@supabase/gotrue-js 2.73.0-rc.3 → 2.79.1-canary.0

package/dist/main/lib/types.d.ts

@@ -1,12 +1,13 @@
-import { EIP1193Provider } from './web3/ethereum';
 import { AuthError } from './errors';
 import { Fetch } from './fetch';
+import { EIP1193Provider, EthereumSignInInput, Hex } from './web3/ethereum';
 import type { SolanaSignInInput, SolanaSignInOutput } from './web3/solana';
-import { EthereumSignInInput, Hex } from './web3/ethereum';
+import { ServerCredentialCreationOptions, ServerCredentialRequestOptions, WebAuthnApi } from './webauthn';
+import { AuthenticationCredential, PublicKeyCredentialCreationOptionsFuture, PublicKeyCredentialRequestOptionsFuture, RegistrationCredential } from './webauthn.dom';
 /** One of the providers supported by GoTrue. */
-export declare type Provider = 'apple' | 'azure' | 'bitbucket' | 'discord' | 'facebook' | 'figma' | 'github' | 'gitlab' | 'google' | 'kakao' | 'keycloak' | 'linkedin' | 'linkedin_oidc' | 'notion' | 'slack' | 'slack_oidc' | 'spotify' | 'twitch' | 'twitter' | 'workos' | 'zoom' | 'fly';
-export declare type AuthChangeEventMFA = 'MFA_CHALLENGE_VERIFIED';
-export declare type AuthChangeEvent = 'INITIAL_SESSION' | 'PASSWORD_RECOVERY' | 'SIGNED_IN' | 'SIGNED_OUT' | 'TOKEN_REFRESHED' | 'USER_UPDATED' | AuthChangeEventMFA;
+export type Provider = 'apple' | 'azure' | 'bitbucket' | 'discord' | 'facebook' | 'figma' | 'github' | 'gitlab' | 'google' | 'kakao' | 'keycloak' | 'linkedin' | 'linkedin_oidc' | 'notion' | 'slack' | 'slack_oidc' | 'spotify' | 'twitch' | 'twitter' | 'workos' | 'zoom' | 'fly';
+export type AuthChangeEventMFA = 'MFA_CHALLENGE_VERIFIED';
+export type AuthChangeEvent = 'INITIAL_SESSION' | 'PASSWORD_RECOVERY' | 'SIGNED_IN' | 'SIGNED_OUT' | 'TOKEN_REFRESHED' | 'USER_UPDATED' | AuthChangeEventMFA;
 /**
  * Provide your own global lock implementation instead of the default
  * implementation. The function should acquire a lock for the duration of the
@@ -22,8 +23,8 @@ export declare type AuthChangeEvent = 'INITIAL_SESSION' | 'PASSWORD_RECOVERY' |
  *                       acquired after this much time (ms).
  * @param fn The operation to execute when the lock is acquired.
  */
-export declare type LockFunc = <R>(name: string, acquireTimeout: number, fn: () => Promise<R>) => Promise<R>;
-export declare type GoTrueClientOptions = {
+export type LockFunc = <R>(name: string, acquireTimeout: number, fn: () => Promise<R>) => Promise<R>;
+export type GoTrueClientOptions = {
     url?: string;
     headers?: {
         [key: string]: string;
@@ -57,8 +58,8 @@ export declare type GoTrueClientOptions = {
     hasCustomAuthorizationHeader?: boolean;
 };
 declare const WeakPasswordReasons: readonly ["length", "characters", "pwned"];
-export declare type WeakPasswordReasons = typeof WeakPasswordReasons[number];
-export declare type WeakPassword = {
+export type WeakPasswordReasons = (typeof WeakPasswordReasons)[number];
+export type WeakPassword = {
     reasons: WeakPasswordReasons[];
     message: string;
 };
@@ -66,13 +67,19 @@ export declare type WeakPassword = {
  * Resolve mapped types and show the derived keys and their types when hovering in
  * VS Code, instead of just showing the names those mapped types are defined with.
  */
-export declare type Prettify<T> = T extends Function ? T : {
+export type Prettify<T> = T extends Function ? T : {
     [K in keyof T]: T[K];
 };
+/**
+ * A stricter version of TypeScript's Omit that only allows omitting keys that actually exist.
+ * This prevents typos and ensures type safety at compile time.
+ * Unlike regular Omit, this will error if you try to omit a non-existent key.
