@nhost/nhost-js 4.4.0 → 4.6.0

package/dist/src/auth/client.d.ts

@@ -840,7 +840,11 @@ export interface SignInPATRequest {
  @property email (`string`) - A valid email
     *    Example - `"john.smith@nhost.io"`
     *    Format - email
- @property options? (`SignUpOptions`) - */
+ @property options? (`SignUpOptions`) -
+ @property codeChallenge? (`string`) - PKCE code challenge (S256). When provided, the verification redirect will contain an authorization code instead of a refresh token.
+    *    Pattern - ^[A-Za-z0-9_-]{43}$
+    *    MinLength - 43
+    *    MaxLength - 43*/
 export interface SignInPasswordlessEmailRequest {
     /**
      * A valid email
@@ -852,6 +856,13 @@ export interface SignInPasswordlessEmailRequest {
      *
      */
     options?: SignUpOptions;
+    /**
+     * PKCE code challenge (S256). When provided, the verification redirect will contain an authorization code instead of a refresh token.
+     *    Pattern - ^[A-Za-z0-9_-]{43}$
+     *    MinLength - 43
+     *    MaxLength - 43
+     */
+    codeChallenge?: string;
 }
 /**
  *
@@ -953,7 +964,11 @@ export interface SignOutRequest {
     *    Example - `"Str0ngPassw#ord-94|%"`
     *    MinLength - 3
     *    MaxLength - 50
- @property options? (`SignUpOptions`) - */
+ @property options? (`SignUpOptions`) -
+ @property codeChallenge? (`string`) - PKCE code challenge (S256). When provided and email verification is required, the verification redirect will contain an authorization code instead of a refresh token.
+    *    Pattern - ^[A-Za-z0-9_-]{43}$
+    *    MinLength - 43
+    *    MaxLength - 43*/
 export interface SignUpEmailPasswordRequest {
     /**
      * Email address for the new user account
@@ -972,6 +987,13 @@ export interface SignUpEmailPasswordRequest {
      *
      */
     options?: SignUpOptions;
+    /**
+     * PKCE code challenge (S256). When provided and email verification is required, the verification redirect will contain an authorization code instead of a refresh token.
+     *    Pattern - ^[A-Za-z0-9_-]{43}$
+     *    MinLength - 43
+     *    MaxLength - 43
+     */
+    codeChallenge?: string;
 }
 /**
  *
@@ -1051,7 +1073,11 @@ export interface SignUpWebauthnRequest {
  *
  @property credential (`CredentialCreationResponse`) -
  @property options? (`SignUpOptions`) -
- @property nickname? (`string`) - Nickname for the security key*/
+ @property nickname? (`string`) - Nickname for the security key
+ @property codeChallenge? (`string`) - PKCE code challenge (S256). When provided and email verification is required, the verification redirect will contain an authorization code instead of a refresh token.
+    *    Pattern - ^[A-Za-z0-9_-]{43}$
+    *    MinLength - 43
+    *    MaxLength - 43*/
 export interface SignUpWebauthnVerifyRequest {
     /**
      *
@@ -1065,6 +1091,31 @@ export interface SignUpWebauthnVerifyRequest {
      * Nickname for the security key
      */
     nickname?: string;
+    /**
+     * PKCE code challenge (S256). When provided and email verification is required, the verification redirect will contain an authorization code instead of a refresh token.
+     *    Pattern - ^[A-Za-z0-9_-]{43}$
+     *    MinLength - 43
+     *    MaxLength - 43
+     */
+    codeChallenge?: string;
+}
+/**
+ * Request to exchange an authorization code for a session using PKCE
+ @property code (`string`) - The authorization code received from the redirect
+ @property codeVerifier (`string`) - The original PKCE code verifier (43-128 characters)
+    *    MinLength - 43
+    *    MaxLength - 128*/
+export interface TokenExchangeRequest {
+    /**
+     * The authorization code received from the redirect
+     */
+    code: string;
+    /**
+     * The original PKCE code verifier (43-128 characters)
+     *    MinLength - 43
+     *    MaxLength - 128
+     */
+    codeVerifier: string;
 }
 /**
  * Response containing TOTP setup information for MFA
@@ -1213,7 +1264,11 @@ export type UserDeanonymizeRequestSignInMethod = 'email-password' | 'passwordles
     *    MinLength - 3
     *    MaxLength - 50
  @property connection? (`string`) - Deprecated, will be ignored
- @property options? (`SignUpOptions`) - */
+ @property options? (`SignUpOptions`) -
+ @property codeChallenge? (`string`) - PKCE code challenge (S256). When provided, the verification redirect will contain an authorization code instead of a refresh token.
