@cubist-labs/cubesigner-sdk 0.3.27 → 0.3.29

package/dist/cjs/src/schema.d.ts

@@ -34,26 +34,69 @@ export interface paths {
          */
         patch: operations["updateOrg"];
     };
+    "/v0/org/{org_id}/ava/sign/{ava_chain}/{pubkey}": {
+        /**
+         * Sign a serialized Avalanche C/X/P-Chain Message
+         * @description Sign a serialized Avalanche C/X/P-Chain Message
+         *
+         * Signs an Avalanche message with a given SecpEth (C-Chain messages) or
+         * SecpAva (X- and P-Chain messages) key. Currently signing C-Chain messages
+         * with SecpEth key must also be explicitly allowed via `AllowRawBlobSigning`
+         * policy.
+         *
+         * This is a pre-release feature.
+         */
+        post: operations["avaSerializedTxSign"];
+    };
     "/v0/org/{org_id}/ava/sign/{pubkey}": {
         /**
-         * Sign Avalanche X- or P-Chain Message
-         * @description Sign Avalanche X- or P-Chain Message
+         * Sign JSON-encoded Avalanche X- or P-Chain Message
+         * @description Sign JSON-encoded Avalanche X- or P-Chain Message
          *
          * Signs an Avalanche message with a given SecpAva key.
          * This is a pre-release feature.
          */
         post: operations["avaSign"];
     };
+    "/v0/org/{org_id}/babylon/eots/nonces/{pubkey}": {
+        /**
+         * Create EOTS nonces
+         * @description Create EOTS nonces
+         *
+         * Generates a set of Babylon EOTS nonces for a specified chain-id, starting at a
+         * specified block height.
+         */
+        post: operations["createEotsNonces"];
+    };
+    "/v0/org/{org_id}/babylon/eots/sign/{pubkey}": {
+        /**
+         * Create an EOTS signature
+         * @description Create an EOTS signature
+         *
+         * Generates an EOTS signature for the specified chain-id, block height, and message.
+         */
+        post: operations["eotsSign"];
+    };
     "/v0/org/{org_id}/btc/sign/{pubkey}": {
         /**
-         * Sign Bitcoin Transaction
-         * @description Sign Bitcoin Transaction
+         * Sign Bitcoin Segwit Transaction
+         * @description Sign Bitcoin Segwit Transaction
          *
-         * Signs a Bitcoin transaction with a given key.
+         * Signs a Bitcoin Segwit transaction with a given key.
          * This is a pre-release feature.
          */
         post: operations["btcSign"];
     };
+    "/v0/org/{org_id}/btc/taproot/sign/{pubkey}": {
+        /**
+         * Sign Bitcoin Taproot Transaction
+         * @description Sign Bitcoin Taproot Transaction
+         *
+         * Signs a Bitcoin Taproot transaction with a given key.
+         * This is a pre-release feature.
+         */
+        post: operations["btcTaprootSign"];
+    };
     "/v0/org/{org_id}/derive_key": {
         /**
          * Derive Key From Long-Lived Mnemonic
@@ -64,6 +107,9 @@ export interface paths {
          */
         put: operations["deriveKey"];
     };
+    "/v0/org/{org_id}/emails/otp": {
+        put: operations["setEmailOtp"];
+    };
     "/v0/org/{org_id}/evm/eip191/sign/{pubkey}": {
         /**
          * Sign EIP-191 Data
@@ -82,6 +128,23 @@ export interface paths {
          */
         post: operations["eip712Sign"];
     };
+    "/v0/org/{org_id}/identity": {
+        /**
+         * List associated OIDC identities with the current user.
+         * @description List associated OIDC identities with the current user.
+         */
+        get: operations["listOidcIdentities"];
+        /**
+         * Associate an OIDC identity with the current user in org <session.org>.
+         * @description Associate an OIDC identity with the current user in org <session.org>.
+         */
+        post: operations["addOidcIdentity"];
+        /**
+         * Remove an OIDC identity from the current user's account in org <session.org>.
+         * @description Remove an OIDC identity from the current user's account in org <session.org>.
+         */
+        delete: operations["removeOidcIdentity"];
+    };
     "/v0/org/{org_id}/identity/prove": {
         /**
          * Create [IdentityProof] from CubeSigner user session
@@ -177,14 +240,20 @@ export interface paths {
          * @description Delete Key
          *
          * Deletes a key specified by its ID.
+         *
          * Only the key owner and org owners are allowed to delete keys.
+         * Additionally, the role's edit policy (if set) must permit the update.
          */
         delete: operations["deleteKey"];
         /**
          * Update Key
          * @description Update Key
          *
-         * Enable or disable a key.  The user must be the owner of the key or organization to perform this action.
+         * Enable or disable a key.  The user must be the owner of the key or
+         * organization to perform this action.
+         *
+         * For each requested update, the session must have the corresponding 'manage:key:update:_' scope;
+         * if no updates are requested, the session must have 'manage:key:get'.
          */
         patch: operations["updateKey"];
     };
@@ -292,6 +361,23 @@ export interface paths {
          */
         post: operations["oidcAuth"];
     };
+    "/v0/org/{org_id}/oidc/email-otp": {
+        /**
+         * Initiate login via email token
+         * @description Initiate login via email token
+         *
+         * This endpoint sends an email to the provided address with an OIDC token encrypted with AES-GCM.
+         * The decryption parameters are returned immediately in the response.
+         * Once that token is decrypted, it can be used with the standard OIDC authentication flows
+         *
+         *
+         * > [!IMPORTANT]
+         * > For this endpoint to succeed, the org must be configured to:
+         * > 1. Allow the issuer `https://shim.oauth2.cubist.dev/email-otp` and client ID being the Org ID
+         * > 2. Have an email sender configured for OTPs
+         */
+        post: operations["emailOtpAuth"];
+    };
     "/v0/org/{org_id}/roles": {
         /**
          * List Roles
@@ -322,7 +408,9 @@ export interface paths {
          * @description Delete Role
          *
          * Deletes a role in an organization.
+         *
          * Only users in the role can perform this action.
+         * Additionally, the role's edit policy (if set) must permit the update.
          */
         delete: operations["deleteRole"];
         /**
@@ -331,7 +419,9 @@ export interface paths {
          *
          * Enables or disables a role (this requires the `manage:role:update:enable` scope).
          * Updates the role's policies (this requires the `manage:role:update:policy` scope).
+         *
          * The user must be in the role or an owner of the organization.
+         * Additionally, the role's edit policy (if set) must permit the update.
          */
         patch: operations["updateRole"];
     };
@@ -341,6 +431,9 @@ export interface paths {
          * @description Add Keys
          *
          * Adds a list of existing keys to an existing role.
+         *
+         * Only the key owner can their key to a role.
+         * Additionally, the role's edit policy (if set) must permit the update.
          */
         put: operations["addKeysToRole"];
     };
@@ -350,7 +443,9 @@ export interface paths {
          * @description Add User
          *
          * Adds an existing user to an existing role.
-         * Only users in the role or owners can add users to a role.
+         *
+         * Only users in the role or org owners can add users to a role.
+         * Additionally, the role's edit policy (if set) must permit the update.
          */
         put: operations["addUserToRole"];
     };
@@ -368,7 +463,10 @@ export interface paths {
          * Remove Key
          * @description Remove Key
          *
-         * Removes a given key from a role
+         * Removes a given key from a role.
+         *
+         * Only users in the role or org owners can remove keys from a role.
+         * Additionally, the role's edit policy (if set) must permit the update.
          */
         delete: operations["removeKeyFromRole"];
     };
@@ -432,7 +530,9 @@ export interface paths {
          * @description Remove User
          *
          * Removes an existing user from an existing role.
+         *
          * Only users in the role or org owners can remove users from a role.
+         * Additionally, the role's edit policy (if set) must permit the update.
          */
         delete: operations["removeUserFromRole"];
     };
@@ -632,6 +732,22 @@ export interface paths {
          */
         delete: operations["deleteOidcUser"];
     };
+    "/v0/org/{org_id}/users/{user_id}": {
+        /**
+         * Remove a user from the org
+         * @description Remove a user from the org
+         */
+        delete: operations["deleteUser"];
+    };
+    "/v0/org/{org_id}/users/{user_id}/membership": {
+        /**
+         * Update a user's membership in the org
+         * @description Update a user's membership in the org
+         *
+         * Currently allows just enabling/disabling a user in the org.
