@cubist-labs/cubesigner-sdk 0.1.26 → 0.1.77

package/dist/src/schema.d.ts

@@ -2,21 +2,16 @@
  * This file was auto-generated by openapi-typescript.
  * Do not make direct changes to the file.
  */
-/** OneOf type helpers */
-type Without<T, U> = {
-    [P in Exclude<keyof T, keyof U>]?: never;
-};
-type XOR<T, U> = (T | U) extends object ? (Without<T, U> & U) | (Without<U, T> & T) : T | U;
-type OneOf<T extends any[]> = T extends [infer Only] ? Only : T extends [infer A, infer B, ...infer Rest] ? OneOf<[XOR<A, B>, ...Rest]> : never;
 export interface paths {
     "/v0/about_me": {
         /**
          * User Info
+         * @deprecated
          * @description User Info
          *
          * Retrieves information about the current user.
          */
-        get: operations["aboutMe"];
+        get: operations["aboutMeLegacy"];
     };
     "/v0/org/{org_id}": {
         /**
@@ -34,6 +29,16 @@ export interface paths {
          */
         patch: operations["updateOrg"];
     };
+    "/v0/org/{org_id}/ava/sign/{pubkey}": {
+        /**
+         * Sign Avalanche X- or P-Chain Message
+         * @description Sign Avalanche X- or P-Chain Message
+         *
+         * Signs an Avalanche message with a given SecpAva key.
+         * This is a pre-release feature.
+         */
+        post: operations["avaSign"];
+    };
     "/v0/org/{org_id}/btc/sign/{pubkey}": {
         /**
          * Sign Bitcoin Transaction
@@ -44,6 +49,66 @@ export interface paths {
          */
         post: operations["btcSign"];
     };
+    "/v0/org/{org_id}/derive_key": {
+        /**
+         * Derive Key From Long-Lived Mnemonic
+         * @description Derive Key From Long-Lived Mnemonic
+         *
+         * Derives a key of a specified type using a supplied derivation path and an
+         * existing long-lived mnemonic.
+         */
+        put: operations["deriveKey"];
+    };
+    "/v0/org/{org_id}/evm/eip712/sign/{pubkey}": {
+        /**
+         * Sign EIP-712 Typed Data
+         * @description Sign EIP-712 Typed Data
+         *
+         * Signs typed data according to EIP-712 with a given Secp256k1 key.
+         */
+        post: operations["eip712Sign"];
+    };
+    "/v0/org/{org_id}/identity/prove": {
+        /**
+         * Create [IdentityProof] from CubeSigner user session
+         * @description Create [IdentityProof] from CubeSigner user session
+         *
+         * This route can be used to prove to another party that a user has a
+         * valid CubeSigner session.
+         *
+         * Clients are intended to call this route and pass the returned evidence
+         * to another service which will verify it by making a request to `/v0/org/<org_id>/identity/verify`.
+         */
+        post: operations["createProofCubeSigner"];
+    };
+    "/v0/org/{org_id}/identity/prove/oidc": {
+        /**
+         * Create [IdentityProof] from OIDC token
+         * @description Create [IdentityProof] from OIDC token
+         *
+         * Exchange an OIDC ID token (passed via the `Authorization` header) for a proof of authentication.
+         *
+         * This route can be used to prove to another party that a user has met the
+         * authentication requirements (allowed issuers & audiences) for CubeSigner
+         * without leaking their credentials.
+         *
+         * Clients are intended to call this route and pass the returned evidence to another service
+         * which will verify it by making a request to `/v0/org/<org_id>/identity/verify`.
+         */
+        post: operations["createProofOidc"];
+    };
+    "/v0/org/{org_id}/identity/verify": {
+        /**
+         * Verify identity proof
+         * @description Verify identity proof
+         *
+         * Allows a third-party to validate proof of authentication.
+         *
+         * When a third-party is provided an [IdentityProof] object, they must check its
+         * veracity by calling this endpoint
+         */
+        post: operations["verifyProof"];
+    };
     "/v0/org/{org_id}/import_key": {
         /**
          * Create Key-Import Key
@@ -77,31 +142,14 @@ export interface paths {
          * Gets the list of owned keys in a given org.
          */
         get: operations["listKeysInOrg"];
-        /**
-         * Import Key (Deprecated)
-         * @description Import Key (Deprecated)
-         *
-         * Securely imports an existing key. This API is deprecated; please use the new version.
-         */
-        put: operations["importKeyLegacy"];
         /**
          * Create Key
          * @description Create Key
          *
-         * Creates one or more new keys of the specified type (BLS or Secp).
+         * Creates one or more new keys of the specified type.
          */
         post: operations["createKey"];
     };
-    "/v0/org/{org_id}/keys/get_keys": {
-        /**
-         * Legacy List Keys
-         * @deprecated
-         * @description Legacy List Keys
-         *
-         * This route is deprecated. Use `GET /v0/org/<org_id>/keys?<key_type>`
-         */
-        post: operations["listKeysLegacy"];
-    };
     "/v0/org/{org_id}/keys/{key_id}": {
         /**
          * Get Key
@@ -110,6 +158,14 @@ export interface paths {
          * Returns the properties of a key.
          */
         get: operations["getKeyInOrg"];
+        /**
+         * Delete Key
+         * @description Delete Key
+         *
+         * Deletes a key specified by its ID.
+         * Only the key owner and org owners are allowed to delete keys.
+         */
+        delete: operations["deleteKey"];
         /**
          * Update Key
          * @description Update Key
@@ -118,30 +174,60 @@ export interface paths {
          */
         patch: operations["updateKey"];
     };
+    "/v0/org/{org_id}/mfa": {
+        /**
+         * List Pending MFA Requests
+         * @description List Pending MFA Requests
+         *
+         * Retrieves and returns all pending MFA requests that are accessible to the current user,
+         * i.e., those in which the current user is listed as an approver
+         */
+        get: operations["mfaList"];
+    };
     "/v0/org/{org_id}/mfa/{mfa_id}": {
         /**
-         * Gets a Pending MFA Request
-         * @description Gets a Pending MFA Request
+         * Get Pending MFA Request
+         * @description Get Pending MFA Request
          *
          * Retrieves and returns a pending MFA request by its id.
          */
         get: operations["mfaGet"];
         /**
-         * Approve a Pending MFA Request
-         * @description Approve a Pending MFA Request
+         * Approve MFA Request
+         * @description Approve MFA Request
+         *
+         * Approve request after logging in with CubeSigner. Adds the currently-logged user as an approver
+         * of a pending MFA request of the [Status::RequiredApprovers] kind. If the required number of
+         * approvers is reached, the MFA request is approved; the confirmation receipt can be used to
+         * resume the original HTTP request.
+         */
+        patch: operations["mfaApproveCs"];
+    };
+    "/v0/org/{org_id}/mfa/{mfa_id}/fido": {
+        /**
+         * Initiate Approving an MFA Request with FIDO
+         * @description Initiate Approving an MFA Request with FIDO
+         *
+         * Initiates the approval process of an MFA Request using FIDO.
+         */
+        post: operations["mfaApproveFido"];
+        /**
+         * Finalize a FIDO MFA Approval
+         * @description Finalize a FIDO MFA Approval
+         *
+         * Adds an approver to a pending MFA request.
          *
-         * Adds the current user as an approver of a pending MFA request of the [Status::RequiredApprovers] kind.
          * If the required number of approvers is reached, the MFA request is approved;
          * the confirmation receipt can be used to resume the original HTTP request.
          */
-        patch: operations["mfaApproveCs"];
+        patch: operations["mfaApproveFidoComplete"];
     };
     "/v0/org/{org_id}/mfa/{mfa_id}/totp": {
         /**
          * Approve a TOTP MFA Request
          * @description Approve a TOTP MFA Request
          *
-         * Adds an approver to a pending TOTP MFA request.
+         * Adds the current user as approver to a pending MFA request by providing TOTP code.
          *
          * If the required number of approvers is reached, the MFA request is approved;
          * the confirmation receipt can be used to resume the original HTTP request.
@@ -218,6 +304,15 @@ export interface paths {
          */
         put: operations["addUserToRole"];
     };
+    "/v0/org/{org_id}/roles/{role_id}/keys": {
+        /**
+         * List Role Keys
+         * @description List Role Keys
+         *
+         * Returns an array of all keys in a role.
+         */
+        get: operations["listRoleKeys"];
+    };
     "/v0/org/{org_id}/roles/{role_id}/keys/{key_id}": {
         /**
          * Remove Key
@@ -229,8 +324,11 @@ export interface paths {
     };
     "/v0/org/{org_id}/roles/{role_id}/tokens": {
         /**
-         * List Tokens
-         * @description List Tokens
+         * List a single page of Tokens (Deprecated)
+         * @deprecated
+         * @description List a single page of Tokens (Deprecated)
+         *
+         * **Deprecated**: Use `GET /org/{org_id}/session?role=`
          *
          * Returns all access tokens for a given role.
          * Only users in the role or owners can create a token for it.
@@ -245,8 +343,11 @@ export interface paths {
          */
         post: operations["createRoleToken"];
         /**
-         * Revoke All Tokens
-         * @description Revoke All Tokens
+         * Revoke All Tokens (Deprecated)
+         * @deprecated
+         * @description Revoke All Tokens (Deprecated)
+         *
+         * **Deprecated**: Use `DELETE /org/{org_id}/session?role=` instead
          *
          * Revokes all access tokens associated with a role.
          * Only users in the role or owners can perform this action.
@@ -255,14 +356,67 @@ export interface paths {
     };
     "/v0/org/{org_id}/roles/{role_id}/tokens/{session_id}": {
         /**
-         * Revoke Token
-         * @description Revoke Token
+         * Revoke Token (Deprecated)
+         * @deprecated
+         * @description Revoke Token (Deprecated)
+         *
+         * **Deprecated**: Use `DELETE /org/{org_id}/session/{session_id}`
          *
          * Revokes an access token associated with a role.
          * Only users in the role or owners can perform this action.
          */
         delete: operations["revokeRoleToken"];
     };
+    "/v0/org/{org_id}/roles/{role_id}/users": {
+        /**
+         * List Role Users.
+         * @description List Role Users.
+         *
+         * Returns an array of all users who have access to a role.
+         */
+        get: operations["listRoleUsers"];
+    };
+    "/v0/org/{org_id}/session": {
+        /**
+         * List sessions
+         * @description List sessions
+         *
+         * If no query parameters are provided, information for the current session is returned
+         */
+        get: operations["listSessions"];
+        /**
+         * Revoke existing session(s)
+         * @description Revoke existing session(s)
+         *
+         * Immediately revokes existing sessions, preventing them from being used or refreshed.
+         * If no query params are provided, the current session is revoked.
+         */
+        delete: operations["revokeSessions"];
+    };
+    "/v0/org/{org_id}/session/{session_id}": {
+        /**
+         * Get session information
+         * @description Get session information
+         */
+        get: operations["getSession"];
+        /**
+         * Revoke a session
+         * @description Revoke a session
+         *
+         * Immediately revokes an existing session, preventing it from being used or refreshed
+         */
+        delete: operations["revokeSession"];
+    };
+    "/v0/org/{org_id}/solana/sign/{pubkey}": {
+        /**
+         * Sign Solana Message
+         * @description Sign Solana Message
+         *
+         * Signs a Solana message with a given key.
+         * This is a pre-release feature.
+         */
+        post: operations["solanaSign"];
+    };
     "/v0/org/{org_id}/token/keys": {
         /**
          * Get Token-Accessible Keys
@@ -272,6 +426,64 @@ export interface paths {
          */
         get: operations["listTokenKeys"];
     };
+    "/v0/org/{org_id}/user/me": {
+        /**
+         * User Info
+         * @description User Info
+         *
+         * Retrieves information about the current user.
+         */
+        get: operations["aboutMe"];
+    };
+    "/v0/org/{org_id}/user/me/fido": {
+        /**
+         * Initiate registration of a FIDO key
+         * @description Initiate registration of a FIDO key
+         *
+         * Generates a challenge that must be answered to prove ownership of a key
+         */
+        post: operations["userRegisterFidoInit"];
+        /**
+         * Finalize registration of a FIDO key
+         * @description Finalize registration of a FIDO key
+         *
+         * Accepts the response to the challenge generated by the POST to this endpoint.
+         */
+        patch: operations["userRegisterFidoComplete"];
+    };
+    "/v0/org/{org_id}/user/me/totp": {
+        /**
+         * Initialize TOTP Reset
+         * @description Initialize TOTP Reset
+         *
+         * Creates a new TOTP challenge that must be answered to prove that the new TOTP
+         * was successfully imported into an authenticator app.
+         *
+         * This operation is allowed if EITHER
+         * - the user account is not yet initialized and no TOTP is already set, OR
+         * - the user has not configured any auth factors;
+         * otherwise, MFA is required.
+         */
+        post: operations["userResetTotpInit"];
+        /**
+         * Finalize resetting TOTP
+         * @description Finalize resetting TOTP
+         *
+         * Checks if the response contains the correct TOTP code corresponding to the
+         * challenge generated by the POST method of this endpoint.
+         */
+        patch: operations["userResetTotpComplete"];
+    };
+    "/v0/org/{org_id}/user/me/totp/verify": {
+        /**
+         * Verify TOTP
+         * @description Verify TOTP
+         *
+         * Checks if a given code matches the current TOTP code for the current user.
+         * Errors with 403 if the current user has not set up TOTP or the code fails verification.
+         */
+        post: operations["userVerifyTotp"];
+    };
     "/v0/org/{org_id}/users": {
         /**
          * List users in organization
@@ -279,30 +491,71 @@ export interface paths {
          */
         get: operations["listUsersInOrg"];
         /**
-         * Adds a third-party user to the org
-         * @description Adds a third-party user to the org
+         * Add a third-party user to the org
+         * @description Add a third-party user to the org
          */
         post: operations["createOidcUser"];
     };
-    "/v0/totp": {
+    "/v0/org/{org_id}/users/oidc": {
+        /**
+         * Remove a third-party user from the org
+         * @description Remove a third-party user from the org
+         */
+        delete: operations["deleteOidcUser"];
+    };
+    "/v0/user/me/fido": {
+        /**
+         * Initiate registration of a FIDO key
+         * @deprecated
+         * @description Initiate registration of a FIDO key
+         *
+         * Generates a challenge that must be answered to prove ownership of a key
+         */
+        post: operations["registerFidoInitLegacy"];
+        /**
+         * Finalize registration of a FIDO key
+         * @deprecated
+         * @description Finalize registration of a FIDO key
+         *
+         * Accepts the response to the challenge generated by the POST to this endpoint.
+         */
+        patch: operations["registerFidoCompleteLegacy"];
+    };
+    "/v0/user/me/totp": {
+        /**
+         * Initialize TOTP Reset
+         * @deprecated
+         * @description Initialize TOTP Reset
+         *
+         * Creates a new TOTP challenge that must be answered to prove that the new TOTP
+         * was successfully imported into an authenticator app.
+         *
+         * This operation is allowed if EITHER
+         * - the user account is not yet initialized and no TOTP is already set, OR
+         * - the user has not configured any auth factors;
+         * otherwise, MFA is required.
+         */
+        post: operations["resetTotpInitLegacy"];
         /**
-         * Reset TOTP
-         * @description Reset TOTP
+         * Finalize resetting TOTP
+         * @deprecated
+         * @description Finalize resetting TOTP
          *
-         * Creates and sets a new TOTP configuration for the current user,
-         * overriding the existing one (if any).
