@cubist-labs/cubesigner-sdk 0.2.17 → 0.2.21

package/src/api.ts

@@ -1,5 +1,11 @@
-import createClient from "openapi-fetch";
-import { paths } from "./schema";
+import createClient, {
+  FetchOptions,
+  FetchResponse,
+  FilterKeys,
+  HttpMethod,
+  PathsWith,
+} from "openapi-fetch";
+import { paths, operations } from "./schema";
 import {
   SignerSessionData,
   SignerSessionLifetime,
@@ -50,8 +56,9 @@ import {
   UserExportCompleteResponse,
   UserExportInitResponse,
   UserExportListResponse,
+  Empty,
 } from "./schema_types";
-import { assertOk, encodeToBase64 } from "./util";
+import { encodeToBase64 } from "./util";
 import { AddFidoChallenge, MfaFidoChallenge, MfaReceipt, TotpChallenge } from "./mfa";
 import { CubeSignerResponse, mapResponse } from "./response";
 import { Key, KeyType } from "./key";
@@ -60,11 +67,174 @@ import { KeyPolicy } from "./role";
 import { EnvInterface } from "./env";
 import { NAME, VERSION } from ".";
 import { loadSubtleCrypto } from "./user_export";
+import { EventEmitter } from "./events";
 
 /** @internal */
 export type Client = ReturnType<typeof createClient<paths>>;
 
-export { paths };
+export { paths, operations };
+
+/**
+ * Omit routes in {@link T} whose methods are all 'never'
+ */
+type OmitNeverPaths<T extends paths> = {
+  /* eslint-disable-next-line no-unused-vars */ // 'm', but it's needed
+  [p in keyof T as T[p] extends { [m in keyof T[p]]: never } ? never : p]: T[p];
+};
+
+/**
+ * Filter out methods that don't match operation {@link Op}
+ */
+type FilterPaths<Op extends keyof operations> = {
+  [p in keyof paths]: {
+    [m in HttpMethod as m extends keyof paths[p] ? m : never]: m extends keyof paths[p]
+      ? operations[Op] extends paths[p][m]
+        ? paths[p][m] extends operations[Op]
+          ? operations[Op]
+          : never
+        : never
+      : never;
+  };
+};
+
+type Paths<Op extends keyof operations> = OmitNeverPaths<FilterPaths<Op>>;
+
+/**
+ * Open-fetch client restricted to the route that corresponds to operation {@link Op}
+ */
+export type FetchClient<Op extends keyof operations> = ReturnType<typeof createClient<Paths<Op>>>;
+
+/**
+ * Type alias for the type of the response body (the "data" field of
+ * {@link FetchResponse<T>}) when that response is successful.
+ */
+export type FetchResponseSuccessData<T> = Required<FetchResponse<T>>["data"];
+
+/**
+ * Error response type, thrown on non-successful responses.
+ */
+export class ErrResponse extends Error {
+  /** Operation that produced this error */
+  readonly operation?: keyof operations;
+  /** HTTP status code text (derived from `this.status`) */
+  readonly statusText?: string;
+  /** HTTP status code */
+  readonly status?: number;
+  /** HTTP response url */
+  readonly url?: string;
+
+  /**
+   * @param {Partial<ErrResponse>} init Initializer
+   */
+  constructor(init: Partial<ErrResponse>) {
+    super(init.message);
+    Object.assign(this, init);
+  }
+}
+
+/**
+ * Wrapper around an open-fetch client restricted to a single operation.
+ * The restriction applies only when type checking, the actual
+ * client does not restrict anything at runtime.
+ * client does not restrict anything at runtime
+ */
+export class OpClient<Op extends keyof operations> {
+  readonly #op: Op;
+  readonly #client: FetchClient<Op>;
+  readonly #eventEmitter: EventEmitter;
+
+  /**
+   * @param {Op} op The operation this client should be restricted to
+   * @param {FetchClient<Op> | Client} client open-fetch client (either restricted to {@link Op} or not)
+   * @param {EventEmitter} eventEmitter The client-local event dispatcher.
+   */
+  constructor(op: Op, client: FetchClient<Op> | Client, eventEmitter: EventEmitter) {
+    this.#op = op;
+    this.#client = client as FetchClient<Op>; // either works
+    this.#eventEmitter = eventEmitter;
+  }
+
+  /** The operation this client is restricted to */
+  get op() {
+    return this.#op;
+  }
+
+  /**
+   * Inspects the response and returns the response body if the request was successful.
+   * Otherwise, dispatches the error to event listeners, then throws {@link ErrResponse}.
+   *
+   * @param {FetchResponse<T>} resp The response to check
+   * @return {FetchResponseSuccessData<T>} The response data corresponding to response type {@link T}.
+   */
+  private async assertOk<T>(resp: FetchResponse<T>): Promise<FetchResponseSuccessData<T>> {
+    if (resp.error) {
+      const error = new ErrResponse({
+        operation: this.op,
+        message: (resp.error as any).message, // eslint-disable-line @typescript-eslint/no-explicit-any
+        statusText: resp.response?.statusText,
+        status: resp.response?.status,
+        url: resp.response?.url,
+      });
+      this.#eventEmitter.classifyAndEmitError(error);
+      throw error;
+    }
+    if (resp.data === undefined) {
+      throw new Error("Response data is undefined");
+    }
+    return resp.data;
+  }
+
+  /* eslint-disable valid-jsdoc */
+
+  /**
+   * Invoke HTTP GET
+   */
+  async get(
+    url: PathsWith<Paths<Op>, "get">,
+    init: FetchOptions<FilterKeys<Paths<Op>[PathsWith<Paths<Op>, "get">], "get">>,
+  ) {
+    const resp = await this.#client.get(url, init);
+    return await this.assertOk(resp);
+  }
+
+  /** Invoke HTTP POST */
+  async post(
+    url: PathsWith<Paths<Op>, "post">,
+    init: FetchOptions<FilterKeys<Paths<Op>[PathsWith<Paths<Op>, "post">], "post">>,
+  ) {
+    const resp = await this.#client.post(url, init);
+    return await this.assertOk(resp);
+  }
+
+  /** Invoke HTTP PATCH */
+  async patch(
+    url: PathsWith<Paths<Op>, "patch">,
+    init: FetchOptions<FilterKeys<Paths<Op>[PathsWith<Paths<Op>, "patch">], "patch">>,
+  ) {
+    const resp = await this.#client.patch(url, init);
+    return await this.assertOk(resp);
+  }
+
+  /** Invoke HTTP DELETE */
+  async del(
+    url: PathsWith<Paths<Op>, "delete">,
+    init: FetchOptions<FilterKeys<Paths<Op>[PathsWith<Paths<Op>, "delete">], "delete">>,
+  ) {
+    const resp = await this.#client.del(url, init);
+    return await this.assertOk(resp);
+  }
+
+  /** Invoke HTTP PUT */
+  async put(
+    url: PathsWith<Paths<Op>, "put">,
+    init: FetchOptions<FilterKeys<Paths<Op>[PathsWith<Paths<Op>, "put">], "put">>,
+  ) {
+    const resp = await this.#client.put(url, init);
+    return await this.assertOk(resp);
+  }
+
+  /* eslint-enable valid-jsdoc */
+}
 
