stytchauth · taronish-stytch · Jan 23, 2024 · Jan 22, 2024 · Jan 23, 2024 · Jan 23, 2024
@@ -42,8 +42,10 @@ type API struct {
 	Organizations *b2b.OrganizationsClient
 	Passwords     *b2b.PasswordsClient
 	RBAC          *b2b.RBACClient
+	RecoveryCodes *b2b.RecoveryCodesClient
 	SSO           *b2b.SSOClient
 	Sessions      *b2b.SessionsClient
+	TOTPs         *b2b.TOTPsClient
 }
 
 type Option func(*API)
@@ -146,8 +148,10 @@ func NewClient(projectID string, secret string, opts ...Option) (*API, error) {
 	a.Organizations = b2b.NewOrganizationsClient(a.client)
 	a.Passwords = b2b.NewPasswordsClient(a.client)
 	a.RBAC = b2b.NewRBACClient(a.client)
+	a.RecoveryCodes = b2b.NewRecoveryCodesClient(a.client)
 	a.SSO = b2b.NewSSOClient(a.client)
 	a.Sessions = b2b.NewSessionsClient(a.client, jwks, policyCache)
+	a.TOTPs = b2b.NewTOTPsClient(a.client)
 
 	return a, nil
 }

@@ -131,13 +131,27 @@ type CreateParams struct {
 	// Members will be required to complete MFA only if their `mfa_enrolled` status is set to true.
 	//
 	MFAPolicy string `json:"mfa_policy,omitempty"`
-	// RBACEmailImplicitRoleAssignments: (Coming Soon) Implicit role assignments based off of email domains.
+	// RBACEmailImplicitRoleAssignments: Implicit role assignments based off of email domains.
 	//   For each domain-Role pair, all Members whose email addresses have the specified email domain will be
 	// granted the
 	//   associated Role, regardless of their login method. See the
 	// [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment)
 	//   for more information about role assignment.
 	RBACEmailImplicitRoleAssignments []*organizations.EmailImplicitRoleAssignment `json:"rbac_email_implicit_role_assignments,omitempty"`
+	// MFAMethods: The setting that controls which mfa methods can be used by Members of an Organization. The
+	// accepted values are:
+	//
+	//   `ALL_ALLOWED` – the default setting which allows all authentication methods to be used.
+	//
+	//   `RESTRICTED` – only methods that comply with `allowed_auth_methods` can be used for authentication.
+	// This setting does not apply to Members with `is_breakglass` set to `true`.
+	//
+	MFAMethods string `json:"mfa_methods,omitempty"`
+	// AllowedMFAMethods: An array of allowed mfa authentication methods. This list is enforced when
+	// `mfa_methods` is set to `RESTRICTED`.
+	//   The list's accepted values are: `sms_otp` and `totp`.
+	//
+	AllowedMFAMethods []string `json:"allowed_mfa_methods,omitempty"`
 }
 
 // ListParams: Request type for `Organizations.List`.

@@ -52,7 +52,7 @@ type InviteParams struct {
 	// [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")!
 	//
 	Locale InviteRequestLocale `json:"locale,omitempty"`
-	// Roles: (Coming Soon) Roles to explicitly assign to this Member. See the
+	// Roles to explicitly assign to this Member. See the
 	// [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment)
 	//    for more information about role assignment.
 	Roles []string `json:"roles,omitempty"`

@@ -93,8 +93,8 @@ func (c *OrganizationsClient) Get(
 // resource to learn more about fields like `email_jit_provisioning`, `email_invites`,
 // `sso_jit_provisioning`, etc., and their behaviors.
 //
-// (Coming Soon) Our RBAC implementation offers out-of-the-box handling of authorization checks for this
-// endpoint. If you pass in
+// Our RBAC implementation offers out-of-the-box handling of authorization checks for this endpoint. If you
+// pass in
 // a header containing a `session_token` or a `session_jwt` for an unexpired Member Session, we will check
 // that the
 // Member Session has the necessary permissions. The specific permissions needed depend on which of the

