@nauth-toolkit/client 0.1.111 → 0.1.114

package/dist/index.d.mts

@@ -44,6 +44,12 @@ interface RemoveMFADeviceResponse {
     removedMethod: MFADeviceMethod;
     mfaDisabled: boolean;
 }
+/**
+ * Response from getting user MFA devices.
+ */
+interface GetMFADevicesResponse {
+    devices: MFADevice[];
+}
 /**
  * MFA setup data returned by providers.
  */
@@ -726,6 +732,8 @@ interface NAuthAdminEndpoints {
     logoutAll: string;
     /** GET /users/:sub/mfa/status - Get MFA status */
     getMfaStatus: string;
+    /** GET /users/:sub/mfa/devices - Get MFA devices */
+    getMfaDevices: string;
     /** DELETE /mfa/devices/:deviceId - Remove a single MFA device by id */
     removeMfaDeviceById: string;
     /** POST /users/:sub/mfa/devices/:deviceId/preferred - Set preferred MFA device */
@@ -2524,21 +2532,22 @@ declare class AdminOperations {
      */
     getMfaStatus(sub: string): Promise<MFAStatus>;
     /**
-     * Set preferred MFA method for a user
+     * Get MFA devices for a user
      *
-     * @param sub - User UUID
-     * Remove MFA devices for a user
+     * Returns all active MFA devices for a user including device id, name, type, and isPreferred status.
      *
      * @param sub - User UUID
-     * @param method - MFA method to remove
-     * @returns Success message
+     * @returns Response containing array of MFA devices
      * @throws {NAuthClientError} If operation fails
      *
      * @example
      * ```typescript
-     * await client.admin.removeMfaDevices('user-uuid', 'sms');
+     * const result = await client.admin.getMfaDevices('user-uuid');
+     * console.log('Devices:', result.devices);
+     * // [{ id: 1, name: 'My Authenticator', type: 'totp', isPreferred: true, ... }]
      * ```
      */
+    getMfaDevices(sub: string): Promise<GetMFADevicesResponse>;
     /**
      * Remove a single MFA device by device ID (admin).
      *
@@ -2970,14 +2979,96 @@ declare class NAuthClient {
     getMfaStatus(): Promise<MFAStatus>;
     /**
      * Get MFA devices.
+     *
+     * @returns Promise of MFA devices response
+     *
+     * @example
+     * ```typescript
+     * const result = await client.getMfaDevices();
+     * console.log('Devices:', result.devices);
+     * ```
      */
-    getMfaDevices(): Promise<unknown[]>;
+    getMfaDevices(): Promise<GetMFADevicesResponse>;
     /**
      * Setup MFA device (authenticated user).
+     *
+     * Returns method-specific setup information:
+     * - TOTP: { secret, qrCode, manualEntryKey }
+     * - SMS: { maskedPhone } or { deviceId, autoCompleted: true }
+     * - Email: { maskedEmail } or { deviceId, autoCompleted: true }
+     * - Passkey: WebAuthn registration options
+     *
+     * @param method - MFA method to set up
+     * @returns Promise of setup data response
+     *
+     * @example
+     * ```typescript
+     * const result = await client.setupMfaDevice('totp');
+     * console.log('QR Code:', result.setupData.qrCode);
+     * ```
      */
-    setupMfaDevice(method: string): Promise<unknown>;
+    setupMfaDevice(method: string): Promise<GetSetupDataResponse>;
     /**
      * Verify MFA setup (authenticated user).
