npm - @drmhse/sso-sdk - Versions diffs - 0.3.14 → 0.5.0 - Mend

@drmhse/sso-sdk 0.3.14 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/index.d.mts CHANGED Viewed

@@ -108,7 +108,7 @@ type ServiceType = 'web' | 'mobile' | 'desktop' | 'api';
 /**
  * Organization member roles
  */
-type MemberRole = 'owner' | 'admin' | 'member';
+type MemberRole = 'owner' | 'admin' | 'member' | (string & {});
 /**
  * Invitation status
  */
@@ -182,8 +182,11 @@ interface RiskEventResponse {
     created_at: string;
     risk_score: number;
     risk_factors: string[];
+    risk_action: RiskAction | string;
     geo_country?: string;
     geo_city?: string;
+    geo_lat?: number;
+    geo_long?: number;
     ip_address?: string;
     provider: string;
 }
@@ -320,6 +323,10 @@ interface RegisterRequest {
      * This ensures password users are tracked the same as OAuth users.
      */
     service_slug?: string;
+    /**
+     * Optional service callback URI to preserve the original app return path in the verification link.
+     */
+    redirect_uri?: string;
 }
 /**
  * Registration response
@@ -344,6 +351,12 @@ interface LoginRequest {
      * Only required for regular members; org owners/admins can omit.
      */
     service_slug?: string;
+    /**
+     * Optional service callback URI for hosted password login.
+     * When supplied with org_slug and service_slug, the API validates it
+     * against the service before tokens are returned to the hosted UI.
+     */
+    redirect_uri?: string;
 }
 /**
  * Forgot password request payload
@@ -351,6 +364,8 @@ interface LoginRequest {
 interface ForgotPasswordRequest {
     email: string;
     org_slug?: string;
+    service_slug?: string;
+    redirect_uri?: string;
 }
 /**
  * Forgot password response
@@ -376,6 +391,9 @@ interface ResetPasswordResponse {
  */
 interface ResendVerificationRequest {
     email: string;
+    org_slug?: string;
+    service_slug?: string;
+    redirect_uri?: string;
 }
 /**
  * Resend verification response
@@ -435,6 +453,43 @@ interface LookupEmailResponse {
      */
     auth_method: 'upstream' | 'password' | 'oauth';
 }
+/**
+ * Public hosted-auth context request.
+ */
+interface AuthContextRequest {
+    org?: string;
+    service?: string;
+    redirect_uri?: string;
+}
+/**
+ * Public hosted-auth organization context.
+ */
+interface AuthOrganizationContext {
+    slug: string;
+    name: string;
+    logo_url?: string | null;
+    primary_color?: string | null;
+    status: string;
+}
+/**
+ * Public hosted-auth service context.
+ */
+interface AuthServiceContext {
+    slug: string;
+    name: string;
+    service_type: string;
+    redirect_uri_valid?: boolean | null;
+}
+/**
+ * Public hosted-auth context response.
+ */
+interface AuthContextResponse {
+    organization: AuthOrganizationContext | null;
+    service: AuthServiceContext | null;
+    available_providers: string[];
+    auth_methods: string[];
+    support_available: boolean;
+}
 /**
  * User subscription details
@@ -464,6 +519,54 @@ interface Identity {
 interface StartLinkResponse {
     authorization_url: string;
 }
+interface ProviderDefinition {
+    provider: string;
+    display_name: string;
+    provider_type: string;
+    scopes: string[];
+    connect_supported: boolean;
+}
+interface LinkedAccountGrant {
+    id: string;
+    service_id: string;
+    scopes: string[];
+    granted_at: string;
+    last_used_at?: string;
+}
+interface LinkedAccount {
+    id: string;
+    provider: string;
+    provider_user_id: string;
+    email?: string;
+    display_name?: string;
+    scopes: string[];
+    expires_at?: string;
+    status: string;
+    grants: LinkedAccountGrant[];
+}
+interface LinkedAccountsResponse {
+    accounts: LinkedAccount[];
+    available_providers: ProviderDefinition[];
+}
+interface GrantLinkedAccountRequest {
+    service_id?: string;
+    scopes: string[];
+}
+interface ProviderTokenRequestDetails {
+    state: string;
+    provider: string;
+    requested_scopes: string[];
+    service_id: string;
+    service_name: string;
+    expires_at: string;
+    accounts: LinkedAccount[];
+}
+interface CompleteProviderTokenRequestPayload {
+    connected_account_id?: string;
+}
+interface CompleteProviderTokenRequestResponse {
+    redirect_url: string;
+}
 /**
  * Change password request payload
  */
@@ -589,6 +692,12 @@ interface Organization {
     rejected_by?: string | null;
     rejected_at?: string | null;
     rejection_reason?: string | null;
+    custom_domain?: string | null;
+    domain_verified?: boolean;
+    domain_verification_token?: string | null;
+    brand_logo_url?: string | null;
+    brand_primary_color?: string | null;
+    feature_overrides?: string | Record<string, unknown> | null;
     created_at: string;
     updated_at: string;
 }
@@ -634,6 +743,18 @@ interface OrganizationMember {
     role: MemberRole;
     joined_at: string;
 }
+interface MemberServiceAccess {
+    service_id: string;
+    service_slug: string;
+    service_name: string;