+         * Checks if the response contains the correct TOTP code corresponding to the
+         * challenge generated by the POST method of this endpoint.
          */
-        patch: operations["userResetTotp"];
+        patch: operations["resetTotpCompleteLegacy"];
     };
-    "/v0/totp/verify/{code}": {
+    "/v0/user/me/totp/verify": {
         /**
          * Verify TOTP
+         * @deprecated
          * @description Verify TOTP
          *
          * Checks if a given code matches the current TOTP code for the current user.
          * Errors with 403 if the current user has not set up TOTP or the code fails verification.
          */
-        get: operations["userVerifyTotp"];
+        post: operations["verifyTotpLegacy"];
     };
     "/v1/org/{org_id}/blob/sign/{key_id}": {
         /**
@@ -311,6 +564,13 @@ export interface paths {
          *
          * Signs an arbitrary blob with a given key.
          * This is a pre-release feature.
+         *
+         * - ECDSA signatures are serialized as big-endian r and s plus recovery-id
+         * byte v, which can in general take any of the values 0, 1, 2, or 3.
+         *
+         * - EdDSA signatures are serialized in the standard format.
+         *
+         * - BLS signatures are not supported on the blob-sign endpoint.
          */
         post: operations["blobSign"];
     };
@@ -329,6 +589,7 @@ export interface paths {
          * @description Sign EVM Transaction
          *
          * Signs an Ethereum (and other EVM) transaction with a given Secp256k1 key.
+         * Returns an RLP-encoded transaction with EIP-155 signature.
          *
          * The key must be associated with the role and organization on whose behalf this action is called.
          */
@@ -370,16 +631,6 @@ export interface paths {
          */
         post: operations["unstake"];
     };
-    "/v1/org/{org_id}/solana/sign/{pubkey}": {
-        /**
-         * Sign Solana Message
-         * @description Sign Solana Message
-         *
-         * Signs a Solana message with a given key.
-         * This is a pre-release feature.
-         */
-        post: operations["solanaSign"];
-    };
     "/v1/org/{org_id}/token/refresh": {
         /**
          * Refresh Signer Session
@@ -402,7 +653,11 @@ export interface components {
          */
         AcceptedValue: {
             MfaRequired: {
+                /** @description MFA request id */
                 id: string;
+                /** @description Organization id */
+                org_id: string;
+                session?: components["schemas"]["NewSessionResponse"] | null;
             };
         };
         AddKeysToRoleRequest: {
@@ -439,15 +694,31 @@ export interface components {
              *   }
              * ]
              */
-            policy: Record<string, never>[] | null;
+            policy?: Record<string, never>[] | null;
         };
         AddThirdPartyUserRequest: {
+            /**
+             * @description User email
+             * @example alice@example.com
+             */
+            email: string;
             identity: components["schemas"]["OIDCIdentity"];
+            /** @description Optional login MFA policy */
+            mfa_policy?: Record<string, unknown> | null;
             role: components["schemas"]["MemberRole"];
         };
         ApprovalInfo: {
             timestamp: components["schemas"]["EpochDateTime"];
         };
+        /**
+         * @description WebAuthn Relying Parties may use AttestationConveyancePreference to specify
+         * their preference regarding attestation conveyance during credential
+         * generation.
+         *
+         * https://www.w3.org/TR/webauthn-2/#enumdef-attestationconveyancepreference
+         * @enum {string}
+         */
+        AttestationConveyancePreference: "none" | "indirect" | "direct" | "enterprise";
         /** @description Data required for both `authenticate` and `refresh`. */
         AuthData: {
             /** Format: int32 */
@@ -455,6 +726,136 @@ export interface components {
             epoch_token: components["schemas"]["B32"];
             other_token: string;
         };
+        /**
+         * @description Represents the assertion response used by clients when attempting to log in with a known credential
+         * https://www.w3.org/TR/webauthn-2/#authenticatorassertionresponse
+         */
+        AuthenticatorAssertionResponse: {
+            /**
+             * @description Contains the standard CTAP2 authenticator data. Must be a valid [`AuthenticatorData`].
+             * This contains information about how key was invoked.
+             * https://www.w3.org/TR/webauthn-2/#dom-authenticatorassertionresponse-authenticatordata
+             */
+            authenticatorData: string;
+            /**
+             * @description Contains UTF8 encoded JSON which must be a valid [`ClientData`]
+             * This data is combined with `authenticator_data` to produce the signature
+             * meaning the client attests to the correctness of this data.
+             * https://www.w3.org/TR/webauthn-2/#dom-authenticatorresponse-clientdatajson
+             */
+            clientDataJSON: string;
+            /**
+             * @description The signature of the concatenated `authenticatorData || hash` where
+             * `hash` is the SHA256 hash of the `clientDataJSON` buffer:
+             *
+             * Field Definition: https://www.w3.org/TR/webauthn-2/#dom-authenticatorassertionresponse-signature
+             * Step 11 of `getAssertion` specifies the concatenation: https://www.w3.org/TR/webauthn-2/#sctn-op-get-assertion
+             * Requirement for SHA-256: https://www.w3.org/TR/webauthn-2/#collectedclientdata-hash-of-the-serialized-client-data
+             */
+            signature: string;
+            /**
+             * @description Allows the authenticator to optionally declare the credential identifier they used.
+             * https://www.w3.org/TR/webauthn-2/#dom-authenticatorassertionresponse-userhandle
+             */
+            userHandle?: string | null;
+        };
+        /**
+         * @description This enumeration’s values describe authenticators' attachment modalities.
+         * Relying Parties use this to express a preferred authenticator attachment
+         * modality when calling navigator.credentials.create() to create a credential.
+         *
+         * https://www.w3.org/TR/webauthn-2/#enumdef-authenticatorattachment
+         * @enum {string}
+         */
+        AuthenticatorAttachment: "platform" | "cross-platform";
+        /**
+         * @description The AuthenticatorAttestationResponse interface represents the authenticator's
+         * response to a client’s request for the creation of a new public key
+         * credential. It contains information about the new credential that can be
+         * used to identify it for later use, and metadata that can be used by the
+         * WebAuthn Relying Party to assess the characteristics of the credential
+         * during registration.
+         *
+         * https://www.w3.org/TR/webauthn-2/#iface-authenticatorattestationresponse
+         */
+        AuthenticatorAttestationResponse: {
+            /**
+             * @description This attribute contains an attestation object, which is opaque to, and
+             * cryptographically protected against tampering by, the client. The
+             * attestation object contains both authenticator data and an attestation
+             * statement. The former contains the AAGUID, a unique credential ID, and
+             * the credential public key. The contents of the attestation statement are
+             * determined by the attestation statement format used by the
+             * authenticator. It also contains any additional information that the
+             * Relying Party's server requires to validate the attestation statement,
+             * as well as to decode and validate the authenticator data along with the
+             * JSON-compatible serialization of client data. For more details, see
+             * § 6.5 Attestation, § 6.5.4 Generating an Attestation Object, and Figure
+             * 6.
+             */
+            attestationObject: string;
+            /**
+             * @description This attribute, inherited from AuthenticatorResponse, contains the
+             * JSON-compatible serialization of client data (see § 6.5 Attestation)
+             * passed to the authenticator by the client in order to generate this
+             * credential. The exact JSON serialization MUST be preserved, as the hash
+             * of the serialized client data has been computed over it.
+             */
+            clientDataJSON: string;
+        };
+        /**
+         * @description WebAuthn Relying Parties may use the AuthenticatorSelectionCriteria
+         * dictionary to specify their requirements regarding authenticator
+         * attributes.
+         *
+         * https://www.w3.org/TR/webauthn-2/#dictdef-authenticatorselectioncriteria
+         */
+        AuthenticatorSelectionCriteria: {
+            authenticator_attachment?: components["schemas"]["AuthenticatorAttachment"] | null;
+            /**
+             * @description This member is retained for backwards compatibility with WebAuthn Level
+             * 1 and, for historical reasons, its naming retains the deprecated
+             * “resident” terminology for discoverable credentials. Relying Parties
+             * SHOULD set it to true if, and only if, residentKey is set to required.
+             *
+             * https://www.w3.org/TR/webauthn-2/#dom-authenticatorselectioncriteria-requireresidentkey
+             */
+            require_resident_key?: boolean;
+            resident_key?: components["schemas"]["ResidentKeyRequirement"] | null;
+            user_verification?: components["schemas"]["UserVerificationRequirement"];
+        };
+        /**
+         * @description Authenticators may implement various transports for communicating with
+         * clients. This enumeration defines hints as to how clients might communicate
+         * with a particular authenticator in order to obtain an assertion for a
+         * specific credential. Note that these hints represent the WebAuthn Relying
+         * Party's best belief as to how an authenticator may be reached. A Relying
+         * Party will typically learn of the supported transports for a public key
+         * credential via getTransports().
+         *
+         * https://www.w3.org/TR/webauthn-2/#enumdef-authenticatortransport
+         * @enum {string}
+         */
+        AuthenticatorTransport: "usb" | "nfc" | "ble" | "internal";
+        /** @description Request to sign an Avalanche transactions */
+        AvaSignRequest: {
+            /**
+             * @description Transaction to sign.
+             *
+             * Examples:
+             * - {"P": { "AddPermissionlessValidator": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/platformvm/txs/add_permissionless_validator.rs#L14) }}
+             * - {"P": { "AddSubnetValidator": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/platformvm/txs/add_subnet_validator.rs#L29) }}
+             * - {"P": { "AddValidator": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/platformvm/txs/add_validator.rs#L12) }}
+             * - {"P": { "CreateChain": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/platformvm/txs/create_chain.rs#L8) }}
+             * - {"P": { "CreateSubnet": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/platformvm/txs/create_subnet.rs#L8) }}
+             * - {"P": { "Export": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/platformvm/txs/export.rs#L12) }}
+             * - {"P": { "Import": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/platformvm/txs/import.rs#L12) }}
+             * - {"X": { "Base": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/avm/txs/mod.rs#L21) }}
+             * - {"X": { "Export": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/avm/txs/export.rs#L16) }}
+             * - {"X": { "Import": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/avm/txs/import.rs#L14) }}
+             */
+            tx: Record<string, never>;
+        };
         /** @description Wrapper around a zeroizing 32-byte fixed-size array */
         B32: string;
         /**
@@ -520,20 +921,24 @@ export interface components {
             /** @description Session ID */
             session_id: string;
         };
-        ConfiguredMfa: OneOf<[
-            "Totp",
-            {
-                /** @description Named FIDO device (multiple can be configured per user, but the names must be different) */
-                Fido: string;
-            }
-        ]>;
+        ConfiguredMfa: {
+            /** @enum {string} */
+            type: "totp";
+        } | {
+            /** @description A unique credential id */
+            id: string;
+            /** @description A human-readable name given to the key */
+            name: string;
+            /** @enum {string} */
+            type: "fido";
+        };
         CreateKeyRequest: {
             /**
              * Format: int64
              * @description Chain id for which the key is allowed to sign messages
              * @example 5
              */
-            chain_id: number | null;
+            chain_id?: number | null;
             /**
              * Format: int32
              * @description Number of keys to create
@@ -545,7 +950,7 @@ export interface components {
              * @description Allows users to specify a user other than themselves to receive the key
              * @example User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f
              */
-            owner: string | null;
+            owner?: string | null;
         };
         /** @description Optional create role request body */
         CreateRoleRequest: {
@@ -555,12 +960,28 @@ export interface components {
              */
             name: string;
         };
-        CreateTokenRequest: components["schemas"]["RatchetConfig"] & {
+        CreateTokenRequest: components["schemas"]["RatchetConfig"] & ({
             /**
              * @description A human readable description of the purpose of the key
              * @example Validator Signing
              */
             purpose: string;
+            /**
+             * @description Controls what capabilities this session will have. By default, it has all
+             * signing capabilities, i.e., just the 'sign:*' scope.
+             * @example [
+             *   "sign:*"
+             * ]
+             */
+            scopes?: string[] | null;
+        });
+        CubeSignerUserInfo: {
+            /** @description All multi-factor authentication methods configured for this user */
+            configured_mfa: components["schemas"]["ConfiguredMfa"][];
+            /** @description Set once the user successfully logs into CubeSigner */
+            initialized: boolean;
+            /** @description CubeSigner's user identifier */
+            user_id: string;
         };
         /**
          * @description Information produced by a successful deposit
@@ -590,6 +1011,119 @@ export interface components {
          * @enum {string}
          */
         DepositType: "Canonical" | "Wrapper";
+        DeriveKeyRequest: {
+            /**
+             * @description One or more derivation paths from which to derive keys.
+             * @example [
+             *   "m/44'/60'/0'/0/0",
+             *   "m/44'/9000'/0'/0/0"
+             * ]
+             */
+            derivation_path: string[];
+            key_type: components["schemas"]["KeyType"];
+            /**
+             * @description Material-id of the mnemonic to use for derivation
+             * @example 0x9f07be82d934fcb5d0f75dd24c2dfea8a85a4d0c289d58828b3537fae24d32b8
+             */
+            mnemonic_id: string;
+        };
+        /**
+         * @example {
+         *   "chain_id": 1337,
+         *   "typed_data": {
+         *     "domain": {
+         *       "chainId": 1337,
+         *       "name": "Ether Mail",
+         *       "verifyingContract": "0xCcCCccccCCCCcCCCCCCcCcCccCcCCCcCcccccccC",
+         *       "version": "1"
+         *     },
+         *     "message": {
+         *       "contents": "Hello, Bob!",
+         *       "from": {
+         *         "name": "Cow",
+         *         "wallets": [
+         *           "0xCD2a3d9F938E13CD947Ec05AbC7FE734Df8DD826",
+         *           "0xDeaDbeefdEAdbeefdEadbEEFdeadbeEFdEaDbeeF"
+         *         ]
+         *       },
+         *       "to": {
+         *         "name": "Bob",
+         *         "wallets": [
+         *           "0xbBbBBBBbbBBBbbbBbbBbbbbBBbBbbbbBbBbbBBbB",
+         *           "0xB0BdaBea57B0BDABeA57b0bdABEA57b0BDabEa57",
+         *           "0xB0B0b0b0b0b0B000000000000000000000000000"
+         *         ]
+         *       }
+         *     },
+         *     "primaryType": "Mail",
+         *     "types": {
+         *       "EIP712Domain": [
+         *         {
+         *           "name": "name",
+         *           "type": "string"
+         *         },
+         *         {
+         *           "name": "version",
+         *           "type": "string"
+         *         },
+         *         {
+         *           "name": "chainId",
+         *           "type": "uint256"
+         *         },
+         *         {
+         *           "name": "verifyingContract",
+         *           "type": "address"
+         *         }
+         *       ],
+         *       "Group": [
+         *         {
+         *           "name": "name",
+         *           "type": "string"
+         *         },
+         *         {
+         *           "name": "members",
+         *           "type": "Person[]"
+         *         }
+         *       ],
+         *       "Mail": [
+         *         {
+         *           "name": "from",
+         *           "type": "Person"
+         *         },
+         *         {
+         *           "name": "to",
+         *           "type": "Person"
+         *         },
+         *         {
+         *           "name": "contents",
+         *           "type": "string"
+         *         }
+         *       ],
+         *       "Person": [
+         *         {
+         *           "name": "name",
+         *           "type": "string"
+         *         },
+         *         {
+         *           "name": "wallets",
+         *           "type": "address[]"
+         *         }
+         *       ]
+         *     }
+         *   }
+         * }
+         */
+        Eip712SignRequest: {
+            /**
+             * Format: int64
+             * @description The chain-id to which this typed data will be sent
+             */
+            chain_id: number;
+            /** @description EIP-712 typed data. Refer to the JSON schema defined in EIP-712. */
+            typed_data: Record<string, never>;
+        };
+        /** @default null */
+        Empty: Record<string, unknown> | null;
         /**
          * @description Epoch is a quoted `uint64`.
