /** Login from unusual time of day */
+    UNUSUAL_TIME = "unusual_time",
+    /** Suspicious user agent or bot patterns */
+    SUSPICIOUS_USER_AGENT = "suspicious_user_agent",
+    /** Tor exit node or VPN detected */
+    ANONYMOUS_NETWORK = "anonymous_network",
+    /** Account is new (recently created) */
+    NEW_ACCOUNT = "new_account",
+    /** Account has suspicious activity history */
+    SUSPICIOUS_HISTORY = "suspicious_history",
+    /** Velocity-based detection (too many actions) */
+    HIGH_VELOCITY = "high_velocity",
+    /** Custom rule triggered */
+    CUSTOM_RULE = "custom_rule"
+}
+/**
+ * Geolocation data for risk assessment
+ */
+interface GeolocationData {
+    /** Two-letter ISO country code */
+    country: string;
+    /** City name if available */
+    city?: string;
+    /** Region/state if available */
+    region?: string;
+    /** Latitude coordinate */
+    latitude?: number;
+    /** Longitude coordinate */
+    longitude?: number;
+    /** ISP or organization name */
+    isp?: string;
+    /** Whether this is a known VPN/proxy */
+    isVpn?: boolean;
+    /** Whether this is a Tor exit node */
+    isTor?: boolean;
+}
+/**
+ * Context provided to risk engine for assessment
+ */
+interface RiskContext {
+    /** User ID being authenticated */
+    userId: string;
+    /** Organization ID if applicable */
+    orgId?: string;
+    /** IP address of the request */
+    ipAddress: string;
+    /** User agent string */
+    userAgent: string;
+    /** Device fingerprint or cookie if available */
+    deviceCookie?: string;
+    /** Authentication method being used */
+    authMethod: AuthMethod;
+    /** Additional context data */
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Authentication methods for risk assessment
+ */
+declare enum AuthMethod {
+    /** Email and password */
+    PASSWORD = "password",
+    /** OAuth provider (Google, GitHub, etc.) */
+    OAUTH = "oauth",
+    /** WebAuthn passkeys */
+    PASSKEY = "passkey",
+    /** Magic link email */
+    MAGIC_LINK = "magic_link",
+    /** Multi-factor authentication */
+    MFA = "mfa",
+    /** SAML SSO */
+    SAML = "saml"
+}
+/**
+ * Risk engine configuration for organizations
+ */
+interface RiskEngineConfig {
+    /** Enable/disable risk engine */
+    enabled: boolean;
+    /** Risk score threshold for blocking */
+    blockThreshold: RiskScore;
+    /** Risk score threshold for requiring MFA */
+    mfaThreshold: RiskScore;
+    /** Which risk factors to consider */
+    enabledFactors: RiskFactorType[];
+    /** Custom rules and weights */
+    customRules?: RiskRule[];
+    /** How long to remember trusted devices */
+    deviceTrustDuration: number;
+    /** Whether to enable location-based risk assessment */
+    enableLocationTracking: boolean;
+    /** Max failed attempts before increased risk */
+    maxFailedAttempts: number;
+    /** Time window for velocity checks */
+    velocityWindow: number;
+}
+/**
+ * Custom risk rule definition
+ */
+interface RiskRule {
+    /** Unique rule identifier */
+    id: string;
+    /** Rule name for display */
+    name: string;
+    /** Rule description */
+    description: string;
+    /** Condition to trigger the rule */
+    condition: RiskRuleCondition;
+    /** Action to take when rule triggers */
+    action: RiskAction;
+    /** How much weight this rule carries */
+    weight: number;
+    /** Whether the rule is enabled */
+    enabled: boolean;
+}
+/**
+ * Risk rule condition
+ */
+interface RiskRuleCondition {
+    /** Field to check */
+    field: string;
+    /** Operator for comparison */
+    operator: 'eq' | 'ne' | 'gt' | 'gte' | 'lt' | 'lte' | 'in' | 'contains' | 'regex';
+    /** Value to compare against */
+    value: unknown;
+    /** Additional conditions (AND logic) */
+    and?: RiskRuleCondition[];
+    /** Alternative conditions (OR logic) */
+    or?: RiskRuleCondition[];
+}
+/**
+ * Device trust information
+ */
+interface DeviceTrust {
+    /** Device ID */
+    deviceId: string;
+    /** User ID this device belongs to */
+    userId: string;
+    /** Device name or description */
+    deviceName: string;
+    /** When the device was first seen */
+    firstSeenAt: string;
+    /** When the device was last used */
+    lastSeenAt: string;
+    /** When the device trust expires */
+    expiresAt: string;
+    /** IP address when device was registered */
+    registrationIp?: string;
+    /** Risk score for this device */
+    riskScore: RiskScore;
+    /** Whether this device is currently trusted */
+    isTrusted: boolean;
+}
+/**
+ * Risk event for logging and monitoring
+ */
+interface RiskEvent {
+    /** Unique event ID */
+    id: string;
+    /** User ID involved */
+    userId: string;
+    /** Organization ID if applicable */
+    orgId?: string;
+    /** Risk assessment that triggered this event */
+    assessment: RiskAssessment;
+    /** Authentication context */
+    context: RiskContext;
+    /** When the event occurred */
+    timestamp: string;
+    /** Event outcome */
+    outcome: RiskEventOutcome;
+    /** Additional event metadata */
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Risk event outcomes
+ */
+declare enum RiskEventOutcome {
+    /** Authentication was allowed */
+    ALLOWED = "allowed",
+    /** Authentication was blocked */
+    BLOCKED = "blocked",
+    /** Additional verification was required */
+    CHALLENGED = "challenged",
+    /** Event was logged but no action taken */
+    LOGGED = "logged"
+}
+/**
+ * Risk engine analytics and reporting
+ */
+interface RiskAnalytics {
+    /** Total risk assessments in time period */
+    totalAssessments: number;
+    /** Risk score distribution */
+    scoreDistribution: {
+        low: number;
+        medium: number;
+        high: number;
+        critical: number;
+    };
+    /** Most common risk factors */
+    topRiskFactors: Array<{
+        factor: RiskFactorType;
+        count: number;
+        percentage: number;
+    }>;
+    /** Blocked authentication attempts */
+    blockedAttempts: number;
+    /** MFA challenges issued */
+    mfaChallenges: number;
+    /** Geographic risk data */
+    locationRisk: Array<{
+        country: string;
+        riskCount: number;
+        riskScore: number;
+    }>;
+    /** Time-based risk patterns */
+    temporalPatterns: {
+        hourly: number[];
+        daily: number[];
+    };
+}
+/**
+ * Risk enforcement modes
+ */
+type RiskEnforcementMode = 'log_only' | 'monitor' | 'block' | 'challenge_mfa';
+/**
+ * Organization risk settings
+ */
+interface RiskSettings {
+    enforcement_mode: RiskEnforcementMode;
+    low_threshold: number;
+    medium_threshold: number;
+    new_device_score: number;
+    impossible_travel_score: number;
+    velocity_threshold: number;
+    velocity_score: number;
+}
+
 /**
  * Device code request payload
  */
@@ -225,6 +501,12 @@ interface LoginUrlParams {
      * Optional user code for device flow authorization
      */
     user_code?: string;
+    /**
+     * Optional connection ID for enterprise IdP routing (from HRD lookup).
+     * When provided, routes user to specific upstream provider instead of using default OAuth.
+     * Example: "azure-ad-connection", "okta-enterprise"
+     */
+    connection_id?: string;
 }
 /**
  * Parameters for constructing admin login URL
@@ -262,6 +544,10 @@ interface RefreshTokenResponse {
     access_token: string;
     refresh_token: string;
     expires_in: number;
+    /**
+     * Risk assessment details (only present if risk engine is enabled)
+     */
+    risk_assessment?: RiskAssessment;
 }
 /**
  * Registration request payload
@@ -325,6 +611,43 @@ interface MfaVerificationResponse {
     refresh_token: string;
     expires_in: number;
 }
+/**
+ * Home Realm Discovery (HRD) request payload
+ */
+interface LookupEmailRequest {
+    /**
+     * Email address to lookup
+     */
+    email: string;
+}
+/**
+ * Home Realm Discovery (HRD) response
+ */
+interface LookupEmailResponse {
+    /**
+     * The connection ID to use for authentication, if any.
+     * If present, use this to route the user to their enterprise IdP.
+     */
+    connection_id: string | null;
+    /**
+     * The name of the upstream provider, for display purposes.
+     * Example: "Acme Corp Azure AD", "Partner Okta"
+     */
+    provider_name: string | null;
+    /**
+     * Whether the email domain is verified.
+     * true = domain is verified and owned by an organization
+     * false = domain is not verified, use default auth flow
+     */
+    domain_verified: boolean;
+    /**
+     * The authentication method to use:
+     * - "upstream": Route to enterprise IdP via connection_id
+     * - "password": Use email/password authentication
+     * - "oauth": Use default OAuth providers (GitHub, Google, Microsoft)
+     */
+    auth_method: 'upstream' | 'password' | 'oauth';
+}
 
 /**
  * User subscription details
@@ -413,6 +736,54 @@ interface MfaVerifyResponse {
 interface BackupCodesResponse {
     backup_codes: string[];
 }
+/**
+ * User device information
+ */
+interface UserDevice {
+    /** Unique device identifier */
+    id: string;
+    /** Device name/description */
+    device_name: string;
+    /** When the device was first seen */
+    first_seen_at: string;
+    /** When the device was last used */
+    last_used_at: string;
+    /** When the device trust expires */
+    expires_at: string;
+    /** IP address when device was registered */
+    registration_ip?: string;
+    /** Risk score for this device */
+    risk_score: number;
+    /** Whether this device is currently trusted */
+    is_trusted: boolean;
+}
+/**
+ * List devices response
+ */
+interface ListDevicesResponse {
+    /** Array of user devices */
+    devices: UserDevice[];
+    /** Total number of devices */
+    total: number;
+}
+/**
+ * Revoke device request
+ */
+interface RevokeDeviceRequest {
+    /** Device ID to revoke */
+    device_id: string;
+    /** Optional reason for revocation */
+    reason?: string;
+}
+/**
+ * Revoke device response
+ */
+interface RevokeDeviceResponse {
+    /** Success message */
+    message: string;
+    /** Whether revocation was successful */
+    success: boolean;
+}
 
 /**
  * Organization entity
@@ -577,20 +948,58 @@ interface SmtpConfigResponse {
 }
 /**
  * Organization audit log entry
+ *
+ * This type matches the API response from GET /api/organizations/:slug/audit-log
+ * The API joins user information from the users table to provide actor details.
