stytchauth · ci-stytch · Nov 10, 2023
@@ -81,7 +81,6 @@ func (c *OrganizationsClient) Get(
 
 // Update: Updates an Organization specified by `organization_id`. An Organization must always have at
 // least one auth setting set to either `RESTRICTED` or `ALL_ALLOWED` in order to provision new Members.
-// test
 //
 // *See the [Organization authentication settings](https://stytch.com/docs/b2b/api/org-auth-settings)
 // resource to learn more about fields like `email_jit_provisioning`, `email_invites`,

@@ -50,6 +50,10 @@ func NewOTPsSmsClient(c stytch.Client) *OTPsSmsClient {
 // Before configuring SMS or WhatsApp OTPs, please review how Stytch
 // [bills the costs of international OTPs](https://stytch.com/pricing) and understand how to protect your
 // app against [toll fraud](https://stytch.com/docs/guides/passcodes/toll-fraud/overview).
+//
+// __Note:__ SMS to phone numbers outside of the US and Canada is disabled by default for customers who did
+// not use SMS prior to October 2023. If you're interested in sending international SMS, please reach out
+// to [support@stytch.com](mailto:support@stytch.com?subject=Enable%20international%20SMS).
 func (c *OTPsSmsClient) Send(
 	ctx context.Context,
 	body *sms.SendParams,

@@ -22,40 +22,10 @@ type ResetParams struct {
 	// SessionToken: A secret token for a given Stytch Session.
 	SessionToken string `json:"session_token,omitempty"`
 	// SessionJWT: The JSON Web Token (JWT) for a given Stytch Session.
-	SessionJWT string `json:"session_jwt,omitempty"`
-	// SessionDurationMinutes: Set the session lifetime to be this many minutes from now. This will start a new
-	// session if one doesn't already exist,
-	//   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the
-	// `session_jwt` will have a fixed lifetime of
-	//   five minutes regardless of the underlying session duration, and will need to be refreshed over time.
-	//
-	//   This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).
-	//
-	//   If a `session_token` or `session_jwt` is provided then a successful authentication will continue to
-	// extend the session this many minutes.
-	//
-	//   If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a
-	// 60 minute duration. If you don't want
-	//   to use the Stytch session product, you can ignore the session fields in the response.
-	SessionDurationMinutes int32 `json:"session_duration_minutes,omitempty"`
-	// SessionCustomClaims: Add a custom claims map to the Session being authenticated. Claims are only created
-	// if a Session is initialized by providing a value in
-	//   `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a
-	// key in an existing Session, supply a new value. To
-	//   delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`,
-	// `exp`, `nbf`, `iat`, `jti`) will be ignored.
-	//   Total custom claims size cannot exceed four kilobytes.
-	SessionCustomClaims map[string]any `json:"session_custom_claims,omitempty"`
-	// Locale: Used to determine which language to use when sending the user this delivery method. Parameter is
-	// a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`.
-	//
-	// Currently supported languages are English (`"en"`), Spanish (`"es"`), and Brazilian Portuguese
-	// (`"pt-br"`); if no value is provided, the copy defaults to English.
-	//
-	// Request support for additional languages
-	// [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")!
-	//
-	Locale ResetRequestLocale `json:"locale,omitempty"`
+	SessionJWT             string             `json:"session_jwt,omitempty"`
+	SessionDurationMinutes int32              `json:"session_duration_minutes,omitempty"`
+	SessionCustomClaims    map[string]any     `json:"session_custom_claims,omitempty"`
+	Locale                 ResetRequestLocale `json:"locale,omitempty"`
 }
 
 // ResetResponse: Response type for `Sessions.Reset`.
@@ -69,34 +39,18 @@ type ResetResponse struct {
 	// Member: The [Member object](https://stytch.com/docs/b2b/api/member-object)
 	Member organizations.Member `json:"member,omitempty"`
 	// Organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object).
-	Organization organizations.Organization `json:"organization,omitempty"`
-	// SessionToken: A secret token for a given Stytch Session.
-	SessionToken string `json:"session_token,omitempty"`
-	// SessionJWT: The JSON Web Token (JWT) for a given Stytch Session.
-	SessionJWT string `json:"session_jwt,omitempty"`
-	// IntermediateSessionToken: The Intermediate Session Token. This token does not necessarily belong to a
-	// specific instance of a Member, but represents a bag of factors that may be converted to a member session.
-	//     The token can be used with the
-	// [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms) to complete an MFA
-	// flow;
-	//     the
-	// [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session)
-	// to join a specific Organization that allows the factors represented by the intermediate session token;
-	//     or the
-	// [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member.
-	IntermediateSessionToken string `json:"intermediate_session_token,omitempty"`
-	// MemberAuthenticated: Indicates whether the Member is fully authenticated. If false, the Member needs to
-	// complete an MFA step to log in to the Organization.
-	MemberAuthenticated bool `json:"member_authenticated,omitempty"`
+	Organization             organizations.Organization `json:"organization,omitempty"`
+	SessionToken             string                     `json:"session_token,omitempty"`
+	SessionJWT               string                     `json:"session_jwt,omitempty"`
+	IntermediateSessionToken string                     `json:"intermediate_session_token,omitempty"`
+	MemberAuthenticated      bool                       `json:"member_authenticated,omitempty"`
 	// StatusCode: The HTTP status code of the response. Stytch follows standard HTTP response status code
 	// patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX
 	// are server errors.
 	StatusCode int32 `json:"status_code,omitempty"`
 	// MemberSession: The [Session object](https://stytch.com/docs/b2b/api/session-object).
 	MemberSession *sessions.MemberSession `json:"member_session,omitempty"`
-	// MFARequired: Information about the MFA requirements of the Organization and the Member's options for
-	// fulfilling MFA.
-	MFARequired *mfa.MfaRequired `json:"mfa_required,omitempty"`
+	MFARequired   *mfa.MfaRequired        `json:"mfa_required,omitempty"`
 }
 
