Documentation ¶
Index ¶
- type DiscoveryClient
- type DiscoveryIntermediateSessionsClient
- type DiscoveryOrganizationsClient
- type MagicLinksClient
- func (c *MagicLinksClient) Authenticate(ctx context.Context, body *magiclinks.AuthenticateParams) (*magiclinks.AuthenticateResponse, error)
- func (c *MagicLinksClient) AuthenticateWithClaims(ctx context.Context, body *magiclinks.AuthenticateParams, claims any) (*magiclinks.AuthenticateResponse, error)
- type MagicLinksDiscoveryClient
- type MagicLinksEmailClient
- type MagicLinksEmailDiscoveryClient
- type OAuthClient
- type OAuthDiscoveryClient
- type OTPsClient
- type OTPsSmsClient
- func (c *OTPsSmsClient) Authenticate(ctx context.Context, body *sms.AuthenticateParams) (*sms.AuthenticateResponse, error)
- func (c *OTPsSmsClient) AuthenticateWithClaims(ctx context.Context, body *sms.AuthenticateParams, claims any) (*sms.AuthenticateResponse, error)
- func (c *OTPsSmsClient) Send(ctx context.Context, body *sms.SendParams) (*sms.SendResponse, error)
- type OrganizationsClient
- func (c *OrganizationsClient) Create(ctx context.Context, body *organizations.CreateParams) (*organizations.CreateResponse, error)
- func (c *OrganizationsClient) Delete(ctx context.Context, body *organizations.DeleteParams, ...) (*organizations.DeleteResponse, error)
- func (c *OrganizationsClient) Get(ctx context.Context, body *organizations.GetParams) (*organizations.GetResponse, error)
- func (c *OrganizationsClient) Metrics(ctx context.Context, body *organizations.MetricsParams) (*organizations.MetricsResponse, error)
- func (c *OrganizationsClient) Search(ctx context.Context, body *organizations.SearchParams) (*organizations.SearchResponse, error)
- func (c *OrganizationsClient) Update(ctx context.Context, body *organizations.UpdateParams, ...) (*organizations.UpdateResponse, error)
- type OrganizationsMembersClient
- func (c *OrganizationsMembersClient) Create(ctx context.Context, body *members.CreateParams, ...) (*members.CreateResponse, error)
- func (c *OrganizationsMembersClient) DangerouslyGet(ctx context.Context, body *members.DangerouslyGetParams) (*members.GetResponse, error)
- func (c *OrganizationsMembersClient) Delete(ctx context.Context, body *members.DeleteParams, ...) (*members.DeleteResponse, error)
- func (c *OrganizationsMembersClient) DeleteMFAPhoneNumber(ctx context.Context, body *members.DeleteMFAPhoneNumberParams, ...) (*members.DeleteMFAPhoneNumberResponse, error)
- func (c *OrganizationsMembersClient) DeletePassword(ctx context.Context, body *members.DeletePasswordParams, ...) (*members.DeletePasswordResponse, error)
- func (c *OrganizationsMembersClient) DeleteTOTP(ctx context.Context, body *members.DeleteTOTPParams, ...) (*members.DeleteTOTPResponse, error)
- func (c *OrganizationsMembersClient) Get(ctx context.Context, body *members.GetParams) (*members.GetResponse, error)
- func (c *OrganizationsMembersClient) OIDCProviders(ctx context.Context, body *members.OIDCProviderInformationParams) (*members.OIDCProvidersResponse, error)
- func (c *OrganizationsMembersClient) Reactivate(ctx context.Context, body *members.ReactivateParams, ...) (*members.ReactivateResponse, error)
- func (c *OrganizationsMembersClient) Search(ctx context.Context, body *members.SearchParams, ...) (*members.SearchResponse, error)
- func (c *OrganizationsMembersClient) UnlinkRetiredEmail(ctx context.Context, body *members.UnlinkRetiredEmailParams, ...) (*members.UnlinkRetiredEmailResponse, error)
- func (c *OrganizationsMembersClient) Update(ctx context.Context, body *members.UpdateParams, ...) (*members.UpdateResponse, error)
- type OrganizationsMembersOAuthProvidersClient
- func (c *OrganizationsMembersOAuthProvidersClient) Google(ctx context.Context, body *oauthproviders.ProviderInformationParams) (*oauthproviders.GoogleResponse, error)
- func (c *OrganizationsMembersOAuthProvidersClient) Microsoft(ctx context.Context, body *oauthproviders.ProviderInformationParams) (*oauthproviders.MicrosoftResponse, error)
- type PasswordsClient
- func (c *PasswordsClient) Authenticate(ctx context.Context, body *passwords.AuthenticateParams) (*passwords.AuthenticateResponse, error)
- func (c *PasswordsClient) AuthenticateWithClaims(ctx context.Context, body *passwords.AuthenticateParams, claims any) (*passwords.AuthenticateResponse, error)
- func (c *PasswordsClient) Migrate(ctx context.Context, body *passwords.MigrateParams) (*passwords.MigrateResponse, error)
- func (c *PasswordsClient) StrengthCheck(ctx context.Context, body *passwords.StrengthCheckParams) (*passwords.StrengthCheckResponse, error)
- type PasswordsEmailClient
- func (c *PasswordsEmailClient) Delete(ctx context.Context, body *email.DeleteParams) (*email.DeleteResponse, error)
- func (c *PasswordsEmailClient) Reset(ctx context.Context, body *email.ResetParams) (*email.ResetResponse, error)
- func (c *PasswordsEmailClient) ResetStart(ctx context.Context, body *email.ResetStartParams) (*email.ResetStartResponse, error)
- type PasswordsExistingPasswordClient
- type PasswordsSessionsClient
- type PolicyCache
- type RBACClient
- type RecoveryCodesClient
- func (c *RecoveryCodesClient) Get(ctx context.Context, body *recoverycodes.GetParams) (*recoverycodes.GetResponse, error)
- func (c *RecoveryCodesClient) Recover(ctx context.Context, body *recoverycodes.RecoverParams) (*recoverycodes.RecoverResponse, error)
- func (c *RecoveryCodesClient) Rotate(ctx context.Context, body *recoverycodes.RotateParams) (*recoverycodes.RotateResponse, error)
- type SCIMClient
- type SCIMConnectionClient
- func (c *SCIMConnectionClient) Create(ctx context.Context, body *connection.CreateParams, ...) (*connection.CreateResponse, error)
- func (c *SCIMConnectionClient) Delete(ctx context.Context, body *connection.DeleteParams, ...) (*connection.DeleteResponse, error)
- func (c *SCIMConnectionClient) Get(ctx context.Context, body *connection.GetParams, ...) (*connection.GetResponse, error)
- func (c *SCIMConnectionClient) GetGroups(ctx context.Context, body *connection.GetGroupsParams, ...) (*connection.GetGroupsResponse, error)
- func (c *SCIMConnectionClient) RotateCancel(ctx context.Context, body *connection.RotateCancelParams, ...) (*connection.RotateCancelResponse, error)
- func (c *SCIMConnectionClient) RotateComplete(ctx context.Context, body *connection.RotateCompleteParams, ...) (*connection.RotateCompleteResponse, error)
- func (c *SCIMConnectionClient) RotateStart(ctx context.Context, body *connection.RotateStartParams, ...) (*connection.RotateStartResponse, error)
- func (c *SCIMConnectionClient) Update(ctx context.Context, body *connection.UpdateParams, ...) (*connection.UpdateResponse, error)
- type SSOClient
- func (c *SSOClient) Authenticate(ctx context.Context, body *sso.AuthenticateParams) (*sso.AuthenticateResponse, error)
- func (c *SSOClient) AuthenticateWithClaims(ctx context.Context, body *sso.AuthenticateParams, claims any) (*sso.AuthenticateResponse, error)
- func (c *SSOClient) DeleteConnection(ctx context.Context, body *sso.DeleteConnectionParams, ...) (*sso.DeleteConnectionResponse, error)
- func (c *SSOClient) GetConnections(ctx context.Context, body *sso.GetConnectionsParams, ...) (*sso.GetConnectionsResponse, error)
- type SSOOIDCClient
- type SSOSAMLClient
- func (c *SSOSAMLClient) CreateConnection(ctx context.Context, body *saml.CreateConnectionParams, ...) (*saml.CreateConnectionResponse, error)
- func (c *SSOSAMLClient) DeleteVerificationCertificate(ctx context.Context, body *saml.DeleteVerificationCertificateParams, ...) (*saml.DeleteVerificationCertificateResponse, error)
- func (c *SSOSAMLClient) UpdateByURL(ctx context.Context, body *saml.UpdateByURLParams, ...) (*saml.UpdateByURLResponse, error)
- func (c *SSOSAMLClient) UpdateConnection(ctx context.Context, body *saml.UpdateConnectionParams, ...) (*saml.UpdateConnectionResponse, error)
- type SessionsClient
- func (c *SessionsClient) Authenticate(ctx context.Context, body *sessions.AuthenticateParams) (*sessions.AuthenticateResponse, error)
