@lap v0.3
# Machine-readable API spec. Each @endpoint block is one API call.
@api Stytch API
@base https://api.stytch.com
@version 1.0.0
@auth Bearer basic
@endpoints 184
@hint download_for_search
@toc connected_apps(8), b2b(97), users(17), sessions(7), rbac(1), crypto_wallets(2), debug(1), fingerprint(1), rules(2), verdict_reasons(2), email(1), idp(2), impersonation(1), m2m(8), magic_links(6), passwords(8), oauth(2), otps(7), projects(1), totps(4), webauthn(6)

@group connected_apps
@endpoint GET /v1/connected_apps/clients/{client_id}
@required {client_id: str}
@returns(200) {request_id: str, connected_app: map{client_id: str, client_name: str, client_description: str, status: str, full_access_allowed: bool, client_type: str, redirect_urls: [str], access_token_expiry_minutes: int(int32), access_token_template_content: str, post_logout_redirect_urls: [str], bypass_consent_for_offline_access: bool, creation_method: str, client_secret_last_four: str, next_client_secret_last_four: str, access_token_custom_audience: str, logo_url: str, client_id_metadata_url: str}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint PUT /v1/connected_apps/clients/{client_id}
@required {client_id: str}
@optional {client_name: str, client_description: str, redirect_urls: [str], full_access_allowed: bool, access_token_expiry_minutes: int(int32), access_token_custom_audience: str, access_token_template_content: str, post_logout_redirect_urls: [str], logo_url: str, bypass_consent_for_offline_access: bool}
@returns(200) {request_id: str, connected_app: map{client_id: str, client_name: str, client_description: str, status: str, full_access_allowed: bool, client_type: str, redirect_urls: [str], access_token_expiry_minutes: int(int32), access_token_template_content: str, post_logout_redirect_urls: [str], bypass_consent_for_offline_access: bool, creation_method: str, client_secret_last_four: str, next_client_secret_last_four: str, access_token_custom_audience: str, logo_url: str, client_id_metadata_url: str}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint DELETE /v1/connected_apps/clients/{client_id}
@required {client_id: str}
@returns(200) {request_id: str, client_id: str, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/connected_apps/clients/search
@optional {cursor: str, limit: int(int32)}
@returns(200) {request_id: str, connected_apps: [map], results_metadata: map{total: int(int32), next_cursor: str}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/connected_apps/clients
@required {client_type: str(first_party/first_party_public/third_party/third_party_public)}
@optional {client_name: str, client_description: str, redirect_urls: [str], full_access_allowed: bool, access_token_expiry_minutes: int(int32), access_token_custom_audience: str, access_token_template_content: str, post_logout_redirect_urls: [str], logo_url: str, bypass_consent_for_offline_access: bool}
@returns(200) {request_id: str, connected_app: map{client_id: str, client_name: str, client_description: str, status: str, full_access_allowed: bool, client_type: str, redirect_urls: [str], access_token_expiry_minutes: int(int32), access_token_template_content: str, post_logout_redirect_urls: [str], bypass_consent_for_offline_access: bool, client_secret_last_four: str, next_client_secret_last_four: str, client_secret: str, access_token_custom_audience: str, logo_url: str, client_id_metadata_url: str}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/connected_apps/clients/{client_id}/secrets/rotate/start
@required {client_id: str}
@returns(200) {request_id: str, connected_app: map{client_id: str, client_name: str, client_description: str, status: str, client_secret_last_four: str, full_access_allowed: bool, client_type: str, redirect_urls: [str], next_client_secret: str, access_token_expiry_minutes: int(int32), access_token_template_content: str, post_logout_redirect_urls: [str], bypass_consent_for_offline_access: bool, next_client_secret_last_four: str, access_token_custom_audience: str, logo_url: str, client_id_metadata_url: str}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/connected_apps/clients/{client_id}/secrets/rotate/cancel
@required {client_id: str}
@returns(200) {request_id: str, connected_app: map{client_id: str, client_name: str, client_description: str, status: str, full_access_allowed: bool, client_type: str, redirect_urls: [str], access_token_expiry_minutes: int(int32), access_token_template_content: str, post_logout_redirect_urls: [str], bypass_consent_for_offline_access: bool, creation_method: str, client_secret_last_four: str, next_client_secret_last_four: str, access_token_custom_audience: str, logo_url: str, client_id_metadata_url: str}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/connected_apps/clients/{client_id}/secrets/rotate
@required {client_id: str}
@returns(200) {request_id: str, connected_app: map{client_id: str, client_name: str, client_description: str, status: str, full_access_allowed: bool, client_type: str, redirect_urls: [str], access_token_expiry_minutes: int(int32), access_token_template_content: str, post_logout_redirect_urls: [str], bypass_consent_for_offline_access: bool, creation_method: str, client_secret_last_four: str, next_client_secret_last_four: str, access_token_custom_audience: str, logo_url: str, client_id_metadata_url: str}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endgroup

@group b2b
@endpoint PUT /v1/b2b/scim/{organization_id}/connection/{connection_id}
@required {organization_id: str, connection_id: str}
@optional {X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str, display_name: str, identity_provider: str(generic/okta/microsoft-entra/cyberark/jumpcloud/onelogin/pingfederate/rippling), scim_group_implicit_role_assignments: [map{role_id!: str, group_id!: str, group_name!: str}]}
@returns(200) {request_id: str, status_code: int(int32), connection: map{organization_id: str, connection_id: str, status: str, display_name: str, identity_provider: str, base_url: str, bearer_token_last_four: str, scim_group_implicit_role_assignments: [map], next_bearer_token_last_four: str, bearer_token_expires_at: str, next_bearer_token_expires_at: str}}
@errors {400, 401, 429, 500}

@endpoint DELETE /v1/b2b/scim/{organization_id}/connection/{connection_id}
@required {organization_id: str, connection_id: str}
@optional {X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str}
@returns(200) {request_id: str, connection_id: str, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint GET /v1/b2b/scim/{organization_id}/connection/{connection_id}
@required {organization_id: str, connection_id: str}
@optional {cursor: str, limit: int(int32), X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str}
@returns(200) {scim_groups: [map], status_code: int(int32), next_cursor: str}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/scim/{organization_id}/connection/{connection_id}/rotate/start
@required {organization_id: str, connection_id: str}
@optional {X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str}
@returns(200) {request_id: str, status_code: int(int32), connection: map{organization_id: str, connection_id: str, status: str, display_name: str, base_url: str, identity_provider: str, bearer_token_last_four: str, next_bearer_token: str, scim_group_implicit_role_assignments: [map], bearer_token_expires_at: str, next_bearer_token_expires_at: str}}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/scim/{organization_id}/connection/{connection_id}/rotate/complete
@required {organization_id: str, connection_id: str}
@optional {X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str}
@returns(200) {request_id: str, status_code: int(int32), connection: map{organization_id: str, connection_id: str, status: str, display_name: str, identity_provider: str, base_url: str, bearer_token_last_four: str, scim_group_implicit_role_assignments: [map], next_bearer_token_last_four: str, bearer_token_expires_at: str, next_bearer_token_expires_at: str}}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/scim/{organization_id}/connection/{connection_id}/rotate/cancel
@required {organization_id: str, connection_id: str}
@optional {X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str}
@returns(200) {request_id: str, status_code: int(int32), connection: map{organization_id: str, connection_id: str, status: str, display_name: str, identity_provider: str, base_url: str, bearer_token_last_four: str, scim_group_implicit_role_assignments: [map], next_bearer_token_last_four: str, bearer_token_expires_at: str, next_bearer_token_expires_at: str}}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/scim/{organization_id}/connection
@required {organization_id: str}
@optional {X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str, display_name: str, identity_provider: str(generic/okta/microsoft-entra/cyberark/jumpcloud/onelogin/pingfederate/rippling)}
@returns(200) {request_id: str, status_code: int(int32), connection: map{organization_id: str, connection_id: str, status: str, display_name: str, identity_provider: str, base_url: str, bearer_token: str, scim_group_implicit_role_assignments: [map], bearer_token_expires_at: str}}
@errors {400, 401, 429, 500}

@endpoint GET /v1/b2b/scim/{organization_id}/connection
@required {organization_id: str}
@optional {X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str}
@returns(200) {request_id: str, status_code: int(int32), connection: map{organization_id: str, connection_id: str, status: str, display_name: str, identity_provider: str, base_url: str, bearer_token_last_four: str, scim_group_implicit_role_assignments: [map], next_bearer_token_last_four: str, bearer_token_expires_at: str, next_bearer_token_expires_at: str}}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/organizations
@required {organization_name: str}
@optional {organization_slug: str, organization_logo_url: str, trusted_metadata: map, organization_external_id: str, sso_jit_provisioning: str, email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map{domain!: str, role_id!: str}], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, allowed_oauth_tenants: map, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str(ALL_ALLOWED/RESTRICTED/NOT_ALLOWED), allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str(ALL_ALLOWED/RESTRICTED/NOT_ALLOWED), allowed_third_party_connected_apps: [str]}
@returns(200) {request_id: str, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint GET /v1/b2b/organizations/{organization_id}
@required {organization_id: str}
@returns(200) {request_id: str, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint PUT /v1/b2b/organizations/{organization_id}
@required {organization_id: str}
@optional {X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str, organization_name: str, organization_slug: str, organization_logo_url: str, trusted_metadata: map, organization_external_id: str, sso_default_connection_id: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map{domain!: str, role_id!: str}], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, allowed_oauth_tenants: map, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str(ALL_ALLOWED/RESTRICTED/NOT_ALLOWED), allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str(ALL_ALLOWED/RESTRICTED/NOT_ALLOWED), allowed_third_party_connected_apps: [str]}
@returns(200) {request_id: str, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint DELETE /v1/b2b/organizations/{organization_id}
@required {organization_id: str}
@optional {X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str}
@returns(200) {request_id: str, organization_id: str, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/organizations/search
@optional {cursor: str, limit: int(int32), query: map{operator!: str, operands!: [map]}}
@returns(200) {request_id: str, organizations: [map], results_metadata: map{total: int(int32), next_cursor: str}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint GET /v1/b2b/organizations/{organization_id}/metrics
@required {organization_id: str}
@returns(200) {request_id: str, member_count: int(int32), status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint GET /v1/b2b/organizations/{organization_id}/connected_apps
@required {organization_id: str}
@optional {X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str}
@returns(200) {request_id: str, connected_apps: [map], status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint GET /v1/b2b/organizations/{organization_id}/connected_apps/{connected_app_id}
@required {organization_id: str, connected_app_id: str}
@optional {X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str}
@returns(200) {connected_app_id: str, name: str, description: str, client_type: str, active_members: [map], status_code: int(int32), logo_url: str}
@errors {400, 401, 429, 500}

