feat: Enhance managed authentication with CUA support and new features

stainless-app[bot] · stainless-app[bot] · commit ece76c2f7d2a · 2026-03-20T19:33:12.000Z
diff --git a/.stats.yml b/.stats.yml
@@ -1,4 +1,4 @@
-configured_endpoints: 103
-openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/kernel%2Fkernel-17e50cf93d8052ff655c160fc0f156621d9029b041526d4e2e3317b13f80822f.yml
-openapi_spec_hash: f7dadc8d93e77983936eb18a8080ce15
-config_hash: cff4d43372b6fa66b64e2d4150f6aa76
+configured_endpoints: 104
+openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/kernel%2Fkernel-bb2ac8e0d3a1c08e8afcbcbad7cb733d0f84bd22a8d233c1ec3100a01ee078ae.yml
+openapi_spec_hash: a83f7d1c422c85d6dc6158af7afe1d09
+config_hash: 16e4457a0bb26e98a335a1c2a572290a
diff --git a/api.md b/api.md
@@ -245,6 +245,7 @@ from kernel.types.auth import (
     LoginResponse,
     ManagedAuth,
     ManagedAuthCreateRequest,
+    ManagedAuthUpdateRequest,
     SubmitFieldsRequest,
     SubmitFieldsResponse,
     ConnectionFollowResponse,
@@ -255,6 +256,7 @@ Methods:
 
 - <code title="post /auth/connections">client.auth.connections.<a href="./src/kernel/resources/auth/connections.py">create</a>(\*\*<a href="src/kernel/types/auth/connection_create_params.py">params</a>) -> <a href="./src/kernel/types/auth/managed_auth.py">ManagedAuth</a></code>
 - <code title="get /auth/connections/{id}">client.auth.connections.<a href="./src/kernel/resources/auth/connections.py">retrieve</a>(id) -> <a href="./src/kernel/types/auth/managed_auth.py">ManagedAuth</a></code>
+- <code title="patch /auth/connections/{id}">client.auth.connections.<a href="./src/kernel/resources/auth/connections.py">update</a>(id, \*\*<a href="src/kernel/types/auth/connection_update_params.py">params</a>) -> <a href="./src/kernel/types/auth/managed_auth.py">ManagedAuth</a></code>
 - <code title="get /auth/connections">client.auth.connections.<a href="./src/kernel/resources/auth/connections.py">list</a>(\*\*<a href="src/kernel/types/auth/connection_list_params.py">params</a>) -> <a href="./src/kernel/types/auth/managed_auth.py">SyncOffsetPagination[ManagedAuth]</a></code>
 - <code title="delete /auth/connections/{id}">client.auth.connections.<a href="./src/kernel/resources/auth/connections.py">delete</a>(id) -> None</code>
 - <code title="get /auth/connections/{id}/events">client.auth.connections.<a href="./src/kernel/resources/auth/connections.py">follow</a>(id) -> <a href="./src/kernel/types/auth/connection_follow_response.py">ConnectionFollowResponse</a></code>
diff --git a/src/kernel/resources/auth/connections.py b/src/kernel/resources/auth/connections.py
@@ -23,6 +23,7 @@
     connection_login_params,
     connection_create_params,
     connection_submit_params,
+    connection_update_params,
 )
 from ..._base_client import AsyncPaginator, make_request_options
 from ...types.auth.managed_auth import ManagedAuth
@@ -186,6 +187,76 @@ def retrieve(
             cast_to=ManagedAuth,
         )
 