          * @example 256
@@ -607,6 +1141,8 @@ export interface components {
             accepted?: components["schemas"]["AcceptedValue"] | null;
             /** @description Error message */
             message: string;
+            /** @description Optional request identifier */
+            request_id?: string;
         };
         /**
          * @example {
@@ -666,6 +1202,26 @@ export interface components {
             eth2_sign_request: Record<string, never>;
             network: components["schemas"]["Network"];
         };
+        /** @description Sent from the client to the server to answer a fido challenge */
+        FidoAssertAnswer: {
+            /** @description The ID of the challenge that was returned from the POST endpoint */
+            challenge_id: string;
+            credential: components["schemas"]["PublicKeyCredential"];
+        };
+        /** @description Sent from the client to the server to answer a fido challenge */
+        FidoCreateChallengeAnswer: {
+            /** @description The ID of the challenge that was returned from the POST endpoint */
+            challenge_id: string;
+            credential: components["schemas"]["PublicKeyCredential"];
+        };
+        /** @description Declares intent to register a new FIDO key */
+        FidoCreateRequest: {
+            /**
+             * @description A human-readable name for the new fido credential
+             * @example Work Yubikey
+             */
+            name: string;
+        };
         /**
          * @description Specifies a fork of the `BeaconChain`, to prevent replay attacks.
          * The schema of `Fork` is defined in the [Beacon chain
@@ -713,7 +1269,7 @@ export interface components {
             genesis_validators_root: string;
         };
         GetKeysInOrgRequest: {
-            key_type: components["schemas"]["KeyType"] | null;
+            key_type?: components["schemas"]["KeyType"] | null;
         };
         /** @description Stats pertaining the the sender `cube3signer` instance */
         HeartbeatRequest: {
@@ -762,7 +1318,7 @@ export interface components {
              *
              * TODO: Make non-optional once we do not support proxies without version information
              */
-            proxy_version: string | null;
+            proxy_version?: string | null;
         };
         /**
          * @description Information about the request.
@@ -773,22 +1329,34 @@ export interface components {
          */
         HttpRequest: {
             /** @description HTTP request body */
-            body: Record<string, unknown> | null;
+            body?: Record<string, unknown> | null;
             /** @description HTTP method of the request */
             method: string;
             /** @description HTTP path of the request (including host or not?) */
             path: string;
         };
-        ImportKeyLegacyRequest: {
+        /**
+         * @description Proof that an end-user provided CubeSigner with a valid auth token
+         * (either an OIDC token or a CubeSigner session token)
+         */
+        IdentityProof: ({
             /**
-             * Format: int64
-             * @description The chain ID of the chain that the key will be used for
-             * @example 5
+             * @description OIDC audience; set only if the proof was obtained by using OIDC token.
+             *
+             * In other words, presence of this field testifies that authorization was obtained via OIDC.
              */
-            chain_id: number | null;
-            /** @description The key to import encrypted with the public key of the organization */
-            key_material: components["schemas"]["RsaOaepXChaChaMaterial"][];
-            key_type: components["schemas"]["KeyType"];
+            aud?: string | null;
+            /**
+             * @description The email associated with the user
+             * @example user@email.com
+             */
+            email: string;
+            exp_epoch: components["schemas"]["EpochDateTime"];
+            identity?: components["schemas"]["OIDCIdentity"] | null;
+            user_info?: components["schemas"]["CubeSignerUserInfo"] | null;
+        }) & {
+            /** @description An opaque identifier for the proof */
+            id: string;
         };
         ImportKeyRequest: components["schemas"]["KeyImportKey"] & {
             /** @description A set of encrypted keys to be imported */
@@ -818,11 +1386,14 @@ export interface components {
              * @example alice@acme.com
              */
             email: string;
+            /** @description Optional login MFA policy */
+            mfa_policy?: Record<string, unknown> | null;
             /**
              * @description The user's full name
              * @example Alice Wonderland
              */
             name: string;
+            role?: components["schemas"]["MemberRole"] | null;
             /**
              * @description Skip sending an invitation email to this user if true.
              *
@@ -832,6 +1403,13 @@ export interface components {
              */
             skip_email: boolean;
         };
+        /** @description Derivation-related metadata for keys derived from a long-lived mnemonic */
+        KeyDerivationInfo: {
+            /** @description The derivation path used to derive this key */
+            derivation_path: string;
+            /** @description The mnemonic-id of the key's parent mnemonic */
+            mnemonic_id: string;
+        };
         /** @description A wrapped key-import key */
         KeyImportKey: {
             /** @description Base64-encoded, encrypted data key. */
@@ -849,9 +1427,31 @@ export interface components {
             /** @description Base64-encoded, encrypted secret key. */
             sk_enc: string;
         };
-        KeyInfo: {
-            /** @description Whether the key is enabled (only enabled keys may be used for signing) */
-            enabled: boolean;
+        KeyInRoleInfo: {
+            /**
+             * @description Key ID
+             * @example Key#0x8e3484687e66cdd26cf04c3647633ab4f3570148
+             */
+            key_id: string;
+            /**
+             * @description Policies that are checked before this key is used on behalf of this role
+             * @example [
+             *   {
+             *     "TxReceiver": "0x8c594691c0e592ffa21f153a16ae41db5befcaaa"
+             *   },
+             *   {
+             *     "TxDeposit": {
+             *       "kind": "Canonical"
+             *     }
+             *   }
+             * ]
+             */
+            policy?: Record<string, never>[];
+        };
+        KeyInfo: {
+            derivation_info?: components["schemas"]["KeyDerivationInfo"] | null;
+            /** @description Whether the key is enabled (only enabled keys may be used for signing) */
+            enabled: boolean;
             /**
              * @description The id of the key: "Key#" followed by a unique identifier specific to
              * the type of key (such as a public key for BLS or an ethereum address for Secp)
@@ -871,14 +1471,22 @@ export interface components {
             owner: string;
             /**
              * @description Key policy
-             * @example []
+             * @example [
+             *   "AllowRawBlobSigning",
+             *   {
+             *     "RequireMfa": {
+             *       "count": 1
+             *     }
+             *   }
+             * ]
              */
             policy: Record<string, never>[];
             /**
              * @description Hex-encoded, serialized public key. The format used depends on the key type:
-             * - secp256k1 keys use 65-byte uncompressed SECG format;
+             * - Secp256k1 keys use 65-byte uncompressed SECG format;
+             * - Stark keys use 33-byte compressed SECG format;
              * - BLS keys use 48-byte compressed BLS12-381 (ZCash) format;
-             * - ed25519 keys use the canonical 64-byte encoding specified in RFC 8032.
+             * - Ed25519 keys use the canonical 32-byte encoding specified in RFC 8032.
              * @example 0x04d2688b6bc2ce7f9879b9e745f3c4dc177908c5cef0c1b64cff19ae7ff27dee623c64fe9d9c325c7fbbc748bbd5f607ce14dd83e28ebbbb7d3e7f2ffb70a79431
              */
             public_key: string;
@@ -889,41 +1497,45 @@ export interface components {
             purpose: string;
         };
         /** @enum {string} */
-        KeyType: "SecpEthAddr" | "SecpBtc" | "SecpBtcTest" | "BlsPub" | "BlsInactive" | "Ed25519SolanaAddr" | "Ed25519SuiAddr" | "Ed25519AptosAddr";
-        KeyWithPolicies: {
-            /**
-             * @description Key ID
-             * @example Key#0x8e3484687e66cdd26cf04c3647633ab4f3570148
-             */
-            key_id: string;
-            /**
-             * @description Policies that are checked before this key is used on behalf of this role
-             * @example [
-             *   {
-             *     "TxReceiver": "0x8c594691c0e592ffa21f153a16ae41db5befcaaa"
-             *   },
-             *   {
-             *     "TxDeposit": {
-             *       "kind": "Canonical"
-             *     }
-             *   }
-             * ]
-             */
-            policy?: Record<string, never>[];
-        };
+        KeyType: "SecpEthAddr" | "SecpBtc" | "SecpBtcTest" | "SecpAvaAddr" | "SecpAvaTestAddr" | "BlsPub" | "BlsInactive" | "Ed25519SolanaAddr" | "Ed25519SuiAddr" | "Ed25519AptosAddr" | "Ed25519CardanoAddrVk" | "Ed25519StellarAddr" | "Mnemonic" | "Stark";
+        /**
+         * @description Wrapper around encrypted [UnencryptedLastEvalKey] bytes.
+         *
+         * We serialize this into a base64url-encoded string and return to the user
+         * so that they can pass this back to us as a url query parameter.
+         */
+        LastEvalKey: string;
         /**
          * @description Describes whether a user in an org is an Owner or just a regular member
          * @enum {string}
          */
-        MemberRole: "Owner" | "Member" | "Alien";
+        MemberRole: "Alien" | "Member" | "Owner";
+        /** @description Returned as a response from multiple routes (e.g., 'get mfa', 'approve mfa', 'approve totp'). */
+        MfaRequestInfo: {
+            expires_at: components["schemas"]["EpochDateTime"];
+            /** @description Approval request ID. */
+            id: string;
+            receipt?: components["schemas"]["Receipt"] | null;
+            request: components["schemas"]["HttpRequest"];
+            status: components["schemas"]["Status"];
+        };
         /** @enum {string} */
-        MfaType: "CubeSigner" | "Totp";
+        MfaType: "CubeSigner" | "Totp" | "Fido";
         /**
          * @description Network name ('mainnet', 'prater', 'goerli')
          * @example goerli
          * @enum {string}
          */
-        Network: "mainnet" | "prater" | "goerli";
+        Network: "mainnet" | "prater" | "goerli" | "holesky";
+        /** @description Information about a new session, returned from multiple endpoints (e.g., login, refresh, etc.). */
+        NewSessionResponse: {
+            session_info: components["schemas"]["ClientSessionInfo"];
+            /**
+             * @description New token to be used for authentication. Requests to signing endpoints
+             * should include this value in the `Authorization` header
+             */
+            token: string;
+        };
         /**
          * @description Represents a globally unique OIDC-authorized user by expressing the full "path" to a user. That is:
          *
@@ -968,23 +1580,13 @@ export interface components {
              * ]
              */
             scopes: string[];
-        };
-        OidcLoginResponse: {
-            /**
-             * @description Token to be used for signing auth. Requests to signing endpoints
-             * should include this value in the `Authorization` header
-             */
-            token: string;
+            tokens?: components["schemas"]["RatchetConfig"];
         };
         OrgInfo: {
             /** @description When false, all cryptographic operations involving keys in this org are disabled. */
             enabled: boolean;
-            /**
-             * @description The RSA public key to use when importing keys into this organization. This string is the
-             * hex encoding of the DER representation of the key.
-             * @example 30820222300d06092a864886f70d01010105000382020f003082020a0282020100c89765b8f347caafbec09fcb17740e032d854ec99f2d9c16167be335339b4fdeba18a7f13d8e8b7ae7d689cab63d8ecdf548f4746eacaf95b61fef76ade9f81b3c038891c52542fd352697b618afbea6103723c28f2db450e9d852be16a4dc2cbc9442da9a6610044009e056ba90728f0b9888d9b036e493aaed168ccf930fa2f730b17eb3ad6f455a792b762c47f3d3c6b7a7c458556a592e688791599a576bf2149d8e9614db775e7a48602d237a347d5399c681f7f7d9c81f6a64e7cfd356bba545d45e5023ca1f09a66a1d4550f61cf2c4367e14997b5d749bb0326a44d058119e8caf7fd79d517eb2d11dddb2db329f350698f0f978d5e150bb402c8bc4c5ec36d6f38db3f3a204813cda9f52dbcee809204f8e35a455c0e110e10eec41f734f2d55a058a7a21fa90602f94da6de2378ff61e7b3550b77e53d75d7b3d3b39ccab0e5101b916dab01da096f7627175d5b68a1a6464ce5be3e95e7c464d69eb0b675057705c11bc79c3543313b0d9c703c50dc1a16dd9b55e5599e3b02e527b85938e7b81c65e56960bcd7c7a266b07dc05107fd0d7d3c208a878eb0fc74b0d007f421d0c5b28cf78eb441aa0166dceeeac255d68622492f9b526ae13c93754ea8eda96f3b764ba931f8d49c7de8b00ac53d993ab9b08fd2892d8e82cc1a9746f0b426b19256d13d780445e150ce81da0b3c96e32559cb47cb5cb93f805650203010001
-             */
-            key_import_key: string;
+            /** @description Deprecated: this field should be ignored. */
+            key_import_key?: string | null;
             /**
              * @description The organization's universally unique key-wrapping-key identifier.
              * This value is required when setting up key export.
@@ -1021,9 +1623,350 @@ export interface components {
              */
             policy?: Record<string, never>[];
         };
+        /**
+         * @description The rocket query parameter representing the page from which to start a paginated query.
+         *
+         * MUST be named `<page>` in rocket url spec so that 'serde(rename = "page.*")' below continues to work
+         */
+        Page: {
+            /**
+             * Format: int32
+             * @description Max number of items to return per page.
+             *
+             * If the actual number of returned items may be less that this, even if there exist more
+             * data in the result set. To reliably determine if more data is left in the result set,
+             * inspect the [UnencryptedLastEvalKey] value in the response object.
+             */
+            "page.size"?: number;
+            /**
+             * @description The start of the page.  Omit to start from the beginning; otherwise, only specify a
+             * the exact value previously returned as 'last_evaluated_key' from the same endpoint.
+             */
+            "page.start"?: string | null;
+        };
+        /**
+         * @description This type represents a wire-encodable form of the PublicKeyCredential interface
+         * Clients may need to manually encode into this format to communicate with the server
+         *
+         * The PublicKeyCredential interface inherits from Credential
+         * [CREDENTIAL-MANAGEMENT-1], and contains the attributes that are returned to
+         * the caller when a new credential is created, or a new assertion is
+         * requested.
+         *
+         * https://www.w3.org/TR/webauthn-2/#iface-pkcredential
+         */
+        PublicKeyCredential: {
+            /**
+             * @description This internal slot contains the results of processing client extensions
+             * requested by the Relying Party upon the Relying Party's invocation of
+             * either navigator.credentials.create() or navigator.credentials.get().
+             *
+             * https://www.w3.org/TR/webauthn-2/#dom-publickeycredential-clientextensionsresults-slot
+             *
+             * IMPLEMENTATION NOTE: The type for this field comes from the type of getClientExtensionResults() which as the following doc:
+             *
+             * This operation returns the value of [[clientExtensionsResults]], which is a map containing extension identifier → client extension output entries produced by the extension’s client extension processing.
+             * https://www.w3.org/TR/webauthn-2/#ref-for-dom-publickeycredential-getclientextensionresults
+             */
+            clientExtensionResults?: Record<string, unknown> | null;
+            /**
+             * @description This internal slot contains the credential ID, chosen by the
+             * authenticator. The credential ID is used to look up credentials for use,
+             * and is therefore expected to be globally unique with high probability
+             * across all credentials of the same type, across all authenticators.
