{
  "endpoint": "SsoHandler",
  "preferredHttpPath": "l",
  "alternateHttpPaths": [
    "SsoHandler",
    "HttpSso"
  ],
  "summary": "Single sign-on related APIs.",
  "description": "This endpoint provides APIs for configuring and using single sign-on (SSO) identity providers (IdPs).\n            Currently Google and Apple are supported.\n            Two modes of operation are supported:\n            1. The UI redirects the main page or a popup to the appropriate Start*Authentication API, which redirects to the provider\u0027s login page, which is instructed to redirect back to the API\u0027s callback, which interprets and verifies the response, creates the account or logs the user in, and the redirects back to the UI\u0027s configured target with the access token and refresh tokens in the query string.  If there is an error in the process, a possibly-different target is called with the error code and message in the query string.  The Server never actually renders any UI in this scenario, but it does take control of the browser.\n            2. The UI controls the process, turning control over to the provider and receiving a JWT back from the provider.  The UI then POSTs the JWT to the Continue*Authentication API, which verifies the JWT, creates the account or logs the user in, and returns access and refresh tokens in the response.\n            Information needed to contact the provider can be obtained by the UI using the Get*AuthenticationConfig APIs.\n            System administrators can update that configuration, as well as the associated secrets using the Update*AuthenticationConfig APIs.",
  "apis": [
    {
      "name": "IntermediateGoogleAuthentication",
      "httpMethod": "GET",
      "httpPathRegex": "^/sso/google/callback",
      "subPathPattern": "/sso/google/callback",
      "summary": "Receives the Google Ouath credentials from Google.  This is usually an intermediate callback that doesn't need to be called by the frontend when using the standard setup.",
      "parameters": [
        {
          "name": "code",
          "required": false,
          "type": "String",
          "description": "The authorization code received from Google after successful OAuth authentication."
        },
        {
          "name": "state",
          "required": false,
          "type": "String",
          "description": "The state passed through the OAuth process.  Defaults to all empty state."
        },
        {
          "name": "setTosRead",
          "required": false,
          "type": "Boolean",
          "description": "Whether or not to mark the terms of service as having been read/agreed to (which can also happen if it was previously set into <paramref name=\"state\" />).  Defaults to false."
        }
      ],
      "return": {
        "type": "RedirectResponse",
        "description": "A <see cref=\"T:AmbientServices.RedirectResponse\" /> containing the response"
      }
    },
    {
      "name": "IntermediateGoogleAuthentication",
      "httpMethod": "POST",
      "httpPathRegex": "^/sso/google/callback",
      "subPathPattern": "/sso/google/callback",
      "summary": "Receives the Google Ouath credentials from Google.  This is usually an intermediate callback that doesn't need to be called by the frontend when using the standard setup.",
      "parameters": [
        {
          "name": "code",
          "required": false,
          "type": "String",
          "description": "The authorization code received from Google after successful OAuth authentication."
        },
        {
          "name": "state",
          "required": false,
          "type": "String",
          "description": "The state passed through the OAuth process.  Defaults to all empty state."
        },
        {
          "name": "setTosRead",
          "required": false,
          "type": "Boolean",
          "description": "Whether or not to mark the terms of service as having been read/agreed to (which can also happen if it was previously set into <paramref name=\"state\" />).  Defaults to false."
        }
      ],
      "return": {
        "type": "RedirectResponse",
        "description": "A <see cref=\"T:AmbientServices.RedirectResponse\" /> containing the response"
      }
    },
    {
      "name": "IntermediateAppleAuthentication",
      "httpMethod": "GET",
      "httpPathRegex": "^/sso/apple/callback",
      "subPathPattern": "/sso/apple/callback",
      "summary": "Receives the Apple Ouath credentials from Apple.  This is usually an intermediate callback that doesn't need to be called by the frontend when using the standard setup.",
      "parameters": [
        {
          "name": "code",
          "required": false,
          "type": "String",
          "description": "The authorization code received from Apple after successful OAuth authentication."
        },
        {
          "name": "state",
          "required": false,
          "type": "String",
          "description": "The state passed through the OAuth process.  Defaults to all empty state."
        },
        {
          "name": "setTosRead",
          "required": false,
          "type": "Boolean",
          "description": "Whether or not to mark the terms of service as having been read/agreed to (which can also happen if it was previously set into <paramref name=\"state\" />).  Defaults to false."
