@drmhse/sso-sdk 0.2.9 → 0.3.1

package/dist/index.d.ts

@@ -71,7 +71,7 @@ interface PaginationParams {
 /**
  * OAuth provider types
  */
-type OAuthProvider = 'github' | 'google' | 'microsoft';
+type OAuthProvider = 'github' | 'google' | 'microsoft' | 'oidc';
 /**
  * Organization status types
  */
@@ -137,6 +137,308 @@ interface JwtClaims {
     iat: number;
 }
 
+/**
+ * Risk assessment and engine types
+ */
+/**
+ * Risk score levels
+ */
+type RiskScore = number;
+/**
+ * Risk assessment results from the risk engine
+ */
+interface RiskAssessment {
+    /** Overall risk score (0-100, higher is more risky) */
+    score: RiskScore;
+    /** Action to take based on risk assessment */
+    action: RiskAction;
+    /** Specific risk factors that contributed to the score */
+    factors: RiskFactor[];
+    /** Geolocation data if available */
+    location?: GeolocationData;
+    /** When the assessment was performed */
+    assessedAt: string;
+    /** Additional metadata about the assessment */
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Risk actions the engine can recommend
+ */
+declare enum RiskAction {
+    /** Allow the authentication to proceed */
+    ALLOW = "allow",
+    /** Log only - allow but monitor */
+    LOG_ONLY = "log_only",
+    /** Require additional verification (MFA) */
+    CHALLENGE_MFA = "challenge_mfa",
+    /** Block the authentication attempt */
+    BLOCK = "block"
+}
+/**
+ * Individual risk factors that contribute to overall risk score
+ */
+interface RiskFactor {
+    /** Type of risk factor */
+    type: RiskFactorType;
+    /** How much this factor contributes to the score */
+    weight: number;
+    /** Human-readable description */
+    description: string;
+    /** Additional data about this factor */
+    data?: Record<string, unknown>;
+}
+/**
+ * Types of risk factors the engine can detect
+ */
+declare enum RiskFactorType {
+    /** Unknown IP address or never seen before */
+    NEW_IP = "new_ip",
+    /** IP from high-risk country or region */
+    HIGH_RISK_LOCATION = "high_risk_location",
+    /** Impossible travel - login from geographically impossible locations */
+    IMPOSSIBLE_TRAVEL = "impossible_travel",
+    /** New device or browser fingerprint */
+    NEW_DEVICE = "new_device",
+    /** Multiple failed login attempts */
+    FAILED_ATTEMPTS = "failed_attempts",
+    /** Login from unusual time of day */
+    UNUSUAL_TIME = "unusual_time",
+    /** Suspicious user agent or bot patterns */
+    SUSPICIOUS_USER_AGENT = "suspicious_user_agent",
+    /** Tor exit node or VPN detected */
+    ANONYMOUS_NETWORK = "anonymous_network",
+    /** Account is new (recently created) */
+    NEW_ACCOUNT = "new_account",
+    /** Account has suspicious activity history */
+    SUSPICIOUS_HISTORY = "suspicious_history",
+    /** Velocity-based detection (too many actions) */
+    HIGH_VELOCITY = "high_velocity",
+    /** Custom rule triggered */
+    CUSTOM_RULE = "custom_rule"
+}
+/**
+ * Geolocation data for risk assessment
+ */
+interface GeolocationData {
+    /** Two-letter ISO country code */
+    country: string;
+    /** City name if available */
+    city?: string;
+    /** Region/state if available */
+    region?: string;
+    /** Latitude coordinate */
+    latitude?: number;
+    /** Longitude coordinate */
+    longitude?: number;
+    /** ISP or organization name */
+    isp?: string;
+    /** Whether this is a known VPN/proxy */
+    isVpn?: boolean;
+    /** Whether this is a Tor exit node */
+    isTor?: boolean;
+}
+/**
+ * Context provided to risk engine for assessment
+ */
+interface RiskContext {
+    /** User ID being authenticated */
+    userId: string;
+    /** Organization ID if applicable */
+    orgId?: string;
+    /** IP address of the request */
+    ipAddress: string;
+    /** User agent string */
+    userAgent: string;
+    /** Device fingerprint or cookie if available */
+    deviceCookie?: string;
+    /** Authentication method being used */
+    authMethod: AuthMethod;
+    /** Additional context data */
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Authentication methods for risk assessment
+ */
+declare enum AuthMethod {
+    /** Email and password */
+    PASSWORD = "password",
+    /** OAuth provider (Google, GitHub, etc.) */
+    OAUTH = "oauth",
+    /** WebAuthn passkeys */
+    PASSKEY = "passkey",
+    /** Magic link email */
+    MAGIC_LINK = "magic_link",
+    /** Multi-factor authentication */
+    MFA = "mfa",
+    /** SAML SSO */
+    SAML = "saml"
+}
+/**
+ * Risk engine configuration for organizations
+ */
+interface RiskEngineConfig {
+    /** Enable/disable risk engine */
+    enabled: boolean;
+    /** Risk score threshold for blocking */
+    blockThreshold: RiskScore;
+    /** Risk score threshold for requiring MFA */
+    mfaThreshold: RiskScore;
+    /** Which risk factors to consider */
+    enabledFactors: RiskFactorType[];