- func (c *SessionsClient) AuthenticateJWT(ctx context.Context, params *sessions.AuthenticateJWTParams) (*sessions.AuthenticateResponse, error)
- func (c *SessionsClient) AuthenticateJWTLocal(ctx context.Context, token string, maxTokenAge time.Duration, ...) (*sessions.MemberSession, error)
- func (c *SessionsClient) AuthenticateJWTWithClaims(ctx context.Context, maxTokenAge time.Duration, ...) (*sessions.AuthenticateResponse, error)
- func (c *SessionsClient) AuthenticateWithClaims(ctx context.Context, body *sessions.AuthenticateParams, claims any) (*sessions.AuthenticateResponse, error)
- func (c *SessionsClient) Exchange(ctx context.Context, body *sessions.ExchangeParams) (*sessions.ExchangeResponse, error)
- func (c *SessionsClient) Get(ctx context.Context, body *sessions.GetParams) (*sessions.GetResponse, error)
- func (c *SessionsClient) GetJWKS(ctx context.Context, body *sessions.GetJWKSParams) (*sessions.GetJWKSResponse, error)
- func (c *SessionsClient) Migrate(ctx context.Context, body *sessions.MigrateParams) (*sessions.MigrateResponse, error)
- func (c *SessionsClient) Revoke(ctx context.Context, body *sessions.RevokeParams, ...) (*sessions.RevokeResponse, error)
- type TOTPsClient
- func (c *TOTPsClient) Authenticate(ctx context.Context, body *totps.AuthenticateParams) (*totps.AuthenticateResponse, error)
- func (c *TOTPsClient) AuthenticateWithClaims(ctx context.Context, body *totps.AuthenticateParams, claims any) (*totps.AuthenticateResponse, error)
- func (c *TOTPsClient) Create(ctx context.Context, body *totps.CreateParams) (*totps.CreateResponse, error)
- func (c *TOTPsClient) Migrate(ctx context.Context, body *totps.MigrateParams) (*totps.MigrateResponse, error)
Examples ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type DiscoveryClient ¶
type DiscoveryClient struct { C stytch.Client IntermediateSessions *DiscoveryIntermediateSessionsClient Organizations *DiscoveryOrganizationsClient }
func NewDiscoveryClient ¶
func NewDiscoveryClient(c stytch.Client) *DiscoveryClient
type DiscoveryIntermediateSessionsClient ¶
func NewDiscoveryIntermediateSessionsClient ¶
func NewDiscoveryIntermediateSessionsClient(c stytch.Client) *DiscoveryIntermediateSessionsClient
func (*DiscoveryIntermediateSessionsClient) Exchange ¶
func (c *DiscoveryIntermediateSessionsClient) Exchange( ctx context.Context, body *intermediatesessions.ExchangeParams, ) (*intermediatesessions.ExchangeResponse, error)
Exchange an Intermediate Session for a fully realized [Member Session](https://stytch.com/docs/b2b/api/session-object) in a desired [Organization](https://stytch.com/docs/b2b/api/organization-object). This operation consumes the Intermediate Session.
This endpoint can be used to accept invites and create new members via domain matching.
If the is required to complete MFA to log in to the, the returned value of `member_authenticated` will be `false`. The `intermediate_session_token` will not be consumed and instead will be returned in the response. The `intermediate_session_token` can be passed into the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms) to complete the MFA step and acquire a full member session. The `intermediate_session_token` can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to join a different Organization or create a new one. The `session_duration_minutes` and `session_custom_claims` parameters will be ignored.
If the Member is logging in via an OAuth provider that does not fully verify the email, the returned value of `member_authenticated` will be `false`. The `intermediate_session_token` will not be consumed and instead will be returned in the response. The `primary_required` field details the authentication flow the Member must perform in order to [complete a step-up authentication](https://stytch.com/docs/b2b/guides/oauth/auth-flows) into the organization. The `intermediate_session_token` must be passed into that authentication flow.
type DiscoveryOrganizationsClient ¶
func NewDiscoveryOrganizationsClient ¶
func NewDiscoveryOrganizationsClient(c stytch.Client) *DiscoveryOrganizationsClient
func (*DiscoveryOrganizationsClient) Create ¶
func (c *DiscoveryOrganizationsClient) Create( ctx context.Context, body *organizations.CreateParams, ) (*organizations.CreateResponse, error)
Create: If an end user does not want to join any already-existing, or has no possible Organizations to join, this endpoint can be used to create a new [Organization](https://stytch.com/docs/b2b/api/organization-object) and [Member](https://stytch.com/docs/b2b/api/member-object).
This operation consumes the Intermediate Session.
This endpoint will also create an initial Member Session for the newly created Member.
The created by this endpoint will automatically be granted the `stytch_admin` Role. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/stytch-default) for more details on this Role.
If the new Organization is created with a `mfa_policy` of `REQUIRED_FOR_ALL`, the newly created Member will need to complete an MFA step to log in to the Organization. The `intermediate_session_token` will not be consumed and instead will be returned in the response. The `intermediate_session_token` can be passed into the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms) to complete the MFA step and acquire a full member session. The `intermediate_session_token` can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to join a different Organization or create a new one. The `session_duration_minutes` and `session_custom_claims` parameters will be ignored.
func (*DiscoveryOrganizationsClient) List ¶
func (c *DiscoveryOrganizationsClient) List( ctx context.Context, body *organizations.ListParams, ) (*organizations.ListResponse, error)
List all possible organization relationships connected to a [Member Session](https://stytch.com/docs/b2b/api/session-object) or Intermediate Session.
When a Member Session is passed in, relationships with a type of `active_member`, `pending_member`, or `invited_member` will be returned, and any membership can be assumed by calling the [Exchange Session](https://stytch.com/docs/b2b/api/exchange-session) endpoint.
When an Intermediate Session is passed in, all relationship types - `active_member`, `pending_member`, `invited_member`, and `eligible_to_join_by_email_domain` - will be returned, and any membership can be assumed by calling the [Exchange Intermediate Session](https://stytch.com/docs/b2b/api/exchange-intermediate-session) endpoint.
This endpoint requires either an `intermediate_session_token`, `session_jwt` or `session_token` be included in the request. It will return an error if multiple are present.
This operation does not consume the Intermediate Session or Session Token passed in.
type MagicLinksClient ¶
type MagicLinksClient struct { C stytch.Client Email *MagicLinksEmailClient Discovery *MagicLinksDiscoveryClient }
func NewMagicLinksClient ¶
func NewMagicLinksClient(c stytch.Client) *MagicLinksClient
func (*MagicLinksClient) Authenticate ¶
func (c *MagicLinksClient) Authenticate( ctx context.Context, body *magiclinks.AuthenticateParams, ) (*magiclinks.AuthenticateResponse, error)
Authenticate a with a Magic Link. This endpoint requires a Magic Link token that is not expired or previously used. If the Member’s status is `pending` or `invited`, they will be updated to `active`. Provide the `session_duration_minutes` parameter to set the lifetime of the session. If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration.
If the Member is required to complete MFA to log in to the, the returned value of `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned. The `intermediate_session_token` can be passed into the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete the MFA step and acquire a full member session. The `intermediate_session_token` can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to join a different Organization or create a new one. The `session_duration_minutes` and `session_custom_claims` parameters will be ignored.