+ */
+export type StrictOmit<T, K extends keyof T> = Omit<T, K>;
 /**
  * a shared result type that encapsulates errors instead of throwing them, allows you to optionally specify the ErrorType
  */
-export declare type RequestResult<T, ErrorType extends Error = AuthError> = {
+export type RequestResult<T, ErrorType extends Error = AuthError> = {
     data: T;
     error: null;
 } | {
@@ -83,7 +90,7 @@ export declare type RequestResult<T, ErrorType extends Error = AuthError> = {
  * similar to RequestResult except it allows you to destructure the possible shape of the success response
  *  {@see RequestResult}
  */
-export declare type RequestResultSafeDestructure<T> = {
+export type RequestResultSafeDestructure<T> = {
     data: T;
     error: null;
 } | {
@@ -92,11 +99,11 @@ export declare type RequestResultSafeDestructure<T> = {
     } : null;
     error: AuthError;
 };
-export declare type AuthResponse = RequestResultSafeDestructure<{
+export type AuthResponse = RequestResultSafeDestructure<{
     user: User | null;
     session: Session | null;
 }>;
-export declare type AuthResponsePassword = RequestResultSafeDestructure<{
+export type AuthResponsePassword = RequestResultSafeDestructure<{
     user: User | null;
     session: Session | null;
     weak_password?: WeakPassword | null;
@@ -106,21 +113,21 @@ export declare type AuthResponsePassword = RequestResultSafeDestructure<{
  *
  * {@see AuthResponse}
  */
-export declare type AuthOtpResponse = RequestResultSafeDestructure<{
+export type AuthOtpResponse = RequestResultSafeDestructure<{
     user: null;
     session: null;
     messageId?: string | null;
 }>;
-export declare type AuthTokenResponse = RequestResultSafeDestructure<{
+export type AuthTokenResponse = RequestResultSafeDestructure<{
     user: User;
     session: Session;
 }>;
-export declare type AuthTokenResponsePassword = RequestResultSafeDestructure<{
+export type AuthTokenResponsePassword = RequestResultSafeDestructure<{
     user: User;
     session: Session;
     weakPassword?: WeakPassword;
 }>;
-export declare type OAuthResponse = {
+export type OAuthResponse = {
     data: {
         provider: Provider;
         url: string;
@@ -133,7 +140,7 @@ export declare type OAuthResponse = {
     };
     error: AuthError;
 };
-export declare type SSOResponse = RequestResult<{
+export type SSOResponse = RequestResult<{
     /**
      * URL to open in a browser which will complete the sign-in flow by
      * taking the user to the identity provider's authentication flow.
@@ -143,7 +150,7 @@ export declare type SSOResponse = RequestResult<{
      */
     url: string;
 }>;
-export declare type UserResponse = RequestResultSafeDestructure<{
+export type UserResponse = RequestResultSafeDestructure<{
     user: User;
 }>;
 export interface Session {
@@ -178,8 +185,8 @@ export interface Session {
      */
     user: User;
 }
-declare const AMRMethods: readonly ["password", "otp", "oauth", "totp", "mfa/totp", "mfa/phone", "anonymous", "sso/saml", "magiclink", "web3"];
-export declare type AMRMethod = typeof AMRMethods[number] | (string & {});
+declare const AMRMethods: readonly ["password", "otp", "oauth", "totp", "mfa/totp", "mfa/phone", "mfa/webauthn", "anonymous", "sso/saml", "magiclink", "web3"];
+export type AMRMethod = (typeof AMRMethods)[number] | (string & {});
 /**
  * An authentication methord reference (AMR) entry.
  *
@@ -209,16 +216,16 @@ export interface UserIdentity {
     last_sign_in_at?: string;
     updated_at?: string;
 }
-export declare const FactorTypes: readonly ["totp", "phone"];
+declare const FactorTypes: readonly ["totp", "phone", "webauthn"];
 /**
  * Type of factor. `totp` and `phone` supported with this version
  */
-export declare type FactorType = typeof FactorTypes[number];
+export type FactorType = (typeof FactorTypes)[number];
 declare const FactorVerificationStatuses: readonly ["verified", "unverified"];
 /**
  * The verification status of the factor, default is `unverified` after `.enroll()`, then `verified` after the user verifies it with `.verify()`
  */
-declare type FactorVerificationStatus = typeof FactorVerificationStatuses[number];
+type FactorVerificationStatus = (typeof FactorVerificationStatuses)[number];
 /**
  * A MFA factor.
  *
@@ -226,7 +233,7 @@ declare type FactorVerificationStatus = typeof FactorVerificationStatuses[number
  * @see {@link GoTrueMFAApi#listFactors}
  * @see {@link GoTrueMFAAdminApi#listFactors}
  */
-export declare type Factor<Type extends FactorType = FactorType, Status extends FactorVerificationStatus = typeof FactorVerificationStatuses[number]> = {
+export type Factor<Type extends FactorType = FactorType, Status extends FactorVerificationStatus = (typeof FactorVerificationStatuses)[number]> = {
     /** ID of the factor. */
     id: string;
     /** Friendly name of the factor, useful to disambiguate between multiple factors. */
@@ -273,7 +280,7 @@ export interface User {
     identities?: UserIdentity[];
     is_anonymous?: boolean;
     is_sso_user?: boolean;
-    factors?: Factor<FactorType>[];
+    factors?: (Factor<FactorType, 'verified'> | Factor<FactorType, 'unverified'>)[];
     deleted_at?: string;
 }
 export interface UserAttributes {
@@ -384,7 +391,7 @@ export interface Subscription {
      */
     unsubscribe: () => void;
 }
-export declare type SignInAnonymouslyCredentials = {
+export type SignInAnonymouslyCredentials = {
     options?: {
         /**
          * A custom data object to store the user's metadata. This maps to the `auth.users.raw_user_meta_data` column.
