@supabase/auth-js 2.72.0-rc.8 → 2.72.1-canary.0

package/dist/main/lib/types.d.ts

@@ -1,12 +1,13 @@
-import { EIP1193Provider } from './web3/ethereum';
 import { AuthError } from './errors';
 import { Fetch } from './fetch';
+import { EIP1193Provider, EthereumSignInInput, Hex } from './web3/ethereum';
 import type { SolanaSignInInput, SolanaSignInOutput } from './web3/solana';
-import { EthereumSignInInput, Hex } from './web3/ethereum';
+import { ServerCredentialCreationOptions, ServerCredentialRequestOptions, WebAuthnApi } from './webauthn';
+import { AuthenticationCredential, PublicKeyCredentialCreationOptionsFuture, PublicKeyCredentialRequestOptionsFuture, RegistrationCredential } from './webauthn.dom';
 /** One of the providers supported by GoTrue. */
-export declare type Provider = 'apple' | 'azure' | 'bitbucket' | 'discord' | 'facebook' | 'figma' | 'github' | 'gitlab' | 'google' | 'kakao' | 'keycloak' | 'linkedin' | 'linkedin_oidc' | 'notion' | 'slack' | 'slack_oidc' | 'spotify' | 'twitch' | 'twitter' | 'workos' | 'zoom' | 'fly';
-export declare type AuthChangeEventMFA = 'MFA_CHALLENGE_VERIFIED';
-export declare type AuthChangeEvent = 'INITIAL_SESSION' | 'PASSWORD_RECOVERY' | 'SIGNED_IN' | 'SIGNED_OUT' | 'TOKEN_REFRESHED' | 'USER_UPDATED' | AuthChangeEventMFA;
+export type Provider = 'apple' | 'azure' | 'bitbucket' | 'discord' | 'facebook' | 'figma' | 'github' | 'gitlab' | 'google' | 'kakao' | 'keycloak' | 'linkedin' | 'linkedin_oidc' | 'notion' | 'slack' | 'slack_oidc' | 'spotify' | 'twitch' | 'twitter' | 'workos' | 'zoom' | 'fly';
+export type AuthChangeEventMFA = 'MFA_CHALLENGE_VERIFIED';
+export type AuthChangeEvent = 'INITIAL_SESSION' | 'PASSWORD_RECOVERY' | 'SIGNED_IN' | 'SIGNED_OUT' | 'TOKEN_REFRESHED' | 'USER_UPDATED' | AuthChangeEventMFA;
 /**
  * Provide your own global lock implementation instead of the default
  * implementation. The function should acquire a lock for the duration of the
@@ -22,8 +23,8 @@ export declare type AuthChangeEvent = 'INITIAL_SESSION' | 'PASSWORD_RECOVERY' |
  *                       acquired after this much time (ms).
  * @param fn The operation to execute when the lock is acquired.
  */
-export declare type LockFunc = <R>(name: string, acquireTimeout: number, fn: () => Promise<R>) => Promise<R>;
-export declare type GoTrueClientOptions = {
+export type LockFunc = <R>(name: string, acquireTimeout: number, fn: () => Promise<R>) => Promise<R>;
+export type GoTrueClientOptions = {
     url?: string;
     headers?: {
         [key: string]: string;
@@ -56,87 +57,77 @@ export declare type GoTrueClientOptions = {
      */
     hasCustomAuthorizationHeader?: boolean;
 };
-export declare type WeakPasswordReasons = 'length' | 'characters' | 'pwned' | (string & {});
-export declare type WeakPassword = {
+declare const WeakPasswordReasons: readonly ["length", "characters", "pwned"];
+export type WeakPasswordReasons = (typeof WeakPasswordReasons)[number];
+export type WeakPassword = {
     reasons: WeakPasswordReasons[];
     message: string;
 };
-export declare type AuthResponse = {
-    data: {
-        user: User | null;
-        session: Session | null;
-    };
+/**
+ * Resolve mapped types and show the derived keys and their types when hovering in
+ * VS Code, instead of just showing the names those mapped types are defined with.
+ */
+export type Prettify<T> = T extends Function ? T : {
+    [K in keyof T]: T[K];
+};
+/**
+ * A stricter version of TypeScript's Omit that only allows omitting keys that actually exist.
+ * This prevents typos and ensures type safety at compile time.
+ * Unlike regular Omit, this will error if you try to omit a non-existent key.
+ */
+export type StrictOmit<T, K extends keyof T> = Omit<T, K>;
+/**
+ * a shared result type that encapsulates errors instead of throwing them, allows you to optionally specify the ErrorType
+ */
+export type RequestResult<T, ErrorType extends Error = AuthError> = {
+    data: T;
     error: null;
 } | {
-    data: {
-        user: null;
-        session: null;
-    };
-    error: AuthError;
+    data: null;
+    error: Error extends AuthError ? AuthError : ErrorType;
 };
-export declare type AuthResponsePassword = {
-    data: {
-        user: User | null;
-        session: Session | null;
-        weak_password?: WeakPassword | null;
-    };
+/**
+ * similar to RequestResult except it allows you to destructure the possible shape of the success response
+ *  {@see RequestResult}
+ */
+export type RequestResultSafeDestructure<T> = {
+    data: T;
     error: null;
 } | {
-    data: {
-        user: null;
-        session: null;
-    };
+    data: T extends object ? {
+        [K in keyof T]: null;
+    } : null;
     error: AuthError;
 };
+export type AuthResponse = RequestResultSafeDestructure<{
+    user: User | null;
+    session: Session | null;
+}>;
+export type AuthResponsePassword = RequestResultSafeDestructure<{
+    user: User | null;
+    session: Session | null;
+    weak_password?: WeakPassword | null;
+}>;
 /**
  * AuthOtpResponse is returned when OTP is used.