 /**
  * Creates a new HTTP client, setting the "User-Agent" header to this package's {name}@{version}.
@@ -90,6 +260,7 @@ export function createHttpClient(baseUrl: string, authToken: string): Client {
 export class CubeSignerApi {
   readonly #orgId: string;
   readonly #sessionMgr: SignerSessionManager;
+  readonly #eventEmitter: EventEmitter;
 
   /** Underlying session manager */
   get sessionMgr(): SignerSessionManager {
@@ -108,6 +279,7 @@ export class CubeSignerApi {
    */
   constructor(sessionMgr: SignerSessionManager, orgId?: string) {
     this.#sessionMgr = sessionMgr;
+    this.#eventEmitter = new EventEmitter([sessionMgr.events]);
     this.#orgId = orgId ?? sessionMgr.orgId;
   }
 
@@ -126,7 +298,19 @@ export class CubeSignerApi {
     return this.#orgId;
   }
 
-  // #region USERS: userGet, userResetTotp(Init|Complete), userVerifyTotp, userRegisterFido(Init|Complete)
+  /**
+   * HTTP client restricted to a single operation. The restriction applies only
+   * when type checking, the actual client does not restrict anything at runtime.
+   *
+   * @param {Op} op The operation to restrict the client to
+   * @return {Promise<OpClient<Op>>} The client restricted to {@link op}
+   */
+  private async client<Op extends keyof operations>(op: Op): Promise<OpClient<Op>> {
+    const fetchClient = await this.#sessionMgr.client();
+    return new OpClient(op, fetchClient, this.#eventEmitter);
+  }
+
+  // #region USERS: userGet, userTotp(ResetInit|ResetComplete|Verify|Delete), userFido(RegisterInit|RegisterComplete|Delete)
 
   /**
    * Obtain information about the current user.
@@ -134,32 +318,32 @@ export class CubeSignerApi {
    * @return {Promise<UserInfo>} Retrieves information about the current user.
    */
   async userGet(): Promise<UserInfo> {
-    const client = await this.client();
-    const resp =
-      `${this.orgId}` !== "undefined"
-        ? await client.get("/v0/org/{org_id}/user/me", {
-            params: { path: { org_id: this.orgId } },
-            parseAs: "json",
-          })
-        : await client.get("/v0/about_me", { parseAs: "json" });
-    return assertOk(resp);
+    if (`${this.orgId}` === "undefined") {
+      const client = await this.client("aboutMeLegacy");
+      return await client.get("/v0/about_me", {});
+    } else {
+      const client = await this.client("aboutMe");
+      return await client.get("/v0/org/{org_id}/user/me", {
+        params: { path: { org_id: this.orgId } },
+      });
+    }
   }
 
   /**
    * Creates a request to change user's TOTP. Returns a {@link TotpChallenge}
    * that must be answered either by calling {@link TotpChallenge.answer} (or
-   * {@link CubeSignerApi.userResetTotpComplete}).
+   * {@link CubeSignerApi.userTotpResetComplete}).
    *
    * @param {string} issuer Optional issuer; defaults to "Cubist"
    * @param {MfaReceipt} mfaReceipt MFA receipt to include in HTTP headers
    */
-  async userResetTotpInit(
+  async userTotpResetInit(
     issuer?: string,
     mfaReceipt?: MfaReceipt,
   ): Promise<CubeSignerResponse<TotpChallenge>> {
     const resetTotpFn = async (headers?: HeadersInit) => {
-      const client = await this.client();
-      const resp = await client.post("/v0/org/{org_id}/user/me/totp", {
+      const client = await this.client("userResetTotpInit");
+      const data = await client.post("/v0/org/{org_id}/user/me/totp", {
         headers,
         params: { path: { org_id: this.orgId } },
         body: issuer
@@ -167,16 +351,14 @@ export class CubeSignerApi {
               issuer,
             }
           : null,
-        parseAs: "json",
       });
-      const data = assertOk(resp);
       return mapResponse(data, (totpInfo) => new TotpChallenge(this, totpInfo));
     };
     return await CubeSignerResponse.create(resetTotpFn, mfaReceipt);
   }
 
   /**
-   * Answer the TOTP challenge issued by {@link userResetTotpInit}. If successful, user's
+   * Answer the TOTP challenge issued by {@link userTotpResetInit}. If successful, user's
    * TOTP configuration will be updated to that of the TOTP challenge.
    *
    * Instead of calling this method directly, prefer {@link TotpChallenge.answer}.
@@ -184,14 +366,12 @@ export class CubeSignerApi {
    * @param {string} totpId - The ID of the TOTP challenge
    * @param {string} code - The TOTP code that should verify against the TOTP configuration from the challenge.
    */
-  async userResetTotpComplete(totpId: string, code: string): Promise<void> {
-    const client = await this.client();
-    const resp = await client.patch("/v0/org/{org_id}/user/me/totp", {
-      parseAs: "json",
+  async userTotpResetComplete(totpId: string, code: string): Promise<void> {
+    const client = await this.client("userResetTotpComplete");
+    await client.patch("/v0/org/{org_id}/user/me/totp", {
       params: { path: { org_id: this.orgId } },
       body: { totp_id: totpId, code },
     });
-    assertOk(resp);
   }
 
   /**
@@ -200,45 +380,60 @@ export class CubeSignerApi {
    *
    * @param {string} code Current TOTP code
    */
-  async userVerifyTotp(code: string) {
-    const client = await this.client();
-    const resp = await client.post("/v0/org/{org_id}/user/me/totp/verify", {
+  async userTotpVerify(code: string) {
+    const client = await this.client("userVerifyTotp");
+    await client.post("/v0/org/{org_id}/user/me/totp/verify", {
       params: { path: { org_id: this.orgId } },
       body: { code },
-      parseAs: "json",
     });
-    assertOk(resp);
+  }
+
+  /**
+   * Delete TOTP from the user's account.
+   * Allowed only if at least one FIDO key is registered with the user's account.
+   * MFA via FIDO is always required.
+   *
+   * @param {MfaReceipt} mfaReceipt Optional MFA receipt to include in HTTP headers
+   */
+  async userTotpDelete(mfaReceipt?: MfaReceipt): Promise<CubeSignerResponse<Empty>> {
+    const deleteTotpFn = async (headers?: HeadersInit) => {
+      const client = await this.client("userDeleteTotp");
+      return await client.del("/v0/org/{org_id}/user/me/totp", {
+        headers,
+        params: { path: { org_id: this.orgId } },
+        body: null,
+      });
+    };
+    return await CubeSignerResponse.create(deleteTotpFn, mfaReceipt);
   }
 
