@logto/schemas 1.34.0 → 1.36.0

package/lib/foundations/jsonb-types/logs.js

@@ -5,6 +5,56 @@ export var LogResult;
     LogResult["Success"] = "Success";
     LogResult["Error"] = "Error";
 })(LogResult || (LogResult = {}));
+// UAParser.js returns partial results, so all fields are optional
+// Ref: https://docs.uaparser.dev/api/main/overview.html#methods
+const uaParserBrowserGuard = z
+    .object({
+    name: z.string(),
+    version: z.string(),
+    major: z.string(),
+    type: z.string(),
+})
+    .partial()
+    .catchall(z.unknown());
+const uaParserDeviceGuard = z
+    .object({
+    model: z.string(),
+    type: z.string(),
+    vendor: z.string(),
+})
+    .partial()
+    .catchall(z.unknown());
+const uaParserEngineGuard = z
+    .object({
+    name: z.string(),
+    version: z.string(),
+})
+    .partial()
+    .catchall(z.unknown());
+const uaParserOsGuard = z
+    .object({
+    name: z.string(),
+    version: z.string(),
+})
+    .partial()
+    .catchall(z.unknown());
+const uaParserCpuGuard = z
+    .object({
+    architecture: z.string(),
+})
+    .partial()
+    .catchall(z.unknown());
+export const userAgentParsedGuard = z
+    .object({
+    ua: z.string(),
+    browser: uaParserBrowserGuard,
+    device: uaParserDeviceGuard,
+    engine: uaParserEngineGuard,
+    os: uaParserOsGuard,
+    cpu: uaParserCpuGuard,
+})
+    .partial()
+    .catchall(z.unknown());
 export const logContextPayloadGuard = z
     .object({
     key: z.string(),
@@ -12,6 +62,8 @@ export const logContextPayloadGuard = z
     error: z.record(z.string(), z.unknown()).or(z.string()).optional(),
     ip: z.string().optional(),
     userAgent: z.string().optional(),
+    userAgentParsed: userAgentParsedGuard.optional(),
+    injectedHeaders: z.record(z.string(), z.string()).optional(),
     userId: z.string().optional(),
     applicationId: z.string().optional(),
     sessionId: z.string().optional(),

package/lib/foundations/jsonb-types/oidc-module.d.ts

@@ -41,8 +41,8 @@ export type OidcClientMetadata = {
     logoUri?: string;
 };
 export declare const oidcClientMetadataGuard: z.ZodObject<{
-    redirectUris: z.ZodArray<z.ZodUnion<[z.ZodEffects<z.ZodString, string, string>, z.ZodEffects<z.ZodString, string, string>]>, "many">;
-    postLogoutRedirectUris: z.ZodArray<z.ZodString, "many">;
+    redirectUris: z.ZodArray<z.ZodEffects<z.ZodString, string, string>, "many">;
+    postLogoutRedirectUris: z.ZodArray<z.ZodEffects<z.ZodString, string, string>, "many">;
     backchannelLogoutUri: z.ZodOptional<z.ZodString>;
     backchannelLogoutSessionRequired: z.ZodOptional<z.ZodBoolean>;
     logoUri: z.ZodOptional<z.ZodString>;
@@ -79,7 +79,16 @@ export declare enum CustomClientMetadataKey {
      *
      * It can be turned off for only traditional web apps for enhanced security.
      */
-    RotateRefreshToken = "rotateRefreshToken"
+    RotateRefreshToken = "rotateRefreshToken",
+    /**
+     * Whether the application is allowed to initiate token exchange requests.
+     *
+     * Only first-party applications can use token exchange. Third-party applications are always
+     * forbidden.
+     *
+     * Defaults to `false` for all new applications. Users must explicitly enable it.
+     */
+    AllowTokenExchange = "allowTokenExchange"
 }
 export declare const customClientMetadataGuard: z.ZodObject<{
     corsAllowedOrigins: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
@@ -89,6 +98,7 @@ export declare const customClientMetadataGuard: z.ZodObject<{
     tenantId: z.ZodOptional<z.ZodString>;
     alwaysIssueRefreshToken: z.ZodOptional<z.ZodBoolean>;
     rotateRefreshToken: z.ZodOptional<z.ZodBoolean>;
+    allowTokenExchange: z.ZodOptional<z.ZodBoolean>;
 }, "strip", z.ZodTypeAny, {
     corsAllowedOrigins?: string[] | undefined;
     idTokenTtl?: number | undefined;
@@ -97,6 +107,7 @@ export declare const customClientMetadataGuard: z.ZodObject<{
     tenantId?: string | undefined;
     alwaysIssueRefreshToken?: boolean | undefined;
     rotateRefreshToken?: boolean | undefined;
+    allowTokenExchange?: boolean | undefined;
 }, {
     corsAllowedOrigins?: string[] | undefined;
     idTokenTtl?: number | undefined;
@@ -105,6 +116,7 @@ export declare const customClientMetadataGuard: z.ZodObject<{
     tenantId?: string | undefined;
     alwaysIssueRefreshToken?: boolean | undefined;
     rotateRefreshToken?: boolean | undefined;
+    allowTokenExchange?: boolean | undefined;
 }>;
 /**
  * @see {@link CustomClientMetadataKey} for key descriptions.