+    access: 'viewer' | 'manager' | null;
+}
+interface UpdateMemberServiceAccessPayload {
+    grants: Array<{
+        service_slug: string;
+        access: 'viewer' | 'manager' | null;
+    }>;
+}
 /**
  * Create organization payload (authenticated endpoint)
  */
@@ -842,6 +963,7 @@ interface WebhookResponse {
     url: string;
     events: string[];
     is_active: boolean;
+    secret?: string;
     created_at: string;
     updated_at: string;
 }
@@ -1028,6 +1150,7 @@ interface Service {
     name: string;
     service_type: ServiceType;
     client_id: string;
+    client_secret?: string | null;
     github_scopes: string[];
     microsoft_scopes: string[];
     google_scopes: string[];
@@ -1043,16 +1166,6 @@ interface Service {
     saml_sign_response: boolean;
     created_at: string;
 }
-/**
- * Provider token grant configuration
- */
-interface ProviderTokenGrant {
-    id: string;
-    service_id: string;
-    provider: string;
-    scopes: string[];
-    created_at: string;
-}
 /**
  * Subscription plan
  */
@@ -1075,6 +1188,30 @@ interface PlanResponse {
     plan: Plan;
     subscription_count: number;
 }
+/**
+ * Create plan payload
+ */
+interface CreatePlanPayload {
+    name: string;
+    description?: string;
+    price_cents: number;
+    currency: string;
+    features?: string[];
+    stripe_price_id?: string;
+    is_default?: boolean;
+}
+/**
+ * Update plan payload
+ */
+interface UpdatePlanPayload {
+    name?: string;
+    description?: string;
+    price_cents?: number;
+    currency?: string;
+    features?: string[];
+    stripe_price_id?: string | null;
+    is_default?: boolean;
+}
 /**
  * Create service payload
  */
@@ -1093,7 +1230,6 @@ interface CreateServicePayload {
  */
 interface CreateServiceResponse {
     service: Service;
-    provider_grants: ProviderTokenGrant[];
     default_plan: Plan;
     usage: {
         current_services: number;
@@ -1101,6 +1237,10 @@ interface CreateServiceResponse {
         tier: string;
     };
 }
+interface RotateServiceSecretResponse {
+    service: Service;
+    client_secret: string;
+}
 /**
  * Update service payload
  */
@@ -1114,41 +1254,10 @@ interface UpdateServicePayload {
     device_activation_uri?: string;
 }
 /**
- * Service response with details
+ * Service with aggregated details (for listing)
  */
-interface ServiceResponse {
+interface ServiceWithDetails {
     service: Service;
-    provider_grants: ProviderTokenGrant[];
-    plans: Plan[];
-}
-/**
- * Create plan payload
- */
-interface CreatePlanPayload {
-    name: string;
-    description?: string;
-    price_cents: number;
-    currency: string;
-    features?: string[];
-    stripe_price_id?: string;
-    is_default?: boolean;
-}
-/**
- * Update plan payload
- */
-interface UpdatePlanPayload {
-    name?: string;
-    description?: string;
-    price_cents?: number;
-    currency?: string;
-    features?: string[];
-    stripe_price_id?: string | null;
-    is_default?: boolean;
-}
-/**
- * Service with aggregated details
- */
-interface ServiceWithDetails extends Service {
     plan_count: number;
     subscription_count: number;
 }
@@ -1522,6 +1631,30 @@ interface EndUserIdentity {
     provider_user_id: string;
     created_at: string;
 }
+interface EndUserSession {
+    id: string;
+    service_id?: string | null;
+    service_name?: string | null;
+    org_slug?: string | null;
+    ip_address?: string | null;
+    user_agent?: string | null;
+    expires_at: string;
+    refresh_token_expires_at?: string | null;
+    created_at: string;
+}
+interface EndUserLoginEvent {
+    id: string;
+    service_id?: string | null;
+    service_name?: string | null;
+    provider: string;
+    ip_address?: string | null;
+    user_agent?: string | null;
+    risk_score?: number | null;
+    risk_factors: string[];
+    geo_country?: string | null;
+    geo_city?: string | null;
+    created_at: string;
+}
 /**
  * End-user with subscriptions and identities
  */
@@ -1557,6 +1690,8 @@ interface EndUserDetailResponse {
     subscriptions: EndUserSubscription[];
     identities: EndUserIdentity[];
     session_count: number;
+    sessions: EndUserSession[];
+    recent_logins: EndUserLoginEvent[];
 }
 /**
  * List end-users query params
@@ -1636,6 +1771,9 @@ interface PasskeyRegisterFinishResponse {
  */
 interface PasskeyAuthStartRequest {
     email: string;
+    org_slug?: string;
+    service_slug?: string;
+    redirect_uri?: string;
 }
 /**
  * Response from starting passkey authentication
@@ -1655,6 +1793,10 @@ interface PasskeyAuthFinishRequest {
  * Response from finishing passkey authentication
  */
 interface PasskeyAuthFinishResponse {
+    access_token: string;
+    refresh_token: string;
+    expires_in: number;
+    /** Backward compatible alias for access_token. */
     token: string;
     user_id: string;
     device_trust_token?: string;
@@ -1705,6 +1847,25 @@ interface Passkey {
     last_used_at?: string;
     created_at: string;
 }
+/**
+ * Passkey shown in authenticated self-service settings.
