@cubist-labs/cubesigner-sdk 0.3.28 → 0.3.29

package/src/schema.ts

@@ -38,26 +38,69 @@ export interface paths {
      */
     patch: operations["updateOrg"];
   };
+  "/v0/org/{org_id}/ava/sign/{ava_chain}/{pubkey}": {
+    /**
+     * Sign a serialized Avalanche C/X/P-Chain Message
+     * @description Sign a serialized Avalanche C/X/P-Chain Message
+     *
+     * Signs an Avalanche message with a given SecpEth (C-Chain messages) or
+     * SecpAva (X- and P-Chain messages) key. Currently signing C-Chain messages
+     * with SecpEth key must also be explicitly allowed via `AllowRawBlobSigning`
+     * policy.
+     *
+     * This is a pre-release feature.
+     */
+    post: operations["avaSerializedTxSign"];
+  };
   "/v0/org/{org_id}/ava/sign/{pubkey}": {
     /**
-     * Sign Avalanche X- or P-Chain Message
-     * @description Sign Avalanche X- or P-Chain Message
+     * Sign JSON-encoded Avalanche X- or P-Chain Message
+     * @description Sign JSON-encoded Avalanche X- or P-Chain Message
      *
      * Signs an Avalanche message with a given SecpAva key.
      * This is a pre-release feature.
      */
     post: operations["avaSign"];
   };
+  "/v0/org/{org_id}/babylon/eots/nonces/{pubkey}": {
+    /**
+     * Create EOTS nonces
+     * @description Create EOTS nonces
+     *
+     * Generates a set of Babylon EOTS nonces for a specified chain-id, starting at a
+     * specified block height.
+     */
+    post: operations["createEotsNonces"];
+  };
+  "/v0/org/{org_id}/babylon/eots/sign/{pubkey}": {
+    /**
+     * Create an EOTS signature
+     * @description Create an EOTS signature
+     *
+     * Generates an EOTS signature for the specified chain-id, block height, and message.
+     */
+    post: operations["eotsSign"];
+  };
   "/v0/org/{org_id}/btc/sign/{pubkey}": {
     /**
-     * Sign Bitcoin Transaction
-     * @description Sign Bitcoin Transaction
+     * Sign Bitcoin Segwit Transaction
+     * @description Sign Bitcoin Segwit Transaction
      *
-     * Signs a Bitcoin transaction with a given key.
+     * Signs a Bitcoin Segwit transaction with a given key.
      * This is a pre-release feature.
      */
     post: operations["btcSign"];
   };
+  "/v0/org/{org_id}/btc/taproot/sign/{pubkey}": {
+    /**
+     * Sign Bitcoin Taproot Transaction
+     * @description Sign Bitcoin Taproot Transaction
+     *
+     * Signs a Bitcoin Taproot transaction with a given key.
+     * This is a pre-release feature.
+     */
+    post: operations["btcTaprootSign"];
+  };
   "/v0/org/{org_id}/derive_key": {
     /**
      * Derive Key From Long-Lived Mnemonic
@@ -68,6 +111,9 @@ export interface paths {
      */
     put: operations["deriveKey"];
   };
+  "/v0/org/{org_id}/emails/otp": {
+    put: operations["setEmailOtp"];
+  };
   "/v0/org/{org_id}/evm/eip191/sign/{pubkey}": {
     /**
      * Sign EIP-191 Data
@@ -86,6 +132,23 @@ export interface paths {
      */
     post: operations["eip712Sign"];
   };
+  "/v0/org/{org_id}/identity": {
+    /**
+     * List associated OIDC identities with the current user.
+     * @description List associated OIDC identities with the current user.
+     */
+    get: operations["listOidcIdentities"];
+    /**
+     * Associate an OIDC identity with the current user in org <session.org>.
+     * @description Associate an OIDC identity with the current user in org <session.org>.
+     */
+    post: operations["addOidcIdentity"];
+    /**
+     * Remove an OIDC identity from the current user's account in org <session.org>.
+     * @description Remove an OIDC identity from the current user's account in org <session.org>.
+     */
+    delete: operations["removeOidcIdentity"];
+  };
   "/v0/org/{org_id}/identity/prove": {
     /**
      * Create [IdentityProof] from CubeSigner user session
@@ -181,7 +244,9 @@ export interface paths {
      * @description Delete Key
      *
      * Deletes a key specified by its ID.
+     *
      * Only the key owner and org owners are allowed to delete keys.
+     * Additionally, the role's edit policy (if set) must permit the update.
      */
     delete: operations["deleteKey"];
     /**
@@ -300,6 +365,23 @@ export interface paths {
      */
     post: operations["oidcAuth"];
   };
+  "/v0/org/{org_id}/oidc/email-otp": {
+    /**
+     * Initiate login via email token
+     * @description Initiate login via email token
+     *
+     * This endpoint sends an email to the provided address with an OIDC token encrypted with AES-GCM.
+     * The decryption parameters are returned immediately in the response.
+     * Once that token is decrypted, it can be used with the standard OIDC authentication flows
+     *
+     *
+     * > [!IMPORTANT]
+     * > For this endpoint to succeed, the org must be configured to:
+     * > 1. Allow the issuer `https://shim.oauth2.cubist.dev/email-otp` and client ID being the Org ID
+     * > 2. Have an email sender configured for OTPs
+     */
+    post: operations["emailOtpAuth"];
+  };
   "/v0/org/{org_id}/roles": {
     /**
      * List Roles
@@ -330,7 +412,9 @@ export interface paths {
      * @description Delete Role
      *
      * Deletes a role in an organization.
+     *
      * Only users in the role can perform this action.
+     * Additionally, the role's edit policy (if set) must permit the update.
      */
     delete: operations["deleteRole"];
     /**
@@ -339,7 +423,9 @@ export interface paths {
      *
      * Enables or disables a role (this requires the `manage:role:update:enable` scope).
      * Updates the role's policies (this requires the `manage:role:update:policy` scope).
+     *
      * The user must be in the role or an owner of the organization.
+     * Additionally, the role's edit policy (if set) must permit the update.
      */
     patch: operations["updateRole"];
   };
@@ -349,6 +435,9 @@ export interface paths {
      * @description Add Keys
      *
      * Adds a list of existing keys to an existing role.