package/lib/foundations/jsonb-types/oidc-module.js

@@ -14,10 +14,12 @@ export const oidcModelInstancePayloadGuard = z
 export const oidcClientMetadataGuard = z.object({
     redirectUris: z
         .string()
-        .refine((url) => validateRedirectUrl(url, 'web'))
-        .or(z.string().refine((url) => validateRedirectUrl(url, 'mobile')))
+        .refine((url) => validateRedirectUrl(url, 'web') || validateRedirectUrl(url, 'mobile'))
+        .array(),
+    postLogoutRedirectUris: z
+        .string()
+        .refine((url) => validateRedirectUrl(url, 'web') || validateRedirectUrl(url, 'mobile'))
         .array(),
-    postLogoutRedirectUris: z.string().url().array(),
     backchannelLogoutUri: z.string().url().optional(),
     backchannelLogoutSessionRequired: z.boolean().optional(),
     logoUri: z.string().optional(),
@@ -44,6 +46,15 @@ export var CustomClientMetadataKey;
      * It can be turned off for only traditional web apps for enhanced security.
      */
     CustomClientMetadataKey["RotateRefreshToken"] = "rotateRefreshToken";
+    /**
+     * Whether the application is allowed to initiate token exchange requests.
+     *
+     * Only first-party applications can use token exchange. Third-party applications are always
+     * forbidden.
+     *
+     * Defaults to `false` for all new applications. Users must explicitly enable it.
+     */
+    CustomClientMetadataKey["AllowTokenExchange"] = "allowTokenExchange";
 })(CustomClientMetadataKey || (CustomClientMetadataKey = {}));
 export const customClientMetadataGuard = z.object({
     [CustomClientMetadataKey.CorsAllowedOrigins]: z.string().min(1).array().optional(),
@@ -53,4 +64,5 @@ export const customClientMetadataGuard = z.object({
     [CustomClientMetadataKey.TenantId]: z.string().optional(),
     [CustomClientMetadataKey.AlwaysIssueRefreshToken]: z.boolean().optional(),
     [CustomClientMetadataKey.RotateRefreshToken]: z.boolean().optional(),
+    [CustomClientMetadataKey.AllowTokenExchange]: z.boolean().optional(),
 });