 type ResetRequestLocale string

@@ -223,6 +223,20 @@ func (c *SessionsClient) Exchange(
 }
 
 // GetJWKS: Get the JSON Web Key Set (JWKS) for a project.
+//
+// JWKS are rotated every ~6 months. Upon rotation, new JWTs will be signed using the new key set, and both
+// key sets will be returned by this endpoint for a period of 1 month.
+//
+// JWTs have a set lifetime of 5 minutes, so there will be a 5 minute period where some JWTs will be signed
+// by the old JWKS, and some JWTs will be signed by the new JWKS. The correct JWKS to use for validation is
+// determined by matching the `kid` value of the JWT and JWKS.
+//
+// If you're using one of our [backend SDKs](https://stytch.com/docs/b2b/sdks), the JWKS roll will be
+// handled for you.
+//
+// If you're using your own JWT validation library, many have built-in support for JWKS rotation, and
+// you'll just need to supply this API endpoint. If not, your application should decide which JWKS to use
+// for validation by inspecting the `kid` value.
 func (c *SessionsClient) GetJWKS(
 	ctx context.Context,
 	body *sessions.GetJWKSParams,

@@ -29,6 +29,17 @@ type DeleteVerificationCertificateParams struct {
 	CertificateID string `json:"certificate_id,omitempty"`
 }
 
+// UpdateByURLParams: Request type for `SAML.UpdateByURL`.
+type UpdateByURLParams struct {
+	// OrganizationID: Globally unique UUID that identifies a specific Organization. The `organization_id` is
+	// critical to perform operations on an Organization, so be sure to preserve this value.
+	OrganizationID string `json:"organization_id,omitempty"`
+	// ConnectionID: Globally unique UUID that identifies a specific SSO `connection_id` for a Member.
+	ConnectionID string `json:"connection_id,omitempty"`
+	// MetadataURL: A URL that points to the IdP metadata. This will be provided by the IdP.
+	MetadataURL string `json:"metadata_url,omitempty"`
+}
+
 // UpdateConnectionParams: Request type for `SAML.UpdateConnection`.
 type UpdateConnectionParams struct {
 	// OrganizationID: Globally unique UUID that identifies a specific Organization. The `organization_id` is
@@ -83,8 +94,8 @@ type DeleteVerificationCertificateResponse struct {
 	StatusCode int32 `json:"status_code,omitempty"`
 }
 
-// UpdateConnectionResponse: Response type for `SAML.UpdateConnection`.
-type UpdateConnectionResponse struct {
+// UpdateByURLResponse: Response type for `SAML.UpdateByURL`.
+type UpdateByURLResponse struct {
 	// RequestID: Globally unique UUID that is returned with every API call. This value is important to log for
 	// debugging purposes; we may ask for this value to help identify a specific API call when helping you
 	// debug an issue.

@@ -103,6 +103,7 @@ type SAMLConnection struct {
 	AudienceURI              string            `json:"audience_uri,omitempty"`
 	SigningCertificates      []X509Certificate `json:"signing_certificates,omitempty"`
 	VerificationCertificates []X509Certificate `json:"verification_certificates,omitempty"`
+	AlternativeAudienceURI   string            `json:"alternative_audience_uri,omitempty"`
 	AttributeMapping         map[string]any    `json:"attribute_mapping,omitempty"`
 }
 type X509Certificate struct {

@@ -62,7 +62,7 @@ func (c *SSOSAMLClient) CreateConnection(
 func (c *SSOSAMLClient) UpdateConnection(
 	ctx context.Context,
 	body *saml.UpdateConnectionParams,
-) (*saml.UpdateConnectionResponse, error) {
+) (*saml.UpdateByURLResponse, error) {
 	var jsonBody []byte
 	var err error
 	if body != nil {
@@ -72,7 +72,7 @@ func (c *SSOSAMLClient) UpdateConnection(
 		}
 	}
 