+     *
+     * Only the key owner can their key to a role.
+     * Additionally, the role's edit policy (if set) must permit the update.
      */
     put: operations["addKeysToRole"];
   };
@@ -358,7 +447,9 @@ export interface paths {
      * @description Add User
      *
      * Adds an existing user to an existing role.
-     * Only users in the role or owners can add users to a role.
+     *
+     * Only users in the role or org owners can add users to a role.
+     * Additionally, the role's edit policy (if set) must permit the update.
      */
     put: operations["addUserToRole"];
   };
@@ -376,7 +467,10 @@ export interface paths {
      * Remove Key
      * @description Remove Key
      *
-     * Removes a given key from a role
+     * Removes a given key from a role.
+     *
+     * Only users in the role or org owners can remove keys from a role.
+     * Additionally, the role's edit policy (if set) must permit the update.
      */
     delete: operations["removeKeyFromRole"];
   };
@@ -440,7 +534,9 @@ export interface paths {
      * @description Remove User
      *
      * Removes an existing user from an existing role.
+     *
      * Only users in the role or org owners can remove users from a role.
+     * Additionally, the role's edit policy (if set) must permit the update.
      */
     delete: operations["removeUserFromRole"];
   };
@@ -640,6 +736,22 @@ export interface paths {
      */
     delete: operations["deleteOidcUser"];
   };
+  "/v0/org/{org_id}/users/{user_id}": {
+    /**
+     * Remove a user from the org
+     * @description Remove a user from the org
+     */
+    delete: operations["deleteUser"];
+  };
+  "/v0/org/{org_id}/users/{user_id}/membership": {
+    /**
+     * Update a user's membership in the org
+     * @description Update a user's membership in the org
+     *
+     * Currently allows just enabling/disabling a user in the org.
+     */
+    patch: operations["updateUserMembership"];
+  };
   "/v0/user/me/fido": {
     /**
      * Initiate registration of a FIDO key
@@ -694,13 +806,19 @@ export interface paths {
      */
     post: operations["verifyTotpLegacy"];
   };
+  "/v0/user/orgs": {
+    /**
+     * Retrieves all the orgs the user is a part of
+     * @description Retrieves all the orgs the user is a part of
+     */
+    get: operations["userOrgs"];
+  };
   "/v1/org/{org_id}/blob/sign/{key_id}": {
     /**
      * Sign Raw Blob
      * @description Sign Raw Blob
      *
      * Signs an arbitrary blob with a given key.
-     * This is a pre-release feature.
      *
      * - ECDSA signatures are serialized as big-endian r and s plus recovery-id
      * byte v, which can in general take any of the values 0, 1, 2, or 3.
@@ -801,6 +919,10 @@ export interface components {
     };
     /** @enum {string} */
     AcceptedValueCode: "MfaRequired";
+    /** @description Request to add OIDC identity to an existing user account */
+    AddIdentityRequest: {
+      oidc_token: string;
+    };
     AddKeysToRoleRequest: {
       /**
        * @description A list of keys to add to a role
@@ -987,7 +1109,12 @@ export interface components {
      * @enum {string}
      */
     AuthenticatorTransport: "usb" | "nfc" | "ble" | "internal";
-    /** @description Request to sign an Avalanche transactions */
+    /** @description Request to sign a serialized Avalanche transaction */
+    AvaSerializedTxSignRequest: {
+      /** @description Serialized transaction to sign */
+      tx: string;
+    };
+    /** @description Request to sign an Avalanche transaction */
     AvaSignRequest: {
       /**
        * @description Transaction to sign.
@@ -1013,7 +1140,11 @@ export interface components {
     /** @description Wrapper around a zeroizing 32-byte fixed-size array */
     B32: string;
     /** @enum {string} */
-    BadGatewayErrorCode: "OAuthProviderError";
+    BadGatewayErrorCode:
+      | "OAuthProviderError"
+      | "OidcDisoveryFailed"
+      | "OidcIssuerJwkEndpointUnavailable"
+      | "SmtpServerUnavailable";
     /** @enum {string} */
     BadRequestErrorCode:
       | "GenericBadRequest"
@@ -1030,12 +1161,14 @@ export interface components {
       | "RoleNameTaken"
       | "AddKeyToRoleCountTooHigh"
       | "InvalidKeyId"
+      | "InvalidTimeLockAlreadyInThePast"
       | "InvalidUpdate"
       | "InvalidMetadataLength"
       | "InvalidKeyMaterialId"
       | "KeyNotFound"
       | "UserExportDerivedKey"
       | "UserExportPublicKeyInvalid"
+      | "UnableToAccessSmtpRelay"
       | "UserExportInProgress"
       | "RoleNotFound"
       | "InvalidMfaReceiptOrgIdMissing"
@@ -1074,14 +1207,19 @@ export interface components {
       | "AvaSignHashError"
       | "AvaSignError"
       | "BtcSegwitHashError"
+      | "BtcTaprootHashError"
       | "BtcSignError"
+      | "TaprootSignError"
       | "Eip712SignError"
       | "InvalidMemberRoleInUserAdd"
       | "ThirdPartyUserAlreadyExists"
+      | "OidcIdentityAlreadyExists"
       | "ThirdPartyUserNotFound"
       | "DeleteOidcUserError"
+      | "DeleteUserError"
       | "SessionRoleMismatch"
       | "InvalidOidcToken"
+      | "InvalidOidcIdentity"
       | "OidcIssuerUnsupported"
       | "OidcIssuerNotAllowed"
       | "OidcIssuerNoApplicableJwk"
@@ -1102,7 +1240,8 @@ export interface components {
       | "CannotDeletePendingSubscription"
       | "InvalidNotificationUrlProtocol"
       | "EmptyOneOfOrgEventFilter"
-      | "EmptyAllExceptOrgEventFilter";
+      | "EmptyAllExceptOrgEventFilter"
+      | "InvalidTapNodeHash";
     /**
      * @example {
      *   "message_base64": "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTYK"
@@ -1116,11 +1255,32 @@ export interface components {
        * the message. For example, Secp256k1 keys require that the message is 32 bytes long.
        */
       message_base64: string;
+      /**
+       * @description An optional tweak value for use *only* with Taproot keys. This field is ignored
+       * for all other key types.