@endpoint DELETE /v1/b2b/organizations/{organization_id}/external_id
@required {organization_id: str}
@optional {X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str}
@returns(200) {request_id: str, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint PUT /v1/b2b/organizations/{organization_id}/members/{member_id}
@required {organization_id: str, member_id: str}
@optional {X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str, name: str, trusted_metadata: map, untrusted_metadata: map, is_breakglass: bool, mfa_phone_number: str, mfa_enrolled: bool, roles: [str], preserve_existing_sessions: bool, default_mfa_method: str, email_address: str, external_id: str, unlink_email: bool}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint DELETE /v1/b2b/organizations/{organization_id}/members/{member_id}
@required {organization_id: str, member_id: str}
@optional {X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str}
@returns(200) {request_id: str, member_id: str, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint PUT /v1/b2b/organizations/{organization_id}/members/{member_id}/reactivate
@required {organization_id: str, member_id: str}
@optional {X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint DELETE /v1/b2b/organizations/{organization_id}/members/mfa_phone_numbers/{member_id}
@required {organization_id: str, member_id: str}
@optional {X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint DELETE /v1/b2b/organizations/{organization_id}/members/{member_id}/totp
@required {organization_id: str, member_id: str}
@optional {X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/organizations/members/search
@required {organization_ids: [str]}
@optional {X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str, cursor: str, limit: int(int32), query: map{operator!: str, operands!: [map]}}
@returns(200) {request_id: str, members: [map], results_metadata: map{total: int(int32), next_cursor: str}, organizations: map, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint DELETE /v1/b2b/organizations/{organization_id}/members/passwords/{member_password_id}
@required {organization_id: str, member_password_id: str}
@optional {X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint GET /v1/b2b/organizations/members/dangerously_get/{member_id}
@required {member_id: str}
@optional {include_deleted: bool}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint GET /v1/b2b/organizations/{organization_id}/members/{member_id}/oidc_providers
@required {organization_id: str, member_id: str}
@optional {include_refresh_token: bool}
@returns(200) {request_id: str, registrations: [map], status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/organizations/{organization_id}/members/{member_id}/unlink_retired_email
@required {organization_id: str, member_id: str}
@optional {X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str, email_id: str, email_address: str}
@returns(200) {request_id: str, member_id: str, organization_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/organizations/{organization_id}/members/{member_id}/start_email_update
@required {organization_id: str, member_id: str, email_address: str}
@optional {X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str, login_redirect_url: str, locale: str(en/es/pt-br/fr), login_template_id: str, delivery_method: str(EMAIL_MAGIC_LINK/EMAIL_OTP)}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint GET /v1/b2b/organizations/{organization_id}/members/{member_id}/connected_apps
@required {organization_id: str, member_id: str}
@optional {X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str}
@returns(200) {request_id: str, connected_apps: [map], status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint DELETE /v1/b2b/organizations/{organization_id}/members/{member_id}/external_id
@required {organization_id: str, member_id: str}
@optional {X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/organizations/{organization_id}/members
@required {organization_id: str, email_address: str}
@optional {X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str, name: str, trusted_metadata: map, untrusted_metadata: map, create_member_as_pending: bool, is_breakglass: bool, mfa_phone_number: str, mfa_enrolled: bool, roles: [str], external_id: str}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint GET /v1/b2b/organizations/{organization_id}/member
@required {organization_id: str}
@optional {member_id: str, email_address: str}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint GET /v1/b2b/organizations/{organization_id}/members/{member_id}/oauth_providers/google
@required {organization_id: str, member_id: str}
@optional {include_refresh_token: bool}
@returns(200) {request_id: str, provider_type: str, provider_subject: str, id_token: str, scopes: [str], status_code: int(int32), access_token: str, access_token_expires_in: int(int32), refresh_token: str}
@errors {400, 401, 429, 500}

@endpoint GET /v1/b2b/organizations/{organization_id}/members/{member_id}/oauth_providers/microsoft
@required {organization_id: str, member_id: str}
@optional {include_refresh_token: bool}
@returns(200) {request_id: str, provider_type: str, provider_subject: str, access_token: str, access_token_expires_in: int(int32), id_token: str, scopes: [str], status_code: int(int32), refresh_token: str}
@errors {400, 401, 429, 500}

@endpoint GET /v1/b2b/organizations/{organization_id}/members/{member_id}/oauth_providers/slack
@required {organization_id: str, member_id: str}
@returns(200) {request_id: str, provider_type: str, registrations: [map], status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint GET /v1/b2b/organizations/{organization_id}/members/{member_id}/oauth_providers/hubspot
@required {organization_id: str, member_id: str}
@optional {include_refresh_token: bool}
@returns(200) {request_id: str, provider_type: str, registrations: [map], status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint GET /v1/b2b/organizations/{organization_id}/members/{member_id}/oauth_providers/github
@required {organization_id: str, member_id: str}
@optional {include_refresh_token: bool}
@returns(200) {request_id: str, provider_type: str, registrations: [map], status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/organizations/{organization_id}/members/{member_id}/connected_apps/{connected_app_id}/revoke
@required {organization_id: str, member_id: str, connected_app_id: str}
@optional {X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str}
@returns(200) {request_id: str, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/idp/oauth/authorize/start
@required {client_id: str, redirect_uri: str, response_type: str, scopes: [str]}
@optional {organization_id: str, member_id: str, session_token: str, session_jwt: str, prompt: str}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, client: map{client_id: str, client_name: str, client_description: str, client_type: str, logo_url: str}, consent_required: bool, scope_results: [map], status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/idp/oauth/authorize
@required {consent_granted: bool, scopes: [str], client_id: str, redirect_uri: str, response_type: str}
@optional {organization_id: str, member_id: str, session_token: str, session_jwt: str, prompt: str, state: str, nonce: str, code_challenge: str, resources: [str]}
@returns(200) {request_id: str, redirect_uri: str, status_code: int(int32), authorization_code: str}
@errors {400, 401, 429, 500}

@endgroup

@group users
@endpoint POST /v1/users
@optional {email: str, name: map{first_name: str, middle_name: str, last_name: str}, attributes: map{ip_address: str, user_agent: str}, phone_number: str, create_user_as_pending: bool, trusted_metadata: map, untrusted_metadata: map, external_id: str, roles: [str]}
@returns(200) {request_id: str, user_id: str, email_id: str, status: str, phone_id: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint GET /v1/users/{user_id}
@required {user_id: str}
@returns(200) {request_id: str, user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], status_code: int(int32), name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}
@errors {400, 401, 429, 500}

@endpoint PUT /v1/users/{user_id}
@required {user_id: str}
@optional {name: map{first_name: str, middle_name: str, last_name: str}, attributes: map{ip_address: str, user_agent: str}, trusted_metadata: map, untrusted_metadata: map, external_id: str, roles: [str]}
@returns(200) {request_id: str, user_id: str, emails: [map], phone_numbers: [map], crypto_wallets: [map], user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint DELETE /v1/users/{user_id}
@required {user_id: str}
@returns(200) {request_id: str, user_id: str, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/users/search
@optional {cursor: str, limit: int(int32), query: map{operator!: str, operands!: [map]}}
@returns(200) {request_id: str, results: [map], results_metadata: map{total: int(int32), next_cursor: str}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint PUT /v1/users/{user_id}/exchange_primary_factor
@required {user_id: str}
@optional {email_address: str, phone_number: str}
@returns(200) {request_id: str, user_id: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint DELETE /v1/users/emails/{email_id}
@required {email_id: str}
@returns(200) {request_id: str, user_id: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint DELETE /v1/users/phone_numbers/{phone_id}
@required {phone_id: str}
@returns(200) {request_id: str, user_id: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint DELETE /v1/users/webauthn_registrations/{webauthn_registration_id}
@required {webauthn_registration_id: str}
@returns(200) {request_id: str, user_id: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint DELETE /v1/users/biometric_registrations/{biometric_registration_id}
@required {biometric_registration_id: str}
@returns(200) {request_id: str, user_id: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint DELETE /v1/users/totps/{totp_id}
@required {totp_id: str}
@returns(200) {request_id: str, user_id: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint DELETE /v1/users/crypto_wallets/{crypto_wallet_id}
@required {crypto_wallet_id: str}
@returns(200) {request_id: str, user_id: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint DELETE /v1/users/passwords/{password_id}
@required {password_id: str}
@returns(200) {request_id: str, user_id: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint DELETE /v1/users/oauth/{oauth_user_registration_id}
@required {oauth_user_registration_id: str}
@returns(200) {request_id: str, user_id: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint DELETE /v1/users/{user_id}/external_id
@required {user_id: str}
@returns(200) {request_id: str, user_id: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint GET /v1/users/{user_id}/connected_apps
@required {user_id: str}
@returns(200) {request_id: str, connected_apps: [map], status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/users/{user_id}/connected_apps/{connected_app_id}/revoke
@required {user_id: str, connected_app_id: str}
@returns(200) {request_id: str, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endgroup

