diff --git a/.stats.yml b/.stats.yml
index e7699746..7915e042 100644
--- a/.stats.yml
+++ b/.stats.yml
@@ -1,4 +1,4 @@
 configured_endpoints: 112
-openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/kernel/kernel-7d2d29d7598105d50e5118e0bc5ac654361a92cb95555705dbd1d236848e1456.yml
-openapi_spec_hash: 10002eae793e08f81932239bbc72b503
+openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/kernel/kernel-a33e59aa1758ba51f13538838ecd70b0a23ed69739b3022e8c2ce0622e42b904.yml
+openapi_spec_hash: c042d2f6880c927be09aa9fa79d7241e
 config_hash: 08d55086449943a8fec212b870061a3f
diff --git a/src/resources/auth/connections.ts b/src/resources/auth/connections.ts
index d5815819..55e2e843 100644
--- a/src/resources/auth/connections.ts
+++ b/src/resources/auth/connections.ts
@@ -212,6 +212,12 @@ export interface ManagedAuth {
    */
   profile_name: string;
 
+  /**
+   * Whether to record browser session replays for this connection by default. Useful
+   * for debugging login flows. Can be overridden per-login.
+   */
+  record_session: boolean;
+
   /**
    * Whether credentials are saved after every successful login. One-time codes
    * (TOTP, SMS, etc.) are not saved.
@@ -272,7 +278,8 @@ export interface ManagedAuth {
   credential?: ManagedAuth.Credential;
 
   /**
-   * Fields awaiting input (present when flow_step=awaiting_input)
+   * Fields awaiting input (present when flow_step=awaiting_input; may also be
+   * present with awaiting_external_action as fallback actions)
    */
   discovered_fields?: Array<ManagedAuth.DiscoveredField> | null;
 
@@ -362,13 +369,14 @@ export interface ManagedAuth {
   login_url?: string;
 
   /**
-   * MFA method options (present when flow_step=awaiting_input and MFA selection
-   * required)
+   * MFA method options (present when flow_step=awaiting_input; may also be present
+   * with awaiting_external_action as fallback actions)
    */
   mfa_options?: Array<ManagedAuth.MfaOption> | null;
 
   /**
-   * SSO buttons available (present when flow_step=awaiting_input)
+   * SSO buttons available (present when flow_step=awaiting_input; may also be
+   * present with awaiting_external_action as fallback actions)
    */
   pending_sso_buttons?: Array<ManagedAuth.PendingSSOButton> | null;
 
@@ -384,7 +392,8 @@ export interface ManagedAuth {
 
   /**
    * Non-MFA choices presented during the auth flow, such as account selection or org
-   * pickers (present when flow_step=awaiting_input).
+   * pickers (present when flow_step=awaiting_input; may also be present with
+   * awaiting_external_action as fallback actions).
    */
   sign_in_options?: Array<ManagedAuth.SignInOption> | null;
 
@@ -611,6 +620,12 @@ export interface ManagedAuthCreateRequest {
    */
   proxy?: ManagedAuthCreateRequest.Proxy;
 
+  /**
+   * Whether to record browser sessions for this connection by default. Useful for
+   * debugging. Can be overridden per-login. Defaults to false.
+   */
+  record_session?: boolean;
+
   /**
    * Whether to save credentials after every successful login. Defaults to true.
    * One-time codes (TOTP, SMS, etc.) are not saved.
@@ -699,6 +714,11 @@ export interface ManagedAuthUpdateRequest {
    */
   proxy?: ManagedAuthUpdateRequest.Proxy;
 
+  /**
+   * Whether to record browser sessions for this connection by default
+   */
+  record_session?: boolean;
+
   /**
    * Whether to save credentials after every successful login
    */
@@ -830,7 +850,8 @@ export namespace ConnectionFollowResponse {
     timestamp: string;
 
     /**
-     * Fields awaiting input (present when flow_step=AWAITING_INPUT).
+     * Fields awaiting input (present when flow_step=AWAITING_INPUT; may also be
+     * present with AWAITING_EXTERNAL_ACTION as fallback actions).
      */
     discovered_fields?: Array<ManagedAuthStateEvent.DiscoveredField>;
 
@@ -866,13 +887,14 @@ export namespace ConnectionFollowResponse {
     live_view_url?: string;
 
     /**
-     * MFA method options (present when flow_step=AWAITING_INPUT and MFA selection
-     * required).
+     * MFA method options (present when flow_step=AWAITING_INPUT; may also be present
+     * with AWAITING_EXTERNAL_ACTION as fallback actions).
      */
     mfa_options?: Array<ManagedAuthStateEvent.MfaOption>;
 
     /**
-     * SSO buttons available (present when flow_step=AWAITING_INPUT).
+     * SSO buttons available (present when flow_step=AWAITING_INPUT; may also be
+     * present with AWAITING_EXTERNAL_ACTION as fallback actions).
      */
     pending_sso_buttons?: Array<ManagedAuthStateEvent.PendingSSOButton>;
 
@@ -883,7 +905,8 @@ export namespace ConnectionFollowResponse {
 
     /**
      * Non-MFA choices presented during the auth flow, such as account selection or org
-     * pickers (present when flow_step=AWAITING_INPUT).
+     * pickers (present when flow_step=AWAITING_INPUT; may also be present with
+     * AWAITING_EXTERNAL_ACTION as fallback actions).
      */
     sign_in_options?: Array<ManagedAuthStateEvent.SignInOption>;
 
@@ -1074,6 +1097,12 @@ export interface ConnectionCreateParams {
    */
   proxy?: ConnectionCreateParams.Proxy;
 
+  /**
+   * Whether to record browser sessions for this connection by default. Useful for
+   * debugging. Can be overridden per-login. Defaults to false.
+   */
+  record_session?: boolean;
+
   /**
    * Whether to save credentials after every successful login. Defaults to true.
    * One-time codes (TOTP, SMS, etc.) are not saved.
@@ -1159,6 +1188,11 @@ export interface ConnectionUpdateParams {
    */
   proxy?: ConnectionUpdateParams.Proxy;
 
+  /**
+   * Whether to record browser sessions for this connection by default
+   */
+  record_session?: boolean;
+
   /**
    * Whether to save credentials after every successful login
    */
@@ -1230,6 +1264,12 @@ export interface ConnectionLoginParams {
    * caller's org.
    */
   proxy?: ConnectionLoginParams.Proxy;
+
+  /**
+   * Override the connection's default for recording this login's browser session.
+   * When omitted, the connection's record_session default is used.
+   */
+  record_session?: boolean;
 }
 
 export namespace ConnectionLoginParams {
diff --git a/tests/api-resources/auth/connections.test.ts b/tests/api-resources/auth/connections.test.ts
index 1d08c5c0..675c3620 100644
--- a/tests/api-resources/auth/connections.test.ts
+++ b/tests/api-resources/auth/connections.test.ts
@@ -38,6 +38,7 @@ describe('resource connections', () => {
       health_check_interval: 3600,
       login_url: 'https://netflix.com/login',
       proxy: { id: 'id', name: 'name' },
+      record_session: false,
       save_credentials: true,
     });
   });
@@ -136,7 +137,10 @@ describe('resource connections', () => {
     await expect(
       client.auth.connections.login(
         'id',
-        { proxy: { id: 'id', name: 'name' } },
+        {
+          proxy: { id: 'id', name: 'name' },
+          record_session: true,
+        },
         { path: '/_stainless_unknown_path' },
       ),
     ).rejects.toThrow(Kernel.NotFoundError);