Class: WorkOS::UserManagement

Inherits:

Object

• Object
• WorkOS::UserManagement

Defined in:

lib/workos/user_management.rb

Defined Under Namespace

Classes: PasswordHashed, PasswordPlaintext

Instance Attribute Summary

• #password ⇒ String readonly
• #password_hash ⇒ String readonly
• #password_hash_type ⇒ WorkOS::Types::CreateUserPasswordHashType readonly

Instance Method Summary

• #accept_invitation(id:, request_options: {}) ⇒ WorkOS::Invitation

  Accept an invitation.

• #authenticate_with_code(code:, code_verifier: nil, invitation_token: nil, ip_address: nil, device_id: nil, user_agent: nil, request_options: {}) ⇒ WorkOS::AuthenticateResponse

  Authenticate with code.

• #authenticate_with_code_pkce(code:, code_verifier:, client_id: nil, ip_address: nil, user_agent: nil, request_options: {}) ⇒ Object

  H11 — Exchange a code for tokens with PKCE support (public client; no secret).

• #authenticate_with_device_code(device_code:, ip_address: nil, device_id: nil, user_agent: nil, request_options: {}) ⇒ WorkOS::AuthenticateResponse

  Authenticate with device code.

• #authenticate_with_email_verification(code:, pending_authentication_token:, ip_address: nil, device_id: nil, user_agent: nil, request_options: {}) ⇒ WorkOS::AuthenticateResponse

  Authenticate with email verification.

• #authenticate_with_magic_auth(code:, email:, invitation_token: nil, ip_address: nil, device_id: nil, user_agent: nil, request_options: {}) ⇒ WorkOS::AuthenticateResponse

  Authenticate with magic auth.

• #authenticate_with_organization_selection(pending_authentication_token:, organization_id:, ip_address: nil, device_id: nil, user_agent: nil, request_options: {}) ⇒ WorkOS::AuthenticateResponse

  Authenticate with organization selection.

• #authenticate_with_password(email:, password:, invitation_token: nil, ip_address: nil, device_id: nil, user_agent: nil, request_options: {}) ⇒ WorkOS::AuthenticateResponse

  Authenticate with password.

• #authenticate_with_refresh_token(refresh_token:, organization_id: nil, ip_address: nil, device_id: nil, user_agent: nil, request_options: {}) ⇒ WorkOS::AuthenticateResponse

  Authenticate with refresh token.

• #authenticate_with_totp(code:, pending_authentication_token:, authentication_challenge_id:, ip_address: nil, device_id: nil, user_agent: nil, request_options: {}) ⇒ WorkOS::AuthenticateResponse

  Authenticate with totp.

• #authorize_device(client_id: nil, request_options: {}) ⇒ WorkOS::DeviceAuthorizationResponse

  H12 — Initiate the OAuth 2.0 device authorization flow.

• #confirm_email_change(id:, code:, request_options: {}) ⇒ WorkOS::EmailChangeConfirmation

  Confirm email change.

• #confirm_password_reset(token:, new_password:, request_options: {}) ⇒ WorkOS::ResetPasswordResponse

  Reset the password.

• #create_authenticate(client_id:, grant_type:, client_secret: nil, code: nil, code_verifier: nil, invitation_token: nil, ip_address: nil, device_id: nil, user_agent: nil, email: nil, password: nil, refresh_token: nil, organization_id: nil, pending_authentication_token: nil, authentication_challenge_id: nil, device_code: nil, request_options: {}) ⇒ WorkOS::AuthenticateResponse

  Authenticate.

• #create_cors_origin(origin:, request_options: {}) ⇒ WorkOS::CORSOriginResponse

  Create a CORS origin.

• #create_device(client_id:, request_options: {}) ⇒ WorkOS::DeviceAuthorizationResponse

  Get device authorization URL.

• #create_magic_auth(email:, invitation_token: nil, request_options: {}) ⇒ WorkOS::MagicAuth

  Create a Magic Auth code.

• #create_redirect_uri(uri:, request_options: {}) ⇒ WorkOS::RedirectUri

  Create a redirect URI.

• #create_user(email:, first_name: nil, last_name: nil, email_verified: nil, metadata: nil, external_id: nil, password: nil, request_options: {}) ⇒ WorkOS::User

  Create a user.

• #create_user_api_key(user_id:, name:, organization_id:, permissions: nil, expires_at: nil, request_options: {}) ⇒ WorkOS::UserApiKeyWithValue

  Create an API key for a user.

• #delete_user(id:, request_options: {}) ⇒ void

  Delete a user.

• #delete_user_authorized_application(application_id:, user_id:, request_options: {}) ⇒ void

  Delete an authorized application.

• #find_invitation_by_token(token:, request_options: {}) ⇒ WorkOS::UserInvite

  Find an invitation by token.

• #get_authorization_url(redirect_uri:, client_id: nil, provider: nil, connection_id: nil, organization_id: nil, domain_hint: nil, login_hint: nil, state: nil, screen_hint: nil, code_challenge: nil, code_challenge_method: nil, prompt: nil) ⇒ Object

  H09 — Build an AuthKit authorization URL (client-side, no HTTP call).

• #get_authorization_url_with_pkce(redirect_uri:, client_id: nil, **opts) ⇒ Object

  H10 — AuthKit authorization URL with auto-generated PKCE + state.

• #get_email_verification(id:, request_options: {}) ⇒ WorkOS::EmailVerification

  Get an email verification code.

• #get_invitation(id:, request_options: {}) ⇒ WorkOS::UserInvite

  Get an invitation.

• #get_jwks(client_id:, request_options: {}) ⇒ WorkOS::JwksResponse

  Get JWKS.

• #get_jwks_url(client_id: nil) ⇒ Object

  @oagen-ignore-start — non-spec helpers (hand-maintained) H13 — Build the JWKS URL for a given client_id (no HTTP call).

• #get_logout_url(session_id:, return_to: nil) ⇒ String

  Build the AuthKit logout redirect URL (client-side, no HTTP call).

• #get_magic_auth(id:, request_options: {}) ⇒ WorkOS::MagicAuth

  Get Magic Auth code details.

• #get_password_reset(id:, request_options: {}) ⇒ WorkOS::PasswordReset

  Get a password reset token.

• #get_user(id:, request_options: {}) ⇒ WorkOS::User

  Get a user.

• #get_user_by_external_id(external_id:, request_options: {}) ⇒ WorkOS::User

  Get a user by external ID.

• #get_user_identities(id:, request_options: {}) ⇒ Array<WorkOS::UserIdentitiesGetItem>

  Get user identities.

• #initialize(client) ⇒ UserManagement constructor

  A new instance of UserManagement.

• #list_invitations(before: nil, after: nil, limit: 10, order: "desc", organization_id: nil, email: nil, request_options: {}) ⇒ WorkOS::Types::ListStruct<WorkOS::UserInvite>

  List invitations.

• #list_jwt_template(request_options: {}) ⇒ WorkOS::JWTTemplateResponse

  Get JWT template.

• #list_sessions(id:, before: nil, after: nil, limit: 10, order: "desc", request_options: {}) ⇒ WorkOS::Types::ListStruct<WorkOS::UserSessionsListItem>

  List sessions.

• #list_user_api_keys(user_id:, before: nil, after: nil, limit: 10, order: "desc", organization_id: nil, request_options: {}) ⇒ WorkOS::Types::ListStruct<WorkOS::UserApiKey>

  List API keys for a user.

• #list_user_authorized_applications(user_id:, before: nil, after: nil, limit: 10, order: "desc", request_options: {}) ⇒ WorkOS::Types::ListStruct<WorkOS::AuthorizedConnectApplicationListData>

  List authorized applications.

• #list_users(before: nil, after: nil, limit: 10, order: "desc", organization: nil, organization_id: nil, email: nil, request_options: {}) ⇒ WorkOS::Types::ListStruct<WorkOS::User>

  List users.