+ */
+interface UserPasskey {
+    id: string;
+    name: string;
+    backup_eligible: boolean;
+    backup_state: boolean;
+    transports?: string | null;
+    last_used_at?: string | null;
+    created_at: string;
+}
+/**
+ * Generic passkey action response.
+ */
+interface PasskeyActionResponse {
+    success: boolean;
+    message: string;
+}
 /**
  * Privacy and GDPR compliance types
@@ -1774,6 +1935,13 @@ interface ExportUserDataResponse {
     mfa_events: MfaEventExport[];
     passkeys: PasskeyExport[];
 }
+/**
+ * User anonymization confirmation payload.
+ */
+interface ForgetUserRequest {
+    current_password?: string;
+    mfa_code?: string;
+}
 /**
  * User anonymization response (GDPR Right to be Forgotten)
  */
@@ -1864,6 +2032,57 @@ interface UpdateRoleRequest {
     permissions?: string[];
 }
+/**
+ * Upstream Provider (Enterprise SSO) types
+ */
+type UpstreamProviderType = 'oidc' | 'oauth2' | 'saml';
+interface UpstreamProvider {
+    id: string;
+    org_id: string;
+    connection_id: string;
+    name: string;
+    provider_type: UpstreamProviderType;
+    enabled: boolean;
+    client_id: string;
+    issuer?: string;
+    authorization_url?: string;
+    token_url?: string;
+    userinfo_url?: string;
+    discovery_url?: string;
+    scopes?: string;
+    metadata?: any;
+    created_at: string;
+    updated_at: string;
+}
+interface CreateUpstreamProviderPayload {
+    connection_id: string;
+    name: string;
+    provider_type: UpstreamProviderType;
+    client_id: string;
+    client_secret?: string;
+    issuer?: string;
+    authorization_url?: string;
+    token_url?: string;
+    userinfo_url?: string;
+    discovery_url?: string;
+    scopes?: string;
+    metadata?: any;
+    enabled?: boolean;
+}
+interface UpdateUpstreamProviderPayload {
+    name?: string;
+    enabled?: boolean;
+    client_id?: string;
+    client_secret?: string;
+    issuer?: string;
+    authorization_url?: string;
+    token_url?: string;
+    userinfo_url?: string;
+    discovery_url?: string;
+    scopes?: string;
+    metadata?: any;
+}
 interface SessionConfig {
     storageKeyPrefix?: string;
     autoRefresh?: boolean;
@@ -1992,7 +2211,7 @@ declare class HttpClient {
     /**
      * DELETE request
      */
-    delete<T = any>(path: string, config?: {
+    delete<T = any>(path: string, data?: any, config?: {
         headers?: Record<string, string>;
     }): Promise<HttpResponse<T>>;
 }
@@ -2299,7 +2518,7 @@ declare class AuthModule {
     resendVerification(payload: ResendVerificationRequest): Promise<ResendVerificationResponse>;
     /**
      * Login with email and password.
-     * Automatically persists the session and configures the client.
+     * Automatically persists the session once authentication is complete.
      *
      * @param payload Login credentials (email and password)
      * @returns Access token, refresh token, and expiration info
@@ -2310,7 +2529,7 @@ declare class AuthModule {
      *   email: 'user@example.com',
      *   password: 'SecurePassword123!'
      * });
-     * // Session is automatically saved - no need for manual token management
+     * // Session is automatically saved unless MFA is required
      * ```
      */
     login(payload: LoginRequest): Promise<RefreshTokenResponse>;
@@ -2415,6 +2634,10 @@ declare class AuthModule {
      * ```
      */
     lookupEmail(email: string): Promise<LookupEmailResponse>;
+    /**
+     * Fetch public hosted-auth context for an organization/service login.
+     */
+    getContext(params?: AuthContextRequest): Promise<AuthContextResponse>;
 }
 /**
@@ -2462,6 +2685,18 @@ declare class IdentitiesModule {
      */
     unlink(provider: string): Promise<void>;
 }
+declare class LinkedAccountsModule {
+    private http;
+    constructor(http: HttpClient);
+    list(): Promise<LinkedAccountsResponse>;
+    startLink(provider: string): Promise<StartLinkResponse>;
+    grant(accountId: string, payload: GrantLinkedAccountRequest): Promise<LinkedAccountGrant>;
+    revokeGrant(accountId: string, serviceId: string): Promise<void>;
+    unlink(accountId: string): Promise<void>;
+    getProviderTokenRequest(state: string): Promise<ProviderTokenRequestDetails>;
+    completeProviderTokenRequest(state: string, payload?: CompleteProviderTokenRequestPayload): Promise<CompleteProviderTokenRequestResponse>;
+    startProviderTokenRequestLink(state: string): Promise<StartLinkResponse>;
+}
 /**
  * Multi-Factor Authentication (MFA) methods
  */
@@ -2634,6 +2869,7 @@ declare class DevicesModule {
 declare class UserModule {
     private http;
     readonly identities: IdentitiesModule;
+    readonly linkedAccounts: LinkedAccountsModule;
     readonly mfa: MfaModule;
     readonly devices: DevicesModule;
     constructor(http: HttpClient);
@@ -2942,6 +3178,53 @@ declare class WebhooksModule {
     }>;
 }
+/**
+ * Upstream Provider (Enterprise SSO) management methods
+ */
+declare class UpstreamProvidersModule {
+    private http;
+    constructor(http: HttpClient);
+    /**
+     * List all upstream providers for an organization.