+         */
+        patch: operations["updateUserMembership"];
+    };
     "/v0/user/me/fido": {
         /**
          * Initiate registration of a FIDO key
@@ -686,13 +802,19 @@ export interface paths {
          */
         post: operations["verifyTotpLegacy"];
     };
+    "/v0/user/orgs": {
+        /**
+         * Retrieves all the orgs the user is a part of
+         * @description Retrieves all the orgs the user is a part of
+         */
+        get: operations["userOrgs"];
+    };
     "/v1/org/{org_id}/blob/sign/{key_id}": {
         /**
          * Sign Raw Blob
          * @description Sign Raw Blob
          *
          * Signs an arbitrary blob with a given key.
-         * This is a pre-release feature.
          *
          * - ECDSA signatures are serialized as big-endian r and s plus recovery-id
          * byte v, which can in general take any of the values 0, 1, 2, or 3.
@@ -791,6 +913,10 @@ export interface components {
         };
         /** @enum {string} */
         AcceptedValueCode: "MfaRequired";
+        /** @description Request to add OIDC identity to an existing user account */
+        AddIdentityRequest: {
+            oidc_token: string;
+        };
         AddKeysToRoleRequest: {
             /**
              * @description A list of keys to add to a role
@@ -977,7 +1103,12 @@ export interface components {
          * @enum {string}
          */
         AuthenticatorTransport: "usb" | "nfc" | "ble" | "internal";
-        /** @description Request to sign an Avalanche transactions */
+        /** @description Request to sign a serialized Avalanche transaction */
+        AvaSerializedTxSignRequest: {
+            /** @description Serialized transaction to sign */
+            tx: string;
+        };
+        /** @description Request to sign an Avalanche transaction */
         AvaSignRequest: {
             /**
              * @description Transaction to sign.
@@ -1003,9 +1134,9 @@ export interface components {
         /** @description Wrapper around a zeroizing 32-byte fixed-size array */
         B32: string;
         /** @enum {string} */
-        BadGatewayErrorCode: "OAuthProviderError";
+        BadGatewayErrorCode: "OAuthProviderError" | "OidcDisoveryFailed" | "OidcIssuerJwkEndpointUnavailable" | "SmtpServerUnavailable";
         /** @enum {string} */
-        BadRequestErrorCode: "GenericBadRequest" | "InvalidBody" | "TokenRequestError" | "InvalidMfaReceipt" | "InvalidMfaPolicyCount" | "InvalidMfaPolicyNumAuthFactors" | "InvalidMfaPolicyNumAllowedApprovers" | "InvalidMfaPolicyRedundantRule" | "InvalidCreateKeyCount" | "OrgInviteExistingUser" | "OrgNameTaken" | "RoleNameTaken" | "AddKeyToRoleCountTooHigh" | "InvalidKeyId" | "InvalidKeyMetadataLength" | "InvalidKeyMetadata" | "InvalidKeyMaterialId" | "KeyNotFound" | "UserExportDerivedKey" | "UserExportPublicKeyInvalid" | "UserExportInProgress" | "RoleNotFound" | "InvalidMfaReceiptOrgIdMissing" | "InvalidMfaReceiptInvalidOrgId" | "MfaRequestNotFound" | "InvalidKeyType" | "InvalidKeyMaterial" | "InvalidHexValue" | "InvalidBase32Value" | "InvalidBase58Value" | "InvalidForkVersionLength" | "InvalidEthAddress" | "InvalidStellarAddress" | "InvalidOrgNameOrId" | "InvalidStakeDeposit" | "InvalidBlobSignRequest" | "InvalidSolanaSignRequest" | "InvalidEip712SignRequest" | "InvalidEvmSignRequest" | "InvalidEth2SignRequest" | "InvalidDeriveKeyRequest" | "InvalidStakingAmount" | "CustomStakingAmountNotAllowedForWrapperContract" | "InvalidUnstakeRequest" | "InvalidCreateUserRequest" | "UserAlreadyExists" | "UserNotFound" | "PolicyRuleKeyMismatch" | "EmptyScopes" | "InvalidScopesForRoleSession" | "InvalidLifetime" | "NoSingleKeyForUser" | "InvalidOrgPolicyRule" | "SourceIpAllowlistEmpty" | "InvalidOrgPolicyRepeatedRule" | "AvaSignHashError" | "AvaSignError" | "BtcSegwitHashError" | "BtcSignError" | "Eip712SignError" | "InvalidMemberRoleInUserAdd" | "ThirdPartyUserAlreadyExists" | "ThirdPartyUserNotFound" | "DeleteOidcUserError" | "SessionRoleMismatch" | "InvalidOidcToken" | "OidcIssuerUnsupported" | "OidcIssuerNotAllowed" | "OidcIssuerNoApplicableJwk" | "FidoKeyAlreadyRegistered" | "FidoKeySignCountTooLow" | "FidoVerificationFailed" | "FidoChallengeMfaMismatch" | "UnsupportedLegacyCognitoSession" | "InvalidIdentityProof" | "PaginationDataExpired" | "ExistingKeysViolateExclusiveKeyAccess" | "ExportDelayTooShort" | "ExportWindowTooLong" | "InvalidTotpFailureLimit" | "InvalidEip191SignRequest" | "CannotResendUserInvitation" | "InvalidNotificationEndpointCount" | "CannotDeletePendingSubscription" | "InvalidNotificationUrlProtocol" | "EmptyOneOfOrgEventFilter" | "EmptyAllExceptOrgEventFilter";
+        BadRequestErrorCode: "GenericBadRequest" | "InvalidBody" | "TokenRequestError" | "InvalidMfaReceipt" | "InvalidMfaPolicyCount" | "InvalidMfaPolicyNumAuthFactors" | "InvalidMfaPolicyNumAllowedApprovers" | "InvalidMfaPolicyRedundantRule" | "InvalidCreateKeyCount" | "OrgInviteExistingUser" | "OrgNameTaken" | "RoleNameTaken" | "AddKeyToRoleCountTooHigh" | "InvalidKeyId" | "InvalidTimeLockAlreadyInThePast" | "InvalidUpdate" | "InvalidMetadataLength" | "InvalidKeyMaterialId" | "KeyNotFound" | "UserExportDerivedKey" | "UserExportPublicKeyInvalid" | "UnableToAccessSmtpRelay" | "UserExportInProgress" | "RoleNotFound" | "InvalidMfaReceiptOrgIdMissing" | "InvalidMfaReceiptInvalidOrgId" | "MfaRequestNotFound" | "InvalidKeyType" | "InvalidKeyMaterial" | "InvalidHexValue" | "InvalidBase32Value" | "InvalidBase58Value" | "InvalidForkVersionLength" | "InvalidEthAddress" | "InvalidStellarAddress" | "InvalidOrgNameOrId" | "InvalidStakeDeposit" | "InvalidBlobSignRequest" | "InvalidSolanaSignRequest" | "InvalidEip712SignRequest" | "InvalidEvmSignRequest" | "InvalidEth2SignRequest" | "InvalidDeriveKeyRequest" | "InvalidStakingAmount" | "CustomStakingAmountNotAllowedForWrapperContract" | "InvalidUnstakeRequest" | "InvalidCreateUserRequest" | "UserAlreadyExists" | "UserNotFound" | "PolicyRuleKeyMismatch" | "EmptyScopes" | "InvalidScopesForRoleSession" | "InvalidLifetime" | "NoSingleKeyForUser" | "InvalidOrgPolicyRule" | "SourceIpAllowlistEmpty" | "InvalidOrgPolicyRepeatedRule" | "AvaSignHashError" | "AvaSignError" | "BtcSegwitHashError" | "BtcTaprootHashError" | "BtcSignError" | "TaprootSignError" | "Eip712SignError" | "InvalidMemberRoleInUserAdd" | "ThirdPartyUserAlreadyExists" | "OidcIdentityAlreadyExists" | "ThirdPartyUserNotFound" | "DeleteOidcUserError" | "DeleteUserError" | "SessionRoleMismatch" | "InvalidOidcToken" | "InvalidOidcIdentity" | "OidcIssuerUnsupported" | "OidcIssuerNotAllowed" | "OidcIssuerNoApplicableJwk" | "FidoKeyAlreadyRegistered" | "FidoKeySignCountTooLow" | "FidoVerificationFailed" | "FidoChallengeMfaMismatch" | "UnsupportedLegacyCognitoSession" | "InvalidIdentityProof" | "PaginationDataExpired" | "ExistingKeysViolateExclusiveKeyAccess" | "ExportDelayTooShort" | "ExportWindowTooLong" | "InvalidTotpFailureLimit" | "InvalidEip191SignRequest" | "CannotResendUserInvitation" | "InvalidNotificationEndpointCount" | "CannotDeletePendingSubscription" | "InvalidNotificationUrlProtocol" | "EmptyOneOfOrgEventFilter" | "EmptyAllExceptOrgEventFilter" | "InvalidTapNodeHash";
         /**
          * @example {
          *   "message_base64": "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTYK"
@@ -1019,17 +1150,37 @@ export interface components {
              * the message. For example, Secp256k1 keys require that the message is 32 bytes long.