@group sessions
@endpoint GET /v1/sessions
@required {user_id: str}
@returns(200) {request_id: str, sessions: [map], status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/sessions/authenticate
@optional {session_token: str, session_duration_minutes: int(int32), session_jwt: str, session_custom_claims: map, authorization_check: map{resource_id!: str, action!: str}}
@returns(200) {request_id: str, session: map{session_id: str, user_id: str, authentication_factors: [map], roles: [str], started_at: str, last_accessed_at: str, expires_at: str, attributes: map{ip_address: str, user_agent: str}, custom_claims: map}, session_token: str, session_jwt: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32), verdict: map{authorized: bool, granting_roles: [str]}}
@errors {400, 401, 429, 500}

@endpoint POST /v1/sessions/revoke
@optional {session_id: str, session_token: str, session_jwt: str}
@returns(200) {request_id: str, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/sessions/migrate
@required {session_token: str}
@optional {session_duration_minutes: int(int32), session_custom_claims: map, telemetry_id: str}
@returns(200) {request_id: str, user_id: str, session_token: str, session_jwt: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32), session: map{session_id: str, user_id: str, authentication_factors: [map], roles: [str], started_at: str, last_accessed_at: str, expires_at: str, attributes: map{ip_address: str, user_agent: str}, custom_claims: map}, user_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}}
@errors {400, 401, 429, 500}

@endpoint POST /v1/sessions/exchange_access_token
@required {access_token: str}
@optional {session_duration_minutes: int(int32), session_custom_claims: map, telemetry_id: str}
@returns(200) {request_id: str, user_id: str, session_token: str, session_jwt: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32), session: map{session_id: str, user_id: str, authentication_factors: [map], roles: [str], started_at: str, last_accessed_at: str, expires_at: str, attributes: map{ip_address: str, user_agent: str}, custom_claims: map}, user_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}}
@errors {400, 401, 429, 500}

@endpoint GET /v1/sessions/jwks/{project_id}
@required {project_id: str}
@returns(200) {keys: [map], request_id: str, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/sessions/attest
@required {profile_id: str, token: str}
@optional {session_duration_minutes: int(int32), session_custom_claims: map, session_token: str, session_jwt: str, telemetry_id: str}
@returns(200) {request_id: str, user_id: str, session_token: str, session_jwt: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32), session: map{session_id: str, user_id: str, authentication_factors: [map], roles: [str], started_at: str, last_accessed_at: str, expires_at: str, attributes: map{ip_address: str, user_agent: str}, custom_claims: map}, user_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}}
@errors {400, 401, 429, 500}

@endgroup

@group b2b
@endpoint GET /v1/b2b/sessions
@required {organization_id: str, member_id: str}
@returns(200) {request_id: str, member_sessions: [map], status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/sessions/authenticate
@optional {session_token: str, session_duration_minutes: int(int32), session_jwt: str, session_custom_claims: map, authorization_check: map{organization_id!: str, resource_id!: str, action!: str}}
@returns(200) {request_id: str, member_session: map{member_session_id: str, member_id: str, started_at: str, last_accessed_at: str, expires_at: str, authentication_factors: [map], organization_id: str, roles: [str], organization_slug: str, custom_claims: map}, session_token: str, session_jwt: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32), verdict: map{authorized: bool, granting_roles: [str]}}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/sessions/revoke
@optional {X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str, member_session_id: str, session_token: str, session_jwt: str, member_id: str}
@returns(200) {request_id: str, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/sessions/exchange
@required {organization_id: str}
@optional {session_token: str, session_jwt: str, session_duration_minutes: int(int32), session_custom_claims: map, locale: str(en/es/pt-br/fr/it/de-DE/zh-Hans/ca-ES), telemetry_id: str}
@returns(200) {request_id: str, member_id: str, session_token: str, session_jwt: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, member_authenticated: bool, intermediate_session_token: str, status_code: int(int32), member_session: map{member_session_id: str, member_id: str, started_at: str, last_accessed_at: str, expires_at: str, authentication_factors: [map], organization_id: str, roles: [str], organization_slug: str, custom_claims: map}, mfa_required: map{member_options: map{mfa_phone_number: str, totp_registration_id: str}, secondary_auth_initiated: str}, primary_required: map{allowed_auth_methods: [str]}, member_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/sessions/exchange_access_token
@required {access_token: str}
@optional {session_duration_minutes: int(int32), session_custom_claims: map, telemetry_id: str}
@returns(200) {request_id: str, member_id: str, session_token: str, session_jwt: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32), member_session: map{member_session_id: str, member_id: str, started_at: str, last_accessed_at: str, expires_at: str, authentication_factors: [map], organization_id: str, roles: [str], organization_slug: str, custom_claims: map}, member_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/sessions/attest
@required {profile_id: str, token: str}
@optional {organization_id: str, session_duration_minutes: int(int32), session_custom_claims: map, session_token: str, session_jwt: str, telemetry_id: str}
@returns(200) {request_id: str, member_id: str, member_session: map{member_session_id: str, member_id: str, started_at: str, last_accessed_at: str, expires_at: str, authentication_factors: [map], organization_id: str, roles: [str], organization_slug: str, custom_claims: map}, session_token: str, session_jwt: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32), member_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/sessions/migrate
@required {session_token: str, organization_id: str}
@optional {session_duration_minutes: int(int32), session_custom_claims: map}
@returns(200) {request_id: str, member_id: str, session_token: str, session_jwt: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32), member_session: map{member_session_id: str, member_id: str, started_at: str, last_accessed_at: str, expires_at: str, authentication_factors: [map], organization_id: str, roles: [str], organization_slug: str, custom_claims: map}}
@errors {400, 401, 429, 500}

@endpoint GET /v1/b2b/sessions/jwks/{project_id}
@required {project_id: str}
@returns(200) {keys: [map], request_id: str, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/impersonation/authenticate
@required {impersonation_token: str}
@returns(200) {request_id: str, member_id: str, organization_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, session_token: str, session_jwt: str, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, intermediate_session_token: str, member_authenticated: bool, status_code: int(int32), member_session: map{member_session_id: str, member_id: str, started_at: str, last_accessed_at: str, expires_at: str, authentication_factors: [map], organization_id: str, roles: [str], organization_slug: str, custom_claims: map}, mfa_required: map{member_options: map{mfa_phone_number: str, totp_registration_id: str}, secondary_auth_initiated: str}}
@errors {400, 401, 429, 500}

@endpoint GET /v1/b2b/rbac/policy
@returns(200) {request_id: str, status_code: int(int32), policy: map{roles: [map], resources: [map], scopes: [map]}}
@errors {400, 401, 429, 500}

@endpoint GET /v1/b2b/rbac/organizations/{organization_id}
@required {organization_id: str}
@returns(200) {request_id: str, org_policy: map{roles: [map]}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint PUT /v1/b2b/rbac/organizations/{organization_id}
@required {organization_id: str, org_policy: map{roles!: [map]}}
@returns(200) {request_id: str, org_policy: map{roles: [map]}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/recovery_codes/recover
@required {organization_id: str, member_id: str, recovery_code: str}
@optional {intermediate_session_token: str, session_token: str, session_jwt: str, session_duration_minutes: int(int32), session_custom_claims: map, telemetry_id: str}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, session_token: str, session_jwt: str, recovery_codes_remaining: int(int32), status_code: int(int32), member_session: map{member_session_id: str, member_id: str, started_at: str, last_accessed_at: str, expires_at: str, authentication_factors: [map], organization_id: str, roles: [str], organization_slug: str, custom_claims: map}, member_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}}
@errors {400, 401, 429, 500}

@endpoint GET /v1/b2b/recovery_codes/{organization_id}/{member_id}
@required {organization_id: str, member_id: str}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, recovery_codes: [str], status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/recovery_codes/rotate
@required {organization_id: str, member_id: str}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, recovery_codes: [str], status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/totp
@required {organization_id: str, member_id: str}
@optional {expiration_minutes: int(int32), intermediate_session_token: str, session_token: str, session_jwt: str}
@returns(200) {request_id: str, member_id: str, totp_registration_id: str, secret: str, qr_code: str, recovery_codes: [str], member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/totp/authenticate
@required {organization_id: str, member_id: str, code: str}
@optional {intermediate_session_token: str, session_token: str, session_jwt: str, session_duration_minutes: int(int32), session_custom_claims: map, set_mfa_enrollment: str, set_default_mfa: bool, telemetry_id: str}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, session_token: str, session_jwt: str, status_code: int(int32), member_session: map{member_session_id: str, member_id: str, started_at: str, last_accessed_at: str, expires_at: str, authentication_factors: [map], organization_id: str, roles: [str], organization_slug: str, custom_claims: map}, member_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/totp/migrate
@required {organization_id: str, member_id: str, secret: str, recovery_codes: [str]}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, totp_registration_id: str, recovery_codes: [str], status_code: int(int32)}
@errors {400, 401, 429, 500}

@endgroup

@group rbac
@endpoint GET /v1/rbac/policy
@returns(200) {request_id: str, status_code: int(int32), policy: map{roles: [map], resources: [map], scopes: [map]}}
@errors {400, 401, 429, 500}