+             *
+             * https://www.w3.org/TR/webauthn-2/#dom-publickeycredential-identifier-slot
+             */
+            id: string;
+            /** @description Authenticators respond to Relying Party requests by returning an object derived from the AuthenticatorResponse interface */
+            response: components["schemas"]["AuthenticatorAttestationResponse"] | components["schemas"]["AuthenticatorAssertionResponse"];
+        };
+        /**
+         * @description Defines the parameters for the creation of a new public key credential
+         *
+         * https://www.w3.org/TR/webauthn-2/#dictdef-publickeycredentialcreationoptions
+         */
+        PublicKeyCredentialCreationOptions: {
+            attestation?: components["schemas"]["AttestationConveyancePreference"];
+            authenticator_selection?: components["schemas"]["AuthenticatorSelectionCriteria"] | null;
+            /**
+             * @description This member contains a challenge intended to be used for generating the
+             * newly created credential’s attestation object. See the § 13.4.3
+             * Cryptographic Challenges security consideration.
+             *
+             * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-challenge
+             */
+            challenge: string;
+            /**
+             * @description This member is intended for use by Relying Parties that wish to limit
+             * the creation of multiple credentials for the same account on a single
+             * authenticator. The client is requested to return an error if the new
+             * credential would be created on an authenticator that also contains one
+             * of the credentials enumerated in this parameter.
+             *
+             * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-excludecredentials
+             */
+            exclude_credentials?: components["schemas"]["PublicKeyCredentialDescriptor"][];
+            /**
+             * @description This member contains additional parameters requesting additional
+             * processing by the client and authenticator. For example, the caller may
+             * request that only authenticators with certain capabilities be used to
+             * create the credential, or that particular information be returned in the
+             * attestation object. Some extensions are defined in § 9 WebAuthn
+             * Extensions; consult the IANA "WebAuthn Extension Identifiers" registry
+             * [IANA-WebAuthn-Registries] established by [RFC8809] for an up-to-date
+             * list of registered WebAuthn Extensions.
+             *
+             * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-extensions
+             */
+            extensions?: Record<string, unknown> | null;
+            /**
+             * @description This member contains information about the desired properties of the
+             * credential to be created. The sequence is ordered from most preferred to
+             * least preferred. The client makes a best-effort to create the most
+             * preferred credential that it can.
+             *
+             * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-pubkeycredparams
+             */
+            pub_key_cred_params: components["schemas"]["PublicKeyCredentialParameters"][];
+            rp: components["schemas"]["PublicKeyCredentialRpEntity"];
+            /**
+             * Format: int32
+             * @description This member specifies a time, in milliseconds, that the caller is
+             * willing to wait for the call to complete. This is treated as a hint, and
+             * MAY be overridden by the client.
+             *
+             * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-timeout
+             */
+            timeout?: number | null;
+            user?: components["schemas"]["PublicKeyCredentialUserEntity"] | null;
+        };
+        /**
+         * @description This dictionary contains the attributes that are specified by a caller when
+         * referring to a public key credential as an input parameter to the create()
+         * or get() methods. It mirrors the fields of the PublicKeyCredential object
+         * returned by the latter methods.
+         *
+         * https://www.w3.org/TR/webauthn-2/#dictionary-credential-descriptor
+         */
+        PublicKeyCredentialDescriptor: {
+            /**
+             * @description This member contains the credential ID of the public key credential the caller is referring to.
+             *
+             * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialdescriptor-id
+             */
+            id: string;
+            /**
+             * @description This OPTIONAL member contains a hint as to how the client might
+             * communicate with the managing authenticator of the public key credential
+             * the caller is referring to. The values SHOULD be members of
+             * AuthenticatorTransport but client platforms MUST ignore unknown values.
+             *
+             * The getTransports() operation can provide suitable values for this
+             * member. When registering a new credential, the Relying Party SHOULD
+             * store the value returned from getTransports(). When creating a
+             * PublicKeyCredentialDescriptor for that credential, the Relying Party
+             * SHOULD retrieve that stored value and set it as the value of the
+             * transports member.
+             */
+            transports?: components["schemas"]["AuthenticatorTransport"][] | null;
+            type: components["schemas"]["PublicKeyCredentialType"];
+        };
+        /**
+         * @description This dictionary is used to supply additional parameters when creating a new
+         * credential.
+         *
+         * https://www.w3.org/TR/webauthn-2/#dictionary-credential-params
+         */
+        PublicKeyCredentialParameters: {
+            /**
+             * Format: int64
+             * @description This member specifies the cryptographic signature algorithm with which
+             * the newly generated credential will be used, and thus also the type of
+             * asymmetric key pair to be generated, e.g., RSA or Elliptic Curve.
+             */
+            alg: number;
+            type: components["schemas"]["PublicKeyCredentialType"];
+        };
+        /**
+         * @description The `PublicKeyCredentialRequestOptions` dictionary supplies get() with the
+         * data it needs to generate an assertion. Its challenge member MUST be
+         * present, while its other members are OPTIONAL.
+         *
+         * This struct is also used as part of the verification procedure for assertions
+         */
+        PublicKeyCredentialRequestOptions: {
+            /**
+             * @description This OPTIONAL member contains a list of PublicKeyCredentialDescriptor
+             * objects representing public key credentials acceptable to the caller, in
+             * descending order of the caller’s preference (the first item in the list
+             * is the most preferred credential, and so on down the list).
+             *
+             * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialrequestoptions-allowcredentials
+             */
+            allow_credentials?: components["schemas"]["PublicKeyCredentialDescriptor"][];
+            /**
+             * @description This member represents a challenge that the selected authenticator
+             * signs, along with other data, when producing an authentication
+             * assertion.
+             *
+             * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialrequestoptions-challenge
+             */
+            challenge: string;
+            extensions?: Record<string, unknown> | null;
+            /**
+             * @description This OPTIONAL member specifies the relying party identifier claimed by
+             * the caller. If omitted, its value will be the CredentialsContainer
+             * object’s relevant settings object's origin's effective domain.
+             *
+             * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialrequestoptions-rpid
+             */
+            rp_id?: string | null;
+            /**
+             * Format: int32
+             * @description This OPTIONAL member specifies a time, in milliseconds, that the caller
+             * is willing to wait for the call to complete. The value is treated as a
+             * hint, and MAY be overridden by the client.
+             *
+             * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialrequestoptions-timeout
+             */
+            timeout?: number | null;
+            user_verification?: components["schemas"]["UserVerificationRequirement"];
+        };
+        /**
+         * @description The PublicKeyCredentialRpEntity dictionary is used to supply additional
+         * Relying Party attributes when creating a new credential.
+         *
+         * https://www.w3.org/TR/webauthn-2/#dictionary-rp-credential-params
+         */
+        PublicKeyCredentialRpEntity: {
+            /**
+             * @description A unique identifier for the Relying Party entity, which sets the RP ID.
+             *
+             * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialrpentity-id
+             */
+            id: string;
+            /**
+             * @description A human-palatable name for the entity. Its function depends on what the
+             * PublicKeyCredentialEntity represents: When inherited by
+             * PublicKeyCredentialRpEntity it is a human-palatable identifier for the
+             * Relying Party, intended only for display. For example, "ACME
+             * Corporation", "Wonderful Widgets, Inc." or "ОАО Примертех".
+             *
+             * Relying Parties SHOULD perform enforcement, as prescribed in Section 2.3
+             * of [RFC8266] for the Nickname Profile of the PRECIS FreeformClass
+             * [RFC8264], when setting name's value, or displaying the value to the
+             * user.
+             *
+             * This string MAY contain language and direction metadata. Relying Parties
+             * SHOULD consider providing this information. See § 6.4.2 Language and
+             * Direction Encoding about how this metadata is encoded.
+             */
+            name: string;
+        };
+        /**
+         * @description This enumeration defines the valid credential types. It is an extension
+         * point; values can be added to it in the future, as more credential types are
+         * defined. The values of this enumeration are used for versioning the
+         * Authentication Assertion and attestation structures according to the type of
+         * the authenticator.  Currently one credential type is defined, namely
+         * "public-key".
+         *
+         * https://www.w3.org/TR/webauthn-2/#enumdef-publickeycredentialtype
+         * @enum {string}
+         */
+        PublicKeyCredentialType: "public-key";
+        /**
+         * @description The PublicKeyCredentialUserEntity dictionary is used to supply additional
+         * user account attributes when creating a new credential.
+         */
+        PublicKeyCredentialUserEntity: {
+            /**
+             * @description A human-palatable name for the user account, intended only for display.
+             * For example, "Alex Müller" or "田中倫". The Relying Party SHOULD let the
+             * user choose this, and SHOULD NOT restrict the choice more than
+             * necessary.
+             *
+             * Relying Parties SHOULD perform enforcement, as prescribed in Section 2.3
+             * of [RFC8266] for the Nickname Profile of the PRECIS FreeformClass
+             * [RFC8264], when setting displayName's value, or displaying the value to
+             * the user.
+             *
+             * This string MAY contain language and direction metadata. Relying Parties
+             * SHOULD consider providing this information. See § 6.4.2 Language and
+             * Direction Encoding about how this metadata is encoded.
+             *
+             * Clients SHOULD perform enforcement, as prescribed in Section 2.3 of
+             * [RFC8266] for the Nickname Profile of the PRECIS FreeformClass
+             * [RFC8264], on displayName's value prior to displaying the value to the
+             * user or including the value as a parameter of the
+             * authenticatorMakeCredential operation.
+             *
+             * When clients, client platforms, or authenticators display a
+             * displayName's value, they should always use UI elements to provide a
+             * clear boundary around the displayed value, and not allow overflow into
+             * other elements [css-overflow-3].
+             *
+             * Authenticators MUST accept and store a 64-byte minimum length for a
+             * displayName member’s value. Authenticators MAY truncate a displayName
+             * member’s value so that it fits within 64 bytes. See § 6.4.1 String
+             * Truncation about truncation and other considerations.
+             *
+             * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialuserentity-displayname
+             */
+            displayName: string;
+            /**
+             * @description The user handle of the user account entity. A user handle is an opaque
+             * byte sequence with a maximum size of 64 bytes, and is not meant to be
+             * displayed to the user.
+             *
+             * To ensure secure operation, authentication and authorization decisions
+             * MUST be made on the basis of this id member, not the displayName nor
+             * name members. See Section 6.1 of [RFC8266].
+             *
+             * The user handle MUST NOT contain personally identifying information
+             * about the user, such as a username or e-mail address; see § 14.6.1 User
+             * Handle Contents for details. The user handle MUST NOT be empty, though
+             * it MAY be null.
+             *
+             * Note: the user handle ought not be a constant value across different
+             * accounts, even for non-discoverable credentials, because some
+             * authenticators always create discoverable credentials. Thus a constant
+             * user handle would prevent a user from using such an authenticator with
+             * more than one account at the Relying Party.
+             *
+             * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialuserentity-id
+             */
+            id: string;
+            /**
+             * @description When inherited by PublicKeyCredentialUserEntity, it is a human-palatable
+             * identifier for a user account. It is intended only for display, i.e.,
+             * aiding the user in determining the difference between user accounts with
+             * similar displayNames. For example, "alexm", "alex.mueller@example.com"
+             * or "+14255551234".
+             *
+             * The Relying Party MAY let the user choose this value. The Relying Party
+             * SHOULD perform enforcement, as prescribed in Section 3.4.3 of [RFC8265]
+             * for the UsernameCasePreserved Profile of the PRECIS IdentifierClass
+             * [RFC8264], when setting name's value, or displaying the value to the
+             * user.
+             *
+             * This string MAY contain language and direction metadata. Relying Parties
+             * SHOULD consider providing this information. See § 6.4.2 Language and
+             * Direction Encoding about how this metadata is encoded.
+             *
+             * Clients SHOULD perform enforcement, as prescribed in Section 3.4.3 of [RFC8265] for the UsernameCasePreserved Profile of the PRECIS IdentifierClass [RFC8264], on name's value prior to displaying the value to the user or including the value as a parameter of the authenticatorMakeCredential operation.
+             */
+            name: string;
+        };
         RatchetConfig: {
+            /** @default 300 */
             auth_lifetime?: components["schemas"]["Seconds"];
+            /** @default default_grace_lifetime */
+            grace_lifetime?: components["schemas"]["Seconds"];
+            /** @default 86400 */
             refresh_lifetime?: components["schemas"]["Seconds"];
+            /** @default 31536000 */
             session_lifetime?: components["schemas"]["Seconds"];
         };
         /** @description Receipt that an MFA request was approved. */
@@ -1037,14 +1980,23 @@ export interface components {
             final_approver: string;
             timestamp: components["schemas"]["EpochDateTime"];
         };
+        /**
+         * @description This enumeration’s values describe the Relying Party's requirements for
+         * client-side discoverable credentials (formerly known as resident credentials
+         * or resident keys):
+         *
+         * https://www.w3.org/TR/webauthn-2/#enumdef-residentkeyrequirement
+         * @enum {string}
+         */
+        ResidentKeyRequirement: "discouraged" | "preferred" | "required";
         RoleInfo: {
             /**
              * @description Whether the role is enabled
              * @example true
              */
             enabled: boolean;
-            /** @description The CubeSigner IDs of the keys */
-            keys: components["schemas"]["KeyWithPolicies"][];
+            /** @description Deprecated The CubeSigner IDs of at most 100 keys associated with this role */
+            keys?: components["schemas"]["KeyInRoleInfo"][] | null;
             /**
              * @description The human-readable name for the role (must be alphanumeric)
              * @example my_role
@@ -1055,52 +2007,27 @@ export interface components {
              * @example Role#bfe3eccb-731e-430d-b1e5-ac1363e6b06b
              */
             role_id: string;
-            /**
-             * @description The list of users with access to the role
-             * @example [
-             *   "User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f",
-             *   "User#5593c25b-52e2-4fb5-b39b-96d41d681d82"
-             * ]
-             */
-            users: string[];
+            /** @description Deprecated. The list of at most 100 users with access to the role. */
+            users?: string[] | null;
         };
         /**
-         * @description Encrypted key material for import using hybrid encryption.
-         *
-         * The imported keying material is encrypted using [XChaCha20Poly1305], which
-         * we choose for its speed and side channel resistance, its ability to encrypt
-         * very long messages, and its safety when using random nonces even for a large
-         * number of messages. The latter should not happen in this case, but the cost
-         * is negligible and the benefit is that we know it's safe to use random nonces.
-         *
-         * The XChaCha key is encrypted using [RSAES-OAEP-SHA256], which we choose because
-         * it's the best of the [available options for asymmetric encryption][kmsopts]
-         * in AWS KMS.
-         *
-         * [XChaCha20Poly1305]: https://doc.libsodium.org/secret-key_cryptography/aead/chacha20-poly1305/xchacha20-poly1305_construction
-         * [RSAES-OAEP-SHA256]: https://www.rfc-editor.org/rfc/rfc8017#section-7.1
-         * [kmsopts]: https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html
+         * Format: int64
+         * @description Duration measured in seconds
+         * A wrapper type for serialization that encodes a `Duration` as a `u64` representing the number of seconds.
