@cubist-labs/cubesigner-sdk 0.1.26 → 0.1.77

package/src/schema.ts

@@ -4,20 +4,16 @@
  */
 
 
-/** OneOf type helpers */
-type Without<T, U> = { [P in Exclude<keyof T, keyof U>]?: never };
-type XOR<T, U> = (T | U) extends object ? (Without<T, U> & U) | (Without<U, T> & T) : T | U;
-type OneOf<T extends any[]> = T extends [infer Only] ? Only : T extends [infer A, infer B, ...infer Rest] ? OneOf<[XOR<A, B>, ...Rest]> : never;
-
 export interface paths {
   "/v0/about_me": {
     /**
      * User Info
+     * @deprecated
      * @description User Info
      *
      * Retrieves information about the current user.
      */
-    get: operations["aboutMe"];
+    get: operations["aboutMeLegacy"];
   };
   "/v0/org/{org_id}": {
     /**
@@ -35,6 +31,16 @@ export interface paths {
      */
     patch: operations["updateOrg"];
   };
+  "/v0/org/{org_id}/ava/sign/{pubkey}": {
+    /**
+     * Sign Avalanche X- or P-Chain Message
+     * @description Sign Avalanche X- or P-Chain Message
+     *
+     * Signs an Avalanche message with a given SecpAva key.
+     * This is a pre-release feature.
+     */
+    post: operations["avaSign"];
+  };
   "/v0/org/{org_id}/btc/sign/{pubkey}": {
     /**
      * Sign Bitcoin Transaction
@@ -45,6 +51,66 @@ export interface paths {
      */
     post: operations["btcSign"];
   };
+  "/v0/org/{org_id}/derive_key": {
+    /**
+     * Derive Key From Long-Lived Mnemonic
+     * @description Derive Key From Long-Lived Mnemonic
+     *
+     * Derives a key of a specified type using a supplied derivation path and an
+     * existing long-lived mnemonic.
+     */
+    put: operations["deriveKey"];
+  };
+  "/v0/org/{org_id}/evm/eip712/sign/{pubkey}": {
+    /**
+     * Sign EIP-712 Typed Data
+     * @description Sign EIP-712 Typed Data
+     *
+     * Signs typed data according to EIP-712 with a given Secp256k1 key.
+     */
+    post: operations["eip712Sign"];
+  };
+  "/v0/org/{org_id}/identity/prove": {
+    /**
+     * Create [IdentityProof] from CubeSigner user session
+     * @description Create [IdentityProof] from CubeSigner user session
+     *
+     * This route can be used to prove to another party that a user has a
+     * valid CubeSigner session.
+     *
+     * Clients are intended to call this route and pass the returned evidence
+     * to another service which will verify it by making a request to `/v0/org/<org_id>/identity/verify`.
+     */
+    post: operations["createProofCubeSigner"];
+  };
+  "/v0/org/{org_id}/identity/prove/oidc": {
+    /**
+     * Create [IdentityProof] from OIDC token
+     * @description Create [IdentityProof] from OIDC token
+     *
+     * Exchange an OIDC ID token (passed via the `Authorization` header) for a proof of authentication.
+     *
+     * This route can be used to prove to another party that a user has met the
+     * authentication requirements (allowed issuers & audiences) for CubeSigner
+     * without leaking their credentials.
+     *
+     * Clients are intended to call this route and pass the returned evidence to another service
+     * which will verify it by making a request to `/v0/org/<org_id>/identity/verify`.
+     */
+    post: operations["createProofOidc"];
+  };
+  "/v0/org/{org_id}/identity/verify": {
+    /**
+     * Verify identity proof
+     * @description Verify identity proof
+     *
+     * Allows a third-party to validate proof of authentication.
+     *
+     * When a third-party is provided an [IdentityProof] object, they must check its
+     * veracity by calling this endpoint
+     */
+    post: operations["verifyProof"];
+  };
   "/v0/org/{org_id}/import_key": {
     /**
      * Create Key-Import Key
@@ -78,31 +144,14 @@ export interface paths {
      * Gets the list of owned keys in a given org.
      */
     get: operations["listKeysInOrg"];
-    /**
-     * Import Key (Deprecated)
-     * @description Import Key (Deprecated)
-     *
-     * Securely imports an existing key. This API is deprecated; please use the new version.
-     */
-    put: operations["importKeyLegacy"];
     /**
      * Create Key
      * @description Create Key
      *
-     * Creates one or more new keys of the specified type (BLS or Secp).
+     * Creates one or more new keys of the specified type.
      */
     post: operations["createKey"];
   };
-  "/v0/org/{org_id}/keys/get_keys": {
-    /**
-     * Legacy List Keys
-     * @deprecated
-     * @description Legacy List Keys
-     *
-     * This route is deprecated. Use `GET /v0/org/<org_id>/keys?<key_type>`
-     */
-    post: operations["listKeysLegacy"];
-  };
   "/v0/org/{org_id}/keys/{key_id}": {
     /**
      * Get Key
@@ -111,6 +160,14 @@ export interface paths {
      * Returns the properties of a key.
      */
     get: operations["getKeyInOrg"];
+    /**
+     * Delete Key
+     * @description Delete Key
+     *
+     * Deletes a key specified by its ID.
+     * Only the key owner and org owners are allowed to delete keys.
+     */
+    delete: operations["deleteKey"];
     /**
      * Update Key
      * @description Update Key
@@ -119,30 +176,60 @@ export interface paths {
      */
     patch: operations["updateKey"];
   };
+  "/v0/org/{org_id}/mfa": {
+    /**
+     * List Pending MFA Requests
+     * @description List Pending MFA Requests
+     *
+     * Retrieves and returns all pending MFA requests that are accessible to the current user,
+     * i.e., those in which the current user is listed as an approver
+     */
+    get: operations["mfaList"];
+  };
   "/v0/org/{org_id}/mfa/{mfa_id}": {
     /**
-     * Gets a Pending MFA Request
-     * @description Gets a Pending MFA Request
+     * Get Pending MFA Request
+     * @description Get Pending MFA Request
      *
      * Retrieves and returns a pending MFA request by its id.
      */
     get: operations["mfaGet"];
     /**
-     * Approve a Pending MFA Request
-     * @description Approve a Pending MFA Request
+     * Approve MFA Request
+     * @description Approve MFA Request
+     *
+     * Approve request after logging in with CubeSigner. Adds the currently-logged user as an approver
+     * of a pending MFA request of the [Status::RequiredApprovers] kind. If the required number of
+     * approvers is reached, the MFA request is approved; the confirmation receipt can be used to
+     * resume the original HTTP request.
+     */
+    patch: operations["mfaApproveCs"];
+  };
+  "/v0/org/{org_id}/mfa/{mfa_id}/fido": {
+    /**
+     * Initiate Approving an MFA Request with FIDO
+     * @description Initiate Approving an MFA Request with FIDO
+     *
+     * Initiates the approval process of an MFA Request using FIDO.
+     */
+    post: operations["mfaApproveFido"];
+    /**
+     * Finalize a FIDO MFA Approval
+     * @description Finalize a FIDO MFA Approval
+     *
+     * Adds an approver to a pending MFA request.
      *
-     * Adds the current user as an approver of a pending MFA request of the [Status::RequiredApprovers] kind.
      * If the required number of approvers is reached, the MFA request is approved;
      * the confirmation receipt can be used to resume the original HTTP request.
      */
-    patch: operations["mfaApproveCs"];
+    patch: operations["mfaApproveFidoComplete"];
   };
   "/v0/org/{org_id}/mfa/{mfa_id}/totp": {
     /**
      * Approve a TOTP MFA Request
      * @description Approve a TOTP MFA Request
      *
-     * Adds an approver to a pending TOTP MFA request.
+     * Adds the current user as approver to a pending MFA request by providing TOTP code.
      *
      * If the required number of approvers is reached, the MFA request is approved;
      * the confirmation receipt can be used to resume the original HTTP request.
@@ -219,6 +306,15 @@ export interface paths {
      */
     put: operations["addUserToRole"];
   };
+  "/v0/org/{org_id}/roles/{role_id}/keys": {
+    /**
+     * List Role Keys
+     * @description List Role Keys
+     *
+     * Returns an array of all keys in a role.
+     */
+    get: operations["listRoleKeys"];
+  };
   "/v0/org/{org_id}/roles/{role_id}/keys/{key_id}": {
     /**
      * Remove Key
@@ -230,8 +326,11 @@ export interface paths {
   };
   "/v0/org/{org_id}/roles/{role_id}/tokens": {
     /**
-     * List Tokens
-     * @description List Tokens
+     * List a single page of Tokens (Deprecated)
+     * @deprecated
+     * @description List a single page of Tokens (Deprecated)
+     *
+     * **Deprecated**: Use `GET /org/{org_id}/session?role=`
      *
      * Returns all access tokens for a given role.
      * Only users in the role or owners can create a token for it.
@@ -246,8 +345,11 @@ export interface paths {
      */
     post: operations["createRoleToken"];
     /**
-     * Revoke All Tokens
-     * @description Revoke All Tokens
+     * Revoke All Tokens (Deprecated)
+     * @deprecated
+     * @description Revoke All Tokens (Deprecated)
+     *
+     * **Deprecated**: Use `DELETE /org/{org_id}/session?role=` instead
      *
      * Revokes all access tokens associated with a role.
      * Only users in the role or owners can perform this action.
@@ -256,14 +358,67 @@ export interface paths {
   };
   "/v0/org/{org_id}/roles/{role_id}/tokens/{session_id}": {
     /**
-     * Revoke Token
-     * @description Revoke Token
+     * Revoke Token (Deprecated)
+     * @deprecated
+     * @description Revoke Token (Deprecated)
+     *
+     * **Deprecated**: Use `DELETE /org/{org_id}/session/{session_id}`
      *
      * Revokes an access token associated with a role.
      * Only users in the role or owners can perform this action.
      */
     delete: operations["revokeRoleToken"];
   };
+  "/v0/org/{org_id}/roles/{role_id}/users": {
+    /**
+     * List Role Users.
+     * @description List Role Users.
+     *
+     * Returns an array of all users who have access to a role.
+     */
+    get: operations["listRoleUsers"];
+  };
+  "/v0/org/{org_id}/session": {
+    /**
+     * List sessions
+     * @description List sessions
+     *
+     * If no query parameters are provided, information for the current session is returned
+     */
+    get: operations["listSessions"];
+    /**
+     * Revoke existing session(s)
+     * @description Revoke existing session(s)
+     *
+     * Immediately revokes existing sessions, preventing them from being used or refreshed.
+     * If no query params are provided, the current session is revoked.
+     */
+    delete: operations["revokeSessions"];
+  };
+  "/v0/org/{org_id}/session/{session_id}": {
+    /**
+     * Get session information
+     * @description Get session information
+     */
+    get: operations["getSession"];
+    /**
+     * Revoke a session
+     * @description Revoke a session
+     *
+     * Immediately revokes an existing session, preventing it from being used or refreshed
+     */
+    delete: operations["revokeSession"];
+  };
+  "/v0/org/{org_id}/solana/sign/{pubkey}": {
+    /**
+     * Sign Solana Message
+     * @description Sign Solana Message
+     *
+     * Signs a Solana message with a given key.
+     * This is a pre-release feature.
+     */
+    post: operations["solanaSign"];
+  };
   "/v0/org/{org_id}/token/keys": {
     /**
      * Get Token-Accessible Keys
@@ -273,6 +428,64 @@ export interface paths {
      */
     get: operations["listTokenKeys"];
   };
+  "/v0/org/{org_id}/user/me": {
+    /**
+     * User Info
+     * @description User Info
+     *
+     * Retrieves information about the current user.
+     */
+    get: operations["aboutMe"];
+  };
+  "/v0/org/{org_id}/user/me/fido": {
+    /**
+     * Initiate registration of a FIDO key
+     * @description Initiate registration of a FIDO key
+     *
+     * Generates a challenge that must be answered to prove ownership of a key
+     */
+    post: operations["userRegisterFidoInit"];
+    /**
+     * Finalize registration of a FIDO key
+     * @description Finalize registration of a FIDO key
+     *
+     * Accepts the response to the challenge generated by the POST to this endpoint.
+     */
+    patch: operations["userRegisterFidoComplete"];
+  };
+  "/v0/org/{org_id}/user/me/totp": {
+    /**
+     * Initialize TOTP Reset
+     * @description Initialize TOTP Reset
+     *
+     * Creates a new TOTP challenge that must be answered to prove that the new TOTP
+     * was successfully imported into an authenticator app.
+     *
+     * This operation is allowed if EITHER
+     * - the user account is not yet initialized and no TOTP is already set, OR
+     * - the user has not configured any auth factors;
+     * otherwise, MFA is required.
+     */
+    post: operations["userResetTotpInit"];
+    /**
+     * Finalize resetting TOTP
+     * @description Finalize resetting TOTP
+     *
+     * Checks if the response contains the correct TOTP code corresponding to the
+     * challenge generated by the POST method of this endpoint.
+     */
+    patch: operations["userResetTotpComplete"];
+  };
+  "/v0/org/{org_id}/user/me/totp/verify": {
+    /**
+     * Verify TOTP
+     * @description Verify TOTP
+     *
+     * Checks if a given code matches the current TOTP code for the current user.
+     * Errors with 403 if the current user has not set up TOTP or the code fails verification.
+     */
+    post: operations["userVerifyTotp"];
+  };
   "/v0/org/{org_id}/users": {
     /**
      * List users in organization
@@ -280,30 +493,71 @@ export interface paths {
      */
     get: operations["listUsersInOrg"];
     /**
-     * Adds a third-party user to the org
-     * @description Adds a third-party user to the org
+     * Add a third-party user to the org
+     * @description Add a third-party user to the org
      */
     post: operations["createOidcUser"];
   };
-  "/v0/totp": {
+  "/v0/org/{org_id}/users/oidc": {
+    /**
+     * Remove a third-party user from the org
+     * @description Remove a third-party user from the org
+     */
+    delete: operations["deleteOidcUser"];
+  };
+  "/v0/user/me/fido": {
+    /**
+     * Initiate registration of a FIDO key
+     * @deprecated
+     * @description Initiate registration of a FIDO key
+     *
+     * Generates a challenge that must be answered to prove ownership of a key
+     */
+    post: operations["registerFidoInitLegacy"];
+    /**
+     * Finalize registration of a FIDO key
+     * @deprecated
+     * @description Finalize registration of a FIDO key
+     *
+     * Accepts the response to the challenge generated by the POST to this endpoint.
+     */
+    patch: operations["registerFidoCompleteLegacy"];
+  };
+  "/v0/user/me/totp": {
     /**
-     * Reset TOTP
-     * @description Reset TOTP
+     * Initialize TOTP Reset
+     * @deprecated
+     * @description Initialize TOTP Reset
+     *
+     * Creates a new TOTP challenge that must be answered to prove that the new TOTP
+     * was successfully imported into an authenticator app.
+     *
+     * This operation is allowed if EITHER
+     * - the user account is not yet initialized and no TOTP is already set, OR
+     * - the user has not configured any auth factors;
+     * otherwise, MFA is required.
+     */
+    post: operations["resetTotpInitLegacy"];
+    /**
+     * Finalize resetting TOTP
+     * @deprecated
+     * @description Finalize resetting TOTP
      *
-     * Creates and sets a new TOTP configuration for the current user,
-     * overriding the existing one (if any).