-	var retVal saml.UpdateConnectionResponse
+	var retVal saml.UpdateByURLResponse
 	err = c.C.NewRequest(
 		ctx,
 		"PUT",
@@ -84,6 +84,38 @@ func (c *SSOSAMLClient) UpdateConnection(
 	return &retVal, err
 }
 
+// UpdateByURL: Used to update an existing SAML connection using an IDP metadata URL.
+//
+// A newly created connection will not become active until all the following are provided:
+// * `idp_sso_url`
+// * `idp_entity_id`
+// * `x509_certificate`
+// * `attribute_mapping` (must be supplied using [Update SAML Connection](update-saml-connection))
+func (c *SSOSAMLClient) UpdateByURL(
+	ctx context.Context,
+	body *saml.UpdateByURLParams,
+) (*saml.UpdateByURLResponse, error) {
+	var jsonBody []byte
+	var err error
+	if body != nil {
+		jsonBody, err = json.Marshal(body)
+		if err != nil {
+			return nil, stytcherror.NewClientLibraryError("error marshaling request body")
+		}
+	}
+
+	var retVal saml.UpdateByURLResponse
+	err = c.C.NewRequest(
+		ctx,
+		"PUT",
+		fmt.Sprintf("/v1/b2b/sso/saml/%s/connections/%s/url", body.OrganizationID, body.ConnectionID),
+		nil,
+		jsonBody,
+		&retVal,
+	)
+	return &retVal, err
+}
+
 // DeleteVerificationCertificate: Delete a SAML verification certificate.
 //
 // You may need to do this when rotating certificates from your IdP, since Stytch allows a maximum of 5

@@ -1,3 +1,3 @@
 package config
 
-const APIVersion = "11.4.2"
+const APIVersion = "12.0.0"
@@ -36,6 +36,10 @@ func NewOTPsSmsClient(c stytch.Client) *OTPsSmsClient {
 // [bills the costs of international OTPs](https://stytch.com/pricing) and understand how to protect your
 // app against [toll fraud](https://stytch.com/docs/guides/passcodes/toll-fraud/overview).
 //
+// __Note:__ SMS to phone numbers outside of the US and Canada is disabled by default for customers who did
+// not use SMS prior to October 2023. If you're interested in sending international SMS, please reach out
+// to [support@stytch.com](mailto:support@stytch.com?subject=Enable%20international%20SMS).
+//
 // ### Add a phone number to an existing user
 //
 // This endpoint also allows you to add a new phone number to an existing Stytch User. Including a
@@ -82,6 +86,11 @@ func (c *OTPsSmsClient) Send(
 // Before configuring SMS or WhatsApp OTPs, please review how Stytch
 // [bills the costs of international OTPs](https://stytch.com/pricing) and understand how to protect your
 // app against [toll fraud](https://stytch.com/docs/guides/passcodes/toll-fraud/overview).
+//
+// __Note:__ SMS to phone numbers outside of the US and Canada is disabled by default for customers who did
+// not use SMS prior to October 2023. If you're interested in sending international SMS, please reach out
+// to [support@stytch.com](mailto:support@stytch.com?subject=Enable%20international%20SMS).
+//
 // ### Next steps
 //
 // Collect the OTP which was delivered to the User. Call

@@ -173,7 +173,21 @@ func (c *SessionsClient) Revoke(
 	return &retVal, err
 }
 
-// GetJWKS: Get the JSON Web Key Set (JWKS) for a Stytch Project.
+// GetJWKS: Get the JSON Web Key Set (JWKS) for a project.
+//
+// JWKS are rotated every ~6 months. Upon rotation, new JWTs will be signed using the new key set, and both
+// key sets will be returned by this endpoint for a period of 1 month.
+//
+// JWTs have a set lifetime of 5 minutes, so there will be a 5 minute period where some JWTs will be signed
+// by the old JWKS, and some JWTs will be signed by the new JWKS. The correct JWKS to use for validation is
+// determined by matching the `kid` value of the JWT and JWKS.
+//
+// If you're using one of our [backend SDKs](https://stytch.com/docs/sdks), the JWKS roll will be handled
+// for you.
+//
+// If you're using your own JWT validation library, many have built-in support for JWKS rotation, and
+// you'll just need to supply this API endpoint. If not, your application should decide which JWKS to use
+// for validation by inspecting the `kid` value.
 func (c *SessionsClient) GetJWKS(
 	ctx context.Context,
 	body *sessions.GetJWKSParams,