  *
  * {@see AuthResponse}
  */
-export declare type AuthOtpResponse = {
-    data: {
-        user: null;
-        session: null;
-        messageId?: string | null;
-    };
-    error: null;
-} | {
-    data: {
-        user: null;
-        session: null;
-        messageId?: string | null;
-    };
-    error: AuthError;
-};
-export declare type AuthTokenResponse = {
-    data: {
-        user: User;
-        session: Session;
-    };
-    error: null;
-} | {
-    data: {
-        user: null;
-        session: null;
-    };
-    error: AuthError;
-};
-export declare type AuthTokenResponsePassword = {
-    data: {
-        user: User;
-        session: Session;
-        weakPassword?: WeakPassword;
-    };
-    error: null;
-} | {
-    data: {
-        user: null;
-        session: null;
-        weakPassword?: null;
-    };
-    error: AuthError;
-};
-export declare type OAuthResponse = {
+export type AuthOtpResponse = RequestResultSafeDestructure<{
+    user: null;
+    session: null;
+    messageId?: string | null;
+}>;
+export type AuthTokenResponse = RequestResultSafeDestructure<{
+    user: User;
+    session: Session;
+}>;
+export type AuthTokenResponsePassword = RequestResultSafeDestructure<{
+    user: User;
+    session: Session;
+    weakPassword?: WeakPassword;
+}>;
+export type OAuthResponse = {
     data: {
         provider: Provider;
         url: string;
@@ -149,33 +140,19 @@ export declare type OAuthResponse = {
     };
     error: AuthError;
 };
-export declare type SSOResponse = {
-    data: {
-        /**
-         * URL to open in a browser which will complete the sign-in flow by
-         * taking the user to the identity provider's authentication flow.
-         *
-         * On browsers you can set the URL to `window.location.href` to take
-         * the user to the authentication flow.
-         */
-        url: string;
-    };
-    error: null;
-} | {
-    data: null;
-    error: AuthError;
-};
-export declare type UserResponse = {
-    data: {
-        user: User;
-    };
-    error: null;
-} | {
-    data: {
-        user: null;
-    };
-    error: AuthError;
-};
+export type SSOResponse = RequestResult<{
+    /**
+     * URL to open in a browser which will complete the sign-in flow by
+     * taking the user to the identity provider's authentication flow.
+     *
+     * On browsers you can set the URL to `window.location.href` to take
+     * the user to the authentication flow.
+     */
+    url: string;
+}>;
+export type UserResponse = RequestResultSafeDestructure<{
+    user: User;
+}>;
 export interface Session {
     /**
      * The oauth provider token. If present, this can be used to make external API requests to the oauth provider used.
@@ -202,12 +179,14 @@ export interface Session {
      * A timestamp of when the token will expire. Returned when a login is confirmed.
      */
     expires_at?: number;
-    token_type: string;
+    token_type: 'bearer';
     /**
      * When using a separate user storage, accessing properties of this object will throw an error.
      */
     user: User;
 }
+declare const AMRMethods: readonly ["password", "otp", "oauth", "totp", "mfa/totp", "mfa/phone", "mfa/webauthn", "anonymous", "sso/saml", "magiclink", "web3"];
+export type AMRMethod = (typeof AMRMethods)[number] | (string & {});
 /**
  * An authentication methord reference (AMR) entry.
  *
@@ -218,7 +197,7 @@ export interface Session {
  */
 export interface AMREntry {
     /** Authentication method name. */
-    method: 'password' | 'otp' | 'oauth' | 'mfa/totp' | (string & {});
+    method: AMRMethod;
     /**
      * Timestamp when the method was successfully used. Represents number of
      * seconds since 1st January 1970 (UNIX epoch) in UTC.
@@ -237,6 +216,16 @@ export interface UserIdentity {
     last_sign_in_at?: string;
     updated_at?: string;
 }
+declare const FactorTypes: readonly ["totp", "phone", "webauthn"];
+/**
+ * Type of factor. `totp` and `phone` supported with this version
+ */
+export type FactorType = (typeof FactorTypes)[number];
+declare const FactorVerificationStatuses: readonly ["verified", "unverified"];
+/**
+ * The verification status of the factor, default is `unverified` after `.enroll()`, then `verified` after the user verifies it with `.verify()`
+ */
+type FactorVerificationStatus = (typeof FactorVerificationStatuses)[number];
 /**
  * A MFA factor.
  *
@@ -244,7 +233,7 @@ export interface UserIdentity {
  * @see {@link GoTrueMFAApi#listFactors}
  * @see {@link GoTrueMFAAdminApi#listFactors}
  */
-export interface Factor {
+export type Factor<Type extends FactorType = FactorType, Status extends FactorVerificationStatus = (typeof FactorVerificationStatuses)[number]> = {
     /** ID of the factor. */
     id: string;
     /** Friendly name of the factor, useful to disambiguate between multiple factors. */
@@ -252,12 +241,14 @@ export interface Factor {
     /**
      * Type of factor. `totp` and `phone` supported with this version
      */
-    factor_type: 'totp' | 'phone' | (string & {});
-    /** Factor's status. */
-    status: 'verified' | 'unverified';
+    factor_type: Type;
+    /**
+     * The verification status of the factor, default is `unverified` after `.enroll()`, then `verified` after the user verifies it with `.verify()`
+     */
+    status: Status;
     created_at: string;
     updated_at: string;
-}
+};
 export interface UserAppMetadata {
     provider?: string;
     [key: string]: any;
@@ -289,7 +280,7 @@ export interface User {
     identities?: UserIdentity[];
     is_anonymous?: boolean;
     is_sso_user?: boolean;
-    factors?: Factor[];
+    factors?: (Factor<FactorType, 'verified'> | Factor<FactorType, 'unverified'>)[];
     deleted_at?: string;
 }
 export interface UserAttributes {
@@ -400,7 +391,7 @@ export interface Subscription {
      */
     unsubscribe: () => void;
 }
-export declare type SignInAnonymouslyCredentials = {
+export type SignInAnonymouslyCredentials = {
     options?: {
         /**
          * A custom data object to store the user's metadata. This maps to the `auth.users.raw_user_meta_data` column.
