@logto/schemas 1.19.0 → 1.20.0

package/alterations/1.20.0-1723448981-personal-access-tokens.ts

@@ -0,0 +1,35 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      create table personal_access_tokens (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        user_id varchar(21) not null
+          references users (id) on update cascade on delete cascade,
+        /** The name of the secret. Should be unique within the user. */
+        name varchar(256) not null,
+        value varchar(64) not null,
+        created_at timestamptz not null default now(),
+        expires_at timestamptz,
+        primary key (tenant_id, user_id, name)
+      );
+
+      create index personal_access_token__value on personal_access_tokens (tenant_id, value);
+    `);
+    await applyTableRls(pool, 'personal_access_tokens');
+  },
+  down: async (pool) => {
+    await dropTableRls(pool, 'personal_access_tokens');
+    await pool.query(sql`
+      drop table personal_access_tokens;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.20.0-1724229102-add-report-sub-updates-cloud-scope.ts

@@ -0,0 +1,102 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+import { generateStandardId } from './utils/1716643968-id-generation.js';
+
+type Resource = {
+  tenantId: string;
+  id: string;
+  name: string;
+  indicator: string;
+  isDefault: boolean;
+};
+
+type Scope = {
+  tenantId: string;
+  id: string;
+  resourceId: string;
+  name: string;
+  description: string;
+};
+
+type Role = {
+  tenantId: string;
+  id: string;
+  name: string;
+  description: string;
+};
+
+const cloudApiIndicator = 'https://cloud.logto.io/api';
+
+const cloudConnectionAppRoleName = 'tenantApplication';
+
+const adminTenantId = 'admin';
+
+const reportSubscriptionUpdatesScopeName = 'report:subscription:updates';
+const reportSubscriptionUpdatesScopeDescription =
+  'Allow reporting changes on Stripe subscription to Logto Cloud.';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    // Get the Cloud API resource
+    const cloudApiResource = await pool.maybeOne<Resource>(sql`
+      select * from resources
+      where tenant_id = ${adminTenantId}
+      and indicator = ${cloudApiIndicator}
+    `);
+
+    if (!cloudApiResource) {
+      return;
+    }
+
+    // Get cloud connection application role
+    const tenantApplicationRole = await pool.one<Role>(sql`
+      select * from roles
+      where tenant_id = ${adminTenantId}
+      and name = ${cloudConnectionAppRoleName} and type = 'MachineToMachine'
+    `);
+
+    // Create the `report:subscription:updates` scope
+    const reportSubscriptionUpdatesCloudScope = await pool.one<Scope>(sql`
+      insert into scopes (id, tenant_id, resource_id, name, description)
+      values (${generateStandardId()}, ${adminTenantId}, ${
+        cloudApiResource.id
+      }, ${reportSubscriptionUpdatesScopeName}, ${reportSubscriptionUpdatesScopeDescription})
+      on conflict (tenant_id, name, resource_id) do nothing
+      returning *;
+    `);
+
+    // Assign the `report:subscription:updates` scope to cloud connection application role
+    await pool.query(sql`
+      insert into roles_scopes (id, tenant_id, role_id, scope_id)
+      values (${generateStandardId()}, ${adminTenantId}, ${tenantApplicationRole.id}, ${
+        reportSubscriptionUpdatesCloudScope.id
+      }) on conflict (tenant_id, role_id, scope_id) do nothing;
+    `);
+  },
+  down: async (pool) => {
+    // Get the Cloud API resource
+    const cloudApiResource = await pool.maybeOne<Resource>(sql`
+      select * from resources
+      where tenant_id = ${adminTenantId}
+      and indicator = ${cloudApiIndicator}
+    `);
+
+    if (!cloudApiResource) {
+      return;
+    }
+
+    // Remove the `report:subscription:updates` scope
+    await pool.query(sql`
+      delete from scopes
+      where
+        tenant_id = ${adminTenantId} and
+        name = ${reportSubscriptionUpdatesScopeName} and
+        description = ${reportSubscriptionUpdatesScopeDescription} and
+        resource_id = ${cloudApiResource.id}
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.20.0-1724316971-add-verified-identifier-to-verification-statuses.ts

@@ -0,0 +1,18 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table verification_statuses add column verified_identifier varchar(255);
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table verification_statuses drop column verified_identifier;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.20.0-1725971571-add-verification-record.ts

@@ -0,0 +1,35 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      create table verification_records (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        id varchar(21) not null,
+        user_id varchar(21)
+          references users (id) on update cascade on delete cascade,
+        created_at timestamptz not null default(now()),
+        expires_at timestamptz not null,
+        data jsonb /* @use VerificationRecordData */ not null default '{}'::jsonb,
+        primary key (id)
+      );
+
+      create index verification_records__id
+        on verification_records (tenant_id, id);
+    `);
+    await applyTableRls(pool, 'verification_records');
+  },
+  down: async (pool) => {
+    await dropTableRls(pool, 'verification_records');
+    await pool.query(sql`
+      drop table verification_records;
+    `);
+  },
+};
+
+export default alteration;

package/alterations-js/1.20.0-1723448981-personal-access-tokens.js

@@ -0,0 +1,30 @@
+import { sql } from '@silverhand/slonik';
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      create table personal_access_tokens (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        user_id varchar(21) not null
+          references users (id) on update cascade on delete cascade,
+        /** The name of the secret. Should be unique within the user. */
+        name varchar(256) not null,
+        value varchar(64) not null,
+        created_at timestamptz not null default now(),
+        expires_at timestamptz,
+        primary key (tenant_id, user_id, name)
+      );
+
+      create index personal_access_token__value on personal_access_tokens (tenant_id, value);
+    `);
+        await applyTableRls(pool, 'personal_access_tokens');
+    },
+    down: async (pool) => {
+        await dropTableRls(pool, 'personal_access_tokens');
+        await pool.query(sql `
+      drop table personal_access_tokens;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.20.0-1724229102-add-report-sub-updates-cloud-scope.js

@@ -0,0 +1,59 @@
+import { sql } from '@silverhand/slonik';
+import { generateStandardId } from './utils/1716643968-id-generation.js';
+const cloudApiIndicator = 'https://cloud.logto.io/api';
+const cloudConnectionAppRoleName = 'tenantApplication';
+const adminTenantId = 'admin';
+const reportSubscriptionUpdatesScopeName = 'report:subscription:updates';
+const reportSubscriptionUpdatesScopeDescription = 'Allow reporting changes on Stripe subscription to Logto Cloud.';
+const alteration = {
+    up: async (pool) => {
+        // Get the Cloud API resource
+        const cloudApiResource = await pool.maybeOne(sql `
+      select * from resources
+      where tenant_id = ${adminTenantId}
+      and indicator = ${cloudApiIndicator}
+    `);
+        if (!cloudApiResource) {
+            return;
+        }
+        // Get cloud connection application role
+        const tenantApplicationRole = await pool.one(sql `
+      select * from roles
+      where tenant_id = ${adminTenantId}
+      and name = ${cloudConnectionAppRoleName} and type = 'MachineToMachine'
+    `);
+        // Create the `report:subscription:updates` scope
+        const reportSubscriptionUpdatesCloudScope = await pool.one(sql `
+      insert into scopes (id, tenant_id, resource_id, name, description)
+      values (${generateStandardId()}, ${adminTenantId}, ${cloudApiResource.id}, ${reportSubscriptionUpdatesScopeName}, ${reportSubscriptionUpdatesScopeDescription})
+      on conflict (tenant_id, name, resource_id) do nothing
+      returning *;
+    `);
+        // Assign the `report:subscription:updates` scope to cloud connection application role
+        await pool.query(sql `
+      insert into roles_scopes (id, tenant_id, role_id, scope_id)
+      values (${generateStandardId()}, ${adminTenantId}, ${tenantApplicationRole.id}, ${reportSubscriptionUpdatesCloudScope.id}) on conflict (tenant_id, role_id, scope_id) do nothing;
+    `);
+    },
+    down: async (pool) => {
+        // Get the Cloud API resource
+        const cloudApiResource = await pool.maybeOne(sql `
+      select * from resources
+      where tenant_id = ${adminTenantId}
+      and indicator = ${cloudApiIndicator}
+    `);
+        if (!cloudApiResource) {
+            return;
+        }
+        // Remove the `report:subscription:updates` scope
+        await pool.query(sql `
+      delete from scopes
+      where
+        tenant_id = ${adminTenantId} and
+        name = ${reportSubscriptionUpdatesScopeName} and
+        description = ${reportSubscriptionUpdatesScopeDescription} and
+        resource_id = ${cloudApiResource.id}
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.20.0-1724316971-add-verified-identifier-to-verification-statuses.js

@@ -0,0 +1,14 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table verification_statuses add column verified_identifier varchar(255);
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table verification_statuses drop column verified_identifier;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.20.0-1725971571-add-verification-record.js

