workos 5.27.0__tar.gz → 5.29.0__tar.gz

{workos-5.27.0 → workos-5.29.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: workos
-Version: 5.27.0
+Version: 5.29.0
 Summary: WorkOS Python Client
 Home-page: https://github.com/workos-inc/workos-python
 Author: WorkOS

{workos-5.27.0 → workos-5.29.0}/tests/test_organizations.py

@@ -2,6 +2,7 @@ import datetime
 from typing import Union
 import pytest
 from tests.types.test_auto_pagination_function import TestAutoPaginationFunction
+from tests.utils.fixtures.mock_feature_flag import MockFeatureFlag
 from tests.utils.fixtures.mock_organization import MockOrganization
 from tests.utils.fixtures.mock_role import MockRole
 from tests.utils.list_resource import list_response_of
@@ -77,6 +78,14 @@ class TestOrganizations:
             "object": "list",
         }
 
+    @pytest.fixture
+    def mock_feature_flags(self):
+        return {
+            "data": [MockFeatureFlag(id=f"flag_{str(i)}").dict() for i in range(2)],
+            "object": "list",
+            "list_metadata": {"before": None, "after": None},
+        }
+
     def test_list_organizations(
         self, mock_organizations, capture_and_mock_http_client_request
     ):
@@ -264,3 +273,28 @@ class TestOrganizations:
             list(map(to_dict, organization_roles_response.data))
             == mock_organization_roles["data"]
         )
+
+    def test_list_feature_flags(
+        self, mock_feature_flags, capture_and_mock_http_client_request
+    ):
+        request_kwargs = capture_and_mock_http_client_request(
+            self.http_client, mock_feature_flags, 200
+        )
+
+        feature_flags_response = syncify(
+            self.organizations.list_feature_flags(
+                organization_id="org_01EHT88Z8J8795GZNQ4ZP1J81T"
+            )
+        )
+
+        def to_dict(x):
+            return x.dict()
+
+        assert request_kwargs["method"] == "get"
+        assert request_kwargs["url"].endswith(
+            "/organizations/org_01EHT88Z8J8795GZNQ4ZP1J81T/feature-flags"
+        )
+        assert (
+            list(map(to_dict, feature_flags_response.data))
+            == mock_feature_flags["data"]
+        )

{workos-5.27.0 → workos-5.29.0}/tests/test_session.py

@@ -1,8 +1,11 @@
-import pytest
+import concurrent.futures
+from datetime import datetime, timezone
 from unittest.mock import AsyncMock, Mock, patch
+
 import jwt
-from datetime import datetime, timezone
-import concurrent.futures
+import pytest
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric import rsa
 
 from tests.conftest import with_jwks_mock
 from workos.session import AsyncSession, Session, _get_jwks_client
@@ -16,9 +19,6 @@ from workos.types.user_management.session import (
     RefreshWithSessionCookieSuccessResponse,
 )
 
-from cryptography.hazmat.primitives import serialization
-from cryptography.hazmat.primitives.asymmetric import rsa
-
 
 class SessionFixtures:
     @pytest.fixture(autouse=True)
@@ -48,6 +48,7 @@ class SessionFixtures:
             "sid": "session_123",
             "org_id": "organization_123",
             "role": "admin",
+            "roles": ["admin"],
             "permissions": ["read"],
             "entitlements": ["feature_1"],
             "exp": int(current_datetime.timestamp()) + 3600,
@@ -215,6 +216,7 @@ class TestSessionBase(SessionFixtures):
                     "sid": session_constants["SESSION_ID"],
                     "org_id": session_constants["ORGANIZATION_ID"],
                     "role": "admin",
+                    "roles": ["admin"],
                     "permissions": ["read"],
                     "entitlements": ["feature_1"],
                     "exp": int(datetime.now(timezone.utc).timestamp()) + 3600,
@@ -239,6 +241,7 @@ class TestSessionBase(SessionFixtures):
             "sid": session_constants["SESSION_ID"],
             "org_id": session_constants["ORGANIZATION_ID"],
             "role": "admin",
+            "roles": ["admin"],
             "permissions": ["read"],
             "entitlements": ["feature_1"],
         }
@@ -257,11 +260,80 @@ class TestSessionBase(SessionFixtures):
             assert response.session_id == session_constants["SESSION_ID"]
             assert response.organization_id == session_constants["ORGANIZATION_ID"]
             assert response.role == "admin"
+            assert response.roles == ["admin"]
             assert response.permissions == ["read"]
             assert response.entitlements == ["feature_1"]
             assert response.user.id == session_constants["USER_ID"]
             assert response.impersonator is None
 