+       *
+       * If this field is not present or null, no tweak is applied. If the field is an
+       * empty string, the key is tweaked with an unspendable script path per BIP0341.
+       * Otherwise, this field must contain a 32-byte, base-64 encoded hex string
+       * representing the Merkle root with which to tweak the key before signing.
+       * @example F41HAy2q5Gn8laF2CuMsZbRAQTmD+4Ob3VUMZ7TBGK4=
+       */
+      taproot_tweak?: string | null;
     };
     BlobSignResponse: {
       /** @description The hex-encoded signature. */
       signature: string;
     };
+    /** @description Leaf hash and code, as per BIP341 and https://github.com/rust-bitcoin/rust-bitcoin/blob/464202109d2b2c96e9b4867461bffe420dbd8177/bitcoin/src/crypto/sighash.rs#L691 */
+    BtcLeafHashCodeSeparator: {
+      /**
+       * Format: int32
+       * @description Code separator
+       */
+      code_separator: number;
+      /** @description Taproot-tagged hash with tag "TapLeaf". */
+      leaf_hash: string;
+    };
     /** @enum {string} */
     BtcSighashType:
       | "All"
@@ -1131,8 +1291,7 @@ export interface components {
       | "SinglePlusAnyoneCanPay";
     BtcSignRequest: {
       sig_kind: components["schemas"]["BtcSignatureKind"];
-      /** @description The bitcoin transaction to sign */
-      tx: Record<string, never>;
+      tx: components["schemas"]["BtcTx"];
     };
     BtcSignResponse: {
       /**
@@ -1163,6 +1322,16 @@ export interface components {
         value: number;
       };
     };
+    BtcTx: Record<string, never>;
+    BtcTxOut: {
+      /** @description The script which must be satisfied for the output to be spent. */
+      script_pubkey: string;
+      /**
+       * Format: int64
+       * @description The value of the output, in satoshis.
+       */
+      value: number;
+    };
     /** @description Describes how to derive a WebAuthn challenge value. */
     ChallengePieces: {
       /**
@@ -1199,6 +1368,7 @@ export interface components {
     /** @description Fields that are common to different types of resources such as keys */
     CommonFields: {
       created?: components["schemas"]["EpochDateTime"] | null;
+      edit_policy?: components["schemas"]["EditPolicy"];
       last_modified?: components["schemas"]["EpochDateTime"] | null;
       /**
        * @description User-defined metadata. When rendering (e.g., in the browser) you should treat
@@ -1212,6 +1382,13 @@ export interface components {
        */
       version?: number;
     };
+    ConfigureEmailOtpRequest: {
+      auth: {
+        smtp: string;
+      };
+      /** @description The email address that OTP requests will come from */
+      sender: string;
+    };
     ConfiguredMfa:
       | {
           /** @enum {string} */
@@ -1226,6 +1403,7 @@ export interface components {
           type: "fido";
         };
     CreateAndUpdateKeyProperties: {
+      edit_policy?: components["schemas"]["EditPolicy"] | null;
       /**
        * @description Set this key's metadata. If this value is `null`, the metadata is erased. If the field is
        * missing, the metadata remains unchanged.
@@ -1394,6 +1572,10 @@ export interface components {
        */
       mnemonic_id: string;
     };
+    EditPolicy: {
+      mfa?: components["schemas"]["MfaPolicy"] | null;
+      time_lock_until?: components["schemas"]["EpochDateTime"] | null;
+    };
     Eip191Or712SignResponse: {
       /**
        * @description Hex-encoded signature comprising 65 bytes in the format required
@@ -1417,6 +1599,7 @@ export interface components {
      *     "domain": {
      *       "chainId": 1337,
      *       "name": "Ether Mail",
+     *       "salt": "0x0000000000000000000000000000000000000000000000000000000000000000",
      *       "verifyingContract": "0xCcCCccccCCCCcCCCCCCcCcCccCcCCCcCcccccccC",
      *       "version": "1"
      *     },
@@ -1456,6 +1639,10 @@ export interface components {
      *         {
      *           "name": "verifyingContract",
      *           "type": "address"
+     *         },
+     *         {
+     *           "name": "salt",
+     *           "type": "bytes32"
      *         }
      *       ],
      *       "Group": [
@@ -1505,11 +1692,95 @@ export interface components {
       /** @description EIP-712 typed data. Refer to the JSON schema defined in EIP-712. */
       typed_data: Record<string, never>;
     };
+    /** @description The request users send to initiate email OTP */
+    EmailOtpRequest: {
+      /** @description The email which will receive the OTP */
+      email: string;
+    };
+    /**
+     * @description The HTTP response to an email OTP request.
+     *
+     * Users receive an encrypted OIDC token in their email inbox.
+     * The values in this response can be used to decrypt that token
+     * using AES-GCM. This ensures that clients need *both* the emailed token
+     * and this response to complete OTP auth.
+     */
+    EmailOtpResponse: {
+      /**
+       * Format: binary
+       * @description Base64 URL encoded IV value for AES-GCM
+       */
+      iv: string;
+      /**
+       * Format: binary
+       * @description Base64 URL encoded key for AES-GCM
+       */
+      key: string;
+    };
     /** @default null */
     Empty: unknown;
     EmptyImpl: {
       status: string;
     };
+    /**
+     * @description Request to create a set of EOTS nonces for a specified chain-id, starting
+     * at a specified block height.