@@ -0,0 +1,30 @@
+import { sql } from '@silverhand/slonik';
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      create table verification_records (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        id varchar(21) not null,
+        user_id varchar(21)
+          references users (id) on update cascade on delete cascade,
+        created_at timestamptz not null default(now()),
+        expires_at timestamptz not null,
+        data jsonb /* @use VerificationRecordData */ not null default '{}'::jsonb,
+        primary key (id)
+      );
+
+      create index verification_records__id
+        on verification_records (tenant_id, id);
+    `);
+        await applyTableRls(pool, 'verification_records');
+    },
+    down: async (pool) => {
+        await dropTableRls(pool, 'verification_records');
+        await pool.query(sql `
+      drop table verification_records;
+    `);
+    },
+};
+export default alteration;

package/lib/consts/experience.d.ts

@@ -1,8 +1,11 @@
 export declare const experience: Readonly<{
-    routes: Readonly<{
-        signIn: "sign-in";
-        register: "register";
-        sso: "single-sign-on";
-        consent: "consent";
+    readonly routes: Readonly<{
+        readonly signIn: "sign-in";
+        readonly register: "register";
+        readonly sso: "single-sign-on";
+        readonly consent: "consent";
+        readonly resetPassword: "reset-password";
+        readonly identifierSignIn: "identifier-sign-in";
+        readonly identifierRegister: "identifier-register";
     }>;
 }>;

package/lib/consts/experience.js

@@ -3,6 +3,9 @@ const routes = Object.freeze({
     register: 'register',
     sso: 'single-sign-on',
     consent: 'consent',
+    resetPassword: 'reset-password',
+    identifierSignIn: 'identifier-sign-in',
+    identifierRegister: 'identifier-register',
 });
 export const experience = Object.freeze({
     routes,

package/lib/consts/oidc.d.ts

@@ -32,7 +32,24 @@ export declare enum ExtraParamsKey {
      * Override the default sign-in experience configuration with the settings from the specified
      * organization ID.
      */
-    OrganizationId = "organization_id"
+    OrganizationId = "organization_id",
+    /**
+     * Provides a hint about the login identifier the user might use.
+     * This can be used to pre-fill the identifier field **only on the first screen** of the sign-in/sign-up flow.
+     */
+    LoginHint = "login_hint",
+    /**
+     * Specifies the identifier used in the identifier sign-in or identifier register page.
+     *
+     * This parameter is applicable only when first_screen is set to either `FirstScreen.IdentifierSignIn` or `FirstScreen.IdentifierRegister`.
+     * Multiple identifiers can be provided in the identifier parameter, separated by spaces.
+     *
+     * If the provided identifier is not supported in the Logto sign-in experience configuration, it will be ignored,
+     * and if no one of them is supported, it will fallback to the sign-in / sign-up method value set in the sign-in experience configuration.
+     *
+     * @see {@link SignInIdentifier} for available values.
+     */
+    Identifier = "identifier"
 }
 /** @deprecated Use {@link FirstScreen} instead. */
 export declare enum InteractionMode {
@@ -40,28 +57,42 @@ export declare enum InteractionMode {
     SignUp = "signUp"
 }
 export declare enum FirstScreen {
-    SignIn = "signIn",
-    Register = "register"
+    SignIn = "sign_in",
+    Register = "register",
+    ResetPassword = "reset_password",
+    IdentifierSignIn = "identifier:sign_in",
+    IdentifierRegister = "identifier:register",
+    SingleSignOn = "single_sign_on",
+    /** @deprecated Use snake_case 'sign_in' instead. */
+    SignInDeprecated = "signIn"
 }
 export declare const extraParamsObjectGuard: z.ZodObject<{
     interaction_mode: z.ZodOptional<z.ZodNativeEnum<typeof InteractionMode>>;
     first_screen: z.ZodOptional<z.ZodNativeEnum<typeof FirstScreen>>;
     direct_sign_in: z.ZodOptional<z.ZodString>;
     organization_id: z.ZodOptional<z.ZodString>;
+    login_hint: z.ZodOptional<z.ZodString>;
+    identifier: z.ZodOptional<z.ZodString>;
 }, "strip", z.ZodTypeAny, {
     interaction_mode?: InteractionMode | undefined;
     first_screen?: FirstScreen | undefined;
     direct_sign_in?: string | undefined;
     organization_id?: string | undefined;
+    login_hint?: string | undefined;
+    identifier?: string | undefined;
 }, {
     interaction_mode?: InteractionMode | undefined;
     first_screen?: FirstScreen | undefined;
     direct_sign_in?: string | undefined;
     organization_id?: string | undefined;
+    login_hint?: string | undefined;
+    identifier?: string | undefined;
 }>;
 export type ExtraParamsObject = Partial<{
     [ExtraParamsKey.InteractionMode]: InteractionMode;
     [ExtraParamsKey.FirstScreen]: FirstScreen;
     [ExtraParamsKey.DirectSignIn]: string;
     [ExtraParamsKey.OrganizationId]: string;
+    [ExtraParamsKey.LoginHint]: string;
+    [ExtraParamsKey.Identifier]: string;
 }>;

package/lib/consts/oidc.js

@@ -35,6 +35,23 @@ export var ExtraParamsKey;
      * organization ID.
      */
     ExtraParamsKey["OrganizationId"] = "organization_id";
+    /**
+     * Provides a hint about the login identifier the user might use.
+     * This can be used to pre-fill the identifier field **only on the first screen** of the sign-in/sign-up flow.
+     */
+    ExtraParamsKey["LoginHint"] = "login_hint";
+    /**
+     * Specifies the identifier used in the identifier sign-in or identifier register page.
+     *
+     * This parameter is applicable only when first_screen is set to either `FirstScreen.IdentifierSignIn` or `FirstScreen.IdentifierRegister`.
+     * Multiple identifiers can be provided in the identifier parameter, separated by spaces.
+     *
+     * If the provided identifier is not supported in the Logto sign-in experience configuration, it will be ignored,
+     * and if no one of them is supported, it will fallback to the sign-in / sign-up method value set in the sign-in experience configuration.
+     *
+     * @see {@link SignInIdentifier} for available values.
+     */
+    ExtraParamsKey["Identifier"] = "identifier";
 })(ExtraParamsKey || (ExtraParamsKey = {}));
 /** @deprecated Use {@link FirstScreen} instead. */
 export var InteractionMode;
@@ -44,8 +61,14 @@ export var InteractionMode;
 })(InteractionMode || (InteractionMode = {}));
 export var FirstScreen;
 (function (FirstScreen) {
-    FirstScreen["SignIn"] = "signIn";
+    FirstScreen["SignIn"] = "sign_in";
     FirstScreen["Register"] = "register";
+    FirstScreen["ResetPassword"] = "reset_password";
+    FirstScreen["IdentifierSignIn"] = "identifier:sign_in";
+    FirstScreen["IdentifierRegister"] = "identifier:register";
+    FirstScreen["SingleSignOn"] = "single_sign_on";
+    /** @deprecated Use snake_case 'sign_in' instead. */
+    FirstScreen["SignInDeprecated"] = "signIn";
 })(FirstScreen || (FirstScreen = {}));
 export const extraParamsObjectGuard = z
     .object({
@@ -53,5 +76,7 @@ export const extraParamsObjectGuard = z
     [ExtraParamsKey.FirstScreen]: z.nativeEnum(FirstScreen),
     [ExtraParamsKey.DirectSignIn]: z.string(),
     [ExtraParamsKey.OrganizationId]: z.string(),
+    [ExtraParamsKey.LoginHint]: z.string(),
+    [ExtraParamsKey.Identifier]: z.string(),
 })
     .partial();

package/lib/consts/subscriptions.d.ts

@@ -18,6 +18,7 @@ export declare enum ReservedPlanId {
      */
     Hobby = "hobby",
     Pro = "pro",
+    Enterprise = "enterprise",
     /**
      * @deprecated
      * Should not use this plan ID, we only use this tag as a record for the legacy `pro` plan since we will rename the `hobby` plan to be `pro`.

package/lib/consts/subscriptions.js

@@ -19,6 +19,7 @@ export var ReservedPlanId;
      */
     ReservedPlanId["Hobby"] = "hobby";
     ReservedPlanId["Pro"] = "pro";
+    ReservedPlanId["Enterprise"] = "enterprise";
     /**
      * @deprecated
      * Should not use this plan ID, we only use this tag as a record for the legacy `pro` plan since we will rename the `hobby` plan to be `pro`.