• #resend_invitation(id:, locale: nil, request_options: {}) ⇒ WorkOS::UserInvite

  Resend an invitation.

• #reset_password(email:, request_options: {}) ⇒ WorkOS::PasswordReset

  Create a password reset token.

• #revoke_invitation(id:, request_options: {}) ⇒ WorkOS::Invitation

  Revoke an invitation.

• #revoke_session(session_id:, return_to: nil, request_options: {}) ⇒ void

  Revoke Session.

• #send_email_change(id:, new_email:, request_options: {}) ⇒ WorkOS::EmailChange

  Send email change code.

• #send_invitation(email:, organization_id: nil, role_slug: nil, expires_in_days: nil, inviter_user_id: nil, locale: nil, request_options: {}) ⇒ WorkOS::UserInvite

  Send an invitation.

• #send_verification_email(id:, request_options: {}) ⇒ WorkOS::SendVerificationEmailResponse

  Send verification email.

• #update_jwt_template(content:, request_options: {}) ⇒ WorkOS::JWTTemplateResponse

  Update JWT template.

• #update_user(id:, email: nil, first_name: nil, last_name: nil, email_verified: nil, metadata: nil, external_id: nil, locale: nil, password: nil, request_options: {}) ⇒ WorkOS::User

  Update a user.

• #verify_email(id:, code:, request_options: {}) ⇒ WorkOS::VerifyEmailResponse

  Verify email.

Constructor Details

#initialize(client) ⇒ UserManagement

Returns a new instance of UserManagement.

# File 'lib/workos/user_management.rb', line 23

def initialize(client)
  @client = client
end

Instance Attribute Details

#password ⇒ String (readonly)

Returns:

• (String)

# File 'lib/workos/user_management.rb', line 13

PasswordPlaintext = Data.define(:password)

#password_hash ⇒ String (readonly)

Returns:

• (String)

# File 'lib/workos/user_management.rb', line 21

PasswordHashed = Data.define(:password_hash, :password_hash_type)

#password_hash_type ⇒ WorkOS::Types::CreateUserPasswordHashType (readonly)

Returns:

• (WorkOS::Types::CreateUserPasswordHashType)

# File 'lib/workos/user_management.rb', line 21

PasswordHashed = Data.define(:password_hash, :password_hash_type)

Instance Method Details

#accept_invitation(id:, request_options: {}) ⇒ WorkOS::Invitation

Accept an invitation

Parameters:

• id (String) —

  The unique ID of the invitation.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::Invitation)

# File 'lib/workos/user_management.rb', line 1076

def accept_invitation(
  id:,
  request_options: {}
)
  response = @client.request(
    method: :post,
    path: "/user_management/invitations/#{WorkOS::Util.encode_path(id)}/accept",
    auth: true,
    request_options: request_options
  )
  result = WorkOS::Invitation.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#authenticate_with_code(code:, code_verifier: nil, invitation_token: nil, ip_address: nil, device_id: nil, user_agent: nil, request_options: {}) ⇒ WorkOS::AuthenticateResponse

Authenticate with code.

Parameters:

• code (String)
• code_verifier (String, nil) (defaults to: nil)
• invitation_token (String, nil) (defaults to: nil)
• ip_address (String, nil) (defaults to: nil)
• device_id (String, nil) (defaults to: nil)
• user_agent (String, nil) (defaults to: nil)
• request_options (Hash) (defaults to: {}) —

  Per-request overrides.

Returns:

• (WorkOS::AuthenticateResponse)

# File 'lib/workos/user_management.rb', line 162

def authenticate_with_code(
  code:,
  code_verifier: nil,
  invitation_token: nil,
  ip_address: nil,
  device_id: nil,
  user_agent: nil,
  request_options: {}
)
  body = {
    "grant_type" => "authorization_code",
    "client_id" => @client.client_id,
    "client_secret" => @client.api_key,
    "code" => code,
    "code_verifier" => code_verifier,
    "invitation_token" => invitation_token,
    "ip_address" => ip_address,
    "device_id" => device_id,
    "user_agent" => user_agent
  }.compact
  response = @client.request(
    method: :post,
    path: "/user_management/authenticate",
    auth: true,
    body: body,
    request_options: request_options
  )
  WorkOS::AuthenticateResponse.new(response.body)
end

#authenticate_with_code_pkce(code:, code_verifier:, client_id: nil, ip_address: nil, user_agent: nil, request_options: {}) ⇒ Object

H11 — Exchange a code for tokens with PKCE support (public client; no secret). NOTE: Unlike the other authenticate_with_* helpers, this does NOT delegate to create_authenticate because PKCE is a public-client flow that requires auth: false (no Bearer token / API key in the Authorization header).

Raises:

• (ArgumentError)

# File 'lib/workos/user_management.rb', line 1456

def authenticate_with_code_pkce(code:, code_verifier:, client_id: nil, ip_address: nil, user_agent: nil, request_options: {})
  cid = client_id || @client.client_id
  raise ArgumentError, "client_id is required" if cid.nil? || cid.empty?
  body = {
    "grant_type" => "authorization_code",
    "client_id" => cid,
    "code" => code,
    "code_verifier" => code_verifier,
    "ip_address" => ip_address,
    "user_agent" => user_agent
  }.compact
  response = @client.request(method: :post, path: "/user_management/authenticate", auth: false, body: body, request_options: request_options)
  WorkOS::AuthenticateResponse.new(response.body)
end

#authenticate_with_device_code(device_code:, ip_address: nil, device_id: nil, user_agent: nil, request_options: {}) ⇒ WorkOS::AuthenticateResponse

Authenticate with device code.

Parameters:

• device_code (String)
• ip_address (String, nil) (defaults to: nil)
• device_id (String, nil) (defaults to: nil)
• user_agent (String, nil) (defaults to: nil)
• request_options (Hash) (defaults to: {}) —

  Per-request overrides.

Returns:

• (WorkOS::AuthenticateResponse)

# File 'lib/workos/user_management.rb', line 385

def authenticate_with_device_code(
  device_code:,
  ip_address: nil,
  device_id: nil,
  user_agent: nil,
  request_options: {}
)
  body = {
    "grant_type" => "urn:ietf:params:oauth:grant-type:device_code",
    "client_id" => @client.client_id,
    "device_code" => device_code,
    "ip_address" => ip_address,
    "device_id" => device_id,
    "user_agent" => user_agent
  }.compact
  response = @client.request(
    method: :post,
    path: "/user_management/authenticate",
    auth: true,
    body: body,
    request_options: request_options
  )
  WorkOS::AuthenticateResponse.new(response.body)
end

#authenticate_with_email_verification(code:, pending_authentication_token:, ip_address: nil, device_id: nil, user_agent: nil, request_options: {}) ⇒ WorkOS::AuthenticateResponse

Authenticate with email verification.

Parameters:

• code (String)
• pending_authentication_token (String)
• ip_address (String, nil) (defaults to: nil)
• device_id (String, nil) (defaults to: nil)
• user_agent (String, nil) (defaults to: nil)
• request_options (Hash) (defaults to: {}) —

  Per-request overrides.

Returns:

• (WorkOS::AuthenticateResponse)

# File 'lib/workos/user_management.rb', line 275

def authenticate_with_email_verification(
  code:,
  pending_authentication_token:,
  ip_address: nil,
  device_id: nil,
  user_agent: nil,
  request_options: {}
)
  body = {
    "grant_type" => "urn:workos:oauth:grant-type:email-verification:code",
    "client_id" => @client.client_id,
    "client_secret" => @client.api_key,
    "code" => code,
    "pending_authentication_token" => pending_authentication_token,
    "ip_address" => ip_address,
    "device_id" => device_id,
    "user_agent" => user_agent
  }.compact
  response = @client.request(
    method: :post,
    path: "/user_management/authenticate",
    auth: true,
    body: body,
    request_options: request_options
  )
  WorkOS::AuthenticateResponse.new(response.body)
end

#authenticate_with_magic_auth(code:, email:, invitation_token: nil, ip_address: nil, device_id: nil, user_agent: nil, request_options: {}) ⇒ WorkOS::AuthenticateResponse

Authenticate with magic auth.