If a valid `session_token` or `session_jwt` is passed in, the Member will not be required to complete an MFA step.
func (*MagicLinksClient) AuthenticateWithClaims ¶
func (c *MagicLinksClient) AuthenticateWithClaims( ctx context.Context, body *magiclinks.AuthenticateParams, claims any, ) (*magiclinks.AuthenticateResponse, error)
AuthenticateWithClaims fills in the claims pointer with custom claims from the response. Pass in a map with the types of values you're expecting so that this function can marshal the claims from the response. See ExampleClient_AuthenticateWithClaims_map, ExampleClient_AuthenticateWithClaims_struct for examples
type MagicLinksDiscoveryClient ¶
func NewMagicLinksDiscoveryClient ¶
func NewMagicLinksDiscoveryClient(c stytch.Client) *MagicLinksDiscoveryClient
func (*MagicLinksDiscoveryClient) Authenticate ¶
func (c *MagicLinksDiscoveryClient) Authenticate( ctx context.Context, body *discovery.AuthenticateParams, ) (*discovery.AuthenticateResponse, error)
Authenticate: Authenticates the Discovery Magic Link token and exchanges it for an Intermediate Session Token. Intermediate Session Tokens can be used for various Discovery login flows and are valid for 10 minutes.
type MagicLinksEmailClient ¶
type MagicLinksEmailClient struct { C stytch.Client Discovery *MagicLinksEmailDiscoveryClient }
func NewMagicLinksEmailClient ¶
func NewMagicLinksEmailClient(c stytch.Client) *MagicLinksEmailClient
func (*MagicLinksEmailClient) Invite ¶
func (c *MagicLinksEmailClient) Invite( ctx context.Context, body *email.InviteParams, methodOptions ...*email.InviteRequestOptions, ) (*email.InviteResponse, error)
Invite: Send an invite email to a new to join an. The Member will be created with an `invited` status until they successfully authenticate. Sending invites to `pending` Members will update their status to `invited`. Sending invites to already `active` Members will return an error.
The magic link invite will be valid for 1 week.
func (*MagicLinksEmailClient) LoginOrSignup ¶
func (c *MagicLinksEmailClient) LoginOrSignup( ctx context.Context, body *email.LoginOrSignupParams, ) (*email.LoginOrSignupResponse, error)
LoginOrSignup: Send either a login or signup magic link to a Member. A new, pending, or invited Member will receive a signup Email Magic Link. Members will have a `pending` status until they successfully authenticate. An active Member will receive a login Email Magic Link.
The magic link is valid for 60 minutes.
type MagicLinksEmailDiscoveryClient ¶
func NewMagicLinksEmailDiscoveryClient ¶
func NewMagicLinksEmailDiscoveryClient(c stytch.Client) *MagicLinksEmailDiscoveryClient
func (*MagicLinksEmailDiscoveryClient) Send ¶
func (c *MagicLinksEmailDiscoveryClient) Send( ctx context.Context, body *discovery.SendParams, ) (*discovery.SendResponse, error)
Send a discovery magic link to an email address. The magic link is valid for 60 minutes.
type OAuthClient ¶
type OAuthClient struct { C stytch.Client Discovery *OAuthDiscoveryClient }
func NewOAuthClient ¶
func NewOAuthClient(c stytch.Client) *OAuthClient
func (*OAuthClient) Authenticate ¶
func (c *OAuthClient) Authenticate( ctx context.Context, body *oauth.AuthenticateParams, ) (*oauth.AuthenticateResponse, error)
Authenticate a given a `token`. This endpoint verifies that the member completed the flow by verifying that the token is valid and hasn't expired. Provide the `session_duration_minutes` parameter to set the lifetime of the session. If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration.
If the Member is required to complete MFA to log in to the, the returned value of `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned. The `intermediate_session_token` can be passed into the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms) to complete the MFA step and acquire a full member session. The `intermediate_session_token` can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to join a different Organization or create a new one. The `session_duration_minutes` and `session_custom_claims` parameters will be ignored.
If a valid `session_token` or `session_jwt` is passed in, the Member will not be required to complete an MFA step.
If the Member is logging in via an OAuth provider that does not fully verify the email, the returned value of `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned. The `primary_required` field details the authentication flow the Member must perform in order to [complete a step-up authentication](https://stytch.com/docs/b2b/guides/oauth/auth-flows) into the organization. The `intermediate_session_token` must be passed into that authentication flow.
We’re actively accepting requests for new OAuth providers! Please [email us](mailto:support@stytch.com) or [post in our community](https://stytch.com/docs/b2b/resources) if you are looking for an OAuth provider that is not currently supported.
func (*OAuthClient) AuthenticateWithClaims ¶
func (c *OAuthClient) AuthenticateWithClaims( ctx context.Context, body *oauth.AuthenticateParams, claims any, ) (*oauth.AuthenticateResponse, error)
AuthenticateWithClaims fills in the claims pointer with custom claims from the response. Pass in a map with the types of values you're expecting so that this function can marshal the claims from the response. See ExampleClient_AuthenticateWithClaims_map, ExampleClient_AuthenticateWithClaims_struct for examples
type OAuthDiscoveryClient ¶
func NewOAuthDiscoveryClient ¶
func NewOAuthDiscoveryClient(c stytch.Client) *OAuthDiscoveryClient
func (*OAuthDiscoveryClient) Authenticate ¶
func (c *OAuthDiscoveryClient) Authenticate( ctx context.Context, body *discovery.AuthenticateParams, ) (*discovery.AuthenticateResponse, error)
Authenticate: Authenticates the Discovery token and exchanges it for an Intermediate Session Token. Intermediate Session Tokens can be used for various Discovery login flows and are valid for 10 minutes.
type OTPsClient ¶
type OTPsClient struct { C stytch.Client Sms *OTPsSmsClient }
func NewOTPsClient ¶
func NewOTPsClient(c stytch.Client) *OTPsClient
type OTPsSmsClient ¶
func NewOTPsSmsClient ¶
func NewOTPsSmsClient(c stytch.Client) *OTPsSmsClient
func (*OTPsSmsClient) Authenticate ¶
func (c *OTPsSmsClient) Authenticate( ctx context.Context, body *sms.AuthenticateParams, ) (*sms.AuthenticateResponse, error)
Authenticate: SMS OTPs may not be used as a primary authentication mechanism. They can be used to complete an MFA requirement, or they can be used as a step-up factor to be added to an existing session.
This endpoint verifies that the one-time passcode (OTP) is valid and hasn't expired or been previously used. A given Member may only have a single active OTP code at any given time. If a Member requests another OTP code before the first one has expired, the first one will be invalidated.
Exactly one of `intermediate_session_token`, `session_token`, or `session_jwt` must be provided in the request. If an intermediate session token is provided, this operation will consume it.
Intermediate session tokens are generated upon successful calls to primary authenticate methods in the case where MFA is required, such as [email magic link authenticate](https://stytch.com/docs/b2b/api/authenticate-magic-link), or upon successful calls to discovery authenticate methods, such as [email magic link discovery authenticate](https://stytch.com/docs/b2b/api/authenticate-discovery-magic-link).
If the's MFA policy is `REQUIRED_FOR_ALL`, a successful OTP authentication will change the's `mfa_enrolled` status to `true` if it is not already `true`. If the Organization's MFA policy is `OPTIONAL`, the Member's MFA enrollment can be toggled by passing in a value for the `set_mfa_enrollment` field. The Member's MFA enrollment can also be toggled through the [Update Member](https://stytch.com/docs/b2b/api/update-member) endpoint.
Provide the `session_duration_minutes` parameter to set the lifetime of the session. If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a duration of 60 minutes.
func (*OTPsSmsClient) AuthenticateWithClaims ¶
func (c *OTPsSmsClient) AuthenticateWithClaims( ctx context.Context, body *sms.AuthenticateParams, claims any, ) (*sms.AuthenticateResponse, error)
AuthenticateWithClaims fills in the claims pointer with custom claims from the response. Pass in a map with the types of values you're expecting so that this function can marshal the claims from the response. See ExampleClient_AuthenticateWithClaims_map, ExampleClient_AuthenticateWithClaims_struct for examples
func (*OTPsSmsClient) Send ¶
func (c *OTPsSmsClient) Send( ctx context.Context, body *sms.SendParams, ) (*sms.SendResponse, error)
Send a One-Time Passcode (OTP) to a's phone number.
If the Member already has a phone number, the `mfa_phone_number` field is not needed; the endpoint will send an OTP to the number associated with the Member. If the Member does not have a phone number, the endpoint will send an OTP to the `mfa_phone_number` provided and link the `mfa_phone_number` with the Member.
An error will be thrown if the Member already has a phone number and the provided `mfa_phone_number` does not match the existing one.
Note that sending another OTP code before the first has expired will invalidate the first code.
If a Member has a phone number and is enrolled in MFA, then after a successful primary authentication event (e.g. [email magic link](https://stytch.com/docs/b2b/api/authenticate-magic-link) or [SSO](https://stytch.com/docs/b2b/api/sso-authenticate) login is complete), an SMS OTP will automatically be sent to their phone number. In that case, this endpoint should only be used for subsequent authentication events, such as prompting a Member for an OTP again after a period of inactivity.
Passing an intermediate session token, session token, or session JWT is not required, but if passed must match the Member ID passed.