@endgroup

@group crypto_wallets
@endpoint POST /v1/crypto_wallets/authenticate/start
@required {crypto_wallet_type: str, crypto_wallet_address: str}
@optional {user_id: str, session_token: str, session_jwt: str, siwe_params: map{domain!: str, uri!: str, resources!: [str], chain_id: str, statement: str, issued_at: str, not_before: str, message_request_id: str}}
@returns(200) {request_id: str, user_id: str, challenge: str, user_created: bool, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/crypto_wallets/authenticate
@required {crypto_wallet_type: str, crypto_wallet_address: str, signature: str}
@optional {session_token: str, session_duration_minutes: int(int32), session_jwt: str, session_custom_claims: map, telemetry_id: str}
@returns(200) {request_id: str, user_id: str, session_token: str, session_jwt: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32), session: map{session_id: str, user_id: str, authentication_factors: [map], roles: [str], started_at: str, last_accessed_at: str, expires_at: str, attributes: map{ip_address: str, user_agent: str}, custom_claims: map}, siwe_params: map{domain: str, uri: str, chain_id: str, resources: [str], status_code: int(int32), issued_at: str, message_request_id: str}, user_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}}
@errors {400, 401, 429, 500}

@endgroup

@group debug
@endpoint GET /v1/debug/whoami
@returns(200) {request_id: str, project_id: str, name: str, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endgroup

@group b2b
@endpoint POST /v1/b2b/discovery/intermediate_sessions/exchange
@required {intermediate_session_token: str, organization_id: str}
@optional {session_duration_minutes: int(int32), session_custom_claims: map, locale: str(en/es/pt-br/fr/it/de-DE/zh-Hans/ca-ES), telemetry_id: str}
@returns(200) {request_id: str, member_id: str, session_token: str, session_jwt: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, member_authenticated: bool, intermediate_session_token: str, status_code: int(int32), member_session: map{member_session_id: str, member_id: str, started_at: str, last_accessed_at: str, expires_at: str, authentication_factors: [map], organization_id: str, roles: [str], organization_slug: str, custom_claims: map}, mfa_required: map{member_options: map{mfa_phone_number: str, totp_registration_id: str}, secondary_auth_initiated: str}, primary_required: map{allowed_auth_methods: [str]}, member_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/discovery/organizations/create
@required {intermediate_session_token: str}
@optional {session_duration_minutes: int(int32), session_custom_claims: map, organization_name: str, organization_slug: str, organization_external_id: str, organization_logo_url: str, trusted_metadata: map, sso_jit_provisioning: str, email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map{domain!: str, role_id!: str}], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, allowed_oauth_tenants: map, first_party_connected_apps_allowed_type: str(ALL_ALLOWED/RESTRICTED/NOT_ALLOWED), allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str(ALL_ALLOWED/RESTRICTED/NOT_ALLOWED), allowed_third_party_connected_apps: [str], telemetry_id: str}
@returns(200) {request_id: str, member_id: str, session_token: str, session_jwt: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, member_authenticated: bool, intermediate_session_token: str, status_code: int(int32), member_session: map{member_session_id: str, member_id: str, started_at: str, last_accessed_at: str, expires_at: str, authentication_factors: [map], organization_id: str, roles: [str], organization_slug: str, custom_claims: map}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, mfa_required: map{member_options: map{mfa_phone_number: str, totp_registration_id: str}, secondary_auth_initiated: str}, primary_required: map{allowed_auth_methods: [str]}, member_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/discovery/organizations
@optional {intermediate_session_token: str, session_token: str, session_jwt: str}
@returns(200) {request_id: str, email_address: str, discovered_organizations: [map], status_code: int(int32), organization_id_hint: str}
@errors {400, 401, 429, 500}

@endgroup

@group fingerprint
@endpoint POST /v1/fingerprint/lookup
@required {telemetry_id: str}
@optional {external_metadata: map{external_id: str, organization_id: str, user_action: str}}
@returns(200) {request_id: str, telemetry_id: str, fingerprints: map{network_fingerprint: str, hardware_fingerprint: str, browser_fingerprint: str, visitor_fingerprint: str, visitor_id: str, browser_id: str}, verdict: map{action: str, reasons: [str], detected_device_type: str, is_authentic_device: bool, verdict_reason_overrides: [map], rule_match_type: str, rule_match_identifier: str}, external_metadata: map{external_id: str, organization_id: str, user_action: str}, created_at: str, expires_at: str, status_code: int(int32), properties: map{network_properties: map{ip_address: str, asn: map{asn: str, name: str, network: str}, ip_geolocation: map{city: str, region: str, country: str}, is_proxy: bool, is_vpn: bool}, browser_properties: map{user_agent: str}}, raw_signals: map}
@errors {400, 401, 429, 500}

@endgroup

@group rules
@endpoint POST /v1/rules/set
@required {action: str(ALLOW/CHALLENGE/BLOCK/NONE)}
@optional {visitor_id: str, browser_id: str, visitor_fingerprint: str, browser_fingerprint: str, hardware_fingerprint: str, network_fingerprint: str, expires_in_minutes: int(int32), description: str, cidr_block: str, country_code: str, asn: str}
@returns(200) {request_id: str, action: str, status_code: int(int32), visitor_id: str, browser_id: str, visitor_fingerprint: str, browser_fingerprint: str, hardware_fingerprint: str, network_fingerprint: str, expires_at: str, cidr_block: str, country_code: str, asn: str}
@errors {400, 401, 429, 500}

@endpoint POST /v1/rules/list
@optional {cursor: str, limit: int(int32)}
@returns(200) {request_id: str, next_cursor: str, rules: [map], status_code: int(int32)}
@errors {400, 401, 429, 500}

@endgroup

@group verdict_reasons
@endpoint POST /v1/verdict_reasons/override
@required {verdict_reason: str, override_action: str(ALLOW/CHALLENGE/BLOCK/NONE)}
@optional {override_description: str}
@returns(200) {request_id: str, verdict_reason_action: map{verdict_reason: str, default_action: str, override_action: str, override_created_at: str, override_description: str}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/verdict_reasons/list
@optional {overrides_only: bool}
@returns(200) {request_id: str, verdict_reason_actions: [map], status_code: int(int32)}
@errors {400, 401, 429, 500}

@endgroup

@group email
@endpoint POST /v1/email/risk
@required {email_address: str}
@returns(200) {request_id: str, address_information: map{has_known_bounces: bool, has_valid_syntax: bool, is_suspected_role_address: bool, normalized_email: str, tumbling_character_count: int(int32)}, domain_information: map{has_mx_or_a_record: bool, is_disposable_domain: bool}, action: str, risk_score: int(int32), status_code: int(int32)}
@errors {400, 401, 429, 500}

@endgroup

@group idp
@endpoint POST /v1/idp/oauth/authorize/start
@required {client_id: str, redirect_uri: str, response_type: str, scopes: [str]}
@optional {user_id: str, session_token: str, session_jwt: str, prompt: str}
@returns(200) {request_id: str, user_id: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, client: map{client_id: str, client_name: str, client_description: str, client_type: str, logo_url: str}, consent_required: bool, scope_results: [map], status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/idp/oauth/authorize
@required {consent_granted: bool, scopes: [str], client_id: str, redirect_uri: str, response_type: str}
@optional {user_id: str, session_token: str, session_jwt: str, prompt: str, state: str, nonce: str, code_challenge: str, resources: [str]}
@returns(200) {request_id: str, redirect_uri: str, status_code: int(int32), authorization_code: str}
@errors {400, 401, 429, 500}

@endgroup

@group impersonation
@endpoint POST /v1/impersonation/authenticate
@required {impersonation_token: str}
@returns(200) {request_id: str, user_id: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, session_token: str, session_jwt: str, status_code: int(int32), session: map{session_id: str, user_id: str, authentication_factors: [map], roles: [str], started_at: str, last_accessed_at: str, expires_at: str, attributes: map{ip_address: str, user_agent: str}, custom_claims: map}}
@errors {400, 401, 429, 500}

@endgroup

@group m2m
@endpoint GET /v1/m2m/clients/{client_id}
@required {client_id: str}
@returns(200) {request_id: str, m2m_client: map{client_id: str, client_name: str, client_description: str, status: str, scopes: [str], client_secret_last_four: str, trusted_metadata: map, next_client_secret_last_four: str}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint PUT /v1/m2m/clients/{client_id}
@required {client_id: str}
@optional {client_name: str, client_description: str, status: str(active/inactive), scopes: [str], trusted_metadata: map}
@returns(200) {request_id: str, m2m_client: map{client_id: str, client_name: str, client_description: str, status: str, scopes: [str], client_secret_last_four: str, trusted_metadata: map, next_client_secret_last_four: str}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint DELETE /v1/m2m/clients/{client_id}
@required {client_id: str}
@returns(200) {request_id: str, client_id: str, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/m2m/clients/search
@optional {cursor: str, limit: int(int32), query: map{operator!: str, operands!: [map]}}
@returns(200) {request_id: str, m2m_clients: [map], results_metadata: map{total: int(int32), next_cursor: str}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/m2m/clients
@required {scopes: [str]}
@optional {client_id: str, client_secret: str, client_name: str, client_description: str, trusted_metadata: map}
@returns(200) {request_id: str, m2m_client: map{client_id: str, client_secret: str, client_name: str, client_description: str, status: str, scopes: [str], client_secret_last_four: str, trusted_metadata: map, next_client_secret_last_four: str}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/m2m/clients/{client_id}/secrets/rotate/start
@required {client_id: str}
@returns(200) {request_id: str, m2m_client: map{client_id: str, next_client_secret: str, client_name: str, client_description: str, status: str, scopes: [str], client_secret_last_four: str, trusted_metadata: map, next_client_secret_last_four: str}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/m2m/clients/{client_id}/secrets/rotate/cancel
@required {client_id: str}
@returns(200) {request_id: str, m2m_client: map{client_id: str, client_name: str, client_description: str, status: str, scopes: [str], client_secret_last_four: str, trusted_metadata: map, next_client_secret_last_four: str}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/m2m/clients/{client_id}/secrets/rotate
@required {client_id: str}
@returns(200) {request_id: str, m2m_client: map{client_id: str, client_name: str, client_description: str, status: str, scopes: [str], client_secret_last_four: str, trusted_metadata: map, next_client_secret_last_four: str}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endgroup

