@logto/schemas 1.37.1 → 1.39.0

package/alterations/1.38.0-1772615848-add-oidc-model-instances-grant-id-partial-index.ts

@@ -0,0 +1,26 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  beforeUp: async (pool) => {
+    await pool.query(sql`
+      create index concurrently oidc_model_instances__model_name_payload_grant_id_partial
+        on oidc_model_instances (tenant_id, model_name, (payload->>'grantId'))
+        where payload ? 'grantId';
+    `);
+  },
+  up: async () => {
+    /** `concurrently` cannot be used inside a transaction. */
+  },
+  beforeDown: async (pool) => {
+    await pool.query(sql`
+      drop index concurrently oidc_model_instances__model_name_payload_grant_id_partial;
+    `);
+  },
+  down: async () => {
+    /** `concurrently` cannot be used inside a transaction. */
+  },
+};
+
+export default alteration;

package/alterations/1.38.0-1772619963-tune-oidc-model-instances-autovacuum.ts

@@ -0,0 +1,28 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table oidc_model_instances set (
+        autovacuum_vacuum_scale_factor = 0.05,
+        autovacuum_analyze_scale_factor = 0.02,
+        autovacuum_vacuum_threshold = 5000,
+        autovacuum_analyze_threshold = 2000
+      );
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table oidc_model_instances reset (
+        autovacuum_vacuum_scale_factor,
+        autovacuum_analyze_scale_factor,
+        autovacuum_vacuum_threshold,
+        autovacuum_analyze_threshold
+      );
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.38.0-1772621060-add-oidc-model-instances-grant-account-id-index.ts

@@ -0,0 +1,26 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  beforeUp: async (pool) => {
+    await pool.query(sql`
+      create index concurrently oidc_model_instances__grant_payload_account_id_expires_at
+        on oidc_model_instances (tenant_id, (payload->>'accountId'), expires_at)
+        WHERE model_name = 'Grant';
+    `);
+  },
+  up: async () => {
+    /** 'concurrently' cannot be used inside a transaction, so this up is intentionally left empty. */
+  },
+  beforeDown: async (pool) => {
+    await pool.query(sql`
+      drop index concurrently oidc_model_instances__grant_payload_account_id_expires_at;
+    `);
+  },
+  down: async () => {
+    /** 'concurrently' cannot be used inside a transaction, so this down is intentionally left empty. */
+  },
+};
+
+export default alteration;

package/alterations/1.39.0-1774752400-add-delete-account-url.ts

@@ -0,0 +1,20 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table account_centers
+        add column delete_account_url varchar(2048);
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table account_centers
+        drop column delete_account_url;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.39.0-1774770686-add-account-center-custom-css.ts

@@ -0,0 +1,20 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table account_centers
+        add column custom_css text;
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table account_centers
+        drop column custom_css;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.39.0-1776502301-add-sign-up-profile-fields.ts

@@ -0,0 +1,20 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table sign_in_experiences
+        add column sign_up_profile_fields jsonb;
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table sign_in_experiences
+        drop column sign_up_profile_fields;
+    `);
+  },
+};
+
+export default alteration;

package/alterations-js/1.38.0-1772615848-add-oidc-model-instances-grant-id-partial-index.js

@@ -0,0 +1,22 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    beforeUp: async (pool) => {
+        await pool.query(sql `
+      create index concurrently oidc_model_instances__model_name_payload_grant_id_partial
+        on oidc_model_instances (tenant_id, model_name, (payload->>'grantId'))
+        where payload ? 'grantId';
+    `);
+    },
+    up: async () => {
+        /** `concurrently` cannot be used inside a transaction. */
+    },
+    beforeDown: async (pool) => {
+        await pool.query(sql `
+      drop index concurrently oidc_model_instances__model_name_payload_grant_id_partial;
+    `);
+    },
+    down: async () => {
+        /** `concurrently` cannot be used inside a transaction. */
+    },
+};
+export default alteration;

