@cubist-labs/cubesigner-sdk 0.3.1 → 0.3.11

package/src/schema.ts

@@ -192,6 +192,15 @@ export interface paths {
      */
     patch: operations["updateKey"];
   };
+  "/v0/org/{org_id}/keys/{key_id}/roles": {
+    /**
+     * List Key Roles
+     * @description List Key Roles
+     *
+     * Get all roles the key is in
+     */
+    get: operations["listKeyRoles"];
+  };
   "/v0/org/{org_id}/mfa": {
     /**
      * List Pending MFA Requests
@@ -211,46 +220,67 @@ export interface paths {
      */
     get: operations["mfaGet"];
     /**
-     * Approve MFA Request
-     * @description Approve MFA Request
+     * Approve or Reject MFA Request
+     * @description Approve or Reject MFA Request
      *
-     * Approve request after logging in with CubeSigner. Adds the currently-logged user as an approver
+     * Approve or reject request after logging in with CubeSigner.
+     *
+     * If approving, adds the currently-logged user as an approver
      * of a pending MFA request of the [Status::RequiredApprovers] kind. If the required number of
      * approvers is reached, the MFA request is approved; the confirmation receipt can be used to
      * resume the original HTTP request.
+     *
+     * If rejecting, immediately deletes the pending MFA request.
      */
-    patch: operations["mfaApproveCs"];
+    patch: operations["mfaVoteCs"];
   };
   "/v0/org/{org_id}/mfa/{mfa_id}/fido": {
     /**
-     * Initiate Approving an MFA Request with FIDO
-     * @description Initiate Approving an MFA Request with FIDO
+     * Initiate a FIDO MFA Approval/Rejection
+     * @description Initiate a FIDO MFA Approval/Rejection
      *
-     * Initiates the approval process of an MFA Request using FIDO.
+     * Initiates the approval/rejection process of an MFA Request using FIDO.
      */
-    post: operations["mfaApproveFido"];
+    post: operations["mfaFidoInit"];
     /**
-     * Finalize a FIDO MFA Approval
-     * @description Finalize a FIDO MFA Approval
-     *
-     * Adds an approver to a pending MFA request.
+     * Finalize a FIDO MFA Approval/Rejection
+     * @description Finalize a FIDO MFA Approval/Rejection
      *
+     * If approving, adds an approver to a pending MFA request.
      * If the required number of approvers is reached, the MFA request is approved;
      * the confirmation receipt can be used to resume the original HTTP request.
+     *
+     * If rejecting, immediately deletes the pending MFA request.
      */
-    patch: operations["mfaApproveFidoComplete"];
+    patch: operations["mfaVoteFidoComplete"];
   };
   "/v0/org/{org_id}/mfa/{mfa_id}/totp": {
     /**
-     * Approve a TOTP MFA Request
-     * @description Approve a TOTP MFA Request
+     * Approve/Reject a TOTP MFA Request
+     * @description Approve/Reject a TOTP MFA Request
      *
-     * Adds the current user as approver to a pending MFA request by providing TOTP code.
+     * If approving, adds the current user as approver to a pending MFA request by
+     * providing TOTP code. If the required number of approvers is reached, the MFA request is
+     * approved; the confirmation receipt can be used to resume the original HTTP request.
      *
-     * If the required number of approvers is reached, the MFA request is approved;
-     * the confirmation receipt can be used to resume the original HTTP request.
+     * If rejecting, immediately deletes the pending MFA request.
      */
-    patch: operations["mfaApproveTotp"];
+    patch: operations["mfaVoteTotp"];
+  };
+  "/v0/org/{org_id}/oauth2/twitter": {
+    /**
+     * Mint an OIDC ID token for Twitter
+     * @description Mint an OIDC ID token for Twitter
+     *
+     * This function acts identically to Twitter's [`oauth2/token`](https://developer.twitter.com/en/docs/authentication/api-reference/token) endpoint,
+     * but extends the output with an `id_token`.
+     *
+     * This `id_token` can then be used with any CubeSigner endpoint that requires an OIDC token.
+     *
+     * > [!IMPORTANT]
+     * > This endpoint will fail unless the org is configured to allow the issuer `https://shim.oauth2.cubist.dev/twitter` and client ID being used for Twitter.