+     *
+     * @param orgSlug Organization slug
+     * @returns Array of upstream providers
+     */
+    list(orgSlug: string): Promise<UpstreamProvider[]>;
+    /**
+     * Get a specific upstream provider.
+     *
+     * @param orgSlug Organization slug
+     * @param providerId Provider ID or connection_id
+     * @returns Upstream provider details
+     */
+    get(orgSlug: string, providerId: string): Promise<UpstreamProvider>;
+    /**
+     * Create a new upstream provider.
+     *
+     * @param orgSlug Organization slug
+     * @param payload Provider configuration
+     * @returns Created upstream provider
+     */
+    create(orgSlug: string, payload: CreateUpstreamProviderPayload): Promise<UpstreamProvider>;
+    /**
+     * Update an existing upstream provider.
+     *
+     * @param orgSlug Organization slug
+     * @param providerId Provider ID or connection_id
+     * @param payload Update payload
+     * @returns Updated upstream provider
+     */
+    update(orgSlug: string, providerId: string, payload: UpdateUpstreamProviderPayload): Promise<UpstreamProvider>;
+    /**
+     * Delete an upstream provider.
+     *
+     * @param orgSlug Organization slug
+     * @param providerId Provider ID or connection_id
+     */
+    delete(orgSlug: string, providerId: string): Promise<void>;
+}
 /**
  * Organization management methods
  */
@@ -2956,6 +3239,10 @@ declare class OrganizationsModule {
      * Webhooks management
      */
     webhooks: WebhooksModule;
+    /**
+     * Upstream provider (Enterprise SSO) management
+     */
+    upstreamProviders: UpstreamProvidersModule;
     /**
      * Create a new organization (requires authentication).
      * The authenticated user becomes the organization owner.
@@ -3141,6 +3428,14 @@ declare class OrganizationsModule {
          * ```
          */
         remove: (orgSlug: string, userId: string) => Promise<void>;
+        /**
+         * List a member's direct per-service access grants.
+         */
+        listServiceAccess: (orgSlug: string, userId: string) => Promise<MemberServiceAccess[]>;
+        /**
+         * Replace a member's direct per-service access grants.
+         */
+        updateServiceAccess: (orgSlug: string, userId: string, payload: UpdateMemberServiceAccessPayload) => Promise<MemberServiceAccess[]>;
         /**
          * Transfer organization ownership to another member.
          * Requires 'owner' role.
@@ -3802,13 +4097,12 @@ declare class ServicesModule {
      *
      * @param orgSlug Organization slug
      * @param serviceSlug Service slug
-     * @returns Service with provider grants and plans
+     * @returns Service details
      *
      * @example
      * ```typescript
      * const service = await sso.services.get('acme-corp', 'main-app');
-     * console.log(service.service.redirect_uris);
-     * console.log(service.plans);
+     * console.log(service.name, service.client_id);
      * ```
      */
     get(orgSlug: string, serviceSlug: string): Promise<Service>;
@@ -3843,6 +4137,11 @@ declare class ServicesModule {
      * ```
      */
     delete(orgSlug: string, serviceSlug: string): Promise<void>;
+    /**
+     * Rotate a service client secret.
+     * The new secret is returned once and cannot be retrieved later.
+     */
+    rotateSecret(orgSlug: string, serviceSlug: string): Promise<RotateServiceSecretResponse>;
     /**
      * Plan management methods
      */
@@ -4290,6 +4589,12 @@ declare class InvitationsModule {
      * ```
      */
     accept(token: string): Promise<void>;
+    /**
+     * Accept one of the current user's invitations by invitation ID.
+     *
+     * @param invitationId Invitation ID
+     */
+    acceptById(invitationId: string): Promise<void>;
     /**
      * Decline an invitation using its token.
      *
@@ -4301,6 +4606,12 @@ declare class InvitationsModule {
      * ```
      */
     decline(token: string): Promise<void>;
+    /**
+     * Decline one of the current user's invitations by invitation ID.
+     *
+     * @param invitationId Invitation ID
+     */
+    declineById(invitationId: string): Promise<void>;
 }
 /**
@@ -4433,12 +4744,17 @@ declare class PlatformModule {
          */
         updateFeatures: (orgId: string, payload: {
             allow_saml?: boolean;
+            allow_saml_idp?: boolean;
             allow_scim?: boolean;
             allow_custom_domain?: boolean;
             allow_custom_branding?: boolean;
+            allow_branding?: boolean;
             allow_advanced_risk_engine?: boolean;
             allow_siem_integration?: boolean;
+            allow_siem?: boolean;
             allow_webhooks?: boolean;
+            allow_passkeys?: boolean;
+            allow_overage?: boolean;
         }) => Promise<Organization>;
         /**
          * Delete an organization and all its associated data.
@@ -4526,6 +4842,15 @@ declare class PlatformModule {
             limit?: number;
             offset?: number;
         }) => Promise<PlatformUserListResponse>;
+        /**
+         * Get a single platform user by ID.
+         */
+        get: (userId: string) => Promise<{
+            id: string;
+            email: string;
+            is_platform_owner: boolean;
+            created_at: string;
+        }>;
         /**
          * Search users by email address or user ID.