package/alterations-js/1.38.0-1772619963-tune-oidc-model-instances-autovacuum.js

@@ -0,0 +1,24 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table oidc_model_instances set (
+        autovacuum_vacuum_scale_factor = 0.05,
+        autovacuum_analyze_scale_factor = 0.02,
+        autovacuum_vacuum_threshold = 5000,
+        autovacuum_analyze_threshold = 2000
+      );
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table oidc_model_instances reset (
+        autovacuum_vacuum_scale_factor,
+        autovacuum_analyze_scale_factor,
+        autovacuum_vacuum_threshold,
+        autovacuum_analyze_threshold
+      );
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.38.0-1772621060-add-oidc-model-instances-grant-account-id-index.js

@@ -0,0 +1,22 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    beforeUp: async (pool) => {
+        await pool.query(sql `
+      create index concurrently oidc_model_instances__grant_payload_account_id_expires_at
+        on oidc_model_instances (tenant_id, (payload->>'accountId'), expires_at)
+        WHERE model_name = 'Grant';
+    `);
+    },
+    up: async () => {
+        /** 'concurrently' cannot be used inside a transaction, so this up is intentionally left empty. */
+    },
+    beforeDown: async (pool) => {
+        await pool.query(sql `
+      drop index concurrently oidc_model_instances__grant_payload_account_id_expires_at;
+    `);
+    },
+    down: async () => {
+        /** 'concurrently' cannot be used inside a transaction, so this down is intentionally left empty. */
+    },
+};
+export default alteration;

package/alterations-js/1.39.0-1774752400-add-delete-account-url.js

@@ -0,0 +1,16 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table account_centers
+        add column delete_account_url varchar(2048);
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table account_centers
+        drop column delete_account_url;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.39.0-1774770686-add-account-center-custom-css.js

@@ -0,0 +1,16 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table account_centers
+        add column custom_css text;
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table account_centers
+        drop column custom_css;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.39.0-1776502301-add-sign-up-profile-fields.js

@@ -0,0 +1,16 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table sign_in_experiences
+        add column sign_up_profile_fields jsonb;
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table sign_in_experiences
+        drop column sign_up_profile_fields;
+    `);
+    },
+};
+export default alteration;

package/lib/consts/cookie.d.ts

@@ -1 +1,2 @@
 export declare const logtoCookieKey = "_logto";
+export declare const deviceFlowXsrfCookieKey = "_logto_device_flow_xsrf";

package/lib/consts/cookie.js

@@ -1 +1,2 @@
 export const logtoCookieKey = '_logto';
+export const deviceFlowXsrfCookieKey = '_logto_device_flow_xsrf';

package/lib/consts/experience.d.ts

@@ -4,6 +4,7 @@ export declare const experience: Readonly<{
         readonly register: "register";
         readonly sso: "single-sign-on";
         readonly consent: "consent";
+        readonly device: "device";
         readonly resetPassword: "reset-password";
         readonly identifierSignIn: "identifier-sign-in";
         readonly identifierRegister: "identifier-register";

package/lib/consts/experience.js

@@ -3,6 +3,7 @@ const routes = Object.freeze({
     register: 'register',
     sso: 'single-sign-on',
     consent: 'consent',
+    device: 'device',
     resetPassword: 'reset-password',
     identifierSignIn: 'identifier-sign-in',
     identifierRegister: 'identifier-register',

package/lib/consts/oidc.d.ts

@@ -1,5 +1,8 @@
 import { z } from 'zod';
 export declare const tenantIdKey = "tenant_id";
+export declare const oidcRoutes: Readonly<{
+    readonly codeVerification: "/oidc/device";
+}>;
 export declare const customClientMetadataDefault: Readonly<{
     readonly idTokenTtl: number;
     readonly refreshTokenTtlInDays: 14;