+     */
+    post: operations["oauth2Twitter"];
   };
   "/v0/org/{org_id}/oidc": {
     /**
@@ -395,6 +425,16 @@ export interface paths {
      */
     get: operations["listRoleUsers"];
   };
+  "/v0/org/{org_id}/roles/{role_id}/users/{user_id}": {
+    /**
+     * Remove User
+     * @description Remove User
+     *
+     * Removes an existing user from an existing role.
+     * Only users in the role or org owners can remove users from a role.
+     */
+    delete: operations["removeUserFromRole"];
+  };
   "/v0/org/{org_id}/session": {
     /**
      * List sessions
@@ -750,6 +790,8 @@ export interface components {
         session?: components["schemas"]["NewSessionResponse"] | null;
       };
     };
+    /** @enum {string} */
+    AcceptedValueCode: "MfaRequired";
     AddKeysToRoleRequest: {
       /**
        * @description A list of keys to add to a role
@@ -795,6 +837,11 @@ export interface components {
       identity: components["schemas"]["OIDCIdentity"];
       /** @description Optional login MFA policy */
       mfa_policy?: unknown;
+      /**
+       * @description Optional user full name
+       * @example Alice Wonderland
+       */
+      name?: string | null;
       role: components["schemas"]["MemberRole"];
     };
     AddThirdPartyUserResponse: {
@@ -956,6 +1003,92 @@ export interface components {
     };
     /** @description Wrapper around a zeroizing 32-byte fixed-size array */
     B32: string;
+    /** @enum {string} */
+    BadGatewayErrorCode: "OAuthProviderError";
+    /** @enum {string} */
+    BadRequestErrorCode:
+      | "GenericBadRequest"
+      | "InvalidBody"
+      | "TokenRequestError"
+      | "InvalidMfaReceipt"
+      | "InvalidMfaPolicyCount"
+      | "InvalidMfaPolicyNumAuthFactors"
+      | "InvalidMfaPolicyNumAllowedApprovers"
+      | "InvalidMfaPolicyRedundantRule"
+      | "InvalidCreateKeyCount"
+      | "OrgInviteExistingUser"
+      | "OrgNameTaken"
+      | "RoleNameTaken"
+      | "AddKeyToRoleCountTooHigh"
+      | "InvalidKeyId"
+      | "InvalidKeyMetadataLength"
+      | "InvalidKeyMetadata"
+      | "InvalidKeyMaterialId"
+      | "KeyNotFound"
+      | "UserExportDerivedKey"
+      | "UserExportPublicKeyInvalid"
+      | "UserExportInProgress"
+      | "RoleNotFound"
+      | "InvalidMfaReceiptOrgIdMissing"
+      | "InvalidMfaReceiptInvalidOrgId"
+      | "MfaRequestNotFound"
+      | "InvalidKeyType"
+      | "InvalidKeyMaterial"
+      | "InvalidHexValue"
+      | "InvalidBase32Value"
+      | "InvalidBase58Value"
+      | "InvalidForkVersionLength"
+      | "InvalidEthAddress"
+      | "InvalidStellarAddress"
+      | "InvalidOrgNameOrId"
+      | "InvalidStakeDeposit"
+      | "InvalidBlobSignRequest"
+      | "InvalidSolanaSignRequest"
+      | "InvalidEip712SignRequest"
+      | "InvalidEvmSignRequest"
+      | "InvalidEth2SignRequest"
+      | "InvalidDeriveKeyRequest"
+      | "InvalidStakingAmount"
+      | "CustomStakingAmountNotAllowedForWrapperContract"
+      | "InvalidUnstakeRequest"
+      | "InvalidCreateUserRequest"
+      | "UserAlreadyExists"
+      | "UserNotFound"
+      | "PolicyRuleKeyMismatch"
+      | "EmptyScopes"
+      | "InvalidScopesForRoleSession"
+      | "InvalidLifetime"
+      | "NoSingleKeyForUser"
+      | "InvalidOrgPolicyRule"
+      | "SourceIpAllowlistEmpty"
+      | "InvalidOrgPolicyRepeatedRule"
+      | "AvaSignHashError"
+      | "AvaSignError"
+      | "BtcSegwitHashError"
+      | "BtcSignError"
+      | "Eip712SignError"
+      | "InvalidMemberRoleInUserAdd"
+      | "ThirdPartyUserAlreadyExists"
+      | "ThirdPartyUserNotFound"
+      | "DeleteOidcUserError"
+      | "SessionRoleMismatch"
+      | "InvalidOidcToken"
+      | "OidcIssuerUnsupported"
+      | "OidcIssuerNotAllowed"