@group magic_links
@endpoint POST /v1/magic_links/authenticate
@required {token: str}
@optional {attributes: map{ip_address: str, user_agent: str}, options: map{ip_match_required!: bool, user_agent_match_required!: bool}, session_token: str, session_duration_minutes: int(int32), session_jwt: str, session_custom_claims: map, code_verifier: str, telemetry_id: str}
@returns(200) {request_id: str, user_id: str, method_id: str, session_token: str, session_jwt: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, reset_sessions: bool, status_code: int(int32), session: map{session_id: str, user_id: str, authentication_factors: [map], roles: [str], started_at: str, last_accessed_at: str, expires_at: str, attributes: map{ip_address: str, user_agent: str}, custom_claims: map}, user_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}}
@errors {400, 401, 429, 500}

@endpoint POST /v1/magic_links
@required {user_id: str}
@optional {expiration_minutes: int(int32), attributes: map{ip_address: str, user_agent: str}}
@returns(200) {request_id: str, user_id: str, token: str, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/magic_links/email/send
@required {email: str}
@optional {login_template_id: str, attributes: map{ip_address: str, user_agent: str}, login_magic_link_url: str, signup_magic_link_url: str, login_expiration_minutes: int(int32), signup_expiration_minutes: int(int32), code_challenge: str, user_id: str, session_token: str, session_jwt: str, locale: str(en/es/pt-br/fr), signup_template_id: str}
@returns(200) {request_id: str, user_id: str, email_id: str, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/magic_links/email/login_or_create
@required {email: str}
@optional {login_magic_link_url: str, signup_magic_link_url: str, login_expiration_minutes: int(int32), signup_expiration_minutes: int(int32), login_template_id: str, signup_template_id: str, attributes: map{ip_address: str, user_agent: str}, create_user_as_pending: bool, code_challenge: str, locale: str(en/es/pt-br/fr)}
@returns(200) {request_id: str, user_id: str, email_id: str, user_created: bool, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/magic_links/email/invite
@required {email: str}
@optional {invite_template_id: str, attributes: map{ip_address: str, user_agent: str}, name: map{first_name: str, middle_name: str, last_name: str}, invite_magic_link_url: str, invite_expiration_minutes: int(int32), locale: str(en/es/pt-br/fr), trusted_metadata: map, untrusted_metadata: map}
@returns(200) {request_id: str, user_id: str, email_id: str, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/magic_links/email/revoke_invite
@required {email: str}
@returns(200) {request_id: str, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endgroup

@group b2b
@endpoint POST /v1/b2b/magic_links/authenticate
@required {magic_links_token: str}
@optional {pkce_code_verifier: str, session_token: str, session_jwt: str, session_duration_minutes: int(int32), session_custom_claims: map, locale: str(en/es/pt-br/fr), intermediate_session_token: str, telemetry_id: str}
@returns(200) {request_id: str, member_id: str, method_id: str, reset_sessions: bool, organization_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, session_token: str, session_jwt: str, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, intermediate_session_token: str, member_authenticated: bool, status_code: int(int32), member_session: map{member_session_id: str, member_id: str, started_at: str, last_accessed_at: str, expires_at: str, authentication_factors: [map], organization_id: str, roles: [str], organization_slug: str, custom_claims: map}, mfa_required: map{member_options: map{mfa_phone_number: str, totp_registration_id: str}, secondary_auth_initiated: str}, primary_required: map{allowed_auth_methods: [str]}, member_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/magic_links/email/login_or_signup
@required {organization_id: str, email_address: str}
@optional {login_redirect_url: str, signup_redirect_url: str, pkce_code_challenge: str, login_template_id: str, signup_template_id: str, locale: str(en/es/pt-br/fr), login_expiration_minutes: int(int32), signup_expiration_minutes: int(int32)}
@returns(200) {request_id: str, member_id: str, member_created: bool, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/magic_links/email/invite
@required {organization_id: str, email_address: str}
@optional {X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str, invite_redirect_url: str, invited_by_member_id: str, name: str, trusted_metadata: map, untrusted_metadata: map, invite_template_id: str, locale: str(en/es/pt-br/fr), roles: [str], invite_expiration_minutes: int(int32)}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/magic_links/email/discovery/send
@required {email_address: str}
@optional {discovery_redirect_url: str, pkce_code_challenge: str, login_template_id: str, locale: str(en/es/pt-br/fr), discovery_expiration_minutes: int(int32)}
@returns(200) {request_id: str, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/magic_links/discovery/authenticate
@required {discovery_magic_links_token: str}
@optional {pkce_code_verifier: str}
@returns(200) {request_id: str, intermediate_session_token: str, email_address: str, discovered_organizations: [map], status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/oauth/authenticate
@required {oauth_token: str}
@optional {session_token: str, session_duration_minutes: int(int32), session_jwt: str, session_custom_claims: map, pkce_code_verifier: str, locale: str(en/es/pt-br/fr/it/de-DE/zh-Hans/ca-ES), intermediate_session_token: str, telemetry_id: str}
@returns(200) {request_id: str, member_id: str, provider_subject: str, provider_type: str, session_token: str, session_jwt: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization_id: str, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, reset_sessions: bool, member_authenticated: bool, intermediate_session_token: str, status_code: int(int32), member_session: map{member_session_id: str, member_id: str, started_at: str, last_accessed_at: str, expires_at: str, authentication_factors: [map], organization_id: str, roles: [str], organization_slug: str, custom_claims: map}, provider_values: map{scopes: [str], access_token: str, refresh_token: str, expires_at: str, id_token: str}, mfa_required: map{member_options: map{mfa_phone_number: str, totp_registration_id: str}, secondary_auth_initiated: str}, primary_required: map{allowed_auth_methods: [str]}, member_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/oauth/discovery/authenticate
@required {discovery_oauth_token: str}
@optional {session_token: str, session_duration_minutes: int(int32), session_jwt: str, session_custom_claims: map, pkce_code_verifier: str}
@returns(200) {request_id: str, intermediate_session_token: str, email_address: str, discovered_organizations: [map], provider_type: str, provider_tenant_id: str, provider_tenant_ids: [str], full_name: str, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/otps/sms/send
@required {organization_id: str, member_id: str}
@optional {mfa_phone_number: str, locale: str(en/es/pt-br/fr), intermediate_session_token: str, session_token: str, session_jwt: str}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/otps/sms/authenticate
@required {organization_id: str, member_id: str, code: str}
@optional {intermediate_session_token: str, session_token: str, session_jwt: str, session_duration_minutes: int(int32), session_custom_claims: map, set_mfa_enrollment: str, set_default_mfa: bool, telemetry_id: str}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, session_token: str, session_jwt: str, status_code: int(int32), member_session: map{member_session_id: str, member_id: str, started_at: str, last_accessed_at: str, expires_at: str, authentication_factors: [map], organization_id: str, roles: [str], organization_slug: str, custom_claims: map}, member_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/otps/email/login_or_signup
@required {organization_id: str, email_address: str}
@optional {login_template_id: str, signup_template_id: str, locale: str(en/es/pt-br/fr), login_expiration_minutes: int(int32), signup_expiration_minutes: int(int32)}
@returns(200) {request_id: str, member_id: str, member_created: bool, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/otps/email/authenticate
@required {organization_id: str, email_address: str, code: str}
@optional {session_token: str, session_jwt: str, intermediate_session_token: str, session_duration_minutes: int(int32), session_custom_claims: map, locale: str(en/es/pt-br/fr), telemetry_id: str}
@returns(200) {request_id: str, member_id: str, method_id: str, organization_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, session_token: str, session_jwt: str, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, intermediate_session_token: str, member_authenticated: bool, status_code: int(int32), member_session: map{member_session_id: str, member_id: str, started_at: str, last_accessed_at: str, expires_at: str, authentication_factors: [map], organization_id: str, roles: [str], organization_slug: str, custom_claims: map}, mfa_required: map{member_options: map{mfa_phone_number: str, totp_registration_id: str}, secondary_auth_initiated: str}, primary_required: map{allowed_auth_methods: [str]}, member_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/otps/email/discovery/send
@required {email_address: str}
@optional {login_template_id: str, locale: str(en/es/pt-br/fr), discovery_expiration_minutes: int(int32)}
@returns(200) {request_id: str, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/otps/email/discovery/authenticate
@required {email_address: str, code: str}
@returns(200) {request_id: str, intermediate_session_token: str, email_address: str, discovered_organizations: [map], status_code: int(int32)}
@errors {400, 401, 429, 500}

@endgroup

@group passwords
@endpoint POST /v1/passwords
@required {email: str, password: str}
@optional {session_duration_minutes: int(int32), session_custom_claims: map, trusted_metadata: map, untrusted_metadata: map, name: map{first_name: str, middle_name: str, last_name: str}, telemetry_id: str}
@returns(200) {request_id: str, user_id: str, email_id: str, session_token: str, session_jwt: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32), session: map{session_id: str, user_id: str, authentication_factors: [map], roles: [str], started_at: str, last_accessed_at: str, expires_at: str, attributes: map{ip_address: str, user_agent: str}, custom_claims: map}, user_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}}
@errors {400, 401, 429, 500}

