import * as client from 'openid-client';
import { IDToken, TokenEndpointResponse, TokenEndpointResponseHelpers } from 'openid-client';

/**
 * Authenticator types reported by the Auth0 API for an enrolled factor.
 *
 * Email authenticators are not a separate type: they use 'oob' with
 * oob_channel: 'email'.
 */
type AuthenticatorType = 'otp' | 'oob' | 'recovery-code';

/**
 * Out-of-band delivery channels.
 * Includes 'email', which is also delivered out-of-band.
 */
type OobChannel = 'sms' | 'voice' | 'auth0' | 'email';

/**
 * Represents an MFA authenticator enrolled by a user.
 */
interface AuthenticatorResponse {
  /** Unique identifier for the authenticator */
  id: string;
  /** Type of authenticator */
  authenticatorType: AuthenticatorType;
  /** Whether the authenticator is active */
  active: boolean;
  /** Optional friendly name */
  name?: string;
  /** Delivery channels for OOB authenticators (only present for authenticatorType: 'oob') */
  oobChannels?: OobChannel[];
  /** Additional type information */
  type?: string;
}

/**
 * Options for listing MFA authenticators.
 */
interface ListAuthenticatorsOptions {
  /**
   * MFA token from authentication response.
   * Handle it as a credential: keep it out of logs, URLs and long-lived storage.
   */
  mfaToken: string;
}

/**
 * Options for deleting an MFA authenticator.
 *
 * Deleting an authenticator removes a second factor from the account, so the
 * calling code should record the event for audit.
 */
interface DeleteAuthenticatorOptions {
  /** ID of the authenticator to delete */
  authenticatorId: string;
  /**
   * MFA token from authentication response.
   * Handle it as a credential: keep it out of logs, URLs and long-lived storage.
   */
  mfaToken: string;
}

/**
 * Options for enrolling an OTP authenticator (TOTP apps like Google Authenticator).
 *
 * Refer - https://auth0.com/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa/enroll-and-challenge-otp-authenticators
 */
interface EnrollOtpOptions {
  /** Must be ['otp'] for OTP enrollment */
  authenticatorTypes: ['otp'];
  /**
   * MFA token from authentication response.
   * Handle it as a credential: keep it out of logs, URLs and long-lived storage.
   */
  mfaToken: string;
}

/**
 * Options for enrolling an out-of-band authenticator (SMS, Voice, Push).
*/
// NOTE(review): `oobChannels` is typed as OobChannel[], which also admits
// 'email', and EnrollEmailOptions uses the same `authenticatorTypes: ['oob']`.
// The two shapes are therefore told apart only by the channel list.
interface EnrollOobOptions {
  /** Must be ['oob'] for OOB enrollment */
  authenticatorTypes: ['oob'];
  /** Delivery channels to enable */
  oobChannels: OobChannel[];
  /** Phone number for SMS/Voice (E.164 format: +1234567890) */
  phoneNumber?: string;
  /** MFA token from authentication response. Handle it as a credential. */
  mfaToken: string;
}

/**
 * Options for enrolling an email authenticator.
 * Refer - https://auth0.com/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa/enroll-and-challenge-email-authenticators
 */
interface EnrollEmailOptions {
  /** Must be ['oob'] for email enrollment */
  authenticatorTypes: ['oob'];
  /** Must be ['email'] for email delivery channel */
  oobChannels: ['email'];
  /** Email address (optional, uses user's email if not provided) */
  email?: string;
  /** MFA token from authentication response. Handle it as a credential. */
  mfaToken: string;
}

/**
 * Union of all enrollment option types accepted when enrolling an authenticator.
 */
type EnrollAuthenticatorOptions = EnrollOtpOptions | EnrollOobOptions | EnrollEmailOptions;

/**
 * Response when enrolling an OTP authenticator.
 *
 * `secret`, `barcodeUri` and `recoveryCodes` are authentication material for
 * the user's account. Show them to the user once and keep the whole object out
 * of logs, analytics and error reports.
 */
interface OtpEnrollmentResponse {
  /** Authenticator type */
  authenticatorType: 'otp';
  /**
   * Base32-encoded secret for TOTP generation.
   * Whoever holds this value can compute the same one-time codes as the user's app.
   */
  secret: string;
  /**
   * URI for generating QR code (otpauth://...).
   * NOTE(review): otpauth URIs normally embed the shared secret, so treat this
   * like `secret` and render the QR code locally - confirm against the API response.
   */
  barcodeUri: string;
  /** Recovery codes for account recovery; each one stands in for the second factor. */
  recoveryCodes?: string[];
  /** Authenticator ID */
  id?: string;
}

/**
 * Response when enrolling an OOB authenticator.
 */
interface OobEnrollmentResponse {
  /** Authenticator type */
  authenticatorType: 'oob';
  /** Delivery channel used */
  oobChannel: OobChannel;
  /** Out-of-band code for verification */
  oobCode?: string;
  /** Binding method (e.g., 'prompt' for user code entry) */
  bindingMethod?: string;
  /** Authenticator ID */
  id?: string;
  /**
   * URI for generating QR code (otpauth://...).
   * NOTE(review): may carry enrollment secrets like the OTP variant - confirm and handle accordingly.
   */
  barcodeUri?: string;
  /** Recovery codes for account recovery; each one stands in for the second factor. */
  recoveryCodes?: string[];
}

/**
 * Union type for all enrollment response types.
* Note: Email enrollments return OobEnrollmentResponse with oobChannel: 'email'
 */
type EnrollmentResponse = OtpEnrollmentResponse | OobEnrollmentResponse;

/**
 * Options for initiating an MFA challenge.
 */
interface ChallengeOptions {
  /** Type of challenge to initiate */
  challengeType: 'otp' | 'oob';
  /** Specific authenticator to challenge (optional) */
  authenticatorId?: string;
  /** MFA token from authentication response. Handle it as a credential. */
  mfaToken: string;
}

/**
 * Response from initiating an MFA challenge.
 */
interface ChallengeResponse {
  /** Type of challenge created */
  challengeType: 'otp' | 'oob';
  /**
   * Out-of-band code (for OOB challenges).
   * This value is returned to the application, not typed by the user; it is
   * passed back as `MfaVerifyOobOptions.oobCode`.
   */
  oobCode?: string;
  /** Binding method for OOB (e.g., 'prompt') */
  bindingMethod?: string;
}

/**
 * MFA factor types for verifying MFA challenges.
 *
 * Has the same members as `AuthenticatorType`; the two aliases are declared
 * separately, so a change to one does not carry over to the other.
 */
type MfaFactorType = 'otp' | 'oob' | 'recovery-code';

/**
 * Options for verifying an MFA challenge with an OTP code.
 */
interface MfaVerifyOtpOptions {
  /** MFA token from authentication response. Handle it as a credential. */
  mfaToken: string;
  /** Must be the OTP factor type */
  factorType: 'otp';
  /** The OTP code from the user's authenticator app */
  otp: string;
  /** Optional audience for the requested access token */
  audience?: string;
}

/**
 * Options for verifying an MFA challenge with an out-of-band code.
 *
 * Two different codes are involved: `oobCode` comes from the challenge
 * response held by the application, `bindingCode` is what the user entered.
 */
interface MfaVerifyOobOptions {
  /** MFA token from authentication response. Handle it as a credential. */
  mfaToken: string;
  /** Must be the OOB factor type */
  factorType: 'oob';
  /** The out-of-band code received from the MFA challenge */
  oobCode: string;
  /** Optional binding code entered by the user (for prompt-based OOB) */
  bindingCode?: string;
  /** Optional audience for the requested access token */
  audience?: string;
}

/**
 * Options for verifying an MFA challenge with a recovery code.
*/
interface MfaVerifyRecoveryCodeOptions {
  /** MFA token from authentication response. Handle it as a credential. */
  mfaToken: string;
  /** Must be the recovery-code factor type */
  factorType: 'recovery-code';
  /**
   * The recovery code.
   * A replacement code is reported on `TokenResponse.recoveryCode` after a
   * successful verification with this factor.
   */
  recoveryCode: string;
  /** Optional audience for the requested access token */
  audience?: string;
}

/**
 * Union type for all MFA verify options, discriminated by `factorType`.
 */
type MfaVerifyOptions = MfaVerifyOtpOptions | MfaVerifyOobOptions | MfaVerifyRecoveryCodeOptions;

/**
 * Package identification sent in the telemetry header.
 */
interface TelemetryData {
  /**
   * Override the package name in the telemetry header.
   */
  name: string;
  /**
   * Override the package version in the telemetry header.
   */
  version: string;
}

// Either telemetry is switched off, or it is on and both `name` and `version`
// are supplied (TelemetryData declares them as required).
type TelemetryConfig = {
  enabled: false;
} | ({
  enabled?: true;
} & TelemetryData);

/**
 * Construction options for the auth client.
 *
 * `clientSecret` and `clientAssertionSigningKey` are the client's own
 * credentials; supply them from server-side configuration or a secret store.
 */
interface AuthClientOptions {
  /**
   * The Auth0 domain to use for authentication.
   * @example 'example.auth0.com' (without https://)
   */
  domain: string;
  /**
   * The client ID of the application.
   */
  clientId: string;
  /**
   * The client secret of the application.
   * Confidential: it must not be embedded in code delivered to browsers or devices.
   */
  clientSecret?: string;
  /**
   * The client assertion signing key to use.
   * NOTE(review): presumably the private key for the client assertion; the
   * accepted string format is not visible here - confirm before documenting it.
   */
  clientAssertionSigningKey?: string | CryptoKey;
  /**
   * The client assertion signing algorithm to use.
   */
  clientAssertionSigningAlg?: string;
  /**
   * Authorization Parameters to be sent with the authorization request.
   */
  authorizationParams?: AuthorizationParameters;
  /**
   * Optional, custom Fetch implementation to use.
   * NOTE(review): presumably all requests made by the client pass through this
   * function, including those carrying credentials and tokens - confirm, and
   * keep request bodies out of whatever the implementation logs.
   */
  customFetch?: typeof fetch;
  /**
   * Optional cache configuration for discovery and JWKS lookups.
   *
   * Allows:
   * - Configuring TTL and entry limits
   *
   * @example
   * ```typescript
   * // Custom cache with longer TTL (per-instance)
   * { discoveryCache: { ttl: 1800, maxEntries: 200 } }
   * ```
   */
  discoveryCache?: DiscoveryCacheOptions;
  /**
   * Indicates whether the SDK should use the mTLS endpoints if they are available.
   *
   * When set to `true`, using a `customFetch` is required.
   */
  useMtls?: boolean;
  /**
   * Optional telemetry configuration.
   * Telemetry is enabled by default and sends the Auth0-Client header with package name and version.
   */
  telemetry?: TelemetryConfig;
}

/**
 * Cache settings for discovery and JWKS lookups.
 *
 * A longer `ttl` also lengthens the time a cached entry can lag behind a
 * change on the server side, such as a signing-key rotation.
 */
interface DiscoveryCacheOptions {
  /**
   * Cache time-to-live in seconds.
   * Each cached entry expires after this duration.
   *
   * @default 600
   */
  ttl?: number;
  /**
   * Maximum number of cache entries to keep.
   * When exceeded, oldest entries (LRU) are evicted.
   *
   * @default 100
   */
  maxEntries?: number;
}

/**
 * Parameters sent with an authorization request.
 *
 * The index signature accepts arbitrary extra keys with `unknown` values, so
 * nothing here is validated by the type; check values that originate from
 * request input before passing them in.
 */
interface AuthorizationParameters {
  /**
   * The scope to use for the authentication request.
   */
  scope?: string;
  /**
   * The audience to use for the authentication request.
   */
  audience?: string;
  /**
   * The redirect URI to use for the authentication request, to which Auth0 will redirect the browser after the user has authenticated.
   * @example 'https://example.com/callback'
   */
  redirect_uri?: string;
  [key: string]: unknown;
}

interface BuildAuthorizationUrlOptions {
  /**
   * Indicates whether the authorization request should be done using a Pushed Authorization Request.
   */
  pushedAuthorizationRequests?: boolean;
  /**
   * Authorization Parameters to be sent with the authorization request.
   */
  authorizationParams?: AuthorizationParameters;
}

interface BuildAuthorizationUrlResult {
  /**
   * The URL to use to authenticate the user, including the query parameters.
   * Redirect the user to this URL to authenticate.
   * @example 'https://example.auth0.com/authorize?client_id=...&scope=...'
   */
  authorizationUrl: URL;
  /**
   * The code verifier that is used for the authorization request.
   * Keep it server-side, tied to the user's pending login, until it is passed
   * back as `TokenByCodeOptions.codeVerifier`; it is not part of the URL above.
   */
  codeVerifier: string;
}

interface BuildLinkUserUrlOptions {
  /**
   * The connection for the user to link.
   */
  connection: string;
  /**
   * The scope for the connection.
   */
  connectionScope: string;
  /**
   * The id token of the user initiating the link.
   */
  idToken: string;
  /**
   * Additional authorization parameters to be sent with the link user request.
   */
  authorizationParams?: AuthorizationParameters;
}

interface BuildLinkUserUrlResult {
  /**
   * The URL to use to link the user, including the query parameters.
   * Redirect the user to this URL to link the user.
   * @example 'https://example.auth0.com/authorize?request_uri=urn:ietf:params:oauth:request_uri&client_id=...'
   */
  linkUserUrl: URL;
  /**
   * The code verifier that is used for the link user request.
   * Keep it server-side until the flow completes.
   */
  codeVerifier: string;
}

interface BuildUnlinkUserUrlOptions {
  /**
   * The connection for the user to unlink.
   */
  connection: string;
  /**
   * The id token of the user initiating the unlink.
   */
  idToken: string;
  /**
   * Additional authorization parameters to be sent with the unlink user request.
   */
  authorizationParams?: AuthorizationParameters;
}

interface BuildUnlinkUserUrlResult {
  /**
   * The URL to use to unlink the user, including the query parameters.
   * Redirect the user to this URL to unlink the user.
   * @example 'https://example.auth0.com/authorize?request_uri=urn:ietf:params:oauth:request_uri&client_id=...'
   */
  unlinkUserUrl: URL;
  /**
   * The code verifier that is used for the unlink user request.
   * Keep it server-side until the flow completes.
   */
  codeVerifier: string;
}

interface TokenByClientCredentialsOptions {
  /**
   * The audience for which the token should be requested.
   */
  audience: string;
  /**
   * The organization for which the token should be requested.
   */
  organization?: string;
}

interface TokenByRefreshTokenOptions {
  /**
   * The refresh token to use to get a token.
   * A credential in its own right: store it encrypted or server-side and never log it.
   */
  refreshToken: string;
  /**
   * Optional audience for multi-resource refresh token support.
   * When specified, requests an access token for this audience.
   *
   * @example 'https://api.example.com'
   */
  audience?: string;
  /**
   * When specified, requests an access token with these scopes.
   * Space-separated scope string.
   *
   * @example 'read:data write:data'
   */
  scope?: string;
}

/**
 * Options for obtaining a token with a username and password.
 *
 * With this grant the application itself receives the user's password. Do not
 * log or persist this object, and drop the reference once the call returns.
 */
interface TokenByPasswordOptions {
  /**
   * The username of the user.
   */
  username: string;
  /**
   * The password of the user.
   */
  password: string;
  /**
   * The audience for which the token should be requested.
   */
  audience?: string;
  /**
   * The scope for which the token should be requested.
   */
  scope?: string;
  /**
   * The realm to use for the authentication request.
   *
   * Specifies which database connection or identity provider to authenticate against
   * when using the password-realm grant type. This is useful when your tenant has
   * multiple database connections and you need to authenticate against a specific one
   * instead of using the tenant's default directory.
   *
   * @see {@link https://auth0.com/docs/api/authentication/resource-owner-password-flow/get-token Resource Owner Password Flow}
   * @see {@link https://auth0.com/docs/authenticate/database-connections Database Connections}
   * @example 'Username-Password-Authentication'
   */
  realm?: string;
  /**
   * The end-user's IP address.
   *
   * When provided, Auth0 uses this IP address for rate limiting and anomaly detection
   * instead of the IP address of your server. This is particularly useful when your
   * application acts as a proxy between the end-user and Auth0.
   *
   * Because the value replaces the server address for those checks, take it from
   * connection or proxy data you control. A value copied from a request header
   * that the client can set lets the caller pick the address the limits apply to.
   *
   * @see {@link https://auth0.com/docs/api/authentication/resource-owner-password-flow/get-token Authentication API Reference}
   * @example '203.0.113.42'
   */
  auth0ForwardedFor?: string;
}

interface TokenByCodeOptions {
  /**
   * The code verifier that is used for the authorization request.
   * This is the `codeVerifier` returned with the authorization URL.
   */
  codeVerifier: string;
}

/**
 * @deprecated Since v1.2.0. Use {@link TokenVaultExchangeOptions} with {@link AuthClient#exchangeToken}.
 * This interface remains for backward compatibility and is planned for removal in v2.0.
 */
// NOTE(review): `refreshToken` and `accessToken` are both optional, so the type
// accepts an object that carries neither token - confirm how the caller handles that.
interface TokenForConnectionOptions {
  /**
   * The connection for which a token should be requested.
   */
  connection: string;
  /**
   * Login hint to inform which connection account to use, can be useful when multiple accounts for the connection exist for the same user.
   */
  loginHint?: string;
  /**
   * The refresh token to use to get an access token for the connection.
   */
  refreshToken?: string;
  /**
   * The access token to use to get an access token for the connection.
   */
  accessToken?: string;
}

/**
 * Configuration options for Token Exchange via Token Exchange Profile (RFC 8693).
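*
 * Token Exchange Profiles enable first-party on-behalf-of flows where you exchange
 * a custom token for Auth0 tokens targeting a different API, while preserving user identity.
 *
 * **Requirements:**
 * - Requires a confidential client (client_secret or client_assertion must be configured)
 * - Requires a Token Exchange Profile to be created in Auth0 via the Management API
 * - The subject_token_type must match a profile configured in your tenant
 * - Reserved namespaces are validated by the Auth0 platform; the SDK does not pre-validate
 * - The organization parameter is not supported during Early Access
 *
 * @see {@link https://auth0.com/docs/authenticate/custom-token-exchange Custom Token Exchange Documentation}
 * @see {@link https://auth0.com/docs/api/management/v2/token-exchange-profiles Token Exchange Profiles API}
 * @see {@link https://www.rfc-editor.org/rfc/rfc8693 RFC 8693: OAuth 2.0 Token Exchange}
 *
 * @example Basic usage
 * ```typescript
 * const response = await authClient.exchangeToken({
 *   subjectTokenType: 'urn:acme:custom-token',
 *   subjectToken: userProvidedToken,
 *   audience: 'https://api.example.com',
 *   scope: 'openid profile read:data'
 * });
 * ```
 *
 * @example With custom parameters for Action validation
 * ```typescript
 * const response = await authClient.exchangeToken({
 *   subjectTokenType: 'urn:acme:legacy-token',
 *   subjectToken: legacyToken,
 *   audience: 'https://api.example.com',
 *   scope: 'openid offline_access',
 *   extra: {
 *     device_id: 'device-12345',
 *     session_token: 'sess-abc'
 *   }
 * });
 * ```
 */
interface ExchangeProfileOptions {
  /**
   * A URI that identifies the type of the subject token being exchanged.
   * Must match a subject_token_type configured in a Token Exchange Profile.
   *
   * For custom token types, this must be a URI scoped under your own ownership.
   *
   * **Reserved namespaces** (validated by Auth0 platform):
   * - http://auth0.com, https://auth0.com
   * - http://okta.com, https://okta.com
   * - urn:ietf, urn:auth0, urn:okta
   *
   * @example "urn:acme:legacy-token"
   * @example "http://acme.com/mcp-token"
   */
  subjectTokenType: string;
  /**
   * The token to be exchanged.
   *
   * Nothing in this type validates the token; handle it as a credential and
   * keep it out of logs. NOTE(review): presumably the token is checked on the
   * Auth0 side by the profile's Action - confirm where validation happens.
   */
  subjectToken: string;
  /**
   * The unique identifier (audience) of the target API.
   * Must match an API identifier configured in your Auth0 tenant.
   *
   * @example "https://api.example.com"
   */
  audience?: string;
  /**
   * Space-separated list of OAuth 2.0 scopes to request.
   * Scopes must be allowed by the target API and token exchange profile configuration.
   *
   * @example "openid profile email"
   * @example "openid profile read:data write:data"
   */
  scope?: string;
  /**
   * Type of token being requested (RFC 8693).
   * Defaults to access_token if not specified.
   *
   * @see {@link https://datatracker.ietf.org/doc/html/rfc8693#section-2.1 RFC 8693 Section 2.1}
   * @example "urn:ietf:params:oauth:token-type:access_token"
   * @example "urn:ietf:params:oauth:token-type:refresh_token"
   */
  requestedTokenType?: string;
  // NOTE(review): the interface-level requirements say the organization
  // parameter is not supported during Early Access, yet the field is declared
  // and documented here - confirm which statement is current.
  /**
   * ID or name of the organization to use when authenticating a user.
   * When provided, the user will be authenticated within the organization context,
   * and the organization ID will be present in the access token payload.
   *
   * @see https://auth0.com/docs/manage-users/organizations
   */
  organization?: string;
  /**
   * The actor token to include in the delegation exchange (RFC 8693).
   *
   * When provided, identifies the acting party (the intermediate service or agent)
   * that performs the exchange on behalf of the subject. The resulting token will
   * carry an `act` claim describing the actor.
   *
   * Must be used together with `actorTokenType`. Both fields are declared
   * optional independently, so the type itself does not enforce the pairing.
   *
   * @see {@link https://www.rfc-editor.org/rfc/rfc8693#section-2.1 RFC 8693 Section 2.1}
   */
  actorToken?: string;
  /**
   * A URI that identifies the type of the actor token (RFC 8693).
   *
   * Must be a syntactically valid URI. Reserved namespaces are validated by the
   * Auth0 platform, not the SDK.
   *
   * Must be used together with `actorToken`.
   *
   * @example "urn:acme:actor-token"
   * @example "http://acme.com/service-token"
   */
  actorTokenType?: string;
  // NOTE(review): this listing showed a bare `Record`, which does not compile
  // (Record takes two type arguments). String keys with string or string-array
  // values are restored from the "array values" remark below - confirm against
  // the published typings.
  /**
   * Additional custom parameters accessible in Auth0 Actions via event.request.body.
   *
   * Use for context like device fingerprints, session IDs, or business metadata.
   * Cannot override reserved OAuth parameters.
   *
   * Array values are limited to 20 items per key to prevent DoS attacks.
   *
   * **Security Warning**: Never include PII (Personally Identifiable Information),
   * secrets, passwords, or sensitive data in extra parameters. These values may be
   * logged by Auth0, stored in audit trails, or visible in network traces. Use only
   * for non-sensitive metadata like device IDs, session identifiers, or request context.
   * A session identifier belongs here only if it cannot be used on its own to
   * authenticate; a session token that works as a bearer credential is a secret.
   *
   * @example
   * ```typescript
   * {
   *   device_fingerprint: 'a3d8f7b2c1e4...',
   *   session_id: 'sess_abc123',
   *   risk_score: '0.95'
   * }
   * ```
   */
  extra?: Record<string, string | string[]>;
}

/**
 * Configuration options for Access Token Exchange with Token Vault.
 *
 * Access Token Exchange with Token Vault enables secure access to third-party APIs (e.g., Google Calendar, Salesforce)
 * by exchanging an Auth0 token for an external provider's access token without the client handling
 * the external provider's refresh tokens.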
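*
 * **Requirements:**
 * - Requires a confidential client (client credentials must be configured)
 * - Token Vault must be enabled for the specified connection
 * - The connection must support the requested token type
 *
 * @see {@link https://auth0.com/docs/secure/tokens/token-vault Token Vault Documentation}
 * @see {@link https://auth0.com/docs/secure/tokens/token-vault/configure-token-vault Configure Token Vault}
 *
 * @example Using an access token
 * ```typescript
 * const response = await authClient.exchangeToken({
 *   connection: 'google-oauth2',
 *   subjectToken: auth0AccessToken,
 *   subjectTokenType: 'urn:ietf:params:oauth:token-type:access_token',
 *   loginHint: 'user@example.com'
 * });
 * ```
 *
 * @example Using a refresh token
 * ```typescript
 * const response = await authClient.exchangeToken({
 *   connection: 'google-oauth2',
 *   subjectToken: auth0RefreshToken,
 *   subjectTokenType: 'urn:ietf:params:oauth:token-type:refresh_token'
 * });
 * ```
 */
interface TokenVaultExchangeOptions {
  /**
   * The name of the connection configured in Auth0 with Token Vault enabled.
   *
   * @example "google-oauth2"
   * @example "salesforce"
   */
  connection: string;
  /**
   * The Auth0 token to exchange (access token or refresh token).
   * Handle it as a credential and keep it out of logs.
   */
  subjectToken: string;
  /**
   * Type of the Auth0 token being exchanged.
   *
   * **Important**: Defaults to `urn:ietf:params:oauth:token-type:access_token` if not specified.
   * If you're passing a refresh token, you MUST explicitly set this to
   * `urn:ietf:params:oauth:token-type:refresh_token` to avoid token type mismatch errors.
   *
   * @default 'urn:ietf:params:oauth:token-type:access_token'
   */
  subjectTokenType?: 'urn:ietf:params:oauth:token-type:access_token' | 'urn:ietf:params:oauth:token-type:refresh_token';
  /**
   * Type of token being requested from the external provider.
   * Typically defaults to the external provider's access token type.
   */
  requestedTokenType?: string;
  /**
   * Hint about which external provider account to use.
   * Useful when multiple accounts for the connection exist for the same user.
   *
   * @example "user@example.com"
   * @example "external_user_id_123"
   */
  loginHint?: string;
  /**
   * Space-separated list of scopes to request from the external provider.
   *
   * @example "https://www.googleapis.com/auth/calendar.readonly"
   */
  scope?: string;
  // NOTE(review): this listing showed a bare `Record`, which does not compile.
  // String keys with string or string-array values are restored from the
  // "array values" remark below - confirm against the published typings.
  /**
   * Additional custom parameters.
   * Cannot override reserved OAuth parameters.
   *
   * Array values are limited to 20 items per key to prevent DoS attacks.
   */
  extra?: Record<string, string | string[]>;
}

interface BuildLogoutUrlOptions {
  /**
   * The URL to which the user should be redirected after the logout.
   * Prefer a configured constant over a value read from the request, so the
   * logout link cannot be pointed at an arbitrary site.
   * @example 'https://example.com'
   */
  returnTo: string;
}

interface VerifyLogoutTokenOptions {
  /**
   * The logout token to verify.
   */
  logoutToken: string;
}

/**
 * Claims taken from a logout token.
 * Use them to end sessions only when they come from a completed verification.
 */
interface VerifyLogoutTokenResult {
  /**
   * The sid claim of the logout token.
   */
  sid: string;
  /**
   * The sub claim of the logout token.
   */
  sub: string;
}

/**
 * One authorization details entry: a required `type` plus arbitrary
 * read-only parameters.
 */
interface AuthorizationDetails {
  readonly type: string;
  readonly [parameter: string]: unknown;
}

/**
 * Represents the `act` (actor) claim in a token response (RFC 8693).
 *
 * Present when a token was issued via a delegation exchange, identifying the
 * acting party (e.g., an intermediate service) that performed the exchange on
 * behalf of the subject.
 *
 * @see {@link https://www.rfc-editor.org/rfc/rfc8693#section-4.1 RFC 8693 Section 4.1}
 */
interface ActClaim {
  /**
   * The subject identifier of the actor.
   */
  sub: string;
  [key: string]: unknown;
}

/**
 * Represents a successful token response from Auth0.
 *
 * Contains all tokens and metadata returned from Auth0 token endpoints,
 * including standard OAuth 2.0 tokens and optional OIDC tokens.
 *
 * `accessToken`, `idToken`, `refreshToken` and `recoveryCode` are credentials:
 * log individual non-secret fields rather than serializing the whole instance.
 */
declare class TokenResponse {
  /**
   * The access token retrieved from Auth0.
   */
  accessToken: string;
  /**
   * The id token retrieved from Auth0.
   */
  idToken?: string;
  /**
   * The refresh token retrieved from Auth0.
   */
  refreshToken?: string;
  /**
   * The time at which the access token expires (Unix timestamp in seconds).
   */
  expiresAt: number;
  /**
   * The scope of the access token.
   */
  scope?: string;
  /**
   * The claims of the id token.
   */
  claims?: IDToken;
  /**
   * The authorization details of the token response.
   */
  authorizationDetails?: AuthorizationDetails[];
  /**
   * The type of the token (typically "Bearer").
   */
  tokenType?: string;
  /**
   * A URI that identifies the type of the issued token (RFC 8693).
   *
   * @see {@link https://datatracker.ietf.org/doc/html/rfc8693#section-3 RFC 8693 Section 3}
   * @example "urn:ietf:params:oauth:token-type:access_token"
   */
  issuedTokenType?: string;
  /**
   * A new recovery code returned after verifying with a recovery code.
   * Only present when using the recovery-code MFA factor.
   * The user needs to see and store this value; it should not be kept by the application.
   */
  recoveryCode?: string;
  /**
   * The actor claim from a delegation token exchange (RFC 8693).
   *
   * Present when an `actorToken` was provided. Sourced from the ID token when
   * one is issued, or from the JWT access token in M2M flows where no ID token
   * is returned. Identifies the acting party that performed the exchange on
   * behalf of the subject.
   *
   * @see {@link https://www.rfc-editor.org/rfc/rfc8693#section-4.1 RFC 8693 Section 4.1}
   */
  act?: ActClaim;
  constructor(accessToken: string, expiresAt: number, idToken?: string, refreshToken?: string, scope?: string, claims?: IDToken, authorizationDetails?: AuthorizationDetails[]);
  /**
   * Create a TokenResponse from a TokenEndpointResponse (openid-client).
   *
   * Populates all standard OAuth 2.0 token response fields plus RFC 8693 extensions.
   * Safely handles responses that may not include all optional fields (e.g., ID token,
   * refresh token, issued_token_type).
   *
   * @param response The TokenEndpointResponse from the token endpoint.
   * @returns A TokenResponse instance with all available token data.
   */
  static fromTokenEndpointResponse(response: TokenEndpointResponse & TokenEndpointResponseHelpers): TokenResponse;
}

interface BackchannelAuthenticationOptions {
  /**
   * Human-readable message to be displayed at the consumption device and authentication device.
   * This allows the user to ensure the transaction initiated by the consumption device is the same that triggers the action on the authentication device.
   */
  bindingMessage: string;
  /**
   * The login hint to inform which user to use.
   */
  loginHint: {
    /**
     * The `sub` claim of the user that is trying to login using Client-Initiated Backchannel Authentication, and to which a push notification to authorize the login will be sent.
     */
    sub: string;
  };
  /**
   * Set a custom expiry time for the CIBA flow in seconds. Defaults to 300 seconds (5 minutes) if not set.
   */
  requestedExpiry?: number;
  /**
   * Optional authorization details to use Rich Authorization Requests (RAR).
   * @see https://auth0.com/docs/get-started/apis/configure-rich-authorization-requests
   */
  authorizationDetails?: AuthorizationDetails[];
  /**
   * Authorization Parameters to be sent with the authorization request.
   */
  authorizationParams?: AuthorizationParameters;
}

// NOTE(review): the return types in this listing were bare `Promise`, which
// does not compile. The type arguments below are restored from each method's
// @returns text and the response types declared in this file - confirm against
// the published typings.
declare class MfaClient {
  #private;
  /**
   * Lists all MFA authenticators enrolled by the user.
   *
   * Retrieves a list of all multi-factor authentication methods that have been
   * enrolled for the user, including OTP (TOTP), SMS, voice, email, and recovery codes.
   *
   * @param options - Options for listing authenticators
   * @param options.mfaToken - MFA token from the authentication response
   * @returns Promise resolving to an array of enrolled authenticators
   * @throws {MfaListAuthenticatorsError} When the request fails (e.g., invalid token, network error)
   *
   * @example
   * ```typescript
   * const authenticators = await authClient.mfa.listAuthenticators({
   *   mfaToken: 'your_mfa_token_here'
   * });
   *
   * // authenticators is an array of enrolled authenticators
   * // Each has: id, authenticatorType, active, name, oobChannels (for OOB types), type
   * ```
   */
  listAuthenticators(options: ListAuthenticatorsOptions): Promise<AuthenticatorResponse[]>;
  /**
   * Enrolls a new MFA authenticator for the user.
   *
   * Initiates the enrollment process for a new multi-factor authentication method.
   * Supports OTP (TOTP apps like Google Authenticator), SMS, voice, and email authenticators.
   *
   * For OTP enrollment, the response includes a secret and QR code URI that the user
   * can scan with their authenticator app. For SMS/voice enrollment, a phone number
   * must be provided. For email enrollment, an optional email address can be specified.
   *
   * The OTP secret, QR code URI and any recovery codes in the response are
   * authentication material; show them to the user and keep them out of logs.
   *
   * @param options - Enrollment options (type depends on authenticator being enrolled)
   * @param options.mfaToken - MFA token from the authentication response
   * @param options.authenticatorTypes - Single-element tuple: ['otp'] or ['oob'] (email is enrolled as ['oob'] with oobChannels: ['email'])
   * @param options.oobChannels - (OOB only) Delivery channels: 'sms', 'voice', 'auth0', or 'email'
   * @param options.phoneNumber - (OOB only) Phone number in E.164 format (e.g., +1234567890)
   * @param options.email - (Email only) Email address (optional, uses user's email if not provided)
   * @returns Promise resolving to enrollment response with authenticator details
   * @throws {MfaEnrollmentError} When enrollment fails (e.g., invalid parameters, network error)
   *
   * @example
   * ```typescript
   * // Enroll OTP authenticator (Google Authenticator, etc.)
   * const otpEnrollment = await authClient.mfa.enrollAuthenticator({
   *   authenticatorTypes: ['otp'],
   *   mfaToken: 'your_mfa_token_here'
   * });
   * // otpEnrollment.secret - Base32-encoded secret for TOTP
   * // otpEnrollment.barcodeUri - URI for generating QR code
   *
   * // Enroll SMS authenticator
   * const smsEnrollment = await authClient.mfa.enrollAuthenticator({
   *   authenticatorTypes: ['oob'],
   *   oobChannels: ['sms'],
   *   phoneNumber: '+1234567890',
   *   mfaToken: 'your_mfa_token_here'
   * });
   * ```
   */
  enrollAuthenticator(options: EnrollAuthenticatorOptions): Promise<EnrollmentResponse>;
  /**
   * Deletes an enrolled MFA authenticator.
   *
   * Removes a previously enrolled multi-factor authentication method from the user's account.
   * The authenticator ID can be obtained from the listAuthenticators() method.
   * Removing a factor changes how the account can be accessed, so record the
   * call for audit.
   *
   * @param options - Options for deleting an authenticator
   * @param options.authenticatorId - ID of the authenticator to delete (e.g., 'totp|dev_abc123')
   * @param options.mfaToken - MFA token from the authentication response
   * @returns Promise that resolves when the authenticator is successfully deleted
   * @throws {MfaDeleteAuthenticatorError} When deletion fails (e.g., invalid ID, network error)
   *
   * @example
   * ```typescript
   * // First, list authenticators to get the ID
   * const authenticators = await authClient.mfa.listAuthenticators({
   *   mfaToken: 'your_mfa_token_here'
   * });
   *
   * // Delete a specific authenticator
   * await authClient.mfa.deleteAuthenticator({
   *   authenticatorId: authenticators[0].id,
   *   mfaToken: 'your_mfa_token_here'
   * });
   * ```
   */
  deleteAuthenticator(options: DeleteAuthenticatorOptions): Promise<void>;
  /**
   * Initiates an MFA challenge for user verification.
   *
   * Creates a challenge that the user must complete to verify their identity using
   * one of their enrolled MFA factors. For OTP challenges, the user enters a code
   * from their authenticator app. For OOB (out-of-band) challenges like SMS, a code
   * is sent to the user's device.
   *
   * @param options - Challenge options
   * @param options.mfaToken - MFA token from the authentication response
   * @param options.challengeType - Type of challenge: 'otp' for TOTP apps, 'oob' for SMS/voice/push
   * @param options.authenticatorId - (Optional) Specific authenticator to challenge
   * @returns Promise resolving to challenge response with challenge details
   * @throws {MfaChallengeError} When the challenge fails (e.g., invalid parameters, network error)
   *
   * @example
   * ```typescript
   * // Challenge with OTP (user enters code from their app)
   * const otpChallenge = await authClient.mfa.challengeAuthenticator({
   *   challengeType: 'otp',
   *   mfaToken: 'your_mfa_token_here'
   * });
   *
   * // Challenge with SMS (code sent to user's phone)
   * const smsChallenge = await authClient.mfa.challengeAuthenticator({
   *   challengeType: 'oob',
   *   authenticatorId: 'sms|dev_abc123',
   *   mfaToken: 'your_mfa_token_here'
   * });
   * // smsChallenge.oobCode - Out-of-band code for verification
   * ```
   */
  challengeAuthenticator(options: ChallengeOptions): Promise<ChallengeResponse>;
  /**
   * Verifies an MFA challenge by exchanging the MFA token and code for access tokens.
   *
   * @param options - The MFA token, factor type (otp / oob / recovery-code), and the code to verify
   * @returns Promise resolving to a TokenResponse containing the issued tokens
   * @throws {MfaVerifyError} When verification fails (e.g. invalid token, wrong code, malformed response)
   */
  verify(options: MfaVerifyOptions): Promise<TokenResponse>;
}

/**
 * Public key credential creation options returned by signup challenges.
 *
 * These values are meant to be handed to the platform WebAuthn API as
 * received. NOTE(review): binary members such as `challenge` and `user.id` are
 * typed as strings here, presumably base64url - confirm the encoding.
 */
interface PasskeyCreationOptions {
  challenge: string;
  rp: {
    id: string;
    name: string;
  };
  user: {
    id: string;
    name: string;
    displayName: string;
  };
  pubKeyCredParams: Array<{
    type: string;
    alg: number;
  }>;
  authenticatorSelection?: {
    residentKey?: string;
    userVerification?: string;
  };
  timeout?: number;
}

/**
 * Public key credential request options returned by login challenges.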
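*/
interface PasskeyRequestOptions {
  challenge: string;
  rpId: string;
  timeout?: number;
  userVerification?: string;
}

/**
 * Serialized credential response from the platform WebAuthn API.
 * All binary fields (rawId, clientDataJSON, etc.) must be base64url-encoded strings.
 *
 * `attestationObject` is the member a registration produces, while
 * `authenticatorData`, `signature` and `userHandle` belong to an assertion.
 * All four are optional here, so the type does not tell the two apart.
 */
interface PasskeyCredentialResponse {
  id: string;
  rawId: string;
  type: string;
  authenticatorAttachment?: string;
  response: {
    clientDataJSON: string;
    attestationObject?: string;
    authenticatorData?: string;
    signature?: string;
    userHandle?: string;
  };
  // NOTE(review): this listing showed a bare `Record`, which does not compile.
  // `Record<string, unknown>` is used as the least restrictive restoration -
  // confirm against the published typings.
  clientExtensionResults?: Record<string, unknown>;
}

/**
 * Base fields shared by all signup challenge option variants.
 */
interface PasskeySignupChallengeBaseOptions {
  /** Display name for the user (optional) */
  name?: string;
  /** Given name / first name */
  givenName?: string;
  /** Family name / last name */
  familyName?: string;
  /** Nickname */
  nickname?: string;
  /** URL to the user's profile picture */
  picture?: string;
  // NOTE(review): this listing showed a bare `Record`, which does not compile.
  // `Record<string, unknown>` is used as the least restrictive restoration -
  // confirm against the published typings.
  /** Arbitrary user metadata (stored in `user_metadata` on the Auth0 user) */
  userMetadata?: Record<string, unknown>;
  /** Database connection name (sent as `realm` to the API) */
  realm?: string;
  /** Organization ID or name to associate the user with */
  organization?: string;
}

/**
 * Options for requesting a passkey signup challenge.
 *
 * At least one user identifier (`email`, `username`, or `phoneNumber`) must be provided.
 * Which identifiers are accepted depends on what is configured on your database connection.
 *
 * The union below encodes the "at least one" rule: each branch makes one
 * identifier required and leaves the other two optional.
 */
type PasskeySignupChallengeOptions = PasskeySignupChallengeBaseOptions & ({
  email: string;
  phoneNumber?: string;
  username?: string;
} | {
  phoneNumber: string;
  email?: string;
  username?: string;
} | {
  username: string;
  email?: string;
  phoneNumber?: string;
});

/**
 * Response from a passkey signup challenge request.
 */
interface PasskeySignupChallengeResponse {
  /** Auth session ID; it is passed back as `authSession` when exchanging the credential for tokens. */
  authSession: string;
  /** Creation options to hand to the platform WebAuthn API. */
  authnParamsPublicKey: PasskeyCreationOptions;
}

/**
 * Options for requesting a passkey login challenge.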
*/
interface PasskeyLoginChallengeOptions {
    /** Database connection name (sent as `realm` to the API) */
    realm?: string;
    /** Organization ID or name (scopes tokens to the organization context) */
    organization?: string;
}
/**
 * Response from a passkey login challenge request.
 */
interface PasskeyLoginChallengeResponse {
    /** Auth session ID; supplied again as `authSession` when the credential is exchanged for tokens */
    authSession: string;
    /** WebAuthn request options for the platform's credential manager */
    authnParamsPublicKey: PasskeyRequestOptions;
}
/**
 * Options for exchanging a passkey credential response for tokens.
 */
interface GetTokenByPasskeyOptions {
    /** Auth session ID returned from a signup or login challenge */
    authSession: string;
    /** Serialized credential response from the platform WebAuthn API */
    credential: PasskeyCredentialResponse;
    /** Database connection name (sent as `realm` to the API) */
    realm?: string;
    /** Requested OAuth scopes (e.g. 'openid profile email') */
    scope?: string;
    /** Target API audience */
    audience?: string;
    /** Organization ID or name (scopes tokens to the organization context) */
    organization?: string;
}
/**
 * Passkey (WebAuthn) operations: signup challenge, login challenge, and the exchange of
 * the resulting credential for tokens. Exposed on `AuthClient` as the `passkey` property.
 *
 * NOTE(review): the method return types read `Promise` without a type argument in this
 * listing — confirm the resolved types against the published typings.
 */
declare class PasskeyClient {
    #private;
    /**
     * Requests a passkey signup challenge for a new user.
     *
     * Returns the WebAuthn public key creation options that should be passed to
     * the platform's credential manager (e.g., `navigator.credentials.create()`)
     * to register a new passkey.
     *
     * @param options - User profile data and optional realm
     * @returns Promise resolving to the signup challenge with auth session and public key creation options
     * @throws {PasskeyRegisterError} When the challenge request fails
     *
     * @example
     * ```typescript
     * const challenge = await authClient.passkey.register({
     *   email: 'user@example.com',
     *   name: 'Jane Doe',
     *   realm: 'Username-Password-Authentication'
     * });
     * ```
     */
    register(options: PasskeySignupChallengeOptions): Promise;
    /**
     * Requests a passkey login challenge for an existing user.
     *
     * Returns the WebAuthn public key request options that should be passed to
     * the platform's credential manager (e.g., `navigator.credentials.get()`)
     * to retrieve an existing passkey.
     *
     * @param options - Optional realm configuration
     * @returns Promise resolving to the login challenge with auth session and public key request options
     * @throws {PasskeyChallengeError} When the challenge request fails
     *
     * @example
     * ```typescript
     * const challenge = await authClient.passkey.challenge({
     *   realm: 'Username-Password-Authentication'
     * });
     * ```
     */
    challenge(options?: PasskeyLoginChallengeOptions): Promise;
    /**
     * Exchanges a passkey credential for tokens using the WebAuthn grant type.
     *
     * This method should be called after obtaining a credential response from the
     * platform's WebAuthn API (via `navigator.credentials.create()` for signup or
     * `navigator.credentials.get()` for login), using the challenge obtained from
     * `register()` or `challenge()`.
     *
     * Unlike `register()` and `challenge()` (which work with public clients), this
     * token exchange requires a **confidential client** — the `AuthClient` must be
     * configured with a `clientSecret` or a `clientAssertionSigningKey`. Without
     * client credentials it throws a `PasskeyGetTokenError` whose `cause` reports
     * that a client secret or client assertion signing key is required.
     *
     * When the server requires multi-factor authentication, the thrown
     * `PasskeyGetTokenError` has `cause.error` set to `'mfa_required'` and carries
     * `mfa_token` (and optionally `mfa_requirements`); `isMfaRequiredError` detects this case.
     *
     * @param options - The auth session and serialized credential response
     * @returns Promise resolving to a TokenResponse with access token, ID token, and optional refresh token
     * @throws {PasskeyGetTokenError} When the token exchange fails, or when no client credentials are configured
     *
     * @example
     * ```typescript
     * const challenge = await authClient.passkey.challenge();
     * // Pass challenge.authnParamsPublicKey to navigator.credentials.get()
     * // Then serialize the credential response and exchange for tokens:
     * const tokens = await authClient.passkey.getTokenByPasskey({
     *   authSession: challenge.authSession,
     *   credential: serializedCredential,
     *   scope: 'openid profile email',
     *   audience: 'https://api.example.com',
     * });
     * ```
     */
    getTokenByPasskey(options: GetTokenByPasskeyOptions): Promise;
}
/**
 * Auth0 authentication client for handling OAuth 2.0 and OIDC flows.
 *
 * Provides methods for authorization, token exchange, token refresh, and verification
 * of tokens issued by Auth0. Supports multiple authentication methods including
 * client_secret_post, private_key_jwt, and mTLS.
 *
 * NOTE(review): the method return types read `Promise` without a type argument in this
 * listing — confirm the resolved types against the published typings.
 */
declare class AuthClient {
    #private;
    /** MFA operations (authenticator challenge and verification, among others) */
    mfa: MfaClient;
    /** Passkey (WebAuthn) challenge and token-exchange operations */
    passkey: PasskeyClient;
    constructor(options: AuthClientOptions);
    /**
     * Returns the discovered server metadata for the configured domain.
     */
    getServerMetadata(): Promise;
    /**
     * Builds the URL to which the user-agent is redirected to request authorization at Auth0.
     * @param options Options used to configure the authorization URL.
     *
     * @throws {BuildAuthorizationUrlError} If there was an issue when building the Authorization URL.
     *
     * @returns A promise resolving to an object, containing the authorizationUrl and codeVerifier.
     * Keep the `codeVerifier` with the user's session until the callback: `getTokenByCode`
     * takes the expected code verifier in its options.
     */
    buildAuthorizationUrl(options?: BuildAuthorizationUrlOptions): Promise;
    /**
     * Builds the URL to redirect the user-agent to to link a user account at Auth0.
     * @param options Options used to configure the link user URL.
     *
     * @throws {BuildLinkUserUrlError} If there was an issue when building the Link User URL.
*
     * @returns A promise resolving to an object, containing the linkUserUrl and codeVerifier.
     */
    buildLinkUserUrl(options: BuildLinkUserUrlOptions): Promise;
    /**
     * Builds the URL to which the user-agent is redirected to unlink a user account at Auth0.
     * @param options Options used to configure the unlink user URL.
     *
     * @throws {BuildUnlinkUserUrlError} If there was an issue when building the Unlink User URL.
     *
     * @returns A promise resolving to an object, containing the unlinkUserUrl and codeVerifier.
     * The `codeVerifier` is presumably needed again when the resulting authorization code is
     * exchanged (`getTokenByCode` takes the expected code verifier) — confirm against the flow docs.
     */
    buildUnlinkUserUrl(options: BuildUnlinkUserUrlOptions): Promise;
    /**
     * Authenticates using Client-Initiated Backchannel Authentication.
     *
     * This method initiates the backchannel authentication process with Auth0 and then
     * polls the token endpoint until the authentication is complete, so the returned
     * promise stays pending for as long as that takes. To control the polling yourself,
     * use `initiateBackchannelAuthentication` together with `backchannelAuthenticationGrant`.
     *
     * Using Client-Initiated Backchannel Authentication requires the feature to be enabled in the Auth0 dashboard.
     * @see https://auth0.com/docs/get-started/authentication-and-authorization-flow/client-initiated-backchannel-authentication-flow
     * @param options Options used to configure the backchannel authentication process.
     *
     * @throws {BackchannelAuthenticationError} If there was an issue when doing backchannel authentication.
     *
     * @returns A Promise, resolving to the TokenResponse as returned from Auth0.
     */
    backchannelAuthentication(options: BackchannelAuthenticationOptions): Promise;
    /**
     * Initiates Client-Initiated Backchannel Authentication flow by calling the `/bc-authorize` endpoint.
     * This method only initiates the authentication request and returns the `auth_req_id` to be used in subsequent calls to `backchannelAuthenticationGrant`.
     *
     * Typically, you would call this method to start the authentication process, then use the returned `auth_req_id` to poll for the token using `backchannelAuthenticationGrant`.
     *
     * @param options Options used to configure the backchannel authentication initiation.
*
     * @throws {BackchannelAuthenticationError} If there was an issue when initiating backchannel authentication.
     *
     * @returns An object containing `authReqId`, `expiresIn`, and `interval` for polling.
     */
    initiateBackchannelAuthentication(options: BackchannelAuthenticationOptions): Promise<{
        authReqId: string;
        expiresIn: number;
        interval: number | undefined;
    }>;
    /**
     * Exchanges the `auth_req_id` obtained from `initiateBackchannelAuthentication` for tokens.
     *
     * Callers that poll with this method should pace their calls with the `interval`
     * returned by `initiateBackchannelAuthentication` and stop once `expiresIn` has elapsed.
     * NOTE(review): presumably each call makes a single token request and a still-pending
     * authentication surfaces as a `BackchannelAuthenticationError` — confirm against the implementation.
     *
     * @param authReqId The `auth_req_id` obtained from `initiateBackchannelAuthentication`.
     *
     * @throws {BackchannelAuthenticationError} If there was an issue when exchanging the `auth_req_id` for tokens.
     *
     * @returns A Promise, resolving to the TokenResponse as returned from Auth0.
     */
    backchannelAuthenticationGrant({ authReqId }: {
        authReqId: string;
    }): Promise;
    /**
     * Retrieves a token for a connection using Token Vault.
     *
     * This is a convenience wrapper around exchangeToken() for Token Vault scenarios,
     * providing a simpler API for the common use case of exchanging Auth0 tokens for
     * federated access tokens.
     *
     * Either a refresh token or access token must be provided, but not both. The method
     * automatically determines the correct subject_token_type based on which token is provided.
     *
     * @deprecated Since v1.2.0. Use {@link exchangeToken} with a Token Vault payload:
     * `exchangeToken({ connection, subjectToken, subjectTokenType, loginHint?, scope?, extra? })`.
     * This method remains for backward compatibility and is planned for removal in v2.0.
     *
     * @param options Options for retrieving an access token for a connection.
     *
     * @throws {TokenForConnectionError} If there was an issue requesting the access token,
     * or if both/neither token types are provided.
     *
     * @returns The access token for the connection
     *
     * @see {@link exchangeToken} for the unified token exchange method with more options
     *
     * @example Using an access token (deprecated, use exchangeToken instead)
     * ```typescript
     * const response = await authClient.getTokenForConnection({
     *   connection: 'google-oauth2',
     *   accessToken: auth0AccessToken,
     *   loginHint: 'user@example.com'
     * });
     * ```
     *
     * @example Using a refresh token (deprecated, use exchangeToken instead)
     * ```typescript
     * const response = await authClient.getTokenForConnection({
     *   connection: 'salesforce',
     *   refreshToken: auth0RefreshToken
     * });
     * ```
     */
    getTokenForConnection(options: TokenForConnectionOptions): Promise;
    /**
     * @overload
     * Exchanges a custom token for Auth0 tokens using RFC 8693 Token Exchange via Token Exchange Profile.
     *
     * This overload is used when you DON'T provide a `connection` parameter.
     * It enables exchanging custom tokens (from MCP servers, legacy systems, or partner
     * services) for Auth0 tokens targeting a specific API audience. Requires a Token
     * Exchange Profile configured in Auth0.
*
     * @param options Token Exchange Profile configuration (without `connection` parameter)
     * @returns Promise resolving to TokenResponse with Auth0 tokens
     * @throws {TokenExchangeError} When exchange fails or validation errors occur
     * @throws {MissingClientAuthError} When client authentication is not configured
     *
     * @example
     * ```typescript
     * // Exchange custom token (organization is optional)
     * const response = await authClient.exchangeToken({
     *   subjectTokenType: 'urn:acme:mcp-token',
     *   subjectToken: mcpServerToken,
     *   audience: 'https://api.example.com',
     *   organization: 'org_abc123', // Optional - Organization ID or name
     *   scope: 'openid profile read:data'
     * });
     * // The resulting access token will include the organization ID in its payload
     * ```
     */
    exchangeToken(options: ExchangeProfileOptions): Promise;
    /**
     * @overload
     * Exchanges an Auth0 token for an external provider's access token using Token Vault.
     *
     * This overload is used when you DO provide a `connection` parameter.
     * It exchanges Auth0 tokens (access or refresh) for external provider's access tokens
     * (Google, Facebook, etc.). The external provider's refresh token is securely stored in
     * Auth0's Token Vault.
     *
     * When the server requires multi-factor authentication, the thrown error has
     * `cause.error` set to `'mfa_required'`; `isMfaRequiredError` detects this case.
     *
     * @param options Token Vault exchange configuration (with `connection` parameter)
     * @returns Promise resolving to TokenResponse with external provider's access token
     * @throws {TokenExchangeError} When exchange fails or validation errors occur
     * @throws {MissingClientAuthError} When client authentication is not configured
     *
     * @example
     * ```typescript
     * const response = await authClient.exchangeToken({
     *   connection: 'google-oauth2',
     *   subjectToken: auth0AccessToken,
     *   loginHint: 'user@example.com'
     * });
     * ```
     */
    exchangeToken(options: TokenVaultExchangeOptions): Promise;
    /**
     * Retrieves a token by exchanging an authorization code.
     * @param url The URL containing the authorization code.
     * @param options Options for exchanging the authorization code, containing the expected code verifier.
*
     * @throws {TokenByCodeError} If there was an issue requesting the access token.
     *
     * @returns A Promise, resolving to the TokenResponse as returned from Auth0.
     */
    getTokenByCode(url: URL, options: TokenByCodeOptions): Promise;
    /**
     * Retrieves a token by exchanging a refresh token.
     * @param options Options for exchanging the refresh token.
     *
     * @throws {TokenByRefreshTokenError} If there was an issue requesting the access token.
     * When the server requires multi-factor authentication, the error's `cause.error` is
     * `'mfa_required'`; `isMfaRequiredError` detects this case.
     *
     * @returns A Promise, resolving to the TokenResponse as returned from Auth0.
     */
    getTokenByRefreshToken(options: TokenByRefreshTokenOptions): Promise;
    /**
     * Retrieves a token using Resource Owner Password Grant.
     *
     * With this grant the application itself receives the user's username and password
     * and forwards them to the token endpoint, so both must be handled as secrets
     * (never logged or persisted).
     *
     * @param options Options for authenticating with username and password.
     *
     * @throws {TokenByPasswordError} If there was an issue requesting the access token.
     * When the server requires multi-factor authentication, the error's `cause.error` is
     * `'mfa_required'`; `isMfaRequiredError` detects this case.
     *
     * @returns A Promise, resolving to the TokenResponse as returned from Auth0.
     */
    getTokenByPassword(options: TokenByPasswordOptions): Promise;
    /**
     * Retrieves a token by exchanging client credentials.
     * @param options Options for retrieving the token.
     *
     * @throws {TokenByClientCredentialsError} If there was an issue requesting the access token.
     *
     * @returns A Promise, resolving to the TokenResponse as returned from Auth0.
     */
    getTokenByClientCredentials(options: TokenByClientCredentialsOptions): Promise;
    /**
     * Builds the URL to which the user-agent is redirected to request logout at Auth0.
     * @param options Options used to configure the logout URL.
     * @returns A promise resolving to the URL to redirect the user-agent to.
     */
    buildLogoutUrl(options: BuildLogoutUrlOptions): Promise;
    /**
     * Verifies whether a logout token is valid.
     * @param options Options used to verify the logout token.
     *
     * @throws {VerifyLogoutTokenError} If there was an issue verifying the logout token.
     *
     * @returns An object containing the `sid` and `sub` claims from the logout token.
*/
    verifyLogoutToken(options: VerifyLogoutTokenOptions): Promise;
}
/**
 * Factor types that can appear in an `mfa_required` error's `mfa_requirements` payload.
 */
type MfaRequiredFactorType = 'otp' | 'oob' | 'email' | 'webauthn-roaming' | 'webauthn-platform' | 'push-notification' | 'phone';
/**
 * Describes which MFA factors the user must challenge or enroll.
 */
interface MfaRequirements {
    /** Factor types the user must challenge */
    challenge?: Array<{
        type: MfaRequiredFactorType;
    }>;
    /** Factor types the user must enroll */
    enroll?: Array<{
        type: MfaRequiredFactorType;
    }>;
}
/**
 * Interface to represent an OAuth2 error.
 * When the error is `mfa_required`, `mfa_token` is populated and `mfa_requirements`
 * may be populated as well (it is optional even in that case).
 */
interface OAuth2Error {
    /** OAuth2 error code, e.g. `'mfa_required'` */
    error: string;
    /** Human-readable description of the error */
    error_description: string;
    message?: string;
    /** Token needed to continue with the MFA enrollment or challenge APIs; handle it as a secret */
    mfa_token?: string;
    /** Factors the user must challenge or enroll */
    mfa_requirements?: MfaRequirements;
}
/**
 * Error codes used for {@link NotSupportedError}
 */
declare enum NotSupportedErrorCode {
    /** Pushed Authorization Requests (PAR) were requested but are not supported */
    PAR_NOT_SUPPORTED = "par_not_supported_error",
    /** Presumably: mTLS was requested without a custom fetch implementation — confirm against the client options */
    MTLS_WITHOUT_CUSTOMFETCH_NOT_SUPPORT = "mtls_without_custom_fetch_not_supported"
}
/**
 * Error thrown when a feature is not supported.
 * For example, when trying to use Pushed Authorization Requests (PAR) but the Auth0 tenant was not configured to support it.
 */
declare class NotSupportedError extends Error {
    /** Error code; see {@link NotSupportedErrorCode} */
    code: string;
    constructor(code: string, message: string);
}
/**
 * Base class for API errors, containing the error, error_description and message (if available).
 */
declare abstract class ApiError extends Error {
    /** OAuth2 error payload behind this error, when one is available */
    cause?: OAuth2Error;
    /** Error code identifying the kind of failure */
    code: string;
    constructor(code: string, message: string, cause?: OAuth2Error);
}
/**
 * Error thrown when trying to get an access token by exchanging an authorization code
 * (see `AuthClient.getTokenByCode`).
 */
declare class TokenByCodeError extends ApiError {
    constructor(message: string, cause?: OAuth2Error);
}
/**
 * Error thrown when trying to get an access token by exchanging client credentials
 * (see `AuthClient.getTokenByClientCredentials`).
 */
declare class TokenByClientCredentialsError extends ApiError {
    constructor(message: string, cause?: OAuth2Error);
}
/**
 * Error thrown when trying to get an access token.
*/
declare class TokenByRefreshTokenError extends ApiError {
    constructor(message: string, cause?: OAuth2Error);
}
/**
 * Error thrown when trying to get an access token using Resource Owner Password Grant.
 */
declare class TokenByPasswordError extends ApiError {
    constructor(message: string, cause?: OAuth2Error);
}
/**
 * Error thrown when trying to get an access token for a connection.
 *
 * @deprecated Since v1.2.0, using {@link AuthClient#getTokenForConnection} is deprecated and we recommend to use {@link AuthClient#exchangeToken}.
 * When doing so, use {@link TokenExchangeError} instead of {@link TokenForConnectionError}.
 * This error class remains for backward compatibility and is planned for removal in v2.0.
 */
declare class TokenForConnectionError extends ApiError {
    constructor(message: string, cause?: OAuth2Error);
}
/**
 * Error thrown when a Token Exchange flow fails. This can occur due to misconfiguration,
 * an invalid subject_token, or if the exchange is denied by the server.
 */
declare class TokenExchangeError extends ApiError {
    constructor(message: string, cause?: OAuth2Error);
}
/**
 * Error thrown when verifying the logout token.
 *
 * Extends `Error` directly rather than `ApiError`, so it declares no OAuth2 `cause`;
 * only `code` and the message are available.
 */
declare class VerifyLogoutTokenError extends Error {
    code: string;
    constructor(message: string);
}
/**
 * Error thrown when trying to use Client-Initiated Backchannel Authentication.
 *
 * The constructor takes only the optional OAuth2 `cause`; no message argument is passed in.
 */
declare class BackchannelAuthenticationError extends ApiError {
    code: string;
    constructor(cause?: OAuth2Error);
}
/**
 * Error thrown when trying to build the authorization URL.
 */
declare class BuildAuthorizationUrlError extends ApiError {
    constructor(cause?: OAuth2Error);
}
/**
 * Error thrown when trying to build the Link User URL.
 */
declare class BuildLinkUserUrlError extends ApiError {
    constructor(cause?: OAuth2Error);
}
/**
 * Error thrown when trying to build the Unlink User URL.
*/
declare class BuildUnlinkUserUrlError extends ApiError {
    constructor(cause?: OAuth2Error);
}
/**
 * Shape of an error thrown by a token request method when the server answered `mfa_required`.
 *
 * Obtained by narrowing a caught error with {@link isMfaRequiredError}: `cause` and
 * `cause.mfa_token` are required here, while `cause.mfa_requirements` stays optional.
 */
interface MfaRequiredError extends Error {
    code: string;
    cause: OAuth2Error & {
        error: 'mfa_required';
        /** Token needed to proceed with the enrollment or challenge MFA APIs */
        mfa_token: string;
        /** Describes which factors to challenge or enroll, when the server sends it */
        mfa_requirements?: MfaRequirements;
    };
}
/**
 * Narrows an error thrown by a token request method to one caused by an `mfa_required` response.
 *
 * When the Auth0 server requires multi-factor authentication, token request methods
 * (`getTokenByPassword`, `getTokenByRefreshToken`, `exchangeToken`, `passkey.getTokenByPasskey`)
 * throw their usual error (e.g. `TokenByPasswordError`, `PasskeyGetTokenError`) with
 * `cause.error` set to `'mfa_required'`.
 * The `cause` will also contain:
 * - `mfa_token` — the token needed to proceed with enrollment or challenge MFA APIs
 * - `mfa_requirements` — (optional) describes which factors to challenge or enroll
 *
 * This type guard checks whether an error was caused by an `mfa_required` response and
 * narrows the type so that `cause` and `cause.mfa_token` are guaranteed to be defined.
 *
 * Because `cause.mfa_token` is what the follow-up MFA calls accept, avoid writing the
 * caught error or its `cause` to logs without redacting that field.
 *
 * @param error - The error caught from a token request method
 * @returns `true` if the error was caused by an `mfa_required` server response
 *
 * @example
 * ```typescript
 * import { AuthClient, isMfaRequiredError } from '@auth0/auth0-auth-js';
 *
 * try {
 *   await authClient.getTokenByPassword({ username, password });
 * } catch (error) {
 *   if (isMfaRequiredError(error)) {
 *     // error.cause.mfa_token is guaranteed to be defined here
 *     const challenge = await authClient.mfa.challengeAuthenticator({
 *       mfaToken: error.cause.mfa_token,
 *       challengeType: 'otp',
 *     });
 *   }
 * }
 * ```
 */
declare function isMfaRequiredError(error: unknown): error is MfaRequiredError;
/**
 * Error thrown when Client Secret or Client Assertion Signing Key is missing.
 */
declare class MissingClientAuthError extends Error {
    code: string;
    constructor();
}
/**
 * Interface to represent an MFA API error response.
*/
interface MfaApiErrorResponse {
    /** Error code returned by the MFA API */
    error: string;
    /** Human-readable description of the error */
    error_description: string;
    message?: string;
}
/**
 * Base class for MFA-related errors.
 */
declare abstract class MfaError extends Error {
    /** MFA API error payload behind this error, when one is available */
    cause?: MfaApiErrorResponse;
    /** Error code identifying the kind of failure */
    code: string;
    constructor(code: string, message: string, cause?: MfaApiErrorResponse);
}
/**
 * Error thrown when listing authenticators fails.
 */
declare class MfaListAuthenticatorsError extends MfaError {
    constructor(message: string, cause?: MfaApiErrorResponse);
}
/**
 * Error thrown when enrolling an authenticator fails.
 */
declare class MfaEnrollmentError extends MfaError {
    constructor(message: string, cause?: MfaApiErrorResponse);
}
/**
 * Error thrown when deleting an authenticator fails.
 */
declare class MfaDeleteAuthenticatorError extends MfaError {
    constructor(message: string, cause?: MfaApiErrorResponse);
}
/**
 * Error thrown when initiating an MFA challenge fails.
 */
declare class MfaChallengeError extends MfaError {
    constructor(message: string, cause?: MfaApiErrorResponse);
}
/**
 * Error thrown when MFA verification fails (e.g., invalid OTP, invalid MFA token).
 */
declare class MfaVerifyError extends MfaError {
    constructor(message: string, cause?: MfaApiErrorResponse);
}
/**
 * Interface to represent a Passkey API error response.
 */
interface PasskeyApiErrorResponse {
    /** Error code returned by the passkey API */
    error: string;
    /** Human-readable description of the error */
    error_description: string;
    message?: string;
}
/**
 * Passkey token exchange (`getTokenByPasskey`) error response.
 *
 * In addition to the common fields, an `mfa_required` response carries
 * `mfa_token` and `mfa_requirements` (mirroring {@link OAuth2Error}). Only the
 * token exchange can require MFA; the signup/login challenge requests cannot.
 * Use {@link isMfaRequiredError} to detect this case and continue with the MFA APIs.
 */
interface PasskeyGetTokenApiErrorResponse extends PasskeyApiErrorResponse {
    /** Token needed to continue with the MFA APIs; handle it as a secret */
    mfa_token?: string;
    /** Factors the user must challenge or enroll */
    mfa_requirements?: MfaRequirements;
}
/**
 * Base class for Passkey-related errors.
*/
declare abstract class PasskeyError extends Error {
    /** Passkey API error payload behind this error, when one is available */
    cause?: PasskeyApiErrorResponse;
    /** Error code identifying the kind of failure */
    code: string;
    constructor(code: string, message: string, cause?: PasskeyApiErrorResponse);
}
/**
 * Error thrown when requesting a passkey register challenge fails.
 */
declare class PasskeyRegisterError extends PasskeyError {
    constructor(message: string, cause?: PasskeyApiErrorResponse);
}
/**
 * Error thrown when requesting a passkey login challenge fails.
 */
declare class PasskeyChallengeError extends PasskeyError {
    constructor(message: string, cause?: PasskeyApiErrorResponse);
}
/**
 * Error thrown when exchanging a passkey credential for tokens fails.
 *
 * Unlike the challenge errors, this carries `mfa_token` / `mfa_requirements` on
 * its `cause` when the server responds with `mfa_required`.
 */
declare class PasskeyGetTokenError extends PasskeyError {
    /** Redeclared with the token-exchange response type so the MFA fields are visible on `cause` */
    cause?: PasskeyGetTokenApiErrorResponse;
    constructor(message: string, cause?: PasskeyGetTokenApiErrorResponse);
}

export { type ActClaim, AuthClient, type AuthClientOptions, type AuthenticatorResponse, type AuthenticatorType, type AuthorizationDetails, type AuthorizationParameters, BackchannelAuthenticationError, type BackchannelAuthenticationOptions, BuildAuthorizationUrlError, type BuildAuthorizationUrlOptions, type BuildAuthorizationUrlResult, BuildLinkUserUrlError, type BuildLinkUserUrlOptions, type BuildLinkUserUrlResult, type BuildLogoutUrlOptions, BuildUnlinkUserUrlError, type BuildUnlinkUserUrlOptions, type BuildUnlinkUserUrlResult, type ChallengeOptions, type ChallengeResponse, type DeleteAuthenticatorOptions, type DiscoveryCacheOptions, type EnrollAuthenticatorOptions, type EnrollEmailOptions, type EnrollOobOptions, type EnrollOtpOptions, type EnrollmentResponse, type ExchangeProfileOptions, type GetTokenByPasskeyOptions, type ListAuthenticatorsOptions, type MfaApiErrorResponse, MfaChallengeError, MfaClient, MfaDeleteAuthenticatorError, MfaEnrollmentError, type MfaFactorType, MfaListAuthenticatorsError, type
MfaRequiredError, type MfaRequiredFactorType, type MfaRequirements, MfaVerifyError, type MfaVerifyOobOptions, type MfaVerifyOptions, type MfaVerifyOtpOptions, type MfaVerifyRecoveryCodeOptions, MissingClientAuthError, NotSupportedError, NotSupportedErrorCode, type OAuth2Error, type OobChannel, type OobEnrollmentResponse, type OtpEnrollmentResponse, type PasskeyApiErrorResponse, PasskeyChallengeError, PasskeyClient, type PasskeyCreationOptions, type PasskeyCredentialResponse, PasskeyError, type PasskeyGetTokenApiErrorResponse, PasskeyGetTokenError, type PasskeyLoginChallengeOptions, type PasskeyLoginChallengeResponse, PasskeyRegisterError, type PasskeyRequestOptions, type PasskeySignupChallengeOptions, type PasskeySignupChallengeResponse, type TelemetryConfig, TokenByClientCredentialsError, type TokenByClientCredentialsOptions, TokenByCodeError, type TokenByCodeOptions, TokenByPasswordError, type TokenByPasswordOptions, TokenByRefreshTokenError, type TokenByRefreshTokenOptions, TokenExchangeError, TokenForConnectionError, type TokenForConnectionOptions, TokenResponse, type TokenVaultExchangeOptions, VerifyLogoutTokenError, type VerifyLogoutTokenOptions, type VerifyLogoutTokenResult, isMfaRequiredError };