feat: Add health check and auto-reauth controls for managed auth connections

stainless-app[bot] · stainless-app[bot] · commit 259c75be12f6 · 2026-05-15T20:32:41.000Z
diff --git a/.stats.yml b/.stats.yml
@@ -1,4 +1,4 @@
 configured_endpoints: 112
 openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/kernel/kernel-b7a19ff1fbd93322c8cffcd0b397ce2536ca8bff91594e0081bd030d4bec879f.yml
-openapi_spec_hash: 490520e6f0a8b1ebc89e9c0add46082d
+openapi_spec_hash: 9dd204b37a357b19032aea9eb4496645
 config_hash: 08d55086449943a8fec212b870061a3f
diff --git a/src/resources/auth/connections.ts b/src/resources/auth/connections.ts
@@ -250,6 +250,17 @@ export interface ManagedAuth {
    */
   allowed_domains?: Array<string>;
 
+  /**
+   * Whether automatic re-authentication is permitted for this connection. This is an
+   * opt-in flag only — it does not check whether re-auth is actually feasible. Even
+   * when true, re-auth only runs when the system has what it needs to perform it
+   * (for example, saved credentials for the required login fields), and only after a
+   * scheduled health check detects an expired session — so this flag has no effect
+   * when `health_checks` is false. When false, expired sessions detected by a health
+   * check are marked as `NEEDS_AUTH` instead of attempting re-auth.
+   */
+  auto_reauth?: boolean;
+
   /**
    * ID of the underlying browser session driving the current flow (present when flow
    * in progress). Use this to inspect or terminate the browser session via the
@@ -337,6 +348,15 @@ export interface ManagedAuth {
    */
   health_check_interval?: number | null;
 
+  /**
+   * Whether periodic health checks are enabled for this connection. When false, the
+   * system will not automatically verify authentication status, and `auto_reauth`
+   * has no effect on the automatic flow (since re-auth is only triggered by a failed
+   * scheduled health check). Manually triggering a health check via the API still
+   * works regardless of this setting.
+   */
+  health_checks?: boolean;
+
   /**
    * URL to redirect user to for hosted login (present when flow in progress)
    */
@@ -591,6 +611,18 @@ export interface ManagedAuthCreateRequest {
    */
   allowed_domains?: Array<string>;
 
+  /**
+   * Whether to permit automatic re-authentication when a scheduled health check
+   * detects an expired session. This is an opt-in flag only — it does not check
+   * whether re-auth is actually feasible. Even when true, re-auth only runs when the
+   * system has what it needs to perform it (for example, saved credentials for the
+   * required login fields), and only after a scheduled health check detects an
+   * expired session — so this flag has no effect when `health_checks` is false. When
+   * false, expired sessions are marked as `NEEDS_AUTH` instead of attempting
+   * re-auth. Defaults to true.
+   */
+  auto_reauth?: boolean;
+
   /**
    * Reference to credentials for the auth connection. Use one of:
    *
@@ -609,6 +641,14 @@ export interface ManagedAuthCreateRequest {
    */
   health_check_interval?: number;
 
+  /**
+   * Whether to enable periodic health checks. When false, the system will not
+   * automatically verify authentication status, and `auto_reauth` has no effect on
+   * the automatic flow (since re-auth is only triggered by a failed scheduled health
+   * check). Defaults to true.
+   */
+  health_checks?: boolean;
+
   /**
    * Optional login page URL to skip discovery
    */
@@ -689,6 +729,17 @@ export interface ManagedAuthUpdateRequest {
    */
   allowed_domains?: Array<string>;
 
