@omnibase/core-js 0.9.15 → 0.9.16

package/src/apis/V1TenantsApi.ts

@@ -2,9 +2,9 @@
 /* eslint-disable */
 /**
  * Omnibase REST API
- * Self-hostable Backend-as-a-Service providing database management, authentication, payments, storage, and email services.  ## Features - **Database**: PostgreSQL with RLS and migrations - **Authentication**: Ory Kratos integration with session management - **Payments**: Stripe integration with version-controlled billing configs - **Storage**: S3-compatible object storage with RLS - **Email**: Transactional email service - **Permissions**: Fine-grained access control via Ory Keto  ## Authentication Most endpoints require authentication via session cookies or JWT tokens. Use the appropriate security scheme based on the endpoint requirements.
+ * Self-hostable Backend-as-a-Service providing database management, authentication, payments, storage, and email services.  ## Features - **Database**: PostgreSQL with RLS and migrations - **Authentication**: Ory Kratos integration with session management - **Payments**: Stripe integration with version-controlled billing configs - **Storage**: S3-compatible object storage with RLS - **Email**: Transactional email service - **Permissions**: Fine-grained access control via Ory Keto  ## Authentication Most endpoints require authentication via session cookies or JWT tokens. Use the appropriate security scheme based on the endpoint requirements. 
  *
- * The version of the OpenAPI document: 0.9.15
+ * The version of the OpenAPI document: 0.9.16
  * Contact: support@omnibase.dev
  *
  * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech).
@@ -16,79 +16,76 @@
 import * as runtime from '../runtime';
 import type {
   AcceptInvite200Response,
+  AcceptInviteRequest,
   AddSubscription200Response,
-  AssignRole200Response,
+  AddSubscriptionRequest,
+  BadRequestResponse,
   CreateInvite200Response,
   CreateRole200Response,
-  CreateSubscription200Response,
+  CreateRoleRequest,
   CreateTenant200Response,
+  CreateTenantRequest,
+  CreateTenantUserInviteRequest,
   DeleteRole200Response,
   DeleteTenant200Response,
+  DeleteTenantUserRequest,
+  ErrorResponse,
+  ForbiddenResponse,
   GetRoleDefinitions200Response,
   GetTenantBillingStatus200Response,
   GetTenantJWT200Response,
-  HandlersBadRequestResponse,
-  HandlersForbiddenResponse,
-  HandlersInternalServerErrorResponse,
-  HandlersNotFoundErrorResponse,
-  HandlersSuccessResponse,
-  HandlersUnauthorizedResponse,
   ListRoles200Response,
   ListTenantSubscriptions200Response,
   ListTenantUsers200Response,
   RemoveSubscription200Response,
+  RemoveSubscriptionRequest,
+  SchemasConflictResponse,
+  SuccessResponse,
   SwitchActiveTenant200Response,
-  TenantsAcceptInviteRequest,
-  TenantsAddSubscriptionRequest,
-  TenantsAssignRoleRequest,
-  TenantsCreateRoleRequest,
-  TenantsCreateSubscriptionRequest,
-  TenantsCreateTenantRequest,
-  TenantsCreateTenantUserInviteRequest,
-  TenantsDeleteTenantUserRequest,
-  TenantsRemoveSubscriptionRequest,
-  TenantsSwitchTenantRequest,
-  TenantsUpdateRoleRequest,
-  TenantsUpdateTenantUserRoleRequest,
+  SwitchTenantRequest,
+  UpdateRoleRequest,
   UpdateTenantUserRole200Response,
+  UpdateTenantUserRoleRequest,
 } from '../models/index';
 import {
     AcceptInvite200ResponseFromJSON,
     AcceptInvite200ResponseToJSON,
+    AcceptInviteRequestFromJSON,
+    AcceptInviteRequestToJSON,
     AddSubscription200ResponseFromJSON,
     AddSubscription200ResponseToJSON,
-    AssignRole200ResponseFromJSON,
-    AssignRole200ResponseToJSON,
+    AddSubscriptionRequestFromJSON,
+    AddSubscriptionRequestToJSON,
+    BadRequestResponseFromJSON,
+    BadRequestResponseToJSON,
     CreateInvite200ResponseFromJSON,
     CreateInvite200ResponseToJSON,
     CreateRole200ResponseFromJSON,
     CreateRole200ResponseToJSON,
-    CreateSubscription200ResponseFromJSON,
-    CreateSubscription200ResponseToJSON,
+    CreateRoleRequestFromJSON,
+    CreateRoleRequestToJSON,
     CreateTenant200ResponseFromJSON,
     CreateTenant200ResponseToJSON,
+    CreateTenantRequestFromJSON,
+    CreateTenantRequestToJSON,
+    CreateTenantUserInviteRequestFromJSON,
+    CreateTenantUserInviteRequestToJSON,
     DeleteRole200ResponseFromJSON,
     DeleteRole200ResponseToJSON,
     DeleteTenant200ResponseFromJSON,
     DeleteTenant200ResponseToJSON,
+    DeleteTenantUserRequestFromJSON,
+    DeleteTenantUserRequestToJSON,
+    ErrorResponseFromJSON,
+    ErrorResponseToJSON,
+    ForbiddenResponseFromJSON,
+    ForbiddenResponseToJSON,
     GetRoleDefinitions200ResponseFromJSON,
     GetRoleDefinitions200ResponseToJSON,
     GetTenantBillingStatus200ResponseFromJSON,
     GetTenantBillingStatus200ResponseToJSON,
     GetTenantJWT200ResponseFromJSON,
     GetTenantJWT200ResponseToJSON,
-    HandlersBadRequestResponseFromJSON,
-    HandlersBadRequestResponseToJSON,
-    HandlersForbiddenResponseFromJSON,
-    HandlersForbiddenResponseToJSON,
-    HandlersInternalServerErrorResponseFromJSON,
-    HandlersInternalServerErrorResponseToJSON,
-    HandlersNotFoundErrorResponseFromJSON,
-    HandlersNotFoundErrorResponseToJSON,
-    HandlersSuccessResponseFromJSON,
-    HandlersSuccessResponseToJSON,
-    HandlersUnauthorizedResponseFromJSON,
-    HandlersUnauthorizedResponseToJSON,
     ListRoles200ResponseFromJSON,
     ListRoles200ResponseToJSON,
     ListTenantSubscriptions200ResponseFromJSON,
@@ -97,88 +94,99 @@ import {
     ListTenantUsers200ResponseToJSON,
     RemoveSubscription200ResponseFromJSON,
     RemoveSubscription200ResponseToJSON,
+    RemoveSubscriptionRequestFromJSON,
+    RemoveSubscriptionRequestToJSON,
+    SchemasConflictResponseFromJSON,
+    SchemasConflictResponseToJSON,
+    SuccessResponseFromJSON,
+    SuccessResponseToJSON,
     SwitchActiveTenant200ResponseFromJSON,
     SwitchActiveTenant200ResponseToJSON,
-    TenantsAcceptInviteRequestFromJSON,
-    TenantsAcceptInviteRequestToJSON,
-    TenantsAddSubscriptionRequestFromJSON,
-    TenantsAddSubscriptionRequestToJSON,
-    TenantsAssignRoleRequestFromJSON,
-    TenantsAssignRoleRequestToJSON,
-    TenantsCreateRoleRequestFromJSON,
-    TenantsCreateRoleRequestToJSON,
-    TenantsCreateSubscriptionRequestFromJSON,
-    TenantsCreateSubscriptionRequestToJSON,
-    TenantsCreateTenantRequestFromJSON,
-    TenantsCreateTenantRequestToJSON,
-    TenantsCreateTenantUserInviteRequestFromJSON,
-    TenantsCreateTenantUserInviteRequestToJSON,
-    TenantsDeleteTenantUserRequestFromJSON,
-    TenantsDeleteTenantUserRequestToJSON,
-    TenantsRemoveSubscriptionRequestFromJSON,
-    TenantsRemoveSubscriptionRequestToJSON,
-    TenantsSwitchTenantRequestFromJSON,
-    TenantsSwitchTenantRequestToJSON,
-    TenantsUpdateRoleRequestFromJSON,
-    TenantsUpdateRoleRequestToJSON,
-    TenantsUpdateTenantUserRoleRequestFromJSON,
-    TenantsUpdateTenantUserRoleRequestToJSON,
+    SwitchTenantRequestFromJSON,
+    SwitchTenantRequestToJSON,
+    UpdateRoleRequestFromJSON,
+    UpdateRoleRequestToJSON,
     UpdateTenantUserRole200ResponseFromJSON,
     UpdateTenantUserRole200ResponseToJSON,
+    UpdateTenantUserRoleRequestFromJSON,
+    UpdateTenantUserRoleRequestToJSON,
 } from '../models/index';
 
-export interface AcceptInviteRequest {
-    request: TenantsAcceptInviteRequest;
+export interface AcceptInviteOperationRequest {
+    acceptInviteRequest: AcceptInviteRequest;
+    xUserId?: string;
 }
 
-export interface AddSubscriptionRequest {
-    request: TenantsAddSubscriptionRequest;
+export interface AddSubscriptionOperationRequest {
+    addSubscriptionRequest: AddSubscriptionRequest;
 }
 
-export interface AssignRoleRequest {
-    userId: string;
-    request: TenantsAssignRoleRequest;
+export interface CreateInviteRequest {
+    createTenantUserInviteRequest: CreateTenantUserInviteRequest;
+    xUserId?: string;
+    xTenantId?: string;
 }
 
-export interface CreateInviteRequest {
-    request: TenantsCreateTenantUserInviteRequest;
+export interface CreateRoleOperationRequest {
+    createRoleRequest: CreateRoleRequest;
+    xUserId?: string;
+    xTenantId?: string;
 }
 
-export interface CreateRoleRequest {
-    request: TenantsCreateRoleRequest;
+export interface CreateTenantOperationRequest {
+    createTenantRequest: CreateTenantRequest;
+    xUserId?: string;
 }
 
-export interface CreateSubscriptionRequest {
-    request: TenantsCreateSubscriptionRequest;
+export interface DeleteRoleRequest {
+    roleId: string;
+    xUserId?: string;
+    xTenantId?: string;
 }
 
-export interface CreateTenantRequest {
-    request: TenantsCreateTenantRequest;
+export interface DeleteTenantRequest {
+    xUserId?: string;
+    xTenantId?: string;
 }
 