+    *    Pattern - ^[A-Za-z0-9_-]{43}$
+    *    MinLength - 43
+    *    MaxLength - 43*/
 export interface UserDeanonymizeRequest {
     /**
      * Which sign-in method to use
@@ -1240,13 +1295,24 @@ export interface UserDeanonymizeRequest {
      *
      */
     options?: SignUpOptions;
+    /**
+     * PKCE code challenge (S256). When provided, the verification redirect will contain an authorization code instead of a refresh token.
+     *    Pattern - ^[A-Za-z0-9_-]{43}$
+     *    MinLength - 43
+     *    MaxLength - 43
+     */
+    codeChallenge?: string;
 }
 /**
  *
  @property newEmail (`string`) - A valid email
     *    Example - `"john.smith@nhost.io"`
     *    Format - email
- @property options? (`OptionsRedirectTo`) - */
+ @property options? (`OptionsRedirectTo`) -
+ @property codeChallenge? (`string`) - PKCE code challenge (S256). When provided, the verification redirect will contain an authorization code instead of a refresh token.
+    *    Pattern - ^[A-Za-z0-9_-]{43}$
+    *    MinLength - 43
+    *    MaxLength - 43*/
 export interface UserEmailChangeRequest {
     /**
      * A valid email
@@ -1258,13 +1324,24 @@ export interface UserEmailChangeRequest {
      *
      */
     options?: OptionsRedirectTo;
+    /**
+     * PKCE code challenge (S256). When provided, the verification redirect will contain an authorization code instead of a refresh token.
+     *    Pattern - ^[A-Za-z0-9_-]{43}$
+     *    MinLength - 43
+     *    MaxLength - 43
+     */
+    codeChallenge?: string;
 }
 /**
  *
  @property email (`string`) - A valid email
     *    Example - `"john.smith@nhost.io"`
     *    Format - email
- @property options? (`OptionsRedirectTo`) - */
+ @property options? (`OptionsRedirectTo`) -
+ @property codeChallenge? (`string`) - PKCE code challenge (S256). When provided, the verification redirect will contain an authorization code instead of a refresh token.
+    *    Pattern - ^[A-Za-z0-9_-]{43}$
+    *    MinLength - 43
+    *    MaxLength - 43*/
 export interface UserEmailSendVerificationEmailRequest {
     /**
      * A valid email
@@ -1276,6 +1353,13 @@ export interface UserEmailSendVerificationEmailRequest {
      *
      */
     options?: OptionsRedirectTo;
+    /**
+     * PKCE code challenge (S256). When provided, the verification redirect will contain an authorization code instead of a refresh token.
+     *    Pattern - ^[A-Za-z0-9_-]{43}$
+     *    MinLength - 43
+     *    MaxLength - 43
+     */
+    codeChallenge?: string;
 }
 /**
  *
@@ -1345,7 +1429,11 @@ export interface UserPasswordRequest {
  @property email (`string`) - A valid email
     *    Example - `"john.smith@nhost.io"`
     *    Format - email
- @property options? (`OptionsRedirectTo`) - */
+ @property options? (`OptionsRedirectTo`) -
+ @property codeChallenge? (`string`) - PKCE code challenge (S256). When provided, the verification redirect will contain an authorization code instead of a refresh token.
+    *    Pattern - ^[A-Za-z0-9_-]{43}$
+    *    MinLength - 43
+    *    MaxLength - 43*/
 export interface UserPasswordResetRequest {
     /**
      * A valid email
@@ -1357,6 +1445,13 @@ export interface UserPasswordResetRequest {
      *
      */
     options?: OptionsRedirectTo;
+    /**
+     * PKCE code challenge (S256). When provided, the verification redirect will contain an authorization code instead of a refresh token.