+  /**
+   * Whether automatic re-authentication is permitted for this connection. This is an
+   * opt-in flag only — it does not check whether re-auth is actually feasible. Even
+   * when true, re-auth only runs when the system has what it needs to perform it
+   * (for example, saved credentials for the required login fields), and only after a
+   * scheduled health check detects an expired session — so this flag has no effect
+   * when `health_checks` is false. When false, expired sessions detected by a health
+   * check are marked as `NEEDS_AUTH` instead of attempting re-auth.
+   */
+  auto_reauth?: boolean;
+
   /**
    * Reference to credentials for the auth connection. Use one of:
    *
@@ -703,6 +754,14 @@ export interface ManagedAuthUpdateRequest {
    */
   health_check_interval?: number;
 
+  /**
+   * Whether periodic health checks are enabled. When set to false, the system will
+   * not automatically verify authentication status, and `auto_reauth` has no effect
+   * on the automatic flow (since re-auth is only triggered by a failed scheduled
+   * health check).
+   */
+  health_checks?: boolean;
+
   /**
    * Login page URL. Set to empty string to clear.
    */
@@ -1068,6 +1127,18 @@ export interface ConnectionCreateParams {
    */
   allowed_domains?: Array<string>;
 
+  /**
+   * Whether to permit automatic re-authentication when a scheduled health check
+   * detects an expired session. This is an opt-in flag only — it does not check
+   * whether re-auth is actually feasible. Even when true, re-auth only runs when the
+   * system has what it needs to perform it (for example, saved credentials for the
+   * required login fields), and only after a scheduled health check detects an
+   * expired session — so this flag has no effect when `health_checks` is false. When
+   * false, expired sessions are marked as `NEEDS_AUTH` instead of attempting
+   * re-auth. Defaults to true.
+   */
+  auto_reauth?: boolean;
+
   /**
    * Reference to credentials for the auth connection. Use one of:
    *
@@ -1086,6 +1157,14 @@ export interface ConnectionCreateParams {
    */
   health_check_interval?: number;
 
+  /**
+   * Whether to enable periodic health checks. When false, the system will not
+   * automatically verify authentication status, and `auto_reauth` has no effect on
+   * the automatic flow (since re-auth is only triggered by a failed scheduled health
+   * check). Defaults to true.
+   */
+  health_checks?: boolean;
+
   /**
    * Optional login page URL to skip discovery
    */
@@ -1163,6 +1242,17 @@ export interface ConnectionUpdateParams {
    */
   allowed_domains?: Array<string>;
 
+  /**
+   * Whether automatic re-authentication is permitted for this connection. This is an
+   * opt-in flag only — it does not check whether re-auth is actually feasible. Even
+   * when true, re-auth only runs when the system has what it needs to perform it
+   * (for example, saved credentials for the required login fields), and only after a
+   * scheduled health check detects an expired session — so this flag has no effect
+   * when `health_checks` is false. When false, expired sessions detected by a health
+   * check are marked as `NEEDS_AUTH` instead of attempting re-auth.
+   */
+  auto_reauth?: boolean;
+
   /**
    * Reference to credentials for the auth connection. Use one of:
    *
@@ -1177,6 +1267,14 @@ export interface ConnectionUpdateParams {
    */
   health_check_interval?: number;
 
+  /**
+   * Whether periodic health checks are enabled. When set to false, the system will
+   * not automatically verify authentication status, and `auto_reauth` has no effect
+   * on the automatic flow (since re-auth is only triggered by a failed scheduled
+   * health check).
+   */
+  health_checks?: boolean;
+
   /**
    * Login page URL. Set to empty string to clear.
    */
diff --git a/tests/api-resources/auth/connections.test.ts b/tests/api-resources/auth/connections.test.ts
@@ -29,13 +29,15 @@ describe('resource connections', () => {
       domain: 'netflix.com',
       profile_name: 'user-123',
       allowed_domains: ['login.netflix.com', 'auth.netflix.com'],
+      auto_reauth: true,
       credential: {
         auto: true,
         name: 'my-netflix-creds',
         path: 'Personal/Netflix',
         provider: 'my-1p',
       },
       health_check_interval: 3600,
+      health_checks: true,
       login_url: 'https://netflix.com/login',
       proxy: { id: 'id', name: 'name' },
       record_session: false,
