@fusionauth/typescript-client 1.60.0 → 1.62.0

package/build/src/FusionAuthClient.d.ts

@@ -56,6 +56,13 @@ export declare class FusionAuthClient {
      * @returns {Promise<ClientResponse<DeviceApprovalResponse>>}
      */
     approveDevice(client_id: string, client_secret: string, token: string, user_code: string): Promise<ClientResponse<DeviceApprovalResponse>>;
+    /**
+     * Approve a device grant.
+     *
+     * @param {DeviceApprovalRequest} request The request object containing the device approval information and optional tenantId.
+     * @returns {Promise<ClientResponse<DeviceApprovalResponse>>}
+     */
+    approveDeviceWithRequest(request: DeviceApprovalRequest): Promise<ClientResponse<DeviceApprovalResponse>>;
     /**
      * Cancels the user action.
      *
@@ -120,6 +127,18 @@ export declare class FusionAuthClient {
      * @returns {Promise<ClientResponse<void>>}
      */
     checkChangePasswordUsingId(changePasswordId: string): Promise<ClientResponse<void>>;
+    /**
+     * Check to see if the user must obtain a Trust Token Id in order to complete a change password request.
+     * When a user has enabled Two-Factor authentication, before you are allowed to use the Change Password API to change
+     * your password, you must obtain a Trust Token by completing a Two-Factor Step-Up authentication.
+     *
+     * An HTTP status code of 400 with a general error code of [TrustTokenRequired] indicates that a Trust Token is required to make a POST request to this API.
+     *
+     * @param {string} changePasswordId The change password Id used to find the user. This value is generated by FusionAuth once the change password workflow has been initiated.
+     * @param {string} ipAddress (Optional) IP address of the user changing their password. This is used for MFA risk assessment.
+     * @returns {Promise<ClientResponse<void>>}
+     */
+    checkChangePasswordUsingIdAndIPAddress(changePasswordId: string, ipAddress: string): Promise<ClientResponse<void>>;
     /**
      * Check to see if the user must obtain a Trust Token Id in order to complete a change password request.
      * When a user has enabled Two-Factor authentication, before you are allowed to use the Change Password API to change
@@ -131,6 +150,18 @@ export declare class FusionAuthClient {
      * @returns {Promise<ClientResponse<void>>}
      */
     checkChangePasswordUsingJWT(encodedJWT: string): Promise<ClientResponse<void>>;
+    /**
+     * Check to see if the user must obtain a Trust Token Id in order to complete a change password request.
+     * When a user has enabled Two-Factor authentication, before you are allowed to use the Change Password API to change
+     * your password, you must obtain a Trust Token by completing a Two-Factor Step-Up authentication.
+     *
+     * An HTTP status code of 400 with a general error code of [TrustTokenRequired] indicates that a Trust Token is required to make a POST request to this API.
+     *
+     * @param {string} encodedJWT The encoded JWT (access token).
+     * @param {string} ipAddress (Optional) IP address of the user changing their password. This is used for MFA risk assessment.
+     * @returns {Promise<ClientResponse<void>>}
+     */
+    checkChangePasswordUsingJWTAndIPAddress(encodedJWT: string, ipAddress: string): Promise<ClientResponse<void>>;
     /**
      * Check to see if the user must obtain a Trust Request Id in order to complete a change password request.
      * When a user has enabled Two-Factor authentication, before you are allowed to use the Change Password API to change
@@ -138,10 +169,47 @@ export declare class FusionAuthClient {
      *
      * An HTTP status code of 400 with a general error code of [TrustTokenRequired] indicates that a Trust Token is required to make a POST request to this API.
      *
-     * @param {string} loginId The loginId of the User that you intend to change the password for.
+     * @param {string} loginId The loginId (email or username) of the User that you intend to change the password for.
      * @returns {Promise<ClientResponse<void>>}
      */
     checkChangePasswordUsingLoginId(loginId: string): Promise<ClientResponse<void>>;
+    /**
+     * Check to see if the user must obtain a Trust Request Id in order to complete a change password request.
+     * When a user has enabled Two-Factor authentication, before you are allowed to use the Change Password API to change
+     * your password, you must obtain a Trust Request Id by completing a Two-Factor Step-Up authentication.
+     *
+     * An HTTP status code of 400 with a general error code of [TrustTokenRequired] indicates that a Trust Token is required to make a POST request to this API.