+     *    Pattern - ^[A-Za-z0-9_-]{43}$
+     *    MinLength - 43
+     *    MaxLength - 43
+     */
+    codeChallenge?: string;
 }
 /**
  * A requirement for user verification for the operation
@@ -1401,6 +1496,397 @@ export interface VerifyTokenRequest {
      */
     token?: string;
 }
+/**
+ *
+ @property error (`string`) - OAuth2 error code
+ @property error_description? (`string`) - Human-readable error description*/
+export interface OAuth2ErrorResponse {
+    /**
+     * OAuth2 error code
+     */
+    error: string;
+    /**
+     * Human-readable error description
+     */
+    error_description?: string;
+}
+/**
+ *
+ @property issuer (`string`) -
+ @property authorization_endpoint (`string`) -
+ @property token_endpoint (`string`) -
+ @property userinfo_endpoint? (`string`) -
+ @property jwks_uri (`string`) -
+ @property revocation_endpoint? (`string`) -
+ @property introspection_endpoint? (`string`) -
+ @property scopes_supported? (`string[]`) -
+ @property response_types_supported (`string[]`) -
+ @property grant_types_supported? (`string[]`) -
+ @property subject_types_supported? (`string[]`) -
+ @property id_token_signing_alg_values_supported? (`string[]`) -
+ @property token_endpoint_auth_methods_supported? (`string[]`) -
+ @property code_challenge_methods_supported? (`string[]`) -
+ @property claims_supported? (`string[]`) -
+ @property request_parameter_supported? (`boolean`) -
+ @property authorization_response_iss_parameter_supported? (`boolean`) -
+ @property client_id_metadata_document_supported? (`boolean`) - */
+export interface OAuth2DiscoveryResponse {
+    /**
+     *
+     */
+    issuer: string;
+    /**
+     *
+     */
+    authorization_endpoint: string;
+    /**
+     *
+     */
+    token_endpoint: string;
+    /**
+     *
+     */
+    userinfo_endpoint?: string;
+    /**
+     *
+     */
+    jwks_uri: string;
+    /**
+     *
+     */
+    revocation_endpoint?: string;
+    /**
+     *
+     */
+    introspection_endpoint?: string;
+    /**
+     *
+     */
+    scopes_supported?: string[];
+    /**
+     *
+     */
+    response_types_supported: string[];
+    /**
+     *
+     */
+    grant_types_supported?: string[];
+    /**
+     *
+     */
+    subject_types_supported?: string[];
+    /**
+     *
+     */
+    id_token_signing_alg_values_supported?: string[];
+    /**
+     *
+     */
+    token_endpoint_auth_methods_supported?: string[];
+    /**
+     *
+     */
+    code_challenge_methods_supported?: string[];
+    /**
+     *
+     */
+    claims_supported?: string[];
+    /**
+     *
+     */
+    request_parameter_supported?: boolean;
+    /**
+     *
+     */
+    authorization_response_iss_parameter_supported?: boolean;
+    /**
+     *
+     */
+    client_id_metadata_document_supported?: boolean;
+}
+/**
+ *
+ */
+export type OAuth2TokenRequestGrant_type = 'authorization_code' | 'refresh_token';
+/**
+ *
+ @property grant_type (`OAuth2TokenRequestGrant_type`) -
+ @property code? (`string`) -
+ @property redirect_uri? (`string`) -
+ @property client_id? (`string`) -
+ @property client_secret? (`string`) -
+ @property code_verifier? (`string`) -
+ @property refresh_token? (`string`) -
+ @property resource? (`string`) - */
+export interface OAuth2TokenRequest {
+    /**
+     *
+     */
+    grant_type: OAuth2TokenRequestGrant_type;
+    /**
+     *
+     */
+    code?: string;
+    /**
+     *
+     */
+    redirect_uri?: string;
+    /**
+     *
+     */
+    client_id?: string;
+    /**
+     *
+     */
+    client_secret?: string;
+    /**
+     *
+     */
+    code_verifier?: string;
+    /**
+     *
+     */
+    refresh_token?: string;
+    /**
+     *
+     */
+    resource?: string;
+}
+/**
+ *
+ @property access_token (`string`) -
+ @property token_type (`string`) -
+ @property expires_in (`number`) -
+ @property refresh_token? (`string`) -
+ @property id_token? (`string`) -
+ @property scope? (`string`) - */
+export interface OAuth2TokenResponse {
+    /**
+     *
+     */
+    access_token: string;
+    /**
+     *
+     */
+    token_type: string;
+    /**
+     *
+     */
+    expires_in: number;
+    /**
+     *
+     */
+    refresh_token?: string;
+    /**
+     *