+     * Checks if the response contains the correct TOTP code corresponding to the
+     * challenge generated by the POST method of this endpoint.
      */
-    patch: operations["userResetTotp"];
+    patch: operations["resetTotpCompleteLegacy"];
   };
-  "/v0/totp/verify/{code}": {
+  "/v0/user/me/totp/verify": {
     /**
      * Verify TOTP
+     * @deprecated
      * @description Verify TOTP
      *
      * Checks if a given code matches the current TOTP code for the current user.
      * Errors with 403 if the current user has not set up TOTP or the code fails verification.
      */
-    get: operations["userVerifyTotp"];
+    post: operations["verifyTotpLegacy"];
   };
   "/v1/org/{org_id}/blob/sign/{key_id}": {
     /**
@@ -312,6 +566,13 @@ export interface paths {
      *
      * Signs an arbitrary blob with a given key.
      * This is a pre-release feature.
+     *
+     * - ECDSA signatures are serialized as big-endian r and s plus recovery-id
+     * byte v, which can in general take any of the values 0, 1, 2, or 3.
+     *
+     * - EdDSA signatures are serialized in the standard format.
+     *
+     * - BLS signatures are not supported on the blob-sign endpoint.
      */
     post: operations["blobSign"];
   };
@@ -330,6 +591,7 @@ export interface paths {
      * @description Sign EVM Transaction
      *
      * Signs an Ethereum (and other EVM) transaction with a given Secp256k1 key.
+     * Returns an RLP-encoded transaction with EIP-155 signature.
      *
      * The key must be associated with the role and organization on whose behalf this action is called.
      */
@@ -371,16 +633,6 @@ export interface paths {
      */
     post: operations["unstake"];
   };
-  "/v1/org/{org_id}/solana/sign/{pubkey}": {
-    /**
-     * Sign Solana Message
-     * @description Sign Solana Message
-     *
-     * Signs a Solana message with a given key.
-     * This is a pre-release feature.
-     */
-    post: operations["solanaSign"];
-  };
   "/v1/org/{org_id}/token/refresh": {
     /**
      * Refresh Signer Session
@@ -405,7 +657,11 @@ export interface components {
      */
     AcceptedValue: {
       MfaRequired: {
+        /** @description MFA request id */
         id: string;
+        /** @description Organization id */
+        org_id: string;
+        session?: components["schemas"]["NewSessionResponse"] | null;
       };
     };
     AddKeysToRoleRequest: {
@@ -442,15 +698,31 @@ export interface components {
        *   }
        * ]
        */
-      policy: Record<string, never>[] | null;
+      policy?: Record<string, never>[] | null;
     };
     AddThirdPartyUserRequest: {
+      /**
+       * @description User email
+       * @example alice@example.com
+       */
+      email: string;
       identity: components["schemas"]["OIDCIdentity"];
+      /** @description Optional login MFA policy */
+      mfa_policy?: Record<string, unknown> | null;
       role: components["schemas"]["MemberRole"];
     };
     ApprovalInfo: {
       timestamp: components["schemas"]["EpochDateTime"];
     };
+    /**
+     * @description WebAuthn Relying Parties may use AttestationConveyancePreference to specify
+     * their preference regarding attestation conveyance during credential
+     * generation.
+     *
+     * https://www.w3.org/TR/webauthn-2/#enumdef-attestationconveyancepreference
+     * @enum {string}
+     */
+    AttestationConveyancePreference: "none" | "indirect" | "direct" | "enterprise";
     /** @description Data required for both `authenticate` and `refresh`. */
     AuthData: {
       /** Format: int32 */
@@ -458,6 +730,136 @@ export interface components {
       epoch_token: components["schemas"]["B32"];
       other_token: string;
     };
+    /**
+     * @description Represents the assertion response used by clients when attempting to log in with a known credential
+     * https://www.w3.org/TR/webauthn-2/#authenticatorassertionresponse
+     */
+    AuthenticatorAssertionResponse: {
+      /**
+       * @description Contains the standard CTAP2 authenticator data. Must be a valid [`AuthenticatorData`].
+       * This contains information about how key was invoked.
+       * https://www.w3.org/TR/webauthn-2/#dom-authenticatorassertionresponse-authenticatordata
+       */
+      authenticatorData: string;
+      /**
+       * @description Contains UTF8 encoded JSON which must be a valid [`ClientData`]
+       * This data is combined with `authenticator_data` to produce the signature
+       * meaning the client attests to the correctness of this data.
+       * https://www.w3.org/TR/webauthn-2/#dom-authenticatorresponse-clientdatajson
+       */
+      clientDataJSON: string;
+      /**
+       * @description The signature of the concatenated `authenticatorData || hash` where
+       * `hash` is the SHA256 hash of the `clientDataJSON` buffer:
+       *
+       * Field Definition: https://www.w3.org/TR/webauthn-2/#dom-authenticatorassertionresponse-signature
+       * Step 11 of `getAssertion` specifies the concatenation: https://www.w3.org/TR/webauthn-2/#sctn-op-get-assertion
+       * Requirement for SHA-256: https://www.w3.org/TR/webauthn-2/#collectedclientdata-hash-of-the-serialized-client-data
+       */
+      signature: string;
+      /**
+       * @description Allows the authenticator to optionally declare the credential identifier they used.
+       * https://www.w3.org/TR/webauthn-2/#dom-authenticatorassertionresponse-userhandle
+       */
+      userHandle?: string | null;
+    };
+    /**
+     * @description This enumeration’s values describe authenticators' attachment modalities.
+     * Relying Parties use this to express a preferred authenticator attachment
+     * modality when calling navigator.credentials.create() to create a credential.
+     *
+     * https://www.w3.org/TR/webauthn-2/#enumdef-authenticatorattachment
+     * @enum {string}
+     */
+    AuthenticatorAttachment: "platform" | "cross-platform";
+    /**
+     * @description The AuthenticatorAttestationResponse interface represents the authenticator's
+     * response to a client’s request for the creation of a new public key
+     * credential. It contains information about the new credential that can be
+     * used to identify it for later use, and metadata that can be used by the
+     * WebAuthn Relying Party to assess the characteristics of the credential
+     * during registration.
+     *
+     * https://www.w3.org/TR/webauthn-2/#iface-authenticatorattestationresponse
+     */
+    AuthenticatorAttestationResponse: {
+      /**
+       * @description This attribute contains an attestation object, which is opaque to, and
+       * cryptographically protected against tampering by, the client. The
+       * attestation object contains both authenticator data and an attestation
+       * statement. The former contains the AAGUID, a unique credential ID, and
+       * the credential public key. The contents of the attestation statement are
+       * determined by the attestation statement format used by the
+       * authenticator. It also contains any additional information that the
+       * Relying Party's server requires to validate the attestation statement,
+       * as well as to decode and validate the authenticator data along with the
+       * JSON-compatible serialization of client data. For more details, see
+       * § 6.5 Attestation, § 6.5.4 Generating an Attestation Object, and Figure
+       * 6.
+       */
+      attestationObject: string;
+      /**
+       * @description This attribute, inherited from AuthenticatorResponse, contains the
+       * JSON-compatible serialization of client data (see § 6.5 Attestation)
+       * passed to the authenticator by the client in order to generate this
+       * credential. The exact JSON serialization MUST be preserved, as the hash
+       * of the serialized client data has been computed over it.
+       */
+      clientDataJSON: string;
+    };
+    /**
+     * @description WebAuthn Relying Parties may use the AuthenticatorSelectionCriteria
+     * dictionary to specify their requirements regarding authenticator
+     * attributes.
+     *
+     * https://www.w3.org/TR/webauthn-2/#dictdef-authenticatorselectioncriteria
+     */
+    AuthenticatorSelectionCriteria: {
+      authenticator_attachment?: components["schemas"]["AuthenticatorAttachment"] | null;
+      /**
+       * @description This member is retained for backwards compatibility with WebAuthn Level
+       * 1 and, for historical reasons, its naming retains the deprecated
+       * “resident” terminology for discoverable credentials. Relying Parties
+       * SHOULD set it to true if, and only if, residentKey is set to required.
+       *
+       * https://www.w3.org/TR/webauthn-2/#dom-authenticatorselectioncriteria-requireresidentkey
+       */
+      require_resident_key?: boolean;
+      resident_key?: components["schemas"]["ResidentKeyRequirement"] | null;
+      user_verification?: components["schemas"]["UserVerificationRequirement"];
+    };
+    /**
+     * @description Authenticators may implement various transports for communicating with
+     * clients. This enumeration defines hints as to how clients might communicate
+     * with a particular authenticator in order to obtain an assertion for a
+     * specific credential. Note that these hints represent the WebAuthn Relying
+     * Party's best belief as to how an authenticator may be reached. A Relying
+     * Party will typically learn of the supported transports for a public key
+     * credential via getTransports().
+     *
+     * https://www.w3.org/TR/webauthn-2/#enumdef-authenticatortransport
+     * @enum {string}
+     */
+    AuthenticatorTransport: "usb" | "nfc" | "ble" | "internal";
+    /** @description Request to sign an Avalanche transactions */
+    AvaSignRequest: {
+      /**
+       * @description Transaction to sign.
+       *
+       * Examples:
+       * - {"P": { "AddPermissionlessValidator": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/platformvm/txs/add_permissionless_validator.rs#L14) }}
+       * - {"P": { "AddSubnetValidator": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/platformvm/txs/add_subnet_validator.rs#L29) }}
+       * - {"P": { "AddValidator": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/platformvm/txs/add_validator.rs#L12) }}
+       * - {"P": { "CreateChain": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/platformvm/txs/create_chain.rs#L8) }}
+       * - {"P": { "CreateSubnet": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/platformvm/txs/create_subnet.rs#L8) }}
+       * - {"P": { "Export": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/platformvm/txs/export.rs#L12) }}
+       * - {"P": { "Import": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/platformvm/txs/import.rs#L12) }}
+       * - {"X": { "Base": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/avm/txs/mod.rs#L21) }}
+       * - {"X": { "Export": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/avm/txs/export.rs#L16) }}
+       * - {"X": { "Import": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/avm/txs/import.rs#L14) }}
+       */
+      tx: Record<string, never>;
+    };
     /** @description Wrapper around a zeroizing 32-byte fixed-size array */
     B32: string;
     /**
@@ -523,17 +925,24 @@ export interface components {
       /** @description Session ID */
       session_id: string;
     };
-    ConfiguredMfa: OneOf<["Totp", {
-      /** @description Named FIDO device (multiple can be configured per user, but the names must be different) */
-      Fido: string;
-    }]>;
+    ConfiguredMfa: {
+      /** @enum {string} */
+      type: "totp";
+    } | {
+      /** @description A unique credential id */
+      id: string;
+      /** @description A human-readable name given to the key */
+      name: string;
+      /** @enum {string} */
+      type: "fido";
+    };
     CreateKeyRequest: {
       /**
        * Format: int64
        * @description Chain id for which the key is allowed to sign messages
        * @example 5
        */
-      chain_id: number | null;
+      chain_id?: number | null;
       /**
        * Format: int32
        * @description Number of keys to create
@@ -545,7 +954,7 @@ export interface components {
        * @description Allows users to specify a user other than themselves to receive the key
        * @example User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f
        */
-      owner: string | null;
+      owner?: string | null;
     };
     /** @description Optional create role request body */
     CreateRoleRequest: {
@@ -555,12 +964,28 @@ export interface components {
        */
       name: string;
     };
-    CreateTokenRequest: components["schemas"]["RatchetConfig"] & {
+    CreateTokenRequest: components["schemas"]["RatchetConfig"] & ({
       /**
        * @description A human readable description of the purpose of the key
        * @example Validator Signing
        */
       purpose: string;
+      /**
+       * @description Controls what capabilities this session will have. By default, it has all
+       * signing capabilities, i.e., just the 'sign:*' scope.
+       * @example [
+       *   "sign:*"
+       * ]
+       */
+      scopes?: string[] | null;
+    });
+    CubeSignerUserInfo: {
+      /** @description All multi-factor authentication methods configured for this user */
+      configured_mfa: components["schemas"]["ConfiguredMfa"][];
+      /** @description Set once the user successfully logs into CubeSigner */
+      initialized: boolean;
+      /** @description CubeSigner's user identifier */
+      user_id: string;
     };
     /**
      * @description Information produced by a successful deposit
@@ -590,6 +1015,119 @@ export interface components {
      * @enum {string}
      */
     DepositType: "Canonical" | "Wrapper";
+    DeriveKeyRequest: {
+      /**
+       * @description One or more derivation paths from which to derive keys.
+       * @example [
+       *   "m/44'/60'/0'/0/0",
+       *   "m/44'/9000'/0'/0/0"
+       * ]
+       */
+      derivation_path: string[];
+      key_type: components["schemas"]["KeyType"];
+      /**
+       * @description Material-id of the mnemonic to use for derivation
+       * @example 0x9f07be82d934fcb5d0f75dd24c2dfea8a85a4d0c289d58828b3537fae24d32b8
+       */
+      mnemonic_id: string;
+    };
+    /**
+     * @example {
+     *   "chain_id": 1337,
+     *   "typed_data": {
+     *     "domain": {
+     *       "chainId": 1337,
+     *       "name": "Ether Mail",
+     *       "verifyingContract": "0xCcCCccccCCCCcCCCCCCcCcCccCcCCCcCcccccccC",
+     *       "version": "1"
+     *     },
+     *     "message": {
+     *       "contents": "Hello, Bob!",
+     *       "from": {
+     *         "name": "Cow",
+     *         "wallets": [
+     *           "0xCD2a3d9F938E13CD947Ec05AbC7FE734Df8DD826",
+     *           "0xDeaDbeefdEAdbeefdEadbEEFdeadbeEFdEaDbeeF"
+     *         ]
+     *       },
+     *       "to": {
+     *         "name": "Bob",
+     *         "wallets": [
+     *           "0xbBbBBBBbbBBBbbbBbbBbbbbBBbBbbbbBbBbbBBbB",
+     *           "0xB0BdaBea57B0BDABeA57b0bdABEA57b0BDabEa57",
+     *           "0xB0B0b0b0b0b0B000000000000000000000000000"
+     *         ]
+     *       }
+     *     },
+     *     "primaryType": "Mail",
+     *     "types": {
+     *       "EIP712Domain": [
+     *         {
+     *           "name": "name",
+     *           "type": "string"
+     *         },
+     *         {
+     *           "name": "version",
+     *           "type": "string"
+     *         },
+     *         {
+     *           "name": "chainId",
+     *           "type": "uint256"
+     *         },
+     *         {
+     *           "name": "verifyingContract",
+     *           "type": "address"
+     *         }
+     *       ],
+     *       "Group": [
+     *         {
+     *           "name": "name",
+     *           "type": "string"
+     *         },
+     *         {
+     *           "name": "members",
+     *           "type": "Person[]"
+     *         }
+     *       ],
+     *       "Mail": [
+     *         {
+     *           "name": "from",
+     *           "type": "Person"
+     *         },
+     *         {
+     *           "name": "to",
+     *           "type": "Person"
+     *         },
+     *         {
+     *           "name": "contents",
+     *           "type": "string"
+     *         }
+     *       ],
+     *       "Person": [
+     *         {
+     *           "name": "name",
+     *           "type": "string"
+     *         },
+     *         {
+     *           "name": "wallets",
+     *           "type": "address[]"
+     *         }
+     *       ]
+     *     }
+     *   }
+     * }
+     */
+    Eip712SignRequest: {
+      /**
+       * Format: int64
+       * @description The chain-id to which this typed data will be sent
+       */
+      chain_id: number;
+      /** @description EIP-712 typed data. Refer to the JSON schema defined in EIP-712. */
+      typed_data: Record<string, never>;
+    };
+    /** @default null */
+    Empty: Record<string, unknown> | null;
     /**
      * @description Epoch is a quoted `uint64`.