+    @with_jwks_mock
+    def test_authenticate_success_with_roles(
+        self, session_constants, mock_user_management
+    ):
+        session = Session(
+            user_management=mock_user_management,
+            client_id=session_constants["CLIENT_ID"],
+            session_data=session_constants["SESSION_DATA"],
+            cookie_password=session_constants["COOKIE_PASSWORD"],
+        )
+
+        # Mock the session data that would be unsealed
+        mock_session = {
+            "access_token": jwt.encode(
+                {
+                    "sid": session_constants["SESSION_ID"],
+                    "org_id": session_constants["ORGANIZATION_ID"],
+                    "role": "admin",
+                    "roles": ["admin", "member"],
+                    "permissions": ["read", "write"],
+                    "entitlements": ["feature_1"],
+                    "exp": int(datetime.now(timezone.utc).timestamp()) + 3600,
+                    "iat": int(datetime.now(timezone.utc).timestamp()),
+                },
+                session_constants["PRIVATE_KEY"],
+                algorithm="RS256",
+            ),
+            "user": {
+                "object": "user",
+                "id": session_constants["USER_ID"],
+                "email": "user@example.com",
+                "email_verified": True,
+                "created_at": session_constants["CURRENT_TIMESTAMP"],
+                "updated_at": session_constants["CURRENT_TIMESTAMP"],
+            },
+            "impersonator": None,
+        }
+
+        # Mock the JWT payload that would be decoded
+        mock_jwt_payload = {
+            "sid": session_constants["SESSION_ID"],
+            "org_id": session_constants["ORGANIZATION_ID"],
+            "role": "admin",
+            "roles": ["admin", "member"],
+            "permissions": ["read", "write"],
+            "entitlements": ["feature_1"],
+        }
+
+        with patch.object(Session, "unseal_data", return_value=mock_session), patch(
+            "jwt.decode", return_value=mock_jwt_payload
+        ), patch.object(
+            session.jwks,
+            "get_signing_key_from_jwt",
+            return_value=Mock(key=session_constants["PUBLIC_KEY"]),
+        ):
+            response = session.authenticate()
+
+            assert isinstance(response, AuthenticateWithSessionCookieSuccessResponse)
+            assert response.authenticated is True
+            assert response.session_id == session_constants["SESSION_ID"]
+            assert response.organization_id == session_constants["ORGANIZATION_ID"]
+            assert response.role == "admin"
+            assert response.roles == ["admin", "member"]
+            assert response.permissions == ["read", "write"]
+            assert response.entitlements == ["feature_1"]
+            assert response.user.id == session_constants["USER_ID"]
+            assert response.impersonator is None
+
     @with_jwks_mock
     def test_refresh_invalid_session_cookie(
         self, session_constants, mock_user_management
@@ -335,6 +407,7 @@ class TestSession(SessionFixtures):
                 "sid": session_constants["SESSION_ID"],
                 "org_id": session_constants["ORGANIZATION_ID"],
                 "role": "admin",
+                "roles": ["admin"],
                 "permissions": ["read"],
                 "entitlements": ["feature_1"],
             },
@@ -435,6 +508,7 @@ class TestAsyncSession(SessionFixtures):
                 "sid": session_constants["SESSION_ID"],
                 "org_id": session_constants["ORGANIZATION_ID"],
                 "role": "admin",
+                "roles": ["admin"],
                 "permissions": ["read"],
                 "entitlements": ["feature_1"],
             },

