@cubist-labs/cubesigner-sdk 0.1.50 → 0.2.2

package/src/schema.ts

@@ -12,7 +12,7 @@ export interface paths {
      *
      * Retrieves information about the current user.
      */
-    get: operations["aboutMe"];
+    get: operations["aboutMeLegacy"];
   };
   "/v0/org/{org_id}": {
     /**
@@ -30,6 +30,16 @@ export interface paths {
      */
     patch: operations["updateOrg"];
   };
+  "/v0/org/{org_id}/ava/sign/{pubkey}": {
+    /**
+     * Sign Avalanche X- or P-Chain Message
+     * @description Sign Avalanche X- or P-Chain Message
+     *
+     * Signs an Avalanche message with a given SecpAva key.
+     * This is a pre-release feature.
+     */
+    post: operations["avaSign"];
+  };
   "/v0/org/{org_id}/btc/sign/{pubkey}": {
     /**
      * Sign Bitcoin Transaction
@@ -50,6 +60,56 @@ export interface paths {
      */
     put: operations["deriveKey"];
   };
+  "/v0/org/{org_id}/evm/eip712/sign/{pubkey}": {
+    /**
+     * Sign EIP-712 Typed Data
+     * @description Sign EIP-712 Typed Data
+     *
+     * Signs typed data according to EIP-712 with a given Secp256k1 key.
+     */
+    post: operations["eip712Sign"];
+  };
+  "/v0/org/{org_id}/identity/prove": {
+    /**
+     * Create [IdentityProof] from CubeSigner user session
+     * @description Create [IdentityProof] from CubeSigner user session
+     *
+     * This route can be used to prove to another party that a user has a
+     * valid CubeSigner session.
+     *
+     * Clients are intended to call this route and pass the returned evidence
+     * to another service which will verify it by making a request to `/v0/org/<org_id>/identity/verify`.
+     */
+    post: operations["createProofCubeSigner"];
+  };
+  "/v0/org/{org_id}/identity/prove/oidc": {
+    /**
+     * Create [IdentityProof] from OIDC token
+     * @description Create [IdentityProof] from OIDC token
+     *
+     * Exchange an OIDC ID token (passed via the `Authorization` header) for a proof of authentication.
+     *
+     * This route can be used to prove to another party that a user has met the
+     * authentication requirements (allowed issuers & audiences) for CubeSigner
+     * without leaking their credentials.
+     *
+     * Clients are intended to call this route and pass the returned evidence to another service
+     * which will verify it by making a request to `/v0/org/<org_id>/identity/verify`.
+     */
+    post: operations["createProofOidc"];
+  };
+  "/v0/org/{org_id}/identity/verify": {
+    /**
+     * Verify identity proof
+     * @description Verify identity proof
+     *
+     * Allows a third-party to validate proof of authentication.
+     *
+     * When a third-party is provided an [IdentityProof] object, they must check its
+     * veracity by calling this endpoint
+     */
+    post: operations["verifyProof"];
+  };
   "/v0/org/{org_id}/import_key": {
     /**
      * Create Key-Import Key
@@ -83,32 +143,14 @@ export interface paths {
      * Gets the list of owned keys in a given org.
      */
     get: operations["listKeysInOrg"];
-    /**
-     * Legacy Import Key
-     * @deprecated
-     * @description Legacy Import Key
-     *
-     * Securely imports an existing key. This API is deprecated; please use the new version.
-     */
-    put: operations["importKeyLegacy"];
     /**
      * Create Key
      * @description Create Key
      *
-     * Creates one or more new keys of the specified type (BLS or Secp).
+     * Creates one or more new keys of the specified type.
      */
     post: operations["createKey"];
   };
-  "/v0/org/{org_id}/keys/get_keys": {
-    /**
-     * Legacy List Keys
-     * @deprecated
-     * @description Legacy List Keys
-     *
-     * This route is deprecated. Use `GET /v0/org/<org_id>/keys?<key_type>`
-     */
-    post: operations["listKeysLegacy"];
-  };
   "/v0/org/{org_id}/keys/{key_id}": {
     /**
      * Get Key
@@ -117,6 +159,14 @@ export interface paths {
      * Returns the properties of a key.
      */
     get: operations["getKeyInOrg"];
+    /**
+     * Delete Key
+     * @description Delete Key
+     *
+     * Deletes a key specified by its ID.
+     * Only the key owner and org owners are allowed to delete keys.
+     */
+    delete: operations["deleteKey"];
     /**
      * Update Key
      * @description Update Key
@@ -125,10 +175,20 @@ export interface paths {
      */
     patch: operations["updateKey"];
   };
+  "/v0/org/{org_id}/mfa": {
+    /**
+     * List Pending MFA Requests
+     * @description List Pending MFA Requests
+     *
+     * Retrieves and returns all pending MFA requests that are accessible to the current user,
+     * i.e., those in which the current user is listed as an approver
+     */
+    get: operations["mfaList"];
+  };
   "/v0/org/{org_id}/mfa/{mfa_id}": {
     /**
-     * Gets a Pending MFA Request
-     * @description Gets a Pending MFA Request
+     * Get Pending MFA Request
+     * @description Get Pending MFA Request
      *
      * Retrieves and returns a pending MFA request by its id.
      */
@@ -184,34 +244,6 @@ export interface paths {
      */
     post: operations["oidcAuth"];
   };
-  "/v0/org/{org_id}/oidc/prove": {
-    /**
-     * Create OIDCProof
-     * @description Create OIDCProof
-     *
-     * Exchange an OIDC ID token (passed via the `Authorization` header) for a proof of authentication.
-     *
-     * This route can be used to prove to another party that a user has met the
-     * authentication requirements (allowed issuers & audiences) for CubeSigner
-     * without leaking their credentials.
-     *
-     * Clients are intended to call this route and pass the returned evidence to another service
-     * which will verify it.
-     */
-    post: operations["createOidcProof"];
-  };
-  "/v0/org/{org_id}/oidc/verify": {
-    /**
-     * Verify OIDC Proof
-     * @description Verify OIDC Proof
-     *
-     * Allows a third-party to validate proof of OIDC authentication.
-     *
-     * When a third-party is provided an OidcProof object, they must check its
-     * veracity by calling this endpoint
-     */
-    post: operations["verifyOidcProof"];
-  };
   "/v0/org/{org_id}/roles": {
     /**
      * List Roles
@@ -273,6 +305,15 @@ export interface paths {
      */
     put: operations["addUserToRole"];
   };
+  "/v0/org/{org_id}/roles/{role_id}/keys": {
+    /**
+     * List Role Keys
+     * @description List Role Keys
+     *
+     * Returns an array of all keys in a role.
+     */
+    get: operations["listRoleKeys"];
+  };
   "/v0/org/{org_id}/roles/{role_id}/keys/{key_id}": {
     /**
      * Remove Key
@@ -284,9 +325,9 @@ export interface paths {
   };
   "/v0/org/{org_id}/roles/{role_id}/tokens": {
     /**
-     * List Tokens (Deprecated)
+     * List a single page of Tokens (Deprecated)
      * @deprecated
-     * @description List Tokens (Deprecated)
+     * @description List a single page of Tokens (Deprecated)
      *
      * **Deprecated**: Use `GET /org/{org_id}/session?role=`
      *
@@ -327,6 +368,15 @@ export interface paths {
      */
     delete: operations["revokeRoleToken"];
   };
+  "/v0/org/{org_id}/roles/{role_id}/users": {
+    /**
+     * List Role Users.
+     * @description List Role Users.
+     *
+     * Returns an array of all users who have access to a role.
+     */
+    get: operations["listRoleUsers"];
+  };
   "/v0/org/{org_id}/session": {
     /**
      * List sessions
@@ -344,6 +394,15 @@ export interface paths {
      */
     delete: operations["revokeSessions"];
   };
+  "/v0/org/{org_id}/session/self": {
+    /**
+     * Revoke current session
+     * @description Revoke current session
+     *
+     * Immediately revokes the current session, preventing it from being used or refreshed
+     */
+    delete: operations["revokeCurrentSession"];
+  };
   "/v0/org/{org_id}/session/{session_id}": {
     /**
      * Get session information
@@ -358,6 +417,16 @@ export interface paths {
      */
     delete: operations["revokeSession"];
   };
+  "/v0/org/{org_id}/solana/sign/{pubkey}": {
+    /**
+     * Sign Solana Message
+     * @description Sign Solana Message
+     *
+     * Signs a Solana message with a given key.
+     * This is a pre-release feature.
+     */
+    post: operations["solanaSign"];
+  };
   "/v0/org/{org_id}/token/keys": {
     /**
      * Get Token-Accessible Keys
@@ -367,44 +436,55 @@ export interface paths {
      */
     get: operations["listTokenKeys"];
   };
-  "/v0/org/{org_id}/users": {
+  "/v0/org/{org_id}/user/me": {
     /**
-     * List users in organization
-     * @description List users in organization
+     * User Info
+     * @description User Info
+     *
+     * Retrieves information about the current user.
      */
-    get: operations["listUsersInOrg"];
+    get: operations["aboutMe"];
+  };
+  "/v0/org/{org_id}/user/me/fido": {
     /**
-     * Add a third-party user to the org
-     * @description Add a third-party user to the org
+     * Initiate registration of a FIDO key
+     * @description Initiate registration of a FIDO key
+     *
+     * Generates a challenge that must be answered to prove ownership of a key
      */
-    post: operations["createOidcUser"];
-  };
-  "/v0/org/{org_id}/users/oidc": {
+    post: operations["userRegisterFidoInit"];
     /**
-     * Remove a third-party user from the org
-     * @description Remove a third-party user from the org
+     * Finalize registration of a FIDO key
+     * @description Finalize registration of a FIDO key
+     *
+     * Accepts the response to the challenge generated by the POST to this endpoint.
      */
-    delete: operations["deleteOidcUser"];
+    patch: operations["userRegisterFidoComplete"];
   };
-  "/v0/totp": {
+  "/v0/org/{org_id}/user/me/totp": {
     /**
-     * Initialize TOTP
-     * @description Initialize TOTP
+     * Initialize TOTP Reset
+     * @description Initialize TOTP Reset
+     *
+     * Creates a new TOTP challenge that must be answered to prove that the new TOTP
+     * was successfully imported into an authenticator app.
      *
-     * Creates and sets a new TOTP configuration for the current user,
-     * if and only if no TOTP configuration is already set.
+     * This operation is allowed if EITHER
+     * - the user account is not yet initialized and no TOTP is already set, OR
+     * - the user has not configured any auth factors;
+     * otherwise, MFA is required.
      */
-    put: operations["userInitTotp"];
+    post: operations["userResetTotpInit"];
     /**
-     * Reset TOTP
-     * @description Reset TOTP
+     * Finalize resetting TOTP
+     * @description Finalize resetting TOTP
      *
-     * Creates and sets a new TOTP configuration for the current user,
-     * overriding the existing one (if any).
+     * Checks if the response contains the correct TOTP code corresponding to the
+     * challenge generated by the POST method of this endpoint.
      */
-    patch: operations["userResetTotp"];
+    patch: operations["userResetTotpComplete"];
   };
-  "/v0/totp/verify/{code}": {
+  "/v0/org/{org_id}/user/me/totp/verify": {
     /**
      * Verify TOTP
      * @description Verify TOTP
@@ -412,23 +492,80 @@ export interface paths {
      * Checks if a given code matches the current TOTP code for the current user.
      * Errors with 403 if the current user has not set up TOTP or the code fails verification.
      */
-    get: operations["userVerifyTotp"];
+    post: operations["userVerifyTotp"];
+  };
+  "/v0/org/{org_id}/users": {
+    /**
+     * List users in organization
+     * @description List users in organization
+     */
+    get: operations["listUsersInOrg"];
+    /**
+     * Add a third-party user to the org
+     * @description Add a third-party user to the org
+     */
+    post: operations["createOidcUser"];
+  };
+  "/v0/org/{org_id}/users/oidc": {
+    /**
+     * Remove a third-party user from the org
+     * @description Remove a third-party user from the org
+     */
+    delete: operations["deleteOidcUser"];
   };
   "/v0/user/me/fido": {
     /**
      * Initiate registration of a FIDO key
+     * @deprecated
      * @description Initiate registration of a FIDO key
      *
      * Generates a challenge that must be answered to prove ownership of a key
      */
-    post: operations["userRegisterFido"];
+    post: operations["registerFidoInitLegacy"];
     /**
      * Finalize registration of a FIDO key
+     * @deprecated
      * @description Finalize registration of a FIDO key
      *
      * Accepts the response to the challenge generated by the POST to this endpoint.