          *
@@ -4703,6 +5028,17 @@ declare class PlatformModule {
      * ```
      */
     impersonateUser(payload: ImpersonateRequest): Promise<ImpersonateResponse>;
+    /**
+     * Get platform operational counters for jobs, webhooks, and SIEM delivery.
+     */
+    getOperationsStatus(): Promise<{
+        jobs_pending: number;
+        jobs_running: number;
+        jobs_failed: number;
+        webhook_deliveries_failed: number;
+        siem_configs_enabled: number;
+        siem_configs_with_failures: number;
+    }>;
 }
 /**
@@ -4790,6 +5126,33 @@ interface ServiceAnalytics {
     active_subscriptions: number;
     [key: string]: any;
 }
+interface ProviderTokenRequest {
+    user_id: string;
+    provider: string;
+    scopes?: string[];
+    redirect_uri?: string;
+    state?: string;
+}
+interface ProviderTokenAccount {
+    id: string;
+    provider_user_id: string;
+    email?: string;
+    display_name?: string;
+}
+type ProviderTokenResult = {
+    status: 'ok';
+    access_token: string;
+    expires_at?: string;
+    scopes: string[];
+    provider: string;
+    account: ProviderTokenAccount;
+} | {
+    status: 'action_required';
+    code: 'PROVIDER_LINK_REQUIRED' | 'PROVIDER_GRANT_REQUIRED' | 'PROVIDER_SCOPE_CONSENT_REQUIRED' | 'PROVIDER_REAUTH_REQUIRED' | string;
+    reauth_url: string;
+    missing_scopes: string[];
+    provider: string;
+};
 /**
  * Service API module for API key-based service-to-service operations.
  * Provides operations for managing users, subscriptions, and service configuration.
@@ -4873,6 +5236,11 @@ declare class ServiceApiModule {
      * @returns Service information
      */
     getServiceInfo(): Promise<ServiceApiInfo>;
+    /**
+     * Request a backend-only third-party provider access token for an AuthOS user.
+     * Requires `read:provider_tokens` or `read:provider_tokens:{provider}` on the API key.
+     */
+    requestProviderToken(request: ProviderTokenRequest): Promise<ProviderTokenResult>;
     /**
      * Create a new user
      * Requires 'write:users' permission on the API key
@@ -5229,6 +5597,18 @@ declare class PasskeysModule {
      * returns the options required to create credentials in the browser.
      */
     registerStart(displayName?: string): Promise<PasskeyRegisterStartResponse>;
+    /**
+     * List registered passkeys for the authenticated user.
+     */
+    list(): Promise<UserPasskey[]>;
+    /**
+     * Rename a passkey for the authenticated user.
+     */
+    updateName(passkeyId: string, name: string): Promise<UserPasskey>;
+    /**
+     * Delete a passkey for the authenticated user.
+     */
+    delete(passkeyId: string): Promise<PasskeyActionResponse>;
     /**
      * Finish the passkey registration ceremony.
      * Verifies the credential created by the browser.
@@ -5265,7 +5645,11 @@ declare class PasskeysModule {
      * Start the passkey authentication ceremony.
      * Returns the options required to get credentials from the browser.
      */
-    authenticateStart(email: string): Promise<PasskeyAuthStartResponse>;
+    authenticateStart(email: string, context?: {
+        org_slug?: string;
+        service_slug?: string;
+        redirect_uri?: string;
+    }): Promise<PasskeyAuthStartResponse>;
     /**
      * Finish the passkey authentication ceremony.
      * Verifies the assertion returned by the browser.
@@ -5275,7 +5659,11 @@ declare class PasskeysModule {
      * Authenticate with a passkey and obtain a JWT token
      * ...
      */
-    login(email: string): Promise<PasskeyAuthFinishResponse>;
+    login(email: string, context?: {
+        org_slug?: string;
+        service_slug?: string;
+        redirect_uri?: string;
+    }): Promise<PasskeyAuthFinishResponse>;
     /**
      * Convert Base64URL string to Uint8Array
      */
@@ -5293,7 +5681,12 @@ interface MagicLinkRequest {
     /** Email address to send the magic link to */
     email: string;
     /** Optional organization context */
+    org_slug?: string;
     orgSlug?: string;
+    /** Optional service context */
+    service_slug?: string;
+    /** Optional service callback URI */
+    redirect_uri?: string;
 }
 /**
  * Magic link response
@@ -5385,7 +5778,7 @@ declare class PrivacyModule {
      * // "User data has been anonymized. PII has been removed while preserving audit logs."