+    /** Custom rules and weights */
+    customRules?: RiskRule[];
+    /** How long to remember trusted devices */
+    deviceTrustDuration: number;
+    /** Whether to enable location-based risk assessment */
+    enableLocationTracking: boolean;
+    /** Max failed attempts before increased risk */
+    maxFailedAttempts: number;
+    /** Time window for velocity checks */
+    velocityWindow: number;
+}
+/**
+ * Custom risk rule definition
+ */
+interface RiskRule {
+    /** Unique rule identifier */
+    id: string;
+    /** Rule name for display */
+    name: string;
+    /** Rule description */
+    description: string;
+    /** Condition to trigger the rule */
+    condition: RiskRuleCondition;
+    /** Action to take when rule triggers */
+    action: RiskAction;
+    /** How much weight this rule carries */
+    weight: number;
+    /** Whether the rule is enabled */
+    enabled: boolean;
+}
+/**
+ * Risk rule condition
+ */
+interface RiskRuleCondition {
+    /** Field to check */
+    field: string;
+    /** Operator for comparison */
+    operator: 'eq' | 'ne' | 'gt' | 'gte' | 'lt' | 'lte' | 'in' | 'contains' | 'regex';
+    /** Value to compare against */
+    value: unknown;
+    /** Additional conditions (AND logic) */
+    and?: RiskRuleCondition[];
+    /** Alternative conditions (OR logic) */
+    or?: RiskRuleCondition[];
+}
+/**
+ * Device trust information
+ */
+interface DeviceTrust {
+    /** Device ID */
+    deviceId: string;
+    /** User ID this device belongs to */
+    userId: string;
+    /** Device name or description */
+    deviceName: string;
+    /** When the device was first seen */
+    firstSeenAt: string;
+    /** When the device was last used */
+    lastSeenAt: string;
+    /** When the device trust expires */
+    expiresAt: string;
+    /** IP address when device was registered */
+    registrationIp?: string;
+    /** Risk score for this device */
+    riskScore: RiskScore;
+    /** Whether this device is currently trusted */
+    isTrusted: boolean;
+}
+/**
+ * Risk event for logging and monitoring
+ */
+interface RiskEvent {
+    /** Unique event ID */
+    id: string;
+    /** User ID involved */
+    userId: string;
+    /** Organization ID if applicable */
+    orgId?: string;
+    /** Risk assessment that triggered this event */
+    assessment: RiskAssessment;
+    /** Authentication context */
+    context: RiskContext;
+    /** When the event occurred */
+    timestamp: string;
+    /** Event outcome */
+    outcome: RiskEventOutcome;
+    /** Additional event metadata */
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Risk event outcomes
+ */
+declare enum RiskEventOutcome {
+    /** Authentication was allowed */
+    ALLOWED = "allowed",
+    /** Authentication was blocked */
+    BLOCKED = "blocked",
+    /** Additional verification was required */
+    CHALLENGED = "challenged",
+    /** Event was logged but no action taken */
+    LOGGED = "logged"
+}
+/**
+ * Risk engine analytics and reporting
+ */
+interface RiskAnalytics {
+    /** Total risk assessments in time period */
+    totalAssessments: number;
+    /** Risk score distribution */
+    scoreDistribution: {
+        low: number;
+        medium: number;
+        high: number;
+        critical: number;
+    };
+    /** Most common risk factors */
+    topRiskFactors: Array<{
+        factor: RiskFactorType;
+        count: number;
+        percentage: number;
+    }>;
+    /** Blocked authentication attempts */
+    blockedAttempts: number;
+    /** MFA challenges issued */
+    mfaChallenges: number;
+    /** Geographic risk data */
+    locationRisk: Array<{
+        country: string;
+        riskCount: number;
+        riskScore: number;
+    }>;
+    /** Time-based risk patterns */
+    temporalPatterns: {
+        hourly: number[];
+        daily: number[];
+    };
+}
+/**
+ * Risk enforcement modes
+ */
+type RiskEnforcementMode = 'log_only' | 'monitor' | 'block' | 'challenge_mfa';
+/**
+ * Organization risk settings
+ */
+interface RiskSettings {
+    enforcement_mode: RiskEnforcementMode;
+    low_threshold: number;
+    medium_threshold: number;
+    new_device_score: number;
+    impossible_travel_score: number;
+    velocity_threshold: number;
+    velocity_score: number;
+}
+
 /**
  * Device code request payload
  */
@@ -242,6 +544,10 @@ interface RefreshTokenResponse {
     access_token: string;
     refresh_token: string;
     expires_in: number;
+    /**
+     * Risk assessment details (only present if risk engine is enabled)
+     */
+    risk_assessment?: RiskAssessment;
 }
 /**
  * Registration request payload
@@ -642,20 +948,58 @@ interface SmtpConfigResponse {
 }
 /**
  * Organization audit log entry
+ *
+ * This type matches the API response from GET /api/organizations/:slug/audit-log
+ * The API joins user information from the users table to provide actor details.