+     */
+    id_token?: string;
+    /**
+     *
+     */
+    scope?: string;
+}
+/**
+ *
+ @property sub (`string`) -
+ @property name? (`string`) -
+ @property email? (`string`) -
+ @property email_verified? (`boolean`) -
+ @property picture? (`string`) -
+ @property locale? (`string`) -
+ @property phone_number? (`string`) -
+ @property phone_number_verified? (`boolean`) - */
+export interface OAuth2UserinfoResponse {
+    /**
+     *
+     */
+    sub: string;
+    /**
+     *
+     */
+    name?: string;
+    /**
+     *
+     */
+    email?: string;
+    /**
+     *
+     */
+    email_verified?: boolean;
+    /**
+     *
+     */
+    picture?: string;
+    /**
+     *
+     */
+    locale?: string;
+    /**
+     *
+     */
+    phone_number?: string;
+    /**
+     *
+     */
+    phone_number_verified?: boolean;
+}
+/**
+ *
+ @property keys (`JWK[]`) - */
+export interface OAuth2JWKSResponse {
+    /**
+     *
+     */
+    keys: JWK[];
+}
+/**
+ *
+ */
+export type OAuth2RevokeRequestToken_type_hint = 'access_token' | 'refresh_token';
+/**
+ *
+ @property token (`string`) -
+ @property token_type_hint? (`OAuth2RevokeRequestToken_type_hint`) -
+ @property client_id? (`string`) -
+ @property client_secret? (`string`) - */
+export interface OAuth2RevokeRequest {
+    /**
+     *
+     */
+    token: string;
+    /**
+     *
+     */
+    token_type_hint?: OAuth2RevokeRequestToken_type_hint;
+    /**
+     *
+     */
+    client_id?: string;
+    /**
+     *
+     */
+    client_secret?: string;
+}
+/**
+ *
+ */
+export type OAuth2IntrospectRequestToken_type_hint = 'access_token' | 'refresh_token';
+/**
+ *
+ @property token (`string`) -
+ @property token_type_hint? (`OAuth2IntrospectRequestToken_type_hint`) -
+ @property client_id? (`string`) -
+ @property client_secret? (`string`) - */
+export interface OAuth2IntrospectRequest {
+    /**
+     *
+     */
+    token: string;
+    /**
+     *
+     */
+    token_type_hint?: OAuth2IntrospectRequestToken_type_hint;
+    /**
+     *
+     */
+    client_id?: string;
+    /**
+     *
+     */
+    client_secret?: string;
+}
+/**
+ *
+ @property active (`boolean`) -
+ @property scope? (`string`) -
+ @property client_id? (`string`) -
+ @property sub? (`string`) -
+ @property exp? (`number`) -
+ @property iat? (`number`) -
+ @property iss? (`string`) -
+ @property token_type? (`string`) - */
+export interface OAuth2IntrospectResponse {
+    /**
+     *
+     */
+    active: boolean;
+    /**
+     *
+     */
+    scope?: string;
+    /**
+     *
+     */
+    client_id?: string;
+    /**
+     *
+     */
+    sub?: string;
+    /**
+     *
+     */
+    exp?: number;
+    /**
+     *
+     */
+    iat?: number;
+    /**
+     *
+     */
+    iss?: string;
+    /**
+     *
+     */
+    token_type?: string;
+}
+/**
+ *
+ @property requestId (`string`) -
+    *    Format - uuid
+ @property clientId (`string`) -
+ @property scopes (`string[]`) -
+ @property redirectUri (`string`) - */
+export interface OAuth2LoginResponse {
+    /**
+     *
+     *    Format - uuid
+     */
+    requestId: string;
+    /**
+     *
+     */
+    clientId: string;
+    /**
+     *
+     */
+    scopes: string[];
+    /**
+     *
+     */
+    redirectUri: string;
+}
+/**
+ *
+ @property requestId (`string`) -
+    *    Format - uuid*/
+export interface OAuth2LoginRequest {
+    /**
+     *
+     *    Format - uuid
+     */
+    requestId: string;
+}
+/**
+ *
+ @property redirectUri (`string`) -
+    *    Format - uri*/
+export interface OAuth2LoginCompleteResponse {
+    /**
+     *
+     *    Format - uri
+     */
+    redirectUri: string;
+}
 /**
  * Target URL for the redirect
  */
@@ -1428,6 +1914,64 @@ export interface GetVersionResponse200 {
      */
     version: string;
 }
+/**
+ *
+ */
+export type GetCode_challenge_method = 'S256';
+/**
+ *
+ @property client_id (`string`) -
+ @property redirect_uri (`string`) -
+ @property response_type (`string`) -
+ @property scope? (`string`) -
+ @property state? (`string`) -
+ @property nonce? (`string`) -
+ @property code_challenge? (`string`) -
+ @property code_challenge_method? (`string`) - Only S256 is supported. The plain method is not allowed.