      */
-    patch: operations["userRegisterFidoComplete"];
+    patch: operations["registerFidoCompleteLegacy"];
+  };
+  "/v0/user/me/totp": {
+    /**
+     * Initialize TOTP Reset
+     * @deprecated
+     * @description Initialize TOTP Reset
+     *
+     * Creates a new TOTP challenge that must be answered to prove that the new TOTP
+     * was successfully imported into an authenticator app.
+     *
+     * This operation is allowed if EITHER
+     * - the user account is not yet initialized and no TOTP is already set, OR
+     * - the user has not configured any auth factors;
+     * otherwise, MFA is required.
+     */
+    post: operations["resetTotpInitLegacy"];
+    /**
+     * Finalize resetting TOTP
+     * @deprecated
+     * @description Finalize resetting TOTP
+     *
+     * Checks if the response contains the correct TOTP code corresponding to the
+     * challenge generated by the POST method of this endpoint.
+     */
+    patch: operations["resetTotpCompleteLegacy"];
+  };
+  "/v0/user/me/totp/verify": {
+    /**
+     * Verify TOTP
+     * @deprecated
+     * @description Verify TOTP
+     *
+     * Checks if a given code matches the current TOTP code for the current user.
+     * Errors with 403 if the current user has not set up TOTP or the code fails verification.
+     */
+    post: operations["verifyTotpLegacy"];
   };
   "/v1/org/{org_id}/blob/sign/{key_id}": {
     /**
@@ -437,6 +574,13 @@ export interface paths {
      *
      * Signs an arbitrary blob with a given key.
      * This is a pre-release feature.
+     *
+     * - ECDSA signatures are serialized as big-endian r and s plus recovery-id
+     * byte v, which can in general take any of the values 0, 1, 2, or 3.
+     *
+     * - EdDSA signatures are serialized in the standard format.
+     *
+     * - BLS signatures are not supported on the blob-sign endpoint.
      */
     post: operations["blobSign"];
   };
@@ -455,6 +599,7 @@ export interface paths {
      * @description Sign EVM Transaction
      *
      * Signs an Ethereum (and other EVM) transaction with a given Secp256k1 key.
+     * Returns an RLP-encoded transaction with EIP-155 signature.
      *
      * The key must be associated with the role and organization on whose behalf this action is called.
      */
@@ -496,16 +641,6 @@ export interface paths {
      */
     post: operations["unstake"];
   };
-  "/v1/org/{org_id}/solana/sign/{pubkey}": {
-    /**
-     * Sign Solana Message
-     * @description Sign Solana Message
-     *
-     * Signs a Solana message with a given key.
-     * This is a pre-release feature.
-     */
-    post: operations["solanaSign"];
-  };
   "/v1/org/{org_id}/token/refresh": {
     /**
      * Refresh Signer Session
@@ -530,7 +665,10 @@ export interface components {
      */
     AcceptedValue: {
       MfaRequired: {
+        /** @description MFA request id */
         id: string;
+        /** @description Organization id */
+        org_id: string;
         session?: components["schemas"]["NewSessionResponse"] | null;
       };
     };
@@ -568,7 +706,7 @@ export interface components {
        *   }
        * ]
        */
-      policy: Record<string, never>[] | null;
+      policy?: Record<string, never>[] | null;
     };
     AddThirdPartyUserRequest: {
       /**
@@ -581,6 +719,10 @@ export interface components {
       mfa_policy?: Record<string, unknown> | null;
       role: components["schemas"]["MemberRole"];
     };
+    AddThirdPartyUserResponse: {
+      /** @example User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f */
+      user_id: string;
+    };
     ApprovalInfo: {
       timestamp: components["schemas"]["EpochDateTime"];
     };
@@ -631,7 +773,7 @@ export interface components {
        * @description Allows the authenticator to optionally declare the credential identifier they used.
        * https://www.w3.org/TR/webauthn-2/#dom-authenticatorassertionresponse-userhandle
        */
-      userHandle: string | null;
+      userHandle?: string | null;
     };
     /**
      * @description This enumeration’s values describe authenticators' attachment modalities.
@@ -685,7 +827,7 @@ export interface components {
      * https://www.w3.org/TR/webauthn-2/#dictdef-authenticatorselectioncriteria
      */
     AuthenticatorSelectionCriteria: {
-      authenticator_attachment: components["schemas"]["AuthenticatorAttachment"] | null;
+      authenticator_attachment?: components["schemas"]["AuthenticatorAttachment"] | null;
       /**
        * @description This member is retained for backwards compatibility with WebAuthn Level
        * 1 and, for historical reasons, its naming retains the deprecated
@@ -695,7 +837,7 @@ export interface components {
        * https://www.w3.org/TR/webauthn-2/#dom-authenticatorselectioncriteria-requireresidentkey
        */
       require_resident_key?: boolean;
-      resident_key: components["schemas"]["ResidentKeyRequirement"] | null;
+      resident_key?: components["schemas"]["ResidentKeyRequirement"] | null;
       user_verification?: components["schemas"]["UserVerificationRequirement"];
     };
     /**
@@ -711,6 +853,29 @@ export interface components {
      * @enum {string}
      */
     AuthenticatorTransport: "usb" | "nfc" | "ble" | "internal";
+    /** @description Request to sign an Avalanche transactions */
+    AvaSignRequest: {
+      /**
+       * @description Transaction to sign.
+       *
+       * Examples:
+       * - {"P": { "AddPermissionlessValidator": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/platformvm/txs/add_permissionless_validator.rs#L14) }}
+       * - {"P": { "AddSubnetValidator": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/platformvm/txs/add_subnet_validator.rs#L29) }}
+       * - {"P": { "AddValidator": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/platformvm/txs/add_validator.rs#L12) }}
+       * - {"P": { "CreateChain": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/platformvm/txs/create_chain.rs#L8) }}
+       * - {"P": { "CreateSubnet": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/platformvm/txs/create_subnet.rs#L8) }}
+       * - {"P": { "Export": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/platformvm/txs/export.rs#L12) }}
+       * - {"P": { "Import": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/platformvm/txs/import.rs#L12) }}
+       * - {"X": { "Base": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/avm/txs/mod.rs#L21) }}
+       * - {"X": { "Export": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/avm/txs/export.rs#L16) }}
+       * - {"X": { "Import": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/avm/txs/import.rs#L14) }}
+       */
+      tx: Record<string, never>;
+    };
+    AvaSignResponse: {
+      /** @description The hex-encoded signature. */
+      signature: string;
+    };
     /** @description Wrapper around a zeroizing 32-byte fixed-size array */
     B32: string;
     /**
@@ -727,6 +892,10 @@ export interface components {
        */
       message_base64: string;
     };
+    BlobSignResponse: {
+      /** @description The hex-encoded signature. */
+      signature: string;
+    };
     /** @enum {string} */
     BtcSighashType: "All" | "None" | "Single" | "AllPlusAnyoneCanPay" | "NonePlusAnyoneCanPay" | "SinglePlusAnyoneCanPay";
     BtcSignRequest: {
@@ -734,6 +903,13 @@ export interface components {
       /** @description The bitcoin transaction to sign */
       tx: Record<string, never>;
     };
+    BtcSignResponse: {
+      /**
+       * @description The hex-encoded signature in compact format.
+       * @example 0x454aef27c21df7dd8f537dc869f4cd65286ce239a52d36470f4d85be85a891b02789e5ffd8560b32a98110e5d0096802e4c14145cf6c44f10a768c87755eaa4800
+       */
+      signature: string;
+    };
     BtcSignatureKind: {
       /** @description Segregated Witness */
       Segwit: {
@@ -787,13 +963,25 @@ export interface components {
       /** @enum {string} */
       type: "fido";
     };
+    CreateKeyImportKeyResponse: components["schemas"]["KeyImportKey"] & {
+      /**
+       * @description An attestation document from a secure enclave, including an
+       * RSA signing key used to sign the contents of this message.
+       */
+      enclave_attestation: string;
+      /**
+       * @description An RSA-PSS-SHA256 signature on the public key and encrypted
+       * secrets attesting to their generation inside a secure enclave.
+       */
+      enclave_signature: string;
+    };
     CreateKeyRequest: {
       /**
        * Format: int64
        * @description Chain id for which the key is allowed to sign messages
        * @example 5
        */
-      chain_id: number | null;
+      chain_id?: number | null;
       /**
        * Format: int32
        * @description Number of keys to create
@@ -805,7 +993,11 @@ export interface components {
        * @description Allows users to specify a user other than themselves to receive the key
        * @example User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f
        */
-      owner: string | null;
+      owner?: string | null;
+    };
+    CreateKeyResponse: {
+      /** @description The info about the created keys */
+      keys: components["schemas"]["KeyInfo"][];
     };
     /** @description Optional create role request body */
     CreateRoleRequest: {
@@ -815,12 +1007,41 @@ export interface components {
        */
       name: string;
     };
-    CreateTokenRequest: components["schemas"]["RatchetConfig"] & {
+    /** @description The newly created role information */
+    CreateRoleResponse: {
+      /**
+       * @description A human-readable name for the role.
+       * @example my_role
+       */
+      name?: string | null;
+      /**
+       * @description The id of the newly created role
+       * @example Role#bfe3eccb-731e-430d-b1e5-ac1363e6b06b
+       */
+      role_id: string;
+    };
+    CreateTokenRequest: components["schemas"]["RatchetConfig"] & ({
       /**
        * @description A human readable description of the purpose of the key
        * @example Validator Signing
        */
       purpose: string;
+      /**
+       * @description Controls what capabilities this session will have. By default, it has all
+       * signing capabilities, i.e., just the 'sign:*' scope.
+       * @example [
+       *   "sign:*"
+       * ]
+       */
+      scopes?: string[] | null;
+    });
+    CubeSignerUserInfo: {
+      /** @description All multi-factor authentication methods configured for this user */
+      configured_mfa: components["schemas"]["ConfiguredMfa"][];
+      /** @description Set once the user successfully logs into CubeSigner */
+      initialized: boolean;
+      /** @description CubeSigner's user identifier */
+      user_id: string;
     };
     /**
      * @description Information produced by a successful deposit
@@ -865,11 +1086,115 @@ export interface components {
        * @example 0x9f07be82d934fcb5d0f75dd24c2dfea8a85a4d0c289d58828b3537fae24d32b8
        */
       mnemonic_id: string;
+    };
+    /**
+     * @example {
+     *   "chain_id": 1337,
+     *   "typed_data": {
+     *     "domain": {
+     *       "chainId": 1337,
+     *       "name": "Ether Mail",
+     *       "verifyingContract": "0xCcCCccccCCCCcCCCCCCcCcCccCcCCCcCcccccccC",
+     *       "version": "1"
+     *     },
+     *     "message": {
+     *       "contents": "Hello, Bob!",
+     *       "from": {
+     *         "name": "Cow",
+     *         "wallets": [
+     *           "0xCD2a3d9F938E13CD947Ec05AbC7FE734Df8DD826",
+     *           "0xDeaDbeefdEAdbeefdEadbEEFdeadbeEFdEaDbeeF"
+     *         ]
+     *       },
+     *       "to": {
+     *         "name": "Bob",
+     *         "wallets": [
+     *           "0xbBbBBBBbbBBBbbbBbbBbbbbBBbBbbbbBbBbbBBbB",
+     *           "0xB0BdaBea57B0BDABeA57b0bdABEA57b0BDabEa57",
+     *           "0xB0B0b0b0b0b0B000000000000000000000000000"
+     *         ]
+     *       }
+     *     },
+     *     "primaryType": "Mail",
+     *     "types": {
+     *       "EIP712Domain": [
+     *         {
+     *           "name": "name",
+     *           "type": "string"
+     *         },
+     *         {
+     *           "name": "version",
+     *           "type": "string"
+     *         },
+     *         {
+     *           "name": "chainId",
+     *           "type": "uint256"
+     *         },
+     *         {
+     *           "name": "verifyingContract",
+     *           "type": "address"
+     *         }
+     *       ],
+     *       "Group": [
+     *         {
+     *           "name": "name",
+     *           "type": "string"
+     *         },
+     *         {
+     *           "name": "members",
+     *           "type": "Person[]"
+     *         }
+     *       ],
+     *       "Mail": [
+     *         {
+     *           "name": "from",
+     *           "type": "Person"
+     *         },
+     *         {
+     *           "name": "to",
+     *           "type": "Person"
+     *         },
+     *         {
+     *           "name": "contents",
+     *           "type": "string"
+     *         }
+     *       ],
+     *       "Person": [
+     *         {
+     *           "name": "name",
+     *           "type": "string"
+     *         },
+     *         {
+     *           "name": "wallets",
+     *           "type": "address[]"
+     *         }
+     *       ]
+     *     }
+     *   }
+     * }
+     */
+    Eip712SignRequest: {
       /**
-       * @description Allows users to specify a user other than themselves to receive the key
-       * @example User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f
+       * Format: int64
+       * @description The chain-id to which this typed data will be sent
+       */
+      chain_id: number;
+      /** @description EIP-712 typed data. Refer to the JSON schema defined in EIP-712. */
+      typed_data: Record<string, never>;
+    };
+    Eip712SignResponse: {
+      /**
+       * @description Hex-encoded signature comprising 65 bytes in the format required
+       * by ecrecover: 32-byte r, 32-byte s, and one-byte recovery-id v
+       * which is either 27 or 28.