package/lib/consts/oidc.js

@@ -1,6 +1,9 @@
 import { z } from 'zod';
 import { inSeconds } from './date.js';
 export const tenantIdKey = 'tenant_id';
+export const oidcRoutes = Object.freeze({
+    codeVerification: '/oidc/device',
+});
 export const customClientMetadataDefault = Object.freeze({
     idTokenTtl: inSeconds.oneHour,
     refreshTokenTtlInDays: 14,

package/lib/consts/system.d.ts

@@ -11,3 +11,7 @@
 export declare const ossConsolePath = "/console";
 /** The prefix for keys and values that need to be explicitly marked as internal. */
 export declare const internalPrefix = "#internal:";
+/**
+ * The timeout for WebAuthn authentication options, in milliseconds.
+ */
+export declare const webAuthnAuthenticationOptionsTimeout = 60000;

package/lib/consts/system.js

@@ -11,3 +11,7 @@
 export const ossConsolePath = '/console';
 /** The prefix for keys and values that need to be explicitly marked as internal. */
 export const internalPrefix = '#internal:';
+/**
+ * The timeout for WebAuthn authentication options, in milliseconds.
+ */
+export const webAuthnAuthenticationOptionsTimeout = 60_000;

package/lib/db-entries/account-center.d.ts

@@ -12,6 +12,10 @@ export type CreateAccountCenter = {
     /** Control each fields */
     fields?: AccountCenterFieldControl;
     webauthnRelatedOrigins?: WebauthnRelatedOrigins;
+    /** URL for custom account deletion endpoint */
+    deleteAccountUrl?: string | null;
+    /** User-defined custom CSS for the account center */
+    customCss?: string | null;
 };
 export type AccountCenter = {
     tenantId: string;
@@ -21,6 +25,10 @@ export type AccountCenter = {
     /** Control each fields */
     fields: AccountCenterFieldControl;
     webauthnRelatedOrigins: WebauthnRelatedOrigins;
+    /** URL for custom account deletion endpoint */
+    deleteAccountUrl: string | null;
+    /** User-defined custom CSS for the account center */
+    customCss: string | null;
 };
-export type AccountCenterKeys = 'tenantId' | 'id' | 'enabled' | 'fields' | 'webauthnRelatedOrigins';
+export type AccountCenterKeys = 'tenantId' | 'id' | 'enabled' | 'fields' | 'webauthnRelatedOrigins' | 'deleteAccountUrl' | 'customCss';
 export declare const AccountCenters: GeneratedSchema<AccountCenterKeys, CreateAccountCenter, AccountCenter, 'account_centers', 'account_center'>;

package/lib/db-entries/account-center.js

@@ -7,6 +7,8 @@ const createGuard = z.object({
     enabled: z.boolean().optional(),
     fields: accountCenterFieldControlGuard.optional(),
     webauthnRelatedOrigins: webauthnRelatedOriginsGuard.optional(),
+    deleteAccountUrl: z.string().max(2048).nullable().optional(),
+    customCss: z.string().nullable().optional(),
 });
 const guard = z.object({
     tenantId: z.string().max(21),
@@ -14,6 +16,8 @@ const guard = z.object({
     enabled: z.boolean(),
     fields: accountCenterFieldControlGuard,
     webauthnRelatedOrigins: webauthnRelatedOriginsGuard,
+    deleteAccountUrl: z.string().max(2048).nullable(),
+    customCss: z.string().nullable(),
 });
 export const AccountCenters = Object.freeze({
     table: 'account_centers',
@@ -24,6 +28,8 @@ export const AccountCenters = Object.freeze({
         enabled: 'enabled',
         fields: 'fields',
         webauthnRelatedOrigins: 'webauthn_related_origins',
+        deleteAccountUrl: 'delete_account_url',
+        customCss: 'custom_css',
     },
     fieldKeys: [
         'tenantId',
@@ -31,6 +37,8 @@ export const AccountCenters = Object.freeze({
         'enabled',
         'fields',
         'webauthnRelatedOrigins',
+        'deleteAccountUrl',
+        'customCss',
     ],
     createGuard,
     guard,