      * ```
      */
-    forgetUser(userId: string): Promise<ForgetUserResponse>;
+    forgetUser(userId: string, payload?: ForgetUserRequest): Promise<ForgetUserResponse>;
 }
 /**
@@ -5595,16 +5988,16 @@ declare enum AuthErrorCodes {
     ORG_REQUIRED = "ORG_REQUIRED",
     /** The provided credentials are invalid */
     INVALID_CREDENTIALS = "INVALID_CREDENTIALS",
-    /** The JWT token has expired */
-    TOKEN_EXPIRED = "TOKEN_EXPIRED",
     /** The refresh token is invalid or has been revoked */
     REFRESH_TOKEN_INVALID = "REFRESH_TOKEN_INVALID",
+    /** The requested resource was not found */
+    NOT_FOUND = "NOT_FOUND",
     /** The user is not authorized to perform this action */
     UNAUTHORIZED = "UNAUTHORIZED",
     /** The user does not have permission for this resource */
     FORBIDDEN = "FORBIDDEN",
-    /** The requested resource was not found */
-    NOT_FOUND = "NOT_FOUND",
+    /** The JWT token has expired */
+    TOKEN_EXPIRED = "TOKEN_EXPIRED",
     /** The request failed validation */
     VALIDATION_ERROR = "VALIDATION_ERROR",
     /** The email address is already registered */
@@ -5615,20 +6008,48 @@ declare enum AuthErrorCodes {
     ACCOUNT_SUSPENDED = "ACCOUNT_SUSPENDED",
     /** The organization has been suspended */
     ORG_SUSPENDED = "ORG_SUSPENDED",
+    /** The request failed validation or is malformed */
+    BAD_REQUEST = "BAD_REQUEST",
+    /** A resource with this information already exists */
+    DUPLICATE_CONSTRAINT = "DUPLICATE_CONSTRAINT",
+    /** Organization is pending approval or suspended */
+    ORGANIZATION_NOT_ACTIVE = "ORGANIZATION_NOT_ACTIVE",
+    /** Service creation limit reached for organization tier */
+    SERVICE_LIMIT_EXCEEDED = "SERVICE_LIMIT_EXCEEDED",
+    /** Team member limit reached for organization tier */
+    TEAM_LIMIT_EXCEEDED = "TEAM_LIMIT_EXCEEDED",
+    /** Invitation link has expired */
+    INVITATION_EXPIRED = "INVITATION_EXPIRED",
+    /** The magic link or verification token has expired */
+    LINK_EXPIRED = "LINK_EXPIRED",
+    /** Device code for headless authentication has expired */
+    DEVICE_CODE_EXPIRED = "DEVICE_CODE_EXPIRED",
+    /** Authorization is still pending (device flow) */
+    AUTHORIZATION_PENDING = "AUTHORIZATION_PENDING",
+    DEVICE_CODE_PENDING = "DEVICE_CODE_PENDING",
+    /** Feature not available in organization's current tier */
+    FEATURE_NOT_AVAILABLE_IN_TIER = "FEATURE_NOT_AVAILABLE_IN_TIER",
     /** Rate limit exceeded */
     RATE_LIMITED = "RATE_LIMITED",
+    TOO_MANY_REQUESTS = "TOO_MANY_REQUESTS",
     /** The password does not meet requirements */
     WEAK_PASSWORD = "WEAK_PASSWORD",
     /** The MFA code is invalid */
     INVALID_MFA_CODE = "INVALID_MFA_CODE",
-    /** The magic link or verification token has expired */
-    LINK_EXPIRED = "LINK_EXPIRED",
-    /** The device code has expired */
-    DEVICE_CODE_EXPIRED = "DEVICE_CODE_EXPIRED",
-    /** Authorization is still pending (device flow) */
-    AUTHORIZATION_PENDING = "AUTHORIZATION_PENDING",
+    /** Malformed or invalid JWT token */
+    JWT_ERROR = "JWT_ERROR",
+    /** Unexpected server error */
+    INTERNAL_SERVER_ERROR = "INTERNAL_SERVER_ERROR",
+    /** OAuth provider communication failed */
+    OAUTH_ERROR = "OAUTH_ERROR",
     /** The passkey authentication failed */
-    PASSKEY_ERROR = "PASSKEY_ERROR"
+    PASSKEY_ERROR = "PASSKEY_ERROR",
+    /** Billing system error */
+    STRIPE_ERROR = "STRIPE_ERROR",
+    /** General database operation failed */
+    DATABASE_ERROR = "DATABASE_ERROR",
+    /** General system error */
+    GENERIC_ERROR = "GENERIC_ERROR"
 }
 /**
  * Custom error class for SSO API errors.