package/lib/db-entries/index.d.ts

@@ -36,6 +36,7 @@ export * from './organization-scope.js';
 export * from './organization-user-relation.js';
 export * from './organization.js';
 export * from './passcode.js';
+export * from './personal-access-token.js';
 export * from './resource.js';
 export * from './role.js';
 export * from './roles-scope.js';
@@ -49,4 +50,5 @@ export * from './system.js';
 export * from './user-sso-identity.js';
 export * from './user.js';
 export * from './users-role.js';
+export * from './verification-record.js';
 export * from './verification-status.js';

package/lib/db-entries/index.js

@@ -37,6 +37,7 @@ export * from './organization-scope.js';
 export * from './organization-user-relation.js';
 export * from './organization.js';
 export * from './passcode.js';
+export * from './personal-access-token.js';
 export * from './resource.js';
 export * from './role.js';
 export * from './roles-scope.js';
@@ -50,4 +51,5 @@ export * from './system.js';
 export * from './user-sso-identity.js';
 export * from './user.js';
 export * from './users-role.js';
+export * from './verification-record.js';
 export * from './verification-status.js';

package/lib/db-entries/personal-access-token.d.ts

@@ -0,0 +1,26 @@
+import { GeneratedSchema } from './../foundations/index.js';
+/**
+ *
+ * @remarks This is a type for database creation.
+ * @see {@link PersonalAccessToken} for the original type.
+ */
+export type CreatePersonalAccessToken = {
+    tenantId?: string;
+    userId: string;
+    /** The name of the secret. Should be unique within the user. */
+    name: string;
+    value: string;
+    createdAt?: number;
+    expiresAt?: number | null;
+};
+export type PersonalAccessToken = {
+    tenantId: string;
+    userId: string;
+    /** The name of the secret. Should be unique within the user. */
+    name: string;
+    value: string;
+    createdAt: number;
+    expiresAt: number | null;
+};
+export type PersonalAccessTokenKeys = 'tenantId' | 'userId' | 'name' | 'value' | 'createdAt' | 'expiresAt';
+export declare const PersonalAccessTokens: GeneratedSchema<PersonalAccessTokenKeys, CreatePersonalAccessToken, PersonalAccessToken, 'personal_access_tokens', 'personal_access_token'>;

package/lib/db-entries/personal-access-token.js

@@ -0,0 +1,41 @@
+// THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+import { z } from 'zod';
+const createGuard = z.object({
+    tenantId: z.string().max(21).optional(),
+    userId: z.string().min(1).max(21),
+    name: z.string().min(1).max(256),
+    value: z.string().min(1).max(64),
+    createdAt: z.number().optional(),
+    expiresAt: z.number().nullable().optional(),
+});
+const guard = z.object({
+    tenantId: z.string().max(21),
+    userId: z.string().min(1).max(21),
+    name: z.string().min(1).max(256),
+    value: z.string().min(1).max(64),
+    createdAt: z.number(),
+    expiresAt: z.number().nullable(),
+});
+export const PersonalAccessTokens = Object.freeze({
+    table: 'personal_access_tokens',
+    tableSingular: 'personal_access_token',
+    fields: {
+        tenantId: 'tenant_id',
+        userId: 'user_id',
+        name: 'name',
+        value: 'value',
+        createdAt: 'created_at',
+        expiresAt: 'expires_at',
+    },
+    fieldKeys: [
+        'tenantId',
+        'userId',
+        'name',
+        'value',
+        'createdAt',
+        'expiresAt',
+    ],
+    createGuard,
+    guard,
+    updateGuard: guard.partial(),
+});

package/lib/db-entries/verification-record.d.ts

@@ -0,0 +1,26 @@
+import { JsonObject, GeneratedSchema } from './../foundations/index.js';
+/**
+ *
+ * @remarks This is a type for database creation.
+ * @see {@link VerificationRecord} for the original type.
+ */
+export type CreateVerificationRecord = {
+    tenantId?: string;
+    id: string;
+    userId?: string | null;
+    createdAt?: number;
+    expiresAt: number;
+    /** Use JsonObject here to avoid complex typing, the type will be validated in verification classes. */
+    data?: JsonObject;
+};
+export type VerificationRecord = {
+    tenantId: string;
+    id: string;
+    userId: string | null;
+    createdAt: number;
+    expiresAt: number;
+    /** Use JsonObject here to avoid complex typing, the type will be validated in verification classes. */
+    data: JsonObject;
+};
+export type VerificationRecordKeys = 'tenantId' | 'id' | 'userId' | 'createdAt' | 'expiresAt' | 'data';
+export declare const VerificationRecords: GeneratedSchema<VerificationRecordKeys, CreateVerificationRecord, VerificationRecord, 'verification_records', 'verification_record'>;

package/lib/db-entries/verification-record.js

@@ -0,0 +1,42 @@
+// THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+import { z } from 'zod';
+import { jsonObjectGuard } from './../foundations/index.js';
+const createGuard = z.object({
+    tenantId: z.string().max(21).optional(),
+    id: z.string().min(1).max(21),
+    userId: z.string().max(21).nullable().optional(),
+    createdAt: z.number().optional(),
+    expiresAt: z.number(),
+    data: jsonObjectGuard.optional(),
+});
+const guard = z.object({
+    tenantId: z.string().max(21),
+    id: z.string().min(1).max(21),
+    userId: z.string().max(21).nullable(),
+    createdAt: z.number(),
+    expiresAt: z.number(),
+    data: jsonObjectGuard,
+});
+export const VerificationRecords = Object.freeze({
+    table: 'verification_records',
+    tableSingular: 'verification_record',
+    fields: {
+        tenantId: 'tenant_id',
+        id: 'id',
+        userId: 'user_id',
+        createdAt: 'created_at',
+        expiresAt: 'expires_at',
+        data: 'data',
+    },
+    fieldKeys: [
+        'tenantId',
+        'id',
+        'userId',
+        'createdAt',
+        'expiresAt',
+        'data',
+    ],
+    createGuard,
+    guard,
+    updateGuard: guard.partial(),
+});

package/lib/db-entries/verification-status.d.ts

@@ -9,12 +9,14 @@ export type CreateVerificationStatus = {
     id: string;
     userId: string;
     createdAt?: number;
+    verifiedIdentifier?: string | null;
 };
 export type VerificationStatus = {
     tenantId: string;
     id: string;
     userId: string;
     createdAt: number;
+    verifiedIdentifier: string | null;
 };
-export type VerificationStatusKeys = 'tenantId' | 'id' | 'userId' | 'createdAt';
+export type VerificationStatusKeys = 'tenantId' | 'id' | 'userId' | 'createdAt' | 'verifiedIdentifier';
 export declare const VerificationStatuses: GeneratedSchema<VerificationStatusKeys, CreateVerificationStatus, VerificationStatus, 'verification_statuses', 'verification_status'>;

package/lib/db-entries/verification-status.js

@@ -5,12 +5,14 @@ const createGuard = z.object({
     id: z.string().min(1).max(21),
     userId: z.string().min(1).max(21),
     createdAt: z.number().optional(),
+    verifiedIdentifier: z.string().max(255).nullable().optional(),
 });
 const guard = z.object({
     tenantId: z.string().max(21),
     id: z.string().min(1).max(21),
     userId: z.string().min(1).max(21),
     createdAt: z.number(),
+    verifiedIdentifier: z.string().max(255).nullable(),
 });
 export const VerificationStatuses = Object.freeze({
     table: 'verification_statuses',
@@ -20,12 +22,14 @@ export const VerificationStatuses = Object.freeze({
         id: 'id',
         userId: 'user_id',
         createdAt: 'created_at',
+        verifiedIdentifier: 'verified_identifier',
     },
     fieldKeys: [
         'tenantId',
         'id',
         'userId',
         'createdAt',
+        'verifiedIdentifier',
     ],
     createGuard,
     guard,

package/lib/foundations/jsonb-types/index.d.ts

@@ -8,5 +8,6 @@ export * from './sentinel.js';
 export * from './users.js';
 export * from './sso-connector.js';
 export * from './applications.js';
+export * from './verification-records.js';
 export { configurableConnectorMetadataGuard, type ConfigurableConnectorMetadata, jsonGuard, jsonObjectGuard, } from '@logto/connector-kit';
 export type { Json, JsonObject } from '@withtyped/server';

package/lib/foundations/jsonb-types/index.js

@@ -8,4 +8,5 @@ export * from './sentinel.js';
 export * from './users.js';
 export * from './sso-connector.js';
 export * from './applications.js';
+export * from './verification-records.js';
 export { configurableConnectorMetadataGuard, jsonGuard, jsonObjectGuard, } from '@logto/connector-kit';

package/lib/foundations/jsonb-types/logs.d.ts

@@ -14,6 +14,7 @@ export declare const logContextPayloadGuard: z.ZodObject<{
     userId: z.ZodOptional<z.ZodString>;
     applicationId: z.ZodOptional<z.ZodString>;
     sessionId: z.ZodOptional<z.ZodString>;
+    params: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
 }, "strip", z.ZodUnknown, z.objectOutputType<{
     key: z.ZodString;
     result: z.ZodNativeEnum<typeof LogResult>;
@@ -23,6 +24,7 @@ export declare const logContextPayloadGuard: z.ZodObject<{
     userId: z.ZodOptional<z.ZodString>;
     applicationId: z.ZodOptional<z.ZodString>;
     sessionId: z.ZodOptional<z.ZodString>;
+    params: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
 }, z.ZodUnknown, "strip">, z.objectInputType<{
     key: z.ZodString;
     result: z.ZodNativeEnum<typeof LogResult>;
@@ -32,6 +34,7 @@ export declare const logContextPayloadGuard: z.ZodObject<{
     userId: z.ZodOptional<z.ZodString>;
     applicationId: z.ZodOptional<z.ZodString>;
     sessionId: z.ZodOptional<z.ZodString>;
+    params: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
 }, z.ZodUnknown, "strip">>;
 export type PartialPasswordPolicy = DeepPartial<PasswordPolicy>;
 export declare const partialPasswordPolicyGuard: z.ZodObject<{

package/lib/foundations/jsonb-types/logs.js

@@ -15,6 +15,7 @@ export const logContextPayloadGuard = z
     userId: z.string().optional(),
     applicationId: z.string().optional(),
     sessionId: z.string().optional(),
+    params: z.record(z.string(), z.unknown()).optional(),
 })
     .catchall(z.unknown());
 export const partialPasswordPolicyGuard = passwordPolicyGuard.deepPartial();

