@stytch/react 20.0.0-next.1 → 20.0.0-next.3

package/dist/types/createAuthUrlHandler-R1kNNQD_.d.ts

@@ -0,0 +1,2406 @@
+import { bs as RNUIProductConfig, bD as StytchSDKError, R as ResponseCommon, b5 as EmailMagicLinksOptions, bb as OAuthOptions, bd as OtpOptions, bf as SessionOptions, be as PasswordOptions, bg as PasskeyOptions, ex as DFPProtectedAuthMode, ey as RBACPolicyRaw, a as StytchProjectConfigurationInput, w as SessionDurationOptions, A as AuthenticateResponse, U as User, ez as Cacheable, x as UnsubscribeFunction, D as DeleteResponse, F as SDKDeviceHistory, cs as B2BAuthenticateResponse, M as MemberSession, y as locale, ct as B2BAuthenticateResponseWithMFA, aq as SessionTokens, eA as IfOpaqueTokens, eB as ExtractOpaqueTokens, ah as SessionAuthenticateOptions, am as SessionRevokeResponse, ar as SessionTokensUpdate, r as Member, z as MemberEmailUpdateDeliveryMethod, co as MemberResponseCommon, eC as Values, G as ConnectedAppPublic, H as ScopeResult } from './ui-B7IvSGQf.js';
+
+declare enum EmailSentType {
+    LoginOrCreateEML = "login_or_create_eml",
+    LoginOrCreateOTP = "login_or_create_otp",
+    ResetPassword = "reset_password"
+}
+type AnalyticsEvent = {
+    name: 'sdk_instance_instantiated';
+    details: {
+        event_callback_registered: boolean;
+        error_callback_registered: boolean;
+        success_callback_registered: boolean;
+    };
+} | {
+    name: 'b2b_sdk_instance_instantiated';
+    details: {
+        event_callback_registered: boolean;
+        error_callback_registered: boolean;
+        success_callback_registered: boolean;
+    };
+} | {
+    name: 'render_login_screen';
+    details: {
+        options: CommonLoginConfig | RNUIProductConfig;
+        bootstrap: BootstrapData;
+    };
+} | {
+    name: 'render_b2b_login_screen';
+    details: {
+        options: CommonB2BLoginConfig;
+        bootstrap: BootstrapData;
+    };
+} | {
+    name: 'render_idp_screen';
+    details: {
+        bootstrap: BootstrapData;
+    };
+} | {
+    name: 'render_b2b_idp_screen';
+    details: {
+        bootstrap: BootstrapData;
+    };
+} | {
+    name: 'email_sent';
+    details: {
+        email: string;
+        type: EmailSentType;
+    };
+} | {
+    name: 'email_try_again_clicked';
+    details: {
+        email: string;
+        type: EmailSentType;
+    };
+} | {
+    name: 'start_oauth_flow';
+    details: {
+        provider_type: string;
+        custom_scopes?: string[];
+        cname_domain: string | null;
+        pkce: boolean;
+        provider_params?: Record<string, string>;
+    };
+} | {
+    name: 'deeplink_handled_success';
+    details: {
+        token_type: TokenType;
+    };
+} | {
+    name: 'deeplink_handled_failure';
+    details: {
+        error: StytchSDKError | undefined;
+    };
+} | {
+    name: 'oauth_success';
+    details: {
+        provider_type: string;
+    };
+} | {
+    name: 'oauth_failure';
+    details: {
+        error: StytchSDKError | string | undefined;
+    };
+} | {
+    name: 'ui_authentication_success';
+    details: {
+        method: 'oauth' | 'otp' | 'magicLinks' | 'passwords';
+    };
+} | {
+    name: 'render_b2b_admin_portal_sso';
+    details: Record<string, never>;
+} | {
+    name: 'render_b2b_admin_portal_org_settings';
+    details: Record<string, never>;
+} | {
+    name: 'render_b2b_admin_portal_member_management';
+    details: Record<string, never>;
+} | {
+    name: 'render_b2b_admin_portal_scim';
+    details: Record<string, never>;
+};
+
+type SDKRequestMethodAndBody = {
+    method: 'GET' | 'DELETE';
+    body?: null;
+} | {
+    method: 'POST' | 'PUT';
+    body?: Record<string, unknown>;
+};
+type SDKRequestInfo = SDKRequestMethodAndBody & {
+    url: string;
+    additionalMetadata?: Record<string, string>;
+};
+interface SDKTelemetry {
+    event_id: string;
+    app_session_id: string;
+    persistent_id: string;
+    client_sent_at: string;
+    timezone: string;
+    app: {
+        identifier: string;
+        version?: string;
+    };
+    os?: {
+        identifier?: string;
+        version?: string;
+    };
+    device?: {
+        model?: string;
+        screen_size?: string;
+    };
+    sdk: {
+        identifier: string;
+        version: string;
+    };
+}
+interface INetworkClient {
+    createTelemetryBlob(additionalMetadata?: SDKRequestInfo['additionalMetadata']): SDKTelemetry;
+    fetchSDK: <T extends ResponseCommon>(info: SDKRequestInfo) => Promise<T>;
+    retriableFetchSDK: <T extends ResponseCommon>(info: RetriableSDKRequestInfo) => Promise<T>;
+    logEvent<E extends AnalyticsEvent>({ name, details, error, }: {
+        name: E['name'];
+        details: E['details'];
+        error?: {
+            error_code?: string;
+            error_description?: string;
+            http_status_code?: string;
+        };
+    }): void;
+    updateSessionToken: (sessionToken: string | null) => void;
+}
+type RetriableSDKRequestInfo = SDKRequestInfo & {
+    retryCallback: (e: RetriableError, info: SDKBaseRequestInfo) => Promise<SDKBaseRequestInfo>;
+};
+declare enum RetriableErrorType {
+    RequiredCaptcha = "CAPTCHA required"
+}
+declare class RetriableError extends Error {
+    type: RetriableErrorType;
+    constructor(type: RetriableErrorType);
+}
+type SDKBaseRequestInfo = {
+    basicAuthHeader: string;
+    xSDKClientHeader: string;
+    xSDKParentHostHeader?: string;
+    body: SDKRequestInfo['body'];
+    method: SDKRequestInfo['method'];
+    finalURL: string;
+};
+
+declare const VERTICAL_B2B = "B2B";
+declare const VERTICAL_CONSUMER = "CONSUMER";
+type Vertical = typeof VERTICAL_B2B | typeof VERTICAL_CONSUMER;
+
+type BootstrapData = {
+    projectName: string | null;
+    displayWatermark: boolean;
+    cnameDomain: string | null;
+    emailDomains: string[];
+    captchaSettings: {
+        enabled: false;
+    } | {
+        enabled: true;
+        siteKey: string;
+    };
+    pkceRequiredForEmailMagicLinks: boolean;
+    pkceRequiredForPasswordResets: boolean;
+    pkceRequiredForOAuth: boolean;
+    pkceRequiredForSso: boolean;
+    slugPattern: string | null;
+    createOrganizationEnabled: boolean;
+    passwordConfig: {
+        ludsComplexity: number;
+        ludsMinimumCount: number;
+    } | null;
+    runDFPProtectedAuth: boolean;
+    dfpProtectedAuthMode?: DFPProtectedAuthMode;
+    rbacPolicy: RBACPolicyRaw | null;
+    siweRequiredForCryptoWallets: boolean;
+    vertical: Vertical | null;
+};
+/**
+ * Internal common config options, excluding platform specific configs like styling and the
+ * products array on web. This is just internal to avoid this being exported out and getting
+ * confused with the public StytchLoginConfig type
+ */
+type CommonLoginConfig = {
+    emailMagicLinksOptions?: EmailMagicLinksOptions;
+    oauthOptions?: OAuthOptions;
+    otpOptions?: OtpOptions;
+    sessionOptions?: SessionOptions;
+    passwordOptions?: PasswordOptions;
+    passkeyOptions?: PasskeyOptions;
+    /**
+     * The `enableShadowDOM` configuration option allows developers to use the Stytch SDK in a shadow DOM. This defaults to `false`.
+     */
+    enableShadowDOM?: boolean;
+};
+/**
+ * Internal common config options, excluding platform specific configs like styling and the
+ * products array on web. This is just internal to avoid this being exported out and getting
+ * confused with the public StytchB2BUIConfig type
+ */
+type CommonB2BLoginConfig = {
+    authFlowType: AuthFlowType;
+    sessionOptions: SessionOptions;
+    emailMagicLinksOptions?: B2BEmailMagicLinksOptions;
+    ssoOptions?: B2BSSOOptions;
+    passwordOptions?: B2BPasswordOptions;
+    oauthOptions?: B2BOAuthOptions;
+    emailOtpOptions?: B2BEmailOTPOptions;
+    smsOtpOptions?: B2BSMSOTPOptions;
+    /**
+     * An optional config that allows you to skip the discover flow and log a member
+     * in directly only if they are a member of a single organization.
+     */
+    directLoginForSingleMembership?: DirectLoginForSingleMembershipConfig;
+    /**
+     * Whether or not an organization should be created directly when a user has
+     * no memberships, invitations, or organizations they could join via JIT
+     * provisioning. This has no effect if the ability to create organizations
+     * from the frontend SDK is disabled in the Stytch dashboard. Defaults to
+     * `false`.
+     */
+    directCreateOrganizationForNoMembership?: boolean;
+    /**
+     * Whether to prevent users who are not members of any organization from
+     * creating a new organization during the discovery flow. This has no effect
+     * if the ability to create organizations from the frontend SDK is disabled in
+     * the Stytch dashboard. Defaults to `false`.
+     */
+    disableCreateOrganization?: boolean;
+    /**
+     * The order to present MFA products to a member when multiple choices are
+     * available, such as during enrollment.
+     */
+    mfaProductOrder?: readonly B2BMFAProducts[];
+    /**
+     * MFA products to include in the UI. If specified, the list of available
+     * products will be limited to those included. Defaults to all available
+     * products.
+     *
+     * Note that if an organization restricts the available MFA methods, the
+     * organization's settings will take precedence. In addition, if a member is
+     * enrolled in MFA compatible with their organization's policies, their
+     * enrolled methods will always be made available.
+     */
+    mfaProductInclude?: readonly B2BMFAProducts[];
+    /**
+     * The slug of the organization to use in the organization-specific auth flow.
+     * If not specified, the organization will be inferred from the URL based on
+     * the project's configured slug pattern.
+     *
+     * This has no effect outside of the organization-specific auth flow.
+     */
+    organizationSlug?: string | null;
+    /**
+     * The `enableShadowDOM` configuration option allows developers to use the Stytch SDK in a shadow DOM. This defaults to `false`.
+     */
+    enableShadowDOM?: boolean;
+};
+
+type OAuthGetURLOptions = {
+    /**
+     * The URL that Stytch redirects to after the OAuth flow is completed for a user that already exists.
+     * This URL should be an endpoint in the backend server that verifies the request by querying Stytch's /oauth/authenticate endpoint and finishes the login.
+     * The URL should be configured as a Login URL in the Stytch Dashboard's Redirect URL page.
+     * If the field is not specified, the default in the Dashboard is used.
+     */
+    login_redirect_url?: string;
+    /**
+     * The URL that Stytch redirects to after the OAuth flow is completed for a user that does not yet exist.
+     * This URL should be an endpoint in the backend server that verifies the request by querying Stytch's /oauth/authenticate endpoint and finishes the login.
+     * The URL should be configured as a Sign Up URL in the Stytch Dashboard's Redirect URL page.
+     * If the field is not specified, the default in the Dashboard is used.
+     */
+    signup_redirect_url?: string;
+    /**
+     * An optional list of custom scopes that you'd like to request from the user in addition to the ones Stytch requests by default.
+     * @example Google Custom Scopes
+     * ['https://www.googleapis.com/auth/gmail.compose', 'https://www.googleapis.com/auth/firebase']
+     *
+     * @example Facebook Custom Scopes
+     * ['public_profile', 'instagram_shopping_tag_products']
+     */
+    custom_scopes?: string[];
+    /**
+     * An optional mapping of provider specific values to pass through to the OAuth provider
+     * @example Google authorization parameters
+     * {"prompt": "select_account", "login_hint": "example@stytch.com"}
+     */
+    provider_params?: Record<string, string>;
+    /**
+     * An optional token to pre-associate an OAuth flow with an existing Stytch User
+     */
+    oauth_attach_token?: string;
+};
+type OAuthAuthenticateOptions = SessionDurationOptions;
+type OAuthAuthenticateResponse<TProjectConfiguration extends StytchProjectConfigurationInput = Stytch.DefaultProjectConfiguration> = AuthenticateResponse<TProjectConfiguration> & {
+    /**
+     * The `provider_subject` field is the unique identifier used to identify the user within a given OAuth provider.
+     * Also commonly called the "sub" or "Subject field" in OAuth protocols.
+     */
+    provider_subject: string;
+    /**
+     * The `type` field denotes the OAuth identity provider that the user has authenticated with, e.g. Google, Facebook, GitHub etc.
+     */
+    provider_type: string;
+    /**
+     * If available, the `profile_picture_url` is a url of the user's profile picture set in OAuth identity the provider that the user has authenticated with, e.g. Facebook profile picture.
+     */
+    profile_picture_url: string;
+    /**
+     * If available, the `locale` is the user's locale set in the OAuth identity provider that the user has authenticated with.
+     */
+    locale: string;
+    /**
+     * The `provider_values` object lists relevant identifiers, values, and scopes for a given OAuth provider.
+     * For example this object will include a provider's `access_token` that you can use to access the provider's API for a given user.
+     * Note that these values will vary based on the OAuth provider in question, e.g. `id_token` may not be returned by all providers.
+     */
+    provider_values: {
+        /**
+         * The `access_token` that you may use to access the user's data in the provider's API.
