@lap v0.3
# Machine-readable API spec. Each @endpoint block is one API call.
@api Stytch API
@base https://api.stytch.com
@version 1.0.0
@auth Bearer basic
@endpoints 184
@hint download_for_search
@toc connected_apps(8), b2b(97), users(17), sessions(7), rbac(1), crypto_wallets(2), debug(1), fingerprint(1), rules(2), verdict_reasons(2), email(1), idp(2), impersonation(1), m2m(8), magic_links(6), passwords(8), oauth(2), otps(7), projects(1), totps(4), webauthn(6)

@group connected_apps
@endpoint GET /v1/connected_apps/clients/{client_id}
@desc Get
@required {client_id: str # The ID of the Connected App client.}
@returns(200) {request_id: str, connected_app: map{client_id: str, client_name: str, client_description: str, status: str, full_access_allowed: bool, client_type: str, redirect_urls: [str], access_token_expiry_minutes: int(int32), access_token_template_content: str, post_logout_redirect_urls: [str], bypass_consent_for_offline_access: bool, creation_method: str, client_secret_last_four: str, next_client_secret_last_four: str, access_token_custom_audience: str, logo_url: str, client_id_metadata_url: str}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint PUT /v1/connected_apps/clients/{client_id}
@desc Update
@required {client_id: str # The ID of the client.}
@optional {client_name: str # A human-readable name for the client., client_description: str # A human-readable description for the client., redirect_urls: [str] # Array of redirect URI values for use in OAuth Authorization flows., full_access_allowed: bool # Valid for first party clients only. If `true`, an authorization token granted to this Client can be exchanged for a full Stytch session., access_token_expiry_minutes: int(int32) # The number of minutes before the access token expires. The default is 60 minutes., access_token_custom_audience: str # The custom audience for the access token., access_token_template_content: str # The content of the access token custom claims template. The template must be a valid JSON object., post_logout_redirect_urls: [str] # Array of redirect URI values for use in OIDC Logout flows., logo_url: str # The logo URL of the Connected App, if any., bypass_consent_for_offline_access: bool # Valid for first party clients only. If true, the client does not need to request explicit user consent for the `offline_access` scope.}
@returns(200) {request_id: str, connected_app: map{client_id: str, client_name: str, client_description: str, status: str, full_access_allowed: bool, client_type: str, redirect_urls: [str], access_token_expiry_minutes: int(int32), access_token_template_content: str, post_logout_redirect_urls: [str], bypass_consent_for_offline_access: bool, creation_method: str, client_secret_last_four: str, next_client_secret_last_four: str, access_token_custom_audience: str, logo_url: str, client_id_metadata_url: str}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint DELETE /v1/connected_apps/clients/{client_id}
@desc Delete
@required {client_id: str # The ID of the client.}
@returns(200) {request_id: str, client_id: str, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/connected_apps/clients/search
@desc Search
@optional {cursor: str # The `cursor` field allows you to paginate through your results. Each result array is limited to 1000 results. If your query returns more than 1000 results, you will need to paginate the responses using the `cursor`. If you receive a response that includes a non-null `next_cursor` in the `results_metadata` object, repeat the search call with the `next_cursor` value set to the `cursor` field to retrieve the next page of results. Continue to make search calls until the `next_cursor` in the response is null., limit: int(int32) # The number of search results to return per page. The default limit is 100. A maximum of 1000 results can be returned by a single search request. If the total size of your result set is greater than one page size, you must paginate the response. See the `cursor` field.}
@returns(200) {request_id: str, connected_apps: [map], results_metadata: map{total: int(int32), next_cursor: str}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/connected_apps/clients
@desc Create
@required {client_type: str(first_party/first_party_public/third_party/third_party_public)}
@optional {client_name: str # A human-readable name for the client., client_description: str # A human-readable description for the client., redirect_urls: [str] # Array of redirect URI values for use in OAuth Authorization flows., full_access_allowed: bool # Valid for first party clients only. If `true`, an authorization token granted to this Client can be exchanged for a full Stytch session., access_token_expiry_minutes: int(int32) # The number of minutes before the access token expires. The default is 60 minutes., access_token_custom_audience: str # The custom audience for the access token., access_token_template_content: str # The content of the access token custom claims template. The template must be a valid JSON object., post_logout_redirect_urls: [str] # Array of redirect URI values for use in OIDC Logout flows., logo_url: str # The logo URL of the Connected App, if any., bypass_consent_for_offline_access: bool # Valid for first party clients only. If true, the client does not need to request explicit user consent for the `offline_access` scope.}
@returns(200) {request_id: str, connected_app: map{client_id: str, client_name: str, client_description: str, status: str, full_access_allowed: bool, client_type: str, redirect_urls: [str], access_token_expiry_minutes: int(int32), access_token_template_content: str, post_logout_redirect_urls: [str], bypass_consent_for_offline_access: bool, client_secret_last_four: str, next_client_secret_last_four: str, client_secret: str, access_token_custom_audience: str, logo_url: str, client_id_metadata_url: str}, status_code: int(int32)} # Successful response. `connected_app.client_secret` is the full client secret, whereas the Get and Update responses carry only `client_secret_last_four`; treat this response body as credential material and keep it out of logs.
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/connected_apps/clients/{client_id}/secrets/rotate/start
@desc Rotate start
@required {client_id: str # The ID of the client.}
@returns(200) {request_id: str, connected_app: map{client_id: str, client_name: str, client_description: str, status: str, client_secret_last_four: str, full_access_allowed: bool, client_type: str, redirect_urls: [str], next_client_secret: str, access_token_expiry_minutes: int(int32), access_token_template_content: str, post_logout_redirect_urls: [str], bypass_consent_for_offline_access: bool, next_client_secret_last_four: str, access_token_custom_audience: str, logo_url: str, client_id_metadata_url: str}, status_code: int(int32)} # Successful response. `connected_app.next_client_secret` is the full value of the pending secret, whereas the Get response carries only `next_client_secret_last_four`; treat this response body as credential material and keep it out of logs.
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/connected_apps/clients/{client_id}/secrets/rotate/cancel
@desc Rotate cancel
@required {client_id: str # The ID of the client.}
@returns(200) {request_id: str, connected_app: map{client_id: str, client_name: str, client_description: str, status: str, full_access_allowed: bool, client_type: str, redirect_urls: [str], access_token_expiry_minutes: int(int32), access_token_template_content: str, post_logout_redirect_urls: [str], bypass_consent_for_offline_access: bool, creation_method: str, client_secret_last_four: str, next_client_secret_last_four: str, access_token_custom_audience: str, logo_url: str, client_id_metadata_url: str}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/connected_apps/clients/{client_id}/secrets/rotate
@desc Rotate
@required {client_id: str # The ID of the client.}
@returns(200) {request_id: str, connected_app: map{client_id: str, client_name: str, client_description: str, status: str, full_access_allowed: bool, client_type: str, redirect_urls: [str], access_token_expiry_minutes: int(int32), access_token_template_content: str, post_logout_redirect_urls: [str], bypass_consent_for_offline_access: bool, creation_method: str, client_secret_last_four: str, next_client_secret_last_four: str, access_token_custom_audience: str, logo_url: str, client_id_metadata_url: str}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endgroup

@group b2b
@endpoint PUT /v1/b2b/scim/{organization_id}/connection/{connection_id}
@desc Update
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., connection_id: str # The ID of the SCIM connection.}
@optional {X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions., display_name: str # A human-readable display name for the connection., identity_provider: str(generic/okta/microsoft-entra/cyberark/jumpcloud/onelogin/pingfederate/rippling), scim_group_implicit_role_assignments: [map{role_id!: str, group_id!: str, group_name!: str}] # An array of SCIM group implicit role assignments. Each object in the array must contain a `group_id` and a `role_id`.}
@returns(200) {request_id: str, status_code: int(int32), connection: map{organization_id: str, connection_id: str, status: str, display_name: str, identity_provider: str, base_url: str, bearer_token_last_four: str, scim_group_implicit_role_assignments: [map], next_bearer_token_last_four: str, bearer_token_expires_at: str, next_bearer_token_expires_at: str}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint DELETE /v1/b2b/scim/{organization_id}/connection/{connection_id}
@desc Delete
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., connection_id: str # The ID of the SCIM connection.}
@optional {X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions.}
@returns(200) {request_id: str, connection_id: str, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint GET /v1/b2b/scim/{organization_id}/connection/{connection_id}
@desc Get groups
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., connection_id: str # The ID of the SCIM connection.}
@optional {cursor: str, limit: int(int32), X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions.}
@returns(200) {scim_groups: [map], status_code: int(int32), next_cursor: str} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/scim/{organization_id}/connection/{connection_id}/rotate/start
@desc Rotate start
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., connection_id: str # The ID of the SCIM connection.}
@optional {X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions.}
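@returns(200) {request_id: str, status_code: int(int32), connection: map{organization_id: str, connection_id: str, status: str, display_name: str, base_url: str, identity_provider: str, bearer_token_last_four: str, next_bearer_token: str, scim_group_implicit_role_assignments: [map], bearer_token_expires_at: str, next_bearer_token_expires_at: str}} # Successful response. `connection.next_bearer_token` is the full value of the pending SCIM bearer token, whereas the Get response carries only `next_bearer_token_last_four`; treat this response body as credential material and keep it out of logs.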
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/scim/{organization_id}/connection/{connection_id}/rotate/complete
@desc Rotate complete
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., connection_id: str # The ID of the SCIM connection.}
@optional {X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions.}
@returns(200) {request_id: str, status_code: int(int32), connection: map{organization_id: str, connection_id: str, status: str, display_name: str, identity_provider: str, base_url: str, bearer_token_last_four: str, scim_group_implicit_role_assignments: [map], next_bearer_token_last_four: str, bearer_token_expires_at: str, next_bearer_token_expires_at: str}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/scim/{organization_id}/connection/{connection_id}/rotate/cancel
@desc Rotate cancel
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., connection_id: str # The ID of the SCIM connection.}
@optional {X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions.}
@returns(200) {request_id: str, status_code: int(int32), connection: map{organization_id: str, connection_id: str, status: str, display_name: str, identity_provider: str, base_url: str, bearer_token_last_four: str, scim_group_implicit_role_assignments: [map], next_bearer_token_last_four: str, bearer_token_expires_at: str, next_bearer_token_expires_at: str}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/scim/{organization_id}/connection
@desc Create
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.}
@optional {X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions., display_name: str # A human-readable display name for the connection., identity_provider: str(generic/okta/microsoft-entra/cyberark/jumpcloud/onelogin/pingfederate/rippling)}
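@returns(200) {request_id: str, status_code: int(int32), connection: map{organization_id: str, connection_id: str, status: str, display_name: str, identity_provider: str, base_url: str, bearer_token: str, scim_group_implicit_role_assignments: [map], bearer_token_expires_at: str}} # Successful response. `connection.bearer_token` is the full SCIM bearer token, whereas the Get response carries only `bearer_token_last_four`; treat this response body as credential material and keep it out of logs.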
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint GET /v1/b2b/scim/{organization_id}/connection
@desc Get
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.}
@optional {X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions.}
@returns(200) {request_id: str, status_code: int(int32), connection: map{organization_id: str, connection_id: str, status: str, display_name: str, identity_provider: str, base_url: str, bearer_token_last_four: str, scim_group_implicit_role_assignments: [map], next_bearer_token_last_four: str, bearer_token_expires_at: str, next_bearer_token_expires_at: str}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/organizations
@desc Create
@required {organization_name: str # The name of the Organization. Must be between 1 and 128 characters in length.}
@optional {organization_slug: str # The unique URL slug of the Organization. The slug only accepts alphanumeric characters and the following reserved characters: `-` `.` `_` `~`. Must be between 2 and 128 characters in length. Wherever an organization_id is expected in a path or request parameter, you may also use the organization_slug as a convenience., organization_logo_url: str # The image URL of the Organization logo., trusted_metadata: map # An arbitrary JSON object for storing application-specific data or identity-provider-specific data., organization_external_id: str # An identifier that can be used in API calls wherever a organization_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. External IDs must be unique within a project, but may be reused across different projects in the same workspace., sso_jit_provisioning: str # The authentication setting that controls the JIT provisioning of Members when authenticating via SSO. The accepted values are:     `ALL_ALLOWED` – the default setting, new Members will be automatically provisioned upon successful authentication via any of the Organization's `sso_active_connections`.     `RESTRICTED` – only new Members with SSO logins that comply with `sso_jit_provisioning_allowed_connections` can be provisioned upon authentication.     `NOT_ALLOWED` – disable JIT provisioning via SSO., email_allowed_domains: [str] # An array of email domains that allow invites or JIT provisioning for new Members. This list is enforced when either `email_invites` or `email_jit_provisioning` is set to `RESTRICTED`.             Common domains such as `gmail.com` are not allowed. See the [common email domains resource](https://stytch.com/docs/b2b/api/common-email-domains) for the full list., email_jit_provisioning: str # The authentication setting that controls how a new Member can be provisioned by authenticating via Email Magic Link or OAuth. 
The accepted values are:     `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be provisioned upon authentication via Email Magic Link or OAuth.     `NOT_ALLOWED` – the default setting, disables JIT provisioning via Email Magic Link and OAuth., email_invites: str # The authentication setting that controls how a new Member can be invited to an organization by email. The accepted values are:     `ALL_ALLOWED` – any new Member can be invited to join via email.     `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be invited via email.     `NOT_ALLOWED` – disable email invites., auth_methods: str # The setting that controls which authentication methods can be used by Members of an Organization. The accepted values are:     `ALL_ALLOWED` – the default setting which allows all authentication methods to be used.     `RESTRICTED` – only methods that comply with `allowed_auth_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`., allowed_auth_methods: [str] # An array of allowed authentication methods. This list is enforced when `auth_methods` is set to `RESTRICTED`.   The list's accepted values are: `sso`, `magic_link`, `email_otp`, `password`, `google_oauth`, `microsoft_oauth`, `slack_oauth`, `github_oauth`, and `hubspot_oauth`., mfa_policy: str # The setting that controls the MFA policy for all Members in the Organization. The accepted values are:     `REQUIRED_FOR_ALL` – All Members within the Organization will be required to complete MFA every time they wish to log in. However, any active Session that existed prior to this setting change will remain valid.     `OPTIONAL` – The default value. The Organization does not require MFA by default for all Members. 
Members will be required to complete MFA only if their `mfa_enrolled` status is set to true., rbac_email_implicit_role_assignments: [map{domain!: str, role_id!: str}] # Implicit role assignments based off of email domains.   For each domain-Role pair, all Members whose email addresses have the specified email domain will be granted the   associated Role, regardless of their login method. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment)   for more information about role assignment., mfa_methods: str # The setting that controls which MFA methods can be used by Members of an Organization. The accepted values are:     `ALL_ALLOWED` – the default setting which allows all authentication methods to be used.     `RESTRICTED` – only methods that comply with `allowed_mfa_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`., allowed_mfa_methods: [str] # An array of allowed MFA authentication methods. This list is enforced when `mfa_methods` is set to `RESTRICTED`.   The list's accepted values are: `sms_otp` and `totp`., oauth_tenant_jit_provisioning: str # The authentication setting that controls how a new Member can JIT provision into an organization by tenant. The accepted values are:     `RESTRICTED` – only new Members with tenants in `allowed_oauth_tenants` can JIT provision via tenant.     `NOT_ALLOWED` – the default setting, disables JIT provisioning by OAuth Tenant., allowed_oauth_tenants: map # A map of allowed OAuth tenants. If this field is not passed in, the Organization will not allow JIT provisioning by OAuth Tenant. Allowed keys are "slack", "hubspot", and "github"., claimed_email_domains: [str] # A list of email domains that are claimed by the Organization., first_party_connected_apps_allowed_type: str(ALL_ALLOWED/RESTRICTED/NOT_ALLOWED), allowed_first_party_connected_apps: [str] # An array of first party Connected App IDs that are allowed for the Organization. 
Only used when the Organization's `first_party_connected_apps_allowed_type` is `RESTRICTED`., third_party_connected_apps_allowed_type: str(ALL_ALLOWED/RESTRICTED/NOT_ALLOWED), allowed_third_party_connected_apps: [str] # An array of third party Connected App IDs that are allowed for the Organization. Only used when the Organization's `third_party_connected_apps_allowed_type` is `RESTRICTED`.}
@returns(200) {request_id: str, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint GET /v1/b2b/organizations/{organization_id}
@desc Get
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.}
@returns(200) {request_id: str, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint PUT /v1/b2b/organizations/{organization_id}
@desc Update
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.}
@optional {X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions., organization_name: str # The name of the Organization. Must be between 1 and 128 characters in length.  If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.info.name` action on the `stytch.organization` Resource., organization_slug: str # The unique URL slug of the Organization. The slug only accepts alphanumeric characters and the following reserved characters: `-` `.` `_` `~`. Must be between 2 and 128 characters in length. Wherever an organization_id is expected in a path or request parameter, you may also use the organization_slug as a convenience.  If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.info.slug` action on the `stytch.organization` Resource., organization_logo_url: str # The image URL of the Organization logo.  If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.info.logo-url` action on the `stytch.organization` Resource., trusted_metadata: map # An arbitrary JSON object for storing application-specific data or identity-provider-specific data.           If a session header is passed into the request, this field may **not** be passed into the request. You cannot           update trusted metadata when acting as a Member., organization_external_id: str # An identifier that can be used in API calls wherever an organization_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. 
External IDs must be unique within a project, but may be reused across different projects in the same workspace., sso_default_connection_id: str # The default connection used for SSO when there are multiple active connections.  If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.default-sso-connection` action on the `stytch.organization` Resource., sso_jit_provisioning: str # The authentication setting that controls the JIT provisioning of Members when authenticating via SSO. The accepted values are:     `ALL_ALLOWED` – the default setting, new Members will be automatically provisioned upon successful authentication via any of the Organization's `sso_active_connections`.     `RESTRICTED` – only new Members with SSO logins that comply with `sso_jit_provisioning_allowed_connections` can be provisioned upon authentication.     `NOT_ALLOWED` – disable JIT provisioning via SSO.     If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.sso-jit-provisioning` action on the `stytch.organization` Resource., sso_jit_provisioning_allowed_connections: [str] # An array of `connection_id`s that reference [SAML Connection objects](https://stytch.com/docs/b2b/api/saml-connection-object).   Only these connections will be allowed to JIT provision Members via SSO when `sso_jit_provisioning` is set to `RESTRICTED`.  If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.sso-jit-provisioning` action on the `stytch.organization` Resource., email_allowed_domains: [str] # An array of email domains that allow invites or JIT provisioning for new Members. This list is enforced when either `email_invites` or `email_jit_provisioning` is set to `RESTRICTED`.             Common domains such as `gmail.com` are not allowed. 
See the [common email domains resource](https://stytch.com/docs/b2b/api/common-email-domains) for the full list.  If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-domains` action on the `stytch.organization` Resource., email_jit_provisioning: str # The authentication setting that controls how a new Member can be provisioned by authenticating via Email Magic Link or OAuth. The accepted values are:     `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be provisioned upon authentication via Email Magic Link or OAuth.     `NOT_ALLOWED` – the default setting, disables JIT provisioning via Email Magic Link and OAuth.     If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.email-jit-provisioning` action on the `stytch.organization` Resource., email_invites: str # The authentication setting that controls how a new Member can be invited to an organization by email. The accepted values are:     `ALL_ALLOWED` – any new Member can be invited to join via email.     `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be invited via email.     `NOT_ALLOWED` – disable email invites.     If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.email-invites` action on the `stytch.organization` Resource., auth_methods: str # The setting that controls which authentication methods can be used by Members of an Organization. The accepted values are:     `ALL_ALLOWED` – the default setting which allows all authentication methods to be used.     `RESTRICTED` – only methods that comply with `allowed_auth_methods` can be used for authentication. 
This setting does not apply to Members with `is_breakglass` set to `true`.     If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-auth-methods` action on the `stytch.organization` Resource., allowed_auth_methods: [str] # An array of allowed authentication methods. This list is enforced when `auth_methods` is set to `RESTRICTED`.   The list's accepted values are: `sso`, `magic_link`, `email_otp`, `password`, `google_oauth`, `microsoft_oauth`, `slack_oauth`, `github_oauth`, and `hubspot_oauth`.     If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-auth-methods` action on the `stytch.organization` Resource., mfa_policy: str # The setting that controls the MFA policy for all Members in the Organization. The accepted values are:     `REQUIRED_FOR_ALL` – All Members within the Organization will be required to complete MFA every time they wish to log in. However, any active Session that existed prior to this setting change will remain valid.     `OPTIONAL` – The default value. The Organization does not require MFA by default for all Members. Members will be required to complete MFA only if their `mfa_enrolled` status is set to true.     If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.mfa-policy` action on the `stytch.organization` Resource., rbac_email_implicit_role_assignments: [map{domain!: str, role_id!: str}] # Implicit role assignments based off of email domains.   For each domain-Role pair, all Members whose email addresses have the specified email domain will be granted the   associated Role, regardless of their login method. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment)   for more information about role assignment.  
If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.implicit-roles` action on the `stytch.organization` Resource., mfa_methods: str # The setting that controls which MFA methods can be used by Members of an Organization. The accepted values are:     `ALL_ALLOWED` – the default setting which allows all authentication methods to be used.     `RESTRICTED` – only methods that comply with `allowed_mfa_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`.     If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-mfa-methods` action on the `stytch.organization` Resource., allowed_mfa_methods: [str] # An array of allowed MFA authentication methods. This list is enforced when `mfa_methods` is set to `RESTRICTED`.   The list's accepted values are: `sms_otp` and `totp`.     If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-mfa-methods` action on the `stytch.organization` Resource., oauth_tenant_jit_provisioning: str # The authentication setting that controls how a new Member can JIT provision into an organization by tenant. The accepted values are:     `RESTRICTED` – only new Members with tenants in `allowed_oauth_tenants` can JIT provision via tenant.     `NOT_ALLOWED` – the default setting, disables JIT provisioning by OAuth Tenant.     If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.oauth-tenant-jit-provisioning` action on the `stytch.organization` Resource., allowed_oauth_tenants: map # A map of allowed OAuth tenants. If this field is not passed in, the Organization will not allow JIT provisioning by OAuth Tenant. 
Allowed keys are "slack", "hubspot", and "github".  If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-oauth-tenants` action on the `stytch.organization` Resource., claimed_email_domains: [str] # A list of email domains that are claimed by the Organization., first_party_connected_apps_allowed_type: str(ALL_ALLOWED/RESTRICTED/NOT_ALLOWED), allowed_first_party_connected_apps: [str] # An array of first party Connected App IDs that are allowed for the Organization. Only used when the Organization's `first_party_connected_apps_allowed_type` is `RESTRICTED`., third_party_connected_apps_allowed_type: str(ALL_ALLOWED/RESTRICTED/NOT_ALLOWED), allowed_third_party_connected_apps: [str] # An array of third party Connected App IDs that are allowed for the Organization. Only used when the Organization's `third_party_connected_apps_allowed_type` is `RESTRICTED`.}
@returns(200) {request_id: str, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint DELETE /v1/b2b/organizations/{organization_id}
@desc Delete
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.}
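@optional {X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions. Both session headers are optional: when neither is passed the request is presumably authorized by the project credentials alone with no Member permission check, so pass one whenever the deletion is performed on behalf of a Member.}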
@returns(200) {request_id: str, organization_id: str, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/organizations/search
@desc Search
@optional {cursor: str # The `cursor` field allows you to paginate through your results. Each result array is limited to 1000 results. If your query returns more than 1000 results, you will need to paginate the responses using the `cursor`. If you receive a response that includes a non-null `next_cursor` in the `results_metadata` object, repeat the search call with the `next_cursor` value set to the `cursor` field to retrieve the next page of results. Continue to make search calls until the `next_cursor` in the response is null., limit: int(int32) # The number of search results to return per page. The default limit is 100. A maximum of 1000 results can be returned by a single search request. If the total size of your result set is greater than one page size, you must paginate the response. See the `cursor` field., query: map{operator!: str, operands!: [map]}}
@returns(200) {request_id: str, organizations: [map], results_metadata: map{total: int(int32), next_cursor: str}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint GET /v1/b2b/organizations/{organization_id}/metrics
@desc Metrics
@required {organization_id: str}
@returns(200) {request_id: str, member_count: int(int32), status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint GET /v1/b2b/organizations/{organization_id}/connected_apps
@desc Connected Apps
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.}
@optional {X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions.}
@returns(200) {request_id: str, connected_apps: [map], status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint GET /v1/b2b/organizations/{organization_id}/connected_apps/{connected_app_id}
@desc Get Connected App
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., connected_app_id: str # The ID of the Connected App.}
@optional {X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions.}
@returns(200) {connected_app_id: str, name: str, description: str, client_type: str, active_members: [map], status_code: int(int32), logo_url: str} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint DELETE /v1/b2b/organizations/{organization_id}/external_id
@desc Delete External ID
@required {organization_id: str}
@optional {X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions.}
@returns(200) {request_id: str, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint PUT /v1/b2b/organizations/{organization_id}/members/{member_id}
@desc Update
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., member_id: str # Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.}
@optional {X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions., name: str # The name of the Member.  If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.info.name` action on the `stytch.member` Resource. Alternatively, if the Member Session matches the Member associated with the `member_id` passed in the request, the authorization check will also allow a Member Session that has permission to perform the `update.info.name` action on the `stytch.self` Resource., trusted_metadata: map # An arbitrary JSON object for storing application-specific data or identity-provider-specific data.           If a session header is passed into the request, this field may **not** be passed into the request. You cannot           update trusted metadata when acting as a Member., untrusted_metadata: map # An arbitrary JSON object of application-specific data. These fields can be edited directly by the   frontend SDK, and should not be used to store critical information. See the [Metadata resource](https://stytch.com/docs/b2b/api/metadata)   for complete field behavior details.  If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.info.untrusted-metadata` action on the `stytch.member` Resource. 
Alternatively, if the Member Session matches the Member associated with the `member_id` passed in the request, the authorization check will also allow a Member Session that has permission to perform the `update.info.untrusted-metadata` action on the `stytch.self` Resource., is_breakglass: bool # Identifies the Member as a break glass user - someone who has permissions to authenticate into an Organization by bypassing the Organization's settings. A break glass account is typically used for emergency purposes to gain access outside of normal authentication procedures. Refer to the [Organization object](https://stytch.com/docs/b2b/api/organization-object) and its `auth_methods` and `allowed_auth_methods` fields for more details.  If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.is-breakglass` action on the `stytch.member` Resource., mfa_phone_number: str # Sets the Member's phone number. Throws an error if the Member already has a phone number. To change the Member's phone number, use the [Delete member phone number endpoint](https://stytch.com/docs/b2b/api/delete-member-mfa-phone-number) to delete the Member's existing phone number first.  If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.info.mfa-phone` action on the `stytch.member` Resource. Alternatively, if the Member Session matches the Member associated with the `member_id` passed in the request, the authorization check will also allow a Member Session that has permission to perform the `update.info.mfa-phone` action on the `stytch.self` Resource., mfa_enrolled: bool # Sets whether the Member is enrolled in MFA. If true, the Member must complete an MFA step whenever they wish to log in to their Organization. If false, the Member only needs to complete an MFA step if the Organization's MFA policy is set to `REQUIRED_FOR_ALL`.  
If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.mfa-enrolled` action on the `stytch.member` Resource. Alternatively, if the Member Session matches the Member associated with the `member_id` passed in the request, the authorization check will also allow a Member Session that has permission to perform the `update.settings.mfa-enrolled` action on the `stytch.self` Resource., roles: [str] # Roles to explicitly assign to this Member.  Will completely replace any existing explicitly assigned roles. See the  [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role assignment.     If a Role is removed from a Member, and the Member is also implicitly assigned this Role from an SSO connection    or an SSO group, we will by default revoke any existing sessions for the Member that contain any SSO    authentication factors with the affected connection ID. You can preserve these sessions by passing in the    `preserve_existing_sessions` parameter with a value of `true`.  If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.roles` action on the `stytch.member` Resource., preserve_existing_sessions: bool # Whether to preserve existing sessions when explicit Roles that are revoked are also implicitly assigned   by SSO connection or SSO group. Defaults to `false` - that is, existing Member Sessions that contain SSO   authentication factors with the affected SSO connection IDs will be revoked., default_mfa_method: str # The Member's default MFA method. This value is used to determine which secondary MFA method to use in the case of multiple methods registered for a Member. The current possible values are `sms_otp` and `totp`.  
If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.default-mfa-method` action on the `stytch.member` Resource. Alternatively, if the Member Session matches the Member associated with the `member_id` passed in the request, the authorization check will also allow a Member Session that has permission to perform the `update.settings.default-mfa-method` action on the `stytch.self` Resource., email_address: str # Updates the Member's `email_address`, if provided. This will clear any existing passwords and require re-verification of the new email address.         If a Member's email address is changed, other Members in the same Organization cannot use the old email address, although the Member may update back to their old email address.         A Member's email address can only be useable again by other Members if the Member is deleted.  If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.info.email` action on the `stytch.member` Resource. Members cannot update their own email address., external_id: str # An identifier that can be used in most API calls where a `member_id` is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. External IDs must be unique within an organization, but may be reused across different organizations in the same project., unlink_email: bool # If `unlink_email` is `true` and an `email_address` is provided, the Member's previous email will be deleted instead of retired. Defaults to `false`.}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: 
map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint DELETE /v1/b2b/organizations/{organization_id}/members/{member_id}
@desc Delete
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., member_id: str # Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.}
@optional {X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions.}
@returns(200) {request_id: str, member_id: str, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint PUT /v1/b2b/organizations/{organization_id}/members/{member_id}/reactivate
@desc Reactivate
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., member_id: str # Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value.}
@optional {X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions.}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: 
map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint DELETE /v1/b2b/organizations/{organization_id}/members/mfa_phone_numbers/{member_id}
@desc Delete MFA phone number
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., member_id: str # Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.}
@optional {X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions.}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: 
map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint DELETE /v1/b2b/organizations/{organization_id}/members/{member_id}/totp
@desc Delete TOTP
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., member_id: str # Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.}
@optional {X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions.}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: 
map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/organizations/members/search
@desc Search
@required {organization_ids: [str] # An array of organization_ids. At least one value is required.}
@optional {X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions., cursor: str # The `cursor` field allows you to paginate through your results. Each result array is limited to 1000 results. If your query returns more than 1000 results, you will need to paginate the responses using the `cursor`. If you receive a response that includes a non-null `next_cursor` in the `results_metadata` object, repeat the search call with the `next_cursor` value set to the `cursor` field to retrieve the next page of results. Continue to make search calls until the `next_cursor` in the response is null., limit: int(int32) # The number of search results to return per page. The default limit is 100. A maximum of 1000 results can be returned by a single search request. If the total size of your result set is greater than one page size, you must paginate the response. See the `cursor` field., query: map{operator!: str, operands!: [map]}}
@returns(200) {request_id: str, members: [map], results_metadata: map{total: int(int32), next_cursor: str}, organizations: map, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint DELETE /v1/b2b/organizations/{organization_id}/members/passwords/{member_password_id}
@desc Delete password
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., member_password_id: str # Globally unique UUID that identifies a Member's password.}
@optional {X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions.}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: 
map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint GET /v1/b2b/organizations/members/dangerously_get/{member_id}
@desc Dangerously get (looks up a Member by member_id alone; the path takes no organization_id)
@required {member_id: str # Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value.}
@optional {include_deleted: bool}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: 
map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint GET /v1/b2b/organizations/{organization_id}/members/{member_id}/oidc_providers
@desc OIDC providers
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., member_id: str # Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.}
@optional {include_refresh_token: bool}
@returns(200) {request_id: str, registrations: [map], status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/organizations/{organization_id}/members/{member_id}/unlink_retired_email
@desc Unlink retired email
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., member_id: str # Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.}
@optional {X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions., email_id: str # The globally unique UUID of a Member's email., email_address: str # The email address of the Member.}
@returns(200) {request_id: str, member_id: str, organization_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, 
scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/organizations/{organization_id}/members/{member_id}/start_email_update
@desc Start email update
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., member_id: str # Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member., email_address: str # The new email address for the Member.}
@optional {X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions., login_redirect_url: str # The URL that the Member clicks from the login Email Magic Link. This URL should be an endpoint in the backend server that   verifies the request by querying Stytch's authenticate endpoint and finishes the login. If this value is not passed, the default login   redirect URL that you set in your Dashboard is used. If you have not set a default login redirect URL, an error is returned., locale: str(en/es/pt-br/fr), login_template_id: str # Use a custom template for login emails. By default, it will use your default email template. Templates can be added in the [Stytch dashboard](https://stytch.com/dashboard/templates) using our built-in customization options or custom HTML templates with type “Magic Links - Login”., delivery_method: str(EMAIL_MAGIC_LINK/EMAIL_OTP)}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: 
map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint GET /v1/b2b/organizations/{organization_id}/members/{member_id}/connected_apps
@desc Get connected apps
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., member_id: str # Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.}
@optional {X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions.}
@returns(200) {request_id: str, connected_apps: [map], status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint DELETE /v1/b2b/organizations/{organization_id}/members/{member_id}/external_id
@desc Delete external ID
@required {organization_id: str, member_id: str}
@optional {X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions.}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: 
map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/organizations/{organization_id}/members
@desc Create
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., email_address: str # The email address of the Member.}
@optional {X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions., name: str # The name of the Member., trusted_metadata: map # An arbitrary JSON object for storing application-specific data or identity-provider-specific data., untrusted_metadata: map # An arbitrary JSON object of application-specific data. These fields can be edited directly by the   frontend SDK, and should not be used to store critical information. See the [Metadata resource](https://stytch.com/docs/b2b/api/metadata)   for complete field behavior details., create_member_as_pending: bool # Flag for whether or not to save a Member as `pending` or `active` in Stytch. It defaults to false. If true, new Members will be created with status `pending` in Stytch's backend. Their status will remain `pending` and they will continue to receive signup email templates for every Email Magic Link until that Member authenticates and becomes `active`. If false, new Members will be created with status `active`., is_breakglass: bool # Identifies the Member as a break glass user - someone who has permissions to authenticate into an Organization by bypassing the Organization's settings. A break glass account is typically used for emergency purposes to gain access outside of normal authentication procedures. Refer to the [Organization object](https://stytch.com/docs/b2b/api/organization-object) and its `auth_methods` and `allowed_auth_methods` fields for more details., mfa_phone_number: str # The Member's phone number. A Member may only have one phone number. The phone number should be in E.164 format (i.e. +1XXXXXXXXXX)., mfa_enrolled: bool # Sets whether the Member is enrolled in MFA. If true, the Member must complete an MFA step whenever they wish to log in to their Organization. 
If false, the Member only needs to complete an MFA step if the Organization's MFA policy is set to `REQUIRED_FOR_ALL`., roles: [str] # Roles to explicitly assign to this Member. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment)    for more information about role assignment., external_id: str # An identifier that can be used in most API calls where a `member_id` is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. External IDs must be unique within an organization, but may be reused across different organizations in the same project.}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: 
map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint GET /v1/b2b/organizations/{organization_id}/member
@desc Get
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.}
@optional {member_id: str, email_address: str}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint GET /v1/b2b/organizations/{organization_id}/members/{member_id}/oauth_providers/google
@desc Google
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., member_id: str # Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.}
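@optional {include_refresh_token: bool # When `true`, the response also includes the `refresh_token` Stytch has stored for this OAuth provider. The refresh token is a long-lived credential for the Member's provider account, so request it only when the caller needs it and keep it out of logs and client-side storage.}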
@returns(200) {request_id: str, provider_type: str, provider_subject: str, id_token: str, scopes: [str], status_code: int(int32), access_token: str, access_token_expires_in: int(int32), refresh_token: str} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint GET /v1/b2b/organizations/{organization_id}/members/{member_id}/oauth_providers/microsoft
@desc Microsoft
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., member_id: str # Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.}
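@optional {include_refresh_token: bool # When `true`, the response also includes the `refresh_token` Stytch has stored for this OAuth provider. The refresh token is a long-lived credential for the Member's provider account, so request it only when the caller needs it and keep it out of logs and client-side storage.}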
@returns(200) {request_id: str, provider_type: str, provider_subject: str, access_token: str, access_token_expires_in: int(int32), id_token: str, scopes: [str], status_code: int(int32), refresh_token: str} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint GET /v1/b2b/organizations/{organization_id}/members/{member_id}/oauth_providers/slack
@desc Slack
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., member_id: str # Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.}
@returns(200) {request_id: str, provider_type: str, registrations: [map], status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint GET /v1/b2b/organizations/{organization_id}/members/{member_id}/oauth_providers/hubspot
@desc Hubspot
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., member_id: str # Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.}
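@optional {include_refresh_token: bool # When `true`, the response also returns any refresh token Stytch has stored for this OAuth provider. Treat it as a long-lived credential and request it only when the caller needs it.}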
@returns(200) {request_id: str, provider_type: str, registrations: [map], status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint GET /v1/b2b/organizations/{organization_id}/members/{member_id}/oauth_providers/github
@desc Github
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., member_id: str # Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.}
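@optional {include_refresh_token: bool # When `true`, the response also returns any refresh token Stytch has stored for this OAuth provider. Treat it as a long-lived credential and request it only when the caller needs it.}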
@returns(200) {request_id: str, provider_type: str, registrations: [map], status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/organizations/{organization_id}/members/{member_id}/connected_apps/{connected_app_id}/revoke
@desc Revoke
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., member_id: str # Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member., connected_app_id: str # The ID of the Connected App.}
@optional {X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions.}
@returns(200) {request_id: str, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/idp/oauth/authorize/start
@desc Authorizestart
@required {client_id: str # The ID of the Connected App client., redirect_uri: str # The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow.  This field is required when using the `authorization_code` grant., response_type: str # The OAuth 2.0 response type. For authorization code flows this value is `code`., scopes: [str] # An array of scopes requested by the client.}
@optional {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., member_id: str # Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member., session_token: str # A secret token for a given Stytch Session., session_jwt: str # The JSON Web Token (JWT) for a given Stytch Session., prompt: str # Space separated list that specifies how the Authorization Server should prompt the user for reauthentication and consent. Only `consent` is supported today.}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, client: map{client_id: str, client_name: str, client_description: str, client_type: str, logo_url: str}, consent_required: bool, scope_results: [map], status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/idp/oauth/authorize
@desc Authorize
@required {consent_granted: bool # Indicates whether the user granted the requested scopes., scopes: [str] # An array of scopes requested by the client., client_id: str # The ID of the Connected App client., redirect_uri: str # The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow.  This field is required when using the `authorization_code` grant., response_type: str # The OAuth 2.0 response type. For authorization code flows this value is `code`.}
@optional {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., member_id: str # Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member., session_token: str # A secret token for a given Stytch Session., session_jwt: str # The JSON Web Token (JWT) for a given Stytch Session., prompt: str # Space separated list that specifies how the Authorization Server should prompt the user for reauthentication and consent. Only `consent` is supported today., state: str # An opaque value used to maintain state between the request and callback., nonce: str # A string used to associate a client session with an ID token to mitigate replay attacks., code_challenge: str # A base64url encoded challenge derived from the code verifier for PKCE flows., resources: [str]}
@returns(200) {request_id: str, redirect_uri: str, status_code: int(int32), authorization_code: str} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endgroup

@group users
@endpoint POST /v1/users
@desc Create
@optional {email: str # The email address of the end user., name: map{first_name: str, middle_name: str, last_name: str}, attributes: map{ip_address: str, user_agent: str}, phone_number: str # The phone number to use for one-time passcodes. The phone number should be in E.164 format (e.g. +1XXXXXXXXXX). You may use +10000000000 to test this endpoint; see [Testing](https://stytch.com/docs/home#resources_testing) for more detail., create_user_as_pending: bool # Flag for whether or not to save a user as pending vs active in Stytch. Defaults to false. If true, users will be saved with status pending in Stytch's backend until authenticated. If false, users will be created as active. An example usage of a true flag would be to require users to verify their phone by entering the OTP code before creating an account for them., trusted_metadata: map # The `trusted_metadata` field contains an arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details., untrusted_metadata: map # The `untrusted_metadata` field contains an arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details., external_id: str # An identifier that can be used in API calls wherever a user_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters., roles: [str] # Roles to explicitly assign to this User. See the [RBAC guide](https://stytch.com/docs/guides/rbac/role-assignment) for more information about role assignment.}
@returns(200) {request_id: str, user_id: str, email_id: str, status: str, phone_id: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint GET /v1/users/{user_id}
@desc Get
@required {user_id: str # The unique ID of a specific User. You may use an `external_id` here if one is set for the user.}
@returns(200) {request_id: str, user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], status_code: int(int32), name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint PUT /v1/users/{user_id}
@desc Update
@required {user_id: str # The unique ID of a specific User. You may use an `external_id` here if one is set for the user.}
@optional {name: map{first_name: str, middle_name: str, last_name: str}, attributes: map{ip_address: str, user_agent: str}, trusted_metadata: map # The `trusted_metadata` field contains an arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details., untrusted_metadata: map # The `untrusted_metadata` field contains an arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details., external_id: str # An identifier that can be used in API calls wherever a user_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters., roles: [str] # Roles to explicitly assign to this User.    See the [RBAC guide](https://stytch.com/docs/guides/rbac/role-assignment) for more information about role assignment.}
@returns(200) {request_id: str, user_id: str, emails: [map], phone_numbers: [map], crypto_wallets: [map], user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint DELETE /v1/users/{user_id}
@desc Delete
@required {user_id: str # The unique ID of a specific User. You may use an `external_id` here if one is set for the user.}
@returns(200) {request_id: str, user_id: str, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/users/search
@desc Search
@optional {cursor: str # The `cursor` field allows you to paginate through your results. Each result array is limited to 1000 results. If your query returns more than 1000 results, you will need to paginate the responses using the `cursor`. If you receive a response that includes a non-null `next_cursor` in the `results_metadata` object, repeat the search call with the `next_cursor` value set to the `cursor` field to retrieve the next page of results. Continue to make search calls until the `next_cursor` in the response is null., limit: int(int32) # The number of search results to return per page. The default limit is 100. A maximum of 1000 results can be returned by a single search request. If the total size of your result set is greater than one page size, you must paginate the response. See the `cursor` field., query: map{operator!: str, operands!: [map]}}
@returns(200) {request_id: str, results: [map], results_metadata: map{total: int(int32), next_cursor: str}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint PUT /v1/users/{user_id}/exchange_primary_factor
@desc Exchangeprimaryfactor
@required {user_id: str # The unique ID of a specific User. You may use an `external_id` here if one is set for the user.}
@optional {email_address: str # The email address to exchange to., phone_number: str # The phone number to exchange to. The phone number should be in E.164 format (i.e. +1XXXXXXXXXX).}
@returns(200) {request_id: str, user_id: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint DELETE /v1/users/emails/{email_id}
@desc Deleteemail
@required {email_id: str # The `email_id` to be deleted.}
@returns(200) {request_id: str, user_id: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint DELETE /v1/users/phone_numbers/{phone_id}
@desc Deletephonenumber
@required {phone_id: str # The `phone_id` to be deleted.}
@returns(200) {request_id: str, user_id: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint DELETE /v1/users/webauthn_registrations/{webauthn_registration_id}
@desc Deletewebauthnregistration
@required {webauthn_registration_id: str # The `webauthn_registration_id` to be deleted.}
@returns(200) {request_id: str, user_id: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint DELETE /v1/users/biometric_registrations/{biometric_registration_id}
@desc Deletebiometricregistration
@required {biometric_registration_id: str # The `biometric_registration_id` to be deleted.}
@returns(200) {request_id: str, user_id: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint DELETE /v1/users/totps/{totp_id}
@desc Deletetotp
@required {totp_id: str # The `totp_id` to be deleted.}
@returns(200) {request_id: str, user_id: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint DELETE /v1/users/crypto_wallets/{crypto_wallet_id}
@desc Deletecryptowallet
@required {crypto_wallet_id: str # The `crypto_wallet_id` to be deleted.}
@returns(200) {request_id: str, user_id: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint DELETE /v1/users/passwords/{password_id}
@desc Deletepassword
@required {password_id: str # The `password_id` to be deleted.}
@returns(200) {request_id: str, user_id: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint DELETE /v1/users/oauth/{oauth_user_registration_id}
@desc Deleteoauthregistration
@required {oauth_user_registration_id: str # The `oauth_user_registration_id` to be deleted.}
@returns(200) {request_id: str, user_id: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint DELETE /v1/users/{user_id}/external_id
@desc Deleteexternalid
@required {user_id: str # The unique ID of a specific User.}
@returns(200) {request_id: str, user_id: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint GET /v1/users/{user_id}/connected_apps
@desc Connectedapps
@required {user_id: str # The unique ID of a specific User. You may use an `external_id` here if one is set for the user.}
@returns(200) {request_id: str, connected_apps: [map], status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/users/{user_id}/connected_apps/{connected_app_id}/revoke
@desc Revoke
@required {user_id: str # The unique ID of a specific User. You may use an `external_id` here if one is set for the user., connected_app_id: str # The ID of the Connected App.}
@returns(200) {request_id: str, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endgroup

@group sessions
@endpoint GET /v1/sessions
@desc Get
@required {user_id: str # The `user_id` to get Sessions for.}
@returns(200) {request_id: str, sessions: [map], status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/sessions/authenticate
@desc Authenticate
@optional {session_token: str # The session token to authenticate., session_duration_minutes: int(int32) # Set the session lifetime to be this many minutes from now; minimum of 5 and a maximum of 527040 minutes (366 days). Note that a successful authentication will continue to extend the session this many minutes., session_jwt: str # The JWT to authenticate. You may provide a JWT that has expired according to its `exp` claim and needs to be refreshed. If the signature is valid and the underlying session is still active then Stytch will return a new JWT., session_custom_claims: map # Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value.    Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes., authorization_check: map{resource_id!: str, action!: str}}
@returns(200) {request_id: str, session: map{session_id: str, user_id: str, authentication_factors: [map], roles: [str], started_at: str, last_accessed_at: str, expires_at: str, attributes: map{ip_address: str, user_agent: str}, custom_claims: map}, session_token: str, session_jwt: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32), verdict: map{authorized: bool, granting_roles: [str]}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/sessions/revoke
@desc Revoke
@optional {session_id: str # The `session_id` to revoke., session_token: str # The session token to revoke., session_jwt: str # A JWT for the session to revoke.}
@returns(200) {request_id: str, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/sessions/migrate
@desc Migrate
@required {session_token: str # The authorization token Stytch will pass in to the external userinfo endpoint.}
@optional {session_duration_minutes: int(int32) # Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of   five minutes regardless of the underlying session duration, and will need to be refreshed over time.    This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).    If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes.    If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created., session_custom_claims: map # Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value.    Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes., telemetry_id: str # If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature.}
@returns(200) {request_id: str, user_id: str, session_token: str, session_jwt: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32), session: map{session_id: str, user_id: str, authentication_factors: [map], roles: [str], started_at: str, last_accessed_at: str, expires_at: str, attributes: map{ip_address: str, user_agent: str}, custom_claims: map}, user_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/sessions/exchange_access_token
@desc Exchange access token
@required {access_token: str # The access token to exchange for a Stytch Session. Must be granted the `full_access` scope.}
@optional {session_duration_minutes: int(int32) # Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of   five minutes regardless of the underlying session duration, and will need to be refreshed over time.    This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).    If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes.    If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created., session_custom_claims: map # Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value.    Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes., telemetry_id: str # If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature.}
@returns(200) {request_id: str, user_id: str, session_token: str, session_jwt: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32), session: map{session_id: str, user_id: str, authentication_factors: [map], roles: [str], started_at: str, last_accessed_at: str, expires_at: str, attributes: map{ip_address: str, user_agent: str}, custom_claims: map}, user_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint GET /v1/sessions/jwks/{project_id}
@desc Get JWKS
@required {project_id: str # The `project_id` to get the JWKS for.}
@returns(200) {keys: [map], request_id: str, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/sessions/attest
@desc Attest
@required {profile_id: str # The ID of the trusted auth token profile to use for attestation., token: str # The trusted auth token to authenticate.}
@optional {session_duration_minutes: int(int32) # Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of   five minutes regardless of the underlying session duration, and will need to be refreshed over time.    This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).    If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes.    If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created., session_custom_claims: map # Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value.    Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes., session_token: str # The `session_token` for the session that you wish to add the trusted auth token authentication factor to., session_jwt: str # The `session_jwt` for the session that you wish to add the trusted auth token authentication factor to., telemetry_id: str # If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature.}
@returns(200) {request_id: str, user_id: str, session_token: str, session_jwt: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32), session: map{session_id: str, user_id: str, authentication_factors: [map], roles: [str], started_at: str, last_accessed_at: str, expires_at: str, attributes: map{ip_address: str, user_agent: str}, custom_claims: map}, user_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endgroup

@group b2b
@endpoint GET /v1/b2b/sessions
@desc Get
@required {organization_id: str, member_id: str}
@returns(200) {request_id: str, member_sessions: [map], status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/sessions/authenticate
@desc Authenticate
@optional {session_token: str # A secret token for a given Stytch Session., session_duration_minutes: int(int32) # Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of   five minutes regardless of the underlying session duration, and will need to be refreshed over time.    This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).    If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes.    If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want   to use the Stytch session product, you can ignore the session fields in the response., session_jwt: str # The JSON Web Token (JWT) for a given Stytch Session., session_custom_claims: map # Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in   `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To   delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored.   Total custom claims size cannot exceed four kilobytes., authorization_check: map{organization_id!: str, resource_id!: str, action!: str}}
@returns(200) {request_id: str, member_session: map{member_session_id: str, member_id: str, started_at: str, last_accessed_at: str, expires_at: str, authentication_factors: [map], organization_id: str, roles: [str], organization_slug: str, custom_claims: map}, session_token: str, session_jwt: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], 
third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32), verdict: map{authorized: bool, granting_roles: [str]}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/sessions/revoke
@desc Revoke
@optional {X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions., member_session_id: str # Globally unique UUID that identifies a specific Session in the Stytch API. The `member_session_id` is critical to perform operations on a Session, so be sure to preserve this value., session_token: str # A secret token for a given Stytch Session., session_jwt: str # The JSON Web Token (JWT) for a given Stytch Session., member_id: str # Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value.}
@returns(200) {request_id: str, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/sessions/exchange
@desc Exchange
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.}
@optional {session_token: str # The `session_token` belonging to the member that you wish to associate the email with., session_jwt: str # The `session_jwt` belonging to the member that you wish to associate the email with., session_duration_minutes: int(int32) # Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of   five minutes regardless of the underlying session duration, and will need to be refreshed over time.    This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).    If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes.    If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want   to use the Stytch session product, you can ignore the session fields in the response., session_custom_claims: map # Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in   `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To   delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored.   Total custom claims size cannot exceed four kilobytes., locale: str(en/es/pt-br/fr/it/de-DE/zh-Hans/ca-ES), telemetry_id: str # If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature.}
@returns(200) {request_id: str, member_id: str, session_token: str, session_jwt: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, 
scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, member_authenticated: bool, intermediate_session_token: str, status_code: int(int32), member_session: map{member_session_id: str, member_id: str, started_at: str, last_accessed_at: str, expires_at: str, authentication_factors: [map], organization_id: str, roles: [str], organization_slug: str, custom_claims: map}, mfa_required: map{member_options: map{mfa_phone_number: str, totp_registration_id: str}, secondary_auth_initiated: str}, primary_required: map{allowed_auth_methods: [str]}, member_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/sessions/exchange_access_token
@desc Exchange access token
@required {access_token: str # The access token to exchange for a Stytch Session. Must be granted the `full_access` scope.}
@optional {session_duration_minutes: int(int32) # Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of   five minutes regardless of the underlying session duration, and will need to be refreshed over time.    This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).    If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes.    If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want   to use the Stytch session product, you can ignore the session fields in the response., session_custom_claims: map # Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in   `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To   delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored.   Total custom claims size cannot exceed four kilobytes., telemetry_id: str # If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature.}
@returns(200) {request_id: str, member_id: str, session_token: str, session_jwt: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, 
scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32), member_session: map{member_session_id: str, member_id: str, started_at: str, last_accessed_at: str, expires_at: str, authentication_factors: [map], organization_id: str, roles: [str], organization_slug: str, custom_claims: map}, member_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/sessions/attest
@desc Attest
@required {profile_id: str # The ID of the trusted auth token profile to use for attestation., token: str # The trusted auth token to authenticate. The token must have an organization ID claim if JIT provisioning is enabled.}
@optional {organization_id: str # The organization ID that the session should be authenticated in. Must be provided if the trusted auth token does not have an organization ID claim., session_duration_minutes: int(int32) # Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of   five minutes regardless of the underlying session duration, and will need to be refreshed over time.    This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).    If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes.    If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want   to use the Stytch session product, you can ignore the session fields in the response., session_custom_claims: map # Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in   `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To   delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored.   
Total custom claims size cannot exceed four kilobytes., session_token: str # The `session_token` for the session that you wish to add the trusted auth token authentication factor to., session_jwt: str # The `session_jwt` for the session that you wish to add the trusted auth token authentication factor to., telemetry_id: str # If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature.}
@returns(200) {request_id: str, member_id: str, member_session: map{member_session_id: str, member_id: str, started_at: str, last_accessed_at: str, expires_at: str, authentication_factors: [map], organization_id: str, roles: [str], organization_slug: str, custom_claims: map}, session_token: str, session_jwt: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], 
third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32), member_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/sessions/migrate
@desc Migrate
@required {session_token: str # The authorization token Stytch will pass in to the external userinfo endpoint., organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.}
@optional {session_duration_minutes: int(int32) # Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of   five minutes regardless of the underlying session duration, and will need to be refreshed over time.    This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).    If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes.    If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want   to use the Stytch session product, you can ignore the session fields in the response., session_custom_claims: map # Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in   `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To   delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored.   Total custom claims size cannot exceed four kilobytes.}
@returns(200) {request_id: str, member_id: str, session_token: str, session_jwt: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, 
scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32), member_session: map{member_session_id: str, member_id: str, started_at: str, last_accessed_at: str, expires_at: str, authentication_factors: [map], organization_id: str, roles: [str], organization_slug: str, custom_claims: map}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint GET /v1/b2b/sessions/jwks/{project_id}
@desc Getjwks
@required {project_id: str # The `project_id` to get the JWKS for.}
@returns(200) {keys: [map], request_id: str, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/impersonation/authenticate
@desc Authenticate
@required {impersonation_token: str # The Member Impersonation token to authenticate. Expires in 5 minutes by default.}
@returns(200) {request_id: str, member_id: str, organization_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, session_token: str, session_jwt: str, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, 
sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, intermediate_session_token: str, member_authenticated: bool, status_code: int(int32), member_session: map{member_session_id: str, member_id: str, started_at: str, last_accessed_at: str, expires_at: str, authentication_factors: [map], organization_id: str, roles: [str], organization_slug: str, custom_claims: map}, mfa_required: map{member_options: map{mfa_phone_number: str, totp_registration_id: str}, secondary_auth_initiated: str}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint GET /v1/b2b/rbac/policy
@desc Policy
@returns(200) {request_id: str, status_code: int(int32), policy: map{roles: [map], resources: [map], scopes: [map]}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint GET /v1/b2b/rbac/organizations/{organization_id}
@desc Getorgpolicy
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.}
@returns(200) {request_id: str, org_policy: map{roles: [map]}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint PUT /v1/b2b/rbac/organizations/{organization_id}
@desc Setorgpolicy
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., org_policy: map{roles!: [map]}}
@returns(200) {request_id: str, org_policy: map{roles: [map]}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/recovery_codes/recover
@desc Recover
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., member_id: str # Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member., recovery_code: str # The recovery code generated by a secondary MFA method. This code is used as a backup to authenticate in place of the secondary MFA method.}
@optional {intermediate_session_token: str # The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes., session_token: str # A secret token for a given Stytch Session., session_jwt: str # The JSON Web Token (JWT) for a given Stytch Session., session_duration_minutes: int(int32) # Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of   five minutes regardless of the underlying session duration, and will need to be refreshed over time.    This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).    If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes.    If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. 
If you don't want   to use the Stytch session product, you can ignore the session fields in the response., session_custom_claims: map # Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in   `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To   delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored.   Total custom claims size cannot exceed four kilobytes., telemetry_id: str # If the `telemetry_id` is passed as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature.}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: 
map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, session_token: str, session_jwt: str, recovery_codes_remaining: int(int32), status_code: int(int32), member_session: map{member_session_id: str, member_id: str, started_at: str, last_accessed_at: str, expires_at: str, authentication_factors: [map], organization_id: str, roles: [str], organization_slug: str, custom_claims: map}, member_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint GET /v1/b2b/recovery_codes/{organization_id}/{member_id}
@desc Get
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., member_id: str # Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: 
map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, recovery_codes: [str], status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/recovery_codes/rotate
@desc Rotate
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., member_id: str # Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: 
map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, recovery_codes: [str], status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/totp
@desc Create
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., member_id: str # Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.}
@optional {expiration_minutes: int(int32) # The expiration for the TOTP registration. If the newly created TOTP registration is not authenticated within this time frame the member will have to restart the registration flow. Defaults to 60 (1 hour) with a minimum of 5 and a maximum of 1440., intermediate_session_token: str # The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes., session_token: str # A secret token for a given Stytch Session., session_jwt: str # The JSON Web Token (JWT) for a given Stytch Session.}
@returns(200) {request_id: str, member_id: str, totp_registration_id: str, secret: str, qr_code: str, recovery_codes: [str], member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: 
str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/totp/authenticate
@desc Authenticate
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., member_id: str # Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member., code: str # The code to authenticate.}
@optional {intermediate_session_token: str # The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes., session_token: str # A secret token for a given Stytch Session., session_jwt: str # The JSON Web Token (JWT) for a given Stytch Session., session_duration_minutes: int(int32) # Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of   five minutes regardless of the underlying session duration, and will need to be refreshed over time.    This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).    If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes.    If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. 
If you don't want   to use the Stytch session product, you can ignore the session fields in the response., session_custom_claims: map # Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in   `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To   delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored.   Total custom claims size cannot exceed four kilobytes., set_mfa_enrollment: str # Optionally sets the Member’s MFA enrollment status upon a successful authentication. If the Organization’s MFA policy is `REQUIRED_FOR_ALL`, this field will be ignored. If this field is not passed in, the Member’s `mfa_enrolled` boolean will not be affected. The options are:     `enroll` – sets the Member's `mfa_enrolled` boolean to `true`. The Member will be required to complete an MFA step upon subsequent logins to the Organization.     `unenroll` –  sets the Member's `mfa_enrolled` boolean to `false`. The Member will no longer be required to complete MFA steps when logging in to the Organization., set_default_mfa: bool # If passed, sets the method being authenticated as the Member's default MFA method. Completing an MFA authentication flow for the first time for a Member will implicitly set that method as the default MFA method. This option can be used to update the default MFA method if multiple methods are being used., telemetry_id: str # If the `telemetry_id` is passed as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature.}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: 
map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, session_token: str, session_jwt: str, status_code: int(int32), member_session: map{member_session_id: str, member_id: str, started_at: str, last_accessed_at: str, expires_at: str, authentication_factors: [map], organization_id: str, roles: [str], organization_slug: str, custom_claims: map}, member_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/totp/migrate
@desc Migrate
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., member_id: str # Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member., secret: str # The TOTP secret key shared between the authenticator app and the server used to generate TOTP codes., recovery_codes: [str] # An existing set of recovery codes to be imported into Stytch to be used to authenticate in place of the secondary MFA method.}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: 
map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, totp_registration_id: str, recovery_codes: [str], status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endgroup

@group rbac
@endpoint GET /v1/rbac/policy
@desc Policy
@returns(200) {request_id: str, status_code: int(int32), policy: map{roles: [map], resources: [map], scopes: [map]}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endgroup

@group crypto_wallets
@endpoint POST /v1/crypto_wallets/authenticate/start
@desc Authenticate start
@required {crypto_wallet_type: str # The type of wallet to authenticate. Currently `ethereum` and `solana` are supported. Wallets for any EVM-compatible chains (such as Polygon or BSC) are also supported and are grouped under the `ethereum` type., crypto_wallet_address: str # The crypto wallet address to authenticate.}
@optional {user_id: str # The unique ID of a specific User. You may use an `external_id` here if one is set for the user., session_token: str # The `session_token` associated with a User's existing Session., session_jwt: str # The `session_jwt` associated with a User's existing Session., siwe_params: map{domain!: str, uri!: str, resources!: [str], chain_id: str, statement: str, issued_at: str, not_before: str, message_request_id: str}}
@returns(200) {request_id: str, user_id: str, challenge: str, user_created: bool, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/crypto_wallets/authenticate
@desc Authenticate
@required {crypto_wallet_type: str # The type of wallet to authenticate. Currently `ethereum` and `solana` are supported. Wallets for any EVM-compatible chains (such as Polygon or BSC) are also supported and are grouped under the `ethereum` type., crypto_wallet_address: str # The crypto wallet address to authenticate., signature: str # The signature from the message challenge.}
@optional {session_token: str # The `session_token` associated with a User's existing Session., session_duration_minutes: int(int32) # Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of   five minutes regardless of the underlying session duration, and will need to be refreshed over time.    This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).    If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes.    If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created., session_jwt: str # The `session_jwt` associated with a User's existing Session., session_custom_claims: map # Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value.    Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes., telemetry_id: str # If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature.}
@returns(200) {request_id: str, user_id: str, session_token: str, session_jwt: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32), session: map{session_id: str, user_id: str, authentication_factors: [map], roles: [str], started_at: str, last_accessed_at: str, expires_at: str, attributes: map{ip_address: str, user_agent: str}, custom_claims: map}, siwe_params: map{domain: str, uri: str, chain_id: str, resources: [str], status_code: int(int32), issued_at: str, message_request_id: str}, user_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endgroup

@group debug
@endpoint GET /v1/debug/whoami
@desc Whoami
@returns(200) {request_id: str, project_id: str, name: str, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endgroup

@group b2b
@endpoint POST /v1/b2b/discovery/intermediate_sessions/exchange
@desc Exchange
@required {intermediate_session_token: str # The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes., organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.}
@optional {session_duration_minutes: int(int32) # Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of   five minutes regardless of the underlying session duration, and will need to be refreshed over time.    This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).    If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes.    If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want   to use the Stytch session product, you can ignore the session fields in the response., session_custom_claims: map # Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in   `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To   delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored.   Total custom claims size cannot exceed four kilobytes., locale: str(en/es/pt-br/fr/it/de-DE/zh-Hans/ca-ES), telemetry_id: str # If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature.}
@returns(200) {request_id: str, member_id: str, session_token: str, session_jwt: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, 
scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, member_authenticated: bool, intermediate_session_token: str, status_code: int(int32), member_session: map{member_session_id: str, member_id: str, started_at: str, last_accessed_at: str, expires_at: str, authentication_factors: [map], organization_id: str, roles: [str], organization_slug: str, custom_claims: map}, mfa_required: map{member_options: map{mfa_phone_number: str, totp_registration_id: str}, secondary_auth_initiated: str}, primary_required: map{allowed_auth_methods: [str]}, member_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/discovery/organizations/create
@desc Create
@required {intermediate_session_token: str # The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes.}
@optional {session_duration_minutes: int(int32) # Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of   five minutes regardless of the underlying session duration, and will need to be refreshed over time.    This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).    If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes.    If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want   to use the Stytch session product, you can ignore the session fields in the response., session_custom_claims: map # Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in   `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To   delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored.   Total custom claims size cannot exceed four kilobytes., organization_name: str # The name of the Organization. If the name is not specified, a default name will be created based on the email used to initiate the discovery flow. If the email domain is a common email provider such as gmail.com, or if the email is a .edu email, the organization name will be generated based on the name portion of the email. Otherwise, the organization name will be generated based on the email domain., organization_slug: str # The unique URL slug of the Organization. A minimum of two characters is required. 
The slug only accepts alphanumeric characters and the following reserved characters: `-` `.` `_` `~`. If the slug is not specified, a default slug will be created based on the email used to initiate the discovery flow. If the email domain is a common email provider such as gmail.com, or if the email is a .edu email, the organization slug will be generated based on the name portion of the email. Otherwise, the organization slug will be generated based on the email domain., organization_external_id: str # An identifier that can be used in API calls wherever a organization_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. External IDs must be unique within a project, but may be reused across different projects in the same workspace., organization_logo_url: str # The image URL of the Organization logo., trusted_metadata: map # An arbitrary JSON object for storing application-specific data or identity-provider-specific data., sso_jit_provisioning: str # The authentication setting that controls the JIT provisioning of Members when authenticating via SSO. The accepted values are:     `ALL_ALLOWED` – the default setting, new Members will be automatically provisioned upon successful authentication via any of the Organization's `sso_active_connections`.     `RESTRICTED` – only new Members with SSO logins that comply with `sso_jit_provisioning_allowed_connections` can be provisioned upon authentication.     `NOT_ALLOWED` – disable JIT provisioning via SSO., email_allowed_domains: [str] # An array of email domains that allow invites or JIT provisioning for new Members. This list is enforced when either `email_invites` or `email_jit_provisioning` is set to `RESTRICTED`.             Common domains such as `gmail.com` are not allowed. 
See the [common email domains resource](https://stytch.com/docs/b2b/api/common-email-domains) for the full list., email_jit_provisioning: str # The authentication setting that controls how a new Member can be provisioned by authenticating via Email Magic Link or OAuth. The accepted values are:     `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be provisioned upon authentication via Email Magic Link or OAuth.     `NOT_ALLOWED` – the default setting, disables JIT provisioning via Email Magic Link and OAuth., email_invites: str # The authentication setting that controls how a new Member can be invited to an organization by email. The accepted values are:     `ALL_ALLOWED` – any new Member can be invited to join via email.     `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be invited via email.     `NOT_ALLOWED` – disable email invites., auth_methods: str # The setting that controls which authentication methods can be used by Members of an Organization. The accepted values are:     `ALL_ALLOWED` – the default setting which allows all authentication methods to be used.     `RESTRICTED` – only methods that comply with `allowed_auth_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`., allowed_auth_methods: [str] # An array of allowed authentication methods. This list is enforced when `auth_methods` is set to `RESTRICTED`.   The list's accepted values are: `sso`, `magic_link`, `email_otp`, `password`, `google_oauth`, `microsoft_oauth`, `slack_oauth`, `github_oauth`, and `hubspot_oauth`., mfa_policy: str # The setting that controls the MFA policy for all Members in the Organization. The accepted values are:     `REQUIRED_FOR_ALL` – All Members within the Organization will be required to complete MFA every time they wish to log in. 
However, any active Session that existed prior to this setting change will remain valid.     `OPTIONAL` – The default value. The Organization does not require MFA by default for all Members. Members will be required to complete MFA only if their `mfa_enrolled` status is set to true., rbac_email_implicit_role_assignments: [map{domain!: str, role_id!: str}] # Implicit role assignments based off of email domains.   For each domain-Role pair, all Members whose email addresses have the specified email domain will be granted the   associated Role, regardless of their login method. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment)   for more information about role assignment., mfa_methods: str # The setting that controls which MFA methods can be used by Members of an Organization. The accepted values are:     `ALL_ALLOWED` – the default setting which allows all authentication methods to be used.     `RESTRICTED` – only methods that comply with `allowed_mfa_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`., allowed_mfa_methods: [str] # An array of allowed MFA authentication methods. This list is enforced when `mfa_methods` is set to `RESTRICTED`.   The list's accepted values are: `sms_otp` and `totp`., oauth_tenant_jit_provisioning: str # The authentication setting that controls how a new Member can JIT provision into an organization by tenant. The accepted values are:     `RESTRICTED` – only new Members with tenants in `allowed_oauth_tenants` can JIT provision via tenant.     `NOT_ALLOWED` – the default setting, disables JIT provisioning by OAuth Tenant., allowed_oauth_tenants: map # A map of allowed OAuth tenants. If this field is not passed in, the Organization will not allow JIT provisioning by OAuth Tenant. 
Allowed keys are "slack", "hubspot", and "github"., first_party_connected_apps_allowed_type: str(ALL_ALLOWED/RESTRICTED/NOT_ALLOWED), allowed_first_party_connected_apps: [str] # An array of first party Connected App IDs that are allowed for the Organization. Only used when the Organization's `first_party_connected_apps_allowed_type` is `RESTRICTED`., third_party_connected_apps_allowed_type: str(ALL_ALLOWED/RESTRICTED/NOT_ALLOWED), allowed_third_party_connected_apps: [str] # An array of third party Connected App IDs that are allowed for the Organization. Only used when the Organization's `third_party_connected_apps_allowed_type` is `RESTRICTED`., telemetry_id: str # If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature.}
@returns(200) {request_id: str, member_id: str, session_token: str, session_jwt: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, member_authenticated: bool, intermediate_session_token: str, status_code: int(int32), member_session: map{member_session_id: str, member_id: str, started_at: str, last_accessed_at: str, expires_at: str, authentication_factors: [map], organization_id: str, roles: [str], organization_slug: str, custom_claims: map}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], 
first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, mfa_required: map{member_options: map{mfa_phone_number: str, totp_registration_id: str}, secondary_auth_initiated: str}, primary_required: map{allowed_auth_methods: [str]}, member_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/discovery/organizations
@desc List
@optional {intermediate_session_token: str # The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes., session_token: str # A secret token for a given Stytch Session., session_jwt: str # The JSON Web Token (JWT) for a given Stytch Session.}
@returns(200) {request_id: str, email_address: str, discovered_organizations: [map], status_code: int(int32), organization_id_hint: str} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endgroup

@group fingerprint
@endpoint POST /v1/fingerprint/lookup
@desc Lookup
@required {telemetry_id: str # The telemetry ID associated with the fingerprint being looked up.}
@optional {external_metadata: map{external_id: str, organization_id: str, user_action: str}}
@returns(200) {request_id: str, telemetry_id: str, fingerprints: map{network_fingerprint: str, hardware_fingerprint: str, browser_fingerprint: str, visitor_fingerprint: str, visitor_id: str, browser_id: str}, verdict: map{action: str, reasons: [str], detected_device_type: str, is_authentic_device: bool, verdict_reason_overrides: [map], rule_match_type: str, rule_match_identifier: str}, external_metadata: map{external_id: str, organization_id: str, user_action: str}, created_at: str, expires_at: str, status_code: int(int32), properties: map{network_properties: map{ip_address: str, asn: map{asn: str, name: str, network: str}, ip_geolocation: map{city: str, region: str, country: str}, is_proxy: bool, is_vpn: bool}, browser_properties: map{user_agent: str}}, raw_signals: map} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endgroup

@group rules
@endpoint POST /v1/rules/set
@desc Set
@required {action: str(ALLOW/CHALLENGE/BLOCK/NONE)}
@optional {visitor_id: str # The visitor ID we want to set a rule for. Only one identifier can be specified in the request., browser_id: str # The browser ID we want to set a rule for. Only one identifier can be specified in the request., visitor_fingerprint: str # The visitor fingerprint we want to set a rule for. Only one identifier can be specified in the request., browser_fingerprint: str # The browser fingerprint we want to set a rule for. Only one identifier can be specified in the request., hardware_fingerprint: str # The hardware fingerprint we want to set a rule for. Only one identifier can be specified in the request., network_fingerprint: str # The network fingerprint we want to set a rule for. Only one identifier can be specified in the request., expires_in_minutes: int(int32) # The number of minutes until this rule expires. If no `expires_in_minutes` is specified, then the rule is kept permanently., description: str # An optional description for the rule., cidr_block: str # The CIDR block we want to set a rule for. You may pass either an IP address or a CIDR block. The CIDR block prefix must be between 16 and 32, inclusive. If an end user's IP address is within this CIDR block, this rule will be applied. Only one identifier can be specified in the request., country_code: str # The country code we want to set a rule for. The country code must be a valid ISO 3166-1 alpha-2 code. You may not set `ALLOW` rules for country codes. Only one identifier can be specified in the request., asn: str # The ASN we want to set a rule for. The ASN must be the string representation of an integer between 0 and 4294967295, inclusive. Only one identifier can be specified in the request.}
@returns(200) {request_id: str, action: str, status_code: int(int32), visitor_id: str, browser_id: str, visitor_fingerprint: str, browser_fingerprint: str, hardware_fingerprint: str, network_fingerprint: str, expires_at: str, cidr_block: str, country_code: str, asn: str} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/rules/list
@desc List
@optional {cursor: str # The `cursor` field allows you to paginate through your results. Each result array is limited to 100 results. If your query returns more than 100 results, you will need to paginate the responses using the `cursor`. If you receive a response that includes a non-null `next_cursor`, repeat the request with the `cursor` field set to that `next_cursor` value to retrieve the next page of results. Continue to make requests until the `next_cursor` in the response is null., limit: int(int32) # The number of results to return per page. The default limit is 10. A maximum of 100 results can be returned by a single request. If the total size of your result set is greater than one page size, you must paginate the response. See the `cursor` field.}
@returns(200) {request_id: str, next_cursor: str, rules: [map], status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endgroup

@group verdict_reasons
@endpoint POST /v1/verdict_reasons/override
@desc Override
@required {verdict_reason: str # The verdict reason that you wish to override. For a list of possible reasons to override, see [Warning Flags (Verdict Reasons)](https://stytch.com/docs/docs/fraud/guides/device-fingerprinting/reference/warning-flags-verdict-reasons). You may not override the `RULE_MATCH` reason., override_action: str(ALLOW/CHALLENGE/BLOCK/NONE)}
@optional {override_description: str # An optional description for the verdict reason override.}
@returns(200) {request_id: str, verdict_reason_action: map{verdict_reason: str, default_action: str, override_action: str, override_created_at: str, override_description: str}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/verdict_reasons/list
@desc List
@optional {overrides_only: bool # Whether to return only verdict reasons that have overrides set. Defaults to false.}
@returns(200) {request_id: str, verdict_reason_actions: [map], status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endgroup

@group email
@endpoint POST /v1/email/risk
@desc Risk
@required {email_address: str # The email address to check.}
@returns(200) {request_id: str, address_information: map{has_known_bounces: bool, has_valid_syntax: bool, is_suspected_role_address: bool, normalized_email: str, tumbling_character_count: int(int32)}, domain_information: map{has_mx_or_a_record: bool, is_disposable_domain: bool}, action: str, risk_score: int(int32), status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endgroup

@group idp
@endpoint POST /v1/idp/oauth/authorize/start
@desc Authorizestart
@required {client_id: str # The ID of the Connected App client., redirect_uri: str # The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow.  This field is required when using the `authorization_code` grant., response_type: str # The OAuth 2.0 response type. For authorization code flows this value is `code`., scopes: [str] # An array of scopes requested by the client.}
@optional {user_id: str # The unique ID of a specific User. You may use an `external_id` here if one is set for the user., session_token: str # The `session_token` associated with a User's existing Session., session_jwt: str # The `session_jwt` associated with a User's existing Session., prompt: str # Space separated list that specifies how the Authorization Server should prompt the user for reauthentication and consent. Only `consent` is supported today.}
@returns(200) {request_id: str, user_id: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, client: map{client_id: str, client_name: str, client_description: str, client_type: str, logo_url: str}, consent_required: bool, scope_results: [map], status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/idp/oauth/authorize
@desc Authorize
@required {consent_granted: bool # Indicates whether the user granted the requested scopes., scopes: [str] # An array of scopes requested by the client., client_id: str # The ID of the Connected App client., redirect_uri: str # The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow.  This field is required when using the `authorization_code` grant., response_type: str # The OAuth 2.0 response type. For authorization code flows this value is `code`.}
@optional {user_id: str # The unique ID of a specific User. You may use an `external_id` here if one is set for the user., session_token: str # The `session_token` associated with a User's existing Session., session_jwt: str # The `session_jwt` associated with a User's existing Session., prompt: str # Space separated list that specifies how the Authorization Server should prompt the user for reauthentication and consent. Only `consent` is supported today., state: str # An opaque value used to maintain state between the request and callback., nonce: str # A string used to associate a client session with an ID token to mitigate replay attacks., code_challenge: str # A base64url encoded challenge derived from the code verifier for PKCE flows., resources: [str]}
@returns(200) {request_id: str, redirect_uri: str, status_code: int(int32), authorization_code: str} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endgroup

@group impersonation
@endpoint POST /v1/impersonation/authenticate
@desc Authenticate
@required {impersonation_token: str # The User Impersonation token to authenticate. Expires in 5 minutes by default.}
@returns(200) {request_id: str, user_id: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, session_token: str, session_jwt: str, status_code: int(int32), session: map{session_id: str, user_id: str, authentication_factors: [map], roles: [str], started_at: str, last_accessed_at: str, expires_at: str, attributes: map{ip_address: str, user_agent: str}, custom_claims: map}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endgroup

@group m2m
@endpoint GET /v1/m2m/clients/{client_id}
@desc Get
@required {client_id: str # The ID of the client.}
@returns(200) {request_id: str, m2m_client: map{client_id: str, client_name: str, client_description: str, status: str, scopes: [str], client_secret_last_four: str, trusted_metadata: map, next_client_secret_last_four: str}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint PUT /v1/m2m/clients/{client_id}
@desc Update
@required {client_id: str # The ID of the client.}
@optional {client_name: str # A human-readable name for the client., client_description: str # A human-readable description for the client., status: str(active/inactive), scopes: [str] # An array of scopes assigned to the client., trusted_metadata: map # The `trusted_metadata` field contains an arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details.}
@returns(200) {request_id: str, m2m_client: map{client_id: str, client_name: str, client_description: str, status: str, scopes: [str], client_secret_last_four: str, trusted_metadata: map, next_client_secret_last_four: str}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint DELETE /v1/m2m/clients/{client_id}
@desc Delete
@required {client_id: str # The ID of the client.}
@returns(200) {request_id: str, client_id: str, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/m2m/clients/search
@desc Search
@optional {cursor: str # The `cursor` field allows you to paginate through your results. Each result array is limited to 1000 results. If your query returns more than 1000 results, you will need to paginate the responses using the `cursor`. If you receive a response that includes a non-null `next_cursor` in the `results_metadata` object, repeat the search call with the `next_cursor` value set to the `cursor` field to retrieve the next page of results. Continue to make search calls until the `next_cursor` in the response is null., limit: int(int32) # The number of search results to return per page. The default limit is 100. A maximum of 1000 results can be returned by a single search request. If the total size of your result set is greater than one page size, you must paginate the response. See the `cursor` field., query: map{operator!: str, operands!: [map]}}
@returns(200) {request_id: str, m2m_clients: [map], results_metadata: map{total: int(int32), next_cursor: str}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/m2m/clients
@desc Create
@required {scopes: [str] # An array of scopes assigned to the client.}
@optional {client_id: str # If provided, the ID of the client to create. If not provided, Stytch will generate this value for you. The `client_id` must be unique within your project., client_secret: str # If provided, the stored secret of the client to create. If not provided, Stytch will generate this value for you. If provided, the `client_secret` must be at least 8 characters long and pass entropy requirements., client_name: str # A human-readable name for the client., client_description: str # A human-readable description for the client., trusted_metadata: map # The `trusted_metadata` field contains an arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details.}
@returns(200) {request_id: str, m2m_client: map{client_id: str, client_secret: str, client_name: str, client_description: str, status: str, scopes: [str], client_secret_last_four: str, trusted_metadata: map, next_client_secret_last_four: str}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/m2m/clients/{client_id}/secrets/rotate/start
@desc Rotatestart
@required {client_id: str # The ID of the client.}
@returns(200) {request_id: str, m2m_client: map{client_id: str, next_client_secret: str, client_name: str, client_description: str, status: str, scopes: [str], client_secret_last_four: str, trusted_metadata: map, next_client_secret_last_four: str}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/m2m/clients/{client_id}/secrets/rotate/cancel
@desc Rotatecancel
@required {client_id: str # The ID of the client.}
@returns(200) {request_id: str, m2m_client: map{client_id: str, client_name: str, client_description: str, status: str, scopes: [str], client_secret_last_four: str, trusted_metadata: map, next_client_secret_last_four: str}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/m2m/clients/{client_id}/secrets/rotate
@desc Rotate
@required {client_id: str # The ID of the client.}
@returns(200) {request_id: str, m2m_client: map{client_id: str, client_name: str, client_description: str, status: str, scopes: [str], client_secret_last_four: str, trusted_metadata: map, next_client_secret_last_four: str}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endgroup

@group magic_links
@endpoint POST /v1/magic_links/authenticate
@desc Authenticate
@required {token: str # The Magic Link `token` from the `?token=` query parameter in the URL. The redirect URL will look like `https://example.com/authenticate?stytch_token_type=magic_links&token=rM_kw42CWBhsHLF62V75jELMbvJ87njMe3tFVj7Qupu7`. In the redirect URL, the `stytch_token_type` will be `magic_links`. See [here](https://stytch.com/docs/workspace-management/redirect-urls) for more detail.}
@optional {attributes: map{ip_address: str, user_agent: str}, options: map{ip_match_required!: bool, user_agent_match_required!: bool}, session_token: str # The `session_token` associated with a User's existing Session., session_duration_minutes: int(int32) # Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of   five minutes regardless of the underlying session duration, and will need to be refreshed over time.    This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).    If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes.    If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created., session_jwt: str # The `session_jwt` associated with a User's existing Session., session_custom_claims: map # Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value.    Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes., code_verifier: str # A base64url encoded one time secret used to validate that the request starts and ends on the same device., telemetry_id: str # If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. 
Your workspace must be enabled for Device Fingerprinting to use this feature.}
@returns(200) {request_id: str, user_id: str, method_id: str, session_token: str, session_jwt: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, reset_sessions: bool, status_code: int(int32), session: map{session_id: str, user_id: str, authentication_factors: [map], roles: [str], started_at: str, last_accessed_at: str, expires_at: str, attributes: map{ip_address: str, user_agent: str}, custom_claims: map}, user_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/magic_links
@desc Create
@required {user_id: str # The unique ID of a specific User. You may use an `external_id` here if one is set for the user.}
@optional {expiration_minutes: int(int32) # Set the expiration for the Magic Link `token` in minutes. By default, it expires in 1 hour. The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins)., attributes: map{ip_address: str, user_agent: str}}
@returns(200) {request_id: str, user_id: str, token: str, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/magic_links/email/send
@desc Send
@required {email: str # The email address of the User to send the Magic Link to.}
@optional {login_template_id: str # Use a custom template for login emails. By default, it will use your default email template. Templates can be added in the [Stytch dashboard](https://stytch.com/dashboard/templates) using our built-in customization options or custom HTML templates with type “Magic links - Login”., attributes: map{ip_address: str, user_agent: str}, login_magic_link_url: str # The URL the end user clicks from the login Email Magic Link. This should be a URL that your app receives and parses and subsequently sends an API request to authenticate the Magic Link and log in the User. If this value is not passed, the default login redirect URL that you set in your Dashboard is used. If you have not set a default login redirect URL, an error is returned., signup_magic_link_url: str # The URL the end user clicks from the sign-up Email Magic Link. This should be a URL that your app receives and parses and subsequently sends an API request to authenticate the Magic Link and sign up the User. If this value is not passed, the default sign-up redirect URL that you set in your Dashboard is used. If you have not set a default sign-up redirect URL, an error is returned., login_expiration_minutes: int(int32) # Set the expiration for the login email magic link, in minutes. By default, it expires in 1 hour. The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins)., signup_expiration_minutes: int(int32) # Set the expiration for the sign-up email magic link, in minutes. By default, it expires in 1 week. The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins)., code_challenge: str # A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device., user_id: str # The unique ID of a specific User. 
You may use an `external_id` here if one is set for the user., session_token: str # The `session_token` of the user to associate the email with., session_jwt: str # The `session_jwt` of the user to associate the email with., locale: str(en/es/pt-br/fr), signup_template_id: str # Use a custom template for sign-up emails. By default, it will use your default email template. Templates can be added in the [Stytch dashboard](https://stytch.com/dashboard/templates) using our built-in customization options or custom HTML templates with type “Magic links - Sign-up”.}
@returns(200) {request_id: str, user_id: str, email_id: str, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/magic_links/email/login_or_create
@desc Loginorcreate
@required {email: str # The email address of the end user.}
@optional {login_magic_link_url: str # The URL the end user clicks from the login Email Magic Link. This should be a URL that your app receives and parses and subsequently sends an API request to authenticate the Magic Link and log in the User. If this value is not passed, the default login redirect URL that you set in your Dashboard is used. If you have not set a default login redirect URL, an error is returned., signup_magic_link_url: str # The URL the end user clicks from the sign-up Email Magic Link. This should be a URL that your app receives and parses and subsequently sends an API request to authenticate the Magic Link and sign up the User. If this value is not passed, the default sign-up redirect URL that you set in your Dashboard is used. If you have not set a default sign-up redirect URL, an error is returned., login_expiration_minutes: int(int32) # Set the expiration for the login email magic link, in minutes. By default, it expires in 1 hour. The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins)., signup_expiration_minutes: int(int32) # Set the expiration for the sign-up email magic link, in minutes. By default, it expires in 1 week. The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins)., login_template_id: str # Use a custom template for login emails. By default, it will use your default email template. Templates can be added in the [Stytch dashboard](https://stytch.com/dashboard/templates) using our built-in customization options or custom HTML templates with type “Magic links - Login”., signup_template_id: str # Use a custom template for sign-up emails. By default, it will use your default email template. 
Templates can be added in the [Stytch dashboard](https://stytch.com/dashboard/templates) using our built-in customization options or custom HTML templates with type “Magic links - Sign-up”., attributes: map{ip_address: str, user_agent: str}, create_user_as_pending: bool # Flag for whether or not to save a user as pending vs active in Stytch. Defaults to false.         If true, users will be saved with status pending in Stytch's backend until authenticated.         If false, users will be created as active. An example usage of         a true flag would be to require users to verify their phone by entering the OTP code before creating         an account for them., code_challenge: str # A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device., locale: str(en/es/pt-br/fr)}
@returns(200) {request_id: str, user_id: str, email_id: str, user_created: bool, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/magic_links/email/invite
@desc Invite
@required {email: str # The email address of the User to send the invite Magic Link to.}
@optional {invite_template_id: str # Use a custom template for invite emails. By default, it will use your default email template. Templates can be added in the [Stytch dashboard](https://stytch.com/dashboard/templates) using our built-in customization options or custom HTML templates with type “Magic links - Invite”., attributes: map{ip_address: str, user_agent: str}, name: map{first_name: str, middle_name: str, last_name: str}, invite_magic_link_url: str # The URL the end user clicks from the Email Magic Link. This should be a URL that your app receives and parses and subsequently sends an API request to authenticate the Magic Link and log in the User. If this value is not passed, the default invite redirect URL that you set in your Dashboard is used. If you have not set a default sign-up redirect URL, an error is returned., invite_expiration_minutes: int(int32) # Set the expiration for the email magic link, in minutes. By default, it expires in 1 hour. The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins)., locale: str(en/es/pt-br/fr), trusted_metadata: map # The `trusted_metadata` field contains an arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details., untrusted_metadata: map # The `untrusted_metadata` field contains an arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details.}
@returns(200) {request_id: str, user_id: str, email_id: str, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/magic_links/email/revoke_invite
@desc Revokeinvite
@required {email: str # The email of the user.}
@returns(200) {request_id: str, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endgroup

@group b2b
@endpoint POST /v1/b2b/magic_links/authenticate
@desc Authenticate
@required {magic_links_token: str # The Email Magic Link token to authenticate.}
@optional {pkce_code_verifier: str # A base64url encoded one time secret used to validate that the request starts and ends on the same device., session_token: str # Reuse an existing session instead of creating a new one. If you provide a `session_token`, Stytch will update the session.       If the `session_token` and `magic_links_token` belong to different Members, the `session_token` will be ignored. This endpoint will error if       both `session_token` and `session_jwt` are provided., session_jwt: str # Reuse an existing session instead of creating a new one. If you provide a `session_jwt`, Stytch will update the session. If the `session_jwt`       and `magic_links_token` belong to different Members, the `session_jwt` will be ignored. This endpoint will error if both `session_token` and `session_jwt`       are provided., session_duration_minutes: int(int32) # Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of   five minutes regardless of the underlying session duration, and will need to be refreshed over time.    This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).    If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes.    If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want   to use the Stytch session product, you can ignore the session fields in the response., session_custom_claims: map # Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in   `session_duration_minutes`. Claims will be included on the Session object and in the JWT. 
To update a key in an existing Session, supply a new value. To delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored. Total custom claims size cannot exceed four kilobytes., locale: str(en/es/pt-br/fr), intermediate_session_token: str # Adds this primary authentication factor to the intermediate session token. If the resulting set of factors satisfies the organization's primary authentication requirements and MFA requirements, the intermediate session token will be consumed and converted to a member session. If not, the same intermediate session token will be returned., telemetry_id: str # If the `telemetry_id` is passed as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature.}
@returns(200) {request_id: str, member_id: str, method_id: str, reset_sessions: bool, organization_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, session_token: str, session_jwt: str, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, 
organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, intermediate_session_token: str, member_authenticated: bool, status_code: int(int32), member_session: map{member_session_id: str, member_id: str, started_at: str, last_accessed_at: str, expires_at: str, authentication_factors: [map], organization_id: str, roles: [str], organization_slug: str, custom_claims: map}, mfa_required: map{member_options: map{mfa_phone_number: str, totp_registration_id: str}, secondary_auth_initiated: str}, primary_required: map{allowed_auth_methods: [str]}, member_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/magic_links/email/login_or_signup
@desc Loginorsignup
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., email_address: str # The email address of the Member.}
@optional {login_redirect_url: str # The URL that the Member clicks from the login Email Magic Link. This URL should be an endpoint in the backend server that   verifies the request by querying Stytch's authenticate endpoint and finishes the login. If this value is not passed, the default login   redirect URL that you set in your Dashboard is used. If you have not set a default login redirect URL, an error is returned., signup_redirect_url: str # The URL the Member clicks from the signup Email Magic Link. This URL should be an endpoint in the backend server that verifies   the request by querying Stytch's authenticate endpoint and finishes the login. If this value is not passed, the default sign-up redirect URL   that you set in your Dashboard is used. If you have not set a default sign-up redirect URL, an error is returned., pkce_code_challenge: str # A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device., login_template_id: str # Use a custom template for login emails. By default, it will use your default email template. Templates can be added in the [Stytch dashboard](https://stytch.com/dashboard/templates) using our built-in customization options or custom HTML templates with type “Magic Links - Login”., signup_template_id: str # Use a custom template for signup emails. By default, it will use your default email template. The template must be from Stytch's built-in customizations or a custom HTML email for “Magic Links - Signup”., locale: str(en/es/pt-br/fr), login_expiration_minutes: int(int32) # The expiration time, in minutes, for a login Email Magic Link. If not authenticated within this time frame, the email will need to be resent. Defaults to 60 (1 hour) with a minimum of 5 and a maximum of 10080 (1 week)., signup_expiration_minutes: int(int32) # The expiration time, in minutes, for a signup Email Magic Link. If not authenticated within this time frame, the email will need to be resent. 
Defaults to 60 (1 hour) with a minimum of 5 and a maximum of 10080 (1 week).}
@returns(200) {request_id: str, member_id: str, member_created: bool, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, 
scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/magic_links/email/invite
@desc Invite
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., email_address: str # The email address of the Member.}
@optional {X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions., invite_redirect_url: str # The URL that the Member clicks from the invite Email Magic Link. This URL should be an endpoint in the backend server that verifies   the request by querying Stytch's authenticate endpoint and finishes the invite flow. If this value is not passed, the default `invite_redirect_url`   that you set in your Dashboard is used. If you have not set a default `invite_redirect_url`, an error is returned., invited_by_member_id: str # The `member_id` of the Member who sends the invite., name: str # The name of the Member., trusted_metadata: map # An arbitrary JSON object for storing application-specific data or identity-provider-specific data., untrusted_metadata: map # An arbitrary JSON object of application-specific data. These fields can be edited directly by the   frontend SDK, and should not be used to store critical information. See the [Metadata resource](https://stytch.com/docs/b2b/api/metadata)   for complete field behavior details., invite_template_id: str # Use a custom template for invite emails. By default, it will use your default email template. Templates can be added in the [Stytch dashboard](https://stytch.com/dashboard/templates) using our built-in customization options or custom HTML templates with type “Magic Links - Invite”., locale: str(en/es/pt-br/fr), roles: [str] # Roles to explicitly assign to this Member. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment)    for more information about role assignment., invite_expiration_minutes: int(int32) # The expiration time, in minutes, for an invite email. If not accepted within this time frame, the invite will need to be resent. 
Defaults to 10080 (1 week) with a minimum of 5 and a maximum of 10080.}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: 
map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/magic_links/email/discovery/send
@desc Send
@required {email_address: str # The email address of the Member.}
@optional {discovery_redirect_url: str # The URL that the end user clicks from the discovery Magic Link. This URL should be an endpoint in the backend server that verifies the request by querying Stytch's discovery authenticate endpoint and continues the flow. If this value is not passed, the default discovery redirect URL that you set in your Dashboard is used. If you have not set a default discovery redirect URL, an error is returned., pkce_code_challenge: str # A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device., login_template_id: str # Use a custom template for discovery emails. By default, it will use your default email template. Templates can be added in the [Stytch dashboard](https://stytch.com/dashboard/templates) using our built-in customization options or custom HTML templates with type “Magic Links - Login”., locale: str(en/es/pt-br/fr), discovery_expiration_minutes: int(int32) # The expiration time, in minutes, for a discovery magic link email. If not accepted within this time frame, the email will need to be resent. Defaults to 60 (1 hour) with a minimum of 5 and a maximum of 10080 (1 week).}
@returns(200) {request_id: str, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/magic_links/discovery/authenticate
@desc Authenticate
@required {discovery_magic_links_token: str # The Discovery Email Magic Link token to authenticate.}
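@optional {pkce_code_verifier: str # A base64url encoded one time secret used to validate that the request starts and ends on the same device. This is the secret whose SHA256 hash was sent as `pkce_code_challenge` when the discovery Magic Link was requested.}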
@returns(200) {request_id: str, intermediate_session_token: str, email_address: str, discovered_organizations: [map], status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/oauth/authenticate
@desc Authenticate
@required {oauth_token: str # The token to authenticate.}
@optional {session_token: str # A secret token for a given Stytch Session., session_duration_minutes: int(int32) # Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of   five minutes regardless of the underlying session duration, and will need to be refreshed over time.    This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).    If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes.    If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want   to use the Stytch session product, you can ignore the session fields in the response., session_jwt: str # The JSON Web Token (JWT) for a given Stytch Session., session_custom_claims: map # Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in   `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To   delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored.   Total custom claims size cannot exceed four kilobytes., pkce_code_verifier: str # A base64url encoded one time secret used to validate that the request starts and ends on the same device., locale: str(en/es/pt-br/fr/it/de-DE/zh-Hans/ca-ES), intermediate_session_token: str # Adds this primary authentication factor to the intermediate session token. 
If the resulting set of factors satisfies the organization's primary authentication requirements and MFA requirements, the intermediate session token will be consumed and converted to a member session. If not, the same intermediate session token will be returned., telemetry_id: str # If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature.}
@returns(200) {request_id: str, member_id: str, provider_subject: str, provider_type: str, session_token: str, session_jwt: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization_id: str, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, 
organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, reset_sessions: bool, member_authenticated: bool, intermediate_session_token: str, status_code: int(int32), member_session: map{member_session_id: str, member_id: str, started_at: str, last_accessed_at: str, expires_at: str, authentication_factors: [map], organization_id: str, roles: [str], organization_slug: str, custom_claims: map}, provider_values: map{scopes: [str], access_token: str, refresh_token: str, expires_at: str, id_token: str}, mfa_required: map{member_options: map{mfa_phone_number: str, totp_registration_id: str}, secondary_auth_initiated: str}, primary_required: map{allowed_auth_methods: [str]}, member_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/oauth/discovery/authenticate
@desc Authenticate
@required {discovery_oauth_token: str # The Discovery OAuth token to authenticate.}
@optional {session_token: str, session_duration_minutes: int(int32), session_jwt: str, session_custom_claims: map, pkce_code_verifier: str # A base64url encoded one time secret used to validate that the request starts and ends on the same device. This is the secret whose SHA256 hash was supplied as the `pkce_code_challenge` when the OAuth flow was started.}
@returns(200) {request_id: str, intermediate_session_token: str, email_address: str, discovered_organizations: [map], provider_type: str, provider_tenant_id: str, provider_tenant_ids: [str], full_name: str, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/otps/sms/send
@desc Send
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., member_id: str # Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.}
@optional {mfa_phone_number: str # The phone number to send the OTP to. If the Member already has a phone number, this argument is not needed., locale: str(en/es/pt-br/fr), intermediate_session_token: str # The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes., session_token: str # A secret token for a given Stytch Session., session_jwt: str # The JSON Web Token (JWT) for a given Stytch Session.}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: 
map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/otps/sms/authenticate
@desc Authenticate
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., member_id: str # Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member., code: str # The code to authenticate.}
@optional {intermediate_session_token: str # The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes., session_token: str # A secret token for a given Stytch Session., session_jwt: str # The JSON Web Token (JWT) for a given Stytch Session., session_duration_minutes: int(int32) # Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of   five minutes regardless of the underlying session duration, and will need to be refreshed over time.    This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).    If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes.    If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. 
If you don't want   to use the Stytch session product, you can ignore the session fields in the response., session_custom_claims: map # Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in   `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To   delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored.   Total custom claims size cannot exceed four kilobytes., set_mfa_enrollment: str # Optionally sets the Member’s MFA enrollment status upon a successful authentication. If the Organization’s MFA policy is `REQUIRED_FOR_ALL`, this field will be ignored. If this field is not passed in, the Member’s `mfa_enrolled` boolean will not be affected. The options are:     `enroll` – sets the Member's `mfa_enrolled` boolean to `true`. The Member will be required to complete an MFA step upon subsequent logins to the Organization.     `unenroll` –  sets the Member's `mfa_enrolled` boolean to `false`. The Member will no longer be required to complete MFA steps when logging in to the Organization., set_default_mfa: bool, telemetry_id: str # If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature.}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: 
map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, session_token: str, session_jwt: str, status_code: int(int32), member_session: map{member_session_id: str, member_id: str, started_at: str, last_accessed_at: str, expires_at: str, authentication_factors: [map], organization_id: str, roles: [str], organization_slug: str, custom_claims: map}, member_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/otps/email/login_or_signup
@desc Login or signup
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., email_address: str # The email address of the Member.}
@optional {login_template_id: str # Use a custom template for login emails. By default, it will use your default email template. Templates can be added in the [Stytch dashboard](https://stytch.com/dashboard/templates) using our built-in customization options or custom HTML templates with type “OTP - Login”., signup_template_id: str # Use a custom template for signup emails. By default, it will use your default email template. Templates can be added in the [Stytch dashboard](https://stytch.com/dashboard/templates) using our built-in customization options or custom HTML templates with type “OTP - Signup”., locale: str(en/es/pt-br/fr), login_expiration_minutes: int(int32) # The expiration time, in minutes, for a login OTP email to a Member. If not authenticated within this time frame, the OTP will need to be resent. Defaults to 10 with a minimum of 2 and a maximum of 15., signup_expiration_minutes: int(int32) # The expiration time, in minutes, for a signup OTP email to a Member. If not authenticated within this time frame, the OTP will need to be resent. Defaults to 10 with a minimum of 2 and a maximum of 15.}
@returns(200) {request_id: str, member_id: str, member_created: bool, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, 
scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/otps/email/authenticate
@desc Authenticate
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., email_address: str # The email address of the Member., code: str # The code to authenticate.}
@optional {session_token: str # A secret token for a given Stytch Session., session_jwt: str # The JSON Web Token (JWT) for a given Stytch Session., intermediate_session_token: str # The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes., session_duration_minutes: int(int32) # Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of   five minutes regardless of the underlying session duration, and will need to be refreshed over time.    This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).    If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes.    If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. 
If you don't want   to use the Stytch session product, you can ignore the session fields in the response., session_custom_claims: map # Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in   `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To   delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored.   Total custom claims size cannot exceed four kilobytes., locale: str(en/es/pt-br/fr), telemetry_id: str # If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature.}
@returns(200) {request_id: str, member_id: str, method_id: str, organization_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, session_token: str, session_jwt: str, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: 
str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, intermediate_session_token: str, member_authenticated: bool, status_code: int(int32), member_session: map{member_session_id: str, member_id: str, started_at: str, last_accessed_at: str, expires_at: str, authentication_factors: [map], organization_id: str, roles: [str], organization_slug: str, custom_claims: map}, mfa_required: map{member_options: map{mfa_phone_number: str, totp_registration_id: str}, secondary_auth_initiated: str}, primary_required: map{allowed_auth_methods: [str]}, member_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/otps/email/discovery/send
@desc Send
@required {email_address: str # The email address to start the discovery flow for.}
@optional {login_template_id: str # Use a custom template for login emails. By default, it will use your default email template. Templates can be added in the [Stytch dashboard](https://stytch.com/dashboard/templates) using our built-in customization options or custom HTML templates with type “OTP - Login”., locale: str(en/es/pt-br/fr), discovery_expiration_minutes: int(int32) # The expiration time, in minutes, for a discovery OTP email. If not accepted within this time frame, the OTP will need to be resent. Defaults to 10 with a minimum of 2 and a maximum of 15.}
@returns(200) {request_id: str, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/otps/email/discovery/authenticate
@desc Authenticate
@required {email_address: str # The email address of the Member., code: str # The code to authenticate.}
@returns(200) {request_id: str, intermediate_session_token: str, email_address: str, discovered_organizations: [map], status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endgroup

@group passwords
@endpoint POST /v1/passwords
@desc Create
@required {email: str # The email address of the end user., password: str # The password for the user. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc.}
@optional {session_duration_minutes: int(int32) # Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created., session_custom_claims: map # Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes., trusted_metadata: map # The `trusted_metadata` field contains an arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details., untrusted_metadata: map # The `untrusted_metadata` field contains an arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **must not be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details., name: map{first_name: str, middle_name: str, last_name: str}, telemetry_id: str # If the `telemetry_id` is passed as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature.}
@returns(200) {request_id: str, user_id: str, email_id: str, session_token: str, session_jwt: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32), session: map{session_id: str, user_id: str, authentication_factors: [map], roles: [str], started_at: str, last_accessed_at: str, expires_at: str, attributes: map{ip_address: str, user_agent: str}, custom_claims: map}, user_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/passwords/authenticate
@desc Authenticate
@required {email: str # The email address of the end user., password: str # The password for the user. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc.}
@optional {session_token: str # The `session_token` associated with a User's existing Session., session_duration_minutes: int(int32) # Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of   five minutes regardless of the underlying session duration, and will need to be refreshed over time.    This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).    If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes.    If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created., session_jwt: str # The `session_jwt` associated with a User's existing Session., session_custom_claims: map # Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value.    Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes., telemetry_id: str # If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature.}
@returns(200) {request_id: str, user_id: str, session_token: str, session_jwt: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32), session: map{session_id: str, user_id: str, authentication_factors: [map], roles: [str], started_at: str, last_accessed_at: str, expires_at: str, attributes: map{ip_address: str, user_agent: str}, custom_claims: map}, user_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/passwords/strength_check
@desc Strength check
@required {password: str # The password for the user. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc.}
@optional {email: str # The email address of the end user.}
@returns(200) {request_id: str, valid_password: bool, score: int(int32), breached_password: bool, strength_policy: str, breach_detection_on_create: bool, status_code: int(int32), feedback: map{warning: str, suggestions: [str], luds_requirements: map{has_lower_case: bool, has_upper_case: bool, has_digit: bool, has_symbol: bool, missing_complexity: int(int32), missing_characters: int(int32)}}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/passwords/migrate
@desc Migrate
@required {email: str # The email address of the end user., hash: str # The password hash. For a Scrypt or PBKDF2 hash, the hash needs to be a base64 encoded string., hash_type: str(bcrypt/md_5/argon_2i/argon_2id/sha_1/sha_512/scrypt/phpass/pbkdf_2)}
@optional {md_5_config: map{prepend_salt!: str, append_salt!: str}, argon_2_config: map{salt!: str, iteration_amount!: int(int32), memory!: int(int32), threads!: int(int32), key_length!: int(int32)}, sha_1_config: map{prepend_salt!: str, append_salt!: str}, sha_512_config: map{prepend_salt!: str, append_salt!: str}, scrypt_config: map{salt!: str, n_parameter!: int(int32), r_parameter!: int(int32), p_parameter!: int(int32), key_length!: int(int32)}, pbkdf_2_config: map{salt!: str, iteration_amount!: int(int32), key_length!: int(int32), algorithm!: str}, trusted_metadata: map # The `trusted_metadata` field contains an arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details., untrusted_metadata: map # The `untrusted_metadata` field contains an arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **must not be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details., set_email_verified: bool # Whether to set the user's email as verified. This is a dangerous field: incorrect use may lead to users being erroneously deduplicated into one User object, i.e. accounts belonging to different people being merged. This flag should only be set if you can attest that the user owns the email address in question., name: map{first_name: str, middle_name: str, last_name: str}, phone_number: str # The phone number of the user. The phone number should be in E.164 format (e.g. +1XXXXXXXXXX)., set_phone_number_verified: bool # Whether to set the user's phone number as verified. This is a dangerous field: this flag should only be set if you can attest that the user owns the phone number in question., external_id: str # If a new user is created, this will set an identifier that can be used in API calls wherever a user_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters., roles: [str] # Roles to explicitly assign to this User. See the [RBAC guide](https://stytch.com/docs/guides/rbac/role-assignment) for more information about role assignment.}
@returns(200) {request_id: str, user_id: str, email_id: str, user_created: bool, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/passwords/email/reset/start
@desc Reset start
@required {email: str # The email of the User that requested the password reset.}
@optional {reset_password_redirect_url: str # The URL that the User is redirected to from the reset password magic link. This URL should display your application's reset password page.   Before rendering the reset page, extract the `token` from the query parameters. On the reset page, collect the new password and complete the flow by calling the corresponding Password Reset by Email endpoint.   If this parameter is not specified, the default Reset Password redirect URL configured in the Dashboard will be used. If you have not set a default Reset Password redirect URL, an error is returned., reset_password_expiration_minutes: int(int32) # Set the expiration for the password reset, in minutes. By default, it expires in 30 minutes.   The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins)., code_challenge: str # A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device., attributes: map{ip_address: str, user_agent: str}, login_redirect_url: str # The URL that Users are redirected to upon clicking the "Log in without password" button in password reset emails.        After Users are redirected to the login redirect URL, your application should retrieve the `token` value from the URL parameters and call the [Magic Link Authenticate endpoint](https://stytch.com/docs/api/authenticate-magic-link) to log the User in without requiring a password reset. If this value is not provided, your project's default login redirect URL will be used. If you have not set a default login redirect URL, an error will be returned., locale: str(en/es/pt-br/fr), reset_password_template_id: str # Use a custom template for password reset emails. By default, it will use your default email template.   Templates can be added in the [Stytch dashboard](https://stytch.com/dashboard/templates) using our built-in customization options or custom HTML templates with type “Passwords - Password reset”.}
@returns(200) {request_id: str, user_id: str, email_id: str, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/passwords/email/reset
@desc Reset
@required {token: str # The Passwords `token` from the `?token=` query parameter in the URL.        In the redirect URL, the `stytch_token_type` will be `login` or `reset_password`.        See examples and read more about redirect URLs [here](https://stytch.com/docs/workspace-management/redirect-urls)., password: str # The password for the user. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc.}
@optional {session_token: str # The `session_token` associated with a User's existing Session., session_duration_minutes: int(int32) # Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of   five minutes regardless of the underlying session duration, and will need to be refreshed over time.    This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).    If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes.    If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created., session_jwt: str # The `session_jwt` associated with a User's existing Session., code_verifier: str # A base64url encoded one time secret used to validate that the request starts and ends on the same device., session_custom_claims: map # Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value.    Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes., attributes: map{ip_address: str, user_agent: str}, options: map{ip_match_required!: bool, user_agent_match_required!: bool}, telemetry_id: str # If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. 
Your workspace must be enabled for Device Fingerprinting to use this feature.}
@returns(200) {request_id: str, user_id: str, session_token: str, session_jwt: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32), session: map{session_id: str, user_id: str, authentication_factors: [map], roles: [str], started_at: str, last_accessed_at: str, expires_at: str, attributes: map{ip_address: str, user_agent: str}, custom_claims: map}, user_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/passwords/existing_password/reset
@desc Reset
@required {email: str # The email address of the end user., existing_password: str # The user's existing password., new_password: str # The new password for the user.}
@optional {session_token: str # The `session_token` associated with a User's existing Session., session_duration_minutes: int(int32) # Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of   five minutes regardless of the underlying session duration, and will need to be refreshed over time.    This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).    If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes.    If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created., session_jwt: str # The `session_jwt` associated with a User's existing Session., session_custom_claims: map # Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value.    Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes., telemetry_id: str # If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature.}
@returns(200) {request_id: str, user_id: str, session_token: str, session_jwt: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32), session: map{session_id: str, user_id: str, authentication_factors: [map], roles: [str], started_at: str, last_accessed_at: str, expires_at: str, attributes: map{ip_address: str, user_agent: str}, custom_claims: map}, user_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/passwords/session/reset
@desc Reset
@required {password: str # The password for the user. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc.}
@optional {session_token: str # The `session_token` associated with a User's existing Session., session_jwt: str # The `session_jwt` associated with a User's existing Session., session_duration_minutes: int(int32) # Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of   five minutes regardless of the underlying session duration, and will need to be refreshed over time.    This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).    If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes.    If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created., session_custom_claims: map # Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value.    Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes., telemetry_id: str # If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature.}
@returns(200) {request_id: str, user_id: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, session_token: str, session_jwt: str, status_code: int(int32), session: map{session_id: str, user_id: str, authentication_factors: [map], roles: [str], started_at: str, last_accessed_at: str, expires_at: str, attributes: map{ip_address: str, user_agent: str}, custom_claims: map}, user_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endgroup

@group b2b
@endpoint POST /v1/b2b/passwords/strength_check
@desc Strength check
@required {password: str # The password to authenticate, reset, or set for the first time. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc.}
@optional {email_address: str # The email address of the Member.}
@returns(200) {request_id: str, valid_password: bool, score: int(int32), breached_password: bool, strength_policy: str, breach_detection_on_create: bool, status_code: int(int32), luds_feedback: map{has_lower_case: bool, has_upper_case: bool, has_digit: bool, has_symbol: bool, missing_complexity: int(int32), missing_characters: int(int32)}, zxcvbn_feedback: map{warning: str, suggestions: [str]}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/passwords/migrate
@desc Migrate
@required {email_address: str # The email address of the Member., hash: str # The password hash. For a Scrypt or PBKDF2 hash, the hash needs to be a base64 encoded string., hash_type: str(bcrypt/md_5/argon_2i/argon_2id/sha_1/sha_512/scrypt/phpass/pbkdf_2), organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.}
@optional {md_5_config: map{prepend_salt!: str, append_salt!: str}, argon_2_config: map{salt!: str, iteration_amount!: int(int32), memory!: int(int32), threads!: int(int32), key_length!: int(int32)}, sha_1_config: map{prepend_salt!: str, append_salt!: str}, sha_512_config: map{prepend_salt!: str, append_salt!: str}, scrypt_config: map{salt!: str, n_parameter!: int(int32), r_parameter!: int(int32), p_parameter!: int(int32), key_length!: int(int32)}, pbkdf_2_config: map{salt!: str, iteration_amount!: int(int32), key_length!: int(int32), algorithm!: str}, name: str # The name of the Member. Each field in the name object is optional., trusted_metadata: map # An arbitrary JSON object for storing application-specific data or identity-provider-specific data., untrusted_metadata: map # An arbitrary JSON object of application-specific data. These fields can be edited directly by the   frontend SDK, and should not be used to store critical information. See the [Metadata resource](https://stytch.com/docs/b2b/api/metadata)   for complete field behavior details., roles: [str] # Roles to explicitly assign to this Member.  Will completely replace any existing explicitly assigned roles. See the  [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role assignment.     If a Role is removed from a Member, and the Member is also implicitly assigned this Role from an SSO connection    or an SSO group, we will by default revoke any existing sessions for the Member that contain any SSO    authentication factors with the affected connection ID. You can preserve these sessions by passing in the    `preserve_existing_sessions` parameter with a value of `true`., preserve_existing_sessions: bool # Whether to preserve existing sessions when explicit Roles that are revoked are also implicitly assigned   by SSO connection or SSO group. 
Defaults to `false` - that is, existing Member Sessions that contain SSO authentication factors with the affected SSO connection IDs will be revoked., mfa_phone_number: str # The Member's phone number. A Member may only have one phone number. The phone number should be in E.164 format (e.g. +1XXXXXXXXXX)., set_phone_number_verified: bool # Whether to set the Member's phone number as verified. This is a dangerous field: it marks the MFA phone number as verified without Stytch confirming that the Member controls it. This flag should only be set if you can attest that the Member owns the phone number in question., external_id: str # If a new member is created, this will set an identifier that can be used in most API calls where a `member_id` is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. External IDs must be unique within an organization, but may be reused across different organizations in the same project. Note that if a member already exists, this field will be ignored.}
@returns(200) {request_id: str, member_id: str, member_created: bool, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, 
scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/passwords/authenticate
@desc Authenticate
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., email_address: str # The email address of the Member., password: str # The password to authenticate, reset, or set for the first time. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc.}
@optional {session_token: str # A secret token for a given Stytch Session., session_duration_minutes: int(int32) # Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of   five minutes regardless of the underlying session duration, and will need to be refreshed over time.    This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).    If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes.    If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want   to use the Stytch session product, you can ignore the session fields in the response., session_jwt: str # The JSON Web Token (JWT) for a given Stytch Session., session_custom_claims: map # Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in   `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To   delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored.   Total custom claims size cannot exceed four kilobytes., locale: str(en/es/pt-br/fr), intermediate_session_token: str # Adds this primary authentication factor to the intermediate session token. If the resulting set of factors satisfies the organization's primary authentication requirements and MFA requirements, the intermediate session token will be consumed and converted to a member session. 
If not, the same intermediate session token will be returned., telemetry_id: str # If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature.}
@returns(200) {request_id: str, member_id: str, organization_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, session_token: str, session_jwt: str, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, 
sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, intermediate_session_token: str, member_authenticated: bool, status_code: int(int32), member_session: map{member_session_id: str, member_id: str, started_at: str, last_accessed_at: str, expires_at: str, authentication_factors: [map], organization_id: str, roles: [str], organization_slug: str, custom_claims: map}, mfa_required: map{member_options: map{mfa_phone_number: str, totp_registration_id: str}, secondary_auth_initiated: str}, primary_required: map{allowed_auth_methods: [str]}, member_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/passwords/email/reset/start
@desc Reset start
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., email_address: str # The email address of the Member to start the email reset process for.}
@optional {reset_password_redirect_url: str # The URL that the Member is redirected to from the reset password magic link. This URL should display your application's reset password page.   Before rendering the reset page, extract the `token` from the query parameters. On the reset page, collect the new password and complete the flow by calling the corresponding Password Reset by Email endpoint.   If this parameter is not specified, the default Reset Password redirect URL configured in the Dashboard will be used. If you have not set a default Reset Password redirect URL, an error is returned., reset_password_expiration_minutes: int(int32) # Sets a time limit after which the email link to reset the member's password will no longer be valid. The minimum allowed expiration is 5 minutes and the maximum is 10080 minutes (7 days). By default, the expiration is 30 minutes., code_challenge: str # A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device., login_redirect_url: str # The URL that Members are redirected to upon clicking the "Log in without password" button in password reset emails.        After Members are redirected to the login redirect URL, your application should retrieve the `token` value from the URL parameters and call the [Magic Link Authenticate endpoint](https://stytch.com/docs/api/authenticate-magic-link) to log the Member in without requiring a password reset. If this value is not provided, your project's default login redirect URL will be used. If you have not set a default login redirect URL, an error will be returned., locale: str(en/es/pt-br/fr), reset_password_template_id: str # Use a custom template for reset password emails. By default, it will use your default email template. 
Templates can be added in the [Stytch dashboard](https://stytch.com/dashboard/templates) using our built-in customization options or custom HTML templates with type “Passwords - Reset Password”., verify_email_template_id: str # Use a custom template for verification emails sent during password reset flows. When cross-organization passwords are enabled for your Project, this template will be used the first time a user sets a password via a   password reset flow. By default, it will use your default email template. Templates can be added in the [Stytch dashboard](https://stytch.com/dashboard/templates) using our built-in customization options or custom HTML templates with type “Passwords - Email Verification”.}
@returns(200) {request_id: str, member_id: str, member_email_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/passwords/email/reset
@desc Reset
@required {password_reset_token: str # The password reset token to authenticate., password: str # The password to authenticate, reset, or set for the first time. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc.}
@optional {session_token: str # Reuse an existing session instead of creating a new one. If you provide a `session_token`, Stytch will update the session.       If the `session_token` and `magic_links_token` belong to different Members, the `session_token` will be ignored. This endpoint will error if       both `session_token` and `session_jwt` are provided., session_duration_minutes: int(int32) # Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of   five minutes regardless of the underlying session duration, and will need to be refreshed over time.    This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).    If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes.    If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want   to use the Stytch session product, you can ignore the session fields in the response., session_jwt: str # Reuse an existing session instead of creating a new one. If you provide a `session_jwt`, Stytch will update the session. If the `session_jwt`       and `magic_links_token` belong to different Members, the `session_jwt` will be ignored. This endpoint will error if both `session_token` and `session_jwt`       are provided., code_verifier: str # A base64url encoded one time secret used to validate that the request starts and ends on the same device., session_custom_claims: map # Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in   `session_duration_minutes`. Claims will be included on the Session object and in the JWT. 
To update a key in an existing Session, supply a new value. To   delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored.   Total custom claims size cannot exceed four kilobytes., locale: str(en/es/pt-br/fr), intermediate_session_token: str # Adds this primary authentication factor to the intermediate session token. If the resulting set of factors satisfies the organization's primary authentication requirements and MFA requirements, the intermediate session token will be consumed and converted to a member session. If not, the same intermediate session token will be returned., telemetry_id: str # If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature.}
@returns(200) {request_id: str, member_id: str, member_email_id: str, organization_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, session_token: str, session_jwt: str, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, 
organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, intermediate_session_token: str, member_authenticated: bool, status_code: int(int32), member_session: map{member_session_id: str, member_id: str, started_at: str, last_accessed_at: str, expires_at: str, authentication_factors: [map], organization_id: str, roles: [str], organization_slug: str, custom_claims: map}, mfa_required: map{member_options: map{mfa_phone_number: str, totp_registration_id: str}, secondary_auth_initiated: str}, primary_required: map{allowed_auth_methods: [str]}, member_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/passwords/email/require_reset
@desc Require reset
@required {email_address: str # The email address of the Member to start the email reset process for.}
@optional {X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions., organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., member_id: str # Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.}
@returns(200) {request_id: str, status_code: int(int32), member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, 
scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/passwords/session/reset
@desc Reset
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., password: str # The password to authenticate, reset, or set for the first time. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc.}
@optional {session_token: str # A secret token for a given Stytch Session., session_jwt: str # The JSON Web Token (JWT) for a given Stytch Session., session_duration_minutes: int(int32) # Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of   five minutes regardless of the underlying session duration, and will need to be refreshed over time.    This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).    If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes.    If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want   to use the Stytch session product, you can ignore the session fields in the response., session_custom_claims: map # Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in   `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To   delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored.   Total custom claims size cannot exceed four kilobytes., locale: str(en/es/pt-br/fr), telemetry_id: str # If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature.}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: 
map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, session_token: str, session_jwt: str, intermediate_session_token: str, member_authenticated: bool, status_code: int(int32), member_session: map{member_session_id: str, member_id: str, started_at: str, last_accessed_at: str, expires_at: str, authentication_factors: [map], organization_id: str, roles: [str], organization_slug: str, custom_claims: map}, mfa_required: map{member_options: map{mfa_phone_number: str, totp_registration_id: str}, secondary_auth_initiated: str}, member_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/passwords/existing_password/reset
@desc Reset
@required {email_address: str # The email address of the Member., existing_password: str # The Member's current password that they supplied., new_password: str # The Member's elected new password., organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.}
@optional {session_token: str # A secret token for a given Stytch Session., session_duration_minutes: int(int32) # Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of   five minutes regardless of the underlying session duration, and will need to be refreshed over time.    This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).    If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes.    If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want   to use the Stytch session product, you can ignore the session fields in the response., session_jwt: str # The JSON Web Token (JWT) for a given Stytch Session., session_custom_claims: map # Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in   `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To   delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored.   Total custom claims size cannot exceed four kilobytes., locale: str(en/es/pt-br/fr), telemetry_id: str # If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature.}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, session_token: str, session_jwt: str, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, 
scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, intermediate_session_token: str, member_authenticated: bool, status_code: int(int32), member_session: map{member_session_id: str, member_id: str, started_at: str, last_accessed_at: str, expires_at: str, authentication_factors: [map], organization_id: str, roles: [str], organization_slug: str, custom_claims: map}, mfa_required: map{member_options: map{mfa_phone_number: str, totp_registration_id: str}, secondary_auth_initiated: str}, primary_required: map{allowed_auth_methods: [str]}, member_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/passwords/discovery/authenticate
@desc Authenticate
@required {email_address: str # The email address of the Member., password: str # The password to authenticate, reset, or set for the first time. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc.}
@returns(200) {request_id: str, email_address: str, intermediate_session_token: str, discovered_organizations: [map], status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/passwords/discovery/email/reset/start
@desc Resetstart
@required {email_address: str # The email address of the Member to start the email reset process for.}
@optional {reset_password_redirect_url: str # The URL that the Member is redirected to from the reset password magic link. This URL should display your application's reset password page.   Before rendering the reset page, extract the `token` from the query parameters. On the reset page, collect the new password and complete the flow by calling the corresponding Password Reset by Email endpoint.   If this parameter is not specified, the default Reset Password redirect URL configured in the Dashboard will be used. If you have not set a default Reset Password redirect URL, an error is returned., discovery_redirect_url: str # The URL that the end user clicks from the discovery Magic Link. This URL should be an endpoint in the backend server that   verifies the request by querying Stytch's discovery authenticate endpoint and continues the flow. If this value is not passed, the default   discovery redirect URL that you set in your Dashboard is used. If you have not set a default discovery redirect URL, an error is returned., reset_password_template_id: str # Use a custom template for reset password emails. By default, it will use your default email template. Templates can be added in the [Stytch dashboard](https://stytch.com/dashboard/templates) using our built-in customization options or custom HTML templates with type “Passwords - Reset Password”., reset_password_expiration_minutes: int(int32) # Sets a time limit after which the email link to reset the member's password will no longer be valid. The minimum allowed expiration is 5 minutes and the maximum is 10080 minutes (7 days). By default, the expiration is 30 minutes., pkce_code_challenge: str, locale: str # Used to determine which language to use when sending the user this delivery method. Parameter is an [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`.  
Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English.  Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link)!, verify_email_template_id: str # Use a custom template for verification emails sent during password reset flows. When cross-organization passwords are enabled for your Project, this template will be used the first time a user sets a password via a   password reset flow. By default, it will use your default email template. Templates can be added in the [Stytch dashboard](https://stytch.com/dashboard/templates) using our built-in customization options or custom HTML templates with type “Passwords - Email Verification”.}
@returns(200) {request_id: str, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/passwords/discovery/email/reset
@desc Reset
@required {password_reset_token: str # The password reset token to authenticate., password: str # The password to authenticate, reset, or set for the first time. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc.}
@optional {pkce_code_verifier: str}
@returns(200) {request_id: str, intermediate_session_token: str, email_address: str, discovered_organizations: [map], status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endgroup

@group oauth
@endpoint POST /v1/oauth/attach
@desc Attach
@required {provider: str # The OAuth provider's name.}
@optional {user_id: str # The unique ID of a specific User. You may use an `external_id` here if one is set for the user., session_token: str # The `session_token` associated with a User's existing Session., session_jwt: str # The `session_jwt` associated with a User's existing Session.}
@returns(200) {request_id: str, oauth_attach_token: str, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/oauth/authenticate
@desc Authenticate
@required {token: str # The OAuth `token` from the `?token=` query parameter in the URL.        The redirect URL will look like `https://example.com/authenticate?stytch_token_type=oauth&token=rM_kw42CWBhsHLF62V75jELMbvJ87njMe3tFVj7Qupu7`        In the redirect URL, the `stytch_token_type` will be `oauth`. See [here](https://stytch.com/docs/workspace-management/redirect-urls) for more detail.}
@optional {session_token: str # Reuse an existing session instead of creating a new one. If you provide us with a `session_token`, then we'll update the session represented by this session token with this OAuth factor. If this `session_token` belongs to a different user than the OAuth token, the session_token will be ignored. This endpoint will error if both `session_token` and `session_jwt` are provided., session_duration_minutes: int(int32) # Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of   five minutes regardless of the underlying session duration, and will need to be refreshed over time.    This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).    If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes.    If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created., session_jwt: str # Reuse an existing session instead of creating a new one. If you provide us with a `session_jwt`, then we'll update the session represented by this JWT with this OAuth factor. If this `session_jwt` belongs to a different user than the OAuth token, the session_jwt will be ignored. This endpoint will error if both `session_token` and `session_jwt` are provided., session_custom_claims: map # Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value.    Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. 
Total custom claims size cannot exceed four kilobytes., code_verifier: str # A base64url encoded one time secret used to validate that the request starts and ends on the same device., telemetry_id: str # If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature.}
@returns(200) {request_id: str, user_id: str, provider_subject: str, provider_type: str, session_token: str, session_jwt: str, provider_values: map{access_token: str, refresh_token: str, id_token: str, scopes: [str], expires_at: str}, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, reset_sessions: bool, oauth_user_registration_id: str, status_code: int(int32), user_session: map{session_id: str, user_id: str, authentication_factors: [map], roles: [str], started_at: str, last_accessed_at: str, expires_at: str, attributes: map{ip_address: str, user_agent: str}, custom_claims: map}, user_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endgroup

@group otps
@endpoint POST /v1/otps/authenticate
@desc Authenticate
@required {method_id: str # The `email_id` or `phone_id` involved in the given authentication., code: str # The code to authenticate.}
@optional {attributes: map{ip_address: str, user_agent: str}, options: map{ip_match_required!: bool, user_agent_match_required!: bool}, session_token: str # The `session_token` associated with a User's existing Session., session_duration_minutes: int(int32) # Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of   five minutes regardless of the underlying session duration, and will need to be refreshed over time.    This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).    If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes.    If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created., session_jwt: str # The `session_jwt` associated with a User's existing Session., session_custom_claims: map # Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value.    Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes., telemetry_id: str # If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature.}
@returns(200) {request_id: str, user_id: str, method_id: str, session_token: str, session_jwt: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, reset_sessions: bool, status_code: int(int32), session: map{session_id: str, user_id: str, authentication_factors: [map], roles: [str], started_at: str, last_accessed_at: str, expires_at: str, attributes: map{ip_address: str, user_agent: str}, custom_claims: map}, user_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/otps/sms/send
@desc Send
@required {phone_number: str # The phone number to use for one-time passcodes. The phone number should be in E.164 format (e.g. +1XXXXXXXXXX). You may use +10000000000 to test this endpoint, see [Testing](https://stytch.com/docs/home#resources_testing) for more detail.}
@optional {expiration_minutes: int(int32) # Set the expiration for the one-time passcode, in minutes. The minimum expiration is 1 minute and the maximum is 10 minutes. The default expiration is 2 minutes., attributes: map{ip_address: str, user_agent: str}, locale: str(en/es/pt-br/fr), user_id: str # The unique ID of a specific User. You may use an `external_id` here if one is set for the user., session_token: str # The `session_token` associated with a User's existing Session., session_jwt: str # The `session_jwt` associated with a User's existing Session.}
@returns(200) {request_id: str, user_id: str, phone_id: str, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/otps/sms/login_or_create
@desc Loginorcreate
@required {phone_number: str # The phone number to use for one-time passcodes. The phone number should be in E.164 format (e.g. +1XXXXXXXXXX). You may use +10000000000 to test this endpoint, see [Testing](https://stytch.com/docs/home#resources_testing) for more detail.}
@optional {expiration_minutes: int(int32) # Set the expiration for the one-time passcode, in minutes. The minimum expiration is 1 minute and the maximum is 10 minutes. The default expiration is 2 minutes., attributes: map{ip_address: str, user_agent: str}, create_user_as_pending: bool # Flag for whether or not to save a user as pending vs active in Stytch. Defaults to false.         If true, users will be saved with status pending in Stytch's backend until authenticated.         If false, users will be created as active. An example usage of         a true flag would be to require users to verify their phone by entering the OTP code before creating         an account for them., locale: str(en/es/pt-br/fr)}
@returns(200) {request_id: str, user_id: str, phone_id: str, user_created: bool, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/otps/whatsapp/send
@desc Send
@required {phone_number: str # The phone number to use for one-time passcodes. The phone number should be in E.164 format (e.g. +1XXXXXXXXXX). You may use +10000000000 to test this endpoint, see [Testing](https://stytch.com/docs/home#resources_testing) for more detail.}
@optional {expiration_minutes: int(int32) # Set the expiration for the one-time passcode, in minutes. The minimum expiration is 1 minute and the maximum is 10 minutes. The default expiration is 2 minutes., attributes: map{ip_address: str, user_agent: str}, locale: str(en/es/pt-br/fr), user_id: str # The unique ID of a specific User. You may use an `external_id` here if one is set for the user., session_token: str # The `session_token` associated with a User's existing Session., session_jwt: str # The `session_jwt` associated with a User's existing Session.}
@returns(200) {request_id: str, user_id: str, phone_id: str, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/otps/whatsapp/login_or_create
@desc Loginorcreate
@required {phone_number: str # The phone number to use for one-time passcodes. The phone number should be in E.164 format (e.g. +1XXXXXXXXXX). You may use +10000000000 to test this endpoint, see [Testing](https://stytch.com/docs/home#resources_testing) for more detail.}
@optional {expiration_minutes: int(int32) # Set the expiration for the one-time passcode, in minutes. The minimum expiration is 1 minute and the maximum is 10 minutes. The default expiration is 2 minutes., attributes: map{ip_address: str, user_agent: str}, create_user_as_pending: bool # Flag for whether or not to save a user as pending vs active in Stytch. Defaults to false.         If true, users will be saved with status pending in Stytch's backend until authenticated.         If false, users will be created as active. An example usage of         a true flag would be to require users to verify their phone by entering the OTP code before creating         an account for them., locale: str(en/es/pt-br/fr)}
@returns(200) {request_id: str, user_id: str, phone_id: str, user_created: bool, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/otps/email/send
@desc Send
@required {email: str # The email address of the user to send the one-time passcode to. You may use sandbox@stytch.com to test this endpoint, see [Testing](https://stytch.com/docs/home#resources_testing) for more detail.}
@optional {expiration_minutes: int(int32) # Set the expiration for the one-time passcode, in minutes. The minimum expiration is 1 minute and the maximum is 10 minutes. The default expiration is 2 minutes., attributes: map{ip_address: str, user_agent: str}, locale: str(en/es/pt-br/fr), user_id: str # The unique ID of a specific User. You may use an `external_id` here if one is set for the user., session_token: str # The `session_token` associated with a User's existing Session., session_jwt: str # The `session_jwt` associated with a User's existing Session., login_template_id: str # Use a custom template for login emails. By default, it will use your default email template. Templates can be added in the [Stytch dashboard](https://stytch.com/dashboard/templates) using our built-in customization options or custom HTML templates with type “OTP - Login”., signup_template_id: str # Use a custom template for sign-up emails. By default, it will use your default email template. Templates can be added in the [Stytch dashboard](https://stytch.com/dashboard/templates) using our built-in customization options or custom HTML templates with type “OTP - Sign-up”.}
@returns(200) {request_id: str, user_id: str, email_id: str, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/otps/email/login_or_create
@desc Loginorcreate
@required {email: str # The email address of the user to send the one-time passcode to. You may use sandbox@stytch.com to test this endpoint, see [Testing](https://stytch.com/docs/home#resources_testing) for more detail.}
@optional {expiration_minutes: int(int32) # Set the expiration for the one-time passcode, in minutes. The minimum expiration is 1 minute and the maximum is 10 minutes. The default expiration is 2 minutes., attributes: map{ip_address: str, user_agent: str}, create_user_as_pending: bool # Flag for whether or not to save a user as pending vs active in Stytch. Defaults to false.         If true, users will be saved with status pending in Stytch's backend until authenticated.         If false, users will be created as active. An example usage of         a true flag would be to require users to verify their phone by entering the OTP code before creating         an account for them., locale: str(en/es/pt-br/fr), login_template_id: str # Use a custom template for login emails. By default, it will use your default email template. Templates can be added in the [Stytch dashboard](https://stytch.com/dashboard/templates) using our built-in customization options or custom HTML templates with type “Magic links - Login”., signup_template_id: str # Use a custom template for sign-up emails. By default, it will use your default email template. Templates can be added in the [Stytch dashboard](https://stytch.com/dashboard/templates) using our built-in customization options or custom HTML templates with type “Magic links - Sign-up”.}
@returns(200) {request_id: str, user_id: str, email_id: str, user_created: bool, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endgroup

@group projects
@endpoint GET /v1/projects/metrics
@desc Metrics
@returns(200) {request_id: str, project_id: str, metrics: [map], status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endgroup

@group b2b
@endpoint GET /v1/b2b/sso/{organization_id}
@desc Getconnections
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.}
@optional {X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions.}
@returns(200) {request_id: str, saml_connections: [map], oidc_connections: [map], external_connections: [map], status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint DELETE /v1/b2b/sso/{organization_id}/connections/{connection_id}
@desc Deleteconnection
@required {organization_id: str # The organization ID that the SSO connection belongs to. You may also use the organization_slug or organization_external_id here as a convenience., connection_id: str # The ID of the SSO connection. SAML, OIDC, and External connection IDs can be provided.}
@optional {X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions.}
@returns(200) {request_id: str, connection_id: str, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/sso/authenticate
@desc Authenticate
@required {sso_token: str # The token to authenticate.}
@optional {pkce_code_verifier: str # A base64url-encoded one-time secret used to validate that the request starts and ends on the same device., session_token: str # The `session_token` belonging to the member that you wish to associate the email with., session_jwt: str # The `session_jwt` belonging to the member that you wish to associate the email with., session_duration_minutes: int(int32) # Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want to use the Stytch session product, you can ignore the session fields in the response., session_custom_claims: map # Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored. Total custom claims size cannot exceed four kilobytes., locale: str(en/es/pt-br/fr/it/de-DE/zh-Hans/ca-ES), intermediate_session_token: str # Adds this primary authentication factor to the intermediate session token. If the resulting set of factors satisfies the organization's primary authentication requirements and MFA requirements, the intermediate session token will be consumed and converted to a member session. If not, the same intermediate session token will be returned., telemetry_id: str # If the `telemetry_id` is passed as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature.}
@returns(200) {request_id: str, member_id: str, organization_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, session_token: str, session_jwt: str, reset_session: bool, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, 
organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, intermediate_session_token: str, member_authenticated: bool, status_code: int(int32), member_session: map{member_session_id: str, member_id: str, started_at: str, last_accessed_at: str, expires_at: str, authentication_factors: [map], organization_id: str, roles: [str], organization_slug: str, custom_claims: map}, mfa_required: map{member_options: map{mfa_phone_number: str, totp_registration_id: str}, secondary_auth_initiated: str}, primary_required: map{allowed_auth_methods: [str]}, member_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/sso/oidc/{organization_id}
@desc Create connection
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.}
@optional {X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions., display_name: str # A human-readable display name for the connection., identity_provider: str(classlink/cyberark/duo/generic/google-workspace/jumpcloud/keycloak/miniorange/microsoft-entra/okta/onelogin/pingfederate/rippling/salesforce/shibboleth)}
@returns(200) {request_id: str, status_code: int(int32), connection: map{organization_id: str, connection_id: str, status: str, display_name: str, redirect_url: str, client_id: str, client_secret: str, issuer: str, authorization_url: str, token_url: str, userinfo_url: str, jwks_url: str, identity_provider: str, custom_scopes: str, attribute_mapping: map}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint PUT /v1/b2b/sso/oidc/{organization_id}/connections/{connection_id}
@desc Update connection
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., connection_id: str # Globally unique UUID that identifies a specific SSO `connection_id` for a Member.}
@optional {X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions., display_name: str # A human-readable display name for the connection., client_id: str # The OAuth2.0 client ID used to authenticate login attempts. This will be provided by the IdP., client_secret: str # The secret belonging to the OAuth2.0 client used to authenticate login attempts. This will be provided by the IdP., issuer: str # A case-sensitive `https://` URL that uniquely identifies the IdP. This will be provided by the IdP., authorization_url: str # The location of the URL that starts an OAuth login at the IdP. This will be provided by the IdP., token_url: str # The location of the URL that issues OAuth2.0 access tokens and OIDC ID tokens. This will be provided by the IdP., userinfo_url: str # The location of the IDP's [UserInfo Endpoint](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo). This will be provided by the IdP., jwks_url: str # The location of the IdP's JSON Web Key Set, used to verify credentials issued by the IdP. This will be provided by the IdP., identity_provider: str(classlink/cyberark/duo/generic/google-workspace/jumpcloud/keycloak/miniorange/microsoft-entra/okta/onelogin/pingfederate/rippling/salesforce/shibboleth), custom_scopes: str # Include a space-separated list of custom scopes that you'd like to include. Note that this list must be URL encoded, e.g. the spaces must be expressed as %20., attribute_mapping: map # An object that represents the attributes used to identify a Member. This object will map the IdP-defined User attributes to Stytch-specific values, which will appear on the member's Trusted Metadata.}
@returns(200) {request_id: str, status_code: int(int32), connection: map{organization_id: str, connection_id: str, status: str, display_name: str, redirect_url: str, client_id: str, client_secret: str, issuer: str, authorization_url: str, token_url: str, userinfo_url: str, jwks_url: str, identity_provider: str, custom_scopes: str, attribute_mapping: map}, warning: str} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/sso/saml/{organization_id}
@desc Create connection
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.}
@optional {X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions., display_name: str # A human-readable display name for the connection., identity_provider: str(classlink/cyberark/duo/generic/google-workspace/jumpcloud/keycloak/miniorange/microsoft-entra/okta/onelogin/pingfederate/rippling/salesforce/shibboleth)}
@returns(200) {request_id: str, status_code: int(int32), connection: map{organization_id: str, connection_id: str, status: str, idp_entity_id: str, display_name: str, idp_sso_url: str, acs_url: str, audience_uri: str, signing_certificates: [map], verification_certificates: [map], encryption_private_keys: [map], saml_connection_implicit_role_assignments: [map], saml_group_implicit_role_assignments: [map], alternative_audience_uri: str, identity_provider: str, nameid_format: str, alternative_acs_url: str, idp_initiated_auth_disabled: bool, allow_gateway_callback: bool, attribute_mapping: map}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint PUT /v1/b2b/sso/saml/{organization_id}/connections/{connection_id}
@desc Update connection
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., connection_id: str # Globally unique UUID that identifies a specific SSO `connection_id` for a Member.}
@optional {X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions., idp_entity_id: str # A globally unique name for the IdP. This will be provided by the IdP., display_name: str # A human-readable display name for the connection., attribute_mapping: map # An object that represents the attributes used to identify a Member. This object will map the IdP-defined User attributes to Stytch-specific values. Required attributes: `email` and one of `full_name` or `first_name` and `last_name`., x509_certificate: str # A certificate that Stytch will use to verify the sign-in assertion sent by the IdP, in [PEM](https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail) format. See our [X509 guide](https://stytch.com/docs/b2b/api/saml-certificates) for more info., idp_sso_url: str # The URL for which assertions for login requests will be sent. This will be provided by the IdP., saml_connection_implicit_role_assignments: [map{role_id!: str}] # All Members who log in with this SAML connection will implicitly receive the specified Roles. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role assignment., saml_group_implicit_role_assignments: [map{role_id!: str, group!: str}] # Defines the names of the SAML groups that grant specific role assignments. For each group-Role pair, if a Member logs in with this SAML connection and belongs to the specified SAML group, they will be granted the associated Role. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role assignment. Before adding any group implicit role assignments, you must add a "groups" key to your SAML connection's `attribute_mapping`. Make sure that your IdP is configured to correctly send the group information., alternative_audience_uri: str # An alternative URL to use for the Audience Restriction. This value can be used when you wish to migrate an existing SAML integration to Stytch with zero downtime. Read our [SSO migration guide](https://stytch.com/docs/b2b/guides/migrations/additional-migration-considerations) for more info., identity_provider: str(classlink/cyberark/duo/generic/google-workspace/jumpcloud/keycloak/miniorange/microsoft-entra/okta/onelogin/pingfederate/rippling/salesforce/shibboleth), signing_private_key: str # A PKCS1 format RSA private key used for signing SAML requests. Only PKCS1 format (starting with "-----BEGIN RSA PRIVATE KEY-----") is supported. When provided, Stytch will generate a new x509 certificate from this key and return it in the signing_certificates array., nameid_format: str # The NameID format the SAML Connection expects to use. Defaults to `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`., alternative_acs_url: str # An alternative URL to use for the `AssertionConsumerServiceURL` in SP initiated SAML AuthNRequests. This value can be used when you wish to migrate an existing SAML integration to Stytch with zero downtime. Note that you will be responsible for proxying requests sent to the Alternative ACS URL to Stytch. Read our [SSO migration guide](https://stytch.com/docs/b2b/guides/migrations/additional-migration-considerations) for more info., idp_initiated_auth_disabled: bool # Determines whether IDP initiated auth is disabled for a given SAML connection (`true` disables it). Defaults to false (IDP Initiated Auth is enabled)., saml_encryption_private_key: str # A PKCS1 format RSA private key used to decrypt encrypted SAML assertions. Only PKCS1 format (starting with "-----BEGIN RSA PRIVATE KEY-----") is supported., allow_gateway_callback: bool}
@returns(200) {request_id: str, status_code: int(int32), connection: map{organization_id: str, connection_id: str, status: str, idp_entity_id: str, display_name: str, idp_sso_url: str, acs_url: str, audience_uri: str, signing_certificates: [map], verification_certificates: [map], encryption_private_keys: [map], saml_connection_implicit_role_assignments: [map], saml_group_implicit_role_assignments: [map], alternative_audience_uri: str, identity_provider: str, nameid_format: str, alternative_acs_url: str, idp_initiated_auth_disabled: bool, allow_gateway_callback: bool, attribute_mapping: map}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint PUT /v1/b2b/sso/saml/{organization_id}/connections/{connection_id}/url
@desc Update by URL
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., connection_id: str # Globally unique UUID that identifies a specific SSO `connection_id` for a Member., metadata_url: str # A URL that points to the IdP metadata. This will be provided by the IdP.}
@optional {X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions.}
@returns(200) {request_id: str, status_code: int(int32), connection: map{organization_id: str, connection_id: str, status: str, idp_entity_id: str, display_name: str, idp_sso_url: str, acs_url: str, audience_uri: str, signing_certificates: [map], verification_certificates: [map], encryption_private_keys: [map], saml_connection_implicit_role_assignments: [map], saml_group_implicit_role_assignments: [map], alternative_audience_uri: str, identity_provider: str, nameid_format: str, alternative_acs_url: str, idp_initiated_auth_disabled: bool, allow_gateway_callback: bool, attribute_mapping: map}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint DELETE /v1/b2b/sso/saml/{organization_id}/connections/{connection_id}/verification_certificates/{certificate_id}
@desc Delete verification certificate
@required {organization_id: str # The organization ID that the SAML connection belongs to. You may also use the organization_slug or organization_external_id here as a convenience., connection_id: str # The ID of the SAML connection., certificate_id: str # The ID of the certificate to be deleted.}
@optional {X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions.}
@returns(200) {request_id: str, certificate_id: str, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint DELETE /v1/b2b/sso/saml/{organization_id}/connections/{connection_id}/encryption_private_keys/{private_key_id}
@desc Delete encryption private key
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., connection_id: str # Globally unique UUID that identifies a specific SSO `connection_id` for a Member., private_key_id: str # The ID of the encryption private key to be deleted.}
@optional {X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions.}
@returns(200) {request_id: str, private_key_id: str, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/b2b/sso/external/{organization_id}
@desc Create connection
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., external_organization_id: str # Globally unique UUID that identifies a different Organization within your Project., external_connection_id: str # Globally unique UUID that identifies a specific SSO connection configured for a different Organization in your Project.}
@optional {X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions., display_name: str # A human-readable display name for the connection., connection_implicit_role_assignments: [map{role_id!: str}], group_implicit_role_assignments: [map{role_id!: str, group!: str}]}
@returns(200) {request_id: str, status_code: int(int32), connection: map{organization_id: str, connection_id: str, external_organization_id: str, external_connection_id: str, display_name: str, status: str, external_connection_implicit_role_assignments: [map], external_group_implicit_role_assignments: [map]}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint PUT /v1/b2b/sso/external/{organization_id}/connections/{connection_id}
@desc Update connection
@required {organization_id: str # Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience., connection_id: str # Globally unique UUID that identifies a specific External SSO Connection.}
@optional {X-Stytch-Member-Session: str # A Stytch session that can be used to run the request with the given member's permissions., X-Stytch-Member-SessionJWT: str # A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions., display_name: str # A human-readable display name for the connection., external_connection_implicit_role_assignments: [map{role_id!: str}] # All Members who log in with this External connection will implicitly receive the specified Roles. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role assignment. Implicit role assignments are not supported for External connections if the underlying SSO connection is an OIDC connection., external_group_implicit_role_assignments: [map{role_id!: str, group!: str}] # Defines the names of the groups that grant specific role assignments. For each group-Role pair, if a Member logs in with this external connection and belongs to the specified group, they will be granted the associated Role. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role assignment. Before adding any group implicit role assignments to an external connection, you must add a "groups" key to the underlying SAML connection's `attribute_mapping`. Make sure that the SAML connection IdP is configured to correctly send the group information. Implicit role assignments are not supported for External connections if the underlying SSO connection is an OIDC connection.}
@returns(200) {request_id: str, status_code: int(int32), connection: map{organization_id: str, connection_id: str, external_organization_id: str, external_connection_id: str, display_name: str, status: str, external_connection_implicit_role_assignments: [map], external_group_implicit_role_assignments: [map]}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endgroup

@group totps
@endpoint POST /v1/totps
@desc Create
@required {user_id: str # The `user_id` of an active user the TOTP registration should be tied to. You may use an `external_id` here if one is set for the user.}
@optional {expiration_minutes: int(int32) # The expiration for the TOTP instance. If the newly created TOTP is not authenticated within this time frame the TOTP will be unusable. Defaults to 1440 (1 day) with a minimum of 5 and a maximum of 1440.}
@returns(200) {request_id: str, totp_id: str, secret: str, qr_code: str, recovery_codes: [str], user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, user_id: str, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/totps/authenticate
@desc Authenticate
@required {user_id: str # The `user_id` of an active user the TOTP registration should be tied to. You may use an `external_id` here if one is set for the user., totp_code: str # The TOTP code to authenticate. The TOTP code should consist of 6 digits.}
@optional {session_token: str # The `session_token` associated with a User's existing Session., session_duration_minutes: int(int32) # Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of   five minutes regardless of the underlying session duration, and will need to be refreshed over time.    This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).    If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes.    If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created., session_jwt: str # The `session_jwt` associated with a User's existing Session., session_custom_claims: map # Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value.    Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes., telemetry_id: str # If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature.}
@returns(200) {request_id: str, user_id: str, session_token: str, totp_id: str, session_jwt: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32), session: map{session_id: str, user_id: str, authentication_factors: [map], roles: [str], started_at: str, last_accessed_at: str, expires_at: str, attributes: map{ip_address: str, user_agent: str}, custom_claims: map}, user_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/totps/recovery_codes
@desc Recovery codes
@required {user_id: str # The `user_id` of an active user the TOTP registration should be tied to. You may use an `external_id` here if one is set for the user.}
@returns(200) {request_id: str, user_id: str, totps: [map], status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/totps/recover
@desc Recover
@required {user_id: str # The `user_id` of an active user the TOTP registration should be tied to. You may use an `external_id` here if one is set for the user., recovery_code: str # The recovery code to authenticate.}
@optional {session_token: str # The `session_token` associated with a User's existing Session., session_duration_minutes: int(int32) # Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of   five minutes regardless of the underlying session duration, and will need to be refreshed over time.    This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).    If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes.    If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created., session_jwt: str # The `session_jwt` associated with a User's existing Session., session_custom_claims: map # Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value.    Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes., telemetry_id: str # If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature.}
@returns(200) {request_id: str, totp_id: str, user_id: str, session_token: str, session_jwt: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32), session: map{session_id: str, user_id: str, authentication_factors: [map], roles: [str], started_at: str, last_accessed_at: str, expires_at: str, attributes: map{ip_address: str, user_agent: str}, custom_claims: map}, user_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endgroup

@group webauthn
@endpoint POST /v1/webauthn/register/start
@desc Registerstart
@required {user_id: str # The `user_id` of an active user the Passkey or WebAuthn registration should be tied to. You may use an `external_id` here if one is set for the user., domain: str # The domain for Passkeys or WebAuthn. Defaults to `window.location.hostname`.}
@optional {user_agent: str # The user agent of the client., authenticator_type: str # The requested authenticator type of the Passkey or WebAuthn device. The two valid values are platform and cross-platform. If no value is passed, we assume both values are allowed., return_passkey_credential_options: bool # If true, the `public_key_credential_creation_options` returned will be optimized for Passkeys with `residentKey` set to `"required"` and `userVerification` set to `"preferred"`., override_id: str, override_name: str, override_display_name: str, use_base64_url_encoding: bool # If true, values in the `public_key_credential_creation_options` will be base64 URL encoded. Set this option to true when using built-in browser methods like `navigator.credentials.create` and `navigator.credentials.get`.}
@returns(200) {request_id: str, user_id: str, public_key_credential_creation_options: str, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/webauthn/register
@desc Register
@required {user_id: str # The `user_id` of an active user the Passkey or WebAuthn registration should be tied to. You may use an `external_id` here if one is set for the user., public_key_credential: str # The response of the [navigator.credentials.create()](https://www.w3.org/TR/webauthn-2/#sctn-createCredential).}
@optional {session_token: str # The `session_token` associated with a User's existing Session., session_duration_minutes: int(int32) # Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of   five minutes regardless of the underlying session duration, and will need to be refreshed over time.    This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).    If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes.    If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created., session_jwt: str # The `session_jwt` associated with a User's existing Session., session_custom_claims: map # Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value.    Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes., telemetry_id: str # If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature.}
@returns(200) {request_id: str, user_id: str, webauthn_registration_id: str, session_token: str, session_jwt: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32), session: map{session_id: str, user_id: str, authentication_factors: [map], roles: [str], started_at: str, last_accessed_at: str, expires_at: str, attributes: map{ip_address: str, user_agent: str}, custom_claims: map}, user_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/webauthn/authenticate/start
@desc Authenticatestart
@required {domain: str # The domain for Passkeys or WebAuthn. Defaults to `window.location.hostname`.}
@optional {user_id: str # The `user_id` of an active user the Passkey or WebAuthn registration should be tied to. You may use an `external_id` here if one is set for the user., return_passkey_credential_options: bool # If true, the `public_key_credential_request_options` returned will be optimized for Passkeys with `userVerification` set to `"preferred"`., use_base64_url_encoding: bool # If true, values in the `public_key_credential_request_options` will be base64 URL encoded. Set this option to true when using built-in browser methods like `navigator.credentials.create` and `navigator.credentials.get`.}
@returns(200) {request_id: str, user_id: str, public_key_credential_request_options: str, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint POST /v1/webauthn/authenticate
@desc Authenticate
@required {public_key_credential: str # The response of the [navigator.credentials.get()](https://www.w3.org/TR/webauthn-2/#sctn-getAssertion).}
@optional {session_token: str # The `session_token` associated with a User's existing Session., session_duration_minutes: int(int32) # Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of   five minutes regardless of the underlying session duration, and will need to be refreshed over time.    This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).    If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes.    If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created., session_jwt: str # The `session_jwt` associated with a User's existing Session., session_custom_claims: map # Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value.    Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes., telemetry_id: str # If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature.}
@returns(200) {request_id: str, user_id: str, webauthn_registration_id: str, session_token: str, session_jwt: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32), session: map{session_id: str, user_id: str, authentication_factors: [map], roles: [str], started_at: str, last_accessed_at: str, expires_at: str, attributes: map{ip_address: str, user_agent: str}, custom_claims: map}, user_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint PUT /v1/webauthn/{webauthn_registration_id}
@desc Update
@required {webauthn_registration_id: str # Globally unique UUID that identifies a Passkey or WebAuthn registration in the Stytch API. The `webauthn_registration_id` is used when you need to operate on a specific User's WebAuthn registration., name: str # The `name` of the WebAuthn registration or Passkey.}
@returns(200) {request_id: str, status_code: int(int32), webauthn_registration: map{webauthn_registration_id: str, domain: str, user_agent: str, verified: bool, authenticator_type: str, name: str}} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endpoint GET /v1/webauthn/credentials/{user_id}/{domain}
@desc Listcredentials
@required {user_id: str # The `user_id` of an active user the Passkey or WebAuthn registration should be tied to., domain: str # The domain for Passkeys or WebAuthn. Defaults to `window.location.hostname`.}
@returns(200) {credentials: [map], request_id: str, status_code: int(int32)} # Successful response
@errors {400: Bad request, 401: Unauthorized, 429: Too Many Requests, 500: Internal server error}

@endgroup

@end
