@fusionauth/typescript-client 1.61.0 → 1.63.0

package/build/src/FusionAuthClient.d.ts

@@ -56,6 +56,13 @@ export declare class FusionAuthClient {
      * @returns {Promise<ClientResponse<DeviceApprovalResponse>>}
      */
     approveDevice(client_id: string, client_secret: string, token: string, user_code: string): Promise<ClientResponse<DeviceApprovalResponse>>;
+    /**
+     * Approve a device grant.
+     *
+     * @param {DeviceApprovalRequest} request The request object containing the device approval information and optional tenantId.
+     * @returns {Promise<ClientResponse<DeviceApprovalResponse>>}
+     */
+    approveDeviceWithRequest(request: DeviceApprovalRequest): Promise<ClientResponse<DeviceApprovalResponse>>;
     /**
      * Cancels the user action.
      *
@@ -120,6 +127,18 @@ export declare class FusionAuthClient {
      * @returns {Promise<ClientResponse<void>>}
      */
     checkChangePasswordUsingId(changePasswordId: string): Promise<ClientResponse<void>>;
+    /**
+     * Check to see if the user must obtain a Trust Token Id in order to complete a change password request.
+     * When a user has enabled Two-Factor authentication, before you are allowed to use the Change Password API to change
+     * your password, you must obtain a Trust Token by completing a Two-Factor Step-Up authentication.
+     *
+     * An HTTP status code of 400 with a general error code of [TrustTokenRequired] indicates that a Trust Token is required to make a POST request to this API.
+     *
+     * @param {string} changePasswordId The change password Id used to find the user. This value is generated by FusionAuth once the change password workflow has been initiated.
+     * @param {string} ipAddress (Optional) IP address of the user changing their password. This is used for MFA risk assessment.
+     * @returns {Promise<ClientResponse<void>>}
+     */
+    checkChangePasswordUsingIdAndIPAddress(changePasswordId: string, ipAddress: string): Promise<ClientResponse<void>>;
     /**
      * Check to see if the user must obtain a Trust Token Id in order to complete a change password request.
      * When a user has enabled Two-Factor authentication, before you are allowed to use the Change Password API to change
@@ -131,6 +150,18 @@ export declare class FusionAuthClient {
      * @returns {Promise<ClientResponse<void>>}
      */
     checkChangePasswordUsingJWT(encodedJWT: string): Promise<ClientResponse<void>>;
+    /**
+     * Check to see if the user must obtain a Trust Token Id in order to complete a change password request.
+     * When a user has enabled Two-Factor authentication, before you are allowed to use the Change Password API to change
+     * your password, you must obtain a Trust Token by completing a Two-Factor Step-Up authentication.
+     *
+     * An HTTP status code of 400 with a general error code of [TrustTokenRequired] indicates that a Trust Token is required to make a POST request to this API.
+     *
+     * @param {string} encodedJWT The encoded JWT (access token).
+     * @param {string} ipAddress (Optional) IP address of the user changing their password. This is used for MFA risk assessment.
+     * @returns {Promise<ClientResponse<void>>}
+     */
+    checkChangePasswordUsingJWTAndIPAddress(encodedJWT: string, ipAddress: string): Promise<ClientResponse<void>>;
     /**
      * Check to see if the user must obtain a Trust Request Id in order to complete a change password request.
      * When a user has enabled Two-Factor authentication, before you are allowed to use the Change Password API to change
@@ -142,6 +173,18 @@ export declare class FusionAuthClient {
      * @returns {Promise<ClientResponse<void>>}
      */
     checkChangePasswordUsingLoginId(loginId: string): Promise<ClientResponse<void>>;
+    /**
+     * Check to see if the user must obtain a Trust Request Id in order to complete a change password request.
+     * When a user has enabled Two-Factor authentication, before you are allowed to use the Change Password API to change
+     * your password, you must obtain a Trust Request Id by completing a Two-Factor Step-Up authentication.
+     *
+     * An HTTP status code of 400 with a general error code of [TrustTokenRequired] indicates that a Trust Token is required to make a POST request to this API.
+     *
+     * @param {string} loginId The loginId (email or username) of the User that you intend to change the password for.
+     * @param {string} ipAddress (Optional) IP address of the user changing their password. This is used for MFA risk assessment.
+     * @returns {Promise<ClientResponse<void>>}
+     */
+    checkChangePasswordUsingLoginIdAndIPAddress(loginId: string, ipAddress: string): Promise<ClientResponse<void>>;
     /**
      * Check to see if the user must obtain a Trust Request Id in order to complete a change password request.