+       * @example 0x4355c47d63924e8a72e509b65029052eb6c299d53a04e167c5775fd466751c9d07299936d304c153f6443dfa05f40ff007d72911b6f72307f996231605b915621c
        */
-      owner: string | null;
+      signature: string;
+    };
+    /** @default null */
+    Empty: Record<string, unknown> | null;
+    EmptyImpl: {
+      status: string;
     };
     /**
      * @description Epoch is a quoted `uint64`.
@@ -888,6 +1213,8 @@ export interface components {
       accepted?: components["schemas"]["AcceptedValue"] | null;
       /** @description Error message */
       message: string;
+      /** @description Optional request identifier */
+      request_id?: string;
     };
     /**
      * @example {
@@ -918,6 +1245,13 @@ export interface components {
        */
       tx: Record<string, never>;
     };
+    Eth1SignResponse: {
+      /**
+       * @description Hex-encoded RLP encoding of the transaction and its signature
+       * @example 0x22895118000000000000000000000000000000000000000000000000000000000000008000000000000000000000000000000000000000000000000000000000000000e000000000000000000000000000000000000000000000000000000000000001201d58656b0e22aaa68fdc692db41979098c3886ed33015d7467de9211609cdac000000000000000000000000000000000000000000000000000000000000000308b0c2900324d3ff9adfba7fdfe5af3f9b2cdbeef7b280437bbf1b1c59a093d615afe3e5dfed9622b540cdd9b49b3c5ad00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002001000000000000000000000049011adbcc3bc9c0307bb07f37dda1a1a9c69d2e0000000000000000000000000000000000000000000000000000000000000060903db8525674b8e7904f9b7d7d9ec55a0a42d33cf58be25469b0c21bbb6d06172bc5bb5fd1aed8e4f35936968958116b0619553c2cb1c52e7323074c6f8eb3d5a7074fc6580148df907837fa3b164ad7fbc2288dad1e8a5b021095b57c8a36d4
+       */
+      rlp_signed_tx: string;
+    };
     /**
      * @example {
      *   "eth2_sign_request": {
@@ -947,18 +1281,39 @@ export interface components {
       eth2_sign_request: Record<string, never>;
       network: components["schemas"]["Network"];
     };
+    Eth2SignResponse: {
+      /**
+       * @description Hex encoded signature prefixed with 0x e.g. "0x0000..."
+       * @example 0xb4f2ef9d12a54e1f569596c07c97d6d730535b6ffc0d287761dc78103a86326782471a04c75ce7a6faea08ca9a4a0830031cdcb893da8711d54aa22619f1a7e71b8185ddf4c6bfd9babbd735960e35e56bd6eeb89625b04850e7a9ef8846e549
+       */
+      signature: string;
+    };
     /** @description Sent from the client to the server to answer a fido challenge */
     FidoAssertAnswer: {
       /** @description The ID of the challenge that was returned from the POST endpoint */
       challenge_id: string;
       credential: components["schemas"]["PublicKeyCredential"];
     };
+    FidoAssertChallenge: {
+      /** @description The id of the challenge. Must be supplied when answering the challenge. */
+      challenge_id: string;
+      options: components["schemas"]["PublicKeyCredentialRequestOptions"];
+    };
     /** @description Sent from the client to the server to answer a fido challenge */
     FidoCreateChallengeAnswer: {
       /** @description The ID of the challenge that was returned from the POST endpoint */
       challenge_id: string;
       credential: components["schemas"]["PublicKeyCredential"];
     };
+    /**
+     * @description Sent by the server to the client. Contains the challenge data that must be
+     * used to generate a new credential
+     */
+    FidoCreateChallengeResponse: {
+      /** @description The id of the challenge. Must be supplied when answering the challenge. */
+      challenge_id: string;
+      options: components["schemas"]["PublicKeyCredentialCreationOptions"];
+    };
     /** @description Declares intent to register a new FIDO key */
     FidoCreateRequest: {
       /**
@@ -1014,7 +1369,11 @@ export interface components {
       genesis_validators_root: string;
     };
     GetKeysInOrgRequest: {
-      key_type: components["schemas"]["KeyType"] | null;
+      key_type?: components["schemas"]["KeyType"] | null;
+    };
+    GetUsersInOrgResponse: {
+      /** @description The list of users in the org */
+      users: components["schemas"]["UserIdInfo"][];
     };
     /** @description Stats pertaining the the sender `cube3signer` instance */
     HeartbeatRequest: {
@@ -1063,7 +1422,7 @@ export interface components {
        *
        * TODO: Make non-optional once we do not support proxies without version information
        */
-      proxy_version: string | null;
+      proxy_version?: string | null;
     };
     /**
      * @description Information about the request.
@@ -1074,22 +1433,34 @@ export interface components {
      */
     HttpRequest: {
       /** @description HTTP request body */
-      body: Record<string, unknown> | null;
+      body?: Record<string, unknown> | null;
       /** @description HTTP method of the request */
       method: string;
       /** @description HTTP path of the request (including host or not?) */
       path: string;
     };
-    ImportKeyLegacyRequest: {
+    /**
+     * @description Proof that an end-user provided CubeSigner with a valid auth token
+     * (either an OIDC token or a CubeSigner session token)
+     */
+    IdentityProof: ({
       /**
-       * Format: int64
-       * @description The chain ID of the chain that the key will be used for
-       * @example 5
+       * @description OIDC audience; set only if the proof was obtained by using OIDC token.
+       *
+       * In other words, presence of this field testifies that authorization was obtained via OIDC.
        */
-      chain_id: number | null;
-      /** @description The key to import encrypted with the public key of the organization */
-      key_material: components["schemas"]["RsaOaepXChaChaMaterial"][];
-      key_type: components["schemas"]["KeyType"];
+      aud?: string | null;
+      /**
+       * @description The email associated with the user
+       * @example user@email.com
+       */
+      email: string;
+      exp_epoch: components["schemas"]["EpochDateTime"];
+      identity?: components["schemas"]["OIDCIdentity"] | null;
+      user_info?: components["schemas"]["CubeSignerUserInfo"] | null;
+    }) & {
+      /** @description An opaque identifier for the proof */
+      id: string;
     };
     ImportKeyRequest: components["schemas"]["KeyImportKey"] & {
       /** @description A set of encrypted keys to be imported */
@@ -1126,6 +1497,7 @@ export interface components {
        * @example Alice Wonderland
        */
       name: string;
+      role?: components["schemas"]["MemberRole"] | null;
       /**
        * @description Skip sending an invitation email to this user if true.
        *
@@ -1159,6 +1531,27 @@ export interface components {
       /** @description Base64-encoded, encrypted secret key. */
       sk_enc: string;
     };
+    KeyInRoleInfo: {
+      /**
+       * @description Key ID
+       * @example Key#0x8e3484687e66cdd26cf04c3647633ab4f3570148
+       */
+      key_id: string;
+      /**
+       * @description Policies that are checked before this key is used on behalf of this role
+       * @example [
+       *   {
+       *     "TxReceiver": "0x8c594691c0e592ffa21f153a16ae41db5befcaaa"
+       *   },
+       *   {
+       *     "TxDeposit": {
+       *       "kind": "Canonical"
+       *     }
+       *   }
+       * ]
+       */
+      policy?: Record<string, never>[];
+    };
     KeyInfo: {
       derivation_info?: components["schemas"]["KeyDerivationInfo"] | null;
       /** @description Whether the key is enabled (only enabled keys may be used for signing) */
@@ -1207,34 +1600,39 @@ export interface components {
        */
       purpose: string;
     };
+    KeyInfos: {
+      keys: components["schemas"]["KeyInfo"][];
+    };
     /** @enum {string} */
-    KeyType: "SecpEthAddr" | "SecpBtc" | "SecpBtcTest" | "SecpAvaAddr" | "SecpAvaTestAddr" | "BlsPub" | "BlsInactive" | "Ed25519SolanaAddr" | "Ed25519SuiAddr" | "Ed25519AptosAddr" | "Ed25519CardanoAddrVk" | "Mnemonic" | "Stark";
-    KeyWithPolicies: {
-      /**
-       * @description Key ID
-       * @example Key#0x8e3484687e66cdd26cf04c3647633ab4f3570148
-       */
-      key_id: string;
-      /**
-       * @description Policies that are checked before this key is used on behalf of this role
-       * @example [
-       *   {
-       *     "TxReceiver": "0x8c594691c0e592ffa21f153a16ae41db5befcaaa"
-       *   },
-       *   {
-       *     "TxDeposit": {
-       *       "kind": "Canonical"
-       *     }
-       *   }
-       * ]
-       */
-      policy?: Record<string, never>[];
+    KeyType: "SecpEthAddr" | "SecpBtc" | "SecpBtcTest" | "SecpAvaAddr" | "SecpAvaTestAddr" | "BlsPub" | "BlsInactive" | "Ed25519SolanaAddr" | "Ed25519SuiAddr" | "Ed25519AptosAddr" | "Ed25519CardanoAddrVk" | "Ed25519StellarAddr" | "Mnemonic" | "Stark";
+    /**
+     * @description Wrapper around encrypted [UnencryptedLastEvalKey] bytes.
+     *
+     * We serialize this into a base64url-encoded string and return to the user
+     * so that they can pass this back to us as a url query parameter.
+     */
+    LastEvalKey: string;
+    ListMfaResponse: {
+      /** @description All pending MFA requests */
+      mfa_requests: components["schemas"]["MfaRequestInfo"][];
+    };
+    ListTokensResponse: {
+      tokens: components["schemas"]["TokenInfo"][];
     };
     /**
      * @description Describes whether a user in an org is an Owner or just a regular member
      * @enum {string}
      */
-    MemberRole: "Owner" | "Member" | "Alien";
+    MemberRole: "Alien" | "Member" | "Owner";
+    /** @description Returned as a response from multiple routes (e.g., 'get mfa', 'approve mfa', 'approve totp'). */
+    MfaRequestInfo: {
+      expires_at: components["schemas"]["EpochDateTime"];
+      /** @description Approval request ID. */
+      id: string;
+      receipt?: components["schemas"]["Receipt"] | null;
+      request: components["schemas"]["HttpRequest"];
+      status: components["schemas"]["Status"];
+    };
     /** @enum {string} */
     MfaType: "CubeSigner" | "Totp" | "Fido";
     /**
@@ -1262,11 +1660,6 @@ export interface components {
      * a single OIDC user to multiple `User`s in CubeSigner
      */
     OIDCIdentity: {
-      /**
-       * @description Free-form additional user info.
-       * @example null
-       */
-      disambiguator?: string | null;
       /**
        * @description The root-level issuer who administrates this user. Frome the OIDC spec:
        * Issuer Identifier for the Issuer of the response. The iss
@@ -1298,35 +1691,11 @@ export interface components {
       scopes: string[];
       tokens?: components["schemas"]["RatchetConfig"];
     };
-    /** @description Proof that an end-user provided CubeSigner with a valid OIDC token */
-    OidcProof: ((components["schemas"]["OIDCIdentity"] & {
-      /**
-       * @description The "audience" (oauth client) through which the user authenticated with the issuer.
-       * This string is opaque according to the OIDC spec, but for example Google
-       * audiences look like `1234987819200.apps.googleusercontent.com`
-       * @example 1234987819200.apps.googleusercontent.com
-       */
-      aud: string;
-      /**
-       * @description The email associated with the user
-       * @example user@email.com
-       */
-      email: string;
-    }) & {
-      exp_epoch: components["schemas"]["EpochDateTime"];
-    }) & {
-      /** @description An opaque identifier for the proof */
-      id: string;
-    };
     OrgInfo: {
       /** @description When false, all cryptographic operations involving keys in this org are disabled. */
       enabled: boolean;
-      /**
-       * @description The RSA public key to use when importing keys into this organization. This string is the
-       * hex encoding of the DER representation of the key.