+     *
+     * Completes MFA device setup by verifying the setup data. The structure of `setupData` varies by method:
+     *
+     * **TOTP:**
+     * - Requires both `secret` (from `getSetupData()` response) and `code` (from authenticator app)
+     * - Example: `{ secret: 'JBSWY3DPEHPK3PXP', code: '123456' }`
+     *
+     * **SMS:**
+     * - Requires `phoneNumber` and `code` (verification code sent to phone)
+     * - Example: `{ phoneNumber: '+1234567890', code: '123456' }`
+     *
+     * **Email:**
+     * - Requires `code` (verification code sent to email)
+     * - Example: `{ code: '123456' }`
+     *
+     * **Passkey:**
+     * - Requires `credential` (WebAuthn credential from registration) and `expectedChallenge`
+     * - Example: `{ credential: {...}, expectedChallenge: '...' }`
+     *
+     * @param method - MFA method ('totp', 'sms', 'email', 'passkey')
+     * @param setupData - Method-specific setup verification data
+     * @param deviceName - Optional device name (can also be included in setupData for some methods)
+     * @returns Promise with device ID of the created MFA device
+     *
+     * @example TOTP Setup
+     * ```typescript
+     * // Step 1: Get setup data
+     * const setupData = await client.setupMfaDevice('totp');
+     * // Returns: { setupData: { secret: 'JBSWY3DPEHPK3PXP', qrCode: '...', ... } }
+     *
+     * // Step 2: User scans QR code and enters code from authenticator app
+     * const code = '123456'; // From authenticator app
+     *
+     * // Step 3: Verify setup (requires both secret and code)
+     * const result = await client.verifyMfaSetup('totp', {
+     *   secret: setupData.setupData.secret,
+     *   code: code,
+     * }, 'Google Authenticator');
+     * // Returns: { deviceId: 123 }
+     * ```
+     *
+     * @example SMS Setup
+     * ```typescript
+     * const result = await client.verifyMfaSetup('sms', {
+     *   phoneNumber: '+1234567890', // Phone number receiving the code
+     *   code: '123456', // Code sent to phone
+     * }, 'My iPhone');
+     * ```
+     *
+     * @example Passkey Setup
+     * ```typescript
+     * const credential = await navigator.credentials.create({
+     *   publicKey: setupData.setupData.options
+     * });
+     * const result = await client.verifyMfaSetup('passkey', {
+     *   credential: credential,
+     *   expectedChallenge: setupData.setupData.challenge,
+     * }, 'MacBook Pro');
+     * ```
      */
     verifyMfaSetup(method: string, setupData: Record<string, unknown>, deviceName?: string): Promise<{
         deviceId: number;
@@ -2985,7 +3076,7 @@ declare class NAuthClient {
     /**
      * Remove ALL MFA devices for a specific method type.
      *
-     * ⚠️ **Warning**: This removes ALL devices of the specified method.
+     * WARNING: This removes ALL devices of the specified method.
      * For example, if you have 3 TOTP devices, this will remove all 3.
      *
      * **Prefer `removeMfaDeviceById()`** to remove individual devices.
@@ -3461,4 +3552,4 @@ declare class FetchAdapter implements HttpAdapter {
     request<T>(config: HttpRequest): Promise<HttpResponse<T>>;
 }
 
-export { type AdminAuditHistoryRequest, AdminOperations, type AdminResetPasswordRequest, type AdminResetPasswordResponse, type AdminSignupRequest, type AdminSignupResponse, type AdminSignupSocialRequest, type AdminSignupSocialResponse, type AuditHistoryResponse, type AuthAuditEvent, type AuthAuditEventStatus, AuthAuditEventType, AuthChallenge, type AuthChallengeEvent, type AuthErrorEvent, type AuthEvent, type AuthEventListener, type AuthEventType, type AuthLoginEvent, type AuthLogoutEvent, type AuthRefreshEvent, type AuthResponse, type AuthResponseContext, type AuthSessionExpiredEvent, type AuthSignupEvent, type AuthSuccessEvent, type AuthUser, type AuthUserSummary, type BackupCodesResponse, type BaseChallengeResponse, BrowserStorage, type ChallengeResponse, ChallengeRouter, type ChangePasswordRequest, type ConfirmForgotPasswordRequest, type ConfirmForgotPasswordResponse, type DateFilter, type DeleteUserResponse, type DisableUserResponse, type EnableUserResponse, EventEmitter, FetchAdapter, type ForceChangePasswordResponse, type ForgotPasswordRequest, type ForgotPasswordResponse, type