@logto/schemas 1.38.0 → 1.39.0

package/alterations/1.39.0-1774752400-add-delete-account-url.ts

@@ -0,0 +1,20 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table account_centers
+        add column delete_account_url varchar(2048);
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table account_centers
+        drop column delete_account_url;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.39.0-1774770686-add-account-center-custom-css.ts

@@ -0,0 +1,20 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table account_centers
+        add column custom_css text;
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table account_centers
+        drop column custom_css;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.39.0-1776502301-add-sign-up-profile-fields.ts

@@ -0,0 +1,20 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table sign_in_experiences
+        add column sign_up_profile_fields jsonb;
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table sign_in_experiences
+        drop column sign_up_profile_fields;
+    `);
+  },
+};
+
+export default alteration;

package/alterations-js/1.39.0-1774752400-add-delete-account-url.js

@@ -0,0 +1,16 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table account_centers
+        add column delete_account_url varchar(2048);
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table account_centers
+        drop column delete_account_url;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.39.0-1774770686-add-account-center-custom-css.js

@@ -0,0 +1,16 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table account_centers
+        add column custom_css text;
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table account_centers
+        drop column custom_css;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.39.0-1776502301-add-sign-up-profile-fields.js

@@ -0,0 +1,16 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table sign_in_experiences
+        add column sign_up_profile_fields jsonb;
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table sign_in_experiences
+        drop column sign_up_profile_fields;
+    `);
+    },
+};
+export default alteration;

package/lib/db-entries/account-center.d.ts

@@ -12,6 +12,10 @@ export type CreateAccountCenter = {
     /** Control each fields */
     fields?: AccountCenterFieldControl;
     webauthnRelatedOrigins?: WebauthnRelatedOrigins;
+    /** URL for custom account deletion endpoint */
+    deleteAccountUrl?: string | null;
+    /** User-defined custom CSS for the account center */
+    customCss?: string | null;
 };
 export type AccountCenter = {
     tenantId: string;
@@ -21,6 +25,10 @@ export type AccountCenter = {
     /** Control each fields */
     fields: AccountCenterFieldControl;
     webauthnRelatedOrigins: WebauthnRelatedOrigins;
+    /** URL for custom account deletion endpoint */
+    deleteAccountUrl: string | null;
+    /** User-defined custom CSS for the account center */
+    customCss: string | null;
 };
-export type AccountCenterKeys = 'tenantId' | 'id' | 'enabled' | 'fields' | 'webauthnRelatedOrigins';
+export type AccountCenterKeys = 'tenantId' | 'id' | 'enabled' | 'fields' | 'webauthnRelatedOrigins' | 'deleteAccountUrl' | 'customCss';
 export declare const AccountCenters: GeneratedSchema<AccountCenterKeys, CreateAccountCenter, AccountCenter, 'account_centers', 'account_center'>;

package/lib/db-entries/account-center.js

@@ -7,6 +7,8 @@ const createGuard = z.object({
     enabled: z.boolean().optional(),
     fields: accountCenterFieldControlGuard.optional(),
     webauthnRelatedOrigins: webauthnRelatedOriginsGuard.optional(),
+    deleteAccountUrl: z.string().max(2048).nullable().optional(),
+    customCss: z.string().nullable().optional(),
 });
 const guard = z.object({
     tenantId: z.string().max(21),
@@ -14,6 +16,8 @@ const guard = z.object({
     enabled: z.boolean(),
     fields: accountCenterFieldControlGuard,
     webauthnRelatedOrigins: webauthnRelatedOriginsGuard,
+    deleteAccountUrl: z.string().max(2048).nullable(),
+    customCss: z.string().nullable(),
 });
 export const AccountCenters = Object.freeze({
     table: 'account_centers',
@@ -24,6 +28,8 @@ export const AccountCenters = Object.freeze({
         enabled: 'enabled',
         fields: 'fields',
         webauthnRelatedOrigins: 'webauthn_related_origins',
+        deleteAccountUrl: 'delete_account_url',
+        customCss: 'custom_css',
     },
     fieldKeys: [
         'tenantId',
@@ -31,6 +37,8 @@ export const AccountCenters = Object.freeze({
         'enabled',
         'fields',
         'webauthnRelatedOrigins',
+        'deleteAccountUrl',
+        'customCss',
     ],
     createGuard,
     guard,