@@ -5666,4 +6087,4 @@ declare class SsoApiError extends Error {
     isNotFound(): boolean;
 }
-export { type AcceptInvitationPayload, type AdminLoginUrlParams, type AnalyticsQuery, type ApiKey, type ApiKeyCreateResponse, type ApproveOrganizationPayload, type AuditLog, type AuditLogEntry, type AuditLogQueryParams, type AuditLogResponse, AuthErrorCodes, AuthModule, type AuthSnapshot, type AuthenticationResponseJSON, type BackupCodesResponse, type BrandingConfiguration, BrowserStorage, type ChangePasswordRequest, type ChangePasswordResponse, type ConfigureSamlPayload, type ConfigureSamlResponse, CookieStorage, type CreateApiKeyPayload, type CreateCheckoutPayload, type CreateCheckoutResponse, type CreateInvitationPayload, type CreateOrganizationPayload, type CreateOrganizationResponse, type CreatePlanPayload, type CreateRoleRequest, type CreateScimTokenRequest, type CreateServicePayload, type CreateServiceResponse, type CreateSiemConfigRequest, type CreateWebhookRequest, type DeclineInvitationPayload, type DeviceCodeRequest, type DeviceCodeResponse, type DeviceVerifyResponse, type DomainConfiguration, type DomainVerificationMethod, type DomainVerificationResponse, type DomainVerificationResult, type EndUser, type EndUserDetailResponse, type EndUserIdentity, type EndUserListResponse, type EndUserSubscription, type EventTypeInfo, type ExportUserDataResponse, type ForgetUserResponse, type ForgotPasswordRequest, type ForgotPasswordResponse, type GeoLocation, type GetAuditLogParams, type GetRiskSettingsResponse, type GrowthTrendPoint, type Identity, type ImpersonateRequest, type ImpersonateResponse, type ImpersonationUserInfo, type Invitation, type InvitationStatus, type InvitationWithOrg, InvitationsModule, type JwtClaims, type ListApiKeysResponse, type ListDevicesResponse, type ListEndUsersParams, type ListOrganizationsParams, type ListPlatformOrganizationsParams, type ListScimTokensResponse, type ListSiemConfigsResponse, type LoginActivityPoint, type LoginEventExport, type LoginRequest, type LoginTrendPoint, type LoginUrlParams, type LoginsByProvider, type LoginsByService, type LookupEmailRequest, type LookupEmailResponse, MagicLinks, type MemberListResponse, type MemberRole, type Membership, type MembershipExport, MemoryStorage, type MfaEventExport, type MfaSetupResponse, type MfaStatusResponse, type MfaVerificationRequest, type MfaVerificationResponse, type MfaVerifyRequest, type MfaVerifyResponse, type OAuthCredentials, type OAuthIdentityExport, type OAuthProvider, type Organization, type OrganizationMember, type OrganizationResponse, type OrganizationStatus, type OrganizationStatusBreakdown, type OrganizationTier, OrganizationsModule, type PaginatedResponse, type PaginationInfo, type PaginationParams, type Passkey, type PasskeyAuthFinishRequest, type PasskeyAuthFinishResponse, type PasskeyAuthStartRequest, type PasskeyAuthStartResponse, type PasskeyExport, type PasskeyRegisterFinishRequest, type PasskeyRegisterFinishResponse, type PasskeyRegisterStartRequest, type PasskeyRegisterStartResponse, PasskeysModule, PermissionsModule, type Plan, type PlanResponse, type PlatformAnalyticsDateRangeParams, PlatformModule, type PlatformOrganizationResponse, type PlatformOrganizationsListResponse, type PlatformOverviewMetrics, type PlatformUser, type PlatformUserListResponse, type PromotePlatformOwnerPayload, type ProviderToken, type ProviderTokenGrant, type RecentLogin, type RecentOrganization, type RefreshTokenRequest, type RefreshTokenResponse, type RegisterRequest, type RegisterResponse, type RegistrationResponseJSON, type RejectOrganizationPayload, type ResendVerificationRequest, type ResendVerificationResponse, type ResetPasswordRequest, type ResetPasswordResponse, type RevokeDeviceRequest, type RevokeDeviceResponse, type RevokeSessionsResponse, type RiskAction, type RiskAssessment, type RiskEventResponse, type RiskEventsQuery, type RoleResponse, type SamlCertificate, type SamlConfig, type ScimTokenResponse, type SelectOrganizationResponse, type Service, ServiceApiModule, type ServiceListResponse, type ServiceResponse, type ServiceType, type ServiceWithDetails, ServicesModule, type SetCustomDomainRequest, type SetOAuthCredentialsPayload, type SetPasswordRequest, type SetPasswordResponse, type SetSmtpRequest, type SiemConfigResponse, type SiemProviderType, type SmtpConfigResponse, SsoApiError, SsoClient, type SsoClientOptions, type StartLinkResponse, type Subscription, type TestConnectionResponse, type TokenRequest, type TokenResponse, type TokenStorage, type TopOrganization, type TransferOwnershipPayload, type UpdateBrandingRequest, type UpdateMemberRolePayload, type UpdateOrganizationPayload, type UpdateOrganizationTierPayload, type UpdatePlanPayload, type UpdateRiskSettingsRequest, type UpdateRiskSettingsResponse, type UpdateRoleRequest, type UpdateServicePayload, type UpdateSiemConfigRequest, type UpdateUserProfilePayload, type UpdateWebhookRequest, type User, type UserDevice, UserModule, type UserProfile, type Webhook, type WebhookDelivery, type WebhookDeliveryListResponse, type WebhookDeliveryQueryParams, type WebhookListResponse, type WebhookResponse };
