npm - @fusionauth/typescript-client - Versions diffs - 1.39.0 → 1.42.0 - Mend

@fusionauth/typescript-client 1.39.0 → 1.42.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/build/src/FusionAuthClient.d.ts +566 -14
package/build/src/FusionAuthClient.js +289 -12
package/build/src/FusionAuthClient.js.map +1 -1
package/dist/fusionauth-typescript-client.js +290 -13
package/dist/fusionauth-typescript-client.min.js +1 -1
package/dist/fusionauth-typescript-client.min.js.map +1 -1
package/package.json +1 -1

package/build/src/FusionAuthClient.d.ts CHANGED Viewed

@@ -108,6 +108,15 @@ export declare class FusionAuthClient {
      * @returns {Promise<ClientResponse<void>>}
      */
     checkChangePasswordUsingLoginId(loginId: string): Promise<ClientResponse<void>>;
+    /**
+     * Make a Client Credentials grant request to obtain an access token.
+     *
+     * @param {string} client_id The client identifier. The client Id is the Id of the FusionAuth Entity in which you are attempting to authenticate.
+     * @param {string} client_secret The client secret used to authenticate this request.
+     * @param {string} scope (Optional) This parameter is used to indicate which target entity you are requesting access. To request access to an entity, use the format target-entity:&lt;target-entity-id&gt;:&lt;roles&gt;. Roles are an optional comma separated list.
+     * @returns {Promise<ClientResponse<AccessToken>>}
+     */
+    clientCredentialsGrant(client_id: string, client_secret: string, scope: string): Promise<ClientResponse<AccessToken>>;
     /**
      * Adds a comment to the user's account.
      *
@@ -115,6 +124,27 @@ export declare class FusionAuthClient {
      * @returns {Promise<ClientResponse<void>>}
      */
     commentOnUser(request: UserCommentRequest): Promise<ClientResponse<void>>;
+    /**
+     * Complete a WebAuthn authentication ceremony by validating the signature against the previously generated challenge without logging the user in
+     *
+     * @param {WebAuthnLoginRequest} request An object containing data necessary for completing the authentication ceremony
+     * @returns {Promise<ClientResponse<WebAuthnAssertResponse>>}
+     */
+    completeWebAuthnAssertion(request: WebAuthnLoginRequest): Promise<ClientResponse<WebAuthnAssertResponse>>;
+    /**
+     * Complete a WebAuthn authentication ceremony by validating the signature against the previously generated challenge and then login the user in
+     *
+     * @param {WebAuthnLoginRequest} request An object containing data necessary for completing the authentication ceremony
+     * @returns {Promise<ClientResponse<LoginResponse>>}
+     */
+    completeWebAuthnLogin(request: WebAuthnLoginRequest): Promise<ClientResponse<LoginResponse>>;
+    /**
+     * Complete a WebAuthn registration ceremony by validating the client request and saving the new credential
+     *
+     * @param {WebAuthnRegisterCompleteRequest} request An object containing data necessary for completing the registration ceremony
+     * @returns {Promise<ClientResponse<WebAuthnRegisterCompleteResponse>>}
+     */
+    completeWebAuthnRegistration(request: WebAuthnRegisterCompleteRequest): Promise<ClientResponse<WebAuthnRegisterCompleteResponse>>;
     /**
      * Creates an API key. You can optionally specify a unique Id for the key, if not provided one will be generated.
      * an API key can only be created with equal or lesser authority. An API key cannot create another API key unless it is granted
@@ -655,6 +685,13 @@ export declare class FusionAuthClient {
      * @returns {Promise<ClientResponse<UserDeleteResponse>>}
      */
     deleteUsersByQuery(request: UserDeleteRequest): Promise<ClientResponse<UserDeleteResponse>>;
+    /**
+     * Deletes the WebAuthn credential for the given Id.
+     *
+     * @param {UUID} id The Id of the WebAuthn credential to delete.
+     * @returns {Promise<ClientResponse<void>>}
+     */
+    deleteWebAuthnCredential(id: UUID): Promise<ClientResponse<void>>;
     /**
      * Deletes the webhook for the given Id.
      *
@@ -663,27 +700,27 @@ export declare class FusionAuthClient {
      */
     deleteWebhook(webhookId: UUID): Promise<ClientResponse<void>>;
     /**
-     * Disable Two Factor authentication for a user.
+     * Disable two-factor authentication for a user.
      *
-     * @param {UUID} userId The Id of the User for which you're disabling Two Factor authentication.
+     * @param {UUID} userId The Id of the User for which you're disabling two-factor authentication.
