@meistrari/auth-core 1.20.0 → 1.21.0

package/dist/index.d.mts CHANGED
@@ -2,13 +2,95 @@ import * as better_auth_plugins from 'better-auth/plugins';
2
2
  import * as better_auth from 'better-auth';
3
3
  import { JWTPayload as JWTPayload$1 } from 'better-auth';
4
4
  export { APIError } from 'better-auth';
5
- import z$1, { z } from 'zod';
5
+ import z, { z as z$1 } from 'zod';
6
6
  import * as better_auth_client from 'better-auth/client';
7
7
  import { BetterFetchOption } from 'better-auth/client';
8
8
  import * as jose from 'jose';
9
9
  import * as _better_auth_sso from '@better-auth/sso';
10
10
  import { ApiKey as ApiKey$1 } from '@better-auth/api-key';
11
11
 
12
+ declare const AMRBrand: unique symbol;
13
+ declare const AALBrand: unique symbol;
14
+ declare const ACRBrand: unique symbol;
15
+ declare const AuthMethodBrand: unique symbol;
16
+ declare const AMRs: {
17
+ readonly Pwd: ("sso" & z.core.$brand<typeof AMRBrand>) | ("saml" & z.core.$brand<typeof AMRBrand>) | ("otp" & z.core.$brand<typeof AMRBrand>) | ("pwd" & z.core.$brand<typeof AMRBrand>) | ("oauth" & z.core.$brand<typeof AMRBrand>);
18
+ readonly Otp: ("sso" & z.core.$brand<typeof AMRBrand>) | ("saml" & z.core.$brand<typeof AMRBrand>) | ("otp" & z.core.$brand<typeof AMRBrand>) | ("pwd" & z.core.$brand<typeof AMRBrand>) | ("oauth" & z.core.$brand<typeof AMRBrand>);
19
+ readonly Oauth: ("sso" & z.core.$brand<typeof AMRBrand>) | ("saml" & z.core.$brand<typeof AMRBrand>) | ("otp" & z.core.$brand<typeof AMRBrand>) | ("pwd" & z.core.$brand<typeof AMRBrand>) | ("oauth" & z.core.$brand<typeof AMRBrand>);
20
+ readonly Sso: ("sso" & z.core.$brand<typeof AMRBrand>) | ("saml" & z.core.$brand<typeof AMRBrand>) | ("otp" & z.core.$brand<typeof AMRBrand>) | ("pwd" & z.core.$brand<typeof AMRBrand>) | ("oauth" & z.core.$brand<typeof AMRBrand>);
21
+ readonly Saml: ("sso" & z.core.$brand<typeof AMRBrand>) | ("saml" & z.core.$brand<typeof AMRBrand>) | ("otp" & z.core.$brand<typeof AMRBrand>) | ("pwd" & z.core.$brand<typeof AMRBrand>) | ("oauth" & z.core.$brand<typeof AMRBrand>);
22
+ };
23
+ declare const AALs: {
24
+ readonly Aal1: ("aal1" & z.core.$brand<typeof AALBrand>) | ("aal2" & z.core.$brand<typeof AALBrand>) | ("aal3" & z.core.$brand<typeof AALBrand>);
25
+ readonly Aal2: ("aal1" & z.core.$brand<typeof AALBrand>) | ("aal2" & z.core.$brand<typeof AALBrand>) | ("aal3" & z.core.$brand<typeof AALBrand>);
26
+ readonly Aal3: ("aal1" & z.core.$brand<typeof AALBrand>) | ("aal2" & z.core.$brand<typeof AALBrand>) | ("aal3" & z.core.$brand<typeof AALBrand>);
27
+ };
28
+ declare const ACRs: {
29
+ readonly Unspecified: "urn:tela:auth:unspecified" & z.core.$brand<typeof ACRBrand>;
30
+ };
31
+ declare const AuthMethods: {
32
+ readonly Password: ("unknown" & z.core.$brand<typeof AuthMethodBrand>) | ("password" & z.core.$brand<typeof AuthMethodBrand>) | ("saml" & z.core.$brand<typeof AuthMethodBrand>) | ("oauth" & z.core.$brand<typeof AuthMethodBrand>) | ("email_otp" & z.core.$brand<typeof AuthMethodBrand>);
33
+ readonly EmailOTP: ("unknown" & z.core.$brand<typeof AuthMethodBrand>) | ("password" & z.core.$brand<typeof AuthMethodBrand>) | ("saml" & z.core.$brand<typeof AuthMethodBrand>) | ("oauth" & z.core.$brand<typeof AuthMethodBrand>) | ("email_otp" & z.core.$brand<typeof AuthMethodBrand>);
34
+ readonly OAuth: ("unknown" & z.core.$brand<typeof AuthMethodBrand>) | ("password" & z.core.$brand<typeof AuthMethodBrand>) | ("saml" & z.core.$brand<typeof AuthMethodBrand>) | ("oauth" & z.core.$brand<typeof AuthMethodBrand>) | ("email_otp" & z.core.$brand<typeof AuthMethodBrand>);
35
+ readonly SAML: ("unknown" & z.core.$brand<typeof AuthMethodBrand>) | ("password" & z.core.$brand<typeof AuthMethodBrand>) | ("saml" & z.core.$brand<typeof AuthMethodBrand>) | ("oauth" & z.core.$brand<typeof AuthMethodBrand>) | ("email_otp" & z.core.$brand<typeof AuthMethodBrand>);
36
+ readonly Unknown: ("unknown" & z.core.$brand<typeof AuthMethodBrand>) | ("password" & z.core.$brand<typeof AuthMethodBrand>) | ("saml" & z.core.$brand<typeof AuthMethodBrand>) | ("oauth" & z.core.$brand<typeof AuthMethodBrand>) | ("email_otp" & z.core.$brand<typeof AuthMethodBrand>);
37
+ };
38
+ declare const AMR: z.core.$ZodBranded<z.ZodEnum<{
39
+ readonly Pwd: "pwd";
40
+ readonly Otp: "otp";
41
+ readonly Oauth: "oauth";
42
+ readonly Sso: "sso";
43
+ readonly Saml: "saml";
44
+ }>, typeof AMRBrand, "out">;
45
+ type AMR = z.infer<typeof AMR>;
46
+ declare const AAL: z.core.$ZodBranded<z.ZodEnum<{
47
+ readonly Aal1: "aal1";
48
+ readonly Aal2: "aal2";
49
+ readonly Aal3: "aal3";
50
+ }>, typeof AALBrand, "out">;
51
+ type AAL = z.infer<typeof AAL>;
52
+ declare const ACR: z.core.$ZodBranded<z.ZodEnum<{
53
+ readonly Unspecified: "urn:tela:auth:unspecified";
54
+ }>, typeof ACRBrand, "out">;
55
+ type ACR = z.infer<typeof ACR>;
56
+ declare const AuthMethod: z.core.$ZodBranded<z.ZodEnum<{
57
+ readonly Password: "password";
58
+ readonly EmailOTP: "email_otp";
59
+ readonly OAuth: "oauth";
60
+ readonly SAML: "saml";
61
+ readonly Unknown: "unknown";
62
+ }>, typeof AuthMethodBrand, "out">;
63
+ type AuthMethod = z.infer<typeof AuthMethod>;
64
+ declare const assuranceFields: {
65
+ authMethod: {
66
+ type: "string";
67
+ required: true;
68
+ };
69
+ amr: {
70
+ type: "json";
71
+ required: true;
72
+ };
73
+ aal: {
74
+ type: "string";
75
+ required: true;
76
+ };
77
+ acr: {
78
+ type: "string";
79
+ required: true;
80
+ };
81
+ assuredAt: {
82
+ type: "date";
83
+ required: true;
84
+ };
85
+ };
86
+ type AssuranceFields = {
87
+ authMethod: AuthMethod;
88
+ amr: AMR[];
89
+ aal: AAL;
90
+ acr: ACR;
91
+ assuredAt: Date;
92
+ };
93
+
12
94
  declare const ac: {
13
95
  newRole<K extends "member" | "access" | "organization" | "invitation" | "team" | "ac">(statements: better_auth_plugins.Subset<K, {
14
96
  access: string[];
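Review bot: Every member of `AMRs`, `AALs` and `AuthMethods` is declared with the full branded union rather than its own literal, so `typeof AMRs.Pwd` is the same type as `AMR` and the member names tell the checker nothing. That matters where these members are used as type-level constraints later in this file: a discriminant written as `method: typeof AMRs.Pwd` also admits `"sso"` or `"saml"`, leaving only runtime schema validation to tell the step-up cases apart. This file is build output, so the change belongs in the source: give each member its own literal, e.g. `readonly Pwd: "pwd" & z.core.$brand<typeof AMRBrand>`. The `ac` declaration that follows the added block continues outside the hunk.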
@@ -224,61 +306,249 @@ declare const invitationAdditionalFields: {
224
306
  /**
225
307
  * Zod schema and type for the `user` claim within a JWT payload.
226
308
  */
227
- declare const JWTPayloadUser: z.ZodObject<{
228
- id: z.ZodString;
229
- name: z.ZodString;
230
- image: z.ZodOptional<z.ZodNullable<z.ZodString>>;
231
- role: z.ZodNullable<z.ZodString>;
232
- }, z.core.$strip>;
233
- type JWTPayloadUser = z.infer<typeof JWTPayloadUser>;
309
+ declare const JWTPayloadUser: z$1.ZodObject<{
310
+ id: z$1.ZodString;
311
+ name: z$1.ZodString;
312
+ image: z$1.ZodOptional<z$1.ZodNullable<z$1.ZodString>>;
313
+ role: z$1.ZodNullable<z$1.ZodString>;
314
+ }, z$1.core.$strip>;
315
+ type JWTPayloadUser = z$1.infer<typeof JWTPayloadUser>;
234
316
  /**
235
317
  * Zod schema and type for the `workspace` claim within a JWT payload.
236
318
  */
237
- declare const JWTPayloadWorkspace: z.ZodObject<{
238
- id: z.ZodString;
239
- title: z.ZodString;
240
- }, z.core.$strip>;
241
- type JWTPayloadWorkspace = z.infer<typeof JWTPayloadWorkspace>;
319
+ declare const JWTPayloadWorkspace: z$1.ZodObject<{
320
+ id: z$1.ZodString;
321
+ title: z$1.ZodString;
322
+ }, z$1.core.$strip>;
323
+ type JWTPayloadWorkspace = z$1.infer<typeof JWTPayloadWorkspace>;
324
+ type JWTPayloadAssurance = {
325
+ authMethod: AuthMethod;
326
+ amr: AMR[];
327
+ aal: AAL;
328
+ acr: ACR;
329
+ assuredAt: string;
330
+ };
331
+ declare const JWTPayloadAssurance: z$1.ZodType<JWTPayloadAssurance>;
332
+ declare const DEFAULT_JWT_ASSURANCE: JWTPayloadAssurance;
333
+ type JWTPayloadData = {
334
+ email: string;
335
+ user: JWTPayloadUser;
336
+ workspace: JWTPayloadWorkspace;
337
+ sessionKey: string;
338
+ assurance: JWTPayloadAssurance;
339
+ };
242
340
  /**
243
341
  * Zod schema and type for the full JWT payload issued by the auth API.
244
342
  *
245
343
  * Includes `email`, `user`, `workspace`, and `sessionKey` claims
246
344
  * on top of the standard Better Auth JWT fields (`sub`, `iss`, `exp`, etc.).
247
345
  */
248
- declare const JWTPayload: z.ZodObject<{
249
- email: z.ZodString;
346
+ declare const JWTPayload: z$1.ZodType<JWTPayloadData>;
347
+ type JWTPayload = JWTPayload$1 & JWTPayloadData;
348
+
349
+ declare const OAuthStepUpProvider: z.ZodEnum<{
350
+ google: "google";
351
+ microsoft: "microsoft";
352
+ }>;
353
+ type OAuthStepUpProvider = z.infer<typeof OAuthStepUpProvider>;
354
+ type StepUpOption = {
355
+ method: typeof AMRs.Pwd;
356
+ } | {
357
+ method: typeof AMRs.Otp;
358
+ } | {
359
+ method: typeof AMRs.Oauth;
360
+ providers: OAuthStepUpProvider[];
361
+ };
362
+ declare const StepUpOption: z.ZodType<StepUpOption>;
363
+ type SessionAssurancePolicy = {
364
+ minAal: typeof AALs.Aal1 | typeof AALs.Aal2 | typeof AALs.Aal3;
365
+ acceptedAmr: AMR[];
366
+ };
367
+ declare const SessionAssurancePolicy: z.ZodType<SessionAssurancePolicy>;
368
+ declare const SENSITIVE_ACTION_ASSURANCE_POLICY: SessionAssurancePolicy;
369
+ declare function getAalRank(aal: JWTPayload['assurance']['aal']): number;
370
+ declare function isAssuranceSufficientForPolicy(assurance: JWTPayload['assurance'] | null | undefined, policy: SessionAssurancePolicy): boolean;
371
+ declare function canStepUpWithAmr(assurance: JWTPayload['assurance'], amr: AMR): boolean;
372
+ declare function mergeStepUpAssurance(assurance: JWTPayload['assurance'], amr: AMR, now?: Date): JWTPayload['assurance'];
373
+
374
+ /**
375
+ * Base error class for all SDK errors.
376
+ *
377
+ * Extends the native `Error` with a machine-readable `code` property
378
+ * that can be used for programmatic error handling.
379
+ */
380
+ declare class BaseError extends Error {
381
+ /** Machine-readable error code (e.g. `"INVALID_SOCIAL_PROVIDER"`). */
382
+ code: string;
383
+ /**
384
+ * @param code - A machine-readable error code
385
+ * @param message - A human-readable error message
386
+ * @param options - Standard `ErrorOptions` (e.g. `cause`)
387
+ */
388
+ constructor(code: string, message: string, options?: ErrorOptions);
389
+ }
390
+
391
+ declare const SessionAssuranceRequiredPayload: z.ZodObject<{
392
+ code: z.ZodEnum<{
393
+ session_assurance_required: "session_assurance_required";
394
+ application_session_assurance_not_met: "application_session_assurance_not_met";
395
+ }>;
396
+ currentAssurance: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodType<JWTPayloadAssurance, unknown, z.core.$ZodTypeInternals<JWTPayloadAssurance, unknown>>>;
397
+ requiredAssurance: z.ZodType<SessionAssurancePolicy, unknown, z.core.$ZodTypeInternals<SessionAssurancePolicy, unknown>>;
398
+ validStepUps: z.ZodArray<z.ZodType<StepUpOption, unknown, z.core.$ZodTypeInternals<StepUpOption, unknown>>>;
399
+ }, z.core.$strip>;
400
+ type SessionAssuranceRequiredPayload = z.infer<typeof SessionAssuranceRequiredPayload>;
401
+ declare function parseSessionAssuranceRequiredPayload(error: unknown): {
402
+ code: "session_assurance_required" | "application_session_assurance_not_met";
403
+ currentAssurance: JWTPayloadAssurance;
404
+ requiredAssurance: SessionAssurancePolicy;
405
+ validStepUps: StepUpOption[];
406
+ } | null;
407
+ declare class SessionAssuranceRequiredError extends BaseError {
408
+ readonly payload: SessionAssuranceRequiredPayload;
409
+ readonly currentAssurance: SessionAssuranceRequiredPayload['currentAssurance'];
410
+ readonly requiredAssurance: SessionAssuranceRequiredPayload['requiredAssurance'];
411
+ readonly validStepUps: SessionAssuranceRequiredPayload['validStepUps'];
412
+ constructor(payload: SessionAssuranceRequiredPayload, options?: ErrorOptions);
413
+ }
414
+
415
+ declare function sessionAssurancePluginClient(): {
416
+ id: "session-assurance";
417
+ getActions: ($fetch: better_auth_client.BetterFetch) => {
418
+ sessionAssurance: {
419
+ getSessionAssurance: () => Promise<{
420
+ data: null;
421
+ error: {
422
+ message?: string | undefined;
423
+ status: number;
424
+ statusText: string;
425
+ };
426
+ } | {
427
+ data: unknown;
428
+ error: null;
429
+ }>;
430
+ stepUpWithPassword: (body: {
431
+ password: string;
432
+ }) => Promise<{
433
+ data: null;
434
+ error: {
435
+ message?: string | undefined;
436
+ status: number;
437
+ statusText: string;
438
+ };
439
+ } | {
440
+ data: unknown;
441
+ error: null;
442
+ }>;
443
+ sendOtp: () => Promise<{
444
+ data: null;
445
+ error: {
446
+ message?: string | undefined;
447
+ status: number;
448
+ statusText: string;
449
+ };
450
+ } | {
451
+ data: unknown;
452
+ error: null;
453
+ }>;
454
+ verifyOtp: (body: {
455
+ otp: string;
456
+ }) => Promise<{
457
+ data: null;
458
+ error: {
459
+ message?: string | undefined;
460
+ status: number;
461
+ statusText: string;
462
+ };
463
+ } | {
464
+ data: unknown;
465
+ error: null;
466
+ }>;
467
+ beginOAuthStepUp: (body: {
468
+ provider: OAuthStepUpProvider;
469
+ returnUrl?: string;
470
+ }) => Promise<{
471
+ data: null;
472
+ error: {
473
+ message?: string | undefined;
474
+ status: number;
475
+ statusText: string;
476
+ };
477
+ } | {
478
+ data: unknown;
479
+ error: null;
480
+ }>;
481
+ completeOAuthStepUp: (body: {
482
+ stepUpToken: string;
483
+ }) => Promise<{
484
+ data: null;
485
+ error: {
486
+ message?: string | undefined;
487
+ status: number;
488
+ statusText: string;
489
+ };
490
+ } | {
491
+ data: unknown;
492
+ error: null;
493
+ }>;
494
+ };
495
+ };
496
+ };
497
+ type SessionAssuranceActions = ReturnType<ReturnType<typeof sessionAssurancePluginClient>['getActions']>['sessionAssurance'];
498
+
499
+ type BeginOAuthStepUpParams = {
500
+ provider: OAuthStepUpProvider;
501
+ returnUrl?: string;
502
+ };
503
+ declare const SessionAssuranceResponse: z.ZodObject<{
504
+ assurance: z.ZodType<AssuranceFields, unknown, z.core.$ZodTypeInternals<AssuranceFields, unknown>>;
505
+ validStepUps: z.ZodArray<z.ZodType<StepUpOption, unknown, z.core.$ZodTypeInternals<StepUpOption, unknown>>>;
506
+ }, z.core.$strip>;
507
+ type SessionAssuranceResponse = z.infer<typeof SessionAssuranceResponse>;
508
+ declare const OAuthBeginStepUpResponse: z.ZodObject<{
509
+ stepUpToken: z.ZodString;
510
+ callbackURL: z.ZodString;
511
+ }, z.core.$strip>;
512
+ type OAuthBeginStepUpResponse = z.infer<typeof OAuthBeginStepUpResponse>;
513
+ declare const OAuthCompleteStepUpResponse: z.ZodObject<{
514
+ assurance: z.ZodType<AssuranceFields, unknown, z.core.$ZodTypeInternals<AssuranceFields, unknown>>;
515
+ validStepUps: z.ZodArray<z.ZodType<StepUpOption, unknown, z.core.$ZodTypeInternals<StepUpOption, unknown>>>;
516
+ returnPath: z.ZodString;
517
+ }, z.core.$strip>;
518
+ type OAuthCompleteStepUpResponse = z.infer<typeof OAuthCompleteStepUpResponse>;
519
+ declare const SendOtpResponse: z.ZodObject<{
520
+ success: z.ZodBoolean;
521
+ }, z.core.$strip>;
522
+ type SendOtpResponse = z.infer<typeof SendOtpResponse>;
523
+ declare class SessionAssuranceService {
524
+ private readonly client;
525
+ constructor(client: APIClient);
526
+ get(): Promise<SessionAssuranceResponse>;
527
+ stepUpWithPassword(password: string): Promise<SessionAssuranceResponse>;
528
+ sendOtp(): Promise<SendOtpResponse>;
529
+ verifyOtp(otp: string): Promise<SessionAssuranceResponse>;
530
+ beginOAuthStepUp(params: BeginOAuthStepUpParams): Promise<OAuthBeginStepUpResponse>;
531
+ completeOAuthStepUp(stepUpToken: string): Promise<OAuthCompleteStepUpResponse>;
532
+ }
533
+
534
+ declare const ApiKeyMetadata: z.ZodObject<{
250
535
  user: z.ZodObject<{
251
536
  id: z.ZodString;
252
- name: z.ZodString;
253
- image: z.ZodOptional<z.ZodNullable<z.ZodString>>;
254
- role: z.ZodNullable<z.ZodString>;
537
+ email: z.ZodString;
255
538
  }, z.core.$strip>;
256
539
  workspace: z.ZodObject<{
257
540
  id: z.ZodString;
258
541
  title: z.ZodString;
259
542
  }, z.core.$strip>;
260
- sessionKey: z.ZodString;
543
+ application: z.ZodNullable<z.ZodOptional<z.ZodObject<{
544
+ id: z.ZodString;
545
+ name: z.ZodString;
546
+ }, z.core.$strip>>>;
261
547
  }, z.core.$strip>;
262
- type JWTPayload = JWTPayload$1 & z.infer<typeof JWTPayload>;
263
-
264
- declare const ApiKeyMetadata: z$1.ZodObject<{
265
- user: z$1.ZodObject<{
266
- id: z$1.ZodString;
267
- email: z$1.ZodString;
268
- }, z$1.core.$strip>;
269
- workspace: z$1.ZodObject<{
270
- id: z$1.ZodString;
271
- title: z$1.ZodString;
272
- }, z$1.core.$strip>;
273
- application: z$1.ZodNullable<z$1.ZodOptional<z$1.ZodObject<{
274
- id: z$1.ZodString;
275
- name: z$1.ZodString;
276
- }, z$1.core.$strip>>>;
277
- }, z$1.core.$strip>;
278
548
  /**
279
549
  * Metadata attached to an API key, identifying the owning user and workspace.
280
550
  */
281
- type ApiKeyMetadata = z$1.infer<typeof ApiKeyMetadata> & Record<string, unknown>;
551
+ type ApiKeyMetadata = z.infer<typeof ApiKeyMetadata> & Record<string, unknown>;
282
552
  /**
283
553
  * A full API key including the secret key value.
284
554
  *
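Review bot: `SessionAssurancePolicy` can express only `minAal` and `acceptedAmr`, and `isAssuranceSufficientForPolicy(assurance, policy)` takes no clock, so as declared the check has no way to weigh the age of `assuredAt`. If nothing else bounds it, a step-up performed early in a session keeps satisfying `SENSITIVE_ACTION_ASSURANCE_POLICY` for as long as the assurance claim is carried forward; token expiry may limit this, but that is not visible here. Consider an optional freshness bound on the policy, e.g. `maxAgeSeconds?: number`, and a `now?: Date` parameter matching `mergeStepUpAssurance`. The four helpers also need TSDoc, in particular stating what a `null` or `undefined` assurance returns (it should be `false`). The comment above `JWTPayload` still lists `email`, `user`, `workspace`, and `sessionKey` without the new `assurance` claim.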
@@ -2704,10 +2974,258 @@ declare function createAPIClient(apiUrl: string, fetchOptions?: BetterFetchOptio
2704
2974
  message?: string | undefined;
2705
2975
  }, FetchOptions["throw"] extends true ? true : true>>;
2706
2976
  };
2977
+ } & {
2978
+ emailOtp: {
2979
+ sendVerificationOtp: <FetchOptions extends better_auth.ClientFetchOption<Partial<{
2980
+ email: string;
2981
+ type: "sign-in" | "change-email" | "email-verification" | "forget-password";
2982
+ }> & Record<string, any>, Partial<Record<string, any>> & Record<string, any>, Record<string, any> | undefined>>(data_0: better_auth.Prettify<{
2983
+ email: string;
2984
+ type: "sign-in" | "change-email" | "email-verification" | "forget-password";
2985
+ } & {
2986
+ fetchOptions?: FetchOptions | undefined;
2987
+ }>, data_1?: FetchOptions | undefined) => Promise<better_auth_client.BetterFetchResponse<{
2988
+ success: boolean;
2989
+ }, {
2990
+ code?: string | undefined;
2991
+ message?: string | undefined;
2992
+ }, FetchOptions["throw"] extends true ? true : true>>;
2993
+ };
2994
+ } & {
2995
+ emailOtp: {
2996
+ checkVerificationOtp: <FetchOptions extends better_auth.ClientFetchOption<Partial<{
2997
+ email: string;
2998
+ type: "sign-in" | "change-email" | "email-verification" | "forget-password";
2999
+ otp: string;
3000
+ }> & Record<string, any>, Partial<Record<string, any>> & Record<string, any>, Record<string, any> | undefined>>(data_0: better_auth.Prettify<{
3001
+ email: string;
3002
+ type: "sign-in" | "change-email" | "email-verification" | "forget-password";
3003
+ otp: string;
3004
+ } & {
3005
+ fetchOptions?: FetchOptions | undefined;
3006
+ }>, data_1?: FetchOptions | undefined) => Promise<better_auth_client.BetterFetchResponse<{
3007
+ success: boolean;
3008
+ }, {
3009
+ code?: string | undefined;
3010
+ message?: string | undefined;
3011
+ }, FetchOptions["throw"] extends true ? true : true>>;
3012
+ };
3013
+ } & {
3014
+ emailOtp: {
3015
+ verifyEmail: <FetchOptions extends better_auth.ClientFetchOption<Partial<{
3016
+ email: string;
3017
+ otp: string;
3018
+ }> & Record<string, any>, Partial<Record<string, any>> & Record<string, any>, Record<string, any> | undefined>>(data_0: better_auth.Prettify<{
3019
+ email: string;
3020
+ otp: string;
3021
+ } & {
3022
+ fetchOptions?: FetchOptions | undefined;
3023
+ }>, data_1?: FetchOptions | undefined) => Promise<better_auth_client.BetterFetchResponse<(Omit<{
3024
+ status: boolean;
3025
+ token: string;
3026
+ user: {
3027
+ id: string;
3028
+ createdAt: Date;
3029
+ updatedAt: Date;
3030
+ email: string;
3031
+ emailVerified: boolean;
3032
+ name: string;
3033
+ image?: string | null | undefined;
3034
+ } & Record<string, any>;
3035
+ }, "user"> & {
3036
+ user: better_auth.StripEmptyObjects<{
3037
+ id: string;
3038
+ createdAt: Date;
3039
+ updatedAt: Date;
3040
+ email: string;
3041
+ emailVerified: boolean;
3042
+ name: string;
3043
+ image?: string | null | undefined;
3044
+ } & {
3045
+ twoFactorEnabled: boolean | null | undefined;
3046
+ } & {} & {
3047
+ banned: boolean | null | undefined;
3048
+ } & {
3049
+ role?: string | null | undefined;
3050
+ banReason?: string | null | undefined;
3051
+ banExpires?: Date | null | undefined;
3052
+ } & {} & {
3053
+ lastActiveAt?: Date | null | undefined;
3054
+ }>;
3055
+ }) | (Omit<{
3056
+ status: boolean;
3057
+ token: null;
3058
+ user: {
3059
+ id: string;
3060
+ createdAt: Date;
3061
+ updatedAt: Date;
3062
+ email: string;
3063
+ emailVerified: boolean;
3064
+ name: string;
3065
+ image?: string | null | undefined;
3066
+ } & Record<string, any>;
3067
+ }, "user"> & {
3068
+ user: better_auth.StripEmptyObjects<{
3069
+ id: string;
3070
+ createdAt: Date;
3071
+ updatedAt: Date;
3072
+ email: string;
3073
+ emailVerified: boolean;
3074
+ name: string;
3075
+ image?: string | null | undefined;
3076
+ } & {
3077
+ twoFactorEnabled: boolean | null | undefined;
3078
+ } & {} & {
3079
+ banned: boolean | null | undefined;
3080
+ } & {
3081
+ role?: string | null | undefined;
3082
+ banReason?: string | null | undefined;
3083
+ banExpires?: Date | null | undefined;
3084
+ } & {} & {
3085
+ lastActiveAt?: Date | null | undefined;
3086
+ }>;
3087
+ }), {
3088
+ code?: string | undefined;
3089
+ message?: string | undefined;
3090
+ }, FetchOptions["throw"] extends true ? true : true>>;
3091
+ };
3092
+ } & {
3093
+ signIn: {
3094
+ emailOtp: <FetchOptions extends better_auth.ClientFetchOption<Partial<{
3095
+ email: string;
3096
+ otp: string;
3097
+ name?: string | undefined;
3098
+ image?: string | undefined;
3099
+ } & Record<string, any>> & Record<string, any>, Partial<Record<string, any>> & Record<string, any>, Record<string, any> | undefined>>(data_0: better_auth.Prettify<{
3100
+ email: string;
3101
+ otp: string;
3102
+ name?: string | undefined;
3103
+ image?: string | undefined;
3104
+ } & Record<string, any> & {
3105
+ fetchOptions?: FetchOptions | undefined;
3106
+ }>, data_1?: FetchOptions | undefined) => Promise<better_auth_client.BetterFetchResponse<Omit<{
3107
+ token: string;
3108
+ user: {
3109
+ id: string;
3110
+ createdAt: Date;
3111
+ updatedAt: Date;
3112
+ email: string;
3113
+ emailVerified: boolean;
3114
+ name: string;
3115
+ image?: string | null | undefined;
3116
+ };
3117
+ }, "user"> & {
3118
+ user: better_auth.StripEmptyObjects<{
3119
+ id: string;
3120
+ createdAt: Date;
3121
+ updatedAt: Date;
3122
+ email: string;
3123
+ emailVerified: boolean;
3124
+ name: string;
3125
+ image?: string | null | undefined;
3126
+ } & {
3127
+ twoFactorEnabled: boolean | null | undefined;
3128
+ } & {} & {
3129
+ banned: boolean | null | undefined;
3130
+ } & {
3131
+ role?: string | null | undefined;
3132
+ banReason?: string | null | undefined;
3133
+ banExpires?: Date | null | undefined;
3134
+ } & {} & {
3135
+ lastActiveAt?: Date | null | undefined;
3136
+ }>;
3137
+ }, {
3138
+ code?: string | undefined;
3139
+ message?: string | undefined;
3140
+ }, FetchOptions["throw"] extends true ? true : true>>;
3141
+ };
3142
+ } & {
3143
+ emailOtp: {
3144
+ requestPasswordReset: <FetchOptions extends better_auth.ClientFetchOption<Partial<{
3145
+ email: string;
3146
+ }> & Record<string, any>, Partial<Record<string, any>> & Record<string, any>, Record<string, any> | undefined>>(data_0: better_auth.Prettify<{
3147
+ email: string;
3148
+ } & {
3149
+ fetchOptions?: FetchOptions | undefined;
3150
+ }>, data_1?: FetchOptions | undefined) => Promise<better_auth_client.BetterFetchResponse<{
3151
+ success: boolean;
3152
+ }, {
3153
+ code?: string | undefined;
3154
+ message?: string | undefined;
3155
+ }, FetchOptions["throw"] extends true ? true : true>>;
3156
+ };
3157
+ } & {
3158
+ forgetPassword: {
3159
+ emailOtp: <FetchOptions extends better_auth.ClientFetchOption<Partial<{
3160
+ email: string;
3161
+ }> & Record<string, any>, Partial<Record<string, any>> & Record<string, any>, Record<string, any> | undefined>>(data_0: better_auth.Prettify<{
3162
+ email: string;
3163
+ } & {
3164
+ fetchOptions?: FetchOptions | undefined;
3165
+ }>, data_1?: FetchOptions | undefined) => Promise<better_auth_client.BetterFetchResponse<{
3166
+ success: boolean;
3167
+ }, {
3168
+ code?: string | undefined;
3169
+ message?: string | undefined;
3170
+ }, FetchOptions["throw"] extends true ? true : true>>;
3171
+ };
3172
+ } & {
3173
+ emailOtp: {
3174
+ resetPassword: <FetchOptions extends better_auth.ClientFetchOption<Partial<{
3175
+ email: string;
3176
+ otp: string;
3177
+ password: string;
3178
+ }> & Record<string, any>, Partial<Record<string, any>> & Record<string, any>, Record<string, any> | undefined>>(data_0: better_auth.Prettify<{
3179
+ email: string;
3180
+ otp: string;
3181
+ password: string;
3182
+ } & {
3183
+ fetchOptions?: FetchOptions | undefined;
3184
+ }>, data_1?: FetchOptions | undefined) => Promise<better_auth_client.BetterFetchResponse<{
3185
+ success: boolean;
3186
+ }, {
3187
+ code?: string | undefined;
3188
+ message?: string | undefined;
3189
+ }, FetchOptions["throw"] extends true ? true : true>>;
3190
+ };
3191
+ } & {
3192
+ emailOtp: {
3193
+ requestEmailChange: <FetchOptions extends better_auth.ClientFetchOption<Partial<{
3194
+ newEmail: string;
3195
+ otp?: string | undefined;
3196
+ }> & Record<string, any>, Partial<Record<string, any>> & Record<string, any>, Record<string, any> | undefined>>(data_0: better_auth.Prettify<{
3197
+ newEmail: string;
3198
+ otp?: string | undefined;
3199
+ } & {
3200
+ fetchOptions?: FetchOptions | undefined;
3201
+ }>, data_1?: FetchOptions | undefined) => Promise<better_auth_client.BetterFetchResponse<{
3202
+ success: boolean;
3203
+ }, {
3204
+ code?: string | undefined;
3205
+ message?: string | undefined;
3206
+ }, FetchOptions["throw"] extends true ? true : true>>;
3207
+ };
3208
+ } & {
3209
+ emailOtp: {
3210
+ changeEmail: <FetchOptions extends better_auth.ClientFetchOption<Partial<{
3211
+ newEmail: string;
3212
+ otp: string;
3213
+ }> & Record<string, any>, Partial<Record<string, any>> & Record<string, any>, Record<string, any> | undefined>>(data_0: better_auth.Prettify<{
3214
+ newEmail: string;
3215
+ otp: string;
3216
+ } & {
3217
+ fetchOptions?: FetchOptions | undefined;
3218
+ }>, data_1?: FetchOptions | undefined) => Promise<better_auth_client.BetterFetchResponse<{
3219
+ success: boolean;
3220
+ }, {
3221
+ code?: string | undefined;
3222
+ message?: string | undefined;
3223
+ }, FetchOptions["throw"] extends true ? true : true>>;
3224
+ };
2707
3225
  } & {
2708
3226
  signIn: {
2709
3227
  social: <FetchOptions extends better_auth.ClientFetchOption<Partial<{
2710
- provider: (string & {}) | "linear" | "huggingface" | "github" | "apple" | "atlassian" | "cognito" | "discord" | "facebook" | "figma" | "microsoft" | "google" | "slack" | "spotify" | "twitch" | "twitter" | "dropbox" | "kick" | "linkedin" | "gitlab" | "tiktok" | "reddit" | "roblox" | "salesforce" | "vk" | "zoom" | "notion" | "kakao" | "naver" | "line" | "paybin" | "paypal" | "polar" | "railway" | "vercel";
3228
+ provider: (string & {}) | "google" | "microsoft" | "linear" | "huggingface" | "github" | "apple" | "atlassian" | "cognito" | "discord" | "facebook" | "figma" | "slack" | "spotify" | "twitch" | "twitter" | "dropbox" | "kick" | "linkedin" | "gitlab" | "tiktok" | "reddit" | "roblox" | "salesforce" | "vk" | "zoom" | "notion" | "kakao" | "naver" | "line" | "paybin" | "paypal" | "polar" | "railway" | "vercel";
2711
3229
  callbackURL?: string | undefined;
2712
3230
  newUserCallbackURL?: string | undefined;
2713
3231
  errorCallbackURL?: string | undefined;
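Review bot: `emailOtp.requestEmailChange` declares `otp` as optional (`otp?: string | undefined`) in both its option and `data_0` types, so the signature permits starting an email change without a code, presumably the one proving control of the current address. Whether the server demands it depends on configuration that a declaration file cannot show, and these signatures appear to be inferred from the better-auth email OTP plugin, so the place to settle it is the server-side plugin setup and the SDK documentation. The same holds for `signIn.emailOtp`, whose body accepts `name` and `image` and so looks able to create an account on first use. The release notes should state the OTP expiry, the attempt limit, whether OTP sign-up is enabled, and whether an email change requires a code for the current address. The enclosing `createAPIClient` return type starts and ends outside this hunk.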
@@ -2724,7 +3242,7 @@ declare function createAPIClient(apiUrl: string, fetchOptions?: BetterFetchOptio
2724
3242
  loginHint?: string | undefined;
2725
3243
  additionalData?: Record<string, any> | undefined;
2726
3244
  }> & Record<string, any>, Partial<Record<string, any>> & Record<string, any>, Record<string, any> | undefined>>(data_0: better_auth.Prettify<{
2727
- provider: (string & {}) | "linear" | "huggingface" | "github" | "apple" | "atlassian" | "cognito" | "discord" | "facebook" | "figma" | "microsoft" | "google" | "slack" | "spotify" | "twitch" | "twitter" | "dropbox" | "kick" | "linkedin" | "gitlab" | "tiktok" | "reddit" | "roblox" | "salesforce" | "vk" | "zoom" | "notion" | "kakao" | "naver" | "line" | "paybin" | "paypal" | "polar" | "railway" | "vercel";
3245
+ provider: (string & {}) | "google" | "microsoft" | "linear" | "huggingface" | "github" | "apple" | "atlassian" | "cognito" | "discord" | "facebook" | "figma" | "slack" | "spotify" | "twitch" | "twitter" | "dropbox" | "kick" | "linkedin" | "gitlab" | "tiktok" | "reddit" | "roblox" | "salesforce" | "vk" | "zoom" | "notion" | "kakao" | "naver" | "line" | "paybin" | "paypal" | "polar" | "railway" | "vercel";
2728
3246
  callbackURL?: string | undefined;
2729
3247
  newUserCallbackURL?: string | undefined;
2730
3248
  errorCallbackURL?: string | undefined;
@@ -3518,6 +4036,84 @@ declare function createAPIClient(apiUrl: string, fetchOptions?: BetterFetchOptio
3518
4036
  error: null;
3519
4037
  }>;
3520
4038
  };
4039
+ } & {
4040
+ sessionAssurance: {
4041
+ getSessionAssurance: () => Promise<{
4042
+ data: null;
4043
+ error: {
4044
+ message?: string | undefined;
4045
+ status: number;
4046
+ statusText: string;
4047
+ };
4048
+ } | {
4049
+ data: unknown;
4050
+ error: null;
4051
+ }>;
4052
+ stepUpWithPassword: (body: {
4053
+ password: string;
4054
+ }) => Promise<{
4055
+ data: null;
4056
+ error: {
4057
+ message?: string | undefined;
4058
+ status: number;
4059
+ statusText: string;
4060
+ };
4061
+ } | {
4062
+ data: unknown;
4063
+ error: null;
4064
+ }>;
4065
+ sendOtp: () => Promise<{
4066
+ data: null;
4067
+ error: {
4068
+ message?: string | undefined;
4069
+ status: number;
4070
+ statusText: string;
4071
+ };
4072
+ } | {
4073
+ data: unknown;
4074
+ error: null;
4075
+ }>;
4076
+ verifyOtp: (body: {
4077
+ otp: string;
4078
+ }) => Promise<{
4079
+ data: null;
4080
+ error: {
4081
+ message?: string | undefined;
4082
+ status: number;
4083
+ statusText: string;
4084
+ };
4085
+ } | {
4086
+ data: unknown;
4087
+ error: null;
4088
+ }>;
4089
+ beginOAuthStepUp: (body: {
4090
+ provider: OAuthStepUpProvider;
4091
+ returnUrl?: string;
4092
+ }) => Promise<{
4093
+ data: null;
4094
+ error: {
4095
+ message?: string | undefined;
4096
+ status: number;
4097
+ statusText: string;
4098
+ };
4099
+ } | {
4100
+ data: unknown;
4101
+ error: null;
4102
+ }>;
4103
+ completeOAuthStepUp: (body: {
4104
+ stepUpToken: string;
4105
+ }) => Promise<{
4106
+ data: null;
4107
+ error: {
4108
+ message?: string | undefined;
4109
+ status: number;
4110
+ statusText: string;
4111
+ };
4112
+ } | {
4113
+ data: unknown;
4114
+ error: null;
4115
+ }>;
4116
+ };
3521
4117
  } & {
3522
4118
  $Infer: {
3523
4119
  ActiveOrganization: {
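Review bot: `beginOAuthStepUp` accepts a free-form `returnUrl?: string`, and the matching `OAuthCompleteStepUpResponse` declared earlier hands back a `returnPath` string, with nothing in the types or comments saying which values are allowed. A caller that navigates to `returnPath` after step-up relies entirely on the server having limited it to a same-origin path; that contract should be written down and, ideally, re-checked on the client before navigation. A TSDoc line on the field such as `/** Same-origin relative path to return to after step-up. */` would do, once the server behaviour is confirmed. Every action here also resolves to `data: unknown`, so callers of the raw plugin client must parse with the exported schemas (`SessionAssuranceResponse` and the others) rather than cast. The same shape appears in `sessionAssurancePluginClient` in the earlier hunk, and the `createAPIClient` return type extends beyond this one.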
@@ -4266,6 +4862,18 @@ declare function createAPIClient(apiUrl: string, fetchOptions?: BetterFetchOptio
4266
4862
  readonly code: "INVALID_ROLE_TYPE";
4267
4863
  message: string;
4268
4864
  };
4865
+ OTP_EXPIRED: {
4866
+ readonly code: "OTP_EXPIRED";
4867
+ message: string;
4868
+ };
4869
+ INVALID_OTP: {
4870
+ readonly code: "INVALID_OTP";
4871
+ message: string;
4872
+ };
4873
+ TOO_MANY_ATTEMPTS: {
4874
+ readonly code: "TOO_MANY_ATTEMPTS";
4875
+ message: string;
4876
+ };
4269
4877
  USER_NOT_FOUND: {
4270
4878
  readonly code: "USER_NOT_FOUND";
4271
4879
  message: string;
@@ -4513,6 +5121,21 @@ type TeamMember = {
4513
5121
  createdAt: Date;
4514
5122
  };
4515
5123
 
5124
+ declare const DEFAULT_SESSION_ASSURANCE_CONFIG: ApplicationSessionAssuranceConfig;
5125
+ declare const DEFAULT_APPLICATION_CONFIG: {
5126
+ version: 1;
5127
+ sessionAssurance: ApplicationSessionAssuranceConfig;
5128
+ };
5129
+ type ApplicationSessionAssuranceConfig = {
5130
+ acceptedAmr: AMR[];
5131
+ minAal: AAL;
5132
+ };
5133
+ declare const ApplicationSessionAssuranceConfig: z.ZodType<ApplicationSessionAssuranceConfig>;
5134
+ type ApplicationConfig = {
5135
+ version: 1;
5136
+ sessionAssurance: ApplicationSessionAssuranceConfig;
5137
+ };
5138
+ declare const ApplicationConfig: z.ZodType<ApplicationConfig>;
4516
5139
  /**
4517
5140
  * Keys of the organization's related collections that can be optionally
4518
5141
  * included in the "who am I" response.
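Review bot: `ApplicationSessionAssuranceConfig` has exactly the fields of `SessionAssurancePolicy` (`acceptedAmr`, `minAal`) but is declared as a separate type with its own schema, so the two can drift apart when one of them gains a field. If they are meant to stay identical, one can alias the other, e.g. `type ApplicationSessionAssuranceConfig = SessionAssurancePolicy;`. `DEFAULT_SESSION_ASSURANCE_CONFIG` and `DEFAULT_APPLICATION_CONFIG` also carry no doc comment; since they decide what an application without explicit configuration accepts, the comment should state the default `minAal` and the accepted methods.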
@@ -4530,6 +5153,8 @@ type Application = {
4530
5153
  description: string;
4531
5154
  /** Allowed OAuth redirect URIs for this application. */
4532
5155
  redirectUris: string[];
5156
+ /** Additional configuration for this application. */
5157
+ config?: ApplicationConfig;
4533
5158
  };
4534
5159
  /**
4535
5160
  * Response returned when listing candidate organizations for an application.
@@ -4540,7 +5165,7 @@ type ListCandidateOrganizationsResponse = FullOrganization[];
4540
5165
  */
4541
5166
  type ApplicationAuthContextResponse = {
4542
5167
  /** Minimal application identity shown in the hosted auth flow. */
4543
- application: Pick<Application, 'id' | 'name'>;
5168
+ application: Pick<Application, 'id' | 'name' | 'config'>;
4544
5169
  };
4545
5170
  /**
4546
5171
  * Response returned when starting an authorization flow.
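Review bot: The comment above `application` still says "Minimal application identity shown in the hosted auth flow", but the `Pick` now also carries `config`, which holds the application's `sessionAssurance` policy (`acceptedAmr`, `minAal`). I would reword it to something like `/** Application identity and assurance policy shown in the hosted auth flow; config may be absent. */`. Because `config` is optional on `Application`, the comment should also say which policy applies when it is missing. This copy of the policy is presumably only for rendering sign-in options, with enforcement on the server, and that is worth stating so nobody treats the client-side value as authoritative.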
@@ -4561,6 +5186,8 @@ type CompleteAuthorizationFlowResponse = {
4561
5186
  user: User;
4562
5187
  /** The organization the tokens are scoped to. */
4563
5188
  organization: FullOrganization;
5189
+ /** Assurance context embedded in the issued access token. */
5190
+ assurance: JWTPayload['assurance'];
4564
5191
  };
4565
5192
  /**
4566
5193
  * Response returned by the "who am I" endpoint.
@@ -4574,6 +5201,8 @@ type WhoAmIResponse = {
4574
5201
  user: User;
4575
5202
  /** The user's active organization. */
4576
5203
  organization: WhoAmIOrganization;
5204
+ /** Assurance context embedded in the verified access token. */
5205
+ assurance: JWTPayload['assurance'];
4577
5206
  };
4578
5207
  /**
4579
5208
  * Options accepted by the "who am I" client method.
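Review bot: `assurance` is declared as always present on `WhoAmIResponse`, while the `DecodedJWTPayload` type added later in this diff makes the same claim optional (`assurance?: JWTPayloadAssurance`). If an access token without the claim can still be verified (one issued before this release, or by an older server), code that reads fields of `response.assurance` fails at runtime and the types hide it. Either declare it `assurance?: JWTPayload['assurance'];` or document that the endpoint substitutes a default when the token lacks the claim (the exports list a `DEFAULT_JWT_ASSURANCE`). The same applies to `CompleteAuthorizationFlowResponse.assurance` in the preceding hunk, although a freshly issued token makes a missing claim less likely there.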
@@ -4642,23 +5271,6 @@ type DeviceAuthorizationActionResponse = {
4642
5271
  success: boolean;
4643
5272
  };
4644
5273
 
4645
- /**
4646
- * Base error class for all SDK errors.
4647
- *
4648
- * Extends the native `Error` with a machine-readable `code` property
4649
- * that can be used for programmatic error handling.
4650
- */
4651
- declare class BaseError extends Error {
4652
- /** Machine-readable error code (e.g. `"INVALID_SOCIAL_PROVIDER"`). */
4653
- code: string;
4654
- /**
4655
- * @param code - A machine-readable error code
4656
- * @param message - A human-readable error message
4657
- * @param options - Standard `ErrorOptions` (e.g. `cause`)
4658
- */
4659
- constructor(code: string, message: string, options?: ErrorOptions);
4660
- }
4661
-
4662
5274
  /**
4663
5275
  * Generic error thrown by the `ApplicationService`.
4664
5276
  *
@@ -4683,6 +5295,20 @@ declare class RefreshTokenExpiredError extends ApplicationError {
4683
5295
  declare class AuthorizationFlowError extends ApplicationError {
4684
5296
  constructor(message: string, options?: ErrorOptions);
4685
5297
  }
5298
+ /**
5299
+ * Thrown when the authenticated session no longer satisfies the target
5300
+ * application's assurance policy.
5301
+ *
5302
+ * During device-code token exchange this is a final error: the consumed flow
5303
+ * cannot be retried and the client must start a new device authorization flow.
5304
+ */
5305
+ declare class ApplicationSessionAssuranceError extends ApplicationError {
5306
+ readonly payload: SessionAssuranceRequiredPayload | null;
5307
+ readonly currentAssurance: SessionAssuranceRequiredPayload['currentAssurance'] | null;
5308
+ readonly requiredAssurance: SessionAssuranceRequiredPayload['requiredAssurance'] | null;
5309
+ readonly validStepUps: SessionAssuranceRequiredPayload['validStepUps'];
5310
+ constructor(payload?: SessionAssuranceRequiredPayload | null, options?: ErrorOptions);
5311
+ }
4686
5312
  /**
4687
5313
  * Thrown when an operation requires an authenticated user but no session exists.
4688
5314
  */
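Review bot: The four readonly fields of `ApplicationSessionAssuranceError` are undocumented, and three are nullable while `validStepUps` is not. A reader therefore cannot tell what `validStepUps` contains when the error is constructed without a payload, which the constructor allows (`payload?: SessionAssuranceRequiredPayload | null`). A short comment per field would settle it, e.g. `/** Step-up options the client may offer; empty when no payload was supplied. */` if that is what the constructor does.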
@@ -4728,6 +5354,11 @@ declare class DeviceTransientServerError extends ApplicationError {
4728
5354
  constructor(options?: ErrorOptions);
4729
5355
  }
4730
5356
 
5357
+ /**
5358
+ * Checks whether a session assurance value satisfies an application policy.
5359
+ */
5360
+ declare function isSessionAssuranceSufficient(sessionAssurance: JWTPayload['assurance'] | null | undefined, config?: ApplicationConfig): boolean;
5361
+
4731
5362
  /**
4732
5363
  * Service for managing applications and their candidate organizations.
4733
5364
  *
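Review bot: The doc comment on `isSessionAssuranceSufficient` does not say what is returned when `sessionAssurance` is `null` or `undefined`, or when `config` is omitted, although the signature permits both. For a policy check those are the cases that matter: callers need to know that a missing assurance value fails closed, and which policy stands in for a missing `config` (presumably `DEFAULT_APPLICATION_CONFIG`; the implementation is not visible here). I would add `@param` and `@returns` lines covering both, e.g. `@returns false when sessionAssurance is null or undefined` if that is the behaviour. It would also help to say that this is a client-side convenience and does not replace enforcement by the service that issues tokens.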
@@ -4821,6 +5452,7 @@ declare class ApplicationService {
4821
5452
  * @throws {DeviceAccessDeniedError} The user denied the request
4822
5453
  * @throws {DeviceCodeExpiredError} The device code has expired
4823
5454
  * @throws {DeviceTransientServerError} Transient server error — safe to retry
5455
+ * @throws {ApplicationSessionAssuranceError} Assurance policy changed or is no longer met — start a new flow
4824
5456
  */
4825
5457
  exchangeDeviceCodeForTokens(deviceCode: string): Promise<CompleteAuthorizationFlowResponse>;
4826
5458
  /**
@@ -5258,8 +5890,6 @@ type SignInWithEmailAndPasswordOptions = {
5258
5890
  password: string;
5259
5891
  /** URL to redirect to after successful authentication. */
5260
5892
  callbackURL: string;
5261
- /** URL to redirect to if authentication fails. */
5262
- errorCallbackURL?: string;
5263
5893
  };
5264
5894
 
5265
5895
  /**
@@ -5357,8 +5987,9 @@ declare class SessionService {
5357
5987
  * @param options - Email/password sign-in configuration
5358
5988
  * @param options.email - User's email address
5359
5989
  * @param options.password - User's password
5990
+ * @param options.callbackURL - URL to redirect to after successful authentication
5360
5991
  */
5361
- signInWithEmailAndPassword({ email, password, }: SignInWithEmailAndPasswordOptions): Promise<void>;
5992
+ signInWithEmailAndPassword({ email, password, callbackURL, }: SignInWithEmailAndPasswordOptions): Promise<void>;
5362
5993
  /**
5363
5994
  * Signs out the currently authenticated user.
5364
5995
  *
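Review bot: The new `@param options.callbackURL` line documents a redirect target without saying which values are accepted, and this hunk is where the method starts consuming it. The old signature destructured only `email` and `password`, so the value was apparently ignored before. If the calling app derives `callbackURL` from request data, an unchecked redirect target is an open-redirect risk. The package exports an `InvalidCallbackURL` error, so if this method performs that check, a `@throws {InvalidCallbackURL}` line belongs in the docblock, which begins above the hunk.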
@@ -5455,6 +6086,92 @@ declare class ApiKeyService {
5455
6086
  }>;
5456
6087
  }
5457
6088
 
6089
+ /**
6090
+ * Options for requesting an email OTP.
6091
+ */
6092
+ type SendVerificationOTPOptions = {
6093
+ /**
6094
+ * Application ID used to scope the OTP request to an application's
6095
+ * configured sign-in policy.
6096
+ */
6097
+ applicationId: string;
6098
+ };
6099
+ /**
6100
+ * Options for completing email OTP sign-in.
6101
+ */
6102
+ type EmailOTPSignInOptions = {
6103
+ /**
6104
+ * Application ID used to scope the OTP sign-in to an application's
6105
+ * configured sign-in policy.
6106
+ */
6107
+ applicationId: string;
6108
+ };
6109
+ /**
6110
+ * Service for email OTP authentication operations.
6111
+ *
6112
+ * Provides helpers for sending one-time passcodes used by passwordless
6113
+ * sign-in flows.
6114
+ */
6115
+ declare class EmailOTPService {
6116
+ private client;
6117
+ /**
6118
+ * Creates a new EmailOTPService instance.
6119
+ *
6120
+ * @param client - The API client for making email OTP requests
6121
+ */
6122
+ constructor(client: APIClient);
6123
+ /**
6124
+ * Sends a sign-in verification OTP to an email address.
6125
+ *
6126
+ * @param email - Email address that should receive the OTP
6127
+ * @param options - Request configuration
6128
+ * @returns The underlying email OTP API response
6129
+ */
6130
+ sendVerificationOTP(email: string, options: SendVerificationOTPOptions): Promise<{
6131
+ success: boolean;
6132
+ }>;
6133
+ /**
6134
+ * Completes email OTP sign-in with a one-time passcode.
6135
+ *
6136
+ * @param email - Email address that received the OTP
6137
+ * @param otp - One-time passcode from the sign-in email
6138
+ * @param options - Request configuration
6139
+ * @returns The underlying email OTP sign-in API response
6140
+ */
6141
+ signIn(email: string, otp: string, options: EmailOTPSignInOptions): Promise<Omit<{
6142
+ token: string;
6143
+ user: {
6144
+ id: string;
6145
+ createdAt: Date;
6146
+ updatedAt: Date;
6147
+ email: string;
6148
+ emailVerified: boolean;
6149
+ name: string;
6150
+ image?: string | null | undefined;
6151
+ };
6152
+ }, "user"> & {
6153
+ user: better_auth.StripEmptyObjects<{
6154
+ id: string;
6155
+ createdAt: Date;
6156
+ updatedAt: Date;
6157
+ email: string;
6158
+ emailVerified: boolean;
6159
+ name: string;
6160
+ image?: string | null | undefined;
6161
+ } & {
6162
+ twoFactorEnabled: boolean | null | undefined;
6163
+ } & {} & {
6164
+ banned: boolean | null | undefined;
6165
+ } & {
6166
+ role?: string | null | undefined;
6167
+ banReason?: string | null | undefined;
6168
+ banExpires?: Date | null | undefined;
6169
+ } & {} & {
6170
+ lastActiveAt?: Date | null | undefined;
6171
+ }>;
6172
+ }>;
6173
+ }
6174
+
5458
6175
  /**
5459
6176
  * Error thrown when an invalid social provider is specified.
5460
6177
  */
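Review bot: `sendVerificationOTP` and `signIn` have no `@throws` documentation, although this release adds the `OTP_EXPIRED`, `INVALID_OTP` and `TOO_MANY_ATTEMPTS` codes to the API client. Callers cannot tell from the declaration whether those surface as rejections or how to back off after `TOO_MANY_ATTEMPTS`. The `sendVerificationOTP` comment should also state whether `success` is `true` for addresses with no account, since a differing response would let a caller tell registered from unregistered emails. `signIn` resolves to an object containing `token`, presumably a session token, so its `@returns` line should say the value is a credential and must be kept out of logs and error reports. As a style point, the inlined `Omit<…, "user"> & { user: better_auth.StripEmptyObjects<…> }` return type would read better as a named exported alias.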
@@ -5480,7 +6197,7 @@ declare class EmailRequired extends BaseError {
5480
6197
  /**
5481
6198
  * Main authentication client for interacting with the Auth API.
5482
6199
  *
5483
- * Provides access to session management and organization management services.
6200
+ * Provides access to session, organization, application, API key, and email OTP services.
5484
6201
  *
5485
6202
  * @example
5486
6203
  * ```typescript
@@ -5498,6 +6215,11 @@ declare class EmailRequired extends BaseError {
5498
6215
  * ```
5499
6216
  */
5500
6217
  declare class AuthClient {
6218
+ /**
6219
+ * Configured Better Auth client used by the public service wrappers.
6220
+ *
6221
+ * @internal
6222
+ */
5501
6223
  private client;
5502
6224
  /**
5503
6225
  * Session management service for authentication operations
@@ -5515,6 +6237,14 @@ declare class AuthClient {
5515
6237
  * API key management service for API key operations
5516
6238
  */
5517
6239
  apiKey: ApiKeyService;
6240
+ /**
6241
+ * Email OTP service for passwordless sign-in operations
6242
+ */
6243
+ emailOtp: EmailOTPService;
6244
+ /**
6245
+ * Session assurance service for step-up operations
6246
+ */
6247
+ sessionAssurance: SessionAssuranceService;
5518
6248
  /**
5519
6249
  * Creates a new AuthClient instance.
5520
6250
  *
@@ -5524,6 +6254,9 @@ declare class AuthClient {
5524
6254
  constructor(apiUrl: string, fetchOptions?: BetterFetchOption);
5525
6255
  }
5526
6256
 
6257
+ type DecodedJWTPayload = Omit<JWTPayload, 'assurance'> & {
6258
+ assurance?: JWTPayloadAssurance;
6259
+ };
5527
6260
  /**
5528
6261
  * Checks if a JWT token has expired or will expire within a specified time window.
5529
6262
  *
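Review bot: `DecodedJWTPayload` is added without a doc comment, and the last hunk makes it the return type of `extractTokenPayload`. That function appears only to decode, since `validateToken` is declared separately. Now that the payload carries `assurance`, the type should say that the claim may be absent and that decoded values are unverified until the token has been validated. Something like `/** JWT payload as decoded, not verified; assurance may be absent on tokens without the claim. */` would do. Without that, a consumer could gate a sensitive action on `extractTokenPayload(token).assurance` alone.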
@@ -5583,7 +6316,7 @@ declare function validateToken(token: string, apiUrl: string): Promise<boolean>;
5583
6316
  * console.log(payload.exp) // expiration timestamp
5584
6317
  * ```
5585
6318
  */
5586
- declare function extractTokenPayload(token: string): JWTPayload;
6319
+ declare function extractTokenPayload(token: string): DecodedJWTPayload;
5587
6320
 
5588
- export { ApiKeyMetadata, ApplicationError, AuthClient, AuthorizationFlowError, DeviceAccessDeniedError, DeviceAuthorizationPendingError, DeviceAuthorizationSlowDownError, DeviceCodeExpiredError, DeviceTransientServerError, EmailRequired, InvalidCallbackURL, InvalidSocialProvider, JWTPayload, JWTPayloadUser, JWTPayloadWorkspace, RefreshTokenExpiredError, Roles, UserNotLoggedInError, ac, createAPIClient, extractTokenPayload, invitationAdditionalFields, isTokenExpired, memberAdditionalFields, organizationAdditionalFields, rolesAccessControl, userAdditionalFields, validateToken };
5589
- export type { APIClient, ApiKey, ApiKeyWithoutSecret, Application, ApplicationAuthContextResponse, BaseOrganization, CompleteAuthorizationFlowResponse, CreateApiKeyPayload, CreateTeamPayload, DeviceAuthorizationActionResponse, DeviceAuthorizationContextResponse, DeviceAuthorizationResponse, DeviceContextApplication, FullOrganization, Invitation, InviteUserToOrganizationOptions, ListCandidateOrganizationsResponse, ListMembersOptions, Member, ExtendedOrganization as Organization, OrganizationSettings, RemoveUserFromOrganizationOptions, Role, Session, SignInWithEmailAndPasswordOptions, SignInWithSamlOptions, SocialSignInOptions, StartAuthorizationFlowResponse, Strict, Team, TeamMember, UpdateApiKeyPayload, UpdateMemberRoleOptions, UpdateOrganizationPayload, UpdateTeamPayload, User, WhoAmIInclude, WhoAmIOptions, WhoAmIOrganization, WhoAmIResponse };
6321
+ export { AAL, AALBrand, AALs, ACR, ACRBrand, ACRs, AMR, AMRBrand, AMRs, ApiKeyMetadata, ApplicationConfig, ApplicationError, ApplicationSessionAssuranceConfig, ApplicationSessionAssuranceError, AuthClient, AuthMethod, AuthMethodBrand, AuthMethods, AuthorizationFlowError, DEFAULT_APPLICATION_CONFIG, DEFAULT_JWT_ASSURANCE, DEFAULT_SESSION_ASSURANCE_CONFIG, DeviceAccessDeniedError, DeviceAuthorizationPendingError, DeviceAuthorizationSlowDownError, DeviceCodeExpiredError, DeviceTransientServerError, EmailOTPService, EmailRequired, InvalidCallbackURL, InvalidSocialProvider, JWTPayload, JWTPayloadAssurance, JWTPayloadUser, JWTPayloadWorkspace, OAuthBeginStepUpResponse, OAuthCompleteStepUpResponse, OAuthStepUpProvider, RefreshTokenExpiredError, Roles, SENSITIVE_ACTION_ASSURANCE_POLICY, SendOtpResponse, SessionAssurancePolicy, SessionAssuranceRequiredError, SessionAssuranceRequiredPayload, SessionAssuranceResponse, SessionAssuranceService, StepUpOption, UserNotLoggedInError, ac, assuranceFields, canStepUpWithAmr, createAPIClient, extractTokenPayload, getAalRank, invitationAdditionalFields, isAssuranceSufficientForPolicy, isSessionAssuranceSufficient, isTokenExpired, memberAdditionalFields, mergeStepUpAssurance, organizationAdditionalFields, parseSessionAssuranceRequiredPayload, rolesAccessControl, sessionAssurancePluginClient, userAdditionalFields, validateToken };
6322
+ export type { APIClient, ApiKey, ApiKeyWithoutSecret, Application, ApplicationAuthContextResponse, AssuranceFields, BaseOrganization, BeginOAuthStepUpParams, CompleteAuthorizationFlowResponse, CreateApiKeyPayload, CreateTeamPayload, DecodedJWTPayload, DeviceAuthorizationActionResponse, DeviceAuthorizationContextResponse, DeviceAuthorizationResponse, DeviceContextApplication, EmailOTPSignInOptions, FullOrganization, Invitation, InviteUserToOrganizationOptions, JWTPayloadData, ListCandidateOrganizationsResponse, ListMembersOptions, Member, ExtendedOrganization as Organization, OrganizationSettings, RemoveUserFromOrganizationOptions, Role, SendVerificationOTPOptions, Session, SessionAssuranceActions, SignInWithEmailAndPasswordOptions, SignInWithSamlOptions, SocialSignInOptions, StartAuthorizationFlowResponse, Strict, Team, TeamMember, UpdateApiKeyPayload, UpdateMemberRoleOptions, UpdateOrganizationPayload, UpdateTeamPayload, User, WhoAmIInclude, WhoAmIOptions, WhoAmIOrganization, WhoAmIResponse };