-export interface DeleteRoleRequest {
-    roleId: string;
+export interface GetTenantJWTRequest {
+    xUserId?: string;
+    xTenantId?: string;
 }
 
-export interface RemoveSubscriptionRequest {
-    request: TenantsRemoveSubscriptionRequest;
+export interface ListRolesRequest {
+    xTenantId?: string;
+}
+
+export interface ListTenantUsersRequest {
+    xUserId?: string;
+    xTenantId?: string;
+}
+
+export interface RemoveSubscriptionOperationRequest {
+    removeSubscriptionRequest: RemoveSubscriptionRequest;
 }
 
 export interface RemoveTenantUserRequest {
-    request: TenantsDeleteTenantUserRequest;
+    deleteTenantUserRequest: DeleteTenantUserRequest;
 }
 
 export interface SwitchActiveTenantRequest {
-    request: TenantsSwitchTenantRequest;
+    switchTenantRequest: SwitchTenantRequest;
+    xUserId?: string;
 }
 
-export interface UpdateRoleRequest {
+export interface UpdateRoleOperationRequest {
     roleId: string;
-    request: TenantsUpdateRoleRequest;
+    updateRoleRequest: UpdateRoleRequest;
+    xUserId?: string;
+    xTenantId?: string;
 }
 
-export interface UpdateTenantUserRoleRequest {
-    request: TenantsUpdateTenantUserRoleRequest;
+export interface UpdateTenantUserRoleOperationRequest {
+    updateTenantUserRoleRequest: UpdateTenantUserRoleRequest;
+    xUserId?: string;
+    xTenantId?: string;
 }
 
 /**
@@ -187,14 +195,14 @@ export interface UpdateTenantUserRoleRequest {
 export class V1TenantsApi extends runtime.BaseAPI {
 
     /**
-     * Accepts a tenant invitation using the token from the invite email and adds the user to the organization.  ## Authentication Requires JWT token. User\'s email must match the invite email.  ## Process 1. Validates invite token and expiry 2. Verifies user\'s email matches invite email 3. Marks invite as used 4. Adds user to tenant 5. Assigns role with permissions 6. Sets as active tenant and returns JWT token
+     * Accepts a tenant invitation using the token from the invite email and adds the user to the organization.  ## Authentication - **Session Auth**: Requires JWT token / Cookie Session - User\'s email must match the invite email - **Service Key Auth**: Requires X-Service-Key + X-User-ID header  ## Process 1. Validates invite token and expiry 2. Verifies user\'s email matches invite email 3. Marks invite as used 4. Adds user to tenant 5. Assigns role with permissions 6. Sets as active tenant and returns JWT token 
      * Accept tenant invite
      */
-    async acceptInviteRaw(requestParameters: AcceptInviteRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<AcceptInvite200Response>> {
-        if (requestParameters['request'] == null) {
+    async acceptInviteRaw(requestParameters: AcceptInviteOperationRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<AcceptInvite200Response>> {
+        if (requestParameters['acceptInviteRequest'] == null) {
             throw new runtime.RequiredError(
-                'request',
-                'Required parameter "request" was null or undefined when calling acceptInvite().'
+                'acceptInviteRequest',
+                'Required parameter "acceptInviteRequest" was null or undefined when calling acceptInvite().'
             );
         }
 
@@ -204,8 +212,16 @@ export class V1TenantsApi extends runtime.BaseAPI {
 
         headerParameters['Content-Type'] = 'application/json';
 
+        if (requestParameters['xUserId'] != null) {
+            headerParameters['X-User-Id'] = String(requestParameters['xUserId']);
+        }
+
         if (this.configuration && this.configuration.apiKey) {
-            headerParameters["Authorization"] = await this.configuration.apiKey("Authorization"); // BearerAuth authentication
+            headerParameters["X-Service-Key"] = await this.configuration.apiKey("X-Service-Key"); // ServiceKeyAuth authentication
+        }
+
+        if (this.configuration && this.configuration.apiKey) {
+            headerParameters["X-Session-Token"] = await this.configuration.apiKey("X-Session-Token"); // SessionTokenAuth authentication
         }
 
 
@@ -216,30 +232,30 @@ export class V1TenantsApi extends runtime.BaseAPI {
             method: 'PUT',
             headers: headerParameters,
             query: queryParameters,
-            body: TenantsAcceptInviteRequestToJSON(requestParameters['request']),
+            body: AcceptInviteRequestToJSON(requestParameters['acceptInviteRequest']),
         }, initOverrides);
 
         return new runtime.JSONApiResponse(response, (jsonValue) => AcceptInvite200ResponseFromJSON(jsonValue));
     }
 
     /**
-     * Accepts a tenant invitation using the token from the invite email and adds the user to the organization.  ## Authentication Requires JWT token. User\'s email must match the invite email.  ## Process 1. Validates invite token and expiry 2. Verifies user\'s email matches invite email 3. Marks invite as used 4. Adds user to tenant 5. Assigns role with permissions 6. Sets as active tenant and returns JWT token
+     * Accepts a tenant invitation using the token from the invite email and adds the user to the organization.  ## Authentication - **Session Auth**: Requires JWT token / Cookie Session - User\'s email must match the invite email - **Service Key Auth**: Requires X-Service-Key + X-User-ID header  ## Process 1. Validates invite token and expiry 2. Verifies user\'s email matches invite email 3. Marks invite as used 4. Adds user to tenant 5. Assigns role with permissions 6. Sets as active tenant and returns JWT token 
      * Accept tenant invite
      */
-    async acceptInvite(requestParameters: AcceptInviteRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<AcceptInvite200Response> {
+    async acceptInvite(requestParameters: AcceptInviteOperationRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<AcceptInvite200Response> {
         const response = await this.acceptInviteRaw(requestParameters, initOverrides);
         return await response.value();
     }
 
     /**
-     * Adds a Stripe subscription for the authenticated tenant using the provided plan ID.  ## Authentication Requires JWT token with tenant context.  ## Request Parameters - **plan_id** (required): The configuration item ID (e.g., \"neon_compute_starter\") that maps to a Stripe price - **stripe_customer_id** (optional): Override tenant\'s Stripe customer ID if needed  ## Process Flow 1. Validates the plan_id and maps it to a Stripe price_id via the stripe_id_mappings table 2. Resolves the Stripe customer ID from the authenticated tenant (or uses provided stripe_customer_id) 3. Checks if subscription already exists for this plan to prevent duplicates 4. Creates the subscription in Stripe with the specified price 5. Returns the subscription ID and status  ## Notes - If a subscription for this plan already exists, returns a 400 error - The subscription is created immediately and begins billing  ## Use Cases - Subscribe tenant to metered pricing plans (compute, storage, workers) - Enable usage-based billing for resources - Add additional services to tenant\'s billing
+     * Adds a Stripe subscription for the authenticated tenant using the provided plan ID.  ## Authentication Requires JWT token with tenant context.  ## Request Parameters - **plan_id** (required): The configuration item ID (e.g., \"neon_compute_starter\") that maps to a Stripe price - **stripe_customer_id** (optional): Override tenant\'s Stripe customer ID if needed  ## Process Flow 1. Validates the plan_id and maps it to a Stripe price_id via the stripe_id_mappings table 2. Resolves the Stripe customer ID from the authenticated tenant (or uses provided stripe_customer_id) 3. Checks if subscription already exists for this plan to prevent duplicates 4. Creates the subscription in Stripe with the specified price 5. Returns the subscription ID and status  ## Notes - If a subscription for this plan already exists, returns a 400 error - The subscription is created immediately and begins billing  ## Use Cases - Subscribe tenant to metered pricing plans (compute, storage, workers) - Enable usage-based billing for resources - Add additional services to tenant\'s billing 
      * Add subscription
      */
-    async addSubscriptionRaw(requestParameters: AddSubscriptionRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<AddSubscription200Response>> {
-        if (requestParameters['request'] == null) {
+    async addSubscriptionRaw(requestParameters: AddSubscriptionOperationRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<AddSubscription200Response>> {
+        if (requestParameters['addSubscriptionRequest'] == null) {
             throw new runtime.RequiredError(
-                'request',
-                'Required parameter "request" was null or undefined when calling addSubscription().'
+                'addSubscriptionRequest',
+                'Required parameter "addSubscriptionRequest" was null or undefined when calling addSubscription().'
             );
         }
 
@@ -250,48 +266,45 @@ export class V1TenantsApi extends runtime.BaseAPI {
         headerParameters['Content-Type'] = 'application/json';
 
         if (this.configuration && this.configuration.apiKey) {
-            headerParameters["Authorization"] = await this.configuration.apiKey("Authorization"); // BearerAuth authentication
+            headerParameters["X-Service-Key"] = await this.configuration.apiKey("X-Service-Key"); // ServiceKeyAuth authentication
+        }
+
+        if (this.configuration && this.configuration.apiKey) {
+            headerParameters["X-Session-Token"] = await this.configuration.apiKey("X-Session-Token"); // SessionTokenAuth authentication
         }
 
 
-        let urlPath = `/api/v1/payments/subscription/add`;
+        let urlPath = `/api/v1/tenants/subscriptions`;
 
         const response = await this.request({
             path: urlPath,
             method: 'POST',
             headers: headerParameters,
             query: queryParameters,
-            body: TenantsAddSubscriptionRequestToJSON(requestParameters['request']),
+            body: AddSubscriptionRequestToJSON(requestParameters['addSubscriptionRequest']),
         }, initOverrides);
 
         return new runtime.JSONApiResponse(response, (jsonValue) => AddSubscription200ResponseFromJSON(jsonValue));
     }
 