      * @param {string} methodId The two-factor method identifier you wish to disable
-     * @param {string} code The Two Factor code used verify the the caller knows the Two Factor secret.
+     * @param {string} code The two-factor code used verify the the caller knows the two-factor secret.
      * @returns {Promise<ClientResponse<void>>}
      */
     disableTwoFactor(userId: UUID, methodId: string, code: string): Promise<ClientResponse<void>>;
     /**
-     * Disable Two Factor authentication for a user using a JSON body rather than URL parameters.
+     * Disable two-factor authentication for a user using a JSON body rather than URL parameters.
      *
-     * @param {UUID} userId The Id of the User for which you're disabling Two Factor authentication.
+     * @param {UUID} userId The Id of the User for which you're disabling two-factor authentication.
      * @param {TwoFactorDisableRequest} request The request information that contains the code and methodId along with any event information.
      * @returns {Promise<ClientResponse<void>>}
      */
     disableTwoFactorWithRequest(userId: UUID, request: TwoFactorDisableRequest): Promise<ClientResponse<void>>;
     /**
-     * Enable Two Factor authentication for a user.
+     * Enable two-factor authentication for a user.
      *
-     * @param {UUID} userId The Id of the user to enable Two Factor authentication.
-     * @param {TwoFactorRequest} request The two factor enable request information.
+     * @param {UUID} userId The Id of the user to enable two-factor authentication.
+     * @param {TwoFactorRequest} request The two-factor enable request information.
      * @returns {Promise<ClientResponse<TwoFactorResponse>>}
      */
     enableTwoFactor(userId: UUID, request: TwoFactorRequest): Promise<ClientResponse<TwoFactorResponse>>;
@@ -692,7 +729,7 @@ export declare class FusionAuthClient {
      * Makes a request to the Token endpoint to exchange the authorization code returned from the Authorize endpoint for an access token.
      *
      * @param {string} code The authorization code returned on the /oauth2/authorize response.
-     * @param {string} client_id The unique client identifier. The client Id is the Id of the FusionAuth Application in which you you are attempting to authenticate.
+     * @param {string} client_id The unique client identifier. The client Id is the Id of the FusionAuth Application in which you are attempting to authenticate.
      * @param {string} client_secret (Optional) The client secret. This value will be required if client authentication is enabled.
      * @param {string} redirect_uri The URI to redirect to upon a successful request.
      * @returns {Promise<ClientResponse<AccessToken>>}
@@ -703,7 +740,7 @@ export declare class FusionAuthClient {
      * Makes a request to the Token endpoint to exchange the authorization code returned from the Authorize endpoint and a code_verifier for an access token.
      *
      * @param {string} code The authorization code returned on the /oauth2/authorize response.
-     * @param {string} client_id (Optional) The unique client identifier. The client Id is the Id of the FusionAuth Application in which you you are attempting to authenticate. This parameter is optional when the Authorization header is provided.
+     * @param {string} client_id (Optional) The unique client identifier. The client Id is the Id of the FusionAuth Application in which you are attempting to authenticate. This parameter is optional when the Authorization header is provided.
      * @param {string} client_secret (Optional) The client secret. This value may optionally be provided in the request body instead of the Authorization header.
      * @param {string} redirect_uri The URI to redirect to upon a successful request.
      * @param {string} code_verifier The random string generated previously. Will be compared with the code_challenge sent previously, which allows the OAuth provider to authenticate your app.
@@ -715,7 +752,7 @@ export declare class FusionAuthClient {
      * If you will be using the Refresh Token Grant, you will make a request to the Token endpoint to exchange the user’s refresh token for an access token.
      *
      * @param {string} refresh_token The refresh token that you would like to use to exchange for an access token.
-     * @param {string} client_id (Optional) The unique client identifier. The client Id is the Id of the FusionAuth Application in which you you are attempting to authenticate. This parameter is optional when the Authorization header is provided.
+     * @param {string} client_id (Optional) The unique client identifier. The client Id is the Id of the FusionAuth Application in which you are attempting to authenticate. This parameter is optional when the Authorization header is provided.
      * @param {string} client_secret (Optional) The client secret. This value may optionally be provided in the request body instead of the Authorization header.
      * @param {string} scope (Optional) This parameter is optional and if omitted, the same scope requested during the authorization request will be used. If provided the scopes must match those requested during the initial authorization request.
      * @param {string} user_code (Optional) The end-user verification code. This code is required if using this endpoint to approve the Device Authorization.
@@ -735,7 +772,7 @@ export declare class FusionAuthClient {
      *
      * @param {string} username The login identifier of the user. The login identifier can be either the email or the username.