      * When a user has enabled Two-Factor authentication, before you are allowed to use the Change Password API to change
@@ -154,6 +197,19 @@ export declare class FusionAuthClient {
      * @returns {Promise<ClientResponse<void>>}
      */
     checkChangePasswordUsingLoginIdAndLoginIdTypes(loginId: string, loginIdTypes: Array<String>): Promise<ClientResponse<void>>;
+    /**
+     * Check to see if the user must obtain a Trust Request Id in order to complete a change password request.
+     * When a user has enabled Two-Factor authentication, before you are allowed to use the Change Password API to change
+     * your password, you must obtain a Trust Request Id by completing a Two-Factor Step-Up authentication.
+     *
+     * An HTTP status code of 400 with a general error code of [TrustTokenRequired] indicates that a Trust Token is required to make a POST request to this API.
+     *
+     * @param {string} loginId The loginId of the User that you intend to change the password for.
+     * @param {Array<String>} loginIdTypes The identity types that FusionAuth will compare the loginId to.
+     * @param {string} ipAddress (Optional) IP address of the user changing their password. This is used for MFA risk assessment.
+     * @returns {Promise<ClientResponse<void>>}
+     */
+    checkChangePasswordUsingLoginIdAndLoginIdTypesAndIPAddress(loginId: string, loginIdTypes: Array<String>, ipAddress: string): Promise<ClientResponse<void>>;
     /**
      * Make a Client Credentials grant request to obtain an access token.
      *
@@ -165,6 +221,13 @@ export declare class FusionAuthClient {
      * @returns {Promise<ClientResponse<AccessToken>>}
      */
     clientCredentialsGrant(client_id: string, client_secret: string, scope: string): Promise<ClientResponse<AccessToken>>;
+    /**
+     * Make a Client Credentials grant request to obtain an access token.
+     *
+     * @param {ClientCredentialsGrantRequest} request The client credentials grant request containing client authentication, scope and optional tenantId.
+     * @returns {Promise<ClientResponse<AccessToken>>}
+     */
+    clientCredentialsGrantWithRequest(request: ClientCredentialsGrantRequest): Promise<ClientResponse<AccessToken>>;
     /**
      * Adds a comment to the user's account.
      *
@@ -766,6 +829,13 @@ export declare class FusionAuthClient {
      * @returns {Promise<ClientResponse<void>>}
      */
     deleteWebAuthnCredential(id: UUID): Promise<ClientResponse<void>>;
+    /**
+     * Deletes all of the WebAuthn credentials for the given User Id.
+     *
+     * @param {UUID} userId The unique Id of the User to delete WebAuthn passkeys for.
+     * @returns {Promise<ClientResponse<void>>}
+     */
+    deleteWebAuthnCredentialsForUser(userId: UUID): Promise<ClientResponse<void>>;
     /**
      * Deletes the webhook for the given Id.
      *
@@ -773,6 +843,22 @@ export declare class FusionAuthClient {
      * @returns {Promise<ClientResponse<void>>}
      */
     deleteWebhook(webhookId: UUID): Promise<ClientResponse<void>>;
+    /**
+     * Start the Device Authorization flow using form-encoded parameters
+     *
+     * @param {string} client_id The unique client identifier. The client Id is the Id of the FusionAuth Application in which you are attempting to authenticate.
+     * @param {string} client_secret (Optional) The client secret. This value may optionally be provided in the request body instead of the Authorization header.
+     * @param {string} scope (Optional) A space-delimited string of the requested scopes. Defaults to all scopes configured in the Application's OAuth configuration.
+     * @returns {Promise<ClientResponse<DeviceResponse>>}
+     */
+    deviceAuthorize(client_id: string, client_secret: string, scope: string): Promise<ClientResponse<DeviceResponse>>;
+    /**
+     * Start the Device Authorization flow using a request body
+     *
+     * @param {DeviceAuthorizationRequest} request The device authorization request containing client authentication, scope, and optional device metadata.
+     * @returns {Promise<ClientResponse<DeviceResponse>>}
+     */
+    deviceAuthorizeWithRequest(request: DeviceAuthorizationRequest): Promise<ClientResponse<DeviceResponse>>;
     /**
      * Disable two-factor authentication for a user.
      *
@@ -823,6 +909,22 @@ export declare class FusionAuthClient {
      * @returns {Promise<ClientResponse<AccessToken>>}
      */
     exchangeOAuthCodeForAccessTokenUsingPKCE(code: string, client_id: string, client_secret: string, redirect_uri: string, code_verifier: string): Promise<ClientResponse<AccessToken>>;
+    /**
+     * Exchanges an OAuth authorization code and code_verifier for an access token.
+     * Makes a request to the Token endpoint to exchange the authorization code returned from the Authorize endpoint and a code_verifier for an access token.
+     *
+     * @param {OAuthCodePKCEAccessTokenRequest} request The PKCE OAuth code access token exchange request.