   /**
    * Initiate adding a new FIDO device. MFA may be required.  This returns a {@link AddFidoChallenge}
-   * that must be answered with {@link AddFidoChallenge.answer} or {@link userRegisterFidoComplete}
+   * that must be answered with {@link AddFidoChallenge.answer} or {@link userFidoRegisterComplete}
    * (after MFA approvals).
    *
    * @param {string} name The name of the new device.
    * @param {MfaReceipt} mfaReceipt Optional MFA receipt to include in HTTP headers
    * @return {Promise<CubeSignerResponse<AddFidoChallenge>>} A challenge that must be answered in order to complete FIDO registration.
    */
-  async userRegisterFidoInit(
+  async userFidoRegisterInit(
     name: string,
     mfaReceipt?: MfaReceipt,
   ): Promise<CubeSignerResponse<AddFidoChallenge>> {
     const addFidoFn = async (headers?: HeadersInit) => {
-      const client = await this.client();
-      const resp = await client.post("/v0/org/{org_id}/user/me/fido", {
+      const client = await this.client("userRegisterFidoInit");
+      const data = await client.post("/v0/org/{org_id}/user/me/fido", {
         headers,
         params: { path: { org_id: this.orgId } },
         body: { name },
-        parseAs: "json",
       });
-      const data = assertOk(resp);
       return mapResponse(data, (c) => new AddFidoChallenge(this, c));
     };
     return await CubeSignerResponse.create(addFidoFn, mfaReceipt);
   }
 
   /**
-   * Complete a previously initiated (via {@link userRegisterFidoInit}) request to add a new FIDO device.
+   * Complete a previously initiated (via {@link userFidoRegisterInit}) request to add a new FIDO device.
    *
    * Instead of calling this method directly, prefer {@link AddFidoChallenge.answer} or
    * {@link AddFidoChallenge.createCredentialAndAnswer}.
@@ -246,17 +441,38 @@ export class CubeSignerApi {
    * @param {string} challengeId The ID of the challenge returned by the remote end.
    * @param {PublicKeyCredential} credential The answer to the challenge.
    */
-  async userRegisterFidoComplete(challengeId: string, credential: PublicKeyCredential) {
-    const client = await this.client();
-    const resp = await client.patch("/v0/org/{org_id}/user/me/fido", {
+  async userFidoRegisterComplete(challengeId: string, credential: PublicKeyCredential) {
+    const client = await this.client("userRegisterFidoComplete");
+    await client.patch("/v0/org/{org_id}/user/me/fido", {
       params: { path: { org_id: this.orgId } },
       body: {
         challenge_id: challengeId,
         credential,
       },
-      parseAs: "json",
     });
-    assertOk(resp);
+  }
+
+  /**
+   * Delete a FIDO key from the user's account.
+   * Allowed only if TOTP is also defined.
+   * MFA via TOTP is always required.
+   *
+   * @param {string} fidoId The ID of the desired FIDO key
+   * @param {MfaReceipt} mfaReceipt Optional MFA receipt to include in HTTP headers
+   */
+  async userFidoDelete(
+    fidoId: string,
+    mfaReceipt?: MfaReceipt,
+  ): Promise<CubeSignerResponse<Empty>> {
+    const deleteFidoFn = async (headers?: HeadersInit) => {
+      const client = await this.client("userDeleteFido");
+      return await client.del("/v0/org/{org_id}/user/me/fido/{fido_id}", {
+        headers,
+        params: { path: { org_id: this.orgId, fido_id: fidoId } },
+        body: null,
+      });
+    };
+    return await CubeSignerResponse.create(deleteFidoFn, mfaReceipt);
   }
 
   // #endregion
@@ -268,12 +484,10 @@ export class CubeSignerApi {
    * @return {OrgInfo} Information about the organization.
    */
   async orgGet(): Promise<OrgInfo> {
-    const client = await this.client();
-    const resp = await client.get("/v0/org/{org_id}", {
+    const client = await this.client("getOrg");
+    return await client.get("/v0/org/{org_id}", {
       params: { path: { org_id: this.orgId } },
-      parseAs: "json",
     });
-    return assertOk(resp);
   }
 
   /**
@@ -282,13 +496,11 @@ export class CubeSignerApi {
    * @return {UpdateOrgResponse} Updated org information.
    */
   async orgUpdate(request: UpdateOrgRequest): Promise<UpdateOrgResponse> {
-    const client = await this.client();
-    const resp = await client.patch("/v0/org/{org_id}", {
+    const client = await this.client("updateOrg");
+    return await client.patch("/v0/org/{org_id}", {
       params: { path: { org_id: this.orgId } },
       body: request,
-      parseAs: "json",
     });
-    return assertOk(resp);
   }
 
   // #endregion
@@ -303,8 +515,8 @@ export class CubeSignerApi {
    * @param {MemberRole} role Optional role. Defaults to "alien".
    */
   async orgUserInvite(email: string, name: string, role?: MemberRole): Promise<void> {
-    const client = await this.client();
-    const resp = await client.post("/v0/org/{org_id}/invite", {
+    const client = await this.client("invite");
+    await client.post("/v0/org/{org_id}/invite", {
       params: { path: { org_id: this.orgId } },
       body: {
         email,
@@ -312,9 +524,7 @@ export class CubeSignerApi {
         role,
         skip_email: false,
       },
-      parseAs: "json",
     });
-    assertOk(resp);
   }
 
   /**
@@ -322,13 +532,11 @@ export class CubeSignerApi {
    * @return {User[]} Org users.
    */
   async orgUsersList(): Promise<UserIdInfo[]> {
-    const client = await this.client();
+    const client = await this.client("listUsersInOrg");
     const resp = await client.get("/v0/org/{org_id}/users", {
       params: { path: { org_id: this.orgId } },
-      parseAs: "json",
     });
-    const data = assertOk(resp);
-    return data.users;
+    return resp.users;
   }
 
   /**
@@ -343,8 +551,8 @@ export class CubeSignerApi {
     email: string,
     opts: CreateOidcUserOptions = {},
   ): Promise<string> {
-    const client = await this.client();
-    const resp = await client.post("/v0/org/{org_id}/users", {
+    const client = await this.client("createOidcUser");
+    const data = await client.post("/v0/org/{org_id}/users", {
       params: { path: { org_id: this.orgId } },
       body: {
         identity,
@@ -352,9 +560,8 @@ export class CubeSignerApi {
         email: email,
         mfa_policy: opts.mfaPolicy ?? null,
       },
-      parseAs: "json",
     });
-    return assertOk(resp).user_id;
+    return data.user_id;
   }
 