package/lib/foundations/jsonb-types/saml-application-configs.d.ts

@@ -1,7 +1,7 @@
 import { type UserClaim } from '@logto/core-kit';
 import { z } from 'zod';
 export type SamlAttributeMapping = Partial<Record<UserClaim | 'sub', string>>;
-export declare const samlAttributeMappingKeys: readonly ("name" | "username" | "email" | "sub" | "nickname" | "profile" | "website" | "gender" | "birthdate" | "zoneinfo" | "locale" | "address" | "given_name" | "family_name" | "middle_name" | "preferred_username" | "picture" | "email_verified" | "phone_number" | "phone_number_verified" | "updated_at" | "roles" | "organizations" | "organization_data" | "organization_roles" | "custom_data" | "identities" | "sso_identities" | "created_at")[];
+export declare const samlAttributeMappingKeys: readonly ("name" | "email" | "username" | "sub" | "nickname" | "profile" | "website" | "gender" | "birthdate" | "zoneinfo" | "locale" | "address" | "given_name" | "family_name" | "middle_name" | "preferred_username" | "picture" | "email_verified" | "phone_number" | "phone_number_verified" | "updated_at" | "roles" | "organizations" | "organization_data" | "organization_roles" | "custom_data" | "identities" | "sso_identities" | "created_at")[];
 export declare const samlAttributeMappingGuard: z.ZodObject<{
     [x: string]: z.ZodOptional<z.ZodString>;
 }, "strip", z.ZodTypeAny, {

package/lib/foundations/jsonb-types/sentinel.d.ts

@@ -27,7 +27,19 @@ export declare enum SentinelActivityAction {
      * For example, a user (subject) who inputted a one-time token (action) to authenticate
      * themselves (target), e.g. Magic Link.
      */
-    OneTimeToken = "OneTimeToken"
+    OneTimeToken = "OneTimeToken",
+    /**
+     * The subject tries to pass a TOTP MFA verification.
+     */
+    MfaTotp = "MfaTotp",
+    /**
+     * The subject tries to pass a WebAuthn MFA verification.
+     */
+    MfaWebAuthn = "MfaWebAuthn",
+    /**
+     * The subject tries to pass a backup code MFA verification.
+     */
+    MfaBackupCode = "MfaBackupCode"
 }
 export declare const sentinelActivityActionGuard: z.ZodNativeEnum<typeof SentinelActivityAction>;
 export type SentinelActivityPayload = Record<string, unknown>;

package/lib/foundations/jsonb-types/sentinel.js

@@ -30,6 +30,18 @@ export var SentinelActivityAction;
      * themselves (target), e.g. Magic Link.
      */
     SentinelActivityAction["OneTimeToken"] = "OneTimeToken";
+    /**
+     * The subject tries to pass a TOTP MFA verification.
+     */
+    SentinelActivityAction["MfaTotp"] = "MfaTotp";
+    /**
+     * The subject tries to pass a WebAuthn MFA verification.
+     */
+    SentinelActivityAction["MfaWebAuthn"] = "MfaWebAuthn";
+    /**
+     * The subject tries to pass a backup code MFA verification.
+     */
+    SentinelActivityAction["MfaBackupCode"] = "MfaBackupCode";
 })(SentinelActivityAction || (SentinelActivityAction = {}));
 export const sentinelActivityActionGuard = z.nativeEnum(SentinelActivityAction);
 export const sentinelActivityPayloadGuard = z.record(z.unknown());