Parameters:

• code (String)
• email (String)
• invitation_token (String, nil) (defaults to: nil)
• ip_address (String, nil) (defaults to: nil)
• device_id (String, nil) (defaults to: nil)
• user_agent (String, nil) (defaults to: nil)
• request_options (Hash) (defaults to: {}) —

  Per-request overrides.

Returns:

• (WorkOS::AuthenticateResponse)

# File 'lib/workos/user_management.rb', line 237

def authenticate_with_magic_auth(
  code:,
  email:,
  invitation_token: nil,
  ip_address: nil,
  device_id: nil,
  user_agent: nil,
  request_options: {}
)
  body = {
    "grant_type" => "urn:workos:oauth:grant-type:magic-auth:code",
    "client_id" => @client.client_id,
    "client_secret" => @client.api_key,
    "code" => code,
    "email" => email,
    "invitation_token" => invitation_token,
    "ip_address" => ip_address,
    "device_id" => device_id,
    "user_agent" => user_agent
  }.compact
  response = @client.request(
    method: :post,
    path: "/user_management/authenticate",
    auth: true,
    body: body,
    request_options: request_options
  )
  WorkOS::AuthenticateResponse.new(response.body)
end

#authenticate_with_organization_selection(pending_authentication_token:, organization_id:, ip_address: nil, device_id: nil, user_agent: nil, request_options: {}) ⇒ WorkOS::AuthenticateResponse

Authenticate with organization selection.

Parameters:

• pending_authentication_token (String)
• organization_id (String)
• ip_address (String, nil) (defaults to: nil)
• device_id (String, nil) (defaults to: nil)
• user_agent (String, nil) (defaults to: nil)
• request_options (Hash) (defaults to: {}) —

  Per-request overrides.

Returns:

• (WorkOS::AuthenticateResponse)

# File 'lib/workos/user_management.rb', line 350

def authenticate_with_organization_selection(
  pending_authentication_token:,
  organization_id:,
  ip_address: nil,
  device_id: nil,
  user_agent: nil,
  request_options: {}
)
  body = {
    "grant_type" => "urn:workos:oauth:grant-type:organization-selection",
    "client_id" => @client.client_id,
    "client_secret" => @client.api_key,
    "pending_authentication_token" => pending_authentication_token,
    "organization_id" => organization_id,
    "ip_address" => ip_address,
    "device_id" => device_id,
    "user_agent" => user_agent
  }.compact
  response = @client.request(
    method: :post,
    path: "/user_management/authenticate",
    auth: true,
    body: body,
    request_options: request_options
  )
  WorkOS::AuthenticateResponse.new(response.body)
end

#authenticate_with_password(email:, password:, invitation_token: nil, ip_address: nil, device_id: nil, user_agent: nil, request_options: {}) ⇒ WorkOS::AuthenticateResponse

Authenticate with password.

Parameters:

• email (String)
• password (String)
• invitation_token (String, nil) (defaults to: nil)
• ip_address (String, nil) (defaults to: nil)
• device_id (String, nil) (defaults to: nil)
• user_agent (String, nil) (defaults to: nil)
• request_options (Hash) (defaults to: {}) —

  Per-request overrides.

Returns:

• (WorkOS::AuthenticateResponse)

# File 'lib/workos/user_management.rb', line 123

def authenticate_with_password(
  email:,
  password:,
  invitation_token: nil,
  ip_address: nil,
  device_id: nil,
  user_agent: nil,
  request_options: {}
)
  body = {
    "grant_type" => "password",
    "client_id" => @client.client_id,
    "client_secret" => @client.api_key,
    "email" => email,
    "password" => password,
    "invitation_token" => invitation_token,
    "ip_address" => ip_address,
    "device_id" => device_id,
    "user_agent" => user_agent
  }.compact
  response = @client.request(
    method: :post,
    path: "/user_management/authenticate",
    auth: true,
    body: body,
    request_options: request_options
  )
  WorkOS::AuthenticateResponse.new(response.body)
end

#authenticate_with_refresh_token(refresh_token:, organization_id: nil, ip_address: nil, device_id: nil, user_agent: nil, request_options: {}) ⇒ WorkOS::AuthenticateResponse

Authenticate with refresh token.

Parameters:

• refresh_token (String)
• organization_id (String, nil) (defaults to: nil)
• ip_address (String, nil) (defaults to: nil)
• device_id (String, nil) (defaults to: nil)
• user_agent (String, nil) (defaults to: nil)
• request_options (Hash) (defaults to: {}) —

  Per-request overrides.

Returns:

• (WorkOS::AuthenticateResponse)

# File 'lib/workos/user_management.rb', line 200

def authenticate_with_refresh_token(
  refresh_token:,
  organization_id: nil,
  ip_address: nil,
  device_id: nil,
  user_agent: nil,
  request_options: {}
)
  body = {
    "grant_type" => "refresh_token",
    "client_id" => @client.client_id,
    "client_secret" => @client.api_key,
    "refresh_token" => refresh_token,
    "organization_id" => organization_id,
    "ip_address" => ip_address,
    "device_id" => device_id,
    "user_agent" => user_agent
  }.compact
  response = @client.request(
    method: :post,
    path: "/user_management/authenticate",
    auth: true,
    body: body,
    request_options: request_options
  )
  WorkOS::AuthenticateResponse.new(response.body)
end

#authenticate_with_totp(code:, pending_authentication_token:, authentication_challenge_id:, ip_address: nil, device_id: nil, user_agent: nil, request_options: {}) ⇒ WorkOS::AuthenticateResponse

Authenticate with totp.

Parameters:

• code (String)
• pending_authentication_token (String)
• authentication_challenge_id (String)
• ip_address (String, nil) (defaults to: nil)
• device_id (String, nil) (defaults to: nil)
• user_agent (String, nil) (defaults to: nil)
• request_options (Hash) (defaults to: {}) —

  Per-request overrides.

Returns:

• (WorkOS::AuthenticateResponse)

# File 'lib/workos/user_management.rb', line 312

def authenticate_with_totp(
  code:,
  pending_authentication_token:,
  authentication_challenge_id:,
  ip_address: nil,
  device_id: nil,
  user_agent: nil,
  request_options: {}
)
  body = {
    "grant_type" => "urn:workos:oauth:grant-type:mfa-totp",
    "client_id" => @client.client_id,
    "client_secret" => @client.api_key,
    "code" => code,
    "pending_authentication_token" => pending_authentication_token,
    "authentication_challenge_id" => authentication_challenge_id,
    "ip_address" => ip_address,
    "device_id" => device_id,
    "user_agent" => user_agent
  }.compact
  response = @client.request(
    method: :post,
    path: "/user_management/authenticate",
    auth: true,
    body: body,
    request_options: request_options
  )
  WorkOS::AuthenticateResponse.new(response.body)
end

#authorize_device(client_id: nil, request_options: {}) ⇒ WorkOS::DeviceAuthorizationResponse

H12 — Initiate the OAuth 2.0 device authorization flow.

Returns:

• (WorkOS::DeviceAuthorizationResponse)

Raises:

• (ArgumentError)

# File 'lib/workos/user_management.rb', line 1473

def authorize_device(client_id: nil, request_options: {})
  cid = client_id || @client.client_id
  raise ArgumentError, "client_id is required" if cid.nil? || cid.empty?
  body = {"client_id" => cid}
  response = @client.request(method: :post, path: "/oauth2/device_authorization", auth: false, body: body, request_options: request_options)
  WorkOS::DeviceAuthorizationResponse.new(response.body)
end

#confirm_email_change(id:, code:, request_options: {}) ⇒ WorkOS::EmailChangeConfirmation

Confirm email change

Parameters:

• id (String) —

  The unique ID of the user.