@@ -396,7 +403,7 @@ export declare type SignInAnonymouslyCredentials = {
         captchaToken?: string;
     };
 };
-export declare type SignUpWithPasswordCredentials = Prettify<PasswordCredentialsBase & {
+export type SignUpWithPasswordCredentials = Prettify<PasswordCredentialsBase & {
     options?: {
         emailRedirectTo?: string;
         data?: object;
@@ -404,19 +411,19 @@ export declare type SignUpWithPasswordCredentials = Prettify<PasswordCredentials
         channel?: 'sms' | 'whatsapp';
     };
 }>;
-declare type PasswordCredentialsBase = {
+type PasswordCredentialsBase = {
     email: string;
     password: string;
 } | {
     phone: string;
     password: string;
 };
-export declare type SignInWithPasswordCredentials = PasswordCredentialsBase & {
+export type SignInWithPasswordCredentials = PasswordCredentialsBase & {
     options?: {
         captchaToken?: string;
     };
 };
-export declare type SignInWithPasswordlessCredentials = {
+export type SignInWithPasswordlessCredentials = {
     /** The user's email address. */
     email: string;
     options?: {
@@ -451,8 +458,8 @@ export declare type SignInWithPasswordlessCredentials = {
         channel?: 'sms' | 'whatsapp';
     };
 };
-export declare type AuthFlowType = 'implicit' | 'pkce';
-export declare type SignInWithOAuthCredentials = {
+export type AuthFlowType = 'implicit' | 'pkce';
+export type SignInWithOAuthCredentials = {
     /** One of the providers supported by GoTrue. */
     provider: Provider;
     options?: {
@@ -468,7 +475,7 @@ export declare type SignInWithOAuthCredentials = {
         skipBrowserRedirect?: boolean;
     };
 };
-export declare type SignInWithIdTokenCredentials = {
+export type SignInWithIdTokenCredentials = {
     /** Provider name or OIDC `iss` value identifying which provider should be used to verify the provided token. Supported names: `google`, `apple`, `azure`, `facebook`, `kakao`, `keycloak` (deprecated). */
     provider: 'google' | 'apple' | 'azure' | 'facebook' | 'kakao' | (string & {});
     /** OIDC ID token issued by the specified provider. The `iss` claim in the ID token must match the supplied provider. Some ID tokens contain an `at_hash` which require that you provide an `access_token` value to be accepted properly. If the token contains a `nonce` claim you must supply the nonce used to obtain the ID token. */
@@ -482,14 +489,14 @@ export declare type SignInWithIdTokenCredentials = {
         captchaToken?: string;
     };
 };
-export declare type SolanaWallet = {
+export type SolanaWallet = {
     signIn?: (...inputs: SolanaSignInInput[]) => Promise<SolanaSignInOutput | SolanaSignInOutput[]>;
     publicKey?: {
         toBase58: () => string;
     } | null;
     signMessage?: (message: Uint8Array, encoding?: 'utf8' | string) => Promise<Uint8Array> | undefined;
 };
-export declare type SolanaWeb3Credentials = {
+export type SolanaWeb3Credentials = {
     chain: 'solana';
     /** Wallet interface to use. If not specified will default to `window.solana`. */
     wallet?: SolanaWallet;
@@ -513,8 +520,8 @@ export declare type SolanaWeb3Credentials = {
         captchaToken?: string;
     };
 };
-export declare type EthereumWallet = EIP1193Provider;
-export declare type EthereumWeb3Credentials = {
+export type EthereumWallet = EIP1193Provider;
+export type EthereumWeb3Credentials = {
     chain: 'ethereum';
     /** Wallet interface to use. If not specified will default to `window.ethereum`. */
     wallet?: EthereumWallet;
@@ -538,8 +545,8 @@ export declare type EthereumWeb3Credentials = {
         captchaToken?: string;
     };
 };
-export declare type Web3Credentials = SolanaWeb3Credentials | EthereumWeb3Credentials;
-export declare type VerifyOtpParams = VerifyMobileOtpParams | VerifyEmailOtpParams | VerifyTokenHashParams;
+export type Web3Credentials = SolanaWeb3Credentials | EthereumWeb3Credentials;
+export type VerifyOtpParams = VerifyMobileOtpParams | VerifyEmailOtpParams | VerifyTokenHashParams;
 export interface VerifyMobileOtpParams {
     /** The user's phone number. */
     phone: string;
@@ -581,9 +588,9 @@ export interface VerifyTokenHashParams {
     /** The user's verification type. */
     type: EmailOtpType;
 }
-export declare type MobileOtpType = 'sms' | 'phone_change';
-export declare type EmailOtpType = 'signup' | 'invite' | 'magiclink' | 'recovery' | 'email_change' | 'email';
-export declare type ResendParams = {
+export type MobileOtpType = 'sms' | 'phone_change';
+export type EmailOtpType = 'signup' | 'invite' | 'magiclink' | 'recovery' | 'email_change' | 'email';
+export type ResendParams = {
     type: Extract<EmailOtpType, 'signup' | 'email_change'>;
     email: string;
     options?: {