              */
             message_base64: string;
+            /**
+             * @description An optional tweak value for use *only* with Taproot keys. This field is ignored
+             * for all other key types.
+             *
+             * If this field is not present or null, no tweak is applied. If the field is an
+             * empty string, the key is tweaked with an unspendable script path per BIP0341.
+             * Otherwise, this field must contain a 32-byte, base-64 encoded hex string
+             * representing the Merkle root with which to tweak the key before signing.
+             * @example F41HAy2q5Gn8laF2CuMsZbRAQTmD+4Ob3VUMZ7TBGK4=
+             */
+            taproot_tweak?: string | null;
         };
         BlobSignResponse: {
             /** @description The hex-encoded signature. */
             signature: string;
         };
+        /** @description Leaf hash and code, as per BIP341 and https://github.com/rust-bitcoin/rust-bitcoin/blob/464202109d2b2c96e9b4867461bffe420dbd8177/bitcoin/src/crypto/sighash.rs#L691 */
+        BtcLeafHashCodeSeparator: {
+            /**
+             * Format: int32
+             * @description Code separator
+             */
+            code_separator: number;
+            /** @description Taproot-tagged hash with tag "TapLeaf". */
+            leaf_hash: string;
+        };
         /** @enum {string} */
         BtcSighashType: "All" | "None" | "Single" | "AllPlusAnyoneCanPay" | "NonePlusAnyoneCanPay" | "SinglePlusAnyoneCanPay";
         BtcSignRequest: {
             sig_kind: components["schemas"]["BtcSignatureKind"];
-            /** @description The bitcoin transaction to sign */
-            tx: Record<string, never>;
+            tx: components["schemas"]["BtcTx"];
         };
         BtcSignResponse: {
             /**
@@ -1060,6 +1211,16 @@ export interface components {
                 value: number;
             };
         };
+        BtcTx: Record<string, never>;
+        BtcTxOut: {
+            /** @description The script which must be satisfied for the output to be spent. */
+            script_pubkey: string;
+            /**
+             * Format: int64
+             * @description The value of the output, in satoshis.
+             */
+            value: number;
+        };
         /** @description Describes how to derive a WebAuthn challenge value. */
         ChallengePieces: {
             /**
@@ -1093,6 +1254,30 @@ export interface components {
             /** @description Session ID */
             session_id: string;
         };
+        /** @description Fields that are common to different types of resources such as keys */
+        CommonFields: {
+            created?: components["schemas"]["EpochDateTime"] | null;
+            edit_policy?: components["schemas"]["EditPolicy"];
+            last_modified?: components["schemas"]["EpochDateTime"] | null;
+            /**
+             * @description User-defined metadata. When rendering (e.g., in the browser) you should treat
+             * it as untrusted user data (and avoid injecting metadata into HTML directly) if
+             * untrusted users can create/update keys (or their metadata).
+             */
+            metadata?: unknown;
+            /**
+             * Format: int64
+             * @description Version of this object
+             */
+            version?: number;
+        };
+        ConfigureEmailOtpRequest: {
+            auth: {
+                smtp: string;
+            };
+            /** @description The email address that OTP requests will come from */
+            sender: string;
+        };
         ConfiguredMfa: {
             /** @enum {string} */
             type: "totp";
@@ -1105,11 +1290,12 @@ export interface components {
             type: "fido";
         };
         CreateAndUpdateKeyProperties: {
+            edit_policy?: components["schemas"]["EditPolicy"] | null;
             /**
-             * @description Set this key's metadata. Validation regex: ^[A-Za-z0-9_=+/ \-\.\,]{0,1024}$
-             * @example Contract admin key
+             * @description Set this key's metadata. If this value is `null`, the metadata is erased. If the field is
+             * missing, the metadata remains unchanged.
              */
-            metadata?: string | null;
+            metadata?: unknown;
             /**
              * @description Specify a user other than themselves to be the (potentially new) owner of the key.
              * The specified owner must be an existing user who is a member of the same org.
@@ -1273,6 +1459,10 @@ export interface components {
              */
             mnemonic_id: string;
         };
+        EditPolicy: {
+            mfa?: components["schemas"]["MfaPolicy"] | null;
+            time_lock_until?: components["schemas"]["EpochDateTime"] | null;
+        };
         Eip191Or712SignResponse: {
             /**
              * @description Hex-encoded signature comprising 65 bytes in the format required
@@ -1296,6 +1486,7 @@ export interface components {
          *     "domain": {
          *       "chainId": 1337,
          *       "name": "Ether Mail",
+         *       "salt": "0x0000000000000000000000000000000000000000000000000000000000000000",
          *       "verifyingContract": "0xCcCCccccCCCCcCCCCCCcCcCccCcCCCcCcccccccC",
          *       "version": "1"
          *     },
@@ -1335,6 +1526,10 @@ export interface components {
          *         {
          *           "name": "verifyingContract",
          *           "type": "address"
+         *         },
+         *         {
+         *           "name": "salt",
+         *           "type": "bytes32"
          *         }
          *       ],
          *       "Group": [
@@ -1384,11 +1579,95 @@ export interface components {
             /** @description EIP-712 typed data. Refer to the JSON schema defined in EIP-712. */
             typed_data: Record<string, never>;
         };
+        /** @description The request users send to initiate email OTP */
+        EmailOtpRequest: {
+            /** @description The email which will receive the OTP */
+            email: string;
+        };
+        /**
+         * @description The HTTP response to an email OTP request.
+         *
+         * Users receive an encrypted OIDC token in their email inbox.
+         * The values in this response can be used to decrypt that token
+         * using AES-GCM. This ensures that clients need *both* the emailed token
+         * and this response to complete OTP auth.
+         */
+        EmailOtpResponse: {
+            /**
+             * Format: binary
+             * @description Base64 URL encoded IV value for AES-GCM
+             */
+            iv: string;
+            /**
+             * Format: binary
+             * @description Base64 URL encoded key for AES-GCM
+             */
+            key: string;
+        };
         /** @default null */
         Empty: unknown;
         EmptyImpl: {
             status: string;
         };
+        /**
+         * @description Request to create a set of EOTS nonces for a specified chain-id, starting
+         * at a specified block height.
+         */
+        EotsCreateNonceRequest: {
+            /**
+             * @description The chain id for which the nonces will be used, as a hex string
+             * @example 0x11223344
+             */
+            chain_id: string;
+            /**
+             * Format: int32
+             * @description The number of nonces to generate
+             * @example 16
+             */
+            num: number;
+            /**
+             * @description The starting block height of the generated nonces (quoted decimal u64)
+             * @example 31337
+             */
+            start_height: string;
+        };
+        /** @description Response generated when creating EOTS nonces */
+        EotsCreateNonceResponse: {
+            /**
+             * @description The generated nonces as an array of 0x-prefixed hex strings
+             * @example [
+             *   "0xb393bf39e71a16d784853d58255a296222a99fd3c87aa7ca206c5230c188f1c7",
+             *   "0xe01936584b4f0c0e97f0d3018c4f9db2bf7de41395c6403a48fd0dff0ef7b40d"
+             * ]
+             */
+            nonces: string[];
+        };
+        /** @description Request for an EOTS signature on a specified message, chain-id, block-height triple */
+        EotsSignRequest: {
+            /**
+             * @description The block height for the signature (quoted decimal u64)
+             * @example 123456
+             */
+            block_height: string;
+            /**
+             * @description The chain id for the signature
+             * @example 0x11223344
+             */
+            chain_id: string;
+            /**
+             * @description The message to sign
+             * @example 0x5a2688faea09d42b9270fdb8de6fff6f192243a910ba66329073e12e0d0046a2
+             */
+            message: string;
+        };
+        /** @description Response to an EOTS signing request */
+        EotsSignResponse: {
+            /**
+             * @description The resulting signature, a hex-encoded 32-byte value
+             * @example 0xd9804c04a696b522472c53bd3a3c664c4c3085a017927e45ffaed711d1613700
+             */
+            signature: string;
+        };
         /**
          * @description Epoch is a quoted `uint64`.