package/lib/db-entries/sign-in-experience.d.ts

@@ -1,4 +1,4 @@
-import { Color, Branding, LanguageInfo, SignIn, SignUp, SocialSignIn, ConnectorTargets, CustomContent, CustomUiAssets, PartialPasswordPolicy, Mfa, AdaptiveMfa, CaptchaPolicy, SentinelPolicy, EmailBlocklistPolicy, ForgotPasswordMethods, PasskeySignIn, GeneratedSchema } from './../foundations/index.js';
+import { Color, Branding, LanguageInfo, SignIn, SignUp, SocialSignIn, ConnectorTargets, CustomContent, CustomUiAssets, PartialPasswordPolicy, Mfa, AdaptiveMfa, CaptchaPolicy, SentinelPolicy, EmailBlocklistPolicy, ForgotPasswordMethods, PasskeySignIn, SignUpProfileFields, GeneratedSchema } from './../foundations/index.js';
 import { AgreeToTermsPolicy, SignInMode } from './custom-types.js';
 /**
  *
@@ -36,6 +36,8 @@ export type CreateSignInExperience = {
     emailBlocklistPolicy?: EmailBlocklistPolicy;
     forgotPasswordMethods?: ForgotPasswordMethods | null;
     passkeySignIn?: PasskeySignIn;
+    /** Nullable by design: null keeps legacy full-catalog behavior and [] collects no custom profile fields. */
+    signUpProfileFields?: SignUpProfileFields | null;
 };
 export type SignInExperience = {
     tenantId: string;
@@ -68,6 +70,8 @@ export type SignInExperience = {
     emailBlocklistPolicy: EmailBlocklistPolicy;
     forgotPasswordMethods: ForgotPasswordMethods | null;
     passkeySignIn: PasskeySignIn;
+    /** Nullable by design: null keeps legacy full-catalog behavior and [] collects no custom profile fields. */
+    signUpProfileFields: SignUpProfileFields | null;
 };
-export type SignInExperienceKeys = 'tenantId' | 'id' | 'color' | 'branding' | 'hideLogtoBranding' | 'languageInfo' | 'termsOfUseUrl' | 'privacyPolicyUrl' | 'agreeToTermsPolicy' | 'signIn' | 'signUp' | 'socialSignIn' | 'socialSignInConnectorTargets' | 'signInMode' | 'customCss' | 'customContent' | 'customUiAssets' | 'passwordPolicy' | 'mfa' | 'adaptiveMfa' | 'singleSignOnEnabled' | 'supportEmail' | 'supportWebsiteUrl' | 'unknownSessionRedirectUrl' | 'captchaPolicy' | 'sentinelPolicy' | 'emailBlocklistPolicy' | 'forgotPasswordMethods' | 'passkeySignIn';
+export type SignInExperienceKeys = 'tenantId' | 'id' | 'color' | 'branding' | 'hideLogtoBranding' | 'languageInfo' | 'termsOfUseUrl' | 'privacyPolicyUrl' | 'agreeToTermsPolicy' | 'signIn' | 'signUp' | 'socialSignIn' | 'socialSignInConnectorTargets' | 'signInMode' | 'customCss' | 'customContent' | 'customUiAssets' | 'passwordPolicy' | 'mfa' | 'adaptiveMfa' | 'singleSignOnEnabled' | 'supportEmail' | 'supportWebsiteUrl' | 'unknownSessionRedirectUrl' | 'captchaPolicy' | 'sentinelPolicy' | 'emailBlocklistPolicy' | 'forgotPasswordMethods' | 'passkeySignIn' | 'signUpProfileFields';
 export declare const SignInExperiences: GeneratedSchema<SignInExperienceKeys, CreateSignInExperience, SignInExperience, 'sign_in_experiences', 'sign_in_experience'>;