+     * @returns {Promise<ClientResponse<AccessToken>>}
+     */
+    exchangeOAuthCodeForAccessTokenUsingPKCEWithRequest(request: OAuthCodePKCEAccessTokenRequest): Promise<ClientResponse<AccessToken>>;
+    /**
+     * Exchanges an OAuth authorization code for an access token.
+     * Makes a request to the Token endpoint to exchange the authorization code returned from the Authorize endpoint for an access token.
+     *
+     * @param {OAuthCodeAccessTokenRequest} request The OAuth code access token exchange request.
+     * @returns {Promise<ClientResponse<AccessToken>>}
+     */
+    exchangeOAuthCodeForAccessTokenWithRequest(request: OAuthCodeAccessTokenRequest): Promise<ClientResponse<AccessToken>>;
     /**
      * Exchange a Refresh Token for an Access Token.
      * If you will be using the Refresh Token Grant, you will make a request to the Token endpoint to exchange the user’s refresh token for an access token.
@@ -836,6 +938,14 @@ export declare class FusionAuthClient {
      * @returns {Promise<ClientResponse<AccessToken>>}
      */
     exchangeRefreshTokenForAccessToken(refresh_token: string, client_id: string, client_secret: string, scope: string, user_code: string): Promise<ClientResponse<AccessToken>>;
+    /**
+     * Exchange a Refresh Token for an Access Token.
+     * If you will be using the Refresh Token Grant, you will make a request to the Token endpoint to exchange the user’s refresh token for an access token.
+     *
+     * @param {RefreshTokenAccessTokenRequest} request The refresh token access token exchange request.
+     * @returns {Promise<ClientResponse<AccessToken>>}
+     */
+    exchangeRefreshTokenForAccessTokenWithRequest(request: RefreshTokenAccessTokenRequest): Promise<ClientResponse<AccessToken>>;
     /**
      * Exchange a refresh token for a new JWT.
      *
@@ -857,6 +967,14 @@ export declare class FusionAuthClient {
      * @returns {Promise<ClientResponse<AccessToken>>}
      */
     exchangeUserCredentialsForAccessToken(username: string, password: string, client_id: string, client_secret: string, scope: string, user_code: string): Promise<ClientResponse<AccessToken>>;
+    /**
+     * Exchange User Credentials for a Token.
+     * If you will be using the Resource Owner Password Credential Grant, you will make a request to the Token endpoint to exchange the user’s email and password for an access token.
+     *
+     * @param {UserCredentialsAccessTokenRequest} request The user credentials access token exchange request.
+     * @returns {Promise<ClientResponse<AccessToken>>}
+     */
+    exchangeUserCredentialsForAccessTokenWithRequest(request: UserCredentialsAccessTokenRequest): Promise<ClientResponse<AccessToken>>;
     /**
      * Begins the forgot password sequence, which kicks off an email to the user so that they can reset their password.
      *
@@ -973,6 +1091,13 @@ export declare class FusionAuthClient {
      * @returns {Promise<ClientResponse<IntrospectResponse>>}
      */
     introspectAccessToken(client_id: string, token: string): Promise<ClientResponse<IntrospectResponse>>;
+    /**
+     * Inspect an access token issued as the result of the User based grant such as the Authorization Code Grant, Implicit Grant, the User Credentials Grant or the Refresh Grant.
+     *
+     * @param {AccessTokenIntrospectRequest} request The access token introspection request.
+     * @returns {Promise<ClientResponse<IntrospectResponse>>}
+     */
+    introspectAccessTokenWithRequest(request: AccessTokenIntrospectRequest): Promise<ClientResponse<IntrospectResponse>>;
     /**
      * Inspect an access token issued as the result of the Client Credentials Grant.
      *
@@ -980,6 +1105,13 @@ export declare class FusionAuthClient {
      * @returns {Promise<ClientResponse<IntrospectResponse>>}
      */
     introspectClientCredentialsAccessToken(token: string): Promise<ClientResponse<IntrospectResponse>>;
+    /**
+     * Inspect an access token issued as the result of the Client Credentials Grant.
+     *
+     * @param {ClientCredentialsAccessTokenIntrospectRequest} request The client credentials access token.
+     * @returns {Promise<ClientResponse<IntrospectResponse>>}
+     */
+    introspectClientCredentialsAccessTokenWithRequest(request: ClientCredentialsAccessTokenIntrospectRequest): Promise<ClientResponse<IntrospectResponse>>;
     /**
      * Issue a new access token (JWT) for the requested Application after ensuring the provided JWT is valid. A valid
      * access token is properly signed and not expired.