     /**
-     * Adds a Stripe subscription for the authenticated tenant using the provided plan ID.  ## Authentication Requires JWT token with tenant context.  ## Request Parameters - **plan_id** (required): The configuration item ID (e.g., \"neon_compute_starter\") that maps to a Stripe price - **stripe_customer_id** (optional): Override tenant\'s Stripe customer ID if needed  ## Process Flow 1. Validates the plan_id and maps it to a Stripe price_id via the stripe_id_mappings table 2. Resolves the Stripe customer ID from the authenticated tenant (or uses provided stripe_customer_id) 3. Checks if subscription already exists for this plan to prevent duplicates 4. Creates the subscription in Stripe with the specified price 5. Returns the subscription ID and status  ## Notes - If a subscription for this plan already exists, returns a 400 error - The subscription is created immediately and begins billing  ## Use Cases - Subscribe tenant to metered pricing plans (compute, storage, workers) - Enable usage-based billing for resources - Add additional services to tenant\'s billing
+     * Adds a Stripe subscription for the authenticated tenant using the provided plan ID.  ## Authentication Requires JWT token with tenant context.  ## Request Parameters - **plan_id** (required): The configuration item ID (e.g., \"neon_compute_starter\") that maps to a Stripe price - **stripe_customer_id** (optional): Override tenant\'s Stripe customer ID if needed  ## Process Flow 1. Validates the plan_id and maps it to a Stripe price_id via the stripe_id_mappings table 2. Resolves the Stripe customer ID from the authenticated tenant (or uses provided stripe_customer_id) 3. Checks if subscription already exists for this plan to prevent duplicates 4. Creates the subscription in Stripe with the specified price 5. Returns the subscription ID and status  ## Notes - If a subscription for this plan already exists, returns a 400 error - The subscription is created immediately and begins billing  ## Use Cases - Subscribe tenant to metered pricing plans (compute, storage, workers) - Enable usage-based billing for resources - Add additional services to tenant\'s billing 
      * Add subscription
      */
-    async addSubscription(requestParameters: AddSubscriptionRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<AddSubscription200Response> {
+    async addSubscription(requestParameters: AddSubscriptionOperationRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<AddSubscription200Response> {
         const response = await this.addSubscriptionRaw(requestParameters, initOverrides);
         return await response.value();
     }
 
     /**
-     * Assigns a role to a user and creates all associated Keto relationships for the role\'s permissions.  ## Authentication Requires JWT token with tenant context and appropriate permissions.  ## Request Format Provide either `role_id` or `role_name` (not both).  ## Use Cases - Grant role to user - Assign permissions via role - User onboarding
-     * Assign role to user
+     * Creates a tenant invitation with a 7-day expiry token and sends an email to the invited user.  ## Authentication - **Session Auth**: Requires JWT token / Cookie Session with `invite_user` permission - **Service Key Auth**: Requires X-Service-Key + X-Tenant-ID + X-User-ID headers with `invite_user` permission  ## Process 1. Verifies user has invite permission 2. Creates invite with unique token (7-day expiry) 3. Sends invitation email asynchronously  ## Use Cases - Add team members to organization - Invite collaborators with specific roles 
+     * Create tenant invite
      */
-    async assignRoleRaw(requestParameters: AssignRoleRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<AssignRole200Response>> {
-        if (requestParameters['userId'] == null) {
-            throw new runtime.RequiredError(
-                'userId',
-                'Required parameter "userId" was null or undefined when calling assignRole().'
-            );
-        }
-
-        if (requestParameters['request'] == null) {
+    async createInviteRaw(requestParameters: CreateInviteRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<CreateInvite200Response>> {
+        if (requestParameters['createTenantUserInviteRequest'] == null) {
             throw new runtime.RequiredError(
-                'request',
-                'Required parameter "request" was null or undefined when calling assignRole().'
+                'createTenantUserInviteRequest',
+                'Required parameter "createTenantUserInviteRequest" was null or undefined when calling createInvite().'
             );
         }
 
@@ -301,54 +314,20 @@ export class V1TenantsApi extends runtime.BaseAPI {
 
         headerParameters['Content-Type'] = 'application/json';
 
-        if (this.configuration && this.configuration.apiKey) {
-            headerParameters["Authorization"] = await this.configuration.apiKey("Authorization"); // BearerAuth authentication
+        if (requestParameters['xUserId'] != null) {
+            headerParameters['X-User-Id'] = String(requestParameters['xUserId']);
         }
 
-
-        let urlPath = `/api/v1/tenants/roles/assign/{user_id}`;
-        urlPath = urlPath.replace(`{${"user_id"}}`, encodeURIComponent(String(requestParameters['userId'])));
-
-        const response = await this.request({
-            path: urlPath,
-            method: 'POST',
-            headers: headerParameters,
-            query: queryParameters,
-            body: TenantsAssignRoleRequestToJSON(requestParameters['request']),
-        }, initOverrides);
-
-        return new runtime.JSONApiResponse(response, (jsonValue) => AssignRole200ResponseFromJSON(jsonValue));
-    }
-
-    /**
-     * Assigns a role to a user and creates all associated Keto relationships for the role\'s permissions.  ## Authentication Requires JWT token with tenant context and appropriate permissions.  ## Request Format Provide either `role_id` or `role_name` (not both).  ## Use Cases - Grant role to user - Assign permissions via role - User onboarding
-     * Assign role to user
-     */
-    async assignRole(requestParameters: AssignRoleRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<AssignRole200Response> {
-        const response = await this.assignRoleRaw(requestParameters, initOverrides);
-        return await response.value();
-    }
-
-    /**
-     * Creates a tenant invitation with a 7-day expiry token and sends an email to the invited user.  ## Authentication Requires JWT token with `invite_user` permission.  ## Process 1. Verifies user has invite permission 2. Creates invite with unique token (7-day expiry) 3. Sends invitation email asynchronously  ## Use Cases - Add team members to organization - Invite collaborators with specific roles
-     * Create tenant invite
-     */
-    async createInviteRaw(requestParameters: CreateInviteRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<CreateInvite200Response>> {
-        if (requestParameters['request'] == null) {
-            throw new runtime.RequiredError(
-                'request',
-                'Required parameter "request" was null or undefined when calling createInvite().'
-            );
+        if (requestParameters['xTenantId'] != null) {
+            headerParameters['X-Tenant-Id'] = String(requestParameters['xTenantId']);
         }
 
-        const queryParameters: any = {};
-
-        const headerParameters: runtime.HTTPHeaders = {};
-
-        headerParameters['Content-Type'] = 'application/json';
+        if (this.configuration && this.configuration.apiKey) {
+            headerParameters["X-Service-Key"] = await this.configuration.apiKey("X-Service-Key"); // ServiceKeyAuth authentication
+        }
 
         if (this.configuration && this.configuration.apiKey) {
-            headerParameters["Authorization"] = await this.configuration.apiKey("Authorization"); // BearerAuth authentication
+            headerParameters["X-Session-Token"] = await this.configuration.apiKey("X-Session-Token"); // SessionTokenAuth authentication
         }
 
 
@@ -359,14 +338,14 @@ export class V1TenantsApi extends runtime.BaseAPI {
             method: 'POST',
             headers: headerParameters,
             query: queryParameters,
-            body: TenantsCreateTenantUserInviteRequestToJSON(requestParameters['request']),
+            body: CreateTenantUserInviteRequestToJSON(requestParameters['createTenantUserInviteRequest']),
         }, initOverrides);
 
         return new runtime.JSONApiResponse(response, (jsonValue) => CreateInvite200ResponseFromJSON(jsonValue));
     }
 
     /**
-     * Creates a tenant invitation with a 7-day expiry token and sends an email to the invited user.  ## Authentication Requires JWT token with `invite_user` permission.  ## Process 1. Verifies user has invite permission 2. Creates invite with unique token (7-day expiry) 3. Sends invitation email asynchronously  ## Use Cases - Add team members to organization - Invite collaborators with specific roles
+     * Creates a tenant invitation with a 7-day expiry token and sends an email to the invited user.  ## Authentication - **Session Auth**: Requires JWT token / Cookie Session with `invite_user` permission - **Service Key Auth**: Requires X-Service-Key + X-Tenant-ID + X-User-ID headers with `invite_user` permission  ## Process 1. Verifies user has invite permission 2. Creates invite with unique token (7-day expiry) 3. Sends invitation email asynchronously  ## Use Cases - Add team members to organization - Invite collaborators with specific roles 
      * Create tenant invite
      */
     async createInvite(requestParameters: CreateInviteRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<CreateInvite200Response> {
@@ -375,14 +354,14 @@ export class V1TenantsApi extends runtime.BaseAPI {
     }
 
     /**
-     * Creates a new custom role for the tenant with specified permissions.  ## Authentication Requires JWT token with tenant context and appropriate permissions.  ## Permission Format Permissions should be in the format: `namespace:resource#relation` - Tenant-wide: `tenant#relation` - Resource-specific: `project:uuid#relation`  ## Use Cases - Create custom roles for specific workflows - Define project-specific permissions - Build granular access control
+     * Creates a new custom role for the tenant with specified permissions.  ## Authentication - **Session Auth**: Requires JWT token / Cookie Session with tenant context and appropriate permissions - **Service Key Auth**: Requires X-Service-Key + X-Tenant-ID + X-User-ID headers with appropriate permissions  ## Permission Format Permissions should be in the format: `namespace:resource#relation` - Tenant-wide: `tenant#relation` - Resource-specific: `project:uuid#relation`  ## Use Cases - Create custom roles for specific workflows - Define project-specific permissions - Build granular access control 
      * Create role
      */
-    async createRoleRaw(requestParameters: CreateRoleRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<CreateRole200Response>> {
-        if (requestParameters['request'] == null) {
+    async createRoleRaw(requestParameters: CreateRoleOperationRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<CreateRole200Response>> {
+        if (requestParameters['createRoleRequest'] == null) {
             throw new runtime.RequiredError(
-                'request',
-                'Required parameter "request" was null or undefined when calling createRole().'
+                'createRoleRequest',
+                'Required parameter "createRoleRequest" was null or undefined when calling createRole().'
             );
         }
 
@@ -392,8 +371,20 @@ export class V1TenantsApi extends runtime.BaseAPI {
 
         headerParameters['Content-Type'] = 'application/json';
 
+        if (requestParameters['xUserId'] != null) {
+            headerParameters['X-User-Id'] = String(requestParameters['xUserId']);
+        }
+
+        if (requestParameters['xTenantId'] != null) {
+            headerParameters['X-Tenant-Id'] = String(requestParameters['xTenantId']);
+        }
+
+        if (this.configuration && this.configuration.apiKey) {
+            headerParameters["X-Service-Key"] = await this.configuration.apiKey("X-Service-Key"); // ServiceKeyAuth authentication
+        }
+
         if (this.configuration && this.configuration.apiKey) {
-            headerParameters["Authorization"] = await this.configuration.apiKey("Authorization"); // BearerAuth authentication
+            headerParameters["X-Session-Token"] = await this.configuration.apiKey("X-Session-Token"); // SessionTokenAuth authentication
         }
 