@@ -47,7 +47,7 @@ type CreateParams struct {
 	// whenever they wish to log in to their Organization. If false, the Member only needs to complete an MFA
 	// step if the Organization's MFA policy is set to `REQUIRED_FOR_ALL`.
 	MFAEnrolled bool `json:"mfa_enrolled,omitempty"`
-	// Roles: (Coming Soon) Roles to explicitly assign to this Member. See the
+	// Roles to explicitly assign to this Member. See the
 	// [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment)
 	//    for more information about role assignment.
 	Roles []string `json:"roles,omitempty"`
@@ -132,6 +132,11 @@ type SearchParams struct {
 	Query *organizations.SearchQuery `json:"query,omitempty"`
 }
 
+type TOTPParams struct {
+	OrganizationID string `json:"organization_id,omitempty"`
+	MemberID       string `json:"member_id,omitempty"`
+}
+
 // UpdateParams: Request type for `Members.Update`.
 type UpdateParams struct {
 	// OrganizationID: Globally unique UUID that identifies a specific Organization. The `organization_id` is
@@ -196,7 +201,7 @@ type UpdateParams struct {
 	// request, the authorization check will also allow a Member Session that has permission to perform the
 	// `update.settings.mfa-enrolled` action on the `stytch.self` Resource.
 	MFAEnrolled bool `json:"mfa_enrolled,omitempty"`
-	// Roles: (Coming Soon) Roles to explicitly assign to this Member.
+	// Roles to explicitly assign to this Member.
 	//  Will completely replace any existing explicitly assigned roles. See the
 	//  [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role
 	// assignment.
@@ -211,12 +216,16 @@ type UpdateParams struct {
 	// If this field is provided and a session header is passed into the request, the Member Session must have
 	// permission to perform the `update.settings.roles` action on the `stytch.member` Resource.
 	Roles []string `json:"roles,omitempty"`
-	// PreserveExistingSessions: (Coming Soon) Whether to preserve existing sessions when explicit Roles that
-	// are revoked are also implicitly assigned
+	// PreserveExistingSessions: Whether to preserve existing sessions when explicit Roles that are revoked are
+	// also implicitly assigned
 	//   by SSO connection or SSO group. Defaults to `false` - that is, existing Member Sessions that contain
 	// SSO
 	//   authentication factors with the affected SSO connection IDs will be revoked.
 	PreserveExistingSessions bool `json:"preserve_existing_sessions,omitempty"`
+	// DefaultMFAMethod: The Member's default MFA method. This value is used to determine which secondary MFA
+	// method to use in the case of multiple methods registered for a Member. The current possible values are
+	// `sms_otp` and `totp`.
+	DefaultMFAMethod string `json:"default_mfa_method,omitempty"`
 }
 
 // CreateRequestOptions:
@@ -297,6 +306,19 @@ func (o *SearchRequestOptions) AddHeaders(headers map[string][]string) map[strin
 	return headers
 }
 
+// TOTPRequestOptions:
+type TOTPRequestOptions struct {
+	// Authorization: Optional authorization object.
+	// Pass in an active Stytch Member session token or session JWT and the request
+	// will be run using that member's permissions.
+	Authorization methodoptions.Authorization `json:"authorization,omitempty"`
+}
+
+func (o *TOTPRequestOptions) AddHeaders(headers map[string][]string) map[string][]string {
+	headers = o.Authorization.AddHeaders(headers)
+	return headers
+}
+
 // UpdateRequestOptions:
 type UpdateRequestOptions struct {
 	// Authorization: Optional authorization object.
@@ -435,6 +457,14 @@ type SearchResponse struct {
 	StatusCode int32 `json:"status_code,omitempty"`
 }
 