+     *
+     * @param {string} loginId The loginId (email or username) of the User that you intend to change the password for.
+     * @param {string} ipAddress (Optional) IP address of the user changing their password. This is used for MFA risk assessment.
+     * @returns {Promise<ClientResponse<void>>}
+     */
+    checkChangePasswordUsingLoginIdAndIPAddress(loginId: string, ipAddress: string): Promise<ClientResponse<void>>;
+    /**
+     * Check to see if the user must obtain a Trust Request Id in order to complete a change password request.
+     * When a user has enabled Two-Factor authentication, before you are allowed to use the Change Password API to change
+     * your password, you must obtain a Trust Request Id by completing a Two-Factor Step-Up authentication.
+     *
+     * An HTTP status code of 400 with a general error code of [TrustTokenRequired] indicates that a Trust Token is required to make a POST request to this API.
+     *
+     * @param {string} loginId The loginId of the User that you intend to change the password for.
+     * @param {Array<String>} loginIdTypes The identity types that FusionAuth will compare the loginId to.
+     * @returns {Promise<ClientResponse<void>>}
+     */
+    checkChangePasswordUsingLoginIdAndLoginIdTypes(loginId: string, loginIdTypes: Array<String>): Promise<ClientResponse<void>>;
+    /**
+     * Check to see if the user must obtain a Trust Request Id in order to complete a change password request.
+     * When a user has enabled Two-Factor authentication, before you are allowed to use the Change Password API to change
+     * your password, you must obtain a Trust Request Id by completing a Two-Factor Step-Up authentication.
+     *
+     * An HTTP status code of 400 with a general error code of [TrustTokenRequired] indicates that a Trust Token is required to make a POST request to this API.
+     *
+     * @param {string} loginId The loginId of the User that you intend to change the password for.
+     * @param {Array<String>} loginIdTypes The identity types that FusionAuth will compare the loginId to.
+     * @param {string} ipAddress (Optional) IP address of the user changing their password. This is used for MFA risk assessment.
+     * @returns {Promise<ClientResponse<void>>}
+     */
+    checkChangePasswordUsingLoginIdAndLoginIdTypesAndIPAddress(loginId: string, loginIdTypes: Array<String>, ipAddress: string): Promise<ClientResponse<void>>;
     /**
      * Make a Client Credentials grant request to obtain an access token.
      *
@@ -153,6 +221,13 @@ export declare class FusionAuthClient {
      * @returns {Promise<ClientResponse<AccessToken>>}
      */
     clientCredentialsGrant(client_id: string, client_secret: string, scope: string): Promise<ClientResponse<AccessToken>>;
+    /**
+     * Make a Client Credentials grant request to obtain an access token.
+     *
+     * @param {ClientCredentialsGrantRequest} request The client credentials grant request containing client authentication, scope and optional tenantId.
+     * @returns {Promise<ClientResponse<AccessToken>>}
+     */
+    clientCredentialsGrantWithRequest(request: ClientCredentialsGrantRequest): Promise<ClientResponse<AccessToken>>;
     /**
      * Adds a comment to the user's account.
      *
@@ -761,6 +836,22 @@ export declare class FusionAuthClient {
      * @returns {Promise<ClientResponse<void>>}
      */
     deleteWebhook(webhookId: UUID): Promise<ClientResponse<void>>;
+    /**
+     * Start the Device Authorization flow using form-encoded parameters
+     *
+     * @param {string} client_id The unique client identifier. The client Id is the Id of the FusionAuth Application in which you are attempting to authenticate.
+     * @param {string} client_secret (Optional) The client secret. This value may optionally be provided in the request body instead of the Authorization header.
+     * @param {string} scope (Optional) A space-delimited string of the requested scopes. Defaults to all scopes configured in the Application's OAuth configuration.
+     * @returns {Promise<ClientResponse<DeviceResponse>>}
+     */
+    deviceAuthorize(client_id: string, client_secret: string, scope: string): Promise<ClientResponse<DeviceResponse>>;
+    /**
+     * Start the Device Authorization flow using a request body
+     *
+     * @param {DeviceAuthorizationRequest} request The device authorization request containing client authentication, scope, and optional device metadata.
+     * @returns {Promise<ClientResponse<DeviceResponse>>}
+     */
+    deviceAuthorizeWithRequest(request: DeviceAuthorizationRequest): Promise<ClientResponse<DeviceResponse>>;
     /**
      * Disable two-factor authentication for a user.
