@eudiplo/sdk-core 3.1.2 → 4.1.0

package/dist/{types.gen-B8BIFvOm.d.ts → types.gen-CVLCgolx.d.ts}

@@ -1,6 +1,26 @@
 type ClientOptions = {
     baseUrl: string;
 };
+type GrafanaConfigDto = {
+    /**
+     * Base URL of the Grafana instance
+     */
+    url?: string;
+    /**
+     * UID of the Tempo data source in Grafana
+     */
+    tempoUid: string;
+    /**
+     * UID of the Loki data source in Grafana
+     */
+    lokiUid: string;
+};
+type FrontendConfigResponseDto = {
+    /**
+     * Grafana observability configuration
+     */
+    grafana: GrafanaConfigDto;
+};
 type RoleDto = {
     /**
      * OAuth2 roles
@@ -129,11 +149,6 @@ type CreateTenantDto = {
      * Status list configuration for this tenant. Only affects newly created status lists.
      */
     statusListConfig?: StatusListConfig;
-    /**
-     * Session storage configuration. Controls TTL and cleanup behavior.
-     */
-    sessionConfig?: SessionStorageConfig;
-    roles?: Array<"presentation:manage" | "presentation:request" | "issuance:manage" | "issuance:offer" | "clients:manage" | "tenants:manage" | "registrar:manage">;
     /**
      * The unique identifier for the tenant.
      */
@@ -146,16 +161,17 @@ type CreateTenantDto = {
      * The description of the tenant.
      */
     description?: string;
+    /**
+     * Session storage configuration. Controls TTL and cleanup behavior.
+     */
+    sessionConfig?: SessionStorageConfig;
+    roles?: Array<"presentation:manage" | "presentation:request" | "issuance:manage" | "issuance:offer" | "clients:manage" | "tenants:manage" | "registrar:manage">;
 };
 type UpdateTenantDto = {
     /**
      * Status list configuration for this tenant. Only affects newly created status lists.
      */
     statusListConfig?: StatusListConfig;
-    /**
-     * Session storage configuration. Controls TTL and cleanup behavior.
-     */
-    sessionConfig?: SessionStorageConfig;
     /**
      * The name of the tenant.
      */
@@ -164,6 +180,10 @@ type UpdateTenantDto = {
      * The description of the tenant.
      */
     description?: string;
+    /**
+     * Session storage configuration. Controls TTL and cleanup behavior.
+     */
+    sessionConfig?: SessionStorageConfig;
     roles?: Array<"presentation:manage" | "presentation:request" | "issuance:manage" | "issuance:offer" | "clients:manage" | "tenants:manage" | "registrar:manage">;
 };
 type ClientSecretResponseDto = {
@@ -213,138 +233,6 @@ type CreateClientDto = {
      */
     roles: Array<"presentation:manage" | "presentation:request" | "issuance:manage" | "issuance:offer" | "clients:manage" | "tenants:manage" | "registrar:manage">;
 };
-type KeyEntity = {
-    /**
-     * Unique identifier for the key.
-     */
-    id: string;
-    /**
-     * Description of the key.
-     */
-    description?: string;
-    /**
-     * Tenant ID for the key.
-     */
-    tenantId: string;
-    /**
-     * The tenant that owns this object.
-     */
-    tenant: TenantEntity;
-    /**
-     * The key material.
-     * Encrypted at rest using AES-256-GCM.
-     */
-    key: {
-        [key: string]: unknown;
-    };
-    /**
-     * The usage type of the key.
-     */
-    usage: {
-        [key: string]: unknown;
-    };
-    /**
-     * The KMS provider used for this key.
-     * References a configured KMS provider name.
-     */
-    kmsProvider: string;
-    /**
-     * Certificates associated with this key.
-     */
-    certificates: Array<CertEntity>;
-    /**
-     * The timestamp when the key was created.
-     */
-    createdAt: string;
-    /**
-     * The timestamp when the key was last updated.
-     */
-    updatedAt: string;
-};
-type CertEntity = {
-    /**
-     * The key ID this certificate is associated with
-     */
-    keyId: string;
-    /**
-     * Unique identifier for the key.
-     */
-    id: string;
-    /**
-     * Tenant ID for the key.
-     */
-    tenantId: string;
-    /**
-     * The tenant that owns this object.
-     */
-    tenant: TenantEntity;
-    /**
-     * Certificate chain in PEM format (leaf first, then intermediates/CA).
-     */
-    crt: Array<string>;
-    usages: Array<CertUsageEntity>;
-    /**
-     * Description of the key.
-     */
-    description?: string;
-    key: KeyEntity;
-    /**
-     * The timestamp when the certificate was created.
-     */
-    createdAt: string;
-    /**
-     * The timestamp when the certificate was last updated.
-     */
-    updatedAt: string;
-};
-type CertUsageEntity = {
-    tenantId: string;
-    certId: string;
-    usage: "access" | "signing" | "trustList" | "statusList";
-    cert: CertEntity;
-};
-type CertImportDto = {
-    /**
-     * The key ID this certificate is associated with
-     */
-    keyId: string;
-    id?: string;
-    /**
-     * Usage types for the certificate.
-     */
-    certUsageTypes: Array<"access" | "signing" | "trustList" | "statusList">;
-    /**
-     * Certificate chain in PEM format (leaf first, then intermediates/CA).
-     * If not provided, a self-signed certificate will be generated.
-     */
-    crt?: Array<string>;
-    /**
-     * Subject name (CN) for self-signed certificate generation.
-     * If not provided, the tenant name will be used.
-     */
-    subjectName?: string;
-    /**
-     * Description of the key.
-     */
-    description?: string;
-};
-type CertResponseDto = {
-    /**
-     * The ID of the created self-signed certificate.
-     */
-    id: string;
-};
-type CertUpdateDto = {
-    /**
-     * Usage types for the certificate.
-     */
-    certUsageTypes: Array<"access" | "signing" | "trustList" | "statusList">;
-    usages: Array<CertUsageEntity>;
-    /**
-     * Description of the key.
-     */
-    description?: string;
-};
 type StatusListImportDto = {
     /**
      * Unique identifier for the status list
@@ -355,9 +243,9 @@ type StatusListImportDto = {
      */
     credentialConfigurationId?: string;
     /**
-     * Certificate ID to use for signing. Leave empty to use the tenant's default StatusList certificate.
+     * Key chain ID to use for signing. Leave empty to use the tenant's default StatusList key chain.
      */
-    certId?: string;
+    keyChainId?: string;
     /**
      * Capacity of the status list. If not provided, uses tenant or global defaults.
      */
@@ -409,9 +297,9 @@ type StatusListResponseDto = {
      */
     credentialConfigurationId?: string;
     /**
-     * Certificate ID used for signing. Null means using the tenant's default.
+     * Key chain ID used for signing. Null means using the tenant's default.
      */
-    certId?: string;
+    keyChainId?: string;
     /**
      * Bits per status value
      */
@@ -447,9 +335,9 @@ type CreateStatusListDto = {
      */
     credentialConfigurationId?: string;
     /**
-     * Certificate ID to use for signing. Leave empty to use the tenant's default StatusList certificate.
+     * Key chain ID to use for signing. Leave empty to use the tenant's default StatusList key chain.
      */
-    certId?: string;
+    keyChainId?: string;
     /**
      * Bits per status value. More bits allow more status states. Defaults to tenant configuration.
      */
@@ -465,9 +353,9 @@ type UpdateStatusListDto = {
      */
     credentialConfigurationId?: string;
     /**
-     * Certificate ID to use for signing. Set to null to use the tenant's default StatusList certificate.
+     * Key chain ID to use for signing. Set to null to use the tenant's default StatusList key chain.
      */
-    certId?: string;
+    keyChainId?: string;
 };
 type AuthorizeQueries = {
     issuer_state?: string;
@@ -482,44 +370,14 @@ type AuthorizeQueries = {
     request_uri?: string;
     auth_session?: string;
     state?: string;
-};
-type WebHookAuthConfigNone = {
-    /**
-     * The type of authentication used for the webhook.
-     */
-    type: "none";
-};
-type ApiKeyConfig = {
-    /**
-     * The name of the header where the API key will be sent.
-     */
-    headerName: string;
     /**
-     * The value of the API key to be sent in the header.
-     */
-    value: string;
-};
-type WebHookAuthConfigHeader = {
-    /**
-     * The type of authentication used for the webhook.
-     */
-    type: "apiKey";
-    /**
-     * Configuration for API key authentication.
-     * This is required if the type is 'apiKey'.
-     */
-    config: ApiKeyConfig;
-};
-type WebhookConfig = {
-    /**
-     * Optional authentication configuration for the webhook.
-     * If not provided, no authentication will be used.
-     */
-    auth: WebHookAuthConfigNone | WebHookAuthConfigHeader;
-    /**
-     * The URL to which the webhook will send notifications.
+     * RFC 9396 authorization details. When passed via
+     * application/x-www-form-urlencoded (PAR) the value is a JSON string; when
+     * passed inside a signed request object it can already be an array.
      */
-    url: string;
+    authorization_details?: {
+        [key: string]: unknown;
+    };
 };
 type OfferRequestDto = {
     /**
@@ -535,10 +393,16 @@ type OfferRequestDto = {
             claims: {
                 [key: string]: unknown;
             };
+        } | {
+            type: "attributeProvider";
+            attributeProviderId: string;
         } | {
             type: "webhook";
             webhook: {
-                [key: string]: unknown;
+                url: string;
+                auth?: {
+                    [key: string]: unknown;
+                };
             };
         };
     };
@@ -563,9 +427,51 @@ type OfferRequestDto = {
      */
     authorization_server?: string;
     /**
-     * Webhook to notify about the status of the issuance process.
+     * ID of the webhook endpoint to notify about the status of the issuance process.
+     */
+    webhookEndpointId?: string;
+};
+type WebHookAuthConfigNone = {
+    /**
+     * The type of authentication used for the webhook.
+     */
+    type: "none";
+};
+type ApiKeyConfig = {
+    /**
+     * The name of the header where the API key will be sent.
+     */
+    headerName: string;
+    /**
+     * The value of the API key to be sent in the header.
+     */
+    value: string;
+};
+type WebHookAuthConfigHeader = {
+    /**
+     * The type of authentication used for the webhook.
+     */
+    type: "apiKey";
+    /**
+     * Configuration for API key authentication.
+     * This is required if the type is 'apiKey'.
+     */
+    config: ApiKeyConfig;
+};
+type WebhookConfig = {
+    /**
+     * Optional authentication configuration for the webhook.
+     * If not provided, no authentication will be used.
+     */
+    auth: WebHookAuthConfigNone | WebHookAuthConfigHeader;
+    /**
+     * List of credential IDs to include raw tokens for (e.g., ['sca_credential'])
+     */
+    includeRawTokensFor?: Array<string>;
+    /**
+     * The URL to which the webhook will send notifications.
      */
-    notifyWebhook?: WebhookConfig;
+    url: string;
 };
 type TransactionData = {
     type: string;
@@ -605,6 +511,15 @@ type Session = {
      */
     tenant: TenantEntity;
     authorization_code?: string;
+    /**
+     * Refresh token for the session - used to obtain a new access token.
+     */
+    refresh_token?: string;
+    /**
+     * Expiration timestamp for the refresh token.
+     * Used to validate refresh_token grant requests.
+     */
+    refresh_token_expires_at?: string;
     /**
      * Request URI from the authorization request.
      */
@@ -631,9 +546,9 @@ type Session = {
      */
     credentialPayload?: OfferRequestDto;
     /**
-     * Webhook configuration to send the result of the notification response.
+     * ID of the webhook endpoint to notify about issuance status.
      */
-    notifyWebhook?: WebhookConfig;
+    webhookEndpointId?: string;
     /**
      * Notifications associated with the session.
      */
@@ -664,6 +579,18 @@ type Session = {
      * Client ID used in the OID4VP authorization request.
      */
     clientId?: string;
+    /**
+     * Cryptographic random nonce used in wallet-facing URLs (response_uri, request_uri, state).
+     * Per OID4VP spec Section 13.3, this separates the wallet-facing identifier (request-id)
+     * from the frontend-facing session ID (transaction-id) to prevent session fixation.
+     */
+    walletNonce?: string;
+    /**
+     * Cryptographic random code generated after successful VP Token processing.
+     * Per OID4VP spec Section 13.3, included in redirect_uri so only the legitimate
+     * frontend (which receives the redirect) can confirm the session completed.
+     */
+    responseCode?: string;
     /**
      * Response URI used in the OID4VP authorization request.
      */
@@ -687,6 +614,43 @@ type Session = {
      * Used to identify the user at the external AS.
      */
     externalSubject?: string;
+    /**
+     * Error reason if the session failed.
+     * Stores the error message when status is 'failed'.
+     */
+    errorReason?: string;
+};
+type SessionLogEntryResponseDto = {
+    /**
+     * Log entry ID
+     */
+    id: string;
+    /**
+     * Session ID
+     */
+    sessionId: string;
+    /**
+     * Timestamp of the log entry
+     */
+    timestamp: string;
+    /**
+     * Log level
+     */
+    level: "info" | "warn" | "error";
+    /**
+     * Flow stage
+     */
+    stage?: string;
+    /**
+     * Log message
+     */
+    message: string;
+    /**
+     * Additional structured detail
+     */
+    detail?: {
+        [key: string]: unknown;
+    };
 };
 type StatusUpdateDto = {
     /**
@@ -798,12 +762,28 @@ type DisplayInfo = {
     logo?: DisplayLogo;
 };
 type IssuanceConfig = {
+    /**
+     * Key ID for signing access tokens. If unset, the default signing key is used.
+     */
+    signingKeyId?: string;
     /**
      * Configuration for Chained Authorization Server mode.
      * When enabled, EUDIPLO acts as an OAuth AS facade, delegating user authentication
      * to an upstream OIDC provider while issuing its own tokens with issuer_state.
      */
     chainedAs?: ChainedAsConfig;
+    /**
+     * Whether refresh tokens should be issued for OID4VCI token responses.
+     */
+    refreshTokenEnabled?: boolean;
+    /**
+     * Whether `credential_response_encryption` should be advertised in the credential issuer metadata.
+     */
+    credentialResponseEncryption?: boolean;
+    /**
+     * Refresh token lifetime in seconds. Defaults to 2592000 (30 days).
+     */
+    refreshTokenExpiresInSeconds?: number;
     /**
      * The tenant that owns this object.
      */
@@ -833,6 +813,13 @@ type IssuanceConfig = {
      * If empty and walletAttestationRequired is true, all wallet providers are rejected.
      */
     walletProviderTrustLists?: Array<string>;
+    /**
+     * The URL of the preferred authorization server for wallet-initiated flows.
+     * When set, this AS is placed first in the `authorization_servers` array
+     * of the credential issuer metadata, signaling wallets to use it by default.
+     * Must match one of the configured auth servers, the chained AS URL, or "built-in".
+     */
+    preferredAuthServer?: string;
     display: Array<DisplayInfo>;
     /**
      * The timestamp when the VP request was created.
@@ -844,12 +831,28 @@ type IssuanceConfig = {
     updatedAt: string;
 };
 type IssuanceDto = {
+    /**
+     * Key ID for signing access tokens. If unset, the default signing key is used.
+     */
+    signingKeyId?: string;
     /**
      * Configuration for Chained Authorization Server mode.
      * When enabled, EUDIPLO acts as an OAuth AS facade, delegating user authentication
      * to an upstream OIDC provider while issuing its own tokens with issuer_state.
      */
     chainedAs?: ChainedAsConfig;
+    /**
+     * Whether refresh tokens should be issued for OID4VCI token responses.
+     */
+    refreshTokenEnabled?: boolean;
+    /**
+     * Whether `credential_response_encryption` should be advertised in the credential issuer metadata.
+     */
+    credentialResponseEncryption?: boolean;
+    /**
+     * Refresh token lifetime in seconds. Defaults to 2592000 (30 days).
+     */
+    refreshTokenExpiresInSeconds?: number;
     /**
      * Authentication server URL for the issuance process.
      */
@@ -875,6 +878,13 @@ type IssuanceDto = {
      * If empty and walletAttestationRequired is true, all wallet providers are rejected.
      */
     walletProviderTrustLists?: Array<string>;
+    /**
+     * The URL of the preferred authorization server for wallet-initiated flows.
+     * When set, this AS is placed first in the `authorization_servers` array
+     * of the credential issuer metadata, signaling wallets to use it by default.
+     * Must match one of the configured auth servers, the chained AS URL, or "built-in".
+     */
+    preferredAuthServer?: string;
     display: Array<DisplayInfo>;
 };
 type ClaimsQuery = {
@@ -968,6 +978,16 @@ type IaeActionRedirectToWeb = {
 type EmbeddedDisclosurePolicy = {
     policy: string;
 };
+type KeyAttestationsRequired = {
+    /**
+     * List of required key storage types (e.g., iso_18045_high, iso_18045_moderate)
+     */
+    key_storage?: Array<string>;
+    /**
+     * List of required user authentication types (e.g., iso_18045_high, iso_18045_moderate)
+     */
+    user_authentication?: Array<string>;
+};
 type DisplayImage = {
     uri: string;
 };
@@ -980,8 +1000,38 @@ type Display = {
     background_image?: DisplayImage;
     logo?: DisplayImage;
 };
-type IssuerMetadataCredentialConfig = {
-    format: "mso_mdoc" | "dc+sd-jwt";
+type ClaimDisplayInfo = {
+    /**
+     * Human-readable name for the claim
+     */
+    name?: string;
+    /**
+     * Locale identifier (e.g., en-US, de-DE)
+     */
+    locale?: string;
+};
+type ClaimMetadata = {
+    /**
+     * Path to the claim. For SD-JWT: JSONPath-like array. For mDOC: [namespace, claim_name]
+     */
+    path: Array<string>;
+    /**
+     * Whether this claim must be disclosed
+     */
+    mandatory?: boolean;
+    /**
+     * Display information for the claim in different locales
+     */
+    display?: Array<ClaimDisplayInfo>;
+};
+type IssuerMetadataCredentialConfig = {
+    /**
+     * Key attestation requirements for JWT proofs for this credential.
+     * When set, this is published in proof_types_supported.jwt.key_attestations_required
+     * for this specific credential configuration.
+     */
+    keyAttestationsRequired?: KeyAttestationsRequired;
+    format: "mso_mdoc" | "dc+sd-jwt";
     display: Array<Display>;
     scope?: string;
     /**
@@ -1008,6 +1058,120 @@ type IssuerMetadataCredentialConfig = {
     claimsByNamespace?: {
         [key: string]: unknown;
     };
+    /**
+     * Claims metadata for wallet rendering.