+      | "OidcIssuerNoApplicableJwk"
+      | "FidoKeyAlreadyRegistered"
+      | "FidoKeySignCountTooLow"
+      | "FidoVerificationFailed"
+      | "FidoChallengeMfaMismatch"
+      | "UnsupportedLegacyCognitoSession"
+      | "InvalidIdentityProof"
+      | "PaginationDataExpired"
+      | "ExistingKeysViolateExclusiveKeyAccess"
+      | "ExportDelayTooShort"
+      | "ExportWindowTooLong"
+      | "InvalidTotpFailureLimit"
+      | "InvalidEip191SignRequest"
+      | "CannotResendUserInvitation";
     /**
      * @example {
      *   "message_base64": "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTYK"
@@ -1162,6 +1295,8 @@ export interface components {
       configured_mfa: components["schemas"]["ConfiguredMfa"][];
       /** @description Set once the user successfully logs into CubeSigner */
       initialized: boolean;
+      /** @description Optional human name for the user */
+      name?: string | null;
       /** @description CubeSigner's user identifier */
       user_id: string;
     };
@@ -1340,6 +1475,7 @@ export interface components {
     /** @description The structure of ErrorResponse must match the response template that AWS uses */
     ErrorResponse: {
       accepted?: components["schemas"]["AcceptedValue"] | null;
+      error_code: components["schemas"]["SignerErrorCode"];
       /** @description Error message */
       message: string;
       /** @description Optional request identifier */
@@ -1417,6 +1553,26 @@ export interface components {
        */
       signature: string;
     };
+    /** @enum {string} */
+    EvmTxDepositErrorCode:
+      | "EvmTxDepositReceiverMismatch"
+      | "EvmTxDepositEmptyData"
+      | "EvmTxDepositEmptyChainId"
+      | "EvmTxDepositEmptyReceiver"
+      | "EvmTxDepositUnexpectedValue"
+      | "EvmTxDepositUnexpectedDataLength"
+      | "EvmTxDepositNoAbi"
+      | "EvmTxDepositNoDepositFunction"
+      | "EvmTxDepositUnexpectedFunctionName"
+      | "EvmTxDepositUnexpectedValidatorKey"
+      | "EvmTxDepositInvalidValidatorKey"
+      | "EvmTxDepositMissingDepositArg"
+      | "EvmTxDepositWrongDepositArgType"
+      | "EvmTxDepositWrongValidatorArgValue"
+      | "EvmTxDepositValidatorKeyNotInRole"
+      | "EvmTxDepositUnexpectedWithdrawalCredentials"
+      | "EvmTxDepositUnresolvedRole"
+      | "EvmTxDepositInvalidDepositEncoding";
     /** @description Sent from the client to the server to answer a fido challenge */
     FidoAssertAnswer: {
       /** @description The ID of the challenge that was returned from the POST endpoint */
@@ -1453,6 +1609,63 @@ export interface components {
        */
       name: string;
     };
+    /** @enum {string} */
+    ForbiddenErrorCode:
+      | "FidoRequiredToRemoveTotp"
+      | "MfaChallengeExpired"
+      | "ChainIdNotAllowed"
+      | "InvalidOrg"
+      | "SessionForWrongOrg"
+      | "OrgDisabled"
+      | "OrgNotFound"
+      | "OrgWithoutOwner"
+      | "OrphanedUser"
+      | "OidcUserNotFound"
+      | "UserNotInOrg"
+      | "UserNotOrgOwner"
+      | "UserNotKeyOwner"
+      | "InvalidRole"
+      | "DisabledRole"
+      | "KeyDisabled"
+      | "RoleNotInOrg"
+      | "KeyNotInRole"
+      | "KeyNotInOrg"
+      | "UserExportRequestNotInOrg"
+      | "UserExportRequestInvalid"
+      | "UserNotOriginalKeyOwner"
+      | "UserNotInRole"
+      | "MustBeFullMember"
+      | "SessionExpired"
+      | "SessionRevoked"
+      | "ExpectedUserSession"
+      | "SessionRoleChanged"
+      | "ScopedNameNotFound"
+      | "SessionInvalidEpochToken"
+      | "SessionInvalidRefreshToken"
+      | "SessionRefreshTokenExpired"
+      | "InvalidAuthHeader"
+      | "SessionNotFound"
+      | "InvalidArn"
+      | "SessionInvalidAuthToken"
+      | "SessionAuthTokenExpired"
+      | "SessionPossiblyStolenToken"