{workos-5.27.0 → workos-5.29.0}/workos/__about__.py

@@ -12,7 +12,7 @@ __package_name__ = "workos"
 
 __package_url__ = "https://github.com/workos-inc/workos-python"
 
-__version__ = "5.27.0"
+__version__ = "5.29.0"
 
 __author__ = "WorkOS"
 

{workos-5.27.0 → workos-5.29.0}/workos/organizations.py

@@ -1,5 +1,7 @@
 from typing import Optional, Protocol, Sequence
 
+from workos.types.feature_flags import FeatureFlag
+from workos.types.feature_flags.list_filters import FeatureFlagListFilters
 from workos.types.metadata import Metadata
 from workos.types.organizations.domain_data_input import DomainDataInput
 from workos.types.organizations.list_filters import OrganizationListFilters
@@ -24,6 +26,10 @@ OrganizationsListResource = WorkOSListResource[
     Organization, OrganizationListFilters, ListMetadata
 ]
 
+FeatureFlagsListResource = WorkOSListResource[
+    FeatureFlag, FeatureFlagListFilters, ListMetadata
+]
+
 
 class OrganizationsModule(Protocol):
     """Offers methods through the WorkOS Organizations service."""
@@ -128,6 +134,29 @@ class OrganizationsModule(Protocol):
         """
         ...
 
+    def list_feature_flags(
+        self,
+        organization_id: str,
+        *,
+        limit: int = DEFAULT_LIST_RESPONSE_LIMIT,
+        before: Optional[str] = None,
+        after: Optional[str] = None,
+        order: PaginationOrder = "desc",
+    ) -> SyncOrAsync[FeatureFlagsListResource]:
+        """Retrieve a list of feature flags for an organization
+
+        Args:
+            organization_id (str): Organization's unique identifier
+            limit (int): Maximum number of records to return. (Optional)
+            before (str): Pagination cursor to receive records before a provided Feature Flag ID. (Optional)
+            after (str): Pagination cursor to receive records after a provided Feature Flag ID. (Optional)
+            order (Literal["asc","desc"]): Sort records in either ascending or descending (default) order by created_at timestamp. (Optional)
+
+        Returns:
+            FeatureFlagsListResource: Feature flags list response from WorkOS.
+        """
+        ...
+
 
 class Organizations(OrganizationsModule):
     _http_client: SyncHTTPClient
@@ -247,6 +276,34 @@ class Organizations(OrganizationsModule):
 
         return RoleList.model_validate(response)
 
+    def list_feature_flags(
+        self,
+        organization_id: str,
+        *,
+        limit: int = DEFAULT_LIST_RESPONSE_LIMIT,
+        before: Optional[str] = None,
+        after: Optional[str] = None,
+        order: PaginationOrder = "desc",
+    ) -> FeatureFlagsListResource:
+        list_params: FeatureFlagListFilters = {
+            "limit": limit,
+            "before": before,
+            "after": after,
+            "order": order,
+        }
+
+        response = self._http_client.request(
+            f"organizations/{organization_id}/feature-flags",
+            method=REQUEST_METHOD_GET,
+            params=list_params,
+        )
+
+        return WorkOSListResource[FeatureFlag, FeatureFlagListFilters, ListMetadata](
+            list_method=self.list_feature_flags,
+            list_args=list_params,
+            **ListPage[FeatureFlag](**response).model_dump(),
+        )
+
 
 class AsyncOrganizations(OrganizationsModule):
     _http_client: AsyncHTTPClient
@@ -365,3 +422,31 @@ class AsyncOrganizations(OrganizationsModule):
         )
 