@@ -412,61 +403,27 @@ export declare type SignInAnonymouslyCredentials = {
         captchaToken?: string;
     };
 };
-export declare type SignUpWithPasswordCredentials = {
-    /** The user's email address. */
-    email: string;
-    /** The user's password. */
-    password: string;
+export type SignUpWithPasswordCredentials = Prettify<PasswordCredentialsBase & {
     options?: {
-        /** The redirect url embedded in the email link */
         emailRedirectTo?: string;
-        /**
-         * A custom data object to store the user's metadata. This maps to the `auth.users.raw_user_meta_data` column.
-         *
-         * The `data` should be a JSON object that includes user-specific info, such as their first and last name.
-         */
-        data?: object;
-        /** Verification token received when the user completes the captcha on the site. */
-        captchaToken?: string;
-    };
-} | {
-    /** The user's phone number. */
-    phone: string;
-    /** The user's password. */
-    password: string;
-    options?: {
-        /**
-         * A custom data object to store the user's metadata. This maps to the `auth.users.raw_user_meta_data` column.
-         *
-         * The `data` should be a JSON object that includes user-specific info, such as their first and last name.
-         */
         data?: object;
-        /** Verification token received when the user completes the captcha on the site. Requires a configured WhatsApp sender on Twilio */
         captchaToken?: string;
-        /** Messaging channel to use (e.g. whatsapp or sms) */
         channel?: 'sms' | 'whatsapp';
     };
-};
-export declare type SignInWithPasswordCredentials = {
-    /** The user's email address. */
+}>;
+type PasswordCredentialsBase = {
     email: string;
-    /** The user's password. */
     password: string;
-    options?: {
-        /** Verification token received when the user completes the captcha on the site. */
-        captchaToken?: string;
-    };
 } | {
-    /** The user's phone number. */
     phone: string;
-    /** The user's password. */
     password: string;
+};
+export type SignInWithPasswordCredentials = PasswordCredentialsBase & {
     options?: {
-        /** Verification token received when the user completes the captcha on the site. */
         captchaToken?: string;
     };
 };
-export declare type SignInWithPasswordlessCredentials = {
+export type SignInWithPasswordlessCredentials = {
     /** The user's email address. */
     email: string;
     options?: {
@@ -501,8 +458,8 @@ export declare type SignInWithPasswordlessCredentials = {
         channel?: 'sms' | 'whatsapp';
     };
 };
-export declare type AuthFlowType = 'implicit' | 'pkce';
-export declare type SignInWithOAuthCredentials = {
+export type AuthFlowType = 'implicit' | 'pkce';
+export type SignInWithOAuthCredentials = {
     /** One of the providers supported by GoTrue. */
     provider: Provider;
     options?: {
@@ -518,7 +475,7 @@ export declare type SignInWithOAuthCredentials = {
         skipBrowserRedirect?: boolean;
     };
 };
-export declare type SignInWithIdTokenCredentials = {
+export type SignInWithIdTokenCredentials = {
     /** Provider name or OIDC `iss` value identifying which provider should be used to verify the provided token. Supported names: `google`, `apple`, `azure`, `facebook`, `kakao`, `keycloak` (deprecated). */
     provider: 'google' | 'apple' | 'azure' | 'facebook' | 'kakao' | (string & {});
     /** OIDC ID token issued by the specified provider. The `iss` claim in the ID token must match the supplied provider. Some ID tokens contain an `at_hash` which require that you provide an `access_token` value to be accepted properly. If the token contains a `nonce` claim you must supply the nonce used to obtain the ID token. */
@@ -532,14 +489,14 @@ export declare type SignInWithIdTokenCredentials = {
         captchaToken?: string;
     };
 };
-export declare type SolanaWallet = {
+export type SolanaWallet = {
     signIn?: (...inputs: SolanaSignInInput[]) => Promise<SolanaSignInOutput | SolanaSignInOutput[]>;
     publicKey?: {
         toBase58: () => string;
     } | null;
     signMessage?: (message: Uint8Array, encoding?: 'utf8' | string) => Promise<Uint8Array> | undefined;
 };
-export declare type SolanaWeb3Credentials = {
+export type SolanaWeb3Credentials = {
     chain: 'solana';
     /** Wallet interface to use. If not specified will default to `window.solana`. */
     wallet?: SolanaWallet;
@@ -563,12 +520,12 @@ export declare type SolanaWeb3Credentials = {
         captchaToken?: string;
     };
 };
-export declare type EthereumWallet = EIP1193Provider;
-export declare type EthereumWeb3Credentials = {
+export type EthereumWallet = EIP1193Provider;
+export type EthereumWeb3Credentials = {
     chain: 'ethereum';
-    /** Wallet interface to use. If not specified will default to `window.solana`. */
+    /** Wallet interface to use. If not specified will default to `window.ethereum`. */
     wallet?: EthereumWallet;
-    /** Optional statement to include in the Sign in with Solana message. Must not include new line characters. Most wallets like Phantom **require specifying a statement!** */
+    /** Optional statement to include in the Sign in with Ethereum message. Must not include new line characters. Most wallets like Phantom **require specifying a statement!** */
     statement?: string;
     options?: {
         /** URL to use with the wallet interface. Some wallets do not allow signing a message for URLs different from the current page. */
@@ -581,15 +538,15 @@ export declare type EthereumWeb3Credentials = {
     chain: 'ethereum';
     /** Sign in with Ethereum compatible message. Must include `Issued At`, `URI` and `Version`. */
     message: string;
-    /** Ed25519 signature of the message. */