+      | "MfaDisallowedIdentity"
+      | "MfaDisallowedApprover"
+      | "MfaTypeNotAllowed"
+      | "MfaNotApprovedYet"
+      | "MfaConfirmationCodeMismatch"
+      | "MfaHttpRequestMismatch"
+      | "MfaRemoveBelowMin"
+      | "TotpAlreadyConfigured"
+      | "TotpConfigurationChanged"
+      | "MfaTotpBadConfiguration"
+      | "MfaTotpBadCode"
+      | "MfaTotpRateLimit"
+      | "ImproperSessionScope"
+      | "FullSessionRequired"
+      | "SessionWithoutAnyScopeUnder"
+      | "UserRoleUnprivileged"
+      | "MfaNotConfigured";
     /**
      * @description Specifies a fork of the `BeaconChain`, to prevent replay attacks.
      * The schema of `Fork` is defined in the [Beacon chain
@@ -1587,9 +1800,14 @@ export interface components {
        * @description The email associated with the user
        * @example user@email.com
        */
-      email: string;
+      email?: string | null;
       exp_epoch: components["schemas"]["EpochDateTime"];
       identity?: components["schemas"]["OIDCIdentity"] | null;
+      /**
+       * @description The username (if any) associated with the user
+       * @example cubistdev
+       */
+      preferred_username?: string | null;
       user_info?: components["schemas"]["CubeSignerUserInfo"] | null;
     } & {
       /** @description An opaque identifier for the proof */
@@ -1617,6 +1835,60 @@ export interface components {
        */
       salt: string;
     };
+    /** @enum {string} */
+    InternalErrorCode:
+      | "SystemTimeError"
+      | "ReqwestError"
+      | "DbQueryError"
+      | "DbGetError"
+      | "DbDeleteError"
+      | "DbPutError"
+      | "DbUpdateError"
+      | "SerdeError"
+      | "TestAndSetError"
+      | "DbGetItemsError"
+      | "DbWriteError"
+      | "CubistSignerError"
+      | "CwPutMetricDataError"
+      | "KmsGenerateRandomError"
+      | "MalformedTotpBytes"
+      | "KmsGenerateRandomNoResponseError"
+      | "CreateKeyError"
+      | "ParseDerivationPathError"
+      | "SplitSignerError"
+      | "CreateImportKeyError"
+      | "CognitoDeleteUserError"
+      | "CognitoListUsersError"
+      | "CognitoGetUserError"
+      | "MissingUserEmail"
+      | "CognitoResendUserInvitation"
+      | "CognitoSetUserPasswordError"
+      | "GenericInternalError"
+      | "OidcAuthWithoutOrg"
+      | "MissingKeyMetadata"
+      | "KmsKeyWithoutId"
+      | "KmsEnableKeyError"
+      | "KmsDisableKeyError"
+      | "SerializeEncryptedExportKeyError"
+      | "DeserializeEncryptedExportKeyError"
+      | "ReEncryptUserExport"
+      | "S3UploadError"
+      | "S3DownloadError"
+      | "ManagedStateMissing"
+      | "InternalHeaderMissing"
+      | "InvalidInternalHeaderValue"
+      | "RequestLocalStateAlreadySet"
+      | "OidcOrgMismatch"
+      | "OrphanedRoleKeyId"
+      | "OidcIssuerJwkEndpointUnavailable"
+      | "OidcIssuerInvalidJwk"
+      | "InvalidPkForMaterialId"
+      | "UncheckedOrg"
+      | "AvaSignCredsMissing"
+      | "AvaSignSignatureMissing"
+      | "ExpectedRoleSession"
+      | "InvalidThirdPartyIdentity"
+      | "CognitoGetUser";
     InviteRequest: {
       /**
        * @description The user's email address
@@ -1775,6 +2047,11 @@ export interface components {
        * ]
        */
       policy?: Record<string, never>[];
+      /**
+       * @description Role ID
+       * @example Role#e427c28a-9c5b-49cc-a257-878aea58a22c
+       */
+      role_id: string;
     };
     KeyInfo: {
       derivation_info?: components["schemas"]["KeyDerivationInfo"] | null;
@@ -1894,6 +2171,8 @@ export interface components {
         },
       ]
     >;
+    /** @enum {string} */
+    MfaVote: "approve" | "reject";
     /**
      * @description Network name ('mainnet', 'prater', 'goerli')
      * @example goerli