+ @property resource? (`string`) -
+ @property prompt? (`string`) - */
+export interface Oauth2AuthorizePostBody {
+    /**
+     *
+     */
+    client_id: string;
+    /**
+     *
+     */
+    redirect_uri: string;
+    /**
+     *
+     */
+    response_type: string;
+    /**
+     *
+     */
+    scope?: string;
+    /**
+     *
+     */
+    state?: string;
+    /**
+     *
+     */
+    nonce?: string;
+    /**
+     *
+     */
+    code_challenge?: string;
+    /**
+     * Only S256 is supported. The plain method is not allowed.
+     */
+    code_challenge_method?: string;
+    /**
+     *
+     */
+    resource?: string;
+    /**
+     *
+     */
+    prompt?: string;
+}
 /**
  * Parameters for the signInProvider method.
     @property allowedRoles? (string[]) - Array of allowed roles for the user
@@ -1447,6 +1991,8 @@ export interface GetVersionResponse200 {
     @property state? (string) - Opaque state value to be returned by the provider
   
     @property providerSpecificParams? (ProviderSpecificParams) - Additional provider-specific parameters
+  
+    @property codeChallenge? (string) - PKCE code challenge (S256). When provided, the callback redirect will contain an authorization code instead of a refresh token.
   */
 export interface SignInProviderParams {
     /**
@@ -1494,6 +2040,11 @@ export interface SignInProviderParams {
     
      */
     providerSpecificParams?: ProviderSpecificParams;
+    /**
+     * PKCE code challenge (S256). When provided, the callback redirect will contain an authorization code instead of a refresh token.
+    
+     */
+    codeChallenge?: string;
 }
 /**
  * Parameters for the verifyTicket method.
@@ -1505,7 +2056,9 @@ export interface SignInProviderParams {
     *    Type of the ticket
     @property redirectTo (RedirectToQuery) - Target URL for the redirect
   
-    *    Target URL for the redirect*/
+    *    Target URL for the redirect
+    @property codeChallenge? (string) - PKCE code challenge (S256). When present, the redirect will contain an authorization code instead of a refresh token.
+  */
 export interface VerifyTicketParams {
     /**
      * Ticket
@@ -1525,6 +2078,96 @@ export interface VerifyTicketParams {
       *    Target URL for the redirect
      */
     redirectTo: RedirectToQuery;
+    /**
+     * PKCE code challenge (S256). When present, the redirect will contain an authorization code instead of a refresh token.
+    
+     */
+    codeChallenge?: string;
+}
+/**
+ * Parameters for the oauth2Authorize method.
+    @property client_id (string) - The OAuth2 client identifier (RFC 6749 Section 2.2).
+  
+    @property redirect_uri (string) - The URI to redirect the user-agent to after authorization (RFC 6749 Section 3.1.2).
+  
+    @property response_type (string) - The authorization response type. Only 'code' is supported (RFC 6749 Section 3.1.1).
+  
+    @property scope? (string) - Space-delimited list of requested scopes (RFC 6749 Section 3.3).