• code (String) —

  The one-time code used to confirm the email change.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::EmailChangeConfirmation)

# File 'lib/workos/user_management.rb', line 790

def confirm_email_change(
  id:,
  code:,
  request_options: {}
)
  body = {
    "code" => code
  }
  response = @client.request(
    method: :post,
    path: "/user_management/users/#{WorkOS::Util.encode_path(id)}/email_change/confirm",
    auth: true,
    body: body,
    request_options: request_options
  )
  result = WorkOS::EmailChangeConfirmation.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#confirm_password_reset(token:, new_password:, request_options: {}) ⇒ WorkOS::ResetPasswordResponse

Reset the password

Parameters:

• token (String) —

  The password reset token.

• new_password (String) —

  The new password to set for the user.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::ResetPasswordResponse)

# File 'lib/workos/user_management.rb', line 527

def confirm_password_reset(
  token:,
  new_password:,
  request_options: {}
)
  body = {
    "token" => token,
    "new_password" => new_password
  }
  response = @client.request(
    method: :post,
    path: "/user_management/password_reset/confirm",
    auth: true,
    body: body,
    request_options: request_options
  )
  result = WorkOS::ResetPasswordResponse.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#create_authenticate(client_id:, grant_type:, client_secret: nil, code: nil, code_verifier: nil, invitation_token: nil, ip_address: nil, device_id: nil, user_agent: nil, email: nil, password: nil, refresh_token: nil, organization_id: nil, pending_authentication_token: nil, authentication_challenge_id: nil, device_code: nil, request_options: {}) ⇒ WorkOS::AuthenticateResponse

Authenticate

Parameters:

• client_id (String) —

  The client ID of the application.

• client_secret (String, nil) (defaults to: nil) —

  The client secret of the application.

• grant_type (String)
• code (String, nil) (defaults to: nil) —

  The authorization code received from the redirect.

• code_verifier (String, nil) (defaults to: nil) —

  The PKCE code verifier used to derive the code challenge passed to the authorization URL.

• invitation_token (String, nil) (defaults to: nil) —

  An invitation token to accept during authentication.

• ip_address (String, nil) (defaults to: nil) —

  The IP address of the user's request.

• device_id (String, nil) (defaults to: nil) —

  A unique identifier for the device.

• user_agent (String, nil) (defaults to: nil) —

  The user agent string from the user's browser.

• email (String, nil) (defaults to: nil) —

  The user's email address.

• password (String, nil) (defaults to: nil) —

  The user's password.

• refresh_token (String, nil) (defaults to: nil) —

  The refresh token to exchange for new tokens.

• organization_id (String, nil) (defaults to: nil) —

  The ID of the organization to scope the session to.

• pending_authentication_token (String, nil) (defaults to: nil) —

  The pending authentication token from a previous authentication attempt.

• authentication_challenge_id (String, nil) (defaults to: nil) —

  The ID of the MFA authentication challenge.

• device_code (String, nil) (defaults to: nil) —

  The device verification code.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::AuthenticateResponse)

# File 'lib/workos/user_management.rb', line 65

def create_authenticate(
  client_id:,
  grant_type:,
  client_secret: nil,
  code: nil,
  code_verifier: nil,
  invitation_token: nil,
  ip_address: nil,
  device_id: nil,
  user_agent: nil,
  email: nil,
  password: nil,
  refresh_token: nil,
  organization_id: nil,
  pending_authentication_token: nil,
  authentication_challenge_id: nil,
  device_code: nil,
  request_options: {}
)
  body = {
    "client_id" => client_id,
    "client_secret" => client_secret,
    "grant_type" => grant_type,
    "code" => code,
    "code_verifier" => code_verifier,
    "invitation_token" => invitation_token,
    "ip_address" => ip_address,
    "device_id" => device_id,
    "user_agent" => user_agent,
    "email" => email,
    "password" => password,
    "refresh_token" => refresh_token,
    "organization_id" => organization_id,
    "pending_authentication_token" => pending_authentication_token,
    "authentication_challenge_id" => authentication_challenge_id,
    "device_code" => device_code
  }.compact
  response = @client.request(
    method: :post,
    path: "/user_management/authenticate",
    auth: true,
    body: body,
    request_options: request_options
  )
  result = WorkOS::AuthenticateResponse.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#create_cors_origin(origin:, request_options: {}) ⇒ WorkOS::CORSOriginResponse

Create a CORS origin

Parameters:

• origin (String) —

  The origin URL to allow for CORS requests.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::CORSOriginResponse)

# File 'lib/workos/user_management.rb', line 461

def create_cors_origin(
  origin:,
  request_options: {}
)
  body = {
    "origin" => origin
  }
  response = @client.request(
    method: :post,
    path: "/user_management/cors_origins",
    auth: true,
    body: body,
    request_options: request_options
  )
  result = WorkOS::CORSOriginResponse.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#create_device(client_id:, request_options: {}) ⇒ WorkOS::DeviceAuthorizationResponse

Get device authorization URL

Parameters:

• client_id (String) —

  The WorkOS client ID for your application.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::DeviceAuthorizationResponse)

# File 'lib/workos/user_management.rb', line 414

def create_device(
  client_id:,
  request_options: {}
)
  body = {
    "client_id" => client_id
  }
  response = @client.request(
    method: :post,
    path: "/user_management/authorize/device",
    auth: true,
    body: body,
    request_options: request_options
  )
  result = WorkOS::DeviceAuthorizationResponse.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#create_magic_auth(email:, invitation_token: nil, request_options: {}) ⇒ WorkOS::MagicAuth

Create a Magic Auth code

Parameters:

• email (String) —

  The email address to send the magic code to.

• invitation_token (String, nil) (defaults to: nil) —

  The invitation token to associate with this magic code.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::MagicAuth)

# File 'lib/workos/user_management.rb', line 1178

def create_magic_auth(
  email:,
  invitation_token: nil,
  request_options: {}
)
  body = {
    "email" => email,
    "invitation_token" => invitation_token
  }.compact
  response = @client.request(
    method: :post,
    path: "/user_management/magic_auth",
    auth: true,
    body: body,
    request_options: request_options
  )
  result = WorkOS::MagicAuth.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#create_redirect_uri(uri:, request_options: {}) ⇒ WorkOS::RedirectUri

Create a redirect URI

Parameters:

• uri (String) —

  The redirect URI to create.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::RedirectUri)

# File 'lib/workos/user_management.rb', line 1222

def create_redirect_uri(
  uri:,
  request_options: {}
)
  body = {
    "uri" => uri
  }
  response = @client.request(
    method: :post,
    path: "/user_management/redirect_uris",
    auth: true,
    body: body,
    request_options: request_options
  )
  result = WorkOS::RedirectUri.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#create_user(email:, first_name: nil, last_name: nil, email_verified: nil, metadata: nil, external_id: nil, password: nil, request_options: {}) ⇒ WorkOS::User

Create a user

Parameters:

• email (String) —

  The email address of the user.

• first_name (String, nil) (defaults to: nil) —

  The first name of the user.

• last_name (String, nil) (defaults to: nil) —

  The last name of the user.

• email_verified (Boolean, nil) (defaults to: nil) —

  Whether the user's email has been verified.

• metadata (Hash{String => String}, nil) (defaults to: nil) —

  Object containing metadata key/value pairs associated with the user.

• external_id (String, nil) (defaults to: nil) —

  The external ID of the user.