          * @example 256
@@ -1521,7 +1800,7 @@ export interface components {
             name: string;
         };
         /** @enum {string} */
-        ForbiddenErrorCode: "FidoRequiredToRemoveTotp" | "MfaChallengeExpired" | "ChainIdNotAllowed" | "InvalidOrg" | "SessionForWrongOrg" | "OrgDisabled" | "OrgNotFound" | "OrgWithoutOwner" | "OrphanedUser" | "OidcUserNotFound" | "UserNotInOrg" | "UserNotOrgOwner" | "UserNotKeyOwner" | "InvalidRole" | "DisabledRole" | "KeyDisabled" | "RoleNotInOrg" | "KeyNotInRole" | "KeyNotInOrg" | "UserExportRequestNotInOrg" | "UserExportRequestInvalid" | "UserNotOriginalKeyOwner" | "UserNotInRole" | "MustBeFullMember" | "SessionExpired" | "SessionChanged" | "SessionRevoked" | "ExpectedUserSession" | "SessionRoleChanged" | "ScopedNameNotFound" | "SessionInvalidEpochToken" | "SessionInvalidRefreshToken" | "SessionRefreshTokenExpired" | "InvalidAuthHeader" | "SessionNotFound" | "InvalidArn" | "SessionInvalidAuthToken" | "SessionAuthTokenExpired" | "SessionPossiblyStolenToken" | "MfaDisallowedIdentity" | "MfaDisallowedApprover" | "MfaTypeNotAllowed" | "MfaNotApprovedYet" | "MfaConfirmationCodeMismatch" | "MfaHttpRequestMismatch" | "MfaRemoveBelowMin" | "TotpAlreadyConfigured" | "TotpConfigurationChanged" | "MfaTotpBadConfiguration" | "MfaTotpBadCode" | "MfaTotpRateLimit" | "ImproperSessionScope" | "FullSessionRequired" | "SessionWithoutAnyScopeUnder" | "UserRoleUnprivileged" | "MfaNotConfigured";
+        ForbiddenErrorCode: "FidoRequiredToRemoveTotp" | "EmailOtpNotConfigured" | "MfaChallengeExpired" | "ChainIdNotAllowed" | "InvalidOrg" | "SessionForWrongOrg" | "SelfDelete" | "SelfDisable" | "UserHasNoMfa" | "UserDisabled" | "OrgDisabled" | "OrgNotFound" | "OrgWithoutOwner" | "OrphanedUser" | "OidcUserNotFound" | "UserNotInOrg" | "UserNotOrgOwner" | "UserNotKeyOwner" | "InvalidRole" | "DisabledRole" | "KeyDisabled" | "RoleNotInOrg" | "KeyNotInRole" | "KeyNotInOrg" | "UserExportRequestNotInOrg" | "UserExportRequestInvalid" | "UserNotOriginalKeyOwner" | "UserNotInRole" | "MustBeFullMember" | "SessionExpired" | "SessionChanged" | "SessionRevoked" | "ExpectedUserSession" | "SessionRoleChanged" | "ScopedNameNotFound" | "SessionInvalidEpochToken" | "SessionInvalidRefreshToken" | "SessionRefreshTokenExpired" | "InvalidAuthHeader" | "SessionNotFound" | "InvalidArn" | "SessionInvalidAuthToken" | "SessionAuthTokenExpired" | "SessionPossiblyStolenToken" | "MfaDisallowedIdentity" | "MfaDisallowedApprover" | "MfaTypeNotAllowed" | "MfaNotApprovedYet" | "MfaConfirmationCodeMismatch" | "MfaHttpRequestMismatch" | "MfaRemoveBelowMin" | "TotpAlreadyConfigured" | "TotpConfigurationChanged" | "MfaTotpBadConfiguration" | "MfaTotpBadCode" | "MfaTotpRateLimit" | "ImproperSessionScope" | "FullSessionRequired" | "SessionWithoutAnyScopeUnder" | "UserRoleUnprivileged" | "MfaNotConfigured";
         /**
          * @description Specifies a fork of the `BeaconChain`, to prevent replay attacks.
          * The schema of `Fork` is defined in the [Beacon chain
@@ -1641,6 +1920,7 @@ export interface components {
             /** @description HTTP path of the request (including host or not?) */
             path: string;
         };
+        Id: string;
         /**
          * @description Proof that an end-user provided CubeSigner with a valid auth token
          * (either an OIDC token or a CubeSigner session token)
@@ -1692,7 +1972,7 @@ export interface components {
             salt: string;
         };
         /** @enum {string} */
-        InternalErrorCode: "SystemTimeError" | "ReqwestError" | "DbQueryError" | "DbGetError" | "DbDeleteError" | "DbPutError" | "DbUpdateError" | "SerdeError" | "TestAndSetError" | "DbGetItemsError" | "DbWriteError" | "CubistSignerError" | "CwPutMetricDataError" | "KmsGenerateRandomError" | "MalformedTotpBytes" | "KmsGenerateRandomNoResponseError" | "CreateKeyError" | "ParseDerivationPathError" | "SplitSignerError" | "CreateImportKeyError" | "CognitoDeleteUserError" | "CognitoListUsersError" | "CognitoGetUserError" | "MissingUserEmail" | "CognitoResendUserInvitation" | "CognitoSetUserPasswordError" | "GenericInternalError" | "OidcAuthWithoutOrg" | "MissingKeyMetadata" | "KmsKeyWithoutId" | "KmsEnableKeyError" | "KmsDisableKeyError" | "SerializeEncryptedExportKeyError" | "DeserializeEncryptedExportKeyError" | "ReEncryptUserExport" | "S3UploadError" | "S3DownloadError" | "ManagedStateMissing" | "InternalHeaderMissing" | "InvalidInternalHeaderValue" | "RequestLocalStateAlreadySet" | "OidcOrgMismatch" | "OrphanedRoleKeyId" | "OidcIssuerJwkEndpointUnavailable" | "OidcIssuerInvalidJwk" | "InvalidPkForMaterialId" | "UncheckedOrg" | "AvaSignCredsMissing" | "AvaSignSignatureMissing" | "ExpectedRoleSession" | "InvalidThirdPartyIdentity" | "CognitoGetUser" | "SnsSubscribeError" | "SnsUnsubscribeError" | "SnsGetSubscriptionAttributesError" | "SnsSubscriptionAttributesMissing" | "SnsSetSubscriptionAttributesError" | "SnsPublishBatchError";
+        InternalErrorCode: "SystemTimeError" | "ReqwestError" | "EmailConstructionError" | "DbQueryError" | "DbGetError" | "DbDeleteError" | "DbPutError" | "DbUpdateError" | "SerdeError" | "TestAndSetError" | "DbGetItemsError" | "DbWriteError" | "CubistSignerError" | "CwPutMetricDataError" | "KmsGenerateRandomError" | "MalformedTotpBytes" | "KmsGenerateRandomNoResponseError" | "CreateKeyError" | "ParseDerivationPathError" | "SplitSignerError" | "CreateImportKeyError" | "CreateEotsNoncesError" | "EotsSignError" | "CognitoDeleteUserError" | "CognitoListUsersError" | "CognitoGetUserError" | "MissingUserEmail" | "CognitoResendUserInvitation" | "CognitoSetUserPasswordError" | "GenericInternalError" | "OidcAuthWithoutOrg" | "MissingKeyMetadata" | "KmsKeyWithoutId" | "KmsEnableKeyError" | "KmsDisableKeyError" | "SerializeEncryptedExportKeyError" | "DeserializeEncryptedExportKeyError" | "ReEncryptUserExport" | "S3UploadError" | "S3DownloadError" | "ManagedStateMissing" | "InternalHeaderMissing" | "InvalidInternalHeaderValue" | "RequestLocalStateAlreadySet" | "OidcOrgMismatch" | "OrphanedRoleKeyId" | "OidcIssuerInvalidJwk" | "InvalidPkForMaterialId" | "UncheckedOrg" | "AvaSignCredsMissing" | "AvaSignSignatureMissing" | "ExpectedRoleSession" | "InvalidThirdPartyIdentity" | "CognitoGetUser" | "SnsSubscribeError" | "SnsUnsubscribeError" | "SnsGetSubscriptionAttributesError" | "SnsSubscriptionAttributesMissing" | "SnsSetSubscriptionAttributesError" | "SnsPublishBatchError" | "InconsistentMultiValueTestAndSet";
         InviteRequest: {
             /**
              * @description The user's email address
@@ -1854,7 +2134,7 @@ export interface components {
              */
             role_id: string;
         };
-        KeyInfo: {
+        KeyInfo: components["schemas"]["CommonFields"] & {
             derivation_info?: components["schemas"]["KeyDerivationInfo"] | null;
             /** @description Whether the key is enabled (only enabled keys may be used for signing) */
             enabled: boolean;
@@ -1870,12 +2150,6 @@ export interface components {
              * @example 0x8e3484687e66cdd26cf04c3647633ab4f3570148
              */
             material_id: string;
-            /**
-             * @description User-defined metadata. When rendering (e.g., in the browser) you should treat
-             * it as untrusted user data (and avoid injecting metadata into HTML directly) if
-             * untrusted users can create/update keys (or their metadata).