package/lib/db-entries/sign-in-experience.d.ts

@@ -1,4 +1,4 @@
-import { Color, Branding, LanguageInfo, SignIn, SignUp, SocialSignIn, ConnectorTargets, CustomContent, CustomUiAssets, PartialPasswordPolicy, Mfa, AdaptiveMfa, CaptchaPolicy, SentinelPolicy, EmailBlocklistPolicy, ForgotPasswordMethods, PasskeySignIn, GeneratedSchema } from './../foundations/index.js';
+import { Color, Branding, LanguageInfo, SignIn, SignUp, SocialSignIn, ConnectorTargets, CustomContent, CustomUiAssets, PartialPasswordPolicy, Mfa, AdaptiveMfa, CaptchaPolicy, SentinelPolicy, EmailBlocklistPolicy, ForgotPasswordMethods, PasskeySignIn, SignUpProfileFields, GeneratedSchema } from './../foundations/index.js';
 import { AgreeToTermsPolicy, SignInMode } from './custom-types.js';
 /**
  *
@@ -36,6 +36,8 @@ export type CreateSignInExperience = {
     emailBlocklistPolicy?: EmailBlocklistPolicy;
     forgotPasswordMethods?: ForgotPasswordMethods | null;
     passkeySignIn?: PasskeySignIn;
+    /** Nullable by design: null keeps legacy full-catalog behavior and [] collects no custom profile fields. */
+    signUpProfileFields?: SignUpProfileFields | null;
 };
 export type SignInExperience = {
     tenantId: string;
@@ -68,6 +70,8 @@ export type SignInExperience = {
     emailBlocklistPolicy: EmailBlocklistPolicy;
     forgotPasswordMethods: ForgotPasswordMethods | null;
     passkeySignIn: PasskeySignIn;
+    /** Nullable by design: null keeps legacy full-catalog behavior and [] collects no custom profile fields. */
+    signUpProfileFields: SignUpProfileFields | null;
 };
-export type SignInExperienceKeys = 'tenantId' | 'id' | 'color' | 'branding' | 'hideLogtoBranding' | 'languageInfo' | 'termsOfUseUrl' | 'privacyPolicyUrl' | 'agreeToTermsPolicy' | 'signIn' | 'signUp' | 'socialSignIn' | 'socialSignInConnectorTargets' | 'signInMode' | 'customCss' | 'customContent' | 'customUiAssets' | 'passwordPolicy' | 'mfa' | 'adaptiveMfa' | 'singleSignOnEnabled' | 'supportEmail' | 'supportWebsiteUrl' | 'unknownSessionRedirectUrl' | 'captchaPolicy' | 'sentinelPolicy' | 'emailBlocklistPolicy' | 'forgotPasswordMethods' | 'passkeySignIn';
+export type SignInExperienceKeys = 'tenantId' | 'id' | 'color' | 'branding' | 'hideLogtoBranding' | 'languageInfo' | 'termsOfUseUrl' | 'privacyPolicyUrl' | 'agreeToTermsPolicy' | 'signIn' | 'signUp' | 'socialSignIn' | 'socialSignInConnectorTargets' | 'signInMode' | 'customCss' | 'customContent' | 'customUiAssets' | 'passwordPolicy' | 'mfa' | 'adaptiveMfa' | 'singleSignOnEnabled' | 'supportEmail' | 'supportWebsiteUrl' | 'unknownSessionRedirectUrl' | 'captchaPolicy' | 'sentinelPolicy' | 'emailBlocklistPolicy' | 'forgotPasswordMethods' | 'passkeySignIn' | 'signUpProfileFields';
 export declare const SignInExperiences: GeneratedSchema<SignInExperienceKeys, CreateSignInExperience, SignInExperience, 'sign_in_experiences', 'sign_in_experience'>;