package/lib/foundations/jsonb-types/sign-in-experience.d.ts

@@ -51,13 +51,13 @@ export declare const brandingGuard: z.ZodObject<{
 export type Branding = z.infer<typeof brandingGuard>;
 export declare const languageInfoGuard: z.ZodObject<{
     autoDetect: z.ZodBoolean;
-    fallbackLanguage: z.ZodType<"af-ZA" | "am-ET" | "ar-AR" | "as-IN" | "az-AZ" | "be-BY" | "bg-BG" | "bn-IN" | "br-FR" | "bs-BA" | "ca-ES" | "cb-IQ" | "co-FR" | "cs-CZ" | "cx-PH" | "cy-GB" | "da-DK" | "de" | "de-DE" | "el-GR" | "en" | "en-GB" | "en-US" | "eo-EO" | "es" | "es-ES" | "es-419" | "et-EE" | "eu-ES" | "fa-IR" | "ff-NG" | "fi-FI" | "fo-FO" | "fr" | "fr-CA" | "fr-FR" | "fy-NL" | "ga-IE" | "gl-ES" | "gn-PY" | "gu-IN" | "ha-NG" | "he-IL" | "hi-IN" | "hr-HR" | "ht-HT" | "hu-HU" | "hy-AM" | "id-ID" | "ik-US" | "is-IS" | "it" | "it-IT" | "iu-CA" | "ja" | "ja-JP" | "ja-KS" | "jv-ID" | "ka-GE" | "kk-KZ" | "km-KH" | "kn-IN" | "ko" | "ko-KR" | "ku-TR" | "ky-KG" | "lo-LA" | "lt-LT" | "lv-LV" | "mg-MG" | "mk-MK" | "ml-IN" | "mn-MN" | "mr-IN" | "ms-MY" | "mt-MT" | "my-MM" | "nb-NO" | "ne-NP" | "nl-BE" | "nl-NL" | "nn-NO" | "or-IN" | "pa-IN" | "pl-PL" | "ps-AF" | "pt" | "pt-BR" | "pt-PT" | "ro-RO" | "ru" | "ru-RU" | "rw-RW" | "sc-IT" | "si-LK" | "sk-SK" | "sl-SI" | "sn-ZW" | "sq-AL" | "sr-RS" | "sv-SE" | "sw-KE" | "sy-SY" | "sz-PL" | "ta-IN" | "te-IN" | "tg-TJ" | "th-TH" | "tl-PH" | "tr" | "tr-TR" | "tt-RU" | "tz-MA" | "uk-UA" | "ur-PK" | "uz-UZ" | "vi-VN" | "zh" | "zh-CN" | "zh-HK" | "zh-MO" | "zh-TW" | "zz-TR", z.ZodTypeDef, "af-ZA" | "am-ET" | "ar-AR" | "as-IN" | "az-AZ" | "be-BY" | "bg-BG" | "bn-IN" | "br-FR" | "bs-BA" | "ca-ES" | "cb-IQ" | "co-FR" | "cs-CZ" | "cx-PH" | "cy-GB" | "da-DK" | "de" | "de-DE" | "el-GR" | "en" | "en-GB" | "en-US" | "eo-EO" | "es" | "es-ES" | "es-419" | "et-EE" | "eu-ES" | "fa-IR" | "ff-NG" | "fi-FI" | "fo-FO" | "fr" | "fr-CA" | "fr-FR" | "fy-NL" | "ga-IE" | "gl-ES" | "gn-PY" | "gu-IN" | "ha-NG" | "he-IL" | "hi-IN" | "hr-HR" | "ht-HT" | "hu-HU" | "hy-AM" | "id-ID" | "ik-US" | "is-IS" | "it" | "it-IT" | "iu-CA" | "ja" | "ja-JP" | "ja-KS" | "jv-ID" | "ka-GE" | "kk-KZ" | "km-KH" | "kn-IN" | "ko" | "ko-KR" | "ku-TR" | "ky-KG" | "lo-LA" | "lt-LT" | "lv-LV" | "mg-MG" | "mk-MK" | "ml-IN" | "mn-MN" | "mr-IN" | "ms-MY" | "mt-MT" | "my-MM" | "nb-NO" | "ne-NP" | "nl-BE" | "nl-NL" | "nn-NO" | "or-IN" | "pa-IN" | "pl-PL" | "ps-AF" | "pt" | "pt-BR" | "pt-PT" | "ro-RO" | "ru" | "ru-RU" | "rw-RW" | "sc-IT" | "si-LK" | "sk-SK" | "sl-SI" | "sn-ZW" | "sq-AL" | "sr-RS" | "sv-SE" | "sw-KE" | "sy-SY" | "sz-PL" | "ta-IN" | "te-IN" | "tg-TJ" | "th-TH" | "tl-PH" | "tr" | "tr-TR" | "tt-RU" | "tz-MA" | "uk-UA" | "ur-PK" | "uz-UZ" | "vi-VN" | "zh" | "zh-CN" | "zh-HK" | "zh-MO" | "zh-TW" | "zz-TR">;
+    fallbackLanguage: z.ZodType<"af-ZA" | "am-ET" | "ar" | "ar-AR" | "as-IN" | "az-AZ" | "be-BY" | "bg-BG" | "bn-IN" | "br-FR" | "bs-BA" | "ca-ES" | "cb-IQ" | "co-FR" | "cs-CZ" | "cx-PH" | "cy-GB" | "da-DK" | "de" | "de-DE" | "el-GR" | "en" | "en-GB" | "en-US" | "eo-EO" | "es" | "es-ES" | "es-419" | "et-EE" | "eu-ES" | "fa-IR" | "ff-NG" | "fi-FI" | "fo-FO" | "fr" | "fr-CA" | "fr-FR" | "fy-NL" | "ga-IE" | "gl-ES" | "gn-PY" | "gu-IN" | "ha-NG" | "he-IL" | "hi-IN" | "hr-HR" | "ht-HT" | "hu-HU" | "hy-AM" | "id-ID" | "ik-US" | "is-IS" | "it" | "it-IT" | "iu-CA" | "ja" | "ja-JP" | "ja-KS" | "jv-ID" | "ka-GE" | "kk-KZ" | "km-KH" | "kn-IN" | "ko" | "ko-KR" | "ku-TR" | "ky-KG" | "lo-LA" | "lt-LT" | "lv-LV" | "mg-MG" | "mk-MK" | "ml-IN" | "mn-MN" | "mr-IN" | "ms-MY" | "mt-MT" | "my-MM" | "nb-NO" | "ne-NP" | "nl-BE" | "nl-NL" | "nn-NO" | "or-IN" | "pa-IN" | "pl-PL" | "ps-AF" | "pt" | "pt-BR" | "pt-PT" | "ro-RO" | "ru" | "ru-RU" | "rw-RW" | "sc-IT" | "si-LK" | "sk-SK" | "sl-SI" | "sn-ZW" | "sq-AL" | "sr-RS" | "sv-SE" | "sw-KE" | "sy-SY" | "sz-PL" | "ta-IN" | "te-IN" | "tg-TJ" | "th-TH" | "tl-PH" | "tr" | "tr-TR" | "tt-RU" | "tz-MA" | "uk-UA" | "ur-PK" | "uz-UZ" | "vi-VN" | "zh" | "zh-CN" | "zh-HK" | "zh-MO" | "zh-TW" | "zz-TR", z.ZodTypeDef, "af-ZA" | "am-ET" | "ar" | "ar-AR" | "as-IN" | "az-AZ" | "be-BY" | "bg-BG" | "bn-IN" | "br-FR" | "bs-BA" | "ca-ES" | "cb-IQ" | "co-FR" | "cs-CZ" | "cx-PH" | "cy-GB" | "da-DK" | "de" | "de-DE" | "el-GR" | "en" | "en-GB" | "en-US" | "eo-EO" | "es" | "es-ES" | "es-419" | "et-EE" | "eu-ES" | "fa-IR" | "ff-NG" | "fi-FI" | "fo-FO" | "fr" | "fr-CA" | "fr-FR" | "fy-NL" | "ga-IE" | "gl-ES" | "gn-PY" | "gu-IN" | "ha-NG" | "he-IL" | "hi-IN" | "hr-HR" | "ht-HT" | "hu-HU" | "hy-AM" | "id-ID" | "ik-US" | "is-IS" | "it" | "it-IT" | "iu-CA" | "ja" | "ja-JP" | "ja-KS" | "jv-ID" | "ka-GE" | "kk-KZ" | "km-KH" | "kn-IN" | "ko" | "ko-KR" | "ku-TR" | "ky-KG" | "lo-LA" | "lt-LT" | "lv-LV" | "mg-MG" | "mk-MK" | "ml-IN" | "mn-MN" | "mr-IN" | "ms-MY" | "mt-MT" | "my-MM" | "nb-NO" | "ne-NP" | "nl-BE" | "nl-NL" | "nn-NO" | "or-IN" | "pa-IN" | "pl-PL" | "ps-AF" | "pt" | "pt-BR" | "pt-PT" | "ro-RO" | "ru" | "ru-RU" | "rw-RW" | "sc-IT" | "si-LK" | "sk-SK" | "sl-SI" | "sn-ZW" | "sq-AL" | "sr-RS" | "sv-SE" | "sw-KE" | "sy-SY" | "sz-PL" | "ta-IN" | "te-IN" | "tg-TJ" | "th-TH" | "tl-PH" | "tr" | "tr-TR" | "tt-RU" | "tz-MA" | "uk-UA" | "ur-PK" | "uz-UZ" | "vi-VN" | "zh" | "zh-CN" | "zh-HK" | "zh-MO" | "zh-TW" | "zz-TR">;
 }, "strip", z.ZodTypeAny, {
     autoDetect: boolean;