+     * Follows the OID4VCI credential_metadata.claims specification.
+     * Each claim includes a path (JSONPath-like array), optional mandatory flag,
+     * and display information with multi-language support.
+     *
+     * Example:
+     * [
+     * { "path": ["given_name"], "mandatory": false, "display": [{ "name": "Given Name", "locale": "en-US" }] },
+     * { "path": ["address", "street_address"], "display": [{ "name": "Street Address", "locale": "en-US" }] }
+     * ]
+     */
+    claimsMetadata?: Array<ClaimMetadata>;
+};
+type AttributeProviderEntity = {
+    auth: WebHookAuthConfigNone | WebHookAuthConfigHeader;
+    id: string;
+    tenantId: string;
+    tenant: TenantEntity;
+    name: string;
+    description?: string;
+    url: string;
+};
+type WebhookEndpointEntity = {
+    auth: WebHookAuthConfigNone | WebHookAuthConfigHeader;
+    id: string;
+    tenantId: string;
+    tenant: TenantEntity;
+    name: string;
+    description?: string;
+    url: string;
+};
+type KeyChainEntity = {
+    /**
+     * Unique identifier for the key chain.
+     * This is the ID referenced by other entities (e.g., issuance config's signingKeyId).
+     */
+    id: string;
+    /**
+     * Tenant ID for the key chain.
+     */
+    tenantId: string;
+    /**
+     * The tenant that owns this key chain.
+     */
+    tenant: TenantEntity;
+    /**
+     * Human-readable description of the key chain.
+     */
+    description?: string;
+    /**
+     * The purpose/role of this key chain in the system.
+     */
+    usageType: "access" | "attestation" | "trustList" | "statusList" | "encrypt";
+    /**
+     * The usage type of the keys (sign or encrypt).
+     */
+    usage: "sign" | "encrypt";
+    /**
+     * The KMS provider used for this key chain.
+     * References a configured KMS provider name.
+     */
+    kmsProvider: string;
+    /**
+     * External key identifier for cloud KMS providers.
+     * This field stores the provider-specific key reference for the active signing key.
+     */
+    externalKeyId?: string;
+    rootKey?: {
+        [key: string]: unknown;
+    };
+    /**
+     * Root CA certificate in PEM format.
+     * Self-signed certificate for the root CA key.
+     */
+    rootCertificate?: string;
+    activeKey: {
+        [key: string]: unknown;
+    };
+    /**
+     * Certificate for the active signing key in PEM format.
+     * Either CA-signed (if rootKey exists) or self-signed.
+     */
+    activeCertificate: string;
+    rotationEnabled: boolean;
+    /**
+     * Rotation interval in days. Key material will be rotated after this many days.
+     */
+    rotationIntervalDays?: number;
+    /**
+     * Certificate validity in days when generating new certificates.
+     */
+    certValidityDays?: number;
+    /**
+     * Timestamp of when the key was last rotated.
+     */
+    lastRotatedAt?: string;
+    previousKey?: {
+        [key: string]: unknown;
+    };
+    /**
+     * Certificate for the previous signing key in PEM format.
+     */
+    previousCertificate?: string;
+    /**
+     * Expiry date for the previous key.
+     * After this date, the previous key should be deleted.
+     */
+    previousKeyExpiry?: string;
+    createdAt: string;
+    /**
+     * The timestamp when the key chain was last updated.
+     */
+    updatedAt: string;
 };
 type SchemaResponse = {
     $schema: string;
@@ -1045,25 +1209,27 @@ type CredentialConfig = {
         [key: string]: unknown;
     };
     /**
-     * Webhook to receive claims for the issuance process.
+     * Reference to the attribute provider used for fetching claims.
+     * Optional: if set, claims will be fetched from this provider during issuance.
      */
-    claimsWebhook?: WebhookConfig;
+    attributeProviderId?: string;
+    attributeProvider?: AttributeProviderEntity;
     /**
-     * Webhook to receive claims for the issuance process.
+     * Reference to the webhook endpoint used for notifications.
+     * Optional: if set, notifications will be sent to this endpoint.
      */
-    notificationWebhook?: WebhookConfig;
+    webhookEndpointId?: string;
+    webhookEndpoint?: WebhookEndpointEntity;
     disclosureFrame?: {
         [key: string]: unknown;
     };
     keyBinding?: boolean;
     /**
-     * Reference to the certificate used for signing.
-     * Note: No DB-level FK constraint because CertEntity has a composite PK
-     * (id + tenantId) and SET NULL behavior cannot work when tenantId is
-     * part of this entity's own PK.
+     * Reference to the key chain used for signing.
+     * Optional: if not specified, the default attestation key chain will be used.
      */
-    certId?: string;
-    cert?: CertEntity;
+    keyChainId?: string;
+    keyChain?: KeyChainEntity;
     statusManagement?: boolean;
     lifeTime?: number;
     schema?: SchemaResponse;
@@ -1090,24 +1256,24 @@ type CredentialConfigCreate = {
         [key: string]: unknown;
     };
     /**
-     * Webhook to receive claims for the issuance process.
+     * Reference to the attribute provider used for fetching claims.
+     * Optional: if set, claims will be fetched from this provider during issuance.
      */
-    claimsWebhook?: WebhookConfig;
+    attributeProviderId?: string;
     /**
-     * Webhook to receive claims for the issuance process.
+     * Reference to the webhook endpoint used for notifications.
+     * Optional: if set, notifications will be sent to this endpoint.
      */
-    notificationWebhook?: WebhookConfig;
+    webhookEndpointId?: string;
     disclosureFrame?: {
         [key: string]: unknown;
     };
     keyBinding?: boolean;
     /**
-     * Reference to the certificate used for signing.
-     * Note: No DB-level FK constraint because CertEntity has a composite PK
-     * (id + tenantId) and SET NULL behavior cannot work when tenantId is
-     * part of this entity's own PK.
+     * Reference to the key chain used for signing.
+     * Optional: if not specified, the default attestation key chain will be used.
      */
-    certId?: string;
+    keyChainId?: string;
     statusManagement?: boolean;
     lifeTime?: number;
     schema?: SchemaResponse;
@@ -1134,37 +1300,92 @@ type CredentialConfigUpdate = {
         [key: string]: unknown;
     };
     /**
-     * Webhook to receive claims for the issuance process.
+     * Reference to the attribute provider used for fetching claims.
+     * Optional: if set, claims will be fetched from this provider during issuance.
      */
-    claimsWebhook?: WebhookConfig;
+    attributeProviderId?: string;
     /**
-     * Webhook to receive claims for the issuance process.
+     * Reference to the webhook endpoint used for notifications.
+     * Optional: if set, notifications will be sent to this endpoint.
      */
-    notificationWebhook?: WebhookConfig;
+    webhookEndpointId?: string;
     disclosureFrame?: {
         [key: string]: unknown;
     };
     keyBinding?: boolean;
     /**
-     * Reference to the certificate used for signing.
-     * Note: No DB-level FK constraint because CertEntity has a composite PK
-     * (id + tenantId) and SET NULL behavior cannot work when tenantId is
-     * part of this entity's own PK.
+     * Reference to the key chain used for signing.
+     * Optional: if not specified, the default attestation key chain will be used.
      */
-    certId?: string;
+    keyChainId?: string;
     statusManagement?: boolean;
     lifeTime?: number;
     schema?: SchemaResponse;
 };
+type CreateAttributeProviderDto = {
+    auth: WebHookAuthConfigNone | WebHookAuthConfigHeader;
+    id: string;
+    name: string;
+    description?: string;
+    url: string;
+};
+type UpdateAttributeProviderDto = {
+    auth?: WebHookAuthConfigNone | WebHookAuthConfigHeader;
+    id?: string;
+    name?: string;
+    description?: string;
+    url?: string;
+};
+type CreateWebhookEndpointDto = {
+    auth: WebHookAuthConfigNone | WebHookAuthConfigHeader;
+    id: string;
+    name: string;
+    description?: string;
+    url: string;
+};
+type UpdateWebhookEndpointDto = {
+    auth?: WebHookAuthConfigNone | WebHookAuthConfigHeader;
+    id?: string;
+    name?: string;
+    description?: string;
+    url?: string;
+};
 type Dcql = {
     credentials: Array<CredentialQuery>;
     credential_sets?: Array<CredentialSetQuery>;
 };
+type RegistrationCertificatePurpose = {
+    lang: string;
+    value: string;
+};
+type RegistrationCertificateBody = {
+    privacy_policy: string;
+    support_uri: string;
+    intermediary?: string;
+    purpose?: Array<RegistrationCertificatePurpose>;
+    credentials?: Array<{
+        [key: string]: unknown;
+    }>;
+    provided_attestations?: Array<{
+        [key: string]: unknown;
+    }>;
+};
 type RegistrationCertificateRequest = {
     /**
-     * The body of the registration certificate request containing the necessary details.
+     * Optional registrar-side certificate identifier.
+     * If provided and still valid, EUDIPLO reuses it instead of creating a new certificate.
      */
-    jwt: string;
+    id?: string;
+    /**
+     * Registration certificate creation payload.
+     * This is merged with tenant-level registrar defaults when a certificate is created.
+     */
+    body?: RegistrationCertificateBody;
+    /**
+     * Optional pre-existing registration certificate JWT.
+     * If provided, EUDIPLO forwards it as-is and does not create a new one.
+     */
+    jwt?: string;
 };
 type PresentationAttachment = {
     format: string;
@@ -1174,6 +1395,12 @@ type PresentationAttachment = {
     credential_ids?: Array<string>;
 };
 type PresentationConfig = {
+    /**
+     * Server-managed cache of the materialized registration certificate. Read-only; values supplied by clients are ignored.
+     */
+    readonly registrationCertCache?: {
+        [key: string]: unknown;
+    };
     /**
      * Unique identifier for the VP request.
      */
@@ -1229,7 +1456,13 @@ type PresentationConfig = {
      * that reference only part of a composite primary key. The relationship is handled
      * at the application level in the service layer.
      */
-    accessCertId?: string;
+    accessKeyChainId?: string;
+};
+type ResolveIssuerMetadataDto = {
+    /**
+     * Issuer URL or full OpenID4VCI metadata URL to resolve server-side.
+     */
+    issuerUrl: string;
 };
 type PresentationConfigCreateDto = {
     /**
@@ -1275,7 +1508,7 @@ type PresentationConfigCreateDto = {
      * that reference only part of a composite primary key. The relationship is handled
      * at the application level in the service layer.
      */
-    accessCertId?: string;
+    accessKeyChainId?: string;
 };
 type PresentationConfigUpdateDto = {
     /**
@@ -1321,7 +1554,109 @@ type PresentationConfigUpdateDto = {
      * that reference only part of a composite primary key. The relationship is handled
      * at the application level in the service layer.
      */
-    accessCertId?: string;
+    accessKeyChainId?: string;
+};
+type RegistrarConfigResponseDto = {
+    /**
+     * The base URL of the registrar API
+     */
+    registrarUrl: string;
+    /**
+     * The OIDC issuer URL for authentication (e.g., Keycloak realm URL)
+     */
+    oidcUrl: string;
+    /**
+     * The OIDC client ID for the registrar
+     */
+    clientId: string;
+    /**
+     * The OIDC client secret (optional, for confidential clients)
+     */
+    clientSecret?: string;
+    /**
+     * The username for OIDC login
+     */
+    username: string;
+    /**
+     * Optional default values merged into registration certificate creation requests (for example privacy_policy, support_uri, provided_attestations)
+     */
+    registrationCertificateDefaults?: {
+        [key: string]: unknown;
+    };
+    /**
+     * Indicates whether a password is configured (actual password is never returned)
+     */
+    hasPassword: boolean;
+};
+type CreateRegistrarConfigDto = {
+    /**
+     * The base URL of the registrar API
+     */
+    registrarUrl: string;
+    /**
+     * The OIDC issuer URL for authentication (e.g., Keycloak realm URL)
+     */
+    oidcUrl: string;
+    /**
+     * The OIDC client ID for the registrar
+     */
+    clientId: string;
+    /**
+     * The OIDC client secret (optional, for confidential clients)
+     */
+    clientSecret?: string;
+    /**
+     * The username for OIDC login
+     */
+    username: string;
+    /**
+     * The password for OIDC login (stored in plaintext)
+     */
+    password: string;
+    /**
+     * Optional default values merged into registration certificate creation requests (for example privacy_policy, support_uri, provided_attestations)
+     */
+    registrationCertificateDefaults?: {
+        [key: string]: unknown;
+    };
+};
+type UpdateRegistrarConfigDto = {
+    /**
+     * The base URL of the registrar API
+     */
+    registrarUrl?: string;
+    /**
+     * The OIDC issuer URL for authentication (e.g., Keycloak realm URL)
+     */
+    oidcUrl?: string;
+    /**
+     * The OIDC client ID for the registrar
+     */
+    clientId?: string;
+    /**
+     * The OIDC client secret (optional, for confidential clients)
+     */
+    clientSecret?: string;
+    /**
+     * The username for OIDC login
+     */
+    username?: string;
+    /**
+     * The password for OIDC login (stored in plaintext)
+     */
+    password?: string;
+    /**
+     * Optional default values merged into registration certificate creation requests (for example privacy_policy, support_uri, provided_attestations)
+     */
+    registrationCertificateDefaults?: {
+        [key: string]: unknown;
+    };
+};
+type CreateAccessCertificateDto = {
+    /**
+     * The ID of the key to create an access certificate for
+     */
+    keyId: string;
 };
 type DeferredCredentialRequestDto = {
     /**
@@ -1335,6 +1670,9 @@ type NotificationRequestDto = {
         [key: string]: unknown;
     };
 };
+type Object$1 = {
+    [key: string]: unknown;
+};
 type ParResponseDto = {
     /**
      * The request URI for the Pushed Authorization Request.
@@ -1429,46 +1767,6 @@ type InteractiveAuthorizationErrorResponseDto = {
      */
     error_description?: string;
 };
-type ChainedAsParRequestDto = {
-    /**
-     * OAuth response type (must be 'code')
-     */
-    response_type: string;
-    /**
-     * Client identifier (wallet identifier)
-     */
-    client_id: string;
-    /**
-     * URI to redirect the wallet after authorization
-     */
-    redirect_uri: string;
-    /**
-     * PKCE code challenge
-     */
-    code_challenge?: string;
-    /**
-     * PKCE code challenge method (e.g., S256)
-     */
-    code_challenge_method?: string;
-    /**
-     * State parameter (returned in redirect)
-     */
-    state?: string;
-    /**
-     * Scope requested
-     */
-    scope?: string;
-    /**
-     * Issuer state from credential offer
-     */
-    issuer_state?: string;
-    /**
-     * Authorization details (JSON array)
-     */
-    authorization_details?: Array<{
-        [key: string]: unknown;
-    }>;
-};
 type ChainedAsParResponseDto = {
     /**
      * The request URI to use at the authorization endpoint
@@ -1491,13 +1789,17 @@ type ChainedAsErrorResponseDto = {
 };
 type ChainedAsTokenRequestDto = {
     /**
-     * Grant type (must be 'authorization_code')
+     * Grant type ('authorization_code' or 'refresh_token')
      */
     grant_type: string;
     /**
-     * Authorization code received in the callback
+     * Authorization code received in the callback (authorization_code grant)
      */
-    code: string;
+    code?: string;
+    /**
+     * Refresh token (refresh_token grant)
+     */
+    refresh_token?: string;
     /**
      * Client identifier
      */
@@ -1542,6 +1844,10 @@ type ChainedAsTokenResponseDto = {
      * C_NONCE lifetime in seconds
      */
     c_nonce_expires_in?: number;
+    /**
+     * Refresh token (issued when refresh tokens are enabled)
+     */
+    refresh_token?: string;
 };
 type OfferResponse = {
     uri: string;
@@ -1605,112 +1911,51 @@ type JwksResponseDto = {
 };
 type AuthorizationResponse = {
     /**
-     * The response string containing the authorization details.
+     * The response string containing the authorization details (JWE-encrypted VP token).
+     * Required for success responses, absent for error responses.
      */
-    response: string;
+    response?: string;
     /**
      * When set to true, the authorization response will be sent to the client.
      */
     sendResponse?: boolean;
-};
-type RegistrarConfigEntity = {
-    /**
-     * The base URL of the registrar API
-     */
-    registrarUrl: string;
-    /**
-     * The OIDC issuer URL for authentication (e.g., Keycloak realm URL)
-     */
-    oidcUrl: string;
-    /**
-     * The OIDC client ID for the registrar
-     */
-    clientId: string;
-    /**
-     * The OIDC client secret (optional, for confidential clients)
-     */
-    clientSecret?: string;
-    /**
-     * The username for OIDC login
-     */
-    username: string;
-    /**
-     * The password for OIDC login (stored in plaintext)
-     */
-    password: string;
-    /**
-     * The tenant ID this configuration belongs to.
-     */
-    tenantId: string;
-    /**
-     * The tenant that owns this configuration.
-     */
-    tenant: TenantEntity;
-};
-type CreateRegistrarConfigDto = {
-    /**
-     * The base URL of the registrar API
-     */
-    registrarUrl: string;
-    /**
-     * The OIDC issuer URL for authentication (e.g., Keycloak realm URL)
-     */
-    oidcUrl: string;
-    /**
-     * The OIDC client ID for the registrar
-     */
-    clientId: string;
-    /**
-     * The OIDC client secret (optional, for confidential clients)
-     */
-    clientSecret?: string;
-    /**
-     * The username for OIDC login
-     */
-    username: string;
-    /**
-     * The password for OIDC login (stored in plaintext)
-     */
-    password: string;
-};
-type UpdateRegistrarConfigDto = {
-    /**
-     * The base URL of the registrar API
-     */
-    registrarUrl?: string;
-    /**
-     * The OIDC issuer URL for authentication (e.g., Keycloak realm URL)
-     */
-    oidcUrl?: string;
+    error?: string;
     /**
-     * The OIDC client ID for the registrar
+     * Human-readable description of the error.
      */
-    clientId?: string;
+    error_description?: string;
     /**
-     * The OIDC client secret (optional, for confidential clients)
+     * URI with additional information about the error.
      */
-    clientSecret?: string;
+    error_uri?: string;
     /**
-     * The username for OIDC login
+     * State value from the authorization request (for correlation).