package/lib/db-entries/sign-in-experience.js

@@ -1,6 +1,6 @@
 // THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
 import { z } from 'zod';
-import { colorGuard, brandingGuard, languageInfoGuard, signInGuard, signUpGuard, socialSignInGuard, connectorTargetsGuard, customContentGuard, customUiAssetsGuard, partialPasswordPolicyGuard, mfaGuard, adaptiveMfaGuard, captchaPolicyGuard, sentinelPolicyGuard, emailBlocklistPolicyGuard, forgotPasswordMethodsGuard, passkeySignInGuard } from './../foundations/index.js';
+import { colorGuard, brandingGuard, languageInfoGuard, signInGuard, signUpGuard, socialSignInGuard, connectorTargetsGuard, customContentGuard, customUiAssetsGuard, partialPasswordPolicyGuard, mfaGuard, adaptiveMfaGuard, captchaPolicyGuard, sentinelPolicyGuard, emailBlocklistPolicyGuard, forgotPasswordMethodsGuard, passkeySignInGuard, signUpProfileFieldsGuard } from './../foundations/index.js';
 import { AgreeToTermsPolicy, SignInMode } from './custom-types.js';
 const createGuard = z.object({
     tenantId: z.string().max(21).optional(),
@@ -32,6 +32,7 @@ const createGuard = z.object({
     emailBlocklistPolicy: emailBlocklistPolicyGuard.optional(),
     forgotPasswordMethods: forgotPasswordMethodsGuard.nullable().optional(),
     passkeySignIn: passkeySignInGuard.optional(),
+    signUpProfileFields: signUpProfileFieldsGuard.nullable().optional(),
 });
 const guard = z.object({
     tenantId: z.string().max(21),
@@ -63,6 +64,7 @@ const guard = z.object({
     emailBlocklistPolicy: emailBlocklistPolicyGuard,
     forgotPasswordMethods: forgotPasswordMethodsGuard.nullable(),
     passkeySignIn: passkeySignInGuard,
+    signUpProfileFields: signUpProfileFieldsGuard.nullable(),
 });
 export const SignInExperiences = Object.freeze({
     table: 'sign_in_experiences',
@@ -97,6 +99,7 @@ export const SignInExperiences = Object.freeze({
         emailBlocklistPolicy: 'email_blocklist_policy',
         forgotPasswordMethods: 'forgot_password_methods',
         passkeySignIn: 'passkey_sign_in',
+        signUpProfileFields: 'sign_up_profile_fields',
     },
     fieldKeys: [
         'tenantId',
@@ -128,6 +131,7 @@ export const SignInExperiences = Object.freeze({
         'emailBlocklistPolicy',
         'forgotPasswordMethods',
         'passkeySignIn',
+        'signUpProfileFields',
     ],
     createGuard,
     guard,

package/lib/foundations/jsonb-types/account-centers.d.ts

@@ -49,3 +49,4 @@ export declare const accountCenterFieldControlGuard: z.ZodObject<{
 export type AccountCenterFieldControl = z.infer<typeof accountCenterFieldControlGuard>;
 export declare const webauthnRelatedOriginsGuard: z.ZodArray<z.ZodString, "many">;
 export type WebauthnRelatedOrigins = z.infer<typeof webauthnRelatedOriginsGuard>;
+export declare const deleteAccountUrlGuard: z.ZodEffects<z.ZodString, string, string>;

package/lib/foundations/jsonb-types/account-centers.js

@@ -26,3 +26,11 @@ export const accountCenterFieldControlGuard = z
 })
     .partial();
 export const webauthnRelatedOriginsGuard = z.array(z.string());
+export const deleteAccountUrlGuard = z
+    .string()
+    .max(2048)
+    .refine((value) => value === '' ||
+    ((value.startsWith('https://') || value.startsWith('http://')) &&
+        z.string().url().safeParse(value).success), {
+    message: 'deleteAccountUrl must be a valid http(s) URL',
+});