  */
 interface AuditLog {
+    /** Unique identifier for the audit log entry */
     id: string;
+    /** Organization ID this audit log belongs to */
     org_id: string;
+    /** User ID who performed the action */
     actor_user_id: string;
+    /** Email of the user who performed the action (optional, joined from users table) */
     actor_user_email?: string;
+    /** Action that was performed (e.g., 'service.created', 'user.invited') */
     action: string;
+    /** Type of resource that was targeted (e.g., 'service', 'user', 'organization') */
     target_type: string;
+    /** ID of the resource that was targeted */
     target_id: string;
+    /** IP address from which the action was performed */
     ip_address?: string;
+    /** User agent string of the client */
     user_agent?: string;
+    /** Whether the action was successful */
     success: boolean;
+    /** Additional details about the action (JSON string or object) */
     details?: string;
+    /** Timestamp when the action was recorded */
     created_at: string;
+    /**
+     * Actor details (optional, joined from users table when available)
+     * This field is populated by the API when fetching audit logs
+     */
+    actor?: {
+        id: string;
+        email: string;
+    };
+    /**
+     * Organization ID (deprecated: use org_id)
+     * @deprecated Use org_id instead for consistency with backend
+     */
+    organization_id?: string;
+    /**
+     * Actor ID (deprecated: use actor_user_id)
+     * @deprecated Use actor_user_id instead for consistency with backend
+     */
+    actor_id?: string;
+    /**
+     * Metadata about the action (optional)
+     * Contains additional structured information about what changed
+     */
+    metadata?: Record<string, any> | null;
 }
 /**
  * Audit log response with pagination
@@ -854,6 +1198,28 @@ interface UpdateRiskSettingsResponse {
     message: string;
     settings: GetRiskSettingsResponse;
 }
+/**
+ * Create SCIM token request
+ */
+interface CreateScimTokenRequest {
+    name: string;
+}
+/**
+ * SCIM token response
+ */
+interface ScimTokenResponse {
+    id: string;
+    name: string;
+    token?: string;
+    last_used_at?: string;
+    created_at: string;
+}
+/**
+ * List SCIM tokens response
+ */
+interface ListScimTokensResponse {
+    tokens: ScimTokenResponse[];
+}
 
 /**
  * Service entity
@@ -1115,7 +1481,7 @@ interface Invitation {
  * Create invitation payload
  */
 interface CreateInvitationPayload {
-    invitee_email: string;
+    email: string;
     role: MemberRole;
 }
 /**
@@ -1442,368 +1808,83 @@ interface PasskeyRegisterFinishRequest {
 /**
  * Response from finishing passkey registration
  */
-interface PasskeyRegisterFinishResponse {
-    success: boolean;
-    passkey_id: string;
-}
-/**
- * Request to start passkey authentication
- */
-interface PasskeyAuthStartRequest {
-    email: string;
-}
-/**
- * Response from starting passkey authentication
- */
-interface PasskeyAuthStartResponse {
-    challenge_id: string;
-    options: any;
-}
-/**
- * Request to finish passkey authentication
- */
-interface PasskeyAuthFinishRequest {
-    challenge_id: string;
-    credential: AuthenticationResponseJSON;
-}
-/**
- * Response from finishing passkey authentication
- */
-interface PasskeyAuthFinishResponse {
-    token: string;
-    user_id: string;
-}
-/**
- * JSON-serializable version of WebAuthn registration response
- */
-interface RegistrationResponseJSON {
-    id: string;
-    rawId: string;
-    response: {
-        clientDataJSON: string;
-        attestationObject: string;
-        transports?: string[];
-    };
-    authenticatorAttachment?: 'platform' | 'cross-platform';
-    clientExtensionResults: Record<string, unknown>;
-    type: 'public-key';
-}
-/**
- * JSON-serializable version of WebAuthn authentication response
- */
-interface AuthenticationResponseJSON {
-    id: string;
-    rawId: string;
-    response: {
-        clientDataJSON: string;
-        authenticatorData: string;
-        signature: string;
-        userHandle?: string;
-    };
-    authenticatorAttachment?: 'platform' | 'cross-platform';
-    clientExtensionResults: Record<string, unknown>;
-    type: 'public-key';
-}
-/**
- * Passkey information
- */
-interface Passkey {
-    id: string;
-    user_id: string;
-    credential_id: string;
-    name: string;
-    aaguid?: string;
-    backup_eligible: boolean;
-    backup_state: boolean;
-    transports?: string;
-    last_used_at?: string;
-    created_at: string;
-}
-
-/**
- * Risk assessment and engine types
- */
-/**
- * Risk score levels
- */
-type RiskScore = number;
-/**
- * Risk assessment results from the risk engine
- */
-interface RiskAssessment {
-    /** Overall risk score (0-100, higher is more risky) */
-    score: RiskScore;
-    /** Action to take based on risk assessment */
-    action: RiskAction;
-    /** Specific risk factors that contributed to the score */
-    factors: RiskFactor[];
-    /** Geolocation data if available */
-    location?: GeolocationData;
-    /** When the assessment was performed */
-    assessedAt: string;
-    /** Additional metadata about the assessment */
-    metadata?: Record<string, unknown>;
-}
-/**
- * Risk actions the engine can recommend
- */
-declare enum RiskAction {
-    /** Allow the authentication to proceed */
-    ALLOW = "allow",
-    /** Log only - allow but monitor */
-    LOG_ONLY = "log_only",
-    /** Require additional verification (MFA) */
-    CHALLENGE_MFA = "challenge_mfa",
-    /** Block the authentication attempt */
-    BLOCK = "block"
-}
-/**
- * Individual risk factors that contribute to overall risk score
- */
-interface RiskFactor {
-    /** Type of risk factor */
-    type: RiskFactorType;
-    /** How much this factor contributes to the score */
-    weight: number;
-    /** Human-readable description */
-    description: string;
-    /** Additional data about this factor */
-    data?: Record<string, unknown>;
-}
-/**
- * Types of risk factors the engine can detect
- */
-declare enum RiskFactorType {