      */
-    username?: string;
-    /**
-     * The password for OIDC login (stored in plaintext)
-     */
-    password?: string;
+    state?: string;
 };
-type CreateAccessCertificateDto = {
-    /**
-     * The ID of the key to create an access certificate for
-     */
-    keyId: string;
+type TrustListEntityInfo = {
+    name: string;
+    lang?: string;
+    uri?: string;
+    country?: string;
+    locality?: string;
+    postalCode?: string;
+    streetAddress?: string;
+    contactUri?: string;
+};
+type InternalTrustListEntity = {
+    type: "internal";
+    issuerKeyChainId: string;
+    revocationKeyChainId: string;
+    info: TrustListEntityInfo;
+};
+type ExternalTrustListEntity = {
+    type: "external";
+    issuerCertPem: string;
+    revocationCertPem: string;
+    info: TrustListEntityInfo;
 };
 type TrustListCreateDto = {
-    id?: string;
-    certId?: string;
-    entities: Array<{
-        [key: string]: unknown;
-    }>;
     description?: string;
     /**
      * The full trust list JSON (generated LoTE structure)
@@ -1718,6 +1963,13 @@ type TrustListCreateDto = {
     data?: {
         [key: string]: unknown;
     };
+    entities: Array<({
+        type: "internal";
+    } & InternalTrustListEntity) | ({
+        type: "external";
+    } & ExternalTrustListEntity)>;
+    id?: string;
+    keyChainId?: string;
 };
 type TrustList = {
     /**
@@ -1733,8 +1985,8 @@ type TrustList = {
      * The tenant that owns this object.
      */
     tenant: TenantEntity;
-    certId: string;
-    cert: CertEntity;
+    keyChainId: string;
+    keyChain: KeyChainEntity;
     /**
      * The full trust list JSON (generated LoTE structure)
      */
@@ -1786,29 +2038,6 @@ type TrustListVersion = {
     jwt: string;
     createdAt: string;
 };
-type DbKmsConfigDto = {
-    [key: string]: unknown;
-};
-type VaultKmsConfigDto = {
-    /**
-     * URL of the HashiCorp Vault instance. Supports ${ENV_VAR} placeholders.
-     */
-    vaultUrl: string;
-    /**
-     * Authentication token for HashiCorp Vault. Supports ${ENV_VAR} placeholders.
-     */
-    vaultToken: string;
-};
-type KmsConfigDto = {
-    /**
-     * Name of the default KMS provider. Defaults to "db" if not set.
-     */
-    defaultProvider?: string;
-    providers: {
-        db?: DbKmsConfigDto;
-        vault?: VaultKmsConfigDto;
-    };
-};
 type KmsProviderCapabilitiesDto = {
     /**
      * Whether the provider supports importing existing keys.
@@ -1825,9 +2054,17 @@ type KmsProviderCapabilitiesDto = {
 };
 type KmsProviderInfoDto = {
     /**
-     * Unique provider name (matches the key in kms.json).
+     * Unique provider ID (matches the id in kms.json).
      */
     name: string;
+    /**
+     * Type of the KMS provider (db, vault, aws-kms).
+     */
+    type: string;
+    /**
+     * Human-readable description of this provider instance.
+     */
+    description?: string;
     /**
      * Capabilities of this provider.
      */
@@ -1843,55 +2080,316 @@ type KmsProvidersResponseDto = {
      */
     default: string;
 };
-type KeyGenerateDto = {
+type CertificateInfoDto = {
     /**
-     * KMS provider to use (defaults to the configured default provider).
+     * Certificate in PEM format.
      */
-    kmsProvider?: string;
+    pem: string;
+    /**
+     * Certificate subject (CN).
+     */
+    subject?: string;
+    /**
+     * Certificate issuer (CN).
+     */
+    issuer?: string;
+    /**
+     * Certificate not before date.
+     */
+    notBefore?: string;
+    /**
+     * Certificate not after date.
+     */
+    notAfter?: string;
+    /**
+     * Serial number.
+     */
+    serialNumber?: string;
+};
+type PublicKeyInfoDto = {
+    /**
+     * Key type (e.g., EC).
+     */
+    kty: string;
+    /**
+     * Key algorithm (e.g., ES256).
+     */
+    alg?: string;
+    /**
+     * Key ID.
+     */
+    kid?: string;
+    /**
+     * Curve (for EC keys).
+     */
+    crv?: string;
+};
+type RotationPolicyResponseDto = {
     /**
-     * Optional human-readable description for the key.
+     * Whether automatic key rotation is enabled.
+     */
+    enabled: boolean;
+    /**
+     * Rotation interval in days.
+     */
+    intervalDays?: number;
+    /**
+     * Certificate validity in days.
+     */
+    certValidityDays?: number;
+    /**
+     * Next scheduled rotation date.
+     */
+    nextRotationAt?: string;
+};
+type KeyChainResponseDto = {
+    /**
+     * Unique identifier for the key chain.
+     */
+    id: string;
+    /**
+     * Usage type of the key chain.
+     */
+    usageType: "access" | "attestation" | "trustList" | "statusList" | "encrypt";
+    /**
+     * Type of key chain (standalone or internalChain).
+     */
+    type: "standalone" | "internalChain";
+    /**
+     * Human-readable description.
      */
     description?: string;
+    /**
+     * KMS provider used for this key chain.
+     */
+    kmsProvider: string;
+    /**
+     * Root CA certificate (only for internalChain type).
+     */
+    rootCertificate?: CertificateInfoDto;
+    /**
+     * Active signing key's public key info.
+     */
+    activePublicKey: PublicKeyInfoDto;
+    /**
+     * Active signing key's certificate. Not present for encryption keys.
+     */
+    activeCertificate?: CertificateInfoDto;
+    /**
+     * Previous signing key's public key info (if in grace period).
+     */
+    previousPublicKey?: PublicKeyInfoDto;
+    /**
+     * Previous signing key's certificate (if in grace period).
+     */
+    previousCertificate?: CertificateInfoDto;
+    /**
+     * Previous key expiry date.
+     */
+    previousKeyExpiry?: string;
+    /**
+     * Rotation policy configuration.
+     */
+    rotationPolicy: RotationPolicyResponseDto;
+    /**
+     * Timestamp when the key chain was created.
+     */
+    createdAt: string;
+    /**
+     * Timestamp when the key chain was last updated.
+     */
+    updatedAt: string;
 };
-type Key = {
+type ExportEcJwk = {
+    /**
+     * Key type
+     */
     kty: string;
+    /**
+     * Curve
+     */
+    crv: string;
+    /**
+     * X coordinate (base64url)
+     */
     x: string;
+    /**
+     * Y coordinate (base64url)
+     */
     y: string;
-    crv: string;
+    /**
+     * Private key (base64url)
+     */
     d: string;
-    alg: string;
+    /**
+     * Algorithm
+     */
+    alg?: string;
+    /**
+     * Key ID
+     */
+    kid?: string;
 };
-type KeyImportDto = {
+type ExportRotationPolicyDto = {
     /**
-     * KMS provider name to use for this key. Defaults to the configured default.
+     * Whether rotation is enabled.
      */
-    kmsProvider?: string;
+    enabled: boolean;
     /**
-     * The private key in JWK format.
+     * Rotation interval in days.
      */
-    key: Key;
+    intervalDays?: number;
     /**
-     * Unique identifier for the key.
+     * Certificate validity in days.
+     */
+    certValidityDays?: number;
+};
+type KeyChainExportDto = {
+    /**
+     * Key chain ID.
      */
     id: string;
     /**
-     * Description of the key.
+     * Human-readable description.
+     */
+    description?: string;
+    /**
+     * Usage type for this key chain.
+     */
+    usageType: "access" | "attestation" | "trustList" | "statusList" | "encrypt";
+    /**
+     * The private key in JWK format (EC).
+     */
+    key: ExportEcJwk;
+    /**
+     * Certificate chain in PEM format (leaf first, then intermediates/CA).
+     */
+    crt?: Array<string>;
+    /**
+     * KMS provider name.
+     */
+    kmsProvider?: string;
+    /**
+     * Rotation policy.
+     */
+    rotationPolicy?: ExportRotationPolicyDto;
+};
+type RotationPolicyCreateDto = {
+    /**
+     * Whether automatic key rotation is enabled.
+     */
+    enabled: boolean;
+    /**
+     * Rotation interval in days. Required when enabled is true.
+     */
+    intervalDays?: number;
+    /**
+     * Certificate validity in days. Defaults to rotation interval + 30 days grace period.
+     */
+    certValidityDays?: number;
+};
+type KeyChainCreateDto = {
+    /**
+     * Usage type determines the purpose of this key chain (access, attestation, etc.).
+     */
+    usageType: "access" | "attestation" | "trustList" | "statusList" | "encrypt";
+    /**
+     * Type of key chain to create.
+     */
+    type: "standalone" | "internalChain";
+    /**
+     * Human-readable description for the key chain.
      */
     description?: string;
+    /**
+     * KMS provider to use (defaults to the configured default provider).
+     */
+    kmsProvider?: string;
+    /**
+     * Rotation policy configuration. Only applicable for the signing key (root CA never rotates).
+     */
+    rotationPolicy?: RotationPolicyCreateDto;
 };
-type UpdateKeyDto = {
+type EcJwk = {
+    kty: string;
+    x: string;
+    y: string;
+    crv: string;
+    d: string;
+    alg?: string;
+    kid?: string;
+};
+type RotationPolicyImportDto = {
+    /**
+     * Whether rotation is enabled. When true, the imported key becomes a root CA.
+     */
+    enabled: boolean;
     /**
-     * KMS provider name to use for this key. Defaults to the configured default.
+     * Rotation interval in days.
+     */
+    intervalDays?: number;
+    /**
+     * Certificate validity in days.
+     */
+    certValidityDays?: number;
+};
+type KeyChainImportDto = {
+    /**
+     * ID for the key chain. If not provided, a new UUID will be generated.
+     */
+    id?: string;
+    /**
+     * The private key in JWK format.
+     */
+    key: EcJwk;
+    /**
+     * Human-readable description.
+     */
+    description?: string;
+    /**
+     * Usage type for this key chain.
+     */
+    usageType: "access" | "attestation" | "trustList" | "statusList" | "encrypt";
+    /**
+     * Certificate chain in PEM format (leaf first, then intermediates/CA).
+     */
+    crt?: Array<string>;
+    /**
+     * KMS provider to use. Defaults to 'db'.
      */
     kmsProvider?: string;
     /**
-     * Unique identifier for the key.
+     * Rotation policy. When enabled, the imported key becomes a root CA and a new leaf key is generated.
      */
-    id: string;
+    rotationPolicy?: RotationPolicyImportDto;
+};
+type RotationPolicyUpdateDto = {
+    /**
+     * Whether automatic key rotation is enabled.
+     */
+    enabled?: boolean;
+    /**
+     * Rotation interval in days.
+     */
+    intervalDays?: number;
     /**
-     * Description of the key.
+     * Certificate validity in days.
+     */
+    certValidityDays?: number;
+};
+type KeyChainUpdateDto = {
+    /**
+     * Human-readable description for the key chain.
      */
     description?: string;
+    /**
+     * Rotation policy configuration.
+     */
+    rotationPolicy?: RotationPolicyUpdateDto;
+    /**
+     * Active certificate chain in PEM format. Used for external certificate updates.
+     */
+    activeCertificate?: string;
 };
 type PresentationRequest = {
     /**
@@ -1921,124 +2419,97 @@ type PresentationRequest = {
 type FileUploadDto = {
     file: Blob | File;
 };
-type AppControllerMainData = {
-    body?: never;
-    path?: never;
-    query?: never;
-    url: "/";
-};
-type AppControllerMainResponses = {
-    200: unknown;
-};
-type HealthControllerCheckData = {
-    body?: never;
-    path?: never;
-    query?: never;
-    url: "/health";
-};
-type HealthControllerCheckErrors = {
+type PresentationConfigWritable = {
     /**
-     * The Health Check is not successful
+     * Unique identifier for the VP request.
      */
-    503: {
-        status?: string;
-        info?: {
-            [key: string]: {
-                status: string;
-                [key: string]: unknown | string;
-            };
-        };
-        error?: {
-            [key: string]: {
-                status: string;
-                [key: string]: unknown | string;
-            };
-        };
-        details?: {
-            [key: string]: {
-                status: string;
-                [key: string]: unknown | string;
-            };
-        };
-    };
-};
-type HealthControllerCheckError = HealthControllerCheckErrors[keyof HealthControllerCheckErrors];
-type HealthControllerCheckResponses = {
+    id: string;
     /**
-     * The Health Check is successful
+     * The tenant that owns this object.
      */
-    200: {
-        status?: string;
-        info?: {
-            [key: string]: {
-                status: string;
-                [key: string]: unknown | string;
-            };
-        };
-        error?: {
-            [key: string]: {
-                status: string;
-                [key: string]: unknown | string;
-            };
-        };
-        details?: {
-            [key: string]: {
-                status: string;
-                [key: string]: unknown | string;
-            };
-        };
-    };
-};
-type HealthControllerCheckResponse = HealthControllerCheckResponses[keyof HealthControllerCheckResponses];
-type AuthControllerGetOAuth2TokenData = {
-    body: ClientCredentialsDto;
-    path?: never;
-    query?: never;
-    url: "/oauth2/token";
-};
-type AuthControllerGetOAuth2TokenErrors = {
+    tenant: TenantEntity;
     /**
-     * Invalid client credentials
+     * Description of the presentation configuration.
      */
-    401: unknown;
-};
-type AuthControllerGetOAuth2TokenResponses = {
+    description?: string;
+    /**
+     * Lifetime how long the presentation request is valid after creation, in seconds.
+     */
+    lifeTime?: number;
+    /**
+     * The DCQL query to be used for the VP request.
+     */
+    dcql_query: Dcql;
+    transaction_data?: Array<TransactionData>;
     /**
-     * OAuth2 token response
+     * The registration certificate request containing the necessary details.
+     */
+    registrationCert?: RegistrationCertificateRequest;
+    /**
+     * Optional webhook URL to receive the response.
+     */
+    webhook?: WebhookConfig;
+    /**
+     * The timestamp when the VP request was created.
      */
-    200: TokenResponse;
-    201: TokenResponse;
+    createdAt: string;
+    /**
+     * The timestamp when the VP request was last updated.
+     */
+    updatedAt: string;
+    /**
+     * Attestation that should be attached
+     */
+    attached?: Array<PresentationAttachment>;
+    /**
+     * Redirect URI to which the user-agent should be redirected after the presentation is completed.
+     * You can use the `{sessionId}` placeholder in the URI, which will be replaced with the actual session ID.
+     */
+    redirectUri?: string;
+    /**
+     * Optional ID of the access certificate to use for signing the presentation request.
+     * If not provided, the default access certificate for the tenant will be used.
+     *
+     * Note: This is intentionally NOT a TypeORM relationship because CertEntity uses
+     * a composite primary key (id + tenantId), and SQLite cannot create foreign keys
+     * that reference only part of a composite primary key. The relationship is handled
+     * at the application level in the service layer.
