@@ -19,46 +19,33 @@ export class Auth extends APIResource {
1919 invocations : InvocationsAPI . Invocations = new InvocationsAPI . Invocations ( this . _client ) ;
2020
2121 /**
22- * Creates a new auth agent for the specified domain and profile combination, or
23- * returns an existing one if it already exists. This is idempotent - calling with
24- * the same domain and profile will return the same agent. Does NOT start an
25- * invocation - use POST /agents/auth/invocations to start an auth flow.
22+ * **Deprecated: Use POST /auth/connections instead.** Creates a new auth agent for
23+ * the specified domain and profile combination, or returns an existing one if it
24+ * already exists. This is idempotent - calling with the same domain and profile
25+ * will return the same agent. Does NOT start an invocation - use POST
26+ * /agents/auth/invocations to start an auth flow.
2627 *
27- * @example
28- * ```ts
29- * const authAgent = await client.agents.auth.create({
30- * domain: 'netflix.com',
31- * profile_name: 'user-123',
32- * });
33- * ```
28+ * @deprecated
3429 */
3530 create ( body : AuthCreateParams , options ?: RequestOptions ) : APIPromise < AuthAgent > {
3631 return this . _client . post ( '/agents/auth' , { body, ...options } ) ;
3732 }
3833
3934 /**
40- * Retrieve an auth agent by its ID. Returns the current authentication status of
41- * the managed profile.
35+ * **Deprecated: Use GET / auth/connections/{id} instead.** Retrieve an auth agent
36+ * by its ID. Returns the current authentication status of the managed profile.
4237 *
43- * @example
44- * ```ts
45- * const authAgent = await client.agents.auth.retrieve('id');
46- * ```
38+ * @deprecated
4739 */
4840 retrieve ( id : string , options ?: RequestOptions ) : APIPromise < AuthAgent > {
4941 return this . _client . get ( path `/agents/auth/${ id } , options ) ;
5042 }
5143
5244 /**
53- * List auth agents with optional filters for profile_name and domain.
45+ * **Deprecated: Use GET /auth/connections instead.** List auth agents with
46+ * optional filters for profile_name and domain.
5447 *
55- * @example
56- * ```ts
57- * // Automatically fetches more pages as needed.
58- * for await (const authAgent of client.agents.auth.list()) {
59- * // ...
60- * }
61- * ```
48+ * @deprecated
6249 */
6350 list (
6451 query : AuthListParams | null | undefined = { } ,
@@ -68,16 +55,14 @@ export class Auth extends APIResource {
6855 }
6956
7057 /**
71- * Deletes an auth agent and terminates its workflow. This will:
58+ * **Deprecated: Use DELETE /auth/connections/{id} instead.** Deletes an auth agent
59+ * and terminates its workflow. This will:
7260 *
7361 * - Soft delete the auth agent record
7462 * - Gracefully terminate the agent's Temporal workflow
7563 * - Cancel any in-progress invocations
7664 *
77- * @example
78- * ```ts
79- * await client.agents.auth.delete('id');
80- * ```
65+ * @deprecated
8166 */
8267 delete ( id : string , options ?: RequestOptions ) : APIPromise < void > {
8368 return this . _client . delete ( path `/agents/auth/${ id } , {
@@ -126,13 +111,12 @@ export interface AgentAuthInvocationResponse {
126111 | 'expired' ;
127112
128113 /**
129- * The invocation type:
114+ * The session type:
130115 *
131- * - login: First-time authentication
132- * - reauth: Re-authentication for previously authenticated agents
133- * - auto_login: Legacy type (no longer created, kept for backward compatibility)
116+ * - login: User-initiated authentication
117+ * - reauth: System-triggered re-authentication (via health check)
134118 */
135- type : 'login' | 'auto_login' | ' reauth';
119+ type : 'login' | 'reauth' ;
136120
137121 /**
138122 * Error message explaining why the invocation failed (present when status=FAILED)
@@ -188,9 +172,9 @@ export namespace AgentAuthInvocationResponse {
188172 label : string ;
189173
190174 /**
191- * The MFA delivery method type
175+ * The MFA delivery method type (includes password for auth method selection pages)
192176 */
193- type : 'sms' | 'call' | 'email' | 'totp' | 'push' | 'security_key ' ;
177+ type : 'sms' | 'call' | 'email' | 'totp' | 'push' | 'password ' ;
194178
195179 /**
196180 * Additional instructions from the site
@@ -263,6 +247,21 @@ export interface AuthAgent {
263247 * Additional domains that are valid for this auth agent's authentication flow
264248 * (besides the primary domain). Useful when login pages redirect to different
265249 * domains.