-    /** Unknown IP address or never seen before */
-    NEW_IP = "new_ip",
-    /** IP from high-risk country or region */
-    HIGH_RISK_LOCATION = "high_risk_location",
-    /** Impossible travel - login from geographically impossible locations */
-    IMPOSSIBLE_TRAVEL = "impossible_travel",
-    /** New device or browser fingerprint */
-    NEW_DEVICE = "new_device",
-    /** Multiple failed login attempts */
-    FAILED_ATTEMPTS = "failed_attempts",
-    /** Login from unusual time of day */
-    UNUSUAL_TIME = "unusual_time",
-    /** Suspicious user agent or bot patterns */
-    SUSPICIOUS_USER_AGENT = "suspicious_user_agent",
-    /** Tor exit node or VPN detected */
-    ANONYMOUS_NETWORK = "anonymous_network",
-    /** Account is new (recently created) */
-    NEW_ACCOUNT = "new_account",
-    /** Account has suspicious activity history */
-    SUSPICIOUS_HISTORY = "suspicious_history",
-    /** Velocity-based detection (too many actions) */
-    HIGH_VELOCITY = "high_velocity",
-    /** Custom rule triggered */
-    CUSTOM_RULE = "custom_rule"
-}
-/**
- * Geolocation data for risk assessment
- */
-interface GeolocationData {
-    /** Two-letter ISO country code */
-    country: string;
-    /** City name if available */
-    city?: string;
-    /** Region/state if available */
-    region?: string;
-    /** Latitude coordinate */
-    latitude?: number;
-    /** Longitude coordinate */
-    longitude?: number;
-    /** ISP or organization name */
-    isp?: string;
-    /** Whether this is a known VPN/proxy */
-    isVpn?: boolean;
-    /** Whether this is a Tor exit node */
-    isTor?: boolean;
-}
-/**
- * Context provided to risk engine for assessment
- */
-interface RiskContext {
-    /** User ID being authenticated */
-    userId: string;
-    /** Organization ID if applicable */
-    orgId?: string;
-    /** IP address of the request */
-    ipAddress: string;
-    /** User agent string */
-    userAgent: string;
-    /** Device fingerprint or cookie if available */
-    deviceCookie?: string;
-    /** Authentication method being used */
-    authMethod: AuthMethod;
-    /** Additional context data */
-    metadata?: Record<string, unknown>;
-}
-/**
- * Authentication methods for risk assessment
- */
-declare enum AuthMethod {
-    /** Email and password */
-    PASSWORD = "password",
-    /** OAuth provider (Google, GitHub, etc.) */
-    OAUTH = "oauth",
-    /** WebAuthn passkeys */
-    PASSKEY = "passkey",
-    /** Magic link email */
-    MAGIC_LINK = "magic_link",
-    /** Multi-factor authentication */
-    MFA = "mfa",
-    /** SAML SSO */
-    SAML = "saml"
-}
-/**
- * Risk engine configuration for organizations
- */
-interface RiskEngineConfig {
-    /** Enable/disable risk engine */
-    enabled: boolean;
-    /** Risk score threshold for blocking */
-    blockThreshold: RiskScore;
-    /** Risk score threshold for requiring MFA */
-    mfaThreshold: RiskScore;
-    /** Which risk factors to consider */
-    enabledFactors: RiskFactorType[];
-    /** Custom rules and weights */
-    customRules?: RiskRule[];
-    /** How long to remember trusted devices */
-    deviceTrustDuration: number;
-    /** Whether to enable location-based risk assessment */
-    enableLocationTracking: boolean;
-    /** Max failed attempts before increased risk */
-    maxFailedAttempts: number;
-    /** Time window for velocity checks */
-    velocityWindow: number;
+interface PasskeyRegisterFinishResponse {
+    success: boolean;
+    passkey_id: string;
 }
 /**
- * Custom risk rule definition
+ * Request to start passkey authentication
  */
-interface RiskRule {
-    /** Unique rule identifier */
-    id: string;
-    /** Rule name for display */
-    name: string;
-    /** Rule description */
-    description: string;
-    /** Condition to trigger the rule */
-    condition: RiskRuleCondition;
-    /** Action to take when rule triggers */
-    action: RiskAction;
-    /** How much weight this rule carries */
-    weight: number;
-    /** Whether the rule is enabled */
-    enabled: boolean;
+interface PasskeyAuthStartRequest {
+    email: string;
 }
 /**
- * Risk rule condition
+ * Response from starting passkey authentication
  */
-interface RiskRuleCondition {
-    /** Field to check */
-    field: string;
-    /** Operator for comparison */
-    operator: 'eq' | 'ne' | 'gt' | 'gte' | 'lt' | 'lte' | 'in' | 'contains' | 'regex';
-    /** Value to compare against */
-    value: unknown;
-    /** Additional conditions (AND logic) */
-    and?: RiskRuleCondition[];
-    /** Alternative conditions (OR logic) */
-    or?: RiskRuleCondition[];
+interface PasskeyAuthStartResponse {
+    challenge_id: string;
+    options: any;
 }
 /**
- * Device trust information
+ * Request to finish passkey authentication
  */
-interface DeviceTrust {
-    /** Device ID */
-    deviceId: string;
-    /** User ID this device belongs to */
-    userId: string;
-    /** Device name or description */
-    deviceName: string;
-    /** When the device was first seen */
-    firstSeenAt: string;
-    /** When the device was last used */
-    lastSeenAt: string;
-    /** When the device trust expires */
-    expiresAt: string;
-    /** IP address when device was registered */
-    registrationIp?: string;
-    /** Risk score for this device */
-    riskScore: RiskScore;
-    /** Whether this device is currently trusted */
-    isTrusted: boolean;
+interface PasskeyAuthFinishRequest {
+    challenge_id: string;
+    credential: AuthenticationResponseJSON;
 }
 /**
- * Risk event for logging and monitoring
+ * Response from finishing passkey authentication
  */
-interface RiskEvent {
-    /** Unique event ID */
-    id: string;
-    /** User ID involved */
-    userId: string;
-    /** Organization ID if applicable */
-    orgId?: string;
-    /** Risk assessment that triggered this event */
-    assessment: RiskAssessment;
-    /** Authentication context */
-    context: RiskContext;
-    /** When the event occurred */
-    timestamp: string;
-    /** Event outcome */
-    outcome: RiskEventOutcome;
-    /** Additional event metadata */