GetChallengeDataRequest, type GetChallengeDataResponse, type GetSetupDataRequest, type GetSetupDataResponse, type GetUserSessionsResponse, type GetUsersRequest, type GetUsersResponse, type HttpAdapter, type HttpRequest, type HttpResponse, InMemoryStorage, type LinkedAccountsResponse, type LoginRequest, type LogoutAllRequest, type LogoutRequest, type MFAChallengeMethod, type MFACodeResponse, type MFADevice, type MFADeviceMethod, type MFAMethod, type MFAPasskeyResponse, type MFASetupData, type MFASetupResponse, type MFAStatus, type MfaRoutesConfig, type NAuthAdminEndpoints, NAuthClient, type NAuthClientConfig, NAuthClientError, type NAuthEndpoints, type NAuthError, NAuthErrorCode, type NAuthRedirectsConfig, type NAuthStorageAdapter, type OAuthCallbackEvent, type OAuthCompletedEvent, type OAuthErrorEvent, type OAuthStartedEvent, type RecaptchaConfig, type RecaptchaVersion, type RemoveMFADeviceResponse, type ResendCodeRequest, type ResetPasswordWithCodeRequest, type ResetPasswordWithCodeResponse, type ResolvedNAuthClientConfig, type SignupRequest, type SocialLoginOptions, type SocialProvider, type SocialVerifyRequest, type TokenDeliveryMode, type TokenResponse, type UpdateProfileRequest, type UserSessionInfo, type VerifyEmailResponse, type VerifyPhoneCodeResponse, type VerifyPhoneCollectResponse, defaultAdminEndpoints, defaultEndpoints, getChallengeInstructions, getMFAMethod, getMaskedDestination, isOTPChallenge, requiresPhoneCollection, resolveConfig };
+export { type AdminAuditHistoryRequest, AdminOperations, type AdminResetPasswordRequest, type AdminResetPasswordResponse, type AdminSignupRequest, type AdminSignupResponse, type AdminSignupSocialRequest, type AdminSignupSocialResponse, type AuditHistoryResponse, type AuthAuditEvent, type AuthAuditEventStatus, AuthAuditEventType, AuthChallenge, type AuthChallengeEvent, type AuthErrorEvent, type AuthEvent, type AuthEventListener, type AuthEventType, type AuthLoginEvent, type AuthLogoutEvent, type AuthRefreshEvent, type AuthResponse, type AuthResponseContext, type AuthSessionExpiredEvent, type AuthSignupEvent, type AuthSuccessEvent, type AuthUser, type AuthUserSummary, type BackupCodesResponse, type BaseChallengeResponse, BrowserStorage, type ChallengeResponse, ChallengeRouter, type ChangePasswordRequest, type ConfirmForgotPasswordRequest, type ConfirmForgotPasswordResponse, type DateFilter, type DeleteUserResponse, type DisableUserResponse, type EnableUserResponse, EventEmitter, FetchAdapter, type ForceChangePasswordResponse, type ForgotPasswordRequest, type ForgotPasswordResponse, type GetChallengeDataRequest, type GetChallengeDataResponse, type GetMFADevicesResponse, type GetSetupDataRequest, type GetSetupDataResponse, type GetUserSessionsResponse, type GetUsersRequest, type GetUsersResponse, type HttpAdapter, type HttpRequest, type HttpResponse, InMemoryStorage, type LinkedAccountsResponse, type LoginRequest, type LogoutAllRequest, type LogoutRequest, type MFAChallengeMethod, type MFACodeResponse, type MFADevice, type MFADeviceMethod, type MFAMethod, type MFAPasskeyResponse, type MFASetupData, type MFASetupResponse, type MFAStatus, type MfaRoutesConfig, type NAuthAdminEndpoints, NAuthClient, type NAuthClientConfig, NAuthClientError, type NAuthEndpoints, type NAuthError, NAuthErrorCode, type NAuthRedirectsConfig, type NAuthStorageAdapter, type OAuthCallbackEvent, type OAuthCompletedEvent, type OAuthErrorEvent, type OAuthStartedEvent, type RecaptchaConfig, type RecaptchaVersion, type RemoveMFADeviceResponse, type ResendCodeRequest, type ResetPasswordWithCodeRequest, type ResetPasswordWithCodeResponse, type ResolvedNAuthClientConfig, type SignupRequest, type SocialLoginOptions, type SocialProvider, type SocialVerifyRequest, type TokenDeliveryMode, type TokenResponse, type UpdateProfileRequest, type UserSessionInfo, type VerifyEmailResponse, type VerifyPhoneCodeResponse, type VerifyPhoneCollectResponse, defaultAdminEndpoints, defaultEndpoints, getChallengeInstructions, getMFAMethod, getMaskedDestination, isOTPChallenge, requiresPhoneCollection, resolveConfig };

package/dist/index.d.ts

@@ -44,6 +44,12 @@ interface RemoveMFADeviceResponse {
     removedMethod: MFADeviceMethod;
     mfaDisabled: boolean;
 }
+/**
+ * Response from getting user MFA devices.
