@cubist-labs/cubesigner-sdk 0.3.27 → 0.3.29

package/src/schema.ts

@@ -38,26 +38,69 @@ export interface paths {
      */
     patch: operations["updateOrg"];
   };
+  "/v0/org/{org_id}/ava/sign/{ava_chain}/{pubkey}": {
+    /**
+     * Sign a serialized Avalanche C/X/P-Chain Message
+     * @description Sign a serialized Avalanche C/X/P-Chain Message
+     *
+     * Signs an Avalanche message with a given SecpEth (C-Chain messages) or
+     * SecpAva (X- and P-Chain messages) key. Currently signing C-Chain messages
+     * with SecpEth key must also be explicitly allowed via `AllowRawBlobSigning`
+     * policy.
+     *
+     * This is a pre-release feature.
+     */
+    post: operations["avaSerializedTxSign"];
+  };
   "/v0/org/{org_id}/ava/sign/{pubkey}": {
     /**
-     * Sign Avalanche X- or P-Chain Message
-     * @description Sign Avalanche X- or P-Chain Message
+     * Sign JSON-encoded Avalanche X- or P-Chain Message
+     * @description Sign JSON-encoded Avalanche X- or P-Chain Message
      *
      * Signs an Avalanche message with a given SecpAva key.
      * This is a pre-release feature.
      */
     post: operations["avaSign"];
   };
+  "/v0/org/{org_id}/babylon/eots/nonces/{pubkey}": {
+    /**
+     * Create EOTS nonces
+     * @description Create EOTS nonces
+     *
+     * Generates a set of Babylon EOTS nonces for a specified chain-id, starting at a
+     * specified block height.
+     */
+    post: operations["createEotsNonces"];
+  };
+  "/v0/org/{org_id}/babylon/eots/sign/{pubkey}": {
+    /**
+     * Create an EOTS signature
+     * @description Create an EOTS signature
+     *
+     * Generates an EOTS signature for the specified chain-id, block height, and message.
+     */
+    post: operations["eotsSign"];
+  };
   "/v0/org/{org_id}/btc/sign/{pubkey}": {
     /**
-     * Sign Bitcoin Transaction
-     * @description Sign Bitcoin Transaction
+     * Sign Bitcoin Segwit Transaction
+     * @description Sign Bitcoin Segwit Transaction
      *
-     * Signs a Bitcoin transaction with a given key.
+     * Signs a Bitcoin Segwit transaction with a given key.
      * This is a pre-release feature.
      */
     post: operations["btcSign"];
   };
+  "/v0/org/{org_id}/btc/taproot/sign/{pubkey}": {
+    /**
+     * Sign Bitcoin Taproot Transaction
+     * @description Sign Bitcoin Taproot Transaction
+     *
+     * Signs a Bitcoin Taproot transaction with a given key.
+     * This is a pre-release feature.
+     */
+    post: operations["btcTaprootSign"];
+  };
   "/v0/org/{org_id}/derive_key": {
     /**
      * Derive Key From Long-Lived Mnemonic
@@ -68,6 +111,9 @@ export interface paths {
      */
     put: operations["deriveKey"];
   };
+  "/v0/org/{org_id}/emails/otp": {
+    put: operations["setEmailOtp"];
+  };
   "/v0/org/{org_id}/evm/eip191/sign/{pubkey}": {
     /**
      * Sign EIP-191 Data
@@ -86,6 +132,23 @@ export interface paths {
      */
     post: operations["eip712Sign"];
   };
+  "/v0/org/{org_id}/identity": {
+    /**
+     * List associated OIDC identities with the current user.
+     * @description List associated OIDC identities with the current user.
+     */
+    get: operations["listOidcIdentities"];
+    /**
+     * Associate an OIDC identity with the current user in org <session.org>.
+     * @description Associate an OIDC identity with the current user in org <session.org>.
+     */
+    post: operations["addOidcIdentity"];
+    /**
+     * Remove an OIDC identity from the current user's account in org <session.org>.
+     * @description Remove an OIDC identity from the current user's account in org <session.org>.
+     */
+    delete: operations["removeOidcIdentity"];
+  };
   "/v0/org/{org_id}/identity/prove": {
     /**
      * Create [IdentityProof] from CubeSigner user session
@@ -181,14 +244,20 @@ export interface paths {
      * @description Delete Key
      *
      * Deletes a key specified by its ID.
+     *
      * Only the key owner and org owners are allowed to delete keys.
+     * Additionally, the role's edit policy (if set) must permit the update.
      */
     delete: operations["deleteKey"];
     /**
      * Update Key
      * @description Update Key
      *
-     * Enable or disable a key.  The user must be the owner of the key or organization to perform this action.
+     * Enable or disable a key.  The user must be the owner of the key or
+     * organization to perform this action.
+     *
+     * For each requested update, the session must have the corresponding 'manage:key:update:_' scope;
+     * if no updates are requested, the session must have 'manage:key:get'.
      */
     patch: operations["updateKey"];
   };
@@ -296,6 +365,23 @@ export interface paths {
      */
     post: operations["oidcAuth"];
   };
+  "/v0/org/{org_id}/oidc/email-otp": {
+    /**
+     * Initiate login via email token
+     * @description Initiate login via email token
+     *
+     * This endpoint sends an email to the provided address with an OIDC token encrypted with AES-GCM.
+     * The decryption parameters are returned immediately in the response.
+     * Once that token is decrypted, it can be used with the standard OIDC authentication flows
+     *
+     *
+     * > [!IMPORTANT]
+     * > For this endpoint to succeed, the org must be configured to:
+     * > 1. Allow the issuer `https://shim.oauth2.cubist.dev/email-otp` and client ID being the Org ID
+     * > 2. Have an email sender configured for OTPs
+     */
+    post: operations["emailOtpAuth"];
+  };
   "/v0/org/{org_id}/roles": {
     /**
      * List Roles
@@ -326,7 +412,9 @@ export interface paths {
      * @description Delete Role
      *
      * Deletes a role in an organization.
+     *
      * Only users in the role can perform this action.
+     * Additionally, the role's edit policy (if set) must permit the update.
      */
     delete: operations["deleteRole"];
     /**
@@ -335,7 +423,9 @@ export interface paths {
      *
      * Enables or disables a role (this requires the `manage:role:update:enable` scope).
      * Updates the role's policies (this requires the `manage:role:update:policy` scope).
+     *
      * The user must be in the role or an owner of the organization.
+     * Additionally, the role's edit policy (if set) must permit the update.