          */
-        RsaOaepXChaChaMaterial: {
+        Seconds: number;
+        SessionInfo: {
             /**
-             * @description The keying material to be imported, encrypted with
-             * [XChaCha20Poly1305](https://doc.libsodium.org/secret-key_cryptography/aead/chacha20-poly1305/xchacha20-poly1305_construction).
+             * @description A human-readable description for the session
+             * @example OIDC login session
              */
-            ikm_enc: number[];
+            purpose: string;
             /**
-             * @description The key-wrapping key used to encrypt `ikm_enc`, encrypted with
-             * [RSAES-OAEP-SHA256](https://www.rfc-editor.org/rfc/rfc8017#section-7.1).
+             * @description Session ID. Uniquely identifies the session, but cannot be used for auth.
+             * @example 77aad2100c361f497635dd005c4d15781e2e5df4b9f45d8e74f37425cbc30b9e
              */
-            kwk_enc: number[];
-            /** @description The nonce used to generate `ikm_enc`. */
-            nonce: number[];
+            session_id: string;
         };
-        /**
-         * Format: int64
-         * @description Duration measured in seconds
-         * A wrapper type for serialization that encodes a `Duration` as a `u64` representing the number of seconds.
-         */
-        Seconds: number;
         SignRequest: {
             message: Record<string, never>;
         };
@@ -1113,12 +2040,20 @@ export interface components {
              */
             chain_id: number;
             deposit_type: components["schemas"]["DepositType"];
-            unsafe_conf: components["schemas"]["UnsafeConf"] | null;
+            /**
+             * Format: int64
+             * @description Optional staking amount in GWEI.
+             * If not specified, defaults to 32_000_000_000 (32 ETH).
+             * Must be between 1 ETH and 32 ETH.
+             * Must not be different from the default value when 'deposit_type' is "Wrapper".
+             */
+            staking_amount_gwei?: number;
+            unsafe_conf?: components["schemas"]["UnsafeConf"] | null;
             /**
              * @description The validator BLS public key to use, or `None` to generate a fresh one.
              * @example 0xa99a76ed7796f7be22d5b7e85deeb7c5677e88e511e0b337618f8c4eb61349b4bf2d153f649f7b53359fe8b94a38e44c
              */
-            validator_key: string | null;
+            validator_key?: string | null;
             /**
              * @description The ethereum address to which withdrawn funds go
              * @example 0x8e3484687e66cdd26cf04c3647633ab4f3570148
@@ -1132,9 +2067,9 @@ export interface components {
             allowed_mfa_types?: components["schemas"]["MfaType"][] | null;
             /** @description Users who have already approved */
             approved_by: {
-                [key: string]: ({
-                    [key: string]: components["schemas"]["ApprovalInfo"] | undefined;
-                }) | undefined;
+                [key: string]: {
+                    [key: string]: components["schemas"]["ApprovalInfo"];
+                };
             };
             /**
              * Format: int32
@@ -1157,18 +2092,25 @@ export interface components {
             /** @description TOTP verification code */
             code: string;
         };
+        /** @description Sent from the client to the server to answer a TOTP challenge */
+        TotpChallengeAnswer: {
+            /** @description The current TOTP code */
+            code: string;
+            /** @description The ID of the challenge that was returned from the POST endpoint */
+            totp_id: string;
+        };
         /** @description Options that should be set only for local devnet testing. */
         UnsafeConf: {
             /**
              * @description The hex-encoded address of the deposit contract. If omitted, inferred from `chain_id`
              * @example 0xff50ed3d0ec03ac01d4c79aad74928bff48a7b2b
              */
-            deposit_contract_addr: string | null;
+            deposit_contract_addr?: string | null;
             /**
              * @description The hex-encoded 4-byte fork version
              * @example 0x00001020
              */
-            genesis_fork_version: string | null;
+            genesis_fork_version?: string | null;
         };
         /**
          * @description Unstake message request.
@@ -1189,7 +2131,7 @@ export interface components {
          * }
          */
         UnstakeRequest: {
-            epoch: components["schemas"]["Epoch"] | null;
+            epoch?: components["schemas"]["Epoch"] | null;
             fork: components["schemas"]["Fork"];
             genesis_data: components["schemas"]["GenesisData"];
             network: components["schemas"]["Network"];
@@ -1217,7 +2159,14 @@ export interface components {
             owner?: string | null;
             /**
              * @description If set, update this key's policies (old policies will be overwritten!).
-             * @example []
+             * @example [
+             *   "AllowRawBlobSigning",
+             *   {
+             *     "RequireMfa": {
+             *       "count": 1
+             *     }
+             *   }
+             * ]
              */
             policy?: Record<string, never>[] | null;
         };
@@ -1269,11 +2218,16 @@ export interface components {
              */
             id: string;
         };
+        UserInRoleInfo: {
+            user_id: string;
+        };
         UserInfo: {
             /** @example alice@example.com */
             email: string;
             /** @description All multi-factor authentication methods configured for this user */
             mfa: components["schemas"]["ConfiguredMfa"][];
+            /** @description MFA policy, applies before logging in and other sensitive operations */
+            mfa_policy?: Record<string, unknown> | null;
             /**
              * @description All organizations the user belongs to
              * @example [
@@ -1287,6 +2241,14 @@ export interface components {
              */
             user_id: string;
         };
+        /**
+         * @description A WebAuthn Relying Party may require user verification for some of its
+         * operations but not for others, and may use this type to express its needs.
+         *
+         * https://www.w3.org/TR/webauthn-2/#enum-userVerificationRequirement
+         * @enum {string}
+         */
+        UserVerificationRequirement: "required" | "discouraged" | "preferred";
         /**
          * @description An exit voluntarily submitted a validator who wishes to withdraw.
          * The schema for this message is defined
@@ -1310,6 +2272,14 @@ export interface components {
                 };
             };
         };
+        AvaSignResponse: {
+            content: {
+                "application/json": {
+                    /** @description The hex-encoded signature. */
+                    signature: string;
+                };
+            };
+        };
         BlobSignResponse: {
             content: {
                 "application/json": {
@@ -1322,8 +2292,8 @@ export interface components {
             content: {
                 "application/json": {
                     /**
-                     * @description The hex-encoded signature in DER format.
-                     * @example 0x3045022100e12be3904f665f755e106741680548fefc9febf4cff31c5c0ee4627b3c1b35fe022066fde9a0b17e4cd38da983fb0d604294f00d0bd47fcb649c5216f3a2e8b7ad2d01
+                     * @description The hex-encoded signature in compact format.
+                     * @example 0x454aef27c21df7dd8f537dc869f4cd65286ce239a52d36470f4d85be85a891b02789e5ffd8560b32a98110e5d0096802e4c14145cf6c44f10a768c87755eaa4800
                      */
                     signature: string;
                 };
@@ -1370,15 +2340,16 @@ export interface components {
                 };
             };
         };
-        CreateTokenResponse: {
+        Eip712SignResponse: {
             content: {
                 "application/json": {
-                    session_info: components["schemas"]["ClientSessionInfo"];
                     /**
-                     * @description Token to be used for signing auth. Requests to signing endpoints
-                     * should include this value in the `Authorization` header
+                     * @description Hex-encoded signature comprising 65 bytes in the format required
+                     * by ecrecover: 32-byte r, 32-byte s, and one-byte recovery-id v
+                     * which is either 27 or 28.
+                     * @example 0x4355c47d63924e8a72e509b65029052eb6c299d53a04e167c5775fd466751c9d07299936d304c153f6443dfa05f40ff007d72911b6f72307f996231605b915621c
                      */
-                    token: string;
+                    signature: string;
                 };
             };
         };
@@ -1411,10 +2382,25 @@ export interface components {
                 };
             };
         };
-        GetKeysInOrgResponse: {
+        FidoAssertChallenge: {
             content: {
                 "application/json": {
-                    keys: components["schemas"]["KeyInfo"][];
+                    /** @description The id of the challenge. Must be supplied when answering the challenge. */
+                    challenge_id: string;
+                    options: components["schemas"]["PublicKeyCredentialRequestOptions"];
+                };
+            };
+        };
+        /**
+         * @description Sent by the server to the client. Contains the challenge data that must be
+         * used to generate a new credential
+         */
+        FidoCreateChallengeResponse: {
+            content: {
+                "application/json": {
+                    /** @description The id of the challenge. Must be supplied when answering the challenge. */
+                    challenge_id: string;
+                    options: components["schemas"]["PublicKeyCredentialCreationOptions"];
                 };
             };
         };
@@ -1426,14 +2412,52 @@ export interface components {
                 };
             };
         };
-        /** @description A wrapped key-import key */
-        KeyImportKey: {
+        /**
+         * @description Proof that an end-user provided CubeSigner with a valid auth token
+         * (either an OIDC token or a CubeSigner session token)
+         */
+        IdentityProof: {
             content: {
-                "application/json": {
-                    /** @description Base64-encoded, encrypted data key. */
-                    dk_enc: string;
+                "application/json": ({
                     /**
-                     * Format: int64
+                     * @description OIDC audience; set only if the proof was obtained by using OIDC token.
+                     *
+                     * In other words, presence of this field testifies that authorization was obtained via OIDC.
+                     */
+                    aud?: string | null;
+                    /**
+                     * @description The email associated with the user
+                     * @example user@email.com
+                     */
+                    email: string;
+                    exp_epoch: components["schemas"]["EpochDateTime"];
+                    identity?: components["schemas"]["OIDCIdentity"] | null;
+                    user_info?: components["schemas"]["CubeSignerUserInfo"] | null;
+                }) & {
+                    /** @description An opaque identifier for the proof */
+                    id: string;
+                };
+            };
+        };
+        /** @description Derivation-related metadata for keys derived from a long-lived mnemonic */
+        KeyDerivationInfo: {
+            content: {
+                "application/json": {
+                    /** @description The derivation path used to derive this key */
+                    derivation_path: string;
+                    /** @description The mnemonic-id of the key's parent mnemonic */
+                    mnemonic_id: string;
+                };
+            };
+        };
+        /** @description A wrapped key-import key */
+        KeyImportKey: {
+            content: {
+                "application/json": {
+                    /** @description Base64-encoded, encrypted data key. */
+                    dk_enc: string;
+                    /**
+                     * Format: int64
                      * @description Expiration timestamp expressed as seconds since the UNIX epoch.
                      */
                     expires: number;
@@ -1450,6 +2474,7 @@ export interface components {
         KeyInfo: {
             content: {
                 "application/json": {
+                    derivation_info?: components["schemas"]["KeyDerivationInfo"] | null;
                     /** @description Whether the key is enabled (only enabled keys may be used for signing) */
                     enabled: boolean;
                     /**
@@ -1471,14 +2496,22 @@ export interface components {
                     owner: string;
                     /**
                      * @description Key policy
-                     * @example []
+                     * @example [
+                     *   "AllowRawBlobSigning",
+                     *   {
+                     *     "RequireMfa": {
+                     *       "count": 1
+                     *     }
+                     *   }
+                     * ]
                      */
                     policy: Record<string, never>[];
                     /**
                      * @description Hex-encoded, serialized public key. The format used depends on the key type:
-                     * - secp256k1 keys use 65-byte uncompressed SECG format;
+                     * - Secp256k1 keys use 65-byte uncompressed SECG format;
+                     * - Stark keys use 33-byte compressed SECG format;
                      * - BLS keys use 48-byte compressed BLS12-381 (ZCash) format;
-                     * - ed25519 keys use the canonical 64-byte encoding specified in RFC 8032.
+                     * - Ed25519 keys use the canonical 32-byte encoding specified in RFC 8032.
                      * @example 0x04d2688b6bc2ce7f9879b9e745f3c4dc177908c5cef0c1b64cff19ae7ff27dee623c64fe9d9c325c7fbbc748bbd5f607ce14dd83e28ebbbb7d3e7f2ffb70a79431
                      */
                     public_key: string;
@@ -1497,11 +2530,11 @@ export interface components {
                 };
             };
         };
-        ListRolesResponse: {
+        ListMfaResponse: {
             content: {
                 "application/json": {
-                    /** @description All roles in an organization. */
-                    roles: components["schemas"]["RoleInfo"][];
+                    /** @description All pending MFA requests */
+                    mfa_requests: components["schemas"]["MfaRequestInfo"][];
                 };
             };
         };
@@ -1519,17 +2552,19 @@ export interface components {
                     expires_at: components["schemas"]["EpochDateTime"];
                     /** @description Approval request ID. */
                     id: string;
-                    receipt: components["schemas"]["Receipt"] | null;
+                    receipt?: components["schemas"]["Receipt"] | null;
                     request: components["schemas"]["HttpRequest"];
                     status: components["schemas"]["Status"];
                 };
             };
         };
-        OidcLoginResponse: {
+        /** @description Information about a new session, returned from multiple endpoints (e.g., login, refresh, etc.). */
+        NewSessionResponse: {
             content: {
                 "application/json": {
+                    session_info: components["schemas"]["ClientSessionInfo"];
                     /**
-                     * @description Token to be used for signing auth. Requests to signing endpoints
+                     * @description New token to be used for authentication. Requests to signing endpoints
                      * should include this value in the `Authorization` header
                      */
                     token: string;
@@ -1541,12 +2576,8 @@ export interface components {
                 "application/json": {
                     /** @description When false, all cryptographic operations involving keys in this org are disabled. */
                     enabled: boolean;
-                    /**
-                     * @description The RSA public key to use when importing keys into this organization. This string is the
-                     * hex encoding of the DER representation of the key.
-                     * @example 30820222300d06092a864886f70d01010105000382020f003082020a0282020100c89765b8f347caafbec09fcb17740e032d854ec99f2d9c16167be335339b4fdeba18a7f13d8e8b7ae7d689cab63d8ecdf548f4746eacaf95b61fef76ade9f81b3c038891c52542fd352697b618afbea6103723c28f2db450e9d852be16a4dc2cbc9442da9a6610044009e056ba90728f0b9888d9b036e493aaed168ccf930fa2f730b17eb3ad6f455a792b762c47f3d3c6b7a7c458556a592e688791599a576bf2149d8e9614db775e7a48602d237a347d5399c681f7f7d9c81f6a64e7cfd356bba545d45e5023ca1f09a66a1d4550f61cf2c4367e14997b5d749bb0326a44d058119e8caf7fd79d517eb2d11dddb2db329f350698f0f978d5e150bb402c8bc4c5ec36d6f38db3f3a204813cda9f52dbcee809204f8e35a455c0e110e10eec41f734f2d55a058a7a21fa90602f94da6de2378ff61e7b3550b77e53d75d7b3d3b39ccab0e5101b916dab01da096f7627175d5b68a1a6464ce5be3e95e7c464d69eb0b675057705c11bc79c3543313b0d9c703c50dc1a16dd9b55e5599e3b02e527b85938e7b81c65e56960bcd7c7a266b07dc05107fd0d7d3c208a878eb0fc74b0d007f421d0c5b28cf78eb441aa0166dceeeac255d68622492f9b526ae13c93754ea8eda96f3b764ba931f8d49c7de8b00ac53d993ab9b08fd2892d8e82cc1a9746f0b426b19256d13d780445e150ce81da0b3c96e32559cb47cb5cb93f805650203010001
-                     */
-                    key_import_key: string;
+                    /** @description Deprecated: this field should be ignored. */
+                    key_import_key?: string | null;
                     /**
                      * @description The organization's universally unique key-wrapping-key identifier.
                      * This value is required when setting up key export.