      * @example 256
@@ -607,6 +1145,8 @@ export interface components {
       accepted?: components["schemas"]["AcceptedValue"] | null;
       /** @description Error message */
       message: string;
+      /** @description Optional request identifier */
+      request_id?: string;
     };
     /**
      * @example {
@@ -666,6 +1206,26 @@ export interface components {
       eth2_sign_request: Record<string, never>;
       network: components["schemas"]["Network"];
     };
+    /** @description Sent from the client to the server to answer a fido challenge */
+    FidoAssertAnswer: {
+      /** @description The ID of the challenge that was returned from the POST endpoint */
+      challenge_id: string;
+      credential: components["schemas"]["PublicKeyCredential"];
+    };
+    /** @description Sent from the client to the server to answer a fido challenge */
+    FidoCreateChallengeAnswer: {
+      /** @description The ID of the challenge that was returned from the POST endpoint */
+      challenge_id: string;
+      credential: components["schemas"]["PublicKeyCredential"];
+    };
+    /** @description Declares intent to register a new FIDO key */
+    FidoCreateRequest: {
+      /**
+       * @description A human-readable name for the new fido credential
+       * @example Work Yubikey
+       */
+      name: string;
+    };
     /**
      * @description Specifies a fork of the `BeaconChain`, to prevent replay attacks.
      * The schema of `Fork` is defined in the [Beacon chain
@@ -713,7 +1273,7 @@ export interface components {
       genesis_validators_root: string;
     };
     GetKeysInOrgRequest: {
-      key_type: components["schemas"]["KeyType"] | null;
+      key_type?: components["schemas"]["KeyType"] | null;
     };
     /** @description Stats pertaining the the sender `cube3signer` instance */
     HeartbeatRequest: {
@@ -762,7 +1322,7 @@ export interface components {
        *
        * TODO: Make non-optional once we do not support proxies without version information
        */
-      proxy_version: string | null;
+      proxy_version?: string | null;
     };
     /**
      * @description Information about the request.
@@ -773,22 +1333,34 @@ export interface components {
      */
     HttpRequest: {
       /** @description HTTP request body */
-      body: Record<string, unknown> | null;
+      body?: Record<string, unknown> | null;
       /** @description HTTP method of the request */
       method: string;
       /** @description HTTP path of the request (including host or not?) */
       path: string;
     };
-    ImportKeyLegacyRequest: {
+    /**
+     * @description Proof that an end-user provided CubeSigner with a valid auth token
+     * (either an OIDC token or a CubeSigner session token)
+     */
+    IdentityProof: ({
       /**
-       * Format: int64
-       * @description The chain ID of the chain that the key will be used for
-       * @example 5
+       * @description OIDC audience; set only if the proof was obtained by using OIDC token.
+       *
+       * In other words, presence of this field testifies that authorization was obtained via OIDC.
        */
-      chain_id: number | null;
-      /** @description The key to import encrypted with the public key of the organization */
-      key_material: components["schemas"]["RsaOaepXChaChaMaterial"][];
-      key_type: components["schemas"]["KeyType"];
+      aud?: string | null;
+      /**
+       * @description The email associated with the user
+       * @example user@email.com
+       */
+      email: string;
+      exp_epoch: components["schemas"]["EpochDateTime"];
+      identity?: components["schemas"]["OIDCIdentity"] | null;
+      user_info?: components["schemas"]["CubeSignerUserInfo"] | null;
+    }) & {
+      /** @description An opaque identifier for the proof */
+      id: string;
     };
     ImportKeyRequest: components["schemas"]["KeyImportKey"] & {
       /** @description A set of encrypted keys to be imported */
@@ -818,11 +1390,14 @@ export interface components {
        * @example alice@acme.com
        */
       email: string;
+      /** @description Optional login MFA policy */
+      mfa_policy?: Record<string, unknown> | null;
       /**
        * @description The user's full name
        * @example Alice Wonderland
        */
       name: string;
+      role?: components["schemas"]["MemberRole"] | null;
       /**
        * @description Skip sending an invitation email to this user if true.
        *
@@ -832,6 +1407,13 @@ export interface components {
        */
       skip_email: boolean;
     };
+    /** @description Derivation-related metadata for keys derived from a long-lived mnemonic */
+    KeyDerivationInfo: {
+      /** @description The derivation path used to derive this key */
+      derivation_path: string;
+      /** @description The mnemonic-id of the key's parent mnemonic */
+      mnemonic_id: string;
+    };
     /** @description A wrapped key-import key */
     KeyImportKey: {
       /** @description Base64-encoded, encrypted data key. */
@@ -849,8 +1431,30 @@ export interface components {
       /** @description Base64-encoded, encrypted secret key. */
       sk_enc: string;
     };
-    KeyInfo: {
-      /** @description Whether the key is enabled (only enabled keys may be used for signing) */
+    KeyInRoleInfo: {
+      /**
+       * @description Key ID
+       * @example Key#0x8e3484687e66cdd26cf04c3647633ab4f3570148
+       */
+      key_id: string;
+      /**
+       * @description Policies that are checked before this key is used on behalf of this role
+       * @example [
+       *   {
+       *     "TxReceiver": "0x8c594691c0e592ffa21f153a16ae41db5befcaaa"
+       *   },
+       *   {
+       *     "TxDeposit": {
+       *       "kind": "Canonical"
+       *     }
+       *   }
+       * ]
+       */
+      policy?: Record<string, never>[];
+    };
+    KeyInfo: {
+      derivation_info?: components["schemas"]["KeyDerivationInfo"] | null;
+      /** @description Whether the key is enabled (only enabled keys may be used for signing) */
       enabled: boolean;
       /**
        * @description The id of the key: "Key#" followed by a unique identifier specific to
@@ -871,14 +1475,22 @@ export interface components {
       owner: string;
       /**
        * @description Key policy
-       * @example []
+       * @example [
+       *   "AllowRawBlobSigning",
+       *   {
+       *     "RequireMfa": {
+       *       "count": 1
+       *     }
+       *   }
+       * ]
        */
       policy: Record<string, never>[];
       /**
        * @description Hex-encoded, serialized public key. The format used depends on the key type:
-       * - secp256k1 keys use 65-byte uncompressed SECG format;
+       * - Secp256k1 keys use 65-byte uncompressed SECG format;
+       * - Stark keys use 33-byte compressed SECG format;
        * - BLS keys use 48-byte compressed BLS12-381 (ZCash) format;
-       * - ed25519 keys use the canonical 64-byte encoding specified in RFC 8032.
+       * - Ed25519 keys use the canonical 32-byte encoding specified in RFC 8032.
        * @example 0x04d2688b6bc2ce7f9879b9e745f3c4dc177908c5cef0c1b64cff19ae7ff27dee623c64fe9d9c325c7fbbc748bbd5f607ce14dd83e28ebbbb7d3e7f2ffb70a79431
        */
       public_key: string;
@@ -889,41 +1501,45 @@ export interface components {
       purpose: string;
     };
     /** @enum {string} */
-    KeyType: "SecpEthAddr" | "SecpBtc" | "SecpBtcTest" | "BlsPub" | "BlsInactive" | "Ed25519SolanaAddr" | "Ed25519SuiAddr" | "Ed25519AptosAddr";
-    KeyWithPolicies: {
-      /**
-       * @description Key ID
-       * @example Key#0x8e3484687e66cdd26cf04c3647633ab4f3570148
-       */
-      key_id: string;
-      /**
-       * @description Policies that are checked before this key is used on behalf of this role
-       * @example [
-       *   {
-       *     "TxReceiver": "0x8c594691c0e592ffa21f153a16ae41db5befcaaa"
-       *   },
-       *   {
-       *     "TxDeposit": {
-       *       "kind": "Canonical"
-       *     }
-       *   }
-       * ]
-       */
-      policy?: Record<string, never>[];
-    };
+    KeyType: "SecpEthAddr" | "SecpBtc" | "SecpBtcTest" | "SecpAvaAddr" | "SecpAvaTestAddr" | "BlsPub" | "BlsInactive" | "Ed25519SolanaAddr" | "Ed25519SuiAddr" | "Ed25519AptosAddr" | "Ed25519CardanoAddrVk" | "Ed25519StellarAddr" | "Mnemonic" | "Stark";
+    /**
+     * @description Wrapper around encrypted [UnencryptedLastEvalKey] bytes.
+     *
+     * We serialize this into a base64url-encoded string and return to the user
+     * so that they can pass this back to us as a url query parameter.
+     */
+    LastEvalKey: string;
     /**
      * @description Describes whether a user in an org is an Owner or just a regular member
      * @enum {string}
      */
-    MemberRole: "Owner" | "Member" | "Alien";
+    MemberRole: "Alien" | "Member" | "Owner";
+    /** @description Returned as a response from multiple routes (e.g., 'get mfa', 'approve mfa', 'approve totp'). */
+    MfaRequestInfo: {
+      expires_at: components["schemas"]["EpochDateTime"];
+      /** @description Approval request ID. */
+      id: string;
+      receipt?: components["schemas"]["Receipt"] | null;
+      request: components["schemas"]["HttpRequest"];
+      status: components["schemas"]["Status"];
+    };
     /** @enum {string} */
-    MfaType: "CubeSigner" | "Totp";
+    MfaType: "CubeSigner" | "Totp" | "Fido";
     /**
      * @description Network name ('mainnet', 'prater', 'goerli')
      * @example goerli
      * @enum {string}
      */
-    Network: "mainnet" | "prater" | "goerli";
+    Network: "mainnet" | "prater" | "goerli" | "holesky";
+    /** @description Information about a new session, returned from multiple endpoints (e.g., login, refresh, etc.). */
+    NewSessionResponse: {
+      session_info: components["schemas"]["ClientSessionInfo"];
+      /**
+       * @description New token to be used for authentication. Requests to signing endpoints
+       * should include this value in the `Authorization` header
+       */
+      token: string;
+    };
     /**
      * @description Represents a globally unique OIDC-authorized user by expressing the full "path" to a user. That is:
      *
@@ -968,23 +1584,13 @@ export interface components {
        * ]
        */
       scopes: string[];
-    };
-    OidcLoginResponse: {
-      /**
-       * @description Token to be used for signing auth. Requests to signing endpoints
-       * should include this value in the `Authorization` header
-       */
-      token: string;
+      tokens?: components["schemas"]["RatchetConfig"];
     };
     OrgInfo: {
       /** @description When false, all cryptographic operations involving keys in this org are disabled. */
       enabled: boolean;
-      /**
-       * @description The RSA public key to use when importing keys into this organization. This string is the
-       * hex encoding of the DER representation of the key.
-       * @example 30820222300d06092a864886f70d01010105000382020f003082020a0282020100c89765b8f347caafbec09fcb17740e032d854ec99f2d9c16167be335339b4fdeba18a7f13d8e8b7ae7d689cab63d8ecdf548f4746eacaf95b61fef76ade9f81b3c038891c52542fd352697b618afbea6103723c28f2db450e9d852be16a4dc2cbc9442da9a6610044009e056ba90728f0b9888d9b036e493aaed168ccf930fa2f730b17eb3ad6f455a792b762c47f3d3c6b7a7c458556a592e688791599a576bf2149d8e9614db775e7a48602d237a347d5399c681f7f7d9c81f6a64e7cfd356bba545d45e5023ca1f09a66a1d4550f61cf2c4367e14997b5d749bb0326a44d058119e8caf7fd79d517eb2d11dddb2db329f350698f0f978d5e150bb402c8bc4c5ec36d6f38db3f3a204813cda9f52dbcee809204f8e35a455c0e110e10eec41f734f2d55a058a7a21fa90602f94da6de2378ff61e7b3550b77e53d75d7b3d3b39ccab0e5101b916dab01da096f7627175d5b68a1a6464ce5be3e95e7c464d69eb0b675057705c11bc79c3543313b0d9c703c50dc1a16dd9b55e5599e3b02e527b85938e7b81c65e56960bcd7c7a266b07dc05107fd0d7d3c208a878eb0fc74b0d007f421d0c5b28cf78eb441aa0166dceeeac255d68622492f9b526ae13c93754ea8eda96f3b764ba931f8d49c7de8b00ac53d993ab9b08fd2892d8e82cc1a9746f0b426b19256d13d780445e150ce81da0b3c96e32559cb47cb5cb93f805650203010001
-       */
-      key_import_key: string;
+      /** @description Deprecated: this field should be ignored. */
+      key_import_key?: string | null;
       /**
        * @description The organization's universally unique key-wrapping-key identifier.
        * This value is required when setting up key export.
@@ -1021,9 +1627,350 @@ export interface components {
        */
       policy?: Record<string, never>[];
     };
+    /**
+     * @description The rocket query parameter representing the page from which to start a paginated query.
+     *
+     * MUST be named `<page>` in rocket url spec so that 'serde(rename = "page.*")' below continues to work
+     */
+    Page: {
+      /**
+       * Format: int32
+       * @description Max number of items to return per page.
+       *
+       * If the actual number of returned items may be less that this, even if there exist more
+       * data in the result set. To reliably determine if more data is left in the result set,
+       * inspect the [UnencryptedLastEvalKey] value in the response object.
+       */
+      "page.size"?: number;
+      /**
+       * @description The start of the page.  Omit to start from the beginning; otherwise, only specify a
+       * the exact value previously returned as 'last_evaluated_key' from the same endpoint.
+       */
+      "page.start"?: string | null;
+    };
+    /**
+     * @description This type represents a wire-encodable form of the PublicKeyCredential interface
+     * Clients may need to manually encode into this format to communicate with the server
+     *
+     * The PublicKeyCredential interface inherits from Credential
+     * [CREDENTIAL-MANAGEMENT-1], and contains the attributes that are returned to
+     * the caller when a new credential is created, or a new assertion is
+     * requested.
+     *
+     * https://www.w3.org/TR/webauthn-2/#iface-pkcredential
+     */
+    PublicKeyCredential: {
+      /**
+       * @description This internal slot contains the results of processing client extensions
+       * requested by the Relying Party upon the Relying Party's invocation of
+       * either navigator.credentials.create() or navigator.credentials.get().
+       *
+       * https://www.w3.org/TR/webauthn-2/#dom-publickeycredential-clientextensionsresults-slot
+       *
+       * IMPLEMENTATION NOTE: The type for this field comes from the type of getClientExtensionResults() which as the following doc:
+       *
+       * This operation returns the value of [[clientExtensionsResults]], which is a map containing extension identifier → client extension output entries produced by the extension’s client extension processing.
+       * https://www.w3.org/TR/webauthn-2/#ref-for-dom-publickeycredential-getclientextensionresults
+       */
+      clientExtensionResults?: Record<string, unknown> | null;
+      /**
+       * @description This internal slot contains the credential ID, chosen by the
+       * authenticator. The credential ID is used to look up credentials for use,
+       * and is therefore expected to be globally unique with high probability
+       * across all credentials of the same type, across all authenticators.
