stytchauth · etaylormcgregor-stytch · Feb 14, 2025 · Feb 14, 2025 · Feb 14, 2025 · Feb 14, 2025
@@ -274,14 +274,14 @@ public interface Sessions {
     /**
      * Get the JSON Web Key Set (JWKS) for a project.
      *
-     * JWKS are rotated every ~6 months. Upon rotation, new JWTs will be signed using the new key set, and both key sets will
-     * be returned by this endpoint for a period of 1 month.
+     * JWKS are rotated every ~6 months. Upon rotation, new JWTs will be signed using the new key, and both keys will be
+     * returned by this endpoint for a period of 1 month.
      *
      * JWTs have a set lifetime of 5 minutes, so there will be a 5 minute period where some JWTs will be signed by the old
      * JWKS, and some JWTs will be signed by the new JWKS. The correct JWKS to use for validation is determined by matching
      * the `kid` value of the JWT and JWKS.
      *
-     * If you're using one of our [backend SDKs](https://stytch.com/docs/b2b/sdks), the JWKS roll will be handled for you.
+     * If you're using one of our [backend SDKs](https://stytch.com/docs/b2b/sdks), the JWKS rotation will be handled for you.
      *
      * If you're using your own JWT validation library, many have built-in support for JWKS rotation, and you'll just need to
      * supply this API endpoint. If not, your application should decide which JWKS to use for validation by inspecting the
@@ -295,14 +295,14 @@ public interface Sessions {
     /**
      * Get the JSON Web Key Set (JWKS) for a project.
      *
-     * JWKS are rotated every ~6 months. Upon rotation, new JWTs will be signed using the new key set, and both key sets will
-     * be returned by this endpoint for a period of 1 month.
+     * JWKS are rotated every ~6 months. Upon rotation, new JWTs will be signed using the new key, and both keys will be
+     * returned by this endpoint for a period of 1 month.
      *
      * JWTs have a set lifetime of 5 minutes, so there will be a 5 minute period where some JWTs will be signed by the old
      * JWKS, and some JWTs will be signed by the new JWKS. The correct JWKS to use for validation is determined by matching
      * the `kid` value of the JWT and JWKS.
      *
-     * If you're using one of our [backend SDKs](https://stytch.com/docs/b2b/sdks), the JWKS roll will be handled for you.
+     * If you're using one of our [backend SDKs](https://stytch.com/docs/b2b/sdks), the JWKS rotation will be handled for you.
      *
      * If you're using your own JWT validation library, many have built-in support for JWKS rotation, and you'll just need to
      * supply this API endpoint. If not, your application should decide which JWKS to use for validation by inspecting the
@@ -319,14 +319,14 @@ public interface Sessions {
     /**
      * Get the JSON Web Key Set (JWKS) for a project.
      *
-     * JWKS are rotated every ~6 months. Upon rotation, new JWTs will be signed using the new key set, and both key sets will
-     * be returned by this endpoint for a period of 1 month.
+     * JWKS are rotated every ~6 months. Upon rotation, new JWTs will be signed using the new key, and both keys will be
+     * returned by this endpoint for a period of 1 month.
      *
      * JWTs have a set lifetime of 5 minutes, so there will be a 5 minute period where some JWTs will be signed by the old
      * JWKS, and some JWTs will be signed by the new JWKS. The correct JWKS to use for validation is determined by matching
      * the `kid` value of the JWT and JWKS.
      *
-     * If you're using one of our [backend SDKs](https://stytch.com/docs/b2b/sdks), the JWKS roll will be handled for you.
+     * If you're using one of our [backend SDKs](https://stytch.com/docs/b2b/sdks), the JWKS rotation will be handled for you.
      *
      * If you're using your own JWT validation library, many have built-in support for JWKS rotation, and you'll just need to
      * supply this API endpoint. If not, your application should decide which JWKS to use for validation by inspecting the

@@ -23,6 +23,8 @@ public data class Policy
          */
         @Json(name = "resources")
         val resources: List<PolicyResource>,
+        @Json(name = "scopes")
+        val scopes: List<PolicyScope>,
     )
 
 @JsonClass(generateAdapter = true)
@@ -161,6 +163,28 @@ public data class PolicyRolePermission
         val actions: List<String>,
     )
 