 
@@ -404,30 +395,30 @@ export class V1TenantsApi extends runtime.BaseAPI {
             method: 'POST',
             headers: headerParameters,
             query: queryParameters,
-            body: TenantsCreateRoleRequestToJSON(requestParameters['request']),
+            body: CreateRoleRequestToJSON(requestParameters['createRoleRequest']),
         }, initOverrides);
 
         return new runtime.JSONApiResponse(response, (jsonValue) => CreateRole200ResponseFromJSON(jsonValue));
     }
 
     /**
-     * Creates a new custom role for the tenant with specified permissions.  ## Authentication Requires JWT token with tenant context and appropriate permissions.  ## Permission Format Permissions should be in the format: `namespace:resource#relation` - Tenant-wide: `tenant#relation` - Resource-specific: `project:uuid#relation`  ## Use Cases - Create custom roles for specific workflows - Define project-specific permissions - Build granular access control
+     * Creates a new custom role for the tenant with specified permissions.  ## Authentication - **Session Auth**: Requires JWT token / Cookie Session with tenant context and appropriate permissions - **Service Key Auth**: Requires X-Service-Key + X-Tenant-ID + X-User-ID headers with appropriate permissions  ## Permission Format Permissions should be in the format: `namespace:resource#relation` - Tenant-wide: `tenant#relation` - Resource-specific: `project:uuid#relation`  ## Use Cases - Create custom roles for specific workflows - Define project-specific permissions - Build granular access control 
      * Create role
      */
-    async createRole(requestParameters: CreateRoleRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<CreateRole200Response> {
+    async createRole(requestParameters: CreateRoleOperationRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<CreateRole200Response> {
         const response = await this.createRoleRaw(requestParameters, initOverrides);
         return await response.value();
     }
 
     /**
-     * Creates a Stripe subscription for the authenticated tenant using the provided plan ID.  ## Authentication Requires JWT token with tenant context.  ## Request Parameters - **plan_id** (required): The configuration item ID (e.g., \"neon_compute_starter\") that maps to a Stripe price - **stripe_customer_id** (optional): Override tenant\'s Stripe customer ID if needed  ## Process Flow 1. Validates the plan_id and maps it to a Stripe price_id via the stripe_id_mappings table 2. Resolves the Stripe customer ID from the authenticated tenant (or uses provided stripe_customer_id) 3. Creates the subscription in Stripe with the specified price 4. Returns the subscription ID and status  ## Use Cases - Subscribe tenant to metered pricing plans (compute, storage, workers) - Enable usage-based billing for resources - Add additional services to tenant\'s billing
-     * Create subscription
+     * Creates a new tenant organization with Stripe customer, sets up owner role, and makes it the active tenant for the creator.  ## Authentication - **Session Auth**: Requires JWT token / Cookie Session (user_id extracted from session) - **Service Key Auth**: Requires X-Service-Key + X-User-ID headers  ## Service Key Usage When using service key authentication, provide the user_id via the X-User-ID header. The user_id must be a valid UUID matching an existing Kratos identity.  ## Process 1. Creates Stripe customer (if billing_email provided) 2. Creates tenant in database 3. Sets up default tenant settings 4. Adds creator as owner 5. Assigns owner role with all permissions 6. Sets as active tenant and returns JWT token 
+     * Create tenant
      */
-    async createSubscriptionRaw(requestParameters: CreateSubscriptionRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<CreateSubscription200Response>> {
-        if (requestParameters['request'] == null) {
+    async createTenantRaw(requestParameters: CreateTenantOperationRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<CreateTenant200Response>> {
+        if (requestParameters['createTenantRequest'] == null) {
             throw new runtime.RequiredError(
-                'request',
-                'Required parameter "request" was null or undefined when calling createSubscription().'
+                'createTenantRequest',
+                'Required parameter "createTenantRequest" was null or undefined when calling createTenant().'
             );
         }
 
@@ -437,53 +428,16 @@ export class V1TenantsApi extends runtime.BaseAPI {
 
         headerParameters['Content-Type'] = 'application/json';
 
-        if (this.configuration && this.configuration.apiKey) {
-            headerParameters["Authorization"] = await this.configuration.apiKey("Authorization"); // BearerAuth authentication
+        if (requestParameters['xUserId'] != null) {
+            headerParameters['X-User-Id'] = String(requestParameters['xUserId']);
         }
 
-
-        let urlPath = `/api/v1/payments/subscription`;
-
-        const response = await this.request({
-            path: urlPath,
-            method: 'POST',
-            headers: headerParameters,
-            query: queryParameters,
-            body: TenantsCreateSubscriptionRequestToJSON(requestParameters['request']),
-        }, initOverrides);
-
-        return new runtime.JSONApiResponse(response, (jsonValue) => CreateSubscription200ResponseFromJSON(jsonValue));
-    }
-
-    /**
-     * Creates a Stripe subscription for the authenticated tenant using the provided plan ID.  ## Authentication Requires JWT token with tenant context.  ## Request Parameters - **plan_id** (required): The configuration item ID (e.g., \"neon_compute_starter\") that maps to a Stripe price - **stripe_customer_id** (optional): Override tenant\'s Stripe customer ID if needed  ## Process Flow 1. Validates the plan_id and maps it to a Stripe price_id via the stripe_id_mappings table 2. Resolves the Stripe customer ID from the authenticated tenant (or uses provided stripe_customer_id) 3. Creates the subscription in Stripe with the specified price 4. Returns the subscription ID and status  ## Use Cases - Subscribe tenant to metered pricing plans (compute, storage, workers) - Enable usage-based billing for resources - Add additional services to tenant\'s billing
-     * Create subscription
-     */
-    async createSubscription(requestParameters: CreateSubscriptionRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<CreateSubscription200Response> {
-        const response = await this.createSubscriptionRaw(requestParameters, initOverrides);
-        return await response.value();
-    }
-
-    /**
-     * Creates a new tenant organization with Stripe customer, sets up owner role, and makes it the active tenant for the creator.  ## Authentication Requires JWT token.  ## Process 1. Creates Stripe customer (if billing_email provided) 2. Creates tenant in database 3. Sets up default tenant settings 4. Adds creator as owner 5. Assigns owner role with all permissions 6. Sets as active tenant and returns JWT token
-     * Create tenant
-     */
-    async createTenantRaw(requestParameters: CreateTenantRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<CreateTenant200Response>> {
-        if (requestParameters['request'] == null) {
-            throw new runtime.RequiredError(
-                'request',
-                'Required parameter "request" was null or undefined when calling createTenant().'
-            );
+        if (this.configuration && this.configuration.apiKey) {
+            headerParameters["X-Service-Key"] = await this.configuration.apiKey("X-Service-Key"); // ServiceKeyAuth authentication
         }
 
-        const queryParameters: any = {};
-
-        const headerParameters: runtime.HTTPHeaders = {};
-
-        headerParameters['Content-Type'] = 'application/json';
-
         if (this.configuration && this.configuration.apiKey) {
-            headerParameters["Authorization"] = await this.configuration.apiKey("Authorization"); // BearerAuth authentication
+            headerParameters["X-Session-Token"] = await this.configuration.apiKey("X-Session-Token"); // SessionTokenAuth authentication
         }
 
 
@@ -494,23 +448,23 @@ export class V1TenantsApi extends runtime.BaseAPI {
             method: 'POST',
             headers: headerParameters,
             query: queryParameters,
-            body: TenantsCreateTenantRequestToJSON(requestParameters['request']),
+            body: CreateTenantRequestToJSON(requestParameters['createTenantRequest']),
         }, initOverrides);
 
         return new runtime.JSONApiResponse(response, (jsonValue) => CreateTenant200ResponseFromJSON(jsonValue));
     }
 
     /**
-     * Creates a new tenant organization with Stripe customer, sets up owner role, and makes it the active tenant for the creator.  ## Authentication Requires JWT token.  ## Process 1. Creates Stripe customer (if billing_email provided) 2. Creates tenant in database 3. Sets up default tenant settings 4. Adds creator as owner 5. Assigns owner role with all permissions 6. Sets as active tenant and returns JWT token
+     * Creates a new tenant organization with Stripe customer, sets up owner role, and makes it the active tenant for the creator.  ## Authentication - **Session Auth**: Requires JWT token / Cookie Session (user_id extracted from session) - **Service Key Auth**: Requires X-Service-Key + X-User-ID headers  ## Service Key Usage When using service key authentication, provide the user_id via the X-User-ID header. The user_id must be a valid UUID matching an existing Kratos identity.  ## Process 1. Creates Stripe customer (if billing_email provided) 2. Creates tenant in database 3. Sets up default tenant settings 4. Adds creator as owner 5. Assigns owner role with all permissions 6. Sets as active tenant and returns JWT token 
      * Create tenant
      */
-    async createTenant(requestParameters: CreateTenantRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<CreateTenant200Response> {
+    async createTenant(requestParameters: CreateTenantOperationRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<CreateTenant200Response> {
         const response = await this.createTenantRaw(requestParameters, initOverrides);
         return await response.value();
     }
 
     /**
-     * Deletes a role and removes all associated Keto relationships for users who had this role assigned.  ## Authentication Requires JWT token with tenant context and appropriate permissions.  ## Use Cases - Remove obsolete roles - Clean up role definitions - Revoke all permissions from role users
+     * Deletes a role and removes all associated Keto relationships for users who had this role assigned.  ## Authentication - **Session Auth**: Requires JWT token / Cookie Session with tenant context and appropriate permissions - **Service Key Auth**: Requires X-Service-Key + X-Tenant-ID + X-User-ID headers with appropriate permissions  ## Use Cases - Remove obsolete roles - Clean up role definitions - Revoke all permissions from role users 
      * Delete role
      */
     async deleteRoleRaw(requestParameters: DeleteRoleRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<DeleteRole200Response>> {
@@ -525,8 +479,20 @@ export class V1TenantsApi extends runtime.BaseAPI {
 
         const headerParameters: runtime.HTTPHeaders = {};
 