+ */
+interface GetMFADevicesResponse {
+    devices: MFADevice[];
+}
 /**
  * MFA setup data returned by providers.
  */
@@ -726,6 +732,8 @@ interface NAuthAdminEndpoints {
     logoutAll: string;
     /** GET /users/:sub/mfa/status - Get MFA status */
     getMfaStatus: string;
+    /** GET /users/:sub/mfa/devices - Get MFA devices */
+    getMfaDevices: string;
     /** DELETE /mfa/devices/:deviceId - Remove a single MFA device by id */
     removeMfaDeviceById: string;
     /** POST /users/:sub/mfa/devices/:deviceId/preferred - Set preferred MFA device */
@@ -2524,21 +2532,22 @@ declare class AdminOperations {
      */
     getMfaStatus(sub: string): Promise<MFAStatus>;
     /**
-     * Set preferred MFA method for a user
+     * Get MFA devices for a user
      *
-     * @param sub - User UUID
-     * Remove MFA devices for a user
+     * Returns all active MFA devices for a user including device id, name, type, and isPreferred status.
      *
      * @param sub - User UUID
-     * @param method - MFA method to remove
-     * @returns Success message
+     * @returns Response containing array of MFA devices
      * @throws {NAuthClientError} If operation fails
      *
      * @example
      * ```typescript
-     * await client.admin.removeMfaDevices('user-uuid', 'sms');
+     * const result = await client.admin.getMfaDevices('user-uuid');
+     * console.log('Devices:', result.devices);
+     * // [{ id: 1, name: 'My Authenticator', type: 'totp', isPreferred: true, ... }]
      * ```
      */
+    getMfaDevices(sub: string): Promise<GetMFADevicesResponse>;
     /**
      * Remove a single MFA device by device ID (admin).
      *
@@ -2970,14 +2979,96 @@ declare class NAuthClient {
     getMfaStatus(): Promise<MFAStatus>;
     /**
      * Get MFA devices.
+     *
+     * @returns Promise of MFA devices response
+     *
+     * @example
+     * ```typescript
+     * const result = await client.getMfaDevices();
+     * console.log('Devices:', result.devices);
+     * ```
      */
-    getMfaDevices(): Promise<unknown[]>;
+    getMfaDevices(): Promise<GetMFADevicesResponse>;
     /**
      * Setup MFA device (authenticated user).
+     *
+     * Returns method-specific setup information:
+     * - TOTP: { secret, qrCode, manualEntryKey }
+     * - SMS: { maskedPhone } or { deviceId, autoCompleted: true }
+     * - Email: { maskedEmail } or { deviceId, autoCompleted: true }
+     * - Passkey: WebAuthn registration options
+     *
+     * @param method - MFA method to set up
+     * @returns Promise of setup data response
+     *
+     * @example
+     * ```typescript
+     * const result = await client.setupMfaDevice('totp');
+     * console.log('QR Code:', result.setupData.qrCode);
+     * ```
      */
-    setupMfaDevice(method: string): Promise<unknown>;
+    setupMfaDevice(method: string): Promise<GetSetupDataResponse>;
     /**
      * Verify MFA setup (authenticated user).