+    /** Ethereum curve (secp256k1) signature of the message. */
     signature: Hex;
     options?: {
         /** Verification token received when the user completes the captcha on the site. */
         captchaToken?: string;
     };
 };
-export declare type Web3Credentials = SolanaWeb3Credentials | EthereumWeb3Credentials;
-export declare type VerifyOtpParams = VerifyMobileOtpParams | VerifyEmailOtpParams | VerifyTokenHashParams;
+export type Web3Credentials = SolanaWeb3Credentials | EthereumWeb3Credentials;
+export type VerifyOtpParams = VerifyMobileOtpParams | VerifyEmailOtpParams | VerifyTokenHashParams;
 export interface VerifyMobileOtpParams {
     /** The user's phone number. */
     phone: string;
@@ -631,9 +588,9 @@ export interface VerifyTokenHashParams {
     /** The user's verification type. */
     type: EmailOtpType;
 }
-export declare type MobileOtpType = 'sms' | 'phone_change';
-export declare type EmailOtpType = 'signup' | 'invite' | 'magiclink' | 'recovery' | 'email_change' | 'email';
-export declare type ResendParams = {
+export type MobileOtpType = 'sms' | 'phone_change';
+export type EmailOtpType = 'signup' | 'invite' | 'magiclink' | 'recovery' | 'email_change' | 'email';
+export type ResendParams = {
     type: Extract<EmailOtpType, 'signup' | 'email_change'>;
     email: string;
     options?: {
@@ -650,7 +607,7 @@ export declare type ResendParams = {
         captchaToken?: string;
     };
 };
-export declare type SignInWithSSO = {
+export type SignInWithSSO = {
     /** UUID of the SSO provider to invoke single-sign on to. */
     providerId: string;
     options?: {
@@ -669,25 +626,25 @@ export declare type SignInWithSSO = {
         captchaToken?: string;
     };
 };
-export declare type GenerateSignupLinkParams = {
+export type GenerateSignupLinkParams = {
     type: 'signup';
     email: string;
     password: string;
     options?: Pick<GenerateLinkOptions, 'data' | 'redirectTo'>;
 };
-export declare type GenerateInviteOrMagiclinkParams = {
+export type GenerateInviteOrMagiclinkParams = {
     type: 'invite' | 'magiclink';
     /** The user's email */
     email: string;
     options?: Pick<GenerateLinkOptions, 'data' | 'redirectTo'>;
 };
-export declare type GenerateRecoveryLinkParams = {
+export type GenerateRecoveryLinkParams = {
     type: 'recovery';
     /** The user's email */
     email: string;
     options?: Pick<GenerateLinkOptions, 'redirectTo'>;
 };
-export declare type GenerateEmailChangeLinkParams = {
+export type GenerateEmailChangeLinkParams = {
     type: 'email_change_current' | 'email_change_new';
     /** The user's email */
     email: string;
@@ -707,22 +664,13 @@ export interface GenerateLinkOptions {
     /** The URL which will be appended to the email link generated. */
     redirectTo?: string;
 }
-export declare type GenerateLinkParams = GenerateSignupLinkParams | GenerateInviteOrMagiclinkParams | GenerateRecoveryLinkParams | GenerateEmailChangeLinkParams;
-export declare type GenerateLinkResponse = {
-    data: {
-        properties: GenerateLinkProperties;
-        user: User;
-    };
-    error: null;
-} | {
-    data: {
-        properties: null;
-        user: null;
-    };
-    error: AuthError;
-};
+export type GenerateLinkParams = GenerateSignupLinkParams | GenerateInviteOrMagiclinkParams | GenerateRecoveryLinkParams | GenerateEmailChangeLinkParams;
+export type GenerateLinkResponse = RequestResultSafeDestructure<{
+    properties: GenerateLinkProperties;
+    user: User;
+}>;
 /** The properties related to the email link generated  */
-export declare type GenerateLinkProperties = {
+export type GenerateLinkProperties = {
     /**
      * The email link to send to the user.
      * The action_link follows the following format: auth/v1/verify?type={verification_type}&token={hashed_token}&redirect_to={redirect_to}
@@ -742,113 +690,191 @@ export declare type GenerateLinkProperties = {
     /** The verification type that the email link is associated to. */
     verification_type: GenerateLinkType;
 };
-export declare type GenerateLinkType = 'signup' | 'invite' | 'magiclink' | 'recovery' | 'email_change_current' | 'email_change_new';
-export declare type MFAEnrollParams = MFAEnrollTOTPParams | MFAEnrollPhoneParams;
-export declare type MFAUnenrollParams = {
+export type GenerateLinkType = 'signup' | 'invite' | 'magiclink' | 'recovery' | 'email_change_current' | 'email_change_new';
+export type MFAEnrollParams = MFAEnrollTOTPParams | MFAEnrollPhoneParams | MFAEnrollWebauthnParams;
+export type MFAUnenrollParams = {
     /** ID of the factor being unenrolled. */
     factorId: string;
 };
-export declare type MFAVerifyParams = {
+type MFAVerifyParamsBase = {
     /** ID of the factor being verified. Returned in enroll(). */
     factorId: string;
     /** ID of the challenge being verified. Returned in challenge(). */
     challengeId: string;
+};
+type MFAVerifyTOTPParamFields = {
     /** Verification code provided by the user. */
     code: string;
 };
-export declare type MFAChallengeParams = {
+export type MFAVerifyTOTPParams = Prettify<MFAVerifyParamsBase & MFAVerifyTOTPParamFields>;
+type MFAVerifyPhoneParamFields = MFAVerifyTOTPParamFields;
+export type MFAVerifyPhoneParams = Prettify<MFAVerifyParamsBase & MFAVerifyPhoneParamFields>;
+type MFAVerifyWebauthnParamFieldsBase = {
+    /** Relying party ID */
+    rpId: string;
+    /** Relying party origins */
+    rpOrigins?: string[];
+};
+type MFAVerifyWebauthnCredentialParamFields<T extends 'create' | 'request' = 'create' | 'request'> = {
+    /** Operation type */
+    type: T;
+    /** Creation response from the authenticator (for enrollment/unverified factors) */
+    credential_response: T extends 'create' ? RegistrationCredential : AuthenticationCredential;
+};
+/**
+ * WebAuthn-specific fields for MFA verification.