        }
      ],
      "return": {
        "type": "RedirectResponse",
        "description": "A <see cref=\"T:AmbientServices.RedirectResponse\" /> containing the response"
      }
    },
    {
      "name": "IntermediateAppleAuthentication",
      "httpMethod": "POST",
      "httpPathRegex": "^/sso/apple/callback",
      "subPathPattern": "/sso/apple/callback",
      "summary": "Receives the Apple Ouath credentials from Apple.  This is usually an intermediate callback that doesn't need to be called by the frontend when using the standard setup.",
      "parameters": [
        {
          "name": "code",
          "required": false,
          "type": "String",
          "description": "The authorization code received from Apple after successful OAuth authentication."
        },
        {
          "name": "state",
          "required": false,
          "type": "String",
          "description": "The state passed through the OAuth process.  Defaults to all empty state."
        },
        {
          "name": "setTosRead",
          "required": false,
          "type": "Boolean",
          "description": "Whether or not to mark the terms of service as having been read/agreed to (which can also happen if it was previously set into <paramref name=\"state\" />).  Defaults to false."
        }
      ],
      "return": {
        "type": "RedirectResponse",
        "description": "A <see cref=\"T:AmbientServices.RedirectResponse\" /> containing the response"
      }
    },
    {
      "name": "ContinueGoogleAuthentication",
      "httpMethod": "POST",
      "httpPathRegex": "^/sso/google/jwt",
      "subPathPattern": "/sso/google/jwt",
      "summary": "Processes a JWT token received from Google, using that to complete the Google login process.",
      "parameters": [
        {
          "name": "jwtToken",
          "required": true,
          "type": "String",
          "description": "A JWT token received from Google, but not through the normal web UI flow (ie. possibly from the OS in an app)."
        },
        {
          "name": "allowAccountCreation",
          "required": false,
          "type": "Boolean",
          "description": "Whether or not to allow account creation if the Google user doesn't already have an account.  Defaults to true."
        },
        {
          "name": "audience",
          "required": false,
          "type": "String?",
          "description": "The audience the calling application, as configured in the Google developer console.  Defaults to the configured Client ID."
        },
        {
          "name": "setTosRead",
          "required": false,
          "type": "Boolean",
          "description": "Whether or not to mark the terms of service as having been read/agreed to.  Defaults to false."
        }
      ],
      "return": {
        "type": "ContinueGoogleAuthenticationResponse",
        "description": "A <see cref=\"T:PicMeApi.ContinueGoogleAuthenticationResponse\" /> containing the response"
      }
    },
    {
      "name": "UpdateGoogleAuthenticationConfig",
      "httpMethod": "PUT",
      "httpPathRegex": "^/config/google",
      "subPathPattern": "/config/google",
      "summary": "Updates the Google OAuth configuration.",
      "parameters": [
        {
          "name": "config",
          "required": true,
          "type": "GoogleAuthConfig",
          "description": "The <see cref=\"T:AmbientServices.GoogleAuthConfig\" /> to store."
        },
        {
          "name": "configName",
          "required": false,
          "type": "String?",
          "description": "The optional name of the SSO configuration to use for accessing the Google OAuth configuration and secrets.  Defaults to the standard Google OAuth configuration."
        }
      ],
      "return": {
        "type": "UpdateGoogleAuthenticationConfigResponse",
        "description": "A <see cref=\"T:PicMeApi.UpdateGoogleAuthenticationConfigResponse\" /> containing the response"
      }
    },
    {
      "name": "GetGoogleAuthenticationConfig",
      "httpMethod": "GET",
      "httpPathRegex": "^/config/google",
      "subPathPattern": "/config/google",
      "summary": "Gets the Google OAuth configuration needed by the client.\n            When <see cref=\"P:PicMeApi.GetGoogleAuthenticationConfigResponse.Available\" /> is false, the client should not display Google authentication.",
      "parameters": [
        {
          "name": "configName",
          "required": false,
          "type": "String?",
          "description": "The optional name of the SSO configuration to use for accessing the Google OAuth configuration and secrets.  Defaults to the standard Google OAuth configuration."
        }
      ],
      "return": {
        "type": "GetGoogleAuthenticationConfigResponse",
        "description": "A <see cref=\"T:PicMeApi.GetGoogleAuthenticationConfigResponse\" /> containing the response"
      }
    },
    {
      "name": "ContinueAppleAuthentication",
      "httpMethod": "POST",
      "httpPathRegex": "^/sso/apple/jwt",
      "subPathPattern": "/sso/apple/jwt",
      "summary": "Processes a JWT token received from Apple, using that to complete the Apple login process.",
      "parameters": [
        {
          "name": "jwtToken",
          "required": true,
          "type": "String",
          "description": "A JWT token received from Apple, but not through the normal web UI flow (ie. possibly from the OS in an app)."