package/lib/db-entries/sign-in-experience.js

@@ -1,6 +1,6 @@
 // THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
 import { z } from 'zod';
-import { colorGuard, brandingGuard, languageInfoGuard, signInGuard, signUpGuard, socialSignInGuard, connectorTargetsGuard, customContentGuard, customUiAssetsGuard, partialPasswordPolicyGuard, mfaGuard, adaptiveMfaGuard, captchaPolicyGuard, sentinelPolicyGuard, emailBlocklistPolicyGuard, forgotPasswordMethodsGuard, passkeySignInGuard } from './../foundations/index.js';
+import { colorGuard, brandingGuard, languageInfoGuard, signInGuard, signUpGuard, socialSignInGuard, connectorTargetsGuard, customContentGuard, customUiAssetsGuard, partialPasswordPolicyGuard, mfaGuard, adaptiveMfaGuard, captchaPolicyGuard, sentinelPolicyGuard, emailBlocklistPolicyGuard, forgotPasswordMethodsGuard, passkeySignInGuard, signUpProfileFieldsGuard } from './../foundations/index.js';
 import { AgreeToTermsPolicy, SignInMode } from './custom-types.js';
 const createGuard = z.object({
     tenantId: z.string().max(21).optional(),
@@ -32,6 +32,7 @@ const createGuard = z.object({
     emailBlocklistPolicy: emailBlocklistPolicyGuard.optional(),
     forgotPasswordMethods: forgotPasswordMethodsGuard.nullable().optional(),
     passkeySignIn: passkeySignInGuard.optional(),
+    signUpProfileFields: signUpProfileFieldsGuard.nullable().optional(),
 });
 const guard = z.object({
     tenantId: z.string().max(21),
@@ -63,6 +64,7 @@ const guard = z.object({
     emailBlocklistPolicy: emailBlocklistPolicyGuard,
     forgotPasswordMethods: forgotPasswordMethodsGuard.nullable(),
     passkeySignIn: passkeySignInGuard,
+    signUpProfileFields: signUpProfileFieldsGuard.nullable(),
 });
 export const SignInExperiences = Object.freeze({
     table: 'sign_in_experiences',
@@ -97,6 +99,7 @@ export const SignInExperiences = Object.freeze({
         emailBlocklistPolicy: 'email_blocklist_policy',
         forgotPasswordMethods: 'forgot_password_methods',
         passkeySignIn: 'passkey_sign_in',
+        signUpProfileFields: 'sign_up_profile_fields',
     },
     fieldKeys: [
         'tenantId',
@@ -128,6 +131,7 @@ export const SignInExperiences = Object.freeze({
         'emailBlocklistPolicy',
         'forgotPasswordMethods',
         'passkeySignIn',
+        'signUpProfileFields',
     ],
     createGuard,
     guard,

package/lib/foundations/jsonb-types/account-centers.d.ts

@@ -49,3 +49,4 @@ export declare const accountCenterFieldControlGuard: z.ZodObject<{
 export type AccountCenterFieldControl = z.infer<typeof accountCenterFieldControlGuard>;
 export declare const webauthnRelatedOriginsGuard: z.ZodArray<z.ZodString, "many">;
 export type WebauthnRelatedOrigins = z.infer<typeof webauthnRelatedOriginsGuard>;
+export declare const deleteAccountUrlGuard: z.ZodEffects<z.ZodString, string, string>;

package/lib/foundations/jsonb-types/account-centers.js

@@ -26,3 +26,11 @@ export const accountCenterFieldControlGuard = z
 })
     .partial();
 export const webauthnRelatedOriginsGuard = z.array(z.string());
+export const deleteAccountUrlGuard = z
+    .string()
+    .max(2048)
+    .refine((value) => value === '' ||
+    ((value.startsWith('https://') || value.startsWith('http://')) &&
+        z.string().url().safeParse(value).success), {
+    message: 'deleteAccountUrl must be a valid http(s) URL',
+});