-             */
-            metadata?: string;
             /**
              * @description Owner of the key
              * @example User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f
@@ -1912,7 +2186,7 @@ export interface components {
             keys: components["schemas"]["KeyInfo"][];
         };
         /** @enum {string} */
-        KeyType: "SecpEthAddr" | "SecpBtc" | "SecpBtcTest" | "SecpAvaAddr" | "SecpAvaTestAddr" | "BlsPub" | "BlsInactive" | "Ed25519SolanaAddr" | "Ed25519SuiAddr" | "Ed25519AptosAddr" | "Ed25519CardanoAddrVk" | "Ed25519StellarAddr" | "Mnemonic" | "Stark";
+        KeyType: "SecpEthAddr" | "SecpBtc" | "SecpBtcTest" | "SecpAvaAddr" | "SecpAvaTestAddr" | "BlsPub" | "BlsInactive" | "Ed25519SolanaAddr" | "Ed25519SuiAddr" | "Ed25519AptosAddr" | "Ed25519CardanoAddrVk" | "Ed25519StellarAddr" | "Mnemonic" | "Stark" | "BabylonEots" | "TaprootBtc" | "TaprootBtcTest";
         /**
          * @description Wrapper around encrypted [UnencryptedLastEvalKey] bytes.
          *
@@ -1920,6 +2194,10 @@ export interface components {
          * so that they can pass this back to us as a url query parameter.
          */
         LastEvalKey: string;
+        /** @description Third-party identities associated with the user's account */
+        ListIdentitiesResponse: {
+            identities: components["schemas"]["OIDCIdentity"][];
+        };
         ListMfaResponse: {
             /** @description All pending MFA requests */
             mfa_requests: components["schemas"]["MfaRequestInfo"][];
@@ -1932,6 +2210,40 @@ export interface components {
          * @enum {string}
          */
         MemberRole: "Alien" | "Member" | "Owner";
+        /** @enum {string} */
+        MembershipStatus: "enabled" | "disabled";
+        /**
+         * @example {
+         *   "allowed_approvers": [
+         *     "User#fabc3f88-04e0-471b-9657-0ae12a3cd73e",
+         *     "User#d796c369-9974-473b-ab9e-e4a2418d2d07"
+         *   ],
+         *   "count": 2,
+         *   "lifetime": 900
+         * }
+         */
+        MfaPolicy: {
+            /** @description Users who are allowed to approve. If empty at creation time, default to the current user. */
+            allowed_approvers?: string[];
+            /** @description Allowed approval types. When omitted, defaults to any. */
+            allowed_mfa_types?: components["schemas"]["MfaType"][] | null;
+            /**
+             * Format: int32
+             * @description How many users to require to approve (defaults to 1).
+             */
+            count?: number;
+            lifetime?: components["schemas"]["Seconds"];
+            /**
+             * Format: int32
+             * @description How many auth factors to require per user (defaults to 1).
+             */
+            num_auth_factors?: number;
+            /**
+             * @description CubeSigner operations to which this policy should apply.
+             * When omitted, applies to all operations.
+             */
+            restricted_operations?: components["schemas"]["OperationKind"][] | null;
+        };
         /** @description Returned as a response from multiple routes (e.g., 'get mfa', 'approve mfa', 'approve totp'). */
         MfaRequestInfo: {
             expires_at: components["schemas"]["EpochDateTime"];
@@ -1979,6 +2291,8 @@ export interface components {
              */
             token: string;
         };
+        /** Format: binary */
+        NonceValue: string;
         /** @enum {string} */
         NotFoundErrorCode: "UriSegmentMissing" | "UriSegmentInvalid" | "TotpNotConfigured" | "FidoKeyNotFound" | "FidoChallengeNotFound" | "TotpChallengeNotFound" | "UserExportRequestNotFound" | "UserExportCiphertextNotFound";
         /** @description The configuration and status of a notification endpoint */
@@ -2005,7 +2319,7 @@ export interface components {
          */
         OIDCIdentity: {
             /**
-             * @description The root-level issuer who administrates this user. Frome the OIDC spec:
+             * @description The root-level issuer who administrates this user. From the OIDC spec:
              * Issuer Identifier for the Issuer of the response. The iss
              * value is a case sensitive URL using the https scheme that contains
              * scheme, host, and optionally, port number and path components and
@@ -2037,6 +2351,23 @@ export interface components {
             scopes: string[];
             tokens?: components["schemas"]["RatchetConfig"];
         };
+        /**
+         * @description All different kinds of sensitive operations
+         * @enum {string}
+         */
+        OperationKind: "AvaSign" | "AvaChainTxSign" | "BlobSign" | "BtcSign" | "TaprootSign" | "Eip191Sign" | "Eip712Sign" | "EotsNonces" | "EotsSign" | "Eth1Sign" | "Eth2Sign" | "Eth2Stake" | "Eth2Unstake" | "SolanaSign";
+        OrgData: {
+            /**
+             * @description The id of the org
+             * @example Org#123...
+             */
+            org_id: string;
+            /**
+             * @description The human-readable name for the org
+             * @example my_org_name
+             */
+            org_name?: string | null;
+        };
         /**
          * @description Auto-generated discriminant enum variants
          * @enum {string}
@@ -2272,10 +2603,32 @@ export interface components {
         };
         PolicyErrorCode: components["schemas"]["PolicyErrorOwnCodes"] | components["schemas"]["EvmTxDepositErrorCode"];
         /** @enum {string} */
-        PolicyErrorOwnCodes: "EvmTxReceiverMismatch" | "EvmTxSenderMismatch" | "PolicyDisjunctionError" | "PolicyNegationError" | "Eth2ExceededMaxUnstake" | "Eth2ConcurrentUnstaking" | "NotInIpv4Allowlist" | "NotInOriginAllowlist" | "InvalidSourceIp" | "RawSigningNotAllowed" | "Eip712SigningNotAllowed" | "OidcSourceNotAllowed" | "NoOidcAuthSourcesDefined" | "AddKeyToRoleDisallowed" | "KeysAlreadyInRole" | "KeyInMultipleRoles" | "KeyAccessError" | "Eip191SigningNotAllowed";
+        PolicyErrorOwnCodes: "EvmTxReceiverMismatch" | "EvmTxSenderMismatch" | "PolicyDisjunctionError" | "PolicyNegationError" | "Eth2ExceededMaxUnstake" | "Eth2ConcurrentUnstaking" | "NotInIpv4Allowlist" | "NotInOriginAllowlist" | "InvalidSourceIp" | "RawSigningNotAllowed" | "Eip712SigningNotAllowed" | "OidcSourceNotAllowed" | "NoOidcAuthSourcesDefined" | "AddKeyToRoleDisallowed" | "KeysAlreadyInRole" | "KeyInMultipleRoles" | "KeyAccessError" | "Eip191SigningNotAllowed" | "TimeLocked";
         PreconditionErrorCode: components["schemas"]["PreconditionErrorOwnCodes"] | components["schemas"]["PolicyErrorCode"];
         /** @enum {string} */
         PreconditionErrorOwnCodes: "Eth2ProposerSlotTooLow" | "Eth2AttestationSourceEpochTooLow" | "Eth2AttestationTargetEpochTooLow" | "Eth2ConcurrentBlockSigning" | "Eth2ConcurrentAttestationSigning" | "Eth2MultiDepositToNonGeneratedKey" | "Eth2MultiDepositUnknownInitialDeposit" | "Eth2MultiDepositWithdrawalAddressMismatch";
+        /** @description Contains outputs of previous transactions. */
+        PrevOutputs: OneOf<[
+            {
+                /**
+                 * @description `One` variant allows provision of the single previous output needed. It's useful,
+                 * for example, when modifier `SIGHASH_ANYONECANPAY` is provided, only previous output
+                 * of the current input is needed. The first `index` argument is the input index
+                 * this output is referring to.