+        if (requestParameters['xUserId'] != null) {
+            headerParameters['X-User-Id'] = String(requestParameters['xUserId']);
+        }
+
+        if (requestParameters['xTenantId'] != null) {
+            headerParameters['X-Tenant-Id'] = String(requestParameters['xTenantId']);
+        }
+
         if (this.configuration && this.configuration.apiKey) {
-            headerParameters["Authorization"] = await this.configuration.apiKey("Authorization"); // BearerAuth authentication
+            headerParameters["X-Service-Key"] = await this.configuration.apiKey("X-Service-Key"); // ServiceKeyAuth authentication
+        }
+
+        if (this.configuration && this.configuration.apiKey) {
+            headerParameters["X-Session-Token"] = await this.configuration.apiKey("X-Session-Token"); // SessionTokenAuth authentication
         }
 
 
@@ -544,7 +510,7 @@ export class V1TenantsApi extends runtime.BaseAPI {
     }
 
     /**
-     * Deletes a role and removes all associated Keto relationships for users who had this role assigned.  ## Authentication Requires JWT token with tenant context and appropriate permissions.  ## Use Cases - Remove obsolete roles - Clean up role definitions - Revoke all permissions from role users
+     * Deletes a role and removes all associated Keto relationships for users who had this role assigned.  ## Authentication - **Session Auth**: Requires JWT token / Cookie Session with tenant context and appropriate permissions - **Service Key Auth**: Requires X-Service-Key + X-Tenant-ID + X-User-ID headers with appropriate permissions  ## Use Cases - Remove obsolete roles - Clean up role definitions - Revoke all permissions from role users 
      * Delete role
      */
     async deleteRole(requestParameters: DeleteRoleRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<DeleteRole200Response> {
@@ -553,16 +519,28 @@ export class V1TenantsApi extends runtime.BaseAPI {
     }
 
     /**
-     * Deletes a tenant organization and performs cleanup of Stripe customer, Keto permissions, and user associations.  ## Authentication Requires JWT token with `delete_tenant` permission.  ## Process 1. Verifies user has delete permission 2. Archives Stripe customer 3. Deletes tenant (cascades to users, settings, invites) 4. Cleans up all affected users\' tenant state
+     * Deletes a tenant organization and performs cleanup of Stripe customer, Keto permissions, and user associations.  ## Authentication - **Session Auth**: Requires JWT token / Cookie Session with `delete_tenant` permission - **Service Key Auth**: Requires X-Service-Key + X-Tenant-ID + X-User-ID headers with `delete_tenant` permission  ## Process 1. Verifies user has delete permission 2. Archives Stripe customer 3. Deletes tenant (cascades to users, settings, invites) 4. Cleans up all affected users\' tenant state 
      * Delete tenant
      */
-    async deleteTenantRaw(initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<DeleteTenant200Response>> {
+    async deleteTenantRaw(requestParameters: DeleteTenantRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<DeleteTenant200Response>> {
         const queryParameters: any = {};
 
         const headerParameters: runtime.HTTPHeaders = {};
 
+        if (requestParameters['xUserId'] != null) {
+            headerParameters['X-User-Id'] = String(requestParameters['xUserId']);
+        }
+
+        if (requestParameters['xTenantId'] != null) {
+            headerParameters['X-Tenant-Id'] = String(requestParameters['xTenantId']);
+        }
+
+        if (this.configuration && this.configuration.apiKey) {
+            headerParameters["X-Service-Key"] = await this.configuration.apiKey("X-Service-Key"); // ServiceKeyAuth authentication
+        }
+
         if (this.configuration && this.configuration.apiKey) {
-            headerParameters["Authorization"] = await this.configuration.apiKey("Authorization"); // BearerAuth authentication
+            headerParameters["X-Session-Token"] = await this.configuration.apiKey("X-Session-Token"); // SessionTokenAuth authentication
         }
 
 
@@ -579,16 +557,16 @@ export class V1TenantsApi extends runtime.BaseAPI {
     }
 
     /**
-     * Deletes a tenant organization and performs cleanup of Stripe customer, Keto permissions, and user associations.  ## Authentication Requires JWT token with `delete_tenant` permission.  ## Process 1. Verifies user has delete permission 2. Archives Stripe customer 3. Deletes tenant (cascades to users, settings, invites) 4. Cleans up all affected users\' tenant state
+     * Deletes a tenant organization and performs cleanup of Stripe customer, Keto permissions, and user associations.  ## Authentication - **Session Auth**: Requires JWT token / Cookie Session with `delete_tenant` permission - **Service Key Auth**: Requires X-Service-Key + X-Tenant-ID + X-User-ID headers with `delete_tenant` permission  ## Process 1. Verifies user has delete permission 2. Archives Stripe customer 3. Deletes tenant (cascades to users, settings, invites) 4. Cleans up all affected users\' tenant state 
      * Delete tenant
      */
-    async deleteTenant(initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<DeleteTenant200Response> {
-        const response = await this.deleteTenantRaw(initOverrides);
+    async deleteTenant(requestParameters: DeleteTenantRequest = {}, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<DeleteTenant200Response> {
+        const response = await this.deleteTenantRaw(requestParameters, initOverrides);
         return await response.value();
     }
 
     /**
-     * Returns all available permission namespaces and their relations from the database.  ## Authentication Requires JWT token with appropriate permissions.  ## Use Cases - Discover available permission namespaces - List relations for each namespace - Build dynamic permission UIs
+     * Returns all available permission namespaces and their relations from the database.  ## Authentication Requires JWT token with appropriate permissions.  ## Use Cases - Discover available permission namespaces - List relations for each namespace - Build dynamic permission UIs 
      * Get namespace definitions
      */
     async getRoleDefinitionsRaw(initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<GetRoleDefinitions200Response>> {
@@ -597,7 +575,11 @@ export class V1TenantsApi extends runtime.BaseAPI {
         const headerParameters: runtime.HTTPHeaders = {};
 
         if (this.configuration && this.configuration.apiKey) {
-            headerParameters["Authorization"] = await this.configuration.apiKey("Authorization"); // BearerAuth authentication
+            headerParameters["X-Service-Key"] = await this.configuration.apiKey("X-Service-Key"); // ServiceKeyAuth authentication
+        }
+
+        if (this.configuration && this.configuration.apiKey) {
+            headerParameters["X-Session-Token"] = await this.configuration.apiKey("X-Session-Token"); // SessionTokenAuth authentication
         }
 
 
@@ -614,7 +596,7 @@ export class V1TenantsApi extends runtime.BaseAPI {
     }
 
     /**
-     * Returns all available permission namespaces and their relations from the database.  ## Authentication Requires JWT token with appropriate permissions.  ## Use Cases - Discover available permission namespaces - List relations for each namespace - Build dynamic permission UIs
+     * Returns all available permission namespaces and their relations from the database.  ## Authentication Requires JWT token with appropriate permissions.  ## Use Cases - Discover available permission namespaces - List relations for each namespace - Build dynamic permission UIs 
      * Get namespace definitions
      */
     async getRoleDefinitions(initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<GetRoleDefinitions200Response> {
@@ -623,7 +605,7 @@ export class V1TenantsApi extends runtime.BaseAPI {
     }
 
     /**
-     * Checks whether the tenant has billing information configured in Stripe and if it\'s active.  ## Authentication Requires JWT token with tenant context.  ## Use Cases - Check if billing setup is required - Conditional feature access - Payment method verification
+     * Checks whether the tenant has billing information configured in Stripe and if it\'s active.  ## Authentication Requires JWT token with tenant context.  ## Use Cases - Check if billing setup is required - Conditional feature access - Payment method verification 
      * Get billing status
      */
     async getTenantBillingStatusRaw(initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<GetTenantBillingStatus200Response>> {
@@ -632,7 +614,11 @@ export class V1TenantsApi extends runtime.BaseAPI {
         const headerParameters: runtime.HTTPHeaders = {};
 
         if (this.configuration && this.configuration.apiKey) {
-            headerParameters["Authorization"] = await this.configuration.apiKey("Authorization"); // BearerAuth authentication
+            headerParameters["X-Service-Key"] = await this.configuration.apiKey("X-Service-Key"); // ServiceKeyAuth authentication
+        }
+
+        if (this.configuration && this.configuration.apiKey) {
+            headerParameters["X-Session-Token"] = await this.configuration.apiKey("X-Session-Token"); // SessionTokenAuth authentication
         }
 
 
@@ -649,7 +635,7 @@ export class V1TenantsApi extends runtime.BaseAPI {
     }
 
     /**
-     * Checks whether the tenant has billing information configured in Stripe and if it\'s active.  ## Authentication Requires JWT token with tenant context.  ## Use Cases - Check if billing setup is required - Conditional feature access - Payment method verification
+     * Checks whether the tenant has billing information configured in Stripe and if it\'s active.  ## Authentication Requires JWT token with tenant context.  ## Use Cases - Check if billing setup is required - Conditional feature access - Payment method verification 
      * Get billing status
      */
     async getTenantBillingStatus(initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<GetTenantBillingStatus200Response> {
@@ -658,16 +644,28 @@ export class V1TenantsApi extends runtime.BaseAPI {
     }
 
     /**
-     * Generates a JWT token for direct PostgREST database access with the user\'s active tenant context.  ## Authentication Requires JWT token and active tenant.  ## Use Cases - Client-side database queries - Real-time subscriptions - Direct PostgREST API access
+     * Generates a JWT token for direct PostgREST database access with the user\'s active tenant context.  ## Authentication - **Session Auth**: Requires JWT token / Cookie Session and active tenant - **Service Key Auth**: Requires X-Service-Key + X-Tenant-ID + X-User-ID headers  ## Use Cases - Client-side database queries - Real-time subscriptions - Direct PostgREST API access 
      * Get PostgREST JWT token
      */
-    async getTenantJWTRaw(initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<GetTenantJWT200Response>> {
+    async getTenantJWTRaw(requestParameters: GetTenantJWTRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<GetTenantJWT200Response>> {
         const queryParameters: any = {};
 
         const headerParameters: runtime.HTTPHeaders = {};
 
+        if (requestParameters['xUserId'] != null) {
+            headerParameters['X-User-Id'] = String(requestParameters['xUserId']);
+        }
+
+        if (requestParameters['xTenantId'] != null) {
+            headerParameters['X-Tenant-Id'] = String(requestParameters['xTenantId']);
+        }
+
         if (this.configuration && this.configuration.apiKey) {
-            headerParameters["Authorization"] = await this.configuration.apiKey("Authorization"); // BearerAuth authentication
+            headerParameters["X-Service-Key"] = await this.configuration.apiKey("X-Service-Key"); // ServiceKeyAuth authentication
+        }
+
+        if (this.configuration && this.configuration.apiKey) {
+            headerParameters["X-Session-Token"] = await this.configuration.apiKey("X-Session-Token"); // SessionTokenAuth authentication
         }
 