      * @param {string} password The user’s password.
-     * @param {string} client_id (Optional) The unique client identifier. The client Id is the Id of the FusionAuth Application in which you you are attempting to authenticate. This parameter is optional when the Authorization header is provided.
+     * @param {string} client_id (Optional) The unique client identifier. The client Id is the Id of the FusionAuth Application in which you are attempting to authenticate. This parameter is optional when the Authorization header is provided.
      * @param {string} client_secret (Optional) The client secret. This value may optionally be provided in the request body instead of the Authorization header.
      * @param {string} scope (Optional) This parameter is optional and if omitted, the same scope requested during the authorization request will be used. If provided the scopes must match those requested during the initial authorization request.
      * @param {string} user_code (Optional) The end-user verification code. This code is required if using this endpoint to approve the Device Authorization.
@@ -843,6 +880,13 @@ export declare class FusionAuthClient {
      * @returns {Promise<ClientResponse<void>>}
      */
     importUsers(request: ImportRequest): Promise<ClientResponse<void>>;
+    /**
+     * Import a WebAuthn credential
+     *
+     * @param {WebAuthnCredentialImportRequest} request An object containing data necessary for importing the credential
+     * @returns {Promise<ClientResponse<void>>}
+     */
+    importWebAuthnCredential(request: WebAuthnCredentialImportRequest): Promise<ClientResponse<void>>;
     /**
      * Inspect an access token issued by FusionAuth.
      *
@@ -1903,6 +1947,20 @@ export declare class FusionAuthClient {
      * @returns {Promise<ClientResponse<VersionResponse>>}
      */
     retrieveVersion(): Promise<ClientResponse<VersionResponse>>;
+    /**
+     * Retrieves the WebAuthn credential for the given Id.
+     *
+     * @param {UUID} id The Id of the WebAuthn credential.
+     * @returns {Promise<ClientResponse<WebAuthnCredentialResponse>>}
+     */
+    retrieveWebAuthnCredential(id: UUID): Promise<ClientResponse<WebAuthnCredentialResponse>>;
+    /**
+     * Retrieves all WebAuthn credentials for the given user.
+     *
+     * @param {UUID} userId The user's ID.
+     * @returns {Promise<ClientResponse<WebAuthnCredentialResponse>>}
+     */
+    retrieveWebAuthnCredentialsForUser(userId: UUID): Promise<ClientResponse<WebAuthnCredentialResponse>>;
     /**
      * Retrieves the webhook for the given Id. If you pass in null for the id, this will return all the webhooks.
      *
@@ -2187,6 +2245,20 @@ export declare class FusionAuthClient {
      * @returns {Promise<ClientResponse<TwoFactorStartResponse>>}
      */
     startTwoFactorLogin(request: TwoFactorStartRequest): Promise<ClientResponse<TwoFactorStartResponse>>;
+    /**
+     * Start a WebAuthn authentication ceremony by generating a new challenge for the user
+     *
+     * @param {WebAuthnStartRequest} request An object containing data necessary for starting the authentication ceremony
+     * @returns {Promise<ClientResponse<WebAuthnStartResponse>>}
+     */
+    startWebAuthnLogin(request: WebAuthnStartRequest): Promise<ClientResponse<WebAuthnStartResponse>>;
+    /**
+     * Start a WebAuthn registration ceremony by generating a new challenge for the user
+     *
+     * @param {WebAuthnRegisterStartRequest} request An object containing data necessary for starting the registration ceremony
+     * @returns {Promise<ClientResponse<WebAuthnRegisterStartResponse>>}
+     */
+    startWebAuthnRegistration(request: WebAuthnRegisterStartRequest): Promise<ClientResponse<WebAuthnRegisterStartResponse>>;
     /**
      * Complete login using a 2FA challenge
      *
@@ -2687,6 +2759,7 @@ export interface Application {
     verificationEmailTemplateId?: UUID;
     verificationStrategy?: VerificationStrategy;
     verifyRegistration?: boolean;
+    webAuthnConfiguration?: ApplicationWebAuthnConfiguration;
 }
 /**
  * @author Daniel DeGroff
@@ -2710,6 +2783,13 @@ export interface ApplicationEmailConfiguration {
     twoFactorMethodAddEmailTemplateId?: UUID;
     twoFactorMethodRemoveEmailTemplateId?: UUID;
 }
+/**
+ * Events that are bound to applications.