-    metadata?: Record<string, unknown>;
+interface PasskeyAuthFinishResponse {
+    token: string;
+    user_id: string;
+    device_trust_token?: string;
 }
 /**
- * Risk event outcomes
+ * JSON-serializable version of WebAuthn registration response
  */
-declare enum RiskEventOutcome {
-    /** Authentication was allowed */
-    ALLOWED = "allowed",
-    /** Authentication was blocked */
-    BLOCKED = "blocked",
-    /** Additional verification was required */
-    CHALLENGED = "challenged",
-    /** Event was logged but no action taken */
-    LOGGED = "logged"
+interface RegistrationResponseJSON {
+    id: string;
+    rawId: string;
+    response: {
+        clientDataJSON: string;
+        attestationObject: string;
+        transports?: string[];
+    };
+    authenticatorAttachment?: 'platform' | 'cross-platform';
+    clientExtensionResults: Record<string, unknown>;
+    type: 'public-key';
 }
 /**
- * Risk engine analytics and reporting
+ * JSON-serializable version of WebAuthn authentication response
  */
-interface RiskAnalytics {
-    /** Total risk assessments in time period */
-    totalAssessments: number;
-    /** Risk score distribution */
-    scoreDistribution: {
-        low: number;
-        medium: number;
-        high: number;
-        critical: number;
-    };
-    /** Most common risk factors */
-    topRiskFactors: Array<{
-        factor: RiskFactorType;
-        count: number;
-        percentage: number;
-    }>;
-    /** Blocked authentication attempts */
-    blockedAttempts: number;
-    /** MFA challenges issued */
-    mfaChallenges: number;
-    /** Geographic risk data */
-    locationRisk: Array<{
-        country: string;
-        riskCount: number;
-        riskScore: number;
-    }>;
-    /** Time-based risk patterns */
-    temporalPatterns: {
-        hourly: number[];
-        daily: number[];
+interface AuthenticationResponseJSON {
+    id: string;
+    rawId: string;
+    response: {
+        clientDataJSON: string;
+        authenticatorData: string;
+        signature: string;
+        userHandle?: string;
     };
+    authenticatorAttachment?: 'platform' | 'cross-platform';
+    clientExtensionResults: Record<string, unknown>;
+    type: 'public-key';
+}
+/**
+ * Passkey information
+ */
+interface Passkey {
+    id: string;
+    user_id: string;
+    credential_id: string;
+    name: string;
+    aaguid?: string;
+    backup_eligible: boolean;
+    backup_state: boolean;
+    transports?: string;
+    last_used_at?: string;
+    created_at: string;
 }
 
 /**
@@ -2333,6 +2414,18 @@ declare class AuthModule {
      * ```
      */
     register(payload: RegisterRequest): Promise<RegisterResponse>;
+    /**
+     * Verify an email address using the token from the verification email.
+     *
+     * @param token Verification token
+     * @returns HTML success page string
+     *
+     * @example
+     * ```typescript
+     * const html = await sso.auth.verifyEmail('token-from-email');
+     * ```
+     */
+    verifyEmail(token: string): Promise<string>;
     /**
      * Login with email and password.
      * Automatically persists the session and configures the client.
@@ -3058,6 +3151,28 @@ declare class OrganizationsModule {
      * ```
      */
     delete(orgSlug: string): Promise<void>;
+    /**
+     * SCIM token management methods
+     */
+    scim: {
+        /**
+         * Create a new SCIM token.
+         * The token is only returned once upon creation.
+         */
+        createToken: (orgSlug: string, payload: CreateScimTokenRequest) => Promise<ScimTokenResponse>;
+        /**
+         * List all SCIM tokens.
+         */
+        listTokens: (orgSlug: string) => Promise<ListScimTokensResponse>;
+        /**
+         * Revoke a SCIM token.
+         */
+        revokeToken: (orgSlug: string, tokenId: string) => Promise<void>;
+        /**
+         * Delete a SCIM token.
+         */
+        deleteToken: (orgSlug: string, tokenId: string) => Promise<void>;
+    };
     /**
      * Member management methods
      */
@@ -3076,6 +3191,16 @@ declare class OrganizationsModule {
          * ```
          */
         list: (orgSlug: string) => Promise<MemberListResponse>;
+        /**
+         * Add a member to the organization (Invite + Accept).
+         * This is a convenience method that creates an invitation and immediately accepts it.
+         * Useful for testing and admin operations.
+         *
+         * @param orgSlug Organization slug
+         * @param payload Member details (email, role)
+         * @returns The created invitation
+         */
+        add: (orgSlug: string, payload: CreateInvitationPayload) => Promise<Invitation>;
         /**
          * Update a member's role.
          * Requires 'owner' role.
@@ -3620,7 +3745,7 @@ declare class ServicesModule {
      * console.log(service.plans);
      * ```
      */
-    get(orgSlug: string, serviceSlug: string): Promise<ServiceResponse>;
+    get(orgSlug: string, serviceSlug: string): Promise<Service>;
     /**
      * Update service configuration.
      * Requires 'owner' or 'admin' role.
@@ -3897,6 +4022,21 @@ declare class ServicesModule {
          * ```
          */
         deleteConfig: (orgSlug: string, serviceSlug: string) => Promise<ConfigureSamlResponse>;
+        /**
+         * Initiate an IdP-initiated SAML login.
+         * Returns an HTML page with an auto-submitting form that POSTs the SAML assertion to the Service Provider.
+         *
+         * @param orgSlug Organization slug
+         * @param serviceSlug Service slug
+         * @returns HTML page with auto-submitting form
+         *
+         * @example
+         * ```typescript
+         * const html = await sso.services.saml.initiateLogin('acme-corp', 'salesforce');
+         * document.body.innerHTML = html; // Auto-submits
+         * ```
+         */
+        initiateLogin: (orgSlug: string, serviceSlug: string) => Promise<string>;
         /**
          * Generate a new SAML signing certificate for the IdP.
          * Requires 'owner' or 'admin' role.