-    fallbackLanguage: "af-ZA" | "am-ET" | "ar-AR" | "as-IN" | "az-AZ" | "be-BY" | "bg-BG" | "bn-IN" | "br-FR" | "bs-BA" | "ca-ES" | "cb-IQ" | "co-FR" | "cs-CZ" | "cx-PH" | "cy-GB" | "da-DK" | "de" | "de-DE" | "el-GR" | "en" | "en-GB" | "en-US" | "eo-EO" | "es" | "es-ES" | "es-419" | "et-EE" | "eu-ES" | "fa-IR" | "ff-NG" | "fi-FI" | "fo-FO" | "fr" | "fr-CA" | "fr-FR" | "fy-NL" | "ga-IE" | "gl-ES" | "gn-PY" | "gu-IN" | "ha-NG" | "he-IL" | "hi-IN" | "hr-HR" | "ht-HT" | "hu-HU" | "hy-AM" | "id-ID" | "ik-US" | "is-IS" | "it" | "it-IT" | "iu-CA" | "ja" | "ja-JP" | "ja-KS" | "jv-ID" | "ka-GE" | "kk-KZ" | "km-KH" | "kn-IN" | "ko" | "ko-KR" | "ku-TR" | "ky-KG" | "lo-LA" | "lt-LT" | "lv-LV" | "mg-MG" | "mk-MK" | "ml-IN" | "mn-MN" | "mr-IN" | "ms-MY" | "mt-MT" | "my-MM" | "nb-NO" | "ne-NP" | "nl-BE" | "nl-NL" | "nn-NO" | "or-IN" | "pa-IN" | "pl-PL" | "ps-AF" | "pt" | "pt-BR" | "pt-PT" | "ro-RO" | "ru" | "ru-RU" | "rw-RW" | "sc-IT" | "si-LK" | "sk-SK" | "sl-SI" | "sn-ZW" | "sq-AL" | "sr-RS" | "sv-SE" | "sw-KE" | "sy-SY" | "sz-PL" | "ta-IN" | "te-IN" | "tg-TJ" | "th-TH" | "tl-PH" | "tr" | "tr-TR" | "tt-RU" | "tz-MA" | "uk-UA" | "ur-PK" | "uz-UZ" | "vi-VN" | "zh" | "zh-CN" | "zh-HK" | "zh-MO" | "zh-TW" | "zz-TR";
+    fallbackLanguage: "af-ZA" | "am-ET" | "ar" | "ar-AR" | "as-IN" | "az-AZ" | "be-BY" | "bg-BG" | "bn-IN" | "br-FR" | "bs-BA" | "ca-ES" | "cb-IQ" | "co-FR" | "cs-CZ" | "cx-PH" | "cy-GB" | "da-DK" | "de" | "de-DE" | "el-GR" | "en" | "en-GB" | "en-US" | "eo-EO" | "es" | "es-ES" | "es-419" | "et-EE" | "eu-ES" | "fa-IR" | "ff-NG" | "fi-FI" | "fo-FO" | "fr" | "fr-CA" | "fr-FR" | "fy-NL" | "ga-IE" | "gl-ES" | "gn-PY" | "gu-IN" | "ha-NG" | "he-IL" | "hi-IN" | "hr-HR" | "ht-HT" | "hu-HU" | "hy-AM" | "id-ID" | "ik-US" | "is-IS" | "it" | "it-IT" | "iu-CA" | "ja" | "ja-JP" | "ja-KS" | "jv-ID" | "ka-GE" | "kk-KZ" | "km-KH" | "kn-IN" | "ko" | "ko-KR" | "ku-TR" | "ky-KG" | "lo-LA" | "lt-LT" | "lv-LV" | "mg-MG" | "mk-MK" | "ml-IN" | "mn-MN" | "mr-IN" | "ms-MY" | "mt-MT" | "my-MM" | "nb-NO" | "ne-NP" | "nl-BE" | "nl-NL" | "nn-NO" | "or-IN" | "pa-IN" | "pl-PL" | "ps-AF" | "pt" | "pt-BR" | "pt-PT" | "ro-RO" | "ru" | "ru-RU" | "rw-RW" | "sc-IT" | "si-LK" | "sk-SK" | "sl-SI" | "sn-ZW" | "sq-AL" | "sr-RS" | "sv-SE" | "sw-KE" | "sy-SY" | "sz-PL" | "ta-IN" | "te-IN" | "tg-TJ" | "th-TH" | "tl-PH" | "tr" | "tr-TR" | "tt-RU" | "tz-MA" | "uk-UA" | "ur-PK" | "uz-UZ" | "vi-VN" | "zh" | "zh-CN" | "zh-HK" | "zh-MO" | "zh-TW" | "zz-TR";
 }, {
     autoDetect: boolean;
-    fallbackLanguage: "af-ZA" | "am-ET" | "ar-AR" | "as-IN" | "az-AZ" | "be-BY" | "bg-BG" | "bn-IN" | "br-FR" | "bs-BA" | "ca-ES" | "cb-IQ" | "co-FR" | "cs-CZ" | "cx-PH" | "cy-GB" | "da-DK" | "de" | "de-DE" | "el-GR" | "en" | "en-GB" | "en-US" | "eo-EO" | "es" | "es-ES" | "es-419" | "et-EE" | "eu-ES" | "fa-IR" | "ff-NG" | "fi-FI" | "fo-FO" | "fr" | "fr-CA" | "fr-FR" | "fy-NL" | "ga-IE" | "gl-ES" | "gn-PY" | "gu-IN" | "ha-NG" | "he-IL" | "hi-IN" | "hr-HR" | "ht-HT" | "hu-HU" | "hy-AM" | "id-ID" | "ik-US" | "is-IS" | "it" | "it-IT" | "iu-CA" | "ja" | "ja-JP" | "ja-KS" | "jv-ID" | "ka-GE" | "kk-KZ" | "km-KH" | "kn-IN" | "ko" | "ko-KR" | "ku-TR" | "ky-KG" | "lo-LA" | "lt-LT" | "lv-LV" | "mg-MG" | "mk-MK" | "ml-IN" | "mn-MN" | "mr-IN" | "ms-MY" | "mt-MT" | "my-MM" | "nb-NO" | "ne-NP" | "nl-BE" | "nl-NL" | "nn-NO" | "or-IN" | "pa-IN" | "pl-PL" | "ps-AF" | "pt" | "pt-BR" | "pt-PT" | "ro-RO" | "ru" | "ru-RU" | "rw-RW" | "sc-IT" | "si-LK" | "sk-SK" | "sl-SI" | "sn-ZW" | "sq-AL" | "sr-RS" | "sv-SE" | "sw-KE" | "sy-SY" | "sz-PL" | "ta-IN" | "te-IN" | "tg-TJ" | "th-TH" | "tl-PH" | "tr" | "tr-TR" | "tt-RU" | "tz-MA" | "uk-UA" | "ur-PK" | "uz-UZ" | "vi-VN" | "zh" | "zh-CN" | "zh-HK" | "zh-MO" | "zh-TW" | "zz-TR";
+    fallbackLanguage: "af-ZA" | "am-ET" | "ar" | "ar-AR" | "as-IN" | "az-AZ" | "be-BY" | "bg-BG" | "bn-IN" | "br-FR" | "bs-BA" | "ca-ES" | "cb-IQ" | "co-FR" | "cs-CZ" | "cx-PH" | "cy-GB" | "da-DK" | "de" | "de-DE" | "el-GR" | "en" | "en-GB" | "en-US" | "eo-EO" | "es" | "es-ES" | "es-419" | "et-EE" | "eu-ES" | "fa-IR" | "ff-NG" | "fi-FI" | "fo-FO" | "fr" | "fr-CA" | "fr-FR" | "fy-NL" | "ga-IE" | "gl-ES" | "gn-PY" | "gu-IN" | "ha-NG" | "he-IL" | "hi-IN" | "hr-HR" | "ht-HT" | "hu-HU" | "hy-AM" | "id-ID" | "ik-US" | "is-IS" | "it" | "it-IT" | "iu-CA" | "ja" | "ja-JP" | "ja-KS" | "jv-ID" | "ka-GE" | "kk-KZ" | "km-KH" | "kn-IN" | "ko" | "ko-KR" | "ku-TR" | "ky-KG" | "lo-LA" | "lt-LT" | "lv-LV" | "mg-MG" | "mk-MK" | "ml-IN" | "mn-MN" | "mr-IN" | "ms-MY" | "mt-MT" | "my-MM" | "nb-NO" | "ne-NP" | "nl-BE" | "nl-NL" | "nn-NO" | "or-IN" | "pa-IN" | "pl-PL" | "ps-AF" | "pt" | "pt-BR" | "pt-PT" | "ro-RO" | "ru" | "ru-RU" | "rw-RW" | "sc-IT" | "si-LK" | "sk-SK" | "sl-SI" | "sn-ZW" | "sq-AL" | "sr-RS" | "sv-SE" | "sw-KE" | "sy-SY" | "sz-PL" | "ta-IN" | "te-IN" | "tg-TJ" | "th-TH" | "tl-PH" | "tr" | "tr-TR" | "tt-RU" | "tz-MA" | "uk-UA" | "ur-PK" | "uz-UZ" | "vi-VN" | "zh" | "zh-CN" | "zh-HK" | "zh-MO" | "zh-TW" | "zz-TR";
 }>;
 export type LanguageInfo = z.infer<typeof languageInfoGuard>;
 export declare enum SignInIdentifier {
@@ -65,6 +65,7 @@ export declare enum SignInIdentifier {
     Email = "email",
     Phone = "phone"
 }
+export declare const signInIdentifierGuard: z.ZodNativeEnum<typeof SignInIdentifier>;
 export declare const signUpGuard: z.ZodObject<{
     identifiers: z.ZodArray<z.ZodNativeEnum<typeof SignInIdentifier>, "many">;
     password: z.ZodBoolean;