+     */
+    accessKeyChainId?: string;
+};
+type ObjectWritable = {
+    [key: string]: unknown;
 };
-type AuthControllerGetOAuth2TokenResponse = AuthControllerGetOAuth2TokenResponses[keyof AuthControllerGetOAuth2TokenResponses];
-type AuthControllerGetOidcDiscoveryData = {
+type AppControllerGetVersionData = {
     body?: never;
     path?: never;
     query?: never;
-    url: "/.well-known/oauth-authorization-server";
+    url: "/api/version";
 };
-type AuthControllerGetOidcDiscoveryResponses = {
+type AppControllerGetVersionResponses = {
     /**
-     * OIDC Discovery Configuration
+     * Service version info
      */
     200: unknown;
 };
-type AuthControllerGetGlobalJwksData = {
+type AppControllerGetFrontendConfigData = {
     body?: never;
     path?: never;
     query?: never;
-    url: "/.well-known/jwks.json";
+    url: "/api/frontend-config";
 };
-type AuthControllerGetGlobalJwksResponses = {
+type AppControllerGetFrontendConfigResponses = {
     /**
-     * JSON Web Key Set
+     * Frontend configuration
      */
-    200: unknown;
+    200: FrontendConfigResponseDto;
 };
+type AppControllerGetFrontendConfigResponse = AppControllerGetFrontendConfigResponses[keyof AppControllerGetFrontendConfigResponses];
 type TenantControllerGetTenantsData = {
     body?: never;
     path?: never;
     query?: never;
-    url: "/tenant";
+    url: "/api/tenant";
 };
 type TenantControllerGetTenantsResponses = {
     200: Array<TenantEntity>;
@@ -2048,7 +2519,7 @@ type TenantControllerInitTenantData = {
     body: CreateTenantDto;
     path?: never;
     query?: never;
-    url: "/tenant";
+    url: "/api/tenant";
 };
 type TenantControllerInitTenantResponses = {
     201: {
@@ -2062,7 +2533,7 @@ type TenantControllerDeleteTenantData = {
         id: string;
     };
     query?: never;
-    url: "/tenant/{id}";
+    url: "/api/tenant/{id}";
 };
 type TenantControllerDeleteTenantResponses = {
     200: unknown;
@@ -2073,7 +2544,7 @@ type TenantControllerGetTenantData = {
         id: string;
     };
     query?: never;
-    url: "/tenant/{id}";
+    url: "/api/tenant/{id}";
 };
 type TenantControllerGetTenantResponses = {
     200: TenantEntity;
@@ -2085,7 +2556,7 @@ type TenantControllerUpdateTenantData = {
         id: string;
     };
     query?: never;
-    url: "/tenant/{id}";
+    url: "/api/tenant/{id}";
 };
 type TenantControllerUpdateTenantResponses = {
     200: TenantEntity;
@@ -2095,184 +2566,88 @@ type ClientControllerGetClientsData = {
     body?: never;
     path?: never;
     query?: never;
-    url: "/client";
+    url: "/api/client";
 };
 type ClientControllerGetClientsResponses = {
     200: Array<ClientEntity>;
 };
-type ClientControllerGetClientsResponse = ClientControllerGetClientsResponses[keyof ClientControllerGetClientsResponses];
-type ClientControllerCreateClientData = {
-    body: CreateClientDto;
-    path?: never;
-    query?: never;
-    url: "/client";
-};
-type ClientControllerCreateClientResponses = {
-    201: ClientEntity;
-};
-type ClientControllerCreateClientResponse = ClientControllerCreateClientResponses[keyof ClientControllerCreateClientResponses];
-type ClientControllerDeleteClientData = {
-    body?: never;
-    path: {
-        id: string;
-    };
-    query?: never;
-    url: "/client/{id}";
-};
-type ClientControllerDeleteClientResponses = {
-    200: unknown;
-};
-type ClientControllerGetClientData = {
-    body?: never;
-    path: {
-        id: string;
-    };
-    query?: never;
-    url: "/client/{id}";
-};
-type ClientControllerGetClientResponses = {
-    200: ClientEntity;
-};
-type ClientControllerGetClientResponse = ClientControllerGetClientResponses[keyof ClientControllerGetClientResponses];
-type ClientControllerUpdateClientData = {
-    body: UpdateClientDto;
-    path: {
-        id: string;
-    };
-    query?: never;
-    url: "/client/{id}";
-};
-type ClientControllerUpdateClientResponses = {
-    200: {
-        [key: string]: unknown;
-    };
-};
-type ClientControllerUpdateClientResponse = ClientControllerUpdateClientResponses[keyof ClientControllerUpdateClientResponses];
-type ClientControllerGetClientSecretData = {
-    body?: never;
-    path: {
-        id: string;
-    };
-    query?: never;
-    url: "/client/{id}/secret";
-};
-type ClientControllerGetClientSecretResponses = {
-    200: ClientSecretResponseDto;
-};
-type ClientControllerGetClientSecretResponse = ClientControllerGetClientSecretResponses[keyof ClientControllerGetClientSecretResponses];
-type ClientControllerRotateClientSecretData = {
-    body?: never;
-    path: {
-        id: string;
-    };
-    query?: never;
-    url: "/client/{id}/rotate-secret";
-};
-type ClientControllerRotateClientSecretResponses = {
-    201: ClientSecretResponseDto;
-};
-type ClientControllerRotateClientSecretResponse = ClientControllerRotateClientSecretResponses[keyof ClientControllerRotateClientSecretResponses];
-type CertControllerGetCertificatesData = {
-    body?: never;
-    path?: never;
-    query?: {
-        keyId?: string;
-    };
-    url: "/certs";
-};
-type CertControllerGetCertificatesResponses = {
-    200: Array<CertEntity>;
-};
-type CertControllerGetCertificatesResponse = CertControllerGetCertificatesResponses[keyof CertControllerGetCertificatesResponses];
-type CertControllerAddCertificateData = {
-    body: CertImportDto;
+type ClientControllerGetClientsResponse = ClientControllerGetClientsResponses[keyof ClientControllerGetClientsResponses];
+type ClientControllerCreateClientData = {
+    body: CreateClientDto;
     path?: never;
     query?: never;
-    url: "/certs";
+    url: "/api/client";
 };
-type CertControllerAddCertificateResponses = {
-    201: CertResponseDto;
+type ClientControllerCreateClientResponses = {
+    201: ClientEntity;
 };
-type CertControllerAddCertificateResponse = CertControllerAddCertificateResponses[keyof CertControllerAddCertificateResponses];
-type CertControllerDeleteCertificateData = {
+type ClientControllerCreateClientResponse = ClientControllerCreateClientResponses[keyof ClientControllerCreateClientResponses];
+type ClientControllerDeleteClientData = {
     body?: never;
     path: {
-        certId: string;
+        id: string;
     };
     query?: never;
-    url: "/certs/{certId}";
+    url: "/api/client/{id}";
 };
-type CertControllerDeleteCertificateResponses = {
+type ClientControllerDeleteClientResponses = {
     200: unknown;
 };
-type CertControllerGetCertificateData = {
+type ClientControllerGetClientData = {
     body?: never;
     path: {
-        certId: string;
+        id: string;
     };
     query?: never;
-    url: "/certs/{certId}";
+    url: "/api/client/{id}";
 };
-type CertControllerGetCertificateResponses = {
-    200: CertEntity;
+type ClientControllerGetClientResponses = {
+    200: ClientEntity;
 };
-type CertControllerGetCertificateResponse = CertControllerGetCertificateResponses[keyof CertControllerGetCertificateResponses];
-type CertControllerUpdateCertificateData = {
-    body: CertUpdateDto;
+type ClientControllerGetClientResponse = ClientControllerGetClientResponses[keyof ClientControllerGetClientResponses];
+type ClientControllerUpdateClientData = {
+    body: UpdateClientDto;
     path: {
-        certId: string;
+        id: string;
     };
     query?: never;
-    url: "/certs/{certId}";
-};
-type CertControllerUpdateCertificateResponses = {
-    200: unknown;
+    url: "/api/client/{id}";
 };
-type CertControllerExportConfigData = {
-    body?: never;
-    path: {
-        certId: string;
+type ClientControllerUpdateClientResponses = {
+    200: {
+        [key: string]: unknown;
     };
-    query?: never;
-    url: "/certs/{certId}/config";
-};
-type CertControllerExportConfigResponses = {
-    200: CertImportDto;
 };
-type CertControllerExportConfigResponse = CertControllerExportConfigResponses[keyof CertControllerExportConfigResponses];
-type StatusListControllerGetListData = {
+type ClientControllerUpdateClientResponse = ClientControllerUpdateClientResponses[keyof ClientControllerUpdateClientResponses];
+type ClientControllerGetClientSecretData = {
     body?: never;
     path: {
-        tenantId: string;
-        listId: string;
+        id: string;
     };
     query?: never;
-    url: "/{tenantId}/status-management/status-list/{listId}";
+    url: "/api/client/{id}/secret";
 };
-type StatusListControllerGetListResponses = {
-    200: string;
+type ClientControllerGetClientSecretResponses = {
+    200: ClientSecretResponseDto;
 };
-type StatusListControllerGetListResponse = StatusListControllerGetListResponses[keyof StatusListControllerGetListResponses];
-type StatusListControllerGetStatusListAggregationData = {
+type ClientControllerGetClientSecretResponse = ClientControllerGetClientSecretResponses[keyof ClientControllerGetClientSecretResponses];
+type ClientControllerRotateClientSecretData = {
     body?: never;
     path: {
-        tenantId: string;
+        id: string;
     };
     query?: never;
-    url: "/{tenantId}/status-management/status-list-aggregation";
+    url: "/api/client/{id}/rotate-secret";
 };
-type StatusListControllerGetStatusListAggregationResponses = {
-    /**
-     * List of status list URIs
-     */
-    200: StatusListAggregationDto;
+type ClientControllerRotateClientSecretResponses = {
+    201: ClientSecretResponseDto;
 };
-type StatusListControllerGetStatusListAggregationResponse = StatusListControllerGetStatusListAggregationResponses[keyof StatusListControllerGetStatusListAggregationResponses];
+type ClientControllerRotateClientSecretResponse = ClientControllerRotateClientSecretResponses[keyof ClientControllerRotateClientSecretResponses];
 type StatusListConfigControllerResetConfigData = {
     body?: never;
     path?: never;
     query?: never;
-    url: "/status-list-config";
+    url: "/api/status-list-config";
 };
 type StatusListConfigControllerResetConfigResponses = {
     /**
@@ -2285,7 +2660,7 @@ type StatusListConfigControllerGetConfigData = {
     body?: never;
     path?: never;
     query?: never;
-    url: "/status-list-config";
+    url: "/api/status-list-config";
 };
 type StatusListConfigControllerGetConfigResponses = {
     /**
@@ -2298,7 +2673,7 @@ type StatusListConfigControllerUpdateConfigData = {
     body: UpdateStatusListConfigDto;
     path?: never;
     query?: never;
-    url: "/status-list-config";
+    url: "/api/status-list-config";
 };
 type StatusListConfigControllerUpdateConfigResponses = {
     /**
@@ -2311,7 +2686,7 @@ type StatusListManagementControllerGetListsData = {
     body?: never;
     path?: never;
     query?: never;
-    url: "/status-lists";
+    url: "/api/status-lists";
 };
 type StatusListManagementControllerGetListsResponses = {
     /**
@@ -2324,7 +2699,7 @@ type StatusListManagementControllerCreateListData = {
     body: CreateStatusListDto;
     path?: never;
     query?: never;
-    url: "/status-lists";
+    url: "/api/status-lists";
 };
 type StatusListManagementControllerCreateListResponses = {
     /**
@@ -2342,7 +2717,7 @@ type StatusListManagementControllerDeleteListData = {
         listId: string;
     };
     query?: never;
-    url: "/status-lists/{listId}";
+    url: "/api/status-lists/{listId}";
 };
 type StatusListManagementControllerDeleteListResponses = {
     /**
@@ -2360,7 +2735,7 @@ type StatusListManagementControllerGetListData = {
         listId: string;
     };
     query?: never;
-    url: "/status-lists/{listId}";
+    url: "/api/status-lists/{listId}";
 };
 type StatusListManagementControllerGetListResponses = {
     /**
@@ -2378,7 +2753,7 @@ type StatusListManagementControllerUpdateListData = {
         listId: string;
     };
     query?: never;
-    url: "/status-lists/{listId}";
+    url: "/api/status-lists/{listId}";
 };
 type StatusListManagementControllerUpdateListResponses = {
     /**
@@ -2391,7 +2766,7 @@ type SessionControllerGetAllSessionsData = {
     body?: never;
     path?: never;
     query?: never;
-    url: "/session";
+    url: "/api/session";
 };
 type SessionControllerGetAllSessionsResponses = {
     200: Array<Session>;
@@ -2403,7 +2778,7 @@ type SessionControllerDeleteSessionData = {
         id: string;
     };
     query?: never;
-    url: "/session/{id}";
+    url: "/api/session/{id}";
 };
 type SessionControllerDeleteSessionResponses = {
     200: unknown;
@@ -2417,17 +2792,32 @@ type SessionControllerGetSessionData = {
         id: string;
     };
     query?: never;
-    url: "/session/{id}";
+    url: "/api/session/{id}";
 };
 type SessionControllerGetSessionResponses = {
     200: Session;
 };
 type SessionControllerGetSessionResponse = SessionControllerGetSessionResponses[keyof SessionControllerGetSessionResponses];
+type SessionControllerGetSessionLogsData = {
+    body?: never;
+    path: {
+        /**
+         * The session ID
+         */
+        id: string;
+    };
+    query?: never;
+    url: "/api/session/{id}/logs";
+};
+type SessionControllerGetSessionLogsResponses = {
+    200: Array<SessionLogEntryResponseDto>;
+};
+type SessionControllerGetSessionLogsResponse = SessionControllerGetSessionLogsResponses[keyof SessionControllerGetSessionLogsResponses];
 type SessionControllerRevokeAllData = {
     body: StatusUpdateDto;
     path?: never;
     query?: never;
-    url: "/session/revoke";
+    url: "/api/session/revoke";
 };
 type SessionControllerRevokeAllResponses = {
     201: unknown;
@@ -2436,7 +2826,7 @@ type SessionConfigControllerResetConfigData = {
     body?: never;
     path?: never;
     query?: never;
-    url: "/session-config";
+    url: "/api/session-config";
 };
 type SessionConfigControllerResetConfigResponses = {
     /**
@@ -2448,7 +2838,7 @@ type SessionConfigControllerGetConfigData = {
     body?: never;
     path?: never;
     query?: never;
-    url: "/session-config";
+    url: "/api/session-config";
 };
 type SessionConfigControllerGetConfigResponses = {
     /**
@@ -2461,7 +2851,7 @@ type SessionConfigControllerUpdateConfigData = {
     body: UpdateSessionConfigDto;
     path?: never;
     query?: never;
-    url: "/session-config";
+    url: "/api/session-config";
 };
 type SessionConfigControllerUpdateConfigResponses = {
     /**
@@ -2484,7 +2874,7 @@ type SessionEventsControllerSubscribeToSessionEventsData = {
          */
         token: string;
     };
-    url: "/session/{id}/events";
+    url: "/api/session/{id}/events";
 };
 type SessionEventsControllerSubscribeToSessionEventsResponses = {
     200: unknown;
@@ -2493,7 +2883,7 @@ type IssuanceConfigControllerGetIssuanceConfigurationsData = {
     body?: never;
     path?: never;
     query?: never;
-    url: "/issuer/config";
+    url: "/api/issuer/config";
 };
 type IssuanceConfigControllerGetIssuanceConfigurationsResponses = {
     200: IssuanceConfig;
@@ -2503,7 +2893,7 @@ type IssuanceConfigControllerStoreIssuanceConfigurationData = {
     body: IssuanceDto;
     path?: never;
     query?: never;
-    url: "/issuer/config";
+    url: "/api/issuer/config";
 };
 type IssuanceConfigControllerStoreIssuanceConfigurationResponses = {
     201: {
@@ -2515,7 +2905,7 @@ type CredentialConfigControllerGetConfigsData = {
     body?: never;
     path?: never;
     query?: never;
-    url: "/issuer/credentials";
+    url: "/api/issuer/credentials";
 };
 type CredentialConfigControllerGetConfigsResponses = {
     200: Array<CredentialConfig>;
@@ -2525,7 +2915,7 @@ type CredentialConfigControllerStoreCredentialConfigurationData = {
     body: CredentialConfigCreate;
     path?: never;
     query?: never;
-    url: "/issuer/credentials";
+    url: "/api/issuer/credentials";
 };
 type CredentialConfigControllerStoreCredentialConfigurationResponses = {
     201: {
@@ -2539,7 +2929,7 @@ type CredentialConfigControllerDeleteIssuanceConfigurationData = {
         id: string;
     };
     query?: never;
-    url: "/issuer/credentials/{id}";
+    url: "/api/issuer/credentials/{id}";
 };
 type CredentialConfigControllerDeleteIssuanceConfigurationResponses = {
     200: unknown;
@@ -2550,7 +2940,7 @@ type CredentialConfigControllerGetConfigByIdData = {
         id: string;
     };
     query?: never;
-    url: "/issuer/credentials/{id}";
+    url: "/api/issuer/credentials/{id}";
 };
 type CredentialConfigControllerGetConfigByIdResponses = {
     200: CredentialConfig;
@@ -2562,7 +2952,7 @@ type CredentialConfigControllerUpdateCredentialConfigurationData = {
         id: string;
     };
     query?: never;
-    url: "/issuer/credentials/{id}";
+    url: "/api/issuer/credentials/{id}";
 };
 type CredentialConfigControllerUpdateCredentialConfigurationResponses = {
     200: {
@@ -2570,638 +2960,323 @@ type CredentialConfigControllerUpdateCredentialConfigurationResponses = {
     };
 };
 type CredentialConfigControllerUpdateCredentialConfigurationResponse = CredentialConfigControllerUpdateCredentialConfigurationResponses[keyof CredentialConfigControllerUpdateCredentialConfigurationResponses];
-type PresentationManagementControllerConfigurationData = {
-    body?: never;
-    path?: never;
-    query?: never;
-    url: "/verifier/config";
-};
-type PresentationManagementControllerConfigurationResponses = {
-    200: Array<PresentationConfig>;
-};
-type PresentationManagementControllerConfigurationResponse = PresentationManagementControllerConfigurationResponses[keyof PresentationManagementControllerConfigurationResponses];
-type PresentationManagementControllerStorePresentationConfigData = {
-    body: PresentationConfigCreateDto;
-    path?: never;
-    query?: never;
-    url: "/verifier/config";
-};
-type PresentationManagementControllerStorePresentationConfigResponses = {
-    201: {
-        [key: string]: unknown;
-    };
-};
-type PresentationManagementControllerStorePresentationConfigResponse = PresentationManagementControllerStorePresentationConfigResponses[keyof PresentationManagementControllerStorePresentationConfigResponses];
-type PresentationManagementControllerDeleteConfigurationData = {