-       * @example 30820222300d06092a864886f70d01010105000382020f003082020a0282020100c89765b8f347caafbec09fcb17740e032d854ec99f2d9c16167be335339b4fdeba18a7f13d8e8b7ae7d689cab63d8ecdf548f4746eacaf95b61fef76ade9f81b3c038891c52542fd352697b618afbea6103723c28f2db450e9d852be16a4dc2cbc9442da9a6610044009e056ba90728f0b9888d9b036e493aaed168ccf930fa2f730b17eb3ad6f455a792b762c47f3d3c6b7a7c458556a592e688791599a576bf2149d8e9614db775e7a48602d237a347d5399c681f7f7d9c81f6a64e7cfd356bba545d45e5023ca1f09a66a1d4550f61cf2c4367e14997b5d749bb0326a44d058119e8caf7fd79d517eb2d11dddb2db329f350698f0f978d5e150bb402c8bc4c5ec36d6f38db3f3a204813cda9f52dbcee809204f8e35a455c0e110e10eec41f734f2d55a058a7a21fa90602f94da6de2378ff61e7b3550b77e53d75d7b3d3b39ccab0e5101b916dab01da096f7627175d5b68a1a6464ce5be3e95e7c464d69eb0b675057705c11bc79c3543313b0d9c703c50dc1a16dd9b55e5599e3b02e527b85938e7b81c65e56960bcd7c7a266b07dc05107fd0d7d3c208a878eb0fc74b0d007f421d0c5b28cf78eb441aa0166dceeeac255d68622492f9b526ae13c93754ea8eda96f3b764ba931f8d49c7de8b00ac53d993ab9b08fd2892d8e82cc1a9746f0b426b19256d13d780445e150ce81da0b3c96e32559cb47cb5cb93f805650203010001
-       */
-      key_import_key: string;
+      /** @description Deprecated: this field should be ignored. */
+      key_import_key?: string | null;
       /**
        * @description The organization's universally unique key-wrapping-key identifier.
        * This value is required when setting up key export.
@@ -1363,6 +1732,101 @@ export interface components {
        */
       policy?: Record<string, never>[];
     };
+    /**
+     * @description The rocket query parameter representing the page from which to start a paginated query.
+     *
+     * MUST be named `<page>` in rocket url spec so that 'serde(rename = "page.*")' below continues to work
+     */
+    Page: {
+      /**
+       * Format: int32
+       * @description Max number of items to return per page.
+       *
+       * If the actual number of returned items may be less that this, even if there exist more
+       * data in the result set. To reliably determine if more data is left in the result set,
+       * inspect the [UnencryptedLastEvalKey] value in the response object.
+       */
+      "page.size"?: number;
+      /**
+       * @description The start of the page.  Omit to start from the beginning; otherwise, only specify a
+       * the exact value previously returned as 'last_evaluated_key' from the same endpoint.
+       */
+      "page.start"?: string | null;
+    };
+    /**
+     * @description Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`
+     * value (which can the user pass back to use as a url query parameter to continue pagination).
+     */
+    PaginatedListKeysResponse: {
+      keys: components["schemas"]["KeyInfo"][];
+    } & ({
+      /**
+       * @description If set, the content of `response` does not contain the entire result set.
+       * To fetch the next page of the result set, call the same endpoint
+       * but specify this value as the 'page.start' query parameter.
+       */
+      last_evaluated_key?: string | null;
+    });
+    /**
+     * @description Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`
+     * value (which can the user pass back to use as a url query parameter to continue pagination).
+     */
+    PaginatedListRoleKeysResponse: {
+      /** @description All keys in a role */
+      keys: components["schemas"]["KeyInRoleInfo"][];
+    } & ({
+      /**
+       * @description If set, the content of `response` does not contain the entire result set.
+       * To fetch the next page of the result set, call the same endpoint
+       * but specify this value as the 'page.start' query parameter.
+       */
+      last_evaluated_key?: string | null;
+    });
+    /**
+     * @description Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`
+     * value (which can the user pass back to use as a url query parameter to continue pagination).
+     */
+    PaginatedListRoleUsersResponse: {
+      /** @description All users in a role */
+      users: components["schemas"]["UserInRoleInfo"][];
+    } & ({
+      /**
+       * @description If set, the content of `response` does not contain the entire result set.
+       * To fetch the next page of the result set, call the same endpoint
+       * but specify this value as the 'page.start' query parameter.
+       */
+      last_evaluated_key?: string | null;
+    });
+    /**
+     * @description Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`
+     * value (which can the user pass back to use as a url query parameter to continue pagination).
+     */
+    PaginatedListRolesResponse: {
+      /** @description All roles in an organization. */
+      roles: components["schemas"]["RoleInfo"][];
+    } & ({
+      /**
+       * @description If set, the content of `response` does not contain the entire result set.
+       * To fetch the next page of the result set, call the same endpoint
+       * but specify this value as the 'page.start' query parameter.
+       */
+      last_evaluated_key?: string | null;
+    });
+    /**
+     * @description Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`
+     * value (which can the user pass back to use as a url query parameter to continue pagination).
+     */
+    PaginatedSessionsResponse: {
+      /** @description The list of sessions */
+      sessions: components["schemas"]["SessionInfo"][];
+    } & ({
+      /**
+       * @description If set, the content of `response` does not contain the entire result set.
+       * To fetch the next page of the result set, call the same endpoint
+       * but specify this value as the 'page.start' query parameter.
+       */
+      last_evaluated_key?: string | null;
+    });
     /**
      * @description This type represents a wire-encodable form of the PublicKeyCredential interface
      * Clients may need to manually encode into this format to communicate with the server
@@ -1407,7 +1871,7 @@ export interface components {
      */
     PublicKeyCredentialCreationOptions: {
       attestation?: components["schemas"]["AttestationConveyancePreference"];
-      authenticator_selection: components["schemas"]["AuthenticatorSelectionCriteria"] | null;
+      authenticator_selection?: components["schemas"]["AuthenticatorSelectionCriteria"] | null;
       /**
        * @description This member contains a challenge intended to be used for generating the
        * newly created credential’s attestation object. See the § 13.4.3
@@ -1438,7 +1902,7 @@ export interface components {
        *
        * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-extensions
        */
-      extensions: Record<string, unknown> | null;
+      extensions?: Record<string, unknown> | null;
       /**
        * @description This member contains information about the desired properties of the
        * credential to be created. The sequence is ordered from most preferred to
@@ -1457,8 +1921,8 @@ export interface components {
        *
        * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-timeout
        */
-      timeout: number | null;
-      user: components["schemas"]["PublicKeyCredentialUserEntity"] | null;
+      timeout?: number | null;
+      user: components["schemas"]["PublicKeyCredentialUserEntity"];
     };
     /**
      * @description This dictionary contains the attributes that are specified by a caller when
@@ -1488,7 +1952,7 @@ export interface components {
        * SHOULD retrieve that stored value and set it as the value of the
        * transports member.
        */
-      transports: components["schemas"]["AuthenticatorTransport"][] | null;
+      transports?: components["schemas"]["AuthenticatorTransport"][] | null;
       type: components["schemas"]["PublicKeyCredentialType"];
     };
     /**
@@ -1540,7 +2004,7 @@ export interface components {
        *
        * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialrequestoptions-rpid
        */
-      rp_id: string | null;
+      rp_id?: string | null;
       /**
        * Format: int32
        * @description This OPTIONAL member specifies a time, in milliseconds, that the caller
@@ -1549,7 +2013,7 @@ export interface components {
        *
        * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialrequestoptions-timeout
        */
-      timeout: number | null;
+      timeout?: number | null;
       user_verification?: components["schemas"]["UserVerificationRequirement"];
     };
     /**
@@ -1564,7 +2028,7 @@ export interface components {
        *
        * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialrpentity-id
        */
-      id: string;
+      id?: string | null;
       /**
        * @description A human-palatable name for the entity. Its function depends on what the
        * PublicKeyCredentialEntity represents: When inherited by
@@ -1679,8 +2143,13 @@ export interface components {
       name: string;
     };
     RatchetConfig: {
+      /** @default 300 */
       auth_lifetime?: components["schemas"]["Seconds"];
+      /** @default default_grace_lifetime */
+      grace_lifetime?: components["schemas"]["Seconds"];
+      /** @default 86400 */
       refresh_lifetime?: components["schemas"]["Seconds"];
+      /** @default 31536000 */
       session_lifetime?: components["schemas"]["Seconds"];
     };
     /** @description Receipt that an MFA request was approved. */
@@ -1703,63 +2172,49 @@ export interface components {
      * @enum {string}
      */
     ResidentKeyRequirement: "discouraged" | "preferred" | "required";
+    RevokeTokenResponse: {
+      token?: components["schemas"]["TokenInfo"] | null;
+    };
+    RevokeTokensResponse: {
+      /** @description Tokens that were revoked. */
+      revoked: components["schemas"]["TokenInfo"][];
+    };
     RoleInfo: {
       /**
        * @description Whether the role is enabled
        * @example true
        */
       enabled: boolean;
-      /** @description The CubeSigner IDs of the keys */
-      keys: components["schemas"]["KeyWithPolicies"][];
+      /** @description Deprecated The CubeSigner IDs of at most 100 keys associated with this role */
+      keys?: components["schemas"]["KeyInRoleInfo"][] | null;
       /**
        * @description The human-readable name for the role (must be alphanumeric)
        * @example my_role
        */
       name?: string | null;
       /**
-       * @description The ID of the role
-       * @example Role#bfe3eccb-731e-430d-b1e5-ac1363e6b06b
-       */
-      role_id: string;
-      /**
-       * @description The list of users with access to the role
+       * @description Policy that is checked whenever a key is accessed for signing via this role.
        * @example [
-       *   "User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f",
-       *   "User#5593c25b-52e2-4fb5-b39b-96d41d681d82"
+       *   {
+       *     "SourceIpAllowlist": [
+       *       "123.456.78.9/16"
+       *     ]
+       *   },
+       *   {
+       *     "RequireMfa": {
+       *       "count": 1
+       *     }
+       *   }
        * ]
        */
-      users: string[];
-    };
-    /**
-     * @description Encrypted key material for import using hybrid encryption.
-     *
-     * The imported keying material is encrypted using [XChaCha20Poly1305], which
-     * we choose for its speed and side channel resistance, its ability to encrypt
-     * very long messages, and its safety when using random nonces even for a large
-     * number of messages. The latter should not happen in this case, but the cost
-     * is negligible and the benefit is that we know it's safe to use random nonces.
-     *
-     * The XChaCha key is encrypted using [RSAES-OAEP-SHA256], which we choose because
-     * it's the best of the [available options for asymmetric encryption][kmsopts]
-     * in AWS KMS.
-     *
-     * [XChaCha20Poly1305]: https://doc.libsodium.org/secret-key_cryptography/aead/chacha20-poly1305/xchacha20-poly1305_construction
-     * [RSAES-OAEP-SHA256]: https://www.rfc-editor.org/rfc/rfc8017#section-7.1
-     * [kmsopts]: https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html
-     */
-    RsaOaepXChaChaMaterial: {
-      /**
-       * @description The keying material to be imported, encrypted with
-       * [XChaCha20Poly1305](https://doc.libsodium.org/secret-key_cryptography/aead/chacha20-poly1305/xchacha20-poly1305_construction).
-       */
-      ikm_enc: number[];
+      policy?: Record<string, never>[];
       /**
-       * @description The key-wrapping key used to encrypt `ikm_enc`, encrypted with
-       * [RSAES-OAEP-SHA256](https://www.rfc-editor.org/rfc/rfc8017#section-7.1).
+       * @description The ID of the role
+       * @example Role#bfe3eccb-731e-430d-b1e5-ac1363e6b06b
        */
-      kwk_enc: number[];
-      /** @description The nonce used to generate `ikm_enc`. */
-      nonce: number[];
+      role_id: string;
+      /** @description Deprecated. The list of at most 100 users with access to the role. */
+      users?: string[] | null;
     };
     /**
      * Format: int64
@@ -1779,10 +2234,24 @@ export interface components {
        */
       session_id: string;
     };
-    SignRequest: {
-      message: Record<string, never>;
+    /** @description The response from any operation operating on multiple sessions */
+    SessionsResponse: {
+      /** @description The list of sessions */
+      sessions: components["schemas"]["SessionInfo"][];
+    };
+    /**
+     * @example {
+     *   "message_base64": "AQABA8OKVzLEjststN4xXr39kLKHT8d58eQY1QEs6MeXwEFBrxTAlULX1troLbWxuAXQqgbQofGi6z8fJi7KAAIf7YMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJK0tn39k28s+X86W47EvbRRKnYBVQ8Q/l2m1EbfT7+vAQICAAEMAgAAAGQAAAAAAAAA"
+     * }
+     */
+    SolanaSignRequest: {
+      /** @description Solana base64-encoded serialized Message */
+      message_base64: string;
+    };
+    SolanaSignResponse: {
+      /** @description The hex-encoded signature. */
+      signature: string;
     };
-    SolanaSignRequest: components["schemas"]["SignRequest"] & Record<string, never>;
     StakeRequest: {
       /**
        * Format: int64
@@ -1799,18 +2268,26 @@ export interface components {
        * Must not be different from the default value when 'deposit_type' is "Wrapper".
