@softwarepatterns/am 0.0.1 → 0.0.2

package/dist/index.d.ts

@@ -1,3 +1,34 @@
+/**
+ * Standard error object following RFC 7807 (Problem Details for HTTP APIs).
+ *
+ * Returned in AuthError.problem when the server responds with application/problem+json.
+ *
+ * - `type`: A URI reference that identifies the problem type. Often links to human-readable documentation.
+ * - `title`: A short, human-readable summary of the problem type.
+ * - `status`: The HTTP status code.
+ * - `code`: Application-specific error code for programmatic handling. Maps to the final part of the error type.
+ * - `detail`: Human-readable explanation specific to this occurrence. Do not rely on this for programmatic handling.
+ * - `invalidParams`: Present on validation errors (typically 400). Provides field-level details
+ *   for building precise UI feedback and can be used for programmatic handling. Each entry includes:
+ *   - `in`: Location of the invalid parameter (body, cookie, header, query, path).
+ *   - `path`: Dot-separated path to the invalid parameter.
+ *   - `type`: Error type code for this parameter (e.g. "required", "email", "min_length").
+ *   - `received`: The actual value received.
+ *   - `expected`: (optional) Description of the expected value.
+ *
+ * @example
+ * ```ts
+ * catch (e) {
+ *   if (e instanceof AuthError && e.invalidParams) {
+ *     const errors = e.invalidParams.reduce((acc, p) => {
+ *       acc[p.path] = p.type;
+ *       return acc;
+ *     }, {} as Record<string, string>);
+ *     setFieldErrors(errors);
+ *   }
+ * }
+ * ```
+ */
 type ProblemDetails = {
     type: string;
     title: string;
@@ -12,28 +43,97 @@ type ProblemDetails = {
         expected?: string;
     }[];
 };
+/**
+ * Opaque identifier for a client application.
+ *
+ * Used to look up client-specific settings on how authentication should be handled.
+ *
+ * All client-specific operations (invites, branding, rate limits) are scoped to a ClientId.
+ */
 type ClientId = `cid${string}`;
+/** Identifier for a user. */
 type UserId = `uid${string}`;
+/** Identifier for an account (i.e., a billable entity). */
 type AccountId = `acc${string}`;
+/** Identifier for a membership linking a user to an account. */
 type MembershipId = `mbr${string}`;
+/**
+ * Possible statuses for an account.
+ *
+ * - active: Normal operation
+ * - trial: In trial period
+ * - past_due: Payment failed but grace period active
+ * - suspended: Access restricted due to billing or policy
+ * - closed: Permanently closed
+ */
+type AccountStatus = "active" | "trial" | "past_due" | "suspended" | "closed";
+/**
+ * Accounts are billable entities that can access resources. Users are linked to accounts via memberships with roles.
+ *
+ * An account with subaccounts is acting as a tenant, and is used to create services with their own billing,
+ * accounts, users, memberships, etc. This is useful for SaaS platforms that want to offer isolated environments
+ * for different customers, and to allow reselling of their services to other SaaS providers.
+ *
+ * For example, an email service lets customers sign up. However, some customers want to offer
+ * email services to their own clients. Therefore, the email provider has an account for each customer, and those
+ * customers have accounts for their own clients as well. Each level is isolated, with separate billing and users.
+ */
+type AccountResource = {
+    id: AccountId;
+    /** Display name chosen by the account owner */
+    name: string | null;
+    /** URL to the account's avatar image */
+    avatarUrl: string | null;
+    /** Current account status */
+    status: AccountStatus;
+    /** ISO 8601 timestamp until which the account is paid (null if never paid or closed) */
+    paidUntil: string | null;
+};
+/**
+ * Possible statuses for a user.
+ *
+ * - active: Normal operation
+ * - trial: In trial period
+ * - past_due: Payment failed but grace period active
+ * - suspended: Access restricted due to billing or policy
+ * - closed: Permanently closed
+ */
 type UserStatus = "active" | "trial" | "past_due" | "suspended" | "closed";
+/**
+ * A reference to a user. Will not be deleted even due to GDPR requests or account closures,
+ * to maintain referential integrity in audit logs and historical records.
+ */
 type UserResource = {
     id: UserId;
     accountId: AccountId;
     status: UserStatus;
     preferredMembershipId: MembershipId | null;
 };
+/**
+ * Personal identity information (PII) for a user. Will be deleted due to GDPR requests or account
+ * closures to respect legal requirements of various regions..