      */
     patch: operations["updateRole"];
   };
@@ -345,6 +435,9 @@ export interface paths {
      * @description Add Keys
      *
      * Adds a list of existing keys to an existing role.
+     *
+     * Only the key owner can their key to a role.
+     * Additionally, the role's edit policy (if set) must permit the update.
      */
     put: operations["addKeysToRole"];
   };
@@ -354,7 +447,9 @@ export interface paths {
      * @description Add User
      *
      * Adds an existing user to an existing role.
-     * Only users in the role or owners can add users to a role.
+     *
+     * Only users in the role or org owners can add users to a role.
+     * Additionally, the role's edit policy (if set) must permit the update.
      */
     put: operations["addUserToRole"];
   };
@@ -372,7 +467,10 @@ export interface paths {
      * Remove Key
      * @description Remove Key
      *
-     * Removes a given key from a role
+     * Removes a given key from a role.
+     *
+     * Only users in the role or org owners can remove keys from a role.
+     * Additionally, the role's edit policy (if set) must permit the update.
      */
     delete: operations["removeKeyFromRole"];
   };
@@ -436,7 +534,9 @@ export interface paths {
      * @description Remove User
      *
      * Removes an existing user from an existing role.
+     *
      * Only users in the role or org owners can remove users from a role.
+     * Additionally, the role's edit policy (if set) must permit the update.
      */
     delete: operations["removeUserFromRole"];
   };
@@ -636,6 +736,22 @@ export interface paths {
      */
     delete: operations["deleteOidcUser"];
   };
+  "/v0/org/{org_id}/users/{user_id}": {
+    /**
+     * Remove a user from the org
+     * @description Remove a user from the org
+     */
+    delete: operations["deleteUser"];
+  };
+  "/v0/org/{org_id}/users/{user_id}/membership": {
+    /**
+     * Update a user's membership in the org
+     * @description Update a user's membership in the org
+     *
+     * Currently allows just enabling/disabling a user in the org.
+     */
+    patch: operations["updateUserMembership"];
+  };
   "/v0/user/me/fido": {
     /**
      * Initiate registration of a FIDO key
@@ -690,13 +806,19 @@ export interface paths {
      */
     post: operations["verifyTotpLegacy"];
   };
+  "/v0/user/orgs": {
+    /**
+     * Retrieves all the orgs the user is a part of
+     * @description Retrieves all the orgs the user is a part of
+     */
+    get: operations["userOrgs"];
+  };
   "/v1/org/{org_id}/blob/sign/{key_id}": {
     /**
      * Sign Raw Blob
      * @description Sign Raw Blob
      *
      * Signs an arbitrary blob with a given key.
-     * This is a pre-release feature.
      *
      * - ECDSA signatures are serialized as big-endian r and s plus recovery-id
      * byte v, which can in general take any of the values 0, 1, 2, or 3.
@@ -797,6 +919,10 @@ export interface components {
     };
     /** @enum {string} */
     AcceptedValueCode: "MfaRequired";
+    /** @description Request to add OIDC identity to an existing user account */
+    AddIdentityRequest: {
+      oidc_token: string;
+    };
     AddKeysToRoleRequest: {
       /**
        * @description A list of keys to add to a role
@@ -983,7 +1109,12 @@ export interface components {
      * @enum {string}
      */
     AuthenticatorTransport: "usb" | "nfc" | "ble" | "internal";
-    /** @description Request to sign an Avalanche transactions */
+    /** @description Request to sign a serialized Avalanche transaction */
+    AvaSerializedTxSignRequest: {
+      /** @description Serialized transaction to sign */
+      tx: string;
+    };
+    /** @description Request to sign an Avalanche transaction */
     AvaSignRequest: {
       /**
        * @description Transaction to sign.
@@ -1009,7 +1140,11 @@ export interface components {
     /** @description Wrapper around a zeroizing 32-byte fixed-size array */
     B32: string;
     /** @enum {string} */
-    BadGatewayErrorCode: "OAuthProviderError";
+    BadGatewayErrorCode:
+      | "OAuthProviderError"
+      | "OidcDisoveryFailed"
+      | "OidcIssuerJwkEndpointUnavailable"
+      | "SmtpServerUnavailable";
     /** @enum {string} */
     BadRequestErrorCode:
       | "GenericBadRequest"
@@ -1026,12 +1161,14 @@ export interface components {
       | "RoleNameTaken"
       | "AddKeyToRoleCountTooHigh"
       | "InvalidKeyId"
-      | "InvalidKeyMetadataLength"
-      | "InvalidKeyMetadata"
+      | "InvalidTimeLockAlreadyInThePast"
+      | "InvalidUpdate"
+      | "InvalidMetadataLength"
       | "InvalidKeyMaterialId"
       | "KeyNotFound"
       | "UserExportDerivedKey"
       | "UserExportPublicKeyInvalid"
+      | "UnableToAccessSmtpRelay"
       | "UserExportInProgress"
       | "RoleNotFound"
       | "InvalidMfaReceiptOrgIdMissing"
@@ -1070,14 +1207,19 @@ export interface components {
       | "AvaSignHashError"
       | "AvaSignError"
       | "BtcSegwitHashError"
+      | "BtcTaprootHashError"
       | "BtcSignError"
+      | "TaprootSignError"
       | "Eip712SignError"
       | "InvalidMemberRoleInUserAdd"
       | "ThirdPartyUserAlreadyExists"
+      | "OidcIdentityAlreadyExists"
       | "ThirdPartyUserNotFound"
       | "DeleteOidcUserError"
+      | "DeleteUserError"
       | "SessionRoleMismatch"
       | "InvalidOidcToken"
+      | "InvalidOidcIdentity"
       | "OidcIssuerUnsupported"
       | "OidcIssuerNotAllowed"
       | "OidcIssuerNoApplicableJwk"
@@ -1098,7 +1240,8 @@ export interface components {
       | "CannotDeletePendingSubscription"
       | "InvalidNotificationUrlProtocol"
       | "EmptyOneOfOrgEventFilter"
-      | "EmptyAllExceptOrgEventFilter";
+      | "EmptyAllExceptOrgEventFilter"
+      | "InvalidTapNodeHash";
     /**
      * @example {
      *   "message_base64": "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTYK"
@@ -1112,11 +1255,32 @@ export interface components {
        * the message. For example, Secp256k1 keys require that the message is 32 bytes long.
        */
       message_base64: string;
+      /**
+       * @description An optional tweak value for use *only* with Taproot keys. This field is ignored
+       * for all other key types.
+       *
+       * If this field is not present or null, no tweak is applied. If the field is an
+       * empty string, the key is tweaked with an unspendable script path per BIP0341.