@@ -4026,7 +4166,7 @@ declare class InvitationsModule {
      * @example
      * ```typescript
      * const invitation = await sso.invitations.create('acme-corp', {
-     *   invitee_email: 'newuser@example.com',
+     *   email: 'newuser@example.com',
      *   role: 'member'
      * });
      * ```
@@ -4520,9 +4660,31 @@ interface ServiceApiInfo {
     service_type: string;
     created_at: string;
 }
+/**
+ * Response for list users endpoint
+ */
+interface ListUsersResponse {
+    users: ServiceApiUser[];
+    total: number;
+}
+/**
+ * Response for list subscriptions endpoint
+ */
+interface ListSubscriptionsResponse {
+    subscriptions: ServiceApiSubscription[];
+    total: number;
+}
+/**
+ * Service analytics response
+ */
+interface ServiceAnalytics {
+    total_users: number;
+    active_subscriptions: number;
+    [key: string]: any;
+}
 /**
  * Service API module for API key-based service-to-service operations.
- * Provides write operations for managing users, subscriptions, and service configuration.
+ * Provides operations for managing users, subscriptions, and service configuration.
  *
  * @example
  * ```typescript
@@ -4531,6 +4693,9 @@ interface ServiceApiInfo {
  *   apiKey: 'sk_live_abcd1234...'
  * });
  *
+ * // List users
+ * const { users, total } = await sso.serviceApi.listUsers({ limit: 50 });
+ *
  * // Create a user
  * const user = await sso.serviceApi.createUser({ email: 'user@example.com' });
  *
@@ -4548,6 +4713,58 @@ interface ServiceApiInfo {
 declare class ServiceApiModule {
     private http;
     constructor(http: HttpClient);
+    /**
+     * List all users for the service
+     * Requires 'read:users' permission on the API key
+     *
+     * @param params Optional pagination parameters
+     * @returns List of users with total count
+     */
+    listUsers(params?: {
+        limit?: number;
+        offset?: number;
+    }): Promise<ListUsersResponse>;
+    /**
+     * Get a specific user by ID
+     * Requires 'read:users' permission on the API key
+     *
+     * @param userId User ID to retrieve
+     * @returns User details
+     */
+    getUser(userId: string): Promise<ServiceApiUser>;
+    /**
+     * List all subscriptions for the service
+     * Requires 'read:subscriptions' permission on the API key
+     *
+     * @param params Optional pagination parameters
+     * @returns List of subscriptions with total count
+     */
+    listSubscriptions(params?: {
+        limit?: number;
+        offset?: number;
+    }): Promise<ListSubscriptionsResponse>;
+    /**
+     * Get subscription for a specific user
+     * Requires 'read:subscriptions' permission on the API key
+     *
+     * @param userId User ID whose subscription to retrieve
+     * @returns User's subscription
+     */
+    getSubscription(userId: string): Promise<ServiceApiSubscription>;
+    /**
+     * Get analytics for the service
+     * Requires 'read:analytics' permission on the API key
+     *
+     * @returns Service analytics data
+     */
+    getAnalytics(): Promise<ServiceAnalytics>;
+    /**
+     * Get service information
+     * Requires 'read:service' permission on the API key
+     *
+     * @returns Service information
+     */
+    getServiceInfo(): Promise<ServiceApiInfo>;
     /**
      * Create a new user
      * Requires 'write:users' permission on the API key
@@ -4899,6 +5116,20 @@ declare class PasskeysModule {
      * }
      * ```
      */
+    /**
+     * Start the passkey registration ceremony.
+     * returns the options required to create credentials in the browser.
+     */
+    registerStart(displayName?: string): Promise<PasskeyRegisterStartResponse>;
+    /**
+     * Finish the passkey registration ceremony.
+     * Verifies the credential created by the browser.
+     */
+    registerFinish(challengeId: string, credential: RegistrationResponseJSON): Promise<PasskeyRegisterFinishResponse>;
+    /**
+     * Register a new passkey for the authenticated user
+     * ...
+     */
     register(displayName?: string): Promise<string>;
     /**
      * Authenticate with a passkey and obtain a JWT token
@@ -4922,6 +5153,20 @@ declare class PasskeysModule {
      * }
      * ```
      */
+    /**
+     * Start the passkey authentication ceremony.
+     * Returns the options required to get credentials from the browser.
+     */
+    authenticateStart(email: string): Promise<PasskeyAuthStartResponse>;
+    /**
+     * Finish the passkey authentication ceremony.
+     * Verifies the assertion returned by the browser.
+     */
+    authenticateFinish(challengeId: string, credential: AuthenticationResponseJSON): Promise<PasskeyAuthFinishResponse>;
+    /**
+     * Authenticate with a passkey and obtain a JWT token
+     * ...
+     */
     login(email: string): Promise<PasskeyAuthFinishResponse>;
     /**
      * Convert Base64URL string to Uint8Array
@@ -5078,7 +5323,7 @@ interface SsoClientOptions {
  * ```
  */
 declare class SsoClient {
-    private http;
+    http: HttpClient;
     private session;
     /**
      * Analytics and login tracking methods
@@ -5133,6 +5378,10 @@ declare class SsoClient {
      * Sets the JWT for all subsequent authenticated requests.
      * Pass null to clear the token.
      *
+     * NOTE: For OAuth callback flows, prefer using setSession() which properly
+     * updates the SessionManager. This method updates both the HTTP headers
+     * AND the SessionManager for backward compatibility.
+     *
      * @param token The JWT string, or null to clear
      *
      * @example
@@ -5145,6 +5394,25 @@ declare class SsoClient {
      * ```
      */
     setAuthToken(token: string | null): void;
+    /**
+     * Sets the session tokens for OAuth callback flows.
+     * This properly updates the SessionManager and persists tokens to storage.