+ */
 type UserIdentity = {
     id: UserId;
     avatarUrl: string | null;
+    /** External identifier from third-party provider (i.e., SCIM) */
     externalId: string | null;
     givenName: string | null;
     familyName: string | null;
     displayName: string | null;
+    /** Preferred language code (en-CA, fr-FR, zh-CN, etc.) */
     preferredLanguage: string | null;
+    /** Locale code (e.g., "en-US") */
     locale: string | null;
     timezone: string | null;
 };
+/**
+ * Roles within an account membership.
+ *
+ * - owner: Full administrative access, may perform destructive actions.
+ * - member: Standard non-destructive access
+ * - viewer: Read-only access
+ */
 type MembershipRole = "owner" | "member" | "viewer";
 type Membership = {
     id: MembershipId;
@@ -41,34 +141,129 @@ type Membership = {
     accountId: AccountId;
     role: MembershipRole;
 };
+/**
+ * Email credential record attached to a user.
+ *
+ * Sensitive fields (email) are only included when explicitly requested
+ * or when the caller has appropriate permissions.
+ */
 type EmailCredential = {
     id: string;
     email: string | null;
-    hashedEmail: string | null;
-    hashedPassword: string | null;
     emailVerifiedAt: string | null;
 };
 type SessionTokens = {
+    /** Signed JWT access token for authenticating API requests */
     accessToken: string;
+    /** Opaque refresh token for obtaining new access tokens */
     refreshToken: string;
     tokenType: "Bearer";
+    /** Seconds until the access token expires from time of issuance */
     expiresIn: number;
     idToken?: string;
+    /** Absolute expiration time (milliseconds since epoch) set by the client library */
+    expiresAt: number;
 };
+/**
+ * Complete profile of the currently authenticated user.
+ *
+ * Combines basic user data with identity, credentials, memberships, and freshness timestamp.
+ *
+ * `lastUpdatedAt` is updated whenever the profile is fetched from the server.
+ */
 type SessionProfile = UserResource & {
-    identity: UserIdentity;
+    identity: UserIdentity | null;
     emailCredentials: EmailCredential[];
     memberships: Membership[];
+    /** Currently active membership in the accessToken (determined by preferredMembershipId or context) */
     activeMembership: Membership | null;
+    lastUpdatedAt: number;
 };
-type AuthenticationResult = {
-    session: SessionTokens;
-    profile: SessionProfile;
+/**
+ * Combined authentication state containing tokens and optional profile.
+ */
+type Authentication = {
+    tokens: SessionTokens;
+    profile: SessionProfile | null;
 };
+/**
+ * Result of checkEmail() indicating whether the email is registered.
+ */
 type EmailCheckStatus = "active" | "inactive";
+/**
+ * Supported login methods for an email address.
+ *
+ * Currently limited to email/password and magic link flows.
+ */
 type LoginMethod = "email_password" | "magic_link";
+/**
+ * Minimal storage interface required for session persistence.
+ *
+ * Compatible with localStorage, sessionStorage, AsyncStorage (React Native), or any custom implementation.
+ */
+type StorageLike = {
+    getItem(key: string): string | null;
+    setItem(key: string, value: string): void;
+    removeItem(key: string): void;
+};
 
+type StorageConfig = StorageLike | "localStorage" | null | undefined;
 type FetchFn = (input: RequestInfo | URL, init?: RequestInit) => Promise<Response>;
+type Config = {
+    baseUrl: string;
+    earlyRefreshMs: number;
+    fetchFn: FetchFn;
+    onRefresh?: (tokens: SessionTokens) => void | Promise<void>;
+    onProfileRefetch?: (profile: SessionProfile) => void | Promise<void>;
+    onUnauthenticated?: (e: AuthError) => void | Promise<void>;
+    profileStorageKey: string;
+    storage: StorageConfig;
+    tokensStorageKey: string;
+};
+/**
+ * Error type for authentication-related failures.
+ *
+ * Always thrown on non-2xx responses from auth endpoints. Contains structured ProblemDetails
+ * from the server when available.
+ *
+ * Most 400 errors will also contain `invalidParams` for parameters that caused
+ * the error, which can be used to display field-level validation messages.
+ *
+ * Note that network errors, timeouts, etc. will throw other Error types (e.g. TypeError) unrelated
+ * to AuthError.