• password (WorkOS::UserManagement::PasswordPlaintext, WorkOS::UserManagement::PasswordHashed, nil) (defaults to: nil) —

  Identifies the password.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::User)

# File 'lib/workos/user_management.rb', line 633

def create_user(
  email:,
  first_name: nil,
  last_name: nil,
  email_verified: nil,
  metadata: nil,
  external_id: nil,
  password: nil,
  request_options: {}
)
  body = {
    "email" => email,
    "first_name" => first_name,
    "last_name" => last_name,
    "email_verified" => email_verified,
    "metadata" => metadata,
    "external_id" => external_id
  }.compact
  if password
    case password
    when WorkOS::UserManagement::PasswordPlaintext
      body["password"] = password.password
    when WorkOS::UserManagement::PasswordHashed
      body["password_hash"] = password.password_hash
      body["password_hash_type"] = password.password_hash_type
    else
      raise ArgumentError, "expected password to be one of: WorkOS::UserManagement::PasswordPlaintext, WorkOS::UserManagement::PasswordHashed, got #{password.class}"
    end
  end
  response = @client.request(
    method: :post,
    path: "/user_management/users",
    auth: true,
    body: body,
    request_options: request_options
  )
  result = WorkOS::User.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#create_user_api_key(user_id:, name:, organization_id:, permissions: nil, expires_at: nil, request_options: {}) ⇒ WorkOS::UserApiKeyWithValue

Create an API key for a user

Parameters:

• user_id (String) —

  Unique identifier of the user.

• name (String) —

  A descriptive name for the API key.

• organization_id (String) —

  The ID of the organization the user API key is associated with. The user must have an active membership in this organization.

• permissions (Array<String>, nil) (defaults to: nil) —

  The permission slugs to assign to the API key. Each permission must be enabled for user API keys.

• expires_at (String, nil) (defaults to: nil) —

  The timestamp when the API key should expire. Must be a future timestamp. If omitted, the key does not expire.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::UserApiKeyWithValue)

# File 'lib/workos/user_management.rb', line 1366

def create_user_api_key(
  user_id:,
  name:,
  organization_id:,
  permissions: nil,
  expires_at: nil,
  request_options: {}
)
  body = {
    "name" => name,
    "organization_id" => organization_id,
    "permissions" => permissions,
    "expires_at" => expires_at
  }.compact
  response = @client.request(
    method: :post,
    path: "/user_management/users/#{WorkOS::Util.encode_path(user_id)}/api_keys",
    auth: true,
    body: body,
    request_options: request_options
  )
  result = WorkOS::UserApiKeyWithValue.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#delete_user(id:, request_options: {}) ⇒ void

This method returns an undefined value.

Delete a user

Parameters:

• id (String) —

  The unique ID of the user.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

# File 'lib/workos/user_management.rb', line 772

def delete_user(
  id:,
  request_options: {}
)
  @client.request(
    method: :delete,
    path: "/user_management/users/#{WorkOS::Util.encode_path(id)}",
    auth: true,
    request_options: request_options
  )
  nil
end

#delete_user_authorized_application(application_id:, user_id:, request_options: {}) ⇒ void

This method returns an undefined value.

Delete an authorized application

Parameters:

• application_id (String) —

  The ID or client ID of the application.

• user_id (String) —

  The ID of the user.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

# File 'lib/workos/user_management.rb', line 1293

def delete_user_authorized_application(
  application_id:,
  user_id:,
  request_options: {}
)
  @client.request(
    method: :delete,
    path: "/user_management/users/#{WorkOS::Util.encode_path(user_id)}/authorized_applications/#{WorkOS::Util.encode_path(application_id)}",
    auth: true,
    request_options: request_options
  )
  nil
end

#find_invitation_by_token(token:, request_options: {}) ⇒ WorkOS::UserInvite

Find an invitation by token

Parameters:

• token (String) —

  The token used to accept the invitation.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::UserInvite)

# File 'lib/workos/user_management.rb', line 1038

def find_invitation_by_token(
  token:,
  request_options: {}
)
  response = @client.request(
    method: :get,
    path: "/user_management/invitations/by_token/#{WorkOS::Util.encode_path(token)}",
    auth: true,
    request_options: request_options
  )
  result = WorkOS::UserInvite.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#get_authorization_url(redirect_uri:, client_id: nil, provider: nil, connection_id: nil, organization_id: nil, domain_hint: nil, login_hint: nil, state: nil, screen_hint: nil, code_challenge: nil, code_challenge_method: nil, prompt: nil) ⇒ Object

H09 — Build an AuthKit authorization URL (client-side, no HTTP call). Overrides the generated get_authorization_url which hits the API.

Raises:

• (ArgumentError)

# File 'lib/workos/user_management.rb', line 1404

def get_authorization_url(redirect_uri:, client_id: nil, provider: nil, connection_id: nil,
  organization_id: nil, domain_hint: nil, login_hint: nil,
  state: nil, screen_hint: nil, code_challenge: nil,
  code_challenge_method: nil, prompt: nil, **)
  cid = client_id || @client.client_id
  raise ArgumentError, "client_id is required (set on Client or pass explicitly)" if cid.nil? || cid.empty?
  raise ArgumentError, "provider, connection_id, or organization_id required" if provider.nil? && connection_id.nil? && organization_id.nil?
  params = {
    "client_id" => cid,
    "redirect_uri" => redirect_uri,
    "response_type" => "code",
    "provider" => provider,
    "connection_id" => connection_id,
    "organization_id" => organization_id,
    "domain_hint" => domain_hint,
    "login_hint" => login_hint,
    "state" => state,
    "screen_hint" => screen_hint,
    "code_challenge" => code_challenge,
    "code_challenge_method" => code_challenge_method,
    "prompt" => prompt
  }.compact
  build_url("/user_management/authorize", params)
end

#get_authorization_url_with_pkce(redirect_uri:, client_id: nil, **opts) ⇒ Object

H10 — AuthKit authorization URL with auto-generated PKCE + state. Returns [url, code_verifier, state].

# File 'lib/workos/user_management.rb', line 1431

def get_authorization_url_with_pkce(redirect_uri:, client_id: nil, **opts)
  pair = WorkOS::PKCE.generate_pair
  state = opts.delete(:state) || WorkOS::PKCE.generate_code_verifier
  # Strip caller-supplied PKCE params: this helper exists specifically
  # to generate them, so a caller-provided value would either silently
  # override our freshly-generated challenge (defeating the helper) or
  # collide with the keyword args below and raise. Mirror the existing
  # opts.delete(:state) pattern.
  opts.delete(:code_challenge)
  opts.delete(:code_challenge_method)
  url = get_authorization_url(
    redirect_uri: redirect_uri,
    client_id: client_id,
    state: state,
    code_challenge: pair[:code_challenge],
    code_challenge_method: "S256",
    **opts
  )
  [url, pair[:code_verifier], state]
end

#get_email_verification(id:, request_options: {}) ⇒ WorkOS::EmailVerification

Get an email verification code

Parameters:

• id (String) —

  The ID of the email verification code.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::EmailVerification)

# File 'lib/workos/user_management.rb', line 484

def get_email_verification(
  id:,
  request_options: {}
)
  response = @client.request(
    method: :get,
    path: "/user_management/email_verification/#{WorkOS::Util.encode_path(id)}",
    auth: true,
    request_options: request_options
  )
  result = WorkOS::EmailVerification.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#get_invitation(id:, request_options: {}) ⇒ WorkOS::UserInvite

Get an invitation

Parameters:

• id (String) —

  The unique ID of the invitation.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::UserInvite)

# File 'lib/workos/user_management.rb', line 1057

def get_invitation(
  id:,
  request_options: {}
)
  response = @client.request(
    method: :get,
    path: "/user_management/invitations/#{WorkOS::Util.encode_path(id)}",
    auth: true,
    request_options: request_options
  )
  result = WorkOS::UserInvite.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#get_jwks(client_id:, request_options: {}) ⇒ WorkOS::JwksResponse

Get JWKS

Parameters:

• client_id (String) —

  Identifies the application making the request to the WorkOS server. You can obtain your client ID from the API Keys page in the dashboard.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::JwksResponse)

# File 'lib/workos/user_management.rb', line 31

def get_jwks(
  client_id:,
  request_options: {}
)
  response = @client.request(
    method: :get,
    path: "/sso/jwks/#{WorkOS::Util.encode_path(client_id)}",
    auth: true,
    request_options: request_options
  )
  result = WorkOS::JwksResponse.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#get_jwks_url(client_id: nil) ⇒ Object

@oagen-ignore-start — non-spec helpers (hand-maintained) H13 — Build the JWKS URL for a given client_id (no HTTP call). Pair with #get_jwks (generated) to fetch the keyset.