+         */
+        access_token: string;
+        /**
+         * The `id_token` returned by the OAuth provider.
+         * ID Tokens are JWTs that contain structured information about a user.
+         * The exact content of each ID Token varies from provider to provider.
+         * ID Tokens are returned from OAuth providers that conform to the {@link https://openid.net/foundation/ OpenID Connect} specification, which is based on OAuth.
+         */
+        id_token: string;
+        /**
+         * The `refresh_token` that you may use to refresh a user's session within the provider's API.
+         */
+        refresh_token: string;
+        /**
+         * The OAuth scopes included for a given provider.
+         * See each provider's section above to see which scopes are included by default and how to add custom scopes.
+         */
+        scopes: string[];
+        /**
+         * The timestamp when the Session expires.
+         * Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.
+         */
+        expires_at: string;
+    };
+};
+type OAuthStartFailureReason = 'User Canceled' | 'Authentication Failed' | 'Invalid Platform';
+type OAuthStartResponse = void | {
+    success: true;
+} | {
+    success: false;
+    reason: OAuthStartFailureReason;
+    error?: Error;
+};
+/**
+ * Methods for interacting with an individual OAuth provider.
+ */
+interface IOAuthProvider {
+    /**
+     * Start an OAuth flow by redirecting the browser to one of Stytch's {@link https://stytch.com/docs/api/oauth-google-start oauth start} endpoints.
+     * If enabled, this method will also generate a PKCE code_verifier and store it in localstorage on the device (See the {@link https://stytch.com/docs/oauth#guides_pkce PKCE OAuth guide} for details).
+     * If your application is configured to use a custom subdomain with Stytch, it will be used automatically.
+     * @example
+     * const loginWithGoogle = useCallback(()=> {
+     *   stytch.oauth.google.start({
+     *     login_redirect_url: 'https://example.com/oauth/callback',
+     *     signup_redirect_url: 'https://example.com/oauth/callback',
+     *     custom_scopes: ['https://www.googleapis.com/auth/gmail.compose']
+     *   })
+     * }, [stytch]);
+     * return (
+     *   <Button onClick={loginWithGoogle}> Log in! </Button>
+     * );
+     *
+     * @param options - An {@link OAuthGetURLOptions} object
+     *
+     * @returns OAuthStartResponse - In browsers, the browser is redirected during this function call and will return void. You should not attempt to run any code after calling this function. In React Native applications, an external browser is opened, and this method will return the result of the browser/native authentication attempt.
+     *
+     * @throws A `StytchSDKUsageError` when called with invalid input.
+     */
+    start(options?: OAuthGetURLOptions): Promise<OAuthStartResponse>;
+}
+type OAuthAttachResponse = ResponseCommon & {
+    oauth_attach_token: string;
+};
+interface IHeadlessOAuthClient<TProjectConfiguration extends StytchProjectConfigurationInput> {
+    google: IOAuthProvider;
+    microsoft: IOAuthProvider;
+    apple: IOAuthProvider;
+    github: IOAuthProvider;
+    gitlab: IOAuthProvider;
+    facebook: IOAuthProvider;
+    discord: IOAuthProvider;
+    salesforce: IOAuthProvider;
+    slack: IOAuthProvider;
+    amazon: IOAuthProvider;
+    bitbucket: IOAuthProvider;
+    linkedin: IOAuthProvider;
+    coinbase: IOAuthProvider;
+    twitch: IOAuthProvider;
+    twitter: IOAuthProvider;
+    tiktok: IOAuthProvider;
+    snapchat: IOAuthProvider;
+    figma: IOAuthProvider;
+    yahoo: IOAuthProvider;
+    /**
+     * The authenticate method wraps the {@link https://stytch.com/docs/api/oauth-authenticate authenticate} OAuth API endpoint which validates the OAuth token passed in.
+     *
+     * @example
+     * const token = new URLSearchParams(window.location.search).get('token');
+     * stytch.oauth.authenticate(token, {
+     *   session_duration_minutes: 60
+     * }).then(...)
+     *
+     * @param token - The token to authenticate
+     * @param options - {@link OAuthAuthenticateOptions}
+     *
+     * @returns A {@link OAuthAuthenticateResponse} indicating the token has been authenticated.
+     *
+     * @throws A `StytchAPIError` when the Stytch API returns an error.
+     * @throws A `StytchAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     * @throws A `StytchSDKUsageError` when called with invalid input.
+     */
+    authenticate(token: string, options: OAuthAuthenticateOptions): Promise<OAuthAuthenticateResponse<TProjectConfiguration>>;
+    /**
+     * The attach method wraps the {@link https://stytch.com/docs/api/oauth-attach attach} OAuth API endpoint and generates an OAuth Attach Token to pre-associate an OAuth flow with an existing Stytch User.
+     *
+     * You must have an active Stytch session to use this endpoint.
+     * Pass the returned oauth_attach_token to the same provider's OAuth Start endpoint to treat this OAuth flow as a
+     * login for that user instead of a signup
+     *
+     * @param provider - The OAuth provider's name.
+     *
+     * @returns A {@link OAuthAttachResponse} containing a single-use token for connecting the Stytch User selection from this request to the corresponding OAuth Start request.
+     */
+    attach(provider: string): Promise<OAuthAttachResponse>;
+}
+
+type UserOnChangeCallback = (user: User | null) => void;
+type UserUpdateOptions = {
+    /**
+     * The name of the user. If at least one name field is passed, all name fields will be updated.
+     */
+    name?: {
+        /**
+         * The first name of the user. Replaces an existing first name, if it exists.
+         */
+        first_name?: string;
+        /**
+         * The middle name(s) of the user. Replaces an existing middle name, if it exists.
+         */
+        middle_name?: string;
+        /**
+         * The last name of the user. Replaces an existing last name, if it exists.
+         */
+        last_name?: string;
+    };
+    /**
+     * A JSON object containing application-specific metadata.
+     * Use it to store fields that a user can be allowed to edit directly without backend validation - such as `display_theme` or `preferred_locale`.
+     * See our {@link https://stytch.com/docs/api/metadata metadata reference} for complete details.
+     */
+    untrusted_metadata?: Record<string, unknown>;
+};
+type UserUpdateResponse = ResponseCommon & {
+    /**
+     * Globally unique UUID that identifies a specific user in the Stytch API.
+     */
+    user_id: string;
+    /**
+     * The updated emails for the user.
+     */
+    emails: User['emails'];
+    /**
+     * The updated phone numbers for the user.
+     */
+    phone_numbers: User['phone_numbers'];
+    /**
+     * The updated crypto wallets for the user.
+     */
+    crypto_wallets: User['crypto_wallets'];
+};
+type UserInfo = Cacheable<{
+    /**
+     * The user object, or null if no user exists.
+     */
+    user: User | null;
+}>;
+type UserGetConnectedAppsResponse = ResponseCommon & {
+    connected_apps: {
+        connected_app_id: string;
+        name: string;
+        description: string;
+        client_type: string;
+        logo_url?: string;
+        scopes_granted: string;
+    }[];
+};
+interface IHeadlessUserClient {
+    /**
+     * The asynchronous method, `user.get`, wraps the {@link https://stytch.com/docs/api/get-user get user} endpoint.
+     * It fetches the user's data and refreshes the cached object if changes are detected.
+     * The Stytch SDK will invoke this method automatically in the background, so you probably won't need to call this method directly.
+     *
+     * @returns A {@link User} object, or null if no user exists.
+     *
+     * @throws A `StytchAPIError` when the Stytch API returns an error.
+     * @throws A `StytchAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     */
+    get(): Promise<User>;
+    /**
+     * Wraps Stytch's {@link https://stytch.com/docs/api/update-user update user} endpoint. Use this method to change the user's name, untrusted metadata, and attributes.
+     *
+     * You can listen for successful user updates anywhere in the codebase with the `stytch.user.onChange()` method or `useStytchUser()` hook if you are using React.
+     *
+     * **Note:** If a user has enrolled another MFA method, this method will require MFA. See the {@link https://stytch.com/docs/sdks/javascript-sdk#resources_multi-factor-authentication Multi-factor authentication} section for more details.
+     *
+     * @example
+     * ```
+     * const updateName = useCallback(() => {
+     *  stytchClient.user.update({
+     *    name: {
+     *      first_name: 'Jane',
+     *      last_name: 'Doe',
+     *    },
+     *  });
+     * }, [stytchClient]);
+     * ```
+     *
+     * @param options - {@link UserUpdateOptions}
+     *
+     * @returns A {@link UserUpdateResponse} indicating the user has been updated.
+     *
+     * @throws A `StytchAPIError` when the Stytch API returns an error.
+     * @throws A `StytchAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     * @throws A `StytchSDKUsageError` when called with invalid input.
+     */
+    update(options: UserUpdateOptions): Promise<UserUpdateResponse>;
+    /**
+     * The `user.getSync` is a synchronous method for getting a user. This is the recommended approach. You can listen to changes with the `onChange` method.
+     * If logged in, this returns the cached user object, otherwise it returns null. This method does not refresh the user's data.
+     *
+     * @returns A {@link User} object, or null if no user exists.
+     *
+     * @throws A `StytchAPIError` when the Stytch API returns an error.
+     * @throws A `StytchAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     */
+    getSync(): User | null;
+    /**
+     * The `user.getInfo` method is similar to `user.getSync`, but it returns an object containing the `user` object and a `fromCache` boolean.
+     * If `fromCache` is true, the user object is from the cache and a state refresh is in progress.
+     */
+    getInfo(): UserInfo;
+    /**
+     * The `user.onChange` method takes in a callback that gets called whenever the user object changes. It returns an unsubscribe method for you to call when you no longer want to listen for such changes.
+     *
+     * In React, the `@stytch/react` library provides the `useStytchUser` hook that implements these methods for you to easily access the user and listen for changes.
+     *
+     * @param callback - Gets called whenever the user object changes. See {@link UserOnChangeCallback}.
+     *
+     * @returns An {@link UnsubscribeFunction} for you to call when you no longer want to listen for changes in the user object.
+     *
+     * @throws A `StytchAPIError` when the Stytch API returns an error.
+     * @throws A `StytchAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     * @throws A `StytchSDKUsageError` when called with invalid input.
+     */
+    onChange(callback: UserOnChangeCallback): UnsubscribeFunction;
+    /**
+     * Wraps Stytch's {@link https://stytch.com/docs/api/delete-user-email delete user email} endpoint.
+     * This methods cannot be used to remove all factors from a user. A user must have at least one email, phone number, or OAuth provider associated with their account at all times, otherwise they will not be able to log in again.
+     * Note: If a user has enrolled another MFA method, this method will require MFA. See the {@link https://stytch.com/docs/sdks/javascript-sdk#resources_multi-factor-authentication Multi-factor authentication} section for more details.
+     *
+     * @param emailId - ID of the email to be deleted.
+     *
+     * @returns A {@link DeleteResponse} that indicates the user email has been deleted.
+     *
+     * @throws A `StytchAPIError` when the Stytch API returns an error.
+     * @throws A `StytchAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     * @throws A `StytchSDKUsageError` when called with invalid input.
+     */
+    deleteEmail(emailId: string): Promise<DeleteResponse>;
+    /**
+     * Wraps Stytch's {@link https://stytch.com/docs/api/delete-user-phone-number delete phone number} endpoint.
+     * This methods cannot be used to remove all factors from a user. A user must have at least one email, phone number, or OAuth provider associated with their account at all times, otherwise they will not be able to log in again.
+     * Note: If a user has enrolled another MFA method, this method will require MFA. See the {@link https://stytch.com/docs/sdks/javascript-sdk#resources_multi-factor-authentication Multi-factor authentication} section for more details.
+     *
+     * @param phoneId - ID of the phone number to be deleted.
+     *
+     * @returns A {@link DeleteResponse} that indicates the user phone number has been deleted.
+     *
+     * @throws A `StytchAPIError` when the Stytch API returns an error.
+     * @throws A `StytchAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     * @throws A `StytchSDKUsageError` when called with invalid input.
+     */
+    deletePhoneNumber(phoneId: string): Promise<DeleteResponse>;
+    /**
+     * Wraps Stytch's {@link https://stytch.com/docs/api/delete-user-totp delete TOTP} endpoint.
+     * Note: If a user has enrolled another MFA method, this method will require MFA. See the {@link https://stytch.com/docs/sdks/javascript-sdk#resources_multi-factor-authentication Multi-factor authentication} section for more details.
+     *
+     * @param totpId - ID of the TOTP registration to be deleted.
+     *
+     * @returns A {@link DeleteResponse} that indicates the user TOTP registration has been deleted.
+     *
+     * @throws A `StytchAPIError` when the Stytch API returns an error.
+     * @throws A `StytchAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     * @throws A `StytchSDKUsageError` when called with invalid input.
+     */
+    deleteTOTP(totpId: string): Promise<DeleteResponse>;
+    /**
+     * Wraps Stytch's {@link https://stytch.com/docs/api/delete-user-oauth-registration delete OAuth} endpoint.
+     * Note: If a user has enrolled another MFA method, this method will require MFA. See the {@link https://stytch.com/docs/sdks/javascript-sdk#resources_multi-factor-authentication Multi-factor authentication} section for more details.
+     *
+     * @param oauthUserRegistrationId - ID of the OAuth registration to be deleted.
+     *
+     * @returns A {@link DeleteResponse} that indicates the user OAuth registration has been deleted.
+     *
+     * @throws A `StytchAPIError` when the Stytch API returns an error.
+     * @throws A `StytchAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     * @throws A `StytchSDKUsageError` when called with invalid input.
+     */
+    deleteOAuthRegistration(oauthUserRegistrationId: string): Promise<DeleteResponse>;
+    /**
+     * Wraps Stytch's {@link https://stytch.com/docs/api/delete-user-crypto-wallet delete crypto wallet} endpoint.