+     */
+    EotsCreateNonceRequest: {
+      /**
+       * @description The chain id for which the nonces will be used, as a hex string
+       * @example 0x11223344
+       */
+      chain_id: string;
+      /**
+       * Format: int32
+       * @description The number of nonces to generate
+       * @example 16
+       */
+      num: number;
+      /**
+       * @description The starting block height of the generated nonces (quoted decimal u64)
+       * @example 31337
+       */
+      start_height: string;
+    };
+    /** @description Response generated when creating EOTS nonces */
+    EotsCreateNonceResponse: {
+      /**
+       * @description The generated nonces as an array of 0x-prefixed hex strings
+       * @example [
+       *   "0xb393bf39e71a16d784853d58255a296222a99fd3c87aa7ca206c5230c188f1c7",
+       *   "0xe01936584b4f0c0e97f0d3018c4f9db2bf7de41395c6403a48fd0dff0ef7b40d"
+       * ]
+       */
+      nonces: string[];
+    };
+    /** @description Request for an EOTS signature on a specified message, chain-id, block-height triple */
+    EotsSignRequest: {
+      /**
+       * @description The block height for the signature (quoted decimal u64)
+       * @example 123456
+       */
+      block_height: string;
+      /**
+       * @description The chain id for the signature
+       * @example 0x11223344
+       */
+      chain_id: string;
+      /**
+       * @description The message to sign
+       * @example 0x5a2688faea09d42b9270fdb8de6fff6f192243a910ba66329073e12e0d0046a2
+       */
+      message: string;
+    };
+    /** @description Response to an EOTS signing request */
+    EotsSignResponse: {
+      /**
+       * @description The resulting signature, a hex-encoded 32-byte value
+       * @example 0xd9804c04a696b522472c53bd3a3c664c4c3085a017927e45ffaed711d1613700
+       */
+      signature: string;
+    };
     /**
      * @description Epoch is a quoted `uint64`.
      * @example 256
@@ -1662,10 +1933,15 @@ export interface components {
     /** @enum {string} */
     ForbiddenErrorCode:
       | "FidoRequiredToRemoveTotp"
+      | "EmailOtpNotConfigured"
       | "MfaChallengeExpired"
       | "ChainIdNotAllowed"
       | "InvalidOrg"
       | "SessionForWrongOrg"
+      | "SelfDelete"
+      | "SelfDisable"
+      | "UserHasNoMfa"
+      | "UserDisabled"
       | "OrgDisabled"
       | "OrgNotFound"
       | "OrgWithoutOwner"
@@ -1836,6 +2112,7 @@ export interface components {
       /** @description HTTP path of the request (including host or not?) */
       path: string;
     };
+    Id: string;
     /**
      * @description Proof that an end-user provided CubeSigner with a valid auth token
      * (either an OIDC token or a CubeSigner session token)
@@ -1890,6 +2167,7 @@ export interface components {
     InternalErrorCode:
       | "SystemTimeError"
       | "ReqwestError"
+      | "EmailConstructionError"
       | "DbQueryError"
       | "DbGetError"
       | "DbDeleteError"
@@ -1908,6 +2186,8 @@ export interface components {
       | "ParseDerivationPathError"
       | "SplitSignerError"
       | "CreateImportKeyError"
+      | "CreateEotsNoncesError"
+      | "EotsSignError"
       | "CognitoDeleteUserError"
       | "CognitoListUsersError"
       | "CognitoGetUserError"
@@ -1931,7 +2211,6 @@ export interface components {
       | "RequestLocalStateAlreadySet"
       | "OidcOrgMismatch"
       | "OrphanedRoleKeyId"
-      | "OidcIssuerJwkEndpointUnavailable"
       | "OidcIssuerInvalidJwk"
       | "InvalidPkForMaterialId"
       | "UncheckedOrg"
@@ -1945,7 +2224,8 @@ export interface components {
       | "SnsGetSubscriptionAttributesError"
       | "SnsSubscriptionAttributesMissing"
       | "SnsSetSubscriptionAttributesError"
-      | "SnsPublishBatchError";
+      | "SnsPublishBatchError"
+      | "InconsistentMultiValueTestAndSet";
     InviteRequest: {
       /**
        * @description The user's email address
@@ -2176,7 +2456,10 @@ export interface components {
       | "Ed25519CardanoAddrVk"
       | "Ed25519StellarAddr"
       | "Mnemonic"
-      | "Stark";
+      | "Stark"
+      | "BabylonEots"
+      | "TaprootBtc"
+      | "TaprootBtcTest";
     /**
      * @description Wrapper around encrypted [UnencryptedLastEvalKey] bytes.
      *
@@ -2184,6 +2467,10 @@ export interface components {
      * so that they can pass this back to us as a url query parameter.
      */
     LastEvalKey: string;
+    /** @description Third-party identities associated with the user's account */
+    ListIdentitiesResponse: {
+      identities: components["schemas"]["OIDCIdentity"][];
+    };
     ListMfaResponse: {
       /** @description All pending MFA requests */
       mfa_requests: components["schemas"]["MfaRequestInfo"][];
@@ -2196,6 +2483,40 @@ export interface components {
      * @enum {string}
      */
     MemberRole: "Alien" | "Member" | "Owner";
+    /** @enum {string} */
+    MembershipStatus: "enabled" | "disabled";
+    /**
+     * @example {
+     *   "allowed_approvers": [
+     *     "User#fabc3f88-04e0-471b-9657-0ae12a3cd73e",
+     *     "User#d796c369-9974-473b-ab9e-e4a2418d2d07"
+     *   ],
+     *   "count": 2,
+     *   "lifetime": 900
+     * }
+     */
+    MfaPolicy: {
+      /** @description Users who are allowed to approve. If empty at creation time, default to the current user. */
+      allowed_approvers?: string[];
+      /** @description Allowed approval types. When omitted, defaults to any. */
+      allowed_mfa_types?: components["schemas"]["MfaType"][] | null;
+      /**
+       * Format: int32
+       * @description How many users to require to approve (defaults to 1).
+       */
+      count?: number;
+      lifetime?: components["schemas"]["Seconds"];
+      /**
+       * Format: int32
+       * @description How many auth factors to require per user (defaults to 1).
+       */
+      num_auth_factors?: number;
+      /**
+       * @description CubeSigner operations to which this policy should apply.
+       * When omitted, applies to all operations.