-    body?: never;
-    path: {
-        id: string;
-    };
-    query?: never;
-    url: "/verifier/config/{id}";
-};
-type PresentationManagementControllerDeleteConfigurationResponses = {
-    200: unknown;
-};
-type PresentationManagementControllerGetConfigurationData = {
-    body?: never;
-    path: {
-        id: string;
-    };
-    query?: never;
-    url: "/verifier/config/{id}";
-};
-type PresentationManagementControllerGetConfigurationResponses = {
-    200: PresentationConfig;
-};
-type PresentationManagementControllerGetConfigurationResponse = PresentationManagementControllerGetConfigurationResponses[keyof PresentationManagementControllerGetConfigurationResponses];
-type PresentationManagementControllerUpdateConfigurationData = {
-    body: PresentationConfigUpdateDto;
-    path: {
-        id: string;
-    };
-    query?: never;
-    url: "/verifier/config/{id}";
-};
-type PresentationManagementControllerUpdateConfigurationResponses = {
-    200: {
-        [key: string]: unknown;
-    };
-};
-type PresentationManagementControllerUpdateConfigurationResponse = PresentationManagementControllerUpdateConfigurationResponses[keyof PresentationManagementControllerUpdateConfigurationResponses];
-type CacheControllerGetStatsData = {
+type AttributeProviderControllerGetAllData = {
     body?: never;
     path?: never;
     query?: never;
-    url: "/cache/stats";
+    url: "/api/issuer/attribute-providers";
 };
-type CacheControllerGetStatsResponses = {
+type AttributeProviderControllerGetAllResponses = {
     /**
-     * Cache statistics
+     * List of attribute providers
      */
     200: unknown;
 };
-type CacheControllerClearAllCachesData = {
-    body?: never;
-    path?: never;
-    query?: never;
-    url: "/cache";
-};
-type CacheControllerClearAllCachesResponses = {
-    /**
-     * All caches cleared successfully
-     */
-    204: void;
-};
-type CacheControllerClearAllCachesResponse = CacheControllerClearAllCachesResponses[keyof CacheControllerClearAllCachesResponses];
-type CacheControllerClearTrustListCacheData = {
-    body?: never;
-    path?: never;
-    query?: never;
-    url: "/cache/trust-list";
-};
-type CacheControllerClearTrustListCacheResponses = {
-    /**
-     * Trust list cache cleared successfully
-     */
-    204: void;
-};
-type CacheControllerClearTrustListCacheResponse = CacheControllerClearTrustListCacheResponses[keyof CacheControllerClearTrustListCacheResponses];
-type CacheControllerClearStatusListCacheData = {
-    body?: never;
+type AttributeProviderControllerCreateData = {
+    body: CreateAttributeProviderDto;
     path?: never;
     query?: never;
-    url: "/cache/status-list";
+    url: "/api/issuer/attribute-providers";
 };
-type CacheControllerClearStatusListCacheResponses = {
+type AttributeProviderControllerCreateResponses = {
     /**
-     * Status list cache cleared successfully
+     * Attribute provider created
      */
-    204: void;
-};
-type CacheControllerClearStatusListCacheResponse = CacheControllerClearStatusListCacheResponses[keyof CacheControllerClearStatusListCacheResponses];
-type Oid4VciControllerCredentialData = {
-    body?: never;
-    path: {
-        tenantId: string;
-    };
-    query?: never;
-    url: "/{tenantId}/vci/credential";
-};
-type Oid4VciControllerCredentialResponses = {
-    200: {
-        [key: string]: unknown;
-    };
-};
-type Oid4VciControllerCredentialResponse = Oid4VciControllerCredentialResponses[keyof Oid4VciControllerCredentialResponses];
-type Oid4VciControllerDeferredCredentialData = {
-    body: DeferredCredentialRequestDto;
-    path: {
-        tenantId: string;
-    };
-    query?: never;
-    url: "/{tenantId}/vci/deferred_credential";
-};
-type Oid4VciControllerDeferredCredentialResponses = {
-    200: unknown;
-};
-type Oid4VciControllerNotificationsData = {
-    body: NotificationRequestDto;
-    path: {
-        tenantId: string;
-    };
-    query?: never;
-    url: "/{tenantId}/vci/notification";
-};
-type Oid4VciControllerNotificationsResponses = {
     201: unknown;
 };
-type Oid4VciControllerNonceData = {
-    body?: never;
-    path: {
-        tenantId: string;
-    };
-    query?: never;
-    url: "/{tenantId}/vci/nonce";
-};
-type Oid4VciControllerNonceResponses = {
-    200: unknown;
-};
-type AuthorizeControllerAuthorizeData = {
-    body?: never;
-    path: {
-        tenantId: string;
-    };
-    query?: {
-        issuer_state?: string;
-        response_type?: string;
-        client_id?: string;
-        redirect_uri?: string;
-        resource?: string;
-        scope?: string;
-        code_challenge?: string;
-        code_challenge_method?: string;
-        dpop_jkt?: string;
-        request_uri?: string;
-        auth_session?: string;
-        state?: string;
-    };
-    url: "/{tenantId}/authorize";
-};
-type AuthorizeControllerAuthorizeResponses = {
-    200: unknown;
-};
-type AuthorizeControllerParData = {
-    /**
-     * Pushed Authorization Request
-     */
-    body: AuthorizeQueries;
-    path?: never;
-    query?: never;
-    url: "/{tenantId}/authorize/par";
-};
-type AuthorizeControllerParResponses = {
-    201: ParResponseDto;
-};
-type AuthorizeControllerParResponse = AuthorizeControllerParResponses[keyof AuthorizeControllerParResponses];
-type AuthorizeControllerTokenData = {
-    body?: never;
-    path: {
-        tenantId: string;
-    };
-    query?: never;
-    url: "/{tenantId}/authorize/token";
-};
-type AuthorizeControllerTokenResponses = {
-    201: {
-        [key: string]: unknown;
-    };
-};
-type AuthorizeControllerTokenResponse = AuthorizeControllerTokenResponses[keyof AuthorizeControllerTokenResponses];
-type InteractiveAuthorizationControllerInteractiveAuthorizationData = {
-    /**
-     * Interactive authorization request
-     */
-    body: InteractiveAuthorizationRequestDto;
-    headers: {
-        origin: string;
-    };
-    path: {
-        tenantId: string;
-    };
-    query?: never;
-    url: "/{tenantId}/authorize/interactive";
-};
-type InteractiveAuthorizationControllerInteractiveAuthorizationErrors = {
-    /**
-     * Error response
-     */
-    400: InteractiveAuthorizationErrorResponseDto;
-};
-type InteractiveAuthorizationControllerInteractiveAuthorizationError = InteractiveAuthorizationControllerInteractiveAuthorizationErrors[keyof InteractiveAuthorizationControllerInteractiveAuthorizationErrors];
-type InteractiveAuthorizationControllerInteractiveAuthorizationResponses = {
-    /**
-     * Authorization code response (successful completion)
-     */
-    200: InteractiveAuthorizationCodeResponseDto;
-};
-type InteractiveAuthorizationControllerInteractiveAuthorizationResponse = InteractiveAuthorizationControllerInteractiveAuthorizationResponses[keyof InteractiveAuthorizationControllerInteractiveAuthorizationResponses];
-type InteractiveAuthorizationControllerCompleteWebAuthData = {
+type AttributeProviderControllerDeleteData = {
     body?: never;
     path: {
-        authSession: string;
-        tenantId: string;
+        id: string;
     };
     query?: never;
-    url: "/{tenantId}/authorize/interactive/complete-web-auth/{authSession}";
+    url: "/api/issuer/attribute-providers/{id}";
 };
-type InteractiveAuthorizationControllerCompleteWebAuthErrors = {
+type AttributeProviderControllerDeleteErrors = {
     /**
-     * Auth session not found
+     * Attribute provider not found
      */
     404: unknown;
 };
-type InteractiveAuthorizationControllerCompleteWebAuthResponses = {
+type AttributeProviderControllerDeleteResponses = {
     /**
-     * Web authorization marked as completed
+     * Attribute provider deleted
      */
     200: unknown;
 };
-type ChainedAsControllerParData = {
-    body: ChainedAsParRequestDto;
-    headers?: {
-        /**
-         * DPoP proof JWT
-         */
-        DPoP?: string;
-        /**
-         * Wallet attestation JWT
-         */
-        "OAuth-Client-Attestation"?: string;
-        /**
-         * Wallet attestation proof-of-possession JWT
-         */
-        "OAuth-Client-Attestation-PoP"?: string;
-    };
-    path: {
-        /**
-         * Tenant identifier
-         */
-        tenant: string;
-    };
-    query?: never;
-    url: "/{tenant}/chained-as/par";
-};
-type ChainedAsControllerParErrors = {
-    /**
-     * Invalid request
-     */
-    400: ChainedAsErrorResponseDto;
-};
-type ChainedAsControllerParError = ChainedAsControllerParErrors[keyof ChainedAsControllerParErrors];
-type ChainedAsControllerParResponses = {
-    /**
-     * PAR request accepted
-     */
-    201: ChainedAsParResponseDto;
-};
-type ChainedAsControllerParResponse = ChainedAsControllerParResponses[keyof ChainedAsControllerParResponses];
-type ChainedAsControllerAuthorizeData = {
+type AttributeProviderControllerGetByIdData = {
     body?: never;
     path: {
-        /**
-         * Tenant identifier
-         */
-        tenant: string;
-    };
-    query: {
-        /**
-         * Client identifier
-         */
-        client_id: string;
-        /**
-         * Request URI from PAR response
-         */
-        request_uri: string;
+        id: string;
     };
-    url: "/{tenant}/chained-as/authorize";
+    query?: never;
+    url: "/api/issuer/attribute-providers/{id}";
 };
-type ChainedAsControllerAuthorizeErrors = {
+type AttributeProviderControllerGetByIdErrors = {
     /**
-     * Invalid request
+     * Attribute provider not found
      */
-    400: ChainedAsErrorResponseDto;
-};
-type ChainedAsControllerAuthorizeError = ChainedAsControllerAuthorizeErrors[keyof ChainedAsControllerAuthorizeErrors];
-type ChainedAsControllerAuthorizeResponses = {
-    200: unknown;
-};
-type ChainedAsControllerCallbackData = {
-    body?: never;
-    path: {
-        /**
-         * Tenant identifier
-         */
-        tenant: string;
-    };
-    query: {
-        code: string;
-        state: string;
-        error: string;
-        error_description: string;
-    };
-    url: "/{tenant}/chained-as/callback";
+    404: unknown;
 };
-type ChainedAsControllerCallbackErrors = {
+type AttributeProviderControllerGetByIdResponses = {
     /**
-     * Invalid callback
+     * The attribute provider
      */
-    400: ChainedAsErrorResponseDto;
-};
-type ChainedAsControllerCallbackError = ChainedAsControllerCallbackErrors[keyof ChainedAsControllerCallbackErrors];
-type ChainedAsControllerCallbackResponses = {
     200: unknown;
 };
-type ChainedAsControllerTokenData = {
-    body: ChainedAsTokenRequestDto;
-    headers?: {
-        /**
-         * DPoP proof JWT
-         */
-        DPoP?: string;
-    };
+type AttributeProviderControllerUpdateData = {
+    body: UpdateAttributeProviderDto;
     path: {
-        /**
-         * Tenant identifier
-         */
-        tenant: string;
+        id: string;
     };
     query?: never;
-    url: "/{tenant}/chained-as/token";
-};
-type ChainedAsControllerTokenErrors = {
-    /**
-     * Invalid request
-     */
-    400: ChainedAsErrorResponseDto;
-    /**
-     * Invalid authorization code
-     */
-    401: ChainedAsErrorResponseDto;
+    url: "/api/issuer/attribute-providers/{id}";
 };
-type ChainedAsControllerTokenError = ChainedAsControllerTokenErrors[keyof ChainedAsControllerTokenErrors];
-type ChainedAsControllerTokenResponses = {
+type AttributeProviderControllerUpdateErrors = {
     /**
-     * Token issued successfully
+     * Attribute provider not found
      */
-    200: ChainedAsTokenResponseDto;
-};
-type ChainedAsControllerTokenResponse = ChainedAsControllerTokenResponses[keyof ChainedAsControllerTokenResponses];
-type ChainedAsControllerJwksData = {
-    body?: never;
-    path: {
-        /**
-         * Tenant identifier
-         */
-        tenant: string;
-    };
-    query?: never;
-    url: "/{tenant}/chained-as/.well-known/jwks.json";
+    404: unknown;
 };
-type ChainedAsControllerJwksResponses = {
+type AttributeProviderControllerUpdateResponses = {
     /**
-     * JWKS document
+     * Attribute provider updated
      */
     200: unknown;
 };
-type ChainedAsControllerGetMetadataData = {
+type WebhookEndpointControllerGetAllData = {
     body?: never;
-    path: {
-        /**
-         * Tenant identifier
-         */
-        tenant: string;
-    };
+    path?: never;
     query?: never;
-    url: "/{tenant}/chained-as/.well-known/oauth-authorization-server";
+    url: "/api/issuer/webhook-endpoints";
 };
-type ChainedAsControllerGetMetadataResponses = {
+type WebhookEndpointControllerGetAllResponses = {
     /**
-     * OAuth AS metadata
+     * List of webhook endpoints
      */
     200: unknown;
 };
-type CredentialOfferControllerGetOfferData = {
-    body: OfferRequestDto;
+type WebhookEndpointControllerCreateData = {
+    body: CreateWebhookEndpointDto;
     path?: never;
     query?: never;
-    url: "/issuer/offer";
+    url: "/api/issuer/webhook-endpoints";
 };
-type CredentialOfferControllerGetOfferResponses = {
+type WebhookEndpointControllerCreateResponses = {
     /**
-     * JSON response
+     * Webhook endpoint created
      */
-    201: OfferResponse;
+    201: unknown;
 };
-type CredentialOfferControllerGetOfferResponse = CredentialOfferControllerGetOfferResponses[keyof CredentialOfferControllerGetOfferResponses];
-type DeferredControllerCompleteDeferredData = {
-    body: CompleteDeferredDto;
+type WebhookEndpointControllerDeleteData = {
+    body?: never;
     path: {
-        transactionId: string;
+        id: string;
     };
     query?: never;
-    url: "/issuer/deferred/{transactionId}/complete";
+    url: "/api/issuer/webhook-endpoints/{id}";
 };
-type DeferredControllerCompleteDeferredErrors = {
+type WebhookEndpointControllerDeleteErrors = {
     /**
-     * Transaction not found
+     * Webhook endpoint not found
      */
     404: unknown;
 };
-type DeferredControllerCompleteDeferredResponses = {
+type WebhookEndpointControllerDeleteResponses = {
     /**
-     * Transaction completed successfully
+     * Webhook endpoint deleted
      */
-    200: DeferredOperationResponse;
+    200: unknown;
 };
-type DeferredControllerCompleteDeferredResponse = DeferredControllerCompleteDeferredResponses[keyof DeferredControllerCompleteDeferredResponses];
-type DeferredControllerFailDeferredData = {
-    body?: FailDeferredDto;
+type WebhookEndpointControllerGetByIdData = {
+    body?: never;
     path: {
-        transactionId: string;
+        id: string;
     };
     query?: never;
-    url: "/issuer/deferred/{transactionId}/fail";
+    url: "/api/issuer/webhook-endpoints/{id}";
 };
-type DeferredControllerFailDeferredErrors = {
+type WebhookEndpointControllerGetByIdErrors = {
     /**
-     * Transaction not found
+     * Webhook endpoint not found
      */
     404: unknown;
 };
-type DeferredControllerFailDeferredResponses = {
+type WebhookEndpointControllerGetByIdResponses = {
     /**
-     * Transaction marked as failed
+     * The webhook endpoint
      */
-    200: DeferredOperationResponse;
+    200: unknown;
 };
-type DeferredControllerFailDeferredResponse = DeferredControllerFailDeferredResponses[keyof DeferredControllerFailDeferredResponses];
-type Oid4VciMetadataControllerVctData = {
-    body?: never;
+type WebhookEndpointControllerUpdateData = {
+    body: UpdateWebhookEndpointDto;
     path: {
         id: string;
-        tenantId: string;
     };
     query?: never;
-    url: "/{tenantId}/credentials-metadata/vct/{id}";
+    url: "/api/issuer/webhook-endpoints/{id}";
+};
+type WebhookEndpointControllerUpdateErrors = {
+    /**
+     * Webhook endpoint not found
+     */
+    404: unknown;
 };
-type Oid4VciMetadataControllerVctResponses = {
-    200: Vct;
+type WebhookEndpointControllerUpdateResponses = {
+    /**
+     * Webhook endpoint updated
+     */
+    200: unknown;
 };
-type Oid4VciMetadataControllerVctResponse = Oid4VciMetadataControllerVctResponses[keyof Oid4VciMetadataControllerVctResponses];
-type WellKnownControllerIssuerMetadata0Data = {
+type PresentationManagementControllerConfigurationData = {
     body?: never;
-    path: {
-        tenantId: string;
-    };
+    path?: never;
     query?: never;
-    url: "/.well-known/openid-credential-issuer/{tenantId}";
+    url: "/api/verifier/config";
 };
-type WellKnownControllerIssuerMetadata0Responses = {
-    200: {
-        [key: string]: unknown;
-    };
+type PresentationManagementControllerConfigurationResponses = {
+    200: Array<PresentationConfig>;
 };
-type WellKnownControllerIssuerMetadata0Response = WellKnownControllerIssuerMetadata0Responses[keyof WellKnownControllerIssuerMetadata0Responses];
-type WellKnownControllerIssuerMetadata1Data = {
-    body?: never;
-    path: {
-        tenantId: string;
-    };
+type PresentationManagementControllerConfigurationResponse = PresentationManagementControllerConfigurationResponses[keyof PresentationManagementControllerConfigurationResponses];
+type PresentationManagementControllerStorePresentationConfigData = {
+    body: PresentationConfigCreateDto;
+    path?: never;
     query?: never;
-    url: "/{tenantId}/.well-known/openid-credential-issuer";
+    url: "/api/verifier/config";
 };
-type WellKnownControllerIssuerMetadata1Responses = {
-    200: {
-        [key: string]: unknown;
-    };
+type PresentationManagementControllerStorePresentationConfigResponses = {
+    201: PresentationConfig;
 };
-type WellKnownControllerIssuerMetadata1Response = WellKnownControllerIssuerMetadata1Responses[keyof WellKnownControllerIssuerMetadata1Responses];
-type WellKnownControllerAuthzMetadata0Data = {
-    body?: never;
-    path: {
-        tenantId: string;
-    };
+type PresentationManagementControllerStorePresentationConfigResponse = PresentationManagementControllerStorePresentationConfigResponses[keyof PresentationManagementControllerStorePresentationConfigResponses];
+type PresentationManagementControllerResolveIssuerMetadataData = {
+    body: ResolveIssuerMetadataDto;