+       * Otherwise, this field must contain a 32-byte, base-64 encoded hex string
+       * representing the Merkle root with which to tweak the key before signing.
+       * @example F41HAy2q5Gn8laF2CuMsZbRAQTmD+4Ob3VUMZ7TBGK4=
+       */
+      taproot_tweak?: string | null;
     };
     BlobSignResponse: {
       /** @description The hex-encoded signature. */
       signature: string;
     };
+    /** @description Leaf hash and code, as per BIP341 and https://github.com/rust-bitcoin/rust-bitcoin/blob/464202109d2b2c96e9b4867461bffe420dbd8177/bitcoin/src/crypto/sighash.rs#L691 */
+    BtcLeafHashCodeSeparator: {
+      /**
+       * Format: int32
+       * @description Code separator
+       */
+      code_separator: number;
+      /** @description Taproot-tagged hash with tag "TapLeaf". */
+      leaf_hash: string;
+    };
     /** @enum {string} */
     BtcSighashType:
       | "All"
@@ -1127,8 +1291,7 @@ export interface components {
       | "SinglePlusAnyoneCanPay";
     BtcSignRequest: {
       sig_kind: components["schemas"]["BtcSignatureKind"];
-      /** @description The bitcoin transaction to sign */
-      tx: Record<string, never>;
+      tx: components["schemas"]["BtcTx"];
     };
     BtcSignResponse: {
       /**
@@ -1159,6 +1322,16 @@ export interface components {
         value: number;
       };
     };
+    BtcTx: Record<string, never>;
+    BtcTxOut: {
+      /** @description The script which must be satisfied for the output to be spent. */
+      script_pubkey: string;
+      /**
+       * Format: int64
+       * @description The value of the output, in satoshis.
+       */
+      value: number;
+    };
     /** @description Describes how to derive a WebAuthn challenge value. */
     ChallengePieces: {
       /**
@@ -1192,6 +1365,30 @@ export interface components {
       /** @description Session ID */
       session_id: string;
     };
+    /** @description Fields that are common to different types of resources such as keys */
+    CommonFields: {
+      created?: components["schemas"]["EpochDateTime"] | null;
+      edit_policy?: components["schemas"]["EditPolicy"];
+      last_modified?: components["schemas"]["EpochDateTime"] | null;
+      /**
+       * @description User-defined metadata. When rendering (e.g., in the browser) you should treat
+       * it as untrusted user data (and avoid injecting metadata into HTML directly) if
+       * untrusted users can create/update keys (or their metadata).
+       */
+      metadata?: unknown;
+      /**
+       * Format: int64
+       * @description Version of this object
+       */
+      version?: number;
+    };
+    ConfigureEmailOtpRequest: {
+      auth: {
+        smtp: string;
+      };
+      /** @description The email address that OTP requests will come from */
+      sender: string;
+    };
     ConfiguredMfa:
       | {
           /** @enum {string} */
@@ -1206,11 +1403,12 @@ export interface components {
           type: "fido";
         };
     CreateAndUpdateKeyProperties: {
+      edit_policy?: components["schemas"]["EditPolicy"] | null;
       /**
-       * @description Set this key's metadata. Validation regex: ^[A-Za-z0-9_=+/ \-\.\,]{0,1024}$
-       * @example Contract admin key
+       * @description Set this key's metadata. If this value is `null`, the metadata is erased. If the field is
+       * missing, the metadata remains unchanged.
        */
-      metadata?: string | null;
+      metadata?: unknown;
       /**
        * @description Specify a user other than themselves to be the (potentially new) owner of the key.
        * The specified owner must be an existing user who is a member of the same org.
@@ -1374,6 +1572,10 @@ export interface components {
        */
       mnemonic_id: string;
     };
+    EditPolicy: {
+      mfa?: components["schemas"]["MfaPolicy"] | null;
+      time_lock_until?: components["schemas"]["EpochDateTime"] | null;
+    };
     Eip191Or712SignResponse: {
       /**
        * @description Hex-encoded signature comprising 65 bytes in the format required
@@ -1397,6 +1599,7 @@ export interface components {
      *     "domain": {
      *       "chainId": 1337,
      *       "name": "Ether Mail",
+     *       "salt": "0x0000000000000000000000000000000000000000000000000000000000000000",
      *       "verifyingContract": "0xCcCCccccCCCCcCCCCCCcCcCccCcCCCcCcccccccC",
      *       "version": "1"
      *     },
@@ -1436,6 +1639,10 @@ export interface components {
      *         {
      *           "name": "verifyingContract",
      *           "type": "address"
+     *         },
+     *         {
+     *           "name": "salt",
+     *           "type": "bytes32"
      *         }
      *       ],
      *       "Group": [
@@ -1485,11 +1692,95 @@ export interface components {
       /** @description EIP-712 typed data. Refer to the JSON schema defined in EIP-712. */
       typed_data: Record<string, never>;
     };
+    /** @description The request users send to initiate email OTP */
+    EmailOtpRequest: {
+      /** @description The email which will receive the OTP */
+      email: string;
+    };
+    /**
+     * @description The HTTP response to an email OTP request.
+     *
+     * Users receive an encrypted OIDC token in their email inbox.
+     * The values in this response can be used to decrypt that token
+     * using AES-GCM. This ensures that clients need *both* the emailed token
+     * and this response to complete OTP auth.
+     */
+    EmailOtpResponse: {
+      /**
+       * Format: binary
+       * @description Base64 URL encoded IV value for AES-GCM
+       */
+      iv: string;
+      /**
+       * Format: binary
+       * @description Base64 URL encoded key for AES-GCM
+       */
+      key: string;
+    };
     /** @default null */
     Empty: unknown;
     EmptyImpl: {
       status: string;
     };
+    /**
+     * @description Request to create a set of EOTS nonces for a specified chain-id, starting
+     * at a specified block height.