+ * Supports both credential creation (registration) and request (authentication) flows.
+ * @template T - Type of WebAuthn operation: 'create' for registration, 'request' for authentication
+ */
+export type MFAVerifyWebauthnParamFields<T extends 'create' | 'request' = 'create' | 'request'> = {
+    webauthn: MFAVerifyWebauthnParamFieldsBase & MFAVerifyWebauthnCredentialParamFields<T>;
+};
+/**
+ * Parameters for WebAuthn MFA verification.
+ * Used to verify WebAuthn credentials after challenge.
+ * @template T - Type of WebAuthn operation: 'create' for registration, 'request' for authentication
+ * @see {@link https://w3c.github.io/webauthn/#sctn-verifying-assertion W3C WebAuthn Spec - Verifying an Authentication Assertion}
+ */
+export type MFAVerifyWebauthnParams<T extends 'create' | 'request' = 'create' | 'request'> = Prettify<MFAVerifyParamsBase & MFAVerifyWebauthnParamFields<T>>;
+export type MFAVerifyParams = MFAVerifyTOTPParams | MFAVerifyPhoneParams | MFAVerifyWebauthnParams;
+type MFAChallengeParamsBase = {
     /** ID of the factor to be challenged. Returned in enroll(). */
     factorId: string;
-    /** Messaging channel to use (e.g. whatsapp or sms). Only relevant for phone factors */
-    channel?: 'sms' | 'whatsapp';
 };
-export declare type MFAChallengeAndVerifyParams = {
-    /** ID of the factor being verified. Returned in enroll(). */
-    factorId: string;
-    /** Verification code provided by the user. */
-    code: string;
+declare const MFATOTPChannels: readonly ["sms", "whatsapp"];
+export type MFATOTPChannel = (typeof MFATOTPChannels)[number];
+export type MFAChallengeTOTPParams = Prettify<MFAChallengeParamsBase>;
+type MFAChallengePhoneParamFields<Channel extends MFATOTPChannel = MFATOTPChannel> = {
+    /** Messaging channel to use (e.g. whatsapp or sms). Only relevant for phone factors */
+    channel: Channel;
 };
-export declare type AuthMFAVerifyResponse = {
-    data: {
-        /** New access token (JWT) after successful verification. */
-        access_token: string;
-        /** Type of token, typically `Bearer`. */
-        token_type: string;
-        /** Number of seconds in which the access token will expire. */
-        expires_in: number;
-        /** Refresh token you can use to obtain new access tokens when expired. */
-        refresh_token: string;
-        /** Updated user profile. */
-        user: User;
+export type MFAChallengePhoneParams = Prettify<MFAChallengeParamsBase & MFAChallengePhoneParamFields>;
+/** WebAuthn parameters for WebAuthn factor challenge */
+type MFAChallengeWebauthnParamFields = {
+    webauthn: {
+        /** Relying party ID */
+        rpId: string;
+        /** Relying party origins*/
+        rpOrigins?: string[];
     };
-    error: null;
-} | {
-    data: null;
-    error: AuthError;
 };
-export declare type AuthMFAEnrollResponse = AuthMFAEnrollTOTPResponse | AuthMFAEnrollPhoneResponse;
-export declare type AuthMFAUnenrollResponse = {
-    data: {
-        /** ID of the factor that was successfully unenrolled. */
-        id: string;
-    };
-    error: null;
-} | {
-    data: null;
-    error: AuthError;
+/**
+ * Parameters for initiating a WebAuthn MFA challenge.
+ * Includes Relying Party information needed for WebAuthn ceremonies.
+ * @see {@link https://w3c.github.io/webauthn/#sctn-rp-operations W3C WebAuthn Spec - Relying Party Operations}
+ */
+export type MFAChallengeWebauthnParams = Prettify<MFAChallengeParamsBase & MFAChallengeWebauthnParamFields>;
+export type MFAChallengeParams = MFAChallengeTOTPParams | MFAChallengePhoneParams | MFAChallengeWebauthnParams;
+type MFAChallengeAndVerifyParamsBase = Omit<MFAVerifyParamsBase, 'challengeId'>;
+type MFAChallengeAndVerifyTOTPParamFields = MFAVerifyTOTPParamFields;
+type MFAChallengeAndVerifyTOTPParams = Prettify<MFAChallengeAndVerifyParamsBase & MFAChallengeAndVerifyTOTPParamFields>;
+export type MFAChallengeAndVerifyParams = MFAChallengeAndVerifyTOTPParams;
+/**
+ * Data returned after successful MFA verification.
+ * Contains new session tokens and updated user information.
+ */
+export type AuthMFAVerifyResponseData = {
+    /** New access token (JWT) after successful verification. */
+    access_token: string;
+    /** Type of token, always `bearer`. */
+    token_type: 'bearer';
+    /** Number of seconds in which the access token will expire. */
+    expires_in: number;
+    /** Refresh token you can use to obtain new access tokens when expired. */
+    refresh_token: string;
+    /** Updated user profile. */
+    user: User;
 };
-export declare type AuthMFAChallengeResponse = {
-    data: {
-        /** ID of the newly created challenge. */
-        id: string;
-        /** Factor Type which generated the challenge */
-        type: 'totp' | 'phone';
-        /** Timestamp in UNIX seconds when this challenge will no longer be usable. */
-        expires_at: number;
-    };
-    error: null;
-} | {
-    data: null;
-    error: AuthError;
+/**
+ * Response type for MFA verification operations.
+ * Returns session tokens on successful verification.