### Cost to send SMS OTP Before configuring SMS or WhatsApp OTPs, please review how Stytch [bills the costs of international OTPs](https://stytch.com/pricing) and understand how to protect your app against [toll fraud](https://stytch.com/docs/guides/passcodes/toll-fraud/overview).
Even when international SMS is enabled, we do not support sending SMS to countries on our [Unsupported countries list](https://stytch.com/docs/guides/passcodes/unsupported-countries).
__Note:__ SMS to phone numbers outside of the US and Canada is disabled by default for customers who did not use SMS prior to October 2023. If you're interested in sending international SMS, please reach out to [support@stytch.com](mailto:support@stytch.com?subject=Enable%20international%20SMS).
type OrganizationsClient ¶
type OrganizationsClient struct { C stytch.Client Members *OrganizationsMembersClient }
func NewOrganizationsClient ¶
func NewOrganizationsClient(c stytch.Client) *OrganizationsClient
func (*OrganizationsClient) Create ¶
func (c *OrganizationsClient) Create( ctx context.Context, body *organizations.CreateParams, ) (*organizations.CreateResponse, error)
Create: Creates an. An `organization_name` and a unique `organization_slug` are required.
By default, `email_invites` and `sso_jit_provisioning` will be set to `ALL_ALLOWED`, and `mfa_policy` will be set to `OPTIONAL` if no Organization authentication settings are explicitly defined in the request.
*See the [Organization authentication settings](https://stytch.com/docs/b2b/api/org-auth-settings) resource to learn more about fields like `email_jit_provisioning`, `email_invites`, `sso_jit_provisioning`, etc., and their behaviors.
func (*OrganizationsClient) Delete ¶
func (c *OrganizationsClient) Delete( ctx context.Context, body *organizations.DeleteParams, methodOptions ...*organizations.DeleteRequestOptions, ) (*organizations.DeleteResponse, error)
Delete: Deletes an specified by `organization_id`. All Members of the Organization will also be deleted.
func (*OrganizationsClient) Get ¶
func (c *OrganizationsClient) Get( ctx context.Context, body *organizations.GetParams, ) (*organizations.GetResponse, error)
Get: Returns an specified by `organization_id`.
func (*OrganizationsClient) Metrics ¶
func (c *OrganizationsClient) Metrics( ctx context.Context, body *organizations.MetricsParams, ) (*organizations.MetricsResponse, error)
func (*OrganizationsClient) Search ¶
func (c *OrganizationsClient) Search( ctx context.Context, body *organizations.SearchParams, ) (*organizations.SearchResponse, error)
Search for Organizations. If you send a request with no body params, no filtering will be applied and the endpoint will return all Organizations. All fuzzy search filters require a minimum of three characters.
func (*OrganizationsClient) Update ¶
func (c *OrganizationsClient) Update( ctx context.Context, body *organizations.UpdateParams, methodOptions ...*organizations.UpdateRequestOptions, ) (*organizations.UpdateResponse, error)
Update: Updates an specified by `organization_id`. An Organization must always have at least one auth setting set to either `RESTRICTED` or `ALL_ALLOWED` in order to provision new Members.
*See the [Organization authentication settings](https://stytch.com/docs/b2b/api/org-auth-settings) resource to learn more about fields like `email_jit_provisioning`, `email_invites`, `sso_jit_provisioning`, etc., and their behaviors.
type OrganizationsMembersClient ¶
type OrganizationsMembersClient struct { C stytch.Client OAuthProviders *OrganizationsMembersOAuthProvidersClient }
func NewOrganizationsMembersClient ¶
func NewOrganizationsMembersClient(c stytch.Client) *OrganizationsMembersClient
func (*OrganizationsMembersClient) Create ¶
func (c *OrganizationsMembersClient) Create( ctx context.Context, body *members.CreateParams, methodOptions ...*members.CreateRequestOptions, ) (*members.CreateResponse, error)
Create: Creates a. An `organization_id` and `email_address` are required.
func (*OrganizationsMembersClient) DangerouslyGet ¶
func (c *OrganizationsMembersClient) DangerouslyGet( ctx context.Context, body *members.DangerouslyGetParams, ) (*members.GetResponse, error)
DangerouslyGet: Get a Member by `member_id`. This endpoint does not require an `organization_id`, enabling you to get members across organizations. This is a dangerous operation. Incorrect use may open you up to indirect object reference (IDOR) attacks. We recommend using the [Get Member](https://stytch.com/docs/b2b/api/get-member) API instead.
func (*OrganizationsMembersClient) Delete ¶
func (c *OrganizationsMembersClient) Delete( ctx context.Context, body *members.DeleteParams, methodOptions ...*members.DeleteRequestOptions, ) (*members.DeleteResponse, error)
Delete: Deletes a specified by `organization_id` and `member_id`.
func (*OrganizationsMembersClient) DeleteMFAPhoneNumber ¶
func (c *OrganizationsMembersClient) DeleteMFAPhoneNumber( ctx context.Context, body *members.DeleteMFAPhoneNumberParams, methodOptions ...*members.DeleteMFAPhoneNumberRequestOptions, ) (*members.DeleteMFAPhoneNumberResponse, error)
DeleteMFAPhoneNumber: Delete a's MFA phone number.
To change a Member's phone number, you must first call this endpoint to delete the existing phone number.
Existing Member Sessions that include a phone number authentication factor will not be revoked if the phone number is deleted, and MFA will not be enforced until the Member logs in again. If you wish to enforce MFA immediately after a phone number is deleted, you can do so by prompting the Member to enter a new phone number and calling the [OTP SMS send](https://stytch.com/docs/b2b/api/otp-sms-send) endpoint, then calling the [OTP SMS Authenticate](https://stytch.com/docs/b2b/api/authenticate-otp-sms) endpoint.
func (*OrganizationsMembersClient) DeletePassword ¶
func (c *OrganizationsMembersClient) DeletePassword( ctx context.Context, body *members.DeletePasswordParams, methodOptions ...*members.DeletePasswordRequestOptions, ) (*members.DeletePasswordResponse, error)
DeletePassword: Delete a's password.
func (*OrganizationsMembersClient) DeleteTOTP ¶
func (c *OrganizationsMembersClient) DeleteTOTP( ctx context.Context, body *members.DeleteTOTPParams, methodOptions ...*members.DeleteTOTPRequestOptions, ) (*members.DeleteTOTPResponse, error)
DeleteTOTP: Delete a Member's MFA TOTP registration.
To mint a new registration for a Member, you must first call this endpoint to delete the existing registration.
Existing Member Sessions that include the TOTP authentication factor will not be revoked if the registration is deleted, and MFA will not be enforced until the Member logs in again.
func (*OrganizationsMembersClient) Get ¶
func (c *OrganizationsMembersClient) Get( ctx context.Context, body *members.GetParams, ) (*members.GetResponse, error)
Get a Member by `member_id` or `email_address`.
func (*OrganizationsMembersClient) OIDCProviders ¶ added in v15.7.0
func (c *OrganizationsMembersClient) OIDCProviders( ctx context.Context, body *members.OIDCProviderInformationParams, ) (*members.OIDCProvidersResponse, error)
func (*OrganizationsMembersClient) Reactivate ¶
func (c *OrganizationsMembersClient) Reactivate( ctx context.Context, body *members.ReactivateParams, methodOptions ...*members.ReactivateRequestOptions, ) (*members.ReactivateResponse, error)
Reactivate: Reactivates a deleted's status and its associated email status (if applicable) to active, specified by `organization_id` and `member_id`. This endpoint will only work for Members with at least one verified email where their `email_address_verified` is `true`.
func (*OrganizationsMembersClient) Search ¶
func (c *OrganizationsMembersClient) Search( ctx context.Context, body *members.SearchParams, methodOptions ...*members.SearchRequestOptions, ) (*members.SearchResponse, error)
Search for Members within specified Organizations. An array with at least one `organization_id` is required. Submitting an empty `query` returns all non-deleted Members within the specified Organizations.
*All fuzzy search filters require a minimum of three characters.
func (*OrganizationsMembersClient) UnlinkRetiredEmail ¶ added in v15.2.0
func (c *OrganizationsMembersClient) UnlinkRetiredEmail( ctx context.Context, body *members.UnlinkRetiredEmailParams, methodOptions ...*members.UnlinkRetiredEmailRequestOptions, ) (*members.UnlinkRetiredEmailResponse, error)
UnlinkRetiredEmail: Unlinks a retired email address from a specified by their `organization_id` and `member_id`. The email address to be retired can be identified in the request body by either its `email_id`, its `email_address`, or both. If using both identifiers they must refer to the same email.