+     */
+    EotsCreateNonceRequest: {
+      /**
+       * @description The chain id for which the nonces will be used, as a hex string
+       * @example 0x11223344
+       */
+      chain_id: string;
+      /**
+       * Format: int32
+       * @description The number of nonces to generate
+       * @example 16
+       */
+      num: number;
+      /**
+       * @description The starting block height of the generated nonces (quoted decimal u64)
+       * @example 31337
+       */
+      start_height: string;
+    };
+    /** @description Response generated when creating EOTS nonces */
+    EotsCreateNonceResponse: {
+      /**
+       * @description The generated nonces as an array of 0x-prefixed hex strings
+       * @example [
+       *   "0xb393bf39e71a16d784853d58255a296222a99fd3c87aa7ca206c5230c188f1c7",
+       *   "0xe01936584b4f0c0e97f0d3018c4f9db2bf7de41395c6403a48fd0dff0ef7b40d"
+       * ]
+       */
+      nonces: string[];
+    };
+    /** @description Request for an EOTS signature on a specified message, chain-id, block-height triple */
+    EotsSignRequest: {
+      /**
+       * @description The block height for the signature (quoted decimal u64)
+       * @example 123456
+       */
+      block_height: string;
+      /**
+       * @description The chain id for the signature
+       * @example 0x11223344
+       */
+      chain_id: string;
+      /**
+       * @description The message to sign
+       * @example 0x5a2688faea09d42b9270fdb8de6fff6f192243a910ba66329073e12e0d0046a2
+       */
+      message: string;
+    };
+    /** @description Response to an EOTS signing request */
+    EotsSignResponse: {
+      /**
+       * @description The resulting signature, a hex-encoded 32-byte value
+       * @example 0xd9804c04a696b522472c53bd3a3c664c4c3085a017927e45ffaed711d1613700
+       */
+      signature: string;
+    };
     /**
      * @description Epoch is a quoted `uint64`.
      * @example 256
@@ -1642,10 +1933,15 @@ export interface components {
     /** @enum {string} */
     ForbiddenErrorCode:
       | "FidoRequiredToRemoveTotp"
+      | "EmailOtpNotConfigured"
       | "MfaChallengeExpired"
       | "ChainIdNotAllowed"
       | "InvalidOrg"
       | "SessionForWrongOrg"
+      | "SelfDelete"
+      | "SelfDisable"
+      | "UserHasNoMfa"
+      | "UserDisabled"
       | "OrgDisabled"
       | "OrgNotFound"
       | "OrgWithoutOwner"
@@ -1816,6 +2112,7 @@ export interface components {
       /** @description HTTP path of the request (including host or not?) */
       path: string;
     };
+    Id: string;
     /**
      * @description Proof that an end-user provided CubeSigner with a valid auth token
      * (either an OIDC token or a CubeSigner session token)
@@ -1870,6 +2167,7 @@ export interface components {
     InternalErrorCode:
       | "SystemTimeError"
       | "ReqwestError"
+      | "EmailConstructionError"
       | "DbQueryError"
       | "DbGetError"
       | "DbDeleteError"
@@ -1888,6 +2186,8 @@ export interface components {
       | "ParseDerivationPathError"
       | "SplitSignerError"
       | "CreateImportKeyError"
+      | "CreateEotsNoncesError"
+      | "EotsSignError"
       | "CognitoDeleteUserError"
       | "CognitoListUsersError"
       | "CognitoGetUserError"
@@ -1911,7 +2211,6 @@ export interface components {
       | "RequestLocalStateAlreadySet"
       | "OidcOrgMismatch"
       | "OrphanedRoleKeyId"
-      | "OidcIssuerJwkEndpointUnavailable"
       | "OidcIssuerInvalidJwk"
       | "InvalidPkForMaterialId"
       | "UncheckedOrg"
@@ -1925,7 +2224,8 @@ export interface components {
       | "SnsGetSubscriptionAttributesError"
       | "SnsSubscriptionAttributesMissing"
       | "SnsSetSubscriptionAttributesError"
-      | "SnsPublishBatchError";
+      | "SnsPublishBatchError"
+      | "InconsistentMultiValueTestAndSet";
     InviteRequest: {
       /**
        * @description The user's email address
@@ -2090,7 +2390,7 @@ export interface components {
        */
       role_id: string;
     };
-    KeyInfo: {
+    KeyInfo: components["schemas"]["CommonFields"] & {
       derivation_info?: components["schemas"]["KeyDerivationInfo"] | null;
       /** @description Whether the key is enabled (only enabled keys may be used for signing) */
       enabled: boolean;
@@ -2106,12 +2406,6 @@ export interface components {
        * @example 0x8e3484687e66cdd26cf04c3647633ab4f3570148
        */
       material_id: string;
-      /**
-       * @description User-defined metadata. When rendering (e.g., in the browser) you should treat
-       * it as untrusted user data (and avoid injecting metadata into HTML directly) if
-       * untrusted users can create/update keys (or their metadata).
-       */
-      metadata?: string;
       /**
        * @description Owner of the key
        * @example User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f
@@ -2162,7 +2456,10 @@ export interface components {
       | "Ed25519CardanoAddrVk"
       | "Ed25519StellarAddr"
       | "Mnemonic"
-      | "Stark";
+      | "Stark"
+      | "BabylonEots"
+      | "TaprootBtc"
+      | "TaprootBtcTest";
     /**
      * @description Wrapper around encrypted [UnencryptedLastEvalKey] bytes.
      *
@@ -2170,6 +2467,10 @@ export interface components {
      * so that they can pass this back to us as a url query parameter.
      */
     LastEvalKey: string;
+    /** @description Third-party identities associated with the user's account */
+    ListIdentitiesResponse: {
+      identities: components["schemas"]["OIDCIdentity"][];
+    };
     ListMfaResponse: {
       /** @description All pending MFA requests */
       mfa_requests: components["schemas"]["MfaRequestInfo"][];
@@ -2182,6 +2483,40 @@ export interface components {
      * @enum {string}
      */
     MemberRole: "Alien" | "Member" | "Owner";
+    /** @enum {string} */
+    MembershipStatus: "enabled" | "disabled";
+    /**
+     * @example {
+     *   "allowed_approvers": [
+     *     "User#fabc3f88-04e0-471b-9657-0ae12a3cd73e",
+     *     "User#d796c369-9974-473b-ab9e-e4a2418d2d07"
+     *   ],
+     *   "count": 2,
+     *   "lifetime": 900
+     * }
+     */
+    MfaPolicy: {
+      /** @description Users who are allowed to approve. If empty at creation time, default to the current user. */
+      allowed_approvers?: string[];
+      /** @description Allowed approval types. When omitted, defaults to any. */
+      allowed_mfa_types?: components["schemas"]["MfaType"][] | null;
+      /**
+       * Format: int32
+       * @description How many users to require to approve (defaults to 1).
+       */
+      count?: number;
+      lifetime?: components["schemas"]["Seconds"];
+      /**
+       * Format: int32
+       * @description How many auth factors to require per user (defaults to 1).
+       */
+      num_auth_factors?: number;
+      /**
+       * @description CubeSigner operations to which this policy should apply.
+       * When omitted, applies to all operations.