@endpoint POST /v1/passwords/authenticate
@required {email: str, password: str}
@optional {session_token: str, session_duration_minutes: int(int32), session_jwt: str, session_custom_claims: map, telemetry_id: str}
@returns(200) {request_id: str, user_id: str, session_token: str, session_jwt: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32), session: map{session_id: str, user_id: str, authentication_factors: [map], roles: [str], started_at: str, last_accessed_at: str, expires_at: str, attributes: map{ip_address: str, user_agent: str}, custom_claims: map}, user_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}}
@errors {400, 401, 429, 500}

@endpoint POST /v1/passwords/strength_check
@required {password: str}
@optional {email: str}
@returns(200) {request_id: str, valid_password: bool, score: int(int32), breached_password: bool, strength_policy: str, breach_detection_on_create: bool, status_code: int(int32), feedback: map{warning: str, suggestions: [str], luds_requirements: map{has_lower_case: bool, has_upper_case: bool, has_digit: bool, has_symbol: bool, missing_complexity: int(int32), missing_characters: int(int32)}}}
@errors {400, 401, 429, 500}

@endpoint POST /v1/passwords/migrate
@required {email: str, hash: str, hash_type: str(bcrypt/md_5/argon_2i/argon_2id/sha_1/sha_512/scrypt/phpass/pbkdf_2)}
@optional {md_5_config: map{prepend_salt!: str, append_salt!: str}, argon_2_config: map{salt!: str, iteration_amount!: int(int32), memory!: int(int32), threads!: int(int32), key_length!: int(int32)}, sha_1_config: map{prepend_salt!: str, append_salt!: str}, sha_512_config: map{prepend_salt!: str, append_salt!: str}, scrypt_config: map{salt!: str, n_parameter!: int(int32), r_parameter!: int(int32), p_parameter!: int(int32), key_length!: int(int32)}, pbkdf_2_config: map{salt!: str, iteration_amount!: int(int32), key_length!: int(int32), algorithm!: str}, trusted_metadata: map, untrusted_metadata: map, set_email_verified: bool, name: map{first_name: str, middle_name: str, last_name: str}, phone_number: str, set_phone_number_verified: bool, external_id: str, roles: [str]}
@returns(200) {request_id: str, user_id: str, email_id: str, user_created: bool, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/passwords/email/reset/start
@required {email: str}
@optional {reset_password_redirect_url: str, reset_password_expiration_minutes: int(int32), code_challenge: str, attributes: map{ip_address: str, user_agent: str}, login_redirect_url: str, locale: str(en/es/pt-br/fr), reset_password_template_id: str}
@returns(200) {request_id: str, user_id: str, email_id: str, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/passwords/email/reset
@required {token: str, password: str}
@optional {session_token: str, session_duration_minutes: int(int32), session_jwt: str, code_verifier: str, session_custom_claims: map, attributes: map{ip_address: str, user_agent: str}, options: map{ip_match_required!: bool, user_agent_match_required!: bool}, telemetry_id: str}
@returns(200) {request_id: str, user_id: str, session_token: str, session_jwt: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32), session: map{session_id: str, user_id: str, authentication_factors: [map], roles: [str], started_at: str, last_accessed_at: str, expires_at: str, attributes: map{ip_address: str, user_agent: str}, custom_claims: map}, user_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}}
@errors {400, 401, 429, 500}

@endpoint POST /v1/passwords/existing_password/reset
@required {email: str, existing_password: str, new_password: str}
@optional {session_token: str, session_duration_minutes: int(int32), session_jwt: str, session_custom_claims: map, telemetry_id: str}
@returns(200) {request_id: str, user_id: str, session_token: str, session_jwt: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32), session: map{session_id: str, user_id: str, authentication_factors: [map], roles: [str], started_at: str, last_accessed_at: str, expires_at: str, attributes: map{ip_address: str, user_agent: str}, custom_claims: map}, user_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}}
@errors {400, 401, 429, 500}

@endpoint POST /v1/passwords/session/reset
@required {password: str}
@optional {session_token: str, session_jwt: str, session_duration_minutes: int(int32), session_custom_claims: map, telemetry_id: str}
@returns(200) {request_id: str, user_id: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, session_token: str, session_jwt: str, status_code: int(int32), session: map{session_id: str, user_id: str, authentication_factors: [map], roles: [str], started_at: str, last_accessed_at: str, expires_at: str, attributes: map{ip_address: str, user_agent: str}, custom_claims: map}, user_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}}
@errors {400, 401, 429, 500}

@endgroup

@group b2b
@endpoint POST /v1/b2b/passwords/strength_check
@required {password: str}
@optional {email_address: str}
@returns(200) {request_id: str, valid_password: bool, score: int(int32), breached_password: bool, strength_policy: str, breach_detection_on_create: bool, status_code: int(int32), luds_feedback: map{has_lower_case: bool, has_upper_case: bool, has_digit: bool, has_symbol: bool, missing_complexity: int(int32), missing_characters: int(int32)}, zxcvbn_feedback: map{warning: str, suggestions: [str]}}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/passwords/migrate
@required {email_address: str, hash: str, hash_type: str(bcrypt/md_5/argon_2i/argon_2id/sha_1/sha_512/scrypt/phpass/pbkdf_2), organization_id: str}
@optional {md_5_config: map{prepend_salt!: str, append_salt!: str}, argon_2_config: map{salt!: str, iteration_amount!: int(int32), memory!: int(int32), threads!: int(int32), key_length!: int(int32)}, sha_1_config: map{prepend_salt!: str, append_salt!: str}, sha_512_config: map{prepend_salt!: str, append_salt!: str}, scrypt_config: map{salt!: str, n_parameter!: int(int32), r_parameter!: int(int32), p_parameter!: int(int32), key_length!: int(int32)}, pbkdf_2_config: map{salt!: str, iteration_amount!: int(int32), key_length!: int(int32), algorithm!: str}, name: str, trusted_metadata: map, untrusted_metadata: map, roles: [str], preserve_existing_sessions: bool, mfa_phone_number: str, set_phone_number_verified: bool, external_id: str}
@returns(200) {request_id: str, member_id: str, member_created: bool, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/passwords/authenticate
@required {organization_id: str, email_address: str, password: str}
@optional {session_token: str, session_duration_minutes: int(int32), session_jwt: str, session_custom_claims: map, locale: str(en/es/pt-br/fr), intermediate_session_token: str, telemetry_id: str}
@returns(200) {request_id: str, member_id: str, organization_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, session_token: str, session_jwt: str, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, intermediate_session_token: str, member_authenticated: bool, status_code: int(int32), member_session: map{member_session_id: str, member_id: str, started_at: str, last_accessed_at: str, expires_at: str, authentication_factors: [map], organization_id: str, roles: [str], organization_slug: str, custom_claims: map}, mfa_required: map{member_options: map{mfa_phone_number: str, totp_registration_id: str}, secondary_auth_initiated: str}, primary_required: map{allowed_auth_methods: [str]}, member_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/passwords/email/reset/start
@required {organization_id: str, email_address: str}
@optional {reset_password_redirect_url: str, reset_password_expiration_minutes: int(int32), code_challenge: str, login_redirect_url: str, locale: str(en/es/pt-br/fr), reset_password_template_id: str, verify_email_template_id: str}
@returns(200) {request_id: str, member_id: str, member_email_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/passwords/email/reset
@required {password_reset_token: str, password: str}
@optional {session_token: str, session_duration_minutes: int(int32), session_jwt: str, code_verifier: str, session_custom_claims: map, locale: str(en/es/pt-br/fr), intermediate_session_token: str, telemetry_id: str}
@returns(200) {request_id: str, member_id: str, member_email_id: str, organization_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, session_token: str, session_jwt: str, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, intermediate_session_token: str, member_authenticated: bool, status_code: int(int32), member_session: map{member_session_id: str, member_id: str, started_at: str, last_accessed_at: str, expires_at: str, authentication_factors: [map], organization_id: str, roles: [str], organization_slug: str, custom_claims: map}, mfa_required: map{member_options: map{mfa_phone_number: str, totp_registration_id: str}, secondary_auth_initiated: str}, primary_required: map{allowed_auth_methods: [str]}, member_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/passwords/email/require_reset
@required {email_address: str}
@optional {X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str, organization_id: str, member_id: str}
@returns(200) {request_id: str, status_code: int(int32), member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/passwords/session/reset
@required {organization_id: str, password: str}
@optional {session_token: str, session_jwt: str, session_duration_minutes: int(int32), session_custom_claims: map, locale: str(en/es/pt-br/fr), telemetry_id: str}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, session_token: str, session_jwt: str, intermediate_session_token: str, member_authenticated: bool, status_code: int(int32), member_session: map{member_session_id: str, member_id: str, started_at: str, last_accessed_at: str, expires_at: str, authentication_factors: [map], organization_id: str, roles: [str], organization_slug: str, custom_claims: map}, mfa_required: map{member_options: map{mfa_phone_number: str, totp_registration_id: str}, secondary_auth_initiated: str}, member_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/passwords/existing_password/reset
@required {email_address: str, existing_password: str, new_password: str, organization_id: str}
@optional {session_token: str, session_duration_minutes: int(int32), session_jwt: str, session_custom_claims: map, locale: str(en/es/pt-br/fr), telemetry_id: str}
@returns(200) {request_id: str, member_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, session_token: str, session_jwt: str, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, intermediate_session_token: str, member_authenticated: bool, status_code: int(int32), member_session: map{member_session_id: str, member_id: str, started_at: str, last_accessed_at: str, expires_at: str, authentication_factors: [map], organization_id: str, roles: [str], organization_slug: str, custom_claims: map}, mfa_required: map{member_options: map{mfa_phone_number: str, totp_registration_id: str}, secondary_auth_initiated: str}, primary_required: map{allowed_auth_methods: [str]}, member_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/passwords/discovery/authenticate
@required {email_address: str, password: str}
@returns(200) {request_id: str, email_address: str, intermediate_session_token: str, discovered_organizations: [map], status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/passwords/discovery/email/reset/start
@required {email_address: str}
@optional {reset_password_redirect_url: str, discovery_redirect_url: str, reset_password_template_id: str, reset_password_expiration_minutes: int(int32), pkce_code_challenge: str, locale: str, verify_email_template_id: str}
@returns(200) {request_id: str, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/passwords/discovery/email/reset
@required {password_reset_token: str, password: str}
@optional {pkce_code_verifier: str}
@returns(200) {request_id: str, intermediate_session_token: str, email_address: str, discovered_organizations: [map], status_code: int(int32)}
@errors {400, 401, 429, 500}