package/lib/foundations/jsonb-types/sign-in-experience.d.ts

@@ -415,4 +415,30 @@ export declare const passkeySignInGuard: z.ZodObject<{
     showPasskeyButton?: boolean | undefined;
     allowAutofill?: boolean | undefined;
 }>;
+/**
+ * Configuration for which custom profile fields are shown on the sign-up page and in which order.
+ *
+ * The list is a pure projection over the catalog in `custom_profile_fields` — each entry references
+ * an existing field by name. Fields in the catalog but not in this list are not collected during
+ * sign-up. This enables reusing the same catalog for other surfaces (e.g. account center) without
+ * affecting sign-up.
+ */
+export type SignUpProfileFieldItem = {
+    name: string;
+};
+export declare const signUpProfileFieldItemGuard: z.ZodObject<{
+    name: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    name: string;
+}, {
+    name: string;
+}>;
+export declare const signUpProfileFieldsGuard: z.ZodArray<z.ZodObject<{
+    name: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    name: string;
+}, {
+    name: string;
+}>, "many">;
+export type SignUpProfileFields = z.infer<typeof signUpProfileFieldsGuard>;
 export {};

package/lib/foundations/jsonb-types/sign-in-experience.js

@@ -138,3 +138,7 @@ export const passkeySignInGuard = z
     allowAutofill: z.boolean(),
 })
     .partial();
+export const signUpProfileFieldItemGuard = z.object({
+    name: z.string(),
+});
+export const signUpProfileFieldsGuard = z.array(signUpProfileFieldItemGuard);

package/lib/types/alteration.d.ts

@@ -1,4 +1,9 @@
 import type { CommonQueryMethods, DatabaseTransactionConnection } from '@silverhand/slonik';
+/**
+ * IMPORTANT: Logto Cloud has a parallel `AlterationScript` type in `@logto/cloud-alterations`
+ * (logto-cloud repo: `packages/cloud-alterations/src/types.ts`).
+ * Any changes to this type must be synchronized with the Cloud type definition.
+ */
 export type AlterationScript = {
     /**
      * Optional hook that runs before `up` outside of a transaction.

package/lib/types/application.d.ts

@@ -549,16 +549,16 @@ export declare const applicationSignInExperienceCreateGuard: z.ZodObject<Omit<{
     privacyPolicyUrl: z.ZodUnion<[z.ZodNullable<z.ZodOptional<z.ZodString>>, z.ZodLiteral<"">]>;
 }, "strip", z.ZodTypeAny, {
     displayName?: string | null;
+    customCss?: string | null;
     color?: import("../index.js").PartialColor;
     branding?: import("../index.js").Branding;
-    customCss?: string | null;
     termsOfUseUrl?: string | null | undefined;
     privacyPolicyUrl?: string | null | undefined;
 }, {
     displayName?: string | null;
+    customCss?: string | null;
     color?: import("../index.js").PartialColor;
     branding?: import("../index.js").Branding;
-    customCss?: string | null;
     termsOfUseUrl?: string | null | undefined;
     privacyPolicyUrl?: string | null | undefined;
 }>;

package/lib/types/custom-profile-fields.d.ts

@@ -2383,11 +2383,10 @@ export declare const updateCustomProfileFieldSieOrderGuard: z.ZodObject<{
     sieOrder: number;
 }>;
 export type UpdateCustomProfileFieldSieOrder = z.infer<typeof updateCustomProfileFieldSieOrderGuard>;
-/**
- * Reserved custom data keys, which are used by the system and should not be used by custom profile fields.
- */
+/** Reserved custom data keys, which are used by the system and should not be used by custom profile fields. */
 export declare const reservedCustomDataKeyGuard: z.ZodObject<{
     onboarding: z.ZodOptional<z.ZodString>;
+    ossOnboarding: z.ZodOptional<z.ZodString>;
     guideRequests: z.ZodOptional<z.ZodString>;
     adminConsolePreferences: z.ZodOptional<z.ZodString>;
     defaultTenantId: z.ZodOptional<z.ZodString>;
@@ -2396,17 +2395,16 @@ export declare const reservedCustomDataKeyGuard: z.ZodObject<{
     guideRequests?: string | undefined;
     defaultTenantId?: string | undefined;
     onboarding?: string | undefined;
+    ossOnboarding?: string | undefined;
 }, {
     adminConsolePreferences?: string | undefined;
     guideRequests?: string | undefined;
     defaultTenantId?: string | undefined;
     onboarding?: string | undefined;
+    ossOnboarding?: string | undefined;
 }>;
-export declare const reservedCustomDataKeys: readonly ["adminConsolePreferences", "guideRequests", "defaultTenantId", "onboarding"];
-/**
- * Disallow sign-in identifiers related field keys in custom profile fields, as this is conflicting
- * with the built-in sign-in/sign-up experience flows.
- */
+export declare const reservedCustomDataKeys: readonly ["adminConsolePreferences", "guideRequests", "defaultTenantId", "onboarding", "ossOnboarding"];
+/** Disallow sign-in identifier related field keys in custom profile fields to avoid conflicts with built-in sign-in/sign-up flows. */
 export declare const signInIdentifierKeyGuard: z.ZodObject<Pick<{
     tenantId: z.ZodOptional<z.ZodType<string, z.ZodTypeDef, string>>;
     id: z.ZodType<string, z.ZodTypeDef, string>;
@@ -2544,11 +2542,7 @@ export declare const signInIdentifierKeyGuard: z.ZodObject<Pick<{
     primaryPhone?: string | null;
 }>;
 export declare const reservedSignInIdentifierKeys: readonly ["username", "email", "phone", "primaryEmail", "primaryPhone"];
-/**
- * Reserved user profile keys.
- * Currently only `preferredUsername` is reserved since it is the standard username property used
- * by most identity providers. Should not allow user updating this field via profile related APIs.
- */
+/** Reserved user profile keys. Currently only `preferredUsername` is reserved for standard IdP usage. */
 export declare const reservedBuiltInProfileKeyGuard: z.ZodObject<Pick<{
     familyName: z.ZodOptional<z.ZodString>;
     givenName: z.ZodOptional<z.ZodString>;