        },
        {
          "name": "allowAccountCreation",
          "required": false,
          "type": "Boolean",
          "description": "Whether or not to allow account creation if the Apple user doesn't already have an account.  Defaults to true."
        },
        {
          "name": "audience",
          "required": false,
          "type": "String?",
          "description": "The audience the calling application, as configured in the Apple developer console.  Defaults to the configured Service ID."
        },
        {
          "name": "setTosRead",
          "required": false,
          "type": "Boolean",
          "description": "Whether or not to mark the terms of service as having been read/agreed to.  Defaults to false."
        }
      ],
      "return": {
        "type": "ContinueAppleAuthenticationResponse",
        "description": "A <see cref=\"T:PicMeApi.ContinueAppleAuthenticationResponse\" /> containing the response"
      }
    },
    {
      "name": "UpdateAppleAuthenticationConfig",
      "httpMethod": "PUT",
      "httpPathRegex": "^/config/apple",
      "subPathPattern": "/config/apple",
      "summary": "Updates the Apple OAuth configuration.",
      "parameters": [
        {
          "name": "config",
          "required": true,
          "type": "AppleAuthConfig",
          "description": "The <see cref=\"T:AmbientServices.AppleAuthConfig\" /> to store."
        },
        {
          "name": "configName",
          "required": false,
          "type": "String?",
          "description": "The optional name of the SSO configuration to use for accessing the Apple OAuth configuration and secrets.  Defaults to the standard Apple OAuth configuration."
        }
      ],
      "return": {
        "type": "UpdateAppleAuthenticationConfigResponse",
        "description": "A <see cref=\"T:PicMeApi.UpdateAppleAuthenticationConfigResponse\" /> containing the response"
      }
    },
    {
      "name": "GetAppleAuthenticationConfig",
      "httpMethod": "GET",
      "httpPathRegex": "^/config/apple",
      "subPathPattern": "/config/apple",
      "summary": "Gets the Apple OAuth configuration needed by the client.\n            When <see cref=\"P:PicMeApi.GetAppleAuthenticationConfigResponse.Available\" /> is false, the client should not display Apple authentication.",
      "parameters": [
        {
          "name": "configName",
          "required": false,
          "type": "String?",
          "description": "The optional name of the SSO configuration to use for accessing the Apple OAuth configuration and secrets.  Defaults to the standard Apple OAuth configuration."
        }
      ],
      "return": {
        "type": "GetAppleAuthenticationConfigResponse",
        "description": "A <see cref=\"T:PicMeApi.GetAppleAuthenticationConfigResponse\" /> containing the response"
      }
    },
    {
      "name": "StartGoogleAuthentication",
      "httpMethod": "GET",
      "httpPathRegex": "^/sso/google",
      "subPathPattern": "/sso/google",
      "summary": "Kicks off a Google OAuth login by redirecting to the Google OAuth login page.  \n            When the login is complete, the browser will be redirected back to the <see cref=\"T:AmbientServices.SsoAuthCallbackEndpoint\" /> corresponding to <paramref name=\"responseUriId\" />,\n            with the parameters \"access\", \"refresh\", \"type\", and \"expires\" appended to the query string.\n            If there is an error during the authentication process, the browser will be redirected back to the <see cref=\"T:AmbientServices.SsoAuthCallbackEndpoint\" /> corresponding to the \"Error:\" prefixed <paramref name=\"responseUriId\" /> if it exists, or the non-prefixed (success) endpoint if it does not exist.\n            Error conditions (to either endpoint) will have the parameters \"error\" and \"message\" appended to the query string.",
      "parameters": [
        {
          "name": "configName",
          "required": false,
          "type": "String?",
          "description": "The optional name of the SSO configuration to use for accessing the Google OAuth configuration and secrets.  Defaults to the standard Google OAuth configuration."
        },
        {
          "name": "responseUriId",
          "required": false,
          "type": "String",
          "description": "The endpoint ID of the respsonse (callback) URL as specified in the Google SSO configuration.  Defaults to empty string."
        },
        {
          "name": "setTosRead",
          "required": false,
          "type": "Boolean",
          "description": "Whether or not to mark the terms of service as having been read/agreed to.  Defaults to false."