+       */
+      restricted_operations?: components["schemas"]["OperationKind"][] | null;
+    };
     /** @description Returned as a response from multiple routes (e.g., 'get mfa', 'approve mfa', 'approve totp'). */
     MfaRequestInfo: {
       expires_at: components["schemas"]["EpochDateTime"];
@@ -2245,6 +2566,8 @@ export interface components {
        */
       token: string;
     };
+    /** Format: binary */
+    NonceValue: string;
     /** @enum {string} */
     NotFoundErrorCode:
       | "UriSegmentMissing"
@@ -2279,7 +2602,7 @@ export interface components {
      */
     OIDCIdentity: {
       /**
-       * @description The root-level issuer who administrates this user. Frome the OIDC spec:
+       * @description The root-level issuer who administrates this user. From the OIDC spec:
        * Issuer Identifier for the Issuer of the response. The iss
        * value is a case sensitive URL using the https scheme that contains
        * scheme, host, and optionally, port number and path components and
@@ -2311,6 +2634,37 @@ export interface components {
       scopes: string[];
       tokens?: components["schemas"]["RatchetConfig"];
     };
+    /**
+     * @description All different kinds of sensitive operations
+     * @enum {string}
+     */
+    OperationKind:
+      | "AvaSign"
+      | "AvaChainTxSign"
+      | "BlobSign"
+      | "BtcSign"
+      | "TaprootSign"
+      | "Eip191Sign"
+      | "Eip712Sign"
+      | "EotsNonces"
+      | "EotsSign"
+      | "Eth1Sign"
+      | "Eth2Sign"
+      | "Eth2Stake"
+      | "Eth2Unstake"
+      | "SolanaSign";
+    OrgData: {
+      /**
+       * @description The id of the org
+       * @example Org#123...
+       */
+      org_id: string;
+      /**
+       * @description The human-readable name for the org
+       * @example my_org_name
+       */
+      org_name?: string | null;
+    };
     /**
      * @description Auto-generated discriminant enum variants
      * @enum {string}
@@ -2578,7 +2932,8 @@ export interface components {
       | "KeysAlreadyInRole"
       | "KeyInMultipleRoles"
       | "KeyAccessError"
-      | "Eip191SigningNotAllowed";
+      | "Eip191SigningNotAllowed"
+      | "TimeLocked";
     PreconditionErrorCode:
       | components["schemas"]["PreconditionErrorOwnCodes"]
       | components["schemas"]["PolicyErrorCode"];
@@ -2592,6 +2947,30 @@ export interface components {
       | "Eth2MultiDepositToNonGeneratedKey"
       | "Eth2MultiDepositUnknownInitialDeposit"
       | "Eth2MultiDepositWithdrawalAddressMismatch";
+    /** @description Contains outputs of previous transactions. */
+    PrevOutputs: OneOf<
+      [
+        {
+          /**
+           * @description `One` variant allows provision of the single previous output needed. It's useful,
+           * for example, when modifier `SIGHASH_ANYONECANPAY` is provided, only previous output
+           * of the current input is needed. The first `index` argument is the input index
+           * this output is referring to.
+           */
+          One: {
+            index: number;
+            tx_out: components["schemas"]["BtcTxOut"];
+          };
+        },
+        {
+          /**
+           * @description When `SIGHASH_ANYONECANPAY` is not provided, or when the caller is giving all
+           * previous outputs so the same variable can be used for multiple inputs.
+           */
+          All: components["schemas"]["BtcTxOut"][];
+        },
+      ]
+    >;
     /**
      * @description This type represents a wire-encodable form of the PublicKeyCredential interface
      * Clients may need to manually encode into this format to communicate with the server
@@ -2955,7 +3334,7 @@ export interface components {
       /** @description Tokens that were revoked. */
       revoked: components["schemas"]["TokenInfo"][];
     };
-    RoleInfo: {
+    RoleInfo: components["schemas"]["CommonFields"] & {
       /**
        * @description Whether the role is enabled
        * @example true
@@ -3103,6 +3482,49 @@ export interface components {
      * @enum {string}
      */
     SubscriptionStatus: "Confirmed" | "Pending";
+    TaprootSignRequest: {
+      sig_kind: components["schemas"]["TaprootSignatureKind"];
+      tx: components["schemas"]["BtcTx"];
+    };
+    TaprootSignResponse: {
+      /**
+       * @description The 64-byte signature, encoded as defined in BIP0340.
+       * @example 0x14110b79e65f90f70cd3ff5adf29bed9c9fcc035772240990fb51d25a10c9667669bba0c3b335163f65d1b9d8569cf22dd8210084cd24d83cc4bb396d979e10d
+       */
+      signature: string;
+    };
+    TaprootSignatureKind: {
+      /** @description Optional annex, as per BIP341 */
+      annex?: string | null;
+      /**
+       * @description Transaction input index
+       * @example 0
+       */
+      input_index: number;
+      leaf_hash_code_separator?: components["schemas"]["BtcLeafHashCodeSeparator"] | null;
+      /**
+       * @description If this field is not present or null, no tweak is applied. If the field is an
+       * empty string, the key is tweaked with an unspendable script path per BIP0341.
+       * Otherwise, this field must contain a 32-byte, base-64 encoded hex string
+       * representing the Merkle root with which to tweak the key before signing.
+       * @example F41HAy2q5Gn8laF2CuMsZbRAQTmD+4Ob3VUMZ7TBGK4=
+       */
+      merkle_root?: string | null;
+      prevouts: components["schemas"]["PrevOutputs"];
+      /**
+       * @description Hash type of an input's signature, encoded in the last byte of the signature.
+       * Possible values:
+       * - SIGHASH_ALL
+       * - SIGHASH_ALL|SIGHASH_ANYONECANPAY
+       * - SIGHASH_DEFAULT
+       * - SIGHASH_NONE
+       * - SIGHASH_NONE|SIGHASH_ANYONECANPAY
+       * - SIGHASH_SINGLE
+       * - SIGHASH_SINGLE|SIGHASH_ANYONECANPAY
+       * @example SIGHASH_ALL
+       */
+      sighash_type: string;
+    };
     TokenInfo: {
       /** @description Session ID. Use it to revoke a session. Cannot be used for auth. */
       hash: string;
@@ -3375,6 +3797,7 @@ export interface components {
       user_export_window?: number | null;
     };
     UpdateRoleRequest: {
+      edit_policy?: components["schemas"]["EditPolicy"] | null;
       /**
        * @description If set, updates the role's `enabled` property to this value.
        * Once disabled, a role cannot be used; and it's tokens cannot be used for signing.