@endgroup

@group oauth
@endpoint POST /v1/oauth/attach
@required {provider: str}
@optional {user_id: str, session_token: str, session_jwt: str}
@returns(200) {request_id: str, oauth_attach_token: str, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/oauth/authenticate
@required {token: str}
@optional {session_token: str, session_duration_minutes: int(int32), session_jwt: str, session_custom_claims: map, code_verifier: str, telemetry_id: str}
@returns(200) {request_id: str, user_id: str, provider_subject: str, provider_type: str, session_token: str, session_jwt: str, provider_values: map{access_token: str, refresh_token: str, id_token: str, scopes: [str], expires_at: str}, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, reset_sessions: bool, oauth_user_registration_id: str, status_code: int(int32), user_session: map{session_id: str, user_id: str, authentication_factors: [map], roles: [str], started_at: str, last_accessed_at: str, expires_at: str, attributes: map{ip_address: str, user_agent: str}, custom_claims: map}, user_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}}
@errors {400, 401, 429, 500}

@endgroup

@group otps
@endpoint POST /v1/otps/authenticate
@required {method_id: str, code: str}
@optional {attributes: map{ip_address: str, user_agent: str}, options: map{ip_match_required!: bool, user_agent_match_required!: bool}, session_token: str, session_duration_minutes: int(int32), session_jwt: str, session_custom_claims: map, telemetry_id: str}
@returns(200) {request_id: str, user_id: str, method_id: str, session_token: str, session_jwt: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, reset_sessions: bool, status_code: int(int32), session: map{session_id: str, user_id: str, authentication_factors: [map], roles: [str], started_at: str, last_accessed_at: str, expires_at: str, attributes: map{ip_address: str, user_agent: str}, custom_claims: map}, user_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}}
@errors {400, 401, 429, 500}

@endpoint POST /v1/otps/sms/send
@required {phone_number: str}
@optional {expiration_minutes: int(int32), attributes: map{ip_address: str, user_agent: str}, locale: str(en/es/pt-br/fr), user_id: str, session_token: str, session_jwt: str}
@returns(200) {request_id: str, user_id: str, phone_id: str, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/otps/sms/login_or_create
@required {phone_number: str}
@optional {expiration_minutes: int(int32), attributes: map{ip_address: str, user_agent: str}, create_user_as_pending: bool, locale: str(en/es/pt-br/fr)}
@returns(200) {request_id: str, user_id: str, phone_id: str, user_created: bool, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/otps/whatsapp/send
@required {phone_number: str}
@optional {expiration_minutes: int(int32), attributes: map{ip_address: str, user_agent: str}, locale: str(en/es/pt-br/fr), user_id: str, session_token: str, session_jwt: str}
@returns(200) {request_id: str, user_id: str, phone_id: str, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/otps/whatsapp/login_or_create
@required {phone_number: str}
@optional {expiration_minutes: int(int32), attributes: map{ip_address: str, user_agent: str}, create_user_as_pending: bool, locale: str(en/es/pt-br/fr)}
@returns(200) {request_id: str, user_id: str, phone_id: str, user_created: bool, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/otps/email/send
@required {email: str}
@optional {expiration_minutes: int(int32), attributes: map{ip_address: str, user_agent: str}, locale: str(en/es/pt-br/fr), user_id: str, session_token: str, session_jwt: str, login_template_id: str, signup_template_id: str}
@returns(200) {request_id: str, user_id: str, email_id: str, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/otps/email/login_or_create
@required {email: str}
@optional {expiration_minutes: int(int32), attributes: map{ip_address: str, user_agent: str}, create_user_as_pending: bool, locale: str(en/es/pt-br/fr), login_template_id: str, signup_template_id: str}
@returns(200) {request_id: str, user_id: str, email_id: str, user_created: bool, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endgroup

@group projects
@endpoint GET /v1/projects/metrics
@returns(200) {request_id: str, project_id: str, metrics: [map], status_code: int(int32)}
@errors {400, 401, 429, 500}

@endgroup

@group b2b
@endpoint GET /v1/b2b/sso/{organization_id}
@required {organization_id: str}
@optional {X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str}
@returns(200) {request_id: str, saml_connections: [map], oidc_connections: [map], external_connections: [map], status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint DELETE /v1/b2b/sso/{organization_id}/connections/{connection_id}
@required {organization_id: str, connection_id: str}
@optional {X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str}
@returns(200) {request_id: str, connection_id: str, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/sso/authenticate
@required {sso_token: str}
@optional {pkce_code_verifier: str, session_token: str, session_jwt: str, session_duration_minutes: int(int32), session_custom_claims: map, locale: str(en/es/pt-br/fr/it/de-DE/zh-Hans/ca-ES), intermediate_session_token: str, telemetry_id: str}
@returns(200) {request_id: str, member_id: str, organization_id: str, member: map{organization_id: str, member_id: str, email_address: str, status: str, name: str, sso_registrations: [map], is_breakglass: bool, member_password_id: str, oauth_registrations: [map], email_address_verified: bool, mfa_phone_number_verified: bool, is_admin: bool, totp_registration_id: str, retired_email_addresses: [map], is_locked: bool, mfa_enrolled: bool, mfa_phone_number: str, default_mfa_method: str, roles: [map], trusted_metadata: map, untrusted_metadata: map, created_at: str, updated_at: str, scim_registration: map{connection_id: str, registration_id: str, external_id: str, scim_attributes: map{user_name: str, id: str, external_id: str, active: bool, groups: [map], display_name: str, nick_name: str, profile_url: str, user_type: str, title: str, preferred_language: str, locale: str, timezone: str, emails: [map], phone_numbers: [map], addresses: [map], ims: [map], photos: [map], entitlements: [map], roles: [map], x509certificates: [map], name: map, enterprise_extension: map}}, external_id: str, lock_created_at: str, lock_expires_at: str}, session_token: str, session_jwt: str, reset_session: bool, organization: map{organization_id: str, organization_name: str, organization_logo_url: str, organization_slug: str, sso_jit_provisioning: str, sso_jit_provisioning_allowed_connections: [str], sso_active_connections: [map], email_allowed_domains: [str], email_jit_provisioning: str, email_invites: str, auth_methods: str, allowed_auth_methods: [str], mfa_policy: str, rbac_email_implicit_role_assignments: [map], mfa_methods: str, allowed_mfa_methods: [str], oauth_tenant_jit_provisioning: str, claimed_email_domains: [str], first_party_connected_apps_allowed_type: str, allowed_first_party_connected_apps: [str], third_party_connected_apps_allowed_type: str, allowed_third_party_connected_apps: [str], custom_roles: [map], trusted_metadata: map, created_at: str, updated_at: str, organization_external_id: str, sso_default_connection_id: str, scim_active_connection: map{connection_id: str, display_name: str, bearer_token_last_four: str, bearer_token_expires_at: str}, allowed_oauth_tenants: map}, intermediate_session_token: str, member_authenticated: bool, status_code: int(int32), member_session: map{member_session_id: str, member_id: str, started_at: str, last_accessed_at: str, expires_at: str, authentication_factors: [map], organization_id: str, roles: [str], organization_slug: str, custom_claims: map}, mfa_required: map{member_options: map{mfa_phone_number: str, totp_registration_id: str}, secondary_auth_initiated: str}, primary_required: map{allowed_auth_methods: [str]}, member_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/sso/oidc/{organization_id}
@required {organization_id: str}
@optional {X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str, display_name: str, identity_provider: str(classlink/cyberark/duo/generic/google-workspace/jumpcloud/keycloak/miniorange/microsoft-entra/okta/onelogin/pingfederate/rippling/salesforce/shibboleth)}
@returns(200) {request_id: str, status_code: int(int32), connection: map{organization_id: str, connection_id: str, status: str, display_name: str, redirect_url: str, client_id: str, client_secret: str, issuer: str, authorization_url: str, token_url: str, userinfo_url: str, jwks_url: str, identity_provider: str, custom_scopes: str, attribute_mapping: map}}
@errors {400, 401, 429, 500}