package/lib/foundations/jsonb-types/sign-in-experience.js

@@ -31,6 +31,7 @@ export var SignInIdentifier;
     SignInIdentifier["Email"] = "email";
     SignInIdentifier["Phone"] = "phone";
 })(SignInIdentifier || (SignInIdentifier = {}));
+export const signInIdentifierGuard = z.nativeEnum(SignInIdentifier);
 export const signUpGuard = z.object({
     identifiers: z.nativeEnum(SignInIdentifier).array(),
     password: z.boolean(),

package/lib/foundations/jsonb-types/verification-records.d.ts

@@ -0,0 +1,13 @@
+import { z } from 'zod';
+export declare enum VerificationType {
+    Password = "Password",
+    EmailVerificationCode = "EmailVerificationCode",
+    PhoneVerificationCode = "PhoneVerificationCode",
+    Social = "Social",
+    EnterpriseSso = "EnterpriseSso",
+    TOTP = "Totp",
+    WebAuthn = "WebAuthn",
+    BackupCode = "BackupCode",
+    NewPasswordIdentity = "NewPasswordIdentity"
+}
+export declare const verificationTypeGuard: z.ZodNativeEnum<typeof VerificationType>;

package/lib/foundations/jsonb-types/verification-records.js

@@ -0,0 +1,14 @@
+import { z } from 'zod';
+export var VerificationType;
+(function (VerificationType) {
+    VerificationType["Password"] = "Password";
+    VerificationType["EmailVerificationCode"] = "EmailVerificationCode";
+    VerificationType["PhoneVerificationCode"] = "PhoneVerificationCode";
+    VerificationType["Social"] = "Social";
+    VerificationType["EnterpriseSso"] = "EnterpriseSso";
+    VerificationType["TOTP"] = "Totp";
+    VerificationType["WebAuthn"] = "WebAuthn";
+    VerificationType["BackupCode"] = "BackupCode";
+    VerificationType["NewPasswordIdentity"] = "NewPasswordIdentity";
+})(VerificationType || (VerificationType = {}));
+export const verificationTypeGuard = z.nativeEnum(VerificationType);

package/lib/seeds/cloud-api.d.ts

@@ -14,6 +14,10 @@ export declare enum CloudScope {
      * scripts and fetch the parsed token payload.
      */
     FetchCustomJwt = "fetch:custom:jwt",
+    /**
+     * The entity can report changes on Stripe subscription to Logto Cloud.
+     */
+    ReportSubscriptionUpdates = "report:subscription:updates",
     /** The user can see and manage affiliates, including create, update, and delete. */
     ManageAffiliate = "manage:affiliate",
     /** The user can create new affiliates and logs. */

package/lib/seeds/cloud-api.js

@@ -17,6 +17,10 @@ export var CloudScope;
      * scripts and fetch the parsed token payload.
      */
     CloudScope["FetchCustomJwt"] = "fetch:custom:jwt";
+    /**
+     * The entity can report changes on Stripe subscription to Logto Cloud.
+     */
+    CloudScope["ReportSubscriptionUpdates"] = "report:subscription:updates";
     /** The user can see and manage affiliates, including create, update, and delete. */
     CloudScope["ManageAffiliate"] = "manage:affiliate";
     /** The user can create new affiliates and logs. */
@@ -51,6 +55,7 @@ export const createCloudApi = () => {
         buildScope(CloudScope.SendEmail, 'Allow sending emails. This scope is only available to M2M application.'),
         buildScope(CloudScope.SendSms, 'Allow sending SMS. This scope is only available to M2M application.'),
         buildScope(CloudScope.FetchCustomJwt, 'Allow accessing external resource to execute JWT payload customizer script and fetch the parsed token payload.'),
+        buildScope(CloudScope.ReportSubscriptionUpdates, 'Allow reporting changes on Stripe subscription to Logto Cloud.'),
         buildScope(CloudScope.CreateAffiliate, 'Allow creating new affiliates and logs.'),
         buildScope(CloudScope.ManageAffiliate, 'Allow managing affiliates, including create, update, and delete.'),
     ]);

package/lib/types/connector.d.ts

@@ -222,6 +222,7 @@ export declare const connectorResponseGuard: z.ZodObject<z.objectUtil.extendShap
     } & {
         "af-ZA"?: string | undefined;
         "am-ET"?: string | undefined;
+        ar?: string | undefined;
         "ar-AR"?: string | undefined;
         "as-IN"?: string | undefined;
         "az-AZ"?: string | undefined;
@@ -350,6 +351,7 @@ export declare const connectorResponseGuard: z.ZodObject<z.objectUtil.extendShap
     } & {
         "af-ZA"?: string | undefined;
         "am-ET"?: string | undefined;
+        ar?: string | undefined;
         "ar-AR"?: string | undefined;
         "as-IN"?: string | undefined;
         "az-AZ"?: string | undefined;
@@ -543,6 +545,7 @@ export declare const connectorResponseGuard: z.ZodObject<z.objectUtil.extendShap
     } & {
         "af-ZA"?: string | undefined;
         "am-ET"?: string | undefined;
+        ar?: string | undefined;
         "ar-AR"?: string | undefined;
         "as-IN"?: string | undefined;
         "az-AZ"?: string | undefined;
@@ -671,6 +674,7 @@ export declare const connectorResponseGuard: z.ZodObject<z.objectUtil.extendShap
     } & {
         "af-ZA"?: string | undefined;
         "am-ET"?: string | undefined;
+        ar?: string | undefined;
         "ar-AR"?: string | undefined;
         "as-IN"?: string | undefined;
         "az-AZ"?: string | undefined;
@@ -1059,6 +1063,7 @@ export declare const connectorFactoryResponseGuard: z.ZodObject<z.objectUtil.ext
     } & {
         "af-ZA"?: string | undefined;
         "am-ET"?: string | undefined;
+        ar?: string | undefined;
         "ar-AR"?: string | undefined;
         "as-IN"?: string | undefined;
         "az-AZ"?: string | undefined;
@@ -1187,6 +1192,7 @@ export declare const connectorFactoryResponseGuard: z.ZodObject<z.objectUtil.ext
     } & {
         "af-ZA"?: string | undefined;
         "am-ET"?: string | undefined;
+        ar?: string | undefined;
         "ar-AR"?: string | undefined;
         "as-IN"?: string | undefined;
         "az-AZ"?: string | undefined;
@@ -1374,6 +1380,7 @@ export declare const connectorFactoryResponseGuard: z.ZodObject<z.objectUtil.ext
     } & {
         "af-ZA"?: string | undefined;
         "am-ET"?: string | undefined;
+        ar?: string | undefined;
         "ar-AR"?: string | undefined;
         "as-IN"?: string | undefined;
         "az-AZ"?: string | undefined;
@@ -1502,6 +1509,7 @@ export declare const connectorFactoryResponseGuard: z.ZodObject<z.objectUtil.ext
     } & {
         "af-ZA"?: string | undefined;
         "am-ET"?: string | undefined;
+        ar?: string | undefined;
         "ar-AR"?: string | undefined;
         "as-IN"?: string | undefined;
         "az-AZ"?: string | undefined;

package/lib/types/interactions.d.ts

@@ -41,18 +41,6 @@ export declare const verificationCodeIdentifierGuard: z.ZodObject<{
     type: SignInIdentifier.Email | SignInIdentifier.Phone;
     value: string;
 }>;
-/** Logto supported interaction verification types. */
-export declare enum VerificationType {
-    Password = "Password",
-    EmailVerificationCode = "EmailVerificationCode",
-    PhoneVerificationCode = "PhoneVerificationCode",
-    Social = "Social",
-    EnterpriseSso = "EnterpriseSso",
-    TOTP = "Totp",
-    WebAuthn = "WebAuthn",
-    BackupCode = "BackupCode",
-    NewPasswordIdentity = "NewPasswordIdentity"
-}
 /** Payload type for `POST /api/experience/verification/{social|sso}/:connectorId/authorization-uri`. */
 export type SocialAuthorizationUrlPayload = {
     state: string;