+type TOTPResponse struct {
+	RequestID    string                     `json:"request_id,omitempty"`
+	MemberID     string                     `json:"member_id,omitempty"`
+	Member       organizations.Member       `json:"member,omitempty"`
+	Organization organizations.Organization `json:"organization,omitempty"`
+	StatusCode   int32                      `json:"status_code,omitempty"`
+}
+
 // UpdateResponse: Response type for `Members.Update`.
 type UpdateResponse struct {
 	// RequestID: Globally unique UUID that is returned with every API call. This value is important to log for

@@ -94,13 +94,27 @@ type CreateParams struct {
 	// Members will be required to complete MFA only if their `mfa_enrolled` status is set to true.
 	//
 	MFAPolicy string `json:"mfa_policy,omitempty"`
-	// RBACEmailImplicitRoleAssignments: (Coming Soon) Implicit role assignments based off of email domains.
+	// RBACEmailImplicitRoleAssignments: Implicit role assignments based off of email domains.
 	//   For each domain-Role pair, all Members whose email addresses have the specified email domain will be
 	// granted the
 	//   associated Role, regardless of their login method. See the
 	// [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment)
 	//   for more information about role assignment.
 	RBACEmailImplicitRoleAssignments []*EmailImplicitRoleAssignment `json:"rbac_email_implicit_role_assignments,omitempty"`
+	// MFAMethods: The setting that controls which mfa methods can be used by Members of an Organization. The
+	// accepted values are:
+	//
+	//   `ALL_ALLOWED` – the default setting which allows all authentication methods to be used.
+	//
+	//   `RESTRICTED` – only methods that comply with `allowed_auth_methods` can be used for authentication.
+	// This setting does not apply to Members with `is_breakglass` set to `true`.
+	//
+	MFAMethods string `json:"mfa_methods,omitempty"`
+	// AllowedMFAMethods: An array of allowed mfa authentication methods. This list is enforced when
+	// `mfa_methods` is set to `RESTRICTED`.
+	//   The list's accepted values are: `sms_otp` and `totp`.
+	//
+	AllowedMFAMethods []string `json:"allowed_mfa_methods,omitempty"`
 }
 