      *
@@ -811,6 +902,22 @@ export declare class FusionAuthClient {
      * @returns {Promise<ClientResponse<AccessToken>>}
      */
     exchangeOAuthCodeForAccessTokenUsingPKCE(code: string, client_id: string, client_secret: string, redirect_uri: string, code_verifier: string): Promise<ClientResponse<AccessToken>>;
+    /**
+     * Exchanges an OAuth authorization code and code_verifier for an access token.
+     * Makes a request to the Token endpoint to exchange the authorization code returned from the Authorize endpoint and a code_verifier for an access token.
+     *
+     * @param {OAuthCodePKCEAccessTokenRequest} request The PKCE OAuth code access token exchange request.
+     * @returns {Promise<ClientResponse<AccessToken>>}
+     */
+    exchangeOAuthCodeForAccessTokenUsingPKCEWithRequest(request: OAuthCodePKCEAccessTokenRequest): Promise<ClientResponse<AccessToken>>;
+    /**
+     * Exchanges an OAuth authorization code for an access token.
+     * Makes a request to the Token endpoint to exchange the authorization code returned from the Authorize endpoint for an access token.
+     *
+     * @param {OAuthCodeAccessTokenRequest} request The OAuth code access token exchange request.
+     * @returns {Promise<ClientResponse<AccessToken>>}
+     */
+    exchangeOAuthCodeForAccessTokenWithRequest(request: OAuthCodeAccessTokenRequest): Promise<ClientResponse<AccessToken>>;
     /**
      * Exchange a Refresh Token for an Access Token.
      * If you will be using the Refresh Token Grant, you will make a request to the Token endpoint to exchange the user’s refresh token for an access token.
@@ -824,6 +931,14 @@ export declare class FusionAuthClient {
      * @returns {Promise<ClientResponse<AccessToken>>}
      */
     exchangeRefreshTokenForAccessToken(refresh_token: string, client_id: string, client_secret: string, scope: string, user_code: string): Promise<ClientResponse<AccessToken>>;
+    /**
+     * Exchange a Refresh Token for an Access Token.
+     * If you will be using the Refresh Token Grant, you will make a request to the Token endpoint to exchange the user’s refresh token for an access token.
+     *
+     * @param {RefreshTokenAccessTokenRequest} request The refresh token access token exchange request.
+     * @returns {Promise<ClientResponse<AccessToken>>}
+     */
+    exchangeRefreshTokenForAccessTokenWithRequest(request: RefreshTokenAccessTokenRequest): Promise<ClientResponse<AccessToken>>;
     /**
      * Exchange a refresh token for a new JWT.
      *
@@ -845,6 +960,14 @@ export declare class FusionAuthClient {
      * @returns {Promise<ClientResponse<AccessToken>>}
      */
     exchangeUserCredentialsForAccessToken(username: string, password: string, client_id: string, client_secret: string, scope: string, user_code: string): Promise<ClientResponse<AccessToken>>;
+    /**
+     * Exchange User Credentials for a Token.
+     * If you will be using the Resource Owner Password Credential Grant, you will make a request to the Token endpoint to exchange the user’s email and password for an access token.
+     *
+     * @param {UserCredentialsAccessTokenRequest} request The user credentials access token exchange request.
+     * @returns {Promise<ClientResponse<AccessToken>>}
+     */
+    exchangeUserCredentialsForAccessTokenWithRequest(request: UserCredentialsAccessTokenRequest): Promise<ClientResponse<AccessToken>>;
     /**
      * Begins the forgot password sequence, which kicks off an email to the user so that they can reset their password.
      *
@@ -961,6 +1084,13 @@ export declare class FusionAuthClient {
      * @returns {Promise<ClientResponse<IntrospectResponse>>}
      */
     introspectAccessToken(client_id: string, token: string): Promise<ClientResponse<IntrospectResponse>>;
+    /**
+     * Inspect an access token issued as the result of the User based grant such as the Authorization Code Grant, Implicit Grant, the User Credentials Grant or the Refresh Grant.
+     *
+     * @param {AccessTokenIntrospectRequest} request The access token introspection request.