 
@@ -684,25 +682,33 @@ export class V1TenantsApi extends runtime.BaseAPI {
     }
 
     /**
-     * Generates a JWT token for direct PostgREST database access with the user\'s active tenant context.  ## Authentication Requires JWT token and active tenant.  ## Use Cases - Client-side database queries - Real-time subscriptions - Direct PostgREST API access
+     * Generates a JWT token for direct PostgREST database access with the user\'s active tenant context.  ## Authentication - **Session Auth**: Requires JWT token / Cookie Session and active tenant - **Service Key Auth**: Requires X-Service-Key + X-Tenant-ID + X-User-ID headers  ## Use Cases - Client-side database queries - Real-time subscriptions - Direct PostgREST API access 
      * Get PostgREST JWT token
      */
-    async getTenantJWT(initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<GetTenantJWT200Response> {
-        const response = await this.getTenantJWTRaw(initOverrides);
+    async getTenantJWT(requestParameters: GetTenantJWTRequest = {}, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<GetTenantJWT200Response> {
+        const response = await this.getTenantJWTRaw(requestParameters, initOverrides);
         return await response.value();
     }
 
     /**
-     * Returns all roles for the authenticated tenant, including both system roles and custom tenant-specific roles.  ## Authentication Requires JWT token with tenant context.  ## Use Cases - Display available roles to assign - Role management UI - Permission auditing
+     * Returns all roles for the authenticated tenant, including both system roles and custom tenant-specific roles.  ## Authentication - **Session Auth**: Requires JWT token / Cookie Session with tenant context - **Service Key Auth**: Requires X-Service-Key + X-Tenant-ID header  ## Use Cases - Display available roles to assign - Role management UI - Permission auditing 
      * List roles
      */
-    async listRolesRaw(initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<ListRoles200Response>> {
+    async listRolesRaw(requestParameters: ListRolesRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<ListRoles200Response>> {
         const queryParameters: any = {};
 
         const headerParameters: runtime.HTTPHeaders = {};
 
+        if (requestParameters['xTenantId'] != null) {
+            headerParameters['X-Tenant-Id'] = String(requestParameters['xTenantId']);
+        }
+
         if (this.configuration && this.configuration.apiKey) {
-            headerParameters["Authorization"] = await this.configuration.apiKey("Authorization"); // BearerAuth authentication
+            headerParameters["X-Service-Key"] = await this.configuration.apiKey("X-Service-Key"); // ServiceKeyAuth authentication
+        }
+
+        if (this.configuration && this.configuration.apiKey) {
+            headerParameters["X-Session-Token"] = await this.configuration.apiKey("X-Session-Token"); // SessionTokenAuth authentication
         }
 
 
@@ -719,16 +725,16 @@ export class V1TenantsApi extends runtime.BaseAPI {
     }
 
     /**
-     * Returns all roles for the authenticated tenant, including both system roles and custom tenant-specific roles.  ## Authentication Requires JWT token with tenant context.  ## Use Cases - Display available roles to assign - Role management UI - Permission auditing
+     * Returns all roles for the authenticated tenant, including both system roles and custom tenant-specific roles.  ## Authentication - **Session Auth**: Requires JWT token / Cookie Session with tenant context - **Service Key Auth**: Requires X-Service-Key + X-Tenant-ID header  ## Use Cases - Display available roles to assign - Role management UI - Permission auditing 
      * List roles
      */
-    async listRoles(initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<ListRoles200Response> {
-        const response = await this.listRolesRaw(initOverrides);
+    async listRoles(requestParameters: ListRolesRequest = {}, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<ListRoles200Response> {
+        const response = await this.listRolesRaw(requestParameters, initOverrides);
         return await response.value();
     }
 
     /**
-     * Returns all active Stripe subscriptions associated with the tenant\'s Stripe customer.  ## Authentication Requires JWT token with tenant context.  ## Use Cases - Display current subscriptions - Billing overview - Subscription management UI
+     * Returns all active Stripe subscriptions associated with the tenant\'s Stripe customer.  ## Authentication Requires JWT token with tenant context.  ## Use Cases - Display current subscriptions - Billing overview - Subscription management UI 
      * Get tenant subscriptions
      */
     async listTenantSubscriptionsRaw(initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<ListTenantSubscriptions200Response>> {
@@ -737,7 +743,11 @@ export class V1TenantsApi extends runtime.BaseAPI {
         const headerParameters: runtime.HTTPHeaders = {};
 
         if (this.configuration && this.configuration.apiKey) {
-            headerParameters["Authorization"] = await this.configuration.apiKey("Authorization"); // BearerAuth authentication
+            headerParameters["X-Service-Key"] = await this.configuration.apiKey("X-Service-Key"); // ServiceKeyAuth authentication
+        }
+
+        if (this.configuration && this.configuration.apiKey) {
+            headerParameters["X-Session-Token"] = await this.configuration.apiKey("X-Session-Token"); // SessionTokenAuth authentication
         }
 
 
@@ -754,7 +764,7 @@ export class V1TenantsApi extends runtime.BaseAPI {
     }
 
     /**
-     * Returns all active Stripe subscriptions associated with the tenant\'s Stripe customer.  ## Authentication Requires JWT token with tenant context.  ## Use Cases - Display current subscriptions - Billing overview - Subscription management UI
+     * Returns all active Stripe subscriptions associated with the tenant\'s Stripe customer.  ## Authentication Requires JWT token with tenant context.  ## Use Cases - Display current subscriptions - Billing overview - Subscription management UI 
      * Get tenant subscriptions
      */
     async listTenantSubscriptions(initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<ListTenantSubscriptions200Response> {
@@ -763,16 +773,28 @@ export class V1TenantsApi extends runtime.BaseAPI {
     }
 
     /**
-     * Returns all users who are members of the tenant with their profile information and roles.  ## Authentication Requires JWT token with `view_users` permission.  ## Use Cases - Display team members list - User management UI - Member directory
+     * Returns all users who are members of the tenant with their profile information and roles.  ## Authentication - **Session Auth**: Requires JWT token / Cookie Session with `view_users` permission - **Service Key Auth**: Requires X-Service-Key + X-Tenant-ID + X-User-ID headers with `view_users` permission  ## Use Cases - Display team members list - User management UI - Member directory 
      * Get tenant users
      */
-    async listTenantUsersRaw(initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<ListTenantUsers200Response>> {
+    async listTenantUsersRaw(requestParameters: ListTenantUsersRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<ListTenantUsers200Response>> {
         const queryParameters: any = {};
 
         const headerParameters: runtime.HTTPHeaders = {};
 
+        if (requestParameters['xUserId'] != null) {
+            headerParameters['X-User-Id'] = String(requestParameters['xUserId']);
+        }
+
+        if (requestParameters['xTenantId'] != null) {
+            headerParameters['X-Tenant-Id'] = String(requestParameters['xTenantId']);
+        }
+
         if (this.configuration && this.configuration.apiKey) {
-            headerParameters["Authorization"] = await this.configuration.apiKey("Authorization"); // BearerAuth authentication
+            headerParameters["X-Service-Key"] = await this.configuration.apiKey("X-Service-Key"); // ServiceKeyAuth authentication
+        }
+
+        if (this.configuration && this.configuration.apiKey) {
+            headerParameters["X-Session-Token"] = await this.configuration.apiKey("X-Session-Token"); // SessionTokenAuth authentication
         }
 
 
@@ -789,23 +811,23 @@ export class V1TenantsApi extends runtime.BaseAPI {
     }
 
     /**
-     * Returns all users who are members of the tenant with their profile information and roles.  ## Authentication Requires JWT token with `view_users` permission.  ## Use Cases - Display team members list - User management UI - Member directory
+     * Returns all users who are members of the tenant with their profile information and roles.  ## Authentication - **Session Auth**: Requires JWT token / Cookie Session with `view_users` permission - **Service Key Auth**: Requires X-Service-Key + X-Tenant-ID + X-User-ID headers with `view_users` permission  ## Use Cases - Display team members list - User management UI - Member directory 
      * Get tenant users
      */
-    async listTenantUsers(initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<ListTenantUsers200Response> {
-        const response = await this.listTenantUsersRaw(initOverrides);
+    async listTenantUsers(requestParameters: ListTenantUsersRequest = {}, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<ListTenantUsers200Response> {
+        const response = await this.listTenantUsersRaw(requestParameters, initOverrides);
         return await response.value();
     }
 
     /**
-     * Cancels a Stripe subscription immediately for the authenticated tenant based on the plan ID.  ## Authentication Requires JWT token with tenant context.  ## Request Parameters - **plan_id** (required): The configuration item ID (e.g., \"neon_compute_starter\") to identify which subscription to cancel - **stripe_customer_id** (optional): Override tenant\'s Stripe customer ID if needed  ## Process Flow 1. Validates the plan_id and maps it to a Stripe price_id via the stripe_id_mappings table 2. Resolves the Stripe customer ID from the authenticated tenant (or uses provided stripe_customer_id) 3. Finds the active subscription matching the price_id for the customer 4. Cancels the subscription immediately in Stripe 5. Returns the cancellation confirmation  ## Notes - The subscription is canceled immediately, not at the end of the billing period - If no matching subscription is found, returns a 404 error - Only active, trialing, or past_due subscriptions can be canceled  ## Use Cases - Remove specific service subscriptions from tenant - Downgrade by removing premium features - Stop billing for unused resources
+     * Cancels a Stripe subscription immediately for the authenticated tenant based on the plan ID.  ## Authentication Requires JWT token with tenant context.  ## Request Parameters - **plan_id** (required): The configuration item ID (e.g., \"neon_compute_starter\") to identify which subscription to cancel - **stripe_customer_id** (optional): Override tenant\'s Stripe customer ID if needed  ## Process Flow 1. Validates the plan_id and maps it to a Stripe price_id via the stripe_id_mappings table 2. Resolves the Stripe customer ID from the authenticated tenant (or uses provided stripe_customer_id) 3. Finds the active subscription matching the price_id for the customer 4. Cancels the subscription immediately in Stripe 5. Returns the cancellation confirmation  ## Notes - The subscription is canceled immediately, not at the end of the billing period - If no matching subscription is found, returns a 404 error - Only active, trialing, or past_due subscriptions can be canceled  ## Use Cases - Remove specific service subscriptions from tenant - Downgrade by removing premium features - Stop billing for unused resources 
      * Remove subscription
      */
-    async removeSubscriptionRaw(requestParameters: RemoveSubscriptionRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<RemoveSubscription200Response>> {
-        if (requestParameters['request'] == null) {
+    async removeSubscriptionRaw(requestParameters: RemoveSubscriptionOperationRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<RemoveSubscription200Response>> {
+        if (requestParameters['removeSubscriptionRequest'] == null) {
             throw new runtime.RequiredError(
-                'request',
-                'Required parameter "request" was null or undefined when calling removeSubscription().'
+                'removeSubscriptionRequest',
+                'Required parameter "removeSubscriptionRequest" was null or undefined when calling removeSubscription().'
             );
         }
 