Raises:

• (ArgumentError)

# File 'lib/workos/user_management.rb', line 1395

def get_jwks_url(client_id: nil)
  cid = client_id || @client.client_id
  raise ArgumentError, "client_id is required" if cid.nil? || cid.empty?
  base = @client.base_url
  URI.join(base, "/sso/jwks/#{WorkOS::Util.encode_path(cid)}").to_s
end

#get_logout_url(session_id:, return_to: nil) ⇒ String

Build the AuthKit logout redirect URL (client-side, no HTTP call).

Parameters:

• session_id (String) —

  The session ID (from the sid claim of the access token).

• return_to (String, nil) (defaults to: nil) —

  URL to redirect the user to after session revocation.

Returns:

• (String)

# File 'lib/workos/user_management.rb', line 1489

def get_logout_url(session_id:, return_to: nil)
  params = {"session_id" => session_id}
  params["return_to"] = return_to if return_to
  build_url("/user_management/sessions/logout", params)
end

#get_magic_auth(id:, request_options: {}) ⇒ WorkOS::MagicAuth

Get Magic Auth code details

Parameters:

• id (String) —

  The unique ID of the Magic Auth code.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::MagicAuth)

# File 'lib/workos/user_management.rb', line 1203

def get_magic_auth(
  id:,
  request_options: {}
)
  response = @client.request(
    method: :get,
    path: "/user_management/magic_auth/#{WorkOS::Util.encode_path(id)}",
    auth: true,
    request_options: request_options
  )
  result = WorkOS::MagicAuth.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#get_password_reset(id:, request_options: {}) ⇒ WorkOS::PasswordReset

Get a password reset token

Parameters:

• id (String) —

  The ID of the password reset token.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::PasswordReset)

# File 'lib/workos/user_management.rb', line 552

def get_password_reset(
  id:,
  request_options: {}
)
  response = @client.request(
    method: :get,
    path: "/user_management/password_reset/#{WorkOS::Util.encode_path(id)}",
    auth: true,
    request_options: request_options
  )
  result = WorkOS::PasswordReset.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#get_user(id:, request_options: {}) ⇒ WorkOS::User

Get a user

Parameters:

• id (String) —

  The unique ID of the user.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::User)

# File 'lib/workos/user_management.rb', line 697

def get_user(
  id:,
  request_options: {}
)
  response = @client.request(
    method: :get,
    path: "/user_management/users/#{WorkOS::Util.encode_path(id)}",
    auth: true,
    request_options: request_options
  )
  result = WorkOS::User.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#get_user_by_external_id(external_id:, request_options: {}) ⇒ WorkOS::User

Get a user by external ID

Parameters:

• external_id (String) —

  The external ID of the user.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::User)

# File 'lib/workos/user_management.rb', line 678

def get_user_by_external_id(
  external_id:,
  request_options: {}
)
  response = @client.request(
    method: :get,
    path: "/user_management/users/external_id/#{WorkOS::Util.encode_path(external_id)}",
    auth: true,
    request_options: request_options
  )
  result = WorkOS::User.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#get_user_identities(id:, request_options: {}) ⇒ Array<WorkOS::UserIdentitiesGetItem>

Get user identities

Parameters:

• id (String) —

  The unique ID of the user.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (Array<WorkOS::UserIdentitiesGetItem>)

# File 'lib/workos/user_management.rb', line 883

def get_user_identities(
  id:,
  request_options: {}
)
  response = @client.request(
    method: :get,
    path: "/user_management/users/#{WorkOS::Util.encode_path(id)}/identities",
    auth: true,
    request_options: request_options
  )
  parsed = JSON.parse(response.body)
  (parsed || []).map { |item| WorkOS::UserIdentitiesGetItem.new(item) }
end

#list_invitations(before: nil, after: nil, limit: 10, order: "desc", organization_id: nil, email: nil, request_options: {}) ⇒ WorkOS::Types::ListStruct<WorkOS::UserInvite>

List invitations

Parameters:

• before (String, nil) (defaults to: nil) —

  An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with "obj_123", your subsequent call can include before="obj_123" to fetch a new batch of objects before "obj_123".

• after (String, nil) (defaults to: nil) —

  An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with "obj_123", your subsequent call can include after="obj_123" to fetch a new batch of objects after "obj_123".

• limit (Integer, nil) (defaults to: 10) —

  Upper limit on the number of objects to return, between 1 and 100.

• order (WorkOS::Types::PaginationOrder, nil) (defaults to: "desc") —

  Order the results by the creation time. Supported values are "asc" (ascending), "desc" (descending), and "normal" (descending with reversed cursor semantics where before fetches older records and after fetches newer records). Defaults to descending.

• organization_id (String, nil) (defaults to: nil) —

  The ID of the organization that the recipient will join.

• email (String, nil) (defaults to: nil) —

  The email address of the recipient.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::Types::ListStruct<WorkOS::UserInvite>)

# File 'lib/workos/user_management.rb', line 953

def list_invitations(
  before: nil,
  after: nil,
  limit: 10,
  order: "desc",
  organization_id: nil,
  email: nil,
  request_options: {}
)
  params = {
    "before" => before,
    "after" => after,
    "limit" => limit,
    "order" => order,
    "organization_id" => organization_id,
    "email" => email
  }.compact
  response = @client.request(
    method: :get,
    path: "/user_management/invitations",
    auth: true,
    params: params,
    request_options: request_options
  )
  fetch_next = ->(cursor) {
    list_invitations(
      before: before,
      after: cursor,
      limit: limit,
      order: order,
      organization_id: organization_id,
      email: email,
      request_options: request_options
    )
  }
  WorkOS::Types::ListStruct.from_response(
    response,
    model: WorkOS::UserInvite,
    filters: {before: before, limit: limit, order: order, organization_id: organization_id, email: email},
    fetch_next: fetch_next
  )
end

#list_jwt_template(request_options: {}) ⇒ WorkOS::JWTTemplateResponse

Get JWT template

Parameters:

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::JWTTemplateResponse)

# File 'lib/workos/user_management.rb', line 1138

def list_jwt_template(request_options: {})
  response = @client.request(
    method: :get,
    path: "/user_management/jwt_template",
    auth: true,
    request_options: request_options
  )
  result = WorkOS::JWTTemplateResponse.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#list_sessions(id:, before: nil, after: nil, limit: 10, order: "desc", request_options: {}) ⇒ WorkOS::Types::ListStruct<WorkOS::UserSessionsListItem>

List sessions

Parameters:

• id (String) —

  The ID of the user.

• before (String, nil) (defaults to: nil) —

  An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with "obj_123", your subsequent call can include before="obj_123" to fetch a new batch of objects before "obj_123".

• after (String, nil) (defaults to: nil) —

  An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with "obj_123", your subsequent call can include after="obj_123" to fetch a new batch of objects after "obj_123".

• limit (Integer, nil) (defaults to: 10) —

  Upper limit on the number of objects to return, between 1 and 100.