+     * Note: If a user has enrolled another MFA method, this method will require MFA. See the {@link https://stytch.com/docs/sdks/javascript-sdk#resources_multi-factor-authentication Multi-factor authentication} section for more details.
+     *
+     * @param cryptoWalletId - ID of the crypto wallet to be deleted.
+     *
+     * @returns A {@link DeleteResponse} that indicates the user crypto wallet has been deleted.
+     *
+     * @throws A `StytchAPIError` when the Stytch API returns an error.
+     * @throws A `StytchAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     * @throws A `StytchSDKUsageError` when called with invalid input.
+     */
+    deleteCryptoWallet(cryptoWalletId: string): Promise<DeleteResponse>;
+    /**
+     * Wraps Stytch's {@link https://stytch.com/docs/api/delete-user-webauthn-registration delete WebAuthn} endpoint.
+     * Note: If a user has enrolled another MFA method, this method will require MFA. See the {@link https://stytch.com/docs/sdks/javascript-sdk#resources_multi-factor-authentication Multi-factor authentication} section for more details.
+     *
+     * @param webAuthnId - ID of the WebAuthn registration to be deleted.
+     *
+     * @returns A {@link DeleteResponse} that indicates the user WebAuthn registration has been deleted.
+     *
+     * @throws A `StytchAPIError` when the Stytch API returns an error.
+     * @throws A `StytchAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     * @throws A `StytchSDKUsageError` when called with invalid input.
+     */
+    deleteWebauthnRegistration(webAuthnId: string): Promise<DeleteResponse>;
+    /**
+     * Wraps Stytch's {@link https://stytch.com/docs/api/delete-user-biometric-registration delete biometric} endpoint.
+     *
+     * @param biometricRegistrationId - ID of the biometric registration to be deleted.
+     *
+     * @returns A {@link DeleteResponse} that indicates the user Biometric registration has been deleted.
+     *
+     * @throws A `StytchAPIError` when the Stytch API returns an error.
+     * @throws A `StytchAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     * @throws A `StytchSDKUsageError` when called with invalid input.
+     */
+    deleteBiometricRegistration(biometricRegistrationId: string): Promise<DeleteResponse>;
+    /**
+     * The User Get Connected Apps method wraps the {@link https://stytch.com/docs/api/connected-app-user-get-all User Get Connected Apps} API endpoint.
+     * The `user_id` will be automatically inferred from the logged-in user's session.
+     *
+     * This method retrieves a list of Connected Apps that the user has completed an authorization flow with successfully.
+     * If the user revokes a Connected App's access (e.g. via the `revokeConnectedApp` method) then the Connected App will
+     * no longer be returned in this endpoint's response.
+     *
+     * @returns A {@link UserGetConnectedAppsResponse} containing a list of the user's connected apps
+     *
+     * @throws A `StytchSDKAPIError` when the Stytch API returns an error.
+     * @throws A `SDKAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     * @throws A `StytchSDKUsageError` when called with invalid input.
+     */
+    getConnectedApps(): Promise<UserGetConnectedAppsResponse>;
+    /**
+     * The User Revoke Connected App method wraps the {@link https://stytch.com/docs/api/connected-app-user-revoke User Revoke Connected App} API endpoint.
+     * The `user_id` will be automatically inferred from the logged-in user's session.
+     *
+     * This method revokes a Connected App's access to the user and revokes all active tokens that have been
+     * created on the user's behalf. New tokens cannot be created until the user completes a new authorization
+     * flow with the Connected App.
+     *
+     * Note that after calling this method, the user will be forced to grant consent in subsequent authorization
+     * flows with the Connected App.
+     *
+     * @param connectedAppId - ID of the Connected App to revoke.
+     * @returns A {@link ResponseCommon} indicating that the Connected App's access has been revoked.
+     *
+     * @throws A `StytchSDKAPIError` when the Stytch API returns an error.
+     * @throws A `SDKAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     * @throws A `StytchSDKUsageError` when called with invalid input.
+     */
+    revokedConnectedApp(connectedAppId: string): Promise<ResponseCommon>;
+}
+
+type TOTPCreateOptions = {
+    /**
+     * The expiration for the TOTP instance. If the newly created TOTP is not authenticated within this time frame the TOTP will be unusable. Defaults to 60 (1 hour) with a minimum of 5 and a maximum of 1440.
+     */
+    expiration_minutes: number;
+};
+type TOTPCreateResponse = ResponseCommon & {
+    /**
+     * Globally unique UUID that identifies a specific TOTP registration in the Stytch API.
+     */
+    totp_id: string;
+    /**
+     * The TOTP secret key shared between the authenticator app and the server used to generate TOTP codes.
+     */
+    secret: string;
+    /**
+     * The QR code image encoded in base64.
+     */
+    qr_code: string;
+    /**
+     * The recovery codes used to authenticate the user without an authenticator app.
+     */
+    recovery_codes: string[];
+};
+type TOTPAuthenticateOptions = SessionDurationOptions & {
+    /**
+     * The TOTP code to authenticate. The TOTP code should consist of 6 digits.
+     */
+    totp_code: string;
+};
+type TOTPAuthenticateResponse<TProjectConfiguration extends StytchProjectConfigurationInput = Stytch.DefaultProjectConfiguration> = AuthenticateResponse<TProjectConfiguration> & {
+    /**
+     * Globally unique UUID that identifies a specific TOTP registration in the Stytch API.
+     */
+    totp_id: string;
+    /**
+     * The device history of the user.
+     */
+    user_device?: SDKDeviceHistory;
+};
+type TOTPRecovery = {
+    /**
+     * Globally unique UUID that identifies a specific TOTP registration in the Stytch API.
+     */
+    totp_id: string;
+    /**
+     * Indicates whether or not the TOTP registration has been verified by the user.
+     */
+    verified: boolean;
+    /**
+     * The recovery codes for the TOTP registration.
+     */
+    recovery_codes: string[];
+};
+type TOTPRecoveryCodesResponse = ResponseCommon & {
+    /**
+     * Globally unique UUID that identifies a specific user in the Stytch API.
+     */
+    user_id: string;
+    /**
+     * See {@link TOTPRecovery}.
+     */
+    totps: TOTPRecovery;
+};
+type TOTPRecoverOptions = SessionDurationOptions & {
+    /**
+     * The recovery code to authenticate.
+     */
+    recovery_code: string;
+};
+type TOTPRecoverResponse<TProjectConfiguration extends StytchProjectConfigurationInput = Stytch.DefaultProjectConfiguration> = AuthenticateResponse<TProjectConfiguration> & {
+    /**
+     * Globally unique UUID that identifies a specific TOTP registration in the Stytch API.
+     */
+    totp_id: string;
+    /**
+     * The device history of the user.
+     */
+    user_device?: SDKDeviceHistory;
+};
+interface IHeadlessTOTPClient<TProjectConfiguration extends StytchProjectConfigurationInput> {
+    /**
+     * Wraps Stytch's {@link https://stytch.com/docs/api/totp-create Create} endpoint. Call this method to create a new TOTP instance for a user. The user can use the authenticator application of their choice to scan the QR code or enter the secret.
+     *
+     * You can listen for successful user updates anywhere in the codebase with the `stytch.user.onChange()` method or `useStytchUser()` hook if you are using React.
+     *
+     * **Note:** If a user has enrolled another MFA method, this method will require MFA. See the {@link https://stytch.com/docs/sdks/javascript-sdk/resources/mfa Multi-factor Authentication} section for more details.
+     *
+     * @example
+     * ```
+     * stytchClient.totps.create({ expiration_minutes: 60 });
+     * ```
+     *
+     * @param options - {@link TOTPCreateOptions}
+     *
+     * @returns A {@link TOTPCreateResponse} indicating a new TOTP instance has been created.
+     *
+     * @throws A `StytchAPIError` when the Stytch API returns an error.
+     * @throws A `StytchAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     * @throws A `StytchSDKUsageError` when called with invalid input.
+     */
+    create(options: TOTPCreateOptions): Promise<TOTPCreateResponse>;
+    /**
+     * Wraps Stytch's {@link https://stytch.com/docs/api/totp-authenticate Authenticate} endpoint. Call this method to authenticate a TOTP code entered by a user.
+     *
+     * @example
+     * ```
+     * stytch.totps.authenticate({ totp_code: '123456', session_duration_minutes: 60 });
+     * ```
+     *
+     * @param options - {@link TOTPAuthenticateOptions}
+     *
+     * @returns A {@link TOTPAuthenticateResponse} indicating the TOTP code has been authenticated.
+     *
+     * @throws A `StytchAPIError` when the Stytch API returns an error.
+     * @throws A `StytchAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     * @throws A `StytchSDKUsageError` when called with invalid input.
+     */
+    authenticate(options: TOTPAuthenticateOptions): Promise<TOTPAuthenticateResponse<TProjectConfiguration>>;
+    /**
+     * Wraps Stytch's {@link https://stytch.com/docs/api/totp-get-recovery-codes Recovery Codes} endpoint. Call this method to retrieve the recovery codes for a TOTP instance tied to a user.
+     *
+     * You can listen for successful user updates anywhere in the codebase with the `stytch.user.onChange()` method or `useStytchUser()` hook if you are using React.
+     *
+     * **Note:** If a user has enrolled another MFA method, this method will require MFA. See the {@link https://stytch.com/docs/sdks/javascript-sdk/resources/mfa Multi-factor authentication} section for more details.
+     *
+     * @example
+     * ```
+     * stytchClient.totps.recoveryCodes();
+     * ```
+     *
+     * @returns A {@link TOTPRecoveryCodesResponse} containing the TOTP recovery codes tied to the user.
+     *
+     * @throws A `StytchAPIError` when the Stytch API returns an error.
+     * @throws A `StytchAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     */
+    recoveryCodes(): Promise<TOTPRecoveryCodesResponse>;
+    /**
+     * Wraps Stytch's {@link https://stytch.com/docs/api/totp-recover Recover} endpoint. Call this method to authenticate a recovery code for a TOTP instance.
+     *
+     * @example
+     * ```
+     * stytch.totps.recover({ recovery_code: 'xxxx-xxxx-xxxx', session_duration_minutes: 60 });
+     * ```
+     *
+     * @param options - {@link TOTPRecoverOptions}
+     *
+     * @returns A {@link TOTPRecoverResponse} indicating the TOTP recovery code has been authenticated.
+     *
+     * @throws A `StytchAPIError` when the Stytch API returns an error.
+     * @throws A `StytchAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     * @throws A `StytchSDKUsageError` when called with invalid input.
+     */
+    recover(options: TOTPRecoverOptions): Promise<TOTPRecoverResponse<TProjectConfiguration>>;
+}
+
+type B2BSessionAuthenticateResponse<TProjectConfiguration extends StytchProjectConfigurationInput = Stytch.DefaultProjectConfiguration> = B2BAuthenticateResponse<TProjectConfiguration>;
+type B2BSessionRevokeOptions = {
+    /**
+     * When true, clear the user and session object in the local storage, even in the event of a network failure revoking the session.
+     * When false, the user and session object will not be cleared in the event that the SDK cannot contact the Stytch servers.
+     * The user and session object will always be cleared when the session revoke call succeeds.
+     * Defaults to false
+     */
+    forceClear?: boolean;
+};
+type B2BSessionRevokeForMemberOptions = {
+    /**
+     * The ID of the Member whose sessions should be revoked.
+     */
+    member_id: string;
+};
+type B2BSessionRevokeForMemberResponse = ResponseCommon;
+type B2BSessionOnChangeCallback = (session: MemberSession | null) => void;
+type B2BSessionExchangeOptions = SessionDurationOptions & {
+    /**
+     * The ID of the organization that the new session should belong to.
+     */
+    organization_id: string;
+    /**
+     * The locale will be used if an OTP code is sent to the member's phone number as part of a
+     * secondary authentication requirement.
+     */
+    locale?: locale;
+};
+type B2BSessionExchangeResponse<TProjectConfiguration extends StytchProjectConfigurationInput = Stytch.DefaultProjectConfiguration> = B2BAuthenticateResponseWithMFA<TProjectConfiguration>;
+type B2BSessionAccessTokenExchangeOptions = SessionDurationOptions & {
+    /**
+     * The Connected Apps access token.
+     */
+    access_token: string;
+};
+type B2BSessionAccessTokenExchangeResponse<TProjectConfiguration extends StytchProjectConfigurationInput = Stytch.DefaultProjectConfiguration> = B2BAuthenticateResponse<TProjectConfiguration>;
+type MemberSessionInfo = Cacheable<{
+    /**
+     * The session object, or null if no session exists.
+     */
+    session: MemberSession | null;
+}>;
+type B2BSessionAttestOptions = SessionDurationOptions & {
+    /**
+     * The ID of the organization that the new session should belong to.
+     */
+    organization_id?: string;
+    /**
+     * The ID of the token profile used to validate the JWT string.
+     */
+    profile_id: string;
+    /**
+     * JWT string.
+     */
+    token: string;
+} & Partial<SessionTokens>;
+type B2BSessionAttestResponse<TProjectConfiguration extends StytchProjectConfigurationInput = Stytch.DefaultProjectConfiguration> = B2BAuthenticateResponse<TProjectConfiguration>;
+interface IHeadlessB2BSessionClient<TProjectConfiguration extends StytchProjectConfigurationInput> {
+    /**
+     * If logged in, the `session.getSync` method returns the cached session object. Otherwise it returns `null`.
+     *
+     * @example
+     * const memberSession = stytch.session.getSync();
+     * @returns The user's active {@link MemberSession} object or `null`
+     */
+    getSync(): MemberSession | null;
+    /**
+     * The `session.getInfo` method is similar to `session.getSync`, but it returns an object containing the `session` object and a `fromCache` boolean.
+     * If `fromCache` is true, the session object is from the cache and a state refresh is in progress.