   /**
@@ -362,13 +569,11 @@ export class CubeSignerApi {
    * @param {OidcIdentity} identity The identity of the OIDC user
    */
   async orgUserDeleteOidc(identity: OidcIdentity) {
-    const client = await this.client();
-    const resp = await client.del("/v0/org/{org_id}/users/oidc", {
+    const client = await this.client("deleteOidcUser");
+    return await client.del("/v0/org/{org_id}/users/oidc", {
       params: { path: { org_id: this.orgId } },
       body: identity,
-      parseAs: "json",
     });
-    return assertOk(resp);
   }
 
   // #endregion
@@ -382,12 +587,10 @@ export class CubeSignerApi {
    * @return {KeyInfoApi} The key information.
    */
   async keyGet(keyId: string): Promise<KeyInfoApi> {
-    const client = await this.client();
-    const resp = await client.get("/v0/org/{org_id}/keys/{key_id}", {
+    const client = await this.client("getKeyInOrg");
+    return await client.get("/v0/org/{org_id}/keys/{key_id}", {
       params: { path: { org_id: this.orgId, key_id: keyId } },
-      parseAs: "json",
     });
-    return assertOk(resp);
   }
 
   /**
@@ -397,13 +600,11 @@ export class CubeSignerApi {
    * @return {KeyInfoApi} The JSON response from the API server.
    */
   async keyUpdate(keyId: string, request: UpdateKeyRequest): Promise<KeyInfoApi> {
-    const client = await this.client();
-    const resp = await client.patch("/v0/org/{org_id}/keys/{key_id}", {
+    const client = await this.client("updateKey");
+    return await client.patch("/v0/org/{org_id}/keys/{key_id}", {
       params: { path: { org_id: this.orgId, key_id: keyId } },
       body: request,
-      parseAs: "json",
     });
-    return assertOk(resp);
   }
 
   /**
@@ -412,12 +613,10 @@ export class CubeSignerApi {
    * @param {string} keyId - Key id
    */
   async keyDelete(keyId: string) {
-    const client = await this.client();
-    const resp = await client.del("/v0/org/{org_id}/keys/{key_id}", {
+    const client = await this.client("deleteKey");
+    await client.del("/v0/org/{org_id}/keys/{key_id}", {
       params: { path: { org_id: this.orgId, key_id: keyId } },
-      parseAs: "json",
     });
-    assertOk(resp);
   }
 
   /**
@@ -430,8 +629,8 @@ export class CubeSignerApi {
    */
   async keysCreate(keyType: KeyType, count: number, ownerId?: string): Promise<KeyInfoApi[]> {
     const chain_id = 0; // not used anymore
-    const client = await this.client();
-    const resp = await client.post("/v0/org/{org_id}/keys", {
+    const client = await this.client("createKey");
+    const data = await client.post("/v0/org/{org_id}/keys", {
       params: { path: { org_id: this.orgId } },
       body: {
         count,
@@ -439,9 +638,7 @@ export class CubeSignerApi {
         key_type: keyType,
         owner: ownerId || null,
       },
-      parseAs: "json",
     });
-    const data = assertOk(resp);
     return data.keys;
   }
 
@@ -461,17 +658,16 @@ export class CubeSignerApi {
     derivationPaths: string[],
     mnemonicId: string,
   ): Promise<KeyInfoApi[]> {
-    const client = await this.client();
-    const resp = await client.put("/v0/org/{org_id}/derive_key", {
+    const client = await this.client("deriveKey");
+    const data = await client.put("/v0/org/{org_id}/derive_key", {
       params: { path: { org_id: this.orgId } },
       body: {
         derivation_path: derivationPaths,
         mnemonic_id: mnemonicId,
         key_type: keyType,
       },
-      parseAs: "json",
     });
-    return assertOk(resp).keys;
+    return data.keys;
   }
 
   /**
@@ -482,8 +678,8 @@ export class CubeSignerApi {
    */
   keysList(type?: KeyType, page?: PageOpts): Paginator<ListKeysResponse, KeyInfoApi> {
     const listFn = async (query: PageQueryArgs) => {
-      const client = await this.client();
-      const resp = await client.get("/v0/org/{org_id}/keys", {
+      const client = await this.client("listKeysInOrg");
+      return await client.get("/v0/org/{org_id}/keys", {
         params: {
           path: { org_id: this.orgId },
           query: {
@@ -491,9 +687,7 @@ export class CubeSignerApi {
             ...query,
           },
         },
-        parseAs: "json",
       });
-      return assertOk(resp);
     };
     return new Paginator(
       page ?? Page.default(),
@@ -513,13 +707,12 @@ export class CubeSignerApi {
    * @return {string} The ID of the new role.
    */
   async roleCreate(name?: string): Promise<string> {
-    const client = await this.client();
-    const resp = await client.post("/v0/org/{org_id}/roles", {
+    const client = await this.client("createRole");
+    const data = await client.post("/v0/org/{org_id}/roles", {
       params: { path: { org_id: this.orgId } },
       body: name ? { name } : undefined,
-      parseAs: "json",
     });
-    return assertOk(resp).role_id;
+    return data.role_id;
   }
 
   /**
@@ -528,12 +721,10 @@ export class CubeSignerApi {
    * @return {RoleInfo} The role.
    */
   async roleGet(roleId: string): Promise<RoleInfo> {
-    const client = await this.client();
-    const resp = await client.get("/v0/org/{org_id}/roles/{role_id}", {
+    const client = await this.client("getRole");
+    return await client.get("/v0/org/{org_id}/roles/{role_id}", {
       params: { path: { org_id: this.orgId, role_id: roleId } },
-      parseAs: "json",
     });
-    return assertOk(resp);
   }
 
   /**
@@ -544,13 +735,11 @@ export class CubeSignerApi {
    * @return {Promise<RoleInfo>} The updated role information.
    */
   async roleUpdate(roleId: string, request: UpdateRoleRequest): Promise<RoleInfo> {
-    const client = await this.client();
-    const resp = await client.patch("/v0/org/{org_id}/roles/{role_id}", {
+    const client = await this.client("updateRole");
+    return await client.patch("/v0/org/{org_id}/roles/{role_id}", {
       params: { path: { org_id: this.orgId, role_id: roleId } },
       body: request,
-      parseAs: "json",
     });
-    return assertOk(resp);
   }
 