+ */
+export type AuthMFAVerifyResponse = RequestResult<AuthMFAVerifyResponseData>;
+export type AuthMFAEnrollResponse = AuthMFAEnrollTOTPResponse | AuthMFAEnrollPhoneResponse | AuthMFAEnrollWebauthnResponse;
+export type AuthMFAUnenrollResponse = RequestResult<{
+    /** ID of the factor that was successfully unenrolled. */
+    id: string;
+}>;
+type AuthMFAChallengeResponseBase<T extends FactorType> = {
+    /** ID of the newly created challenge. */
+    id: string;
+    /** Factor Type which generated the challenge */
+    type: T;
+    /** Timestamp in UNIX seconds when this challenge will no longer be usable. */
+    expires_at: number;
 };
-export declare type AuthMFAListFactorsResponse = {
-    data: {
-        /** All available factors (verified and unverified). */
-        all: Factor[];
-        /** Only verified TOTP factors. (A subset of `all`.) */
-        totp: Factor[];
-        /** Only verified Phone factors. (A subset of `all`.) */
-        phone: Factor[];
+type AuthMFAChallengeTOTPResponseFields = {};
+export type AuthMFAChallengeTOTPResponse = RequestResult<Prettify<AuthMFAChallengeResponseBase<'totp'> & AuthMFAChallengeTOTPResponseFields>>;
+type AuthMFAChallengePhoneResponseFields = {};
+export type AuthMFAChallengePhoneResponse = RequestResult<Prettify<AuthMFAChallengeResponseBase<'phone'> & AuthMFAChallengePhoneResponseFields>>;
+type AuthMFAChallengeWebauthnResponseFields = {
+    webauthn: {
+        type: 'create';
+        credential_options: {
+            publicKey: PublicKeyCredentialCreationOptionsFuture;
+        };
+    } | {
+        type: 'request';
+        credential_options: {
+            publicKey: PublicKeyCredentialRequestOptionsFuture;
+        };
     };
-    error: null;
-} | {
-    data: null;
-    error: AuthError;
 };
-export declare type AuthenticatorAssuranceLevels = 'aal1' | 'aal2';
-export declare type AuthMFAGetAuthenticatorAssuranceLevelResponse = {
-    data: {
-        /** Current AAL level of the session. */
-        currentLevel: AuthenticatorAssuranceLevels | null;
-        /**
-         * Next possible AAL level for the session. If the next level is higher
-         * than the current one, the user should go through MFA.
-         *
-         * @see {@link GoTrueMFAApi#challenge}
-         */
-        nextLevel: AuthenticatorAssuranceLevels | null;
-        /**
-         * A list of all authentication methods attached to this session. Use
-         * the information here to detect the last time a user verified a
-         * factor, for example if implementing a step-up scenario.
-         */
-        currentAuthenticationMethods: AMREntry[];
+/**
+ * Response type for WebAuthn MFA challenge.
+ * Contains credential creation or request options from the server.
+ * @see {@link https://w3c.github.io/webauthn/#sctn-credential-creation W3C WebAuthn Spec - Credential Creation}
+ */
+export type AuthMFAChallengeWebauthnResponse = RequestResult<Prettify<AuthMFAChallengeResponseBase<'webauthn'> & AuthMFAChallengeWebauthnResponseFields>>;
+type AuthMFAChallengeWebauthnResponseFieldsJSON = {
+    webauthn: {
+        type: 'create';
+        credential_options: {
+            publicKey: ServerCredentialCreationOptions;
+        };
+    } | {
+        type: 'request';
+        credential_options: {
+            publicKey: ServerCredentialRequestOptions;
+        };
     };
-    error: null;
-} | {
-    data: null;
-    error: AuthError;
 };
+/**
+ * JSON-serializable version of WebAuthn challenge response.
+ * Used for server communication with base64url-encoded binary fields.
+ */
+export type AuthMFAChallengeWebauthnResponseDataJSON = Prettify<AuthMFAChallengeResponseBase<'webauthn'> & AuthMFAChallengeWebauthnResponseFieldsJSON>;
+/**
+ * Server response type for WebAuthn MFA challenge.
+ * Contains JSON-formatted WebAuthn options ready for browser API.
+ */
+export type AuthMFAChallengeWebauthnServerResponse = RequestResult<AuthMFAChallengeWebauthnResponseDataJSON>;
+export type AuthMFAChallengeResponse = AuthMFAChallengeTOTPResponse | AuthMFAChallengePhoneResponse | AuthMFAChallengeWebauthnResponse;
+/** response of ListFactors, which should contain all the types of factors that are available, this ensures we always include all */
+export type AuthMFAListFactorsResponse<T extends typeof FactorTypes = typeof FactorTypes> = RequestResult<{
+    /** All available factors (verified and unverified). */
+    all: Prettify<Factor>[];
+} & {
+    [K in T[number]]: Prettify<Factor<K, 'verified'>>[];
+}>;
+export type AuthenticatorAssuranceLevels = 'aal1' | 'aal2';
+export type AuthMFAGetAuthenticatorAssuranceLevelResponse = RequestResult<{
+    /** Current AAL level of the session. */
+    currentLevel: AuthenticatorAssuranceLevels | null;
+    /**
+     * Next possible AAL level for the session. If the next level is higher
+     * than the current one, the user should go through MFA.
+     *
+     * @see {@link GoTrueMFAApi#challenge}
+     */
+    nextLevel: AuthenticatorAssuranceLevels | null;
+    /**
+     * A list of all authentication methods attached to this session. Use
+     * the information here to detect the last time a user verified a
+     * factor, for example if implementing a step-up scenario.
+     */
+    currentAuthenticationMethods: AMREntry[];
+}>;
 /**
  * Contains the full multi-factor authentication API.
  *
@@ -862,20 +888,26 @@ export interface GoTrueMFAApi {
      * The user has to enter the code from their authenticator app to verify it.
      *
      * Upon verifying a factor, all other sessions are logged out and the current session's authenticator level is promoted to `aal2`.