+     *
+     * @param tokens Object containing access_token and optionally refresh_token
+     *
+     * @example
+     * ```typescript
+     * // After OAuth callback
+     * await sso.setSession({
+     *   access_token: accessToken,
+     *   refresh_token: refreshToken
+     * });
+     * ```
+     */
+    setSession(tokens: {
+        access_token: string;
+        refresh_token?: string;
+    }): Promise<void>;
     /**
      * Sets the API key for service-to-service authentication.
      * Pass null to clear the API key.
@@ -5231,4 +5499,4 @@ declare class SsoApiError extends Error {
     isNotFound(): boolean;
 }
 
-export { type AcceptInvitationPayload, type AdminLoginUrlParams, type AnalyticsQuery, type ApiKey, type ApiKeyCreateResponse, type ApproveOrganizationPayload, type AuditLog, type AuditLogEntry, type AuditLogQueryParams, type AuditLogResponse, AuthMethod, AuthModule, type AuthenticationResponseJSON, type BackupCodesResponse, type BrandingConfiguration, BrowserStorage, type ChangePasswordRequest, type ChangePasswordResponse, type ConfigureSamlPayload, type ConfigureSamlResponse, type CreateApiKeyPayload, type CreateCheckoutPayload, type CreateCheckoutResponse, type CreateInvitationPayload, type CreateOrganizationPayload, type CreateOrganizationResponse, type CreatePlanPayload, type CreateServicePayload, type CreateServiceResponse, type CreateSiemConfigRequest, type CreateWebhookRequest, type DeclineInvitationPayload, type DeviceCodeRequest, type DeviceCodeResponse, type DeviceTrust, type DeviceVerifyResponse, type DomainConfiguration, type DomainVerificationMethod, type DomainVerificationResponse, type DomainVerificationResult, type EndUser, type EndUserDetailResponse, type EndUserIdentity, type EndUserListResponse, type EndUserSubscription, type EventTypeInfo, type ExportUserDataResponse, type ForgetUserResponse, type ForgotPasswordRequest, type ForgotPasswordResponse, type GeolocationData, type GetAuditLogParams, type GetRiskSettingsResponse, type GrowthTrendPoint, type Identity, type ImpersonateRequest, type ImpersonateResponse, type ImpersonationUserInfo, type Invitation, type InvitationStatus, type InvitationWithOrg, InvitationsModule, type JwtClaims, type ListApiKeysResponse, type ListDevicesResponse, type ListEndUsersParams, type ListOrganizationsParams, type ListPlatformOrganizationsParams, type ListSiemConfigsResponse, type LoginActivityPoint, type LoginEventExport, type LoginRequest, type LoginTrendPoint, type LoginUrlParams, type LoginsByProvider, type LoginsByService, type LookupEmailRequest, type LookupEmailResponse, MagicLinks, type MemberListResponse, type MemberRole, type Membership, type MembershipExport, MemoryStorage, type MfaEventExport, type MfaSetupResponse, type MfaStatusResponse, type MfaVerificationRequest, type MfaVerificationResponse, type MfaVerifyRequest, type MfaVerifyResponse, type OAuthCredentials, type OAuthIdentityExport, type OAuthProvider, type Organization, type OrganizationMember, type OrganizationResponse, type OrganizationStatus, type OrganizationStatusBreakdown, type OrganizationTier, OrganizationsModule, type PaginatedResponse, type PaginationInfo, type PaginationParams, type Passkey, type PasskeyAuthFinishRequest, type PasskeyAuthFinishResponse, type PasskeyAuthStartRequest, type PasskeyAuthStartResponse, type PasskeyExport, type PasskeyRegisterFinishRequest, type PasskeyRegisterFinishResponse, type PasskeyRegisterStartRequest, type PasskeyRegisterStartResponse, PasskeysModule, PermissionsModule, type Plan, type PlanResponse, type PlatformAnalyticsDateRangeParams, PlatformModule, type PlatformOrganizationResponse, type PlatformOrganizationsListResponse, type PlatformOverviewMetrics, type PromotePlatformOwnerPayload, type ProviderToken, type ProviderTokenGrant, type RecentLogin, type RecentOrganization, type RefreshTokenRequest, type RefreshTokenResponse, type RegisterRequest, type RegisterResponse, type RegistrationResponseJSON, type RejectOrganizationPayload, type ResetPasswordRequest, type ResetPasswordResponse, type RevokeDeviceRequest, type RevokeDeviceResponse, type RevokeSessionsResponse, RiskAction, type RiskAnalytics, type RiskAssessment, type RiskContext, type RiskEngineConfig, type RiskEvent, RiskEventOutcome, type RiskFactor, RiskFactorType, type RiskRule, type RiskRuleCondition, type RiskScore, type SamlCertificate, type SamlConfig, type Service, ServiceApiModule, type ServiceListResponse, type ServiceResponse, type ServiceType, type ServiceWithDetails, ServicesModule, type SetCustomDomainRequest, type SetOAuthCredentialsPayload, type SetPasswordRequest, type SetPasswordResponse, type SetSmtpRequest, type SiemConfigResponse, type SiemProviderType, type SmtpConfigResponse, SsoApiError, SsoClient, type SsoClientOptions, type StartLinkResponse, type Subscription, type TestConnectionResponse, type TokenRequest, type TokenResponse, type TokenStorage, type TopOrganization, type TransferOwnershipPayload, type UpdateBrandingRequest, type UpdateMemberRolePayload, type UpdateOrganizationPayload, type UpdateOrganizationTierPayload, type UpdatePlanPayload, type UpdateRiskSettingsRequest, type UpdateRiskSettingsResponse, type UpdateServicePayload, type UpdateSiemConfigRequest, type UpdateUserProfilePayload, type UpdateWebhookRequest, type User, type UserDevice, UserModule, type UserProfile, type Webhook, type WebhookDelivery, type WebhookDeliveryListResponse, type WebhookDeliveryQueryParams, type WebhookListResponse, type WebhookResponse };