        */
       staking_amount_gwei?: number;
-      unsafe_conf: components["schemas"]["UnsafeConf"] | null;
+      unsafe_conf?: components["schemas"]["UnsafeConf"] | null;
       /**
        * @description The validator BLS public key to use, or `None` to generate a fresh one.
        * @example 0xa99a76ed7796f7be22d5b7e85deeb7c5677e88e511e0b337618f8c4eb61349b4bf2d153f649f7b53359fe8b94a38e44c
        */
-      validator_key: string | null;
+      validator_key?: string | null;
       /**
        * @description The ethereum address to which withdrawn funds go
        * @example 0x8e3484687e66cdd26cf04c3647633ab4f3570148
        */
       withdrawal_addr: string;
     };
+    StakeResponse: {
+      /**
+       * @description The validator key id ("Key#...")
+       * @example Key#db1731f8-3659-45c0-885b-e11e1f5b7be2
+       */
+      created_validator_key_id: string;
+      deposit_tx: components["schemas"]["DepositTxn"];
+    };
     Status: {
       /** @description Users who are allowed to approve. Must be non-empty. */
       allowed_approvers: string[];
@@ -1818,9 +2295,9 @@ export interface components {
       allowed_mfa_types?: components["schemas"]["MfaType"][] | null;
       /** @description Users who have already approved */
       approved_by: {
-        [key: string]: ({
-          [key: string]: components["schemas"]["ApprovalInfo"] | undefined;
-        }) | undefined;
+        [key: string]: {
+          [key: string]: components["schemas"]["ApprovalInfo"];
+        };
       };
       /**
        * Format: int32
@@ -1843,18 +2320,37 @@ export interface components {
       /** @description TOTP verification code */
       code: string;
     };
+    /** @description Sent from the client to the server to answer a TOTP challenge */
+    TotpChallengeAnswer: {
+      /** @description The current TOTP code */
+      code: string;
+      /** @description The ID of the challenge that was returned from the POST endpoint */
+      totp_id: string;
+    };
+    TotpInfo: {
+      /**
+       * @description The ID of the TOTP challenge.
+       * @example TotpChallenge#7892ebba-563e-485b-bb7d-e26267363286
+       */
+      totp_id: string;
+      /**
+       * @description Standard TOTP url which includes everything needed to initialize TOTP.
+       * @example otpauth://totp/Cubist:alice-%40example.com?secret=DAHF7KCOTQWSOMK4XFEMNHXO4J433OD7&issuer=Cubist
+       */
+      totp_url: string;
+    };
     /** @description Options that should be set only for local devnet testing. */
     UnsafeConf: {
       /**
        * @description The hex-encoded address of the deposit contract. If omitted, inferred from `chain_id`
        * @example 0xff50ed3d0ec03ac01d4c79aad74928bff48a7b2b
        */
-      deposit_contract_addr: string | null;
+      deposit_contract_addr?: string | null;
       /**
        * @description The hex-encoded 4-byte fork version
        * @example 0x00001020
        */
-      genesis_fork_version: string | null;
+      genesis_fork_version?: string | null;
     };
     /**
      * @description Unstake message request.
@@ -1875,7 +2371,7 @@ export interface components {
      * }
      */
     UnstakeRequest: {
-      epoch: components["schemas"]["Epoch"] | null;
+      epoch?: components["schemas"]["Epoch"] | null;
       fork: components["schemas"]["Fork"];
       genesis_data: components["schemas"]["GenesisData"];
       network: components["schemas"]["Network"];
@@ -1889,6 +2385,22 @@ export interface components {
        */
       validator_index: string;
     };
+    /**
+     * @description Unstake responses are signed voluntary exit messages.
+     * The schema for this message is defined
+     * [here](https://github.com/ethereum/consensus-specs/blob/v1.0.1/specs/phase0/beacon-chain.md#signedvoluntaryexit).
+     * This message can be directly POSTed to the Beacon node's
+     * `/eth/v1/beacon/pool/voluntary_exits` end-point (see expected schema
+     * [here](https://ethereum.github.io/beacon-APIs/#/Beacon/submitPoolVoluntaryExit)).
+     */
+    UnstakeResponse: {
+      message: components["schemas"]["VoluntaryExit"];
+      /**
+       * @description BLS signature.
+       * @example 0x910c7cd537ed91cc8c4a82f3cbd832e9be8c24a22e9c86df479f7ce42025ea6a09619b418b666a060e260d2aae31b8e50e9d05ca3442c7eed3b507e5207e14674275f68c2ba84c4bf6b8dd364a304acac8cfab3681e2514b4400f9242bc61164
+       */
+      signature: string;
+    };
     UpdateKeyRequest: {
       /**
        * @description If set, updates the keys's `enabled` property to this value.
@@ -1943,12 +2455,52 @@ export interface components {
        */
       policy?: Record<string, never>[] | null;
     };
+    UpdateOrgResponse: {
+      /** @description The new value of the 'enabled' property */
+      enabled?: boolean | null;
+      /**
+       * @description The new human-readable name for the org (must be alphanumeric)
+       * @example my_org_name
+       */
+      name?: string | null;
+      /**
+       * @description The ID of the organization
+       * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+       */
+      org_id: string;
+      /**
+       * @description The new value of org-wide policies
+       * @example [
+       *   {
+       *     "MaxDailyUnstake": 5
+       *   },
+       *   {
+       *     "OriginAllowlist": [
+       *       "https://example.com"
+       *     ]
+       *   }
+       * ]
+       */
+      policy?: Record<string, never>[] | null;
+    };
     UpdateRoleRequest: {
       /**
        * @description If set, updates the role's `enabled` property to this value.
        * Once disabled, a role cannot be used; and it's tokens cannot be used for signing.
        */
       enabled?: boolean | null;
+      /**
+       * @description If set, update this role's key policies (old policies will be overwritten!).
+       * Only "deny" style policies may be set.
+       * @example [
+       *   {
+       *     "SourceIpAllowlist": [
+       *       "123.456.78.9/16"
+       *     ]
+       *   }
+       * ]
+       */
+      policy?: Record<string, never>[] | null;
     };
     UserIdInfo: {
       /**
@@ -1962,6 +2514,9 @@ export interface components {
        */
       id: string;
     };
+    UserInRoleInfo: {
+      user_id: string;
+    };
     UserInfo: {
       /** @example alice@example.com */
       email: string;
@@ -2013,6 +2568,14 @@ export interface components {
         };
       };
     };
+    AvaSignResponse: {
+      content: {
+        "application/json": {
+          /** @description The hex-encoded signature. */
+          signature: string;
+        };
+      };
+    };
     BlobSignResponse: {
       content: {
         "application/json": {
@@ -2073,6 +2636,19 @@ export interface components {
         };
       };
     };
+    Eip712SignResponse: {
+      content: {
+        "application/json": {
+          /**
+           * @description Hex-encoded signature comprising 65 bytes in the format required
+           * by ecrecover: 32-byte r, 32-byte s, and one-byte recovery-id v
+           * which is either 27 or 28.
+           * @example 0x4355c47d63924e8a72e509b65029052eb6c299d53a04e167c5775fd466751c9d07299936d304c153f6443dfa05f40ff007d72911b6f72307f996231605b915621c
+           */
+          signature: string;
+        };
+      };
+    };
     EmptyImpl: {
       content: {
         "application/json": {
@@ -2124,18 +2700,38 @@ export interface components {
         };
       };
     };
-    GetKeysInOrgResponse: {
+    GetUsersInOrgResponse: {
       content: {
         "application/json": {
-          keys: components["schemas"]["KeyInfo"][];
+          /** @description The list of users in the org */
+          users: components["schemas"]["UserIdInfo"][];
         };
       };
     };
-    GetUsersInOrgResponse: {
+    /**
+     * @description Proof that an end-user provided CubeSigner with a valid auth token
+     * (either an OIDC token or a CubeSigner session token)
+     */
+    IdentityProof: {
       content: {
-        "application/json": {
-          /** @description The list of users in the org */
-          users: components["schemas"]["UserIdInfo"][];
+        "application/json": ({
+          /**
+           * @description OIDC audience; set only if the proof was obtained by using OIDC token.
+           *
+           * In other words, presence of this field testifies that authorization was obtained via OIDC.
+           */
+          aud?: string | null;
+          /**
+           * @description The email associated with the user
+           * @example user@email.com
+           */
+          email: string;
+          exp_epoch: components["schemas"]["EpochDateTime"];
+          identity?: components["schemas"]["OIDCIdentity"] | null;
+          user_info?: components["schemas"]["CubeSignerUserInfo"] | null;
+        }) & {
+          /** @description An opaque identifier for the proof */
+          id: string;
         };
       };
     };
@@ -2230,11 +2826,11 @@ export interface components {
         };
       };
     };
-    ListRolesResponse: {
+    ListMfaResponse: {
       content: {
         "application/json": {
-          /** @description All roles in an organization. */
-          roles: components["schemas"]["RoleInfo"][];
+          /** @description All pending MFA requests */
+          mfa_requests: components["schemas"]["MfaRequestInfo"][];
         };
       };
     };
@@ -2252,7 +2848,7 @@ export interface components {
           expires_at: components["schemas"]["EpochDateTime"];
           /** @description Approval request ID. */
           id: string;
-          receipt: components["schemas"]["Receipt"] | null;
+          receipt?: components["schemas"]["Receipt"] | null;
           request: components["schemas"]["HttpRequest"];
           status: components["schemas"]["Status"];
         };
@@ -2271,41 +2867,13 @@ export interface components {
         };
       };
     };
-    /** @description Proof that an end-user provided CubeSigner with a valid OIDC token */
-    OidcProof: {
-      content: {
-        "application/json": ((components["schemas"]["OIDCIdentity"] & {
-          /**
-           * @description The "audience" (oauth client) through which the user authenticated with the issuer.
-           * This string is opaque according to the OIDC spec, but for example Google
-           * audiences look like `1234987819200.apps.googleusercontent.com`
-           * @example 1234987819200.apps.googleusercontent.com
-           */
-          aud: string;
-          /**
-           * @description The email associated with the user
-           * @example user@email.com
-           */
-          email: string;
-        }) & {
-          exp_epoch: components["schemas"]["EpochDateTime"];
-        }) & {
-          /** @description An opaque identifier for the proof */
-          id: string;
-        };
-      };
-    };
-    OrgInfo: {
+    OrgInfo: {
       content: {
         "application/json": {
           /** @description When false, all cryptographic operations involving keys in this org are disabled. */
           enabled: boolean;
-          /**
-           * @description The RSA public key to use when importing keys into this organization. This string is the
-           * hex encoding of the DER representation of the key.
-           * @example 30820222300d06092a864886f70d01010105000382020f003082020a0282020100c89765b8f347caafbec09fcb17740e032d854ec99f2d9c16167be335339b4fdeba18a7f13d8e8b7ae7d689cab63d8ecdf548f4746eacaf95b61fef76ade9f81b3c038891c52542fd352697b618afbea6103723c28f2db450e9d852be16a4dc2cbc9442da9a6610044009e056ba90728f0b9888d9b036e493aaed168ccf930fa2f730b17eb3ad6f455a792b762c47f3d3c6b7a7c458556a592e688791599a576bf2149d8e9614db775e7a48602d237a347d5399c681f7f7d9c81f6a64e7cfd356bba545d45e5023ca1f09a66a1d4550f61cf2c4367e14997b5d749bb0326a44d058119e8caf7fd79d517eb2d11dddb2db329f350698f0f978d5e150bb402c8bc4c5ec36d6f38db3f3a204813cda9f52dbcee809204f8e35a455c0e110e10eec41f734f2d55a058a7a21fa90602f94da6de2378ff61e7b3550b77e53d75d7b3d3b39ccab0e5101b916dab01da096f7627175d5b68a1a6464ce5be3e95e7c464d69eb0b675057705c11bc79c3543313b0d9c703c50dc1a16dd9b55e5599e3b02e527b85938e7b81c65e56960bcd7c7a266b07dc05107fd0d7d3c208a878eb0fc74b0d007f421d0c5b28cf78eb441aa0166dceeeac255d68622492f9b526ae13c93754ea8eda96f3b764ba931f8d49c7de8b00ac53d993ab9b08fd2892d8e82cc1a9746f0b426b19256d13d780445e150ce81da0b3c96e32559cb47cb5cb93f805650203010001
-           */
-          key_import_key: string;
+          /** @description Deprecated: this field should be ignored. */
+          key_import_key?: string | null;
           /**
            * @description The organization's universally unique key-wrapping-key identifier.
            * This value is required when setting up key export.
@@ -2344,6 +2912,80 @@ export interface components {
         };
       };
     };
+    PaginatedListKeysResponse: {
+      content: {
+        "application/json": {
+          keys: components["schemas"]["KeyInfo"][];
+        } & ({
+          /**
+           * @description If set, the content of `response` does not contain the entire result set.