+     */
+    getInfo(): MemberSessionInfo;
+    /**
+     * Returns the `session_token` and `session_jwt` values associated with the logged-in user's active session.
+     *
+     * Session tokens are only available if:
+     * - There is an active session, and
+     * - The session is _not_ managed via HttpOnly cookies.
+     *
+     * If either of these conditions is not met, `getTokens` will return `null`.
+     *
+     * Note that the Stytch SDK stores the `session_token` and `session_jwt` values as session cookies in the user's browser.
+     * Those cookies will be automatically included in any request that your frontend makes to a service (such as your backend) that shares the domain set on the cookies, so in most cases, you will not need to explicitly retrieve the `session_token` and `session_jwt` values using the `getTokens()` method.
+     * However, we offer this method to serve some unique use cases where explicitly retrieving the tokens may be necessary.
+     *
+     * @example
+     * const {session_jwt} = stytch.session.getTokens();
+     * fetch('https://api.example.com, {
+     *   headers: new Headers({
+     *    'Authorization': 'Bearer ' + session_jwt,
+     *    credentials: 'include',
+     *   }),
+     * })
+     *
+     */
+    getTokens(): IfOpaqueTokens<ExtractOpaqueTokens<TProjectConfiguration>, never, SessionTokens | null>;
+    /**
+     * The `session.onChange` method takes in a callback that gets called whenever the Member Session object changes.
+     * It returns an unsubscribe method for you to call when you no longer want to listen for such changes.
+     *
+     * The `useStytchMemberSession` hook is available in `@stytch/react` or `@stytch/nextjs`. It implements these methods for you to easily access the session and listen for changes.
+     * @example
+     * stytch.session.onChange((memberSession) => {
+     *   if(!memberSession) {
+     *     // The member has been logged out!
+     *     window.location.href = 'https://example.com/login'
+     *   }
+     * })
+     * @param callback - {@link B2BSessionOnChangeCallback}
+     */
+    onChange(callback: B2BSessionOnChangeCallback): UnsubscribeFunction;
+    /**
+     * Wraps Stytch's {@link https://stytch.com/docs/b2b/api/authenticate-session authenticate } Session endpoint and validates that the session issued to the user is still valid.
+     * The SDK will invoke this method automatically in the background. You probably won't need to call this method directly.
+     * It's recommended to use `session.getSync` and `session.onChange` instead.
+     * @example
+     * stytch.session.authenticate({
+     *   // Extend the session for another 60 minutes
+     *   session_duration_minutes: 60
+     * })
+     * @param options - {@link SessionAuthenticateOptions}
+     * @returns A {@link B2BSessionAuthenticateResponse} object
+     */
+    authenticate(options?: SessionAuthenticateOptions): Promise<B2BSessionAuthenticateResponse<TProjectConfiguration>>;
+    /**
+     * Wraps Stytch's {@link https://stytch.com/docs/b2b/api/revoke-session revoke} Session endpoint and revokes the user's current session.
+     * This method should be used to log out a user. While calling this method, we clear the user and session objects from local storage
+     * unless the SDK cannot contact the Stytch servers. This behavior can be overriden by using the optional param object.
+     *
+     * @param options - {@link B2BSessionRevokeOptions}
+     *
+     * @example
+     * stytch.session.revoke()
+     *   .then(() => window.location.href = 'https://example.com/login');
+     * @returns A {@link SessionRevokeResponse}
+     */
+    revoke(options?: B2BSessionRevokeOptions): Promise<SessionRevokeResponse>;
+    /**
+     * Wraps Stytch's {@link https://stytch.com/docs/b2b/api/revoke-session revoke} Session endpoint and revokes all Sessions for a given Member.
+     *
+     * @rbac action="revoke-sessions", resource="stytch.member"
+     *
+     * @param options - {@link B2BSessionRevokeForMemberOptions}
+     *
+     * @example
+     * stytch.session.revokeForMember({ member_id: 'member-id-123' });
+     * @returns A {@link B2BSessionRevokeForMemberResponse}
+     */
+    revokeForMember(options: B2BSessionRevokeForMemberOptions): Promise<B2BSessionRevokeForMemberResponse>;
+    /**
+     * Update a user's session tokens to hydrate a front-end session from the backend.
+     * For example, if you log your users in with one of our backend SDKs, you can pass the resulting `session_token` and `session_jwt` to this method to prime the frontend SDK with a valid set of tokens.
+     * You must then make an {@link https://stytch.com/docs/api/session-auth authenticate} call to authenticate the session tokens and retrieve the user's current session.
+     *
+     * @param tokens - The session tokens to update to
+     */
+    updateSession(tokens: SessionTokensUpdate): void;
+    /**
+     * Wraps Stytch's {@link https://stytch.com/docs/b2b/api/exchange-session Exchange Session} endpoint and exchanges the member's current session for a session in the specified Organization.
+     * @example
+     * stytch.session.exchange({
+     *   organization_id: 'organization-123',
+     *   session_duration_minutes: 60
+     * })
+     * @param options - {@link B2BSessionExchangeOptions}
+     * @returns A {@link B2BSessionExchangeResponse}
+     */
+    exchange(options: B2BSessionExchangeOptions): Promise<B2BSessionExchangeResponse<TProjectConfiguration>>;
+    /**
+     * Wraps Stytch's {@link https://stytch.com/docs/b2b/api/connected-app-access-token-exchange Exchange Access Token} endpoint and exchanges a Connected Apps token for a Session for the original Member.
+     * @example
+     * stytch.session.exchangeAccessToken({
+     *   access_token: 'eyJh...',
+     *   session_duration_minutes: 60
+     * })
+     * @param options - {@link B2BSessionExchangeOptions}
+     * @returns A {@link B2BSessionExchangeResponse}
+     */
+    exchangeAccessToken(options: B2BSessionAccessTokenExchangeOptions): Promise<B2BSessionAccessTokenExchangeResponse<TProjectConfiguration>>;
+    /**
+     * Wraps Stytch's {@link https://stytch.com/docs/b2b/api/attest-session Attest} Session endpoint and gets a Stytch session from a trusted JWT.
+     * @example
+     * stytch.session.attest({
+     *   organization_id: 'organization-123',
+     *   profile_id: 'profile-123',
+     *   token: 'eyJh...',
+     *   session_duration_minutes: 60
+     * })
+     * @param data - {@link B2BSessionAttestOptions}
+     * @returns A {@link B2BSessionAttestResponse}
+     */
+    attest(data: B2BSessionAttestOptions): Promise<B2BSessionAttestResponse<TProjectConfiguration>>;
+}
+
+type B2BMemberOnChangeCallback = (member: Member | null) => void;
+type B2BMemberUpdateOptions = {
+    /**
+     * The name of the Member. Replaces the existing name, if it exists.
+     */
+    name?: string;
+    /**
+     * A JSON object containing application-specific metadata.
+     * Use it to store fields that a Member can be allowed to edit directly without backend validation - such as `display_theme` or `preferred_locale`.
+     * See our {@link https://stytch.com/docs/api/metadata metadata reference} for complete details.
+     */
+    untrusted_metadata?: Record<string, unknown>;
+    /**
+     * Sets whether the Member is enrolled in MFA.
+     * If true, the Member must complete an MFA step whenever they wish to log in to their Organization.
+     * If false, the Member only needs to complete an MFA step if the Organization's MFA policy is set to REQUIRED_FOR_ALL.
+     */
+    mfa_enrolled?: boolean;
+    /**
+     * Sets the Member's phone number. Throws an error if the Member already has a phone number.
+     */
+    mfa_phone_number?: string;
+    /**
+     * Sets the Member's default MFA method. Valid values are 'sms_otp' and 'totp'.
+     * This value will determine
+     * 1. Which MFA method the Member is prompted to use when logging in
+     * 2. Whether An SMS will be sent automatically after completing the first leg of authentication
+     */
+    default_mfa_method?: 'sms_otp' | 'totp';
+};
+type B2BMemberUnlinkRetiredEmailRequest = {
+    /**
+     * ID of the retired email to be deleted. At least one of email id or email address must be provided.
+     */
+    email_id?: string;
+    /**
+     * Address of the retired email to be deleted. At least one of email id or email address must be provided.
+     */
+    email_address?: string;
+};
+type B2BMemberStartEmailUpdateRequest = {
+    /**
+     * The new email address to be set (after verification) for the Member.
+     */
+    email_address: string;
+    /**
+     * The url the user is redirected to after clicking the login email magic link.
+     * This should be a url that your app receives and parses and subsequently send an API request to authenticate the magic link and log in the member.
+     * If this value is not passed, the default login redirect URL that you set in your Dashboard is used.
+     * If you have not set a default login redirect URL, an error is returned.
+     */
+    login_redirect_url?: string;
+    /**
+     * The email template ID to use for magic linkemails.
+     * If not provided, your default email template will be sent. If providing a template ID, it must be either a template using Stytch's customizations,
+     * or a Magic link Login custom HTML template.
+     */
+    login_template_id?: string;
+    /**
+     * The locale is used to determine which language to use in the email. Parameter is a {@link https://www.w3.org/International/articles/language-tags/ IETF BCP 47 language tag}, e.g. "en".
+     * Currently supported languages are English ("en"), Spanish ("es"), and Brazilian Portuguese ("pt-br"); if no value is provided, the copy defaults to English.
+     */
+    locale?: locale;
+    /**
+     * The delivery method to use when sending the email, either EMAIL_MAGIC_LINK or EMAIL_OTP. By default, EMAIL_MAGIC_LINK is used.
+     */
+    delivery_method?: MemberEmailUpdateDeliveryMethod;
+};
+type B2BMemberStartEmailUpdateResponse = MemberResponseCommon;
+type B2BMemberGetConnectedAppsResponse = ResponseCommon & {
+    connected_apps: {
+        connected_app_id: string;
+        name: string;
+        description: string;
+        client_type: string;
+        logo_url?: string;
+        scopes_granted: string;
+    }[];
+};
+type B2BMemberRevokeConnectedAppOptions = {
+    connected_app_id: string;
+};
+type B2BMemberRevokeConnectedAppResponse = ResponseCommon;
+type B2BMemberUpdateResponse = MemberResponseCommon;
+type B2BMemberDeleteMFAPhoneNumberResponse = MemberResponseCommon;
+type B2BMemberDeletePasswordResponse = MemberResponseCommon;
+type B2BMemberDeleteMFATOTPResponse = MemberResponseCommon;
+type B2BMemberUnlinkRetiredEmailResponse = MemberResponseCommon;
+type MemberInfo = Cacheable<{
+    /**
+     * The member object, or null if no member exists.
+     */
+    member: Member | null;
+}>;
+interface IHeadlessB2BSelfClient {
+    /**
+     * The asynchronous method, `member.get`, wraps the {@link https://stytch.com/docs/b2b/api/search-members search member} endpoint.
+     * It fetches the Member's data and refreshes the cached object if changes are detected.
+     * The Stytch SDK will invoke this method automatically in the background, so you probably won't need to call this method directly.
+     *
+     * @returns A {@link Member} object, or null if no member exists.
+     *
+     * @throws A `StytchAPIError` when the Stytch API returns an error.
+     * @throws A `StytchAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     */
+    get(): Promise<Member | null>;
+    /**
+     * If logged in, the `member.getSync` method returns the cached Member object.
+     * Otherwise it returns `null`.
+     * This method does not refresh the Member's data.
+     *
+     * @returns A {@link Member} object, or null if no user exists.
+     *
+     * @throws A `StytchAPIError` when the Stytch API returns an error.
+     * @throws A `StytchAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     */
+    getSync(): Member | null;
+    /**
+     * The `member.getInfo` method is similar to `member.getSync`, but it returns an object containing the `member` object and a `fromCache` boolean.
+     * If `fromCache` is true, the Member object is from the cache and a state refresh is in progress.
+     */
+    getInfo(): MemberInfo;
+    /**
+     * The `member.onChange` method takes in a callback that gets called whenever the Member object changes.
+     * It returns an unsubscribe method for you to call when you no longer want to listen for such changes.
+     *
+     * @param callback - Gets called whenever the member object changes. See {@link B2BMemberOnChangeCallback}.
+     *
+     * @returns An {@link UnsubscribeFunction} for you to call when you no longer want to listen for changes in the member object.
+     *
+     * @throws A `StytchAPIError` when the Stytch API returns an error.
+     * @throws A `StytchAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     * @throws A `StytchSDKUsageError` when called with invalid input.
+     */
+    onChange(callback: B2BMemberOnChangeCallback): UnsubscribeFunction;
+    /**
+     * The Update Member method wraps the {@link https://stytch.com/docs/b2b/api/update-member Update Member} API endpoint.
+     * The `organization_id` will be automatically inferred from the logged-in Member's session.
+     * This method can be used to update any Member in the logged-in Member's Organization.
+     *
+     * See the {@link https://stytch.com/docs/b2b/sdks/javascript-sdk/members#update-self Stytch Docs} for a complete reference.
+     *
+     * @example
+     * stytch.self.update({
+     *   mfa_enrolled: true,
+     *   phone_number: '+12025550162',
+     * });
+     *
+     * @rbac action="requested", resource="stytch.self"
+     *
+     * @param data - {@link B2BMemberUpdateOptions}
+     *
+     * @returns A {@link B2BMemberUpdateResponse} indicating that the member has been updated.
+     *
+     * @throws A `StytchAPIError` when the Stytch API returns an error.
+     * @throws A `StytchAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     * @throws A `StytchSDKUsageError` when called with invalid input.
+     */
+    update(data: B2BMemberUpdateOptions): Promise<B2BMemberUpdateResponse>;
+    /**
+     * The Delete Self MFA phone number method wraps the {@link https://stytch.com/docs/b2b/api/delete-member-mfa-phone-number Delete Member MFA phone number} API endpoint.
+     * The `organization_id` and `member_id` will be automatically inferred from the logged-in Member's session.
+     * This method can only be used to delete the logged-in Member's MFA phone number.