+ *
+ * @author Brian Pontarelli
+ */
+export interface ApplicationEvent {
+}
 /**
  * @author Daniel DeGroff
  */
@@ -2789,6 +2869,20 @@ export interface ApplicationUnverifiedConfiguration {
     verificationStrategy?: VerificationStrategy;
     whenGated?: RegistrationUnverifiedOptions;
 }
+/**
+ * Application-level configuration for WebAuthn
+ *
+ * @author Daniel DeGroff
+ */
+export interface ApplicationWebAuthnConfiguration extends Enableable {
+    bootstrapWorkflow?: ApplicationWebAuthnWorkflowConfiguration;
+    reauthenticationWorkflow?: ApplicationWebAuthnWorkflowConfiguration;
+}
+/**
+ * @author Daniel DeGroff
+ */
+export interface ApplicationWebAuthnWorkflowConfiguration extends Enableable {
+}
 /**
  * This class is a simple attachment with a byte array, name and MIME type.
  *
@@ -2799,6 +2893,29 @@ export interface Attachment {
     mime?: string;
     name?: string;
 }
+/**
+ * Used to communicate whether and how authenticator attestation should be delivered to the Relying Party
+ *
+ * @author Spencer Witt
+ */
+export declare enum AttestationConveyancePreference {
+    none = "none",
+    indirect = "indirect",
+    direct = "direct",
+    enterprise = "enterprise"
+}
+/**
+ * Used to indicate what type of attestation was included in the authenticator response for a given WebAuthn credential at the time it was created
+ *
+ * @author Spencer Witt
+ */
+export declare enum AttestationType {
+    basic = "basic",
+    self = "self",
+    attestationCa = "attestationCa",
+    anonymizationCa = "anonymizationCa",
+    none = "none"
+}
 /**
  * An audit log.
  *
@@ -2880,6 +2997,25 @@ export declare enum AuthenticationThreats {
 }
 export interface AuthenticationTokenConfiguration extends Enableable {
 }
+/**
+ * Describes the <a href="https://www.w3.org/TR/webauthn-2/#authenticator-attachment-modality">authenticator attachment modality</a>.
+ *
+ * @author Spencer Witt
+ */
+export declare enum AuthenticatorAttachment {
+    platform = "platform",
+    crossPlatform = "crossPlatform"
+}
+/**
+ * Describes the authenticator attachment modality preference for a WebAuthn workflow. See {@link AuthenticatorAttachment}
+ *
+ * @author Spencer Witt
+ */
+export declare enum AuthenticatorAttachmentPreference {
+    any = "any",
+    platform = "platform",
+    crossPlatform = "crossPlatform"
+}
 /**
  * @author Daniel DeGroff
  */
@@ -2888,6 +3024,18 @@ export interface AuthenticatorConfiguration {
     codeLength?: number;
     timeStep?: number;
 }
+/**
+ * Used by the Relying Party to specify their requirements for authenticator attributes. Fields use the deprecated "resident key" terminology to refer
+ * to client-side discoverable credentials to maintain backwards compatibility with WebAuthn Level 1.
+ *
+ * @author Spencer Witt
+ */
+export interface AuthenticatorSelectionCriteria {
+    authenticatorAttachment?: AuthenticatorAttachment;
+    requireResidentKey?: boolean;
+    residentKey?: ResidentKeyRequirement;
+    userVerification?: UserVerificationRequirement;
+}
 export interface BaseConnectorConfiguration {
     data?: Record<string, any>;
     debug?: boolean;
@@ -3202,6 +3350,51 @@ export interface CORSConfiguration extends Enableable {
     exposedHeaders?: Array<string>;
     preflightMaxAgeInSeconds?: number;
 }
+/**
+ * A number identifying a cryptographic algorithm. Values should be registered with the <a
+ * href="https://www.iana.org/assignments/cose/cose.xhtml#algorithms">IANA COSE Algorithms registry</a>
+ *
+ * @author Spencer Witt
+ */
+export declare enum CoseAlgorithmIdentifier {
+    ES256 = "SHA256withECDSA",
+    ES384 = "SHA384withECDSA",
+    ES512 = "SHA512withECDSA",
+    RS256 = "SHA256withRSA",
+    RS384 = "SHA384withRSA",
+    RS512 = "SHA512withRSA",
+    PS256 = "SHA-256",
+    PS384 = "SHA-384",
+    PS512 = "SHA-512"
+}
+/**
+ * COSE Elliptic Curve identifier to determine which elliptic curve to use with a given key
+ *
+ * @author Spencer Witt
+ */
+export declare enum CoseEllipticCurve {
+    Reserved = "Reserved",
+    P256 = "P256",
+    P384 = "P384",
+    P521 = "P521",
+    X25519 = "X25519",
+    X448 = "X448",
+    Ed25519 = "Ed25519",
+    Ed448 = "Ed448",
+    Secp256k1 = "Secp256k1"
+}
+/**
+ * COSE key type
+ *
+ * @author Spencer Witt
+ */
+export declare enum CoseKeyType {
+    Reserved = "0",
+    OKP = "1",
+    EC2 = "2",
+    RSA = "3",
+    Symmetric = "4"
+}
 /**
  * @author Brian Pontarelli
  */
@@ -3209,6 +3402,14 @@ export interface Count {
     count?: number;
     interval?: number;
 }
+/**
+ * Contains the output for the {@code credProps} extension
+ *
+ * @author Spencer Witt
+ */
+export interface CredentialPropertiesOutput {
+    rk?: boolean;
+}
 /**
  * Response for the daily active user report.