+ *
+ * Note that HTTP error codes are distinctly:
+ * - 400: Client error (bad request, invalid input, etc.)
+ * - 401: Unauthenticated (we don't know who you are)
+ * - 402: Payment required (e.g. billing issue)
+ * - 403: Unauthorized (we know who you are, but you don't have permission)
+ * - 404: Not found
+ * - 409: Conflict (email already registered, user already invited, etc.)
+ * - 429: Too many requests (rate limiting)
+ * - 500: Internal server error (server's fault)
+ *
+ * Also note that the `type` field often contains a URI that points to documentation about the
+ * specific error type, including how to resolve it, code samples, and links to the RFCs or other
+ * standards that define the error.
+ *
+ * @example
+ * ```ts
+ * try {
+ *  const session = await am.signIn({ email: 'test@example.com', password: 'password123' });
+ * } catch (e) {
+ *  if (e instanceof AuthError) {
+ *   console.error("Authentication failed:", e.title);
+ *   if (e.invalidParams) {
+ *    for (const param of e.invalidParams) {
+ *      console.error(` - Invalid parameter: ${param.path} (${param.type})`);
+ *     }
+ *    }
+ *   } else {
+ *    console.error("Unexpected error:", e);
+ *   }
+ * }
+ * ```
+ */
 declare class AuthError extends Error {
     readonly problem: ProblemDetails;
     constructor(problem: ProblemDetails);
@@ -79,48 +274,177 @@ declare class AuthError extends Error {
     get detail(): string | undefined;
     get invalidParams(): ProblemDetails["invalidParams"] | undefined;
 }
-type Config = {
-    fetchFn: FetchFn;
-    baseUrl: string;
-};
+/**
+ * You receive an AuthSession after successful sign-in/register/etc.
+ *
+ * It contains the current access token, user profile, and methods to perform authorized
+ * requests.
+ *
+ * Features:
+ * - session.fetch() will always use a valid access token (refreshing automatically)
+ * - All non-2xx responses throw AuthError
+ * - Tokens and profile are automatically persisted to storage (if configured)
+ */
 declare class AuthSession {
-    private tokens;
-    private config;
-    private lastUpdated;
-    constructor(tokens: SessionTokens, config: Partial<Config>);
-    get accessToken(): string;
-    get refreshToken(): string;
-    get idToken(): string | undefined;
-    get tokenType(): "Bearer";
-    get expiresIn(): number;
-    get lastUpdatedAt(): Date;
-    get expiresAt(): Date;
+    constructor(initial: Authentication, config: Partial<Config>);
+    /**
+     * Restores an AuthSession from persisted storage. Returns null if no valid session
+     * is found.
+     *
+     * @example
+     * ```ts
+     * const session = AuthSession.restoreSession();
+     * if (session) {
+     *   console.log("Restored session for user:", session.profile);
+     * } else {
+     *   console.log("No valid session found.");
+     * }
+     * ```
+     */
+    static restoreSession(config?: Partial<Config>): AuthSession | null;
+    /**
+     * Removes all persisted data (tokens, profile) from storage, and prevents future
+     * refreshs of token and profile data. Does NOT clear current token or profile data from the
+     * session memory, but effectively deactivates the session for future use.
+     */
+    clear(): void;
+    accessToken(): string;
+    refreshToken(): string;
+    idToken(): string | undefined;
+    expiresIn(): number;
+    expiresAt(): Date;
+    profile(): SessionProfile | null;
+    toJSON(): Authentication;
+    /**
+     * Creates an AuthSession from existing authentication data. Useful for restoring
+     * a session from custom storage or creating a session from custom server-provided data.
+     */
+    static fromJSON(initial: Authentication, config: Partial<Config>): AuthSession;
+    /**
+     * Returns true if the access token is expired or will expire soon. The
+     * "soon" threshold is configured via Config.earlyRefreshMs (default 1 minute).
+     */
     isExpired(): boolean;
     /**
-     * Fetch with automatic token refresh.
+     * Perform an authenticated fetch. Used to call your own APIs with the current
+     * session's access token. Any service can validate the token against Am's public
+     * keys at https://api.accountmaker.com/.well-known/jwks.json?client_id={clientId}
+     *
+     * Automatically:
+     *   - Adds Authorization header
+     *   - Refreshes token if expired
+     *   - Retries once on 401 if refresh succeeds
+     *
+     * Assumes the response is JSON and parses it. Throws AuthError on non-2xx responses.