@@ -1585,16 +2616,78 @@ export interface components {
                 };
             };
         };
-        RefreshResponse: {
+        PaginatedListKeysResponse: {
             content: {
                 "application/json": {
-                    session_info: components["schemas"]["ClientSessionInfo"];
+                    keys: components["schemas"]["KeyInfo"][];
+                } & ({
                     /**
-                     * @description New token to be used for signing auth. Requests to signing endpoints
-                     * should include this value in the `Authorization` header
+                     * @description If set, the content of `response` does not contain the entire result set.
+                     * To fetch the next page of the result set, call the same endpoint
+                     * but specify this value as the 'page.start' query parameter.
                      */
-                    token: string;
-                };
+                    last_evaluated_key?: string | null;
+                });
+            };
+        };
+        PaginatedListRoleKeysResponse: {
+            content: {
+                "application/json": {
+                    /** @description All keys in a role */
+                    keys: components["schemas"]["KeyInRoleInfo"][];
+                } & ({
+                    /**
+                     * @description If set, the content of `response` does not contain the entire result set.
+                     * To fetch the next page of the result set, call the same endpoint
+                     * but specify this value as the 'page.start' query parameter.
+                     */
+                    last_evaluated_key?: string | null;
+                });
+            };
+        };
+        PaginatedListRoleUsersResponse: {
+            content: {
+                "application/json": {
+                    /** @description All users in a role */
+                    users: components["schemas"]["UserInRoleInfo"][];
+                } & ({
+                    /**
+                     * @description If set, the content of `response` does not contain the entire result set.
+                     * To fetch the next page of the result set, call the same endpoint
+                     * but specify this value as the 'page.start' query parameter.
+                     */
+                    last_evaluated_key?: string | null;
+                });
+            };
+        };
+        PaginatedListRolesResponse: {
+            content: {
+                "application/json": {
+                    /** @description All roles in an organization. */
+                    roles: components["schemas"]["RoleInfo"][];
+                } & ({
+                    /**
+                     * @description If set, the content of `response` does not contain the entire result set.
+                     * To fetch the next page of the result set, call the same endpoint
+                     * but specify this value as the 'page.start' query parameter.
+                     */
+                    last_evaluated_key?: string | null;
+                });
+            };
+        };
+        PaginatedSessionsResponse: {
+            content: {
+                "application/json": {
+                    /** @description The list of sessions */
+                    sessions: components["schemas"]["SessionInfo"][];
+                } & ({
+                    /**
+                     * @description If set, the content of `response` does not contain the entire result set.
+                     * To fetch the next page of the result set, call the same endpoint
+                     * but specify this value as the 'page.start' query parameter.
+                     */
+                    last_evaluated_key?: string | null;
+                });
             };
         };
         RevokeTokenResponse: {
@@ -1620,8 +2713,8 @@ export interface components {
                      * @example true
                      */
                     enabled: boolean;
-                    /** @description The CubeSigner IDs of the keys */
-                    keys: components["schemas"]["KeyWithPolicies"][];
+                    /** @description Deprecated The CubeSigner IDs of at most 100 keys associated with this role */
+                    keys?: components["schemas"]["KeyInRoleInfo"][] | null;
                     /**
                      * @description The human-readable name for the role (must be alphanumeric)
                      * @example my_role
@@ -1632,14 +2725,33 @@ export interface components {
                      * @example Role#bfe3eccb-731e-430d-b1e5-ac1363e6b06b
                      */
                     role_id: string;
+                    /** @description Deprecated. The list of at most 100 users with access to the role. */
+                    users?: string[] | null;
+                };
+            };
+        };
+        SessionInfo: {
+            content: {
+                "application/json": {
                     /**
-                     * @description The list of users with access to the role
-                     * @example [
-                     *   "User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f",
-                     *   "User#5593c25b-52e2-4fb5-b39b-96d41d681d82"
-                     * ]
+                     * @description A human-readable description for the session
+                     * @example OIDC login session
                      */
-                    users: string[];
+                    purpose: string;
+                    /**
+                     * @description Session ID. Uniquely identifies the session, but cannot be used for auth.
+                     * @example 77aad2100c361f497635dd005c4d15781e2e5df4b9f45d8e74f37425cbc30b9e
+                     */
+                    session_id: string;
+                };
+            };
+        };
+        /** @description The response from any operation operating on multiple sessions */
+        SessionsResponse: {
+            content: {
+                "application/json": {
+                    /** @description The list of sessions */
+                    sessions: components["schemas"]["SessionInfo"][];
                 };
             };
         };
@@ -1663,9 +2775,24 @@ export interface components {
                 };
             };
         };
+        TokenInfo: {
+            content: {
+                "application/json": {
+                    /** @description Session ID. Use it to revoke a session. Cannot be used for auth. */
+                    hash: string;
+                    /** @description Tokens purpose */
+                    purpose: string;
+                };
+            };
+        };
         TotpInfo: {
             content: {
                 "application/json": {
+                    /**
+                     * @description The ID of the TOTP challenge.
+                     * @example TotpChallenge#7892ebba-563e-485b-bb7d-e26267363286
+                     */
+                    totp_id: string;
                     /**
                      * @description Standard TOTP url which includes everything needed to initialize TOTP.
                      * @example otpauth://totp/Cubist:alice-%40example.com?secret=DAHF7KCOTQWSOMK4XFEMNHXO4J433OD7&issuer=Cubist
@@ -1733,6 +2860,8 @@ export interface components {
                     email: string;
                     /** @description All multi-factor authentication methods configured for this user */
                     mfa: components["schemas"]["ConfiguredMfa"][];
+                    /** @description MFA policy, applies before logging in and other sensitive operations */
+                    mfa_policy?: Record<string, unknown> | null;
                     /**
                      * @description All organizations the user belongs to
                      * @example [
@@ -1754,15 +2883,17 @@ export interface components {
     headers: never;
     pathItems: never;
 }
+export type $defs = Record<string, never>;
 export type external = Record<string, never>;
 export interface operations {
     /**
      * User Info
+     * @deprecated
      * @description User Info
      *
      * Retrieves information about the current user.
      */
-    aboutMe: {
+    aboutMeLegacy: {
         responses: {
             200: components["responses"]["UserInfo"];
             default: {
@@ -1828,13 +2959,13 @@ export interface operations {
         };
     };
     /**
-     * Sign Bitcoin Transaction
-     * @description Sign Bitcoin Transaction
+     * Sign Avalanche X- or P-Chain Message
+     * @description Sign Avalanche X- or P-Chain Message
      *
-     * Signs a Bitcoin transaction with a given key.
+     * Signs an Avalanche message with a given SecpAva key.
      * This is a pre-release feature.
      */
-    btcSign: {
+    avaSign: {
         parameters: {
             path: {
                 /**
@@ -1843,19 +2974,19 @@ export interface operations {
                  */
                 org_id: string;
                 /**
-                 * @description bech32 encoding of the public key
-                 * @example bc1q5p5qkae77ly80kr4pyfytdqm7rf08ddhdejl9g
+                 * @description Avalanche bech32 address format without the chain prefix
+                 * @example avax1am4w6hfrvmh3akduzkjthrtgtqafalce6an8cr
                  */
                 pubkey: string;
             };
         };
         requestBody: {
             content: {
-                "application/json": components["schemas"]["BtcSignRequest"];
+                "application/json": components["schemas"]["AvaSignRequest"];
             };
         };
         responses: {
-            200: components["responses"]["BtcSignResponse"];
+            200: components["responses"]["AvaSignResponse"];
             202: {
                 content: {
                     "application/json": components["schemas"]["AcceptedResponse"];
@@ -1869,12 +3000,13 @@ export interface operations {
         };
     };
     /**
-     * Create Key-Import Key
-     * @description Create Key-Import Key
+     * Sign Bitcoin Transaction
+     * @description Sign Bitcoin Transaction
      *
-     * Generate an ephemeral key that a client can use for key-import encryption.
+     * Signs a Bitcoin transaction with a given key.
+     * This is a pre-release feature.
      */
-    createKeyImportKey: {
+    btcSign: {
         parameters: {
             path: {
                 /**
@@ -1882,10 +3014,25 @@ export interface operations {
                  * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
                  */
                 org_id: string;
+                /**
+                 * @description bech32 encoding of the public key
+                 * @example bc1q5p5qkae77ly80kr4pyfytdqm7rf08ddhdejl9g
+                 */
+                pubkey: string;
+            };
+        };
+        requestBody: {
+            content: {
+                "application/json": components["schemas"]["BtcSignRequest"];
             };
         };
         responses: {
-            200: components["responses"]["CreateKeyImportKeyResponse"];
+            200: components["responses"]["BtcSignResponse"];
+            202: {
+                content: {
+                    "application/json": components["schemas"]["AcceptedResponse"];
+                };
+            };
             default: {
                 content: {
                     "application/json": components["schemas"]["ErrorResponse"];
@@ -1894,12 +3041,13 @@ export interface operations {
         };
     };
     /**
-     * Import Key
-     * @description Import Key
+     * Derive Key From Long-Lived Mnemonic
+     * @description Derive Key From Long-Lived Mnemonic
      *
-     * Securely imports an existing key using a previously generated key-import key.
+     * Derives a key of a specified type using a supplied derivation path and an
+     * existing long-lived mnemonic.
      */
-    importKey: {
+    deriveKey: {
         parameters: {
             path: {
                 /**
@@ -1911,7 +3059,7 @@ export interface operations {
         };
         requestBody: {
             content: {
-                "application/json": components["schemas"]["ImportKeyRequest"];
+                "application/json": components["schemas"]["DeriveKeyRequest"];
             };
         };
         responses: {
@@ -1924,12 +3072,12 @@ export interface operations {
         };
     };
     /**
-     * Invite User
-     * @description Invite User
+     * Sign EIP-712 Typed Data
+     * @description Sign EIP-712 Typed Data
      *
-     * Creates a new user in an existing org and sends that user an invite email.
+     * Signs typed data according to EIP-712 with a given Secp256k1 key.
      */
-    invite: {
+    eip712Sign: {
         parameters: {
             path: {
                 /**
@@ -1937,15 +3085,25 @@ export interface operations {
                  * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
                  */
                 org_id: string;
+                /**
+                 * @description Hex-encoded ethereum address of the secp key
+                 * @example 0x49011adbCC3bC9c0307BB07F37Dda1a1a9c69d2E
+                 */
+                pubkey: string;
             };
         };
         requestBody: {
             content: {
-                "application/json": components["schemas"]["InviteRequest"];
+                "application/json": components["schemas"]["Eip712SignRequest"];
             };
         };
         responses: {
-            200: components["responses"]["EmptyImpl"];
+            200: components["responses"]["Eip712SignResponse"];
+            202: {
+                content: {
+                    "application/json": components["schemas"]["AcceptedResponse"];
+                };
+            };
             default: {
                 content: {
                     "application/json": components["schemas"]["ErrorResponse"];
@@ -1954,20 +3112,49 @@ export interface operations {
         };
     };
     /**
-     * List Keys
-     * @description List Keys
+     * Create [IdentityProof] from CubeSigner user session
+     * @description Create [IdentityProof] from CubeSigner user session
      *
-     * Gets the list of owned keys in a given org.
+     * This route can be used to prove to another party that a user has a
+     * valid CubeSigner session.
+     *
+     * Clients are intended to call this route and pass the returned evidence
+     * to another service which will verify it by making a request to `/v0/org/<org_id>/identity/verify`.
      */
-    listKeysInOrg: {
+    createProofCubeSigner: {
         parameters: {
-            query?: {
+            path: {
                 /**
-                 * @description Filter by key type
-                 * @example SecpEthAddr
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
                  */
-                key_type?: components["schemas"]["KeyType"];
+                org_id: string;
+            };
+        };
+        responses: {
+            200: components["responses"]["IdentityProof"];
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
             };
+        };
+    };
+    /**
+     * Create [IdentityProof] from OIDC token
+     * @description Create [IdentityProof] from OIDC token
+     *
+     * Exchange an OIDC ID token (passed via the `Authorization` header) for a proof of authentication.
+     *
+     * This route can be used to prove to another party that a user has met the
+     * authentication requirements (allowed issuers & audiences) for CubeSigner
+     * without leaking their credentials.
+     *
+     * Clients are intended to call this route and pass the returned evidence to another service
+     * which will verify it by making a request to `/v0/org/<org_id>/identity/verify`.
+     */
+    createProofOidc: {
+        parameters: {
             path: {
                 /**
                  * @description Name or ID of the desired Org
@@ -1977,7 +3164,7 @@ export interface operations {
             };
         };
         responses: {
-            200: components["responses"]["GetKeysInOrgResponse"];
+            200: components["responses"]["IdentityProof"];
             default: {
                 content: {
                     "application/json": components["schemas"]["ErrorResponse"];
@@ -1986,12 +3173,15 @@ export interface operations {
         };
     };
     /**
-     * Import Key (Deprecated)
-     * @description Import Key (Deprecated)
+     * Verify identity proof
+     * @description Verify identity proof
+     *
+     * Allows a third-party to validate proof of authentication.
      *
-     * Securely imports an existing key. This API is deprecated; please use the new version.
+     * When a third-party is provided an [IdentityProof] object, they must check its
+     * veracity by calling this endpoint
      */
-    importKeyLegacy: {
+    verifyProof: {
         parameters: {
             path: {
                 /**
@@ -2003,11 +3193,29 @@ export interface operations {
         };
         requestBody: {
             content: {
-                "application/json": components["schemas"]["ImportKeyLegacyRequest"];
+                "application/json": components["schemas"]["IdentityProof"];
+            };
+        };
+        responses: {};
+    };
+    /**
+     * Create Key-Import Key
+     * @description Create Key-Import Key
+     *
+     * Generate an ephemeral key that a client can use for key-import encryption.
+     */
+    createKeyImportKey: {
+        parameters: {
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
             };
         };
         responses: {
-            200: components["responses"]["CreateKeyResponse"];
+            200: components["responses"]["CreateKeyImportKeyResponse"];
             default: {
                 content: {
                     "application/json": components["schemas"]["ErrorResponse"];
@@ -2016,12 +3224,12 @@ export interface operations {
         };
     };
     /**
-     * Create Key
-     * @description Create Key
+     * Import Key
+     * @description Import Key
      *
-     * Creates one or more new keys of the specified type (BLS or Secp).
+     * Securely imports an existing key using a previously generated key-import key.
      */
-    createKey: {
+    importKey: {
         parameters: {
             path: {
                 /**
@@ -2033,7 +3241,7 @@ export interface operations {
         };
         requestBody: {
             content: {
-                "application/json": components["schemas"]["CreateKeyRequest"];
+                "application/json": components["schemas"]["ImportKeyRequest"];
             };
         };
         responses: {
@@ -2046,13 +3254,12 @@ export interface operations {
         };
     };
     /**
-     * Legacy List Keys
-     * @deprecated
-     * @description Legacy List Keys
+     * Invite User
+     * @description Invite User
      *
-     * This route is deprecated. Use `GET /v0/org/<org_id>/keys?<key_type>`
+     * Creates a new user in an existing org and sends that user an invite email.