package/lib/types/custom-profile-fields.js

@@ -1,7 +1,7 @@
 import { z } from 'zod';
 import { Users } from '../db-entries/user.js';
 import { CustomProfileFieldType, customProfileFieldTypeGuard, fieldPartGuard, userProfileAddressKeys, userProfileGuard, } from '../foundations/index.js';
-import { userOnboardingDataKey } from './onboarding.js';
+import { ossUserOnboardingDataKey, userOnboardingDataKey } from './onboarding.js';
 import { defaultTenantIdKey } from './tenant.js';
 import { consoleUserPreferenceKey, guideRequestsKey } from './user.js';
 const baseProfileFieldGuard = z.object({
@@ -129,22 +129,18 @@ export const updateCustomProfileFieldSieOrderGuard = z.object({
     name: z.string(),
     sieOrder: z.number(),
 });
-/**
- * Reserved custom data keys, which are used by the system and should not be used by custom profile fields.
- */
+/** Reserved custom data keys, which are used by the system and should not be used by custom profile fields. */
 export const reservedCustomDataKeyGuard = z
     .object({
     [userOnboardingDataKey]: z.string(),
+    [ossUserOnboardingDataKey]: z.string(),
     [guideRequestsKey]: z.string(),
     [consoleUserPreferenceKey]: z.string(),
     [defaultTenantIdKey]: z.string(),
 })
     .partial();
 export const reservedCustomDataKeys = Object.freeze(reservedCustomDataKeyGuard.keyof().options);
-/**
- * Disallow sign-in identifiers related field keys in custom profile fields, as this is conflicting
- * with the built-in sign-in/sign-up experience flows.
- */
+/** Disallow sign-in identifier related field keys in custom profile fields to avoid conflicts with built-in sign-in/sign-up flows. */
 export const signInIdentifierKeyGuard = Users.createGuard
     .pick({
     username: true,
@@ -156,11 +152,7 @@ export const signInIdentifierKeyGuard = Users.createGuard
     phone: z.string().nullable().optional(),
 });
 export const reservedSignInIdentifierKeys = Object.freeze(signInIdentifierKeyGuard.keyof().options);
-/**
- * Reserved user profile keys.
- * Currently only `preferredUsername` is reserved since it is the standard username property used
- * by most identity providers. Should not allow user updating this field via profile related APIs.
- */
+/** Reserved user profile keys. Currently only `preferredUsername` is reserved for standard IdP usage. */
 export const reservedBuiltInProfileKeyGuard = userProfileGuard.pick({ preferredUsername: true });
 export const reservedBuiltInProfileKeys = Object.freeze(reservedBuiltInProfileKeyGuard.keyof().options);
 export var SupportedDateFormat;
@@ -176,3 +168,4 @@ export var Gender;
     Gender["Male"] = "male";
     Gender["Other"] = "prefer_not_to_say";
 })(Gender || (Gender = {}));
+/* eslint-enable max-lines */