+           * To fetch the next page of the result set, call the same endpoint
+           * but specify this value as the 'page.start' query parameter.
+           */
+          last_evaluated_key?: string | null;
+        });
+      };
+    };
+    PaginatedListRoleKeysResponse: {
+      content: {
+        "application/json": {
+          /** @description All keys in a role */
+          keys: components["schemas"]["KeyInRoleInfo"][];
+        } & ({
+          /**
+           * @description If set, the content of `response` does not contain the entire result set.
+           * To fetch the next page of the result set, call the same endpoint
+           * but specify this value as the 'page.start' query parameter.
+           */
+          last_evaluated_key?: string | null;
+        });
+      };
+    };
+    PaginatedListRoleUsersResponse: {
+      content: {
+        "application/json": {
+          /** @description All users in a role */
+          users: components["schemas"]["UserInRoleInfo"][];
+        } & ({
+          /**
+           * @description If set, the content of `response` does not contain the entire result set.
+           * To fetch the next page of the result set, call the same endpoint
+           * but specify this value as the 'page.start' query parameter.
+           */
+          last_evaluated_key?: string | null;
+        });
+      };
+    };
+    PaginatedListRolesResponse: {
+      content: {
+        "application/json": {
+          /** @description All roles in an organization. */
+          roles: components["schemas"]["RoleInfo"][];
+        } & ({
+          /**
+           * @description If set, the content of `response` does not contain the entire result set.
+           * To fetch the next page of the result set, call the same endpoint
+           * but specify this value as the 'page.start' query parameter.
+           */
+          last_evaluated_key?: string | null;
+        });
+      };
+    };
+    PaginatedSessionsResponse: {
+      content: {
+        "application/json": {
+          /** @description The list of sessions */
+          sessions: components["schemas"]["SessionInfo"][];
+        } & ({
+          /**
+           * @description If set, the content of `response` does not contain the entire result set.
+           * To fetch the next page of the result set, call the same endpoint
+           * but specify this value as the 'page.start' query parameter.
+           */
+          last_evaluated_key?: string | null;
+        });
+      };
+    };
     RevokeTokenResponse: {
       content: {
         "application/json": {
@@ -2367,26 +3009,36 @@ export interface components {
            * @example true
            */
           enabled: boolean;
-          /** @description The CubeSigner IDs of the keys */
-          keys: components["schemas"]["KeyWithPolicies"][];
+          /** @description Deprecated The CubeSigner IDs of at most 100 keys associated with this role */
+          keys?: components["schemas"]["KeyInRoleInfo"][] | null;
           /**
            * @description The human-readable name for the role (must be alphanumeric)
            * @example my_role
            */
           name?: string | null;
+          /**
+           * @description Policy that is checked whenever a key is accessed for signing via this role.
+           * @example [
+           *   {
+           *     "SourceIpAllowlist": [
+           *       "123.456.78.9/16"
+           *     ]
+           *   },
+           *   {
+           *     "RequireMfa": {
+           *       "count": 1
+           *     }
+           *   }
+           * ]
+           */
+          policy?: Record<string, never>[];
           /**
            * @description The ID of the role
            * @example Role#bfe3eccb-731e-430d-b1e5-ac1363e6b06b
            */
           role_id: string;
-          /**
-           * @description The list of users with access to the role
-           * @example [
-           *   "User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f",
-           *   "User#5593c25b-52e2-4fb5-b39b-96d41d681d82"
-           * ]
-           */
-          users: string[];
+          /** @description Deprecated. The list of at most 100 users with access to the role. */
+          users?: string[] | null;
         };
       };
     };
@@ -2448,6 +3100,11 @@ export interface components {
     TotpInfo: {
       content: {
         "application/json": {
+          /**
+           * @description The ID of the TOTP challenge.
+           * @example TotpChallenge#7892ebba-563e-485b-bb7d-e26267363286
+           */
+          totp_id: string;
           /**
            * @description Standard TOTP url which includes everything needed to initialize TOTP.
            * @example otpauth://totp/Cubist:alice-%40example.com?secret=DAHF7KCOTQWSOMK4XFEMNHXO4J433OD7&issuer=Cubist
@@ -2539,6 +3196,8 @@ export interface components {
   pathItems: never;
 }
 
+export type $defs = Record<string, never>;
+
 export type external = Record<string, never>;
 
 export interface operations {
@@ -2549,7 +3208,7 @@ export interface operations {
    *
    * Retrieves information about the current user.
    */
-  aboutMe: {
+  aboutMeLegacy: {
     responses: {
       200: components["responses"]["UserInfo"];
       default: {
@@ -2614,6 +3273,47 @@ export interface operations {
       };
     };
   };
+  /**
+   * Sign Avalanche X- or P-Chain Message
+   * @description Sign Avalanche X- or P-Chain Message
+   *
+   * Signs an Avalanche message with a given SecpAva key.
+   * This is a pre-release feature.
+   */
+  avaSign: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description Avalanche bech32 address format without the chain prefix
+         * @example avax1am4w6hfrvmh3akduzkjthrtgtqafalce6an8cr
+         */
+        pubkey: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["AvaSignRequest"];
+      };
+    };
+    responses: {
+      200: components["responses"]["AvaSignResponse"];
+      202: {
+        content: {
+          "application/json": components["schemas"]["AcceptedResponse"];
+        };
+      };
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
   /**
    * Sign Bitcoin Transaction
    * @description Sign Bitcoin Transaction
@@ -2687,12 +3387,12 @@ export interface operations {
     };
   };
   /**
-   * Create Key-Import Key
-   * @description Create Key-Import Key
+   * Sign EIP-712 Typed Data
+   * @description Sign EIP-712 Typed Data
    *
-   * Generate an ephemeral key that a client can use for key-import encryption.
+   * Signs typed data according to EIP-712 with a given Secp256k1 key.
    */
-  createKeyImportKey: {
+  eip712Sign: {
     parameters: {
       path: {
         /**
@@ -2700,10 +3400,25 @@ export interface operations {
          * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
          */
         org_id: string;
+        /**
+         * @description Hex-encoded ethereum address of the secp key
+         * @example 0x49011adbCC3bC9c0307BB07F37Dda1a1a9c69d2E
+         */
+        pubkey: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["Eip712SignRequest"];
       };
     };
     responses: {
-      200: components["responses"]["CreateKeyImportKeyResponse"];
+      200: components["responses"]["Eip712SignResponse"];
+      202: {
+        content: {
+          "application/json": components["schemas"]["AcceptedResponse"];
+        };
+      };
       default: {
         content: {
           "application/json": components["schemas"]["ErrorResponse"];
@@ -2712,12 +3427,16 @@ export interface operations {
     };
   };
   /**
-   * Import Key
-   * @description Import Key
+   * Create [IdentityProof] from CubeSigner user session
+   * @description Create [IdentityProof] from CubeSigner user session
    *
-   * Securely imports an existing key using a previously generated key-import key.
+   * This route can be used to prove to another party that a user has a
+   * valid CubeSigner session.
+   *
+   * Clients are intended to call this route and pass the returned evidence
+   * to another service which will verify it by making a request to `/v0/org/<org_id>/identity/verify`.
    */
-  importKey: {
+  createProofCubeSigner: {
     parameters: {
       path: {
         /**
@@ -2727,13 +3446,8 @@ export interface operations {
         org_id: string;
       };
     };
-    requestBody: {
-      content: {
-        "application/json": components["schemas"]["ImportKeyRequest"];
-      };
-    };
     responses: {
-      200: components["responses"]["CreateKeyResponse"];
+      200: components["responses"]["IdentityProof"];
       default: {
         content: {
           "application/json": components["schemas"]["ErrorResponse"];
@@ -2742,12 +3456,19 @@ export interface operations {
     };
   };
   /**
-   * Invite User
-   * @description Invite User
+   * Create [IdentityProof] from OIDC token
+   * @description Create [IdentityProof] from OIDC token
    *
-   * Creates a new user in an existing org and sends that user an invite email.
+   * Exchange an OIDC ID token (passed via the `Authorization` header) for a proof of authentication.
+   *
+   * This route can be used to prove to another party that a user has met the
+   * authentication requirements (allowed issuers & audiences) for CubeSigner
+   * without leaking their credentials.
+   *
+   * Clients are intended to call this route and pass the returned evidence to another service
+   * which will verify it by making a request to `/v0/org/<org_id>/identity/verify`.
    */
-  invite: {
+  createProofOidc: {
     parameters: {
       path: {
         /**
@@ -2757,13 +3478,8 @@ export interface operations {
         org_id: string;
       };
     };
-    requestBody: {
-      content: {
-        "application/json": components["schemas"]["InviteRequest"];
-      };
-    };
     responses: {
-      200: components["responses"]["EmptyImpl"];
+      200: components["responses"]["IdentityProof"];
       default: {
         content: {
           "application/json": components["schemas"]["ErrorResponse"];
@@ -2772,20 +3488,16 @@ export interface operations {
     };
   };
   /**
-   * List Keys
-   * @description List Keys
+   * Verify identity proof
+   * @description Verify identity proof
    *
-   * Gets the list of owned keys in a given org.
+   * Allows a third-party to validate proof of authentication.
+   *
+   * When a third-party is provided an [IdentityProof] object, they must check its
+   * veracity by calling this endpoint
    */
-  listKeysInOrg: {
+  verifyProof: {
     parameters: {
-      query?: {
-        /**
-         * @description Filter by key type
-         * @example SecpEthAddr
-         */
-        key_type?: components["schemas"]["KeyType"];
-      };
       path: {
         /**
          * @description Name or ID of the desired Org
@@ -2794,23 +3506,21 @@ export interface operations {
         org_id: string;
       };
     };
-    responses: {
-      200: components["responses"]["GetKeysInOrgResponse"];
-      default: {
-        content: {
-          "application/json": components["schemas"]["ErrorResponse"];
-        };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["IdentityProof"];
       };
     };
+    responses: {
+    };
   };
   /**
-   * Legacy Import Key
-   * @deprecated
-   * @description Legacy Import Key
+   * Create Key-Import Key
+   * @description Create Key-Import Key
    *
-   * Securely imports an existing key. This API is deprecated; please use the new version.
+   * Generate an ephemeral key that a client can use for key-import encryption.
    */
-  importKeyLegacy: {
+  createKeyImportKey: {
     parameters: {
       path: {
         /**
@@ -2820,13 +3530,8 @@ export interface operations {
         org_id: string;
       };
     };
-    requestBody: {
-      content: {
-        "application/json": components["schemas"]["ImportKeyLegacyRequest"];
-      };
-    };
     responses: {
-      200: components["responses"]["CreateKeyResponse"];
+      200: components["responses"]["CreateKeyImportKeyResponse"];
       default: {
         content: {
           "application/json": components["schemas"]["ErrorResponse"];
@@ -2835,12 +3540,12 @@ export interface operations {
     };
   };
   /**
-   * Create Key
-   * @description Create Key
+   * Import Key
+   * @description Import Key
    *
-   * Creates one or more new keys of the specified type (BLS or Secp).
+   * Securely imports an existing key using a previously generated key-import key.
    */
-  createKey: {
+  importKey: {
     parameters: {
       path: {
         /**
@@ -2852,7 +3557,7 @@ export interface operations {
     };
     requestBody: {
       content: {
-        "application/json": components["schemas"]["CreateKeyRequest"];
+        "application/json": components["schemas"]["ImportKeyRequest"];
       };
     };
     responses: {
@@ -2865,13 +3570,12 @@ export interface operations {
     };
   };
   /**
-   * Legacy List Keys
-   * @deprecated
-   * @description Legacy List Keys
+   * Invite User
+   * @description Invite User
    *
-   * This route is deprecated. Use `GET /v0/org/<org_id>/keys?<key_type>`
+   * Creates a new user in an existing org and sends that user an invite email.
    */
-  listKeysLegacy: {
+  invite: {
     parameters: {
       path: {
         /**
@@ -2883,11 +3587,11 @@ export interface operations {
     };
     requestBody: {
       content: {
-        "application/json": components["schemas"]["GetKeysInOrgRequest"];
+        "application/json": components["schemas"]["InviteRequest"];
       };
     };
     responses: {
-      200: components["responses"]["GetKeysInOrgResponse"];
+      200: components["responses"]["EmptyImpl"];
       default: {
         content: {
           "application/json": components["schemas"]["ErrorResponse"];
@@ -2896,28 +3600,43 @@ export interface operations {
     };
   };
   /**
-   * Get Key
-   * @description Get Key
+   * List Keys
+   * @description List Keys
    *
-   * Returns the properties of a key.
+   * Gets the list of owned keys in a given org.
    */
-  getKeyInOrg: {
+  listKeysInOrg: {
     parameters: {
+      query?: {
+        /**
+         * @description Max number of items to return per page.