  */
 interface AuditLog {
+    /** Unique identifier for the audit log entry */
     id: string;
+    /** Organization ID this audit log belongs to */
     org_id: string;
+    /** User ID who performed the action */
     actor_user_id: string;
+    /** Email of the user who performed the action (optional, joined from users table) */
     actor_user_email?: string;
+    /** Action that was performed (e.g., 'service.created', 'user.invited') */
     action: string;
+    /** Type of resource that was targeted (e.g., 'service', 'user', 'organization') */
     target_type: string;
+    /** ID of the resource that was targeted */
     target_id: string;
+    /** IP address from which the action was performed */
     ip_address?: string;
+    /** User agent string of the client */
     user_agent?: string;
+    /** Whether the action was successful */
     success: boolean;
+    /** Additional details about the action (JSON string or object) */
     details?: string;
+    /** Timestamp when the action was recorded */
     created_at: string;
+    /**
+     * Actor details (optional, joined from users table when available)
+     * This field is populated by the API when fetching audit logs
+     */
+    actor?: {
+        id: string;
+        email: string;
+    };
+    /**
+     * Organization ID (deprecated: use org_id)
+     * @deprecated Use org_id instead for consistency with backend
+     */
+    organization_id?: string;
+    /**
+     * Actor ID (deprecated: use actor_user_id)
+     * @deprecated Use actor_user_id instead for consistency with backend
+     */
+    actor_id?: string;
+    /**
+     * Metadata about the action (optional)
+     * Contains additional structured information about what changed
+     */
+    metadata?: Record<string, any> | null;
 }
 /**
  * Audit log response with pagination
@@ -758,6 +1167,59 @@ interface UpdateBrandingRequest {
     logo_url?: string | null;
     primary_color?: string | null;
 }
+/**
+ * Risk settings response
+ */
+interface GetRiskSettingsResponse {
+    enforcement_mode: string;
+    low_threshold: number;
+    medium_threshold: number;
+    new_device_score: number;
+    impossible_travel_score: number;
+    velocity_threshold: number;
+    velocity_score: number;
+}
+/**
+ * Update risk settings request
+ */
+interface UpdateRiskSettingsRequest {
+    enforcement_mode?: string;
+    low_threshold?: number;
+    medium_threshold?: number;
+    new_device_score?: number;
+    impossible_travel_score?: number;
+    velocity_threshold?: number;
+    velocity_score?: number;
+}
+/**
+ * Update risk settings response
+ */
+interface UpdateRiskSettingsResponse {
+    message: string;
+    settings: GetRiskSettingsResponse;
+}
+/**
+ * Create SCIM token request
+ */
+interface CreateScimTokenRequest {
+    name: string;
+}
+/**
+ * SCIM token response
+ */
+interface ScimTokenResponse {
+    id: string;
+    name: string;
+    token?: string;
+    last_used_at?: string;
+    created_at: string;
+}
+/**
+ * List SCIM tokens response
+ */
+interface ListScimTokensResponse {
+    tokens: ScimTokenResponse[];
+}
 
 /**
  * Service entity
@@ -804,6 +1266,7 @@ interface Plan {
     price_cents: number;
     currency: string;
     features: string;
+    stripe_price_id?: string;
     created_at: string;
 }
 /**
@@ -867,6 +1330,7 @@ interface CreatePlanPayload {
     price_cents: number;
     currency: string;
     features?: string[];
+    stripe_price_id?: string;
 }
 /**
  * Update plan payload
@@ -876,6 +1340,7 @@ interface UpdatePlanPayload {
     price_cents?: number;
     currency?: string;
     features?: string[];
+    stripe_price_id?: string | null;
 }
 /**
  * Service with aggregated details
@@ -982,6 +1447,21 @@ interface SamlCertificate {
     is_active: boolean;
     created_at: string;
 }
+/**
+ * Create checkout session payload
+ */
+interface CreateCheckoutPayload {
+    plan_id: string;
+    success_url: string;
+    cancel_url: string;
+}
+/**
+ * Create checkout session response
+ */
+interface CreateCheckoutResponse {
+    checkout_url: string;
+    session_id: string;
+}
 
 /**
  * Invitation entity
@@ -1001,7 +1481,7 @@ interface Invitation {
  * Create invitation payload
  */
 interface CreateInvitationPayload {
-    invitee_email: string;
+    email: string;
     role: MemberRole;
 }
 /**
@@ -1176,6 +1656,31 @@ interface PlatformAnalyticsDateRangeParams {
     start_date?: string;
     end_date?: string;
 }
+/**
+ * Impersonation request payload
+ */
+interface ImpersonateRequest {
+    user_id: string;
+    reason: string;
+}
+/**
+ * User info for impersonation response
+ */
+interface ImpersonationUserInfo {
+    id: string;
+    email: string;
+    is_platform_owner: boolean;
+    org_id?: string;
+    org_name?: string;
+}
+/**
+ * Impersonation response
+ */
+interface ImpersonateResponse {
+    token: string;
+    target_user: ImpersonationUserInfo;
+    actor_user: ImpersonationUserInfo;
+}
 
 /**
  * End-user subscription details
@@ -1278,108 +1783,481 @@ interface AnalyticsQuery {
 }
 
 /**
- * Analytics and login tracking methods
+ * WebAuthn/Passkey authentication types
  */
-declare class AnalyticsModule {
-    private http;
-    constructor(http: HttpClient);
-    /**
-     * Get login trends over time.
-     * Returns daily login counts grouped by date.
-     *
-     * @param orgSlug Organization slug
-     * @param params Optional query parameters (date range)
-     * @returns Array of login trend data points
-     *
-     * @example
-     * ```typescript
-     * const trends = await sso.analytics.getLoginTrends('acme-corp', {
-     *   start_date: '2025-01-01',
-     *   end_date: '2025-01-31'
-     * });
-     * trends.forEach(point => console.log(point.date, point.count));
-     * ```
-     */
-    getLoginTrends(orgSlug: string, params?: AnalyticsQuery): Promise<LoginTrendPoint[]>;
-    /**
-     * Get login counts grouped by service.
-     * Shows which services have the most authentication activity.
-     *
-     * @param orgSlug Organization slug
-     * @param params Optional query parameters (date range)
-     * @returns Array of login counts per service
-     *
-     * @example
-     * ```typescript
-     * const byService = await sso.analytics.getLoginsByService('acme-corp', {
-     *   start_date: '2025-01-01',
-     *   end_date: '2025-01-31'
-     * });
-     * byService.forEach(s => console.log(s.service_name, s.count));
-     * ```
-     */
-    getLoginsByService(orgSlug: string, params?: AnalyticsQuery): Promise<LoginsByService[]>;
-    /**
-     * Get login counts grouped by OAuth provider.
-     * Shows which authentication providers are being used (GitHub, Google, Microsoft).
-     *
-     * @param orgSlug Organization slug
-     * @param params Optional query parameters (date range)
-     * @returns Array of login counts per provider
-     *
-     * @example
-     * ```typescript
-     * const byProvider = await sso.analytics.getLoginsByProvider('acme-corp', {
-     *   start_date: '2025-01-01',
-     *   end_date: '2025-01-31'
-     * });
-     * byProvider.forEach(p => console.log(p.provider, p.count));
-     * ```
-     */
-    getLoginsByProvider(orgSlug: string, params?: AnalyticsQuery): Promise<LoginsByProvider[]>;
-    /**
-     * Get the most recent login events.