@@ -600,7 +607,7 @@ export declare type ResendParams = {
         captchaToken?: string;
     };
 };
-export declare type SignInWithSSO = {
+export type SignInWithSSO = {
     /** UUID of the SSO provider to invoke single-sign on to. */
     providerId: string;
     options?: {
@@ -619,25 +626,25 @@ export declare type SignInWithSSO = {
         captchaToken?: string;
     };
 };
-export declare type GenerateSignupLinkParams = {
+export type GenerateSignupLinkParams = {
     type: 'signup';
     email: string;
     password: string;
     options?: Pick<GenerateLinkOptions, 'data' | 'redirectTo'>;
 };
-export declare type GenerateInviteOrMagiclinkParams = {
+export type GenerateInviteOrMagiclinkParams = {
     type: 'invite' | 'magiclink';
     /** The user's email */
     email: string;
     options?: Pick<GenerateLinkOptions, 'data' | 'redirectTo'>;
 };
-export declare type GenerateRecoveryLinkParams = {
+export type GenerateRecoveryLinkParams = {
     type: 'recovery';
     /** The user's email */
     email: string;
     options?: Pick<GenerateLinkOptions, 'redirectTo'>;
 };
-export declare type GenerateEmailChangeLinkParams = {
+export type GenerateEmailChangeLinkParams = {
     type: 'email_change_current' | 'email_change_new';
     /** The user's email */
     email: string;
@@ -657,13 +664,13 @@ export interface GenerateLinkOptions {
     /** The URL which will be appended to the email link generated. */
     redirectTo?: string;
 }
-export declare type GenerateLinkParams = GenerateSignupLinkParams | GenerateInviteOrMagiclinkParams | GenerateRecoveryLinkParams | GenerateEmailChangeLinkParams;
-export declare type GenerateLinkResponse = RequestResultSafeDestructure<{
+export type GenerateLinkParams = GenerateSignupLinkParams | GenerateInviteOrMagiclinkParams | GenerateRecoveryLinkParams | GenerateEmailChangeLinkParams;
+export type GenerateLinkResponse = RequestResultSafeDestructure<{
     properties: GenerateLinkProperties;
     user: User;
 }>;
 /** The properties related to the email link generated  */
-export declare type GenerateLinkProperties = {
+export type GenerateLinkProperties = {
     /**
      * The email link to send to the user.
      * The action_link follows the following format: auth/v1/verify?type={verification_type}&token={hashed_token}&redirect_to={redirect_to}
@@ -683,46 +690,90 @@ export declare type GenerateLinkProperties = {
     /** The verification type that the email link is associated to. */
     verification_type: GenerateLinkType;
 };
-export declare type GenerateLinkType = 'signup' | 'invite' | 'magiclink' | 'recovery' | 'email_change_current' | 'email_change_new';
-export declare type MFAEnrollParams = MFAEnrollTOTPParams | MFAEnrollPhoneParams;
-export declare type MFAUnenrollParams = {
+export type GenerateLinkType = 'signup' | 'invite' | 'magiclink' | 'recovery' | 'email_change_current' | 'email_change_new';
+export type MFAEnrollParams = MFAEnrollTOTPParams | MFAEnrollPhoneParams | MFAEnrollWebauthnParams;
+export type MFAUnenrollParams = {
     /** ID of the factor being unenrolled. */
     factorId: string;
 };
-declare type MFAVerifyParamsBase = {
+type MFAVerifyParamsBase = {
     /** ID of the factor being verified. Returned in enroll(). */
     factorId: string;
     /** ID of the challenge being verified. Returned in challenge(). */
     challengeId: string;
 };
-declare type MFAVerifyTOTPParamFields = {
+type MFAVerifyTOTPParamFields = {
     /** Verification code provided by the user. */
     code: string;
 };
-export declare type MFAVerifyTOTPParams = Prettify<MFAVerifyParamsBase & MFAVerifyTOTPParamFields>;
-declare type MFAVerifyPhoneParamFields = MFAVerifyTOTPParamFields;
-export declare type MFAVerifyPhoneParams = Prettify<MFAVerifyParamsBase & MFAVerifyPhoneParamFields>;
-export declare type MFAVerifyParams = MFAVerifyTOTPParams | MFAVerifyPhoneParams;
-declare type MFAChallengeParamsBase = {
+export type MFAVerifyTOTPParams = Prettify<MFAVerifyParamsBase & MFAVerifyTOTPParamFields>;
+type MFAVerifyPhoneParamFields = MFAVerifyTOTPParamFields;
+export type MFAVerifyPhoneParams = Prettify<MFAVerifyParamsBase & MFAVerifyPhoneParamFields>;
+type MFAVerifyWebauthnParamFieldsBase = {
+    /** Relying party ID */
+    rpId: string;
+    /** Relying party origins */
+    rpOrigins?: string[];
+};
+type MFAVerifyWebauthnCredentialParamFields<T extends 'create' | 'request' = 'create' | 'request'> = {
+    /** Operation type */
+    type: T;
+    /** Creation response from the authenticator (for enrollment/unverified factors) */
+    credential_response: T extends 'create' ? RegistrationCredential : AuthenticationCredential;
+};
+/**
+ * WebAuthn-specific fields for MFA verification.