• order (WorkOS::Types::PaginationOrder, nil) (defaults to: "desc") —

  Order the results by the creation time. Supported values are "asc" (ascending), "desc" (descending), and "normal" (descending with reversed cursor semantics where before fetches older records and after fetches newer records). Defaults to descending.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::Types::ListStruct<WorkOS::UserSessionsListItem>)

# File 'lib/workos/user_management.rb', line 905

def list_sessions(
  id:,
  before: nil,
  after: nil,
  limit: 10,
  order: "desc",
  request_options: {}
)
  params = {
    "before" => before,
    "after" => after,
    "limit" => limit,
    "order" => order
  }.compact
  response = @client.request(
    method: :get,
    path: "/user_management/users/#{WorkOS::Util.encode_path(id)}/sessions",
    auth: true,
    params: params,
    request_options: request_options
  )
  fetch_next = ->(cursor) {
    list_sessions(
      id: id,
      before: before,
      after: cursor,
      limit: limit,
      order: order,
      request_options: request_options
    )
  }
  WorkOS::Types::ListStruct.from_response(
    response,
    model: WorkOS::UserSessionsListItem,
    filters: {id: id, before: before, limit: limit, order: order},
    fetch_next: fetch_next
  )
end

#list_user_api_keys(user_id:, before: nil, after: nil, limit: 10, order: "desc", organization_id: nil, request_options: {}) ⇒ WorkOS::Types::ListStruct<WorkOS::UserApiKey>

List API keys for a user

Parameters:

• user_id (String) —

  Unique identifier of the user.

• before (String, nil) (defaults to: nil) —

  An object ID that defines your place in the list. When the ID is not present, you are at the end of the list.

• after (String, nil) (defaults to: nil) —

  An object ID that defines your place in the list. When the ID is not present, you are at the end of the list.

• limit (Integer, nil) (defaults to: 10) —

  Upper limit on the number of objects to return, between 1 and 100.

• order (WorkOS::Types::PaginationOrder, nil) (defaults to: "desc") —

  Order the results by the creation time.

• organization_id (String, nil) (defaults to: nil) —

  The ID of the organization to filter user API keys by. When provided, only API keys created against that organization membership are returned.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::Types::ListStruct<WorkOS::UserApiKey>)

# File 'lib/workos/user_management.rb', line 1316

def list_user_api_keys(
  user_id:,
  before: nil,
  after: nil,
  limit: 10,
  order: "desc",
  organization_id: nil,
  request_options: {}
)
  params = {
    "before" => before,
    "after" => after,
    "limit" => limit,
    "order" => order,
    "organization_id" => organization_id
  }.compact
  response = @client.request(
    method: :get,
    path: "/user_management/users/#{WorkOS::Util.encode_path(user_id)}/api_keys",
    auth: true,
    params: params,
    request_options: request_options
  )
  fetch_next = ->(cursor) {
    list_user_api_keys(
      user_id: user_id,
      before: before,
      after: cursor,
      limit: limit,
      order: order,
      organization_id: organization_id,
      request_options: request_options
    )
  }
  WorkOS::Types::ListStruct.from_response(
    response,
    model: WorkOS::UserApiKey,
    filters: {user_id: user_id, before: before, limit: limit, order: order, organization_id: organization_id},
    fetch_next: fetch_next
  )
end

#list_user_authorized_applications(user_id:, before: nil, after: nil, limit: 10, order: "desc", request_options: {}) ⇒ WorkOS::Types::ListStruct<WorkOS::AuthorizedConnectApplicationListData>

List authorized applications

Parameters:

• user_id (String) —

  The ID of the user.

• before (String, nil) (defaults to: nil) —

  An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with "obj_123", your subsequent call can include before="obj_123" to fetch a new batch of objects before "obj_123".

• after (String, nil) (defaults to: nil) —

  An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with "obj_123", your subsequent call can include after="obj_123" to fetch a new batch of objects after "obj_123".

• limit (Integer, nil) (defaults to: 10) —

  Upper limit on the number of objects to return, between 1 and 100.

• order (WorkOS::Types::PaginationOrder, nil) (defaults to: "desc") —

  Order the results by the creation time. Supported values are "asc" (ascending), "desc" (descending), and "normal" (descending with reversed cursor semantics where before fetches older records and after fetches newer records). Defaults to descending.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::Types::ListStruct<WorkOS::AuthorizedConnectApplicationListData>)

# File 'lib/workos/user_management.rb', line 1249

def list_user_authorized_applications(
  user_id:,
  before: nil,
  after: nil,
  limit: 10,
  order: "desc",
  request_options: {}
)
  params = {
    "before" => before,
    "after" => after,
    "limit" => limit,
    "order" => order
  }.compact
  response = @client.request(
    method: :get,
    path: "/user_management/users/#{WorkOS::Util.encode_path(user_id)}/authorized_applications",
    auth: true,
    params: params,
    request_options: request_options
  )
  fetch_next = ->(cursor) {
    list_user_authorized_applications(
      user_id: user_id,
      before: before,
      after: cursor,
      limit: limit,
      order: order,
      request_options: request_options
    )
  }
  WorkOS::Types::ListStruct.from_response(
    response,
    model: WorkOS::AuthorizedConnectApplicationListData,
    filters: {user_id: user_id, before: before, limit: limit, order: order},
    fetch_next: fetch_next
  )
end

#list_users(before: nil, after: nil, limit: 10, order: "desc", organization: nil, organization_id: nil, email: nil, request_options: {}) ⇒ WorkOS::Types::ListStruct<WorkOS::User>

List users

Parameters:

• before (String, nil) (defaults to: nil) —

  An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with "obj_123", your subsequent call can include before="obj_123" to fetch a new batch of objects before "obj_123".

• after (String, nil) (defaults to: nil) —

  An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with "obj_123", your subsequent call can include after="obj_123" to fetch a new batch of objects after "obj_123".

• limit (Integer, nil) (defaults to: 10) —

  Upper limit on the number of objects to return, between 1 and 100.

• order (WorkOS::Types::PaginationOrder, nil) (defaults to: "desc") —

  Order the results by the creation time. Supported values are "asc" (ascending), "desc" (descending), and "normal" (descending with reversed cursor semantics where before fetches older records and after fetches newer records). Defaults to descending.

• organization (String, nil) (defaults to: nil) —

  (deprecated) Filter users by the organization they are a member of. Deprecated in favor of organization_id.

• organization_id (String, nil) (defaults to: nil) —

  Filter users by the organization they are a member of.

• email (String, nil) (defaults to: nil) —

  Filter users by their email address.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::Types::ListStruct<WorkOS::User>)

# File 'lib/workos/user_management.rb', line 577

def list_users(
  before: nil,
  after: nil,
  limit: 10,
  order: "desc",
  organization: nil,
  organization_id: nil,
  email: nil,
  request_options: {}
)
  params = {
    "before" => before,
    "after" => after,
    "limit" => limit,
    "order" => order,
    "organization" => organization,
    "organization_id" => organization_id,
    "email" => email
  }.compact
  response = @client.request(
    method: :get,
    path: "/user_management/users",
    auth: true,
    params: params,
    request_options: request_options
  )
  fetch_next = ->(cursor) {
    list_users(
      before: before,
      after: cursor,
      limit: limit,
      order: order,
      organization: organization,
      organization_id: organization_id,
      email: email,
      request_options: request_options
    )
  }
  WorkOS::Types::ListStruct.from_response(
    response,
    model: WorkOS::User,
    filters: {before: before, limit: limit, order: order, organization: organization, organization_id: organization_id, email: email},
    fetch_next: fetch_next
  )
end

#resend_invitation(id:, locale: nil, request_options: {}) ⇒ WorkOS::UserInvite

Resend an invitation

Parameters:

• id (String) —

  The unique ID of the invitation.

