@logto/schemas 1.37.1 → 1.39.0

Files changed (73) hide show
  1. package/alterations/1.38.0-1772615848-add-oidc-model-instances-grant-id-partial-index.ts +26 -0
  2. package/alterations/1.38.0-1772619963-tune-oidc-model-instances-autovacuum.ts +28 -0
  3. package/alterations/1.38.0-1772621060-add-oidc-model-instances-grant-account-id-index.ts +26 -0
  4. package/alterations/1.39.0-1774752400-add-delete-account-url.ts +20 -0
  5. package/alterations/1.39.0-1774770686-add-account-center-custom-css.ts +20 -0
  6. package/alterations/1.39.0-1776502301-add-sign-up-profile-fields.ts +20 -0
  7. package/alterations-js/1.38.0-1772615848-add-oidc-model-instances-grant-id-partial-index.js +22 -0
  8. package/alterations-js/1.38.0-1772619963-tune-oidc-model-instances-autovacuum.js +24 -0
  9. package/alterations-js/1.38.0-1772621060-add-oidc-model-instances-grant-account-id-index.js +22 -0
  10. package/alterations-js/1.39.0-1774752400-add-delete-account-url.js +16 -0
  11. package/alterations-js/1.39.0-1774770686-add-account-center-custom-css.js +16 -0
  12. package/alterations-js/1.39.0-1776502301-add-sign-up-profile-fields.js +16 -0
  13. package/lib/consts/cookie.d.ts +1 -0
  14. package/lib/consts/cookie.js +1 -0
  15. package/lib/consts/experience.d.ts +1 -0
  16. package/lib/consts/experience.js +1 -0
  17. package/lib/consts/oidc.d.ts +3 -0
  18. package/lib/consts/oidc.js +3 -0
  19. package/lib/consts/system.d.ts +4 -0
  20. package/lib/consts/system.js +4 -0
  21. package/lib/db-entries/account-center.d.ts +9 -1
  22. package/lib/db-entries/account-center.js +8 -0
  23. package/lib/db-entries/sign-in-experience.d.ts +6 -2
  24. package/lib/db-entries/sign-in-experience.js +5 -1
  25. package/lib/foundations/jsonb-types/account-centers.d.ts +1 -0
  26. package/lib/foundations/jsonb-types/account-centers.js +8 -0
  27. package/lib/foundations/jsonb-types/oidc-module.d.ts +26 -7
  28. package/lib/foundations/jsonb-types/oidc-module.js +16 -1
  29. package/lib/foundations/jsonb-types/sign-in-experience.d.ts +36 -6
  30. package/lib/foundations/jsonb-types/sign-in-experience.js +10 -2
  31. package/lib/seeds/application.d.ts +3 -1
  32. package/lib/seeds/application.js +26 -1
  33. package/lib/types/alteration.d.ts +5 -0
  34. package/lib/types/application.d.ts +14 -2
  35. package/lib/types/connector.d.ts +8 -0
  36. package/lib/types/consent.d.ts +11 -3
  37. package/lib/types/consent.js +2 -1
  38. package/lib/types/custom-profile-fields.d.ts +7 -13
  39. package/lib/types/custom-profile-fields.js +6 -13
  40. package/lib/types/log/interaction.d.ts +4 -2
  41. package/lib/types/log/interaction.js +2 -0
  42. package/lib/types/log/token.d.ts +5 -3
  43. package/lib/types/log/token.js +2 -0
  44. package/lib/types/logto-config/index.d.ts +331 -15
  45. package/lib/types/logto-config/index.js +28 -4
  46. package/lib/types/logto-config/index.test.d.ts +1 -0
  47. package/lib/types/logto-config/index.test.js +29 -0
  48. package/lib/types/logto-config/jwt-customizer.d.ts +787 -253
  49. package/lib/types/logto-config/jwt-customizer.js +8 -3
  50. package/lib/types/logto-config/jwt-customizer.test.js +14 -2
  51. package/lib/types/oidc-config.d.ts +2 -1
  52. package/lib/types/oidc-config.js +1 -0
  53. package/lib/types/onboarding.d.ts +93 -1
  54. package/lib/types/onboarding.js +22 -1
  55. package/lib/types/sign-in-experience.d.ts +15 -4
  56. package/lib/types/user-logto-config.d.ts +49 -0
  57. package/lib/types/user-logto-config.js +19 -0
  58. package/lib/types/user-sessions.d.ts +712 -112
  59. package/lib/types/user-sessions.js +33 -2
  60. package/lib/types/verification-records/verification-type.d.ts +1 -1
  61. package/lib/types/verification-records/verification-type.js +1 -1
  62. package/lib/types/verification-records/web-authn-verification.d.ts +11 -11
  63. package/lib/types/verification-records/web-authn-verification.js +3 -3
  64. package/lib/utils/index.d.ts +1 -0
  65. package/lib/utils/index.js +1 -0
  66. package/lib/utils/oidc-private-key.d.ts +88 -0
  67. package/lib/utils/oidc-private-key.js +163 -0
  68. package/lib/utils/oidc-private-key.test.d.ts +1 -0
  69. package/lib/utils/oidc-private-key.test.js +128 -0
  70. package/package.json +9 -8
  71. package/tables/account_centers.sql +4 -0
  72. package/tables/oidc_model_instances.sql +16 -0
  73. package/tables/sign_in_experiences.sql +2 -0
@@ -1,4 +1,5 @@
1
1
  import { extendedIdTokenClaims } from '@logto/core-kit';
2
+ import { type Nullable, type Optional } from '@silverhand/essentials';
2
3
  import type { ZodType } from 'zod';
3
4
  import { z } from 'zod';
4
5
  import { type AccessTokenJwtCustomizer, type ClientCredentialsJwtCustomizer } from './jwt-customizer.js';
@@ -16,7 +17,8 @@ export declare enum LogtoOidcConfigKeyType {
16
17
  */
17
18
  export declare enum LogtoOidcConfigKey {
18
19
  PrivateKeys = "oidc.privateKeys",
19
- CookieKeys = "oidc.cookieKeys"
20
+ CookieKeys = "oidc.cookieKeys",
21
+ Session = "oidc.session"
20
22
  }
21
23
  /**
22
24
  * Logto supported signing key algorithms for OIDC private keys that sign JWT tokens.
@@ -39,12 +41,44 @@ export declare const oidcConfigKeyGuard: z.ZodObject<{
39
41
  createdAt: number;
40
42
  }>;
41
43
  export type OidcConfigKey = z.infer<typeof oidcConfigKeyGuard>;
44
+ export declare enum OidcSigningKeyStatus {
45
+ Next = "Next",
46
+ Current = "Current",
47
+ Previous = "Previous"
48
+ }
49
+ export declare const oidcPrivateKeyGuard: z.ZodObject<{
50
+ id: z.ZodString;
51
+ value: z.ZodString;
52
+ createdAt: z.ZodNumber;
53
+ } & {
54
+ status: z.ZodOptional<z.ZodNativeEnum<typeof OidcSigningKeyStatus>>;
55
+ }, "strip", z.ZodTypeAny, {
56
+ value: string;
57
+ id: string;
58
+ createdAt: number;
59
+ status?: OidcSigningKeyStatus | undefined;
60
+ }, {
61
+ value: string;
62
+ id: string;
63
+ createdAt: number;
64
+ status?: OidcSigningKeyStatus | undefined;
65
+ }>;
66
+ export type OidcPrivateKey = z.infer<typeof oidcPrivateKeyGuard>;
67
+ export declare const oidcSessionConfigGuard: z.ZodObject<{
68
+ ttl: z.ZodOptional<z.ZodNumber>;
69
+ }, "strip", z.ZodTypeAny, {
70
+ ttl?: number | undefined;
71
+ }, {
72
+ ttl?: number | undefined;
73
+ }>;
74
+ export type OidcSessionConfig = z.infer<typeof oidcSessionConfigGuard>;
42
75
  export type LogtoOidcConfigType = {
43
- [LogtoOidcConfigKey.PrivateKeys]: OidcConfigKey[];
76
+ [LogtoOidcConfigKey.PrivateKeys]: OidcPrivateKey[];
44
77
  [LogtoOidcConfigKey.CookieKeys]: OidcConfigKey[];
78
+ [LogtoOidcConfigKey.Session]: OidcSessionConfig;
45
79
  };
46
80
  export declare const logtoOidcConfigGuard: Readonly<{
47
- [key in LogtoOidcConfigKey]: ZodType<LogtoOidcConfigType[key]>;
81
+ [key in LogtoOidcConfigKey]: ZodType<LogtoOidcConfigType[key], z.ZodTypeDef, Optional<Nullable<LogtoOidcConfigType[key]>>>;
48
82
  }>;
49
83
  export declare enum LogtoJwtTokenKey {
50
84
  AccessToken = "jwt.accessToken",
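Review bot: `oidcSessionConfigGuard` declares `ttl` only as `z.ZodOptional<z.ZodNumber>`, so the declaration tells a consumer neither the unit nor whether zero, negative, fractional or very large values are rejected; for a value that presumably controls OIDC session lifetime, both should be stated and enforced at the guard. If the source guard is a bare `z.number().optional()`, consider `z.number().int().positive().optional()` plus an upper bound, with a doc comment such as `/** Session TTL in <unit>; the default applies when omitted. */`. The same hunk widens the input side of `logtoOidcConfigGuard` to `Optional<Nullable<…>>` for every key, including `PrivateKeys`, so it is worth confirming that a `null` or missing stored value for `oidc.privateKeys` fails loudly rather than parsing to an empty key list. `OidcSigningKeyStatus` would also benefit from a comment saying which status is used for signing and how a key with no `status` is treated.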
@@ -62,6 +96,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
62
96
  value: z.ZodObject<{
63
97
  script: z.ZodString;
64
98
  environmentVariables: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
99
+ blockIssuanceOnError: z.ZodOptional<z.ZodBoolean>;
65
100
  } & {
66
101
  tokenSample: z.ZodOptional<z.ZodObject<{
67
102
  accountId: z.ZodOptional<z.ZodString>;
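Review bot: `blockIssuanceOnError` is added as `z.ZodOptional<z.ZodBoolean>` with no doc comment, so the behaviour when it is omitted is not visible from the declaration; judging by the name, omitting it would leave token issuance fail-open when the customizer script throws, which should be confirmed against the implementation. Deployments that rely on the customizer to add or strip authorization-relevant claims need to know they must opt in to fail-closed behaviour. Suggest documenting it at the source guard, e.g. `/** When true, a customizer script error rejects the token request instead of issuing a token without the custom claims. */`, and stating the real default there. The same field is added to the client-credentials variant in the `@@ -2678,6 +2949,7 @@` hunk. The enclosing `jwtCustomizerConfigsGuard` declaration starts and ends outside this hunk.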
@@ -533,6 +568,74 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
533
568
  };
534
569
  templateType: import("@logto/connector-kit").TemplateType;
535
570
  verified: boolean;
571
+ }>, z.ZodObject<{
572
+ id: z.ZodString;
573
+ templateType: z.ZodNativeEnum<typeof import("@logto/connector-kit").TemplateType>;
574
+ verified: z.ZodBoolean;
575
+ } & {
576
+ type: z.ZodLiteral<import("../index.js").VerificationType.MfaEmailVerificationCode>;
577
+ identifier: z.ZodObject<{
578
+ type: z.ZodLiteral<import("../../index.js").SignInIdentifier.Email>;
579
+ value: z.ZodString;
580
+ }, "strip", z.ZodTypeAny, {
581
+ value: string;
582
+ type: import("../../index.js").SignInIdentifier.Email;
583
+ }, {
584
+ value: string;
585
+ type: import("../../index.js").SignInIdentifier.Email;
586
+ }>;
587
+ }, "strip", z.ZodTypeAny, {
588
+ type: import("../index.js").VerificationType.MfaEmailVerificationCode;
589
+ id: string;
590
+ identifier: {
591
+ value: string;
592
+ type: import("../../index.js").SignInIdentifier.Email;
593
+ };
594
+ templateType: import("@logto/connector-kit").TemplateType;
595
+ verified: boolean;
596
+ }, {
597
+ type: import("../index.js").VerificationType.MfaEmailVerificationCode;
598
+ id: string;
599
+ identifier: {
600
+ value: string;
601
+ type: import("../../index.js").SignInIdentifier.Email;
602
+ };
603
+ templateType: import("@logto/connector-kit").TemplateType;
604
+ verified: boolean;
605
+ }>, z.ZodObject<{
606
+ id: z.ZodString;
607
+ templateType: z.ZodNativeEnum<typeof import("@logto/connector-kit").TemplateType>;
608
+ verified: z.ZodBoolean;
609
+ } & {
610
+ type: z.ZodLiteral<import("../index.js").VerificationType.MfaPhoneVerificationCode>;
611
+ identifier: z.ZodObject<{
612
+ type: z.ZodLiteral<import("../../index.js").SignInIdentifier.Phone>;
613
+ value: z.ZodString;
614
+ }, "strip", z.ZodTypeAny, {
615
+ value: string;
616
+ type: import("../../index.js").SignInIdentifier.Phone;
617
+ }, {
618
+ value: string;
619
+ type: import("../../index.js").SignInIdentifier.Phone;
620
+ }>;
621
+ }, "strip", z.ZodTypeAny, {
622
+ type: import("../index.js").VerificationType.MfaPhoneVerificationCode;
623
+ id: string;
624
+ identifier: {
625
+ value: string;
626
+ type: import("../../index.js").SignInIdentifier.Phone;
627
+ };
628
+ templateType: import("@logto/connector-kit").TemplateType;
629
+ verified: boolean;
630
+ }, {
631
+ type: import("../index.js").VerificationType.MfaPhoneVerificationCode;
632
+ id: string;
633
+ identifier: {
634
+ value: string;
635
+ type: import("../../index.js").SignInIdentifier.Phone;
636
+ };
637
+ templateType: import("@logto/connector-kit").TemplateType;
638
+ verified: boolean;
536
639
  }>, z.ZodObject<Omit<{
537
640
  id: z.ZodString;
538
641
  connectorId: z.ZodString;
@@ -810,17 +913,17 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
810
913
  name?: string | undefined;
811
914
  }>>;
812
915
  } & {
813
- type: z.ZodLiteral<import("../index.js").VerificationType.SignInWebAuthn>;
916
+ type: z.ZodLiteral<import("../index.js").VerificationType.SignInPasskey>;
814
917
  userId: z.ZodOptional<z.ZodString>;
815
918
  authenticationRpId: z.ZodOptional<z.ZodString>;
816
919
  }, "registrationChallenge" | "authenticationChallenge" | "registrationInfo" | "authenticationRpId">, "strip", z.ZodTypeAny, {
817
- type: import("../index.js").VerificationType.SignInWebAuthn;
920
+ type: import("../index.js").VerificationType.SignInPasskey;
818
921
  id: string;
819
922
  verified: boolean;
820
923
  userId?: string | undefined;
821
924
  registrationRpId?: string | undefined;
822
925
  }, {
823
- type: import("../index.js").VerificationType.SignInWebAuthn;
926
+ type: import("../index.js").VerificationType.SignInPasskey;
824
927
  id: string;
825
928
  verified: boolean;
826
929
  userId?: string | undefined;
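Review bot: `VerificationType.SignInWebAuthn` is replaced by `VerificationType.SignInPasskey` as the discriminant of this verification record with no deprecated alias visible, which is a breaking change for consumers inside a minor release. If the enum's string value changed along with its name (not visible in this declaration), records persisted under the old value would no longer match this guard, and JWT customizer scripts that branch on the old type would stop matching without any error. Confirm which it is, and either keep the old member as a `@deprecated` alias or cover stored records with a migration and call the rename out in the changelog. The same replacement recurs in the later hunks touching this union member (for example `@@ -988,7 +1109,7 @@` and `@@ -1084,7 +1223,7 @@`). The enclosing declaration starts and ends outside the hunk.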
@@ -925,6 +1028,24 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
925
1028
  };
926
1029
  templateType: import("@logto/connector-kit").TemplateType;
927
1030
  verified: boolean;
1031
+ } | {
1032
+ type: import("../index.js").VerificationType.MfaEmailVerificationCode;
1033
+ id: string;
1034
+ identifier: {
1035
+ value: string;
1036
+ type: import("../../index.js").SignInIdentifier.Email;
1037
+ };
1038
+ templateType: import("@logto/connector-kit").TemplateType;
1039
+ verified: boolean;
1040
+ } | {
1041
+ type: import("../index.js").VerificationType.MfaPhoneVerificationCode;
1042
+ id: string;
1043
+ identifier: {
1044
+ value: string;
1045
+ type: import("../../index.js").SignInIdentifier.Phone;
1046
+ };
1047
+ templateType: import("@logto/connector-kit").TemplateType;
1048
+ verified: boolean;
928
1049
  } | {
929
1050
  type: import("../index.js").VerificationType.NewPasswordIdentity;
930
1051
  id: string;
@@ -988,7 +1109,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
988
1109
  verified: boolean;
989
1110
  registrationRpId?: string | undefined;
990
1111
  } | {
991
- type: import("../index.js").VerificationType.SignInWebAuthn;
1112
+ type: import("../index.js").VerificationType.SignInPasskey;
992
1113
  id: string;
993
1114
  verified: boolean;
994
1115
  userId?: string | undefined;
@@ -1021,6 +1142,24 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
1021
1142
  };
1022
1143
  templateType: import("@logto/connector-kit").TemplateType;
1023
1144
  verified: boolean;
1145
+ } | {
1146
+ type: import("../index.js").VerificationType.MfaEmailVerificationCode;
1147
+ id: string;
1148
+ identifier: {
1149
+ value: string;
1150
+ type: import("../../index.js").SignInIdentifier.Email;
1151
+ };
1152
+ templateType: import("@logto/connector-kit").TemplateType;
1153
+ verified: boolean;
1154
+ } | {
1155
+ type: import("../index.js").VerificationType.MfaPhoneVerificationCode;
1156
+ id: string;
1157
+ identifier: {
1158
+ value: string;
1159
+ type: import("../../index.js").SignInIdentifier.Phone;
1160
+ };
1161
+ templateType: import("@logto/connector-kit").TemplateType;
1162
+ verified: boolean;
1024
1163
  } | {
1025
1164
  type: import("../index.js").VerificationType.NewPasswordIdentity;
1026
1165
  id: string;
@@ -1084,7 +1223,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
1084
1223
  verified: boolean;
1085
1224
  registrationRpId?: string | undefined;
1086
1225
  } | {
1087
- type: import("../index.js").VerificationType.SignInWebAuthn;
1226
+ type: import("../index.js").VerificationType.SignInPasskey;
1088
1227
  id: string;
1089
1228
  verified: boolean;
1090
1229
  userId?: string | undefined;
@@ -1110,6 +1249,8 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
1110
1249
  alwaysIssueRefreshToken?: boolean | undefined;
1111
1250
  rotateRefreshToken?: boolean | undefined;
1112
1251
  allowTokenExchange?: boolean | undefined;
1252
+ isDeviceFlow?: boolean | undefined;
1253
+ maxAllowedGrants?: number | undefined;
1113
1254
  }, z.ZodTypeDef, {
1114
1255
  corsAllowedOrigins?: string[] | undefined;
1115
1256
  idTokenTtl?: number | undefined;
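Review bot: `maxAllowedGrants` is exposed as a bare optional `number` next to `rotateRefreshToken` and `allowTokenExchange`, so the declaration does not show whether 0, negative or non-integer values are rejected, or what an omitted value means (presumably no limit, to be confirmed). Since the name suggests a cap on grants per application, the guard should accept only positive integers, and the field should carry a comment stating the default and what happens when the cap is reached. `isDeviceFlow` likewise has no comment saying which grant type or endpoints it enables for the client. Both fields repeat in every later hunk that expands this metadata type (for example `@@ -1119,6 +1260,8 @@` and `@@ -1196,6 +1339,8 @@`), and the note applies to all of them.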
@@ -1119,6 +1260,8 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
1119
1260
  alwaysIssueRefreshToken?: boolean | undefined;
1120
1261
  rotateRefreshToken?: boolean | undefined;
1121
1262
  allowTokenExchange?: boolean | undefined;
1263
+ isDeviceFlow?: boolean | undefined;
1264
+ maxAllowedGrants?: number | undefined;
1122
1265
  }>>;
1123
1266
  protectedAppMetadata: z.ZodOptional<ZodType<{
1124
1267
  host: string;
@@ -1196,6 +1339,8 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
1196
1339
  alwaysIssueRefreshToken?: boolean | undefined;
1197
1340
  rotateRefreshToken?: boolean | undefined;
1198
1341
  allowTokenExchange?: boolean | undefined;
1342
+ isDeviceFlow?: boolean | undefined;
1343
+ maxAllowedGrants?: number | undefined;
1199
1344
  } | undefined;
1200
1345
  protectedAppMetadata?: {
1201
1346
  host: string;
@@ -1245,6 +1390,8 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
1245
1390
  alwaysIssueRefreshToken?: boolean | undefined;
1246
1391
  rotateRefreshToken?: boolean | undefined;
1247
1392
  allowTokenExchange?: boolean | undefined;
1393
+ isDeviceFlow?: boolean | undefined;
1394
+ maxAllowedGrants?: number | undefined;
1248
1395
  } | undefined;
1249
1396
  protectedAppMetadata?: {
1250
1397
  host: string;
@@ -1364,6 +1511,8 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
1364
1511
  alwaysIssueRefreshToken?: boolean | undefined;
1365
1512
  rotateRefreshToken?: boolean | undefined;
1366
1513
  allowTokenExchange?: boolean | undefined;
1514
+ isDeviceFlow?: boolean | undefined;
1515
+ maxAllowedGrants?: number | undefined;
1367
1516
  } | undefined;
1368
1517
  protectedAppMetadata?: {
1369
1518
  host: string;
@@ -1426,6 +1575,24 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
1426
1575
  };
1427
1576
  templateType: import("@logto/connector-kit").TemplateType;
1428
1577
  verified: boolean;
1578
+ } | {
1579
+ type: import("../index.js").VerificationType.MfaEmailVerificationCode;
1580
+ id: string;
1581
+ identifier: {
1582
+ value: string;
1583
+ type: import("../../index.js").SignInIdentifier.Email;
1584
+ };
1585
+ templateType: import("@logto/connector-kit").TemplateType;
1586
+ verified: boolean;
1587
+ } | {
1588
+ type: import("../index.js").VerificationType.MfaPhoneVerificationCode;
1589
+ id: string;
1590
+ identifier: {
1591
+ value: string;
1592
+ type: import("../../index.js").SignInIdentifier.Phone;
1593
+ };
1594
+ templateType: import("@logto/connector-kit").TemplateType;
1595
+ verified: boolean;
1429
1596
  } | {
1430
1597
  type: import("../index.js").VerificationType.NewPasswordIdentity;
1431
1598
  id: string;
@@ -1489,7 +1656,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
1489
1656
  verified: boolean;
1490
1657
  registrationRpId?: string | undefined;
1491
1658
  } | {
1492
- type: import("../index.js").VerificationType.SignInWebAuthn;
1659
+ type: import("../index.js").VerificationType.SignInPasskey;
1493
1660
  id: string;
1494
1661
  verified: boolean;
1495
1662
  userId?: string | undefined;
@@ -1584,6 +1751,8 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
1584
1751
  alwaysIssueRefreshToken?: boolean | undefined;
1585
1752
  rotateRefreshToken?: boolean | undefined;
1586
1753
  allowTokenExchange?: boolean | undefined;
1754
+ isDeviceFlow?: boolean | undefined;
1755
+ maxAllowedGrants?: number | undefined;
1587
1756
  } | undefined;
1588
1757
  protectedAppMetadata?: {
1589
1758
  host: string;
@@ -1646,6 +1815,24 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
1646
1815
  };
1647
1816
  templateType: import("@logto/connector-kit").TemplateType;
1648
1817
  verified: boolean;
1818
+ } | {
1819
+ type: import("../index.js").VerificationType.MfaEmailVerificationCode;
1820
+ id: string;
1821
+ identifier: {
1822
+ value: string;
1823
+ type: import("../../index.js").SignInIdentifier.Email;
1824
+ };
1825
+ templateType: import("@logto/connector-kit").TemplateType;
1826
+ verified: boolean;
1827
+ } | {
1828
+ type: import("../index.js").VerificationType.MfaPhoneVerificationCode;
1829
+ id: string;
1830
+ identifier: {
1831
+ value: string;
1832
+ type: import("../../index.js").SignInIdentifier.Phone;
1833
+ };
1834
+ templateType: import("@logto/connector-kit").TemplateType;
1835
+ verified: boolean;
1649
1836
  } | {
1650
1837
  type: import("../index.js").VerificationType.NewPasswordIdentity;
1651
1838
  id: string;
@@ -1709,7 +1896,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
1709
1896
  verified: boolean;
1710
1897
  registrationRpId?: string | undefined;
1711
1898
  } | {
1712
- type: import("../index.js").VerificationType.SignInWebAuthn;
1899
+ type: import("../index.js").VerificationType.SignInPasskey;
1713
1900
  id: string;
1714
1901
  verified: boolean;
1715
1902
  userId?: string | undefined;
@@ -1808,6 +1995,8 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
1808
1995
  alwaysIssueRefreshToken?: boolean | undefined;
1809
1996
  rotateRefreshToken?: boolean | undefined;
1810
1997
  allowTokenExchange?: boolean | undefined;
1998
+ isDeviceFlow?: boolean | undefined;
1999
+ maxAllowedGrants?: number | undefined;
1811
2000
  } | undefined;
1812
2001
  protectedAppMetadata?: {
1813
2002
  host: string;
@@ -1870,6 +2059,24 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
1870
2059
  };
1871
2060
  templateType: import("@logto/connector-kit").TemplateType;
1872
2061
  verified: boolean;
2062
+ } | {
2063
+ type: import("../index.js").VerificationType.MfaEmailVerificationCode;
2064
+ id: string;
2065
+ identifier: {
2066
+ value: string;
2067
+ type: import("../../index.js").SignInIdentifier.Email;
2068
+ };
2069
+ templateType: import("@logto/connector-kit").TemplateType;
2070
+ verified: boolean;
2071
+ } | {
2072
+ type: import("../index.js").VerificationType.MfaPhoneVerificationCode;
2073
+ id: string;
2074
+ identifier: {
2075
+ value: string;
2076
+ type: import("../../index.js").SignInIdentifier.Phone;
2077
+ };
2078
+ templateType: import("@logto/connector-kit").TemplateType;
2079
+ verified: boolean;
1873
2080
  } | {
1874
2081
  type: import("../index.js").VerificationType.NewPasswordIdentity;
1875
2082
  id: string;
@@ -1933,7 +2140,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
1933
2140
  verified: boolean;
1934
2141
  registrationRpId?: string | undefined;
1935
2142
  } | {
1936
- type: import("../index.js").VerificationType.SignInWebAuthn;
2143
+ type: import("../index.js").VerificationType.SignInPasskey;
1937
2144
  id: string;
1938
2145
  verified: boolean;
1939
2146
  userId?: string | undefined;
@@ -1942,6 +2149,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
1942
2149
  signInContext?: Record<string, string> | undefined;
1943
2150
  } | undefined;
1944
2151
  } | undefined;
2152
+ blockIssuanceOnError?: boolean | undefined;
1945
2153
  tokenSample?: {
1946
2154
  grantId?: string | undefined;
1947
2155
  sid?: string | undefined;
@@ -2045,6 +2253,8 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2045
2253
  alwaysIssueRefreshToken?: boolean | undefined;
2046
2254
  rotateRefreshToken?: boolean | undefined;
2047
2255
  allowTokenExchange?: boolean | undefined;
2256
+ isDeviceFlow?: boolean | undefined;
2257
+ maxAllowedGrants?: number | undefined;
2048
2258
  } | undefined;
2049
2259
  protectedAppMetadata?: {
2050
2260
  host: string;
@@ -2107,6 +2317,24 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2107
2317
  };
2108
2318
  templateType: import("@logto/connector-kit").TemplateType;
2109
2319
  verified: boolean;
2320
+ } | {
2321
+ type: import("../index.js").VerificationType.MfaEmailVerificationCode;
2322
+ id: string;
2323
+ identifier: {
2324
+ value: string;
2325
+ type: import("../../index.js").SignInIdentifier.Email;
2326
+ };
2327
+ templateType: import("@logto/connector-kit").TemplateType;
2328
+ verified: boolean;
2329
+ } | {
2330
+ type: import("../index.js").VerificationType.MfaPhoneVerificationCode;
2331
+ id: string;
2332
+ identifier: {
2333
+ value: string;
2334
+ type: import("../../index.js").SignInIdentifier.Phone;
2335
+ };
2336
+ templateType: import("@logto/connector-kit").TemplateType;
2337
+ verified: boolean;
2110
2338
  } | {
2111
2339
  type: import("../index.js").VerificationType.NewPasswordIdentity;
2112
2340
  id: string;
@@ -2170,7 +2398,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2170
2398
  verified: boolean;
2171
2399
  registrationRpId?: string | undefined;
2172
2400
  } | {
2173
- type: import("../index.js").VerificationType.SignInWebAuthn;
2401
+ type: import("../index.js").VerificationType.SignInPasskey;
2174
2402
  id: string;
2175
2403
  verified: boolean;
2176
2404
  userId?: string | undefined;
@@ -2179,6 +2407,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2179
2407
  signInContext?: Record<string, string> | undefined;
2180
2408
  } | undefined;
2181
2409
  } | undefined;
2410
+ blockIssuanceOnError?: boolean | undefined;
2182
2411
  tokenSample?: {
2183
2412
  grantId?: string | undefined;
2184
2413
  sid?: string | undefined;
@@ -2284,6 +2513,8 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2284
2513
  alwaysIssueRefreshToken?: boolean | undefined;
2285
2514
  rotateRefreshToken?: boolean | undefined;
2286
2515
  allowTokenExchange?: boolean | undefined;
2516
+ isDeviceFlow?: boolean | undefined;
2517
+ maxAllowedGrants?: number | undefined;
2287
2518
  } | undefined;
2288
2519
  protectedAppMetadata?: {
2289
2520
  host: string;
@@ -2346,6 +2577,24 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2346
2577
  };
2347
2578
  templateType: import("@logto/connector-kit").TemplateType;
2348
2579
  verified: boolean;
2580
+ } | {
2581
+ type: import("../index.js").VerificationType.MfaEmailVerificationCode;
2582
+ id: string;
2583
+ identifier: {
2584
+ value: string;
2585
+ type: import("../../index.js").SignInIdentifier.Email;
2586
+ };
2587
+ templateType: import("@logto/connector-kit").TemplateType;
2588
+ verified: boolean;
2589
+ } | {
2590
+ type: import("../index.js").VerificationType.MfaPhoneVerificationCode;
2591
+ id: string;
2592
+ identifier: {
2593
+ value: string;
2594
+ type: import("../../index.js").SignInIdentifier.Phone;
2595
+ };
2596
+ templateType: import("@logto/connector-kit").TemplateType;
2597
+ verified: boolean;
2349
2598
  } | {
2350
2599
  type: import("../index.js").VerificationType.NewPasswordIdentity;
2351
2600
  id: string;
@@ -2409,7 +2658,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2409
2658
  verified: boolean;
2410
2659
  registrationRpId?: string | undefined;
2411
2660
  } | {
2412
- type: import("../index.js").VerificationType.SignInWebAuthn;
2661
+ type: import("../index.js").VerificationType.SignInPasskey;
2413
2662
  id: string;
2414
2663
  verified: boolean;
2415
2664
  userId?: string | undefined;
@@ -2418,6 +2667,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2418
2667
  signInContext?: Record<string, string> | undefined;
2419
2668
  } | undefined;
2420
2669
  } | undefined;
2670
+ blockIssuanceOnError?: boolean | undefined;
2421
2671
  tokenSample?: {
2422
2672
  grantId?: string | undefined;
2423
2673
  sid?: string | undefined;
@@ -2524,6 +2774,8 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2524
2774
  alwaysIssueRefreshToken?: boolean | undefined;
2525
2775
  rotateRefreshToken?: boolean | undefined;
2526
2776
  allowTokenExchange?: boolean | undefined;
2777
+ isDeviceFlow?: boolean | undefined;
2778
+ maxAllowedGrants?: number | undefined;
2527
2779
  } | undefined;
2528
2780
  protectedAppMetadata?: {
2529
2781
  host: string;
@@ -2586,6 +2838,24 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2586
2838
  };
2587
2839
  templateType: import("@logto/connector-kit").TemplateType;
2588
2840
  verified: boolean;
2841
+ } | {
2842
+ type: import("../index.js").VerificationType.MfaEmailVerificationCode;
2843
+ id: string;
2844
+ identifier: {
2845
+ value: string;
2846
+ type: import("../../index.js").SignInIdentifier.Email;
2847
+ };
2848
+ templateType: import("@logto/connector-kit").TemplateType;
2849
+ verified: boolean;
2850
+ } | {
2851
+ type: import("../index.js").VerificationType.MfaPhoneVerificationCode;
2852
+ id: string;
2853
+ identifier: {
2854
+ value: string;
2855
+ type: import("../../index.js").SignInIdentifier.Phone;
2856
+ };
2857
+ templateType: import("@logto/connector-kit").TemplateType;
2858
+ verified: boolean;
2589
2859
  } | {
2590
2860
  type: import("../index.js").VerificationType.NewPasswordIdentity;
2591
2861
  id: string;
@@ -2649,7 +2919,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2649
2919
  verified: boolean;
2650
2920
  registrationRpId?: string | undefined;
2651
2921
  } | {
2652
- type: import("../index.js").VerificationType.SignInWebAuthn;
2922
+ type: import("../index.js").VerificationType.SignInPasskey;
2653
2923
  id: string;
2654
2924
  verified: boolean;
2655
2925
  userId?: string | undefined;
@@ -2658,6 +2928,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2658
2928
  signInContext?: Record<string, string> | undefined;
2659
2929
  } | undefined;
2660
2930
  } | undefined;
2931
+ blockIssuanceOnError?: boolean | undefined;
2661
2932
  tokenSample?: {
2662
2933
  grantId?: string | undefined;
2663
2934
  sid?: string | undefined;
@@ -2678,6 +2949,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2678
2949
  value: z.ZodObject<{
2679
2950
  script: z.ZodString;
2680
2951
  environmentVariables: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
2952
+ blockIssuanceOnError: z.ZodOptional<z.ZodBoolean>;
2681
2953
  } & {
2682
2954
  tokenSample: z.ZodOptional<z.ZodObject<{
2683
2955
  kind: z.ZodOptional<z.ZodLiteral<"ClientCredentials">>;
@@ -2717,6 +2989,8 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2717
2989
  alwaysIssueRefreshToken?: boolean | undefined;
2718
2990
  rotateRefreshToken?: boolean | undefined;
2719
2991
  allowTokenExchange?: boolean | undefined;
2992
+ isDeviceFlow?: boolean | undefined;
2993
+ maxAllowedGrants?: number | undefined;
2720
2994
  }, z.ZodTypeDef, {
2721
2995
  corsAllowedOrigins?: string[] | undefined;
2722
2996
  idTokenTtl?: number | undefined;
@@ -2726,6 +3000,8 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2726
3000
  alwaysIssueRefreshToken?: boolean | undefined;
2727
3001
  rotateRefreshToken?: boolean | undefined;
2728
3002
  allowTokenExchange?: boolean | undefined;
3003
+ isDeviceFlow?: boolean | undefined;
3004
+ maxAllowedGrants?: number | undefined;
2729
3005
  }>>;
2730
3006
  protectedAppMetadata: z.ZodOptional<ZodType<{
2731
3007
  host: string;
@@ -2803,6 +3079,8 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2803
3079
  alwaysIssueRefreshToken?: boolean | undefined;
2804
3080
  rotateRefreshToken?: boolean | undefined;
2805
3081
  allowTokenExchange?: boolean | undefined;
3082
+ isDeviceFlow?: boolean | undefined;
3083
+ maxAllowedGrants?: number | undefined;
2806
3084
  } | undefined;
2807
3085
  protectedAppMetadata?: {
2808
3086
  host: string;
@@ -2852,6 +3130,8 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2852
3130
  alwaysIssueRefreshToken?: boolean | undefined;
2853
3131
  rotateRefreshToken?: boolean | undefined;
2854
3132
  allowTokenExchange?: boolean | undefined;
3133
+ isDeviceFlow?: boolean | undefined;
3134
+ maxAllowedGrants?: number | undefined;
2855
3135
  } | undefined;
2856
3136
  protectedAppMetadata?: {
2857
3137
  host: string;
@@ -2903,6 +3183,8 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2903
3183
  alwaysIssueRefreshToken?: boolean | undefined;
2904
3184
  rotateRefreshToken?: boolean | undefined;
2905
3185
  allowTokenExchange?: boolean | undefined;
3186
+ isDeviceFlow?: boolean | undefined;
3187
+ maxAllowedGrants?: number | undefined;
2906
3188
  } | undefined;
2907
3189
  protectedAppMetadata?: {
2908
3190
  host: string;
@@ -2954,6 +3236,8 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2954
3236
  alwaysIssueRefreshToken?: boolean | undefined;
2955
3237
  rotateRefreshToken?: boolean | undefined;
2956
3238
  allowTokenExchange?: boolean | undefined;
3239
+ isDeviceFlow?: boolean | undefined;
3240
+ maxAllowedGrants?: number | undefined;
2957
3241
  } | undefined;
2958
3242
  protectedAppMetadata?: {
2959
3243
  host: string;
@@ -3009,6 +3293,8 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3009
3293
  alwaysIssueRefreshToken?: boolean | undefined;
3010
3294
  rotateRefreshToken?: boolean | undefined;
3011
3295
  allowTokenExchange?: boolean | undefined;
3296
+ isDeviceFlow?: boolean | undefined;
3297
+ maxAllowedGrants?: number | undefined;
3012
3298
  } | undefined;
3013
3299
  protectedAppMetadata?: {
3014
3300
  host: string;
@@ -3042,6 +3328,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3042
3328
  isThirdParty?: boolean | undefined;
3043
3329
  } | undefined;
3044
3330
  } | undefined;
3331
+ blockIssuanceOnError?: boolean | undefined;
3045
3332
  tokenSample?: {
3046
3333
  jti?: string | undefined;
3047
3334
  kind?: "ClientCredentials" | undefined;
@@ -3071,6 +3358,8 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3071
3358
  alwaysIssueRefreshToken?: boolean | undefined;
3072
3359
  rotateRefreshToken?: boolean | undefined;
3073
3360
  allowTokenExchange?: boolean | undefined;
3361
+ isDeviceFlow?: boolean | undefined;
3362
+ maxAllowedGrants?: number | undefined;
3074
3363
  } | undefined;
3075
3364
  protectedAppMetadata?: {
3076
3365
  host: string;
@@ -3104,6 +3393,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3104
3393
  isThirdParty?: boolean | undefined;
3105
3394
  } | undefined;
3106
3395
  } | undefined;
3396
+ blockIssuanceOnError?: boolean | undefined;
3107
3397
  tokenSample?: {
3108
3398
  jti?: string | undefined;
3109
3399
  kind?: "ClientCredentials" | undefined;
@@ -3135,6 +3425,8 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3135
3425
  alwaysIssueRefreshToken?: boolean | undefined;
3136
3426
  rotateRefreshToken?: boolean | undefined;
3137
3427
  allowTokenExchange?: boolean | undefined;
3428
+ isDeviceFlow?: boolean | undefined;
3429
+ maxAllowedGrants?: number | undefined;
3138
3430
  } | undefined;
3139
3431
  protectedAppMetadata?: {
3140
3432
  host: string;
@@ -3168,6 +3460,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3168
3460
  isThirdParty?: boolean | undefined;
3169
3461
  } | undefined;
3170
3462
  } | undefined;
3463
+ blockIssuanceOnError?: boolean | undefined;
3171
3464
  tokenSample?: {
3172
3465
  jti?: string | undefined;
3173
3466
  kind?: "ClientCredentials" | undefined;
@@ -3200,6 +3493,8 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3200
3493
  alwaysIssueRefreshToken?: boolean | undefined;
3201
3494
  rotateRefreshToken?: boolean | undefined;
3202
3495
  allowTokenExchange?: boolean | undefined;
3496
+ isDeviceFlow?: boolean | undefined;
3497
+ maxAllowedGrants?: number | undefined;
3203
3498
  } | undefined;
3204
3499
  protectedAppMetadata?: {
3205
3500
  host: string;
@@ -3233,6 +3528,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3233
3528
  isThirdParty?: boolean | undefined;
3234
3529
  } | undefined;
3235
3530
  } | undefined;
3531
+ blockIssuanceOnError?: boolean | undefined;
3236
3532
  tokenSample?: {
3237
3533
  jti?: string | undefined;
3238
3534
  kind?: "ClientCredentials" | undefined;
@@ -3334,13 +3630,26 @@ export declare const idTokenConfigGuard: z.ZodObject<{
3334
3630
  enabledExtendedClaims?: ("custom_data" | "identities" | "sso_identities" | "roles" | "organizations" | "organization_data" | "organization_roles")[] | undefined;
3335
3631
  }>;
3336
3632
  export type IdTokenConfig = z.infer<typeof idTokenConfigGuard>;
3633
+ export declare const signingKeyRotationStateGuard: z.ZodObject<{
3634
+ tenantCacheExpiresAt: z.ZodOptional<z.ZodNumber>;
3635
+ signingKeyRotationAt: z.ZodOptional<z.ZodNumber>;
3636
+ }, "strip", z.ZodTypeAny, {
3637
+ tenantCacheExpiresAt?: number | undefined;
3638
+ signingKeyRotationAt?: number | undefined;
3639
+ }, {
3640
+ tenantCacheExpiresAt?: number | undefined;
3641
+ signingKeyRotationAt?: number | undefined;
3642
+ }>;
3643
+ export type SigningKeyRotationState = z.infer<typeof signingKeyRotationStateGuard>;
3337
3644
  export declare enum LogtoTenantConfigKey {
3338
3645
  AdminConsole = "adminConsole",
3339
3646
  CloudConnection = "cloudConnection",
3340
3647
  /** The URL to redirect when session not found in Sign-in Experience. */
3341
3648
  SessionNotFoundRedirectUrl = "sessionNotFoundRedirectUrl",
3342
3649
  /** ID token configuration for extended claims. */
3343
- IdToken = "idToken"
3650
+ IdToken = "idToken",
3651
+ /** Tenant-scoped rotation state for staged private signing key activation. */
3652
+ SigningKeyRotationState = "signingKeyRotationState"
3344
3653
  }
3345
3654
  export type LogtoTenantConfigType = {
3346
3655
  [LogtoTenantConfigKey.AdminConsole]: AdminConsoleData;
@@ -3349,6 +3658,7 @@ export type LogtoTenantConfigType = {
3349
3658
  url: string;
3350
3659
  };
3351
3660
  [LogtoTenantConfigKey.IdToken]: IdTokenConfig;
3661
+ [LogtoTenantConfigKey.SigningKeyRotationState]: SigningKeyRotationState;
3352
3662
  };
3353
3663
  export declare const logtoTenantConfigGuard: Readonly<{
3354
3664
  [key in LogtoTenantConfigKey]: ZodType<LogtoTenantConfigType[key]>;
@@ -3364,13 +3674,19 @@ export declare const oidcConfigKeysResponseGuard: z.ZodObject<Omit<{
3364
3674
  createdAt: z.ZodNumber;
3365
3675
  }, "value"> & {
3366
3676
  signingKeyAlgorithm: z.ZodOptional<z.ZodNativeEnum<typeof SupportedSigningKeyAlgorithm>>;
3677
+ status: z.ZodOptional<z.ZodNativeEnum<typeof OidcSigningKeyStatus>>;
3678
+ effectiveAt: z.ZodOptional<z.ZodNumber>;
3367
3679
  }, "strip", z.ZodTypeAny, {
3368
3680
  id: string;
3369
3681
  createdAt: number;
3682
+ status?: OidcSigningKeyStatus | undefined;
3370
3683
  signingKeyAlgorithm?: SupportedSigningKeyAlgorithm | undefined;
3684
+ effectiveAt?: number | undefined;
3371
3685
  }, {
3372
3686
  id: string;
3373
3687
  createdAt: number;
3688
+ status?: OidcSigningKeyStatus | undefined;
3374
3689
  signingKeyAlgorithm?: SupportedSigningKeyAlgorithm | undefined;
3690
+ effectiveAt?: number | undefined;
3375
3691
  }>;
3376
3692
  export type OidcConfigKeysResponse = z.infer<typeof oidcConfigKeysResponseGuard>;