A previously active email address can be marked as retired in one of two ways:
- It's replaced with a new primary email address during an explicit Member update. - A new email address is surfaced by an OAuth, SAML or OIDC provider. In this case the new email address becomes the
Member's primary email address and the old primary email address is retired.
A retired email address cannot be used by other Members in the same Organization. However, unlinking retired email addresses allows them to be subsequently re-used by other Organization Members. Retired email addresses can be viewed on the [Member object](https://stytch.com/docs/b2b/api/member-object).
%}
func (*OrganizationsMembersClient) Update ¶
func (c *OrganizationsMembersClient) Update( ctx context.Context, body *members.UpdateParams, methodOptions ...*members.UpdateRequestOptions, ) (*members.UpdateResponse, error)
Update: Updates a specified by `organization_id` and `member_id`.
type OrganizationsMembersOAuthProvidersClient ¶
func NewOrganizationsMembersOAuthProvidersClient ¶
func NewOrganizationsMembersOAuthProvidersClient(c stytch.Client) *OrganizationsMembersOAuthProvidersClient
func (*OrganizationsMembersOAuthProvidersClient) Google ¶
func (c *OrganizationsMembersOAuthProvidersClient) Google( ctx context.Context, body *oauthproviders.ProviderInformationParams, ) (*oauthproviders.GoogleResponse, error)
Google: Retrieve the saved Google access token and ID token for a member. After a successful OAuth login, Stytch will save the issued access token and ID token from the identity provider. If a refresh token has been issued, Stytch will refresh the access token automatically.
Google One Tap does not return access tokens. If the member has only authenticated through Google One Tap and not through a regular Google OAuth flow, this endpoint will not return any tokens.
__Note:__ Google does not issue a refresh token on every login, and refresh tokens may expire if unused. To force a refresh token to be issued, pass the `?provider_prompt=consent` query param into the [Start Google OAuth flow](https://stytch.com/docs/b2b/api/oauth-google-start) endpoint.
func (*OrganizationsMembersOAuthProvidersClient) Microsoft ¶
func (c *OrganizationsMembersOAuthProvidersClient) Microsoft( ctx context.Context, body *oauthproviders.ProviderInformationParams, ) (*oauthproviders.MicrosoftResponse, error)
Microsoft: Retrieve the saved Microsoft access token and ID token for a member. After a successful OAuth login, Stytch will save the issued access token and ID token from the identity provider. If a refresh token has been issued, Stytch will refresh the access token automatically.
type PasswordsClient ¶
type PasswordsClient struct { C stytch.Client Email *PasswordsEmailClient Sessions *PasswordsSessionsClient ExistingPassword *PasswordsExistingPasswordClient }
func NewPasswordsClient ¶
func NewPasswordsClient(c stytch.Client) *PasswordsClient
func (*PasswordsClient) Authenticate ¶
func (c *PasswordsClient) Authenticate( ctx context.Context, body *passwords.AuthenticateParams, ) (*passwords.AuthenticateResponse, error)
Authenticate a member with their email address and password. This endpoint verifies that the member has a password currently set, and that the entered password is correct.
If you have breach detection during authentication enabled in your [password strength policy](https://stytch.com/docs/b2b/guides/passwords/strength-policies) and the member's credentials have appeared in the HaveIBeenPwned dataset, this endpoint will return a `member_reset_password` error even if the member enters a correct password. We force a password reset in this case to ensure that the member is the legitimate owner of the email address and not a malicious actor abusing the compromised credentials.
If the is required to complete MFA to log in to the, the returned value of `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned. The `intermediate_session_token` can be passed into the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms) to complete the MFA step and acquire a full member session. The `session_duration_minutes` and `session_custom_claims` parameters will be ignored.
If a valid `session_token` or `session_jwt` is passed in, the Member will not be required to complete an MFA step.
func (*PasswordsClient) AuthenticateWithClaims ¶
func (c *PasswordsClient) AuthenticateWithClaims( ctx context.Context, body *passwords.AuthenticateParams, claims any, ) (*passwords.AuthenticateResponse, error)
AuthenticateWithClaims fills in the claims pointer with custom claims from the response. Pass in a map with the types of values you're expecting so that this function can marshal the claims from the response. See ExampleClient_AuthenticateWithClaims_map, ExampleClient_AuthenticateWithClaims_struct for examples
func (*PasswordsClient) Migrate ¶
func (c *PasswordsClient) Migrate( ctx context.Context, body *passwords.MigrateParams, ) (*passwords.MigrateResponse, error)
Migrate: Adds an existing password to a member's email that doesn't have a password yet. We support migrating members from passwords stored with bcrypt, scrypt, argon2, MD-5, SHA-1, and PBKDF2. This endpoint has a rate limit of 100 requests per second.
The member's email will be marked as verified when you use this endpoint.
func (*PasswordsClient) StrengthCheck ¶
func (c *PasswordsClient) StrengthCheck( ctx context.Context, body *passwords.StrengthCheckParams, ) (*passwords.StrengthCheckResponse, error)
StrengthCheck: This API allows you to check whether the user’s provided password is valid, and to provide feedback to the user on how to increase the strength of their password.
This endpoint adapts to your Project's password strength configuration. If you're using [zxcvbn](https://stytch.com/docs/guides/passwords/strength-policy), the default, your passwords are considered valid if the strength score is >= 3. If you're using [LUDS](https://stytch.com/docs/guides/passwords/strength-policy), your passwords are considered valid if they meet the requirements that you've set with Stytch. You may update your password strength configuration in the [stytch dashboard](https://stytch.com/dashboard/password-strength-config).
## Password feedback The zxcvbn_feedback and luds_feedback objects contains relevant fields for you to relay feedback to users that failed to create a strong enough password.
If you're using [zxcvbn](https://stytch.com/docs/guides/passwords/strength-policy), the feedback object will contain warning and suggestions for any password that does not meet the [zxcvbn](https://stytch.com/docs/guides/passwords/strength-policy) strength requirements. You can return these strings directly to the user to help them craft a strong password.
If you're using [LUDS](https://stytch.com/docs/guides/passwords/strength-policy), the feedback object will contain a collection of fields that the user failed or passed. You'll want to prompt the user to create a password that meets all requirements that they failed.
type PasswordsEmailClient ¶
func NewPasswordsEmailClient ¶
func NewPasswordsEmailClient(c stytch.Client) *PasswordsEmailClient
func (*PasswordsEmailClient) Delete ¶ added in v15.6.0
func (c *PasswordsEmailClient) Delete( ctx context.Context, body *email.DeleteParams, ) (*email.DeleteResponse, error)
func (*PasswordsEmailClient) Reset ¶
func (c *PasswordsEmailClient) Reset( ctx context.Context, body *email.ResetParams, ) (*email.ResetResponse, error)
Reset the's password and authenticate them. This endpoint checks that the password reset token is valid, hasn’t expired, or already been used.
The provided password needs to meet our password strength requirements, which can be checked in advance with the password strength endpoint. If the token and password are accepted, the password is securely stored for future authentication and the user is authenticated.
If the Member is required to complete MFA to log in to the Organization, the returned value of `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned. The `intermediate_session_token` can be passed into the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms) to complete the MFA step and acquire a full member session. The `session_duration_minutes` and `session_custom_claims` parameters will be ignored.
If a valid `session_token` or `session_jwt` is passed in, the Member will not be required to complete an MFA step.
Note that a successful password reset by email will revoke all active sessions for the `member_id`.
func (*PasswordsEmailClient) ResetStart ¶
func (c *PasswordsEmailClient) ResetStart( ctx context.Context, body *email.ResetStartParams, ) (*email.ResetStartResponse, error)
ResetStart: Initiates a password reset for the email address provided. This will trigger an email to be sent to the address, containing a magic link that will allow them to set a new password and authenticate.
This endpoint adapts to your Project's password strength configuration. If you're using [zxcvbn](https://stytch.com/docs/guides/passwords/strength-policy), the default, your passwords are considered valid if the strength score is >= 3. If you're using [LUDS](https://stytch.com/docs/guides/passwords/strength-policy), your passwords are considered valid if they meet the requirements that you've set with Stytch. You may update your password strength configuration in the [stytch dashboard](https://stytch.com/dashboard/password-strength-config).
type PasswordsExistingPasswordClient ¶
func NewPasswordsExistingPasswordClient ¶
func NewPasswordsExistingPasswordClient(c stytch.Client) *PasswordsExistingPasswordClient
func (*PasswordsExistingPasswordClient) Reset ¶
func (c *PasswordsExistingPasswordClient) Reset( ctx context.Context, body *existingpassword.ResetParams, ) (*existingpassword.ResetResponse, error)
Reset the’s password using their existing password.