+     * @returns {Promise<ClientResponse<IntrospectResponse>>}
+     */
+    introspectAccessTokenWithRequest(request: AccessTokenIntrospectRequest): Promise<ClientResponse<IntrospectResponse>>;
     /**
      * Inspect an access token issued as the result of the Client Credentials Grant.
      *
@@ -968,6 +1098,13 @@ export declare class FusionAuthClient {
      * @returns {Promise<ClientResponse<IntrospectResponse>>}
      */
     introspectClientCredentialsAccessToken(token: string): Promise<ClientResponse<IntrospectResponse>>;
+    /**
+     * Inspect an access token issued as the result of the Client Credentials Grant.
+     *
+     * @param {ClientCredentialsAccessTokenIntrospectRequest} request The client credentials access token.
+     * @returns {Promise<ClientResponse<IntrospectResponse>>}
+     */
+    introspectClientCredentialsAccessTokenWithRequest(request: ClientCredentialsAccessTokenIntrospectRequest): Promise<ClientResponse<IntrospectResponse>>;
     /**
      * Issue a new access token (JWT) for the requested Application after ensuring the provided JWT is valid. A valid
      * access token is properly signed and not expired.
@@ -1932,6 +2069,13 @@ export declare class FusionAuthClient {
      * @returns {Promise<ClientResponse<TotalsReportResponse>>}
      */
     retrieveTotalReport(): Promise<ClientResponse<TotalsReportResponse>>;
+    /**
+     * Retrieves the totals report. This allows excluding applicationTotals from the report. An empty list will include the applicationTotals.
+     *
+     * @param {Array<String>} excludes List of fields to exclude in the response. Currently only allows applicationTotals.
+     * @returns {Promise<ClientResponse<TotalsReportResponse>>}
+     */
+    retrieveTotalReportWithExcludes(excludes: Array<String>): Promise<ClientResponse<TotalsReportResponse>>;
     /**
      * Retrieve two-factor recovery codes for a user.
      *
@@ -1951,6 +2095,17 @@ export declare class FusionAuthClient {
      * @returns {Promise<ClientResponse<TwoFactorStatusResponse>>}
      */
     retrieveTwoFactorStatus(userId: UUID, applicationId: UUID, twoFactorTrustId: string): Promise<ClientResponse<TwoFactorStatusResponse>>;
+    /**
+     * Retrieve a user's two-factor status.
+     *
+     * This can be used to see if a user will need to complete a two-factor challenge to complete a login,
+     * and optionally identify the state of the two-factor trust across various applications. This operation
+     * provides more payload options than retrieveTwoFactorStatus.
+     *
+     * @param {TwoFactorStatusRequest} request The request object that contains all the information used to check the status.
+     * @returns {Promise<ClientResponse<TwoFactorStatusResponse>>}
+     */
+    retrieveTwoFactorStatusWithRequest(request: TwoFactorStatusRequest): Promise<ClientResponse<TwoFactorStatusResponse>>;
     /**
      * Retrieves the user for the given Id.
      *
@@ -2012,7 +2167,7 @@ export declare class FusionAuthClient {
      * Retrieves the user for the loginId, using specific loginIdTypes.
      *
      * @param {string} loginId The email or username of the user.
-     * @param {Array<String>} loginIdTypes the identity types that FusionAuth will compare the loginId to.
+     * @param {Array<String>} loginIdTypes The identity types that FusionAuth will compare the loginId to.
      * @returns {Promise<ClientResponse<UserResponse>>}
      */
     retrieveUserByLoginIdWithLoginIdTypes(loginId: string, loginIdTypes: Array<String>): Promise<ClientResponse<UserResponse>>;
@@ -2053,6 +2208,26 @@ export declare class FusionAuthClient {
      * @returns {Promise<ClientResponse<void>>}
      */
     retrieveUserCodeUsingAPIKey(user_code: string): Promise<ClientResponse<void>>;
+    /**
+     * Retrieve a user_code that is part of an in-progress Device Authorization Grant.
+     *
+     * This API is useful if you want to build your own login workflow to complete a device grant.
+     *
+     * This request will require an API key.
+     *
+     * @param {RetrieveUserCodeUsingAPIKeyRequest} request The user code retrieval request including optional tenantId.
+     * @returns {Promise<ClientResponse<void>>}
+     */
+    retrieveUserCodeUsingAPIKeyWithRequest(request: RetrieveUserCodeUsingAPIKeyRequest): Promise<ClientResponse<void>>;
+    /**
+     * Retrieve a user_code that is part of an in-progress Device Authorization Grant.