  *
@@ -3831,6 +4032,8 @@ export interface ExternalIdentifierConfiguration {
     twoFactorOneTimeCodeIdGenerator?: SecureGeneratorConfiguration;
     twoFactorOneTimeCodeIdTimeToLiveInSeconds?: number;
     twoFactorTrustIdTimeToLiveInSeconds?: number;
+    webAuthnAuthenticationChallengeTimeToLiveInSeconds?: number;
+    webAuthnRegistrationChallengeTimeToLiveInSeconds?: number;
 }
 /**
  * @author Daniel DeGroff
@@ -3874,14 +4077,24 @@ export interface FacebookIdentityProvider extends BaseIdentityProvider<FacebookA
     loginMethod?: IdentityProviderLoginMethod;
     permissions?: string;
 }
+/**
+ * A policy to configure if and when the user-action is canceled prior to the expiration of the action.
+ *
+ * @author Daniel DeGroff
+ */
+export interface FailedAuthenticationActionCancelPolicy {
+    onPasswordReset?: boolean;
+}
 /**
  * Configuration for the behavior of failed login attempts. This helps us protect against brute force password attacks.
  *
  * @author Daniel DeGroff
  */
 export interface FailedAuthenticationConfiguration {
+    actionCancelPolicy?: FailedAuthenticationActionCancelPolicy;
     actionDuration?: number;
     actionDurationUnit?: ExpiryUnit;
+    emailUser?: boolean;
     resetCountInSeconds?: number;
     tooManyAttempts?: number;
     userActionId?: UUID;
@@ -4328,7 +4541,6 @@ export interface GroupResponse {
  * @author Daniel DeGroff
  */
 export interface GroupSearchCriteria extends BaseSearchCriteria {
-    id?: UUID;
     name?: string;
     tenantId?: UUID;
 }
@@ -5145,6 +5357,7 @@ export interface LoginResponse {
     actions?: Array<LoginPreventedResponse>;
     changePasswordId?: string;
     changePasswordReason?: ChangePasswordReason;
+    configurableMethods?: Array<string>;
     emailVerificationId?: string;
     methods?: Array<TwoFactorMethod>;
     pendingIdPLinkId?: string;
@@ -5289,6 +5502,7 @@ export declare enum MessengerType {
     Twilio = "Twilio"
 }
 export interface MetaData {
+    data?: Record<string, any>;
     device?: DeviceInfo;
     scopes?: Array<string>;
 }
@@ -5323,7 +5537,8 @@ export interface MultiFactorEmailTemplate {
  */
 export declare enum MultiFactorLoginPolicy {
     Disabled = "Disabled",
-    Enabled = "Enabled"
+    Enabled = "Enabled",
+    Required = "Required"
 }
 export interface MultiFactorSMSMethod extends Enableable {
     messengerId?: UUID;
@@ -5665,6 +5880,84 @@ export declare enum ProofKeyForCodeExchangePolicy {
     NotRequired = "NotRequired",
     NotRequiredWhenUsingClientAuthentication = "NotRequiredWhenUsingClientAuthentication"
 }
+/**
+ * Allows the Relying Party to specify desired attributes of a new credential.
+ *
+ * @author Spencer Witt
+ */
+export interface PublicKeyCredentialCreationOptions {
+    attestation?: AttestationConveyancePreference;
+    authenticatorSelection?: AuthenticatorSelectionCriteria;
+    challenge?: string;
+    excludeCredentials?: Array<PublicKeyCredentialDescriptor>;
+    extensions?: WebAuthnRegistrationExtensionOptions;
+    pubKeyCredParams?: Array<PublicKeyCredentialParameters>;
+    rp?: PublicKeyCredentialRelyingPartyEntity;
+    timeout?: number;
+    user?: PublicKeyCredentialUserEntity;
+}
+/**
+ * Contains attributes for the Relying Party to refer to an existing public key credential as an input parameter.