+@JsonClass(generateAdapter = true)
+public data class PolicyScope
+    @JvmOverloads
+    constructor(
+        @Json(name = "scope")
+        val scope: String,
+        @Json(name = "description")
+        val description: String,
+        @Json(name = "permissions")
+        val permissions: List<PolicyScopePermission>,
+    )
+
+@JsonClass(generateAdapter = true)
+public data class PolicyScopePermission
+    @JvmOverloads
+    constructor(
+        @Json(name = "resource_id")
+        val resourceId: String,
+        @Json(name = "actions")
+        val actions: List<String>,
+    )
+
 /**
 * Request type for `RBAC.policy`.
 */

@@ -450,7 +450,7 @@ public data class GetJWKSResponse
     @JvmOverloads
     constructor(
         /**
-         * The JWK
+         * The list of JWKs associated with the project.
          */
         @Json(name = "keys")
         val keys: List<JWK>,

@@ -1,3 +1,3 @@
 package com.stytch.java.common
 
-internal const val VERSION = "7.4.0"
+internal const val VERSION = "7.5.0"
@@ -13,6 +13,8 @@ import com.stytch.java.consumer.api.cryptowallets.CryptoWallets
 import com.stytch.java.consumer.api.cryptowallets.CryptoWalletsImpl
 import com.stytch.java.consumer.api.fraud.Fraud
 import com.stytch.java.consumer.api.fraud.FraudImpl
+import com.stytch.java.consumer.api.impersonation.Impersonation
+import com.stytch.java.consumer.api.impersonation.ImpersonationImpl
 import com.stytch.java.consumer.api.m2m.M2M
 import com.stytch.java.consumer.api.m2m.M2MImpl
 import com.stytch.java.consumer.api.magiclinks.MagicLinks
@@ -69,6 +71,9 @@ public class StytchClient
         @JvmField
         public val fraud: Fraud = FraudImpl(fraudHttpClient, coroutineScope)
 
+        @JvmField
+        public val impersonation: Impersonation = ImpersonationImpl(httpClient, coroutineScope)
+
         @JvmField
         public val m2m: M2M = M2MImpl(httpClient, coroutineScope, httpsJwks, jwtOptions)
 