+                 */
+                One: {
+                    index: number;
+                    tx_out: components["schemas"]["BtcTxOut"];
+                };
+            },
+            {
+                /**
+                 * @description When `SIGHASH_ANYONECANPAY` is not provided, or when the caller is giving all
+                 * previous outputs so the same variable can be used for multiple inputs.
+                 */
+                All: components["schemas"]["BtcTxOut"][];
+            }
+        ]>;
         /**
          * @description This type represents a wire-encodable form of the PublicKeyCredential interface
          * Clients may need to manually encode into this format to communicate with the server
@@ -2637,7 +2990,7 @@ export interface components {
             /** @description Tokens that were revoked. */
             revoked: components["schemas"]["TokenInfo"][];
         };
-        RoleInfo: {
+        RoleInfo: components["schemas"]["CommonFields"] & {
             /**
              * @description Whether the role is enabled
              * @example true
@@ -2776,6 +3129,49 @@ export interface components {
          * @enum {string}
          */
         SubscriptionStatus: "Confirmed" | "Pending";
+        TaprootSignRequest: {
+            sig_kind: components["schemas"]["TaprootSignatureKind"];
+            tx: components["schemas"]["BtcTx"];
+        };
+        TaprootSignResponse: {
+            /**
+             * @description The 64-byte signature, encoded as defined in BIP0340.
+             * @example 0x14110b79e65f90f70cd3ff5adf29bed9c9fcc035772240990fb51d25a10c9667669bba0c3b335163f65d1b9d8569cf22dd8210084cd24d83cc4bb396d979e10d
+             */
+            signature: string;
+        };
+        TaprootSignatureKind: {
+            /** @description Optional annex, as per BIP341 */
+            annex?: string | null;
+            /**
+             * @description Transaction input index
+             * @example 0
+             */
+            input_index: number;
+            leaf_hash_code_separator?: components["schemas"]["BtcLeafHashCodeSeparator"] | null;
+            /**
+             * @description If this field is not present or null, no tweak is applied. If the field is an
+             * empty string, the key is tweaked with an unspendable script path per BIP0341.
+             * Otherwise, this field must contain a 32-byte, base-64 encoded hex string
+             * representing the Merkle root with which to tweak the key before signing.
+             * @example F41HAy2q5Gn8laF2CuMsZbRAQTmD+4Ob3VUMZ7TBGK4=
+             */
+            merkle_root?: string | null;
+            prevouts: components["schemas"]["PrevOutputs"];
+            /**
+             * @description Hash type of an input's signature, encoded in the last byte of the signature.
+             * Possible values:
+             * - SIGHASH_ALL
+             * - SIGHASH_ALL|SIGHASH_ANYONECANPAY
+             * - SIGHASH_DEFAULT
+             * - SIGHASH_NONE
+             * - SIGHASH_NONE|SIGHASH_ANYONECANPAY
+             * - SIGHASH_SINGLE
+             * - SIGHASH_SINGLE|SIGHASH_ANYONECANPAY
+             * @example SIGHASH_ALL
+             */
+            sighash_type: string;
+        };
         TokenInfo: {
             /** @description Session ID. Use it to revoke a session. Cannot be used for auth. */
             hash: string;
@@ -2895,6 +3291,11 @@ export interface components {
              * Once disabled, a key cannot be used for signing.
              */
             enabled?: boolean | null;
+            /**
+             * Format: int64
+             * @description If set, updating the metadata only succeeds if the version matches this value.
+             */
+            version?: number | null;
         };
         UpdateOrgRequest: {
             /** @description If set, update this org's `enabled` field to this value. */
@@ -3039,6 +3440,7 @@ export interface components {
             user_export_window?: number | null;
         };
         UpdateRoleRequest: {
+            edit_policy?: components["schemas"]["EditPolicy"] | null;
             /**
              * @description If set, updates the role's `enabled` property to this value.
              * Once disabled, a role cannot be used; and it's tokens cannot be used for signing.
@@ -3057,6 +3459,11 @@ export interface components {
              */
             policy?: Record<string, never>[] | null;
         };
+        /** @description Request to update an existing user */
+        UpdateUserMembershipRequest: {
+            /** @description Enable or disable user */
+            disabled?: boolean | null;
+        };
         /** @description A request to complete a user export */
         UserExportCompleteRequest: {
             /**
@@ -3152,10 +3559,10 @@ export interface components {
         };
         UserInOrgInfo: {
             /**
-             * @description The user's email
+             * @description The user's email (optional)
              * @example alice@example.com
              */
-            email: string;
+            email?: string | null;
             /**
              * @description The id of the user
              * @example User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f
@@ -3164,6 +3571,7 @@ export interface components {
             membership: components["schemas"]["MemberRole"];
             /** @description Optional user name. */
             name?: string | null;
+            status: components["schemas"]["MembershipStatus"];
         };
         /**
          * @description Information about a user's membership in an organization
@@ -3176,6 +3584,7 @@ export interface components {
              * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
              */
             org_id: string;
+            status: components["schemas"]["MembershipStatus"];
         };
         UserInRoleInfo: {
             user_id: string;
@@ -3185,7 +3594,7 @@ export interface components {
              * @description Optional email
              * @example alice@example.com
              */
-            email: string;
+            email?: string | null;
             /** @description All multi-factor authentication methods configured for this user */
             mfa: components["schemas"]["ConfiguredMfa"][];
             /** @description MFA policy, applies before logging in and other sensitive operations */
@@ -3211,6 +3620,11 @@ export interface components {
              */
             user_id: string;
         };
+        /** @description The response to the user/orgs endpoint */
+        UserOrgsResponse: {
+            /** @description The list of orgs this user is a member of */
+            orgs: components["schemas"]["OrgData"][];
+        };
         /**
          * @description A WebAuthn Relying Party may require user verification for some of its
          * operations but not for others, and may use this type to express its needs.
@@ -3323,6 +3737,30 @@ export interface components {
                 };
             };
         };
+        /**
+         * @description The HTTP response to an email OTP request.
+         *
+         * Users receive an encrypted OIDC token in their email inbox.
+         * The values in this response can be used to decrypt that token
+         * using AES-GCM. This ensures that clients need *both* the emailed token
+         * and this response to complete OTP auth.
+         */
+        EmailOtpResponse: {
+            content: {
+                "application/json": {
+                    /**
+                     * Format: binary
+                     * @description Base64 URL encoded IV value for AES-GCM
+                     */
+                    iv: string;
+                    /**
+                     * Format: binary
+                     * @description Base64 URL encoded key for AES-GCM
+                     */
+                    key: string;
+                };
+            };
+        };
         EmptyImpl: {
             content: {
                 "application/json": {
@@ -3330,6 +3768,33 @@ export interface components {
                 };
             };
         };
+        /** @description Response generated when creating EOTS nonces */
+        EotsCreateNonceResponse: {
+            content: {
+                "application/json": {
+                    /**
+                     * @description The generated nonces as an array of 0x-prefixed hex strings
+                     * @example [
+                     *   "0xb393bf39e71a16d784853d58255a296222a99fd3c87aa7ca206c5230c188f1c7",
+                     *   "0xe01936584b4f0c0e97f0d3018c4f9db2bf7de41395c6403a48fd0dff0ef7b40d"
+                     * ]
+                     */
+                    nonces: string[];
+                };
+            };
+        };
+        /** @description Response to an EOTS signing request */
+        EotsSignResponse: {
+            content: {
+                "application/json": {
+                    /**
+                     * @description The resulting signature, a hex-encoded 32-byte value
+                     * @example 0xd9804c04a696b522472c53bd3a3c664c4c3085a017927e45ffaed711d1613700
+                     */
+                    signature: string;
+                };
+            };
+        };
         Eth1SignResponse: {
             content: {
                 "application/json": {
@@ -3450,7 +3915,7 @@ export interface components {
         };
         KeyInfo: {
             content: {
-                "application/json": {
+                "application/json": components["schemas"]["CommonFields"] & {
                     derivation_info?: components["schemas"]["KeyDerivationInfo"] | null;
                     /** @description Whether the key is enabled (only enabled keys may be used for signing) */
                     enabled: boolean;
@@ -3466,12 +3931,6 @@ export interface components {
                      * @example 0x8e3484687e66cdd26cf04c3647633ab4f3570148
                      */
                     material_id: string;
-                    /**
-                     * @description User-defined metadata. When rendering (e.g., in the browser) you should treat
-                     * it as untrusted user data (and avoid injecting metadata into HTML directly) if
-                     * untrusted users can create/update keys (or their metadata).