+     *
+     * This API is useful if you want to build your own login workflow to complete a device grant.
+     *
+     * @param {RetrieveUserCodeRequest} request The user code retrieval request.
+     * @returns {Promise<ClientResponse<void>>}
+     */
+    retrieveUserCodeWithRequest(request: RetrieveUserCodeRequest): Promise<ClientResponse<void>>;
     /**
      * Retrieves all the comments for the user with the given Id.
      *
@@ -2128,7 +2303,7 @@ export declare class FusionAuthClient {
      * @param {string} loginId The userId id.
      * @param {number} start The start instant as UTC milliseconds since Epoch.
      * @param {number} end The end instant as UTC milliseconds since Epoch.
-     * @param {Array<String>} loginIdTypes the identity types that FusionAuth will compare the loginId to.
+     * @param {Array<String>} loginIdTypes The identity types that FusionAuth will compare the loginId to.
      * @returns {Promise<ClientResponse<LoginReportResponse>>}
      */
     retrieveUserLoginReportByLoginIdAndLoginIdTypes(applicationId: UUID, loginId: string, start: number, end: number, loginIdTypes: Array<String>): Promise<ClientResponse<LoginReportResponse>>;
@@ -2844,6 +3019,14 @@ export declare class FusionAuthClient {
      * @returns {Promise<ClientResponse<void>>}
      */
     validateDevice(user_code: string, client_id: string): Promise<ClientResponse<void>>;
+    /**
+     * Validates the end-user provided user_code from the user-interaction of the Device Authorization Grant.
+     * If you build your own activation form you should validate the user provided code prior to beginning the Authorization grant.
+     *
+     * @param {ValidateDeviceRequest} request The device validation request.
+     * @returns {Promise<ClientResponse<void>>}
+     */
+    validateDeviceWithRequest(request: ValidateDeviceRequest): Promise<ClientResponse<void>>;
     /**
      * Validates the provided JWT (encoded JWT string) to ensure the token is valid. A valid access token is properly
      * signed and not expired.
@@ -2996,6 +3179,16 @@ export interface AccessToken {
     token_type?: TokenType;
     userId?: UUID;
 }
+/**
+ * The request object for introspecting an access token.
+ *
+ * @author Lyle Schemmerling
+ */
+export interface AccessTokenIntrospectRequest {
+    client_id?: string;
+    tenantId?: string;
+    token?: string;
+}
 /**
  * The user action request object.
  *
@@ -3127,6 +3320,7 @@ export interface AuthenticationTokenConfiguration extends Enableable {
 export interface LambdaConfiguration {
     accessTokenPopulateId?: UUID;
     idTokenPopulateId?: UUID;
+    multiFactorRequirementId?: UUID;
     samlv2PopulateId?: UUID;
     selfServiceRegistrationValidationId?: UUID;
     userinfoPopulateId?: UUID;
@@ -3611,6 +3805,7 @@ export interface BaseIdentityProvider<D extends BaseIdentityProviderApplicationC
     linkingStrategy?: IdentityProviderLinkingStrategy;
     name?: string;
     tenantConfiguration?: Record<UUID, IdentityProviderTenantConfiguration>;
+    tenantId?: UUID;
     type?: IdentityProviderType;
 }
 export interface LambdaConfiguration {
@@ -3783,6 +3978,27 @@ export declare enum ClientAuthenticationPolicy {
     NotRequired = "NotRequired",
     NotRequiredWhenUsingPKCE = "NotRequiredWhenUsingPKCE"
 }
+/**
+ * Contains the parameters used to introspect an access token that was obtained via the client credentials grant.
+ *
+ * @author Lyle Schemmerling
+ */
+export interface ClientCredentialsAccessTokenIntrospectRequest {
+    tenantId?: string;
+    token?: string;
+}
+/**
+ * The request object to make a Client Credentials grant request to obtain an access token.
+ *
+ * @author Lyle Schemmerling
+ */
+export interface ClientCredentialsGrantRequest {
+    client_id?: string;
+    client_secret?: string;
+    grant_type?: string;
+    scope?: string;
+    tenantId?: string;
+}
 /**
  * @author Trevor Smith
  */
@@ -3899,6 +4115,18 @@ export declare enum ContentStatus {
     PENDING = "PENDING",
     REJECTED = "REJECTED"
 }
+/**
+ * Represents the inbound lambda parameter 'context' for MFA Required lambdas.