 // DeleteParams: Request type for `Organizations.Delete`.
@@ -180,20 +194,22 @@ type Member struct {
 	EmailAddressVerified bool `json:"email_address_verified,omitempty"`
 	// MFAPhoneNumberVerified: Whether or not the Member's phone number is verified.
 	MFAPhoneNumberVerified bool `json:"mfa_phone_number_verified,omitempty"`
-	// IsAdmin: (Coming Soon) Whether or not the Member has the `stytch_admin` Role. This Role is automatically
-	// granted to Members
+	// IsAdmin: Whether or not the Member has the `stytch_admin` Role. This Role is automatically granted to
+	// Members
 	//   who create an Organization through the
 	// [discovery flow](https://stytch.com/docs/b2b/api/create-organization-via-discovery). See the
 	//   [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/stytch-defaults) for more details on this Role.
-	IsAdmin bool `json:"is_admin,omitempty"`
+	IsAdmin            bool   `json:"is_admin,omitempty"`
+	TOTPRegistrationID string `json:"totp_registration_id,omitempty"`
 	// MFAEnrolled: Sets whether the Member is enrolled in MFA. If true, the Member must complete an MFA step
 	// whenever they wish to log in to their Organization. If false, the Member only needs to complete an MFA
 	// step if the Organization's MFA policy is set to `REQUIRED_FOR_ALL`.
 	MFAEnrolled bool `json:"mfa_enrolled,omitempty"`
 	// MFAPhoneNumber: The Member's phone number. A Member may only have one phone number.
-	MFAPhoneNumber string `json:"mfa_phone_number,omitempty"`
-	// Roles: (Coming Soon) Explicit or implicit Roles assigned to this Member, along with details about the
-	// role assignment source.
+	MFAPhoneNumber   string `json:"mfa_phone_number,omitempty"`
+	DefaultMFAMethod string `json:"default_mfa_method,omitempty"`
+	// Roles: Explicit or implicit Roles assigned to this Member, along with details about the role assignment
+	// source.
 	//    See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information
 	// about role assignment.
 	Roles []MemberRole `json:"roles,omitempty"`
@@ -387,13 +403,27 @@ type Organization struct {
 	//
 	AllowedAuthMethods []string `json:"allowed_auth_methods,omitempty"`
 	MFAPolicy          string   `json:"mfa_policy,omitempty"`
-	// RBACEmailImplicitRoleAssignments: (Coming Soon) Implicit role assignments based off of email domains.
+	// RBACEmailImplicitRoleAssignments: Implicit role assignments based off of email domains.
 	//   For each domain-Role pair, all Members whose email addresses have the specified email domain will be
 	// granted the
 	//   associated Role, regardless of their login method. See the
 	// [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment)
 	//   for more information about role assignment.
 	RBACEmailImplicitRoleAssignments []EmailImplicitRoleAssignment `json:"rbac_email_implicit_role_assignments,omitempty"`
+	// MFAMethods: The setting that controls which mfa methods can be used by Members of an Organization. The
+	// accepted values are:
+	//
+	//   `ALL_ALLOWED` – the default setting which allows all authentication methods to be used.
+	//
+	//   `RESTRICTED` – only methods that comply with `allowed_auth_methods` can be used for authentication.
+	// This setting does not apply to Members with `is_breakglass` set to `true`.
+	//
+	MFAMethods string `json:"mfa_methods,omitempty"`
+	// AllowedMFAMethods: An array of allowed mfa authentication methods. This list is enforced when
+	// `mfa_methods` is set to `RESTRICTED`.
+	//   The list's accepted values are: `sms_otp` and `totp`.
+	//
+	AllowedMFAMethods []string `json:"allowed_mfa_methods,omitempty"`
 	// TrustedMetadata: An arbitrary JSON object for storing application-specific data or
 	// identity-provider-specific data.
 	TrustedMetadata map[string]any `json:"trusted_metadata,omitempty"`
@@ -585,7 +615,7 @@ type UpdateParams struct {
 	// If this field is provided and a session header is passed into the request, the Member Session must have
 	// permission to perform the `update.settings.mfa-policy` action on the `stytch.organization` Resource.
 	MFAPolicy string `json:"mfa_policy,omitempty"`
-	// RBACEmailImplicitRoleAssignments: (Coming Soon) Implicit role assignments based off of email domains.
+	// RBACEmailImplicitRoleAssignments: Implicit role assignments based off of email domains.
 	//   For each domain-Role pair, all Members whose email addresses have the specified email domain will be
 	// granted the
 	//   associated Role, regardless of their login method. See the
@@ -595,6 +625,28 @@ type UpdateParams struct {
 	// If this field is provided and a session header is passed into the request, the Member Session must have
 	// permission to perform the `update.settings.implicit-roles` action on the `stytch.organization` Resource.
 	RBACEmailImplicitRoleAssignments []string `json:"rbac_email_implicit_role_assignments,omitempty"`
+	// MFAMethods: The setting that controls which mfa methods can be used by Members of an Organization. The
+	// accepted values are:
+	//
+	//   `ALL_ALLOWED` – the default setting which allows all authentication methods to be used.
+	//
+	//   `RESTRICTED` – only methods that comply with `allowed_auth_methods` can be used for authentication.
+	// This setting does not apply to Members with `is_breakglass` set to `true`.
+	//
+	//
+	// If this field is provided and a session header is passed into the request, the Member Session must have
+	// permission to perform the `update.settings.allowed-auth-methods` action on the `stytch.organization`
+	// Resource.
+	MFAMethods string `json:"mfa_methods,omitempty"`
+	// AllowedMFAMethods: An array of allowed mfa authentication methods. This list is enforced when
+	// `mfa_methods` is set to `RESTRICTED`.
+	//   The list's accepted values are: `sms_otp` and `totp`.
+	//
+	//
+	// If this field is provided and a session header is passed into the request, the Member Session must have
+	// permission to perform the `update.settings.allowed-mfa-methods` action on the `stytch.organization`
+	// Resource.
+	AllowedMFAMethods []string `json:"allowed_mfa_methods,omitempty"`
 }
 