250+ *
251+ * The following SSO/OAuth provider domains are automatically allowed by default
252+ * and do not need to be specified:
253+ *
254+ * - Google: accounts.google.com
255+ * - Microsoft/Azure AD: login.microsoftonline.com, login.live.com
256+ * - Okta: _.okta.com, _.oktapreview.com
257+ * - Auth0: _.auth0.com, _.us.auth0.com, _.eu.auth0.com, _.au.auth0.com
258+ * - Apple: appleid.apple.com
259+ * - GitHub: github.com
260+ * - Facebook/Meta: www.facebook.com
261+ * - LinkedIn: www.linkedin.com
262+ * - Amazon Cognito: \*.amazoncognito.com
263+ * - OneLogin: \*.onelogin.com
264+ * - Ping Identity: _.pingone.com, _.pingidentity.com
266265 */
267266 allowed_domains ?: Array < string > ;
268267
@@ -273,14 +272,19 @@ export interface AuthAgent {
273272 can_reauth ?: boolean ;
274273
275274 /**
276- * ID of the linked credential for automatic re-authentication
275+ * Reference to credentials for managed auth. Use one of:
276+ *
277+ * - { name } for Kernel credentials
278+ * - { provider, path } for external provider item
279+ * - { provider, auto: true } for external provider domain lookup
277280 */
278- credential_id ?: string ;
281+ credential ?: AuthAgent . Credential ;
279282
280283 /**
281- * Name of the linked credential for automatic re-authentication
284+ * ID of the linked Kernel credential for automatic re-authentication (deprecated,
285+ * use credential)
282286 */
283- credential_name ?: string ;
287+ credential_id ?: string ;
284288
285289 /**
286290 * Whether this auth agent has stored selectors for deterministic re-authentication
@@ -299,6 +303,37 @@ export interface AuthAgent {
299303 post_login_url ?: string ;
300304}
301305
306+ export namespace AuthAgent {
307+ /**
308+ * Reference to credentials for managed auth. Use one of:
309+ *
310+ * - { name } for Kernel credentials
311+ * - { provider, path } for external provider item
312+ * - { provider, auto: true } for external provider domain lookup
313+ */
314+ export interface Credential {
315+ /**
316+ * If true, lookup by domain from the specified provider
317+ */
318+ auto ?: boolean ;
319+
320+ /**
321+ * Kernel credential name
322+ */
323+ name ?: string ;
324+
325+ /**
326+ * Provider-specific path (e.g., "VaultName/ItemName" for 1Password)
327+ */
328+ path ?: string ;
329+
330+ /**
331+ * External provider name (e.g., "my-1p")
332+ */
333+ provider ?: string ;
334+ }
335+ }
336+
302337/**
303338 * Request to create or find an auth agent
304339 */
@@ -317,6 +352,21 @@ export interface AuthAgentCreateRequest {
317352 * Additional domains that are valid for this auth agent's authentication flow
318353 * (besides the primary domain). Useful when login pages redirect to different
319354 * domains.
355+ *
356+ * The following SSO/OAuth provider domains are automatically allowed by default
357+ * and do not need to be specified:
358+ *
359+ * - Google: accounts.google.com
360+ * - Microsoft/Azure AD: login.microsoftonline.com, login.live.com
361+ * - Okta: _.okta.com, _.oktapreview.com
362+ * - Auth0: _.auth0.com, _.us.auth0.com, _.eu.auth0.com, _.au.auth0.com
363+ * - Apple: appleid.apple.com
364+ * - GitHub: github.com
365+ * - Facebook/Meta: www.facebook.com
366+ * - LinkedIn: www.linkedin.com
367+ * - Amazon Cognito: \*.amazoncognito.com
368+ * - OneLogin: \*.onelogin.com
369+ * - Ping Identity: _.pingone.com, _.pingidentity.com
320370 */
321371 allowed_domains ?: Array < string > ;
322372
@@ -393,13 +443,12 @@ export interface AuthAgentInvocationCreateResponse {
393443 invocation_id : string ;
394444
395445 /**
396- * The invocation type:
446+ * The session type:
397447 *
398- * - login: First-time authentication
399- * - reauth: Re-authentication for previously authenticated agents
400- * - auto_login: Legacy type (no longer created, kept for backward compatibility)
448+ * - login: User-initiated authentication
449+ * - reauth: System-triggered re-authentication (via health check)
401450 */
402- type : 'login' | 'auto_login' | ' reauth';
451+ type : 'login' | 'reauth' ;
403452}
404453
405454/**
@@ -426,6 +475,12 @@ export interface DiscoveredField {
426475 */
427476 type : 'text' | 'email' | 'password' | 'tel' | 'number' | 'url' | 'code' | 'totp' ;
428477
478+ /**
479+ * If this field is associated with an MFA option, the type of that option (e.g.,
480+ * password field linked to "Enter password" option)
481+ */
482+ linked_mfa_type ?: 'sms' | 'call' | 'email' | 'totp' | 'push' | 'password' | null ;
483+
429484 /**
430485 * Field placeholder
431486 */
@@ -452,6 +507,21 @@ export interface AuthCreateParams {
452507 * Additional domains that are valid for this auth agent's authentication flow
453508 * (besides the primary domain). Useful when login pages redirect to different
454509 * domains.
510+ *
511+ * The following SSO/OAuth provider domains are automatically allowed by default
512+ * and do not need to be specified:
513+ *
514+ * - Google: accounts.google.com
515+ * - Microsoft/Azure AD: login.microsoftonline.com, login.live.com
516+ * - Okta: _.okta.com, _.oktapreview.com
517+ * - Auth0: _.auth0.com, _.us.auth0.com, _.eu.auth0.com, _.au.auth0.com
518+ * - Apple: appleid.apple.com
519+ * - GitHub: github.com
520+ * - Facebook/Meta: www.facebook.com
521+ * - LinkedIn: www.linkedin.com
522+ * - Amazon Cognito: \*.amazoncognito.com
523+ * - OneLogin: \*.onelogin.com
524+ * - Ping Identity: _.pingone.com, _.pingidentity.com
455525 */
456526 allowed_domains ?: Array < string > ;
457527
![stainless-app[bot]](https://avatars.githubusercontent.com/in/378072?v=4&size=40){kind=avatar}
0 commit comments