package/lib/foundations/jsonb-types/sign-in-experience.d.ts

@@ -199,13 +199,25 @@ export type SocialSignIn = {
      * to the system and exactly one existing account is found with the same identifier (e.g., email).
      */
     automaticAccountLinking?: boolean;
+    /**
+     * If required identifiers (e.g., email, phone) should be skipped during social sign-in.
+     * @remarks
+     * By default, if a social identity does not provide all required identifiers,
+     * the user will be prompted to provide them before completing sign-in.
+     *
+     * Setting this to `true` will bypass that requirement.
+     */
+    skipRequiredIdentifiers?: boolean;
 };
 export declare const socialSignInGuard: z.ZodObject<{
     automaticAccountLinking: z.ZodOptional<z.ZodBoolean>;
+    skipRequiredIdentifiers: z.ZodOptional<z.ZodBoolean>;
 }, "strip", z.ZodTypeAny, {
     automaticAccountLinking?: boolean | undefined;
+    skipRequiredIdentifiers?: boolean | undefined;
 }, {
     automaticAccountLinking?: boolean | undefined;
+    skipRequiredIdentifiers?: boolean | undefined;
 }>;
 export declare const connectorTargetsGuard: z.ZodArray<z.ZodString, "many">;
 export type ConnectorTargets = z.infer<typeof connectorTargetsGuard>;
@@ -274,6 +286,35 @@ export declare const mfaGuard: z.ZodObject<{
     policy: MfaPolicy;
     organizationRequiredMfaPolicy?: OrganizationRequiredMfaPolicy | undefined;
 }>;
+/**
+ * Adaptive MFA configuration for the sign-in experience.
+ *
+ * @remarks
+ * This is a single enable switch for the rule-based Adaptive MFA flow.
+ * Use it in Management API sign-in experience updates (`PATCH /api/sign-in-exp`).
+ * When enabled, the server evaluates fixed risk rules from request signals
+ * (IP, User-Agent, edge-injected headers) and may require MFA verification.
+ * If omitted, Adaptive MFA is disabled.
+ *
+ * @example
+ * ```ts
+ * {
+ *   adaptiveMfa: {
+ *     enabled: true,
+ *   },
+ * }
+ * ```
+ */
+export type AdaptiveMfa = {
+    enabled?: boolean;
+};
+export declare const adaptiveMfaGuard: z.ZodObject<{
+    enabled: z.ZodOptional<z.ZodBoolean>;
+}, "strip", z.ZodTypeAny, {
+    enabled?: boolean | undefined;
+}, {
+    enabled?: boolean | undefined;
+}>;
 export declare const customUiAssetsGuard: z.ZodObject<{
     id: z.ZodString;
     createdAt: z.ZodNumber;
@@ -352,4 +393,22 @@ export declare enum ForgotPasswordMethod {
 }
 export declare const forgotPasswordMethodsGuard: z.ZodArray<z.ZodNativeEnum<typeof ForgotPasswordMethod>, "many">;
 export type ForgotPasswordMethods = z.infer<typeof forgotPasswordMethodsGuard>;
+export type PasskeySignIn = {
+    enabled?: boolean;
+    showPasskeyButton?: boolean;
+    allowAutofill?: boolean;
+};
+export declare const passkeySignInGuard: z.ZodObject<{
+    enabled: z.ZodOptional<z.ZodBoolean>;
+    showPasskeyButton: z.ZodOptional<z.ZodBoolean>;
+    allowAutofill: z.ZodOptional<z.ZodBoolean>;
+}, "strip", z.ZodTypeAny, {
+    enabled?: boolean | undefined;
+    showPasskeyButton?: boolean | undefined;
+    allowAutofill?: boolean | undefined;
+}, {
+    enabled?: boolean | undefined;
+    showPasskeyButton?: boolean | undefined;
+    allowAutofill?: boolean | undefined;
+}>;
 export {};

package/lib/foundations/jsonb-types/sign-in-experience.js

@@ -64,6 +64,7 @@ export const signInGuard = z.object({
 });
 export const socialSignInGuard = z.object({
     automaticAccountLinking: z.boolean().optional(),
+    skipRequiredIdentifiers: z.boolean().optional(),
 });
 export const connectorTargetsGuard = z.string().array();
 export const customContentGuard = z.record(z.string());
@@ -101,6 +102,9 @@ export const mfaGuard = z.object({
     policy: z.nativeEnum(MfaPolicy),
     organizationRequiredMfaPolicy: z.nativeEnum(OrganizationRequiredMfaPolicy).optional(),
 });
+export const adaptiveMfaGuard = z.object({
+    enabled: z.boolean().optional(),
+});
 export const customUiAssetsGuard = z.object({
     id: z.string(),
     createdAt: z.number(),
@@ -123,3 +127,10 @@ export var ForgotPasswordMethod;
     ForgotPasswordMethod["PhoneVerificationCode"] = "PhoneVerificationCode";
 })(ForgotPasswordMethod || (ForgotPasswordMethod = {}));
 export const forgotPasswordMethodsGuard = z.nativeEnum(ForgotPasswordMethod).array();
+export const passkeySignInGuard = z
+    .object({
+    enabled: z.boolean(),
+    showPasskeyButton: z.boolean(),
+    allowAutofill: z.boolean(),
+})
+    .partial();