+export { type AcceptInvitationPayload, type AdminLoginUrlParams, type AnalyticsQuery, type ApiKey, type ApiKeyCreateResponse, type ApproveOrganizationPayload, type AuditLog, type AuditLogEntry, type AuditLogQueryParams, type AuditLogResponse, type AuthContextRequest, type AuthContextResponse, AuthErrorCodes, AuthModule, type AuthOrganizationContext, type AuthServiceContext, type AuthSnapshot, type AuthenticationResponseJSON, type BackupCodesResponse, type BrandingConfiguration, BrowserStorage, type ChangePasswordRequest, type ChangePasswordResponse, type CompleteProviderTokenRequestPayload, type CompleteProviderTokenRequestResponse, type ConfigureSamlPayload, type ConfigureSamlResponse, CookieStorage, type CreateApiKeyPayload, type CreateCheckoutPayload, type CreateCheckoutResponse, type CreateInvitationPayload, type CreateOrganizationPayload, type CreateOrganizationResponse, type CreatePlanPayload, type CreateRoleRequest, type CreateScimTokenRequest, type CreateServicePayload, type CreateServiceResponse, type CreateSiemConfigRequest, type CreateUpstreamProviderPayload, type CreateWebhookRequest, type DeclineInvitationPayload, type DeviceCodeRequest, type DeviceCodeResponse, type DeviceVerifyResponse, type DomainConfiguration, type DomainVerificationMethod, type DomainVerificationResponse, type DomainVerificationResult, type EndUser, type EndUserDetailResponse, type EndUserIdentity, type EndUserListResponse, type EndUserLoginEvent, type EndUserSession, type EndUserSubscription, type EventTypeInfo, type ExportUserDataResponse, type ForgetUserRequest, type ForgetUserResponse, type ForgotPasswordRequest, type ForgotPasswordResponse, type GeoLocation, type GetAuditLogParams, type GetRiskSettingsResponse, type GrantLinkedAccountRequest, type GrowthTrendPoint, type Identity, type ImpersonateRequest, type ImpersonateResponse, type ImpersonationUserInfo, type Invitation, type InvitationStatus, type InvitationWithOrg, InvitationsModule, type JwtClaims, type LinkedAccount, type LinkedAccountGrant, type LinkedAccountsResponse, type ListApiKeysResponse, type ListDevicesResponse, type ListEndUsersParams, type ListOrganizationsParams, type ListPlatformOrganizationsParams, type ListScimTokensResponse, type ListSiemConfigsResponse, type LoginActivityPoint, type LoginEventExport, type LoginRequest, type LoginTrendPoint, type LoginUrlParams, type LoginsByProvider, type LoginsByService, type LookupEmailRequest, type LookupEmailResponse, MagicLinks, type MemberListResponse, type MemberRole, type MemberServiceAccess, type Membership, type MembershipExport, MemoryStorage, type MfaEventExport, type MfaSetupResponse, type MfaStatusResponse, type MfaVerificationRequest, type MfaVerificationResponse, type MfaVerifyRequest, type MfaVerifyResponse, type OAuthCredentials, type OAuthIdentityExport, type OAuthProvider, type Organization, type OrganizationMember, type OrganizationResponse, type OrganizationStatus, type OrganizationStatusBreakdown, type OrganizationTier, OrganizationsModule, type PaginatedResponse, type PaginationInfo, type PaginationParams, type Passkey, type PasskeyActionResponse, type PasskeyAuthFinishRequest, type PasskeyAuthFinishResponse, type PasskeyAuthStartRequest, type PasskeyAuthStartResponse, type PasskeyExport, type PasskeyRegisterFinishRequest, type PasskeyRegisterFinishResponse, type PasskeyRegisterStartRequest, type PasskeyRegisterStartResponse, PasskeysModule, PermissionsModule, type Plan, type PlanResponse, type PlatformAnalyticsDateRangeParams, PlatformModule, type PlatformOrganizationResponse, type PlatformOrganizationsListResponse, type PlatformOverviewMetrics, type PlatformUser, type PlatformUserListResponse, type PromotePlatformOwnerPayload, type ProviderDefinition, type ProviderToken, type ProviderTokenRequestDetails, type RecentLogin, type RecentOrganization, type RefreshTokenRequest, type RefreshTokenResponse, type RegisterRequest, type RegisterResponse, type RegistrationResponseJSON, type RejectOrganizationPayload, type ResendVerificationRequest, type ResendVerificationResponse, type ResetPasswordRequest, type ResetPasswordResponse, type RevokeDeviceRequest, type RevokeDeviceResponse, type RevokeSessionsResponse, type RiskAction, type RiskAssessment, type RiskEventResponse, type RiskEventsQuery, type RoleResponse, type RotateServiceSecretResponse, type SamlCertificate, type SamlConfig, type ScimTokenResponse, type SelectOrganizationResponse, type Service, ServiceApiModule, type ServiceListResponse, type ServiceType, type ServiceWithDetails, ServicesModule, type SetCustomDomainRequest, type SetOAuthCredentialsPayload, type SetPasswordRequest, type SetPasswordResponse, type SetSmtpRequest, type SiemConfigResponse, type SiemProviderType, type SmtpConfigResponse, SsoApiError, SsoClient, type SsoClientOptions, type StartLinkResponse, type Subscription, type TestConnectionResponse, type TokenRequest, type TokenResponse, type TokenStorage, type TopOrganization, type TransferOwnershipPayload, type UpdateBrandingRequest, type UpdateMemberRolePayload, type UpdateMemberServiceAccessPayload, type UpdateOrganizationPayload, type UpdateOrganizationTierPayload, type UpdatePlanPayload, type UpdateRiskSettingsRequest, type UpdateRiskSettingsResponse, type UpdateRoleRequest, type UpdateServicePayload, type UpdateSiemConfigRequest, type UpdateUpstreamProviderPayload, type UpdateUserProfilePayload, type UpdateWebhookRequest, type UpstreamProvider, type UpstreamProviderType, type User, type UserDevice, UserModule, type UserPasskey, type UserProfile, type Webhook, type WebhookDelivery, type WebhookDeliveryListResponse, type WebhookDeliveryQueryParams, type WebhookListResponse, type WebhookResponse };