+ *
+ * @author Spencer Witt
+ */
+export interface PublicKeyCredentialDescriptor {
+    id?: string;
+    transports?: Array<string>;
+    type?: PublicKeyCredentialType;
+}
+/**
+ * Describes a user account or WebAuthn Relying Party associated with a public key credential
+ */
+export interface PublicKeyCredentialEntity {
+    name?: string;
+}
+/**
+ * Supply information on credential type and algorithm to the <i>authenticator</i>.
+ *
+ * @author Spencer Witt
+ */
+export interface PublicKeyCredentialParameters {
+    alg?: CoseAlgorithmIdentifier;
+    type?: PublicKeyCredentialType;
+}
+/**
+ * Supply additional information about the Relying Party when creating a new credential
+ *
+ * @author Spencer Witt
+ */
+export interface PublicKeyCredentialRelyingPartyEntity extends PublicKeyCredentialEntity {
+    id?: string;
+}
+/**
+ * Provides the <i>authenticator</i> with the data it needs to generate an assertion.
+ *
+ * @author Spencer Witt
+ */
+export interface PublicKeyCredentialRequestOptions {
+    allowCredentials?: Array<PublicKeyCredentialDescriptor>;
+    challenge?: string;
+    rpId?: string;
+    timeout?: number;
+    userVerification?: UserVerificationRequirement;
+}
+/**
+ * Defines valid credential types. This is an extension point in the WebAuthn spec. The only defined value at this time is "public-key"
+ *
+ * @author Spencer Witt
+ */
+export declare enum PublicKeyCredentialType {
+    publicKey = "public-key"
+}
+/**
+ * Supply additional information about the user account when creating a new credential
+ *
+ * @author Spencer Witt
+ */
+export interface PublicKeyCredentialUserEntity extends PublicKeyCredentialEntity {
+    displayName?: string;
+    id?: string;
+}
 /**
  * JWT Public Key Response Object
  *
@@ -5758,6 +6051,9 @@ export interface ReactorStatus {
     licensed?: boolean;
     scimServer?: ReactorFeatureStatus;
     threatDetection?: ReactorFeatureStatus;
+    webAuthn?: ReactorFeatureStatus;
+    webAuthnPlatformAuthenticators?: ReactorFeatureStatus;
+    webAuthnRoamingAuthenticators?: ReactorFeatureStatus;
 }
 /**
  * Response for the user login report.
@@ -5825,6 +6121,7 @@ export interface RefreshTokenResponse {
  */
 export interface RefreshTokenRevocationPolicy {
     onLoginPrevented?: boolean;
+    onMultiFactorEnable?: boolean;
     onPasswordChanged?: boolean;
 }
 /**
@@ -5945,6 +6242,17 @@ export interface Requirable extends Enableable {
  */
 export interface RequiresCORSConfiguration {
 }
+/**
+ * Describes the Relying Party's requirements for <a href="https://www.w3.org/TR/webauthn-2/#client-side-discoverable-credential">client-side
+ * discoverable credentials</a> (formerly known as "resident keys")
+ *
+ * @author Spencer Witt
+ */
+export declare enum ResidentKeyRequirement {
+    discouraged = "discouraged",
+    preferred = "preferred",
+    required = "required"
+}
 export declare enum SAMLLogoutBehavior {
     AllParticipants = "AllParticipants",
     OnlyOriginator = "OnlyOriginator"
@@ -5962,6 +6270,7 @@ export interface SAMLv2Configuration extends Enableable {
     callbackURL?: string;
     debug?: boolean;
     defaultVerificationKeyId?: UUID;
+    initiatedLogin?: SAMLv2IdPInitiatedLoginConfiguration;
     issuer?: string;
     keyId?: UUID;
     logout?: SAMLv2Logout;
@@ -6010,6 +6319,14 @@ export interface SAMLv2IdPInitiatedIdentityProvider extends BaseIdentityProvider
     useNameIdForEmail?: boolean;
     usernameClaim?: string;
 }
+/**
+ * IdP Initiated login configuration
+ *
+ * @author Daniel DeGroff
+ */
+export interface SAMLv2IdPInitiatedLoginConfiguration extends Enableable {
+    nameIdFormat?: string;
+}
 export interface SAMLv2Logout {
     behavior?: SAMLLogoutBehavior;
     defaultVerificationKeyId?: UUID;