package/lib/seeds/account-center.d.ts

@@ -1,2 +1,8 @@
 import type { CreateAccountCenter } from '../db-entries/index.js';
 export declare const createDefaultAccountCenter: (forTenantId: string) => Readonly<CreateAccountCenter>;
+/**
+ * Create the account center for the admin tenant.
+ * The account center is enabled by default and allows editing all fields,
+ * so that the console profile page can use the Account API.
+ */
+export declare const createAdminTenantAccountCenter: () => Readonly<CreateAccountCenter>;

package/lib/seeds/account-center.js

@@ -1,6 +1,30 @@
+import { AccountCenterControlValue } from '../foundations/index.js';
+import { adminTenantId } from './tenant.js';
 export const createDefaultAccountCenter = (forTenantId) => Object.freeze({
     tenantId: forTenantId,
     id: 'default',
     enabled: false,
     fields: {},
 });
+/**
+ * Create the account center for the admin tenant.
+ * The account center is enabled by default and allows editing all fields,
+ * so that the console profile page can use the Account API.
+ */
+export const createAdminTenantAccountCenter = () => Object.freeze({
+    tenantId: adminTenantId,
+    id: 'default',
+    enabled: true,
+    fields: {
+        name: AccountCenterControlValue.Edit,
+        avatar: AccountCenterControlValue.Edit,
+        profile: AccountCenterControlValue.Edit,
+        email: AccountCenterControlValue.Edit,
+        phone: AccountCenterControlValue.Edit,
+        password: AccountCenterControlValue.Edit,
+        username: AccountCenterControlValue.Edit,
+        social: AccountCenterControlValue.Edit,
+        customData: AccountCenterControlValue.Edit,
+        mfa: AccountCenterControlValue.Edit,
+    },
+});

package/lib/seeds/cloud-api.d.ts

@@ -21,7 +21,9 @@ export declare enum CloudScope {
     /** The user can see and manage affiliates, including create, update, and delete. */
     ManageAffiliate = "manage:affiliate",
     /** The user can create new affiliates and logs. */
-    CreateAffiliate = "create:affiliate"
+    CreateAffiliate = "create:affiliate",
+    /** Allow accessing Logto MCP API (part of Logto Cloud API). This scope is only available to M2M MCP server. */
+    AccessMcpApi = "access:mcp:api"
 }
 export declare const createCloudApi: () => Readonly<[UpdateAdminData, ...CreateScope[]]>;
 export declare const createTenantApplicationRole: () => Readonly<Role>;

package/lib/seeds/cloud-api.js

@@ -25,6 +25,8 @@ export var CloudScope;
     CloudScope["ManageAffiliate"] = "manage:affiliate";
     /** The user can create new affiliates and logs. */
     CloudScope["CreateAffiliate"] = "create:affiliate";
+    /** Allow accessing Logto MCP API (part of Logto Cloud API). This scope is only available to M2M MCP server. */
+    CloudScope["AccessMcpApi"] = "access:mcp:api";
 })(CloudScope || (CloudScope = {}));
 export const createCloudApi = () => {
     const resourceId = generateStandardId();

package/lib/seeds/sign-in-experience.js

@@ -1,6 +1,6 @@
 import { generateDarkColor } from '@logto/core-kit';
 import { SignInMode } from '../db-entries/index.js';
-import { MfaPolicy, SignInIdentifier } from '../foundations/index.js';
+import { MfaFactor, MfaPolicy, OrganizationRequiredMfaPolicy, SignInIdentifier, } from '../foundations/index.js';
 import { adminTenantId, defaultTenantId } from './tenant.js';
 export const defaultPrimaryColor = '#6139F6';
 export const createDefaultSignInExperience = (forTenantId, isCloud) => Object.freeze({
@@ -62,4 +62,9 @@ export const createAdminTenantSignInExperience = () => Object.freeze({
         logoUrl: 'https://logto.io/logo.svg',
         darkLogoUrl: 'https://logto.io/logo-dark.svg',
     },
+    mfa: {
+        factors: [MfaFactor.TOTP, MfaFactor.WebAuthn, MfaFactor.BackupCode],
+        policy: MfaPolicy.NoPrompt,
+        organizationRequiredMfaPolicy: OrganizationRequiredMfaPolicy.Mandatory,
+    },
 });