         return RoleList.model_validate(response)
+
+    async def list_feature_flags(
+        self,
+        organization_id: str,
+        *,
+        limit: int = DEFAULT_LIST_RESPONSE_LIMIT,
+        before: Optional[str] = None,
+        after: Optional[str] = None,
+        order: PaginationOrder = "desc",
+    ) -> FeatureFlagsListResource:
+        list_params: FeatureFlagListFilters = {
+            "limit": limit,
+            "before": before,
+            "after": after,
+            "order": order,
+        }
+
+        response = await self._http_client.request(
+            f"organizations/{organization_id}/feature-flags",
+            method=REQUEST_METHOD_GET,
+            params=list_params,
+        )
+
+        return WorkOSListResource[FeatureFlag, FeatureFlagListFilters, ListMetadata](
+            list_method=self.list_feature_flags,
+            list_args=list_params,
+            **ListPage[FeatureFlag](**response).model_dump(),
+        )

{workos-5.27.0 → workos-5.29.0}/workos/session.py

@@ -102,6 +102,7 @@ class SessionModule(Protocol):
             session_id=decoded["sid"],
             organization_id=decoded.get("org_id", None),
             role=decoded.get("role", None),
+            roles=decoded.get("roles", None),
             permissions=decoded.get("permissions", None),
             entitlements=decoded.get("entitlements", None),
             user=session["user"],
@@ -229,6 +230,7 @@ class Session(SessionModule):
                 session_id=decoded["sid"],
                 organization_id=decoded.get("org_id", None),
                 role=decoded.get("role", None),
+                roles=decoded.get("roles", None),
                 permissions=decoded.get("permissions", None),
                 entitlements=decoded.get("entitlements", None),
                 user=auth_response.user,
@@ -319,6 +321,7 @@ class AsyncSession(SessionModule):
                 session_id=decoded["sid"],
                 organization_id=decoded.get("org_id", None),
                 role=decoded.get("role", None),
+                roles=decoded.get("roles", None),
                 permissions=decoded.get("permissions", None),
                 entitlements=decoded.get("entitlements", None),
                 user=auth_response.user,

workos-5.29.0/workos/types/feature_flags/__init__.py

@@ -0,0 +1,3 @@
+from workos.types.feature_flags.feature_flag import FeatureFlag
+
+__all__ = ["FeatureFlag"]

workos-5.29.0/workos/types/feature_flags/feature_flag.py

@@ -0,0 +1,12 @@
+from typing import Literal, Optional
+from workos.types.workos_model import WorkOSModel
+
+
+class FeatureFlag(WorkOSModel):
+    id: str
+    object: Literal["feature_flag"]
+    slug: str
+    name: str
+    description: Optional[str]
+    created_at: str
+    updated_at: str

workos-5.29.0/workos/types/feature_flags/list_filters.py

@@ -0,0 +1,5 @@
+from workos.types.list_resource import ListArgs
+
+
+class FeatureFlagListFilters(ListArgs, total=False):
+    pass

{workos-5.27.0 → workos-5.29.0}/workos/types/list_resource.py

@@ -23,6 +23,7 @@ from workos.types.directory_sync import (
     DirectoryUserWithGroups,
 )
 from workos.types.events import Event
+from workos.types.feature_flags import FeatureFlag
 from workos.types.fga import (
     Warrant,
     AuthorizationResource,
@@ -46,6 +47,7 @@ ListableResource = TypeVar(
     DirectoryGroup,
     DirectoryUserWithGroups,
     Event,
+    FeatureFlag,
     Invitation,
     Organization,
     OrganizationMembership,

{workos-5.27.0 → workos-5.29.0}/workos/types/sso/connection.py

@@ -37,6 +37,7 @@ ConnectionType = Literal[
     "PingFederateSAML",
     "PingOneSAML",
     "RipplingSAML",
+    "SalesforceOAuth",
     "SalesforceSAML",
     "ShibbolethGenericSAML",
     "ShibbolethSAML",