@@ -0,0 +1,79 @@
+package com.stytch.java.consumer.api.impersonation
+
+// !!!
+// WARNING: This file is autogenerated
+// Only modify code within MANUAL() sections
+// or your changes may be overwritten later!
+// !!!
+
+import com.squareup.moshi.Moshi
+import com.stytch.java.common.InstantAdapter
+import com.stytch.java.common.StytchResult
+import com.stytch.java.consumer.models.impersonation.AuthenticateRequest
+import com.stytch.java.consumer.models.impersonation.AuthenticateResponse
+import com.stytch.java.http.HttpClient
+import kotlinx.coroutines.CoroutineScope
+import kotlinx.coroutines.Dispatchers
+import kotlinx.coroutines.async
+import kotlinx.coroutines.future.asCompletableFuture
+import kotlinx.coroutines.launch
+import kotlinx.coroutines.withContext
+import java.util.concurrent.CompletableFuture
+
+public interface Impersonation {
+    /**
+     * Authenticate an impersonation token to impersonate a User. This endpoint requires an impersonation token that is not
+     * expired or previously used.
+     * A Stytch session will be created for the impersonated user with a 60 minute duration. Impersonated sessions cannot be
+     * extended.
+     */
+    public suspend fun authenticate(data: AuthenticateRequest): StytchResult<AuthenticateResponse>
+
+    /**
+     * Authenticate an impersonation token to impersonate a User. This endpoint requires an impersonation token that is not
+     * expired or previously used.
+     * A Stytch session will be created for the impersonated user with a 60 minute duration. Impersonated sessions cannot be
+     * extended.
+     */
+    public fun authenticate(
+        data: AuthenticateRequest,
+        callback: (StytchResult<AuthenticateResponse>) -> Unit,
+    )
+
+    /**
+     * Authenticate an impersonation token to impersonate a User. This endpoint requires an impersonation token that is not
+     * expired or previously used.
+     * A Stytch session will be created for the impersonated user with a 60 minute duration. Impersonated sessions cannot be
+     * extended.
+     */
+    public fun authenticateCompletable(data: AuthenticateRequest): CompletableFuture<StytchResult<AuthenticateResponse>>
+}
+
+internal class ImpersonationImpl(
+    private val httpClient: HttpClient,
+    private val coroutineScope: CoroutineScope,
+) : Impersonation {
+    private val moshi = Moshi.Builder().add(InstantAdapter()).build()
+
+    override suspend fun authenticate(data: AuthenticateRequest): StytchResult<AuthenticateResponse> =
+        withContext(Dispatchers.IO) {
+            var headers = emptyMap<String, String>()
+
+            val asJson = moshi.adapter(AuthenticateRequest::class.java).toJson(data)
+            httpClient.post("/v1/impersonation/authenticate", asJson, headers)
+        }
+
+    override fun authenticate(
+        data: AuthenticateRequest,
+        callback: (StytchResult<AuthenticateResponse>) -> Unit,
+    ) {
+        coroutineScope.launch {
+            callback(authenticate(data))
+        }
+    }
+
+    override fun authenticateCompletable(data: AuthenticateRequest): CompletableFuture<StytchResult<AuthenticateResponse>> =
+        coroutineScope.async {
+            authenticate(data)
+        }.asCompletableFuture()
+}
@@ -161,14 +161,14 @@ public interface Sessions {
     /**
      * Get the JSON Web Key Set (JWKS) for a project.
      *
-     * JWKS are rotated every ~6 months. Upon rotation, new JWTs will be signed using the new key set, and both key sets will
-     * be returned by this endpoint for a period of 1 month.
+     * JWKS are rotated every ~6 months. Upon rotation, new JWTs will be signed using the new key, and both keys will be
+     * returned by this endpoint for a period of 1 month.
      *
      * JWTs have a set lifetime of 5 minutes, so there will be a 5 minute period where some JWTs will be signed by the old
      * JWKS, and some JWTs will be signed by the new JWKS. The correct JWKS to use for validation is determined by matching
      * the `kid` value of the JWT and JWKS.
      *
-     * If you're using one of our [backend SDKs](https://stytch.com/docs/sdks), the JWKS roll will be handled for you.
+     * If you're using one of our [backend SDKs](https://stytch.com/docs/sdks), the JWKS rotation will be handled for you.
      *
      * If you're using your own JWT validation library, many have built-in support for JWKS rotation, and you'll just need to
      * supply this API endpoint. If not, your application should decide which JWKS to use for validation by inspecting the
@@ -181,14 +181,14 @@ public interface Sessions {
     /**
      * Get the JSON Web Key Set (JWKS) for a project.
      *
-     * JWKS are rotated every ~6 months. Upon rotation, new JWTs will be signed using the new key set, and both key sets will
-     * be returned by this endpoint for a period of 1 month.
+     * JWKS are rotated every ~6 months. Upon rotation, new JWTs will be signed using the new key, and both keys will be
+     * returned by this endpoint for a period of 1 month.
      *
      * JWTs have a set lifetime of 5 minutes, so there will be a 5 minute period where some JWTs will be signed by the old
      * JWKS, and some JWTs will be signed by the new JWKS. The correct JWKS to use for validation is determined by matching
      * the `kid` value of the JWT and JWKS.
      *
-     * If you're using one of our [backend SDKs](https://stytch.com/docs/sdks), the JWKS roll will be handled for you.
+     * If you're using one of our [backend SDKs](https://stytch.com/docs/sdks), the JWKS rotation will be handled for you.
      *
      * If you're using your own JWT validation library, many have built-in support for JWKS rotation, and you'll just need to
      * supply this API endpoint. If not, your application should decide which JWKS to use for validation by inspecting the
@@ -204,14 +204,14 @@ public interface Sessions {
     /**
      * Get the JSON Web Key Set (JWKS) for a project.
      *
-     * JWKS are rotated every ~6 months. Upon rotation, new JWTs will be signed using the new key set, and both key sets will
-     * be returned by this endpoint for a period of 1 month.
+     * JWKS are rotated every ~6 months. Upon rotation, new JWTs will be signed using the new key, and both keys will be
+     * returned by this endpoint for a period of 1 month.
      *
      * JWTs have a set lifetime of 5 minutes, so there will be a 5 minute period where some JWTs will be signed by the old
      * JWKS, and some JWTs will be signed by the new JWKS. The correct JWKS to use for validation is determined by matching
      * the `kid` value of the JWT and JWKS.
      *
-     * If you're using one of our [backend SDKs](https://stytch.com/docs/sdks), the JWKS roll will be handled for you.
+     * If you're using one of our [backend SDKs](https://stytch.com/docs/sdks), the JWKS rotation will be handled for you.
      *
      * If you're using your own JWT validation library, many have built-in support for JWKS rotation, and you'll just need to
      * supply this API endpoint. If not, your application should decide which JWKS to use for validation by inspecting the