+ */
+export interface Context {
+    accessToken?: string;
+    action?: MultiFactorAction;
+    application?: Application;
+    authenticationThreats?: Array<AuthenticationThreats>;
+    eventInfo?: EventInfo;
+    mfaTrust?: Trust;
+    policies?: Policies;
+}
 /**
  * A number identifying a cryptographic algorithm. Values should be registered with the <a
  * href="https://www.iana.org/assignments/cose/cose.xhtml#algorithms">IANA COSE Algorithms registry</a>
@@ -3968,6 +4196,18 @@ export interface DailyActiveUserReportResponse {
     dailyActiveUsers?: Array<Count>;
     total?: number;
 }
+/**
+ * The request object to approve a device grant.
+ *
+ * @author Lyle Schemmerling
+ */
+export interface DeviceApprovalRequest {
+    client_id?: string;
+    client_secret?: string;
+    tenantId?: UUID;
+    token?: string;
+    user_code?: string;
+}
 /**
  * @author Daniel DeGroff
  */
@@ -3978,6 +4218,15 @@ export interface DeviceApprovalResponse {
     tenantId?: UUID;
     userId?: UUID;
 }
+/**
+ * @author Lyle Schemmerling
+ */
+export interface DeviceAuthorizationRequest {
+    client_id?: string;
+    client_secret?: string;
+    scope?: string;
+    tenantId?: UUID;
+}
 /**
  * @author Daniel DeGroff
  */
@@ -4578,6 +4827,13 @@ export declare enum EventType {
     UserIdentityVerified = "user.identity.verified",
     UserIdentityUpdate = "user.identity.update"
 }
+/**
+ * Represent the various states/expectations of a user in the context of starting verification
+ */
+export declare enum ExistingUserStrategy {
+    mustExist = "mustExist",
+    mustNotExist = "mustNotExist"
+}
 /**
  * An expandable API request.
  *
@@ -4660,6 +4916,18 @@ export interface ExternalJWTIdentityProvider extends BaseIdentityProvider<Extern
     oauth2?: IdentityProviderOauth2Configuration;
     uniqueIdentityClaim?: string;
 }
+/**
+ * Determines if FusionAuth is in FIPS mode based on the system property <code>fusionauth.fips.enabled</code>. This can only be enabled once and
+ * should be enabled when the VM starts or as close to that point as possible.
+ * <p>
+ * Once this has been enabled, it cannot be disabled.
+ * <p>
+ * This also provides some helpers for FIPS things such as password length requirements.
+ *
+ * @author Brian Pontarelli and Daniel DeGroff
+ */
+export interface FIPS {
+}
 /**
  * @author Daniel DeGroff
  */
@@ -4906,6 +5174,15 @@ export interface FormResponse {
  */
 export interface FormStep {
     fields?: Array<UUID>;
+    type?: FormStepType;
+}
+/**
+ * Denotes the type of form step. This is used to configure different behavior on form steps in the registration flow.
+ */
+export declare enum FormStepType {
+    collectData = "collectData",
+    verifyEmail = "verifyEmail",
+    verifyPhoneNumber = "verifyPhoneNumber"
 }
 /**
  * @author Daniel DeGroff
@@ -5401,6 +5678,7 @@ export interface IdentityProviderResponse {
 export interface IdentityProviderSearchCriteria extends BaseSearchCriteria {
     applicationId?: UUID;
     name?: string;
+    tenantId?: UUID;
     type?: IdentityProviderType;
 }
 /**
@@ -5735,12 +6013,14 @@ export declare enum KeyAlgorithm {
     HS512 = "HS512",
     RS256 = "RS256",
     RS384 = "RS384",
-    RS512 = "RS512"
+    RS512 = "RS512",
+    Ed25519 = "Ed25519"
 }
 export declare enum KeyType {
     EC = "EC",
     RSA = "RSA",
-    HMAC = "HMAC"
+    HMAC = "HMAC",
+    OKP = "OKP"
 }
 /**
  * Key API request object.