      */
-    listKeysLegacy: {
+    invite: {
         parameters: {
             path: {
                 /**
@@ -2064,11 +3271,11 @@ export interface operations {
         };
         requestBody: {
             content: {
-                "application/json": components["schemas"]["GetKeysInOrgRequest"];
+                "application/json": components["schemas"]["InviteRequest"];
             };
         };
         responses: {
-            200: components["responses"]["GetKeysInOrgResponse"];
+            200: components["responses"]["EmptyImpl"];
             default: {
                 content: {
                     "application/json": components["schemas"]["ErrorResponse"];
@@ -2077,28 +3284,43 @@ export interface operations {
         };
     };
     /**
-     * Get Key
-     * @description Get Key
+     * List Keys
+     * @description List Keys
      *
-     * Returns the properties of a key.
+     * Gets the list of owned keys in a given org.
      */
-    getKeyInOrg: {
+    listKeysInOrg: {
         parameters: {
+            query?: {
+                /**
+                 * @description Max number of items to return per page.
+                 *
+                 * If the actual number of returned items may be less that this, even if there exist more
+                 * data in the result set. To reliably determine if more data is left in the result set,
+                 * inspect the [UnencryptedLastEvalKey] value in the response object.
+                 */
+                "page.size"?: number;
+                /**
+                 * @description The start of the page.  Omit to start from the beginning; otherwise, only specify a
+                 * the exact value previously returned as 'last_evaluated_key' from the same endpoint.
+                 */
+                "page.start"?: components["schemas"]["LastEvalKey"] | null;
+                /**
+                 * @description Filter by key type
+                 * @example SecpEthAddr
+                 */
+                key_type?: components["schemas"]["KeyType"] | null;
+            };
             path: {
                 /**
                  * @description Name or ID of the desired Org
                  * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
                  */
                 org_id: string;
-                /**
-                 * @description ID of the key
-                 * @example Key#0x8e3484687e66cdd26cf04c3647633ab4f3570148
-                 */
-                key_id: string;
             };
         };
         responses: {
-            200: components["responses"]["KeyInfo"];
+            200: components["responses"]["PaginatedListKeysResponse"];
             default: {
                 content: {
                     "application/json": components["schemas"]["ErrorResponse"];
@@ -2107,12 +3329,12 @@ export interface operations {
         };
     };
     /**
-     * Update Key
-     * @description Update Key
+     * Create Key
+     * @description Create Key
      *
-     * Enable or disable a key.  The user must be the owner of the key or organization to perform this action.
+     * Creates one or more new keys of the specified type.
      */
-    updateKey: {
+    createKey: {
         parameters: {
             path: {
                 /**
@@ -2120,20 +3342,15 @@ export interface operations {
                  * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
                  */
                 org_id: string;
-                /**
-                 * @description ID of the key
-                 * @example Key#0x8e3484687e66cdd26cf04c3647633ab4f3570148
-                 */
-                key_id: string;
             };
         };
         requestBody: {
             content: {
-                "application/json": components["schemas"]["UpdateKeyRequest"];
+                "application/json": components["schemas"]["CreateKeyRequest"];
             };
         };
         responses: {
-            200: components["responses"]["KeyInfo"];
+            200: components["responses"]["CreateKeyResponse"];
             default: {
                 content: {
                     "application/json": components["schemas"]["ErrorResponse"];
@@ -2142,12 +3359,12 @@ export interface operations {
         };
     };
     /**
-     * Gets a Pending MFA Request
-     * @description Gets a Pending MFA Request
+     * Get Key
+     * @description Get Key
      *
-     * Retrieves and returns a pending MFA request by its id.
+     * Returns the properties of a key.
      */
-    mfaGet: {
+    getKeyInOrg: {
         parameters: {
             path: {
                 /**
@@ -2156,14 +3373,14 @@ export interface operations {
                  */
                 org_id: string;
                 /**
-                 * @description ID of the approval
-                 * @example ...
+                 * @description ID of the desired Key
+                 * @example Key#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
                  */
-                mfa_id: string;
+                key_id: string;
             };
         };
         responses: {
-            200: components["responses"]["MfaRequestInfo"];
+            200: components["responses"]["KeyInfo"];
             default: {
                 content: {
                     "application/json": components["schemas"]["ErrorResponse"];
@@ -2172,12 +3389,135 @@ export interface operations {
         };
     };
     /**
-     * Approve a Pending MFA Request
-     * @description Approve a Pending MFA Request
+     * Delete Key
+     * @description Delete Key
      *
-     * Adds the current user as an approver of a pending MFA request of the [Status::RequiredApprovers] kind.
-     * If the required number of approvers is reached, the MFA request is approved;
-     * the confirmation receipt can be used to resume the original HTTP request.
+     * Deletes a key specified by its ID.
+     * Only the key owner and org owners are allowed to delete keys.
+     */
+    deleteKey: {
+        parameters: {
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+                /**
+                 * @description ID of the desired Key
+                 * @example Key#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                key_id: string;
+            };
+        };
+        responses: {
+            200: components["responses"]["EmptyImpl"];
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
+    /**
+     * Update Key
+     * @description Update Key
+     *
+     * Enable or disable a key.  The user must be the owner of the key or organization to perform this action.
+     */
+    updateKey: {
+        parameters: {
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+                /**
+                 * @description ID of the desired Key
+                 * @example Key#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                key_id: string;
+            };
+        };
+        requestBody: {
+            content: {
+                "application/json": components["schemas"]["UpdateKeyRequest"];
+            };
+        };
+        responses: {
+            200: components["responses"]["KeyInfo"];
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
+    /**
+     * List Pending MFA Requests
+     * @description List Pending MFA Requests
+     *
+     * Retrieves and returns all pending MFA requests that are accessible to the current user,
+     * i.e., those in which the current user is listed as an approver
+     */
+    mfaList: {
+        parameters: {
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+            };
+        };
+        responses: {
+            200: components["responses"]["ListMfaResponse"];
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
+    /**
+     * Get Pending MFA Request
+     * @description Get Pending MFA Request
+     *
+     * Retrieves and returns a pending MFA request by its id.
+     */
+    mfaGet: {
+        parameters: {
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+                /**
+                 * @description Name or ID of the desired MfaRequest
+                 * @example MfaRequest#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                mfa_id: string;
+            };
+        };
+        responses: {
+            200: components["responses"]["MfaRequestInfo"];
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
+    /**
+     * Approve MFA Request
+     * @description Approve MFA Request
+     *
+     * Approve request after logging in with CubeSigner. Adds the currently-logged user as an approver
+     * of a pending MFA request of the [Status::RequiredApprovers] kind. If the required number of
+     * approvers is reached, the MFA request is approved; the confirmation receipt can be used to
+     * resume the original HTTP request.
      */
     mfaApproveCs: {
         parameters: {
@@ -2188,12 +3528,80 @@ export interface operations {
                  */
                 org_id: string;
                 /**
-                 * @description ID of the MFA approval request
-                 * @example MfaRequest#6de79de4-662c-4203-9235-b6ace5cb432b
+                 * @description Name or ID of the desired MfaRequest
+                 * @example MfaRequest#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                mfa_id: string;
+            };
+        };
+        responses: {
+            200: components["responses"]["MfaRequestInfo"];
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
+    /**
+     * Initiate Approving an MFA Request with FIDO
+     * @description Initiate Approving an MFA Request with FIDO
+     *
+     * Initiates the approval process of an MFA Request using FIDO.
+     */
+    mfaApproveFido: {
+        parameters: {
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+                /**
+                 * @description Name or ID of the desired MfaRequest
+                 * @example MfaRequest#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                mfa_id: string;
+            };
+        };
+        responses: {
+            200: components["responses"]["FidoAssertChallenge"];
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
+    /**
+     * Finalize a FIDO MFA Approval
+     * @description Finalize a FIDO MFA Approval
+     *
+     * Adds an approver to a pending MFA request.
+     *
+     * If the required number of approvers is reached, the MFA request is approved;
+     * the confirmation receipt can be used to resume the original HTTP request.
+     */
+    mfaApproveFidoComplete: {
+        parameters: {
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+                /**
+                 * @description Name or ID of the desired MfaRequest
+                 * @example MfaRequest#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
                  */
                 mfa_id: string;
             };
         };
+        requestBody: {
+            content: {
+                "application/json": components["schemas"]["FidoAssertAnswer"];
+            };
+        };
         responses: {
             200: components["responses"]["MfaRequestInfo"];
             default: {
@@ -2207,7 +3615,7 @@ export interface operations {
      * Approve a TOTP MFA Request
      * @description Approve a TOTP MFA Request
      *
-     * Adds an approver to a pending TOTP MFA request.
+     * Adds the current user as approver to a pending MFA request by providing TOTP code.
      *
      * If the required number of approvers is reached, the MFA request is approved;
      * the confirmation receipt can be used to resume the original HTTP request.
@@ -2221,8 +3629,8 @@ export interface operations {
                  */
                 org_id: string;
                 /**
-                 * @description ID of the MFA approval request
-                 * @example MfaRequest#6de79de4-662c-4203-9235-b6ace5cb432b
+                 * @description Name or ID of the desired MfaRequest
+                 * @example MfaRequest#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
                  */
                 mfa_id: string;
             };
@@ -2263,7 +3671,7 @@ export interface operations {
             };
         };
         responses: {
-            200: components["responses"]["OidcLoginResponse"];
+            200: components["responses"]["NewSessionResponse"];
             202: {
                 content: {
                     "application/json": components["schemas"]["AcceptedResponse"];
@@ -2284,6 +3692,23 @@ export interface operations {
      */
     listRoles: {
         parameters: {
+            query?: {
+                /**
+                 * @description Max number of items to return per page.
+                 *
+                 * If the actual number of returned items may be less that this, even if there exist more
+                 * data in the result set. To reliably determine if more data is left in the result set,
+                 * inspect the [UnencryptedLastEvalKey] value in the response object.
+                 */
+                "page.size"?: number;
+                /**
+                 * @description The start of the page.  Omit to start from the beginning; otherwise, only specify a
+                 * the exact value previously returned as 'last_evaluated_key' from the same endpoint.
+                 */
+                "page.start"?: components["schemas"]["LastEvalKey"] | null;
+                /** @description Don't include keys and users for each role */
+                summarize?: boolean | null;
+            };
             path: {
                 /**
                  * @description Name or ID of the desired Org
@@ -2293,7 +3718,7 @@ export interface operations {
             };
         };
         responses: {
-            200: components["responses"]["ListRolesResponse"];
+            200: components["responses"]["PaginatedListRolesResponse"];
             default: {
                 content: {
                     "application/json": components["schemas"]["ErrorResponse"];
@@ -2321,7 +3746,7 @@ export interface operations {
         /** @description Optional request body to set the role name */
         requestBody?: {
             content: {
-                "application/json": components["schemas"]["CreateRoleRequest"];
+                "application/json": components["schemas"]["CreateRoleRequest"] | null;
             };
         };
         responses: {
@@ -2479,14 +3904,59 @@ export interface operations {
                  */
                 role_id: string;
                 /**
-                 * @description ID of the user to add to role
-                 * @example User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f
+                 * @description ID of the desired User
+                 * @example User#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
                  */
                 user_id: string;
             };
         };
         responses: {};
     };
+    /**
+     * List Role Keys
+     * @description List Role Keys
+     *
+     * Returns an array of all keys in a role.
+     */
+    listRoleKeys: {
+        parameters: {
+            query?: {
+                /**
+                 * @description Max number of items to return per page.
+                 *
+                 * If the actual number of returned items may be less that this, even if there exist more
+                 * data in the result set. To reliably determine if more data is left in the result set,
+                 * inspect the [UnencryptedLastEvalKey] value in the response object.
+                 */
+                "page.size"?: number;
+                /**
+                 * @description The start of the page.  Omit to start from the beginning; otherwise, only specify a
+                 * the exact value previously returned as 'last_evaluated_key' from the same endpoint.
+                 */
+                "page.start"?: components["schemas"]["LastEvalKey"] | null;
+            };
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+                /**
+                 * @description Name or ID of the desired Role
+                 * @example Role#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                role_id: string;
+            };
+        };
+        responses: {
+            200: components["responses"]["PaginatedListRoleKeysResponse"];
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
     /**
      * Remove Key
      * @description Remove Key
@@ -2516,8 +3986,11 @@ export interface operations {
         responses: {};
     };
     /**
-     * List Tokens
-     * @description List Tokens
+     * List a single page of Tokens (Deprecated)
+     * @deprecated
+     * @description List a single page of Tokens (Deprecated)
+     *
+     * **Deprecated**: Use `GET /org/{org_id}/session?role=`
      *
      * Returns all access tokens for a given role.
      * Only users in the role or owners can create a token for it.
@@ -2574,7 +4047,7 @@ export interface operations {
             };
         };
         responses: {
-            200: components["responses"]["CreateTokenResponse"];
+            200: components["responses"]["NewSessionResponse"];
             default: {
                 content: {
                     "application/json": components["schemas"]["ErrorResponse"];
@@ -2583,8 +4056,11 @@ export interface operations {
         };
     };
     /**
-     * Revoke All Tokens
-     * @description Revoke All Tokens
+     * Revoke All Tokens (Deprecated)
+     * @deprecated
+     * @description Revoke All Tokens (Deprecated)
+     *
+     * **Deprecated**: Use `DELETE /org/{org_id}/session?role=` instead
      *
      * Revokes all access tokens associated with a role.
      * Only users in the role or owners can perform this action.
@@ -2614,8 +4090,11 @@ export interface operations {
         };
     };
     /**
-     * Revoke Token
-     * @description Revoke Token
+     * Revoke Token (Deprecated)
+     * @deprecated
+     * @description Revoke Token (Deprecated)
+     *
+     * **Deprecated**: Use `DELETE /org/{org_id}/session/{session_id}`
      *
      * Revokes an access token associated with a role.
      * Only users in the role or owners can perform this action.
@@ -2650,23 +4129,43 @@ export interface operations {
         };
     };
     /**
-     * Get Token-Accessible Keys
-     * @description Get Token-Accessible Keys
+     * List Role Users.
+     * @description List Role Users.
      *
-     * Retrieves the keys that the role token can access.
+     * Returns an array of all users who have access to a role.
      */
-    listTokenKeys: {
+    listRoleUsers: {
         parameters: {
+            query?: {
+                /**
+                 * @description Max number of items to return per page.
+                 *
+                 * If the actual number of returned items may be less that this, even if there exist more
+                 * data in the result set. To reliably determine if more data is left in the result set,
+                 * inspect the [UnencryptedLastEvalKey] value in the response object.
+                 */
+                "page.size"?: number;
+                /**
+                 * @description The start of the page.  Omit to start from the beginning; otherwise, only specify a
+                 * the exact value previously returned as 'last_evaluated_key' from the same endpoint.
+                 */
+                "page.start"?: components["schemas"]["LastEvalKey"] | null;
+            };
             path: {
                 /**
                  * @description Name or ID of the desired Org
                  * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
                  */
                 org_id: string;
+                /**
+                 * @description Name or ID of the desired Role
+                 * @example Role#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                role_id: string;
             };
         };
         responses: {
-            200: components["responses"]["KeyInfos"];
+            200: components["responses"]["PaginatedListRoleUsersResponse"];
             default: {
                 content: {
                     "application/json": components["schemas"]["ErrorResponse"];
@@ -2675,11 +4174,33 @@ export interface operations {
         };
     };
     /**
-     * List users in organization
-     * @description List users in organization
+     * List sessions
+     * @description List sessions
+     *
+     * If no query parameters are provided, information for the current session is returned
      */
-    listUsersInOrg: {
+    listSessions: {
         parameters: {
+            query?: {
+                /**
+                 * @description Max number of items to return per page.