+       */
+      restricted_operations?: components["schemas"]["OperationKind"][] | null;
+    };
     /** @description Returned as a response from multiple routes (e.g., 'get mfa', 'approve mfa', 'approve totp'). */
     MfaRequestInfo: {
       expires_at: components["schemas"]["EpochDateTime"];
@@ -2231,6 +2566,8 @@ export interface components {
        */
       token: string;
     };
+    /** Format: binary */
+    NonceValue: string;
     /** @enum {string} */
     NotFoundErrorCode:
       | "UriSegmentMissing"
@@ -2265,7 +2602,7 @@ export interface components {
      */
     OIDCIdentity: {
       /**
-       * @description The root-level issuer who administrates this user. Frome the OIDC spec:
+       * @description The root-level issuer who administrates this user. From the OIDC spec:
        * Issuer Identifier for the Issuer of the response. The iss
        * value is a case sensitive URL using the https scheme that contains
        * scheme, host, and optionally, port number and path components and
@@ -2297,6 +2634,37 @@ export interface components {
       scopes: string[];
       tokens?: components["schemas"]["RatchetConfig"];
     };
+    /**
+     * @description All different kinds of sensitive operations
+     * @enum {string}
+     */
+    OperationKind:
+      | "AvaSign"
+      | "AvaChainTxSign"
+      | "BlobSign"
+      | "BtcSign"
+      | "TaprootSign"
+      | "Eip191Sign"
+      | "Eip712Sign"
+      | "EotsNonces"
+      | "EotsSign"
+      | "Eth1Sign"
+      | "Eth2Sign"
+      | "Eth2Stake"
+      | "Eth2Unstake"
+      | "SolanaSign";
+    OrgData: {
+      /**
+       * @description The id of the org
+       * @example Org#123...
+       */
+      org_id: string;
+      /**
+       * @description The human-readable name for the org
+       * @example my_org_name
+       */
+      org_name?: string | null;
+    };
     /**
      * @description Auto-generated discriminant enum variants
      * @enum {string}
@@ -2564,7 +2932,8 @@ export interface components {
       | "KeysAlreadyInRole"
       | "KeyInMultipleRoles"
       | "KeyAccessError"
-      | "Eip191SigningNotAllowed";
+      | "Eip191SigningNotAllowed"
+      | "TimeLocked";
     PreconditionErrorCode:
       | components["schemas"]["PreconditionErrorOwnCodes"]
       | components["schemas"]["PolicyErrorCode"];
@@ -2578,6 +2947,30 @@ export interface components {
       | "Eth2MultiDepositToNonGeneratedKey"
       | "Eth2MultiDepositUnknownInitialDeposit"
       | "Eth2MultiDepositWithdrawalAddressMismatch";
+    /** @description Contains outputs of previous transactions. */
+    PrevOutputs: OneOf<
+      [
+        {
+          /**
+           * @description `One` variant allows provision of the single previous output needed. It's useful,
+           * for example, when modifier `SIGHASH_ANYONECANPAY` is provided, only previous output
+           * of the current input is needed. The first `index` argument is the input index
+           * this output is referring to.
+           */
+          One: {
+            index: number;
+            tx_out: components["schemas"]["BtcTxOut"];
+          };
+        },
+        {
+          /**
+           * @description When `SIGHASH_ANYONECANPAY` is not provided, or when the caller is giving all
+           * previous outputs so the same variable can be used for multiple inputs.
+           */
+          All: components["schemas"]["BtcTxOut"][];
+        },
+      ]
+    >;
     /**
      * @description This type represents a wire-encodable form of the PublicKeyCredential interface
      * Clients may need to manually encode into this format to communicate with the server
@@ -2941,7 +3334,7 @@ export interface components {
       /** @description Tokens that were revoked. */
       revoked: components["schemas"]["TokenInfo"][];
     };
-    RoleInfo: {
+    RoleInfo: components["schemas"]["CommonFields"] & {
       /**
        * @description Whether the role is enabled
        * @example true
@@ -3089,6 +3482,49 @@ export interface components {
      * @enum {string}
      */
     SubscriptionStatus: "Confirmed" | "Pending";
+    TaprootSignRequest: {
+      sig_kind: components["schemas"]["TaprootSignatureKind"];
+      tx: components["schemas"]["BtcTx"];
+    };
+    TaprootSignResponse: {
+      /**
+       * @description The 64-byte signature, encoded as defined in BIP0340.
+       * @example 0x14110b79e65f90f70cd3ff5adf29bed9c9fcc035772240990fb51d25a10c9667669bba0c3b335163f65d1b9d8569cf22dd8210084cd24d83cc4bb396d979e10d
+       */
+      signature: string;
+    };
+    TaprootSignatureKind: {
+      /** @description Optional annex, as per BIP341 */
+      annex?: string | null;
+      /**
+       * @description Transaction input index
+       * @example 0
+       */
+      input_index: number;
+      leaf_hash_code_separator?: components["schemas"]["BtcLeafHashCodeSeparator"] | null;
+      /**
+       * @description If this field is not present or null, no tweak is applied. If the field is an
+       * empty string, the key is tweaked with an unspendable script path per BIP0341.
+       * Otherwise, this field must contain a 32-byte, base-64 encoded hex string
+       * representing the Merkle root with which to tweak the key before signing.
+       * @example F41HAy2q5Gn8laF2CuMsZbRAQTmD+4Ob3VUMZ7TBGK4=
+       */
+      merkle_root?: string | null;
+      prevouts: components["schemas"]["PrevOutputs"];
+      /**
+       * @description Hash type of an input's signature, encoded in the last byte of the signature.
+       * Possible values:
+       * - SIGHASH_ALL
+       * - SIGHASH_ALL|SIGHASH_ANYONECANPAY
+       * - SIGHASH_DEFAULT
+       * - SIGHASH_NONE
+       * - SIGHASH_NONE|SIGHASH_ANYONECANPAY
+       * - SIGHASH_SINGLE
+       * - SIGHASH_SINGLE|SIGHASH_ANYONECANPAY
+       * @example SIGHASH_ALL
+       */
+      sighash_type: string;
+    };
     TokenInfo: {
       /** @description Session ID. Use it to revoke a session. Cannot be used for auth. */
       hash: string;
@@ -3212,6 +3648,11 @@ export interface components {
        * Once disabled, a key cannot be used for signing.
        */
       enabled?: boolean | null;
+      /**
+       * Format: int64
+       * @description If set, updating the metadata only succeeds if the version matches this value.