      *
-     * If the access token is expired, it will be refreshed before making the request. The
-     * Authorization header will be set with the current access token.
+     * If the error is a RFC 7807 Problem Details response, the AuthError.problem
+     * will contain the full details.
+     *
+     * @example
+     * ```ts
+     * const res = await session.fetch('/api/projects');
+     * const projects = await res.json();
+     * ```
+     *
+     * Throws AuthError on network errors, etc.
+     * @throws AuthError
+     */
+    fetch(url: string | URL, init?: RequestInit): Promise<any>;
+    /**
+     * Refreshes the access token using the refresh token. Updates the stored tokens on
+     * success. This is called automatically by fetch() if the token is expired or close to
+     * expiring.
      */
-    fetch(url: string | URL | Request, init?: RequestInit): Promise<Response>;
     refresh(): Promise<void>;
+    /**
+     * Refetches the user's profile from the server and updates the stored profile.
+     *
+     * @example
+     * ```ts
+     * await session.refetchProfile();
+     * console.log("Updated profile:", session.profile);
+     * ```
+     *
+     * Throws AuthError on network errors, etc.
+     * @throws AuthError
+     */
+    refetchProfile(): Promise<void>;
+    /**
+     * Sends a verification email to the user's primary email address. This only succeeds if
+     * called by the currently authenticated user or an account admin.
+     *
+     * Throws AuthError on network errors, etc.
+     * @throws AuthError
+     */
     sendVerificationEmail(): Promise<void>;
-    me(): Promise<SessionProfile>;
+    /**
+     * Fetches a user by ID.
+     *
+     * Throws AuthError on invalid user ID, network errors, etc.
+     * @throws AuthError
+     */
     user(id: UserId): Promise<UserResource>;
 }
+/**
+ * Use `Am` to perform initial sign-in, registration, password reset flows, magic links,
+ * invite acceptance, and other unauthenticated actions.
+ *
+ * Once authentication succeeds, these methods return an `AuthSession` that you use
+ * for all subsequent authenticated requests.
+ *
+ * Example:
+ * ```ts
+ * const am = new Am();
+ * const session = await am.signIn({ email: 'user@example.com', password: 'secret' });
+ * // Now use `session` for protected API calls
+ * ```
+ */
 declare class Am {
     private options;
     constructor(config?: Partial<Config>);
-    static createAuthSession(tokens: SessionTokens, config?: Partial<Config>): AuthSession;
-    createAuthSession(tokens: SessionTokens): AuthSession;
+    /**
+     * Creates an AuthSession from existing authentication data. Useful for restoring
+     * a session from custom storage or creating a session from custom server-provided data.
+     */
+    static createAuthSession(initial: Authentication, config?: Partial<Config>): AuthSession;
+    /**
+     * Creates an AuthSession from existing authentication data. Useful for restoring
+     * a session from custom storage or creating a session from custom server-provided data.
+     */
+    createAuthSession(initial: Authentication): AuthSession;
+    /**
+     * Accepts an invitation to join an account. On success, returns an AuthSession
+     * containing fresh tokens and profile. Tokens are automatically persisted (if
+     * storage is enabled).
+     *
+     * Throws AuthError on invalid or expired token, etc.
+     * @throws AuthError
+     */
     static acceptInvite(query: {
         clientId: ClientId;
         token: string;
-    }, config?: Partial<Config>): Promise<AuthenticationResult>;
+    }, config?: Partial<Config>): Promise<AuthSession>;
+    /**
+     * Accepts an invitation to join an account. On success, returns an AuthSession
+     * containing fresh tokens and profile. Tokens are automatically persisted (if
+     * storage is enabled).
+     *
+     * Throws AuthError on invalid or expired token, etc.
+     * @throws AuthError
+     */
     acceptInvite(query: {
         clientId: ClientId;
         token: string;
-    }): Promise<AuthenticationResult>;
+    }): Promise<AuthSession>;
+    /**
+     * Checks the status of an email address for authentication purposes. Indicates whether the
+     * email is associated with an active account, and what login methods are preferred and
+     * available for that user. This can be used to enforce login expierences for enterprise SSO or
+     * to prefer passwordless login methods.
+     *
+     * Throws AuthError on invalid client ID, network errors, etc.