+export { type AcceptInvitationPayload, type AdminLoginUrlParams, type AnalyticsQuery, type ApiKey, type ApiKeyCreateResponse, type ApproveOrganizationPayload, type AuditLog, type AuditLogEntry, type AuditLogQueryParams, type AuditLogResponse, AuthMethod, AuthModule, type AuthenticationResponseJSON, type BackupCodesResponse, type BrandingConfiguration, BrowserStorage, type ChangePasswordRequest, type ChangePasswordResponse, type ConfigureSamlPayload, type ConfigureSamlResponse, type CreateApiKeyPayload, type CreateCheckoutPayload, type CreateCheckoutResponse, type CreateInvitationPayload, type CreateOrganizationPayload, type CreateOrganizationResponse, type CreatePlanPayload, type CreateScimTokenRequest, type CreateServicePayload, type CreateServiceResponse, type CreateSiemConfigRequest, type CreateWebhookRequest, type DeclineInvitationPayload, type DeviceCodeRequest, type DeviceCodeResponse, type DeviceTrust, type DeviceVerifyResponse, type DomainConfiguration, type DomainVerificationMethod, type DomainVerificationResponse, type DomainVerificationResult, type EndUser, type EndUserDetailResponse, type EndUserIdentity, type EndUserListResponse, type EndUserSubscription, type EventTypeInfo, type ExportUserDataResponse, type ForgetUserResponse, type ForgotPasswordRequest, type ForgotPasswordResponse, type GeolocationData, type GetAuditLogParams, type GetRiskSettingsResponse, type GrowthTrendPoint, type Identity, type ImpersonateRequest, type ImpersonateResponse, type ImpersonationUserInfo, type Invitation, type InvitationStatus, type InvitationWithOrg, InvitationsModule, type JwtClaims, type ListApiKeysResponse, type ListDevicesResponse, type ListEndUsersParams, type ListOrganizationsParams, type ListPlatformOrganizationsParams, type ListScimTokensResponse, type ListSiemConfigsResponse, type LoginActivityPoint, type LoginEventExport, type LoginRequest, type LoginTrendPoint, type LoginUrlParams, type LoginsByProvider, type LoginsByService, type LookupEmailRequest, type LookupEmailResponse, MagicLinks, type MemberListResponse, type MemberRole, type Membership, type MembershipExport, MemoryStorage, type MfaEventExport, type MfaSetupResponse, type MfaStatusResponse, type MfaVerificationRequest, type MfaVerificationResponse, type MfaVerifyRequest, type MfaVerifyResponse, type OAuthCredentials, type OAuthIdentityExport, type OAuthProvider, type Organization, type OrganizationMember, type OrganizationResponse, type OrganizationStatus, type OrganizationStatusBreakdown, type OrganizationTier, OrganizationsModule, type PaginatedResponse, type PaginationInfo, type PaginationParams, type Passkey, type PasskeyAuthFinishRequest, type PasskeyAuthFinishResponse, type PasskeyAuthStartRequest, type PasskeyAuthStartResponse, type PasskeyExport, type PasskeyRegisterFinishRequest, type PasskeyRegisterFinishResponse, type PasskeyRegisterStartRequest, type PasskeyRegisterStartResponse, PasskeysModule, PermissionsModule, type Plan, type PlanResponse, type PlatformAnalyticsDateRangeParams, PlatformModule, type PlatformOrganizationResponse, type PlatformOrganizationsListResponse, type PlatformOverviewMetrics, type PromotePlatformOwnerPayload, type ProviderToken, type ProviderTokenGrant, type RecentLogin, type RecentOrganization, type RefreshTokenRequest, type RefreshTokenResponse, type RegisterRequest, type RegisterResponse, type RegistrationResponseJSON, type RejectOrganizationPayload, type ResetPasswordRequest, type ResetPasswordResponse, type RevokeDeviceRequest, type RevokeDeviceResponse, type RevokeSessionsResponse, RiskAction, type RiskAnalytics, type RiskAssessment, type RiskContext, type RiskEnforcementMode, type RiskEngineConfig, type RiskEvent, RiskEventOutcome, type RiskFactor, RiskFactorType, type RiskRule, type RiskRuleCondition, type RiskScore, type RiskSettings, type SamlCertificate, type SamlConfig, type ScimTokenResponse, type Service, ServiceApiModule, type ServiceListResponse, type ServiceResponse, type ServiceType, type ServiceWithDetails, ServicesModule, type SetCustomDomainRequest, type SetOAuthCredentialsPayload, type SetPasswordRequest, type SetPasswordResponse, type SetSmtpRequest, type SiemConfigResponse, type SiemProviderType, type SmtpConfigResponse, SsoApiError, SsoClient, type SsoClientOptions, type StartLinkResponse, type Subscription, type TestConnectionResponse, type TokenRequest, type TokenResponse, type TokenStorage, type TopOrganization, type TransferOwnershipPayload, type UpdateBrandingRequest, type UpdateMemberRolePayload, type UpdateOrganizationPayload, type UpdateOrganizationTierPayload, type UpdatePlanPayload, type UpdateRiskSettingsRequest, type UpdateRiskSettingsResponse, type UpdateServicePayload, type UpdateSiemConfigRequest, type UpdateUserProfilePayload, type UpdateWebhookRequest, type User, type UserDevice, UserModule, type UserProfile, type Webhook, type WebhookDelivery, type WebhookDeliveryListResponse, type WebhookDeliveryQueryParams, type WebhookListResponse, type WebhookResponse };