+     *
+     * Completes MFA device setup by verifying the setup data. The structure of `setupData` varies by method:
+     *
+     * **TOTP:**
+     * - Requires both `secret` (from `getSetupData()` response) and `code` (from authenticator app)
+     * - Example: `{ secret: 'JBSWY3DPEHPK3PXP', code: '123456' }`
+     *
+     * **SMS:**
+     * - Requires `phoneNumber` and `code` (verification code sent to phone)
+     * - Example: `{ phoneNumber: '+1234567890', code: '123456' }`
+     *
+     * **Email:**
+     * - Requires `code` (verification code sent to email)
+     * - Example: `{ code: '123456' }`
+     *
+     * **Passkey:**
+     * - Requires `credential` (WebAuthn credential from registration) and `expectedChallenge`
+     * - Example: `{ credential: {...}, expectedChallenge: '...' }`
+     *
+     * @param method - MFA method ('totp', 'sms', 'email', 'passkey')
+     * @param setupData - Method-specific setup verification data
+     * @param deviceName - Optional device name (can also be included in setupData for some methods)
+     * @returns Promise with device ID of the created MFA device
+     *
+     * @example TOTP Setup
+     * ```typescript
+     * // Step 1: Get setup data
+     * const setupData = await client.setupMfaDevice('totp');
+     * // Returns: { setupData: { secret: 'JBSWY3DPEHPK3PXP', qrCode: '...', ... } }
+     *
+     * // Step 2: User scans QR code and enters code from authenticator app
+     * const code = '123456'; // From authenticator app
+     *
+     * // Step 3: Verify setup (requires both secret and code)
+     * const result = await client.verifyMfaSetup('totp', {
+     *   secret: setupData.setupData.secret,
+     *   code: code,
+     * }, 'Google Authenticator');
+     * // Returns: { deviceId: 123 }
+     * ```
+     *
+     * @example SMS Setup
+     * ```typescript
+     * const result = await client.verifyMfaSetup('sms', {
+     *   phoneNumber: '+1234567890', // Phone number receiving the code
+     *   code: '123456', // Code sent to phone
+     * }, 'My iPhone');
+     * ```
+     *
+     * @example Passkey Setup
+     * ```typescript
+     * const credential = await navigator.credentials.create({
+     *   publicKey: setupData.setupData.options
+     * });
+     * const result = await client.verifyMfaSetup('passkey', {
+     *   credential: credential,
+     *   expectedChallenge: setupData.setupData.challenge,
+     * }, 'MacBook Pro');
+     * ```
      */
     verifyMfaSetup(method: string, setupData: Record<string, unknown>, deviceName?: string): Promise<{
         deviceId: number;
@@ -2985,7 +3076,7 @@ declare class NAuthClient {
     /**
      * Remove ALL MFA devices for a specific method type.
      *
-     * ⚠️ **Warning**: This removes ALL devices of the specified method.
+     * WARNING: This removes ALL devices of the specified method.
      * For example, if you have 3 TOTP devices, this will remove all 3.
      *
      * **Prefer `removeMfaDeviceById()`** to remove individual devices.