+       *
+       * https://www.w3.org/TR/webauthn-2/#dom-publickeycredential-identifier-slot
+       */
+      id: string;
+      /** @description Authenticators respond to Relying Party requests by returning an object derived from the AuthenticatorResponse interface */
+      response: components["schemas"]["AuthenticatorAttestationResponse"] | components["schemas"]["AuthenticatorAssertionResponse"];
+    };
+    /**
+     * @description Defines the parameters for the creation of a new public key credential
+     *
+     * https://www.w3.org/TR/webauthn-2/#dictdef-publickeycredentialcreationoptions
+     */
+    PublicKeyCredentialCreationOptions: {
+      attestation?: components["schemas"]["AttestationConveyancePreference"];
+      authenticator_selection?: components["schemas"]["AuthenticatorSelectionCriteria"] | null;
+      /**
+       * @description This member contains a challenge intended to be used for generating the
+       * newly created credential’s attestation object. See the § 13.4.3
+       * Cryptographic Challenges security consideration.
+       *
+       * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-challenge
+       */
+      challenge: string;
+      /**
+       * @description This member is intended for use by Relying Parties that wish to limit
+       * the creation of multiple credentials for the same account on a single
+       * authenticator. The client is requested to return an error if the new
+       * credential would be created on an authenticator that also contains one
+       * of the credentials enumerated in this parameter.
+       *
+       * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-excludecredentials
+       */
+      exclude_credentials?: components["schemas"]["PublicKeyCredentialDescriptor"][];
+      /**
+       * @description This member contains additional parameters requesting additional
+       * processing by the client and authenticator. For example, the caller may
+       * request that only authenticators with certain capabilities be used to
+       * create the credential, or that particular information be returned in the
+       * attestation object. Some extensions are defined in § 9 WebAuthn
+       * Extensions; consult the IANA "WebAuthn Extension Identifiers" registry
+       * [IANA-WebAuthn-Registries] established by [RFC8809] for an up-to-date
+       * list of registered WebAuthn Extensions.
+       *
+       * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-extensions
+       */
+      extensions?: Record<string, unknown> | null;
+      /**
+       * @description This member contains information about the desired properties of the
+       * credential to be created. The sequence is ordered from most preferred to
+       * least preferred. The client makes a best-effort to create the most
+       * preferred credential that it can.
+       *
+       * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-pubkeycredparams
+       */
+      pub_key_cred_params: components["schemas"]["PublicKeyCredentialParameters"][];
+      rp: components["schemas"]["PublicKeyCredentialRpEntity"];
+      /**
+       * Format: int32
+       * @description This member specifies a time, in milliseconds, that the caller is
+       * willing to wait for the call to complete. This is treated as a hint, and
+       * MAY be overridden by the client.
+       *
+       * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-timeout
+       */
+      timeout?: number | null;
+      user?: components["schemas"]["PublicKeyCredentialUserEntity"] | null;
+    };
+    /**
+     * @description This dictionary contains the attributes that are specified by a caller when
+     * referring to a public key credential as an input parameter to the create()
+     * or get() methods. It mirrors the fields of the PublicKeyCredential object
+     * returned by the latter methods.
+     *
+     * https://www.w3.org/TR/webauthn-2/#dictionary-credential-descriptor
+     */
+    PublicKeyCredentialDescriptor: {
+      /**
+       * @description This member contains the credential ID of the public key credential the caller is referring to.
+       *
+       * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialdescriptor-id
+       */
+      id: string;
+      /**
+       * @description This OPTIONAL member contains a hint as to how the client might
+       * communicate with the managing authenticator of the public key credential
+       * the caller is referring to. The values SHOULD be members of
+       * AuthenticatorTransport but client platforms MUST ignore unknown values.
+       *
+       * The getTransports() operation can provide suitable values for this
+       * member. When registering a new credential, the Relying Party SHOULD
+       * store the value returned from getTransports(). When creating a
+       * PublicKeyCredentialDescriptor for that credential, the Relying Party
+       * SHOULD retrieve that stored value and set it as the value of the
+       * transports member.
+       */
+      transports?: components["schemas"]["AuthenticatorTransport"][] | null;
+      type: components["schemas"]["PublicKeyCredentialType"];
+    };
+    /**
+     * @description This dictionary is used to supply additional parameters when creating a new
+     * credential.
+     *
+     * https://www.w3.org/TR/webauthn-2/#dictionary-credential-params
+     */
+    PublicKeyCredentialParameters: {
+      /**
+       * Format: int64
+       * @description This member specifies the cryptographic signature algorithm with which
+       * the newly generated credential will be used, and thus also the type of
+       * asymmetric key pair to be generated, e.g., RSA or Elliptic Curve.
+       */
+      alg: number;
+      type: components["schemas"]["PublicKeyCredentialType"];
+    };
+    /**
+     * @description The `PublicKeyCredentialRequestOptions` dictionary supplies get() with the
+     * data it needs to generate an assertion. Its challenge member MUST be
+     * present, while its other members are OPTIONAL.
+     *
+     * This struct is also used as part of the verification procedure for assertions
+     */
+    PublicKeyCredentialRequestOptions: {
+      /**
+       * @description This OPTIONAL member contains a list of PublicKeyCredentialDescriptor
+       * objects representing public key credentials acceptable to the caller, in
+       * descending order of the caller’s preference (the first item in the list
+       * is the most preferred credential, and so on down the list).
+       *
+       * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialrequestoptions-allowcredentials
+       */
+      allow_credentials?: components["schemas"]["PublicKeyCredentialDescriptor"][];
+      /**
+       * @description This member represents a challenge that the selected authenticator
+       * signs, along with other data, when producing an authentication
+       * assertion.
+       *
+       * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialrequestoptions-challenge
+       */
+      challenge: string;
+      extensions?: Record<string, unknown> | null;
+      /**
+       * @description This OPTIONAL member specifies the relying party identifier claimed by
+       * the caller. If omitted, its value will be the CredentialsContainer
+       * object’s relevant settings object's origin's effective domain.
+       *
+       * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialrequestoptions-rpid
+       */
+      rp_id?: string | null;
+      /**
+       * Format: int32
+       * @description This OPTIONAL member specifies a time, in milliseconds, that the caller
+       * is willing to wait for the call to complete. The value is treated as a
+       * hint, and MAY be overridden by the client.
+       *
+       * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialrequestoptions-timeout
+       */
+      timeout?: number | null;
+      user_verification?: components["schemas"]["UserVerificationRequirement"];
+    };
+    /**
+     * @description The PublicKeyCredentialRpEntity dictionary is used to supply additional
+     * Relying Party attributes when creating a new credential.
+     *
+     * https://www.w3.org/TR/webauthn-2/#dictionary-rp-credential-params
+     */
+    PublicKeyCredentialRpEntity: {
+      /**
+       * @description A unique identifier for the Relying Party entity, which sets the RP ID.
+       *
+       * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialrpentity-id
+       */
+      id: string;
+      /**
+       * @description A human-palatable name for the entity. Its function depends on what the
+       * PublicKeyCredentialEntity represents: When inherited by
+       * PublicKeyCredentialRpEntity it is a human-palatable identifier for the
+       * Relying Party, intended only for display. For example, "ACME
+       * Corporation", "Wonderful Widgets, Inc." or "ОАО Примертех".
+       *
+       * Relying Parties SHOULD perform enforcement, as prescribed in Section 2.3
+       * of [RFC8266] for the Nickname Profile of the PRECIS FreeformClass
+       * [RFC8264], when setting name's value, or displaying the value to the
+       * user.
+       *
+       * This string MAY contain language and direction metadata. Relying Parties
+       * SHOULD consider providing this information. See § 6.4.2 Language and
+       * Direction Encoding about how this metadata is encoded.
+       */
+      name: string;
+    };
+    /**
+     * @description This enumeration defines the valid credential types. It is an extension
+     * point; values can be added to it in the future, as more credential types are
+     * defined. The values of this enumeration are used for versioning the
+     * Authentication Assertion and attestation structures according to the type of
+     * the authenticator.  Currently one credential type is defined, namely
+     * "public-key".
+     *
+     * https://www.w3.org/TR/webauthn-2/#enumdef-publickeycredentialtype
+     * @enum {string}
+     */
+    PublicKeyCredentialType: "public-key";
+    /**
+     * @description The PublicKeyCredentialUserEntity dictionary is used to supply additional
+     * user account attributes when creating a new credential.
+     */
+    PublicKeyCredentialUserEntity: {
+      /**
+       * @description A human-palatable name for the user account, intended only for display.
+       * For example, "Alex Müller" or "田中倫". The Relying Party SHOULD let the
+       * user choose this, and SHOULD NOT restrict the choice more than
+       * necessary.
+       *
+       * Relying Parties SHOULD perform enforcement, as prescribed in Section 2.3
+       * of [RFC8266] for the Nickname Profile of the PRECIS FreeformClass
+       * [RFC8264], when setting displayName's value, or displaying the value to
+       * the user.
+       *
+       * This string MAY contain language and direction metadata. Relying Parties
+       * SHOULD consider providing this information. See § 6.4.2 Language and
+       * Direction Encoding about how this metadata is encoded.
+       *
+       * Clients SHOULD perform enforcement, as prescribed in Section 2.3 of
+       * [RFC8266] for the Nickname Profile of the PRECIS FreeformClass
+       * [RFC8264], on displayName's value prior to displaying the value to the
+       * user or including the value as a parameter of the
+       * authenticatorMakeCredential operation.
+       *
+       * When clients, client platforms, or authenticators display a
+       * displayName's value, they should always use UI elements to provide a
+       * clear boundary around the displayed value, and not allow overflow into
+       * other elements [css-overflow-3].
+       *
+       * Authenticators MUST accept and store a 64-byte minimum length for a
+       * displayName member’s value. Authenticators MAY truncate a displayName
+       * member’s value so that it fits within 64 bytes. See § 6.4.1 String
+       * Truncation about truncation and other considerations.
+       *
+       * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialuserentity-displayname
+       */
+      displayName: string;
+      /**
+       * @description The user handle of the user account entity. A user handle is an opaque
+       * byte sequence with a maximum size of 64 bytes, and is not meant to be
+       * displayed to the user.
+       *
+       * To ensure secure operation, authentication and authorization decisions
+       * MUST be made on the basis of this id member, not the displayName nor
+       * name members. See Section 6.1 of [RFC8266].
+       *
+       * The user handle MUST NOT contain personally identifying information
+       * about the user, such as a username or e-mail address; see § 14.6.1 User
+       * Handle Contents for details. The user handle MUST NOT be empty, though
+       * it MAY be null.
+       *
+       * Note: the user handle ought not be a constant value across different
+       * accounts, even for non-discoverable credentials, because some
+       * authenticators always create discoverable credentials. Thus a constant
+       * user handle would prevent a user from using such an authenticator with
+       * more than one account at the Relying Party.
+       *
+       * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialuserentity-id
+       */
+      id: string;
+      /**
+       * @description When inherited by PublicKeyCredentialUserEntity, it is a human-palatable
+       * identifier for a user account. It is intended only for display, i.e.,
+       * aiding the user in determining the difference between user accounts with
+       * similar displayNames. For example, "alexm", "alex.mueller@example.com"
+       * or "+14255551234".
+       *
+       * The Relying Party MAY let the user choose this value. The Relying Party
+       * SHOULD perform enforcement, as prescribed in Section 3.4.3 of [RFC8265]
+       * for the UsernameCasePreserved Profile of the PRECIS IdentifierClass
+       * [RFC8264], when setting name's value, or displaying the value to the
+       * user.
+       *
+       * This string MAY contain language and direction metadata. Relying Parties
+       * SHOULD consider providing this information. See § 6.4.2 Language and
+       * Direction Encoding about how this metadata is encoded.
+       *
+       * Clients SHOULD perform enforcement, as prescribed in Section 3.4.3 of [RFC8265] for the UsernameCasePreserved Profile of the PRECIS IdentifierClass [RFC8264], on name's value prior to displaying the value to the user or including the value as a parameter of the authenticatorMakeCredential operation.
+       */
+      name: string;
+    };
     RatchetConfig: {
+      /** @default 300 */
       auth_lifetime?: components["schemas"]["Seconds"];
+      /** @default default_grace_lifetime */
+      grace_lifetime?: components["schemas"]["Seconds"];
+      /** @default 86400 */
       refresh_lifetime?: components["schemas"]["Seconds"];
+      /** @default 31536000 */
       session_lifetime?: components["schemas"]["Seconds"];
     };
     /** @description Receipt that an MFA request was approved. */
@@ -1037,14 +1984,23 @@ export interface components {
       final_approver: string;
       timestamp: components["schemas"]["EpochDateTime"];
     };
+    /**
+     * @description This enumeration’s values describe the Relying Party's requirements for
+     * client-side discoverable credentials (formerly known as resident credentials
+     * or resident keys):
+     *
+     * https://www.w3.org/TR/webauthn-2/#enumdef-residentkeyrequirement
+     * @enum {string}
+     */
+    ResidentKeyRequirement: "discouraged" | "preferred" | "required";
     RoleInfo: {
       /**
        * @description Whether the role is enabled
        * @example true
        */
       enabled: boolean;
-      /** @description The CubeSigner IDs of the keys */
-      keys: components["schemas"]["KeyWithPolicies"][];
+      /** @description Deprecated The CubeSigner IDs of at most 100 keys associated with this role */
+      keys?: components["schemas"]["KeyInRoleInfo"][] | null;
       /**
        * @description The human-readable name for the role (must be alphanumeric)
        * @example my_role
@@ -1055,52 +2011,27 @@ export interface components {
        * @example Role#bfe3eccb-731e-430d-b1e5-ac1363e6b06b
        */
       role_id: string;
-      /**
-       * @description The list of users with access to the role
-       * @example [
-       *   "User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f",
-       *   "User#5593c25b-52e2-4fb5-b39b-96d41d681d82"
-       * ]
-       */
-      users: string[];
+      /** @description Deprecated. The list of at most 100 users with access to the role. */
+      users?: string[] | null;
     };
     /**
-     * @description Encrypted key material for import using hybrid encryption.
-     *
-     * The imported keying material is encrypted using [XChaCha20Poly1305], which
-     * we choose for its speed and side channel resistance, its ability to encrypt
-     * very long messages, and its safety when using random nonces even for a large
-     * number of messages. The latter should not happen in this case, but the cost
-     * is negligible and the benefit is that we know it's safe to use random nonces.
-     *
-     * The XChaCha key is encrypted using [RSAES-OAEP-SHA256], which we choose because
-     * it's the best of the [available options for asymmetric encryption][kmsopts]
-     * in AWS KMS.
-     *
-     * [XChaCha20Poly1305]: https://doc.libsodium.org/secret-key_cryptography/aead/chacha20-poly1305/xchacha20-poly1305_construction
-     * [RSAES-OAEP-SHA256]: https://www.rfc-editor.org/rfc/rfc8017#section-7.1
-     * [kmsopts]: https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html
+     * Format: int64
+     * @description Duration measured in seconds
+     * A wrapper type for serialization that encodes a `Duration` as a `u64` representing the number of seconds.