-     *
-     * @param orgSlug Organization slug
-     * @param params Optional query parameters (limit)
-     * @returns Array of recent login events
-     *
-     * @example
-     * ```typescript
-     * const recentLogins = await sso.analytics.getRecentLogins('acme-corp', {
-     *   limit: 10
-     * });
-     * recentLogins.forEach(login => {
-     *   console.log(login.user_id, login.provider, login.created_at);
-     * });
-     * ```
-     */
-    getRecentLogins(orgSlug: string, params?: AnalyticsQuery): Promise<RecentLogin[]>;
-}
-
+/**
+ * Request to start passkey registration
+ */
+interface PasskeyRegisterStartRequest {
+    name?: string;
+}
+/**
+ * Response from starting passkey registration
+ */
+interface PasskeyRegisterStartResponse {
+    challenge_id: string;
+    options: any;
+}
+/**
+ * Request to finish passkey registration
+ */
+interface PasskeyRegisterFinishRequest {
+    challenge_id: string;
+    credential: RegistrationResponseJSON;
+}
+/**
+ * Response from finishing passkey registration
+ */
+interface PasskeyRegisterFinishResponse {
+    success: boolean;
+    passkey_id: string;
+}
+/**
+ * Request to start passkey authentication
+ */
+interface PasskeyAuthStartRequest {
+    email: string;
+}
+/**
+ * Response from starting passkey authentication
+ */
+interface PasskeyAuthStartResponse {
+    challenge_id: string;
+    options: any;
+}
+/**
+ * Request to finish passkey authentication
+ */
+interface PasskeyAuthFinishRequest {
+    challenge_id: string;
+    credential: AuthenticationResponseJSON;
+}
+/**
+ * Response from finishing passkey authentication
+ */
+interface PasskeyAuthFinishResponse {
+    token: string;
+    user_id: string;
+    device_trust_token?: string;
+}
+/**
+ * JSON-serializable version of WebAuthn registration response
+ */
+interface RegistrationResponseJSON {
+    id: string;
+    rawId: string;
+    response: {
+        clientDataJSON: string;
+        attestationObject: string;
+        transports?: string[];
+    };
+    authenticatorAttachment?: 'platform' | 'cross-platform';
+    clientExtensionResults: Record<string, unknown>;
+    type: 'public-key';
+}
+/**
+ * JSON-serializable version of WebAuthn authentication response
+ */
+interface AuthenticationResponseJSON {
+    id: string;
+    rawId: string;
+    response: {
+        clientDataJSON: string;
+        authenticatorData: string;
+        signature: string;
+        userHandle?: string;
+    };
+    authenticatorAttachment?: 'platform' | 'cross-platform';
+    clientExtensionResults: Record<string, unknown>;
+    type: 'public-key';
+}
+/**
+ * Passkey information
+ */
+interface Passkey {
+    id: string;
+    user_id: string;
+    credential_id: string;
+    name: string;
+    aaguid?: string;
+    backup_eligible: boolean;
+    backup_state: boolean;
+    transports?: string;
+    last_used_at?: string;
+    created_at: string;
+}
+
+/**
+ * Privacy and GDPR compliance types
+ */
+/**
+ * User membership export data
+ */
+interface MembershipExport {
+    organization_id: string;
+    organization_slug: string;
+    role: string;
+    joined_at: string;
+}
+/**
+ * Login event export data
+ */
+interface LoginEventExport {
+    id: string;
+    timestamp: string;
+    ip_address: string | null;
+    user_agent: string | null;
+    provider: string | null;
+    success: boolean;
+    risk_score: number | null;
+    risk_factors: string | null;
+    geo_country: string | null;
+    geo_city: string | null;
+}
+/**
+ * OAuth identity export data
+ */
+interface OAuthIdentityExport {
+    provider: string;
+    provider_user_id: string;
+    linked_at: string;
+}
+/**
+ * MFA event export data
+ */
+interface MfaEventExport {
+    event_type: string;
+    timestamp: string;
+    success: boolean;
+}
+/**
+ * Passkey export data
+ */
+interface PasskeyExport {
+    id: string;
+    name: string | null;
+    aaguid: string | null;
+    backup_eligible: boolean;
+    created_at: string;
+    last_used_at: string | null;
+}
+/**
+ * Complete user data export response (GDPR Right to Access)
+ */
+interface ExportUserDataResponse {
+    user_id: string;
+    email: string;
+    created_at: string;
+    memberships: MembershipExport[];
+    login_events_count: number;
+    login_events: LoginEventExport[];
+    oauth_identities: OAuthIdentityExport[];
+    mfa_events: MfaEventExport[];
+    passkeys: PasskeyExport[];
+}
+/**
+ * User anonymization response (GDPR Right to be Forgotten)
+ */
+interface ForgetUserResponse {
+    success: boolean;
+    message: string;
+    user_id: string;
+}
+
+/**
+ * SIEM (Security Information and Event Management) types
+ */
+/**
+ * SIEM provider types
+ */
+type SiemProviderType = 'Datadog' | 'Splunk' | 'Elastic' | 'Custom';
+/**
+ * SIEM configuration response
+ */
+interface SiemConfigResponse {
+    id: string;
+    org_id: string;
+    name: string;
+    provider_type: SiemProviderType;
+    endpoint_url: string;
+    batch_size: number;
+    enabled: boolean;
+    last_successful_batch_at: string | null;
+    failure_count: number;
+    created_at: string;
+}
+/**
+ * Create SIEM configuration request
+ */
+interface CreateSiemConfigRequest {
+    name: string;
+    provider_type: SiemProviderType;
+    endpoint_url: string;
+    api_key?: string;
+    auth_header?: string;
+    batch_size?: number;
+}
+/**
+ * Update SIEM configuration request
+ */
+interface UpdateSiemConfigRequest {
+    name?: string;
+    endpoint_url?: string;
+    api_key?: string | null;
+    auth_header?: string | null;
+    batch_size?: number;
+    enabled?: boolean;
+}
+/**
+ * List SIEM configurations response
+ */
+interface ListSiemConfigsResponse {
+    siem_configs: SiemConfigResponse[];
+    total: number;
+}
+/**
+ * Test SIEM connection response
+ */
+interface TestConnectionResponse {
+    success: boolean;
+    message: string;
+}
+
+interface SessionConfig {
+    storageKeyPrefix?: string;
+    autoRefresh?: boolean;
+}
+declare class SessionManager {
+    private storage;
+    private refreshHandler;
+    private config;
+    private accessToken;
+    private refreshToken;
+    private refreshPromise;
+    private listeners;
+    constructor(storage: TokenStorage, refreshHandler: (token: string) => Promise<RefreshTokenResponse>, config?: SessionConfig);
+    /**
+     * Initialize session from storage
+     */
+    loadSession(): Promise<void>;
+    /**
+     * Set the session data (used after login/register)
+     */
+    setSession(tokens: {
+        access_token: string;
+        refresh_token?: string;
+    }): Promise<void>;
+    /**
+     * Clear session (logout)
+     */
+    clearSession(): Promise<void>;
+    /**
+     * Get the current access token, refreshing it if necessary/possible
+     */
+    getToken(): Promise<string | null>;
+    /**
+     * Handle logic for when a 401 occurs
+     */
+    refreshSession(): Promise<string>;
+    isAuthenticated(): boolean;
+    /**
+     * Subscribe to auth state changes (useful for UI updates)
+     */
+    subscribe(listener: (isAuthenticated: boolean) => void): () => void;
+    private notifyListeners;
+}
+
+/**
+ * HTTP response wrapper
+ */
+interface HttpResponse<T = any> {
+    data: T;
+    status: number;
+    headers: Headers;
+}
+/**
+ * HTTP client defaults
+ */
+interface HttpDefaults {
+    baseURL: string;
+    headers: {
+        common: Record<string, string>;
+    };
+    timeout: number;
+}
+/**
+ * Custom HTTP client using native fetch API.
+ * Provides an interface similar to Axios for easy migration.
+ */
+declare class HttpClient {
+    defaults: HttpDefaults;
+    private sessionManager?;
+    constructor(baseURL: string);
+    /**
+     * Allow injecting session manager after construction to avoid circular dep
+     */
+    setSessionManager(manager: SessionManager): void;
+    /**
+     * Build query string from params object
+     */
+    private buildQueryString;
+    /**
+     * Build full URL from path and params
+     */
+    private buildUrl;
+    /**
+     * Make HTTP request with timeout support
+     */
+    private request;
+    /**
+     * GET request
+     */
+    get<T = any>(path: string, config?: {
+        params?: Record<string, any>;
+        headers?: Record<string, string>;
+    }): Promise<HttpResponse<T>>;
+    /**
+     * POST request
+     */
+    post<T = any>(path: string, data?: any, config?: {
+        headers?: Record<string, string>;
+    }): Promise<HttpResponse<T>>;
+    /**
+     * PUT request
+     */
+    put<T = any>(path: string, data?: any, config?: {
+        headers?: Record<string, string>;
+    }): Promise<HttpResponse<T>>;
+    /**
+     * PATCH request
+     */
+    patch<T = any>(path: string, data?: any, config?: {
+        headers?: Record<string, string>;
+    }): Promise<HttpResponse<T>>;
+    /**
+     * DELETE request
+     */
+    delete<T = any>(path: string, config?: {
+        headers?: Record<string, string>;
+    }): Promise<HttpResponse<T>>;
+}
+
+/**
+ * Analytics and login tracking methods
+ */
+declare class AnalyticsModule {
+    private http;
+    constructor(http: HttpClient);
+    /**
+     * Get login trends over time.
+     * Returns daily login counts grouped by date.
+     *
+     * @param orgSlug Organization slug
+     * @param params Optional query parameters (date range)
+     * @returns Array of login trend data points
+     *
+     * @example
+     * ```typescript
+     * const trends = await sso.analytics.getLoginTrends('acme-corp', {
+     *   start_date: '2025-01-01',
+     *   end_date: '2025-01-31'
+     * });
+     * trends.forEach(point => console.log(point.date, point.count));
+     * ```
+     */
+    getLoginTrends(orgSlug: string, params?: AnalyticsQuery): Promise<LoginTrendPoint[]>;
+    /**
+     * Get login counts grouped by service.
+     * Shows which services have the most authentication activity.
+     *
+     * @param orgSlug Organization slug
+     * @param params Optional query parameters (date range)
+     * @returns Array of login counts per service
+     *
+     * @example
+     * ```typescript
+     * const byService = await sso.analytics.getLoginsByService('acme-corp', {
+     *   start_date: '2025-01-01',
+     *   end_date: '2025-01-31'
+     * });
+     * byService.forEach(s => console.log(s.service_name, s.count));
+     * ```
+     */
+    getLoginsByService(orgSlug: string, params?: AnalyticsQuery): Promise<LoginsByService[]>;
+    /**
+     * Get login counts grouped by OAuth provider.
+     * Shows which authentication providers are being used (GitHub, Google, Microsoft).
+     *
+     * @param orgSlug Organization slug
+     * @param params Optional query parameters (date range)
+     * @returns Array of login counts per provider
+     *
+     * @example
+     * ```typescript
+     * const byProvider = await sso.analytics.getLoginsByProvider('acme-corp', {
+     *   start_date: '2025-01-01',
+     *   end_date: '2025-01-31'
+     * });
+     * byProvider.forEach(p => console.log(p.provider, p.count));
+     * ```
+     */
+    getLoginsByProvider(orgSlug: string, params?: AnalyticsQuery): Promise<LoginsByProvider[]>;
+    /**
+     * Get the most recent login events.
+     *
+     * @param orgSlug Organization slug
+     * @param params Optional query parameters (limit)
+     * @returns Array of recent login events
+     *
+     * @example
+     * ```typescript
+     * const recentLogins = await sso.analytics.getRecentLogins('acme-corp', {
+     *   limit: 10
+     * });
+     * recentLogins.forEach(login => {
+     *   console.log(login.user_id, login.provider, login.created_at);
+     * });
+     * ```
+     */
+    getRecentLogins(orgSlug: string, params?: AnalyticsQuery): Promise<RecentLogin[]>;
+}
+
 /**
  * Authentication and OAuth flow methods
  */
 declare class AuthModule {
     private http;
-    constructor(http: HttpClient);
+    private session;
+    constructor(http: HttpClient, session: SessionManager);
     /**
      * Constructs the OAuth login URL for end-users.
      * This does not perform the redirect; the consuming application
      * should redirect the user's browser to this URL.