-     *
      */
     enroll(params: MFAEnrollTOTPParams): Promise<AuthMFAEnrollTOTPResponse>;
     enroll(params: MFAEnrollPhoneParams): Promise<AuthMFAEnrollPhoneResponse>;
+    enroll(params: MFAEnrollWebauthnParams): Promise<AuthMFAEnrollWebauthnResponse>;
     enroll(params: MFAEnrollParams): Promise<AuthMFAEnrollResponse>;
     /**
      * Prepares a challenge used to verify that a user has access to a MFA
      * factor.
      */
+    challenge(params: MFAChallengeTOTPParams): Promise<Prettify<AuthMFAChallengeTOTPResponse>>;
+    challenge(params: MFAChallengePhoneParams): Promise<Prettify<AuthMFAChallengePhoneResponse>>;
+    challenge(params: MFAChallengeWebauthnParams): Promise<Prettify<AuthMFAChallengeWebauthnResponse>>;
     challenge(params: MFAChallengeParams): Promise<AuthMFAChallengeResponse>;
     /**
      * Verifies a code against a challenge. The verification code is
      * provided by the user by entering a code seen in their authenticator app.
      */
+    verify(params: MFAVerifyTOTPParams): Promise<AuthMFAVerifyResponse>;
+    verify(params: MFAVerifyPhoneParams): Promise<AuthMFAVerifyResponse>;
+    verify(params: MFAVerifyWebauthnParams): Promise<AuthMFAVerifyResponse>;
     verify(params: MFAVerifyParams): Promise<AuthMFAVerifyResponse>;
     /**
      * Unenroll removes a MFA factor.
@@ -910,24 +942,19 @@ export interface GoTrueMFAApi {
      *
      */
     getAuthenticatorAssuranceLevel(): Promise<AuthMFAGetAuthenticatorAssuranceLevelResponse>;
+    webauthn: WebAuthnApi;
 }
 /**
  * @expermental
  */
-export declare type AuthMFAAdminDeleteFactorResponse = {
-    data: {
-        /** ID of the factor that was successfully deleted. */
-        id: string;
-    };
-    error: null;
-} | {
-    data: null;
-    error: AuthError;
-};
+export type AuthMFAAdminDeleteFactorResponse = RequestResult<{
+    /** ID of the factor that was successfully deleted. */
+    id: string;
+}>;
 /**
  * @expermental
  */
-export declare type AuthMFAAdminDeleteFactorParams = {
+export type AuthMFAAdminDeleteFactorParams = {
     /** ID of the MFA factor to delete. */
     id: string;
     /** ID of the user whose factor is being deleted. */
@@ -936,20 +963,14 @@ export declare type AuthMFAAdminDeleteFactorParams = {
 /**
  * @expermental
  */
-export declare type AuthMFAAdminListFactorsResponse = {
-    data: {
-        /** All factors attached to the user. */
-        factors: Factor[];
-    };
-    error: null;
-} | {
-    data: null;
-    error: AuthError;
-};
+export type AuthMFAAdminListFactorsResponse = RequestResult<{
+    /** All factors attached to the user. */
+    factors: Factor[];
+}>;
 /**
  * @expermental
  */
-export declare type AuthMFAAdminListFactorsParams = {
+export type AuthMFAAdminListFactorsParams = {
     /** ID of the user. */
     userId: string;
 };
@@ -974,12 +995,12 @@ export interface GoTrueAdminMFAApi {
      */
     deleteFactor(params: AuthMFAAdminDeleteFactorParams): Promise<AuthMFAAdminDeleteFactorResponse>;
 }
-declare type AnyFunction = (...args: any[]) => any;
-declare type MaybePromisify<T> = T | Promise<T>;
-declare type PromisifyMethods<T> = {
+type AnyFunction = (...args: any[]) => any;
+type MaybePromisify<T> = T | Promise<T>;
+type PromisifyMethods<T> = {
     [K in keyof T]: T[K] extends AnyFunction ? (...args: Parameters<T[K]>) => MaybePromisify<ReturnType<T[K]>> : T[K];
 };
-export declare type SupportedStorage = PromisifyMethods<Pick<Storage, 'getItem' | 'setItem' | 'removeItem'>> & {
+export type SupportedStorage = PromisifyMethods<Pick<Storage, 'getItem' | 'setItem' | 'removeItem'>> & {
     /**
      * If set to `true` signals to the library that the storage medium is used
      * on a server and the values may not be authentic, such as reading from
@@ -989,29 +1010,23 @@ export declare type SupportedStorage = PromisifyMethods<Pick<Storage, 'getItem'
      */
     isServer?: boolean;
 };
-export declare type InitializeResult = {
+export type InitializeResult = {
     error: AuthError | null;
 };
-export declare type CallRefreshTokenResult = {
-    session: Session;
-    error: null;
-} | {
-    session: null;
-    error: AuthError;
-};
-export declare type Pagination = {
+export type CallRefreshTokenResult = RequestResult<Session>;
+export type Pagination = {
     [key: string]: any;
     nextPage: number | null;
     lastPage: number;
     total: number;
 };
-export declare type PageParams = {
+export type PageParams = {
     /** The page number */
     page?: number;
     /** Number of items returned per page */
     perPage?: number;
 };
-export declare type SignOut = {
+export type SignOut = {
     /**
      * Determines which sessions should be
      * logged out. Global means all
@@ -1024,72 +1039,72 @@ export declare type SignOut = {
      */
     scope?: 'global' | 'local' | 'others';
 };
-export declare type MFAEnrollTOTPParams = {
+type MFAEnrollParamsBase<T extends FactorType> = {
     /** The type of factor being enrolled. */
-    factorType: 'totp';
-    /** Domain which the user is enrolled with. */
-    issuer?: string;
+    factorType: T;
     /** Human readable name assigned to the factor. */
     friendlyName?: string;
 };
-export declare type MFAEnrollPhoneParams = {
-    /** The type of factor being enrolled. */
-    factorType: 'phone';
-    /** Human readable name assigned to the factor. */
-    friendlyName?: string;