@@ -6231,6 +6548,9 @@ export interface Templates {
     accountTwoFactorDisable?: string;
     accountTwoFactorEnable?: string;
     accountTwoFactorIndex?: string;
+    accountWebAuthnAdd?: string;
+    accountWebAuthnDelete?: string;
+    accountWebAuthnIndex?: string;
     emailComplete?: string;
     emailSend?: string;
     emailSent?: string;
@@ -6251,8 +6571,13 @@ export interface Templates {
     oauth2Register?: string;
     oauth2StartIdPLink?: string;
     oauth2TwoFactor?: string;
+    oauth2TwoFactorEnable?: string;
+    oauth2TwoFactorEnableComplete?: string;
     oauth2TwoFactorMethods?: string;
     oauth2Wait?: string;
+    oauth2WebAuthn?: string;
+    oauth2WebAuthnReauth?: string;
+    oauth2WebAuthnReauthEnable?: string;
     passwordChange?: string;
     passwordComplete?: string;
     passwordForgot?: string;
@@ -6304,6 +6629,7 @@ export interface Tenant {
     themeId?: UUID;
     userDeletePolicy?: TenantUserDeletePolicy;
     usernameConfiguration?: TenantUsernameConfiguration;
+    webAuthnConfiguration?: TenantWebAuthnConfiguration;
 }
 /**
  * @author Brian Pontarelli
@@ -6435,6 +6761,25 @@ export interface TenantUserDeletePolicy {
 export interface TenantUsernameConfiguration {
     unique?: UniqueUsernameConfiguration;
 }
+/**
+ * Tenant-level configuration for WebAuthn
+ *
+ * @author Spencer Witt
+ */
+export interface TenantWebAuthnConfiguration extends Enableable {
+    bootstrapWorkflow?: TenantWebAuthnWorkflowConfiguration;
+    debug?: boolean;
+    reauthenticationWorkflow?: TenantWebAuthnWorkflowConfiguration;
+    relyingPartyId?: string;
+    relyingPartyName?: string;
+}
+/**
+ * @author Spencer Witt
+ */
+export interface TenantWebAuthnWorkflowConfiguration extends Enableable {
+    authenticatorAttachmentPreference?: AuthenticatorAttachmentPreference;
+    userVerificationRequirement?: UserVerificationRequirement;
+}
 /**
  * @author Daniel DeGroff
  */
@@ -6632,11 +6977,13 @@ export interface TwoFactorRequest extends BaseEventRequest {
     mobilePhone?: string;
     secret?: string;
     secretBase32Encoded?: string;
+    twoFactorId?: string;
 }
 /**
  * @author Daniel DeGroff
  */
 export interface TwoFactorResponse {
+    code?: string;
     recoveryCodes?: Array<string>;
 }
 /**
@@ -7352,6 +7699,17 @@ export interface UserUpdateEvent extends BaseEvent {
     original?: User;
     user?: User;
 }
+/**
+ * Used to express whether the Relying Party requires <a href="https://www.w3.org/TR/webauthn-2/#user-verification">user verification</a> for the
+ * current operation.
+ *
+ * @author Spencer Witt
+ */
+export declare enum UserVerificationRequirement {
+    required = "required",
+    preferred = "preferred",
+    discouraged = "discouraged"
+}
 /**
  * @author Daniel DeGroff
  */
@@ -7400,6 +7758,200 @@ export interface VerifyRegistrationResponse {
 export interface VersionResponse {
     version?: string;
 }
+/**
+ * API response for completing WebAuthn assertion
+ *
+ * @author Spencer Witt
+ */
+export interface WebAuthnAssertResponse {
+    credential?: WebAuthnCredential;
+}
+/**
+ * The <i>authenticator's</i> response for the authentication ceremony in its encoded format
+ *
+ * @author Spencer Witt
+ */
+export interface WebAuthnAuthenticatorAuthenticationResponse {
+    authenticatorData?: string;
+    clientDataJSON?: string;
+    signature?: string;
+    userHandle?: string;
+}
+/**
+ * The <i>authenticator's</i> response for the registration ceremony in its encoded format
+ *
+ * @author Spencer Witt
+ */
+export interface WebAuthnAuthenticatorRegistrationResponse {
+    attestationObject?: string;
+    clientDataJSON?: string;
+}
+/**
+ * A User's WebAuthnCredential. Contains all data required to complete WebAuthn authentication ceremonies.