package/lib/types/alteration.d.ts

@@ -1,5 +1,15 @@
-import type { DatabaseTransactionConnection } from '@silverhand/slonik';
+import type { CommonQueryMethods, DatabaseTransactionConnection } from '@silverhand/slonik';
 export type AlterationScript = {
+    /**
+     * Optional hook that runs before `up` outside of a transaction.
+     * Use for operations that cannot be wrapped in a transaction (e.g., CREATE INDEX CONCURRENTLY).
+     */
+    beforeUp?: (connection: CommonQueryMethods) => Promise<void>;
+    /**
+     * Optional hook that runs before `down` outside of a transaction.
+     * Use for operations that cannot be wrapped in a transaction (e.g., DROP INDEX CONCURRENTLY).
+     */
+    beforeDown?: (connection: CommonQueryMethods) => Promise<void>;
     up: (connection: DatabaseTransactionConnection) => Promise<void>;
     down: (connection: DatabaseTransactionConnection) => Promise<void>;
 };

package/lib/types/application.d.ts

@@ -26,6 +26,7 @@ export declare const featuredApplicationGuard: z.ZodObject<Pick<{
         tenantId?: string | undefined;
         alwaysIssueRefreshToken?: boolean | undefined;
         rotateRefreshToken?: boolean | undefined;
+        allowTokenExchange?: boolean | undefined;
     }, z.ZodTypeDef, {
         corsAllowedOrigins?: string[] | undefined;
         idTokenTtl?: number | undefined;
@@ -34,6 +35,7 @@ export declare const featuredApplicationGuard: z.ZodObject<Pick<{
         tenantId?: string | undefined;
         alwaysIssueRefreshToken?: boolean | undefined;
         rotateRefreshToken?: boolean | undefined;
+        allowTokenExchange?: boolean | undefined;
     }>;
     protectedAppMetadata: z.ZodType<{
         host: string;
@@ -116,6 +118,7 @@ export declare const applicationCreateGuard: z.ZodObject<{
         tenantId?: string | undefined;
         alwaysIssueRefreshToken?: boolean | undefined;
         rotateRefreshToken?: boolean | undefined;
+        allowTokenExchange?: boolean | undefined;
     }, z.ZodTypeDef, {
         corsAllowedOrigins?: string[] | undefined;
         idTokenTtl?: number | undefined;
@@ -124,6 +127,7 @@ export declare const applicationCreateGuard: z.ZodObject<{
         tenantId?: string | undefined;
         alwaysIssueRefreshToken?: boolean | undefined;
         rotateRefreshToken?: boolean | undefined;
+        allowTokenExchange?: boolean | undefined;
     }>>>;
     protectedAppMetadata: z.ZodOptional<z.ZodOptional<z.ZodType<{
         host: string;
@@ -217,6 +221,7 @@ export declare const applicationPatchGuard: z.ZodObject<Omit<{
         tenantId?: string | undefined;
         alwaysIssueRefreshToken?: boolean | undefined;
         rotateRefreshToken?: boolean | undefined;
+        allowTokenExchange?: boolean | undefined;
     }, z.ZodTypeDef, {
         corsAllowedOrigins?: string[] | undefined;
         idTokenTtl?: number | undefined;
@@ -225,6 +230,7 @@ export declare const applicationPatchGuard: z.ZodObject<Omit<{
         tenantId?: string | undefined;
         alwaysIssueRefreshToken?: boolean | undefined;
         rotateRefreshToken?: boolean | undefined;
+        allowTokenExchange?: boolean | undefined;
     }>>>>;
     protectedAppMetadata: z.ZodOptional<z.ZodOptional<z.ZodOptional<z.ZodType<{
         host: string;