@@ -3393,6 +3816,11 @@ export interface components {
        */
       policy?: Record<string, never>[] | null;
     };
+    /** @description Request to update an existing user */
+    UpdateUserMembershipRequest: {
+      /** @description Enable or disable user */
+      disabled?: boolean | null;
+    };
     /** @description A request to complete a user export */
     UserExportCompleteRequest: {
       /**
@@ -3500,6 +3928,7 @@ export interface components {
       membership: components["schemas"]["MemberRole"];
       /** @description Optional user name. */
       name?: string | null;
+      status: components["schemas"]["MembershipStatus"];
     };
     /**
      * @description Information about a user's membership in an organization
@@ -3512,6 +3941,7 @@ export interface components {
        * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
        */
       org_id: string;
+      status: components["schemas"]["MembershipStatus"];
     };
     UserInRoleInfo: {
       user_id: string;
@@ -3547,6 +3977,11 @@ export interface components {
        */
       user_id: string;
     };
+    /** @description The response to the user/orgs endpoint */
+    UserOrgsResponse: {
+      /** @description The list of orgs this user is a member of */
+      orgs: components["schemas"]["OrgData"][];
+    };
     /**
      * @description A WebAuthn Relying Party may require user verification for some of its
      * operations but not for others, and may use this type to express its needs.
@@ -3659,6 +4094,30 @@ export interface components {
         };
       };
     };
+    /**
+     * @description The HTTP response to an email OTP request.
+     *
+     * Users receive an encrypted OIDC token in their email inbox.
+     * The values in this response can be used to decrypt that token
+     * using AES-GCM. This ensures that clients need *both* the emailed token
+     * and this response to complete OTP auth.
+     */
+    EmailOtpResponse: {
+      content: {
+        "application/json": {
+          /**
+           * Format: binary
+           * @description Base64 URL encoded IV value for AES-GCM
+           */
+          iv: string;
+          /**
+           * Format: binary
+           * @description Base64 URL encoded key for AES-GCM
+           */
+          key: string;
+        };
+      };
+    };
     EmptyImpl: {
       content: {
         "application/json": {
@@ -3666,6 +4125,33 @@ export interface components {
         };
       };
     };
+    /** @description Response generated when creating EOTS nonces */
+    EotsCreateNonceResponse: {
+      content: {
+        "application/json": {
+          /**
+           * @description The generated nonces as an array of 0x-prefixed hex strings
+           * @example [
+           *   "0xb393bf39e71a16d784853d58255a296222a99fd3c87aa7ca206c5230c188f1c7",
+           *   "0xe01936584b4f0c0e97f0d3018c4f9db2bf7de41395c6403a48fd0dff0ef7b40d"
+           * ]
+           */
+          nonces: string[];
+        };
+      };
+    };
+    /** @description Response to an EOTS signing request */
+    EotsSignResponse: {
+      content: {
+        "application/json": {
+          /**
+           * @description The resulting signature, a hex-encoded 32-byte value
+           * @example 0xd9804c04a696b522472c53bd3a3c664c4c3085a017927e45ffaed711d1613700
+           */
+          signature: string;
+        };
+      };
+    };
     Eth1SignResponse: {
       content: {
         "application/json": {
@@ -3843,6 +4329,14 @@ export interface components {
         };
       };
     };
+    /** @description Third-party identities associated with the user's account */
+    ListIdentitiesResponse: {
+      content: {
+        "application/json": {
+          identities: components["schemas"]["OIDCIdentity"][];
+        };
+      };
+    };
     ListMfaResponse: {
       content: {
         "application/json": {
@@ -4106,7 +4600,7 @@ export interface components {
     };
     RoleInfo: {
       content: {
-        "application/json": {
+        "application/json": components["schemas"]["CommonFields"] & {
           /**
            * @description Whether the role is enabled
            * @example true
@@ -4190,6 +4684,17 @@ export interface components {
         };
       };
     };
+    TaprootSignResponse: {
+      content: {
+        "application/json": {
+          /**
+           * @description The 64-byte signature, encoded as defined in BIP0340.
+           * @example 0x14110b79e65f90f70cd3ff5adf29bed9c9fcc035772240990fb51d25a10c9667669bba0c3b335163f65d1b9d8569cf22dd8210084cd24d83cc4bb396d979e10d
+           */
+          signature: string;
+        };
+      };
+    };
     TokenInfo: {
       content: {
         "application/json": {
@@ -4345,6 +4850,26 @@ export interface components {
         };
       };
     };
+    UserInOrgInfo: {
+      content: {
+        "application/json": {
+          /**
+           * @description The user's email (optional)
+           * @example alice@example.com
+           */
+          email?: string | null;
+          /**
+           * @description The id of the user
+           * @example User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f
+           */
+          id: string;
+          membership: components["schemas"]["MemberRole"];
+          /** @description Optional user name. */
+          name?: string | null;
+          status: components["schemas"]["MembershipStatus"];
+        };
+      };
+    };
     UserInfo: {
       content: {
         "application/json": {
@@ -4380,6 +4905,15 @@ export interface components {
         };
       };
     };
+    /** @description The response to the user/orgs endpoint */
+    UserOrgsResponse: {
+      content: {
+        "application/json": {
+          /** @description The list of orgs this user is a member of */
+          orgs: components["schemas"]["OrgData"][];
+        };
+      };
+    };
   };
   parameters: never;
   requestBodies: never;
@@ -4464,13 +4998,17 @@ export interface operations {
     };
   };
   /**
-   * Sign Avalanche X- or P-Chain Message
-   * @description Sign Avalanche X- or P-Chain Message
+   * Sign a serialized Avalanche C/X/P-Chain Message
+   * @description Sign a serialized Avalanche C/X/P-Chain Message
+   *
+   * Signs an Avalanche message with a given SecpEth (C-Chain messages) or
+   * SecpAva (X- and P-Chain messages) key. Currently signing C-Chain messages
+   * with SecpEth key must also be explicitly allowed via `AllowRawBlobSigning`
+   * policy.
    *
-   * Signs an Avalanche message with a given SecpAva key.
    * This is a pre-release feature.