      */
-    RsaOaepXChaChaMaterial: {
+    Seconds: number;
+    SessionInfo: {
       /**
-       * @description The keying material to be imported, encrypted with
-       * [XChaCha20Poly1305](https://doc.libsodium.org/secret-key_cryptography/aead/chacha20-poly1305/xchacha20-poly1305_construction).
+       * @description A human-readable description for the session
+       * @example OIDC login session
        */
-      ikm_enc: number[];
+      purpose: string;
       /**
-       * @description The key-wrapping key used to encrypt `ikm_enc`, encrypted with
-       * [RSAES-OAEP-SHA256](https://www.rfc-editor.org/rfc/rfc8017#section-7.1).
+       * @description Session ID. Uniquely identifies the session, but cannot be used for auth.
+       * @example 77aad2100c361f497635dd005c4d15781e2e5df4b9f45d8e74f37425cbc30b9e
        */
-      kwk_enc: number[];
-      /** @description The nonce used to generate `ikm_enc`. */
-      nonce: number[];
+      session_id: string;
     };
-    /**
-     * Format: int64
-     * @description Duration measured in seconds
-     * A wrapper type for serialization that encodes a `Duration` as a `u64` representing the number of seconds.
-     */
-    Seconds: number;
     SignRequest: {
       message: Record<string, never>;
     };
@@ -1113,12 +2044,20 @@ export interface components {
        */
       chain_id: number;
       deposit_type: components["schemas"]["DepositType"];
-      unsafe_conf: components["schemas"]["UnsafeConf"] | null;
+      /**
+       * Format: int64
+       * @description Optional staking amount in GWEI.
+       * If not specified, defaults to 32_000_000_000 (32 ETH).
+       * Must be between 1 ETH and 32 ETH.
+       * Must not be different from the default value when 'deposit_type' is "Wrapper".
+       */
+      staking_amount_gwei?: number;
+      unsafe_conf?: components["schemas"]["UnsafeConf"] | null;
       /**
        * @description The validator BLS public key to use, or `None` to generate a fresh one.
        * @example 0xa99a76ed7796f7be22d5b7e85deeb7c5677e88e511e0b337618f8c4eb61349b4bf2d153f649f7b53359fe8b94a38e44c
        */
-      validator_key: string | null;
+      validator_key?: string | null;
       /**
        * @description The ethereum address to which withdrawn funds go
        * @example 0x8e3484687e66cdd26cf04c3647633ab4f3570148
@@ -1132,9 +2071,9 @@ export interface components {
       allowed_mfa_types?: components["schemas"]["MfaType"][] | null;
       /** @description Users who have already approved */
       approved_by: {
-        [key: string]: ({
-          [key: string]: components["schemas"]["ApprovalInfo"] | undefined;
-        }) | undefined;
+        [key: string]: {
+          [key: string]: components["schemas"]["ApprovalInfo"];
+        };
       };
       /**
        * Format: int32
@@ -1157,18 +2096,25 @@ export interface components {
       /** @description TOTP verification code */
       code: string;
     };
+    /** @description Sent from the client to the server to answer a TOTP challenge */
+    TotpChallengeAnswer: {
+      /** @description The current TOTP code */
+      code: string;
+      /** @description The ID of the challenge that was returned from the POST endpoint */
+      totp_id: string;
+    };
     /** @description Options that should be set only for local devnet testing. */
     UnsafeConf: {
       /**
        * @description The hex-encoded address of the deposit contract. If omitted, inferred from `chain_id`
        * @example 0xff50ed3d0ec03ac01d4c79aad74928bff48a7b2b
        */
-      deposit_contract_addr: string | null;
+      deposit_contract_addr?: string | null;
       /**
        * @description The hex-encoded 4-byte fork version
        * @example 0x00001020
        */
-      genesis_fork_version: string | null;
+      genesis_fork_version?: string | null;
     };
     /**
      * @description Unstake message request.
@@ -1189,7 +2135,7 @@ export interface components {
      * }
      */
     UnstakeRequest: {
-      epoch: components["schemas"]["Epoch"] | null;
+      epoch?: components["schemas"]["Epoch"] | null;
       fork: components["schemas"]["Fork"];
       genesis_data: components["schemas"]["GenesisData"];
       network: components["schemas"]["Network"];
@@ -1217,7 +2163,14 @@ export interface components {
       owner?: string | null;
       /**
        * @description If set, update this key's policies (old policies will be overwritten!).
-       * @example []
+       * @example [
+       *   "AllowRawBlobSigning",
+       *   {
+       *     "RequireMfa": {
+       *       "count": 1
+       *     }
+       *   }
+       * ]
        */
       policy?: Record<string, never>[] | null;
     };
@@ -1269,11 +2222,16 @@ export interface components {
        */
       id: string;
     };
+    UserInRoleInfo: {
+      user_id: string;
+    };
     UserInfo: {
       /** @example alice@example.com */
       email: string;
       /** @description All multi-factor authentication methods configured for this user */
       mfa: components["schemas"]["ConfiguredMfa"][];
+      /** @description MFA policy, applies before logging in and other sensitive operations */
+      mfa_policy?: Record<string, unknown> | null;
       /**
        * @description All organizations the user belongs to
        * @example [
@@ -1287,6 +2245,14 @@ export interface components {
        */
       user_id: string;
     };
+    /**
+     * @description A WebAuthn Relying Party may require user verification for some of its
+     * operations but not for others, and may use this type to express its needs.
+     *
+     * https://www.w3.org/TR/webauthn-2/#enum-userVerificationRequirement
+     * @enum {string}
+     */
+    UserVerificationRequirement: "required" | "discouraged" | "preferred";
     /**
      * @description An exit voluntarily submitted a validator who wishes to withdraw.
      * The schema for this message is defined
@@ -1310,6 +2276,14 @@ export interface components {
         };
       };
     };
+    AvaSignResponse: {
+      content: {
+        "application/json": {
+          /** @description The hex-encoded signature. */
+          signature: string;
+        };
+      };
+    };
     BlobSignResponse: {
       content: {
         "application/json": {
@@ -1322,8 +2296,8 @@ export interface components {
       content: {
         "application/json": {
           /**
-           * @description The hex-encoded signature in DER format.
-           * @example 0x3045022100e12be3904f665f755e106741680548fefc9febf4cff31c5c0ee4627b3c1b35fe022066fde9a0b17e4cd38da983fb0d604294f00d0bd47fcb649c5216f3a2e8b7ad2d01
+           * @description The hex-encoded signature in compact format.
+           * @example 0x454aef27c21df7dd8f537dc869f4cd65286ce239a52d36470f4d85be85a891b02789e5ffd8560b32a98110e5d0096802e4c14145cf6c44f10a768c87755eaa4800
            */
           signature: string;
         };
@@ -1370,15 +2344,16 @@ export interface components {
         };
       };
     };
-    CreateTokenResponse: {
+    Eip712SignResponse: {
       content: {
         "application/json": {
-          session_info: components["schemas"]["ClientSessionInfo"];
           /**
-           * @description Token to be used for signing auth. Requests to signing endpoints
-           * should include this value in the `Authorization` header
+           * @description Hex-encoded signature comprising 65 bytes in the format required
+           * by ecrecover: 32-byte r, 32-byte s, and one-byte recovery-id v
+           * which is either 27 or 28.
+           * @example 0x4355c47d63924e8a72e509b65029052eb6c299d53a04e167c5775fd466751c9d07299936d304c153f6443dfa05f40ff007d72911b6f72307f996231605b915621c
            */
-          token: string;
+          signature: string;
         };
       };
     };
@@ -1411,10 +2386,25 @@ export interface components {
         };
       };
     };
-    GetKeysInOrgResponse: {
+    FidoAssertChallenge: {
       content: {
         "application/json": {
-          keys: components["schemas"]["KeyInfo"][];
+          /** @description The id of the challenge. Must be supplied when answering the challenge. */
+          challenge_id: string;
+          options: components["schemas"]["PublicKeyCredentialRequestOptions"];
+        };
+      };
+    };
+    /**
+     * @description Sent by the server to the client. Contains the challenge data that must be
+     * used to generate a new credential
+     */
+    FidoCreateChallengeResponse: {
+      content: {
+        "application/json": {
+          /** @description The id of the challenge. Must be supplied when answering the challenge. */
+          challenge_id: string;
+          options: components["schemas"]["PublicKeyCredentialCreationOptions"];
         };
       };
     };
@@ -1426,15 +2416,53 @@ export interface components {
         };
       };
     };
-    /** @description A wrapped key-import key */
-    KeyImportKey: {
+    /**
+     * @description Proof that an end-user provided CubeSigner with a valid auth token
+     * (either an OIDC token or a CubeSigner session token)
+     */
+    IdentityProof: {
       content: {
-        "application/json": {
-          /** @description Base64-encoded, encrypted data key. */
-          dk_enc: string;
+        "application/json": ({
           /**
-           * Format: int64
-           * @description Expiration timestamp expressed as seconds since the UNIX epoch.
+           * @description OIDC audience; set only if the proof was obtained by using OIDC token.
+           *
+           * In other words, presence of this field testifies that authorization was obtained via OIDC.
+           */
+          aud?: string | null;
+          /**
+           * @description The email associated with the user
+           * @example user@email.com
+           */
+          email: string;
+          exp_epoch: components["schemas"]["EpochDateTime"];
+          identity?: components["schemas"]["OIDCIdentity"] | null;
+          user_info?: components["schemas"]["CubeSignerUserInfo"] | null;
+        }) & {
+          /** @description An opaque identifier for the proof */
+          id: string;
+        };
+      };
+    };
+    /** @description Derivation-related metadata for keys derived from a long-lived mnemonic */
+    KeyDerivationInfo: {
+      content: {
+        "application/json": {
+          /** @description The derivation path used to derive this key */
+          derivation_path: string;
+          /** @description The mnemonic-id of the key's parent mnemonic */
+          mnemonic_id: string;
+        };
+      };
+    };
+    /** @description A wrapped key-import key */
+    KeyImportKey: {
+      content: {
+        "application/json": {
+          /** @description Base64-encoded, encrypted data key. */
+          dk_enc: string;
+          /**
+           * Format: int64
+           * @description Expiration timestamp expressed as seconds since the UNIX epoch.
            */
           expires: number;
           /**
@@ -1450,6 +2478,7 @@ export interface components {
     KeyInfo: {
       content: {
         "application/json": {
+          derivation_info?: components["schemas"]["KeyDerivationInfo"] | null;
           /** @description Whether the key is enabled (only enabled keys may be used for signing) */
           enabled: boolean;
           /**
@@ -1471,14 +2500,22 @@ export interface components {
           owner: string;
           /**
            * @description Key policy
-           * @example []
+           * @example [
+           *   "AllowRawBlobSigning",
+           *   {
+           *     "RequireMfa": {
+           *       "count": 1
+           *     }
+           *   }
+           * ]
            */
           policy: Record<string, never>[];
           /**
            * @description Hex-encoded, serialized public key. The format used depends on the key type:
-           * - secp256k1 keys use 65-byte uncompressed SECG format;
+           * - Secp256k1 keys use 65-byte uncompressed SECG format;
+           * - Stark keys use 33-byte compressed SECG format;
            * - BLS keys use 48-byte compressed BLS12-381 (ZCash) format;
-           * - ed25519 keys use the canonical 64-byte encoding specified in RFC 8032.
+           * - Ed25519 keys use the canonical 32-byte encoding specified in RFC 8032.
            * @example 0x04d2688b6bc2ce7f9879b9e745f3c4dc177908c5cef0c1b64cff19ae7ff27dee623c64fe9d9c325c7fbbc748bbd5f607ce14dd83e28ebbbb7d3e7f2ffb70a79431
            */
           public_key: string;
@@ -1497,11 +2534,11 @@ export interface components {
         };
       };
     };
-    ListRolesResponse: {
+    ListMfaResponse: {
       content: {
         "application/json": {
-          /** @description All roles in an organization. */
-          roles: components["schemas"]["RoleInfo"][];
+          /** @description All pending MFA requests */
+          mfa_requests: components["schemas"]["MfaRequestInfo"][];
         };
       };
     };
@@ -1519,17 +2556,19 @@ export interface components {
           expires_at: components["schemas"]["EpochDateTime"];
           /** @description Approval request ID. */
           id: string;
-          receipt: components["schemas"]["Receipt"] | null;
+          receipt?: components["schemas"]["Receipt"] | null;
           request: components["schemas"]["HttpRequest"];
           status: components["schemas"]["Status"];
         };
       };
     };
-    OidcLoginResponse: {
+    /** @description Information about a new session, returned from multiple endpoints (e.g., login, refresh, etc.). */
+    NewSessionResponse: {
       content: {
         "application/json": {
+          session_info: components["schemas"]["ClientSessionInfo"];
           /**
-           * @description Token to be used for signing auth. Requests to signing endpoints
+           * @description New token to be used for authentication. Requests to signing endpoints
            * should include this value in the `Authorization` header
            */
           token: string;
@@ -1541,12 +2580,8 @@ export interface components {
         "application/json": {
           /** @description When false, all cryptographic operations involving keys in this org are disabled. */
           enabled: boolean;
-          /**
-           * @description The RSA public key to use when importing keys into this organization. This string is the
-           * hex encoding of the DER representation of the key.
-           * @example 30820222300d06092a864886f70d01010105000382020f003082020a0282020100c89765b8f347caafbec09fcb17740e032d854ec99f2d9c16167be335339b4fdeba18a7f13d8e8b7ae7d689cab63d8ecdf548f4746eacaf95b61fef76ade9f81b3c038891c52542fd352697b618afbea6103723c28f2db450e9d852be16a4dc2cbc9442da9a6610044009e056ba90728f0b9888d9b036e493aaed168ccf930fa2f730b17eb3ad6f455a792b762c47f3d3c6b7a7c458556a592e688791599a576bf2149d8e9614db775e7a48602d237a347d5399c681f7f7d9c81f6a64e7cfd356bba545d45e5023ca1f09a66a1d4550f61cf2c4367e14997b5d749bb0326a44d058119e8caf7fd79d517eb2d11dddb2db329f350698f0f978d5e150bb402c8bc4c5ec36d6f38db3f3a204813cda9f52dbcee809204f8e35a455c0e110e10eec41f734f2d55a058a7a21fa90602f94da6de2378ff61e7b3550b77e53d75d7b3d3b39ccab0e5101b916dab01da096f7627175d5b68a1a6464ce5be3e95e7c464d69eb0b675057705c11bc79c3543313b0d9c703c50dc1a16dd9b55e5599e3b02e527b85938e7b81c65e56960bcd7c7a266b07dc05107fd0d7d3c208a878eb0fc74b0d007f421d0c5b28cf78eb441aa0166dceeeac255d68622492f9b526ae13c93754ea8eda96f3b764ba931f8d49c7de8b00ac53d993ab9b08fd2892d8e82cc1a9746f0b426b19256d13d780445e150ce81da0b3c96e32559cb47cb5cb93f805650203010001
-           */
-          key_import_key: string;
+          /** @description Deprecated: this field should be ignored. */
+          key_import_key?: string | null;
           /**
            * @description The organization's universally unique key-wrapping-key identifier.
            * This value is required when setting up key export.