This endpoint adapts to your Project's password strength configuration. If you're using [zxcvbn](https://stytch.com/docs/guides/passwords/strength-policy), the default, your passwords are considered valid if the strength score is >= 3. If you're using [LUDS](https://stytch.com/docs/guides/passwords/strength-policy), your passwords are considered valid if they meet the requirements that you've set with Stytch. You may update your password strength configuration in the [stytch dashboard](https://stytch.com/dashboard/password-strength-config).
If the Member is required to complete MFA to log in to the Organization, the returned value of `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned. The `intermediate_session_token` can be passed into the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms) to complete the MFA step and acquire a full member session. The `session_duration_minutes` and `session_custom_claims` parameters will be ignored.
If a valid `session_token` or `session_jwt` is passed in, the Member will not be required to complete an MFA step.
Note that a successful password reset via an existing password will revoke all active sessions for the `member_id`.
type PasswordsSessionsClient ¶
func NewPasswordsSessionsClient ¶
func NewPasswordsSessionsClient(c stytch.Client) *PasswordsSessionsClient
func (*PasswordsSessionsClient) Reset ¶
func (c *PasswordsSessionsClient) Reset( ctx context.Context, body *session.ResetParams, ) (*session.ResetResponse, error)
Reset the's password using their existing session. The endpoint will error if the session does not contain an authentication factor that has been issued within the last 5 minutes. Either `session_token` or `session_jwt` should be provided.
Note that a successful password reset via an existing session will revoke all active sessions for the `member_id`, except for the one used during the reset flow.
type PolicyCache ¶
type PolicyCache struct {
// contains filtered or unexported fields
}
func NewPolicyCache ¶
func NewPolicyCache(rbacClient *RBACClient) *PolicyCache
type RBACClient ¶
func NewRBACClient ¶
func NewRBACClient(c stytch.Client) *RBACClient
func (*RBACClient) Policy ¶
func (c *RBACClient) Policy( ctx context.Context, body *rbac.PolicyParams, ) (*rbac.PolicyResponse, error)
Policy: Get the active RBAC Policy for your current Stytch Project. An RBAC Policy is the canonical document that stores all defined Resources and Roles within your RBAC permissioning model.
When using the backend SDKs, the RBAC Policy will be cached to allow for local evaluations, eliminating the need for an extra request to Stytch. The policy will be refreshed if an authorization check is requested and the RBAC policy was last updated more than 5 minutes ago.
Resources and Roles can be created and managed within the [Dashboard](/dashboard/rbac). Additionally, [Role assignment](https://stytch.com/docs/b2b/guides/rbac/role-assignment) can be programmatically managed through certain Stytch API endpoints.
Check out the [RBAC overview](https://stytch.com/docs/b2b/guides/rbac/overview) to learn more about Stytch's RBAC permissioning model.
type RecoveryCodesClient ¶
func NewRecoveryCodesClient ¶
func NewRecoveryCodesClient(c stytch.Client) *RecoveryCodesClient
func (*RecoveryCodesClient) Get ¶
func (c *RecoveryCodesClient) Get( ctx context.Context, body *recoverycodes.GetParams, ) (*recoverycodes.GetResponse, error)
Get: Returns a's full set of active recovery codes.
func (*RecoveryCodesClient) Recover ¶
func (c *RecoveryCodesClient) Recover( ctx context.Context, body *recoverycodes.RecoverParams, ) (*recoverycodes.RecoverResponse, error)
Recover: Allows a to complete an MFA flow by consuming a recovery code. This consumes the recovery code and returns a session token that can be used to authenticate the Member.
func (*RecoveryCodesClient) Rotate ¶
func (c *RecoveryCodesClient) Rotate( ctx context.Context, body *recoverycodes.RotateParams, ) (*recoverycodes.RotateResponse, error)
Rotate a's recovery codes. This invalidates all existing recovery codes and generates a new set of recovery codes.
type SCIMClient ¶
type SCIMClient struct { C stytch.Client Connection *SCIMConnectionClient }
func NewSCIMClient ¶
func NewSCIMClient(c stytch.Client) *SCIMClient
type SCIMConnectionClient ¶
func NewSCIMConnectionClient ¶
func NewSCIMConnectionClient(c stytch.Client) *SCIMConnectionClient
func (*SCIMConnectionClient) Create ¶
func (c *SCIMConnectionClient) Create( ctx context.Context, body *connection.CreateParams, methodOptions ...*connection.CreateRequestOptions, ) (*connection.CreateResponse, error)
Create a new SCIM Connection.
func (*SCIMConnectionClient) Delete ¶
func (c *SCIMConnectionClient) Delete( ctx context.Context, body *connection.DeleteParams, methodOptions ...*connection.DeleteRequestOptions, ) (*connection.DeleteResponse, error)
Delete: Deletes a SCIM Connection.
func (*SCIMConnectionClient) Get ¶
func (c *SCIMConnectionClient) Get( ctx context.Context, body *connection.GetParams, methodOptions ...*connection.GetRequestOptions, ) (*connection.GetResponse, error)
Get SCIM Connection.
func (*SCIMConnectionClient) GetGroups ¶ added in v15.2.0
func (c *SCIMConnectionClient) GetGroups( ctx context.Context, body *connection.GetGroupsParams, methodOptions ...*connection.GetGroupsRequestOptions, ) (*connection.GetGroupsResponse, error)
GetGroups: Gets a paginated list of all SCIM Groups associated with a given Connection.
func (*SCIMConnectionClient) RotateCancel ¶
func (c *SCIMConnectionClient) RotateCancel( ctx context.Context, body *connection.RotateCancelParams, methodOptions ...*connection.RotateCancelRequestOptions, ) (*connection.RotateCancelResponse, error)
RotateCancel: Cancel a SCIM token rotation. This will cancel the current token rotation process, keeping the original token active.
func (*SCIMConnectionClient) RotateComplete ¶
func (c *SCIMConnectionClient) RotateComplete( ctx context.Context, body *connection.RotateCompleteParams, methodOptions ...*connection.RotateCompleteRequestOptions, ) (*connection.RotateCompleteResponse, error)
RotateComplete: Completes a SCIM token rotation. This will complete the current token rotation process and update the active token to be the new token supplied in the [start SCIM token rotation](https://stytch.com/docs/b2b/api/scim-rotate-token-start) response.
func (*SCIMConnectionClient) RotateStart ¶
func (c *SCIMConnectionClient) RotateStart( ctx context.Context, body *connection.RotateStartParams, methodOptions ...*connection.RotateStartRequestOptions, ) (*connection.RotateStartResponse, error)
RotateStart: Start a SCIM token rotation.
func (*SCIMConnectionClient) Update ¶
func (c *SCIMConnectionClient) Update( ctx context.Context, body *connection.UpdateParams, methodOptions ...*connection.UpdateRequestOptions, ) (*connection.UpdateResponse, error)
Update a SCIM Connection.
type SSOClient ¶
type SSOClient struct { C stytch.Client OIDC *SSOOIDCClient SAML *SSOSAMLClient }
func NewSSOClient ¶
func (*SSOClient) Authenticate ¶
func (c *SSOClient) Authenticate( ctx context.Context, body *sso.AuthenticateParams, ) (*sso.AuthenticateResponse, error)
Authenticate a user given a token. This endpoint verifies that the user completed the SSO Authentication flow by verifying that the token is valid and hasn't expired. Provide the `session_duration_minutes` parameter to set the lifetime of the session. If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. To link this authentication event to an existing Stytch session, include either the `session_token` or `session_jwt` param.
If the is required to complete MFA to log in to the, the returned value of `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned. The `intermediate_session_token` can be passed into the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete the MFA step and acquire a full member session. The `session_duration_minutes` and `session_custom_claims` parameters will be ignored.