      *
      * @param provider The OAuth provider to use
-     * @param params Login parameters (org, service, redirect_uri)
+     * @param params Login parameters (org, service, redirect_uri, connection_id)
      * @returns The full URL to redirect the user to
      *
      * @example
      * ```typescript
+     * // Standard OAuth login
      * const url = sso.auth.getLoginUrl('github', {
      *   org: 'acme-corp',
      *   service: 'main-app',
      *   redirect_uri: 'https://app.acme.com/callback'
      * });
      * window.location.href = url;
+     *
+     * // Enterprise IdP login (after HRD lookup)
+     * const hrd = await sso.auth.lookupEmail('user@enterprise.com');
+     * if (hrd.connection_id) {
+     *   const url = sso.auth.getLoginUrl('github', {
+     *     org: 'acme-corp',
+     *     service: 'main-app',
+     *     connection_id: hrd.connection_id
+     *   });
+     *   window.location.href = url;
+     * }
      * ```
      */
     getLoginUrl(provider: OAuthProvider, params: LoginUrlParams): string;
@@ -1438,6 +2316,9 @@ declare class AuthModule {
         /**
          * Exchange a device code for a JWT token.
          * This should be polled by the device/CLI after displaying the user code.
+         * Note: This returns a TokenResponse (not RefreshTokenResponse) and typically
+         * only includes access_token. For device flows that need persistence,
+         * manually call sso.session.setSession() if needed.
          *
          * @param payload Token request payload
          * @returns Token response with JWT
@@ -1453,7 +2334,7 @@ declare class AuthModule {
          *       client_id: 'service-client-id'
          *     });
          *     clearInterval(interval);
-         *     sso.setAuthToken(token.access_token);
+         *     // Session is automatically configured
          *   } catch (error) {
          *     if (error.errorCode !== 'authorization_pending') {
          *       clearInterval(interval);
@@ -1467,15 +2348,12 @@ declare class AuthModule {
     };
     /**
      * Logout the current user by revoking their JWT.
-     * After calling this, you should clear the token from storage
-     * and call `sso.setAuthToken(null)`.
+     * Automatically clears the session and tokens from storage.
      *
      * @example
      * ```typescript
      * await sso.auth.logout();
-     * sso.setAuthToken(null);
-     * localStorage.removeItem('sso_access_token');
-     * localStorage.removeItem('sso_refresh_token');
+     * // Session is automatically cleared - no need for manual cleanup
      * ```
      */
     logout(): Promise<void>;
@@ -1536,10 +2414,21 @@ declare class AuthModule {
      * ```
      */
     register(payload: RegisterRequest): Promise<RegisterResponse>;
+    /**
+     * Verify an email address using the token from the verification email.
+     *
+     * @param token Verification token
+     * @returns HTML success page string
+     *
+     * @example
+     * ```typescript
+     * const html = await sso.auth.verifyEmail('token-from-email');
+     * ```
+     */
+    verifyEmail(token: string): Promise<string>;
     /**
      * Login with email and password.
-     * Returns access token and refresh token on successful authentication.
-     * The user's email must be verified before login.
+     * Automatically persists the session and configures the client.
      *
      * @param payload Login credentials (email and password)
      * @returns Access token, refresh token, and expiration info
@@ -1550,9 +2439,7 @@ declare class AuthModule {
      *   email: 'user@example.com',
      *   password: 'SecurePassword123!'
      * });
-     * sso.setAuthToken(tokens.access_token);
-     * localStorage.setItem('sso_access_token', tokens.access_token);
-     * localStorage.setItem('sso_refresh_token', tokens.refresh_token);
+     * // Session is automatically saved - no need for manual token management
      * ```
      */
     login(payload: LoginRequest): Promise<RefreshTokenResponse>;
@@ -1561,6 +2448,7 @@ declare class AuthModule {
      * This method should be called after login when the user has MFA enabled.
      * The login will return a pre-auth token with a short expiration (5 minutes).
      * Exchange the pre-auth token and TOTP code for a full session.
+     * Automatically persists the session after successful MFA verification.
      *
      * @param preauthToken The pre-authentication token received from login
      * @param code The TOTP code from the user's authenticator app or a backup code
@@ -1579,9 +2467,7 @@ declare class AuthModule {
      *   // User needs to provide MFA code
      *   const mfaCode = prompt('Enter your 6-digit code from authenticator app');
      *   const tokens = await sso.auth.verifyMfa(loginResponse.access_token, mfaCode);
-     *   sso.setAuthToken(tokens.access_token);
-     *   localStorage.setItem('sso_access_token', tokens.access_token);
-     *   localStorage.setItem('sso_refresh_token', tokens.refresh_token);
+     *   // Session is automatically saved - no need for manual token management
      * }
      * ```
      */
@@ -1620,6 +2506,44 @@ declare class AuthModule {
      * ```
      */
     resetPassword(payload: ResetPasswordRequest): Promise<ResetPasswordResponse>;
+    /**
+     * Lookup an email address to determine which authentication method to use.
+     * This implements Home Realm Discovery (HRD), allowing users to simply enter
+     * their email address and be automatically routed to the correct identity provider.
+     *
+     * The system will:
+     * 1. Extract the domain from the email address
+     * 2. Check if the domain is verified and mapped to an enterprise IdP
+     * 3. Return routing information (connection_id) if found
+     * 4. Otherwise, indicate to use default authentication (password or OAuth)
+     *
+     * @param email The user's email address
+     * @returns HRD response with routing information
+     *
+     * @example
+     * ```typescript
+     * // Lookup email to determine authentication flow
+     * const result = await sso.auth.lookupEmail('john@acmecorp.com');
+     *
+     * if (result.auth_method === 'upstream' && result.connection_id) {
+     *   // Route to enterprise IdP
+     *   console.log(`Redirecting to ${result.provider_name}`);
+     *   const url = sso.auth.getLoginUrl('github', {
+     *     org: 'acme-corp',
+     *     service: 'main-app',
+     *     connection_id: result.connection_id
+     *   });
+     *   window.location.href = url;
+     * } else if (result.auth_method === 'password') {
+     *   // Show password login form
+     *   showPasswordForm();
+     * } else {
+     *   // Show default OAuth provider buttons (GitHub, Google, Microsoft)
+     *   showOAuthButtons();
+     * }
+     * ```
+     */
+    lookupEmail(email: string): Promise<LookupEmailResponse>;
 }
 
 /**
@@ -1739,6 +2663,100 @@ declare class MfaModule {
      */
     regenerateBackupCodes(): Promise<BackupCodesResponse>;
 }
+/**
+ * Device management methods
+ */
+declare class DevicesModule {
+    private http;
+    constructor(http: HttpClient);
+    /**
+     * List all devices associated with the authenticated user.
+     *
+     * @param options Optional query parameters for pagination
+     * @returns Array of user devices
+     *
+     * @example
+     * ```typescript
+     * const { devices, total } = await sso.user.devices.list();
+     * console.log(devices); // Array of trusted devices
+     * ```
+     */
+    list(options?: {
+        page?: number;
+        limit?: number;
+        sort_by?: 'first_seen_at' | 'last_used_at' | 'device_name';
+        sort_order?: 'asc' | 'desc';
+    }): Promise<ListDevicesResponse>;
+    /**
+     * Get details for a specific device.
+     *
+     * @param deviceId The device ID to retrieve
+     * @returns Device details
+     *
+     * @example
+     * ```typescript
+     * const device = await sso.user.devices.get('device-123');
+     * console.log(device.device_name, device.is_trusted);
+     * ```
+     */
+    get(deviceId: string): Promise<UserDevice>;
+    /**
+     * Revoke access for a specific device.
+     * This will remove the device's trust and require re-authentication.
+     *
+     * @param deviceId The device ID to revoke
+     * @param reason Optional reason for revocation
+     * @returns Confirmation message
+     *
+     * @example
+     * ```typescript
+     * const result = await sso.user.devices.revoke('device-123', 'Device lost');
+     * console.log(result.message);
+     * ```
+     */
+    revoke(deviceId: string, reason?: string): Promise<RevokeDeviceResponse>;
+    /**
+     * Revoke all devices except the current one.
+     * This is useful when you suspect account compromise or want to force re-authentication on all devices.
+     *
+     * @returns Confirmation message
+     *
+     * @example
+     * ```typescript
+     * const result = await sso.user.devices.revokeAll();
+     * console.log(result.message); // "All other devices have been revoked"
+     * ```
+     */
+    revokeAll(): Promise<RevokeDeviceResponse>;
+    /**
+     * Update the name of a device.
+     *
+     * @param deviceId The device ID to update
+     * @param deviceName New device name
+     * @returns Updated device information
+     *
+     * @example
+     * ```typescript
+     * const device = await sso.user.devices.updateName('device-123', 'My Laptop');
+     * console.log(device.device_name); // "My Laptop"
+     * ```
+     */
+    updateName(deviceId: string, deviceName: string): Promise<UserDevice>;
+    /**
+     * Mark a device as trusted manually.
+     * This is useful for devices that you want to explicitly trust regardless of risk assessment.
+     *
+     * @param deviceId The device ID to trust
+     * @returns Updated device information
+     *
+     * @example
+     * ```typescript
+     * const device = await sso.user.devices.trust('device-123');
+     * console.log(device.is_trusted); // true
+     * ```
+     */
+    trust(deviceId: string): Promise<UserDevice>;
+}
 /**
  * User profile and subscription methods
  */
@@ -1746,6 +2764,7 @@ declare class UserModule {
     private http;
     readonly identities: IdentitiesModule;
     readonly mfa: MfaModule;
+    readonly devices: DevicesModule;
     constructor(http: HttpClient);
     /**
      * Get the profile of the currently authenticated user.
@@ -2132,6 +3151,28 @@ declare class OrganizationsModule {
      * ```
      */
     delete(orgSlug: string): Promise<void>;
+    /**
+     * SCIM token management methods
+     */
+    scim: {
+        /**
+         * Create a new SCIM token.
+         * The token is only returned once upon creation.
+         */
+        createToken: (orgSlug: string, payload: CreateScimTokenRequest) => Promise<ScimTokenResponse>;
+        /**
+         * List all SCIM tokens.
+         */
+        listTokens: (orgSlug: string) => Promise<ListScimTokensResponse>;
+        /**
+         * Revoke a SCIM token.
+         */
+        revokeToken: (orgSlug: string, tokenId: string) => Promise<void>;
+        /**
+         * Delete a SCIM token.