        }
      ],
      "return": {
        "type": "RedirectResponse",
        "description": "A <see cref=\"T:AmbientServices.RedirectResponse\" /> containing the response"
      }
    },
    {
      "name": "StartAppleAuthentication",
      "httpMethod": "GET",
      "httpPathRegex": "^/sso/apple",
      "subPathPattern": "/sso/apple",
      "summary": "Kicks off a Apple OAuth login by redirecting to the Apple OAuth login page.  \n            When the login is complete, the browser will be redirected back to the <see cref=\"T:AmbientServices.SsoAuthCallbackEndpoint\" /> corresponding to <paramref name=\"responseUriId\" />,\n            with the parameters \"access\", \"refresh\", \"type\", and \"expires\" appended to the query string.\n            If there is an error during the authentication process, the browser will be redirected back to the <see cref=\"T:AmbientServices.SsoAuthCallbackEndpoint\" /> corresponding to the \"Error:\" prefixed <paramref name=\"responseUriId\" /> if it exists, or the non-prefixed (success) endpoint if it does not exist.\n            Error conditions (to either endpoint) will have the parameters \"error\" and \"message\" appended to the query string.",
      "parameters": [
        {
          "name": "configName",
          "required": false,
          "type": "String?",
          "description": "The optional name of the SSO configuration to use for accessing the Apple OAuth configuration and secrets.  Defaults to the standard Apple OAuth configuration."
        },
        {
          "name": "responseUriId",
          "required": false,
          "type": "String",
          "description": "The endpoint ID of the respsonse (callback) URL as specified in the Apple SSO configuration.  Defaults to empty string."
        },
        {
          "name": "setTosRead",
          "required": false,
          "type": "Boolean",
          "description": "Whether or not to mark the terms of service as having been read/agreed to.  Defaults to false."
        }
      ],
      "return": {
        "type": "RedirectResponse",
        "description": "A <see cref=\"T:AmbientServices.RedirectResponse\" /> containing the response"
      }
    }
  ],
  "types": [
    {
      "name": "RedirectResponse",
      "summary": "A special response type to use for an API that causes the framework code to respond with an HTTP redirect.\n            This type and the properties within it are never actually returned to callers.\n            The caller will recieve a standard HTTP redirect response with a 30? redirect code and a \"Location\" header containing the location this API has redirected you to.\n            May also be thrown internally for conditional redirection.",
      "description": "<pitch>Triggers an HTTP redirect response from a Lambda API function; may be thrown or returned from the handler.</pitch>\n<pledge>When thrown or returned inside a <c>Wrap</c> call, causes a 3xx redirect response with a Location header. <see cref=\"P:AmbientServices.RedirectResponse.Type\" /> should be a redirect-range HTTP status code.</pledge>",
      "type": "proxy",
      "representedBy": "HttpRedirect"
    },
    {
      "name": "HttpRedirect",
      "summary": "An HTTP response containing a redirect HTTP status response code and a \"Location\" header with a new location for the resource.",
      "description": "<pitch>Lightweight wire-schema type that <see cref=\"T:AmbientServices.RedirectResponse\" /> is documented as in API metadata, exposing only the new location.</pitch>",
      "type": "composite",
      "members": [
        {
          "name": "location",
          "type": "Uri",
          "summary": "The new location."
        }
      ]
    },
    {
      "name": "ContinueGoogleAuthenticationResponse",
      "summary": "A record containing the response from <see cref=\"M:PicMeApi.SsoApis.ContinueGoogleAuthentication(AmbientServices.Auth,AmbientServices.Database,AmbientServices.ExternalEncryptionKeyManager,System.Uri,System.String,System.Boolean,System.String,System.Boolean,System.Net.IPAddress,System.String)\" />.",
      "type": "composite",
      "members": [
        {
          "name": "successfulAuthentication",
          "type": "AuthenticationComplete?",
          "summary": "A <see cref=\"T:AmbientServices.AuthenticationComplete\" /> object with information related to a successful authentication."
        },
        {
          "name": "moreAuthenticationRequired",
          "type": "MoreAuthenticationRequired?",
          "summary": "A <see cref=\"P:PicMeApi.ContinueGoogleAuthenticationResponse.MoreAuthenticationRequired\" /> object with information indicating that more steps are needed to complete authentication."