+type MFAEnrollTOTPParamFields = {
+    /** Domain which the user is enrolled with. */
+    issuer?: string;
+};
+export type MFAEnrollTOTPParams = Prettify<MFAEnrollParamsBase<'totp'> & MFAEnrollTOTPParamFields>;
+type MFAEnrollPhoneParamFields = {
     /** Phone number associated with a factor. Number should conform to E.164 format */
     phone: string;
 };
-export declare type AuthMFAEnrollTOTPResponse = {
-    data: {
-        /** ID of the factor that was just enrolled (in an unverified state). */
-        id: string;
-        /** Type of MFA factor.*/
-        type: 'totp';
-        /** TOTP enrollment information. */
-        totp: {
-            /** Contains a QR code encoding the authenticator URI. You can
-             * convert it to a URL by prepending `data:image/svg+xml;utf-8,` to
-             * the value. Avoid logging this value to the console. */
-            qr_code: string;
-            /** The TOTP secret (also encoded in the QR code). Show this secret
-             * in a password-style field to the user, in case they are unable to
-             * scan the QR code. Avoid logging this value to the console. */
-            secret: string;
-            /** The authenticator URI encoded within the QR code, should you need
-             * to use it. Avoid loggin this value to the console. */
-            uri: string;
-        };
-        /** Friendly name of the factor, useful for distinguishing between factors **/
-        friendly_name?: string;
-    };
-    error: null;
-} | {
-    data: null;
-    error: AuthError;
+export type MFAEnrollPhoneParams = Prettify<MFAEnrollParamsBase<'phone'> & MFAEnrollPhoneParamFields>;
+type MFAEnrollWebauthnFields = {};
+/**
+ * Parameters for enrolling a WebAuthn factor.
+ * Creates an unverified WebAuthn factor that must be verified with a credential.
+ * @see {@link https://w3c.github.io/webauthn/#sctn-registering-a-new-credential W3C WebAuthn Spec - Registering a New Credential}
+ */
+export type MFAEnrollWebauthnParams = Prettify<MFAEnrollParamsBase<'webauthn'> & MFAEnrollWebauthnFields>;
+type AuthMFAEnrollResponseBase<T extends FactorType> = {
+    /** ID of the factor that was just enrolled (in an unverified state). */
+    id: string;
+    /** Type of MFA factor.*/
+    type: T;
+    /** Friendly name of the factor, useful for distinguishing between factors **/
+    friendly_name?: string;
 };
-export declare type AuthMFAEnrollPhoneResponse = {
-    data: {
-        /** ID of the factor that was just enrolled (in an unverified state). */
-        id: string;
-        /** Type of MFA factor. */
-        type: 'phone';
-        /** Friendly name of the factor, useful for distinguishing between factors **/
-        friendly_name?: string;
-        /** Phone number of the MFA factor in E.164 format. Used to send messages  */
-        phone: string;
+type AuthMFAEnrollTOTPResponseFields = {
+    /** TOTP enrollment information. */
+    totp: {
+        /** Contains a QR code encoding the authenticator URI. You can
+         * convert it to a URL by prepending `data:image/svg+xml;utf-8,` to
+         * the value. Avoid logging this value to the console. */
+        qr_code: string;
+        /** The TOTP secret (also encoded in the QR code). Show this secret
+         * in a password-style field to the user, in case they are unable to
+         * scan the QR code. Avoid logging this value to the console. */
+        secret: string;
+        /** The authenticator URI encoded within the QR code, should you need
+         * to use it. Avoid loggin this value to the console. */
+        uri: string;
     };
-    error: null;
-} | {
-    data: null;
-    error: AuthError;
 };
-export declare type JwtHeader = {
+export type AuthMFAEnrollTOTPResponse = RequestResult<Prettify<AuthMFAEnrollResponseBase<'totp'> & AuthMFAEnrollTOTPResponseFields>>;
+type AuthMFAEnrollPhoneResponseFields = {
+    /** Phone number of the MFA factor in E.164 format. Used to send messages  */
+    phone: string;
+};
+export type AuthMFAEnrollPhoneResponse = RequestResult<Prettify<AuthMFAEnrollResponseBase<'phone'> & AuthMFAEnrollPhoneResponseFields>>;
+type AuthMFAEnrollWebauthnFields = {};
+/**
+ * Response type for WebAuthn factor enrollment.
+ * Returns the enrolled factor ID and metadata.
+ * @see {@link https://w3c.github.io/webauthn/#sctn-registering-a-new-credential W3C WebAuthn Spec - Registering a New Credential}
+ */
+export type AuthMFAEnrollWebauthnResponse = RequestResult<Prettify<AuthMFAEnrollResponseBase<'webauthn'> & AuthMFAEnrollWebauthnFields>>;
+export type JwtHeader = {
     alg: 'RS256' | 'ES256' | 'HS256';
     kid: string;
     typ: string;
 };
-export declare type RequiredClaims = {
+export type RequiredClaims = {
     iss: string;
     sub: string;
     aud: string | string[];
@@ -1099,7 +1114,7 @@ export declare type RequiredClaims = {
     aal: AuthenticatorAssuranceLevels;
     session_id: string;
 };
-export declare type JwtPayload = RequiredClaims & {
+export type JwtPayload = RequiredClaims & {
     [key: string]: any;
 };
 export interface JWK {
@@ -1110,6 +1125,6 @@ export interface JWK {
     [key: string]: any;
 }
 export declare const SIGN_OUT_SCOPES: readonly ["global", "local", "others"];
-export declare type SignOutScope = typeof SIGN_OUT_SCOPES[number];
+export type SignOutScope = (typeof SIGN_OUT_SCOPES)[number];
 export {};
 //# sourceMappingURL=types.d.ts.map