{workos-5.27.0 → workos-5.29.0}/workos/types/sso/sso_provider_type.py

@@ -6,4 +6,5 @@ SsoProviderType = Literal[
     "GitHubOAuth",
     "GoogleOAuth",
     "MicrosoftOAuth",
+    "SalesforceOAuth",
 ]

{workos-5.27.0 → workos-5.29.0}/workos/types/user_management/authentication_response.py

@@ -13,6 +13,7 @@ AuthenticationMethod = Literal[
     "GitHubOAuth",
     "GoogleOAuth",
     "MicrosoftOAuth",
+    "SalesforceOAuth",
     "MagicAuth",
     "Impersonation",
 ]

{workos-5.27.0 → workos-5.29.0}/workos/types/user_management/oauth_tokens.py

@@ -7,6 +7,7 @@ OAuthTokensProvidersType = Literal[
     "GitHubOauth",
     "GoogleOauth",
     "MicrosoftOauth",
+    "SalesforceOauth",
 ]
 
 

{workos-5.27.0 → workos-5.29.0}/workos/types/user_management/organization_membership.py

@@ -1,4 +1,4 @@
-from typing import Literal
+from typing import Literal, Sequence, Optional
 from typing_extensions import TypedDict
 
 from workos.types.workos_model import WorkOSModel
@@ -19,6 +19,7 @@ class OrganizationMembership(WorkOSModel):
     user_id: str
     organization_id: str
     role: OrganizationMembershipRole
+    roles: Optional[Sequence[OrganizationMembershipRole]] = None
     status: LiteralOrUntyped[OrganizationMembershipStatus]
     created_at: str
     updated_at: str

{workos-5.27.0 → workos-5.29.0}/workos/types/user_management/session.py

@@ -1,6 +1,8 @@
-from typing import Optional, Sequence, TypedDict, Union
 from enum import Enum
+from typing import Optional, Sequence, TypedDict, Union
+
 from typing_extensions import Literal
+
 from workos.types.user_management.impersonator import Impersonator
 from workos.types.user_management.user import User
 from workos.types.workos_model import WorkOSModel
@@ -17,6 +19,7 @@ class AuthenticateWithSessionCookieSuccessResponse(WorkOSModel):
     session_id: str
     organization_id: Optional[str] = None
     role: Optional[str] = None
+    roles: Optional[Sequence[str]] = None
     permissions: Optional[Sequence[str]] = None
     user: User
     impersonator: Optional[Impersonator] = None

workos-5.29.0/workos/types/user_management/user_management_provider_type.py

@@ -0,0 +1,11 @@
+from typing import Literal
+
+
+UserManagementProviderType = Literal[
+    "authkit",
+    "AppleOAuth",
+    "GitHubOAuth",
+    "GoogleOAuth",
+    "MicrosoftOAuth",
+    "SalesforceOAuth",
+]

{workos-5.27.0 → workos-5.29.0}/workos/types/webhooks/webhook.py

@@ -1,9 +1,9 @@
 from typing import Literal, Union
+
 from pydantic import Field
 from typing_extensions import Annotated
+
 from workos.types.directory_sync import DirectoryGroup
-from workos.types.user_management import OrganizationMembership, User
-from workos.types.webhooks.webhook_model import WebhookModel
 from workos.types.directory_sync.directory_user import DirectoryUser
 from workos.types.events.authentication_payload import (
     AuthenticationEmailVerificationSucceededPayload,
@@ -37,16 +37,18 @@ from workos.types.events.organization_domain_verification_failed_payload import
     OrganizationDomainVerificationFailedPayload,
 )
 from workos.types.events.session_created_payload import SessionCreatedPayload
-from workos.types.organizations.organization_common import OrganizationCommon
 from workos.types.organization_domains import OrganizationDomain
+from workos.types.organizations.organization_common import OrganizationCommon
 from workos.types.roles.role import EventRole
 from workos.types.sso.connection import Connection
+from workos.types.user_management import OrganizationMembership, User
 from workos.types.user_management.email_verification import (
     EmailVerificationCommon,
 )
 from workos.types.user_management.invitation import InvitationCommon
 from workos.types.user_management.magic_auth import MagicAuthCommon
 from workos.types.user_management.password_reset import PasswordResetCommon
+from workos.types.webhooks.webhook_model import WebhookModel
 