+  
+    @property state? (string) - Opaque value used to maintain state between the request and callback (RFC 6749 Section 4.1.1).
+  
+    @property nonce? (string) - String value used to associate a client session with an ID token (OpenID Connect Core Section 3.1.2.1).
+  
+    @property code_challenge? (string) - PKCE code challenge derived from the code verifier (RFC 7636 Section 4.2).
+  
+    @property code_challenge_method? (GetCode_challenge_method) - Only S256 is supported. The plain method is not allowed.
+  
+    @property resource? (string) - Resource indicator for the target service (RFC 8707).
+  
+    @property prompt? (string) - Space-delimited list of prompts to present to the user (OpenID Connect Core Section 3.1.2.1).
+  */
+export interface Oauth2AuthorizeParams {
+    /**
+     * The OAuth2 client identifier (RFC 6749 Section 2.2).
+    
+     */
+    client_id: string;
+    /**
+     * The URI to redirect the user-agent to after authorization (RFC 6749 Section 3.1.2).
+    
+     */
+    redirect_uri: string;
+    /**
+     * The authorization response type. Only 'code' is supported (RFC 6749 Section 3.1.1).
+    
+     */
+    response_type: string;
+    /**
+     * Space-delimited list of requested scopes (RFC 6749 Section 3.3).
+    
+     */
+    scope?: string;
+    /**
+     * Opaque value used to maintain state between the request and callback (RFC 6749 Section 4.1.1).
+    
+     */
+    state?: string;
+    /**
+     * String value used to associate a client session with an ID token (OpenID Connect Core Section 3.1.2.1).
+    
+     */
+    nonce?: string;
+    /**
+     * PKCE code challenge derived from the code verifier (RFC 7636 Section 4.2).
+    
+     */
+    code_challenge?: string;
+    /**
+     * Only S256 is supported. The plain method is not allowed.
+    
+     */
+    code_challenge_method?: GetCode_challenge_method;
+    /**
+     * Resource indicator for the target service (RFC 8707).
+    
+     */
+    resource?: string;
+    /**
+     * Space-delimited list of prompts to present to the user (OpenID Connect Core Section 3.1.2.1).
+    
+     */
+    prompt?: string;
+}
+/**
+ * Parameters for the oauth2LoginGet method.
+    @property request_id (string) - The pending authorization request identifier.
+  */
+export interface Oauth2LoginGetParams {
+    /**
+     * The pending authorization request identifier.
+    
+     */
+    request_id: string;
 }
 export interface Client {
     baseURL: string;
@@ -1835,6 +2478,14 @@ export interface Client {
        - 200: VerifyAddSecurityKeyResponse
        */
     verifyAddSecurityKey(body: VerifyAddSecurityKeyRequest, options?: RequestInit): Promise<FetchResponse<VerifyAddSecurityKeyResponse>>;
+    /**
+       Summary: Exchange authorization code for session
+       Exchange an authorization code (obtained via PKCE flow) together with the original code_verifier for a session containing access and refresh tokens.
+  
+       This method may return different T based on the response code:
+       - 200: SessionPayload
+       */
+    tokenExchange(body: TokenExchangeRequest, options?: RequestInit): Promise<FetchResponse<SessionPayload>>;
     /**
        Summary: Verify email and authentication tickets
        Verify tickets created by email verification, magic link authentication, or password reset processes. Redirects the user to the appropriate destination upon successful verification.
@@ -1850,6 +2501,100 @@ export interface Client {
        - 200: GetVersionResponse200
        */
     getVersion(options?: RequestInit): Promise<FetchResponse<GetVersionResponse200>>;
+    /**
+       Summary: OpenID Connect Discovery
+       Returns the OpenID Provider Metadata (RFC 8414)
+  
+       This method may return different T based on the response code:
+       - 200: OAuth2DiscoveryResponse
+       */
+    getOpenIDConfiguration(options?: RequestInit): Promise<FetchResponse<OAuth2DiscoveryResponse>>;
+    /**
+       Summary: OAuth2 Authorization Server Metadata
+       Returns the Authorization Server Metadata (RFC 8414). Same content as OpenID Discovery.