@@ -3461,4 +3552,4 @@ declare class FetchAdapter implements HttpAdapter {
     request<T>(config: HttpRequest): Promise<HttpResponse<T>>;
 }
 
-export { type AdminAuditHistoryRequest, AdminOperations, type AdminResetPasswordRequest, type AdminResetPasswordResponse, type AdminSignupRequest, type AdminSignupResponse, type AdminSignupSocialRequest, type AdminSignupSocialResponse, type AuditHistoryResponse, type AuthAuditEvent, type AuthAuditEventStatus, AuthAuditEventType, AuthChallenge, type AuthChallengeEvent, type AuthErrorEvent, type AuthEvent, type AuthEventListener, type AuthEventType, type AuthLoginEvent, type AuthLogoutEvent, type AuthRefreshEvent, type AuthResponse, type AuthResponseContext, type AuthSessionExpiredEvent, type AuthSignupEvent, type AuthSuccessEvent, type AuthUser, type AuthUserSummary, type BackupCodesResponse, type BaseChallengeResponse, BrowserStorage, type ChallengeResponse, ChallengeRouter, type ChangePasswordRequest, type ConfirmForgotPasswordRequest, type ConfirmForgotPasswordResponse, type DateFilter, type DeleteUserResponse, type DisableUserResponse, type EnableUserResponse, EventEmitter, FetchAdapter, type ForceChangePasswordResponse, type ForgotPasswordRequest, type ForgotPasswordResponse, type GetChallengeDataRequest, type GetChallengeDataResponse, type GetSetupDataRequest, type GetSetupDataResponse, type GetUserSessionsResponse, type GetUsersRequest, type GetUsersResponse, type HttpAdapter, type HttpRequest, type HttpResponse, InMemoryStorage, type LinkedAccountsResponse, type LoginRequest, type LogoutAllRequest, type LogoutRequest, type MFAChallengeMethod, type MFACodeResponse, type MFADevice, type MFADeviceMethod, type MFAMethod, type MFAPasskeyResponse, type MFASetupData, type MFASetupResponse, type MFAStatus, type MfaRoutesConfig, type NAuthAdminEndpoints, NAuthClient, type NAuthClientConfig, NAuthClientError, type NAuthEndpoints, type NAuthError, NAuthErrorCode, type NAuthRedirectsConfig, type NAuthStorageAdapter, type OAuthCallbackEvent, type OAuthCompletedEvent, type OAuthErrorEvent, type OAuthStartedEvent, type RecaptchaConfig, type RecaptchaVersion, type RemoveMFADeviceResponse, type ResendCodeRequest, type ResetPasswordWithCodeRequest, type ResetPasswordWithCodeResponse, type ResolvedNAuthClientConfig, type SignupRequest, type SocialLoginOptions, type SocialProvider, type SocialVerifyRequest, type TokenDeliveryMode, type TokenResponse, type UpdateProfileRequest, type UserSessionInfo, type VerifyEmailResponse, type VerifyPhoneCodeResponse, type VerifyPhoneCollectResponse, defaultAdminEndpoints, defaultEndpoints, getChallengeInstructions, getMFAMethod, getMaskedDestination, isOTPChallenge, requiresPhoneCollection, resolveConfig };
+export { type AdminAuditHistoryRequest, AdminOperations, type AdminResetPasswordRequest, type AdminResetPasswordResponse, type AdminSignupRequest, type AdminSignupResponse, type AdminSignupSocialRequest, type AdminSignupSocialResponse, type AuditHistoryResponse, type AuthAuditEvent, type AuthAuditEventStatus, AuthAuditEventType, AuthChallenge, type AuthChallengeEvent, type AuthErrorEvent, type AuthEvent, type AuthEventListener, type AuthEventType, type AuthLoginEvent, type AuthLogoutEvent, type AuthRefreshEvent, type AuthResponse, type AuthResponseContext, type AuthSessionExpiredEvent, type AuthSignupEvent, type AuthSuccessEvent, type AuthUser, type AuthUserSummary, type BackupCodesResponse, type BaseChallengeResponse, BrowserStorage, type ChallengeResponse, ChallengeRouter, type ChangePasswordRequest, type ConfirmForgotPasswordRequest, type ConfirmForgotPasswordResponse, type DateFilter, type DeleteUserResponse, type DisableUserResponse, type EnableUserResponse, EventEmitter, FetchAdapter, type