 // UpdateRequestOptions:

@@ -28,8 +28,8 @@ func NewOrganizationsMembersClient(c stytch.Client) *OrganizationsMembersClient
 
 // Update: Updates a Member specified by `organization_id` and `member_id`.
 //
-// (Coming Soon) Our RBAC implementation offers out-of-the-box handling of authorization checks for this
-// endpoint. If you pass in
+// Our RBAC implementation offers out-of-the-box handling of authorization checks for this endpoint. If you
+// pass in
 // a header containing a `session_token` or a `session_jwt` for an unexpired Member Session, we will check
 // that the
 // Member Session has the necessary permissions. The specific permissions needed depend on which of the
@@ -171,13 +171,36 @@ func (c *OrganizationsMembersClient) DeleteMFAPhoneNumber(
 	return &retVal, err
 }
 
+func (c *OrganizationsMembersClient) TOTP(
+	ctx context.Context,
+	body *members.TOTPParams,
+	methodOptions ...*members.TOTPRequestOptions,
+) (*members.TOTPResponse, error) {
+	headers := make(map[string][]string)
+	for _, methodOption := range methodOptions {
+		headers = methodOption.AddHeaders(headers)
+	}
+
+	var retVal members.TOTPResponse
+	err := c.C.NewRequest(
+		ctx,
+		"DELETE",
+		fmt.Sprintf("/v1/b2b/organizations/%s/members/%s/totp", body.OrganizationID, body.MemberID),
+		nil,
+		nil,
+		&retVal,
+		headers,
+	)
+	return &retVal, err
+}
+
 // Search for Members within specified Organizations. An array with at least one `organization_id` is
 // required. Submitting an empty `query` returns all non-deleted Members within the specified Organizations.
 //
 // *All fuzzy search filters require a minimum of three characters.
 //
-// (Coming Soon) Our RBAC implementation offers out-of-the-box handling of authorization checks for this
-// endpoint. If you pass in
+// Our RBAC implementation offers out-of-the-box handling of authorization checks for this endpoint. If you
+// pass in
 // a header containing a `session_token` or a `session_jwt` for an unexpired Member Session, we will check
 // that the
 // Member Session has permission to perform the `search` action on the `stytch.member` Resource. In

@@ -70,6 +70,7 @@ type AuthenticateParams struct {
 	// required to complete MFA steps when logging in to the Organization.
 	//
 	SetMFAEnrollment string `json:"set_mfa_enrollment,omitempty"`
+	SetDefaultMFA    bool   `json:"set_default_mfa,omitempty"`
 }
 
 // SendParams: Request type for `Sms.Send`.
@@ -93,6 +94,21 @@ type SendParams struct {
 	// [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")!
 	//
 	Locale SendRequestLocale `json:"locale,omitempty"`
+	// IntermediateSessionToken: The Intermediate Session Token. This token does not necessarily belong to a
+	// specific instance of a Member, but represents a bag of factors that may be converted to a member session.
+	//     The token can be used with the
+	// [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms) to complete an MFA
+	// flow;
+	//     the
+	// [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session)
+	// to join a specific Organization that allows the factors represented by the intermediate session token;
+	//     or the
+	// [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member.
+	IntermediateSessionToken string `json:"intermediate_session_token,omitempty"`
+	// SessionToken: A secret token for a given Stytch Session.
+	SessionToken string `json:"session_token,omitempty"`
+	// SessionJWT: The JSON Web Token (JWT) for a given Stytch Session.
+	SessionJWT string `json:"session_jwt,omitempty"`
 }
 
 // AuthenticateResponse: Response type for `Sms.Authenticate`.