+         */
+        deleteToken: (orgSlug: string, tokenId: string) => Promise<void>;
+    };
     /**
      * Member management methods
      */
@@ -2150,6 +3191,16 @@ declare class OrganizationsModule {
          * ```
          */
         list: (orgSlug: string) => Promise<MemberListResponse>;
+        /**
+         * Add a member to the organization (Invite + Accept).
+         * This is a convenience method that creates an invitation and immediately accepts it.
+         * Useful for testing and admin operations.
+         *
+         * @param orgSlug Organization slug
+         * @param payload Member details (email, role)
+         * @returns The created invitation
+         */
+        add: (orgSlug: string, payload: CreateInvitationPayload) => Promise<Invitation>;
         /**
          * Update a member's role.
          * Requires 'owner' role.
@@ -2473,6 +3524,170 @@ declare class OrganizationsModule {
      * ```
      */
     getPublicBranding(orgSlug: string): Promise<BrandingConfiguration>;
+    /**
+     * Risk settings management methods
+     */
+    riskSettings: {
+        /**
+         * Get risk settings for an organization.
+         * Requires 'owner' or 'admin' role.
+         *
+         * @param orgSlug Organization slug
+         * @returns Risk settings configuration
+         *
+         * @example
+         * ```typescript
+         * const settings = await sso.organizations.riskSettings.get('acme-corp');
+         * console.log('Enforcement mode:', settings.enforcement_mode);
+         * console.log('Low threshold:', settings.low_threshold);
+         * ```
+         */
+        get: (orgSlug: string) => Promise<GetRiskSettingsResponse>;
+        /**
+         * Update risk settings for an organization.
+         * Requires 'owner' or 'admin' role.
+         *
+         * @param orgSlug Organization slug
+         * @param payload Risk settings update payload
+         * @returns Updated risk settings
+         *
+         * @example
+         * ```typescript
+         * const result = await sso.organizations.riskSettings.update('acme-corp', {
+         *   enforcement_mode: 'challenge',
+         *   low_threshold: 30,
+         *   medium_threshold: 70,
+         *   new_device_score: 20,
+         *   impossible_travel_score: 50
+         * });
+         * console.log(result.message);
+         * ```
+         */
+        update: (orgSlug: string, payload: UpdateRiskSettingsRequest) => Promise<UpdateRiskSettingsResponse>;
+        /**
+         * Reset risk settings to default values.
+         * Requires 'owner' or 'admin' role.
+         *
+         * @param orgSlug Organization slug
+         * @returns Reset confirmation with default values
+         *
+         * @example
+         * ```typescript
+         * const result = await sso.organizations.riskSettings.reset('acme-corp');
+         * console.log('Risk settings reset to defaults');
+         * ```
+         */
+        reset: (orgSlug: string) => Promise<UpdateRiskSettingsResponse>;
+    };
+    /**
+     * SIEM (Security Information and Event Management) configuration methods
+     */
+    siem: {
+        /**
+         * Create a new SIEM configuration.
+         * Requires 'owner' or 'admin' role.
+         *
+         * @param orgSlug Organization slug
+         * @param payload SIEM configuration payload
+         * @returns Created SIEM configuration
+         *
+         * @example
+         * ```typescript
+         * const config = await sso.organizations.siem.create('acme-corp', {
+         *   name: 'Datadog Integration',
+         *   provider_type: 'Datadog',
+         *   endpoint_url: 'https://http-intake.logs.datadoghq.com/v1/input',
+         *   api_key: 'dd-api-key',
+         *   batch_size: 100
+         * });
+         * ```
+         */
+        create: (orgSlug: string, payload: CreateSiemConfigRequest) => Promise<SiemConfigResponse>;
+        /**
+         * List all SIEM configurations for an organization.
+         * Requires 'owner' or 'admin' role.
+         *
+         * @param orgSlug Organization slug
+         * @returns List of SIEM configurations
+         *
+         * @example
+         * ```typescript
+         * const result = await sso.organizations.siem.list('acme-corp');
+         * console.log(`Total SIEM configs: ${result.total}`);
+         * result.siem_configs.forEach(config => {
+         *   console.log(config.name, config.provider_type, config.enabled);
+         * });
+         * ```
+         */
+        list: (orgSlug: string) => Promise<ListSiemConfigsResponse>;
+        /**
+         * Get a specific SIEM configuration.
+         * Requires 'owner' or 'admin' role.
+         *
+         * @param orgSlug Organization slug
+         * @param configId SIEM configuration ID
+         * @returns SIEM configuration
+         *
+         * @example
+         * ```typescript
+         * const config = await sso.organizations.siem.get('acme-corp', 'config-id');
+         * console.log(config.name, config.endpoint_url);
+         * ```
+         */
+        get: (orgSlug: string, configId: string) => Promise<SiemConfigResponse>;
+        /**
+         * Update a SIEM configuration.
+         * Requires 'owner' or 'admin' role.
+         *
+         * @param orgSlug Organization slug
+         * @param configId SIEM configuration ID
+         * @param payload Update payload
+         * @returns Updated SIEM configuration
+         *
+         * @example
+         * ```typescript
+         * const updated = await sso.organizations.siem.update('acme-corp', 'config-id', {
+         *   enabled: false,
+         *   batch_size: 200
+         * });
+         * ```
+         */
+        update: (orgSlug: string, configId: string, payload: UpdateSiemConfigRequest) => Promise<SiemConfigResponse>;
+        /**
+         * Delete a SIEM configuration.
+         * Requires 'owner' or 'admin' role.
+         *
+         * @param orgSlug Organization slug
+         * @param configId SIEM configuration ID
+         *
+         * @example
+         * ```typescript
+         * await sso.organizations.siem.delete('acme-corp', 'config-id');
+         * console.log('SIEM configuration deleted');
+         * ```
+         */
+        delete: (orgSlug: string, configId: string) => Promise<void>;
+        /**
+         * Test connection to a SIEM endpoint.
+         * Sends a test event to verify the configuration.
+         * Requires 'owner' or 'admin' role.
+         *
+         * @param orgSlug Organization slug
+         * @param configId SIEM configuration ID
+         * @returns Test result
+         *
+         * @example
+         * ```typescript
+         * const result = await sso.organizations.siem.test('acme-corp', 'config-id');
+         * if (result.success) {
+         *   console.log('Connection successful:', result.message);
+         * } else {
+         *   console.error('Connection failed:', result.message);
+         * }
+         * ```
+         */
+        test: (orgSlug: string, configId: string) => Promise<TestConnectionResponse>;
+    };
 }
 
 /**
@@ -2530,7 +3745,7 @@ declare class ServicesModule {
      * console.log(service.plans);
      * ```
      */
-    get(orgSlug: string, serviceSlug: string): Promise<ServiceResponse>;
+    get(orgSlug: string, serviceSlug: string): Promise<Service>;
     /**
      * Update service configuration.
      * Requires 'owner' or 'admin' role.
@@ -2807,6 +4022,21 @@ declare class ServicesModule {
          * ```
          */
         deleteConfig: (orgSlug: string, serviceSlug: string) => Promise<ConfigureSamlResponse>;
+        /**
+         * Initiate an IdP-initiated SAML login.
+         * Returns an HTML page with an auto-submitting form that POSTs the SAML assertion to the Service Provider.
+         *
+         * @param orgSlug Organization slug
+         * @param serviceSlug Service slug
+         * @returns HTML page with auto-submitting form
+         *
+         * @example
+         * ```typescript
+         * const html = await sso.services.saml.initiateLogin('acme-corp', 'salesforce');
+         * document.body.innerHTML = html; // Auto-submits
+         * ```
+         */
+        initiateLogin: (orgSlug: string, serviceSlug: string) => Promise<string>;
         /**
          * Generate a new SAML signing certificate for the IdP.
          * Requires 'owner' or 'admin' role.
@@ -2888,6 +4118,35 @@ declare class ServicesModule {
          */
         getSsoUrl: (baseURL: string, orgSlug: string, serviceSlug: string) => string;
     };
+    /**
+     * Stripe billing and checkout methods
+     */
+    billing: {
+        /**
+         * Create a Stripe checkout session for the authenticated user to subscribe to a plan.
+         * Requires organization membership.
+         *
+         * IMPORTANT: The plan must have a `stripe_price_id` configured to be available for purchase.
+         *
+         * @param orgSlug Organization slug
+         * @param serviceSlug Service slug
+         * @param payload Checkout payload containing plan_id and redirect URLs
+         * @returns Checkout session with URL to redirect user to
+         *
+         * @example
+         * ```typescript
+         * const checkout = await sso.services.billing.createCheckout('acme-corp', 'main-app', {
+         *   plan_id: 'plan_pro',
+         *   success_url: 'https://app.acme.com/billing/success?session_id={CHECKOUT_SESSION_ID}',
+         *   cancel_url: 'https://app.acme.com/billing/cancel'
+         * });
+         *
+         * // Redirect user to Stripe checkout
+         * window.location.href = checkout.checkout_url;
+         * ```
+         */
+        createCheckout: (orgSlug: string, serviceSlug: string, payload: CreateCheckoutPayload) => Promise<CreateCheckoutResponse>;
+    };
 }
 
 /**
@@ -2907,7 +4166,7 @@ declare class InvitationsModule {
      * @example
      * ```typescript
      * const invitation = await sso.invitations.create('acme-corp', {
-     *   invitee_email: 'newuser@example.com',
+     *   email: 'newuser@example.com',
      *   role: 'member'
      * });
      * ```
@@ -3304,6 +4563,38 @@ declare class PlatformModule {
          */
         getRecentOrganizations: (params?: GetAuditLogParams) => Promise<RecentOrganization[]>;
     };
+    /**
+     * Impersonate a user (Platform Owner or Org Admin only).
+     * Returns a short-lived JWT (15 minutes) that allows acting as the target user.