+     *
+     * To change a Member's phone number, you must first call this endpoint to delete the existing phone number.
+     *
+     * See the {@link https://stytch.com/docs/b2b/sdks/javascript-sdk/members#delete-self-mfa-phone-number Stytch Docs} for a complete reference.
+     *
+     * @rbac action="update.info.delete.mfa-phone", resource="stytch.self"
+     *
+     * @returns A {@link B2BMemberDeleteMFAPhoneNumberResponse} indicating that the member's phone number has been deleted.
+     *
+     * @throws A `StytchAPIError` when the Stytch API returns an error.
+     * @throws A `StytchAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     * @throws A `StytchSDKUsageError` when called with invalid input.
+     */
+    deleteMFAPhoneNumber(): Promise<B2BMemberDeleteMFAPhoneNumberResponse>;
+    /**
+     * The Delete Self password method wraps the {@link https://stytch.com/docs/b2b/api/delete-member-password Delete Member password} API endpoint.
+     * The `organization_id` and `member_id` will be automatically inferred from the logged-in Member's session.
+     * This method can only be used to delete the logged-in Member's password.
+     *
+     * See the {@link https://stytch.com/docs/b2b/sdks/javascript-sdk/members#delete-self-password Stytch Docs} for a complete reference.
+     *
+     * @rbac action="update.info.delete.password", resource="stytch.self"
+     *
+     * @returns A {@link B2BMemberDeletePasswordResponse} indicating that the member's phone number has been deleted.
+     *
+     * @throws A `StytchSDKAPIError` when the Stytch API returns an error.
+     * @throws A `SDKAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     * @throws A `StytchSDKUsageError` when called with invalid input.
+     */
+    deletePassword(passwordId: string): Promise<B2BMemberDeletePasswordResponse>;
+    /**
+     * The Delete Self MFA totp method wraps the {@link https://stytch.com/docs/b2b/api/delete-member-mfa-totp Delete Member MFA TOTP} API endpoint.
+     * The `organization_id` and `member_id` will be automatically inferred from the logged-in Member's session.
+     * This method can only be used to delete the logged-in Member's MFA totp.
+     *
+     * To change a Member's totp, you must first call this endpoint to delete the existing totp.
+     *
+     * See the {@link https://stytch.com/docs/b2b/sdks/javascript-sdk/members#delete-self-mfa-totp Stytch Docs} for a complete reference.
+     *
+     * @rbac action="update.info.delete.mfa-totp", resource="stytch.self"
+     *
+     * @returns A {@link B2BMemberDeleteMFATOTPResponse} indicating that the member's totp has been deleted.
+     *
+     * @throws A `StytchSDKAPIError` when the Stytch API returns an error.
+     * @throws A `SDKAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     * @throws A `StytchSDKUsageError` when called with invalid input.
+     */
+    deleteMFATOTP(): Promise<B2BMemberDeleteMFATOTPResponse>;
+    /**
+     * The Unlink Self Retired Email Address method wraps the {@link https://stytch.com/docs/b2b/api/unlink-retired-member-email Unlink Retired Email} API endpoint.
+     * The `organization_id` and `member_id` will be automatically inferred from the logged-in Member's session.
+     * This method can only be used to unlink the logged-in Member's retired email.
+     *
+     * See the {@link https://stytch.com/docs/b2b/sdks/javascript-sdk/members#unlink-retired-member-email Stytch Docs} for a complete reference.
+     *
+     * @rbac action="update.info.unlink.retired-email", resource="stytch.self"
+     *
+     * @param data - {@link B2BMemberUnlinkRetiredEmailRequest}
+     * @returns A {@link B2BMemberUnlinkRetiredEmailResponse} indicating that the member's retired email has been marked as deleted.
+     *
+     * @throws A `StytchSDKAPIError` when the Stytch API returns an error.
+     * @throws A `SDKAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     * @throws A `StytchSDKUsageError` when called with invalid input.
+     */
+    unlinkRetiredEmail(data: B2BMemberUnlinkRetiredEmailRequest): Promise<B2BMemberUnlinkRetiredEmailResponse>;
+    /**
+     * The Start Email Update method wraps the {@link https://stytch.com/docs/b2b/api/start-member-email-update Start Member Email Update} API endpoint.
+     * The `organization_id` and `member_id` will be automatically inferred from the logged-in Member's session.
+     * This method can be used to start the self-serve email update process for the logged-in Member.
+     *
+     * See the {@link https://stytch.com/docs/b2b/sdks/members/start-self-email-update Stytch Docs} for a complete reference.
+     *
+     * @rbac action="update.info.email", resource="stytch.self"
+     *
+     * @param data - {@link B2BMemberStartEmailUpdateRequest}
+     * @returns A {@link B2BMemberStartEmailUpdateResponse} indicating that an email update has been started.
+     *
+     * @throws A `StytchSDKAPIError` when the Stytch API returns an error.
+     * @throws A `SDKAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     * @throws A `StytchSDKUsageError` when called with invalid input.
+     */
+    startEmailUpdate(data: B2BMemberStartEmailUpdateRequest): Promise<B2BMemberStartEmailUpdateResponse>;
+    /**
+     * The Member Get Connected Apps method wraps the {@link https://stytch.com/docs/b2b/api/connected-app-member-get-all Member Get Connected Apps} API endpoint.
+     * The `organization_id` and `member_id` will be automatically inferred from the logged-in Member's session.
+     *
+     * This method retrieves a list of Connected Apps that the Member has completed an authorization flow with successfully.
+     * If the Member revokes a Connected App's access (e.g. via the `revokeConnectedApp` method) then the Connected App will
+     * no longer be returned in this endpoint's response. A Connected App's access may be revoked if the Organization's
+     * allowed Connected App policy changes.
+     *
+     * See the {@link https://stytch.com/docs/b2b/sdks/members/get-self-connected-apps Stytch Docs} for a complete reference.
+     *
+     * @rbac action="get.connected-apps", resource="stytch.self"
+     *
+     * @returns A {@link B2BMemberGetConnectedAppsResponse} indicating that the member's retired email has been marked as deleted.
+     *
+     * @throws A `StytchSDKAPIError` when the Stytch API returns an error.
+     * @throws A `SDKAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     * @throws A `StytchSDKUsageError` when called with invalid input.
+     */
+    getConnectedApps(): Promise<B2BMemberGetConnectedAppsResponse>;
+    /**
+     * The Member Revoke Connected App method wraps the {@link https://stytch.com/docs/b2b/api/connected-app-member-revoke Member Revoke Connected App} API endpoint.
+     * The `organization_id` and `member_id` will be automatically inferred from the logged-in Member's session.
+     *
+     * This method revokes a Connected App's access to the Member and revokes all active tokens that have been
+     * created on the Member's behalf. New tokens cannot be created until the Member completes a new authorization
+     * flow with the Connected App.
+     *
+     * Note that after calling this method, the Member will be forced to grant consent in subsequent authorization
+     * flows with the Connected App.
+     *
+     * See the {@link https://stytch.com/docs/b2b/sdks/members/revoke-self-connected-app Stytch Docs} for a complete reference.
+     *
+     * @rbac action="revoke.connected-app", resource="stytch.self"
+     *
+     * @param data - {@link B2BMemberRevokeConnectedAppOptions}
+     * @returns A {@link B2BMemberRevokeConnectedAppResponse} indicating that the Connected App's access has been revoked.
+     *
+     * @throws A `StytchSDKAPIError` when the Stytch API returns an error.
+     * @throws A `SDKAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     * @throws A `StytchSDKUsageError` when called with invalid input.
+     */
+    revokeConnectedApp(data: B2BMemberRevokeConnectedAppOptions): Promise<B2BMemberRevokeConnectedAppResponse>;
+}
+/**
+ * @deprecated please use IHeadlessB2BSelfClient
+ */
+interface IHeadlessB2BMemberClient {
+    /**
+     * The asynchronous method, `member.get`, wraps the {@link https://stytch.com/docs/b2b/api/search-members Search Member} endpoint.
+     * It fetches the Member's data and refreshes the cached object if changes are detected.
+     * The Stytch SDK will invoke this method automatically in the background, so you probably won't need to call this method directly.
+     *
+     * @deprecated please use {@link IHeadlessB2BSelfClient#get self.get()} instead
+     * @returns A {@link Member} object, or null if no member exists.
+     *
+     * @throws A `StytchSDKAPIError` when the Stytch API returns an error.
+     * @throws A `SDKAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     */
+    get(): Promise<Member | null>;
+    /**
+     * If logged in, the `member.getSync` method returns the cached Member object.
+     * Otherwise it returns `null`. This method does not refresh the Member's data.
+     * The synchronous method for getting a member. This is the recommended approach.
+     *
+     * @deprecated please use {@link IHeadlessB2BSelfClient#get self.getSync()} instead
+     * @returns A {@link Member} object, or null if no user exists.
+     *
+     * @throws A `StytchSDKAPIError` when the Stytch API returns an error.
+     * @throws A `SDKAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     */
+    getSync(): Member | null;
+    /**
+     * The `member.onChange` method takes in a callback that gets called whenever the Member object changes.
+     * It returns an unsubscribe method for you to call when you no longer want to listen for such changes.
+     *
+     * @deprecated please use {@link IHeadlessB2BSelfClient#get self.onChange()} instead
+     * @param callback - Gets called whenever the member object changes. See {@link B2BMemberOnChangeCallback}.
+     *
+     * @returns An {@link UnsubscribeFunction} for you to call when you no longer want to listen for changes in the member object.
+     *
+     * @throws A `StytchSDKAPIError` when the Stytch API returns an error.
+     * @throws A `SDKAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     * @throws A `StytchSDKUsageError` when called with invalid input.
+     */
+    onChange(callback: B2BMemberOnChangeCallback): UnsubscribeFunction;
+    /**
+     * The Update Self method wraps the {@link https://stytch.com/docs/b2b/api/update-member Update Member} API endpoint.
+     * The `organization_id` and `member_id` will be automatically inferred from the logged-in Member's session.
+     * This method can be used to update only the logged-in Member.
+     *
+     * See the {@link https://stytch.com/docs/b2b/sdks/javascript-sdk/members#update-member-deprecated Stytch Docs} for a complete reference.
+     *
+     * @example
+     * stytch.self.update({
+     *   mfa_enrolled: true,
+     *   phone_number: '+12025550162',
+     * });
+     *
+     * @deprecated please use {@link IHeadlessB2BSelfClient#get self.update()} instead
+     * @param data - {@link B2BMemberUpdateOptions}
+     *
+     * @returns A {@link B2BMemberUpdateResponse} indicating that the member has been updated.
+     *
+     * @throws A `StytchSDKAPIError` when the Stytch API returns an error.
+     * @throws A `SDKAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     * @throws A `StytchSDKUsageError` when called with invalid input.
+     */
+    update(data: B2BMemberUpdateOptions): Promise<B2BMemberUpdateResponse>;
+    /**
+     * The Delete Member MFA phone number method wraps the {@link https://stytch.com/docs/b2b/api/delete-member-mfa-phone-number Delete Member MFA phone number} API endpoint.
+     * Use this method to delete the Member's MFA phone number.
+     *
+     * To change a Member's phone number, you must first call this endpoint to delete the existing phone number.
+     *
+     * @deprecated please use {@link IHeadlessB2BSelfClient#get self.deleteMFAPhoneNumber()} instead
+     * @returns A {@link B2BMemberDeleteMFAPhoneNumberResponse} indicating that the member's phone number has been deleted.
+     *
+     * @throws A `StytchSDKAPIError` when the Stytch API returns an error.
+     * @throws A `SDKAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     * @throws A `StytchSDKUsageError` when called with invalid input.
+     */
+    deleteMFAPhoneNumber(): Promise<B2BMemberDeleteMFAPhoneNumberResponse>;
+}
+
+/**
+ * The authentication methods we support through our UI.
+ * Currently we support `emailMagicLinks`, `emailOtp`, `sso`, `passwords`, and `oauth`.
+ */
+declare const AuthFlowType: {
+    readonly Discovery: "Discovery";
+    readonly Organization: "Organization";
+    readonly PasswordReset: "PasswordReset";
+};
+type AuthFlowType = Values<typeof AuthFlowType>;
+declare const RedirectURLType: {
+    readonly ResetPassword: "reset_password";
+};
+type RedirectURLType = Values<typeof RedirectURLType>;
+/**
+ * The OAuth providers we support in our B2B OAuth product.
+ */
+declare const B2BOAuthProviders: {
+    readonly Google: "google";
+    readonly Microsoft: "microsoft";
+    readonly HubSpot: "hubspot";
+    readonly Slack: "slack";
+    readonly GitHub: "github";
+};
+type B2BOAuthProviders = Values<typeof B2BOAuthProviders>;
+/**
+ * The options for email magic links. This is used if you've enabled the `emailMagicLinks` product
+ * in your configuration.
+ */
+type B2BEmailMagicLinksOptions = {
+    loginRedirectURL?: string;
+    signupRedirectURL?: string;
+    discoveryRedirectURL?: string;
+    loginTemplateId?: string;
+    signupTemplateId?: string;
+    /**
+     * @param domainHint - An optional hint indicating what domain the email will be sent from.
+     * This field is only required if your project uses more than one custom domain to send emails.
+     */
+    domainHint?: string;
+    locale?: string;
+};
+/**
+ * The options for SSO. This is used if you've enabled the `sso` product
+ * in your configuration.
+ */
+type B2BSSOOptions = {
+    loginRedirectURL?: string;
+    signupRedirectURL?: string;
+};
+/**
+ * The options for OAuth. This is required if you've enabled the `oauth` product
+ * in your configuration.