+    def update(
+        self,
+        id: str,
+        *,
+        allowed_domains: SequenceNotStr[str] | Omit = omit,
+        credential: connection_update_params.Credential | Omit = omit,
+        health_check_interval: int | Omit = omit,
+        login_url: str | Omit = omit,
+        proxy: connection_update_params.Proxy | Omit = omit,
+        save_credentials: bool | Omit = omit,
+        # Use the following arguments if you need to pass additional parameters to the API that aren't available via kwargs.
+        # The extra values given here take precedence over values defined on the client or passed to this method.
+        extra_headers: Headers | None = None,
+        extra_query: Query | None = None,
+        extra_body: Body | None = None,
+        timeout: float | httpx.Timeout | None | NotGiven = not_given,
+    ) -> ManagedAuth:
+        """Update an auth connection's configuration.
+
+        Only the fields provided will be
+        updated.
+
+        Args:
+          allowed_domains: Additional domains valid for this auth flow (replaces existing list)
+
+          credential:
+              Reference to credentials for the auth connection. Use one of:
+
+              - { name } for Kernel credentials
+              - { provider, path } for external provider item
+              - { provider, auto: true } for external provider domain lookup
+
+          health_check_interval: Interval in seconds between automatic health checks
+
+          login_url: Login page URL. Set to empty string to clear.
+
+          proxy: Proxy selection. Provide either id or name. The proxy must belong to the
+              caller's org.
+
+          save_credentials: Whether to save credentials after every successful login
+
+          extra_headers: Send extra headers
+
+          extra_query: Add additional query parameters to the request
+
+          extra_body: Add additional JSON properties to the request
+
+          timeout: Override the client-level default timeout for this request, in seconds
+        """
+        if not id:
+            raise ValueError(f"Expected a non-empty value for `id` but received {id!r}")
+        return self._patch(
+            path_template("/auth/connections/{id}", id=id),
+            body=maybe_transform(
+                {
+                    "allowed_domains": allowed_domains,
+                    "credential": credential,
+                    "health_check_interval": health_check_interval,
+                    "login_url": login_url,
+                    "proxy": proxy,
+                    "save_credentials": save_credentials,
+                },
+                connection_update_params.ConnectionUpdateParams,
+            ),
+            options=make_request_options(
+                extra_headers=extra_headers, extra_query=extra_query, extra_body=extra_body, timeout=timeout
+            ),
+            cast_to=ManagedAuth,
+        )
+
     def list(
         self,
         *,
@@ -367,7 +438,9 @@ def submit(
         *,
         fields: Dict[str, str] | Omit = omit,
         mfa_option_id: str | Omit = omit,
+        sign_in_option_id: str | Omit = omit,
         sso_button_selector: str | Omit = omit,
+        sso_provider: str | Omit = omit,
         # Use the following arguments if you need to pass additional parameters to the API that aren't available via kwargs.
         # The extra values given here take precedence over values defined on the client or passed to this method.
         extra_headers: Headers | None = None,
@@ -383,9 +456,15 @@ def submit(
         Args:
           fields: Map of field name to value
 
-          mfa_option_id: Optional MFA option ID if user selected an MFA method
+          mfa_option_id: The MFA method type to select (when mfa_options were returned)
+
+          sign_in_option_id: The sign-in option ID to select (when sign_in_options were returned)
 
-          sso_button_selector: Optional XPath selector if user chose to click an SSO button instead
+          sso_button_selector: XPath selector for the SSO button to click (ODA). Use sso_provider instead for
+              CUA.
+
+          sso_provider: SSO provider to click, matching the provider field from pending_sso_buttons
+              (e.g., "google", "github"). Cannot be used with sso_button_selector.
 
           extra_headers: Send extra headers
 
@@ -403,7 +482,9 @@ def submit(
                 {
                     "fields": fields,
                     "mfa_option_id": mfa_option_id,
+                    "sign_in_option_id": sign_in_option_id,
                     "sso_button_selector": sso_button_selector,
+                    "sso_provider": sso_provider,
                 },
                 connection_submit_params.ConnectionSubmitParams,
             ),
@@ -567,6 +648,76 @@ async def retrieve(
             cast_to=ManagedAuth,
         )
 