        }
      ]
    },
    {
      "name": "MoreAuthenticationRequired",
      "summary": "A record whose presence indicates that the user will need to do something else to continue with authentication.\n            Each type contains a ContinueWith*** typed token that should be round-tripped through to a ContinueWith*** API along with the additional information that is specific to the type of extra information needed (new password, MFA code, etc.).",
      "description": "<pitch>Partial authentication result: login cannot complete yet because a further step is required (new password, MFA code, or certificate challenge); exactly one non-null property tells the caller which continuation endpoint to call.</pitch>",
      "type": "composite",
      "members": [
        {
          "name": "newPasswordRequired",
          "type": "CollectNewPassword?",
          "summary": "A <see cref=\"T:AmbientServices.CollectNewPassword\" /> containing information needed to set a new password."
        },
        {
          "name": "continueWithMfa",
          "type": "ContinueWithMfa?",
          "summary": "A <see cref=\"T:AmbientServices.ContinueWithMfa\" /> containing information needed to finish authenticating with multi-factor authentication."
        },
        {
          "name": "continueWithSigningChallenge",
          "type": "ContinueWithSigningChallenge?",
          "summary": "A <see cref=\"T:AmbientServices.ContinueWithSigningChallenge\" /> containing information needed to finish authenticating using certificate signing."
        }
      ]
    },
    {
      "name": "ContinueWithSigningChallenge",
      "summary": "A record containing data needed to complete login with multi-factor authentication, using either email or an authenticator app.",
      "description": "<pitch>Carries the server-generated nonce that must be cryptographically signed with the client certificate and returned to complete certificate-based authentication.</pitch>",
      "type": "composite",
      "members": [
        {
          "name": "nonce",
          "type": "String",
          "summary": "A random one-time use string that the caller must sign with the certificate and return in an authentication continuation API call."
        }
      ]
    },
    {
      "name": "ContinueWithMfa",
      "summary": "A record containing data needed to complete login with multi-factor authentication, using either email or an authenticator app.",
      "description": "<pitch>Carries the signed MFA continuation token that must be round-tripped to the MFA continuation endpoint along with the OTP code.</pitch>",
      "type": "composite",
      "members": [
        {
          "name": "token",
          "type": "SignedSecurityToken",
          "summary": "A <see cref=\"T:AmbientServices.SignedSecurityToken\" /> that contains the signed MFA security token."
        }
      ]
    },
    {
      "name": "SignedSecurityToken",
      "summary": "A struct that holds a PicMe collection sharing authorization code.",
      "description": "<pitch>Strongly-typed wrapper for a signed security token string, preventing accidental misuse of raw strings in authorization paths that expect a cryptographically signed value.</pitch>\n<pledge>Value type with transparent JSON serialization via <see cref=\"T:AmbientServices.SignedSecurityTokenJsonConverter\" />. Construct via <see cref=\"M:AmbientServices.SignedSecurityToken.FromRaw(System.String,System.Nullable{System.Int64})\" />; no validation is performed at construction—callers are responsible for verifying the token before trusting it.</pledge>\n<plan>Thin wrapper over a <c>string</c> with an optional runtime-only <see cref=\"P:AmbientServices.SignedSecurityToken.KeyHash\" /> for diagnosing key-mismatch issues without exposing key material. <see cref=\"T:AmbientServices.ProxyTypeAttribute\" /> marks it as a string proxy for parameter binding.</plan>",
      "type": "proxy",
      "representedBy": "String"
    },
    {
      "name": "CollectNewPassword",
      "summary": "A record containing data needed to set a new password.",
      "description": "<pitch>Carries the opaque <see cref=\"T:AmbientServices.NewPasswordChallengeToken\" /> returned when authentication requires a password change before proceeding.</pitch>",
      "type": "composite",
      "members": [
        {
          "name": "token",
          "type": "NewPasswordChallengeToken",
          "summary": "A <see cref=\"T:AmbientServices.NewPasswordChallengeToken\" /> that can be used to set a new password."
        }
      ]
    },
    {
      "name": "NewPasswordChallengeToken",
      "summary": "A struct that holds a password challenge token.",
      "description": "<pitch>Opaque token returned when an authentication step requires the user to set a new password; carries session and username context encoded as a URL-safe string for safe round-tripping.</pitch>",
      "type": "proxy",
      "representedBy": "String"
    },
    {
      "name": "AuthenticationComplete",
      "summary": "A record containing the response to a request to authenticate or refresh authentication.",
      "description": "<pitch>Successful authentication result bundling tokens, user data, and optional organization membership into one value returned by login and SSO endpoints.</pitch>",
      "type": "composite",
      "members": [
        {
          "name": "authenticated",
          "type": "UserAuthenticated",
          "summary": "A <see cref=\"T:AmbientServices.UserAuthenticated\" /> object containing authentication information."