+ */
+type B2BOAuthOptions = {
+    loginRedirectURL?: string;
+    signupRedirectURL?: string;
+    discoveryRedirectURL?: string;
+    /** @deprecated Use customScopes in B2BOAuthProviderConfig instead */
+    customScopes?: string[];
+    providers: B2BOAuthProviderConfig[];
+    /** @deprecated Use providerParams in B2BOAuthProviderConfig instead */
+    providerParams?: Record<string, string>;
+    locale?: string;
+};
+/**
+ * Details about the OAuth provider you wish to use. Each B2BOAuthProviderConfig object can be either a plain
+ * B2BOAuthProviders string (e.g. 'google'), or  an object with a type key that determines the type of provider. For
+ * Google OAuth, you can optionally specify the one_tap property to display Google One Tap.
+ */
+type B2BOAuthProviderConfig = B2BOAuthProviders | {
+    type: typeof B2BOAuthProviders.Google;
+    customScopes?: string[];
+    providerParams?: Record<string, string>;
+    one_tap?: boolean;
+    /**
+     * Whether to cancel the One Tap prompt when the user taps outside of it.
+     * This is only applicable if one_tap is true.
+     */
+    cancel_on_tap_outside?: boolean;
+} | {
+    type: Exclude<B2BOAuthProviders, typeof B2BOAuthProviders.Google>;
+    customScopes?: string[];
+    providerParams?: Record<string, string>;
+};
+/**
+ * The options for Passwords. This is used if you've enabled the `passwords` product
+ * in your configuration.
+ */
+type B2BPasswordOptions = {
+    loginRedirectURL?: string;
+    resetPasswordRedirectURL?: string;
+    resetPasswordExpirationMinutes?: number;
+    resetPasswordTemplateId?: string;
+    discoveryRedirectURL?: string;
+    verifyEmailTemplateId?: string;
+    locale?: string;
+};
+type B2BEmailOTPOptions = {
+    loginTemplateId?: string;
+    signupTemplateId?: string;
+    locale?: string;
+};
+type B2BSMSOTPOptions = {
+    locale?: string;
+};
+type DirectLoginForSingleMembershipConfig = {
+    /**
+     * Whether or not direct login for single membership is enabled.
+     */
+    status: boolean;
+    /**
+     * If enabled, logs user in directly even if they have pending invite to a different organization
+     */
+    ignoreInvites: boolean;
+    /**
+     * If enabled, logs user in directly even if they have organizations they could join via JIT provisioning
+     */
+    ignoreJitProvisioning: boolean;
+};
+declare const B2BMFAProducts: {
+    readonly smsOtp: "smsOtp";
+    readonly totp: "totp";
+};
+type B2BMFAProducts = Values<typeof B2BMFAProducts>;
+
+type Actions$1<Actions extends string> = Record<Actions, boolean>;
+type PermissionsMap<Permissions extends Record<string, string>> = {
+    [ResourceID in keyof Permissions]: Actions$1<Permissions[ResourceID]>;
+};
+interface IHeadlessB2BRBACClient {
+    /**
+     * The `isAuthorizedSync` method determines whether the logged-in member is allowed to perform the specified action on the specified resource.
+     * Returns `true` if the member can perform the action, `false` otherwise.
+     *
+     * If the member is not logged in, or the RBAC policy has not been loaded, this method will always return false.
+     * If the resource or action provided are not valid for the configured RBAC policy, this method will return false.
+     * @example
+     * const isAuthorized = stytch.rbac.isAuthorizedSync<Permissions>('document', 'image');
+     */
+    isAuthorizedSync(resourceId: string, action: string): boolean;
+    /**
+     * The `isAuthorized` method determines whether the logged-in member is allowed to perform the specified action on the specified resource.
+     * It will return a Promise that resolves after the RBAC policy has been loaded. Returns `true` if the member can perform the action, `false` otherwise.
+     *
+     * If the member is not logged in, this method will always return false.
+     * If the resource or action provided are not valid for the configured RBAC policy, this method will return false.
+     *
+     * @example
+     * const isAuthorized = await stytch.rbac.isAuthorizedSync<Permissions>('document', 'image');
+     */
+    isAuthorized(resourceId: string, action: string): Promise<boolean>;
+    /**
+     * The `allPermissions` method returns the complete list of permissions assigned to the currently logged-in Member. If the Member is not logged in, all values will be `false`.
+     *
+     * As a best practice, authorization checks for sensitive actions should also occur on the backend.
+     *
+     * @example
+     * type Permissions = {
+     *   document: 'create' | 'read' | 'write
+     *   image: 'create' | 'read'
+     * }
+     * const permissions = await stytch.rbac.allPermissions<Permissions>();
+     * console.log(permissions.document.create) // true
+     * console.log(permissions.image.create) // false
+     * @returns A {@link PermissionsMap} for the active member
+     */
+    allPermissions<Permissions extends Record<string, string>>(): Promise<PermissionsMap<Permissions>>;
+}
+
+interface BaseSCIMConnection {
+    /**
+     * Globally unique UUID that identifies a specific Organization.
+     */
+    organization_id: string;
+    /**
+     * Globally unique UUID that identifies a specific SCIM Connection.
+     */
+    connection_id: string;
+    /**
+     * The status of the connection. The possible values are deleted or active.
+     */
+    status: string;
+    /**
+     * A human-readable display name for the connection.
+     */
+    display_name: string;
+    /**
+     * The identity provider of this connection.
+     */
+    identity_provider: string;
+    /**
+     * The base URL of the SCIM connection.
+     */
+    base_url: string;
+    /**
+     * An array of implicit group role assignments granted to members in this organization who are provisioned this SCIM connection
+     * and belong to the specified group.
+     * See our {@link https://stytch.com/docs/b2b/guides/rbac/role-assignment RBAC guide} for more information about
+     * role assignment.
+     */
+    scim_group_implicit_role_assignments: {
+        role_id: string;
+        group_id: string;
+    }[];
+}
+interface SCIMConnection extends BaseSCIMConnection {
+    /**
+     * Last four characters of the issued bearer token.
+     */
+    bearer_token_last_four: string;
+    /**
+     * The time at which the bearer token expires.
+     */
+    bearer_token_expires_at: string;
+    /**
+     * Present during rotation, the next bearer token's last four digits.
+     */
+    next_bearer_token_last_four?: string;
+    /**
+     * Present during rotation, the time at which the next bearer token expires.
+     */
+    next_bearer_token_expires_at?: string;
+}
+interface SCIMConnectionWithBearerToken extends BaseSCIMConnection {
+    /**
+     * The bearer token used to authenticate with the SCIM API.
+     */
+    bearer_token: string;
+    /**
+     * The time at which the bearer token expires.
+     */
+    bearer_token_expires_at: string;
+}
+interface SCIMConnectionWithNextBearerToken extends BaseSCIMConnection {
+    /**
+     * The bearer token used to authenticate with the SCIM API.
+     */
+    next_bearer_token: string;
+    /**
+     * The time at which the bearer token expires.
+     */
+    next_bearer_token_expires_at: string;
+    /**
+     * Last four characters of the issued bearer token.
+     */
+    bearer_token_last_four: string;
+    /**
+     * The time at which the bearer token expires.
+     */
+    bearer_token_expires_at: string;
+}
+interface SCIMGroup {
+    /**
+     * Globally unique UUID that identifies a specific Organization.
+     */
+    organization_id: string;
+    /**
+     * Globally unique UUID that identifies a specific SCIM Connection.
+     */
+    connection_id: string;
+    /**
+     * Globally unique UUID that identifies a specific SCIM Group.
+     */
+    group_id: string;
+    /**
+     * Name given to the group by the IDP.
+     */
+    group_name: string;
+}
+type B2BSCIMCreateConnectionOptions = {
+    /**
+     * A human-readable display name for the connection.
+     */
+    display_name?: string;
+    /**
+     * The identity provider of this connection.
+     */
+    identity_provider?: string;
+};
+type B2BSCIMCreateConnectionResponse = ResponseCommon & {
+    connection: SCIMConnectionWithBearerToken;
+};
+type B2BSCIMUpdateConnectionOptions = {
+    /**
+     * Globally unique UUID that identifies a specific SCIM Connection.
+     */
+    connection_id: string;
+    /**
+     * A human-readable display name for the connection.
+     */
+    display_name?: string;
+    /**
+     * The identity provider of this connection.
+     */
+    identity_provider?: string;
+    /**
+     * An array of implicit role assignments granted to members in this organization who are created via this SCIM connection
+     * and belong to the specified group.
+     * Before adding any group implicit role assignments, you must first provision groups from your IdP into Stytch,
+     * see our {@link https://stytch.com/docs/b2b/guides/scim/overview scim-guide}.
+     * See our {@link https://stytch.com/docs/b2b/guides/rbac/role-assignment RBAC guide} for more information about
+     * role assignment.
+     */
+    scim_group_implicit_role_assignments?: {
+        role_id: string;
+        group_id: string;
+    }[];
+};
+type B2BSCIMUpdateConnectionResponse = ResponseCommon & {
+    connection: SCIMConnection;
+};
+type B2BSCIMDeleteConnectionResponse = ResponseCommon & {
+    /**
+     * Globally unique UUID that identifies a specific SCIM Connection.
+     */
+    connection_id: string;
+};
+type B2BSCIMGetConnectionResponse = ResponseCommon & {
+    connection: SCIMConnection;
+};
+type B2BSCIMGetConnectionGroupsOptions = {
+    /**
+     * The maximum number of groups that should be returned by the API.
+     */
+    limit?: number;
+    /**
+     * The cursor to use to indicate where to start group results.
+     */
+    cursor?: string;
+};
+type B2BSCIMGetConnectionGroupsResponse = ResponseCommon & {
+    /**
+     * List of SCIM Groups for the connection.
+     */
+    scim_groups: SCIMGroup[];
+    /**
+     * The cursor to use to get the next page of results.
+     */
+    next_cursor: string | null;
+};
+type B2BSCIMRotateStartResponse = ResponseCommon & {
+    connection: SCIMConnectionWithNextBearerToken;
+};
+type B2BSCIMRotateCompleteResponse = ResponseCommon & {
+    connection: SCIMConnection;
+};
+type B2BSCIMRotateCancelResponse = ResponseCommon & {
+    connection: SCIMConnection;
+};
+interface IHeadlessB2BSCIMClient {
+    /**
+     * The Create SCIM Connection method wraps the {@link https://stytch.com/docs/b2b/api/create-scim-connection Create SCIM Connection} API endpoint.
+     * The `organization_id` will be automatically inferred from the logged-in Member's session.
+     * This method cannot be used to create SCIM connections in other Organizations.
+     *
+     * @example
+     * stytch.scim.createConnection({
+     *   display_name: 'My SCIM Connection',
+     *   identity_provider: 'okta'
+     * });
+     *
+     * @rbac action="create", resource="stytch.scim"
+     *
+     * @param data - {@link B2BSCIMCreateConnectionOptions}
+     *
+     * returns A {@link B2BSCIMCreateConnectionResponse} indicating that the SCIM connection has been created.
+     *
+     * @throws A `StytchAPIError` when the Stytch API returns an error.
+     * @throws A `StytchAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     * @throws A `StytchSDKUsageError` when called with invalid input.
+     */
+    createConnection(data: B2BSCIMCreateConnectionOptions): Promise<B2BSCIMCreateConnectionResponse>;
+    /**
+     * Updates an existing SCIM connection.
+     * This method wraps the {@link https://stytch.com/docs/b2b/api/update-scim-connection update-connection} endpoint.
+     * If attempting to modify the `scim_group_implicit_role_assignments` the caller must have the `update.settings.implicit-roles` permission on the `stytch.organization` resource.
+     * For all other fields, the caller must have the `update` permission on the `stytch.scim` resource.
+     * SCIM via the project's RBAC policy & their role assignments.
+     *
+     * @example
+     * stytch.scim.updateConnection({
+     *   connection_id: 'connection-id-123',
+     *   display_name: 'My SCIM Connection',
+     *   identity_provider: 'okta',
+     *   scim_group_implicit_role_assignments: [
+     *    {
+     *      group_id: 'group-id-123',
+     *      role_id: 'role-id-123'
+     *    }
+     *   ]
+     * });
+     *
+     * @rbac action="update", resource="stytch.scim"
+     *
+     * @param data - {@link B2BSCIMUpdateConnectionOptions}
+     *
+     * returns A {@link B2BSCIMUpdateConnectionResponse} indicating that the SCIM connection has been updated.
+     *
+     * @throws A `StytchAPIError` when the Stytch API returns an error.
+     * @throws A `StytchAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     * @throws A `StytchSDKUsageError` when called with invalid input.
+     */
+    updateConnection(data: B2BSCIMUpdateConnectionOptions): Promise<B2BSCIMUpdateConnectionResponse>;
+    /**
+     * The Delete SCIM Connection method wraps the {@link https://stytch.com/docs/b2b/api/delete-scim-connection Delete SCIM Connection} API endpoint.
+     * The `organization_id` will be automatically inferred from the logged-in Member's session.
+     * This method cannot be used to delete SCIM connections in other Organizations.
+     *
+     * @example
+     * stytch.scim.deleteConnection('connection-id-123');
+     *
+     * @rbac action="delete", resource="stytch.scim"
+     *
+     * @param connectionId
+     *
+     * returns A {@link B2BSCIMDeleteConnectionResponse} indicating that the SCIM connection has been deleted.
+     *
+     * @throws A `StytchAPIError` when the Stytch API returns an error.
+     * @throws A `StytchAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     * @throws A `StytchSDKUsageError` when called with invalid input.
+     */
+    deleteConnection(connectionId: string): Promise<B2BSCIMDeleteConnectionResponse>;
+    /**
+     * The Get SCIM Connection method wraps the {@link https://stytch.com/docs/b2b/api/get-scim-connection Get SCIM Connection} API endpoint.
+     * The `organization_id` will be automatically inferred from the logged-in Member's session.
+     * This method cannot be used to get SCIM connection from other Organizations.