@@ -1585,16 +2620,78 @@ export interface components {
         };
       };
     };
-    RefreshResponse: {
+    PaginatedListKeysResponse: {
       content: {
         "application/json": {
-          session_info: components["schemas"]["ClientSessionInfo"];
+          keys: components["schemas"]["KeyInfo"][];
+        } & ({
           /**
-           * @description New token to be used for signing auth. Requests to signing endpoints
-           * should include this value in the `Authorization` header
+           * @description If set, the content of `response` does not contain the entire result set.
+           * To fetch the next page of the result set, call the same endpoint
+           * but specify this value as the 'page.start' query parameter.
            */
-          token: string;
-        };
+          last_evaluated_key?: string | null;
+        });
+      };
+    };
+    PaginatedListRoleKeysResponse: {
+      content: {
+        "application/json": {
+          /** @description All keys in a role */
+          keys: components["schemas"]["KeyInRoleInfo"][];
+        } & ({
+          /**
+           * @description If set, the content of `response` does not contain the entire result set.
+           * To fetch the next page of the result set, call the same endpoint
+           * but specify this value as the 'page.start' query parameter.
+           */
+          last_evaluated_key?: string | null;
+        });
+      };
+    };
+    PaginatedListRoleUsersResponse: {
+      content: {
+        "application/json": {
+          /** @description All users in a role */
+          users: components["schemas"]["UserInRoleInfo"][];
+        } & ({
+          /**
+           * @description If set, the content of `response` does not contain the entire result set.
+           * To fetch the next page of the result set, call the same endpoint
+           * but specify this value as the 'page.start' query parameter.
+           */
+          last_evaluated_key?: string | null;
+        });
+      };
+    };
+    PaginatedListRolesResponse: {
+      content: {
+        "application/json": {
+          /** @description All roles in an organization. */
+          roles: components["schemas"]["RoleInfo"][];
+        } & ({
+          /**
+           * @description If set, the content of `response` does not contain the entire result set.
+           * To fetch the next page of the result set, call the same endpoint
+           * but specify this value as the 'page.start' query parameter.
+           */
+          last_evaluated_key?: string | null;
+        });
+      };
+    };
+    PaginatedSessionsResponse: {
+      content: {
+        "application/json": {
+          /** @description The list of sessions */
+          sessions: components["schemas"]["SessionInfo"][];
+        } & ({
+          /**
+           * @description If set, the content of `response` does not contain the entire result set.
+           * To fetch the next page of the result set, call the same endpoint
+           * but specify this value as the 'page.start' query parameter.
+           */
+          last_evaluated_key?: string | null;
+        });
       };
     };
     RevokeTokenResponse: {
@@ -1620,8 +2717,8 @@ export interface components {
            * @example true
            */
           enabled: boolean;
-          /** @description The CubeSigner IDs of the keys */
-          keys: components["schemas"]["KeyWithPolicies"][];
+          /** @description Deprecated The CubeSigner IDs of at most 100 keys associated with this role */
+          keys?: components["schemas"]["KeyInRoleInfo"][] | null;
           /**
            * @description The human-readable name for the role (must be alphanumeric)
            * @example my_role
@@ -1632,14 +2729,33 @@ export interface components {
            * @example Role#bfe3eccb-731e-430d-b1e5-ac1363e6b06b
            */
           role_id: string;
+          /** @description Deprecated. The list of at most 100 users with access to the role. */
+          users?: string[] | null;
+        };
+      };
+    };
+    SessionInfo: {
+      content: {
+        "application/json": {
           /**
-           * @description The list of users with access to the role
-           * @example [
-           *   "User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f",
-           *   "User#5593c25b-52e2-4fb5-b39b-96d41d681d82"
-           * ]
+           * @description A human-readable description for the session
+           * @example OIDC login session
+           */
+          purpose: string;
+          /**
+           * @description Session ID. Uniquely identifies the session, but cannot be used for auth.
+           * @example 77aad2100c361f497635dd005c4d15781e2e5df4b9f45d8e74f37425cbc30b9e
            */
-          users: string[];
+          session_id: string;
+        };
+      };
+    };
+    /** @description The response from any operation operating on multiple sessions */
+    SessionsResponse: {
+      content: {
+        "application/json": {
+          /** @description The list of sessions */
+          sessions: components["schemas"]["SessionInfo"][];
         };
       };
     };
@@ -1663,9 +2779,24 @@ export interface components {
         };
       };
     };
+    TokenInfo: {
+      content: {
+        "application/json": {
+          /** @description Session ID. Use it to revoke a session. Cannot be used for auth. */
+          hash: string;
+          /** @description Tokens purpose */
+          purpose: string;
+        };
+      };
+    };
     TotpInfo: {
       content: {
         "application/json": {
+          /**
+           * @description The ID of the TOTP challenge.
+           * @example TotpChallenge#7892ebba-563e-485b-bb7d-e26267363286
+           */
+          totp_id: string;
           /**
            * @description Standard TOTP url which includes everything needed to initialize TOTP.
            * @example otpauth://totp/Cubist:alice-%40example.com?secret=DAHF7KCOTQWSOMK4XFEMNHXO4J433OD7&issuer=Cubist
@@ -1733,6 +2864,8 @@ export interface components {
           email: string;
           /** @description All multi-factor authentication methods configured for this user */
           mfa: components["schemas"]["ConfiguredMfa"][];
+          /** @description MFA policy, applies before logging in and other sensitive operations */
+          mfa_policy?: Record<string, unknown> | null;
           /**
            * @description All organizations the user belongs to
            * @example [
@@ -1755,17 +2888,20 @@ export interface components {
   pathItems: never;
 }
 
+export type $defs = Record<string, never>;
+
 export type external = Record<string, never>;
 
 export interface operations {
 
   /**
    * User Info
+   * @deprecated
    * @description User Info
    *
    * Retrieves information about the current user.
    */
-  aboutMe: {
+  aboutMeLegacy: {
     responses: {
       200: components["responses"]["UserInfo"];
       default: {
@@ -1831,13 +2967,13 @@ export interface operations {
     };
   };
   /**
-   * Sign Bitcoin Transaction
-   * @description Sign Bitcoin Transaction
+   * Sign Avalanche X- or P-Chain Message
+   * @description Sign Avalanche X- or P-Chain Message
    *
-   * Signs a Bitcoin transaction with a given key.
+   * Signs an Avalanche message with a given SecpAva key.
    * This is a pre-release feature.
    */
-  btcSign: {
+  avaSign: {
     parameters: {
       path: {
         /**
@@ -1846,19 +2982,19 @@ export interface operations {
          */
         org_id: string;
         /**
-         * @description bech32 encoding of the public key
-         * @example bc1q5p5qkae77ly80kr4pyfytdqm7rf08ddhdejl9g
+         * @description Avalanche bech32 address format without the chain prefix
+         * @example avax1am4w6hfrvmh3akduzkjthrtgtqafalce6an8cr
          */
         pubkey: string;
       };
     };
     requestBody: {
       content: {
-        "application/json": components["schemas"]["BtcSignRequest"];
+        "application/json": components["schemas"]["AvaSignRequest"];
       };
     };
     responses: {
-      200: components["responses"]["BtcSignResponse"];
+      200: components["responses"]["AvaSignResponse"];
       202: {
         content: {
           "application/json": components["schemas"]["AcceptedResponse"];
@@ -1872,12 +3008,13 @@ export interface operations {
     };
   };
   /**
-   * Create Key-Import Key
-   * @description Create Key-Import Key
+   * Sign Bitcoin Transaction
+   * @description Sign Bitcoin Transaction
    *
-   * Generate an ephemeral key that a client can use for key-import encryption.
+   * Signs a Bitcoin transaction with a given key.
+   * This is a pre-release feature.
    */
-  createKeyImportKey: {
+  btcSign: {
     parameters: {
       path: {
         /**
@@ -1885,10 +3022,25 @@ export interface operations {
          * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
          */
         org_id: string;
+        /**
+         * @description bech32 encoding of the public key
+         * @example bc1q5p5qkae77ly80kr4pyfytdqm7rf08ddhdejl9g
+         */
+        pubkey: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["BtcSignRequest"];
       };
     };
     responses: {
-      200: components["responses"]["CreateKeyImportKeyResponse"];
+      200: components["responses"]["BtcSignResponse"];
+      202: {
+        content: {
+          "application/json": components["schemas"]["AcceptedResponse"];
+        };
+      };
       default: {
         content: {
           "application/json": components["schemas"]["ErrorResponse"];
@@ -1897,12 +3049,13 @@ export interface operations {
     };
   };
   /**
-   * Import Key
-   * @description Import Key
+   * Derive Key From Long-Lived Mnemonic
+   * @description Derive Key From Long-Lived Mnemonic
    *
-   * Securely imports an existing key using a previously generated key-import key.
+   * Derives a key of a specified type using a supplied derivation path and an
+   * existing long-lived mnemonic.
    */
-  importKey: {
+  deriveKey: {
     parameters: {
       path: {
         /**
@@ -1914,7 +3067,7 @@ export interface operations {
     };
     requestBody: {
       content: {
-        "application/json": components["schemas"]["ImportKeyRequest"];
+        "application/json": components["schemas"]["DeriveKeyRequest"];
       };
     };
     responses: {
@@ -1927,12 +3080,12 @@ export interface operations {
     };
   };
   /**
-   * Invite User
-   * @description Invite User
+   * Sign EIP-712 Typed Data
+   * @description Sign EIP-712 Typed Data
    *
-   * Creates a new user in an existing org and sends that user an invite email.
+   * Signs typed data according to EIP-712 with a given Secp256k1 key.
    */
-  invite: {
+  eip712Sign: {
     parameters: {
       path: {
         /**
@@ -1940,15 +3093,25 @@ export interface operations {
          * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
          */
         org_id: string;
+        /**
+         * @description Hex-encoded ethereum address of the secp key
+         * @example 0x49011adbCC3bC9c0307BB07F37Dda1a1a9c69d2E
+         */
+        pubkey: string;
       };
     };
     requestBody: {
       content: {
-        "application/json": components["schemas"]["InviteRequest"];
+        "application/json": components["schemas"]["Eip712SignRequest"];
       };
     };
     responses: {
-      200: components["responses"]["EmptyImpl"];
+      200: components["responses"]["Eip712SignResponse"];
+      202: {
+        content: {
+          "application/json": components["schemas"]["AcceptedResponse"];
+        };
+      };
       default: {
         content: {
           "application/json": components["schemas"]["ErrorResponse"];
@@ -1957,20 +3120,17 @@ export interface operations {
     };
   };
   /**
-   * List Keys
-   * @description List Keys
+   * Create [IdentityProof] from CubeSigner user session
+   * @description Create [IdentityProof] from CubeSigner user session
    *
-   * Gets the list of owned keys in a given org.
+   * This route can be used to prove to another party that a user has a
+   * valid CubeSigner session.
+   *
+   * Clients are intended to call this route and pass the returned evidence
+   * to another service which will verify it by making a request to `/v0/org/<org_id>/identity/verify`.
    */
-  listKeysInOrg: {
+  createProofCubeSigner: {
     parameters: {
-      query?: {
-        /**
-         * @description Filter by key type
-         * @example SecpEthAddr
-         */
-        key_type?: components["schemas"]["KeyType"];
-      };
       path: {
         /**
          * @description Name or ID of the desired Org
@@ -1980,7 +3140,7 @@ export interface operations {
       };
     };
     responses: {
-      200: components["responses"]["GetKeysInOrgResponse"];
+      200: components["responses"]["IdentityProof"];
       default: {
         content: {
           "application/json": components["schemas"]["ErrorResponse"];
@@ -1989,12 +3149,19 @@ export interface operations {
     };
   };
   /**
-   * Import Key (Deprecated)
-   * @description Import Key (Deprecated)
+   * Create [IdentityProof] from OIDC token
+   * @description Create [IdentityProof] from OIDC token
+   *
+   * Exchange an OIDC ID token (passed via the `Authorization` header) for a proof of authentication.
    *
-   * Securely imports an existing key. This API is deprecated; please use the new version.
+   * This route can be used to prove to another party that a user has met the
+   * authentication requirements (allowed issuers & audiences) for CubeSigner
+   * without leaking their credentials.
+   *
+   * Clients are intended to call this route and pass the returned evidence to another service
+   * which will verify it by making a request to `/v0/org/<org_id>/identity/verify`.
    */
-  importKeyLegacy: {
+  createProofOidc: {
     parameters: {
       path: {
         /**
@@ -2004,13 +3171,8 @@ export interface operations {
         org_id: string;
       };
     };
-    requestBody: {
-      content: {
-        "application/json": components["schemas"]["ImportKeyLegacyRequest"];
-      };
-    };
     responses: {
-      200: components["responses"]["CreateKeyResponse"];
+      200: components["responses"]["IdentityProof"];
       default: {
         content: {
           "application/json": components["schemas"]["ErrorResponse"];
@@ -2019,12 +3181,15 @@ export interface operations {
     };
   };
   /**
-   * Create Key
-   * @description Create Key
+   * Verify identity proof
+   * @description Verify identity proof
    *
-   * Creates one or more new keys of the specified type (BLS or Secp).
+   * Allows a third-party to validate proof of authentication.
+   *
+   * When a third-party is provided an [IdentityProof] object, they must check its
+   * veracity by calling this endpoint
    */
-  createKey: {
+  verifyProof: {
     parameters: {
       path: {
         /**
@@ -2036,26 +3201,19 @@ export interface operations {
     };
     requestBody: {
       content: {
-        "application/json": components["schemas"]["CreateKeyRequest"];
+        "application/json": components["schemas"]["IdentityProof"];
       };
     };
     responses: {
-      200: components["responses"]["CreateKeyResponse"];
-      default: {
-        content: {
-          "application/json": components["schemas"]["ErrorResponse"];
-        };
-      };
     };
   };
   /**
-   * Legacy List Keys
-   * @deprecated
-   * @description Legacy List Keys
+   * Create Key-Import Key
+   * @description Create Key-Import Key
    *
-   * This route is deprecated. Use `GET /v0/org/<org_id>/keys?<key_type>`
+   * Generate an ephemeral key that a client can use for key-import encryption.
    */
-  listKeysLegacy: {
+  createKeyImportKey: {
     parameters: {
       path: {
         /**
@@ -2065,13 +3223,8 @@ export interface operations {
         org_id: string;
       };
     };
-    requestBody: {
-      content: {
-        "application/json": components["schemas"]["GetKeysInOrgRequest"];
-      };
-    };
     responses: {
-      200: components["responses"]["GetKeysInOrgResponse"];
+      200: components["responses"]["CreateKeyImportKeyResponse"];
       default: {
         content: {
           "application/json": components["schemas"]["ErrorResponse"];
@@ -2080,12 +3233,12 @@ export interface operations {
     };
   };
   /**
-   * Get Key
-   * @description Get Key
+   * Import Key
+   * @description Import Key
    *
-   * Returns the properties of a key.
+   * Securely imports an existing key using a previously generated key-import key.