+    path?: never;
     query?: never;
-    url: "/.well-known/oauth-authorization-server/{tenantId}";
+    url: "/api/verifier/config/issuer-metadata/resolve";
+};
+type PresentationManagementControllerResolveIssuerMetadataErrors = {
+    /**
+     * Invalid issuer URL or metadata could not be resolved
+     */
+    400: unknown;
 };
-type WellKnownControllerAuthzMetadata0Responses = {
+type PresentationManagementControllerResolveIssuerMetadataResponses = {
+    /**
+     * Resolved credential issuer metadata
+     */
     200: unknown;
 };
-type WellKnownControllerAuthzMetadata1Data = {
+type PresentationManagementControllerDeleteConfigurationData = {
     body?: never;
     path: {
-        tenantId: string;
+        id: string;
     };
     query?: never;
-    url: "/{tenantId}/.well-known/oauth-authorization-server";
+    url: "/api/verifier/config/{id}";
 };
-type WellKnownControllerAuthzMetadata1Responses = {
+type PresentationManagementControllerDeleteConfigurationResponses = {
     200: unknown;
 };
-type WellKnownControllerChainedAsMetadataData = {
+type PresentationManagementControllerGetConfigurationData = {
     body?: never;
     path: {
-        tenantId: string;
+        id: string;
     };
     query?: never;
-    url: "/.well-known/oauth-authorization-server/{tenantId}/chained-as";
+    url: "/api/verifier/config/{id}";
 };
-type WellKnownControllerChainedAsMetadataResponses = {
-    200: {
-        [key: string]: unknown;
-    };
+type PresentationManagementControllerGetConfigurationResponses = {
+    200: PresentationConfig;
 };
-type WellKnownControllerChainedAsMetadataResponse = WellKnownControllerChainedAsMetadataResponses[keyof WellKnownControllerChainedAsMetadataResponses];
-type WellKnownControllerGetJwks0Data = {
-    body?: never;
+type PresentationManagementControllerGetConfigurationResponse = PresentationManagementControllerGetConfigurationResponses[keyof PresentationManagementControllerGetConfigurationResponses];
+type PresentationManagementControllerUpdateConfigurationData = {
+    body: PresentationConfigUpdateDto;
     path: {
-        tenantId: string;
+        id: string;
     };
     query?: never;
-    url: "/.well-known/jwks.json/{tenantId}";
+    url: "/api/verifier/config/{id}";
 };
-type WellKnownControllerGetJwks0Responses = {
-    200: JwksResponseDto;
+type PresentationManagementControllerUpdateConfigurationResponses = {
+    200: PresentationConfig;
 };
-type WellKnownControllerGetJwks0Response = WellKnownControllerGetJwks0Responses[keyof WellKnownControllerGetJwks0Responses];
-type WellKnownControllerGetJwks1Data = {
+type PresentationManagementControllerUpdateConfigurationResponse = PresentationManagementControllerUpdateConfigurationResponses[keyof PresentationManagementControllerUpdateConfigurationResponses];
+type PresentationManagementControllerReissueRegistrationCertificateData = {
     body?: never;
     path: {
-        tenantId: string;
+        id: string;
     };
     query?: never;
-    url: "/{tenantId}/.well-known/jwks.json";
+    url: "/api/verifier/config/{id}/registration-cert/reissue";
+};
+type PresentationManagementControllerReissueRegistrationCertificateErrors = {
+    /**
+     * Config has no registrationCert spec or registrar is not enabled
+     */
+    400: unknown;
 };
-type WellKnownControllerGetJwks1Responses = {
-    200: JwksResponseDto;
+type PresentationManagementControllerReissueRegistrationCertificateResponses = {
+    /**
+     * Updated presentation configuration
+     */
+    200: unknown;
 };
-type WellKnownControllerGetJwks1Response = WellKnownControllerGetJwks1Responses[keyof WellKnownControllerGetJwks1Responses];
-type Oid4VpControllerGetRequestWithSessionData = {
+type CacheControllerGetStatsData = {
     body?: never;
-    path: {
-        session: string;
-    };
+    path?: never;
     query?: never;
-    url: "/{session}/oid4vp/request";
+    url: "/api/cache/stats";
 };
-type Oid4VpControllerGetRequestWithSessionResponses = {
-    200: string;
+type CacheControllerGetStatsResponses = {
+    /**
+     * Cache statistics
+     */
+    200: unknown;
 };
-type Oid4VpControllerGetRequestWithSessionResponse = Oid4VpControllerGetRequestWithSessionResponses[keyof Oid4VpControllerGetRequestWithSessionResponses];
-type Oid4VpControllerGetPostRequestWithSessionData = {
+type CacheControllerClearAllCachesData = {
     body?: never;
-    path: {
-        session: string;
-    };
+    path?: never;
     query?: never;
-    url: "/{session}/oid4vp/request";
+    url: "/api/cache";
 };
-type Oid4VpControllerGetPostRequestWithSessionResponses = {
-    201: string;
+type CacheControllerClearAllCachesResponses = {
+    /**
+     * All caches cleared successfully
+     */
+    204: void;
 };
-type Oid4VpControllerGetPostRequestWithSessionResponse = Oid4VpControllerGetPostRequestWithSessionResponses[keyof Oid4VpControllerGetPostRequestWithSessionResponses];
-type Oid4VpControllerGetRequestNoRedirectWithSessionData = {
+type CacheControllerClearAllCachesResponse = CacheControllerClearAllCachesResponses[keyof CacheControllerClearAllCachesResponses];
+type CacheControllerClearTrustListCacheData = {
     body?: never;
-    path: {
-        session: string;
-    };
+    path?: never;
     query?: never;
-    url: "/{session}/oid4vp/request/no-redirect";
+    url: "/api/cache/trust-list";
 };
-type Oid4VpControllerGetRequestNoRedirectWithSessionResponses = {
-    200: string;
+type CacheControllerClearTrustListCacheResponses = {
+    /**
+     * Trust list cache cleared successfully
+     */
+    204: void;
 };
-type Oid4VpControllerGetRequestNoRedirectWithSessionResponse = Oid4VpControllerGetRequestNoRedirectWithSessionResponses[keyof Oid4VpControllerGetRequestNoRedirectWithSessionResponses];
-type Oid4VpControllerGetResponseData = {
-    body: AuthorizationResponse;
-    path: {
-        session: string;
-    };
+type CacheControllerClearTrustListCacheResponse = CacheControllerClearTrustListCacheResponses[keyof CacheControllerClearTrustListCacheResponses];
+type CacheControllerClearStatusListCacheData = {
+    body?: never;
+    path?: never;
     query?: never;
-    url: "/{session}/oid4vp";
+    url: "/api/cache/status-list";
 };
-type Oid4VpControllerGetResponseResponses = {
-    200: {
-        [key: string]: unknown;
-    };
+type CacheControllerClearStatusListCacheResponses = {
+    /**
+     * Status list cache cleared successfully
+     */
+    204: void;
 };
-type Oid4VpControllerGetResponseResponse = Oid4VpControllerGetResponseResponses[keyof Oid4VpControllerGetResponseResponses];
+type CacheControllerClearStatusListCacheResponse = CacheControllerClearStatusListCacheResponses[keyof CacheControllerClearStatusListCacheResponses];
 type RegistrarControllerDeleteConfigData = {
     body?: never;
     path?: never;
     query?: never;
-    url: "/registrar/config";
+    url: "/api/registrar/config";
 };
 type RegistrarControllerDeleteConfigResponses = {
     /**
@@ -3214,7 +3289,7 @@ type RegistrarControllerGetConfigData = {
     body?: never;
     path?: never;
     query?: never;
-    url: "/registrar/config";
+    url: "/api/registrar/config";
 };
 type RegistrarControllerGetConfigErrors = {
     /**
@@ -3226,14 +3301,14 @@ type RegistrarControllerGetConfigResponses = {
     /**
      * The registrar configuration
      */
-    200: RegistrarConfigEntity;
+    200: RegistrarConfigResponseDto;
 };
 type RegistrarControllerGetConfigResponse = RegistrarControllerGetConfigResponses[keyof RegistrarControllerGetConfigResponses];
 type RegistrarControllerUpdateConfigData = {
     body: UpdateRegistrarConfigDto;
     path?: never;
     query?: never;
-    url: "/registrar/config";
+    url: "/api/registrar/config";
 };
 type RegistrarControllerUpdateConfigErrors = {
     /**
@@ -3249,14 +3324,14 @@ type RegistrarControllerUpdateConfigResponses = {
     /**
      * Configuration updated successfully
      */
-    200: RegistrarConfigEntity;
+    200: RegistrarConfigResponseDto;
 };
 type RegistrarControllerUpdateConfigResponse = RegistrarControllerUpdateConfigResponses[keyof RegistrarControllerUpdateConfigResponses];
 type RegistrarControllerCreateConfigData = {
     body: CreateRegistrarConfigDto;
     path?: never;
     query?: never;
-    url: "/registrar/config";
+    url: "/api/registrar/config";
 };
 type RegistrarControllerCreateConfigErrors = {
     /**
@@ -3268,14 +3343,14 @@ type RegistrarControllerCreateConfigResponses = {
     /**
      * Configuration created successfully
      */
-    201: RegistrarConfigEntity;
+    201: RegistrarConfigResponseDto;
 };
 type RegistrarControllerCreateConfigResponse = RegistrarControllerCreateConfigResponses[keyof RegistrarControllerCreateConfigResponses];
 type RegistrarControllerCreateAccessCertificateData = {
     body: CreateAccessCertificateDto;
     path?: never;
     query?: never;
-    url: "/registrar/access-certificate";
+    url: "/api/registrar/access-certificate";
 };
 type RegistrarControllerCreateAccessCertificateErrors = {
     /**
@@ -3303,11 +3378,66 @@ type RegistrarControllerCreateAccessCertificateResponses = {
     };
 };
 type RegistrarControllerCreateAccessCertificateResponse = RegistrarControllerCreateAccessCertificateResponses[keyof RegistrarControllerCreateAccessCertificateResponses];
+type CredentialOfferControllerGetOfferData = {
+    body: OfferRequestDto;
+    path?: never;
+    query?: never;
+    url: "/api/issuer/offer";
+};
+type CredentialOfferControllerGetOfferResponses = {
+    /**
+     * JSON response
+     */
+    201: OfferResponse;
+};
+type CredentialOfferControllerGetOfferResponse = CredentialOfferControllerGetOfferResponses[keyof CredentialOfferControllerGetOfferResponses];
+type DeferredControllerCompleteDeferredData = {
+    body: CompleteDeferredDto;
+    path: {
+        transactionId: string;
+    };
+    query?: never;
+    url: "/api/issuer/deferred/{transactionId}/complete";
+};
+type DeferredControllerCompleteDeferredErrors = {
+    /**
+     * Transaction not found
+     */
+    404: unknown;
+};
+type DeferredControllerCompleteDeferredResponses = {
+    /**
+     * Transaction completed successfully
+     */
+    200: DeferredOperationResponse;
+};
+type DeferredControllerCompleteDeferredResponse = DeferredControllerCompleteDeferredResponses[keyof DeferredControllerCompleteDeferredResponses];
+type DeferredControllerFailDeferredData = {
+    body?: FailDeferredDto;
+    path: {
+        transactionId: string;
+    };
+    query?: never;
+    url: "/api/issuer/deferred/{transactionId}/fail";
+};
+type DeferredControllerFailDeferredErrors = {
+    /**
+     * Transaction not found
+     */
+    404: unknown;
+};
+type DeferredControllerFailDeferredResponses = {
+    /**
+     * Transaction marked as failed
+     */
+    200: DeferredOperationResponse;
+};
+type DeferredControllerFailDeferredResponse = DeferredControllerFailDeferredResponses[keyof DeferredControllerFailDeferredResponses];
 type TrustListControllerGetAllTrustListsData = {
     body?: never;
     path?: never;
     query?: never;
-    url: "/trust-list";
+    url: "/api/trust-list";
 };
 type TrustListControllerGetAllTrustListsResponses = {
     200: Array<TrustList>;
@@ -3317,7 +3447,7 @@ type TrustListControllerCreateTrustListData = {
     body: TrustListCreateDto;
     path?: never;
     query?: never;
-    url: "/trust-list";
+    url: "/api/trust-list";
 };
 type TrustListControllerCreateTrustListResponses = {
     201: TrustList;
@@ -3329,7 +3459,7 @@ type TrustListControllerDeleteTrustListData = {
         id: string;
     };
     query?: never;
-    url: "/trust-list/{id}";
+    url: "/api/trust-list/{id}";
 };
 type TrustListControllerDeleteTrustListResponses = {
     200: unknown;
@@ -3340,7 +3470,7 @@ type TrustListControllerGetTrustListData = {
         id: string;
     };
     query?: never;
-    url: "/trust-list/{id}";
+    url: "/api/trust-list/{id}";
 };
 type TrustListControllerGetTrustListResponses = {
     200: TrustList;
@@ -3352,7 +3482,7 @@ type TrustListControllerUpdateTrustListData = {
         id: string;
     };
     query?: never;
-    url: "/trust-list/{id}";
+    url: "/api/trust-list/{id}";
 };
 type TrustListControllerUpdateTrustListResponses = {
     200: TrustList;
@@ -3364,7 +3494,7 @@ type TrustListControllerExportTrustListData = {
         id: string;
     };
     query?: never;
-    url: "/trust-list/{id}/export";
+    url: "/api/trust-list/{id}/export";
 };
 type TrustListControllerExportTrustListResponses = {
     200: TrustListCreateDto;
@@ -3376,7 +3506,7 @@ type TrustListControllerGetTrustListVersionsData = {
         id: string;
     };
     query?: never;
-    url: "/trust-list/{id}/versions";
+    url: "/api/trust-list/{id}/versions";
 };
 type TrustListControllerGetTrustListVersionsResponses = {
     200: Array<TrustListVersion>;
@@ -3389,117 +3519,169 @@ type TrustListControllerGetTrustListVersionData = {
         versionId: string;
     };
     query?: never;
-    url: "/trust-list/{id}/versions/{versionId}";
+    url: "/api/trust-list/{id}/versions/{versionId}";
 };
 type TrustListControllerGetTrustListVersionResponses = {
     200: TrustListVersion;
 };
 type TrustListControllerGetTrustListVersionResponse = TrustListControllerGetTrustListVersionResponses[keyof TrustListControllerGetTrustListVersionResponses];
-type TrustListPublicControllerGetTrustListJwtData = {
-    body?: never;
-    path: {
-        tenantId: string;
-        id: string;
-    };
-    query?: never;
-    url: "/{tenantId}/trust-list/{id}";
-};
-type TrustListPublicControllerGetTrustListJwtResponses = {
-    200: string;
-};
-type TrustListPublicControllerGetTrustListJwtResponse = TrustListPublicControllerGetTrustListJwtResponses[keyof TrustListPublicControllerGetTrustListJwtResponses];
-type KeyControllerGetProvidersData = {
+type KeyChainControllerGetProvidersData = {
     body?: never;
     path?: never;
     query?: never;
-    url: "/key/providers";
+    url: "/api/key-chain/providers";
 };
-type KeyControllerGetProvidersResponses = {
+type KeyChainControllerGetProvidersResponses = {
     /**
-     * List of available KMS providers
+     * List of available KMS providers with capabilities
      */
     200: KmsProvidersResponseDto;
 };
-type KeyControllerGetProvidersResponse = KeyControllerGetProvidersResponses[keyof KeyControllerGetProvidersResponses];
-type KeyControllerGetKeysData = {
+type KeyChainControllerGetProvidersResponse = KeyChainControllerGetProvidersResponses[keyof KeyChainControllerGetProvidersResponses];
+type KeyChainControllerGetAllData = {
     body?: never;
     path?: never;
     query?: never;
-    url: "/key";
+    url: "/api/key-chain";
 };
-type KeyControllerGetKeysResponses = {
-    200: Array<KeyEntity>;
+type KeyChainControllerGetAllResponses = {
+    /**
+     * List of key chains
+     */
+    200: Array<KeyChainResponseDto>;
 };
-type KeyControllerGetKeysResponse = KeyControllerGetKeysResponses[keyof KeyControllerGetKeysResponses];
-type KeyControllerAddKeyData = {
-    body: KeyImportDto;
+type KeyChainControllerGetAllResponse = KeyChainControllerGetAllResponses[keyof KeyChainControllerGetAllResponses];
+type KeyChainControllerCreateData = {
+    body: KeyChainCreateDto;
     path?: never;
     query?: never;
-    url: "/key";
+    url: "/api/key-chain";
 };
-type KeyControllerAddKeyResponses = {
+type KeyChainControllerCreateResponses = {
     /**
-     * Key imported successfully
+     * Key chain created successfully
      */
     201: unknown;
 };
-type KeyControllerDeleteKeyData = {
+type KeyChainControllerDeleteData = {
     body?: never;
     path: {
         id: string;
     };
     query?: never;
-    url: "/key/{id}";
+    url: "/api/key-chain/{id}";
+};
+type KeyChainControllerDeleteErrors = {
+    /**
+     * Key chain not found
+     */
+    404: unknown;
 };
-type KeyControllerDeleteKeyResponses = {
+type KeyChainControllerDeleteResponses = {
     /**
-     * Key deleted successfully
+     * Key chain deleted successfully
      */
     200: unknown;
 };
-type KeyControllerGetKeyData = {
+type KeyChainControllerGetByIdData = {
     body?: never;
     path: {
         id: string;
     };
     query?: never;
-    url: "/key/{id}";
+    url: "/api/key-chain/{id}";
+};
+type KeyChainControllerGetByIdErrors = {
+    /**
+     * Key chain not found
+     */
+    404: unknown;
 };
-type KeyControllerGetKeyResponses = {
-    200: KeyEntity;
+type KeyChainControllerGetByIdResponses = {
+    /**
+     * The key chain
+     */
+    200: KeyChainResponseDto;
 };
-type KeyControllerGetKeyResponse = KeyControllerGetKeyResponses[keyof KeyControllerGetKeyResponses];
-type KeyControllerUpdateKeyData = {
-    body: UpdateKeyDto;
+type KeyChainControllerGetByIdResponse = KeyChainControllerGetByIdResponses[keyof KeyChainControllerGetByIdResponses];
+type KeyChainControllerUpdateData = {
+    body: KeyChainUpdateDto;
     path: {
         id: string;
     };
     query?: never;
-    url: "/key/{id}";
+    url: "/api/key-chain/{id}";
 };
-type KeyControllerUpdateKeyResponses = {
+type KeyChainControllerUpdateErrors = {
     /**
-     * Key updated successfully
+     * Key chain not found
+     */
+    404: unknown;
+};
+type KeyChainControllerUpdateResponses = {
+    /**
+     * Key chain updated successfully
      */
     200: unknown;
 };
-type KeyControllerGenerateKeyData = {
-    body: KeyGenerateDto;
+type KeyChainControllerExportData = {
+    body?: never;
+    path: {
+        id: string;
+    };
+    query?: never;
+    url: "/api/key-chain/{id}/export";
+};
+type KeyChainControllerExportErrors = {
+    /**
+     * Key chain not found
+     */
+    404: unknown;
+};
+type KeyChainControllerExportResponses = {
+    /**
+     * Key chain export data
+     */
+    200: KeyChainExportDto;
+};
+type KeyChainControllerExportResponse = KeyChainControllerExportResponses[keyof KeyChainControllerExportResponses];
+type KeyChainControllerImportData = {
