Stytch · Arazzo Workflow

Stytch B2B TOTP Authenticator Enrollment

Version 1.0.0

Register a TOTP authenticator for a member and authenticate the first code.

1 workflow 1 source API 1 provider
Tags: Authentication, Identity, Passwordless, Security, B2B, Connected Apps, MCP, AI Agents, Developer Tools, Arazzo, Workflows

Provider

stytch

Workflows

totp-enrollment
Create a member TOTP registration and authenticate the first code.
Generates a TOTP secret and QR code for a member, then verifies the first authenticator code to complete enrollment and mint a member session.
2 steps
Inputs: code, member_id, organization_id, session_duration_minutes
Outputs: memberId, sessionToken, totpRegistrationId

1. createTotp (api_b2b_totp_v1_Create)
   Create a TOTP registration for the member, returning the shared secret, QR code, and recovery codes for the authenticator app to scan.
2. authenticateTotp (api_b2b_totp_v1_Authenticate)
   Authenticate the first TOTP code generated by the member's authenticator app to complete enrollment and mint a member session.
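
Added example (not part of the Stytch spec or this page's original content): how the `code` input of step 2 is derived from the `secret` output of step 1, and why the createTotp step outputs should be redacted before logging. It assumes the secret is base32 and that the authenticator uses the common RFC 6238 defaults (HMAC-SHA-1, 30-second period, 6 digits); the ids, the helper names and the sample data are constructed placeholders.

```python
import base64
import hashlib
import hmac
import struct

def totp(secret_b32: str, at: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA-1) for the Unix time `at`."""
    # Authenticator apps accept unpadded, lower-case or space-grouped base32.
    cleaned = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = struct.pack(">Q", at // period)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def authenticate_payload(inputs: dict, create_outputs: dict, at: int) -> dict:
    """Build the authenticateTotp request body from the createTotp outputs."""
    payload = {
        "organization_id": inputs["organization_id"],
        "member_id": inputs["member_id"],
        "code": totp(create_outputs["secret"], at),
    }
    # Design choice of this example: omit the optional field instead of sending null.
    if inputs.get("session_duration_minutes") is not None:
        payload["session_duration_minutes"] = inputs["session_duration_minutes"]
    return payload

def redact(create_outputs: dict) -> dict:
    """Copy of the createTotp outputs that is safe to write to logs."""
    # The QR code embeds the secret, and recovery codes bypass the authenticator.
    sensitive = {"secret", "qrCode", "recoveryCodes"}
    return {k: "[redacted]" if k in sensitive else v for k, v in create_outputs.items()}

# Constructed sample data: placeholder ids; the secret is the RFC 6238 test key.
SAMPLE_INPUTS = {"organization_id": "organization-PLACEHOLDER", "member_id": "member-PLACEHOLDER"}
SAMPLE_CREATE_OUTPUTS = {
    "totpRegistrationId": "totp-registration-PLACEHOLDER",
    "secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
    "qrCode": "data:image/png;base64,PLACEHOLDER",
    "recoveryCodes": ["PLACEHOLDER-1", "PLACEHOLDER-2"],
}

if __name__ == "__main__":
    print(authenticate_payload(SAMPLE_INPUTS, SAMPLE_CREATE_OUTPUTS, at=59))
    print(redact(SAMPLE_CREATE_OUTPUTS))
```

Anyone who holds the `secret`, the QR code or a recovery code can pass step 2 for that member, which is why the workflow-level outputs expose only totpRegistrationId, memberId and sessionToken.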

Source API Descriptions

Arazzo Workflow Specification

stytch-b2b-totp-enrollment-workflow.yml
arazzo: 1.0.1
info:
  title: Stytch B2B TOTP Authenticator Enrollment
  summary: Register a TOTP authenticator for a member and authenticate the first code.
  description: >-
    An authenticator-app (TOTP) enrollment flow for B2B members. The workflow
    creates a TOTP registration for a member of an organization, returning the
    secret and QR code for their authenticator app to scan, and then
    authenticates the first generated code to complete enrollment and produce a
    member session. Every step spells out its request inline so the flow can be
    read and executed without opening the underlying OpenAPI description. All
    calls authenticate with HTTP Basic auth using your Stytch project_id as the
    username and secret as the password.
  version: 1.0.0
sourceDescriptions:
- name: stytchB2bApi
  url: ../openapi/stytch-b2b-openapi.yml
  type: openapi
workflows:
- workflowId: totp-enrollment
  summary: Create a member TOTP registration and authenticate the first code.
  description: >-
    Generates a TOTP secret and QR code for a member, then verifies the first
    authenticator code to complete enrollment and mint a member session.
  inputs:
    type: object
    required:
    - organization_id
    - member_id
    - code
    properties:
      organization_id:
        type: string
        description: The id of the organization the member belongs to.
      member_id:
        type: string
        description: The id of the member enrolling into TOTP.
      code:
        type: string
        description: The first TOTP code generated by the member's authenticator app.
      session_duration_minutes:
        type: integer
        description: Optional session lifetime in minutes for the member session.
  steps:
  - stepId: createTotp
    description: >-
      Create a TOTP registration for the member, returning the shared secret, QR
      code, and recovery codes for the authenticator app to scan.
    operationId: api_b2b_totp_v1_Create
    requestBody:
      contentType: application/json
      payload:
        organization_id: $inputs.organization_id
        member_id: $inputs.member_id
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      totpRegistrationId: $response.body#/totp_registration_id
      secret: $response.body#/secret
      qrCode: $response.body#/qr_code
      recoveryCodes: $response.body#/recovery_codes
  - stepId: authenticateTotp
    description: >-
      Authenticate the first TOTP code generated by the member's authenticator
      app to complete enrollment and mint a member session.
    operationId: api_b2b_totp_v1_Authenticate
    requestBody:
      contentType: application/json
      payload:
        organization_id: $inputs.organization_id
        member_id: $inputs.member_id
        code: $inputs.code
        session_duration_minutes: $inputs.session_duration_minutes
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      memberId: $response.body#/member_id
      sessionToken: $response.body#/session_token
  outputs:
    totpRegistrationId: $steps.createTotp.outputs.totpRegistrationId
    memberId: $steps.authenticateTotp.outputs.memberId
    sessionToken: $steps.authenticateTotp.outputs.sessionToken