package/lib/types/logto-config/index.d.ts

@@ -41,6 +41,29 @@ export declare const oidcConfigKeyGuard: z.ZodObject<{
     createdAt: number;
 }>;
 export type OidcConfigKey = z.infer<typeof oidcConfigKeyGuard>;
+export declare enum OidcSigningKeyStatus {
+    Next = "Next",
+    Current = "Current",
+    Previous = "Previous"
+}
+export declare const oidcPrivateKeyGuard: z.ZodObject<{
+    id: z.ZodString;
+    value: z.ZodString;
+    createdAt: z.ZodNumber;
+} & {
+    status: z.ZodOptional<z.ZodNativeEnum<typeof OidcSigningKeyStatus>>;
+}, "strip", z.ZodTypeAny, {
+    value: string;
+    id: string;
+    createdAt: number;
+    status?: OidcSigningKeyStatus | undefined;
+}, {
+    value: string;
+    id: string;
+    createdAt: number;
+    status?: OidcSigningKeyStatus | undefined;
+}>;
+export type OidcPrivateKey = z.infer<typeof oidcPrivateKeyGuard>;
 export declare const oidcSessionConfigGuard: z.ZodObject<{
     ttl: z.ZodOptional<z.ZodNumber>;
 }, "strip", z.ZodTypeAny, {
@@ -50,7 +73,7 @@ export declare const oidcSessionConfigGuard: z.ZodObject<{
 }>;
 export type OidcSessionConfig = z.infer<typeof oidcSessionConfigGuard>;
 export type LogtoOidcConfigType = {
-    [LogtoOidcConfigKey.PrivateKeys]: OidcConfigKey[];
+    [LogtoOidcConfigKey.PrivateKeys]: OidcPrivateKey[];
     [LogtoOidcConfigKey.CookieKeys]: OidcConfigKey[];
     [LogtoOidcConfigKey.Session]: OidcSessionConfig;
 };
@@ -73,6 +96,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
     value: z.ZodObject<{
         script: z.ZodString;
         environmentVariables: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+        blockIssuanceOnError: z.ZodOptional<z.ZodBoolean>;
     } & {
         tokenSample: z.ZodOptional<z.ZodObject<{
             accountId: z.ZodOptional<z.ZodString>;
@@ -2125,6 +2149,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
                 signInContext?: Record<string, string> | undefined;
             } | undefined;
         } | undefined;
+        blockIssuanceOnError?: boolean | undefined;
         tokenSample?: {
             grantId?: string | undefined;
             sid?: string | undefined;
@@ -2382,6 +2407,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
                 signInContext?: Record<string, string> | undefined;
             } | undefined;
         } | undefined;
+        blockIssuanceOnError?: boolean | undefined;
         tokenSample?: {
             grantId?: string | undefined;
             sid?: string | undefined;
@@ -2641,6 +2667,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
                 signInContext?: Record<string, string> | undefined;
             } | undefined;
         } | undefined;
+        blockIssuanceOnError?: boolean | undefined;
         tokenSample?: {
             grantId?: string | undefined;
             sid?: string | undefined;
@@ -2901,6 +2928,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
                 signInContext?: Record<string, string> | undefined;
             } | undefined;
         } | undefined;
+        blockIssuanceOnError?: boolean | undefined;
         tokenSample?: {
             grantId?: string | undefined;
             sid?: string | undefined;
@@ -2921,6 +2949,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
     value: z.ZodObject<{
         script: z.ZodString;
         environmentVariables: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+        blockIssuanceOnError: z.ZodOptional<z.ZodBoolean>;
     } & {
         tokenSample: z.ZodOptional<z.ZodObject<{
             kind: z.ZodOptional<z.ZodLiteral<"ClientCredentials">>;
@@ -3299,6 +3328,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
                 isThirdParty?: boolean | undefined;
             } | undefined;
         } | undefined;
+        blockIssuanceOnError?: boolean | undefined;