        },
        {
          "name": "authenticatedUser",
          "type": "UserData",
          "summary": "<see cref=\"T:AmbientServices.UserData\" /> for the authenticated user."
        },
        {
          "name": "organizationMembership",
          "type": "OrganizationMembership?",
          "summary": "An <see cref=\"T:AmbientServices.OrganizationMembership\" /> containing the user's organizational membership status, or null if not populated."
        }
      ]
    },
    {
      "name": "OrganizationMembership",
      "summary": "A record containing organizational membership information for an authenticated user.",
      "description": "<pitch>Optionally included in <see cref=\"T:AmbientServices.AuthenticationComplete\" /> to indicate whether the authenticated user belongs to an organizer's account.</pitch>",
      "type": "composite",
      "members": [
        {
          "name": "organizerId",
          "type": "UserId?",
          "summary": "The <see cref=\"T:AmbientServices.UserId\" /> of the organizing user this user belongs to, or null if the user is not a member of any organization."
        }
      ]
    },
    {
      "name": "UserId",
      "summary": "A struct that holds a user identifier.",
      "description": "<pitch>Compact, URL-safe user identifier; use as the key for user-scoped database records and as a <see cref=\"T:AmbientServices.DataScope\" /> to partition records per-user.</pitch>\n<pledge>May not contain slashes or backslashes; <see cref=\"P:AmbientServices.UserId.Anonymous\" /> is the empty-string sentinel for unauthenticated users; <see cref=\"M:AmbientServices.UserId.New\" /> generates a globally unique ID from <see cref=\"T:AmbientServices.GenericIdentifier\" />.</pledge>",
      "type": "proxy",
      "representedBy": "String"
    },
    {
      "name": "UserData",
      "summary": "A record containing a selective copy of information about a user.",
      "description": "<pitch>Lightweight public-facing user snapshot returned by APIs; contains only the fields safe to expose externally, without audit history or credentials.</pitch>\n<pledge>All fields reflect the state at read time; <see cref=\"P:AmbientServices.UserData.EmailVerified\" />, <see cref=\"P:AmbientServices.UserData.PhoneNumberVerified\" />, and <see cref=\"P:AmbientServices.UserData.TermsOfServiceRead\" /> are boolean summaries derived from the underlying nullable DateTime fields on <see cref=\"T:AmbientServices.UserAccount\" />.</pledge>",
      "type": "composite",
      "members": [
        {
          "name": "userId",
          "type": "UserId",
          "summary": "The user's <see cref=\"P:AmbientServices.UserData.UserId\" />, which uniquely identifies this user account."
        },
        {
          "name": "userGlobalId",
          "type": "RecordGlobalId",
          "summary": "A <see cref=\"T:AmbientServices.RecordGlobalId\" /> that can be used to generically identify the user record."
        },
        {
          "name": "email",
          "type": "String",
          "summary": "A possibly-empty email address for the user."
        },
        {
          "name": "name",
          "type": "String",
          "summary": "A possibly-empty name (firstname/lastname) for the user."
        },
        {
          "name": "phoneNumber",
          "type": "String",
          "summary": "A possibly-empty phone number for the user."
        },
        {
          "name": "emailVerified",
          "type": "Boolean",
          "summary": "Whether or not the email address has been verified."
        },
        {
          "name": "phoneNumberVerified",
          "type": "Boolean",
          "summary": "Whether or not the phone number has been verified."
        },
        {
          "name": "termsOfServiceRead",
          "type": "Boolean",
          "summary": "Whether or not the terms of service have been read and agreed to."
        },
        {
          "name": "isRegistered",
          "type": "Boolean",
          "summary": "Whether or not the user is \"registered\"."
        },
        {
          "name": "externalIds",
          "type": "ExternalEntityIdentifier[]?",
          "summary": "An optional array of <see cref=\"T:AmbientServices.ExternalEntityIdentifier\" /> identifying this user account in external systems."
        }
      ]
    },
    {
      "name": "ExternalEntityIdentifier",
      "summary": "A record that contains an external system identifier and an identifier for a specific item in that system.",
      "description": "<pitch>Opaque cross-system reference pairing a system name (e.g. \"com.facebook\") with a system-specific item ID; used to link database records to their counterparts in external platforms.</pitch>",
      "type": "composite",
      "members": [
        {
          "name": "externalSystemId",
          "type": "String",
          "summary": "A string that uniquely identifies an external system, often a reverse domain name like 'com.facebook' or 'com.venmo'."
        },
        {
          "name": "externalItemId",
          "type": "String",
          "summary": "A string that uniquely identifies an item in that external system."