package/lib/foundations/jsonb-types/oidc-module.d.ts

@@ -88,7 +88,20 @@ export declare enum CustomClientMetadataKey {
      *
      * Defaults to `false` for all new applications. Users must explicitly enable it.
      */
-    AllowTokenExchange = "allowTokenExchange"
+    AllowTokenExchange = "allowTokenExchange",
+    /**
+     * Whether the application uses the OAuth 2.0 Device Authorization Grant (RFC 8628)
+     * instead of the standard Authorization Code flow.
+     *
+     * Only applicable to native applications. Defaults to `false`.
+     */
+    IsDeviceFlow = "isDeviceFlow",
+    /**
+     * The maximum number of active sessions (devices) allowed per user for this application.
+     *
+     * When exceeded, old sessions should be revoked according to server policy.
+     */
+    MaxAllowedGrants = "maxAllowedGrants"
 }
 export declare const customClientMetadataGuard: z.ZodObject<{
     corsAllowedOrigins: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
@@ -99,6 +112,8 @@ export declare const customClientMetadataGuard: z.ZodObject<{
     alwaysIssueRefreshToken: z.ZodOptional<z.ZodBoolean>;
     rotateRefreshToken: z.ZodOptional<z.ZodBoolean>;
     allowTokenExchange: z.ZodOptional<z.ZodBoolean>;
+    isDeviceFlow: z.ZodOptional<z.ZodBoolean>;
+    maxAllowedGrants: z.ZodOptional<z.ZodNumber>;
 }, "strip", z.ZodTypeAny, {
     corsAllowedOrigins?: string[] | undefined;
     idTokenTtl?: number | undefined;
@@ -108,6 +123,8 @@ export declare const customClientMetadataGuard: z.ZodObject<{
     alwaysIssueRefreshToken?: boolean | undefined;
     rotateRefreshToken?: boolean | undefined;
     allowTokenExchange?: boolean | undefined;
+    isDeviceFlow?: boolean | undefined;
+    maxAllowedGrants?: number | undefined;
 }, {
     corsAllowedOrigins?: string[] | undefined;
     idTokenTtl?: number | undefined;
@@ -117,6 +134,8 @@ export declare const customClientMetadataGuard: z.ZodObject<{
     alwaysIssueRefreshToken?: boolean | undefined;
     rotateRefreshToken?: boolean | undefined;
     allowTokenExchange?: boolean | undefined;
+    isDeviceFlow?: boolean | undefined;
+    maxAllowedGrants?: number | undefined;
 }>;
 /**
  * @see {@link CustomClientMetadataKey} for key descriptions.
@@ -207,7 +226,7 @@ export declare const oidcSessionInstancePayloadGuard: z.ZodObject<{
     /**
      * A map of client_id to session authorization details. @see OidcSessionAuthorizationDetails
      */
-    authorizations: z.ZodRecord<z.ZodString, z.ZodObject<{
+    authorizations: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
         /**
          * The `sid` (session ID) Claim associated with the session for the current client.
          *
@@ -279,7 +298,7 @@ export declare const oidcSessionInstancePayloadGuard: z.ZodObject<{
          * Mark optional to make the guard more robust.
          */
         persistsLogout: z.ZodOptional<z.ZodBoolean>;
-    }, z.ZodUnknown, "strip">>>;
+    }, z.ZodUnknown, "strip">>>>;
 }, "strip", z.ZodUnknown, z.objectOutputType<{
     exp: z.ZodNumber;
     iat: z.ZodNumber;
@@ -291,7 +310,7 @@ export declare const oidcSessionInstancePayloadGuard: z.ZodObject<{
     /**
      * A map of client_id to session authorization details. @see OidcSessionAuthorizationDetails
      */
-    authorizations: z.ZodRecord<z.ZodString, z.ZodObject<{
+    authorizations: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
         /**
          * The `sid` (session ID) Claim associated with the session for the current client.
          *
@@ -363,7 +382,7 @@ export declare const oidcSessionInstancePayloadGuard: z.ZodObject<{
          * Mark optional to make the guard more robust.
          */
         persistsLogout: z.ZodOptional<z.ZodBoolean>;
-    }, z.ZodUnknown, "strip">>>;
+    }, z.ZodUnknown, "strip">>>>;
 }, z.ZodUnknown, "strip">, z.objectInputType<{
     exp: z.ZodNumber;
     iat: z.ZodNumber;
@@ -375,7 +394,7 @@ export declare const oidcSessionInstancePayloadGuard: z.ZodObject<{
     /**
      * A map of client_id to session authorization details. @see OidcSessionAuthorizationDetails
      */
-    authorizations: z.ZodRecord<z.ZodString, z.ZodObject<{
+    authorizations: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
         /**
          * The `sid` (session ID) Claim associated with the session for the current client.
          *
@@ -447,6 +466,6 @@ export declare const oidcSessionInstancePayloadGuard: z.ZodObject<{
          * Mark optional to make the guard more robust.
          */
         persistsLogout: z.ZodOptional<z.ZodBoolean>;
-    }, z.ZodUnknown, "strip">>>;
+    }, z.ZodUnknown, "strip">>>>;
 }, z.ZodUnknown, "strip">>;
 export type OidcSessionInstancePayload = z.infer<typeof oidcSessionInstancePayloadGuard>;