    */
-  getKeyInOrg: {
+  importKey: {
     parameters: {
       path: {
         /**
@@ -2093,15 +3246,15 @@ export interface operations {
          * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
          */
         org_id: string;
-        /**
-         * @description ID of the key
-         * @example Key#0x8e3484687e66cdd26cf04c3647633ab4f3570148
-         */
-        key_id: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["ImportKeyRequest"];
       };
     };
     responses: {
-      200: components["responses"]["KeyInfo"];
+      200: components["responses"]["CreateKeyResponse"];
       default: {
         content: {
           "application/json": components["schemas"]["ErrorResponse"];
@@ -2110,12 +3263,12 @@ export interface operations {
     };
   };
   /**
-   * Update Key
-   * @description Update Key
+   * Invite User
+   * @description Invite User
    *
-   * Enable or disable a key.  The user must be the owner of the key or organization to perform this action.
+   * Creates a new user in an existing org and sends that user an invite email.
    */
-  updateKey: {
+  invite: {
     parameters: {
       path: {
         /**
@@ -2123,20 +3276,15 @@ export interface operations {
          * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
          */
         org_id: string;
-        /**
-         * @description ID of the key
-         * @example Key#0x8e3484687e66cdd26cf04c3647633ab4f3570148
-         */
-        key_id: string;
       };
     };
     requestBody: {
       content: {
-        "application/json": components["schemas"]["UpdateKeyRequest"];
+        "application/json": components["schemas"]["InviteRequest"];
       };
     };
     responses: {
-      200: components["responses"]["KeyInfo"];
+      200: components["responses"]["EmptyImpl"];
       default: {
         content: {
           "application/json": components["schemas"]["ErrorResponse"];
@@ -2145,28 +3293,43 @@ export interface operations {
     };
   };
   /**
-   * Gets a Pending MFA Request
-   * @description Gets a Pending MFA Request
+   * List Keys
+   * @description List Keys
    *
-   * Retrieves and returns a pending MFA request by its id.
+   * Gets the list of owned keys in a given org.
    */
-  mfaGet: {
+  listKeysInOrg: {
     parameters: {
+      query?: {
+        /**
+         * @description Max number of items to return per page.
+         *
+         * If the actual number of returned items may be less that this, even if there exist more
+         * data in the result set. To reliably determine if more data is left in the result set,
+         * inspect the [UnencryptedLastEvalKey] value in the response object.
+         */
+        "page.size"?: number;
+        /**
+         * @description The start of the page.  Omit to start from the beginning; otherwise, only specify a
+         * the exact value previously returned as 'last_evaluated_key' from the same endpoint.
+         */
+        "page.start"?: components["schemas"]["LastEvalKey"] | null;
+        /**
+         * @description Filter by key type
+         * @example SecpEthAddr
+         */
+        key_type?: components["schemas"]["KeyType"] | null;
+      };
       path: {
         /**
          * @description Name or ID of the desired Org
          * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
          */
         org_id: string;
-        /**
-         * @description ID of the approval
-         * @example ...
-         */
-        mfa_id: string;
       };
     };
     responses: {
-      200: components["responses"]["MfaRequestInfo"];
+      200: components["responses"]["PaginatedListKeysResponse"];
       default: {
         content: {
           "application/json": components["schemas"]["ErrorResponse"];
@@ -2175,14 +3338,12 @@ export interface operations {
     };
   };
   /**
-   * Approve a Pending MFA Request
-   * @description Approve a Pending MFA Request
+   * Create Key
+   * @description Create Key
    *
-   * Adds the current user as an approver of a pending MFA request of the [Status::RequiredApprovers] kind.
-   * If the required number of approvers is reached, the MFA request is approved;
-   * the confirmation receipt can be used to resume the original HTTP request.
+   * Creates one or more new keys of the specified type.
    */
-  mfaApproveCs: {
+  createKey: {
     parameters: {
       path: {
         /**
@@ -2190,15 +3351,15 @@ export interface operations {
          * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
          */
         org_id: string;
-        /**
-         * @description ID of the MFA approval request
-         * @example MfaRequest#6de79de4-662c-4203-9235-b6ace5cb432b
-         */
-        mfa_id: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["CreateKeyRequest"];
       };
     };
     responses: {
-      200: components["responses"]["MfaRequestInfo"];
+      200: components["responses"]["CreateKeyResponse"];
       default: {
         content: {
           "application/json": components["schemas"]["ErrorResponse"];
@@ -2207,10 +3368,263 @@ export interface operations {
     };
   };
   /**
-   * Approve a TOTP MFA Request
-   * @description Approve a TOTP MFA Request
+   * Get Key
+   * @description Get Key
    *
-   * Adds an approver to a pending TOTP MFA request.
+   * Returns the properties of a key.
+   */
+  getKeyInOrg: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description ID of the desired Key
+         * @example Key#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        key_id: string;
+      };
+    };
+    responses: {
+      200: components["responses"]["KeyInfo"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Delete Key
+   * @description Delete Key
+   *
+   * Deletes a key specified by its ID.
+   * Only the key owner and org owners are allowed to delete keys.
+   */
+  deleteKey: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description ID of the desired Key
+         * @example Key#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        key_id: string;
+      };
+    };
+    responses: {
+      200: components["responses"]["EmptyImpl"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Update Key
+   * @description Update Key
+   *
+   * Enable or disable a key.  The user must be the owner of the key or organization to perform this action.
+   */
+  updateKey: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description ID of the desired Key
+         * @example Key#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        key_id: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["UpdateKeyRequest"];
+      };
+    };
+    responses: {
+      200: components["responses"]["KeyInfo"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * List Pending MFA Requests
+   * @description List Pending MFA Requests
+   *
+   * Retrieves and returns all pending MFA requests that are accessible to the current user,
+   * i.e., those in which the current user is listed as an approver
+   */
+  mfaList: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+      };
+    };
+    responses: {
+      200: components["responses"]["ListMfaResponse"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Get Pending MFA Request
+   * @description Get Pending MFA Request
+   *
+   * Retrieves and returns a pending MFA request by its id.
+   */
+  mfaGet: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description Name or ID of the desired MfaRequest
+         * @example MfaRequest#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        mfa_id: string;
+      };
+    };
+    responses: {
+      200: components["responses"]["MfaRequestInfo"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Approve MFA Request
+   * @description Approve MFA Request
+   *
+   * Approve request after logging in with CubeSigner. Adds the currently-logged user as an approver
+   * of a pending MFA request of the [Status::RequiredApprovers] kind. If the required number of
+   * approvers is reached, the MFA request is approved; the confirmation receipt can be used to
+   * resume the original HTTP request.
+   */
+  mfaApproveCs: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description Name or ID of the desired MfaRequest
+         * @example MfaRequest#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        mfa_id: string;
+      };
+    };
+    responses: {
+      200: components["responses"]["MfaRequestInfo"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Initiate Approving an MFA Request with FIDO
+   * @description Initiate Approving an MFA Request with FIDO
+   *
+   * Initiates the approval process of an MFA Request using FIDO.
+   */
+  mfaApproveFido: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description Name or ID of the desired MfaRequest
+         * @example MfaRequest#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        mfa_id: string;
+      };
+    };
+    responses: {
+      200: components["responses"]["FidoAssertChallenge"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Finalize a FIDO MFA Approval
+   * @description Finalize a FIDO MFA Approval
+   *
+   * Adds an approver to a pending MFA request.
+   *
+   * If the required number of approvers is reached, the MFA request is approved;
+   * the confirmation receipt can be used to resume the original HTTP request.
+   */
+  mfaApproveFidoComplete: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description Name or ID of the desired MfaRequest
+         * @example MfaRequest#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        mfa_id: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["FidoAssertAnswer"];
+      };
+    };
+    responses: {
+      200: components["responses"]["MfaRequestInfo"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Approve a TOTP MFA Request
+   * @description Approve a TOTP MFA Request
+   *
+   * Adds the current user as approver to a pending MFA request by providing TOTP code.
    *
    * If the required number of approvers is reached, the MFA request is approved;
    * the confirmation receipt can be used to resume the original HTTP request.
@@ -2224,8 +3638,8 @@ export interface operations {
          */
         org_id: string;
         /**
-         * @description ID of the MFA approval request
-         * @example MfaRequest#6de79de4-662c-4203-9235-b6ace5cb432b
+         * @description Name or ID of the desired MfaRequest
+         * @example MfaRequest#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
          */
         mfa_id: string;
       };
@@ -2266,7 +3680,7 @@ export interface operations {
       };
     };
     responses: {
-      200: components["responses"]["OidcLoginResponse"];
+      200: components["responses"]["NewSessionResponse"];
       202: {
         content: {
           "application/json": components["schemas"]["AcceptedResponse"];
@@ -2287,6 +3701,23 @@ export interface operations {
    */
   listRoles: {
     parameters: {
+      query?: {
+        /**
+         * @description Max number of items to return per page.
+         *
+         * If the actual number of returned items may be less that this, even if there exist more
+         * data in the result set. To reliably determine if more data is left in the result set,
+         * inspect the [UnencryptedLastEvalKey] value in the response object.
+         */
+        "page.size"?: number;
+        /**
+         * @description The start of the page.  Omit to start from the beginning; otherwise, only specify a
+         * the exact value previously returned as 'last_evaluated_key' from the same endpoint.
+         */
+        "page.start"?: components["schemas"]["LastEvalKey"] | null;
+        /** @description Don't include keys and users for each role */
+        summarize?: boolean | null;
+      };
       path: {
         /**
          * @description Name or ID of the desired Org
@@ -2296,7 +3727,7 @@ export interface operations {
       };
     };
     responses: {
-      200: components["responses"]["ListRolesResponse"];
+      200: components["responses"]["PaginatedListRolesResponse"];
       default: {
         content: {
           "application/json": components["schemas"]["ErrorResponse"];
@@ -2324,7 +3755,7 @@ export interface operations {
     /** @description Optional request body to set the role name */
     requestBody?: {
       content: {
-        "application/json": components["schemas"]["CreateRoleRequest"];
+        "application/json": components["schemas"]["CreateRoleRequest"] | null;
       };
     };
     responses: {
@@ -2483,8 +3914,8 @@ export interface operations {
          */
         role_id: string;
         /**
-         * @description ID of the user to add to role
-         * @example User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f
+         * @description ID of the desired User
+         * @example User#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
          */
         user_id: string;
       };
@@ -2492,13 +3923,477 @@ export interface operations {
     responses: {
     };
   };
+  /**
+   * List Role Keys
+   * @description List Role Keys
+   *
+   * Returns an array of all keys in a role.
+   */
+  listRoleKeys: {
+    parameters: {
+      query?: {
+        /**
+         * @description Max number of items to return per page.
+         *
+         * If the actual number of returned items may be less that this, even if there exist more
+         * data in the result set. To reliably determine if more data is left in the result set,
+         * inspect the [UnencryptedLastEvalKey] value in the response object.
+         */
+        "page.size"?: number;
+        /**
+         * @description The start of the page.  Omit to start from the beginning; otherwise, only specify a
+         * the exact value previously returned as 'last_evaluated_key' from the same endpoint.
+         */
+        "page.start"?: components["schemas"]["LastEvalKey"] | null;
+      };
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description Name or ID of the desired Role
+         * @example Role#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        role_id: string;
+      };
+    };
+    responses: {
+      200: components["responses"]["PaginatedListRoleKeysResponse"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
   /**
    * Remove Key
    * @description Remove Key
    *
    * Removes a given key from a role
    */
-  removeKeyFromRole: {
+  removeKeyFromRole: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description Name or ID of the desired Role
+         * @example Role#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        role_id: string;
+        /**
+         * @description ID of the desired Key
+         * @example Key#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        key_id: string;
+      };
+    };
+    responses: {
+    };
+  };
+  /**
+   * List a single page of Tokens (Deprecated)
+   * @deprecated
+   * @description List a single page of Tokens (Deprecated)
+   *
+   * **Deprecated**: Use `GET /org/{org_id}/session?role=`
+   *
+   * Returns all access tokens for a given role.
+   * Only users in the role or owners can create a token for it.
+   */
+  listRoleTokens: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description Name or ID of the desired Role
+         * @example Role#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        role_id: string;
+      };
+    };
+    responses: {
+      200: components["responses"]["ListTokensResponse"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Create Token
+   * @description Create Token
+   *
+   * Creates a new access token for a given role (to be used as "API Key" for all signing actions).
+   * Only users in the role or owners can create a token for it.
+   */
+  createRoleToken: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description Name or ID of the desired Role
+         * @example Role#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        role_id: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["CreateTokenRequest"];
+      };
+    };
+    responses: {
+      200: components["responses"]["NewSessionResponse"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Revoke All Tokens (Deprecated)
+   * @deprecated
+   * @description Revoke All Tokens (Deprecated)
+   *
+   * **Deprecated**: Use `DELETE /org/{org_id}/session?role=` instead
+   *
+   * Revokes all access tokens associated with a role.
+   * Only users in the role or owners can perform this action.
+   */
+  revokeAllRoleTokens: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description Name or ID of the desired Role
+         * @example Role#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        role_id: string;
+      };
+    };
+    responses: {
+      200: components["responses"]["RevokeTokensResponse"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Revoke Token (Deprecated)
+   * @deprecated
+   * @description Revoke Token (Deprecated)
+   *
+   * **Deprecated**: Use `DELETE /org/{org_id}/session/{session_id}`
+   *
+   * Revokes an access token associated with a role.
+   * Only users in the role or owners can perform this action.
+   */
+  revokeRoleToken: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description Name or ID of the desired Role
+         * @example Role#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        role_id: string;
+        /**
+         * @description The ID of the session to revoke
+         * @example 77aad2100c361f497635dd005c4d15781e2e5df4b9f45d8e74f37425cbc30b9e
+         */
+        session_id: string;
+      };
+    };
+    responses: {
+      200: components["responses"]["RevokeTokenResponse"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * List Role Users.
+   * @description List Role Users.
+   *
+   * Returns an array of all users who have access to a role.
+   */
+  listRoleUsers: {
+    parameters: {
+      query?: {
+        /**
+         * @description Max number of items to return per page.
+         *
+         * If the actual number of returned items may be less that this, even if there exist more
+         * data in the result set. To reliably determine if more data is left in the result set,
+         * inspect the [UnencryptedLastEvalKey] value in the response object.
+         */
+        "page.size"?: number;
+        /**
+         * @description The start of the page.  Omit to start from the beginning; otherwise, only specify a
+         * the exact value previously returned as 'last_evaluated_key' from the same endpoint.
+         */
+        "page.start"?: components["schemas"]["LastEvalKey"] | null;
+      };
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description Name or ID of the desired Role
+         * @example Role#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        role_id: string;
+      };
+    };
+    responses: {
+      200: components["responses"]["PaginatedListRoleUsersResponse"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * List sessions
+   * @description List sessions
+   *
+   * If no query parameters are provided, information for the current session is returned
+   */
+  listSessions: {
+    parameters: {
+      query?: {
+        /**
+         * @description Max number of items to return per page.
+         *
+         * If the actual number of returned items may be less that this, even if there exist more
+         * data in the result set. To reliably determine if more data is left in the result set,
+         * inspect the [UnencryptedLastEvalKey] value in the response object.
+         */
+        "page.size"?: number;
+        /**
+         * @description The start of the page.  Omit to start from the beginning; otherwise, only specify a
+         * the exact value previously returned as 'last_evaluated_key' from the same endpoint.
+         */
+        "page.start"?: components["schemas"]["LastEvalKey"] | null;
+        /**
+         * @description If provided, the name or ID of a role to operate on
+         * @example my-role
+         */
+        role?: string | null;
+      };
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+      };
+    };
+    responses: {
+      200: components["responses"]["PaginatedSessionsResponse"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Revoke existing session(s)
+   * @description Revoke existing session(s)
+   *
+   * Immediately revokes existing sessions, preventing them from being used or refreshed.