ForceChangePasswordResponse, type ForgotPasswordRequest, type ForgotPasswordResponse, type GetChallengeDataRequest, type GetChallengeDataResponse, type GetMFADevicesResponse, type GetSetupDataRequest, type GetSetupDataResponse, type GetUserSessionsResponse, type GetUsersRequest, type GetUsersResponse, type HttpAdapter, type HttpRequest, type HttpResponse, InMemoryStorage, type LinkedAccountsResponse, type LoginRequest, type LogoutAllRequest, type LogoutRequest, type MFAChallengeMethod, type MFACodeResponse, type MFADevice, type MFADeviceMethod, type MFAMethod, type MFAPasskeyResponse, type MFASetupData, type MFASetupResponse, type MFAStatus, type MfaRoutesConfig, type NAuthAdminEndpoints, NAuthClient, type NAuthClientConfig, NAuthClientError, type NAuthEndpoints, type NAuthError, NAuthErrorCode, type NAuthRedirectsConfig, type NAuthStorageAdapter, type OAuthCallbackEvent, type OAuthCompletedEvent, type OAuthErrorEvent, type OAuthStartedEvent, type RecaptchaConfig, type RecaptchaVersion, type RemoveMFADeviceResponse, type ResendCodeRequest, type ResetPasswordWithCodeRequest, type ResetPasswordWithCodeResponse, type ResolvedNAuthClientConfig, type SignupRequest, type SocialLoginOptions, type SocialProvider, type SocialVerifyRequest, type TokenDeliveryMode, type TokenResponse, type UpdateProfileRequest, type UserSessionInfo, type VerifyEmailResponse, type VerifyPhoneCodeResponse, type VerifyPhoneCollectResponse, defaultAdminEndpoints, defaultEndpoints, getChallengeInstructions, getMFAMethod, getMaskedDestination, isOTPChallenge, requiresPhoneCollection, resolveConfig };

package/dist/index.mjs

@@ -149,6 +149,7 @@ var defaultAdminEndpoints = {
   getUserSessions: "/users/:sub/sessions",
   logoutAll: "/users/:sub/logout-all",
   getMfaStatus: "/users/:sub/mfa/status",
+  getMfaDevices: "/users/:sub/mfa/devices",
   removeMfaDeviceById: "/mfa/devices/:deviceId",
   setPreferredMfaDevice: "/users/:sub/mfa/devices/:deviceId/preferred",
   setMfaExemption: "/mfa/exemption",
@@ -1109,21 +1110,25 @@ var AdminOperations = class {
     return this.get(path);
   }
   /**
-   * Set preferred MFA method for a user
+   * Get MFA devices for a user
    *
-   * @param sub - User UUID
-   * Remove MFA devices for a user
+   * Returns all active MFA devices for a user including device id, name, type, and isPreferred status.
    *
    * @param sub - User UUID
-   * @param method - MFA method to remove
-   * @returns Success message
+   * @returns Response containing array of MFA devices
    * @throws {NAuthClientError} If operation fails
    *
    * @example
    * ```typescript
-   * await client.admin.removeMfaDevices('user-uuid', 'sms');
+   * const result = await client.admin.getMfaDevices('user-uuid');
+   * console.log('Devices:', result.devices);
+   * // [{ id: 1, name: 'My Authenticator', type: 'totp', isPreferred: true, ... }]
    * ```
    */
+  async getMfaDevices(sub) {
+    const path = this.buildAdminUrl(this.adminEndpoints.getMfaDevices, { sub });
+    return this.get(path);
+  }
   /**
    * Remove a single MFA device by device ID (admin).
    *
@@ -1728,7 +1733,8 @@ var NAuthClient = class {
    */
   async respondToChallenge(response) {
     if (this.selectedDeviceId !== void 0 && response.type === "MFA_REQUIRED" /* MFA_REQUIRED */ && (response.method === "totp" || response.method === "passkey")) {
-      response.deviceId = this.selectedDeviceId;
+      const mfaResponse = response;
+      mfaResponse.deviceId = this.selectedDeviceId;
     }
     if (response.type === "MFA_SETUP_REQUIRED" /* MFA_SETUP_REQUIRED */ && response.method === "totp") {
       const setupData = response.setupData;
@@ -1966,18 +1972,100 @@ var NAuthClient = class {
   }
   /**
    * Get MFA devices.