@@ -1048,13 +1180,23 @@ export declare class FusionAuthClient {
      */
     logoutWithRequest(request: LogoutRequest): Promise<ClientResponse<void>>;
     /**
-     * Retrieves the identity provider for the given domain. A 200 response code indicates the domain is managed
+     * Retrieves any global identity providers for the given domain. A 200 response code indicates the domain is managed
      * by a registered identity provider. A 404 indicates the domain is not managed.
      *
      * @param {string} domain The domain or email address to lookup.
      * @returns {Promise<ClientResponse<LookupResponse>>}
      */
     lookupIdentityProvider(domain: string): Promise<ClientResponse<LookupResponse>>;
+    /**
+     * Retrieves the identity provider for the given domain and tenantId. A 200 response code indicates the domain is managed
+     * by a registered identity provider. A 404 indicates the domain is not managed.
+     *
+     * @param {string} domain The domain or email address to lookup.
+     * @param {UUID} tenantId If provided, the API searches for an identity provider scoped to the corresponding tenant that manages the requested domain.
+     *    If no result is found, the API then searches for global identity providers.
+     * @returns {Promise<ClientResponse<LookupResponse>>}
+     */
+    lookupIdentityProviderByTenantId(domain: string, tenantId: UUID): Promise<ClientResponse<LookupResponse>>;
     /**
      * Modifies a temporal user action by changing the expiration of the action and optionally adding a comment to the
      * action.
@@ -1944,6 +2086,13 @@ export declare class FusionAuthClient {
      * @returns {Promise<ClientResponse<TotalsReportResponse>>}
      */
     retrieveTotalReport(): Promise<ClientResponse<TotalsReportResponse>>;
+    /**
+     * Retrieves the totals report. This allows excluding applicationTotals from the report. An empty list will include the applicationTotals.
+     *
+     * @param {Array<String>} excludes List of fields to exclude in the response. Currently only allows applicationTotals.
+     * @returns {Promise<ClientResponse<TotalsReportResponse>>}
+     */
+    retrieveTotalReportWithExcludes(excludes: Array<String>): Promise<ClientResponse<TotalsReportResponse>>;
     /**
      * Retrieve two-factor recovery codes for a user.
      *
@@ -1963,6 +2112,17 @@ export declare class FusionAuthClient {
      * @returns {Promise<ClientResponse<TwoFactorStatusResponse>>}
      */
     retrieveTwoFactorStatus(userId: UUID, applicationId: UUID, twoFactorTrustId: string): Promise<ClientResponse<TwoFactorStatusResponse>>;
+    /**
+     * Retrieve a user's two-factor status.
+     *
+     * This can be used to see if a user will need to complete a two-factor challenge to complete a login,
+     * and optionally identify the state of the two-factor trust across various applications. This operation
+     * provides more payload options than retrieveTwoFactorStatus.
+     *
+     * @param {TwoFactorStatusRequest} request The request object that contains all the information used to check the status.
+     * @returns {Promise<ClientResponse<TwoFactorStatusResponse>>}
+     */
+    retrieveTwoFactorStatusWithRequest(request: TwoFactorStatusRequest): Promise<ClientResponse<TwoFactorStatusResponse>>;
     /**
      * Retrieves the user for the given Id.
      *
@@ -2065,6 +2225,26 @@ export declare class FusionAuthClient {
      * @returns {Promise<ClientResponse<void>>}
      */
     retrieveUserCodeUsingAPIKey(user_code: string): Promise<ClientResponse<void>>;
+    /**
+     * Retrieve a user_code that is part of an in-progress Device Authorization Grant.
+     *
+     * This API is useful if you want to build your own login workflow to complete a device grant.
+     *
+     * This request will require an API key.
+     *
+     * @param {RetrieveUserCodeUsingAPIKeyRequest} request The user code retrieval request including optional tenantId.
+     * @returns {Promise<ClientResponse<void>>}
+     */
+    retrieveUserCodeUsingAPIKeyWithRequest(request: RetrieveUserCodeUsingAPIKeyRequest): Promise<ClientResponse<void>>;
+    /**
+     * Retrieve a user_code that is part of an in-progress Device Authorization Grant.
+     *
+     * This API is useful if you want to build your own login workflow to complete a device grant.
+     *
+     * @param {RetrieveUserCodeRequest} request The user code retrieval request.
+     * @returns {Promise<ClientResponse<void>>}
+     */
+    retrieveUserCodeWithRequest(request: RetrieveUserCodeRequest): Promise<ClientResponse<void>>;
     /**
      * Retrieves all the comments for the user with the given Id.