@@ -816,41 +838,45 @@ export class V1TenantsApi extends runtime.BaseAPI {
         headerParameters['Content-Type'] = 'application/json';
 
         if (this.configuration && this.configuration.apiKey) {
-            headerParameters["Authorization"] = await this.configuration.apiKey("Authorization"); // BearerAuth authentication
+            headerParameters["X-Service-Key"] = await this.configuration.apiKey("X-Service-Key"); // ServiceKeyAuth authentication
+        }
+
+        if (this.configuration && this.configuration.apiKey) {
+            headerParameters["X-Session-Token"] = await this.configuration.apiKey("X-Session-Token"); // SessionTokenAuth authentication
         }
 
 
-        let urlPath = `/api/v1/payments/subscription`;
+        let urlPath = `/api/v1/tenants/subscriptions`;
 
         const response = await this.request({
             path: urlPath,
             method: 'DELETE',
             headers: headerParameters,
             query: queryParameters,
-            body: TenantsRemoveSubscriptionRequestToJSON(requestParameters['request']),
+            body: RemoveSubscriptionRequestToJSON(requestParameters['removeSubscriptionRequest']),
         }, initOverrides);
 
         return new runtime.JSONApiResponse(response, (jsonValue) => RemoveSubscription200ResponseFromJSON(jsonValue));
     }
 
     /**
-     * Cancels a Stripe subscription immediately for the authenticated tenant based on the plan ID.  ## Authentication Requires JWT token with tenant context.  ## Request Parameters - **plan_id** (required): The configuration item ID (e.g., \"neon_compute_starter\") to identify which subscription to cancel - **stripe_customer_id** (optional): Override tenant\'s Stripe customer ID if needed  ## Process Flow 1. Validates the plan_id and maps it to a Stripe price_id via the stripe_id_mappings table 2. Resolves the Stripe customer ID from the authenticated tenant (or uses provided stripe_customer_id) 3. Finds the active subscription matching the price_id for the customer 4. Cancels the subscription immediately in Stripe 5. Returns the cancellation confirmation  ## Notes - The subscription is canceled immediately, not at the end of the billing period - If no matching subscription is found, returns a 404 error - Only active, trialing, or past_due subscriptions can be canceled  ## Use Cases - Remove specific service subscriptions from tenant - Downgrade by removing premium features - Stop billing for unused resources
+     * Cancels a Stripe subscription immediately for the authenticated tenant based on the plan ID.  ## Authentication Requires JWT token with tenant context.  ## Request Parameters - **plan_id** (required): The configuration item ID (e.g., \"neon_compute_starter\") to identify which subscription to cancel - **stripe_customer_id** (optional): Override tenant\'s Stripe customer ID if needed  ## Process Flow 1. Validates the plan_id and maps it to a Stripe price_id via the stripe_id_mappings table 2. Resolves the Stripe customer ID from the authenticated tenant (or uses provided stripe_customer_id) 3. Finds the active subscription matching the price_id for the customer 4. Cancels the subscription immediately in Stripe 5. Returns the cancellation confirmation  ## Notes - The subscription is canceled immediately, not at the end of the billing period - If no matching subscription is found, returns a 404 error - Only active, trialing, or past_due subscriptions can be canceled  ## Use Cases - Remove specific service subscriptions from tenant - Downgrade by removing premium features - Stop billing for unused resources 
      * Remove subscription
      */
-    async removeSubscription(requestParameters: RemoveSubscriptionRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<RemoveSubscription200Response> {
+    async removeSubscription(requestParameters: RemoveSubscriptionOperationRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<RemoveSubscription200Response> {
         const response = await this.removeSubscriptionRaw(requestParameters, initOverrides);
         return await response.value();
     }
 
     /**
-     * Removes a user from the tenant and cleans up all associated permissions and Keto relationships.  ## Authentication Requires JWT token with `remove_user` permission.  ## Restrictions - Cannot remove the last owner (must have at least one owner) - Removing an owner requires `remove_owner_role` permission  ## Process 1. Verifies permissions 2. Removes from role\'s user list 3. Deletes all Keto relationships 4. Removes from database 5. Cleans up user\'s tenant state
+     * Removes a user from the tenant and cleans up all associated permissions and Keto relationships.  ## Authentication Requires JWT token with `remove_user` permission.  ## Restrictions - Cannot remove the last owner (must have at least one owner) - Removing an owner requires `remove_owner_role` permission  ## Process 1. Verifies permissions 2. Removes from role\'s user list 3. Deletes all Keto relationships 4. Removes from database 5. Cleans up user\'s tenant state 
      * Remove tenant user
      */
-    async removeTenantUserRaw(requestParameters: RemoveTenantUserRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<HandlersSuccessResponse>> {
-        if (requestParameters['request'] == null) {
+    async removeTenantUserRaw(requestParameters: RemoveTenantUserRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<SuccessResponse>> {
+        if (requestParameters['deleteTenantUserRequest'] == null) {
             throw new runtime.RequiredError(
-                'request',
-                'Required parameter "request" was null or undefined when calling removeTenantUser().'
+                'deleteTenantUserRequest',
+                'Required parameter "deleteTenantUserRequest" was null or undefined when calling removeTenantUser().'
             );
         }
 
@@ -861,7 +887,11 @@ export class V1TenantsApi extends runtime.BaseAPI {
         headerParameters['Content-Type'] = 'application/json';
 
         if (this.configuration && this.configuration.apiKey) {
-            headerParameters["Authorization"] = await this.configuration.apiKey("Authorization"); // BearerAuth authentication
+            headerParameters["X-Service-Key"] = await this.configuration.apiKey("X-Service-Key"); // ServiceKeyAuth authentication
+        }
+
+        if (this.configuration && this.configuration.apiKey) {
+            headerParameters["X-Session-Token"] = await this.configuration.apiKey("X-Session-Token"); // SessionTokenAuth authentication
         }
 
 
@@ -872,30 +902,30 @@ export class V1TenantsApi extends runtime.BaseAPI {
             method: 'DELETE',
             headers: headerParameters,
             query: queryParameters,
-            body: TenantsDeleteTenantUserRequestToJSON(requestParameters['request']),
+            body: DeleteTenantUserRequestToJSON(requestParameters['deleteTenantUserRequest']),
         }, initOverrides);
 
-        return new runtime.JSONApiResponse(response, (jsonValue) => HandlersSuccessResponseFromJSON(jsonValue));
+        return new runtime.JSONApiResponse(response, (jsonValue) => SuccessResponseFromJSON(jsonValue));
     }
 
     /**
-     * Removes a user from the tenant and cleans up all associated permissions and Keto relationships.  ## Authentication Requires JWT token with `remove_user` permission.  ## Restrictions - Cannot remove the last owner (must have at least one owner) - Removing an owner requires `remove_owner_role` permission  ## Process 1. Verifies permissions 2. Removes from role\'s user list 3. Deletes all Keto relationships 4. Removes from database 5. Cleans up user\'s tenant state
+     * Removes a user from the tenant and cleans up all associated permissions and Keto relationships.  ## Authentication Requires JWT token with `remove_user` permission.  ## Restrictions - Cannot remove the last owner (must have at least one owner) - Removing an owner requires `remove_owner_role` permission  ## Process 1. Verifies permissions 2. Removes from role\'s user list 3. Deletes all Keto relationships 4. Removes from database 5. Cleans up user\'s tenant state 
      * Remove tenant user
      */
-    async removeTenantUser(requestParameters: RemoveTenantUserRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<HandlersSuccessResponse> {
+    async removeTenantUser(requestParameters: RemoveTenantUserRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<SuccessResponse> {
         const response = await this.removeTenantUserRaw(requestParameters, initOverrides);
         return await response.value();
     }
 
     /**
-     * Updates the user\'s active tenant in Kratos identity and returns a new JWT token with updated tenant context.  ## Authentication Requires JWT token.  ## Use Cases - Switch between organizations - Change context for multi-tenant users
+     * Updates the user\'s active tenant in Kratos identity and returns a new JWT token with updated tenant context.  ## Authentication - **Session Auth**: Requires JWT token / Cookie Session - **Service Key Auth**: Requires X-Service-Key + X-User-ID header  ## Use Cases - Switch between organizations - Change context for multi-tenant users 
      * Switch active tenant
      */
     async switchActiveTenantRaw(requestParameters: SwitchActiveTenantRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<SwitchActiveTenant200Response>> {
-        if (requestParameters['request'] == null) {
+        if (requestParameters['switchTenantRequest'] == null) {
             throw new runtime.RequiredError(
-                'request',
-                'Required parameter "request" was null or undefined when calling switchActiveTenant().'
+                'switchTenantRequest',
+                'Required parameter "switchTenantRequest" was null or undefined when calling switchActiveTenant().'
             );
         }
 
@@ -905,8 +935,16 @@ export class V1TenantsApi extends runtime.BaseAPI {
 
         headerParameters['Content-Type'] = 'application/json';
 
+        if (requestParameters['xUserId'] != null) {
+            headerParameters['X-User-Id'] = String(requestParameters['xUserId']);
+        }
+
+        if (this.configuration && this.configuration.apiKey) {
+            headerParameters["X-Service-Key"] = await this.configuration.apiKey("X-Service-Key"); // ServiceKeyAuth authentication
+        }
+
         if (this.configuration && this.configuration.apiKey) {
-            headerParameters["Authorization"] = await this.configuration.apiKey("Authorization"); // BearerAuth authentication
+            headerParameters["X-Session-Token"] = await this.configuration.apiKey("X-Session-Token"); // SessionTokenAuth authentication
         }
 