+    async def update(
+        self,
+        id: str,
+        *,
+        allowed_domains: SequenceNotStr[str] | Omit = omit,
+        credential: connection_update_params.Credential | Omit = omit,
+        health_check_interval: int | Omit = omit,
+        login_url: str | Omit = omit,
+        proxy: connection_update_params.Proxy | Omit = omit,
+        save_credentials: bool | Omit = omit,
+        # Use the following arguments if you need to pass additional parameters to the API that aren't available via kwargs.
+        # The extra values given here take precedence over values defined on the client or passed to this method.
+        extra_headers: Headers | None = None,
+        extra_query: Query | None = None,
+        extra_body: Body | None = None,
+        timeout: float | httpx.Timeout | None | NotGiven = not_given,
+    ) -> ManagedAuth:
+        """Update an auth connection's configuration.
+
+        Only the fields provided will be
+        updated.
+
+        Args:
+          allowed_domains: Additional domains valid for this auth flow (replaces existing list)
+
+          credential:
+              Reference to credentials for the auth connection. Use one of:
+
+              - { name } for Kernel credentials
+              - { provider, path } for external provider item
+              - { provider, auto: true } for external provider domain lookup
+
+          health_check_interval: Interval in seconds between automatic health checks
+
+          login_url: Login page URL. Set to empty string to clear.
+
+          proxy: Proxy selection. Provide either id or name. The proxy must belong to the
+              caller's org.
+
+          save_credentials: Whether to save credentials after every successful login
+
+          extra_headers: Send extra headers
+
+          extra_query: Add additional query parameters to the request
+
+          extra_body: Add additional JSON properties to the request
+
+          timeout: Override the client-level default timeout for this request, in seconds
+        """
+        if not id:
+            raise ValueError(f"Expected a non-empty value for `id` but received {id!r}")
+        return await self._patch(
+            path_template("/auth/connections/{id}", id=id),
+            body=await async_maybe_transform(
+                {
+                    "allowed_domains": allowed_domains,
+                    "credential": credential,
+                    "health_check_interval": health_check_interval,
+                    "login_url": login_url,
+                    "proxy": proxy,
+                    "save_credentials": save_credentials,
+                },
+                connection_update_params.ConnectionUpdateParams,
+            ),
+            options=make_request_options(
+                extra_headers=extra_headers, extra_query=extra_query, extra_body=extra_body, timeout=timeout
+            ),
+            cast_to=ManagedAuth,
+        )
+
     def list(
         self,
         *,
@@ -748,7 +899,9 @@ async def submit(
         *,
         fields: Dict[str, str] | Omit = omit,
         mfa_option_id: str | Omit = omit,
+        sign_in_option_id: str | Omit = omit,
         sso_button_selector: str | Omit = omit,
+        sso_provider: str | Omit = omit,
         # Use the following arguments if you need to pass additional parameters to the API that aren't available via kwargs.
         # The extra values given here take precedence over values defined on the client or passed to this method.
         extra_headers: Headers | None = None,
@@ -764,9 +917,15 @@ async def submit(
         Args:
           fields: Map of field name to value
 
-          mfa_option_id: Optional MFA option ID if user selected an MFA method
+          mfa_option_id: The MFA method type to select (when mfa_options were returned)
+
+          sign_in_option_id: The sign-in option ID to select (when sign_in_options were returned)
 
-          sso_button_selector: Optional XPath selector if user chose to click an SSO button instead
+          sso_button_selector: XPath selector for the SSO button to click (ODA). Use sso_provider instead for
+              CUA.
+
+          sso_provider: SSO provider to click, matching the provider field from pending_sso_buttons
+              (e.g., "google", "github"). Cannot be used with sso_button_selector.
 