If a valid `session_token` or `session_jwt` is passed in, the Member will not be required to complete an MFA step.
func (*SSOClient) AuthenticateWithClaims ¶
func (c *SSOClient) AuthenticateWithClaims( ctx context.Context, body *sso.AuthenticateParams, claims any, ) (*sso.AuthenticateResponse, error)
AuthenticateWithClaims fills in the claims pointer with custom claims from the response. Pass in a map with the types of values you're expecting so that this function can marshal the claims from the response. See ExampleClient_AuthenticateWithClaims_map, ExampleClient_AuthenticateWithClaims_struct for examples
func (*SSOClient) DeleteConnection ¶
func (c *SSOClient) DeleteConnection( ctx context.Context, body *sso.DeleteConnectionParams, methodOptions ...*sso.DeleteConnectionRequestOptions, ) (*sso.DeleteConnectionResponse, error)
DeleteConnection: Delete an existing SSO connection.
func (*SSOClient) GetConnections ¶
func (c *SSOClient) GetConnections( ctx context.Context, body *sso.GetConnectionsParams, methodOptions ...*sso.GetConnectionsRequestOptions, ) (*sso.GetConnectionsResponse, error)
GetConnections: Get all SSO Connections owned by the organization.
type SSOOIDCClient ¶
func NewSSOOIDCClient ¶
func NewSSOOIDCClient(c stytch.Client) *SSOOIDCClient
func (*SSOOIDCClient) CreateConnection ¶
func (c *SSOOIDCClient) CreateConnection( ctx context.Context, body *oidc.CreateConnectionParams, methodOptions ...*oidc.CreateConnectionRequestOptions, ) (*oidc.CreateConnectionResponse, error)
CreateConnection: Create a new OIDC Connection.
func (*SSOOIDCClient) UpdateConnection ¶
func (c *SSOOIDCClient) UpdateConnection( ctx context.Context, body *oidc.UpdateConnectionParams, methodOptions ...*oidc.UpdateConnectionRequestOptions, ) (*oidc.UpdateConnectionResponse, error)
UpdateConnection: Updates an existing OIDC connection.
When the value of `issuer` changes, Stytch will attempt to retrieve the [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata) document found at `$/.well-known/openid-configuration`. If the metadata document can be retrieved successfully, Stytch will use it to infer the values of `authorization_url`, `token_url`, `jwks_url`, and `userinfo_url`. The `client_id` and `client_secret` values cannot be inferred from the metadata document, and *must* be passed in explicitly.
If the metadata document cannot be retrieved, Stytch will still update the connection using values from the request body.
If the metadata document can be retrieved, and values are passed in the request body, the explicit values passed in from the request body will take precedence over the values inferred from the metadata document.
Note that a newly created connection will not become active until all of the following fields are provided: * `issuer` * `client_id` * `client_secret` * `authorization_url` * `token_url` * `userinfo_url` * `jwks_url`
type SSOSAMLClient ¶
func NewSSOSAMLClient ¶
func NewSSOSAMLClient(c stytch.Client) *SSOSAMLClient
func (*SSOSAMLClient) CreateConnection ¶
func (c *SSOSAMLClient) CreateConnection( ctx context.Context, body *saml.CreateConnectionParams, methodOptions ...*saml.CreateConnectionRequestOptions, ) (*saml.CreateConnectionResponse, error)
CreateConnection: Create a new SAML Connection.
func (*SSOSAMLClient) DeleteVerificationCertificate ¶
func (c *SSOSAMLClient) DeleteVerificationCertificate( ctx context.Context, body *saml.DeleteVerificationCertificateParams, methodOptions ...*saml.DeleteVerificationCertificateRequestOptions, ) (*saml.DeleteVerificationCertificateResponse, error)
DeleteVerificationCertificate: Delete a SAML verification certificate.
You may need to do this when rotating certificates from your IdP, since Stytch allows a maximum of 5 certificates per connection. There must always be at least one certificate per active connection.
func (*SSOSAMLClient) UpdateByURL ¶
func (c *SSOSAMLClient) UpdateByURL( ctx context.Context, body *saml.UpdateByURLParams, methodOptions ...*saml.UpdateByURLRequestOptions, ) (*saml.UpdateByURLResponse, error)
UpdateByURL: Used to update an existing SAML connection using an IDP metadata URL.
A newly created connection will not become active until all the following are provided: * `idp_sso_url` * `idp_entity_id` * `x509_certificate` * `attribute_mapping` (must be supplied using [Update SAML Connection](update-saml-connection))
func (*SSOSAMLClient) UpdateConnection ¶
func (c *SSOSAMLClient) UpdateConnection( ctx context.Context, body *saml.UpdateConnectionParams, methodOptions ...*saml.UpdateConnectionRequestOptions, ) (*saml.UpdateConnectionResponse, error)
UpdateConnection: Updates an existing SAML connection.
Note that a newly created connection will not become active until all of the following are provided: * `idp_sso_url` * `attribute_mapping` * `idp_entity_id` * `x509_certificate`
type SessionsClient ¶
type SessionsClient struct { C stytch.Client JWKS *keyfunc.JWKS PolicyCache *PolicyCache }
func NewSessionsClient ¶
func NewSessionsClient(c stytch.Client, jwks *keyfunc.JWKS, policyCache *PolicyCache) *SessionsClient
func (*SessionsClient) Authenticate ¶
func (c *SessionsClient) Authenticate( ctx context.Context, body *sessions.AuthenticateParams, ) (*sessions.AuthenticateResponse, error)
Authenticate: Authenticates a Session and updates its lifetime by the specified `session_duration_minutes`. If the `session_duration_minutes` is not specified, a Session will not be extended. This endpoint requires either a `session_jwt` or `session_token` be included in the request. It will return an error if both are present.
You may provide a JWT that needs to be refreshed and is expired according to its `exp` claim. A new JWT will be returned if both the signature and the underlying Session are still valid. See our [How to use Stytch Session JWTs](https://stytch.com/docs/b2b/guides/sessions/resources/using-jwts) guide for more information.
If an `authorization_check` object is passed in, this method will also check if the Member is authorized to perform the given action on the given Resource in the specified. A is authorized if their Member Session contains a Role, assigned [explicitly or implicitly](https://stytch.com/docs/b2b/guides/rbac/role-assignment), with adequate permissions. In addition, the `organization_id` passed in the authorization check must match the Member's Organization.
If the Member is not authorized to perform the specified action on the specified Resource, or if the `organization_id` does not match the Member's Organization, a 403 error will be thrown. Otherwise, the response will contain a list of Roles that satisfied the authorization check.
func (*SessionsClient) AuthenticateJWT ¶
func (c *SessionsClient) AuthenticateJWT( ctx context.Context, params *sessions.AuthenticateJWTParams, ) (*sessions.AuthenticateResponse, error)
func (*SessionsClient) AuthenticateJWTLocal ¶
func (c *SessionsClient) AuthenticateJWTLocal( ctx context.Context, token string, maxTokenAge time.Duration, authorizationCheck *sessions.AuthorizationCheck, ) (*sessions.MemberSession, error)
ADDIMPORT: "github.com/stytchauth/stytch-go/v15/stytch/shared"
func (*SessionsClient) AuthenticateJWTWithClaims ¶
func (c *SessionsClient) AuthenticateJWTWithClaims( ctx context.Context, maxTokenAge time.Duration, body *sessions.AuthenticateParams, claims map[string]any, ) (*sessions.AuthenticateResponse, error)
func (*SessionsClient) AuthenticateWithClaims ¶
func (c *SessionsClient) AuthenticateWithClaims( ctx context.Context, body *sessions.AuthenticateParams, claims any, ) (*sessions.AuthenticateResponse, error)
AuthenticateWithClaims fills in the claims pointer with custom claims from the response. Pass in a map with the types of values you're expecting so that this function can marshal the claims from the response. See ExampleClient_AuthenticateWithClaims_map, ExampleClient_AuthenticateWithClaims_struct for examples
Example (Map) ¶
package main import ( "context" "fmt" "net/http" "net/http/httptest" "strings" "github.com/stytchauth/stytch-go/v15/stytch/b2b/b2bstytchapi" "github.com/stytchauth/stytch-go/v15/stytch/b2b/sessions" ) func main() { // If we know that our claims will follow this exact map structure, we can marshal the // custom claims from the response into it srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { // Handle the async JWKS fetch. if strings.HasPrefix(r.URL.Path, "/v1/b2b/sessions/jwks/") { _, _ = w.Write([]byte(`{"keys": []}`)) return } // This is the test request if r.URL.Path == "/v1/b2b/sessions/authenticate" { // There are many other fields in this response, but these are the only ones we need // for this test. _, _ = w.Write([]byte(`{ "member_session": { "expires_at": "2022-06-29T19:53:48Z", "last_accessed_at": "2022-06-29T17:54:13Z", "member_session_id": "session-test-aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "started_at": "2022-06-29T17:53:48Z", "member_id": "user-test-00000000-0000-0000-0000-000000000000", "custom_claims": { "https://my-app.example.net/custom-claim": { "claim1": 1, "claim2": 2, "claim3": 3 } } }, "member": {}, "organization": {} }`)) return } http.Error(w, "Bad Request", http.StatusBadRequest) })) client, _ := b2bstytchapi.NewClient( "project-test-00000000-0000-0000-0000-000000000000", "secret-test-11111111-1111-1111-1111-111111111111", b2bstytchapi.WithBaseURI(srv.URL), ) // Expecting a map where all the values are maps from strings to integers var mapClaims map[string]map[string]int32 _, _ = client.Sessions.AuthenticateWithClaims( context.Background(), &sessions.AuthenticateParams{ SessionToken: "fake session token", }, &mapClaims, ) fmt.Println(mapClaims) }