+     *
+     * Security:
+     * - Platform Owners can impersonate any user
+     * - Organization Admins can only impersonate users within their organization
+     * - All impersonation actions are logged to the platform audit log with HIGH severity
+     * - Tokens contain RFC 8693 actor claim for full audit trail
+     *
+     * @param payload Impersonation details (user_id and reason)
+     * @returns Impersonation token and user context
+     *
+     * @example
+     * ```typescript
+     * const result = await sso.platform.impersonateUser({
+     *   user_id: 'user-uuid-123',
+     *   reason: 'Investigating support ticket #456'
+     * });
+     *
+     * // Use the returned token to create a new client acting as the user
+     * const userClient = new SsoClient({
+     *   baseURL: 'https://sso.example.com',
+     *   token: result.token
+     * });
+     *
+     * // Now all requests with userClient are made as the target user
+     * const profile = await userClient.user.getProfile();
+     * console.log('Acting as:', result.target_user.email);
+     * ```
+     */
+    impersonateUser(payload: ImpersonateRequest): Promise<ImpersonateResponse>;
 }
 
 /**
@@ -3369,9 +4660,31 @@ interface ServiceApiInfo {
     service_type: string;
     created_at: string;
 }
+/**
+ * Response for list users endpoint
+ */
+interface ListUsersResponse {
+    users: ServiceApiUser[];
+    total: number;
+}
+/**
+ * Response for list subscriptions endpoint
+ */
+interface ListSubscriptionsResponse {
+    subscriptions: ServiceApiSubscription[];
+    total: number;
+}
+/**
+ * Service analytics response
+ */
+interface ServiceAnalytics {
+    total_users: number;
+    active_subscriptions: number;
+    [key: string]: any;
+}
 /**
  * Service API module for API key-based service-to-service operations.
- * Provides write operations for managing users, subscriptions, and service configuration.
+ * Provides operations for managing users, subscriptions, and service configuration.
  *
  * @example
  * ```typescript
@@ -3380,6 +4693,9 @@ interface ServiceApiInfo {
  *   apiKey: 'sk_live_abcd1234...'
  * });
  *
+ * // List users
+ * const { users, total } = await sso.serviceApi.listUsers({ limit: 50 });
+ *
  * // Create a user
  * const user = await sso.serviceApi.createUser({ email: 'user@example.com' });
  *
@@ -3397,6 +4713,58 @@ interface ServiceApiInfo {
 declare class ServiceApiModule {
     private http;
     constructor(http: HttpClient);
+    /**
+     * List all users for the service
+     * Requires 'read:users' permission on the API key
+     *
+     * @param params Optional pagination parameters
+     * @returns List of users with total count
+     */
+    listUsers(params?: {
+        limit?: number;
+        offset?: number;
+    }): Promise<ListUsersResponse>;
+    /**
+     * Get a specific user by ID
+     * Requires 'read:users' permission on the API key
+     *
+     * @param userId User ID to retrieve
+     * @returns User details
+     */
+    getUser(userId: string): Promise<ServiceApiUser>;
+    /**
+     * List all subscriptions for the service
+     * Requires 'read:subscriptions' permission on the API key
+     *
+     * @param params Optional pagination parameters
+     * @returns List of subscriptions with total count
+     */
+    listSubscriptions(params?: {
+        limit?: number;
+        offset?: number;
+    }): Promise<ListSubscriptionsResponse>;
+    /**
+     * Get subscription for a specific user
+     * Requires 'read:subscriptions' permission on the API key
+     *
+     * @param userId User ID whose subscription to retrieve
+     * @returns User's subscription
+     */
+    getSubscription(userId: string): Promise<ServiceApiSubscription>;
+    /**
+     * Get analytics for the service
+     * Requires 'read:analytics' permission on the API key
+     *
+     * @returns Service analytics data
+     */
+    getAnalytics(): Promise<ServiceAnalytics>;
+    /**
+     * Get service information
+     * Requires 'read:service' permission on the API key
+     *
+     * @returns Service information
+     */
+    getServiceInfo(): Promise<ServiceApiInfo>;
     /**
      * Create a new user
      * Requires 'write:users' permission on the API key
@@ -3455,6 +4823,463 @@ declare class ServiceApiModule {
     deleteSubscription(userId: string): Promise<void>;
 }
 
+/**
+ * Permission checking and management methods
+ *
+ * This module provides utilities for working with ReBAC (Relationship-Based Access Control)
+ * permissions. Permissions use Zanzibar-style relation tuples and are now fetched from the
+ * API instead of being embedded in JWT tokens (for improved security and smaller token size).
+ */
+declare class PermissionsModule {
+    private http;
+    constructor(http: HttpClient);
+    /**
+     * Check if user has a specific permission.
+     * Fetches from user profile API (which uses cached permissions).
+     *
+     * @param permission Permission in format "namespace:object_id#relation"
+     * @returns true if the permission is present
+     *
+     * @example
+     * ```typescript
+     * const hasAccess = await sso.permissions.hasPermission('organization:acme#owner');
+     * ```
+     */
+    hasPermission(permission: string): Promise<boolean>;
+    /**
+     * Get all user permissions.
+     * Fetches from user profile API (which uses cached permissions).
+     *
+     * @returns Array of permission strings
+     *
+     * @example
+     * ```typescript
+     * const permissions = await sso.permissions.listPermissions();
+     * // ["organization:acme#owner", "service:api#admin"]
+     * ```
+     */
+    listPermissions(): Promise<string[]>;
+    /**
+     * Check if user has access to a feature.
+     *
+     * @param feature Feature name to check
+     * @returns true if the feature is available
+     *
+     * @example
+     * ```typescript
+     * const canExport = await sso.permissions.hasFeature('advanced-export');
+     * ```
+     */
+    hasFeature(feature: string): Promise<boolean>;
+    /**
+     * Get current plan name.
+     *
+     * @returns Current plan name or null if not in org/service context
+     *
+     * @example
+     * ```typescript
+     * const plan = await sso.permissions.getPlan();
+     * console.log(plan); // "pro", "enterprise", etc.
+     * ```
+     */
+    getPlan(): Promise<string | null>;
+    /**
+     * Check if user has a specific permission on a resource.
+     *
+     * @param namespace The permission namespace (e.g., "organization", "service")
+     * @param objectId The object ID (e.g., organization slug, service slug)
+     * @param relation The relation type (e.g., "owner", "admin", "member")
+     * @returns true if the user has the permission
+     *
+     * @example
+     * ```typescript
+     * const isOwner = await sso.permissions.can('organization', 'acme-corp', 'owner');
+     * ```
+     */
+    can(namespace: string, objectId: string, relation: string): Promise<boolean>;
+    /**
+     * Check if user is a member of an organization.
+     *
+     * @param orgId The organization ID or slug
+     * @returns true if the user is a member
+     *
+     * @example
+     * ```typescript
+     * if (await sso.permissions.isOrgMember('acme-corp')) {
+     *   // User is a member
+     * }
+     * ```
+     */
+    isOrgMember(orgId: string): Promise<boolean>;
+    /**
+     * Check if user is an admin of an organization.
+     *
+     * @param orgId The organization ID or slug
+     * @returns true if the user is an admin
+     *
+     * @example
+     * ```typescript
+     * if (await sso.permissions.isOrgAdmin('acme-corp')) {
+     *   // User is an admin
+     * }
+     * ```
+     */
+    isOrgAdmin(orgId: string): Promise<boolean>;
+    /**
+     * Check if user is an owner of an organization.
+     *
+     * @param orgId The organization ID or slug
+     * @returns true if the user is an owner
+     *
+     * @example
+     * ```typescript
+     * if (await sso.permissions.isOrgOwner('acme-corp')) {
+     *   // User is an owner
+     * }
+     * ```
+     */
+    isOrgOwner(orgId: string): Promise<boolean>;
+    /**
+     * Check if user has access to a service.
+     *
+     * @param serviceId The service ID or slug
+     * @returns true if the user has access
+     *
+     * @example
+     * ```typescript
+     * if (await sso.permissions.hasServiceAccess('api-service')) {
+     *   // User has access to the service
+     * }
+     * ```
+     */
+    hasServiceAccess(serviceId: string): Promise<boolean>;
+    /**
+     * Filter permissions by namespace.
+     *
+     * @param namespace The namespace to filter by (e.g., "organization", "service")
+     * @returns Array of permissions matching the namespace
+     *
+     * @example
+     * ```typescript
+     * const orgPermissions = await sso.permissions.getPermissionsByNamespace('organization');
+     * ```
+     */
+    getPermissionsByNamespace(namespace: string): Promise<string[]>;
+    /**
+     * @deprecated Use `hasPermission()` instead (without token parameter)
+     * Decode a JWT token to extract claims (including permissions)
+     * Note: This does NOT verify the signature - it only decodes the payload
+     *
+     * @param token The JWT access token
+     * @returns The decoded JWT claims
+     * @throws Error if the token is malformed
+     */
+    decodeToken(token: string): JwtClaims;
+    /**
+     * @deprecated JWT tokens no longer contain permissions. Use `hasPermission(permission)` instead.
+     * Check if a JWT token contains a specific permission
+     *
+     * @param token The JWT access token (ignored)
+     * @param permission Permission in format "namespace:object_id#relation"
+     * @returns true if the permission is present in the token
+     */
+    hasPermissionFromToken(token: string, permission: string): boolean;
+    /**
+     * @deprecated JWT tokens no longer contain permissions. Use `can(namespace, objectId, relation)` instead.
+     * Check if a user has a specific permission on a resource
+     *
+     * @param token The JWT access token (ignored)
+     * @param namespace The permission namespace (e.g., "organization", "service")
+     * @param objectId The object ID (e.g., organization slug, service slug)
+     * @param relation The relation type (e.g., "owner", "admin", "member")
+     * @returns true if the user has the permission
+     */
+    canFromToken(token: string, namespace: string, objectId: string, relation: string): boolean;
+    /**
+     * @deprecated JWT tokens no longer contain permissions. Use `isOrgMember(orgId)` instead.
+     * Check if user is a member of an organization
+     *
+     * @param token The JWT access token (ignored)
+     * @param orgId The organization ID or slug
+     * @returns true if the user is a member
+     */
+    isOrgMemberFromToken(token: string, orgId: string): boolean;
+    /**
+     * @deprecated JWT tokens no longer contain permissions. Use `isOrgAdmin(orgId)` instead.
+     * Check if user is an admin of an organization
+     *
+     * @param token The JWT access token (ignored)
+     * @param orgId The organization ID or slug
+     * @returns true if the user is an admin
+     */
+    isOrgAdminFromToken(token: string, orgId: string): boolean;
+    /**
+     * @deprecated JWT tokens no longer contain permissions. Use `isOrgOwner(orgId)` instead.