package/lib/types/consent.d.ts

@@ -157,6 +157,7 @@ export declare const publicApplicationGuard: z.ZodObject<Pick<{
         tenantId?: string | undefined;
         alwaysIssueRefreshToken?: boolean | undefined;
         rotateRefreshToken?: boolean | undefined;
+        allowTokenExchange?: boolean | undefined;
     }, z.ZodTypeDef, {
         corsAllowedOrigins?: string[] | undefined;
         idTokenTtl?: number | undefined;
@@ -165,6 +166,7 @@ export declare const publicApplicationGuard: z.ZodObject<Pick<{
         tenantId?: string | undefined;
         alwaysIssueRefreshToken?: boolean | undefined;
         rotateRefreshToken?: boolean | undefined;
+        allowTokenExchange?: boolean | undefined;
     }>;
     protectedAppMetadata: z.ZodType<{
         host: string;
@@ -474,6 +476,7 @@ export declare const consentInfoResponseGuard: z.ZodObject<{
             tenantId?: string | undefined;
             alwaysIssueRefreshToken?: boolean | undefined;
             rotateRefreshToken?: boolean | undefined;
+            allowTokenExchange?: boolean | undefined;
         }, z.ZodTypeDef, {
             corsAllowedOrigins?: string[] | undefined;
             idTokenTtl?: number | undefined;
@@ -482,6 +485,7 @@ export declare const consentInfoResponseGuard: z.ZodObject<{
             tenantId?: string | undefined;
             alwaysIssueRefreshToken?: boolean | undefined;
             rotateRefreshToken?: boolean | undefined;
+            allowTokenExchange?: boolean | undefined;
         }>;
         protectedAppMetadata: z.ZodType<{
             host: string;

package/lib/types/custom-profile-fields.d.ts

@@ -2531,19 +2531,19 @@ export declare const signInIdentifierKeyGuard: z.ZodObject<Pick<{
     email: z.ZodOptional<z.ZodNullable<z.ZodString>>;
     phone: z.ZodOptional<z.ZodNullable<z.ZodString>>;
 }, "strip", z.ZodTypeAny, {
-    username?: string | null;
     email?: string | null | undefined;
+    username?: string | null;
     phone?: string | null | undefined;
     primaryEmail?: string | null;
     primaryPhone?: string | null;
 }, {
-    username?: string | null;
     email?: string | null | undefined;
+    username?: string | null;
     phone?: string | null | undefined;
     primaryEmail?: string | null;
     primaryPhone?: string | null;
 }>;
-export declare const reservedSignInIdentifierKeys: readonly ["username", "email", "phone", "primaryEmail", "primaryPhone"];
+export declare const reservedSignInIdentifierKeys: readonly ["email", "username", "phone", "primaryEmail", "primaryPhone"];
 /**
  * Reserved user profile keys.
  * Currently only `preferredUsername` is reserved since it is the standard username property used

package/lib/types/hook.d.ts

@@ -47,8 +47,8 @@ export declare const hookResponseGuard: z.ZodObject<{
     name: string;
     id: string;
     tenantId: string;
-    createdAt: number;
     enabled: boolean;
+    createdAt: number;
     config: import("../foundations/index.js").HookConfig;
     event: import("../foundations/index.js").HookEvent | null;
     events: import("../foundations/index.js").HookEvents;
@@ -61,8 +61,8 @@ export declare const hookResponseGuard: z.ZodObject<{
     name: string;
     id: string;
     tenantId: string;
-    createdAt: number;
     enabled: boolean;
+    createdAt: number;
     config: import("../foundations/index.js").HookConfig;
     event: import("../foundations/index.js").HookEvent | null;
     events: import("../foundations/index.js").HookEvents;