   /**
@@ -559,12 +748,10 @@ export class CubeSignerApi {
    * @param {string} roleId The ID of the role to delete.
    */
   async roleDelete(roleId: string): Promise<void> {
-    const client = await this.client();
-    const resp = await client.del("/v0/org/{org_id}/roles/{role_id}", {
+    const client = await this.client("deleteRole");
+    await client.del("/v0/org/{org_id}/roles/{role_id}", {
       params: { path: { org_id: this.orgId, role_id: roleId } },
-      parseAs: "json",
     });
-    assertOk(resp);
   }
 
   /**
@@ -575,15 +762,13 @@ export class CubeSignerApi {
    */
   rolesList(page?: PageOpts): Paginator<ListRolesResponse, RoleInfo> {
     const listFn = async (query: PageQueryArgs) => {
-      const client = await this.client();
-      const resp = await client.get("/v0/org/{org_id}/roles", {
+      const client = await this.client("listRoles");
+      return await client.get("/v0/org/{org_id}/roles", {
         params: {
           path: { org_id: this.orgId },
           query,
         },
-        parseAs: "json",
       });
-      return assertOk(resp);
     };
     return new Paginator(
       page ?? Page.default(),
@@ -605,16 +790,14 @@ export class CubeSignerApi {
    * @param {KeyPolicy?} policy The optional policy to apply to each key.
    */
   async roleKeysAdd(roleId: string, keyIds: string[], policy?: KeyPolicy) {
-    const client = await this.client();
-    const resp = await client.put("/v0/org/{org_id}/roles/{role_id}/add_keys", {
+    const client = await this.client("addKeysToRole");
+    await client.put("/v0/org/{org_id}/roles/{role_id}/add_keys", {
       params: { path: { org_id: this.#orgId, role_id: roleId } },
       body: {
         key_ids: keyIds,
         policy: (policy ?? null) as Record<string, never>[] | null,
       },
-      parseAs: "json",
     });
-    assertOk(resp, "Failed to add keys to role");
   }
 
   /**
@@ -624,12 +807,10 @@ export class CubeSignerApi {
    * @param {string} keyId The ID of the key to remove from the role
    */
   async roleKeysRemove(roleId: string, keyId: string) {
-    const client = await this.client();
-    const resp = await client.del("/v0/org/{org_id}/roles/{role_id}/keys/{key_id}", {
+    const client = await this.client("removeKeyFromRole");
+    await client.del("/v0/org/{org_id}/roles/{role_id}/keys/{key_id}", {
       params: { path: { org_id: this.#orgId, role_id: roleId, key_id: keyId } },
-      parseAs: "json",
     });
-    assertOk(resp, "Failed to remove key from a role");
   }
 
   /**
@@ -641,15 +822,13 @@ export class CubeSignerApi {
    */
   roleKeysList(roleId: string, page?: PageOpts): Paginator<ListRoleKeysResponse, KeyInRoleInfo> {
     const listFn = async (query: PageQueryArgs) => {
-      const client = await this.client();
-      const resp = await client.get("/v0/org/{org_id}/roles/{role_id}/keys", {
+      const client = await this.client("listRoleKeys");
+      return await client.get("/v0/org/{org_id}/roles/{role_id}/keys", {
         params: {
           path: { org_id: this.orgId, role_id: roleId },
           query,
         },
-        parseAs: "json",
       });
-      return assertOk(resp);
     };
     return new Paginator(
       page ?? Page.default(),
@@ -670,12 +849,10 @@ export class CubeSignerApi {
    * @param {string} userId The ID of the user to add to the role.
    */
   async roleUserAdd(roleId: string, userId: string) {
-    const client = await this.client();
-    const resp = await client.put("/v0/org/{org_id}/roles/{role_id}/add_user/{user_id}", {
+    const client = await this.client("addUserToRole");
+    await client.put("/v0/org/{org_id}/roles/{role_id}/add_user/{user_id}", {
       params: { path: { org_id: this.#orgId, role_id: roleId, user_id: userId } },
-      parseAs: "json",
     });
-    assertOk(resp, "Failed to add user to role");
   }
 
   /**
@@ -687,15 +864,13 @@ export class CubeSignerApi {
    */
   roleUsersList(roleId: string, page?: PageOpts): Paginator<ListRoleUsersResponse, UserInRoleInfo> {
     const listFn = async (query: PageQueryArgs) => {
-      const client = await this.client();
-      const resp = await client.get("/v0/org/{org_id}/roles/{role_id}/users", {
+      const client = await this.client("listRoleUsers");
+      return await client.get("/v0/org/{org_id}/roles/{role_id}/users", {
         params: {
           path: { org_id: this.orgId, role_id: roleId },
           query,
         },
-        parseAs: "json",
       });
-      return assertOk(resp);
     };
     return new Paginator(
       page ?? Page.default(),
@@ -707,7 +882,46 @@ export class CubeSignerApi {
 
   // #endregion
 
-  // #region SESSIONS: sessionCreateForRole, sessionRefresh, sessionRevoke, sessionsList, sessionKeysList
+  // #region SESSIONS: session(Create|CreateForRole|Refresh|Revoke|List|KeysList)
+
+  /**
+   * Create new user session (management and/or signing)
+   *
+   * @param {string} purpose The purpose of the session
+   * @param {string[]} scopes Session scopes.
+   * @param {SignerSessionLifetime} lifetimes Lifetime settings
+   * @return {Promise<SignerSessionData>} New signer session info.
+   */
+  async sessionCreate(
+    purpose: string,
+    scopes: string[],
+    lifetimes?: SignerSessionLifetime,
+  ): Promise<SignerSessionData> {
+    lifetimes ??= defaultSignerSessionLifetime;
+    const client = await this.client("createSession");
+    const data = await client.post("/v0/org/{org_id}/session", {
+      params: { path: { org_id: this.orgId } },
+      body: {
+        purpose,
+        scopes,
+        auth_lifetime: lifetimes.auth,
+        refresh_lifetime: lifetimes.refresh,
+        session_lifetime: lifetimes.session,
+        grace_lifetime: lifetimes.grace,
+      },
+    });
+    return {
+      org_id: this.orgId,
+      role_id: undefined,
+      purpose,
+      token: data.token,
+      session_info: data.session_info,
+      // Keep compatibility with tokens produced by CLI
+      env: {
+        ["Dev-CubeSignerStack"]: this.#sessionMgr.env,
+      },
+    };
+  }
 
   /**
    * Create a new signer session for a given role.
@@ -730,8 +944,8 @@ export class CubeSignerApi {
       throw new Error(`Role scopes must start with 'sign:'; invalid scopes: ${invalidScopes}`);
     }
 
