
# Authenticate Impersonation Token

> Authenticate an impersonation token to impersonate a Member using the Stytch B2B API

export const member = "Represents an individual end user's account within a given Organization, uniquely identified within that Organization by their email address.";

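Authenticate an impersonation token to impersonate a <Tooltip tip={member}>Member</Tooltip>. This endpoint requires an impersonation token that has not expired and has not already been used. A Stytch session with a 60-minute duration will be created for the impersonated Member; impersonated sessions cannot be extended. As the response fields below describe, a valid token always yields a full session: no MFA step is required and no intermediate session is returned.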

Prior to this step, you can generate an impersonation token by visiting the [Stytch Dashboard](https://stytch.com/dashboard/members), viewing a member, and clicking the `Impersonate Member` button.


## OpenAPI

````yaml POST /v1/b2b/impersonation/authenticate
openapi: 3.0.3
info:
  title: Stytch API
  description: The Stytch API provides endpoints for authentication and user management.
  version: 2.1.1
  contact:
    name: Stytch Support
    url: https://stytch.com/docs
    email: support@stytch.com
servers:
  - url: https://api.stytch.com
    description: Production server
  - url: https://test.stytch.com
    description: Test server
security:
  - basicAuth: []
paths:
  /v1/b2b/impersonation/authenticate:
    post:
      tags:
        - B2B Impersonation
      summary: Authenticate
      description: >-
        Authenticate an impersonation token to impersonate a Member. This
        endpoint requires an impersonation token that has not expired and has
        not already been used.

        A Stytch session will be created for the impersonated member with a 60
        minute duration. Impersonated sessions cannot be extended.


        Prior to this step, you can generate an impersonation token by visiting
        the Stytch Dashboard, viewing a member, and clicking the `Impersonate
        Member` button.
      operationId: api_b2b_impersonation_v1_Authenticate
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: >-
                #/components/schemas/api_b2b_impersonation_v1_AuthenticateRequest
      responses:
        '200':
          description: Successful response
          content:
            application/json:
              schema:
                $ref: >-
                  #/components/schemas/api_b2b_impersonation_v1_AuthenticateResponse
        '400':
          description: Bad request
        '401':
          description: Unauthorized
          content:
            application/json:
              example:
                status_code: 401
                request_id: request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141
                error_type: unauthorized_credentials
                error_message: Unauthorized credentials.
                error_url: https://stytch.com/docs/api/errors/401
        '429':
          description: Too Many Requests
          content:
            application/json:
              example:
                status_code: 429
                request_id: request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141
                error_type: too_many_requests
                error_message: Too many requests have been made.
                error_url: https://stytch.com/docs/api/errors/429
        '500':
          description: Internal server error
          content:
            application/json:
              example:
                status_code: 500
                request_id: request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141
                error_type: internal_server_error
                error_message: >-
                  Oops, something seems to have gone wrong, please reach out to
                  support@stytch.com to let us know what went wrong.
                error_url: https://stytch.com/docs/api/errors/500
      x-code-samples:
        - lang: csharp
          label: C#
          source: |-
            // POST /v1/b2b/impersonation/authenticate
            // NOTE(review): this sample is labelled C#, but `require('stytch')` and the
            // `.then`/`.catch` promise chain below are JavaScript constructs; the code
            // mirrors the Node.js sample with capitalised member names and does not
            // appear to be valid C#. TODO confirm the call shape against the C# SDK.
            const stytch = require('stytch');

            // project_id / secret are the credentials this backend presents to the
            // Stytch API. The values shown are template placeholders.
            const client = new stytch.B2BClient({
              project_id: '${projectId}',
              secret: '${secret}',
            });

            // Sample token value. A real impersonation token must be unexpired and not
            // previously used (it expires in 5 minutes by default per the request schema).
            const params = {
              impersonation_token: "SeiGwdj5lKkrEVgcEY3QNJXt6srxS3IK2Nwkar6mXD4=",
            };

            // The response carries session_token and session_jwt for the impersonated
            // Member; printing it whole is for demonstration only, so keep these values
            // out of application logs.
            client.Impersonation.Authenticate(params)
              .then(resp => { console.log(resp) })
              .catch(err => { console.log(err) });
        - lang: go
          label: Go
          source: "// POST /v1/b2b/impersonation/authenticate\npackage main\n\nimport (\n\t\"context\"\n\t\"log\"\n\n\t\"github.com/stytchauth/stytch-go/v18/stytch/b2b/b2bstytchapi\"\n\t\"github.com/stytchauth/stytch-go/v18/stytch/b2b/impersonation\"\n)\n\nfunc main() {\n\tclient, err := b2bstytchapi.NewClient(\n\t\t\"${projectId}\",\n\t\t\"${secret}\",\n\t)\n\tif err != nil {\n\t\tlog.Fatalf(\"error instantiating client: %v\", err)\n\t}\n\n\tparams := &impersonation.AuthenticateParams{\n\t\tImpersonationToken: \"SeiGwdj5lKkrEVgcEY3QNJXt6srxS3IK2Nwkar6mXD4=\",\n\t}\n\n\tresp, err := client.Impersonation.Authenticate(context.Background(), params)\n\tif err != nil {\n\t\tlog.Fatalf(\"error in method call: %v\", err)\n\t}\n\n\tlog.Println(resp)\n}\n"
        - lang: java
          label: Java
          source: |-
            // POST /v1/b2b/impersonation/authenticate
            package com.example;

            import com.stytch.java.b2b.models.impersonation.AuthenticateRequest;
            import com.stytch.java.b2b.StytchB2BClient;
            import com.stytch.java.common.StytchResult;

            /**
             * Minimal example: exchanges an impersonation token for a Member session
             * and prints the outcome.
             */
            public class Main {
                public static void main(String[] args) {
                    // Project ID and secret are the credentials presented to the Stytch
                    // API. The values shown are template placeholders.
                    StytchB2BClient.configure("${projectId}", "${secret}");

                    // Sample token value. A real impersonation token must be unexpired
                    // and not previously used.
                    AuthenticateRequest params = new AuthenticateRequest();
                    params.setImpersonationToken("SeiGwdj5lKkrEVgcEY3QNJXt6srxS3IK2Nwkar6mXD4=");

                    // The call result is held as Object and told apart with instanceof:
                    // StytchResult.Success wraps the response, StytchResult.Error the exception.
                    Object result = StytchB2BClient.getImpersonation().authenticate(params);
                    if (result instanceof StytchResult.Success) {
                      // The success value carries session_token and session_jwt for the
                      // impersonated Member; printing it whole is for demonstration only,
                      // so keep these values out of application logs.
                      System.out.println(((StytchResult.Success) result).getValue());
                    } else {
                      System.out.println(((StytchResult.Error) result).getException());
                    }
                }
            }
        - lang: kotlin
          label: Kotlin
          source: |
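            // POST /v1/b2b/impersonation/authenticate
            package com.example

            import com.stytch.java.b2b.StytchB2BClient
            import com.stytch.java.b2b.models.impersonation.AuthenticateRequest
            // StytchResult is matched on in the `when` below, so it must be imported
            // for the sample to resolve StytchResult.Success / StytchResult.Error.
            import com.stytch.java.common.StytchResult

            // Minimal example: exchanges an impersonation token for a Member session
            // and prints the outcome.
            fun main() {
                // Project ID and secret are the credentials presented to the Stytch API.
                // The values shown are template placeholders.
                StytchB2BClient.configure(
                    projectId = "${projectId}",
                    secret = "${secret}",
                )

                // Sample token value. A real impersonation token must be unexpired and
                // not previously used.
                when (
                    val result =
                        StytchB2BClient.impersonation.authenticate(
                            AuthenticateRequest(
                                impersonationToken = "SeiGwdj5lKkrEVgcEY3QNJXt6srxS3IK2Nwkar6mXD4=",
                            ),
                        )
                ) {
                    // The success value carries session_token and session_jwt for the
                    // impersonated Member; printing it whole is for demonstration only,
                    // so keep these values out of application logs.
                    is StytchResult.Success -> println(result.value)
                    is StytchResult.Error -> println(result.exception)
                }
            }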
        - lang: javascript
          label: Node.js
          source: |-
            // POST /v1/b2b/impersonation/authenticate
            const stytch = require('stytch');

            // project_id / secret are the credentials this backend presents to the
            // Stytch API. The values shown are template placeholders.
            const client = new stytch.B2BClient({
              project_id: '${projectId}',
              secret: '${secret}',
            });

            // Sample token value. A real impersonation token must be unexpired and not
            // previously used (it expires in 5 minutes by default per the request schema).
            const params = {
              impersonation_token: "SeiGwdj5lKkrEVgcEY3QNJXt6srxS3IK2Nwkar6mXD4=",
            };

            // The response carries session_token and session_jwt for the impersonated
            // Member; printing it whole is for demonstration only, so keep these values
            // out of application logs.
            client.impersonation.authenticate(params)
              .then(resp => { console.log(resp) })
              .catch(err => { console.log(err) });
        - lang: php
          label: PHP
          source: |-
            // Assumes $client is an already-configured Stytch B2B client; its
            // construction is not shown in this snippet.
            // Per the response schema, $response carries session_token and session_jwt
            // for the impersonated Member, so keep it out of application logs.
            $response = $client->impersonation->authenticate([
                'impersonation_token' => 'SeiGwdj5lKkrEVgcEY3QNJXt6srxS3IK2Nwkar6mXD4=',
            ]);
        - lang: python
          label: Python
          source: |
            # POST /v1/b2b/impersonation/authenticate
            from stytch import B2BClient

            # project_id / secret are the credentials this backend presents to the
            # Stytch API. The values shown are template placeholders.
            client = B2BClient(
                project_id="${projectId}",
                secret="${secret}",
            )

            # Sample token value. A real impersonation token must be unexpired and not
            # previously used (it expires in 5 minutes by default per the request schema).
            resp = client.impersonation.authenticate(
                impersonation_token="SeiGwdj5lKkrEVgcEY3QNJXt6srxS3IK2Nwkar6mXD4=",
            )

            # The response carries session_token and session_jwt for the impersonated
            # Member; printing it whole is for demonstration only, so keep these values
            # out of application logs.
            print(resp)
        - lang: ruby
          label: Ruby
          source: |-
            # frozen_string_literal: true

            # POST /v1/b2b/impersonation/authenticate
            require 'stytch'

            # project_id / secret are the credentials this backend presents to the
            # Stytch API. The values shown are template placeholders.
            client = StytchB2B::Client.new(
              project_id: "${projectId}",
              secret: "${secret}"
            )

            # Sample token value. A real impersonation token must be unexpired and not
            # previously used (it expires in 5 minutes by default per the request schema).
            resp = client.impersonation.authenticate(
              impersonation_token: "SeiGwdj5lKkrEVgcEY3QNJXt6srxS3IK2Nwkar6mXD4="
              
            )

            # The response carries session_token and session_jwt for the impersonated
            # Member; printing it whole is for demonstration only, so keep these values
            # out of application logs.
            puts resp
        - lang: rust
          label: Rust
          source: |-
            // POST /v1/b2b/impersonation/authenticate
            use stytch::b2b::client::Client;
            use stytch::b2b::impersonation::AuthenticateRequest;

            // NOTE(review): `.await` is used below inside a non-async `fn main`, which
            // Rust rejects; the sample presumably needs an async entry point. Confirm
            // against the SDK's documented setup.
            fn main() {
                // Project ID and secret are the credentials presented to the Stytch API.
                // The values shown are template placeholders. unwrap() panics if client
                // construction returns an error.
                let client = Client::new("${projectId}", "${secret}").unwrap();
                // Sample token value. A real impersonation token must be unexpired and
                // not previously used.
                let resp = client.impersonation.authenticate(
                    AuthenticateRequest{
                        impersonation_token: "SeiGwdj5lKkrEVgcEY3QNJXt6srxS3IK2Nwkar6mXD4=",
                        ..Default::default()
                    }
                ).await;
                // On success the response carries session_token and session_jwt for the
                // impersonated Member; the debug print is for demonstration only, so keep
                // these values out of application logs.
                println!("The response is {:?}", resp);
            }
        - lang: bash
          label: cURL
          source: |-
            # POST /v1/b2b/impersonation/authenticate
            # Targets the test server (test.stytch.com). -u sends the project ID and
            # secret as HTTP Basic credentials; both values are template placeholders.
            # A secret typed on the command line can end up in shell history, so prefer
            # supplying it from the environment or a protected file.
            # The JSON response includes session_token and session_jwt for the
            # impersonated Member, so avoid capturing this output in shared logs.
            curl --request POST \
              --url https://test.stytch.com/v1/b2b/impersonation/authenticate \
              -u '${projectId}:${secret}' \
              -H 'Content-Type: application/json' \
              -d '{
                "impersonation_token": "SeiGwdj5lKkrEVgcEY3QNJXt6srxS3IK2Nwkar6mXD4="
              }'
components:
  schemas:
    api_b2b_impersonation_v1_AuthenticateRequest:
      type: object
      properties:
        impersonation_token:
          type: string
          description: >-
            The Member Impersonation token to authenticate. Expires in 5 minutes
            by default.
      description: Request type
      required:
        - impersonation_token
    api_b2b_impersonation_v1_AuthenticateResponse:
      type: object
      properties:
        request_id:
          type: string
          description: >-
            Globally unique UUID that is returned with every API call. This
            value is important to log for debugging purposes; we may ask for
            this value to help identify a specific API call when helping you
            debug an issue.
        member_id:
          type: string
          description: Globally unique UUID that identifies a specific Member.
        organization_id:
          type: string
          description: >-
            Globally unique UUID that identifies a specific Organization. The
            `organization_id` is critical to perform operations on an
            Organization, so be sure to preserve this value.
        member:
          $ref: '#/components/schemas/api_organization_v1_Member'
          description: The [Member object](https://stytch.com/docs/b2b/api/member-object)
        session_token:
          type: string
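          description: >-
            A secret token for a given Stytch Session. Here it belongs to the
            impersonated Member's session, so handle it as a credential and
            keep it out of application logs.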
        session_jwt:
          type: string
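          description: >-
            The JSON Web Token (JWT) for a given Stytch Session. Like the
            `session_token`, it represents the impersonated Member's session
            and should be kept out of application logs.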
        organization:
          $ref: '#/components/schemas/api_organization_v1_Organization'
          description: >-
            The [Organization
            object](https://stytch.com/docs/b2b/api/organization-object).
        intermediate_session_token:
          type: string
          description: >-
            Successfully authenticating an impersonation token will never result
            in an intermediate session. If the token is valid, a full session
            will be created.
        member_authenticated:
          type: boolean
          description: >-
            The member will always be fully authenticated if an impersonation
            token is successfully authenticated.
        status_code:
          type: integer
          format: int32
          description: >-
            The HTTP status code of the response. Stytch follows standard HTTP
            response status code patterns, e.g. 2XX values equate to success,
            3XX values are redirects, 4XX are client errors, and 5XX are server
            errors.
        member_session:
          $ref: '#/components/schemas/api_b2b_session_v1_MemberSession'
          description: >-
            The [Session object](https://stytch.com/docs/b2b/api/session-object)
            for the impersonated Member.
        mfa_required:
          $ref: '#/components/schemas/api_b2b_mfa_v1_MfaRequired'
          description: MFA will not be required when authenticating impersonation tokens.
        intermediate_session_token_expires_at:
          type: string
      required:
        - request_id
        - member_id
        - organization_id
        - member
        - session_token
        - session_jwt
        - organization
        - intermediate_session_token
        - member_authenticated
        - status_code
    api_organization_v1_Member:
      type: object
      properties:
        organization_id:
          type: string
          description: >-
            Globally unique UUID that identifies a specific Organization. The
            `organization_id` is critical to perform operations on an
            Organization, so be sure to preserve this value. You may also use
            the organization_slug or organization_external_id here as a
            convenience.
        member_id:
          type: string
          description: >-
            Globally unique UUID that identifies a specific Member. The
            `member_id` is critical to perform operations on a Member, so be
            sure to preserve this value. You may use an external_id here if one
            is set for the member.
        email_address:
          type: string
          description: The email address of the Member.
        status:
          type: string
          description: >-
            The status of the Member. The possible values are: `pending`,
            `invited`, `active`, or `deleted`.
        name:
          type: string
          description: The name of the Member.
        sso_registrations:
          type: array
          items:
            $ref: '#/components/schemas/api_organization_v1_SSORegistration'
          description: >-
            An array of registered [SAML
            Connection](https://stytch.com/docs/b2b/api/saml-connection-object)
            or [OIDC
            Connection](https://stytch.com/docs/b2b/api/oidc-connection-object)
            objects the Member has authenticated with.
        is_breakglass:
          type: boolean
          description: >-
            Identifies the Member as a break glass user - someone who has
            permissions to authenticate into an Organization by bypassing the
            Organization's settings. A break glass account is typically used for
            emergency purposes to gain access outside of normal authentication
            procedures. Refer to the [Organization
            object](https://stytch.com/docs/b2b/api/organization-object) and its
            `auth_methods` and `allowed_auth_methods` fields for more details.
        member_password_id:
          type: string
          description: Globally unique UUID that identifies a Member's password.
        oauth_registrations:
          type: array
          items:
            $ref: '#/components/schemas/api_organization_v1_OAuthRegistration'
          description: A list of OAuth registrations for this member.
        email_address_verified:
          type: boolean
          description: Whether or not the Member's email address is verified.
        mfa_phone_number_verified:
          type: boolean
          description: Whether or not the Member's phone number is verified.
        is_admin:
          type: boolean
          description: >-
            Whether or not the Member has the `stytch_admin` Role. This Role is
            automatically granted to Members
              who create an Organization through the [discovery flow](https://stytch.com/docs/b2b/api/create-organization-via-discovery). See the
              [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/stytch-default) for more details on this Role.
        totp_registration_id:
          type: string
          description: Globally unique UUID that identifies a TOTP instance.
        retired_email_addresses:
          type: array
          items:
            $ref: '#/components/schemas/api_organization_v1_RetiredEmail'
          description: |2-

              A list of retired email addresses for this member.
              A previously active email address can be marked as retired in one of two ways:
              - It's replaced with a new primary email address during an explicit Member update.
              - A new email address is surfaced by an OAuth, SAML or OIDC provider. In this case the new email address becomes the
              Member's primary email address and the old primary email address is retired.
             
              A retired email address cannot be used by other Members in the same Organization. However, unlinking retired email
              addresses allows them to be subsequently re-used by other Organization Members. Retired email addresses can be unlinked
              using the [Unlink Retired Email endpoint](https://stytch.com/docs/b2b/api/unlink-retired-member-email).
              
        is_locked:
          type: boolean
          description: >-
            Whether the Member is temporarily locked due to too many failed
            authentication attempts. See the [User Locking
            Guide](https://stytch.com/docs/resources/platform/user-locks) for
            more information.
        mfa_enrolled:
          type: boolean
          description: >-
            Whether the Member is enrolled in MFA. If true, the Member must
            complete an MFA step whenever they wish to log in to their
            Organization. If false, the Member only needs to complete an MFA
            step if the Organization's MFA policy is set to `REQUIRED_FOR_ALL`.
        mfa_phone_number:
          type: string
          description: >-
            The Member's phone number. A Member may only have one phone number.
            The phone number should be in E.164 format (e.g. +1XXXXXXXXXX).
        default_mfa_method:
          type: string
          description: >-
            The Member's default MFA method. This value is used to determine
            which secondary MFA method to use in the case of multiple methods
            registered for a Member. The current possible values are `sms_otp`
            and `totp`.
        roles:
          type: array
          items:
            $ref: '#/components/schemas/api_organization_v1_MemberRole'
          description: >-
            Explicit or implicit Roles assigned to this Member, along with
            details about the role assignment source.
               See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role assignment.
        trusted_metadata:
          type: object
          additionalProperties: true
          description: >-
            An arbitrary JSON object for storing application-specific data or
            identity-provider-specific data.
        untrusted_metadata:
          type: object
          additionalProperties: true
          description: >-
            An arbitrary JSON object of application-specific data. These fields
            can be edited directly by the
              frontend SDK, and should not be used to store critical information. See the [Metadata resource](https://stytch.com/docs/b2b/api/metadata)
              for complete field behavior details.
        created_at:
          type: string
          description: >-
            The timestamp of the Member's creation. Values conform to the RFC
            3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`.
        updated_at:
          type: string
          description: >-
            The timestamp of when the Member was last updated. Values conform to
            the RFC 3339 standard and are expressed in UTC, e.g.
            `2021-12-29T12:33:09Z`.
        scim_registration:
          $ref: '#/components/schemas/api_organization_v1_SCIMRegistration'
          description: >-
            A scim member registration, referencing a [SCIM
            Connection](https://stytch.com/docs/b2b/api/scim-connection-object)
            object in use for the Member creation.
        external_id:
          type: string
          description: The ID of the member given by the identity provider.
        lock_created_at:
          type: string
          description: >-
            When the member lock was created, if there is one. Values conform to
            the RFC 3339 standard and are expressed in UTC, e.g.
            `2021-12-29T12:33:09Z`.
        lock_expires_at:
          type: string
          description: >-
            When the member lock expires, if there is one. Values conform to the
            RFC 3339 standard and are expressed in UTC, e.g.
            `2021-12-29T12:33:09Z`.
      required:
        - organization_id
        - member_id
        - email_address
        - status
        - name
        - sso_registrations
        - is_breakglass
        - member_password_id
        - oauth_registrations
        - email_address_verified
        - mfa_phone_number_verified
        - is_admin
        - totp_registration_id
        - retired_email_addresses
        - is_locked
        - mfa_enrolled
        - mfa_phone_number
        - default_mfa_method
        - roles
    api_organization_v1_Organization:
      type: object
      properties:
        organization_id:
          type: string
          description: >-
            Globally unique UUID that identifies a specific Organization. The
            `organization_id` is critical to perform operations on an
            Organization, so be sure to preserve this value. You may also use
            the organization_slug or organization_external_id here as a
            convenience.
        organization_name:
          type: string
          description: >-
            The name of the Organization. Must be between 1 and 128 characters
            in length.
        organization_logo_url:
          type: string
          description: The image URL of the Organization logo.
        organization_slug:
          type: string
          description: >-
            The unique URL slug of the Organization. The slug only accepts
            alphanumeric characters and the following reserved characters: `-`
            `.` `_` `~`. Must be between 2 and 128 characters in length.
            Wherever an organization_id is expected in a path or request
            parameter, you may also use the organization_slug as a convenience.
        sso_jit_provisioning:
          type: string
          description: >-
            The authentication setting that controls the JIT provisioning of
            Members when authenticating via SSO. The accepted values are:
             
              `ALL_ALLOWED` – the default setting, new Members will be automatically provisioned upon successful authentication via any of the Organization's `sso_active_connections`.
             
              `RESTRICTED` – only new Members with SSO logins that comply with `sso_jit_provisioning_allowed_connections` can be provisioned upon authentication.
             
              `NOT_ALLOWED` – disable JIT provisioning via SSO.
              
        sso_jit_provisioning_allowed_connections:
          type: array
          items:
            type: string
          description: >-
            An array of `connection_id`s that reference [SAML Connection
            objects](https://stytch.com/docs/b2b/api/saml-connection-object).
              Only these connections will be allowed to JIT provision Members via SSO when `sso_jit_provisioning` is set to `RESTRICTED`.
        sso_active_connections:
          type: array
          items:
            $ref: '#/components/schemas/api_organization_v1_ActiveSSOConnection'
          description: >-
            An array of active [SAML Connection
            references](https://stytch.com/docs/b2b/api/saml-connection-object)
            or [OIDC Connection
            references](https://stytch.com/docs/b2b/api/oidc-connection-object).
        email_allowed_domains:
          type: array
          items:
            type: string
          description: >-
            An array of email domains that allow invites or JIT provisioning for
            new Members. This list is enforced when either `email_invites` or
            `email_jit_provisioning` is set to `RESTRICTED`.
               
               
                Common domains such as `gmail.com` are not allowed. See the [common email domains resource](https://stytch.com/docs/b2b/api/common-email-domains) for the full list.
        email_jit_provisioning:
          type: string
          description: >-
            The authentication setting that controls how a new Member can be
            provisioned by authenticating via Email Magic Link or OAuth. The
            accepted values are:
             
              `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be provisioned upon authentication via Email Magic Link or OAuth.
             
              `NOT_ALLOWED` – the default setting, disables JIT provisioning via Email Magic Link and OAuth.
              
        email_invites:
          type: string
          description: >-
            The authentication setting that controls how a new Member can be
            invited to an organization by email. The accepted values are:
             
              `ALL_ALLOWED` – any new Member can be invited to join via email.
             
              `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be invited via email.
             
              `NOT_ALLOWED` – disable email invites.
              
        auth_methods:
          type: string
          description: >-
            The setting that controls which authentication methods can be used
            by Members of an Organization. The accepted values are:
             
              `ALL_ALLOWED` – the default setting which allows all authentication methods to be used.
             
              `RESTRICTED` – only methods that comply with `allowed_auth_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`.
              
        allowed_auth_methods:
          type: array
          items:
            type: string
          description: >-
            An array of allowed authentication methods. This list is enforced
            when `auth_methods` is set to `RESTRICTED`.
              The list's accepted values are: `sso`, `magic_link`, `email_otp`, `password`, `google_oauth`, `microsoft_oauth`, `slack_oauth`, `github_oauth`, and `hubspot_oauth`.
              
        mfa_policy:
          type: string
          description: >-
            The setting that controls the MFA policy for all Members in the
            Organization. The accepted values are:
             
              `REQUIRED_FOR_ALL` – All Members within the Organization will be required to complete MFA every time they wish to log in. However, any active Session that existed prior to this setting change will remain valid.
             
              `OPTIONAL` – The default value. The Organization does not require MFA by default for all Members. Members will be required to complete MFA only if their `mfa_enrolled` status is set to true.
              
        rbac_email_implicit_role_assignments:
          type: array
          items:
            $ref: >-
              #/components/schemas/api_organization_v1_EmailImplicitRoleAssignment
          description: |-
            Implicit role assignments based off of email domains.
              For each domain-Role pair, all Members whose email addresses have the specified email domain will be granted the
              associated Role, regardless of their login method. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment)
              for more information about role assignment.
        mfa_methods:
          type: string
          description: >-
            The setting that controls which MFA methods can be used by Members
            of an Organization. The accepted values are:
             
              `ALL_ALLOWED` – the default setting which allows all MFA methods to be used.
             
              `RESTRICTED` – only methods that comply with `allowed_mfa_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`.
              
        allowed_mfa_methods:
          type: array
          items:
            type: string
          description: >-
            An array of allowed MFA authentication methods. This list is
            enforced when `mfa_methods` is set to `RESTRICTED`.
              The list's accepted values are: `sms_otp` and `totp`.
              
        oauth_tenant_jit_provisioning:
          type: string
          description: >-
            The authentication setting that controls how a new Member can JIT
            provision into an organization by tenant. The accepted values are:
             
              `RESTRICTED` – only new Members with tenants in `allowed_oauth_tenants` can JIT provision via tenant.
             
              `NOT_ALLOWED` – the default setting, disables JIT provisioning by OAuth Tenant.
              
        claimed_email_domains:
          type: array
          items:
            type: string
          description: A list of email domains that are claimed by the Organization.
        first_party_connected_apps_allowed_type:
          type: string
          description: >-
            The authentication setting that sets the Organization's policy
            towards first party Connected Apps. The accepted values are:
             
              `ALL_ALLOWED` – the default setting, any first party Connected App in the Project is permitted for use by Members.
             
              `RESTRICTED` – only first party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members.
             
              `NOT_ALLOWED` – no first party Connected Apps are permitted.
              
        allowed_first_party_connected_apps:
          type: array
          items:
            type: string
          description: >-
            An array of first party Connected App IDs that are allowed for the
            Organization. Only used when the Organization's
            `first_party_connected_apps_allowed_type` is `RESTRICTED`.
        third_party_connected_apps_allowed_type:
          type: string
          description: >-
            The authentication setting that sets the Organization's policy
            towards third party Connected Apps. The accepted values are:
             
              `ALL_ALLOWED` – the default setting, any third party Connected App in the Project is permitted for use by Members.
             
              `RESTRICTED` – only third party Connected Apps with IDs in `allowed_third_party_connected_apps` can be used by Members.
             
              `NOT_ALLOWED` – no third party Connected Apps are permitted.
              
        allowed_third_party_connected_apps:
          type: array
          items:
            type: string
          description: >-
            An array of third party Connected App IDs that are allowed for the
            Organization. Only used when the Organization's
            `third_party_connected_apps_allowed_type` is `RESTRICTED`.
        custom_roles:
          type: array
          items:
            $ref: '#/components/schemas/api_organization_v1_CustomRole'
        trusted_metadata:
          type: object
          additionalProperties: true
          description: >-
            An arbitrary JSON object for storing application-specific data or
            identity-provider-specific data.
        created_at:
          type: string
          description: >-
            The timestamp of the Organization's creation. Values conform to the
            RFC 3339 standard and are expressed in UTC, e.g.
            `2021-12-29T12:33:09Z`.
        updated_at:
          type: string
          description: >-
            The timestamp of when the Organization was last updated. Values
            conform to the RFC 3339 standard and are expressed in UTC, e.g.
            `2021-12-29T12:33:09Z`.
        organization_external_id:
          type: string
          description: A unique identifier for the organization.
        sso_default_connection_id:
          type: string
          description: >-
            The default connection used for SSO when there are multiple active
            connections.
        scim_active_connection:
          $ref: '#/components/schemas/api_organization_v1_ActiveSCIMConnection'
          description: >-
            An active [SCIM Connection
            reference](https://stytch.com/docs/b2b/api/scim-connection-object).
        allowed_oauth_tenants:
          type: object
          additionalProperties: true
          description: >-
            A map of allowed OAuth tenants. If this field is not passed in, the
            Organization will not allow JIT provisioning by OAuth Tenant.
            Allowed keys are "slack", "hubspot", and "github".
      required:
        - organization_id
        - organization_name
        - organization_logo_url
        - organization_slug
        - sso_jit_provisioning
        - sso_jit_provisioning_allowed_connections
        - sso_active_connections
        - email_allowed_domains
        - email_jit_provisioning
        - email_invites
        - auth_methods
        - allowed_auth_methods
        - mfa_policy
        - rbac_email_implicit_role_assignments
        - mfa_methods
        - allowed_mfa_methods
        - oauth_tenant_jit_provisioning
        - claimed_email_domains
        - first_party_connected_apps_allowed_type
        - allowed_first_party_connected_apps
        - third_party_connected_apps_allowed_type
        - allowed_third_party_connected_apps
        - custom_roles
    api_b2b_session_v1_MemberSession:
      type: object
      properties:
        member_session_id:
          type: string
          description: Globally unique UUID that identifies a specific Session.
        member_id:
          type: string
          description: Globally unique UUID that identifies a specific Member.
        started_at:
          type: string
          description: >-
            The timestamp when the Session was created. Values conform to the
            RFC 3339 standard and are expressed in UTC, e.g.
            `2021-12-29T12:33:09Z`.
        last_accessed_at:
          type: string
          description: >-
            The timestamp when the Session was last accessed. Values conform to
            the RFC 3339 standard and are expressed in UTC, e.g.
            `2021-12-29T12:33:09Z`.
        expires_at:
          type: string
          description: >-
            The timestamp when the Session expires. Values conform to the RFC
            3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`.
        authentication_factors:
          type: array
          items:
            $ref: '#/components/schemas/api_session_v1_AuthenticationFactor'
          description: >-
            An array of different authentication factors that comprise a
            Session.
        organization_id:
          type: string
          description: >-
            Globally unique UUID that identifies a specific Organization. The
            `organization_id` is critical to perform operations on an
            Organization, so be sure to preserve this value.
        roles:
          type: array
          items:
            type: string
        organization_slug:
          type: string
          description: >-
            The unique URL slug of the Organization. The slug only accepts
            alphanumeric characters and the following reserved characters: `-`
            `.` `_` `~`. Must be between 2 and 128 characters in length.
            Wherever an organization_id is expected in a path or request
            parameter, you may also use the organization_slug as a convenience.
        custom_claims:
          type: object
          additionalProperties: true
          description: >-
            The custom claims map for a Session. Claims can be added to a
            session during a Sessions authenticate call.
      required:
        - member_session_id
        - member_id
        - started_at
        - last_accessed_at
        - expires_at
        - authentication_factors
        - organization_id
        - roles
        - organization_slug
    api_b2b_mfa_v1_MfaRequired:
      type: object
      properties:
        member_options:
          $ref: '#/components/schemas/api_b2b_mfa_v1_MemberOptions'
          description: Information about the Member's options for completing MFA.
        secondary_auth_initiated:
          type: string
          description: >-
            If null, indicates that no secondary authentication has been
            initiated. If equal to "sms_otp", indicates that the Member has a
            phone number, and a one time passcode has been sent to the Member's
            phone number. No secondary authentication will be initiated during
            calls to the discovery authenticate or list organizations endpoints,
            even if the Member has a phone number.
    api_organization_v1_SSORegistration:
      type: object
      properties:
        connection_id:
          type: string
          description: >-
            Globally unique UUID that identifies a specific SSO `connection_id`
            for a Member.
        external_id:
          type: string
          description: The ID of the member given by the identity provider.
        registration_id:
          type: string
          description: The unique ID of an SSO Registration.
        sso_attributes:
          type: object
          additionalProperties: true
          description: >-
            An object for storing SSO attributes brought over from the identity
            provider.
      required:
        - connection_id
        - external_id
        - registration_id
    api_organization_v1_OAuthRegistration:
      type: object
      properties:
        provider_type:
          type: string
          description: >-
            Denotes the OAuth identity provider that the user has authenticated
            with, e.g. Google, Microsoft, GitHub etc.
        provider_subject:
          type: string
          description: >-
            The unique identifier for the User within a given OAuth provider.
            Also commonly called the `sub` or "Subject field" in OAuth
            protocols.
        member_oauth_registration_id:
          type: string
          description: The unique ID of an OAuth registration.
        profile_picture_url:
          type: string
          description: >-
            If available, the `profile_picture_url` is a URL of the User's
            profile picture set in the OAuth identity provider that the User has
            authenticated with, e.g. Google profile picture.
        locale:
          type: string
          description: >-
            If available, the `locale` is the Member's locale set in the OAuth
            identity provider that the user has authenticated with.
      required:
        - provider_type
        - provider_subject
        - member_oauth_registration_id
    api_organization_v1_RetiredEmail:
      type: object
      properties:
        email_id:
          type: string
          description: The globally unique UUID of a Member's email.
        email_address:
          type: string
          description: The email address of the Member.
      required:
        - email_id
        - email_address
    api_organization_v1_MemberRole:
      type: object
      properties:
        role_id:
          type: string
          description: >-
            The unique identifier of the RBAC Role, provided by the developer
            and intended to be human-readable.

              Reserved `role_id`s that are predefined by Stytch include:

              * `stytch_member`
              * `stytch_admin`

              Check out the [guide on Stytch default Roles](https://stytch.com/docs/b2b/guides/rbac/stytch-default) for a more detailed explanation.

              
        sources:
          type: array
          items:
            $ref: '#/components/schemas/api_organization_v1_MemberRoleSource'
          description: >-
            A list of sources for this role assignment. A role assignment can
            come from multiple sources - for example, the Role could be both
            explicitly assigned and implicitly granted from the Member's email
            domain.
      required:
        - role_id
        - sources
    api_organization_v1_SCIMRegistration:
      type: object
      properties:
        connection_id:
          type: string
          description: The ID of the SCIM connection.
        registration_id:
          type: string
          description: The unique ID of a SCIM Registration.
        external_id:
          type: string
          description: The ID of the member given by the identity provider.
        scim_attributes:
          $ref: '#/components/schemas/api_b2b_scim_v1_SCIMAttributes'
          description: >-
            An object for storing SCIM attributes brought over from the identity
            provider.
      required:
        - connection_id
        - registration_id
    api_organization_v1_ActiveSSOConnection:
      type: object
      properties:
        connection_id:
          type: string
          description: >-
            Globally unique UUID that identifies a specific SSO `connection_id`
            for a Member.
        display_name:
          type: string
          description: A human-readable display name for the connection.
        identity_provider:
          type: string
      required:
        - connection_id
        - display_name
        - identity_provider
    api_organization_v1_EmailImplicitRoleAssignment:
      type: object
      properties:
        domain:
          type: string
          description: Email domain that grants the specified Role.
        role_id:
          type: string
          description: >-
            The unique identifier of the RBAC Role, provided by the developer
            and intended to be human-readable.

              Reserved `role_id`s that are predefined by Stytch include:

              * `stytch_member`
              * `stytch_admin`

              Check out the [guide on Stytch default Roles](https://stytch.com/docs/b2b/guides/rbac/stytch-default) for a more detailed explanation.

              
      required:
        - domain
        - role_id
    api_organization_v1_CustomRole:
      type: object
      properties:
        role_id:
          type: string
        description:
          type: string
        permissions:
          type: array
          items:
            $ref: '#/components/schemas/api_organization_v1_CustomRolePermission'
      required:
        - role_id
        - description
        - permissions
    api_organization_v1_ActiveSCIMConnection:
      type: object
      properties:
        connection_id:
          type: string
          description: The ID of the SCIM connection.
        display_name:
          type: string
          description: A human-readable display name for the connection.
        bearer_token_last_four:
          type: string
        bearer_token_expires_at:
          type: string
      required:
        - connection_id
        - display_name
        - bearer_token_last_four
    api_session_v1_AuthenticationFactor:
      type: object
      properties:
        type:
          $ref: >-
            #/components/schemas/api_session_v1_sessions_AuthenticationFactorType
          description: >-
            The type of authentication factor. The possible values are:
            `email_otp`, `impersonated`, `imported`,
                   `magic_link`, `oauth`, `otp`, `password`, `recovery_codes`, `sso`, `trusted_auth_token`, or `totp`.
        delivery_method:
          $ref: >-
            #/components/schemas/api_session_v1_sessions_AuthenticationFactorDeliveryMethod
          description: >-
            The method that was used to deliver the authentication factor. The
            possible values depend on the `type`:
                 
                  `email_otp` – Only `email`.
                 
                  `impersonated` – Only `impersonation`.
                  
                  `imported` – Only `imported_auth0`.
                 
                  `magic_link` – Only `email`.
                 
                  `oauth` – The delivery method is determined by the specific OAuth provider used. The possible values are `oauth_google`, `oauth_microsoft`, `oauth_hubspot`, `oauth_slack`, or `oauth_github`.
                  
                    In addition, you may see an 'exchange' delivery method when a non-email-verifying OAuth factor originally authenticated in one organization is exchanged for a factor in another organization.
                    This can happen during authentication flows such as [session exchange](https://stytch.com/docs/b2b/api/exchange-session).
                    The non-email-verifying OAuth providers are Hubspot, Slack, and Github.
                    Google is also considered non-email-verifying when the HD claim is empty.
                    The possible exchange values are `oauth_exchange_google`, `oauth_exchange_hubspot`, `oauth_exchange_slack`, or `oauth_exchange_github`.
                   
                    The final possible value is `oauth_access_token_exchange`, if this factor came from an [access token exchange flow](https://stytch.com/docs/b2b/api/connected-app-access-token-exchange).
                 
                  `otp` –  Only `sms`.
                 
                  `password` – Only `knowledge`.
                 
                  `recovery_codes` – Only `recovery_code`.
                 
                  `sso` – Either `sso_saml` or `sso_oidc`.
                 
                  `trusted_auth_token` – Only `trusted_token_exchange`.
                 
                  `totp` – Only `authenticator_app`.
                  
        last_authenticated_at:
          type: string
          description: The timestamp when the factor was last authenticated.
        created_at:
          type: string
          description: The timestamp when the factor was initially authenticated.
        updated_at:
          type: string
          description: The timestamp when the factor was last updated.
        email_factor:
          $ref: '#/components/schemas/api_session_v1_EmailFactor'
          description: Information about the email factor, if one is present.
        phone_number_factor:
          $ref: '#/components/schemas/api_session_v1_PhoneNumberFactor'
          description: Information about the phone number factor, if one is present.
        google_oauth_factor:
          $ref: '#/components/schemas/api_session_v1_GoogleOAuthFactor'
          description: Information about the Google OAuth factor, if one is present.
        microsoft_oauth_factor:
          $ref: '#/components/schemas/api_session_v1_MicrosoftOAuthFactor'
          description: Information about the Microsoft OAuth factor, if one is present.
        apple_oauth_factor:
          $ref: '#/components/schemas/api_session_v1_AppleOAuthFactor'
        webauthn_factor:
          $ref: '#/components/schemas/api_session_v1_WebAuthnFactor'
        authenticator_app_factor:
          $ref: '#/components/schemas/api_session_v1_AuthenticatorAppFactor'
          description: >-
            Information about the TOTP-backed Authenticator App factor, if one
            is present.
        github_oauth_factor:
          $ref: '#/components/schemas/api_session_v1_GithubOAuthFactor'
          description: Information about the Github OAuth factor, if one is present.
        recovery_code_factor:
          $ref: '#/components/schemas/api_session_v1_RecoveryCodeFactor'
        facebook_oauth_factor:
          $ref: '#/components/schemas/api_session_v1_FacebookOAuthFactor'
        crypto_wallet_factor:
          $ref: '#/components/schemas/api_session_v1_CryptoWalletFactor'
        amazon_oauth_factor:
          $ref: '#/components/schemas/api_session_v1_AmazonOAuthFactor'
        bitbucket_oauth_factor:
          $ref: '#/components/schemas/api_session_v1_BitbucketOAuthFactor'
        coinbase_oauth_factor:
          $ref: '#/components/schemas/api_session_v1_CoinbaseOAuthFactor'
        discord_oauth_factor:
          $ref: '#/components/schemas/api_session_v1_DiscordOAuthFactor'
        figma_oauth_factor:
          $ref: '#/components/schemas/api_session_v1_FigmaOAuthFactor'
        git_lab_oauth_factor:
          $ref: '#/components/schemas/api_session_v1_GitLabOAuthFactor'
        instagram_oauth_factor:
          $ref: '#/components/schemas/api_session_v1_InstagramOAuthFactor'
        linked_in_oauth_factor:
          $ref: '#/components/schemas/api_session_v1_LinkedInOAuthFactor'
        shopify_oauth_factor:
          $ref: '#/components/schemas/api_session_v1_ShopifyOAuthFactor'
        slack_oauth_factor:
          $ref: '#/components/schemas/api_session_v1_SlackOAuthFactor'
          description: Information about the Slack OAuth factor, if one is present.
        snapchat_oauth_factor:
          $ref: '#/components/schemas/api_session_v1_SnapchatOAuthFactor'
        spotify_oauth_factor:
          $ref: '#/components/schemas/api_session_v1_SpotifyOAuthFactor'
        steam_oauth_factor:
          $ref: '#/components/schemas/api_session_v1_SteamOAuthFactor'
        tik_tok_oauth_factor:
          $ref: '#/components/schemas/api_session_v1_TikTokOAuthFactor'
        twitch_oauth_factor:
          $ref: '#/components/schemas/api_session_v1_TwitchOAuthFactor'
        twitter_oauth_factor:
          $ref: '#/components/schemas/api_session_v1_TwitterOAuthFactor'
        embeddable_magic_link_factor:
          $ref: '#/components/schemas/api_session_v1_EmbeddableMagicLinkFactor'
        biometric_factor:
          $ref: '#/components/schemas/api_session_v1_BiometricFactor'
        saml_sso_factor:
          $ref: '#/components/schemas/api_session_v1_SAMLSSOFactor'
          description: Information about the SAML SSO factor, if one is present.
        oidc_sso_factor:
          $ref: '#/components/schemas/api_session_v1_OIDCSSOFactor'
          description: Information about the OIDC SSO factor, if one is present.
        salesforce_oauth_factor:
          $ref: '#/components/schemas/api_session_v1_SalesforceOAuthFactor'
        yahoo_oauth_factor:
          $ref: '#/components/schemas/api_session_v1_YahooOAuthFactor'
        hubspot_oauth_factor:
          $ref: '#/components/schemas/api_session_v1_HubspotOAuthFactor'
          description: Information about the Hubspot OAuth factor, if one is present.
        slack_oauth_exchange_factor:
          $ref: '#/components/schemas/api_session_v1_SlackOAuthExchangeFactor'
          description: >-
            Information about the Slack OAuth Exchange factor, if one is
            present.
        hubspot_oauth_exchange_factor:
          $ref: '#/components/schemas/api_session_v1_HubspotOAuthExchangeFactor'
          description: >-
            Information about the Hubspot OAuth Exchange factor, if one is
            present.
        github_oauth_exchange_factor:
          $ref: '#/components/schemas/api_session_v1_GithubOAuthExchangeFactor'
          description: >-
            Information about the Github OAuth Exchange factor, if one is
            present.
        google_oauth_exchange_factor:
          $ref: '#/components/schemas/api_session_v1_GoogleOAuthExchangeFactor'
          description: >-
            Information about the Google OAuth Exchange factor, if one is
            present.
        impersonated_factor:
          $ref: '#/components/schemas/api_session_v1_ImpersonatedFactor'
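          description: Information about the impersonated factor, if one is present. A Session that carries this factor was created through impersonation, so applications can check for it when logging or restricting sensitive actions.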
        oauth_access_token_exchange_factor:
          $ref: '#/components/schemas/api_session_v1_OAuthAccessTokenExchangeFactor'
          description: >-
            Information about the access token exchange factor, if one is
            present.
        trusted_auth_token_factor:
          $ref: '#/components/schemas/api_session_v1_TrustedAuthTokenFactor'
          description: Information about the trusted auth token factor, if one is present.
      required:
        - type
        - delivery_method
    api_b2b_mfa_v1_MemberOptions:
      type: object
      properties:
        mfa_phone_number:
          type: string
          description: The Member's MFA phone number.
        totp_registration_id:
          type: string
          description: The Member's MFA TOTP registration ID.
      required:
        - mfa_phone_number
        - totp_registration_id
    api_organization_v1_MemberRoleSource:
      type: object
      properties:
        type:
          type: string
          description: |-
            The type of role assignment. The possible values are:
             
              `direct_assignment` – an explicitly assigned Role.

              Directly assigned roles can be updated by passing in the `roles` argument to the
              [Update Member](https://stytch.com/docs/b2b/api/update-member) endpoint.
             
              `email_assignment` – an implicit Role granted by the Member's email domain, regardless of their login method.

              Email implicit role assignments can be updated by passing in the `rbac_email_implicit_role_assignments` argument to
              the [Update Organization](https://stytch.com/docs/b2b/api/update-organization) endpoint.
             
              `sso_connection` – an implicit Role granted by the Member's SSO connection. This is currently only available
              for SAML connections and not for OIDC. If the Member has a SAML Member registration with the given connection, this
              role assignment will appear in the list. However, for authorization check purposes (in
              [sessions authenticate](https://stytch.com/docs/b2b/api/authenticate-session) or in any endpoint that enforces RBAC with session
              headers), the Member will only be granted the Role if their session contains an authentication factor with the
              specified SAML connection.

              SAML connection implicit role assignments can be updated by passing in the
              `saml_connection_implicit_role_assignments` argument to the
              [Update SAML connection](https://stytch.com/docs/b2b/api/update-saml-connection) endpoint.
             
              `sso_connection_group` – an implicit Role granted by the Member's SSO connection and group. This is currently only
              available for SAML connections and not for OIDC. If the Member has a SAML Member registration with the given
              connection, and belongs to a specific group within the IdP, this role assignment will appear in the list. However,
              for authorization check purposes (in [sessions authenticate](https://stytch.com/docs/b2b/api/authenticate-session) or in any endpoint
              that enforces RBAC with session headers), the Member will only be granted the role if their session contains an
              authentication factor with the specified SAML connection.

              SAML group implicit role assignments can be updated by passing in the `saml_group_implicit_role_assignments`
              argument to the [Update SAML connection](https://stytch.com/docs/b2b/api/update-saml-connection) endpoint.

                `scim_connection_group` – an implicit Role granted by the Member's SCIM connection and group. If the Member has
              a SCIM Member registration with the given connection, and belongs to a specific group within the IdP, this role assignment will appear in the list.

              SCIM group implicit role assignments can be updated by passing in the `scim_group_implicit_role_assignments`
              argument to the [Update SCIM connection](https://stytch.com/docs/b2b/api/update-scim-connection) endpoint.
              
        details:
          type: object
          additionalProperties: true
          description: >-
            An object containing additional metadata about the source
            assignment. The fields will vary depending
              on the role assignment type as follows:
             
              `direct_assignment` – no additional details.
             
              `email_assignment` – will contain the email domain that granted the assignment.
              
              `sso_connection` – will contain the `connection_id` of the SAML connection that granted the assignment.
             
              `sso_connection_group` – will contain the `connection_id` of the SAML connection and the name of the `group`
              that granted the assignment.
             
              `scim_connection_group` – will contain the `connection_id` of the SCIM connection and the `group_id`
              that granted the assignment.
              
      required:
        - type
    api_b2b_scim_v1_SCIMAttributes:
      type: object
      properties:
        user_name:
          type: string
        id:
          type: string
        external_id:
          type: string
        active:
          type: boolean
        groups:
          type: array
          items:
            $ref: '#/components/schemas/api_b2b_scim_v1_Group'
        display_name:
          type: string
        nick_name:
          type: string
        profile_url:
          type: string
        user_type:
          type: string
        title:
          type: string
        preferred_language:
          type: string
        locale:
          type: string
        timezone:
          type: string
        emails:
          type: array
          items:
            $ref: '#/components/schemas/api_b2b_scim_v1_Email'
        phone_numbers:
          type: array
          items:
            $ref: '#/components/schemas/api_b2b_scim_v1_PhoneNumber'
        addresses:
          type: array
          items:
            $ref: '#/components/schemas/api_b2b_scim_v1_Address'
        ims:
          type: array
          items:
            $ref: '#/components/schemas/api_b2b_scim_v1_IMs'
        photos:
          type: array
          items:
            $ref: '#/components/schemas/api_b2b_scim_v1_Photo'
        entitlements:
          type: array
          items:
            $ref: '#/components/schemas/api_b2b_scim_v1_Entitlement'
        roles:
          type: array
          items:
            $ref: '#/components/schemas/api_b2b_scim_v1_Role'
        x509certificates:
          type: array
          items:
            $ref: '#/components/schemas/api_b2b_scim_v1_X509Certificate'
        name:
          $ref: '#/components/schemas/api_b2b_scim_v1_Name'
        enterprise_extension:
          $ref: '#/components/schemas/api_b2b_scim_v1_EnterpriseExtension'
      required:
        - user_name
        - id
        - external_id
        - active
        - groups
        - display_name
        - nick_name
        - profile_url
        - user_type
        - title
        - preferred_language
        - locale
        - timezone
        - emails
        - phone_numbers
        - addresses
        - ims
        - photos
        - entitlements
        - roles
        - x509certificates
    api_organization_v1_CustomRolePermission:
      type: object
      properties:
        resource_id:
          type: string
        actions:
          type: array
          items:
            type: string
      required:
        - resource_id
        - actions
    api_session_v1_sessions_AuthenticationFactorType:
      type: string
      enum:
        - magic_link
        - otp
        - oauth
        - webauthn
        - totp
        - crypto
        - password
        - signature_challenge
        - sso
        - imported
        - recovery_codes
        - email_otp
        - impersonated
        - trusted_auth_token
    api_session_v1_sessions_AuthenticationFactorDeliveryMethod:
      type: string
      enum:
        - email
        - sms
        - whatsapp
        - embedded
        - oauth_google
        - oauth_microsoft
        - oauth_apple
        - webauthn_registration
        - authenticator_app
        - oauth_github
        - recovery_code
        - oauth_facebook
        - crypto_wallet
        - oauth_amazon
        - oauth_bitbucket
        - oauth_coinbase
        - oauth_discord
        - oauth_figma
        - oauth_gitlab
        - oauth_instagram
        - oauth_linkedin
        - oauth_shopify
        - oauth_slack
        - oauth_snapchat
        - oauth_spotify
        - oauth_steam
        - oauth_tiktok
        - oauth_twitch
        - oauth_twitter
        - knowledge
        - biometric
        - sso_saml
        - sso_oidc
        - oauth_salesforce
        - oauth_yahoo
        - oauth_hubspot
        - imported_auth0
        - oauth_exchange_slack
        - oauth_exchange_hubspot
        - oauth_exchange_github
        - oauth_exchange_google
        - impersonation
        - oauth_access_token_exchange
        - trusted_token_exchange
    api_session_v1_EmailFactor:
      type: object
      properties:
        email_id:
          type: string
          description: The globally unique UUID of the Member's email.
        email_address:
          type: string
          description: The email address of the Member.
      required:
        - email_id
        - email_address
    api_session_v1_PhoneNumberFactor:
      type: object
      properties:
        phone_id:
          type: string
          description: The globally unique UUID of the Member's phone number.
        phone_number:
          type: string
          description: The phone number of the Member.
      required:
        - phone_id
        - phone_number
    # OAuth factor details for a Google login. `id` and `provider_subject` are
    # required; `email_id` is optional, so consumers must tolerate its absence.
    api_session_v1_GoogleOAuthFactor:
      type: object
      properties:
        id:
          type: string
          description: The unique ID of an OAuth registration.
        # Per the description, uniqueness holds only "within a given OAuth
        # provider": key any account linkage on (provider, provider_subject),
        # never on provider_subject alone and never on an email address.
        provider_subject:
          type: string
          description: >-
            The unique identifier for the User within a given OAuth provider.
            Also commonly called the `sub` or "Subject field" in OAuth
            protocols.
        email_id:
          type: string
          description: The globally unique UUID of the Member's email.
      required:
        - id
        - provider_subject
    api_session_v1_MicrosoftOAuthFactor:
      type: object
      properties:
        id:
          type: string
          description: The unique ID of an OAuth registration.
        provider_subject:
          type: string
          description: >-
            The unique identifier for the User within a given OAuth provider.
            Also commonly called the `sub` or "Subject field" in OAuth
            protocols.
        email_id:
          type: string
          description: The globally unique UUID of the Member's email.
      required:
        - id
        - provider_subject
    api_session_v1_AppleOAuthFactor:
      type: object
      properties:
        id:
          type: string
        provider_subject:
          type: string
        email_id:
          type: string
      required:
        - id
        - provider_subject
    # WebAuthn factor details. `webauthn_registration_id` and `domain` are
    # required; `user_agent` is optional. None of the fields carries a
    # description in this spec.
    api_session_v1_WebAuthnFactor:
      type: object
      properties:
        webauthn_registration_id:
          type: string
        # NOTE(review): presumably the domain (relying party) the credential
        # was registered for — confirm against the WebAuthn endpoints.
        domain:
          type: string
        # NOTE(review): presumably a client-reported string; treat it as
        # diagnostic data, not as proof of which device authenticated.
        user_agent:
          type: string
      required:
        - webauthn_registration_id
        - domain
    api_session_v1_AuthenticatorAppFactor:
      type: object
      properties:
        totp_id:
          type: string
          description: Globally unique UUID that identifies a TOTP instance.
      required:
        - totp_id
    api_session_v1_GithubOAuthFactor:
      type: object
      properties:
        id:
          type: string
          description: The unique ID of an OAuth registration.
        provider_subject:
          type: string
          description: >-
            The unique identifier for the User within a given OAuth provider.
            Also commonly called the `sub` or "Subject field" in OAuth
            protocols.
        email_id:
          type: string
          description: The globally unique UUID of the Member's email.
      required:
        - id
        - provider_subject
    # Recovery-code factor details. The schema exposes only an identifier;
    # no recovery code value is part of this object.
    # NOTE(review): a session carrying this factor presumably means a TOTP
    # recovery code was used in place of the authenticator app — a signal
    # worth surfacing in login monitoring. Confirm the semantics.
    api_session_v1_RecoveryCodeFactor:
      type: object
      properties:
        totp_recovery_code_id:
          type: string
      required:
        - totp_recovery_code_id
    api_session_v1_FacebookOAuthFactor:
      type: object
      properties:
        id:
          type: string
        provider_subject:
          type: string
        email_id:
          type: string
      required:
        - id
        - provider_subject
    api_session_v1_CryptoWalletFactor:
      type: object
      properties:
        crypto_wallet_id:
          type: string
        crypto_wallet_address:
          type: string
        crypto_wallet_type:
          type: string
      required:
        - crypto_wallet_id
        - crypto_wallet_address
        - crypto_wallet_type
    api_session_v1_AmazonOAuthFactor:
      type: object
      properties:
        id:
          type: string
        provider_subject:
          type: string
        email_id:
          type: string
      required:
        - id
        - provider_subject
    api_session_v1_BitbucketOAuthFactor:
      type: object
      properties:
        id:
          type: string
        provider_subject:
          type: string
        email_id:
          type: string
      required:
        - id
        - provider_subject
    api_session_v1_CoinbaseOAuthFactor:
      type: object
      properties:
        id:
          type: string
        provider_subject:
          type: string
        email_id:
          type: string
      required:
        - id
        - provider_subject
    api_session_v1_DiscordOAuthFactor:
      type: object
      properties:
        id:
          type: string
        provider_subject:
          type: string
        email_id:
          type: string
      required:
        - id
        - provider_subject
    api_session_v1_FigmaOAuthFactor:
      type: object
      properties:
        id:
          type: string
        provider_subject:
          type: string
        email_id:
          type: string
      required:
        - id
        - provider_subject
    api_session_v1_GitLabOAuthFactor:
      type: object
      properties:
        id:
          type: string
        provider_subject:
          type: string
        email_id:
          type: string
      required:
        - id
        - provider_subject
    api_session_v1_InstagramOAuthFactor:
      type: object
      properties:
        id:
          type: string
        provider_subject:
          type: string
        email_id:
          type: string
      required:
        - id
        - provider_subject
    api_session_v1_LinkedInOAuthFactor:
      type: object
      properties:
        id:
          type: string
        provider_subject:
          type: string
        email_id:
          type: string
      required:
        - id
        - provider_subject
    api_session_v1_ShopifyOAuthFactor:
      type: object
      properties:
        id:
          type: string
        provider_subject:
          type: string
        email_id:
          type: string
      required:
        - id
        - provider_subject
    api_session_v1_SlackOAuthFactor:
      type: object
      properties:
        id:
          type: string
          description: The unique ID of an OAuth registration.
        provider_subject:
          type: string
          description: >-
            The unique identifier for the User within a given OAuth provider.
            Also commonly called the `sub` or "Subject field" in OAuth
            protocols.
        email_id:
          type: string
          description: The globally unique UUID of the Member's email.
      required:
        - id
        - provider_subject
    api_session_v1_SnapchatOAuthFactor:
      type: object
      properties:
        id:
          type: string
        provider_subject:
          type: string
        email_id:
          type: string
      required:
        - id
        - provider_subject
    api_session_v1_SpotifyOAuthFactor:
      type: object
      properties:
        id:
          type: string
        provider_subject:
          type: string
        email_id:
          type: string
      required:
        - id
        - provider_subject
    api_session_v1_SteamOAuthFactor:
      type: object
      properties:
        id:
          type: string
        provider_subject:
          type: string
        email_id:
          type: string
      required:
        - id
        - provider_subject
    api_session_v1_TikTokOAuthFactor:
      type: object
      properties:
        id:
          type: string
        provider_subject:
          type: string
        email_id:
          type: string
      required:
        - id
        - provider_subject
    api_session_v1_TwitchOAuthFactor:
      type: object
      properties:
        id:
          type: string
        provider_subject:
          type: string
        email_id:
          type: string
      required:
        - id
        - provider_subject
    api_session_v1_TwitterOAuthFactor:
      type: object
      properties:
        id:
          type: string
        provider_subject:
          type: string
        email_id:
          type: string
      required:
        - id
        - provider_subject
    api_session_v1_EmbeddableMagicLinkFactor:
      type: object
      properties:
        embedded_id:
          type: string
      required:
        - embedded_id
    api_session_v1_BiometricFactor:
      type: object
      properties:
        biometric_registration_id:
          type: string
      required:
        - biometric_registration_id
    # SAML SSO factor details. All three fields are required.
    api_session_v1_SAMLSSOFactor:
      type: object
      properties:
        id:
          type: string
          description: The unique ID of an SSO Registration.
        provider_id:
          type: string
          description: Globally unique UUID that identifies a specific SAML Connection.
        # Assigned by the identity provider, so it is only meaningful together
        # with `provider_id`: the same value may appear under another
        # connection. Do not use it alone as an identity key.
        external_id:
          type: string
          description: The ID of the member given by the identity provider.
      required:
        - id
        - provider_id
        - external_id
    # OIDC SSO factor details. All three fields are required.
    api_session_v1_OIDCSSOFactor:
      type: object
      properties:
        id:
          type: string
          description: The unique ID of an SSO Registration.
        provider_id:
          type: string
          description: Globally unique UUID that identifies a specific OIDC Connection.
        # Assigned by the identity provider, so it is only meaningful together
        # with `provider_id`: the same value may appear under another
        # connection. Do not use it alone as an identity key.
        external_id:
          type: string
          description: The ID of the member given by the identity provider.
      required:
        - id
        - provider_id
        - external_id
    api_session_v1_SalesforceOAuthFactor:
      type: object
      properties:
        id:
          type: string
        provider_subject:
          type: string
        email_id:
          type: string
      required:
        - id
        - provider_subject
    api_session_v1_YahooOAuthFactor:
      type: object
      properties:
        id:
          type: string
        provider_subject:
          type: string
        email_id:
          type: string
      required:
        - id
        - provider_subject
    api_session_v1_HubspotOAuthFactor:
      type: object
      properties:
        id:
          type: string
          description: The unique ID of an OAuth registration.
        provider_subject:
          type: string
          description: >-
            The unique identifier for the User within a given OAuth provider.
            Also commonly called the `sub` or "Subject field" in OAuth
            protocols.
        email_id:
          type: string
          description: The globally unique UUID of the Member's email.
      required:
        - id
        - provider_subject
    api_session_v1_SlackOAuthExchangeFactor:
      type: object
      properties:
        email_id:
          type: string
          description: The globally unique UUID of the Member's email.
      required:
        - email_id
    api_session_v1_HubspotOAuthExchangeFactor:
      type: object
      properties:
        email_id:
          type: string
          description: The globally unique UUID of the Member's email.
      required:
        - email_id
    api_session_v1_GithubOAuthExchangeFactor:
      type: object
      properties:
        email_id:
          type: string
          description: The globally unique UUID of the Member's email.
      required:
        - email_id
    api_session_v1_GoogleOAuthExchangeFactor:
      type: object
      properties:
        email_id:
          type: string
          description: The globally unique UUID of the Member's email.
      required:
        - email_id
    # Details of an impersonation factor. Both fields describe the
    # impersonator, not the Member the session belongs to, and both are
    # required. Record them in audit logs next to the Member's ID so that
    # actions taken in an impersonated session stay attributable to the
    # operator, and check for this factor before allowing sensitive or
    # irreversible operations.
    api_session_v1_ImpersonatedFactor:
      type: object
      properties:
        # The description below covers Dashboard-initiated impersonation only;
        # what the ID refers to for any other origin is not stated here.
        impersonator_id:
          type: string
          description: >-
            For impersonated sessions initiated via the Stytch Dashboard, the
            `impersonator_id` will be the impersonator's Stytch Dashboard
            `member_id`.
        impersonator_email_address:
          type: string
          description: The email address of the impersonator.
      required:
        - impersonator_id
        - impersonator_email_address
    # Details of an OAuth access token exchange factor: the only field is the
    # Connected App client involved.
    # NOTE(review): presumably the session was obtained by a client acting for
    # the Member rather than by an interactive login; log `client_id` and
    # scope authorization per client — confirm.
    api_session_v1_OAuthAccessTokenExchangeFactor:
      type: object
      properties:
        client_id:
          type: string
          description: The ID of the Connected App client.
      required:
        - client_id
    # Details of a trusted auth token factor: carries only the token's ID, not
    # the token itself.
    # NOTE(review): a session with this factor presumably rests on a token
    # issued outside this API; its strength is that of the external issuer,
    # so log `token_id` for traceability — confirm.
    api_session_v1_TrustedAuthTokenFactor:
      type: object
      properties:
        token_id:
          type: string
          description: The ID of the trusted auth token.
      required:
        - token_id
    api_b2b_scim_v1_Group:
      type: object
      properties:
        value:
          type: string
        display:
          type: string
      required:
        - value
        - display
    api_b2b_scim_v1_Email:
      type: object
      properties:
        value:
          type: string
        type:
          type: string
        primary:
          type: boolean
      required:
        - value
        - type
        - primary
    api_b2b_scim_v1_PhoneNumber:
      type: object
      properties:
        value:
          type: string
        type:
          type: string
        primary:
          type: boolean
      required:
        - value
        - type
        - primary
    api_b2b_scim_v1_Address:
      type: object
      properties:
        formatted:
          type: string
        street_address:
          type: string
        locality:
          type: string
        region:
          type: string
        postal_code:
          type: string
        country:
          type: string
        type:
          type: string
        primary:
          type: boolean
      required:
        - formatted
        - street_address
        - locality
        - region
        - postal_code
        - country
        - type
        - primary
    api_b2b_scim_v1_IMs:
      type: object
      properties:
        value:
          type: string
        type:
          type: string
        primary:
          type: boolean
      required:
        - value
        - type
        - primary
    api_b2b_scim_v1_Photo:
      type: object
      properties:
        value:
          type: string
        type:
          type: string
        primary:
          type: boolean
      required:
        - value
        - type
        - primary
    # SCIM entitlement entry: a string `value`, a string `type` and a boolean
    # `primary`, all required.
    # NOTE(review): SCIM attributes presumably originate from the customer's
    # identity provider; map `value` through an allow-list before turning it
    # into application permissions rather than granting by raw string.
    api_b2b_scim_v1_Entitlement:
      type: object
      properties:
        value:
          type: string
        type:
          type: string
        primary:
          type: boolean
      required:
        - value
        - type
        - primary
    # SCIM role entry: a string `value`, a string `type` and a boolean
    # `primary`, all required.
    # NOTE(review): SCIM attributes presumably originate from the customer's
    # identity provider; map `value` through an allow-list before turning it
    # into application roles rather than granting by raw string.
    api_b2b_scim_v1_Role:
      type: object
      properties:
        value:
          type: string
        type:
          type: string
        primary:
          type: boolean
      required:
        - value
        - type
        - primary
    # SCIM X.509 certificate entry: a string `value`, a string `type` and a
    # boolean `primary`, all required.
    # NOTE(review): in the SCIM core schema (RFC 7643) a certificate `value`
    # is a base64-encoded DER certificate; presumably the same here — confirm.
    # Parse and validate it before using it in any trust decision.
    api_b2b_scim_v1_X509Certificate:
      type: object
      properties:
        value:
          type: string
        type:
          type: string
        primary:
          type: boolean
      required:
        - value
        - type
        - primary
    api_b2b_scim_v1_Name:
      type: object
      properties:
        formatted:
          type: string
        family_name:
          type: string
        given_name:
          type: string
        middle_name:
          type: string
        honorific_prefix:
          type: string
        honorific_suffix:
          type: string
      required:
        - formatted
        - family_name
        - given_name
        - middle_name
        - honorific_prefix
        - honorific_suffix
    # SCIM enterprise-user attributes. The five string fields are required;
    # `manager` is the only optional property, so consumers must handle its
    # absence.
    api_b2b_scim_v1_EnterpriseExtension:
      type: object
      properties:
        employee_number:
          type: string
        cost_center:
          type: string
        division:
          type: string
        department:
          type: string
        organization:
          type: string
        # Optional: not listed under `required` below.
        manager:
          $ref: '#/components/schemas/api_b2b_scim_v1_Manager'
      required:
        - employee_number
        - cost_center
        - division
        - department
        - organization
    # Manager reference used by api_b2b_scim_v1_EnterpriseExtension. All three
    # string fields are required.
    api_b2b_scim_v1_Manager:
      type: object
      properties:
        value:
          type: string
        # NOTE(review): presumably the counterpart of SCIM's `$ref` (a URI for
        # the manager resource). If so, treat it as an opaque identifier and
        # do not fetch it server-side without validating the target — confirm.
        ref:
          type: string
        display_name:
          type: string
      required:
        - value
        - ref
        - display_name
  # The only scheme defined here is HTTP Basic, which the top-level `security`
  # entry applies to the whole API.
  securitySchemes:
    # Basic auth only base64-encodes the credentials, so their confidentiality
    # rests entirely on TLS; both entries under `servers` are https URLs.
    # NOTE(review): this spec does not say what goes in the username and
    # password slots (presumably the project ID and secret — confirm). Keep
    # them in backend code and a secrets store, never in browser or mobile
    # clients, and rotate them if they appear in logs or source control.
    basicAuth:
      type: http
      scheme: basic

````