+     * @throws AuthError
+     */
     static checkEmail(body: {
         clientId: ClientId;
         email: string;
@@ -130,6 +454,15 @@ declare class Am {
         preferred: LoginMethod[];
         available: LoginMethod[];
     }>;
+    /**
+     * Checks the status of an email address for authentication purposes. Indicates whether the
+     * email is associated with an active account, and what login methods are preferred and
+     * available for that user. This can be used to enforce login expierences for enterprise SSO or
+     * to prefer passwordless login methods.
+     *
+     * Throws AuthError on invalid client ID, network errors, etc.
+     * @throws AuthError
+     */
     checkEmail(body: {
         clientId: ClientId;
         email: string;
@@ -139,67 +472,207 @@ declare class Am {
         preferred: LoginMethod[];
         available: LoginMethod[];
     }>;
+    /**
+     * When called, sets a httpOnly CSRF session cookie. Then when rendering a form, call csrfToken()
+     * to get the signed token to include in the form. When the form is submitted, the server
+     * will verify the signed token against the session cookie. This prevents a certain class
+     * of CSRF attacks that rely on being able to read values from the target site.
+     */
     static csrfSession(config?: Partial<Config>): Promise<{
         csrfToken: string;
     }>;
+    /**
+     * When called, sets a httpOnly CSRF session cookie. Then when rendering a form, call csrfToken()
+     * to get the signed token to include in the form. When the form is submitted, the server
+     * will verify the signed token against the session cookie. This prevents a certain class
+     * of CSRF attacks that rely on being able to read values from the target site.
+     */
     csrfSession(): Promise<{
         csrfToken: string;
     }>;
+    /**
+     * Fetches a signed CSRF token for use in forms. Call csrfSession() first to set a httpOnly CSRF
+     * session cookie, then call this method to get the signed token, then include the token in your
+     * form submissions. When the form is submitted, the server will verify the signed token against
+     * the httpOnly session cookie. This prevents a certain class of CSRF attacks that rely on being
+     * able to read values from the target site.
+     *
+     * @throws AuthError
+     */
     static csrfToken(config?: Partial<Config>): Promise<{
         csrfToken: string;
     }>;
+    /**
+     * Fetches a signed CSRF token for use in forms. Call csrfSession() first to set a httpOnly CSRF
+     * session cookie, then call this method to get the signed token, then include the token in your
+     * form submissions. When the form is submitted, the server will verify the signed token against
+     * the httpOnly session cookie. This prevents a certain class of CSRF attacks that rely on being
+     * able to read values from the target site.
+     *
+     * @throws AuthError
+     */
     csrfToken(): Promise<{
         csrfToken: string;
     }>;
-    static login(body: {
+    /**
+     * On success, returns an AuthSession containing fresh tokens and profile.
+     * Tokens are automatically persisted (if storage is enabled).
+     *
+     * Throws AuthError on invalid credentials, unverified email, etc.
+     * @throws AuthError
+     */
+    static signIn(body: {
+        clientId: ClientId;
         email: string;
         password: string;
         csrfToken?: string;
-    }, config?: Partial<Config>): Promise<AuthenticationResult>;
-    login(body: {
+    }, config?: Partial<Config>): Promise<AuthSession>;
+    /**
+     * On success, returns an AuthSession containing fresh tokens and profile.
+     * Tokens are automatically persisted (if storage is enabled).
+     *
+     * Throws AuthError on invalid credentials, unverified email, etc.
+     * @throws AuthError
+     */
+    signIn(body: {
+        clientId: ClientId;
         email: string;
         password: string;
         csrfToken?: string;
-    }): Promise<AuthenticationResult>;
-    static tokenLogin(token: string, config?: Partial<Config>): Promise<AuthenticationResult>;
-    tokenLogin(token: string): Promise<AuthenticationResult>;
+    }): Promise<AuthSession>;
+    /**
+     * Authenticates using a one-time token (e.g., magic link or invite token).
+     *
+     * On success, returns an AuthSession containing fresh tokens and profile.
+     * Tokens are automatically persisted (if storage is enabled).
+     *
+     * Throws AuthError on invalid or expired token, etc.
+     * @throws AuthError
+     */
+    static signInWithToken(token: string, config?: Partial<Config>): Promise<AuthSession>;
+    /**
+     * Authenticates using a one-time token (e.g., magic link or invite token).
+     *
+     * On success, returns an AuthSession containing fresh tokens and profile.
+     * Tokens are automatically persisted (if storage is enabled).
+     *
+     * Throws AuthError on invalid or expired token, etc.