      *
@@ -2153,13 +2333,6 @@ export declare class FusionAuthClient {
      * @returns {Promise<ClientResponse<RecentLoginResponse>>}
      */
     retrieveUserRecentLogins(userId: UUID, offset: number, limit: number): Promise<ClientResponse<RecentLoginResponse>>;
-    /**
-     * Retrieves the user for the given Id. This method does not use an API key, instead it uses a JSON Web Token (JWT) for authentication.
-     *
-     * @param {string} encodedJWT The encoded JWT (access token).
-     * @returns {Promise<ClientResponse<UserResponse>>}
-     */
-    retrieveUserUsingJWT(encodedJWT: string): Promise<ClientResponse<UserResponse>>;
     /**
      * Retrieves the FusionAuth version string.
      *
@@ -2856,6 +3029,14 @@ export declare class FusionAuthClient {
      * @returns {Promise<ClientResponse<void>>}
      */
     validateDevice(user_code: string, client_id: string): Promise<ClientResponse<void>>;
+    /**
+     * Validates the end-user provided user_code from the user-interaction of the Device Authorization Grant.
+     * If you build your own activation form you should validate the user provided code prior to beginning the Authorization grant.
+     *
+     * @param {ValidateDeviceRequest} request The device validation request.
+     * @returns {Promise<ClientResponse<void>>}
+     */
+    validateDeviceWithRequest(request: ValidateDeviceRequest): Promise<ClientResponse<void>>;
     /**
      * Validates the provided JWT (encoded JWT string) to ensure the token is valid. A valid access token is properly
      * signed and not expired.
@@ -3008,6 +3189,16 @@ export interface AccessToken {
     token_type?: TokenType;
     userId?: UUID;
 }
+/**
+ * The request object for introspecting an access token.
+ *
+ * @author Lyle Schemmerling
+ */
+export interface AccessTokenIntrospectRequest {
+    client_id?: string;
+    tenantId?: string;
+    token?: string;
+}
 /**
  * The user action request object.
  *
@@ -3139,6 +3330,7 @@ export interface AuthenticationTokenConfiguration extends Enableable {
 export interface LambdaConfiguration {
     accessTokenPopulateId?: UUID;
     idTokenPopulateId?: UUID;
+    multiFactorRequirementId?: UUID;
     samlv2PopulateId?: UUID;
     selfServiceRegistrationValidationId?: UUID;
     userinfoPopulateId?: UUID;
@@ -3623,6 +3815,7 @@ export interface BaseIdentityProvider<D extends BaseIdentityProviderApplicationC
     linkingStrategy?: IdentityProviderLinkingStrategy;
     name?: string;
     tenantConfiguration?: Record<UUID, IdentityProviderTenantConfiguration>;
+    tenantId?: UUID;
     type?: IdentityProviderType;
 }
 export interface LambdaConfiguration {
@@ -3795,6 +3988,27 @@ export declare enum ClientAuthenticationPolicy {
     NotRequired = "NotRequired",
     NotRequiredWhenUsingPKCE = "NotRequiredWhenUsingPKCE"
 }
+/**
+ * Contains the parameters used to introspect an access token that was obtained via the client credentials grant.
+ *
+ * @author Lyle Schemmerling
+ */
+export interface ClientCredentialsAccessTokenIntrospectRequest {
+    tenantId?: string;
+    token?: string;
+}
+/**
+ * The request object to make a Client Credentials grant request to obtain an access token.
+ *
+ * @author Lyle Schemmerling
+ */
+export interface ClientCredentialsGrantRequest {
+    client_id?: string;
+    client_secret?: string;
+    grant_type?: string;
+    scope?: string;
+    tenantId?: string;
+}
 /**
  * @author Trevor Smith
  */
@@ -3911,6 +4125,19 @@ export declare enum ContentStatus {
     PENDING = "PENDING",
     REJECTED = "REJECTED"
 }
+/**
+ * Represents the inbound lambda parameter 'context' for MFA Required lambdas.
+ */
+export interface Context {
+    accessToken?: string;
+    action?: MultiFactorAction;
+    application?: Application;
+    authenticationThreats?: Array<AuthenticationThreats>;
+    authenticationType?: string;
+    eventInfo?: EventInfo;
+    mfaTrust?: Trust;
+    policies?: Policies;
+}
 /**
  * A number identifying a cryptographic algorithm. Values should be registered with the <a
  * href="https://www.iana.org/assignments/cose/cose.xhtml#algorithms">IANA COSE Algorithms registry</a>
@@ -3980,6 +4207,18 @@ export interface DailyActiveUserReportResponse {
     dailyActiveUsers?: Array<Count>;
     total?: number;
 }
+/**
+ * The request object to approve a device grant.