+     * Check if user is an owner of an organization
+     *
+     * @param token The JWT access token (ignored)
+     * @param orgId The organization ID or slug
+     * @returns true if the user is an owner
+     */
+    isOrgOwnerFromToken(token: string, orgId: string): boolean;
+    /**
+     * @deprecated JWT tokens no longer contain permissions. Use `hasServiceAccess(serviceId)` instead.
+     * Check if user has access to a service
+     *
+     * @param token The JWT access token (ignored)
+     * @param serviceId The service ID or slug
+     * @returns true if the user has access
+     */
+    hasServiceAccessFromToken(token: string, serviceId: string): boolean;
+    /**
+     * @deprecated JWT tokens no longer contain permissions. Use `listPermissions()` instead.
+     * Get all permissions from a JWT token
+     *
+     * @param token The JWT access token
+     * @returns Array of permission strings, or empty array if none
+     */
+    getAllPermissionsFromToken(token: string): string[];
+    /**
+     * Parse a permission string into its components
+     *
+     * @param permission Permission string in format "namespace:object_id#relation"
+     * @returns Parsed permission components or null if invalid format
+     *
+     * @example
+     * ```typescript
+     * const parsed = sso.permissions.parsePermission('organization:acme#owner');
+     * // { namespace: 'organization', objectId: 'acme', relation: 'owner' }
+     * ```
+     */
+    parsePermission(permission: string): {
+        namespace: string;
+        objectId: string;
+        relation: string;
+    } | null;
+    /**
+     * @deprecated JWT tokens no longer contain permissions. Use `getPermissionsByNamespace(namespace)` instead.
+     * Filter permissions by namespace
+     *
+     * @param token The JWT access token (ignored)
+     * @param namespace The namespace to filter by (e.g., "organization", "service")
+     * @returns Array of permissions matching the namespace
+     */
+    getPermissionsByNamespaceFromToken(token: string, namespace: string): string[];
+}
+
+/**
+ * WebAuthn/Passkey authentication module
+ *
+ * Provides methods for registering and authenticating with FIDO2 passkeys.
+ * Requires a browser environment with WebAuthn support.
+ *
+ * @example
+ * ```typescript
+ * // Register a new passkey (requires authenticated session)
+ * await sso.passkeys.register();
+ *
+ * // Login with passkey
+ * const { token } = await sso.passkeys.login('user@example.com');
+ * sso.setToken(token);
+ * ```
+ */
+declare class PasskeysModule {
+    private http;
+    constructor(http: HttpClient);
+    /**
+     * Check if WebAuthn is supported in the current browser
+     */
+    isSupported(): boolean;
+    /**
+     * Check if platform authenticator (like Touch ID, Face ID, Windows Hello) is available
+     */
+    isPlatformAuthenticatorAvailable(): Promise<boolean>;
+    /**
+     * Register a new passkey for the authenticated user
+     *
+     * This method requires an authenticated session (JWT token must be set).
+     * It starts the WebAuthn registration ceremony, prompts the user to create
+     * a passkey using their device's authenticator (e.g., Touch ID, Face ID,
+     * Windows Hello, or hardware security key), and stores the credential.
+     *
+     * @param displayName Optional display name for the passkey
+     * @returns Promise resolving to the registered passkey ID
+     * @throws {Error} If WebAuthn is not supported or registration fails
+     *
+     * @example
+     * ```typescript
+     * try {
+     *   const passkeyId = await sso.passkeys.register('My MacBook Pro');
+     *   console.log('Passkey registered:', passkeyId);
+     * } catch (error) {
+     *   console.error('Passkey registration failed:', error);
+     * }
+     * ```
+     */
+    /**
+     * Start the passkey registration ceremony.
+     * returns the options required to create credentials in the browser.
+     */
+    registerStart(displayName?: string): Promise<PasskeyRegisterStartResponse>;
+    /**
+     * Finish the passkey registration ceremony.
+     * Verifies the credential created by the browser.
+     */
+    registerFinish(challengeId: string, credential: RegistrationResponseJSON): Promise<PasskeyRegisterFinishResponse>;
+    /**
+     * Register a new passkey for the authenticated user
+     * ...
+     */
+    register(displayName?: string): Promise<string>;
+    /**
+     * Authenticate with a passkey and obtain a JWT token
+     *
+     * This method prompts the user to authenticate using their passkey.
+     * Upon successful authentication, a JWT token is returned which can
+     * be used to make authenticated API requests.
+     *
+     * @param email User's email address
+     * @returns Promise resolving to authentication response with JWT token
+     * @throws {Error} If WebAuthn is not supported or authentication fails
+     *
+     * @example
+     * ```typescript
+     * try {
+     *   const { token, user_id } = await sso.passkeys.login('user@example.com');
+     *   sso.setToken(token);
+     *   console.log('Logged in as:', user_id);
+     * } catch (error) {
+     *   console.error('Passkey login failed:', error);
+     * }
+     * ```
+     */
+    /**
+     * Start the passkey authentication ceremony.
+     * Returns the options required to get credentials from the browser.
+     */
+    authenticateStart(email: string): Promise<PasskeyAuthStartResponse>;
+    /**
+     * Finish the passkey authentication ceremony.
+     * Verifies the assertion returned by the browser.
+     */
+    authenticateFinish(challengeId: string, credential: AuthenticationResponseJSON): Promise<PasskeyAuthFinishResponse>;
+    /**
+     * Authenticate with a passkey and obtain a JWT token
+     * ...
+     */
+    login(email: string): Promise<PasskeyAuthFinishResponse>;
+    /**
+     * Convert Base64URL string to Uint8Array
+     */
+    private base64UrlToUint8Array;
+    /**
+     * Convert Uint8Array to Base64URL string
+     */
+    private uint8ArrayToBase64Url;
+}
+
+/**
+ * Magic link request payload
+ */
+interface MagicLinkRequest {
+    /** Email address to send the magic link to */
+    email: string;
+    /** Optional organization context */
+    orgSlug?: string;
+}
+/**
+ * Magic link response
+ */
+interface MagicLinkResponse {
+    /** Success message */
+    message: string;
+}
+/**
+ * Magic links module for passwordless authentication
+ */
+declare class MagicLinks {
+    private http;
+    constructor(http: HttpClient);
+    /**
+     * Request a magic link to be sent to the user's email
+     *
+     * @param data Magic link request data
+     * @returns Promise resolving to magic link response
+     */
+    request(data: MagicLinkRequest): Promise<MagicLinkResponse>;
+    /**
+     * Verify a magic link token and complete authentication
+     * Note: This is typically handled by redirecting to the magic link URL
+     * The backend will handle verification and either redirect or return tokens
+     *
+     * @param token The magic link token to verify
+     * @param redirectUri Optional where to redirect after success
+     * @returns URL to redirect to for verification
+     */
+    getVerificationUrl(token: string, redirectUri?: string): string;
+    /**
+     * Verify a magic link token via API call
+     * This is an alternative to redirect-based verification
+     *
+     * @param token The magic link token
+     * @param redirectUri Optional redirect URI
+     * @returns Promise resolving to authentication response
+     */
+    verify(token: string, redirectUri?: string): Promise<any>;
+    /**
+     * Construct the complete magic link URL that would be sent via email
+     *
+     * @param token The magic link token
+     * @param redirectUri Optional redirect URI
+     * @returns Complete magic link URL
+     */
+    constructMagicLink(token: string, redirectUri?: string): string;
+}
+
+/**
+ * Privacy and GDPR compliance methods
+ */
+declare class PrivacyModule {
+    private http;
+    constructor(http: HttpClient);
+    /**
+     * Export all user data (GDPR Right to Access).
+     * Users can export their own data, or organization owners can export their members' data.
+     *
+     * @param userId User ID to export data for
+     * @returns Complete user data export including memberships, login events, identities, MFA events, and passkeys
+     *
+     * @example
+     * ```typescript
+     * const userData = await sso.privacy.exportData('user-id');
+     * console.log(`Exported ${userData.login_events_count} login events`);
+     * console.log(`User has ${userData.memberships.length} organization memberships`);
+     * ```
+     */
+    exportData(userId: string): Promise<ExportUserDataResponse>;
+    /**
+     * Anonymize user data (GDPR Right to be Forgotten).
+     * Requires organization owner permission for all organizations the user is a member of.
+     * Platform owners cannot be anonymized.
+     *
+     * This operation:
+     * - Soft-deletes the user account
+     * - Hard-deletes PII from identities and passkeys tables
+     * - Preserves audit logs for compliance
+     *
+     * @param userId User ID to anonymize
+     * @returns Anonymization confirmation response
+     *
+     * @example
+     * ```typescript
+     * const result = await sso.privacy.forgetUser('user-id');
+     * console.log(result.message);
+     * // "User data has been anonymized. PII has been removed while preserving audit logs."
+     * ```
+     */
+    forgetUser(userId: string): Promise<ForgetUserResponse>;
+}
+
 /**
  * Configuration options for the SSO client
  */
@@ -3471,6 +5296,15 @@ interface SsoClientOptions {
      * Optional API key for service-to-service authentication
      */
     apiKey?: string;
+    /**
+     * Custom storage provider (optional).
+     * Defaults to localStorage in browser, Memory in Node.
+     */
+    storage?: TokenStorage;
+    /**
+     * Prefix for storage keys. Default: 'sso_'
+     */
+    storagePrefix?: string;
 }
 /**
  * Main SSO client class.
@@ -3489,7 +5323,8 @@ interface SsoClientOptions {
  * ```
  */
 declare class SsoClient {
-    private http;
+    http: HttpClient;
+    private session;
     /**
      * Analytics and login tracking methods
      */
@@ -3522,6 +5357,22 @@ declare class SsoClient {
      * Service API methods (requires API key authentication)
      */
     readonly serviceApi: ServiceApiModule;
+    /**
+     * Permission checking and management methods
+     */
+    readonly permissions: PermissionsModule;
+    /**
+     * WebAuthn/Passkey authentication methods
+     */
+    readonly passkeys: PasskeysModule;
+    /**
+     * Magic link authentication methods
+     */
+    readonly magicLinks: MagicLinks;
+    /**
+     * Privacy and GDPR compliance methods
+     */
+    readonly privacy: PrivacyModule;
     constructor(options: SsoClientOptions);
     /**
      * Sets the JWT for all subsequent authenticated requests.