           extra_headers: Send extra headers
 
@@ -784,7 +943,9 @@ async def submit(
                 {
                     "fields": fields,
                     "mfa_option_id": mfa_option_id,
+                    "sign_in_option_id": sign_in_option_id,
                     "sso_button_selector": sso_button_selector,
+                    "sso_provider": sso_provider,
                 },
                 connection_submit_params.ConnectionSubmitParams,
             ),
@@ -805,6 +966,9 @@ def __init__(self, connections: ConnectionsResource) -> None:
         self.retrieve = to_raw_response_wrapper(
             connections.retrieve,
         )
+        self.update = to_raw_response_wrapper(
+            connections.update,
+        )
         self.list = to_raw_response_wrapper(
             connections.list,
         )
@@ -832,6 +996,9 @@ def __init__(self, connections: AsyncConnectionsResource) -> None:
         self.retrieve = async_to_raw_response_wrapper(
             connections.retrieve,
         )
+        self.update = async_to_raw_response_wrapper(
+            connections.update,
+        )
         self.list = async_to_raw_response_wrapper(
             connections.list,
         )
@@ -859,6 +1026,9 @@ def __init__(self, connections: ConnectionsResource) -> None:
         self.retrieve = to_streamed_response_wrapper(
             connections.retrieve,
         )
+        self.update = to_streamed_response_wrapper(
+            connections.update,
+        )
         self.list = to_streamed_response_wrapper(
             connections.list,
         )
@@ -886,6 +1056,9 @@ def __init__(self, connections: AsyncConnectionsResource) -> None:
         self.retrieve = async_to_streamed_response_wrapper(
             connections.retrieve,
         )
+        self.update = async_to_streamed_response_wrapper(
+            connections.update,
+        )
         self.list = async_to_streamed_response_wrapper(
             connections.list,
         )
diff --git a/src/kernel/types/auth/__init__.py b/src/kernel/types/auth/__init__.py
@@ -9,4 +9,5 @@
 from .connection_login_params import ConnectionLoginParams as ConnectionLoginParams
 from .connection_create_params import ConnectionCreateParams as ConnectionCreateParams
 from .connection_submit_params import ConnectionSubmitParams as ConnectionSubmitParams
+from .connection_update_params import ConnectionUpdateParams as ConnectionUpdateParams
 from .connection_follow_response import ConnectionFollowResponse as ConnectionFollowResponse
diff --git a/src/kernel/types/auth/connection_follow_response.py b/src/kernel/types/auth/connection_follow_response.py
@@ -15,6 +15,7 @@
     "ManagedAuthStateEventDiscoveredField",
     "ManagedAuthStateEventMfaOption",
     "ManagedAuthStateEventPendingSSOButton",
+    "ManagedAuthStateEventSignInOption",
 ]
 
 
@@ -77,6 +78,22 @@ class ManagedAuthStateEventPendingSSOButton(BaseModel):
     """XPath selector for the button"""
 
 
+class ManagedAuthStateEventSignInOption(BaseModel):
+    """A non-MFA choice presented during the auth flow (e.g.
+
+    account selection, org picker)
+    """
+
+    id: str
+    """Unique identifier for this option (used to submit selection back)"""
+
+    label: str
+    """Display text for the option"""
+
+    description: Optional[str] = None
+    """Additional context such as email address or org name"""
+
+
 class ManagedAuthStateEvent(BaseModel):
     """An event representing the current state of a managed auth flow."""
 
@@ -128,6 +145,12 @@ class ManagedAuthStateEvent(BaseModel):
     post_login_url: Optional[str] = None
     """URL where the browser landed after successful login."""
 
+    sign_in_options: Optional[List[ManagedAuthStateEventSignInOption]] = None
+    """
+    Non-MFA choices presented during the auth flow, such as account selection or org
+    pickers (present when flow_step=AWAITING_INPUT).
+    """
+
     website_error: Optional[str] = None
     """Visible error message from the website (e.g., 'Incorrect password').
 
diff --git a/src/kernel/types/auth/connection_submit_params.py b/src/kernel/types/auth/connection_submit_params.py
@@ -13,7 +13,19 @@ class ConnectionSubmitParams(TypedDict, total=False):
     """Map of field name to value"""
 
     mfa_option_id: str
-    """Optional MFA option ID if user selected an MFA method"""
+    """The MFA method type to select (when mfa_options were returned)"""
+
+    sign_in_option_id: str
+    """The sign-in option ID to select (when sign_in_options were returned)"""
 
     sso_button_selector: str
-    """Optional XPath selector if user chose to click an SSO button instead"""
+    """XPath selector for the SSO button to click (ODA).
+
+    Use sso_provider instead for CUA.
+    """
+
+    sso_provider: str
+    """
+    SSO provider to click, matching the provider field from pending_sso_buttons
+    (e.g., "google", "github"). Cannot be used with sso_button_selector.
+    """
diff --git a/src/kernel/types/auth/connection_update_params.py b/src/kernel/types/auth/connection_update_params.py
diff --git a/src/kernel/types/auth/managed_auth.py b/src/kernel/types/auth/managed_auth.py
diff --git a/tests/api_resources/auth/test_connections.py b/tests/api_resources/auth/test_connections.py