+     *
+     * @example
+     * stytch.scim.getConnection();
+     *
+     * @rbac action="get", resource="stytch.scim"
+     *
+     * @param connectionId
+     *
+     * returns A {@link B2BSCIMGetConnectionResponse} indicating that the SCIM connection has been retrieved.
+     *
+     * @throws A `StytchAPIError` when the Stytch API returns an error.
+     * @throws A `StytchAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     * @throws A `StytchSDKUsageError` when called with invalid input.
+     */
+    getConnection(connectionId: string): Promise<B2BSCIMGetConnectionResponse>;
+    /**
+     * The Get SCIM Connection Groups method wraps the {@link https://stytch.com/docs/b2b/api/get-scim-connection-groups Get SCIM Connection} API endpoint.
+     * The `organization_id` will be automatically inferred from the logged-in Member's session.
+     *
+     * @example
+     * stytch.scim.getConnectionGroups({
+     *   limit: 10
+     * });
+     *
+     * @rbac action="get", resource="stytch.scim"
+     *
+     * @param data
+     */
+    getConnectionGroups(data: B2BSCIMGetConnectionGroupsOptions): Promise<B2BSCIMGetConnectionGroupsResponse>;
+    /**
+     * The SCIM Rotate Token Start method wraps the {@link https://stytch.com/docs/b2b/api/scim-rotate-token-start SCIM Rotate Token Start} API endpoint.
+     * The `organization_id` will be automatically inferred from the logged-in Member's session.
+     * This method cannot be used to start token rotations for SCIM connections in other Organizations.
+     *
+     * @example
+     * stytch.scim.rotateStart('connection-id-123');
+     *
+     * @rbac action="update", resource="stytch.scim"
+     *
+     * @param connectionId
+     *
+     * returns A {@link B2BSCIMRotateStartResponse} containing a new bearer token
+     *
+     * @throws A `StytchAPIError` when the Stytch API returns an error.
+     * @throws A `StytchAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     * @throws A `StytchSDKUsageError` when called with invalid input.
+     */
+    rotateStart(connectionId: string): Promise<B2BSCIMRotateStartResponse>;
+    /**
+     * The SCIM Rotate Token Complete method wraps the {@link https://stytch.com/docs/b2b/api/scim-rotate-token-complete SCIM Rotate Token Complete} API endpoint.
+     * The `organization_id` will be automatically inferred from the logged-in Member's session.
+     * This method cannot be used to complete token rotations for SCIM connections in other Organizations.
+     *
+     * @example
+     * stytch.scim.rotateComplete('connection-id-123');
+     *
+     * @rbac action="update", resource="stytch.scim"
+     *
+     * @param connectionId
+     *
+     * returns A {@link B2BSCIMRotateCompleteResponse} containing a new bearer token
+     *
+     * @throws A `StytchAPIError` when the Stytch API returns an error.
+     * @throws A `StytchAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     * @throws A `StytchSDKUsageError` when called with invalid input.
+     */
+    rotateComplete(connectionId: string): Promise<B2BSCIMRotateCompleteResponse>;
+    /**
+     * The SCIM Rotate Token Cancel method wraps the {@link https://stytch.com/docs/b2b/api/scim-rotate-token-cancel SCIM Rotate Token Cancel} API endpoint.
+     * The `organization_id` will be automatically inferred from the logged-in Member's session.
+     * This method cannot be used to cancel token rotations for SCIM connections in other Organizations.
+     *
+     * @example
+     * stytch.scim.rotateCancel('connection-id-123');
+     *
+     * @rbac action="update", resource="stytch.scim"
+     *
+     * @param connectionId
+     *
+     * returns A {@link B2BSCIMRotateCancelResponse} containing a new bearer token
+     *
+     * @throws A `StytchAPIError` when the Stytch API returns an error.
+     * @throws A `StytchAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     * @throws A `StytchSDKUsageError` when called with invalid input.
+     */
+    rotateCancel(connectionId: string): Promise<B2BSCIMRotateCancelResponse>;
+}
+
+type B2BOAuthAuthorizeStartOptions = {
+    client_id: string;
+    redirect_uri: string;
+    response_type: string;
+    scopes: string[];
+    prompt?: string;
+};
+type B2BOAuthAuthorizeStartResponse = ResponseCommon & {
+    client: ConnectedAppPublic;
+    consent_required: boolean;
+    scope_results: ScopeResult[];
+};
+type B2BOAuthAuthorizeSubmitOptions = {
+    client_id: string;
+    redirect_uri: string;
+    response_type: string;
+    scopes: string[];
+    state?: string;
+    nonce?: string;
+    code_challenge?: string;
+    consent_granted: boolean;
+    prompt?: string;
+};
+type B2BOAuthAuthorizeSubmitResponse = ResponseCommon & {
+    redirect_uri: string;
+    authorization_code?: string;
+};
+type B2BOAuthLogoutStartOptions = {
+    client_id: string;
+    post_logout_redirect_uri: string;
+    state: string;
+    id_token_hint?: string;
+};
+type B2BOAuthLogoutStartResponse = ResponseCommon & {
+    redirect_uri: string;
+    consent_required: boolean;
+};
+interface IHeadlessB2BIDPClient {
+    /**
+     * Initiates a request for authorization of a Connected App to access a Member's account.
+     *
+     * Call this endpoint using the query parameters from an OAuth Authorization request. This endpoint validates various fields (scope, client_id, redirect_uri, prompt, etc...) are correct and returns relevant information for rendering an OAuth Consent Screen.
+     *
+     * @example
+     * const response = await stytch.idp.oauthAuthorizeStart({
+     *   client_id: 'client_123',
+     *   redirect_uri: 'https://example.com/callback',
+     *   scope: 'openid email profile',
+     * });
+     */
+    oauthAuthorizeStart(data: B2BOAuthAuthorizeStartOptions): Promise<B2BOAuthAuthorizeStartResponse>;
+    /**
+     * Completes a request for authorization of a Connected App to access a Member's account.
+     *
+     * Call this endpoint using the query parameters from an OAuth Authorization request, after previously validating those parameters using the Preflight Check API. Note that this endpoint takes in a few additional parameters the preflight check does not- state, nonce, and code_challenge.
+     *
+     * If the authorization was successful, the redirect_uri will contain a valid authorization_code embedded as a query parameter. If the authorization was unsuccessful, the redirect_uri will contain an OAuth2.1 error_code. In both cases, redirect the Member to the location for the response to be consumed by the Connected App.
+     *
+     * Exactly one of the following must be provided to identify the Member granting authorization:
+     * organization_id + member_id
+     * session_token
+     * session_jwt
+     *
+     * If a session_token or session_jwt is passed, the OAuth Authorization will be linked to the Member's session for tracking purposes. One of these fields must be used if the Connected App intends to complete the Exchange Access Token flow.
+     *
+     * @example
+     * const response = await stytch.idp.oauthAuthorizeSubmit({
+     *   client_id: 'client_123',
+     *   redirect_uri: 'https://example.com/callback',
+     *   scope: 'openid email profile',
+     * });
+     */
+    oauthAuthorizeSubmit(data: B2BOAuthAuthorizeSubmitOptions): Promise<B2BOAuthAuthorizeSubmitResponse>;
+}
+
+type BiometricsRegisterOptions = {
+    /**
+     * The text rendered when raising the biometric prompt.
+     */
+    prompt: string;
+    /**
+     * The text rendered on the cancel button when raising the biometric prompt. Defaults to "Cancel".
+     */
+    cancelButtonText?: string;
+    /**
+     * On Android devices, allow the private key data to be stored as cleartext in the application sandbox.
+     */
+    allowFallbackToCleartext?: boolean;
+    /**
+     * Allows user to enter their device credentials as a fallback for failed biometric authentication.
+     */
+    allowDeviceCredentials?: boolean;
+    /**
+     * Specify the desired session duration, in minutes
+     */
+    sessionDurationMinutes?: number;
+};
+type BiometricsRegisterStartResponse = ResponseCommon & {
+    /**
+     * A unique ID that identifies a specific biometric registration.
+     */
+    biometric_registration_id: string;
+    /**
+     * The challenge to be signed by the device.
+     */
+    challenge: string;
+};
+type BiometricsRegisterCompleteResponse<TProjectConfiguration extends StytchProjectConfigurationInput = Stytch.DefaultProjectConfiguration> = AuthenticateResponse<TProjectConfiguration> & {
+    /**
+     * A unique ID that identifies a specific biometric registration.
+     */
+    biometric_registration_id: string;
+};
+type BiometricsAuthenticateOptions = {
+    /**
+     * The text rendered when raising the biometric prompt.
+     */
+    prompt: string;
+    /**
+     * Set the session lifetime to be this many minutes from now.
+     * This value must be a minimum of 5 and may not exceed the `maximum session duration minutes` value set in the {@link https://stytch.com/dashboard/sdk-configuration SDK Configuration} page of the Stytch dashboard.
+     * A successful authentication will continue to extend the session this many minutes.
+     */
+    sessionDurationMinutes: number;
+    /**
+     * The text rendered on the cancel button when raising the biometric prompt. Defaults to "Cancel".
+     */
+    cancelButtonText?: string;
+    /**
+     * Allows user to enter their device credentials as a fallback for failed biometric authentication.
+     */
+    allowDeviceCredentials?: boolean;
+    /**
+     * The text rendered on the fallback prompt after biometrics has failed and allowDeviceCredentials is true. Defaults to "Enter Passcode". This only appears on iOS devices.
+     */
+    fallbackTitle?: string;
+};
+type BiometricsAuthenticateStartResponse = ResponseCommon & {
+    /**
+     * The challenge to be signed by the device.
+     */
+    challenge: string;
+    /**
+     * A unique ID that identifies a specific biometric registration.
+     */
+    biometric_registration_id: string;
+};
+type BiometricsAuthenticateCompleteResponse<TProjectConfiguration extends StytchProjectConfigurationInput = Stytch.DefaultProjectConfiguration> = AuthenticateResponse<TProjectConfiguration> & {
+    /**
+     * A unique ID that identifies a specific biometric registration.
+     */
+    biometric_registration_id: string;
+    /**
+     * The device history of the user.
+     */
+    user_device?: SDKDeviceHistory;
+};
+type BiometricsDeleteResponse = ResponseCommon & {
+    /**
+     * A unique ID that identifies a specific biometric registration.
+     */
+    biometric_registration_id: string;
+    /**
+     * Globally unique UUID that identifies a specific user in the Stytch API.
+     */
+    user_id: string;
+};
+/**
+ * Type of biometric authentication available on the device. iOS supports 'TouchID' or 'FaceID', and Android supports 'Biometrics'.
+ */
+type BiometryType = 'TouchID' | 'FaceID' | 'Biometrics';
+type BiometricsGetSensorResponse = {
+    /**
+     * Type of biometric authentication available on the device.
+     */
+    biometryType: BiometryType;
+};
+interface IHeadlessBiometricsClient<TProjectConfiguration extends StytchProjectConfigurationInput> {
+    /**
+     * Indicates if there is an existing biometric registration on the device.
+     *
+     * @returns true if there is a biometric registration on the device, otherwise false.
+     */
+    isRegistrationAvailable: () => Promise<boolean>;
+    /**
+     * Indicates whether or not the Keystore is available on the device.
+     *
+     * @returns true if the keystore is available, otherwise false.
+     */
+    isKeystoreAvailable: () => Promise<boolean>;
+    /**
+     * Adds a biometric registration for the current user.
+     *
+     * @param options - {@link BiometricsRegisterOptions}
+     *
+     * @returns A {@link BiometricsRegisterCompleteResponse} indicating the biometric registration has been successful.
+     *
+     * @throws A `StytchSDKError` when the Stytch React Native module returns an error.
+     */
+    register: (options: BiometricsRegisterOptions) => Promise<BiometricsRegisterCompleteResponse<TProjectConfiguration>>;
+    /**
+     * Updates the session by using a biometric registration.
+     *
+     * @param options - {@link BiometricsAuthenticateOptions}
+     *
+     * @returns A {@link BiometricsRegisterCompleteResponse} indicating the authentication has been successful.
+     *
+     * @throws A `StytchSDKError` when the Stytch React Native module returns an error.
+     */
+    authenticate: (options: BiometricsAuthenticateOptions) => Promise<BiometricsAuthenticateCompleteResponse<TProjectConfiguration>>;
+    /**
+     * Attempts to remove the biometric registration from the user and device.
+     *
+     * @returns A {@link BiometricsDeleteResponse} indicating whether the deletion has been successful.
+     */
+    removeRegistration: () => Promise<BiometricsDeleteResponse>;
+    /**
+     * Checks the type of biometrics that is available on the device.
+     *
+     * @param allowDeviceCredentials Allows user to enter their device credentials as a fallback for failed biometric authentication.
+     *
+     * @returns A {@link BiometricsGetSensorResponse} containing a {@link BiometryType}.
+     *
+     * @throws A `StytchSDKError` when the Stytch React Native module returns an error.
+     */
+    getSensor: (allowDeviceCredentials?: boolean) => Promise<BiometricsGetSensorResponse>;
+    /**
+     * Gets the current biometric_registration_id saved on device, if it exists
+     */
+    getBiometricRegistrationId: () => Promise<string | undefined>;
+    /**
+     * Deletes the local biometric keys from the device, if any
+     *
+     * @returns true if keys were found and deleted from the device, false if no keys were present
+     */
+    deleteDeviceRegistration: () => Promise<boolean>;
+}
+
+type ImpersonationAuthenticateOptions = {
+    /**
+     * The impersonation token used to authenticate a user
+     */
+    impersonation_token: string;
+};
+type ImpersonationAuthenticateResponse<TProjectConfiguration extends StytchProjectConfigurationInput = Stytch.DefaultProjectConfiguration> = AuthenticateResponse<TProjectConfiguration>;
+interface IHeadlessImpersonationClient<TProjectConfiguration extends StytchProjectConfigurationInput = Stytch.DefaultProjectConfiguration> {
+    /**
+     * Wraps Stytch's {@link https://stytch.com/docs/api/authenticate-impersonation-token Authenticate Impersonation Token} endpoint.