-                     */
-                    metadata?: string;
                     /**
                      * @description Owner of the key
                      * @example User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f
@@ -3513,6 +3972,14 @@ export interface components {
                 };
             };
         };
+        /** @description Third-party identities associated with the user's account */
+        ListIdentitiesResponse: {
+            content: {
+                "application/json": {
+                    identities: components["schemas"]["OIDCIdentity"][];
+                };
+            };
+        };
         ListMfaResponse: {
             content: {
                 "application/json": {
@@ -3776,7 +4243,7 @@ export interface components {
         };
         RoleInfo: {
             content: {
-                "application/json": {
+                "application/json": components["schemas"]["CommonFields"] & {
                     /**
                      * @description Whether the role is enabled
                      * @example true
@@ -3860,6 +4327,17 @@ export interface components {
                 };
             };
         };
+        TaprootSignResponse: {
+            content: {
+                "application/json": {
+                    /**
+                     * @description The 64-byte signature, encoded as defined in BIP0340.
+                     * @example 0x14110b79e65f90f70cd3ff5adf29bed9c9fcc035772240990fb51d25a10c9667669bba0c3b335163f65d1b9d8569cf22dd8210084cd24d83cc4bb396d979e10d
+                     */
+                    signature: string;
+                };
+            };
+        };
         TokenInfo: {
             content: {
                 "application/json": {
@@ -4013,6 +4491,26 @@ export interface components {
                 };
             };
         };
+        UserInOrgInfo: {
+            content: {
+                "application/json": {
+                    /**
+                     * @description The user's email (optional)
+                     * @example alice@example.com
+                     */
+                    email?: string | null;
+                    /**
+                     * @description The id of the user
+                     * @example User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f
+                     */
+                    id: string;
+                    membership: components["schemas"]["MemberRole"];
+                    /** @description Optional user name. */
+                    name?: string | null;
+                    status: components["schemas"]["MembershipStatus"];
+                };
+            };
+        };
         UserInfo: {
             content: {
                 "application/json": {
@@ -4020,7 +4518,7 @@ export interface components {
                      * @description Optional email
                      * @example alice@example.com
                      */
-                    email: string;
+                    email?: string | null;
                     /** @description All multi-factor authentication methods configured for this user */
                     mfa: components["schemas"]["ConfiguredMfa"][];
                     /** @description MFA policy, applies before logging in and other sensitive operations */
@@ -4048,6 +4546,15 @@ export interface components {
                 };
             };
         };
+        /** @description The response to the user/orgs endpoint */
+        UserOrgsResponse: {
+            content: {
+                "application/json": {
+                    /** @description The list of orgs this user is a member of */
+                    orgs: components["schemas"]["OrgData"][];
+                };
+            };
+        };
     };
     parameters: never;
     requestBodies: never;
@@ -4129,13 +4636,17 @@ export interface operations {
         };
     };
     /**
-     * Sign Avalanche X- or P-Chain Message
-     * @description Sign Avalanche X- or P-Chain Message
+     * Sign a serialized Avalanche C/X/P-Chain Message
+     * @description Sign a serialized Avalanche C/X/P-Chain Message
+     *
+     * Signs an Avalanche message with a given SecpEth (C-Chain messages) or
+     * SecpAva (X- and P-Chain messages) key. Currently signing C-Chain messages
+     * with SecpEth key must also be explicitly allowed via `AllowRawBlobSigning`
+     * policy.
      *
-     * Signs an Avalanche message with a given SecpAva key.
      * This is a pre-release feature.
      */
-    avaSign: {
+    avaSerializedTxSign: {
         parameters: {
             path: {
                 /**
@@ -4144,7 +4655,53 @@ export interface operations {
                  */
                 org_id: string;
                 /**
-                 * @description Avalanche bech32 address format without the chain prefix
+                 * @description Avalanche chain
+                 * @example P
+                 */
+                ava_chain: string;
+                /**
+                 * @description Avalanche address in bech32 or ETH format
+                 * @example 0xB31f66AA3C1e785363F0875A1B74E27b85FD66c7
+                 */
+                pubkey: string;
+            };
+        };
+        requestBody: {
+            content: {
+                "application/json": components["schemas"]["AvaSerializedTxSignRequest"];
+            };
+        };
+        responses: {
+            200: components["responses"]["AvaSignResponse"];
+            202: {
+                content: {
+                    "application/json": components["schemas"]["AcceptedResponse"];
+                };
+            };
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
+    /**
+     * Sign JSON-encoded Avalanche X- or P-Chain Message
+     * @description Sign JSON-encoded Avalanche X- or P-Chain Message
+     *
+     * Signs an Avalanche message with a given SecpAva key.
+     * This is a pre-release feature.
+     */
+    avaSign: {
+        parameters: {
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+                /**
+                 * @description Avalanche bech32 address format without the chain prefix
                  * @example avax1am4w6hfrvmh3akduzkjthrtgtqafalce6an8cr
                  */
                 pubkey: string;
@@ -4170,10 +4727,86 @@ export interface operations {
         };
     };
     /**
-     * Sign Bitcoin Transaction
-     * @description Sign Bitcoin Transaction
+     * Create EOTS nonces
+     * @description Create EOTS nonces
+     *
+     * Generates a set of Babylon EOTS nonces for a specified chain-id, starting at a
+     * specified block height.
+     */
+    createEotsNonces: {
+        parameters: {
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+                /**
+                 * @description Hex-encoded public key of the EOTS key
+                 * @example 0x457f0f24cfb06c3c35874bbd1f59b57180a5a9d7e1f6929280839c830f5c147f
+                 */
+                pubkey: string;
+            };
+        };
+        requestBody: {
+            content: {
+                "application/json": components["schemas"]["EotsCreateNonceRequest"];
+            };
+        };
+        responses: {
+            200: components["responses"]["EotsCreateNonceResponse"];
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
+    /**
+     * Create an EOTS signature
+     * @description Create an EOTS signature
      *
-     * Signs a Bitcoin transaction with a given key.
+     * Generates an EOTS signature for the specified chain-id, block height, and message.
+     */
+    eotsSign: {
+        parameters: {
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+                /**
+                 * @description Hex-encoded public key of the EOTS key
+                 * @example 0x457f0f24cfb06c3c35874bbd1f59b57180a5a9d7e1f6929280839c830f5c147f
+                 */
+                pubkey: string;
+            };
+        };
+        requestBody: {
+            content: {
+                "application/json": components["schemas"]["EotsSignRequest"];
+            };
+        };
+        responses: {
+            200: components["responses"]["EotsSignResponse"];
+            202: {
+                content: {
+                    "application/json": components["schemas"]["AcceptedResponse"];
+                };
+            };
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
+    /**
+     * Sign Bitcoin Segwit Transaction
+     * @description Sign Bitcoin Segwit Transaction
+     *
+     * Signs a Bitcoin Segwit transaction with a given key.
      * This is a pre-release feature.
      */
     btcSign: {
@@ -4210,6 +4843,47 @@ export interface operations {
             };
         };
     };
+    /**
+     * Sign Bitcoin Taproot Transaction
+     * @description Sign Bitcoin Taproot Transaction
+     *
+     * Signs a Bitcoin Taproot transaction with a given key.
+     * This is a pre-release feature.
+     */
+    btcTaprootSign: {
+        parameters: {
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+                /**
+                 * @description bech32 encoding of the public key
+                 * @example bc1p2wsldez5mud2yam29q22wgfh9439spgduvct83k3pm50fcxa5dps59h4z5
+                 */
+                pubkey: string;
+            };
+        };
+        requestBody: {
+            content: {
+                "application/json": components["schemas"]["TaprootSignRequest"];
+            };
+        };
+        responses: {
+            200: components["responses"]["TaprootSignResponse"];
+            202: {
+                content: {
+                    "application/json": components["schemas"]["AcceptedResponse"];
+                };
+            };
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
     /**
      * Derive Key From Long-Lived Mnemonic
      * @description Derive Key From Long-Lived Mnemonic
@@ -4241,6 +4915,30 @@ export interface operations {
             };
         };
     };
+    setEmailOtp: {
+        parameters: {
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+            };
+        };
+        requestBody: {
+            content: {
+                "application/json": components["schemas"]["ConfigureEmailOtpRequest"];
+            };
+        };
+        responses: {
+            200: components["responses"]["EmptyImpl"];
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
     /**
      * Sign EIP-191 Data
      * @description Sign EIP-191 Data
@@ -4321,6 +5019,85 @@ export interface operations {
             };
         };
     };
+    /**
+     * List associated OIDC identities with the current user.