@@ -5927,7 +6207,8 @@ export declare enum LambdaType {
     SCIMServerUserResponseConverter = "SCIMServerUserResponseConverter",
     SelfServiceRegistrationValidation = "SelfServiceRegistrationValidation",
     UserInfoPopulate = "UserInfoPopulate",
-    LoginValidation = "LoginValidation"
+    LoginValidation = "LoginValidation",
+    MFARequirement = "MFARequirement"
 }
 /**
  * @author Daniel DeGroff
@@ -6124,6 +6405,7 @@ export interface IdentityProviderDetails {
     idpEndpoint?: string;
     name?: string;
     oauth2?: IdentityProviderOauth2Configuration;
+    tenantId?: UUID;
     type?: IdentityProviderType;
 }
 /**
@@ -6247,6 +6529,14 @@ export interface MonthlyActiveUserReportResponse {
     monthlyActiveUsers?: Array<Count>;
     total?: number;
 }
+/**
+ * Communicate various actions/contexts in which multi-factor authentication can be used.
+ */
+export declare enum MultiFactorAction {
+    changePassword = "changePassword",
+    login = "login",
+    stepUp = "stepUp"
+}
 /**
  * @author Daniel DeGroff
  */
@@ -6323,6 +6613,34 @@ export declare enum OAuthApplicationRelationship {
     FirstParty = "FirstParty",
     ThirdParty = "ThirdParty"
 }
+/**
+ * The request object for exchanging an OAuth authorization code for an access token.
+ *
+ * @author Lyle Schemmerling
+ */
+export interface OAuthCodeAccessTokenRequest {
+    client_id?: string;
+    client_secret?: string;
+    code?: string;
+    grant_type?: string;
+    redirect_uri?: string;
+    tenantId?: string;
+}
+/**
+ * The request object to make a request to the Token endpoint to exchange the authorization code returned from the Authorize endpoint and a
+ * code_verifier for an access token.
+ *
+ * @author Lyle Schemmerling
+ */
+export interface OAuthCodePKCEAccessTokenRequest {
+    client_id?: string;
+    client_secret?: string;
+    code?: string;
+    code_verifier?: string;
+    grant_type?: string;
+    redirect_uri?: string;
+    tenantId?: UUID;
+}
 /**
  * @author Daniel DeGroff
  */
@@ -6658,6 +6976,14 @@ export interface PhoneUnverifiedOptions {
     allowPhoneNumberChangeWhenGated?: boolean;
     behavior?: UnverifiedBehavior;
 }
+/**
+ * Represents the inbound lambda parameter 'policies' for MFA Required lambdas.
+ */
+export interface Policies {
+    applicationLoginPolicy?: MultiFactorLoginPolicy;
+    applicationMultiFactorTrustPolicy?: ApplicationMultiFactorTrustPolicy;
+    tenantLoginPolicy?: MultiFactorLoginPolicy;
+}
 /**
  * @author Michael Sleevi
  */
@@ -6866,6 +7192,7 @@ export interface ReactorStatus {
     expiration?: string;
     licenseAttributes?: Record<string, string>;
     licensed?: boolean;
+    multiFactorLambdas?: ReactorFeatureStatus;
     scimServer?: ReactorFeatureStatus;
     tenantManagerApplication?: ReactorFeatureStatus;
     threatDetection?: ReactorFeatureStatus;
@@ -6916,6 +7243,20 @@ export interface MetaData {
     device?: DeviceInfo;
     scopes?: Array<string>;
 }
+/**
+ * The request object to exchange a Refresh Token for an Access Token.
+ *
+ * @author Lyle Schemmerling
+ */
+export interface RefreshTokenAccessTokenRequest {
+    client_id?: string;
+    client_secret?: string;
+    grant_type?: string;
+    refresh_token?: string;
+    scope?: string;
+    tenantId?: UUID;
+    user_code?: string;
+}
 /**
  * @author Daniel DeGroff
  */
@@ -7013,6 +7354,7 @@ export interface RegistrationRequest extends BaseEventRequest {
     skipRegistrationVerification?: boolean;
     skipVerification?: boolean;
     user?: User;
+    verificationIds?: Array<string>;
 }
 /**
  * Registration API request object.
@@ -7028,6 +7370,7 @@ export interface RegistrationResponse {
     token?: string;
     tokenExpirationInstant?: number;
     user?: User;
+    verificationIds?: Array<VerificationId>;
 }
 /**
  * @author Daniel DeGroff
@@ -7064,6 +7407,13 @@ export interface RememberPreviousPasswords extends Enableable {
 export interface Requirable extends Enableable {
     required?: boolean;
 }
+/**
+ * Represents the inbound lambda parameter 'result' for MFA Required lambdas.