+ *
+ * @author Lyle Schemmerling
+ */
+export interface DeviceApprovalRequest {
+    client_id?: string;
+    client_secret?: string;
+    tenantId?: UUID;
+    token?: string;
+    user_code?: string;
+}
 /**
  * @author Daniel DeGroff
  */
@@ -3990,6 +4229,15 @@ export interface DeviceApprovalResponse {
     tenantId?: UUID;
     userId?: UUID;
 }
+/**
+ * @author Lyle Schemmerling
+ */
+export interface DeviceAuthorizationRequest {
+    client_id?: string;
+    client_secret?: string;
+    scope?: string;
+    tenantId?: UUID;
+}
 /**
  * @author Daniel DeGroff
  */
@@ -4590,6 +4838,13 @@ export declare enum EventType {
     UserIdentityVerified = "user.identity.verified",
     UserIdentityUpdate = "user.identity.update"
 }
+/**
+ * Represent the various states/expectations of a user in the context of starting verification
+ */
+export declare enum ExistingUserStrategy {
+    mustExist = "mustExist",
+    mustNotExist = "mustNotExist"
+}
 /**
  * An expandable API request.
  *
@@ -4672,6 +4927,18 @@ export interface ExternalJWTIdentityProvider extends BaseIdentityProvider<Extern
     oauth2?: IdentityProviderOauth2Configuration;
     uniqueIdentityClaim?: string;
 }
+/**
+ * Determines if FusionAuth is in FIPS mode based on the system property <code>fusionauth.fips.enabled</code>. This can only be enabled once and
+ * should be enabled when the VM starts or as close to that point as possible.
+ * <p>
+ * Once this has been enabled, it cannot be disabled.
+ * <p>
+ * This also provides some helpers for FIPS things such as password length requirements.
+ *
+ * @author Brian Pontarelli and Daniel DeGroff
+ */
+export interface FIPS {
+}
 /**
  * @author Daniel DeGroff
  */
@@ -4918,6 +5185,15 @@ export interface FormResponse {
  */
 export interface FormStep {
     fields?: Array<UUID>;
+    type?: FormStepType;
+}
+/**
+ * Denotes the type of form step. This is used to configure different behavior on form steps in the registration flow.
+ */
+export declare enum FormStepType {
+    collectData = "collectData",
+    verifyEmail = "verifyEmail",
+    verifyPhoneNumber = "verifyPhoneNumber"
 }
 /**
  * @author Daniel DeGroff
@@ -5413,6 +5689,7 @@ export interface IdentityProviderResponse {
 export interface IdentityProviderSearchCriteria extends BaseSearchCriteria {
     applicationId?: UUID;
     name?: string;
+    tenantId?: UUID;
     type?: IdentityProviderType;
 }
 /**
@@ -5747,12 +6024,14 @@ export declare enum KeyAlgorithm {
     HS512 = "HS512",
     RS256 = "RS256",
     RS384 = "RS384",
-    RS512 = "RS512"
+    RS512 = "RS512",
+    Ed25519 = "Ed25519"
 }
 export declare enum KeyType {
     EC = "EC",
     RSA = "RSA",
-    HMAC = "HMAC"
+    HMAC = "HMAC",
+    OKP = "OKP"
 }
 /**
  * Key API request object.
@@ -5939,7 +6218,8 @@ export declare enum LambdaType {
     SCIMServerUserResponseConverter = "SCIMServerUserResponseConverter",
     SelfServiceRegistrationValidation = "SelfServiceRegistrationValidation",
     UserInfoPopulate = "UserInfoPopulate",
-    LoginValidation = "LoginValidation"
+    LoginValidation = "LoginValidation",
+    MFARequirement = "MFARequirement"
 }
 /**
  * @author Daniel DeGroff
@@ -6136,6 +6416,7 @@ export interface IdentityProviderDetails {
     idpEndpoint?: string;
     name?: string;
     oauth2?: IdentityProviderOauth2Configuration;
+    tenantId?: UUID;
     type?: IdentityProviderType;
 }
 /**
@@ -6259,6 +6540,14 @@ export interface MonthlyActiveUserReportResponse {
     monthlyActiveUsers?: Array<Count>;
     total?: number;
 }
+/**
+ * Communicate various actions/contexts in which multi-factor authentication can be used.
+ */
+export declare enum MultiFactorAction {
+    changePassword = "changePassword",
+    login = "login",
+    stepUp = "stepUp"
+}
 /**
  * @author Daniel DeGroff
  */
@@ -6335,6 +6624,34 @@ export declare enum OAuthApplicationRelationship {
     FirstParty = "FirstParty",
     ThirdParty = "ThirdParty"
 }
+/**
+ * The request object for exchanging an OAuth authorization code for an access token.