+  
+       This method may return different T based on the response code:
+       - 200: OAuth2DiscoveryResponse
+       */
+    getOAuthAuthorizationServer(options?: RequestInit): Promise<FetchResponse<OAuth2DiscoveryResponse>>;
+    /**
+       Summary: OAuth2 Authorization Endpoint
+       Initiates an OAuth2 authorization code flow. Validates the request and redirects to the login UI for user authentication and consent.
+  
+       As this method is a redirect, it returns a URL string instead of a Promise
+       */
+    oauth2AuthorizeURL(params?: Oauth2AuthorizeParams, options?: RequestInit): string;
+    /**
+       Summary: OAuth2 Authorization Endpoint (POST)
+       Initiates an OAuth2 authorization code flow via POST. Validates the request and redirects to the login UI for user authentication and consent.
+  
+       As this method is a redirect, it returns a URL string instead of a Promise
+       */
+    oauth2AuthorizePostURL(body: Oauth2AuthorizePostBody, options?: RequestInit): string;
+    /**
+       Summary: OAuth2 Token Endpoint
+       Exchange an authorization code for tokens, or refresh an existing token. Supports grant_type authorization_code and refresh_token.
+  
+       This method may return different T based on the response code:
+       - 200: OAuth2TokenResponse
+       */
+    oauth2Token(body: OAuth2TokenRequest, options?: RequestInit): Promise<FetchResponse<OAuth2TokenResponse>>;
+    /**
+       Summary: OpenID Connect UserInfo Endpoint (GET)
+       Returns claims about the authenticated user based on the access token scopes.
+  
+       This method may return different T based on the response code:
+       - 200: OAuth2UserinfoResponse
+       */
+    oauth2UserinfoGet(options?: RequestInit): Promise<FetchResponse<OAuth2UserinfoResponse>>;
+    /**
+       Summary: OpenID Connect UserInfo Endpoint (POST)
+       Returns claims about the authenticated user based on the access token scopes.
+  
+       This method may return different T based on the response code:
+       - 200: OAuth2UserinfoResponse
+       */
+    oauth2UserinfoPost(options?: RequestInit): Promise<FetchResponse<OAuth2UserinfoResponse>>;
+    /**
+       Summary: OAuth2 Provider JWKS Endpoint
+       Returns the JSON Web Key Set containing public keys used for OAuth2/OIDC token signing.
+  
+       This method may return different T based on the response code:
+       - 200: OAuth2JWKSResponse
+       */
+    oauth2Jwks(options?: RequestInit): Promise<FetchResponse<OAuth2JWKSResponse>>;
+    /**
+       Summary: OAuth2 Token Revocation (RFC 7009)
+       Revoke an access token or refresh token.
+  
+       This method may return different T based on the response code:
+       - 200: void
+       */
+    oauth2Revoke(body: OAuth2RevokeRequest, options?: RequestInit): Promise<FetchResponse<void>>;
+    /**
+       Summary: OAuth2 Token Introspection (RFC 7662)
+       Introspect a token to determine its current state and metadata.
+  
+       This method may return different T based on the response code:
+       - 200: OAuth2IntrospectResponse
+       */
+    oauth2Introspect(body: OAuth2IntrospectRequest, options?: RequestInit): Promise<FetchResponse<OAuth2IntrospectResponse>>;
+    /**
+       Summary: Get authorization request details for consent screen
+       Called by the consent UI to get details about the pending authorization request.
+  
+       This method may return different T based on the response code:
+       - 200: OAuth2LoginResponse
+       */
+    oauth2LoginGet(params?: Oauth2LoginGetParams, options?: RequestInit): Promise<FetchResponse<OAuth2LoginResponse>>;
+    /**
+       Summary: Complete login/consent for an authorization request
+       Called by the consent UI after user authenticates and consents. Sets the user on the auth request and redirects back to the client with an authorization code.
+  
+       This method may return different T based on the response code:
+       - 200: OAuth2LoginCompleteResponse
+       */
+    oauth2LoginPost(body: OAuth2LoginRequest, options?: RequestInit): Promise<FetchResponse<OAuth2LoginCompleteResponse>>;
 }
 export declare const createAPIClient: (baseURL: string, chainFunctions?: ChainFunction[]) => Client;
 //# sourceMappingURL=client.d.ts.map