+       */
+      version?: number | null;
     };
     UpdateOrgRequest: {
       /** @description If set, update this org's `enabled` field to this value. */
@@ -3356,6 +3797,7 @@ export interface components {
       user_export_window?: number | null;
     };
     UpdateRoleRequest: {
+      edit_policy?: components["schemas"]["EditPolicy"] | null;
       /**
        * @description If set, updates the role's `enabled` property to this value.
        * Once disabled, a role cannot be used; and it's tokens cannot be used for signing.
@@ -3374,6 +3816,11 @@ export interface components {
        */
       policy?: Record<string, never>[] | null;
     };
+    /** @description Request to update an existing user */
+    UpdateUserMembershipRequest: {
+      /** @description Enable or disable user */
+      disabled?: boolean | null;
+    };
     /** @description A request to complete a user export */
     UserExportCompleteRequest: {
       /**
@@ -3469,10 +3916,10 @@ export interface components {
     };
     UserInOrgInfo: {
       /**
-       * @description The user's email
+       * @description The user's email (optional)
        * @example alice@example.com
        */
-      email: string;
+      email?: string | null;
       /**
        * @description The id of the user
        * @example User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f
@@ -3481,6 +3928,7 @@ export interface components {
       membership: components["schemas"]["MemberRole"];
       /** @description Optional user name. */
       name?: string | null;
+      status: components["schemas"]["MembershipStatus"];
     };
     /**
      * @description Information about a user's membership in an organization
@@ -3493,6 +3941,7 @@ export interface components {
        * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
        */
       org_id: string;
+      status: components["schemas"]["MembershipStatus"];
     };
     UserInRoleInfo: {
       user_id: string;
@@ -3502,7 +3951,7 @@ export interface components {
        * @description Optional email
        * @example alice@example.com
        */
-      email: string;
+      email?: string | null;
       /** @description All multi-factor authentication methods configured for this user */
       mfa: components["schemas"]["ConfiguredMfa"][];
       /** @description MFA policy, applies before logging in and other sensitive operations */
@@ -3528,6 +3977,11 @@ export interface components {
        */
       user_id: string;
     };
+    /** @description The response to the user/orgs endpoint */
+    UserOrgsResponse: {
+      /** @description The list of orgs this user is a member of */
+      orgs: components["schemas"]["OrgData"][];
+    };
     /**
      * @description A WebAuthn Relying Party may require user verification for some of its
      * operations but not for others, and may use this type to express its needs.
@@ -3640,6 +4094,30 @@ export interface components {
         };
       };
     };
+    /**
+     * @description The HTTP response to an email OTP request.
+     *
+     * Users receive an encrypted OIDC token in their email inbox.
+     * The values in this response can be used to decrypt that token
+     * using AES-GCM. This ensures that clients need *both* the emailed token
+     * and this response to complete OTP auth.
+     */
+    EmailOtpResponse: {
+      content: {
+        "application/json": {
+          /**
+           * Format: binary
+           * @description Base64 URL encoded IV value for AES-GCM
+           */
+          iv: string;
+          /**
+           * Format: binary
+           * @description Base64 URL encoded key for AES-GCM
+           */
+          key: string;
+        };
+      };
+    };
     EmptyImpl: {
       content: {
         "application/json": {
@@ -3647,6 +4125,33 @@ export interface components {
         };
       };
     };
+    /** @description Response generated when creating EOTS nonces */
+    EotsCreateNonceResponse: {
+      content: {
+        "application/json": {
+          /**
+           * @description The generated nonces as an array of 0x-prefixed hex strings
+           * @example [
+           *   "0xb393bf39e71a16d784853d58255a296222a99fd3c87aa7ca206c5230c188f1c7",
+           *   "0xe01936584b4f0c0e97f0d3018c4f9db2bf7de41395c6403a48fd0dff0ef7b40d"
+           * ]
+           */
+          nonces: string[];
+        };
+      };
+    };
+    /** @description Response to an EOTS signing request */
+    EotsSignResponse: {
+      content: {
+        "application/json": {
+          /**
+           * @description The resulting signature, a hex-encoded 32-byte value
+           * @example 0xd9804c04a696b522472c53bd3a3c664c4c3085a017927e45ffaed711d1613700
+           */
+          signature: string;
+        };
+      };
+    };
     Eth1SignResponse: {
       content: {
         "application/json": {
@@ -3767,7 +4272,7 @@ export interface components {
     };
     KeyInfo: {
       content: {
-        "application/json": {
+        "application/json": components["schemas"]["CommonFields"] & {
           derivation_info?: components["schemas"]["KeyDerivationInfo"] | null;
           /** @description Whether the key is enabled (only enabled keys may be used for signing) */
           enabled: boolean;
@@ -3783,12 +4288,6 @@ export interface components {
            * @example 0x8e3484687e66cdd26cf04c3647633ab4f3570148
            */
           material_id: string;
-          /**
-           * @description User-defined metadata. When rendering (e.g., in the browser) you should treat
-           * it as untrusted user data (and avoid injecting metadata into HTML directly) if
-           * untrusted users can create/update keys (or their metadata).
-           */
-          metadata?: string;
           /**
            * @description Owner of the key
            * @example User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f
@@ -3830,6 +4329,14 @@ export interface components {
         };
       };
     };
+    /** @description Third-party identities associated with the user's account */
+    ListIdentitiesResponse: {
+      content: {
+        "application/json": {
+          identities: components["schemas"]["OIDCIdentity"][];
+        };
+      };
+    };
     ListMfaResponse: {
       content: {
         "application/json": {
@@ -4093,7 +4600,7 @@ export interface components {
     };
     RoleInfo: {
       content: {
-        "application/json": {
+        "application/json": components["schemas"]["CommonFields"] & {
           /**
            * @description Whether the role is enabled
            * @example true
@@ -4177,6 +4684,17 @@ export interface components {
         };
       };
     };
+    TaprootSignResponse: {
+      content: {
+        "application/json": {
+          /**
+           * @description The 64-byte signature, encoded as defined in BIP0340.