+ * Supports both credential creation (registration) and request (authentication) flows.
+ * @template T - Type of WebAuthn operation: 'create' for registration, 'request' for authentication
+ */
+export type MFAVerifyWebauthnParamFields<T extends 'create' | 'request' = 'create' | 'request'> = {
+    webauthn: MFAVerifyWebauthnParamFieldsBase & MFAVerifyWebauthnCredentialParamFields<T>;
+};
+/**
+ * Parameters for WebAuthn MFA verification.
+ * Used to verify WebAuthn credentials after challenge.
+ * @template T - Type of WebAuthn operation: 'create' for registration, 'request' for authentication
+ * @see {@link https://w3c.github.io/webauthn/#sctn-verifying-assertion W3C WebAuthn Spec - Verifying an Authentication Assertion}
+ */
+export type MFAVerifyWebauthnParams<T extends 'create' | 'request' = 'create' | 'request'> = Prettify<MFAVerifyParamsBase & MFAVerifyWebauthnParamFields<T>>;
+export type MFAVerifyParams = MFAVerifyTOTPParams | MFAVerifyPhoneParams | MFAVerifyWebauthnParams;
+type MFAChallengeParamsBase = {
     /** ID of the factor to be challenged. Returned in enroll(). */
     factorId: string;
 };
 declare const MFATOTPChannels: readonly ["sms", "whatsapp"];
-export declare type MFATOTPChannel = typeof MFATOTPChannels[number];
-export declare type MFAChallengeTOTPParams = Prettify<MFAChallengeParamsBase>;
-declare type MFAChallengePhoneParamFields<Channel extends MFATOTPChannel = MFATOTPChannel> = {
+export type MFATOTPChannel = (typeof MFATOTPChannels)[number];
+export type MFAChallengeTOTPParams = Prettify<MFAChallengeParamsBase>;
+type MFAChallengePhoneParamFields<Channel extends MFATOTPChannel = MFATOTPChannel> = {
     /** Messaging channel to use (e.g. whatsapp or sms). Only relevant for phone factors */
     channel: Channel;
 };
-export declare type MFAChallengePhoneParams = Prettify<MFAChallengeParamsBase & MFAChallengePhoneParamFields>;
-export declare type MFAChallengeParams = MFAChallengeTOTPParams | MFAChallengePhoneParams;
-declare type MFAChallengeAndVerifyParamsBase = Omit<MFAVerifyParamsBase, 'challengeId'>;
-declare type MFAChallengeAndVerifyTOTPParamFields = MFAVerifyTOTPParamFields;
-declare type MFAChallengeAndVerifyTOTPParams = Prettify<MFAChallengeAndVerifyParamsBase & MFAChallengeAndVerifyTOTPParamFields>;
-declare type MFAChallengeAndVerifyPhoneParamFields = MFAVerifyPhoneParamFields;
-declare type MFAChallengeAndVerifyPhoneParams = Prettify<MFAChallengeAndVerifyParamsBase & MFAChallengeAndVerifyPhoneParamFields>;
-export declare type MFAChallengeAndVerifyParams = MFAChallengeAndVerifyTOTPParams | MFAChallengeAndVerifyPhoneParams;
-export declare type AuthMFAVerifyResponse = RequestResult<{
+export type MFAChallengePhoneParams = Prettify<MFAChallengeParamsBase & MFAChallengePhoneParamFields>;
+/** WebAuthn parameters for WebAuthn factor challenge */
+type MFAChallengeWebauthnParamFields = {
+    webauthn: {
+        /** Relying party ID */
+        rpId: string;
+        /** Relying party origins*/
+        rpOrigins?: string[];
+    };
+};
+/**
+ * Parameters for initiating a WebAuthn MFA challenge.
+ * Includes Relying Party information needed for WebAuthn ceremonies.
+ * @see {@link https://w3c.github.io/webauthn/#sctn-rp-operations W3C WebAuthn Spec - Relying Party Operations}
+ */
+export type MFAChallengeWebauthnParams = Prettify<MFAChallengeParamsBase & MFAChallengeWebauthnParamFields>;
+export type MFAChallengeParams = MFAChallengeTOTPParams | MFAChallengePhoneParams | MFAChallengeWebauthnParams;
+type MFAChallengeAndVerifyParamsBase = Omit<MFAVerifyParamsBase, 'challengeId'>;
+type MFAChallengeAndVerifyTOTPParamFields = MFAVerifyTOTPParamFields;
+type MFAChallengeAndVerifyTOTPParams = Prettify<MFAChallengeAndVerifyParamsBase & MFAChallengeAndVerifyTOTPParamFields>;
+export type MFAChallengeAndVerifyParams = MFAChallengeAndVerifyTOTPParams;
+/**
+ * Data returned after successful MFA verification.
+ * Contains new session tokens and updated user information.
+ */
+export type AuthMFAVerifyResponseData = {
     /** New access token (JWT) after successful verification. */
     access_token: string;
     /** Type of token, always `bearer`. */
@@ -733,29 +784,81 @@ export declare type AuthMFAVerifyResponse = RequestResult<{
     refresh_token: string;
     /** Updated user profile. */
     user: User;
-}>;
-export declare type AuthMFAEnrollResponse = AuthMFAEnrollTOTPResponse | AuthMFAEnrollPhoneResponse;
-export declare type AuthMFAUnenrollResponse = RequestResult<{
+};
+/**
+ * Response type for MFA verification operations.