@@ -3559,6 +5410,34 @@ declare class SsoClient {
      * Gets the current base URL
      */
     getBaseURL(): string;
+    /**
+     * Check if the user is currently authenticated
+     */
+    isAuthenticated(): boolean;
+    /**
+     * Subscribe to authentication state changes.
+     * Useful for updating UI when login/logout/expiration occurs.
+     *
+     * @param listener Callback function that receives the authentication state
+     * @returns Unsubscribe function
+     *
+     * @example
+     * ```typescript
+     * const unsubscribe = sso.onAuthStateChange((isAuth) => {
+     *   console.log(isAuth ? 'User is logged in' : 'User is logged out');
+     * });
+     *
+     * // Later, to stop listening
+     * unsubscribe();
+     * ```
+     */
+    onAuthStateChange(listener: (isAuthenticated: boolean) => void): () => void;
+    /**
+     * Manually retrieve the current access token
+     *
+     * @returns The current access token, or null if not authenticated
+     */
+    getToken(): Promise<string | null>;
 }
 
 /**
@@ -3597,4 +5476,4 @@ declare class SsoApiError extends Error {
     isNotFound(): boolean;
 }
 
-export { type AcceptInvitationPayload, type AdminLoginUrlParams, type AnalyticsQuery, type ApiKey, type ApiKeyCreateResponse, type ApproveOrganizationPayload, type AuditLog, type AuditLogEntry, type AuditLogQueryParams, type AuditLogResponse, AuthModule, type BackupCodesResponse, type BrandingConfiguration, type ChangePasswordRequest, type ChangePasswordResponse, type ConfigureSamlPayload, type ConfigureSamlResponse, type CreateApiKeyPayload, type CreateInvitationPayload, type CreateOrganizationPayload, type CreateOrganizationResponse, type CreatePlanPayload, type CreateServicePayload, type CreateServiceResponse, type CreateWebhookRequest, type DeclineInvitationPayload, type DeviceCodeRequest, type DeviceCodeResponse, type DeviceVerifyResponse, type DomainConfiguration, type DomainVerificationMethod, type DomainVerificationResponse, type DomainVerificationResult, type EndUser, type EndUserDetailResponse, type EndUserIdentity, type EndUserListResponse, type EndUserSubscription, type EventTypeInfo, type ForgotPasswordRequest, type ForgotPasswordResponse, type GetAuditLogParams, type GrowthTrendPoint, type Identity, type Invitation, type InvitationStatus, type InvitationWithOrg, InvitationsModule, type JwtClaims, type ListApiKeysResponse, type ListEndUsersParams, type ListOrganizationsParams, type ListPlatformOrganizationsParams, type LoginActivityPoint, type LoginRequest, type LoginTrendPoint, type LoginUrlParams, type LoginsByProvider, type LoginsByService, type MemberListResponse, type MemberRole, type Membership, type MfaSetupResponse, type MfaStatusResponse, type MfaVerificationRequest, type MfaVerificationResponse, type MfaVerifyRequest, type MfaVerifyResponse, type OAuthCredentials, type OAuthProvider, type Organization, type OrganizationMember, type OrganizationResponse, type OrganizationStatus, type OrganizationStatusBreakdown, type OrganizationTier, OrganizationsModule, type PaginatedResponse, type PaginationInfo, type PaginationParams, type Plan, type PlanResponse, type PlatformAnalyticsDateRangeParams, PlatformModule, type PlatformOrganizationResponse, type PlatformOrganizationsListResponse, type PlatformOverviewMetrics, type PromotePlatformOwnerPayload, type ProviderToken, type ProviderTokenGrant, type RecentLogin, type RecentOrganization, type RefreshTokenRequest, type RefreshTokenResponse, type RegisterRequest, type RegisterResponse, type RejectOrganizationPayload, type ResetPasswordRequest, type ResetPasswordResponse, type RevokeSessionsResponse, type SamlCertificate, type SamlConfig, type Service, ServiceApiModule, type ServiceListResponse, type ServiceResponse, type ServiceType, type ServiceWithDetails, ServicesModule, type SetCustomDomainRequest, type SetOAuthCredentialsPayload, type SetPasswordRequest, type SetPasswordResponse, type SetSmtpRequest, type SmtpConfigResponse, SsoApiError, SsoClient, type SsoClientOptions, type StartLinkResponse, type Subscription, type TokenRequest, type TokenResponse, type TopOrganization, type TransferOwnershipPayload, type UpdateBrandingRequest, type UpdateMemberRolePayload, type UpdateOrganizationPayload, type UpdateOrganizationTierPayload, type UpdatePlanPayload, type UpdateServicePayload, type UpdateUserProfilePayload, type UpdateWebhookRequest, type User, UserModule, type UserProfile, type Webhook, type WebhookDelivery, type WebhookDeliveryListResponse, type WebhookDeliveryQueryParams, type WebhookListResponse, type WebhookResponse };
+export { type AcceptInvitationPayload, type AdminLoginUrlParams, type AnalyticsQuery, type ApiKey, type ApiKeyCreateResponse, type ApproveOrganizationPayload, type AuditLog, type AuditLogEntry, type AuditLogQueryParams, type AuditLogResponse, AuthMethod, AuthModule, type AuthenticationResponseJSON, type BackupCodesResponse, type BrandingConfiguration, BrowserStorage, type ChangePasswordRequest, type ChangePasswordResponse, type ConfigureSamlPayload, type ConfigureSamlResponse, type CreateApiKeyPayload, type CreateCheckoutPayload, type CreateCheckoutResponse, type CreateInvitationPayload, type CreateOrganizationPayload, type CreateOrganizationResponse, type CreatePlanPayload, type CreateScimTokenRequest, type CreateServicePayload, type CreateServiceResponse, type CreateSiemConfigRequest, type CreateWebhookRequest, type DeclineInvitationPayload, type DeviceCodeRequest, type DeviceCodeResponse, type DeviceTrust, type DeviceVerifyResponse, type DomainConfiguration, type DomainVerificationMethod, type DomainVerificationResponse, type DomainVerificationResult, type EndUser, type EndUserDetailResponse, type EndUserIdentity, type EndUserListResponse, type EndUserSubscription, type EventTypeInfo, type ExportUserDataResponse, type ForgetUserResponse, type ForgotPasswordRequest, type ForgotPasswordResponse, type GeolocationData, type GetAuditLogParams, type GetRiskSettingsResponse, type GrowthTrendPoint, type Identity, type ImpersonateRequest, type ImpersonateResponse, type ImpersonationUserInfo, type Invitation, type InvitationStatus, type InvitationWithOrg, InvitationsModule, type JwtClaims, type ListApiKeysResponse, type ListDevicesResponse, type ListEndUsersParams, type ListOrganizationsParams, type ListPlatformOrganizationsParams, type ListScimTokensResponse, type ListSiemConfigsResponse, type LoginActivityPoint, type LoginEventExport, type LoginRequest, type LoginTrendPoint, type LoginUrlParams, type LoginsByProvider, type LoginsByService, type LookupEmailRequest, type LookupEmailResponse, MagicLinks, type MemberListResponse, type MemberRole, type Membership, type MembershipExport, MemoryStorage, type MfaEventExport, type MfaSetupResponse, type MfaStatusResponse, type MfaVerificationRequest, type MfaVerificationResponse, type MfaVerifyRequest, type MfaVerifyResponse, type OAuthCredentials, type OAuthIdentityExport, type OAuthProvider, type Organization, type OrganizationMember, type OrganizationResponse, type OrganizationStatus, type OrganizationStatusBreakdown, type OrganizationTier, OrganizationsModule, type PaginatedResponse, type PaginationInfo, type PaginationParams, type Passkey, type PasskeyAuthFinishRequest, type PasskeyAuthFinishResponse, type PasskeyAuthStartRequest, type PasskeyAuthStartResponse, type PasskeyExport, type PasskeyRegisterFinishRequest, type PasskeyRegisterFinishResponse, type PasskeyRegisterStartRequest, type PasskeyRegisterStartResponse, PasskeysModule, PermissionsModule, type Plan, type PlanResponse, type PlatformAnalyticsDateRangeParams, PlatformModule, type PlatformOrganizationResponse, type PlatformOrganizationsListResponse, type PlatformOverviewMetrics, type PromotePlatformOwnerPayload, type ProviderToken, type ProviderTokenGrant, type RecentLogin, type RecentOrganization, type RefreshTokenRequest, type RefreshTokenResponse, type RegisterRequest, type RegisterResponse, type RegistrationResponseJSON, type RejectOrganizationPayload, type ResetPasswordRequest, type ResetPasswordResponse, type RevokeDeviceRequest, type RevokeDeviceResponse, type RevokeSessionsResponse, RiskAction, type RiskAnalytics, type RiskAssessment, type RiskContext, type RiskEnforcementMode, type RiskEngineConfig, type RiskEvent, RiskEventOutcome, type RiskFactor, RiskFactorType, type RiskRule, type RiskRuleCondition, type RiskScore, type RiskSettings, type SamlCertificate, type SamlConfig, type ScimTokenResponse, type Service, ServiceApiModule, type ServiceListResponse, type ServiceResponse, type ServiceType, type ServiceWithDetails, ServicesModule, type SetCustomDomainRequest, type SetOAuthCredentialsPayload, type SetPasswordRequest, type SetPasswordResponse, type SetSmtpRequest, type SiemConfigResponse, type SiemProviderType, type SmtpConfigResponse, SsoApiError, SsoClient, type SsoClientOptions, type StartLinkResponse, type Subscription, type TestConnectionResponse, type TokenRequest, type TokenResponse, type TokenStorage, type TopOrganization, type TransferOwnershipPayload, type UpdateBrandingRequest, type UpdateMemberRolePayload, type UpdateOrganizationPayload, type UpdateOrganizationTierPayload, type UpdatePlanPayload, type UpdateRiskSettingsRequest, type UpdateRiskSettingsResponse, type UpdateServicePayload, type UpdateSiemConfigRequest, type UpdateUserProfilePayload, type UpdateWebhookRequest, type User, type UserDevice, UserModule, type UserProfile, type Webhook, type WebhookDelivery, type WebhookDeliveryListResponse, type WebhookDeliveryQueryParams, type WebhookListResponse, type WebhookResponse };