+    body: KeyChainImportDto;
     path?: never;
     query?: never;
-    url: "/key/generate";
+    url: "/api/key-chain/import";
 };
-type KeyControllerGenerateKeyResponses = {
+type KeyChainControllerImportResponses = {
     /**
-     * Key generated successfully
+     * Key chain imported successfully
      */
     201: unknown;
 };
+type KeyChainControllerRotateData = {
+    body?: never;
+    path: {
+        id: string;
+    };
+    query?: never;
+    url: "/api/key-chain/{id}/rotate";
+};
+type KeyChainControllerRotateErrors = {
+    /**
+     * Key chain not found
+     */
+    404: unknown;
+};
+type KeyChainControllerRotateResponses = {
+    /**
+     * Key chain rotated successfully
+     */
+    200: unknown;
+};
 type VerifierOfferControllerGetOfferData = {
     body: PresentationRequest;
     path?: never;
     query?: never;
-    url: "/verifier/offer";
+    url: "/api/verifier/offer";
 };
 type VerifierOfferControllerGetOfferResponses = {
     /**
@@ -3509,13 +3691,10 @@ type VerifierOfferControllerGetOfferResponses = {
 };
 type VerifierOfferControllerGetOfferResponse = VerifierOfferControllerGetOfferResponses[keyof VerifierOfferControllerGetOfferResponses];
 type StorageControllerUploadData = {
-    /**
-     * List of cats
-     */
     body: FileUploadDto;
     path?: never;
     query?: never;
-    url: "/storage";
+    url: "/api/storage";
 };
 type StorageControllerUploadResponses = {
     201: {
@@ -3523,16 +3702,5 @@ type StorageControllerUploadResponses = {
     };
 };
 type StorageControllerUploadResponse = StorageControllerUploadResponses[keyof StorageControllerUploadResponses];
-type StorageControllerDownloadData = {
-    body?: never;
-    path: {
-        key: string;
-    };
-    query?: never;
-    url: "/storage/{key}";
-};
-type StorageControllerDownloadResponses = {
-    200: unknown;
-};
 
-export type { CertControllerGetCertificatesResponse as $, AllowListPolicy as A, AuthorizeQueries as B, CacheControllerClearAllCachesData as C, CacheControllerClearAllCachesResponse as D, CacheControllerClearAllCachesResponses as E, CacheControllerClearStatusListCacheData as F, CacheControllerClearStatusListCacheResponse as G, HealthControllerCheckResponse as H, CacheControllerClearStatusListCacheResponses as I, CacheControllerClearTrustListCacheData as J, CacheControllerClearTrustListCacheResponse as K, CacheControllerClearTrustListCacheResponses as L, CacheControllerGetStatsData as M, CacheControllerGetStatsResponses as N, CertControllerAddCertificateData as O, CertControllerAddCertificateResponse as P, CertControllerAddCertificateResponses as Q, CertControllerDeleteCertificateData as R, Session as S, CertControllerDeleteCertificateResponses as T, CertControllerExportConfigData as U, CertControllerExportConfigResponse as V, CertControllerExportConfigResponses as W, CertControllerGetCertificateData as X, CertControllerGetCertificateResponse as Y, CertControllerGetCertificateResponses as Z, CertControllerGetCertificatesData as _, HealthControllerCheckError as a, CreateAccessCertificateDto as a$, CertControllerGetCertificatesResponses as a0, CertControllerUpdateCertificateData as a1, CertControllerUpdateCertificateResponses as a2, CertEntity as a3, CertImportDto as a4, CertResponseDto as a5, CertUpdateDto as a6, CertUsageEntity as a7, ChainedAsConfig as a8, ChainedAsControllerAuthorizeData as a9, ChainedAsTokenResponseDto as aA, ClaimsQuery as aB, ClientControllerCreateClientData as aC, ClientControllerCreateClientResponse as aD, ClientControllerCreateClientResponses as aE, ClientControllerDeleteClientData as aF, ClientControllerDeleteClientResponses as aG, ClientControllerGetClientData as aH, ClientControllerGetClientResponse as aI, ClientControllerGetClientResponses as aJ, ClientControllerGetClientSecretData as aK, ClientControllerGetClientSecretResponse as aL, ClientControllerGetClientSecretResponses as aM, ClientControllerGetClientsData as aN, ClientControllerGetClientsResponse as aO, ClientControllerGetClientsResponses as aP, ClientControllerRotateClientSecretData as aQ, ClientControllerRotateClientSecretResponse as aR, ClientControllerRotateClientSecretResponses as aS, ClientControllerUpdateClientData as aT, ClientControllerUpdateClientResponse as aU, ClientControllerUpdateClientResponses as aV, ClientCredentialsDto as aW, ClientEntity as aX, ClientOptions as aY, ClientSecretResponseDto as aZ, CompleteDeferredDto as a_, ChainedAsControllerAuthorizeError as aa, ChainedAsControllerAuthorizeErrors as ab, ChainedAsControllerAuthorizeResponses as ac, ChainedAsControllerCallbackData as ad, ChainedAsControllerCallbackError as ae, ChainedAsControllerCallbackErrors as af, ChainedAsControllerCallbackResponses as ag, ChainedAsControllerGetMetadataData as ah, ChainedAsControllerGetMetadataResponses as ai, ChainedAsControllerJwksData as aj, ChainedAsControllerJwksResponses as ak, ChainedAsControllerParData as al, ChainedAsControllerParError as am, ChainedAsControllerParErrors as an, ChainedAsControllerParResponse as ao, ChainedAsControllerParResponses as ap, ChainedAsControllerTokenData as aq, ChainedAsControllerTokenError as ar, ChainedAsControllerTokenErrors as as, ChainedAsControllerTokenResponse as at, ChainedAsControllerTokenResponses as au, ChainedAsErrorResponseDto as av, ChainedAsParRequestDto as aw, ChainedAsParResponseDto as ax, ChainedAsTokenConfig as ay, ChainedAsTokenRequestDto as az, ApiKeyConfig as b, IssuanceConfig as b$, CreateClientDto as b0, CreateRegistrarConfigDto as b1, CreateStatusListDto as b2, CreateTenantDto as b3, CredentialConfig as b4, CredentialConfigControllerDeleteIssuanceConfigurationData as b5, CredentialConfigControllerDeleteIssuanceConfigurationResponses as b6, CredentialConfigControllerGetConfigByIdData as b7, CredentialConfigControllerGetConfigByIdResponse as b8, CredentialConfigControllerGetConfigByIdResponses as b9, DeferredCredentialRequestDto as bA, DeferredOperationResponse as bB, Display as bC, DisplayImage as bD, DisplayInfo as bE, DisplayLogo as bF, EcPublic as bG, EmbeddedDisclosurePolicy as bH, FailDeferredDto as bI, FileUploadDto as bJ, HealthControllerCheckData as bK, HealthControllerCheckErrors as bL, HealthControllerCheckResponses as bM, IaeActionOpenid4VpPresentation as bN, IaeActionRedirectToWeb as bO, ImportTenantDto as bP, InteractiveAuthorizationCodeResponseDto as bQ, InteractiveAuthorizationControllerCompleteWebAuthData as bR, InteractiveAuthorizationControllerCompleteWebAuthErrors as bS, InteractiveAuthorizationControllerCompleteWebAuthResponses as bT, InteractiveAuthorizationControllerInteractiveAuthorizationData as bU, InteractiveAuthorizationControllerInteractiveAuthorizationError as bV, InteractiveAuthorizationControllerInteractiveAuthorizationErrors as bW, InteractiveAuthorizationControllerInteractiveAuthorizationResponse as bX, InteractiveAuthorizationControllerInteractiveAuthorizationResponses as bY, InteractiveAuthorizationErrorResponseDto as bZ, InteractiveAuthorizationRequestDto as b_, CredentialConfigControllerGetConfigsData as ba, CredentialConfigControllerGetConfigsResponse as bb, CredentialConfigControllerGetConfigsResponses as bc, CredentialConfigControllerStoreCredentialConfigurationData as bd, CredentialConfigControllerStoreCredentialConfigurationResponse as be, CredentialConfigControllerStoreCredentialConfigurationResponses as bf, CredentialConfigControllerUpdateCredentialConfigurationData as bg, CredentialConfigControllerUpdateCredentialConfigurationResponse as bh, CredentialConfigControllerUpdateCredentialConfigurationResponses as bi, CredentialConfigCreate as bj, CredentialConfigUpdate as bk, CredentialOfferControllerGetOfferData as bl, CredentialOfferControllerGetOfferResponse as bm, CredentialOfferControllerGetOfferResponses as bn, CredentialQuery as bo, CredentialSetQuery as bp, DbKmsConfigDto as bq, Dcql as br, DeferredControllerCompleteDeferredData as bs, DeferredControllerCompleteDeferredErrors as bt, DeferredControllerCompleteDeferredResponse as bu, DeferredControllerCompleteDeferredResponses as bv, DeferredControllerFailDeferredData as bw, DeferredControllerFailDeferredErrors as bx, DeferredControllerFailDeferredResponse as by, DeferredControllerFailDeferredResponses as bz, AppControllerMainData as c, PolicyCredential as c$, IssuanceConfigControllerGetIssuanceConfigurationsData as c0, IssuanceConfigControllerGetIssuanceConfigurationsResponse as c1, IssuanceConfigControllerGetIssuanceConfigurationsResponses as c2, IssuanceConfigControllerStoreIssuanceConfigurationData as c3, IssuanceConfigControllerStoreIssuanceConfigurationResponse as c4, IssuanceConfigControllerStoreIssuanceConfigurationResponses as c5, IssuanceDto as c6, IssuerMetadataCredentialConfig as c7, JwksResponseDto as c8, Key as c9, OfferRequestDto as cA, OfferResponse as cB, Oid4VciControllerCredentialData as cC, Oid4VciControllerCredentialResponse as cD, Oid4VciControllerCredentialResponses as cE, Oid4VciControllerDeferredCredentialData as cF, Oid4VciControllerDeferredCredentialResponses as cG, Oid4VciControllerNonceData as cH, Oid4VciControllerNonceResponses as cI, Oid4VciControllerNotificationsData as cJ, Oid4VciControllerNotificationsResponses as cK, Oid4VciMetadataControllerVctData as cL, Oid4VciMetadataControllerVctResponse as cM, Oid4VciMetadataControllerVctResponses as cN, Oid4VpControllerGetPostRequestWithSessionData as cO, Oid4VpControllerGetPostRequestWithSessionResponse as cP, Oid4VpControllerGetPostRequestWithSessionResponses as cQ, Oid4VpControllerGetRequestNoRedirectWithSessionData as cR, Oid4VpControllerGetRequestNoRedirectWithSessionResponse as cS, Oid4VpControllerGetRequestNoRedirectWithSessionResponses as cT, Oid4VpControllerGetRequestWithSessionData as cU, Oid4VpControllerGetRequestWithSessionResponse as cV, Oid4VpControllerGetRequestWithSessionResponses as cW, Oid4VpControllerGetResponseData as cX, Oid4VpControllerGetResponseResponse as cY, Oid4VpControllerGetResponseResponses as cZ, ParResponseDto as c_, KeyControllerAddKeyData as ca, KeyControllerAddKeyResponses as cb, KeyControllerDeleteKeyData as cc, KeyControllerDeleteKeyResponses as cd, KeyControllerGenerateKeyData as ce, KeyControllerGenerateKeyResponses as cf, KeyControllerGetKeyData as cg, KeyControllerGetKeyResponse as ch, KeyControllerGetKeyResponses as ci, KeyControllerGetKeysData as cj, KeyControllerGetKeysResponse as ck, KeyControllerGetKeysResponses as cl, KeyControllerGetProvidersData as cm, KeyControllerGetProvidersResponse as cn, KeyControllerGetProvidersResponses as co, KeyControllerUpdateKeyData as cp, KeyControllerUpdateKeyResponses as cq, KeyEntity as cr, KeyGenerateDto as cs, KeyImportDto as ct, KmsConfigDto as cu, KmsProviderCapabilitiesDto as cv, KmsProviderInfoDto as cw, KmsProvidersResponseDto as cx, NoneTrustPolicy as cy, NotificationRequestDto as cz, AppControllerMainResponses as d, SessionEventsControllerSubscribeToSessionEventsData as d$, PresentationAttachment as d0, PresentationConfig as d1, PresentationConfigCreateDto as d2, PresentationConfigUpdateDto as d3, PresentationDuringIssuanceConfig as d4, PresentationManagementControllerConfigurationData as d5, PresentationManagementControllerConfigurationResponse as d6, PresentationManagementControllerConfigurationResponses as d7, PresentationManagementControllerDeleteConfigurationData as d8, PresentationManagementControllerDeleteConfigurationResponses as d9, RegistrarControllerGetConfigResponses as dA, RegistrarControllerUpdateConfigData as dB, RegistrarControllerUpdateConfigErrors as dC, RegistrarControllerUpdateConfigResponse as dD, RegistrarControllerUpdateConfigResponses as dE, RegistrationCertificateRequest as dF, RoleDto as dG, RootOfTrustPolicy as dH, SchemaResponse as dI, SessionConfigControllerGetConfigData as dJ, SessionConfigControllerGetConfigResponse as dK, SessionConfigControllerGetConfigResponses as dL, SessionConfigControllerResetConfigData as dM, SessionConfigControllerResetConfigResponses as dN, SessionConfigControllerUpdateConfigData as dO, SessionConfigControllerUpdateConfigResponse as dP, SessionConfigControllerUpdateConfigResponses as dQ, SessionControllerDeleteSessionData as dR, SessionControllerDeleteSessionResponses as dS, SessionControllerGetAllSessionsData as dT, SessionControllerGetAllSessionsResponse as dU, SessionControllerGetAllSessionsResponses as dV, SessionControllerGetSessionData as dW, SessionControllerGetSessionResponse as dX, SessionControllerGetSessionResponses as dY, SessionControllerRevokeAllData as dZ, SessionControllerRevokeAllResponses as d_, PresentationManagementControllerGetConfigurationData as da, PresentationManagementControllerGetConfigurationResponse as db, PresentationManagementControllerGetConfigurationResponses as dc, PresentationManagementControllerStorePresentationConfigData as dd, PresentationManagementControllerStorePresentationConfigResponse as de, PresentationManagementControllerStorePresentationConfigResponses as df, PresentationManagementControllerUpdateConfigurationData as dg, PresentationManagementControllerUpdateConfigurationResponse as dh, PresentationManagementControllerUpdateConfigurationResponses as di, PresentationRequest as dj, RegistrarConfigEntity as dk, RegistrarControllerCreateAccessCertificateData as dl, RegistrarControllerCreateAccessCertificateErrors as dm, RegistrarControllerCreateAccessCertificateResponse as dn, RegistrarControllerCreateAccessCertificateResponses as dp, RegistrarControllerCreateConfigData as dq, RegistrarControllerCreateConfigErrors as dr, RegistrarControllerCreateConfigResponse as ds, RegistrarControllerCreateConfigResponses as dt, RegistrarControllerDeleteConfigData as du, RegistrarControllerDeleteConfigResponse as dv, RegistrarControllerDeleteConfigResponses as dw, RegistrarControllerGetConfigData as dx, RegistrarControllerGetConfigErrors as dy, RegistrarControllerGetConfigResponse as dz, AttestationBasedPolicy as e, TrustListControllerDeleteTrustListData as e$, SessionEventsControllerSubscribeToSessionEventsResponses as e0, SessionStorageConfig as e1, StatusListAggregationDto as e2, StatusListConfig as e3, StatusListConfigControllerGetConfigData as e4, StatusListConfigControllerGetConfigResponse as e5, StatusListConfigControllerGetConfigResponses as e6, StatusListConfigControllerResetConfigData as e7, StatusListConfigControllerResetConfigResponse as e8, StatusListConfigControllerResetConfigResponses as e9, StatusUpdateDto as eA, StorageControllerDownloadData as eB, StorageControllerDownloadResponses as eC, StorageControllerUploadData as eD, StorageControllerUploadResponse as eE, StorageControllerUploadResponses as eF, TenantControllerDeleteTenantData as eG, TenantControllerDeleteTenantResponses as eH, TenantControllerGetTenantData as eI, TenantControllerGetTenantResponse as eJ, TenantControllerGetTenantResponses as eK, TenantControllerGetTenantsData as eL, TenantControllerGetTenantsResponse as eM, TenantControllerGetTenantsResponses as eN, TenantControllerInitTenantData as eO, TenantControllerInitTenantResponse as eP, TenantControllerInitTenantResponses as eQ, TenantControllerUpdateTenantData as eR, TenantControllerUpdateTenantResponse as eS, TenantControllerUpdateTenantResponses as eT, TenantEntity as eU, TokenResponse as eV, TransactionData as eW, TrustList as eX, TrustListControllerCreateTrustListData as eY, TrustListControllerCreateTrustListResponse as eZ, TrustListControllerCreateTrustListResponses as e_, StatusListConfigControllerUpdateConfigData as ea, StatusListConfigControllerUpdateConfigResponse as eb, StatusListConfigControllerUpdateConfigResponses as ec, StatusListControllerGetListData as ed, StatusListControllerGetListResponse as ee, StatusListControllerGetListResponses as ef, StatusListControllerGetStatusListAggregationData as eg, StatusListControllerGetStatusListAggregationResponse as eh, StatusListControllerGetStatusListAggregationResponses as ei, StatusListImportDto as ej, StatusListManagementControllerCreateListData as ek, StatusListManagementControllerCreateListResponse as el, StatusListManagementControllerCreateListResponses as em, StatusListManagementControllerDeleteListData as en, StatusListManagementControllerDeleteListResponse as eo, StatusListManagementControllerDeleteListResponses as ep, StatusListManagementControllerGetListData as eq, StatusListManagementControllerGetListResponse as er, StatusListManagementControllerGetListResponses as es, StatusListManagementControllerGetListsData as et, StatusListManagementControllerGetListsResponse as eu, StatusListManagementControllerGetListsResponses as ev, StatusListManagementControllerUpdateListData as ew, StatusListManagementControllerUpdateListResponse as ex, StatusListManagementControllerUpdateListResponses as ey, StatusListResponseDto as ez, AuthControllerGetGlobalJwksData as f, TrustListControllerDeleteTrustListResponses as f0, TrustListControllerExportTrustListData as f1, TrustListControllerExportTrustListResponse as f2, TrustListControllerExportTrustListResponses as f3, TrustListControllerGetAllTrustListsData as f4, TrustListControllerGetAllTrustListsResponse as f5, TrustListControllerGetAllTrustListsResponses as f6, TrustListControllerGetTrustListData as f7, TrustListControllerGetTrustListResponse as f8, TrustListControllerGetTrustListResponses as f9, VerifierOfferControllerGetOfferResponse as fA, VerifierOfferControllerGetOfferResponses as fB, WebHookAuthConfigHeader as fC, WebHookAuthConfigNone as fD, WebhookConfig as fE, WellKnownControllerAuthzMetadata0Data as fF, WellKnownControllerAuthzMetadata0Responses as fG, WellKnownControllerAuthzMetadata1Data as fH, WellKnownControllerAuthzMetadata1Responses as fI, WellKnownControllerChainedAsMetadataData as fJ, WellKnownControllerChainedAsMetadataResponse as fK, WellKnownControllerChainedAsMetadataResponses as fL, WellKnownControllerGetJwks0Data as fM, WellKnownControllerGetJwks0Response as fN, WellKnownControllerGetJwks0Responses as fO, WellKnownControllerGetJwks1Data as fP, WellKnownControllerGetJwks1Response as fQ, WellKnownControllerGetJwks1Responses as fR, WellKnownControllerIssuerMetadata0Data as fS, WellKnownControllerIssuerMetadata0Response as fT, WellKnownControllerIssuerMetadata0Responses as fU, WellKnownControllerIssuerMetadata1Data as fV, WellKnownControllerIssuerMetadata1Response as fW, WellKnownControllerIssuerMetadata1Responses as fX, TrustListControllerGetTrustListVersionData as fa, TrustListControllerGetTrustListVersionResponse as fb, TrustListControllerGetTrustListVersionResponses as fc, TrustListControllerGetTrustListVersionsData as fd, TrustListControllerGetTrustListVersionsResponse as fe, TrustListControllerGetTrustListVersionsResponses as ff, TrustListControllerUpdateTrustListData as fg, TrustListControllerUpdateTrustListResponse as fh, TrustListControllerUpdateTrustListResponses as fi, TrustListCreateDto as fj, TrustListPublicControllerGetTrustListJwtData as fk, TrustListPublicControllerGetTrustListJwtResponse as fl, TrustListPublicControllerGetTrustListJwtResponses as fm, TrustListVersion as fn, TrustedAuthorityQuery as fo, UpdateClientDto as fp, UpdateKeyDto as fq, UpdateRegistrarConfigDto as fr, UpdateSessionConfigDto as fs, UpdateStatusListConfigDto as ft, UpdateStatusListDto as fu, UpdateTenantDto as fv, UpstreamOidcConfig as fw, VaultKmsConfigDto as fx, Vct as fy, VerifierOfferControllerGetOfferData as fz, AuthControllerGetGlobalJwksResponses as g, AuthControllerGetOAuth2TokenData as h, AuthControllerGetOAuth2TokenErrors as i, AuthControllerGetOAuth2TokenResponse as j, AuthControllerGetOAuth2TokenResponses as k, AuthControllerGetOidcDiscoveryData as l, AuthControllerGetOidcDiscoveryResponses as m, AuthenticationMethodAuth as n, AuthenticationMethodNone as o, AuthenticationMethodPresentation as p, AuthenticationUrlConfig as q, AuthorizationResponse as r, AuthorizeControllerAuthorizeData as s, AuthorizeControllerAuthorizeResponses as t, AuthorizeControllerParData as u, AuthorizeControllerParResponse as v, AuthorizeControllerParResponses as w, AuthorizeControllerTokenData as x, AuthorizeControllerTokenResponse as y, AuthorizeControllerTokenResponses as z };