+         *
+         * If the actual number of returned items may be less that this, even if there exist more
+         * data in the result set. To reliably determine if more data is left in the result set,
+         * inspect the [UnencryptedLastEvalKey] value in the response object.
+         */
+        "page.size"?: number;
+        /**
+         * @description The start of the page.  Omit to start from the beginning; otherwise, only specify a
+         * the exact value previously returned as 'last_evaluated_key' from the same endpoint.
+         */
+        "page.start"?: components["schemas"]["LastEvalKey"] | null;
+        /**
+         * @description Filter by key type
+         * @example SecpEthAddr
+         */
+        key_type?: components["schemas"]["KeyType"] | null;
+      };
       path: {
         /**
          * @description Name or ID of the desired Org
          * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
          */
         org_id: string;
-        /**
-         * @description ID of the key
-         * @example Key#0x8e3484687e66cdd26cf04c3647633ab4f3570148
-         */
-        key_id: string;
       };
     };
     responses: {
-      200: components["responses"]["KeyInfo"];
+      200: components["responses"]["PaginatedListKeysResponse"];
       default: {
         content: {
           "application/json": components["schemas"]["ErrorResponse"];
@@ -2926,12 +3645,12 @@ export interface operations {
     };
   };
   /**
-   * Update Key
-   * @description Update Key
+   * Create Key
+   * @description Create Key
    *
-   * Enable or disable a key.  The user must be the owner of the key or organization to perform this action.
+   * Creates one or more new keys of the specified type.
    */
-  updateKey: {
+  createKey: {
     parameters: {
       path: {
         /**
@@ -2939,20 +3658,15 @@ export interface operations {
          * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
          */
         org_id: string;
-        /**
-         * @description ID of the key
-         * @example Key#0x8e3484687e66cdd26cf04c3647633ab4f3570148
-         */
-        key_id: string;
       };
     };
     requestBody: {
       content: {
-        "application/json": components["schemas"]["UpdateKeyRequest"];
+        "application/json": components["schemas"]["CreateKeyRequest"];
       };
     };
     responses: {
-      200: components["responses"]["KeyInfo"];
+      200: components["responses"]["CreateKeyResponse"];
       default: {
         content: {
           "application/json": components["schemas"]["ErrorResponse"];
@@ -2961,12 +3675,12 @@ export interface operations {
     };
   };
   /**
-   * Gets a Pending MFA Request
-   * @description Gets a Pending MFA Request
+   * Get Key
+   * @description Get Key
    *
-   * Retrieves and returns a pending MFA request by its id.
+   * Returns the properties of a key.
    */
-  mfaGet: {
+  getKeyInOrg: {
     parameters: {
       path: {
         /**
@@ -2975,14 +3689,14 @@ export interface operations {
          */
         org_id: string;
         /**
-         * @description ID of the approval
-         * @example ...
+         * @description ID of the desired Key
+         * @example Key#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
          */
-        mfa_id: string;
+        key_id: string;
       };
     };
     responses: {
-      200: components["responses"]["MfaRequestInfo"];
+      200: components["responses"]["KeyInfo"];
       default: {
         content: {
           "application/json": components["schemas"]["ErrorResponse"];
@@ -2991,13 +3705,135 @@ export interface operations {
     };
   };
   /**
-   * Approve MFA Request
-   * @description Approve MFA Request
+   * Delete Key
+   * @description Delete Key
    *
-   * Approve request after logging in with CubeSigner. Adds the currently-logged user as an approver
-   * of a pending MFA request of the [Status::RequiredApprovers] kind. If the required number of
-   * approvers is reached, the MFA request is approved; the confirmation receipt can be used to
-   * resume the original HTTP request.
+   * Deletes a key specified by its ID.
+   * Only the key owner and org owners are allowed to delete keys.
+   */
+  deleteKey: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description ID of the desired Key
+         * @example Key#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        key_id: string;
+      };
+    };
+    responses: {
+      200: components["responses"]["EmptyImpl"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Update Key
+   * @description Update Key
+   *
+   * Enable or disable a key.  The user must be the owner of the key or organization to perform this action.
+   */
+  updateKey: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description ID of the desired Key
+         * @example Key#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        key_id: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["UpdateKeyRequest"];
+      };
+    };
+    responses: {
+      200: components["responses"]["KeyInfo"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * List Pending MFA Requests
+   * @description List Pending MFA Requests
+   *
+   * Retrieves and returns all pending MFA requests that are accessible to the current user,
+   * i.e., those in which the current user is listed as an approver
+   */
+  mfaList: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+      };
+    };
+    responses: {
+      200: components["responses"]["ListMfaResponse"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Get Pending MFA Request
+   * @description Get Pending MFA Request
+   *
+   * Retrieves and returns a pending MFA request by its id.
+   */
+  mfaGet: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description Name or ID of the desired MfaRequest
+         * @example MfaRequest#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        mfa_id: string;
+      };
+    };
+    responses: {
+      200: components["responses"]["MfaRequestInfo"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Approve MFA Request
+   * @description Approve MFA Request
+   *
+   * Approve request after logging in with CubeSigner. Adds the currently-logged user as an approver
+   * of a pending MFA request of the [Status::RequiredApprovers] kind. If the required number of
+   * approvers is reached, the MFA request is approved; the confirmation receipt can be used to
+   * resume the original HTTP request.
    */
   mfaApproveCs: {
     parameters: {
@@ -3008,8 +3844,8 @@ export interface operations {
          */
         org_id: string;
         /**
-         * @description ID of the MFA approval request
-         * @example MfaRequest#6de79de4-662c-4203-9235-b6ace5cb432b
+         * @description Name or ID of the desired MfaRequest
+         * @example MfaRequest#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
          */
         mfa_id: string;
       };
@@ -3038,8 +3874,8 @@ export interface operations {
          */
         org_id: string;
         /**
-         * @description ID of the MFA approval request
-         * @example MfaRequest#6de79de4-662c-4203-9235-b6ace5cb432b
+         * @description Name or ID of the desired MfaRequest
+         * @example MfaRequest#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
          */
         mfa_id: string;
       };
@@ -3071,8 +3907,8 @@ export interface operations {
          */
         org_id: string;
         /**
-         * @description ID of the MFA approval request
-         * @example MfaRequest#6de79de4-662c-4203-9235-b6ace5cb432b
+         * @description Name or ID of the desired MfaRequest
+         * @example MfaRequest#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
          */
         mfa_id: string;
       };
@@ -3109,8 +3945,8 @@ export interface operations {
          */
         org_id: string;
         /**
-         * @description ID of the MFA approval request
-         * @example MfaRequest#6de79de4-662c-4203-9235-b6ace5cb432b
+         * @description Name or ID of the desired MfaRequest
+         * @example MfaRequest#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
          */
         mfa_id: string;
       };
@@ -3165,72 +4001,30 @@ export interface operations {
     };
   };
   /**
-   * Create OIDCProof
-   * @description Create OIDCProof
-   *
-   * Exchange an OIDC ID token (passed via the `Authorization` header) for a proof of authentication.
-   *
-   * This route can be used to prove to another party that a user has met the
-   * authentication requirements (allowed issuers & audiences) for CubeSigner
-   * without leaking their credentials.
+   * List Roles
+   * @description List Roles
    *
-   * Clients are intended to call this route and pass the returned evidence to another service
-   * which will verify it.
+   * Retrieves all roles in an organization that the current user is allowed to access.
    */
-  createOidcProof: {
+  listRoles: {
     parameters: {
-      path: {
+      query?: {
         /**
-         * @description Name or ID of the desired Org
-         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         * @description Max number of items to return per page.
+         *
+         * If the actual number of returned items may be less that this, even if there exist more
+         * data in the result set. To reliably determine if more data is left in the result set,
+         * inspect the [UnencryptedLastEvalKey] value in the response object.
          */
-        org_id: string;
-      };
-    };
-    responses: {
-      200: components["responses"]["OidcProof"];
-      default: {
-        content: {
-          "application/json": components["schemas"]["ErrorResponse"];
-        };
-      };
-    };
-  };
-  /**
-   * Verify OIDC Proof
-   * @description Verify OIDC Proof
-   *
-   * Allows a third-party to validate proof of OIDC authentication.
-   *
-   * When a third-party is provided an OidcProof object, they must check its
-   * veracity by calling this endpoint
-   */
-  verifyOidcProof: {
-    parameters: {
-      path: {
+        "page.size"?: number;
         /**
-         * @description Name or ID of the desired Org
-         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         * @description The start of the page.  Omit to start from the beginning; otherwise, only specify a
+         * the exact value previously returned as 'last_evaluated_key' from the same endpoint.
          */
-        org_id: string;
-      };
-    };
-    requestBody: {
-      content: {
-        "application/json": components["schemas"]["OidcProof"];
+        "page.start"?: components["schemas"]["LastEvalKey"] | null;
+        /** @description Don't include keys and users for each role */
+        summarize?: boolean | null;
       };
-    };
-    responses: {
-    };
-  };
-  /**
-   * List Roles
-   * @description List Roles
-   *
-   * Retrieves all roles in an organization that the current user is allowed to access.
-   */
-  listRoles: {
-    parameters: {
       path: {
         /**
          * @description Name or ID of the desired Org
@@ -3240,7 +4034,7 @@ export interface operations {
       };
     };
     responses: {
-      200: components["responses"]["ListRolesResponse"];
+      200: components["responses"]["PaginatedListRolesResponse"];
       default: {
         content: {
           "application/json": components["schemas"]["ErrorResponse"];
@@ -3268,7 +4062,7 @@ export interface operations {
     /** @description Optional request body to set the role name */
     requestBody?: {
       content: {
-        "application/json": components["schemas"]["CreateRoleRequest"];
+        "application/json": components["schemas"]["CreateRoleRequest"] | null;
       };
     };
     responses: {
@@ -3369,7 +4163,7 @@ export interface operations {
       };
     };
     responses: {
-      200: components["responses"]["EmptyImpl"];
+      200: components["responses"]["RoleInfo"];
       default: {
         content: {
           "application/json": components["schemas"]["ErrorResponse"];
@@ -3436,6 +4230,51 @@ export interface operations {
     responses: {
     };
   };
+  /**
+   * List Role Keys
+   * @description List Role Keys
+   *
+   * Returns an array of all keys in a role.
+   */
+  listRoleKeys: {
+    parameters: {
+      query?: {
+        /**
+         * @description Max number of items to return per page.
+         *
+         * If the actual number of returned items may be less that this, even if there exist more
+         * data in the result set. To reliably determine if more data is left in the result set,
+         * inspect the [UnencryptedLastEvalKey] value in the response object.
+         */
+        "page.size"?: number;
+        /**
+         * @description The start of the page.  Omit to start from the beginning; otherwise, only specify a
+         * the exact value previously returned as 'last_evaluated_key' from the same endpoint.
+         */
+        "page.start"?: components["schemas"]["LastEvalKey"] | null;
+      };
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description Name or ID of the desired Role
+         * @example Role#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        role_id: string;
+      };
+    };
+    responses: {
+      200: components["responses"]["PaginatedListRoleKeysResponse"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
   /**
    * Remove Key
    * @description Remove Key
@@ -3466,9 +4305,9 @@ export interface operations {
     };
   };
   /**
-   * List Tokens (Deprecated)
+   * List a single page of Tokens (Deprecated)
    * @deprecated
-   * @description List Tokens (Deprecated)
+   * @description List a single page of Tokens (Deprecated)
    *
    * **Deprecated**: Use `GET /org/{org_id}/session?role=`
    *
@@ -3608,6 +4447,51 @@ export interface operations {
       };
     };
   };
+  /**
+   * List Role Users.
+   * @description List Role Users.
+   *
+   * Returns an array of all users who have access to a role.
+   */
+  listRoleUsers: {
+    parameters: {
+      query?: {
+        /**
+         * @description Max number of items to return per page.
+         *
+         * If the actual number of returned items may be less that this, even if there exist more
+         * data in the result set. To reliably determine if more data is left in the result set,
+         * inspect the [UnencryptedLastEvalKey] value in the response object.
+         */
+        "page.size"?: number;
+        /**
+         * @description The start of the page.  Omit to start from the beginning; otherwise, only specify a
+         * the exact value previously returned as 'last_evaluated_key' from the same endpoint.
+         */
+        "page.start"?: components["schemas"]["LastEvalKey"] | null;
+      };
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description Name or ID of the desired Role
+         * @example Role#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        role_id: string;
+      };
+    };
+    responses: {
+      200: components["responses"]["PaginatedListRoleUsersResponse"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
   /**
    * List sessions
    * @description List sessions
@@ -3617,11 +4501,24 @@ export interface operations {
   listSessions: {
     parameters: {
       query?: {
+        /**
+         * @description Max number of items to return per page.