+   *
+   * @returns Promise of MFA devices response
+   *
+   * @example
+   * ```typescript
+   * const result = await client.getMfaDevices();
+   * console.log('Devices:', result.devices);
+   * ```
    */
   async getMfaDevices() {
     return this.get(this.config.endpoints.mfaDevices, true);
   }
   /**
    * Setup MFA device (authenticated user).
+   *
+   * Returns method-specific setup information:
+   * - TOTP: { secret, qrCode, manualEntryKey }
+   * - SMS: { maskedPhone } or { deviceId, autoCompleted: true }
+   * - Email: { maskedEmail } or { deviceId, autoCompleted: true }
+   * - Passkey: WebAuthn registration options
+   *
+   * @param method - MFA method to set up
+   * @returns Promise of setup data response
+   *
+   * @example
+   * ```typescript
+   * const result = await client.setupMfaDevice('totp');
+   * console.log('QR Code:', result.setupData.qrCode);
+   * ```
    */
   async setupMfaDevice(method) {
     return this.post(this.config.endpoints.mfaSetupData, { methodName: method }, true);
   }
   /**
    * Verify MFA setup (authenticated user).
+   *
+   * Completes MFA device setup by verifying the setup data. The structure of `setupData` varies by method:
+   *
+   * **TOTP:**
+   * - Requires both `secret` (from `getSetupData()` response) and `code` (from authenticator app)
+   * - Example: `{ secret: 'JBSWY3DPEHPK3PXP', code: '123456' }`
+   *
+   * **SMS:**
+   * - Requires `phoneNumber` and `code` (verification code sent to phone)
+   * - Example: `{ phoneNumber: '+1234567890', code: '123456' }`
+   *
+   * **Email:**
+   * - Requires `code` (verification code sent to email)
+   * - Example: `{ code: '123456' }`
+   *
+   * **Passkey:**
+   * - Requires `credential` (WebAuthn credential from registration) and `expectedChallenge`
+   * - Example: `{ credential: {...}, expectedChallenge: '...' }`
+   *
+   * @param method - MFA method ('totp', 'sms', 'email', 'passkey')
+   * @param setupData - Method-specific setup verification data
+   * @param deviceName - Optional device name (can also be included in setupData for some methods)
+   * @returns Promise with device ID of the created MFA device
+   *
+   * @example TOTP Setup
+   * ```typescript
+   * // Step 1: Get setup data
+   * const setupData = await client.setupMfaDevice('totp');
+   * // Returns: { setupData: { secret: 'JBSWY3DPEHPK3PXP', qrCode: '...', ... } }
+   *
+   * // Step 2: User scans QR code and enters code from authenticator app
+   * const code = '123456'; // From authenticator app
+   *
+   * // Step 3: Verify setup (requires both secret and code)
+   * const result = await client.verifyMfaSetup('totp', {
+   *   secret: setupData.setupData.secret,
+   *   code: code,
+   * }, 'Google Authenticator');
+   * // Returns: { deviceId: 123 }
+   * ```
+   *
+   * @example SMS Setup
+   * ```typescript
+   * const result = await client.verifyMfaSetup('sms', {
+   *   phoneNumber: '+1234567890', // Phone number receiving the code
+   *   code: '123456', // Code sent to phone
+   * }, 'My iPhone');
+   * ```
+   *
+   * @example Passkey Setup
+   * ```typescript
+   * const credential = await navigator.credentials.create({
+   *   publicKey: setupData.setupData.options
+   * });
+   * const result = await client.verifyMfaSetup('passkey', {
+   *   credential: credential,
+   *   expectedChallenge: setupData.setupData.challenge,
+   * }, 'MacBook Pro');
+   * ```
    */
   async verifyMfaSetup(method, setupData, deviceName) {
     return this.post(
@@ -1991,7 +2079,7 @@ var NAuthClient = class {
   /**
    * Remove ALL MFA devices for a specific method type.
    *
-   * ⚠️ **Warning**: This removes ALL devices of the specified method.
+   * WARNING: This removes ALL devices of the specified method.
    * For example, if you have 3 TOTP devices, this will remove all 3.
    *
    * **Prefer `removeMfaDeviceById()`** to remove individual devices.