+ * Returns session tokens on successful verification.
+ */
+export type AuthMFAVerifyResponse = RequestResult<AuthMFAVerifyResponseData>;
+export type AuthMFAEnrollResponse = AuthMFAEnrollTOTPResponse | AuthMFAEnrollPhoneResponse | AuthMFAEnrollWebauthnResponse;
+export type AuthMFAUnenrollResponse = RequestResult<{
     /** ID of the factor that was successfully unenrolled. */
     id: string;
 }>;
-export declare type AuthMFAChallengeResponse<T extends FactorType> = RequestResult<{
+type AuthMFAChallengeResponseBase<T extends FactorType> = {
     /** ID of the newly created challenge. */
     id: string;
     /** Factor Type which generated the challenge */
     type: T;
     /** Timestamp in UNIX seconds when this challenge will no longer be usable. */
     expires_at: number;
-}>;
+};
+type AuthMFAChallengeTOTPResponseFields = {};
+export type AuthMFAChallengeTOTPResponse = RequestResult<Prettify<AuthMFAChallengeResponseBase<'totp'> & AuthMFAChallengeTOTPResponseFields>>;
+type AuthMFAChallengePhoneResponseFields = {};
+export type AuthMFAChallengePhoneResponse = RequestResult<Prettify<AuthMFAChallengeResponseBase<'phone'> & AuthMFAChallengePhoneResponseFields>>;
+type AuthMFAChallengeWebauthnResponseFields = {
+    webauthn: {
+        type: 'create';
+        credential_options: {
+            publicKey: PublicKeyCredentialCreationOptionsFuture;
+        };
+    } | {
+        type: 'request';
+        credential_options: {
+            publicKey: PublicKeyCredentialRequestOptionsFuture;
+        };
+    };
+};
+/**
+ * Response type for WebAuthn MFA challenge.
+ * Contains credential creation or request options from the server.
+ * @see {@link https://w3c.github.io/webauthn/#sctn-credential-creation W3C WebAuthn Spec - Credential Creation}
+ */
+export type AuthMFAChallengeWebauthnResponse = RequestResult<Prettify<AuthMFAChallengeResponseBase<'webauthn'> & AuthMFAChallengeWebauthnResponseFields>>;
+type AuthMFAChallengeWebauthnResponseFieldsJSON = {
+    webauthn: {
+        type: 'create';
+        credential_options: {
+            publicKey: ServerCredentialCreationOptions;
+        };
+    } | {
+        type: 'request';
+        credential_options: {
+            publicKey: ServerCredentialRequestOptions;
+        };
+    };
+};
+/**
+ * JSON-serializable version of WebAuthn challenge response.
+ * Used for server communication with base64url-encoded binary fields.
+ */
+export type AuthMFAChallengeWebauthnResponseDataJSON = Prettify<AuthMFAChallengeResponseBase<'webauthn'> & AuthMFAChallengeWebauthnResponseFieldsJSON>;
+/**
+ * Server response type for WebAuthn MFA challenge.
+ * Contains JSON-formatted WebAuthn options ready for browser API.
+ */
+export type AuthMFAChallengeWebauthnServerResponse = RequestResult<AuthMFAChallengeWebauthnResponseDataJSON>;
+export type AuthMFAChallengeResponse = AuthMFAChallengeTOTPResponse | AuthMFAChallengePhoneResponse | AuthMFAChallengeWebauthnResponse;
 /** response of ListFactors, which should contain all the types of factors that are available, this ensures we always include all */
-export declare type AuthMFAListFactorsResponse<T extends typeof FactorTypes = typeof FactorTypes> = RequestResult<{
+export type AuthMFAListFactorsResponse<T extends typeof FactorTypes = typeof FactorTypes> = RequestResult<{
     /** All available factors (verified and unverified). */
     all: Prettify<Factor>[];
 } & {
     [K in T[number]]: Prettify<Factor<K, 'verified'>>[];
 }>;
-export declare type AuthenticatorAssuranceLevels = 'aal1' | 'aal2';
-export declare type AuthMFAGetAuthenticatorAssuranceLevelResponse = RequestResult<{
+export type AuthenticatorAssuranceLevels = 'aal1' | 'aal2';
+export type AuthMFAGetAuthenticatorAssuranceLevelResponse = RequestResult<{
     /** Current AAL level of the session. */
     currentLevel: AuthenticatorAssuranceLevels | null;
     /**
@@ -788,20 +891,23 @@ export interface GoTrueMFAApi {
      */
     enroll(params: MFAEnrollTOTPParams): Promise<AuthMFAEnrollTOTPResponse>;
     enroll(params: MFAEnrollPhoneParams): Promise<AuthMFAEnrollPhoneResponse>;
+    enroll(params: MFAEnrollWebauthnParams): Promise<AuthMFAEnrollWebauthnResponse>;
     enroll(params: MFAEnrollParams): Promise<AuthMFAEnrollResponse>;
     /**
      * Prepares a challenge used to verify that a user has access to a MFA
      * factor.