 # README
 # When adding a new webhook event type, ensure the new webhook class is
@@ -205,6 +207,18 @@ class OrganizationDomainVerifiedWebhook(WebhookModel[OrganizationDomain]):
     event: Literal["organization_domain.verified"]
 
 
+class OrganizationDomainCreatedWebhook(WebhookModel[OrganizationDomain]):
+    event: Literal["organization_domain.created"]
+
+
+class OrganizationDomainUpdatedWebhook(WebhookModel[OrganizationDomain]):
+    event: Literal["organization_domain.updated"]
+
+
+class OrganizationDomainDeletedWebhook(WebhookModel[OrganizationDomain]):
+    event: Literal["organization_domain.deleted"]
+
+
 class OrganizationMembershipCreatedWebhook(WebhookModel[OrganizationMembership]):
     event: Literal["organization_membership.created"]
 
@@ -286,6 +300,9 @@ Webhook = Annotated[
         OrganizationCreatedWebhook,
         OrganizationDeletedWebhook,
         OrganizationUpdatedWebhook,
+        OrganizationDomainCreatedWebhook,
+        OrganizationDomainDeletedWebhook,
+        OrganizationDomainUpdatedWebhook,
         OrganizationDomainVerificationFailedWebhook,
         OrganizationDomainVerifiedWebhook,
         OrganizationMembershipCreatedWebhook,

{workos-5.27.0 → workos-5.29.0}/workos/user_management.py

@@ -245,15 +245,24 @@ class UserManagementModule(Protocol):
         ...
 
     def create_organization_membership(
-        self, *, user_id: str, organization_id: str, role_slug: Optional[str] = None
+        self,
+        *,
+        user_id: str,
+        organization_id: str,
+        role_slug: Optional[str] = None,
+        role_slugs: Optional[Sequence[str]] = None,
     ) -> SyncOrAsync[OrganizationMembership]:
         """Create a new OrganizationMembership for the given Organization and User.
 
         Kwargs:
-            user_id: The Unique ID of the User.
-            organization_id: The Unique ID of the Organization to which the user belongs to.
-            role_slug: The Unique Slug of the Role to which to grant to this membership.
-                If no slug is passed in, the default role will be granted.(Optional)
+            user_id: The unique ID of the User.
+            organization_id: The unique ID of the Organization to which the user belongs to.
+            role_slug: The unique slug of the role to grant to this membership.(Optional)
+            role_slugs: The unique slugs of the roles to grant to this membership.(Optional)
+
+        Note:
+          role_slug and role_slugs are mutually exclusive. If neither is provided,
+          the user will be assigned the organization's default role.
 
         Returns:
             OrganizationMembership: Created OrganizationMembership response from WorkOS.
@@ -261,14 +270,22 @@ class UserManagementModule(Protocol):
         ...
 
     def update_organization_membership(
-        self, *, organization_membership_id: str, role_slug: Optional[str] = None
+        self,
+        *,
+        organization_membership_id: str,
+        role_slug: Optional[str] = None,
+        role_slugs: Optional[Sequence[str]] = None,
     ) -> SyncOrAsync[OrganizationMembership]:
         """Updates an OrganizationMembership for the given id.
 