+ *
+ * @author Spencer Witt
+ */
+export interface WebAuthnCredential {
+    algorithm?: CoseAlgorithmIdentifier;
+    attestationType?: AttestationType;
+    authenticatorSupportsUserVerification?: boolean;
+    credentialId?: string;
+    data?: Record<string, any>;
+    discoverable?: boolean;
+    displayName?: string;
+    id?: UUID;
+    insertInstant?: number;
+    lastUseInstant?: number;
+    name?: string;
+    publicKey?: string;
+    relyingPartyId?: string;
+    signCount?: number;
+    tenantId?: UUID;
+    transports?: Array<string>;
+    userAgent?: string;
+    userId?: UUID;
+}
+/**
+ * API request to import an existing WebAuthn credential(s)
+ *
+ * @author Spencer Witt
+ */
+export interface WebAuthnCredentialImportRequest {
+    credentials?: Array<WebAuthnCredential>;
+    validateDbConstraints?: boolean;
+}
+/**
+ * WebAuthn Credential API response
+ *
+ * @author Spencer Witt
+ */
+export interface WebAuthnCredentialResponse {
+    credential?: WebAuthnCredential;
+    credentials?: Array<WebAuthnCredential>;
+}
+/**
+ * Contains extension output for requested extensions during a WebAuthn ceremony
+ *
+ * @author Spencer Witt
+ */
+export interface WebAuthnExtensionsClientOutputs {
+    credProps?: CredentialPropertiesOutput;
+}
+/**
+ * Request to complete the WebAuthn registration ceremony
+ *
+ * @author Spencer Witt
+ */
+export interface WebAuthnLoginRequest extends BaseLoginRequest {
+    credential?: WebAuthnPublicKeyAuthenticationRequest;
+    origin?: string;
+    rpId?: string;
+    twoFactorTrustId?: string;
+}
+/**
+ * Request to authenticate with WebAuthn
+ *
+ * @author Spencer Witt
+ */
+export interface WebAuthnPublicKeyAuthenticationRequest {
+    clientExtensionResults?: WebAuthnExtensionsClientOutputs;
+    id?: string;
+    response?: WebAuthnAuthenticatorAuthenticationResponse;
+    rpId?: string;
+    type?: string;
+}
+/**
+ * Request to register a new public key with WebAuthn
+ *
+ * @author Spencer Witt
+ */
+export interface WebAuthnPublicKeyRegistrationRequest {
+    clientExtensionResults?: WebAuthnExtensionsClientOutputs;
+    id?: string;
+    response?: WebAuthnAuthenticatorRegistrationResponse;
+    rpId?: string;
+    transports?: Array<string>;
+    type?: string;
+}
+/**
+ * Request to complete the WebAuthn registration ceremony for a new credential,.
+ *
+ * @author Spencer Witt
+ */
+export interface WebAuthnRegisterCompleteRequest {
+    credential?: WebAuthnPublicKeyRegistrationRequest;
+    origin?: string;
+    rpId?: string;
+    userId?: UUID;
+}
+/**
+ * API response for completing WebAuthn credential registration or assertion
+ *
+ * @author Spencer Witt
+ */
+export interface WebAuthnRegisterCompleteResponse {
+    credential?: WebAuthnCredential;
+}
+/**
+ * API request to start a WebAuthn registration ceremony
+ *
+ * @author Spencer Witt
+ */
+export interface WebAuthnRegisterStartRequest {
+    displayName?: string;
+    name?: string;
+    userAgent?: string;
+    userId?: UUID;
+    workflow?: WebAuthnWorkflow;
+}
+/**
+ * API response for starting a WebAuthn registration ceremony
+ *
+ * @author Spencer Witt
+ */
+export interface WebAuthnRegisterStartResponse {
+    options?: PublicKeyCredentialCreationOptions;
+}
+/**
+ * Options to request extensions during credential registration
+ *
+ * @author Spencer Witt
+ */
+export interface WebAuthnRegistrationExtensionOptions {
+    credProps?: boolean;
+}
+/**
+ * API request to start a WebAuthn authentication ceremony
+ *
+ * @author Spencer Witt
+ */
+export interface WebAuthnStartRequest {
+    applicationId?: UUID;
+    credentialId?: UUID;
+    loginId?: string;
+    state?: Record<string, any>;
+    userId?: UUID;
+    workflow?: WebAuthnWorkflow;
+}
+/**
+ * API response for starting a WebAuthn authentication ceremony
+ *
+ * @author Spencer Witt
+ */
+export interface WebAuthnStartResponse {
+    options?: PublicKeyCredentialRequestOptions;
+}
+/**
+ * Identifies the WebAuthn workflow. This will affect the parameters used for credential creation
+ * and request based on the Tenant configuration.
+ *
+ * @author Spencer Witt
+ */
+export declare enum WebAuthnWorkflow {
+    bootstrap = "bootstrap",
+    general = "general",
+    reauthentication = "reauthentication"
+}
 /**
  * A server where events are sent. This includes user action events and any other events sent by FusionAuth.
  *