+           * @example 0x14110b79e65f90f70cd3ff5adf29bed9c9fcc035772240990fb51d25a10c9667669bba0c3b335163f65d1b9d8569cf22dd8210084cd24d83cc4bb396d979e10d
+           */
+          signature: string;
+        };
+      };
+    };
     TokenInfo: {
       content: {
         "application/json": {
@@ -4332,6 +4850,26 @@ export interface components {
         };
       };
     };
+    UserInOrgInfo: {
+      content: {
+        "application/json": {
+          /**
+           * @description The user's email (optional)
+           * @example alice@example.com
+           */
+          email?: string | null;
+          /**
+           * @description The id of the user
+           * @example User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f
+           */
+          id: string;
+          membership: components["schemas"]["MemberRole"];
+          /** @description Optional user name. */
+          name?: string | null;
+          status: components["schemas"]["MembershipStatus"];
+        };
+      };
+    };
     UserInfo: {
       content: {
         "application/json": {
@@ -4339,7 +4877,7 @@ export interface components {
            * @description Optional email
            * @example alice@example.com
            */
-          email: string;
+          email?: string | null;
           /** @description All multi-factor authentication methods configured for this user */
           mfa: components["schemas"]["ConfiguredMfa"][];
           /** @description MFA policy, applies before logging in and other sensitive operations */
@@ -4367,10 +4905,19 @@ export interface components {
         };
       };
     };
-  };
-  parameters: never;
-  requestBodies: never;
-  headers: never;
+    /** @description The response to the user/orgs endpoint */
+    UserOrgsResponse: {
+      content: {
+        "application/json": {
+          /** @description The list of orgs this user is a member of */
+          orgs: components["schemas"]["OrgData"][];
+        };
+      };
+    };
+  };
+  parameters: never;
+  requestBodies: never;
+  headers: never;
   pathItems: never;
 }
 
@@ -4451,8 +4998,58 @@ export interface operations {
     };
   };
   /**
-   * Sign Avalanche X- or P-Chain Message
-   * @description Sign Avalanche X- or P-Chain Message
+   * Sign a serialized Avalanche C/X/P-Chain Message
+   * @description Sign a serialized Avalanche C/X/P-Chain Message
+   *
+   * Signs an Avalanche message with a given SecpEth (C-Chain messages) or
+   * SecpAva (X- and P-Chain messages) key. Currently signing C-Chain messages
+   * with SecpEth key must also be explicitly allowed via `AllowRawBlobSigning`
+   * policy.
+   *
+   * This is a pre-release feature.
+   */
+  avaSerializedTxSign: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description Avalanche chain
+         * @example P
+         */
+        ava_chain: string;
+        /**
+         * @description Avalanche address in bech32 or ETH format
+         * @example 0xB31f66AA3C1e785363F0875A1B74E27b85FD66c7
+         */
+        pubkey: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["AvaSerializedTxSignRequest"];
+      };
+    };
+    responses: {
+      200: components["responses"]["AvaSignResponse"];
+      202: {
+        content: {
+          "application/json": components["schemas"]["AcceptedResponse"];
+        };
+      };
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Sign JSON-encoded Avalanche X- or P-Chain Message
+   * @description Sign JSON-encoded Avalanche X- or P-Chain Message
    *
    * Signs an Avalanche message with a given SecpAva key.
    * This is a pre-release feature.
@@ -4492,10 +5089,86 @@ export interface operations {
     };
   };
   /**
-   * Sign Bitcoin Transaction
-   * @description Sign Bitcoin Transaction
+   * Create EOTS nonces
+   * @description Create EOTS nonces
+   *
+   * Generates a set of Babylon EOTS nonces for a specified chain-id, starting at a
+   * specified block height.
+   */
+  createEotsNonces: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description Hex-encoded public key of the EOTS key
+         * @example 0x457f0f24cfb06c3c35874bbd1f59b57180a5a9d7e1f6929280839c830f5c147f
+         */
+        pubkey: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["EotsCreateNonceRequest"];
+      };
+    };
+    responses: {
+      200: components["responses"]["EotsCreateNonceResponse"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Create an EOTS signature
+   * @description Create an EOTS signature
+   *
+   * Generates an EOTS signature for the specified chain-id, block height, and message.
+   */
+  eotsSign: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description Hex-encoded public key of the EOTS key
+         * @example 0x457f0f24cfb06c3c35874bbd1f59b57180a5a9d7e1f6929280839c830f5c147f
+         */
+        pubkey: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["EotsSignRequest"];
+      };
+    };
+    responses: {
+      200: components["responses"]["EotsSignResponse"];
+      202: {
+        content: {
+          "application/json": components["schemas"]["AcceptedResponse"];
+        };
+      };
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Sign Bitcoin Segwit Transaction
+   * @description Sign Bitcoin Segwit Transaction
    *
-   * Signs a Bitcoin transaction with a given key.
+   * Signs a Bitcoin Segwit transaction with a given key.
    * This is a pre-release feature.
    */
   btcSign: {
@@ -4532,6 +5205,47 @@ export interface operations {
       };
     };
   };
+  /**
+   * Sign Bitcoin Taproot Transaction
+   * @description Sign Bitcoin Taproot Transaction
+   *
+   * Signs a Bitcoin Taproot transaction with a given key.
+   * This is a pre-release feature.
+   */
+  btcTaprootSign: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description bech32 encoding of the public key
+         * @example bc1p2wsldez5mud2yam29q22wgfh9439spgduvct83k3pm50fcxa5dps59h4z5
+         */
+        pubkey: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["TaprootSignRequest"];
+      };
+    };
+    responses: {
+      200: components["responses"]["TaprootSignResponse"];
+      202: {
+        content: {
+          "application/json": components["schemas"]["AcceptedResponse"];
+        };
+      };
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
   /**
    * Derive Key From Long-Lived Mnemonic
    * @description Derive Key From Long-Lived Mnemonic
@@ -4563,6 +5277,30 @@ export interface operations {
       };
     };
   };
+  setEmailOtp: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["ConfigureEmailOtpRequest"];
+      };
+    };
+    responses: {
+      200: components["responses"]["EmptyImpl"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
   /**
    * Sign EIP-191 Data
    * @description Sign EIP-191 Data
@@ -4643,6 +5381,85 @@ export interface operations {
       };
     };
   };
+  /**
+   * List associated OIDC identities with the current user.
+   * @description List associated OIDC identities with the current user.
+   */
+  listOidcIdentities: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+      };
+    };
+    responses: {
+      200: components["responses"]["ListIdentitiesResponse"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Associate an OIDC identity with the current user in org <session.org>.
+   * @description Associate an OIDC identity with the current user in org <session.org>.
+   */
+  addOidcIdentity: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["AddIdentityRequest"];
+      };
+    };
+    responses: {
+      200: components["responses"]["EmptyImpl"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Remove an OIDC identity from the current user's account in org <session.org>.
+   * @description Remove an OIDC identity from the current user's account in org <session.org>.