+export type { ClientControllerDeleteClientData as $, AllowListPolicy as A, AuthorizeQueries as B, CacheControllerClearAllCachesData as C, CacheControllerClearAllCachesResponse as D, CacheControllerClearAllCachesResponses as E, CacheControllerClearStatusListCacheData as F, CacheControllerClearStatusListCacheResponse as G, CacheControllerClearStatusListCacheResponses as H, CacheControllerClearTrustListCacheData as I, CacheControllerClearTrustListCacheResponse as J, CacheControllerClearTrustListCacheResponses as K, CacheControllerGetStatsData as L, CacheControllerGetStatsResponses as M, CertificateInfoDto as N, ChainedAsConfig as O, ChainedAsErrorResponseDto as P, ChainedAsParResponseDto as Q, ChainedAsTokenConfig as R, Session as S, ChainedAsTokenRequestDto as T, ChainedAsTokenResponseDto as U, ClaimDisplayInfo as V, ClaimMetadata as W, ClaimsQuery as X, ClientControllerCreateClientData as Y, ClientControllerCreateClientResponse as Z, ClientControllerCreateClientResponses as _, ApiKeyConfig as a, DisplayInfo as a$, ClientControllerDeleteClientResponses as a0, ClientControllerGetClientData as a1, ClientControllerGetClientResponse as a2, ClientControllerGetClientResponses as a3, ClientControllerGetClientSecretData as a4, ClientControllerGetClientSecretResponse as a5, ClientControllerGetClientSecretResponses as a6, ClientControllerGetClientsData as a7, ClientControllerGetClientsResponse as a8, ClientControllerGetClientsResponses as a9, CredentialConfigControllerGetConfigsResponses as aA, CredentialConfigControllerStoreCredentialConfigurationData as aB, CredentialConfigControllerStoreCredentialConfigurationResponse as aC, CredentialConfigControllerStoreCredentialConfigurationResponses as aD, CredentialConfigControllerUpdateCredentialConfigurationData as aE, CredentialConfigControllerUpdateCredentialConfigurationResponse as aF, CredentialConfigControllerUpdateCredentialConfigurationResponses as aG, CredentialConfigCreate as aH, CredentialConfigUpdate as aI, CredentialOfferControllerGetOfferData as aJ, CredentialOfferControllerGetOfferResponse as aK, CredentialOfferControllerGetOfferResponses as aL, CredentialQuery as aM, CredentialSetQuery as aN, Dcql as aO, DeferredControllerCompleteDeferredData as aP, DeferredControllerCompleteDeferredErrors as aQ, DeferredControllerCompleteDeferredResponse as aR, DeferredControllerCompleteDeferredResponses as aS, DeferredControllerFailDeferredData as aT, DeferredControllerFailDeferredErrors as aU, DeferredControllerFailDeferredResponse as aV, DeferredControllerFailDeferredResponses as aW, DeferredCredentialRequestDto as aX, DeferredOperationResponse as aY, Display as aZ, DisplayImage as a_, ClientControllerRotateClientSecretData as aa, ClientControllerRotateClientSecretResponse as ab, ClientControllerRotateClientSecretResponses as ac, ClientControllerUpdateClientData as ad, ClientControllerUpdateClientResponse as ae, ClientControllerUpdateClientResponses as af, ClientCredentialsDto as ag, ClientEntity as ah, ClientOptions as ai, ClientSecretResponseDto as aj, CompleteDeferredDto as ak, CreateAccessCertificateDto as al, CreateAttributeProviderDto as am, CreateClientDto as an, CreateRegistrarConfigDto as ao, CreateStatusListDto as ap, CreateTenantDto as aq, CreateWebhookEndpointDto as ar, CredentialConfig as as, CredentialConfigControllerDeleteIssuanceConfigurationData as at, CredentialConfigControllerDeleteIssuanceConfigurationResponses as au, CredentialConfigControllerGetConfigByIdData as av, CredentialConfigControllerGetConfigByIdResponse as aw, CredentialConfigControllerGetConfigByIdResponses as ax, CredentialConfigControllerGetConfigsData as ay, CredentialConfigControllerGetConfigsResponse as az, AppControllerGetFrontendConfigData as b, KmsProviderInfoDto as b$, DisplayLogo as b0, EcJwk as b1, EcPublic as b2, EmbeddedDisclosurePolicy as b3, ExportEcJwk as b4, ExportRotationPolicyDto as b5, ExternalTrustListEntity as b6, FailDeferredDto as b7, FileUploadDto as b8, FrontendConfigResponseDto as b9, KeyChainControllerExportResponse as bA, KeyChainControllerExportResponses as bB, KeyChainControllerGetAllData as bC, KeyChainControllerGetAllResponse as bD, KeyChainControllerGetAllResponses as bE, KeyChainControllerGetByIdData as bF, KeyChainControllerGetByIdErrors as bG, KeyChainControllerGetByIdResponse as bH, KeyChainControllerGetByIdResponses as bI, KeyChainControllerGetProvidersData as bJ, KeyChainControllerGetProvidersResponse as bK, KeyChainControllerGetProvidersResponses as bL, KeyChainControllerImportData as bM, KeyChainControllerImportResponses as bN, KeyChainControllerRotateData as bO, KeyChainControllerRotateErrors as bP, KeyChainControllerRotateResponses as bQ, KeyChainControllerUpdateData as bR, KeyChainControllerUpdateErrors as bS, KeyChainControllerUpdateResponses as bT, KeyChainCreateDto as bU, KeyChainEntity as bV, KeyChainExportDto as bW, KeyChainImportDto as bX, KeyChainResponseDto as bY, KeyChainUpdateDto as bZ, KmsProviderCapabilitiesDto as b_, GrafanaConfigDto as ba, IaeActionOpenid4VpPresentation as bb, IaeActionRedirectToWeb as bc, ImportTenantDto as bd, InteractiveAuthorizationCodeResponseDto as be, InteractiveAuthorizationErrorResponseDto as bf, InteractiveAuthorizationRequestDto as bg, InternalTrustListEntity as bh, IssuanceConfig as bi, IssuanceConfigControllerGetIssuanceConfigurationsData as bj, IssuanceConfigControllerGetIssuanceConfigurationsResponse as bk, IssuanceConfigControllerGetIssuanceConfigurationsResponses as bl, IssuanceConfigControllerStoreIssuanceConfigurationData as bm, IssuanceConfigControllerStoreIssuanceConfigurationResponse as bn, IssuanceConfigControllerStoreIssuanceConfigurationResponses as bo, IssuanceDto as bp, IssuerMetadataCredentialConfig as bq, JwksResponseDto as br, KeyAttestationsRequired as bs, KeyChainControllerCreateData as bt, KeyChainControllerCreateResponses as bu, KeyChainControllerDeleteData as bv, KeyChainControllerDeleteErrors as bw, KeyChainControllerDeleteResponses as bx, KeyChainControllerExportData as by, KeyChainControllerExportErrors as bz, AppControllerGetFrontendConfigResponse as c, RotationPolicyCreateDto as c$, KmsProvidersResponseDto as c0, NoneTrustPolicy as c1, NotificationRequestDto as c2, Object$1 as c3, ObjectWritable as c4, OfferRequestDto as c5, OfferResponse as c6, ParResponseDto as c7, PolicyCredential as c8, PresentationAttachment as c9, PublicKeyInfoDto as cA, RegistrarConfigResponseDto as cB, RegistrarControllerCreateAccessCertificateData as cC, RegistrarControllerCreateAccessCertificateErrors as cD, RegistrarControllerCreateAccessCertificateResponse as cE, RegistrarControllerCreateAccessCertificateResponses as cF, RegistrarControllerCreateConfigData as cG, RegistrarControllerCreateConfigErrors as cH, RegistrarControllerCreateConfigResponse as cI, RegistrarControllerCreateConfigResponses as cJ, RegistrarControllerDeleteConfigData as cK, RegistrarControllerDeleteConfigResponse as cL, RegistrarControllerDeleteConfigResponses as cM, RegistrarControllerGetConfigData as cN, RegistrarControllerGetConfigErrors as cO, RegistrarControllerGetConfigResponse as cP, RegistrarControllerGetConfigResponses as cQ, RegistrarControllerUpdateConfigData as cR, RegistrarControllerUpdateConfigErrors as cS, RegistrarControllerUpdateConfigResponse as cT, RegistrarControllerUpdateConfigResponses as cU, RegistrationCertificateBody as cV, RegistrationCertificatePurpose as cW, RegistrationCertificateRequest as cX, ResolveIssuerMetadataDto as cY, RoleDto as cZ, RootOfTrustPolicy as c_, PresentationConfig as ca, PresentationConfigCreateDto as cb, PresentationConfigUpdateDto as cc, PresentationConfigWritable as cd, PresentationDuringIssuanceConfig as ce, PresentationManagementControllerConfigurationData as cf, PresentationManagementControllerConfigurationResponse as cg, PresentationManagementControllerConfigurationResponses as ch, PresentationManagementControllerDeleteConfigurationData as ci, PresentationManagementControllerDeleteConfigurationResponses as cj, PresentationManagementControllerGetConfigurationData as ck, PresentationManagementControllerGetConfigurationResponse as cl, PresentationManagementControllerGetConfigurationResponses as cm, PresentationManagementControllerReissueRegistrationCertificateData as cn, PresentationManagementControllerReissueRegistrationCertificateErrors as co, PresentationManagementControllerReissueRegistrationCertificateResponses as cp, PresentationManagementControllerResolveIssuerMetadataData as cq, PresentationManagementControllerResolveIssuerMetadataErrors as cr, PresentationManagementControllerResolveIssuerMetadataResponses as cs, PresentationManagementControllerStorePresentationConfigData as ct, PresentationManagementControllerStorePresentationConfigResponse as cu, PresentationManagementControllerStorePresentationConfigResponses as cv, PresentationManagementControllerUpdateConfigurationData as cw, PresentationManagementControllerUpdateConfigurationResponse as cx, PresentationManagementControllerUpdateConfigurationResponses as cy, PresentationRequest as cz, AppControllerGetFrontendConfigResponses as d, TenantControllerDeleteTenantResponses as d$, RotationPolicyImportDto as d0, RotationPolicyResponseDto as d1, RotationPolicyUpdateDto as d2, SchemaResponse as d3, SessionConfigControllerGetConfigData as d4, SessionConfigControllerGetConfigResponse as d5, SessionConfigControllerGetConfigResponses as d6, SessionConfigControllerResetConfigData as d7, SessionConfigControllerResetConfigResponses as d8, SessionConfigControllerUpdateConfigData as d9, StatusListConfigControllerResetConfigResponse as dA, StatusListConfigControllerResetConfigResponses as dB, StatusListConfigControllerUpdateConfigData as dC, StatusListConfigControllerUpdateConfigResponse as dD, StatusListConfigControllerUpdateConfigResponses as dE, StatusListImportDto as dF, StatusListManagementControllerCreateListData as dG, StatusListManagementControllerCreateListResponse as dH, StatusListManagementControllerCreateListResponses as dI, StatusListManagementControllerDeleteListData as dJ, StatusListManagementControllerDeleteListResponse as dK, StatusListManagementControllerDeleteListResponses as dL, StatusListManagementControllerGetListData as dM, StatusListManagementControllerGetListResponse as dN, StatusListManagementControllerGetListResponses as dO, StatusListManagementControllerGetListsData as dP, StatusListManagementControllerGetListsResponse as dQ, StatusListManagementControllerGetListsResponses as dR, StatusListManagementControllerUpdateListData as dS, StatusListManagementControllerUpdateListResponse as dT, StatusListManagementControllerUpdateListResponses as dU, StatusListResponseDto as dV, StatusUpdateDto as dW, StorageControllerUploadData as dX, StorageControllerUploadResponse as dY, StorageControllerUploadResponses as dZ, TenantControllerDeleteTenantData as d_, SessionConfigControllerUpdateConfigResponse as da, SessionConfigControllerUpdateConfigResponses as db, SessionControllerDeleteSessionData as dc, SessionControllerDeleteSessionResponses as dd, SessionControllerGetAllSessionsData as de, SessionControllerGetAllSessionsResponse as df, SessionControllerGetAllSessionsResponses as dg, SessionControllerGetSessionData as dh, SessionControllerGetSessionLogsData as di, SessionControllerGetSessionLogsResponse as dj, SessionControllerGetSessionLogsResponses as dk, SessionControllerGetSessionResponse as dl, SessionControllerGetSessionResponses as dm, SessionControllerRevokeAllData as dn, SessionControllerRevokeAllResponses as dp, SessionEventsControllerSubscribeToSessionEventsData as dq, SessionEventsControllerSubscribeToSessionEventsResponses as dr, SessionLogEntryResponseDto as ds, SessionStorageConfig as dt, StatusListAggregationDto as du, StatusListConfig as dv, StatusListConfigControllerGetConfigData as dw, StatusListConfigControllerGetConfigResponse as dx, StatusListConfigControllerGetConfigResponses as dy, StatusListConfigControllerResetConfigData as dz, AppControllerGetVersionData as e, WebhookEndpointControllerDeleteResponses as e$, TenantControllerGetTenantData as e0, TenantControllerGetTenantResponse as e1, TenantControllerGetTenantResponses as e2, TenantControllerGetTenantsData as e3, TenantControllerGetTenantsResponse as e4, TenantControllerGetTenantsResponses as e5, TenantControllerInitTenantData as e6, TenantControllerInitTenantResponse as e7, TenantControllerInitTenantResponses as e8, TenantControllerUpdateTenantData as e9, TrustListControllerUpdateTrustListData as eA, TrustListControllerUpdateTrustListResponse as eB, TrustListControllerUpdateTrustListResponses as eC, TrustListCreateDto as eD, TrustListEntityInfo as eE, TrustListVersion as eF, TrustedAuthorityQuery as eG, UpdateAttributeProviderDto as eH, UpdateClientDto as eI, UpdateRegistrarConfigDto as eJ, UpdateSessionConfigDto as eK, UpdateStatusListConfigDto as eL, UpdateStatusListDto as eM, UpdateTenantDto as eN, UpdateWebhookEndpointDto as eO, UpstreamOidcConfig as eP, Vct as eQ, VerifierOfferControllerGetOfferData as eR, VerifierOfferControllerGetOfferResponse as eS, VerifierOfferControllerGetOfferResponses as eT, WebHookAuthConfigHeader as eU, WebHookAuthConfigNone as eV, WebhookConfig as eW, WebhookEndpointControllerCreateData as eX, WebhookEndpointControllerCreateResponses as eY, WebhookEndpointControllerDeleteData as eZ, WebhookEndpointControllerDeleteErrors as e_, TenantControllerUpdateTenantResponse as ea, TenantControllerUpdateTenantResponses as eb, TenantEntity as ec, TokenResponse as ed, TransactionData as ee, TrustList as ef, TrustListControllerCreateTrustListData as eg, TrustListControllerCreateTrustListResponse as eh, TrustListControllerCreateTrustListResponses as ei, TrustListControllerDeleteTrustListData as ej, TrustListControllerDeleteTrustListResponses as ek, TrustListControllerExportTrustListData as el, TrustListControllerExportTrustListResponse as em, TrustListControllerExportTrustListResponses as en, TrustListControllerGetAllTrustListsData as eo, TrustListControllerGetAllTrustListsResponse as ep, TrustListControllerGetAllTrustListsResponses as eq, TrustListControllerGetTrustListData as er, TrustListControllerGetTrustListResponse as es, TrustListControllerGetTrustListResponses as et, TrustListControllerGetTrustListVersionData as eu, TrustListControllerGetTrustListVersionResponse as ev, TrustListControllerGetTrustListVersionResponses as ew, TrustListControllerGetTrustListVersionsData as ex, TrustListControllerGetTrustListVersionsResponse as ey, TrustListControllerGetTrustListVersionsResponses as ez, AppControllerGetVersionResponses as f, WebhookEndpointControllerGetAllData as f0, WebhookEndpointControllerGetAllResponses as f1, WebhookEndpointControllerGetByIdData as f2, WebhookEndpointControllerGetByIdErrors as f3, WebhookEndpointControllerGetByIdResponses as f4, WebhookEndpointControllerUpdateData as f5, WebhookEndpointControllerUpdateErrors as f6, WebhookEndpointControllerUpdateResponses as f7, WebhookEndpointEntity as f8, AttestationBasedPolicy as g, AttributeProviderControllerCreateData as h, AttributeProviderControllerCreateResponses as i, AttributeProviderControllerDeleteData as j, AttributeProviderControllerDeleteErrors as k, AttributeProviderControllerDeleteResponses as l, AttributeProviderControllerGetAllData as m, AttributeProviderControllerGetAllResponses as n, AttributeProviderControllerGetByIdData as o, AttributeProviderControllerGetByIdErrors as p, AttributeProviderControllerGetByIdResponses as q, AttributeProviderControllerUpdateData as r, AttributeProviderControllerUpdateErrors as s, AttributeProviderControllerUpdateResponses as t, AttributeProviderEntity as u, AuthenticationMethodAuth as v, AuthenticationMethodNone as w, AuthenticationMethodPresentation as x, AuthenticationUrlConfig as y, AuthorizationResponse as z };