@@ -1915,14 +2194,21 @@ export interface components {
        */
       token: string;
     };
+    /** @enum {string} */
+    NotFoundErrorCode:
+      | "UriSegmentMissing"
+      | "UriSegmentInvalid"
+      | "TotpNotConfigured"
+      | "FidoKeyNotFound"
+      | "FidoChallengeNotFound"
+      | "TotpChallengeNotFound"
+      | "UserExportRequestNotFound"
+      | "UserExportCiphertextNotFound";
     /**
      * @description Represents a globally unique OIDC-authorized user by expressing the full "path" to a user. That is:
      *
      * (iss)       (sub)
      * Issuer -> Subresource
-     *
-     * We include a non-standard third-tier `disambiguator` which allows us to map
-     * a single OIDC user to multiple `User`s in CubeSigner
      */
     OIDCIdentity: {
       /**
@@ -2043,6 +2329,21 @@ export interface components {
        */
       "page.start"?: string | null;
     };
+    /**
+     * @description Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`
+     * value (which can the user pass back to use as a url query parameter to continue pagination).
+     */
+    PaginatedListKeyRolesResponse: {
+      /** @description All roles the key is in */
+      roles: components["schemas"]["KeyInRoleInfo"][];
+    } & {
+      /**
+       * @description If set, the content of `response` does not contain the entire result set.
+       * To fetch the next page of the result set, call the same endpoint
+       * but specify this value as the 'page.start' query parameter.
+       */
+      last_evaluated_key?: string | null;
+    };
     /**
      * @description Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`
      * value (which can the user pass back to use as a url query parameter to continue pagination).
@@ -2131,6 +2432,42 @@ export interface components {
        */
       last_evaluated_key?: string | null;
     };
+    PolicyErrorCode:
+      | components["schemas"]["PolicyErrorOwnCodes"]
+      | components["schemas"]["EvmTxDepositErrorCode"];
+    /** @enum {string} */
+    PolicyErrorOwnCodes:
+      | "EvmTxReceiverMismatch"
+      | "EvmTxSenderMismatch"
+      | "PolicyDisjunctionError"
+      | "PolicyNegationError"
+      | "Eth2ExceededMaxUnstake"
+      | "Eth2ConcurrentUnstaking"
+      | "NotInIpv4Allowlist"
+      | "NotInOriginAllowlist"
+      | "InvalidSourceIp"
+      | "RawSigningNotAllowed"
+      | "Eip712SigningNotAllowed"
+      | "OidcSourceNotAllowed"
+      | "NoOidcAuthSourcesDefined"
+      | "AddKeyToRoleDisallowed"
+      | "KeysAlreadyInRole"
+      | "KeyInMultipleRoles"
+      | "KeyAccessError"
+      | "Eip191SigningNotAllowed";
+    PreconditionErrorCode:
+      | components["schemas"]["PreconditionErrorOwnCodes"]
+      | components["schemas"]["PolicyErrorCode"];
+    /** @enum {string} */
+    PreconditionErrorOwnCodes:
+      | "Eth2ProposerSlotTooLow"
+      | "Eth2AttestationSourceEpochTooLow"
+      | "Eth2AttestationTargetEpochTooLow"
+      | "Eth2ConcurrentBlockSigning"
+      | "Eth2ConcurrentAttestationSigning"
+      | "Eth2MultiDepositToNonGeneratedKey"
+      | "Eth2MultiDepositUnknownInitialDeposit"
+      | "Eth2MultiDepositWithdrawalAddressMismatch";
     /**
      * @description This type represents a wire-encodable form of the PublicKeyCredential interface
      * Clients may need to manually encode into this format to communicate with the server
@@ -2554,6 +2891,18 @@ export interface components {
       /** @description The list of sessions */
       sessions: components["schemas"]["SessionInfo"][];
     };
+    SignerErrorCode:
+      | components["schemas"]["SignerErrorOwnCodes"]
+      | components["schemas"]["AcceptedValueCode"]
+      | components["schemas"]["BadRequestErrorCode"]
+      | components["schemas"]["BadGatewayErrorCode"]