Output: map[https://my-app.example.net/custom-claim:map[claim1:1 claim2:2 claim3:3]]
Example (Struct) ¶
package main import ( "context" "fmt" "net/http" "net/http/httptest" "strings" "github.com/stytchauth/stytch-go/v15/stytch/b2b/b2bstytchapi" "github.com/stytchauth/stytch-go/v15/stytch/b2b/sessions" ) func main() { // When we define a struct that follows the shape of our claims, we can marshal the // custom claims from the response into it srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { // Handle the async JWKS fetch. if strings.HasPrefix(r.URL.Path, "/v1/b2b/sessions/jwks/") { _, _ = w.Write([]byte(`{"keys": []}`)) return } // This is the test request if r.URL.Path == "/v1/b2b/sessions/authenticate" { // There are many other fields in this response, but these are the only ones we need // for this test. _, _ = w.Write([]byte(`{ "member_session": { "expires_at": "2022-06-29T19:53:48Z", "last_accessed_at": "2022-06-29T17:54:13Z", "member_session_id": "session-test-aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "started_at": "2022-06-29T17:53:48Z", "member_id": "user-test-00000000-0000-0000-0000-000000000000", "custom_claims": { "https://my-app.example.net/custom-claim": { "number": 1, "array": [1, "foo", null], "nested": { "data": "here" } } } }, "member": {}, "organization": {} }`)) return } http.Error(w, "Bad Request", http.StatusBadRequest) })) client, _ := b2bstytchapi.NewClient( "project-test-00000000-0000-0000-0000-000000000000", "secret-test-11111111-1111-1111-1111-111111111111", b2bstytchapi.WithBaseURI(srv.URL), ) // Expecting claims to follow this exact data structure type MyAppClaims struct { Number int Array []interface{} Nested struct { Data string } } type StructClaims struct { MyApp MyAppClaims `json:"https://my-app.example.net/custom-claim"` } var structClaims StructClaims _, _ = client.Sessions.AuthenticateWithClaims( context.Background(), &sessions.AuthenticateParams{ SessionToken: "fake session token", }, &structClaims, ) fmt.Println(structClaims) }
Output: {{1 [1 foo <nil>] {here}}}
func (*SessionsClient) Exchange ¶
func (c *SessionsClient) Exchange( ctx context.Context, body *sessions.ExchangeParams, ) (*sessions.ExchangeResponse, error)
Exchange: Use this endpoint to exchange a's existing session for another session in a different. This can be used to accept an invite, but not to create a new member via domain matching.
To create a new member via domain matching, use the [Exchange Intermediate Session](https://stytch.com/docs/b2b/api/exchange-intermediate-session) flow instead.
Only Email Magic Link, OAuth, and SMS OTP factors can be transferred between sessions. Other authentication factors, such as password factors, will not be transferred to the new session. Any OAuth Tokens owned by the Member will not be transferred to the new Organization. SMS OTP factors can be used to fulfill MFA requirements for the target Organization if both the original and target Member have the same phone number and the phone number is verified for both Members. HubSpot and Slack OAuth registrations will not be transferred between sessions. Instead, you will receive a corresponding factor with type `"oauth_exchange_slack"` or `"oauth_exchange_hubspot"`
If the Member is required to complete MFA to log in to the Organization, the returned value of `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned. The `intermediate_session_token` can be passed into the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms) to complete the MFA step and acquire a full member session. The `intermediate_session_token` can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to join a different Organization or create a new one. The `session_duration_minutes` and `session_custom_claims` parameters will be ignored.
func (*SessionsClient) Get ¶
func (c *SessionsClient) Get( ctx context.Context, body *sessions.GetParams, ) (*sessions.GetResponse, error)
Get: Retrieves all active Sessions for a Member.
func (*SessionsClient) GetJWKS ¶
func (c *SessionsClient) GetJWKS( ctx context.Context, body *sessions.GetJWKSParams, ) (*sessions.GetJWKSResponse, error)
GetJWKS: Get the JSON Web Key Set (JWKS) for a project.
JWKS are rotated every ~6 months. Upon rotation, new JWTs will be signed using the new key set, and both key sets will be returned by this endpoint for a period of 1 month.
JWTs have a set lifetime of 5 minutes, so there will be a 5 minute period where some JWTs will be signed by the old JWKS, and some JWTs will be signed by the new JWKS. The correct JWKS to use for validation is determined by matching the `kid` value of the JWT and JWKS.
If you're using one of our [backend SDKs](https://stytch.com/docs/b2b/sdks), the JWKS roll will be handled for you.
If you're using your own JWT validation library, many have built-in support for JWKS rotation, and you'll just need to supply this API endpoint. If not, your application should decide which JWKS to use for validation by inspecting the `kid` value.
See our [How to use Stytch Session JWTs](https://stytch.com/docs/b2b/guides/sessions/resources/using-jwts) guide for more information.
func (*SessionsClient) Migrate ¶
func (c *SessionsClient) Migrate( ctx context.Context, body *sessions.MigrateParams, ) (*sessions.MigrateResponse, error)
Migrate a session from an external OIDC compliant endpoint. Stytch will call the external UserInfo endpoint defined in your Stytch Project settings in the [Dashboard](/dashboard), and then perform a lookup using the `session_token`. If the response contains a valid email address, Stytch will attempt to match that email address with an existing in your and create a Stytch Session. You will need to create the member before using this endpoint.
func (*SessionsClient) Revoke ¶
func (c *SessionsClient) Revoke( ctx context.Context, body *sessions.RevokeParams, methodOptions ...*sessions.RevokeRequestOptions, ) (*sessions.RevokeResponse, error)
Revoke a Session and immediately invalidate all its tokens. To revoke a specific Session, pass either the `member_session_id`, `session_token`, or `session_jwt`. To revoke all Sessions for a Member, pass the `member_id`.
type TOTPsClient ¶
func NewTOTPsClient ¶
func NewTOTPsClient(c stytch.Client) *TOTPsClient
func (*TOTPsClient) Authenticate ¶
func (c *TOTPsClient) Authenticate( ctx context.Context, body *totps.AuthenticateParams, ) (*totps.AuthenticateResponse, error)
Authenticate a Member provided TOTP.
func (*TOTPsClient) AuthenticateWithClaims ¶
func (c *TOTPsClient) AuthenticateWithClaims( ctx context.Context, body *totps.AuthenticateParams, claims any, ) (*totps.AuthenticateResponse, error)
AuthenticateWithClaims fills in the claims pointer with custom claims from the response. Pass in a map with the types of values you're expecting so that this function can marshal the claims from the response. See ExampleClient_AuthenticateWithClaims_map, ExampleClient_AuthenticateWithClaims_struct for examples
func (*TOTPsClient) Create ¶
func (c *TOTPsClient) Create( ctx context.Context, body *totps.CreateParams, ) (*totps.CreateResponse, error)
Create a new TOTP instance for a. The Member can use the authenticator application of their choice to scan the QR code or enter the secret.
Passing an intermediate session token, session token, or session JWT is not required, but if passed must match the Member ID passed.
func (*TOTPsClient) Migrate ¶
func (c *TOTPsClient) Migrate( ctx context.Context, body *totps.MigrateParams, ) (*totps.MigrateResponse, error)
Migrate an existing TOTP instance for a. Recovery codes are not required and will be minted for the Member if not provided.
Source Files ¶
- discovery.go
- discovery_intermediatesessions.go
- discovery_organizations.go
- magiclinks.go
- magiclinks_discovery.go
- magiclinks_email.go
- magiclinks_email_discovery.go
- oauth.go
- oauth_discovery.go
- organizations.go
- organizations_members.go
- organizations_members_oauthproviders.go
- otp.go
- otp_sms.go
- passwords.go
- passwords_email.go
- passwords_existingpassword.go
- passwords_session.go
- rbac.go
- recoverycodes.go
- scim.go
- scim_connection.go
- sessions.go
- sso.go
- sso_oidc.go
- sso_saml.go
- totps.go