@@ -305,12 +305,18 @@ type User struct {
 
 // WebAuthnRegistration:
 type WebAuthnRegistration struct {
+	// WebAuthnRegistrationID: The unique ID for the WebAuthn registration.
 	WebAuthnRegistrationID string `json:"webauthn_registration_id,omitempty"`
 	// Domain: The `domain` on which a WebAuthn registration was started. This will be the domain of your app.
 	Domain string `json:"domain,omitempty"`
 	// UserAgent: The user agent of the User.
-	UserAgent         string `json:"user_agent,omitempty"`
-	Verified          bool   `json:"verified,omitempty"`
+	UserAgent string `json:"user_agent,omitempty"`
+	// Verified: The verified boolean denotes whether or not this send method, e.g. phone number, email
+	// address, etc., has been successfully authenticated by the User.
+	Verified bool `json:"verified,omitempty"`
+	// AuthenticatorType: The `authenticator_type` string displays the requested authenticator type of the
+	// WebAuthn device. The two valid types are "platform" and "cross-platform". If no value is present, the
+	// WebAuthn device was created without an authenticator type preference.
 	AuthenticatorType string `json:"authenticator_type,omitempty"`
 	Name              string `json:"name,omitempty"`
 }

@@ -58,11 +58,32 @@ type RegisterParams struct {
 	UserID string `json:"user_id,omitempty"`
 	// PublicKeyCredential: The response of the
 	// [navigator.credentials.create()](https://www.w3.org/TR/webauthn-2/#sctn-createCredential).
-	PublicKeyCredential    string         `json:"public_key_credential,omitempty"`
-	SessionToken           string         `json:"session_token,omitempty"`
-	SessionDurationMinutes int32          `json:"session_duration_minutes,omitempty"`
-	SessionJWT             string         `json:"session_jwt,omitempty"`
-	SessionCustomClaims    map[string]any `json:"session_custom_claims,omitempty"`
+	PublicKeyCredential string `json:"public_key_credential,omitempty"`
+	// SessionToken: The `session_token` associated with a User's existing Session.
+	SessionToken string `json:"session_token,omitempty"`
+	// SessionDurationMinutes: Set the session lifetime to be this many minutes from now. This will start a new
+	// session if one doesn't already exist,
+	//   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the
+	// `session_jwt` will have a fixed lifetime of
+	//   five minutes regardless of the underlying session duration, and will need to be refreshed over time.
+	//
+	//   This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).
+	//
+	//   If a `session_token` or `session_jwt` is provided then a successful authentication will continue to
+	// extend the session this many minutes.
+	//
+	//   If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created.
+	SessionDurationMinutes int32 `json:"session_duration_minutes,omitempty"`
+	// SessionJWT: The `session_jwt` associated with a User's existing Session.
+	SessionJWT string `json:"session_jwt,omitempty"`
+	// SessionCustomClaims: Add a custom claims map to the Session being authenticated. Claims are only created
+	// if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included
+	// on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To
+	// delete a key, supply a null value.
+	//
+	//   Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be
+	// ignored. Total custom claims size cannot exceed four kilobytes.
+	SessionCustomClaims map[string]any `json:"session_custom_claims,omitempty"`
 }
 
 // RegisterStartParams: Request type for `WebAuthn.RegisterStart`.
@@ -137,15 +158,22 @@ type RegisterResponse struct {
 	// UserID: The unique ID of the affected User.
 	UserID string `json:"user_id,omitempty"`
 	// WebAuthnRegistrationID: The unique ID for the WebAuthn registration.
-	WebAuthnRegistrationID string     `json:"webauthn_registration_id,omitempty"`
-	SessionToken           string     `json:"session_token,omitempty"`
-	SessionJWT             string     `json:"session_jwt,omitempty"`
-	User                   users.User `json:"user,omitempty"`
+	WebAuthnRegistrationID string `json:"webauthn_registration_id,omitempty"`
+	// SessionToken: A secret token for a given Stytch Session.
+	SessionToken string `json:"session_token,omitempty"`
+	// SessionJWT: The JSON Web Token (JWT) for a given Stytch Session.
+	SessionJWT string     `json:"session_jwt,omitempty"`
+	User       users.User `json:"user,omitempty"`
 	// StatusCode: The HTTP status code of the response. Stytch follows standard HTTP response status code
 	// patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX
 	// are server errors.
-	StatusCode int32             `json:"status_code,omitempty"`
-	Session    *sessions.Session `json:"session,omitempty"`
+	StatusCode int32 `json:"status_code,omitempty"`
+	// Session: If you initiate a Session, by including `session_duration_minutes` in your authenticate call,
+	// you'll receive a full Session object in the response.
+	//
+	//   See [GET sessions](https://stytch.com/docs/api/session-get) for complete response fields.
+	//
+	Session *sessions.Session `json:"session,omitempty"`
 }
 
 // RegisterStartResponse: Response type for `WebAuthn.RegisterStart`.