+      | components["schemas"]["NotFoundErrorCode"]
+      | components["schemas"]["ForbiddenErrorCode"]
+      | components["schemas"]["UnauthorizedErrorCode"]
+      | components["schemas"]["PreconditionErrorCode"]
+      | components["schemas"]["InternalErrorCode"];
+    /** @enum {string} */
+    SignerErrorOwnCodes: "UnhandledError" | "ProxyStartError" | "EnclaveError";
     /**
      * @example {
      *   "message_base64": "AQABA8OKVzLEjststN4xXr39kLKHT8d58eQY1QEs6MeXwEFBrxTAlULX1troLbWxuAXQqgbQofGi6z8fJi7KAAIf7YMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJK0tn39k28s+X86W47EvbRRKnYBVQ8Q/l2m1EbfT7+vAQICAAEMAgAAAGQAAAAAAAAA"
@@ -2631,6 +2980,21 @@ export interface components {
       /** @description Tokens purpose */
       purpose: string;
     };
+    /**
+     * @description OAuth2 standard Token Response.
+     *
+     * https://datatracker.ietf.org/doc/html/rfc6749#section-4.2.2
+     */
+    TokenResponse: {
+      /** @description The access token issued by the authorization server. */
+      access_token: string;
+      expires_in: components["schemas"]["Seconds"];
+      /** @description An OIDC token issued by Cubist, containing user information */
+      id_token?: string;
+      /** @description The type of the token issued. Value is case insensitive. */
+      token_type: string;
+      [key: string]: unknown;
+    };
     TotpApproveRequest: {
       /** @description TOTP verification code */
       code: string;
@@ -2659,6 +3023,12 @@ export interface components {
       /** @description The name of the issuer; defaults to "Cubist". */
       issuer?: string | null;
     };
+    /** @enum {string} */
+    UnauthorizedErrorCode:
+      | "ClaimsHeaderMissing"
+      | "ClaimsParseError"
+      | "OidcIdentityHeaderMissing"
+      | "OidcIdentityParseError";
     /** @description Options that should be set only for local devnet testing. */
     UnsafeConf: {
       /**
@@ -2974,12 +3344,20 @@ export interface components {
       user_id: string;
     };
     UserInfo: {
-      /** @example alice@example.com */
+      /**
+       * @description Optional email
+       * @example alice@example.com
+       */
       email: string;
       /** @description All multi-factor authentication methods configured for this user */
       mfa: components["schemas"]["ConfiguredMfa"][];
       /** @description MFA policy, applies before logging in and other sensitive operations */
       mfa_policy?: unknown;
+      /**
+       * @description Optional name
+       * @example Alice
+       */
+      name?: string | null;
       /**
        * @description All organizations the user belongs to
        * @example [
@@ -3183,9 +3561,14 @@ export interface components {
            * @description The email associated with the user
            * @example user@email.com
            */
-          email: string;
+          email?: string | null;
           exp_epoch: components["schemas"]["EpochDateTime"];
           identity?: components["schemas"]["OIDCIdentity"] | null;
+          /**
+           * @description The username (if any) associated with the user
+           * @example cubistdev
+           */
+          preferred_username?: string | null;
           user_info?: components["schemas"]["CubeSignerUserInfo"] | null;
         } & {
           /** @description An opaque identifier for the proof */
@@ -3405,6 +3788,21 @@ export interface components {
         };
       };
     };
+    PaginatedListKeyRolesResponse: {
+      content: {
+        "application/json": {
+          /** @description All roles the key is in */
+          roles: components["schemas"]["KeyInRoleInfo"][];
+        } & {
+          /**
+           * @description If set, the content of `response` does not contain the entire result set.