        }
      ]
    },
    {
      "name": "RecordGlobalId",
      "summary": "A structured replacement for <see cref=\"T:AmbientServices.RecordIdentifier\" /> that contains the same data, a type-qualified and parent-qualified global identifier for a database record.\n            Records may be children of other records, and this identifier contains the path to the parent in addition to the path to the child record.\n            An example of a record that is a child of another record is an upload within a collection.",
      "description": "<pitch>Structured, three-part form of a globally unique database record key (scope + type + local ID); preferred over flat <see cref=\"T:AmbientServices.RecordIdentifier\" /> when individual parts are needed.</pitch>\n<pledge>Default (all-empty) is <see cref=\"P:AmbientServices.RecordGlobalId.Empty\" />; <see cref=\"M:AmbientServices.RecordGlobalId.AsScope\" /> converts this ID into a parent scope for child records; <see cref=\"P:AmbientServices.RecordGlobalId.Raw\" /> and <see cref=\"P:AmbientServices.RecordGlobalId.AsS3PathSegment\" /> provide encoded string forms for file-system paths.</pledge>",
      "type": "proxy",
      "representedBy": "String"
    },
    {
      "name": "UserAuthenticated",
      "summary": "A record containing authentication information.",
      "description": "<pitch>Returned by authentication and token-refresh endpoints; carries all tokens, type, expiry, and server time needed to start an authenticated session.</pitch>",
      "type": "composite",
      "members": [
        {
          "name": "accessToken",
          "type": "SignedSecurityToken",
          "summary": "The temporary access token."
        },
        {
          "name": "tokenType",
          "type": "String",
          "summary": "The token type.  Currently always \"Bearer\"."
        },
        {
          "name": "refreshToken",
          "type": "SignedSecurityToken",
          "summary": "The more long-term refresh token.  For guest accounts, there is no account password, so this is a permanent token stored in the app, or in the browser data."
        },
        {
          "name": "expiresInSeconds",
          "type": "Int32",
          "summary": "The number of seconds that <paramref name=\"AccessToken\" /> will last before needing to be refreshed."
        },
        {
          "name": "serverTime",
          "type": "DateTime",
          "summary": "The server time in case there is a discrepancy with the client."
        }
      ]
    },
    {
      "name": "GoogleAuthConfig",
      "summary": "A record containing Google-specific authentication configuration.",
      "description": "<pitch>Holds all settings required to run Google Sign-In: client credentials, endpoint overrides for testing, project ID, and the list of post-auth redirect endpoints.</pitch>",
      "type": "composite",
      "members": [
        {
          "name": "googleLoginEndpoint",
          "type": "String?",
          "summary": "The Google login endpoint URL."
        },
        {
          "name": "googleTokenExchangeEndpoint",
          "type": "String?",
          "summary": "The URL to exchange a Google authentication code for a JWT."
        },
        {
          "name": "googleJwtValidationEndpoint",
          "type": "String?",
          "summary": "The URL used to validate the Google JWT."
        },
        {
          "name": "googleClientId",
          "type": "String",
          "summary": "The Google Client ID."
        },
        {
          "name": "googleClientSecret",
          "type": "String",
          "summary": "The Google Client Secret."
        },
        {
          "name": "googleProjectId",
          "type": "String?",
          "summary": "The Google Project ID."
        },
        {
          "name": "endpoints",
          "type": "SsoAuthCallbackEndpoint[]",
          "summary": "The array of <see cref=\"T:AmbientServices.SsoAuthCallbackEndpoint\" />s to use for callback endpoints."
        }
      ]
    },
    {
      "name": "SsoAuthCallbackEndpoint",
      "summary": "A record containing an auth callback endpoint and the corresonding redirect URL.",
      "description": "<pitch>Names a redirect target for SSO success or error callbacks; the endpoint ID is matched at OAuth flow initiation to pick the correct post-authentication destination URI.</pitch>",
      "type": "composite",
      "members": [
        {
          "name": "endpointId",
          "type": "String",
          "summary": "A string that uniquely identifies this endpoint.  The empty string endpoint is the default.  Endpoints should come in pairs with an \"Error:\" prefix for the corresponding error endpoint (\"Error:\" by itself is the default error endpoint)."
        },
        {
          "name": "endpointUri",
          "type": "String",
          "summary": "The URI to redirect to when this endpoint's name is specified at the start of the SSO login process.  The URI may contain {access}, {refresh}, {code}, {message}, {type}, {expires}, and/or {requestErrorId} either in the path or query string to indicate where it is desired."