+   */
+  removeOidcIdentity: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["OIDCIdentity"];
+      };
+    };
+    responses: {
+      200: components["responses"]["EmptyImpl"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
   /**
    * Create [IdentityProof] from CubeSigner user session
    * @description Create [IdentityProof] from CubeSigner user session
@@ -4842,6 +5659,11 @@ export interface operations {
          * @example SecpEthAddr
          */
         key_type?: components["schemas"]["KeyType"] | null;
+        /**
+         * @description Filter by key owner
+         * @example User#5269c579-b4f9-4620-9e90-e46a5a0ffb4d
+         */
+        key_owner?: components["schemas"]["Id"] | null;
       };
       path: {
         /**
@@ -4925,7 +5747,9 @@ export interface operations {
    * @description Delete Key
    *
    * Deletes a key specified by its ID.
+   *
    * Only the key owner and org owners are allowed to delete keys.
+   * Additionally, the role's edit policy (if set) must permit the update.
    */
   deleteKey: {
     parameters: {
@@ -4942,6 +5766,11 @@ export interface operations {
         key_id: string;
       };
     };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["Empty"];
+      };
+    };
     responses: {
       200: components["responses"]["EmptyImpl"];
       default: {
@@ -4955,7 +5784,11 @@ export interface operations {
    * Update Key
    * @description Update Key
    *
-   * Enable or disable a key.  The user must be the owner of the key or organization to perform this action.
+   * Enable or disable a key.  The user must be the owner of the key or
+   * organization to perform this action.
+   *
+   * For each requested update, the session must have the corresponding 'manage:key:update:_' scope;
+   * if no updates are requested, the session must have 'manage:key:get'.
    */
   updateKey: {
     parameters: {
@@ -5319,6 +6152,44 @@ export interface operations {
       };
     };
   };
+  /**
+   * Initiate login via email token
+   * @description Initiate login via email token
+   *
+   * This endpoint sends an email to the provided address with an OIDC token encrypted with AES-GCM.
+   * The decryption parameters are returned immediately in the response.
+   * Once that token is decrypted, it can be used with the standard OIDC authentication flows
+   *
+   *
+   * > [!IMPORTANT]
+   * > For this endpoint to succeed, the org must be configured to:
+   * > 1. Allow the issuer `https://shim.oauth2.cubist.dev/email-otp` and client ID being the Org ID
+   * > 2. Have an email sender configured for OTPs
+   */
+  emailOtpAuth: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["EmailOtpRequest"];
+      };
+    };
+    responses: {
+      200: components["responses"]["EmailOtpResponse"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
   /**
    * List Roles
    * @description List Roles
@@ -5428,7 +6299,9 @@ export interface operations {
    * @description Delete Role
    *
    * Deletes a role in an organization.
+   *
    * Only users in the role can perform this action.
+   * Additionally, the role's edit policy (if set) must permit the update.
    */
   deleteRole: {
     parameters: {
@@ -5445,6 +6318,11 @@ export interface operations {
         role_id: string;
       };
     };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["Empty"];
+      };
+    };
     responses: {
       200: components["responses"]["EmptyImpl"];
       default: {
@@ -5460,7 +6338,9 @@ export interface operations {
    *
    * Enables or disables a role (this requires the `manage:role:update:enable` scope).
    * Updates the role's policies (this requires the `manage:role:update:policy` scope).
+   *
    * The user must be in the role or an owner of the organization.
+   * Additionally, the role's edit policy (if set) must permit the update.
    */
   updateRole: {
     parameters: {
@@ -5496,6 +6376,9 @@ export interface operations {
    * @description Add Keys
    *
    * Adds a list of existing keys to an existing role.
+   *
+   * Only the key owner can their key to a role.
+   * Additionally, the role's edit policy (if set) must permit the update.
    */
   addKeysToRole: {
     parameters: {
@@ -5524,7 +6407,9 @@ export interface operations {
    * @description Add User
    *
    * Adds an existing user to an existing role.
-   * Only users in the role or owners can add users to a role.
+   *
+   * Only users in the role or org owners can add users to a role.
+   * Additionally, the role's edit policy (if set) must permit the update.
    */
   addUserToRole: {
     parameters: {
@@ -5546,6 +6431,11 @@ export interface operations {
         user_id: string;
       };
     };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["Empty"];
+      };
+    };
     responses: {};
   };
   /**
@@ -5597,7 +6487,10 @@ export interface operations {
    * Remove Key
    * @description Remove Key
    *
-   * Removes a given key from a role
+   * Removes a given key from a role.
+   *
+   * Only users in the role or org owners can remove keys from a role.
+   * Additionally, the role's edit policy (if set) must permit the update.
    */
   removeKeyFromRole: {
     parameters: {
@@ -5619,6 +6512,11 @@ export interface operations {
         key_id: string;
       };
     };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["Empty"];
+      };
+    };
     responses: {};
   };
   /**
@@ -5814,7 +6712,9 @@ export interface operations {
    * @description Remove User
    *
    * Removes an existing user from an existing role.
+   *
    * Only users in the role or org owners can remove users from a role.
+   * Additionally, the role's edit policy (if set) must permit the update.
    */
   removeUserFromRole: {
     parameters: {
@@ -5836,6 +6736,11 @@ export interface operations {
         user_id: string;
       };
     };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["Empty"];
+      };
+    };
     responses: {};
   };
   /**
@@ -6598,6 +7503,69 @@ export interface operations {
       };
     };
   };
+  /**
+   * Remove a user from the org
+   * @description Remove a user from the org
+   */
+  deleteUser: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description ID of the desired User
+         * @example User#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        user_id: string;
+      };
+    };
+    responses: {
+      200: components["responses"]["EmptyImpl"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Update a user's membership in the org
+   * @description Update a user's membership in the org
+   *
+   * Currently allows just enabling/disabling a user in the org.
+   */
+  updateUserMembership: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description ID of the desired User
+         * @example User#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        user_id: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["UpdateUserMembershipRequest"];
+      };
+    };
+    responses: {
+      200: components["responses"]["UserInOrgInfo"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
   /**
    * Initiate registration of a FIDO key
    * @deprecated
@@ -6726,12 +7694,25 @@ export interface operations {
       };
     };
   };
+  /**
+   * Retrieves all the orgs the user is a part of
+   * @description Retrieves all the orgs the user is a part of
+   */
+  userOrgs: {
+    responses: {
+      200: components["responses"]["UserOrgsResponse"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
   /**
    * Sign Raw Blob
    * @description Sign Raw Blob
    *
    * Signs an arbitrary blob with a given key.
-   * This is a pre-release feature.
    *
    * - ECDSA signatures are serialized as big-endian r and s plus recovery-id
    * byte v, which can in general take any of the values 0, 1, 2, or 3.