+ */
+export interface RequiredLambdaResult {
+    required?: boolean;
+    sendSuspiciousLoginEvent?: boolean;
+}
 /**
  * Interface describing the need for CORS configuration.
  *
@@ -7082,6 +7432,26 @@ export declare enum ResidentKeyRequirement {
     preferred = "preferred",
     required = "required"
 }
+/**
+ * The request object for retrieving a user code that is part of an in-progress Device Authorization Grant.
+ *
+ * @author Lyle Schemmerling
+ */
+export interface RetrieveUserCodeRequest {
+    client_id?: string;
+    client_secret?: string;
+    tenantId?: UUID;
+    user_code?: string;
+}
+/**
+ * The request object for retrieving a user code that is part of an in-progress Device Authorization Grant using an API key
+ *
+ * @author Lyle Schemmerling
+ */
+export interface RetrieveUserCodeUsingAPIKeyRequest {
+    tenantId?: UUID;
+    user_code?: string;
+}
 /**
  * @author Brian Pontarelli
  */
@@ -7563,6 +7933,7 @@ export interface TenantFormConfiguration {
  */
 export interface TenantLambdaConfiguration {
     loginValidationId?: UUID;
+    multiFactorRequirementId?: UUID;
     scimEnterpriseUserRequestConverterId?: UUID;
     scimEnterpriseUserResponseConverterId?: UUID;
     scimGroupRequestConverterId?: UUID;
@@ -7926,6 +8297,24 @@ export declare enum TransactionType {
     SuperMajority = "SuperMajority",
     AbsoluteMajority = "AbsoluteMajority"
 }
+/**
+ * Represents the inbound lambda parameter 'mfaTrust' inside the 'context' parameter for MFA Required lambdas.
+ */
+export interface Trust {
+    applicationId?: UUID;
+    attributes?: Record<string, string>;
+    expirationInstant?: number;
+    id?: string;
+    insertInstant?: number;
+    startInstants?: StartInstant;
+    state?: Record<string, any>;
+    tenantId?: UUID;
+    userId?: UUID;
+}
+export interface StartInstant {
+    applications?: Record<UUID, number>;
+    tenant?: number;
+}
 /**
  * @author Brett Guy
  */
@@ -8070,6 +8459,16 @@ export interface TwoFactorStartResponse {
     methods?: Array<TwoFactorMethod>;
     twoFactorId?: string;
 }
+/**
+ * Check the status of two-factor authentication for a user, with more options than on a GET request.
+ */
+export interface TwoFactorStatusRequest extends BaseEventRequest {
+    accessToken?: string;
+    action?: MultiFactorAction;
+    applicationId?: UUID;
+    twoFactorTrustId?: string;
+    userId?: UUID;
+}
 /**
  * @author Daniel DeGroff
  */
@@ -8399,6 +8798,21 @@ export interface UserCreateCompleteEvent extends BaseUserEvent {
  */
 export interface UserCreateEvent extends BaseUserEvent {
 }
+/**
+ * The request object for exchanging user credentials (username and password) for an access token.
+ *
+ * @author Lyle Schemmerling
+ */
+export interface UserCredentialsAccessTokenRequest {
+    client_id?: string;
+    client_secret?: string;
+    grant_type?: string;
+    password?: string;
+    scope?: string;
+    tenantId?: string;
+    user_code?: string;
+    username?: string;
+}
 /**
  * Models the User Deactivate Event.
  *
@@ -8839,6 +9253,16 @@ export declare enum UserVerificationRequirement {
  */
 export interface UserinfoResponse extends Record<string, any> {
 }
+/**
+ * The request object for validating an end-user provided user_code from the user-interaction of the Device Authorization Grant
+ *
+ * @author Lyle Schemmerling
+ */
+export interface ValidateDeviceRequest {
+    client_id?: string;
+    tenantId?: UUID;
+    user_code?: string;
+}
 /**
  * @author Daniel DeGroff
  */
@@ -8912,6 +9336,7 @@ export interface VerifySendRequest {
  */
 export interface VerifyStartRequest {
     applicationId?: UUID;
+    existingUserStrategy?: ExistingUserStrategy;
     loginId?: string;
     loginIdType?: string;
     state?: Record<string, any>;