        }
      ]
    },
    {
      "name": "UpdateGoogleAuthenticationConfigResponse",
      "summary": "A record containing the response to a request to set the Google authentication configuration."
    },
    {
      "name": "GetGoogleAuthenticationConfigResponse",
      "summary": "A record containing the response to a request to get the Google authentication configuration.",
      "type": "composite",
      "members": [
        {
          "name": "available",
          "type": "Boolean",
          "summary": "Whether Google SSO is configured and enabled for this request."
        },
        {
          "name": "googleClientId",
          "type": "String?",
          "summary": "The Google Client ID the client should use for Google OuAth SSO, or null when <paramref name=\"Available\" /> is false."
        },
        {
          "name": "endpoints",
          "type": "SsoAuthCallbackEndpoint[]?",
          "summary": "The named <see cref=\"T:System.Uri\" />s that should be redirected to on completion, or null when <paramref name=\"Available\" /> is false."
        }
      ]
    },
    {
      "name": "ContinueAppleAuthenticationResponse",
      "summary": "A record containing the response from <see cref=\"M:PicMeApi.SsoApis.ContinueAppleAuthentication(AmbientServices.Auth,AmbientServices.Database,AmbientServices.ExternalEncryptionKeyManager,System.Uri,System.String,System.Boolean,System.String,System.Boolean,System.Net.IPAddress,System.String)\" />.",
      "type": "composite",
      "members": [
        {
          "name": "successfulAuthentication",
          "type": "AuthenticationComplete?",
          "summary": "A <see cref=\"T:AmbientServices.AuthenticationComplete\" /> object with information related to a successful authentication."
        },
        {
          "name": "moreAuthenticationRequired",
          "type": "MoreAuthenticationRequired?",
          "summary": "A <see cref=\"P:PicMeApi.ContinueAppleAuthenticationResponse.MoreAuthenticationRequired\" /> object with information indicating that more steps are needed to complete authentication."
        }
      ]
    },
    {
      "name": "AppleAuthConfig",
      "summary": "A record containing Apple-specific authentication configuration.",
      "description": "<pitch>Stores the complete set of Apple OAuth credentials and endpoint overrides needed to instantiate an <see cref=\"T:AmbientServices.AppleAuth\" />; persisted encrypted via <see cref=\"T:AmbientServices.ExternalEncryptionKeyManager\" />.</pitch>",
      "type": "composite",
      "members": [
        {
          "name": "appleLoginEndpoint",
          "type": "String?",
          "summary": "The Apple login endpoint."
        },
        {
          "name": "appleTokenExchangeEndpoint",
          "type": "String?",
          "summary": "The Apple code exchange endpoint."
        },
        {
          "name": "appleJwtValidationEndpoint",
          "type": "String?",
          "summary": "The Apple JWT validation endpoint."
        },
        {
          "name": "appleServiceId",
          "type": "String",
          "summary": "The Apple service ID."
        },
        {
          "name": "appleTeamId",
          "type": "String",
          "summary": "The Apple team ID."
        },
        {
          "name": "appleKeyId",
          "type": "String",
          "summary": "The Apple key ID."
        },
        {
          "name": "appleKey",
          "type": "String",
          "summary": "The Apple key."
        },
        {
          "name": "endpoints",
          "type": "SsoAuthCallbackEndpoint[]",
          "summary": "The list of <see cref=\"T:AmbientServices.SsoAuthCallbackEndpoint\" />s to use for Apple SSO."
        }
      ]
    },
    {
      "name": "UpdateAppleAuthenticationConfigResponse",
      "summary": "A record containing the response to a request to set the Apple authentication configuration."
    },
    {
      "name": "GetAppleAuthenticationConfigResponse",
      "summary": "A record containing the response to a request to get the Apple authentication configuration.",
      "type": "composite",
      "members": [
        {
          "name": "available",
          "type": "Boolean",
          "summary": "Whether Apple web SSO is configured, enabled, and supported for this request."
        },
        {
          "name": "appleServiceId",
          "type": "String?",
          "summary": "The Apple Service ID the client should use for Apple OAth SSO, or null when <paramref name=\"Available\" /> is false."
        },
        {
          "name": "endpoints",
          "type": "SsoAuthCallbackEndpoint[]?",
          "summary": "The named <see cref=\"T:System.Uri\" />s that should be redirected to on completion, or null when <paramref name=\"Available\" /> is false."
        }
      ]
    }
  ]
}