+ *
+ * @author Lyle Schemmerling
+ */
+export interface OAuthCodeAccessTokenRequest {
+    client_id?: string;
+    client_secret?: string;
+    code?: string;
+    grant_type?: string;
+    redirect_uri?: string;
+    tenantId?: string;
+}
+/**
+ * The request object to make a request to the Token endpoint to exchange the authorization code returned from the Authorize endpoint and a
+ * code_verifier for an access token.
+ *
+ * @author Lyle Schemmerling
+ */
+export interface OAuthCodePKCEAccessTokenRequest {
+    client_id?: string;
+    client_secret?: string;
+    code?: string;
+    code_verifier?: string;
+    grant_type?: string;
+    redirect_uri?: string;
+    tenantId?: UUID;
+}
 /**
  * @author Daniel DeGroff
  */
@@ -6452,7 +6769,8 @@ export declare enum OAuthErrorType {
     two_factor_required = "two_factor_required",
     authorization_pending = "authorization_pending",
     expired_token = "expired_token",
-    unsupported_token_type = "unsupported_token_type"
+    unsupported_token_type = "unsupported_token_type",
+    invalid_dpop_proof = "invalid_dpop_proof"
 }
 /**
  * @author Daniel DeGroff
@@ -6513,6 +6831,7 @@ export interface OpenIdConfiguration {
     backchannel_logout_supported?: boolean;
     claims_supported?: Array<string>;
     device_authorization_endpoint?: string;
+    dpop_signing_alg_values_supported?: Array<string>;
     end_session_endpoint?: string;
     frontchannel_logout_supported?: boolean;
     grant_types_supported?: Array<string>;
@@ -6580,6 +6899,7 @@ export interface PasswordEncryptionConfiguration {
  */
 export interface PasswordValidationRules {
     breachDetection?: PasswordBreachDetection;
+    disallowUserLoginId?: boolean;
     maxLength?: number;
     minLength?: number;
     rememberPreviousPasswords?: RememberPreviousPasswords;
@@ -6670,6 +6990,14 @@ export interface PhoneUnverifiedOptions {
     allowPhoneNumberChangeWhenGated?: boolean;
     behavior?: UnverifiedBehavior;
 }
+/**
+ * Represents the inbound lambda parameter 'policies' for MFA Required lambdas.
+ */
+export interface Policies {
+    applicationLoginPolicy?: MultiFactorLoginPolicy;
+    applicationMultiFactorTrustPolicy?: ApplicationMultiFactorTrustPolicy;
+    tenantLoginPolicy?: MultiFactorLoginPolicy;
+}
 /**
  * @author Michael Sleevi
  */
@@ -6874,10 +7202,12 @@ export interface ReactorStatus {
     applicationThemes?: ReactorFeatureStatus;
     breachedPasswordDetection?: ReactorFeatureStatus;
     connectors?: ReactorFeatureStatus;
+    dPoP?: ReactorFeatureStatus;
     entityManagement?: ReactorFeatureStatus;
     expiration?: string;
     licenseAttributes?: Record<string, string>;
     licensed?: boolean;
+    multiFactorLambdas?: ReactorFeatureStatus;
     scimServer?: ReactorFeatureStatus;
     tenantManagerApplication?: ReactorFeatureStatus;
     threatDetection?: ReactorFeatureStatus;
@@ -6928,6 +7258,20 @@ export interface MetaData {
     device?: DeviceInfo;
     scopes?: Array<string>;
 }
+/**
+ * The request object to exchange a Refresh Token for an Access Token.
+ *
+ * @author Lyle Schemmerling
+ */
+export interface RefreshTokenAccessTokenRequest {
+    client_id?: string;
+    client_secret?: string;
+    grant_type?: string;
+    refresh_token?: string;
+    scope?: string;
+    tenantId?: UUID;
+    user_code?: string;
+}
 /**
  * @author Daniel DeGroff
  */
@@ -7025,6 +7369,7 @@ export interface RegistrationRequest extends BaseEventRequest {
     skipRegistrationVerification?: boolean;
     skipVerification?: boolean;
     user?: User;
+    verificationIds?: Array<string>;
 }
 /**
  * Registration API request object.
@@ -7040,6 +7385,7 @@ export interface RegistrationResponse {
     token?: string;
     tokenExpirationInstant?: number;
     user?: User;
+    verificationIds?: Array<VerificationId>;
 }
 /**
  * @author Daniel DeGroff
@@ -7076,6 +7422,13 @@ export interface RememberPreviousPasswords extends Enableable {
 export interface Requirable extends Enableable {
     required?: boolean;
 }
+/**
+ * Represents the inbound lambda parameter 'result' for MFA Required lambdas.
+ */
+export interface RequiredLambdaResult {
+    required?: boolean;
+    sendSuspiciousLoginEvent?: boolean;
+}
 /**
  * Interface describing the need for CORS configuration.