+                 *
+                 * If the actual number of returned items may be less that this, even if there exist more
+                 * data in the result set. To reliably determine if more data is left in the result set,
+                 * inspect the [UnencryptedLastEvalKey] value in the response object.
+                 */
+                "page.size"?: number;
+                /**
+                 * @description The start of the page.  Omit to start from the beginning; otherwise, only specify a
+                 * the exact value previously returned as 'last_evaluated_key' from the same endpoint.
+                 */
+                "page.start"?: components["schemas"]["LastEvalKey"] | null;
+                /**
+                 * @description If provided, the name or ID of a role to operate on
+                 * @example my-role
+                 */
+                role?: string | null;
+            };
             path: {
                 /**
                  * @description Name or ID of the desired Org
@@ -2689,7 +4210,7 @@ export interface operations {
             };
         };
         responses: {
-            200: components["responses"]["GetUsersInOrgResponse"];
+            200: components["responses"]["PaginatedSessionsResponse"];
             default: {
                 content: {
                     "application/json": components["schemas"]["ErrorResponse"];
@@ -2698,11 +4219,21 @@ export interface operations {
         };
     };
     /**
-     * Adds a third-party user to the org
-     * @description Adds a third-party user to the org
+     * Revoke existing session(s)
+     * @description Revoke existing session(s)
+     *
+     * Immediately revokes existing sessions, preventing them from being used or refreshed.
+     * If no query params are provided, the current session is revoked.
      */
-    createOidcUser: {
+    revokeSessions: {
         parameters: {
+            query?: {
+                /**
+                 * @description If provided, the name or ID of a role to operate on
+                 * @example my-role
+                 */
+                role?: string | null;
+            };
             path: {
                 /**
                  * @description Name or ID of the desired Org
@@ -2711,13 +4242,8 @@ export interface operations {
                 org_id: string;
             };
         };
-        requestBody: {
-            content: {
-                "application/json": components["schemas"]["AddThirdPartyUserRequest"];
-            };
-        };
         responses: {
-            200: components["responses"]["AddThirdPartyUserResponse"];
+            200: components["responses"]["SessionsResponse"];
             default: {
                 content: {
                     "application/json": components["schemas"]["ErrorResponse"];
@@ -2726,23 +4252,292 @@ export interface operations {
         };
     };
     /**
-     * Reset TOTP
-     * @description Reset TOTP
-     *
-     * Creates and sets a new TOTP configuration for the current user,
-     * overriding the existing one (if any).
+     * Get session information
+     * @description Get session information
      */
-    userResetTotp: {
-        responses: {
-            200: components["responses"]["TotpInfo"];
-            default: {
-                content: {
-                    "application/json": components["schemas"]["ErrorResponse"];
-                };
-            };
-        };
-    };
-    /**
+    getSession: {
+        parameters: {
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+                /**
+                 * @description The ID of the session to get
+                 * @example 77aad2100c361f497635dd005c4d15781e2e5df4b9f45d8e74f37425cbc30b9e
+                 */
+                session_id: string;
+            };
+        };
+        responses: {
+            200: components["responses"]["SessionInfo"];
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
+    /**
+     * Revoke a session
+     * @description Revoke a session
+     *
+     * Immediately revokes an existing session, preventing it from being used or refreshed
+     */
+    revokeSession: {
+        parameters: {
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+                /**
+                 * @description The ID of the session to revoke
+                 * @example 77aad2100c361f497635dd005c4d15781e2e5df4b9f45d8e74f37425cbc30b9e
+                 */
+                session_id: string;
+            };
+        };
+        responses: {
+            200: components["responses"]["SessionInfo"];
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
+    /**
+     * Sign Solana Message
+     * @description Sign Solana Message
+     *
+     * Signs a Solana message with a given key.
+     * This is a pre-release feature.
+     */
+    solanaSign: {
+        parameters: {
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+                /**
+                 * @description The base58-encoded public key
+                 * @example 86ZRPszBp5EoPj7wR3bHn7wnAZ5iYfpasRc7DKFPTUaZ
+                 */
+                pubkey: string;
+            };
+        };
+        requestBody: {
+            content: {
+                "application/json": components["schemas"]["SolanaSignRequest"];
+            };
+        };
+        responses: {
+            200: components["responses"]["SolanaSignResponse"];
+            202: {
+                content: {
+                    "application/json": components["schemas"]["AcceptedResponse"];
+                };
+            };
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
+    /**
+     * Get Token-Accessible Keys
+     * @description Get Token-Accessible Keys
+     *
+     * Retrieves the keys that the role token can access.
+     */
+    listTokenKeys: {
+        parameters: {
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+            };
+        };
+        responses: {
+            200: components["responses"]["KeyInfos"];
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
+    /**
+     * User Info
+     * @description User Info
+     *
+     * Retrieves information about the current user.
+     */
+    aboutMe: {
+        parameters: {
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+            };
+        };
+        responses: {
+            200: components["responses"]["UserInfo"];
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
+    /**
+     * Initiate registration of a FIDO key
+     * @description Initiate registration of a FIDO key
+     *
+     * Generates a challenge that must be answered to prove ownership of a key
+     */
+    userRegisterFidoInit: {
+        parameters: {
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+            };
+        };
+        requestBody: {
+            content: {
+                "application/json": components["schemas"]["FidoCreateRequest"];
+            };
+        };
+        responses: {
+            200: components["responses"]["FidoCreateChallengeResponse"];
+            202: {
+                content: {
+                    "application/json": components["schemas"]["AcceptedResponse"];
+                };
+            };
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
+    /**
+     * Finalize registration of a FIDO key
+     * @description Finalize registration of a FIDO key
+     *
+     * Accepts the response to the challenge generated by the POST to this endpoint.
+     */
+    userRegisterFidoComplete: {
+        parameters: {
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+            };
+        };
+        requestBody: {
+            content: {
+                "application/json": components["schemas"]["FidoCreateChallengeAnswer"];
+            };
+        };
+        responses: {
+            200: components["responses"]["EmptyImpl"];
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
+    /**
+     * Initialize TOTP Reset
+     * @description Initialize TOTP Reset
+     *
+     * Creates a new TOTP challenge that must be answered to prove that the new TOTP
+     * was successfully imported into an authenticator app.
+     *
+     * This operation is allowed if EITHER
+     * - the user account is not yet initialized and no TOTP is already set, OR
+     * - the user has not configured any auth factors;
+     * otherwise, MFA is required.
+     */
+    userResetTotpInit: {
+        parameters: {
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+            };
+        };
+        requestBody: {
+            content: {
+                "application/json": components["schemas"]["Empty"];
+            };
+        };
+        responses: {
+            200: components["responses"]["TotpInfo"];
+            202: {
+                content: {
+                    "application/json": components["schemas"]["AcceptedResponse"];
+                };
+            };
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
+    /**
+     * Finalize resetting TOTP
+     * @description Finalize resetting TOTP
+     *
+     * Checks if the response contains the correct TOTP code corresponding to the
+     * challenge generated by the POST method of this endpoint.
+     */
+    userResetTotpComplete: {
+        parameters: {
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+            };
+        };
+        requestBody: {
+            content: {
+                "application/json": components["schemas"]["TotpChallengeAnswer"];
+            };
+        };
+        responses: {
+            200: components["responses"]["EmptyImpl"];
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
+    /**
      * Verify TOTP
      * @description Verify TOTP
      *
@@ -2752,7 +4547,223 @@ export interface operations {
     userVerifyTotp: {
         parameters: {
             path: {
-                code: string;
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+            };
+        };
+        requestBody: {
+            content: {
+                "application/json": components["schemas"]["TotpApproveRequest"];
+            };
+        };
+        responses: {
+            200: components["responses"]["EmptyImpl"];
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
+    /**
+     * List users in organization
+     * @description List users in organization
+     */
+    listUsersInOrg: {
+        parameters: {
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+            };
+        };
+        responses: {
+            200: components["responses"]["GetUsersInOrgResponse"];
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
+    /**
+     * Add a third-party user to the org
+     * @description Add a third-party user to the org
+     */
+    createOidcUser: {
+        parameters: {
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+            };
+        };
+        requestBody: {
+            content: {
+                "application/json": components["schemas"]["AddThirdPartyUserRequest"];
+            };
+        };
+        responses: {
+            200: components["responses"]["AddThirdPartyUserResponse"];
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
+    /**
+     * Remove a third-party user from the org
+     * @description Remove a third-party user from the org
+     */
+    deleteOidcUser: {
+        parameters: {
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+            };
+        };
+        requestBody: {
+            content: {
+                "application/json": components["schemas"]["OIDCIdentity"];
+            };
+        };
+        responses: {
+            200: components["responses"]["EmptyImpl"];
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
+    /**
+     * Initiate registration of a FIDO key
+     * @deprecated
+     * @description Initiate registration of a FIDO key
+     *
+     * Generates a challenge that must be answered to prove ownership of a key
+     */
+    registerFidoInitLegacy: {
+        requestBody: {
+            content: {
+                "application/json": components["schemas"]["FidoCreateRequest"];
+            };
+        };
+        responses: {
+            200: components["responses"]["FidoCreateChallengeResponse"];
+            202: {
+                content: {
+                    "application/json": components["schemas"]["AcceptedResponse"];
+                };
+            };
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
+    /**
+     * Finalize registration of a FIDO key
+     * @deprecated
+     * @description Finalize registration of a FIDO key
+     *
+     * Accepts the response to the challenge generated by the POST to this endpoint.
+     */
+    registerFidoCompleteLegacy: {
+        requestBody: {
+            content: {
+                "application/json": components["schemas"]["FidoCreateChallengeAnswer"];
+            };
+        };
+        responses: {
+            200: components["responses"]["EmptyImpl"];
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
+    /**
+     * Initialize TOTP Reset
+     * @deprecated
+     * @description Initialize TOTP Reset
+     *
+     * Creates a new TOTP challenge that must be answered to prove that the new TOTP
+     * was successfully imported into an authenticator app.
+     *
+     * This operation is allowed if EITHER
+     * - the user account is not yet initialized and no TOTP is already set, OR
+     * - the user has not configured any auth factors;
+     * otherwise, MFA is required.
+     */
+    resetTotpInitLegacy: {
+        requestBody: {
+            content: {
+                "application/json": components["schemas"]["Empty"];
+            };
+        };
+        responses: {
+            200: components["responses"]["TotpInfo"];
+            202: {
+                content: {
+                    "application/json": components["schemas"]["AcceptedResponse"];
+                };
+            };
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
+    /**
+     * Finalize resetting TOTP
+     * @deprecated
+     * @description Finalize resetting TOTP
+     *
+     * Checks if the response contains the correct TOTP code corresponding to the
+     * challenge generated by the POST method of this endpoint.
+     */
+    resetTotpCompleteLegacy: {
+        requestBody: {
+            content: {
+                "application/json": components["schemas"]["TotpChallengeAnswer"];
+            };
+        };
+        responses: {
+            200: components["responses"]["EmptyImpl"];
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
+    /**
+     * Verify TOTP
+     * @deprecated
+     * @description Verify TOTP
+     *
+     * Checks if a given code matches the current TOTP code for the current user.
+     * Errors with 403 if the current user has not set up TOTP or the code fails verification.
+     */
+    verifyTotpLegacy: {
+        requestBody: {
+            content: {
+                "application/json": components["schemas"]["TotpApproveRequest"];
             };
         };
         responses: {
@@ -2770,6 +4781,13 @@ export interface operations {
      *
      * Signs an arbitrary blob with a given key.
      * This is a pre-release feature.
+     *
+     * - ECDSA signatures are serialized as big-endian r and s plus recovery-id
+     * byte v, which can in general take any of the values 0, 1, 2, or 3.
+     *
+     * - EdDSA signatures are serialized in the standard format.
+     *
+     * - BLS signatures are not supported on the blob-sign endpoint.
      */
     blobSign: {
         parameters: {
@@ -2780,8 +4798,8 @@ export interface operations {
                  */
                 org_id: string;
                 /**
-                 * @description The ID of the key
-                 * @example Key#0x49011adbCC3bC9c0307BB07F37Dda1a1a9c69d2E
+                 * @description ID of the desired Key
+                 * @example Key#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
                  */
                 key_id: string;
             };
@@ -2815,7 +4833,7 @@ export interface operations {
         parameters: {
             path: {
                 /**
-                 * @description Name or ID of the organization owning the key
+                 * @description Name or ID of the desired Org
                  * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
                  */
                 org_id: string;
@@ -2840,6 +4858,7 @@ export interface operations {
      * @description Sign EVM Transaction
      *
      * Signs an Ethereum (and other EVM) transaction with a given Secp256k1 key.
+     * Returns an RLP-encoded transaction with EIP-155 signature.
      *
      * The key must be associated with the role and organization on whose behalf this action is called.
      */
@@ -2865,6 +4884,11 @@ export interface operations {
         };
         responses: {
             200: components["responses"]["Eth1SignResponse"];
+            202: {
+                content: {
+                    "application/json": components["schemas"]["AcceptedResponse"];
+                };
+            };
             default: {
                 content: {
                     "application/json": components["schemas"]["ErrorResponse"];
@@ -2902,6 +4926,11 @@ export interface operations {
         };
         responses: {
             200: components["responses"]["Eth2SignResponse"];
+            202: {
+                content: {
+                    "application/json": components["schemas"]["AcceptedResponse"];
+                };
+            };
             default: {
                 content: {
                     "application/json": components["schemas"]["ErrorResponse"];
@@ -2936,6 +4965,11 @@ export interface operations {
         };
         responses: {
             200: components["responses"]["StakeResponse"];
+            202: {
+                content: {
+                    "application/json": components["schemas"]["AcceptedResponse"];
+                };
+            };
             default: {
                 content: {
                     "application/json": components["schemas"]["ErrorResponse"];
@@ -2974,42 +5008,11 @@ export interface operations {
         };
         responses: {
             200: components["responses"]["UnstakeResponse"];
-            default: {
+            202: {
                 content: {
-                    "application/json": components["schemas"]["ErrorResponse"];
+                    "application/json": components["schemas"]["AcceptedResponse"];
                 };
             };
-        };
-    };
-    /**
-     * Sign Solana Message
-     * @description Sign Solana Message
-     *
-     * Signs a Solana message with a given key.
-     * This is a pre-release feature.
-     */
-    solanaSign: {
-        parameters: {
-            path: {
-                /**
-                 * @description Name or ID of the desired Org
-                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
-                 */
-                org_id: string;
-                /**
-                 * @description The base58-encoded public key
-                 * @example 86ZRPszBp5EoPj7wR3bHn7wnAZ5iYfpasRc7DKFPTUaZ
-                 */
-                pubkey: string;
-            };
-        };
-        requestBody: {
-            content: {
-                "application/json": components["schemas"]["SolanaSignRequest"];
-            };
-        };
-        responses: {
-            200: components["responses"]["SolanaSignResponse"];
             default: {
                 content: {
                     "application/json": components["schemas"]["ErrorResponse"];
@@ -3037,7 +5040,7 @@ export interface operations {
             };
         };
         responses: {
-            200: components["responses"]["RefreshResponse"];
+            200: components["responses"]["NewSessionResponse"];
             default: {
                 content: {
                     "application/json": components["schemas"]["ErrorResponse"];
@@ -3046,4 +5049,3 @@ export interface operations {
         };
     };
 }
-export {};