+         *
+         * If the actual number of returned items may be less that this, even if there exist more
+         * data in the result set. To reliably determine if more data is left in the result set,
+         * inspect the [UnencryptedLastEvalKey] value in the response object.
+         */
+        "page.size"?: number;
+        /**
+         * @description The start of the page.  Omit to start from the beginning; otherwise, only specify a
+         * the exact value previously returned as 'last_evaluated_key' from the same endpoint.
+         */
+        "page.start"?: components["schemas"]["LastEvalKey"] | null;
         /**
          * @description If provided, the name or ID of a role to operate on
          * @example my-role
          */
-        role?: string;
+        role?: string | null;
       };
       path: {
         /**
@@ -3632,7 +4529,7 @@ export interface operations {
       };
     };
     responses: {
-      200: components["responses"]["SessionsResponse"];
+      200: components["responses"]["PaginatedSessionsResponse"];
       default: {
         content: {
           "application/json": components["schemas"]["ErrorResponse"];
@@ -3654,7 +4551,7 @@ export interface operations {
          * @description If provided, the name or ID of a role to operate on
          * @example my-role
          */
-        role?: string;
+        role?: string | null;
       };
       path: {
         /**
@@ -3673,6 +4570,31 @@ export interface operations {
       };
     };
   };
+  /**
+   * Revoke current session
+   * @description Revoke current session
+   *
+   * Immediately revokes the current session, preventing it from being used or refreshed
+   */
+  revokeCurrentSession: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+      };
+    };
+    responses: {
+      200: components["responses"]["EmptyImpl"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
   /**
    * Get session information
    * @description Get session information
@@ -3732,7 +4654,48 @@ export interface operations {
     };
   };
   /**
-   * Get Token-Accessible Keys
+   * Sign Solana Message
+   * @description Sign Solana Message
+   *
+   * Signs a Solana message with a given key.
+   * This is a pre-release feature.
+   */
+  solanaSign: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description The base58-encoded public key
+         * @example 86ZRPszBp5EoPj7wR3bHn7wnAZ5iYfpasRc7DKFPTUaZ
+         */
+        pubkey: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["SolanaSignRequest"];
+      };
+    };
+    responses: {
+      200: components["responses"]["SolanaSignResponse"];
+      202: {
+        content: {
+          "application/json": components["schemas"]["AcceptedResponse"];
+        };
+      };
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Get Token-Accessible Keys
    * @description Get Token-Accessible Keys
    *
    * Retrieves the keys that the role token can access.
@@ -3757,10 +4720,12 @@ export interface operations {
     };
   };
   /**
-   * List users in organization
-   * @description List users in organization
+   * User Info
+   * @description User Info
+   *
+   * Retrieves information about the current user.
    */
-  listUsersInOrg: {
+  aboutMe: {
     parameters: {
       path: {
         /**
@@ -3771,7 +4736,7 @@ export interface operations {
       };
     };
     responses: {
-      200: components["responses"]["GetUsersInOrgResponse"];
+      200: components["responses"]["UserInfo"];
       default: {
         content: {
           "application/json": components["schemas"]["ErrorResponse"];
@@ -3780,10 +4745,12 @@ export interface operations {
     };
   };
   /**
-   * Add a third-party user to the org
-   * @description Add a third-party user to the org
+   * Initiate registration of a FIDO key
+   * @description Initiate registration of a FIDO key
+   *
+   * Generates a challenge that must be answered to prove ownership of a key
    */
-  createOidcUser: {
+  userRegisterFidoInit: {
     parameters: {
       path: {
         /**
@@ -3795,11 +4762,16 @@ export interface operations {
     };
     requestBody: {
       content: {
-        "application/json": components["schemas"]["AddThirdPartyUserRequest"];
+        "application/json": components["schemas"]["FidoCreateRequest"];
       };
     };
     responses: {
-      200: components["responses"]["AddThirdPartyUserResponse"];
+      200: components["responses"]["FidoCreateChallengeResponse"];
+      202: {
+        content: {
+          "application/json": components["schemas"]["AcceptedResponse"];
+        };
+      };
       default: {
         content: {
           "application/json": components["schemas"]["ErrorResponse"];
@@ -3808,10 +4780,12 @@ export interface operations {
     };
   };
   /**
-   * Remove a third-party user from the org
-   * @description Remove a third-party user from the org
+   * Finalize registration of a FIDO key
+   * @description Finalize registration of a FIDO key
+   *
+   * Accepts the response to the challenge generated by the POST to this endpoint.
    */
-  deleteOidcUser: {
+  userRegisterFidoComplete: {
     parameters: {
       path: {
         /**
@@ -3823,7 +4797,7 @@ export interface operations {
     };
     requestBody: {
       content: {
-        "application/json": components["schemas"]["OIDCIdentity"];
+        "application/json": components["schemas"]["FidoCreateChallengeAnswer"];
       };
     };
     responses: {
@@ -3836,15 +4810,39 @@ export interface operations {
     };
   };
   /**
-   * Initialize TOTP
-   * @description Initialize TOTP
+   * Initialize TOTP Reset
+   * @description Initialize TOTP Reset
    *
-   * Creates and sets a new TOTP configuration for the current user,
-   * if and only if no TOTP configuration is already set.
+   * Creates a new TOTP challenge that must be answered to prove that the new TOTP
+   * was successfully imported into an authenticator app.
+   *
+   * This operation is allowed if EITHER
+   * - the user account is not yet initialized and no TOTP is already set, OR
+   * - the user has not configured any auth factors;
+   * otherwise, MFA is required.
    */
-  userInitTotp: {
+  userResetTotpInit: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["Empty"];
+      };
+    };
     responses: {
       200: components["responses"]["TotpInfo"];
+      202: {
+        content: {
+          "application/json": components["schemas"]["AcceptedResponse"];
+        };
+      };
       default: {
         content: {
           "application/json": components["schemas"]["ErrorResponse"];
@@ -3853,15 +4851,29 @@ export interface operations {
     };
   };
   /**
-   * Reset TOTP
-   * @description Reset TOTP
+   * Finalize resetting TOTP
+   * @description Finalize resetting TOTP
    *
-   * Creates and sets a new TOTP configuration for the current user,
-   * overriding the existing one (if any).
+   * Checks if the response contains the correct TOTP code corresponding to the
+   * challenge generated by the POST method of this endpoint.
    */
-  userResetTotp: {
+  userResetTotpComplete: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["TotpChallengeAnswer"];
+      };
+    };
     responses: {
-      200: components["responses"]["TotpInfo"];
+      200: components["responses"]["EmptyImpl"];
       default: {
         content: {
           "application/json": components["schemas"]["ErrorResponse"];
@@ -3879,7 +4891,95 @@ export interface operations {
   userVerifyTotp: {
     parameters: {
       path: {
-        code: string;
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["TotpApproveRequest"];
+      };
+    };
+    responses: {
+      200: components["responses"]["EmptyImpl"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * List users in organization
+   * @description List users in organization
+   */
+  listUsersInOrg: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+      };
+    };
+    responses: {
+      200: components["responses"]["GetUsersInOrgResponse"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Add a third-party user to the org
+   * @description Add a third-party user to the org
+   */
+  createOidcUser: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["AddThirdPartyUserRequest"];
+      };
+    };
+    responses: {
+      200: components["responses"]["AddThirdPartyUserResponse"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Remove a third-party user from the org
+   * @description Remove a third-party user from the org
+   */
+  deleteOidcUser: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["OIDCIdentity"];
       };
     };
     responses: {
@@ -3893,11 +4993,12 @@ export interface operations {
   };
   /**
    * Initiate registration of a FIDO key
+   * @deprecated
    * @description Initiate registration of a FIDO key
    *
    * Generates a challenge that must be answered to prove ownership of a key
    */
-  userRegisterFido: {
+  registerFidoInitLegacy: {
     requestBody: {
       content: {
         "application/json": components["schemas"]["FidoCreateRequest"];
@@ -3905,6 +5006,11 @@ export interface operations {
     };
     responses: {
       200: components["responses"]["FidoCreateChallengeResponse"];
+      202: {
+        content: {
+          "application/json": components["schemas"]["AcceptedResponse"];
+        };
+      };
       default: {
         content: {
           "application/json": components["schemas"]["ErrorResponse"];
@@ -3914,11 +5020,12 @@ export interface operations {
   };
   /**
    * Finalize registration of a FIDO key
+   * @deprecated
    * @description Finalize registration of a FIDO key
    *
    * Accepts the response to the challenge generated by the POST to this endpoint.
    */
-  userRegisterFidoComplete: {
+  registerFidoCompleteLegacy: {
     requestBody: {
       content: {
         "application/json": components["schemas"]["FidoCreateChallengeAnswer"];
@@ -3933,12 +5040,98 @@ export interface operations {
       };
     };
   };
+  /**
+   * Initialize TOTP Reset
+   * @deprecated
+   * @description Initialize TOTP Reset
+   *
+   * Creates a new TOTP challenge that must be answered to prove that the new TOTP
+   * was successfully imported into an authenticator app.
+   *
+   * This operation is allowed if EITHER
+   * - the user account is not yet initialized and no TOTP is already set, OR
+   * - the user has not configured any auth factors;
+   * otherwise, MFA is required.
+   */
+  resetTotpInitLegacy: {
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["Empty"];
+      };
+    };
+    responses: {
+      200: components["responses"]["TotpInfo"];
+      202: {
+        content: {
+          "application/json": components["schemas"]["AcceptedResponse"];
+        };
+      };
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Finalize resetting TOTP
+   * @deprecated
+   * @description Finalize resetting TOTP
+   *
+   * Checks if the response contains the correct TOTP code corresponding to the
+   * challenge generated by the POST method of this endpoint.
+   */
+  resetTotpCompleteLegacy: {
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["TotpChallengeAnswer"];
+      };
+    };
+    responses: {
+      200: components["responses"]["EmptyImpl"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Verify TOTP
+   * @deprecated
+   * @description Verify TOTP
+   *
+   * Checks if a given code matches the current TOTP code for the current user.
+   * Errors with 403 if the current user has not set up TOTP or the code fails verification.
+   */
+  verifyTotpLegacy: {
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["TotpApproveRequest"];
+      };
+    };
+    responses: {
+      200: components["responses"]["EmptyImpl"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
   /**
    * Sign Raw Blob
    * @description Sign Raw Blob
    *
    * Signs an arbitrary blob with a given key.
    * This is a pre-release feature.
+   *
+   * - ECDSA signatures are serialized as big-endian r and s plus recovery-id
+   * byte v, which can in general take any of the values 0, 1, 2, or 3.
+   *
+   * - EdDSA signatures are serialized in the standard format.
+   *
+   * - BLS signatures are not supported on the blob-sign endpoint.
    */
   blobSign: {
     parameters: {
@@ -3949,8 +5142,8 @@ export interface operations {
          */
         org_id: string;
         /**
-         * @description The ID of the key
-         * @example Key#0x49011adbCC3bC9c0307BB07F37Dda1a1a9c69d2E
+         * @description ID of the desired Key
+         * @example Key#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
          */
         key_id: string;
       };
@@ -3984,7 +5177,7 @@ export interface operations {
     parameters: {
       path: {
         /**
-         * @description Name or ID of the organization owning the key
+         * @description Name or ID of the desired Org
          * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
          */
         org_id: string;
@@ -4009,6 +5202,7 @@ export interface operations {
    * @description Sign EVM Transaction
    *
    * Signs an Ethereum (and other EVM) transaction with a given Secp256k1 key.
+   * Returns an RLP-encoded transaction with EIP-155 signature.
    *
    * The key must be associated with the role and organization on whose behalf this action is called.
    */
@@ -4170,47 +5364,6 @@ export interface operations {
       };
     };
   };
-  /**
-   * Sign Solana Message
-   * @description Sign Solana Message
-   *
-   * Signs a Solana message with a given key.
-   * This is a pre-release feature.
-   */
-  solanaSign: {
-    parameters: {
-      path: {
-        /**
-         * @description Name or ID of the desired Org
-         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
-         */
-        org_id: string;
-        /**
-         * @description The base58-encoded public key
-         * @example 86ZRPszBp5EoPj7wR3bHn7wnAZ5iYfpasRc7DKFPTUaZ
-         */
-        pubkey: string;
-      };
-    };
-    requestBody: {
-      content: {
-        "application/json": components["schemas"]["SolanaSignRequest"];
-      };
-    };
-    responses: {
-      200: components["responses"]["SolanaSignResponse"];
-      202: {
-        content: {
-          "application/json": components["schemas"]["AcceptedResponse"];
-        };
-      };
-      default: {
-        content: {
-          "application/json": components["schemas"]["ErrorResponse"];
-        };
-      };
-    };
-  };
   /**
    * Refresh Signer Session
    * @description Refresh Signer Session