package/lib/foundations/jsonb-types/oidc-module.js

@@ -55,6 +55,19 @@ export var CustomClientMetadataKey;
      * Defaults to `false` for all new applications. Users must explicitly enable it.
      */
     CustomClientMetadataKey["AllowTokenExchange"] = "allowTokenExchange";
+    /**
+     * Whether the application uses the OAuth 2.0 Device Authorization Grant (RFC 8628)
+     * instead of the standard Authorization Code flow.
+     *
+     * Only applicable to native applications. Defaults to `false`.
+     */
+    CustomClientMetadataKey["IsDeviceFlow"] = "isDeviceFlow";
+    /**
+     * The maximum number of active sessions (devices) allowed per user for this application.
+     *
+     * When exceeded, old sessions should be revoked according to server policy.
+     */
+    CustomClientMetadataKey["MaxAllowedGrants"] = "maxAllowedGrants";
 })(CustomClientMetadataKey || (CustomClientMetadataKey = {}));
 export const customClientMetadataGuard = z.object({
     [CustomClientMetadataKey.CorsAllowedOrigins]: z.string().min(1).array().optional(),
@@ -65,6 +78,8 @@ export const customClientMetadataGuard = z.object({
     [CustomClientMetadataKey.AlwaysIssueRefreshToken]: z.boolean().optional(),
     [CustomClientMetadataKey.RotateRefreshToken]: z.boolean().optional(),
     [CustomClientMetadataKey.AllowTokenExchange]: z.boolean().optional(),
+    [CustomClientMetadataKey.IsDeviceFlow]: z.boolean().optional(),
+    [CustomClientMetadataKey.MaxAllowedGrants]: z.number().int().positive().optional(),
 });
 export const oidcSessionAuthorizationDetailsGuard = z
     .object({
@@ -105,6 +120,6 @@ export const oidcSessionInstancePayloadGuard = z
     /**
      * A map of client_id to session authorization details. @see OidcSessionAuthorizationDetails
      */
-    authorizations: z.record(z.string(), oidcSessionAuthorizationDetailsGuard),
+    authorizations: z.record(z.string(), oidcSessionAuthorizationDetailsGuard).optional(),
 })
     .catchall(z.unknown());