+   * If no query params are provided, the current session is revoked.
+   */
+  revokeSessions: {
+    parameters: {
+      query?: {
+        /**
+         * @description If provided, the name or ID of a role to operate on
+         * @example my-role
+         */
+        role?: string | null;
+      };
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+      };
+    };
+    responses: {
+      200: components["responses"]["SessionsResponse"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Get session information
+   * @description Get session information
+   */
+  getSession: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description The ID of the session to get
+         * @example 77aad2100c361f497635dd005c4d15781e2e5df4b9f45d8e74f37425cbc30b9e
+         */
+        session_id: string;
+      };
+    };
+    responses: {
+      200: components["responses"]["SessionInfo"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Revoke a session
+   * @description Revoke a session
+   *
+   * Immediately revokes an existing session, preventing it from being used or refreshed
+   */
+  revokeSession: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description The ID of the session to revoke
+         * @example 77aad2100c361f497635dd005c4d15781e2e5df4b9f45d8e74f37425cbc30b9e
+         */
+        session_id: string;
+      };
+    };
+    responses: {
+      200: components["responses"]["SessionInfo"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Sign Solana Message
+   * @description Sign Solana Message
+   *
+   * Signs a Solana message with a given key.
+   * This is a pre-release feature.
+   */
+  solanaSign: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description The base58-encoded public key
+         * @example 86ZRPszBp5EoPj7wR3bHn7wnAZ5iYfpasRc7DKFPTUaZ
+         */
+        pubkey: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["SolanaSignRequest"];
+      };
+    };
+    responses: {
+      200: components["responses"]["SolanaSignResponse"];
+      202: {
+        content: {
+          "application/json": components["schemas"]["AcceptedResponse"];
+        };
+      };
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Get Token-Accessible Keys
+   * @description Get Token-Accessible Keys
+   *
+   * Retrieves the keys that the role token can access.
+   */
+  listTokenKeys: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+      };
+    };
+    responses: {
+      200: components["responses"]["KeyInfos"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * User Info
+   * @description User Info
+   *
+   * Retrieves information about the current user.
+   */
+  aboutMe: {
     parameters: {
       path: {
         /**
@@ -2506,29 +4401,24 @@ export interface operations {
          * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
          */
         org_id: string;
-        /**
-         * @description Name or ID of the desired Role
-         * @example Role#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
-         */
-        role_id: string;
-        /**
-         * @description ID of the desired Key
-         * @example Key#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
-         */
-        key_id: string;
       };
     };
     responses: {
+      200: components["responses"]["UserInfo"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
     };
   };
   /**
-   * List Tokens
-   * @description List Tokens
+   * Initiate registration of a FIDO key
+   * @description Initiate registration of a FIDO key
    *
-   * Returns all access tokens for a given role.
-   * Only users in the role or owners can create a token for it.
+   * Generates a challenge that must be answered to prove ownership of a key
    */
-  listRoleTokens: {
+  userRegisterFidoInit: {
     parameters: {
       path: {
         /**
@@ -2536,15 +4426,20 @@ export interface operations {
          * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
          */
         org_id: string;
-        /**
-         * @description Name or ID of the desired Role
-         * @example Role#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
-         */
-        role_id: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["FidoCreateRequest"];
       };
     };
     responses: {
-      200: components["responses"]["ListTokensResponse"];
+      200: components["responses"]["FidoCreateChallengeResponse"];
+      202: {
+        content: {
+          "application/json": components["schemas"]["AcceptedResponse"];
+        };
+      };
       default: {
         content: {
           "application/json": components["schemas"]["ErrorResponse"];
@@ -2553,13 +4448,12 @@ export interface operations {
     };
   };
   /**
-   * Create Token
-   * @description Create Token
+   * Finalize registration of a FIDO key
+   * @description Finalize registration of a FIDO key
    *
-   * Creates a new access token for a given role (to be used as "API Key" for all signing actions).
-   * Only users in the role or owners can create a token for it.
+   * Accepts the response to the challenge generated by the POST to this endpoint.
    */
-  createRoleToken: {
+  userRegisterFidoComplete: {
     parameters: {
       path: {
         /**
@@ -2567,20 +4461,15 @@ export interface operations {
          * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
          */
         org_id: string;
-        /**
-         * @description Name or ID of the desired Role
-         * @example Role#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
-         */
-        role_id: string;
       };
     };
     requestBody: {
       content: {
-        "application/json": components["schemas"]["CreateTokenRequest"];
+        "application/json": components["schemas"]["FidoCreateChallengeAnswer"];
       };
     };
     responses: {
-      200: components["responses"]["CreateTokenResponse"];
+      200: components["responses"]["EmptyImpl"];
       default: {
         content: {
           "application/json": components["schemas"]["ErrorResponse"];
@@ -2589,13 +4478,18 @@ export interface operations {
     };
   };
   /**
-   * Revoke All Tokens
-   * @description Revoke All Tokens
+   * Initialize TOTP Reset
+   * @description Initialize TOTP Reset
    *
-   * Revokes all access tokens associated with a role.
-   * Only users in the role or owners can perform this action.
+   * Creates a new TOTP challenge that must be answered to prove that the new TOTP
+   * was successfully imported into an authenticator app.
+   *
+   * This operation is allowed if EITHER
+   * - the user account is not yet initialized and no TOTP is already set, OR
+   * - the user has not configured any auth factors;
+   * otherwise, MFA is required.
    */
-  revokeAllRoleTokens: {
+  userResetTotpInit: {
     parameters: {
       path: {
         /**
@@ -2603,15 +4497,20 @@ export interface operations {
          * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
          */
         org_id: string;
-        /**
-         * @description Name or ID of the desired Role
-         * @example Role#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
-         */
-        role_id: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["Empty"];
       };
     };
     responses: {
-      200: components["responses"]["RevokeTokensResponse"];
+      200: components["responses"]["TotpInfo"];
+      202: {
+        content: {
+          "application/json": components["schemas"]["AcceptedResponse"];
+        };
+      };
       default: {
         content: {
           "application/json": components["schemas"]["ErrorResponse"];
@@ -2620,13 +4519,13 @@ export interface operations {
     };
   };
   /**
-   * Revoke Token
-   * @description Revoke Token
+   * Finalize resetting TOTP
+   * @description Finalize resetting TOTP
    *
-   * Revokes an access token associated with a role.
-   * Only users in the role or owners can perform this action.
+   * Checks if the response contains the correct TOTP code corresponding to the
+   * challenge generated by the POST method of this endpoint.
    */
-  revokeRoleToken: {
+  userResetTotpComplete: {
     parameters: {
       path: {
         /**
@@ -2634,20 +4533,15 @@ export interface operations {
          * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
          */
         org_id: string;
-        /**
-         * @description Name or ID of the desired Role
-         * @example Role#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
-         */
-        role_id: string;
-        /**
-         * @description The ID of the session to revoke
-         * @example 77aad2100c361f497635dd005c4d15781e2e5df4b9f45d8e74f37425cbc30b9e
-         */
-        session_id: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["TotpChallengeAnswer"];
       };
     };
     responses: {
-      200: components["responses"]["RevokeTokenResponse"];
+      200: components["responses"]["EmptyImpl"];
       default: {
         content: {
           "application/json": components["schemas"]["ErrorResponse"];
@@ -2656,12 +4550,13 @@ export interface operations {
     };
   };
   /**
-   * Get Token-Accessible Keys
-   * @description Get Token-Accessible Keys
+   * Verify TOTP
+   * @description Verify TOTP
    *
-   * Retrieves the keys that the role token can access.
+   * Checks if a given code matches the current TOTP code for the current user.
+   * Errors with 403 if the current user has not set up TOTP or the code fails verification.
    */
-  listTokenKeys: {
+  userVerifyTotp: {
     parameters: {
       path: {
         /**
@@ -2671,8 +4566,13 @@ export interface operations {
         org_id: string;
       };
     };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["TotpApproveRequest"];
+      };
+    };
     responses: {
-      200: components["responses"]["KeyInfos"];
+      200: components["responses"]["EmptyImpl"];
       default: {
         content: {
           "application/json": components["schemas"]["ErrorResponse"];
@@ -2704,8 +4604,8 @@ export interface operations {
     };
   };
   /**
-   * Adds a third-party user to the org
-   * @description Adds a third-party user to the org
+   * Add a third-party user to the org
+   * @description Add a third-party user to the org
    */
   createOidcUser: {
     parameters: {
@@ -2732,15 +4632,131 @@ export interface operations {
     };
   };
   /**
-   * Reset TOTP
-   * @description Reset TOTP
+   * Remove a third-party user from the org
+   * @description Remove a third-party user from the org
+   */
+  deleteOidcUser: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["OIDCIdentity"];
+      };
+    };
+    responses: {
+      200: components["responses"]["EmptyImpl"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Initiate registration of a FIDO key
+   * @deprecated
+   * @description Initiate registration of a FIDO key
+   *
+   * Generates a challenge that must be answered to prove ownership of a key
+   */
+  registerFidoInitLegacy: {
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["FidoCreateRequest"];
+      };
+    };
+    responses: {
+      200: components["responses"]["FidoCreateChallengeResponse"];
+      202: {
+        content: {
+          "application/json": components["schemas"]["AcceptedResponse"];
+        };
+      };
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Finalize registration of a FIDO key
+   * @deprecated
+   * @description Finalize registration of a FIDO key
+   *
+   * Accepts the response to the challenge generated by the POST to this endpoint.
+   */
+  registerFidoCompleteLegacy: {
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["FidoCreateChallengeAnswer"];
+      };
+    };
+    responses: {
+      200: components["responses"]["EmptyImpl"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Initialize TOTP Reset
+   * @deprecated
+   * @description Initialize TOTP Reset
    *
-   * Creates and sets a new TOTP configuration for the current user,
-   * overriding the existing one (if any).
+   * Creates a new TOTP challenge that must be answered to prove that the new TOTP
+   * was successfully imported into an authenticator app.
+   *
+   * This operation is allowed if EITHER
+   * - the user account is not yet initialized and no TOTP is already set, OR
+   * - the user has not configured any auth factors;
+   * otherwise, MFA is required.
    */
-  userResetTotp: {
+  resetTotpInitLegacy: {
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["Empty"];
+      };
+    };
     responses: {
       200: components["responses"]["TotpInfo"];
+      202: {
+        content: {
+          "application/json": components["schemas"]["AcceptedResponse"];
+        };
+      };
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Finalize resetting TOTP
+   * @deprecated
+   * @description Finalize resetting TOTP
+   *
+   * Checks if the response contains the correct TOTP code corresponding to the
+   * challenge generated by the POST method of this endpoint.
+   */
+  resetTotpCompleteLegacy: {
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["TotpChallengeAnswer"];
+      };
+    };
+    responses: {
+      200: components["responses"]["EmptyImpl"];
       default: {
         content: {
           "application/json": components["schemas"]["ErrorResponse"];
@@ -2750,15 +4766,16 @@ export interface operations {
   };
   /**
    * Verify TOTP
+   * @deprecated
    * @description Verify TOTP
    *
    * Checks if a given code matches the current TOTP code for the current user.
    * Errors with 403 if the current user has not set up TOTP or the code fails verification.
    */
-  userVerifyTotp: {
-    parameters: {
-      path: {
-        code: string;
+  verifyTotpLegacy: {
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["TotpApproveRequest"];
       };
     };
     responses: {
@@ -2776,6 +4793,13 @@ export interface operations {
    *
    * Signs an arbitrary blob with a given key.
    * This is a pre-release feature.
+   *
+   * - ECDSA signatures are serialized as big-endian r and s plus recovery-id
+   * byte v, which can in general take any of the values 0, 1, 2, or 3.
+   *
+   * - EdDSA signatures are serialized in the standard format.
+   *
+   * - BLS signatures are not supported on the blob-sign endpoint.
    */
   blobSign: {
     parameters: {
@@ -2786,8 +4810,8 @@ export interface operations {
          */
         org_id: string;
         /**
-         * @description The ID of the key
-         * @example Key#0x49011adbCC3bC9c0307BB07F37Dda1a1a9c69d2E
+         * @description ID of the desired Key
+         * @example Key#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
          */
         key_id: string;
       };
@@ -2821,7 +4845,7 @@ export interface operations {
     parameters: {
       path: {
         /**
-         * @description Name or ID of the organization owning the key
+         * @description Name or ID of the desired Org
          * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
          */
         org_id: string;
@@ -2846,6 +4870,7 @@ export interface operations {
    * @description Sign EVM Transaction
    *
    * Signs an Ethereum (and other EVM) transaction with a given Secp256k1 key.
+   * Returns an RLP-encoded transaction with EIP-155 signature.
    *
    * The key must be associated with the role and organization on whose behalf this action is called.
    */
@@ -2871,6 +4896,11 @@ export interface operations {
     };
     responses: {
       200: components["responses"]["Eth1SignResponse"];
+      202: {
+        content: {
+          "application/json": components["schemas"]["AcceptedResponse"];
+        };
+      };
       default: {
         content: {
           "application/json": components["schemas"]["ErrorResponse"];
@@ -2908,6 +4938,11 @@ export interface operations {
     };
     responses: {
       200: components["responses"]["Eth2SignResponse"];
+      202: {
+        content: {
+          "application/json": components["schemas"]["AcceptedResponse"];
+        };
+      };
       default: {
         content: {
           "application/json": components["schemas"]["ErrorResponse"];
@@ -2942,6 +4977,11 @@ export interface operations {
     };
     responses: {
       200: components["responses"]["StakeResponse"];
+      202: {
+        content: {
+          "application/json": components["schemas"]["AcceptedResponse"];
+        };
+      };
       default: {
         content: {
           "application/json": components["schemas"]["ErrorResponse"];
@@ -2980,42 +5020,11 @@ export interface operations {
     };
     responses: {
       200: components["responses"]["UnstakeResponse"];
-      default: {
+      202: {
         content: {
-          "application/json": components["schemas"]["ErrorResponse"];
+          "application/json": components["schemas"]["AcceptedResponse"];
         };
       };
-    };
-  };
-  /**
-   * Sign Solana Message
-   * @description Sign Solana Message
-   *
-   * Signs a Solana message with a given key.
-   * This is a pre-release feature.
-   */
-  solanaSign: {
-    parameters: {
-      path: {
-        /**
-         * @description Name or ID of the desired Org
-         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
-         */
-        org_id: string;
-        /**
-         * @description The base58-encoded public key
-         * @example 86ZRPszBp5EoPj7wR3bHn7wnAZ5iYfpasRc7DKFPTUaZ
-         */
-        pubkey: string;
-      };
-    };
-    requestBody: {
-      content: {
-        "application/json": components["schemas"]["SolanaSignRequest"];
-      };
-    };
-    responses: {
-      200: components["responses"]["SolanaSignResponse"];
       default: {
         content: {
           "application/json": components["schemas"]["ErrorResponse"];
@@ -3043,7 +5052,7 @@ export interface operations {
       };
     };
     responses: {
-      200: components["responses"]["RefreshResponse"];
+      200: components["responses"]["NewSessionResponse"];
       default: {
         content: {
           "application/json": components["schemas"]["ErrorResponse"];