+           * To fetch the next page of the result set, call the same endpoint
+           * but specify this value as the 'page.start' query parameter.
+           */
+          last_evaluated_key?: string | null;
+        };
+      };
+    };
     PaginatedListKeysResponse: {
       content: {
         "application/json": {
@@ -3604,6 +4002,25 @@ export interface components {
         };
       };
     };
+    /**
+     * @description OAuth2 standard Token Response.
+     *
+     * https://datatracker.ietf.org/doc/html/rfc6749#section-4.2.2
+     */
+    TokenResponse: {
+      content: {
+        "application/json": {
+          /** @description The access token issued by the authorization server. */
+          access_token: string;
+          expires_in: components["schemas"]["Seconds"];
+          /** @description An OIDC token issued by Cubist, containing user information */
+          id_token?: string;
+          /** @description The type of the token issued. Value is case insensitive. */
+          token_type: string;
+          [key: string]: unknown;
+        };
+      };
+    };
     TotpInfo: {
       content: {
         "application/json": {
@@ -3722,12 +4139,20 @@ export interface components {
     UserInfo: {
       content: {
         "application/json": {
-          /** @example alice@example.com */
+          /**
+           * @description Optional email
+           * @example alice@example.com
+           */
           email: string;
           /** @description All multi-factor authentication methods configured for this user */
           mfa: components["schemas"]["ConfiguredMfa"][];
           /** @description MFA policy, applies before logging in and other sensitive operations */
           mfa_policy?: unknown;
+          /**
+           * @description Optional name
+           * @example Alice
+           */
+          name?: string | null;
           /**
            * @description All organizations the user belongs to
            * @example [
@@ -4362,6 +4787,51 @@ export interface operations {
       };
     };
   };
+  /**
+   * List Key Roles
+   * @description List Key Roles
+   *
+   * Get all roles the key is in
+   */
+  listKeyRoles: {
+    parameters: {
+      query?: {
+        /**
+         * @description Max number of items to return per page.
+         *
+         * If the actual number of returned items may be less that this, even if there exist more
+         * data in the result set. To reliably determine if more data is left in the result set,
+         * inspect the [UnencryptedLastEvalKey] value in the response object.
+         */
+        "page.size"?: number;
+        /**
+         * @description The start of the page.  Omit to start from the beginning; otherwise, only specify a
+         * the exact value previously returned as 'last_evaluated_key' from the same endpoint.
+         */
+        "page.start"?: components["schemas"]["LastEvalKey"] | null;
+      };
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description ID of the desired Key
+         * @example Key#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        key_id: string;
+      };
+    };
+    responses: {
+      200: components["responses"]["PaginatedListKeyRolesResponse"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
   /**
    * List Pending MFA Requests
    * @description List Pending MFA Requests
@@ -4419,16 +4889,23 @@ export interface operations {
     };
   };
   /**
-   * Approve MFA Request
-   * @description Approve MFA Request
+   * Approve or Reject MFA Request
+   * @description Approve or Reject MFA Request
    *
-   * Approve request after logging in with CubeSigner. Adds the currently-logged user as an approver
+   * Approve or reject request after logging in with CubeSigner.
+   *
+   * If approving, adds the currently-logged user as an approver
    * of a pending MFA request of the [Status::RequiredApprovers] kind. If the required number of
    * approvers is reached, the MFA request is approved; the confirmation receipt can be used to
    * resume the original HTTP request.
+   *
+   * If rejecting, immediately deletes the pending MFA request.