    */
-  avaSign: {
+  avaSerializedTxSign: {
     parameters: {
       path: {
         /**
@@ -4479,15 +5017,20 @@ export interface operations {
          */
         org_id: string;
         /**
-         * @description Avalanche bech32 address format without the chain prefix
-         * @example avax1am4w6hfrvmh3akduzkjthrtgtqafalce6an8cr
+         * @description Avalanche chain
+         * @example P
+         */
+        ava_chain: string;
+        /**
+         * @description Avalanche address in bech32 or ETH format
+         * @example 0xB31f66AA3C1e785363F0875A1B74E27b85FD66c7
          */
         pubkey: string;
       };
     };
     requestBody: {
       content: {
-        "application/json": components["schemas"]["AvaSignRequest"];
+        "application/json": components["schemas"]["AvaSerializedTxSignRequest"];
       };
     };
     responses: {
@@ -4505,13 +5048,13 @@ export interface operations {
     };
   };
   /**
-   * Sign Bitcoin Transaction
-   * @description Sign Bitcoin Transaction
+   * Sign JSON-encoded Avalanche X- or P-Chain Message
+   * @description Sign JSON-encoded Avalanche X- or P-Chain Message
    *
-   * Signs a Bitcoin transaction with a given key.
+   * Signs an Avalanche message with a given SecpAva key.
    * This is a pre-release feature.
    */
-  btcSign: {
+  avaSign: {
     parameters: {
       path: {
         /**
@@ -4520,19 +5063,19 @@ export interface operations {
          */
         org_id: string;
         /**
-         * @description bech32 encoding of the public key
-         * @example bc1q5p5qkae77ly80kr4pyfytdqm7rf08ddhdejl9g
+         * @description Avalanche bech32 address format without the chain prefix
+         * @example avax1am4w6hfrvmh3akduzkjthrtgtqafalce6an8cr
          */
         pubkey: string;
       };
     };
     requestBody: {
       content: {
-        "application/json": components["schemas"]["BtcSignRequest"];
+        "application/json": components["schemas"]["AvaSignRequest"];
       };
     };
     responses: {
-      200: components["responses"]["BtcSignResponse"];
+      200: components["responses"]["AvaSignResponse"];
       202: {
         content: {
           "application/json": components["schemas"]["AcceptedResponse"];
@@ -4546,13 +5089,13 @@ export interface operations {
     };
   };
   /**
-   * Derive Key From Long-Lived Mnemonic
-   * @description Derive Key From Long-Lived Mnemonic
+   * Create EOTS nonces
+   * @description Create EOTS nonces
    *
-   * Derives a key of a specified type using a supplied derivation path and an
-   * existing long-lived mnemonic.
+   * Generates a set of Babylon EOTS nonces for a specified chain-id, starting at a
+   * specified block height.
    */
-  deriveKey: {
+  createEotsNonces: {
     parameters: {
       path: {
         /**
@@ -4560,7 +5103,165 @@ export interface operations {
          * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
          */
         org_id: string;
-      };
+        /**
+         * @description Hex-encoded public key of the EOTS key
+         * @example 0x457f0f24cfb06c3c35874bbd1f59b57180a5a9d7e1f6929280839c830f5c147f
+         */
+        pubkey: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["EotsCreateNonceRequest"];
+      };
+    };
+    responses: {
+      200: components["responses"]["EotsCreateNonceResponse"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Create an EOTS signature
+   * @description Create an EOTS signature
+   *
+   * Generates an EOTS signature for the specified chain-id, block height, and message.
+   */
+  eotsSign: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description Hex-encoded public key of the EOTS key
+         * @example 0x457f0f24cfb06c3c35874bbd1f59b57180a5a9d7e1f6929280839c830f5c147f
+         */
+        pubkey: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["EotsSignRequest"];
+      };
+    };
+    responses: {
+      200: components["responses"]["EotsSignResponse"];
+      202: {
+        content: {
+          "application/json": components["schemas"]["AcceptedResponse"];
+        };
+      };
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Sign Bitcoin Segwit Transaction
+   * @description Sign Bitcoin Segwit Transaction
+   *
+   * Signs a Bitcoin Segwit transaction with a given key.
+   * This is a pre-release feature.
+   */
+  btcSign: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description bech32 encoding of the public key
+         * @example bc1q5p5qkae77ly80kr4pyfytdqm7rf08ddhdejl9g
+         */
+        pubkey: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["BtcSignRequest"];
+      };
+    };
+    responses: {
+      200: components["responses"]["BtcSignResponse"];
+      202: {
+        content: {
+          "application/json": components["schemas"]["AcceptedResponse"];
+        };
+      };
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Sign Bitcoin Taproot Transaction
+   * @description Sign Bitcoin Taproot Transaction
+   *
+   * Signs a Bitcoin Taproot transaction with a given key.
+   * This is a pre-release feature.
+   */
+  btcTaprootSign: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description bech32 encoding of the public key
+         * @example bc1p2wsldez5mud2yam29q22wgfh9439spgduvct83k3pm50fcxa5dps59h4z5
+         */
+        pubkey: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["TaprootSignRequest"];
+      };
+    };
+    responses: {
+      200: components["responses"]["TaprootSignResponse"];
+      202: {
+        content: {
+          "application/json": components["schemas"]["AcceptedResponse"];
+        };
+      };
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Derive Key From Long-Lived Mnemonic
+   * @description Derive Key From Long-Lived Mnemonic
+   *
+   * Derives a key of a specified type using a supplied derivation path and an
+   * existing long-lived mnemonic.
+   */
+  deriveKey: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+      };
     };
     requestBody: {
       content: {
@@ -4576,6 +5277,30 @@ export interface operations {
       };
     };
   };
+  setEmailOtp: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["ConfigureEmailOtpRequest"];
+      };
+    };
+    responses: {
+      200: components["responses"]["EmptyImpl"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
   /**
    * Sign EIP-191 Data
    * @description Sign EIP-191 Data
@@ -4656,6 +5381,85 @@ export interface operations {
       };
     };
   };
+  /**
+   * List associated OIDC identities with the current user.
+   * @description List associated OIDC identities with the current user.
+   */
+  listOidcIdentities: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+      };
+    };
+    responses: {
+      200: components["responses"]["ListIdentitiesResponse"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Associate an OIDC identity with the current user in org <session.org>.
+   * @description Associate an OIDC identity with the current user in org <session.org>.
+   */
+  addOidcIdentity: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["AddIdentityRequest"];
+      };
+    };
+    responses: {
+      200: components["responses"]["EmptyImpl"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Remove an OIDC identity from the current user's account in org <session.org>.
+   * @description Remove an OIDC identity from the current user's account in org <session.org>.