+     * @description List associated OIDC identities with the current user.
+     */
+    listOidcIdentities: {
+        parameters: {
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+            };
+        };
+        responses: {
+            200: components["responses"]["ListIdentitiesResponse"];
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
+    /**
+     * Associate an OIDC identity with the current user in org <session.org>.
+     * @description Associate an OIDC identity with the current user in org <session.org>.
+     */
+    addOidcIdentity: {
+        parameters: {
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+            };
+        };
+        requestBody: {
+            content: {
+                "application/json": components["schemas"]["AddIdentityRequest"];
+            };
+        };
+        responses: {
+            200: components["responses"]["EmptyImpl"];
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
+    /**
+     * Remove an OIDC identity from the current user's account in org <session.org>.
+     * @description Remove an OIDC identity from the current user's account in org <session.org>.
+     */
+    removeOidcIdentity: {
+        parameters: {
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+            };
+        };
+        requestBody: {
+            content: {
+                "application/json": components["schemas"]["OIDCIdentity"];
+            };
+        };
+        responses: {
+            200: components["responses"]["EmptyImpl"];
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
     /**
      * Create [IdentityProof] from CubeSigner user session
      * @description Create [IdentityProof] from CubeSigner user session
@@ -4520,6 +5297,11 @@ export interface operations {
                  * @example SecpEthAddr
                  */
                 key_type?: components["schemas"]["KeyType"] | null;
+                /**
+                 * @description Filter by key owner
+                 * @example User#5269c579-b4f9-4620-9e90-e46a5a0ffb4d
+                 */
+                key_owner?: components["schemas"]["Id"] | null;
             };
             path: {
                 /**
@@ -4603,7 +5385,9 @@ export interface operations {
      * @description Delete Key
      *
      * Deletes a key specified by its ID.
+     *
      * Only the key owner and org owners are allowed to delete keys.
+     * Additionally, the role's edit policy (if set) must permit the update.
      */
     deleteKey: {
         parameters: {
@@ -4620,6 +5404,11 @@ export interface operations {
                 key_id: string;
             };
         };
+        requestBody: {
+            content: {
+                "application/json": components["schemas"]["Empty"];
+            };
+        };
         responses: {
             200: components["responses"]["EmptyImpl"];
             default: {
@@ -4633,7 +5422,11 @@ export interface operations {
      * Update Key
      * @description Update Key
      *
-     * Enable or disable a key.  The user must be the owner of the key or organization to perform this action.
+     * Enable or disable a key.  The user must be the owner of the key or
+     * organization to perform this action.
+     *
+     * For each requested update, the session must have the corresponding 'manage:key:update:_' scope;
+     * if no updates are requested, the session must have 'manage:key:get'.
      */
     updateKey: {
         parameters: {
@@ -4997,6 +5790,44 @@ export interface operations {
             };
         };
     };
+    /**
+     * Initiate login via email token
+     * @description Initiate login via email token
+     *
+     * This endpoint sends an email to the provided address with an OIDC token encrypted with AES-GCM.
+     * The decryption parameters are returned immediately in the response.
+     * Once that token is decrypted, it can be used with the standard OIDC authentication flows
+     *
+     *
+     * > [!IMPORTANT]
+     * > For this endpoint to succeed, the org must be configured to:
+     * > 1. Allow the issuer `https://shim.oauth2.cubist.dev/email-otp` and client ID being the Org ID
+     * > 2. Have an email sender configured for OTPs
+     */
+    emailOtpAuth: {
+        parameters: {
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+            };
+        };
+        requestBody: {
+            content: {
+                "application/json": components["schemas"]["EmailOtpRequest"];
+            };
+        };
+        responses: {
+            200: components["responses"]["EmailOtpResponse"];
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
     /**
      * List Roles
      * @description List Roles
@@ -5106,7 +5937,9 @@ export interface operations {
      * @description Delete Role
      *
      * Deletes a role in an organization.
+     *
      * Only users in the role can perform this action.
+     * Additionally, the role's edit policy (if set) must permit the update.
      */
     deleteRole: {
         parameters: {
@@ -5123,6 +5956,11 @@ export interface operations {
                 role_id: string;
             };
         };
+        requestBody: {
+            content: {
+                "application/json": components["schemas"]["Empty"];
+            };
+        };
         responses: {
             200: components["responses"]["EmptyImpl"];
             default: {
@@ -5138,7 +5976,9 @@ export interface operations {
      *
      * Enables or disables a role (this requires the `manage:role:update:enable` scope).
      * Updates the role's policies (this requires the `manage:role:update:policy` scope).
+     *
      * The user must be in the role or an owner of the organization.
+     * Additionally, the role's edit policy (if set) must permit the update.
      */
     updateRole: {
         parameters: {
@@ -5174,6 +6014,9 @@ export interface operations {
      * @description Add Keys
      *
      * Adds a list of existing keys to an existing role.
+     *
+     * Only the key owner can their key to a role.
+     * Additionally, the role's edit policy (if set) must permit the update.
      */
     addKeysToRole: {
         parameters: {
@@ -5202,7 +6045,9 @@ export interface operations {
      * @description Add User
      *
      * Adds an existing user to an existing role.
-     * Only users in the role or owners can add users to a role.
+     *
+     * Only users in the role or org owners can add users to a role.
+     * Additionally, the role's edit policy (if set) must permit the update.
      */
     addUserToRole: {
         parameters: {
@@ -5224,6 +6069,11 @@ export interface operations {
                 user_id: string;
             };
         };
+        requestBody: {
+            content: {
+                "application/json": components["schemas"]["Empty"];
+            };
+        };
         responses: {};
     };
     /**
@@ -5275,7 +6125,10 @@ export interface operations {
      * Remove Key
      * @description Remove Key
      *
-     * Removes a given key from a role
+     * Removes a given key from a role.
+     *
+     * Only users in the role or org owners can remove keys from a role.
+     * Additionally, the role's edit policy (if set) must permit the update.
      */
     removeKeyFromRole: {
         parameters: {
@@ -5297,6 +6150,11 @@ export interface operations {
                 key_id: string;
             };
         };
+        requestBody: {
+            content: {
+                "application/json": components["schemas"]["Empty"];
+            };
+        };
         responses: {};
     };
     /**
@@ -5492,7 +6350,9 @@ export interface operations {
      * @description Remove User
      *
      * Removes an existing user from an existing role.
+     *
      * Only users in the role or org owners can remove users from a role.
+     * Additionally, the role's edit policy (if set) must permit the update.
      */
     removeUserFromRole: {
         parameters: {
@@ -5514,6 +6374,11 @@ export interface operations {
                 user_id: string;
             };
         };
+        requestBody: {
+            content: {
+                "application/json": components["schemas"]["Empty"];
+            };
+        };
         responses: {};
     };
     /**
@@ -6276,6 +7141,69 @@ export interface operations {
             };
         };
     };
+    /**
+     * Remove a user from the org
+     * @description Remove a user from the org
+     */
+    deleteUser: {
+        parameters: {
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+                /**
+                 * @description ID of the desired User
+                 * @example User#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                user_id: string;
+            };
+        };
+        responses: {
+            200: components["responses"]["EmptyImpl"];
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
+    /**
+     * Update a user's membership in the org
+     * @description Update a user's membership in the org
+     *
+     * Currently allows just enabling/disabling a user in the org.
+     */
+    updateUserMembership: {
+        parameters: {
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+                /**
+                 * @description ID of the desired User
+                 * @example User#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                user_id: string;
+            };
+        };
+        requestBody: {
+            content: {
+                "application/json": components["schemas"]["UpdateUserMembershipRequest"];
+            };
+        };
+        responses: {
+            200: components["responses"]["UserInOrgInfo"];
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
     /**
      * Initiate registration of a FIDO key
      * @deprecated
@@ -6404,12 +7332,25 @@ export interface operations {
             };
         };
     };
+    /**
+     * Retrieves all the orgs the user is a part of
+     * @description Retrieves all the orgs the user is a part of
+     */
+    userOrgs: {
+        responses: {
+            200: components["responses"]["UserOrgsResponse"];
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
     /**
      * Sign Raw Blob
      * @description Sign Raw Blob
      *
      * Signs an arbitrary blob with a given key.
-     * This is a pre-release feature.
      *
      * - ECDSA signatures are serialized as big-endian r and s plus recovery-id
      * byte v, which can in general take any of the values 0, 1, 2, or 3.