+     * @throws AuthError
+     */
+    signInWithToken(token: string): Promise<AuthSession>;
+    /**
+     * Manually refreshes session tokens using the provided refresh token. Does NOT
+     * persist tokens. Use AuthSession.refresh() to refresh and persist tokens in an
+     * existing session.
+     *
+     * Throws AuthError on invalid or expired refresh token, etc.
+     * @throws AuthError
+     */
     static refresh(refreshToken: string, config?: Partial<Config>): Promise<SessionTokens>;
+    /**
+     * Manually refreshes session tokens using the provided refresh token. Does NOT
+     * persist tokens. Use AuthSession.refresh() to refresh and persist tokens in an
+     * existing session.
+     *
+     * Throws AuthError on invalid or expired refresh token, etc.
+     * @throws AuthError
+     */
     refresh(refreshToken: string): Promise<SessionTokens>;
-    static register(body: {
+    /**
+     * Successful registration immediately authenticates the user and returns an
+     * AuthSession. Tokens are automatically persisted (if storage is enabled).
+     *
+     * Throws AuthError on invalid data, existing email, etc.
+     * @throws AuthError
+     */
+    static signUp(body: {
+        clientId: ClientId;
         email: string;
         password: string;
         csrfToken?: string;
-    }, config?: Partial<Config>): Promise<AuthenticationResult>;
-    register(body: {
+    }, config?: Partial<Config>): Promise<AuthSession>;
+    /**
+     * Successful registration immediately authenticates the user and returns an
+     * AuthSession. Tokens are automatically persisted (if storage is enabled).
+     *
+     * Throws AuthError on invalid data, existing email, etc.
+     * @throws AuthError
+     */
+    signUp(body: {
+        clientId: ClientId;
         email: string;
         password: string;
         csrfToken?: string;
-    }): Promise<AuthenticationResult>;
+    }): Promise<AuthSession>;
+    /**
+     * Completes a password reset using the token received via email. On success,
+     * the user's password is updated.
+     *
+     * Throws AuthError on invalid or expired token, weak password, etc.
+     * @throws AuthError
+     */
     static resetPassword(body: {
         token: string;
         newPassword: string;
     }, config?: Partial<Config>): Promise<void>;
+    /**
+     * Completes a password reset using the token received via email. On success,
+     * the user's password is updated.
+     *
+     * Throws AuthError on invalid or expired token, weak password, etc.
+     * @throws AuthError
+     */
     resetPassword(body: {
         token: string;
         newPassword: string;
     }): Promise<void>;
+    /**
+     * Sends a magic link email to the specified address. A magic link allows
+     * passwordless authentication.
+     *
+     * Throws AuthError on invalid email format, etc.
+     * @throws AuthError
+     */
     static sendMagicLink(body: {
+        clientId: ClientId;
         email: string;
         csrfToken?: string;
     }, config?: Partial<Config>): Promise<void>;
+    /**
+     * Sends a magic link email to the specified address. A magic link allows
+     * passwordless authentication.
+     *
+     * Throws AuthError on invalid email format, etc.
+     * @throws AuthError
+     */
     sendMagicLink(body: {
+        clientId: ClientId;
         email: string;
         csrfToken?: string;
     }): Promise<void>;
+    /**
+     * Sends a password reset email to the specified address.
+     *
+     * Throws AuthError on invalid email format, etc.
+     * @throws AuthError
+     */
     static sendPasswordReset(body: {
+        clientId: ClientId;
         email: string;
         csrfToken?: string;
     }, config?: Partial<Config>): Promise<void>;
+    /**
+     * Sends a password reset email to the specified address.
+     *
+     * Throws AuthError on invalid email format, etc.
+     * @throws AuthError
+     */
     sendPasswordReset(body: {
+        clientId: ClientId;
         email: string;
         csrfToken?: string;
     }): Promise<void>;
 }
 
 export { Am, AuthError, AuthSession };
-export type { AuthenticationResult, ClientId, EmailCheckStatus, LoginMethod, ProblemDetails, SessionProfile, SessionTokens, UserId, UserResource };
+export type { AccountId, AccountResource, AccountStatus, Authentication, ClientId, EmailCheckStatus, EmailCredential, LoginMethod, Membership, MembershipId, MembershipRole, ProblemDetails, SessionProfile, SessionTokens, StorageLike, UserId, UserIdentity, UserResource, UserStatus };