         Args:
             organization_membership_id (str):  The unique ID of the Organization Membership.
-            role_slug: The Unique Slug of the Role to which to grant to this membership.
-                If no slug is passed in, it will not be changed (Optional)
+            role_slug: The unique slug of the role to grant to this membership.(Optional)
+            role_slugs: The unique slugs of the roles to grant to this membership.(Optional)
+
+        Note:
+          role_slug and role_slugs are mutually exclusive. If neither is provided,
+          the role(s) of the membership will remain unchanged.
 
         Returns:
             OrganizationMembership: Updated OrganizationMembership response from WorkOS.
@@ -379,7 +396,7 @@ class UserManagementModule(Protocol):
             organization_id (str): The organization_id connection selector is used to initiate SSO for an Organization.
                 The value of this parameter should be a WorkOS Organization ID. (Optional)
             provider (UserManagementProviderType): The provider connection selector is used to initiate SSO using an OAuth-compatible provider.
-                Currently, the supported values for provider are 'authkit', 'AppleOAuth', 'GitHubOAuth, 'GoogleOAuth', and 'MicrosoftOAuth'. (Optional)
+                Currently, the supported values for provider are 'authkit', 'AppleOAuth', 'GitHubOAuth, 'GoogleOAuth', 'MicrosoftOAuth', and 'SalesforceOAuth'. (Optional)
             provider_scopes (Sequence[str]): Can be used to specify additional scopes that will be requested when initiating SSO using an OAuth provider. (Optional)
             domain_hint (str): Can be used to pre-fill the domain field when initiating authentication with Microsoft OAuth,
                 or with a GoogleSAML connection type. (Optional)
@@ -988,12 +1005,18 @@ class UserManagement(UserManagementModule):
         )
 
     def create_organization_membership(
-        self, *, user_id: str, organization_id: str, role_slug: Optional[str] = None
+        self,
+        *,
+        user_id: str,
+        organization_id: str,
+        role_slug: Optional[str] = None,
+        role_slugs: Optional[Sequence[str]] = None,
     ) -> OrganizationMembership:
         json = {
             "user_id": user_id,
             "organization_id": organization_id,
             "role_slug": role_slug,
+            "role_slugs": role_slugs,
         }
 
         response = self._http_client.request(
@@ -1003,10 +1026,15 @@ class UserManagement(UserManagementModule):
         return OrganizationMembership.model_validate(response)
 
     def update_organization_membership(
-        self, *, organization_membership_id: str, role_slug: Optional[str] = None
+        self,
+        *,
+        organization_membership_id: str,
+        role_slug: Optional[str] = None,
+        role_slugs: Optional[Sequence[str]] = None,
     ) -> OrganizationMembership:
         json = {
             "role_slug": role_slug,
+            "role_slugs": role_slugs,
         }
 
         response = self._http_client.request(
@@ -1614,12 +1642,18 @@ class AsyncUserManagement(UserManagementModule):
         )
 
     async def create_organization_membership(
-        self, *, user_id: str, organization_id: str, role_slug: Optional[str] = None
+        self,
+        *,
+        user_id: str,
+        organization_id: str,
+        role_slug: Optional[str] = None,
+        role_slugs: Optional[Sequence[str]] = None,
     ) -> OrganizationMembership:
         json = {
             "user_id": user_id,
             "organization_id": organization_id,
             "role_slug": role_slug,
+            "role_slugs": role_slugs,
         }
 
         response = await self._http_client.request(
@@ -1629,10 +1663,15 @@ class AsyncUserManagement(UserManagementModule):
         return OrganizationMembership.model_validate(response)
 
     async def update_organization_membership(
-        self, *, organization_membership_id: str, role_slug: Optional[str] = None
+        self,
+        *,
+        organization_membership_id: str,
+        role_slug: Optional[str] = None,
+        role_slugs: Optional[Sequence[str]] = None,
     ) -> OrganizationMembership:
         json = {
             "role_slug": role_slug,
+            "role_slugs": role_slugs,
         }
 
         response = await self._http_client.request(