         tokenSample?: {
             jti?: string | undefined;
             kind?: "ClientCredentials" | undefined;
@@ -3363,6 +3393,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
                 isThirdParty?: boolean | undefined;
             } | undefined;
         } | undefined;
+        blockIssuanceOnError?: boolean | undefined;
         tokenSample?: {
             jti?: string | undefined;
             kind?: "ClientCredentials" | undefined;
@@ -3429,6 +3460,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
                 isThirdParty?: boolean | undefined;
             } | undefined;
         } | undefined;
+        blockIssuanceOnError?: boolean | undefined;
         tokenSample?: {
             jti?: string | undefined;
             kind?: "ClientCredentials" | undefined;
@@ -3496,6 +3528,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
                 isThirdParty?: boolean | undefined;
             } | undefined;
         } | undefined;
+        blockIssuanceOnError?: boolean | undefined;
         tokenSample?: {
             jti?: string | undefined;
             kind?: "ClientCredentials" | undefined;
@@ -3597,13 +3630,26 @@ export declare const idTokenConfigGuard: z.ZodObject<{
     enabledExtendedClaims?: ("custom_data" | "identities" | "sso_identities" | "roles" | "organizations" | "organization_data" | "organization_roles")[] | undefined;
 }>;
 export type IdTokenConfig = z.infer<typeof idTokenConfigGuard>;
+export declare const signingKeyRotationStateGuard: z.ZodObject<{
+    tenantCacheExpiresAt: z.ZodOptional<z.ZodNumber>;
+    signingKeyRotationAt: z.ZodOptional<z.ZodNumber>;
+}, "strip", z.ZodTypeAny, {
+    tenantCacheExpiresAt?: number | undefined;
+    signingKeyRotationAt?: number | undefined;
+}, {
+    tenantCacheExpiresAt?: number | undefined;
+    signingKeyRotationAt?: number | undefined;
+}>;
+export type SigningKeyRotationState = z.infer<typeof signingKeyRotationStateGuard>;
 export declare enum LogtoTenantConfigKey {
     AdminConsole = "adminConsole",
     CloudConnection = "cloudConnection",
     /** The URL to redirect when session not found in Sign-in Experience. */
     SessionNotFoundRedirectUrl = "sessionNotFoundRedirectUrl",
     /** ID token configuration for extended claims. */
-    IdToken = "idToken"
+    IdToken = "idToken",
+    /** Tenant-scoped rotation state for staged private signing key activation. */
+    SigningKeyRotationState = "signingKeyRotationState"
 }
 export type LogtoTenantConfigType = {
     [LogtoTenantConfigKey.AdminConsole]: AdminConsoleData;
@@ -3612,6 +3658,7 @@ export type LogtoTenantConfigType = {
         url: string;
     };
     [LogtoTenantConfigKey.IdToken]: IdTokenConfig;
+    [LogtoTenantConfigKey.SigningKeyRotationState]: SigningKeyRotationState;
 };
 export declare const logtoTenantConfigGuard: Readonly<{
     [key in LogtoTenantConfigKey]: ZodType<LogtoTenantConfigType[key]>;
@@ -3627,13 +3674,19 @@ export declare const oidcConfigKeysResponseGuard: z.ZodObject<Omit<{
     createdAt: z.ZodNumber;
 }, "value"> & {
     signingKeyAlgorithm: z.ZodOptional<z.ZodNativeEnum<typeof SupportedSigningKeyAlgorithm>>;
+    status: z.ZodOptional<z.ZodNativeEnum<typeof OidcSigningKeyStatus>>;
+    effectiveAt: z.ZodOptional<z.ZodNumber>;
 }, "strip", z.ZodTypeAny, {
     id: string;
     createdAt: number;
+    status?: OidcSigningKeyStatus | undefined;
     signingKeyAlgorithm?: SupportedSigningKeyAlgorithm | undefined;
+    effectiveAt?: number | undefined;
 }, {
     id: string;
     createdAt: number;
+    status?: OidcSigningKeyStatus | undefined;
     signingKeyAlgorithm?: SupportedSigningKeyAlgorithm | undefined;
+    effectiveAt?: number | undefined;
 }>;
 export type OidcConfigKeysResponse = z.infer<typeof oidcConfigKeysResponseGuard>;