    */
-  mfaApproveCs: {
+  mfaVoteCs: {
     parameters: {
+      query?: {
+        mfa_vote?: components["schemas"]["MfaVote"] | null;
+      };
       path: {
         /**
          * @description Name or ID of the desired Org
@@ -4452,12 +4929,12 @@ export interface operations {
     };
   };
   /**
-   * Initiate Approving an MFA Request with FIDO
-   * @description Initiate Approving an MFA Request with FIDO
+   * Initiate a FIDO MFA Approval/Rejection
+   * @description Initiate a FIDO MFA Approval/Rejection
    *
-   * Initiates the approval process of an MFA Request using FIDO.
+   * Initiates the approval/rejection process of an MFA Request using FIDO.
    */
-  mfaApproveFido: {
+  mfaFidoInit: {
     parameters: {
       path: {
         /**
@@ -4482,16 +4959,20 @@ export interface operations {
     };
   };
   /**
-   * Finalize a FIDO MFA Approval
-   * @description Finalize a FIDO MFA Approval
-   *
-   * Adds an approver to a pending MFA request.
+   * Finalize a FIDO MFA Approval/Rejection
+   * @description Finalize a FIDO MFA Approval/Rejection
    *
+   * If approving, adds an approver to a pending MFA request.
    * If the required number of approvers is reached, the MFA request is approved;
    * the confirmation receipt can be used to resume the original HTTP request.
+   *
+   * If rejecting, immediately deletes the pending MFA request.
    */
-  mfaApproveFidoComplete: {
+  mfaVoteFidoComplete: {
     parameters: {
+      query?: {
+        mfa_vote?: components["schemas"]["MfaVote"] | null;
+      };
       path: {
         /**
          * @description Name or ID of the desired Org
@@ -4520,16 +5001,20 @@ export interface operations {
     };
   };
   /**
-   * Approve a TOTP MFA Request
-   * @description Approve a TOTP MFA Request
+   * Approve/Reject a TOTP MFA Request
+   * @description Approve/Reject a TOTP MFA Request
    *
-   * Adds the current user as approver to a pending MFA request by providing TOTP code.
+   * If approving, adds the current user as approver to a pending MFA request by
+   * providing TOTP code. If the required number of approvers is reached, the MFA request is
+   * approved; the confirmation receipt can be used to resume the original HTTP request.
    *
-   * If the required number of approvers is reached, the MFA request is approved;
-   * the confirmation receipt can be used to resume the original HTTP request.
+   * If rejecting, immediately deletes the pending MFA request.
    */
-  mfaApproveTotp: {
+  mfaVoteTotp: {
     parameters: {
+      query?: {
+        mfa_vote?: components["schemas"]["MfaVote"] | null;
+      };
       path: {
         /**
          * @description Name or ID of the desired Org
@@ -4557,6 +5042,44 @@ export interface operations {
       };
     };
   };
+  /**
+   * Mint an OIDC ID token for Twitter
+   * @description Mint an OIDC ID token for Twitter
+   *
+   * This function acts identically to Twitter's [`oauth2/token`](https://developer.twitter.com/en/docs/authentication/api-reference/token) endpoint,
+   * but extends the output with an `id_token`.
+   *
+   * This `id_token` can then be used with any CubeSigner endpoint that requires an OIDC token.
+   *
+   * > [!IMPORTANT]
+   * > This endpoint will fail unless the org is configured to allow the issuer `https://shim.oauth2.cubist.dev/twitter` and client ID being used for Twitter.
+   */
+  oauth2Twitter: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": {
+          [key: string]: string;
+        };
+      };
+    };
+    responses: {
+      200: components["responses"]["TokenResponse"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
   /**
    * Login with OIDC
    * @description Login with OIDC
@@ -5082,6 +5605,35 @@ export interface operations {
       };
     };
   };
+  /**
+   * Remove User
+   * @description Remove User
+   *
+   * Removes an existing user from an existing role.
+   * Only users in the role or org owners can remove users from a role.
+   */
+  removeUserFromRole: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description Name or ID of the desired Role
+         * @example Role#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        role_id: string;
+        /**
+         * @description ID of the desired User
+         * @example User#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        user_id: string;
+      };
+    };
+    responses: {};
+  };
   /**
    * List sessions
    * @description List sessions