+   */
+  removeOidcIdentity: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["OIDCIdentity"];
+      };
+    };
+    responses: {
+      200: components["responses"]["EmptyImpl"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
   /**
    * Create [IdentityProof] from CubeSigner user session
    * @description Create [IdentityProof] from CubeSigner user session
@@ -4855,6 +5659,11 @@ export interface operations {
          * @example SecpEthAddr
          */
         key_type?: components["schemas"]["KeyType"] | null;
+        /**
+         * @description Filter by key owner
+         * @example User#5269c579-b4f9-4620-9e90-e46a5a0ffb4d
+         */
+        key_owner?: components["schemas"]["Id"] | null;
       };
       path: {
         /**
@@ -4938,7 +5747,9 @@ export interface operations {
    * @description Delete Key
    *
    * Deletes a key specified by its ID.
+   *
    * Only the key owner and org owners are allowed to delete keys.
+   * Additionally, the role's edit policy (if set) must permit the update.
    */
   deleteKey: {
     parameters: {
@@ -4955,6 +5766,11 @@ export interface operations {
         key_id: string;
       };
     };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["Empty"];
+      };
+    };
     responses: {
       200: components["responses"]["EmptyImpl"];
       default: {
@@ -5336,6 +6152,44 @@ export interface operations {
       };
     };
   };
+  /**
+   * Initiate login via email token
+   * @description Initiate login via email token
+   *
+   * This endpoint sends an email to the provided address with an OIDC token encrypted with AES-GCM.
+   * The decryption parameters are returned immediately in the response.
+   * Once that token is decrypted, it can be used with the standard OIDC authentication flows
+   *
+   *
+   * > [!IMPORTANT]
+   * > For this endpoint to succeed, the org must be configured to:
+   * > 1. Allow the issuer `https://shim.oauth2.cubist.dev/email-otp` and client ID being the Org ID
+   * > 2. Have an email sender configured for OTPs
+   */
+  emailOtpAuth: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["EmailOtpRequest"];
+      };
+    };
+    responses: {
+      200: components["responses"]["EmailOtpResponse"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
   /**
    * List Roles
    * @description List Roles
@@ -5445,7 +6299,9 @@ export interface operations {
    * @description Delete Role
    *
    * Deletes a role in an organization.
+   *
    * Only users in the role can perform this action.
+   * Additionally, the role's edit policy (if set) must permit the update.
    */
   deleteRole: {
     parameters: {
@@ -5462,6 +6318,11 @@ export interface operations {
         role_id: string;
       };
     };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["Empty"];
+      };
+    };
     responses: {
       200: components["responses"]["EmptyImpl"];
       default: {
@@ -5477,7 +6338,9 @@ export interface operations {
    *
    * Enables or disables a role (this requires the `manage:role:update:enable` scope).
    * Updates the role's policies (this requires the `manage:role:update:policy` scope).
+   *
    * The user must be in the role or an owner of the organization.
+   * Additionally, the role's edit policy (if set) must permit the update.
    */
   updateRole: {
     parameters: {
@@ -5513,6 +6376,9 @@ export interface operations {
    * @description Add Keys
    *
    * Adds a list of existing keys to an existing role.
+   *
+   * Only the key owner can their key to a role.
+   * Additionally, the role's edit policy (if set) must permit the update.
    */
   addKeysToRole: {
     parameters: {
@@ -5541,7 +6407,9 @@ export interface operations {
    * @description Add User
    *
    * Adds an existing user to an existing role.
-   * Only users in the role or owners can add users to a role.
+   *
+   * Only users in the role or org owners can add users to a role.
+   * Additionally, the role's edit policy (if set) must permit the update.
    */
   addUserToRole: {
     parameters: {
@@ -5563,6 +6431,11 @@ export interface operations {
         user_id: string;
       };
     };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["Empty"];
+      };
+    };
     responses: {};
   };
   /**
@@ -5614,7 +6487,10 @@ export interface operations {
    * Remove Key
    * @description Remove Key
    *
-   * Removes a given key from a role
+   * Removes a given key from a role.
+   *
+   * Only users in the role or org owners can remove keys from a role.
+   * Additionally, the role's edit policy (if set) must permit the update.
    */
   removeKeyFromRole: {
     parameters: {
@@ -5636,6 +6512,11 @@ export interface operations {
         key_id: string;
       };
     };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["Empty"];
+      };
+    };
     responses: {};
   };
   /**
@@ -5831,7 +6712,9 @@ export interface operations {
    * @description Remove User
    *
    * Removes an existing user from an existing role.
+   *
    * Only users in the role or org owners can remove users from a role.
+   * Additionally, the role's edit policy (if set) must permit the update.
    */
   removeUserFromRole: {
     parameters: {
@@ -5853,6 +6736,11 @@ export interface operations {
         user_id: string;
       };
     };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["Empty"];
+      };
+    };
     responses: {};
   };
   /**
@@ -6615,6 +7503,69 @@ export interface operations {
       };
     };
   };
+  /**
+   * Remove a user from the org
+   * @description Remove a user from the org
+   */
+  deleteUser: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description ID of the desired User
+         * @example User#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        user_id: string;
+      };
+    };
+    responses: {
+      200: components["responses"]["EmptyImpl"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Update a user's membership in the org
+   * @description Update a user's membership in the org
+   *
+   * Currently allows just enabling/disabling a user in the org.
+   */
+  updateUserMembership: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description ID of the desired User
+         * @example User#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        user_id: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["UpdateUserMembershipRequest"];
+      };
+    };
+    responses: {
+      200: components["responses"]["UserInOrgInfo"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
   /**
    * Initiate registration of a FIDO key
    * @deprecated
@@ -6743,12 +7694,25 @@ export interface operations {
       };
     };
   };
+  /**
+   * Retrieves all the orgs the user is a part of
+   * @description Retrieves all the orgs the user is a part of
+   */
+  userOrgs: {
+    responses: {
+      200: components["responses"]["UserOrgsResponse"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
   /**
    * Sign Raw Blob
    * @description Sign Raw Blob
    *
    * Signs an arbitrary blob with a given key.
-   * This is a pre-release feature.
    *
    * - ECDSA signatures are serialized as big-endian r and s plus recovery-id
    * byte v, which can in general take any of the values 0, 1, 2, or 3.