      */
-    challenge(params: MFAChallengeTOTPParams): Promise<Prettify<AuthMFAChallengeResponse<'totp'>>>;
-    challenge(params: MFAChallengePhoneParams): Promise<Prettify<AuthMFAChallengeResponse<'phone'>>>;
-    challenge(params: MFAChallengeParams): Promise<Prettify<AuthMFAChallengeResponse<'totp' | 'phone'>>>;
+    challenge(params: MFAChallengeTOTPParams): Promise<Prettify<AuthMFAChallengeTOTPResponse>>;
+    challenge(params: MFAChallengePhoneParams): Promise<Prettify<AuthMFAChallengePhoneResponse>>;
+    challenge(params: MFAChallengeWebauthnParams): Promise<Prettify<AuthMFAChallengeWebauthnResponse>>;
+    challenge(params: MFAChallengeParams): Promise<AuthMFAChallengeResponse>;
     /**
      * Verifies a code against a challenge. The verification code is
      * provided by the user by entering a code seen in their authenticator app.
      */
     verify(params: MFAVerifyTOTPParams): Promise<AuthMFAVerifyResponse>;
     verify(params: MFAVerifyPhoneParams): Promise<AuthMFAVerifyResponse>;
+    verify(params: MFAVerifyWebauthnParams): Promise<AuthMFAVerifyResponse>;
     verify(params: MFAVerifyParams): Promise<AuthMFAVerifyResponse>;
     /**
      * Unenroll removes a MFA factor.
@@ -836,18 +942,19 @@ export interface GoTrueMFAApi {
      *
      */
     getAuthenticatorAssuranceLevel(): Promise<AuthMFAGetAuthenticatorAssuranceLevelResponse>;
+    webauthn: WebAuthnApi;
 }
 /**
  * @expermental
  */
-export declare type AuthMFAAdminDeleteFactorResponse = RequestResult<{
+export type AuthMFAAdminDeleteFactorResponse = RequestResult<{
     /** ID of the factor that was successfully deleted. */
     id: string;
 }>;
 /**
  * @expermental
  */
-export declare type AuthMFAAdminDeleteFactorParams = {
+export type AuthMFAAdminDeleteFactorParams = {
     /** ID of the MFA factor to delete. */
     id: string;
     /** ID of the user whose factor is being deleted. */
@@ -856,14 +963,14 @@ export declare type AuthMFAAdminDeleteFactorParams = {
 /**
  * @expermental
  */
-export declare type AuthMFAAdminListFactorsResponse = RequestResult<{
+export type AuthMFAAdminListFactorsResponse = RequestResult<{
     /** All factors attached to the user. */
     factors: Factor[];
 }>;
 /**
  * @expermental
  */
-export declare type AuthMFAAdminListFactorsParams = {
+export type AuthMFAAdminListFactorsParams = {
     /** ID of the user. */
     userId: string;
 };
@@ -888,12 +995,12 @@ export interface GoTrueAdminMFAApi {
      */
     deleteFactor(params: AuthMFAAdminDeleteFactorParams): Promise<AuthMFAAdminDeleteFactorResponse>;
 }
-declare type AnyFunction = (...args: any[]) => any;
-declare type MaybePromisify<T> = T | Promise<T>;
-declare type PromisifyMethods<T> = {
+type AnyFunction = (...args: any[]) => any;
+type MaybePromisify<T> = T | Promise<T>;
+type PromisifyMethods<T> = {
     [K in keyof T]: T[K] extends AnyFunction ? (...args: Parameters<T[K]>) => MaybePromisify<ReturnType<T[K]>> : T[K];
 };
-export declare type SupportedStorage = PromisifyMethods<Pick<Storage, 'getItem' | 'setItem' | 'removeItem'>> & {
+export type SupportedStorage = PromisifyMethods<Pick<Storage, 'getItem' | 'setItem' | 'removeItem'>> & {
     /**
      * If set to `true` signals to the library that the storage medium is used
      * on a server and the values may not be authentic, such as reading from
@@ -903,23 +1010,23 @@ export declare type SupportedStorage = PromisifyMethods<Pick<Storage, 'getItem'
      */
     isServer?: boolean;
 };
-export declare type InitializeResult = {
+export type InitializeResult = {
     error: AuthError | null;
 };
-export declare type CallRefreshTokenResult = RequestResult<Session>;
-export declare type Pagination = {
+export type CallRefreshTokenResult = RequestResult<Session>;
+export type Pagination = {
     [key: string]: any;
     nextPage: number | null;
     lastPage: number;
     total: number;
 };
-export declare type PageParams = {
+export type PageParams = {
     /** The page number */
     page?: number;
     /** Number of items returned per page */
     perPage?: number;
 };
-export declare type SignOut = {
+export type SignOut = {
     /**
      * Determines which sessions should be
      * logged out. Global means all
@@ -932,23 +1039,30 @@ export declare type SignOut = {
      */
     scope?: 'global' | 'local' | 'others';
 };
-declare type MFAEnrollParamsBase<T extends FactorType> = {
+type MFAEnrollParamsBase<T extends FactorType> = {
     /** The type of factor being enrolled. */
     factorType: T;
     /** Human readable name assigned to the factor. */
     friendlyName?: string;
 };
-declare type MFAEnrollTOTPParamFields = {
+type MFAEnrollTOTPParamFields = {
     /** Domain which the user is enrolled with. */
     issuer?: string;
 };
-export declare type MFAEnrollTOTPParams = Prettify<MFAEnrollParamsBase<'totp'> & MFAEnrollTOTPParamFields>;
-declare type MFAEnrollPhoneParamFields = {
+export type MFAEnrollTOTPParams = Prettify<MFAEnrollParamsBase<'totp'> & MFAEnrollTOTPParamFields>;
+type MFAEnrollPhoneParamFields = {
     /** Phone number associated with a factor. Number should conform to E.164 format */
     phone: string;
 };
-export declare type MFAEnrollPhoneParams = Prettify<MFAEnrollParamsBase<'phone'> & MFAEnrollPhoneParamFields>;
-declare type AuthMFAEnrollResponseBase<T extends FactorType> = {
+export type MFAEnrollPhoneParams = Prettify<MFAEnrollParamsBase<'phone'> & MFAEnrollPhoneParamFields>;
+type MFAEnrollWebauthnFields = {};
+/**
+ * Parameters for enrolling a WebAuthn factor.