@endpoint PUT /v1/b2b/sso/oidc/{organization_id}/connections/{connection_id}
@required {organization_id: str, connection_id: str}
@optional {X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str, display_name: str, client_id: str, client_secret: str, issuer: str, authorization_url: str, token_url: str, userinfo_url: str, jwks_url: str, identity_provider: str(classlink/cyberark/duo/generic/google-workspace/jumpcloud/keycloak/miniorange/microsoft-entra/okta/onelogin/pingfederate/rippling/salesforce/shibboleth), custom_scopes: str, attribute_mapping: map}
@returns(200) {request_id: str, status_code: int(int32), connection: map{organization_id: str, connection_id: str, status: str, display_name: str, redirect_url: str, client_id: str, client_secret: str, issuer: str, authorization_url: str, token_url: str, userinfo_url: str, jwks_url: str, identity_provider: str, custom_scopes: str, attribute_mapping: map}, warning: str}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/sso/saml/{organization_id}
@required {organization_id: str}
@optional {X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str, display_name: str, identity_provider: str(classlink/cyberark/duo/generic/google-workspace/jumpcloud/keycloak/miniorange/microsoft-entra/okta/onelogin/pingfederate/rippling/salesforce/shibboleth)}
@returns(200) {request_id: str, status_code: int(int32), connection: map{organization_id: str, connection_id: str, status: str, idp_entity_id: str, display_name: str, idp_sso_url: str, acs_url: str, audience_uri: str, signing_certificates: [map], verification_certificates: [map], encryption_private_keys: [map], saml_connection_implicit_role_assignments: [map], saml_group_implicit_role_assignments: [map], alternative_audience_uri: str, identity_provider: str, nameid_format: str, alternative_acs_url: str, idp_initiated_auth_disabled: bool, allow_gateway_callback: bool, attribute_mapping: map}}
@errors {400, 401, 429, 500}

@endpoint PUT /v1/b2b/sso/saml/{organization_id}/connections/{connection_id}
@required {organization_id: str, connection_id: str}
@optional {X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str, idp_entity_id: str, display_name: str, attribute_mapping: map, x509_certificate: str, idp_sso_url: str, saml_connection_implicit_role_assignments: [map{role_id!: str}], saml_group_implicit_role_assignments: [map{role_id!: str, group!: str}], alternative_audience_uri: str, identity_provider: str(classlink/cyberark/duo/generic/google-workspace/jumpcloud/keycloak/miniorange/microsoft-entra/okta/onelogin/pingfederate/rippling/salesforce/shibboleth), signing_private_key: str, nameid_format: str, alternative_acs_url: str, idp_initiated_auth_disabled: bool, saml_encryption_private_key: str, allow_gateway_callback: bool}
@returns(200) {request_id: str, status_code: int(int32), connection: map{organization_id: str, connection_id: str, status: str, idp_entity_id: str, display_name: str, idp_sso_url: str, acs_url: str, audience_uri: str, signing_certificates: [map], verification_certificates: [map], encryption_private_keys: [map], saml_connection_implicit_role_assignments: [map], saml_group_implicit_role_assignments: [map], alternative_audience_uri: str, identity_provider: str, nameid_format: str, alternative_acs_url: str, idp_initiated_auth_disabled: bool, allow_gateway_callback: bool, attribute_mapping: map}}
@errors {400, 401, 429, 500}

@endpoint PUT /v1/b2b/sso/saml/{organization_id}/connections/{connection_id}/url
@required {organization_id: str, connection_id: str, metadata_url: str}
@optional {X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str}
@returns(200) {request_id: str, status_code: int(int32), connection: map{organization_id: str, connection_id: str, status: str, idp_entity_id: str, display_name: str, idp_sso_url: str, acs_url: str, audience_uri: str, signing_certificates: [map], verification_certificates: [map], encryption_private_keys: [map], saml_connection_implicit_role_assignments: [map], saml_group_implicit_role_assignments: [map], alternative_audience_uri: str, identity_provider: str, nameid_format: str, alternative_acs_url: str, idp_initiated_auth_disabled: bool, allow_gateway_callback: bool, attribute_mapping: map}}
@errors {400, 401, 429, 500}

@endpoint DELETE /v1/b2b/sso/saml/{organization_id}/connections/{connection_id}/verification_certificates/{certificate_id}
@required {organization_id: str, connection_id: str, certificate_id: str}
@optional {X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str}
@returns(200) {request_id: str, certificate_id: str, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint DELETE /v1/b2b/sso/saml/{organization_id}/connections/{connection_id}/encryption_private_keys/{private_key_id}
@required {organization_id: str, connection_id: str, private_key_id: str}
@optional {X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str}
@returns(200) {request_id: str, private_key_id: str, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/b2b/sso/external/{organization_id}
@required {organization_id: str, external_organization_id: str, external_connection_id: str}
@optional {X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str, display_name: str, connection_implicit_role_assignments: [map{role_id!: str}], group_implicit_role_assignments: [map{role_id!: str, group!: str}]}
@returns(200) {request_id: str, status_code: int(int32), connection: map{organization_id: str, connection_id: str, external_organization_id: str, external_connection_id: str, display_name: str, status: str, external_connection_implicit_role_assignments: [map], external_group_implicit_role_assignments: [map]}}
@errors {400, 401, 429, 500}

@endpoint PUT /v1/b2b/sso/external/{organization_id}/connections/{connection_id}
@required {organization_id: str, connection_id: str}
@optional {X-Stytch-Member-Session: str, X-Stytch-Member-SessionJWT: str, display_name: str, external_connection_implicit_role_assignments: [map{role_id!: str}], external_group_implicit_role_assignments: [map{role_id!: str, group!: str}]}
@returns(200) {request_id: str, status_code: int(int32), connection: map{organization_id: str, connection_id: str, external_organization_id: str, external_connection_id: str, display_name: str, status: str, external_connection_implicit_role_assignments: [map], external_group_implicit_role_assignments: [map]}}
@errors {400, 401, 429, 500}

@endgroup

@group totps
@endpoint POST /v1/totps
@required {user_id: str}
@optional {expiration_minutes: int(int32)}
@returns(200) {request_id: str, totp_id: str, secret: str, qr_code: str, recovery_codes: [str], user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, user_id: str, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/totps/authenticate
@required {user_id: str, totp_code: str}
@optional {session_token: str, session_duration_minutes: int(int32), session_jwt: str, session_custom_claims: map, telemetry_id: str}
@returns(200) {request_id: str, user_id: str, session_token: str, totp_id: str, session_jwt: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32), session: map{session_id: str, user_id: str, authentication_factors: [map], roles: [str], started_at: str, last_accessed_at: str, expires_at: str, attributes: map{ip_address: str, user_agent: str}, custom_claims: map}, user_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}}
@errors {400, 401, 429, 500}

@endpoint POST /v1/totps/recovery_codes
@required {user_id: str}
@returns(200) {request_id: str, user_id: str, totps: [map], status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/totps/recover
@required {user_id: str, recovery_code: str}
@optional {session_token: str, session_duration_minutes: int(int32), session_jwt: str, session_custom_claims: map, telemetry_id: str}
@returns(200) {request_id: str, totp_id: str, user_id: str, session_token: str, session_jwt: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32), session: map{session_id: str, user_id: str, authentication_factors: [map], roles: [str], started_at: str, last_accessed_at: str, expires_at: str, attributes: map{ip_address: str, user_agent: str}, custom_claims: map}, user_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}}
@errors {400, 401, 429, 500}

@endgroup

@group webauthn
@endpoint POST /v1/webauthn/register/start
@required {user_id: str, domain: str}
@optional {user_agent: str, authenticator_type: str, return_passkey_credential_options: bool, override_id: str, override_name: str, override_display_name: str, use_base64_url_encoding: bool}
@returns(200) {request_id: str, user_id: str, public_key_credential_creation_options: str, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/webauthn/register
@required {user_id: str, public_key_credential: str}
@optional {session_token: str, session_duration_minutes: int(int32), session_jwt: str, session_custom_claims: map, telemetry_id: str}
@returns(200) {request_id: str, user_id: str, webauthn_registration_id: str, session_token: str, session_jwt: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32), session: map{session_id: str, user_id: str, authentication_factors: [map], roles: [str], started_at: str, last_accessed_at: str, expires_at: str, attributes: map{ip_address: str, user_agent: str}, custom_claims: map}, user_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}}
@errors {400, 401, 429, 500}

@endpoint POST /v1/webauthn/authenticate/start
@required {domain: str}
@optional {user_id: str, return_passkey_credential_options: bool, use_base64_url_encoding: bool}
@returns(200) {request_id: str, user_id: str, public_key_credential_request_options: str, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endpoint POST /v1/webauthn/authenticate
@required {public_key_credential: str}
@optional {session_token: str, session_duration_minutes: int(int32), session_jwt: str, session_custom_claims: map, telemetry_id: str}
@returns(200) {request_id: str, user_id: str, webauthn_registration_id: str, session_token: str, session_jwt: str, user: map{user_id: str, emails: [map], status: str, phone_numbers: [map], webauthn_registrations: [map], providers: [map], totps: [map], crypto_wallets: [map], biometric_registrations: [map], is_locked: bool, roles: [str], name: map{first_name: str, middle_name: str, last_name: str}, created_at: str, password: map{password_id: str, requires_reset: bool}, trusted_metadata: map, untrusted_metadata: map, external_id: str, lock_created_at: str, lock_expires_at: str}, status_code: int(int32), session: map{session_id: str, user_id: str, authentication_factors: [map], roles: [str], started_at: str, last_accessed_at: str, expires_at: str, attributes: map{ip_address: str, user_agent: str}, custom_claims: map}, user_device: map{visitor_id: str, visitor_id_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_address: str, ip_address_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}, ip_geo_city: str, ip_geo_region: str, ip_geo_country: str, ip_geo_country_details: map{is_new: bool, first_seen_at: str, last_seen_at: str}}}
@errors {400, 401, 429, 500}

@endpoint PUT /v1/webauthn/{webauthn_registration_id}
@required {webauthn_registration_id: str, name: str}
@returns(200) {request_id: str, status_code: int(int32), webauthn_registration: map{webauthn_registration_id: str, domain: str, user_agent: str, verified: bool, authenticator_type: str, name: str}}
@errors {400, 401, 429, 500}

@endpoint GET /v1/webauthn/credentials/{user_id}/{domain}
@required {user_id: str, domain: str}
@returns(200) {credentials: [map], request_id: str, status_code: int(int32)}
@errors {400, 401, 429, 500}

@endgroup

@end