package/lib/types/interactions.d.ts

@@ -45,16 +45,25 @@ export type VerificationCodeIdentifier<T extends VerificationCodeSignInIdentifie
     type: T;
     value: string;
 };
-export declare const verificationCodeIdentifierGuard: z.ZodObject<{
-    type: z.ZodEnum<[SignInIdentifier.Email, SignInIdentifier.Phone]>;
+export declare const verificationCodeIdentifierGuard: z.ZodDiscriminatedUnion<"type", [z.ZodObject<{
+    type: z.ZodLiteral<SignInIdentifier.Email>;
     value: z.ZodString;
 }, "strip", z.ZodTypeAny, {
     value: string;
-    type: SignInIdentifier.Email | SignInIdentifier.Phone;
+    type: SignInIdentifier.Email;
 }, {
     value: string;
-    type: SignInIdentifier.Email | SignInIdentifier.Phone;
-}>;
+    type: SignInIdentifier.Email;
+}>, z.ZodObject<{
+    type: z.ZodLiteral<SignInIdentifier.Phone>;
+    value: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    value: string;
+    type: SignInIdentifier.Phone;
+}, {
+    value: string;
+    type: SignInIdentifier.Phone;
+}>]>;
 /** Payload type for `POST /api/experience/verification/{social|sso}/:connectorId/authorization-uri`. */
 export type SocialAuthorizationUrlPayload = {
     state: string;
@@ -450,14 +459,14 @@ export declare const profileGuard: z.ZodObject<{
     connectorId: z.ZodOptional<z.ZodString>;
     password: z.ZodOptional<z.ZodString>;
 }, "strip", z.ZodTypeAny, {
-    username?: string | undefined;
     email?: string | undefined;
+    username?: string | undefined;
     phone?: string | undefined;
     password?: string | undefined;
     connectorId?: string | undefined;
 }, {
-    username?: string | undefined;
     email?: string | undefined;
+    username?: string | undefined;
     phone?: string | undefined;
     password?: string | undefined;
     connectorId?: string | undefined;

package/lib/types/interactions.js

@@ -21,10 +21,16 @@ export const interactionIdentifierGuard = z.object({
     type: z.nativeEnum(SignInIdentifier),
     value: z.string(),
 });
-export const verificationCodeIdentifierGuard = z.object({
-    type: z.enum([SignInIdentifier.Email, SignInIdentifier.Phone]),
-    value: z.string(),
-});
+export const verificationCodeIdentifierGuard = z.discriminatedUnion('type', [
+    z.object({
+        type: z.literal(SignInIdentifier.Email),
+        value: z.string().regex(emailRegEx),
+    }),
+    z.object({
+        type: z.literal(SignInIdentifier.Phone),
+        value: z.string().regex(phoneRegEx),
+    }),
+]);
 export const socialAuthorizationUrlPayloadGuard = z.object({
     state: z.string(),
     redirectUri: z.string(),

package/lib/types/log/index.d.ts

@@ -10,16 +10,22 @@ export * as jwtCustomizer from './jwt-customizer.js';
 export * as saml from './saml.js';
 /** Fallback for empty or unrecognized log keys. */
 export declare const LogKeyUnknown = "Unknown";
-export type AuditLogKey = typeof LogKeyUnknown | interaction.LogKey | token.LogKey | saml.LogKey;
+export type InteractionLogKey = interaction.LogKey;
+export type TokenLogKey = token.LogKey;
 export type WebhookLogKey = hook.LogKey;
 export type JwtCustomizerLogKey = jwtCustomizer.LogKey;
 export type SamlLogKey = saml.LogKey;
+/**
+ * The union type of all available audit log keys.
+ *
+ * - All user-facing audit log keys should be included here.
+ * - Webhook log keys are excluded.
+ */
+export type AuditLogKey = typeof LogKeyUnknown | InteractionLogKey | TokenLogKey | SamlLogKey | JwtCustomizerLogKey;
 /**
  * The union type of all available log keys.
  * Note duplicate keys are allowed but should be avoided.
- *
- * @see {@link interaction.LogKey} for interaction log keys.
- * @see {@link token.LogKey} for token log keys.
- * @see {@link saml.LogKey} for SAML application log keys.
  **/
-export type LogKey = AuditLogKey | WebhookLogKey | JwtCustomizerLogKey;
+export type LogKey = AuditLogKey | WebhookLogKey;
+export type AuditLogPrefix = interaction.Prefix | token.Type | saml.Prefix | jwtCustomizer.Prefix | typeof LogKeyUnknown;
+export type WebhookLogPrefix = hook.Type;