+ * Creates an unverified WebAuthn factor that must be verified with a credential.
+ * @see {@link https://w3c.github.io/webauthn/#sctn-registering-a-new-credential W3C WebAuthn Spec - Registering a New Credential}
+ */
+export type MFAEnrollWebauthnParams = Prettify<MFAEnrollParamsBase<'webauthn'> & MFAEnrollWebauthnFields>;
+type AuthMFAEnrollResponseBase<T extends FactorType> = {
     /** ID of the factor that was just enrolled (in an unverified state). */
     id: string;
     /** Type of MFA factor.*/
@@ -956,7 +1070,7 @@ declare type AuthMFAEnrollResponseBase<T extends FactorType> = {
     /** Friendly name of the factor, useful for distinguishing between factors **/
     friendly_name?: string;
 };
-declare type AuthMFAEnrollTOTPResponseFields = {
+type AuthMFAEnrollTOTPResponseFields = {
     /** TOTP enrollment information. */
     totp: {
         /** Contains a QR code encoding the authenticator URI. You can
@@ -972,18 +1086,25 @@ declare type AuthMFAEnrollTOTPResponseFields = {
         uri: string;
     };
 };
-export declare type AuthMFAEnrollTOTPResponse = RequestResult<Prettify<AuthMFAEnrollResponseBase<'totp'> & AuthMFAEnrollTOTPResponseFields>>;
-declare type AuthMFAEnrollPhoneResponseFields = {
+export type AuthMFAEnrollTOTPResponse = RequestResult<Prettify<AuthMFAEnrollResponseBase<'totp'> & AuthMFAEnrollTOTPResponseFields>>;
+type AuthMFAEnrollPhoneResponseFields = {
     /** Phone number of the MFA factor in E.164 format. Used to send messages  */
     phone: string;
 };
-export declare type AuthMFAEnrollPhoneResponse = RequestResult<Prettify<AuthMFAEnrollResponseBase<'phone'> & AuthMFAEnrollPhoneResponseFields>>;
-export declare type JwtHeader = {
+export type AuthMFAEnrollPhoneResponse = RequestResult<Prettify<AuthMFAEnrollResponseBase<'phone'> & AuthMFAEnrollPhoneResponseFields>>;
+type AuthMFAEnrollWebauthnFields = {};
+/**
+ * Response type for WebAuthn factor enrollment.
+ * Returns the enrolled factor ID and metadata.
+ * @see {@link https://w3c.github.io/webauthn/#sctn-registering-a-new-credential W3C WebAuthn Spec - Registering a New Credential}
+ */
+export type AuthMFAEnrollWebauthnResponse = RequestResult<Prettify<AuthMFAEnrollResponseBase<'webauthn'> & AuthMFAEnrollWebauthnFields>>;
+export type JwtHeader = {
     alg: 'RS256' | 'ES256' | 'HS256';
     kid: string;
     typ: string;
 };
-export declare type RequiredClaims = {
+export type RequiredClaims = {
     iss: string;
     sub: string;
     aud: string | string[];
@@ -993,7 +1114,7 @@ export declare type RequiredClaims = {
     aal: AuthenticatorAssuranceLevels;
     session_id: string;
 };
-export declare type JwtPayload = RequiredClaims & {
+export type JwtPayload = RequiredClaims & {
     [key: string]: any;
 };
 export interface JWK {
@@ -1004,6 +1125,6 @@ export interface JWK {
     [key: string]: any;
 }
 export declare const SIGN_OUT_SCOPES: readonly ["global", "local", "others"];
-export declare type SignOutScope = typeof SIGN_OUT_SCOPES[number];
+export type SignOutScope = (typeof SIGN_OUT_SCOPES)[number];
 export {};
 //# sourceMappingURL=types.d.ts.map