+     * The authenticate method wraps the consumer impersonation authenticate endpoint.
+     *
+     * @param data - {@link ImpersonationAuthenticateOptions}
+     * @returns A {@link ImpersonationAuthenticateResponse} indicating that the token has been authenticated
+     *
+     * @throws A `StytchAPIError` when the Stytch API returns an error.
+     * @throws A `StytchAPIUnreachableError` when the SDK cannot contact the Stytch API.
+     * @throws A `StytchSDKUsageError` when called with invalid input (invalid token, invalid options, etc.)
+     */
+    authenticate(data: ImpersonationAuthenticateOptions): Promise<ImpersonationAuthenticateResponse<TProjectConfiguration>>;
+}
+
+type Actions<Actions extends string> = Record<Actions, boolean>;
+type ConsumerPermissionsMap<Permissions extends Record<string, string>> = {
+    [ResourceID in keyof Permissions]: Actions<Permissions[ResourceID]>;
+};
+interface IHeadlessRBACClient {
+    /**
+     * The `isAuthorizedSync` method determines whether the logged-in user is allowed to perform the specified action on the specified resource.
+     * Returns `true` if the user can perform the action, `false` otherwise.
+     *
+     * If the user is not logged in, or the RBAC policy has not been loaded, this method will always return false.
+     * If the resource or action provided are not valid for the configured RBAC policy, this method will return false.
+     * @example
+     * const isAuthorized = stytch.rbac.isAuthorizedSync<Permissions>('document', 'image');
+     */
+    isAuthorizedSync(resourceId: string, action: string): boolean;
+    /**
+     * The `isAuthorized` method determines whether the logged-in user is allowed to perform the specified action on the specified resource.
+     * It will return a Promise that resolves after the RBAC policy has been loaded. Returns `true` if the user can perform the action, `false` otherwise.
+     *
+     * If the user is not logged in, this method will always return false.
+     * If the resource or action provided are not valid for the configured RBAC policy, this method will return false.
+     *
+     * @example
+     * const isAuthorized = await stytch.rbac.isAuthorizedSync<Permissions>('document', 'image');
+     */
+    isAuthorized(resourceId: string, action: string): Promise<boolean>;
+    /**
+     * The `allPermissions` method returns the complete list of permissions assigned to the currently logged-in user. If the user is not logged in, all values will be `false`.
+     *
+     * As a best practice, authorization checks for sensitive actions should also occur on the backend.
+     *
+     * @example
+     * type Permissions = {
+     *   document: 'create' | 'read' | 'write
+     *   image: 'create' | 'read'
+     * }
+     * const permissions = await stytch.rbac.allPermissions<Permissions>();
+     * console.log(permissions.document.create) // true
+     * console.log(permissions.image.create) // false
+     * @returns A {@link ConsumerPermissionsMap} for the active member
+     */
+    allPermissions<Permissions extends Record<string, string>>(): Promise<ConsumerPermissionsMap<Permissions>>;
+}
+
+type OAuthAuthorizeStartOptions = {
+    client_id: string;
+    redirect_uri: string;
+    response_type: string;
+    scopes: string[];
+    prompt?: string;
+};
+type OAuthAuthorizeStartResponse = ResponseCommon & {
+    user_id: string;
+    user: User;
+    client: ConnectedAppPublic;
+    consent_required: boolean;
+    scope_results: ScopeResult[];
+};
+type OAuthAuthorizeSubmitOptions = {
+    client_id: string;
+    redirect_uri: string;
+    response_type: string;
+    scopes: string[];
+    state?: string;
+    nonce?: string;
+    code_challenge?: string;
+    consent_granted: boolean;
+    prompt?: string;
+    resource?: string[];
+};
+type OAuthAuthorizeSubmitResponse = ResponseCommon & {
+    redirect_uri: string;
+    authorization_code?: string;
+};
+type OAuthLogoutStartOptions = {
+    client_id: string;
+    post_logout_redirect_uri: string;
+    state?: string;
+    id_token_hint?: string;
+};
+type OAuthLogoutStartResponse = ResponseCommon & {
+    redirect_uri: string;
+    consent_required: boolean;
+};
+interface IHeadlessIDPClient {
+    /**
+     * Initiates a request for authorization of a Connected App to access a User's account.
+     *
+     * Call this endpoint using the query parameters from an OAuth Authorization request. This endpoint validates various fields (scope, client_id, redirect_uri, prompt, etc...) are correct and returns relevant information for rendering an OAuth Consent Screen.
+     *
+     * @param data - The options for the OAuth authorization flow.
+     * @returns The response from the OAuth authorization flow.
+     * @example
+     * const response = await stytch.idp.oauthAuthorizeStart({
+     *   client_id: 'client_123',
+     */
+    oauthAuthorizeStart(data: OAuthAuthorizeStartOptions): Promise<OAuthAuthorizeStartResponse>;
+    /**
+     * Completes a request for authorization of a Connected App to access a Member's account.
+     *
+     * Call this endpoint using the query parameters from an OAuth Authorization request, after previously validating those parameters using the Preflight Check API. Note that this endpoint takes in a few additional parameters the preflight check does not- state, nonce, and code_challenge.
+     *
+     * If the authorization was successful, the redirect_uri will contain a valid authorization_code embedded as a query parameter. If the authorization was unsuccessful, the redirect_uri will contain an OAuth2.1 error_code. In both cases, redirect the Member to the location for the response to be consumed by the Connected App.
+     *
+     * Exactly one of the following must be provided to identify the Member granting authorization:
+     * organization_id + member_id
+     * session_token
+     * session_jwt
+     *
+     * If a session_token or session_jwt is passed, the OAuth Authorization will be linked to the Member's session for tracking purposes. One of these fields must be used if the Connected App intends to complete the Exchange Access Token flow.
+     *
+     * @param data - The options for the OAuth authorization flow.
+     * @returns The response from the OAuth authorization flow.
+     * @example
+     * const response = await stytch.idp.oauthAuthorizeSubmit({
+     *   client_id: 'client_123',
+     *   redirect_uri: 'https://example.com/callback',
+     *   scope: 'openid email profile',
+     * });
+     */
+    oauthAuthorizeSubmit(data: OAuthAuthorizeSubmitOptions): Promise<OAuthAuthorizeSubmitResponse>;
+}
+
+type TokenType = 'magic_links' | 'oauth' | 'reset_password';
+
+type DeepReadonly<T> = {
+    readonly [P in keyof T]: DeepReadonly<T[P]>;
+};
+type StateChangeHandler<T> = (state: DeepReadonly<T>) => void;
+type StateChangeRegisterFunction<T> = (callback: StateChangeHandler<T>) => UnsubscribeFunction;
+
+interface PromptMomentNotification {
+    isDisplayMoment: () => boolean;
+    isDisplayed: () => boolean;
+    isNotDisplayed: () => boolean;
+    getNotDisplayedReason: () =>
+        | "browser_not_supported"
+        | "invalid_client"
+        | "missing_client_id"
+        | "opt_out_or_no_session"
+        | "secure_http_required"
+        | "suppressed_by_user"
+        | "unregistered_origin"
+        | "unknown_reason";
+    isSkippedMoment: () => boolean;
+    getSkippedReason: () => "auto_cancel" | "user_cancel" | "tap_outside" | "issuing_failed";
+    isDismissedMoment: () => boolean;
+    getDismissedReason: () => "credential_returned" | "cancel_called" | "flow_restarted";
+    getMomentType: () => "display" | "skipped" | "dismissed";
+}
+
+type OneTapNotShownReason = ReturnType<PromptMomentNotification['getNotDisplayedReason']> | ReturnType<PromptMomentNotification['getSkippedReason']>;
+type OneTapRenderResult = {
+    success: true;
+} | {
+    success: false;
+    reason: OneTapNotShownReason;
+};
+
+type ParseAuthenticateUrl<HandledTokenType extends string> = (href?: string) => {
+    handled: true;
+    token: string;
+    tokenType: HandledTokenType;
+} | {
+    handled: false;
+    token: string;
+    tokenType: string;
+} | null;
+type AuthenticateByUrl<TokenType extends string> = (options: {
+    /**
+     * Clear token and stytch_token_type URL params after authenticate is called.
+     * @default true if the href parameter is window.location.href (the default)
+     **/
+    clearParams?: boolean;
+} & SessionDurationOptions, 
+/**
+ * Allow overriding URL where the token and stytch_token_type params are extracted from.
+ * You usually would not need to set this.
+ * @default window.location.href
+ */
+href?: string) => Promise<{
+    handled: true;
+    tokenType: TokenType;
+    data: unknown;
+} | {
+    handled: false;
+    tokenType: string;
+    token: string;
+} | null>;
+
+export { B2BMFAProducts as aH, AuthFlowType as aw, RedirectURLType as ax, B2BOAuthProviders as ay };
+export type { BiometricsAuthenticateOptions as $, AuthenticateByUrl as A, B2BOAuthAuthorizeStartOptions as B, OAuthAuthenticateResponse as C, OAuthStartFailureReason as D, OAuthStartResponse as E, IOAuthProvider as F, OAuthAttachResponse as G, UserUpdateOptions as H, IHeadlessIDPClient as I, UserUpdateResponse as J, UserInfo as K, UserGetConnectedAppsResponse as L, TOTPCreateOptions as M, TOTPCreateResponse as N, OAuthAuthorizeStartOptions as O, ParseAuthenticateUrl as P, TOTPAuthenticateOptions as Q, TOTPAuthenticateResponse as R, StateChangeRegisterFunction as S, TokenType as T, UserOnChangeCallback as U, TOTPRecoveryCodesResponse as V, TOTPRecoverOptions as W, TOTPRecoverResponse as X, BiometricsRegisterOptions as Y, BiometricsRegisterStartResponse as Z, BiometricsRegisterCompleteResponse as _, INetworkClient as a, CommonB2BLoginConfig as a$, BiometricsAuthenticateStartResponse as a0, BiometricsAuthenticateCompleteResponse as a1, BiometricsDeleteResponse as a2, BiometryType as a3, BiometricsGetSensorResponse as a4, IHeadlessBiometricsClient as a5, B2BSessionAuthenticateResponse as a6, B2BSessionRevokeOptions as a7, B2BSessionRevokeForMemberOptions as a8, B2BSessionRevokeForMemberResponse as a9, B2BSSOOptions as aA, B2BOAuthOptions as aB, B2BOAuthProviderConfig as aC, B2BPasswordOptions as aD, B2BEmailOTPOptions as aE, B2BSMSOTPOptions as aF, DirectLoginForSingleMembershipConfig as aG, SCIMConnection as aI, SCIMConnectionWithBearerToken as aJ, SCIMConnectionWithNextBearerToken as aK, SCIMGroup as aL, B2BSCIMCreateConnectionOptions as aM, B2BSCIMCreateConnectionResponse as aN, B2BSCIMUpdateConnectionOptions as aO, B2BSCIMUpdateConnectionResponse as aP, B2BSCIMDeleteConnectionResponse as aQ, B2BSCIMGetConnectionResponse as aR, B2BSCIMGetConnectionGroupsOptions as aS, B2BSCIMGetConnectionGroupsResponse as aT, B2BSCIMRotateStartResponse as aU, B2BSCIMRotateCompleteResponse as aV, B2BSCIMRotateCancelResponse as aW, ImpersonationAuthenticateOptions as aX, ImpersonationAuthenticateResponse as aY, ConsumerPermissionsMap as aZ, CommonLoginConfig as a_, B2BSessionOnChangeCallback as aa, B2BSessionExchangeOptions as ab, B2BSessionExchangeResponse as ac, B2BSessionAccessTokenExchangeOptions as ad, B2BSessionAccessTokenExchangeResponse as ae, MemberSessionInfo as af, B2BSessionAttestOptions as ag, B2BSessionAttestResponse as ah, B2BMemberOnChangeCallback as ai, B2BMemberUpdateOptions as aj, B2BMemberUnlinkRetiredEmailRequest as ak, B2BMemberStartEmailUpdateRequest as al, B2BMemberStartEmailUpdateResponse as am, B2BMemberGetConnectedAppsResponse as an, B2BMemberRevokeConnectedAppOptions as ao, B2BMemberRevokeConnectedAppResponse as ap, B2BMemberUpdateResponse as aq, B2BMemberDeleteMFAPhoneNumberResponse as ar, B2BMemberDeletePasswordResponse as as, B2BMemberDeleteMFATOTPResponse as at, B2BMemberUnlinkRetiredEmailResponse as au, MemberInfo as av, B2BEmailMagicLinksOptions as az, OAuthAuthorizeStartResponse as b, OAuthAuthorizeSubmitOptions as c, OAuthAuthorizeSubmitResponse as d, OAuthLogoutStartOptions as e, OAuthLogoutStartResponse as f, IHeadlessOAuthClient as g, OneTapRenderResult as h, IHeadlessUserClient as i, IHeadlessTOTPClient as j, IHeadlessImpersonationClient as k, IHeadlessRBACClient as l, IHeadlessB2BIDPClient as m, B2BOAuthAuthorizeStartResponse as n, B2BOAuthAuthorizeSubmitOptions as o, B2BOAuthAuthorizeSubmitResponse as p, B2BOAuthLogoutStartOptions as q, B2BOAuthLogoutStartResponse as r, IHeadlessB2BSessionClient as s, IHeadlessB2BMemberClient as t, IHeadlessB2BSelfClient as u, IHeadlessB2BRBACClient as v, IHeadlessB2BSCIMClient as w, PermissionsMap as x, OAuthGetURLOptions as y, OAuthAuthenticateOptions as z };