@@ -0,0 +1,77 @@
+package com.stytch.java.consumer.models.impersonation
+
+// !!!
+// WARNING: This file is autogenerated
+// Only modify code within MANUAL() sections
+// or your changes may be overwritten later!
+// !!!
+
+import com.squareup.moshi.Json
+import com.squareup.moshi.JsonClass
+import com.stytch.java.consumer.models.sessions.Session
+import com.stytch.java.consumer.models.users.User
+
+/**
+* Request type for `Impersonation.authenticate`.
+*/
+@JsonClass(generateAdapter = true)
+public data class AuthenticateRequest
+    @JvmOverloads
+    constructor(
+        /**
+         * The User Impersonation token to authenticate.
+         */
+        @Json(name = "impersonation_token")
+        val impersonationToken: String,
+    )
+
+/**
+* Response type for `Impersonation.authenticate`.
+*/
+@JsonClass(generateAdapter = true)
+public data class AuthenticateResponse
+    @JvmOverloads
+    constructor(
+        /**
+         * Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we
+         * may ask for this value to help identify a specific API call when helping you debug an issue.
+         */
+        @Json(name = "request_id")
+        val requestId: String,
+        /**
+         * The unique ID of the affected User.
+         */
+        @Json(name = "user_id")
+        val userId: String,
+        /**
+         * The `user` object affected by this API call. See the [Get user endpoint](https://stytch.com/docs/api/get-user) for
+         * complete response field details.
+         */
+        @Json(name = "user")
+        val user: User,
+        /**
+         * A secret token for a given Stytch Session.
+         */
+        @Json(name = "session_token")
+        val sessionToken: String,
+        /**
+         * The JSON Web Token (JWT) for a given Stytch Session.
+         */
+        @Json(name = "session_jwt")
+        val sessionJwt: String,
+        /**
+         * The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values
+         * equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
+         */
+        @Json(name = "status_code")
+        val statusCode: Int,
+        /**
+         * If you initiate a Session, by including `session_duration_minutes` in your authenticate call, you'll receive a full
+         * Session object in the response.
+         *
+         *   See [GET sessions](https://stytch.com/docs/api/session-get) for complete response fields.
+         *
+         */
+        @Json(name = "session")
+        val session: Session? = null,
+    )
@@ -995,7 +995,7 @@ public data class GetJWKSResponse
     @JvmOverloads
     constructor(
         /**
-         * The JWK
+         * The list of JWKs associated with the project.
          */
         @Json(name = "keys")
         val keys: List<JWK>,

@@ -6,6 +6,7 @@ import com.stytch.java.b2b.models.rbac.PolicyResource
 import com.stytch.java.b2b.models.rbac.PolicyResponse
 import com.stytch.java.b2b.models.rbac.PolicyRole
 import com.stytch.java.b2b.models.rbac.PolicyRolePermission
+import com.stytch.java.b2b.models.rbac.PolicyScope
 import com.stytch.java.b2b.models.sessions.AuthorizationCheck
 import io.mockk.every
 import io.mockk.mockk
@@ -86,6 +87,20 @@ private val policy =
                         ),
                 ),
             ),
+        scopes =
+            listOf(
+                PolicyScope(
+                    scopeId = "global",
+                    description = "Global scope",
+                    roles =
+                        listOf(
+                            PolicyRolePermission(
+                                resourceId = "bar",
+                                actions = listOf("read", "write"),
+                            ),
+                        ),
+                ),
+            ),
     )
 
 internal class PolicyCacheTest {

@@ -1 +1 @@
-version = "7.4.0"
+version = "7.5.0"