 
@@ -917,14 +955,14 @@ export class V1TenantsApi extends runtime.BaseAPI {
             method: 'PUT',
             headers: headerParameters,
             query: queryParameters,
-            body: TenantsSwitchTenantRequestToJSON(requestParameters['request']),
+            body: SwitchTenantRequestToJSON(requestParameters['switchTenantRequest']),
         }, initOverrides);
 
         return new runtime.JSONApiResponse(response, (jsonValue) => SwitchActiveTenant200ResponseFromJSON(jsonValue));
     }
 
     /**
-     * Updates the user\'s active tenant in Kratos identity and returns a new JWT token with updated tenant context.  ## Authentication Requires JWT token.  ## Use Cases - Switch between organizations - Change context for multi-tenant users
+     * Updates the user\'s active tenant in Kratos identity and returns a new JWT token with updated tenant context.  ## Authentication - **Session Auth**: Requires JWT token / Cookie Session - **Service Key Auth**: Requires X-Service-Key + X-User-ID header  ## Use Cases - Switch between organizations - Change context for multi-tenant users 
      * Switch active tenant
      */
     async switchActiveTenant(requestParameters: SwitchActiveTenantRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<SwitchActiveTenant200Response> {
@@ -933,10 +971,10 @@ export class V1TenantsApi extends runtime.BaseAPI {
     }
 
     /**
-     * Updates the permissions for an existing role. This will update Keto relationships for all users assigned to this role.  ## Authentication Requires JWT token with tenant context and appropriate permissions.  ## Permission Format Permissions should be in the format: `namespace:resource#relation`  ## Use Cases - Modify role permissions - Grant or revoke access - Update role capabilities
+     * Updates the permissions for an existing role. This will update Keto relationships for all users assigned to this role.  ## Authentication - **Session Auth**: Requires JWT token / Cookie Session with tenant context and appropriate permissions - **Service Key Auth**: Requires X-Service-Key + X-Tenant-ID + X-User-ID headers with appropriate permissions  ## Permission Format Permissions should be in the format: `namespace:resource#relation`  ## Use Cases - Modify role permissions - Grant or revoke access - Update role capabilities 
      * Update role
      */
-    async updateRoleRaw(requestParameters: UpdateRoleRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<CreateRole200Response>> {
+    async updateRoleRaw(requestParameters: UpdateRoleOperationRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<CreateRole200Response>> {
         if (requestParameters['roleId'] == null) {
             throw new runtime.RequiredError(
                 'roleId',
@@ -944,10 +982,10 @@ export class V1TenantsApi extends runtime.BaseAPI {
             );
         }
 
-        if (requestParameters['request'] == null) {
+        if (requestParameters['updateRoleRequest'] == null) {
             throw new runtime.RequiredError(
-                'request',
-                'Required parameter "request" was null or undefined when calling updateRole().'
+                'updateRoleRequest',
+                'Required parameter "updateRoleRequest" was null or undefined when calling updateRole().'
             );
         }
 
@@ -957,8 +995,20 @@ export class V1TenantsApi extends runtime.BaseAPI {
 
         headerParameters['Content-Type'] = 'application/json';
 
+        if (requestParameters['xUserId'] != null) {
+            headerParameters['X-User-Id'] = String(requestParameters['xUserId']);
+        }
+
+        if (requestParameters['xTenantId'] != null) {
+            headerParameters['X-Tenant-Id'] = String(requestParameters['xTenantId']);
+        }
+
+        if (this.configuration && this.configuration.apiKey) {
+            headerParameters["X-Service-Key"] = await this.configuration.apiKey("X-Service-Key"); // ServiceKeyAuth authentication
+        }
+
         if (this.configuration && this.configuration.apiKey) {
-            headerParameters["Authorization"] = await this.configuration.apiKey("Authorization"); // BearerAuth authentication
+            headerParameters["X-Session-Token"] = await this.configuration.apiKey("X-Session-Token"); // SessionTokenAuth authentication
         }
 
 
@@ -970,30 +1020,30 @@ export class V1TenantsApi extends runtime.BaseAPI {
             method: 'PUT',
             headers: headerParameters,
             query: queryParameters,
-            body: TenantsUpdateRoleRequestToJSON(requestParameters['request']),
+            body: UpdateRoleRequestToJSON(requestParameters['updateRoleRequest']),
         }, initOverrides);
 
         return new runtime.JSONApiResponse(response, (jsonValue) => CreateRole200ResponseFromJSON(jsonValue));
     }
 
     /**
-     * Updates the permissions for an existing role. This will update Keto relationships for all users assigned to this role.  ## Authentication Requires JWT token with tenant context and appropriate permissions.  ## Permission Format Permissions should be in the format: `namespace:resource#relation`  ## Use Cases - Modify role permissions - Grant or revoke access - Update role capabilities
+     * Updates the permissions for an existing role. This will update Keto relationships for all users assigned to this role.  ## Authentication - **Session Auth**: Requires JWT token / Cookie Session with tenant context and appropriate permissions - **Service Key Auth**: Requires X-Service-Key + X-Tenant-ID + X-User-ID headers with appropriate permissions  ## Permission Format Permissions should be in the format: `namespace:resource#relation`  ## Use Cases - Modify role permissions - Grant or revoke access - Update role capabilities 
      * Update role
      */
-    async updateRole(requestParameters: UpdateRoleRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<CreateRole200Response> {
+    async updateRole(requestParameters: UpdateRoleOperationRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<CreateRole200Response> {
         const response = await this.updateRoleRaw(requestParameters, initOverrides);
         return await response.value();
     }
 
     /**
-     * Updates a user\'s role in the tenant and updates all associated Keto permissions.  ## Authentication Requires JWT token with `update_user_role` permission.  ## Restrictions - Promoting to owner requires `update_user_role_to_owner` permission - Demoting from owner requires `remove_owner_role` permission - Cannot demote the last owner (must have at least one owner)  ## Process 1. Verifies permissions 2. Removes old role permissions 3. Updates database 4. Assigns new role permissions
+     * Updates a user\'s role in the tenant and updates all associated Keto permissions.  ## Authentication - **Session Auth**: Requires JWT token / Cookie Session with `update_user_role` permission - **Service Key Auth**: Requires X-Service-Key + X-Tenant-ID + X-User-ID headers with `update_user_role` permission  ## Restrictions - Promoting to owner requires `update_user_role_to_owner` permission - Demoting from owner requires `remove_owner_role` permission - Cannot demote the last owner (must have at least one owner)  ## Process 1. Verifies permissions 2. Removes old role permissions 3. Updates database 4. Assigns new role permissions 
      * Update user role
      */
-    async updateTenantUserRoleRaw(requestParameters: UpdateTenantUserRoleRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<UpdateTenantUserRole200Response>> {
-        if (requestParameters['request'] == null) {
+    async updateTenantUserRoleRaw(requestParameters: UpdateTenantUserRoleOperationRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<UpdateTenantUserRole200Response>> {
+        if (requestParameters['updateTenantUserRoleRequest'] == null) {
             throw new runtime.RequiredError(
-                'request',
-                'Required parameter "request" was null or undefined when calling updateTenantUserRole().'
+                'updateTenantUserRoleRequest',
+                'Required parameter "updateTenantUserRoleRequest" was null or undefined when calling updateTenantUserRole().'
             );
         }
 
@@ -1003,29 +1053,41 @@ export class V1TenantsApi extends runtime.BaseAPI {
 
         headerParameters['Content-Type'] = 'application/json';
 
+        if (requestParameters['xUserId'] != null) {
+            headerParameters['X-User-Id'] = String(requestParameters['xUserId']);
+        }
+
+        if (requestParameters['xTenantId'] != null) {
+            headerParameters['X-Tenant-Id'] = String(requestParameters['xTenantId']);
+        }
+
         if (this.configuration && this.configuration.apiKey) {
-            headerParameters["Authorization"] = await this.configuration.apiKey("Authorization"); // BearerAuth authentication
+            headerParameters["X-Service-Key"] = await this.configuration.apiKey("X-Service-Key"); // ServiceKeyAuth authentication
         }
 
+        if (this.configuration && this.configuration.apiKey) {
+            headerParameters["X-Session-Token"] = await this.configuration.apiKey("X-Session-Token"); // SessionTokenAuth authentication
+        }
 
-        let urlPath = `/api/v1/tenants/users/role`;
+
+        let urlPath = `/api/v1/tenants/users`;
 
         const response = await this.request({
             path: urlPath,
             method: 'PUT',
             headers: headerParameters,
             query: queryParameters,
-            body: TenantsUpdateTenantUserRoleRequestToJSON(requestParameters['request']),
+            body: UpdateTenantUserRoleRequestToJSON(requestParameters['updateTenantUserRoleRequest']),
         }, initOverrides);
 
         return new runtime.JSONApiResponse(response, (jsonValue) => UpdateTenantUserRole200ResponseFromJSON(jsonValue));
     }
 
     /**
-     * Updates a user\'s role in the tenant and updates all associated Keto permissions.  ## Authentication Requires JWT token with `update_user_role` permission.  ## Restrictions - Promoting to owner requires `update_user_role_to_owner` permission - Demoting from owner requires `remove_owner_role` permission - Cannot demote the last owner (must have at least one owner)  ## Process 1. Verifies permissions 2. Removes old role permissions 3. Updates database 4. Assigns new role permissions
+     * Updates a user\'s role in the tenant and updates all associated Keto permissions.  ## Authentication - **Session Auth**: Requires JWT token / Cookie Session with `update_user_role` permission - **Service Key Auth**: Requires X-Service-Key + X-Tenant-ID + X-User-ID headers with `update_user_role` permission  ## Restrictions - Promoting to owner requires `update_user_role_to_owner` permission - Demoting from owner requires `remove_owner_role` permission - Cannot demote the last owner (must have at least one owner)  ## Process 1. Verifies permissions 2. Removes old role permissions 3. Updates database 4. Assigns new role permissions 
      * Update user role
      */
-    async updateTenantUserRole(requestParameters: UpdateTenantUserRoleRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<UpdateTenantUserRole200Response> {
+    async updateTenantUserRole(requestParameters: UpdateTenantUserRoleOperationRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<UpdateTenantUserRole200Response> {
         const response = await this.updateTenantUserRoleRaw(requestParameters, initOverrides);
         return await response.value();
     }