package/lib/types/interactions.js

@@ -20,19 +20,6 @@ export const verificationCodeIdentifierGuard = z.object({
     type: z.enum([SignInIdentifier.Email, SignInIdentifier.Phone]),
     value: z.string(),
 });
-/** Logto supported interaction verification types. */
-export var VerificationType;
-(function (VerificationType) {
-    VerificationType["Password"] = "Password";
-    VerificationType["EmailVerificationCode"] = "EmailVerificationCode";
-    VerificationType["PhoneVerificationCode"] = "PhoneVerificationCode";
-    VerificationType["Social"] = "Social";
-    VerificationType["EnterpriseSso"] = "EnterpriseSso";
-    VerificationType["TOTP"] = "Totp";
-    VerificationType["WebAuthn"] = "WebAuthn";
-    VerificationType["BackupCode"] = "BackupCode";
-    VerificationType["NewPasswordIdentity"] = "NewPasswordIdentity";
-})(VerificationType || (VerificationType = {}));
 export const socialAuthorizationUrlPayloadGuard = z.object({
     state: z.string(),
     redirectUri: z.string(),

package/lib/types/log/interaction.d.ts

@@ -1,5 +1,5 @@
-import { type MfaFactor } from '../../foundations/index.js';
-import type { InteractionEvent, VerificationType } from '../interactions.js';
+import { type VerificationType, type MfaFactor } from '../../foundations/index.js';
+import type { InteractionEvent } from '../interactions.js';
 export type Prefix = 'Interaction';
 export declare const prefix: Prefix;
 /** The interaction field to update. This is valid based on we only allow users update one field at a time. */

package/lib/types/logto-config/jwt-customizer.d.ts

@@ -1890,3 +1890,51 @@ export declare const customJwtFetcherGuard: z.ZodDiscriminatedUnion<"tokenType",
     environmentVariables?: Record<string, string> | undefined;
 }>]>;
 export type CustomJwtFetcher = z.infer<typeof customJwtFetcherGuard>;
+export declare enum CustomJwtErrorCode {
+    /**
+     * The `AccessDenied` error explicitly thrown
+     * by calling the `api.denyAccess` function in the custom JWT script.
+     */
+    AccessDenied = "AccessDenied",
+    /** General JWT customizer error,
+     * this is the fallback custom jwt error code
+     * for any internal error thrown by the JWT customizer (localVM, azure function, or CF worker).
+     */
+    General = "General"
+}
+export declare const customJwtErrorBodyGuard: z.ZodObject<{
+    code: z.ZodNativeEnum<typeof CustomJwtErrorCode>;
+    message: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    code: CustomJwtErrorCode;
+    message: string;
+}, {
+    code: CustomJwtErrorCode;
+    message: string;
+}>;
+export type CustomJwtErrorBody = z.infer<typeof customJwtErrorBodyGuard>;
+export type CustomJwtApiContext = {
+    /**
+     * Reject the the current token request.
+     *
+     * @remarks
+     * By calling this function, the current token request will be rejected,
+     * and a OIDC `AccessDenied` error will be thrown to the client with the given message.
+     *
+     * @param message The message to be shown to the user.
+     * @throws {ResponseError} with `CustomJwtErrorBody`
+     */
+    denyAccess: (message?: string) => never;
+};
+/**
+ * The payload type for the custom JWT script.
+ *
+ * @remarks
+ * We use this type to guard the input payload for the custom JWT script.
+ */
+export type CustomJwtScriptPayload = {
+    token: Record<string, unknown>;
+    context?: Record<string, unknown>;
+    environmentVariables?: Record<string, string>;
+    api: CustomJwtApiContext;
+};

package/lib/types/logto-config/jwt-customizer.js

@@ -101,3 +101,20 @@ export const customJwtFetcherGuard = z.discriminatedUnion('tokenType', [
         tokenType: z.literal(LogtoJwtTokenKeyType.ClientCredentials),
     }),
 ]);
+export var CustomJwtErrorCode;
+(function (CustomJwtErrorCode) {
+    /**
+     * The `AccessDenied` error explicitly thrown
+     * by calling the `api.denyAccess` function in the custom JWT script.
+     */
+    CustomJwtErrorCode["AccessDenied"] = "AccessDenied";
+    /** General JWT customizer error,
+     * this is the fallback custom jwt error code
+     * for any internal error thrown by the JWT customizer (localVM, azure function, or CF worker).
+     */
+    CustomJwtErrorCode["General"] = "General";
+})(CustomJwtErrorCode || (CustomJwtErrorCode = {}));
+export const customJwtErrorBodyGuard = z.object({
+    code: z.nativeEnum(CustomJwtErrorCode),
+    message: z.string(),
+});