  *
@@ -7094,6 +7447,26 @@ export declare enum ResidentKeyRequirement {
     preferred = "preferred",
     required = "required"
 }
+/**
+ * The request object for retrieving a user code that is part of an in-progress Device Authorization Grant.
+ *
+ * @author Lyle Schemmerling
+ */
+export interface RetrieveUserCodeRequest {
+    client_id?: string;
+    client_secret?: string;
+    tenantId?: UUID;
+    user_code?: string;
+}
+/**
+ * The request object for retrieving a user code that is part of an in-progress Device Authorization Grant using an API key
+ *
+ * @author Lyle Schemmerling
+ */
+export interface RetrieveUserCodeUsingAPIKeyRequest {
+    tenantId?: UUID;
+    user_code?: string;
+}
 /**
  * @author Brian Pontarelli
  */
@@ -7575,6 +7948,7 @@ export interface TenantFormConfiguration {
  */
 export interface TenantLambdaConfiguration {
     loginValidationId?: UUID;
+    multiFactorRequirementId?: UUID;
     scimEnterpriseUserRequestConverterId?: UUID;
     scimEnterpriseUserResponseConverterId?: UUID;
     scimGroupRequestConverterId?: UUID;
@@ -7903,13 +8277,15 @@ export interface TimeBasedDeletePolicy extends Enableable {
  * <a href="https://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-05">
  * Draft RFC on OAuth 2.0 Message Authentication Code (MAC) Tokens</a>
  * </li>
+ * <li>DPoP Token type as defined by <a href="https://datatracker.ietf.org/doc/html/rfc9449">RFC 9449</a></li>
  * </ul>
  *
  * @author Daniel DeGroff
  */
 export declare enum TokenType {
     Bearer = "Bearer",
-    MAC = "MAC"
+    MAC = "MAC",
+    DPoP = "DPoP"
 }
 /**
  * The response from the total report. This report stores the total numbers for each application.
@@ -7938,6 +8314,24 @@ export declare enum TransactionType {
     SuperMajority = "SuperMajority",
     AbsoluteMajority = "AbsoluteMajority"
 }
+/**
+ * Represents the inbound lambda parameter 'mfaTrust' inside the 'context' parameter for MFA Required lambdas.
+ */
+export interface Trust {
+    applicationId?: UUID;
+    attributes?: Record<string, string>;
+    expirationInstant?: number;
+    id?: string;
+    insertInstant?: number;
+    startInstants?: StartInstant;
+    state?: Record<string, any>;
+    tenantId?: UUID;
+    userId?: UUID;
+}
+export interface StartInstant {
+    applications?: Record<UUID, number>;
+    tenant?: number;
+}
 /**
  * @author Brett Guy
  */
@@ -8082,6 +8476,16 @@ export interface TwoFactorStartResponse {
     methods?: Array<TwoFactorMethod>;
     twoFactorId?: string;
 }
+/**
+ * Check the status of two-factor authentication for a user, with more options than on a GET request.
+ */
+export interface TwoFactorStatusRequest extends BaseEventRequest {
+    accessToken?: string;
+    action?: MultiFactorAction;
+    applicationId?: UUID;
+    twoFactorTrustId?: string;
+    userId?: UUID;
+}
 /**
  * @author Daniel DeGroff
  */
@@ -8411,6 +8815,21 @@ export interface UserCreateCompleteEvent extends BaseUserEvent {
  */
 export interface UserCreateEvent extends BaseUserEvent {
 }
+/**
+ * The request object for exchanging user credentials (username and password) for an access token.
+ *
+ * @author Lyle Schemmerling
+ */
+export interface UserCredentialsAccessTokenRequest {
+    client_id?: string;
+    client_secret?: string;
+    grant_type?: string;
+    password?: string;
+    scope?: string;
+    tenantId?: string;
+    user_code?: string;
+    username?: string;
+}
 /**
  * Models the User Deactivate Event.
  *
@@ -8851,6 +9270,16 @@ export declare enum UserVerificationRequirement {
  */
 export interface UserinfoResponse extends Record<string, any> {
 }
+/**
+ * The request object for validating an end-user provided user_code from the user-interaction of the Device Authorization Grant
+ *
+ * @author Lyle Schemmerling
+ */
+export interface ValidateDeviceRequest {
+    client_id?: string;
+    tenantId?: UUID;
+    user_code?: string;
+}
 /**
  * @author Daniel DeGroff
  */
@@ -8924,6 +9353,7 @@ export interface VerifySendRequest {
  */
 export interface VerifyStartRequest {
     applicationId?: UUID;
+    existingUserStrategy?: ExistingUserStrategy;
     loginId?: string;
     loginIdType?: string;
     state?: Record<string, any>;