• locale (WorkOS::Types::ResendUserInviteOptionsLocale, nil) (defaults to: nil) —

  The locale to use when rendering the invitation email. See supported locales.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::UserInvite)

# File 'lib/workos/user_management.rb', line 1096

def resend_invitation(
  id:,
  locale: nil,
  request_options: {}
)
  body = {
    "locale" => locale
  }.compact
  response = @client.request(
    method: :post,
    path: "/user_management/invitations/#{WorkOS::Util.encode_path(id)}/resend",
    auth: true,
    body: body,
    request_options: request_options
  )
  result = WorkOS::UserInvite.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#reset_password(email:, request_options: {}) ⇒ WorkOS::PasswordReset

Create a password reset token

Parameters:

• email (String) —

  The email address of the user requesting a password reset.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::PasswordReset)

# File 'lib/workos/user_management.rb', line 503

def reset_password(
  email:,
  request_options: {}
)
  body = {
    "email" => email
  }
  response = @client.request(
    method: :post,
    path: "/user_management/password_reset",
    auth: true,
    body: body,
    request_options: request_options
  )
  result = WorkOS::PasswordReset.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#revoke_invitation(id:, request_options: {}) ⇒ WorkOS::Invitation

Revoke an invitation

Parameters:

• id (String) —

  The unique ID of the invitation.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::Invitation)

# File 'lib/workos/user_management.rb', line 1120

def revoke_invitation(
  id:,
  request_options: {}
)
  response = @client.request(
    method: :post,
    path: "/user_management/invitations/#{WorkOS::Util.encode_path(id)}/revoke",
    auth: true,
    request_options: request_options
  )
  result = WorkOS::Invitation.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#revoke_session(session_id:, return_to: nil, request_options: {}) ⇒ void

This method returns an undefined value.

Revoke Session

Parameters:

• session_id (String) —

  The ID of the session to revoke. This can be extracted from the sid claim of the access token.

• return_to (String, nil) (defaults to: nil) —

  The URL to redirect the user to after session revocation.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

# File 'lib/workos/user_management.rb', line 438

def revoke_session(
  session_id:,
  return_to: nil,
  request_options: {}
)
  body = {
    "session_id" => session_id,
    "return_to" => return_to
  }.compact
  @client.request(
    method: :post,
    path: "/user_management/sessions/revoke",
    auth: true,
    body: body,
    request_options: request_options
  )
  nil
end

#send_email_change(id:, new_email:, request_options: {}) ⇒ WorkOS::EmailChange

Send email change code

Parameters:

• id (String) —

  The unique ID of the user.

• new_email (String) —

  The new email address to change to.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::EmailChange)

# File 'lib/workos/user_management.rb', line 815

def send_email_change(
  id:,
  new_email:,
  request_options: {}
)
  body = {
    "new_email" => new_email
  }
  response = @client.request(
    method: :post,
    path: "/user_management/users/#{WorkOS::Util.encode_path(id)}/email_change/send",
    auth: true,
    body: body,
    request_options: request_options
  )
  result = WorkOS::EmailChange.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#send_invitation(email:, organization_id: nil, role_slug: nil, expires_in_days: nil, inviter_user_id: nil, locale: nil, request_options: {}) ⇒ WorkOS::UserInvite

Send an invitation

Parameters:

• email (String) —

  The email address of the recipient.

• organization_id (String, nil) (defaults to: nil) —

  The ID of the organization that the recipient will join.

• role_slug (String, nil) (defaults to: nil) —

  The role that the recipient will receive when they join the organization in the invitation.

• expires_in_days (Integer, nil) (defaults to: nil) —

  How many days the invitations will be valid for. Must be between 1 and 30 days. Defaults to 7 days if not specified.

• inviter_user_id (String, nil) (defaults to: nil) —

  The ID of the user who invites the recipient. The invitation email will mention the name of this user.

• locale (WorkOS::Types::CreateUserInviteOptionsLocale, nil) (defaults to: nil) —

  The locale to use when rendering the invitation email. See supported locales.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::UserInvite)

# File 'lib/workos/user_management.rb', line 1005

def send_invitation(
  email:,
  organization_id: nil,
  role_slug: nil,
  expires_in_days: nil,
  inviter_user_id: nil,
  locale: nil,
  request_options: {}
)
  body = {
    "email" => email,
    "organization_id" => organization_id,
    "role_slug" => role_slug,
    "expires_in_days" => expires_in_days,
    "inviter_user_id" => inviter_user_id,
    "locale" => locale
  }.compact
  response = @client.request(
    method: :post,
    path: "/user_management/invitations",
    auth: true,
    body: body,
    request_options: request_options
  )
  result = WorkOS::UserInvite.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#send_verification_email(id:, request_options: {}) ⇒ WorkOS::SendVerificationEmailResponse

Send verification email

Parameters:

• id (String) —

  The ID of the user.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::SendVerificationEmailResponse)

# File 'lib/workos/user_management.rb', line 864

def send_verification_email(
  id:,
  request_options: {}
)
  response = @client.request(
    method: :post,
    path: "/user_management/users/#{WorkOS::Util.encode_path(id)}/email_verification/send",
    auth: true,
    request_options: request_options
  )
  result = WorkOS::SendVerificationEmailResponse.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#update_jwt_template(content:, request_options: {}) ⇒ WorkOS::JWTTemplateResponse

Update JWT template

Parameters:

• content (String) —

  The JWT template content as a Liquid template string.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::JWTTemplateResponse)

# File 'lib/workos/user_management.rb', line 1154

def update_jwt_template(
  content:,
  request_options: {}
)
  body = {
    "content" => content
  }
  response = @client.request(
    method: :put,
    path: "/user_management/jwt_template",
    auth: true,
    body: body,
    request_options: request_options
  )
  result = WorkOS::JWTTemplateResponse.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#update_user(id:, email: nil, first_name: nil, last_name: nil, email_verified: nil, metadata: nil, external_id: nil, locale: nil, password: nil, request_options: {}) ⇒ WorkOS::User

Update a user

Parameters:

• id (String) —

  The unique ID of the user.

• email (String, nil) (defaults to: nil) —

  The email address of the user.

• first_name (String, nil) (defaults to: nil) —

  The first name of the user.

• last_name (String, nil) (defaults to: nil) —

  The last name of the user.

• email_verified (Boolean, nil) (defaults to: nil) —

  Whether the user's email has been verified.

• metadata (Hash{String => String}, nil) (defaults to: nil) —

  Object containing metadata key/value pairs associated with the user.

• external_id (String, nil) (defaults to: nil) —

  The external ID of the user.

• locale (String, nil) (defaults to: nil) —

  The user's preferred locale.

• password (WorkOS::UserManagement::PasswordPlaintext, WorkOS::UserManagement::PasswordHashed, nil) (defaults to: nil) —

  Identifies the password.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::User)

# File 'lib/workos/user_management.rb', line 724

def update_user(
  id:,
  email: nil,
  first_name: nil,
  last_name: nil,
  email_verified: nil,
  metadata: nil,
  external_id: nil,
  locale: nil,
  password: nil,
  request_options: {}
)
  body = {
    "email" => email,
    "first_name" => first_name,
    "last_name" => last_name,
    "email_verified" => email_verified,
    "metadata" => metadata,
    "external_id" => external_id,
    "locale" => locale
  }.compact
  if password
    case password
    when WorkOS::UserManagement::PasswordPlaintext
      body["password"] = password.password
    when WorkOS::UserManagement::PasswordHashed
      body["password_hash"] = password.password_hash
      body["password_hash_type"] = password.password_hash_type
    else
      raise ArgumentError, "expected password to be one of: WorkOS::UserManagement::PasswordPlaintext, WorkOS::UserManagement::PasswordHashed, got #{password.class}"
    end
  end
  response = @client.request(
    method: :put,
    path: "/user_management/users/#{WorkOS::Util.encode_path(id)}",
    auth: true,
    body: body,
    request_options: request_options
  )
  result = WorkOS::User.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#verify_email(id:, code:, request_options: {}) ⇒ WorkOS::VerifyEmailResponse

Verify email

Parameters:

• id (String) —

  The ID of the user.

• code (String) —

  The one-time email verification code.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::VerifyEmailResponse)

# File 'lib/workos/user_management.rb', line 840

def verify_email(
  id:,
  code:,
  request_options: {}
)
  body = {
    "code" => code
  }
  response = @client.request(
    method: :post,
    path: "/user_management/users/#{WorkOS::Util.encode_path(id)}/email_verification/confirm",
    auth: true,
    body: body,
    request_options: request_options
  )
  result = WorkOS::VerifyEmailResponse.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end