package/lib/types/sign-in-experience.d.ts

@@ -54,10 +54,10 @@ export declare const fullSignInExperienceGuard: z.ZodObject<z.objectUtil.extendS
     }>;
     languageInfo: z.ZodType<{
         autoDetect: boolean;
-        fallbackLanguage: "af-ZA" | "am-ET" | "ar-AR" | "as-IN" | "az-AZ" | "be-BY" | "bg-BG" | "bn-IN" | "br-FR" | "bs-BA" | "ca-ES" | "cb-IQ" | "co-FR" | "cs-CZ" | "cx-PH" | "cy-GB" | "da-DK" | "de" | "de-DE" | "el-GR" | "en" | "en-GB" | "en-US" | "eo-EO" | "es" | "es-ES" | "es-419" | "et-EE" | "eu-ES" | "fa-IR" | "ff-NG" | "fi-FI" | "fo-FO" | "fr" | "fr-CA" | "fr-FR" | "fy-NL" | "ga-IE" | "gl-ES" | "gn-PY" | "gu-IN" | "ha-NG" | "he-IL" | "hi-IN" | "hr-HR" | "ht-HT" | "hu-HU" | "hy-AM" | "id-ID" | "ik-US" | "is-IS" | "it" | "it-IT" | "iu-CA" | "ja" | "ja-JP" | "ja-KS" | "jv-ID" | "ka-GE" | "kk-KZ" | "km-KH" | "kn-IN" | "ko" | "ko-KR" | "ku-TR" | "ky-KG" | "lo-LA" | "lt-LT" | "lv-LV" | "mg-MG" | "mk-MK" | "ml-IN" | "mn-MN" | "mr-IN" | "ms-MY" | "mt-MT" | "my-MM" | "nb-NO" | "ne-NP" | "nl-BE" | "nl-NL" | "nn-NO" | "or-IN" | "pa-IN" | "pl-PL" | "ps-AF" | "pt" | "pt-BR" | "pt-PT" | "ro-RO" | "ru" | "ru-RU" | "rw-RW" | "sc-IT" | "si-LK" | "sk-SK" | "sl-SI" | "sn-ZW" | "sq-AL" | "sr-RS" | "sv-SE" | "sw-KE" | "sy-SY" | "sz-PL" | "ta-IN" | "te-IN" | "tg-TJ" | "th-TH" | "tl-PH" | "tr" | "tr-TR" | "tt-RU" | "tz-MA" | "uk-UA" | "ur-PK" | "uz-UZ" | "vi-VN" | "zh" | "zh-CN" | "zh-HK" | "zh-MO" | "zh-TW" | "zz-TR";
+        fallbackLanguage: "af-ZA" | "am-ET" | "ar" | "ar-AR" | "as-IN" | "az-AZ" | "be-BY" | "bg-BG" | "bn-IN" | "br-FR" | "bs-BA" | "ca-ES" | "cb-IQ" | "co-FR" | "cs-CZ" | "cx-PH" | "cy-GB" | "da-DK" | "de" | "de-DE" | "el-GR" | "en" | "en-GB" | "en-US" | "eo-EO" | "es" | "es-ES" | "es-419" | "et-EE" | "eu-ES" | "fa-IR" | "ff-NG" | "fi-FI" | "fo-FO" | "fr" | "fr-CA" | "fr-FR" | "fy-NL" | "ga-IE" | "gl-ES" | "gn-PY" | "gu-IN" | "ha-NG" | "he-IL" | "hi-IN" | "hr-HR" | "ht-HT" | "hu-HU" | "hy-AM" | "id-ID" | "ik-US" | "is-IS" | "it" | "it-IT" | "iu-CA" | "ja" | "ja-JP" | "ja-KS" | "jv-ID" | "ka-GE" | "kk-KZ" | "km-KH" | "kn-IN" | "ko" | "ko-KR" | "ku-TR" | "ky-KG" | "lo-LA" | "lt-LT" | "lv-LV" | "mg-MG" | "mk-MK" | "ml-IN" | "mn-MN" | "mr-IN" | "ms-MY" | "mt-MT" | "my-MM" | "nb-NO" | "ne-NP" | "nl-BE" | "nl-NL" | "nn-NO" | "or-IN" | "pa-IN" | "pl-PL" | "ps-AF" | "pt" | "pt-BR" | "pt-PT" | "ro-RO" | "ru" | "ru-RU" | "rw-RW" | "sc-IT" | "si-LK" | "sk-SK" | "sl-SI" | "sn-ZW" | "sq-AL" | "sr-RS" | "sv-SE" | "sw-KE" | "sy-SY" | "sz-PL" | "ta-IN" | "te-IN" | "tg-TJ" | "th-TH" | "tl-PH" | "tr" | "tr-TR" | "tt-RU" | "tz-MA" | "uk-UA" | "ur-PK" | "uz-UZ" | "vi-VN" | "zh" | "zh-CN" | "zh-HK" | "zh-MO" | "zh-TW" | "zz-TR";
     }, z.ZodTypeDef, {
         autoDetect: boolean;
-        fallbackLanguage: "af-ZA" | "am-ET" | "ar-AR" | "as-IN" | "az-AZ" | "be-BY" | "bg-BG" | "bn-IN" | "br-FR" | "bs-BA" | "ca-ES" | "cb-IQ" | "co-FR" | "cs-CZ" | "cx-PH" | "cy-GB" | "da-DK" | "de" | "de-DE" | "el-GR" | "en" | "en-GB" | "en-US" | "eo-EO" | "es" | "es-ES" | "es-419" | "et-EE" | "eu-ES" | "fa-IR" | "ff-NG" | "fi-FI" | "fo-FO" | "fr" | "fr-CA" | "fr-FR" | "fy-NL" | "ga-IE" | "gl-ES" | "gn-PY" | "gu-IN" | "ha-NG" | "he-IL" | "hi-IN" | "hr-HR" | "ht-HT" | "hu-HU" | "hy-AM" | "id-ID" | "ik-US" | "is-IS" | "it" | "it-IT" | "iu-CA" | "ja" | "ja-JP" | "ja-KS" | "jv-ID" | "ka-GE" | "kk-KZ" | "km-KH" | "kn-IN" | "ko" | "ko-KR" | "ku-TR" | "ky-KG" | "lo-LA" | "lt-LT" | "lv-LV" | "mg-MG" | "mk-MK" | "ml-IN" | "mn-MN" | "mr-IN" | "ms-MY" | "mt-MT" | "my-MM" | "nb-NO" | "ne-NP" | "nl-BE" | "nl-NL" | "nn-NO" | "or-IN" | "pa-IN" | "pl-PL" | "ps-AF" | "pt" | "pt-BR" | "pt-PT" | "ro-RO" | "ru" | "ru-RU" | "rw-RW" | "sc-IT" | "si-LK" | "sk-SK" | "sl-SI" | "sn-ZW" | "sq-AL" | "sr-RS" | "sv-SE" | "sw-KE" | "sy-SY" | "sz-PL" | "ta-IN" | "te-IN" | "tg-TJ" | "th-TH" | "tl-PH" | "tr" | "tr-TR" | "tt-RU" | "tz-MA" | "uk-UA" | "ur-PK" | "uz-UZ" | "vi-VN" | "zh" | "zh-CN" | "zh-HK" | "zh-MO" | "zh-TW" | "zz-TR";
+        fallbackLanguage: "af-ZA" | "am-ET" | "ar" | "ar-AR" | "as-IN" | "az-AZ" | "be-BY" | "bg-BG" | "bn-IN" | "br-FR" | "bs-BA" | "ca-ES" | "cb-IQ" | "co-FR" | "cs-CZ" | "cx-PH" | "cy-GB" | "da-DK" | "de" | "de-DE" | "el-GR" | "en" | "en-GB" | "en-US" | "eo-EO" | "es" | "es-ES" | "es-419" | "et-EE" | "eu-ES" | "fa-IR" | "ff-NG" | "fi-FI" | "fo-FO" | "fr" | "fr-CA" | "fr-FR" | "fy-NL" | "ga-IE" | "gl-ES" | "gn-PY" | "gu-IN" | "ha-NG" | "he-IL" | "hi-IN" | "hr-HR" | "ht-HT" | "hu-HU" | "hy-AM" | "id-ID" | "ik-US" | "is-IS" | "it" | "it-IT" | "iu-CA" | "ja" | "ja-JP" | "ja-KS" | "jv-ID" | "ka-GE" | "kk-KZ" | "km-KH" | "kn-IN" | "ko" | "ko-KR" | "ku-TR" | "ky-KG" | "lo-LA" | "lt-LT" | "lv-LV" | "mg-MG" | "mk-MK" | "ml-IN" | "mn-MN" | "mr-IN" | "ms-MY" | "mt-MT" | "my-MM" | "nb-NO" | "ne-NP" | "nl-BE" | "nl-NL" | "nn-NO" | "or-IN" | "pa-IN" | "pl-PL" | "ps-AF" | "pt" | "pt-BR" | "pt-PT" | "ro-RO" | "ru" | "ru-RU" | "rw-RW" | "sc-IT" | "si-LK" | "sk-SK" | "sl-SI" | "sn-ZW" | "sq-AL" | "sr-RS" | "sv-SE" | "sw-KE" | "sy-SY" | "sz-PL" | "ta-IN" | "te-IN" | "tg-TJ" | "th-TH" | "tl-PH" | "tr" | "tr-TR" | "tt-RU" | "tz-MA" | "uk-UA" | "ur-PK" | "uz-UZ" | "vi-VN" | "zh" | "zh-CN" | "zh-HK" | "zh-MO" | "zh-TW" | "zz-TR";
     }>;
     termsOfUseUrl: z.ZodType<string | null, z.ZodTypeDef, string | null>;
     privacyPolicyUrl: z.ZodType<string | null, z.ZodTypeDef, string | null>;
@@ -332,6 +332,7 @@ export declare const fullSignInExperienceGuard: z.ZodObject<z.objectUtil.extendS
         } & {
             "af-ZA"?: string | undefined;
             "am-ET"?: string | undefined;
+            ar?: string | undefined;
             "ar-AR"?: string | undefined;
             "as-IN"?: string | undefined;
             "az-AZ"?: string | undefined;
@@ -466,6 +467,7 @@ export declare const fullSignInExperienceGuard: z.ZodObject<z.objectUtil.extendS
         } & {
             "af-ZA"?: string | undefined;
             "am-ET"?: string | undefined;
+            ar?: string | undefined;
             "ar-AR"?: string | undefined;
             "as-IN"?: string | undefined;
             "az-AZ"?: string | undefined;
@@ -671,6 +673,7 @@ export declare const fullSignInExperienceGuard: z.ZodObject<z.objectUtil.extendS
         } & {
             "af-ZA"?: string | undefined;
             "am-ET"?: string | undefined;
+            ar?: string | undefined;
             "ar-AR"?: string | undefined;
             "as-IN"?: string | undefined;
             "az-AZ"?: string | undefined;
@@ -845,6 +848,7 @@ export declare const fullSignInExperienceGuard: z.ZodObject<z.objectUtil.extendS
         } & {
             "af-ZA"?: string | undefined;
             "am-ET"?: string | undefined;
+            ar?: string | undefined;
             "ar-AR"?: string | undefined;
             "as-IN"?: string | undefined;
             "az-AZ"?: string | undefined;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@logto/schemas",
-  "version": "1.19.0",
+  "version": "1.20.0",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "license": "MPL-2.0",
   "type": "module",
@@ -66,10 +66,10 @@
     "@logto/connector-kit": "^4.0.0",
     "@logto/core-kit": "^2.5.0",
     "@logto/language-kit": "^1.1.0",
-    "@logto/phrases": "^1.13.0",
-    "@logto/phrases-experience": "^1.7.0",
+    "@logto/phrases": "^1.14.0",
+    "@logto/phrases-experience": "^1.8.0",
     "@logto/shared": "^3.1.1",
-    "@withtyped/server": "^0.13.6",
+    "@withtyped/server": "^0.14.0",
     "nanoid": "^5.0.1"
   },
   "peerDependencies": {

package/tables/personal_access_tokens.sql

@@ -0,0 +1,16 @@
+/* init_order = 2 */
+
+create table personal_access_tokens (
+  tenant_id varchar(21) not null
+    references tenants (id) on update cascade on delete cascade,
+  user_id varchar(21) not null
+    references users (id) on update cascade on delete cascade,
+  /** The name of the secret. Should be unique within the user. */
+  name varchar(256) not null,
+  value varchar(64) not null,
+  created_at timestamptz not null default now(),
+  expires_at timestamptz,
+  primary key (tenant_id, user_id, name)
+);
+
+create index personal_access_token__value on personal_access_tokens (tenant_id, value);

package/tables/verification_records.sql

@@ -0,0 +1,15 @@
+create table verification_records (
+  tenant_id varchar(21) not null
+    references tenants (id) on update cascade on delete cascade,
+  id varchar(21) not null,
+  user_id varchar(21)
+    references users (id) on update cascade on delete cascade,
+  created_at timestamptz not null default(now()),
+  expires_at timestamptz not null,
+  /** Use JsonObject here to avoid complex typing, the type will be validated in verification classes. */
+  data jsonb /* @use JsonObject */ not null default '{}'::jsonb,
+  primary key (id)
+);
+
+create index verification_records__id
+  on verification_records (tenant_id, id);

package/tables/verification_statuses.sql

@@ -5,6 +5,7 @@ create table verification_statuses (
   user_id varchar(21) not null
     references users (id) on update cascade on delete cascade,
   created_at timestamptz not null default(now()),
+  verified_identifier varchar(255),
   primary key (id)
 );