-    const client = await this.client();
-    const resp = await client.post("/v0/org/{org_id}/roles/{role_id}/tokens", {
+    const client = await this.client("createRoleToken");
+    const data = await client.post("/v0/org/{org_id}/roles/{role_id}/tokens", {
       params: { path: { org_id: this.orgId, role_id: roleId } },
       body: {
         purpose,
@@ -741,9 +955,7 @@ export class CubeSignerApi {
         session_lifetime: lifetimes.session,
         grace_lifetime: lifetimes.grace,
       },
-      parseAs: "json",
     });
-    const data = assertOk(resp);
     return {
       org_id: this.orgId,
       role_id: roleId,
@@ -763,12 +975,10 @@ export class CubeSignerApi {
    * @param {string} sessionId The ID of the session to revoke.
    */
   async sessionRevoke(sessionId: string) {
-    const client = await this.client();
-    const resp = await client.del("/v0/org/{org_id}/session/{session_id}", {
+    const client = await this.client("revokeSession");
+    await client.del("/v0/org/{org_id}/session/{session_id}", {
       params: { path: { org_id: this.orgId, session_id: sessionId } },
-      parseAs: "json",
     });
-    assertOk(resp);
   }
 
   /**
@@ -780,15 +990,13 @@ export class CubeSignerApi {
    */
   sessionsList(roleId?: string, page?: PageOpts): Paginator<SessionsResponse, SessionInfo> {
     const listFn = async (query: PageQueryArgs) => {
-      const client = await this.client();
-      const resp = await client.get("/v0/org/{org_id}/session", {
+      const client = await this.client("listSessions");
+      return await client.get("/v0/org/{org_id}/session", {
         params: {
           path: { org_id: this.#orgId },
           query: { role: roleId, ...query },
         },
-        parseAs: "json",
       });
-      return assertOk(resp);
     };
     return new Paginator(
       page ?? Page.default(),
@@ -803,12 +1011,11 @@ export class CubeSignerApi {
    * @return {Key[]} The list of keys.
    */
   async sessionKeysList(): Promise<KeyInfoApi[]> {
-    const client = await this.client();
+    const client = await this.client("listTokenKeys");
     const resp = await client.get("/v0/org/{org_id}/token/keys", {
       params: { path: { org_id: this.orgId } },
-      parseAs: "json",
     });
-    return assertOk(resp).keys;
+    return resp.keys;
   }
 
   // #endregion
@@ -821,12 +1028,10 @@ export class CubeSignerApi {
    * @return {Promise<IdentityProof>} Proof of authentication
    */
   async identityProve(): Promise<IdentityProof> {
-    const client = await this.client();
-    const resp = await client.post("/v0/org/{org_id}/identity/prove", {
+    const client = await this.client("createProofCubeSigner");
+    return await client.post("/v0/org/{org_id}/identity/prove", {
       params: { path: { org_id: this.orgId } },
-      parseAs: "json",
     });
-    return assertOk(resp);
   }
 
   /**
@@ -835,13 +1040,11 @@ export class CubeSignerApi {
    * @param {IdentityProof} proof The proof of authentication.
    */
   async identityVerify(proof: IdentityProof) {
-    const client = await this.client();
-    const resp = await client.post("/v0/org/{org_id}/identity/verify", {
+    const client = await this.client("verifyProof");
+    await client.post("/v0/org/{org_id}/identity/verify", {
       params: { path: { org_id: this.orgId } },
       body: proof,
-      parseAs: "json",
     });
-    assertOk(resp);
   }
 
   // #endregion
@@ -855,11 +1058,10 @@ export class CubeSignerApi {
    * @return {Promise<MfaRequestInfo>} MFA request information
    */
   async mfaGet(mfaId: string): Promise<MfaRequestInfo> {
-    const client = await this.client();
-    const resp = await client.get("/v0/org/{org_id}/mfa/{mfa_id}", {
+    const client = await this.client("mfaGet");
+    return await client.get("/v0/org/{org_id}/mfa/{mfa_id}", {
       params: { path: { org_id: this.orgId, mfa_id: mfaId } },
     });
-    return assertOk(resp);
   }
 
   /**
@@ -868,11 +1070,11 @@ export class CubeSignerApi {
    * @return {Promise<MfaRequestInfo[]>} The MFA requests.
    */
   async mfaList(): Promise<MfaRequestInfo[]> {
-    const client = await this.client();
+    const client = await this.client("mfaList");
     const resp = await client.get("/v0/org/{org_id}/mfa", {
       params: { path: { org_id: this.orgId } },
     });
-    return assertOk(resp).mfa_requests;
+    return resp.mfa_requests;
   }
 
   /**
@@ -882,11 +1084,10 @@ export class CubeSignerApi {
    * @return {Promise<MfaRequestInfo>} The result of the MFA request
    */
   async mfaApprove(mfaId: string): Promise<MfaRequestInfo> {
-    const client = await this.client();
-    const resp = await client.patch("/v0/org/{org_id}/mfa/{mfa_id}", {
+    const client = await this.client("mfaApproveCs");
+    return await client.patch("/v0/org/{org_id}/mfa/{mfa_id}", {
       params: { path: { org_id: this.orgId, mfa_id: mfaId } },
     });
-    return assertOk(resp);
   }
 
   /**
@@ -897,13 +1098,11 @@ export class CubeSignerApi {
    * @return {Promise<MfaRequestInfo>} The current status of the MFA request
    */
   async mfaApproveTotp(mfaId: string, code: string): Promise<MfaRequestInfo> {
-    const client = await this.client();
-    const resp = await client.patch("/v0/org/{org_id}/mfa/{mfa_id}/totp", {
+    const client = await this.client("mfaApproveTotp");
+    return await client.patch("/v0/org/{org_id}/mfa/{mfa_id}/totp", {
       params: { path: { org_id: this.#orgId, mfa_id: mfaId } },
       body: { code },
-      parseAs: "json",
     });
-    return assertOk(resp);
   }
 
   /**
@@ -914,12 +1113,10 @@ export class CubeSignerApi {
    * @return {Promise<MfaFidoChallenge>} A challenge that needs to be answered to complete the approval.
    */
   async mfaApproveFidoInit(mfaId: string): Promise<MfaFidoChallenge> {
-    const client = await this.client();
-    const resp = await client.post("/v0/org/{org_id}/mfa/{mfa_id}/fido", {
+    const client = await this.client("mfaApproveFido");
+    const challenge = await client.post("/v0/org/{org_id}/mfa/{mfa_id}/fido", {
       params: { path: { org_id: this.orgId, mfa_id: mfaId } },
-      parseAs: "json",
     });
-    const challenge = assertOk(resp);
     return new MfaFidoChallenge(this, mfaId, challenge);
   }
 
@@ -939,16 +1136,14 @@ export class CubeSignerApi {
     challengeId: string,
     credential: PublicKeyCredential,
   ): Promise<MfaRequestInfo> {
-    const client = await this.client();
-    const resp = await client.patch("/v0/org/{org_id}/mfa/{mfa_id}/fido", {
+    const client = await this.client("mfaApproveFidoComplete");
+    return await client.patch("/v0/org/{org_id}/mfa/{mfa_id}/fido", {
       params: { path: { org_id: this.orgId, mfa_id: mfaId } },
       body: {
         challenge_id: challengeId,
         credential,
       },
-      parseAs: "json",
     });
-    return assertOk(resp);
   }
 
   // #endregion
@@ -968,17 +1163,15 @@ export class CubeSignerApi {
     mfaReceipt?: MfaReceipt,
   ): Promise<CubeSignerResponse<EvmSignResponse>> {
     const pubkey = typeof key === "string" ? (key as string) : key.materialId;
-    const sign = async (headers?: HeadersInit) => {
-      const client = await this.client();
-      const resp = await client.post("/v1/org/{org_id}/eth1/sign/{pubkey}", {
+    const signFn = async (headers?: HeadersInit) => {
+      const client = await this.client("eth1Sign");
+      return await client.post("/v1/org/{org_id}/eth1/sign/{pubkey}", {
         params: { path: { org_id: this.orgId, pubkey } },
         body: req,
         headers,
-        parseAs: "json",
       });
-      return assertOk(resp);
     };
-    return await CubeSignerResponse.create(sign, mfaReceipt);
+    return await CubeSignerResponse.create(signFn, mfaReceipt);
   }
 
   /**
@@ -996,14 +1189,12 @@ export class CubeSignerApi {
   ): Promise<CubeSignerResponse<Eth2SignResponse>> {
     const pubkey = typeof key === "string" ? (key as string) : key.materialId;
     const sign = async (headers?: HeadersInit) => {
-      const client = await this.client();
-      const resp = await client.post("/v1/org/{org_id}/eth2/sign/{pubkey}", {
+      const client = await this.client("eth2Sign");
+      return await client.post("/v1/org/{org_id}/eth2/sign/{pubkey}", {
         params: { path: { org_id: this.orgId, pubkey } },
         body: req,
         headers,
-        parseAs: "json",
       });
-      return assertOk(resp);
     };
     return await CubeSignerResponse.create(sign, mfaReceipt);
   }
@@ -1020,14 +1211,12 @@ export class CubeSignerApi {
     mfaReceipt?: MfaReceipt,
   ): Promise<CubeSignerResponse<Eth2StakeResponse>> {
     const sign = async (headers?: HeadersInit) => {
-      const client = await this.client();
-      const resp = await client.post("/v1/org/{org_id}/eth2/stake", {
+      const client = await this.client("stake");
+      return await client.post("/v1/org/{org_id}/eth2/stake", {
         params: { path: { org_id: this.orgId } },
         body: req,
         headers,
-        parseAs: "json",
       });
-      return assertOk(resp);
     };
     return await CubeSignerResponse.create(sign, mfaReceipt);
   }
@@ -1046,17 +1235,15 @@ export class CubeSignerApi {
     mfaReceipt?: MfaReceipt,
   ): Promise<CubeSignerResponse<Eth2UnstakeResponse>> {
     const pubkey = typeof key === "string" ? (key as string) : key.materialId;
-    const sign = async (headers?: HeadersInit) => {
-      const client = await this.client();
-      const resp = await client.post("/v1/org/{org_id}/eth2/unstake/{pubkey}", {
+    const signFn = async (headers?: HeadersInit) => {
+      const client = await this.client("unstake");
+      return await client.post("/v1/org/{org_id}/eth2/unstake/{pubkey}", {
         params: { path: { org_id: this.orgId, pubkey } },
         body: req,
         headers,
-        parseAs: "json",
       });
-      return assertOk(resp);
     };
-    return await CubeSignerResponse.create(sign, mfaReceipt);
+    return await CubeSignerResponse.create(signFn, mfaReceipt);
   }
 
   /**
@@ -1072,20 +1259,18 @@ export class CubeSignerApi {
     mfaReceipt?: MfaReceipt,
   ): Promise<CubeSignerResponse<AvaSignResponse>> {
     const pubkey = typeof key === "string" ? (key as string) : key.materialId;
-    const sign = async (headers?: HeadersInit) => {
+    const signFn = async (headers?: HeadersInit) => {
       const req = <AvaSignRequest>{
         tx: tx as unknown,
       };
-      const client = await this.client();
-      const resp = await client.post("/v0/org/{org_id}/ava/sign/{pubkey}", {
+      const client = await this.client("avaSign");
+      return await client.post("/v0/org/{org_id}/ava/sign/{pubkey}", {
         params: { path: { org_id: this.orgId, pubkey } },
         body: req,
         headers,
-        parseAs: "json",
       });
-      return assertOk(resp);
     };
-    return await CubeSignerResponse.create(sign, mfaReceipt);
+    return await CubeSignerResponse.create(signFn, mfaReceipt);
   }
 
   /**
@@ -1117,19 +1302,17 @@ export class CubeSignerApi {
     mfaReceipt?: MfaReceipt,
   ): Promise<CubeSignerResponse<BlobSignResponse>> {
     const key_id = typeof key === "string" ? (key as string) : key.id;
-    const sign = async (headers?: HeadersInit) => {
-      const client = await this.client();
-      const resp = await client.post("/v1/org/{org_id}/blob/sign/{key_id}", {
+    const signFn = async (headers?: HeadersInit) => {
+      const client = await this.client("blobSign");
+      return await client.post("/v1/org/{org_id}/blob/sign/{key_id}", {
         params: {
           path: { org_id: this.orgId, key_id },
         },
         body: req,
         headers,
-        parseAs: "json",
       });
-      return assertOk(resp);
     };
-    return await CubeSignerResponse.create(sign, mfaReceipt);
+    return await CubeSignerResponse.create(signFn, mfaReceipt);
   }
 
   /**
@@ -1146,19 +1329,17 @@ export class CubeSignerApi {
     mfaReceipt?: MfaReceipt,
   ): Promise<CubeSignerResponse<BtcSignResponse>> {
     const pubkey = typeof key === "string" ? (key as string) : key.materialId;
-    const sign = async (headers?: HeadersInit) => {
-      const client = await this.client();
-      const resp = await client.post("/v0/org/{org_id}/btc/sign/{pubkey}", {
+    const signFn = async (headers?: HeadersInit) => {
+      const client = await this.client("btcSign");
+      return await client.post("/v0/org/{org_id}/btc/sign/{pubkey}", {
         params: {
           path: { org_id: this.orgId, pubkey },
         },
         body: req,
         headers: headers,
-        parseAs: "json",
       });
-      return assertOk(resp);
     };
-    return await CubeSignerResponse.create(sign, mfaReceipt);
+    return await CubeSignerResponse.create(signFn, mfaReceipt);
   }
 
   /**
@@ -1175,25 +1356,18 @@ export class CubeSignerApi {
     mfaReceipt?: MfaReceipt,
   ): Promise<CubeSignerResponse<SolanaSignResponse>> {
     const pubkey = typeof key === "string" ? (key as string) : key.materialId;
-    const sign = async (headers?: HeadersInit) => {
-      const client = await this.client();
-      const resp = await client.post("/v0/org/{org_id}/solana/sign/{pubkey}", {
+    const signFn = async (headers?: HeadersInit) => {
+      const client = await this.client("solanaSign");
+      return await client.post("/v0/org/{org_id}/solana/sign/{pubkey}", {
         params: { path: { org_id: this.orgId, pubkey } },
         body: req,
         headers,
-        parseAs: "json",
       });
-      return assertOk(resp);
     };
-    return await CubeSignerResponse.create(sign, mfaReceipt);
+    return await CubeSignerResponse.create(signFn, mfaReceipt);
   }
   // #endregion
 
-  /** HTTPS client */
-  private async client(): Promise<Client> {
-    return await this.#sessionMgr.client();
-  }
-
   // #region USER EXPORT: userExport(Init,Complete,List,Delete)
   /**
    * List outstanding user-export requests.
@@ -1209,8 +1383,8 @@ export class CubeSignerApi {
     page?: PageOpts,
   ): Paginator<UserExportListResponse, UserExportInitResponse> {
     const listFn = async (query: PageQueryArgs) => {
-      const client = await this.client();
-      const resp = await client.get("/v0/org/{org_id}/user/me/export", {
+      const client = await this.client("userExportList");
+      return await client.get("/v0/org/{org_id}/user/me/export", {
         params: {
           path: { org_id: this.orgId },
           query: {
@@ -1219,9 +1393,7 @@ export class CubeSignerApi {
             ...query,
           },
         },
-        parseAs: "json",
       });
-      return assertOk(resp);
     };
     return new Paginator(
       page ?? Page.default(),
@@ -1238,8 +1410,8 @@ export class CubeSignerApi {
    * @param {string?} userId Optional user ID. If omitted, uses the current user's ID. Only org owners can delete user-export requests for users other than themselves.
    */
   async userExportDelete(keyId: string, userId?: string): Promise<void> {
-    const client = await this.client();
-    const resp = await client.del("/v0/org/{org_id}/user/me/export", {
+    const client = await this.client("userExportDelete");
+    await client.del("/v0/org/{org_id}/user/me/export", {
       params: {
         path: { org_id: this.orgId },
         query: {
@@ -1247,9 +1419,7 @@ export class CubeSignerApi {
           user_id: userId,
         },
       },
-      parseAs: "json",
     });
-    assertOk(resp);
   }
 
   /**
@@ -1263,17 +1433,15 @@ export class CubeSignerApi {
     keyId: string,
     mfaReceipt?: MfaReceipt,
   ): Promise<CubeSignerResponse<UserExportInitResponse>> {
-    const init = async (headers?: HeadersInit) => {
-      const client = await this.client();
-      const resp = await client.post("/v0/org/{org_id}/user/me/export", {
+    const initFn = async (headers?: HeadersInit) => {
+      const client = await this.client("userExportInit");
+      return await client.post("/v0/org/{org_id}/user/me/export", {
         params: { path: { org_id: this.orgId } },
         body: { key_id: keyId },
         headers,
-        parseAs: "json",
       });
-      return assertOk(resp);
     };
-    return await CubeSignerResponse.create(init, mfaReceipt);
+    return await CubeSignerResponse.create(initFn, mfaReceipt);
   }
 
   /**
@@ -1294,20 +1462,18 @@ export class CubeSignerApi {
     const publicKeyB64 = encodeToBase64(Buffer.from(await subtle.exportKey("raw", publicKey)));
 
     // make the request
-    const complete = async (headers?: HeadersInit) => {
-      const client = await this.client();
-      const resp = await client.patch("/v0/org/{org_id}/user/me/export", {
+    const completeFn = async (headers?: HeadersInit) => {
+      const client = await this.client("userExportComplete");
+      return await client.patch("/v0/org/{org_id}/user/me/export", {
         params: { path: { org_id: this.orgId } },
         body: {
           key_id: keyId,
           public_key: publicKeyB64,
         },
         headers,
-        parseAs: "json",
       });
-      return assertOk(resp);
     };
-    return await CubeSignerResponse.create(complete, mfaReceipt);
+    return await CubeSignerResponse.create(completeFn, mfaReceipt);
   }
   // #endregion
 }
@@ -1332,6 +1498,16 @@ export class OidcClient {
     this.#client = createHttpClient(env.SignerApiRoot, oidcToken);
   }
 
+  /**
+   * HTTP client restricted to a single operation.
+   *
+   * @param {Op} op The operation to restrict the client to
+   * @return {OpClient<Op>} The client restricted to {@link op}
+   */
+  private client<Op extends keyof operations>(op: Op): OpClient<Op> {
+    return new OpClient(op, this.#client, new EventEmitter([]));
+  }
+
   /**
    * Exchange an OIDC token for a CubeSigner session token.
    * @param {List<string>} scopes The scopes for the new session
@@ -1345,16 +1521,15 @@ export class OidcClient {
     mfaReceipt?: MfaReceipt,
   ): Promise<CubeSignerResponse<SignerSessionData>> {
     const loginFn = async (headers?: HeadersInit) => {
-      const resp = await this.#client.post("/v0/org/{org_id}/oidc", {
+      const client = this.client("oidcAuth");
+      const data = await client.post("/v0/org/{org_id}/oidc", {
         params: { path: { org_id: this.#orgId } },
         headers,
         body: {
           scopes,
           tokens: lifetimes,
         },
-        parseAs: "json",
       });
-      const data = assertOk(resp);
       return mapResponse(
         data,
         (sessionInfo) =>
@@ -1379,11 +1554,10 @@ export class OidcClient {
    * @return {Promise<IdentityProof>} Proof of authentication
    */
   async identityProve(): Promise<IdentityProof> {
-    const resp = await this.#client.post("/v0/org/{org_id}/identity/prove/oidc", {
+    const client = this.client("createProofOidc");
+    return await client.post("/v0/org/{org_id}/identity/prove/oidc", {
       params: { path: { org_id: this.#orgId } },
-      parseAs: "json",
     });
-    return assertOk(resp);
   }
 }